[SCM] Samba Shared Repository - branch v4-13-stable updated
Jule Anger
janger at samba.org
Wed Sep 22 07:04:32 UTC 2021
The branch, v4-13-stable has been updated
via aa756f3f9fc VERSION: Disable GIT_SNAPSHOT for the 4.13.12 release.
via 4703acc82c8 WHATSNEW: Add release notes for Samba 4.13.12.
via b7d16fdc653 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
via 7a2a6e0bcb0 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
via 1e27b45f49c tests/krb5: Allow expected_error_mode to be a container type
via 57800189c5f tests/krb5: Allow specifying parameters specific to the inner FAST request body
via b5e11c10966 tests/krb5: Add tests for omitting sname in request
via cabc5b114dc tests/krb5: Check PADATA-PW-SALT element in e-data
via 8a8872f7070 tests/krb5: Check e-data element for TGS-REP errors without FAST
via bd76f6d47e7 tests/krb5: Remove harmful and a-typical return in as_req testcase
via d3a611377bd CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
via a67cda7159f CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
via 95de6d138ad tests/krb5: Make cname checking less strict
via 497b461238b tests/krb5: Make e-data checking less strict
via 17c7bc10695 selftest: Remove knownfail for no_etypes FAST tests
via 27e964233a5 tests/krb5: Add FAST tests
via 576e5ca2e9c initial FAST tests
via e7e79028093 tests/krb5: Check PADATA-FX-ERROR in reply
via 1fd611e9e7f tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
via 83073237a95 tests/krb5: Check PADATA-PAC-OPTIONS in reply
via 48199d18cc9 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
via 8fa99e31658 tests/krb5: Make check_rep_padata() also work for checking TGS replies
via e1c4d715a61 tests/krb5: Check PADATA-FX-COOKIE in reply
via 2391eabfcf2 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
via 40da4ffbf18 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
via 0febff53f38 tests/krb5: Check reply FAST padata if request included FAST
via ee892faca94 tests/krb5: Check sname is krbtgt for FAST generic error
via 2356b4d9b75 tests/krb5: Add get_krbtgt_sname() method
via be4977249bc tests/krb5: Remove unused variables
via fef9198aafc tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
via 087cf5f9504 tests/krb5: Add check_rep_padata() method to check padata in reply
via efe112dfa56 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
via bef5024da8c tests/krb5: Include authdata in kdc_exchange_dict
via 8eaa8e10383 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
via 8a3b41f0483 tests/krb5: Check encrypted-pa-data
via 701e5c98399 tests/krb5: Add methods to determine whether elements were included in the request
via 64b5183a776 tests/krb5: Add functions to get dicts of request padata
via cedfc67ede4 tests/krb5: Check FAST response
via 5d39d4b36e8 tests/krb5: Add method to verify ticket checksum for FAST
via b551c801193 tests/krb5: Add method to check PA-FX-FAST-REPLY
via de8fbf93111 tests/krb5: Allow specifying parameters specific to the outer request body
via 3be408a3a83 tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
via 52eb693ac31 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
via 25b6681c3cd tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
via a57e79c5fce tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
via 6264ed42420 tests/krb5: Add methods to calculate keys for FAST
via b7562c873e8 tests/krb5: Add method to generate FAST encrypted challenge padata
via 0e33a06673b tests/krb5: Add more methods to create ASN1 objects for FAST
via dbeafd158a4 tests/krb5: Add more ASN1 definitions for FAST
via 1ce82cbc9d6 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
via 04a6c902ede tests/krb5: Ensure generated padata is not None
via a9e421c4bfa tests/krb5: Add generate_ap_req() method
via d9f406518ca tests/krb5: Check nonce in EncKDCRepPart
via d81a88a78f4 tests/krb5: Make checking less strict
via ee9b0a028c2 tests/krb5: Check version number of obtained ticket
via 1e451d724b0 tests/krb5: Assert that more variables are not None
via db6495a2377 tests/krb5: Ensure in assertElementPresent() that container elements are not empty
via 81408702949 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
via cc1f6fcddbc tests/krb5: Include kdc_options in kdc_exchange_dict
via d82d3a20d32 tests/krb5: Always specify expected error code
via 235873ff334 tests/krb5: Add check_reply() method to check for AS or TGS reply
via dcd9320cd9c tests/krb5: Add method to calculate account salt
via afcf48e752c tests/krb5: Add more methods for obtaining machine and service credentials
via caca311af0a tests/krb5: Allow specifying additional details when creating an account
via 34faed8971c tests/krb5: Use encryption with admin credentials
via 5cada922527 tests/krb5: Add get_EpochFromKerberosTime()
via 2e42112ef96 tests/krb5: Make _test_as_exchange() return value more consistent
via ce7b1d71142 tests/krb5: Add method to return dict containing padata elements
via 11001fca4d2 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
via ca5b9aff8f9 tests/krb5: Refactor get_pa_data()
via 70dd144a05f tests/krb5: Allow cf2 to automatically use the enctype of the first key
via 2ae49840a4f tests/krb5: Use credentials kvno when creating password key
via e2d952cfa02 tests/krb5: Check Kerberos protocol version number
via e79061f0626 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
via 2f12714196c tests/krb5: Fix encpart_decryption_key with MIT KDC
via a4e70d45d3b tests/krb5: Fix callback_dict parameter
via 254bd5ad6ed tests/krb5: Fix including enc-authorization-data
via d4c3e11e247 tests/krb5: Remove magic constants
via cd3b4785b9a tests/krb5: Simplify Python syntax
via 80757c65b24 tests/krb5: Use more compact dict lookup
via c3ffa232c03 tests/krb5: Remove unneeded statements
via 70f6cf7afce tests/krb5: formatting
via fa26a95dda1 tests/krb5: Fix method name typo
via c76cf2bc054 tests/krb5: Fix comment typo
via 7b16ffcb46f tests/krb5: Fix ms_kile_client_principal_lookup_test errors
via 11cf6255573 pygensec: Don't modify Python bytes objects
via 52898d56abb pygensec: Fix memory leaks
via 3e013f04e19 selftest: add option to pass args to tests to planpythontestsuite()
via a5a26564a87 selftest: Add support for setting ENV variables in plantestsuite()
via f5e4fc453b1 selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
via e6de4d851c0 selftest: Re-format long lines in selftesthelpers.py
via 63be60227a8 selftest: add space after --list in output of selftesthelpers.py
via e1a4921d5e3 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
via 07610622027 tests/krb5: Use admin creds for SamDB rather than user creds
via 09d0e89265c tests/krb5/as_canonicalization_tests.py: Refactor account creation
via 5a0af3e510e tests/krb5: Deduplicate 'host' attribute initialisation
via c76c9f15a78 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
via 75f534c0ac5 tests/krb5/as_req_tests.py: Check the client kvno
via 02f3bd6a821 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
via 9db32a6a456 tests/krb5/as_req_tests.py: Automatically obtain credentials
via 56b5ceb0c64 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
via ea9083dfd63 tests/krb5/raw_testcase.py: Simplify conditionals
via d88603f8b5c tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
via 23496bb7cf3 tests/krb5/raw_testcase.py: Cache obtained credentials
via 7bd0c7f557b tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
via 5b209e40ec2 tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
via 44018e6131c tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
via 1c0c89ac3bf tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
via 768f1d71b93 tests/krb5/kdc_base_test.py: Create loadparm only when needed
via 113fa4ecfd1 tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
via 807773d382b tests/krb5/kdc_base_test.py: Create database connection only when needed
via 051487c6ab9 tests/krb5/raw_testcase.py: Add get_admin_creds()
via fa1a2eb7b9a tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
via d371e8688c3 selftest: run new as_req_tests against fl2008r2dc and fl2003dc
via 99acba0be9e tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
via ec49afa5a23 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
via 1b36e3bd7e2 tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
via e6682e51206 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
via 38c4f77b9e4 tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
via 697edd2e1db tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
via 1ec0efe26ff tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
via 159384d02fb tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
via bf799b23de2 tests/krb5/raw_testcase.py: add assertElement*()
via 5e69e2d7cd1 tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
via ce264474d29 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
via a83ea43c7ba tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
via 9d32cb48194 Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
via 019b77dbb85 auth/credentials: allow credentials.Credentials to act as base class
via 8737c731040 python: Make credentials cache test run against Windows
via 3a586a81f58 python: Fix ticket timestamp conversion when local timezone is not UTC
via 9bf0f33ad10 python: Fix erroneous increments of reference counts
via 73bba60d737 python: Ensure reference counts are properly incremented
via b32c1932054 python: Add SMB credentials cache test
via ff4d39737c5 pylibsmb: Add posix_whoami()
via d75226b9092 libsmb: Ensure that whoami parses all the data provided to it
via 1208a4dce1e libsmb: Check to see that whoami is not receiving more data than it requested
via e80ad4c0f29 libsmb: Avoid undefined behaviour when parsing whoami state
via 1a3cc9a4e2d libsmb: Remove overflow check
via 8e70f0c174a Revert "libsmb: Use sid_parse()"
via c40a90d7c7a python: Add RPC credentials cache test
via bb9ff0e143a python: Add LDAP credentials cache test
via 848458d1704 python: Add credentials cache test
via 02bfb9e2daf krb5: Add Python functions to create a credentials cache containing a service ticket
via 98727cd606c librpc: Test parsing a Kerberos 5 credentials cache with ndrdump
via 38d622f38ea krb5ccache.idl: Add definition for a Kerberos credentials cache
via a47b37c170f Revert "s4-test: fixed ndrdump test for top level build"
via 1854fc55a30 pygensec: Fix method documentation
via 522ebd8e7c9 auth:creds: Fix parameter in creds.set_named_ccache()
via 427185f8a99 auth:creds: Remove unused variable
via 1748470cc21 tests python krb5: MS-KILE client principal look-up
via 9e0cf55529a librpc: Add py_descriptor_richcmp() equality function
via 28dee15ee08 tests python krb5: PEP8 cleanups
via 03e4bbb8d85 tests python krb5: use key usage constants
via d9f914d0820 tests python krb5: Add key usage constants
via f38ba415847 tests python krb5: initial TGS tests
via 81923ea8232 tests python krb5: add test base class
via c8f1511ea49 tests python krb5: Add Authorization data ad-type constants
via bde787c8484 tests python krb5: Extra canonicalization tests
via f719d74eb7e tests python krb5: add arcfour salt tests
via f79c7c3217c tests python krb5: refactor compatability tests
via 82d2ce2a66b tests python krb5: Convert kdc-heimdal to python
via ab09ca1b0e9 tests python krb5: raw_testcase permit RC4 salts
via 7858fd1799d tests python krb5: Refactor compatability test constants
via 1543efaead3 tests python krb5: Refactor canonicalization test constants
via 8610d03794e tests python krb5: Add constants module
via fb05f15519c tests python krb5: Add python kerberos compatability tests
via a142057393f selftest: add heimdal kdc specific known fail
via d810539294b selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals
via ed2c276f765 selftest: Add in encrypted-pa-data from RFC 6806
via 08a296f9018 selftest: Fix formatting of failure (traceback and options swapped in format string)
via 657dde3bdf2 selftest: Make as_canonicalization_tests.py auto-detect the NT4 domain name
via a07052104f3 samdb: Add samdb.domain_netbios_name()
via 0242419a010 selftest: Make as_canonicalization_tests.py easier to run outside "make test"
via d08faae8bd0 selftest: Fix flipped machine and user constants
via d7ebc3b7055 selftest: Send enterprise principals tagged as such
via ca83a606256 tests python krb5: Add python kerberos canonicalization tests
via 8536b5f4397 tests python krb5: Add canonicalize flag to ASN1
via 71f30ca29b4 tests python krb5: Make PrincipalName_create a class method
via 44841d2b18b selftest: add mit kdc specific known fail
via cea68cbf537 ctdb-daemon: Don't mark a node as unhealthy when connecting to it
via 479fc4fee0c ctdb-daemon: Ignore flag changes for disconnected nodes
via cc3ce341ee1 ctdb-daemon: Simplify ctdb_control_modflags()
via 3ab6be4f7bc ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
via 7c4daa7ffa0 ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
via c4d7ed5eac4 ctdb-daemon: Modernise remaining debug macro in this function
via 3d2313dc906 ctdb-daemon: Update logging for flag changes
via 85372296a7e ctdb-daemon: Correct the condition for logging unchanged flags
via c89f30810d3 ctdb-tools: Use disable and enable controls in tool
via 75b8b5de3e8 ctdb-client: Add client code for disable/enable controls
via ce58aefb4ee ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
via 7aac8fd9e5e ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
via 65f9b5520d2 ctdb-daemon: Factor out a function to get node structure from PNN
via e3578ea22cb ctdb-daemon: Add a helper variable
via 3d797b570b0 ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
via ac8bbe2d0ae ctdb-protocol: Add new controls to disable and enable nodes
via 74aa5b204e2 ctdb-recoverd: Push flags for a node if any remote node disagrees
via e93c885426d ctdb-recoverd: Update the local node map before pushing out flags
via 76f8dffb527 ctdb-recoverd: Add a helper variable
via 4ada6c24a5c selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
via 33ef89475b0 s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
via be4f4f4f594 selftest: Add a test for LookupSids3 and LookupNames4 in python
via 02c40fd92dc dsdb: Be careful to avoid use of the expensive talloc_is_parent()
via 49a15402f4d selftest: Only run samba_tool_drs_showrepl test once
via a69c7cb30fd selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
via a7fe21a0d66 VERSION: Bump version up to Samba 4.13.12...
from 2119f9f9f66 VERSION: Disable GIT_SNAPSHOT for the 4.13.11 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 81 +-
auth/credentials/pycredentials.c | 8 +-
ctdb/client/client_control_sync.c | 68 +
ctdb/client/client_sync.h | 12 +
ctdb/include/ctdb_private.h | 2 +
ctdb/protocol/protocol.h | 4 +-
ctdb/protocol/protocol_api.h | 6 +
ctdb/protocol/protocol_client.c | 36 +
ctdb/protocol/protocol_control.c | 12 +
ctdb/protocol/protocol_debug.c | 2 +
ctdb/server/ctdb_control.c | 42 +
ctdb/server/ctdb_daemon.c | 35 +-
ctdb/server/ctdb_monitor.c | 67 +-
ctdb/server/ctdb_recoverd.c | 120 +-
ctdb/server/ctdb_server.c | 1 -
ctdb/tests/UNIT/cunit/protocol_test_101.sh | 2 +-
ctdb/tests/src/fake_ctdbd.c | 54 +
ctdb/tests/src/protocol_common_ctdb.c | 24 +
ctdb/tests/src/protocol_ctdb_test.c | 2 +-
ctdb/tools/ctdb.c | 57 +-
lib/talloc/pytalloc.c | 4 +-
libgpo/pygpo.c | 2 +-
librpc/idl/krb5ccache.idl | 115 +
librpc/idl/wscript_build | 1 +
librpc/wscript_build | 8 +-
python/samba/netcmd/user.py | 10 +-
python/samba/samdb.py | 15 +
python/samba/tests/blackbox/ndrdump.py | 45 +-
python/samba/tests/dcerpc/lsa.py | 333 +++
python/samba/tests/dsdb_schema_attributes.py | 6 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 434 ++++
python/samba/tests/krb5/as_req_tests.py | 218 ++
python/samba/tests/krb5/compatability_tests.py | 227 ++
python/samba/tests/krb5/fast_tests.py | 1691 +++++++++++++
python/samba/tests/krb5/kcrypto.py | 79 +-
python/samba/tests/krb5/kdc_base_test.py | 913 +++++++
python/samba/tests/krb5/kdc_tests.py | 228 ++
python/samba/tests/krb5/kdc_tgs_tests.py | 213 ++
.../krb5/ms_kile_client_principal_lookup_tests.py | 829 +++++++
.../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} | 0
python/samba/tests/krb5/raw_testcase.py | 2511 +++++++++++++++++---
python/samba/tests/krb5/rfc4120.asn1 | 187 +-
python/samba/tests/krb5/rfc4120_constants.py | 171 ++
python/samba/tests/krb5/rfc4120_pyasn1.py | 241 +-
python/samba/tests/krb5/s4u_tests.py | 38 +-
python/samba/tests/krb5/simple_tests.py | 49 +-
python/samba/tests/krb5/test_ccache.py | 135 ++
python/samba/tests/krb5/test_ldap.py | 96 +
python/samba/tests/krb5/test_rpc.py | 79 +
python/samba/tests/krb5/test_smb.py | 110 +
python/samba/tests/krb5/xrealm_tests.py | 45 +-
python/samba/tests/samdb.py | 13 +-
python/samba/tests/usage.py | 13 +
selftest/knownfail | 6 +-
selftest/knownfail.d/kdc-enterprise | 63 +
selftest/knownfail_heimdal_kdc | 123 +
selftest/knownfail_mit_kdc | 322 +++
selftest/selftesthelpers.py | 58 +-
selftest/target/Samba4.pm | 2 +-
selftest/tests.py | 1 +
selftest/wscript | 5 +
source3/libsmb/clifsinfo.c | 44 +-
source3/libsmb/pylibsmb.c | 138 +-
source3/passdb/py_passdb.c | 4 -
source3/selftest/ktest-krb5_ccache-2.txt | 1574 ++++++++++++
source3/selftest/ktest-krb5_ccache-3.txt | 832 +++++++
source4/auth/gensec/gensec_gssapi.c | 4 +
source4/auth/gensec/pygensec.c | 71 +-
source4/dsdb/schema/schema_set.c | 41 +-
source4/heimdal/kdc/kerberos5.c | 4 +-
source4/heimdal/kdc/krb5tgs.c | 4 +
source4/librpc/ndr/py_security.c | 37 +
source4/librpc/wscript_build | 7 +
source4/ntvfs/posix/python/pyposix_eadb.c | 2 +-
source4/ntvfs/posix/python/pyxattr_native.c | 4 +-
source4/ntvfs/posix/python/pyxattr_tdb.c | 2 +-
source4/rpc_server/lsa/lsa_lookup.c | 131 +-
source4/selftest/tests.py | 91 +-
source4/torture/krb5/kdc-heimdal.c | 104 +-
80 files changed, 12688 insertions(+), 682 deletions(-)
create mode 100644 librpc/idl/krb5ccache.idl
create mode 100644 python/samba/tests/dcerpc/lsa.py
create mode 100755 python/samba/tests/krb5/as_canonicalization_tests.py
create mode 100755 python/samba/tests/krb5/as_req_tests.py
create mode 100755 python/samba/tests/krb5/compatability_tests.py
create mode 100755 python/samba/tests/krb5/fast_tests.py
create mode 100644 python/samba/tests/krb5/kdc_base_test.py
create mode 100755 python/samba/tests/krb5/kdc_tests.py
create mode 100755 python/samba/tests/krb5/kdc_tgs_tests.py
create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%)
create mode 100644 python/samba/tests/krb5/rfc4120_constants.py
create mode 100755 python/samba/tests/krb5/test_ccache.py
create mode 100755 python/samba/tests/krb5/test_ldap.py
create mode 100755 python/samba/tests/krb5/test_rpc.py
create mode 100755 python/samba/tests/krb5/test_smb.py
create mode 100644 selftest/knownfail.d/kdc-enterprise
create mode 100644 selftest/knownfail_heimdal_kdc
create mode 100644 selftest/knownfail_mit_kdc
create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt
create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 8ab61a550f0..a1632f2e7b1 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=12
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4b33797845e..820185349ef 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,81 @@
+ ===============================
+ Release Notes for Samba 4.13.12
+ September 22, 2021
+ ===============================
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.11
+---------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14806: Address a signifcant performance regression in database access
+ in the AD DC since Samba 4.12.
+ * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
+ Samba 4.9 by using an explicit database handle cache.
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+ * BUG 14818: Address flapping samba_tool_drs_showrepl test.
+ * BUG 14819: Address flapping dsdb_schema_attributes test.
+
+o Björn Baumbach <bb at sernet.de>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ
+
+o Luke Howard <lukeh at padl.com>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Gary Lockyer <gary at catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14784: Fix CTDB flag/status update race conditions.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
===============================
Release Notes for Samba 4.13.11
September 07, 2021
@@ -49,8 +127,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
===============================
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index a5d0f9e051c..e583b83d9a4 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -603,8 +603,6 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused)
static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
{
char *newval;
- enum credentials_obtained obt = CRED_SPECIFIED;
- int _obt = obt;
struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
if (creds == NULL) {
PyErr_Format(PyExc_TypeError, "Credentials expected");
@@ -614,7 +612,6 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "s", &newval)) {
return NULL;
}
- obt = _obt;
cli_credentials_set_forced_sasl_mech(creds, newval);
Py_RETURN_NONE;
@@ -766,6 +763,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
return NULL;
+ obt = _obt;
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
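Review bot: `obt = _obt;` copies the optional Python integer parsed by the `i` in `"s|iO"` into `obt` without a range check, and the next hunk passes `obt` to `cli_credentials_set_ccache()`. A caller can therefore supply a number that is not a member of `enum credentials_obtained`, which presumably ranks how authoritative a credential source is. Consider rejecting such values before the assignment, for example `if (_obt < 0 || _obt > CRED_SPECIFIED) { PyErr_SetString(PyExc_ValueError, "invalid obtained level"); return NULL; }`. That bound assumes CRED_SPECIFIED is the highest member, which should be confirmed against the enum definition. The declarations of `obt` and `_obt` and the rest of py_creds_set_named_ccache lie outside this hunk.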
@@ -781,7 +779,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
ret = cli_credentials_set_ccache(creds,
lp_ctx,
- newval, CRED_SPECIFIED,
+ newval, obt,
&error_string);
if (ret != 0) {
@@ -1223,7 +1221,7 @@ static struct PyModuleDef moduledef = {
PyTypeObject PyCredentials = {
.tp_name = "credentials.Credentials",
.tp_new = py_creds_new,
- .tp_flags = Py_TPFLAGS_DEFAULT,
+ .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
.tp_methods = py_creds_methods,
};
diff --git a/ctdb/client/client_control_sync.c b/ctdb/client/client_control_sync.c
index e56a2b2f18d..29e0249198c 100644
--- a/ctdb/client/client_control_sync.c
+++ b/ctdb/client/client_control_sync.c
@@ -2718,3 +2718,71 @@ int ctdb_ctrl_tunnel_deregister(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
return 0;
}
+
+int ctdb_ctrl_disable_node(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ctdb_client_context *client,
+ int destnode,
+ struct timeval timeout)
+{
+ struct ctdb_req_control request;
+ struct ctdb_reply_control *reply;
+ int ret;
+
+ ctdb_req_control_disable_node(&request);
+ ret = ctdb_client_control(mem_ctx,
+ ev,
+ client,
+ destnode,
+ timeout,
+ &request,
+ &reply);
+ if (ret != 0) {
+ D_ERR("Control DISABLE_NODE failed to node %u, ret=%d\n",
+ destnode,
+ ret);
+ return ret;
+ }
+
+ ret = ctdb_reply_control_disable_node(reply);
+ if (ret != 0) {
+ D_ERR("Control DISABLE_NODE failed, ret=%d\n", ret);
+ return ret;
+ }
+
+ return 0;
+}
+
+int ctdb_ctrl_enable_node(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ctdb_client_context *client,
+ int destnode,
+ struct timeval timeout)
+{
+ struct ctdb_req_control request;
+ struct ctdb_reply_control *reply;
+ int ret;
+
+ ctdb_req_control_enable_node(&request);
+ ret = ctdb_client_control(mem_ctx,
+ ev,
+ client,
+ destnode,
+ timeout,
+ &request,
+ &reply);
+ if (ret != 0) {
+ D_ERR("Control ENABLE_NODE failed to node %u, ret=%d\n",
+ destnode,
+ ret);
+ return ret;
+ }
+
+ ret = ctdb_reply_control_enable_node(reply);
+ if (ret != 0) {
+ D_ERR("Control ENABLE_NODE failed, ret=%d\n", ret);
+ return ret;
+ }
+
+ return 0;
+}
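Review bot: Both new functions print `destnode`, declared `int` in the signature, with `%u` in `D_ERR("Control DISABLE_NODE failed to node %u, ret=%d\n", destnode, ret);`. The specifier should match the argument type, so either use `%d` or pass `(unsigned)destnode`; the ENABLE_NODE message needs the same change. Neither function releases `reply` on any path. If it is allocated under `mem_ctx` (not visible in this hunk), a one-line comment such as `/* reply is owned by mem_ctx; caller frees the context */` would make the ownership explicit.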
diff --git a/ctdb/client/client_sync.h b/ctdb/client/client_sync.h
index b29e669fba4..25a9615098c 100644
--- a/ctdb/client/client_sync.h
+++ b/ctdb/client/client_sync.h
@@ -491,6 +491,18 @@ int ctdb_ctrl_tunnel_deregister(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
int destnode, struct timeval timeout,
uint64_t tunnel_id);
+int ctdb_ctrl_disable_node(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ctdb_client_context *client,
+ int destnode,
+ struct timeval timeout);
+
+int ctdb_ctrl_enable_node(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ctdb_client_context *client,
+ int destnode,
+ struct timeval timeout);
+
/* from client/client_message_sync.c */
int ctdb_message_recd_update_ip(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
diff --git a/ctdb/include/ctdb_private.h b/ctdb/include/ctdb_private.h
index 9ca87332d61..6f4111f1a18 100644
--- a/ctdb/include/ctdb_private.h
+++ b/ctdb/include/ctdb_private.h
@@ -565,6 +565,8 @@ int daemon_deregister_message_handler(struct ctdb_context *ctdb,
void daemon_tunnel_handler(uint64_t tunnel_id, TDB_DATA data,
void *private_data);
+struct ctdb_node *ctdb_find_node(struct ctdb_context *ctdb, uint32_t pnn);
+
int ctdb_start_daemon(struct ctdb_context *ctdb,
bool interactive,
bool test_mode_enabled);
diff --git a/ctdb/protocol/protocol.h b/ctdb/protocol/protocol.h
index 35543a67cf9..403d66c3972 100644
--- a/ctdb/protocol/protocol.h
+++ b/ctdb/protocol/protocol.h
@@ -137,7 +137,7 @@ struct ctdb_call {
/* SRVID to inform clients that an IP address has been taken over */
#define CTDB_SRVID_TAKE_IP 0xF301000000000000LL
-/* SRVID to inform recovery daemon of the node flags */
+/* SRVID to inform recovery daemon of the node flags - OBSOLETE */
#define CTDB_SRVID_SET_NODE_FLAGS 0xF400000000000000LL
/* SRVID to inform recovery daemon to update public ip assignment */
@@ -376,6 +376,8 @@ enum ctdb_controls {CTDB_CONTROL_PROCESS_EXISTS = 0,
CTDB_CONTROL_VACUUM_FETCH = 154,
CTDB_CONTROL_DB_VACUUM = 155,
CTDB_CONTROL_ECHO_DATA = 156,
+ CTDB_CONTROL_DISABLE_NODE = 157,
+ CTDB_CONTROL_ENABLE_NODE = 158,
};
#define MAX_COUNT_BUCKETS 16
diff --git a/ctdb/protocol/protocol_api.h b/ctdb/protocol/protocol_api.h
index bdb4bc0e2ea..b7fcc53dd68 100644
--- a/ctdb/protocol/protocol_api.h
+++ b/ctdb/protocol/protocol_api.h
@@ -615,6 +615,12 @@ void ctdb_req_control_echo_data(struct ctdb_req_control *request,
struct ctdb_echo_data *echo_data);
int ctdb_reply_control_echo_data(struct ctdb_reply_control *reply);
+void ctdb_req_control_disable_node(struct ctdb_req_control *request);
+int ctdb_reply_control_disable_node(struct ctdb_reply_control *reply);
+
+void ctdb_req_control_enable_node(struct ctdb_req_control *request);
+int ctdb_reply_control_enable_node(struct ctdb_reply_control *reply);
+
/* From protocol/protocol_debug.c */
void ctdb_packet_print(uint8_t *buf, size_t buflen, FILE *fp);
diff --git a/ctdb/protocol/protocol_client.c b/ctdb/protocol/protocol_client.c
index cde544feb52..71d2f0144b3 100644
--- a/ctdb/protocol/protocol_client.c
+++ b/ctdb/protocol/protocol_client.c
@@ -2409,3 +2409,39 @@ int ctdb_reply_control_echo_data(struct ctdb_reply_control *reply)
return reply->status;
}
+
+/* CTDB_CONTROL_DISABLE_NODE */
+
+void ctdb_req_control_disable_node(struct ctdb_req_control *request)
+{
+ request->opcode = CTDB_CONTROL_DISABLE_NODE;
+ request->pad = 0;
+ request->srvid = 0;
+ request->client_id = 0;
+ request->flags = 0;
+
+ request->rdata.opcode = CTDB_CONTROL_DISABLE_NODE;
+}
+
+int ctdb_reply_control_disable_node(struct ctdb_reply_control *reply)
+{
+ return ctdb_reply_control_generic(reply, CTDB_CONTROL_DISABLE_NODE);
+}
+
+/* CTDB_CONTROL_ENABLE_NODE */
+
+void ctdb_req_control_enable_node(struct ctdb_req_control *request)
+{
+ request->opcode = CTDB_CONTROL_ENABLE_NODE;
+ request->pad = 0;
+ request->srvid = 0;
+ request->client_id = 0;
+ request->flags = 0;
+
+ request->rdata.opcode = CTDB_CONTROL_ENABLE_NODE;
+}
+
+int ctdb_reply_control_enable_node(struct ctdb_reply_control *reply)
+{
+ return ctdb_reply_control_generic(reply, CTDB_CONTROL_ENABLE_NODE);
+}
diff --git a/ctdb/protocol/protocol_control.c b/ctdb/protocol/protocol_control.c
index 4fd5a5a7d4d..076863278a3 100644
--- a/ctdb/protocol/protocol_control.c
+++ b/ctdb/protocol/protocol_control.c
@@ -419,6 +419,12 @@ static size_t ctdb_req_control_data_len(struct ctdb_req_control_data *cd)
case CTDB_CONTROL_ECHO_DATA:
len = ctdb_echo_data_len(cd->data.echo_data);
break;
+
+ case CTDB_CONTROL_DISABLE_NODE:
+ break;
+
+ case CTDB_CONTROL_ENABLE_NODE:
+ break;
}
return len;
@@ -1418,6 +1424,12 @@ static size_t ctdb_reply_control_data_len(struct ctdb_reply_control_data *cd)
case CTDB_CONTROL_ECHO_DATA:
len = ctdb_echo_data_len(cd->data.echo_data);
break;
+
+ case CTDB_CONTROL_DISABLE_NODE:
+ break;
+
+ case CTDB_CONTROL_ENABLE_NODE:
+ break;
}
return len;
diff --git a/ctdb/protocol/protocol_debug.c b/ctdb/protocol/protocol_debug.c
index 56f14e32b09..2e5ed9f0ced 100644
--- a/ctdb/protocol/protocol_debug.c
+++ b/ctdb/protocol/protocol_debug.c
@@ -245,6 +245,8 @@ static void ctdb_opcode_print(uint32_t opcode, FILE *fp)
{ CTDB_CONTROL_VACUUM_FETCH, "VACUUM_FETCH" },
{ CTDB_CONTROL_DB_VACUUM, "DB_VACUUM" },
{ CTDB_CONTROL_ECHO_DATA, "ECHO_DATA" },
+ { CTDB_CONTROL_DISABLE_NODE, "DISABLE_NODE" },
+ { CTDB_CONTROL_ENABLE_NODE, "ENABLE_NODE" },
{ MAP_END, "" },
};
diff --git a/ctdb/server/ctdb_control.c b/ctdb/server/ctdb_control.c
index 95f3b175934..a9d1aa1b438 100644
--- a/ctdb/server/ctdb_control.c
+++ b/ctdb/server/ctdb_control.c
@@ -173,6 +173,40 @@ done:
TALLOC_FREE(state);
}
+static int ctdb_control_disable_node(struct ctdb_context *ctdb)
+{
+ struct ctdb_node *node;
+
+ node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+ if (node == NULL) {
+ /* Can't happen */
+ DBG_ERR("Unable to find current node\n");
+ return -1;
+ }
+
+ D_ERR("Disable node\n");
+ node->flags |= NODE_FLAGS_PERMANENTLY_DISABLED;
+
+ return 0;
+}
+
+static int ctdb_control_enable_node(struct ctdb_context *ctdb)
+{
+ struct ctdb_node *node;
+
+ node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+ if (node == NULL) {
+ /* Can't happen */
+ DBG_ERR("Unable to find current node\n");
+ return -1;
+ }
+
+ D_ERR("Enable node\n");
+ node->flags &= ~NODE_FLAGS_PERMANENTLY_DISABLED;
+
+ return 0;
+}
+
/*
process a control request
*/
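Review bot: The success-path messages `D_ERR("Disable node\n");` and `D_ERR("Enable node\n");` are logged at error level and name neither the node nor its previous state. These controls take a node out of service or return it, so a later investigation benefits from a record that identifies the node, for example `D_NOTICE("Disable node %u\n", node->pnn);` and the matching line for enable. Neither handler checks whether the flag already has the requested value, so a repeated request logs the same message as a real state change. If that is intentional, a short comment saying the operation is deliberately idempotent would help.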
@@ -828,6 +862,14 @@ static int32_t ctdb_control_dispatch(struct ctdb_context *ctdb,
return ctdb_control_echo_data(ctdb, c, indata, async_reply);
}
+ case CTDB_CONTROL_DISABLE_NODE:
+ CHECK_CONTROL_DATA_SIZE(0);
+ return ctdb_control_disable_node(ctdb);
+
+ case CTDB_CONTROL_ENABLE_NODE:
+ CHECK_CONTROL_DATA_SIZE(0);
+ return ctdb_control_enable_node(ctdb);
+
default:
DEBUG(DEBUG_CRIT,(__location__ " Unknown CTDB control opcode %u\n", opcode));
return -1;
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index 7ebb419bc1f..f64a0475348 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -1225,28 +1225,51 @@ failed:
return -1;
}
-static void initialise_node_flags (struct ctdb_context *ctdb)
+struct ctdb_node *ctdb_find_node(struct ctdb_context *ctdb, uint32_t pnn)
{
+ struct ctdb_node *node = NULL;
unsigned int i;
+ if (pnn == CTDB_CURRENT_NODE) {
+ pnn = ctdb->pnn;
+ }
+
/* Always found: PNN correctly set just before this is called */
for (i = 0; i < ctdb->num_nodes; i++) {
- if (ctdb->pnn == ctdb->nodes[i]->pnn) {
- break;
+ node = ctdb->nodes[i];
+ if (pnn == node->pnn) {
+ return node;
}
}
- ctdb->nodes[i]->flags &= ~NODE_FLAGS_DISCONNECTED;
+ return NULL;
+}
+
+static void initialise_node_flags (struct ctdb_context *ctdb)
+{
+ struct ctdb_node *node = NULL;
+
+ node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+ /*
+ * PNN correctly set just before this is called so always
+ * found but keep static analysers happy...
+ */
+ if (node == NULL) {
+ DBG_ERR("Unable to find current node\n");
+ return;
+ }
+
--
Samba Shared Repository