[SCM] Samba Shared Repository - branch v4-16-stable updated
Jule Anger
janger at samba.org
Tue Mar 1 08:43:08 UTC 2022
The branch, v4-16-stable has been updated
via 3b4041236d1 VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc4 release.
via d89d82bdde4 WHATSNEW: Add release notes for Samba 4.16.0rc4.
via 2d87ade08a6 waf: re-add missing readlink test
via 76463193044 readlink test: inverse return code
via e82833a1078 vfs_aixacl: add proper header file
via 821e16c077c wscript: s/default/required/ _static_modules for the acl modules
via 9016cb5c643 acl: fix function arguments for AIX' and Solaris' sys_acl_get_fd()
via 4346dac73a4 s3:winbind: Use the canonical principal name to renew the credentials
via e3efe2d0de2 s3:winbind: Store canonical principal and realm in ccache entry
via 85fdd88e3ca s3:libads: Return canonical principal and realm from kerberos_return_pac()
via a4b9a9ce8ef lib:krb5_wrap: Fix wrong debug message and use newer debug macro
via 7db685f8422 lib:krb5_wrap: Improve debug message and use newer debug macro
via 3fef25f2e62 s3:libads: Fix memory leak in kerberos_return_pac() error path
via 48929ba6634 docs-xml: Fix idmap_autorid documentation
via be4e42f01fb s3:utils: Add a testparm check for idmap autorid
via 0d27228e75c s3:winbindd: Add a sanity check for the range
via 79b42f0f2bf ctdb-tests: Add a test for stalled node triggering election
via f3047e90a86 ctdb-tests: Factor out functions to detect when generation changes
via d0133dd3a54 ctdb-recoverd: Consistently log start of election
via ddda97dc146 ctdb-recoverd: Always send unknown leader broadcast when starting election
via 758e953ee07 ctdb-recoverd: Consistently have caller set election-in-progress
via 07540a8cf45 ctdb-recoverd: Always cancel election in progress
via caa6785eff0 VERSION: Bump version up to Samba 4.16.0rc4...
from 2517bca6b10 VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc3 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 21 ++++++++-
ctdb/server/ctdb_recoverd.c | 17 ++++----
.../simple/cluster.015.reclock_remove_lock.sh | 14 +-----
.../cluster.030.node_stall_leader_timeout.sh | 48 ++++++++++++++++++++
ctdb/tests/scripts/integration.bash | 44 +++++++++++++++++++
docs-xml/manpages/idmap_autorid.8.xml | 8 +++-
lib/krb5_wrap/krb5_samba.c | 7 ++-
source3/lib/sysacls.c | 6 ++-
source3/libads/authdata.c | 33 ++++++++++++--
source3/libads/kerberos_proto.h | 2 +
auth/auth_util.h => source3/modules/vfs_aixacl.h | 26 ++++++-----
source3/modules/vfs_solarisacl.h | 1 +
source3/utils/net_ads.c | 2 +
source3/utils/testparm.c | 51 ++++++++++++++++++++++
source3/winbindd/idmap_autorid.c | 7 +--
source3/winbindd/winbindd.h | 2 +
source3/winbindd/winbindd_cred_cache.c | 18 +++++++-
source3/winbindd/winbindd_pam.c | 12 ++++-
source3/winbindd/winbindd_proto.h | 4 +-
source3/wscript | 12 +++--
tests/readlink.c | 11 +++--
22 files changed, 291 insertions(+), 57 deletions(-)
create mode 100755 ctdb/tests/INTEGRATION/simple/cluster.030.node_stall_leader_timeout.sh
copy auth/auth_util.h => source3/modules/vfs_aixacl.h (54%)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 7c79f3655c4..f667b0d2f2d 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=3
+SAMBA_VERSION_RC_RELEASE=4
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cdd911d40b1..e511e17c4c8 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the third release candidate of Samba 4.16. This is *not*
+This is the fourth release candidate of Samba 4.16. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -174,6 +174,25 @@ smb.conf changes
rpc start on demand helpers Added true
+CHANGES SINCE 4.16.0rc3
+=======================
+
+o Samuel Cabrero <scabrero at suse.de>
+ * BUG 14979: Problem when winbind renews Kerberos.
+
+o Björn Jacke <bj at sernet.de>
+ * BUG 13631: DFS fix for AIX broken.
+ * BUG 14974: Solaris and AIX acl modules: wrong function arguments.
+ * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
+ id range only once.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14958: CTDB can get stuck in election and recovery.
+
+
CHANGES SINCE 4.16.0rc2
=======================
diff --git a/ctdb/server/ctdb_recoverd.c b/ctdb/server/ctdb_recoverd.c
index cc239959c56..03698ef2928 100644
--- a/ctdb/server/ctdb_recoverd.c
+++ b/ctdb/server/ctdb_recoverd.c
@@ -1836,7 +1836,7 @@ static void cluster_lock_election(struct ctdb_recoverd *rec)
if (cluster_lock_held(rec)) {
cluster_lock_release(rec);
}
- return;
+ goto done;
}
/*
@@ -1844,11 +1844,10 @@ static void cluster_lock_election(struct ctdb_recoverd *rec)
* attempt to retake it. This provides stability.
*/
if (cluster_lock_held(rec)) {
- return;
+ goto done;
}
rec->leader = CTDB_UNKNOWN_PNN;
- rec->election_in_progress = true;
ok = cluster_lock_take(rec);
if (ok) {
@@ -1856,6 +1855,7 @@ static void cluster_lock_election(struct ctdb_recoverd *rec)
D_WARNING("Took cluster lock, leader=%"PRIu32"\n", rec->leader);
}
+done:
rec->election_in_progress = false;
}
@@ -1867,7 +1867,7 @@ static void force_election(struct ctdb_recoverd *rec)
int ret;
struct ctdb_context *ctdb = rec->ctdb;
- DEBUG(DEBUG_INFO,(__location__ " Force an election\n"));
+ D_ERR("Start election\n");
/* set all nodes to recovery mode to stop all internode traffic */
ret = set_recovery_mode(ctdb, rec, rec->nodemap, CTDB_RECOVERY_ACTIVE);
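Review bot: logging "Start election" with D_ERR in force_election() puts a normal state transition at error severity (it was DEBUG_INFO before), while the neighbouring messages in this patch use D_NOTICE and D_WARNING. If the intent is that the message always shows up at default log levels, say so in a comment; otherwise D_NOTICE would keep error-level log filters and alerts meaningful.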
@@ -1876,13 +1876,16 @@ static void force_election(struct ctdb_recoverd *rec)
return;
}
+ rec->election_in_progress = true;
+ /* Let other nodes know that an election is underway */
+ leader_broadcast_send(rec, CTDB_UNKNOWN_PNN);
+
if (cluster_lock_enabled(rec)) {
cluster_lock_election(rec);
return;
}
talloc_free(rec->election_timeout);
- rec->election_in_progress = true;
rec->election_timeout = tevent_add_timer(
ctdb->ev, ctdb,
fast_start ?
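Review bot: rec->election_in_progress is now set here in force_election() but cleared at the done: label inside cluster_lock_election(), so ownership of the flag is split across two functions with nothing documenting that cluster_lock_election() expects its caller to have set it. A one-line comment above cluster_lock_election() stating that contract would stop a future caller from invoking it without the flag set. A blank line between the assignment and the "Let other nodes know" comment would also make clear the comment refers only to leader_broadcast_send().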
@@ -1975,10 +1978,8 @@ static void leader_broadcast_timeout_handler(struct tevent_context *ev,
rec->leader_broadcast_timeout_te = NULL;
- /* Let other nodes know that an election is underway */
- leader_broadcast_send(rec, CTDB_UNKNOWN_PNN);
+ D_NOTICE("Leader broadcast timeout\n");
- D_NOTICE("Leader broadcast timeout. Force election\n");
force_election(rec);
}
diff --git a/ctdb/tests/INTEGRATION/simple/cluster.015.reclock_remove_lock.sh b/ctdb/tests/INTEGRATION/simple/cluster.015.reclock_remove_lock.sh
index 35363d11f1d..2283c30edbf 100755
--- a/ctdb/tests/INTEGRATION/simple/cluster.015.reclock_remove_lock.sh
+++ b/ctdb/tests/INTEGRATION/simple/cluster.015.reclock_remove_lock.sh
@@ -56,24 +56,14 @@ echo
leader_get "$test_node"
-echo "Get initial generation"
-ctdb_onnode "$test_node" status
-# shellcheck disable=SC2154
-# $outfile set by ctdb_onnode() above
-generation_init=$(sed -n -e 's/^Generation:\([0-9]*\)/\1/p' "$outfile")
-echo "Initial generation is ${generation_init}"
-echo
+generation_get
echo "Remove recovery lock"
rm "$reclock"
echo
# This will mean an election has taken place and a recovery has occured
-echo "Wait until generation changes"
-wait_until 30 generation_has_changed "$test_node" "$generation_init"
-echo
-echo "Generation changed to ${generation_new}"
-echo
+wait_until_generation_has_changed "$test_node"
# shellcheck disable=SC2154
# $leader set by leader_get() above
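Review bot: generation_get is called without an argument at the top of this hunk, but the helper added in integration.bash reads local node="$1" and passes it to ctdb_onnode "$node" status, and the removed lines queried "$test_node" explicitly. Pass the node the way the new cluster.030 test does, generation_get "$test_node", so the initial generation is read from the same node that wait_until_generation_has_changed "$test_node" polls.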
diff --git a/ctdb/tests/INTEGRATION/simple/cluster.030.node_stall_leader_timeout.sh b/ctdb/tests/INTEGRATION/simple/cluster.030.node_stall_leader_timeout.sh
new file mode 100755
index 00000000000..7bca58c222b
--- /dev/null
+++ b/ctdb/tests/INTEGRATION/simple/cluster.030.node_stall_leader_timeout.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Verify that nothing bad occurs if a node stalls and the leader
+# broadcast timeout triggers
+
+. "${TEST_SCRIPTS_DIR}/integration.bash"
+
+set -e
+
+ctdb_test_init
+
+select_test_node
+echo
+
+echo 'Get "leader timeout":'
+conf_tool="${CTDB_SCRIPTS_HELPER_BINDIR}/ctdb-config"
+# shellcheck disable=SC2154
+# $test_node set by select_test_node() above
+try_command_on_node "$test_node" "${conf_tool} get cluster 'leader timeout'"
+# shellcheck disable=SC2154
+# $out set by ctdb_onnode() above
+leader_timeout="$out"
+echo "Leader timeout is ${leader_timeout} seconds"
+echo
+
+# Assume leader timeout is reasonable and doesn't cause node to be
+# disconnected
+stall_time=$((leader_timeout * 2))
+
+generation_get "$test_node"
+
+echo "Get ctdbd PID on node ${test_node}..."
+ctdb_onnode -v "$test_node" "getpid"
+ctdbd_pid="$out"
+echo
+
+echo "Sending SIGSTOP to ctdbd on ${test_node}"
+try_command_on_node "$test_node" "kill -STOP ${ctdbd_pid}"
+
+sleep_for "$stall_time"
+
+echo "Sending SIGCONT to ctdbd on ${test_node}"
+try_command_on_node "$test_node" "kill -CONT ${ctdbd_pid}"
+echo
+
+wait_until_generation_has_changed "$test_node"
+
+cluster_is_healthy
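Review bot: leader_timeout is taken straight from "$out" and used in stall_time=$((leader_timeout * 2)) without checking that it is a non-empty integer, and ctdbd_pid="$out" is passed to kill -STOP the same way. An empty or unexpected value would either abort the arithmetic or produce a zero-length stall that makes the test pass without exercising the timeout. Validate both values (for example with a case pattern that rejects anything other than digits) before using them. Two smaller points: the comment "$out set by ctdb_onnode() above" follows a try_command_on_node call, not ctdb_onnode, and the ctdbd_pid="$out" assignment lacks the shellcheck annotation the earlier assignment has. Since the script runs under set -e, a trap that sends SIGCONT on exit would also avoid leaving ctdbd stopped if the script exits between the two kill calls.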
diff --git a/ctdb/tests/scripts/integration.bash b/ctdb/tests/scripts/integration.bash
index 25ee4d945cc..eb3db1e1849 100644
--- a/ctdb/tests/scripts/integration.bash
+++ b/ctdb/tests/scripts/integration.bash
@@ -688,6 +688,50 @@ wait_until_leader_has_changed ()
#######################################
+# sets: generation
+_generation_get ()
+{
+ local node="$1"
+
+ ctdb_onnode "$node" status
+ # shellcheck disable=SC2154
+ # $outfile set by ctdb_onnode() above
+ generation=$(sed -n -e 's/^Generation:\([0-9]*\)/\1/p' "$outfile")
+}
+
+generation_get ()
+{
+ local node="$1"
+
+ echo "Get generation"
+ _generation_get "$node"
+ echo "Generation is ${generation}"
+ echo
+}
+
+_generation_has_changed ()
+{
+ local node="$1"
+ local generation_old="$2"
+
+ _generation_get "$node"
+
+ [ "$generation" != "$generation_old" ]
+}
+
+# uses: generation
+wait_until_generation_has_changed ()
+{
+ local node="$1"
+
+ echo "Wait until generation changes..."
+ wait_until 30 _generation_has_changed "$node" "$generation"
+ echo "Generation changed to ${generation}"
+ echo
+}
+
+#######################################
+
wait_for_monitor_event ()
{
local pnn="$1"
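Review bot: the sed expression in _generation_get uses \([0-9]*\), which also matches the empty string, so a "Generation:" line whose value does not start with a digit still matches and the non-numeric remainder is printed into $generation; if the line is missing altogether, $generation ends up empty. _generation_has_changed then compares with a plain string != test, so either case counts as "changed" and wait_until_generation_has_changed can return early and report a non-numeric or empty generation. Tighten the pattern to require at least one digit up to end of line and have _generation_has_changed return failure when $generation is empty, so only a transition to a new numeric generation ends the wait.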
diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml
index 6c4da1cad8a..980718f0bd4 100644
--- a/docs-xml/manpages/idmap_autorid.8.xml
+++ b/docs-xml/manpages/idmap_autorid.8.xml
@@ -48,7 +48,13 @@
and the corresponding map is discarded. It is
intended as a way to avoid accidental UID/GID
overlaps between local and remotely defined
- IDs.
+ IDs. Note that the range should be a multiple
+ of the rangesize and needs to be at least twice
+ as large in order to have sufficient id range
+ space for the mandatory BUILTIN domain.
+ With a default rangesize of 100000 the range
+ needs to span at least 200000.
+ This would be: range = 100000 - 299999.
</para></listitem>
</varlistentry>
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 61d651b4d5f..99809ffea27 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1084,7 +1084,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
goto done;
}
- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
/* FIXME: we should not fall back to defaults */
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
@@ -1106,7 +1106,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
+ "for client '%s' and service '%s' failed: %s\n",
+ ccache_string, client_string, service_string,
+ error_message(ret));
goto done;
}
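Review bot: client_string and service_string are passed directly to %s in the new DBG_DEBUG on the krb5_get_renewed_creds failure path, and nothing in the visible lines establishes that either is non-NULL at this point. If callers are allowed to pass NULL for either argument, substitute a placeholder string in the format arguments rather than relying on the C library's handling of NULL with %s. The same applies to client_string in the "Using %s as ccache for '%s'" message in the previous hunk.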
diff --git a/source3/lib/sysacls.c b/source3/lib/sysacls.c
index d42337190c3..891fabea21e 100644
--- a/source3/lib/sysacls.c
+++ b/source3/lib/sysacls.c
@@ -34,6 +34,10 @@
#include "modules/vfs_hpuxacl.h"
#endif
+#if defined(HAVE_AIX_ACLS)
+#include "modules/vfs_aixacl.h"
+#endif
+
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_ACLS
@@ -410,7 +414,7 @@ SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle,
SMB_ACL_TYPE_T type,
TALLOC_CTX *mem_ctx)
{
- return solarisacl_sys_acl_get_fd(handle, fsp,
+ return solarisacl_sys_acl_get_fd(handle, fsp, type,
mem_ctx);
}
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index dd21d895fc2..bf9a2335445 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -57,11 +57,16 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **_pac_data_ctr)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
+ DATA_BLOB tkt = data_blob_null;
+ DATA_BLOB tkt_wrapped = data_blob_null;
+ DATA_BLOB ap_rep = data_blob_null;
+ DATA_BLOB sesskey1 = data_blob_null;
const char *auth_princ = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
struct auth_session_info *session_info;
@@ -72,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -81,7 +88,16 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(sesskey1);
if (!name || !pass) {
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (_canon_principal != NULL) {
+ *_canon_principal = NULL;
+ }
+
+ if (_canon_realm != NULL) {
+ *_canon_realm = NULL;
}
if (cache_name) {
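Review bot: the new *_canon_principal = NULL and *_canon_realm = NULL initialisation sits after the !name || !pass check, so on that early goto out path the caller's output pointers are left untouched. A caller that declares them without an initialiser and frees them on failure would then act on indeterminate values. Move the two NULL assignments above the parameter check so every exit path leaves the out-parameters in a defined state.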
@@ -105,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
- NULL, NULL, NULL,
+ tmp_ctx,
+ &canon_principal,
+ &canon_realm,
&status);
if (ret) {
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
@@ -131,7 +149,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
if (expire_time && renew_till_time &&
(*expire_time == 0) && (*renew_till_time == 0)) {
- return NT_STATUS_INVALID_LOGON_TYPE;
+ status = NT_STATUS_INVALID_LOGON_TYPE;
+ goto out;
}
ret = ads_krb5_cli_get_ticket(mem_ctx,
@@ -238,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
}
*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+ if (_canon_principal != NULL) {
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+ }
+ if (_canon_realm != NULL) {
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+ }
out:
talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 3d7b5bc074b..807381248c8 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **pac_data_ctr);
/* The following definitions come from libads/krb5_setpw.c */
diff --git a/auth/auth_util.h b/source3/modules/vfs_aixacl.h
similarity index 54%
copy from auth/auth_util.h
copy to source3/modules/vfs_aixacl.h
index 0af6ff5ec6c..f9fe3f85dc6 100644
--- a/auth/auth_util.h
+++ b/source3/modules/vfs_aixacl.h
@@ -1,8 +1,5 @@
/*
- Unix SMB/CIFS implementation.
- Authentication utility functions
-
- Copyright (C) Andrew Bartlett <abartlet at samba.org> 2017
+ Copyright (C) Bjoern Jacke <bjacke at samba.org> 2022
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -18,15 +15,20 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#ifndef __AUTH_AUTH_UTIL_H__
-#define __AUTH_AUTH_UTIL_H__
+#ifndef __VFS_AIXACL_H__
+#define __VFS_AIXACL_H__
+
+SMB_ACL_T aixacl_sys_acl_get_fd(vfs_handle_struct *handle,
+ files_struct *fsp,
+ SMB_ACL_TYPE_T type,
+ TALLOC_CTX *mem_ctx);
-#include "replace.h"
-#include <talloc.h>
-#include "librpc/gen_ndr/auth.h"
+int aixacl_sys_acl_set_fd(vfs_handle_struct *handle,
+ files_struct *fsp,
+ SMB_ACL_TYPE_T type,
+ SMB_ACL_T acl_d);
-struct auth_session_info *copy_session_info(
- TALLOC_CTX *mem_ctx,
- const struct auth_session_info *src);
+int aixacl_sys_acl_delete_def_fd(vfs_handle_struct *handle,
+ files_struct *fsp);
#endif
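Review bot: the new vfs_aixacl.h declares prototypes using vfs_handle_struct, files_struct, SMB_ACL_T, SMB_ACL_TYPE_T and TALLOC_CTX, but the hunk removes every #include from the copied file and adds none, so the header only compiles when the including file has already pulled in those types. Either include the headers that define them or add a comment naming what must be included first. The file header comment also no longer says what the file is for; a one-line description above the copyright line would match the one that was removed.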
diff --git a/source3/modules/vfs_solarisacl.h b/source3/modules/vfs_solarisacl.h
index f914304fd24..54d538c25a8 100644
--- a/source3/modules/vfs_solarisacl.h
+++ b/source3/modules/vfs_solarisacl.h
@@ -27,6 +27,7 @@ SMB_ACL_T solarisacl_sys_acl_get_file(vfs_handle_struct *handle,
SMB_ACL_T solarisacl_sys_acl_get_fd(vfs_handle_struct *handle,
files_struct *fsp,
+ SMB_ACL_TYPE_T type,
TALLOC_CTX *mem_ctx);
int solarisacl_sys_acl_set_fd(vfs_handle_struct *handle,
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index d1fc3289184..d666f7fc3ec 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2976,6 +2976,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
2592000, /* one month */
impersonate_princ_s,
local_service,
+ NULL,
+ NULL,
pac_data_ctr);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
--
Samba Shared Repository