[SCM] Samba Shared Repository - branch v4-19-stable updated
Jule Anger
janger at samba.org
Fri Jul 28 12:16:52 UTC 2023
The branch, v4-19-stable has been updated
via 4f12024cafa VERSION: Disable GIT_SNAPSHOT for the Samba 4.19.0rc1 release.
via 6943c1e3cde WHATSNEW: Up to Samba 4.19.0rc1.
via 94f11c3c21b ldb: release 2.8.0 for use in Samba 4.19.x
via 7920d2ff627 ctdb-tools: Improve printing of multi-line event script output
via e3c0b72c340 ctdb-tools: Always print script output in event status
via e36a4149d80 librpc/idl: Remove DCOM and WMI IDL
via abc3d58e1cc dcom: Remove remainder of DCOM test client code
via 959dc9068d1 librpc:crypto: SAFE_FREE() -> krb5_free_enctypes()
via 05056775eae librpc:crypto: SAFE_FREE() -> krb5_free_string()
via ec121eb831d auth:credentials: SAFE_FREE() -> krb5_free_string()
via cd60e3fdef4 auth:credentials: SAFE_FREE() -> krb5_free_enctypes()
via c5778a0fbdd krb5_wrap: add krb5_free_string()
via 75139445c20 krb5_wrap: add krb5_free_enctypes()
via 9338d1b17c4 smbd: move tevent_req_post() out of smbd_smb2_create_after_exec()
via 20df26b9081 s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators.
via 2aa9ffa2f0f s3: torture: Add test to show an SMB1 DFS path of "\x//\/" crashes smbd.
via c2e83ebe726 mdssvc: fix returning file modification date for older Mac releases
via 620ca1e68d0 mdssvc: fix date marshalling
via 9dc66fecf7c mdssvc: prepare for returning timestamps with sub-seconds granularity
via 724a0518c90 mdssvc: reduce pagesize to 50
via 7f5e4edf64f tests/mdssvc: match hits:total:value to be the actual amount of entries in hits
via d8fa5c8e2a1 mdssvc: fix enforcement of "elasticsearch:max results"
via 086c2602d07 mdssvc: add and use SL_PAGESIZE
via 925fefae20e mdssvc: fix long running backend queries
via 4149ef97e59 mdssvc: set query state for continued queries to SLQ_STATE_RUNNING
via e86e0da9de6 WHATSNEW: Add TLS cert reload feature
via a1b1f8ffd20 doc-xml: Add entry for reload-certs for new LDAP certificate reload function
via 9facc2e1d85 docs-xml: Fix invalid XML in smbcontrol manpage
via 4516fee9b52 testprogs/blackbox: add test_ldap_tls_reload.sh
via 0c7cfb7a115 s4:ldap_server: reload tls certificates on smbcontrol reload-certs
via 321162c9bfc s4:ldap_server: remember dns_host_name in ldap_service
via cc4995d932d s4:ldap_server: don't store task_server in ldapsrv_service
via 7804bf55ad0 s4:tls_tstream: create tstream_tls_params_internal
via bed915d098e s3:smbcontrol: improve destination resolution using names db
via 1472e4c9dbf s4:process_prefork: create new messaging context for the master process
via 3af6ad6eea7 s4:process: add method called before entering the tevent_loop_wait
via c8ee3d45252 s4:process_prefork: avoid memory leaks caused by messaging_post_self
via dd998cc1633 s3:winbindd: Fix double close(fd)
via 61c951e063e mdscli: correct handling of in-progress searches
via 424af98c894 mdscli: increase MAX_SLQ_COUNT
via b8e0f02f081 mdscli: increase MAX_SLQ_TOCIDX
via 1149d497b35 mdssvc: increase MAX_SLQ_TOC
via 68bb582bc51 mdssvc: introduce MAX_MDSCMD_SIZE
via c2b4fe3fb7c mdscli: add fragmentation support
via 27980c87c9b mdssvc: remove duplicate define of MAX_SL_FRAGMENT_SIZE
via 566427c4f0e librpc/idl: mdssvc: unkn4 field is a fragment indicator
via 5442c47dad2 libsmb: increase a debug level when site-aware DC lookup failed
via 9bab902fc50 CVE-2023-3347: smbd: fix "server signing = mandatory"
via 5a222ac3718 CVE-2023-3347: smbd: remove comment in smbd_smb2_request_process_negprot()
via 59131d6c345 CVE-2023-3347: smbd: inline smb2_srv_init_signing() code in srv_init_signing()
via 1662eeeb7a6 CVE-2023-3347: smbd: pass lp_ctx to smb[1|2]_srv_init_signing()
via a9a2b182df7 CVE-2023-3347: CI: add a test for server-side mandatory signing
via 578e434a941 CVE-2023-34968: mdssvc: return a fake share path
via 94fcbec8af5 CVE-2023-34968: mdscli: return share relative paths
via d402c0cc6ad CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()
via ac9008a20c8 CVE-2023-34968: mdssvc: switch to doing an early return
via 33b82c6185b CVE-2023-34968: mdssvc: remove response blob allocation
via 5c9efa9604d CVE-2023-34968: rpcclient: remove response blob allocation
via 6d77daa3af0 CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c
via e85e09eee93 CVE-2023-34968: mdscli: remove response blob allocation
via 617fe37cc2a CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob
via 70184ef3b40 CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()
via 02552493e37 CVE-2023-34968: mdssvc: cache and reuse stat info in struct sl_inode_path_map
via 4c60e35add4 CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()
via 3b3c30e2acf CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()
via 38664163fca CVE-2023-34966: mdssvc: harden sl_unpack_loop()
via 10b6890d26b CVE-2023-34966: CI: test for sl_unpack_loop()
via e067c523b17 CVE-2022-2127: ntlm_auth: cap lanman response length value
via b2de71734f0 CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks
via 76ad44f446c lib/cmdline: Also redact --newpassword in samba_cmdline_burn()
via 414b3803bb6 lib/cmdline: Also burn the --password2 parameter if given
via a53ebc288f4 samba-tool: Use samba.glue.get_burnt_cmdline rather than regex
via 3f9e4558985 python: Add glue.burn_commandline() method
via 5afd206d1d8 python: Remove const from PyList_AsStringList()
via fd81759e2ed python: Move PyList_AsStringList to common code so we can reuse
via 848fea1a01a lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn()
via 0da6cc71054 claims.idl: Fix AD claims encoding
via 3109899299e lib/fault: During smb_panic() print process comment and setprocname() title
via e401ae44b2f python/samba: Adjust tarfile extraction filter
via 5e473cba0d3 WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction
via 3f253002280 WHATSNEW: mention KDC auditing
via b9667bc29a6 WHATSNEW: FAST support, Claims compression, SID compression
via 6844def6675 WHATSNEW: Mention Heimdal updates
via fbed6d80b1f WHATSNEW: Expand detail on what of 2012, 2012R2 and 2016 support is implemented
via 29310f27d49 WHATSNEW: PKINIT testing
via fb27e01b36f WHATSNEW: Include info on new samba-tool features
via 0ee8c263f61 WHATSNEW: Add text on PKINIT Certificate Revocation
via 980c1565ed1 s4:param: replace calls to deprecated Python methods
via ca5cc05b22b s3:script: Replace --merge by --merge-by-timestamp in samba-log-parser
via 16386bfd4cd docs-xml:manpages: Fix tabs in samba-log-parser.1.xml
via 6539f1e4cd6 s3:winbindd: Change the TALLOC_CTX to fix the tevent call depth tracking
via 801772012eb Revert "s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon"
via 40fb810de39 s4:dns_server: Add some more debugging in order to find problems with level 10 logs
via 76b0530e673 s4:dns_server: defer calling werr_to_dns_err() in a central place
via fb4bb188acf s3:waf: Fix code spelling
via 83b58255ed5 s3:winbindd: Fix code spelling
via 746ef717a74 s3:utils: Fix code spelling
via 4cff81603ab s3:torture: Fix code spelling
via 7077ae40423 s3:smbd: Fix code spelling
via feee2018883 s3:smbd: Fix trailing white spaces in quotas.c
via 26d9da1543f s3:smbd: Fix trailing white spaces in dmapi.c
via 9fd809296ce s3:selftest: Fix code spelling
via 18dd3f3dd31 s3:script: Fix code spelling
via 9826fd4588f s3:rpc_server: Fix code spelling
via 4a817b1655d s3:rpc_client: Fix code spelling
via 6a359944f1f s3:registry: Fix code spelling
via 1517fd17094 s3:printing: Rename variably to dummy to make codespell happy
via 73abbd1465e s3:printing: Fix code spelling
via d8dd743f0b2 s3:printing: Fix trailing white spaces in print_iprint.c
via d41702abe09 s3:passdb: Fix code spelling
via 57047ca56d6 s3:param: Fix code spelling
via f8d5e70a913 s3:param: Rename bLoaded global variable
via 6e4c7ae9a2e ctdb-tests: Log to stderr in statd-callout tests
via ef15a34d5dd ctdb-scripts: Support script logging to stderr
via 0ac9413735a ctdb-scripts: Avoid ShellCheck warning SC2162
via 59c5010b6ec ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
via 2e2d81b92a9 ctdb-recoverd: CID 1509028 - Use of 32-bit time_t (Y2K38_SAFETY)
via 862fc5770cb ctdb: Do not use egrep
via 4deb178eb3e ctdb-doc: Correct bit-rotted documenation
via dbbede407f7 ctdb-utils: Drop unused scsi_io.c source file
via 7c0a1c1e13f s3:winbind: Set/unset the winbind_call_flow callback if log level changes
via a1b2f17c6db s3:winbind: Update winbind to tevent 0.15.0 API
via 5b130e620fa s3:winbind: Add callback winbind_call_flow()
via 24120728bb2 ldb: call tevent_set_max_debug_level(TEVENT_DEBUG_TRACE) together with ldb_tevent_debug()
via 0031a102c3d lib/util: call tevent_set_max_debug_level() in samba_tevent_set_debug()
via 6a80d170bca tevent: version 0.15.0
via 0ddf8b5645e tevent: add tevent_common_fd_str() helper
via 2645be60d7a tevent: avoid calling epoll_update_event() again if epoll_check_reopen() already did it
via e9d98097346 tevent: let epoll_check_reopen() clear all events before reopening them
via 3217d5dc1d6 tevent: avoid epoll_check_reopen() overhead unless required
via d94b9c81242 tevent: make use of TEVENT_DEBUG() when using TEVENT_DEBUG_TRACE
via 812313f1c82 tevent: add TEVENT_DEBUG() avoid argument overhead when log is not active...
via 2c78a4f527e tevent: introduce tevent_set_max_debug_level() (default TEVENT_DEBUG_WARNING)
via 86140d7c381 tevent: add fd_speed test
via d7b29125c01 tevent: Flow: add tevent_thread_call_depth_set_callback()
via 0c4d6e630f5 tevent: Flow: store cleanup function name in tevent_req
via 85e43e70b20 tevent: Flow: store cancel function name in tevent_req
via 5e83691d1ed tevent: Flow: store trigger function name in tevent_queue_entry
via deec9994eb8 tevent: Flow: store callback function name in tevent_req
via fb3a9cd7329 tevent: Flow: pass function name to tevent_req_create()
via 1c9e9f46046 tevent: Deprecate some tevent_thread_call_depth_*() functions
via e9f38f6e6d8 tevent: Move definition of _DEPRECATED_ to the top of tevent.h
via 28ddcaf4d8e s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon
via c1124ec8e5d tevent: add tevent_dlinklist.h as copy from lib/util/dlinklist.h
via e3c77030fee lib/util: dlinklist.h sync with LGPL copy from lib/ldb/include/dlinklist.h
via 8edb16a3964 ldb: clarify LGPL scope of include/dlinklist.h
via 18e18006ad0 ldb: remove trailing whitespaces from include/dlinklist.h
via a665d44f22c tevent: rely on epoll_create1() for epoll interface
via 0daa9ebc235 lib:replace: rely on epoll_create1() for epoll interface
via b649c7d3c2b tdb: release 1.4.9
via 791e2817e13 talloc: release 2.4.1
via bb6fecd9ac5 netcmd: sites: add sites and subnet list and view commands to manpage
via 7f7d68573c3 netcmd: sites: add missing subnet commands to samba-tool manpage
via 5e4a6cd75a1 netcmd: sites: tests for list and view sites and subnet
via 3cf81e98f36 netcmd: sites: make use of ldb_connect from base class
via 752eae68c2a netcmd: add list and view commands for sites and subnets
via b9d01c64207 netcmd: add Subnet and Site models
via 5f69220f0af WHATSNEW: Update minimum GnuTLS version
via f050124a96c lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds
via 9ea606dad11 lib/fuzzing: adapt fuzz_sddl_access_check for AD variant
via 89b02bad3e2 lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant
via eb2bed3899b lib/fuzzing: add fuzzer for arbitrary token/sd access checks
via 5ad28bd7605 lib/fuzzing: add fuzz_sddl_access_check
via 3ed1ba6fedd s4:provision: use better values for operatingSystem[Version]
via 9a79bed41e2 s4:pydsdb: add dc_operatingSystemVersion() helper
via b058b39f38b s4:dsdb: let dsdb_check_and_update_fl() also operatingSystem[Version]
via 16865d6d439 upgradeprovision: handle operatingSystem similar to operatingSystemVersion
via 85080ba9ea0 ldapcmp: also ignore operatingSystem similar to operatingSystemVersion
via 56ee153cae3 netlogon.idl: add some comments to netr_OsVersionInfoEx
via 81058c60136 third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498)
via 90b240be086 tests/krb5: Add a test for PK-INIT with a revoked certificate
via 2ab15cf1172 tests/krb5: Allow passing a pre-created certificate into _pkinit_req()
via b73a01eefd2 tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key
via 01196cc741d tests/krb5: Factor out a method to fetch the CA certificate and private key
via ce9786748b7 tests/krb5: Factor out a method to create a certificate
via db64b2762c4 s4:kdc: Add auth_data_reqd flag to SDBFlags
via 7340351097a third_party/heimdal_build: Make Heimdal version strings const
via a25f549e9a0 third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)
via 5bfccbb7643 tests/krb5: Test Windows 2000 variant of PK-INIT
via af97579f161 tests/krb5: Add ASN.1 definitions for Windows 2000 PK-INIT
via ecc62bc1207 tests/krb5: Add tests for PK-INIT Freshness Extension (RFC 8070)
via f7393da2c07 tests/krb5: Remove unused methods
via 97ead77767c tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer
via 3ea1c559213 tests/krb5: Add PK-INIT testing framework
via 699d211084f tests/krb5: Allow KerberosCredentials to have associated RSA private key
via 7584e7a3a13 tests/krb5: Add helper methods for PK-INIT testing
via 7f9547fda79 tests/krb5: Refactor encryption type selection
via ef9ffbacb9c tests/krb5: Add PK-INIT ASN1 definitions and include licence
via 477fbd7bb4c tests/krb5: Add PKINIT pre-authentication types
via 8a0bde46a25 tests/krb5: Add PKINIT typed data errors
via d818ed644a5 tests/krb5: Add PKINIT error codes
via 7d2c267ae1a s4:kdc: Fix wrong debug message
via 97cde6f97b4 tests/krb5: Remove unused variables
from 7d2c68f2e25 s3:nmbd: Fix code spelling
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-stable
Summary of changes:
VERSION | 6 +-
WHATSNEW.txt | 133 +-
auth/credentials/credentials_krb5.c | 3 +-
auth/credentials/pycredentials.c | 2 +-
ctdb/config/events/README | 2 +-
ctdb/config/functions | 966 +++++-----
ctdb/event/event_tool.c | 61 +-
ctdb/server/ctdb_recoverd.c | 2 +-
ctdb/tests/CLUSTER/complex/scripts/local.bash | 2 +-
.../INTEGRATION/simple/cluster.090.unreachable.sh | 2 +-
.../etc-ctdb/events/random/02.enabled.script | 29 +
ctdb/tests/UNIT/eventd/eventd_008.sh | 54 +
ctdb/tests/UNIT/eventscripts/etc-ctdb/rc.local | 5 -
ctdb/tests/UNIT/eventscripts/scripts/local.sh | 4 +-
ctdb/tools/ctdb_diagnostics | 2 +-
ctdb/utils/scsi_io/scsi_io.c | 1152 ------------
docs-xml/manpages/samba-log-parser.1.xml | 43 +-
docs-xml/manpages/samba-tool.8.xml | 51 +
docs-xml/manpages/smbcontrol.1.xml | 11 +-
lib/cmdline/cmdline.c | 19 +-
lib/cmdline/cmdline.h | 4 +-
lib/fuzzing/fuzz_sddl_access_check.c | 144 ++
lib/fuzzing/fuzz_security_token_vs_descriptor.c | 78 +
lib/fuzzing/patches/collect-access-check-seeds.txt | 253 +++
lib/fuzzing/wscript_build | 52 +-
lib/krb5_wrap/krb5_samba.c | 14 +-
lib/krb5_wrap/krb5_samba.h | 8 +
lib/ldb/common/ldb.c | 2 +
lib/ldb/include/dlinklist.h | 9 +-
lib/ldb/wscript | 2 +-
lib/replace/wscript | 4 +-
...oc-util-2.3.0.sigs => pytalloc-util-2.4.1.sigs} | 0
.../ABI/{talloc-2.3.5.sigs => talloc-2.4.1.sigs} | 0
lib/talloc/wscript | 2 +-
lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.9.sigs} | 0
lib/tdb/wscript | 2 +-
.../ABI/{tevent-0.14.0.sigs => tevent-0.15.0.sigs} | 10 +
lib/tevent/testsuite.c | 114 ++
lib/tevent/tevent.c | 5 +-
lib/tevent/tevent.h | 177 +-
lib/tevent/tevent_debug.c | 73 +-
.../dlinklist.h => tevent/tevent_dlinklist.h} | 9 +-
lib/tevent/tevent_epoll.c | 96 +-
lib/tevent/tevent_fd.c | 16 +
lib/tevent/tevent_immediate.c | 6 +-
lib/tevent/tevent_internal.h | 42 +-
lib/tevent/tevent_queue.c | 68 +-
lib/tevent/tevent_req.c | 86 +-
lib/tevent/tevent_threads.c | 2 +-
lib/tevent/tevent_timed.c | 8 +-
lib/tevent/tevent_util.h | 185 +-
lib/tevent/tevent_wrapper.c | 2 +-
lib/tevent/wscript | 6 +-
lib/util/dlinklist.h | 29 +-
lib/util/fault.c | 13 +-
lib/util/tevent_debug.c | 11 +
lib/util/util_process.c | 38 +-
lib/util/util_process.h | 34 +
lib/util/wscript_build | 2 +-
librpc/idl/claims.idl | 2 +-
librpc/idl/mdssvc.idl | 2 +-
librpc/idl/messaging.idl | 1 +
librpc/idl/netlogon.idl | 68 +
librpc/idl/security.idl | 6 +
librpc/idl/wmi.idl | 715 --------
librpc/idl/wscript_build | 18 -
librpc/ndr/ndr_wmi.c | 60 -
librpc/wscript_build | 32 +-
python/modules.c | 35 +
python/modules.h | 7 +
python/pyglue.c | 60 +
python/samba/getopt.py | 69 +-
python/samba/netcmd/domain/models/__init__.py | 2 +
.../netcmd/domain/models/{user.py => site.py} | 31 +-
.../netcmd/domain/models/{user.py => subnet.py} | 31 +-
python/samba/netcmd/ldapcmp.py | 3 +-
python/samba/netcmd/sites.py | 193 +-
python/samba/provision/__init__.py | 11 +-
python/samba/safe_tarfile.py | 2 +-
python/samba/tests/blackbox/mdsearch.py | 10 +-
python/samba/tests/blackbox/ndrdump.py | 59 -
python/samba/tests/cred_opt.py | 14 +-
python/samba/tests/dcerpc/mdssvc.py | 32 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 13 -
python/samba/tests/krb5/pkinit_tests.py | 1233 +++++++++++++
python/samba/tests/krb5/raw_testcase.py | 1069 ++++++++++-
python/samba/tests/krb5/rfc4120.asn1 | 1067 ++++++++++-
python/samba/tests/krb5/rfc4120_constants.py | 29 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 1927 ++++++++++++++++++--
python/samba/tests/samba_tool/sites.py | 71 +-
python/wscript | 1 +
selftest/knownfail_heimdal_kdc | 12 +
selftest/knownfail_mit_kdc_1_20 | 53 +
selftest/skip | 2 -
selftest/target/Samba.pm | 3 +
selftest/target/Samba3.pm | 1 +
selftest/target/Samba4.pm | 1 +
source3/librpc/crypto/gse.c | 2 +-
source3/librpc/crypto/gse_krb5.c | 2 +-
source3/libsmb/namequery.c | 8 +-
source3/param/loadparm.c | 16 +-
source3/passdb/machine_account_secrets.c | 2 +-
source3/passdb/passdb.c | 8 +-
source3/passdb/pdb_get_set.c | 2 +-
source3/passdb/pdb_interface.c | 2 +-
source3/passdb/pdb_ldap.c | 4 +-
source3/passdb/pdb_ldap.h | 2 +-
source3/passdb/pdb_smbpasswd.c | 6 +-
source3/passdb/pdb_tdb.c | 2 +-
source3/passdb/py_passdb.c | 2 +-
source3/printing/lpq_parse.c | 4 +-
source3/printing/nt_printing.c | 10 +-
source3/printing/nt_printing_ads.c | 2 +-
source3/printing/print_iprint.c | 34 +-
source3/printing/printing.c | 16 +-
source3/registry/reg_backend_db.c | 4 +-
source3/registry/reg_format.c | 2 +-
source3/registry/reg_format.h | 24 +-
source3/registry/reg_import.h | 2 +-
source3/registry/reg_parse.h | 2 +-
source3/registry/reg_parse_dox.cfg | 4 +-
source3/registry/reg_parse_internal.h | 2 +-
source3/registry/reg_perfcount.c | 2 +-
source3/registry/regfio.c | 6 +-
source3/registry/regfio.h | 2 +-
source3/rpc_client/cli_lsarpc.h | 8 +-
source3/rpc_client/cli_mdssvc.c | 267 ++-
source3/rpc_client/cli_mdssvc_private.h | 4 +
source3/rpc_client/cli_mdssvc_util.c | 148 +-
source3/rpc_client/cli_mdssvc_util.h | 4 +
source3/rpc_client/cli_pipe.c | 10 +-
source3/rpc_client/cli_samr.c | 2 +-
source3/rpc_client/cli_samr.h | 22 +-
source3/rpc_client/cli_winreg.h | 8 +-
source3/rpc_client/cli_winreg_int.h | 4 +-
source3/rpc_client/cli_winreg_spoolss.h | 6 +-
source3/rpc_client/py_mdscli.c | 7 +-
source3/rpc_server/epmapper/srv_epmapper.c | 2 +-
source3/rpc_server/eventlog/srv_eventlog_nt.c | 2 +-
source3/rpc_server/mdssvc/dalloc.c | 16 +-
source3/rpc_server/mdssvc/marshalling.c | 88 +-
source3/rpc_server/mdssvc/marshalling.h | 10 +-
source3/rpc_server/mdssvc/mdssvc.c | 165 +-
source3/rpc_server/mdssvc/mdssvc.h | 13 +-
source3/rpc_server/mdssvc/mdssvc_es.c | 8 +-
source3/rpc_server/mdssvc/sparql_mapping.h | 2 +-
source3/rpc_server/mdssvc/sparql_parser.y | 2 +-
source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 32 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +-
source3/rpc_server/samr/srv_samr_chgpasswd.c | 4 +-
source3/rpc_server/samr/srv_samr_nt.c | 2 +-
source3/rpc_server/spoolss/srv_spoolss_nt.c | 10 +-
source3/rpc_server/srv_access_check.c | 4 +-
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 2 +-
source3/rpcclient/cmd_spotlight.c | 48 +-
source3/script/format_indent.sh | 2 +-
source3/script/samba-log-parser | 103 +-
source3/script/tests/smbspool_argv_wrapper.c | 2 +-
source3/script/tests/test_net_misc.sh | 2 +-
source3/script/tests/test_net_registry.sh | 4 +-
source3/script/tests/test_sacl_set_get.sh | 2 +-
source3/script/tests/test_smb1_system_security.sh | 2 +-
source3/script/tests/test_smbclient_s3.sh | 4 +-
source3/script/tests/test_smbclient_tarmode.pl | 6 +-
source3/script/tests/test_smbclient_tarmode.sh | 2 +-
source3/script/tests/test_smbcquota.py | 2 +-
source3/script/tests/test_smbd_no_krb5.sh | 2 +-
source3/script/tests/test_smbspool.sh | 4 +-
source3/script/tests/vfstest-catia/run.sh | 2 +-
source3/selftest/tests.py | 18 +-
source3/smbd/blocking.c | 6 +-
source3/smbd/close.c | 2 +-
source3/smbd/conn.c | 2 +-
source3/smbd/dfree.c | 2 +-
source3/smbd/dmapi.c | 36 +-
source3/smbd/dosmode.c | 2 +-
source3/smbd/fake_file.c | 2 +-
source3/smbd/fd_handle.c | 2 +-
source3/smbd/filename.c | 2 +-
source3/smbd/globals.h | 2 +-
source3/smbd/mangle_hash.c | 2 +-
source3/smbd/mangle_hash2.c | 2 +-
source3/smbd/notify.c | 4 +-
source3/smbd/notifyd/notifyd.c | 2 +-
source3/smbd/ntquotas.c | 2 +-
source3/smbd/open.c | 8 +-
source3/smbd/posix_acls.c | 6 +-
source3/smbd/proto.h | 1 -
source3/smbd/quotas.c | 16 +-
source3/smbd/server.c | 2 +-
source3/smbd/smb1_ipc.c | 2 +-
source3/smbd/smb1_lanman.c | 44 +-
source3/smbd/smb1_process.c | 4 +-
source3/smbd/smb1_reply.c | 12 +-
source3/smbd/smb1_service.c | 2 +-
source3/smbd/smb1_signing.c | 10 +-
source3/smbd/smb1_signing.h | 3 +-
source3/smbd/smb2_create.c | 9 +-
source3/smbd/smb2_lock.c | 4 +-
source3/smbd/smb2_negprot.c | 8 +-
source3/smbd/smb2_nttrans.c | 4 +-
source3/smbd/smb2_reply.c | 39 +-
source3/smbd/smb2_server.c | 6 +-
source3/smbd/smb2_service.c | 4 +-
source3/smbd/smb2_sesssetup.c | 2 +-
source3/smbd/smb2_signing.c | 23 +-
source3/smbd/smb2_trans2.c | 4 +-
source3/smbd/smbXsrv_session.c | 6 +-
source3/smbd/smbd_cleanupd.c | 10 +-
source3/torture/cmd_vfs.c | 2 +-
source3/torture/denytest.c | 4 +-
source3/torture/pdbtest.c | 8 +-
source3/torture/proto.h | 1 +
source3/torture/test_messaging_fd_passing.c | 2 +-
source3/torture/test_posix.c | 4 +-
source3/torture/test_smb1_dfs.c | 66 +-
source3/torture/test_smb2.c | 2 +-
source3/torture/torture.c | 12 +-
source3/utils/mdsearch.c | 10 +-
source3/utils/net_ads.c | 4 +-
source3/utils/net_ads_gpo.c | 2 +-
source3/utils/net_cache.c | 2 +-
source3/utils/net_registry_check.c | 2 +-
source3/utils/net_rpc.c | 6 +-
source3/utils/net_rpc_conf.c | 4 +-
source3/utils/net_rpc_printer.c | 36 +-
source3/utils/net_rpc_rights.c | 2 +-
source3/utils/ntlm_auth.c | 8 +-
source3/utils/smbcacls.c | 6 +-
source3/utils/smbcontrol.c | 34 +-
source3/winbindd/idmap_ldap.c | 4 +-
source3/winbindd/idmap_nss.c | 4 +-
source3/winbindd/idmap_rid.c | 4 +-
source3/winbindd/idmap_tdb2.c | 2 +-
source3/winbindd/wb_lookupsids.c | 2 +-
source3/winbindd/wb_seqnums.c | 12 +-
source3/winbindd/winbindd.c | 8 +-
source3/winbindd/winbindd.h | 2 +-
source3/winbindd/winbindd_ads.c | 4 +-
source3/winbindd/winbindd_cache.c | 2 +-
source3/winbindd/winbindd_ccache_access.c | 2 +-
source3/winbindd/winbindd_cm.c | 14 +-
source3/winbindd/winbindd_cred_cache.c | 2 +-
source3/winbindd/winbindd_creds.c | 2 +-
source3/winbindd/winbindd_dual.c | 11 +-
source3/winbindd/winbindd_getgrnam.c | 2 +-
source3/winbindd/winbindd_gpupdate.c | 2 +-
source3/winbindd/winbindd_group.c | 2 +-
source3/winbindd/winbindd_irpc.c | 2 +-
source3/winbindd/winbindd_list_users.c | 12 +-
source3/winbindd/winbindd_misc.c | 36 +
source3/winbindd/winbindd_pam.c | 14 +-
source3/winbindd/winbindd_pam_auth_crap.c | 31 +-
source3/winbindd/winbindd_proto.h | 8 +-
source3/winbindd/winbindd_samr.c | 2 +-
source3/winbindd/winbindd_show_sequence.c | 8 +-
source3/winbindd/winbindd_util.c | 2 +-
source3/wscript | 8 +-
source4/auth/pyauth.c | 38 +-
source4/auth/wscript_build | 4 +-
source4/dns_server/dns_crypto.c | 14 +
source4/dns_server/dns_server.c | 62 +-
source4/dns_server/dns_update.c | 18 +
source4/dsdb/common/util.c | 105 +-
source4/dsdb/pydsdb.c | 24 +
source4/dsdb/wscript_build | 2 +-
source4/kdc/pac-glue.c | 2 +-
source4/kdc/sdb.h | 2 +-
source4/kdc/sdb_to_hdb.c | 2 +-
source4/ldap_server/ldap_server.c | 176 +-
source4/ldap_server/ldap_server.h | 6 +-
source4/lib/tls/tls_tstream.c | 143 +-
source4/librpc/wscript_build | 4 -
source4/param/provision.c | 18 +-
source4/samba/process_prefork.c | 64 +
source4/samba/process_single.c | 3 +
source4/samba/process_standard.c | 3 +
source4/samba/service.h | 29 +
source4/scripting/bin/samba_upgradeprovision | 3 +-
source4/selftest/tests.py | 28 +
source4/setup/provision_self_join.ldif | 4 +-
source4/torture/rpc/mdssvc.c | 250 ++-
source4/torture/rpc/oxidresolve.c | 263 ---
source4/torture/rpc/remact.c | 104 --
source4/torture/rpc/rpc.c | 2 -
source4/torture/smb2/session.c | 64 +
source4/torture/smb2/smb2.c | 1 +
source4/torture/wscript_build | 5 -
testprogs/blackbox/test_ldap_tls_reload.sh | 64 +
third_party/heimdal/appl/gssmask/gssmask.c | 12 +-
third_party/heimdal/cf/make-proto.pl | 4 +-
third_party/heimdal/configure.ac | 9 +-
third_party/heimdal/include/NTMakefile | 4 +-
third_party/heimdal/kadmin/check.c | 19 +-
third_party/heimdal/kadmin/kadmin.1 | 62 +-
third_party/heimdal/kadmin/util.c | 1 +
third_party/heimdal/kcm/config.c | 15 +-
third_party/heimdal/kdc/config.c | 18 +-
third_party/heimdal/kdc/default_config.c | 17 +
third_party/heimdal/kdc/httpkadmind.c | 1 +
third_party/heimdal/kdc/kdc_locl.h | 2 +
third_party/heimdal/kdc/kerberos5.c | 197 +-
third_party/heimdal/kdc/misc.c | 4 +
third_party/heimdal/kdc/pkinit.c | 180 ++
third_party/heimdal/kuser/kinit.c | 80 +-
third_party/heimdal/lib/asn1/Makefile.am | 2 +-
third_party/heimdal/lib/asn1/check-gen.c | 18 +-
third_party/heimdal/lib/asn1/krb5.asn1 | 1 +
third_party/heimdal/lib/asn1/pkinit.asn1 | 1 +
third_party/heimdal/lib/base/common_plugin.h | 1 +
third_party/heimdal/lib/base/dict.c | 4 +-
third_party/heimdal/lib/base/heimbase.c | 16 +-
third_party/heimdal/lib/base/heimbase.h | 2 +-
third_party/heimdal/lib/base/heimbasepriv.h | 5 +-
third_party/heimdal/lib/base/plugin.c | 16 +-
third_party/heimdal/lib/com_err/Makefile.am | 4 +-
third_party/heimdal/lib/com_err/com_err.c | 2 +-
third_party/heimdal/lib/com_err/com_err.h | 2 +-
third_party/heimdal/lib/com_err/com_right.h | 2 +-
third_party/heimdal/lib/com_err/compile_et.c | 2 +-
third_party/heimdal/lib/com_err/error.c | 2 +-
third_party/heimdal/lib/hdb/hdb-mitdb.c | 4 +-
third_party/heimdal/lib/hdb/hdb.asn1 | 1 +
third_party/heimdal/lib/hx509/Makefile.am | 2 +-
third_party/heimdal/lib/hx509/hxtool.c | 7 +-
third_party/heimdal/lib/ipc/client.c | 4 +-
third_party/heimdal/lib/kadm5/admin.h | 1 +
third_party/heimdal/lib/kadm5/ent_setup.c | 4 +
third_party/heimdal/lib/kadm5/get_s.c | 1 +
third_party/heimdal/lib/krb5/addr_families.c | 34 +-
third_party/heimdal/lib/krb5/aname_to_localname.c | 6 +-
third_party/heimdal/lib/krb5/changepw.c | 10 +-
third_party/heimdal/lib/krb5/constants.c | 18 +-
third_party/heimdal/lib/krb5/context.c | 2 +-
third_party/heimdal/lib/krb5/crypto.c | 4 +-
third_party/heimdal/lib/krb5/db_plugin.c | 4 +-
third_party/heimdal/lib/krb5/get_host_realm.c | 6 +-
third_party/heimdal/lib/krb5/get_in_tkt.c | 4 +-
third_party/heimdal/lib/krb5/init_creds_pw.c | 14 +-
third_party/heimdal/lib/krb5/krb5.conf.5 | 15 +-
third_party/heimdal/lib/krb5/krb5.h | 22 +-
third_party/heimdal/lib/krb5/krb5_err.et | 3 +
third_party/heimdal/lib/krb5/krbhst.c | 4 +-
third_party/heimdal/lib/krb5/kuserok.c | 20 +-
third_party/heimdal/lib/krb5/mk_error.c | 4 +-
third_party/heimdal/lib/krb5/pac.c | 8 +-
third_party/heimdal/lib/krb5/pcache.c | 4 +-
third_party/heimdal/lib/krb5/pkinit.c | 1 +
third_party/heimdal/lib/krb5/plugin.c | 4 +-
third_party/heimdal/lib/krb5/salt-aes-sha1.c | 2 +-
third_party/heimdal/lib/krb5/salt-aes-sha2.c | 2 +-
third_party/heimdal/lib/krb5/send_to_kdc.c | 12 +-
third_party/heimdal/lib/roken/parse_bytes-test.c | 6 +-
third_party/heimdal/lib/roken/parse_bytes.c | 18 +-
third_party/heimdal/lib/roken/parse_bytes.h | 6 +-
third_party/heimdal/lib/sl/Makefile.am | 4 +-
third_party/heimdal/lib/vers/make-print-version.c | 2 +-
third_party/heimdal/tests/kdc/check-kdc.in | 38 +-
third_party/heimdal_build/roken.h | 4 +-
wscript_configure_system_mitkrb5 | 2 +
360 files changed, 10803 insertions(+), 4769 deletions(-)
delete mode 100644 ctdb/utils/scsi_io/scsi_io.c
create mode 100644 lib/fuzzing/fuzz_sddl_access_check.c
create mode 100644 lib/fuzzing/fuzz_security_token_vs_descriptor.c
create mode 100644 lib/fuzzing/patches/collect-access-check-seeds.txt
copy lib/talloc/ABI/{pytalloc-util-2.3.0.sigs => pytalloc-util-2.4.1.sigs} (100%)
copy lib/talloc/ABI/{talloc-2.3.5.sigs => talloc-2.4.1.sigs} (100%)
copy lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.9.sigs} (100%)
copy lib/tevent/ABI/{tevent-0.14.0.sigs => tevent-0.15.0.sigs} (91%)
copy lib/{ldb/include/dlinklist.h => tevent/tevent_dlinklist.h} (96%)
delete mode 100644 librpc/idl/wmi.idl
delete mode 100644 librpc/ndr/ndr_wmi.c
copy python/samba/netcmd/domain/models/{user.py => site.py} (59%)
copy python/samba/netcmd/domain/models/{user.py => subnet.py} (59%)
create mode 100755 python/samba/tests/krb5/pkinit_tests.py
delete mode 100644 source4/torture/rpc/oxidresolve.c
delete mode 100644 source4/torture/rpc/remact.c
create mode 100755 testprogs/blackbox/test_ldap_tls_reload.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 667a209b999..285ff9b821a 100644
--- a/VERSION
+++ b/VERSION
@@ -77,7 +77,7 @@ SAMBA_VERSION_BETA_RELEASE=
# e.g. SAMBA_VERSION_PRE_RELEASE=1 #
# -> "2.2.9pre1" #
########################################################
-SAMBA_VERSION_PRE_RELEASE=1
+SAMBA_VERSION_PRE_RELEASE=
########################################################
# For 'rc' releases the version will be #
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=1
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=
+SAMBA_VERSION_RC_RELEASE=1
########################################################
# To mark SVN snapshots this should be set to 'yes' #
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=
# e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes #
# -> "3.0.0-SVN-build-199" #
########################################################
-SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
+SAMBA_VERSION_IS_GIT_SNAPSHOT=no
########################################################
# This is for specifying a release nickname #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b348217e995..44e7edc2263 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the first pre release of Samba 4.19. This is *not*
+This is the first release candidate of Samba 4.19. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -64,6 +64,14 @@ Kerberos Claims, Authentication Silos and NTLM authentication policies
An initial, partial implementation of Active Directory Functional
Level 2012, 2012R2 and 2016 is available in this release.
+In particular Samba will issue Active Directory "Claims" in the PAC,
+for member servers that support these, and honour in-directory
+configuration for Authentication Policies and Authentication Silos.
+
+The primary limitation is that while Samba can read and write claims
+in the directory, and populate the PAC, Samba does not yet use them
+for access control decisions.
+
While we continue to develop these features, existing domains can
test the feature by selecting the functional level in provision or
raising the DC functional level by setting
@@ -90,7 +98,130 @@ samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
+Improved KDC Auditing
+---------------------
+
+As part of the auditing required to allow successful deployment of
+Authentication Policies and Authentication Silos, our KDC now provides
+Samba-style JSON audit logging of all issued Kerberos tickets,
+including if they would fail a policy that is not yet enforced.
+Additionally most failures are audited, (after the initial
+pre-validation of the request).
+
+Kerberos Armoring (FAST) Support for Windows clients
+----------------------------------------------------
+
+In domains where the domain controller functional level is set, as
+above, to 2012, 2012_R2 or 2016, Windows clients will, if configured
+via GPO, use FAST to protect user passwords between (in particular) a
+workstation and the KDC on the AD DC. This is a significant security
+improvement, as weak passwords in an AS-REQ are no longer available
+for offline attack.
+
+Claims compression in the AD PAC
+--------------------------------
+
+Samba as an AD DC will compress "AD claims" using the same compression
+algorithm as Microsoft Windows.
+
+Resource SID compression in the AD PAC
+--------------------------------------
+
+Samba as an AD DC will now correctly populate the various PAC group
+membership buffers, splitting global and local groups correctly.
+
+Additionally, Samba marshals Resource SIDs, being local groups in the
+member server's own domain, to only consume a header and 4 bytes per
+group in the PAC, not a full-length SID worth of space each. This is
+known as "Resource SID compression".
+
+New samba-tool support for silos, claims, sites and subnets.
+------------------------------------------------------------
+
+samba-tool can now list, show, add and manipulate Authentication Silos
+(silos) and Active Directory Authentication Claims (claims).
+
+samba-tool can now list and show Active Directory sites and subnets.
+
+A new Object Relational Model (ORM) based architecture, similar to
+that used with Django, has been built to make adding new samba-tool
+subcommands simpler and more consistent, with JSON output available
+standard on these new commands.
+
+Updated GnuTLS requirement / in-tree cryptography removal
+----------------------------------------------------------
+
+Samba requires GnuTLS 3.6.13 and prefers GnuTLS 3.6.14 or later.
+
+This has allowed Samba to remove all of our in-tree cryptography,
+except that found in our Heimdal import. Samba's runtime cryptography
+needs are now all provided by GnuTLS.
+
+(The GnuTLS vesion requirement is raised to 3.7.2 on systems without
+the Linux getrandom())
+
+We also use Python's cryptography module for our testing.
+The use of well known cryptography libraries makes Samba easier for
+end-users to validate and deploy, and for distributors to ship. This
+is the end of a very long journey for Samba.
+
+Updated Heimdal import
+----------------------
+
+Samba's Heimdal branch (known as lorikeet-heimdal) has been updated to
+the current pre-8.0 (master) tree from upstream Heimdal, ensuring that
+this vendored copy, included in our release remains as close as
+possible to the current upstream code.
+
+Revocation support in Heimdal KDC for PKINIT certificates
+---------------------------------------------------------
+
+Samba will now correctly honour the revocation of 'smart card'
+certificates used for PKINIT Kerberos authentication.
+
+This list is reloaded each time the file changes, so no further action
+other than replacing the file is required. The additional krb5.conf
+option is:
+
+ [kdc]
+ pkinit_revoke = FILE:/path/to/crl.pem
+
+Information on the "Smart Card login" feature as a whole is at:
+ https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login
+
+Protocol level testsuite for (Smart Card Logon) PKINIT
+------------------------------------------------------
+
+Previously Samba's PKINIT support in the KDC was tested by use of
+shell scripts around the client tools of MIT or Heimdal Kerberos.
+Samba's independently written python testsuite has been extended to
+validate KDC behaviour for PKINIT.
+
+Require encrypted connection to modify unicodePwd on the AD DC
+--------------------------------------------------------------
+
+Setting the password on an AD account on should never be attempted
+over a plaintext or signed-only LDAP connection. If the unicodePwd
+(or userPassword) attribute is modified without encryption (as seen by
+Samba), the request will be rejected. This is to encourage the
+administrator to use an encrypted connection in the future.
+
+NOTE WELL: If Samba is accessed via a TLS frontend or load balancer,
+the LDAP request will be regarded as plaintext.
+
+Samba AD TLS Certificates can be reloaded
+-----------------------------------------
+
+The TLS certificates used for Samba's AD DC LDAP server were
+previously only read on startup, and this meant that when then expired
+it was required to restart Samba, disrupting service to other users.
+
+ smbcontrol ldap_server reload-certs
+
+This will now allow these certificates to be reloaded 'on the fly'
+
+================
REMOVED FEATURES
================
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index c0631b43061..796b52ea905 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -945,7 +945,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gcc->creds,
num_ktypes,
(int32_t *) etypes);
- SAFE_FREE(etypes);
+ krb5_free_enctypes(ccache->smb_krb5_context->krb5_context,
+ etypes);
if (maj_stat) {
talloc_free(gcc);
if (min_stat) {
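Review bot: After the new `krb5_free_enctypes(ccache->smb_krb5_context->krb5_context, etypes);` call, `etypes` still holds the freed address, whereas the removed `SAFE_FREE(etypes)` also reset the pointer to NULL. Freeing with the matching krb5 deallocator is the right change, but adding `etypes = NULL;` after the call would keep the old guarantee, so that a later cleanup path cannot free or read the buffer again. The same applies to `name` after `krb5_free_string(...)` in the py_ccache_name hunk of auth/credentials/pycredentials.c. Both functions continue outside their hunks, so whether either pointer is touched again cannot be confirmed from here.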
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index b87cdc06a93..bd877941a9a 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -1589,7 +1589,7 @@ static PyObject *py_ccache_name(PyObject *self, PyObject *unused)
ccc->ccache, &name);
if (ret == 0) {
py_name = PyString_FromStringOrNULL(name);
- SAFE_FREE(name);
+ krb5_free_string(ccc->smb_krb5_context->krb5_context, name);
} else {
PyErr_SetString(PyExc_RuntimeError,
"Failed to get ccache name");
diff --git a/ctdb/config/events/README b/ctdb/config/events/README
index 6ee6e6fae78..6553830326a 100644
--- a/ctdb/config/events/README
+++ b/ctdb/config/events/README
@@ -54,7 +54,7 @@ setup
Failure of this event will cause CTDB to terminate.
- Example: 00.ctdb processes tunables defined in ctdb.tunables.
+ Example: 11.natgw checks that it has valid configuration
startup
diff --git a/ctdb/config/functions b/ctdb/config/functions
index 3e46fb496a3..56105aab165 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -2,9 +2,9 @@
# utility functions for ctdb event scripts
-if [ -z "$CTDB_BASE" ] ; then
- echo 'CTDB_BASE unset in CTDB functions file'
- exit 1
+if [ -z "$CTDB_BASE" ]; then
+ echo 'CTDB_BASE unset in CTDB functions file'
+ exit 1
fi
export CTDB_BASE
@@ -16,24 +16,24 @@ CTDB="${CTDB:-/usr/local/bin/ctdb}"
# Only (and always) override these variables in test code
-if [ -z "$CTDB_SCRIPT_VARDIR" ] ; then
- CTDB_SCRIPT_VARDIR="/usr/local/var/lib/ctdb/scripts"
+if [ -z "$CTDB_SCRIPT_VARDIR" ]; then
+ CTDB_SCRIPT_VARDIR="/usr/local/var/lib/ctdb/scripts"
fi
-if [ -z "$CTDB_SYS_ETCDIR" ] ; then
- CTDB_SYS_ETCDIR="/etc"
+if [ -z "$CTDB_SYS_ETCDIR" ]; then
+ CTDB_SYS_ETCDIR="/etc"
fi
-if [ -z "$CTDB_HELPER_BINDIR" ] ; then
- CTDB_HELPER_BINDIR="/usr/local/libexec/ctdb"
+if [ -z "$CTDB_HELPER_BINDIR" ]; then
+ CTDB_HELPER_BINDIR="/usr/local/libexec/ctdb"
fi
#######################################
# pull in a system config file, if any
-load_system_config ()
+load_system_config()
{
- for _i ; do
+ for _i; do
if [ -f "${CTDB_SYS_ETCDIR}/sysconfig/${_i}" ]; then
. "${CTDB_SYS_ETCDIR}/sysconfig/${_i}"
@@ -48,11 +48,11 @@ load_system_config ()
# load_script_options [ component script ]
# script is an event script name relative to a component
# component is currently ignored
-load_script_options ()
+load_script_options()
{
- if [ $# -eq 2 ] ; then
+ if [ $# -eq 2 ]; then
_script="$2"
- elif [ $# -eq 0 ] ; then
+ elif [ $# -eq 0 ]; then
_script=""
else
die "usage: load_script_options [ component script ]"
@@ -60,92 +60,100 @@ load_script_options ()
_options="${CTDB_BASE}/script.options"
- if [ -r "$_options" ] ; then
+ if [ -r "$_options" ]; then
. "$_options"
fi
- if [ -n "$_script" ] ; then
+ if [ -n "$_script" ]; then
_s="${CTDB_BASE}/events/legacy/${_script}"
else
_s="${0%.script}"
fi
_options="${_s}.options"
- if [ -r "$_options" ] ; then
+ if [ -r "$_options" ]; then
. "$_options"
fi
}
##############################################################
-die ()
+die()
{
- _msg="$1"
- _rc="${2:-1}"
+ _msg="$1"
+ _rc="${2:-1}"
- echo "$_msg" >&2
- exit "$_rc"
+ echo "$_msg" >&2
+ exit "$_rc"
}
# Log given message or stdin to either syslog or a CTDB log file
# $1 is the tag passed to logger if syslog is in use.
-script_log ()
-{
- _tag="$1" ; shift
-
- case "$CTDB_LOGGING" in
- file:*|"")
- if [ -n "$CTDB_LOGGING" ] ; then
- _file="${CTDB_LOGGING#file:}"
- else
- _file="/usr/local/var/log/log.ctdb"
- fi
- {
+script_log()
+{
+ _tag="$1"
+ shift
+
+ case "$CTDB_LOGGING" in
+ file:)
if [ -n "$*" ] ; then
- echo "$*"
+ echo "$*"
+ else
+ cat
+ fi >&2
+ ;;
+ file:* | "")
+ if [ -n "$CTDB_LOGGING" ]; then
+ _file="${CTDB_LOGGING#file:}"
else
- cat
+ _file="/usr/local/var/log/log.ctdb"
fi
- } >>"$_file"
- ;;
+ {
+ if [ -n "$*" ]; then
+ echo "$*"
+ else
+ cat
+ fi
+ } >>"$_file"
+ ;;
*)
- # Handle all syslog:* variants here too. There's no tool to do
- # the lossy things, so just use logger.
- logger -t "ctdbd: ${_tag}" "$@"
- ;;
- esac
+ # Handle all syslog:* variants here too. There's no tool to do
+ # the lossy things, so just use logger.
+ logger -t "ctdbd: ${_tag}" "$@"
+ ;;
+ esac
}
# When things are run in the background in an eventscript then logging
# output might get lost. This is the "solution". :-)
-background_with_logging ()
+background_with_logging()
{
- (
- "$@" 2>&1 </dev/null |
- script_log "${script_name}&"
- )&
+ (
+ "$@" 2>&1 </dev/null |
+ script_log "${script_name}&"
+ ) &
- return 0
+ return 0
}
##############################################################
# check number of args for different events
-ctdb_check_args ()
+ctdb_check_args()
{
- case "$1" in
- takeip|releaseip)
- if [ $# != 4 ]; then
- echo "ERROR: must supply interface, IP and maskbits"
- exit 1
- fi
- ;;
+ case "$1" in
+ takeip | releaseip)
+ if [ $# != 4 ]; then
+ echo "ERROR: must supply interface, IP and maskbits"
+ exit 1
+ fi
+ ;;
updateip)
- if [ $# != 5 ]; then
- echo "ERROR: must supply old interface, new interface, IP and maskbits"
- exit 1
- fi
- ;;
- esac
+ if [ $# != 5 ]; then
+ echo "ERROR: must supply old interface, new interface, IP and maskbits"
+ exit 1
+ fi
+ ;;
+ esac
}
##############################################################
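Review bot: The header comment on script_log still says the message goes "to either syslog or a CTDB log file", but the new `file:)` arm writes to stderr when CTDB_LOGGING is `file:` with an empty path. I would extend the header with `# CTDB_LOGGING=file: (no path) sends the message to stderr instead`, and add a short comment that this arm must stay ahead of `file:* | "")` because the first matching pattern wins. The `if [ -n "$*" ] ; then` in the new arm also keeps the old `] ; then` spacing that the rest of this hunk normalises to `]; then`.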
@@ -153,7 +161,7 @@ ctdb_check_args ()
detect_init_style()
{
# only do detection if not already set:
- if [ -n "$CTDB_INIT_STYLE" ] ; then
+ if [ -n "$CTDB_INIT_STYLE" ]; then
return
fi
@@ -170,100 +178,100 @@ detect_init_style()
# simulate /sbin/service on platforms that don't have it
# _service() makes it easier to hook the service() function for
# testing.
-_service ()
+_service()
{
- _service_name="$1"
- _op="$2"
-
- # do nothing, when no service was specified
- [ -z "$_service_name" ] && return
-
- if [ -x /sbin/service ]; then
- $_nice /sbin/service "$_service_name" "$_op"
- elif [ -x /usr/sbin/service ]; then
- $_nice /usr/sbin/service "$_service_name" "$_op"
- elif [ -x /bin/systemctl ]; then
- $_nice /bin/systemctl "$_op" "$_service_name"
- elif [ -x "${CTDB_SYS_ETCDIR}/init.d/${_service_name}" ]; then
- $_nice "${CTDB_SYS_ETCDIR}/init.d/${_service_name}" "$_op"
- elif [ -x "${CTDB_SYS_ETCDIR}/rc.d/init.d/${_service_name}" ]; then
- $_nice "${CTDB_SYS_ETCDIR}/rc.d/init.d/${_service_name}" "$_op"
- fi
+ _service_name="$1"
+ _op="$2"
+
+ # do nothing, when no service was specified
+ [ -z "$_service_name" ] && return
+
+ if [ -x /sbin/service ]; then
+ $_nice /sbin/service "$_service_name" "$_op"
+ elif [ -x /usr/sbin/service ]; then
+ $_nice /usr/sbin/service "$_service_name" "$_op"
+ elif [ -x /bin/systemctl ]; then
+ $_nice /bin/systemctl "$_op" "$_service_name"
+ elif [ -x "${CTDB_SYS_ETCDIR}/init.d/${_service_name}" ]; then
+ $_nice "${CTDB_SYS_ETCDIR}/init.d/${_service_name}" "$_op"
+ elif [ -x "${CTDB_SYS_ETCDIR}/rc.d/init.d/${_service_name}" ]; then
+ $_nice "${CTDB_SYS_ETCDIR}/rc.d/init.d/${_service_name}" "$_op"
+ fi
}
service()
{
- _nice=""
--
Samba Shared Repository