[SCM] Samba Shared Repository - branch v4-21-stable updated

Jule Anger janger at samba.org
Tue Aug 20 11:24:55 UTC 2024


The branch, v4-21-stable has been updated
       via  bb4874ba201 VERSION: Disable GIT_SNAPSHOT for the 4.21.0rc3 release.
       via  21a75c2bf0a WHATSNEW: Add release notes for Samba 4.20.0rc3.
       via  38055454914 s3:smb2_server: return NT_STATUS_NETWORK_SESSION_EXPIRED for compound requests
       via  64416b69784 s4:torture/smb2: let smb2.session.expire2* also check compound requests
       via  294f9e47a3b s3:libads: Do not print error message for a default configuration
       via  fcca9820023 docs-xml: Fix script location in syncmachinepasswordscript.xml
       via  c7e6ec6bae8 source3/script: Fix installation of winbind_ctdb_updatekeytab.sh
       via  12084aa1bda WHATSNEW: update "New cephfs VFS module" section
       via  cf4feb17783 VERSION: Bump version up to Samba 4.21.0rc3...
      from  8e440c0a96a VERSION: Disable GIT_SNAPSHOT for the 4.21.0rc2 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |  2 +-
 WHATSNEW.txt                                       | 27 ++++++++++-
 docs-xml/generate-pathconf-entities.sh             |  1 +
 .../security/syncmachinepasswordscript.xml         |  4 +-
 dynconfig/wscript                                  |  5 ++
 source3/libads/kerberos_keytab.c                   |  5 +-
 source3/script/wscript_build                       |  4 +-
 source3/smbd/smb2_server.c                         | 16 ++++++-
 source4/torture/smb2/session.c                     | 56 ++++++++++++++++++++++
 9 files changed, 112 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index ba580667949..dd2eb2f8a9c 100644
--- a/VERSION
+++ b/VERSION
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1                      #
 #  ->  "3.0.0rc1"                                      #
 ########################################################
-SAMBA_VERSION_RC_RELEASE=2
+SAMBA_VERSION_RC_RELEASE=3
 
 ########################################################
 # To mark SVN snapshots this should be set to 'yes'    #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c42c8cdb142..9eee53ae713 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =====================
 
-This is the second release candidate of Samba 4.21.  This is *not*
+This is the third release candidate of Samba 4.21.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
@@ -238,6 +238,16 @@ nodes.  Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and
 
 For detailed information check the smb.conf(5) and net(8) manpages.
 
+New cephfs VFS module
+---------------------
+Introduce new vfs-to-cephfs bridge which uses libcephfs low-level APIs (instead
+of path-based operations in the existing module). It allows users to pass
+explicit user-credentials per call (including supplementary groups), as well as
+faster operations using inode and file-handle caching on the Samba side.
+Configuration is identical to existing module, but using 'ceph_new' instead of
+'ceph' for the relevant smb.conf entries. This new module is expected to
+deprecate and replace the old one in next major release.
+
 
 REMOVED FEATURES
 ================
@@ -270,6 +280,21 @@ smb.conf changes
   sync machine password script            script
 
 
+CHANGES SINCE 4.21.0rc2
+=======================
+
+o  Pavel Filipenský <pfilipensky at samba.org>
+   * BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 15696: Compound SMB2 requests don't return
+     NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
+     MacOSX clients.
+
+o  Anoop C S <anoopcs at samba.org>
+   * BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
+
+
 CHANGES SINCE 4.21.0rc1
 =======================
 
diff --git a/docs-xml/generate-pathconf-entities.sh b/docs-xml/generate-pathconf-entities.sh
index 6c0c31a3522..1b689a8a23f 100755
--- a/docs-xml/generate-pathconf-entities.sh
+++ b/docs-xml/generate-pathconf-entities.sh
@@ -17,5 +17,6 @@ echo "
 <!ENTITY pathconfig.NTP_SIGND_SOCKET_DIR '\${prefix}/var/lib/ntp_signd'>
 <!ENTITY pathconfig.MITKDCPATH           '\${prefix}/sbin/krb5kdc'>
 <!ENTITY pathconfig.SAMBA_DATADIR        '\${prefix}/var/samba'>
+<!ENTITY pathconfig.CTDB_DATADIR         '\${prefix}/share/ctdb'>
 <!ENTITY pathconfig.CONFIGFILE           '\${prefix}/etc/smb.conf'>
 "
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
index 9a7731930d5..df98610cf36 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
@@ -11,7 +11,7 @@
 
     <para>
     If keytabs should be generated in clustered environments it is recommended to update them on all nodes.
-    You can set the config option to &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh in clustering case.
+    You can set the config option to &pathconfig.CTDB_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh in clustering case.
     It is also needed to activate the <constant>46.update-keytabs.script</constant> in ctdb,
     it re-creates the keytab during the ctdb recovered event:
     <programlisting>
@@ -22,5 +22,5 @@
 </description>
 
 <value type="default"/>
-<value type="example">&pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh</value>
+<value type="example">&pathconfig.CTDB_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh</value>
 </samba:parameter>
diff --git a/dynconfig/wscript b/dynconfig/wscript
index 2041d881546..a784dac4e6c 100644
--- a/dynconfig/wscript
+++ b/dynconfig/wscript
@@ -105,6 +105,11 @@ dynconfig = {
          'FHS-PATH':  '${DATADIR}',
          'OVERWRITE': True,
     },
+    'CTDB_DATADIR' : {
+         'STD-PATH':  '${DATADIR}/ctdb',
+         'FHS-PATH':  '${DATADIR}/ctdb',
+         'OVERWRITE': True,
+    },
     'SAMBA_DATADIR' : {
          'STD-PATH':  '${DATADIR}/samba',
          'FHS-PATH':  '${DATADIR}/samba',
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index e2fcee634b4..6ede567b75f 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -838,8 +838,9 @@ static bool pw2kt_default_keytab_name(char *name_str, size_t name_size)
 		break;
 
 	default:
-		DBG_ERR("Invalid kerberos method set (%d)\n",
-			lp_kerberos_method());
+		DBG_NOTICE("'kerberos method' is 'secrets only' but "
+			   "'sync machine password to keytab' is not set "
+			   "==> no keytab will be generated.\n");
 		return false;
 	}
 
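Review bot: The new message in the `default:` branch states as fact that 'kerberos method' is 'secrets only', but a `default:` label also catches every other value that has no case of its own, and the numeric value the old DBG_ERR printed is no longer logged. The other cases of this switch are outside the hunk, so this is inferred: if 'secrets only' is the one value expected to land here, give it its own label, `case KERBEROS_VERIFY_SECRETS:`, carrying the DBG_NOTICE, and keep `default:` with `DBG_ERR("Invalid kerberos method set (%d)\n", lp_kerberos_method());`. That keeps an unexpected setting visible in the logs when someone is diagnosing why no keytab was written.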
diff --git a/source3/script/wscript_build b/source3/script/wscript_build
index 2b0643b0876..bc451497298 100644
--- a/source3/script/wscript_build
+++ b/source3/script/wscript_build
@@ -6,7 +6,9 @@ bld.INSTALL_FILES('${BINDIR}',
 	          'smbtar',
                   chmod=MODE_755, flat=True)
 bld.INSTALL_FILES('${BINDIR}', 'samba-log-parser', chmod=MODE_755, flat=True)
-bld.INSTALL_FILES('${DATADIR}', 'winbind_ctdb_updatekeytab.sh', chmod=MODE_755, flat=True)
+if conf.env.with_ctdb:
+    bld.INSTALL_FILES(bld.env.CTDB_DATADIR+"/scripts",
+                      'winbind_ctdb_updatekeytab.sh', chmod=MODE_755, flat=True)
 
 # Callout scripts for use in selftest environment
 bld.SAMBA_SCRIPT('smbaddshare', pattern='smbaddshare', installdir='.')
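Review bot: The added condition reads `conf.env.with_ctdb` while the call it guards uses `bld.env.CTDB_DATADIR`, so one statement mixes two context names. Every other visible line of this file uses only `bld`. Writing `if bld.env.with_ctdb:` would keep the file consistent and would not depend on `conf` being bound inside a build script. I believe waf binds both names to the same context object, but that is not visible here.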
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index a32044d9357..b37829e8c4f 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -3050,6 +3050,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 	bool signing_required = false;
 	bool encryption_desired = false;
 	bool encryption_required = false;
+	bool session_expired = false;
 
 	inhdr = SMBD_SMB2_IN_HDR_PTR(req);
 
@@ -3098,6 +3099,9 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		signing_required = x->global->signing_flags & SMBXSRV_SIGNING_REQUIRED;
 		encryption_desired = x->global->encryption_flags & SMBXSRV_ENCRYPTION_DESIRED;
 		encryption_required = x->global->encryption_flags & SMBXSRV_ENCRYPTION_REQUIRED;
+		session_expired =
+			NT_STATUS_EQUAL(session_status,
+					NT_STATUS_NETWORK_SESSION_EXPIRED);
 	}
 
 	req->async_internal = false;
@@ -3171,7 +3175,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		 * This check is mostly for giving the correct error code
 		 * for compounded requests.
 		 */
-		if (!NT_STATUS_IS_OK(session_status)) {
+		if (!session_expired && !NT_STATUS_IS_OK(session_status)) {
 			return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 		}
 	} else {
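Review bot: The comment above this condition still says only that the check gives the correct error code for compounded requests; it does not explain why an expired session is now exempt from NT_STATUS_INVALID_PARAMETER. From the visible hunks the expired case appears meant to fall through so that a later `call->need_session` check returns NT_STATUS_NETWORK_SESSION_EXPIRED, but the code in between is outside the hunk. I would extend the comment with a line such as `* An expired session is not rejected here; it has to reach the need_session checks below, which return NT_STATUS_NETWORK_SESSION_EXPIRED.` If this branch is on the signing path, the comment should also say whether the signature is still verified for an expired session before that status is returned.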
@@ -3257,6 +3261,9 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		}
 
 		if (!NT_STATUS_IS_OK(session_status)) {
+			if (session_expired && opcode == SMB2_OP_CREATE) {
+				req->compound_create_err = session_status;
+			}
 			return smbd_smb2_request_error(req, session_status);
 		}
 	}
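Review bot: The block `if (session_expired && opcode == SMB2_OP_CREATE) { req->compound_create_err = session_status; }` is added twice, here and again in the `call->need_session` branch after `skipped_signing:` in the next hunk, and neither copy says why only SMB2_OP_CREATE records the status. A one-line comment at each site would help, for example `/* remember the failure so the related requests after this create fail with the same status */`. That reading is inferred from the `SMB2_HDR_FLAG_CHAINED` check added in the next hunk. A small static helper taking `req`, `opcode` and `session_status` would remove the duplication and keep the two paths from drifting apart. The function body extends beyond both hunks.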
@@ -3308,11 +3315,18 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 skipped_signing:
 
 	if (flags & SMB2_HDR_FLAG_CHAINED) {
+		if (!NT_STATUS_IS_OK(req->compound_create_err)) {
+			return smbd_smb2_request_error(req,
+					req->compound_create_err);
+		}
 		req->compound_related = true;
 	}
 
 	if (call->need_session) {
 		if (!NT_STATUS_IS_OK(session_status)) {
+			if (session_expired && opcode == SMB2_OP_CREATE) {
+				req->compound_create_err = session_status;
+			}
 			return smbd_smb2_request_error(req, session_status);
 		}
 	}
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 2a3d0e6e853..ecaac76e6c3 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -1317,6 +1317,7 @@ static bool test_session_expire2i(struct torture_context *tctx,
 	char fname[256];
 	struct smb2_handle dh;
 	struct smb2_handle dh2;
+	struct smb2_handle relhandle = { .data = { UINT64_MAX, UINT64_MAX } };
 	struct smb2_handle _h1;
 	struct smb2_handle *h1 = NULL;
 	struct smb2_create io1;
@@ -1330,7 +1331,10 @@ static bool test_session_expire2i(struct torture_context *tctx,
 	struct smb2_ioctl ctl;
 	struct smb2_break oack;
 	struct smb2_lease_break_ack lack;
+	struct smb2_create cio;
 	struct smb2_find fnd;
+	struct smb2_close cl;
+	struct smb2_request *reqs[3] = { NULL, };
 	union smb_search_data *d = NULL;
 	unsigned int count;
 	struct smb2_request *req = NULL;
@@ -1562,6 +1566,58 @@ static bool test_session_expire2i(struct torture_context *tctx,
 				ret, done, "smb2_find_level "
 				"returned unexpected status");
 
+	/* Now do a compound open + query directory + close handle. */
+	smb2_transport_compound_start(tree->session->transport, 3);
+	torture_comment(tctx, "Compound: Open+QueryDirectory+Close => EXPIRED\n");
+
+	ZERO_STRUCT(cio);
+	cio.in.oplock_level = 0;
+	cio.in.desired_access = SEC_STD_SYNCHRONIZE | SEC_DIR_READ_ATTRIBUTE | SEC_DIR_LIST;
+	cio.in.file_attributes   = 0;
+	cio.in.create_disposition = NTCREATEX_DISP_OPEN;
+	cio.in.share_access = NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_DELETE;
+	cio.in.create_options = NTCREATEX_OPTIONS_ASYNC_ALERT;
+	cio.in.fname = "";
+
+	reqs[0] = smb2_create_send(tree, &cio);
+	torture_assert_not_null_goto(tctx, reqs[0], ret, done,
+		"smb2_create_send failed\n");
+
+	smb2_transport_compound_set_related(tree->session->transport, true);
+
+	ZERO_STRUCT(fnd);
+	fnd.in.file.handle	= relhandle;
+	fnd.in.pattern		= "*";
+	fnd.in.continue_flags	= SMB2_CONTINUE_FLAG_SINGLE;
+	fnd.in.max_response_size= 0x100;
+	fnd.in.level		= SMB2_FIND_BOTH_DIRECTORY_INFO;
+
+	reqs[1] = smb2_find_send(tree, &fnd);
+	torture_assert_not_null_goto(tctx, reqs[1], ret, done,
+		"smb2_find_send failed\n");
+
+	ZERO_STRUCT(cl);
+	cl.in.file.handle = relhandle;
+	reqs[2] = smb2_close_send(tree, &cl);
+	torture_assert_not_null_goto(tctx, reqs[2], ret, done,
+		"smb2_close_send failed\n");
+
+	status = smb2_create_recv(reqs[0], tree, &cio);
+	torture_assert_ntstatus_equal_goto(tctx, status,
+				NT_STATUS_NETWORK_SESSION_EXPIRED,
+				ret, done, "smb2_create "
+				"returned unexpected status");
+	status = smb2_find_recv(reqs[1], tree, &fnd);
+	torture_assert_ntstatus_equal_goto(tctx, status,
+				NT_STATUS_NETWORK_SESSION_EXPIRED,
+				ret, done, "smb2_find "
+				"returned unexpected status");
+	status = smb2_close_recv(reqs[2], &cl);
+	torture_assert_ntstatus_equal_goto(tctx, status,
+				NT_STATUS_NETWORK_SESSION_EXPIRED,
+				ret, done, "smb2_close "
+				"returned unexpected status");
+
 	torture_comment(tctx, "1st notify => CANCEL\n");
 	smb2_cancel(req);
 
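Review bot: `smb2_transport_compound_set_related(tree->session->transport, true)` is called before the second request, and nothing in this hunk switches it back, although the test carries on with `smb2_cancel(req)` on the same transport. I cannot see from the hunk whether the transport clears the flag once the compound has been sent. If it does not, add `smb2_transport_compound_set_related(tree->session->transport, false);` after the `smb2_close_recv` check. Separately, `relhandle` is declared in an earlier hunk with both fields set to `UINT64_MAX` and no explanation. A comment such as `/* all-ones file id: use the handle of the previous request in the compound */` at the declaration would make the find and close requests readable without the protocol spec at hand.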


-- 
Samba Shared Repository


