[SCM] Samba Shared Repository - branch v4-20-stable updated
Jule Anger
janger at samba.org
Wed Jun 19 14:34:21 UTC 2024
The branch, v4-20-stable has been updated
via 569d541c9bb VERSION: Disable GIT_SNAPSHOT for the 4.20.2 release.
via 55cd97dfef1 WHATSNEW: Add release notes for Samba 4.20.2.
via 3dd39600da3 BUG 15569 ldb: Release LDB 2.9.1
via fc318c63e55 auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts
via 212b014679f auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()
via 46ebf66fe96 auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper
via cccd9c95c8b testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos
via 694605f52a4 testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos
via 7d69ec93e31 vfs_recycle: remember resolved config->repository in vfs_recycle_connect()
via f464a85c129 Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()"
via 64d7108cddb vfs_recycle: fix memory hierarchy
via 4bb5f8a92aa vfs_recycle: use the correct return in SMB_VFS_HANDLE_GET_DATA()
via a5d5d83c492 vfs_recycle: use a talloc_stackframe() in recycle_unlink_internal()
via 69b9c140527 vfs_recycle: directly allocate smb_fname_final->base_name
via db098ff1aad vfs_recycle: don't unlink on allocation failure
via cf22968a8a1 TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()
via 7d277c424fc test_recycle.sh: make sure we don't see panics on the log files
via b3ce5a86489 vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send
via d7e0b5933fa s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
via 5b90acbef15 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
via 4b4b0152fd7 selftest: Add a python blackbox test for some misc (widelink) DFS tests
via dceb2e56b63 script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision
via 5d593a735d3 build: Add --vendor-name --vendor-patch-revision options to ./configure
via f46faceae1f ctdb/docs: Include ceph rados namespace support in man page
via 9110627bc24 ctdb/ceph: Add optional namespace support for mutex helper
via df54d3fdda9 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
via 89817ed2165 s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
via fdd61d60caa s4:dns_server: dns_verify_tsig should return REFUSED on error
via f663b386156 s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
via 3b36f447040 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
via 299818567ea s4:dns_server: use the client provided algorithm for the fake TSIG structure
via 7ddd758da50 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
via 6e395cabf38 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
via ed8ef00c297 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
via a7f3293ddf7 python:tests/dns_tkey: add test_update_tsig_record_access_denied()
via 9137bb66ab4 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
via 5a98bc50263 python:tests/dns_base: add get_unpriv_creds() helper
via ff0afdd1b05 python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
via bda80382eb5 python:tests/dns_base: let verify_packet() work against Windows
via fdfd4e8adce python:tests/dns_tkey: test bad and changing tsig algorithms
via 7dabac46b5a python:tests/dns_tkey: add gss.microsoft.com tsig updates
via 6438249cf1e python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
via 501a25a1f07 python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
via c7a936ecd27 python:tests/dns_base: maintain a dict with tkey related state
via da7c313740d python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
via 85784854629 python:tests/dns_base: pass tkey_trans(expected_rcode)
via e58fe908371 python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
via 12d4e452410 python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
via 9cfc2e24331 python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
via f7f0518b46a python:tests/dns_base: add self.assert_echoed_dns_error()
via c00749edb35 python:tests/dns_base: let dns_transaction_tcp() handle short receives
via 3bd80a2545a python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
via 19fc5bb6b9d python:tests/dns_base: generate a real signature in bad_sign_packet()
via 8b8fef4c9c8 third_party: Update socket_wrapper to version 1.4.3
via 87ac580b40f third_party: Update uid_wrapper to version 1.3.1
via e5293b114b1 gitlab-ci: Set git safe.directory for devel repo
via 95c59655141 bootstrap: Fix building CentOS 8 Stream container images
via 7edef3c7fb1 bootstrap: Set git safe.directory
via e8dc4bb0edf bootstrap: Fix runner tags
via e57e35908d5 s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.
via f681ee3bac0 s3/torture: Add test for widelink case insensitivity on a MSDFS share.
via 50d4451bd4b s3:smbcacls: fix ace_compare
via e21251926ba ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold
via 3f9d9f83448 ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold
via d12f3cced61 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
via 7ae866c6ffa s4:dsdb:mod: repl_md: make message_sort transitive
via 21a01b3bad4 ldb: avoid NULL deref in ldb_db_compare
via 7d295cb6fe5 ldb:attrib_handlers: make ldb_comparison_Boolean more consistent
via 3d62269dfbf ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs
via 586c0f3dd00 ldb-samba:ldif_handlers: dn_link_comparison leaks less
via d819b21464c ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects
via ae770139f25 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs
via 956bff1dc63 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects
via da5c625e641 ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate
via dcf393af595 s4:rpcsrv:samr: improve a comment in compare_msgRid
via 8f0490150b4 s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs
via d2aaed5d969 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
via de865f6c8b7 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
via 1d527c49df5 gensec: sort_gensec uses NUMERIC_CMP
via 2f6c5b6603f s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
via 835594dea0e dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
via 29b17d296c0 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
via 6893310bd79 s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare
via 94f38553adf s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
via f61aabdb1a3 ldb:dn: make ldb_dn_compare() self-consistent
via f3b6ec046a0 ldb:sort: generalise both-NULL check to equality check
via a0a83539c30 ldb:sort: check that elements have values
via 5f52991b931 ldb:mod:sort: rearrange NULL checks
via faed55f4f88 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
via 4d6f0ad643c s3:util:sharesec ace_compare() uses NUMERIC_CMP()
via e3f491e3193 s3:smbcacls: use NUMERIC_CMP in ace_compare
via 48494283a66 s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP()
via 27becb5a7fc s4:wins: use NUMERIC_CMP in nbtd_wins_randomize1Clist_sort()
via 20648aaf7fe s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
via 7acee3ae13a s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
via a326992c07d s4:dns_server: use NUMERIC_CMP in rec_cmp()
via c6ed9351f81 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
via 39505028672 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
via 886818f5abb libcli/security: use NUMERIC_CMP in dom_sid_compare_auth()
via bd548a92d42 libcli/security: use NUMERIC_CMP in dom_sid_compare()
via c95b73014d3 ldb: reduce non-transitive comparisons in ldb_msg_element_compare()
via e0468b5a9ed ldb: avoid non-transitive comparison in ldb_val_cmp()
via 7990f5a2841 util:datablob: avoid non-transitive comparison in data_blob_cmp()
via f7e192e82f7 ldb:attrib_handlers: ldb_comparison_binary uses NUMERIC_CMP()
via 4fa00be3083 ldb:attrib_handlers: ldb_comparison_Boolean uses NUMERIC_CMP()
via 1c6f16cdca9 util: charset:util_str: use NUMERIC_CMP in strncasecmp_m_handle
via 6a0daf6818b lib/torture: add assert_int_{less,greater} macros
via ccd94628b58 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
via f9a7ded26d1 s3:libsmb:namequery: note intransitivity in addr_compare()
via 77b78b45330 util:charset:codepoints: codepoint_cmpi warning about non-transitivity
via 64d55301410 util:charset:codepoints: condepoint_cmpi uses NUMERIC_CMP()
via 10c0087dac8 util:test: test_ms_fn_match_protocol_no_wildcard: allow -1
via eb8fd60e10c util:charset:util_str: use NUMERIC_CMP in strcasecmp_m_handle
via d18a62836c0 torture:charset: test more of strcasecmp_m
via 94b574cde12 torture:charset: use < and > assertions for strncasecmp_m
via 767344ee512 torture:charset: use < and > assertions for strcasecmp_m
via be4965c69c8 util:binsearch: user NUMERIC_CMP()
via 51fa8c0168e s4: use numeric_cmp in dns_common_sort_zones()
via f94b87da1be s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
via 3071a4af9a5 s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
via 696cca23e3e ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
via 1b8ccbf031b ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare_base()
via 9e19cc17117 ldb: add NUMERIC_CMP macro to ldb.h
via b46af17050b util:tsort.h: add a macro for safely comparing numbers
via 3a840553cfb lib/fuzzing/decode_ndr_X_crash: guess the pipe from filename
via c206d3d20c8 ldb: avoid out of bounds read and write in ldb_qsort()
via e2191933876 examples:winexe: embed Samba version as exe timestamp
via b1173444ff8 examples:winexe: reproducible builds with zero timestamp
via e7c132a4a2c buildtools:pidl: avoid hash randomisation in pidl
via eb480df1baf pidl:Typelist: resolveType(): don't mistake a reference for a name
via 65e781a30b2 s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
via fb4c338f030 s3:libads: Do not fail if we don't get an IP passed down
via 069729202c3 s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
via 1917b7f052d python: Fix NtVer check for site_dn_for_machine()
via 9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected handling
via 6a673a35ea0 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
via 82f73dc2312 s4:libcli/dgram: make use of socket_address_copy()
via 40fe6480d0d s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
via cf37f9f5272 libcli/nbt: add nbt_name_send_raw()
via b440c11ea0f s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
via b0c2389c886 s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()
via 234df77ae0a s3:libsmb/unexpected: don't use talloc_tos() in async code
via 2f73d251e0c s3:wscript: LIBNMB requires lp_ functions
via 27e4297f4c7 s3:include: split out fstring.h
via 260d1bbacf8 s3:include: let nameserv.h be useable on its own
via 4257e3b8fef s3:libads: avoid changing ADS->server.workgroup
via ba361b11d2e s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
via 0d0fbf2bb86 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
via 2954489bd56 s3:utils: let smbstatus report anonymous signing/encryption explicitly
via 9530c418a38 s3:smbd: allow anonymous encryption after one authenticated session setup
via 610e11af858 s3:utils: let smbstatus also report partial tcon signing/encryption
via 6fbf5deb559 s3:utils: let smbstatus also report AES-256 encryption types for tcons
via c547e0c0ff7 s3:utils: let connections_forall_read() report if the session was authenticated
via fe91ed785ed s3:lib: let sessionid_traverse_read() report if the session was authenticated
via 716a0443c9f s3:utils: remove unused signing_flags in connections_forall()
via cd05e7ed937 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
via b945f645732 s4:libcli/smb2: add hack to test anonymous signing and encryption
via b7606714959 smbXcli_base: add hacks to test anonymous signing and encryption
via dfcbd88504d tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
via 1b21c09d513 .gitlab-ci-main.yml: debug kernel details of the current runner
via d5638013962 .gitlab-ci: Remove tags no longer provided by gitlab.com
via 9b6bc91254c VERSION: Bump version up to Samba 4.20.2...
from 0ba948cba0b VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci-coverage-runners.yml | 8 +-
.gitlab-ci-default-runners.yml | 44 +-
.gitlab-ci-main.yml | 9 +-
VERSION | 2 +-
WHATSNEW.txt | 86 ++-
auth/credentials/credentials.c | 5 +
auth/credentials/credentials.h | 1 +
auth/credentials/credentials_secrets.c | 31 +-
auth/credentials/tests/test_creds.c | 37 +-
auth/gensec/gensec_start.c | 2 +-
bootstrap/.gitlab-ci.yml | 6 +-
bootstrap/config.py | 3 +
bootstrap/generated-dists/centos8s/bootstrap.sh | 3 +
bootstrap/sha1sum.txt | 2 +-
buildtools/wafsamba/samba_pidl.py | 4 +-
buildtools/wafsamba/samba_third_party.py | 4 +-
buildtools/wafsamba/samba_version.py | 5 +
ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml | 4 +-
ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c | 50 +-
examples/winexe/wscript | 21 +
examples/winexe/wscript_build | 4 +-
lib/fuzzing/decode_ndr_X_crash | 12 +-
lib/ldb-samba/ldif_handlers.c | 94 +--
lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.9.1.sigs} | 0
...pyldb-util-2.1.0.sigs => pyldb-util-2.9.1.sigs} | 0
lib/ldb/common/attrib_handlers.c | 53 +-
lib/ldb/common/ldb_dn.c | 30 +-
lib/ldb/common/ldb_msg.c | 13 +-
lib/ldb/common/qsort.c | 2 +-
lib/ldb/include/ldb.h | 16 +
lib/ldb/modules/sort.c | 19 +-
lib/ldb/wscript | 2 +-
lib/socket/interfaces.c | 22 +-
lib/torture/torture.h | 20 +
lib/util/charset/codepoints.c | 15 +-
lib/util/charset/tests/charset.c | 31 +-
lib/util/charset/util_str.c | 9 +-
lib/util/data_blob.c | 5 +-
lib/util/tests/binsearch.c | 6 +-
lib/util/tests/test_ms_fnmatch.c | 2 +-
lib/util/tsort.h | 19 +
libcli/nbt/libnbt.h | 3 +
libcli/nbt/nbtsocket.c | 44 ++
libcli/security/dom_sid.c | 14 +-
libcli/smb/smbXcli_base.c | 104 +++-
libcli/smb/smbXcli_base.h | 5 +
pidl/lib/Parse/Pidl/Typelist.pm | 14 +-
python/samba/gp/gpclass.py | 4 +-
python/samba/tests/blackbox/misc_dfs_widelink.py | 86 +++
python/samba/tests/dns_base.py | 213 ++++---
python/samba/tests/dns_tkey.py | 325 +++++++++--
python/samba/tests/join.py | 2 +-
python/samba/tests/ntacls.py | 2 +-
script/autobuild.py | 3 +-
selftest/flapping.d/gitlab-setxattr-security | 18 +
selftest/knownfail-32bit | 8 -
selftest/target/Samba4.pm | 2 +
lib/util/unix_match.h => source3/include/fstring.h | 14 +-
source3/include/includes.h | 5 +-
source3/include/nameserv.h | 380 +------------
source3/include/session.h | 1 +
source3/include/smb.h | 26 +-
source3/lib/sessionid_tdb.c | 8 +
source3/lib/util_tdb.c | 4 +-
source3/libads/kerberos.c | 32 +-
source3/libads/ldap.c | 16 +-
source3/librpc/idl/ads.idl | 1 +
source3/libsmb/clidgram.c | 6 +-
source3/libsmb/dsgetdcname.c | 29 +-
source3/libsmb/libsmb_xattr.c | 14 +-
source3/libsmb/namequery.c | 21 +-
source3/libsmb/nmblib.c | 12 +-
source3/libsmb/nmblib.h | 2 +
source3/libsmb/unexpected.c | 18 +-
source3/libsmb/unexpected.h | 2 +
source3/locking/brlock.c | 7 +-
source3/modules/posixacl_xattr.c | 6 +-
source3/modules/vfs_default.c | 6 +
source3/modules/vfs_recycle.c | 176 +++---
source3/modules/vfs_vxfs.c | 6 +-
source3/modules/vfs_widelinks.c | 13 +-
source3/nmbd/nmbd.h | 382 +++++++++++++
source3/nmbd/nmbd_packets.c | 1 +
source3/rpc_server/wkssvc/srv_wkssvc_nt.c | 2 +-
source3/script/tests/test_recycle.sh | 5 +
source3/script/tests/test_widelink_dfs_ci.sh | 72 +++
source3/selftest/tests.py | 11 +
source3/smbd/files.c | 18 +
source3/smbd/globals.h | 5 +
source3/smbd/smb2_server.c | 11 +
source3/smbd/smb2_sesssetup.c | 18 +-
source3/smbd/smb2_tcon.c | 4 +
source3/utils/conn_tdb.c | 12 +-
source3/utils/conn_tdb.h | 1 +
source3/utils/net_ads.c | 6 +
source3/utils/net_registry.c | 2 +-
source3/utils/sharesec.c | 8 +-
source3/utils/smbcacls.c | 15 +-
source3/utils/status.c | 82 ++-
source3/utils/status.h | 1 +
source3/utils/status_json.c | 2 +
source3/winbindd/idmap_ad.c | 11 +-
source3/wscript_build | 1 +
source4/dns_server/dns_crypto.c | 49 +-
source4/dns_server/dns_query.c | 27 +-
source4/dns_server/dns_update.c | 11 +
source4/dns_server/dnsserver_common.c | 8 +-
source4/dsdb/repl/drepl_out_helpers.c | 26 +-
source4/dsdb/samdb/ldb_modules/operational.c | 2 +-
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 17 +-
source4/dsdb/schema/schema_set.c | 14 +-
source4/libcli/dgram/dgramsocket.c | 40 +-
source4/libcli/dgram/libdgram.h | 3 +
source4/libcli/smb2/session.c | 16 +-
source4/libcli/smb2/smb2.h | 2 +
source4/nbt_server/dgram/request.c | 56 +-
source4/nbt_server/interfaces.c | 29 +
source4/nbt_server/nbt_server.c | 143 +++++
source4/nbt_server/nbt_server.h | 2 +
source4/nbt_server/wins/winsdb.c | 5 +-
source4/nbt_server/wins/winsserver.c | 3 +-
source4/nbt_server/wscript_build | 2 +-
source4/ntvfs/posix/pvfs_streams.c | 3 +-
source4/rpc_server/dnsserver/dnsdata.c | 16 +-
source4/rpc_server/samr/dcesrv_samr.c | 7 +-
source4/selftest/tests.py | 14 +-
source4/torture/smb2/ioctl.c | 64 +++
source4/torture/smb2/session.c | 629 +++++++++++++++++++++
testprogs/blackbox/test_ldap_token.sh | 115 ++++
testprogs/blackbox/test_trust_token.sh | 5 +-
third_party/socket_wrapper/socket_wrapper.c | 45 +-
third_party/socket_wrapper/wscript | 3 +-
third_party/uid_wrapper/uid_wrapper.c | 58 +-
third_party/uid_wrapper/wscript | 4 +-
wscript | 20 +
135 files changed, 3554 insertions(+), 907 deletions(-)
copy lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.9.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.9.1.sigs} (100%)
create mode 100644 python/samba/tests/blackbox/misc_dfs_widelink.py
create mode 100644 selftest/flapping.d/gitlab-setxattr-security
copy lib/util/unix_match.h => source3/include/fstring.h (76%)
create mode 100755 source3/script/tests/test_widelink_dfs_ci.sh
create mode 100755 testprogs/blackbox/test_ldap_token.sh
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-coverage-runners.yml b/.gitlab-ci-coverage-runners.yml
index 0f6b2ec1581..331c5d2399c 100644
--- a/.gitlab-ci-coverage-runners.yml
+++ b/.gitlab-ci-coverage-runners.yml
@@ -1,10 +1,4 @@
include:
- /.gitlab-ci-default-runners.yml
-.shared_runner_test:
- # We need the more powerful n1-standard-2 runners
- # in order to handle the lcov overhead.
- #
- # See .gitlab-ci-default-runners.yml for more details
- tags:
- - gitlab-org-docker
+# Currently we're happy with the defaults
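Review bot: The replacement comment `# Currently we're happy with the defaults` drops the reason the override existed without saying why it no longer applies; the removed lines state that the larger runners were needed to handle the lcov overhead. Since this file now does nothing beyond including /.gitlab-ci-default-runners.yml, say in the comment that the default runners are considered sufficient for the coverage jobs, and that the file is kept only as a place to override them again.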
diff --git a/.gitlab-ci-default-runners.yml b/.gitlab-ci-default-runners.yml
index f73f868d39c..bdc504aff21 100644
--- a/.gitlab-ci-default-runners.yml
+++ b/.gitlab-ci-default-runners.yml
@@ -1,48 +1,26 @@
-# From https://docs.gitlab.com/ee/user/gitlab_com/#shared-runners:
+# From https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html
#
# ...
#
-# All your CI/CD jobs run on n1-standard-1 instances with 3.75GB of RAM, CoreOS
-# and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB of
-# HDD disk space. The default region of the VMs is US East1. Each instance is
-# used only for one job, this ensures any sensitive data left on the system can’t
-# be accessed by other people their CI jobs.
-#
-# The gitlab-shared-runners-manager-X.gitlab.com fleet of runners are dedicated
-# for GitLab projects as well as community forks of them. They use a slightly
-# larger machine type (n1-standard-2) and have a bigger SSD disk size. They don’t
-# run untagged jobs and unlike the general fleet of shared runners, the instances
-# are re-used up to 40 times.
-#
-# ...
-#
-# The n1-standard-1 runners seem to be tagged with 'docker' together with 'gce'.
-#
-# The more powerful n1-standard-2 runners seem to be tagged with
-# 'gitlab-org-docker' or some with just 'gitlab-org'.
-#
+# Runner Tag vCPUs Memory Storage
+# saas-linux-small-amd64 2 8 GB 25 GB
#
# Our current private runner 'docker', 'samba-ci-private', 'shared' and
# 'ubuntu2204'. It runs with an ubuntu2204 kernel (5.15) and provides an
-# ext4 filesystem and similar RAM as the n1-standard-2 runners.
+# ext4 filesystem, 2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM.
#
.shared_runner_build:
- # We use n1-standard-1 shared runners by default.
- #
- # There are currently 5 shared runners with 'docker' and 'gce',
- # while there are only 2 provising 'docker' together with 'shared'.
+ # We use saas-linux-small-amd64 shared runners by default.
+ # We avoid adding explicit tags for them in order
+ # to work with potential changes in future
#
- # We used to fallback to our private runner if the docker+shared runners
- # were busy, but now that we use the 5 docker+gce runners, we try to only
- # use shared runners without a fallback to our private runner!
- # Lets see how that will work out.
- tags:
- - docker
- - gce
+ # In order to generate valid yaml, we define a dummy variable...
+ variables:
+ SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build
.shared_runner_test:
- # Currently we're fine using the n1-standard-1 runners also for testing
+ # We use saas-linux-small-amd64 shared runners by default.
extends: .shared_runner_build
.private_runner_test:
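Review bot: The rewritten private-runner line in the header comment mixes units and is hard to parse: `2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM`. Something like "2 CPUs, with 4 GB RAM under the shared tag and 8 GB under the samba-ci-private tag" reads unambiguously. In `.shared_runner_build`, the placeholder `SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build` ends up in the environment of every job that extends the template; the comment above it explains why it exists, and it would help to add that it has no consumer so nobody starts depending on it.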
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index add5f323ec4..face2103327 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -47,7 +47,7 @@ variables:
# Set this to the contents of bootstrap/sha1sum.txt
# which is generated by bootstrap/template.py --render
#
- SAMBA_CI_CONTAINER_TAG: 9a406973474a7903fe7fd6215226660911ed73c0
+ SAMBA_CI_CONTAINER_TAG: b078783e082ead539940faaa644567bf4ed67f67
#
# We use the ubuntu2204 image as default as
# it matches what we have on atb-devel-224
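Review bot: `SAMBA_CI_CONTAINER_TAG` is a hand-copied hash, and the comment directly above it says it must equal the contents of bootstrap/sha1sum.txt, yet nothing visible here enforces that. The summary of changes lists bootstrap/sha1sum.txt as modified in the same push, so please confirm the new value matches that file, and consider a CI step that compares the two so a stale tag fails early instead of pulling the wrong image.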
@@ -112,8 +112,14 @@ include:
before_script:
- uname -a
+ - ls -l /sys/module/
+ - ls -l /sys/kernel/security/
+ - if [ -e /sys/kernel/security/lsm ]; then cat /sys/kernel/security/lsm ; echo; fi
+ - if [ -e /proc/config.gz ]; then sudo zcat /proc/config.gz; echo; fi
- lsb_release -a
- cat /etc/os-release
+ - id
+ - cat /proc/self/status
- lscpu
- cat /proc/cpuinfo
- mount
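Review bot: The added `ls -l /sys/module/` and `ls -l /sys/kernel/security/` lines are unguarded, while the two lines after them test with `[ -e ... ]` first; if either path is missing in a container, before_script exits non-zero and the job fails on what is only debug output. Guard them the same way or append `|| true`. The `sudo zcat /proc/config.gz` line also depends on passwordless sudo in every image; if the file is readable without root, plain `zcat` removes that dependency. Together with `id` and `cat /proc/self/status`, this puts the runner's kernel configuration, identity and capability sets into every job log, so it is worth deciding whether that should stay once the debugging is done.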
@@ -141,6 +147,7 @@ include:
- ccache -s
# We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI
- git config --global --add safe.directory `pwd`
+ - git config --global --add safe.directory /builds/samba-team/devel/samba/.git
after_script:
- mount
- df -h
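Review bot: The added `safe.directory` entry hard-codes `/builds/samba-team/devel/samba/.git`, so it only has an effect when the job happens to run in that one checkout path, whereas the line above it uses `pwd` and covers any path. If the `.git` directory needs its own entry, build it from the same `pwd` substitution so other namespaces and mirrors get it too, and add a comment saying which git operation needs the `.git` path in addition to the work tree. Keeping the entry a specific path rather than a wildcard is the right choice, since safe.directory switches off git's ownership check for whatever it names.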
diff --git a/VERSION b/VERSION
index cfa7539380b..200f6ccac3e 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=20
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8249e9326f9..fb964d7a6f4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,86 @@
+ ==============================
+ Release Notes for Samba 4.20.2
+ June 19, 2024
+ ==============================
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.1
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 13213: Samba build is not reproducible.
+ * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
+ function.
+ * BUG 15625: Many qsort() comparison functions are non-transitive, which can
+ lead to out-of-bounds access in some circumstances.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
+ bill.
+ * BUG 15654: We have added new options --vendor-name and --vendor-patch-
+ revision arguments to ./configure to allow distributions and packagers to
+ put their name in the Samba version string so that when debugging Samba the
+ source of the binary is obvious.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 15665: CTDB RADOS mutex helper misses namespace support.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13019: Dynamic DNS updates with the internal DNS are not working.
+ * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
+ SysvolReady=0.
+ * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
+ Windows Server 2022).
+ * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
+ * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd
+ can't use nmb requests instead cldap.
+ * BUG 15642: winbindd, net ads join and other things don't work on an ipv6
+ only host.
+ * BUG 15659: Segmentation fault when deleting files in vfs_recycle.
+ * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
+ * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
+ machine account.
+
+o Noel Power <noel.power at suse.com>
+ * BUG 15435: Regression DFS not working with widelinks = true.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
+ * BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted
+ domain lookups.
+ * BUG 15660: The images don't build after the git security release and CentOS
+ 8 Stream is EOL.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.20.1
May 08, 2024
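Review bot: In the Stefan Metzmacher list, the BUG 14981 entry reads `NR_STATUS_ACCESS_DENIED`, which looks like a typo for NT_STATUS_ACCESS_DENIED. In the BUG 15654 entry the option name is wrapped as `--vendor-patch-` on one line and `revision` on the next, so searching the release notes for --vendor-patch-revision will not find it; rewrap so the option stays on one line. The same entry says "new options ... arguments", where one of the two words is enough.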
@@ -51,8 +134,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.20.0
March 27, 2024
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 20ab858e67b..e563be34399 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -146,6 +146,11 @@ _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct
return creds->kerberos_state;
}
+_PUBLIC_ enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds)
+{
+ return creds->kerberos_state_obtained;
+}
+
_PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
{
return creds->forced_sasl_mech;
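Review bot: The new public getter `cli_credentials_get_kerberos_state_obtained()` carries no comment on what the returned level means to callers. The caller added in credentials_secrets.c compares the result with `<= CRED_SMB_CONF`, so it relies on the ordering of enum credentials_obtained; a short comment here or at the prototype in credentials.h stating that the values are ordered by precedence would document that the comparison is intended.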
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 341c984f60c..16eddccec57 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -267,6 +267,7 @@ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cr
const char *cli_credentials_get_self_service(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
+enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds);
const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 8469d6e116f..906f3ff1a21 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
}
if (secrets_tdb_password_more_recent) {
- enum credentials_use_kerberos use_kerberos =
- CRED_USE_KERBEROS_DISABLED;
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
+ enum credentials_use_kerberos use_kerberos =
+ cli_credentials_get_kerberos_state(cred);
+ enum credentials_obtained use_kerberos_obtained =
+ cli_credentials_get_kerberos_state_obtained(cred);
+ bool is_ad = false;
+
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
switch (server_role) {
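Review bot: Moving `use_kerberos` inside the `strequal(domain, lpcfg_workgroup(lp_ctx))` block, combined with the removal of the unconditional `cli_credentials_set_kerberos_state(cred, use_kerberos, CRED_SPECIFIED)` in the next hunk, means that when the domain does not match the workgroup the kerberos state is no longer touched at all, where it used to be forced to CRED_USE_KERBEROS_DISABLED at CRED_SPECIFIED. If that is intended, say so in a comment at the top of this block and cover the mismatch case in a test.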
@@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
FALL_THROUGH;
case ROLE_ACTIVE_DIRECTORY_DC:
case ROLE_IPA_DC:
- use_kerberos = CRED_USE_KERBEROS_DESIRED;
+ is_ad = true;
break;
}
+
+ if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) {
+ /*
+ * Keep an explicit selection
+ *
+ * For AD domains we also keep
+ * CRED_USE_KERBEROS_DESIRED
+ */
+ } else if (use_kerberos_obtained <= CRED_SMB_CONF) {
+ /*
+ * Disable kerberos by default within
+ * an NT4 domain.
+ */
+ cli_credentials_set_kerberos_state(cred,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SMB_CONF);
+ }
}
- cli_credentials_set_kerberos_state(cred,
- use_kerberos,
- CRED_SPECIFIED);
+
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
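Review bot: The first branch of `if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad)` is empty apart from its comment, which hides the actual rule. The only action is taken when is_ad is false, the state is CRED_USE_KERBEROS_DESIRED and it was obtained at CRED_SMB_CONF or below, so a single positive test, `if (!is_ad && use_kerberos == CRED_USE_KERBEROS_DESIRED && use_kerberos_obtained <= CRED_SMB_CONF)`, with one comment would state that directly. The comment should also name the remaining case, which currently falls through silently: DESIRED obtained above CRED_SMB_CONF in an NT4 domain is kept. The return value of cli_credentials_set_kerberos_state() is ignored; the test file in this push shows it returns a bool, so either check it or note why failure is not expected here.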
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index 2cb2e6d0e34..e79f08982ad 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -227,6 +227,8 @@ static void torture_creds_krb5_state(void **state)
TALLOC_CTX *mem_ctx = *state;
struct cli_credentials *creds = NULL;
struct loadparm_context *lp_ctx = NULL;
+ enum credentials_obtained kerberos_state_obtained;
+ enum credentials_use_kerberos kerberos_state;
bool ok;
lp_ctx = loadparm_init_global(true);
@@ -234,18 +236,27 @@ static void torture_creds_krb5_state(void **state)
creds = cli_credentials_init(mem_ctx);
assert_non_null(creds);
- assert_int_equal(creds->kerberos_state_obtained, CRED_UNINITIALISED);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_UNINITIALISED);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
ok = cli_credentials_set_conf(creds, lp_ctx);
assert_true(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
ok = cli_credentials_guess(creds, lp_ctx);
assert_true(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
assert_int_equal(creds->ccache_obtained, CRED_GUESS_FILE);
assert_non_null(creds->ccache);
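Review bot: The two trailing assertions on creds->ccache_obtained and creds->ccache still reach into the struct directly, while every kerberos-state check in this hunk was converted to the new getters. If the aim is for the test to stop depending on the struct layout, these two should use accessors as well, or a short comment should say why they are left as direct field reads.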
@@ -253,15 +264,21 @@ static void torture_creds_krb5_state(void **state)
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
assert_true(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
ok = cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED,
CRED_SMB_CONF);
assert_false(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
}
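Review bot: The same four-line sequence (fetch kerberos_state_obtained, fetch kerberos_state, then two assert_int_equal calls) is repeated after every step in this function, including twice in this hunk. A small static helper or macro taking creds plus the expected obtained level and expected state would cut the repetition and make the one interesting case here, that a CRED_SMB_CONF update returns false and leaves a CRED_SPECIFIED value untouched, stand out.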
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 072188a6752..bcf98bd5968 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -1103,7 +1103,7 @@ _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
}
static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
- return (*gs2)->priority - (*gs1)->priority;
+ return NUMERIC_CMP((*gs2)->priority, (*gs1)->priority);
}
int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
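Review bot: In sort_gensec() the arguments are passed as NUMERIC_CMP((*gs2)->priority, (*gs1)->priority), with gs2 first, and nothing says that the reversal is deliberate. A one-line comment stating that the comparator sorts by descending priority would stop a later cleanup from "fixing" the order. The switch away from subtraction is the right call, since a difference of two priorities can wrap and return the wrong sign.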
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index ba82cdc1251..77b4e4fe290 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -6,9 +6,7 @@
# We need to make sure we only use gitlab.com
# runners and not our own runners, as our current runners
# don't allow 'docker build ...' to run.
- - docker
- - gce
- - shared
+ - saas-linux-small-amd64
variables:
SAMBA_CI_IS_BROKEN_IMAGE: "no"
SAMBA_CI_TEST_JOB: "samba-o3"
@@ -47,7 +45,7 @@
diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt
# run smoke test with samba-o3 or samba-fuzz
podman run --volume $(pwd):/src:ro ${ci_image_name} \
- /bin/bash -c "git clone /src samba && cd samba && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
+ /bin/bash -c "git config --global --add safe.directory /src/.git && git clone /src samba && cd samba && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
podman tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG}
podman tag ${ci_image_name} ${ci_image_path}:${timestamp_tag}
# We build all images, but only upload is it's not marked as broken
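Review bot: The added "git config --global --add safe.directory /src/.git" in the podman one-liner has no comment explaining why it is needed. Because it switches off git's repository ownership check for that path, it deserves a line noting that /src is the read-only bind mount of the checkout and is owned by a different uid than the user inside the container. Scoping the exception to the exact path rather than a wildcard is good and should stay that way. The bash -c string is also now long enough that splitting it over continuation lines would make future changes to it reviewable.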
diff --git a/bootstrap/config.py b/bootstrap/config.py
index 11d8314aefc..a5a7366c7fa 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -241,6 +241,9 @@ CENTOS8S_YUM_BOOTSTRAP = r"""
{GENERATED_MARKER}
set -xueo pipefail
+sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
+sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
+
yum update -y
yum install -y dnf-plugins-core
yum install -y epel-release
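Review bot: The second sed rewrites the repository baseurl to http://vault.centos.org, so every package in the CI image is fetched over plain HTTP and integrity rests entirely on the repo files keeping GPG checking enabled. If the vault host is reachable over https, prefer that scheme in the replacement. Separately, the first sed pattern 's/mirrorlist/#mirrorlist/g' is unanchored: it matches the word anywhere on a line and prepends another '#' on each rerun, so anchoring it as 's/^mirrorlist/#mirrorlist/' would keep the edit idempotent. A short comment that CentOS 8 Stream content has moved to the vault would explain why the lines exist.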
diff --git a/bootstrap/generated-dists/centos8s/bootstrap.sh b/bootstrap/generated-dists/centos8s/bootstrap.sh
index 4b2c62c66d9..9e0aabbac28 100755
--- a/bootstrap/generated-dists/centos8s/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8s/bootstrap.sh
@@ -7,6 +7,9 @@
set -xueo pipefail
+sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
+sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
+
yum update -y
yum install -y dnf-plugins-core
yum install -y epel-release
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 61ecaf0ccf6..1bb5e922d9b 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-9a406973474a7903fe7fd6215226660911ed73c0
+b078783e082ead539940faaa644567bf4ed67f67
diff --git a/buildtools/wafsamba/samba_pidl.py b/buildtools/wafsamba/samba_pidl.py
index 72997c8bf84..e1010869cdd 100644
--- a/buildtools/wafsamba/samba_pidl.py
+++ b/buildtools/wafsamba/samba_pidl.py
@@ -81,7 +81,9 @@ def SAMBA_PIDL(bld, pname, source,
else:
cc = 'CC="%s"' % bld.CONFIG_GET("CC")
- t = bld(rule='cd ${PIDL_LAUNCH_DIR} && %s%s %s ${PERL} ${PIDL} --quiet ${OPTIONS} --outputdir ${OUTPUTDIR} -- "${IDLSRC}"' % (pidl_dev, cpp, cc),
+ t = bld(rule=('cd ${PIDL_LAUNCH_DIR} && PERL_HASH_SEED=0 %s%s %s ${PERL} '
+ '${PIDL} --quiet ${OPTIONS} --outputdir ${OUTPUTDIR} -- "${IDLSRC}"' %
+ (pidl_dev, cpp, cc)),
ext_out = '.c',
before = 'c',
update_outputs = True,
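Review bot: The rule now prefixes the pidl invocation with PERL_HASH_SEED=0 but carries no comment saying why. Pinning the seed turns off Perl's hash randomization for this run, which is acceptable for a build-time generator but is not something a reader will infer from the command string. A comment next to the rule stating the intent, presumably stable ordering in the generated C output, would make it clear the setting must not be dropped in a later refactor.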
diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py
index 52898486fd9..a42bb2ddc90 100644
--- a/buildtools/wafsamba/samba_third_party.py
+++ b/buildtools/wafsamba/samba_third_party.py
@@ -24,7 +24,7 @@ Build.BuildContext.CHECK_CMOCKA = CHECK_CMOCKA
@conf
def CHECK_SOCKET_WRAPPER(conf):
- return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.2')
+ return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.3')
Build.BuildContext.CHECK_SOCKET_WRAPPER = CHECK_SOCKET_WRAPPER
@conf
@@ -39,7 +39,7 @@ Build.BuildContext.CHECK_RESOLV_WRAPPER = CHECK_RESOLV_WRAPPER
@conf
def CHECK_UID_WRAPPER(conf):
- return conf.CHECK_BUNDLED_SYSTEM_PKG('uid_wrapper', minversion='1.3.0')
+ return conf.CHECK_BUNDLED_SYSTEM_PKG('uid_wrapper', minversion='1.3.1')
Build.BuildContext.CHECK_UID_WRAPPER = CHECK_UID_WRAPPER
@conf
diff --git a/buildtools/wafsamba/samba_version.py b/buildtools/wafsamba/samba_version.py
index 31103e0f8c4..576168f5723 100644
--- a/buildtools/wafsamba/samba_version.py
--
Samba Shared Repository