The branch, v4-5-stable has been updated
via 916fab0 VERSION: Set version to 4.5.0...
via dc2c876 WHATSNEW: Add release notes for Samba 4.5.0.
via d58fb55 s3-spoolss: fix _spoolss_GetPrinterDataEx by moving the keyname length check.
via 3989032 s4-torture: test GetPrinterData with server handle and 0 keylength.
via 2419d59 idmap_script: add missing "IDTOSID" argument to the script command line.
via 3987f0e vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes
via 1f1d54c docs: document vfs_acl_xattr|tdb enforced settings
via 0069137 vfs_acl_common: use DBG_LEVEL and remove function prefixes in DEBUG statements
via 2aa1aea s4/torture: tests for vfs_acl_xattr default ACL styles
via 54e6a40 vfs_acl_common: Windows style default ACL
via 497e828 vfs_acl_xattr|tdb: add option to control default ACL style
via 7c657fc vfs_acl_common: check for ignore_system_acls before fetching filesystem ACL
via 694c5d0 vfs_acl_common: move stat stuff to a helper function
via eabd4f8 vfs_acl_tdb|xattr: use a config handle
via a48d106 vfs_acl_common: move the ACL blob validation to a helper function
via 8a8c2ce vfs_acl_common: simplify ACL logic, cleanup and talloc hierarchy
via a2fb0fb vfs_acl_common: remove redundant NULL assignment
via abbc4be vfs_acl_common: rename pdesc_next to psd_fs
via 32f3f7b vfs_acl_common: rename psd to psd_blob in get_nt_acl_internal()
via 8a02f97 Revert "vfs_acl_xattr: objects without NT ACL xattr"
via 64e1f55 s3/rpc_server: shared rpc modules directory may not exist
via 1349c67 gensec/spnego: work around missing server mechListMIC in SMB servers
via 73e24ec Merge tag 'samba-4.5.0rc3' into v4-5-test
via 51a6036 ctdb-tests: Add a test to ensure that CTDB works with no eventscripts
via af2386b ctdb-tests: Conditionally use temporary config file for local daemons
via 7e0846a ctdb-tests: Factor out function config_from_environment()
via 8b2e01a ctdb-daemon: Don't steal control structure before synchronous reply
via d9f5a6a ctdb-daemon: Handle failure immediately, do housekeeping later
via 41ca635 ctdb-daemon: Schedule running of callback if there are no event scripts
via 0ccfa21 dbcheck: Abandon dbcheck if we get an error during a transaction
via b005b5b dsdb: Allow missing a mandatory attribute from a dbcheck fix
via 181d050 script/release.sh: use 8 byte gpg key ids
via 91901e0 WHATSNEW: Start release notes for Samba 4.5.0rc4.
via ff8d3d6 VERSION: Bump version up to 4.5.0rc4...
via 6c94b10 VERSION: Disable git snapshots for the 4.5.0rc3 release.
via 81dff4e WHATSNEW: Release notes for Samba 4.5.0rc3.
via 46139bb tests/getnc_exop: Ensure that attribute list sorting is correct
via ef21629 getncchanges: Compute the partial attribute set from the remote schema
via 91f9633 tests/getnc_exop: PartialAttrSetEx test (passes Windows, fails us)
via 589b76f tests/getnc_exop: Ensure the remote prefixmap is always used (name attr)
via a6c6050 tests/getnc_exop: Ensure the remote prefixmap is always used (secret attrs)
via af88b47 tests/getnc_exop: Ensure that all attids are valid in a given PAS
via fc27d74 tests/getnc_exop: Ensure we do the fallback if not given a PAS
via ec38c59 drepl_out: Send the prefix map alongside the global catalog partial attribute set
via 752a32a drepl_out: Send the prefix map alongside the RODC partial attribute set
via c664c03 replicated_objects: Add missing newline for debug
via c146881 getncchanges: Fix some whitespace
via 257d1d6 tests/schemainfo: run dsdb schema info tests with proper URI
via e7c0cb3 Removed upgrading-samba4.txt
via 8869cf8 Added Wiki link to replPropertyMetaData Changes section
from d7258cb VERSION: Disable git snapshots for the 4.5.0rc3 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 46 +- auth/gensec/spnego.c | 69 +- ctdb/server/ctdb_takeover.c | 11 +- ctdb/server/eventscript.c | 87 ++- ctdb/tests/simple/28_zero_eventscripts.sh | 45 ++ ctdb/tests/simple/scripts/local_daemons.bash | 33 +- docs-xml/manpages/vfs_acl_tdb.8.xml | 49 ++ docs-xml/manpages/vfs_acl_xattr.8.xml | 49 ++ python/samba/dbchecker.py | 7 + script/release.sh | 12 +- selftest/target/Samba3.pm | 8 + source3/modules/vfs_acl_common.c | 729 ++++++++++++++------- source3/modules/vfs_acl_tdb.c | 28 + source3/modules/vfs_acl_xattr.c | 28 + source3/rpc_server/rpc_service_setup.c | 12 +- source3/rpc_server/spoolss/srv_spoolss_nt.c | 12 +- source3/selftest/tests.py | 4 +- source3/winbindd/idmap_script.c | 2 +- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 9 +- source4/torture/rpc/spoolss.c | 22 +- source4/torture/vfs/acl_xattr.c | 314 +++++++++ source4/torture/vfs/vfs.c | 1 + source4/torture/wscript_build | 2 +- testprogs/blackbox/dbcheck-oldrelease.sh | 10 + 25 files changed, 1283 insertions(+), 308 deletions(-) create mode 100755 ctdb/tests/simple/28_zero_eventscripts.sh create mode 100644 source4/torture/vfs/acl_xattr.c Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 85ce530..91beb78 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE=3 +SAMBA_VERSION_RC_RELEASE= ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 91422af..b198a56 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,12 +1,10 @@ -Release Announcements -===================== + ============================= + Release Notes for Samba 4.5.0 + September 7, 2016 + ============================= -This is the third release candidate of Samba 4.5. This is *not* -intended for production environments and is designed for testing -purposes only. Please report any defects via the Samba bug reporting -system at https://bugzilla.samba.org/. -Samba 4.5 will be the next version of the Samba suite. +This is the first stable release of the Samba 4.5 release series. UPGRADING @@ -343,9 +341,43 @@ smb.conf changes KNOWN ISSUES ============ +While a lot of schema replication bugs were fixed in this release +Bug 12204 - Samba fails to replicate schema 69 +(https://bugzilla.samba.org/show_bug.cgi?id=12204) is still open. +The replication fails if more than 133 schema objects are added +at the same time. + +More open bugs are listed at: https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.5#All_bugs +CHANGES SINCE 4.5.0rc3 +====================== + +o Björn Baumbach <b...@sernet.de> + * BUG 12194: idmap_script: fix missing "IDTOSID" argument in scripts + command line. + +o Andrew Bartlett <abart...@samba.org> + * BUG 12178: samba-tool dbcheck fails to fix replPropertyMetaData. + +o Ralph Boehme <s...@samba.org> + * BUG 12177: Unexpected synthesized default ACL from vfs_acl_xattr. + * BUG 12181: vfs_acl_common not setting filesystem permissions anymore. + * BUG 12184: Loading shared RPC modules failed. + +o Günther Deschner <g...@samba.org> + * BUG 12245: fix _spoolss_GetPrinterDataEx by moving the keyname + length check. + +o Stefan Metzmacher <me...@samba.org> + * BUG 11994: smbclient fails to connect to Azure or Apple share spnego + fails with no mechListMIC. + +o Martin Schwenke <mar...@meltin.net> + * BUG 12180: CTDB crashes running eventscripts. + + CHANGES SINCE 4.5.0rc2 ====================== diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index ef30ab7..5f5047a 100644 
--- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -55,9 +55,11 @@ struct spnego_state { DATA_BLOB mech_types; size_t num_targs; + bool downgraded; bool mic_requested; bool needs_mic_sign; bool needs_mic_check; + bool may_skip_mic_check; bool done_mic_check; bool simulate_w2k; @@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ * Indicate the downgrade and request a * mic. */ + spnego_state->downgraded = true; spnego_state->mic_requested = true; break; } @@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n", gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid), gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech))); - + spnego_state->downgraded = true; spnego_state->no_response_expected = false; talloc_free(spnego_state->sub_sec_security); nt_status = gensec_subcontext_start(spnego_state, @@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA return NT_STATUS_INVALID_PARAMETER; } + if (spnego.negTokenTarg.mechListMIC.length == 0 + && spnego_state->may_skip_mic_check) { + /* + * In this case we don't require + * a mechListMIC from the server. + * + * This works around bugs in the Azure + * and Apple spnego implementations. + * + * See + * https://bugzilla.samba.org/show_bug.cgi?id=11994 + */ + spnego_state->needs_mic_check = false; + nt_status = NT_STATUS_OK; + goto client_response; + } + nt_status = gensec_check_packet(spnego_state->sub_sec_security, spnego_state->mech_types.data, spnego_state->mech_types.length, 
@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA */ new_spnego = false; } + break; case SPNEGO_ACCEPT_INCOMPLETE: + if (spnego.negTokenTarg.mechListMIC.length > 0) { + new_spnego = true; + break; + } + + if (spnego_state->downgraded) { + /* + * A downgrade should be protected if + * supported + */ + break; + } + + /* + * The caller may just asked for + * GENSEC_FEATURE_SESSION_KEY, this + * is only reflected in the want_features. + * + * As it will imply + * gensec_have_features(GENSEC_FEATURE_SIGN) + * to return true. + */ + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + break; + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + break; + } + /* + * Here we're sure our preferred mech was + * selected by the server and our caller doesn't + * need GENSEC_FEATURE_SIGN nor + * GENSEC_FEATURE_SEAL support. + * + * In this case we don't require + * a mechListMIC from the server. + * + * This works around bugs in the Azure + * and Apple spnego implementations. + * + * See + * https://bugzilla.samba.org/show_bug.cgi?id=11994 + */ + spnego_state->may_skip_mic_check = true; + break; + case SPNEGO_REQUEST_MIC: if (spnego.negTokenTarg.mechListMIC.length > 0) { new_spnego = true; diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c index ede635e..d10ffef 100644 --- a/ctdb/server/ctdb_takeover.c +++ b/ctdb/server/ctdb_takeover.c @@ -522,7 +522,7 @@ static int32_t ctdb_do_takeip(struct ctdb_context *ctdb, state = talloc(vnn, struct ctdb_do_takeip_state); CTDB_NO_MEMORY(ctdb, state); - state->c = talloc_steal(ctdb, c); + state->c = NULL; state->vnn = vnn; vnn->update_in_flight = true; @@ -551,6 +551,7 @@ static int32_t ctdb_do_takeip(struct ctdb_context *ctdb, return -1; } + state->c = talloc_steal(ctdb, c); return 0; } 
@@ -659,7 +660,7 @@ static int32_t ctdb_do_updateip(struct ctdb_context *ctdb, state = talloc(vnn, struct ctdb_do_updateip_state); CTDB_NO_MEMORY(ctdb, state); - state->c = talloc_steal(ctdb, c); + state->c = NULL; state->old = old; state->vnn = vnn; @@ -691,6 +692,7 @@ static int32_t ctdb_do_updateip(struct ctdb_context *ctdb, return -1; } + state->c = talloc_steal(ctdb, c); return 0; } @@ -1003,8 +1005,8 @@ int32_t ctdb_control_release_ip(struct ctdb_context *ctdb, return -1; } - state->c = talloc_steal(state, c); - state->addr = talloc(state, ctdb_sock_addr); + state->c = NULL; + state->addr = talloc(state, ctdb_sock_addr); if (state->addr == NULL) { ctdb_set_error(ctdb, "Out of memory at %s:%d", __FILE__, __LINE__); @@ -1037,6 +1039,7 @@ int32_t ctdb_control_release_ip(struct ctdb_context *ctdb, /* tell the control that we will be reply asynchronously */ *async_reply = true; + state->c = talloc_steal(state, c); return 0; } diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c index bd5bc0d..86d37d9 100644 --- a/ctdb/server/eventscript.c +++ b/ctdb/server/eventscript.c 
@@ -699,6 +699,62 @@ static int remove_callback(struct event_script_callback *callback) return 0; } +struct schedule_callback_state { + struct ctdb_context *ctdb; + void (*callback)(struct ctdb_context *, int, void *); + void *private_data; + int status; + struct tevent_immediate *im; +}; + +static void schedule_callback_handler(struct tevent_context *ctx, + struct tevent_immediate *im, + void *private_data) +{ + struct schedule_callback_state *state = + talloc_get_type_abort(private_data, + struct schedule_callback_state); + + if (state->callback != NULL) { + state->callback(state->ctdb, state->status, + state->private_data); + } + talloc_free(state); +} + +static int +schedule_callback_immediate(struct ctdb_context *ctdb, + void (*callback)(struct ctdb_context *, + int, void *), + void *private_data, + int status) +{ + struct schedule_callback_state *state; + struct tevent_immediate *im; + + state = talloc_zero(ctdb, struct schedule_callback_state); + if (state == NULL) { + DEBUG(DEBUG_ERR, (__location__ " out of memory\n")); + return -1; + } + im = tevent_create_immediate(state); + if (im == NULL) { + DEBUG(DEBUG_ERR, (__location__ " out of memory\n")); + talloc_free(state); + return -1; + } + + state->ctdb = ctdb; + state->callback = callback; + state->private_data = private_data; + state->status = status; + state->im = im; + + tevent_schedule_immediate(im, ctdb->ev, + schedule_callback_handler, state); + return 0; +} + /* run the event script in the background, calling the callback when finished 
@@ -815,28 +871,33 @@ static int ctdb_event_script_callback_v(struct ctdb_context *ctdb, state->current = 0; state->child = 0; - if (call == CTDB_EVENT_MONITOR) { - ctdb->current_monitor = state; - } - - talloc_set_destructor(state, event_script_destructor); - - ctdb->active_events++; - /* Nothing to do? */ if (state->scripts->num_scripts == 0) { - callback(ctdb, 0, private_data); + int ret = schedule_callback_immediate(ctdb, callback, + private_data, 0); talloc_free(state); + if (ret != 0) { + DEBUG(DEBUG_ERR, + ("Unable to schedule callback for 0 scripts\n")); + return 1; + } return 0; } state->scripts->scripts[0].status = fork_child_for_script(ctdb, state); if (state->scripts->scripts[0].status != 0) { - /* Callback is called from destructor, with fail result. */ talloc_free(state); - return 0; + return -1; } + if (call == CTDB_EVENT_MONITOR) { + ctdb->current_monitor = state; + } + + ctdb->active_events++; + + talloc_set_destructor(state, event_script_destructor); + if (!timeval_is_zero(&state->timeout)) { tevent_add_timer(ctdb->ev, state, timeval_current_ofs(state->timeout.tv_sec, @@ -1015,7 +1076,7 @@ int32_t ctdb_run_eventscripts(struct ctdb_context *ctdb, state = talloc(ctdb->event_script_ctx, struct eventscript_callback_state); CTDB_NO_MEMORY(ctdb, state); - state->c = talloc_steal(state, c); + state->c = NULL; DEBUG(DEBUG_NOTICE,("Running eventscripts with arguments %s\n", indata.dptr)); @@ -1031,7 +1092,7 @@ int32_t ctdb_run_eventscripts(struct ctdb_context *ctdb, /* tell ctdb_control.c that we will be replying asynchronously */ *async_reply = true; - + state->c = talloc_steal(state, c); return 0; } diff --git a/ctdb/tests/simple/28_zero_eventscripts.sh b/ctdb/tests/simple/28_zero_eventscripts.sh new file mode 100755 index 0000000..7c03ae4 --- /dev/null +++ b/ctdb/tests/simple/28_zero_eventscripts.sh 
@@ -0,0 +1,45 @@ +#!/bin/bash + +test_info() +{ + cat <<EOF +Check that CTDB operated correctly if there are 0 event scripts + +This test only does anything with local daemons. On a real cluster it +has no way of updating configuration. +EOF +} + +. "${TEST_SCRIPTS_DIR}/integration.bash" + +ctdb_test_init "$@" + +set -e + +cluster_is_healthy + +if [ -z "$TEST_LOCAL_DAEMONS" ] ; then + echo "SKIPPING this test - only runs against local daemons" + exit 0 +fi + +# Reset configuration +ctdb_restart_when_done + +daemons_stop + +echo "Starting CTDB with an empty eventscript directory..." +empty_dir=$(mktemp -d --tmpdir="$TEST_VAR_DIR") +ctdb_test_exit_hook_add "rmdir $empty_dir" +CTDB_EVENT_SCRIPT_DIR="$empty_dir" daemons_start + +wait_until_ready + +# If this fails to find processes then the tests fails, so look at +# full command-line so this will work with valgrind. Note that the +# output could be generated with pgrep's -a option but it doesn't +# exist in older versions. +ps -p $(pgrep -f '\<ctdbd\>' | xargs | sed -e 's| |,|g') -o args ww + +echo +echo "Good, that seems to work!" diff --git a/ctdb/tests/simple/scripts/local_daemons.bash b/ctdb/tests/simple/scripts/local_daemons.bash index ecb64f9..fb1e7e1 100644 --- a/ctdb/tests/simple/scripts/local_daemons.bash +++ b/ctdb/tests/simple/scripts/local_daemons.bash @@ -22,6 +22,15 @@ export CTDB_NODES="${TEST_VAR_DIR}/nodes.txt" ####################################### +config_from_environment () +{ + # Override from the environment. This would be easier if env was + # guaranteed to quote its output so it could be reused. + env | + grep '^CTDB_' | + sed -e 's@=\([^"]\)@="\1@' -e 's@[^"]$@&"@' -e 's@="$@&"@' +} + setup_ctdb () { mkdir -p "${TEST_VAR_DIR}/test.db/persistent" 
@@ -99,11 +108,9 @@ CTDB_SOCKET="${TEST_VAR_DIR}/sock.$pnn" CTDB_NOSETSCHED=yes EOF - # Override from the environment. This would be easier if env was - # guaranteed to quote its output so it could be reused. - env | - grep '^CTDB_' | - sed -e 's@=\([^"]\)@="\1@' -e 's@[^"]$@&"@' -e 's@="$@&"@' >>"$conf" + # Append any configuration variables set in environment to + # configuration file so they affect CTDB after each restart. + config_from_environment >>"$conf" done } @@ -116,9 +123,25 @@ daemons_start () local pidfile="${TEST_VAR_DIR}/ctdbd.${pnn}.pid" local conf="${TEST_VAR_DIR}/ctdbd.${pnn}.conf" + # If there is any CTDB configuration in the environment then + # append it to the regular configuration in a temporary + # configuration file and use it just this once. + local tmp_conf="" + local env_conf=$(config_from_environment) + if [ -n "$env_conf" ] ; then + tmp_conf=$(mktemp --tmpdir="$TEST_VAR_DIR") + cat "$conf" >"$tmp_conf" + echo "$env_conf" >>"$tmp_conf" + conf="$tmp_conf" + fi + CTDBD="${VALGRIND} ctdbd --sloppy-start --nopublicipcheck" \ CTDBD_CONF="$conf" \ ctdbd_wrapper "$pidfile" start + + if [ -n "$tmp_conf" ] ; then + rm -f "$tmp_conf" + fi done } diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml index 724776d..5ac6510 100644 --- a/docs-xml/manpages/vfs_acl_tdb.8.xml +++ b/docs-xml/manpages/vfs_acl_tdb.8.xml @@ -40,6 +40,15 @@ <filename>$LOCKDIR/file_ntacls.tdb</filename>. </para> -- Samba Shared Repository
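
Review bot: In WHATSNEW.txt, the BUG 11994 entry under "CHANGES SINCE 4.5.0rc3" describes only the symptom (smbclient failing to connect to Azure or Apple shares) and not the behaviour change made in auth/gensec/spnego.c, where the client now accepts a server reply without a mechListMIC when the preferred mech was selected and the caller asked for neither signing nor sealing. That relaxes a negotiation integrity check, so the release notes should say so explicitly and name the conditions. The new KNOWN ISSUES sentence also needs a comma after "in this release".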
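
Review bot: In auth/gensec/spnego.c, gensec_spnego_update(), the new branch taken when "spnego.negTokenTarg.mechListMIC.length == 0 && spnego_state->may_skip_mic_check" clears needs_mic_check and jumps to client_response without logging anything. Skipping verification of the mechanism list is a security-relevant decision, so a DEBUG message at this point would let an operator see from the logs that a session was set up without the MIC. The comment could also note that, in the visible hunks, may_skip_mic_check is only ever set in the SPNEGO_ACCEPT_INCOMPLETE case, so readers do not have to search for where the flag comes from.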
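
Review bot: In auth/gensec/spnego.c, the new SPNEGO_ACCEPT_INCOMPLETE case decides may_skip_mic_check from gensec_security->want_features alone, and the comment that justifies this ("The caller may just asked for GENSEC_FEATURE_SESSION_KEY ...") is hard to parse. A caller that requests only GENSEC_FEATURE_SESSION_KEY reaches "spnego_state->may_skip_mic_check = true;"; if that is intended, the comment should say so directly and explain why gensec_have_features() cannot be used for the test. The "break;" added before "case SPNEGO_ACCEPT_INCOMPLETE:" also removes a fall-through from the preceding case, which changes control flow beyond the workaround and deserves a line in the commit message.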
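
Review bot: In ctdb/server/ctdb_takeover.c, ctdb_do_takeip(), ctdb_do_updateip() and ctdb_control_release_ip() now leave state->c NULL between the allocation of state and the final talloc_steal(), but nothing in the code says why the steal is deferred. A short comment at each "state->c = NULL;" stating that c must stay with the caller until the asynchronous path is committed (the early "return -1;" paths reply synchronously) would stop someone from moving the steal back up. In ctdb_control_release_ip() the line "state->addr = talloc(state, ctdb_sock_addr);" is removed and re-added with no visible change, which looks like unrelated whitespace churn.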
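
Review bot: In ctdb/server/eventscript.c, schedule_callback_immediate() allocates state on ctdb but stores private_data as a bare pointer, so if the owner of private_data is freed before the immediate event fires, schedule_callback_handler() invokes the callback with a dangling pointer. Either make state a talloc child of something whose lifetime bounds private_data, or document that callers must keep private_data alive until the callback has run. state->im is stored but never read in the visible lines and could be dropped from the struct.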
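
Review bot: In ctdb/server/eventscript.c, ctdb_event_script_callback_v(), the zero-scripts path returns 1 when schedule_callback_immediate() fails while the fork_child_for_script() failure path now returns -1; pick one convention for errors. The fork failure path also no longer invokes the callback: the destructor is set only after a successful fork and the comment "Callback is called from destructor, with fail result." is removed along with "return 0;". Callers that relied on the callback firing on failure must now check the return value, and that contract change should be stated in the function's header comment.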
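
Review bot: In ctdb/tests/simple/28_zero_eventscripts.sh, the only final check is the exit status of "ps -p $(pgrep -f '\<ctdbd\>' | xargs | sed -e 's| |,|g') -o args ww", which succeeds as soon as one ctdbd process exists, so the test still passes if some of the local daemons have died. Compare the number of matching processes against the expected number of local daemons instead. Smaller points: "$empty_dir" is expanded unquoted inside the string passed to ctdb_test_exit_hook_add, and the test_info text should read "operates" rather than "operated".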
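
Review bot: In ctdb/tests/simple/scripts/local_daemons.bash, daemons_start(), the result of mktemp is not checked: if it fails, tmp_conf is empty, the "cat "$conf" >"$tmp_conf"" redirect fails, conf is then set to the empty string, and ctdbd_wrapper is started with an empty CTDBD_CONF. Test tmp_conf (or the mktemp exit status) and abort the start on failure. "local env_conf=$(config_from_environment)" also hides the exit status of the command substitution behind that of local; declare the variable first and assign on a separate line.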