The branch, v4-8-stable has been updated via 03a6d36 VERSION: Disable GIT_SNAPSHOT for the 4.8.6 release. via 8b8b0dc WHATSNEW: Add release notes for Samba 4.8.6. via 0e25965 lib: Hold at most 10 outstanding paged result cookies via aa529bc lib: Put "results_store" into a doubly linked list via 189697a ctdb-recoverd: Set recovery lock handle at start of attempt via 21e4884 ctdb-recoverd: Handle cancellation when releasing recovery lock via da9bb48 ctdb-recoverd: Return early when the recovery lock is not held via 72a8c69 ctdb-recoverd: Store recovery lock handle via 9745524 ctdb-recoverd: Use talloc() to allocate recovery lock handle via a4c4386 ctdb-recoverd: Rename hold_reclock_state to ctdb_recovery_lock_handle via 9b1cc7a ctdb-recoverd: Re-check master on failure to take recovery lock via 43c1ad1 ctdb-recoverd: Clean up taking of recovery lock via eb498ec ctdb-cluster-mutex: Block signals around fork via 1954a94 ctdb-cluster-mutex: Reset SIGTERM handler in cluster mutex child via b29d90f wafsamba: Fix 'make -j<jobs>' via 3ea96a2 krb5-samba: interdomain trust uses different salt principal via d726535 testprogs/blackbox: let test_trust_user_account.sh check the correct kerberos salt via 04fee9e testprogs/blackbox: add testit[_expect_failure]_grep() to subunit.sh via e311e6e samba-tool: add virtualKerberosSalt attribute to 'user getpassword/syncpasswords' via 0534104 s4:selftest: test kinit with the interdomain trust user account via d39a80c libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK via 772600f vfs_fruit: Don't unlink the main file via 64a9107 torture: Make sure that fruit_ftruncate only unlinks streams via 37f8294 s3:smbd: add a comment stating that file_close_user() is redundant for SMB2 via 9fe8691 s3:smbd: let session logoff close files and tcons before deleting the session via d36fbe9 s3:smbd: reorder tcon global record deletion and closing files of a tcon via e667b17 selftest: add a durable handle test with delayed disconnect via 34eeed2 
s4:selftest: reformat smb2_s3only list via 3304d86 vfs_delay_inject: adding delay to VFS calls via a2b04c3 s4:rpc_server/netlogon: don't treet trusted domains as primary in LogonGetDomainInfo() via 73e383f s4:rpc_server/netlogon: make use of talloc_zero_array() for the netr_OneDomainInfo array via 2e7e58a s4:rpc_server/netlogon: use samdb_domain_guid()/dsdb_trust_local_tdo_info() to build our netr_OneDomainInfo values via e7b4313 s4:dsdb/common: add samdb_domain_guid() helper function via 66a0554 dsdb:util_trusts: add dsdb_trust_local_tdo_info() helper function via 96ae85b dsdb/util_trusts: domain_dn is an input parameter of dsdb_trust_crossref_tdo_info() via b7bd12d s4:torture/rpc/netlogon: verify the trusted domains output of LogonGetDomainInfo() via 7276bdb s4:torture/rpc/netlogon: assert that cli_credentials_get_{workstation,password} don't return NULL via 91a5d38 smbd: Fix a memleak in async search ask sharemode via 8385a0c ctdb-daemon: Log complete eventd startup command via f3a2f0b ctdb-daemon: Do not retry connection to eventd via 0f342d4 ctdb-daemon: Wait for eventd to be ready before connecting via eb3d91e ctdb-daemon: Open eventd pipe earlier via a4021fb ctdb-daemon: Improve error handling consistency via ae515ea ctdb-event: Add support to eventd for the startup notification FD via 0e50da4 ctdb-common: Add support for sock daemon to notify of successful startup via b53eb6f s3: util: Do not take over stderr when there is no log file via 1b01025 s3: smbd: Ensure get_real_filename() copes with empty pathnames. via cdbfc79 WHATSNEW: Fix wrong assignment. via 3c64c21 VERSION: Bump version up to 4.8.6... from 9fc7ccf VERSION: Disable GIT_SNAPSHOT for the 4.8.5 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 76 ++++++- auth/credentials/credentials_krb5.c | 16 +- buildtools/wafsamba/samba_utils.py | 9 +- ctdb/common/sock_daemon.c | 26 +++ ctdb/common/sock_daemon.h | 10 + ctdb/server/ctdb_cluster_mutex.c | 32 +++ ctdb/server/ctdb_eventd.c | 8 + ctdb/server/ctdb_recoverd.c | 120 +++++++---- ctdb/server/eventscript.c | 156 +++++++++++--- lib/krb5_wrap/krb5_samba.c | 61 ++++-- lib/krb5_wrap/krb5_samba.h | 2 +- lib/ldb/modules/paged_results.c | 43 ++-- lib/util/debug.c | 7 +- libds/common/flags.h | 2 +- python/samba/netcmd/user.py | 24 +++ selftest/target/Samba3.pm | 8 + source3/locking/share_mode_lock.c | 13 +- source3/modules/vfs_delay_inject.c | 58 +++++ source3/modules/vfs_fruit.c | 6 +- source3/modules/wscript_build | 7 + source3/passdb/machine_account_secrets.c | 3 +- .../script/tests/test_durable_handle_reconnect.sh | 21 ++ source3/selftest/tests.py | 5 +- source3/smbd/filename.c | 5 + source3/smbd/smbXsrv_session.c | 52 +++-- source3/smbd/smbXsrv_tcon.c | 38 ++-- source3/wscript | 1 + source4/dsdb/common/util.c | 55 +++++ source4/dsdb/common/util_trusts.c | 22 +- source4/dsdb/samdb/ldb_modules/password_hash.c | 6 +- source4/rpc_server/netlogon/dcerpc_netlogon.c | 234 +++++++++++++++------ source4/selftest/tests.py | 9 +- source4/torture/rpc/netlogon.c | 146 ++++++++++++- source4/torture/smb2/durable_v2_open.c | 95 +++++++++ source4/torture/smb2/smb2.c | 2 + source4/torture/vfs/fruit.c | 45 ++++ testprogs/blackbox/subunit.sh | 50 +++++ testprogs/blackbox/test_trust_user_account.sh | 58 +++++ 39 files changed, 1288 insertions(+), 245 deletions(-) create mode 100644 source3/modules/vfs_delay_inject.c create mode 100755 source3/script/tests/test_durable_handle_reconnect.sh create mode 100755 
testprogs/blackbox/test_trust_user_account.sh Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 9776c92..9dd6d51 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=8 -SAMBA_VERSION_RELEASE=5 +SAMBA_VERSION_RELEASE=6 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index cde1819..b930398 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,72 @@ ============================= + Release Notes for Samba 4.8.6 + October 9, 2018 + ============================= + + +This is the latest stable release of the Samba 4.8 release series. + + +Changes since 4.8.5: +-------------------- + +o Paulo Alcantara <pa...@paulo.ac> + * BUG 13578: s3: util: Do not take over stderr when there is no log file. + +o Jeremy Allison <j...@samba.org> + * BUG 13585: s3: smbd: Ensure get_real_filename() copes with empty pathnames. + +o Ralph Boehme <s...@samba.org> + * BUG 13441: vfs_fruit: delete 0 byte size streams if AAPL is enabled. + * BUG 13549: s3:smbd: Durable Reconnect fails because cookie.allow_reconnect + is not set. + +o Alexander Bokovoy <a...@samba.org> + * BUG 13539: krb5-samba: Interdomain trust uses different salt principal. + +o Volker Lendecke <v...@samba.org> + * BUG 13362: Fix possible memory leak in the Samba process. + * BUG 13441: vfs_fruit: Don't unlink the main file. + * BUG 13602: smbd: Fix a memleak in async search ask sharemode. + +o Stefan Metzmacher <me...@samba.org> + * BUG 11517: Fix Samba GPO issue when Trust is enabled. + * BUG 13539: samba-tool: Add virtualKerberosSalt attribute to 'user + getpassword/syncpasswords'. + +o Andreas Schneider <a...@samba.org> + * BUG 13606: wafsamba: Fix 'make -j<jobs>'. + +o Martin Schwenke <mar...@meltin.net> + * BUG 13592: ctdbd logs an error until it can successfully connect to + eventd. + * BUG 13617: Fix race conditions in CTDB recovery lock. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. 
All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.8.5 August 24, 2018 ============================= @@ -13,13 +81,13 @@ Changes since 4.8.4: o Jeremy Allison <j...@samba.org> * BUG 13474: python: pysmbd: Additional error path leak fix. * BUG 13511: libsmbclient: Initialize written value before use. - * BUG 13519: ldb: Refuse to build Samba against a newer minor version of - ldb. * BUG 13527: s3: libsmbclient: Fix cli_splice() fallback when reading less than a complete file. * BUG 13537: Using "sendfile = yes" with SMB2 can cause CPU spin. o Andrew Bartlett <abart...@samba.org> + * BUG 13519: ldb: Refuse to build Samba against a newer minor version of + ldb. * BUG 13575: ldb: Release LDB 1.3.6. o Bailey Berro <baileybe...@chromium.org> @@ -110,8 +178,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.8.4 diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index 9da1aa0..d36797b 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -34,6 +34,7 @@ #include "auth/kerberos/kerberos_util.h" #include "auth/kerberos/pac_utils.h" #include "param/param.h" +#include "../libds/common/flags.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH 
@@ -974,7 +975,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, const char *upn = NULL; const char *realm = cli_credentials_get_realm(cred); char *salt_principal = NULL; - bool is_computer = false; + uint32_t uac_flags = 0; if (cred->keytab_obtained >= (MAX(cred->principal_obtained, cred->username_obtained))) { @@ -999,9 +1000,15 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, switch (cred->secure_channel_type) { case SEC_CHAN_WKSTA: - case SEC_CHAN_BDC: case SEC_CHAN_RODC: - is_computer = true; + uac_flags = UF_WORKSTATION_TRUST_ACCOUNT; + break; + case SEC_CHAN_BDC: + uac_flags = UF_SERVER_TRUST_ACCOUNT; + break; + case SEC_CHAN_DOMAIN: + case SEC_CHAN_DNS_DOMAIN: + uac_flags = UF_INTERDOMAIN_TRUST_ACCOUNT; break; default: upn = cli_credentials_get_principal(cred, mem_ctx); @@ -1009,13 +1016,14 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, TALLOC_FREE(mem_ctx); return ENOMEM; } + uac_flags = UF_NORMAL_ACCOUNT; break; } ret = smb_krb5_salt_principal(realm, username, /* sAMAccountName */ upn, /* userPrincipalName */ - is_computer, + uac_flags, mem_ctx, &salt_principal); if (ret) { diff --git a/buildtools/wafsamba/samba_utils.py b/buildtools/wafsamba/samba_utils.py index 0f95c12..c20f61e 100644 --- a/buildtools/wafsamba/samba_utils.py +++ b/buildtools/wafsamba/samba_utils.py @@ -467,6 +467,7 @@ def CHECK_MAKEFLAGS(bld): if makeflags is None: return jobs_set = False + jobs = None # we need to use shlex.split to cope with the escaping of spaces # in makeflags for opt in shlex.split(makeflags): 
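Review bot: The switch on `cred->secure_channel_type` in cli_credentials_get_keytab (hunk `@@ -999,9 +1000,15 @@`) now maps each channel type to a userAccountControl flag, but no comment says why that choice matters. The value goes straight to `smb_krb5_salt_principal()`, so it presumably selects the salt form and therefore the derived keytab keys. I would add a comment above the switch along the lines of `/* The account type selects the salt principal; interdomain trust accounts use a different salt than computer accounts, so a wrong mapping yields keys that do not match the KDC. */`. The function body starts and ends outside the hunk, so how `salt_principal` is consumed afterwards cannot be checked from here.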
@@ -489,17 +490,21 @@ def CHECK_MAKEFLAGS(bld): setattr(Options.options, opt[0:loc], opt[loc+1:]) elif opt[0] != '-': for v in opt: - if v == 'j': + if re.search(r'j[0-9]*$', v): jobs_set = True + jobs = opt.strip('j') elif v == 'k': Options.options.keep = True - elif opt == '-j': + elif re.search(r'-j[0-9]*$', opt): jobs_set = True + jobs = opt.strip('-j') elif opt == '-k': Options.options.keep = True if not jobs_set: # default to one job Options.options.jobs = 1 + elif jobs_set and jobs: + Options.options.jobs = int(jobs) Build.BuildContext.CHECK_MAKEFLAGS = CHECK_MAKEFLAGS diff --git a/ctdb/common/sock_daemon.c b/ctdb/common/sock_daemon.c index 7554cd6..03d3ac1 100644 --- a/ctdb/common/sock_daemon.c +++ b/ctdb/common/sock_daemon.c @@ -31,6 +31,7 @@ #include "lib/util/dlinklist.h" #include "lib/util/tevent_unix.h" #include "lib/util/become_daemon.h" +#include "lib/util/sys_rw.h" #include "common/logging.h" #include "common/reqid.h" @@ -71,6 +72,7 @@ struct sock_daemon_context { struct pidfile_context *pid_ctx; struct sock_socket *socket_list; + int startup_fd; }; /* @@ -483,6 +485,7 @@ int sock_daemon_setup(TALLOC_CTX *mem_ctx, const char *daemon_name, sockd->funcs = funcs; sockd->private_data = private_data; + sockd->startup_fd = -1; ret = logging_init(sockd, logging, debug_level, daemon_name); if (ret != 0) { @@ -514,6 +517,11 @@ int sock_daemon_add_unix(struct sock_daemon_context *sockd, return 0; } +void sock_daemon_set_startup_fd(struct sock_daemon_context *sockd, int fd) +{ + sockd->startup_fd = fd; +} + /* * Run socket daemon */ 
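Review bot: The job count is extracted with `opt.strip('j')` and `opt.strip('-j')`, which strip a set of characters from both ends rather than removing a prefix. In the combined-flags branch a word such as `kj` leaves `k`, and the later `int(jobs)` then raises ValueError and aborts the build. `re.search(r'j[0-9]*$', v)` is also applied to a single character `v`, so it can only ever match a bare `j`. Capturing the digits directly is safer: `m = re.search(r'j([0-9]+)$', opt)` followed by `jobs = m.group(1) if m else None`. The `-j` branch can use the same capture, and CHECK_MAKEFLAGS begins above this hunk.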
@@ -543,6 +551,7 @@ static void sock_daemon_run_socket_fail(struct tevent_req *subreq); static void sock_daemon_run_watch_pid(struct tevent_req *subreq); static void sock_daemon_run_wait(struct tevent_req *req); static void sock_daemon_run_wait_done(struct tevent_req *subreq); +static void sock_daemon_startup_notify(struct sock_daemon_context *sockd); struct tevent_req *sock_daemon_run_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -669,6 +678,8 @@ static void sock_daemon_run_started(struct tevent_req *subreq) return; } sock_daemon_run_wait(req); + + sock_daemon_startup_notify(sockd); } static void sock_daemon_run_startup_done(struct tevent_req *subreq) @@ -696,6 +707,8 @@ static void sock_daemon_run_startup_done(struct tevent_req *subreq) return; } sock_daemon_run_wait(req); + + sock_daemon_startup_notify(sockd); } static void sock_daemon_run_signal_handler(struct tevent_context *ev, @@ -961,6 +974,19 @@ static void sock_daemon_run_wait_done(struct tevent_req *subreq) sock_daemon_run_shutdown(req); } +static void sock_daemon_startup_notify(struct sock_daemon_context *sockd) +{ + if (sockd->startup_fd != -1) { + unsigned int zero = 0; + ssize_t num; + + num = sys_write(sockd->startup_fd, &zero, sizeof(zero)); + if (num != sizeof(zero)) { + D_WARNING("Failed to write zero to pipe FD\n"); + } + } +} + bool sock_daemon_run_recv(struct tevent_req *req, int *perr) { int ret; diff --git a/ctdb/common/sock_daemon.h b/ctdb/common/sock_daemon.h index a071833..a28f8c6 100644 --- a/ctdb/common/sock_daemon.h +++ b/ctdb/common/sock_daemon.h 
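Review bot: sock_daemon_startup_notify (hunk `@@ -961,6 +974,19 @@`) writes the zero but leaves `sockd->startup_fd` open and set for the rest of the daemon's lifetime. Whether the descriptor is marked close-on-exec is not visible here; if it is not, every child the daemon spawns later inherits the write end of the parent's pipe. After the write I would add `close(sockd->startup_fd);` and `sockd->startup_fd = -1;`. That also makes a second call a no-op and lets the reader see EOF. The warning would be more useful with the cause, for example `D_WARNING("Failed to write zero to pipe FD (%d)\n", errno);`.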
@@ -208,6 +208,16 @@ int sock_daemon_add_unix(struct sock_daemon_context *sockd, void *private_data); /** + * @brief Set file descriptor for indicating startup success + * + * On successful completion, 0 (unsigned int) will be written to the fd. + * + * @param[in] sockd Socket daemon context + * @param[in] fd File descriptor + */ +void sock_daemon_set_startup_fd(struct sock_daemon_context *sockd, int fd); + +/** * @brief Async computation start to run a socket daemon * * @param[in] mem_ctx Talloc memory context diff --git a/ctdb/server/ctdb_cluster_mutex.c b/ctdb/server/ctdb_cluster_mutex.c index 804c6d5..330d5fd 100644 --- a/ctdb/server/ctdb_cluster_mutex.c +++ b/ctdb/server/ctdb_cluster_mutex.c @@ -196,6 +196,7 @@ ctdb_cluster_mutex(TALLOC_CTX *mem_ctx, { struct ctdb_cluster_mutex_handle *h; char **args; + sigset_t sigset_term; int ret; h = talloc(mem_ctx, struct ctdb_cluster_mutex_handle); @@ -225,15 +226,41 @@ ctdb_cluster_mutex(TALLOC_CTX *mem_ctx, return NULL; } + sigemptyset(&sigset_term); + sigaddset(&sigset_term, SIGTERM); + ret = sigprocmask(SIG_BLOCK, &sigset_term, NULL); + if (ret != 0) { + DBG_WARNING("Failed to block SIGTERM (%d)\n", errno); + } + h->child = ctdb_fork(ctdb); if (h->child == (pid_t)-1) { close(h->fd[0]); close(h->fd[1]); talloc_free(h); + ret = sigprocmask(SIG_UNBLOCK, &sigset_term, NULL); + if (ret != 0) { + DBG_WARNING("Failed to unblock SIGTERM (%d)\n", errno); + } return NULL; } if (h->child == 0) { + struct sigaction sa = { + .sa_handler = SIG_DFL, + }; + + ret = sigaction(SIGTERM, &sa, NULL); + if (ret != 0) { + DBG_WARNING("Failed to reset signal handler (%d)\n", + errno); + } + + ret = sigprocmask(SIG_UNBLOCK, &sigset_term, NULL); + if (ret != 0) { + DBG_WARNING("Failed to unblock SIGTERM (%d)\n", errno); + } + /* Make stdout point to the pipe */ close(STDOUT_FILENO); dup2(h->fd[1], STDOUT_FILENO); 
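Review bot: In ctdb_cluster_mutex (hunk `@@ -225,15 +226,41 @@`) SIGTERM is blocked with `sigprocmask(SIG_BLOCK, &sigset_term, NULL)` and later released with `SIG_UNBLOCK`, which discards whatever mask the caller had on entry. If SIGTERM was already blocked when the function was called, the fork-failure, child and parent paths all leave it unblocked. Saving the old mask with `sigprocmask(SIG_BLOCK, &sigset_term, &sigset_old)` and restoring it with `sigprocmask(SIG_SETMASK, &sigset_old, NULL)` keeps the caller's state. The same applies to the parent-side unblock in hunk `@@ -248,6 +275,11 @@`. On the fork-failure path, `errno` from the failed fork may already be overwritten by the two `close()` calls and `talloc_free()` before anything reports it. The function starts and ends outside these hunks.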
@@ -248,6 +275,11 @@ ctdb_cluster_mutex(TALLOC_CTX *mem_ctx, /* Parent */ + ret = sigprocmask(SIG_UNBLOCK, &sigset_term, NULL); + if (ret != 0) { + DBG_WARNING("Failed to unblock SIGTERM (%d)\n", errno); + } + DEBUG(DEBUG_DEBUG, (__location__ " Created PIPE FD:%d\n", h->fd[0])); set_close_on_exec(h->fd[0]); diff --git a/ctdb/server/ctdb_eventd.c b/ctdb/server/ctdb_eventd.c index feeac07..f79ee99 100644 --- a/ctdb/server/ctdb_eventd.c +++ b/ctdb/server/ctdb_eventd.c @@ -952,8 +952,10 @@ static struct { const char *pidfile; const char *socket; int pid; + int startup_fd; } options = { .debug_level = "ERR", + .startup_fd = -1, }; struct poptOption cmdline_options[] = { @@ -972,6 +974,8 @@ struct poptOption cmdline_options[] = { "eventd pid file", "FILE" }, { "socket", 's', POPT_ARG_STRING, &options.socket, 0, "eventd socket path", "FILE" }, + { "startup-fd", 'S', POPT_ARG_INT, &options.startup_fd, 0, + "file descriptor to notify of successful start", "FD" }, POPT_TABLEEND }; @@ -1068,6 +1072,10 @@ int main(int argc, const char **argv) goto fail; } + if (options.startup_fd != -1) { + sock_daemon_set_startup_fd(sockd, options.startup_fd); + } + ret = sock_daemon_run(ev, sockd, options.pidfile, false, false, options.pid); if (ret == EINTR) { diff --git a/ctdb/server/ctdb_recoverd.c b/ctdb/server/ctdb_recoverd.c index 2b94fed..62e4c46 100644 --- a/ctdb/server/ctdb_recoverd.c +++ b/ctdb/server/ctdb_recoverd.c @@ -237,6 +237,8 @@ struct ctdb_banning_state { struct timeval last_reported_time; }; +struct ctdb_recovery_lock_handle; + /* private state of recovery daemon */ @@ -258,7 +260,7 @@ struct ctdb_recoverd { uint32_t *force_rebalance_nodes; struct ctdb_node_capabilities *caps; bool frozen_on_inactive; - struct ctdb_cluster_mutex_handle *recovery_lock_handle; + struct ctdb_recovery_lock_handle *recovery_lock_handle; }; #define CONTROL_TIMEOUT() timeval_current_ofs(ctdb->tunable.recover_timeout, 0) 
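Review bot: In ctdb_eventd.c main (hunk `@@ -1068,6 +1072,10 @@`) the `--startup-fd` value is passed to `sock_daemon_set_startup_fd()` whenever it is not -1, so any other negative number or a descriptor that is not open is accepted. The mistake only shows up later as the "Failed to write zero to pipe FD" warning, while the parent presumably keeps waiting for the notification. I would reject bad values at option time: `if (options.startup_fd != -1 && fcntl(options.startup_fd, F_GETFD) == -1) { ret = EBADF; goto fail; }`. This assumes the `fail` label reports `ret`; main continues outside the hunk, so that needs checking.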
@@ -879,18 +881,19 @@ static bool ctdb_recovery_have_lock(struct ctdb_recoverd *rec) return (rec->recovery_lock_handle != NULL); } -struct hold_reclock_state { +struct ctdb_recovery_lock_handle { bool done; bool locked; double latency; + struct ctdb_cluster_mutex_handle *h; }; static void take_reclock_handler(char status, double latency, void *private_data) { - struct hold_reclock_state *s = - (struct hold_reclock_state *) private_data; + struct ctdb_recovery_lock_handle *s = + (struct ctdb_recovery_lock_handle *) private_data; switch (status) { case '0': @@ -930,41 +933,68 @@ static bool ctdb_recovery_lock(struct ctdb_recoverd *rec) { struct ctdb_context *ctdb = rec->ctdb; struct ctdb_cluster_mutex_handle *h; - struct hold_reclock_state s = { - .done = false, - .locked = false, - .latency = 0, + struct ctdb_recovery_lock_handle *s; + + s = talloc_zero(rec, struct ctdb_recovery_lock_handle); + if (s == NULL) { + DBG_ERR("Memory allocation error\n"); + return false; }; - h = ctdb_cluster_mutex(rec, ctdb, ctdb->recovery_lock, 0, - take_reclock_handler, &s, - lost_reclock_handler, rec); + h = ctdb_cluster_mutex(s, + ctdb, + ctdb->recovery_lock, + 0, + take_reclock_handler, + s, + lost_reclock_handler, + rec); if (h == NULL) { + talloc_free(s); return false; } - while (!s.done) { + rec->recovery_lock_handle = s; + s->h = h; + + while (! s->done) { tevent_loop_once(ctdb->ev); } -- Samba Shared Repository