The branch, v4-15-stable has been updated via 30c5a0e60e8 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release. via 718da33d4e6 WHATSNEW: Add release notes for Samba 4.15.0rc6. via 45b5c9074e7 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes via 1252f2c170c s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4 via bb825a909e9 selftest: Add a test for LookupSids3 and LookupNames4 in python via 86d3397f852 dsdb: Be careful to avoid use of the expensive talloc_is_parent() via d18232cdcfc selftest: Only run samba_tool_drs_showrepl test once via 8c246869e14 selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl via 5cec6963b69 WHATSNEW: Update with samba-tool domain backup offline fix via 0cc8a4708f0 WHATSNEW: Update for KDC crash fixes via 7ca641892b3 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname via 0fd150e4844 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field via dcbec3eab52 tests/krb5: Allow expected_error_mode to be a container type via 8d17a87523b tests/krb5: Add tests for omitting sname in inner request via c837f43a9cd tests/krb5: Allow specifying parameters specific to the inner FAST request body via b628cda6604 tests/krb5: Add tests for omitting sname in request via 83ba64c9106 tests/krb5: Check PADATA-PW-SALT element in e-data via 13cb2664266 tests/krb5: Check e-data element for TGS-REP errors without FAST via 2762a9dcee4 tests/krb5: Remove harmful and a-typical return in as_req testcase via f50f9618efa CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request via d9de103cc58 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ via 1ae386bf725 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST via b6496bd5990 tests/krb5: Make cname checking less strict via c9b594a1a21 tests/krb5: Make e-data checking less strict via ef69ac460bc Update common on currently supported Fedora versions via d0f26d12a9b bootstrap: SAMBA_CI_CONTAINER_TAG 
is now in .gitlab-ci-main.yml via 04cbe284f4e bootstrap: Update to get newer krb5 on Fedora 34 via 2c7d7307ae3 mit-kdc: Remove build time support for KDB_API < 10 via 0cf8c13b940 build: Move minimum MIT krb5 version to 1.19 to align with what is tested via e30483eb251 autobuild.py: Do not build MIT builds by default (eg sn-devel) via 1dd8ded8c57 gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC via 961bdab6647 gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos via e850967129d autobuild.py: Explain why each job is removed from the default set via 521adb2fd3e samba-tool domain backup: Use tdbbackup on metadata.tdb via 2f8295604ce samba-tool: Rework transations/locks to hold a lock during mdb backup via 21e1a6b48d6 samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb via 535bd82604e mit-samba: Only set the function opening bracket once via 13dff7227f4 mit-samba: Use talloc_get_type_abort() instead of casting via 9698e453ae9 mit-samba: Send the logging to the kdc log facility via 4bf41b6ccf5 mit-samba: Define debug class for kdb module via 07cfa4d6f95 tests/krb5: Add FAST tests via 003307b7d34 initial FAST tests via 18c2ff9a3c6 tests/krb5: Check PADATA-FX-ERROR in reply via 54f1f269f0a tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors via d6acfe270d0 tests/krb5: Check PADATA-PAC-OPTIONS in reply via 1e9a7cd0a81 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies via 464a7efe1b2 tests/krb5: Make check_rep_padata() also work for checking TGS replies via 220f76a98eb tests/krb5: Check PADATA-FX-COOKIE in reply via 18b587ad53b tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply via 904df7418b8 tests/krb5: Adjust reply padata checking depending on whether FAST was sent via 19aaacb5b2b tests/krb5: Check reply FAST padata if request included FAST via 5fc7588d3cc tests/krb5: Check sname is krbtgt for FAST generic error via fc2ec4b9e01 
tests/krb5: Add get_krbtgt_sname() method via 6ed03543ea0 tests/krb5: Remove unused variables via 2e9c0a7ff2f tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply via 4d8b3dcd2f7 tests/krb5: Add check_rep_padata() method to check padata in reply via 7628f04aa64 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata via 5893e9dc6d6 tests/krb5: Include authdata in kdc_exchange_dict via d544371bd15 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict via 6457ecee2a9 tests/krb5: Check encrypted-pa-data via 79972f42603 tests/krb5: Add methods to determine whether elements were included in the request via 361d9e73d15 tests/krb5: Add functions to get dicts of request padata via 038921df85e tests/krb5: Check FAST response via afd32084e3b tests/krb5: Add method to verify ticket checksum for FAST via 846c0132b52 tests/krb5: Add method to check PA-FX-FAST-REPLY via 9cc2d4a659c tests/krb5: Allow specifying parameters specific to the outer request body via 889593908e6 tests/krb5: Add FAST armor generation to _generic_kdc_exchange() via dbf3f3bab68 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ via 5f35f5ce1dc tests/krb5: Include authenticator_subkey in AS-REQ exchange dict via dc778a5f4ca tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error() via 943a58fc29f tests/krb5: Add methods to calculate keys for FAST via 539981fc13b tests/krb5: Add method to generate FAST encrypted challenge padata via cb609e47d76 tests/krb5: Add more methods to create ASN1 objects for FAST via db22b645c05 tests/krb5: Add more ASN1 definitions for FAST via 98f242cf97f tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange() via 9d8973d3775 tests/krb5: Ensure generated padata is not None via 2898841517e tests/krb5: Add generate_ap_req() method via 8bc2d847585 tests/krb5: Check nonce in EncKDCRepPart via 9c80f3188c5 tests/krb5: Make checking less strict via cd4d26b7342 tests/krb5: Check version number 
of obtained ticket via 7b859c2ce3a tests/krb5: Assert that more variables are not None via 17fb5d3534a tests/krb5: Ensure in assertElementPresent() that container elements are not empty via 88a3de1f8cd tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn via c8f98ef1bf7 tests/krb5: Include kdc_options in kdc_exchange_dict via 2804451db04 tests/krb5: Always specify expected error code via 9668d0a12af tests/krb5: Add check_reply() method to check for AS or TGS reply via 5d4f3948652 tests/krb5: Add method to calculate account salt via 2f26125a45b tests/krb5: Add more methods for obtaining machine and service credentials via 8926866e50f tests/krb5: Allow specifying additional details when creating an account via 80904c2493a tests/krb5: Use encryption with admin credentials via 8ebde4958f6 tests/krb5: Add get_EpochFromKerberosTime() via ad37b892482 tests/krb5: Make _test_as_exchange() return value more consistent via 4f9621dc01d tests/krb5: Add method to return dict containing padata elements via 790c07f6262 tests/krb5: Add get_enc_timestamp_pa_data_from_key() via 0ad81b04468 tests/krb5: Refactor get_pa_data() via 8a465e73ba3 tests/krb5: Allow cf2 to automatically use the enctype of the first key via d003d7a3edc tests/krb5: Use credentials kvno when creating password key via bd1a33d8b09 tests/krb5: Check Kerberos protocol version number via 5bed0606922 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC via 34b85fc9f02 tests/krb5: Fix encpart_decryption_key with MIT KDC via f5bb7f975c2 tests/krb5: Fix callback_dict parameter via 3ace86e524c tests/krb5: Fix including enc-authorization-data via f191934f14d tests/krb5: Remove magic constants via 82158d38ad6 tests/krb5: Simplify Python syntax via 122ed8d3f3e tests/krb5: Use more compact dict lookup via 68fc4851772 tests/krb5: Remove unneeded statements via 5df6c6850f4 tests/krb5: formatting via 3d751f9cc6f tests/krb5: Fix method name typo via 204f2dbcefe tests/krb5: Fix comment typo 
via 424b945426a tests/krb5: Fix ms_kile_client_principal_lookup_test errors via 25b51c3a287 pygensec: Don't modify Python bytes objects via a90933e820c pygensec: Fix memory leaks via 36a99feeafb selftest: Add support for setting ENV variables in plantestsuite() via daab1eba30a selftest: Add support for setting ENV variables in plansmbtorture4testsuite() via 2dfe335bbe2 selftest: Re-format long lines in selftesthelpers.py via a116dec4bb6 bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros via 9ded25beb7e python:waf: Correctly check for python-dateutil via 8586802eaca bootstrap: Install krb5-workstation on Fedora based distros via a0a96f6ebab VERSION: Bump version up to Samba 4.15.0rc6... from cbfc80e7b7d VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc5 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: .gitlab-ci-main.yml | 15 +- VERSION | 2 +- WHATSNEW.txt | 57 +- bootstrap/README.md | 4 +- bootstrap/config.py | 8 +- bootstrap/generated-dists/centos7/bootstrap.sh | 1 + bootstrap/generated-dists/centos7/packages.yml | 1 + bootstrap/generated-dists/centos8/bootstrap.sh | 1 + bootstrap/generated-dists/centos8/packages.yml | 1 + bootstrap/generated-dists/fedora33/bootstrap.sh | 3 +- bootstrap/generated-dists/fedora33/packages.yml | 3 +- bootstrap/generated-dists/fedora34/bootstrap.sh | 3 +- bootstrap/generated-dists/fedora34/packages.yml | 3 +- bootstrap/generated-dists/opensuse151/bootstrap.sh | 1 + bootstrap/generated-dists/opensuse151/packages.yml | 1 + bootstrap/generated-dists/opensuse152/bootstrap.sh | 3 +- bootstrap/generated-dists/opensuse152/packages.yml | 3 +- bootstrap/sha1sum.txt | 2 +- python/samba/netcmd/domain_backup.py | 54 +- python/samba/tests/dcerpc/lsa.py | 333 ++++ python/samba/tests/dsdb_schema_attributes.py | 6 +- .../samba/tests/krb5/as_canonicalization_tests.py | 4 - python/samba/tests/krb5/as_req_tests.py | 117 +- python/samba/tests/krb5/compatability_tests.py | 4 - python/samba/tests/krb5/fast_tests.py | 1734 ++++++++++++++++++++ python/samba/tests/krb5/kcrypto.py | 12 +- python/samba/tests/krb5/kdc_base_test.py | 193 ++- python/samba/tests/krb5/kdc_tests.py | 27 +- python/samba/tests/krb5/kdc_tgs_tests.py | 18 +- .../krb5/ms_kile_client_principal_lookup_tests.py | 71 +- python/samba/tests/krb5/raw_testcase.py | 1561 ++++++++++++++---- python/samba/tests/krb5/rfc4120.asn1 | 106 +- python/samba/tests/krb5/rfc4120_constants.py | 44 + python/samba/tests/krb5/rfc4120_pyasn1.py | 100 +- python/samba/tests/krb5/s4u_tests.py | 4 - python/samba/tests/krb5/simple_tests.py | 4 - python/samba/tests/krb5/xrealm_tests.py | 4 - 
python/samba/tests/usage.py | 1 + python/wscript | 23 +- script/autobuild.py | 47 +- selftest/knownfail_heimdal_kdc | 56 + selftest/knownfail_mit_kdc | 393 +---- selftest/knownfail_mit_krb5_pre_1_18 | 1 - selftest/selftesthelpers.py | 42 +- selftest/wscript | 3 - source4/auth/gensec/gensec_gssapi.c | 4 + source4/auth/gensec/pygensec.c | 59 +- source4/dsdb/schema/schema_set.c | 41 +- source4/heimdal/kdc/kerberos5.c | 4 +- source4/heimdal/kdc/krb5tgs.c | 4 + source4/kdc/mit-kdb/kdb_samba.h | 32 - source4/kdc/mit-kdb/kdb_samba_change_pwd.c | 3 + source4/kdc/mit-kdb/kdb_samba_common.c | 3 + source4/kdc/mit-kdb/kdb_samba_masterkey.c | 3 + source4/kdc/mit-kdb/kdb_samba_pac.c | 3 + source4/kdc/mit-kdb/kdb_samba_policies.c | 42 +- source4/kdc/mit-kdb/kdb_samba_principals.c | 10 +- source4/kdc/mit_samba.c | 37 +- source4/rpc_server/lsa/lsa_lookup.c | 131 +- source4/selftest/tests.py | 42 +- wscript_configure_system_mitkrb5 | 4 +- 61 files changed, 4370 insertions(+), 1126 deletions(-) create mode 100644 python/samba/tests/dcerpc/lsa.py create mode 100755 python/samba/tests/krb5/fast_tests.py delete mode 100644 selftest/knownfail_mit_krb5_pre_1_18 Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 0979c007dc6..4b2f17938c8 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -42,7 +42,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: fa3eeb92fb5447524a057a4c377e6960dff626ce + SAMBA_CI_CONTAINER_TAG: 733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. 
@@ -234,10 +234,14 @@ samba-def-build: samba-mit-build: extends: .shared_template_build_only + variables: + SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34} stage: build_first .needs_samba-mit-build: extends: .shared_template_test_only + variables: + SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34} needs: - job: samba-mit-build artifacts: true @@ -274,6 +278,8 @@ samba: samba-mitkrb5: extends: .shared_template + variables: + SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34} samba-minimal-smbd: extends: .shared_template @@ -383,6 +389,13 @@ samba-fips: samba-fileserver: extends: .needs_samba-h5l-build-private +# This is a full build without the AD DC so we test the build with MIT +# Kerberos from the default system (Ubuntu 18.04 at this stage). +# Runtime behaviour checked via the ktest (static ccache and keytab) +# environment +samba-ktest-mit: + extends: .shared_template + samba-ad-dc-1: extends: .needs_samba-def-build-private diff --git a/VERSION b/VERSION index 9dc372ed3ca..31a0c312220 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE=5 +SAMBA_VERSION_RC_RELEASE=6 ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d2c25df89ff..739a0b319ca 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements ===================== -This is the fifth release candidate of Samba 4.15. This is *not* +This is the sixth release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. 
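Review bot: The same override `SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}` is pasted into three jobs across the hunks in this file (samba-mit-build, .needs_samba-mit-build and samba-mitkrb5), so the next move to a newer Fedora has to be repeated in three places and the jobs can silently drift apart. A hidden job holding only that `variables:` block, listed in each job's `extends:`, would keep the MIT image choice in one place; this assumes `SAMBA_CI_CONTAINER_IMAGE_fedora34` is defined in the top-level variables block outside these hunks. The new samba-ktest-mit job in the last hunk is fine as is, since it deliberately uses the default image.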
@@ -52,6 +52,14 @@ Starting from Jan 21th 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt +New minimum version for the experimental MIT KDC +------------------------------------------------ + +The build of the AD DC using the system MIT Kerberos, an +experimental feature, now requires MIT Kerberos 1.19. An up-to-date +Fedora 34 has this version and has backported fixes for the KDC crash +bugs CVE-2021-37750 and CVE-2021-36222 + NEW FEATURES/CHANGES ==================== @@ -274,6 +282,23 @@ Windows. 'samba-tool dns update' is now a bit more careful in rejecting and warning you about malformed IPv4 and IPv6 addresses. +CVE-2021-3671: Crash in Heimdal KDC and updated security release policy +----------------------------------------------------------------------- + +An unuthenticated user can crash the AD DC KDC by omitting the server +name in a TGS-REQ. Per Samba's updated security process a specific +security release was not made for this issue as it is a recoverable +Denial Of Service. + +See https://wiki.samba.org/index.php/Samba_Security_Proces + +samba-tool domain backup offline with the LMDB backend +------------------------------------------------------ + +samba-tool domain backup offline, when operating with the LMDB backend +now correctly takes out locks against concurrent modification of the +database during the backup. If you use this tool on a Samba AD DC +using LMDB, you should upgrade to this release for safer backups. REMOVED FEATURES ================ 
@@ -316,6 +341,36 @@ smb.conf changes winbind scan trusted domains Changed No +CHANGES SINCE 4.15.0rc5 +======================= + +o Andrew Bartlett <abart...@samba.org> + * BUG 14806: Address a signifcant performance regression in database access + in the AD DC since Samba 4.12. + * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since + Samba 4.9 by using an explicit database handle cache. + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + * BUG 14818: Address flapping samba_tool_drs_showrepl test. + * BUG 14819: Address flapping dsdb_schema_attributes test. + +o Luke Howard <lu...@padl.com> + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Gary Lockyer <g...@catalyst.net.nz> + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Andreas Schneider <a...@samba.org> + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + + CHANGES SINCE 4.15.0rc4 ======================= diff --git a/bootstrap/README.md b/bootstrap/README.md index 47ef1c67836..44a354de545 100644 --- a/bootstrap/README.md +++ b/bootstrap/README.md @@ -13,7 +13,7 @@ A pure python3 module with CLI to bootstrap Samba envs for multiple distribution ## Supported Distributions deb: Debian 10, Ubuntu 1604|1804|2004 -rpm: CentOS 7|8, Fedora 32|33, openSUSE Leap 15.1|15.2 +rpm: CentOS 7|8, Fedora 33|34, openSUSE Leap 15.1|15.2 Easy to add more. @@ -32,7 +32,7 @@ Just calculate the sha1sum for consistency checks: bootstrap/template.py --sha1sum The checksum needs to be added as `SAMBA_CI_CONTAINER_TAG` in -the toplevel .gitlab-ci.yml file. +the toplevel .gitlab-ci-main.yml file. ## User Stories 
diff --git a/bootstrap/config.py b/bootstrap/config.py index b5d04d4e371..ba4304bb9f8 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -20,6 +20,9 @@ Manage dependencies and bootstrap environments for Samba. Config file for packages and templates. +Update the lists in this file to require new packages in the +container images used in GitLab CI + Author: Joe Guo <j...@catalyst.net.nz> """ import os @@ -116,7 +119,7 @@ PKGS = [ ('bind9utils', 'bind-utils'), ('dnsutils', ''), ('xsltproc', 'libxslt'), - ('krb5-user', ''), + ('krb5-user', 'krb5-workstation'), ('krb5-config', ''), ('krb5-kdc', 'krb5-server'), ('apt-utils', 'yum-utils'), @@ -485,6 +488,7 @@ RPM_DISTS = { 'lsb-release': 'redhat-lsb', 'libsemanage-python': 'python3-libsemanage', 'policycoreutils-python': 'python3-policycoreutils', + 'python3-iso8601': 'python3-dateutil', } }, 'fedora34': { @@ -496,6 +500,7 @@ RPM_DISTS = { 'libsemanage-python': 'python3-libsemanage', 'policycoreutils-python': 'python3-policycoreutils', 'perl-FindBin': '', + 'python3-iso8601': 'python3-dateutil', 'libtracker-sparql-2.0-dev': '', # only tracker 3.x is available } }, @@ -552,6 +557,7 @@ RPM_DISTS = { 'perl-interpreter': '', 'perl-FindBin': '', 'procps-ng': 'procps', + 'python3-iso8601': 'python3-python-dateutil', 'python3-dns': 'python3-dnspython', 'python3-markdown': 'python3-Markdown', 'quota-devel': '', diff --git a/bootstrap/generated-dists/centos7/bootstrap.sh b/bootstrap/generated-dists/centos7/bootstrap.sh index 00dd22b891f..36913f40b44 100755 --- a/bootstrap/generated-dists/centos7/bootstrap.sh +++ b/bootstrap/generated-dists/centos7/bootstrap.sh @@ -45,6 +45,7 @@ yum install -y \ keyutils-libs-devel \ krb5-devel \ krb5-server \ + krb5-workstation \ lcov \ libacl-devel \ libarchive-devel \ diff --git a/bootstrap/generated-dists/centos7/packages.yml b/bootstrap/generated-dists/centos7/packages.yml index 3f5e8331b40..4da3d61441f 100644 --- a/bootstrap/generated-dists/centos7/packages.yml 
+++ b/bootstrap/generated-dists/centos7/packages.yml @@ -31,6 +31,7 @@ packages: - keyutils-libs-devel - krb5-devel - krb5-server + - krb5-workstation - lcov - libacl-devel - libarchive-devel diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8/bootstrap.sh index a3079982dda..60cf3937cf7 100755 --- a/bootstrap/generated-dists/centos8/bootstrap.sh +++ b/bootstrap/generated-dists/centos8/bootstrap.sh @@ -54,6 +54,7 @@ yum install -y \ keyutils-libs-devel \ krb5-devel \ krb5-server \ + krb5-workstation \ libacl-devel \ libarchive-devel \ libattr-devel \ diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8/packages.yml index 2994e81640a..f5d0ac5ffe6 100644 --- a/bootstrap/generated-dists/centos8/packages.yml +++ b/bootstrap/generated-dists/centos8/packages.yml @@ -34,6 +34,7 @@ packages: - keyutils-libs-devel - krb5-devel - krb5-server + - krb5-workstation - libacl-devel - libarchive-devel - libattr-devel diff --git a/bootstrap/generated-dists/fedora33/bootstrap.sh b/bootstrap/generated-dists/fedora33/bootstrap.sh index 106bd09ede8..52e199f6b88 100755 --- a/bootstrap/generated-dists/fedora33/bootstrap.sh +++ b/bootstrap/generated-dists/fedora33/bootstrap.sh @@ -45,6 +45,7 @@ dnf install -y \ keyutils-libs-devel \ krb5-devel \ krb5-server \ + krb5-workstation \ lcov \ libacl-devel \ libarchive-devel \ @@ -86,10 +87,10 @@ dnf install -y \ psmisc \ python3 \ python3-cryptography \ + python3-dateutil \ python3-devel \ python3-dns \ python3-gpg \ - python3-iso8601 \ python3-libsemanage \ python3-markdown \ python3-policycoreutils \ diff --git a/bootstrap/generated-dists/fedora33/packages.yml b/bootstrap/generated-dists/fedora33/packages.yml index 9fa48ad4502..d9cbfbd80db 100644 --- a/bootstrap/generated-dists/fedora33/packages.yml +++ b/bootstrap/generated-dists/fedora33/packages.yml 
@@ -34,6 +34,7 @@ packages: - keyutils-libs-devel - krb5-devel - krb5-server + - krb5-workstation - lcov - libacl-devel - libarchive-devel @@ -75,10 +76,10 @@ packages: - psmisc - python3 - python3-cryptography + - python3-dateutil - python3-devel - python3-dns - python3-gpg - - python3-iso8601 - python3-libsemanage - python3-markdown - python3-policycoreutils diff --git a/bootstrap/generated-dists/fedora34/bootstrap.sh b/bootstrap/generated-dists/fedora34/bootstrap.sh index 6686ab19250..de5a9670601 100755 --- a/bootstrap/generated-dists/fedora34/bootstrap.sh +++ b/bootstrap/generated-dists/fedora34/bootstrap.sh @@ -45,6 +45,7 @@ dnf install -y \ keyutils-libs-devel \ krb5-devel \ krb5-server \ + krb5-workstation \ lcov \ libacl-devel \ libarchive-devel \ @@ -85,10 +86,10 @@ dnf install -y \ psmisc \ python3 \ python3-cryptography \ + python3-dateutil \ python3-devel \ python3-dns \ python3-gpg \ - python3-iso8601 \ python3-libsemanage \ python3-markdown \ python3-policycoreutils \ diff --git a/bootstrap/generated-dists/fedora34/packages.yml b/bootstrap/generated-dists/fedora34/packages.yml index 1e488823dda..749f30dfc0e 100644 --- a/bootstrap/generated-dists/fedora34/packages.yml +++ b/bootstrap/generated-dists/fedora34/packages.yml @@ -34,6 +34,7 @@ packages: - keyutils-libs-devel - krb5-devel - krb5-server + - krb5-workstation - lcov - libacl-devel - libarchive-devel @@ -74,10 +75,10 @@ packages: - psmisc - python3 - python3-cryptography + - python3-dateutil - python3-devel - python3-dns - python3-gpg - - python3-iso8601 - python3-libsemanage - python3-markdown - python3-policycoreutils diff --git a/bootstrap/generated-dists/opensuse151/bootstrap.sh b/bootstrap/generated-dists/opensuse151/bootstrap.sh index 2271e2ea8b2..e4771284f4d 100755 --- a/bootstrap/generated-dists/opensuse151/bootstrap.sh +++ b/bootstrap/generated-dists/opensuse151/bootstrap.sh 
@@ -40,6 +40,7 @@ zypper --non-interactive install \ hostname \ htop \ keyutils-devel \ + krb5-client \ krb5-devel \ krb5-server \ lcov \ diff --git a/bootstrap/generated-dists/opensuse151/packages.yml b/bootstrap/generated-dists/opensuse151/packages.yml index 5710c60bd8b..d465252e26b 100644 --- a/bootstrap/generated-dists/opensuse151/packages.yml +++ b/bootstrap/generated-dists/opensuse151/packages.yml @@ -28,6 +28,7 @@ packages: - hostname - htop - keyutils-devel + - krb5-client - krb5-devel - krb5-server - lcov diff --git a/bootstrap/generated-dists/opensuse152/bootstrap.sh b/bootstrap/generated-dists/opensuse152/bootstrap.sh index ae766095a4d..534ff66896f 100755 --- a/bootstrap/generated-dists/opensuse152/bootstrap.sh +++ b/bootstrap/generated-dists/opensuse152/bootstrap.sh @@ -40,6 +40,7 @@ zypper --non-interactive install \ hostname \ htop \ keyutils-devel \ + krb5-client \ krb5-devel \ krb5-server \ lcov \ @@ -87,8 +88,8 @@ zypper --non-interactive install \ python3-devel \ python3-dnspython \ python3-gpg \ - python3-iso8601 \ python3-pyasn1 \ + python3-python-dateutil \ python3-setproctitle \ readline-devel \ rng-tools \ diff --git a/bootstrap/generated-dists/opensuse152/packages.yml b/bootstrap/generated-dists/opensuse152/packages.yml index 6bc1a137ca7..05b3779a2fd 100644 --- a/bootstrap/generated-dists/opensuse152/packages.yml +++ b/bootstrap/generated-dists/opensuse152/packages.yml @@ -28,6 +28,7 @@ packages: - hostname - htop - keyutils-devel + - krb5-client - krb5-devel - krb5-server - lcov @@ -75,8 +76,8 @@ packages: - python3-devel - python3-dnspython - python3-gpg - - python3-iso8601 - python3-pyasn1 + - python3-python-dateutil - python3-setproctitle - readline-devel - rng-tools diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index e198e6b80ae..e433f698b68 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -fa3eeb92fb5447524a057a4c377e6960dff626ce +733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0 
diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py index 5cccccd40ec..81738196385 100644 --- a/python/samba/netcmd/domain_backup.py +++ b/python/samba/netcmd/domain_backup.py @@ -1004,7 +1004,12 @@ class cmd_domain_backup_offline(samba.netcmd.Command): # sam.ldb must have a transaction started on it before backing up # everything in sam.ldb.d with the appropriate backup function. + # + # Obtains the sidForRestore (SID for the new DC) and returns it + # from under the transaction def backup_smb_dbs(self, private_dir, samdb, lp, logger): + sam_ldb_path = os.path.join(private_dir, 'sam.ldb') + # First, determine if DB backend is MDB. Assume not unless there is a # 'backendStore' attribute on @PARTITION containing the text 'mdb' store_label = "backendStore" 
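Review bot: The added explanation of backup_smb_dbs (`# Obtains the sidForRestore (SID for the new DC) and returns it from under the transaction`) is a `#` comment above the `def`, so it is invisible to `help()` and to anything that reads docstrings, and it shares that limitation with the two existing comment lines above it. I would move the whole explanation into a docstring under the signature, opening with `"""Back up sam.ldb and sam.ldb.d while holding the database lock.` and then stating that the sidForRestore value is read and returned from under that lock. The return described in the comment is not visible here, as the function body continues past this hunk.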
@@ -1012,16 +1017,28 @@ class cmd_domain_backup_offline(samba.netcmd.Command): attrs=[store_label]) mdb_backend = store_label in res[0] and str(res[0][store_label][0]) == 'mdb' - sam_ldb_path = os.path.join(private_dir, 'sam.ldb') + # This is needed to keep this variable in scope until the end + # of the transaction. + res_iterator = None + copy_function = None if mdb_backend: logger.info('MDB backend detected. Using mdb backup function.') copy_function = self.offline_mdb_copy + + # We can't backup with a write transaction open, so get a + # read lock with a search_iterator(). + # + # We have tests in lib/ldb/tests/python/api.py that the + # search iterator takes a read lock effective against a + # transaction. This in turn will ensure there are no + # transactions on either the main or sub-database, even if + # the read locks were not enforced globally (they are). + res_iterator = samdb.search_iterator() else: logger.info('Starting transaction on ' + sam_ldb_path) copy_function = self.offline_tdb_copy - sam_obj = Ldb(sam_ldb_path, lp=lp, flags=ldb.FLG_DONT_CREATE_DB) - sam_obj.transaction_start() + samdb.transaction_start() logger.info(' backing up ' + sam_ldb_path) self.offline_tdb_copy(sam_ldb_path) @@ -1031,12 +1048,22 @@ class cmd_domain_backup_offline(samba.netcmd.Command): if sam_file.endswith('.ldb'): logger.info(' backing up locked/related file ' + sam_file) copy_function(sam_file) + elif sam_file.endswith('.tdb'): + logger.info(' tdbbackup of locked/related file ' + sam_file) + self.offline_tdb_copy(sam_file) else: logger.info(' copying locked/related file ' + sam_file) shutil.copyfile(sam_file, sam_file + self.backup_ext) -- Samba Shared Repository
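Review bot: Both locking paths now depend on state that outlives this hunk with no visible release: the TDB path starts a write transaction on the caller-supplied `samdb` (previously a private `Ldb` handle), and the MDB path holds its read lock only while `res_iterator` stays referenced. If one of the later copy calls raises, the caller's handle is left inside an open transaction unless the rest of the function, which continues outside this hunk, already ends it; if it does not, I would wrap the copy section in a `try:`/`finally:` that calls `samdb.transaction_cancel()` on the TDB path and drops `res_iterator` on the MDB path. The comment `# This is needed to keep this variable in scope until the end of the transaction` is also slightly misleading, because Python needs no pre-assignment for scope; the real purpose is to keep the iterator object alive, so I would reword it as `# Hold a reference for the whole backup: the read lock taken by search_iterator() is presumably released once the iterator is freed.`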