The branch, v4-20-stable has been updated
       via  569d541c9bb VERSION: Disable GIT_SNAPSHOT for the 4.20.2 release.
       via  55cd97dfef1 WHATSNEW: Add release notes for Samba 4.20.2.
       via  3dd39600da3 BUG 15569 ldb: Release LDB 2.9.1
       via  fc318c63e55 auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts
       via  212b014679f auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()
       via  46ebf66fe96 auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper
       via  cccd9c95c8b testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos
       via  694605f52a4 testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos
       via  7d69ec93e31 vfs_recycle: remember resolved config->repository in vfs_recycle_connect()
       via  f464a85c129 Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()"
       via  64d7108cddb vfs_recycle: fix memory hierarchy
       via  4bb5f8a92aa vfs_recycle: use the correct return in SMB_VFS_HANDLE_GET_DATA()
       via  a5d5d83c492 vfs_recycle: use a talloc_stackframe() in recycle_unlink_internal()
       via  69b9c140527 vfs_recycle: directly allocate smb_fname_final->base_name
       via  db098ff1aad vfs_recycle: don't unlink on allocation failure
       via  cf22968a8a1 TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()
       via  7d277c424fc test_recycle.sh: make sure we don't see panics on the log files
       via  b3ce5a86489 vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send
       via  d7e0b5933fa s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
       via  5b90acbef15 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
       via  4b4b0152fd7 selftest: Add a python blackbox test for some misc (widelink) DFS tests
       via  dceb2e56b63 script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision
       via  5d593a735d3 build: Add --vendor-name --vendor-patch-revision options to ./configure
       via  f46faceae1f ctdb/docs: Include ceph rados namespace support in man page
       via  9110627bc24 ctdb/ceph: Add optional namespace support for mutex helper
       via  df54d3fdda9 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
       via  89817ed2165 s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
       via  fdd61d60caa s4:dns_server: dns_verify_tsig should return REFUSED on error
       via  f663b386156 s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
       via  3b36f447040 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
       via  299818567ea s4:dns_server: use the client provided algorithm for the fake TSIG structure
       via  7ddd758da50 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
       via  6e395cabf38 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
       via  ed8ef00c297 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
       via  a7f3293ddf7 python:tests/dns_tkey: add test_update_tsig_record_access_denied()
       via  9137bb66ab4 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
       via  5a98bc50263 python:tests/dns_base: add get_unpriv_creds() helper
       via  ff0afdd1b05 python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
       via  bda80382eb5 python:tests/dns_base: let verify_packet() work against Windows
       via  fdfd4e8adce python:tests/dns_tkey: test bad and changing tsig algorithms
       via  7dabac46b5a python:tests/dns_tkey: add gss.microsoft.com tsig updates
       via  6438249cf1e python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
       via  501a25a1f07 python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
       via  c7a936ecd27 python:tests/dns_base: maintain a dict with tkey related state
       via  da7c313740d python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
       via  85784854629 python:tests/dns_base: pass tkey_trans(expected_rcode)
       via  e58fe908371 python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
       via  12d4e452410 python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
       via  9cfc2e24331 python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
       via  f7f0518b46a python:tests/dns_base: add self.assert_echoed_dns_error()
       via  c00749edb35 python:tests/dns_base: let dns_transaction_tcp() handle short receives
       via  3bd80a2545a python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
       via  19fc5bb6b9d python:tests/dns_base: generate a real signature in bad_sign_packet()
       via  8b8fef4c9c8 third_party: Update socket_wrapper to version 1.4.3
       via  87ac580b40f third_party: Update uid_wrapper to version 1.3.1
       via  e5293b114b1 gitlab-ci: Set git safe.directory for devel repo
       via  95c59655141 bootstrap: Fix building CentOS 8 Stream container images
       via  7edef3c7fb1 bootstrap: Set git safe.directory
       via  e8dc4bb0edf bootstrap: Fix runner tags
       via  e57e35908d5 s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.
       via  f681ee3bac0 s3/torture: Add test for widelink case insensitivity on a MSDFS share.
       via  50d4451bd4b s3:smbcacls: fix ace_compare
       via  e21251926ba ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold
       via  3f9d9f83448 ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold
       via  d12f3cced61 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
       via  7ae866c6ffa s4:dsdb:mod: repl_md: make message_sort transitive
       via  21a01b3bad4 ldb: avoid NULL deref in ldb_db_compare
       via  7d295cb6fe5 ldb:attrib_handlers: make ldb_comparison_Boolean more consistent
       via  3d62269dfbf ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs
       via  586c0f3dd00 ldb-samba:ldif_handlers: dn_link_comparison leaks less
       via  d819b21464c ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects
       via  ae770139f25 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs
       via  956bff1dc63 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects
       via  da5c625e641 ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate
       via  dcf393af595 s4:rpcsrv:samr: improve a comment in compare_msgRid
       via  8f0490150b4 s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs
       via  d2aaed5d969 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
       via  de865f6c8b7 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
       via  1d527c49df5 gensec: sort_gensec uses NUMERIC_CMP
       via  2f6c5b6603f s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
       via  835594dea0e dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
       via  29b17d296c0 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
       via  6893310bd79 s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare
       via  94f38553adf s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
       via  f61aabdb1a3 ldb:dn: make ldb_dn_compare() self-consistent
       via  f3b6ec046a0 ldb:sort: generalise both-NULL check to equality check
       via  a0a83539c30 ldb:sort: check that elements have values
       via  5f52991b931 ldb:mod:sort: rearrange NULL checks
       via  faed55f4f88 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
       via  4d6f0ad643c s3:util:sharesec ace_compare() uses NUMERIC_CMP()
       via  e3f491e3193 s3:smbcacls: use NUMERIC_CMP in ace_compare
       via  48494283a66 s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP()
       via  27becb5a7fc s4:wins: use NUMERIC_CMP in nbtd_wins_randomize1Clist_sort()
       via  20648aaf7fe s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
       via  7acee3ae13a s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
       via  a326992c07d s4:dns_server: use NUMERIC_CMP in rec_cmp()
       via  c6ed9351f81 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
       via  39505028672 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
       via  886818f5abb libcli/security: use NUMERIC_CMP in dom_sid_compare_auth()
       via  bd548a92d42 libcli/security: use NUMERIC_CMP in dom_sid_compare()
       via  c95b73014d3 ldb: reduce non-transitive comparisons in ldb_msg_element_compare()
       via  e0468b5a9ed ldb: avoid non-transitive comparison in ldb_val_cmp()
       via  7990f5a2841 util:datablob: avoid non-transitive comparison in data_blob_cmp()
       via  f7e192e82f7 ldb:attrib_handlers: ldb_comparison_binary uses NUMERIC_CMP()
       via  4fa00be3083 ldb:attrib_handlers: ldb_comparison_Boolean uses NUMERIC_CMP()
       via  1c6f16cdca9 util: charset:util_str: use NUMERIC_CMP in strncasecmp_m_handle
       via  6a0daf6818b lib/torture: add assert_int_{less,greater} macros
       via  ccd94628b58 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
       via  f9a7ded26d1 s3:libsmb:namequery: note intransitivity in addr_compare()
       via  77b78b45330 util:charset:codepoints: codepoint_cmpi warning about non-transitivity
       via  64d55301410 util:charset:codepoints: condepoint_cmpi uses NUMERIC_CMP()
       via  10c0087dac8 util:test: test_ms_fn_match_protocol_no_wildcard: allow -1
       via  eb8fd60e10c util:charset:util_str: use NUMERIC_CMP in strcasecmp_m_handle
       via  d18a62836c0 torture:charset: test more of strcasecmp_m
       via  94b574cde12 torture:charset: use < and > assertions for strncasecmp_m
       via  767344ee512 torture:charset: use < and > assertions for strcasecmp_m
       via  be4965c69c8 util:binsearch: user NUMERIC_CMP()
       via  51fa8c0168e s4: use numeric_cmp in dns_common_sort_zones()
       via  f94b87da1be s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
       via  3071a4af9a5 s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
       via  696cca23e3e ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
       via  1b8ccbf031b ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare_base()
       via  9e19cc17117 ldb: add NUMERIC_CMP macro to ldb.h
       via  b46af17050b util:tsort.h: add a macro for safely comparing numbers
       via  3a840553cfb lib/fuzzing/decode_ndr_X_crash: guess the pipe from filename
       via  c206d3d20c8 ldb: avoid out of bounds read and write in ldb_qsort()
       via  e2191933876 examples:winexe: embed Samba version as exe timestamp
       via  b1173444ff8 examples:winexe: reproducible builds with zero timestamp
       via  e7c132a4a2c buildtools:pidl: avoid hash randomisation in pidl
       via  eb480df1baf pidl:Typelist: resolveType(): don't mistake a reference for a name
       via  65e781a30b2 s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
       via  fb4c338f030 s3:libads: Do not fail if we don't get an IP passed down
       via  069729202c3 s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
       via  1917b7f052d python: Fix NtVer check for site_dn_for_machine()
       via  9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected handling
       via  6a673a35ea0 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
       via  82f73dc2312 s4:libcli/dgram: make use of socket_address_copy()
       via  40fe6480d0d s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
       via  cf37f9f5272 libcli/nbt: add nbt_name_send_raw()
       via  b440c11ea0f s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
       via  b0c2389c886 s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()
       via  234df77ae0a s3:libsmb/unexpected: don't use talloc_tos() in async code
       via  2f73d251e0c s3:wscript: LIBNMB requires lp_ functions
       via  27e4297f4c7 s3:include: split out fstring.h
       via  260d1bbacf8 s3:include: let nameserv.h be useable on its own
       via  4257e3b8fef s3:libads: avoid changing ADS->server.workgroup
       via  ba361b11d2e s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
       via  0d0fbf2bb86 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
       via  2954489bd56 s3:utils: let smbstatus report anonymous signing/encryption explicitly
       via  9530c418a38 s3:smbd: allow anonymous encryption after one authenticated session setup
       via  610e11af858 s3:utils: let smbstatus also report partial tcon signing/encryption
       via  6fbf5deb559 s3:utils: let smbstatus also report AES-256 encryption types for tcons
       via  c547e0c0ff7 s3:utils: let connections_forall_read() report if the session was authenticated
       via  fe91ed785ed s3:lib: let sessionid_traverse_read() report if the session was authenticated
       via  716a0443c9f s3:utils: remove unused signing_flags in connections_forall()
       via  cd05e7ed937 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
       via  b945f645732 s4:libcli/smb2: add hack to test anonymous signing and encryption
       via  b7606714959 smbXcli_base: add hacks to test anonymous signing and encryption
       via  dfcbd88504d tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
       via  1b21c09d513 .gitlab-ci-main.yml: debug kernel details of the current runner
       via  d5638013962 .gitlab-ci: Remove tags no longer provided by gitlab.com
       via  9b6bc91254c VERSION: Bump version up to Samba 4.20.2...
      from  0ba948cba0b VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-coverage-runners.yml                    |   8 +-
 .gitlab-ci-default-runners.yml                     |  44 +-
 .gitlab-ci-main.yml                                |   9 +-
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       |  86 ++-
 auth/credentials/credentials.c                     |   5 +
 auth/credentials/credentials.h                     |   1 +
 auth/credentials/credentials_secrets.c             |  31 +-
 auth/credentials/tests/test_creds.c                |  37 +-
 auth/gensec/gensec_start.c                         |   2 +-
 bootstrap/.gitlab-ci.yml                           |   6 +-
 bootstrap/config.py                                |   3 +
 bootstrap/generated-dists/centos8s/bootstrap.sh    |   3 +
 bootstrap/sha1sum.txt                              |   2 +-
 buildtools/wafsamba/samba_pidl.py                  |   4 +-
 buildtools/wafsamba/samba_third_party.py           |   4 +-
 buildtools/wafsamba/samba_version.py               |   5 +
 ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml        |   4 +-
 ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c     |  50 +-
 examples/winexe/wscript                            |  21 +
 examples/winexe/wscript_build                      |   4 +-
 lib/fuzzing/decode_ndr_X_crash                     |  12 +-
 lib/ldb-samba/ldif_handlers.c                      |  94 +--
 lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.9.1.sigs}     |   0
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.9.1.sigs} |   0
 lib/ldb/common/attrib_handlers.c                   |  53 +-
 lib/ldb/common/ldb_dn.c                            |  30 +-
 lib/ldb/common/ldb_msg.c                           |  13 +-
 lib/ldb/common/qsort.c                             |   2 +-
 lib/ldb/include/ldb.h                              |  16 +
 lib/ldb/modules/sort.c                             |  19 +-
 lib/ldb/wscript                                    |   2 +-
 lib/socket/interfaces.c                            |  22 +-
 lib/torture/torture.h                              |  20 +
 lib/util/charset/codepoints.c                      |  15 +-
 lib/util/charset/tests/charset.c                   |  31 +-
 lib/util/charset/util_str.c                        |   9 +-
 lib/util/data_blob.c                               |   5 +-
 lib/util/tests/binsearch.c                         |   6 +-
 lib/util/tests/test_ms_fnmatch.c                   |   2 +-
 lib/util/tsort.h                                   |  19 +
 libcli/nbt/libnbt.h                                |   3 +
 libcli/nbt/nbtsocket.c                             |  44 ++
 libcli/security/dom_sid.c                          |  14 +-
 libcli/smb/smbXcli_base.c                          | 104 +++-
 libcli/smb/smbXcli_base.h                          |   5 +
 pidl/lib/Parse/Pidl/Typelist.pm                    |  14 +-
 python/samba/gp/gpclass.py                         |   4 +-
 python/samba/tests/blackbox/misc_dfs_widelink.py   |  86 +++
 python/samba/tests/dns_base.py                     | 213 ++++---
 python/samba/tests/dns_tkey.py                     | 325 +++++++++--
 python/samba/tests/join.py                         |   2 +-
 python/samba/tests/ntacls.py                       |   2 +-
 script/autobuild.py                                |   3 +-
 selftest/flapping.d/gitlab-setxattr-security       |  18 +
 selftest/knownfail-32bit                           |   8 -
 selftest/target/Samba4.pm                          |   2 +
 lib/util/unix_match.h => source3/include/fstring.h |  14 +-
 source3/include/includes.h                         |   5 +-
 source3/include/nameserv.h                         | 380 +------------
 source3/include/session.h                          |   1 +
 source3/include/smb.h                              |  26 +-
 source3/lib/sessionid_tdb.c                        |   8 +
 source3/lib/util_tdb.c                             |   4 +-
 source3/libads/kerberos.c                          |  32 +-
 source3/libads/ldap.c                              |  16 +-
 source3/librpc/idl/ads.idl                         |   1 +
 source3/libsmb/clidgram.c                          |   6 +-
 source3/libsmb/dsgetdcname.c                       |  29 +-
 source3/libsmb/libsmb_xattr.c                      |  14 +-
 source3/libsmb/namequery.c                         |  21 +-
 source3/libsmb/nmblib.c                            |  12 +-
 source3/libsmb/nmblib.h                            |   2 +
 source3/libsmb/unexpected.c                        |  18 +-
 source3/libsmb/unexpected.h                        |   2 +
 source3/locking/brlock.c                           |   7 +-
 source3/modules/posixacl_xattr.c                   |   6 +-
 source3/modules/vfs_default.c                      |   6 +
 source3/modules/vfs_recycle.c                      | 176 +++---
 source3/modules/vfs_vxfs.c                         |   6 +-
 source3/modules/vfs_widelinks.c                    |  13 +-
 source3/nmbd/nmbd.h                                | 382 +++++++++++++
 source3/nmbd/nmbd_packets.c                        |   1 +
 source3/rpc_server/wkssvc/srv_wkssvc_nt.c          |   2 +-
 source3/script/tests/test_recycle.sh               |   5 +
 source3/script/tests/test_widelink_dfs_ci.sh       |  72 +++
 source3/selftest/tests.py                          |  11 +
 source3/smbd/files.c                               |  18 +
 source3/smbd/globals.h                             |   5 +
 source3/smbd/smb2_server.c                         |  11 +
 source3/smbd/smb2_sesssetup.c                      |  18 +-
 source3/smbd/smb2_tcon.c                           |   4 +
 source3/utils/conn_tdb.c                           |  12 +-
 source3/utils/conn_tdb.h                           |   1 +
 source3/utils/net_ads.c                            |   6 +
 source3/utils/net_registry.c                       |   2 +-
 source3/utils/sharesec.c                           |   8 +-
 source3/utils/smbcacls.c                           |  15 +-
 source3/utils/status.c                             |  82 ++-
 source3/utils/status.h                             |   1 +
 source3/utils/status_json.c                        |   2 +
 source3/winbindd/idmap_ad.c                        |  11 +-
 source3/wscript_build                              |   1 +
 source4/dns_server/dns_crypto.c                    |  49 +-
 source4/dns_server/dns_query.c                     |  27 +-
 source4/dns_server/dns_update.c                    |  11 +
 source4/dns_server/dnsserver_common.c              |   8 +-
 source4/dsdb/repl/drepl_out_helpers.c              |  26 +-
 source4/dsdb/samdb/ldb_modules/operational.c       |   2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    |  17 +-
 source4/dsdb/schema/schema_set.c                   |  14 +-
 source4/libcli/dgram/dgramsocket.c                 |  40 +-
 source4/libcli/dgram/libdgram.h                    |   3 +
 source4/libcli/smb2/session.c                      |  16 +-
 source4/libcli/smb2/smb2.h                         |   2 +
 source4/nbt_server/dgram/request.c                 |  56 +-
 source4/nbt_server/interfaces.c                    |  29 +
 source4/nbt_server/nbt_server.c                    | 143 +++++
 source4/nbt_server/nbt_server.h                    |   2 +
 source4/nbt_server/wins/winsdb.c                   |   5 +-
 source4/nbt_server/wins/winsserver.c               |   3 +-
 source4/nbt_server/wscript_build                   |   2 +-
 source4/ntvfs/posix/pvfs_streams.c                 |   3 +-
 source4/rpc_server/dnsserver/dnsdata.c             |  16 +-
 source4/rpc_server/samr/dcesrv_samr.c              |   7 +-
 source4/selftest/tests.py                          |  14 +-
 source4/torture/smb2/ioctl.c                       |  64 +++
 source4/torture/smb2/session.c                     | 629 +++++++++++++++++++++
 testprogs/blackbox/test_ldap_token.sh              | 115 ++++
 testprogs/blackbox/test_trust_token.sh             |   5 +-
 third_party/socket_wrapper/socket_wrapper.c        |  45 +-
 third_party/socket_wrapper/wscript                 |   3 +-
 third_party/uid_wrapper/uid_wrapper.c              |  58 +-
 third_party/uid_wrapper/wscript                    |   4 +-
 wscript                                            |  20 +
 135 files changed, 3554 insertions(+), 907 deletions(-)
 copy lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.9.1.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.9.1.sigs} (100%)
 create mode 100644 python/samba/tests/blackbox/misc_dfs_widelink.py
 create mode 100644 selftest/flapping.d/gitlab-setxattr-security
 copy lib/util/unix_match.h => source3/include/fstring.h (76%)
 create mode 100755 source3/script/tests/test_widelink_dfs_ci.sh
 create mode 100755 testprogs/blackbox/test_ldap_token.sh

Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-coverage-runners.yml b/.gitlab-ci-coverage-runners.yml index 0f6b2ec1581..331c5d2399c 100644
--- a/.gitlab-ci-coverage-runners.yml +++ b/.gitlab-ci-coverage-runners.yml @@ -1,10 +1,4 @@ include: - /.gitlab-ci-default-runners.yml -.shared_runner_test: - # We need the more powerful n1-standard-2 runners - # in order to handle the lcov overhead. - # - # See .gitlab-ci-default-runners.yml for more details - tags: - - gitlab-org-docker +# Currently we're happy with the defaults diff --git a/.gitlab-ci-default-runners.yml b/.gitlab-ci-default-runners.yml index f73f868d39c..bdc504aff21 100644 --- a/.gitlab-ci-default-runners.yml +++ b/.gitlab-ci-default-runners.yml 
@@ -1,48 +1,26 @@ -# From https://docs.gitlab.com/ee/user/gitlab_com/#shared-runners: +# From https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html # # ... # -# All your CI/CD jobs run on n1-standard-1 instances with 3.75GB of RAM, CoreOS -# and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB of -# HDD disk space. The default region of the VMs is US East1. Each instance is -# used only for one job, this ensures any sensitive data left on the system can’t -# be accessed by other people their CI jobs. -# -# The gitlab-shared-runners-manager-X.gitlab.com fleet of runners are dedicated -# for GitLab projects as well as community forks of them. They use a slightly -# larger machine type (n1-standard-2) and have a bigger SSD disk size. They don’t -# run untagged jobs and unlike the general fleet of shared runners, the instances -# are re-used up to 40 times. -# -# ... -# -# The n1-standard-1 runners seem to be tagged with 'docker' together with 'gce'. -# -# The more powerful n1-standard-2 runners seem to be tagged with -# 'gitlab-org-docker' or some with just 'gitlab-org'. -# +# Runner Tag vCPUs Memory Storage +# saas-linux-small-amd64 2 8 GB 25 GB # # Our current private runner 'docker', 'samba-ci-private', 'shared' and # 'ubuntu2204'. It runs with an ubuntu2204 kernel (5.15) and provides an -# ext4 filesystem and similar RAM as the n1-standard-2 runners. +# ext4 filesystem, 2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM. # .shared_runner_build: - # We use n1-standard-1 shared runners by default. - # - # There are currently 5 shared runners with 'docker' and 'gce', - # while there are only 2 provising 'docker' together with 'shared'. + # We use saas-linux-small-amd64 shared runners by default. 
+ # We avoid adding explicit tags for them in order + # to work with potential changes in future # - # We used to fallback to our private runner if the docker+shared runners - # were busy, but now that we use the 5 docker+gce runners, we try to only - # use shared runners without a fallback to our private runner! - # Lets see how that will work out. - tags: - - docker - - gce + # In order to generate valid yaml, we define a dummy variable... + variables: + SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build .shared_runner_test: - # Currently we're fine using the n1-standard-1 runners also for testing + # We use saas-linux-small-amd64 shared runners by default. extends: .shared_runner_build .private_runner_test: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index add5f323ec4..face2103327 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 9a406973474a7903fe7fd6215226660911ed73c0 + SAMBA_CI_CONTAINER_TAG: b078783e082ead539940faaa644567bf4ed67f67 # # We use the ubuntu2204 image as default as # it matches what we have on atb-devel-224 @@ -112,8 +112,14 @@ include: before_script: - uname -a + - ls -l /sys/module/ + - ls -l /sys/kernel/security/ + - if [ -e /sys/kernel/security/lsm ]; then cat /sys/kernel/security/lsm ; echo; fi + - if [ -e /proc/config.gz ]; then sudo zcat /proc/config.gz; echo; fi - lsb_release -a - cat /etc/os-release + - id + - cat /proc/self/status - lscpu - cat /proc/cpuinfo - mount @@ -141,6 +147,7 @@ include: - ccache -s # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI - git config --global --add safe.directory `pwd` + - git config --global --add safe.directory /builds/samba-team/devel/samba/.git after_script: - mount - df -h diff --git a/VERSION b/VERSION index cfa7539380b..200f6ccac3e 100644 
--- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=20 -SAMBA_VERSION_RELEASE=1 +SAMBA_VERSION_RELEASE=2 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8249e9326f9..fb964d7a6f4 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,86 @@ + ============================== + Release Notes for Samba 4.20.2 + June 19, 2024 + ============================== + + +This is the latest stable release of the Samba 4.20 release series. + + +Changes since 4.20.1 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity. + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 13213: Samba build is not reproducible. + * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare + function. + * BUG 15625: Many qsort() comparison functions are non-transitive, which can + lead to out-of-bounds access in some circumstances. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI + bill. + * BUG 15654: We have added new options --vendor-name and --vendor-patch- + revision arguments to ./configure to allow distributions and packagers to + put their name in the Samba version string so that when debugging Samba the + source of the binary is obvious. + +o Günther Deschner <g...@samba.org> + * BUG 15665: CTDB RADOS mutex helper misses namespace support. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13019: Dynamic DNS updates with the internal DNS are not working. + * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with + SysvolReady=0. + * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to + Windows Server 2022). + * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger. + * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd + can't use nmb requests instead cldap. + * BUG 15642: winbindd, net ads join and other things don't work on an ipv6 + only host. + * BUG 15659: Segmentation fault when deleting files in vfs_recycle. + * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp(). + * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the + machine account. 
+ +o Noel Power <noel.po...@suse.com> + * BUG 15435: Regression DFS not working with widelinks = true. + +o Andreas Schneider <a...@samba.org> + * BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response. + * BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted + domain lookups. + * BUG 15660: The images don't build after the git security release and CentOS + 8 Stream is EOL. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.20.1 May 08, 2024 @@ -51,8 +134,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.20.0 March 27, 2024 diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 20ab858e67b..e563be34399 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c 
@@ -146,6 +146,11 @@ _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct return creds->kerberos_state; } +_PUBLIC_ enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds) +{ + return creds->kerberos_state_obtained; +} + _PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds) { return creds->forced_sasl_mech; diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index 341c984f60c..16eddccec57 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -267,6 +267,7 @@ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cr const char *cli_credentials_get_self_service(struct cli_credentials *cred); const char *cli_credentials_get_target_service(struct cli_credentials *cred); enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds); +enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds); const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred); enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds); NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index 8469d6e116f..906f3ff1a21 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c 
@@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti } if (secrets_tdb_password_more_recent) { - enum credentials_use_kerberos use_kerberos = - CRED_USE_KERBEROS_DISABLED; char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx)); cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED); cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED); cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); if (strequal(domain, lpcfg_workgroup(lp_ctx))) { + enum credentials_use_kerberos use_kerberos = + cli_credentials_get_kerberos_state(cred); + enum credentials_obtained use_kerberos_obtained = + cli_credentials_get_kerberos_state_obtained(cred); + bool is_ad = false; + cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED); switch (server_role) { @@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti FALL_THROUGH; case ROLE_ACTIVE_DIRECTORY_DC: case ROLE_IPA_DC: - use_kerberos = CRED_USE_KERBEROS_DESIRED; + is_ad = true; break; } + + if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) { + /* + * Keep an explicit selection + * + * For AD domains we also keep + * CRED_USE_KERBEROS_DESIRED + */ + } else if (use_kerberos_obtained <= CRED_SMB_CONF) { + /* + * Disable kerberos by default within + * an NT4 domain. + */ + cli_credentials_set_kerberos_state(cred, + CRED_USE_KERBEROS_DISABLED, + CRED_SMB_CONF); + } } - cli_credentials_set_kerberos_state(cred, - use_kerberos, - CRED_SPECIFIED); + cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct); cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type); diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c index 2cb2e6d0e34..e79f08982ad 100644 --- a/auth/credentials/tests/test_creds.c 
+++ b/auth/credentials/tests/test_creds.c @@ -227,6 +227,8 @@ static void torture_creds_krb5_state(void **state) TALLOC_CTX *mem_ctx = *state; struct cli_credentials *creds = NULL; struct loadparm_context *lp_ctx = NULL; + enum credentials_obtained kerberos_state_obtained; + enum credentials_use_kerberos kerberos_state; bool ok; lp_ctx = loadparm_init_global(true); @@ -234,18 +236,27 @@ static void torture_creds_krb5_state(void **state) creds = cli_credentials_init(mem_ctx); assert_non_null(creds); - assert_int_equal(creds->kerberos_state_obtained, CRED_UNINITIALISED); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_UNINITIALISED); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED); ok = cli_credentials_set_conf(creds, lp_ctx); assert_true(ok); - assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED); ok = cli_credentials_guess(creds, lp_ctx); assert_true(ok); - assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED); assert_int_equal(creds->ccache_obtained, CRED_GUESS_FILE); assert_non_null(creds->ccache); 
@@ -253,15 +264,21 @@ static void torture_creds_krb5_state(void **state) CRED_USE_KERBEROS_REQUIRED, CRED_SPECIFIED); assert_true(ok); - assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED); ok = cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED, CRED_SMB_CONF); assert_false(ok); - assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED); } diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 072188a6752..bcf98bd5968 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -1103,7 +1103,7 @@ _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void) } static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) { - return (*gs2)->priority - (*gs1)->priority; + return NUMERIC_CMP((*gs2)->priority, (*gs1)->priority); } int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value) diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index ba82cdc1251..77b4e4fe290 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml 
@@ -6,9 +6,7 @@ # We need to make sure we only use gitlab.com # runners and not our own runners, as our current runners # don't allow 'docker build ...' to run. - - docker - - gce - - shared + - saas-linux-small-amd64 variables: SAMBA_CI_IS_BROKEN_IMAGE: "no" SAMBA_CI_TEST_JOB: "samba-o3" @@ -47,7 +45,7 @@ diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt # run smoke test with samba-o3 or samba-fuzz podman run --volume $(pwd):/src:ro ${ci_image_name} \ - /bin/bash -c "git clone /src samba && cd samba && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase" + /bin/bash -c "git config --global --add safe.directory /src/.git && git clone /src samba && cd samba && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase" podman tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG} podman tag ${ci_image_name} ${ci_image_path}:${timestamp_tag} # We build all images, but only upload is it's not marked as broken diff --git a/bootstrap/config.py b/bootstrap/config.py index 11d8314aefc..a5a7366c7fa 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -241,6 +241,9 @@ CENTOS8S_YUM_BOOTSTRAP = r""" {GENERATED_MARKER} set -xueo pipefail +sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* +sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-* + yum update -y yum install -y dnf-plugins-core yum install -y epel-release diff --git a/bootstrap/generated-dists/centos8s/bootstrap.sh b/bootstrap/generated-dists/centos8s/bootstrap.sh index 4b2c62c66d9..9e0aabbac28 100755 --- a/bootstrap/generated-dists/centos8s/bootstrap.sh +++ b/bootstrap/generated-dists/centos8s/bootstrap.sh 
@@ -7,6 +7,9 @@ set -xueo pipefail +sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* +sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-* + yum update -y yum install -y dnf-plugins-core yum install -y epel-release diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 61ecaf0ccf6..1bb5e922d9b 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -9a406973474a7903fe7fd6215226660911ed73c0 +b078783e082ead539940faaa644567bf4ed67f67 diff --git a/buildtools/wafsamba/samba_pidl.py b/buildtools/wafsamba/samba_pidl.py index 72997c8bf84..e1010869cdd 100644 --- a/buildtools/wafsamba/samba_pidl.py +++ b/buildtools/wafsamba/samba_pidl.py @@ -81,7 +81,9 @@ def SAMBA_PIDL(bld, pname, source, else: cc = 'CC="%s"' % bld.CONFIG_GET("CC") - t = bld(rule='cd ${PIDL_LAUNCH_DIR} && %s%s %s ${PERL} ${PIDL} --quiet ${OPTIONS} --outputdir ${OUTPUTDIR} -- "${IDLSRC}"' % (pidl_dev, cpp, cc), + t = bld(rule=('cd ${PIDL_LAUNCH_DIR} && PERL_HASH_SEED=0 %s%s %s ${PERL} ' + '${PIDL} --quiet ${OPTIONS} --outputdir ${OUTPUTDIR} -- "${IDLSRC}"' % + (pidl_dev, cpp, cc)), ext_out = '.c', before = 'c', update_outputs = True, diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py index 52898486fd9..a42bb2ddc90 100644 --- a/buildtools/wafsamba/samba_third_party.py +++ b/buildtools/wafsamba/samba_third_party.py @@ -24,7 +24,7 @@ Build.BuildContext.CHECK_CMOCKA = CHECK_CMOCKA @conf def CHECK_SOCKET_WRAPPER(conf): - return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.2') + return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.3') Build.BuildContext.CHECK_SOCKET_WRAPPER = CHECK_SOCKET_WRAPPER @conf 
@@ -39,7 +39,7 @@ Build.BuildContext.CHECK_RESOLV_WRAPPER = CHECK_RESOLV_WRAPPER @conf def CHECK_UID_WRAPPER(conf): - return conf.CHECK_BUNDLED_SYSTEM_PKG('uid_wrapper', minversion='1.3.0') + return conf.CHECK_BUNDLED_SYSTEM_PKG('uid_wrapper', minversion='1.3.1') Build.BuildContext.CHECK_UID_WRAPPER = CHECK_UID_WRAPPER @conf diff --git a/buildtools/wafsamba/samba_version.py b/buildtools/wafsamba/samba_version.py index 31103e0f8c4..576168f5723 100644 --- a/buildtools/wafsamba/samba_version.py -- Samba Shared Repository
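Review bot: in the second cli_credentials_set_machine_account_db_ctx() hunk the kerberos state is now only ever adjusted inside the `if (strequal(domain, lpcfg_workgroup(lp_ctx)))` branch, because the unconditional `cli_credentials_set_kerberos_state(cred, use_kerberos, CRED_SPECIFIED);` call is dropped; when the secrets.tdb domain does not match the configured workgroup the credentials therefore keep whatever state they already had instead of being forced to CRED_USE_KERBEROS_DISABLED as before. If that is intended, say so in the comment above the switch or in the commit message. The `use_kerberos_obtained <= CRED_SMB_CONF` test also relies on the numeric ordering of enum credentials_obtained (lower values are weaker sources), which is worth stating in the comment, and the empty first branch of the if/else-if would read more clearly inverted, e.g. `if (use_kerberos == CRED_USE_KERBEROS_DESIRED && !is_ad && use_kerberos_obtained <= CRED_SMB_CONF)` with the two explanatory comments merged into one.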
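Review bot: the torture_creds_krb5_state() hunks move the kerberos_state assertions to the new accessors, but the same function still reaches into the struct for `creds->ccache_obtained` and `creds->ccache` in the unchanged context, so the test is not actually decoupled from the struct layout; either keep direct access consistently or add accessors for those fields too. The four-line read-then-assert block is repeated five times, and a small static helper taking the expected (obtained, state) pair would shorten it. Nothing here exercises the new machine-account path itself: a case that sets CRED_USE_KERBEROS_REQUIRED with CRED_SPECIFIED, runs cli_credentials_set_machine_account_db_ctx() against an NT4-style configuration and asserts that the explicit state survives would pin down the fix in the first file.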
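Review bot: replacing the `priority` subtraction in sort_gensec() with NUMERIC_CMP() removes the signed wraparound a difference-based qsort comparator can hit for extreme int values, so the mechanism ordering becomes well defined; the hunk adds no #include, so confirm that the header defining NUMERIC_CMP is already reachable from gensec_start.c.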
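Review bot: in the podman smoke-test hunk of bootstrap/.gitlab-ci.yml, `git config --global --add safe.directory /src/.git` is the right narrow fix for the dubious-ownership check on the read-only `/src` bind mount (better than opening `safe.directory` to `*`), but the one-line `/bin/bash -c "..."` command is now long enough to be hard to review; a YAML block scalar or a small script in the repository would help. The unchanged comment after the `podman tag` lines, "but only upload is it's not marked as broken", should read "if it's".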
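Review bot: the CentOS-* repo rewrite in CENTOS8S_YUM_BOOTSTRAP in bootstrap/config.py, and its generated copy in bootstrap/generated-dists/centos8s/bootstrap.sh, points baseurl at `http://vault.centos.org` over plain HTTP. RPM signatures still protect the packages, but repodata fetched over HTTP can be altered or replayed on the way to the builder, and vault.centos.org serves HTTPS, so `https://vault.centos.org` costs nothing and closes that gap. The two sed expressions carry no comment; one line saying why the mirrorlist is being replaced by the vault archive would help the next reader, and since the generated file must stay in sync with the template (bootstrap/sha1sum.txt is updated in the same patch) the comment belongs in the template.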
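Review bot: `PERL_HASH_SEED=0` in the SAMBA_PIDL rule in buildtools/wafsamba/samba_pidl.py has no comment explaining its purpose; add one stating that it pins Perl's hash iteration order so pidl emits identical generated sources on every run (reproducible builds). The string layout is fine as written: the two adjacent literals are concatenated before `%` is applied, so all three format arguments (pidl_dev, cpp, cc) land in the combined rule.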
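Review bot: the minversion bumps in buildtools/wafsamba/samba_third_party.py (socket_wrapper 1.4.2 to 1.4.3, uid_wrapper 1.3.0 to 1.3.1) raise the requirement for builds against system copies of these libraries, and the hunks do not say which fix in those releases is needed; a short comment or a commit-message reference would let packagers judge whether a backport is acceptable.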