The branch, v4-21-stable has been updated
via 0dba5ef975a VERSION: Disable GIT_SNAPSHOT for the 4.21.3 release.
via d4857962df4 WHATSNEW: Add release notes for Samba 4.21.3.
via e1c1b88170d docs:manpages: Update 'net ads keytab create'
via 7202467477d pam_winbind: Fix Bug 15771
via 884500cb316 s4:drs:test:getncchanges skips some tests with
reserved_usn = 0
via 5842ec1d056 s4:drs:test:getncchanges: remove timeout failure
via 28626e763ee s4:drsuapi:getncchanges: allow 0 reserved_usn reply
via 6c66d01c6df s4:drsuapi:getncchanges: use DBG_ERR() macro
via 9954fd8994f s4:drsuapi:getncchanges: fix whitespace
via b43b7a9ac1b s4:drs:tests: repeat getncchanges test with zero
reserved_usn
via ec6263a3f0e s4:drs:tests: add hook for changing highwatermark
via 9b7f1ce151b s4:drs:test:getncchanges: add a timeout failure
via ba4363a7277 selftest: Add test for vfs crossrename module
via bab50c88c7d docs:manpage: vfs_crossrename is not fully stackable
VFS module
via 6b37df9e58e s3:vfs_crossrename: add back checking for errno ENOENT
via bca095a71a3 s3:vfs_crossrename: crossrename_renameat() needs to
return 0 if copy_reg() is successful
via 7219acad073 s3:vfs_crossrename: avoid locking panic in copy_reg()
via aee855de33b s4:rpc_server: make use of
dcesrv_assoc_group_common_destructor()
via b7d2e29c59a s3:rpc_server: make use of
dcesrv_assoc_group_common_destructor()
via f2ed20c2011 dcesrv_core: add dcesrv_assoc_group_common_destructor()
via e47866ae948 smbd: fix breaking leases on rename
via 4eaf7b8b855 smbd: force sync rename with lease break
via b8a543f2ccb smbd: return correct error for compound related
requests that went async
via ebe5e4c3499 smbtorture: test rename with other opens on the file
via 52b1c6aba35 smbtorture: add a bunch of tests for async rename and
async interim responses
via 52c3f270610 smbtorture: rename CHECK_VALUE() to CHECK_VAL() in
smb2/compound.c
via 0f4e46398bd vfs_btrfs: Also call vfs_offload_token_ctx_init() in
btrfs_offload_write_send()
via 9a7047e8cca ctdb-common: Map ENOENT for a missing event script to
ENOEXEC
via a01a0c34dad VERSION: Bump version up to Samba 4.21.3...
from d67152765b3 VERSION: Disable GIT_SNAPSHOT for the 4.21.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 65 +-
ctdb/common/run_event.c | 23 +-
.../etc-ctdb/share/events/data/01.dummy.script | 4 +
ctdb/tests/UNIT/eventd/eventd_009.sh | 37 +
docs-xml/manpages/net.8.xml | 33 +-
docs-xml/manpages/vfs_crossrename.8.xml | 5 +-
librpc/rpc/dcesrv_core.h | 2 +
librpc/rpc/dcesrv_handles.c | 17 +-
nsswitch/pam_winbind.c | 1 +
selftest/knownfail | 2 -
selftest/knownfail.d/getncchanges | 3 +
selftest/target/Samba3.pm | 12 +
source3/modules/vfs_btrfs.c | 6 +
source3/modules/vfs_crossrename.c | 126 ++-
source3/rpc_server/rpc_server.c | 3 +
source3/rpc_server/rpc_worker.c | 2 +
source3/script/tests/test_recycle.sh | 80 +-
source3/selftest/tests.py | 2 +-
source3/smbd/smb2_server.c | 10 +
source3/smbd/smb2_setinfo.c | 10 +-
source4/rpc_server/dcerpc_server.c | 3 +
source4/rpc_server/drsuapi/getncchanges.c | 83 +-
source4/torture/drs/python/drs_base.py | 7 +
source4/torture/drs/python/getncchanges.py | 49 ++
source4/torture/smb2/compound.c | 905 ++++++++++++++++++++-
source4/torture/smb2/rename.c | 72 ++
27 files changed, 1478 insertions(+), 86 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index e34c965aa18..ba6611968d1 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the
Samba Team 1992-2024"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=21
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4f3ff92965b..63971826231 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,65 @@
+ ==============================
+ Release Notes for Samba 4.21.3
+ January 06, 2025
+ ==============================
+
+
+This is the latest stable release of the Samba 4.21 release series.
+
+
+Changes since 4.21.2
+--------------------
+
+o Douglas Bagnall <[email protected]>
+ * BUG 15701: More possible replication loops against Azure AD.
+
+o Ralph Boehme <[email protected]>
+ * BUG 15697: Compound rename from Mac clients can fail with
+ NT_STATUS_INTERNAL_ERROR if the file has a lease.
+
+o Pavel Filipenský <[email protected]>
+ * BUG 15724: vfs crossrename seems not work correctly.
+ * BUG 6750: After 'machine password timeout' /etc/krb5.keytab is not
updated.
+
+o Volker Lendecke <[email protected]>
+ * BUG 15771: Memory leak wbcCtxLookupSid.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 15765: Fix heap-user-after-free with association groups.
+
+o Andreas Schneider <[email protected]>
+ * BUG 15758: Segfault in vfs_btrfs.
+
+o Martin Schwenke <[email protected]>
+ * BUG 15755: Avoid event failure race when disabling an event script.
+
+o Jones Syue <[email protected]>
+ * BUG 15724: vfs crossrename seems not work correctly.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.21.2
November 25, 2024
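Review bot: In the Stefan Metzmacher entry for BUG 15765, "heap-user-after-free" should read "heap-use-after-free". That is the term administrators will search for when deciding how urgently to take this release. The BUG 15724 line, which appears under both Pavel Filipenský and Jones Syue, reads "seems not work correctly" and is missing "to".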
@@ -51,8 +113,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.21.1
October 14, 2024
diff --git a/ctdb/common/run_event.c b/ctdb/common/run_event.c
index d283664e2cf..30369eeff22 100644
--- a/ctdb/common/run_event.c
+++ b/ctdb/common/run_event.c
@@ -268,8 +268,27 @@ static int run_event_script_status(struct run_event_script
*script)
if (script->result.sig > 0) {
ret = -EINTR;
} else if (script->result.err > 0) {
- if (script->result.err == EACCES) {
- /* Map EACCESS to ENOEXEC */
+ if (script->result.err == EACCES ||
+ script->result.err == ENOENT) {
+ /*
+ * Map EACCESS/ENOENT to ENOEXEC
+ *
+ * ENOENT: Disabling a standard event script
+ * by removing its symlink can result in
+ * ENOENT. This happens when the script list
+ * is built while the link exists, but the
+ * link is removed before the attempt to run
+ * it. Map it to ENOEXEC (which causes a
+ * script to be shown as DISABLED). This
+ * makes it impossible to distinguish a
+ * removed symlink from a dangling
+ * symlink... but the latter can just be
+ * defined as disabled. It should be rare
+ * because it shouldn't happen if event
+ * scripts are properly managed. If someone
+ * is doing weird things then they can easily
+ * debug such issues by looking at the link.
+ */
ret = -ENOEXEC;
} else {
ret = -script->result.err;
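Review bot: The new ENOENT case is mapped to -ENOEXEC silently, so a dangling symlink and a script that was deliberately disabled both surface only as DISABLED. A debug-level log line at the point where script->result.err == ENOENT is mapped would give the trail that the comment tells people to follow when they are "doing weird things". Minor: the comment writes "EACCESS" where the constant tested in the code is EACCES.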
diff --git a/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data/01.dummy.script
b/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data/01.dummy.script
index 9c56f5b968b..b7b5945714c 100755
--- a/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data/01.dummy.script
+++ b/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data/01.dummy.script
@@ -2,5 +2,9 @@
case "$1" in
"failure") exit 1 ;;
+"disablehack")
+ ctdb-event script disable data 02.disabled
+ ctdb-event script disable data 03.notalink
+ ;;
*) exit 0 ;;
esac
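Review bot: In the "disablehack" case the result of the first "ctdb-event script disable data 02.disabled" is discarded. Unless "set -e" is in effect above this hunk, the script's exit status is that of the second disable only. Appending "|| exit 1" to each of the two lines would make a failed disable fail the event directly instead of showing up later as a status mismatch in eventd_009.sh.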
diff --git a/ctdb/tests/UNIT/eventd/eventd_009.sh
b/ctdb/tests/UNIT/eventd/eventd_009.sh
index 39e5cd658cc..86c7224ad23 100755
--- a/ctdb/tests/UNIT/eventd/eventd_009.sh
+++ b/ctdb/tests/UNIT/eventd/eventd_009.sh
@@ -153,3 +153,40 @@ ok <<EOF
* 03.notalink
EOF
simple_test script list data
+
+#
+# Test disabling of scripts after the script list has been
+# built. Normally this would be an admin racing with eventd instead of
+# one script disabling subsequent ones.
+#
+
+# First enable all scripts - this might repeat some previous stuff
+ok_null
+simple_test script enable data 01.dummy
+ok_null
+simple_test script enable data 02.disabled
+ok_null
+simple_test script enable data 03.notalink
+
+# Confirm expected state
+ok <<EOF
+* 01.dummy
+* 02.disabled
+
+* 03.notalink
+EOF
+simple_test script list data
+
+# Now run the event that disables the subsequent scripts:
+# - 02.disabled has its link removed
+# - 03.notalink effectively has "chmod -x" applied
+ok_null
+simple_test run 10 data disablehack
+
+# Confirm that both subsequent scripts were disabled
+ok <<EOF
+01.dummy OK DURATION DATETIME
+02.disabled DISABLED
+03.notalink DISABLED
+EOF
+simple_test status data disablehack
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index e633c8c7c6a..f388644172f 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1548,12 +1548,33 @@ to show in the result.
<title>ADS KEYTAB <replaceable>CREATE</replaceable></title>
<para>
-Creates a new keytab file if one doesn't exist with default entries. Default
-entries are kerberos principals created from the machinename of the
-client, the UPN (if it exists) and any Windows SPN(s) associated with the
-computer AD account for the client. If a keytab file already exists then only
-missing kerberos principals from the default entries are added. No changes
-are made to the computer AD account.
+Since Samba 4.21.0, keytab file is created as specified in <smbconfoption
+name="sync machine password to keytab"/>. The keytab is created only for
+<smbconfoption name="kerberos method">secrets only</smbconfoption> and
+<smbconfoption name="kerberos method">secrets and keytab</smbconfoption>. With
+the smb.conf default values for <smbconfoption name="kerberos method"> secrets
+only</smbconfoption> and <smbconfoption name="sync machine password to
keytab"/>
+(default is empty) the keytab is not generated at all. Keytab with a default
+name and SPNs synced from AD is created for <smbconfoption name="kerberos
+method">secrets and keytab</smbconfoption> if <smbconfoption name="sync machine
+password to keytab"/> is missing.
+</para>
+<para>
+Till Samba 4.20.0, two more entries were created by default: the machinename of
+the client (ending with '$') and the UPN (host/domain@REALM). If these two
+entries are still needed, each must be specified in an own keytab file.
+Example below will generate three keytab files that contain SPNs synced from
+AD, host UPN and machine$ SPN:
+</para>
+<programlisting>
+<smbconfoption name="sync machine password to keytab">
+/etc/krb5.keytab0:sync_spns:machine_password,
+/etc/krb5.keytab1:spns=host/[email protected]:machine_password,
+/etc/krb5.keytab2:account_name:machine_password
+</smbconfoption>
+</programlisting>
+<para>
+No changes are made to the computer AD account.
</para>
</refsect2>
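Review bot: The first new paragraph is hard to follow as a rule. It says the keytab is created "only for" kerberos method "secrets only" and "secrets and keytab", and then that with the default "secrets only" and an empty "sync machine password to keytab" no keytab is generated at all. Spelling out, per combination of the two options, which keytab file is written would remove the apparent contradiction. Smaller points: the stray space inside the element in "<smbconfoption name="kerberos method"> secrets only" will end up in the rendered value, and "Till Samba 4.20.0" and "in an own keytab file" need rewording ("Up to Samba 4.20.0", "in its own keytab file").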
diff --git a/docs-xml/manpages/vfs_crossrename.8.xml
b/docs-xml/manpages/vfs_crossrename.8.xml
index 72d67d685b1..7ea0b50cc9b 100644
--- a/docs-xml/manpages/vfs_crossrename.8.xml
+++ b/docs-xml/manpages/vfs_crossrename.8.xml
@@ -62,7 +62,10 @@
</varlistentry>
</variablelist>
- <para>This module is stackable.</para>
+ <para> This module is not fully stackable. It can be combined with other
+ modules, but should be the last module in the <command>vfs
objects</command>
+ list. It directly access the files in the OS filesystem.
+ </para>
</refsect1>
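Review bot: The new paragraph says the module "should be the last module" in the vfs objects list but gives the reason only as "It directly access the files in the OS filesystem". Please say what that means for the admin, namely that the copy path does not pass through modules stacked after it, and fix the grammar to "accesses".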
diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
index 24750872b3f..90f5bd21d64 100644
--- a/librpc/rpc/dcesrv_core.h
+++ b/librpc/rpc/dcesrv_core.h
@@ -647,6 +647,8 @@ _PUBLIC_ NTSTATUS
dcesrv_interface_bind_reject_connect(struct dcesrv_connection_
_PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct
dcesrv_connection_context *context,
const struct
dcesrv_interface *iface);
+_PUBLIC_ void dcesrv_assoc_group_common_destructor(struct dcesrv_assoc_group
*assoc_group);
+
_PUBLIC_ NTSTATUS _dcesrv_iface_state_store_assoc(
struct dcesrv_call_state *call,
uint64_t magic,
diff --git a/librpc/rpc/dcesrv_handles.c b/librpc/rpc/dcesrv_handles.c
index b8719d8c804..eff63970e16 100644
--- a/librpc/rpc/dcesrv_handles.c
+++ b/librpc/rpc/dcesrv_handles.c
@@ -163,10 +163,25 @@ struct dcesrv_iface_state {
static int dcesrv_iface_state_destructor(struct dcesrv_iface_state *istate)
{
- DLIST_REMOVE(istate->assoc->iface_states, istate);
+ if (istate->assoc != NULL) {
+ DLIST_REMOVE(istate->assoc->iface_states, istate);
+ istate->assoc = NULL;
+ }
return 0;
}
+void dcesrv_assoc_group_common_destructor(struct dcesrv_assoc_group
*assoc_group)
+{
+ struct dcesrv_iface_state *cur = NULL;
+ struct dcesrv_iface_state *next = NULL;
+
+ for (cur = assoc_group->iface_states; cur != NULL; cur = next) {
+ next = cur->next;
+ cur->assoc = NULL;
+ DLIST_REMOVE(assoc_group->iface_states, cur);
+ }
+}
+
static void *dcesrv_iface_state_find(struct dcesrv_assoc_group *assoc,
const struct dcesrv_interface *iface,
const struct dom_sid *owner,
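Review bot: dcesrv_assoc_group_common_destructor() only protects against a stale istate->assoc pointer if every destructor for a struct dcesrv_assoc_group calls it, and nothing in this hunk or on the declaration in dcesrv_core.h documents that contract. A comment above the function stating that it must be called from the association group's destructor, and that it leaves any surviving iface states with assoc == NULL, would also explain the new NULL check in dcesrv_iface_state_destructor(). Any other code that dereferences istate->assoc now has to tolerate NULL as well.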
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 968a72bccc0..652ceddc85e 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -2527,6 +2527,7 @@ static char* winbind_upn_to_username(struct pwb_context
*ctx,
/* Convert the UPN to a SID */
wbc_status = wbcCtxLookupName(ctx->wbc_ctx, domain, name, &sid, &type);
+ TALLOC_FREE(name);
if (!WBC_ERROR_IS_OK(wbc_status)) {
return NULL;
}
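Review bot: Only "name" is freed after wbcCtxLookupName(), although "domain" is passed in alongside it. If "domain" is allocated the same way earlier in winbind_upn_to_username(), it leaks on the same paths, so please confirm its ownership or free it here too. Placing TALLOC_FREE(name) before the WBC_ERROR_IS_OK() check is right, since it covers both the early return and the success path.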
diff --git a/selftest/knownfail b/selftest/knownfail
index 31e70a1a9d3..5f64e4edad0 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -215,8 +215,6 @@
^samba3.smb2.getinfo.fsinfo # quotas don't work yet
^samba3.smb2.setinfo.setinfo
^samba3.smb2.session.*reauth5 # some special anonymous checks?
-^samba3.smb2.compound.interim2 # wrong return code (STATUS_CANCELLED)
-^samba3.smb2.compound.aio.interim2 # wrong return code (STATUS_CANCELLED)
^samba3.smb2.lock.*replay_broken_windows # This tests the windows behaviour
^samba3.smb2.lease.unlink # we currently do not downgrade RH lease to R after
unlink
^samba4.smb2.ioctl.compress_notsup.*\(ad_dc_ntvfs\)
diff --git a/selftest/knownfail.d/getncchanges
b/selftest/knownfail.d/getncchanges
index bda9b31a1b1..7288309c32a 100644
--- a/selftest/knownfail.d/getncchanges
+++ b/selftest/knownfail.d/getncchanges
@@ -6,3 +6,6 @@
samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegri
samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_multivalued_links\(promoted_dc\)
# Samba chooses to always increment the USN for the NC root at the point where
it would otherwise show up.
samba4.drs.getncchanges.python\(.*\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_nc_is_first_nc_change_only\(
+
+# test_repl_get_tgt_multivalued_links also fails with
DrsReplicaSyncFakeAzureAdTests on promoted_dc
+samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncFakeAzureAdTests.test_repl_get_tgt_multivalued_links\(promoted_dc\)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index a7dd1b20e66..17343e63e52 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2780,6 +2780,9 @@ sub provision($$)
my $recycle_shrdir="$shrdir/recycle";
push(@dirs,$recycle_shrdir);
+ my $recycle_shrdir2="$shrdir/recycle2";
+ push(@dirs,$recycle_shrdir2);
+
my $fakedircreatetimes_shrdir="$shrdir/fakedircreatetimes";
push(@dirs,$fakedircreatetimes_shrdir);
@@ -3715,6 +3718,15 @@ sub provision($$)
recycle : exclude = *.tmp
recycle : directory_mode = 755
+[recycle2]
+ copy = tmp
+ path = $recycle_shrdir2
+ vfs objects = recycle crossrename
+ recycle : repository = .trash
+ recycle : exclude = *.tmp
+ recycle : directory_mode = 755
+ wide links = yes
+
[fakedircreatetimes]
copy = tmp
path = $fakedircreatetimes_shrdir
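Review bot: [recycle2] sets "wide links = yes" with no comment on why the crossrename test needs it. That option lets the server follow symlinks that point outside the share. A one-line comment tying it to the new test, or dropping it if the test passes without it, would keep it from being copied into other share definitions by habit.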
diff --git a/source3/modules/vfs_btrfs.c b/source3/modules/vfs_btrfs.c
index 90312524287..908f4e43464 100644
--- a/source3/modules/vfs_btrfs.c
+++ b/source3/modules/vfs_btrfs.c
@@ -261,6 +261,12 @@ static struct tevent_req *btrfs_offload_write_send(struct
vfs_handle_struct *han
state->handle = handle;
+ status = vfs_offload_token_ctx_init(handle->conn->sconn->client,
+ &btrfs_offload_ctx);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
tevent_req_set_cleanup_fn(req, btrfs_offload_write_cleanup);
status = vfs_offload_token_db_fetch_fsp(btrfs_offload_ctx,
diff --git a/source3/modules/vfs_crossrename.c
b/source3/modules/vfs_crossrename.c
index 042144bfc4d..1da36706ecb 100644
--- a/source3/modules/vfs_crossrename.c
+++ b/source3/modules/vfs_crossrename.c
@@ -54,10 +54,12 @@ static NTSTATUS copy_reg(vfs_handle_struct *handle,
struct files_struct *dstfsp,
const struct smb_filename *dest)
{
- NTSTATUS status;
- struct smb_filename *full_fname_src = NULL;
- struct smb_filename *full_fname_dst = NULL;
+ NTSTATUS status = NT_STATUS_OK;
int ret;
+ off_t off;
+ int ifd = -1;
+ int ofd = -1;
+ struct timespec ts[2];
if (!VALID_STAT(source->st)) {
status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
@@ -79,64 +81,105 @@ static NTSTATUS copy_reg(vfs_handle_struct *handle,
goto out;
}
- full_fname_src = full_path_from_dirfsp_atname(talloc_tos(),
- srcfsp,
- source);
- if (full_fname_src == NULL) {
- status = NT_STATUS_NO_MEMORY;
+ ret = SMB_VFS_NEXT_UNLINKAT(handle,
+ dstfsp,
+ dest,
+ 0);
+ if (ret == -1 && errno != ENOENT) {
+ status = map_nt_error_from_unix(errno);
goto out;
}
- full_fname_dst = full_path_from_dirfsp_atname(talloc_tos(),
- dstfsp,
- dest);
- if (full_fname_dst == NULL) {
- status = NT_STATUS_NO_MEMORY;
+
+ ifd = openat(fsp_get_pathref_fd(srcfsp),
+ source->base_name,
+ O_RDONLY,
+ 0);
+ if (ifd < 0) {
+ status = map_nt_error_from_unix(errno);
goto out;
}
- ret = SMB_VFS_NEXT_UNLINKAT(handle,
- dstfsp,
- dest,
- 0);
- if (ret == -1) {
+ ofd = openat(fsp_get_pathref_fd(dstfsp),
+ dest->base_name,
+ O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW,
+ 0600);
+ if (ofd < 0) {
+ status = map_nt_error_from_unix(errno);
+ goto out;
+ }
+
+ off = transfer_file(ifd, ofd, source->st.st_ex_size);
+ if (off == -1) {
+ status = map_nt_error_from_unix(errno);
+ goto out;
+ }
+
+ ret = fchown(ofd, source->st.st_ex_uid, source->st.st_ex_gid);
+ if (ret == -1 && errno != EPERM) {
status = map_nt_error_from_unix(errno);
goto out;
}
/*
- * copy_internals() takes attribute values from the NTrename call.
- *
- * From MS-CIFS:
- *
- * "If the attribute is 0x0000, then only normal files are renamed.
- * If the system file or hidden attributes are specified, then the
- * rename is inclusive of both special types."
+ * fchown turns off set[ug]id bits for non-root,
+ * so do the chmod last.
*/
- status = copy_internals(talloc_tos(),
- handle->conn,
- NULL,
- srcfsp, /* src_dirfsp */
- full_fname_src,
- dstfsp, /* dst_dirfsp */
- full_fname_dst,
- FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM);
- if (!NT_STATUS_IS_OK(status)) {
+ ret = fchmod(ofd, source->st.st_ex_mode & 07777);
+ if (ret == -1 && errno != EPERM) {
+ status = map_nt_error_from_unix(errno);
goto out;
}
- ret = SMB_VFS_NEXT_UNLINKAT(handle,
- srcfsp,
- source,
- 0);
+ /* Try to copy the old file's modtime and access time. */
+ ts[0] = source->st.st_ex_atime;
+ ts[1] = source->st.st_ex_mtime;
+ ret = futimens(ofd, ts);
+ if (ret == -1) {
+ DBG_DEBUG("Updating the time stamp on destinaton '%s' failed "
+ "with '%s'. Rename operation can continue.\n",
+ dest->base_name,
+ strerror(errno));
+ }
+
+ ret = close(ifd);
if (ret == -1) {
status = map_nt_error_from_unix(errno);
goto out;
}
+ ifd = -1;
- out:
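Review bot: The source is opened with plain O_RDONLY while the destination open carries O_NOFOLLOW. If source->base_name is replaced by a symlink after the VALID_STAT() check at the top of copy_reg(), openat() will follow it. Add O_NOFOLLOW to the ifd open and consider an fstat() on ifd to confirm it is still the file that was stat'ed. Also, transfer_file() is only checked for -1: a short copy where off != source->st.st_ex_size is treated as success in what is a rename path, so compare against the expected size. "destinaton" in the DBG_DEBUG message is a typo. The changeset is truncated here, so the fd cleanup under "out:" could not be checked.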
--
Samba Shared Repository