The branch, v4-20-stable has been updated
via 3984b04d708 VERSION: Disable GIT_SNAPSHOT for the 4.20.7 release.
via 1031da06c17 WHATSNEW: Add release notes for Samba 4.20.7.
via 7123833ab49 sharesec: Check if share exists in configuration
via 017f90a03d0 sharesec: Add function to check existence of share from
config
via 91410773497 param: Add API to load registry without share info
via 839b32b1d14 sharesec: Fix warning frame not freed in order
via 6fb64f70203 s3-sharesec: Add Test to verify command option
"--view-all"
via 36f514f9079 s4:dsdb: fix logic of dsdb_trust_routing_by_name()
via a015ffb3dea s4:scripting: fix gen_hresult.py
via 4d043ea5e51 pam_winbind: Fix Bug 15771
via af0bcf35f47 selftest: Add test for vfs crossrename module
via c121f03f597 docs:manpage: vfs_crossrename is not fully stackable
VFS module
via f1e28919ae4 s3:vfs_crossrename: add back checking for errno ENOENT
via fac7288aff4 s3:vfs_crossrename: crossrename_renameat() needs to
return 0 if copy_reg() is successful
via 197578b4d69 s3:vfs_crossrename: avoid locking panic in copy_reg()
via ec098fbe840 s4:rpc_server: make use of
dcesrv_assoc_group_common_destructor()
via 59207809655 s3:rpc_server: make use of
dcesrv_assoc_group_common_destructor()
via 34618ab0a50 dcesrv_core: add dcesrv_assoc_group_common_destructor()
via c9581976a4e smbd: fix breaking leases on rename
via ebf4b30d087 smbd: force sync rename with lease break
via 9cdfb755b7a smbd: return correct error for compound related
requests that went async
via 00fb1d0fe22 smbtorture: test rename with other opens on the file
via 7e5019e845a smbtorture: add a bunch of tests for async rename and
async interim responses
via 6c4a0272e70 smbtorture: rename CHECK_VALUE() to CHECK_VAL() in
smb2/compound.c
via 622bcc55181 ctdb-common: Map ENOENT for a missing event script to
ENOEXEC
via 1531eb53883 ctdb-scripts: Track connections for all ports for
public IPs
via 664538a65fd ctdb-scripts: Get connections after tickle list
via 20987bf5058 ctdb-scripts: Move connection tracking to 10.interface
via 75701619fb6 ctdb-server: Drop a log message to DEBUG level
via a80b6294919 ctdb-server: Clean up connection tracking functions
via eb1c30341af ctdb-scripts: Use ss -H option to simplify
via 76ddab97e76 ctdb-scripts: Remove superseded compatibility code
via aadc131405b ctdb-scripts: update_tickles() should use the public
IPs cache
via 71210ed0dff ctdb-scripts: Add caching function for public IPs
via 7c696349733 ctdb-scripts: Don't list connections when not hosting
IPs
via 82db30cdbd9 smbd: avoid a panic in close_directory()
via 0cfc035e9da VERSION: Bump version up to Samba 4.20.7...
from 3de528753a4 VERSION: Disable GIT_SNAPSHOT for the 4.20.6 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 72 +-
ctdb/common/run_event.c | 23 +-
ctdb/config/events/legacy/10.interface.script | 11 +
ctdb/config/events/legacy/60.nfs.script | 1 -
ctdb/config/functions | 105 ++-
ctdb/server/ctdb_takeover.c | 108 ++-
.../etc-ctdb/share/events/data/01.dummy.script | 4 +
ctdb/tests/UNIT/eventd/eventd_009.sh | 37 +
ctdb/tests/UNIT/eventscripts/scripts/local.sh | 8 +
ctdb/tests/UNIT/eventscripts/stubs/ctdb | 3 +-
docs-xml/manpages/vfs_crossrename.8.xml | 5 +-
librpc/rpc/dcesrv_core.h | 2 +
librpc/rpc/dcesrv_handles.c | 17 +-
nsswitch/pam_winbind.c | 1 +
selftest/knownfail | 2 -
selftest/target/Samba3.pm | 12 +
source3/modules/vfs_crossrename.c | 126 ++-
source3/param/loadparm.c | 11 +
source3/param/loadparm.h | 1 +
source3/rpc_server/rpc_server.c | 3 +
source3/rpc_server/rpc_worker.c | 2 +
source3/script/tests/test_recycle.sh | 80 +-
source3/script/tests/test_sharesec.sh | 8 +
source3/selftest/tests.py | 2 +-
source3/smbd/close.c | 4 +-
source3/smbd/smb2_server.c | 10 +
source3/smbd/smb2_setinfo.c | 10 +-
source3/utils/sharesec.c | 88 +-
source4/dsdb/common/util_trusts.c | 26 +-
source4/rpc_server/dcerpc_server.c | 3 +
source4/scripting/bin/gen_hresult.py | 4 +-
source4/torture/smb2/compound.c | 905 ++++++++++++++++++++-
source4/torture/smb2/rename.c | 72 ++
34 files changed, 1604 insertions(+), 164 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 6e6adf6dfb6..144555f6342 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the
Samba Team 1992-2024"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=20
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4f302a50d28..9f8326ef28b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,72 @@
+ ==============================
+ Release Notes for Samba 4.20.7
+ January 21, 2025
+ ==============================
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.6
+--------------------
+
+o Vinit Agnihotri <[email protected]>
+ * BUG 15780: Increasing slowness of sharesec performance with high number of
+ registry shares.
+
+o Ralph Boehme <[email protected]>
+ * BUG 15697: Compound rename from Mac clients can fail with
+ NT_STATUS_INTERNAL_ERROR if the file has a lease.
+ * BUG 15754: Panic in close_directory.
+
+o Guenther Deschner <[email protected]>
+ * BUG 15780: Increasing slowness of sharesec performance with high number of
+ registry shares.
+
+o Pavel Filipenský <[email protected]>
+ * BUG 15724: vfs crossrename seems not work correctly.
+
+o Volker Lendecke <[email protected]>
+ * BUG 15771: Memory leak wbcCtxLookupSid. samba-4.21.2.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 15765: Fix heap-user-after-free with association groups.
+ * BUG 15769: The values from hresult_errstr_const and hresult_errstr are
+ reversed in 4.20 and 4.21.
+ * BUG 15778: Kerberos referral tickets are generated for principals in our
+ domain if we have a trust to a top level domain.
+
+o Martin Schwenke <[email protected]>
+ * BUG 15320: Update CTDB to track all TCP connections to public IP
addresses.
+ * BUG 15755: Avoid event failure race when disabling an event script.
+
+o Jones Syue <[email protected]>
+ * BUG 15724: vfs crossrename seems not work correctly.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.20.6
November 19, 2024
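Review bot: typo in the BUG 15765 entry, `Fix heap-user-after-free with association groups.` should read `heap-use-after-free`. The BUG 15771 entry (`Memory leak wbcCtxLookupSid. samba-4.21.2.`) also ends with a stray version string that the other entries do not carry; trimming it to the description alone would make the list read consistently.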
@@ -67,8 +136,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.20.5
September 17, 2024
diff --git a/ctdb/common/run_event.c b/ctdb/common/run_event.c
index d283664e2cf..30369eeff22 100644
--- a/ctdb/common/run_event.c
+++ b/ctdb/common/run_event.c
@@ -268,8 +268,27 @@ static int run_event_script_status(struct run_event_script
*script)
if (script->result.sig > 0) {
ret = -EINTR;
} else if (script->result.err > 0) {
- if (script->result.err == EACCES) {
- /* Map EACCESS to ENOEXEC */
+ if (script->result.err == EACCES ||
+ script->result.err == ENOENT) {
+ /*
+ * Map EACCESS/ENOENT to ENOEXEC
+ *
+ * ENOENT: Disabling a standard event script
+ * by removing its symlink can result in
+ * ENOENT. This happens when the script list
+ * is built while the link exists, but the
+ * link is removed before the attempt to run
+ * it. Map it to ENOEXEC (which causes a
+ * script to be shown as DISABLED). This
+ * makes it impossible to distinguish a
+ * removed symlink from a dangling
+ * symlink... but the latter can just be
+ * defined as disabled. It should be rare
+ * because it shouldn't happen if event
+ * scripts are properly managed. If someone
+ * is doing weird things then they can easily
+ * debug such issues by looking at the link.
+ */
ret = -ENOEXEC;
} else {
ret = -script->result.err;
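Review bot: the rewritten comment still spells the errno as `EACCESS` (`Map EACCESS/ENOENT to ENOEXEC`) while the constant tested two lines above is `EACCES`; fix the spelling now that the comment is being touched anyway. The comment also only considers the removed-symlink and dangling-symlink cases, but execve() returns ENOENT as well when a script's interpreter does not exist, so a broken `#!` line will now be reported as DISABLED rather than as a failure. Either mention that case in the comment or log the original errno at debug level before mapping it, so it is not silently hidden.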
diff --git a/ctdb/config/events/legacy/10.interface.script
b/ctdb/config/events/legacy/10.interface.script
index fead88c014f..4bee4fa29ec 100755
--- a/ctdb/config/events/legacy/10.interface.script
+++ b/ctdb/config/events/legacy/10.interface.script
@@ -167,6 +167,8 @@ takeip)
ip=$3
maskbits=$4
+ update_my_public_ip_addresses "takeip" "$ip"
+
add_ip_to_iface "$iface" "$ip" "$maskbits" || {
exit 1;
}
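Review bot: ordering question in the takeip branch: `update_my_public_ip_addresses "takeip" "$ip"` runs before `add_ip_to_iface`, so if add_ip_to_iface fails and the script exits 1, the cache already lists an address this node does not hold. If the early update is deliberate (the cache must be in place by the time the address becomes reachable), say so in a comment; otherwise remove the address from the cache again on the failure path before the `exit 1`.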
@@ -195,6 +197,8 @@ releaseip)
kill_tcp_connections "$iface" "$ip"
+ update_my_public_ip_addresses "releaseip" "$ip"
+
delete_ip_from_iface "$iface" "$ip" "$maskbits" || {
ip_unblock "$ip" "$iface"
exit 1
@@ -254,8 +258,15 @@ updateip)
tickle_tcp_connections "$ip"
;;
+ipreallocated)
+ # Just to make sure
+ update_my_public_ip_addresses "ipreallocated"
+ ;;
+
monitor)
monitor_interfaces || exit 1
+
+ update_tickles
;;
esac
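Review bot: the `# Just to make sure` comment on the new ipreallocated branch does not say what it guards against. Spell out that this rebuilds the cache from `ctdb -X ip` to cover what the takeip/releaseip updates cannot (a missing or stale cache after a restart or an upgrade), because update_tickles now returns early when the cache is empty, so a stale cache would silently stop tickle tracking in the monitor event added just below.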
diff --git a/ctdb/config/events/legacy/60.nfs.script
b/ctdb/config/events/legacy/60.nfs.script
index b7ae0746be5..d7d30229172 100755
--- a/ctdb/config/events/legacy/60.nfs.script
+++ b/ctdb/config/events/legacy/60.nfs.script
@@ -289,7 +289,6 @@ monitor)
exit $?
fi
- update_tickles 2049
nfs_update_lock_info
nfs_check_services
diff --git a/ctdb/config/functions b/ctdb/config/functions
index a40b276e2b8..75f55f58e2a 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -269,6 +269,59 @@ ctdb_get_ip_address()
cat "$_ip_addr_file"
}
+# Cache of public IP addresses assigned to this node. This function
+# exists mainly so statd-callout does not need to talk to ctdbd, so
+# can be run as non-root, but it may be used in other places. This
+# must be updated/refreshed on failover. This is done in
+# 10.interface, but doing it in "ipreallocated" isn't enough because
+# clients may connect as soon as "takeip" completes. Also, the VNN in
+# the daemon is only updated after the "releaseip" event completes, so
+# "ctdb -X ip" can't be relied on there. Hence, complex updates
+# involving locking for "takeip" & "releaseip". A future
+# restructuring of the failover model will obsolete all of these
+# moving parts.
+CTDB_MY_PUBLIC_IPS_CACHE="${CTDB_SCRIPT_VARDIR}/my-public-ip-addresses"
+update_my_public_ip_addresses()
+{
+ _event="$1"
+
+ _f="$CTDB_MY_PUBLIC_IPS_CACHE"
+ _lock="${_f}.lock"
+
+ # In private CTDB state directory - no $$ security issue
+ _new="${_f}.new.$$"
+ {
+ flock --timeout 10 9 ||
+ die "ctdb_get_my_public_ip_addresses: timeout"
+
+ case "$_event" in
+ takeip)
+ _ip="$2"
+ # Redirect of stderr guards against initial
+ # missing file
+ cat "$_f" 2>/dev/null >"$_new"
+ echo "$_ip" >>"$_new"
+ ;;
+ releaseip)
+ _ip="$2"
+ # Redirect of stderr guards against initial
+ # missing file, which shouldn't happen in
+ # releaseip...
+ grep -Fvx "$_ip" "$_f" 2>/dev/null >"$_new"
+ ;;
+ ipreallocated)
+ _pnn=$(ctdb_get_pnn)
+ $CTDB -X ip |
+ awk -F'|' -v pnn="$_pnn" \
+ '$3 == pnn {print $2}' >"$_new"
+ ;;
+ esac
+
+ mv "$_new" "$_f"
+
+ } 9>"$_lock"
+}
+
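Review bot: the die message in update_my_public_ip_addresses names the wrong function (`die "ctdb_get_my_public_ip_addresses: timeout"`); use the real name so a lock timeout is attributable in the logs. Two smaller points in the same hunk: the takeip branch appends unconditionally (`echo "$_ip" >>"$_new"`), so a repeated takeip for the same address leaves duplicate lines, harmless for the `grep -Fvx` in releaseip but update_tickles reads the file line by line and will build a duplicated ss filter from it; and in the ipreallocated branch a failing `$CTDB -X ip` is masked by the pipe into awk, so an empty `_new` would be moved over a previously good cache. Consider `sort -u` for the takeip result and checking the ctdb exit status before the `mv`.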
# Cached retrieval of database options for use by event scripts.
#
# If the variables are already set then they should not be overwritten
@@ -446,7 +499,7 @@ ctdb_check_unix_socket()
return 1
fi
- _out=$(ss -l -x "src ${_sockpath}" | tail -n +2)
+ _out=$(ss -l -xH "src ${_sockpath}")
if [ -z "$_out" ]; then
echo "ERROR: ${service_name} not listening on ${_sockpath}"
return 1
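Review bot: `ss -l -xH` replaces the `tail -n +2` header strip, which makes this function (and the other ss callers changed in this series) depend on an iproute2 whose ss understands `-H`/`--no-header`. An older ss rejects the unknown option with usage text on stderr, `_out` ends up empty, and the `-z "$_out"` test below reports the service as not listening. Worth stating the minimum iproute2 version in the commit message or in a comment next to the first ss call.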
@@ -549,7 +602,7 @@ get_tcp_connections_for_ip()
{
_ip="$1"
- ss -tn state established "src [$_ip]" | awk 'NR > 1 {print $3, $4}'
+ ss -tnH state established "src [$_ip]" | awk '{print $3, $4}'
}
########################################################
@@ -1096,49 +1149,39 @@ nfs_callout()
update_tickles()
{
- _port="$1"
-
tickledir="${CTDB_SCRIPT_VARDIR}/tickles"
mkdir -p "$tickledir"
- # What public IPs do I hold?
- _pnn=$(ctdb_get_pnn)
- _ips=$($CTDB -X ip | awk -F'|' -v pnn="$_pnn" '$3 == pnn {print $2}')
+ # If not hosting any public IPs then can't have any connections...
+ if [ ! -s "$CTDB_MY_PUBLIC_IPS_CACHE" ]; then
+ return
+ fi
- # IPs and port as ss filters
+ # IPs ss filter
_ip_filter=""
- for _ip in $_ips; do
+ while read -r _ip; do
_ip_filter="${_ip_filter}${_ip_filter:+ || }src [${_ip}]"
- done
- _port_filter="sport == :${_port}"
+ done <"$CTDB_MY_PUBLIC_IPS_CACHE"
+
+ # Record our current tickles in a temporary file
+ _my_tickles="${tickledir}/all.tickles.$$"
+ while read -r _i; do
+ $CTDB -X gettickles "$_i" |
+ awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4,
$5 }'
+ done <"$CTDB_MY_PUBLIC_IPS_CACHE" |
+ sort >"$_my_tickles"
# Record connections to our public IPs in a temporary file.
# This temporary file is in CTDB's private state directory and
# $$ is used to avoid a very rare race involving CTDB's script
# debugging. No security issue, nothing to see here...
- _my_connections="${tickledir}/${_port}.connections.$$"
- # Parentheses are needed around the filters for precedence but
+ _my_connections="${tickledir}/all.connections.$$"
+ # Parentheses are needed around the IP filter for precedence but
# the parentheses can't be empty!
- #
- # Recent versions of ss print square brackets around IPv6
- # addresses. While it is desirable to update CTDB's address
- # parsing and printing code, something needs to be done here
- # for backward compatibility, so just delete the brackets.
- ss -tn state established \
- "${_ip_filter:+( ${_ip_filter} )}" \
- "${_port_filter:+( ${_port_filter} )}" |
- awk 'NR > 1 {print $4, $3}' |
- tr -d '][' |
+ ss -tnH state established "${_ip_filter:+( ${_ip_filter} )}" |
+ awk '{print $4, $3}' |
sort >"$_my_connections"
- # Record our current tickles in a temporary file
- _my_tickles="${tickledir}/${_port}.tickles.$$"
- for _i in $_ips; do
- $CTDB -X gettickles "$_i" "$_port" |
- awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4,
$5 }'
- done |
- sort >"$_my_tickles"
-
# Add tickles for connections that we haven't already got tickles for
comm -23 "$_my_connections" "$_my_tickles" |
$CTDB addtickle
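Review bot: possible mismatch between the two files compared by `comm -23` at the end of this hunk. The removed comment explained that recent ss prints square brackets around IPv6 addresses and that `tr -d ']['` was there to strip them; that normalisation is gone, while `_my_tickles` is still produced from `ctdb -X gettickles` as `%s:%s %s:%s` with no brackets. Unless addtickle and gettickles both now use the bracketed form, an IPv6 connection will never match its existing tickle and will be re-added on every monitor run. Please confirm the canonical form on both sides or keep the bracket stripping. Also, `all.connections.$$` and `all.tickles.$$` are created here but the tail of the function is outside the truncated changeset; make sure they are still removed.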
diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c
index b622fafd95f..7054e0f3844 100644
--- a/ctdb/server/ctdb_takeover.c
+++ b/ctdb/server/ctdb_takeover.c
@@ -1503,27 +1503,40 @@ static struct ctdb_connection *ctdb_tcp_find(struct
ctdb_tcp_array *array,
clients managing that should tickled with an ACK when IP takeover is
done
*/
-int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool
tcp_update_needed)
+int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb,
+ TDB_DATA indata,
+ bool tcp_update_needed)
{
struct ctdb_connection *p = (struct ctdb_connection *)indata.dptr;
struct ctdb_tcp_array *tcparray;
struct ctdb_connection tcp;
struct ctdb_vnn *vnn;
+ char conn_str[132] = { 0, };
+ int ret;
/* If we don't have public IPs, tickles are useless */
if (ctdb->vnn == NULL) {
return 0;
}
+ ret = ctdb_connection_to_buf(conn_str,
+ sizeof(conn_str),
+ p,
+ false,
+ " -> ");
+ if (ret != 0) {
+ strlcpy(conn_str, "UNKNOWN", sizeof(conn_str));
+ }
+
vnn = find_public_ip_vnn(ctdb, &p->dst);
if (vnn == NULL) {
- DEBUG(DEBUG_INFO,(__location__ " got TCP_ADD control for an
address which is not a public address '%s'\n",
- ctdb_addr_to_str(&p->dst)));
+ DBG_INFO("Attempt to add connection %s "
+ "but destination is not a public address\n",
+ conn_str);
return -1;
}
-
tcparray = vnn->tcp_array;
/* If this is the first tickle */
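Review bot: `char conn_str[132] = { 0, };` is a magic size, and the same literal is repeated in ctdb_remove_connection() further down; give it a named constant sized for the longest string ctdb_connection_to_buf() can produce so the two cannot drift apart. Falling back to `"UNKNOWN"` when ctdb_connection_to_buf() fails is reasonable, but the failure itself is swallowed; logging the return value at debug level would help whoever later sees UNKNOWN in a log line.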
@@ -1533,7 +1546,8 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb,
TDB_DATA indata, bool tc
vnn->tcp_array = tcparray;
tcparray->num = 0;
- tcparray->connections = talloc_size(tcparray, sizeof(struct
ctdb_connection));
+ tcparray->connections = talloc_size(tcparray,
+ sizeof(struct
ctdb_connection));
CTDB_NO_MEMORY(ctdb, tcparray->connections);
tcparray->connections[tcparray->num].src = p->src;
@@ -1551,27 +1565,22 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb,
TDB_DATA indata, bool tc
tcp.src = p->src;
tcp.dst = p->dst;
if (ctdb_tcp_find(tcparray, &tcp) != NULL) {
- DEBUG(DEBUG_DEBUG,("Already had tickle info for %s:%u for
vnn:%u\n",
- ctdb_addr_to_str(&tcp.dst),
- ntohs(tcp.dst.ip.sin_port),
- vnn->pnn));
+ DBG_DEBUG("Already had connection %s\n", conn_str);
return 0;
}
/* A new tickle, we must add it to the array */
- tcparray->connections = talloc_realloc(tcparray, tcparray->connections,
- struct ctdb_connection,
- tcparray->num+1);
+ tcparray->connections = talloc_realloc(tcparray,
+ tcparray->connections,
+ struct ctdb_connection,
+ tcparray->num + 1);
CTDB_NO_MEMORY(ctdb, tcparray->connections);
tcparray->connections[tcparray->num].src = p->src;
tcparray->connections[tcparray->num].dst = p->dst;
tcparray->num++;
- DEBUG(DEBUG_INFO,("Added tickle info for %s:%u from vnn %u\n",
- ctdb_addr_to_str(&tcp.dst),
- ntohs(tcp.dst.ip.sin_port),
- vnn->pnn));
+ D_INFO("Added connection %s\n", conn_str);
if (tcp_update_needed) {
vnn->tcp_update_needed = true;
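Review bot: log-macro style is mixed inside ctdb_control_tcp_add(): the not-a-public-address path uses `DBG_INFO`, the duplicate path uses `DBG_DEBUG`, and the success path uses `D_INFO`. The DBG_* family prefixes the function name and the D_* family does not, so related messages from one function will look different in the log; pick one family for the whole function.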
@@ -1581,58 +1590,59 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb,
TDB_DATA indata, bool tc
}
-static void ctdb_remove_connection(struct ctdb_vnn *vnn, struct
ctdb_connection *conn)
+static void ctdb_remove_connection(struct ctdb_vnn *vnn,
+ struct ctdb_connection *conn)
{
struct ctdb_connection *tcpp;
+ char conn_str[132] = { 0, };
+ int ret;
if (vnn == NULL) {
return;
}
- /* if the array is empty we can't remove it
- and we don't need to do anything
- */
+ ret = ctdb_connection_to_buf(conn_str,
+ sizeof(conn_str),
+ conn,
+ false,
+ " -> ");
+ if (ret != 0) {
+ strlcpy(conn_str, "UNKNOWN", sizeof(conn_str));
+ }
+
+ /* If the array is empty there is nothing to remove */
if (vnn->tcp_array == NULL) {
- DEBUG(DEBUG_INFO,("Trying to remove tickle that doesn't exist
(array is empty) %s:%u\n",
- ctdb_addr_to_str(&conn->dst),
- ntohs(conn->dst.ip.sin_port)));
+ D_INFO("Attempt to remove untracked connection %s (empty)\n",
+ conn_str);
return;
}
- /* See if we know this connection
- if we don't know this connection then we don't need to do anything
- */
tcpp = ctdb_tcp_find(vnn->tcp_array, conn);
if (tcpp == NULL) {
- DEBUG(DEBUG_INFO,("Trying to remove tickle that doesn't exist
%s:%u\n",
- ctdb_addr_to_str(&conn->dst),
- ntohs(conn->dst.ip.sin_port)));
+ D_DEBUG("Attempt to remove untracked connection %s\n",
conn_str);
return;
}
- /* We need to remove this entry from the array.
- Instead of allocating a new array and copying data to it
- we cheat and just copy the last entry in the existing array
- to the entry that is to be removed and just shring the
- ->num field
+ /*
+ * We need to remove this entry from the array. Instead of
+ * allocating a new array and copying data to it, cheat and
+ * just copy the last entry in the existing array to the entry
+ * that is to be removed and just shrink the size.
*/
*tcpp = vnn->tcp_array->connections[vnn->tcp_array->num - 1];
vnn->tcp_array->num--;
- /* If we deleted the last entry we also need to remove the entire array
- */
+ /* Last entry deleted, so remove the entire array */
if (vnn->tcp_array->num == 0) {
talloc_free(vnn->tcp_array);
vnn->tcp_array = NULL;
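Review bot: the two "untracked connection" paths in ctdb_remove_connection() now log at different levels: the empty-array case stays at `D_INFO` while the not-found case drops to `D_DEBUG`. Both describe the same situation, a remove for a connection that was never tracked, so unless the empty-array case is meant to be more visible they should share a level; if the difference is intentional, a one-line comment would stop the next reader from "fixing" it.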
--
Samba Shared Repository