[SCM] Samba Shared Repository - branch v4-13-test updated
The branch, v4-13-test has been updated via 2b97c11bca6 VERSION: Bump version up to Samba 4.13.13... via aa756f3f9fc VERSION: Disable GIT_SNAPSHOT for the 4.13.12 release. via 4703acc82c8 WHATSNEW: Add release notes for Samba 4.13.12. from b7d16fdc653 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test - Log - commit 2b97c11bca667e40dd84c36de42cb057dead12ae Author: Jule Anger Date: Wed Sep 22 08:57:14 2021 +0200 VERSION: Bump version up to Samba 4.13.13... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit aa756f3f9fc88bbd10c6a3a7c1827ca09a669714 Author: Jule Anger Date: Wed Sep 22 08:56:40 2021 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.13.12 release. Signed-off-by: Jule Anger commit 4703acc82c8840fefbbee62f4485355e48b1d699 Author: Jule Anger Date: Wed Sep 22 08:56:02 2021 +0200 WHATSNEW: Add release notes for Samba 4.13.12. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 81 ++-- 2 files changed, 80 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index ee13bf3ceef..c65285cf4cd 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=13 -SAMBA_VERSION_RELEASE=12 +SAMBA_VERSION_RELEASE=13 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4b33797845e..820185349ef 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,81 @@ + === + Release Notes for Samba 4.13.12 + September 22, 2021 + === + + +This is the latest stable release of the Samba 4.13 release series. + + +Changes since 4.13.11 +- + +o Andrew Bartlett + * BUG 14806: Address a signifcant performance regression in database access + in the AD DC since Samba 4.12. + * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since + Samba 4.9 by using an explicit database handle cache. + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + * BUG 14818: Address flapping samba_tool_drs_showrepl test. + * BUG 14819: Address flapping dsdb_schema_attributes test. + +o Björn Baumbach + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ + +o Luke Howard + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Volker Lendecke + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Gary Lockyer + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Stefan Metzmacher + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Andreas Schneider + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Martin Schwenke + * BUG 14784: Fix CTDB flag/status update race conditions. + +o Joseph Sutton + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + === Release Notes for Samba 4.13.11 September 07, 2021 @@ -49,8 +127,7 @@ database (https://bugzilla.samba.org/). == -Release notes for older rele
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ec95b3042bf tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures via a562882b151 tests/krb5: Add methods for creating zeroed checksums and verifying checksums via 419e4061ced tests/krb5: Cache obtained tickets via 6193f7433b1 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds via 59c1043be25 tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test via 035a8f19855 tests/krb5: Allow get_tgt() to specify expected and unexpected flags via 4ecfa82e71b tests/krb5: Allow get_tgt() to specify different kdc-options via 2d69805b1e3 tests/krb5: Allow get_tgt() to get tickets from the RODC via 5d3a135c232 tests/krb5: Allow get_service_ticket() to get tickets from the RODC via 7645dfa5bed tests/krb5: Set DN of created accounts to ldb.Dn type via c226029655c tests/krb5: Don't manually create PAC request and options in fast_tests via 3504e99dc5b tests/krb5: Use PAC buffer type constants from krb5pac.idl via a5e62d681d8 tests/krb5: Allow as_req() to specify different kdc-options via 6403a09d94a tests/krb5: Allow tgs_req() to send requests to the RODC via 1a3426da544 tests/krb5: Allow tgs_req() to specify different kdc-options via 1f0654b8fac tests/krb5: Allow tgs_req() to send additional padata via 2a4d53dc12a tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange via 0061fa2c2a2 tests/krb5: Check correct flags element via a281ae09bcf tests/krb5: Add helper method for modifying PACs via b81f6f3d714 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable) via 21a77173590 python/join: Check for correct msDS-KrbTgtLink attribute via cde38d36b98 python: Don't leak file handles from 9a24d8e491f lib:cmdline: fix a comment https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ec95b3042bf2649c0600cafb12818c27242b5098 Author: Joseph Sutton Date: Thu Sep 16 17:20:22 2021 +1200 tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures Signatures created by an RODC have an RODCIdentifier appended to them identifying the RODC's krbtgt account. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184 commit a562882b15125902c5d89f094b8c9b1150f5d010 Author: Joseph Sutton Date: Thu Sep 16 16:54:57 2021 +1200 tests/krb5: Add methods for creating zeroed checksums and verifying checksums Creating a zeroed checksum is needed for signing a PAC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 419e4061ced466ec7e5e23f815823b540ef4751c Author: Joseph Sutton Date: Tue Sep 21 11:51:20 2021 +1200 tests/krb5: Cache obtained tickets Now tickets obtained with get_tgt() and get_service_ticket() make use of a cache so they can be reused, unless the 'fresh' parameter is specified as true. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 6193f7433b15579aa32b26a146287923c9d3844d Author: Joseph Sutton Date: Tue Sep 21 11:51:05 2021 +1200 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds The encpart is already contained in ticket_creds, so it no longer needs to be returned as a separate value. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 59c1043be25b92db75ab5676601cb15426ef37a3 Author: Joseph Sutton Date: Thu Sep 16 13:24:46 2021 +1200 tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce Author: Joseph Sutton Date: Thu Sep 16 13:14:45 2021 +1200 tests/krb5: Allow get_tgt() to specify expected and unexpected flags BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3 Author: Joseph Sutton Date: Thu Sep 16 13:14:06 2021 +1200 tests/krb5: Allow get_tgt() to specify different kdc-options BUG: https://bugzilla.samba.org/sh
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9a24d8e491f lib:cmdline: fix a comment from e50083ceb80 smbd: Update debug messages for failed sharemode release https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9a24d8e491fc5b289c3e25eb448574e035420536 Author: Michael Adam Date: Mon Sep 20 13:27:59 2021 +0200 lib:cmdline: fix a comment The default log target was changed in 726ccf1d56b2979c827dd8586d1aeb6cb8de236c (as a side effect), but the comment was only partially updated. This patch fixes the comment by completing the orignal change to correctly reflect current behavior. Signed-off-by: Michael Adam Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Sep 21 20:28:49 UTC 2021 on sn-devel-184 --- Summary of changes: lib/cmdline/cmdline.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c index 40292a6a332..5dd543f244d 100644 --- a/lib/cmdline/cmdline.c +++ b/lib/cmdline/cmdline.c @@ -67,8 +67,8 @@ bool samba_cmdline_init_common(TALLOC_CTX *mem_ctx) fault_setup(); /* -* Log to stdout by default. -* This can be changed to stderr using the option: --debug-stdout +* Log to stderr by default. +* This can be changed to stdout using the option: --debug-stdout */ setup_logging(getprogname(), DEBUG_DEFAULT_STDERR); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e50083ceb80 smbd: Update debug messages for failed sharemode release via 0a2b5011459 smbd: Remove return variable for releasing filesystem sharemode via fa3f952f3e7 smbd: Rename return variable for requesting filesystem sharemode via d8972d92010 smbd: Update comment for durable handles via 113f6964d01 VFS: Update tracking documents for renamed function via 041dfdfc131 vfs_catia: Rename kernel_flock to filesystem_sharemode via 3224eb8fcf7 vfs_default: Rename kernel_flock to filesystem_sharemode via 4209e42ab1b vfs_streams_xattr: Rename kernel_flock to filesystem_sharemode via b63ee5c7391 vfs_gpfs: Rename kernel_flock to filesystem_sharemode via 272fce3cbd5 vfs_time_audit: Fix message for fcntl VFS call via f3bd312ad97 vfs_time_audit: Rename kernel_flock to filesystem_sharemode via 0bd1df93fc3 vfs_glusterfs: Rename kernel_flock to filesystem_sharemode via 0ac9dfd2677 vfs_ceph: Rename kernel_flock to filesystem_sharemode via 73f04003e3e docs-xml: Update vfs_full_audit manpage for renamed function via ad87998ab40 vfs_full_audit: Rename kernel_flock to filesystem_sharemode via 264440c983a s3: Remove definition of removed kernel_flock function via 0ae59ffc499 examples/VFS/skel_opaque: Rename kernel_flock to filesystem_sharemode via a2578d9b564 examples/VFS/skel_transparent: Rename kernel_flock to filesystem_sharemode via 0a26b2386e3 VFS: Increase VFS version for renamed function via c794e773814 VFS: Rename kernel_flock to filesystem_sharemode via f3b5733df76 profile: Remove syscall_kernel_flock profiling from af06d73a756 s3:rpc_server: Do not use the default ncalrpc endpoint for external services https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e50083ceb8013288d506ba9224f65deb5e3a38a5 Author: Christof Schmitt Date: Mon Sep 20 15:55:32 2021 -0700 smbd: Update debug messages for failed sharemode release Use new macros, consistent log level and remove reference to flock. Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison Autobuild-User(master): Christof Schmitt Autobuild-Date(master): Tue Sep 21 19:39:10 UTC 2021 on sn-devel-184 commit 0a2b50114599ed609778eb5add9a9c18126d07a4 Author: Christof Schmitt Date: Mon Sep 20 15:50:08 2021 -0700 smbd: Remove return variable for releasing filesystem sharemode flock is no longer used, the existing "ret" variable can be used instead. Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison commit fa3f952f3e7d27a0977f497ce96ef8484c2f Author: Christof Schmitt Date: Mon Sep 20 15:46:21 2021 -0700 smbd: Rename return variable for requesting filesystem sharemode flock is no longer used, rename the variable accordingly. Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison commit d8972d920106043c8b0a24482174009d68f6faf8 Author: Christof Schmitt Date: Mon Sep 20 15:38:59 2021 -0700 smbd: Update comment for durable handles Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison commit 113f6964d0168c21dc94aa594f728c175fc294df Author: Christof Schmitt Date: Mon Sep 20 15:29:22 2021 -0700 VFS: Update tracking documents for renamed function Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison commit 041dfdfc131e92e6947325a78180d83909e81b8e Author: Christof Schmitt Date: Mon Sep 20 15:27:07 2021 -0700 vfs_catia: Rename kernel_flock to filesystem_sharemode Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison commit 3224eb8fcf79b5f2554a6195aeeb313dd25c2de5 Author: Christof Schmitt Date: Mon Sep 20 15:26:19 2021 -0700 vfs_default: Rename kernel_flock to filesystem_sharemode Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison commit 4209e42ab1b07753c6130a25b52a48bada4d90e9 Author: Christof Schmitt Date: Mon Sep 20 15:25:21 2021 -0700 vfs_streams_xattr: Rename kernel_flock to filesystem_sharemode Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison commit b63ee5c7391ce683eed46e68a1e2dd47c2b14fd7 Author: Christof Schmitt Date: Mon Sep 20 15:24:33 2021 -0700 vfs_gpfs: Rename kernel_flock to filesystem_sharemode Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison commit 272fce3cbd5114c190570e4565f8e2f7b16ea3d4 Author: Christof Schmitt Date: Mon Sep 20 15:22:50 2021 -0700 vfs_time_audit: Fix message for fcntl VFS call Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison commit f3bd312ad97521df5f78d784a6abf7b82bc37a90 Author: Christof Schmitt Date: Mon Sep 20 15:22:06 2021 -0700 vfs_time_audit: Rename kernel_flock to filesystem_sharemod
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via af06d73a756 s3:rpc_server: Do not use the default ncalrpc endpoint for external services via 9c8521848bb librpc:core: Add a function to register an interface passing the binding handle via 99bf0c1b264 pidl:NDR/ServerCompat.pm: Do not register disabled services from b09efc8b8b9 lib: Move closefrom_except*() to a separate file https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit af06d73a7563f6a7dec7653b7de1748de099b051 Author: Samuel Cabrero Date: Mon Aug 23 14:27:49 2021 +0200 s3:rpc_server: Do not use the default ncalrpc endpoint for external services In samba3 it is possible to run some services externally, for example: rpc_daemon:lsasd = fork rpc_server:netlogon = disabled rpc_server:samr = external rpc_server:lsarpc = external The external services running in separate processes have to use its own dedicated ncalrpc endpoint, otherwise will race with main smbd serving the embedded services to accept connections on ncalrpc default socket. If the connection ends in an external process and the client tries to bind to an interface not registered there (like winreg for example) the bind will fail. Signed-off-by: Samuel Cabrero Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Tue Sep 21 11:00:01 UTC 2021 on sn-devel-184 commit 9c8521848bb5fedb3501d03e564a759d8709f418 Author: Samuel Cabrero Date: Thu Aug 19 12:52:04 2021 +0200 librpc:core: Add a function to register an interface passing the binding handle Signed-off-by: Samuel Cabrero Reviewed-by: Volker Lendecke commit 99bf0c1b2649f74a3199c59bbc16c6e604ff4e79 Author: Samuel Cabrero Date: Mon Aug 23 14:23:58 2021 +0200 pidl:NDR/ServerCompat.pm: Do not register disabled services In samba3 it is possible to disable RPC services, for exapmle: rpc_server:netlogon = disabled If a service is disabled do not register the interface neither create its endpoint. Signed-off-by: Samuel Cabrero Reviewed-by: Volker Lendecke --- Summary of changes: librpc/rpc/dcesrv_core.c | 80 +- librpc/rpc/dcesrv_core.h | 5 ++ pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm | 62 +++- selftest/knownfail | 19 +- source3/rpc_server/rpc_ncacn_np.c | 24 +++- source3/winbindd/winbindd_dual_ndr.c | 10 6 files changed, 169 insertions(+), 31 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c index b75336d0a85..6a2e0c25e7f 100644 --- a/librpc/rpc/dcesrv_core.c +++ b/librpc/rpc/dcesrv_core.c @@ -176,11 +176,47 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx, const char *ncacn_np_secondary_endpoint, const struct dcesrv_interface *iface, const struct security_descriptor *sd) +{ + struct dcerpc_binding *binding = NULL; + struct dcerpc_binding *binding2 = NULL; + NTSTATUS ret; + + ret = dcerpc_parse_binding(dce_ctx, ep_name, &binding); + if (NT_STATUS_IS_ERR(ret)) { + DBG_ERR("Trouble parsing binding string '%s'\n", ep_name); + goto out; + } + + if (ncacn_np_secondary_endpoint != NULL) { + ret = dcerpc_parse_binding(dce_ctx, + ncacn_np_secondary_endpoint, + &binding2); + if (NT_STATUS_IS_ERR(ret)) { + DBG_ERR("Trouble parsing 2nd binding string '%s'\n", + ncacn_np_secondary_endpoint); + goto out; + } + } + + ret = dcesrv_interface_register_b(dce_ctx, + binding, + binding2, + iface, + sd); +out: + TALLOC_FREE(binding); + TALLOC_FREE(binding2); + return ret; +} + +_PUBLIC_ NTSTATUS dcesrv_interface_register_b(struct dcesrv_context *dce_ctx, + struct dcerpc_binding *binding, + struct dcerpc_binding *binding2, + const struct dcesrv_interface *iface, + const struct security_descriptor *sd) { struct dcesrv_endpoint *ep; struct dcesrv_if_list *ifl; - struct dcerpc_binding *binding; - struct dcerpc_bind