[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.10] 344 commits: VERSION: Bump version up to 4.10.1...

Mathieu Parent gitlab at salsa.debian.org
Thu Aug 29 14:17:22 BST 2019



Mathieu Parent pushed to branch upstream_4.10 at Debian Samba Team / samba


Commits:
3170d75b by Karolin Seeger at 2019-03-19T09:57:53Z
VERSION: Bump version up to 4.10.1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
2b309861 by Stefan Metzmacher at 2019-03-22T08:14:07Z
ctdb-build: use a fixed ctdb_version.h using SAMBA_VERSION_STRING

This way we don't get constant rebuild as SAMBA_VERSION_STRING
is "4.7.0pre1.DEVELOPERBUILD" for the binaries under bin/
instead of "4.7.0pre1.GIT.59e51f6".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13789

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
(cherry picked from commit 05c28fee21c0cc986cb8301f4199595cdb13faee)

- - - - -
6401d809 by Martin Schwenke at 2019-03-22T08:14:07Z
ctdb-build: Drop creation of .distversion in tarball

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13789

Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
(cherry picked from commit 148306674d0e4706adca3e5dcbb779c51a2c03da)

- - - - -
f515f1a5 by Amitay Isaacs at 2019-03-22T08:14:07Z
ctdb-version: Simplify version string usage

There is no need to write SAMBA_VERSION_STRING as CTDB_VERSION_STRING.
Wherever required use SAMBA_VERSION_STRING directly.

Avoids the confusion with two version.h files.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13789

Signed-off-by: Amitay Isaacs <amitay at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Fri Mar 15 06:31:50 UTC 2019 on sn-devel-144

(cherry picked from commit edd4a23d7632af51f4d7b4287917b7fa0dced963)

- - - - -
5f1d98c2 by Stefan Metzmacher at 2019-03-22T08:14:07Z
ndr_spoolss_buf: fix out of scope use of stack variable in NDR_SPOOLSS_PUSH_ENUM_OUT()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13818

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 6da3664f8a11397fd3fb38e89c2432b8bf321e59)

- - - - -
4cafdc7f by Martin Schwenke at 2019-03-22T08:14:07Z
ctdb-tests: Build cluster mutex path manually

CTDB_CLUSTER_MUTEX_HELPER can't be depended on because it is only set
when the tests are not installed and setting it unconditionally for
this particular use would be wrong.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13800

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit a215d2017f95974913a7e97c25e5fc613bb79c26)

- - - - -
d3ed17e7 by Andreas Schneider at 2019-03-22T08:14:07Z
s3:script: Fix jobid check in test_smbspool.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Bryan Mason <bmason at redhat.com>
Signed-off-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit fad5e4eaeb9202c1b63c42ea09254c17c473e33a)

- - - - -
18515064 by Andreas Schneider at 2019-03-22T08:14:07Z
s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to smbspool

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Bryan Mason <bmason at redhat.com>
Signed-off-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 43160184d254a57f87bb2adeba47f48d8539533a)

- - - - -
0db94874 by Andreas Schneider at 2019-03-22T08:14:07Z
s3:client: Evaluate the AUTH_INFO_REQUIRED variable set by cups

This should not switch to username,password if cups has been configured
to use negotiate (Kerberos authentication).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Bryan Mason <bmason at redhat.com>
Signed-off-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845)

- - - - -
c6f1719b by Andreas Schneider at 2019-03-22T08:14:07Z
s3:client: Make sure we work on a copy of the title

We can't be sure we can write to the input buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Bryan Mason <bmason at redhat.com>
Signed-off-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 129ae27946318a075e99c9e6d1bacf8963f72282)

- - - - -
84aad2ea by Andreas Schneider at 2019-03-22T08:14:08Z
s3:client: Fix smbspool device uri handling

If we are executed as a CUPS backend, argv[0] is set to the device uri.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Bryan Mason <bmason at redhat.com>
Signed-off-by: Guenther Deschner <gd at samba.org>

(cherry picked from commit 69d7a496d3bf52eaa10e81132bb61430863fdd8a)

- - - - -
755f624e by Martin Schwenke at 2019-03-22T08:14:08Z
ctdb-packaging: ctdb package should not own system library directory

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13838

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit b2b8dce4fc56c27ef0131104b316346565369dd7)

- - - - -
fc4e3273 by Martin Schwenke at 2019-03-22T08:14:08Z
ctdb-packaging: Test package requires tcpdump

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13838

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit 957c38b65ca060eabe1e676f8dfb54839d706155)

- - - - -
909cecd3 by Zhu Shangzhong at 2019-03-22T08:14:08Z
ctdb: Initialize addr struct to zero before reparsing as IPV4

Failed to kill the tcp connection that using IPv4-mapped IPv6 address
(e.g. ctdb_killtcp eth0 ::ffff:192.168.200.44:2049
::ffff:192.168.200.45:863).

When the ctdb_killtcp is used to kill the tcp connection, the IPs and
ports in the connection will be parsed to conn.client and conn.server
(call stack: main->ctdb_sock_addr_from_string->ip_from_string). In
the ip_from_string, as we are using IPv4-mapped IPv6 addresses, the
ipv6_from_string will be used to parse ip to addr.ip6 first. The next
step the ipv4_from_string will be used to reparse ip to addr.ip.

As a result, the data that dump from conn.server is "2 0 8 1 192 168
200 44 0 0 0 0 0 0 0 0 0 0 255 255 192 168 200 44 0 0 0 0", the data
from conn.client is "2 0 3 95 192 168 200 45 0 0 0 0 0 0 0 0 0 0 255 255
192 168 200 45 0 0 0 0". The connection will be add to conn_list by
ctdb_connection_list_add. Then the reset_connections_send uses conn_list
as parameter to start to reset connections in the conn_list.

In the reset_connections_send, the database "connections" will be
created. The connections from conn_list will be written to the
database(call db_hash_add), and use the data that dump from conn_client
and conn_server as key.

In the reset_connections_capture_tcp_handler, the
ctdb_sys_read_tcp_packet will receive data on the raw socket. And
extract the IPs and ports from the tcp packet. when extracting IP and
port, the tcp4_extract OR tcp6_extract will be used. Then we got the
new conn.client and conn.server. the data that dump from the
conn.server is "2 0 8 1 192 168 200 44 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0", the data from conn.client is "2 0 3 95 192 168 200 45 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0". Finally, we use the data as key to check
if this connection is one being reset(call db_hash_delete). The
db_hash_delete will return ENOENT. Because the two key that being used
by db_hash_delete and db_hash_add are different.

So, the TCP RST will be NOT sent for the connection forever. We should
initialize addr struct to zero before reparsing as IPV4 in the
ip_from_string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13839

Signed-off-by: Zhu Shangzhong <zhu.shangzhong at zte.com.cn>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit 539b5ff32b32b7c75dfaaa119e41f5af6ff1e6fc)

- - - - -
eb632754 by Martin Schwenke at 2019-03-22T08:14:08Z
ctdb-tests: Add some testing for IPv4-mapped IPv6 address parsing

ctdb_sock_addr values are hashed in some contexts.  This means that
all of the memory used for the ctdb_sock_addr should be consistent
regardless of how parsing is done.  The first 2 cases are just sanity
checks but the 3rd case involving an IPv4-mapped IPv6 address is the
real target of this test addition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13839

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit d9286701cd9253bf3b42cac3d850ae8c23743e6d)

- - - - -
f6df8d97 by Andreas Schneider at 2019-03-22T08:14:08Z
s4:librpc: Fix installation of Samba

This breaks installation of Samba 4.10 on Fedora.

https://bugzilla.samba.org/show_bug.cgi?id=13847

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>

(cherry picked from commit bf469343f577e2d78df0e38d80e7976b351eaf0d)

- - - - -
c8e8d979 by Andreas Schneider at 2019-03-22T12:50:24Z
s3:lib: Fix the debug message for adding cache entries.

To get correct values, we need to cast 'timeout' to 'long int' first in
order to do calculation in that integer space! Calculations are don in
the space of the lvalue!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13848

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 5822449a7340f53987ce4c04851652427f5b49e8)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Fri Mar 22 12:50:24 UTC 2019 on sn-devel-144

- - - - -
084d2f1b by Andreas Schneider at 2019-04-02T09:10:50Z
s3:utils: Use C99 initializer for poptOption in smbstatus

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 83d25ca9d90897925a4431dd55e68c78244900b3)

- - - - -
b866bdbe by Andreas Schneider at 2019-04-02T09:10:50Z
s3:utils: Add 'smbstatus -L --resolve-uids' to show usernames

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13793

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ffad76ae260ac33926db87c61aede5b66d9b09e6)

- - - - -
79d3de4d by Andreas Schneider at 2019-04-02T09:10:50Z
selftest: Add smbstatus to testhelper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13793

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6106b8a053e06699c332fd1a6d7636f550422cc7)

- - - - -
a21e9754 by Andreas Schneider at 2019-04-02T09:10:51Z
s3:tests: Add test for smbstatus and smbstatus --resolve_uids

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13793

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Mar 27 14:33:35 UTC 2019 on sn-devel-144

(cherry picked from commit 2e7f4b1d3701b9da32e03dcee1095711945f22b8)

- - - - -
2d4820f0 by Andreas Schneider at 2019-04-02T09:10:51Z
s3:waf: Fix the detection of makdev() macro on Linux

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13853

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit eace58b539a382c61edd7c2be6fdfab31114719f)

- - - - -
18f41671 by Stefan Metzmacher at 2019-04-02T09:10:51Z
selftest: force running with TZ=UTC

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Feb 27 11:24:59 UTC 2019 on sn-devel-144

(cherry picked from commit 4f307f2302b0fe8fd0fc6379eb8e6491faf8520c)

- - - - -
8d1241da by Stefan Metzmacher at 2019-04-02T09:10:51Z
blackbox/*.sh: pass -u to 'diff'

This is what we work with every day...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8ba6f1c895ee9b6b592578f21e7f79ed36236bef)

- - - - -
4fc17804 by Stefan Metzmacher at 2019-04-02T09:10:51Z
blackbox/dbcheck-links.sh: reproduce lost deleted object problem

When a parent object is removed during the tombstone garbage collection
before a child object and samba-tool dbcheck runs at the same time, the
following can happen:

- If the object child had DISALLOW_MOVE_ON_DELETE in systemFlags,
  samba-tool dbcheck moves the object under the LostAndFound[Config]
  object (as an originating update!)
- The lastKnownParent attribute is removed (as an originating update!)

These originating updates cause the object to have an extended time
as tombstone. And these changes are replicated to other DCs,
which very likely already removed the object completely!

This means the destination DC of replication has no chance to handle
the object it gets from the source DC with just 2 attributes (name, lastKnownParent).

The destination logs something like:

  No objectClass found in replPropertyMetaData

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5357f591accffbf8c62335c308b985811b66f0b5)

- - - - -
3e539f75 by Stefan Metzmacher at 2019-04-02T09:10:51Z
dsdb:repl_meta_data: allow CONTROL_DBCHECK_FIX_LINK_DN_NAME to by pass rename

We need a way to rename an object without updating the replication meta
data.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3e8a435d27da899d0e3dab7cbc0a1c738067eba3)

- - - - -
8736fb5e by Stefan Metzmacher at 2019-04-02T09:10:52Z
dbcheck: use DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME when renaming deleted objects

We should never do originating updates on deleted objects.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 07a8326746f0c444eedf3860b178fc29d84e8d16)

- - - - -
95f5b9f2 by Stefan Metzmacher at 2019-04-02T09:10:52Z
dbcheck: do isDeleted, systemFlags and replPropertyMetaData detection first

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9afcd5331ce567bd80d35175f8e4e21c506e9347)

- - - - -
0c2f7224 by Stefan Metzmacher at 2019-04-02T09:10:52Z
dbcheck: don't move already deleted objects to LostAndFound

This would typically happen when the garbage collection
removed a parent object before a child object (both with
the DISALLOW_MOVE_ON_DELETE bit set in systemFlags),
while dbcheck is running at the same time as the garbage collection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6d50ee74920c39cdb18b427bfaaf200775bf2d73)

- - - - -
a47b27b2 by Stefan Metzmacher at 2019-04-02T09:10:52Z
dbcheck: don't remove dangling one-way links on already deleted objects

This would typically happen when the garbage collection
removed a parent object before a child object (both with
the DISALLOW_MOVE_ON_DELETE bit set in systemFlags),
while dbcheck is running at the same time as the garbage collection.
In this case the lastKnownParent attributes points a non existing
object.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e388e599495b6d7c38b8b6966332e27f8b958783)

- - - - -
caf0caba by Stefan Metzmacher at 2019-04-02T09:10:53Z
dbcheck: add find_repl_attid() helper function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 598e38d2a5e0832429ba65b4e55bf7127618f894)

- - - - -
4f0b554b by Stefan Metzmacher at 2019-04-02T09:10:53Z
blackbox/dbcheck-links.sh: add regression test for lost deleted object repair

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1ccc21a34d295be3bb2ab481a5918003eae88bf4)

- - - - -
89fb9d0a by Stefan Metzmacher at 2019-04-02T09:10:53Z
dbcheck: detect the change after deletion bug

Old versions of 'samba-tool dbcheck' could reanimate
deleted objects, when running at the same time as the
tombstone garbage collection.

When the (deleted) parent of a deleted object
(with the DISALLOW_MOVE_ON_DELETE bit in systemFlags),
is removed before the object itself, dbcheck moved
it in the LostAndFound[Config] subtree of the partition
as an originating change. That means that the object
will be in tombstone state again for 180 days on the local
DC. And other DCs fail to replicate the object as
it's already removed completely there and the replication
only gives the name and lastKnownParent attributes, because
all other attributes should already be known to the other DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a1658b306d85452407388b91a745078c9c1f7dc7)

- - - - -
178fad24 by Stefan Metzmacher at 2019-04-02T09:10:53Z
python/samba/netcmd: provide SUPPRESS_HELP via Option class

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b61d580fb7dba8ff94e9e98c958e324865cd2f1d)

- - - - -
b292ef1d by Stefan Metzmacher at 2019-04-02T09:10:53Z
dbcheck: add --selftest-check-expired-tombstones cmdline option

This will be used by dbcheck tests which operate on static/old provision
dumps in the following commits.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6f9c5ed8de47bb98e21e8064d8e90f963f2f71ca)

- - - - -
40b6af9c by Stefan Metzmacher at 2019-04-02T09:10:53Z
blackbox/dbcheck*.sh: pass --selftest-check-expired-tombstones to dbcheck

These tests operate on provision dumps created long ago, they still
want to run tests on deleted objects, when the next commits remove
processing expired tombstone objects in dbcheck.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5fccc4e9044d2e57be33471f5e6b9be7cc37ac3a)

- - - - -
4b658a5a by Stefan Metzmacher at 2019-04-02T09:10:53Z
blackbox/dbcheck-links.sh: prepare regression test for skipping expired tombstones

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b096a3117ed9249fd6f65f3221a26c88efbba3b8)

- - - - -
6602a77b by Stefan Metzmacher at 2019-04-02T09:10:54Z
dbcheck: don't check expired tombstone objects by default anymore

These will be removed anyway and any change on them risks to
be an originating update that causes replication problems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Mar 14 03:12:27 UTC 2019 on sn-devel-144

(cherry picked from commit a2c5f8cf41c2dfdc4f122e8427d1dfeabb6ba311)

- - - - -
10a390e8 by Stefan Metzmacher at 2019-04-02T09:10:54Z
dbcheck: use the str() value of the "name" attribute

We do the same with the rdn attribute value
and we need the same logic on both in order to
check they are the same.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13816

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit dd6f0dad218ec1d5aa38ea8aa6848ec81035cb3f)

- - - - -
286b80cb by Aaron Haslett at 2019-04-02T09:10:54Z
ldb: cmocka test for empty attributes bug

Cmocka test exposing LDB bug where a request with an empty attributes
list returns a response containing all attributes.  The bug is in the
ACL module and will be fixed in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13836

Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 24efa3ca5399d5cf538c3be504014a954685f1ed)

- - - - -
868356cf by Garming Sam at 2019-04-02T09:10:54Z
acl_read: Fix regression caused by db15fcfa899e1fe4d6994f68ceb299921b8aa6f1 for empty lists

The original code never dereferenced attrs and only added "*" if attrs
was NULL (not if attrs[0] was NULL).

This causes significant performance issues with the new paged_results
module introduced for 4.10 as the initial GUID search requests no
attributes. This GUID search turns into a search for "*" and ends up
allocating memory for the entire database.

This never appears to cause changes in the final result set, only
intermediate processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13836

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Mar 29 18:37:29 UTC 2019 on sn-devel-144

(cherry picked from commit a2b1970a37836e46d6c9eb6bda9bd20185de96ce)

- - - - -
75b6e02a by Douglas Bagnall at 2019-04-02T09:10:54Z
py/graph: use 2.6 compatible check for set membership

It is better this way anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Mar 20 06:36:05 UTC 2019 on sn-devel-144

(cherry picked from commit c0aca17a4c9ec06f0127d5c972f3fa979a87a77f)

- - - - -
9b8398ec by Douglas Bagnall at 2019-04-02T09:10:55Z
py/kcc_utils: py2.6 compatibility

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>

- - - - -
f52ebe25 by Douglas Bagnall at 2019-04-02T09:10:55Z
py/uptodateness: use 2.6 compatible dictionary construction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>

- - - - -
76b38e19 by Douglas Bagnall at 2019-04-02T09:10:55Z
py/logger: use python 2.6 compatible arguments

In 2.6 stream is a positional argument; 2.7+ it is also a keyword
argument.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13837
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>

- - - - -
3f278c3f by Michael Hanselmann at 2019-04-02T09:10:55Z
Fix typos in "valid"

s/vald/valid/

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840

Signed-off-by: Michael Hanselmann <public at hansmi.ch>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 305346d360d3c13fd315c1af27b037f46fd10650)

- - - - -
cfffac0f by Michael Hanselmann at 2019-04-02T09:10:55Z
regfio: Use correct function names in debug information

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840

Signed-off-by: Michael Hanselmann <public at hansmi.ch>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit aa6b355858a0d8b77bf49384e5329642add1a5ff)

- - - - -
bf6a8517 by Michael Hanselmann at 2019-04-02T09:10:55Z
regfio: Add trivial unit test

An upcoming commit will resolve two cases of insufficient handling of
mangled registry hive files and will include unit tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840

Signed-off-by: Michael Hanselmann <public at hansmi.ch>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9b2cb845b23cd1c91ab3b5ea8ad791b18b3ab733)

- - - - -
d4ef858e by Michael Hanselmann at 2019-04-02T09:10:56Z
regfio: Improve handling of malformed registry hive files

* next_record: A malformed file can lead to an endless loop.
* regfio_rootkey: Supplying a malformed registry hive file to the
  registry hive I/O code can lead to out-of-bounds reads.

Test cases are included. Both issues resolved have been identified using
AddressSanitizer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840

Signed-off-by: Michael Hanselmann <public at hansmi.ch>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 601afd690346087fbd53819dba9b1afa81560064)

- - - - -
722c5b32 by Andrew Bartlett at 2019-04-02T09:10:56Z
regfio: Update code near recent changes to match README.Coding

This file long predates our current code conventions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit acbf103fcaa4150a57bfbab2450e36b5b39e399b)

- - - - -
78b72ff3 by Andrew Bartlett at 2019-04-02T09:10:56Z
regfio tests: Update comment style to match README.Coding

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13840

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 68c0fc4335d0c3c526a38481538a33290be6d58a)

- - - - -
7921aa63 by Garming Sam at 2019-04-02T09:10:56Z
dlz: Add test to ensure there are writable zones

This is currently broken since 28e2a518ff32

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13841

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6c62e05466917d9454d67eb2dd77e303e612c8a9)

- - - - -
0e94b0a3 by Michael Saxl at 2019-04-02T09:10:56Z
s4:dlz make b9_has_soa check dc=@ node

the zone node does not hold the dnsRecord values, so for the zone level
the node dc=@,dc=zonename has to be queried

regression introduced with 28e2a518ff32, BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13841

Signed-off-by: Michael Saxl <mike at mwsys.mine.bz>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 526c6d0be53d97beb38f82a3619d8710fefb4091)

- - - - -
e769bd66 by Anoop C S at 2019-04-02T09:10:56Z
s4/messaging: Fix undefined reference in linking libMESSAGING-samba4.so

Early check for DEVELOPER or ENABLE_SELFTEST configure options inside
messaging_handlers.c leaves us with the following undefined reference
linkage error:

[1315/3712] Linking bin/default/source4/lib/messaging/libMESSAGING-samba4.so
/usr/bin/ld: source4/lib/messaging/messaging.c.4.o: in function
						`imessaging_init_internal':
/root/samba.git/bin/default/../../source4/lib/messaging/messaging.c:472:
		undefined reference to `imessaging_register_extra_handlers'
collect2: error: ld returned 1 exit status

This happened due to failure in including "includes.h" before checking
the above mentioned configure options.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13854

Signed-off-by: Anoop C S <anoopcs at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 08ba013a2b8b2cf9fc17fdcb3d107e1434709036)

- - - - -
815be52b by Volker Lendecke at 2019-04-02T09:10:56Z
lib: Make fd_load work for non-regular files

Follow-up to

https://lists.samba.org/archive/samba/2018-September/217992.html

and following. This also fixes a small and very theoretical race: Between the
fstat and the read call the file size might change. This would make us fail on
potentially legitimate files.

This is more complex and probably slower, but looking at the use cases I don't
think the speed matters.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13859

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Mar 26 04:43:40 UTC 2019 on sn-devel-144

(cherry picked from commit ac487bf4d04c9771ada1ca7eeb9dac4e5fe34185)

- - - - -
af05bf79 by Philipp Gesang at 2019-04-02T13:52:01Z
libcli: permit larger values of DataLength in SMB2_ENCRYPTION_CAPABILITIES of negotiate response

Certain Netapp versions are sending SMB2_ENCRYPTION_CAPABILITIES
structures containing DataLength field that includes the padding
[0]. Microsoft has since clarified that only values smaller than
the size are considered invalid [1].

While parsing the NegotiateContext it is ensured that DataLength
does not exceed the message bounds. Also, the value is not
actually used anywhere outside the validation. Thus values
greater than the actual data size are safe to use. This patch
makes Samba fail only on values that are too small for the (fixed
size) payload.

[0] https://lists.samba.org/archive/samba/2019-February/221139.html
[1] https://lists.samba.org/archive/cifs-protocol/2019-March/003210.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13869

Signed-off-by: Philipp Gesang <philipp.gesang at intra2net.com>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sun Mar 31 01:11:09 UTC 2019 on sn-devel-144

(cherry picked from commit 865b7b0c7d2ba7fa0a045586d1e83a72028a0864)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Tue Apr  2 13:52:02 UTC 2019 on sn-devel-144

- - - - -
17f3d535 by Karolin Seeger at 2019-04-03T08:31:06Z
WHATSNEW: Add release notes for Samba 4.10.1.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
e0cc225f by Karolin Seeger at 2019-04-03T08:32:27Z
VERSION: Disable GIT_SNAPSHOT for the 4.10.1 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
61c4d715 by Karolin Seeger at 2019-04-03T08:33:17Z
VERSION: Bump version up to 4.10.2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
16fa173a by Karolin Seeger at 2019-04-05T08:13:40Z
VERSION: Bump version up to 4.10.2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit 61c4d715a7382047a9a97165256866fe39ebad26)

- - - - -
c25ee5bd by Tim Beale at 2019-04-05T08:14:36Z
CVE-2019-3870 tests: Extend smbd tests to check for umask being overwritten

The smbd changes the umask - if the code fails to restore the umask to
what it was, then this is very bad. Add an extra check to every
smbd-related test that the umask at the end of the test is the same as
what it was at the beginning (i.e. if the smbd code changed the umask
then it correctly restored the value afterwards).

As the selftest sets the umask for all tests to zero, it makes it hard
to detect this problem, so the test setUp() needs to set it to something
else first.

This extra checking is added to the setUp()/tearDown() so that it
applies to all test-cases. However, any failure that occur with this
approach will not be able to be known-failed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
0b712415 by Tim Beale at 2019-04-05T08:14:36Z
CVE-2019-3870 tests: Add test to check file-permissions are correct after provision

This provisions a new DC and checks there are no world-writable
files in the new DC's private directory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
ebb9b7fa by Andrew Bartlett at 2019-04-05T08:14:36Z
CVE-2019-3870 pysmbd: Include tests to show the outside umask has no impact

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
9a4029b5 by Andrew Bartlett at 2019-04-05T08:14:36Z
CVE-2019-3870 pysmbd: Move umask manipuations as close as possible to users

Umask manipulation was added to pysmbd with e146fe5ef96c1522175a8e81db15d1e8879e5652 in 2012
and init_files_struct was split out in 747c3f1fb379bb68cc7479501b85741493c05812 in 2018 for
Samba 4.9. (It was added to assist the smbd.create_file() routine used in the backup and
restore tools, which needed to write files with full metadata).

This in turn avoids leaving init_files_struct() without resetting the umask to
the original, saved, value.

Per umask(2) this is required before open() and mkdir() system calls (along
side other file-like things such as those for Unix domain socks and FIFOs etc).

Therefore for safety and clarify the additional 'belt and braces' umask
manipuations elsewhere are removed.

mkdir() will be protected by a umask() bracket, for correctness, in the next patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
8e0a6867 by Andrew Bartlett at 2019-04-05T08:14:36Z
CVE-2019-3870 pysmbd: Ensure a zero umask is set for smbd.mkdir()

mkdir() is the other call that requires a umask of 0 in Samba.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
67c83778 by Jeremy Allison at 2019-04-05T08:15:19Z
CVE-2019-3880 s3: rpc: winreg: Remove implementations of SaveKey/RestoreKey.

The were not using VFS backend calls and could only work
locally, and were unsafe against symlink races and other
security issues.

If the incoming handle is valid, return WERR_BAD_PATHNAME.

[MS-RRP] states "The format of the file name is implementation-specific"
so ensure we don't allow this.

As reported by Michael Hanselmann.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
619d3953 by Karolin Seeger at 2019-04-05T08:18:41Z
WHATSNEW: Add release notes for Samba 4.10.2.

CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
CVE-2019-3880 (Save registry file outside share as unprivileged user)

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
17cd92e1 by Karolin Seeger at 2019-04-05T08:35:41Z
VERSION: Disable GIT_SNAPSHOT for 4.10.2 release.

CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
CVE-2019-3880 (Save registry file outside share as unprivileged user)

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
ebf34098 by Karolin Seeger at 2019-04-08T10:30:18Z
Merge tag 'samba-4.10.2' into v4-10-test

samba: tag release samba-4.10.2

- - - - -
cf323d76 by Karolin Seeger at 2019-04-08T10:30:35Z
VERSION: Bump version up to 4.10.3.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
54571d33 by Andreas Schneider at 2019-04-10T11:02:25Z
docs: Update smbclient manpage for --max-protocol

We default to SMB3 now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)

- - - - -
ada3417c by Andreas Schneider at 2019-04-10T11:02:25Z
s3:libads: Print more information when LDAP fails

Currently we just get an error but don't know what exactly we tried to
do in 'net ads join -d10'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)

- - - - -
461090e0 by Andreas Schneider at 2019-04-10T11:02:25Z
s3:libsmb: Add some useful debug output to cliconnect

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)

- - - - -
2e96408e by Guenther Deschner at 2019-04-10T11:02:25Z
s3:libnet: Fix debug message in libnet_DomainJoin()

A newline is missing but also use DBG_INFO macro and cleanup spelling.

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)

- - - - -
0b00c7a2 by Guenther Deschner at 2019-04-10T11:02:25Z
auth:ntlmssp: Add back CRAP ndr debug output

This got lost somehow during refactoring. This is still viable
information when trying to figure out what is going wrong when
authenticating a user over NTLMSSP.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)

- - - - -
936594d6 by Andreas Schneider at 2019-04-10T11:02:25Z
auth:creds: Prefer the principal over DOMAIN/username when using NTLM

If we want to authenticate using -Wadmin at otherdomain the DC should do
take care of the authentication with the right DC for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)

- - - - -
bd573b37 by Andreas Schneider at 2019-04-10T11:02:25Z
s3:libnet: Use more secure name for the JOIN krb5.conf

Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)

- - - - -
78f30808 by Andreas Schneider at 2019-04-10T11:02:26Z
s3:libads: Make sure we can lookup KDCs which are not configured

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)

- - - - -
837a141a by Guenther Deschner at 2019-04-10T11:02:26Z
s3:ldap: Leave add machine code early for pre-existing accounts

This avoids numerous LDAP constraint violation errors when we try to
re-precreate an already existing machine account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)

- - - - -
05709dba by Günther Deschner at 2019-04-10T11:02:26Z
s3-libnet_join: always pass down admin domain to ads layer

Otherwise we could loose the information that a non-default domain name
has been used for admin creds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)

- - - - -
f85efe20 by Günther Deschner at 2019-04-10T11:02:26Z
s3-libnet_join: setup libnet join error string when AD connect fails

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)

- - - - -
bdf59b41 by Günther Deschner at 2019-04-10T11:02:26Z
s3-libnet_join: allow fallback to NTLMSSP auth in libnet_join

When a non-DNS and non-default admin domain is provided during the join
sometimes we might not be able to kinit with 'user at SHORTDOMAINNAME'
(e.g. when the winbind krb5 locator is not installed). In that case lets
fallback to NTLMSSP, like we do in winbind.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Apr  3 18:57:31 UTC 2019 on sn-devel-144

(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)

- - - - -
dda1c48a by Douglas Bagnall at 2019-04-10T14:21:16Z
py/provision: fix for Python 2.6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13882
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Wed Apr 10 14:21:16 UTC 2019 on sn-devel-144

- - - - -
63453eb3 by Martin Schwenke at 2019-04-11T11:36:21Z
ctdb-scripts: Reindent some functions prior to making changes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit d7e187c1a7046196ec96637bdc14cc6b042eafcc)

- - - - -
a1275fed by Martin Schwenke at 2019-04-11T11:36:21Z
ctdb-scripts: Rename variable nfslock_service to nfs_lock_service

There will be more of these variable for other services so, for
readability, it makes sense for them to start with "nfs_".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit 9981353ab79dce81b698c535977be4a681119d1e)

- - - - -
b2aa818e by Martin Schwenke at 2019-04-11T11:36:21Z
ctdb-scripts: Add test variable CTDB_NFS_DISTRO_STYLE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit e72c3c800a50fe746164e319e21180c44d041619)

- - - - -
aaf8b6a6 by Martin Schwenke at 2019-04-11T11:36:21Z
ctdb-scripts: Factor out nfs_load_config()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit 8de0a339b550e7363d265af04ad69f2179af75c6)

- - - - -
ee78bddd by Martin Schwenke at 2019-04-11T11:36:21Z
ctdb-scripts: Stop/start mount/rquotad/status via NFS call-out

When an NFS check restarts a failed service by hand then systemd will
be unable to stop or start this service again because (at least) the
PID file will be wrong.  Do this via the NFS Linux kernel call-out
instead.  Allow the call-out to use the services instead of doing
manual restarts.  Add variables for mount, status and rquotad services
to support this.

Adding systemd NFS services to the call-out will follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit 42103b568698d8087d27f0848b402ccb7cfac86b)

- - - - -
002beda3 by Martin Schwenke at 2019-04-11T11:36:21Z
ctdb-scripts: Start NFS quota service if defined

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit 708c04071af8d6ddc3bf2bddbde4d5847f440c0e)

- - - - -
80c6b7d3 by Martin Schwenke at 2019-04-11T11:36:21Z
ctdb-scripts: Add systemd services to NFS call-out

At least Red Hat and Debian appear to use (a variant of?) the upstream
systemd units for NFS, so adding support for these services is
relatively easy.  Distributions using Sys-V init can patch the
call-out to use the relevant Sys-V init services.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit a8fafd377ff0cb07ab161e437c5fe024704345eb)

- - - - -
53e76ab4 by Martin Schwenke at 2019-04-11T11:36:21Z
ctdb-tests: Update NFS test infrastructure to support systemd services

The tests are written around the default of sysvinit-redhat.  Add
support for systemd-redhat.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit 2833ddcfcb780497264e0f412a9ad6e26a9bc657)

- - - - -
12f6eae2 by Martin Schwenke at 2019-04-11T11:36:22Z
ctdb-scripts: Allow load_system_config() to take multiple alternatives

The situation for NFS config has got more complicated and is probably
broken in statd-callout on Debian-like systems at the moment.  Allow
several alternative configuration names to be tried.  Stop after the
first that is found and loaded.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit 0d67ea5fcca766734ecc73ad6b0139f7c13a15c5)

- - - - -
6baf1529 by Martin Schwenke at 2019-04-11T11:36:22Z
ctdb-scripts: Update statd-callout to try several configuration files

The alternative seems to be to try something via CTDB_NFS_CALLOUT.
That would be complicated and seems like overkill for something this
simple.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13860

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at samba.org>
(cherry picked from commit a2bd4085896804ee2da811e17f18c78a5bf4e658)

- - - - -
d4ea61f5 by Christof Schmitt at 2019-04-11T11:36:22Z
memcache: Introduce struct for storing talloc pointer

This allows extending the additional data stored for talloced objects
later.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13865

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7c44f2f76eefb9156cb1d170c92b4ff07dd6a3d5)

- - - - -
43f3544e by Christof Schmitt at 2019-04-11T11:36:22Z
memcache: Properly track the size of talloc objects

With memcache_add_talloc, the talloc object becomes part of the pool and
the memcache_element stores a pointer to the talloc object. The
size of the the talloc object was not used when tracking the used space,
allowing the cache to grow larger than defined in the memcache_init
call.

Fix this by adding the size of the talloc object to the used space.

Also record the initial size of the talloc object for proper adjustment
of the used space in the cache later. This is in case the size of the
talloc object is modified while being owned by the cache (e.g.
allocating talloc child objects). This should never happen, but better
be safe than ending up with a broken cache usage counter.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13865

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit a04ca6f3438595ba7e1a110877f53d1cac0f0402)

- - - - -
1a82c4b9 by Christof Schmitt at 2019-04-11T11:36:22Z
memcache: Increase size of default memcache to 512k

With the fixed accounting of talloc objects, the default cache size
needs to increase. The exact increase required depends on the workloads,
going form 256k to 512k seems like a reasonable guess.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13865

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 9ff5c0bab76c5d3d7bea1fcb79861d0c9a3b9839)

- - - - -
182f329f by Christof Schmitt at 2019-04-11T14:56:59Z
torture: Add test for talloc size accounting in memcache

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13865

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Apr  6 06:08:42 UTC 2019 on sn-devel-144

(cherry picked from commit b7028c42462c34cf86cb949bfdb16ebc7ed0a6c6)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Thu Apr 11 14:56:59 UTC 2019 on sn-devel-144

- - - - -
8f43d725 by Martin Schwenke at 2019-04-15T11:02:27Z
ctdb-daemon: Revert "We can not assume that just because we could complete a TCP handshake"

We also can not assume that nodes can be marked as connected via only
the keepalive mechanism.  Keepalives are not sent to disconnected
nodes so, in the absence of other packets (e.g. broadcasts), 2 nodes
may never become marked as connected to each other.

Revert to marking nodes as connected in the TCP transport code.  If a
connection is to a non(-operational) ctdbd then it will revert to
disconnected after a short while and may actually flap.  This should
be rare.

This reverts commit 66919db3d7ab1e091223faf515b183af8bfddc83.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13888

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 38dc6d11a26c2e9a2cae7927321f2216ceb1c5ec)

- - - - -
e23fdfe6 by Amitay Isaacs at 2019-04-15T14:23:16Z
ctdb-common: Avoid race between fd and signal events

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13895

In run_proc, there was an implicit assumption that when a process exits,
fd event (pipe between parent and child) would be processed first and
signal event (SIGCHLD for the child) would be processed later.

However, that is not the case.  SIGCHLD can be received asynchronously
any time even when the pipe data has not fully been read.  This causes
run_proc to miss some of the output from child process in tests.

When SIGCHLD is being processed, if the pipe between parent and child is
still open, then do an explict read from the pipe to ensure we read any
data still in the pipe before closing the pipe.

Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Fri Apr 12 08:19:29 UTC 2019 on sn-devel-144

(cherry picked from commit 289201277cd983b27cdfd5376c607eab112b4082)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Mon Apr 15 14:23:16 UTC 2019 on sn-devel-144

- - - - -
690ba5dc by Stefan Metzmacher at 2019-04-16T08:51:19Z
s3:smbd: handle IO_REPARSE_TAG_DFS in SMB_FIND_FILE_FULL_DIRECTORY_INFO

This completes commit 74829fecd7a4e806ee441cd75141bede2eefef1a,
which missed SMB_FIND_FILE_FULL_DIRECTORY_INFO

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10097

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 1d9348575914891dbb5638bc9b8d51eda98fe554)

- - - - -
d0f5c69b by Stefan Metzmacher at 2019-04-16T08:51:20Z
smb2_server: allow smbd_smb2_request_pending_queue(0) to avoid STATUS_PENDING

This has the same meaning as smb2_request_set_async_internal(),
but this will simplifies callers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13698
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13796

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4760b85243f335bb2094fc779802ce4b52db0ccb)

- - - - -
914d7c53 by Stefan Metzmacher at 2019-04-16T08:51:20Z
smb2_sesssetup: avoid STATUS_PENDING responses for session setup

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13698
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13796

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 23792449694b5221f6ea422166c96fac494e3e2c)

- - - - -
3e4d622e by Stefan Metzmacher at 2019-04-16T08:51:20Z
smb2_tcon: avoid STATUS_PENDING responses for tree connect

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12844
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13698

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8a11da429bd3c89766f43c2bff681837a769987c)

- - - - -
0acd5de3 by Stefan Metzmacher at 2019-04-16T08:51:21Z
smb2_sesssetup: avoid STATUS_PENDING completely on session logoff

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10344
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13698

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit d64038425f250e253dce707d69899c7a5d8cb32e)

- - - - -
94b7fcba by Stefan Metzmacher at 2019-04-16T08:51:21Z
smb2_tcon: avoid STATUS_PENDING completely on tdis

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10344
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13698

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 1dc002548336b969979c3bf85b531c059d87f015)

- - - - -
5d418910 by David Disseldorp at 2019-04-16T08:51:21Z
vfs_snapper: drop unneeded fstat handler

fstat is handle based, and unlike vfs_shadow_copy2, we don't need to
make any changes to the returned sbuf, so remove the existing handler
which does nothing.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13858

Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Mar 27 18:21:38 UTC 2019 on sn-devel-144

(cherry picked from commit c68d9c9ef367c1e85619ac2d027a0a425164ca8a)

- - - - -
cfdec9a8 by Stefan Metzmacher at 2019-04-16T08:51:22Z
vfs_default: fix DEBUG messages in vfswrap_offload_write_*_done()

SMB_VFS_{PREAD,PWRITE}_RECV() don't set errno, so we need to
use strerror(aio_state.error) in the debug messages.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13862

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2abf9e9a95cbdf76109b3501dee3e0c34ad09194)

- - - - -
d508ec61 by Stefan Metzmacher at 2019-04-16T08:51:22Z
vfs_default: fix vfswrap_offload_write_send() NT_STATUS_INVALID_VIEW_SIZE check

This fixes a regression introduced in commit
60e45a2d25401eaf9a15a86d19114670ccfde259, where the 'num' variable
was renamed to 'to_copy', but a new 'num' variable was introduced.

Note that off_t is signed!
In future we need to watch out for filesystems supporting
FMODE_UNSIGNED_OFFSET on Linux. Which means they use it unsigned.

This is more or less a theoretical problem, The
NT_STATUS_INVALID_PARAMETER cases are catched before by
SMB_VFS_PREAD_SEND/RECV.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13862

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4d6cd932a955a99ca33cc4aedd7f612e56e0b1de)

- - - - -
822df5a6 by Stefan Metzmacher at 2019-04-16T08:51:22Z
smb2_server: grant all 8192 credits to clients

This seems to match Windows Server 2016.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13863

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 829f692fb1552e56c6a9726036a995b4328731dd)

- - - - -
bd3c73e0 by David Disseldorp at 2019-04-16T08:51:23Z
vfs_ceph: explicitly enable libcephfs POSIX ACL support

libcephfs disables ACL support by default and returns -EOPNOTSUPP in the
POSIX ACL get/setxattr paths as a result. Enable support by setting the
following Ceph config parameters during mount:
        client acl type = posix_acl
        fuse default permissions = false

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13896

Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4982e282f2f2246952854ccc10d4787ac6653a7f)

- - - - -
faa61e3c by David Disseldorp at 2019-04-16T14:42:07Z
docs/vfs_ceph: describe new ACL behaviour

vfs_ceph now explicitly enables libcephfs POSIX ACL support.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13896

Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Apr 12 19:40:25 UTC 2019 on sn-devel-144

(cherry picked from commit 58314d71ea63e36d5f1bbd2c3e190b1edffee726)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Tue Apr 16 14:42:07 UTC 2019 on sn-devel-144

- - - - -
3c027df8 by Anoop C S at 2019-04-30T08:22:22Z
s3/vfs_glusterfs_fuse: Dynamically determine NAME_MAX

This allows the vfs_glusterfs_fuse build to complete on AIX.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13872

Signed-off-by: Anoop C S <anoopcs at redhat.com>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e28d172b00cadf492c22bd892e2dda3bf2fe2d70)

- - - - -
c7b67d3c by Anoop C S at 2019-04-30T13:54:13Z
s3/vfs_glusterfs: Dynamically determine NAME_MAX

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13872

Signed-off-by: Anoop C S <anoopcs at redhat.com>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8e3a042eb9e502821b147f1bbb2d98d59f17a095)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Tue Apr 30 13:54:14 UTC 2019 on sn-devel-144

- - - - -
770352cd by Karolin Seeger at 2019-05-07T08:53:30Z
VERSION: Bump version up to 4.10.3.

Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit cf323d769f0f75a8201b21e5563fc5481beb614e)

- - - - -
6a7e0623 by Karolin Seeger at 2019-05-07T09:02:47Z
VERSION: Re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
6ad19ca4 by Isaac Boukris at 2019-05-07T09:02:47Z
CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
12086db2 by Isaac Boukris at 2019-05-07T09:02:47Z
CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
20ce967a by Karolin Seeger at 2019-05-07T09:02:47Z
WHATSNEW: Add release notes for Samba 4.10.3.

CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
70a164b3 by Karolin Seeger at 2019-05-07T09:06:14Z
VERSION: Disable GIT_SNAPSHOT for the 4.10.3 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
6c23ad16 by Karolin Seeger at 2019-05-07T10:26:53Z
VERSION: Disable GIT_SNAPSHOT for the 4.10.3 release.

CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
c0a8bd3d by Karolin Seeger at 2019-05-14T06:21:05Z
Merge tag 'samba-4.10.3' into v4-10-test

samba: tag release samba-4.10.3

- - - - -
2ad7a4a6 by Karolin Seeger at 2019-05-14T06:23:51Z
VERSION: Bump version up to 4.10.4.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
b7f79137 by Christof Schmitt at 2019-05-14T13:58:10Z
nsswitch: Add testcase for checking output of wbinfo --sid-to-name

The username should always be returned in the DOMAISHORTNAME/USERNAME
format.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit d006c769a9cad275339b18b08e13d48acb29d7fc)

- - - - -
2670fe83 by Christof Schmitt at 2019-05-14T13:58:10Z
winbind: Query domain from msrpc name_to_sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 60b0e91237179b8782c4bd83b9579f51d5af2928)

- - - - -
af488780 by Christof Schmitt at 2019-05-14T13:58:10Z
winbind: Query domain from winbind rpc name_to_sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 562551c0886bdef1f97059e16d375c2e97452b45)

- - - - -
b519cd21 by Christof Schmitt at 2019-05-14T13:58:10Z
winbind: Query domain from winbind sam_name_to_sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 32e3f0663be39cf4a81639c818fc88e959791673)

- - - - -
90349804 by Christof Schmitt at 2019-05-14T13:58:10Z
winbind: Return queried domain name from name_to_sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 640e0ef4fd338ddf03b813a8d45cce67c7ec7a01)

- - - - -
b01e1e33 by Christof Schmitt at 2019-05-14T13:58:10Z
winbind: Use domain name from lsa query for sid_to_name cache entry

When winbindd is asked to map a name like realm.com\name to a SID ,that
is sucessfully resolved through the lsa lookup name call. The same call
also returns the short domain name (netbios name of the domain). Use
that short domain name for the sid_to_name cache entry, so that
subsequent sid_to_name queries return the expected netbiosname\name
result and not realm.com\name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13831

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit aec9bda25f10ca2710d91fb680cca7904e92f9de)

- - - - -
ea74b0eb by Stefan Metzmacher at 2019-05-14T13:58:10Z
dbcheck: fix the err_empty_attribute() check

ldb.bytes('') == '' is never True in python3,
we nee ldb.bytes('') == b'' in order to
check that on attribute has an empty value,
that seems to work for python2 and python3.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13843

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Noel Power <npower at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Mar 21 18:15:20 UTC 2019 on sn-devel-144

(cherry picked from commit 261ef9d5b62f0d49f858717e6d8b4b41f008efb5)

- - - - -
1efa1e01 by Tim Beale at 2019-05-14T13:58:11Z
tests: Add test for setting min/maxPwdAge

Currently setting maxPwdAge doesn't work at all.

While we're adding a test, we might as well assert that minPwdAge
can't be greater than maxPwdAge as well.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13873

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d247a600845fdc6bf232496e8db56cd1d95a3022)

- - - - -
36da4c09 by Tim Beale at 2019-05-14T13:58:11Z
netcmd: Use python constant for -0x8000000000000000

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13873

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b43f997f2397771b159c49526a36bd2b3467b0ef)

- - - - -
afc2243b by Tim Beale at 2019-05-14T13:58:11Z
netcmd: Add some timestamp conversion helper functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13873

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 940306a24a8d14fbb8c76c5a60b3d5f2773873a0)

- - - - -
893ac2a6 by Tim Beale at 2019-05-14T17:36:28Z
netcmd: Fix passwordsettings --max-pwd-age command

The min_pwd_age and max_pwd_age parameters are both optional and default
to None. However, if we just set the max-pwd-age, then the check
'min_pwd_age >= max_pwd_age' will throw a Python exception because it's
trying to compare an int to NoneType (min_pwd_age). This works on Python 2
but is a problem on Python 3.

We could just add a check that min_pwd_age is not None, but that defeats
the point of having the check if you're only setting either the min or
max age indepedently.

This patch gets the current min/max password age from the DB (in ticks).
If either setting is changed, the ticks will be updated. Then at the end
we check the min is still less than the max (to do this, we convert the
ticks back to days in the interests of readability).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13873

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Apr  5 08:03:08 UTC 2019 on sn-devel-144

(cherry picked from commit 7a410ccb5f6f2958d56fa6f16d8780c69a3830dd)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Tue May 14 17:36:28 UTC 2019 on sn-devel-144

- - - - -
d1962a5f by Douglas Bagnall at 2019-05-16T10:37:48Z
pytests/dns: use 2.6 compatible syntax

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13886
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
2cc3b4c4 by Volker Lendecke at 2019-05-16T10:37:49Z
lib: Initialize getline() arguments

Keep "len" valid across the loop iterations for getline to consume

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13892

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit c0b2272a7d15d266ce64c86cf6a313b5b0fb67fd)

- - - - -
9c167fa8 by Gary Lockyer at 2019-05-16T10:37:49Z
lib util debug: Increase format buffer to 4KiB

Increase the debug line buffer to 4KiB, the existing size of 1KiB is too
small for dsdbChange JSON audit messages.  These messages were then
split across multipe lines causing issues in log ingestion tools
expecting single line messages.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13902

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

Autobuild-User(master): Gary Lockyer <gary at samba.org>
Autobuild-Date(master): Mon May  6 01:18:22 UTC 2019 on sn-devel-184

(cherry picked from commit ad3af7cdffb98b7998857db609548fc96f60c669)

- - - - -
38746ec0 by Christof Schmitt at 2019-05-16T10:37:49Z
selftest: Add gid-to-sid lookup to idmap_ad test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit d7b5ad5e6159c224f70bea782bbdc46059e67978)

- - - - -
28b5ff2c by Christof Schmitt at 2019-05-16T10:37:49Z
selftest: Use fl2008r2dc for ad_member_idmap_ad

fl2008r2dc already has a trusted domain. That will be used to use
idmap_ad for querying idmap attributes from the trusted domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8266bd1f45d1b5b2a61d84006ab8e8e1ed0e52a9)

- - - - -
79c04524 by Christof Schmitt at 2019-05-16T10:37:49Z
selftest: Make trusted domain information available for idmap_ad environment

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 281fb81ab1c72831c752be44fd1bfdcfd10bd798)

- - - - -
c3c2f370 by Christof Schmitt at 2019-05-16T10:37:49Z
selftest: Add idmap configuration for trusted domain for idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 65e1d783cb17904cd117d896569e7cbe79a3131b)

- - - - -
3a46730f by Christof Schmitt at 2019-05-16T10:37:50Z
selftest: Pass trusted domain information to idmap_ad test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ac0f8656eed39a4527a5336cf93aa1508666f79b)

- - - - -
24d39db5 by Christof Schmitt at 2019-05-16T10:37:50Z
selftest: Add trusted domain tests for idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2577f43a133f8b8eb997b9529a38e21c77b5da22)

- - - - -
1fa6a46f by Volker Lendecke at 2019-05-16T10:37:50Z
winbind: Fix overlapping id ranges

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Apr 24 02:25:56 UTC 2019 on sn-devel-184

(cherry picked from commit 3020050bdf9df077ec9a0e962a689557187174ac)

- - - - -
c7f25b25 by Ralph Wuerthner at 2019-05-16T10:37:50Z
s3:debug: use struct initializer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13904

Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
(cherry picked from commit b9e1b4ad0033c211710da285c30d603ccb8b8d40)

- - - - -
c584a4b4 by Ralph Wuerthner at 2019-05-16T10:37:50Z
s3:debug: adjust indention

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13904

Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>
(cherry picked from commit a45675879ddcb43ab274d28496eedd6833466ae4)

- - - - -
de505618 by Ralph Wuerthner at 2019-05-16T10:37:51Z
s3:debug: enable logging for early startup failures

Commit c89a33a07a 'debug: Use backends instead of explicitly logging to
syslog or file' introduced a regression where early startup failures (e.g.
unable to connect to CTDB) are no longer logged because the debug subsystem
is not yet fully initialized. Enable logging again with reasonable defaults
when reopen_logs() is called and the parameter file is not yet parsed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13904

Signed-off-by: Ralph Wuerthner <ralph.wuerthner at de.ibm.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Christof Schmitt <cs at samba.org>

Autobuild-User(master): Christof Schmitt <cs at samba.org>
Autobuild-Date(master): Thu Apr 18 22:21:15 UTC 2019 on sn-devel-144

(cherry picked from commit 9b30fcda64080592d20de64b384fd6d3d0775cbf)

- - - - -
f4a603a9 by Robert Sander at 2019-05-16T10:37:51Z
s3: modules: ceph: use current working directory instead of share path

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13918

Signed-off-by: Robert Sander <r.sander at heinlein-support.de>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu May  2 19:34:11 UTC 2019 on sn-devel-184

(cherry picked from commit 966fc0dc604299a87e40e7170d80911475317db5)

- - - - -
649dd7bc by Stefan Metzmacher at 2019-05-16T10:37:51Z
s4:torture/smb2: add smb2.stream.names3 test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13919

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b5c4fdbf99caa3a9e7c6446cfbc4f1b23b84b3c8)

- - - - -
07382f07 by Stefan Metzmacher at 2019-05-16T10:37:51Z
smbd: allow case insensitive opens of named streams

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13919

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2a69c0915586fb9fb2148239965d06bf9f93c803)

- - - - -
3205d032 by Stefan Metzmacher at 2019-05-16T10:37:51Z
s4:libcli/raw: add RAW_FILEINFO_NORMALIZED_NAME_INFORMATION support

This is supported over the wire in SMB 3.1.1 on starting with
Windows 10 1803.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13919

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 0c602319194bda6b2a0efdd7c186078583f79264)

- - - - -
5308f042 by Stefan Metzmacher at 2019-05-16T10:37:51Z
s4:torture/smb2: add smb2.getinfo.normalized test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13919

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8a5828de2bdd95223e5f30996d0490fef53742dd)

- - - - -
42b32da4 by Stefan Metzmacher at 2019-05-16T10:37:52Z
smbd: implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling

Windows 10 (1803 and higher) support and use
SMB_FILE_NORMALIZED_NAME_INFORMATION calls over the network. As a
fallback (in case the server don't support it) the client traverses all
path components, which is very expensive.

Implementing SMB_FILE_NORMALIZED_NAME_INFORMATION is very cheap for us
as the open already went through unix_convert() and we have the
information the client is asking for.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13919

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed May  1 18:33:00 UTC 2019 on sn-devel-184

(cherry picked from commit b20fd15e04ce9292f90a7f70f4184e43034b4b9d)

- - - - -
8c9abb27 by Martin Schwenke at 2019-05-16T10:37:52Z
ctdb-tools: Fix ctdb dumpmemory to avoid printing trailing NUL

Fix ctdb rddumpmemory too.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13923

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit f78d9388fb459dc83fafb4da6e683e3137ad40e1)

- - - - -
c054f19f by Martin Schwenke at 2019-05-16T10:37:52Z
ctdb-tests: Extend test to cover ctdb rddumpmemory

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13923

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 8108b3134c017c22d245fc5b2207a88d44ab0dd2)

- - - - -
8bb1726f by Martin Schwenke at 2019-05-16T10:37:52Z
ctdb-tests: Change sanity_check_output() to internally use $out

All callers are currently passed $out.  Global variable $out is used
in many other places so use it here to simplify the interface and make
future changes simpler.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 7c3819d1ac264acf998f426e0cef7f6211e0ddee)

- - - - -
2044466d by Martin Schwenke at 2019-05-16T10:37:52Z
ctdb-tests: Make try_command_on_node less error-prone

This sometimes fails, apparently due to a cat process in onnode
getting EAGAIN.  The conclusion is that tests that process large
amounts of output should not depend on a sub-shell delivering that
output into a shell variable.

Change try_command_on_node() to leave all of the output in file
$outfile and just put the first 1KB into $out.  $outfile is removed
after each test completes.

Change the implementation of sanity_check_output() to use $outfile
instead of $out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 9d02452a24625df5f62fd6d45a16effe2fa45fbe)

- - - - -
221da170 by Martin Schwenke at 2019-05-16T10:37:53Z
ctdb-tests: Avoid bulk output in $out, prefer $outfile

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 066cc5b0c561464ed08890d9aa1a1a55b545e9cc)

- - - - -
b8cf1594 by Martin Schwenke at 2019-05-16T10:37:53Z
ctdb-tests: Wait to allow database attach/detach to take effect

Sometimes the detach test fails:

  Check detaching single test database detach_test1.tdb
  BAD: database detach_test1.tdb is still attached
  Number of databases:4
  dbid:0x5ae995ee name:detach_test4.tdb path:tests/var/simple/node.0/db/volatile/detach_test4.tdb.0
  dbid:0xd84cc13c name:detach_test3.tdb path:tests/var/simple/node.0/db/volatile/detach_test3.tdb.0
  dbid:0x8e8e8cef name:detach_test2.tdb path:tests/var/simple/node.0/db/volatile/detach_test2.tdb.0
  dbid:0xc62491f4 name:detach_test1.tdb path:tests/var/simple/node.0/db/volatile/detach_test1.tdb.0
  Number of databases:3
  dbid:0x5ae995ee name:detach_test4.tdb path:tests/var/simple/node.1/db/volatile/detach_test4.tdb.1
  dbid:0xd84cc13c name:detach_test3.tdb path:tests/var/simple/node.1/db/volatile/detach_test3.tdb.1
  dbid:0x8e8e8cef name:detach_test2.tdb path:tests/var/simple/node.1/db/volatile/detach_test2.tdb.1
  Number of databases:4
  dbid:0x5ae995ee name:detach_test4.tdb path:tests/var/simple/node.2/db/volatile/detach_test4.tdb.2
  dbid:0xd84cc13c name:detach_test3.tdb path:tests/var/simple/node.2/db/volatile/detach_test3.tdb.2
  dbid:0x8e8e8cef name:detach_test2.tdb path:tests/var/simple/node.2/db/volatile/detach_test2.tdb.2
  dbid:0xc62491f4 name:detach_test1.tdb path:tests/var/simple/node.2/db/volatile/detach_test1.tdb.2
  *** TEST COMPLETED (RC=1) AT 2019-04-27 03:35:40, CLEANING UP...

When issued from a client, the detach control re-broadcasts itself
asynchronously to all nodes and then returns success.  The controls to
some nodes to do the actual detach may still be in flight when success
is returned to the client.  Therefore, the test should wait for a few
seconds to allow the asynchronous controls to complete.

The same is true for the attach control, so workaround the problem in
the attach test too.

An alternative is to make the attach and detach controls synchronous
by avoiding the broadcast and waiting for the results of the
individual controls sent to the nodes.  However, a simple
implementation would involve adding new nested event loops.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 3cb53a7a05409925024d6a67bcfaeb962d896e0b)

- - - - -
3582e306 by Martin Schwenke at 2019-05-16T10:37:53Z
ctdb-tests: Fix usage message

Since commit 0e9ead8f28fced3ebfa888786a1dc5bb59e734a3 daemons have
been shut down after each test, so this option no longer has anything
to do with killing daemons.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit a2ab6485e027ebb13871c7d83b7626ac5c9b98c0)

- - - - -
0cdf5c6b by Martin Schwenke at 2019-05-16T10:37:53Z
ctdb-tests: Don't clean up test var directory in autotest target

If the directory is always cleaned up then it is not possible to look
at daemon logs to debug test failures.

This target is only really used by autobuild.py, which (optionally)
cleans up the parent directory anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Tue May  7 06:56:01 UTC 2019 on sn-devel-184

(cherry picked from commit 5a9e338330fe136908a3a17a5df81c054c5cc5b0)

- - - - -
33739d55 by Martin Schwenke at 2019-05-16T10:37:54Z
ctdb-tests: Actually restart if cluster doesn't become healthy

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 97ad353a67ce0232d7ca5637f1bf8886e2df1aca)

- - - - -
65bf14af by Martin Schwenke at 2019-05-16T10:37:54Z
ctdb-tests: Remove old socket wrapper state directory during setup

Otherwise, when looping tests for a long time, nodes are unable to
connect to each other.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Mon May 13 08:42:44 UTC 2019 on sn-devel-184

(cherry picked from commit c75fbeaa96108cd4dc193ef5f4170977804e5104)

- - - - -
efb35a1a by Martin Schwenke at 2019-05-16T10:37:54Z
ctdb-tests: Capture output in $out on failure as well

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit cf00db40355b49443263187f9d97934f91287e51)

- - - - -
63a59de4 by Martin Schwenke at 2019-05-16T10:37:54Z
ctdb-tests: Make ctdb reloadips tests more reliable

ctdb reloadips will fail if it can't disable takover runs.  The most
likely reason for this is that there is already a takeover run in
progress.  We can't predict when this will happen, so retry if this
occurs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 8be4ee1a28d5c037955832b6f827d40f28f02796)

- - - - -
52ba5136 by Martin Schwenke at 2019-05-16T10:37:54Z
ctdb-tests: Fix logic error in simple ctdb reloadips test

There is a chance that restoring IP addresses to the test node will
result in different IP addresses being assigned to that node.
Removing a single IP address may then fail (or be a no-op) if it is
done after the restore.

So, swap the single IP address removal to happen first, then restore,
then remove all IP addresses.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13924

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit dc89db8ca6aadd4a9f7e8a85843c53709d04587c)

- - - - -
385a36b7 by Gary Lockyer at 2019-05-16T10:37:54Z
nsswitch pam_winbind: Fix Asan use after free

Fix use after free condition detected by Address Sanitizer triggered by
wbcLogonUserInfoDestructor, wbcFreeMemory has code to detect and prevent a
double free.  This patch prevents the Address Sanitizer error, allowing
tests to be run with Address Sanitizer enabled.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13927

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon May  6 08:55:22 UTC 2019 on sn-devel-184

(cherry picked from commit 193b44466ba05deba8f2b1fdc16ab55c102e82ad)

- - - - -
6aa0fd8b by Gary Lockyer at 2019-05-16T10:37:55Z
s4 lib socket: Ensure address string owned by parent struct

The local address string was not owned by it's parent structure, which
caused a use after free error in
continue_ip_open_socket source4/librpc/rpc/dcerpc_sock.c:267

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13929

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed May  8 20:03:42 UTC 2019 on sn-devel-184

(cherry picked from commit ae9fb93393bcadbc71328335e481e4381ecb65bf)

- - - - -
8a320aad by Martin Schwenke at 2019-05-16T10:37:55Z
ctdb-daemon: Never use 0 as a client ID

ctdb_control_db_attach() and ctdb_control_db_detach() assume that any
control with client ID 0 comes from another daemon and treat it
specially.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13930

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 8663e0a64fbdb9ea16babbfe87d6f5d7a7b72bbd)

- - - - -
8542379b by Gary Lockyer at 2019-05-16T10:37:55Z
s3 rpc_client: Fix Asan stack use after scope

Fixes Asan error:

==1924==ERROR: AddressSanitizer: stack-use-after-scope on address
    0x7ffe63f873d0 at pc 0x7fb99dae1733 bp 0x7ffe63f86a00 sp 0x7ffe63f861a8
READ of size 24 at 0x7ffe63f873d0 thread T0
    #0 0x7fb99dae1732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
    #1 0x7fb99cfe5549 in memcpy
        /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x7fb99cfe5549 in ndr_push_bytes
        ../../librpc/ndr/ndr_basic.c:729
    #3 0x7fb99cfe5646 in ndr_push_array_uint8
        ../../librpc/ndr/ndr_basic.c:754
    #4 0x7fb99a69dd1b in ndr_push_netr_ChallengeResponse
        librpc/gen_ndr/ndr_netlogon.c:462
    #5 0x7fb99a6c5fab in ndr_push_netr_NetworkInfo
        librpc/gen_ndr/ndr_netlogon.c:556
    #6 0x7fb99a6c749d in ndr_push_netr_LogonLevel
         librpc/gen_ndr/ndr_netlogon.c:783
    #7 0x7fb99a7222de in ndr_push_netr_LogonSamLogonEx
         librpc/gen_ndr/ndr_netlogon.c:16547
    #8 0x7fb99c982c97 in dcerpc_binding_handle_call_send
         ../../librpc/rpc/binding_handle.c:416

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13936

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri May 10 10:02:21 UTC 2019 on sn-devel-184

(cherry picked from commit a5d1df4a8f9c535ff2f7ef11d7dfea4d79d65e7e)

- - - - -
4f0a4fac by Andreas Schneider at 2019-05-16T10:37:55Z
s4:auth: Fix debug statement in gensec_gssapi

The 'role' is set to null, we should first set it to the correct value
before printing anything.

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit bd29f3fcc023d00afde8e9cc2f9db22dcae49877)

- - - - -
40587294 by Andreas Schneider at 2019-05-16T10:37:55Z
s3:rpc_server: Do not free the tdbname before we printed it

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 790d7e34cbe4e190d6acdd24696efe53944cd4a6)

- - - - -
b522ed38 by Andreas Schneider at 2019-05-16T10:37:56Z
s4:ntvfs: Do not free eadb before we printed an error

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 6da032df5450ef72f8608a19b3b5cc6e9185cd6e)

- - - - -
a81f78ce by Andreas Schneider at 2019-05-16T10:37:56Z
s4:torture: Do not print NULL strings we just checked before

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit be72dfbc8edc53ed191dc01668a53cafb5cd785d)

- - - - -
4113054a by Andreas Schneider at 2019-05-16T10:37:56Z
lib:torture: Fix string comparison macros where we directly pass NULL

See e.g. lib/util/tests/strlist.c +177

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit a8f773e326d6bdfc1c9eb87a74c00108f6620c56)

- - - - -
b578a2df by Andreas Schneider at 2019-05-16T10:37:56Z
s4:torture: Do not free full_name before we printed it

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 46f036d3231bc99cf37c7cabf82757d3c28c5cff)

- - - - -
5b6adbb0 by Andreas Schneider at 2019-05-16T10:37:56Z
ctdb:common: Do not print NULL if we don't get a sockpath

sock_socket_start_recv() might not fill sockpath if we return early.

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 830cb7e67568de5f3ce359cb6af3be8ab545c824)

- - - - -
601cb1d5 by Andreas Schneider at 2019-05-16T10:37:56Z
s3:winbindd: Do not free db_path in idmap_tdb2 before we printed it

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit e333425e0ff6be5691b74a920610b508e7d26892)

- - - - -
b0e862a6 by Andreas Schneider at 2019-05-16T10:37:57Z
s3:utils: If share is NULL in smbcquotas, don't print it

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3653dc7013518d90e6deb08a1f21d7472dc86675)

- - - - -
f7ffa7a0 by Andreas Schneider at 2019-05-16T10:37:57Z
s3:utils: If share is NULL in smbcacls, don't print it

Found by GCC 9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13937

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2b957bde5a2f0f670ee0c8acde6edae1f4aaf253)

- - - - -
198cb5b0 by Ralph Boehme at 2019-05-16T10:37:57Z
s3:smbd: don't use recvfile on streams

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13938

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu May  9 20:43:53 UTC 2019 on sn-devel-184

(cherry picked from commit 219bc189472acff24410009ee16a409e0aaf8eef)

- - - - -
5c9489ba by Jeremy Allison at 2019-05-16T10:37:57Z
s3: SMB1: Don't allow recvfile on stream fsp's.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13938

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri May 10 01:14:02 UTC 2019 on sn-devel-184

(cherry picked from commit 667db8e8c7836c750085729f5062807669cbb204)

- - - - -
4c02823a by Andreas Schneider at 2019-05-16T10:37:57Z
s3:smbspool: Fix regression printing with Kerberos credentials

This is a regression which has been introduced with Samba 4.8.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit fd4b1f4f16aee3e3c9a2cb449655edfed171963a)

- - - - -
417a4d2c by David Disseldorp at 2019-05-16T10:37:58Z
vfs_ceph: fix cephwrap_flistxattr() debug message

The @list buffer may be uninitialised prior to ceph_flistxattr()
invocation, so only log the address.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13940

Signed-off-by: David Disseldorp <ddiss at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): David Disseldorp <ddiss at samba.org>
Autobuild-Date(master): Fri May 10 12:59:05 UTC 2019 on sn-devel-184

(cherry picked from commit 21dc6f8e8d82f84e4afda355a48fbbd39c7fe800)

- - - - -
32065a07 by Martin Schwenke at 2019-05-16T10:37:58Z
ctdb-recoverd: Fix memory leak

state is always freed before exiting this function, so allocate fde
off it instead of long-lived ctdb context.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13943

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 6a2941e2a9fd6ab2d5b8dbac042b61a7b1b0b914)

- - - - -
0d4280ab by Martin Schwenke at 2019-05-16T10:37:58Z
ctdb-common: Fix memory leak

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13943

Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 30bc6e2529cdd444d4ec7902844c3a6fb0858090)

- - - - -
d6243acb by Amitay Isaacs at 2019-05-16T13:56:00Z
ctdb-common: Fix memory leak in run_proc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13943

Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Tue May 14 08:59:03 UTC 2019 on sn-devel-184

(cherry picked from commit b1f4c86eea022999d5439e4a6ef3494fe41479b6)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Thu May 16 13:56:00 UTC 2019 on sn-devel-144

- - - - -
fa9de546 by Karolin Seeger at 2019-05-22T09:48:35Z
WHATSNEW: Add release notes for Samba 4.10.4.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
d3cfdd71 by Karolin Seeger at 2019-05-22T09:49:22Z
VERSION: Disable GIT_SNAPSHOT for the 4.10.4 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
827b5423 by Karolin Seeger at 2019-05-22T09:50:17Z
VERSION: Bump version up to 4.10.5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
8eb462bf by Karolin Seeger at 2019-05-22T10:05:58Z
Merge tag 'samba-4.10.3' into v4-10-stable

samba: tag release samba-4.10.3

Signed-off-by: Karolin Seeger <kseeger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
def2c7da by Karolin Seeger at 2019-05-22T10:14:55Z
Merge 'origin/v4-10-stable' into the real 4.10.4 release

Signed-off-by: Karolin Seeger <kseeger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
8e479542 by Karolin Seeger at 2019-05-22T10:16:02Z
VERSION: Disable GIT_SNAPSHOT for the 4.10.4 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
5508e9c8 by Karolin Seeger at 2019-05-22T10:31:17Z
Merge tag 'samba-4.10.4' into v4-10-test

samba: tag release samba-4.10.4

Signed-off-by: Karolin Seeger <kseeger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
7f1d37ab by Stefan Metzmacher at 2019-06-13T08:52:26Z
dsdb/repl: we need to replicate the whole schema before we can apply it

Otherwise we may not be able to construct a working schema that's
required to apply the changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12204
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13713

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 661dc4574110b0f13c127c8aa6ed0c385292b77c)

- - - - -
183d21bd by Stefan Metzmacher at 2019-06-13T08:52:26Z
drsuapi.idl: add DRSUAPI_ATTID_schemaInfo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 140a6733a458d0afa20237a09ef4ee2546a83a8f)

- - - - -
4ebeef8e by Aaron Haslett at 2019-06-13T08:52:26Z
samdb: test for schemainfo update with relax control

Currently schema info's revision field isn't incremented if relax
control is present.  This is so that no increment is done during
provision, but we need the relax control in other situations where the
increment is desired.  This patch adds a failing test to expose the
problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799

Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit e34abefb77729330cd48bc039c82b03fe545f8a9)

- - - - -
1711b155 by Stefan Metzmacher at 2019-06-13T08:52:26Z
ldapcmp: ignore 'schemaInfo' if two domains are compared

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit b5b572d5f71e2b9783ddb25c21ac32904fbfd661)

- - - - -
b97bba87 by Stefan Metzmacher at 2019-06-13T08:52:26Z
s4:provision: split out provision_self_join_modify_schema.ldif

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 5ea84af2d69e0b3a2a801ea0cc3f4ffc66bf1764)

- - - - -
d2d8caf4 by Stefan Metzmacher at 2019-06-13T08:52:26Z
python/provision: use provision and relax controls for schema provision

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 7652439fa1aab92945f5540a43fc49568d446917)

- - - - -
36830a4e by Aaron Haslett at 2019-06-13T08:52:27Z
dsdb:samdb: schemainfo update with relax control

Currently schema info's revision field isn't incremented if relax
control is present.  This is so that no increment is done during
provision, but we need the relax control in other situations where
the increment is desired, so we should use the provision control instead
to disable schema info update.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799

Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit b7c1752754da1e8a83a53670cf4a410ec6e9d7b7)

- - - - -
79d0ad8b by Stefan Metzmacher at 2019-06-13T08:52:27Z
python/ntacls: we only need security.SEC_STD_READ_CONTROL in order to get the ACL

We should avoid security.SEC_FLAG_MAXIMUM_ALLOWED otherwise
we may get NT_STATUS_SHARING_VIOLATION when we run
'samba-tool domain backup online' against a Windows DC.
Windows DCs have hidden folders for the NtFrs or Dfsr services,
which are locked by the running service.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13917

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 15032ec6df1abbb53f1b1d5377aab369f83ae707)

- - - - -
65bc340a by Andreas Schneider at 2019-06-13T08:52:27Z
s3:smbspool: Add the 'lp' group to the users groups

This is required to access files in /var/spool/cups which have been
temporarily created in there by CUPS.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b)

- - - - -
819b364f by Andreas Schneider at 2019-06-13T08:52:27Z
s3:smbspool: Print the principal we use to authenticate with

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5)

- - - - -
97c1b4d8 by Andreas Schneider at 2019-06-13T08:52:27Z
s3:smbspool: Add debug for finding KRB5CCNAME

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba)

- - - - -
1e4d726d by Andreas Schneider at 2019-06-13T08:52:27Z
s3:smbspool: Use %u format specifier to print uid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858)

- - - - -
4f3cb356 by Andreas Schneider at 2019-06-13T08:52:27Z
s3:smbspool: Fallback to default ccache if KRB5CCNAME is not set

This could also support the new KCM credential cache storage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3)

- - - - -
b8abd04c by Andreas Schneider at 2019-06-13T08:52:27Z
s3:smbspool: Print the filename we failed to open

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd)

- - - - -
d95b2eca by Andreas Schneider at 2019-06-13T08:52:27Z
s3:smbspool: Always try to authenticate using Kerberos

If username and password is given, then fallback to NTLM. However try
kinit first. Also we correctly handle NULL passwords in the meantime and
this makes it easier to deal with issues.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d)

- - - - -
57f1c2d4 by Andreas Schneider at 2019-06-13T08:52:28Z
s3:smbspool: Add debug messages to kerberos_ccache_is_valid()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3)

- - - - -
2e1b093e by Andreas Schneider at 2019-06-13T08:52:28Z
s3:smbspool: Use NTSTATUS return codes

This allows us to simplify some code and return better errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea)

- - - - -
b6b9f49c by Andrew Bartlett at 2019-06-13T08:52:28Z
s4 dsdb/repl_meta_data: allocate new extended DNs during ADD on a better context

Lower down in this function new_values is assigned over el->values and is
filled in with the values of all the parsed DNs.  Therefore it is the natural
talloc parent.

This will allow el->values to be allocated on tmp_ctx in the next commit for
a working area during the function call.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 4aa9924310287ff3b36618496fa6c707c615ad4c)

- - - - -
6946f069 by Gary Lockyer at 2019-06-13T08:52:28Z
s4 dsdb/repl_meta_data: fix use after free in dsdb_audit_add_ldb_value

Fix use after free detected by AddressSanitizer

AddressSanitizer: heap-use-after-free on address 0x61400026a4a0
                  at pc 0x7fd555c52f12 bp 0x7ffed7231180 sp 0x7ffed7231170
                  READ of size 1 at 0x61400026a4a0 thread T0
    #0 0x7fd555c52f11 in ldb_should_b64_encode
       ../../lib/ldb/common/ldb_ldif.c:197
    #1 0x7fd539dc9417 in dsdb_audit_add_ldb_value
       ../../source4/dsdb/samdb/ldb_modules/audit_util.c:491
    #2 0x7fd539dc9417 in dsdb_audit_attributes_json
       ../../source4/dsdb/samdb/ldb_modules/audit_util.c:651
    #3 0x7fd539dc6a7e in operation_json
       ../../source4/dsdb/samdb/ldb_modules/audit_log.c:305

The problem is that at the successful end of these functions
el->values is overwritten with new_values.  However get_parsed_dns()
points p->v at the supplied el and it effectively gets used
as a working area by replmd_build_la_val().  So we must duplicate it
because our caller only called ldb_msg_copy_shallow().

The reason this matters is that the audit_log module is
above repl_meta_data in the stack, and tries to log the
ldb_message it saw after the reply (to include the error code).
If that ldb_message is changed it is not only misleading,
it can point to memory that has since gone away.

In this case the memory for the full extended DN in the
member attribute ended up on 'ac', a context lost by
the time repl_meta_data has finished processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13941

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed May 15 05:35:47 UTC 2019 on sn-devel-184

(cherry picked from commit 0daa0ff921b270df9b794f02acbaa391c95cd89b)

- - - - -
643c75aa by Gary Lockyer at 2019-06-13T08:52:28Z
s4 dsdb: fix use after free in samldb_rename_search_base_callback

Fix use after free detected by AddressSanitizer

AddressSanitizer: heap-use-after-free on address 0x60f0002b2738
                  at pc 0x7f89b1a213b5 bp 0x7ffce9528810 sp 0x7ffce9528800
                  READ of size 8 at 0x60f0002b2738 thread T0
    #0 0x7f89b1a213b4 in samldb_rename_search_base_callback
        ../../source4/dsdb/samdb/ldb_modules/samldb.c:4203
    #1 0x7f89d3a0db4a in ldb_module_send_entry
        ../../lib/ldb/common/ldb_modules.c:793
    #2 0x7f89b6f27356 in es_callback
        ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13942

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b0cc6d217485c317b2138347216fac5d74684328)

- - - - -
4406c829 by Shyamsunder Rathi at 2019-06-13T08:52:28Z
s3:loadparm: Ensure to truncate FS Volume Label at multibyte boundary

For FS_VOLUME_INFO/FS_INFO operation, a maximum of 32 characters are
sent back. However, since Samba chops off any share name with >32
bytes at 32, it is possible that a multi-byte share name can get chopped
off between a full character. This causes the string decoding for unicode
failure which sends back NT_STATUS_ILLEGAL_CHARACTER (EILSEQ) to the client
applications.

On Windows, Notepad doesn't like it, and refuses to open a file in this
case and fails with the following error:

  Invalid character. For multibyte character sets, only the leading byte is
  included without the trailing byte. For Unicode character sets, include
  the characters 0xFFFF and 0xFFFE.

Proposed fix:
- Find the last starting point of a multibyte codepoint if the character
  at 32nd byte is a subsequent byte of a MB codepoint.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13947

Signed-off-by: Shyamsunder Rathi <shyam.rathi at nutanix.com>
Reviewed-by: Hemanth Thummala <hemanth.thummala at nutanix.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0fa490e8476a2a5020ff2c253167b8a9454e8b97)

- - - - -
def08d36 by Jeremy Allison at 2019-06-13T08:52:28Z
s3: winbind: Fix crash when invoking winbind idmap scripts.

Previously the private context was caching a pointer to
a string returned from lp_XXX(). This string can change
on config file reload. Ensure the string is talloc_strup'ed
onto the owning context instead.

Reported by Heinrich Mislik <Heinrich.Mislik at univie.ac.at>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13956

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit a1f95ba5db6fc017fad35377fbf76c048f2dd8ab)

- - - - -
9f7fc364 by Volker Lendecke at 2019-06-13T08:52:28Z
smbd: Enable "smbd:suicide mode" for smb2

The next commit needs an smbd to just exit and leave data behind in the
locking.tdb file. Don't make it harder to eventually phase out SMB1: Do
the test in SMB2.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13957
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
bec45189 by Volker Lendecke at 2019-06-13T08:52:29Z
smbtorture: Add a test to make smbd panic

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13957
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
ebe505e7 by Volker Lendecke at 2019-06-13T08:52:29Z
smbd: Fix a panic

Opening a file with a stale (smbd died) LEVEL_II oplock makes

vfs_set_filelen-> ... ->contend_level2_oplocks_begin_default

trigger the immediate leading to do_break_to_none. This goes through
because fsp->oplock_type is not initialized yet, thus 0. Also,
file_has_read_oplocks is still valid, because the smbd that has died
could not clean up the brlock.tdb entry.

Later in the code the exclusive oplock is granted, which is then found
by do_break_to_none, making it panic.

This patch just runs the direct FTRUNCATE instead of vfs_set_filelen.
This means the contend_level2_oplock code is skipped.

The relevant break (LEVEL_II to NONE) is now done in delay_for_oplock()
with the nice effect of removing a comment that was very confusing to
me.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13957
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed May 22 20:09:29 UTC 2019 on sn-devel-184

- - - - -
d1cb288b by Aliaksei Karaliou at 2019-06-13T08:52:29Z
s3:util: Move popen wrappers to lib/util

When linked into Samba3 libraries, sys_popen()/sys_pclose()
cannot be used in lower level libraries because of circular
dependencies.

This patch moves them into common samba-util library.

Extra fix needed to enable easy back-port of code for:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Aliaksei Karaliou <akaraliou at panasas.com>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 65ea3f2a461c0eeca7d14c4258eea52e19f0ed06)

- - - - -
21b99870 by Aliaksei Karaliou at 2019-06-13T08:52:29Z
s3:util: Move static file_pload() function to lib/util

file_pload() is static private function in Samba3 library, however it
does not have any special dependencies and might be widely used as
common function, so moving it into common samba-util library.

Extra fix needed to enable easy back-port of code for:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Aliaksei Karaliou <akaraliou at panasas.com>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d21fc7d8b86b0cddc619ffe528d9cd93eeedbb0b)

- - - - -
7ce66c8b by Jeremy Allison at 2019-06-13T08:52:29Z
lib: popen: Prepare to remove sys_popen().

Add sys_popenv(char * const argl[]) that uses a NULL
terminated vector array of args. Change sys_popen() to
split up its command string and call sys_popenv().

Once all callers are converted to sys_popenv() we
can remove sys_popen().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f20538de041eed1cadbabe2149b2b7cfcb779cb5)

- - - - -
59bf36ee by Jeremy Allison at 2019-06-13T08:52:29Z
lib: util: Add file_ploadv().

Not yet used.

Duplicate code to file_pload() except uses vectored
argument list. file_pload() will be removed once all
callers are converted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 5c34fa0b85e4d9a3c5fd4fa0b39af4772ec023db)

- - - - -
0f093e6b by Jeremy Allison at 2019-06-13T08:52:29Z
s3: lib: util: Add file_lines_ploadv().

Not yet used.

Duplicate code to file_lines_pload() except uses vectored
argument list. file_lines_pload() will be removed once all
callers are converted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3b19412baedfffb7adc2a79471f5b17990259c31)

- - - - -
c477e2a5 by Jeremy Allison at 2019-06-13T08:52:29Z
s3: smbd: Convert dfree code to use file_lines_ploadv().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d6453e1ffd92c7754862389a933a9fd9089ce518)

- - - - -
4912e62a by Jeremy Allison at 2019-06-13T08:52:29Z
s3: smbd: Convert print_svid code to use file_lines_ploadv().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f9ccf1cc3df13138a1a4b645c8190238ce011f04)

- - - - -
7bf8d14d by Jeremy Allison at 2019-06-13T08:52:30Z
s3: smbd: Convert sysquotas.c code to use file_lines_ploadv().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 4a63e3b9659c8715d436c66dee8bf420e2ea89fb)

- - - - -
1e94a68d by Jeremy Allison at 2019-06-13T08:52:30Z
s3: lib: Remove file_lines_pload().

No longer used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 02bc0ce9d22117b464bae47c5d09c45b4f7c2272)

- - - - -
681627eb by Jeremy Allison at 2019-06-13T08:52:30Z
lib: util: Remove file_pload()

No longer used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c5729ae44219ec81008040d4d50f0f5fdf254201)

- - - - -
8f690bbc by Jeremy Allison at 2019-06-13T08:52:30Z
s3: lib: Add file_ploadv_send().

Not yet used. Preparing to remove file_pload_send()
with this safer alternative.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 61054e53f53e5884902b566b1f9b454a3ff4741f)

- - - - -
bcfdd137 by Jeremy Allison at 2019-06-13T08:52:30Z
s3: winbind: Convert idmap to use file_ploadv_send().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 449d49946b295f574e1fed83b5a5ffbf1c1b1e30)

- - - - -
482219fe by Jeremy Allison at 2019-06-13T08:52:30Z
s3: lib: Remove file_pload_send().

No longer used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d5c363d65d771c792523f2f3e526c90514212fc2)

- - - - -
323fd664 by Ralph Boehme at 2019-06-13T08:52:30Z
s3: lib: Rename all uses of file_pload_XXX -> file_ploadv_XXX.

Keep naming consistent across all usage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit dbfa3cd186428c02589aa9093e868554b4c695d5)

- - - - -
024d287c by Jeremy Allison at 2019-06-13T08:52:30Z
lib: util: Finally remove possibilities of using sys_popen() unsafely.

All code now uses sys_popenv() which is much
harder to use incorrectly.

Remove the extract_args() function that was the
cause of possible issues.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9fa95d5b45369acfdd38923e8618e94e5d04b07e)

- - - - -
b78b7215 by Jeremy Allison at 2019-06-13T08:52:30Z
docs: dfree command. Correct usage of dfree scripts.

Add quotes to the sample scripts to prevent incorrect
parameter usage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13964

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri May 24 20:12:02 UTC 2019 on sn-devel-184

(cherry picked from commit 77eabd74e9a28b1e6decf0890a9ef4c83fa002d4)

- - - - -
40ab5075 by Douglas Bagnall at 2019-06-13T08:52:31Z
tests/samba-tool: test dns serverinfo/zoneinfo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13965

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>

- - - - -
16f3a73c by Douglas Bagnall at 2019-06-13T08:52:31Z
samba-tool dns: use bytes for inet_ntop

>From Python's point of view, array.AddrArray is a list of byte-valued
integers. In Python 3 we can convert directly using the likes of

         bytes(array.AddrArray[i].MaxSa[8:24])

but in 4.10 we need to support both, so we use struct.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13965

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Wed May 29 11:29:17 UTC 2019 on sn-devel-184

- - - - -
e0e1707d by Ralph Boehme at 2019-06-13T08:52:31Z
registry: add a missing include

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13840

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Karolin Seeger <kseeger at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon May 27 14:29:36 UTC 2019 on sn-devel-184

(cherry picked from commit e09053faf457f69ad9b5e6a34be43c947503575f)

- - - - -
6dcec5e2 by Ralph Boehme at 2019-06-13T08:52:31Z
s4:torture/vfs/fruit: ensure test_adouble_conversion() uses a non-emtpy resourcefork

This ensures the resource fork is not deleted as part of the AppleDouble file
conversion for the option fruit:wipe_intentionally_left_blank_rfork=yes.

This is currently not a problem in selftest, as we don't enable the option, but
a subsequent commit will run all vfs.fruit tests against a share with this
option enabled.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13958

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit c3d28d49be3c7536d1ccfe8d00553ce72843f369)

- - - - -
0dfaa704 by Ralph Boehme at 2019-06-13T08:52:31Z
s4:torture/vfs/fruit: ensure test_adouble_conversion_wo_xattr() uses a non-emtpy resourcefork

This ensures the resource fork is not deleted as part of the AppleDouble file
conversion for the option fruit:wipe_intentionally_left_blank_rfork=yes.

This is currently not a problem in selftest, as we don't enable the option, but
a subsequent commit will run all vfs.fruit tests against a share with this
option enabled.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13958

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit bb5a457f2872a383b58d62981dade322fca9b283)

- - - - -
886ab130 by Ralph Boehme at 2019-06-13T08:52:31Z
selftest: run vfs.fruit test against a share that deletes empty resource forks

This reveals a bug in the AppleDouble conversion code: the conversion code that
unlinks an empty resource fork AppleDouble sidecar file ("._file") gets
triggered as part of open_file_ntcreate(..., "file:AFP_AfpResource", ...):

after SMB_VFS_OPEN() has been called with O_CREAT, what created the file, we
call SMB_VFS_FSTAT() on the just created filehandle. This ends up in
ad_convert(), finds the resource fork empty and thus deletes the file.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13958

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8ed9b6b457923d2353d1d18838f4a278db48c6b9)

- - - - -
436356f8 by Ralph Boehme at 2019-06-13T08:52:31Z
vfs_fruit: add a forward declaration for ad_get()

Will be needed in the next commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13958

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4777d1163a7c18c89ce9be955903427a18134415)

- - - - -
090e8700 by Karolin Seeger at 2019-06-13T09:28:21Z
VERSION: Bump version up to 4.10.5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit 827b5423c0fe6ad472226b6d172e0460d074135a)

- - - - -
0b9da247 by Douglas Bagnall at 2019-06-13T09:28:28Z
CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation

We still want to return DOES_NOT_EXIST when request_filter is not 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d32b96ae by Douglas Bagnall at 2019-06-13T09:28:28Z
CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2

We still want to return DOES_NOT_EXIST when request_filter is not 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c4892009 by Douglas Bagnall at 2019-06-13T09:30:50Z
CVE-2019-12436 dsdb/paged_results: ignore successful results without messages

So that we don't dereference result->msgs[0] when it doesn't exist.
This can happen when the object has changed in such a way that it no
longer matches the original search query.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13951

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bfa9f92e by Karolin Seeger at 2019-06-13T09:53:44Z
WHATSNEW: Add release notes for Samba 4.10.5.

CVE-2019-12436 dsdb/paged_results: ignore successful results without messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13951

CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
09539176 by Karolin Seeger at 2019-06-13T09:53:44Z
VERSION: Disable GIT_SNAPSHOT for the 4.10.5 release.

CVE-2019-12436 dsdb/paged_results: ignore successful results without messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13951

CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
881793d5 by Ralph Boehme at 2019-06-13T13:55:34Z
vfs_fruit: change trigger points of AppleDouble conversion

This moves the trigger points where AppleDouble file conversion is run by
ad_convert() from deep down the callchain in ad_read_rsrc_adouble() to high
level VFS entry points.

Currently ad_convert() will be triggered as part of open_file_ntcreate(...,
"file:AFP_AfpResource", ...): after SMB_VFS_OPEN() has been called with O_CREAT,
what created the file, we call SMB_VFS_FSTAT() on the just created
filehandle. This ends up in ad_convert(), finds the resource fork empty and thus
deletes the file.

This commit moves calling of the conversion funtion to the high level VFS entry
points where the converted metadata is needed:

o for directory enumerations SMB_VFS_READDIR_ATTR() is called to fill in the
  repurposed fields in the directory entry metadata

o obviously for SMB_VFS_CREATE_FILE() on an macOS stream

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13958

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 78a4639b2d06cc69788861618d2e91945e142d2b)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Thu Jun 13 13:55:35 UTC 2019 on sn-devel-144

- - - - -
734d72bd by Karolin Seeger at 2019-06-19T07:22:20Z
Merge tag 'samba-4.10.5' into v4-10-test

samba: tag release samba-4.10.5

Signed-off-by: Karolin Seeger <kseeger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
70e8344a by Karolin Seeger at 2019-06-19T07:24:10Z
VERSION: Bump version up to 4.10.6...

GIT_SNAPSHOT is still enabled in v4-10-test.

Signed-off-by: Karolin Seeger <kseeger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
f830628c by Günther Deschner at 2019-06-21T06:49:28Z
Revert "s3/vfs_glusterfs: Dynamically determine NAME_MAX"

This reverts commit 8e3a042eb9e502821b147f1bbb2d98d59f17a095.

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
bb688404 by Günther Deschner at 2019-06-21T06:49:28Z
Revert "s3/vfs_glusterfs_fuse: Dynamically determine NAME_MAX"

This reverts commit e28d172b00cadf492c22bd892e2dda3bf2fe2d70.

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
77844846 by Günther Deschner at 2019-06-21T06:49:28Z
s3/vfs_glusterfs: Avoid using NAME_MAX directly

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13872

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
fa1de54c by Günther Deschner at 2019-06-21T06:49:28Z
s3/vfs_glusterfs_fuse: Avoid using NAME_MAX directly

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13872

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Tue Jun 11 00:29:19 UTC 2019 on sn-devel-184

- - - - -
207295b9 by Gary Lockyer at 2019-06-21T06:49:28Z
ldap tests: test scheme for referrals

Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6ccf74cf878c295903673e3a1d1ed924a5e87547)

- - - - -
8867c178 by Gary Lockyer at 2019-06-21T06:49:28Z
ldap server: generate correct referral schemes

Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals recieved via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184

(cherry picked from commit 1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa)

- - - - -
d9fed540 by Andrew Bartlett at 2019-06-21T06:49:28Z
samba-tool domain provision: Fix --interactive module in python3

The prompts were not being printed to the screen because the stream
was not being flushed.

As reported on the samba mailing list by Adam Xu:
https://lists.samba.org/archive/samba/2019-March/221753.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13828

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Tim Beale <timbeale at catalyst.net.nz>
(cherry picked from commit 31aecee1446c5006771aaa535ae85810bbfb5db0)

- - - - -
49acbea1 by Andrew Bartlett at 2019-06-21T06:49:29Z
ldb_kv: Skip @ records early in a search full scan

@ records like @IDXLIST are only available via a base search on the specific name
but the method by which they were excluded was expensive, after the unpack the
DN is exploded and ldb_match_msg_error() would reject it for failing to match the
scope.

This uses the fact that @ records have the DN=@ prefix on their TDB/LMDB key
to quickly exclude them from consideration.

Based on analysis by Garming Sam.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13893

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Apr 10 06:23:39 UTC 2019 on sn-devel-144

(cherry picked from commit 49b77d8df2d7113ac7ddb75e78de6628933ff852)

- - - - -
813856c1 by Stefan Metzmacher at 2019-06-21T06:49:29Z
dsdb:audit_log: avoid printing "... remote host [Unknown] SID [(NULL SID)] ..."

We better print "... remote host [Unknown] SID [S-1-5-18] ..."
in 'dsdb_audit' message, this matches what we print for
'dsdb_json_audit'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13916

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 706aba5bf62e674ae12786f6ab275752b8714464)

- - - - -
7f6b171c by Ralph Boehme at 2019-06-21T06:49:29Z
s3:auth: add reinit_guest_session_info()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8096cc7eb2b36b074ff17a52dc3540be4ecff6bb)

- - - - -
90a538f4 by Ralph Boehme at 2019-06-21T06:49:29Z
s3:smbd: call reinit_guest_session_info() in the conf updated handler

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f4e340a48b6f059a1daa66deb9c26da9e8fcd5e7)

- - - - -
d8e33def by Ralph Boehme at 2019-06-21T06:49:29Z
selftest: allow guest login in the ad_member_idmap_rid env

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ac2167eb2349dc1c453e14a65692f16c8ba6532e)

- - - - -
b312ceb5 by Ralph Boehme at 2019-06-21T06:49:29Z
tests: add a test for guest authentication

This verifies that smbd always adds BUILTIN\Guests to the guest token which is
required for guest authentication.

Currently the guest token depends on the on-disk configured group mappings. If
there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not
a member, the final guest token won't contain BUILTIN\Guests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0e88f98855e24cfddb55bef65c5910b8e662c630)

- - - - -
730c2490 by Ralph Boehme at 2019-06-21T06:49:29Z
s3:auth: explicitly add BUILTIN\Guests to the guest token

This changes ensures that smbd always adds BUILTIN\Guests to the guest token
which is required for guest authentication.

Currently the guest token depends on the on-disk configured group mappings. If
there's an existing group mapping for BUILTIN\Guests, but LOCALSAM\Guest is not
a member, the final guest token won't contain BUILTIN\Guests.

For SMB2 the flag SMB2_SESSION_FLAG_IS_GUEST will not be set in the final SMB2
SESSION_SETUP response, because smbd sets it based on the token containing the
BUILTIN\Guests SID S-1-5-32-546.

At the same time, the packet is not signed which causes Windows clients and
smbclient to reject the unsigned SMB2 SESSION_SETUP response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13944

Pair-programmed-with: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Jun  5 16:55:26 UTC 2019 on sn-devel-184

(cherry picked from commit a66af4c96accba4ee64eeb1958458b69f3ccec1d)

- - - - -
92bc9e3e by Ralph Boehme at 2019-06-21T06:49:30Z
vfs_fruit: pass handle to ad_fset()

On the course of removing ad_handle from struct adouble, step 1.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 585d4d49770b4ddc3f7d9dcbb3e322f072767781)

- - - - -
ab9a428f by Ralph Boehme at 2019-06-21T06:49:30Z
vfs_fruit: pass handle to ad_set()

On the course of removing ad_handle from struct adouble, step 2.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit c78ba30ac4534b7037b979ac96b77b834b2eb2fe)

- - - - -
25ee7f97 by Ralph Boehme at 2019-06-21T06:49:30Z
vfs_fruit: pass handle to ad_read()

On the course of removing ad_handle from struct adouble, step 3.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit d0abf945e683766029d28915541a4baf9f3879ab)

- - - - -
7a99bba9 by Ralph Boehme at 2019-06-21T06:49:30Z
vfs_fruit: pass handle to ad_read_meta()

On the course of removing ad_handle from struct adouble, step 4.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f8df09157f31b53dbe73eaf4349fc071bfcc1b90)

- - - - -
fd63fda7 by Ralph Boehme at 2019-06-21T06:49:30Z
vfs_fruit: indentation fix

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 47721d8d359ef78b8dd4f77f92c30c2caf2c4a80)

- - - - -
9b4ad2a3 by Ralph Boehme at 2019-06-21T06:49:30Z
vfs_fruit: use proper VFS function in ad_read_meta()

Continuing to ignore a possible error for now, this is in an error codepath
anyway.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 30ca328c698c2e035e240359bda7c9dcbeb646df)

- - - - -
03d1328e by Ralph Boehme at 2019-06-21T06:49:31Z
vfs_fruit: pass handle to ad_read_rsrc() and all the way down

On the course of removing ad_handle from struct adouble, step 5.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 661dfa4a19673fdb30d5bf36279cdf867454b947)

- - - - -
47e08c03 by Ralph Boehme at 2019-06-21T06:49:31Z
vfs_fruit: indentation fix

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 400b3c2f8c82b1defe1e321e0cdae486b930344f)

- - - - -
4e22296d by Ralph Boehme at 2019-06-21T06:49:31Z
vfs_fruit: pass handle to ad_convert_xattr()

On the course of removing ad_handle from struct adouble, step 7.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit fd2f4cf828ee4c31e3b5a27a79d3a0ee12a5877a)

- - - - -
3ff1b960 by Ralph Boehme at 2019-06-21T06:49:31Z
vfs_fruit: pass handle to ad_convert_blank_rfork()

On the course of removing ad_handle from struct adouble, step 8.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit adc7ac38b849b4dce4a85fd6442c8d4b9da57686)

- - - - -
f2b79684 by Ralph Boehme at 2019-06-21T06:49:31Z
vfs_fruit: pass handle to ad_convert_finderinfo()

On the course of removing ad_handle from struct adouble, step 9.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 50874c1548d62ab0ddaaa6dd4124279ee5029fcf)

- - - - -
ef0522b3 by Ralph Boehme at 2019-06-21T06:49:31Z
vfs_fruit: pass handle to ad_convert_delete_adfile()

On the course of removing ad_handle from struct adouble, step 10.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 5f4d16b40e07acf8d27fee62f1a56de175663a1d)

- - - - -
2b8eeb23 by Ralph Boehme at 2019-06-21T06:49:31Z
vfs_fruit: finally, remove ad_handle from struct adouble

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit e266daaed149561b746dbb8d5e9523862f0057b5)

- - - - -
8787ac79 by Ralph Boehme at 2019-06-21T06:49:32Z
vfs_fruit: add and use is_adouble_file()

This adds a helper function that checks whether the last component of a path is
an AppleDouble sidecar file with "._" name prefix.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ad70c947c759aa0965ee57f973fb8dc1909e0e39)

- - - - -
30f25ed6 by Ralph Boehme at 2019-06-21T06:49:32Z
vfs_fruit: add a missing else

Luckily the missing else has the same control flow due to the previous if and
else blocks calling return.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 44d8568001c87d28962dfc4e3fde6d0f7f409997)

- - - - -
8ceb0486 by Ralph Boehme at 2019-06-21T06:49:32Z
vfs_fruit: ignore AppleDouble files in fruit_unlink()

Otherwise, if SMB_VFS_UNLINK() is called for an AppleDouble path "._file", we
try to delete "._._file" which doesn't make sense. AppleDouble files don't have
AppleDouble themselves.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 797dc649456f39add4af8b54b60db0268ad4e90e)

- - - - -
d1164d9f by Ralph Boehme at 2019-06-21T06:49:32Z
vfs_fruit: use correct case FRUIT_RSRC_STREAM in readdir_attr_rfork_size()

This is a genuine bug, but luckily this would only impact configs which nobody
uses:

  fruit:metadata = netatalk
  fruit:resource = stream

With the above configuration the switch in readdir_attr_rfork_size() would hit
the default case and so always report resource forks as 0 bytes in size.

All deployment that I've seen that use fruit:resource=stream also use
fruit:metadata=stream, so the switch takes FRUIT_META_STREAM case which runs the
correct code readdir_attr_rfork_size_stream().

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 83179a74119de84d20f796c241aae6bccb83a68b)

- - - - -
cc1ff660 by Ralph Boehme at 2019-06-21T06:49:32Z
vfs_fruit: use stream code for resource fork size calculation in readdir_attr_rfork_size()

This works as well, using an fstat() on the filehandle to get the size. This is
tested by the torture test "vfs.fruit.SMB2/CREATE context AAPL".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit a23bcc1916a49bf3e0edece190e5434e39862d2c)

- - - - -
7bd5ceea by Ralph Boehme at 2019-06-21T06:49:32Z
vfs_fruit: remove now unused AppleDouble code for resource fork in xattr

This was only needed to get the resourcefork size via the ad_* AppleDouble
function. This is now done with a fstat on the low level xattr fd (remember,
this is Solaris only code...), so we can remove the xattr special casing from
the AppleDouble functions.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit cb9dffa1c66294b6eed85e7576aa99c642d0b541)

- - - - -
8f49fbfd by Ralph Boehme at 2019-06-21T06:49:32Z
vfs_fruit: remove xattr code from the AppleDouble subsystem

The subsystem consumers have been reworked in the previous commits, so this is
not used anymore. ad_init() doesn't need a handle argument anymore due to this,
remove it as well.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit e3cb1cb24f2a31d7fd03f3bdf417f4704fb4ac7c)

- - - - -
f890c4fb by Ralph Boehme at 2019-06-21T06:49:33Z
vfs_fruit: pass VFS handle to ad_convert_move_reso()

Not used for now, that comes next.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3919ea048fe3b763657e14cdfb5920184a900d27)

- - - - -
9ebfd4f2 by Ralph Boehme at 2019-06-21T06:49:33Z
vfs_fruit: remove a layer of indirection

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 97d485ff2cda85edeba163ea01b6abfa705db20f)

- - - - -
f5d1561c by Ralph Boehme at 2019-06-21T06:49:33Z
vfs_fruit: only do cross protocol locking on non-internal opens

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit f5f7d1e9bf7e39933ccf7c874e682f9df80a6fec)

- - - - -
d49df05e by Ralph Boehme at 2019-06-21T06:49:33Z
vfs_fruit: convert ad_open_rsrc() to open a proper fsp with SMB_VFS_CREATE_FILE()

A first step in converting all raw syscalls to use proper VFS functions. All
existing users of the raw system filedescriptor continue to use the fd from
fsp->fh for now.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 29418c726be74feb1d8c3ac9f7b8c983901a2aab)

- - - - -
7fc300d4 by Ralph Boehme at 2019-06-21T06:49:33Z
vfs_fruit: remove use of mmap() from ad_convert_move_reso()

We now have an fsp that we can use, so we can get rid of mmap() and
sys_pread()/sys_pwrite().

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 0041855af0b05d6c47558880d6eebd1970179272)

- - - - -
fef47b90 by Ralph Boehme at 2019-06-21T06:49:33Z
vfs_fruit: use fsp and remove mmap in ad_convert_xattr()

No need to mmap() anyway, the xattr data is already available in ad->ad_data.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4ff7ea0e0312c737aefd350f7b8fbed4c8602325)

- - - - -
28cdc442 by Ralph Boehme at 2019-06-21T06:49:33Z
vfs_fruit: add VFS handle to ad_convert_truncate()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4e44b1da9357120f0ad74e24c650bc6386085c47)

- - - - -
91ed0f8b by Ralph Boehme at 2019-06-21T06:49:34Z
vfs_fruit: use VFS function in ad_convert_truncate()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3739ad90cf2bbaa2094a34197c894363d2e24a5a)

- - - - -
2d6a2080 by Ralph Boehme at 2019-06-21T06:49:34Z
vfs_fruit: use fsp and remove syscalls from ad_convert_blank_rfork()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 70c4a8f0ac307009c26e857523192c95b42a92f5)

- - - - -
bdc257a1 by Ralph Boehme at 2019-06-21T06:49:34Z
vfs_fruit: use VFS functions in ad_read_rsrc_adouble()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 9fe84a6345bf5d9fdb1df87a853db3380e6fb0f7)

- - - - -
47a96935 by Ralph Boehme at 2019-06-21T06:49:34Z
vfs_fruit: remove a now unnecessary include

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13968

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu May 30 22:12:50 UTC 2019 on sn-devel-184

(cherry picked from commit 9a2c9834cb1b77547b8b932c35870301afb9fc25)

- - - - -
4f322848 by Andrew Bartlett at 2019-06-21T06:49:34Z
docs: Improve documentation of "lanman auth" and "ntlm auth" connection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit dbf3e81f7f0b28c69dca004b32ea3a7344b0cad3)

- - - - -
7c80167e by Rafael David Tinoco via samba-technical at 2019-06-21T06:49:34Z
ctdb-scripts: Fix tcp_tw_recycle existence check

net.ipv4.tcp_tw_recycle has been removed from Linux 4.12 but, still,
makes sense to check its existence. Unfortunately, current check does
not test for the procfs file existence. This commit fixes the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13984

Signed-off-by: Rafael David Tinoco <rafaeldtinoco at ubuntu.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Jun  4 23:31:24 UTC 2019 on sn-devel-184

(cherry picked from commit 843fbb1207ee7ac84f3282974b66b9290d8da0ac)

- - - - -
d106f5eb by Ralph Boehme at 2019-06-21T06:49:35Z
s3:mdssvc: fix flex compilation error

[4440/4495] Compiling bin/default/source3/rpc_server/mdssvc/sparql_lexer.lex.c
../../source3/rpc_server/mdssvc/sparql_lexer.l:26: error: "yyalloc" redefined [-Werror]
26 | #define yyalloc SMB_MALLOC

Looks like the dirty redefine trick doesn't work anymore with newer flex
versions. According to the flex manual the right thing to do is to provide own
functions for yyalloc and yyrealloc when passing the options "noyyalloc
noyyrealloc".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13987

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue May 28 11:49:06 UTC 2019 on sn-devel-184

(cherry picked from commit 9053391f86a529e0a7dbcd23fa3a555d85c2207c)

- - - - -
48c47f5d by Lukas Slebodnik at 2019-06-21T11:14:16Z
wafsamba: Use native waf timer

  __main__:1: DeprecationWarning: time.clock has been deprecated in Python 3.3
  and will be removed from Python 3.8: use time.perf_counter
  or time.process_time instead

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13998

Signed-off-by: Lukas Slebodnik <lslebodn at fedoraproject.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 8f082904ce580f1a6b8a06ebcc323c99e892bd1f)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Fri Jun 21 11:14:16 UTC 2019 on sn-devel-144

- - - - -
92186553 by Andreas Schneider at 2019-06-26T07:30:27Z
s3:client: Link smbspool_krb5_wrapper against krb5samba

Heimdal doesn't provide krb5_free_unparsed_name(), so we need to use the
function we provide in krb5samba.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9268919e046190c7b423133de3f9d0edada3f1b8)

- - - - -
1970eadd by Andreas Schneider at 2019-06-26T07:30:27Z
docs: Document DCEPRC binding string for rpcclient

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Feb  4 02:03:56 CET 2019 on sn-devel-144

(cherry picked from commit cca48c1a1029685672e1c25e39e8be2be947238f)

- - - - -
662d66dc by Björn Baumbach at 2019-06-26T07:30:27Z
selftest: add test for samba-tool ntacl get/set --use-ntvfs --xattr-backend=tdb

Signed-off-by: Björn Baumbach <bb at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 1b0184a9562689a658e75a0cfc69bdd23277cff6)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14002

- - - - -
f8d504ac by Björn Baumbach at 2019-06-26T11:37:29Z
python/ntacls: use correct "state directory" smb.conf option instead of "state dir"

samba-tool ntacl get testfile --xattr-backend=tdb --use-ntvfs
Fixes: Unknown parameter encountered: "state dir"

Signed-off-by: Björn Baumbach <bb at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 670a12df52df63a067b638d37bec71341bf18bdd)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14002

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Wed Jun 26 11:37:29 UTC 2019 on sn-devel-144

- - - - -
8052d52b by Stefan Metzmacher at 2019-07-03T10:21:43Z
ldb: Release ldb 1.5.5

Compared to 1.5.4:

* LDAP_REFERRAL_SCHEME_OPAQUE was added
  to ldb_module.h in order to fix bug #12478.
  It means that Samba >= 4.10.6 will no longer be able to
  build with ldb 1.5.4.

* We Skip @ records early in a search full scan
  in order to address bug #13893.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
9f1a6fe7 by Karolin Seeger at 2019-07-08T09:56:40Z
WHATSNEW: Add release notes for Samba 4.10.6.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
9c671870 by Karolin Seeger at 2019-07-08T09:57:39Z
VERSION: Disable GIT_SNAPSHOT for the 4.10.6 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
372ee382 by Karolin Seeger at 2019-07-08T09:58:35Z
VERSION: Bump version up to 4.10.7...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
8128cece by Andrew Bartlett at 2019-07-09T06:33:30Z
build: Allow build when --disable-gnutls is set

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13844

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Wed Mar 20 05:25:48 UTC 2019 on sn-devel-144

(cherry picked from commit a40b0f452af5f393aa33c9d52673994effd0e31f)

- - - - -
4179bdb6 by Douglas Bagnall at 2019-07-09T06:33:30Z
s4/pyrpc_util: appropriately decrement refcounts on failure

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit e23b9f88cc1c8a8c8cda07fb25d639218c12d91a)

- - - - -
4f70d4d7 by Gary Lockyer at 2019-07-09T06:33:30Z
s4 librpc rpc pyrpc: Ensure tevent_context deleted last

Ensure that the tevent_context is deleted after the connection, to
prevent a use after free.

Note: Py_DECREF calls dcerpc_interface_dealloc so the
TALLOC_FREE(ret->mem_ctx) calls in the error paths of
py_dcerpc_interface_init_helper needed removal.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13932

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d65b7641c84976c543ded8f0de5ab2da3c19b407)

- - - - -
58760fe8 by Gary Lockyer at 2019-07-09T06:33:30Z
s4 librpc rpc pyrpc: Fix flapping dcerpc.bare tests

Commit d65b7641c84976c543ded8f0de5ab2da3c19b407 had the parameters to
talloc_reparent reversed.  This caused the dcerpc.bare tests to flap.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13932

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Gary Lockyer <gary at samba.org>
Autobuild-Date(master): Wed May 22 03:03:43 UTC 2019 on sn-devel-184

(cherry picked from commit 3e6661fd73bb24ef5700a98f676f1df5eeca408b)

- - - - -
e9c23a02 by Stefan Metzmacher at 2019-07-09T06:33:30Z
s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()

The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc)

- - - - -
b7f586ca by Stefan Metzmacher at 2019-07-09T06:33:30Z
s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()

The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.

Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916)

- - - - -
1f0870a7 by Stefan Metzmacher at 2019-07-09T06:33:30Z
s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()

The gensec schannel module already asserts that at least
AUTH_LEVEL_INTEGRITY is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de)

- - - - -
27bd08f3 by Tim Beale at 2019-07-09T06:33:30Z
dsdb: Handle DB corner-case where PSO container doesn't exist

A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.

We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.

The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 295bf73e9b24b1f2b4594320a6501dc7410d4b43)

- - - - -
01a7df07 by Michael Adam at 2019-07-09T06:33:30Z
vfs:glusterfs: treat ENOATTR as ENOENT

The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.

Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.

This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT
to be fully functional again with latest gluster.

- Without this patch, samba against a new gluster will work correctly,
  but the get_real_filename optimization for a non-existing entry
  is lost.

- With this patch, Samba will not work correctly any more against
  very old gluster servers: Those (correctly) returned ENOATTR
  always, which Samba originally interpreted as EOPNOTSUPP, triggering
  the expensive directory scan. With this patch, ENOATTR is
  interpreted as ENOENT, the authoritative answer that the requested
  entry does not exist, which is wrong unless it really does not exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010

Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 8899eb21d48b7077328ae560490f9fb9715a6b83)

- - - - -
47431884 by Michael Adam at 2019-07-09T06:33:31Z
vfs:glusterfs_fuse: treat ENOATTR as ENOENT

The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.

Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.

This patch changes the glusterfs_fuse vfs module to treat ENOATTR as
ENOENT to be fully functional again with latest gluster.

- Without this patch, samba against a new gluster will work correctly,
  but the get_real_filename optimization for a non-existing entry
  is lost.

- With this patch, Samba will not work correctly any more against
  very old gluster servers: Those (correctly) returned ENOATTR
  always, which Samba originally interpreted as EOPNOTSUPP, triggering
  the expensive directory scan. With this patch, ENOATTR is
  interpreted as ENOENT, the authoritative answer that the requested
  entry does not exist, which is wrong unless it really does not exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010

Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>

Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184

(cherry picked from commit fee8cf326bfe240d3a8720569eab43f474349aff)

- - - - -
b56e010a by Tim Beale at 2019-07-09T10:31:39Z
s4/libnet: Fix joining a Windows pre-2008R2 DC

>From v4.8 onwards, Samba may not be able join a DC older than 2008R2
because the Windows DC doesn't support GET_TGT.

If the dsdb repl_md code can't resolve a link target it returns an
error, and the calling code (e.g. drs_util.py) should retry with
GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
so if you try to join an earlier Windows DC, the join will throw an
error that you can't work-around.

We can avoid this problem by setting the same DSDB flag that GET_TGT
sets to indicate that the link targets are as up-to-date as possible,
and so there's no point retrying. Missing targets are still logged, so
this at least allows the admin to fix up any problems after the join
completed.

I've only done this for the join case (problems during periodic
replication are probably still worth escalating to an error).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
DC may not have worked. When this problem occurred, the following
message would be displayed:
 'Failed to commit objects: DOS code 0x000021bf'
This particular issue has now been resolved. Note that there may still
be other potential problems that occur when joining an older Windows DC.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Tue Jul  9 10:31:40 UTC 2019 on sn-devel-144

- - - - -
fdec94ba by Stefan Metzmacher at 2019-08-08T07:30:10Z
lib/util: fix call to dbghdrclass() for DEBUGC()

dbghdrclass() sets the global 'current_msg_class' and for that
DEBUGC() should pass the given dbgc_class instead of the per file
DBGC_CLASS.

This is important with the new per class logfile with:

 log level = 1 dsdb_audit:10@/var/log/samba/log.dsdb_audit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit bb0ffbf38cb1955c9e400003add680eabcf706a6)

- - - - -
823d5709 by Stefan Metzmacher at 2019-08-08T07:30:11Z
lib/util: remove unused prototypes in debug.h

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d98a971247450d494c581c5454e6c270ad1b6880)

- - - - -
1dcb5dc3 by Stefan Metzmacher at 2019-08-08T07:30:11Z
lib/util: set current_msg_{level,class} also during a DEBUGADD[C]() call

In some situations we use DEBUGADDC() in order to print out content
without a related debug header line.

This is important with the new per class logfile with:

 log level = 1 dsdb_json_audit:10@/var/log/samba/log.dsdb_json_audit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0da12ff93d213ac742eeb865bfa5697ca8a2280a)

- - - - -
c51d810e by Andreas Schneider at 2019-08-08T07:30:11Z
third_party: Update waf to version 2.0.17

This fixes building Samba, libtalloc, libtevent, libtdb and libldb with
Python 3.8.

     wget https://waf.io/waf-2.0.17.tar.bz2
     tar -xf waf-2.0.17.tar.bz2
     git rm third_party/waf/waflib/ -r
     mkdir third_party/waf -p
     rsync -a waf-2.0.17/waflib/ third_party/waf/waflib/
     git add third_party/waf/waflib/

(Then update version number in buildtools/bin/waf and
buildtools/wafsamba/wafsamba.py)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13960

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit aabdcc91513e242c4f191e1bbbb70c890416d213)

- - - - -
bbe41dc7 by Stefan Metzmacher at 2019-08-08T07:30:11Z
dbcheck: fallback to the default tombstoneLifetime of 180 days

If a domain was provisioned by Windows 2000 this value is missing in the
database.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13967

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue May 28 08:32:10 UTC 2019 on sn-devel-184

(cherry picked from commit 2ef79a4c1d695a3e498b142810a1317d85b9b6da)

- - - - -
7dbde452 by Stefan Metzmacher at 2019-08-08T07:30:11Z
s4:torture: add local.ndr.dnsp tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 9a0c3a475f29138c0c49e0d22cf52ab45178d16b)

- - - - -
e7dfe3f7 by Stefan Metzmacher at 2019-08-08T07:30:11Z
dnsp.idl: fix dnsp_ip4_array definition

In future we should use ipv4address, but that would result in a much
larger change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 6d958af0b4cb6fd45cfda0298243859b3b043c6f)

- - - - -
d2087e4b by Stefan Metzmacher at 2019-08-08T07:30:11Z
dnsp.idl: fix the dnsp_dns_addr_array definition

The endian changes are needed in order to get the following result
from the blobs Windows generated (see the torture test):

  AddrArray: ARRAY(3)
      AddrArray: struct dnsp_dns_addr
          family                   : 0x0002 (2)
          port                     : 0x0035 (53)
          ipv4                     : 172.31.99.33
          ipv6                     : 0000:0000:0000:0000:0000:0000:0000:0000

[MS-DNSP] states that the port is supposed to be ignored, but it's still
good to decode it as port '53' (0x0035) instead of '13568' (0x3500).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
(cherry picked from commit 6fc7cc15048673d109042d7b40684ed63eb4ff9e)

- - - - -
b2849a88 by Stefan Metzmacher at 2019-08-08T07:30:11Z
dnsp.idl: fix payload for DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Jun 21 11:02:21 UTC 2019 on sn-devel-184

(cherry picked from commit aa2a3d95098231f48d7c308881bf66418164111e)

- - - - -
65c4f412 by Björn Baumbach at 2019-08-08T07:30:12Z
s4:torture:fsmo.py: test role transfers of dns partitions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Björn Baumbach <bbaumbach at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5e000a8487d788dd196980b77ec7299c8be74abf)

- - - - -
cfce211f by Stefan Metzmacher at 2019-08-08T07:30:12Z
samba-tool: fix replication after dns partition fsmo role transfer

The new role owner need to replicate from the old role owner.

Before we told the old role owner to replicate from itself.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4793f8ed584a4e6d8a26b06b691ec636e77d8f2a)

- - - - -
4d7ce477 by Björn Baumbach at 2019-08-08T07:30:12Z
s4:torture:fsmo.py: remove unused 'net_cmd' variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Signed-off-by: Björn Baumbach <bbaumbach at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0fbb013bef886e425602fdbbef14a4029719818f)

- - - - -
7788b9f3 by Stefan Metzmacher at 2019-08-08T07:30:12Z
samba-tool: use only one LDAP modify for dns partition fsmo role transfer

We should not risk that we end with no role owner.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6a2e3a15585086bcceb18283216978a2fcb30da3)

- - - - -
376bed3a by Björn Baumbach at 2019-08-08T07:30:12Z
samba-tool: add 'import samba.drs_utils' to fsmo.py

On some systems we're seeing this:

 ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 533, in run
     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 136, in transfer_dns_role
     except samba.drs_utils.drsException as e:

E.g. it happens on debian stretch (9.9) with python 2.7.13 (on 4.10.4)

While it doesn't happen on ubuntu 18.04 with python 2.7.15rc1 or
with python 3.6.7.

There were also some reports on the mailing lists, see:
https://lists.samba.org/archive/samba-technical/2019-May/133624.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Björn Baumbach <bbaumbach at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu May 30 08:27:24 UTC 2019 on sn-devel-184

(cherry picked from commit 320a5c5425e6ced18b1a9bf19b4f361ee16821ed)

- - - - -
b0ebe62f by Ralph Boehme at 2019-08-08T07:30:12Z
vfs_catia: pass stat info to synthetic_smb_fname()

This doesn't cause visible damage in vanilla Samba, but would affect downstream
consumers that add additional fields to struct smb_filename.

For the same reason there's no test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14015
RN: Ensure vfs_catia passes stat info to stacked VFS modules

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit ae6dd4853e3e651f6e56ce735bcb0a2264857385)

- - - - -
f839423b by Rafael David Tinoco at 2019-08-08T07:30:12Z
ctdb-config: depend on /etc/ctdb/nodes file

CTDB should start as a disabled unit (systemd) in most of the
distributions and, when trying to enable it for the first time, user
should get an unconfigured, or similar, error.

Depending on /etc/ctdb/nodes file will give a clear direction to final
user on what is needed in order to get cluster up and running. It should
work like previous ENABLED=NO variables in SySV like initialization
scripts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14017
RN: ctdb.service should only start if /etc/ctdb/nodes is not empty
Signed-off-by: Rafael David Tinoco <rafaeldtinoco at ubuntu.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit c5803507df7def388edcd5b6cbfee30cd217b536)

- - - - -
9dac4d85 by Tim Beale at 2019-08-08T07:30:13Z
join: Use a specific attribute order for the DsAddEntry nTDSDSA object

Joining a Windows domain can throw an error if the HasMasterNCs
attribute occurs before msDS-HasMasterNCs. This patch changes the
attribute order so that msDS-HasMasterNCs is always first.

Previously on python2, the dictionary hash order was arbitrary but
constant. By luck, msDS-HasMasterNCs was always before HasMasterNCs, so
we never noticed any problem. With python3, the dictionary hash order
now changes everytime you run the command, so the order is
unpredictable.

To enforce a order, we can change to use an OrderedDict, which will
return the keys in the order they're added.

I've asked Microsoft to clarify the protocol requirement here WRT
attribute order. However, in the meantime we may as well fix the problem
for users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14046
RN: When trying to join a Windows domain (with functional level 2008R2)
as an AD domain controller, the 'samba-tool domain join' command could
throw a python exception: 'RuntimeError ("DsAddEntry failed")'. When
this problem occurred, you would also see the message "DsAddEntry failed
with status WERR_ACCESS_DENIED info (8363, 'WERR_DS_NO_CROSSREF_FOR_NC')"
in the command output. This issue has now been resolved. Note that this
problem would only occur on Samba v4.10 when using the Python3 packages.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Jul 24 04:18:21 UTC 2019 on sn-devel-184

(cherry picked from commit 256684c7a86301d26d6cf7298fb70e647bf45cf5)

- - - - -
1d2c7ee7 by Garming Sam at 2019-08-08T07:30:13Z
netcmd: Allow drs replicate --local to create partitions

Currently, neither the offline (--local) or online (normal replica sync)
methods allow partition creation post-join. This overrides the Python
default to not create the DB, which allows TDB + MDB to work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14051

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d90ccce59754bc833027c06683afac25f7a8d474)

- - - - -
bf70fc09 by Garming Sam at 2019-08-08T07:30:13Z
tests: Add samba_upgradedns to the list of possible cmds

This will be used to test the replication scenario with no DNS partitions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14051

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7d2875bd70cf727730be8dc705bfd01eacaaaa6f)

- - - - -
bf28f9d7 by Garming Sam at 2019-08-08T11:15:54Z
tests/drs_no_dns: Check dbcheck and ldapcmp pass

When joining a DC without DNS partitions, make sure that the alternate
flow of creating them afterwards results in a database with everything
that is necessary.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14051
RN: Allow a DC join without DNS partitions, to add them later

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 35c54007e6183829d9d85a24b3bd95f469739ad3)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Thu Aug  8 11:15:54 UTC 2019 on sn-devel-144

- - - - -
a89157e5 by Alexander Bokovoy at 2019-08-16T09:48:19Z
torture/rpc/lsa: allow testing different lookup levels

Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing
different LSA_LOOKUP_NAMES_* levels. Keep existing level 1
(LSA_LOOKUP_NAMES_ALL) for the current set of tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091

Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

(cherry picked from commit 317bc6a7342edfa2c503f5932142bf5883485cc9)

- - - - -
692e9e1f by Alexander Bokovoy at 2019-08-16T09:48:19Z
lookup_name: allow own domain lookup when flags == 0

In 2007, we've added support for multiple lookup levels for LSA
LookupNames family of calls. However, forest-wide lookups, as described
in MS-LSAT 2.2.16, never worked because flags passed to lookup_name()
were always set to zero, expecting at least default lookup on a DC to
apply. lookup_name() was instead treating zero flags as 'skip all
checks'.

Allow at least own domain lookup in case domain name is the same.
This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a
trusted AD DC side.

For the reference, below is a request Windows Server 2016 domain
controller sends to FreeIPA domain controller when attempting to look up
a user from a trusted forest root domain that attemps to login to the
domain controller. Notice the level in the lsa_LookupNames3 call and
resulting flags in lookup_name().

[2019/08/03 07:14:24.156065,  1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       lsa_LookupNames3: struct lsa_LookupNames3
          in: struct lsa_LookupNames3
              handle                   : *
                  handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 0000004c-0000-0000-455d-3018575c0000
              num_names                : 0x00000001 (1)
              names: ARRAY(1)
                  names: struct lsa_String
                      length                   : 0x000a (10)
                      size                     : 0x000c (12)
                      string                   : *
                          string                   : 'XS\ab'
              sids                     : *
                  sids: struct lsa_TransSidArray3
                      count                    : 0x00000000 (0)
                      sids                     : NULL
              level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
              count                    : *
                  count                    : 0x00000000 (0)
              lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
              client_revision          : LSA_CLIENT_REVISION_2 (2)
[2019/08/03 07:14:24.156189,  6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 4C 00 00 00   00 00 00 00 45 5D 30 18   ....L... ....E]0.
  [0010] 57 5C 00 00                                        W\..
[2019/08/03 07:14:24.156228,  4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156246,  4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/08/03 07:14:24.156259,  4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156273,  5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2019/08/03 07:14:24.156285,  5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2019/08/03 07:14:24.156311,  5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
  lookup_lsa_sids: looking up name XS\ab
[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
  lookup_name: XS\ab => domain=[XS], name=[ab]
[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
  lookup_name: flags = 0x00

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091

Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

(cherry picked from commit 685bb03de6ab733590831d1df4f5fd60d2ac427d)

- - - - -
aabd5558 by Alexander Bokovoy at 2019-08-16T14:24:42Z
smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames

Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3
using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass
zero lookup flags to lookup_name().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091

Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184

(cherry picked from commit 4d276a93fc624dc04d880f5b4157f272d3555be6)

Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Fri Aug 16 14:24:42 UTC 2019 on sn-devel-144

- - - - -
db1d9ca5 by Karolin Seeger at 2019-08-20T09:08:32Z
WHATSNEW: Add release notes for Samba 4.10.7.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
c0f6317d by Karolin Seeger at 2019-08-20T09:09:02Z
VERSION: Disable GIT_SNAPSHOT for the 4.10.7 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
b9ee441b by Mathieu Parent at 2019-08-22T21:01:58Z
New upstream version 4.10.7+dfsg
- - - - -


30 changed files:

- VERSION
- WHATSNEW.txt
- auth/credentials/credentials.c
- auth/ntlmssp/ntlmssp_client.c
- buildtools/bin/waf
- buildtools/wafsamba/samba_deps.py
- buildtools/wafsamba/wafsamba.py
- ctdb/.gitignore
- ctdb/common/event_script.c
- ctdb/common/run_proc.c
- ctdb/common/sock_daemon.c
- − ctdb/common/version.c
- − ctdb/common/version.h
- ctdb/config/ctdb.service
- ctdb/config/functions
- ctdb/config/nfs-checks.d/10.status.check
- ctdb/config/nfs-checks.d/40.mountd.check
- ctdb/config/nfs-checks.d/50.rquotad.check
- ctdb/config/nfs-linux-kernel-callout
- ctdb/config/statd-callout
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/5b2a3764d4ef3ea3f1c61b2ffeda54a4555a0de2...b9ee441bfef2d6d114f24296b82dea3ec4237190

-- 
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/5b2a3764d4ef3ea3f1c61b2ffeda54a4555a0de2...b9ee441bfef2d6d114f24296b82dea3ec4237190
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20190829/a98cba96/attachment-0001.html>


More information about the Pkg-samba-maint mailing list