Commit message | Author | Age | Files | Lines
* VERSION: Disable GIT_SNAPSHOT for the 4.9.6 release. [samba-4.9.6] | Karolin Seeger | 2019-04-05 | 1 | -1/+1
  CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
  CVE-2019-3880 (Save registry file outside share as unprivileged user)

  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* WHATSNEW: Add release notes for Samba 4.9.6. | Karolin Seeger | 2019-04-05 | 1 | -2/+64
  CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
  CVE-2019-3880 (Save registry file outside share as unprivileged user)

  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* CVE-2019-3880 s3: rpc: winreg: Remove implementations of SaveKey/RestoreKey. | Jeremy Allison | 2019-04-05 | 1 | -88/+4
  They were not using VFS backend calls and could only work locally, and were unsafe against symlink races and other security issues.

  If the incoming handle is valid, return WERR_BAD_PATHNAME.

  [MS-RRP] states "The format of the file name is implementation-specific" so ensure we don't allow this.

  As reported by Michael Hanselmann.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2019-3870 pysmbd: Ensure a zero umask is set for smbd.mkdir() | Andrew Bartlett | 2019-04-05 | 2 | -2/+10
  mkdir() is the other call that requires a umask of 0 in Samba.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* CVE-2019-3870 pysmbd: Move umask manipulations as close as possible to users | Andrew Bartlett | 2019-04-05 | 3 | -28/+10
  Umask manipulation was added to pysmbd with e146fe5ef96c1522175a8e81db15d1e8879e5652 in 2012 and init_files_struct was split out in 747c3f1fb379bb68cc7479501b85741493c05812 in 2018 for Samba 4.9.

  (It was added to assist the smbd.create_file() routine used in the backup and restore tools, which needed to write files with full metadata).

  This in turn avoids leaving init_files_struct() without resetting the umask to the original, saved, value.

  Per umask(2) this is required before open() and mkdir() system calls (alongside other file-like things such as those for Unix domain socks and FIFOs etc).

  Therefore for safety and clarity the additional 'belt and braces' umask manipulations elsewhere are removed.

  mkdir() will be protected by a umask() bracket, for correctness, in the next patch.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  (This backport to Samba 4.9 by Andrew Bartlett is not a pure cherry-pick due to merge conflicts)
* CVE-2019-3870 pysmbd: Include tests to show the outside umask has no impact | Andrew Bartlett | 2019-04-05 | 3 | -1/+15
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* CVE-2019-3870 tests: Add test to check file-permissions are correct after provision | Tim Beale | 2019-04-05 | 3 | -0/+73
  This provisions a new DC and checks there are no world-writable files in the new DC's private directory.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* CVE-2019-3870 tests: Extend smbd tests to check for umask being overwritten | Tim Beale | 2019-04-05 | 4 | -4/+55
  The smbd changes the umask - if the code fails to restore the umask to what it was, then this is very bad. Add an extra check to every smbd-related test that the umask at the end of the test is the same as what it was at the beginning (i.e. if the smbd code changed the umask then it correctly restored the value afterwards).

  As the selftest sets the umask for all tests to zero, it makes it hard to detect this problem, so the test setUp() needs to set it to something else first.

  This extra checking is added to the setUp()/tearDown() so that it applies to all test-cases. However, any failures that occur with this approach will not be able to be known-failed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (This backport to Samba 4.9 by Andrew Bartlett was not a pure cherry-pick due to merge conflicts)
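The two checks the CVE-2019-3870 commits above describe, as an added Python example that is not Samba's code or part of its test suite: a umask bracket that always restores the saved value around mkdir(), and a walk that reports world-writable entries under a directory. The names `umask_bracket`, `mkdir_exact_mode`, `world_writable` and `demo`, and the file name `leaked.ldb`, are hypothetical.

```python
import contextlib
import os
import stat
import tempfile


@contextlib.contextmanager
def umask_bracket(mask=0):
    """Set the process umask for the block, then restore the saved value."""
    saved = os.umask(mask)
    try:
        yield saved
    finally:
        # Runs on normal exit and on exceptions, so the umask never leaks.
        os.umask(saved)


def current_umask():
    """Read the umask; umask(2) has no getter, so set it and put it back."""
    mask = os.umask(0)
    os.umask(mask)
    return mask


def mkdir_exact_mode(path, mode):
    """Create a directory whose permission bits are exactly `mode`."""
    with umask_bracket(0):
        os.mkdir(path, mode)


def world_writable(root):
    """Return sorted paths under `root` that have the other-write bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            if st.st_mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def demo():
    """Constructed scenario: one correct bracket, then one leaked umask of 0."""
    # Like the test setUp() described above: start from a non-zero umask so
    # that a failure to restore it is visible.
    outer = os.umask(0o027)
    try:
        with tempfile.TemporaryDirectory() as root:
            private = os.path.join(root, "private")
            mkdir_exact_mode(private, 0o700)
            after_bracket = current_umask()

            # Constructed failure mode: the umask is zeroed and not restored,
            # so the next file created with mode 0666 ends up world-writable.
            os.umask(0)
            leaked = os.path.join(private, "leaked.ldb")
            os.close(os.open(leaked, os.O_CREAT | os.O_WRONLY, 0o666))

            return {
                "private_mode": os.lstat(private).st_mode & 0o777,
                "umask_after_bracket": after_bracket,
                "world_writable": [
                    os.path.relpath(p, root) for p in world_writable(root)
                ],
            }
    finally:
        os.umask(outer)


if __name__ == "__main__":
    print(demo())
```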
* VERSION: Bump version up to 4.9.6... | Karolin Seeger | 2019-04-05 | 1 | -2/+2
  and re-enable GIT_SNAPSHOT.

  Signed-off-by: Karolin Seeger <kseeger@samba.org>
  (cherry picked from commit 3e6b84f8b43f769b823c13852237f47ebfad6d77)
* VERSION: Disable GIT_SNAPSHOT for the 4.9.5 release. [samba-4.9.5] | Karolin Seeger | 2019-03-11 | 1 | -1/+1
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* WHATSNEW: Add release notes for Samba 4.9.5. | Karolin Seeger | 2019-03-11 | 1 | -2/+143
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* libcli/security: fix handling of deny type ACEs in access_check_max_allowed() | Ralph Boehme | 2019-03-11 | 2 | -5/+1
  Deny ACEs must always be evaluated against explicitly granted rights from previous ACEs.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 8d355dd9769e8990ce998b4c9f28977669b43616)
  Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-9-test): Mon Mar 11 12:25:05 UTC 2019 on sn-devel-144
* s4:torture: Add test_deny1(). | Ralph Boehme | 2019-03-11 | 2 | -0/+142
  Creates a 2-element ALLOW + DENY ACE showing that when calculating effective permissions and maximum access already seen allow bits are not removed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit b205d695d769e910a91bec87451dec189ec33740)
* s4:torture: Add test_owner_rights_deny1(). | Jeremy Allison | 2019-03-11 | 2 | -0/+146
  Creates a 3-element ALLOW + ALLOW + DENY ACE showing that when calculating maximum access already seen allow bits are not removed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 0ebd8c99aed28a0ba43a22c429837f66f7e94409)
* libcli/security: correct access check and maximum access calculation for Owner Rights ACEs | Ralph Boehme | 2019-03-11 | 2 | -69/+73
  We basically must process the Owner Rights ACEs as any other ACE wrt to the order of adding granted permissions and checking denied permissions. According to MS-DTYP 2.5.3.2 Owner Rights ACEs must be evaluated in the main loop over the ACEs in an ACL and the corresponding access_mask must be directly applied to bits_remaining. We currently defer this to after the loop over the ACEs in ACL, this is wrong.

  We just have to do some initial magic to determine if an ACL contains any Owner Rights ACEs, and in case it doesn't we grant SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL at the *beginning*.

  MS-DTYP:

  -- the owner of an object is always granted READ_CONTROL and WRITE_DAC.
  CALL SidInToken(Token, SecurityDescriptor.Owner, PrincipalSelfSubst)
  IF SidInToken returns True THEN
      IF DACL does not contain ACEs from object owner THEN
          Remove READ_CONTROL and WRITE_DAC from RemainingAccess
          Set GrantedAccess to GrantedAccess or READ_CONTROL or WRITE_OWNER
      END IF
  END IF

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 9722f75757c0e38c7f42c7cc310d56aa6eaf6392)
* s4:torture: Add test_owner_rights_deny(). | Jeremy Allison | 2019-03-11 | 2 | -0/+139
  Shows that owner and SID_OWNER_RIGHTS ACE entries interact in max permissions requests.

  Tested against Windows.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit fadc4c1bc5fcc3b2d9daea44ef8daf8a8ae0fbe2)
* s4:torture: Fix the test_owner_rights() test to show permissions are additive. | Jeremy Allison | 2019-03-11 | 1 | -4/+16
  Tested against Windows.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit 2e181e34c48c879235c5dc64bd7ab2b59781810c)
* libcli/security: add "Owner Rights" calculation to access_check_max_allowed() | Ralph Boehme | 2019-03-11 | 2 | -7/+28
  This was missing in 44590c1b70c0a24f853c02d5fcdb3c609401e2ca.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  Autobuild-User(master): David Disseldorp <ddiss@samba.org>
  Autobuild-Date(master): Thu Feb 28 19:18:16 UTC 2019 on sn-devel-144
  (cherry picked from commit 5cf0764bc4b65dbc59d8626760dbe946a2234833)
* s4:torture: add a Maximum Access check with an Owner Rights ACE | Ralph Boehme | 2019-03-11 | 2 | -0/+127
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  (cherry picked from commit 3ca38d2cd1189a5040e13ddab016063280be2b4d)
* s4:libcli: remember return code from maximum access | Ralph Boehme | 2019-03-11 | 2 | -2/+3
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13812
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  (cherry picked from commit 9f4ee05295827c9a607e1f63694a17906f777176)
* sambaundoguididx: use the right escaped or unescaped sam ldb files | Björn Jacke | 2019-03-11 | 1 | -2/+1
  the correct filename is taken from the partition database before, we should not unescape that because this can result in a new unescaped ldb file being created and the script not to work at all.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13759
  Signed-off-by: Bjoern Jacke <bjacke@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  (cherry picked from commit cd1ac3668cd164bd5f7cadf7b59df9541aaef83e)
* s4-server: Open and close a transaction on sam.ldb at startup | Andrew Bartlett | 2019-03-11 | 1 | -0/+42
  This fixes upgrading from 4.7 and earlier releases, and makes the DB reindexing more transparent. It should also make it easier to handle future normalisation rule changes, e.g. if we change the pack-format of integer indexes in a future release.

  Without this change, the should have still handled reindexing the database. We don't know why exactly this wasn't happening correctly, but opening a transaction early in the samba process startup should now guarantee that the DB is correctly reindexed by the time the main samba code runs.

  An alternative fix would have been to open a transaction in the DSDB module stack every time we connect to the database. However, this would add an extra write lock every time we open the DB, whereas starting samba happens much more infrequently.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13760
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Mar 7 04:58:42 UTC 2019 on sn-devel-144
  (cherry picked from commit 8b18da27cf261b0283fe66d2b827cab542488ac7)
* vfs_ceph: remove ceph_fallocate/ceph_ftruncate fallback | David Disseldorp | 2019-03-04 | 1 | -89/+8
  Both libcephfs functions are supported and capable of extending files, so fallback can be dropped.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13807
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  (cherry picked from commit 155f1289ba7a4802fbb99fbc9ea90d8bc6cff0c9)
  Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-9-test): Mon Mar 4 15:02:26 UTC 2019 on sn-devel-144
* vfs_ceph: fix strict_allocate_ftruncate() | David Disseldorp | 2019-03-04 | 1 | -2/+4
  The vfs_ceph "strict allocate = yes" ftruncate wrapper may attempt *local* filesystem ftruncate(). Fix this.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13807
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  (cherry picked from commit 70329c36ed91dd0e50ff66f9b0a85c62ac8a621e)
* vfs_ceph: add missing fallocate hook | David Disseldorp | 2019-03-04 | 1 | -0/+17
  SMB_VFS_FALLOCATE() calls atop a vfs_ceph share currently fall through to vfs_default, which results in a local filesystem I/O attempt using a libcephfs file-descriptor. Add the missing fallocate hook to vfs_ceph.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13807
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  (cherry picked from commit 5a7e7280813559fb70a9fc8e4238cb6015ee3b53)
* s3: smbd: filenames - ensure we replace the missing '/' if we error in an intermediate POSIX path. | Jeremy Allison | 2019-03-04 | 2 | -1/+18
  Previous regression test ensures we still return the correct error code for POSIX pathname operations.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13803
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Mon Feb 25 09:33:27 CET 2019 on sn-devel-144
  (cherry picked from commit 3f1a13a94a753c5cb3b9f2cf795df5adb0f74205)
* s3: torture: Add additional POSIX mkdir tests. | Jeremy Allison | 2019-03-04 | 2 | -0/+103
  Ensure that if POSIX_foo exists as a file we return the correct error code NT_STATUS_OBJECT_PATH_NOT_FOUND if we try and traverse it as a directory. Also ensure creation/deletion of POSIX_foo/foo fails for directories and files with NT_STATUS_OBJECT_PATH_NOT_FOUND if the directory POSIX_foo/ doesn't exist.

  knownfail is back :-).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13803
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit 632d0db8c42d50f5eecd002d9573f739cd945960)
* smbd: unix_convert: Ensure we don't call get_real_filename on POSIX paths. | Jeremy Allison | 2019-03-04 | 2 | -1/+25
  For posix_pathnames don't blunder into the name_has_wildcard OR get_real_filename() codepaths as they may be doing case insensitive lookups. So when creating a new POSIX directory 'Foo' they might match on name 'foo'.

  Remove POSIX-MKDIR from knownfail.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13803
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Sun Feb 24 14:04:14 CET 2019 on sn-devel-144
  (cherry picked from commit 12da33e2bbce657f25abe9bc4cb936ca4615b30f)
* smbd: SMB1-POSIX: Add missing info-level SMB_POSIX_PATH_OPEN for UCF_UNIX_NAME_LOOKUP flag. | Jeremy Allison | 2019-03-04 | 1 | -0/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13803
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit 980db8debde68f9edce13fc01bc45a904379cffd)
* s3: smbtorture3: Add POSIX-MKDIR test for posix_mkdir case sensitive bug. | Jeremy Allison | 2019-03-04 | 4 | -1/+103
  Test does:

  mkdir POSIX_foo
  mkdir POSIX_Foo
  mkdir POSIX_foo/Foo
  mkdir POSIX_foo/foo
  mkdir POSIX_Foo/Foo
  mkdir POSIX_Foo/foo

  Which should pass a SMB1 POSIX extensions server as posix mkdir should always be case sensitive no matter what the share is set to.

  Mark as knownfail for now.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13803
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit f0decb31fff24ceb57d23bebbfb87aa0e5103947)
* winbindd: set idmap cache entries as the last step in async wb_xids2sids | Ralph Boehme | 2019-03-04 | 1 | -11/+22
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13802
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Sat Feb 23 09:23:22 CET 2019 on sn-devel-144
  (cherry picked from commit 9b9565c3e69b92c298c7168e516387bb249c9e36)
* winbindd: track whether a result from xid2sid was coming from the cache | Ralph Boehme | 2019-03-04 | 1 | -0/+7
  This is needed in preparation of moving the step to update the idmap cache from the per-idmap-domain callback wb_xids2sids_dom_done() to the top-level callback wb_xids2sids_done().

  Currently the sequence of action is:

  * check cache, if not found:
    * ask backends
    * cache result from backend
  * return results

  Iow, if we got something from the cache, we don't write the cache.

  The next commit defers updating the cache to the top-level callback, so the sequence becomes

  * check cache, if not found:
    * ask backends
  * cache results
  * return results

  This has two problems:

  * it needlessly writes to the cache what we just got from it
  * it possibly overwrites the ID_TYPE_BOTH for a SID-to-xid mapping in the following case:
    - existing ID_TYPE_BOTH mapping in the cache, eg: IDMAP/SID2XID/S-1-5-21-2180672342-2513613279-2566592647-512 -> Value: 3000000:B
    - someone calls wb_xids2sids_send() with xid.id=3000000,xid.type=ID_TYPE_GID
    - cache lookup with idmap_cache_find_gid2sid() succeeds
    - when caching results we'd call idmap_cache_set_sid2unixid() with the callers xid.type=ID_TYPE_GID, so idmap_cache_set_sid2unixid() will overwrite the SID-to-xid mapping with ID_TYPE_GID

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13802
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit 62f54229fced20102e11ad1da02faef45c2a7c2e)
* winbindd: switch send-next/done order | Ralph Boehme | 2019-03-04 | 1 | -9/+13
  In preparation of adding more logic to the done step. No change in behaviour.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13802
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit 8e9c2a1f6ceb06d695a6572701b96a3e3821ac42)
* winbindd: update xid in wb_xids2sids_state->xids with what we got | Ralph Boehme | 2019-03-04 | 1 | -0/+1
  In preparation of priming the idmap cache in the top-level wb_xids2sids_done(), not in the per-idmap-domain callback wb_xids2sids_dom_done().

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13802
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit 7f23ef7b2cf7bd6e8dc087aa15137292b421a689)
* winbindd: convert id to a pointer in wb_xids2sids_dom_done() | Ralph Boehme | 2019-03-04 | 1 | -2/+2
  No change in behaviour.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13802
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit f8bf4fc608639695651f75c52b31f95e796a5a26)
* winbindd: make xids a const argument to wb_xids2sids_send() | Ralph Boehme | 2019-03-04 | 2 | -2/+2
  The previous commit made an internal copy of xids, this commit makes it more obvious that we must not mess with the xids argument but treat it as an in-parameter and don't write to it.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13802
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit 5d277ea7ea258676b9ea5081a451a5874af115f6)
* winbindd: make a copy of xid's in wb_xids2sids_send() | Ralph Boehme | 2019-03-04 | 1 | -1/+6
  This is in preparation of setting the result of the mapping in the top-level callback wb_xids2sids_done(), not in the per-idmap-domain callback wb_xids2sids_dom_done().

  When caching the mapping we need the id-type from the backend, so we need a way to pass up that information from wb_xids2sids_dom_done() up to wb_xids2sids_done()

  The xids array copy gets passed from wb_xids2sids_send() to wb_xids2sids_dom_send(), so wb_xids2sids_dom_done() can then directly update the top-level copy.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13802
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  (cherry picked from commit f5a8bc2f945be45cdade5f70d4f975bae8337f67)
* ctdb-cluster-mutex: Separate out command and file handling | Martin Schwenke | 2019-03-04 | 1 | -42/+71
  This code is difficult to read and there really is no common code between the 2 cases. For example, there is no need to split a filename into words. Separating each of the 2 cases into its own function makes the logic much easier to understand.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13800
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
  Autobuild-Date(master): Mon Feb 25 03:40:16 CET 2019 on sn-devel-144
  (cherry picked from commit c93430fe8fe530a55b9a04cf6cc660c3d420e333)
  (cherry picked from commit d5131afc533102ed5adfb147bf1a316e51810729)
* ctdb-recoverd: Time out attempt to take recovery lock after 120s | Martin Schwenke | 2019-03-04 | 1 | -1/+1
  Currently this will wait forever. It really needs a timeout in case the cluster filesystem (or other lock mechanism) is completely wedged.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13800
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit 13a1a4808935290dceb219daccd7aac3fda4e184)
* ctdb-recoverd: Ban node on unknown error when taking recovery lock | Martin Schwenke | 2019-03-04 | 1 | -0/+11
  We really shouldn't see unknown errors. They probably represent a misconfigured recovery lock or similar.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13800
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit 45a77d65b2e39b4af94da4ab99575f4ee08a7ebd)
* ctdb-recoverd: Make recoverd context available in recovery lock handle | Martin Schwenke | 2019-03-04 | 1 | -0/+3
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13800
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit c0fb62ed3954fc6e8667480aba92003fc270f257)
* ctdb-recoverd: Clean up logging on failure to take recovery lock | Martin Schwenke | 2019-03-04 | 1 | -3/+6
  Add an explicit case for a timeout and clean up the other messages.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13800
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit 7e4aae6943291c3144c8a3ff97537e8d4c7dc7c9)
* ctdb-recoverd: Free cluster mutex handler on failure to take lock | Martin Schwenke | 2019-03-04 | 1 | -1/+10
  If nested events occur while the file descriptor handler is still active then chaos can ensue. For example, if a node is banned and the lock is explicitly cancelled (e.g. due to election loss) then double-talloc-free()s abound.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13800
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit 621658cbed5d91d7096fc208bac2ff93a1880e7d)
* ctdb-config: Change example recovery lock setting to one that fails | Martin Schwenke | 2019-03-04 | 1 | -4/+9
  ctdbd will start without a recovery lock configured. It will log a message saying that this is not optimal. However, a careless user may overlook both this message and the importance of setting a recovery lock. If the existing example configuration is uncommented then the directory containing it will be created (by 01.reclock.script) and the failure (i.e. multiple nodes able to take the lock) will be confusing.

  Instead, change the example setting to one that will result in banned nodes, encouraging users to consciously configure (or deconfigure) the recovery lock. Tweak the corresponding comment.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13790
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Amitay Isaacs <amitay@gmail.com>
  (cherry picked from commit 82e7f38214896c2c200132bc6dde3348cfac16cc)
* messages_dgm: Properly handle receiver re-initialization | Volker Lendecke | 2019-03-04 | 2 | -1/+16
  This only properly covers the small-message nonblocking case. Covering the large-message and the blocking case is a much larger effort assuming we want to re-send the failed message if parts of the message have gone through properly. Don't do that for now.

  This was found by samba_dnsupdate constantly recreating its irpc handle to winbindd in the RODC case.

  The messaging_dgm code cached connected datagram sockets based on the destination pid for 1 second. Which means the IRPC responses from winbindd are never delivered to samba_dnsupdate, which will then hit a timeout.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13786
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 2543bba0364d8054e9ad316f5611621841bc061d)
* torture3: Extend read3 for the "messaging target re-inits" failure | Volker Lendecke | 2019-03-04 | 2 | -20/+25
  Do ping_pong a hundred times, re-initializing the msg_ctx every time.

  https://bugzilla.samba.org/show_bug.cgi?id=13786
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 8d8f62c4b9dea381ce9f5833bc794553ae358173)
* messages_dgm: Use saved errno value | Volker Lendecke | 2019-03-04 | 1 | -1/+1
  In this case this is just a cleanup, the value has just been set by messaging_dgm_sendmsg. But as that already saves errno into a local variable, use that.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13786
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit c27afc098398274abaed6dc9bef2019091c1b635)
* man pages: document prefork process model | Gary Lockyer | 2019-03-04 | 2 | -6/+33
  Document the process model options -M

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13765
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Autobuild-User(master): Tim Beale <timbeale@samba.org>
  Autobuild-Date(master): Thu Jan 31 04:25:14 CET 2019 on sn-devel-144
  (manual merge of commit 4ecdcc4b462d03bec3ec36ba1b90f45d9977be8b, with description updated for v4.9 behaviour)
* notifyd: Fix SIGBUS on sparc | Jiří Šašek | 2019-03-04 | 1 | -2/+9
  The problem is that the structure "struct notify_instance" can lie in the message buffer at an address not divisible by 8, but this structure begins with a uint_64 (secs in time-stamp). The structure should be re-packed to a standalone buffer before use.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=13704
  Signed-off-by: jiri.sasek@oracle.com
  Reviewed-by: Volker Lendecke <vl@samba.org>
* CVE-2019-3824 ldb: Release ldb 1.4.6 [ldb-1.4.6] | Gary Lockyer | 2019-02-26 | 4 | -1/+284
  * CVE-2019-3824 out of bounds read in wildcard compare (bug 13773)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Autobuild-User(v4-9-test): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(v4-9-test): Tue Feb 26 11:11:42 CET 2019 on sn-devel-144