git.samba.org - samba.git/log

Merge tag 'samba-4.1.17' into v4-1-test

samba: tag release samba-4.1.17

doc:man:vfs_glusterfs: improve the configuration section.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Feb 20 14:29:21 CET 2015 on sn-devel-104

(cherry picked from commit e6e6f563e6968dcb3ae558a7857f8dff49d2939f)

The last 3 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11117
vfs_glusterfs manpage corrections

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Wed Feb 25 22:15:39 CET 2015 on sn-devel-104

doc:man:vfs_glusterfs: improve and update description.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7852dd9e4c806d4e2b5428cb783b8ce6db8902d0)

doc:man:vfs_glusterfs: remove extra % signs.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit b9bf3c4d785606573ee3b9cb8e727bb04b3be6fb)

debug: Set close-on-exec for the main log file FD

This does not change the properties of dup2() of the fd as STDERR, however this is closed
before we start smbd or winbindd as child processes.

This is needed otherwise the logfile remains open in the child process, and
logfile rotation can mean this old log remains on disk indefinatly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11100
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 16 11:42:47 CET 2015 on sn-devel-104

(based on commit 1d95b0afc3547a91f8558873ce58652c271ed9eb)

VERSION: Bump version up to 4.1.18.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Disable git snapshots for the 4.1.17 release.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077

CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon server
could lead to security vulnerability.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.1.17.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077

CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon server
could lead to security vulnerability.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

s3-netlogon: Make sure we do not deference a NULL pointer.

This is an additional patch for CVE-2015-0240.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

VERSION: Disable git snapshots for the 4.1.17 release.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077

CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon server
could lead to security vulnerability.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.1.17.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077

CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon server
could lead to security vulnerability.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

s3-netlogon: Make sure we do not deference a NULL pointer.

This is an additional patch for CVE-2015-0240.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3: smbclient: Allinfo leaves the file handle open.

https://bugzilla.samba.org/show_bug.cgi?id=11094

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Feb 10 23:28:46 CET 2015 on sn-devel-104

(cherry picked from commit 080ec0f7d9735b27138deb5f91a397935f089f02)

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Mon Feb 16 23:20:50 CET 2015 on sn-devel-104

printing/cups: pack requested-attributes with IPP_TAG_KEYWORD

The CUPS IPP_GET_JOBS requested-attributes array indicates which job
attributes the caller would like in the cupsd response.

Until now, Samba has packed these attributes with a IPP_TAG_NAME
format tag. In recent versions of CUPS, this results in the IPP_GET_JOBS
response only including the job-id and job-printer-uri fields, even with
JobPrivateValues=none configured.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10808

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 10 01:38:58 CET 2015 on sn-devel-104

(cherry picked from commit 2f4998113e539ea4ba6fb0a72ba6ac25c9d74bd6)

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Tue Feb 10 23:20:58 CET 2015 on sn-devel-104

VERSION: Re-enable git snapshots.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Bump version up to 4.1.17.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit c4e46cd4e32ef5bf25f3a21f74bb40dfb1dd3c0d)

s3:smb2_server: protect against integer wrap with "smb2 max credits = 65535"

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 29 14:58:40 CET 2015 on sn-devel-104

(similar to commit 8aed0fc38ae28cce7fd1a443844a865265fc719c)

Autobuild-User(v4-1-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-1-test): Tue Feb 3 00:04:10 CET 2015 on sn-devel-104

s3:smb2_server: always try to grant the credits the client just consumed

It turns out that the effective credits_requested is always at least 1,
even if the client sends credits_requested == 0.

This means the client is not able to reduce the amount of credits
itself.

Without this fix a client (e.g. Windows7) would reach the case
where it has been granted all credits it asked for.
When copying a large file with a lot of parallel requests,
all these requests have credits_requested == 0.
This means the amount of granted credits where reduced by each
request and only when the granted credits reached 0,
the server granted one credit to allow the client to go on.
The client might require more than one credit ([MS-SMB2] says
Windows clients require at least 4 credits) and freezes
with just 1 credit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9702

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(similar to commit 1944c857e59922a2ebfc88a6a824a6ed9396f2d5)

dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable

This includes additional tests based directly on the docs, rather than
simply testing our internal implementation in client and server contexts,
that create a user and groups.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming-Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104

(similar to commit e4213512d0a967e87a74a1ae816c903fb38dd8b9)

Change-Id: Ia98bf5a62bb69e15ae6420b34e09a65c1f3e79dd

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Thu Jan 29 23:24:18 CET 2015 on sn-devel-104

Revert "dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable"

This reverts commit 333d25739eb5a0d347ff8c57726ea184af4c1ec9.

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Mon Jan 26 23:05:21 CET 2015 on sn-devel-104

s3-pam_smbpass: Fix memory leak in pam_sm_authenticate().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11066

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 0cb9b28acb7008cd30c6de3add9876eb5607a5a6)

utils: Fix 'net time' segfault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11058

This is part two of the bugfix. Make sure we pass the IP we found to
cli_servertime(). Hence we always pass at least one of name or IP.

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 45829800eb3f3a8aeccfe7c1114dcf9df60371d5)

cli_connect_nb_send: don't segfault on host == NULL.

The functions called futher down can cope with host == NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11058

This is part one of the bugfix:
This ensures that it is enough to pass one of host or address to the function.

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit a0a254f74234bed6c9a0c71a5bda8254fa6f633f)

vfs_glusterfs: Add comments to the pipe(2) code.

The guarantees around read(2) and write(2) and pipes are critical
to understanding this code. Hopefully these comments will help.

Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 23 20:58:51 CET 2015 on sn-devel-104

(cherry picked from commit 3b2d8bdbb1851961536241d3aaaf6ac936964517)

The last 10 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11069
Backport remaining performance patches for vfs_glusterfs to 4.2/4.1.

vfs: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 22 13:14:38 CET 2015 on sn-devel-104

(cherry picked from commit db63e4887c81c3e458194004353d7ef92c67b393)

vfs:glusterfs: whitespace fix.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 22 03:20:17 CET 2015 on sn-devel-104

(cherry picked from commit cde5d380e192487ae77734afcb3eb3d327aafb98)

vfs_glusterfs: Replace eventfd with pipes, for AIO use

Pipes clean up the AIO implementation substantially, due to the fact
that they implement a natural ithread safe queue instead of us
creating our own queue.

Signed-off-by: Ira Cooper <ira@samba.org>
Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Wed Jan 21 20:40:11 CET 2015 on sn-devel-104

(cherry picked from commit 4c3a3d9e6adc95d0f0e1f6030b2406613d9f9f53)

vfs/glusterfs: Change xattr key to match gluster key.

Gluster changed the key used to do get_real_filename
in 3.5. This changes Samba's glusterfs vfs-module
to use the same key.

This will render SMB_VFS_GET_REALFILENAME() working
again under 3.5 and will remove support for that functionality
for Gluster 3.4 and older.

Signed-off-by: raghavendra talur <raghavendra.talur@gmail.com>
Reviewed-by: Ira Cooper <ira@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit af9ec9fea5a730023cdee6e236f9585e3a18b0e6)

vfs_glusterfs: Implement AIO support

Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Dec 17 16:35:37 CET 2014 on sn-devel-104

(cherry picked from commit 051b81aac81c7ccb234da221e9f8272b70b265ce)

vfs_glusterfs: Change sys_get_acl_file/fd to return ACLs corresponding to mode bits when there are no ACLs set.

Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 26b3544251babdfcdf5ada338a4ed39ff18bc47a)

vfs_glusterfs: Set connectpath as snapdir-entry-path.

snapview client in gluster would require connectpath
in order add snapdir entry to readdir result.

Signed-off-by: raghavendra talur <raghavendra.talur@gmail.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Dec 10 16:38:27 CET 2014 on sn-devel-104

(cherry picked from commit a12ae815b01b372cbf8697d32d5d45d7b2d5f93d)

vfs_glusterfs: Remember the connect path too for reopening.

As Samba allows us to share subdirs, lets re-use preopened
connections to glusterfs only if they are for same volume
AND same connectpath.

Signed-off-by: raghavendra talur <raghavendra.talur@gmail.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 2fb4317352a165d0dd4af78fcf0a576fa246eab2)

vfs_glusterfs: In vfs_gluster_sys_acl_get_file/fd, reduce the number of getxattr calls.

Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Ira Cooper <ira@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit a4fa9ca5a7a4c0b770079ab126f8172ff6d6851c)

libsmb: provide authinfo domain for encrypted session referrals

6c9de0cd056afc0b478c02f1bdb0e06532388037 requires this extra change.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 21 04:29:06 CET 2015 on sn-devel-104

(cherry picked from commit 6da86012a2ca521efe0cf1bf05fcd04c3099b190)

libsmb: provide authinfo domain for DFS referral auth

libsmbclient uses the smbc_init->smbc_get_auth_data_fn() provided
workgroup/domain in initial connections, but then switches to the
default smb.conf workgroup/domain when handling DFS referrals.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11059

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6c9de0cd056afc0b478c02f1bdb0e06532388037)
[ddiss@samba.org: 4.1 rebase with cli_init_creds() call]

libsmb: reuse connections derived from DFS referrals

[MS-DFSC] 3.2.1.1 and 3.2.1.2 states that DFS targets with the same site
location or relative cost are placed in random order in a DFS referral
response.

libsmbclient currently resolves DFS referrals on every API call, always
using the first entry in the referral response. With random ordering,
libsmbclient may open a new server connection, rather than reuse an
existing (cached) connection established in a previous DFS referred API
call.

This change sees libsmbclient check the connection cache for any of the
DFS referral response entries before creating a new connection.

This change is based on a patch by Har Gagan Sahai
<SHarGagan@novell.com>.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10123

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 7b7d4f740fe5017107d3100041cc8c7982f0eac7)

VERSION: Bump version up to 4.1.17.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

Merge tag 'samba-4.1.16' into v4-1-test

samba: tag release samba-4.1.16

smbd: Fix CID 1063259 Uninitialized scalar variable

Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11041

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cc983c9a6a92f3d127ec6461b15aed3fa90e6d30)
Reviewed-by: David Disseldorp <ddiss@samba.org>

s3-libads: Fix a possible segfault in kerberos_fetch_pac().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11037

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit a13e29cc4345d85ab6fe4482119386b87e4e8673)

spoolss: clear PrinterInfo on GetPrinter error

If an error is returned without zeroing a pre-allocated @info pointer,
then marshalling of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a11e97b79645ff0d9e7d20f5318a979194a858fe)

spoolss: clear info on GetPrinterDriverDirectory error

If an error is returned without zeroing a pre-allocated @info pointer,
then marshalling of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c9fccb5018f9a19bb654b9ad79aa716e37a274d6)

spoolss: clear info on GetPrintProcessorDirectory error

If an error is returned without zeroing a pre-allocated @info pointer,
then marshalling of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 679c781112ce6b7cffca11c28e58ae5f9a0d717d)

spoolss: clear FormInfo on GetForm error

In handling a spoolss GetForm request, the handler may return an
immediate error if one of the input parameters is invalid. If this is
done without zeroing the pre-allocated @info pointer, then marshalling
of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b113ed6043622cdec68f3a70631b363594f3a8d0)

spoolss: clear DriverInfo on GetPrinterDriver2 error

In handling a spoolss GetPrinterDriver2 request, the handler may
return an immediate error if one of the input parameters is invalid.
If this is done without zeroing the pre-allocated @info pointer, then
marshalling of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit fb9ecb044ee986ab3496da6cbad162a224378475)

spoolss: clear JobInfo on GetJob error

In handling a spoolss GetJob request, the _spoolss_GetJob() handler may
return an immediate error if one of the input parameters is invalid. If
this is done without zeroing the pre-allocated @info pointer, then
api_spoolss_GetJob() will attempt to marshall @info, which in the case
of an @offered value of zero results in a marshalling error:

ndr_push_error(7): Bad subcontext (PUSH) content_size 64 is larger
than size_is(0)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 89869e090c56a3f83b451b437f9c3f40a231dd24)

vfs: Add glusterfs manpage.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10240

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jan 7 20:57:57 CET 2015 on sn-devel-104

net: Fix sam addgroupmem

Domain local groups come across as SID_TYPE_ALIAS and are sent to us in the
PAC/Info3 struct. We should allow this in net sam addgroupmem.

Volker

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11051

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jan 13 15:28:16 CET 2015 on sn-devel-104

dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable

This includes additional tests based directly on the docs, rather than
simply testing our internal implementation in client and server contexts,
that create a user and groups.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming-Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104

(similar to commit e4213512d0a967e87a74a1ae816c903fb38dd8b9)

s3-util: Fix authentication with long hostnames.

If the hostname is longer than MAX_NETBIOSNAME_LEN we fail to correctly
check the hostname.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11008

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit da2611adef32107f5a0eec97501c01232ab72efc)
Signed-off-by: Andreas Schneider <asn@samba.org>

VERSION: Disable git snapshots for the 4.1.16 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.1.16.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl

This requires an additional control to be used in the
LSA server to add domain trust account objects.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I36ad5ebc5d8a4811c41b59af90a3add4ae5fd857
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

CVE-2014-8143:auth: Force talloc type of session_info pointer to match

This helps us keep things safe in LDB where we put this in a opaque pointer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Andrew Bartlett

Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

VERSION: Bump version up to 4.1.16...

and re-enable git snapshots.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit 9f52de75088380915835e815217bdcd0afa8dc85)

VERSION: Bump version up to 4.1.16...

and re-enable git snapshots.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Disable git snapshots for the 4.1.15 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.1.15.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

nsswitch: fix soname of linux nss_*.so.2 modules

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(similar to commit 575b093dac3c509b1bfaab0b4ad29b9b4214e487)

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Sun Jan 11 16:15:06 CET 2015 on sn-devel-104

selftest: use shared/libnss_wrapper_winbind.so.2

This library is always available in make test.
nss-wrapper strictly requires the linux nss api.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 4eb24fa545234be506eb1330ccbbfd5c2b9e0d82)

wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 82e583b04b04e560c121163850d70c52d2fce78d)

winbind: Retry after SESSION_EXPIRED error in ping-dc

Trying to establish a netlogon connection when the service ticket
expires might fail with NT_STATUS_NETWORK_SESSION_EXPIRED. The
underlying client code already marks the session as invalid, so retry
the netlogon connect in this case.

Signed-off-by: Christof Schmit <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 6 02:58:57 CET 2015 on sn-devel-104
(cherry picked from commit a2670f15dea27c10e3827216adf572f9c3894f85)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11034

winbind: Retry LogonControl RPC in ping-dc after session expiration

When the underlying session expires, the LogonControl RPC call used in
ping-dc returns NT_STATUS_IO_DEVICE_ERROR. Retry once in this case,
instead of returning the error to the caller.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 23 02:46:34 CET 2014 on sn-devel-104
(cherry picked from commit 2fdc55160309cec89aeb88243cb18d058c67e918)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11034

librpc/ndr_drsuapi: Allow ndrdump to dump dsinfo52 blobs

Change-Id: I6968b25c67587296b928b2193a9d48093c69c01a
Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1ac96a416d7d6db2476f56129166fd9e018e7306)

The last 6 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11006
'domain join' fails - 'drsuapi.DsBindInfoFallBack' has no attribute
'supported_extensions'.

idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo

Signed-off-by: Samuel Cabrero <scabrero@zentyal.com>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
(cherry picked from commit d747372d28273542298f86530e715e8faaf907f2)

librpc-idl: change the drsuapi_DsBindInfoCtr so that it match what is on the wire both in NDR32 and NDR64.

Previous implementation had a problem with NDR64 with uint32 and
uint3264 being in the wrong order

Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 30 10:16:02 CET 2013 on sn-devel-104

(cherry picked from commit 8dc931bafca00c1c61a4366ffb6cfa72a98bb412)

librpc-idl: replace int32 by uint32 as the values are always > 0

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1e2e421632c275f8cf7529935f72ef3639ddea14)

librpc-idl: replace int32 by the enumeration as it's the type that we use in union's switch drsuapi_DsGetDCInfoCtrLevels

Signed-off-by: Matthieu Patou <mat@matws.net>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 568bf16dfadb4bd3003ed18b19098a3d1473f2fe)

drsuapi.idl: change the range for attribute values to 26214400 bytes.

This matches the IDL from [MS-DRSR].

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
(cherry picked from commit 51d8eba8417c58c2ade30d58a838441008209542)

libcli/smb: only force signing of smb2 session setups when binding a new session

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 12 23:11:40 CET 2014 on sn-devel-104

(cherry picked from commit daff0f5d709eca621a7f319c892ecaba7b03e5c2)

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Thu Dec 18 23:00:51 CET 2014 on sn-devel-104

s3:smb2_server: allow reauthentication without signing

If signing is not required we should not require it for reauthentication.
Windows clients would otherwise fail to reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 382019656ee164fd21455ed7d7b5e9e18bd0ca72)

s3:smb2_server: use the global signing key to check if signing is required

If we have a channel session key, we also always have a global session key.

For multi-channel it's possible that the channel session key is not in place
yet, in that case the global session key needs to be used.

In both cases (reauth or session bind) we session setup requests need to be
signed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 7e006d11134cdc37ea0fc13110fe5bbfb9de3f14)

testprogs/test_ldb: check rootdse search with extended-dn control

Verifies BUG: https://bugzilla.samba.org/show_bug.cgi?id=10949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Dec 12 20:15:46 CET 2014 on sn-devel-104

(cherry picked from commit 7e81fe282540a5b52dcb8c5396321a67733790d2)

s4:dsdb/rootdse: expand extended dn values with the AS_SYSTEM control

Otherwise we can't find the GUID of the 'serverName' attribute
as ANONYMOUS.

This results in

  root@ub1204-161:~# ldbsearch -U% -H ldap://172.31.9.161 -b '' -s base --extended-dn serverName
  search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:567> <>

While it works as system:

  root@ub1204-161:~# ldbsearch -U% -H /var/lib/samba/private/sam.ldb -b '' -s base --extended-dn serverName
  # record 1
  dn:
  serverName: <GUID=348c35e1-04e3-4988-a32c-32478d584551>;CN=UB1204-161,CN=Serve
   rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base

  # returned 1 records
  # 1 entries
  # 0 referrals

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit a6ecef4532e4529a819219cd814e2979c2df0797)

s3:utils/profiles fix a use after free

path is a talloc-child of subkeys, so subkeys should not be freed before calling
verbose_output

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Wed Dec 3 00:43:19 CET 2014 on sn-devel-104

(cherry picked from commit 3b90bfb1089e6a4b7e05e7ed62bb642521f57917)

s3:registry/regfio fix some valgrind warnings

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4b41489901b7f1a78ffd479128c3e0d309e53b53)

s3:registry/regfio read SD from the correct location

try to find the security descriptor at the data pointer, not at the beginning of the hbin

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9629

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 217a0189c15761f6c7b24c9d7bfdbccf85de8e1d)

s3: modules: Fix *allocate* calls to follow POSIX error return convention.

Fix up the ceph, time_audit and streams_xattr modules to follow
the -1,errno convention for errors.

Reported by Jones <jones.kstw@gmail.com> who provided the
initial patch. This patch tested and confirmed working
by him as well.

Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Mon Dec 8 12:29:00 CET 2014 on sn-devel-104

s3: smbd: Fix *allocate* calls to follow POSIX error return convention.

Fix vfs_allocate_file_space(), vfs_slow_fallocate(),
vfs_fill_sparse() to follow the -1,errno convention
for errors.

Standardize on the -1,errno convention.

Reported by Jones <jones.kstw@gmail.com> who provided the
initial patch. This patch tested and confirmed working
by him as well.

https://bugzilla.samba.org/show_bug.cgi?id=10982

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@suse.de>
(cherry picked from commit cc1f91cec627cb3e4fc89b96aae1e7e4c539cd1c)

s3: smbd: Fix *allocate* calls to follow POSIX error return convention.

vfswrap_fallocate() is broken in that it can call posix_fallocate()
which returns an int error (and doesn't set errno) but can also
call Linux fallocate() which returns -1 and sets errno.

Standardize on the -1,errno convention.

Reported by Jones <jones.kstw@gmail.com> who provided the
initial patch. This patch tested and confirmed working
by him as well.

https://bugzilla.samba.org/show_bug.cgi?id=10982

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@suse.de>
(cherry picked from commit c9235deee0fc49c99cfaf2329b7af526d9dd12d0)

s3-libsmb: Duplicate the memory before we free it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10279

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 8c41795c81d85114e383e694ba7421e95bacb912)

s3-libsmb: Set the netbios_name in use_ccache case too.

If we do not set the netbios_name we are not able to connect to a
Windows DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10279

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 206f25d815024248214f076fd60c35862e9de8a1)

s3-lib: Do not require a password with --use-ccache.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10279

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 1e148a91fd20053f823b57e19d757665fa30c53d)

pam_winbind: fix warn_pwd_expire implementation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9056

warn_pwd_expire parameter is not working as documented in pam_winbind manual
page. This patch adds missing bit and allows disabling warning message fully,
i.e. setting warn time to zero days.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Dec 3 21:36:49 CET 2014 on sn-devel-104

libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does.

Required as some servers return zero when asked for
zero credits in an initial SMB2-only negprot.

Back-port of c426f97238e4f664d1b13781101ca9c942aa7d0d
from master.

https://bugzilla.samba.org/show_bug.cgi?id=10966

Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Thu Dec 4 21:55:16 CET 2014 on sn-devel-104

s3-smbstatus: Fix exit code of profile output.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10961

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3-smbclient: Return success if we listed the shares.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10960

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses

In the initial implementation only IPv4 addresses were supported.

Add IPv6 (and mixed IPv4/IPv6) support and all further needed conversion
routines to support w2k, dotnet, longhorn clients.

Signed-off-by: Guenter Kukkukk <linux@kukkukk.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Wed Nov 26 03:44:07 CET 2014 on sn-devel-104

(cherry picked from commit 3ac4355f3e7f79bc0045c43bc818697dc6b08850)

The last 3 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10952
samba-tool dns serverinfo <server> is broken for IPv6 - also in mixed IPv4/IPv6
environments.

samba-tool: Fix the IP output of "samba-tool dns serverinfo <some_server>"

Avoid hardcoded IP-strings, use standard python IP functions to format
IPv4 and IPv6 addresses correctly.

I have removed the display of the port number.
MS-DNSP 2.2.3.2.2.1 DNS_ADDR: (from May 15, 2014)
Port Number (2bytes): Senders MUST set this to zero, and receivers MUST ignore
it.

Signed-off-by: Guenter Kukkukk <linux@kukkukk.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit d5af53c5372866a33a0195cabbd64232ac53bad4)

samba-tool: Fix enum values in dns.py

DNS_ZONE_UPDATE_SECURE was used twice, DNS_ZONE_UPDATE_UNSECURE was missing.

Signed-off-by: Guenter Kukkukk <linux@kukkukk.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 4bda589c8e68cd66ca3b0ea9496cb1b11febcae6)

VERSION: Bump version up to 4.1.15...

and re-enable git snapshots.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Disable git snapshots for the 4.1.14 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.1.14.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

s4-dns: dlz-bind: Add trailing '.' to all fqdn strings

BIND 9.10.x is strict when sending records via putrr and putnamedrr.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10620

Thanks to Guenter Kukkukk for identifying the problem and resolution.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Guenter Kukkukk <kukks@samba.org>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Nov 21 06:14:55 CET 2014 on sn-devel-104

(cherry picked from commit b7f6b09a13daaa702aef5a0ab9f458521e4902b1)

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Mon Nov 24 23:27:37 CET 2014 on sn-devel-104

s4-dns: Add support for BIND 9.10

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Matthieu Patou <mat@matws.net>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Sat Oct 25 05:42:19 CEST 2014 on sn-devel-104

(cherry picked from commit faa3423d1a26eb6103389b234add0f1e8d0dfc08)

Conflicts:
python/samba/provision/sambadns.py
source4/dns_server/dlz_bind9.c
source4/setup/named.conf.dlz

s4-dns: Update dlz_minimal.h based on BIND release 9.10

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Matthieu Patou <mat@matws.net>
(cherry picked from commit aeb6ad8a9c2713c6c71a2ac4cd355dd1bda6cc51)