VERSION: Disable git snapshots for the 4.2.0rc4 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.2.0rc4.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl

This requires an additional control to be used in the
LSA server to add domain trust account objects.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I36ad5ebc5d8a4811c41b59af90a3add4ae5fd857
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

CVE-2014-8143:auth: Force talloc type of session_info pointer to match

This helps us keep things safe in LDB where we put this in a opaque pointer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Andrew Bartlett

Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

vfs_fruit: mmap under FreeBSD needs PROT_READ

We memmove, which does read

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11040

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <rb@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 56e2384dfe29fd8f16b9d0cf7264f9bb8ed38966)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Thu Jan 15 16:16:51 CET 2015 on sn-devel-104

vfs_fruit: fix base_fsp name conversion

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11039

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit d9c22a3af2ac319d075a952c71496b6b76c83fcf)

s3-libads: Fix a possible segfault in kerberos_fetch_pac().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11037

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit a13e29cc4345d85ab6fe4482119386b87e4e8673)

lib/util: Avoid collision which alread defined consumer DEBUG macro.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11033

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 87c176563baea3458c5322f1e3dfae6cf074b4b4)
Signed-off-by: Andreas Schneider <asn@samba.org>

spoolss: clear PrinterInfo on GetPrinter error

If an error is returned without zeroing a pre-allocated @info pointer,
then marshalling of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a11e97b79645ff0d9e7d20f5318a979194a858fe)

spoolss: clear info on GetPrinterDriverDirectory error

If an error is returned without zeroing a pre-allocated @info pointer,
then marshalling of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c9fccb5018f9a19bb654b9ad79aa716e37a274d6)

spoolss: clear info on GetPrintProcessorDirectory error

If an error is returned without zeroing a pre-allocated @info pointer,
then marshalling of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 679c781112ce6b7cffca11c28e58ae5f9a0d717d)

spoolss: clear FormInfo on GetForm error

In handling a spoolss GetForm request, the handler may return an
immediate error if one of the input parameters is invalid.  If this is
done without zeroing the pre-allocated @info pointer, then marshalling
of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b113ed6043622cdec68f3a70631b363594f3a8d0)

spoolss: clear DriverInfo on GetPrinterDriver2 error

In handling a spoolss GetPrinterDriver2 request, the handler may
return an immediate error if one of the input parameters is invalid.
If this is done without zeroing the pre-allocated @info pointer, then
marshalling of the response will fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit fb9ecb044ee986ab3496da6cbad162a224378475)

spoolss: clear JobInfo on GetJob error

In handling a spoolss GetJob request, the _spoolss_GetJob() handler may
return an immediate error if one of the input parameters is invalid. If
this is done without zeroing the pre-allocated @info pointer, then
api_spoolss_GetJob() will attempt to marshall @info, which in the case
of an @offered value of zero results in a marshalling error:

ndr_push_error(7): Bad subcontext (PUSH) content_size 64 is larger
than size_is(0)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10984

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 89869e090c56a3f83b451b437f9c3f40a231dd24)

[PATCH] vfs: Add glusterfs manpage.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10240

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jan  7 20:57:57 CET 2015 on sn-devel-104

net: Fix sam addgroupmem

Domain local groups come across as SID_TYPE_ALIAS and are sent to us in the
PAC/Info3 struct. We should allow this in net sam addgroupmem.

Volker

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11051

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jan 13 15:28:16 CET 2015 on sn-devel-104

s3:passdb: fix logic in pdb_set_pw_history()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10940

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan  5 16:51:30 CET 2015 on sn-devel-104

(cherry picked from commit c5948040805f2585dd9da3a6955f605d8d9fa70c)

s3-util: Fix authentication with long hostnames.

If the hostname is longer than MAX_NETBIOSNAME_LEN we fail to correctly
check the hostname.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11008

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit da2611adef32107f5a0eec97501c01232ab72efc)
Signed-off-by: Andreas Schneider <asn@samba.org>

winbind: Retry after SESSION_EXPIRED error in ping-dc

Trying to establish a netlogon connection when the service ticket
expires might fail with NT_STATUS_NETWORK_SESSION_EXPIRED. The
underlying client code already marks the session as invalid, so retry
the netlogon connect in this case.

Signed-off-by: Christof Schmit <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan  6 02:58:57 CET 2015 on sn-devel-104
(cherry picked from commit a2670f15dea27c10e3827216adf572f9c3894f85)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11034

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Tue Jan 13 23:17:05 CET 2015 on sn-devel-104

winbind: Retry LogonControl RPC in ping-dc after session expiration

When the underlying session expires, the LogonControl RPC call used in
ping-dc returns NT_STATUS_IO_DEVICE_ERROR. Retry once in this case,
instead of returning the error to the caller.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 23 02:46:34 CET 2014 on sn-devel-104
(cherry picked from commit 2fdc55160309cec89aeb88243cb18d058c67e918)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11034

tdb_wrap: Make mutexes easier to use

This patch makes sure we work fine and open without mutexes if they
are not supported.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 911439639a2caa17a9680cb297e9fe26eba56149)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11032

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Mon Jan 12 22:28:31 CET 2015 on sn-devel-104

nss_wrapper: check for nss.h

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11026

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Oct 15 14:06:11 CEST 2014 on sn-devel-104

(cherry picked from commit ee9d075ae44ca8fdfa16afe878038711641f9a0c)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Fri Jan  2 23:52:50 CET 2015 on sn-devel-104

ctdb-daemon: Use correct tdb flags when enabling robust mutex support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11000

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e0bf5dd4566785b41ad1fa0492a9f215639f1685)

tdb: version 1.3.4

Transactions are supported with TDB_MUTEX_LOCKING.

This fixes https://bugzilla.samba.org/show_bug.cgi?id=11004

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Dec 19 11:41:26 CET 2014 on sn-devel-104

(cherry picked from commit a1a90f74eb10a10ac9d508028ed998f8c843f88a)

tdb/toos: allow transactions with TDB_MUTEX_LOCKING

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11004

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit f32747ddd06445b5c51aa3f1b56fead48285a735)

tdb/test: add tdb1-run-mutex-transaction1 test

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11004

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 5d5d91fae55a806261375b87bf7109a980471799)

tdb: allow transactions on on tdb's with TDB_MUTEX_LOCKING

There's no real reason to disallow transactions as the
allrecord lock is also available with mutexes enabled.

E.g. ctdbd requires transactions also on non-persistent databases
opened with TDB_CLEAR_IF_FIRST and TDB_MUTEX_LOCKING.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11004

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit d0839af9d60a6fdf0720cd0b1a859e0e2241903f)

VERSION: Bump version up to 4.2.0rc4 and...

re-enable git snapshots.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Disable git snapshots for the 4.2.0rc3 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.2.0rc3.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

s3:passdb: let pdb_get_trust_credentials() try pdb_get_trusteddom_creds() first

NT_STATUS_NOT_IMPLEMENTED lets it fallback to the old get_trust_pw_clear2()
code.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 18 06:46:05 CET 2014 on sn-devel-104

(cherry picked from commit 12aaafd2971ac71823ccbebda7b2afd689239770)

Autobuild-User(v4-2-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-2-test): Thu Dec 18 13:06:40 CET 2014 on sn-devel-104

s3:passdb: add optional get_trusteddom_creds() hooks

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8e90b93ddceabd582cb28e40882036e7772608aa)

pdb: fix build issues with shared modules

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10355

Change-Id: I26e78b56ead0c66afcda6b3fb8b1fd09130b24a5
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 7a9147dab593a495c5ed5e1157ec8eb8a2809586)

s3:idmap_cache: remove unused idmap_cache_set_sid2[u|g]id()

Change-Id: I40bcfacb812b0dac7917533c9baf82a79f598efd
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Dec  3 06:44:29 CET 2014 on sn-devel-104

(cherry picked from commit 816751a3a8ed564f2cf880fd1ca3b1e8f9c85471)

pdb: Increase version number to fix ABI

In the process, we can also rename pdb to avoid conflicts with libpdb.

We don't depend directly on pdb to avoid duplicate symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10355
Change-Id: I4df6ba2f4ce35d3718dc4198b527cca46a139efe
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3b76b705f03b8f639ece2308afdc0962d230c42a)

idmap: return the correct id type to *id_to_sid methods

We have a pointer to a unixid which is sent down instead of a uid or
gid. We can use this as an in-out variable so that pdb_samba_dsdb can be
returned ID_TYPE_BOTH to cache correctly instead of leaving it as
ID_TYPE_UID or ID_TYPE_GID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720

Change-Id: I0cef2e419cbb337531244b7b41c708cf2ab883e3
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 58b343be4742b3ba1f447701a8254453c21af413)

idmap: unify passdb *id_to_sid methods

Instead of passing down gid or uid, a pointer to a unixid is now sent
down. This acts as an in-out variable so that the idmap functions can
correctly receive ID_TYPE_BOTH, filling in cache details correctly
rather than forcing the cache to store ID_TYPE_UID or ID_TYPE_GID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10720

Change-Id: I11409a0f498e61a3c0a6ae606dd7af1135e6b066
Pair-programmed-with: Andrew Bartlett <abarlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7979c6cc50eaa792e5094866878c63df36e715c3)

s3:passdb: avoid invalid pointer type warnings in pdb_wbc_sam.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 7ec8401f82994070eaaf81ff067c0cd0576d58e3)

s3:passdb: always copy the history in pdb_set_plaintext_passwd()

We should not write to memory marked as const
(returned from pdb_get_pw_history())!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 966192ee16d6802da5c2b046d2488ddd1a7ec960)

pdb_tdb: Avoid a nasty error message with ctdb

ctdb gives us 0-sized records for deleted passdb entries

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Nov 11 16:19:37 CET 2014 on sn-devel-104

(cherry picked from commit c2bda5bfae2cac4e473f2ae42775d2e35995c790)

pdb_tdb: don't leak state_path onto talloc tos

Also check for allocation failures.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6d5b8dd70e542840a96c45b916b1bd2b9685697f)

account_pol: don't leak state_path onto talloc tos

Also check for allocation failures.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f88535e56e23e27492851c0fc6e9a86cfdaab041)

passdb: Use common code in cli_credentials_set_machine_account_db_ctx()

This avoids some duplication in setting the machine account passsword
for the domain member and DC case.

This does not yet remove the duplication, that requires a bigger
restructure of the various routines used here to obtain the machine
and domain trust secrets.

Also no longer used is the timeout/2 code to not set the previous
password.  It is now always passed to the caller.

Andrew Bartlett

Change-Id: Idd5bafedf4cbac30b174955d743ec4128a6902ee
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 37f5d822d636d4286bd8ee64c7e9e44ae1a297e1)

auth/credentials: Ensure that we set the realm when reading secrets.tdb

Otherwise, we try and kinit as host$@DOMAIN and that will not work.

Andrew Bartlett

Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e9dc6423d3f1ab3401314e134ecc574fc5d4c18b)

credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()

This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()

Andrew Bartlett

Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 35b8ed7710f60abcc70e0b070afc16bf3faef263)

credentials: Improve error message on failure to set machine account password

Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 89daf5dc534ab03724a2622d3b6b4d6783756bae)

credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account

This should ensure more parts of the source4 code can work with a
password set in secrets.tdb.

Andrew Bartlett

Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit adb3eb79ea828b6e6e1858c3d1b8b5ffe868f8ed)

s3:locking: fix uninitialiazed variable in brl_get_locks_readonly_parser()

In a cluster this can be called with an empty record, while
brl_parse_data() relies on an initialized structure.

This is a regression in commit 837e29035c911f3509135252c3f423d0f56b606d.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10911

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6bc41c459f6da7de62d2113590bc7d0c2d04e136)

ctdb-build: fix build without xsltproc

Check for XSLTPROC_MANPAGES before trying to build the docs.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 8d5f58120b6eeb73d1dc3c4df2ec6e12170888aa)

The last 4 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11014
Top level build does not install CTDB configuration files.

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Wed Dec 17 23:45:20 CET 2014 on sn-devel-104

packaging: Include CTDB man pages in the tarball

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0f7aae85804889e586c0ce88563af0720e55bd3f)

ctdb-build: Fix the installation of config files for top-level build

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit be241207c29357c3cbda2eddb1002930d2e0592c)

ctdb-build: Fix the indentation

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 641bb5eab344fe85fb93898d5a8bc08d35e11fdc)

libcli/smb: only force signing of smb2 session setups when binding a new session

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 12 23:11:40 CET 2014 on sn-devel-104

(cherry picked from commit daff0f5d709eca621a7f319c892ecaba7b03e5c2)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Tue Dec 16 23:36:50 CET 2014 on sn-devel-104

s3:smb2_server: allow reauthentication without signing

If signing is not required we should not require it for reauthentication.
Windows clients would otherwise fail to reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 382019656ee164fd21455ed7d7b5e9e18bd0ca72)

vfs_streams_xattr: add missing call to SMB_VFS_NEXT_CONNECT

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11005

Signed-off-by: Ralph Boehme <slow@samba.org>
Rewviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 12 02:09:24 CET 2014 on sn-devel-104

(cherry picked from commit 3554d88a589c079edea068867601c2d25b966932)

testprogs/test_ldb: check rootdse search with extended-dn control

Verifies BUG: https://bugzilla.samba.org/show_bug.cgi?id=10949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Dec 12 20:15:46 CET 2014 on sn-devel-104

(cherry picked from commit 7e81fe282540a5b52dcb8c5396321a67733790d2)

s4:dsdb/rootdse: expand extended dn values with the AS_SYSTEM control

Otherwise we can't find the GUID of the 'serverName' attribute
as ANONYMOUS.

This results in

  root@ub1204-161:~# ldbsearch -U% -H ldap://172.31.9.161 -b '' -s base --extended-dn serverName
  search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:567> <>

While it works as system:

  root@ub1204-161:~# ldbsearch -U% -H /var/lib/samba/private/sam.ldb -b '' -s base --extended-dn serverName
  # record 1
  dn:
  serverName: <GUID=348c35e1-04e3-4988-a32c-32478d584551>;CN=UB1204-161,CN=Serve
   rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base

  # returned 1 records
  # 1 entries
  # 0 referrals

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit a6ecef4532e4529a819219cd814e2979c2df0797)

s3:utils/profiles fix a use after free

path is a talloc-child of subkeys, so subkeys should not be freed before calling
verbose_output

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Wed Dec  3 00:43:19 CET 2014 on sn-devel-104

(cherry picked from commit 3b90bfb1089e6a4b7e05e7ed62bb642521f57917)

s3:registry/regfio fix some valgrind warnings

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4b41489901b7f1a78ffd479128c3e0d309e53b53)

s3:registry/regfio read SD from the correct location

try to find the security descriptor at the data pointer, not at the beginning of the hbin

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9629

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 217a0189c15761f6c7b24c9d7bfdbccf85de8e1d)

ctdb-tests: Need to drop public IPs in kill-failover tests

These tests simulate a dead node rather than a CTDB failure, so drop
IP addresses when killing a "node" to avoid problems with duplicates.

To cope with a CTDB failure a watchdog would be needed to ensure that
the public IPs are dropped when CTDB dies.  Let's not do that now.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Dec  5 23:29:39 CET 2014 on sn-devel-104

(cherry picked from commit a07af1bb56a76d1a7ab856547c801499fc17b21b)

The last 30 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10996
IPv6 support in CTDB is broken.

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Wed Dec 10 23:19:21 CET 2014 on sn-devel-104

ctdb-daemon: Gratuitous ARP equivalent for IPv6 is neighbor advertisement

Not neighbour solicitation.  See:

  https://tools.ietf.org/html/rfc4861#section-4.4

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 7f3f3b15d52c4047cbcb1c3e81f65675c8708f5f)

ctdb-tests: More debug on SSH failure

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 3a2c8bb906fac4e2611a28ead6b4290ddc93de54)

ctdb-tests: Make tcpdump output more verbose

This helps with debugging.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 49449f66fca52d5044d2e486570562df866adf57)

ctdb-tests: Use ip neigh command instead of arp

Extend select_test_node_and_ips() to set $test_prefix in addition to
$test_ip.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit a7e7d95de9cf09652cef63d65484bbb0faa42e1c)

ctdb-tests: Generalise the gratarp and tickle sniffing code for IPv6

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Pair-programmed-with: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 0f3d9752c4677b2f3b5ee47a0b8f973b4260ef57)

ctdb-tests: Match IPv6 connections in netstat output

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 3135a8c62551e09a3abada86335882a91d398747)

ctdb-tests: Use ping_wrapper to do relevant ping or ping6

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 255705c030135bd54a1f7a7dc40cbf00c2fb39c9)

ctdb-tests: Extend regexps to handle IPv6 address matching

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 62acf5986f52a3118ed4e3638c5ac8b1f9c0adf8)

ctdb-tests: Bracket IP addresses in NFS mounts and scp command (for IPv6)

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 62164ec52fd1082863bf5017a5170f74f18a07c3)

ctdb-tests: Try to handle IPv6 addresses for local daemons

If CTDB_USE_IPV6 is set then use IPv6 addresses for nodes and public
IPs.  This can be useful for some simple tests.  However, the node
address actually needs to be on lo so that ctdbd can bind to the port
on that address, so they actually need to be added as root before
running tests, like this:

  for i in $(seq 1 10) ; do ip addr add "fc00:10::${i}/64" dev lo ; done

IPv4 127.0.0.0/8 addresses are somehow magic and only one needs to be
on lo so that many can be bound to.

Also change the IPv4 node addresses to be (slightly) more exotic.

For both IPv4 and IPv6, choose addresses that are compatible with
socket wrapper.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Signed-off-by: Amitay Isaacs <amitay@gmail.com> (socket wrapper fixes)
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net> (socket wrapper fixes)
(cherry picked from commit d9d07fff34143d251b4987cdb1cff1e8b3384e64)

ctdb-tests: Extend regexp to match IPv6 addresses

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 2a83b74597a3366536e1935e2e8ff23493503117)

ctdb-tools: Bracket IP addresses in onnode (for IPv6)

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 2d480792e7d0b3f6628186dc77f54b708e315dd1)

ctdb-daemon: Fix IP address comparisons for IPv6 addresses

Before storing node IP address, convert into the correct abbreviated
string form for IPv6 addresses.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit e3c59d83d0ace9d7421d40d33fe917fb82bb38d8)

ctdb-scripts: Wait until IPv6 addresses are not "tentative"

There are a few potential failure modes when adding an IPv6 address.
It takes a little while of duplicate address detection to complete, so
wait for a while.  After a timeout, also need to check to see if
duplicate address detection failed - if it did then actually drop the
IP address.

This really needs some careful thinking.  If CTDB disappears on a node
but the node's IP addresses are still on interfaces then the above
failure mode could cause the takeover nodes to become banned.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit d0b2375c3d754da3cd68e34617ab3edd36e9317b)

ctdb-eventscripts: Specify broadcast optionally to ip addr add

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit d4212bd6a533b4b54b56e376a9246f2396cba253)

ctdb-daemon: Trust vnn->interface for an IP when releasing it

ctdb_sys_find_ifname() doesn't work for IPv6 addresses so don't use
it.

Trust the eventscript to do sanity checking on the interface.  Current
warnings are replaced with equivalents generated by the eventscript.
The unlikely message:

  Public IP %s is hosted on interface %s but we have no VNN

will be replaced by:

  WARNING: Public IP %s hosted on interface %s but VNN says __none__

which is clear enough.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 108b1be0ee62af7ecb3c775f45c540dd07a527bf)

ctdb-scripts: Make 10.interface IPv6-safe

Add checking to "releaseip" and "updateip" to ensure that the given IP
address is really on the given interface with the given netmask.  If
reality doesn't match the given arguments then believe reality.

Use new function iptables_wrapper() instead of calling iptables()
directly.

Use new function flush_route_cache() instead of doing IPv4-specific
/proc magic.

Remove setting of otherwise unused variable "failed".

Fix a test for which the error message has changed.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 6471541d6d2bc9f2af0ff92b280abbd1d933cf88)

ctdb-scripts: New functions ip6tables() and iptables_wrapper()

ip6tables() uses the same lock as iptables().  This is done on
suspicion.

iptables_wrapper() takes 1st argument "inet" or "inet6", and the rest
is passed to the correct iptables variant.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit c314ae0b2af4a902cdd003ec6d663fe5b62b003b)

ctdb-scripts: Add IPv6 addresses support in ip_maskbits_iface()

It also prints a third word, the address family.  This is either
"inet" or "inet6".

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit ed029ae0a1faa56bf882a71d10828e2a90ab0bc7)

ctdb-utils: Update Nagios code to use ctdb -X

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit b41c1bdaa1df92ee6c510ae6749d0524b88ef828)

ctdb-doc: Update examples to use ctdb -X

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 0d61b6137306ee0eab2981e3c213023c332da550)

ctdb-tool: Fix "ctdb -Y ifaces" output to have trailing delimiters

In the CTDB CLI tool source code and the documentation example.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 550fb8ce877cf980b4fd3be4f964449b369cf61e)

ctdb-tests: Update integration tests to use ctdb -X

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 2c4de75d8754616891e97222cfb2ec58fdd8eac2)

ctdb-tools: Update onnode and ctdb-diagnostics to use ctdb -X

Also update onnode unit tests.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 55df9c86c19e261a2a384ffc4b77c596c84e53a0)

ctdb-scripts: Update eventscripts to use ctdb -X instead of ctdb -Y

Also update associated eventscript unit tests and ctdb stub.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 4940f191d37b5deadc8b1edf0cd516674e5d5d64)

ctdb-tools: Add -X option for machine parsable output with separator '|'

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 7428f809a76044fcbc98fd5f718e331ce183941d)

ctdb-tools: Add -x option to specify delimiter for machine readable output

To support this, update printm() to replace ':' in format string with
options.machineseparator, which is a string but must contain a single
character.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 3b90e45bae555cc4a47fe9958b86628d41084868)

ctdb-tools: Produce machine readable output with new function printm()

printm() is a printf(3) replacement and must be used to printing any
machine readable output.  It currently just calls vprintf(3).  Later
it will change the field delimiter.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit fbacbb9c7868e22c04980af3602bae59dd5fe34d)

Conflicts:
ctdb/tools/ctdb.c

ctdb-recoverd: Process all the records for vacuum fetch in a loop

Processing one migration request at a time is very slow and processing
a batch of records can take longer than VacuumInterval.  This causes
subsequent vacuum fetch requests to be dropped.  The dropped records
can accumulate quickly and will cause the vacuum database traverse to
be quite expensive.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Dec  5 17:06:58 CET 2014 on sn-devel-104

(cherry picked from commit 959b9ea0ef85c57ffc84d66a6e5e855868943391)

The last 6 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10997
Fix database vacuuming.

ctdb-vacuum: Do not delete VACUUM MIGRATED records immediately

Such records should be processed by the local vacuuming daemon to ensure
that all the remote copies have been deleted first.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 257311e337065f089df688cbf261d2577949203d)

ctdb-vacuum: Use non-blocking lock when traversing delete tree

This avoids vacuuming getting in the way of ctdb daemon to process
record requests.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit dbb1958284657f26a868705e5f9612bc377fd5e0)

ctdb-vacuum: Use non-blocking lock when traversing delete queue

This avoids vacuuming getting in the way of ctdb daemon to process
record requests.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit d35f512cd972ac1f732fe998b2179242d042082d)

ctdb-vacuum: Stagger vacuuming child processes

This prevents multiple child processes being forked at the same time
for vacuuming TDBs.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit e4597f8771f42cf315bd163c18b2f27147d3de5f)

ctdb-vacuum: Track time for vacuuming in database statistics

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit a0628e317df76c7c38a7cca9c3090077fa352899)

WHATSNEW: Announce SMB2 leases support.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10911

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Wed Dec 10 00:00:08 CET 2014 on sn-devel-104

s3:locking: Change the data model for leases_db to cope with dynamic path renames.

interface leases_db
{
        typedef [public] struct {
                GUID client_guid;
                smb2_lease_key lease_key;
        } leases_db_key;

        typedef [public] struct {
                file_id id;
                [string,charset(UTF8)] char *servicepath;
                [string,charset(UTF8)] char *base_name;
                [string,charset(UTF8)] char *stream_name;
        } leases_db_file;

        typedef [public] struct {
                uint32 num_files;
                [size_is(num_files)] leases_db_file files[];
        } leases_db_value;
}

As designed by metze.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec  9 03:44:04 CET 2014 on sn-devel-104

(cherry picked from commit 5ebb1903858b4d1aadfa4e04644ec1b2b218b914)

The last 5 patches address
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10911
SMB2 leases are not yet supported.

s3:locking: pass down servicepath to leases_db_add()

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 708f87b79dcdfc58e2219e90473160eb5a22ecb6)