VERSION: Disable git snapshots for the 4.2.5 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.2.5.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

dcerpc.idl: accept invalid dcerpc_bind_nak pdus

Older Samba versions (<= 4.1) had a bug in the dcerpc_bind_nak
idl, see commit f73ef3028c4f4583c81b611a9714608eae79360c.

Note: ndr_pull_dcerpc_bind_nak() was generated by pidl and
has been extended by the (_available == 0) check.
That's why we ignore the 80 char per line limit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11327

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 21 20:34:28 CEST 2015 on sn-devel-104

(cherry picked from commit 38d547bc0d39b56a7491a5f220905f1756c1530a)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Mon Oct 26 13:40:47 CET 2015 on sn-devel-104

s3:smbstatus: add stream name to share_entry_forall()

Add stream name argument to share_entry_forall machinery so smbstatus
can print the stream name of a file.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11550

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit cd0c2a5eca43cea76491ae0d820414287c234c1a)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Wed Oct 21 11:39:53 CEST 2015 on sn-devel-104

s3: lsa: lookup_name() logic for unqualified (no DOMAIN\ component) names is incorrect.

Change so we only use unqualified name lookup logic if
domain component = "" and LOOKUP_NAME_ISOLATED flag is
passed in.

Remember to search for "NT Authority" *before* going
into unqualified name lookup logic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit 2f6dc260ada6cd178a650ca003c2ad22e12697c1)

s3:lib: validate domain name in lookup_wellknown_name()

If domain argument is not an empty string, only search the matching
wellknown domain name.

As the only wellknown domain with a name is "NT Authority", passing ""
to lookup_wellknown_name() will search all domains inlcuding "NT
Authority".

Passing "NT Authority" otoh will obviously only search that domain.

This change makes lookup_wellknown_name() behave like this:

in domain         | in name       | ok | out sid | out domain
========================================================
                    Dialup          +    S-1-5-1   NT Authority
NT Authority        Dialup          +    S-1-5-1   NT Authority
Creator Authority   Dialup          -    -         -
                    Creator Owner   +    S-1-3-0   ""
Creator Authority   Creator Owner   -    -         -
NT Authority        Creator Owner   -    -         -

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11555

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit 23f674488a1f62fcc58bb94bed0abed98078b96d)

s3:locking: initialize lease pointer in share_mode_traverse_fn()

Initialize lease pointer to point to the share_mode_data leases array
entry at index lease_idx.

This fixes a bug in smbstatus where the lease info is not printed.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11549

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 13 01:14:09 CEST 2015 on sn-devel-104

(cherry picked from commit 0ef9c67b56a0b493ed06f9a64ac2bc2233041aee)

s4: torture: Add SMB2 access-based enumeration test. Passes against Win2k12R2.

https://bugzilla.samba.org/show_bug.cgi?id=10252

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Oct 14 19:00:03 CEST 2015 on sn-devel-104

(cherry picked from commit 808f29cb2f9de47dcf78b380cc8767e9546e1954)

lib: cli: Add accessor function smb2cli_tcon_flags() to get tcon flags.

We need this to see if a share supports access-based enumeration.

https://bugzilla.samba.org/show_bug.cgi?id=10252

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit b1bd84e9c9867092055f29fe39279e1c767f570a)

s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows.

Torture test to follow.

https://bugzilla.samba.org/show_bug.cgi?id=10252

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit cc05f73872c36cd307da3d6fed200beb16d5c2a8)

smbd: Fix file name buflen and padding in notify repsonse

The array is uint16, doubling the file name length consumes twice the space
required.

As we're hand assembling this as a series of concatinated individual data_blobs,
we must take care to ensure the correct 4 byte alignment that was
being masked by the previous doubling of the filename length.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10634

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Oct 18 01:56:41 CEST 2015 on sn-devel-104

(cherry picked from commit 7c483690ac6ed007798aeeb7b8549c9d55877e56)

vfs_fruit: return value of ad_pack in vfs_fruit.c

ad_pack() in vfs_fruit.c returns false on failure and 0 on success -
i.e. return value is interpreted as success even when it fails.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11543

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Oct  6 16:14:42 CEST 2015 on sn-devel-104

(cherry picked from commit 5d7eaf959a0f11be878f698305fcb8908d7ba047)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Tue Oct 13 00:00:36 CEST 2015 on sn-devel-104

tdb: Fix bug 11381, deadlock

This fixes a deadlock in tdb that is a bad interaction between tdb_lockall
and tdb_traverse. This deadlock condition has been around even before
tdb mutexes, it's just that the kernel fcntl EDEADLK detection protected
us from this ABBA lock condition to become a real deadlock stalling
processes. With tdb mutexes, this deadlock protection is gone, so we do
lock dead.

This patch glosses over this particular ABBA condition, making tdb with
mutexes behave the same as tdb without mutexes. Admittedly this is no
real fix, but it works around a real user's problem.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11381
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 1061a9cafda7d73ebcd2f74e69e74f4adc485d5d)

vfs_commit: set the fd on open before calling SMB_VFS_FSTAT

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11547

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct  8 02:56:41 CEST 2015 on sn-devel-104

(cherry picked from commit 5709dece4860f205e31309e31ec4e3e938d9f6a5)

s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 70dbba96e311449575f571db68710584fc991234)

kerberos: make sure we only use prompter type when available.

We also verified that we cannot simply remove the prompter as several older
versions of Heimdal would crash.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Oct  2 07:29:43 CEST 2015 on sn-devel-104

(cherry picked from commit 6755376cedaf0c88230b47e04c584c7d9fce13e3)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Mon Oct  5 12:04:41 CEST 2015 on sn-devel-104

winbind: Fix 100% loop

Thanks to "L.P.H. van Belle" <belle@bazuin.nl>
for help in reproducing the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038

From the bug report:

"With e551cdb37d3e re-applied the problem is gone with
and without kerberos. Moreover, if correctly configured,
sshd requests you to change your password at logon time,
which then succeeds.

The problem why I had this reverted was because I had not
gone through the pain to correctly configure all the PAM
services (in particular the "account" section), leading
to sshd letting the user in when the password had to be
changed."

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e551cdb37d3e8cfb155bc33f9b162761c8d60889)

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct  2 00:16:29 CEST 2015 on sn-devel-104

(cherry picked from commit e524ab9f7ee9f4aff50dd5bc42312f9000bf1c6e)

s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bug #11522).

Ensure dirpath can never be NULL.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11535

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct  1 08:58:36 CEST 2015 on sn-devel-104

(cherry picked from commit f9ceaf443991e0bb5db23eeced2841436f47359e)

s3: smbd: fix a crash in unix_convert()

Some error code paths may result in dirpath being NULL.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11535

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit bec685fb13e7cbe3bb98e5647183720d31f1c522)

net: fix a crash with net ads keytab create

Fix a crash that happens when executing "net ads keytab create"
and the machine account in AD does not have setvice principal names
attached to it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11528

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e224e622971853bddbe24df717ea5dcddef71b89)

s3: tests: smbclient test to ensure we can create and see a :foobar stream on the top level directory in a share.

Regression test for:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11522

Remember to remove the ARCHIVE attribute from the toplevel
share when done (can only be done over SMB2+).

Back-ported from master 6ce3643e45bac6660ae69123738c4b39d7bc1864

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: Fix opening/creating :stream files on the root share directory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11522

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 74fd4f93efe92516fc507edf71a588660782879e)

s3: smbd: Remove unused parameter from build_stream_path().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 94e7e707783036b57babc73d320d2a3d8c0648d6)

s3: smbclient: Move cmd_setmode out of clitar.c and back into client.c

setmode <file> attribute is a valid smbclient command even if libarchive
isn't on the system and tarmode isn't compiled in.

Back-ported from master a47012d5429044c9a3616718bac21360f281aa81.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

pam_winbind: Fix a segfault if initialization fails

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11502

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Sep  8 21:39:21 CEST 2015 on sn-devel-104

(cherry picked from commit 7d84cd6e40024fd361ea21635f7befed40f0e41f)

s4: torture: Test mkdir race condition.

Found by Max of LoadDynamix <adx.forum@gmail.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11486

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 24 06:13:22 CEST 2015 on sn-devel-104

(cherry picked from commit 969d043596c0a382325d54d16dbd5e049f884fa9)

s3: smbd: Fix mkdir race condition.

Found by Max of LoadDynamix <adx.forum@gmail.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11486

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit b1c823dc8c2824ec89921601d8e5e95f6d18fca8)

s3: dfs: Fix a crash when the dfs targets are disabled.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11509

Signed-off-by: Har Gagan Sahai <SHarGagan@novell.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@wakeful.net>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 11 06:39:19 CEST 2015 on sn-devel-104

nss_winbind: fix hang on Solaris on big groups

The problem with large groups on Solaris in the the NSS winbind module is
Solaris wants the return value to be NSS_UNAVAIL if the buffer given is too
small for getgrnam_r.  The current code return NSS_TRYAGAIN which causes
Solaris/Illumos to loop without trying to resize the buffer.

Thanks to  Nathan Huff <nhuff@acm.org> for finding this out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10365

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Ralph Böhme <rb@sernet.de>
(cherry picked from commit d3e51b9cfe3d56530253571e020af72da1877044)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Tue Sep 15 13:32:29 CEST 2015 on sn-devel-104

build: use as-needed linker flag also on OpenBSD

OpenBSD is unusable with binaries with many superfluous libs linked in.
samba-tool start times of 250 seconds without as-needed vs. 1.4 seconds with
as-needed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11355

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Ralph Böhme <rb@sernet.de>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Fri Sep 11 03:37:17 CEST 2015 on sn-devel-104

(cherry picked from commit b0f41c07ffe8600433c20a038b1612c04ed29e89)

VERSION: Bump version up to 4.2.5...

and re-enable git snapshots.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Disable git snapshots for the 4.2.4 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.2.4.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

s4:torture:vfs_fruit: created empty resourceforks

Check for opens and creates, created empty resourceforks result in
ENOENT in subsequent opens.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11467

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep  2 06:50:16 CEST 2015 on sn-devel-104

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Fri Sep  4 15:24:26 CEST 2015 on sn-devel-104

s4:torture:vfs_fruit: add a resource fork truncation test

Truncating a resource fork to 0 bytes should make it inaccessible for
subsequent creates and return NT_STATUS_OBJECT_NAME_NOT_FOUND.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11467

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_fruit: delete ._ file when deleting the basefile

0 byte resource fork streams are not listed by vfs_streaminfo, as a
result stream cleanup/deletion of file deletion doesn't remove the
resourcefork stream.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11467

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_fruit: split and simplify fruit_ftruncate

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11467

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_fruit: handling of empty resource fork

Opening the resource fork stream with O_CREAT mustn't create a visible
node in the filesystem, only create a file handle. As long as the
creator didn't write into the stream, other openers withour O_CREAT
MUST get an ENOENT error. This is way OS X SMB server implements it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11467

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

samr4: Use <SID=%s> in GetGroupsForUser

This way we avoid quoting problems in user's DNs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep  1 23:49:14 CEST 2015 on sn-devel-104

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11488
(cherry picked from commit 841845dea35089a187fd1626c9752d708989ac7b)

Autobuild-User(v4-2-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-2-test): Thu Sep  3 11:45:06 CEST 2015 on sn-devel-104

s3-util: Compare the maximum allowed length of a NetBIOS name

This fixes a problem where is_myname() returns true if one of our names
is a substring of the specified name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11427

Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 4e178ed498c594ffcd5592d0b792d47b064b9586)

Autobuild-User(v4-2-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-2-test): Mon Aug 31 12:33:42 CEST 2015 on sn-devel-104

s3-auth: Fix a memory leak in make_server_info_info3()

We call make_server_info(NULL) and it is possible that we do not free
it, because server_info is not allocated on the memory context we pass
to the function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 6363c0232c2238e1a782e9c22ef762e3ff9b7563)

s3-auth: Pass nt_username to check_account()

We set nt_username above but do not use it in this function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit e8c76932e4ac192a00afa3b9731f5921c4b37da6)

s3-auth: Fix 'map to guest = Bad Uid' support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9862

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 34965d4d98d172e848e2b96fad8a9e0b99288ba7)

s3: winbindd: Fix TALLOC_FREE of uninitialized groups variable.

Fix created by by: wei zhong <wweyeww@gmail.com>

Only for 4.2.x and below, master code already fixed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10823

Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Tue Aug 25 11:25:58 CEST 2015 on sn-devel-104

s4:rpc_server/netlogon: fix bugs in dcesrv_netr_DsRGetDCNameEx2()

We should return the our ip address the client is connected too.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 459d1d3fb9a5282d19121eaacba9d611896b37ff)

Autobuild-User(v4-2-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-2-test): Tue Aug 18 19:15:43 CEST 2015 on sn-devel-104

ctdb-daemon: Correctly process the exit code from failed eventscripts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11431

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Jul 22 15:03:53 CEST 2015 on sn-devel-104

(cherry picked from commit 00ec3c477eba50206801b451ae4eb64c12aba5db)

Autobuild-User(v4-2-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-2-test): Tue Aug 18 15:55:44 CEST 2015 on sn-devel-104

ctdb-daemon: Improve error handling for running event scripts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11431

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Nov 14 03:06:12 CET 2014 on sn-devel-104

(cherry picked from commit d04bfc6ec6ad7a4749ebfee2284253c4a91a81aa)

ctdb-tool: Correctly print timed out event scripts output

The timed out error is ignored for certain events (start_recovery,
recoverd, takeip, releaseip).  If these events time out, then the debug
hung script outputs the following:

 3 scripts were executed last releaseip cycle
 00.ctdb              Status:OK    Duration:4.381 Thu Jul 16 23:45:24 2015
 01.reclock           Status:OK    Duration:13.422 Thu Jul 16 23:45:28 2015
 10.external          Status:DISABLED
 10.interface         Status:OK    Duration:-1437083142.208 Thu Jul 16 23:45:42 2015

The endtime for timed out scripts is not set.  Since the status is not
returned as -ETIME for some events, ctdb scriptstatus prints -ve duration.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11431

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 71b89b2b7a9768de437347e6678370b2682da892)

s3:lib: fix some corner cases of open_socket_out_cleanup()

In case of timeouts we retry the async_connect_send() and forgot
to remember it, this results in an abort() in async_connect_cleanup()
as the fd is already closed when calling fcntl(F_SETFL).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit ce3c77fb45ccf4d45a0fa655325e30e748d89245)

lib: Fix rundown of open_socket_out()

Under valgrind I've seen the abort in async_connect_cleanup kick in. Yes, it's
good that we check these return codes!

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11316
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jun 30 20:24:37 CEST 2015 on sn-devel-104

(cherry picked from commit 6fc65aaf956f35e2068e2a6f8521af2f2351d31e)

s4:torture:vfs_fruit: add a test for stream names

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11278

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7258061e5e9cd4b68f1c010c3667c3fd2b0663cc)

Autobuild-User(v4-2-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-2-test): Tue Aug 18 01:07:03 CEST 2015 on sn-devel-104

s4:torture:vfs_fruit: pass xattr name as arg to torture_setup_local_xattr()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11278

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fe4909f1cab72f80715a996a63290462102aabc6)

vfs_catia: run translation on stream names

With vfs_fruit option "fruit:encoding = native" we're already converting
stream names that contain illegal NTFS characters from their on-the-wire
Unicode Private Range encoding to their native ASCII representation.

Unfortunately the reverse mapping for stream names was not perfomed.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11278

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1db11998bf1b0eef5f543377700b03ab8739338d)

vfs_streams_xattr: stream names may contain colons

With vfs_fruit option "fruit:encoding = native" we're already converting
stream names that contain illegal NTFS characters from their on-the-wire
Unicode Private Range encoding to their native ASCII representation.

As as result the name of xattrs storing the streams (via
vfs_streams_xattr) may contain a colon, so we have to use strrchr_m()
instead of strchr_m() for matching the stream type suffix.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11278

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fb9a64ea37dd4b0cd754fe6d421417a4c8ccbc57)

s4:torture:vfs_fruit: copyfile

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11317

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 43820da1ca2ae09a030a510f42fc1b5d848f7fcc)

vfs:fruit: implement copyfile style copy_chunk

Implement Apple's special copy_chunk ioctl that requests a copy of the
whole file along with all attached metadata.

These copy_chunk requests have a chunk count of 0 that we translate to a
copy_chunk_send VFS call overloading the parameters src_off = dest_off =
num = 0.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11317

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e34c879471fe6a4a5c88144394bf621e910cc82b)

smb2:ioctl: support for OS X AAPL copyfile style copy_chunk

Apple's special copy_chunk ioctl that requests a copy of the whole file
along with all attached metadata.

These copy_chunk requests have a chunk count of 0 that we translate to a
copy_chunk_send VFS call overloading the parameters src_off = dest_off =
num = 0.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11317

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 58480da5066bd33bc73aeb72bd17bd4797c22110)

s3:util: add internal function for transfer_file that uses pread/pwrite

read/write aren't overloaded in the streams VFS modules, using
pread/pwrite instead this makes it possible to use transfer_file() with
named streams.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11317

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit cda8c24a676232bc5834c523407caef8ea9ff038)

ctdb-build: Fix building of PCP PMDA module

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 1e13455d7e9d668b426427e8bdebc73328e50d92)

Autobuild-User(v4-2-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-2-test): Mon Aug 17 20:39:02 CEST 2015 on sn-devel-104

ctdb-daemon: Check if updates are in flight when releasing all IPs

Some code involved in releasing IPs is not re-entrant.  Memory
corruption can occur if, for example, overlapping attempts are made to
ban a node.  We haven't been able to recreate the corruption but this
should protect against it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11432

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 952a50485f68b3cffdf57da84aa9bb9fde630b7e)

ctdb-banning: If node is already banned, do not run ctdb_local_node_got_banned()

This calls release_all_ips() only once on the first ban.  If the node gets
banned again due to event script timeout while running release_all_ips(),
then avoid calling release_all_ips() in re-entrant fashion.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11432

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 8eb04d09b119e234c88150e1dc35fc5057f9c926)

s3-net: use talloc array in share allowedusers

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11426

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Aug  4 16:48:36 CEST 2015 on sn-devel-104

(cherry picked from commit 95eb6db580678a29b1f5f30a9567ea449a43d75a)

s4:rpc_server/netlogon: Fix for NetApp

This patch fixes an issue where NetApp filers joined to a
Samba/ADDC cannot resolve SIDs. Without this patch the issue
can only be avoided by setting "allow nt4 crypto = yes" in smb.conf.

The issue is triggered by NetApp filers in three steps:

1. The client calls netr_ServerReqChallenge to set up challenge tokens

2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS
   set to 0. Native AD and Samba respond to this with
   NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away
   the challenge token negotiated in the first step.

3. Next the client calls netr_ServerAuthenticate2 again, this time with
   NETLOGON_NEG_STRONG_KEYS set to 1.
   Samba returns NT_STATUS_ACCESS_DENIED as it has lost track
   of the challenge and denies logon with the message

   No challenge requested by client [CLNT1/CLNT1$], cannot authenticate

Git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced
a workaround for a different but related issue. This patch makes a minor
adjustment to that commit to delay flushing the cached challenge until
it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED
situation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Aug  6 20:29:04 CEST 2015 on sn-devel-104

(cherry picked from commit d3ac3da98611e665dc0f4e825faa5f12f6c848ef)

s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup.

Somewhere along the line, a config line like "valid users = @foo"
broke when "foo" also exists as a user.

user_ok_token() already does the right thing by adding the LOOKUP_NAME_GROUP
flag; but lookup_name() was not respecting that flag, and went ahead and looked
for users anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11320

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 28 21:35:58 CEST 2015 on sn-devel-104

(cherry picked from commit dc99d451bf23668d73878847219682fced547622)

Autobuild-User(v4-2-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-2-test): Tue Aug  4 16:07:21 CEST 2015 on sn-devel-104

lib: replace: Add strsep function (missing on Solaris).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11359

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@wakeful.net>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 29 02:24:55 CEST 2015 on sn-devel-104

(cherry picked from commit f07b746ad3f3ee2fcbb65a0d452ed80f07c9e8f9)

s3-auth: Fix a possible null pointer dereference

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11404

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 109ff388fd5e1306189d680a8f964a69374f1b01)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Wed Jul 22 02:30:04 CEST 2015 on sn-devel-104

s3-smbd: Leave sys_disk_free() if dfree command is used

If we have a broken system which reports incorrect sizes we provide the
'dfree command'. This command makes sure Samba gets the correct values.
However after that we call the quota command which then reports the
broken values. The dfree command should take care to provide the correct
values and in case of quota's it should also calculate the quote
correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11403

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 48a4d5a4078ff2a66dd753323d6e5d76d34b9828)

ctdb-tests: Add some 10.interfaces VLAN tests

One without a bond, one with a bond.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11399

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 8ed0cacaf4aa9fc63b8c8d610a6164c5d01e473a)

ctdb-tests: Add VLAN support to the "ip link" stub

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11399

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 8e41cb1e4e7b4a7d92628771260649ded4432772)

ctdb-tests: Interface number in "ip link show" stub defaults to 42

It needs to have a default for the standalone case, when it is not run
in a loop inside "ip addr show".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11399

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 4f84d42b511a4c9a79bd835eeca0a80082e76227)

ctdb-scripts: Support monitoring of interestingly named VLANs on bonds

VLAN interfaces on bonds with a name other than <iface>.<id>@<iface>
are not currently supported.  That is, where the VLAN name isn't based
on the underlying bond name.  Such VLAN interfaces can be created with
the "ip link" command, as opposed to the "vconfig" command, or by
renaming a VLAN interface.

This is improved by determining the underlying interface name for a
VLAN from the output of "ip link".

No serious attempt is made to support VLANs with '@' in their name,
although this seems to be legal.  Why would you do that?

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11399

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit bc71251433ce618c95c674d7cbe75b01a94adad9)

ctdb-scripts: Fix regression in VLAN interface support

Commit 6471541d6d2bc9f2af0ff92b280abbd1d933cf88 broke support for VLAN
interfaces.  Releasing a public IP address depends on
ip_maskbits_iface() and for a VLAN interface this will return an
interface of the form <vlan>@<iface>, which can't be fed back into
"ip" commands.

Update ip_maskbits_iface() to drop the '@' and everything after it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11399

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Reported-by: Jan Schwaratzki <jschwaratzki@ddn.com>
(cherry picked from commit 87c5c96b767aa317dd620f89ac3e11bb40dae70f)

auth/credentials: if credentials have principal set, they are not anonymous anymore

When dealing with Kerberos, we cannot consider credentials anonymous
if credentials were obtained properly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11265

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan (metze) Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Jul 15 16:32:55 CEST 2015 on sn-devel-104

(cherry picked from commit a0d2dd0e01618346b4ad8ea9da3f7ce4eb0364b0)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Thu Jul 16 14:11:52 CEST 2015 on sn-devel-104

ctdb-daemon: Return correct sequence number for CONTROL_GET_DB_SEQNUM

Due to the missing cast of uint64_t, CONTROL_GET_DB_SEQNUM always returned
seqnum <= 256.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11398

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Tue Jul 14 13:03:25 CEST 2015 on sn-devel-104

(cherry picked from commit 1023db2543f7785e4527a4565db91edcde4ca7f1)

s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11373

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libsmb: Fix a bug in conversion of ea list to ea array.

Bug 11361 - Reading of EA's (Extended Attributes) fails using SMB2 and above
protocols

Tested against Win2k12r2 server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11361

Signed-off-by: Anubhav Rakshit <anubhav.rakshit@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 5af2e3eed2ac309e2491fc54e03e7b04c8b118fb)

smbd:trans2: treat new SMB_SIGNING_DESIRED in case

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 76f8d0fbada15c9466f66a2d9961bebd1425d141)

docs:smb.conf: explain effect of new setting 'desired' of smb encrypt

Thereby clarify some details.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 365d9d8bdfe9759ef9662d0080cf9c9a0767dbf2)

smbd:smb2: use encryption_desired in send_break

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 14357700fd69291995ce6adebb13e7340a63c209)

smbd:smb2: only enable encryption in tcon if desired

Don't enforce it but only announce DATA_ENCRYPT,
making use of encryption_desired in tcon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 41cb881e775ea7eb0c59d9e0cafb6ab5531918d9)

smbd:smb2: only enable encryption in session if desired

Don't enforce it but only announce ENCRYPT_DATA, using the
encryption_desired flag in session setup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fc228025d78f165815d3fa1670d51f0c27ed2091)

smbd:smb2: separate between encryption required and enc desired

this means we:
- accept unencrypted requests if encryption only desired
  and not required,
- but we always send encrypted responses in the desired
  case, not only when the request was encrypted.

For this purpose, the do_encryption in the request
structure is separated into was_encrypted and do_encryption.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 3bb299944391633c45d87d5e8ad48c2c14428592)

smbXsrv: add bools encryption_desired to session and tcon

This is to indicate that we should sen the ENCRYPT_DATA
flag on session or tcon replies.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit a3ea6dbef53e049701326497e684e1563344e6d8)

Introduce setting "desired" for 'smb encrypt' and 'client/server signing'

This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 204cbe3645c59b43175beeadad792b4a00e80da3)

smbd: Make SMB3 clients use encryption with "smb encrypt = auto"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar  3 10:40:42 CET 2015 on sn-devel-104

(cherry picked from commit b3385f74db54bd8a07a0be5515151b633c067da4)

VERSION: Bump version up to 4.2.4...

and re-enable git snapshots.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

VERSION: Disable git snapshots for the 4.2.3 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

WHATSNEW: Add release notes for Samba 4.2.3.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

ncacn_http: fix GNUism

%a format conversion is a GNU extension, use the more portable %m.
It's at least in SUSv4, supported by glibc since 2.7 and FreeBSD 10.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11371

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct  9 22:05:26 CEST 2014 on sn-devel-104

(cherry picked from commit 9ae65baf3cd6382678624864f13fc053d942d013)

Autobuild-User(v4-2-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-2-test): Sun Jul  5 23:51:47 CEST 2015 on sn-devel-104

s4:torture:vfs_fruit: check offset and length when reading AFP_AfpInfo stream

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11363

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jul  3 01:47:29 CEST 2015 on sn-devel-104

(cherry picked from commit c6e044ea33d1f16809196833e9e96a10e65b092e)

vfs_fruit: check offset and length for AFP_AfpInfo read requests

fruit_pread doesn't check the offset and length parameters and instead
always writes 60 bytes, the size of the AFP_AfpInfo blob, to the the
passed buffer. If the passed in buffer is smaller, we overwrite
something somewhere.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11363

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 25f302a47c3119d454531dc992183552b9a42b13)

winbindd: disconnect child process if request is cancelled at main process

When cancelling a request at the main winbindd process, that is currently
being served by a child winbindd process, just freeing all objects related
to the request is not enough, as the next bytes to come through the pipe
from the child process are the response to the cancelled request, and the
object reading those bytes will be the next request. This breaks the protocol.

This change, upon canceling a request that is being served, closes the
connection to the child process, causing the next request to be served
by a new child process (and the detached child to die eventually).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11358

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jun 29 14:00:24 CEST 2015 on sn-devel-104

(cherry picked from commit eaf99203093cabc3069f1c69345d38d739b0663d)

s4:selftest: also run rpc.winreg with kerberos and all possible auth options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 23 17:31:08 CEST 2015 on sn-devel-104

(cherry picked from commit 6dd117b21ef06da68af67051f2822f71193d193a)

s4:selftest: run rpc.echo tests also with krb5 krb5,sign krb5,seal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5b917fd6226952a1f792d1ad921d2ae54ab6ab42)

s4:rpc_server: fix padding caclucation in dcesrv_auth_response()

This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
so that we will use no padding if the stub_length is already aligned
to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 69c1b4b7c10dd5fd9cacaa3a76c47bc854ee3fed)

s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with auth_info as error

Don't send plaintext on the wire because of an internal error...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1bf7ab49b4459e81ab2b82d9668b3d7cb76372f4)

s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload

The sig_size could differ depending on the aligment/padding.
So should use the same alignment as we use for the payload.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 16f3837e026e4cae135bbdddf09b44a02af25b05)

s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3fbdb255e3ac7ad5261c5fa3836e4a38a0d59221)

s4:librpc/rpc: fix padding caclucation in ncacn_push_request_sign()

This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
so that we will use no padding if the stub_length is already aligned
to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 114c52e73ed9e0adeac8ad1bc1dc014f3c10f4d6)

s4:librpc/rpc: let ncacn_push_request_sign() handle sig_size == 0 with auth_info as internal error

Don't send plaintext on the wire because of an internal error...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 48f2c383e1d7f52114223cd2a54857426bf64025)