samba.git
2 years ago VERSION: Disable GIT_SNAPSHOT for the 4.15.0 release. samba-4.15.0
Jule Anger [Mon, 20 Sep 2021 07:32:11 +0000 (09:32 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.0 release.

Signed-off-by: Jule Anger <janger@samba.org>
2 years ago WHATSNEW: Add release notes for Samba 4.15.0.
Jule Anger [Mon, 20 Sep 2021 07:31:42 +0000 (09:31 +0200)]
WHATSNEW: Add release notes for Samba 4.15.0.

Signed-off-by: Jule Anger <janger@samba.org>
2 years ago VERSION: Bump version up to Samba 4.15.0rc8...
Jule Anger [Mon, 13 Sep 2021 13:37:43 +0000 (15:37 +0200)]
VERSION: Bump version up to Samba 4.15.0rc8...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
2 years ago VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc7 release. samba-4.15.0rc7
Jule Anger [Mon, 13 Sep 2021 13:36:56 +0000 (15:36 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc7 release.

Signed-off-by: Jule Anger <janger@samba.org>
2 years ago WHATSNEW: Add release notes for Samba 4.15.0rc7.
Jule Anger [Mon, 13 Sep 2021 13:35:52 +0000 (15:35 +0200)]
WHATSNEW: Add release notes for Samba 4.15.0rc7.

Signed-off-by: Jule Anger <janger@samba.org>
2 years ago ctdb-daemon: Don't mark a node as unhealthy when connecting to it
Martin Schwenke [Fri, 9 Jul 2021 07:25:32 +0000 (17:25 +1000)]
ctdb-daemon: Don't mark a node as unhealthy when connecting to it

Remote nodes are already initialised as UNHEALTHY when the node list
is initialised at startup (ctdb_load_nodes_file() calls
convert_node_map_to_list()) and when disconnected (ctdb_node_dead()).
So, drop this code.

RN: Fix CTDB flag/status update race conditions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu Sep  9 02:38:34 UTC 2021 on sn-devel-184

(cherry picked from commit 9e7d2d9794af7251c42cb22f23ee9f86c6ea05c1)

Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Mon Sep 13 12:33:53 UTC 2021 on sn-devel-184

2 years ago ctdb-daemon: Ignore flag changes for disconnected nodes
Martin Schwenke [Tue, 27 Jul 2021 05:50:54 +0000 (15:50 +1000)]
ctdb-daemon: Ignore flag changes for disconnected nodes

If this node is not connected to a node then we shouldn't know
anything about it.  The state will be pushed later by the recovery
master.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 7f697b1938efb3972f03f25546bf807d5af9a26c)

2 years ago ctdb-daemon: Simplify ctdb_control_modflags()
Martin Schwenke [Thu, 8 Jul 2021 01:11:11 +0000 (11:11 +1000)]
ctdb-daemon: Simplify ctdb_control_modflags()

Now that there are separate disable/enable controls used by the ctdb
tool this control can ignore any flag updates for the current nodes.
These only come from the recovery master, which depends on being able
to fetch flags for all nodes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit ae10a8a4b70e53ea3be6257d1f86f2d9a56aa62a)

2 years ago ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
Martin Schwenke [Wed, 17 Jan 2018 08:04:34 +0000 (19:04 +1100)]
ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete

CTDB_SRVID_SET_NODE_FLAGS is no longer sent so drop monitor_handler()
and replace with srvid_not_implemented().  Mark the SRVID obsolete in
its comment.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 916c5ee131dc5c7f1d9c3540147d1f915c8302ad)

2 years ago ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
Martin Schwenke [Thu, 8 Jul 2021 01:32:20 +0000 (11:32 +1000)]
ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS

The code that handles this message is
ctdb_recoverd.c:monitor_handler().  Although it appears to do
something potentially useful, it only logs the flags changes.  All
changes made are to local structures - there are no actual
side-effects.

It used to trigger a takeover run when the DISABLED flag changed.
This was dropped back in commit
662f06de9fdce7b1bc1772a4fbe43de271564917.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit e75256767fffc6a7ac0b97e58737a39c63c8b187)

2 years ago ctdb-daemon: Modernise remaining debug macro in this function
Martin Schwenke [Thu, 8 Jul 2021 01:34:49 +0000 (11:34 +1000)]
ctdb-daemon: Modernise remaining debug macro in this function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 0132bd5a2233193256af434a37506f86ed62c075)

2 years ago ctdb-daemon: Update logging for flag changes
Martin Schwenke [Thu, 8 Jul 2021 01:29:38 +0000 (11:29 +1000)]
ctdb-daemon: Update logging for flag changes

When flags change, promote the message to NOTICE level and switch the
message to the style that is currently generated by
ctdb-recoverd.c:monitor_handler().  This will allow monitor_handler()
to go away in future.

Drop logging when flags do not change.  The recovery master now logs
when it pushes flags for a node, so the lack of a corresponding
"changed flags" message here indicates that no update was required.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit b6d25d079e30919457cacbfbbfd670bf88295a9c)

2 years ago ctdb-daemon: Correct the condition for logging unchanged flags
Martin Schwenke [Fri, 9 Jul 2021 05:13:49 +0000 (15:13 +1000)]
ctdb-daemon: Correct the condition for logging unchanged flags

Don't trust the old flags from the recovery master.

Surrounding code will change in future comments, including the use of
old-style debug macros, so just make this change clear.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit eec44e286250a6ee7b5c42d85d632bdc300a409f)

2 years ago ctdb-tools: Use disable and enable controls in tool
Martin Schwenke [Fri, 9 Jul 2021 04:37:19 +0000 (14:37 +1000)]
ctdb-tools: Use disable and enable controls in tool

Note that there is a change from broadcast to a directed control here.
This is OK because the recovery master will push flags if any nodes
disagree with the canonical flags fetched from a node.

Static function ctdb_ctrl_modflags() is no longer used so drop it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 5914054698dab934fd4db5efb9d211b2fdc40bb9)

2 years ago ctdb-client: Add client code for disable/enable controls
Martin Schwenke [Fri, 9 Jul 2021 04:32:12 +0000 (14:32 +1000)]
ctdb-client: Add client code for disable/enable controls

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 6fe6a54e7f32e650be6ab36041159081dbde5165)

2 years ago ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
Martin Schwenke [Fri, 9 Jul 2021 04:12:59 +0000 (14:12 +1000)]
ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 15a6489c288b3adb635a728cb2049621ab1a07f7)

2 years ago ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
Martin Schwenke [Fri, 9 Jul 2021 04:02:28 +0000 (14:02 +1000)]
ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED

DISABLED is UNHEALTHY | PERMANENTLY_DISABLED, which is not what is
intended here.  Luckily, it doesn't do any harm because nodes are
marked unhealthy at startup anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 60c1ef146538d90f97b7823459f7548ca5fa6dd3)

2 years ago ctdb-daemon: Factor out a function to get node structure from PNN
Martin Schwenke [Fri, 9 Jul 2021 04:01:33 +0000 (14:01 +1000)]
ctdb-daemon: Factor out a function to get node structure from PNN

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 1ac7bc7532b2fad791d0e53effa7c64cdc73c4eb)

2 years ago ctdb-daemon: Add a helper variable
Martin Schwenke [Wed, 28 Jul 2021 00:27:42 +0000 (10:27 +1000)]
ctdb-daemon: Add a helper variable

Simplifies a subsequent change.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit e0a7b5a9e866452b1faaed86a105492fe7b237e2)

2 years ago ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
Martin Schwenke [Fri, 9 Jul 2021 02:10:12 +0000 (12:10 +1000)]
ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 6845dca87e6ffc5e449fb78d23eb9c7a22698b80)

2 years ago ctdb-protocol: Add new controls to disable and enable nodes
Martin Schwenke [Thu, 8 Jul 2021 07:28:20 +0000 (17:28 +1000)]
ctdb-protocol: Add new controls to disable and enable nodes

These are CTDB_CONTROL_DISABLE_NODE and CTDB_CONTROL_ENABLE_NODE.

For consistency these match CTDB_CONTROL_STOP_NODE and
CTDB_CONTROL_CONTINUE_NODE.  It would be possible to add a single
control but it would need to take data.

The aim is to finally fix races in flag handling.  Previous fixes have
improved the situation but they have only narrowed the race window.
The problem is that the recovery daemon on the master node pushes
flags to nodes the same way that disable and enable are implemented.
So the following sequence is still racy:

1. Node A is disabled
2. Recovery master pulls flags from all nodes including A
3. Node A is enabled
4. Recovery master notices A is disabled and pushes a flag update to
   all nodes including node A
5. Node A is erroneously marked disabled

Node A can not tell if the MODIFY_FLAGS control is from a "ctdb
disable" command or a flag update from the recovery master.

The solution is to use a different mechanism for disable/enable and
for a node to ignore MODIFY_FLAGS controls for their own flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 49dc5d8cd2d3767044ac69cbd25c8210d11cadf7)
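
The five-step race above and the fix, modelled as an added simulation that is not CTDB source code. Only the control names MODIFY_FLAGS, DISABLE_NODE and ENABLE_NODE and the flag name PERMANENTLY_DISABLED come from the commit messages; every struct, function and constant value is a hypothetical stand-in.

```c
/* Added illustration, not CTDB source. Identifiers and the flag's bit value
 * are hypothetical; only control and flag names come from the commit log. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_NODES 3
#define NODE_A 1u                       /* the node being disabled/enabled */
#define FLAG_PERMANENTLY_DISABLED 0x1u  /* constructed bit value */

enum control { MODIFY_FLAGS, DISABLE_NODE, ENABLE_NODE };

struct node {
    uint32_t pnn;
    uint32_t view[NUM_NODES];  /* this node's idea of every node's flags */
    bool fixed;                /* true: ignore MODIFY_FLAGS for own flags */
};

struct outcome {
    bool a_disabled_after_race;  /* step 5: does A believe it is disabled? */
    bool converged_enabled;      /* state after one more recovery-master round */
};

/* Deliver one control to one node; returns true if the node's view changed. */
static bool deliver(struct node *n, enum control c, uint32_t target, uint32_t flags)
{
    uint32_t old;

    switch (c) {
    case DISABLE_NODE:  /* dedicated controls only ever touch the receiver */
        target = n->pnn;
        flags = n->view[target] | FLAG_PERMANENTLY_DISABLED;
        break;
    case ENABLE_NODE:
        target = n->pnn;
        flags = n->view[target] & ~FLAG_PERMANENTLY_DISABLED;
        break;
    case MODIFY_FLAGS:
        if (n->fixed && target == n->pnn)
            return false;  /* the fix: a pushed update never overrides own flags */
        break;
    }
    old = n->view[target];
    n->view[target] = flags;
    return old != flags;
}

/* "ctdb disable"/"ctdb enable": a broadcast MODIFY_FLAGS before the change,
 * one directed DISABLE_NODE/ENABLE_NODE control after it. */
static void tool_set_disabled(struct node *nodes, bool fixed, bool disable)
{
    if (fixed) {
        deliver(&nodes[NODE_A], disable ? DISABLE_NODE : ENABLE_NODE, NODE_A, 0);
        return;
    }
    for (uint32_t i = 0; i < NUM_NODES; i++)
        deliver(&nodes[i], MODIFY_FLAGS, NODE_A,
                disable ? FLAG_PERMANENTLY_DISABLED : 0);
}

/* Recovery master, phase 1: fetch each node's own (canonical) flags. */
static void recmaster_pull(const struct node *nodes, uint32_t *snap)
{
    for (uint32_t i = 0; i < NUM_NODES; i++)
        snap[i] = nodes[i].view[i];
}

/* Phase 2: push a node's flags to all nodes if any node disagrees. */
static void recmaster_push(struct node *nodes, const uint32_t *snap)
{
    for (uint32_t t = 0; t < NUM_NODES; t++) {
        bool disagree = false;
        for (uint32_t i = 0; i < NUM_NODES; i++)
            if (nodes[i].view[t] != snap[t])
                disagree = true;
        for (uint32_t i = 0; disagree && i < NUM_NODES; i++)
            deliver(&nodes[i], MODIFY_FLAGS, t, snap[t]);
    }
}

static struct outcome run_race(bool fixed)
{
    struct node nodes[NUM_NODES];
    uint32_t snap[NUM_NODES];
    struct outcome r;

    memset(nodes, 0, sizeof(nodes));
    for (uint32_t i = 0; i < NUM_NODES; i++) {
        nodes[i].pnn = i;
        nodes[i].fixed = fixed;
    }
    tool_set_disabled(nodes, fixed, true);   /* 1. node A is disabled */
    recmaster_pull(nodes, snap);             /*    (one quiet round settles views) */
    recmaster_push(nodes, snap);
    recmaster_pull(nodes, snap);             /* 2. master pulls flags, A disabled */
    tool_set_disabled(nodes, fixed, false);  /* 3. node A is enabled */
    recmaster_push(nodes, snap);             /* 4. master pushes its stale snapshot */
    r.a_disabled_after_race =                /* 5. what A now believes about itself */
        (nodes[NODE_A].view[NODE_A] & FLAG_PERMANENTLY_DISABLED) != 0;

    recmaster_pull(nodes, snap);             /* next monitoring round */
    recmaster_push(nodes, snap);
    r.converged_enabled = true;
    for (uint32_t i = 0; i < NUM_NODES; i++)
        if (nodes[i].view[NODE_A] != 0)
            r.converged_enabled = false;
    return r;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct outcome r = run_race(fixed != 0);
        printf("%s: A disabled after race=%d, cluster converged to enabled=%d\n",
               fixed ? "DISABLE_NODE/ENABLE_NODE" : "broadcast MODIFY_FLAGS",
               r.a_disabled_after_race, r.converged_enabled);
    }
    return 0;
}
```

In the pre-fix model the stale push sticks on node A and the next round sees nothing to repair; in the post-fix model A keeps its own flags and the next round corrects the other nodes.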

2 years ago ctdb-recoverd: Push flags for a node if any remote node disagrees
Martin Schwenke [Sun, 11 Jul 2021 12:17:08 +0000 (22:17 +1000)]
ctdb-recoverd: Push flags for a node if any remote node disagrees

This will usually happen if flags on the node in question change, so
keeping the code simple and pushing to all nodes won't hurt.  When all
nodes come up there might be differences in connected nodes, causing
such "fix ups".  Receiving nodes will ignore no-op pushes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 8305f6a7f132f03b0bbdb26692b7491fd3f6c24f)

2 years ago ctdb-recoverd: Update the local node map before pushing out flags
Martin Schwenke [Sun, 11 Jul 2021 11:28:43 +0000 (21:28 +1000)]
ctdb-recoverd: Update the local node map before pushing out flags

The resulting code structure looks a little weird.  However, there is
another condition that requires the flags to be pushed that will be
inserted before the continue statement in a subsequent commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 620d07871420cdbfa055c1ace75ec1ac4c32721d)

2 years ago ctdb-recoverd: Add a helper variable
Martin Schwenke [Sun, 11 Jul 2021 10:40:10 +0000 (20:40 +1000)]
ctdb-recoverd: Add a helper variable

Improves readability and simplifies subsequent changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 82a075d4d734588a42fca7ebaf529892d1eba853)

2 years ago WHATSNEW: The New VFS
Ralph Boehme [Mon, 13 Sep 2021 05:51:41 +0000 (07:51 +0200)]
WHATSNEW: The New VFS

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Mon Sep 13 08:51:05 UTC 2021 on sn-devel-184

2 years ago Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups()
Alex Richardson [Fri, 5 Oct 2018 08:35:40 +0000 (09:35 +0100)]
Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups()

On MacOS sysconf(_SC_NGROUPS_MAX) always returns 16. However, this is not
the value used by getgroups(2). MacOS uses nested groups but getgroups(2)
will return the flattened list which can easily exceed 16 groups. In my
testing getgroups() already returns 16 groups on a freshly installed
system. And on a 10.14 system the root user is in more than 16 groups by
default which makes it impossible to run smbd without this change.
Setting _DARWIN_UNLIMITED_GETGROUPS allows getgroups() to return more than
16 groups. This also changes set_unix_security_ctx() to only set up to
16 groups since that is the limit for initgroups() according to the manpage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8773

Signed-off-by: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep  9 17:43:19 UTC 2021 on sn-devel-184

(cherry picked from commit 2c18a982537ea1a62e4d802c9ae0ef06b36158dc)

2 years ago smbd: fix "ea support = no"
Ralph Boehme [Sat, 11 Sep 2021 10:33:37 +0000 (12:33 +0200)]
smbd: fix "ea support = no"

Introduced by de83946311d8c1f007c236751280e9f101cc3a29.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14829

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep 11 21:48:01 UTC 2021 on sn-devel-184

(cherry picked from commit 926db374a615e88003c99a476f45981beb30f8cf)

2 years ago WHATSNEW: unknown options now trigger an error in all tools
Ralph Boehme [Fri, 10 Sep 2021 16:15:25 +0000 (18:15 +0200)]
WHATSNEW: unknown options now trigger an error in all tools

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
2 years ago WHATSNEW: clarify the -e and -s handling for ldb tools
Stefan Metzmacher [Thu, 9 Sep 2021 09:13:21 +0000 (11:13 +0200)]
WHATSNEW: clarify the -e and -s handling for ldb tools

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4/torture/masktest: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:27:51 +0000 (07:27 +0200)]
s4/torture/masktest: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Sep 10 16:02:10 UTC 2021 on sn-devel-184

(cherry picked from commit b053bea0af2b2f059d7ed2c920f283d82339022f)

2 years ago s4/torture/locktest: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:27:13 +0000 (07:27 +0200)]
s4/torture/locktest: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0c47f244312f193c299d5b5b7b00db90364f8c8e)

2 years ago s4/torture/gentest: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:26:01 +0000 (07:26 +0200)]
s4/torture/gentest: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f6be1c18bf78db9e45be953d95ef8581daed5b4b)

2 years ago s4/regtree: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:25:30 +0000 (07:25 +0200)]
s4/regtree: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ecb27e02e113c597f952457e8a7803325c4c620e)

2 years ago s4/regshell: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:23:59 +0000 (07:23 +0200)]
s4/regshell: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ac86779fe490318a943ab90e5d117537e839b55f)

2 years ago s4/regpatch: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:22:12 +0000 (07:22 +0200)]
s4/regpatch: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 604ce3d85a879aa50c045b1f36c0580748b72eb7)

2 years ago s4/regdiff: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:21:31 +0000 (07:21 +0200)]
s4/regdiff: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5c75b5bdeb9b39843f115fe07f1a44689af3fcc5)

2 years ago s4/cifsdd: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:16:30 +0000 (07:16 +0200)]
s4/cifsdd: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 08532b3d2e0f66ee524401b8b939b3af31b6b7cd)

2 years ago testparm: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:15:49 +0000 (07:15 +0200)]
testparm: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ac292ec428ea8ef6702e028c15077818000dfa87)

2 years ago split_tokens: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:14:40 +0000 (07:14 +0200)]
split_tokens: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b851d48277f226ff825b4aaf17483e2d91c54451)

2 years ago smbtree: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:13:48 +0000 (07:13 +0200)]
smbtree: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5562674a2188d4e11fbdfcbed7bf1fba02af9e90)

2 years ago smbget: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:12:57 +0000 (07:12 +0200)]
smbget: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d841457aedd8715ceacb20af8f1ae42cbf8ebf49)

2 years ago smbcquotas: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:12:21 +0000 (07:12 +0200)]
smbcquotas: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 46a0da16710f99f33780d030557562e1a52a8cba)

2 years ago smbcacls: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:11:43 +0000 (07:11 +0200)]
smbcacls: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3755304b6efb98739aca3aa121c095302b09e631)

2 years ago sharesec: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:11:07 +0000 (07:11 +0200)]
sharesec: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5a2b4ba059809a1e16124bf448a9398822fe5c80)

2 years ago regedit: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:10:39 +0000 (07:10 +0200)]
regedit: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 246d4f7b934fbfa75d967aee1ff6bd64866995d1)

2 years ago profiles: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:09:34 +0000 (07:09 +0200)]
profiles: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 372adfda9f0aa8f91db6b5dc4357d848baa9fab3)

2 years ago pdbedit: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:08:59 +0000 (07:08 +0200)]
pdbedit: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit bcc4756d8293e452d09a6a73005302eddb6c1f28)

2 years ago ntlm_auth: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:08:37 +0000 (07:08 +0200)]
ntlm_auth: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5536e7981c3902014e91cdfa5bd9a17276e41be7)

2 years ago nmblookup: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:07:48 +0000 (07:07 +0200)]
nmblookup: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ff6a16806f6a030a36179b1e9db699ae72670db4)

2 years ago mvxattr: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:06:54 +0000 (07:06 +0200)]
mvxattr: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c84916fef5520795d54a29e8e8e2817dd8322f30)

2 years ago log2pcaphex: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:05:58 +0000 (07:05 +0200)]
log2pcaphex: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 72a6cf1a8a2903518488cff1bdadd001c5b0b281)

2 years ago s3/async-tracker: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:05:02 +0000 (07:05 +0200)]
s3/async-tracker: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4056bebf05f4d1e0bfcbc5fe53d63b3bab9e031f)

2 years ago vfstest: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:04:21 +0000 (07:04 +0200)]
vfstest: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 96ab7909bd9eea14ba3aad535c28d53c184341a2)

2 years ago pdbtest: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:03:21 +0000 (07:03 +0200)]
pdbtest: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e3c5516dc578aee25aaaac1ab7a66ede9d313be0)

2 years ago rpcclient: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 05:01:56 +0000 (07:01 +0200)]
rpcclient: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6afa1b3485cef59676dbccf0276bdfa289e009b4)

2 years ago s3/param: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 04:56:36 +0000 (06:56 +0200)]
s3/param: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d5f360723349c26a50472188e4f299def5b82742)

2 years ago source3/lib/smbconf: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 04:30:45 +0000 (06:30 +0200)]
source3/lib/smbconf: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 08512e3a54180253445a16e976dd4f6ef4f2a799)

2 years ago nmblookup: don't ignore unknown options
Ralph Boehme [Thu, 9 Sep 2021 16:15:51 +0000 (18:15 +0200)]
nmblookup: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 98c977f44b6086e2c5cec52451078a6ade81d4a8)

2 years ago s4/smbclient: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 03:50:07 +0000 (05:50 +0200)]
s4/smbclient: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6845051266a785bc26356e296bd716162e8a133e)

2 years ago smbstatus: don't ignore unknown options
Ralph Boehme [Fri, 10 Sep 2021 03:46:27 +0000 (05:46 +0200)]
smbstatus: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4053a59d8dc95ff4de2f6f5c50f7007b6456141f)

2 years ago texpect: don't ignore unknown options
Ralph Boehme [Thu, 9 Sep 2021 16:14:36 +0000 (18:14 +0200)]
texpect: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c87cc09315a169300e57a58b88587e54fcf29d8f)

2 years ago smbclient: don't ignore unknown options
Stefan Metzmacher [Thu, 9 Sep 2021 14:45:37 +0000 (16:45 +0200)]
smbclient: don't ignore unknown options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d179c4f49b37dbcd04197b8cc31933e19dd8ac9a)

2 years ago selftest: remove unsupported smbcacls option --get
Ralph Boehme [Fri, 10 Sep 2021 09:29:35 +0000 (11:29 +0200)]
selftest: remove unsupported smbcacls option --get

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 09fd46aa1cb6c1e24948b7d370a4851191b205b2)

2 years ago lib/cmdline: restore s3 option name --max-protocol for MAXPROTOCOL from 4.14
Ralph Boehme [Fri, 10 Sep 2021 09:22:07 +0000 (11:22 +0200)]
lib/cmdline: restore s3 option name --max-protocol for MAXPROTOCOL from 4.14

s4 used --maxprotocol, s3 used --max-protocol. We should continue supporting
--max-protocol.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 29910da882d75b20d63714a1365a7b0dba6904a7)

2 years ago manpages: remove duplicate options from smbclient
Ralph Boehme [Fri, 10 Sep 2021 09:21:19 +0000 (11:21 +0200)]
manpages: remove duplicate options from smbclient

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9a3b7f1338e2947aa1cbf1ae34d0e1e7cb692ee9)

2 years ago selftest: fix ---configfile option
Ralph Boehme [Fri, 10 Sep 2021 09:09:25 +0000 (11:09 +0200)]
selftest: fix ---configfile option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fdfc475000f606cc9e4ac160350f7ced64749589)

2 years ago lib/cmdline: fix --configfile handling of POPT_COMMON_CONFIG_ONLY used by ntlm_auth
Stefan Metzmacher [Thu, 9 Sep 2021 09:11:03 +0000 (11:11 +0200)]
lib/cmdline: fix --configfile handling of POPT_COMMON_CONFIG_ONLY used by ntlm_auth

ntlm_auth only ever knew about '--configfile' without the '-s' alias,
keep it that way and make sure we actually process the argument via
the OPT_CONFIGFILE handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8f3ef4e6c5a440c6582f7af268c6c27c8a2273d4)

2 years ago vfs_btrfs: fix btrfs_fget_compression()
Ralph Boehme [Mon, 9 Aug 2021 17:30:21 +0000 (19:30 +0200)]
vfs_btrfs: fix btrfs_fget_compression()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14790
RB: vfs_btrfs compression support broken

Reported-by: noel.kuntze@thermi.consulting
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ed35fce4fe48b1fa26854a7b4bb151b5c5fb6fc6)

2 years ago docs: Avoid duplicate information on USER and PASSWD, reference the common section
Andrew Bartlett [Mon, 9 Aug 2021 21:20:45 +0000 (09:20 +1200)]
docs: Avoid duplicate information on USER and PASSWD, reference the common section

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep  9 00:52:09 UTC 2021 on sn-devel-184

(cherry picked from commit 18e08c709002506fe217ca6a7a098fcdc00f8c29)

Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Fri Sep 10 14:54:25 UTC 2021 on sn-devel-184

2 years ago docs: Document all the other ways to send a password to smbclient et al
Andrew Bartlett [Mon, 9 Aug 2021 21:14:08 +0000 (09:14 +1200)]
docs: Document all the other ways to send a password to smbclient et al

This was previously hidden knowledge not easily available to
administrators and end users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9b50d2e52e6c85bc3ab991cd8a4b870aff397bda)

2 years ago docs: Ensure to rebuild manpages if samba.entities or samba.version changes
Andrew Bartlett [Mon, 9 Aug 2021 21:13:15 +0000 (09:13 +1200)]
docs: Ensure to rebuild manpages if samba.entities or samba.version changes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit a363742635c54a6cb19363f4be9d2be2b731a5e6)

2 years ago docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms...
Stefan Metzmacher [Wed, 8 Sep 2021 13:10:14 +0000 (15:10 +0200)]
docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values

This matches what smbstatus prints out. Note there's also the removal of
an '-' in "hmac-sha-256" => "HMAC-SHA256".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14825
RN: "{client,server} smb3 {signing,encryption} algorithms" should use the same strings as smbstatus output

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Sep  8 16:37:07 UTC 2021 on sn-devel-184

(cherry picked from commit 867c6ff9f3f28ab4bfa0cb1660889f3f5be0d111)

2 years ago VERSION: Bump version up to Samba 4.15.0rc7...
Jule Anger [Thu, 9 Sep 2021 06:27:18 +0000 (08:27 +0200)]
VERSION: Bump version up to Samba 4.15.0rc7...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

2 years ago VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release. samba-4.15.0rc6
Jule Anger [Thu, 9 Sep 2021 06:25:57 +0000 (08:25 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release.

Signed-off-by: Jule Anger <janger@samba.org>

2 years ago WHATSNEW: Add release notes for Samba 4.15.0rc6.
Jule Anger [Thu, 9 Sep 2021 06:24:41 +0000 (08:24 +0200)]
WHATSNEW: Add release notes for Samba 4.15.0rc6.

Signed-off-by: Jule Anger <janger@samba.org>

2 years ago selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
Andrew Bartlett [Sun, 5 Sep 2021 20:52:21 +0000 (08:52 +1200)]
selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes

If two of these unit tests run in the same second they could
select the same name, as the name was only based on the time
and a common prefix.

As observed by Jeremy Allison.  Thanks for the report!

RN: Address flapping dsdb_schema_attributes test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14819

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Sep  6 02:32:51 UTC 2021 on sn-devel-184

(cherry picked from commit 6590bb0b77c641f0d4686b39c713c1405ffb64f5)

Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Wed Sep  8 13:31:05 UTC 2021 on sn-devel-184

2 years ago s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
Andrew Bartlett [Wed, 25 Aug 2021 00:03:08 +0000 (12:03 +1200)]
s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4

Since 5c0345ea9bb34695dcd7be6c913748323bebe937 this
would not have been implicitly cached via the ldb_wrap
cache, due to the recording of the remote IP address
(which is a good thing).

This creates a more explicit and direct correct
cache on the connection.

The common code, including the SCHANNEL check is
placed into a helper function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807

RN: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Sep  5 03:19:26 UTC 2021 on sn-devel-184

(cherry picked from commit ae57d22e45b33537e9fca5969e9b68abd1ad633f)

2 years ago selftest: Add a test for LookupSids3 and LookupNames4 in python
Andrew Bartlett [Wed, 25 Aug 2021 09:54:04 +0000 (09:54 +0000)]
selftest: Add a test for LookupSids3 and LookupNames4 in python

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b40761b42e889369599c5eb355028ba377c43b49)

2 years ago dsdb: Be careful to avoid use of the expensive talloc_is_parent()
Andrew Bartlett [Tue, 24 Aug 2021 21:41:11 +0000 (09:41 +1200)]
dsdb: Be careful to avoid use of the expensive talloc_is_parent()

The wrong talloc API was selected while addressing a memory leak.

commit ee2fe56ba0ef6626b634376e8dc2185aa89f8c99
Author: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Date:   Tue Nov 27 11:07:44 2018 +1300

    drepl: memory leak fix

    Fixes a memory leak where schema reference attached to ldb
    instance is lost before it can be freed.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14042

    Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Autobuild-User(master): Garming Sam <garming@samba.org>
    Autobuild-Date(master): Wed Jul 17 06:17:10 UTC 2019 on sn-devel-184

By using talloc_get_parent() walking the entire talloc tree is
avoided.

RN: Address a significant performance regression in database access in the AD DC since Samba 4.12

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14806

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 8affe4a1e625104de4ca024fdc3e9cd96498aff3)

2 years ago selftest: Only run samba_tool_drs_showrepl test once
Andrew Bartlett [Sat, 4 Sep 2021 01:11:08 +0000 (13:11 +1200)]
selftest: Only run samba_tool_drs_showrepl test once

This test is not slow, but there is no value running it twice.

Running this test twice just increases the chances we might
lose a race as it shows and validates live replication data.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 75a5ed66731e947fa16af81aab7649d1fddec45f)

2 years ago selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
Andrew Bartlett [Sat, 4 Sep 2021 00:28:20 +0000 (12:28 +1200)]
selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl

These now run in the disconnected sets schema_dc/schema_pair_dc and
ad_dc/vampire_dc/promoted_dc.  By aiming at different sets of servers
we can't cause cross-contamination in terms of which servers are
listed as outbound connections.

Also, by running the tests only once we reduce the chances of trouble
by half.

RN: Address flapping samba_tool_drs_showrepl test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14818

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e8b4599e0935290c5e59df9fd4f695ad8d6f361c)

2 years ago WHATSNEW: Update with samba-tool domain backup offline fix
Andrew Bartlett [Wed, 8 Sep 2021 07:24:29 +0000 (19:24 +1200)]
WHATSNEW: Update with samba-tool domain backup offline fix

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

2 years ago WHATSNEW: Update for KDC crash fixes
Andrew Bartlett [Wed, 8 Sep 2021 07:20:55 +0000 (19:20 +1200)]
WHATSNEW: Update for KDC crash fixes

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

2 years ago tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
Andrew Bartlett [Tue, 31 Aug 2021 10:38:01 +0000 (22:38 +1200)]
tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname

This allows our code to still pass with the error code that
MIT and Heimdal have chosen

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Sep  2 14:28:31 UTC 2021 on sn-devel-184

(cherry picked from commit 10baaf08523200e47451aa1862430977b0365b59)

2 years ago kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
Luke Howard [Tue, 31 Aug 2021 05:38:16 +0000 (17:38 +1200)]
kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field

If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour.

[abartlet@samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd
and knownfail added]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b0f4455e524cbbfb13202220e7095f466b083a2f)

2 years ago tests/krb5: Allow expected_error_mode to be a container type
Joseph Sutton [Tue, 31 Aug 2021 07:42:33 +0000 (19:42 +1200)]
tests/krb5: Allow expected_error_mode to be a container type

This allows a range of possible error codes to be checked against, for
cases when the particular error code returned is not so important.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ebd673e976aea5dd481a75f180fd526995c4fda0)

2 years ago tests/krb5: Add tests for omitting sname in inner request
Joseph Sutton [Fri, 27 Aug 2021 01:37:16 +0000 (13:37 +1200)]
tests/krb5: Add tests for omitting sname in inner request

Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC.

This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49
and was given CVE-2021-37750

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 24914ae17d49f634fafc1bdeb88859293da05f79)

2 years ago tests/krb5: Allow specifying parameters specific to the inner FAST request body
Joseph Sutton [Fri, 27 Aug 2021 01:26:45 +0000 (13:26 +1200)]
tests/krb5: Allow specifying parameters specific to the inner FAST request body

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340)

2 years ago tests/krb5: Add tests for omitting sname in request
Joseph Sutton [Fri, 27 Aug 2021 01:02:04 +0000 (13:02 +1200)]
tests/krb5: Add tests for omitting sname in request

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b)

2 years ago tests/krb5: Check PADATA-PW-SALT element in e-data
Joseph Sutton [Fri, 27 Aug 2021 01:00:37 +0000 (13:00 +1200)]
tests/krb5: Check PADATA-PW-SALT element in e-data

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1e4d757394a0bbda587d5ff91801f88539b712b1)

2 years ago tests/krb5: Check e-data element for TGS-REP errors without FAST
Joseph Sutton [Fri, 27 Aug 2021 01:00:21 +0000 (13:00 +1200)]
tests/krb5: Check e-data element for TGS-REP errors without FAST

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a)

2 years ago tests/krb5: Remove harmful and a-typical return in as_req testcase
Andrew Bartlett [Tue, 31 Aug 2021 22:43:06 +0000 (10:43 +1200)]
tests/krb5: Remove harmful and a-typical return in as_req testcase

A test in a TestCase class should not return a value, the
test is determined by the assertions raised.

Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
to not always be filled, so we need to remove this
redundant code.

This also fixes a *lot* of tests against the MIT KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5)

2 years ago CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
Joseph Sutton [Thu, 29 Jul 2021 00:25:06 +0000 (12:25 +1200)]
CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request

Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
crash the Heimdal KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b8e2515552ffa158fab1e86a39004de4cc419da5)

2 years ago CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
Luke Howard [Fri, 27 Aug 2021 01:42:48 +0000 (11:42 +1000)]
CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ

In tgs_build_reply(), validate the server name in the TGS-REQ is present before
dereferencing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

[abartlet@samba.org backported from Heimdal
commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
to an earlier patch by Joseph Sutton]

RN: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ

Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0cb4b939f192376bf5e33637863a91a20f74c5a5)

2 years ago tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
Joseph Sutton [Thu, 29 Jul 2021 04:52:29 +0000 (16:52 +1200)]
tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST

Note: This test crashed the MIT KDC prior to MIT commit
fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given
CVE-2021-36222.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 15f9f040fe537ebd30419a4751aa0f13b20f242b)

2 years ago tests/krb5: Make cname checking less strict
Joseph Sutton [Wed, 1 Sep 2021 02:43:53 +0000 (14:43 +1200)]
tests/krb5: Make cname checking less strict

Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 36798f5b651a02b74b6844c024101f7a026f1f68)

2 years ago tests/krb5: Make e-data checking less strict
Joseph Sutton [Fri, 27 Aug 2021 01:35:59 +0000 (13:35 +1200)]
tests/krb5: Make e-data checking less strict

Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC, instead failing when obtaining a TGT for the user or machine.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 79dda329f2a8382f1e46b50f4b9692e78d687826)

2 years ago Update common on currently supported Fedora versions
Andrew Bartlett [Wed, 1 Sep 2021 08:53:45 +0000 (20:53 +1200)]
Update common on currently supported Fedora versions

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d9edad89f3b268c6da8f988a42f8cf2a3b697fe7)

2 years ago bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
Andrew Bartlett [Wed, 1 Sep 2021 08:55:40 +0000 (20:55 +1200)]
bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5805a7c49aa13b578a717cbbc46460741d325c65)

2 years ago bootstrap: Update to get newer krb5 on Fedora 34
Andrew Bartlett [Wed, 1 Sep 2021 08:45:03 +0000 (20:45 +1200)]
bootstrap: Update to get newer krb5 on Fedora 34

We need the update FEDORA-2021-20b495cb94 (krb5) to
get a fix for CVE-2021-37750 (explicit NULL deref on KDC)
so our CI will pass as we have a test for this.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit e9c8ac4adbca2f8cb45470ccb45a45039188a285)