2025-03-11 16:58:40 +03:00 · 2024-11-25 16:01:52 +01:00 · 2024-11-25 16:01:38 +01:00 · 2024-11-25 16:01:01 +01:00 · 2024-11-25 14:09:18 +00:00 · 2024-11-25 12:38:16 +00:00
6 changed files with 145 additions and 78 deletions
--- a/2
+++ b/2
@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024"
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=21
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3

 ########################################################
 # If a official release has a serious bug              #
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@ -1,3 +1,58 @@
+                   ==============================
+                   Release Notes for Samba 4.21.2
+                         November 25, 2024
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.21 release series.
+
+
+Changes since 4.21.1
+--------------------
+
+o  Ralph Boehme <slow@samba.org>
+   * BUG 15732: smbd fails to correctly check sharemode against OVERWRITE
+     dispositions.
+   * BUG 15754: Panic in close_directory.
+
+o  Pavel Filipenský <pfilipensky@samba.org>
+   * BUG 15752: winexe no longer works with samba 4.21.
+
+o  Stefan Metzmacher <metze@samba.org>
+   * BUG 14356: protocol error - Unclear debug message "pad length mismatch" for
+     invalid bind packet.
+   * BUG 15425: NetrGetLogonCapabilities QueryLevel 2 needs to be implemented.
+   * BUG 15740: gss_accept_sec_context() from Heimdal does not imply
+     GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE.
+   * BUG 15749: winbindd should call process_set_title() for locator child.
+
+o  Martin Schwenke <mschwenke@ddn.com>
+   * BUG 15320: Update CTDB to track all TCP connections to public IP addresses.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                   ==============================
                   Release Notes for Samba 4.21.1
                          October 14, 2024
@ -68,8 +123,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================


-Release notes for older releases follow:
----------------------------------------
+----------------------------------------------------------------------
                   ==============================
                   Release Notes for Samba 4.21.0
                         September 02, 2024
--- a/ctdb/config/events/legacy/10.interface.script
+++ b/ctdb/config/events/legacy/10.interface.script
@ -247,6 +247,8 @@ ipreallocated)

 monitor)
 	monitor_interfaces || exit 1
+
+	update_tickles
 	;;
 esac

--- a/ctdb/config/events/legacy/60.nfs.script
+++ b/ctdb/config/events/legacy/60.nfs.script
@ -338,7 +338,6 @@ monitor)
 			exit $?
 	fi

-	update_tickles 2049
 	nfs_update_lock_info

 	nfs_check_services
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@ -499,7 +499,7 @@ ctdb_check_unix_socket()
 		return 1
 	fi

-	_out=$(ss -l -x "src ${_sockpath}" | tail -n +2)
+	_out=$(ss -l -xH "src ${_sockpath}")
 	if [ -z "$_out" ]; then
 		echo "ERROR: ${service_name} not listening on ${_sockpath}"
 		return 1
@ -602,7 +602,7 @@ get_tcp_connections_for_ip()
 {
 	_ip="$1"

-	ss -tn state established "src [$_ip]" | awk 'NR > 1 {print $3, $4}'
+	ss -tnH state established "src [$_ip]" | awk '{print $3, $4}'
 }

 ########################################################
@ -1176,49 +1176,39 @@ nfs_callout()

 update_tickles()
 {
-	_port="$1"
-
 	tickledir="${CTDB_SCRIPT_VARDIR}/tickles"
 	mkdir -p "$tickledir"

-	# What public IPs do I hold?
-	_pnn=$(ctdb_get_pnn)
-	_ips=$($CTDB -X ip | awk -F'|' -v pnn="$_pnn" '$3 == pnn {print $2}')
+	# If not hosting any public IPs then can't have any connections...
+	if [ ! -s "$CTDB_MY_PUBLIC_IPS_CACHE" ]; then
+		return
+	fi

-	# IPs and port as ss filters
+	# IPs ss filter
 	_ip_filter=""
-	for _ip in $_ips; do
+	while read -r _ip; do
 		_ip_filter="${_ip_filter}${_ip_filter:+ || }src [${_ip}]"
-	done
-	_port_filter="sport == :${_port}"
+	done <"$CTDB_MY_PUBLIC_IPS_CACHE"
+
+	# Record our current tickles in a temporary file
+	_my_tickles="${tickledir}/all.tickles.$$"
+	while read -r _i; do
+		$CTDB -X gettickles "$_i" |
+			awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4, $5 }'
+	done <"$CTDB_MY_PUBLIC_IPS_CACHE" |
+		sort >"$_my_tickles"

 	# Record connections to our public IPs in a temporary file.
 	# This temporary file is in CTDB's private state directory and
 	# $$ is used to avoid a very rare race involving CTDB's script
 	# debugging.  No security issue, nothing to see here...
-	_my_connections="${tickledir}/${_port}.connections.$$"
-	# Parentheses are needed around the filters for precedence but
+	_my_connections="${tickledir}/all.connections.$$"
+	# Parentheses are needed around the IP filter for precedence but
 	# the parentheses can't be empty!
-	#
-	# Recent versions of ss print square brackets around IPv6
-	# addresses.  While it is desirable to update CTDB's address
-	# parsing and printing code, something needs to be done here
-	# for backward compatibility, so just delete the brackets.
-	ss -tn state established \
-		"${_ip_filter:+( ${_ip_filter} )}" \
-		"${_port_filter:+( ${_port_filter} )}" |
-		awk 'NR > 1 {print $4, $3}' |
-		tr -d '][' |
+	ss -tnH state established "${_ip_filter:+( ${_ip_filter} )}" |
+		awk '{print $4, $3}' |
 		sort >"$_my_connections"

-	# Record our current tickles in a temporary file
-	_my_tickles="${tickledir}/${_port}.tickles.$$"
-	for _i in $_ips; do
-		$CTDB -X gettickles "$_i" "$_port" |
-			awk -F'|' 'NR > 1 { printf "%s:%s %s:%s\n", $2, $3, $4, $5 }'
-	done |
-		sort >"$_my_tickles"
-
 	# Add tickles for connections that we haven't already got tickles for
 	comm -23 "$_my_connections" "$_my_tickles" |
 		$CTDB addtickle
--- a/ctdb/server/ctdb_takeover.c
+++ b/ctdb/server/ctdb_takeover.c
@ -1504,27 +1504,40 @@ static struct ctdb_connection *ctdb_tcp_find(struct ctdb_tcp_array *array,
  clients managing that should tickled with an ACK when IP takeover is
  done
 */
-int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool tcp_update_needed)
+int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb,
+			     TDB_DATA indata,
+			     bool tcp_update_needed)
 {
 	struct ctdb_connection *p = (struct ctdb_connection *)indata.dptr;
 	struct ctdb_tcp_array *tcparray;
 	struct ctdb_connection tcp;
 	struct ctdb_vnn *vnn;
+	char conn_str[132] = { 0, };
+	int ret;

 	/* If we don't have public IPs, tickles are useless */
 	if (ctdb->vnn == NULL) {
 		return 0;
 	}

+	ret = ctdb_connection_to_buf(conn_str,
+				     sizeof(conn_str),
+				     p,
+				     false,
+				     " -> ");
+	if (ret != 0) {
+		strlcpy(conn_str, "UNKNOWN", sizeof(conn_str));
+	}
+
 	vnn = find_public_ip_vnn(ctdb, &p->dst);
 	if (vnn == NULL) {
-		DEBUG(DEBUG_INFO,(__location__ " got TCP_ADD control for an address which is not a public address '%s'\n",
-			ctdb_addr_to_str(&p->dst)));
+		DBG_INFO("Attempt to add connection %s "
+			 "but destination is not a public address\n",
+			 conn_str);

 		return -1;
 	}

-
 	tcparray = vnn->tcp_array;

 	/* If this is the first tickle */
@ -1534,7 +1547,8 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool tc
 		vnn->tcp_array = tcparray;

 		tcparray->num = 0;
-		tcparray->connections = talloc_size(tcparray, sizeof(struct ctdb_connection));
+		tcparray->connections = talloc_size(tcparray,
+						    sizeof(struct ctdb_connection));
 		CTDB_NO_MEMORY(ctdb, tcparray->connections);

 		tcparray->connections[tcparray->num].src = p->src;
@ -1552,27 +1566,22 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool tc
 	tcp.src = p->src;
 	tcp.dst = p->dst;
 	if (ctdb_tcp_find(tcparray, &tcp) != NULL) {
-		DEBUG(DEBUG_DEBUG,("Already had tickle info for %s:%u for vnn:%u\n",
-			ctdb_addr_to_str(&tcp.dst),
-			ntohs(tcp.dst.ip.sin_port),
-			vnn->pnn));
+		DBG_DEBUG("Already had connection %s\n", conn_str);
 		return 0;
 	}

 	/* A new tickle, we must add it to the array */
-	tcparray->connections = talloc_realloc(tcparray, tcparray->connections,
-					struct ctdb_connection,
-					tcparray->num+1);
+	tcparray->connections = talloc_realloc(tcparray,
+					       tcparray->connections,
+					       struct ctdb_connection,
+					       tcparray->num + 1);
 	CTDB_NO_MEMORY(ctdb, tcparray->connections);

 	tcparray->connections[tcparray->num].src = p->src;
 	tcparray->connections[tcparray->num].dst = p->dst;
 	tcparray->num++;

-	DEBUG(DEBUG_INFO,("Added tickle info for %s:%u from vnn %u\n",
-		ctdb_addr_to_str(&tcp.dst),
-		ntohs(tcp.dst.ip.sin_port),
-		vnn->pnn));
+	D_INFO("Added connection %s\n", conn_str);

 	if (tcp_update_needed) {
 		vnn->tcp_update_needed = true;
@ -1582,58 +1591,59 @@ int32_t ctdb_control_tcp_add(struct ctdb_context *ctdb, TDB_DATA indata, bool tc
 }


-static void ctdb_remove_connection(struct ctdb_vnn *vnn, struct ctdb_connection *conn)
+static void ctdb_remove_connection(struct ctdb_vnn *vnn,
+				   struct ctdb_connection *conn)
 {
 	struct ctdb_connection *tcpp;
+	char conn_str[132] = { 0, };
+	int ret;

 	if (vnn == NULL) {
 		return;
 	}

-	/* if the array is empty we can't remove it
-	   and we don't need to do anything
-	 */
+	ret = ctdb_connection_to_buf(conn_str,
+				     sizeof(conn_str),
+				     conn,
+				     false,
+				     " -> ");
+	if (ret != 0) {
+		strlcpy(conn_str, "UNKNOWN", sizeof(conn_str));
+	}
+
+	/* If the array is empty there is nothing to remove */
 	if (vnn->tcp_array == NULL) {
-		DEBUG(DEBUG_INFO,("Trying to remove tickle that doesn't exist (array is empty) %s:%u\n",
-			ctdb_addr_to_str(&conn->dst),
-			ntohs(conn->dst.ip.sin_port)));
+		D_INFO("Attempt to remove untracked connection %s (empty)\n",
+		       conn_str);
 		return;
 	}


-	/* See if we know this connection
-	   if we don't know this connection  then we don't need to do anything
-	 */
 	tcpp = ctdb_tcp_find(vnn->tcp_array, conn);
 	if (tcpp == NULL) {
-		DEBUG(DEBUG_INFO,("Trying to remove tickle that doesn't exist %s:%u\n",
-			ctdb_addr_to_str(&conn->dst),
-			ntohs(conn->dst.ip.sin_port)));
+		D_DEBUG("Attempt to remove untracked connection %s\n", conn_str);
 		return;
 	}


-	/* We need to remove this entry from the array.
-           Instead of allocating a new array and copying data to it
-	   we cheat and just copy the last entry in the existing array
-	   to the entry that is to be removed and just shring the 
-	   ->num field
+	/*
+	 * We need to remove this entry from the array.  Instead of
+	 * allocating a new array and copying data to it, cheat and
+	 * just copy the last entry in the existing array to the entry
+	 * that is to be removed and just shrink the size.
 	 */
 	*tcpp = vnn->tcp_array->connections[vnn->tcp_array->num - 1];
 	vnn->tcp_array->num--;

-	/* If we deleted the last entry we also need to remove the entire array
-	 */
+	/* Last entry deleted, so remove the entire array */
 	if (vnn->tcp_array->num == 0) {
 		talloc_free(vnn->tcp_array);
 		vnn->tcp_array = NULL;
-	}		
+	}

 	vnn->tcp_update_needed = true;

-	DEBUG(DEBUG_INFO,("Removed tickle info for %s:%u\n",
-		ctdb_addr_to_str(&conn->src),
-		ntohs(conn->src.ip.sin_port)));
+	D_INFO("Removed connection %s\n", conn_str);
 }


@ -1653,9 +1663,21 @@ int32_t ctdb_control_tcp_remove(struct ctdb_context *ctdb, TDB_DATA indata)

 	vnn = find_public_ip_vnn(ctdb, &conn->dst);
 	if (vnn == NULL) {
-		DEBUG(DEBUG_ERR,
-		      (__location__ " unable to find public address %s\n",
-		       ctdb_addr_to_str(&conn->dst)));
+		char conn_str[132] = { 0, };
+		int ret;
+
+		ret = ctdb_connection_to_buf(conn_str,
+					     sizeof(conn_str),
+					     conn,
+					     false,
+					     " -> ");
+		if (ret != 0) {
+			strlcpy(conn_str, "UNKNOWN", sizeof(conn_str));
+		}
+
+		DBG_ERR("Attempt to remove connection %s "
+			"but destination is not a public address\n",
+			conn_str);
 		return 0;
 	}
Author	SHA1	Message	Date
Jule Anger	a01a0c34da	VERSION: Bump version up to Samba 4.21.3... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger <janger@samba.org>	2024-11-25 16:01:52 +01:00
Jule Anger	d67152765b	VERSION: Disable GIT_SNAPSHOT for the 4.21.2 release. Signed-off-by: Jule Anger <janger@samba.org>	2024-11-25 16:01:38 +01:00
Jule Anger	c8e1d81697	WHATSNEW: Add release notes for Samba 4.21.2. Signed-off-by: Jule Anger <janger@samba.org>	2024-11-25 16:01:01 +01:00
Martin Schwenke	8da34956d6	ctdb-scripts: Track connections for all ports for public IPs Currently TCP ports like NFS lock manager are not tracked. It is easier to track all connections than to add a configuration system to try to track specified ports, so do that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 RN: Update CTDB to track all TCP connections to public IP addresses Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jerry Heyman <jheyman@ddn.com> (cherry picked from commit 590a86dbe4adf45ac8d15497934e25ea98148034) Autobuild-User(v4-21-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-21-test): Mon Nov 25 14:09:18 UTC 2024 on atb-devel-224	2024-11-25 14:09:18 +00:00
Martin Schwenke	53df2b78ae	ctdb-scripts: Get connections after tickle list Running ss to get current connections before running ctdb gettickles means the ss output might be out of date when the 2 lists are compared. Some tickles might have been added after ss was run by some other means (e.g. SMB tickles, added internally) and they would be deleted according to the stale ss output. This isn't currently a problem because update_tickles() is currently only called with port 2049, so all tickles are managed by this code. That will change in a subsequent commit. Changing the order means the reverse problem can occur, where update_tickles() attempts to delete an already deleted tickle. That may happen occasionally but is harmless because it doesn't result in missing information. It (currently) just causes a message to be logged at DEBUG level. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 RN: Update CTDB to track all TCP connections to public IP addresses Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jerry Heyman <jheyman@ddn.com> (cherry picked from commit c3695722b6316b624aa6c44cad4f44279303d1b1)	2024-11-25 12:38:16 +00:00
Martin Schwenke	f5fc8aa709	ctdb-scripts: Move connection tracking to 10.interface This should really be done for all connections to public IP addresses. Leave the port number there for now - this is just the first step. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 RN: Update CTDB to track all TCP connections to public IP addresses Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jerry Heyman <jheyman@ddn.com> (cherry picked from commit 9683bb3ac2bbdf0e83c3be3681f9d1c8ee7cc327)	2024-11-25 12:38:16 +00:00
Martin Schwenke	c6c0722cb7	ctdb-server: Drop a log message to DEBUG level This is harmless, so it doesn't generally need to be logged. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 RN: Update CTDB to track all TCP connections to public IP addresses Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jerry Heyman <jheyman@ddn.com> (cherry picked from commit f4a8f84328c5e692ce63bec05bb71fcb469a3e9c)	2024-11-25 12:38:16 +00:00
Martin Schwenke	7791375ccc	ctdb-server: Clean up connection tracking functions Apply README.Coding, modernise logging, pre-render connection as a string for logging, switch terminology from "tickle" to "connection", tidy up comments. No changes in functionality. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 RN: Update CTDB to track all TCP connections to public IP addresses Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jerry Heyman <jheyman@ddn.com> (cherry picked from commit 3c19c8df778070705485b3c993e695ca1636bfa7)	2024-11-25 12:38:16 +00:00
Martin Schwenke	84deecc5e8	ctdb-scripts: Use ss -H option to simplify This option has been available since ~2018 and has been implemented in the stub since then. I guess we didn't use it because CentOS 7? BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 RN: Update CTDB to track all TCP connections to public IP addresses Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jerry Heyman <jheyman@ddn.com> (cherry picked from commit 0505d06b12a04a5c5e813fb3f4799278f9e5b7eb)	2024-11-25 12:38:16 +00:00
Martin Schwenke	5920d47149	ctdb-scripts: Remove superseded compatibility code Since commit 224e99804efef960ef4ce2ff2f4f6dced1e74146, square brackets have been parsed by daemon and tool code, so drop the compatibility code from here. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 RN: Update CTDB to track all TCP connections to public IP addresses Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jerry Heyman <jheyman@ddn.com> (cherry picked from commit 32e4f786601712e57992ce4c8f46e5d38620a5dd)	2024-11-25 12:38:16 +00:00
Martin Schwenke	0a571a6dbe	ctdb-scripts: update_tickles() should use the public IPs cache This avoids duplicating logic. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 RN: Update CTDB to track all TCP connections to public IP addresses Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jerry Heyman <jheyman@ddn.com> (cherry picked from commit b3e2c69ad92c0d20bb10146d2dd6d0d475455298)	2024-11-25 12:38:16 +00:00
Martin Schwenke	650ce39d63	ctdb-scripts: Don't list connections when not hosting IPs With an empty IP filter, all incoming connections to port 2049 will be listed, not just those to public IP addresses. This causes error messages like the following to be logged: ctdb-eventd[...]: 60.nfs: Failed to add 1 tickles since the connection being added seems to be for a random NFS mount that doesn't use a public IP addresses. This has been a problem for a long time (probably since commit 04fe9e20749985c71fef1bce7f6e4c439fe11c81 in 2015). It isn't currently a huge deal because it only affects NFS connections. However, this code will soon be used to track connections to public IP addresses on all ports. This would result in a constant stream of log messages, since there will always be some active connections. The theory behind the fix is that if a node hosts no public IPs then it should have no relevant connections and has no business changing the list of registered tickles. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320 RN: Update CTDB to track all TCP connections to public IP addresses Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jerry Heyman <jheyman@ddn.com> (cherry picked from commit 1a4a6c46f1cdabfea67c264d6576a597a70c3007)	2024-11-25 12:38:16 +00:00