Standard signature is 'calloc(n_elems, elem_size)', where element size
(in particular, when using 'sizeof') comes as 2nd arg. The actual
allocation size does not care for ordering but swapping the order
confuses static-analysis tools like Coverity, as well as naive readers.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Shweta Sodani <ssodani@redhat.com> Reviewed-by: Rabinarayan Panigrahi <rapanigr@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Aug 19 18:08:02 UTC 2025 on atb-devel-224
Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Aug 19 09:45:46 UTC 2025 on atb-devel-224
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Aug 18 12:03:30 UTC 2025 on atb-devel-224
Ralph Boehme [Fri, 8 Aug 2025 11:52:59 +0000 (13:52 +0200)]
smbd: improve lease break when handling overwrite create disposition
If the contending create uses overwrite create disposition, but has caused a
sharing violation and the existing create has a SMB2_LEASE_HANDLE, then the
server should just send break the SMB2_LEASE_HANDLE.
The break will then either result in a close and the contending open succeeds,
or a STATUS_SHARING_VIOLATION. Either way, there's no need to additionally break
SMB2_LEASE_READ or SMB2_LEASE_WRITE.
Ralph Boehme [Thu, 7 Aug 2025 16:44:27 +0000 (18:44 +0200)]
s3/locking: fix checking for byterange locks when granting RH lease
From MS-FSA 2.1.5.18 "Server Requests an Oplock":
...
* Else If Type is LEVEL_GRANULAR:
* If RequestedOplockLevel is READ_CACHING or (READ_CACHING|HANDLE_CACHING):
* The operation MUST be failed with STATUS_OPLOCK_NOT_GRANTED under either of the
following conditions:
* Open.Stream.ByteRangeLockList is not empty and Open.Stream.AllocationSize
is greater than any ByteRangeLock.LockOffset in
Open.Stream.ByteRangeLockList.
Ralph Boehme [Mon, 2 Jun 2025 10:07:26 +0000 (12:07 +0200)]
smbd: avoid granting "H"-only lease
If an "RH" lease was requested and due to existing brl-lock we do not grant
an "R" lease, we end up granting an "H"-only lease which is not a valid lease
state.
Ralph Boehme [Sat, 9 Aug 2025 07:09:47 +0000 (09:09 +0200)]
smbtorture: add test smb2.lease.lock2
Verifies byterange locks only affect lease state if the lock is actually
"backed" by the file. Eg, if a file has size 0, byterange locks will never
affect lease state.
Stop using un-needed variable 'handle', this variable is not used
anywhere later.
Also load_module() internally allocates and uses handle, which suffice
for its operation.
This fixes resource leak issue reported by coverity #1412633
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Aug 15 06:19:51 UTC 2025 on atb-devel-224
Günther Deschner [Mon, 24 Oct 2022 13:42:54 +0000 (15:42 +0200)]
s3-vfs_fruit: add 'fruit:veto_localized' option
This new boolean option allows to automatically treat ".localized" as
vetoed files. Any attempts to access a ".localized" file or directory
will result in an access failure. MacOS tries to check for the presence
of such a file to check for the need of localized name display in
directory listings or checks for .localized directories containing name
translations). In large directory listings, typically half of the
compound SMB2 queries are done for ".localized", causing a significant
performance impact in particular with clustered filesystems.
More information can be found here:
https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemAdvancedPT/LocalizingtheNameofaDirectory/LocalizingtheNameofaDirectory.html
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Aug 14 11:08:11 UTC 2025 on atb-devel-224
Michael Adam [Wed, 13 Aug 2025 11:05:23 +0000 (13:05 +0200)]
lib: docs: talloc: fix a wrong cd command
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Aug 14 06:27:38 UTC 2025 on atb-devel-224
Ralph Boehme [Thu, 24 Jul 2025 10:59:30 +0000 (12:59 +0200)]
libads: change netlogon_pings() behaviour wrt to min_servers parameter
Currently if a caller passes min_servers=X with X>1, netlogon_pings() will fail
if it can't contact X DCs. This is not really what we want. What we want is: we
want at least one DC, and up to X.
Change implemenentation in that sense and rename the min_servers argument to
wanted_servers to express this behaviour change.
Ralph Boehme [Thu, 24 Jul 2025 13:49:19 +0000 (15:49 +0200)]
idmap_ad: add and use ldap_timeout and fix LDAP server failover
The key parts are:
1. If an LDAP search fails with the hardcoded fatal error, remove the
retry. That would only retry the query against the same server, taken
from the DCINFO cache key. Instead, force a DC rediscovery.
2. Set a default ldap_timeout and pass it to tldap_search(). This
avoids tldap_search() hanging forever on a stale TCP connection.
3. The LDAP server idmap_ad is using is not necessarily the same DC
we're using for RPC, so in case we learn about a dead DC, put it in
the negative-conn-cache.
Ralph Boehme [Mon, 21 Jul 2025 04:44:22 +0000 (06:44 +0200)]
tldap: use tevent_req_set_endtime() to terminate LDAP searches
Needed to detect unresponsive LDAP servers, otherwise we might be sitting up to
924.6 seconds after sending a request before the kernel notifies us of a broken
connection.
s4:torture/smb2: Fix torture test case smb2.acls.ACCESS_BASED
Currently this test case fails to run against windows target, as
it is hardcoded to use sharename as "hideunread".
This change enables this test case to be executed against windows,
by omitting use of hideunread share and relevant flags.
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Aug 13 18:29:53 UTC 2025 on atb-devel-224
s4:torture/smb2: Mark smb2.acl.SDFLAGSVSCHOWN as not supported for windows
Test case is expecting return code of NT_STATUS_OK for changing owner to
'everyone', however 'Windows 2016 server' is returning error code as
NT_STATUS_INVALID_OWNER and test case fails.
Same error code is returned if tested against targets w2k16, win2k12R2, win10, win11,
win7, win8 and winxp as well.
Thus marking this case as not supported for all windows versions till, issue is resolved.
Singed-off-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
s4:torture/smb2: Restore original sd for every test case finish
Some tests are not restoring original sd, at end of test.
This causes create test file to stay with incorrect access, resulting
into failure of smb2_deltree() to clear them up, which in-turn causes
other test cases to fail with 'object name collision' for mkdir test
directory.
Fix:
- Call setinfo on testfile with original sd.
- Fix some typos
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
This fix adds new target 'w2k16' which sets default value for option
'hide_on_access_denied' to true.
'windows 2016 server' returns NT_STATUS_OBJECT_NAME_NOT_FOUND on a createfile when
access is denied rather than NT_STATUS_ACCESS_DENIED. Above option
takes care of this behaviour.
Move TARGET_IS_WINDOWS to utils.h and add all presently defined windows
targets for the same.
Singed-off-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Gary Lockyer [Tue, 12 Aug 2025 23:52:36 +0000 (11:52 +1200)]
third_party:ngtcp2 Fix compilation with clang-20
Add -Wno-error=implicit-fallthrough and -Wno-error=format-nonliteral so that
ngtcp2 builds with clang 20
[1972/4994] Compiling third_party/ngtcp2/lib/ngtcp2_objalloc.c
../../third_party/ngtcp2/lib/ngtcp2_rtb.c:1120:7: error:
unannotated fall-through between switch labels
[-Werror,-Wimplicit-fallthrough]
1120 | case NGTCP2_ECN_STATE_UNKNOWN:
| ^
../../third_party/ngtcp2/lib/ngtcp2_rtb.c:1120:7: note:
insert '__attribute__((fallthrough));' to silence this warning
1120 | case NGTCP2_ECN_STATE_UNKNOWN:
| ^
| __attribute__((fallthrough));
../../third_party/ngtcp2/lib/ngtcp2_rtb.c:1120:7: note:
insert 'break;' to avoid fall-through
1120 | case NGTCP2_ECN_STATE_UNKNOWN:
| ^
| break;
1 error generated.
../../third_party/ngtcp2/lib/ngtcp2_log.c:818:35: error:
format string is not a string literal [-Werror,-Wformat-nonliteral]
818 | n = vsnprintf(buf, sizeof(buf), fmt, ap);
| ^~~
1 error generated.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Aug 13 03:58:43 UTC 2025 on atb-devel-224
Signed-off-by: Shweta Sodani <ssodani@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Shachar Sharon <ssharon@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Aug 12 09:32:19 UTC 2025 on atb-devel-224
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Aug 11 22:59:26 UTC 2025 on atb-devel-224
free memory allocated to status on error condition.
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Aug 9 07:37:05 UTC 2025 on atb-devel-224
Anoop C S [Fri, 11 Jul 2025 15:10:12 +0000 (20:40 +0530)]
vfs: Convert pread, pwrite and fsync recv interfaces to macros
Following the common convention of using uppercase letters for macros,
convert SMB_VFS_PREAD_RECV, SMB_VFS_PWRITE_RECV and SMB_VFS_FSYNC_RECV
functions to equivalent macros.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Aug 8 13:04:52 UTC 2025 on atb-devel-224
Ralph Boehme [Wed, 30 Jul 2025 07:53:40 +0000 (09:53 +0200)]
smbclient: fix handling errors from do_put in mput
Pair-Programmed-With: Anoop C S <anoopcs@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Aug 8 11:59:33 UTC 2025 on atb-devel-224
Douglas Bagnall [Wed, 9 Jul 2025 00:50:31 +0000 (12:50 +1200)]
python:ndr: improve type annotation and docs for pack/unpack
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Aug 8 00:29:00 UTC 2025 on atb-devel-224
Douglas Bagnall [Thu, 26 Jun 2025 00:45:24 +0000 (12:45 +1200)]
dbcheck: make deleted_objects check case-insensitive
While a BinaryDn.prefix is generated in upper-case, and
dsdb.DS_GUID_DELETED_OBJECTS_CONTAINER is upper-case, we can avoid
having to think about that by comparing the actual bytes.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Douglas Bagnall [Thu, 19 Jun 2025 01:25:08 +0000 (13:25 +1200)]
python:samdb: replace dsdb_Dn with stricter types
dsdb_Dn() was a catchall for DN+Binary, DN+String, and plain DNs which
needed to be sorted in a particular way. This meant it treated none of
them exactly right.
For example, a binary dsdb_Dn would be compared on the string
representation of the binary portion, so 'B:2:ff:CN=foo' would not
equal 'B:2:FF:CN=foo', when it should.
It meant a field that expected a binary dsdb_DN would also accept a
plain DN or a string DN, which is never actually allowed.
Also the parsing was a bit dodgy, so a string like 'B:6:ff:CN=foo'
would be accepted, when the length of the binary portion ("ff") is
obviously different from that given ("6").
Here we solve many of the problems by making stricter subclasses but
leaving a compatibility shim in place so that existing code continues
to work.
There is one INCOMPATIBLE change. Previously the `.binary` attribute
of a dsdb_Dn was the hex-string, while now it is the actual binary
data. In the case of StringDn, this means the utf-8 bytes.
This affects dbcheck, which is fixed here (the .prefix assignment now
correctly sets .binary).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Douglas Bagnall [Thu, 26 Jun 2025 04:30:48 +0000 (16:30 +1200)]
pytests: test normalise_int32 against out-of-range numbers
For example, we don't want to "normalise" 0x9876543210 to
0x9776543210, or 0x200000000 to 0x100000000. That is just causing
random damage to 64 bit values without achieving the sign switch.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Although dsdb_Dn is currently in samba.samdb, we aren't moving the
tests to samba.tests.samdb, because those tests need a real AD
environment whereas these ones can run more cheaply in the "none"
environment.
Another patch will improve the remaining samba.common tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Jule Anger [Thu, 7 Aug 2025 10:01:59 +0000 (12:01 +0200)]
tevent: version 0.17.1
* Coverity checks:
Fix 1649525 Use of 32-bit time_t
Fix Coverity ID 1649524 Dereference before null check
Fix Coverity ID 1649526 Dereference before null check
Signed-off-by: Jule Anger <janger@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
It fixes one occurrence in each of
pdb_samba_dsdb_create_user and pdb_samba_dsdb_create_alias
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Rabinarayan Panigrahi <rapanigr@redhat.com> Reviewed-by: Shachar Sharon <ssharon@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Aug 7 11:20:25 UTC 2025 on atb-devel-224
libcli/security: use talloc_free at the end of sub-tests
Memory should be free by talloc_free() if it is allocated using talloc_new()
Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Aug 7 09:02:29 UTC 2025 on atb-devel-224
Volker Lendecke [Wed, 6 Aug 2025 13:28:29 +0000 (15:28 +0200)]
ctdb: Fix a stuck cluster lock holder after a delayed leader bcast
If a delayed broadcast by a previous cluster lock holder arrives, the
new legitimate leader will accept this without questioning in
leader_handler(). Without this patch rec->leader will never be
overwritten, and because rec->pnn != rec->leader we'll also never send
out fresh leader broadcasts. And because we hold the cluster lock,
nobody else can step up.
Fix this in the next round of leader broadcast timeout.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15892 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Aug 7 02:59:20 UTC 2025 on atb-devel-224
Gary Lockyer [Wed, 6 Aug 2025 01:03:30 +0000 (13:03 +1200)]
librpc:ndr:keycredlink don't require that kmi be a talloc_context
This prevents fuzzing of ndr_pull_KeyMaterialInternal which we want. So instead
allocate against the ndr talloc context, then the callers can talloc_steal,
memcpy the data as appropriate.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Aug 6 05:10:43 UTC 2025 on atb-devel-224
Gary Lockyer [Wed, 6 Aug 2025 01:00:32 +0000 (13:00 +1200)]
s4:kdc:db-glue talloc steal pub_key data
talloc_steal the data pointers of pub_key, modulus and exponent onto pub_key.
To allow fuzz testing of ndr_pull_KeyMaterialInternal the KeyMaterialInternal
struct may not be a talloc_context. So the data portions will be allocated on
the ndr context.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Ralph Boehme [Fri, 11 Jul 2025 12:29:38 +0000 (14:29 +0200)]
docs: document serverid command
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Aug 5 16:03:56 UTC 2025 on atb-devel-224
Ralph Boehme [Fri, 11 Jul 2025 04:02:13 +0000 (06:02 +0200)]
libndr: add support for unions to ndr_pull_struct_blob_noalloc() and ndr_push_struct_into_fixed_blob()
The union switch value is stored by ndr_token_store() which uses talloc to
manage ndr.switch_list. Preallocate a ndr_token array and ndr_token_list on the
stack of size ndr_token_list.fixed_alloc_count and optionally use that in
ndr_token_store().
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 10 Jul 2025 14:48:22 +0000 (16:48 +0200)]
smbd: implement session check from MS-SMB2 3.3.5.9 Receiving an SMB2 CREATE Request
If the server implements the SMB 3.x dialect family and all of the following conditions are TRUE, the
server MUST look up an Open in GlobalOpenTable where Open.IsReplayEligible is TRUE and
Open.CreateGuid matches the CreateGuid in the SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2
create context and Open.ClientGuid matches the ClientGuid of the connection that received this
request:
...
If an Open is found, the server MUST perform the following:
...
If Open.Session.SessionId is not equal to the current Session.SessionId, the server MUST fail
the request with STATUS_DUPLICATE_OBJECTID.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>