Pawan Sahu [Fri, 20 Jun 2025 03:42:01 +0000 (05:42 +0200)]
gpfs: Fetch GPFS DOS attributes asynchronously
This change introduces asynchronous handling of GPFS DOS attributes
using the pthreadpool infrastructure. This is part of the overall
effort to improve SMB directory listing performance in environments
with GPFS as the backend filesystem.
Move the logic that checks for sufficient threads and per-thread credential
support into a dedicated helper function: vfswrap_check_async_with_thread_creds().
Pawan Sahu [Fri, 9 May 2025 06:19:03 +0000 (23:19 -0700)]
smbd: Introduce struct vfs_pthread_pool_job_state
Refactor the vfswrap_getattrat_state structure by extracting the members
specific to pthreadpool job handling into a new struct vfs_pthread_pool_job_state.
This improves code clarity and allows reuse of the job-related
state in other contexts.
lib: Add a safeguard for misconfigured directory permissions
An installation I've seen had the path to the msg.lock directory set
up such that only root could access it. We're calling
serverid_exists() as non-root, so this is a pretty bad error. Log this
as an error in syslog by default and assume this PID still exists.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Sep 29 08:14:22 UTC 2025 on atb-devel-224
If the read fails, torture_assert could return without freeing t.
Fix the leak.
Signed-off-by: Shweta Sodani <ssodani@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sun Sep 28 09:30:56 UTC 2025 on atb-devel-224
lib:crypto: Use gnutls_cipher_decrypt3() if possible
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Sep 26 18:38:57 UTC 2025 on atb-devel-224
The call to get_time_t_max() doesn't work as expected when time_t is a
64-bit type and the returned value is stored into a 32-bit unsigned
integer. Truncating a 64-bit constant to a 32-bit number won't return,
in general, the same value we would get if time_t were a 32-bit type.
It's unsafe and could even return small numbers very far from the
intended maximum.
This patch completely avoids the need to use get_time_t_max() by
assuming that when pwd_max_age is 0 or -1, it means no maximum age is
defined, so the password never expires and we don't need to do any
comparison.
A small adjustment has also been made to avoid calling
pdb_get_account_policy() if it's not necessary.
Signed-off-by: Xavi Hernandez <xhernandez@gmail.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Sep 26 05:23:30 UTC 2025 on atb-devel-224
Martin Schwenke [Fri, 15 Aug 2025 05:01:58 +0000 (15:01 +1000)]
ctdb-common: Only respect CTDB_SOCKET in CTDB_TEST_MODE
At the moment CTDB_SOCKET can be used outside of test mode even though
nobody should do this. So, no longer allow this.
This means ensuring CTDB_TEST_MODE is set in the
"clusteredmember" selftest environment, so that CTDB_SOCKET is
respected there.
Details...
The associated use of chown(2) and chmod(2), used to secure the socket
in ctdb_daemon.c:ux_socket_bind(), potentially enables a symlink race
attack. However, the chown(2) is currently not done in test mode, so
restricting the use of CTDB_SOCKET to test mode solves the potential
security issue.
Also, sprinkle warnings about use of CTDB_TEST_MODE in appropriate
places, just to attempt to limit unwanted behaviour.
An alternative could be to use the socket file descriptor with
fchown(2) and fchmod(2). However, these system calls are not well
defined on sockets. Still, this was previously done in CTDB's early
days (using the poorly documented method where they are allowed in
Linux (only?) before calling bind(2)). It was removed (due to
portability issues, via commits cf1056df94943ddcc3d547d4533b4bc04f57f265 and 2da3fe1b175a468fdff4aa4f65627facd2c28394) and replaced with the
current post-bind chown(2) and chmod(2).
I would like to remove the CTDB_SOCKET environment variable entirely,
since setting CTDB_TEST_MODE and CTDB_BASE covers all reasonable test
environments. However, I have a feeling that people use it for
interactive testing, and that can still be done in CTDB_TEST_MODE.
Martin Schwenke [Thu, 18 Sep 2025 05:24:32 +0000 (15:24 +1000)]
ctdb-ib: Replace uses of sprintf()
An unbounded sprintf() into ibw_lasterr (a 512-byte static data
buffer) can potentially cause overflow into other BSS data.
However, the risk is effectively minimised to zero due to:
* This code not being executed at all in ctdbd. It is only executed
in the accompanying test code:
- The function ibw_process_init_attrs() can cause a buffer overflow
if its 2nd argument, nattr, is non-zero and one of the structs in
the array pointed to by its 1st argument, attr, contains a name
member that is too long.
- ibw_process_init_attrs() is only called by ibw_init(), which also
has attr and nattr as its 1st and 2nd args, and it just passes them
straight through.
- ibw_init() is called in 2 places:
1. In ibwrapper_test.c, which is targeted test code.
2. In ibw_ctdb_init.c:ctdb_ibw_init(), which is the initialisation
function used to initialise the IB transport in ctdbd. Here, NULL
and 0 are passed as the relevant arguments to ibw_init(). Both
arguments are flagged with TODO comments. :-)
* This code is not built by default (--enable-infiniband is
required).
It appears that Debian and Red Hat family Linux distributions have
never distributed binaries with this enabled.
* Documentation (ctdb(7) and the wiki) recommends that private
addresses are configured on a private network that is separate from
client networks. So, even if the TODOs were done and the relevant
arguments could come off the wire, the attack surface should be very
small.
Only the instance with %s in the format is potentially problematic.
The others cannot overflow the current 512 byte buffer. However, it
makes sense to change them all in case someone foolishly reduces the
size of the buffer and makes other changes so that the buffer can be
overflowed in ctdbd.
Now, will static analysers complain that the result of snprintf() is
not checked even though snprintf() always NUL-terminates?
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reported-by: Marcos “Tr0p” Tolosa <marcos.tolosa@owasp.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Fix:
*** CID 1665466: Resource leaks (RESOURCE_LEAK)
/source4/kdc/sdb_to_hdb.c: 482 in sdb_entry_to_hdb_entry()
476 }
477
478 h->context = ske;
479 if (ske != NULL) {
480 ske->kdc_entry = h;
481 }
>>> CID 1665466: Resource leaks (RESOURCE_LEAK)
>>> Variable "kt" going out of scope leaks the storage "kt.val" points to.
482 return 0;
483 error:
484 free_hdb_entry(h);
485 return rc;
This is almost certainly a false positive, as when kt.len == 0, kt.val will be
NULL. But changing the condition to kt.val != NULL will not do any harm.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Sep 25 07:13:28 UTC 2025 on atb-devel-224
passdb: Fixing CID 1509029 for time_t in DEBUG statement
In the most likely scenario of time_t being 64 bit signed, we do the
typecast to intmax_t to also log negative values correctly.
Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Vinit Agnihotri <vagnihot@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Sep 24 06:44:50 UTC 2025 on atb-devel-224
Signed-off-by: Shweta Sodani <ssodani@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Sep 23 12:53:10 UTC 2025 on atb-devel-224
vfs_ceph_new: don't use ceph_ll_nonblocking_readv_writev for fsync_send
Commit 4ae922413844 ("vfs_ceph_new: use libcephfs nonblocking API for
async-io ops") uses ceph_ll_nonblocking_readv_writev for fsync_send.
However, the actual behaviour of libcephfs when using this API with
'fsync=true' is not async-fsync, as one may assume. Instead,
vfs_ceph_new should use a nonblocking fsync API[1], once it is ready.
Removed the usage of ceph_ll_nonblocking_readv_writev for fsync.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Sat Sep 20 06:49:37 UTC 2025 on atb-devel-224
Mike L [Tue, 16 Sep 2025 09:17:25 +0000 (11:17 +0200)]
s4:kdc/db-glue: Use realloc_p macro
Signed-off-by: Mike L. <cl.jeremy@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Sep 17 13:19:25 UTC 2025 on atb-devel-224
Gary Lockyer [Mon, 11 Aug 2025 00:00:03 +0000 (12:00 +1200)]
s4:kdc:sdb_to_hdb key trust support
Convert key trust public keys contained in the client's sdb records, and add
them to the HDB_Ext_KeyTrust extension on the client's HDB record.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Sep 16 23:23:42 UTC 2025 on atb-devel-224
Shachar Sharon [Thu, 7 Aug 2025 13:42:07 +0000 (16:42 +0300)]
buildtools: fixed broken build with FIPS-enabled host
MD5 is not supported on FIPS-enabled machines, but the current
work-around is broken. On the other hand, the latest Waf has a proper
fixup (use sha1 as a replacement for md5), so there is no need for
Samba-specific code.
Tested on CentOS-stream-9 with FIPS (Python-3.9.23).
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Sep 15 15:44:38 UTC 2025 on atb-devel-224
../../ctdb/utils/pmda/pmda_ctdb.c:52:9: warning: 'pmdaResult' redefined
52 | #define pmdaResult pmResult
| ^~~~~~~~~~
In file included from ../../ctdb/utils/pmda/pmda_ctdb.c:35:
/usr/include/pcp/pmda.h:30:9: note: this is the location of the previous definition
30 | #define pmdaResult pmResult_v2
| ^~~~~~~~~~
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Sep 13 08:12:42 UTC 2025 on atb-devel-224
tdbtorture: Fix CID 1034815,1034816: protect from out-of-bounds access
A user may provide an invalid input value for 'num_procs' (negative).
Avoid potential out-of-bounds access by forcing an 'unsigned int' value
(Coverity: OVERRUN).
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Sep 11 19:06:16 UTC 2025 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Sep 11 17:05:00 UTC 2025 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Shachar Sharon [Tue, 19 Aug 2025 08:34:13 +0000 (11:34 +0300)]
samr: Fix CID 1035506: close slave fd (RESOURCE_LEAK)
In the case of (unlikely) failure of dup2 on one of the standard file
descriptors, close the 'slave' fd upon return.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Sep 11 13:29:37 UTC 2025 on atb-devel-224
selftest: Do not use wrappers for samba.tests.docs
We will run into issues with Python 3.14 passing sockets for
concurrently running tasks.
https://bugzilla.samba.org/show_bug.cgi?id=15910
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Sep 10 19:21:55 UTC 2025 on atb-devel-224
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Sep 10 15:23:08 UTC 2025 on atb-devel-224
utils: Fixing CID 1509034 for time_t in DEBUG statement
Fix: change the typecast from (int)nt_time_to_unix_abs(&i12->lockout_window)
to (intmax_t)nt_time_to_unix_abs(&i12->lockout_window),
as intmax_t can hold epoch seconds after the year 2038.
Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com>
Reviewed-by: Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andreas Schneider <asn@samba.org>
passdb: Fixing CID 1508970 for time_t in DEBUG statement
Fix: change the typecast from (unsigned int)entry->bad_password_time to
(intmax_t)entry->bad_password_time, as intmax_t can hold epoch seconds
after the year 2038.
Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com>
Reviewed-by: Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andreas Schneider <asn@samba.org>
Very simple reopen of a directory as pathref. Too much magic in
openat_pathref_fsp_lcomp() leads to Bug 15897:
openat_pathref_fsp_lcomp() can return NT_STATUS_OK but still leave the
file descriptor at -1 for msdfs and smb1 posix reasons. When using it
in filename_convert_dirfsp_nosymlink() this bites us, the -1 can leak
into vfswrap_openat(). Avoid any magic by directly calling
SMB_VFS_OPENAT() with maximum NOFOLLOW/etc safety for this use case
and fail when this does not work.
This adds another flavor of openat_pathref_fsp, and at some point we
need to consolidate them again.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15897
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Sep 10 03:13:07 UTC 2025 on atb-devel-224
s3:script: Avoid UnicodeDecodeError for samba-log-parser processing a whole directory
When the log directory contains zipped files like
old/log.rpcd_spoolss-20250831.gz we get an error.
We want to ignore such files.
$ samba-log-parser --traceid 6 --merge-by-timestamp
Traceback (most recent call last):
File "/usr/bin/samba-log-parser", line 382, in <module>
main()
~~~~^^
File "/usr/bin/samba-log-parser", line 311, in main
process_file(
~~~~~~~~~~~~^
record_list,
^^^^^^^^^^^^
...<3 lines>...
options.traceid,
^^^^^^^^^^^^^^^^
)
^
File "/usr/bin/samba-log-parser", line 92, in process_file
data = infile.readlines()
File "<frozen codecs>", line 325, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8b in position 1: invalid start byte
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Sep 9 13:50:00 UTC 2025 on atb-devel-224
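The traceback above dies on byte 0x8b at position 1, which is the second byte of the gzip magic (1f 8b). The following is an added example, not the samba-log-parser fix itself, showing how a directory walker can recognise rotated archives by that header and skip them before any UTF-8 decoding happens; the file names and log lines are constructed.

```python
import gzip
import os
import tempfile

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def is_gzip(data: bytes) -> bool:
    """True when the buffer starts with the gzip magic.

    Checking the header up front means compressed data is never handed
    to the UTF-8 decoder, which is what raised UnicodeDecodeError above.
    """
    return data[:2] == GZIP_MAGIC


def decode_log(data: bytes):
    """Return the lines of a plain-text log, or None for a gzip'd file.

    Stray non-UTF-8 bytes in an otherwise plain file are replaced with
    U+FFFD instead of raising, so one bad byte cannot abort a whole run.
    """
    if is_gzip(data):
        return None
    return data.decode("utf-8", errors="replace").splitlines()


def read_log_dir(path: str) -> dict:
    """Read every regular file under path, skipping gzip archives.

    Returns {"parsed": {relpath: lines}, "skipped": [relpath, ...]}.
    """
    parsed, skipped = {}, []
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, path)
            lines = decode_log(data)
            if lines is None:
                skipped.append(rel)  # rotated archive, ignore it
            else:
                parsed[rel] = lines
    return {"parsed": parsed, "skipped": skipped}


def demo() -> dict:
    """Constructed log directory: one plain log plus one rotated .gz archive."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "old"))
        with open(os.path.join(tmp, "log.smbd"), "wb") as fh:
            fh.write(b"[2025/08/31 10:00:00.000000, 1] constructed sample line\n")
        with open(os.path.join(tmp, "old", "log.rpcd_spoolss-20250831.gz"), "wb") as fh:
            fh.write(gzip.compress(b"rotated and compressed\n"))
        return read_log_dir(tmp)
```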
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Sep 8 04:47:37 UTC 2025 on atb-devel-224
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Jennifer Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Sep 8 02:27:53 UTC 2025 on atb-devel-224
s3:shadow_copy: CID 1449539 talloc_realloc and error handling
- Replace TALLOC_REALLOC with talloc_realloc in order to handle
the integer overflow better.
- Rename tlabels as tmp_labels for clarity.
- Use shadow_copy_data->labels directly after successful
reallocation instead of relying on a temporary variable.
- Ensure that shadow_copy_data->num_volumes is set to 0 and
shadow_copy_data->labels is freed on error paths in order to
address the potential resource leaks.
Fixes: CID_1449539
Signed-off-by: Shwetha K Acharya <Shwetha.K.Acharya@ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sat Sep 6 10:34:27 UTC 2025 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Pair-Programmed-With: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Fri Sep 5 13:38:33 UTC 2025 on atb-devel-224
GSS-Proxy stores its credential in encrypted form in the Kerberos ccache
with a start and end time of 0 and a server principal in the realm named
'X-GSSPROXY:'. This credential is accessed through GSS-Proxy interposer
mechanism in MIT Kerberos and cannot be analysed with raw krb5 API.
As MIT Kerberos has no krb5_cc_get_lifetime() implementation, add a check
for the GSS-Proxy credential to the smb_krb5_cc_get_lifetime() wrapper to
return KRB5_PLUGIN_NO_HANDLE. The two places where
smb_krb5_cc_get_lifetime() is used then handle this return code to avoid
deciding on the 'expired' lifetime and causing a kinit.
This fixes the FreeIPA use case where an IPA API endpoint uses Samba Python
bindings with a GSS-Proxy-controlled credential cache.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Sep 3 10:15:50 UTC 2025 on atb-devel-224
Douglas Bagnall [Sun, 31 Aug 2025 09:24:34 +0000 (21:24 +1200)]
dsdb:audit log: cmocka unit tests for KCL
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Sep 3 03:13:47 UTC 2025 on atb-devel-224
Douglas Bagnall [Thu, 28 Aug 2025 05:09:43 +0000 (17:09 +1200)]
dsdb:audit: bump minor version of password logs (1.1 -> 1.2)
In https://wiki.samba.org/index.php/Interpreting_JSON_Audit_Logs we say:
> a version number for the JSON format. It has two parts.
>
> major: incremented if fields change meaning
> minor: incremented if a field is added
>
> A change in possible values does not usually trigger a version
> change. This is obviously true for client supplied data, but also
> applies to e.g. passwordType, where the set of supported password
> formats can change over time without changing the JSON version.
The last paragraph explicitly exempts us from a version change for
adding a new possible value ("Public key change") to the "action"
field. On the other hand we have expanded the scope of the log, which
deserves some version recognition.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Volker Lendecke [Tue, 13 May 2025 09:31:12 +0000 (11:31 +0200)]
libsmb: Slightly clarify format in set/get_secdesc
We have reserved fields after those 16-bit ones. With little endian
those are set to 0 with PUSH_LE32. That is unnecessary here, the
fields are already set to 0. This patch is not for efficiency, I just
got a bit confused by the subtlety.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>