Martin Schwenke [Fri, 15 Aug 2025 05:01:58 +0000 (15:01 +1000)]
ctdb-common: Only respect CTDB_SOCKET in CTDB_TEST_MODE
At the moment CTDB_SOCKET can be used outside of test mode even though
nobody should do this. So, no longer allow this.
This means ensuring CTDB_TEST_MODE is set in the in the
"clusteredmember" selftest environment, so that CTDB_SOCKET is
respected there..
Details...
The associated use of chown(2) and chmod(2), used to secure the socket
in ctdb_daemon.c:ux_socket_bind(), potentially enables a symlink race
attack. However, the chown(2) is currently not done in test mode, so
restricting the use of CTDB_SOCKET to test mode solves the potential
security issue.
Also, sprinkle warnings about use of CTDB_TEST_MODE in appropriate
places, just to attempt to limit unwanted behaviour.
An alternative could be to use the socket file descriptor with
fchown(2) and fchmod(2). However, these system calls are not well
defined on sockets. Still, this was previously done in CTDB's early
days (using the poorly documented method where they are allowed in
Linux (only?) before calling bind(2)). It was removed (due to
portability issues, via commits cf1056df94943ddcc3d547d4533b4bc04f57f265 and 2da3fe1b175a468fdff4aa4f65627facd2c28394) and replaced with the
current post-bind chown(2) and chmod(2).
I would like to remove the CTDB_SOCKET environment variable entirely,
since setting CTDB_TEST_MODE and CTDB_BASE covers all reasonable test
environments. However, I have a feeling that people use it for
interactive testing, and that can still be done in CTDB_TEST_MODE.
vfs_ceph_new: dont use ceph_ll_nonblocking_readv_writev for fsync_send
Commit 4ae922413844 ("vfs_ceph_new: use libcephfs nonblocking API for
async-io ops") uses ceph_ll_nonblocking_readv_writev for fsync_send.
However, the actual behaviour of libcephfs when using this API with
'fsync=true' is not async-fsync, as one may assume. Instead,
vfs_ceph_new should use a nonblocking fsync API[1], once it is ready.
Removed the usage of ceph_ll_nonblocking_readv_writev for fsync.
Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Pair-Programmed-With: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Fri Sep 5 13:38:33 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(backported from commit 36f6ac547c09f492d1dcab11570e8bcbd377cf26)
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 5d2f60ae5aa96751b74901ae5384291ef338b152)
Ralph Boehme [Thu, 24 Jul 2025 10:59:30 +0000 (12:59 +0200)]
libads: change netlogon_pings() behaviour wrt to min_servers parameter
Currently if a caller passes min_servers=X with X>1, netlogon_pings() will fail
if it can't contact X DCs. This is not really what we want. What we want is: we
want at least one DC, and up to X.
Change implemenentation in that sense and rename the min_servers argument to
wanted_servers to express this behaviour change.
Ralph Boehme [Thu, 24 Jul 2025 13:49:19 +0000 (15:49 +0200)]
idmap_ad: add and use ldap_timeout and fix LDAP server failover
The key parts are:
1. If an LDAP search fails with the hardcoded fatal error, remove the
retry. That would only retry the query against the same server, taken
from the DCINFO cache key. Instead, force a DC rediscovery.
2. Set a default ldap_timeout and pass it to tldap_search(). This
avoids tldap_search() hanging forever on a stale TCP connection.
3. The LDAP server idmap_ad is using is not necessarily the same DC
we're using for RPC, so in case we learn about a dead DC, put it in
the negative-conn-cache.
Ralph Boehme [Mon, 21 Jul 2025 04:44:22 +0000 (06:44 +0200)]
tldap: use tevent_req_set_endtime() to terminate LDAP searches
Needed to detect unresponsive LDAP servers, otherwise we might be sitting up to
924.6 seconds after sending a request before the kernel notifies us of a broken
connection.
vfs_virsufilter: Fix the invocation of SMB_VFS_NEXT_CONNECT
virusfilter is failing if path is defined for virusfilter:quarantine
as next module is not initialized by mean time. So rearranged invocation
of SMB_VFS_NEXT_CONNECT call
Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Jul 21 11:28:12 UTC 2025 on atb-devel-224
Volker Lendecke [Wed, 6 Aug 2025 13:28:29 +0000 (15:28 +0200)]
ctdb: Fix a stuck cluster lock holder after a delayed leader bcast
If a delayed broadcast by a previous cluster lock holder arrives, the
new legitimate leader will accept this without questioning in
leader_handler(). Without this patch rec->leader will never be
overwritten, and because rec->pnn != rec->leader we'll also never send
out fresh leader broadcasts. And because we hold the cluster lock,
nobody else can step up.
Fix this in the next round of leader broadcast timeout.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15892 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Aug 7 02:59:20 UTC 2025 on atb-devel-224
possibly_set_archive is being passed smb_fname->st.st_ex_mode.
Inside the function same variable is getting assigned to itself.
Fixed this to send unx_mode to possibly_set_archive.
Signed-off-by: Srinivas Rao V <Srinivas.Rao.V@ibm.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jul 18 22:25:05 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug 5 14:51:51 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1dbafcc4e4ff8f39af5ca737b30e9821413dd1f2)
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d88268102ade07fab345e04109818d97d8843a14)
Pavel Filipenský [Wed, 23 Jul 2025 13:09:21 +0000 (15:09 +0200)]
s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC
server role ROLE_IPA_DC (introduced in e2d5b4d) needs special handling
in dcip_check_name(). We should resolve the DC name using:
- CLDAP in dcip_check_name_ads()
instead of:
- NETBIOS in nbt_getdc() that fails if Windows is not providing netbios.
The impacted environment has:
domain->alt_name = example.com
domain->active_directory = 1
security = USER
server role = ROLE_IPA_DC
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-programmed-with: Andreas Schneider <asn@samba.org>
Add check for the GPO link to have at least two attributes separated by semicolumn. Allows to handle empty links.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15877
RN: Fix handling of empty GPO link
Singed-off-by: Alex Sharov (kororland@gmail.com) Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 10 18:55:33 UTC 2025 on atb-devel-224
Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 18 12:10:03 UTC 2025 on atb-devel-224
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Björn Baumbach <bb@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon Jun 16 22:22:27 UTC 2025 on atb-devel-224
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Björn Baumbach <bb@samba.org>
(cherry picked from commit f545a77a3c466e2be37e0c453861566d42b1a01d)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Björn Baumbach <bb@samba.org>
(cherry picked from commit 3150d103bb2990e005d70c90f3f9c316c5353005)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6f0ae60428a024b4aba92a8103a698c1eca2357c)
Autobuild-User(v4-22-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-22-test): Thu Jun 5 11:55:52 UTC 2025 on atb-devel-224
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Bjoern Jacke <bjacke@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed May 28 16:03:59 UTC 2025 on atb-devel-224
Ralph Boehme [Fri, 23 May 2025 15:06:50 +0000 (17:06 +0200)]
smbd: add access_mask to delay_for_handle_lease_break_send()
No change in behaviour, existing caller all pass SEC_RIGHTS_DIR_ALL. Prepares
for selectively breaking only H-leases if the access_mask of the corresponding
open contains DELETE_ACCESS.
Ralph Boehme [Thu, 22 May 2025 14:57:49 +0000 (16:57 +0200)]
smbd: support breaking leases on an object where we don't have an own internal open
So far, when dealing with the rename destination, we had an internal open on
that which ensured get_existing_share_mode_lock() would always return a
lock.
Subsequently I'll want delay_for_handle_lease_break_send() to be callable on an
object that doesn't have a full internal open including locking.tdb entry, but
merely an open handle from filename_convert_dirfsp().
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu May 29 10:57:35 UTC 2025 on atb-devel-224
Martin Schwenke [Thu, 15 May 2025 04:01:16 +0000 (14:01 +1000)]
ctdb-daemon: Run "startipreallocate" event in SHUTDOWN runstate
Even though all nodes may be shutting down there is still a very small
window for a race when multiple nodes are shut down. For simplicity,
assume 2 nodes. Assume the shutdowns of nodes are staggered, which is
usual because they're usually initiated by a loop (e.g. onnode -p all
ctdb shutdown). Although commands can continue in parallel, some
commands are started later than others.
Consider this sequence:
1. Node 0 reaches ctdb_shutdown_takeover() in
ctdb_shutdown_sequence() and a takeover run starts
2. Node 1 has not yet set its runlevel to SHUTDOWN in
ctdb_shutdown_sequence()
3. The leader node asks node 1 which IPs it can host
4. Node 1 replies "all of them"
5. Node 1 now sets its runlevel to SHUTDOWN in
ctdb_shutdown_sequence()
6. The leader node continues with the takeover run, first asking all
nodes to run "startipreallocate"
7. Node 0 runs "startipreallocate", so its NFS server starts grace
8. Node 1 does not run "startipreallocate" because it is not in
RUNNING runstate, so its NFS server does not start grace
9. The leader node continues with the takeover run, first asking all
nodes to run "releaseip" for IPs they can no longer hold
10. Node 0 releases all IPs, since it is SHUTDOWN runstate (so can't
host IPs)
11. As part of this, the NFS server on node 0 releases locks held
against IPs it is releasing
12. A client connected to node 1, where the NFS server is not in
grace, takes ("steals") one of those locks
This client is then permitted to reclaim the lock when nodes are
restarted.
Martin Schwenke [Mon, 12 May 2025 01:33:19 +0000 (11:33 +1000)]
ctdb-daemon: Add failover on shutdown
Without this, NFS servers on other nodes will not go into grace before
this node releases locks. This should also support improved behaviour
for SMB durable file handles.
The timeout is currently a constant 10s. However, it will
subsequently be switched to an option.
Martin Schwenke [Wed, 14 May 2025 06:55:51 +0000 (16:55 +1000)]
ctdb-protocol: Add CTDB server SRVID range
Normally, communication from other components to ctdbd is done via
controls. However, there are contexts where receiving SRVID messages
in ctdbd makes sense, such as replies to outgoing SRVID messages.
Martin Schwenke [Wed, 21 May 2025 12:17:42 +0000 (22:17 +1000)]
ctdb-daemon: Avoid aborting during early shutdown
An early shutdown can put ctdbd into SHUTDOWN runstate before ctdbd
has completed all early initialisation. Some of the start-time
transitions then attempt to set the runstate to FIRST_RECOVERY or
RUNNING, which would make the runstate go backwards, so ctdbd aborts.
Upcoming changes cause ctdbd shutdown to take longer, so the problem
will become more likely. With those changes, this can be
unreliably (50% of the time?) triggered by:
since it does an early shutdown due to a version mismatch.
Avoid this by noticing when the runstate is SHUTDOWN and refusing to
continue with subsequent early initialisation steps, which aren't
needed when shutting down.
Earlier runstate transitions do not seems likely to cause an abort
during early shutdown. The following:
sees ctdbd already into FIRST_RECOVERY before the shutdown is
processed.
The change to ctdb_run_startup() probably isn't strictly necessary.
There will be no abort in this case. ctdb_shutdown_sequence() will
always run the "shutdown" event and then stop the event daemon, so it
doesn't seem possible that services could be left running. However,
we might as well avoid running the "startup" event when shutting down,
even if only to avoid confusing logs.
Ultimately, it seems like some redesign would be needed to avoid this
in a more predictable manner, rather than responding when an early
initialisation step inconveniently completes during shutdown. For
example, hanging a lot of the start-time event handling off a common
talloc context, could allow it to be cancelled with a single
TALLOC_FREE(). However, a change like that would involve a lot of
analysis to ensure that the talloc hierarchy is correct and there is
no change of free'd pointers being dereferenced. So, we're probably
better off just keeping this issue in mind during a broader redesign.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 783ca9dc434bd1d18b762185ee936fcbcf292124)
Autobuild-User(v4-22-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-22-test): Thu May 8 14:04:08 UTC 2025 on atb-devel-224
Use the same logic from shadow_copy2 module to always prepend the
connectpath to the relative snapshot path so as to return converted
path corresponding to the file's share root.
Please note that with the current working directory staying at the
connectpath level we are safe to prefix it to the smb_filename. In
other words it seems we never get past the connectpath internally
during normal file system operations via chdir(). Since all relative
paths are now based on dirfsp we could constitute absolute path by
prepending the connectpath to full_path_from_dirfsp_atname() output
ignoring the current working directory.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Apr 30 11:32:59 UTC 2025 on atb-devel-224
Anoop C S [Tue, 4 Mar 2025 09:39:33 +0000 (15:09 +0530)]
vfs_ceph_snapshots: Use full path from dirfsp at smb_fname
In ceph_snap_gmt_openat() we hand in the incoming smb_fname as it is
to ceph_snap_gmt_strip_snapshot() which is then passed on to derive
the actual snapshot path using ceph_snap_gmt_convert(). But this can
go wrong in ceph_snap_gmt_convert_dir() while opening the snapdir.
Unless we constitute the full path from dirfsp at the first place we
always end up opening the snapdir from the parent directory with
OpenDir().
For example with dirfsp("foobar") and smb_fname("shift.txt"), we open
snapdir from share root because parent is calculated as empty string
via ceph_snap_get_parent_path(). Instead we could construct the full
path from dirfsp using full_path_from_dirfsp_atname() to ensure we
don't open the wrong snapdir.
Since we have access to the twrp token at VFS layer it doesn't make
much sense to make use of ceph_snap_gmt_strip_snapshot() in openat.
We could instead directly act based on already available twrp token
avoiding an extra copy of incoming smb_filename.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 23 12:14:17 UTC 2025 on atb-devel-224
libcli/smb: make smb2_lease_{pull,push} endian safe
smbd_smb2_send_lease_break() is already endian safe,
which means we'll get a mismatch on big endian systems,
so that smbd_smb2_send_lease_break() sends the lease key
in reversed order.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr 17 11:30:58 UTC 2025 on atb-devel-224
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit edf9cf4b29dab78f63eec8391cd1cd9eef861612)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit cbe438eb1a3c44f5cd46c5e685da9964da64f892)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Björn Jacke <bjacke@samba.org>
(cherry picked from commit 31ebf2cd1daeed25fab92ef71f7591fea8c92226)
s3:smbd: work around broken "vfs mkdir use tmp name" on FAT
"vfs mkdir use tmp name" creates a name with ":" because the file should
be invisible for Windows clients. ":" however is an invalid character on
FAT filesystems and we get EINVAL back. In that case we fall back to not
using tmp names for mkdir.
vfs_wide_links hides symlinks from the rest of smbd, and it implicitly
follows symlinks. Also, O_PATH will expose symlinks to the rest of
smbd, remove that.
We also need to do this for posix paths, as deep inside
rename_internals we want to avoid case-insensitive lookups by setting
SMB_FILENAME_POSIX_PATH.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Mar 25 05:21:49 UTC 2025 on atb-devel-224
Douglas Bagnall [Fri, 14 Mar 2025 04:45:18 +0000 (17:45 +1300)]
samba-tool gpo: better entities check copes with new lines
Per https://www.w3.org/TR/xml/#sec-entity-decl (and MS references)
there is always some whitespace between '<!ENTITY' and the name, and
between the name and whatever is next. Also, it is valid XML to have
newlines inside entity declarations, like this:
<!ENTITY
bubble
"*S-1-5-113"
>
We used to create such files, so we should allow them.
There is a kind of entity that has '%' before the name, and there are
non-ascii names, which we continue not to support.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
(cherry picked from commit 6107656ebc8d092b2c1907940b2486ab0265aad9)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
(cherry picked from commit 65751f2562f98bd7fd0734dc00784e6395d76322)
This meant we were testing nothing because the assertions are all that
the files are the same -- though the only affected check is one in
test_backup_restore_generalize().
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
(cherry picked from commit 6b619b568f6661d3a5f0701cdfaf1e1e4943ff6f)
Andreas Hasenack [Tue, 18 Feb 2025 15:43:46 +0000 (12:43 -0300)]
python:netcmd:gpo: fix crash when updating an MOTD GPO
When the policy exists already, there is no exception and the code
tries to use the "data" variable, but it doesn't exist because it was
only defined in the exception handling.
Signed-off-by: Andreas Hasenack <andreas.hasenack@canonical.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
(cherry picked from commit e87e20c04d90292e3a5caac8ea3105b16f948ed3)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
(cherry picked from commit 969cb41e06247949c3992cab25e824795204e31e)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c36cc2b6720a2cfe54ce52a500dc499418e27e34)
projects / thirdparty / samba.git / log
