Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Mar 26 01:51:40 UTC 2025 on atb-devel-224
Signed-off-by: Björn Jacke <bjacke@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Signed-off-by: Thomas Karlsson <thomas.karlsson@relea.se> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Mar 25 05:21:49 UTC 2025 on atb-devel-224
Douglas Bagnall [Fri, 14 Mar 2025 04:45:18 +0000 (17:45 +1300)]
samba-tool gpo: better entities check copes with new lines
Per https://www.w3.org/TR/xml/#sec-entity-decl (and MS references)
there is always some whitespace between '<!ENTITY' and the name, and
between the name and whatever is next. Also, it is valid XML to have
newlines inside entity declarations, like this:
<!ENTITY
bubble
"*S-1-5-113"
>
We used to create such files, so we should allow them.
There is a kind of entity that has '%' before the name, and there are
non-ascii names, which we continue not to support.
This meant we were testing nothing because the assertions are all that
the files are the same -- though the only affected check is one in
test_backup_restore_generalize().
Andreas Hasenack [Tue, 18 Feb 2025 15:43:46 +0000 (12:43 -0300)]
python:netcmd:gpo: fix crash when updating an MOTD GPO
When the policy exists already, there is no exception and the code
tries to use the "data" variable, but it doesn't exist because it was
only defined in the exception handling.
Signed-off-by: Andreas Hasenack <andreas.hasenack@canonical.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Douglas Bagnall [Fri, 14 Mar 2025 06:47:53 +0000 (19:47 +1300)]
samba-tool gpo: close opened files
It is almost certain that we are not going to run out of files, as
they get garbage collected anyway, but in some circumstances these can
fill your screen with "ResourceWarning: unclosed file" messages, which
hides the real messages.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 19 15:56:38 UTC 2025 on atb-devel-224
Before that commit we included only SEC_ACE_TYPE_ACCESS_ALLOWED(0)
as 'not type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT' filtered out
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT(5), but also
SEC_ACE_TYPE_ACCESS_DENIED and SEC_ACE_TYPE_ACCESS_DENIED_OBJECT.
After that commit we started to include
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT, which is wrong.
It was also always wrong to exclude SEC_ACE_TYPE_ACCESS_DENIED(1).
So now we make it explicit that we only include
SEC_ACE_TYPE_ACCESS_ALLOWED and SEC_ACE_TYPE_ACCESS_DENIED.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Mar 17 20:48:55 UTC 2025 on atb-devel-224
John Mulligan [Mon, 10 Mar 2025 20:47:10 +0000 (16:47 -0400)]
ctdb/doc: document the newly added option to not register the helper
Add the newly established -R (no-register) option to allow skipping the
registration of the helper as a ceph service.
Signed-off-by: John Mulligan <jmulligan@redhat.com> Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Mar 14 09:42:02 UTC 2025 on atb-devel-224
John Mulligan [Tue, 4 Mar 2025 20:43:52 +0000 (15:43 -0500)]
ctdb/ceph: add option to not register mutex rados helper as a service
Add a new `-R` option (no-register) that will skip the step of
registering the lock helper as a ceph service. Ceph will treat the lock
helper more like a typical rados client. The `ceph -s` output will not
have ctdb listed under the services section (previous output):
```
cluster:
id: 5b81295a-fdec-11ef-a18f-525400220000
health: HEALTH_WARN
1 stray daemon(s) not managed by cephadm
services:
mon: 3 daemons, quorum ceph0,ceph1,ceph2 (age 6m)
mgr: ceph0.mkodry(active, since 85s)
mds: 1/1 daemons up
osd: 6 osds: 6 up (since 52m), 6 in (since 52m)
ctdb: 1 daemon active (1 hosts)
```
Most importantly, this will avoid triggering health warnings from ceph
when cephadm discovers services that it did not create (or directly
manage) listed in the cluster. Something we looked into hiding on the
cephadm side but proved quite tricky so it's better off not to try this
registration on cephadm managed clusters in the first place.
In addition, the `1 daemon active` bit is somewhat confusing when you
have a N (N>1) node ctdb cluster managed by cephadm. The fact that the
mutex helper only runs on one of those nodes at once is a low level
implementation detail that most users do not need and I assume could
confuse.
Signed-off-by: John Mulligan <jmulligan@redhat.com> Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Douglas Bagnall [Wed, 5 Mar 2025 00:20:26 +0000 (13:20 +1300)]
manpages:samba-tool: sort 'service-account' into place alphabetically
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Mar 12 20:55:01 UTC 2025 on atb-devel-224
Douglas Bagnall [Thu, 27 Feb 2025 04:42:08 +0000 (17:42 +1300)]
python:getopt: hack to generate docbook stubs from --help
We have many many samba-tool subcommands that are not documented in
the manpage. Often the --help text is a good place to start, but doing
it entirely manually is VERY tedious.
This automates some of the process.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Rowland Penny <rpenny@samba.org>
Dmitry Antipov [Wed, 8 Feb 2023 08:59:59 +0000 (11:59 +0300)]
pylibsmb: do not use obsolete PyEval_InitThreads() for Python > 3.6
Do not use obsolete PyEval_InitThreads() for Python > 3.6:
../../source3/libsmb/pylibsmb.c: In function ‘py_cli_state_setup_mt_ev’:
../../source3/libsmb/pylibsmb.c:271:9: warning: ‘PyEval_InitThreads’ is
deprecated [-Wdeprecated-declarations]
271 | PyEval_InitThreads();
| ^~~~~~~~~~~~~~~~~~
In file included from /usr/include/python3.11/Python.h:95,
from ../../source3/libsmb/pylibsmb.c:48:
/usr/include/python3.11/ceval.h:132:37: note: declared here
132 | Py_DEPRECATED(3.9) PyAPI_FUNC(void) PyEval_InitThreads(void);
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Mar 12 04:36:21 UTC 2025 on atb-devel-224
Douglas Bagnall [Thu, 28 Nov 2024 03:06:10 +0000 (16:06 +1300)]
librpc/wsp: use unsigned char for high byte comparison
../../librpc/wsp/wsp_util.c:244:28: warning: result of comparison of constant 160 with expression of type 'char' is always false [-Wtautological-constant-out-of-range-compare]
244 | if (strlen(t) == 1 && *t == 0xa0) {
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Björn Jacke <bjacke@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Mar 12 01:32:30 UTC 2025 on atb-devel-224
Xavi Hernandez [Tue, 4 Mar 2025 11:48:41 +0000 (12:48 +0100)]
vfs_ceph_new: detect case sensitivity in CephFS
CephFS has recently added support for case insensitive access to the
file system. This modification detects whether the shared volume is case
sensitive or not and reports the FILE_CASE_SENSITIVE_SEARCH capability
accordingly.
s3:utils: Remove call of ads_startup() from net_ads_keytab_create()
Calling ads_startup() is not needed in net_ads_keytab_create. Keytab
creation code in sync_pw2keytabs() decides if it needs to talk to DC or
not and connects to AD accordingly.
Fixing this, makes the bug below easier to reproduce using
'net ads keytab create'.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Mar 10 11:09:29 UTC 2025 on atb-devel-224
s3:libads: Make sure that REALM is always added to keytab principals
The code responsible for adding SPNs to keytab should always set the
REALM part. Current code is not adding it for e.g. SPNs synced from AD.
If REALM is missing, krb5_parse_name() will succeed (and add the REALM)
only if the krb5.conf contains libdefaults section with
default_realm set and will fail otherwise. E.g.:
Pair-Programmed-With: Noel Power <noel.power@suse.com>
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Sun Mar 9 00:25:08 UTC 2025 on atb-devel-224
Ralph Boehme [Wed, 5 Mar 2025 17:02:39 +0000 (18:02 +0100)]
docs-xml: enable SMB3 Unix Extensions by default
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 7 20:06:31 UTC 2025 on atb-devel-224
Ralph Boehme [Fri, 7 Mar 2025 13:51:26 +0000 (14:51 +0100)]
s3:locking: make sure brl_conflict_posix() is only called with 2 POSIX_LOCKS
Otherwise we hit the assert if the caller is a windows lock
and the conflicting one a posix lock.
Or in the non-developer build we don't enforce the windows locking
rules.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 7 Mar 2025 13:47:49 +0000 (14:47 +0100)]
s3:locking: assert POSIX_LOCK in brl_[un]lock_posix()
This makes it clearer and prevents possible problems in future.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
which came in with commit f68fffa85d1de992384a210bb0b9261cda3fb168,
apparently forgetting to remove the previously existing initialization
locks[i].lock_flav=WINDOWS_LOCK.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 7 Mar 2025 11:57:24 +0000 (12:57 +0100)]
smbd: fix check for POSIX opens in have_file_open_below()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 7 Mar 2025 11:57:07 +0000 (12:57 +0100)]
smbd: fix checks for POSIX opens in file_find_subpath()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
Anoop C S [Tue, 25 Feb 2025 12:10:13 +0000 (17:40 +0530)]
vfs_ceph_new: Do not resolve by inode number
CephFS snapshots within snap directory shares the same inode number from
its parent. Until unless we resolve by name we may incorrectly point at
an inode which is not a snapshot directory. Therefore to be functionally
correct we avoid resolving by inode number but proper name.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Mar 7 18:20:47 UTC 2025 on atb-devel-224
Anoop C S [Mon, 24 Feb 2025 08:30:56 +0000 (14:00 +0530)]
vfs_ceph_new: Handle absolute path in vfs_ceph_ll_walk
It can very well be the case that the incoming path is absolute in
nature which breaks the assumption inside vfs_ceph_ll_walk that it
is within the current working directory. Instead perform a check to
see whether the path includes current working directory path in its
components and accordingly trim it to make it relative in nature.
s4:auth: let auth_user_info_dc_expand_sids() add This Organization SID
We do that unless the Other Organization SID is already there.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 6 17:35:50 UTC 2025 on atb-devel-224
Volker Lendecke [Wed, 26 Feb 2025 12:20:36 +0000 (13:20 +0100)]
vfs: Simplify DBGs
Avoid casts: We have PRIu64, size_t is printed with %zu. Only off_t
must be cast to intmax_t, but for that we should not need a macro.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 5 18:42:03 UTC 2025 on atb-devel-224
Volker Lendecke [Fri, 3 Jan 2025 14:24:01 +0000 (15:24 +0100)]
vfs: Rewrite vfs_streams_depot
This started when I found vfs_streams_depot() is the last user of
recursive_rmdir() and ended as a pretty complete rewrite. Why? This
new version does not call the path-based NEXT_[L]STAT routines
anymore, it only uses FSTATAT. This is one tiny step towards getting
rid of the path-based calls we still have that implicitly depend on
the current working directory. In some distant future I want to get
rid of our chdir() calls and do everything relative to a O_PATH handle
that we opened on the share root when connecting to a share.
This patch removes a few lines, and I don't see a reasonable way to do
this in micro-steps. Structurally it should be simple though:
Everything works off streams_depot_rootdir_pathref(), which gives a
pathref fsp to the ".streams" directory, stream_dir_pathref() turns
this into a pathref of the actual per-file subdirectory.
We also have to remove the special handling of absolute paths in
vfs_shadow_copy2, streams_depot does not send absolute paths anymore.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>