Cause: recycle_do_touch() fails since the path ".deleted/administrator/./file"
contains a dot '.' - openat_pathref_fsp_nosymlink() loops over all
components and fails if there is a dot:
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Nov 4 11:38:52 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5124acec34c20391cdfeb9d9005365047b7d7eee)
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 498984cf346630c17169dbdb13a232854309f6a8)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Oct 20 10:59:03 UTC 2025 on atb-devel-224
in a Spotlight query produces the following log message:
map_fts: Mapping fts [757378800] unexpected op [~]
However, when
elasticsearch:ignore unknown attribute = yes
is set, the parser will ignore the failed expression and continue
parsing given the expression is part of a larger expression like
"subexpression1 OR subexpression2". Avoid spamming the log and reduce
the loglevel when we hit this case.
Martin Schwenke [Thu, 16 Oct 2025 02:54:22 +0000 (13:54 +1100)]
ctdb-scripts: Avoid failing updateip when IP is not assigned
There is no use failing this when it could behave more like takeip.
Use old interface of "__none__" as a hint that ctdbd doesn't think the
IP is assigned either. In this case print a warning instead of an
error. Take some care to avoid spurious errors in updateip.
After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux). This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.
Reported-by: Bailey Allison <ballison@45drives.com> Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Oct 17 06:28:30 UTC 2025 on atb-devel-224
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
(cherry picked from commit 01d3d25c0139a3dd49a2322a9416698d08733377)
Martin Schwenke [Wed, 15 Oct 2025 23:42:22 +0000 (10:42 +1100)]
ctdb-tests: Add an event script unit test for updateip
This illustrates the current failure where an unassigned public IP
address causes updateip to fail.
After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux). This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.
Reported-by: Bailey Allison <ballison@45drives.com> Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
(cherry picked from commit a98ffb96efc4a9ea2110c654860a4ba3896ab3d5)
Martin Schwenke [Wed, 15 Oct 2025 21:17:44 +0000 (08:17 +1100)]
ctdb-daemon: Fix a crash due to a failed updateip
This should really be a takeip. However, CTDB's weak check of the IP
address state (using bind(2)) incorrectly indicates that the IP
address is assigned to an interface so it is converted to an updateip.
After commit 0536d7a98b832fc00d26b09c26bf14fb63dbf5fb (which improves
IP address state checking), this will almost certainly not occur on
platforms with getifaddrs(3) (e.g. Linux). This means it is only
likely to occur in 4.21 when net.ipv4.ip_nonlocal_bind=1.
Reported-by: Bailey Allison <ballison@45drives.com> Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
(cherry picked from commit d08f9ebd2755671d30c73a4e979029d353848828)
Ralph Boehme [Sat, 27 Sep 2025 11:01:32 +0000 (13:01 +0200)]
smbtorture: add test "smb2.lease.lease-epoch"
Verifies the lease epoch is not incremented by the server (returns what the
client sent in the request) if a lease was not granted, i.e. lease_level=NONE.
Test passes against Windows 2025.
From MS-SMB2 3.3.5.9.11 "Handling the SMB2_CREATE_REQUEST_LEASE_V2 Create
Context":
If the object store succeeds this request, Lease.LeaseState MUST be set to the
new caching state. The server MUST increment Lease.Epoch by 1.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
(backported from commit a112978ed1240c399eb90e4472d5c43d867c49d9)
[slow@samba.org: conflict due to option veto_localized present only in master]
Ralph Boehme [Thu, 18 Sep 2025 18:35:22 +0000 (20:35 +0200)]
smbd: hang directory pattern matching case sensitivity on the pathname
For the SMB3 POSIX client both posix_open=true and (fsp->fsp_name->flags &
SMB_FILENAME_POSIX_PATH) will always be the case, so this is no change in
behaviour for that case.
However, for the macOS client fruit will carefully set up both flags as
posix_open=true but SMB_FILENAME_POSIX_PATH will not be set.
This is a deliberate hack to give the macOS client POSIX behaviour for some
operations, but not for others, while also allowing the POSIX-ified macOS client
to continue to get case insensitive behaviour.
Ralph Boehme [Thu, 18 Sep 2025 21:44:34 +0000 (23:44 +0200)]
smbd: hang posix brl per-handle check on the pathname
For the SMB3 POSIX client both posix_open=true and (fsp->fsp_name->flags &
SMB_FILENAME_POSIX_PATH) will always be the case, so this is no change in
behaviour for that case.
However, for the macOS client fruit will carefully set up both flags as
posix_open=true but SMB_FILENAME_POSIX_PATH will not be set.
This is a deliberate hack to give the macOS client POSIX behaviour for some
operations, but not for others, while also allowing the POSIX-ified macOS client
to continue to get case insensitive behaviour.
Tags all opens as POSIX by setting fsp_flags.posix_open to true.
POSIX handles have different behaviour compared to Windows:
Behaviour                          | POSIX     | Windows    | macOS     | fruit:posix_opens = yes
-----------------------------------+-----------+------------+-----------+------------------------
Deleting files with open handles   | yes       | no         | yes       | yes
Moving directories with open files | yes       | no         | yes       | yes
Byterange locks behaviour          | POSIX-ish | Window-ish | POSIX-ish | POSIX-ish
Sticky writetime                   | no        | yes        | no        | no
Case sensitive                     | no        | yes        | yes       | yes
Streams allowed                    | no        | yes        | yes       | yes
macOS follows POSIX for the first four, but needs case insensitive behaviour
and needs streams.
By carefully setting fsp_flags.posix_open to true *after* going through the path
resolution logic, but before opens are added to locking.tdb, with
"fruit:posix_opens = yes" we get closest to macOS semantics.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
(backported from commit e86f0c2de80e2409bfe3fc12df24e94470988e3c)
[slow@samba.org: conflict due to option veto_localized only present in master]
This commit fixes a situation in which vfs_streams_xattr could
write uninitialized memory into alternate data streams if the
user writes to an offset that is beyond the current end of file
to insert a hole in it.
Douglas Bagnall [Wed, 3 Sep 2025 02:20:24 +0000 (14:20 +1200)]
CVE-2025-10230: s4:wins: restrict names fed to shell
If the "wins hook" smb.conf parameter is set, the WINS server will
attempt to execute that value in a shell command line when a client
asks to modify a name. The WINS system is a trusting one, and clients
can claim any NETBIOS name they wish.
With the source3 nmbd WINS server (since the 1999 commit now called 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7) the wins hook will not be
run for names that contain shell metacharacters. This restriction has
not been present on the source4 nbt WINS server, which is the WINS
server that will be used in the event that an Active Directory Domain
Controller is also running WINS.
This allowed an unauthenticated client to execute arbitrary commands
on the server.
This commit brings the nmbd check into the nbt WINS server, so that
the wins hook will only be run for names that contain only letters,
digits, hyphens, underscores and periods. This matches the behaviour
described in the smb.conf man page.
The source3 nmbd WINS server has another layer of protection, in that
it uses the smb_run() exec wrapper that tries to escape arguments. We
don't do that here.
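The name restriction described in this commit message, as an added C example (not Samba's code and not taken from the patch): a length-bounded allowlist check that gates the hook call. The function names, the 15-character limit and the simplified "<hook> <op> <name>" command layout are assumptions of this example, and the sample names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption of this example: at most 15 name characters per NetBIOS name. */
#define EXAMPLE_MAX_NAME_LEN 15

/* Legal characters per the smb.conf man page text quoted on this page:
 * letters, digits, hyphens, underscores and periods. Explicit ASCII ranges
 * are used so the result does not depend on the process locale. */
static bool example_legal_char(unsigned char c)
{
	return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
	       (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
}

/* The length is passed explicitly: a name taken from a packet may contain
 * an embedded NUL, which a strlen()-based check would silently truncate. */
bool example_wins_name_is_legal(const char *name, size_t len)
{
	size_t i;

	if (name == NULL || len == 0 || len > EXAMPLE_MAX_NAME_LEN) {
		return false;
	}
	for (i = 0; i < len; i++) {
		if (!example_legal_char((unsigned char)name[i])) {
			return false;
		}
	}
	return true;
}

/* Formats the hook command only for legal names. Returns the command length,
 * or -1 when the hook must not be run (illegal name or buffer too small). */
int example_build_hook_cmd(char *out, size_t outlen, const char *hook,
			   const char *op, const char *name, size_t name_len)
{
	int n;

	if (!example_wins_name_is_legal(name, name_len)) {
		return -1;
	}
	n = snprintf(out, outlen, "%s %s %.*s", hook, op, (int)name_len, name);
	return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
	/* Constructed sample names; the lengths keep the embedded NUL visible. */
	static const struct { const char *name; size_t len; } samples[] = {
		{ "FILESRV-01", 10 }, { "ws_1.lab", 8 }, { "a;b", 3 },
		{ "x|y", 3 }, { "ab\0cd", 5 }, { "ABCDEFGHIJKLMNOP", 16 },
	};
	char cmd[128];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int n = example_build_hook_cmd(cmd, sizeof(cmd), "/usr/local/bin/hook",
					       "add", samples[i].name, samples[i].len);
		printf("%zu: %s\n", i, n < 0 ? "hook not run" : cmd);
	}
	return 0;
}
```

The allowlist is the only layer shown here; as the commit message notes, the source3 server additionally goes through an exec wrapper that escapes arguments.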
Douglas Bagnall [Tue, 9 Sep 2025 01:36:16 +0000 (13:36 +1200)]
CVE-2025-10230: s4/tests: check that wins hook sanitizes names
An smb.conf can contain a 'wins hook' parameter, which names a script
to run when a WINS name is changed. The man page says
The second argument is the NetBIOS name. If the name is not a
legal name then the wins hook is not called. Legal names contain
only letters, digits, hyphens, underscores and periods.
but it turns out the legality check is not performed if the WINS
server in question is the source4 nbt one. It is not expected that
people will run this server, but they can. This is bad because the
name is passed unescaped into a shell command line, allowing command
injection.
For this test we don't care whether the WINS server is returning an
error code, just whether it is running the wins hook. The tests show
it often runs the hook it shouldn't, though some characters are
incidentally blocked because the name has to fit in a DN before it
gets to the hook, and DNs have a few syntactic restrictions (e.g.,
blocking '<', '>', and ';').
The source3 WINS server that is used by Samba when not run as a DC is
not affected and not here tested.
Martin Schwenke [Fri, 15 Aug 2025 05:01:58 +0000 (15:01 +1000)]
ctdb-common: Only respect CTDB_SOCKET in CTDB_TEST_MODE
At the moment CTDB_SOCKET can be used outside of test mode even though
nobody should do this. So, no longer allow this.
This means ensuring CTDB_TEST_MODE is set in the
"clusteredmember" selftest environment, so that CTDB_SOCKET is
respected there.
Details...
The associated use of chown(2) and chmod(2), used to secure the socket
in ctdb_daemon.c:ux_socket_bind(), potentially enables a symlink race
attack. However, the chown(2) is currently not done in test mode, so
restricting the use of CTDB_SOCKET to test mode solves the potential
security issue.
Also, sprinkle warnings about use of CTDB_TEST_MODE in appropriate
places, just to attempt to limit unwanted behaviour.
An alternative could be to use the socket file descriptor with
fchown(2) and fchmod(2). However, these system calls are not well
defined on sockets. Still, this was previously done in CTDB's early
days (using the poorly documented method where they are allowed in
Linux (only?) before calling bind(2)). It was removed (due to
portability issues, via commits cf1056df94943ddcc3d547d4533b4bc04f57f265 and 2da3fe1b175a468fdff4aa4f65627facd2c28394) and replaced with the
current post-bind chown(2) and chmod(2).
I would like to remove the CTDB_SOCKET environment variable entirely,
since setting CTDB_TEST_MODE and CTDB_BASE covers all reasonable test
environments. However, I have a feeling that people use it for
interactive testing, and that can still be done in CTDB_TEST_MODE.
vfs_ceph_new: dont use ceph_ll_nonblocking_readv_writev for fsync_send
Commit 4ae922413844 ("vfs_ceph_new: use libcephfs nonblocking API for
async-io ops") uses ceph_ll_nonblocking_readv_writev for fsync_send.
However, the actual behaviour of libcephfs when using this API with
'fsync=true' is not async-fsync, as one may assume. Instead,
vfs_ceph_new should use a nonblocking fsync API[1], once it is ready.
Removed the usage of ceph_ll_nonblocking_readv_writev for fsync.
Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Pair-Programmed-With: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Fri Sep 5 13:38:33 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(backported from commit 36f6ac547c09f492d1dcab11570e8bcbd377cf26)
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 5d2f60ae5aa96751b74901ae5384291ef338b152)
Ralph Boehme [Thu, 24 Jul 2025 10:59:30 +0000 (12:59 +0200)]
libads: change netlogon_pings() behaviour wrt to min_servers parameter
Currently if a caller passes min_servers=X with X>1, netlogon_pings() will fail
if it can't contact X DCs. This is not really what we want. What we want is: we
want at least one DC, and up to X.
Change implementation in that sense and rename the min_servers argument to
wanted_servers to express this behaviour change.
Ralph Boehme [Thu, 24 Jul 2025 13:49:19 +0000 (15:49 +0200)]
idmap_ad: add and use ldap_timeout and fix LDAP server failover
The key parts are:
1. If an LDAP search fails with the hardcoded fatal error, remove the
retry. That would only retry the query against the same server, taken
from the DCINFO cache key. Instead, force a DC rediscovery.
2. Set a default ldap_timeout and pass it to tldap_search(). This
avoids tldap_search() hanging forever on a stale TCP connection.
3. The LDAP server idmap_ad is using is not necessarily the same DC
we're using for RPC, so in case we learn about a dead DC, put it in
the negative-conn-cache.
Ralph Boehme [Mon, 21 Jul 2025 04:44:22 +0000 (06:44 +0200)]
tldap: use tevent_req_set_endtime() to terminate LDAP searches
Needed to detect unresponsive LDAP servers, otherwise we might be sitting up to
924.6 seconds after sending a request before the kernel notifies us of a broken
connection.
vfs_virsufilter: Fix the invocation of SMB_VFS_NEXT_CONNECT
virusfilter is failing if path is defined for virusfilter:quarantine
as next module is not initialized by mean time. So rearranged invocation
of SMB_VFS_NEXT_CONNECT call
Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Jul 21 11:28:12 UTC 2025 on atb-devel-224
Volker Lendecke [Wed, 6 Aug 2025 13:28:29 +0000 (15:28 +0200)]
ctdb: Fix a stuck cluster lock holder after a delayed leader bcast
If a delayed broadcast by a previous cluster lock holder arrives, the
new legitimate leader will accept this without questioning in
leader_handler(). Without this patch rec->leader will never be
overwritten, and because rec->pnn != rec->leader we'll also never send
out fresh leader broadcasts. And because we hold the cluster lock,
nobody else can step up.
Fix this in the next round of leader broadcast timeout.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15892 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Aug 7 02:59:20 UTC 2025 on atb-devel-224
possibly_set_archive is being passed smb_fname->st.st_ex_mode.
Inside the function same variable is getting assigned to itself.
Fixed this to send unx_mode to possibly_set_archive.
Signed-off-by: Srinivas Rao V <Srinivas.Rao.V@ibm.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jul 18 22:25:05 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug 5 14:51:51 UTC 2025 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1dbafcc4e4ff8f39af5ca737b30e9821413dd1f2)
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d88268102ade07fab345e04109818d97d8843a14)
Pavel Filipenský [Wed, 23 Jul 2025 13:09:21 +0000 (15:09 +0200)]
s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC
server role ROLE_IPA_DC (introduced in e2d5b4d) needs special handling
in dcip_check_name(). We should resolve the DC name using:
- CLDAP in dcip_check_name_ads()
instead of:
- NETBIOS in nbt_getdc() that fails if Windows is not providing netbios.
The impacted environment has:
domain->alt_name = example.com
domain->active_directory = 1
security = USER
server role = ROLE_IPA_DC
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-programmed-with: Andreas Schneider <asn@samba.org>
Add check for the GPO link to have at least two attributes separated by semicolon. Allows to handle empty links.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15877
RN: Fix handling of empty GPO link
Signed-off-by: Alex Sharov (kororland@gmail.com) Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 10 18:55:33 UTC 2025 on atb-devel-224
Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 18 12:10:03 UTC 2025 on atb-devel-224
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Björn Baumbach <bb@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon Jun 16 22:22:27 UTC 2025 on atb-devel-224
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Björn Baumbach <bb@samba.org>
(cherry picked from commit f545a77a3c466e2be37e0c453861566d42b1a01d)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Björn Baumbach <bb@samba.org>
(cherry picked from commit 3150d103bb2990e005d70c90f3f9c316c5353005)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6f0ae60428a024b4aba92a8103a698c1eca2357c)
Autobuild-User(v4-22-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-22-test): Thu Jun 5 11:55:52 UTC 2025 on atb-devel-224
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Bjoern Jacke <bjacke@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed May 28 16:03:59 UTC 2025 on atb-devel-224