CVE-2026-4480: s3:printing: mask and/or single quote jobname passed as %J to "print command"
Fix an unauthenticated remote code execution vulnerability with
printing set to anything *but* cups and iprint, for example "lprng",
so that "print command" is executed upon job submission. If the
client-controlled job name is handed to the "print command" via %J,
rpcd_spoolssd passes this to the shell without escaping critical
characters.
Using single quotes (directly) around %J, i.e. '%J', would avoid the
problem; we now try to autodetect if we can use '%J' implicitly,
or we fall back to a fixed "__CVE-2026-4480_FallbackJobname__"
string instead of the client-provided jobname.
This is the basic helper function for the security problems.
talloc_string_sub_mixed_quoting() checks for strange quoting
in smb.conf options.
And talloc_string_sub_unsafe() tries to autodetect how the unsafe
(client controlled) value can be masked and single quoted;
as a fallback for strange quoting a fixed fallback string
is used, and the caller should warn the admin and give
hints on how to fix the configuration.
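The quoting approach these two commit messages describe, sketched as an added example (not Samba's code): `expand_jobname()` and its helpers are hypothetical names, and the quote tracker is an assumed, deliberately narrow model that only understands '...', "..." and backslash. An unquoted %J is wrapped in single quotes with embedded quotes masked, an admin-written '%J' is masked in place, and any other context gets the fixed fallback string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fallback string named in the commit message above. */
#define FALLBACK_JOBNAME "__CVE-2026-4480_FallbackJobname__"

enum quote_ctx { CTX_NONE, CTX_SINGLE, CTX_DOUBLE };

/* Append n bytes of src to a growing, NUL-terminated heap buffer. */
static void buf_add(char **buf, size_t *len, const char *src, size_t n)
{
	char *p = realloc(*buf, *len + n + 1);
	if (p == NULL) {
		abort();
	}
	memcpy(p + *len, src, n);
	*len += n;
	p[*len] = '\0';
	*buf = p;
}

/* Copy value so it stays inert inside '...': each ' becomes '\'' */
static void add_masked(char **buf, size_t *len, const char *value)
{
	for (; *value != '\0'; value++) {
		if (*value == '\'') {
			buf_add(buf, len, "'\\''", 4);
		} else {
			buf_add(buf, len, value, 1);
		}
	}
}

/* Expand every %J in tmpl (hypothetical helper). Returns a malloc'd command
 * line; *used_fallback is set when a %J sat in a context we do not trust. */
char *expand_jobname(const char *tmpl, const char *jobname, int *used_fallback)
{
	enum quote_ctx ctx = CTX_NONE;
	char *out = NULL;
	size_t len = 0;
	const char *p;

	*used_fallback = 0;
	buf_add(&out, &len, "", 0);
	for (p = tmpl; *p != '\0'; p++) {
		if (p[0] == '%' && p[1] == 'J') {
			if (ctx == CTX_NONE) {          /* bare %J: add the quotes */
				buf_add(&out, &len, "'", 1);
				add_masked(&out, &len, jobname);
				buf_add(&out, &len, "'", 1);
			} else if (ctx == CTX_SINGLE) { /* admin wrote '%J' */
				add_masked(&out, &len, jobname);
			} else {                        /* "%J": do not guess */
				buf_add(&out, &len, FALLBACK_JOBNAME,
					strlen(FALLBACK_JOBNAME));
				*used_fallback = 1;
			}
			p++;
			continue;
		}
		if (ctx != CTX_SINGLE && *p == '\\' && p[1] != '\0') {
			buf_add(&out, &len, p, 2); /* escaped char, no state change */
			p++;
			continue;
		}
		if (*p == '\'' && ctx != CTX_DOUBLE) {
			ctx = (ctx == CTX_SINGLE) ? CTX_NONE : CTX_SINGLE;
		} else if (*p == '"' && ctx != CTX_SINGLE) {
			ctx = (ctx == CTX_DOUBLE) ? CTX_NONE : CTX_DOUBLE;
		}
		buf_add(&out, &len, p, 1);
	}
	return out;
}

int main(void)
{
	int fb;
	/* Constructed template and job name, for illustration only. */
	char *cmd = expand_jobname("lpr -J%J %s", "it's; echo x", &fb);
	printf("%s (fallback=%d)\n", cmd, fb);
	free(cmd);
	return 0;
}
```

A caller would log a configuration warning whenever `used_fallback` comes back set, as the message above asks of the real caller.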
CVE-2026-4480/CVE-2026-4408: s3:lib: let realloc_string_sub2() use realloc_string_sub_raw()
We don't need this logic more than once!
But we leave the strange calling convention of
realloc_string_sub2(), where the caller is
not allowed to use the passed pointer when
NULL is returned...
Douglas Bagnall [Fri, 27 Feb 2026 01:46:04 +0000 (14:46 +1300)]
CVE-2026-3012: gpo tests should use real certificates
Or at least, more real than a short arbitrary byte string, so that
the certificates can be parsed.
This shows that certificate enrolment works via LDAP in the situations
where we would have fetched them via HTTP.
This does not fix the advanced_gp_cert_auto_enroll_ext test which
wants to install certificates it has no access to. This will not be
fixed in the security release.
Douglas Bagnall [Thu, 26 Feb 2026 01:21:01 +0000 (14:21 +1300)]
CVE-2026-3012: gp_auto_enrol: skip CAs not found in LDAP
If a certificate is mentioned in a GPO but is not present as a
cACertificate attribute on a pKIEnrollmentService object, we have no way
of obtaining it, so we might as well forget it.
Douglas Bagnall [Sun, 22 Feb 2026 22:01:57 +0000 (11:01 +1300)]
CVE-2026-3012: do not fetch certificate over http
In the case where a certificate was found via HTTP, it was trusted
without verification and put in the global CA store.
There is no means to check the certificate other than by comparing it
to certificates we may have gathered via LDAP, but in that case there
is no advantage over just using the LDAP-derived certificates.
Using the LDAP certificates was already the fallback case if HTTP
failed, so we just make it the default.
The HTTP fetch depends on the NDES service, which is a variant of
Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
Samba implements none of that protocol other than the HTTP fetch. SCEP
is for clients that are not true domain members. Domain members can
access certificates over LDAP. This patch is not reducing SCEP
client support because Samba never had it.
Reported-by: Arad Inbar, DREAM Security Research Team Reported-by: Nir Somech, DREAM Security Research Team Reported-by: Ben Grinberg, DREAM Security Research Team Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Douglas Bagnall [Thu, 26 Feb 2026 22:30:40 +0000 (11:30 +1300)]
CVE-2026-3012: gpo tests: fix test cleanup
These tests are going to fail soon but as currently written they do
not clean up after themselves, erroring instead of failing and causing
cascading errors in subsequent tests. For now we don't care to make
the other tests less fragile.
Pavel Kohout [Fri, 13 Feb 2026 02:51:41 +0000 (15:51 +1300)]
CVE-2026-2340: vfs_worm: Check destination WORM status in rename
vfs_worm_renameat() only checked if the source file was WORM-protected,
but not the destination. This allowed overwriting immutable files via
SMB2 rename with ReplaceIfExists=1, bypassing WORM protection.
Add destination check using FSTATAT on the destination dirfsp, as
suggested by the maintainer.
CWE-284 (Improper Access Control)
Reported-by: Pavel Kohout, Aisle Research, www.aisle.com
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15997
Signed-off-by: Pavel Kohout <pavel.kohout@aisle.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
CVE-2026-1933: smbd: Add access checks to reparse point operations
On a share marked "read only = yes" and on file handles opened R/O
users can set or delete the reparse point xattrs on files that the
user has write-access in the file system for. Add the required access
checks.
Thanks to Asim Viladi Oglu Manizada for reporting the issue.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu May 21 18:27:37 UTC 2026 on atb-devel-224
C26: add explicit casts where const must be stripped for mutation
For cases where code intentionally writes through a pointer returned by
strchr/strrchr/strstr, add explicit discard_const_p casts or adjust variable
types to non-const to make the mutability intent clear.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
C26: refactor to avoid modifying data via const pointer
Refactor code that assigns to a struct member, then calls strchr/strrchr on it
for in-place modification. Use a local mutable variable for modification, then
assign the final result to the struct member.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Use C99 static array size in function parameters (e.g. uint8_t buf[static 516])
to document minimum array size requirements and enable compiler diagnostics.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
C26: use strchr_m/strrchr_m/strstr_m for multibyte-safe search
Replace strchr/strrchr/strstr with their multibyte-aware
Samba equivalents where appropriate. These wrappers return
char * regardless of input constness.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
charset: make strchr_m/strrchr_m/strstr_m const-correct via C11 _Generic
Since glibc-2.43 and C23, strchr/strrchr/strstr use _Generic macros to
return const char * when given const char * input. This caused build
failures in strchr_m and strrchr_m whose fast-path returns passed the
const char * result through as char *:
lib/util/charset/util_str.c:370: error: return discards 'const'
qualifier from pointer target type [-Werror=discarded-qualifiers]
Rather than wrapping the returns in discard_const_p (which the project
discourages adding more of), fix the API properly: rename the
implementations to strchr_m_const/strrchr_m_const/strstr_m_const
returning const char *, and expose C11 _Generic macros under the
original names. The macros preserve the caller's const qualification:
char * input yields char *, const char * input yields const char *.
This matches C23 strchr semantics and requires no changes at call sites.
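An added illustration of the const-preserving dispatch this commit message describes (not Samba's code): `find_char_const`, `find_char`, `cut_at` and `offset_of` are hypothetical names, and the search is a plain byte scan rather than the multibyte-aware one.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the renamed implementation: takes and returns
 * const char *, so it never discards a qualifier internally. */
static const char *find_char_const(const char *s, char c)
{
	for (; *s != '\0'; s++) {
		if (*s == c) {
			return s;
		}
	}
	return (c == '\0') ? s : NULL;
}

/* C11 _Generic picks the result type from the argument type:
 * char * in gives char * out, const char * in gives const char * out.
 * The single cast lives here instead of at every call site. */
#define find_char(s, c) _Generic((s), \
	char *:       (char *)find_char_const((s), (c)), \
	const char *: find_char_const((s), (c)))

/* Compile-time proof that the qualifier is preserved in both directions. */
_Static_assert(_Generic(find_char((char *)0, 'x'), char *: 1, default: 0),
	       "char * in, char * out");
_Static_assert(_Generic(find_char((const char *)0, 'x'),
			const char *: 1, default: 0),
	       "const char * in, const char * out");

/* Mutable input: in-place truncation compiles without any cast. */
size_t cut_at(char *s, char c)
{
	char *p = find_char(s, c);

	if (p != NULL) {
		*p = '\0';
	}
	return strlen(s);
}

/* Const input: the result stays const, so writing through it would be
 * rejected by the compiler. Returns the offset of c, or -1. */
long offset_of(const char *s, char c)
{
	const char *p = find_char(s, c);

	return (p == NULL) ? -1 : (long)(p - s);
}

int main(void)
{
	char host[] = "printer01.example.test"; /* constructed sample */
	char *h = host;

	printf("%zu %ld\n", cut_at(h, '.'), offset_of("a/b/c", '/'));
	return 0;
}
```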
libcli:auth: fix BURN_DATA_SIZE on array-decayed pointer parameter
_encode_pwd_buffer_from_str() declares `buf` as uint8_t buf[N],
which decays to a pointer. BURN_DATA_SIZE(buf, N) expands to
memset_explicit(&buf, 0, N), taking the address of the pointer
variable (8 bytes) rather than the buffer itself, triggering a
GCC -Wstringop-overflow error.
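The array-decay pitfall from this commit message, as an added example (not Samba's code): `wipe()` is a hypothetical stand-in for memset_explicit(), `WIPE_OBJECT` mirrors the macro shape the message describes, and the 516-byte size is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PWD_BUF_LEN 516 /* constructed size for this example */

/* Stand-in for memset_explicit(): stores go through a volatile
 * pointer so the compiler cannot drop them as dead writes. */
static void wipe(void *p, size_t n)
{
	volatile uint8_t *v = p;

	while (n-- > 0) {
		*v++ = 0;
	}
}

/* Same shape as the macro in the message: takes the ADDRESS of its
 * argument, which is only right when the argument is a real array. */
#define WIPE_OBJECT(x, n) wipe(&(x), (n))

/* Array parameter: buf is really a uint8_t *, so &buf is the address of
 * that pointer variable on the callee's stack, not of the caller's
 * buffer. WIPE_OBJECT(buf, PWD_BUF_LEN) here would write 516 bytes over
 * an 8-byte object. Returns 0 because the two addresses differ. */
int param_addr_is_buffer(uint8_t buf[PWD_BUF_LEN])
{
	return (void *)&buf == (void *)buf;
}

/* Safe use of the macro: secret is an array object in this scope, so
 * &secret and secret name the same bytes. Returns the count of bytes
 * left non-zero after wiping. */
size_t burn_local(void)
{
	uint8_t secret[PWD_BUF_LEN];
	size_t i, nonzero = 0;

	memset(secret, 0xAA, sizeof(secret));
	WIPE_OBJECT(secret, sizeof(secret));
	for (i = 0; i < sizeof(secret); i++) {
		nonzero += (secret[i] != 0);
	}
	return nonzero;
}

/* Fixed form for an array parameter: pass the pointer itself. */
size_t burn_param(uint8_t buf[PWD_BUF_LEN])
{
	size_t i, nonzero = 0;

	wipe(buf, PWD_BUF_LEN);
	for (i = 0; i < PWD_BUF_LEN; i++) {
		nonzero += (buf[i] != 0);
	}
	return nonzero;
}

int main(void)
{
	uint8_t pw[PWD_BUF_LEN];

	memset(pw, 0x55, sizeof(pw));
	printf("param &buf == buf: %d, left after burn: %zu\n",
	       param_addr_is_buffer(pw), burn_param(pw));
	return 0;
}
```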
Gary Lockyer [Tue, 19 May 2026 22:18:43 +0000 (10:18 +1200)]
build: clang 23 enable unused-but-set-global
All the offending code has been fixed so re-enable the warning as an error.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu May 21 08:18:46 UTC 2026 on atb-devel-224
Gary Lockyer [Tue, 19 May 2026 22:16:14 +0000 (10:16 +1200)]
s3:torture:torture remove unread global got_alarm
Removed as it was declared and updated, but never read. This triggers the
clang 23 warning unused-but-set-global
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
Gary Lockyer [Tue, 19 May 2026 22:11:13 +0000 (10:11 +1200)]
lib:talloc:testsuite remove unread global test_abort_stop
Removed as it was declared and updated, but never read. This triggers the
clang 23 warning unused-but-set-global
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
Gary Lockyer [Tue, 19 May 2026 21:58:56 +0000 (09:58 +1200)]
s4:torture:raw:offline remove unread global num_connected
Removed as it was declared and updated, but never read. This triggers the
clang 23 warning unused-but-set-global
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
Gary Lockyer [Tue, 19 May 2026 21:26:15 +0000 (09:26 +1200)]
s4:torture:util_smb remove unread global procnum
Removed as it was declared and updated, but never read. This triggers the
clang 23 warning unused-but-set-global
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
Gary Lockyer [Tue, 19 May 2026 21:25:15 +0000 (09:25 +1200)]
s4:torture:util_smb fix trailing white space
Fix trailing white space issues
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
Gary Lockyer [Tue, 19 May 2026 21:19:09 +0000 (09:19 +1200)]
tdb:tools:tdbtool remove unread global total_bytes
Removed as it was declared and updated, but never read. This triggers the
clang 23 warning unused-but-set-global
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
Gary Lockyer [Tue, 19 May 2026 04:47:05 +0000 (16:47 +1200)]
build: Allow developer builds with clang 23
Disable the unused-but-set-global warning to allow samba to be compiled with
clang 23
Subsequent commits will fix the offending code.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
s3/smb_prometheus_endpoint: single function to export profile stats
Avoid duplicated defines: use 'export_profile_stats' to export both
global profile counters and per-share counters.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu May 21 06:41:46 UTC 2026 on atb-devel-224
Using multiple sections defines (both SMBPROFILE_STATS_ALL_SECTIONS
and SMBPROFILE_STATS_PERSVC_SECTIONS) creates maintenance burden with
no real benefit. Use only single definition with the penalty of emitting
all zeros on unused fields in the case of persvc profile.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
The function `smbprofile_persvc_unref` may be called by smb2_service.c
due to `on_err_call_profile_unref`. In such case, need to protect from
possible negative refcnt of persvc entry.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Set proper level value, within valid range [0,2], for MSG_PROFILELEVEL.
Fixes a bug in existing code where return 'level' may be in non-valid
values 3 or 7.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Anoop C S [Tue, 19 May 2026 10:47:56 +0000 (16:17 +0530)]
source4/librpc: Add NULL check in dcerpc_secondary_auth_connection()
When dcerpc_secondary_auth_connection_send() fails, it returns NULL.
The NULL pointer is passed to dcerpc_secondary_auth_connection_recv()
which dereferences it without checking, causing a NULL pointer
dereference.
Add NULL check before calling the recv function and return
NT_STATUS_NO_MEMORY.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu May 21 03:24:09 UTC 2026 on atb-devel-224
Anoop C S [Tue, 19 May 2026 10:43:40 +0000 (16:13 +0530)]
source4/dsdb: Fix NULL dereference in attribute_list_from_class()
When dsdb_class_by_lDAPDisplayName_ldb_val() returns NULL due
to a missing class in the schema, the result is passed to
attribute_list_from_class() without validation. The function
immediately dereferences sclass when calling dsdb_attribute_list(),
causing a NULL pointer dereference.
Add NULL check at the entry of attribute_list_from_class() and return
NULL for missing schema classes.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Anoop C S [Tue, 19 May 2026 10:38:02 +0000 (16:08 +0530)]
source4/dsdb: Fix NULL dereference in vlv_results()
When vlv_search_by_dn_guid() returns an error other than
LDB_SUCCESS, the result pointer remains uninitialized. The
subsequent condition uses OR logic that only guards result->count
when ret equals LDAP_NO_SUCH_OBJECT. For any other error code,
result remains NULL and is dereferenced, causing a NULL pointer
dereference.
Fix by reorganizing the if condition to ensure the dereferencing
statement only executes when LDB_SUCCESS is returned.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Anoop C S [Tue, 19 May 2026 10:31:55 +0000 (16:01 +0530)]
source4/dsdb: Fix NULL dereference in log_membership_changes()
When get_parsed_dns() fails due to OOM, it returns NULL. Without
checking for NULL before the comparison loop, old_val and new_val
are dereferenced causing a NULL pointer dereference.
Add explicit NULL guards after both get_parsed_dns() calls and return
early if either fails when the corresponding element has values.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Anoop C S [Wed, 13 May 2026 08:37:49 +0000 (14:07 +0530)]
source3/smbd: Fix NULL dereference in smbXsrv_open_cleanup_fn()
If smbXsrv_open_global_parse_record() fails, global remains NULL. The
do_delete path then attempts to dereference it, causing a crash. Add a
NULL check before accessing global->client_guid and global->create_guid.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Anoop C S [Tue, 19 May 2026 10:07:28 +0000 (15:37 +0530)]
source3/passdb: Fix NULL dereference in _lsa_LookupSids()
When lookup_sids() returns NT_STATUS_NONE_MAPPED but exits early without
populating the names array, the subsequent dereference of names causes a
NULL pointer dereference.
Return an appropriate error status that allows existing error handling
to catch this case before the NULL dereference occurs.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Anoop C S [Wed, 13 May 2026 08:20:40 +0000 (13:50 +0530)]
source3/passdb: Add NULL check in pdb_samba_dsdb_update_sam_account()
pdb_samba_dsdb_get_samu_private() can return NULL on memory allocation or
database query failures. Add an explicit NULL check to prevent dereference
and return an error status early.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Anoop C S [Wed, 13 May 2026 08:44:38 +0000 (14:14 +0530)]
vfs_fruit: Fix uninitialized variable in fruit_fstatat_meta()
The variable smb_relname is used uninitialized in fruit_fstatat_meta().
This appears to be a copy-paste error where _smb_relname (the function
parameter) should have been used instead.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Anoop C S [Wed, 13 May 2026 06:25:06 +0000 (11:55 +0530)]
source3/adouble: Assert fsp is not NULL in ad_fget()
The DBG_DEBUG() in ad_open() dereferences smb_fname, which can be NULL
when ad_fget() calls ad_get_internal(). Add an SMB_ASSERT() guard in
ad_fget() to catch this early.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Signed-off-by: Bjoern Jacke <bjacke@samba.org> Reviewed-by: Björn Baumbach <bb@sernet.de>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Tue May 12 11:19:12 UTC 2026 on atb-devel-224
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon May 11 21:24:02 UTC 2026 on atb-devel-224
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Bjoern Jacke <bjacke@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Sun May 10 23:22:27 UTC 2026 on atb-devel-224
s3:winbindd: ignore unsupported anonymous smb sessions for AD trusts
This handles the cases where a DC has
'Require NTLMv2 session security' activated which
disables anonymous NTLMSSP and lets the server return
NT_STATUS_NOT_SUPPORTED.
Similar problems happen with a Samba DC that
uses 'restrict anonymous = 2' and the
tcon to ipc$ fails with NT_STATUS_ACCESS_DENIED.
For active directory related trusts we only use
ncacn_ip_tcp (or ncalrpc), so there's no need for
a valid smb connection.
Historically it has been very hard to restructure the code
in order to only connect smb for ncacn_np, so
this is more a hack to let us work in real world
scenarios.
s3:winbind: fix response array leak on error paths
Free map_ids_out.ids unconditionally when it differs from
map_ids_in.ids, not only on success.
Signed-off-by: Shweta Sodani <ssodani@redhat.com> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sat May 9 11:51:32 UTC 2026 on atb-devel-224
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Avan Thakkar <athakkar@redhat.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed May 6 05:28:48 UTC 2026 on atb-devel-224
Shachar Sharon [Tue, 5 May 2026 10:04:22 +0000 (13:04 +0300)]
ctdb-server: Fix use-after-free bug
When 'rev_hdl->fde' is NULL due to failure in tevent_add_fd, bail out
with free-and-error in order to avoid pointer dereferencing 'rev_hdl'
after it is freed.
A failure to tevent_wakeup_recv(subreq) should trigger oom call on 'req'
(instead of on 'subreq', which has already been freed).
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Noel Power <npower@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sat May 2 14:51:58 UTC 2026 on atb-devel-224
libcli/dns: Add TCP parallel fallback after 1 second UDP timeout
Comes with refactoring: Add EDNS0 only to the UDP request, try TCP on
any UDP failure. This patch should probably be split up into several
micro-commits, but the code is very simply structured, so I'd propose
to put this in as is. For review, just look at the final code :-)
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr 29 17:40:38 UTC 2026 on atb-devel-224
Volker Lendecke [Tue, 31 Mar 2026 16:28:41 +0000 (18:28 +0200)]
libcli/dns: Simplify dns over tcp requests, save 39 lines :-)
tstream_readv_pdu_send() is overkill here, tstream_read_packet_send()
is sufficient. The only downside is that dns_tcp_request_recv() does
not return a talloc context on its own in reply anymore, but as the
reply is immediately ndr-parsed, we keep that around only a tiny
bit longer.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Ralph Boehme [Wed, 1 Apr 2026 09:58:03 +0000 (11:58 +0200)]
smbd: do S_ISDIR check even earlier
Doing this in open_file() is too late, as when the client requests an open with
SEC_FLAG_MAXIMUM_ALLOWED on a directory that has FILE_ATTRIBUTE_READ_ONLY set,
this will currently trigger an NT_STATUS_ACCESS_DENIED by the following code in
open_file_ntcreate() if the ACL grants write access to the user:
    if (((flags & O_ACCMODE) != O_RDONLY) && file_existed &&
        (!CAN_WRITE(conn) ||
         (existing_dos_attributes & FILE_ATTRIBUTE_READONLY))) {
            DEBUG(5,("open_file_ntcreate: write access requested for "
                     "file %s on read only %s\n",
                     smb_fname_str_dbg(smb_fname),
                     !CAN_WRITE(conn) ? "share" : "file" ));
            return NT_STATUS_ACCESS_DENIED;
    }
Fixes this bug, but should otherwise cause no change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 29 12:00:18 UTC 2026 on atb-devel-224
Ralph Boehme [Wed, 1 Apr 2026 12:04:40 +0000 (14:04 +0200)]
smbd: ignore FILE_ATTRIBUTE_READONLY for the "MxAC" create context
As much as I dislike adding a boolean parameter to control this behaviour, I
don't see a different clean way to do it.
Note that I'm not touching the case where the share is read-only, I just don't
want to open that additional can of worms now and instead focus on fixing the
FILE_ATTRIBUTE_READONLY case.
Ralph Boehme [Wed, 1 Apr 2026 10:28:55 +0000 (12:28 +0200)]
smbtorture: add test smb2.maximum_allowed.read_only_dir
Verifies that FILE_ATTRIBUTE_READONLY is effectively ignored on directories.
Passes against Windows, fails against Samba: Samba enforces read-only access in
fsp->access_mask and "MxAC" create context response for directories with
FILE_ATTRIBUTE_READONLY. This is wrong, Windows doesn't do this.
Note that MS-FSA doesn't quite have all these details right, the correct
behaviour was taken from a modern Windows server.
docs-xml: Improve documentation for 'winbind reconnect delay'
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 29 09:32:21 UTC 2026 on atb-devel-224
Martin Schwenke [Wed, 4 Feb 2026 03:53:54 +0000 (14:53 +1100)]
ctdb-server: Avoid removing connections for released IP
Commit c6602b686b4e50d93272667ef86d3904181fb1ab causes TCP connections
to be cleared whenever an associated client goes away. This shouldn't
happen when the associated public IP is being released, since the
takeover node will need the connection details to send tickle ACKs.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 29 02:58:12 UTC 2026 on atb-devel-224
s3:winbindd: let wb_irpc_SamLogon reject the local domain as RWDC
If the clients use a subdomain of our domain the
'sam' auth backend passed the request along to
the 'winbind' auth backend. If winbindd tries
to use the local domain we hit the case that
an unknown domain was used. So we need to
bounce the request back to 'sam_ignoredomain'.
s3:loadparm: return NULL upon memalloc failure in lp_idmap_backend
Return NULL instead of valid-but-misleading cast from 'false' to
pointer.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Noel Power <npower@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Apr 23 20:53:10 UTC 2026 on atb-devel-224
s4:torture: Retry DsExecuteKCC on NT_STATUS_DS_BUSY
The KCC service runs a periodic samba_kcc child process (every 300s,
first at 15s after startup) with a 40 second timeout. If a test calls
DsExecuteKCC while the periodic child is running, kccsrv returns
NT_STATUS_DS_BUSY which propagates as EPT_NT_CANT_PERFORM_OP to the
client, causing flaky test failures.
UNEXPECTED(error): samba4.drs.samba_tool_drs_showrepl.python(schema_pair_dc).samba_tool_drs_showrepl.SambaToolDrsShowReplTests.test_samba_tool_showrepl(schema_pair_dc:local)
REASON: Exception: Exception: Traceback (most recent call last):
File "/builds/samba-testbase/samba-def-build/source4/torture/drs/python/samba_tool_drs_showrepl.py", line 57, in test_samba_tool_showrepl
kcc_out = self.check_output("samba-tool drs kcc %s %s" % (self.dc1,
File "/builds/samba-testbase/samba-def-build/bin/python/samba/tests/__init__.py", line 593, in check_output
raise BlackboxProcessError(retcode, line, stdoutdata, stderrdata)
samba.tests.BlackboxProcessError: Command 'python3 bin/samba-tool drs kcc liveupgrade1dc -USCHEMADOMAIN/Administrator%locDCpass1'; shell True; exit status 255;
stdout: ''; stderr: 'ERROR(runtime): DsExecuteKCC failed - (3221356597, 'The operation cannot be performed.')
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 23 07:55:04 UTC 2026 on atb-devel-224
s3:tests: Improve debugging for test_wbinfo_lookuprids_cache.sh
Note that if this test fails, it is likely something else creating keys.
The last time it was a crashing smbd which left a key in the database
and this test failed as a result.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Apr 22 16:35:58 UTC 2026 on atb-devel-224
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 22 14:19:03 UTC 2026 on atb-devel-224
vfs_ceph_release_fh() was called explicitly then again via the FSP
extension destructor triggered by vfs_ceph_remove_fh(). Drop the
explicit call and let the destructor handle cleanup.
Signed-off-by: Shweta Sodani <ssodani@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Apr 21 22:18:42 UTC 2026 on atb-devel-224
vfs_ceph_new: fix return type mismatch in disk_free
-ENOMEM cast to uint64_t is not the error sentinel UINT64_MAX and
leaves errno unset. Set errno and return UINT64_MAX instead.
Also use UINT64_MAX instead of (uint64_t)-1 in all error paths.
Signed-off-by: Shweta Sodani <ssodani@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
The functions 'brl_lock_windows_default' and 'brl_lock_posix' use
explicit 'errno_ret' value to avoid possible errno overwrite. Use in
failure case.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Shwetha Acharya <Shwetha.K.Acharya@ibm.com> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Apr 21 02:05:57 UTC 2026 on atb-devel-224