John Mulligan [Fri, 29 Aug 2025 15:38:34 +0000 (11:38 -0400)]
manpages/vfs_ceph_new: document fscrypt and keybridge options
Document the option used to enable fscrypt-style subvolume encryption
on cephfs. Document the options used to get key material for fscrypt
using the varlink-based keybridge local RPC protocol.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Gunther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Jan 20 06:52:32 UTC 2026 on atb-devel-224
John Mulligan [Wed, 6 Aug 2025 17:32:50 +0000 (13:32 -0400)]
vfs_ceph_new: add keybridge and ceph fscrypt support
Add support for CephFS's new fscrypt feature. Fetch the key material
using the new keybridge varlink local RPC API.
Adds the following configuration parameters for the vfs_ceph_new module:
```
ceph_new:keybridge socket = unix:/run/keybridge.sock
ceph_new:keybridge scope = mem
ceph_new:keybridge name = test
ceph_new:keybridge kind = B64
ceph_new:fscrypt = keybridge
```
Where the various keybridge parameters configure what keybridge server
to use and what key to fetch. The `ceph_new:fscrypt` parameter defaults to
'disabled' and can be set to 'keybridge'. An enum is used here in case
we ever need to support something other than keybridge in the future.
Pair-Programmed-With: Shachar Sharon <ssharon@redhat.com>
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Gunther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
John Mulligan [Thu, 5 Jun 2025 20:47:10 +0000 (16:47 -0400)]
vfs: add files to access the varlink keybridge API
Add a pair of helper files that will allow vfs modules to make use of
the keybridge - a varlink API and server that is defined by the sambacc
project. The keybridge server exists to act as a proxy between smbd and
various possible "secrets management" backends. Currently, the sambacc
keybridge server implements a "mem" backend, for testing only, and a
KMIP backend.
Using a local RPC protocol like varlink + keybridge allows the smbd
side to be very simple and only know how to talk the keybridge API,
versus having to teach it about various other APIs that may need to
make use of things like mTLS.
Furthermore, samba already has a (currently optional) dependency on
libvarlink, so adding another use of varlink seems like a fairly
minimal change to samba's set of dependencies. This feature will
not be built if libvarlink is not enabled. The plan is to add this
to vfs_ceph_new in a future patch.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Gunther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Shachar Sharon [Sun, 18 Jan 2026 10:24:27 +0000 (12:24 +0200)]
WHATSNEW: update with vfs_aio_ratelimit details
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Gunther Deschner <gd@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Jan 19 14:25:41 UTC 2026 on atb-devel-224
SUMMARY: ThreadSanitizer: data race ../../lib/pthreadpool/pthreadpool_tevent.c:405 in pthreadpool_tevent_job_done
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15958
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 18 15:16:59 UTC 2026 on atb-devel-224
Noel Power [Wed, 26 Nov 2025 09:46:23 +0000 (09:46 +0000)]
Add basic cmocka unit tests for pthreadpool
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15958
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Noel Power <noel.power@suse.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Shachar Sharon [Thu, 14 Aug 2025 14:01:16 +0000 (17:01 +0300)]
docs-xml/manpages: doc for 'vfs_aio_ratelimit' module
Documentation for newly introduced async-I/O rate-limiting module.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Avan Thakkar <athakkar@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Gunther Deschner <gd@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sun Jan 18 07:23:19 UTC 2026 on atb-devel-224
Shachar Sharon [Sun, 10 Aug 2025 08:42:42 +0000 (11:42 +0300)]
vfs_aio_ratelimit: rate-limiting module for async I/O
A new stackable module to allow rate-limiting functionality for async
I/O operations. When the number of IOPS or bytes-per-sec overflows a
user-defined threshold, inject a delay before allowing an operation to
complete, yielding an implicit throughput ceiling. Uses a token-based
algorithm to calculate the actual delay.
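A token-bucket delay calculation of the kind the commit describes, as an added example that is not vfs_aio_ratelimit's own code: one bucket counts operations (IOPS) and one counts bytes, each request drains both, and a request that overdraws a bucket is told how long to delay its completion so the long-run rate stays under the ceiling. The burst size (one second's worth of tokens), the decision to allow debt rather than refuse oversized requests, the microsecond clock passed in by the caller, and the simulate() workload are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative token-bucket limiter for async I/O (added example, not the
 * vfs_aio_ratelimit module's own code). Time is passed in by the caller in
 * microseconds so the arithmetic is deterministic and testable.
 */
struct bucket {
	double rate;        /* tokens refilled per second; 0 means unlimited */
	double burst;       /* maximum tokens held (one second's worth here) */
	double tokens;      /* available tokens; negative means debt */
	uint64_t last_us;   /* timestamp of the last refill */
};

static void bucket_init(struct bucket *b, double rate, uint64_t now_us)
{
	b->rate = rate;
	b->burst = rate;      /* assumption: burst = one second of budget */
	b->tokens = rate;
	b->last_us = now_us;
}

/* Credit tokens for the time elapsed since the last refill, capped at burst. */
static void bucket_refill(struct bucket *b, uint64_t now_us)
{
	if (now_us > b->last_us) {
		double elapsed = (double)(now_us - b->last_us) / 1e6;
		b->tokens += elapsed * b->rate;
		if (b->tokens > b->burst) {
			b->tokens = b->burst;
		}
		b->last_us = now_us;
	}
}

/*
 * Charge 'cost' tokens and return the delay (microseconds) to inject before
 * the operation may complete; 0 when within budget. Debt is allowed, so an
 * oversized request is delayed rather than refused.
 */
static uint64_t bucket_take(struct bucket *b, double cost, uint64_t now_us)
{
	if (b->rate <= 0) {
		return 0;     /* unlimited */
	}
	bucket_refill(b, now_us);
	b->tokens -= cost;
	if (b->tokens >= 0) {
		return 0;
	}
	return (uint64_t)((-b->tokens / b->rate) * 1e6 + 0.5);
}

struct ratelimit {
	struct bucket ops;
	struct bucket bytes;
};

static void ratelimit_init(struct ratelimit *rl, double iops,
			   double bytes_per_sec, uint64_t now_us)
{
	bucket_init(&rl->ops, iops, now_us);
	bucket_init(&rl->bytes, bytes_per_sec, now_us);
}

/* Delay for one I/O of nbytes: both ceilings apply, so take the larger. */
static uint64_t ratelimit_delay_us(struct ratelimit *rl, size_t nbytes,
				   uint64_t now_us)
{
	uint64_t d_ops = bucket_take(&rl->ops, 1.0, now_us);
	uint64_t d_bytes = bucket_take(&rl->bytes, (double)nbytes, now_us);
	return d_ops > d_bytes ? d_ops : d_bytes;
}

/*
 * Constructed workload: n requests of nbytes each, spaced interval_us apart
 * (0 = all at the same instant). Returns the total delay injected.
 */
static uint64_t simulate(double iops, double bytes_per_sec, unsigned n,
			 size_t nbytes, uint64_t interval_us)
{
	struct ratelimit rl;
	uint64_t total = 0;
	unsigned i;

	ratelimit_init(&rl, iops, bytes_per_sec, 0);
	for (i = 0; i < n; i++) {
		total += ratelimit_delay_us(&rl, nbytes,
					    (uint64_t)i * interval_us);
	}
	return total;
}

int main(void)
{
	printf("100 IOPS, 100 writes at once: %llu us delay\n",
	       (unsigned long long)simulate(100, 0, 100, 4096, 0));
	printf("100 IOPS, 101 writes at once: %llu us delay\n",
	       (unsigned long long)simulate(100, 0, 101, 4096, 0));
	printf("1 MiB/s, two 1 MiB writes at once: %llu us delay\n",
	       (unsigned long long)simulate(0, 1048576, 2, 1048576, 0));
	return 0;
}
```

The point to notice is that the limiter never rejects: a burst of exactly one second's budget passes with no delay, the next request is pushed out by one token's worth of time, and a stream arriving at exactly the configured rate is never delayed at all, which is the implicit ceiling the commit message describes.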
In order to generate constant load for profiles
--option="torture:looplimit=150000" can be used to stop
after the given number of loops before the timelimit hits.
Sometimes the bottleneck is the smbtorture process.
In order to bring the smbd process to 100% cpu, you can use
'--option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4"'
and run multiple instances of the test at the same time,
which both talk to the same smbd process.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jan 16 16:50:46 UTC 2026 on atb-devel-224
s4:torture/smb2: fix using uninitialized memory in test_lease_dynamic_share()
We basically left the Channel value of the SMB2 write with a high chance
of being non-zero, which means the server should reject the request
as RDMA offload is not used.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Jan 15 09:18:21 UTC 2026 on atb-devel-224
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Anoop C S <anoopcs@samba.org>
This just uses valid hex values and doesn't rely on special positions.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Jan 15 08:01:36 UTC 2026 on atb-devel-224
Gary Lockyer [Tue, 23 Dec 2025 00:37:19 +0000 (13:37 +1300)]
Update WHATSNEW with kerberos changes
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jan 15 02:50:59 UTC 2026 on atb-devel-224
Douglas Bagnall [Wed, 17 Dec 2025 02:17:23 +0000 (15:17 +1300)]
s4:test: fix kdc-canon-heimdal tests for 'require canonicalization'
The combination of the server 'require canonicalization' option with a
lack of a 'canonicalize' flag from the client will result in AS_REPs
with PRINCIPAL UNKNOWN.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Douglas Bagnall [Wed, 26 Nov 2025 22:12:21 +0000 (11:12 +1300)]
kdc: match implicit dollar without canon affects AS_REQ client only
The smb.conf option
kdc name match implicit dollar without canonicalization = no
is supposed to avoid the dollar ticket attack by refusing to consider
"foo$" as a match for "foo" unless canonicalization is requested.
This was rather blunt however, as the only time we care about this is for
the client name in an AS_REQ, and we can easily check whether that is the
case.
This makes the option less intrusive, allowing the use of "SERVER" for a
server name rather than "SERVER$". A number of tests no longer fail.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
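The matching rule the commit describes, written out as an added example that is not Samba's KDC code: a database entry "foo$" is allowed to match a requested "foo" (the implicit dollar) in every case except the one the option exists for, namely the client name of an AS_REQ when the client did not ask for canonicalization and the option is set to "no". The enum of name roles, the byte-exact string comparison (real Kerberos name comparison has its own case rules), and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Samba's KDC code. Encodes the policy described in
 * the commit message: refusing "foo$" as a match for "foo" without
 * canonicalization only matters for the AS_REQ client name, so the
 * refusal is limited to that case.
 */
enum name_role {
	NAME_AS_REQ_CLIENT,   /* cname of an AS_REQ: the dollar-ticket case */
	NAME_OTHER            /* sname, or a name in a TGS_REQ */
};

/* true when stored is exactly requested followed by one trailing '$' */
static bool is_implicit_dollar(const char *requested, const char *stored)
{
	size_t rlen = strlen(requested);
	size_t slen = strlen(stored);

	return slen == rlen + 1 &&
	       stored[rlen] == '$' &&
	       memcmp(requested, stored, rlen) == 0;
}

/*
 * allow_implicit_dollar_without_canon mirrors the smb.conf option
 * "kdc name match implicit dollar without canonicalization" (true = yes).
 * Comparison is byte-exact here; this is an assumption for the example.
 */
static bool name_matches(const char *requested, const char *stored,
			 bool canonicalize, enum name_role role,
			 bool allow_implicit_dollar_without_canon)
{
	if (strcmp(requested, stored) == 0) {
		return true;            /* an exact match always succeeds */
	}
	if (!is_implicit_dollar(requested, stored)) {
		return false;           /* unrelated names never match */
	}
	if (canonicalize) {
		return true;            /* client asked to learn the real name */
	}
	if (role != NAME_AS_REQ_CLIENT) {
		return true;            /* e.g. "SERVER" as sname for "SERVER$" */
	}
	/* AS_REQ client name, no canonicalization: only if the option says so */
	return allow_implicit_dollar_without_canon;
}

int main(void)
{
	printf("AS_REQ cname foo vs foo$, no canon, option=no: %d\n",
	       name_matches("foo", "foo$", false, NAME_AS_REQ_CLIENT, false));
	printf("AS_REQ cname foo vs foo$, canon,    option=no: %d\n",
	       name_matches("foo", "foo$", true, NAME_AS_REQ_CLIENT, false));
	printf("sname SERVER vs SERVER$, no canon,  option=no: %d\n",
	       name_matches("SERVER", "SERVER$", false, NAME_OTHER, false));
	return 0;
}
```

With the option set to "no", only the first case is refused; server names without the trailing dollar keep working, which is the narrowing the commit describes.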
Douglas Bagnall [Thu, 4 Dec 2025 22:09:26 +0000 (11:09 +1300)]
selftest: we no longer use 'testscenarios' or 'subunit.tests.testsuite'
If 'python3-testscenarios' is installed, the test is bound to fail,
like this:
```
$ make test TESTS=subunit
[...]
[1(0)/2 at 0s] subunit.tests.test_suite
subunit.tests.test_suite.unittest.loader._FailedTest.subunit(none)
REASON: Exception: Exception: ImportError: Failed to import test module: subunit
Traceback (most recent call last):
  File "/usr/lib/python3.12/unittest/loader.py", line 137, in loadTestsFromName
    module = __import__(module_name)
             ^^^^^^^^^^^^^^^^^^^^^^^
ModuleNotFoundError: No module named 'subunit'
```
I am not certain when "subunit.tests.test_suite" would have
successfully resolved.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Jennifer Sutton [Wed, 7 Jan 2026 01:56:33 +0000 (14:56 +1300)]
auth:kerberos: Do not fail if PAC account name doesn’t match ticket principal name
Andrew Bartlett says:
“These days, we can trust that the PAC has been validated by the library, and I
think also that nobody could have put in a false PAC anyway (the KDC should stop
clients setting pre-auth data of that type), so the validation step that fails
isn't doing as much as it did 20 years ago. So I think we could simply patch
[this] check to accept the canonical name and know that we just are working with
that option [‘krb5 acceptor report canonical client name’] having been set.”
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Jennifer Sutton [Mon, 5 Jan 2026 22:44:13 +0000 (11:44 +1300)]
s4:torture:auth: Fix PAC checksum test
This test was supposed to corrupt the KDC signature and ensure that PAC
verification failed, but it corrupted a harmless padding byte instead. However,
PAC verification still failed as expected because the principal remained
corrupted from the previous test.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Wed, 24 Sep 2025 23:45:30 +0000 (11:45 +1200)]
ldb: add "policy hints" controls to be used by password_hash module
These won't have any effect yet, but soon they will allow a privileged
account to perform a password reset that respects constraints on
password history, age, and length, as if the reset was an ordinary
password change (that is, where the user provides the old password).
A normal user can't reset their own password using this. If the
organisation is using a remote service (e.g. Entra ID or Keycloak) to
manage passwords, that service can use a policy hints control to
ensure it follows AD password policy.
Entra ID Self Service Password Reset (SSPR) uses the deprecated OID.
Douglas Bagnall [Wed, 8 Oct 2025 20:44:48 +0000 (09:44 +1300)]
s3:vfs_ceph_new: use #ifdef, not #if HAVE_CEPH_ASYNCIO
This is one of our half-bit flags; there is no way it can be defined
to zero. '#if' works because unknown identifiers are considered to be
zero, but it isn't how we do things.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
The name and results are confusing. Rename the function and use a bool so that it
is easier to understand.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 13 17:00:06 UTC 2026 on atb-devel-224
Gary Lockyer [Tue, 6 Jan 2026 21:23:33 +0000 (10:23 +1300)]
s3:winbindd fix race condition in terminate_child
Fixes:
```
winbindd[306061]: Bad talloc magic value - unknown value
winbindd[306061]: =========================================================
winbindd[306061]: INTERNAL ERROR: Bad talloc magic value - unknown value in
winbindd () () pid
```
There is a race condition in source3/winbindd/winbindd_util.c::terminate_child
between the child socket closing and the destructor de-registering the
child socket from epoll.
If the socket closes before it is de-registered from epoll, the event
is added to the epoll rdllink and will be retrieved when epoll_wait
is next called. However monitor_fde has been deallocated and we get the
observed failure.
Moving the TALLOC_FREE before the kill ensures that the child socket has been
de-registered from epoll before it closes.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 13 14:50:20 UTC 2026 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Jan 13 12:34:02 UTC 2026 on atb-devel-224