Gary Lockyer [Wed, 18 Feb 2026 23:18:38 +0000 (12:18 +1300)]
s4:kdc:db-glue altSecurityIdentities DN and serial reversed
When altSecurityIdentities is set by RSAT / ADUC they store the
Issuer and Subject DN in last to first order i.e.
CN=Common Name, O=Organization, C=Country
Need to reverse that to first to last order, i.e.
C=Country, O=Organization, CN=Common name
Which is how they're stored on the X509 certificates.
Also the serial number is stored in reverse order.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 23 12:37:28 UTC 2026 on atb-devel-224
Martin Schwenke [Mon, 23 Feb 2026 03:42:17 +0000 (14:42 +1100)]
ctdb-tools: Fix CID 1681637 - Drop unnecessary if-statements
The first was found by Coverity:
>>> CID 1681637: Incorrect expression (IDENTICAL_BRANCHES)
>>> The same code is executed when the condition "ret != 0" is
true or false, because the code in the if-then branch and
after the if statement is identical. Should the if statement
be removed?
The second and third are also obvious.
Sorry, missed these in review.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Signed-off-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Feb 23 08:43:29 UTC 2026 on atb-devel-224
docs: smbget: Fix typos and misleading options in manpage
This patch corrects several issues in the smbget documentation:
- Removed duplicate '-O' from the synopsis (it conflicted with socket
options).
- Clarified that '-o' conflicts with '--recursive', not '-R' (which is
name resolve order).
- Fixed malformed example syntax (changed '-resume' to '--resume').
- Fixed spelling typo of 'recursive' in the BUGS section.
RN: Fixed misleading documentation for smbget options (-O vs --stdout)
and corrected typos.
Signed-off-by: Hugo Chia <hugochiaxyz.nus@gmail.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sun Feb 22 06:10:46 UTC 2026 on atb-devel-224
Ralph Boehme [Mon, 26 Jan 2026 14:59:44 +0000 (15:59 +0100)]
s3/passdb: add parameter to control handling of wellknown SIDs in pdb_tdb
With "tdbsam:map wellknown", one can control if pdb_tdb should be used
to map entries of wellknown SIDs or not. By default, they will not be
mapped, as in previous releases.
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Feb 20 08:37:17 UTC 2026 on atb-devel-224
John Mulligan [Mon, 9 Feb 2026 18:02:01 +0000 (13:02 -0500)]
ctdb-doc: add section to manpage for -j/--json option
Signed-off-by: John Mulligan <jmulligan@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Feb 20 01:50:20 UTC 2026 on atb-devel-224
Shachar Sharon [Sun, 8 Feb 2026 11:15:02 +0000 (13:15 +0200)]
ctdb-tools: add --json support to 'version' sub-command
When building ctdb with json-outpuit support, enable json output when
running 'ctdb version --json'. This may be used as indication to json
support in other sub-commands.
Pair-Programmed-With: John Mulligan <jmulligan@redhat.com> Signed-off-by: Shachar Sharon <ssharon@redhat.com> Signed-off-by: John Mulligan <jmulligan@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
John Mulligan [Thu, 12 Feb 2026 22:47:58 +0000 (17:47 -0500)]
ctdb-tools: add a --json option for ctdb status
Add a new --json option that prints JSON as a higher-level machine
parse-able output. The --json option is only supported if the
jansson library is available.
The --json option will ONLY print json. If the subcommand does not
(yet) support json it will raise an error rather than fall back to
emitting human readable text. This way a json parser is never given
"invalid" input.
Pair-Programmed-With: Shachar Sharon <ssharon@redhat.com> Signed-off-by: Shachar Sharon <ssharon@redhat.com> Signed-off-by: John Mulligan <jmulligan@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
John Mulligan [Tue, 10 Feb 2026 18:55:11 +0000 (13:55 -0500)]
ctdb-tools: reformat ctdb.c with clang-format
This is the result of running:
clang-format -i ctdb/tools/ctdb.c
This is in preparation for some upcoming changes that add fields to the
struct tables and general recommendations to use `clang-format` and/or
`git clang-format` to keep samba code formatted consistently.
Signed-off-by: John Mulligan <jmulligan@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Signed-off-by: Peter Schwenke <pschwenke@ddn.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Feb 18 12:29:16 UTC 2026 on atb-devel-224
Peter Schwenke [Tue, 29 Apr 2025 06:33:45 +0000 (16:33 +1000)]
ctdb-scripts: Only send notifies for newly taken IPs
We no longer delete shared state (and send notifies) for
IPs previously held by the current node. The NFS lock manager
won't have released locks for these IPs, so won't generate
SM_MON on reclaim attempts. Therefore, there will be
no add-client to put them back.
We now record newly taken IP addresses in takeip,
and only send notifies for those during
ipreallocated. The extra notifies were also confusing
statd.
Update existing tests to always simulate taking all of a node's IPs.
This causes no output changes.
Test updates confirm the subtleties of the statd_callout_helper
behaviour change. These pretend to only take a single IP, so
SM_NOTIFY must not be sent for other IPs. Shared state should
remain for these other files.
Martin Schwenke [Thu, 15 May 2025 05:20:25 +0000 (15:20 +1000)]
ctdb-tests: Update statd-callout unit test infrastructure
Don't cheat. Keep some state about what is happening, similar to what
statd_callout and statd_callout_helper are expected to keep. This
means hinting arguments to check_shared_storage_statd_state() and
check_statd_callout_smnotify() can be dropped.
Anoop C S [Tue, 17 Feb 2026 16:21:35 +0000 (21:51 +0530)]
vfs_ceph_new: Reduce a level of indirection for SMB_VFS_FSTATVFS
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Feb 18 11:12:23 UTC 2026 on atb-devel-224
Jennifer Sutton [Wed, 4 Feb 2026 00:51:38 +0000 (13:51 +1300)]
CVE-2026-20833: WHATSNEW: Document new default for ‘kdc default domain supported enctypes’
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Feb 18 01:52:23 UTC 2026 on atb-devel-224
cli_credentials_get_keytab() uses the sAMAccountName to calculate the salt via
cli_credentials_get_salt_principal(). Changing the sAMAccountName means that
cli_credentials_get_keytab() will generate AES Kerberos keys using the wrong
salt, and gensec authentication will fail.
Douglas Bagnall [Mon, 2 Feb 2026 21:24:14 +0000 (10:24 +1300)]
build: allow `./configure _foo=x` to work like FOO=x
OpenWRT passes arguments like '_python_sysroot=x' after the './configure',
which it expects to work as if the occurred before the './configure'
-- that is, setting environment variables (let's assume its build
system is necessarily complex due to all the cross-compiles).
This used to work (or at least not cause a failure return code) until
the upgrade to waf 2.1.5 or 2.1.6 in mid-2025, when waf started using
the argparse parser.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Feb 18 00:00:30 UTC 2026 on atb-devel-224
Noel Power [Mon, 19 Jan 2026 16:18:02 +0000 (16:18 +0000)]
s3/libsmb: block anon authentication fallback is use-kerberos = desired
When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED
libsmbclient method SMBC_server_internal will still try to fallback to
anon NTLM. This patch prevents that.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224
Noel Power [Mon, 19 Jan 2026 16:10:10 +0000 (16:10 +0000)]
s3/libsmb: cli_session_creds_init fails when kerberos is desired
There is a regression with code using cli_session_creds_init when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
Authentication succeeds when boolean fallback_after_kerberos is false
and fails when true.
There doesn't seem to be a good reason why the value of
fallback_after_kerberos should initialise the krb5 ccache or not.
It would seems that krb5 cache should be setup for creds
for *any* kerberos auth (whether fallback is enabled or not)
Partial patch from <will69@gmx.de> (see bug referenced below)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org>
gensec_kerberos_possible() will always fail when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
It seems since use kerberos == desired is the default that it isn't
necessary to see if credentials were modified to indicated authentication
was requested. gensec_kerberos_possible() should afaics return true
if kerberos is desired OR required (regardless of whether credentials
were requested)
This commit removes the knownfail associated with this bug.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 Signed-off-by: <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org>
Anoop C S [Sun, 15 Feb 2026 04:27:18 +0000 (09:57 +0530)]
vfs_ceph: Handle absolute paths with dirfd = ‑1 in openat
ceph_openat() does not follow the convention of ignoring 'dirfd' when
the pathname is absolute, resulting in EBADF. As a temporary workaround,
handle this special case in cephwrap_openat() by calling ceph_open()
directly instead of ceph_openat().
Signed-off-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com> Reviewed-by: Shwetha K Acharya <Shwetha.K.Acharya@ibm.com> Reviewed-by: Xavi Hernandez <xhernandez@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Feb 16 17:27:03 UTC 2026 on atb-devel-224
s3:utils: Fix misleading recursive flag in smbget error message
The error message in smbget incorrectly instructs users to use "-R" for
recursive downloads.
In recent Samba versions, the "-R" flag was repurposed for
"--name-resolve" to align with other tools. The correct flag for
recursion is now "--recursive". This mismatch causes confusion as using
"-R" triggers a parameter parsing error rather than enabling recursion.
This patch updates the error string to correctly suggest "--recursive"
instead of "-R".
RN: smbget: Fix error message suggesting wrong flag for recursion.
Signed-off-by: Hugo Chia hugochiaxyz.nus@gmail.com Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Feb 16 15:37:04 UTC 2026 on atb-devel-224
Volker Lendecke [Mon, 9 Feb 2026 12:10:07 +0000 (13:10 +0100)]
vfs: Simplify xattr_tdb_getxattrat_send()
Avoid calls to SMB_VFS_CHDIR and SMB_VFS_GETWD by using
openat_pathref_fsp()
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sun Feb 15 11:45:52 UTC 2026 on atb-devel-224
Volker Lendecke [Fri, 23 Jan 2026 18:08:16 +0000 (19:08 +0100)]
lib: Remove sys_fsusage()
"man statfs" on Linux says "Unless you need the f_type field, you
should use the standard statvfs(3) interface instead.". We don't need
f_type to get disk usage :-)
We lose some of the older compatibility layers. Should these ever be
needed again, we should add them to lib/util/statvfs.c an the single
interface to retrieve file system usage info.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Volker Lendecke [Tue, 27 Jan 2026 17:15:53 +0000 (18:15 +0100)]
vfs: Change SMB_VFS_DISK_FREE to take a fsp
The modules that change the pathname need a synthetic_pathref now for
the SMB_VFS_NEXT_DISK_FREE() call. I think this is the right thing to
do anyway, as this goes through all the path scrutiny and does not
depend on direct multi-component paths anymore.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Volker Lendecke [Tue, 3 Feb 2026 13:35:20 +0000 (14:35 +0100)]
third_party: init vars for -Og on debian testing
When building on debian testing with -Og, gcc complains about these
two uninitialized variables. Not sure how to deal with those, I'm
happy to re-fix if a new upstream patch overwrites them.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Noel Power [Tue, 27 Jan 2026 11:50:38 +0000 (11:50 +0000)]
lib/pthreadpool: Add some pthreadpool_pipe unit tests
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Feb 13 11:22:34 UTC 2026 on atb-devel-224
Michael Adam [Mon, 9 Feb 2026 17:17:13 +0000 (18:17 +0100)]
bootstrap: fix bootstrap in opensuse container
bootstrap.sh was failing in an opensuse container due to a conflict
of which with the pre-installed busybox-which package.
forcing resolution with zypper fixes the bootstrapping.
Thanks to Andreas Scheider for the hint!
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Feb 11 10:30:26 UTC 2026 on atb-devel-224
Martin Schwenke [Sun, 8 Feb 2026 23:03:04 +0000 (10:03 +1100)]
ctdb-daemon: Hex encode key before logging
This currently causes binary data to be logged.
Instead, conditionally hex encode the key in a similar style to the
way it is done in dbwrap_ctdb.c:fetch_locked_internal(). In this
case, the key is truncated if the debug level is less than 10.`
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 9 12:21:08 UTC 2026 on atb-devel-224
Martin Schwenke [Sun, 22 Sep 2024 06:37:50 +0000 (16:37 +1000)]
util: Avoid signed/unsigned integer comparisons
../../../lib/util/sys_rw.c: In function ‘sys_pread_full’:
../../../lib/util/sys_rw.c:219:25: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘size_t’ {aka ‘long unsigned int’} [-Wsign-compare]
219 | if (ret > curr_count) {
| ^
../../../lib/util/sys_rw.c: In function ‘sys_pwrite_full’:
../../../lib/util/sys_rw.c:282:25: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘size_t’ {aka ‘long unsigned int’} [-Wsign-compare]
282 | if (ret > curr_count) {
| ^
../../../lib/util/sys_rw.c: In function ‘sys_write_full’:
../../../lib/util/sys_rw.c:321:25: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘size_t’ {aka ‘long unsigned int’} [-Wsign-compare]
321 | if (ret > curr_count) {
| ^
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Feb 5 21:11:13 UTC 2026 on atb-devel-224
s3:utils: 'net ads kerberos kinit' should use also default ccache name from krb5.conf
This is re-introducing the behavior from samba-4.20 where both these
commands operated on the same ccache (default_ccache_name in
[libdefaults] section of krb5.conf)
'net ads kerberos kinit -P'
'klist'
With samba-4.21 it no longer works, 'net ads kerberos kinit -P'
fallbacks to 'MEMORY:net' (which is of a very limited use, ticket
cannot be used by other process) and klist finds no ticket.
'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials.
Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name()
because of commit: 1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Noel Power [Thu, 29 Jan 2026 15:12:52 +0000 (15:12 +0000)]
s3/printing: Fix leaking parsed options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Jan 30 11:09:44 UTC 2026 on atb-devel-224
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jan 29 00:33:43 UTC 2026 on atb-devel-224
projects / thirdparty / samba.git / log
