This avoids mixing malloc and talloc allocation patterns and
aligns the code with Samba's memory management conventions.
Signed-off-by: Shwetha Acharya <Shwetha.K.Acharya@ibm.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Sat Apr 18 20:58:22 UTC 2026 on atb-devel-224
Martin Schwenke [Thu, 9 Apr 2026 07:52:20 +0000 (17:52 +1000)]
ctdb-scripts: Support interface altnames
This avoids generating a warning like:
WARNING: Public IP <ip> hosted on interface <iface> but VNN says <altname>
every time a public IP is removed from an interface that is configured
via an altname.
The new check will nearly always be successful because the IP will be
on the expected interface during releaseip/updateip.
The original check is now used as a backup when the IP is not on the
expected interface. To allow the mask bits check to cover both cases,
the original check and the associated interface check need to be
inside the else clause.
Update the unit test to reflect the change.
Best reviewed with "git show -w" or similar.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Apr 17 00:11:50 UTC 2026 on atb-devel-224
Martin Schwenke [Fri, 10 Apr 2026 01:22:19 +0000 (11:22 +1000)]
ctdb-scripts: Add an extra variable to help reviewers
Using $_bcast to determine if the address is an IPv6 one is lazy. It
causes anyone reading the code (including the original author) to have
to go back and confirm that the condition makes sense.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Martin Schwenke [Thu, 9 Apr 2026 02:15:33 +0000 (12:15 +1000)]
ctdb-scripts: Only warn when removing an unassigned public IP
get_iface_ip_maskbits() now sets iface="" when the IP is unassigned,
allowing dependent code to be conditional.
Currently, ctdb_takeover.c:ctdb_control_release_ip() ensures no
releaseip event is triggered if the public address is not on the node.
So, no change of behaviour for releaseip.
The previous attempt at making updateip behave more like takeip when
the IP isn't currently assigned caused commands with missing mask bits
to be run. Avoid this.
Best reviewed with "git show -w" or similar.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Martin Schwenke [Thu, 9 Apr 2026 12:02:24 +0000 (22:02 +1000)]
ctdb-scripts: Simplify by taking advantage of early return/exit
Negate the condition in the if-statement so the current else part goes
first. It always returns or exits, so the remainder (current if part)
can just follow.
This makes a subsequent change easier to understand.
Probably best reviewed with "git show -w" or similar.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Martin Schwenke [Thu, 9 Apr 2026 02:08:40 +0000 (12:08 +1000)]
ctdb-scripts: Add address with specified mask bits in updateip
That is, add using $_maskbits, not $maskbits.
In the rare case where the mask bits were inconsistent on the old
interface, $maskbits will be needed for removal from the old
interface.
However, the specified mask bits ($_maskbits) must always be used when
adding to the new interface. Circumstances where this matters are
likely to be very rare.
It matters more if the address is unexpectedly not assigned at all.
In this case $maskbits will not be set, so the address can't be added
to the new interface using that variable.
Martin Schwenke [Fri, 10 Apr 2026 00:51:53 +0000 (10:51 +1000)]
ctdb-scripts: Change style to use if-statements
Well known, explicit structured programming constructs are arguably
easier to understand than implicit shell magic.
Only change instances that will be updated by subsequent commits.
Doing this separately, instead of in each subsequent commit, will make
those commits easier to understand.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Martin Schwenke [Thu, 2 Apr 2026 01:41:14 +0000 (12:41 +1100)]
ctdb-scripts: Avoid a shellcheck complaint
In ctdb/config/events/legacy/11.natgw.script line 174:
read _old_natgwleader <"$natgw_leader_old"
^--^ SC2162 (info): read without -r will mangle backslashes.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com> Reviewed-by: John Mulligan <jmulligan@redhat.com>
smbd: handle synthetic_smb_fname failure properly in delete_all_streams
When 'synthetic_smb_fname' fails due to memory error, it returns NULL.
Fix this error-case logic in 'delete_all_streams'.
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Apr 16 13:48:23 UTC 2026 on atb-devel-224
Douglas Bagnall [Wed, 1 Apr 2026 20:35:01 +0000 (09:35 +1300)]
ndr:dns_utils.h: add header guards
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Apr 16 01:57:42 UTC 2026 on atb-devel-224
Douglas Bagnall [Tue, 19 May 2020 22:05:16 +0000 (10:05 +1200)]
ndr: pull_dns_string: don't allow dots or '\0' in labels
We use a copy function that returns false if the copied string
contains the bad characters, and true otherwise.
As a special case, we allow a '.' as the last character, because an
NBT name with a trailing dot is sometimes used as a username, and we
need to match these exactly, even though the dotless form is
semantically the same (per RFC).
librpc/tests: Initialize name _test_ndr_pull_dns_string_list
When ndr_pull_struct_blob fails (which it will for labels containing
dots, now rejected by the new dns_component_copy check), name remains
uninitialized and the subsequent push call dereferences it.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Sat, 6 Jun 2020 11:22:16 +0000 (23:22 +1200)]
ndr: pull_dns_string: check length, use buffers/memcpy
RFC 1035 says the maximum length for a DNS name is 255 characters, and
one of the factors that allowed CVE-2020-10745 is that Samba did not
enforce that directly, enabling names around 8k long.
We fix that by keeping track of the name length. It is easier and more
efficient to use a 64 byte buffer for the components, and this will
help us to introduce further hardening in the next commit.
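The checks described in the two pull_dns_string commits above (a 255-octet cap on the whole name, a fixed 64-byte component buffer, and rejection of '.' and '\0' inside a label), sketched as an added example that is not Samba's code. The function names, status codes and sample inputs are assumptions; compression pointers are simply rejected and the trailing-dot special case is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME_LEN  255 /* RFC 1035 limit, counted in wire octets */
#define DNS_MAX_LABEL_LEN 63  /* one label fits a 64-byte buffer with NUL */

enum dns_name_status {
	DNS_NAME_OK = 0,
	DNS_NAME_TRUNCATED, /* input ended before the root label */
	DNS_NAME_BAD_LABEL, /* length octet above 63 (pointers included) */
	DNS_NAME_BAD_CHAR,  /* '.' or '\0' inside a label */
	DNS_NAME_TOO_LONG   /* over 255 wire octets, or output too small */
};

/* Copy one label; return 0 if it holds a byte that would read as a
 * separator or terminator once the name is written in dotted form. */
static int component_copy(char *dst, const uint8_t *src, size_t len)
{
	for (size_t i = 0; i < len; i++) {
		if (src[i] == '.' || src[i] == '\0') return 0;
		dst[i] = (char)src[i];
	}
	dst[len] = '\0';
	return 1;
}

enum dns_name_status parse_dns_name(const uint8_t *wire, size_t wire_len,
				    char *out, size_t out_size)
{
	char component[DNS_MAX_LABEL_LEN + 1];
	size_t offset = 0, out_len = 0;
	size_t total = 1; /* the root label's length octet */

	if (out_size == 0) return DNS_NAME_TOO_LONG;
	for (;;) {
		size_t len;

		if (offset >= wire_len) return DNS_NAME_TRUNCATED;
		len = wire[offset++];
		if (len == 0) break; /* root label: end of name */
		if (len > DNS_MAX_LABEL_LEN) return DNS_NAME_BAD_LABEL;
		if (len > wire_len - offset) return DNS_NAME_TRUNCATED;
		total += 1 + len; /* track the running name length */
		if (total > DNS_MAX_NAME_LEN) return DNS_NAME_TOO_LONG;
		if (!component_copy(component, wire + offset, len))
			return DNS_NAME_BAD_CHAR;
		/* room for an optional '.', the label and the final NUL */
		if (out_len + len + 2 > out_size) return DNS_NAME_TOO_LONG;
		if (out_len > 0) out[out_len++] = '.';
		memcpy(out + out_len, component, len);
		out_len += len;
		offset += len;
	}
	out[out_len] = '\0';
	return DNS_NAME_OK;
}

/* Constructed sample input: n labels of label_len 'a' bytes, then root. */
size_t build_labels(uint8_t *buf, size_t n, size_t label_len)
{
	size_t pos = 0;

	for (size_t i = 0; i < n; i++) {
		buf[pos++] = (uint8_t)label_len;
		memset(buf + pos, 'a', label_len);
		pos += label_len;
	}
	buf[pos++] = 0;
	return pos;
}

int main(void)
{
	/* Constructed wire names; the literal's NUL is the root label. */
	static const uint8_t ok[] = "\003www\007example\003com";
	static const uint8_t dotted[] = "\003a.b";
	char name[DNS_MAX_NAME_LEN + 1];
	uint8_t big[512];
	size_t big_len = build_labels(big, 5, 63);
	int rc = parse_dns_name(ok, sizeof(ok), name, sizeof(name));

	printf("ok: status %d, name %s\n", rc, name);
	rc = parse_dns_name(dotted, sizeof(dotted), name, sizeof(name));
	printf("dot inside label: status %d\n", rc);
	rc = parse_dns_name(big, big_len, name, sizeof(name));
	printf("5 x 63-byte labels: status %d\n", rc);
	return 0;
}
```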
Douglas Bagnall [Wed, 20 May 2020 07:18:14 +0000 (19:18 +1200)]
ndr: pull_dns_string: drop nbt/dns mem_ctx difference
Until now NBT and DNS have used talloc contexts of different lifetimes
to allocate component strings. The actual talloc context doesn't
really matter -- these strings are immediately copied and can be freed
straight after. So that is what we do.
Douglas Bagnall [Wed, 3 Jun 2020 02:42:41 +0000 (14:42 +1200)]
pytests: dns_packet tests check rcodes match Windows
The dns_packet tests originally checked only for a particular DoS
situation (CVE-2020-10745) but now we widen them to ensure Samba's
replies to invalid packets resemble those of Windows (in particular,
Windows 2012r2). We want Samba to reply only when Windows replies, and
with the same rcode.
At present we fail a lot of these tests.
The original CVE-2020-10745 test is retained and widened indirectly --
any test that leaves the server unable to respond within 0.5 seconds
will count as a failure.
Noel Power [Fri, 10 Apr 2026 15:50:55 +0000 (16:50 +0100)]
s3/modules: fix snapper_gmt_fstatat
snapper_gmt_fstatat is failing when called on items in a
'previous version' snapshot because the wrong timestamp value is
passed (the raw timewarp value is used) and snapper_gmt_convert cannot
find the valid snapshot instance to use.
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Apr 15 15:29:38 UTC 2026 on atb-devel-224
Noel Power [Fri, 10 Apr 2026 10:08:08 +0000 (11:08 +0100)]
s3/modules: Fix vfs snapper not finding files in subdirs
When trying to browse on Windows a snapper share (exposed via Windows previous versions) files in subdirs are not visible. In other words, only files that are in the root dir of the versioned share can be seen.
For example with the file hierarchy above only file1, file2 and subdir are visible. Navigating into subdir shows an empty dir.
snapper_gmt_openat is failing because when calling snapper_gmt_convert
it doesn't take into account the path to the subdirectory.
snapper_gmt_convert is just passed the leaf name where it constructs the
snapper path based on the base dir of the share.
Jeremy Allison [Fri, 10 Apr 2026 21:24:34 +0000 (14:24 -0700)]
s3:loadparm: fix NULL pointer dereference in volume_label()
volume_label() calls lp_servicename() as a fallback when lp_volume()
returns an empty string. lp_servicename() is a FN_LOCAL_SUBSTITUTED_STRING
that falls back to sDefault.szService when the service is invalid. Since
sDefault.szService is initialized to NULL and is never set by
init_globals(), the substitution returns NULL, and the subsequent
strlen() call crashes with a segmentation fault.
Add a NULL guard so volume_label() returns an empty string instead
of crashing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 15 00:07:12 UTC 2026 on atb-devel-224
Jeremy Allison [Fri, 10 Apr 2026 21:21:55 +0000 (14:21 -0700)]
s3:smbd: guard lp_killservice() in delete_and_reload_printers() with connections_snum_used check
delete_and_reload_printers() unconditionally calls lp_killservice()
to destroy autoloaded printer services that are no longer in the
printer list. If any active connection is still using the printer
service number, the destroyed service can cause a NULL pointer
dereference on subsequent requests.
Guard the call with connections_snum_used() so the service is only
freed when no connections are using it.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org>
Jeremy Allison [Fri, 10 Apr 2026 21:20:45 +0000 (14:20 -0700)]
s3:srvsvc: guard lp_killservice() in _srvsvc_NetShareDel() with connections_snum_used check
_srvsvc_NetShareDel() unconditionally calls lp_killservice() to
destroy the service after deleting a share via RPC. If any active
connection is still using this service number, the destroyed service
can cause a NULL pointer dereference on subsequent requests.
Guard the call with connections_snum_used() so the service is only
freed when no connections are using it. The periodic
load_usershare_shares() sweep will clean up the stale service once
all connections have disconnected.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org>
Jeremy Allison [Fri, 10 Apr 2026 21:19:01 +0000 (14:19 -0700)]
s3:loadparm: guard free_service_byindex() in lp_servicenumber() with snum_in_use check
lp_servicenumber() calls free_service_byindex() to destroy usershare
services when usershare_exists() returns false or when the usershare
file has been modified. This is unsafe because active connections may
still hold the service number — the destroyed service leaves a NULL
ServicePtrs[] entry that causes a NULL pointer dereference when the
connection subsequently calls lp_servicename() or similar functions.
The crash path is:
get_referred_path() -> lp_servicenumber() -> usershare_exists()
fails (e.g. EACCES) -> free_service_byindex() destroys service ->
later request on same connection -> volume_label() ->
lp_servicename() -> FN_LOCAL_SUBSTITUTED_STRING falls back to
sDefault.szService (NULL) -> strlen(NULL) -> SIGSEGV
Guard both free_service_byindex() call sites with the snum_in_use
callback registered in the previous commit. When the service is in
use by an active connection, skip the destruction and let the
periodic load_usershare_shares() mark-and-sweep handle cleanup
safely via its conn_snum_used() check.
When snum_in_use is NULL (non-smbd programs), the original behaviour
is preserved — services are freed immediately since no connections
can exist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org>
Add a mechanism for smbd to register a callback that checks whether
a service number is currently in use by any active connection.
This will be used by subsequent commits to guard free_service_byindex()
calls in lp_servicenumber() and other sites that currently destroy
services without checking if they are in use, which can leave active
connections holding stale service numbers that lead to NULL pointer
dereferences.
The callback is registered by smbd during smbd_process() startup via
connections_snum_used. Non-smbd programs (testparm, net, etc.) leave the
callback as NULL, meaning no connections exist and it is always safe
to free services.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org>
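A minimal model of the guard these loadparm commits describe, as an added example rather than Samba's code: a service is destroyed immediately only when no in-use callback is registered or the callback reports no connection, otherwise it is marked stale and left for a later sweep. All names (svc_*, conn_*), the fixed-size table and the stale flag are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SERVICES 8

struct service {
	char *name;
	bool stale; /* deletion was requested while a connection used it */
};

static struct service *services[MAX_SERVICES]; /* NULL = destroyed slot */
static int conn_refs[MAX_SERVICES];            /* toy connection table */
static bool (*snum_in_use_cb)(int snum);       /* NULL: no connections */

static bool valid(int snum) { return snum >= 0 && snum < MAX_SERVICES; }

void svc_register_in_use_cb(bool (*cb)(int snum)) { snum_in_use_cb = cb; }

bool conn_snum_used(int snum) { return valid(snum) && conn_refs[snum] > 0; }
void conn_open(int snum) { if (valid(snum)) conn_refs[snum]++; }
void conn_close(int snum) { if (conn_snum_used(snum)) conn_refs[snum]--; }

int svc_add(const char *name)
{
	for (int i = 0; i < MAX_SERVICES; i++) {
		if (services[i] != NULL) continue;
		struct service *s = calloc(1, sizeof(*s));
		if (s == NULL) return -1;
		s->name = malloc(strlen(name) + 1);
		if (s->name == NULL) { free(s); return -1; }
		strcpy(s->name, name);
		services[i] = s;
		return i;
	}
	return -1;
}

static void svc_free(int snum)
{
	free(services[snum]->name);
	free(services[snum]);
	services[snum] = NULL;
}

/* Guarded destroy: true if freed now, false if deferred or absent. */
bool svc_kill(int snum)
{
	if (!valid(snum) || services[snum] == NULL) return false;
	if (snum_in_use_cb != NULL && snum_in_use_cb(snum)) {
		services[snum]->stale = true; /* leave it for the sweep */
		return false;
	}
	svc_free(snum);
	return true;
}

/* Periodic sweep: free stale services that no connection uses now. */
int svc_sweep(void)
{
	int freed = 0;

	for (int i = 0; i < MAX_SERVICES; i++) {
		if (services[i] == NULL || !services[i]->stale) continue;
		if (snum_in_use_cb != NULL && snum_in_use_cb(i)) continue;
		svc_free(i);
		freed++;
	}
	return freed;
}

/* Lookup with a NULL guard: a destroyed entry yields "", not a crash. */
const char *svc_name(int snum)
{
	if (!valid(snum) || services[snum] == NULL) return "";
	return services[snum]->name;
}

int main(void)
{
	svc_register_in_use_cb(conn_snum_used);
	int snum = svc_add("usershare1"); /* constructed sample share */
	conn_open(snum);

	bool freed_now = svc_kill(snum); /* deferred: connection active */
	printf("freed now: %d, name: '%s'\n", freed_now, svc_name(snum));

	conn_close(snum);
	int swept = svc_sweep();         /* safe to destroy now */
	printf("swept: %d, name: '%s'\n", swept, svc_name(snum));
	return 0;
}
```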
Jeremy Allison [Fri, 10 Apr 2026 23:45:39 +0000 (16:45 -0700)]
s3:tests: add regression test for usershare EACCES crash
Add a test that verifies smbd does not crash when a usershare
definition file becomes inaccessible while a client is connected.
The test creates a usershare, connects to it, makes the usershare
definition file inaccessible (chmod 000), then issues a volume
query which triggers the volume_label() -> lp_servicename() code
path. It verifies smbd is still alive afterward by connecting to
a different share.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: David Mulder <dmulder@samba.org>
Shwetha Acharya [Thu, 5 Mar 2026 12:01:52 +0000 (17:31 +0530)]
rpc_server: Only allocate fsp when counting file locks
Avoids creating fsp, which is not needed unless we
are going to count the brlocks.
Also uses early continue and removes num_locks variable
by assigning the result directly.
Signed-off-by: Shwetha Acharya <Shwetha.K.Acharya@ibm.com> Reviewed-by: Xavi Hernandez <xhernandez@redhat.com> Reviewed-by: Shweta Sodani <ssodani@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Apr 14 10:02:29 UTC 2026 on atb-devel-224
vfs_glusterfs: fix directory fd leak via FSP extension destructor
When Samba closes a directory backed by vfs_glusterfs, the glfs_fd_t
opened by vfs_gluster_openat() is never closed. This leaks one
libgfapi file descriptor and one server-side fd_t in glusterfsd per
directory open/close cycle. With persistent SMB2 connections the
leak is unbounded and drives monotonic RSS growth on the GlusterFS
brick process.
The leak happens because vfs_glusterfs creates two independent
glfs_fd_t handles per directory: one via glfs_open() in
vfs_gluster_openat(), stored in the FSP extension, and another via
glfs_opendir() in vfs_gluster_fdopendir(), tracked by struct smb_Dir.
On close, smb_Dir_destructor() closes the opendir handle and sets the
pathref fd to -1. fd_close() then returns early without calling
SMB_VFS_CLOSE, so vfs_gluster_close() never runs and the glfs_open()
handle is orphaned. The original code passed NULL as the destroy
callback to VFS_ADD_FSP_EXTENSION, so there was no safety net.
The default VFS does not have this problem because fdopendir(3) wraps
the existing kernel fd rather than opening a new handle. libgfapi
has no equivalent -- glfs_opendir() always creates an independent
handle by path. The actual glfs_fd_t is stored in the FSP extension,
not in fsp->fh->fd (which holds a sentinel value), so Samba's generic
close path cannot reach it.
Register vfs_gluster_fsp_ext_destroy() as the FSP extension destroy
callback. It calls glfs_close() on the stored pointer and is invoked
by vfs_remove_all_fsp_extensions() during file_free(), which runs
unconditionally for every fsp. In the explicit close path,
vfs_gluster_close() NULLs the extension pointer before calling
VFS_REMOVE_FSP_EXTENSION to prevent double-close. This follows the
same pattern used by vfs_ceph_new.c (vfs_ceph_fsp_ext_destroy_cb).
Observed on a production file server with persistent SMB2 connections
and continuous directory operations. GlusterFS brick statedumps
showed fd_t pool growth from 1,993 to 80,350 active instances over
6 days, roughly 13,000 leaked fds per day per brick.
RN: Fix a directory file descriptor leak in vfs_glusterfs that caused
unbounded memory growth on the GlusterFS brick with persistent SMB2
connections.
Vinit Agnihotri [Mon, 23 Mar 2026 15:31:37 +0000 (21:01 +0530)]
printing: Set default value in case of non-exisiting record
This fixes regression caused by commit#e9a7dce599
Newly added function treats non-existing record as error, instead of
setting just -1 i.e. default value for non-existing record for
printing subsystem. This results in print_cache_expired returning
incorrect status.
Fix sets default value in case of non-existing record
which would ensure print_cache_expired to return correct status.
s3:smb2_server: failing lease/oplock breaks should call smbd_server_connection_terminate()
If there's a problem sending a lease break we need to
call smbd_server_connection_terminate(xconn).
Currently we only called smbXsrv_connection_disconnect_transport(),
which only closes the low level socket, but it doesn't
clean up smbXsrv_connection and in case of the last connection
for the smbXsrv_client, so we leave the stale structures and
the stale process behind.
Gary Lockyer [Tue, 31 Mar 2026 01:54:44 +0000 (14:54 +1300)]
buildtools: fix clang warning: argument unused
Fix:
clang-xx: warning: argument unused during compilation:
'-undefined dynamic_lookup' [-Wunused-command-line-argument]
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Apr 8 08:38:21 UTC 2026 on atb-devel-224
s3:printing: make printer_list.tdb none readable for others
Signed-off-by: Shwetha Acharya <Shwetha.K.Acharya@ibm.com> Reviewed-by: Xavi Hernandez <xhernandez@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Apr 7 16:12:32 UTC 2026 on atb-devel-224
Ralph Wuerthner [Wed, 26 Feb 2020 10:29:50 +0000 (11:29 +0100)]
s3:gencache: make gencache.tdb none readable for others
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> Reviewed-by: Xavi Hernandez <xhernandez@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Ralph Wuerthner [Tue, 21 Jan 2020 08:14:23 +0000 (09:14 +0100)]
s3:locking: make leases.tdb none readable for others
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> Reviewed-by: Xavi Hernandez <xhernandez@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Ralph Wuerthner [Tue, 21 Jan 2020 08:14:36 +0000 (09:14 +0100)]
s3:locking: make locking.tdb none readable for others
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> Reviewed-by: Xavi Hernandez <xhernandez@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Ralph Wuerthner [Tue, 21 Jan 2020 08:15:40 +0000 (09:15 +0100)]
s3:idmap_autorid: make autorid.tdb none readable for others
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> Reviewed-by: Xavi Hernandez <xhernandez@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Ralph Wuerthner [Wed, 26 Feb 2020 10:31:26 +0000 (11:31 +0100)]
s3:cleanupdb: make smbd_cleanupd.tdb none readable for others
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> Reviewed-by: Xavi Hernandez <xhernandez@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Ralph Wuerthner [Wed, 26 Feb 2020 13:01:50 +0000 (14:01 +0100)]
s3:smbprofile: make smbprofile.tdb none readable for others
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com> Reviewed-by: Xavi Hernandez <xhernandez@redhat.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Anoop C S <anoopcs@samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Apr 7 14:09:40 UTC 2026 on atb-devel-224
Jennifer Sutton [Thu, 2 Apr 2026 03:11:56 +0000 (16:11 +1300)]
subunit: Do not return successful exit code if tests fail or error
TestProtocolClient.writeOutcome() removed items from self.errors and
self.failures via TestProtocolClient._filterErrors(). This made wasSuccessful()
inappropriately return True even if there were errors or failures.
subunit.run.runTests() uses wasSuccessful() to determine the exit code.
To fix this, do not remove items from self.errors or self.failures, but instead
use indices to keep track of how many items we have already processed in each of
self.errors and self.failures.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Tue Apr 7 04:17:08 UTC 2026 on atb-devel-224
Shweta Sodani [Wed, 25 Mar 2026 09:23:42 +0000 (14:53 +0530)]
vfs_ceph_new: fix errno handling in vfs_ceph_readdir
Signed-off-by: Shweta Sodani <ssodani@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Apr 2 05:49:13 UTC 2026 on atb-devel-224
Andréas Leroux [Fri, 13 Feb 2026 08:25:55 +0000 (09:25 +0100)]
s4/dns_server: truncate large dns packets over udp and set truncated flag
Large DNS response must be truncated over UDP, letting client retry over TCP. Current threshold is set to 1232 as it is regarded as a safe size.
Truncated packets have no answers nor record, only the packet header and initial question(s).
Signed-off-by: Andréas Leroux <aleroux@tranquil.it> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Jennifer Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Apr 1 05:08:14 UTC 2026 on atb-devel-224
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Mar 31 09:18:43 UTC 2026 on atb-devel-224
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Tue Mar 31 00:41:46 UTC 2026 on atb-devel-224
Gary Lockyer [Thu, 26 Mar 2026 00:39:45 +0000 (13:39 +1300)]
tests:krb5 expired password handling
The Windows ADDC checks password validity before password expiry. So an
incorrect expired password will return KDC_ERR_PREAUTH_REQUIRED not
KDC_ERR_KEY_EXPIRED.
The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to
samba.
python:tests/krb5: Make PADATA_PK_AS_REP optional in non-strict mode
Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to
the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED.
This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints
in expired-password error responses.
Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED
responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and
the FX-COOKIE (type 133). This causes test_pw_expired to fail intermittently
when the expired-password code path is exercised against MIT KDC.
Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19,
so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0)
while still being enforced in strict mode.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224
selftest: Add test_device_and_server_silo_restrictions to knownfail_mit_kdc
MIT KRB5 1.22 fixed a spurious FAST armor processing error. In
KRB5 1.21 this spurious error caused verify_access() with device FAST
armor to fail, which accidentally made the device silo restriction check
in test_device_and_server_silo_restrictions appear to work.
With KRB5 1.22 the spurious error is gone. Device authentication is
still not implemented in MIT Kerberos, so the second assertRaises block
(user has silo assigned, device does not) no longer raises NTSTATUSError
and the test fails.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
python:tests: Fix assertEqual placement in test_device_group_restrictions
The assertEqual calls checking the exception attributes were incorrectly
indented inside the 'with self.assertRaises()' block. When the expected
NTSTATUSError is raised by verify_access(), execution exits the block
immediately, so those lines were never reached.
When the exception is not raised (e.g. with MIT KRB5 1.22 where a spurious FAST
error was fixed), execution falls through to the assertEqual inside the block,
causing AttributeError because error.exception is only available after the
'with' block exits.
The exception returned is NT_STATUS_UNSUCCESSFUL with Heimdal.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Noel Power [Thu, 26 Mar 2026 12:03:55 +0000 (12:03 +0000)]
s3/librpc/crypto: Don't keep growing in memory keytab
When we have long living concurrent connections every rpc bind
ends up calling and subsequently adding keytab entries to the
memory keytab returned by 'gse_krb5_get_server_keytab(...)'. This is
happening because as long as there is a handle open for the
keytab named "MEMORY:cifs_srv_keytab" then we keep adding entries to
it.
Note: There is no leak of gensec_security nor the krb5_keytab
it contains. When rpc clients connected to the rpc worker process
exit the gensec_security and the krb5_keytab structures are
destructed as expected. However because we use a fixed name
"MEMORY:cifs_srv_keytab" clients end up with a handle to a
reference counted shared keytab. Destruction of the keytab results
in the associated reference count being decremented. When the
reference count reaches 0 the keytab is destroyed.
To avoid the keytab being extended the easiest solution is to ensure a
unique memory keytab is created for each client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16042 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Mon Mar 30 09:36:45 UTC 2026 on atb-devel-224
Gary Lockyer [Tue, 24 Mar 2026 02:02:19 +0000 (15:02 +1300)]
quic:libquic:handshake fix clang-22 warning
Fix:
../../third_party/quic/libquic/handshake.c:567:56:
error: format specifies type 'unsigned int' but the argument has type
'size_t' (aka 'unsigned long') [-Werror,-Wformat]
567 quic_log_debug(" Read func: %u %u %u", level, htype, datalen);
~~ ^~~~~~~
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Mon Mar 30 01:49:56 UTC 2026 on atb-devel-224
wafsamba: Add -D_FORTIFY_SOURCE=3 when stack protector is enabled
The capability check in SAMBA_CONFIG_H() already tests that the compiler
accepts both -Wp,-D_FORTIFY_SOURCE and the stack protector flag
together, but only the stack protector flag was added to EXTRA_CFLAGS on
success.
The glibc normally silently downgrades to the supported level if the one
specified is not supported.
Note that -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 only sets it if not
already defined.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 27 08:33:09 UTC 2026 on atb-devel-224
docs-xml: Sync pam_winbind with pam_winbind.conf manpage
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar 26 10:59:47 UTC 2026 on atb-devel-224
s3:winbind: Add support for krb5_ccache_type = DEFAULT
This will use the ccache_type defined in the krb5.conf.
Pair-Programmed-With: Pavel Filipenský <pfilipen@samba.org> Signed-off-by: Pavel Filipenský <pfilipen@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
lib:krb5_wrap: Add function to read the default_ccache_name config value
krb5_cc_default_name() expands the config value: %{uid} is expanded to the
current id. However when we call this as winbind, it is expanded to root and not
the user we are authenticating. This function reads directly from the config.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
s3:winbind: Also support %{uid} substitution for krb5_ccache_type
Pair-Programmed-With: Pavel Filipenský <pfilipen@redhat.com> Signed-off-by: Pavel Filipenský <pfilipen@redhat.com> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Shachar Sharon [Sun, 22 Mar 2026 17:52:44 +0000 (19:52 +0200)]
vfs_ceph_new: do not set negative value in vfs_aio_state.error
Ceph uses negative error values but Samba's VFS expects error value as
non-negative values (errno style).
Signed-off-by: Shachar Sharon <ssharon@redhat.com> Reviewed-by: Avan Thakkar <athakkar@redhat.com> Reviewed-by: Shweta Sodani <ssodani@redhat.com> Reviewed-by: Vinit Agnihotri <vagnihot@redhat.com> Reviewed-by: Anoop C S <anoopcs@samba.org> Reviewed-by: John Mulligan <jmulligan@redhat.com>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Thu Mar 26 09:23:11 UTC 2026 on atb-devel-224
Pavel Filipenský [Wed, 11 Mar 2026 19:07:05 +0000 (20:07 +0100)]
auth: Remove talloc_set_name_const() if talloc_keep_secret() changes the talloc name
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(timing): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(timing): Wed Mar 25 21:16:35 UTC 2026 on atb-devel-224