rpms/samba
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix winbind group resolution

Browse Source 
- resolves: RHEL-144390
This commit is contained in:
Pavel Filipenský 2026-01-27 10:19:37 +01:00
parent af5e9d5369
commit 3afec2d54b
2 changed files with 147 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

212
samba-4.19-redhat.patch
View File

@ -1,7 +1,7 @@
From 3c29fc78029e1274f931e171c9e04c19ad0182c1 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Thu, 17 Aug 2023 01:05:54 +0300
Subject: [PATCH 01/69] gp: Support more global trust directories
Subject: [PATCH 01/70] gp: Support more global trust directories
In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).
@ -66,7 +66,7 @@ index 312c8ddf467..1b90ab46e90 100644
From 063606e8ec83a58972df47eb561ab267f8937ba4 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Thu, 17 Aug 2023 01:09:28 +0300
Subject: [PATCH 02/69] gp: Support update-ca-trust helper
Subject: [PATCH 02/70] gp: Support update-ca-trust helper
This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.
@ -110,7 +110,7 @@ index 1b90ab46e90..cefdafa21b2 100644
From 3b548bf280ca59ef12a7af10a9131813067a850a Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 11 Aug 2023 18:46:42 +0300
Subject: [PATCH 03/69] gp: Change root cert extension suffix
Subject: [PATCH 03/70] gp: Change root cert extension suffix
On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.
@ -144,7 +144,7 @@ index cefdafa21b2..c562722906b 100644
From 7592ed5032836dc43f657f66607a0a4661edcdb4 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 18 Aug 2023 17:06:43 +0300
Subject: [PATCH 04/69] gp: Test with binary content for certificate data
Subject: [PATCH 04/70] gp: Test with binary content for certificate data
This fails all GPO-related tests that call `gpupdate --rsop`.
@ -222,7 +222,7 @@ index 00000000000..0aad59607c2
From 7f7b235bda9e85c5ea330e52e734d1113a884571 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Wed, 16 Aug 2023 12:20:11 +0300
Subject: [PATCH 05/69] gp: Convert CA certificates to base64
Subject: [PATCH 05/70] gp: Convert CA certificates to base64
I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
@ -295,7 +295,7 @@ index 0aad59607c2..00000000000
From 49cc74015a603e80048a38fe635cd1ac28938ee4 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 18 Aug 2023 17:16:23 +0300
Subject: [PATCH 06/69] gp: Test adding new cert templates enforces changes
Subject: [PATCH 06/70] gp: Test adding new cert templates enforces changes
Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.
@ -428,7 +428,7 @@ index 00000000000..4edc1dce730
From 4c0906bd79f030e591701234bc54bc749a42d686 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Wed, 16 Aug 2023 12:37:17 +0300
Subject: [PATCH 07/69] gp: Template changes should invalidate cache
Subject: [PATCH 07/70] gp: Template changes should invalidate cache
If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
@ -493,7 +493,7 @@ index 4edc1dce730..00000000000
From e61f30dc2518d5a1c239f090baea4a309307f3f8 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 18 Aug 2023 17:26:59 +0300
Subject: [PATCH 08/69] gp: Test disabled enrollment unapplies policy
Subject: [PATCH 08/70] gp: Test disabled enrollment unapplies policy
For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.
@ -594,7 +594,7 @@ index 00000000000..83bc9f0ac1f
From 7757b9b48546d71e19798d1260da97780caa99c3 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Wed, 16 Aug 2023 12:33:59 +0300
Subject: [PATCH 09/69] gp: Send list of keys instead of dict to remove
Subject: [PATCH 09/70] gp: Send list of keys instead of dict to remove
`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.
@ -640,7 +640,7 @@ index 83bc9f0ac1f..00000000000
From 4e9b2e6409c5764ec0e66cc6c90b08e70f702e7c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jan 2024 08:50:01 +0100
Subject: [PATCH 10/69] python:gp: Print a nice message if cepces-submit can't
Subject: [PATCH 10/70] python:gp: Print a nice message if cepces-submit can't
be found
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552
@ -697,7 +697,7 @@ index 64c35782ae8..08d1a7348cd 100644
From fb3aefff51c02cf8ba3f8dfeb7d3f971e8d4902a Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Mon, 8 Jan 2024 18:05:08 +0200
Subject: [PATCH 11/69] gpo: Test certificate policy without NDES
Subject: [PATCH 11/70] gpo: Test certificate policy without NDES
As of 8231eaf856b, the NDES feature is no longer required on Windows, as
cert auto-enroll can use the certificate from the LDAP request.
@ -901,7 +901,7 @@ index 00000000000..f1e590bc7d8
From 1a9af36177c7491687c75df151474bb10285f00e Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Thu, 18 Jan 2024 20:23:24 +0200
Subject: [PATCH 12/69] gpo: Decode base64 root cert before importing
Subject: [PATCH 12/70] gpo: Decode base64 root cert before importing
The reasoning behind this is described in the previous commit message,
but essentially this should either be wrapped in certificate blocks and
@ -954,7 +954,7 @@ index f1e590bc7d8..00000000000
From f5fc88f9ae255f4dc135580f0fa4a02f5addc390 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 19 Jan 2024 11:36:19 +0200
Subject: [PATCH 13/69] gpo: Do not get templates list on first run
Subject: [PATCH 13/70] gpo: Do not get templates list on first run
This is a visual fix and has no impact on functionality apart from
cleaner log messages.
@ -1003,7 +1003,7 @@ index cd5e54f1110..559c903e1a2 100644
From e8a6219181f2af87813b53fd09684650c1aa6f90 Mon Sep 17 00:00:00 2001
From: David Mulder <dmulder@samba.org>
Date: Fri, 5 Jan 2024 08:47:07 -0700
Subject: [PATCH 14/69] gp: Skip site GP list if no site is found
Subject: [PATCH 14/70] gp: Skip site GP list if no site is found
[MS-GPOL] 3.2.5.1.4 Site Search says if the site
search returns ERROR_NO_SITENAME, the GP site
@ -1071,7 +1071,7 @@ index 617ef79350c..babd8f90748 100644
From d0d1a890d6f2466691fa4ee663232ee0bd1c3776 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 14:14:30 +0100
Subject: [PATCH 15/69] python:gp: Avoid path check for cepces-submit
Subject: [PATCH 15/70] python:gp: Avoid path check for cepces-submit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1117,7 +1117,7 @@ index 559c903e1a2..7325d5132cf 100644
From 7f6c9a4945635c6eb8ada2255bd0febbf0f4e540 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 14:07:47 +0100
Subject: [PATCH 16/69] python:gp: Improve logging for certificate enrollment
Subject: [PATCH 16/70] python:gp: Improve logging for certificate enrollment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1177,7 +1177,7 @@ index 7325d5132cf..a25a9678587 100644
From 5321d5b5bd24d7659743576f2e12a7dc0a93a828 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 15:04:36 +0100
Subject: [PATCH 17/69] python:gp: Do not print an error, if CA already exists
Subject: [PATCH 17/70] python:gp: Do not print an error, if CA already exists
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1223,7 +1223,7 @@ index a25a9678587..0b23cd688db 100644
From 6a7a8a4090b8cdb8e71f4ad590260ceeda253ce2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 15:05:02 +0100
Subject: [PATCH 18/69] python:gp: Do not print an error if template already
Subject: [PATCH 18/70] python:gp: Do not print an error if template already
exists
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1270,7 +1270,7 @@ index 0b23cd688db..db681cb6f69 100644
From 43dc3d5d833bc1db885eb45402decd3225a7c946 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 15:05:24 +0100
Subject: [PATCH 19/69] python:gp: Log an error if update fails
Subject: [PATCH 19/70] python:gp: Log an error if update fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1307,7 +1307,7 @@ index db681cb6f69..c8ad2039dc6 100644
From d8276d6a098d10f405b8f24c4dfb82af4496607c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 15:46:24 +0100
Subject: [PATCH 20/69] python:gp: Improve working of log messages to avoid
Subject: [PATCH 20/70] python:gp: Improve working of log messages to avoid
confusion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1360,7 +1360,7 @@ index c8ad2039dc6..2b7f7d22c2b 100644
From 585357bf0d8889747a2769c2451ee34766087d95 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 29 Jan 2024 17:46:30 +0100
Subject: [PATCH 21/69] python:gp: Fix logging with gp
Subject: [PATCH 21/70] python:gp: Fix logging with gp
This allows enable INFO level logging with: `samba-gpupdate -d3`
@ -1402,7 +1402,7 @@ index a74a8707d50..c3de32825db 100644
From 14ceb0b5f2f954bbabdaf78b8185fc515e3c8294 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Wed, 13 Mar 2024 13:55:41 +0100
Subject: [PATCH 22/69] docs-xml: Add parameter all_groupmem to idmap_ad
Subject: [PATCH 22/70] docs-xml: Add parameter all_groupmem to idmap_ad
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1444,7 +1444,7 @@ index b364bbfa231..de6d36afe95 100644
From ac4184c8c3220263cb6f1a46a012533ed1c4e047 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Tue, 12 Mar 2024 13:20:24 +0100
Subject: [PATCH 23/69] s3:winbindd: Improve performance of lookup_groupmem()
Subject: [PATCH 23/70] s3:winbindd: Improve performance of lookup_groupmem()
in idmap_ad
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1527,7 +1527,7 @@ index d7a665abbc6..e625aa6473f 100644
From d0e2002efcc37055b35c351a6b936e6ab89fad32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Mon, 25 Mar 2024 22:38:18 +0100
Subject: [PATCH 24/69] selftest: Add "winbind expand groups = 1" to
Subject: [PATCH 24/70] selftest: Add "winbind expand groups = 1" to
setup_ad_member_idmap_ad
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1561,7 +1561,7 @@ index 44ac4a5901a..606c65f8ab1 100755
From 9625b6aed981aa4e70fe11d9d1acdb54db7591a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Thu, 14 Mar 2024 15:24:21 +0100
Subject: [PATCH 25/69] tests: Add a test for "all_groups=no" to
Subject: [PATCH 25/70] tests: Add a test for "all_groups=no" to
test_idmap_ad.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1634,7 +1634,7 @@ index 7ae112ada71..1d4bd395ba9 100755
From e5890e63c35a4a5af29ae16e6dd734c4a3a304cc Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 28 May 2024 13:51:53 +0200
Subject: [PATCH 26/69] s3:libads: Allow get_kdc_ip_string() to lookup the KDCs
Subject: [PATCH 26/70] s3:libads: Allow get_kdc_ip_string() to lookup the KDCs
IP
Remove the requirement to provide an IP address. We should look up the
@ -1699,7 +1699,7 @@ index 50f4a6de3c6..ddf97c11973 100644
From 96a1ecd8db249fa03db60259cf76fdef9c1bd749 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 28 May 2024 13:53:51 +0200
Subject: [PATCH 27/69] s3:libads: Do not fail if we don't get an IP passed
Subject: [PATCH 27/70] s3:libads: Do not fail if we don't get an IP passed
down
The IP should be optional and we should look it up if not provided.
@ -1733,7 +1733,7 @@ index ddf97c11973..f74d8eb567c 100644
From 4934642b7a7d92c6d81ba25ef6e4b66e3805f708 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 28 May 2024 13:54:24 +0200
Subject: [PATCH 28/69] s3:winbind: Fix idmap_ad creating an invalid local
Subject: [PATCH 28/70] s3:winbind: Fix idmap_ad creating an invalid local
krb5.conf
In case of a trusted domain, we are providing the realm of the primary
@ -1789,7 +1789,7 @@ index 5c9fe07db95..b8002825161 100644
From cccc902c64c93db317bf4707d0af5e56b2887286 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jul 2024 12:26:55 +0200
Subject: [PATCH 29/69] s3:notifyd: Use a watcher per db record
Subject: [PATCH 29/70] s3:notifyd: Use a watcher per db record
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -2307,7 +2307,7 @@ index 36c08f47c54..db8e6e1c005 100644
From b04cb93ee52aac0ce7213d0581d69e852df52d4a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Mon, 5 Feb 2024 15:03:48 +0100
Subject: [PATCH 30/69] smbd: simplify handling of failing fstat() after
Subject: [PATCH 30/70] smbd: simplify handling of failing fstat() after
unlinking file
close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the
@ -2371,7 +2371,7 @@ index 3581c4b9173..93c12e00eb0 100644
From 29f0c0fb2f1cb0cfc4c615d31e82048b46a2cb0d Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Tue, 20 Feb 2024 09:26:29 +0000
Subject: [PATCH 31/69] s3/smbd: If we fail to close file_handle ensure we
Subject: [PATCH 31/70] s3/smbd: If we fail to close file_handle ensure we
should reset the fd
if fsp_flags.fstat_before_close == true then close_file_smb will call
@ -2452,7 +2452,7 @@ index 93c12e00eb0..74be444fef5 100644
From ed138c4d679e8291de18162e1cac65cc9da33b4d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 15 Jan 2025 10:21:19 -0800
Subject: [PATCH 32/69] auth: Add missing talloc_free() in error code path.
Subject: [PATCH 32/70] auth: Add missing talloc_free() in error code path.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -2489,7 +2489,7 @@ index b914075d85c..196654b36bd 100644
From f8a7d7a3e8c3be3c7742c874239766b34c25ef3e Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 16 Jan 2025 16:12:31 -0800
Subject: [PATCH 33/69] auth: Cleanup exit code paths in kerberos_decode_pac().
Subject: [PATCH 33/70] auth: Cleanup exit code paths in kerberos_decode_pac().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -2761,7 +2761,7 @@ index 196654b36bd..abb096bde1b 100644
From 9fd06d5c331f5babaf417cc7339d12854a79fe4b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 15 Feb 2024 17:29:46 +0100
Subject: [PATCH 34/69] s3:libsmb/dsgetdcname: use
Subject: [PATCH 34/70] s3:libsmb/dsgetdcname: use
NETLOGON_NT_VERSION_AVOID_NT4EMUL
In 2024 we always want an active directory response...
@ -2798,7 +2798,7 @@ index 280ccd585b0..6fcaa26810c 100644
From 58e28d056f2df0906ee77ccfb9b56e8a764b38b4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 7 May 2024 14:53:24 +0000
Subject: [PATCH 35/69] s3:libsmb: allow store_cldap_reply() to work with a
Subject: [PATCH 35/70] s3:libsmb: allow store_cldap_reply() to work with a
ipv6 response
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642
@ -2856,7 +2856,7 @@ index 6fcaa26810c..da173e7bbb0 100644
From e4d5269b2359c670acdf0cba81248f148ae68c17 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 11 Oct 2024 13:32:22 +0000
Subject: [PATCH 36/69] s3:libsmb: let discover_dc_netbios() return
Subject: [PATCH 36/70] s3:libsmb: let discover_dc_netbios() return
DOMAIN_CONTROLLER_NOT_FOUND
We may get NT_STATUS_NOT_FOUND when the name can't be resolved
@ -2902,7 +2902,7 @@ index da173e7bbb0..8278959dd7d 100644
From d90d2b0e985913247f43192cb94eec0efb3e9046 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 2 Jul 2025 21:59:48 +0200
Subject: [PATCH 37/69] s3-winbindd: Fix internal winbind dsgetdcname calls
Subject: [PATCH 37/70] s3-winbindd: Fix internal winbind dsgetdcname calls
w.r.t. domain name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -3086,7 +3086,7 @@ index fe93528787d..eca4116d0c8 100644
From 7da6072ce95bca445368f6d0453247c8f92fcdf2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 9 May 2025 09:38:41 +0200
Subject: [PATCH 38/69] s3:winbindd: avoid using any netlogon call to get a dc
Subject: [PATCH 38/70] s3:winbindd: avoid using any netlogon call to get a dc
name
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876
@ -3389,7 +3389,7 @@ index f0fd18a8fa6..47c68257b12 100644
From ad54ceadacfbcf0d9c96ad773e50db96003e2c08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Wed, 23 Jul 2025 15:09:21 +0200
Subject: [PATCH 39/69] s3:winbindd: Resolve dc name using CLDAP also for
Subject: [PATCH 39/70] s3:winbindd: Resolve dc name using CLDAP also for
ROLE_IPA_DC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -3443,7 +3443,7 @@ index 195259daa43..86dbf68f033 100644
From b73efffbb02903427af2c2cc57171d4848ca11f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Mon, 4 Aug 2025 08:35:29 +0200
Subject: [PATCH 40/69] docs-xml: Make smb.conf 'server role' value consistent
Subject: [PATCH 40/70] docs-xml: Make smb.conf 'server role' value consistent
with ROLE_IPA_DC in libparam
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -3480,7 +3480,7 @@ index 4ea4e4751ee..40244e125ce 100644
From 832a4e31630fd441f8ab4325439f90d561cb8fa4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Mon, 4 Aug 2025 23:26:02 +0200
Subject: [PATCH 41/69] s3:netlogon: IPA DC is the PDC as well - allow
Subject: [PATCH 41/70] s3:netlogon: IPA DC is the PDC as well - allow
ROLE_IPA_DC in _netr_DsRGetForestTrustInformation()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -3520,7 +3520,7 @@ index c5a4b0ef30c..7957d3ab34d 100644
From 8d5638581dfc539c8524d7a507e8cc8977e827a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Mon, 4 Aug 2025 23:28:24 +0200
Subject: [PATCH 42/69] s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in
Subject: [PATCH 42/70] s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in
gensec
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -3569,7 +3569,7 @@ index cff3c53845f..2968ca47734 100644
From 3ef02a381cdc83549506e159ebc457730c06c547 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 22 Jul 2025 19:22:31 +0200
Subject: [PATCH 43/69] libads: fix get_kdc_ip_string()
Subject: [PATCH 43/70] libads: fix get_kdc_ip_string()
Correctly handle the interaction between optionally passed in DC via
pss and DC lookup.
@ -3620,7 +3620,7 @@ index f74d8eb567c..f324321c87b 100644
From b0dbc167f85deabff2af5b18bc201e8db0d3b97d Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 22 Jul 2025 19:16:14 +0200
Subject: [PATCH 44/69] winbindd: use find_domain_from_name_noinit() in
Subject: [PATCH 44/70] winbindd: use find_domain_from_name_noinit() in
find_dns_domain_name()
Avoid triggering a connection to a DC of a trusted domain.
@ -3654,7 +3654,7 @@ index eca4116d0c8..3a7a9114988 100644
From 1961f54ce07f7dc3cfcae5c00b96b39109f08b3a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 19 Dec 2023 11:11:55 +0100
Subject: [PATCH 45/69] vfs_default: allow disabling /proc/fds and
Subject: [PATCH 45/70] vfs_default: allow disabling /proc/fds and
RESOLVE_NO_SYMLINK at compile time
This will be used in CI to have a gitlab runner without all modern Linux
@ -3724,7 +3724,7 @@ index 1d4b9b1a840..8d78831492f 100644
From 26de62a2a968dd5b73af296251b26112cdd533e5 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 19 Dec 2023 11:12:49 +0100
Subject: [PATCH 46/69] CI: disable /proc/fds and RESOLVE_NO_SYMLINK in
Subject: [PATCH 46/70] CI: disable /proc/fds and RESOLVE_NO_SYMLINK in
samba-no-opath-build runner
This is a more sensible combination of missing Linux specific features:
@ -3797,7 +3797,7 @@ index c3a13f5ec6e..67764a0b027 100644
From 2c27aae5a4c8d7368dc142fb2be36919296d2a02 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 2 Jan 2024 12:49:14 +0100
Subject: [PATCH 47/69] smbd: pass symlink target path to
Subject: [PATCH 47/70] smbd: pass symlink target path to
safe_symlink_target_path()
Moves processing the symlink error response to the caller
@ -3961,7 +3961,7 @@ index 8693dcf1153..45fb90381e2 100644
From 99d7e841d4e18f760c137530bbed0dea6115311a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 2 Jan 2024 13:25:25 +0100
Subject: [PATCH 48/69] smbd: add a directory argument to
Subject: [PATCH 48/70] smbd: add a directory argument to
safe_symlink_target_path()
Existing caller passes NULL, no change in behaviour. Prepares for
@ -4039,7 +4039,7 @@ index 45fb90381e2..55a49e0ba93 100644
From 5041a6fa5cdfd21bf697249d900ea5c107d355a2 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 2 Jan 2024 14:34:26 +0100
Subject: [PATCH 49/69] smbd: use safe_symlink_target_path() in
Subject: [PATCH 49/70] smbd: use safe_symlink_target_path() in
symlink_target_below_conn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549
@ -4185,7 +4185,7 @@ index 74be444fef5..6582bd60245 100644
From f2fc99f0c7d441115a486413f345c0226a00b38b Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Mon, 18 Dec 2023 12:35:58 +0100
Subject: [PATCH 50/69] smbd: use dirfsp and atname in open_directory()
Subject: [PATCH 50/70] smbd: use dirfsp and atname in open_directory()
On systems without /proc/fd support this avoid the expensive chdir()
logic in non_widelink_open(). open_file_ntcreate() already passes
@ -4230,7 +4230,7 @@ index 6582bd60245..b9849f82396 100644
From 7d102268ebbebf6fc723a43485a82f72069d00ee Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Fri, 16 Dec 2022 16:35:00 +0100
Subject: [PATCH 51/69] smbd: Return open_symlink_err from
Subject: [PATCH 51/70] smbd: Return open_symlink_err from
filename_convert_dirfsp_nosymlink()
Don't lose information returned from openat_pathref_fsp_nosymlink()
@ -4393,7 +4393,7 @@ index 55a49e0ba93..9fd85af992a 100644
From edaabc3d53fddd9e2fa6168c8bf01ebfbf229657 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 25 Apr 2024 15:24:57 +0200
Subject: [PATCH 52/69] s3/lib: add next helper variable in server_id_watch_*
Subject: [PATCH 52/70] s3/lib: add next helper variable in server_id_watch_*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15624
@ -4473,7 +4473,7 @@ index f0189e0e896..50b35f27b3e 100644
From c25f1811c2ccaa2d5cc8005597fb9979aa1102ee Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 4 Apr 2024 12:31:05 +0200
Subject: [PATCH 53/69] s3/lib: add option "serverid watch:debug = yes" to
Subject: [PATCH 53/70] s3/lib: add option "serverid watch:debug = yes" to
print kernel stack of hanging process
We only do if sys_have_proc_fds() returns true, so it's most likely
@ -4595,7 +4595,7 @@ index 50b35f27b3e..c372ec8c431 100644
From 23dbf8f0317810d65e716a3c9b947c7a6549cb46 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 25 Apr 2024 15:17:08 +0200
Subject: [PATCH 54/69] s3/lib: add option "serverid watch:debug script"
Subject: [PATCH 54/70] s3/lib: add option "serverid watch:debug script"
This takes just PID and NODE:PID on a cluster.
@ -4688,7 +4688,7 @@ index c372ec8c431..8ddf9c6b1c8 100644
From 59975168627e4bfbd2e75a611cb8cb13019a7df3 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 5 Apr 2024 12:15:28 +0200
Subject: [PATCH 55/69] smbd: log share_mode_watch_recv() errors as errors
Subject: [PATCH 55/70] smbd: log share_mode_watch_recv() errors as errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15624
@ -4725,7 +4725,7 @@ index b9849f82396..da129119c7f 100644
From e619b72fe1b9c36963c452c1d102009b28e8e289 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 4 Apr 2024 19:18:19 +0200
Subject: [PATCH 56/69] smbd: add option "smbd lease break:debug hung procs"
Subject: [PATCH 56/70] smbd: add option "smbd lease break:debug hung procs"
By enabling this a process sending a lease break message to another process
holding a lease will start watching that process and if that process didn't
@ -4983,7 +4983,7 @@ index da129119c7f..4cc5190f690 100644
From e6a0d821ba28839728371ca94bb364dd6865b5dd Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Wed, 20 Mar 2024 14:27:27 +0100
Subject: [PATCH 57/69] smbd: move trace_state variable behind tv variable
Subject: [PATCH 57/70] smbd: move trace_state variable behind tv variable
Next commit adds timestamp variables to trace_state that want to be initialized
with the current time, so moving behind tv we can then just reuse tv for that.
@ -5031,7 +5031,7 @@ index fbbe4ef3992..188eaa14839 100644
From 15276d7645255ddddf2a3bf6b7a429e3d40ec9b7 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Wed, 20 Mar 2024 14:28:43 +0100
Subject: [PATCH 58/69] smbd: add option "smbd:debug events" for tevent
Subject: [PATCH 58/70] smbd: add option "smbd:debug events" for tevent
handling duration threshold warnings
Can be used to enable printing an error message if tevent event handlers ran
@ -5173,7 +5173,7 @@ index 188eaa14839..dbe91132f7f 100644
From 4631b9d60a874db10dbdd52406d0094a7dbd1356 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 26 Aug 2024 14:11:02 +0200
Subject: [PATCH 59/69] vfs_error_inject: add 'error_inject:durable_reconnect =
Subject: [PATCH 59/70] vfs_error_inject: add 'error_inject:durable_reconnect =
st_ex_nlink'
This allows to simulate durable reconnect failures because the stat
@ -5294,7 +5294,7 @@ index 529504fd8d5..dcf0de0a2d9 100644
From c8e88652163cc56b1f9fb0926a140c81e6b7ec94 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 26 Aug 2024 14:42:02 +0200
Subject: [PATCH 60/69] s4:torture/smb2: add
Subject: [PATCH 60/70] s4:torture/smb2: add
smb2.durable-v2-regressions.durable_v2_reconnect_bug15624
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15624
@ -5470,7 +5470,7 @@ index 5b6477e47bc..9cf7f5da78b 100644
From 56a3aaf95c44052b19b61115686c71d5b7dbab4a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 26 Aug 2024 14:42:12 +0200
Subject: [PATCH 61/69] s3:tests: let test_durable_handle_reconnect.sh run
Subject: [PATCH 61/70] s3:tests: let test_durable_handle_reconnect.sh run
smb2.durable-v2-regressions.durable_v2_reconnect_bug15624
This demonstrates the dead lock after a durable reconnect failed
@ -5530,7 +5530,7 @@ index 0ab32974824..fd5c156956f 100755
From d8f01885145ecfce15f2507fdcc625442db1738c Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 9 Apr 2024 14:52:44 +0200
Subject: [PATCH 62/69] smbd: consolidate DH reconnect failure code
Subject: [PATCH 62/70] smbd: consolidate DH reconnect failure code
No change in behaviour, except that we now
also call fd_close() if vfs_default_durable_cookie()
@ -5834,7 +5834,7 @@ index b21c223b2e4..50075ddd3f7 100644
From b248ddd3dd7193ba44c9ad86488dd180a25e3774 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 9 Apr 2024 14:53:32 +0200
Subject: [PATCH 63/69] smbd: remove just created sharemode entry in the error
Subject: [PATCH 63/70] smbd: remove just created sharemode entry in the error
codepaths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -5906,7 +5906,7 @@ index 50075ddd3f7..98d0d403e30 100644
From 67ff429e41004899e514d893e80332de79ca2bab Mon Sep 17 00:00:00 2001
From: Earl Chew <earl_chew@yahoo.com>
Date: Sun, 17 Dec 2023 08:37:33 -0800
Subject: [PATCH 64/69] Augment library_flags() to return libraries
Subject: [PATCH 64/70] Augment library_flags() to return libraries
Extend library_flags() to return the libraries provided by
pkg-config --libs.
@ -6075,7 +6075,7 @@ index 9c27fc664f0..58858f69b31 100644
From a4f79d7fb725fab47bda53b9482c1ee301a8393a Mon Sep 17 00:00:00 2001
From: Earl Chew <earl_chew@yahoo.com>
Date: Sat, 16 Dec 2023 17:47:09 -0800
Subject: [PATCH 65/69] Improve CHECK_LIB interaction with CHECK_PKG
Subject: [PATCH 65/70] Improve CHECK_LIB interaction with CHECK_PKG
When checking for shared libraries, only name the target library
if it was not previously discoverd by pkg-config --libs and now
@ -6134,7 +6134,7 @@ index d3b6503c5ca..b1d2f761095 100644
From 2b4f5a62eac69e12ecd9a1e3919ea4a8b3d40820 Mon Sep 17 00:00:00 2001
From: Earl Chew <earl_chew@yahoo.com>
Date: Sat, 16 Dec 2023 08:48:36 -0800
Subject: [PATCH 66/69] Combine ICU libraries icu-i18n and icu-uc into a single
Subject: [PATCH 66/70] Combine ICU libraries icu-i18n and icu-uc into a single
dependency
Rather than probing for icu-i18n, icu-uc, and icudata libraries
@ -6244,7 +6244,7 @@ index 58858f69b31..c49b55a4fd4 100644
From 8e5968634b263c20ad71c75e839abb217614b567 Mon Sep 17 00:00:00 2001
From: Earl Chew <earl_chew@yahoo.com>
Date: Fri, 10 May 2024 19:46:28 -0700
Subject: [PATCH 67/69] Restore empty string default for conf.env['icu-libs']
Subject: [PATCH 67/70] Restore empty string default for conf.env['icu-libs']
The reworked ICU libraries configuration code used [] as
default for conf.env['icu-libs']. This breaks dependency analysis
@ -6281,7 +6281,7 @@ index c49b55a4fd4..adae44eab5e 100644
From 88a29be0ed6cf611eb812c0729d2ee61be07a3a3 Mon Sep 17 00:00:00 2001
From: Earl Chew <earl_chew@yahoo.com>
Date: Fri, 27 Sep 2024 06:50:31 -0700
Subject: [PATCH 68/69] Describe implication of upstream ICU-22610
Subject: [PATCH 68/70] Describe implication of upstream ICU-22610
Add commentary to link commit 86c7688 (MR !3447) to the upstream
fix for ICU-22610 in case there is subsequent breakage.
@ -6320,7 +6320,7 @@ index adae44eab5e..451f7f7bca3 100644
From 72c6766af2ac55854b816147a277404d98b1de9a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 8 Jan 2026 11:55:18 +0100
Subject: [PATCH 69/69] smbd: add a directory argument to
Subject: [PATCH 69/70] smbd: add a directory argument to
safe_symlink_target_path()
Existing caller passes NULL, no change in behaviour. Prepares for
@ -6445,3 +6445,77 @@ index 9fd85af992a..f6e9ed6aae0 100644
--
2.52.0
From 9b8c2d3abe56b53b4ac7dfb6af927a889580ae7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Mon, 19 Jan 2026 14:33:52 +0100
Subject: [PATCH 70/70] s3:libads: Reset ads->config.flags in ads_disconnect()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is doing the same thing in ads_disconnect() as commit
a26f535 Clear previous CLDAP ping flags when reusing the ADS_STRUCT
did in ads_current_time()
In this case we:
1) found cached ADS_STRUCT which already has ads->config.flags set:
lookup_groupmem()
ads_cached_connection()
ads_cached_connection_reuse()
2) started search which immediately timeouts (the cached conn. was dead)
ads_do_search_retry_internal()
ldap_search_with_timeout() - IO_TIMEOUT
3) Retry loop finds a new DC and tries to connect
ads_do_search_retry_internal()
ads_disconnect()
ads_find_dc()
ads_try_connect()
netlogon_pings()
check_cldap_reply_required_flags()
4) check_cldap_reply_required_flags() fails since ads->config.flags
(stored possibly long time ago) contain:
NBT_SERVER_CLOSEST 0x00000080
which is misinterpreted as:
DS_PDC_REQUIRED 0x00000080
the newly found DC is not PDC (we asked for DS_ONLY_LDAP_NEEDED)
and since previous DC had NBT_SERVER_CLOSEST we want DS_PDC_REQUIRED
and fail.
We should anyway avoid mixing independent namespaces NBT_* and DS_*
in the same flag.
Next commit will do that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9f3a35991feb01a8d2c2b69fa0b914bbc637a809)
---
source3/libads/ldap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index cc00753ff74..625377fa2cc 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1068,6 +1068,7 @@ void ads_disconnect(ADS_STRUCT *ads)
if (ads->ldap_wrap_data.mem_ctx) {
talloc_free(ads->ldap_wrap_data.mem_ctx);
}
+ ads->config.flags = 0;
ads_zero_ldap(ads);
ZERO_STRUCT(ads->ldap_wrap_data);
}
--
2.52.0

5
samba.spec
View File

@ -147,7 +147,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global samba_version 4.19.4
%global baserelease 13
%global baserelease 14
# This should be rc1 or %%nil
%global pre_release %nil
@ -4479,6 +4479,9 @@ fi
%endif
%changelog
* Tue Jan 27 2026 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-14
- resolves: RHEL-144390 - Fix winbind group resolution
* Thu Jan 08 2026 Andreas Schneider <asn@redhat.com> - 4.19.4-13
- resolves: RHEL-131616 - Fix regression with relative symlinks in a share