import CS samba-4.23.5-6.el9

This commit is contained in:
AlmaLinux RelEng Bot 2026-03-30 11:03:00 -04:00
parent b7f65a31ea
commit aec19cff4b
8 changed files with 1114 additions and 518 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/samba-4.22.4.tar.xz
SOURCES/samba-4.23.5.tar.xz
SOURCES/samba-pubkey_AA99442FB680B620.gpg

View File

@ -1,2 +1,2 @@
1437538612045e08c3dde1527825d11a11a6d71f SOURCES/samba-4.22.4.tar.xz
19e3789510e8306f9584f56e198559f5c1c5bbc2 SOURCES/samba-4.23.5.tar.xz
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg

View File

@ -1,492 +0,0 @@
From b0ff8644c06b01252bdbac6a31c77c5781d4b5a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Tue, 29 Jul 2025 11:19:07 +0200
Subject: [PATCH 1/3] selftest: Add the short name for localvampiredc to hosts
file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 5d2f60ae5aa96751b74901ae5384291ef338b152)
---
selftest/target/Samba4.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 9da339f6239..af0434a8e6b 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -878,7 +878,7 @@ nogroup:x:65534:nobody
my $hostname = lc($ctx->{hostname});
open(HOSTS, ">>$ctx->{nsswrap_hosts}");
- if ($hostname eq "localdc") {
+ if ($hostname eq "localdc" || $hostname eq "localvampiredc") {
print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
} else {
--
2.51.0
From 03431792b4707e50afc8f9e356f08a91f4fb67c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Mon, 4 Aug 2025 11:20:54 +0200
Subject: [PATCH 2/3] tests: Add test for 'net ads join' to a preferred DC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 36f6ac547c09f492d1dcab11570e8bcbd377cf26)
---
selftest/knownfail | 1 +
source4/selftest/tests.py | 1 +
.../test_net_ads_join_to_preferred_dc.sh | 61 +++++++++++++++++++
3 files changed, 63 insertions(+)
create mode 100755 testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh
diff --git a/selftest/knownfail b/selftest/knownfail
index ab2d79d7114..7c0e9dd00e7 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -335,6 +335,7 @@
^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.*
^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued_clean
^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing
+^samba4.blackbox.net_ads_join.join
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 9c5e85e428a..14a41ba77ed 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -902,6 +902,7 @@ plantestsuite("samba4.blackbox.rfc2307_mapping",
plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', r"CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX/chgdcpass', "aes256-cts-hmac-sha1-96", '$PREFIX/chgdcpass', smbclient3])
plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
plantestsuite("samba4.blackbox.net_ads", "ad_dc:client", [os.path.join(bbdir, "test_net_ads.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS'])
+plantestsuite("samba4.blackbox.net_ads_join", "vampire_dc:client", [os.path.join(bbdir, "test_net_ads_join_to_preferred_dc.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX'])
plantestsuite("samba4.blackbox.net_offlinejoin", "ad_dc:client", [os.path.join(bbdir, "test_net_offline.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS'])
plantestsuite("samba4.blackbox.client_etypes_all(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'all', '17_18_23'])
plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'legacy', '23'])
diff --git a/testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh b/testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh
new file mode 100755
index 00000000000..1bebc2f4dbe
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh
@@ -0,0 +1,61 @@
+if [ $# -lt 4 ]; then
+ cat <<EOF
+Usage: test_net_ads.sh DC_SERVER DC_USERNAME DC_PASSWORD BASEDIR
+EOF
+ exit 1
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+BASEDIR=$4
+
+HOSTNAME=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10)
+
+RUNDIR=$(pwd)
+cd $BASEDIR
+WORKDIR=$(mktemp -d -p .)
+WORKDIR=$(basename $WORKDIR)
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads"
+
+# Load test functions
+. $(dirname $0)/subunit.sh
+. "$(dirname "${0}")/common_test_fns.inc"
+
+# This test is run in environment with two DCs ('localdc' and 'localvampiredc')
+# The 'net ads join' has these two steps:
+# 1. create machine account at DC ('-S' points to 'localvampiredc')
+# 2. create keytab and sync the KVNO from a DC
+#
+# It must be ensured that in step #2 the keytab code contacts the same DC
+# ('localvampiredc'). The configuration below tries to break it.
+# We disable [SAF/DOMAIN/...] and [SAFJOIN/DOMAIN/...] by setting TTL to '-1'
+# And via setting 'password server' to 'localdc' we manage that
+# get_dc_list() returns 'localdc' instead of 'localvampiredc'
+#
+# As long as the keytab code is not explicitly told to use the same DC as join,
+# we get failure:
+# gensec_gse_client_prepare_ccache: Kinit for F0D26C71F6$@SAMBA.EXAMPLE.COM to access ldap/localdc.samba.example.com failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE
+
+cat <<EOF >>$BASEDIR/$WORKDIR/client.conf
+sync machine password to keytab = $BASEDIR/keytab:account_name:machine_password:sync_kvno
+password server = $DC_SERVER
+saf: join ttl = -1
+saf: ttl = -1
+EOF
+
+testit "join" $VALGRIND $net_tool ads join -S$SERVER -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1)
+
+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1)
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed
--
2.51.0
From 5cff37091161976a979752351003c9c1deb0d39f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 28 Jul 2025 10:43:36 +0200
Subject: [PATCH 3/3] s3:net: Pass down the server from cmdline to
sync_pw2keytabs()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This makes sure that during 'net ads join' the keytab create code
- sync_pw2keytabs() talks to the same DC at what the machine account
was created.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Pair-Programmed-With: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Fri Sep 5 13:38:33 UTC 2025 on atb-devel-224
(cherry picked from commit 5d1d3a8b568b5a07ed1ed537d20aa93820cecc14)
---
selftest/knownfail | 1 -
source3/include/secrets.h | 25 ++++++++++++++----------
source3/libads/ads_proto.h | 2 +-
source3/libads/kerberos_keytab.c | 24 ++++++++++++++++++++---
source3/libads/trusts_util.c | 15 ++++++++------
source3/libads/util.c | 10 ++++++----
source3/libnet/libnet_join.c | 2 +-
source3/passdb/machine_account_secrets.c | 10 ++++++----
source3/utils/net.c | 10 ++++++----
source3/utils/net_ads.c | 2 +-
10 files changed, 66 insertions(+), 35 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index 7c0e9dd00e7..ab2d79d7114 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -335,7 +335,6 @@
^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.*
^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued_clean
^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing
-^samba4.blackbox.net_ads_join.join
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index a454c8bb8ff..061b9c6ef34 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -125,12 +125,15 @@ char *secrets_domain_info_string(TALLOC_CTX *mem_ctx, const struct secrets_domai
NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain,
TALLOC_CTX *mem_ctx,
struct secrets_domain_info1 **pinfo);
-NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname,
- const char *cleartext_unix,
- TALLOC_CTX *mem_ctx,
- struct secrets_domain_info1 **pinfo,
- struct secrets_domain_info1_change **pprev,
- NTSTATUS (*sync_pw2keytabs_fn)(void));
+NTSTATUS secrets_prepare_password_change(
+ const char *domain,
+ const char *dcname,
+ const char *cleartext_unix,
+ TALLOC_CTX *mem_ctx,
+ struct secrets_domain_info1 **pinfo,
+ struct secrets_domain_info1_change **pprev,
+ NTSTATUS (*sync_pw2keytabs_fn)(const char *),
+ const char *opt_host);
NTSTATUS secrets_failed_password_change(const char *change_server,
NTSTATUS local_status,
NTSTATUS remote_status,
@@ -139,10 +142,12 @@ NTSTATUS secrets_defer_password_change(const char *change_server,
NTSTATUS local_status,
NTSTATUS remote_status,
const struct secrets_domain_info1 *info);
-NTSTATUS secrets_finish_password_change(const char *change_server,
- NTTIME change_time,
- const struct secrets_domain_info1 *info,
- NTSTATUS (*sync_pw2keytabs_fn)(void));
+NTSTATUS secrets_finish_password_change(
+ const char *change_server,
+ NTTIME change_time,
+ const struct secrets_domain_info1 *info,
+ NTSTATUS (*sync_pw2keytabs_fn)(const char *),
+ const char *prefer_dc);
bool secrets_delete_machine_password_ex(const char *domain, const char *realm);
bool secrets_delete_domain_sid(const char *domain);
char *secrets_fetch_prev_machine_password(const char *domain);
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 8440c35e46d..2e67eef155c 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -230,6 +230,6 @@ struct spn_struct {
/* parse a windows style SPN, returns NULL if parsing fails */
struct spn_struct *parse_spn(TALLOC_CTX *ctx, const char *srvprinc);
-NTSTATUS sync_pw2keytabs(void);
+NTSTATUS sync_pw2keytabs(const char *prefer_dc);
#endif /* _LIBADS_ADS_PROTO_H_ */
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 49a892e5a55..1d4f9c12e1d 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -84,6 +84,7 @@ struct pw2kt_global_state {
char *ad_upn;
char *ad_sam_account;
char **ad_spn_array;
+ const char *prefer_dc;
size_t ad_num_spns;
/* This is from secrets.db */
struct secrets_domain_info1 *info;
@@ -869,8 +870,11 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_global_state *state)
int count;
bool ok;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
- ADS_STRUCT *ads = ads_init(
- tmp_ctx, lp_realm(), lp_workgroup(), NULL, ADS_SASL_SIGN);
+ ADS_STRUCT *ads = ads_init(tmp_ctx,
+ lp_realm(),
+ lp_workgroup(),
+ state->prefer_dc,
+ ADS_SASL_SIGN);
if (ads == NULL) {
DBG_ERR("ads_init() failed\n");
@@ -1029,7 +1033,20 @@ static bool pw2kt_default_keytab_name(char *name_str, size_t name_size)
return true;
}
-NTSTATUS sync_pw2keytabs(void)
+/**
+ * @internal
+ *
+ * @brief Sync machine password from secrets to keytab
+ *
+ * @param prefer_dc The DC we should talk to. This is especially important
+ * during domain join. Pass NULL if we should pick a random
+ * one.
+ *
+ * @return An NTSTATUS error code.
+ *
+ * @see NT_STATUS_IS_OK()
+ */
+NTSTATUS sync_pw2keytabs(const char *prefer_dc)
{
TALLOC_CTX *frame = talloc_stackframe();
const struct loadparm_substitution *lp_sub =
@@ -1055,6 +1072,7 @@ NTSTATUS sync_pw2keytabs(void)
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
+ state->prefer_dc = prefer_dc;
lp_ptr = lp_sync_machine_password_to_keytab();
if (lp_ptr == NULL) {
diff --git a/source3/libads/trusts_util.c b/source3/libads/trusts_util.c
index 6a39f32f350..c51c556e86b 100644
--- a/source3/libads/trusts_util.c
+++ b/source3/libads/trusts_util.c
@@ -360,10 +360,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
&info,
&prev,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ NULL /* opt_host */);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("secrets_prepare_password_change() failed for domain %s!\n",
domain));
@@ -610,10 +611,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
prev->password->change_time,
info,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ prev->password->change_server);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("secrets_prepare_password_change() failed for domain %s!\n",
domain));
@@ -759,10 +761,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
info->next_change->change_time,
info,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ info->next_change->change_server);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("secrets_finish_password_change() failed for domain %s!\n",
domain));
diff --git a/source3/libads/util.c b/source3/libads/util.c
index 243dd09f3d0..360e556ab9b 100644
--- a/source3/libads/util.c
+++ b/source3/libads/util.c
@@ -59,10 +59,11 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip
&info,
&prev,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ ads->auth.kdc_server);
if (!NT_STATUS_IS_OK(status)) {
return ADS_ERROR_NT(status);
}
@@ -138,10 +139,11 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip
now,
info,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ ads->auth.kdc_server);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("Failed to save machine password\n"));
return ADS_ERROR_NT(status);
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 5796c68e2e0..cb997dcbe23 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -867,7 +867,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
struct libnet_JoinCtx *r)
{
- NTSTATUS ntstatus = sync_pw2keytabs();
+ NTSTATUS ntstatus = sync_pw2keytabs(r->in.dc_name);
return NT_STATUS_IS_OK(ntstatus);
}
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 0679535f026..568d77a3892 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -1674,7 +1674,8 @@ NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname,
TALLOC_CTX *mem_ctx,
struct secrets_domain_info1 **pinfo,
struct secrets_domain_info1_change **pprev,
- NTSTATUS (*sync_pw2keytabs_fn)(void))
+ NTSTATUS (*sync_pw2keytabs_fn)(const char *),
+ const char *opt_host)
{
TALLOC_CTX *frame = talloc_stackframe();
struct db_context *db = NULL;
@@ -1770,7 +1771,7 @@ NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname,
}
if (prev == NULL && sync_pw2keytabs_fn != NULL) {
- status = sync_pw2keytabs_fn();
+ status = sync_pw2keytabs_fn(opt_host);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("Sync of machine password failed.\n");
dbwrap_transaction_cancel(db);
@@ -2023,7 +2024,8 @@ NTSTATUS secrets_defer_password_change(const char *change_server,
NTSTATUS secrets_finish_password_change(const char *change_server,
NTTIME change_time,
const struct secrets_domain_info1 *cookie,
- NTSTATUS (*sync_pw2keytabs_fn)(void))
+ NTSTATUS (*sync_pw2keytabs_fn)(const char *),
+ const char *prefer_dc)
{
const char *domain = cookie->domain_info.name.string;
TALLOC_CTX *frame = talloc_stackframe();
@@ -2102,7 +2104,7 @@ NTSTATUS secrets_finish_password_change(const char *change_server,
}
if (sync_pw2keytabs_fn != NULL) {
- status = sync_pw2keytabs_fn();
+ status = sync_pw2keytabs_fn(prefer_dc);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("Sync of machine password failed.\n");
TALLOC_FREE(frame);
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 7ce93ced79e..ecabd980d0c 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -235,10 +235,11 @@ static int net_changesecretpw(struct net_context *c, int argc,
&info,
&prev,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ c->opt_host);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr,
_("Unable to write the machine account password in the secrets database"));
@@ -261,10 +262,11 @@ static int net_changesecretpw(struct net_context *c, int argc,
now,
info,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ c->opt_host);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr,
_("Unable to write the machine account password in the secrets database"));
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 46531210411..753b957e43f 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2965,7 +2965,7 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a
net_use_krb_machine_account(c);
}
- ntstatus = sync_pw2keytabs();
+ ntstatus = sync_pw2keytabs(c->opt_host);
ret = NT_STATUS_IS_OK(ntstatus) ? 0 : 1;
return ret;
}
--
2.51.0

957
SOURCES/redhat-4.23.patch Normal file
View File

@ -0,0 +1,957 @@
From e8384b6daea3b8091ad1bcfce84efc9e2c6a746d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Thu, 22 Jan 2026 14:27:09 +0100
Subject: [PATCH 01/13] s3:libads: Allocate cli_credentials on a stackframe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes:
ERROR: talloc_free with references at ../../source3/libads/ldap_utils.c:158
What happens:
* `struct cli_credentials *creds` is allocated on `ads` talloc context
* gensec_set_credentials() creates a talloc_reference to `creds`
* TALLOC_FREE(creds) sees two parents and complains
All other code is using temporary talloc_stackframe() for `creds`.
Do it here as well.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 23 11:20:28 UTC 2026 on atb-devel-224
---
source3/libads/ldap_utils.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c
index 9d6d962a2bc..d01afa69697 100644
--- a/source3/libads/ldap_utils.c
+++ b/source3/libads/ldap_utils.c
@@ -99,6 +99,7 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
struct cli_credentials *creds = NULL;
char *cred_name = NULL;
NTSTATUS ntstatus;
+ TALLOC_CTX *frame = talloc_stackframe();
if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) &&
ads->config.ldap_page_size >= (lp_ldap_page_size() / 4) &&
@@ -119,18 +120,20 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
DBG_NOTICE("Search for %s in <%s> failed: %s\n",
expr, bp, ads_errstr(status));
SAFE_FREE(bp);
+ TALLOC_FREE(frame);
return status;
}
ntstatus = ads->auth.reconnect_state->fn(ads,
ads->auth.reconnect_state->private_data,
- ads, &creds);
+ frame, &creds);
if (!NT_STATUS_IS_OK(ntstatus)) {
DBG_WARNING("Failed to get creds for realm(%s): %s\n",
ads->server.realm, nt_errstr(ntstatus));
DBG_WARNING("Search for %s in <%s> failed: %s\n",
expr, bp, ads_errstr(status));
SAFE_FREE(bp);
+ TALLOC_FREE(frame);
return status;
}
@@ -151,11 +154,11 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
* callers depend on it being around.
*/
ads_disconnect(ads);
- TALLOC_FREE(creds);
+ TALLOC_FREE(frame);
SAFE_FREE(bp);
return status;
}
- TALLOC_FREE(creds);
+ TALLOC_FREE(frame);
*res = NULL;
--
2.53.0
From 7af95c7cb142aeb5f422a69d3b7a0ea3c0d2c2c2 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Mon, 26 Jan 2026 13:36:02 +0100
Subject: [PATCH 02/13] s3:rpc_client: Fix memory leak opening local named pipe
If no local server name was passed to rpc_pipe_open_local_np() then
get_myname() was called with NULL talloc context instead of the
current stackframe.
This was causing an increase of memory usage on busy servers with long-living
rpcd_* workers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jan 27 10:13:40 UTC 2026 on atb-devel-224
(cherry picked from commit 24dc455362fb49ef81c99d95880e106a234ce29a)
---
source3/rpc_client/cli_pipe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index e3f48526492..c61b8eb16cf 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3625,7 +3625,7 @@ NTSTATUS rpc_pipe_open_local_np(
}
if (local_server_name == NULL) {
- local_server_name = get_myname(result);
+ local_server_name = get_myname(frame);
}
if (local_server_addr != NULL) {
--
2.53.0
From ab1287f78bd9d2397c8eb26fbedafa028e2aaa16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Dec 2025 17:17:33 +0100
Subject: [PATCH 03/13] s3-selftest: mention in-memory ccache usage when
nothing is provided
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/script/tests/test_net_ads_kerberos.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
index 8a3c9ef2bc7..92d3996d078 100755
--- a/source3/script/tests/test_net_ads_kerberos.sh
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -30,6 +30,7 @@ KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
## Test "net ads kerberos kinit" variants
#################################################
+#simply uses in memory ccache
testit "net_ads_kerberos_kinit" \
"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
@@ -50,6 +51,7 @@ rm -f "$KRB5CCNAME_PATH"
# --use-krb5-ccache=${KRB5CCNAME} \
# || failed=$((failed + 1))
+#simply uses in memory ccache
testit "net_ads_kerberos_kinit (-P)" \
"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
-P "$ADDARGS" \
--
2.53.0
From 0aa0d39e9a5deb77114f40930b599f11fd7cf3b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Dec 2025 17:18:41 +0100
Subject: [PATCH 04/13] s3-selftest: verify KRB5CCNAME presence after kinit
using klist
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/script/tests/test_net_ads_kerberos.sh | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
index 92d3996d078..c53520cf733 100755
--- a/source3/script/tests/test_net_ads_kerberos.sh
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -14,6 +14,12 @@ PREFIX="$4"
shift 4
ADDARGS="$*"
+if [ -x $(which klist) ]; then
+ KLIST=$(which klist);
+else
+ KLIST="test -e";
+fi
+
incdir=$(dirname "$0")/../../../testprogs/blackbox
. "$incdir"/subunit.sh
@@ -41,6 +47,9 @@ testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
|| failed=$((failed + 1))
+testit "klist env $KRB5CCNAME" \
+ "$KLIST" "$KRB5CCNAME" \
+ || failed=$((failed +1))
unset KRB5CCNAME
rm -f "$KRB5CCNAME_PATH"
@@ -62,6 +71,9 @@ testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \
"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
-P "$ADDARGS" \
|| failed=$((failed + 1))
+testit "klist env $KRB5CCNAME" \
+ "$KLIST" "$KRB5CCNAME" \
+ || failed=$((failed +1))
unset KRB5CCNAME
rm -f "$KRB5CCNAME_PATH"
--
2.53.0
From b9c07d59c6a20931b80fa104629477ab8f78b4ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Dec 2025 17:01:31 +0100
Subject: [PATCH 05/13] s3-selftest: Activate "net ads kerberos kinit" tests
with --use-krb5-ccache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail | 2 ++
source3/script/tests/test_net_ads_kerberos.sh | 30 +++++++++++--------
2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index ab2d79d7114..76f1dae605d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -338,3 +338,5 @@
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
+
+^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.*
diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
index c53520cf733..b7933bab6a6 100755
--- a/source3/script/tests/test_net_ads_kerberos.sh
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -53,12 +53,15 @@ testit "klist env $KRB5CCNAME" \
unset KRB5CCNAME
rm -f "$KRB5CCNAME_PATH"
-# --use-krb5-ccache is not working
-#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
-# $VALGRIND $BINDIR/net ads kerberos kinit \
-# -U$USERNAME%$PASSWORD $ADDARGS \
-# --use-krb5-ccache=${KRB5CCNAME} \
-# || failed=$((failed + 1))
+testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ --use-krb5-ccache="${KRB5CCNAME_PATH}" \
+ || failed=$((failed + 1))
+testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \
+ "$KLIST" "$KRB5CCNAME_PATH" \
+ || failed=$((failed +1))
+rm -f "$KRB5CCNAME_PATH"
#simply uses in memory ccache
testit "net_ads_kerberos_kinit (-P)" \
@@ -77,12 +80,15 @@ testit "klist env $KRB5CCNAME" \
unset KRB5CCNAME
rm -f "$KRB5CCNAME_PATH"
-# --use-krb5-ccache is not working
-#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
-# $VALGRIND $BINDIR/net ads kerberos kinit \
-# -P $ADDARGS \
-# --use-krb5-ccache=${KRB5CCNAME} \
-# || failed=$((failed + 1))
+testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+ --use-krb5-ccache="${KRB5CCNAME_PATH}" \
+ || failed=$((failed + 1))
+testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \
+ "$KLIST" "$KRB5CCNAME_PATH" \
+ || failed=$((failed +1))
+rm -f "$KRB5CCNAME_PATH"
#################################################
--
2.53.0
From c82b7636b633575621e8e5964a93332956c238ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Dec 2025 16:56:44 +0100
Subject: [PATCH 06/13] s3-net: properly setup krb5 ccache name via
--use-krb5-ccache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail | 2 --
source3/utils/net.c | 19 ++++++++++++-------
source3/utils/net_ads.c | 4 ++++
3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index 76f1dae605d..ab2d79d7114 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -338,5 +338,3 @@
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-
-^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.*
diff --git a/source3/utils/net.c b/source3/utils/net.c
index ecabd980d0c..271c96cf804 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1396,7 +1396,7 @@ static struct functable net_func[] = {
cli_credentials_get_principal_obtained(c->creds);
enum credentials_obtained password_obtained =
cli_credentials_get_password_obtained(c->creds);
- char *krb5ccname = NULL;
+ const char *krb5ccname = NULL;
if (principal_obtained == CRED_SPECIFIED) {
c->explicit_credentials = true;
@@ -1415,15 +1415,20 @@ static struct functable net_func[] = {
}
/* cli_credentials_get_ccache_name_obtained() would not work
- * here, we also cannot get the content of --use-krb5-ccache= so
- * for now at least honour the KRB5CCNAME environment variable
- * to get 'net ads kerberos' functions to work at all - gd */
-
- krb5ccname = getenv("KRB5CCNAME");
- if (krb5ccname == NULL) {
+ * here but we can now access the content of the
+ * --use-krb5-ccache option via cli credentials. Fallback to
+ * KRB5CCNAME environment variable to get 'net ads kerberos'
+ * functions to work at all - gd */
+
+ krb5ccname = cli_credentials_get_out_ccache_name(c->creds);
+ if (krb5ccname == NULL || krb5ccname[0] == '\0') {
+ krb5ccname = getenv("KRB5CCNAME");
+ }
+ if (krb5ccname == NULL || krb5ccname[0] == '\0') {
krb5ccname = talloc_strdup(c, "MEMORY:net");
}
if (krb5ccname == NULL) {
+ DBG_ERR("Not able to setup krb5 ccache");
exit(1);
}
c->opt_krb5_ccache = krb5ccname;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index d49b7537e71..5c57a0b290e 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3245,7 +3245,11 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
if (ret) {
d_printf(_("failed to kinit password: %s\n"),
nt_errstr(status));
+ return ret;
}
+
+ d_printf("Stored Kerberos TGT in: %s\n", c->opt_krb5_ccache);
+
return ret;
}
--
2.53.0
From 4f5ffea631d805564f7e92cc5f0f2f7ad55ba493 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Sat, 13 Dec 2025 13:49:37 +0100
Subject: [PATCH 07/13] doc-xml: Document "net ads kerberos" commands
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jan 5 15:49:04 UTC 2026 on atb-devel-224
---
docs-xml/manpages/net.8.xml | 139 ++++++++++++++++++++++++++++++++++++
1 file changed, 139 insertions(+)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index d9293d0bb34..737415b3722 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1810,7 +1810,146 @@ the following entry types;
</refsect2>
+<refsect2>
+ <title>ADS KERBEROS</title>
+
+<para>
+ Issue Kerberos operations against an Active Directory KDC.
+</para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS KERBEROS KINIT</title>
+
+<para>
+ Issue a kinit request for a given user. When no other options are
+ defined the ticket granting ticket (TGT) will be stored in a memory cache.
+</para>
+
+<para>
+ To store the TGT in a different location either use the
+ <option>--krb5-ccache</option> option or set the
+ <replaceable>KRB5CCNAME</replaceable> environment variable.
+</para>
+
+<para>Example: <userinput>net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS KERBEROS RENEW</title>
+
+<para>
+ Renew an already acquired ticket granting ticket (TGT).
+</para>
+
+<para>Example: <userinput>net ads kerberos renew</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS KERBEROS PAC</title>
+
+<para>
+ Request a Kerberos PAC while authenticating to an Active Directory KDC.
+</para>
+
+<para>
+ The following commands are provided:
+</para>
+
+<simplelist>
+<member>net ads kerberos pac dump - Dump a PAC to stdout.</member>
+<member>net ads kerneros pac save - Save a PAC to a file.</member>
+</simplelist>
+
+<para>
+ All commands allow to define an impersonation principal to do a Kerberos
+ Service for User (S4U2SELF) operation via
+ the <replaceable>impersonate=STRING</replaceable> option.
+ The impersonation principal can have multiple different formats:
+</para>
+
+<itemizedlist>
+ <listitem>
+ <para><replaceable>user@MY.REALM</replaceable></para>
+ <para>This is the default format.</para>
+ </listitem>
+ <listitem>
+ <para><replaceable>user@MY.REALM@MY.REALM</replaceable></para>
+ <para>The Kerberos Service for User (S4U2SELF) also supports
+ Enterprise Principals.</para>
+ </listitem>
+ <listitem>
+ <para><replaceable>user@UPN.SUFFIX@MY.REALM</replaceable></para>
+ <para>Enterprise Principal using a defined upn suffix.</para>
+ </listitem>
+ <listitem>
+ <para><replaceable>user@WORKGROUP@MY.REALM</replaceable></para>
+ <para>Enterprise Principal with netbios domain name.
+ This format is currently not supported by Samba AD.</para>
+ </listitem>
+</itemizedlist>
+<para>
+ By default net will request a service ticket for the local service
+ of the joined machine. A different service can be defined via
+ <replaceable>local_service=STRING</replaceable>.
+</para>
+
+</refsect2>
+<refsect2>
+ <title>ADS KERBEROS PAC DUMP [impersonate=string] [local_service=string] [pac_buffer_type=int]</title>
+
+<para>
+ Request a Kerberos PAC while authenticating to an Active Directory KDC.
+ The PAC will be printed on stdout.
+</para>
+
+<para>
+ When no specific pac_buffer is selected, all buffers will be printed.
+ It is possible to select a specific one via
+ <replaceable>pac_buffer_type=INT</replaceable> from this list:
+</para>
+
+<simplelist>
+<member>1 PAC_TYPE_LOGON_INFO</member>
+<member>2 PAC_TYPE_CREDENTIAL_INFO</member>
+<member>6 PAC_TYPE_SRV_CHECKSUM</member>
+<member>7 PAC_TYPE_KDC_CHECKSUM</member>
+<member>10 PAC_TYPE_LOGON_NAME</member>
+<member>11 PAC_TYPE_CONSTRAINED_DELEGATION</member>
+<member>12 PAC_TYPE_UPN_DNS_INFO</member>
+<member>13 PAC_TYPE_CLIENT_CLAIMS_INFO</member>
+<member>14 PAC_TYPE_DEVICE_INFO</member>
+<member>15 PAC_TYPE_DEVICE_CLAIMS_INFO</member>
+<member>16 PAC_TYPE_TICKET_CHECKSUM</member>
+<member>17 PAC_TYPE_ATTRIBUTES_INFO</member>
+<member>18 PAC_TYPE_REQUESTER_SID</member>
+<member>19 PAC_TYPE_FULL_CHECKSUM</member>
+</simplelist>
+
+<para>Example: <userinput>net ads kerberos pac dump -P impersonate=anyuser@MY.REALM.COM</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS KERBEROS PAC SAVE [impersonate=string] [local_service=string] [filename=string]</title>
+
+<para>
+ Request a Kerberos PAC while authenticating to an Active Directory KDC.
+ The PAC will be saved in a file.
+</para>
+
+<para>
+ The filename to store the PAC can be set via the
+ <replaceable>filename=STRING</replaceable> option.
+</para>
+
+<para>Example: <userinput>net ads kerberos pac save -U user%password filename=/tmp/pacstore</userinput></para>
+
+</refsect2>
<refsect2>
<title>SAM CREATEBUILTINGROUP &lt;NAME&gt;</title>
--
2.53.0
From f634526bd95b8396ea7f5f1c8ed059eb01a5286b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Tue, 3 Feb 2026 12:53:10 +0100
Subject: [PATCH 08/13] s3:utils: 'net ads kerberos kinit' should use also
default ccache name from krb5.conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is re-introducing the behavior from samba-4.20 where both these
commands operated on the same ccache (default_ccache_name in
[libdefaults] section of krb5.conf)
'net ads kerberos kinit -P'
'klist'
With samba-4.21 it no longer works, 'net ads kerberos kinit -P'
fallbacks to 'MEMORY:net' (which is of a very limited use, ticket
cannot be used by other process) and klist finds no ticket.
The order is changed from:
--use-krb5-ccache
env "KRB5CCNAME"
"MEMORY:net"
to ("MEMORY:net" is removed):
--use-krb5-ccache
env "KRB5CCNAME"
default_ccache_name
'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials.
Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name()
because of commit:
1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 4cc6a13590434f6a3aa1add663728188970d727e)
---
source3/utils/net.c | 36 ++++++++++++++++++++++++++----------
1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 271c96cf804..0ce03f8213d 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -54,6 +54,7 @@
#include "source3/utils/passwd_proto.h"
#include "auth/gensec/gensec.h"
#include "lib/param/param.h"
+#include "lib/krb5_wrap/krb5_samba.h"
#ifdef WITH_FAKE_KASERVER
#include "utils/net_afs.h"
@@ -1414,18 +1415,33 @@ static struct functable net_func[] = {
CRED_SPECIFIED);
}
- /* cli_credentials_get_ccache_name_obtained() would not work
- * here but we can now access the content of the
- * --use-krb5-ccache option via cli credentials. Fallback to
- * KRB5CCNAME environment variable to get 'net ads kerberos'
- * functions to work at all - gd */
-
+ /*
+ * Priority order for krb5 credential cache name
+ *
+ * via cli_credentials_get_out_ccache_name() :
+ *
+ * 1. '--use-krb5-ccache' option
+ *
+ * via krb5_cc_default_name() :
+ *
+ * 2. KRB5CCNAME environment variable
+ * 3. default_ccache_name in [libdefaults] section of krb5.conf
+ * 4. ...more - krb5_cc_default_name() always returns something
+ * - see documentation
+ */
krb5ccname = cli_credentials_get_out_ccache_name(c->creds);
if (krb5ccname == NULL || krb5ccname[0] == '\0') {
- krb5ccname = getenv("KRB5CCNAME");
- }
- if (krb5ccname == NULL || krb5ccname[0] == '\0') {
- krb5ccname = talloc_strdup(c, "MEMORY:net");
+ krb5_context ct = NULL;
+ krb5_error_code ret = smb_krb5_init_context_common(&ct);
+
+ if (ret == 0) {
+ krb5ccname = smb_force_krb5_cc_default_name(ct);
+ if (krb5ccname != NULL) {
+ krb5ccname = talloc_strdup(c,
+ krb5ccname);
+ }
+ krb5_free_context(ct);
+ }
}
if (krb5ccname == NULL) {
DBG_ERR("Not able to setup krb5 ccache");
--
2.53.0
From 0ca830d6ddded29b2b5d1969ebcbc4df1156656e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Thu, 5 Feb 2026 16:04:25 +0100
Subject: [PATCH 09/13] manpages: Update NET ADS KERBEROS KINIT manpage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Feb 5 21:11:13 UTC 2026 on atb-devel-224
(cherry picked from commit 9d083a28fe45afd8f82441c6e24255e4c64c113b)
---
docs-xml/manpages/net.8.xml | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 737415b3722..b793361a27f 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1823,17 +1823,37 @@ the following entry types;
<title>ADS KERBEROS KINIT</title>
<para>
- Issue a kinit request for a given user. When no other options are
- defined the ticket granting ticket (TGT) will be stored in a memory cache.
+ Issue a kinit request for a given user. The following methods can be used
+ to specify where to store the ticket granting ticket (TGT) (in order of
+ precedence):
</para>
-<para>
- To store the TGT in a different location either use the
- <option>--krb5-ccache</option> option or set the
- <replaceable>KRB5CCNAME</replaceable> environment variable.
-</para>
+<itemizedlist>
+ <listitem>
+ <para>option <option>--use-krb5-ccache</option></para>
+ </listitem>
+ <listitem>
+ <para><replaceable>KRB5CCNAME</replaceable> environment variable</para>
+ </listitem>
+ <listitem>
+ <para><parameter>default_ccache_name</parameter> setting in <filename>krb5.conf</filename></para>
+ </listitem>
+</itemizedlist>
-<para>Example: <userinput>net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache</userinput></para>
+<variablelist><title>Examples:</title>
+<varlistentry>
+<term>Use file based cache (FILE:/tmp/krb5cache)</term>
+<listitem><literallayout>
+net ads kerberos kinit -P --use-krb5-ccache=/tmp/krb5cache
+</literallayout></listitem>
+</varlistentry>
+<varlistentry>
+<term>Use memory cache (MEMORY:net) to verify the authentication</term>
+<listitem><literallayout>
+net ads kerberos kinit -P --use-krb5-ccache=MEMORY:net
+</literallayout></listitem>
+</varlistentry>
+</variablelist>
</refsect2>
--
2.53.0
From 44b613d80c6a3818cc6ca593d57d51cd1bc00aa5 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Fri, 13 Feb 2026 11:54:46 +0000
Subject: [PATCH 10/13] selftest: Update tests to use
--use-kereros=desired|required no creds
Add tests to call smbclient without passing credentials to
demonstrate failure with --use-kereros=desired
Also add knownfail
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a22af9420965083b99b956477d1833000b7f2414)
---
selftest/knownfail | 2 ++
source3/script/tests/test_smbclient_kerberos.sh | 12 ++++++++++++
2 files changed, 14 insertions(+)
diff --git a/selftest/knownfail b/selftest/knownfail
index ab2d79d7114..f0a5f7bb935 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -315,6 +315,8 @@
# ad_member don't support ntlmv1 (not even over SMB1)
^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member
^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member
+# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789
+samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).*
#nt-vfs server blocks read with execute access
^samba4.smb2.read.access
#ntvfs server blocks copychunk with execute access on read handle
diff --git a/source3/script/tests/test_smbclient_kerberos.sh b/source3/script/tests/test_smbclient_kerberos.sh
index 31678d17e28..1139efd70d7 100755
--- a/source3/script/tests/test_smbclient_kerberos.sh
+++ b/source3/script/tests/test_smbclient_kerberos.sh
@@ -73,6 +73,18 @@ test_smbclient "smbclient.smb3.kerberos.desired[//${SERVER}/tmp]" \
--use-kerberos=desired -U${USERNAME}%${PASSWORD} -mSMB3 ||
failed=$(expr $failed + 1)
+test_smbclient "smbclient.smb3.kerberos.desired (no user/pass) [//${SERVER}/tmp]" \
+ "ls; quit" //${SERVER}/tmp \
+ --use-kerberos=desired -mSMB3 ||
+ failed=$(expr $failed + 1)
+
+test_smbclient "smbclient.smb3.kerberos.required (no user/pass) [//${SERVER}/tmp]" \
+ "ls; quit" //${SERVER}/tmp \
+ --use-kerberos=required -mSMB3 ||
+ failed=$(expr $failed + 1)
+
+
+
$samba_kdestroy
rm -rf $KRB5CCNAME_PATH
--
2.53.0
From 65f70c0505759489a8b219e1297f8cdee2cc260a Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Mon, 19 Jan 2026 15:46:59 +0000
Subject: [PATCH 11/13] auth/credentials: Fix regression with
--use-kerberos=desired for smbclient
As part of the gse_krb5 processing the following call chain
gensec_gse_client_start()
---> gensec_kerberos_possible()
---> cli_credentials_authentication_requested()
gensec_kerberos_possible() will always fail when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
It seems since use kerberos == desired is the default that it isn't
necessary to see if credentials were modified to indicated authentication
was requested. gensec_kerberos_possible() should afaics return true
if kerberos is desired OR required (regardless of whether credentials
were requested)
This commit removes the knownfail associated with this bug.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 88f42eb222f299189d5f5f8204ae353e63a50970)
---
auth/gensec/gensec_util.c | 5 -----
selftest/knownfail | 2 --
2 files changed, 7 deletions(-)
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index 0c7688d33d2..af6d198d48f 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -362,7 +362,6 @@ char *gensec_get_unparsed_target_principal(struct gensec_security *gensec_securi
NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
{
struct cli_credentials *creds = gensec_get_credentials(gensec_security);
- bool auth_requested = cli_credentials_authentication_requested(creds);
enum credentials_use_kerberos krb5_state =
cli_credentials_get_kerberos_state(creds);
char *user_principal = NULL;
@@ -370,10 +369,6 @@ NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
const char *target_principal = gensec_get_target_principal(gensec_security);
const char *hostname = gensec_get_target_hostname(gensec_security);
- if (!auth_requested) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if (krb5_state == CRED_USE_KERBEROS_DISABLED) {
return NT_STATUS_INVALID_PARAMETER;
}
diff --git a/selftest/knownfail b/selftest/knownfail
index f0a5f7bb935..ab2d79d7114 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -315,8 +315,6 @@
# ad_member don't support ntlmv1 (not even over SMB1)
^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member
^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member
-# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789
-samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).*
#nt-vfs server blocks read with execute access
^samba4.smb2.read.access
#ntvfs server blocks copychunk with execute access on read handle
--
2.53.0
From 8c955cad98b197936fceaf98306047e1f929ddfe Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Mon, 19 Jan 2026 16:10:10 +0000
Subject: [PATCH 12/13] s3/libsmb: cli_session_creds_init fails when kerberos
is desired
There is a regression with code using cli_session_creds_init when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
Authentication succeeds when boolean fallback_after_kerberos is false
and fails when true.
There doesn't seem to be a good reason why the value of
fallback_after_kerberos should initialise the krb5 ccache or not.
It would seems that krb5 cache should be setup for creds
for *any* kerberos auth (whether fallback is enabled or not)
Partial patch from <will69@gmx.de> (see bug referenced below)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1c48599105736499d18aa1f647bce9e1f8dbdcca)
---
source3/libsmb/cliconnect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 116f746d37e..3fd423d8e5f 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -218,7 +218,7 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
goto fail;
}
}
- } else if (use_kerberos && !fallback_after_kerberos) {
+ } else if (use_kerberos) {
const char *error_string = NULL;
int rc;
--
2.53.0
From 015167aea7ece2bb683f86aa4b8c688d7a83267d Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Mon, 19 Jan 2026 16:18:02 +0000
Subject: [PATCH 13/13] s3/libsmb: block anon authentication fallback is
use-kerberos = desired
When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED
libsmbclient method SMBC_server_internal will still try to fallback to
anon NTLM. This patch prevents that.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224
(cherry picked from commit bc868800276fe09cbcb206ebe4cb4da32af7599f)
---
source3/libsmb/libsmb_server.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index f9b52e1f05a..8c7208aaee0 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -632,6 +632,8 @@ SMBC_server_internal(TALLOC_CTX *ctx,
password_used = "";
if (smbc_getOptionNoAutoAnonymousLogin(context) ||
+ cli_credentials_get_kerberos_state(creds) ==
+ CRED_USE_KERBEROS_REQUIRED ||
!NT_STATUS_IS_OK(cli_session_setup_anon(c))) {
cli_shutdown(c);
--
2.53.0

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAminOhEACgkQqplEL7aA
tiDtRg//e/Jocf1iPjaEtiR2tGQSnqQPdaaRId8luFu0ykevvIiR+GL2IctJnvWZ
IYL/svmWAlLULgb+13S1Gs7CGYTievrh+OaEnuo+CmnGpNYUFO/yyymBW9eWFGA4
bA6ilMjE2KgyCakvBT22mL9IFGZQsKQh46YXjs4hCKZdadx733/Znwj/kIkm0Wxl
S6gnxstroM5zUbA/Xw26KUOBTd0mTZXXKH14HSH1XX3RNgA0/FsZ+kde4Y+VUwP+
t/LvuNqN2s/pyUeKd8eoiZv7zTwUT1gsvoBTWP8kzmubtBbxz4abJ9QCEb/HEdkv
iMh1RbRQZRKpmIo/NzAMRhxDyuVtzg69Egn19iLjnPfmrpqDZpxhi5csNumIFKsi
bFmT7/KTZfKvsg9h5SfHL3JeblYbEQNjIhDutdZ3yJ+JymAkaWjChHqY0wTwiZbX
pHing+t+c4SRx2064/jBFn48kdj1JweEaGSGdEEwa7zejMHLcl7vKheyGqSTWMYH
XiBtm1kN2gLrgazLFNXKTD9YectYPmRkiv6f1hUhqLfac2jkwIdWeT1LIPqJ2fMw
YrNk4UYYS4L7PZSXUJ3r88RGPWJvTa7WQrM556uxcspCr7W6TauMRe0hKquqOekH
0J4jD+hmfuEQ/LryC29rSLSNG0N99v2nWuAn78KxUk7FuZ9H4og=
=D+9R
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmlzV8sACgkQqplEL7aA
tiCrUxAAkEcyHkI48DZpwRd+0rP2IJC+6vpGj/RSGHdlyztw3R+49EOW9HURNqsl
8FHHUairod5CzyXc2UfoZNHuo5s3YE2WOuxSur2W8/FYPVllX9sOvNilaQsplvDX
8zMsQ4Ky5z57EeScDFaGl/NPypLcJ5i2hrBHRrn4Gsa5koKs9M+BlO1/xH8TBFPG
hAAXaLFw8pkMFDEIIrRMdOGAUeNaBq3dVkfzPAgd6FYAAUjuP/3O2gM87zLPgbf1
5Deg+HYNLhKaAUNJPs3OuiLZTN3FpRAif/DKJCL16kbNxygN71OXI1vf20BooNpj
qTx3xseHraHkTy3HElru5CTlW+jYPLd7UqHcH0g+wRp/xlwH5vR7vc+wZpyFmOfm
OThXsVzZKzwQo9Ce+N9vs0FgSR0BLXvHHIs77XV0BdC3G/tE+iOPsp1GFbmhC5Dn
F/hqFmbKBBNiqv2v1s3mT1rX8DNeUaHA44coJJnr8vc9fMtrqkDuBiAOtzknm+j+
IW3NLWsvl2y94anc9Aq6Ffanc1qSwVvdFNb/d1dZjR7sLP19UdJAFZTiJ/V2yQET
++AX9DKBtIO0KguJowEROrRu+inOT/Rs4PLwxxbtEVxqmqH7An+nO0FzV+xSjI/1
l+zLG3njDFDSDS/cXvrnzvFAWqs/5pKmlhcDzAicnuUgIzsKd08=
=qxcw
-----END PGP SIGNATURE-----

View File

@ -18,6 +18,9 @@
load printers = yes
cups options = raw
# Install samba-usershares package for support
include = /etc/samba/usershares.conf
[homes]
comment = Home Directories
valid users = %S, %D%w%S

View File

@ -117,13 +117,20 @@
%bcond etcd_mutex 0
%endif
# Build the prometheus exporter by default on Fedora
%if 0%{?fedora}
%bcond prometheus 1
%else
%bcond prometheus 0
%endif
%ifarch aarch64 ppc64le s390x x86_64
%bcond lmdb 1
%else
%bcond lmdb 0
%endif
%global samba_version 4.22.4
%global samba_version 4.23.5
# The release field is extended:
# <pkgrel>[.<extraver>][.<snapinfo>]%%{?dist}[.<minorbump>]
@ -169,8 +176,8 @@
%global libwbclient_so_version 0
%global talloc_version 2.4.3
%global tdb_version 1.4.13
%global tevent_version 0.16.2
%global tdb_version 1.4.14
%global tevent_version 0.17.1
%global required_mit_krb5 1.20.1
@ -229,11 +236,11 @@ Source202: samba.abignore
#
# git clone git@gitlab.com:samba-redhat/samba.git
# cd samba
# git checkout v4-22-redhat
# git format-patch --stdout -l1 --no-renames -N > redhat-4.22.patch
# git checkout v4-23-redhat
# git format-patch --stdout -l1 --no-renames -N > redhat-4.23.patch
# where N is number of commits
Patch0: redhat-4.22.patch
Patch0: redhat-4.23.patch
Requires(pre): %{name}-common = %{samba_depver}
Requires: %{name}-common = %{samba_depver}
@ -334,6 +341,11 @@ BuildRequires: xz
BuildRequires: zlib-devel >= 1.2.3
BuildRequires: pkgconfig(libsystemd)
# TODO FIXME This is not in RHEL yet
%if 0%{?fedora} >= 43
BuildRequires: pkgconfig(libngtcp2)
BuildRequires: pkgconfig(libngtcp2_crypto_gnutls)
%endif
%ifnarch i686
%if 0%{?fedora} >= 37
@ -363,6 +375,9 @@ BuildRequires: librados-devel
%if %{with etcd_mutex}
BuildRequires: python3-etcd
%endif
%if %{with prometheus}
BuildRequires: libevent-devel
%endif
BuildRequires: cepces-certmonger >= 0.3.8
@ -1224,6 +1239,18 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB
#endif with clustering
%endif
%if %{with prometheus}
%package prometheus
Summary: SMB Prometheus exporter
Requires: samba = %{samba_depver}
%description prometheus
Support for exporting metrics via Prometheus
#endif with prometheus
%endif
### LIBLDB
%package -n libldb
Summary: A schema-less, ldap like, API and database
@ -1232,7 +1259,6 @@ License: LGPL-3.0-or-later
Requires: libtalloc%{?_isa} >= %{talloc_version}
Requires: libtdb%{?_isa} >= %{tdb_version}
Requires: libtevent%{?_isa} >= %{tevent_version}
Requires: samba-common-libs = %{samba_depver}
# /endif without includelibs
%endif
@ -1375,6 +1401,8 @@ if [ -n "${CCACHE}" ]; then
fi
%endif
# workaround https://gitlab.com/ita1024/waf/-/issues/2472
export PYTHONARCHDIR=%{python3_sitearch}
%configure \
--enable-fhs \
--with-piddir=/run \
@ -1414,6 +1442,9 @@ fi
%endif
%if %{with etcd_mutex}
--enable-etcd-reclock \
%endif
%if %{with prometheus}
--with-prometheus-exporter \
%endif
--with-profiling-data \
--with-systemd \
@ -2013,22 +2044,27 @@ fi
%{_libdir}/samba/libndr-samba4-private-samba.so
%{_libdir}/samba/libnet-keytab-private-samba.so
%{_libdir}/samba/libnetif-private-samba.so
%if 0%{?rhel}
%{_libdir}/samba/libngtcp2-crypto-gnutls-private-samba.so
%{_libdir}/samba/libngtcp2-private-samba.so
%endif
%{_libdir}/samba/libnpa-tstream-private-samba.so
%{_libdir}/samba/libposix-eadb-private-samba.so
%{_libdir}/samba/libprinter-driver-private-samba.so
%{_libdir}/samba/libprinting-migrate-private-samba.so
%{_libdir}/samba/libquic-private-samba.so
%{_libdir}/samba/libregistry-private-samba.so
%{_libdir}/samba/libsamba-cluster-support-private-samba.so
%{_libdir}/samba/libsamba-debug-private-samba.so
%{_libdir}/samba/libsamba-modules-private-samba.so
%{_libdir}/samba/libsamba-security-private-samba.so
%{_libdir}/samba/libsamba-security-trusts-private-samba.so
%{_libdir}/samba/libsamba-sockets-private-samba.so
%{_libdir}/samba/libsamba3-util-private-samba.so
%{_libdir}/samba/libsamdb-common-private-samba.so
%{_libdir}/samba/libsecrets3-private-samba.so
%{_libdir}/samba/libserver-id-db-private-samba.so
%{_libdir}/samba/libserver-role-private-samba.so
%{_libdir}/samba/libsmb-transport-private-samba.so
%{_libdir}/samba/libsmbclient-raw-private-samba.so
%{_libdir}/samba/libsmbd-base-private-samba.so
%{_libdir}/samba/libsmbd-shim-private-samba.so
@ -2124,6 +2160,7 @@ fi
%{_mandir}/man8/net.8*
%{_mandir}/man8/pdbedit.8*
%{_mandir}/man8/smbpasswd.8*
%{_datadir}/locale/*/LC_MESSAGES/net.mo
### TOOLS
%files tools
@ -2201,6 +2238,7 @@ fi
%{_libdir}/samba/ldb/subtree_delete.so
%{_libdir}/samba/ldb/subtree_rename.so
%{_libdir}/samba/ldb/tombstone_reanimate.so
%{_libdir}/samba/ldb/trust_notify.so
%{_libdir}/samba/ldb/unique_object_sids.so
%{_libdir}/samba/ldb/update_keytab.so
%{_libdir}/samba/ldb/vlv.so
@ -2246,6 +2284,7 @@ fi
%{_libdir}/samba/service/dns.so
%{_libdir}/samba/service/dns_update.so
%{_libdir}/samba/service/drepl.so
%{_libdir}/samba/service/ft_scanner.so
%{_libdir}/samba/service/kcc.so
%{_libdir}/samba/service/kdc.so
%{_libdir}/samba/service/ldap.so
@ -2598,6 +2637,7 @@ fi
%{python3_sitearch}/samba/dcerpc/atsvc.*.so
%{python3_sitearch}/samba/dcerpc/auth.*.so
%{python3_sitearch}/samba/dcerpc/base.*.so
%{python3_sitearch}/samba/dcerpc/bcrypt_rsakey_blob.*.so
%{python3_sitearch}/samba/dcerpc/claims.*.so
%{python3_sitearch}/samba/dcerpc/conditional_ace.*.so
%{python3_sitearch}/samba/dcerpc/dcerpc.*.so
@ -2613,6 +2653,7 @@ fi
%{python3_sitearch}/samba/dcerpc/idmap.*.so
%{python3_sitearch}/samba/dcerpc/initshutdown.*.so
%{python3_sitearch}/samba/dcerpc/irpc.*.so
%{python3_sitearch}/samba/dcerpc/keycredlink.*.so
%{python3_sitearch}/samba/dcerpc/krb5ccache.*.so
%{python3_sitearch}/samba/dcerpc/krb5pac.*.so
%{python3_sitearch}/samba/dcerpc/lsa.*.so
@ -2634,6 +2675,7 @@ fi
%{python3_sitearch}/samba/dcerpc/spoolss.*.so
%{python3_sitearch}/samba/dcerpc/srvsvc.*.so
%{python3_sitearch}/samba/dcerpc/svcctl.*.so
%{python3_sitearch}/samba/dcerpc/tpm20_rsakey_blob.*.so
%{python3_sitearch}/samba/dcerpc/unixinfo.*.so
%{python3_sitearch}/samba/dcerpc/winbind.*.so
%{python3_sitearch}/samba/dcerpc/windows_event_ids.*.so
@ -3137,6 +3179,7 @@ fi
%{python3_sitearch}/samba/tests/__pycache__/auth_log_netlogon_bad_creds.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/auth_log_samlogon.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/auth_log_winbind.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/bcrypt_rsakey_blob.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/common.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/complex_expressions.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/compression.*.pyc
@ -3178,6 +3221,7 @@ fi
%{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/imports.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/join.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/key_credential_link.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc
@ -3255,6 +3299,7 @@ fi
%{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/token_factory.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/tpm20_rsakey_blob.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/upgrade.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/upgradeprovision.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/upgradeprovisionneeddc.*.pyc
@ -3272,6 +3317,7 @@ fi
%{python3_sitearch}/samba/tests/auth_log_pass_change.py
%{python3_sitearch}/samba/tests/auth_log_samlogon.py
%{python3_sitearch}/samba/tests/auth_log_winbind.py
%{python3_sitearch}/samba/tests/bcrypt_rsakey_blob.py
%dir %{python3_sitearch}/samba/tests/blackbox
%{python3_sitearch}/samba/tests/blackbox/__init__.py
%dir %{python3_sitearch}/samba/tests/blackbox/__pycache__
@ -3340,6 +3386,7 @@ fi
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/array.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/dfs.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc
@ -3360,6 +3407,7 @@ fi
%{python3_sitearch}/samba/tests/dcerpc/array.py
%{python3_sitearch}/samba/tests/dcerpc/bare.py
%{python3_sitearch}/samba/tests/dcerpc/binding.py
%{python3_sitearch}/samba/tests/dcerpc/dfs.py
%{python3_sitearch}/samba/tests/dcerpc/dnsserver.py
%{python3_sitearch}/samba/tests/dcerpc/integer.py
%{python3_sitearch}/samba/tests/dcerpc/lsa.py
@ -3432,6 +3480,7 @@ fi
%{python3_sitearch}/samba/tests/kcc/graph_utils.py
%{python3_sitearch}/samba/tests/kcc/kcc_utils.py
%{python3_sitearch}/samba/tests/kcc/ldif_import_export.py
%{python3_sitearch}/samba/tests/key_credential_link.py
%dir %{python3_sitearch}/samba/tests/krb5
%dir %{python3_sitearch}/samba/tests/krb5/__pycache__
%{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc
@ -3547,6 +3596,12 @@ fi
%{python3_sitearch}/samba/tests/net_join_no_spnego.py
%{python3_sitearch}/samba/tests/net_join.py
%{python3_sitearch}/samba/tests/netlogonsvc.py
%dir %{python3_sitearch}/samba/tests/nss
%dir %{python3_sitearch}/samba/tests/nss/__pycache__
%{python3_sitearch}/samba/tests/nss/__pycache__/base.*.pyc
%{python3_sitearch}/samba/tests/nss/__pycache__/group.*.pyc
%{python3_sitearch}/samba/tests/nss/base.py
%{python3_sitearch}/samba/tests/nss/group.py
%{python3_sitearch}/samba/tests/ntacls.py
%{python3_sitearch}/samba/tests/ntacls_backup.py
%{python3_sitearch}/samba/tests/ntlmdisabled.py
@ -3707,10 +3762,21 @@ fi
%{python3_sitearch}/samba/tests/subunitrun.py
%{python3_sitearch}/samba/tests/tdb_util.py
%{python3_sitearch}/samba/tests/token_factory.py
%{python3_sitearch}/samba/tests/tpm20_rsakey_blob.py
%{python3_sitearch}/samba/tests/upgrade.py
%{python3_sitearch}/samba/tests/upgradeprovision.py
%{python3_sitearch}/samba/tests/upgradeprovisionneeddc.py
%{python3_sitearch}/samba/tests/usage.py
%dir %{python3_sitearch}/samba/tests/varlink
%dir %{python3_sitearch}/samba/tests/varlink/__pycache__
%{python3_sitearch}/samba/tests/varlink/__pycache__/base.*.pyc
%{python3_sitearch}/samba/tests/varlink/__pycache__/getgrouprecord.*.pyc
%{python3_sitearch}/samba/tests/varlink/__pycache__/getmemberships.*.pyc
%{python3_sitearch}/samba/tests/varlink/__pycache__/getuserrecord.*.pyc
%{python3_sitearch}/samba/tests/varlink/base.py
%{python3_sitearch}/samba/tests/varlink/getgrouprecord.py
%{python3_sitearch}/samba/tests/varlink/getmemberships.py
%{python3_sitearch}/samba/tests/varlink/getuserrecord.py
%{python3_sitearch}/samba/tests/xattr.py
### TEST
@ -3779,6 +3845,7 @@ fi
%config(noreplace) %{_sysconfdir}/security/pam_winbind.conf
%{_mandir}/man5/pam_winbind.conf.5*
%{_mandir}/man8/pam_winbind.8*
%{_datadir}/locale/*/LC_MESSAGES/pam_winbind.mo
%if %{with clustering}
%files -n ctdb
@ -3928,6 +3995,13 @@ fi
%{_mandir}/man1/winexe.1.gz
%endif
%if %{with prometheus}
%files prometheus
%{_bindir}/smb_prometheus_endpoint
%{_mandir}/man8/smb_prometheus_endpoint.8.gz
#endif with prometheus
%endif
%files -n libldb
%license lib/ldb/LICENSE
%{_libdir}/libldb.so.*
@ -3989,6 +4063,60 @@ fi
%changelog
## START: Generated by rpmautospec
* Thu Feb 19 2026 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.5-6
- Fix regression with --use-kerberos=desired for smbclient
- resolves: RHEL-150824
* Wed Feb 11 2026 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.5-5
- Fix 'net ads kerberos kinit' to use default ccache name from krb5.conf
- resolves: RHEL-147419
* Wed Feb 11 2026 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.5-4
- Fix samba-bgqd to load [printers] share
- resolves: RHEL-147858
* Tue Jan 27 2026 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.5-3
- Fix 'net ads kerberos kinit -P' with option '--use-krb5-ccache'
- resolves: RHEL-144590
* Tue Jan 27 2026 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.5-2
- Fix winbind memory leak seen with long living rpcd_* workers
- resolves: RHEL-144480
* Fri Jan 23 2026 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.5-1
- Update to version 4.23.5
- resolves: RHEL-143401 - Fix winbind group resolution
- resolves: RHEL-141027 - Fix winbind crash
* Thu Dec 18 2025 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.4-2
- Remove libldb dependency to samba-common-libs
- resolves: RHEL-133003
* Mon Dec 15 2025 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.4-1
- Update to version 4.23.4
- resolves: RHEL-114548 - Update to version 4.23.4
- resolves: RHEL-132995 - Fix Time Machine backup
- resolves: RHEL-133003 - Remove unexpected dependency of libldb to samba
* Mon Dec 15 2025 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.3-2
- Remove osci.brew-build.tier0.functional from gating.yaml
* Fri Nov 07 2025 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.3-1
- Update to version 4.23.3
- resolves: RHEL-114548
* Thu Sep 18 2025 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.0-3
- Update to pre-version of 4.23.1
- resolves: RHEL-114548
* Thu Sep 18 2025 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.0-2
- smb.conf: include /etc/samba/usershares.conf
- related: RHEL-114548
* Sat Sep 13 2025 Pavel Filipenský <pfilipensky@samba.org> - 0:4.23.0-1
- Update to version 4.23.0
- resolves: RHEL-114548
* Thu Sep 11 2025 Pavel Filipenský <pfilipensky@samba.org> - 0:4.22.4-6
- resolves: RHEL-104147 - Fix 'net ads join' in setups with multiple DCs