From af5e9d536967e5b1069454aef6f5546435141822 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 8 Jan 2026 13:11:38 +0100 Subject: [PATCH] Fix regression with relative symlinks in a share resolves: RHEL-131616 --- samba-4.19-redhat.patch | 795 +++++++++++++++++++++++++++++++++------- samba.spec | 5 +- 2 files changed, 673 insertions(+), 127 deletions(-) diff --git a/samba-4.19-redhat.patch b/samba-4.19-redhat.patch index 8f747fb..d0ecfad 100644 --- a/samba-4.19-redhat.patch +++ b/samba-4.19-redhat.patch @@ -1,7 +1,7 @@ From 3c29fc78029e1274f931e171c9e04c19ad0182c1 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Thu, 17 Aug 2023 01:05:54 +0300 -Subject: [PATCH 01/63] gp: Support more global trust directories +Subject: [PATCH 01/69] gp: Support more global trust directories In addition to the SUSE global trust directory, add support for RHEL and Debian-based distributions (including Ubuntu). @@ -60,13 +60,13 @@ index 312c8ddf467..1b90ab46e90 100644 # Symlink the certs to global trust dir dst = os.path.join(global_trust_dir, os.path.basename(src)) -- -2.51.0 +2.52.0 From 063606e8ec83a58972df47eb561ab267f8937ba4 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Thu, 17 Aug 2023 01:09:28 +0300 -Subject: [PATCH 02/63] gp: Support update-ca-trust helper +Subject: [PATCH 02/69] gp: Support update-ca-trust helper This is used on RHEL/Fedora instead of update-ca-certificates. They behave similarly so it's enough to change the command name. @@ -104,13 +104,13 @@ index 1b90ab46e90..cefdafa21b2 100644 Popen([update]).wait() # Setup Certificate Auto Enrollment -- -2.51.0 +2.52.0 From 3b548bf280ca59ef12a7af10a9131813067a850a Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 11 Aug 2023 18:46:42 +0300 -Subject: [PATCH 03/63] gp: Change root cert extension suffix +Subject: [PATCH 03/69] gp: Change root cert extension suffix On Ubuntu, certificates must end in '.crt' in order to be considered by the `update-ca-certificates` helper. 
@@ -138,13 +138,13 @@ index cefdafa21b2..c562722906b 100644 w.write(cert) root_certs.append(dest) -- -2.51.0 +2.52.0 From 7592ed5032836dc43f657f66607a0a4661edcdb4 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 18 Aug 2023 17:06:43 +0300 -Subject: [PATCH 04/63] gp: Test with binary content for certificate data +Subject: [PATCH 04/69] gp: Test with binary content for certificate data This fails all GPO-related tests that call `gpupdate --rsop`. @@ -216,13 +216,13 @@ index 00000000000..0aad59607c2 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.51.0 +2.52.0 From 7f7b235bda9e85c5ea330e52e734d1113a884571 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:20:11 +0300 -Subject: [PATCH 05/63] gp: Convert CA certificates to base64 +Subject: [PATCH 05/69] gp: Convert CA certificates to base64 I don't know whether this applies universally, but in our case the contents of `es['cACertificate'][0]` are binary, so cleanly converting @@ -289,13 +289,13 @@ index 0aad59607c2..00000000000 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.51.0 +2.52.0 From 49cc74015a603e80048a38fe635cd1ac28938ee4 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 18 Aug 2023 17:16:23 +0300 -Subject: [PATCH 06/63] gp: Test adding new cert templates enforces changes +Subject: [PATCH 06/69] gp: Test adding new cert templates enforces changes Ensure that cepces-submit reporting additional templates and re-applying will enforce the updated policy. @@ -422,13 +422,13 @@ index 00000000000..4edc1dce730 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.51.0 +2.52.0 From 4c0906bd79f030e591701234bc54bc749a42d686 Mon Sep 17 00:00:00 2001 
From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:37:17 +0300 -Subject: [PATCH 07/63] gp: Template changes should invalidate cache +Subject: [PATCH 07/69] gp: Template changes should invalidate cache If certificate templates are added or removed, the autoenroll extension should react to this and reapply the policy. Previously this wasn't @@ -487,13 +487,13 @@ index 4edc1dce730..00000000000 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.51.0 +2.52.0 From e61f30dc2518d5a1c239f090baea4a309307f3f8 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 18 Aug 2023 17:26:59 +0300 -Subject: [PATCH 08/63] gp: Test disabled enrollment unapplies policy +Subject: [PATCH 08/69] gp: Test disabled enrollment unapplies policy For this we need to stage a Registry.pol file with certificate autoenrollment enabled, but with checkboxes unticked. @@ -588,13 +588,13 @@ index 00000000000..83bc9f0ac1f @@ -0,0 +1 @@ +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.51.0 +2.52.0 From 7757b9b48546d71e19798d1260da97780caa99c3 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:33:59 +0300 -Subject: [PATCH 09/63] gp: Send list of keys instead of dict to remove +Subject: [PATCH 09/69] gp: Send list of keys instead of dict to remove `cache_get_all_attribute_values` returns a dict whereas we need to pass a list of keys to `remove`. These will be interpolated in the gpdb search. @@ -634,13 +634,13 @@ index 83bc9f0ac1f..00000000000 @@ -1 +0,0 @@ -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.51.0 +2.52.0 From 4e9b2e6409c5764ec0e66cc6c90b08e70f702e7c Mon Sep 17 00:00:00 2001 
From: Andreas Schneider Date: Tue, 9 Jan 2024 08:50:01 +0100 -Subject: [PATCH 10/63] python:gp: Print a nice message if cepces-submit can't +Subject: [PATCH 10/69] python:gp: Print a nice message if cepces-submit can't be found BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552 @@ -691,13 +691,13 @@ index 64c35782ae8..08d1a7348cd 100644 def getca(ca, url, trust_dir): -- -2.51.0 +2.52.0 From fb3aefff51c02cf8ba3f8dfeb7d3f971e8d4902a Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Mon, 8 Jan 2024 18:05:08 +0200 -Subject: [PATCH 11/63] gpo: Test certificate policy without NDES +Subject: [PATCH 11/69] gpo: Test certificate policy without NDES As of 8231eaf856b, the NDES feature is no longer required on Windows, as cert auto-enroll can use the certificate from the LDAP request. @@ -895,13 +895,13 @@ index 00000000000..f1e590bc7d8 @@ -0,0 +1 @@ +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes -- -2.51.0 +2.52.0 From 1a9af36177c7491687c75df151474bb10285f00e Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Thu, 18 Jan 2024 20:23:24 +0200 -Subject: [PATCH 12/63] gpo: Decode base64 root cert before importing +Subject: [PATCH 12/69] gpo: Decode base64 root cert before importing The reasoning behind this is described in the previous commit message, but essentially this should either be wrapped in certificate blocks and @@ -948,13 +948,13 @@ index f1e590bc7d8..00000000000 @@ -1 +0,0 @@ -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes -- -2.51.0 +2.52.0 From f5fc88f9ae255f4dc135580f0fa4a02f5addc390 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 19 Jan 2024 11:36:19 +0200 -Subject: [PATCH 13/63] gpo: Do not get templates list on first run +Subject: [PATCH 13/69] gpo: Do not get templates list on first run This is a visual fix and has no impact on functionality apart from cleaner log messages. 
@@ -997,13 +997,13 @@ index cd5e54f1110..559c903e1a2 100644 if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: self.unapply(guid, attribute, old_val) -- -2.51.0 +2.52.0 From e8a6219181f2af87813b53fd09684650c1aa6f90 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Fri, 5 Jan 2024 08:47:07 -0700 -Subject: [PATCH 14/63] gp: Skip site GP list if no site is found +Subject: [PATCH 14/69] gp: Skip site GP list if no site is found [MS-GPOL] 3.2.5.1.4 Site Search says if the site search returns ERROR_NO_SITENAME, the GP site @@ -1065,13 +1065,13 @@ index 617ef79350c..babd8f90748 100644 # (L)ocal gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy", -- -2.51.0 +2.52.0 From d0d1a890d6f2466691fa4ee663232ee0bd1c3776 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 14:14:30 +0100 -Subject: [PATCH 15/63] python:gp: Avoid path check for cepces-submit +Subject: [PATCH 15/69] python:gp: Avoid path check for cepces-submit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1111,13 +1111,13 @@ index 559c903e1a2..7325d5132cf 100644 '%s --server=%s --auth=%s' % (cepces_submit, ca['hostname'], auth)], -- -2.51.0 +2.52.0 From 7f6c9a4945635c6eb8ada2255bd0febbf0f4e540 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 14:07:47 +0100 -Subject: [PATCH 16/63] python:gp: Improve logging for certificate enrollment +Subject: [PATCH 16/69] python:gp: Improve logging for certificate enrollment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1171,13 +1171,13 @@ index 7325d5132cf..a25a9678587 100644 getcert = which('getcert') cepces_submit = find_cepces_submit() -- -2.51.0 +2.52.0 From 5321d5b5bd24d7659743576f2e12a7dc0a93a828 Mon Sep 17 00:00:00 2001 
From: Andreas Schneider Date: Mon, 22 Jan 2024 15:04:36 +0100 -Subject: [PATCH 17/63] python:gp: Do not print an error, if CA already exists +Subject: [PATCH 17/69] python:gp: Do not print an error, if CA already exists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1217,13 +1217,13 @@ index a25a9678587..0b23cd688db 100644 for template in supported_templates: attrs = fetch_template_attrs(ldb, template) -- -2.51.0 +2.52.0 From 6a7a8a4090b8cdb8e71f4ad590260ceeda253ce2 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:05:02 +0100 -Subject: [PATCH 18/63] python:gp: Do not print an error if template already +Subject: [PATCH 18/69] python:gp: Do not print an error if template already exists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1264,13 +1264,13 @@ index 0b23cd688db..db681cb6f69 100644 data['templates'].append(nickname) if update is not None: -- -2.51.0 +2.52.0 From 43dc3d5d833bc1db885eb45402decd3225a7c946 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:05:24 +0100 -Subject: [PATCH 19/63] python:gp: Log an error if update fails +Subject: [PATCH 19/69] python:gp: Log an error if update fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1301,13 +1301,13 @@ index db681cb6f69..c8ad2039dc6 100644 log.warn('certmonger and cepces must be installed for ' + 'certificate auto enrollment to work') -- -2.51.0 +2.52.0 From d8276d6a098d10f405b8f24c4dfb82af4496607c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:46:24 +0100 -Subject: [PATCH 20/63] python:gp: Improve working of log messages to avoid +Subject: [PATCH 20/69] python:gp: Improve working of log messages to avoid confusion MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 
@@ -1354,13 +1354,13 @@ index c8ad2039dc6..2b7f7d22c2b 100644 log.warn('Installing the server certificate only.') der_certificate = base64.b64decode(ca['cACertificate']) -- -2.51.0 +2.52.0 From 585357bf0d8889747a2769c2451ee34766087d95 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 29 Jan 2024 17:46:30 +0100 -Subject: [PATCH 21/63] python:gp: Fix logging with gp +Subject: [PATCH 21/69] python:gp: Fix logging with gp This allows enable INFO level logging with: `samba-gpupdate -d3` @@ -1396,13 +1396,13 @@ index a74a8707d50..c3de32825db 100644 logger.setLevel(logging.CRITICAL) if log_level == 1: -- -2.51.0 +2.52.0 From 14ceb0b5f2f954bbabdaf78b8185fc515e3c8294 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Wed, 13 Mar 2024 13:55:41 +0100 -Subject: [PATCH 22/63] docs-xml: Add parameter all_groupmem to idmap_ad +Subject: [PATCH 22/69] docs-xml: Add parameter all_groupmem to idmap_ad MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1438,13 +1438,13 @@ index b364bbfa231..de6d36afe95 100644 This parameter is a list of OUs from which objects will not be mapped via the ad idmap -- -2.51.0 +2.52.0 From ac4184c8c3220263cb6f1a46a012533ed1c4e047 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 12 Mar 2024 13:20:24 +0100 -Subject: [PATCH 23/63] s3:winbindd: Improve performance of lookup_groupmem() +Subject: [PATCH 23/69] s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1521,13 +1521,13 @@ index d7a665abbc6..e625aa6473f 100644 if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("%s: add_primary_group_members failed: %s\n", -- -2.51.0 +2.52.0 From d0e2002efcc37055b35c351a6b936e6ab89fad32 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 25 Mar 2024 22:38:18 +0100 -Subject: [PATCH 24/63] selftest: Add "winbind expand groups = 1" to +Subject: [PATCH 24/69] selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1555,13 +1555,13 @@ index 44ac4a5901a..606c65f8ab1 100755 my $ret = $self->provision( -- -2.51.0 +2.52.0 From 9625b6aed981aa4e70fe11d9d1acdb54db7591a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Thu, 14 Mar 2024 15:24:21 +0100 -Subject: [PATCH 25/63] tests: Add a test for "all_groups=no" to +Subject: [PATCH 25/69] tests: Add a test for "all_groups=no" to test_idmap_ad.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1628,13 +1628,13 @@ index 7ae112ada71..1d4bd395ba9 100755 changetype: delete EOF -- -2.51.0 +2.52.0 From e5890e63c35a4a5af29ae16e6dd734c4a3a304cc Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 28 May 2024 13:51:53 +0200 -Subject: [PATCH 26/63] s3:libads: Allow get_kdc_ip_string() to lookup the KDCs +Subject: [PATCH 26/69] s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP Remove the requirement to provide an IP address. We should look up the @@ -1693,13 +1693,13 @@ index 50f4a6de3c6..ddf97c11973 100644 /* -- -2.51.0 +2.52.0 From 96a1ecd8db249fa03db60259cf76fdef9c1bd749 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 28 May 2024 13:53:51 +0200 -Subject: [PATCH 27/63] s3:libads: Do not fail if we don't get an IP passed +Subject: [PATCH 27/69] s3:libads: Do not fail if we don't get an IP passed down The IP should be optional and we should look it up if not provided. @@ -1727,13 +1727,13 @@ index ddf97c11973..f74d8eb567c 100644 } -- -2.51.0 +2.52.0 From 4934642b7a7d92c6d81ba25ef6e4b66e3805f708 Mon Sep 17 00:00:00 2001 
From: Andreas Schneider Date: Tue, 28 May 2024 13:54:24 +0200 -Subject: [PATCH 28/63] s3:winbind: Fix idmap_ad creating an invalid local +Subject: [PATCH 28/69] s3:winbind: Fix idmap_ad creating an invalid local krb5.conf In case of a trusted domain, we are providing the realm of the primary @@ -1783,13 +1783,13 @@ index 5c9fe07db95..b8002825161 100644 if (!ok) { DBG_DEBUG("Could not create private krb5.conf\n"); -- -2.51.0 +2.52.0 From cccc902c64c93db317bf4707d0af5e56b2887286 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jul 2024 12:26:55 +0200 -Subject: [PATCH 29/63] s3:notifyd: Use a watcher per db record +Subject: [PATCH 29/69] s3:notifyd: Use a watcher per db record MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -2301,13 +2301,13 @@ index 36c08f47c54..db8e6e1c005 100644 #endif -- -2.51.0 +2.52.0 From b04cb93ee52aac0ce7213d0581d69e852df52d4a Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 5 Feb 2024 15:03:48 +0100 -Subject: [PATCH 30/63] smbd: simplify handling of failing fstat() after +Subject: [PATCH 30/69] smbd: simplify handling of failing fstat() after unlinking file close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the @@ -2365,13 +2365,13 @@ index 3581c4b9173..93c12e00eb0 100644 } -- -2.51.0 +2.52.0 From 29f0c0fb2f1cb0cfc4c615d31e82048b46a2cb0d Mon Sep 17 00:00:00 2001 From: Noel Power Date: Tue, 20 Feb 2024 09:26:29 +0000 -Subject: [PATCH 31/63] s3/smbd: If we fail to close file_handle ensure we +Subject: [PATCH 31/69] s3/smbd: If we fail to close file_handle ensure we should reset the fd if fsp_flags.fstat_before_close == true then close_file_smb will call @@ -2446,13 +2446,13 @@ index 93c12e00eb0..74be444fef5 100644 /**************************************************************************** -- -2.51.0 +2.52.0 From ed138c4d679e8291de18162e1cac65cc9da33b4d Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Wed, 15 Jan 2025 10:21:19 -0800 -Subject: [PATCH 32/63] auth: Add missing talloc_free() in error code path. +Subject: [PATCH 32/69] auth: Add missing talloc_free() in error code path. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -2483,13 +2483,13 @@ index b914075d85c..196654b36bd 100644 } -- -2.51.0 +2.52.0 From f8a7d7a3e8c3be3c7742c874239766b34c25ef3e Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 16 Jan 2025 16:12:31 -0800 -Subject: [PATCH 33/63] auth: Cleanup exit code paths in kerberos_decode_pac(). +Subject: [PATCH 33/69] auth: Cleanup exit code paths in kerberos_decode_pac(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -2755,13 +2755,13 @@ index 196654b36bd..abb096bde1b 100644 NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx, -- -2.51.0 +2.52.0 From 9fd06d5c331f5babaf417cc7339d12854a79fe4b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 15 Feb 2024 17:29:46 +0100 -Subject: [PATCH 34/63] s3:libsmb/dsgetdcname: use +Subject: [PATCH 34/69] s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL In 2024 we always want an active directory response... @@ -2792,13 +2792,13 @@ index 280ccd585b0..6fcaa26810c 100644 snprintf(my_acct_name, -- -2.51.0 +2.52.0 From 58e28d056f2df0906ee77ccfb9b56e8a764b38b4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 7 May 2024 14:53:24 +0000 -Subject: [PATCH 35/63] s3:libsmb: allow store_cldap_reply() to work with a +Subject: [PATCH 35/69] s3:libsmb: allow store_cldap_reply() to work with a ipv6 response BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642 @@ -2850,13 +2850,13 @@ index 6fcaa26810c..da173e7bbb0 100644 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, r, (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX); -- -2.51.0 +2.52.0 From e4d5269b2359c670acdf0cba81248f148ae68c17 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Fri, 11 Oct 2024 13:32:22 +0000 -Subject: [PATCH 36/63] s3:libsmb: let discover_dc_netbios() return +Subject: [PATCH 36/69] s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND We may get NT_STATUS_NOT_FOUND when the name can't be resolved @@ -2896,13 +2896,13 @@ index da173e7bbb0..8278959dd7d 100644 } -- -2.51.0 +2.52.0 From d90d2b0e985913247f43192cb94eec0efb3e9046 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 2 Jul 2025 21:59:48 +0200 -Subject: [PATCH 37/63] s3-winbindd: Fix internal winbind dsgetdcname calls +Subject: [PATCH 37/69] s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -3080,13 +3080,13 @@ index fe93528787d..eca4116d0c8 100644 + return wbdom->name; +} -- -2.51.0 +2.52.0 From 7da6072ce95bca445368f6d0453247c8f92fcdf2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 9 May 2025 09:38:41 +0200 -Subject: [PATCH 38/63] s3:winbindd: avoid using any netlogon call to get a dc +Subject: [PATCH 38/69] s3:winbindd: avoid using any netlogon call to get a dc name BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 @@ -3383,13 +3383,13 @@ index f0fd18a8fa6..47c68257b12 100644 NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) -- -2.51.0 +2.52.0 From ad54ceadacfbcf0d9c96ad773e50db96003e2c08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Wed, 23 Jul 2025 15:09:21 +0200 -Subject: [PATCH 39/63] s3:winbindd: Resolve dc name using CLDAP also for +Subject: [PATCH 39/69] s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -3437,13 +3437,13 @@ index 195259daa43..86dbf68f033 100644 } -- -2.51.0 +2.52.0 From b73efffbb02903427af2c2cc57171d4848ca11f8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 4 Aug 2025 08:35:29 +0200 -Subject: [PATCH 40/63] docs-xml: Make smb.conf 'server role' value consistent +Subject: [PATCH 40/69] docs-xml: Make smb.conf 'server role' value consistent with ROLE_IPA_DC in libparam MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -3474,13 +3474,13 @@ index 4ea4e4751ee..40244e125ce 100644 This mode of operation runs Samba in a hybrid mode for IPA domain controller, providing forest trust to Active Directory. -- -2.51.0 +2.52.0 From 832a4e31630fd441f8ab4325439f90d561cb8fa4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 4 Aug 2025 23:26:02 +0200 -Subject: [PATCH 41/63] s3:netlogon: IPA DC is the PDC as well - allow +Subject: [PATCH 41/69] s3:netlogon: IPA DC is the PDC as well - allow ROLE_IPA_DC in _netr_DsRGetForestTrustInformation() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -3514,13 +3514,13 @@ index c5a4b0ef30c..7957d3ab34d 100644 return WERR_NERR_NOTPRIMARY; } -- -2.51.0 +2.52.0 From 8d5638581dfc539c8524d7a507e8cc8977e827a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 4 Aug 2025 23:28:24 +0200 -Subject: [PATCH 42/63] s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in +Subject: [PATCH 42/69] s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in gensec MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -3563,13 +3563,13 @@ index cff3c53845f..2968ca47734 100644 CRED_USE_KERBEROS_DESIRED, CRED_SPECIFIED); -- -2.51.0 +2.52.0 From 3ef02a381cdc83549506e159ebc457730c06c547 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 22 Jul 2025 19:22:31 +0200 -Subject: [PATCH 43/63] libads: fix get_kdc_ip_string() +Subject: [PATCH 43/69] libads: fix get_kdc_ip_string() Correctly handle the interaction between optionally passed in DC via pss and DC lookup. @@ -3614,13 +3614,13 @@ index f74d8eb567c..f324321c87b 100644 } -- -2.51.0 +2.52.0 
From b0dbc167f85deabff2af5b18bc201e8db0d3b97d Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 22 Jul 2025 19:16:14 +0200 -Subject: [PATCH 44/63] winbindd: use find_domain_from_name_noinit() in +Subject: [PATCH 44/69] winbindd: use find_domain_from_name_noinit() in find_dns_domain_name() Avoid triggering a connection to a DC of a trusted domain. @@ -3648,13 +3648,13 @@ index eca4116d0c8..3a7a9114988 100644 return domain_name; } -- -2.51.0 +2.52.0 From 1961f54ce07f7dc3cfcae5c00b96b39109f08b3a Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 19 Dec 2023 11:11:55 +0100 -Subject: [PATCH 45/63] vfs_default: allow disabling /proc/fds and +Subject: [PATCH 45/69] vfs_default: allow disabling /proc/fds and RESOLVE_NO_SYMLINK at compile time This will be used in CI to have a gitlab runner without all modern Linux @@ -3718,13 +3718,13 @@ index 1d4b9b1a840..8d78831492f 100644 return 0; /* Return >= 0 for success */ } -- -2.51.0 +2.52.0 From 26de62a2a968dd5b73af296251b26112cdd533e5 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 19 Dec 2023 11:12:49 +0100 -Subject: [PATCH 46/63] CI: disable /proc/fds and RESOLVE_NO_SYMLINK in +Subject: [PATCH 46/69] CI: disable /proc/fds and RESOLVE_NO_SYMLINK in samba-no-opath-build runner This is a more sensible combination of missing Linux specific features: @@ -3791,13 +3791,13 @@ index c3a13f5ec6e..67764a0b027 100644 +^samba3.blackbox.virus_scanner.*\(fileserver:local\) +^samba3.blackbox.shadow_copy2.*\(fileserver.*\) -- -2.51.0 +2.52.0 From 2c27aae5a4c8d7368dc142fb2be36919296d2a02 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 2 Jan 2024 12:49:14 +0100 -Subject: [PATCH 47/63] smbd: pass symlink target path to +Subject: [PATCH 47/69] smbd: pass symlink target path to safe_symlink_target_path() Moves processing the symlink error response to the caller @@ -3955,13 +3955,13 @@ index 8693dcf1153..45fb90381e2 100644 symlink_redirects += 1; -- -2.51.0 +2.52.0 
From 99d7e841d4e18f760c137530bbed0dea6115311a Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 2 Jan 2024 13:25:25 +0100 -Subject: [PATCH 48/63] smbd: add a directory argument to +Subject: [PATCH 48/69] smbd: add a directory argument to safe_symlink_target_path() Existing caller passes NULL, no change in behaviour. Prepares for @@ -4033,13 +4033,13 @@ index 45fb90381e2..55a49e0ba93 100644 unparsed, &safe_target); -- -2.51.0 +2.52.0 From 5041a6fa5cdfd21bf697249d900ea5c107d355a2 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 2 Jan 2024 14:34:26 +0100 -Subject: [PATCH 49/63] smbd: use safe_symlink_target_path() in +Subject: [PATCH 49/69] smbd: use safe_symlink_target_path() in symlink_target_below_conn() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549 @@ -4179,13 +4179,13 @@ index 74be444fef5..6582bd60245 100644 discard_const_p(files_struct, dirfsp), smb_fname_rel, -- -2.51.0 +2.52.0 From f2fc99f0c7d441115a486413f345c0226a00b38b Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 18 Dec 2023 12:35:58 +0100 -Subject: [PATCH 50/63] smbd: use dirfsp and atname in open_directory() +Subject: [PATCH 50/69] smbd: use dirfsp and atname in open_directory() On systems without /proc/fd support this avoid the expensive chdir() logic in non_widelink_open(). open_file_ntcreate() already passes @@ -4224,13 +4224,13 @@ index 6582bd60245..b9849f82396 100644 O_RDONLY | O_DIRECTORY, 0, -- -2.51.0 +2.52.0 From 7d102268ebbebf6fc723a43485a82f72069d00ee Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 16 Dec 2022 16:35:00 +0100 -Subject: [PATCH 51/63] smbd: Return open_symlink_err from +Subject: [PATCH 51/69] smbd: Return open_symlink_err from filename_convert_dirfsp_nosymlink() Don't lose information returned from openat_pathref_fsp_nosymlink() @@ -4387,13 +4387,13 @@ index 55a49e0ba93..9fd85af992a 100644 return status; } -- -2.51.0 +2.52.0 From edaabc3d53fddd9e2fa6168c8bf01ebfbf229657 Mon Sep 17 00:00:00 2001 
From: Ralph Boehme Date: Thu, 25 Apr 2024 15:24:57 +0200 -Subject: [PATCH 52/63] s3/lib: add next helper variable in server_id_watch_* +Subject: [PATCH 52/69] s3/lib: add next helper variable in server_id_watch_* BUG: https://bugzilla.samba.org/show_bug.cgi?id=15624 @@ -4467,13 +4467,13 @@ index f0189e0e896..50b35f27b3e 100644 return; } -- -2.51.0 +2.52.0 From c25f1811c2ccaa2d5cc8005597fb9979aa1102ee Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 4 Apr 2024 12:31:05 +0200 -Subject: [PATCH 53/63] s3/lib: add option "serverid watch:debug = yes" to +Subject: [PATCH 53/69] s3/lib: add option "serverid watch:debug = yes" to print kernel stack of hanging process We only do if sys_have_proc_fds() returns true, so it's most likely @@ -4589,13 +4589,13 @@ index 50b35f27b3e..c372ec8c431 100644 subreq = tevent_wakeup_send(state, state->ev, next); if (tevent_req_nomem(subreq, req)) { -- -2.51.0 +2.52.0 From 23dbf8f0317810d65e716a3c9b947c7a6549cb46 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 25 Apr 2024 15:17:08 +0200 -Subject: [PATCH 54/63] s3/lib: add option "serverid watch:debug script" +Subject: [PATCH 54/69] s3/lib: add option "serverid watch:debug script" This takes just PID and NODE:PID on a cluster. @@ -4682,13 +4682,13 @@ index c372ec8c431..8ddf9c6b1c8 100644 DBG_ERR("Process %s hanging for %f seconds?\n", pid, duration); -- -2.51.0 +2.52.0 From 59975168627e4bfbd2e75a611cb8cb13019a7df3 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 5 Apr 2024 12:15:28 +0200 -Subject: [PATCH 55/63] smbd: log share_mode_watch_recv() errors as errors +Subject: [PATCH 55/69] smbd: log share_mode_watch_recv() errors as errors BUG: https://bugzilla.samba.org/show_bug.cgi?id=15624 @@ -4719,13 +4719,13 @@ index b9849f82396..da129119c7f 100644 * Even if it failed, retry anyway. TODO: We need a way to * tell a re-scheduled open about that error. -- -2.51.0 +2.52.0 From e619b72fe1b9c36963c452c1d102009b28e8e289 Mon Sep 17 00:00:00 2001 
From: Ralph Boehme Date: Thu, 4 Apr 2024 19:18:19 +0200 -Subject: [PATCH 56/63] smbd: add option "smbd lease break:debug hung procs" +Subject: [PATCH 56/69] smbd: add option "smbd lease break:debug hung procs" By enabling this a process sending a lease break message to another process holding a lease will start watching that process and if that process didn't @@ -4977,13 +4977,13 @@ index da129119c7f..4cc5190f690 100644 } if (!NT_STATUS_IS_OK(status)) { -- -2.51.0 +2.52.0 From e6a0d821ba28839728371ca94bb364dd6865b5dd Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 20 Mar 2024 14:27:27 +0100 -Subject: [PATCH 57/63] smbd: move trace_state variable behind tv variable +Subject: [PATCH 57/69] smbd: move trace_state variable behind tv variable Next commit adds timestamp variables to trace_state that want to be initialized with the current time, so moving behind tv we can then just reuse tv for that. @@ -5025,13 +5025,13 @@ index fbbe4ef3992..188eaa14839 100644 char *chroot_dir = NULL; int rc; -- -2.51.0 +2.52.0 From 15276d7645255ddddf2a3bf6b7a429e3d40ec9b7 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Wed, 20 Mar 2024 14:28:43 +0100 -Subject: [PATCH 58/63] smbd: add option "smbd:debug events" for tevent +Subject: [PATCH 58/69] smbd: add option "smbd:debug events" for tevent handling duration threshold warnings Can be used to enable printing an error message if tevent event handlers ran @@ -5167,13 +5167,13 @@ index 188eaa14839..dbe91132f7f 100644 tevent_set_trace_callback(ev_ctx, smbd_tevent_trace_callback, -- -2.51.0 +2.52.0 From 4631b9d60a874db10dbdd52406d0094a7dbd1356 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 26 Aug 2024 14:11:02 +0200 -Subject: [PATCH 59/63] vfs_error_inject: add 'error_inject:durable_reconnect = +Subject: [PATCH 59/69] vfs_error_inject: add 'error_inject:durable_reconnect = st_ex_nlink' This allows to simulate durable reconnect failures because the stat 
@@ -5288,13 +5288,13 @@ index 529504fd8d5..dcf0de0a2d9 100644 static_decl_vfs; -- -2.51.0 +2.52.0 From c8e88652163cc56b1f9fb0926a140c81e6b7ec94 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 26 Aug 2024 14:42:02 +0200 -Subject: [PATCH 60/63] s4:torture/smb2: add +Subject: [PATCH 60/69] s4:torture/smb2: add smb2.durable-v2-regressions.durable_v2_reconnect_bug15624 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15624 @@ -5464,13 +5464,13 @@ index 5b6477e47bc..9cf7f5da78b 100644 torture_suite_add_suite(suite, torture_smb2_lease_init(suite)); torture_suite_add_suite(suite, torture_smb2_compound_init(suite)); -- -2.51.0 +2.52.0 From 56a3aaf95c44052b19b61115686c71d5b7dbab4a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 26 Aug 2024 14:42:12 +0200 -Subject: [PATCH 61/63] s3:tests: let test_durable_handle_reconnect.sh run +Subject: [PATCH 61/69] s3:tests: let test_durable_handle_reconnect.sh run smb2.durable-v2-regressions.durable_v2_reconnect_bug15624 This demonstrates the dead lock after a durable reconnect failed @@ -5524,13 +5524,13 @@ index 0ab32974824..fd5c156956f 100755 + testok $0 $failed -- -2.51.0 +2.52.0 From d8f01885145ecfce15f2507fdcc625442db1738c Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 9 Apr 2024 14:52:44 +0200 -Subject: [PATCH 62/63] smbd: consolidate DH reconnect failure code +Subject: [PATCH 62/69] smbd: consolidate DH reconnect failure code No change in behaviour, except that we now also call fd_close() if vfs_default_durable_cookie() @@ -5828,13 +5828,13 @@ index b21c223b2e4..50075ddd3f7 100644 + return status; } -- -2.51.0 +2.52.0 From b248ddd3dd7193ba44c9ad86488dd180a25e3774 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Tue, 9 Apr 2024 14:53:32 +0200 -Subject: [PATCH 63/63] smbd: remove just created sharemode entry in the error +Subject: [PATCH 63/69] smbd: remove just created sharemode entry in the error codepaths MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 
@@ -5900,5 +5900,548 @@ index 50075ddd3f7..98d0d403e30 100644 NTSTATUS close_status; close_status = fd_close(fsp); -- -2.51.0 +2.52.0 + + +From 67ff429e41004899e514d893e80332de79ca2bab Mon Sep 17 00:00:00 2001 +From: Earl Chew +Date: Sun, 17 Dec 2023 08:37:33 -0800 +Subject: [PATCH 64/69] Augment library_flags() to return libraries + +Extend library_flags() to return the libraries provided by +pkg-config --libs. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623 + +Signed-off-by: Earl Chew +Reviewed-by: Andrew Bartlett +Reviewed-by: Douglas Bagnall +(cherry picked from commit 363c33185779141fdfbda695997d548939a0251f) +--- + buildtools/wafsamba/samba3.py | 8 ++++---- + buildtools/wafsamba/samba_autoconf.py | 22 +++++++++++++--------- + buildtools/wafsamba/samba_deps.py | 5 ++--- + lib/util/charset/wscript_configure | 2 +- + 4 files changed, 20 insertions(+), 17 deletions(-) + +diff --git a/buildtools/wafsamba/samba3.py b/buildtools/wafsamba/samba3.py +index 227ee27705d..ba0783f0d22 100644 +--- a/buildtools/wafsamba/samba3.py ++++ b/buildtools/wafsamba/samba3.py +@@ -45,25 +45,25 @@ def s3_fix_kwargs(bld, kwargs): + '../bin/default/third_party/heimdal/lib/asn1' ] + + if bld.CONFIG_SET('USING_SYSTEM_TDB'): +- (tdb_includes, tdb_ldflags, tdb_cpppath) = library_flags(bld, 'tdb') ++ (tdb_includes, tdb_ldflags, tdb_cpppath, tdb_libs) = library_flags(bld, 'tdb') + extra_includes += tdb_cpppath + else: + extra_includes += [ '../lib/tdb/include' ] + + if bld.CONFIG_SET('USING_SYSTEM_TEVENT'): +- (tevent_includes, tevent_ldflags, tevent_cpppath) = library_flags(bld, 'tevent') ++ (tevent_includes, tevent_ldflags, tevent_cpppath, tevent_libs) = library_flags(bld, 'tevent') + extra_includes += tevent_cpppath + else: + extra_includes += [ '../lib/tevent' ] + + if bld.CONFIG_SET('USING_SYSTEM_TALLOC'): +- (talloc_includes, talloc_ldflags, talloc_cpppath) = library_flags(bld, 'talloc') ++ (talloc_includes, talloc_ldflags, talloc_cpppath, talloc_libs) = library_flags(bld, 
'talloc') + extra_includes += talloc_cpppath + else: + extra_includes += [ '../lib/talloc' ] + + if bld.CONFIG_SET('USING_SYSTEM_POPT'): +- (popt_includes, popt_ldflags, popt_cpppath) = library_flags(bld, 'popt') ++ (popt_includes, popt_ldflags, popt_cpppath, popt_libs) = library_flags(bld, 'popt') + extra_includes += popt_cpppath + else: + extra_includes += [ '../lib/popt' ] +diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py +index 34fd5fab2c0..d3b6503c5ca 100644 +--- a/buildtools/wafsamba/samba_autoconf.py ++++ b/buildtools/wafsamba/samba_autoconf.py +@@ -91,7 +91,7 @@ def CHECK_HEADER(conf, h, add_headers=False, lib=None): + conf.env.hlist.append(h) + return True + +- (ccflags, ldflags, cpppath) = library_flags(conf, lib) ++ (ccflags, ldflags, cpppath, libs) = library_flags(conf, lib) + + hdrs = hlist_to_string(conf, headers=h) + if lib is None: +@@ -435,7 +435,7 @@ def CHECK_CODE(conf, code, define, + + uselib = TO_LIST(lib) + +- (ccflags, ldflags, cpppath) = library_flags(conf, uselib) ++ (ccflags, ldflags, cpppath, libs) = library_flags(conf, uselib) + + includes = TO_LIST(includes) + includes.extend(cpppath) +@@ -569,21 +569,24 @@ Build.BuildContext.CONFIG_SET = CONFIG_SET + Build.BuildContext.CONFIG_GET = CONFIG_GET + + +-def library_flags(self, libs): ++def library_flags(self, library): + '''work out flags from pkg_config''' + ccflags = [] + ldflags = [] + cpppath = [] +- for lib in TO_LIST(libs): ++ libs = [] ++ for lib in TO_LIST(library): + # note that we do not add the -I and -L in here, as that is added by the waf + # core. 
Adding it here would just change the order that it is put on the link line + # which can cause system paths to be added before internal libraries + extra_ccflags = TO_LIST(getattr(self.env, 'CFLAGS_%s' % lib.upper(), [])) + extra_ldflags = TO_LIST(getattr(self.env, 'LDFLAGS_%s' % lib.upper(), [])) + extra_cpppath = TO_LIST(getattr(self.env, 'CPPPATH_%s' % lib.upper(), [])) ++ extra_libs = TO_LIST(getattr(self.env, 'LIB_%s' % lib.upper(), [])) + ccflags.extend(extra_ccflags) + ldflags.extend(extra_ldflags) + cpppath.extend(extra_cpppath) ++ libs.extend(extra_libs) + + extra_cpppath = TO_LIST(getattr(self.env, 'INCLUDES_%s' % lib.upper(), [])) + cpppath.extend(extra_cpppath) +@@ -593,11 +596,12 @@ def library_flags(self, libs): + ccflags = unique_list(ccflags) + ldflags = unique_list(ldflags) + cpppath = unique_list(cpppath) +- return (ccflags, ldflags, cpppath) ++ libs = unique_list(libs) ++ return (ccflags, ldflags, cpppath, libs) + + + @conf +-def CHECK_LIB(conf, libs, mandatory=False, empty_decl=True, set_target=True, shlib=False): ++def CHECK_LIB(conf, library, mandatory=False, empty_decl=True, set_target=True, shlib=False): + '''check if a set of libraries exist as system libraries + + returns the sublist of libs that do exist as a syslib or [] +@@ -611,13 +615,13 @@ int foo() + } + ''' + ret = [] +- liblist = TO_LIST(libs) +- for lib in liblist[:]: ++ liblist = TO_LIST(library) ++ for lib in liblist: + if GET_TARGET_TYPE(conf, lib) == 'SYSLIB': + ret.append(lib) + continue + +- (ccflags, ldflags, cpppath) = library_flags(conf, lib) ++ (ccflags, ldflags, cpppath, libs) = library_flags(conf, lib) + if shlib: + res = conf.check(features='c cshlib', fragment=fragment, lib=lib, uselib_store=lib, cflags=ccflags, ldflags=ldflags, uselib=lib.upper(), mandatory=False) + else: +diff --git a/buildtools/wafsamba/samba_deps.py b/buildtools/wafsamba/samba_deps.py +index 66adf40307e..5b428295b86 100644 +--- a/buildtools/wafsamba/samba_deps.py ++++ 
b/buildtools/wafsamba/samba_deps.py +@@ -83,9 +83,8 @@ def build_dependencies(self): + self.add_objects = list(self.final_objects) + + # extra link flags from pkg_config +- libs = self.final_syslibs.copy() +- +- (cflags, ldflags, cpppath) = library_flags(self, list(libs)) ++ (cflags, ldflags, cpppath, libs) = library_flags( ++ self, list(self.final_syslibs.copy())) + new_ldflags = getattr(self, 'samba_ldflags', [])[:] + new_ldflags.extend(ldflags) + self.ldflags = new_ldflags +diff --git a/lib/util/charset/wscript_configure b/lib/util/charset/wscript_configure +index 9c27fc664f0..58858f69b31 100644 +--- a/lib/util/charset/wscript_configure ++++ b/lib/util/charset/wscript_configure +@@ -8,7 +8,7 @@ + # managed to link when specifying -liconv a executable even if there is no + # libiconv.so or libiconv.a + +-conf.CHECK_LIB(libs="iconv", shlib=True) ++conf.CHECK_LIB("iconv", shlib=True) + + #HP-UX can use libiconv as an add-on package, which has #define iconv_open libiconv_open + if (conf.CHECK_FUNCS_IN('iconv_open', 'iconv', checklibc=False, headers='iconv.h') or +-- +2.52.0 + + +From a4f79d7fb725fab47bda53b9482c1ee301a8393a Mon Sep 17 00:00:00 2001 +From: Earl Chew +Date: Sat, 16 Dec 2023 17:47:09 -0800 +Subject: [PATCH 65/69] Improve CHECK_LIB interaction with CHECK_PKG + +When checking for shared libraries, only name the target library +if it was not previously discoverd by pkg-config --libs and now +available from uselib_store. This avoids using both sources of +information which results in the library being named twice on +the command line. + +Once the library is confirmed by CHECK_LIB, append the library if +not already present, to avoid dropping libraries that were +previously discovered by CHECK_PKG. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623 + +Signed-off-by: Earl Chew +Reviewed-by: Andrew Bartlett +Reviewed-by: Douglas Bagnall +(cherry picked from commit 0c983bd0095d4fb20ef8b42f5efb740393073862) +--- + buildtools/wafsamba/samba_autoconf.py | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py +index d3b6503c5ca..b1d2f761095 100644 +--- a/buildtools/wafsamba/samba_autoconf.py ++++ b/buildtools/wafsamba/samba_autoconf.py +@@ -623,7 +623,12 @@ int foo() + + (ccflags, ldflags, cpppath, libs) = library_flags(conf, lib) + if shlib: +- res = conf.check(features='c cshlib', fragment=fragment, lib=lib, uselib_store=lib, cflags=ccflags, ldflags=ldflags, uselib=lib.upper(), mandatory=False) ++ # Avoid repeating the library if it is already named by ++ # pkg-config --libs. ++ kw = {} ++ if lib not in libs: ++ kw['lib'] = lib ++ res = conf.check(features='c cshlib', fragment=fragment, uselib_store=lib, cflags=ccflags, ldflags=ldflags, uselib=lib.upper(), mandatory=False, **kw) + else: + res = conf.check(lib=lib, uselib_store=lib, cflags=ccflags, ldflags=ldflags, uselib=lib.upper(), mandatory=False) + +@@ -637,7 +642,10 @@ int foo() + SET_TARGET_TYPE(conf, lib, 'EMPTY') + else: + conf.define('HAVE_LIB%s' % lib.upper().replace('-','_').replace('.','_'), 1) +- conf.env['LIB_' + lib.upper()] = lib ++ # To avoid losing information from pkg-config, append the library ++ # only it is not already present. 
++ if lib not in libs: ++ conf.env.append_value('LIB_' + lib.upper(), lib) + if set_target: + conf.SET_TARGET_TYPE(lib, 'SYSLIB') + ret.append(lib) +-- +2.52.0 + + +From 2b4f5a62eac69e12ecd9a1e3919ea4a8b3d40820 Mon Sep 17 00:00:00 2001 +From: Earl Chew +Date: Sat, 16 Dec 2023 08:48:36 -0800 +Subject: [PATCH 66/69] Combine ICU libraries icu-i18n and icu-uc into a single + dependency + +Rather than probing for icu-i18n, icu-uc, and icudata libraries +separately, only probe for icu-i18n, and icu-uc, as direct dependencies +This avoids overlinking with icudata, and allows the package +to build even when ICU is not installed as a system library. + +RN: Only use icu-i18n and icu-uc to express ICU dependency + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623 + +Signed-off-by: Earl Chew +Reviewed-by: Andrew Bartlett +Reviewed-by: Douglas Bagnall +(cherry picked from commit 05807488fd340751ee976c5f8a367013ff94843e) +--- + lib/util/charset/iconv.c | 8 ++++---- + lib/util/charset/wscript_build | 3 ++- + lib/util/charset/wscript_configure | 17 +++++++---------- + 3 files changed, 13 insertions(+), 15 deletions(-) + +diff --git a/lib/util/charset/iconv.c b/lib/util/charset/iconv.c +index 30e705ee119..3234f92bc55 100644 +--- a/lib/util/charset/iconv.c ++++ b/lib/util/charset/iconv.c +@@ -26,7 +26,7 @@ + #include "lib/util/charset/charset.h" + #include "lib/util/charset/charset_proto.h" + +-#ifdef HAVE_ICU_I18N ++#ifdef HAVE_ICUI18N + #include + #include + #endif +@@ -168,7 +168,7 @@ static size_t sys_iconv(void *cd, + } + #endif + +-#ifdef HAVE_ICU_I18N ++#ifdef HAVE_ICUI18N + static size_t sys_uconv(void *cd, + const char **inbuf, + size_t *inbytesleft, +@@ -334,7 +334,7 @@ static bool is_utf16(const char *name) + + static int smb_iconv_t_destructor(smb_iconv_t hwd) + { +-#ifdef HAVE_ICU_I18N ++#ifdef HAVE_ICUI18N + /* + * This has to come first, as the cd_direct member won't be an iconv + * handle and must not be passed to iconv_close(). 
+@@ -418,7 +418,7 @@ _PUBLIC_ smb_iconv_t smb_iconv_open_ex(TALLOC_CTX *mem_ctx, const char *tocode, + } + #endif + +-#ifdef HAVE_ICU_I18N ++#ifdef HAVE_ICUI18N + if (strcasecmp(fromcode, "UTF8-NFD") == 0 && + strcasecmp(tocode, "UTF8-NFC") == 0) + { +diff --git a/lib/util/charset/wscript_build b/lib/util/charset/wscript_build +index c69a17170ad..3af90a0ad57 100644 +--- a/lib/util/charset/wscript_build ++++ b/lib/util/charset/wscript_build +@@ -6,7 +6,8 @@ bld.SAMBA_SUBSYSTEM('ICONV_WRAPPER', + weird.c + charset_macosxfs.c + ''', +- public_deps='iconv replace talloc ' + bld.env['icu-libs']) ++ deps=bld.env['icu-libs'], ++ public_deps='iconv replace talloc') + + bld.SAMBA_SUBSYSTEM('charset', + public_headers='charset.h', +diff --git a/lib/util/charset/wscript_configure b/lib/util/charset/wscript_configure +index 58858f69b31..c49b55a4fd4 100644 +--- a/lib/util/charset/wscript_configure ++++ b/lib/util/charset/wscript_configure +@@ -37,15 +37,12 @@ conf.CHECK_CODE(''' + lib='iconv', + headers='errno.h iconv.h') + +-if conf.CHECK_CFG(package='icu-i18n', ++if conf.CHECK_CFG(package='icu-i18n icu-uc', + args='--cflags --libs', +- msg='Checking for icu-i18n', +- uselib_store='ICU_I18N'): +- for lib in conf.env['LIB_ICU_I18N']: +- conf.CHECK_LIB(lib, shlib=True, mandatory=True) +- conf.env['icu-libs'] = ' '.join(conf.env['LIB_ICU_I18N']) +- if not conf.CHECK_HEADERS('unicode/ustring.h'): +- conf.fatal('Found libicu, but unicode/ustring.h is missing') ++ msg='Checking for icu-i18n icu-uc', ++ uselib_store='ICUI18N'): ++ conf.env['icu-libs'] = 'icui18n' ++ conf.CHECK_LIB(conf.env['icu-libs'], shlib=True, mandatory=True) ++ if not conf.CHECK_HEADERS('unicode/ustring.h', lib='icui18n'): ++ conf.fatal('Found icui18n, but unicode/ustring.h is missing') + conf.DEFINE('HAVE_UTF8_NORMALISATION', 1) +-else: +- conf.env['icu-libs'] = '' +-- +2.52.0 + + +From 8e5968634b263c20ad71c75e839abb217614b567 Mon Sep 17 00:00:00 2001 +From: Earl Chew +Date: Fri, 10 May 2024 19:46:28 -0700 
+Subject: [PATCH 67/69] Restore empty string default for conf.env['icu-libs'] + +The reworked ICU libraries configuration code used [] as +default for conf.env['icu-libs']. This breaks dependency analysis +in samba_deps.py because SAMBA_SUBSYSTEM() expects deps to be +a string. + +Signed-off-by: Earl Chew +Reviewed-by: Andrew Bartlett +Reviewed-by: Douglas Bagnall +Reviewed-by: Volker Lendecke + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue May 14 14:44:06 UTC 2024 on atb-devel-224 + +(cherry picked from commit 68a1200f66e9008ca0a739b37b48c49453ca9d83) +--- + lib/util/charset/wscript_configure | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/util/charset/wscript_configure b/lib/util/charset/wscript_configure +index c49b55a4fd4..adae44eab5e 100644 +--- a/lib/util/charset/wscript_configure ++++ b/lib/util/charset/wscript_configure +@@ -46,3 +46,5 @@ if conf.CHECK_CFG(package='icu-i18n icu-uc', + if not conf.CHECK_HEADERS('unicode/ustring.h', lib='icui18n'): + conf.fatal('Found icui18n, but unicode/ustring.h is missing') + conf.DEFINE('HAVE_UTF8_NORMALISATION', 1) ++else: ++ conf.env['icu-libs'] = '' +-- +2.52.0 + + +From 88a29be0ed6cf611eb812c0729d2ee61be07a3a3 Mon Sep 17 00:00:00 2001 +From: Earl Chew +Date: Fri, 27 Sep 2024 06:50:31 -0700 +Subject: [PATCH 68/69] Describe implication of upstream ICU-22610 + +Add commentary to link commit 86c7688 (MR !3447) to the upstream +fix for ICU-22610 in case there is subsequent breakage. 
+ +Signed-off-by: Earl Chew +Reviewed-by: Andreas Schneider +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Andrew Bartlett +Autobuild-Date(master): Fri Nov 8 00:20:38 UTC 2024 on atb-devel-224 + +(cherry picked from commit 1655413f1246147db9b34d4684a64dac49cf5f0c) +--- + lib/util/charset/wscript_configure | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/util/charset/wscript_configure b/lib/util/charset/wscript_configure +index adae44eab5e..451f7f7bca3 100644 +--- a/lib/util/charset/wscript_configure ++++ b/lib/util/charset/wscript_configure +@@ -37,6 +37,10 @@ conf.CHECK_CODE(''' + lib='iconv', + headers='errno.h iconv.h') + ++# Since commit 86c7688 (MR !3447), the required ICU libraries are discovered ++# as a single group. This had the benefit of working around ICU-22610, and also ++# works with the fix that was merged to ICU main in commit 199bc827. ++ + if conf.CHECK_CFG(package='icu-i18n icu-uc', + args='--cflags --libs', + msg='Checking for icu-i18n icu-uc', +-- +2.52.0 + + +From 72c6766af2ac55854b816147a277404d98b1de9a Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 8 Jan 2026 11:55:18 +0100 +Subject: [PATCH 69/69] smbd: add a directory argument to + safe_symlink_target_path() + +Existing caller passes NULL, no change in behaviour. Prepares for +replacing symlink_target_below_conn() in open.c. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549 + +Signed-off-by: Ralph Boehme +Reviewed-by: Volker Lendecke +(backported from commit fc80c72d658a41fe4d93b24b793b52c91b350175) + +Backport changes: + - The v4-19 branch has a different safe_symlink_target_path() signature + that takes (name_in, substitute) instead of (dir, target), due to + commit 7d102268ebb being backported out of order. + - Adapted the function to use the new (dir, target) signature matching + proto.h, which already had the correct declaration. 
+ - Updated filename_convert_dirfsp() to call symlink_target_path() first + to compute the target path, then pass dir=NULL to safe_symlink_target_path(). + - This fixes symlink resolution for relative symlinks in subdirectories + (e.g., subdir/link -> ../file) by correctly building the absolute path + as connectpath/dir/target instead of just connectpath/target. +--- + source3/smbd/filename.c | 52 +++++++++++++++++++++++++++-------------- + 1 file changed, 34 insertions(+), 18 deletions(-) + +diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c +index 9fd85af992a..f6e9ed6aae0 100644 +--- a/source3/smbd/filename.c ++++ b/source3/smbd/filename.c +@@ -944,35 +944,40 @@ static char *symlink_target_path( + + NTSTATUS safe_symlink_target_path(TALLOC_CTX *mem_ctx, + const char *connectpath, +- const char *name_in, +- const char *substitute, ++ const char *dir, ++ const char *target, + size_t unparsed, + char **_relative) + { +- char *target = NULL; + char *abs_target = NULL; + char *abs_target_canon = NULL; + const char *relative = NULL; + bool in_share; + NTSTATUS status = NT_STATUS_NO_MEMORY; + +- target = symlink_target_path(mem_ctx, +- name_in, +- substitute, +- unparsed); +- if (target == NULL) { +- goto fail; +- } +- +- DBG_DEBUG("connectpath [%s] target [%s] unparsed [%zu]\n", +- connectpath, target, unparsed); ++ DBG_DEBUG("connectpath [%s] dir [%s] target [%s] unparsed [%zu]\n", ++ connectpath, ++ dir != NULL ? 
dir : "", ++ target, ++ unparsed); + + if (target[0] == '/') { +- abs_target = target; +- } else { +- abs_target = talloc_asprintf(target, ++ abs_target = talloc_strdup(mem_ctx, target); ++ } else if (dir == NULL) { ++ abs_target = talloc_asprintf(mem_ctx, ++ "%s/%s", ++ connectpath, ++ target); ++ } else if (dir[0] == '/') { ++ abs_target = talloc_asprintf(mem_ctx, + "%s/%s", ++ dir, ++ target); ++ } else { ++ abs_target = talloc_asprintf(mem_ctx, ++ "%s/%s/%s", + connectpath, ++ dir, + target); + } + if (abs_target == NULL) { +@@ -1432,6 +1437,7 @@ NTSTATUS filename_convert_dirfsp( + struct open_symlink_err *symlink_err = NULL; + NTSTATUS status; + char *substitute = NULL; ++ char *target = NULL; + char *safe_target = NULL; + size_t symlink_redirects = 0; + +@@ -1470,13 +1476,23 @@ next: + */ + substitute = symlink_err->reparse->substitute_name; + ++ target = symlink_target_path(mem_ctx, ++ name_in, ++ substitute, ++ symlink_err->unparsed); ++ if (target == NULL) { ++ TALLOC_FREE(symlink_err); ++ return NT_STATUS_NO_MEMORY; ++ } ++ + status = safe_symlink_target_path(mem_ctx, + conn->connectpath, +- name_in, +- substitute, ++ NULL, ++ target, + symlink_err->unparsed, + &safe_target); + TALLOC_FREE(symlink_err); ++ TALLOC_FREE(target); + if (!NT_STATUS_IS_OK(status)) { + return status; + } +-- +2.52.0 diff --git a/samba.spec b/samba.spec index ba2e55f..4ec929c 100644 --- a/samba.spec +++ b/samba.spec @@ -147,7 +147,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %global samba_version 4.19.4 -%global baserelease 12 +%global baserelease 13 # This should be rc1 or %%nil %global pre_release %nil 
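Review bot: In patch 69/69 the new body of safe_symlink_target_path() changes string ownership, and the part of the function that must match it is not in this hunk. `target` is now a `const char *` borrowed from the caller, which filename_convert_dirfsp() releases itself with `TALLOC_FREE(target)`, and `abs_target` is allocated on `mem_ctx` in all four branches, where it used to be `target` itself or a talloc child of it. The canonicalisation, the in-share check and the `fail:` cleanup lie outside the three filename.c hunks, so please confirm that they no longer free `target` or use it as a talloc parent (that would leave the caller with a double free), and that `abs_target` is released on every path, for example `TALLOC_FREE(abs_target);` at `fail:`. A contract comment above the function would make this explicit: `/* dir and target are borrowed from the caller; abs_target is local and freed before return */`. It would also help to note there that the `dir[0] == '/'` branch builds the path without `connectpath`, so containment in the share depends entirely on the check that follows.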
@@ -4479,6 +4479,9 @@ fi %endif %changelog +* Thu Jan 08 2026 Andreas Schneider - 4.19.4-13 +- resolves: RHEL-131616 - Fix regression with relative symlinks in a share + * Thu Oct 09 2025 Andreas Schneider - 4.19.4-12 - resolves: RHEL-119843 - Fix stale sharemode entries which can cause deadlocks