diff --git a/.gitignore b/.gitignore index 6ab5adc..6da8d98 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -samba-4.22.4.tar.xz +samba-4.23.5.tar.xz samba-pubkey_AA99442FB680B620.gpg diff --git a/redhat-4.22.patch b/redhat-4.22.patch deleted file mode 100644 index a56bdbb..0000000 --- a/redhat-4.22.patch +++ /dev/null @@ -1,4830 +0,0 @@ -From b0ff8644c06b01252bdbac6a31c77c5781d4b5a0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 29 Jul 2025 11:19:07 +0200 -Subject: [PATCH 01/59] selftest: Add the short name for localvampiredc to - hosts file -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 5d2f60ae5aa96751b74901ae5384291ef338b152) ---- - selftest/target/Samba4.pm | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index 9da339f6239..af0434a8e6b 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -878,7 +878,7 @@ nogroup:x:65534:nobody - - my $hostname = lc($ctx->{hostname}); - open(HOSTS, ">>$ctx->{nsswrap_hosts}"); -- if ($hostname eq "localdc") { -+ if ($hostname eq "localdc" || $hostname eq "localvampiredc") { - print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n"; - print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n"; - } else { --- -2.53.0 - - -From 03431792b4707e50afc8f9e356f08a91f4fb67c3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 4 Aug 2025 11:20:54 +0200 -Subject: [PATCH 02/59] tests: Add test for 'net ads join' to a preferred DC -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 36f6ac547c09f492d1dcab11570e8bcbd377cf26) ---- - selftest/knownfail | 1 + - source4/selftest/tests.py | 1 + - .../test_net_ads_join_to_preferred_dc.sh | 61 +++++++++++++++++++ - 3 files changed, 63 insertions(+) - create mode 100755 testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh - -diff --git a/selftest/knownfail b/selftest/knownfail -index ab2d79d7114..7c0e9dd00e7 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -335,6 +335,7 @@ - ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.* - ^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued_clean - ^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing -+^samba4.blackbox.net_ads_join.join - - # We currently don't send referrals for LDAP modify of non-replicated attrs - ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 9c5e85e428a..14a41ba77ed 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -902,6 +902,7 @@ plantestsuite("samba4.blackbox.rfc2307_mapping", - plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', r"CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX/chgdcpass', "aes256-cts-hmac-sha1-96", '$PREFIX/chgdcpass', smbclient3]) - plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass']) - plantestsuite("samba4.blackbox.net_ads", "ad_dc:client", [os.path.join(bbdir, "test_net_ads.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS']) -+plantestsuite("samba4.blackbox.net_ads_join", "vampire_dc:client", [os.path.join(bbdir, "test_net_ads_join_to_preferred_dc.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX']) - plantestsuite("samba4.blackbox.net_offlinejoin", "ad_dc:client", [os.path.join(bbdir, "test_net_offline.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS']) - plantestsuite("samba4.blackbox.client_etypes_all(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'all', '17_18_23']) - plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'legacy', '23']) -diff --git a/testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh b/testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh -new file mode 100755 -index 00000000000..1bebc2f4dbe ---- /dev/null -+++ b/testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh -@@ -0,0 +1,61 @@ -+if [ $# -lt 4 ]; then -+ cat </dev/null | sha1sum | cut -b 1-10) -+ -+RUNDIR=$(pwd) -+cd $BASEDIR -+WORKDIR=$(mktemp -d -p .) -+WORKDIR=$(basename $WORKDIR) -+cp -a client/* $WORKDIR/ -+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf -+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf -+rm -f $WORKDIR/private/secrets.tdb -+cd $RUNDIR -+ -+failed=0 -+ -+net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" -+ -+# Load test functions -+. $(dirname $0)/subunit.sh -+. "$(dirname "${0}")/common_test_fns.inc" -+ -+# This test is run in environment with two DCs ('localdc' and 'localvampiredc') -+# The 'net ads join' has these two steps: -+# 1. create machine account at DC ('-S' points to 'localvampiredc') -+# 2. create keytab and sync the KVNO from a DC -+# -+# It must be ensured that in step #2 the keytab code contacts the same DC -+# ('localvampiredc'). The configuration below tries to break it. -+# We disable [SAF/DOMAIN/...] and [SAFJOIN/DOMAIN/...] by setting TTL to '-1' -+# And via setting 'password server' to 'localdc' we manage that -+# get_dc_list() returns 'localdc' instead of 'localvampiredc' -+# -+# As long as the keytab code is not explicitly told to use the same DC as join, -+# we get failure: -+# gensec_gse_client_prepare_ccache: Kinit for F0D26C71F6$@SAMBA.EXAMPLE.COM to access ldap/localdc.samba.example.com failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE -+ -+cat <>$BASEDIR/$WORKDIR/client.conf -+sync machine password to keytab = $BASEDIR/keytab:account_name:machine_password:sync_kvno -+password server = $DC_SERVER -+saf: join ttl = -1 -+saf: ttl = -1 -+EOF -+ -+testit "join" $VALGRIND $net_tool ads join -S$SERVER -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) -+ -+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) -+ -+rm -rf $BASEDIR/$WORKDIR -+ -+exit $failed --- -2.53.0 - - -From 5cff37091161976a979752351003c9c1deb0d39f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 28 Jul 2025 10:43:36 +0200 -Subject: [PATCH 03/59] s3:net: Pass down the server from cmdline to - sync_pw2keytabs() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This makes sure that during 'net ads join' the keytab create code -- sync_pw2keytabs() talks to the same DC at what the machine account -was created. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905 - -Signed-off-by: Andreas Schneider -Signed-off-by: Pavel Filipenský -Pair-Programmed-With: Pavel Filipenský - -Reviewed-by: Alexander Bokovoy - -Autobuild-User(master): Pavel Filipensky -Autobuild-Date(master): Fri Sep 5 13:38:33 UTC 2025 on atb-devel-224 - -(cherry picked from commit 5d1d3a8b568b5a07ed1ed537d20aa93820cecc14) ---- - selftest/knownfail | 1 - - source3/include/secrets.h | 25 ++++++++++++++---------- - source3/libads/ads_proto.h | 2 +- - source3/libads/kerberos_keytab.c | 24 ++++++++++++++++++++--- - source3/libads/trusts_util.c | 15 ++++++++------ - source3/libads/util.c | 10 ++++++---- - source3/libnet/libnet_join.c | 2 +- - source3/passdb/machine_account_secrets.c | 10 ++++++---- - source3/utils/net.c | 10 ++++++---- - source3/utils/net_ads.c | 2 +- - 10 files changed, 66 insertions(+), 35 deletions(-) - -diff --git a/selftest/knownfail b/selftest/knownfail -index 7c0e9dd00e7..ab2d79d7114 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -335,7 +335,6 @@ - ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.* - ^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued_clean - ^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing --^samba4.blackbox.net_ads_join.join - - # We currently don't send referrals for LDAP modify of non-replicated attrs - ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* -diff --git a/source3/include/secrets.h b/source3/include/secrets.h -index a454c8bb8ff..061b9c6ef34 100644 ---- a/source3/include/secrets.h -+++ b/source3/include/secrets.h -@@ -125,12 +125,15 @@ char *secrets_domain_info_string(TALLOC_CTX *mem_ctx, const struct secrets_domai - NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain, - TALLOC_CTX *mem_ctx, - struct secrets_domain_info1 **pinfo); --NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname, -- const char *cleartext_unix, -- TALLOC_CTX *mem_ctx, -- struct secrets_domain_info1 **pinfo, -- struct secrets_domain_info1_change **pprev, -- NTSTATUS (*sync_pw2keytabs_fn)(void)); -+NTSTATUS secrets_prepare_password_change( -+ const char *domain, -+ const char *dcname, -+ const char *cleartext_unix, -+ TALLOC_CTX *mem_ctx, -+ struct secrets_domain_info1 **pinfo, -+ struct secrets_domain_info1_change **pprev, -+ NTSTATUS (*sync_pw2keytabs_fn)(const char *), -+ const char *opt_host); - NTSTATUS secrets_failed_password_change(const char *change_server, - NTSTATUS local_status, - NTSTATUS remote_status, -@@ -139,10 +142,12 @@ NTSTATUS secrets_defer_password_change(const char *change_server, - NTSTATUS local_status, - NTSTATUS remote_status, - const struct secrets_domain_info1 *info); --NTSTATUS secrets_finish_password_change(const char *change_server, -- NTTIME change_time, -- const struct secrets_domain_info1 *info, -- NTSTATUS (*sync_pw2keytabs_fn)(void)); -+NTSTATUS secrets_finish_password_change( -+ const char *change_server, -+ NTTIME change_time, -+ const struct secrets_domain_info1 *info, -+ NTSTATUS (*sync_pw2keytabs_fn)(const char *), -+ const char *prefer_dc); - bool secrets_delete_machine_password_ex(const char *domain, const char *realm); - bool secrets_delete_domain_sid(const char *domain); - char *secrets_fetch_prev_machine_password(const char *domain); -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h -index 8440c35e46d..2e67eef155c 100644 ---- a/source3/libads/ads_proto.h -+++ b/source3/libads/ads_proto.h -@@ -230,6 +230,6 @@ struct spn_struct { - /* parse a windows style SPN, returns NULL if parsing fails */ - struct spn_struct *parse_spn(TALLOC_CTX *ctx, const char *srvprinc); - --NTSTATUS sync_pw2keytabs(void); -+NTSTATUS sync_pw2keytabs(const char *prefer_dc); - - #endif /* _LIBADS_ADS_PROTO_H_ */ -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index 49a892e5a55..1d4f9c12e1d 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -84,6 +84,7 @@ struct pw2kt_global_state { - char *ad_upn; - char *ad_sam_account; - char **ad_spn_array; -+ const char *prefer_dc; - size_t ad_num_spns; - /* This is from secrets.db */ - struct secrets_domain_info1 *info; -@@ -869,8 +870,11 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_global_state *state) - int count; - bool ok; - TALLOC_CTX *tmp_ctx = talloc_stackframe(); -- ADS_STRUCT *ads = ads_init( -- tmp_ctx, lp_realm(), lp_workgroup(), NULL, ADS_SASL_SIGN); -+ ADS_STRUCT *ads = ads_init(tmp_ctx, -+ lp_realm(), -+ lp_workgroup(), -+ state->prefer_dc, -+ ADS_SASL_SIGN); - - if (ads == NULL) { - DBG_ERR("ads_init() failed\n"); -@@ -1029,7 +1033,20 @@ static bool pw2kt_default_keytab_name(char *name_str, size_t name_size) - return true; - } - --NTSTATUS sync_pw2keytabs(void) -+/** -+ * @internal -+ * -+ * @brief Sync machine password from secrets to keytab -+ * -+ * @param prefer_dc The DC we should talk to. This is especially important -+ * during domain join. Pass NULL if we should pick a random -+ * one. -+ * -+ * @return An NTSTATUS error code. -+ * -+ * @see NT_STATUS_IS_OK() -+ */ -+NTSTATUS sync_pw2keytabs(const char *prefer_dc) - { - TALLOC_CTX *frame = talloc_stackframe(); - const struct loadparm_substitution *lp_sub = -@@ -1055,6 +1072,7 @@ NTSTATUS sync_pw2keytabs(void) - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } -+ state->prefer_dc = prefer_dc; - - lp_ptr = lp_sync_machine_password_to_keytab(); - if (lp_ptr == NULL) { -diff --git a/source3/libads/trusts_util.c b/source3/libads/trusts_util.c -index 6a39f32f350..c51c556e86b 100644 ---- a/source3/libads/trusts_util.c -+++ b/source3/libads/trusts_util.c -@@ -360,10 +360,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, - &info, - &prev, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ NULL /* opt_host */); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("secrets_prepare_password_change() failed for domain %s!\n", - domain)); -@@ -610,10 +611,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, - prev->password->change_time, - info, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ prev->password->change_server); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("secrets_prepare_password_change() failed for domain %s!\n", - domain)); -@@ -759,10 +761,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, - info->next_change->change_time, - info, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ info->next_change->change_server); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("secrets_finish_password_change() failed for domain %s!\n", - domain)); -diff --git a/source3/libads/util.c b/source3/libads/util.c -index 243dd09f3d0..360e556ab9b 100644 ---- a/source3/libads/util.c -+++ b/source3/libads/util.c -@@ -59,10 +59,11 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip - &info, - &prev, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ ads->auth.kdc_server); - if (!NT_STATUS_IS_OK(status)) { - return ADS_ERROR_NT(status); - } -@@ -138,10 +139,11 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip - now, - info, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ ads->auth.kdc_server); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1,("Failed to save machine password\n")); - return ADS_ERROR_NT(status); -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 5796c68e2e0..cb997dcbe23 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -867,7 +867,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, - static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { -- NTSTATUS ntstatus = sync_pw2keytabs(); -+ NTSTATUS ntstatus = sync_pw2keytabs(r->in.dc_name); - - return NT_STATUS_IS_OK(ntstatus); - } -diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c -index 0679535f026..568d77a3892 100644 ---- a/source3/passdb/machine_account_secrets.c -+++ b/source3/passdb/machine_account_secrets.c -@@ -1674,7 +1674,8 @@ NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname, - TALLOC_CTX *mem_ctx, - struct secrets_domain_info1 **pinfo, - struct secrets_domain_info1_change **pprev, -- NTSTATUS (*sync_pw2keytabs_fn)(void)) -+ NTSTATUS (*sync_pw2keytabs_fn)(const char *), -+ const char *opt_host) - { - TALLOC_CTX *frame = talloc_stackframe(); - struct db_context *db = NULL; -@@ -1770,7 +1771,7 @@ NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname, - } - - if (prev == NULL && sync_pw2keytabs_fn != NULL) { -- status = sync_pw2keytabs_fn(); -+ status = sync_pw2keytabs_fn(opt_host); - if (!NT_STATUS_IS_OK(status)) { - DBG_ERR("Sync of machine password failed.\n"); - dbwrap_transaction_cancel(db); -@@ -2023,7 +2024,8 @@ NTSTATUS secrets_defer_password_change(const char *change_server, - NTSTATUS secrets_finish_password_change(const char *change_server, - NTTIME change_time, - const struct secrets_domain_info1 *cookie, -- NTSTATUS (*sync_pw2keytabs_fn)(void)) -+ NTSTATUS (*sync_pw2keytabs_fn)(const char *), -+ const char *prefer_dc) - { - const char *domain = cookie->domain_info.name.string; - TALLOC_CTX *frame = talloc_stackframe(); -@@ -2102,7 +2104,7 @@ NTSTATUS secrets_finish_password_change(const char *change_server, - } - - if (sync_pw2keytabs_fn != NULL) { -- status = sync_pw2keytabs_fn(); -+ status = sync_pw2keytabs_fn(prefer_dc); - if (!NT_STATUS_IS_OK(status)) { - DBG_ERR("Sync of machine password failed.\n"); - TALLOC_FREE(frame); -diff --git a/source3/utils/net.c b/source3/utils/net.c -index 7ce93ced79e..ecabd980d0c 100644 ---- a/source3/utils/net.c -+++ b/source3/utils/net.c -@@ -235,10 +235,11 @@ static int net_changesecretpw(struct net_context *c, int argc, - &info, - &prev, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ c->opt_host); - if (!NT_STATUS_IS_OK(status)) { - d_fprintf(stderr, - _("Unable to write the machine account password in the secrets database")); -@@ -261,10 +262,11 @@ static int net_changesecretpw(struct net_context *c, int argc, - now, - info, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ c->opt_host); - if (!NT_STATUS_IS_OK(status)) { - d_fprintf(stderr, - _("Unable to write the machine account password in the secrets database")); -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 46531210411..753b957e43f 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -2965,7 +2965,7 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a - net_use_krb_machine_account(c); - } - -- ntstatus = sync_pw2keytabs(); -+ ntstatus = sync_pw2keytabs(c->opt_host); - ret = NT_STATUS_IS_OK(ntstatus) ? 0 : 1; - return ret; - } --- -2.53.0 - - -From 5b23ab3845597dcfcf33e2c0a7d7af820d3167a5 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Wed, 13 Aug 2025 17:02:16 +0200 -Subject: [PATCH 04/59] smbtorture: fix locking offset in - test_fruit_locking_conflict() - -AD_FILELOCK_RSRC_DENY_WR = AD_FILELOCK_BASE + 6 - = (0x7FFFFFFFFFFFFFFF - 9) + 6 - = 0x7FFFFFFFFFFFFFFC - -No change in behaviour though, just stumpled across it. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 - -Signed-off-by: Ralph Boehme -Reviewed-by: Volker Lendecke -(cherry picked from commit 3052839636f185307edb8832de9bdba4b2e2c83c) ---- - source4/torture/vfs/fruit.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source4/torture/vfs/fruit.c b/source4/torture/vfs/fruit.c -index 6bad4e409c6..e9ff4a57e66 100644 ---- a/source4/torture/vfs/fruit.c -+++ b/source4/torture/vfs/fruit.c -@@ -8002,7 +8002,7 @@ static bool test_fruit_locking_conflict(struct torture_context *tctx, - - /* Add AD_FILELOCK_RSRC_DENY_WR lock. */ - el = (struct smb2_lock_element) { -- .offset = 0xfffffffffffffffc, -+ .offset = 0x7ffffffffffffffc, - .length = 1, - .flags = SMB2_LOCK_FLAG_EXCLUSIVE, - }; --- -2.53.0 - - -From 9c7228f46c3955b0e1a3c91fd42da6f2ea864cb8 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Fri, 1 Aug 2025 17:28:04 +0200 -Subject: [PATCH 05/59] smbd: don't use sticky write times on POSIX handles - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 - -Signed-off-by: Ralph Boehme -Reviewed-by: Volker Lendecke -(cherry picked from commit 795a8c0e84f2bf2b70c8070737183e33f4254a54) ---- - source3/smbd/dosmode.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c -index 9a8ecf6e0a7..ab45f9edbb9 100644 ---- a/source3/smbd/dosmode.c -+++ b/source3/smbd/dosmode.c -@@ -1279,6 +1279,10 @@ bool set_sticky_write_time_fsp(struct files_struct *fsp, struct timespec mtime) - { - bool ok; - -+ if (fsp->fsp_flags.posix_open) { -+ return true; -+ } -+ - if (is_omit_timespec(&mtime)) { - return true; - } --- -2.53.0 - - -From ec9f60e4eda3162aec63ada4ec49574e99362989 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Fri, 19 Sep 2025 00:20:43 +0200 -Subject: [PATCH 06/59] smbtorture: add test vfs.fruit.readonly-exclusive-lock - -Verify macOS clients get Windows byterange lock behavour by trying to set an -exclusive lock on a file opened in read-only mode. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 - -Signed-off-by: Ralph Boehme -Reviewed-by: Volker Lendecke -(cherry picked from commit 777db5b50689d28c53d6b0116818601fd8e52aa8) ---- - source4/torture/vfs/fruit.c | 92 +++++++++++++++++++++++++++++++++++++ - 1 file changed, 92 insertions(+) - -diff --git a/source4/torture/vfs/fruit.c b/source4/torture/vfs/fruit.c -index e9ff4a57e66..02f7acd0fea 100644 ---- a/source4/torture/vfs/fruit.c -+++ b/source4/torture/vfs/fruit.c -@@ -7839,6 +7839,97 @@ done: - return ret; - } - -+/* -+ test exclusive byte range lock on read-only file -+*/ -+static bool test_readonly_exclusive_lock(struct torture_context *tctx, -+ struct smb2_tree *tree) -+{ -+ NTSTATUS status; -+ bool ret = true; -+ struct smb2_handle h; -+ struct smb2_create create; -+ struct smb2_lock lock; -+ struct smb2_lock_element lock_element; -+ const char *fname = "readonly_lock_test.txt"; -+ -+ torture_comment(tctx, "Testing exclusive lock on read-only opened file\n"); -+ -+ ret = enable_aapl(tctx, tree); -+ torture_assert_goto(tctx, ret == true, ret, done, "enable_aapl failed"); -+ -+ /* Clean up any existing file */ -+ smb2_util_unlink(tree, fname); -+ -+ /* Create the file first with write access to ensure it exists */ -+ ZERO_STRUCT(create); -+ create.in.desired_access = SEC_RIGHTS_FILE_ALL; -+ create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; -+ create.in.share_access = NTCREATEX_SHARE_ACCESS_READ | -+ NTCREATEX_SHARE_ACCESS_WRITE | -+ NTCREATEX_SHARE_ACCESS_DELETE; -+ create.in.create_disposition = NTCREATEX_DISP_CREATE; -+ create.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS; -+ create.in.security_flags = 0; -+ create.in.fname = fname; -+ -+ status = smb2_create(tree, tctx, &create); -+ CHECK_STATUS(status, NT_STATUS_OK); -+ -+ /* Write some data to the file */ -+ status = smb2_util_write(tree, create.out.file.handle, "test data", 0, 9); -+ CHECK_STATUS(status, NT_STATUS_OK); -+ -+ /* Close the file */ -+ status = smb2_util_close(tree, create.out.file.handle); -+ CHECK_STATUS(status, NT_STATUS_OK); -+ -+ /* Now open the file read-only */ -+ ZERO_STRUCT(create); -+ create.in.desired_access = SEC_FILE_READ_DATA | SEC_FILE_READ_ATTRIBUTE; -+ create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; -+ create.in.share_access = NTCREATEX_SHARE_ACCESS_READ | -+ NTCREATEX_SHARE_ACCESS_WRITE | -+ NTCREATEX_SHARE_ACCESS_DELETE; -+ create.in.create_disposition = NTCREATEX_DISP_OPEN; -+ create.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS; -+ create.in.security_flags = 0; -+ create.in.fname = fname; -+ -+ status = smb2_create(tree, tctx, &create); -+ CHECK_STATUS(status, NT_STATUS_OK); -+ h = create.out.file.handle; -+ -+ torture_comment(tctx, "File opened read-only successfully\n"); -+ -+ /* Attempt to set an exclusive byte-range lock */ -+ ZERO_STRUCT(lock); -+ ZERO_STRUCT(lock_element); -+ -+ lock.in.lock_count = 1; -+ lock.in.lock_sequence = 0; -+ lock.in.file.handle = h; -+ lock.in.locks = &lock_element; -+ -+ lock_element.offset = 0; -+ lock_element.length = 100; -+ lock_element.flags = SMB2_LOCK_FLAG_EXCLUSIVE | SMB2_LOCK_FLAG_FAIL_IMMEDIATELY; -+ -+ torture_comment(tctx, "Attempting to set exclusive lock on read-only file\n"); -+ -+ status = smb2_lock(tree, &lock); -+ CHECK_STATUS(status, NT_STATUS_OK); -+ -+done: -+ /* Close the file */ -+ smb2_util_close(tree, h); -+ -+ /* Clean up */ -+ smb2_util_unlink(tree, fname); -+ -+ return ret; -+} -+ - /* - * Note: This test depends on "vfs objects = catia fruit streams_xattr". For - * some tests torture must be run on the host it tests and takes an additional -@@ -7885,6 +7976,7 @@ struct torture_suite *torture_vfs_fruit(TALLOC_CTX *ctx) - torture_suite_add_1smb2_test(suite, "empty_stream", test_empty_stream); - torture_suite_add_1smb2_test(suite, "writing_afpinfo", test_writing_afpinfo); - torture_suite_add_1smb2_test(suite, "delete_trigger_convert_sharing_violation", test_delete_trigger_convert_sharing_violation); -+ torture_suite_add_1smb2_test(suite, "readonly-exclusive-lock", test_readonly_exclusive_lock); - - return suite; - } --- -2.53.0 - - -From 87e6e2d0cdb78cfe9b372732439706d94a5ea7a2 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Fri, 19 Sep 2025 06:43:57 +0200 -Subject: [PATCH 07/59] smbtorture: add test vfs.fruit.case_insensitive_find - -Verifies case insensitive directory scanning works. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 - -Signed-off-by: Ralph Boehme -Reviewed-by: Volker Lendecke -(cherry picked from commit 68ed6279335cfac13a624ae8a7738dac3d9b0d1a) ---- - source4/torture/vfs/fruit.c | 85 ++++++++++++++++++++++++++++++++++++- - 1 file changed, 84 insertions(+), 1 deletion(-) - -diff --git a/source4/torture/vfs/fruit.c b/source4/torture/vfs/fruit.c -index 02f7acd0fea..a6f86cd5edf 100644 ---- a/source4/torture/vfs/fruit.c -+++ b/source4/torture/vfs/fruit.c -@@ -7930,6 +7930,89 @@ done: - return ret; - } - -+/* -+ * Test case-insensitive file finding with AAPL extensions -+ * Add this function to source4/torture/vfs/fruit.c -+ */ -+ -+static bool test_case_insensitive_find(struct torture_context *tctx, -+ struct smb2_tree *tree) -+{ -+ NTSTATUS status; -+ bool ret = true; -+ const char *fname = "TestFile.txt"; -+ const char *fname_upper = "TESTFILE.TXT"; -+ struct smb2_handle testdirh; -+ struct smb2_handle h1; -+ struct smb2_create create; -+ struct smb2_find f; -+ union smb_search_data *d; -+ uint_t count; -+ -+ smb2_deltree(tree, BASEDIR); -+ -+ status = torture_smb2_testdir(tree, BASEDIR, &testdirh); -+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, -+ "torture_smb2_testdir failed"); -+ -+ /* Enable AAPL extensions */ -+ ret = enable_aapl(tctx, tree); -+ torture_assert_goto(tctx, ret, ret, done, -+ "enable_aapl failed"); -+ -+ /* Create test file */ -+ ZERO_STRUCT(create); -+ create.in.desired_access = SEC_RIGHTS_FILE_ALL; -+ create.in.file_attributes = FILE_ATTRIBUTE_NORMAL; -+ create.in.share_access = NTCREATEX_SHARE_ACCESS_READ | -+ NTCREATEX_SHARE_ACCESS_WRITE | -+ NTCREATEX_SHARE_ACCESS_DELETE; -+ create.in.create_disposition = NTCREATEX_DISP_CREATE; -+ create.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS; -+ create.in.fname = talloc_asprintf(tctx, "%s\\%s", BASEDIR, fname); -+ -+ status = smb2_create(tree, tctx, &create); -+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, -+ talloc_asprintf(tctx, "failed to create %s", fname)); -+ h1 = create.out.file.handle; -+ -+ /* Close the file */ -+ status = smb2_util_close(tree, h1); -+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, -+ "failed to close test file"); -+ -+ /* Search for file using different case */ -+ f = (struct smb2_find) { -+ .in.file.handle = testdirh, -+ .in.pattern = fname_upper, -+ .in.max_response_size = 0x1000, -+ .in.level = SMB2_FIND_ID_BOTH_DIRECTORY_INFO, -+ }; -+ -+ status = smb2_find_level(tree, tctx, &f, &count, &d); -+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, -+ talloc_asprintf(tctx, "smb2_find_level failed searching for %s", fname_upper)); -+ -+ /* Verify we found exactly one file */ -+ torture_assert_int_equal_goto(tctx, count, 1, ret, done, -+ talloc_asprintf(tctx, "Expected 1 file, got %u", count)); -+ -+ /* Verify the filename matches our original file (case may differ) */ -+ torture_assert_str_equal_goto(tctx, -+ d[0].id_both_directory_info.name.s, fname, ret, done, -+ talloc_asprintf(tctx, "Found file name '%s' doesn't match expected '%s'", -+ d[0].directory_info.name.s, fname)); -+ -+ torture_comment(tctx, "Case-insensitive find test passed: " -+ "searched for '%s', found '%s'\n", -+ fname_upper, d[0].id_both_directory_info.name.s); -+ -+done: -+ smb2_util_close(tree, testdirh); -+ smb2_deltree(tree, BASEDIR); -+ return ret; -+} -+ - /* - * Note: This test depends on "vfs objects = catia fruit streams_xattr". For - * some tests torture must be run on the host it tests and takes an additional -@@ -7977,7 +8060,7 @@ struct torture_suite *torture_vfs_fruit(TALLOC_CTX *ctx) - torture_suite_add_1smb2_test(suite, "writing_afpinfo", test_writing_afpinfo); - torture_suite_add_1smb2_test(suite, "delete_trigger_convert_sharing_violation", test_delete_trigger_convert_sharing_violation); - torture_suite_add_1smb2_test(suite, "readonly-exclusive-lock", test_readonly_exclusive_lock); -- -+ torture_suite_add_1smb2_test(suite, "case_insensitive_find", test_case_insensitive_find); - return suite; - } - --- -2.53.0 - - -From 98e1a3b39cb3e4fa03ac8340338179cd85df18f3 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Mon, 10 Mar 2025 15:01:42 +0100 -Subject: [PATCH 08/59] vfs_fruit: add option "fruit:posix_opens = yes|no" - (default: yes) - -Tags alls opens as POSIX by setting fsp_flags.posix_open to true. - -POSIX handles have different behaviour compared to Windows: - -Behaviour | POSIX | Windows | macOS |fruit:posix_opens = yes ------------------------------------+------------+---------------------------------------- -Deleting files with open handles | yes | no | yes | yes -Moving directories with open files | yes | no | yes | yes -Byterange locks behaviour | POSIX-ish | Window-ish | POSIX-ish | POSIX-ish -Sticky writetime | no | yes | no | no -Case sensitive | no | yes | yes | yes -Streams allowed | no | yes | yes | yes - -macOS follows POSIX for the first four, but needs case insensitive behaviour -and needs streams. - -By carefully setting fsp_flags.posix_open to true *after* going through the path -resolution logic, but before opens are added to locking.tdb, with -"fruit:posix_opens = yes" we get closest to macOS semantics. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 - -Signed-off-by: Ralph Boehme -Reviewed-by: Volker Lendecke -(backported from commit e86f0c2de80e2409bfe3fc12df24e94470988e3c) -[slow@samba.org: conflict due to optino veto_localized only present in master] ---- - docs-xml/manpages/vfs_fruit.8.xml | 15 +++++++++++++ - selftest/knownfail.d/samba3.vfs.fruit | 2 ++ - source3/include/vfs.h | 18 ++++++++++++++++ - source3/modules/vfs_fruit.c | 31 ++++++++++++++++++++++----- - 4 files changed, 61 insertions(+), 5 deletions(-) - -diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml -index 9e27030b660..21c2e76de8d 100644 ---- a/docs-xml/manpages/vfs_fruit.8.xml -+++ b/docs-xml/manpages/vfs_fruit.8.xml -@@ -426,6 +426,21 @@ - - - -+ -+ fruit:posix_opens = yes | no -+ -+ -+ When fruit:posix_opens is set to -+ yes, vfs_fruit will internally translate -+ all filesystem semantics to use POSIX behaviour instead of Windows -+ behaviour. As Macs are closer to POSIX than Windows with regard -+ to filesystem semantics, this improves access semantics for -+ a lot of corner cases. -+ The default is yes. -+ -+ -+ -+ - - - -diff --git a/selftest/knownfail.d/samba3.vfs.fruit b/selftest/knownfail.d/samba3.vfs.fruit -index 6307e2b3404..b774b0503e7 100644 ---- a/selftest/knownfail.d/samba3.vfs.fruit -+++ b/selftest/knownfail.d/samba3.vfs.fruit -@@ -1,2 +1,4 @@ - ^samba3.vfs.fruit streams_depot.OS X AppleDouble file conversion\(nt4_dc\) - ^samba3.vfs.fruit streams_depot.OS X AppleDouble file conversion without embedded xattr\(nt4_dc\) -+^samba3.vfs.fruit.*readonly-exclusive-lock\(.*\) -+^samba3.vfs.fruit.*case_insensitive_find\(.*\) -diff --git a/source3/include/vfs.h b/source3/include/vfs.h -index 581148fa053..cab809de5d3 100644 ---- a/source3/include/vfs.h -+++ b/source3/include/vfs.h -@@ -462,6 +462,15 @@ typedef struct files_struct { - bool lock_failure_seen : 1; - bool encryption_required : 1; - bool fstat_before_close : 1; -+ /* -+ * For POSIX clients struct files_struct.fsp_flags.posix_open -+ * and struct smb_filename.flags SMB_FILENAME_POSIX_PATH will -+ * always be set to the same value. -+ * -+ * For macOS clients vfs_fruit with fruit:posix_open=yes, we -+ * deliberately set both flags to fsp_flags.posix_open=true -+ * while SMB_FILENAME_POSIX_PATH will not be set. -+ */ - bool posix_open : 1; - bool posix_append : 1; - } fsp_flags; -@@ -886,6 +895,15 @@ struct smb_filename { - struct fsp_smb_fname_link *fsp_link; - }; - -+/* -+ * For POSIX clients struct files_struct.fsp_flags.posix_open -+ * and struct smb_filename.flags SMB_FILENAME_POSIX_PATH will -+ * always be set to the same value. -+ * -+ * For macOS clients vfs_fruit with fruit:posix_open=yes, we -+ * deliberately set both flags to fsp_flags.posix_open=true -+ * while SMB_FILENAME_POSIX_PATH will not be set. -+ */ - #define SMB_FILENAME_POSIX_PATH 0x01 - - enum vfs_translate_direction { -diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c -index ba744e52a96..ce9cba2525c 100644 ---- a/source3/modules/vfs_fruit.c -+++ b/source3/modules/vfs_fruit.c -@@ -125,6 +125,7 @@ struct fruit_config_data { - bool use_aapl; /* config from smb.conf */ - bool use_copyfile; - bool readdir_attr_enabled; -+ bool posix_opens; - bool unix_info_enabled; - bool copyfile_enabled; - bool veto_appledouble; -@@ -339,6 +340,9 @@ static int init_fruit_config(vfs_handle_struct *handle) - config->use_copyfile = lp_parm_bool(-1, FRUIT_PARAM_TYPE_NAME, - "copyfile", false); - -+ config->posix_opens = lp_parm_bool( -+ SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, "posix_opens", true); -+ - config->aapl_zero_file_id = - lp_parm_bool(SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, - "zero_file_id", true); -@@ -1754,16 +1758,27 @@ static int fruit_openat(vfs_handle_struct *handle, - files_struct *fsp, - const struct vfs_open_how *how) - { -+ struct fruit_config_data *config = NULL; - int fd; - -+ SMB_VFS_HANDLE_GET_DATA(handle, config, -+ struct fruit_config_data, return -1); -+ - DBG_DEBUG("Path [%s]\n", smb_fname_str_dbg(smb_fname)); - - if (!is_named_stream(smb_fname)) { -- return SMB_VFS_NEXT_OPENAT(handle, -- dirfsp, -- smb_fname, -- fsp, -- how); -+ fd = SMB_VFS_NEXT_OPENAT(handle, -+ dirfsp, -+ smb_fname, -+ fsp, -+ how); -+ if (fd == -1) { -+ return -1; -+ } -+ if (config->posix_opens && global_fruit_config.nego_aapl) { -+ fsp->fsp_flags.posix_open = true; -+ } -+ return fd; - } - - if (how->resolve != 0) { -@@ -1798,7 +1813,13 @@ static int fruit_openat(vfs_handle_struct *handle, - DBG_DEBUG("Path [%s] fd [%d]\n", smb_fname_str_dbg(smb_fname), fd); - - /* Prevent reopen optimisation */ -+ if (fd == -1) { -+ return -1; -+ } - fsp->fsp_flags.have_proc_fds = false; -+ if (config->posix_opens && global_fruit_config.nego_aapl) { -+ fsp->fsp_flags.posix_open = true; -+ } - return fd; - } - --- -2.53.0 - - -From 1549f90eccfe838fe984cebe0c02f768b50666f2 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Thu, 18 Sep 2025 23:44:34 +0200 -Subject: [PATCH 09/59] smbd: hang posix brl per-handle check on the pathname - -For the SMB3 POSIX client both posix_open=true and (fsp->fsp_name->flags & -SMB_FILENAME_POSIX_PATH) will always be the case, so this is no change in -behaviour for that case. - -However, for the macOS client fruit will carefully setup both flags as -posix_open=true but SMB_FILENAME_POSIX_PATH will not be set. - -This is a deliberate hack to give the macOS client POSIX behaviour for some -operations, but not for others, while also allowing the POSIX-ified macOS client -to continue to get case insensitive behavour. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 - -Signed-off-by: Ralph Boehme -Reviewed-by: Volker Lendecke -(cherry picked from commit 75fa416f911f1f30aae8bdf14b423140874acaa0) ---- - selftest/knownfail.d/samba3.vfs.fruit | 1 - - source3/smbd/smb2_lock.c | 16 +++++++++++++++- - 2 files changed, 15 insertions(+), 2 deletions(-) - -diff --git a/selftest/knownfail.d/samba3.vfs.fruit b/selftest/knownfail.d/samba3.vfs.fruit -index b774b0503e7..b51c887c212 100644 ---- a/selftest/knownfail.d/samba3.vfs.fruit -+++ b/selftest/knownfail.d/samba3.vfs.fruit -@@ -1,4 +1,3 @@ - ^samba3.vfs.fruit streams_depot.OS X AppleDouble file conversion\(nt4_dc\) - ^samba3.vfs.fruit streams_depot.OS X AppleDouble file conversion without embedded xattr\(nt4_dc\) --^samba3.vfs.fruit.*readonly-exclusive-lock\(.*\) - ^samba3.vfs.fruit.*case_insensitive_find\(.*\) -diff --git a/source3/smbd/smb2_lock.c b/source3/smbd/smb2_lock.c -index 8591b2fbd2c..73a341eff79 100644 ---- a/source3/smbd/smb2_lock.c -+++ b/source3/smbd/smb2_lock.c -@@ -381,8 +381,22 @@ static struct tevent_req *smbd_smb2_lock_send(TALLOC_CTX *mem_ctx, - - for (i=0; ifsp_flags.posix_open; -+ bool posix_handle = fsp->fsp_name->flags & -+ SMB_FILENAME_POSIX_PATH; - -+ /* -+ * For POSIX clients struct files_struct.fsp_flags.posix_open -+ * and struct smb_filename.flags SMB_FILENAME_POSIX_PATH will -+ * always be set to the same value. -+ * -+ * For macOS clients vfs_fruit with fruit:posix_open=yes, we -+ * deliberately set both flags to fsp_flags.posix_open=true -+ * while SMB_FILENAME_POSIX_PATH will not be set. -+ * -+ * By deliberately checking the fsp_name flag here instead of -+ * the fsp flag, Byterange Lock processing uses Windows -+ * behaviour for macOS clients which is what we want. -+ */ - switch (in_locks[i].flags) { - case SMB2_LOCK_FLAG_SHARED: - case SMB2_LOCK_FLAG_EXCLUSIVE: --- -2.53.0 - - -From fe490422b79c74fc789358c191d157d31761be68 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Thu, 18 Sep 2025 20:35:22 +0200 -Subject: [PATCH 10/59] smbd: hang directory pattern matching case sensitivity - on the pathname - -For the SMB3 POSIX client both posix_open=true and (fsp->fsp_name->flags & -SMB_FILENAME_POSIX_PATH) will always be the case, so this is no change in -behaviour for that case. - -However, for the macOS client fruit will carefully setup both flags as -posix_open=true but SMB_FILENAME_POSIX_PATH will not be set. - -This is a deliberate hack to give the macOS client POSIX behaviour for some -operations, but not for others, while also allowing the POSIX-ified macOS client -to continue to get case insensitive behavour. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 - -Signed-off-by: Ralph Boehme -Reviewed-by: Volker Lendecke -(cherry picked from commit b3132202cf787cc9fb061e39eaf1509157f53953) ---- - selftest/knownfail.d/samba3.vfs.fruit | 1 - - source3/smbd/dir.c | 2 +- - 2 files changed, 1 insertion(+), 2 deletions(-) - -diff --git a/selftest/knownfail.d/samba3.vfs.fruit b/selftest/knownfail.d/samba3.vfs.fruit -index b51c887c212..6307e2b3404 100644 ---- a/selftest/knownfail.d/samba3.vfs.fruit -+++ b/selftest/knownfail.d/samba3.vfs.fruit -@@ -1,3 +1,2 @@ - ^samba3.vfs.fruit streams_depot.OS X AppleDouble file conversion\(nt4_dc\) - ^samba3.vfs.fruit streams_depot.OS X AppleDouble file conversion without embedded xattr\(nt4_dc\) --^samba3.vfs.fruit.*case_insensitive_find\(.*\) -diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c -index afc9c74dfdd..c72fd4349d2 100644 ---- a/source3/smbd/dir.c -+++ b/source3/smbd/dir.c -@@ -1171,7 +1171,7 @@ static NTSTATUS OpenDir_fsp( - goto fail; - } - dir_hnd->fsp = fsp; -- if (fsp->fsp_flags.posix_open) { -+ if (fsp->fsp_name->flags & SMB_FILENAME_POSIX_PATH) { - dir_hnd->case_sensitive = true; - } else { - dir_hnd->case_sensitive = conn->case_sensitive; --- -2.53.0 - - -From 68d6be8e2c68385797b9c9f51d87b601a9eace33 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Sat, 6 Sep 2025 08:48:44 +0200 -Subject: [PATCH 11/59] vfs_fruit: ignore Set-ACL requests with zero ACEs - -Workaround for a new behaviour in latest macOS versions. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 - -Signed-off-by: Ralph Boehme -Reviewed-by: Volker Lendecke -(backported from commit a112978ed1240c399eb90e4472d5c43d867c49d9) -[slow@samba.org: conflict due to option veto_localized present only in master] ---- - docs-xml/manpages/vfs_fruit.8.xml | 18 ++++++++++++++++++ - source3/modules/vfs_fruit.c | 18 ++++++++++++++++++ - 2 files changed, 36 insertions(+) - -diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml -index 21c2e76de8d..13748c110fb 100644 ---- a/docs-xml/manpages/vfs_fruit.8.xml -+++ b/docs-xml/manpages/vfs_fruit.8.xml -@@ -441,6 +441,24 @@ - - - -+ -+ fruit:ignore_zero_aces = yes | no -+ -+ -+ When fruit:ignore_zero_aces is -+ enabled, attempts to modify filesystem permissions fail if the ACL -+ sent over the wire contains no ACEs. This is completely valid -+ client behaviour, but it means subsequently no further access is -+ possible to the file, unless permissions get fixed by an -+ administrator. -+ This problematic behaviour has been reported for latest -+ macOS versions and this new option allows to work around -+ it. -+ The default is yes. -+ -+ -+ -+ - - - -diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c -index ce9cba2525c..213d4cc3eeb 100644 ---- a/source3/modules/vfs_fruit.c -+++ b/source3/modules/vfs_fruit.c -@@ -137,6 +137,7 @@ struct fruit_config_data { - bool wipe_intentionally_left_blank_rfork; - bool delete_empty_adfiles; - bool validate_afpinfo; -+ bool ignore_zero_aces; - - /* - * Additional options, all enabled by default, -@@ -343,6 +344,11 @@ static int init_fruit_config(vfs_handle_struct *handle) - config->posix_opens = lp_parm_bool( - SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, "posix_opens", true); - -+ config->ignore_zero_aces = lp_parm_bool(SNUM(handle->conn), -+ FRUIT_PARAM_TYPE_NAME, -+ "ignore_zero_aces", -+ true); -+ - config->aapl_zero_file_id = - lp_parm_bool(SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, - "zero_file_id", true); -@@ -4626,6 +4632,7 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, - uint32_t security_info_sent, - const struct security_descriptor *orig_psd) - { -+ struct fruit_config_data *config = NULL; - NTSTATUS status; - bool do_chmod; - mode_t ms_nfs_mode = 0; -@@ -4633,6 +4640,10 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, - struct security_descriptor *psd = NULL; - uint32_t orig_num_aces = 0; - -+ SMB_VFS_HANDLE_GET_DATA(handle, config, -+ struct fruit_config_data, -+ return NT_STATUS_UNSUCCESSFUL); -+ - if (orig_psd->dacl != NULL) { - orig_num_aces = orig_psd->dacl->num_aces; - } -@@ -4644,6 +4655,13 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, - - DBG_DEBUG("%s\n", fsp_str_dbg(fsp)); - -+ if (config->ignore_zero_aces && (psd->dacl->num_aces == 0)) { -+ /* -+ * Just ignore Set-ACL requests with zero ACEs. -+ */ -+ return NT_STATUS_OK; -+ } -+ - status = check_ms_nfs(handle, fsp, psd, &ms_nfs_mode, &do_chmod); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("fruit_fset_nt_acl: check_ms_nfs failed%s\n", fsp_str_dbg(fsp))); --- -2.53.0 - - -From 73d2494edfc58bd8c8806c7ca6aeb38bb2310cee Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Fri, 14 Nov 2025 14:55:12 +0100 -Subject: [PATCH 12/59] vfs_fruit: psd->dacl can be NULL, use orig_num_aces - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15926 - -Signed-off-by: Ralph Boehme -Reviewed-by: Volker Lendecke - -Autobuild-User(master): Volker Lendecke -Autobuild-Date(master): Tue Nov 18 10:13:44 UTC 2025 on atb-devel-224 - -(cherry picked from commit 0de67cf0748139920006a4dd65cb77c874c3595f) - -Autobuild-User(v4-23-test): Jule Anger -Autobuild-Date(v4-23-test): Wed Nov 26 11:26:55 UTC 2025 on atb-devel-224 - -(cherry picked from commit b3f2445aef48e855f689de864d770fc2130f0ecc) ---- - source3/modules/vfs_fruit.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c -index 213d4cc3eeb..795f79ce09c 100644 ---- a/source3/modules/vfs_fruit.c -+++ b/source3/modules/vfs_fruit.c -@@ -4655,7 +4655,7 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct *handle, - - DBG_DEBUG("%s\n", fsp_str_dbg(fsp)); - -- if (config->ignore_zero_aces && (psd->dacl->num_aces == 0)) { -+ if (config->ignore_zero_aces && (orig_num_aces == 0)) { - /* - * Just ignore Set-ACL requests with zero ACEs. - */ --- -2.53.0 - - -From 0b0e342500042b80dedda6c5bd1d9d2598f710ca Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 2 Dec 2025 14:02:08 +0100 -Subject: [PATCH 13/59] Revert "ldb: User hexchars_upper from replace.h" - -This reverts commit 542cf01bfe530a83dfbc8a606d182c0a5a622059. - -We shouldn't put a hard requirement for libreplace in libldb! We do not need -libreplace on Linux until we start using hexbytes_upper. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15961 - -Signed-off-by: Andreas Schneider -Reviewed-by: Douglas Bagnall -(cherry picked from commit 1bb25c0e01d35b1adb3137cb193de27f5c5a65f0) - -Autobuild-User(v4-23-test): Jule Anger -Autobuild-Date(v4-23-test): Thu Dec 11 17:00:21 UTC 2025 on atb-devel-224 ---- - lib/ldb/common/ldb_dn.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c -index 5b8c0f4f580..389da444904 100644 ---- a/lib/ldb/common/ldb_dn.c -+++ b/lib/ldb/common/ldb_dn.c -@@ -232,10 +232,15 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len) - case '\0': { - /* any others get \XX form */ - unsigned char v; -+ /* -+ * Do not use libreplace for this. We don't want to have -+ * a hard requirement for it. -+ */ -+ const char *hexbytes = "0123456789ABCDEF"; - v = (const unsigned char)c; - *d++ = '\\'; -- *d++ = hexchars_upper[v>>4]; -- *d++ = hexchars_upper[v&0xF]; -+ *d++ = hexbytes[v>>4]; -+ *d++ = hexbytes[v&0xF]; - break; - } - default: -@@ -2100,7 +2105,7 @@ int ldb_dn_set_extended_component(struct ldb_dn *dn, - unsigned int i; - struct ldb_val v2; - const struct ldb_dn_extended_syntax *ext_syntax; -- -+ - if ( ! ldb_dn_validate(dn)) { - return LDB_ERR_OTHER; - } --- -2.53.0 - - -From d8558ac294e7c622e6bb1239635e4e17f5f6e8cf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 19 Jan 2026 14:33:52 +0100 -Subject: [PATCH 14/59] s3:libads: Reset ads->config.flags in ads_disconnect() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is doing the same thing in ads_disconnect() as commit -a26f535 Clear previous CLDAP ping flags when reusing the ADS_STRUCT -did in ads_current_time() - -In this case we: - -1) found cached ADS_STRUCT which already has ads->config.flags set: - - lookup_groupmem() - ads_cached_connection() - ads_cached_connection_reuse() - -2) started search which immediately timeouts (the cached conn. was dead) - - ads_do_search_retry_internal() - ldap_search_with_timeout() - IO_TIMEOUT - -3) Retry loop finds a new DC and tries to connect - - ads_do_search_retry_internal() - ads_disconnect() - ads_find_dc() - ads_try_connect() - netlogon_pings() - check_cldap_reply_required_flags() - -4) check_cldap_reply_required_flags() fails since ads->config.flags - (stored possibly long time ago) contain: - - NBT_SERVER_CLOSEST 0x00000080 - which is misinterpreted as: - DS_PDC_REQUIRED 0x00000080 - - the newly found DC is not PDC (we asked for DS_ONLY_LDAP_NEEDED) - and since previous DC had NBT_SERVER_CLOSEST we want DS_PDC_REQUIRED - and fail. - -We should anyway avoid mixing independent namespaces NBT_* and DS_* -in the same flag. -Next commit will do that. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider -(cherry picked from commit 9f3a35991feb01a8d2c2b69fa0b914bbc637a809) ---- - source3/libads/ldap.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 49fa1d47298..8dde09e3551 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -1261,6 +1261,7 @@ void ads_disconnect(ADS_STRUCT *ads) - if (ads->ldap_wrap_data.mem_ctx) { - talloc_free(ads->ldap_wrap_data.mem_ctx); - } -+ ads->config.flags = 0; - ads_zero_ldap(ads); - ZERO_STRUCT(ads->ldap_tls_data); - ZERO_STRUCT(ads->ldap_wrap_data); --- -2.53.0 - - -From 37cbf09ec9b9bacd2c9e8fd50bd4b80046388d9a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Sun, 18 Jan 2026 01:04:11 +0100 -Subject: [PATCH 15/59] s3:libads: Separate use of ads->config.flags for NBT_* - and DS_* values -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Use of ads->config.flags is overloaded. - -It is used to: - -- pass DS_* flags down to cldap_netlogon() -- store the server_type from NETLOGON_SAM_LOGON_RESPONSE - -Both cases use different values and cannot be combined. -E.g. flags mess up with value 0x00000080 - -NBT_SERVER_CLOSEST 0x00000080 -DS_PDC_REQUIRED 0x00000080 - -Let's create two separate flags - -nbt_server_type server_flags; /* NBT_* cldap flags identifying the services. */ -uint32 required_flags; /* DS_* - Netlogon flags */ - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Pavel Filipensky -Autobuild-Date(master): Thu Jan 22 09:14:25 UTC 2026 on atb-devel-224 - -(cherry picked from commit 7483903575eab97773a992149d64511d5ec6f256) ---- - source3/libads/ldap.c | 46 ++++++++++++++++++---------------- - source3/librpc/idl/ads.idl | 4 ++- - source3/libsmb/namequery_dc.c | 4 ++- - source3/winbindd/winbindd_cm.c | 6 ++--- - 4 files changed, 33 insertions(+), 27 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 8dde09e3551..ac57489d1eb 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -237,7 +237,7 @@ bool ads_sitename_match(ADS_STRUCT *ads) - - bool ads_closest_dc(ADS_STRUCT *ads) - { -- if (ads->config.flags & NBT_SERVER_CLOSEST) { -+ if (ads->config.server_flags & NBT_SERVER_CLOSEST) { - DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n")); - return True; - } -@@ -344,7 +344,7 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads, - sitename_store(cldap_reply->dns_domain, cldap_reply->client_site); - - /* Leave this until last so that the flags are not clobbered */ -- ads->config.flags = cldap_reply->server_type; -+ ads->config.server_flags = cldap_reply->server_type; - - ret = true; - -@@ -379,7 +379,8 @@ static bool ads_try_connect(ADS_STRUCT *ads, bool gc, - ok = ads_cldap_netlogon_5(frame, - ss, - ads->server.realm, -- ads->config.flags | DS_ONLY_LDAP_NEEDED, -+ ads->config.required_flags | -+ DS_ONLY_LDAP_NEEDED, - &cldap_reply); - if (!ok) { - DBG_NOTICE("ads_cldap_netlogon_5(%s, %s) failed.\n", -@@ -490,20 +491,21 @@ again: - return status; - } - -- status = netlogon_pings(frame, /* mem_ctx */ -- lp_client_netlogon_ping_protocol(), /* proto */ -- ts_list, /* servers */ -- num_requests, /* num_servers */ -- (struct netlogon_ping_filter){ -- .ntversion = nt_version, -- .domain = ads->server.realm, -- .acct_ctrl = -1, -- .required_flags = ads->config.flags | -- DS_ONLY_LDAP_NEEDED, -- }, -- 1, /* wanted_servers */ -- endtime, /* timeout */ -- &responses); -+ status = netlogon_pings( -+ frame, /* mem_ctx */ -+ lp_client_netlogon_ping_protocol(), /* proto */ -+ ts_list, /* servers */ -+ num_requests, /* num_servers */ -+ (struct netlogon_ping_filter){ -+ .ntversion = nt_version, -+ .domain = ads->server.realm, -+ .acct_ctrl = -1, -+ .required_flags = ads->config.required_flags | -+ DS_ONLY_LDAP_NEEDED, -+ }, -+ 1, /* wanted_servers */ -+ endtime, /* timeout */ -+ &responses); - if (!NT_STATUS_IS_OK(status)) { - DBG_WARNING("netlogon_pings(realm=%s, num_requests=%zu) " - "for count[%zu] - %s\n", -@@ -1261,7 +1263,7 @@ void ads_disconnect(ADS_STRUCT *ads) - if (ads->ldap_wrap_data.mem_ctx) { - talloc_free(ads->ldap_wrap_data.mem_ctx); - } -- ads->config.flags = 0; -+ ads->config.server_flags = 0; - ads_zero_ldap(ads); - ZERO_STRUCT(ads->ldap_tls_data); - ZERO_STRUCT(ads->ldap_wrap_data); -@@ -3726,10 +3728,10 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads) - } - - /* -- * Reset ads->config.flags as it can contain the flags -+ * Reset flags as it can contain the flags - * returned by the previous CLDAP ping when reusing the struct. - */ -- ads_s->config.flags = 0; -+ ads_s->config.server_flags = 0; - - status = ads_connect_simple_anon(ads_s); - if ( !ADS_ERR_OK(status)) -@@ -3815,10 +3817,10 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val) - } - - /* -- * Reset ads->config.flags as it can contain the flags -+ * Reset flags as it can contain the flags - * returned by the previous CLDAP ping when reusing the struct. - */ -- ads_s->config.flags = 0; -+ ads_s->config.server_flags = 0; - - status = ads_connect_simple_anon(ads_s); - if ( !ADS_ERR_OK(status)) -diff --git a/source3/librpc/idl/ads.idl b/source3/librpc/idl/ads.idl -index 381447a1a29..20941e90346 100644 ---- a/source3/librpc/idl/ads.idl -+++ b/source3/librpc/idl/ads.idl -@@ -6,6 +6,7 @@ - */ - - import "nbt.idl"; -+import "netlogon.idl"; - - cpp_quote("#include ") - -@@ -51,7 +52,8 @@ interface ads - } ads_auth; - - typedef [nopull,nopush] struct { -- nbt_server_type flags; /* cldap flags identifying the services. */ -+ nbt_server_type server_flags; /* NBT_* cldap flags identifying the services. */ -+ netr_DsRGetDCName_flags required_flags; /* DS_* - Netlogon flags */ - string workgroup; - string realm; - string bind_path; -diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c -index 3a2f22129b8..3d771d77b8d 100644 ---- a/source3/libsmb/namequery_dc.c -+++ b/source3/libsmb/namequery_dc.c -@@ -109,7 +109,9 @@ static bool ads_dc_name(const char *domain, - } - - #ifdef HAVE_ADS -- if (is_our_primary_domain(domain) && (ads->config.flags & NBT_SERVER_KDC)) { -+ if (is_our_primary_domain(domain) && -+ (ads->config.server_flags & NBT_SERVER_KDC)) -+ { - if (ads_closest_dc(ads)) { - /* We're going to use this KDC for this realm/domain. - If we are using sites, then force the krb5 libs -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c -index 2c18aeba060..45b68ebe561 100644 ---- a/source3/winbindd/winbindd_cm.c -+++ b/source3/winbindd/winbindd_cm.c -@@ -1061,7 +1061,7 @@ static bool dcip_check_name_ads(const struct winbindd_domain *domain, - ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto out; - } -- ads->config.flags |= request_flags; -+ ads->config.required_flags |= request_flags; - ads->server.no_fallback = true; - - ads_status = ads_connect_cldap_only(ads); -@@ -1077,9 +1077,9 @@ static bool dcip_check_name_ads(const struct winbindd_domain *domain, - } - namecache_store(name, 0x20, 1, sa); - -- DBG_DEBUG("CLDAP flags = 0x%"PRIx32"\n", ads->config.flags); -+ DBG_DEBUG("CLDAP flags = 0x%" PRIx32 "\n", ads->config.server_flags); - -- if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) { -+ if (domain->primary && (ads->config.server_flags & NBT_SERVER_KDC)) { - if (ads_closest_dc(ads)) { - char *sitename = sitename_fetch(tmp_ctx, - ads->config.realm); --- -2.53.0 - - -From e02f1dca11cbee015923d9e8c141a727dc1c02d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Thu, 22 Jan 2026 14:27:09 +0100 -Subject: [PATCH 16/59] s3:libads: Allocate cli_credentials on a stackframe -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This fixes: -ERROR: talloc_free with references at ../../source3/libads/ldap_utils.c:158 - -What happens: - -* `struct cli_credentials *creds` is allocated on `ads` talloc context -* gensec_set_credentials() creates a talloc_reference to `creds` -* TALLOC_FREE(creds) sees two parents and complains - -All other code is using temporary talloc_stackframe() for `creds`. -Do it here as well. - -Signed-off-by: Pavel Filipenský -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Fri Jan 23 11:20:28 UTC 2026 on atb-devel-224 ---- - source3/libads/ldap_utils.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c -index 9d6d962a2bc..d01afa69697 100644 ---- a/source3/libads/ldap_utils.c -+++ b/source3/libads/ldap_utils.c -@@ -99,6 +99,7 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind - struct cli_credentials *creds = NULL; - char *cred_name = NULL; - NTSTATUS ntstatus; -+ TALLOC_CTX *frame = talloc_stackframe(); - - if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) && - ads->config.ldap_page_size >= (lp_ldap_page_size() / 4) && -@@ -119,18 +120,20 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind - DBG_NOTICE("Search for %s in <%s> failed: %s\n", - expr, bp, ads_errstr(status)); - SAFE_FREE(bp); -+ TALLOC_FREE(frame); - return status; - } - - ntstatus = ads->auth.reconnect_state->fn(ads, - ads->auth.reconnect_state->private_data, -- ads, &creds); -+ frame, &creds); - if (!NT_STATUS_IS_OK(ntstatus)) { - DBG_WARNING("Failed to get creds for realm(%s): %s\n", - ads->server.realm, nt_errstr(ntstatus)); - DBG_WARNING("Search for %s in <%s> failed: %s\n", - expr, bp, ads_errstr(status)); - SAFE_FREE(bp); -+ TALLOC_FREE(frame); - return status; - } - -@@ -151,11 +154,11 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind - * callers depend on it being around. - */ - ads_disconnect(ads); -- TALLOC_FREE(creds); -+ TALLOC_FREE(frame); - SAFE_FREE(bp); - return status; - } -- TALLOC_FREE(creds); -+ TALLOC_FREE(frame); - - *res = NULL; - --- -2.53.0 - - -From 2bdf2b96a818a64d7c420f0fb675530959602188 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Mon, 26 Jan 2026 13:36:02 +0100 -Subject: [PATCH 17/59] s3:rpc_client: Fix memory leak opening local named pipe - -If no local server name was passed to rpc_pipe_open_local_np() then -get_myname() was called with NULL talloc context instead of the -current stackframe. - -This was causing an increase of memory usage on busy servers with long-living -rpcd_* workers. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Noel Power -Reviewed-by: Volker Lendecke - -Autobuild-User(master): Volker Lendecke -Autobuild-Date(master): Tue Jan 27 10:13:40 UTC 2026 on atb-devel-224 - -(cherry picked from commit 24dc455362fb49ef81c99d95880e106a234ce29a) ---- - source3/rpc_client/cli_pipe.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 23adbbc62fa..91afccd7fb2 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -3624,7 +3624,7 @@ NTSTATUS rpc_pipe_open_local_np( - } - - if (local_server_name == NULL) { -- local_server_name = get_myname(result); -+ local_server_name = get_myname(frame); - } - - if (local_server_addr != NULL) { --- -2.53.0 - - -From 17c104ea4171aa002df0e7f69e61312898c7fad5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 4 Apr 2025 10:27:50 +0200 -Subject: [PATCH 18/59] lib:cmdline: Make sure --use-krb5-ccache sets the - ccache - -Pair-Programmed-With: Alexander Bokovoy -Signed-off-by: Alexander Bokovoy -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher ---- - lib/cmdline/cmdline.c | 79 ++++++++++++++++++++++++++++++------------- - 1 file changed, 55 insertions(+), 24 deletions(-) - -diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c -index 161ba8874bf..5902628cc15 100644 ---- a/lib/cmdline/cmdline.c -+++ b/lib/cmdline/cmdline.c -@@ -16,6 +16,7 @@ - */ - - #include "includes.h" -+#include "auth/credentials/credentials.h" - #include "lib/param/param.h" - #include "dynconfig/dynconfig.h" - #include "auth/gensec/gensec.h" -@@ -930,6 +931,7 @@ static struct poptOption popt_common_connection[] = { - - static bool skip_password_callback; - static bool machine_account_pending; -+static char *krb5_ccache = NULL; - - static void popt_common_credentials_callback(poptContext popt_ctx, - enum poptCallbackReason reason, -@@ -1004,6 +1006,31 @@ static void popt_common_credentials_callback(poptContext popt_ctx, - CRED_SPECIFIED); - } - -+ /* -+ * If --use-krb5-ccache was passed on the command line we need -+ * to overwrite the values set by cli_credentials_guess(). -+ */ -+ if (krb5_ccache != NULL) { -+ const char *error_string = NULL; -+ int rc; -+ -+ rc = cli_credentials_set_ccache(creds, -+ lp_ctx, -+ krb5_ccache, -+ CRED_SPECIFIED, -+ &error_string); -+ SAFE_FREE(krb5_ccache); -+ if (rc != 0) { -+ fprintf(stderr, -+ "Error setting krb5 credentials cache: " -+ "'%s'" -+ " - %s\n", -+ krb5_ccache, -+ error_string); -+ exit(1); -+ } -+ } -+ - if (cli_credentials_get_kerberos_state(creds) == - CRED_USE_KERBEROS_REQUIRED) - { -@@ -1023,10 +1050,10 @@ static void popt_common_credentials_callback(poptContext popt_ctx, - skip_password_callback = true; - } - } -- if (!skip_password_callback) { -- (void)cli_credentials_get_password_and_obtained(creds, -- &password_obtained); -- } -+ -+ (void)cli_credentials_get_password_and_obtained( -+ creds, &password_obtained); -+ - if (!skip_password_callback && - password_obtained < CRED_CALLBACK) { - ok = cli_credentials_set_cmdline_callbacks(creds); -@@ -1038,6 +1065,15 @@ static void popt_common_credentials_callback(poptContext popt_ctx, - } - } - -+ /* -+ * If the user specified a password on the command line always -+ * do a kinit! -+ */ -+ if (password_obtained == CRED_SPECIFIED) { -+ cli_credentials_invalidate_ccache(creds, -+ CRED_SPECIFIED); -+ } -+ - return; - } - -@@ -1138,9 +1174,6 @@ static void popt_common_credentials_callback(poptContext popt_ctx, - break; - } - case OPT_USE_KERBEROS_CCACHE: { -- const char *error_string = NULL; -- int rc; -- - if (arg == NULL) { - fprintf(stderr, - "Failed to parse --use-krb5-ccache=CCACHE: " -@@ -1148,26 +1181,24 @@ static void popt_common_credentials_callback(poptContext popt_ctx, - exit(1); - } - -- ok = cli_credentials_set_kerberos_state(creds, -- CRED_USE_KERBEROS_REQUIRED, -- CRED_SPECIFIED); -- if (!ok) { -- fprintf(stderr, -- "Failed to set Kerberos state to %s!\n", arg); -- exit(1); -+ /* -+ * Remember the value and handle it in -+ * POPT_CALLBACK_REASON_POST. -+ */ -+ if (arg[0] != '\0') { -+ krb5_ccache = strdup(arg); -+ if (krb5_ccache == NULL) { -+ fprintf(stderr, "Failed allocate memory\n"); -+ exit(1); -+ } - } - -- rc = cli_credentials_set_ccache(creds, -- lp_ctx, -- arg, -- CRED_SPECIFIED, -- &error_string); -- if (rc != 0) { -+ ok = cli_credentials_set_kerberos_state( -+ creds, CRED_USE_KERBEROS_REQUIRED, CRED_SPECIFIED); -+ if (!ok) { - fprintf(stderr, -- "Error reading krb5 credentials cache: '%s'" -- " - %s\n", -- arg, -- error_string); -+ "Failed to set Kerberos state to %s!\n", -+ arg); - exit(1); - } - --- -2.53.0 - - -From d36e10471ddbd2175da53c046e3e62b9cdb576fd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 11 Apr 2025 10:56:43 +0200 -Subject: [PATCH 19/59] lib:cmdline: POPT_CALLBACK_REASON_POST should handle if - we skip the password callback - -It is already checking if there is a valid ccache and disabling the callback. -In case of IAKerb we specify a ccache but might to fill one with a krbtgt. - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -Reviewed-by: Alexander Bokovoy - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Apr 15 12:54:57 UTC 2025 on atb-devel-224 ---- - lib/cmdline/cmdline.c | 5 ++++- - testprogs/blackbox/test_client_kerberos.sh | 2 +- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c -index 5902628cc15..e434d65a2ef 100644 ---- a/lib/cmdline/cmdline.c -+++ b/lib/cmdline/cmdline.c -@@ -1202,7 +1202,10 @@ static void popt_common_credentials_callback(poptContext popt_ctx, - exit(1); - } - -- skip_password_callback = true; -+ /* -+ * The password callback will be skipped, if we have a valid -+ * ccache. This is handled in POPT_CALLBACK_REASON_POST. -+ */ - break; - } - case OPT_USE_WINBIND_CCACHE: -diff --git a/testprogs/blackbox/test_client_kerberos.sh b/testprogs/blackbox/test_client_kerberos.sh -index 54554ea3290..395b5bc989a 100755 ---- a/testprogs/blackbox/test_client_kerberos.sh -+++ b/testprogs/blackbox/test_client_kerberos.sh -@@ -147,7 +147,7 @@ testit "test rpcclient kerberos" \ - failed=$(expr $failed + 1) - - cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1' --testit_expect_failure "test rpcclient kerberos interactive (negative test)" \ -+testit "test rpcclient kerberos interactive" \ - test_rpc_getusername || - failed=$(expr $failed + 1) - --- -2.53.0 - - -From c4369a82dffbc550b8740fca70aba57bc46400d4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 25 Apr 2025 11:30:14 +0200 -Subject: [PATCH 20/59] auth:creds: Make sure when parsing username that realm - is uppercase - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - auth/credentials/credentials.c | 7 +++++++ - auth/credentials/tests/test_creds.c | 2 +- - python/samba/tests/credentials.py | 4 ++-- - 3 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c -index a88a458f82b..c31470a81d2 100644 ---- a/auth/credentials/credentials.c -+++ b/auth/credentials/credentials.c -@@ -1030,6 +1030,8 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, - } - - if ((p = strchr_m(uname,'@'))) { -+ char *x = NULL; -+ - /* - * We also need to set username and domain - * in order to undo the effect of -@@ -1038,6 +1040,11 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, - cli_credentials_set_username(credentials, uname, obtained); - cli_credentials_set_domain(credentials, "", obtained); - -+ /* Make sure the realm is uppercase */ -+ for (x = p + 1; x[0] != '\0'; x++) { -+ *x = toupper_m(*x); -+ } -+ - cli_credentials_set_principal(credentials, uname, obtained); - *p = 0; - cli_credentials_set_realm(credentials, p+1, obtained); -diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c -index fa8755e0a40..4abb7e4b90c 100644 ---- a/auth/credentials/tests/test_creds.c -+++ b/auth/credentials/tests/test_creds.c -@@ -219,7 +219,7 @@ static void torture_creds_parse_string(void **state) - usr_obtained = cli_credentials_get_username_obtained(creds); - assert_int_equal(usr_obtained, CRED_SPECIFIED); - -- assert_string_equal(creds->principal, "wurst@brot.realm"); -+ assert_string_equal(creds->principal, "wurst@BROT.REALM"); - princ_obtained = cli_credentials_get_principal_obtained(creds); - assert_int_equal(princ_obtained, CRED_SPECIFIED); - -diff --git a/python/samba/tests/credentials.py b/python/samba/tests/credentials.py -index f9781f8ba03..bc132681c48 100644 ---- a/python/samba/tests/credentials.py -+++ b/python/samba/tests/credentials.py -@@ -403,7 +403,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir): - self.assertEqual(creds.get_username(), "user@samba.org") - self.assertEqual(creds.get_domain(), "") - self.assertEqual(creds.get_realm(), "SAMBA.ORG") -- self.assertEqual(creds.get_principal(), "user@samba.org") -+ self.assertEqual(creds.get_principal(), "user@SAMBA.ORG") - self.assertEqual(creds.is_anonymous(), False) - self.assertEqual(creds.authentication_requested(), True) - -@@ -445,7 +445,7 @@ class CredentialsTests(samba.tests.TestCaseInTempDir): - self.assertEqual(creds.get_domain(), "") - self.assertEqual(creds.get_password(), "pass") - self.assertEqual(creds.get_realm(), "SAMBA.ORG") -- self.assertEqual(creds.get_principal(), "user@samba.org") -+ self.assertEqual(creds.get_principal(), "user@SAMBA.ORG") - self.assertEqual(creds.is_anonymous(), False) - self.assertEqual(creds.authentication_requested(), True) - --- -2.53.0 - - -From 0673310878659d01fb250243c427d36b6cda105c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 4 Apr 2025 13:32:41 +0200 -Subject: [PATCH 21/59] auth:creds: Always store the ccache name - -This will allow us to specify the cache as one to fill with credentials. - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - auth/credentials/credentials_internal.h | 1 + - auth/credentials/credentials_krb5.c | 8 ++++++++ - 2 files changed, 9 insertions(+) - -diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h -index cda361e1dd0..72ec390ad7e 100644 ---- a/auth/credentials/credentials_internal.h -+++ b/auth/credentials/credentials_internal.h -@@ -74,6 +74,7 @@ struct cli_credentials { - DATA_BLOB nt_response; - DATA_BLOB nt_session_key; - -+ const char *ccache_name; - struct ccache_container *ccache; - struct gssapi_creds_container *client_gss_creds; - struct keytab_container *keytab; -diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c -index ce76b10361d..7d8b744b3e2 100644 ---- a/auth/credentials/credentials_krb5.c -+++ b/auth/credentials/credentials_krb5.c -@@ -293,6 +293,14 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred, - return 0; - } - -+ if (name != NULL) { -+ cred->ccache_name = talloc_strdup(cred, name); -+ if (cred->ccache_name == NULL) { -+ (*error_string) = error_message(ENOMEM); -+ return ENOMEM; -+ } -+ } -+ - ccc = talloc(cred, struct ccache_container); - if (!ccc) { - (*error_string) = error_message(ENOMEM); --- -2.53.0 - - -From d1ab591115e1d09e89eb2e960ca989a1f14fe62d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 4 Apr 2025 13:33:19 +0200 -Subject: [PATCH 22/59] auth:creds: Add cli_credentials_get_out_ccache_name() - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - auth/credentials/credentials.h | 1 + - auth/credentials/credentials_krb5.c | 5 +++++ - 2 files changed, 6 insertions(+) - -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h -index cae6a94b450..9f945726440 100644 ---- a/auth/credentials/credentials.h -+++ b/auth/credentials/credentials.h -@@ -262,6 +262,7 @@ int cli_credentials_set_ccache(struct cli_credentials *cred, - const char *name, - enum credentials_obtained obtained, - const char **error_string); -+const char *cli_credentials_get_out_ccache_name(struct cli_credentials *cred); - bool cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained); - bool cli_credentials_parse_password_fd(struct cli_credentials *credentials, - int fd, enum credentials_obtained obtained); -diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c -index 7d8b744b3e2..6c61eca7b4b 100644 ---- a/auth/credentials/credentials_krb5.c -+++ b/auth/credentials/credentials_krb5.c -@@ -280,6 +280,11 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, - return 0; - } - -+_PUBLIC_ const char *cli_credentials_get_out_ccache_name(struct cli_credentials *cred) -+{ -+ return cred->ccache_name; -+} -+ - _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred, - struct loadparm_context *lp_ctx, - const char *name, --- -2.53.0 - - -From 843a279c4fd93bf312ab242f7dc9569e65ffdcd5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 4 Apr 2025 13:37:21 +0200 -Subject: [PATCH 23/59] librpc:gse: Implement storing tickets into an emtpy - ccache - -smbclient //server/share --krb5-use-ccache=/tmp/foo - -Will write the ticket to the specified ccache. - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - source3/librpc/crypto/gse.c | 65 ++++++++++++++++++++++++++++++ - wscript_configure_embedded_heimdal | 1 + - wscript_configure_system_heimdal | 9 +++++ - wscript_configure_system_mitkrb5 | 7 ++++ - 4 files changed, 82 insertions(+) - -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index e6f96d2464e..d29122c9ce6 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -632,6 +632,71 @@ init_sec_context_done: - goto done; - } - -+ /* -+ * In case we have a ccache specified on the command line we probably -+ * want to use it to store credentials we got it. -+ */ -+#ifdef HAVE_GSS_KEY_VALUE_SET_DESC -+ if (NT_STATUS_IS_OK(status)) { -+ struct cli_credentials *creds = gensec_get_credentials( -+ gensec_security); -+ bool ccache_valid = false; -+ enum credentials_obtained ccache_obtained = CRED_UNINITIALISED; -+ -+ ccache_valid = cli_credentials_get_ccache_name_obtained( -+ creds, gse_ctx, NULL, &ccache_obtained); -+ /* -+ * In case we don't have a valid ccache yet, try to create it if -+ * one has been specified. -+ */ -+ if (!ccache_valid) { -+ gss_key_value_set_desc store; -+ const char *ccache_name = -+ cli_credentials_get_out_ccache_name(creds); -+ -+ if (ccache_name == NULL) { -+ goto done; -+ } -+ -+ store.elements = talloc_zero_array( -+ mem_ctx, -+ struct gss_key_value_element_struct, -+ 1); -+ if (store.elements == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto done; -+ } -+ -+ store.count = 1; -+ store.elements[0] = -+ (struct gss_key_value_element_struct){ -+ .key = "ccache", -+ .value = ccache_name, -+ }; -+ -+ /* -+ * We attempt to store the cred into the ccache. It -+ * might fail but we don't need to act on it for the -+ * purpose of the authentication. -+ */ -+ gss_maj = gss_store_cred_into(&gss_min, -+ gse_ctx->creds, -+ GSS_C_INITIATE, -+ GSS_C_NO_OID, -+ /* overwrite_cred = */ 1, -+ /* default_cred = */ 1, -+ &store, -+ NULL, -+ NULL); -+ if (gss_maj != 0) { -+ DBG_ERR("Failed to store Kerberos credentials " -+ "into ccache: %s\n", -+ ccache_name); -+ } -+ } -+ } -+#endif /* HAVE_GSS_KEY_VALUE_SET_DESC */ -+ - /* we may be told to return nothing */ - if (out_data.length) { - blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length); -diff --git a/wscript_configure_embedded_heimdal b/wscript_configure_embedded_heimdal -index c1488e5506e..325b1b11d4b 100644 ---- a/wscript_configure_embedded_heimdal -+++ b/wscript_configure_embedded_heimdal -@@ -15,3 +15,4 @@ conf.RECURSE('third_party/heimdal_build') - conf.define('HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG', 1) - - conf.define('HAVE_KRB5_INIT_CREDS_STEP', 1) -+conf.define('HAVE_GSS_KEY_VALUE_SET_DESC', 1) -diff --git a/wscript_configure_system_heimdal b/wscript_configure_system_heimdal -index c320a76ea17..6256bbac4e6 100644 ---- a/wscript_configure_system_heimdal -+++ b/wscript_configure_system_heimdal -@@ -66,3 +66,12 @@ conf.CHECK_FUNCS(''' - ''', - lib='krb5', - headers='krb5.h') -+ -+# gss_key_value_set_desc is not part of system heimdal in the build image. Maybe -+# the distro we use is too old. -+conf.CHECK_CODE( -+ "gss_key_value_set_desc", -+ "HAVE_GSS_KEY_VALUE_SET_DESC", -+ headers="gssapi/gssapi.h", -+ lib="gssapi", -+) -diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 -index 58b9fb802d0..87cd6e9a1b8 100644 ---- a/wscript_configure_system_mitkrb5 -+++ b/wscript_configure_system_mitkrb5 -@@ -344,6 +344,13 @@ conf.CHECK_CODE(''' - headers='krb5.h', lib='krb5', execute=False, - msg="Checking whether krb5_creds have flags property") - -+conf.CHECK_CODE( -+ "gss_key_value_set_desc", -+ "HAVE_GSS_KEY_VALUE_SET_DESC", -+ headers="gssapi/gssapi_ext.h", -+ lib="gssapi", -+) -+ - # Check for MIT KDC - if conf.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): - Logs.info("Looking for MIT KDC") --- -2.53.0 - - -From cc930a27882a5ad2878ceb5dfd7eac2f164c98b1 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 25 Apr 2025 17:32:16 +0200 -Subject: [PATCH 24/59] lib:cmdline: Check if we have a valid default ccache - -If you don't specify anything, and we have a valid ccache then try to -use it! - -> smbclient -L //samba1.earth.milkyway.site -Anonymous login successful - - Sharename Type Comment - --------- ---- ------- - print$ Disk Printer Drivers - IPC$ IPC IPC Service (Samba 4.22.1) -SMB1 disabled -- no workgroup available - -In case the user specifies a principal, it will ask for a password: - -> bin/smbclient -L //samba1.earth.milkyway.site -Ualice1@EARTH.MILKYWAY.SITE -Password for [alice1@EARTH.MILKYWAY.SITE]: - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - lib/cmdline/cmdline.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c -index e434d65a2ef..f96ca88f95b 100644 ---- a/lib/cmdline/cmdline.c -+++ b/lib/cmdline/cmdline.c -@@ -1031,8 +1031,8 @@ static void popt_common_credentials_callback(poptContext popt_ctx, - } - } - -- if (cli_credentials_get_kerberos_state(creds) == -- CRED_USE_KERBEROS_REQUIRED) -+ if (cli_credentials_get_kerberos_state(creds) != -+ CRED_USE_KERBEROS_DISABLED) - { - enum credentials_obtained ccache_obtained = - CRED_UNINITIALISED; --- -2.53.0 - - -From 5bb7e14a4e23626383467f25b34f5d4d1b01ab91 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 5 Aug 2025 09:15:43 +0200 -Subject: [PATCH 25/59] docs-xml: Update documentation for --use-kerberos and - --use-krb5-ccache - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Aug 5 11:49:35 UTC 2025 on atb-devel-224 ---- - docs-xml/build/DTD/samba.entities | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities -index cefddacd9b7..65d597ae8ff 100644 ---- a/docs-xml/build/DTD/samba.entities -+++ b/docs-xml/build/DTD/samba.entities -@@ -764,10 +764,19 @@ - --use-kerberos=desired|required|off - - -- This parameter determines whether Samba client tools -- will try to authenticate using Kerberos. For Kerberos -- authentication you need to use dns names instead of IP -- addresses when connecting to a service. -+ This parameter determines whether Samba client tools -+ will try to authenticate using Kerberos. For Kerberos -+ authentication you should use DNS names instead of IP -+ addresses when connecting to a service. -+ -+ By default Samba client tools will try to use the -+ default Kerberos credential cache (ccache). -+ In case the ccache does not exist or -U|--user option -+ was specified, clients will ask to enter a password and -+ will obtain a Kerberos ticket (kinit) for you. -+ -+ If you want to use an alternative Kerberos credentical -+ cache, use the --use-krb5-ccache option. - - - -@@ -789,7 +798,7 @@ - - - -- This will set --use-kerberos=required too. -+ This will enforce --use-kerberos=required. - - - --- -2.53.0 - - -From b5cf950c9bdca697bdba6dfbceccabcb18a62a49 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 2 Dec 2025 17:17:33 +0100 -Subject: [PATCH 26/59] s3-selftest: mention in-memory ccache usage when - nothing is provided - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider ---- - source3/script/tests/test_net_ads_kerberos.sh | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh -index 8a3c9ef2bc7..92d3996d078 100755 ---- a/source3/script/tests/test_net_ads_kerberos.sh -+++ b/source3/script/tests/test_net_ads_kerberos.sh -@@ -30,6 +30,7 @@ KRB5CCNAME="FILE:$KRB5CCNAME_PATH" - ## Test "net ads kerberos kinit" variants - ################################################# - -+#simply uses in memory ccache - testit "net_ads_kerberos_kinit" \ - "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ - -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ -@@ -50,6 +51,7 @@ rm -f "$KRB5CCNAME_PATH" - # --use-krb5-ccache=${KRB5CCNAME} \ - # || failed=$((failed + 1)) - -+#simply uses in memory ccache - testit "net_ads_kerberos_kinit (-P)" \ - "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ - -P "$ADDARGS" \ --- -2.53.0 - - -From 62f84f324a6c2d999f564f2d2d29ab6937ec65eb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 2 Dec 2025 17:18:41 +0100 -Subject: [PATCH 27/59] s3-selftest: verify KRB5CCNAME presence after kinit - using klist - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider ---- - source3/script/tests/test_net_ads_kerberos.sh | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh -index 92d3996d078..c53520cf733 100755 ---- a/source3/script/tests/test_net_ads_kerberos.sh -+++ b/source3/script/tests/test_net_ads_kerberos.sh -@@ -14,6 +14,12 @@ PREFIX="$4" - shift 4 - ADDARGS="$*" - -+if [ -x $(which klist) ]; then -+ KLIST=$(which klist); -+else -+ KLIST="test -e"; -+fi -+ - incdir=$(dirname "$0")/../../../testprogs/blackbox - . "$incdir"/subunit.sh - -@@ -41,6 +47,9 @@ testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \ - "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ - -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ - || failed=$((failed + 1)) -+testit "klist env $KRB5CCNAME" \ -+ "$KLIST" "$KRB5CCNAME" \ -+ || failed=$((failed +1)) - unset KRB5CCNAME - rm -f "$KRB5CCNAME_PATH" - -@@ -62,6 +71,9 @@ testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \ - "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ - -P "$ADDARGS" \ - || failed=$((failed + 1)) -+testit "klist env $KRB5CCNAME" \ -+ "$KLIST" "$KRB5CCNAME" \ -+ || failed=$((failed +1)) - unset KRB5CCNAME - rm -f "$KRB5CCNAME_PATH" - --- -2.53.0 - - -From dbddccedd00a71f75b2af6eee39519503f46dba0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 2 Dec 2025 17:01:31 +0100 -Subject: [PATCH 28/59] s3-selftest: Activate "net ads kerberos kinit" tests - with --use-krb5-ccache - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider ---- - selftest/knownfail | 2 ++ - source3/script/tests/test_net_ads_kerberos.sh | 30 +++++++++++-------- - 2 files changed, 20 insertions(+), 12 deletions(-) - -diff --git a/selftest/knownfail b/selftest/knownfail -index ab2d79d7114..76f1dae605d 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -338,3 +338,5 @@ - - # We currently don't send referrals for LDAP modify of non-replicated attrs - ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* -+ -+^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.* -diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh -index c53520cf733..b7933bab6a6 100755 ---- a/source3/script/tests/test_net_ads_kerberos.sh -+++ b/source3/script/tests/test_net_ads_kerberos.sh -@@ -53,12 +53,15 @@ testit "klist env $KRB5CCNAME" \ - unset KRB5CCNAME - rm -f "$KRB5CCNAME_PATH" - --# --use-krb5-ccache is not working --#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \ --# $VALGRIND $BINDIR/net ads kerberos kinit \ --# -U$USERNAME%$PASSWORD $ADDARGS \ --# --use-krb5-ccache=${KRB5CCNAME} \ --# || failed=$((failed + 1)) -+testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \ -+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ -+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ -+ --use-krb5-ccache="${KRB5CCNAME_PATH}" \ -+ || failed=$((failed + 1)) -+testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \ -+ "$KLIST" "$KRB5CCNAME_PATH" \ -+ || failed=$((failed +1)) -+rm -f "$KRB5CCNAME_PATH" - - #simply uses in memory ccache - testit "net_ads_kerberos_kinit (-P)" \ -@@ -77,12 +80,15 @@ testit "klist env $KRB5CCNAME" \ - unset KRB5CCNAME - rm -f "$KRB5CCNAME_PATH" - --# --use-krb5-ccache is not working --#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \ --# $VALGRIND $BINDIR/net ads kerberos kinit \ --# -P $ADDARGS \ --# --use-krb5-ccache=${KRB5CCNAME} \ --# || failed=$((failed + 1)) -+testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \ -+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ -+ -P "$ADDARGS" \ -+ --use-krb5-ccache="${KRB5CCNAME_PATH}" \ -+ || failed=$((failed + 1)) -+testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \ -+ "$KLIST" "$KRB5CCNAME_PATH" \ -+ || failed=$((failed +1)) -+rm -f "$KRB5CCNAME_PATH" - - - ################################################# --- -2.53.0 - - -From 106053bd124c95ebf24f164e774b512c7cf52557 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 2 Dec 2025 16:56:44 +0100 -Subject: [PATCH 29/59] s3-net: properly setup krb5 ccache name via - --use-krb5-ccache - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider ---- - selftest/knownfail | 2 -- - source3/utils/net.c | 19 ++++++++++++------- - source3/utils/net_ads.c | 4 ++++ - 3 files changed, 16 insertions(+), 9 deletions(-) - -diff --git a/selftest/knownfail b/selftest/knownfail -index 76f1dae605d..ab2d79d7114 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -338,5 +338,3 @@ - - # We currently don't send referrals for LDAP modify of non-replicated attrs - ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* -- --^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.* -diff --git a/source3/utils/net.c b/source3/utils/net.c -index ecabd980d0c..271c96cf804 100644 ---- a/source3/utils/net.c -+++ b/source3/utils/net.c -@@ -1396,7 +1396,7 @@ static struct functable net_func[] = { - cli_credentials_get_principal_obtained(c->creds); - enum credentials_obtained password_obtained = - cli_credentials_get_password_obtained(c->creds); -- char *krb5ccname = NULL; -+ const char *krb5ccname = NULL; - - if (principal_obtained == CRED_SPECIFIED) { - c->explicit_credentials = true; -@@ -1415,15 +1415,20 @@ static struct functable net_func[] = { - } - - /* cli_credentials_get_ccache_name_obtained() would not work -- * here, we also cannot get the content of --use-krb5-ccache= so -- * for now at least honour the KRB5CCNAME environment variable -- * to get 'net ads kerberos' functions to work at all - gd */ -- -- krb5ccname = getenv("KRB5CCNAME"); -- if (krb5ccname == NULL) { -+ * here but we can now access the content of the -+ * --use-krb5-ccache option via cli credentials. Fallback to -+ * KRB5CCNAME environment variable to get 'net ads kerberos' -+ * functions to work at all - gd */ -+ -+ krb5ccname = cli_credentials_get_out_ccache_name(c->creds); -+ if (krb5ccname == NULL || krb5ccname[0] == '\0') { -+ krb5ccname = getenv("KRB5CCNAME"); -+ } -+ if (krb5ccname == NULL || krb5ccname[0] == '\0') { - krb5ccname = talloc_strdup(c, "MEMORY:net"); - } - if (krb5ccname == NULL) { -+ DBG_ERR("Not able to setup krb5 ccache"); - exit(1); - } - c->opt_krb5_ccache = krb5ccname; -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 753b957e43f..2dc7de37e43 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -3283,7 +3283,11 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** - if (ret) { - d_printf(_("failed to kinit password: %s\n"), - nt_errstr(status)); -+ return ret; - } -+ -+ d_printf("Stored Kerberos TGT in: %s\n", c->opt_krb5_ccache); -+ - return ret; - } - --- -2.53.0 - - -From 3d9d2a73fa16661a4908dd89a65c24b497e38f00 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Sat, 13 Dec 2025 13:49:37 +0100 -Subject: [PATCH 30/59] doc-xml: Document "net ads kerberos" commands -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Günther Deschner -Autobuild-Date(master): Mon Jan 5 15:49:04 UTC 2026 on atb-devel-224 ---- - docs-xml/manpages/net.8.xml | 139 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 139 insertions(+) - -diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml -index 05191236ecc..3f276236e1e 100644 ---- a/docs-xml/manpages/net.8.xml -+++ b/docs-xml/manpages/net.8.xml -@@ -1801,7 +1801,146 @@ the following entry types; - - - -+ -+ ADS KERBEROS -+ -+ -+ Issue Kerberos operations against an Active Directory KDC. -+ -+ -+ -+ -+ -+ ADS KERBEROS KINIT -+ -+ -+ Issue a kinit request for a given user. When no other options are -+ defined the ticket granting ticket (TGT) will be stored in a memory cache. -+ -+ -+ -+ To store the TGT in a different location either use the -+ option or set the -+ KRB5CCNAME environment variable. -+ -+ -+Example: net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache -+ -+ -+ -+ -+ ADS KERBEROS RENEW -+ -+ -+ Renew an already acquired ticket granting ticket (TGT). -+ -+ -+Example: net ads kerberos renew -+ -+ -+ -+ -+ ADS KERBEROS PAC -+ -+ -+ Request a Kerberos PAC while authenticating to an Active Directory KDC. -+ -+ -+ -+ The following commands are provided: -+ -+ -+ -+net ads kerberos pac dump - Dump a PAC to stdout. -+net ads kerneros pac save - Save a PAC to a file. -+ -+ -+ -+ All commands allow to define an impersonation principal to do a Kerberos -+ Service for User (S4U2SELF) operation via -+ the impersonate=STRING option. -+ The impersonation principal can have multiple different formats: -+ -+ -+ -+ -+ user@MY.REALM -+ This is the default format. -+ -+ -+ user@MY.REALM@MY.REALM -+ The Kerberos Service for User (S4U2SELF) also supports -+ Enterprise Principals. -+ -+ -+ user@UPN.SUFFIX@MY.REALM -+ Enterprise Principal using a defined upn suffix. -+ -+ -+ user@WORKGROUP@MY.REALM -+ Enterprise Principal with netbios domain name. -+ This format is currently not supported by Samba AD. -+ -+ - -+ -+ By default net will request a service ticket for the local service -+ of the joined machine. A different service can be defined via -+ local_service=STRING. -+ -+ -+ -+ -+ ADS KERBEROS PAC DUMP [impersonate=string] [local_service=string] [pac_buffer_type=int] -+ -+ -+ Request a Kerberos PAC while authenticating to an Active Directory KDC. -+ The PAC will be printed on stdout. -+ -+ -+ -+ When no specific pac_buffer is selected, all buffers will be printed. -+ It is possible to select a specific one via -+ pac_buffer_type=INT from this list: -+ -+ -+ -+1 PAC_TYPE_LOGON_INFO -+2 PAC_TYPE_CREDENTIAL_INFO -+6 PAC_TYPE_SRV_CHECKSUM -+7 PAC_TYPE_KDC_CHECKSUM -+10 PAC_TYPE_LOGON_NAME -+11 PAC_TYPE_CONSTRAINED_DELEGATION -+12 PAC_TYPE_UPN_DNS_INFO -+13 PAC_TYPE_CLIENT_CLAIMS_INFO -+14 PAC_TYPE_DEVICE_INFO -+15 PAC_TYPE_DEVICE_CLAIMS_INFO -+16 PAC_TYPE_TICKET_CHECKSUM -+17 PAC_TYPE_ATTRIBUTES_INFO -+18 PAC_TYPE_REQUESTER_SID -+19 PAC_TYPE_FULL_CHECKSUM -+ -+ -+Example: net ads kerberos pac dump -P impersonate=anyuser@MY.REALM.COM -+ -+ -+ -+ -+ ADS KERBEROS PAC SAVE [impersonate=string] [local_service=string] [filename=string] -+ -+ -+ Request a Kerberos PAC while authenticating to an Active Directory KDC. -+ The PAC will be saved in a file. -+ -+ -+ -+ The filename to store the PAC can be set via the -+ filename=STRING option. -+ -+ -+Example: net ads kerberos pac save -U user%password filename=/tmp/pacstore -+ -+ - - SAM CREATEBUILTINGROUP <NAME> - --- -2.53.0 - - -From 4968f9680faa37a4814b30fc17f9dd85ca4e842e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 3 Feb 2026 12:53:10 +0100 -Subject: [PATCH 31/59] s3:utils: 'net ads kerberos kinit' should use also - default ccache name from krb5.conf -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is re-introducing the behavior from samba-4.20 where both these -commands operated on the same ccache (default_ccache_name in -[libdefaults] section of krb5.conf) - - 'net ads kerberos kinit -P' - 'klist' - - With samba-4.21 it no longer works, 'net ads kerberos kinit -P' - fallbacks to 'MEMORY:net' (which is of a very limited use, ticket - cannot be used by other process) and klist finds no ticket. - - The order is changed from: - - --use-krb5-ccache - env "KRB5CCNAME" - "MEMORY:net" - -to ("MEMORY:net" is removed): - - --use-krb5-ccache - env "KRB5CCNAME" - default_ccache_name - -'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials. - -Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name() -because of commit: -1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider -(cherry picked from commit 4cc6a13590434f6a3aa1add663728188970d727e) ---- - source3/utils/net.c | 36 ++++++++++++++++++++++++++---------- - 1 file changed, 26 insertions(+), 10 deletions(-) - -diff --git a/source3/utils/net.c b/source3/utils/net.c -index 271c96cf804..0ce03f8213d 100644 ---- a/source3/utils/net.c -+++ b/source3/utils/net.c -@@ -54,6 +54,7 @@ - #include "source3/utils/passwd_proto.h" - #include "auth/gensec/gensec.h" - #include "lib/param/param.h" -+#include "lib/krb5_wrap/krb5_samba.h" - - #ifdef WITH_FAKE_KASERVER - #include "utils/net_afs.h" -@@ -1414,18 +1415,33 @@ static struct functable net_func[] = { - CRED_SPECIFIED); - } - -- /* cli_credentials_get_ccache_name_obtained() would not work -- * here but we can now access the content of the -- * --use-krb5-ccache option via cli credentials. Fallback to -- * KRB5CCNAME environment variable to get 'net ads kerberos' -- * functions to work at all - gd */ -- -+ /* -+ * Priority order for krb5 credential cache name -+ * -+ * via cli_credentials_get_out_ccache_name() : -+ * -+ * 1. '--use-krb5-ccache' option -+ * -+ * via krb5_cc_default_name() : -+ * -+ * 2. KRB5CCNAME environment variable -+ * 3. default_ccache_name in [libdefaults] section of krb5.conf -+ * 4. ...more - krb5_cc_default_name() always returns something -+ * - see documentation -+ */ - krb5ccname = cli_credentials_get_out_ccache_name(c->creds); - if (krb5ccname == NULL || krb5ccname[0] == '\0') { -- krb5ccname = getenv("KRB5CCNAME"); -- } -- if (krb5ccname == NULL || krb5ccname[0] == '\0') { -- krb5ccname = talloc_strdup(c, "MEMORY:net"); -+ krb5_context ct = NULL; -+ krb5_error_code ret = smb_krb5_init_context_common(&ct); -+ -+ if (ret == 0) { -+ krb5ccname = smb_force_krb5_cc_default_name(ct); -+ if (krb5ccname != NULL) { -+ krb5ccname = talloc_strdup(c, -+ krb5ccname); -+ } -+ krb5_free_context(ct); -+ } - } - if (krb5ccname == NULL) { - DBG_ERR("Not able to setup krb5 ccache"); --- -2.53.0 - - -From 1094773e980bded36d2e3993e61fb1a8236c4ab2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Thu, 5 Feb 2026 16:04:25 +0100 -Subject: [PATCH 32/59] manpages: Update NET ADS KERBEROS KINIT manpage -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Pavel Filipensky -Autobuild-Date(master): Thu Feb 5 21:11:13 UTC 2026 on atb-devel-224 - -(cherry picked from commit 9d083a28fe45afd8f82441c6e24255e4c64c113b) ---- - docs-xml/manpages/net.8.xml | 36 ++++++++++++++++++++++++++++-------- - 1 file changed, 28 insertions(+), 8 deletions(-) - -diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml -index 3f276236e1e..4e149394df3 100644 ---- a/docs-xml/manpages/net.8.xml -+++ b/docs-xml/manpages/net.8.xml -@@ -1814,17 +1814,37 @@ the following entry types; - ADS KERBEROS KINIT - - -- Issue a kinit request for a given user. When no other options are -- defined the ticket granting ticket (TGT) will be stored in a memory cache. -+ Issue a kinit request for a given user. The following methods can be used -+ to specify where to store the ticket granting ticket (TGT) (in order of -+ precedence): - - -- -- To store the TGT in a different location either use the -- option or set the -- KRB5CCNAME environment variable. -- -+ -+ -+ option -+ -+ -+ KRB5CCNAME environment variable -+ -+ -+ default_ccache_name setting in krb5.conf -+ -+ - --Example: net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache -+Examples: -+ -+Use file based cache (FILE:/tmp/krb5cache) -+ -+net ads kerberos kinit -P --use-krb5-ccache=/tmp/krb5cache -+ -+ -+ -+Use memory cache (MEMORY:net) to verify the authentication -+ -+net ads kerberos kinit -P --use-krb5-ccache=MEMORY:net -+ -+ -+ - - - --- -2.53.0 - - -From 64540e6cc5aba9ac0806dd30485d5c593076771d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 23 Oct 2025 11:00:38 +0200 -Subject: [PATCH 33/59] docs-xml: Improve the samba-bgqd manpage - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15809 - -Signed-off-by: Andreas Schneider -Reviewed-by: Anoop C S - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Fri Nov 14 15:05:11 UTC 2025 on atb-devel-224 - -(cherry picked from commit 9322231f716237abba8627acda62c279c6a90f4f) ---- - docs-xml/manpages/samba-bgqd.8.xml | 37 +++++++++++++++++++++++++----- - 1 file changed, 31 insertions(+), 6 deletions(-) - -diff --git a/docs-xml/manpages/samba-bgqd.8.xml b/docs-xml/manpages/samba-bgqd.8.xml -index ef50a542a9e..9a16a2aaad0 100644 ---- a/docs-xml/manpages/samba-bgqd.8.xml -+++ b/docs-xml/manpages/samba-bgqd.8.xml -@@ -14,28 +14,53 @@ - - samba-bgqd - This is an internal helper program performing -- asynchronous printing-related jobs. -+ asynchronous printing-related tasks - - - - - samba-bgqd -+ -D|--daemon -+ -i|--interactive -+ -F|--foreground -+ --no-process-group -+ -d <debug level> -+ --debug-stdout -+ --configfile=<configuration file> -+ --option=<name>=<value> -+ -l|--log-basename <log directory> -+ --ready-signal-fd <fd> -+ --parent-watch-fd <fd> - - - - - DESCRIPTION - -- This tool is part of the -+ This program is part of the - samba - 7 suite. - -- samba-bgqd is an helper program to be spawned by smbd or -- spoolssd to perform jobs like updating the printer list or -- other management tasks asynchronously on demand. It is not -- intended to be called by users or administrators. -+ samba-bgqd is not intended to be invoked -+ directly by users. -+ -+ Likewise, while samba-bgqd is also not -+ intended to be run manually by system administrators, on systems with a -+ large number of printers configured via CUPS, it is recommended to run -+ samba-bgqd as a systemd service to improve -+ performance and responsiveness of printing operations. - - -+ -+ SEE ALSO -+ -+ -+ smbd -+ 8, and -+ smb.conf -+ 5. -+ -+ - - AUTHOR - --- -2.53.0 - - -From 49d53f23b6051b33810fd0a3e0173f258d6e4383 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 23 Oct 2025 10:49:31 +0200 -Subject: [PATCH 34/59] s3:printing: Load the shares for [printers] in - samba-bgqd - -One of the main functions of bgqd is: - - delete_and_reload_printers_full() - -It isn't able to do its work, if we don't load the shares. Normally bgqd was -forked from smbd and this loaded the shares. But with the introduction of -samba-dcerpcd it is a standalone service now. As a standalone service it is -responsible to load the shares if it needs to work on them. - -The following message is printed if delete_and_reload_printers_full() tries to -do its job: - -[2025/10/23 09:57:27, 7, pid=41935, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:4419(lp_servicenumber) - lp_servicenumber: couldn't find printers -[2025/10/23 09:57:27, 7, pid=41935, effective(0, 0), real(0, 0)] ../../source3/param/loadparm.c:4419(lp_servicenumber) - lp_servicenumber: couldn't find printers - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15936 - -Signed-off-by: Andreas Schneider -Reviewed-by: Anoop C S -(cherry picked from commit 327e60adf2e1e0c040bd32c748fbabc9e4a3593b) ---- - source3/printing/queue_process.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/printing/queue_process.c b/source3/printing/queue_process.c -index 0f95bd736f2..51eafa31572 100644 ---- a/source3/printing/queue_process.c -+++ b/source3/printing/queue_process.c -@@ -265,6 +265,7 @@ static void bq_smb_conf_updated(struct messaging_context *msg_ctx, - DEBUG(10,("smb_conf_updated: Got message saying smb.conf was " - "updated. Reloading.\n")); - change_to_root_user(); -+ lp_load_with_shares(get_dyn_CONFIGFILE()); - pcap_cache_reload(state->ev, msg_ctx, reload_pcap_change_notify); - printing_subsystem_queue_tasks(state); - } -@@ -322,6 +323,8 @@ struct bq_state *register_printing_bq_handlers( - goto fail_free_handlers; - } - -+ /* Load shares, needed for [printers] */ -+ lp_load_with_shares(get_dyn_CONFIGFILE()); - /* Initialize the printcap cache as soon as the daemon starts. */ - pcap_cache_reload(state->ev, state->msg, reload_pcap_change_notify); - --- -2.53.0 - - -From 6dd0f468f75966e64d0340301fbfc4da461492df Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Fri, 13 Feb 2026 11:54:46 +0000 -Subject: [PATCH 35/59] selftest: Update tests to use - --use-kereros=desired|required no creds - -Add tests to call smbclient without passing credentials to -demonstrate failure with --use-kereros=desired - -Also add knownfail - -Signed-off-by: Noel Power -Reviewed-by: Andreas Schneider -(cherry picked from commit a22af9420965083b99b956477d1833000b7f2414) ---- - selftest/knownfail | 2 ++ - source3/script/tests/test_smbclient_kerberos.sh | 12 ++++++++++++ - 2 files changed, 14 insertions(+) - -diff --git a/selftest/knownfail b/selftest/knownfail -index ab2d79d7114..f0a5f7bb935 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -315,6 +315,8 @@ - # ad_member don't support ntlmv1 (not even over SMB1) - ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member - ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member -+# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789 -+samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).* - #nt-vfs server blocks read with execute access - ^samba4.smb2.read.access - #ntvfs server blocks copychunk with execute access on read handle -diff --git a/source3/script/tests/test_smbclient_kerberos.sh b/source3/script/tests/test_smbclient_kerberos.sh -index 31678d17e28..1139efd70d7 100755 ---- a/source3/script/tests/test_smbclient_kerberos.sh -+++ b/source3/script/tests/test_smbclient_kerberos.sh -@@ -73,6 +73,18 @@ test_smbclient "smbclient.smb3.kerberos.desired[//${SERVER}/tmp]" \ - --use-kerberos=desired -U${USERNAME}%${PASSWORD} -mSMB3 || - failed=$(expr $failed + 1) - -+test_smbclient "smbclient.smb3.kerberos.desired (no user/pass) [//${SERVER}/tmp]" \ -+ "ls; quit" //${SERVER}/tmp \ -+ --use-kerberos=desired -mSMB3 || -+ failed=$(expr $failed + 1) -+ -+test_smbclient "smbclient.smb3.kerberos.required (no user/pass) [//${SERVER}/tmp]" \ -+ "ls; quit" //${SERVER}/tmp \ -+ --use-kerberos=required -mSMB3 || -+ failed=$(expr $failed + 1) -+ -+ -+ - $samba_kdestroy - - rm -rf $KRB5CCNAME_PATH --- -2.53.0 - - -From dc40fdde863e95c1ff24e76e4397e55aa257a7cf Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Mon, 19 Jan 2026 15:46:59 +0000 -Subject: [PATCH 36/59] auth/credentials: Fix regression with - --use-kerberos=desired for smbclient - -As part of the gse_krb5 processing the following call chain - -gensec_gse_client_start() - ---> gensec_kerberos_possible() - ---> cli_credentials_authentication_requested() - -gensec_kerberos_possible() will always fail when -cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED - -It seems since use kerberos == desired is the default that it isn't -necessary to see if credentials were modified to indicated authentication -was requested. gensec_kerberos_possible() should afaics return true -if kerberos is desired OR required (regardless of whether credentials -were requested) - -This commit removes the knownfail associated with this bug. - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 -Signed-off-by: -Reviewed-by: Andreas Schneider -(cherry picked from commit 88f42eb222f299189d5f5f8204ae353e63a50970) ---- - auth/gensec/gensec_util.c | 5 ----- - selftest/knownfail | 2 -- - 2 files changed, 7 deletions(-) - -diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c -index 0c7688d33d2..af6d198d48f 100644 ---- a/auth/gensec/gensec_util.c -+++ b/auth/gensec/gensec_util.c -@@ -362,7 +362,6 @@ char *gensec_get_unparsed_target_principal(struct gensec_security *gensec_securi - NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security) - { - struct cli_credentials *creds = gensec_get_credentials(gensec_security); -- bool auth_requested = cli_credentials_authentication_requested(creds); - enum credentials_use_kerberos krb5_state = - cli_credentials_get_kerberos_state(creds); - char *user_principal = NULL; -@@ -370,10 +369,6 @@ NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security) - const char *target_principal = gensec_get_target_principal(gensec_security); - const char *hostname = gensec_get_target_hostname(gensec_security); - -- if (!auth_requested) { -- return NT_STATUS_INVALID_PARAMETER; -- } -- - if (krb5_state == CRED_USE_KERBEROS_DISABLED) { - return NT_STATUS_INVALID_PARAMETER; - } -diff --git a/selftest/knownfail b/selftest/knownfail -index f0a5f7bb935..ab2d79d7114 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -315,8 +315,6 @@ - # ad_member don't support ntlmv1 (not even over SMB1) - ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member - ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member --# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789 --samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).* - #nt-vfs server blocks read with execute access - ^samba4.smb2.read.access - #ntvfs server blocks copychunk with execute access on read handle --- -2.53.0 - - -From 2681e90123b1b2a9efdb55b841f2cd0ae6fed273 Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Mon, 19 Jan 2026 16:10:10 +0000 -Subject: [PATCH 37/59] s3/libsmb: cli_session_creds_init fails when kerberos - is desired - -There is a regression with code using cli_session_creds_init when -cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED - -Authentication succeeds when boolean fallback_after_kerberos is false -and fails when true. -There doesn't seem to be a good reason why the value of -fallback_after_kerberos should initialise the krb5 ccache or not. -It would seems that krb5 cache should be setup for creds -for *any* kerberos auth (whether fallback is enabled or not) - -Partial patch from (see bug referenced below) -Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 -Signed-off-by: Noel Power -Reviewed-by: Andreas Schneider -(cherry picked from commit 1c48599105736499d18aa1f647bce9e1f8dbdcca) ---- - source3/libsmb/cliconnect.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index bd75393ac07..da751f54f00 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -215,7 +215,7 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx, - goto fail; - } - } -- } else if (use_kerberos && !fallback_after_kerberos) { -+ } else if (use_kerberos) { - const char *error_string = NULL; - int rc; - --- -2.53.0 - - -From c6c1567ee601ba06d97e6269d6378278cc145e39 Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Mon, 19 Jan 2026 16:18:02 +0000 -Subject: [PATCH 38/59] s3/libsmb: block anon authentication fallback is - use-kerberos = desired - -When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED -libsmbclient method SMBC_server_internal will still try to fallback to -anon NTLM. This patch prevents that. - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 -Signed-off-by: Noel Power -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Noel Power -Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224 - -(cherry picked from commit bc868800276fe09cbcb206ebe4cb4da32af7599f) ---- - source3/libsmb/libsmb_server.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c -index 8808781d410..a0d9c47e431 100644 ---- a/source3/libsmb/libsmb_server.c -+++ b/source3/libsmb/libsmb_server.c -@@ -607,6 +607,8 @@ SMBC_server_internal(TALLOC_CTX *ctx, - password_used = ""; - - if (smbc_getOptionNoAutoAnonymousLogin(context) || -+ cli_credentials_get_kerberos_state(creds) == -+ CRED_USE_KERBEROS_REQUIRED || - !NT_STATUS_IS_OK(cli_session_setup_anon(c))) { - - cli_shutdown(c); --- -2.53.0 - - -From b60ba4c12b8509652d269ab07b2619075e77aa2e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Wed, 18 Mar 2026 20:24:37 +0100 -Subject: [PATCH 39/59] s3:libnet: Fix DC numeric ip handling -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is fixing regression introduced via 82f53c8 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider ---- - source3/libnet/libnet_join.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index cb997dcbe23..3507e87032f 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2632,7 +2632,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - struct sockaddr_storage ss = {0}; - const char *numeric_dcip = info->dc_address + 2; - -- if (numeric_dcip[0] == '\0') { -+ if (numeric_dcip[0] != '\0') { - if (!interpret_string_addr(&ss, numeric_dcip, - AI_NUMERICHOST)) { - DBG_ERR( --- -2.53.0 - - -From c27a523baa05e726f479f2a0d59a03fe7aa8e8ee Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 23 Mar 2026 19:03:34 +0100 -Subject: [PATCH 40/59] s3:libads: Allow to specify 'dns_lookup_kdc' in - krb5.conf -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider ---- - source3/libads/kerberos.c | 23 ++++++++++++++++------- - source3/libads/kerberos_proto.h | 33 +++++++++++++++++++++++++++++---- - 2 files changed, 45 insertions(+), 11 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index d8325201b2f..b0b1895ba48 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -1362,10 +1362,12 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx) - } - #endif - --bool create_local_private_krb5_conf_for_domain(const char *realm, -- const char *domain, -- const char *sitename, -- const struct sockaddr_storage *pss) -+bool create_local_private_krb5_conf_for_domain_internal( -+ const char *realm, -+ const char *domain, -+ const char *sitename, -+ const struct sockaddr_storage *pss, -+ bool dns_lookup_kdc) - { - char *dname; - char *tmpname = NULL; -@@ -1441,10 +1443,16 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, - #endif - - /* -- * We are setting 'dns_lookup_kdc' to true, because we want to lookup -- * KDCs which are not configured via DNS SRV records, eg. if we do: -+ * Normally 'dns_lookup_kdc' should be set to true, because we want to -+ * also lookup KDCs via DNS SRV records, e.g. cross domain scenario: - * - * net ads join -Uadmin@otherdomain -+ * -+ * However, during domain join we need to set it to false when we -+ * reconnect using the freshly created machine account credentials. -+ * With dns_lookup_kdc = true, Kerberos may pick a different DC -+ * for the TCP retry (after UDP response is too large), and that DC -+ * might not have replicated the new machine account yet. - */ - file_contents = - talloc_asprintf(fname, -@@ -1452,7 +1460,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, - "\tdefault_realm = %s\n" - "%s" - "\tdns_lookup_realm = false\n" -- "\tdns_lookup_kdc = true\n\n" -+ "\tdns_lookup_kdc = %s\n\n" - "[realms]\n\t%s = {\n" - "%s\t}\n" - "\t%s = {\n" -@@ -1460,6 +1468,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, - "%s\n", - realm_upper, - enctypes, -+ dns_lookup_kdc ? "true" : "false", - realm_upper, - kdc_ip_string, - domain, -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h -index a96211c7289..fbeaeff92a9 100644 ---- a/source3/libads/kerberos_proto.h -+++ b/source3/libads/kerberos_proto.h -@@ -70,10 +70,35 @@ int ads_kdestroy(const char *cc_name); - int kerberos_kinit_password(const char *principal, - const char *password, - const char *cache_name); --bool create_local_private_krb5_conf_for_domain(const char *realm, -- const char *domain, -- const char *sitename, -- const struct sockaddr_storage *pss); -+ -+bool create_local_private_krb5_conf_for_domain_internal( -+ const char *realm, -+ const char *domain, -+ const char *sitename, -+ const struct sockaddr_storage *pss, -+ bool dns_lookup_kdc); -+ -+/* Create krb5.conf that allows DC lookup using DNS. */ -+static inline bool create_local_private_krb5_conf_for_domain( -+ const char *realm, -+ const char *domain, -+ const char *sitename, -+ const struct sockaddr_storage *pss) -+{ -+ return create_local_private_krb5_conf_for_domain_internal( -+ realm, domain, sitename, pss, true); -+} -+ -+/* Create krb5.conf that disables DC lookup using DNS - needed during join. */ -+static inline bool create_local_private_krb5_conf_for_domain_join( -+ const char *realm, -+ const char *domain, -+ const char *sitename, -+ const struct sockaddr_storage *pss) -+{ -+ return create_local_private_krb5_conf_for_domain_internal( -+ realm, domain, sitename, pss, false); -+} - - /* The following definitions come from libads/authdata.c */ - --- -2.53.0 - - -From 9328d62302aa4328f8763e09aaa6f561e1a5bad3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 23 Mar 2026 19:05:31 +0100 -Subject: [PATCH 41/59] s3:libads: Set dns_lookup_kdc=false during net ads join -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Pavel Filipensky -Autobuild-Date(master): Tue Apr 7 14:09:40 UTC 2026 on atb-devel-224 ---- - source3/libnet/libnet_join.c | 60 +++++++++++++++++++++++++++++++++++- - 1 file changed, 59 insertions(+), 1 deletion(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 3507e87032f..6ccf505ca19 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2870,6 +2870,10 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { - WERROR werr; -+#ifdef HAVE_ADS -+ struct sockaddr_storage dc_ss = {0}; -+ bool dns_lookup_kdc_disabled = false; -+#endif /* HAVE_ADS */ - - if (r->in.debug) { - LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r); -@@ -2893,6 +2897,49 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, - } - } - -+#ifdef HAVE_ADS -+ /* -+ * The machine account was just created on r->in.dc_name, -+ * but might not have replicated to other DCs yet. -+ * Regenerate the krb5.conf with dns_lookup_kdc = false -+ * so that the Kerberos library only talks to the DC -+ * where the account was created. This covers all -+ * subsequent machine-credential operations: -+ * - libnet_join_post_processing_ads_modify() (etype update) -+ * - libnet_join_post_verify() (domain membership verification) -+ */ -+ if (r->out.domain_is_ad && -+ !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && -+ !r->in.request_offline_join) -+ { -+ bool ok; -+ const char *ip = NULL; -+ -+ /* dcinfo might not be set for offline joins, however this -+ * check is redundant since we have a guard: -+ * !r->in.request_offline_join -+ */ -+ if (r->out.dcinfo) { -+ ip = r->out.dcinfo->dc_address + 2; /* Strip "\\" */ -+ } -+ -+ if (ip && ip[0] != '\0') { -+ ok = interpret_string_addr(&dc_ss, ip, AI_NUMERICHOST); -+ } else { -+ ok = interpret_string_addr(&dc_ss, r->in.dc_name, 0); -+ } -+ -+ if (ok) { -+ create_local_private_krb5_conf_for_domain_join( -+ r->out.dns_domain_name, -+ r->out.netbios_domain_name, -+ NULL, /* sitename */ -+ &dc_ss); -+ dns_lookup_kdc_disabled = true; -+ } -+ } -+#endif /* HAVE_ADS */ -+ - werr = libnet_join_post_processing(mem_ctx, r); - if (!W_ERROR_IS_OK(werr)) { - goto done; -@@ -2920,7 +2967,18 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, - } - } - -- done: -+done: -+#ifdef HAVE_ADS -+ if (dns_lookup_kdc_disabled) { -+ /* Restore dns_lookup_kdc = true for subsequent operations */ -+ create_local_private_krb5_conf_for_domain( -+ r->out.dns_domain_name, -+ r->out.netbios_domain_name, -+ NULL, /* sitename */ -+ &dc_ss); -+ } -+#endif /* HAVE_ADS */ -+ - r->out.result = werr; - - if (r->in.debug) { --- -2.53.0 - - -From 1618908df1133d9cb3080363b5078e7b892fb260 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Thu, 23 Jan 2025 13:42:48 +0100 -Subject: [PATCH 42/59] vfs: Allow WITH_BACKUP_INTENT in vfs openat functions - -BACKUP_INTENT has no real meaning so far throughout our code, so we -should ignore and thus allow it in our openat-intercepting functions. - -Signed-off-by: Volker Lendecke -Reviewed-by: Ralph Boehme ---- - source3/modules/vfs_aio_pthread.c | 2 +- - source3/modules/vfs_ceph.c | 2 +- - source3/modules/vfs_ceph_new.c | 2 +- - source3/modules/vfs_fruit.c | 2 +- - source3/modules/vfs_glusterfs.c | 2 +- - source3/modules/vfs_streams_depot.c | 2 +- - source3/modules/vfs_streams_xattr.c | 2 +- - 7 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c -index b099a6b5b52..bd0c94b8cce 100644 ---- a/source3/modules/vfs_aio_pthread.c -+++ b/source3/modules/vfs_aio_pthread.c -@@ -457,7 +457,7 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle, - bool aio_allow_open = lp_parm_bool( - SNUM(handle->conn), "aio_pthread", "aio open", false); - -- if (how->resolve != 0) { -+ if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { - errno = ENOSYS; - return -1; - } -diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c -index 49cbd17692f..3913cb01b2c 100644 ---- a/source3/modules/vfs_ceph.c -+++ b/source3/modules/vfs_ceph.c -@@ -472,7 +472,7 @@ static int cephwrap_openat(struct vfs_handle_struct *handle, - int result = -ENOENT; - int dirfd = -1; - -- if (how->resolve != 0) { -+ if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { - errno = ENOSYS; - return -1; - } -diff --git a/source3/modules/vfs_ceph_new.c b/source3/modules/vfs_ceph_new.c -index b97279982cd..28e91235b91 100644 ---- a/source3/modules/vfs_ceph_new.c -+++ b/source3/modules/vfs_ceph_new.c -@@ -2274,7 +2274,7 @@ static int vfs_ceph_openat(struct vfs_handle_struct *handle, - int result = -ENOENT; - - START_PROFILE(syscall_openat); -- if (how->resolve != 0) { -+ if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { - result = -ENOSYS; - goto err_out; - } -diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c -index 795f79ce09c..4da7c1efa07 100644 ---- a/source3/modules/vfs_fruit.c -+++ b/source3/modules/vfs_fruit.c -@@ -1787,7 +1787,7 @@ static int fruit_openat(vfs_handle_struct *handle, - return fd; - } - -- if (how->resolve != 0) { -+ if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { - errno = ENOSYS; - return -1; - } -diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c -index 48a76189096..63dc7a30b04 100644 ---- a/source3/modules/vfs_glusterfs.c -+++ b/source3/modules/vfs_glusterfs.c -@@ -731,7 +731,7 @@ static int vfs_gluster_openat(struct vfs_handle_struct *handle, - - START_PROFILE(syscall_openat); - -- if (how->resolve != 0) { -+ if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { - END_PROFILE(syscall_openat); - errno = ENOSYS; - return -1; -diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c -index 951f1af17a9..9d6bdf826dc 100644 ---- a/source3/modules/vfs_streams_depot.c -+++ b/source3/modules/vfs_streams_depot.c -@@ -759,7 +759,7 @@ static int streams_depot_openat(struct vfs_handle_struct *handle, - how); - } - -- if (how->resolve != 0) { -+ if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { - errno = ENOSYS; - return -1; - } -diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c -index 7601e744198..ac01cc46043 100644 ---- a/source3/modules/vfs_streams_xattr.c -+++ b/source3/modules/vfs_streams_xattr.c -@@ -416,7 +416,7 @@ static int streams_xattr_openat(struct vfs_handle_struct *handle, - how); - } - -- if (how->resolve != 0) { -+ if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { - errno = ENOSYS; - return -1; - } --- -2.53.0 - - -From e6bb0d0ba3097365fdeedfd06cce3cf610eb123e Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Fri, 14 Feb 2025 17:07:14 +0100 -Subject: [PATCH 43/59] vfs: Add VFS_OPEN_HOW_RESOLVE_NO_XDEV flag - -It disallows traversal of mount points during path resolution, including bind -mounts. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/include/vfs.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/include/vfs.h b/source3/include/vfs.h -index cab809de5d3..1353f661d20 100644 ---- a/source3/include/vfs.h -+++ b/source3/include/vfs.h -@@ -923,6 +923,7 @@ struct vfs_aio_state { - - #define VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS 1 - #define VFS_OPEN_HOW_WITH_BACKUP_INTENT 2 -+#define VFS_OPEN_HOW_RESOLVE_NO_XDEV 4 - - struct vfs_open_how { - int flags; --- -2.53.0 - - -From b9342aca75aaa2bc9f923461c97c81bb8ec0f1d6 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Fri, 14 Feb 2025 17:13:39 +0100 -Subject: [PATCH 44/59] vfs: Use RESOLVE_NO_XDEV by default on all shares - -Enable the flag by default on all shares, it will be automatically -disabled if the system does not support openat2(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - script/autobuild.py | 2 +- - source3/modules/vfs_default.c | 11 +++++++++++ - 2 files changed, 12 insertions(+), 1 deletion(-) - -diff --git a/script/autobuild.py b/script/autobuild.py -index 137a6eb0999..5a7dad4b8fa 100755 ---- a/script/autobuild.py -+++ b/script/autobuild.py -@@ -322,7 +322,7 @@ tasks = { - "samba-no-opath-build": { - "git-clone-required": True, - "sequence": [ -- ("configure", "ADDITIONAL_CFLAGS='-DDISABLE_OPATH=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=1 -DDISABLE_PROC_FDS=1' ./configure.developer --without-ad-dc " + samba_configure_params), -+ ("configure", "ADDITIONAL_CFLAGS='-DDISABLE_OPATH=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_XDEV=1 -DDISABLE_PROC_FDS=1' ./configure.developer --without-ad-dc " + samba_configure_params), - ("make", "make -j"), - ("check-clean-tree", CLEAN_SOURCE_TREE_CMD), - ("chmod-R-a-w", "chmod -R a-w ."), -diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c -index 5d16cbb5bf3..c11eae3da04 100644 ---- a/source3/modules/vfs_default.c -+++ b/source3/modules/vfs_default.c -@@ -76,6 +76,17 @@ static int vfswrap_connect(vfs_handle_struct *handle, const char *service, const - #ifdef DISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS - handle->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS; - #endif -+ bval = lp_parm_bool(SNUM(handle->conn), -+ "vfs_default", -+ "VFS_OPEN_HOW_RESOLVE_NO_XDEV", -+ true); -+ if (bval) { -+ handle->conn->open_how_resolve |= -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV; -+ } -+#ifdef DISABLE_VFS_OPEN_HOW_RESOLVE_NO_XDEV -+ handle->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; -+#endif - - return 0; /* Return >= 0 for success */ - } --- -2.53.0 - - -From bf6c44ddf0dcffd545615b5ef51053834262b219 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 8 Oct 2025 10:54:55 +0200 -Subject: [PATCH 45/59] selftest/Samba3: nt4_dc* use - vfs_default:VFS_OPEN_HOW_RESOLVE_NO_XDEV=no - -From 076c22fbd7ecbf22dbfeb1711609f07fd42f88b0, we should always test the -code path without openat2 being available, even if the kernel supports it. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - selftest/target/Samba3.pm | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 8906608bc1f..681808eafe0 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -304,6 +304,7 @@ sub setup_nt4_dc - server schannel require seal:torturetest\$ = no - - vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no -+ vfs_default:VFS_OPEN_HOW_RESOLVE_NO_XDEV = no - - fss: sequence timeout = 1 - check parent directory delete on close = yes --- -2.53.0 - - -From 396e34c5a4d56c211fec2de004e87d898426536d Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Fri, 14 Feb 2025 17:14:59 +0100 -Subject: [PATCH 46/59] vfs: Pass the RESOLVE_NO_XDEV from upper layers to - openat2() syscall - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/modules/vfs_default.c | 19 ++++++++++++++++--- - 1 file changed, 16 insertions(+), 3 deletions(-) - -diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c -index c11eae3da04..14d16ab8ae4 100644 ---- a/source3/modules/vfs_default.c -+++ b/source3/modules/vfs_default.c -@@ -630,7 +630,9 @@ static int vfswrap_openat(vfs_handle_struct *handle, - SMB_ASSERT((dirfd != -1) || (smb_fname->base_name[0] == '/')); - - if (how->resolve & ~(VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS | -- VFS_OPEN_HOW_WITH_BACKUP_INTENT)) { -+ VFS_OPEN_HOW_WITH_BACKUP_INTENT | -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) -+ { - errno = ENOSYS; - result = -1; - goto out; -@@ -663,12 +665,20 @@ static int vfswrap_openat(vfs_handle_struct *handle, - } - #endif - -- if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS) { -+ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS || -+ how->resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) -+ { - struct open_how linux_how = { - .flags = flags, - .mode = mode, -- .resolve = RESOLVE_NO_SYMLINKS, -+ .resolve = 0, - }; -+ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS) { -+ linux_how.resolve |= RESOLVE_NO_SYMLINKS; -+ } -+ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) { -+ linux_how.resolve |= RESOLVE_NO_XDEV; -+ } - - result = openat2(dirfd, - smb_fname->base_name, -@@ -681,10 +691,13 @@ static int vfswrap_openat(vfs_handle_struct *handle, - * openat2(), so indicate to - * the callers that - * VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS -+ * or VFS_OPEN_HOW_RESOLVE_NO_XDEV - * would just be a waste of time. - */ - fsp->conn->open_how_resolve &= - ~VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS; -+ fsp->conn->open_how_resolve &= -+ ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; - } - goto out; - } --- -2.53.0 - - -From 31c935b9c3384e61ba475b2321486e48603b5860 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 8 Oct 2025 13:18:44 +0200 -Subject: [PATCH 47/59] smbd: Refactor reopen_from_fsp(), factor out name based - reopen - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/smbd/open.c | 55 +++++++++++++++++++++++++++++++-------------- - 1 file changed, 38 insertions(+), 17 deletions(-) - -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index b91f9d8ce1e..4bc26f6994b 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -847,6 +847,33 @@ static NTSTATUS fd_open_atomic(struct files_struct *dirfsp, - return status; - } - -+/* -+ * Close the existing pathref fd and set the fsp flag -+ * is_pathref to false so we get a "normal" fd this time. -+ */ -+static NTSTATUS reopen_from_fsp_namebased(struct files_struct *dirfsp, -+ struct smb_filename *smb_fname, -+ struct files_struct *fsp, -+ const struct vfs_open_how *how, -+ bool *p_file_created) -+{ -+ NTSTATUS status; -+ -+ status = fd_close(fsp); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ fsp->fsp_flags.is_pathref = false; -+ -+ status = fd_open_atomic(dirfsp, -+ smb_fname, -+ fsp, -+ how, -+ p_file_created); -+ return status; -+} -+ - NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, - struct smb_filename *smb_fname, - struct files_struct *fsp, -@@ -896,7 +923,12 @@ NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, - * point we get ENOENT. We - * have to retry pathbased. - */ -- goto namebased_open; -+ return reopen_from_fsp_namebased(dirfsp, -+ smb_fname, -+ fsp, -+ how, -+ p_file_created); -+ - } - /* restore ENOENT if changed in the meantime */ - errno = ENOENT; -@@ -916,22 +948,11 @@ NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, - return NT_STATUS_OK; - } - --#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) --namebased_open: --#endif -- /* -- * Close the existing pathref fd and set the fsp flag -- * is_pathref to false so we get a "normal" fd this time. -- */ -- status = fd_close(fsp); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- -- fsp->fsp_flags.is_pathref = false; -- -- status = fd_open_atomic(dirfsp, smb_fname, fsp, how, p_file_created); -- return status; -+ return reopen_from_fsp_namebased(dirfsp, -+ smb_fname, -+ fsp, -+ how, -+ p_file_created); - } - - /**************************************************************************** --- -2.53.0 - - -From 7c80ee9fd5b3ee5f99caadab4275fe4e7cdb5766 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 8 Oct 2025 13:53:14 +0200 -Subject: [PATCH 48/59] smbd: Refactor reopen_from_fsp(), factor out - automounter mountpoint check - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/smbd/open.c | 66 +++++++++++++++++++++++++++------------------ - 1 file changed, 40 insertions(+), 26 deletions(-) - -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index 4bc26f6994b..73d99fb2600 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -874,6 +874,30 @@ static NTSTATUS reopen_from_fsp_namebased(struct files_struct *dirfsp, - return status; - } - -+static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd) -+{ -+#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) -+ struct statfs sbuf = {}; -+ int ret; -+ -+ if (!S_ISDIR(fsp->fsp_name->st.st_ex_mode)) { -+ return false; -+ } -+ -+ ret = fstatfs(old_fd, &sbuf); -+ if (ret == -1) { -+ DBG_ERR("fstatfs failed: %s\n", strerror(errno)); -+ return false; -+ } -+ if (sbuf.f_type == AUTOFS_SUPER_MAGIC) { -+ return true; -+ } -+ return false; -+#else -+ return false; -+#endif -+} -+ - NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, - struct smb_filename *smb_fname, - struct files_struct *fsp, -@@ -908,33 +932,23 @@ NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, - fsp, - how); - if (new_fd == -1) { --#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) -- if (S_ISDIR(fsp->fsp_name->st.st_ex_mode) && -- (errno == ENOENT)) { -- struct statfs sbuf = {}; -- int ret = fstatfs(old_fd, &sbuf); -- if (ret == -1) { -- DBG_ERR("fstatfs failed: %s\n", -- strerror(errno)); -- } else if (sbuf.f_type == AUTOFS_SUPER_MAGIC) { -- /* -- * When reopening an as-yet -- * unmounted autofs mount -- * point we get ENOENT. We -- * have to retry pathbased. -- */ -- return reopen_from_fsp_namebased(dirfsp, -- smb_fname, -- fsp, -- how, -- p_file_created); -- -- } -- /* restore ENOENT if changed in the meantime */ -- errno = ENOENT; -+ int saved_errno = errno; -+ if (saved_errno == ENOENT && -+ fsp_is_automount_mountpoint(fsp, old_fd)) -+ { -+ /* -+ * When reopening an as-yet unmounted autofs -+ * mount point we get ENOENT. We have to retry -+ * pathbased. -+ */ -+ return reopen_from_fsp_namebased(dirfsp, -+ smb_fname, -+ fsp, -+ how, -+ p_file_created); - } --#endif -- status = map_nt_error_from_unix(errno); -+ -+ status = map_nt_error_from_unix(saved_errno); - fd_close(fsp); - return status; - } --- -2.53.0 - - -From cc59f5ed57ca6e2d01de14b644297055eadc8403 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 8 Oct 2025 14:17:27 +0200 -Subject: [PATCH 49/59] smbd: Refactor reopen_from_fsp(), factor out pathref - based - -Best viewed ignoring white space changes - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/smbd/open.c | 117 +++++++++++++++++++++++++------------------- - 1 file changed, 66 insertions(+), 51 deletions(-) - -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index 73d99fb2600..f1f5945a817 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -898,68 +898,83 @@ static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd) - #endif - } - --NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, -- struct smb_filename *smb_fname, -- struct files_struct *fsp, -- const struct vfs_open_how *how, -- bool *p_file_created) -+static NTSTATUS reopen_from_fsp_pathref_based( -+ struct files_struct *dirfsp, -+ struct smb_filename *smb_fname, -+ struct files_struct *fsp, -+ const struct vfs_open_how *how, -+ bool *p_file_created) - { - NTSTATUS status; -- int old_fd; -+ struct sys_proc_fd_path_buf buf; -+ int pathref_fd = fsp_get_pathref_fd(fsp); -+ struct smb_filename proc_fname = { -+ .base_name = sys_proc_fd_path(pathref_fd, &buf), -+ }; -+ mode_t mode = fsp->fsp_name->st.st_ex_mode; -+ int new_fd; - -- if (fsp->fsp_flags.have_proc_fds && -- ((old_fd = fsp_get_pathref_fd(fsp)) != -1)) { -+ if (S_ISLNK(mode)) { -+ return NT_STATUS_STOPPED_ON_SYMLINK; -+ } -+ if (!(S_ISREG(mode) || S_ISDIR(mode))) { -+ return NT_STATUS_IO_REPARSE_TAG_NOT_HANDLED; -+ } - -- struct sys_proc_fd_path_buf buf; -- struct smb_filename proc_fname = { -- .base_name = sys_proc_fd_path(old_fd, &buf), -- }; -- mode_t mode = fsp->fsp_name->st.st_ex_mode; -- int new_fd; -+ fsp->fsp_flags.is_pathref = false; - -- if (S_ISLNK(mode)) { -- return NT_STATUS_STOPPED_ON_SYMLINK; -- } -- if (!(S_ISREG(mode) || S_ISDIR(mode))) { -- return NT_STATUS_IO_REPARSE_TAG_NOT_HANDLED; -+ new_fd = SMB_VFS_OPENAT(fsp->conn, -+ fsp->conn->cwd_fsp, -+ &proc_fname, -+ fsp, -+ how); -+ if (new_fd == -1) { -+ int saved_errno = errno; -+ if (saved_errno == ENOENT && -+ fsp_is_automount_mountpoint(fsp, pathref_fd)) -+ { -+ /* -+ * When reopening an as-yet unmounted autofs -+ * mount point we get ENOENT. We have to retry -+ * pathbased. -+ */ -+ return reopen_from_fsp_namebased(dirfsp, -+ smb_fname, -+ fsp, -+ how, -+ p_file_created); - } - -- fsp->fsp_flags.is_pathref = false; -+ status = map_nt_error_from_unix(saved_errno); -+ fd_close(fsp); -+ return status; -+ } - -- new_fd = SMB_VFS_OPENAT(fsp->conn, -- fsp->conn->cwd_fsp, -- &proc_fname, -- fsp, -- how); -- if (new_fd == -1) { -- int saved_errno = errno; -- if (saved_errno == ENOENT && -- fsp_is_automount_mountpoint(fsp, old_fd)) -- { -- /* -- * When reopening an as-yet unmounted autofs -- * mount point we get ENOENT. We have to retry -- * pathbased. -- */ -- return reopen_from_fsp_namebased(dirfsp, -- smb_fname, -- fsp, -- how, -- p_file_created); -- } -+ status = fd_close(fsp); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - -- status = map_nt_error_from_unix(saved_errno); -- fd_close(fsp); -- return status; -- } -+ fsp_set_fd(fsp, new_fd); -+ return NT_STATUS_OK; -+} - -- status = fd_close(fsp); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -+NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, -+ struct smb_filename *smb_fname, -+ struct files_struct *fsp, -+ const struct vfs_open_how *how, -+ bool *p_file_created) -+{ -+ int old_fd; - -- fsp_set_fd(fsp, new_fd); -- return NT_STATUS_OK; -+ if (fsp->fsp_flags.have_proc_fds && -+ ((old_fd = fsp_get_pathref_fd(fsp)) != -1)) -+ { -+ return reopen_from_fsp_pathref_based(dirfsp, -+ smb_fname, -+ fsp, -+ how, -+ p_file_created); - } - - return reopen_from_fsp_namebased(dirfsp, --- -2.53.0 - - -From d8a7aff642d7e18855a94b2a847198eadbf7b60f Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 8 Oct 2025 17:09:22 +0200 -Subject: [PATCH 50/59] smbd: Fix crossing direct automounter mount points - -The workaround implemented in commit ac7a16f9cc4bd97ef546d1b7b02605991000d0f9 -to trigger automounts does not work for direct automounts (either with -systemd-automount or autofs daemon). - -In direct automounts the mount point is a real directory instead of a "ghost" -directory so when turning the O_PATH handle into a real one through -/proc/self/fd/ openat() does not return ENOENT, it returs a fd referring -to the mount point without triggering the mount. - -To trigger the mount first we have to know when we are crossing mount points -by using the RESOLVE_NO_XDEV flag in open_how.resolve, then we can check with -fstatfs() the .f_type and fallback to a path-based open for automounts or -retry without RESOLVE_NO_XDEV otherwise. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/smbd/open.c | 71 ++++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 67 insertions(+), 4 deletions(-) - -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index f1f5945a817..739fb224b0b 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -913,6 +913,7 @@ static NTSTATUS reopen_from_fsp_pathref_based( - }; - mode_t mode = fsp->fsp_name->st.st_ex_mode; - int new_fd; -+ struct vfs_open_how pathref_how = *how; - - if (S_ISLNK(mode)) { - return NT_STATUS_STOPPED_ON_SYMLINK; -@@ -923,26 +924,88 @@ static NTSTATUS reopen_from_fsp_pathref_based( - - fsp->fsp_flags.is_pathref = false; - -+#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) -+ /* -+ * There is no point in setting RESOLVE_NO_XDEV if we can't -+ * check with fstatfs later in fsp_is_automount_mountpoint -+ */ -+ if (S_ISDIR(fsp->fsp_name->st.st_ex_mode) && -+ fsp->conn->open_how_resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) { -+ /* -+ * If the *at cwd_fsp is a pathref (opened with O_PATH) -+ * and old_fd refers to an automounter mount point not -+ * yet mounted, we will get a fd referring to the -+ * mount point without actually triggering the mount -+ * (man 2 openat). To detect this situation set the -+ * RESOLVE_NO_XDEV flag so openat2 will return an -+ * error when crossing mount points. Then check -+ * with fstatfs if it is an autofs mount point or not, -+ * falling back to name-based openat or retry without -+ * RESOLVE_NO_XDEV otherwise (could be a bind mount, -+ * other type of mount of an automounter mount point -+ * already mounted). -+ */ -+ pathref_how.resolve |= VFS_OPEN_HOW_RESOLVE_NO_XDEV; -+ } -+#endif -+ -+retry: - new_fd = SMB_VFS_OPENAT(fsp->conn, - fsp->conn->cwd_fsp, - &proc_fname, - fsp, -- how); -+ &pathref_how); - if (new_fd == -1) { - int saved_errno = errno; - if (saved_errno == ENOENT && - fsp_is_automount_mountpoint(fsp, pathref_fd)) - { - /* -- * When reopening an as-yet unmounted autofs -- * mount point we get ENOENT. We have to retry -- * pathbased. -+ * This is a not yet triggered indirect automount -+ * detected by openat(pathref_fd). Retry name-based. - */ - return reopen_from_fsp_namebased(dirfsp, - smb_fname, - fsp, - how, - p_file_created); -+ } else if (saved_errno == EXDEV && -+ pathref_how.resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV && -+ fsp_is_automount_mountpoint(fsp, pathref_fd)) -+ { -+ /* -+ * This is a not yet triggered direct or indirect -+ * automount, detected by -+ * openat2(pathref_fd, .., RESOLVE_NO_XDEV). -+ * Retry name-based. -+ */ -+ return reopen_from_fsp_namebased(dirfsp, -+ smb_fname, -+ fsp, -+ how, -+ p_file_created); -+ } else if (saved_errno == ENOSYS && -+ pathref_how.resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) -+ { -+ /* -+ * The kernel doesn't support openat2() yet, or any -+ * VFS module rejected the flag. Notify to the user -+ * and retry without RESOLVE_NO_XDEV. -+ */ -+ DBG_WARNING("Failed to open directory disallowing the " -+ "traversal of mount points during path " -+ "resolution. Retrying allowing traversal, " -+ "but automounts won't be triggered.\n"); -+ pathref_how.resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; -+ goto retry; -+ } else if (saved_errno == EXDEV && -+ pathref_how.resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) -+ { -+ /* -+ * Just crossing a mount. Retry allowing traversals. -+ */ -+ pathref_how.resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; -+ goto retry; - } - - status = map_nt_error_from_unix(saved_errno); --- -2.53.0 - - -From 47fb5e3ad088f636cdf77a47e3bdc1a023ea4882 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Fri, 2 May 2025 11:57:30 +0200 -Subject: [PATCH 51/59] vfs:aio_pthread: Handle VFS_OPEN_HOW_RESOLVE_NO_XDEV - flag - -This module uses openat() instead of openat2() so the flag won't be used and -automounts might not be triggered. - -Disable flag usage for subsequent opens and return an error to callers to warn -the user and retry without the flag. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/modules/vfs_aio_pthread.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c -index bd0c94b8cce..afbaaedf7b5 100644 ---- a/source3/modules/vfs_aio_pthread.c -+++ b/source3/modules/vfs_aio_pthread.c -@@ -457,7 +457,9 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle, - bool aio_allow_open = lp_parm_bool( - SNUM(handle->conn), "aio_pthread", "aio open", false); - -- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { -+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) -+ { - errno = ENOSYS; - return -1; - } -@@ -498,6 +500,16 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle, - aio_allow_open = false; - } - -+ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) { -+ /* -+ * RESOLVE_NO_XDEV needs openat2(). Disallow further usage of -+ * this flag and return ENOSYS to force a retry. -+ */ -+ fsp->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; -+ errno = ENOSYS; -+ return -1; -+ } -+ - if (!aio_allow_open) { - /* aio opens turned off. */ - return SMB_VFS_NEXT_OPENAT(handle, --- -2.53.0 - - -From 45f8a10c79dde52989119ec834872edfde65f47a Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Fri, 2 May 2025 12:11:01 +0200 -Subject: [PATCH 52/59] vfs:ceph: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV flag - -Don't return ENOSYS if the flag is set. It will be ignored, -does not make sense in a ceph virtual filesystem. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/modules/vfs_ceph.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c -index 3913cb01b2c..d070fb644c7 100644 ---- a/source3/modules/vfs_ceph.c -+++ b/source3/modules/vfs_ceph.c -@@ -472,7 +472,9 @@ static int cephwrap_openat(struct vfs_handle_struct *handle, - int result = -ENOENT; - int dirfd = -1; - -- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { -+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) -+ { - errno = ENOSYS; - return -1; - } --- -2.53.0 - - -From ece9a7871cba6165f49a06e58c682caeaafad84a Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 30 Sep 2025 10:32:36 +0200 -Subject: [PATCH 53/59] vfs:ceph_new: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV flag - -Don't return ENOSYS if the flag is set. It will be ignored, -does not make sense in a ceph filesystem. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/modules/vfs_ceph_new.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/modules/vfs_ceph_new.c b/source3/modules/vfs_ceph_new.c -index 28e91235b91..ec611b8e5c9 100644 ---- a/source3/modules/vfs_ceph_new.c -+++ b/source3/modules/vfs_ceph_new.c -@@ -2274,7 +2274,9 @@ static int vfs_ceph_openat(struct vfs_handle_struct *handle, - int result = -ENOENT; - - START_PROFILE(syscall_openat); -- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { -+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) -+ { - result = -ENOSYS; - goto err_out; - } --- -2.53.0 - - -From fd133f3e3f4165e2f25e8d3b243a2df679499b42 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 9 Oct 2025 12:30:17 +0200 -Subject: [PATCH 54/59] vfs:glusterfs: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV - -Don't return ENOSYS if the flag is set. It will be ignored as does not make -sense in this module. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/modules/vfs_glusterfs.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c -index 63dc7a30b04..4d7d96f2888 100644 ---- a/source3/modules/vfs_glusterfs.c -+++ b/source3/modules/vfs_glusterfs.c -@@ -731,7 +731,9 @@ static int vfs_gluster_openat(struct vfs_handle_struct *handle, - - START_PROFILE(syscall_openat); - -- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { -+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) -+ { - END_PROFILE(syscall_openat); - errno = ENOSYS; - return -1; --- -2.53.0 - - -From 07fb5c69afeeab9c4eed3da552c6d8d19b59f03f Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Fri, 2 May 2025 13:21:52 +0200 -Subject: [PATCH 55/59] vfs:shadow_copy2: Allow RESOLVE_NO_XDEV flag - -This module updates the path and calls the next VFS module. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/modules/vfs_shadow_copy2.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c -index 42626653e0f..d8a5a05e0d0 100644 ---- a/source3/modules/vfs_shadow_copy2.c -+++ b/source3/modules/vfs_shadow_copy2.c -@@ -1573,7 +1573,9 @@ static int shadow_copy2_openat(vfs_handle_struct *handle, - int ret; - bool ok; - -- if ((how.resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { -+ if ((how.resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) -+ { - errno = ENOSYS; - return -1; - } --- -2.53.0 - - -From 636c474cc963bb0b162a1a84ec298fc453ee1443 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 9 Oct 2025 12:52:11 +0200 -Subject: [PATCH 56/59] vfs:streams_depot: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV - flag - -The flag is passed down the modules stack. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/modules/vfs_streams_depot.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c -index 9d6bdf826dc..576a7cef67d 100644 ---- a/source3/modules/vfs_streams_depot.c -+++ b/source3/modules/vfs_streams_depot.c -@@ -759,7 +759,9 @@ static int streams_depot_openat(struct vfs_handle_struct *handle, - how); - } - -- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { -+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) -+ { - errno = ENOSYS; - return -1; - } --- -2.53.0 - - -From 1f2e84b8eeb046d189636bdbf27d57f8555ddbfe Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 9 Oct 2025 12:59:59 +0200 -Subject: [PATCH 57/59] vfs:fruit: Allow RESOLVE_NO_XDEV flag - -For stream opens, it returns a fake fd. The streams will be stored by -vfs_streams_depot or vfs_streams_xattr. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme ---- - source3/modules/vfs_fruit.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c -index 4da7c1efa07..812e3a351d2 100644 ---- a/source3/modules/vfs_fruit.c -+++ b/source3/modules/vfs_fruit.c -@@ -1787,7 +1787,9 @@ static int fruit_openat(vfs_handle_struct *handle, - return fd; - } - -- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { -+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) -+ { - errno = ENOSYS; - return -1; - } --- -2.53.0 - - -From 4132b12d9b86df111ef8101c3432cd364f47eff4 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Thu, 9 Oct 2025 13:05:16 +0200 -Subject: [PATCH 58/59] vfs:streams_xattr: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV - -The open function returns a fake fd. Extended attributes will be stored by -vfs_xattr_tdb or vfs_default. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Ralph Boehme - -Autobuild-User(master): Samuel Cabrero -Autobuild-Date(master): Tue Nov 18 09:08:38 UTC 2025 on atb-devel-224 ---- - source3/modules/vfs_streams_xattr.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c -index ac01cc46043..6dd4b58b642 100644 ---- a/source3/modules/vfs_streams_xattr.c -+++ b/source3/modules/vfs_streams_xattr.c -@@ -416,7 +416,9 @@ static int streams_xattr_openat(struct vfs_handle_struct *handle, - how); - } - -- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { -+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | -+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) -+ { - errno = ENOSYS; - return -1; - } --- -2.53.0 - - -From e994ad2ede02b71a600de0133d6a374efd8f70fb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 7 Apr 2026 16:28:05 +0200 -Subject: [PATCH 59/59] smbdotconf: Add "automount fs types" to smb.conf -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This adds a new global parameter "automount fs types" that allows -administrators to configure additional filesystem types that should -trigger automounting, beyond the always-supported autofs filesystem. - -To enable 'samba unaware FS' automounting, add: - - automount fs types = 0x12345678 - -This allows e.g. ZFS snapshots in /.zfs/snapshot to be -mounted. To find out the magic number that is not listed -in /usr/include/linux/magic.h, run: - - stat -f -c '0x%t' /path/to/mountpoint - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15991 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Samuel Cabrero - -Autobuild-User(master): Pavel Filipensky -Autobuild-Date(master): Mon Apr 20 19:57:42 UTC 2026 on atb-devel-224 ---- - docs-xml/smbdotconf/misc/automountfstypes.xml | 24 ++++++++++++++ - source3/smbd/open.c | 31 +++++++++++++++++++ - 2 files changed, 55 insertions(+) - create mode 100644 docs-xml/smbdotconf/misc/automountfstypes.xml - -diff --git a/docs-xml/smbdotconf/misc/automountfstypes.xml b/docs-xml/smbdotconf/misc/automountfstypes.xml -new file mode 100644 -index 00000000000..4c5bc510520 ---- /dev/null -+++ b/docs-xml/smbdotconf/misc/automountfstypes.xml -@@ -0,0 +1,24 @@ -+ -+ -+ This parameter specifies a list of additional filesystem magic numbers -+ that should trigger automounting when accessed. -+ -+ The values should be specified as hexadecimal numbers (with or without -+ 0x prefix), separated by spaces or commas. -+ -+ Note: This parameter is only available on Linux systems. -+ -+ To find the filesystem magic number for a mounted filesystem, -+ consult /usr/include/linux/magic.h or call: -+ stat -f -c '0x%t' /path/to/mountpoint -+ -+ Note: autofs (0x187) is always checked and does not need to be included -+ in this list. -+ -+ -+ -+0xA0B0C0D0 0x12345678 -+ -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index 739fb224b0b..00dabc5ac95 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -42,6 +42,7 @@ - #include "locking/leases_db.h" - #include "librpc/gen_ndr/ndr_leases_db.h" - #include "lib/util/time_basic.h" -+#include "lib/util/smb_strtox.h" - #include "source3/smbd/dir.h" - - #if defined(HAVE_LINUX_MAGIC_H) -@@ -879,6 +880,8 @@ static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd) - #if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) - struct statfs sbuf = {}; - int ret; -+ const char **fs_types_list = NULL; -+ int i; - - if (!S_ISDIR(fsp->fsp_name->st.st_ex_mode)) { - return false; -@@ -892,6 +895,34 @@ static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd) - if (sbuf.f_type == AUTOFS_SUPER_MAGIC) { - return true; - } -+ -+ /* Check for additional filesystem types from configuration */ -+ fs_types_list = lp_automount_fs_types(); -+ if (fs_types_list == NULL) { -+ return false; -+ } -+ -+ for (i = 0; fs_types_list[i] != NULL; i++) { -+ unsigned long long fs_type_val; -+ int error = 0; -+ -+ fs_type_val = smb_strtoull(fs_types_list[i], -+ NULL, -+ 0, -+ &error, -+ SMB_STR_FULL_STR_CONV); -+ if (error != 0) { -+ DBG_WARNING( -+ "Invalid value in 'automount fs types': %s\n", -+ fs_types_list[i]); -+ continue; -+ } -+ -+ if (sbuf.f_type == fs_type_val) { -+ return true; -+ } -+ } -+ - return false; - #else - return false; --- -2.53.0 - diff --git a/redhat-4.23.patch b/redhat-4.23.patch new file mode 100644 index 0000000..7f51e2d --- /dev/null +++ b/redhat-4.23.patch @@ -0,0 +1,2338 @@ +From e8384b6daea3b8091ad1bcfce84efc9e2c6a746d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 22 Jan 2026 14:27:09 +0100 +Subject: [PATCH 01/33] s3:libads: Allocate cli_credentials on a stackframe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes: +ERROR: talloc_free with references at ../../source3/libads/ldap_utils.c:158 + +What happens: + +* `struct cli_credentials *creds` is allocated on `ads` talloc context +* gensec_set_credentials() creates a talloc_reference to `creds` +* TALLOC_FREE(creds) sees two parents and complains + +All other code is using temporary talloc_stackframe() for `creds`. +Do it here as well. + +Signed-off-by: Pavel Filipenský +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Fri Jan 23 11:20:28 UTC 2026 on atb-devel-224 +--- + source3/libads/ldap_utils.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c +index 9d6d962a2bc..d01afa69697 100644 +--- a/source3/libads/ldap_utils.c ++++ b/source3/libads/ldap_utils.c +@@ -99,6 +99,7 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind + struct cli_credentials *creds = NULL; + char *cred_name = NULL; + NTSTATUS ntstatus; ++ TALLOC_CTX *frame = talloc_stackframe(); + + if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) && + ads->config.ldap_page_size >= (lp_ldap_page_size() / 4) && +@@ -119,18 +120,20 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind + DBG_NOTICE("Search for %s in <%s> failed: %s\n", + expr, bp, ads_errstr(status)); + SAFE_FREE(bp); ++ TALLOC_FREE(frame); + return status; + } + + ntstatus = ads->auth.reconnect_state->fn(ads, + ads->auth.reconnect_state->private_data, +- ads, &creds); ++ frame, &creds); + if (!NT_STATUS_IS_OK(ntstatus)) { + DBG_WARNING("Failed to get creds for realm(%s): %s\n", + ads->server.realm, nt_errstr(ntstatus)); + DBG_WARNING("Search for %s in <%s> failed: %s\n", + expr, bp, ads_errstr(status)); + SAFE_FREE(bp); ++ TALLOC_FREE(frame); + return status; + } + +@@ -151,11 +154,11 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind + * callers depend on it being around. + */ + ads_disconnect(ads); +- TALLOC_FREE(creds); ++ TALLOC_FREE(frame); + SAFE_FREE(bp); + return status; + } +- TALLOC_FREE(creds); ++ TALLOC_FREE(frame); + + *res = NULL; + +-- +2.53.0 + + +From 7af95c7cb142aeb5f422a69d3b7a0ea3c0d2c2c2 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 26 Jan 2026 13:36:02 +0100 +Subject: [PATCH 02/33] s3:rpc_client: Fix memory leak opening local named pipe + +If no local server name was passed to rpc_pipe_open_local_np() then +get_myname() was called with NULL talloc context instead of the +current stackframe. + +This was causing an increase of memory usage on busy servers with long-living +rpcd_* workers. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Noel Power +Reviewed-by: Volker Lendecke + +Autobuild-User(master): Volker Lendecke +Autobuild-Date(master): Tue Jan 27 10:13:40 UTC 2026 on atb-devel-224 + +(cherry picked from commit 24dc455362fb49ef81c99d95880e106a234ce29a) +--- + source3/rpc_client/cli_pipe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c +index e3f48526492..c61b8eb16cf 100644 +--- a/source3/rpc_client/cli_pipe.c ++++ b/source3/rpc_client/cli_pipe.c +@@ -3625,7 +3625,7 @@ NTSTATUS rpc_pipe_open_local_np( + } + + if (local_server_name == NULL) { +- local_server_name = get_myname(result); ++ local_server_name = get_myname(frame); + } + + if (local_server_addr != NULL) { +-- +2.53.0 + + +From ab1287f78bd9d2397c8eb26fbedafa028e2aaa16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Dec 2025 17:17:33 +0100 +Subject: [PATCH 03/33] s3-selftest: mention in-memory ccache usage when + nothing is provided + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + source3/script/tests/test_net_ads_kerberos.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh +index 8a3c9ef2bc7..92d3996d078 100755 +--- a/source3/script/tests/test_net_ads_kerberos.sh ++++ b/source3/script/tests/test_net_ads_kerberos.sh +@@ -30,6 +30,7 @@ KRB5CCNAME="FILE:$KRB5CCNAME_PATH" + ## Test "net ads kerberos kinit" variants + ################################################# + ++#simply uses in memory ccache + testit "net_ads_kerberos_kinit" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ +@@ -50,6 +51,7 @@ rm -f "$KRB5CCNAME_PATH" + # --use-krb5-ccache=${KRB5CCNAME} \ + # || failed=$((failed + 1)) + ++#simply uses in memory ccache + testit "net_ads_kerberos_kinit (-P)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -P "$ADDARGS" \ +-- +2.53.0 + + +From 0aa0d39e9a5deb77114f40930b599f11fd7cf3b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Dec 2025 17:18:41 +0100 +Subject: [PATCH 04/33] s3-selftest: verify KRB5CCNAME presence after kinit + using klist + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + source3/script/tests/test_net_ads_kerberos.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh +index 92d3996d078..c53520cf733 100755 +--- a/source3/script/tests/test_net_ads_kerberos.sh ++++ b/source3/script/tests/test_net_ads_kerberos.sh +@@ -14,6 +14,12 @@ PREFIX="$4" + shift 4 + ADDARGS="$*" + ++if [ -x $(which klist) ]; then ++ KLIST=$(which klist); ++else ++ KLIST="test -e"; ++fi ++ + incdir=$(dirname "$0")/../../../testprogs/blackbox + . "$incdir"/subunit.sh + +@@ -41,6 +47,9 @@ testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ + || failed=$((failed + 1)) ++testit "klist env $KRB5CCNAME" \ ++ "$KLIST" "$KRB5CCNAME" \ ++ || failed=$((failed +1)) + unset KRB5CCNAME + rm -f "$KRB5CCNAME_PATH" + +@@ -62,6 +71,9 @@ testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -P "$ADDARGS" \ + || failed=$((failed + 1)) ++testit "klist env $KRB5CCNAME" \ ++ "$KLIST" "$KRB5CCNAME" \ ++ || failed=$((failed +1)) + unset KRB5CCNAME + rm -f "$KRB5CCNAME_PATH" + +-- +2.53.0 + + +From b9c07d59c6a20931b80fa104629477ab8f78b4ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Dec 2025 17:01:31 +0100 +Subject: [PATCH 05/33] s3-selftest: Activate "net ads kerberos kinit" tests + with --use-krb5-ccache + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + selftest/knownfail | 2 ++ + source3/script/tests/test_net_ads_kerberos.sh | 30 +++++++++++-------- + 2 files changed, 20 insertions(+), 12 deletions(-) + +diff --git a/selftest/knownfail b/selftest/knownfail +index ab2d79d7114..76f1dae605d 100644 +--- a/selftest/knownfail ++++ b/selftest/knownfail +@@ -338,3 +338,5 @@ + + # We currently don't send referrals for LDAP modify of non-replicated attrs + ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* ++ ++^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.* +diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh +index c53520cf733..b7933bab6a6 100755 +--- a/source3/script/tests/test_net_ads_kerberos.sh ++++ b/source3/script/tests/test_net_ads_kerberos.sh +@@ -53,12 +53,15 @@ testit "klist env $KRB5CCNAME" \ + unset KRB5CCNAME + rm -f "$KRB5CCNAME_PATH" + +-# --use-krb5-ccache is not working +-#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \ +-# $VALGRIND $BINDIR/net ads kerberos kinit \ +-# -U$USERNAME%$PASSWORD $ADDARGS \ +-# --use-krb5-ccache=${KRB5CCNAME} \ +-# || failed=$((failed + 1)) ++testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \ ++ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ ++ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ ++ --use-krb5-ccache="${KRB5CCNAME_PATH}" \ ++ || failed=$((failed + 1)) ++testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \ ++ "$KLIST" "$KRB5CCNAME_PATH" \ ++ || failed=$((failed +1)) ++rm -f "$KRB5CCNAME_PATH" + + #simply uses in memory ccache + testit "net_ads_kerberos_kinit (-P)" \ +@@ -77,12 +80,15 @@ testit "klist env $KRB5CCNAME" \ + unset KRB5CCNAME + rm -f "$KRB5CCNAME_PATH" + +-# --use-krb5-ccache is not working +-#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \ +-# $VALGRIND $BINDIR/net ads kerberos kinit \ +-# -P $ADDARGS \ +-# --use-krb5-ccache=${KRB5CCNAME} \ +-# || failed=$((failed + 1)) ++testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \ ++ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ ++ -P "$ADDARGS" \ ++ --use-krb5-ccache="${KRB5CCNAME_PATH}" \ ++ || failed=$((failed + 1)) ++testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \ ++ "$KLIST" "$KRB5CCNAME_PATH" \ ++ || failed=$((failed +1)) ++rm -f "$KRB5CCNAME_PATH" + + + ################################################# +-- +2.53.0 + + +From c82b7636b633575621e8e5964a93332956c238ff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Dec 2025 16:56:44 +0100 +Subject: [PATCH 06/33] s3-net: properly setup krb5 ccache name via + --use-krb5-ccache + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + selftest/knownfail | 2 -- + source3/utils/net.c | 19 ++++++++++++------- + source3/utils/net_ads.c | 4 ++++ + 3 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/selftest/knownfail b/selftest/knownfail +index 76f1dae605d..ab2d79d7114 100644 +--- a/selftest/knownfail ++++ b/selftest/knownfail +@@ -338,5 +338,3 @@ + + # We currently don't send referrals for LDAP modify of non-replicated attrs + ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* +- +-^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.* +diff --git a/source3/utils/net.c b/source3/utils/net.c +index ecabd980d0c..271c96cf804 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -1396,7 +1396,7 @@ static struct functable net_func[] = { + cli_credentials_get_principal_obtained(c->creds); + enum credentials_obtained password_obtained = + cli_credentials_get_password_obtained(c->creds); +- char *krb5ccname = NULL; ++ const char *krb5ccname = NULL; + + if (principal_obtained == CRED_SPECIFIED) { + c->explicit_credentials = true; +@@ -1415,15 +1415,20 @@ static struct functable net_func[] = { + } + + /* cli_credentials_get_ccache_name_obtained() would not work +- * here, we also cannot get the content of --use-krb5-ccache= so +- * for now at least honour the KRB5CCNAME environment variable +- * to get 'net ads kerberos' functions to work at all - gd */ +- +- krb5ccname = getenv("KRB5CCNAME"); +- if (krb5ccname == NULL) { ++ * here but we can now access the content of the ++ * --use-krb5-ccache option via cli credentials. Fallback to ++ * KRB5CCNAME environment variable to get 'net ads kerberos' ++ * functions to work at all - gd */ ++ ++ krb5ccname = cli_credentials_get_out_ccache_name(c->creds); ++ if (krb5ccname == NULL || krb5ccname[0] == '\0') { ++ krb5ccname = getenv("KRB5CCNAME"); ++ } ++ if (krb5ccname == NULL || krb5ccname[0] == '\0') { + krb5ccname = talloc_strdup(c, "MEMORY:net"); + } + if (krb5ccname == NULL) { ++ DBG_ERR("Not able to setup krb5 ccache"); + exit(1); + } + c->opt_krb5_ccache = krb5ccname; +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index d49b7537e71..5c57a0b290e 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -3245,7 +3245,11 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** + if (ret) { + d_printf(_("failed to kinit password: %s\n"), + nt_errstr(status)); ++ return ret; + } ++ ++ d_printf("Stored Kerberos TGT in: %s\n", c->opt_krb5_ccache); ++ + return ret; + } + +-- +2.53.0 + + +From 4f5ffea631d805564f7e92cc5f0f2f7ad55ba493 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Sat, 13 Dec 2025 13:49:37 +0100 +Subject: [PATCH 07/33] doc-xml: Document "net ads kerberos" commands +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Mon Jan 5 15:49:04 UTC 2026 on atb-devel-224 +--- + docs-xml/manpages/net.8.xml | 139 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 139 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index d9293d0bb34..737415b3722 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -1810,7 +1810,146 @@ the following entry types; + + + ++ ++ ADS KERBEROS ++ ++ ++ Issue Kerberos operations against an Active Directory KDC. ++ ++ ++ ++ ++ ++ ADS KERBEROS KINIT ++ ++ ++ Issue a kinit request for a given user. When no other options are ++ defined the ticket granting ticket (TGT) will be stored in a memory cache. ++ ++ ++ ++ To store the TGT in a different location either use the ++ option or set the ++ KRB5CCNAME environment variable. ++ ++ ++Example: net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache ++ ++ ++ ++ ++ ADS KERBEROS RENEW ++ ++ ++ Renew an already acquired ticket granting ticket (TGT). ++ ++ ++Example: net ads kerberos renew ++ ++ ++ ++ ++ ADS KERBEROS PAC ++ ++ ++ Request a Kerberos PAC while authenticating to an Active Directory KDC. ++ ++ ++ ++ The following commands are provided: ++ ++ ++ ++net ads kerberos pac dump - Dump a PAC to stdout. ++net ads kerneros pac save - Save a PAC to a file. ++ ++ ++ ++ All commands allow to define an impersonation principal to do a Kerberos ++ Service for User (S4U2SELF) operation via ++ the impersonate=STRING option. ++ The impersonation principal can have multiple different formats: ++ ++ ++ ++ ++ user@MY.REALM ++ This is the default format. ++ ++ ++ user@MY.REALM@MY.REALM ++ The Kerberos Service for User (S4U2SELF) also supports ++ Enterprise Principals. ++ ++ ++ user@UPN.SUFFIX@MY.REALM ++ Enterprise Principal using a defined upn suffix. ++ ++ ++ user@WORKGROUP@MY.REALM ++ Enterprise Principal with netbios domain name. ++ This format is currently not supported by Samba AD. ++ ++ + ++ ++ By default net will request a service ticket for the local service ++ of the joined machine. A different service can be defined via ++ local_service=STRING. ++ ++ ++ ++ ++ ADS KERBEROS PAC DUMP [impersonate=string] [local_service=string] [pac_buffer_type=int] ++ ++ ++ Request a Kerberos PAC while authenticating to an Active Directory KDC. ++ The PAC will be printed on stdout. ++ ++ ++ ++ When no specific pac_buffer is selected, all buffers will be printed. ++ It is possible to select a specific one via ++ pac_buffer_type=INT from this list: ++ ++ ++ ++1 PAC_TYPE_LOGON_INFO ++2 PAC_TYPE_CREDENTIAL_INFO ++6 PAC_TYPE_SRV_CHECKSUM ++7 PAC_TYPE_KDC_CHECKSUM ++10 PAC_TYPE_LOGON_NAME ++11 PAC_TYPE_CONSTRAINED_DELEGATION ++12 PAC_TYPE_UPN_DNS_INFO ++13 PAC_TYPE_CLIENT_CLAIMS_INFO ++14 PAC_TYPE_DEVICE_INFO ++15 PAC_TYPE_DEVICE_CLAIMS_INFO ++16 PAC_TYPE_TICKET_CHECKSUM ++17 PAC_TYPE_ATTRIBUTES_INFO ++18 PAC_TYPE_REQUESTER_SID ++19 PAC_TYPE_FULL_CHECKSUM ++ ++ ++Example: net ads kerberos pac dump -P impersonate=anyuser@MY.REALM.COM ++ ++ ++ ++ ++ ADS KERBEROS PAC SAVE [impersonate=string] [local_service=string] [filename=string] ++ ++ ++ Request a Kerberos PAC while authenticating to an Active Directory KDC. ++ The PAC will be saved in a file. ++ ++ ++ ++ The filename to store the PAC can be set via the ++ filename=STRING option. ++ ++ ++Example: net ads kerberos pac save -U user%password filename=/tmp/pacstore ++ ++ + + SAM CREATEBUILTINGROUP <NAME> + +-- +2.53.0 + + +From f634526bd95b8396ea7f5f1c8ed059eb01a5286b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 3 Feb 2026 12:53:10 +0100 +Subject: [PATCH 08/33] s3:utils: 'net ads kerberos kinit' should use also + default ccache name from krb5.conf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is re-introducing the behavior from samba-4.20 where both these +commands operated on the same ccache (default_ccache_name in +[libdefaults] section of krb5.conf) + + 'net ads kerberos kinit -P' + 'klist' + + With samba-4.21 it no longer works, 'net ads kerberos kinit -P' + fallbacks to 'MEMORY:net' (which is of a very limited use, ticket + cannot be used by other process) and klist finds no ticket. + + The order is changed from: + + --use-krb5-ccache + env "KRB5CCNAME" + "MEMORY:net" + +to ("MEMORY:net" is removed): + + --use-krb5-ccache + env "KRB5CCNAME" + default_ccache_name + +'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials. + +Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name() +because of commit: +1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit 4cc6a13590434f6a3aa1add663728188970d727e) +--- + source3/utils/net.c | 36 ++++++++++++++++++++++++++---------- + 1 file changed, 26 insertions(+), 10 deletions(-) + +diff --git a/source3/utils/net.c b/source3/utils/net.c +index 271c96cf804..0ce03f8213d 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -54,6 +54,7 @@ + #include "source3/utils/passwd_proto.h" + #include "auth/gensec/gensec.h" + #include "lib/param/param.h" ++#include "lib/krb5_wrap/krb5_samba.h" + + #ifdef WITH_FAKE_KASERVER + #include "utils/net_afs.h" +@@ -1414,18 +1415,33 @@ static struct functable net_func[] = { + CRED_SPECIFIED); + } + +- /* cli_credentials_get_ccache_name_obtained() would not work +- * here but we can now access the content of the +- * --use-krb5-ccache option via cli credentials. Fallback to +- * KRB5CCNAME environment variable to get 'net ads kerberos' +- * functions to work at all - gd */ +- ++ /* ++ * Priority order for krb5 credential cache name ++ * ++ * via cli_credentials_get_out_ccache_name() : ++ * ++ * 1. '--use-krb5-ccache' option ++ * ++ * via krb5_cc_default_name() : ++ * ++ * 2. KRB5CCNAME environment variable ++ * 3. default_ccache_name in [libdefaults] section of krb5.conf ++ * 4. ...more - krb5_cc_default_name() always returns something ++ * - see documentation ++ */ + krb5ccname = cli_credentials_get_out_ccache_name(c->creds); + if (krb5ccname == NULL || krb5ccname[0] == '\0') { +- krb5ccname = getenv("KRB5CCNAME"); +- } +- if (krb5ccname == NULL || krb5ccname[0] == '\0') { +- krb5ccname = talloc_strdup(c, "MEMORY:net"); ++ krb5_context ct = NULL; ++ krb5_error_code ret = smb_krb5_init_context_common(&ct); ++ ++ if (ret == 0) { ++ krb5ccname = smb_force_krb5_cc_default_name(ct); ++ if (krb5ccname != NULL) { ++ krb5ccname = talloc_strdup(c, ++ krb5ccname); ++ } ++ krb5_free_context(ct); ++ } + } + if (krb5ccname == NULL) { + DBG_ERR("Not able to setup krb5 ccache"); +-- +2.53.0 + + +From 0ca830d6ddded29b2b5d1969ebcbc4df1156656e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 5 Feb 2026 16:04:25 +0100 +Subject: [PATCH 09/33] manpages: Update NET ADS KERBEROS KINIT manpage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Pavel Filipensky +Autobuild-Date(master): Thu Feb 5 21:11:13 UTC 2026 on atb-devel-224 + +(cherry picked from commit 9d083a28fe45afd8f82441c6e24255e4c64c113b) +--- + docs-xml/manpages/net.8.xml | 36 ++++++++++++++++++++++++++++-------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 737415b3722..b793361a27f 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -1823,17 +1823,37 @@ the following entry types; + ADS KERBEROS KINIT + + +- Issue a kinit request for a given user. When no other options are +- defined the ticket granting ticket (TGT) will be stored in a memory cache. ++ Issue a kinit request for a given user. The following methods can be used ++ to specify where to store the ticket granting ticket (TGT) (in order of ++ precedence): + + +- +- To store the TGT in a different location either use the +- option or set the +- KRB5CCNAME environment variable. +- ++ ++ ++ option ++ ++ ++ KRB5CCNAME environment variable ++ ++ ++ default_ccache_name setting in krb5.conf ++ ++ + +-Example: net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache ++Examples: ++ ++Use file based cache (FILE:/tmp/krb5cache) ++ ++net ads kerberos kinit -P --use-krb5-ccache=/tmp/krb5cache ++ ++ ++ ++Use memory cache (MEMORY:net) to verify the authentication ++ ++net ads kerberos kinit -P --use-krb5-ccache=MEMORY:net ++ ++ ++ + + + +-- +2.53.0 + + +From 44b613d80c6a3818cc6ca593d57d51cd1bc00aa5 Mon Sep 17 00:00:00 2001 +From: Noel Power +Date: Fri, 13 Feb 2026 11:54:46 +0000 +Subject: [PATCH 10/33] selftest: Update tests to use + --use-kereros=desired|required no creds + +Add tests to call smbclient without passing credentials to +demonstrate failure with --use-kereros=desired + +Also add knownfail + +Signed-off-by: Noel Power +Reviewed-by: Andreas Schneider +(cherry picked from commit a22af9420965083b99b956477d1833000b7f2414) +--- + selftest/knownfail | 2 ++ + source3/script/tests/test_smbclient_kerberos.sh | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/selftest/knownfail b/selftest/knownfail +index ab2d79d7114..f0a5f7bb935 100644 +--- a/selftest/knownfail ++++ b/selftest/knownfail +@@ -315,6 +315,8 @@ + # ad_member don't support ntlmv1 (not even over SMB1) + ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member + ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member ++# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789 ++samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).* + #nt-vfs server blocks read with execute access + ^samba4.smb2.read.access + #ntvfs server blocks copychunk with execute access on read handle +diff --git a/source3/script/tests/test_smbclient_kerberos.sh b/source3/script/tests/test_smbclient_kerberos.sh +index 31678d17e28..1139efd70d7 100755 +--- a/source3/script/tests/test_smbclient_kerberos.sh ++++ b/source3/script/tests/test_smbclient_kerberos.sh +@@ -73,6 +73,18 @@ test_smbclient "smbclient.smb3.kerberos.desired[//${SERVER}/tmp]" \ + --use-kerberos=desired -U${USERNAME}%${PASSWORD} -mSMB3 || + failed=$(expr $failed + 1) + ++test_smbclient "smbclient.smb3.kerberos.desired (no user/pass) [//${SERVER}/tmp]" \ ++ "ls; quit" //${SERVER}/tmp \ ++ --use-kerberos=desired -mSMB3 || ++ failed=$(expr $failed + 1) ++ ++test_smbclient "smbclient.smb3.kerberos.required (no user/pass) [//${SERVER}/tmp]" \ ++ "ls; quit" //${SERVER}/tmp \ ++ --use-kerberos=required -mSMB3 || ++ failed=$(expr $failed + 1) ++ ++ ++ + $samba_kdestroy + + rm -rf $KRB5CCNAME_PATH +-- +2.53.0 + + +From 65f70c0505759489a8b219e1297f8cdee2cc260a Mon Sep 17 00:00:00 2001 +From: Noel Power +Date: Mon, 19 Jan 2026 15:46:59 +0000 +Subject: [PATCH 11/33] auth/credentials: Fix regression with + --use-kerberos=desired for smbclient + +As part of the gse_krb5 processing the following call chain + +gensec_gse_client_start() + ---> gensec_kerberos_possible() + ---> cli_credentials_authentication_requested() + +gensec_kerberos_possible() will always fail when +cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED + +It seems since use kerberos == desired is the default that it isn't +necessary to see if credentials were modified to indicated authentication +was requested. gensec_kerberos_possible() should afaics return true +if kerberos is desired OR required (regardless of whether credentials +were requested) + +This commit removes the knownfail associated with this bug. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 +Signed-off-by: +Reviewed-by: Andreas Schneider +(cherry picked from commit 88f42eb222f299189d5f5f8204ae353e63a50970) +--- + auth/gensec/gensec_util.c | 5 ----- + selftest/knownfail | 2 -- + 2 files changed, 7 deletions(-) + +diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c +index 0c7688d33d2..af6d198d48f 100644 +--- a/auth/gensec/gensec_util.c ++++ b/auth/gensec/gensec_util.c +@@ -362,7 +362,6 @@ char *gensec_get_unparsed_target_principal(struct gensec_security *gensec_securi + NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security) + { + struct cli_credentials *creds = gensec_get_credentials(gensec_security); +- bool auth_requested = cli_credentials_authentication_requested(creds); + enum credentials_use_kerberos krb5_state = + cli_credentials_get_kerberos_state(creds); + char *user_principal = NULL; +@@ -370,10 +369,6 @@ NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security) + const char *target_principal = gensec_get_target_principal(gensec_security); + const char *hostname = gensec_get_target_hostname(gensec_security); + +- if (!auth_requested) { +- return NT_STATUS_INVALID_PARAMETER; +- } +- + if (krb5_state == CRED_USE_KERBEROS_DISABLED) { + return NT_STATUS_INVALID_PARAMETER; + } +diff --git a/selftest/knownfail b/selftest/knownfail +index f0a5f7bb935..ab2d79d7114 100644 +--- a/selftest/knownfail ++++ b/selftest/knownfail +@@ -315,8 +315,6 @@ + # ad_member don't support ntlmv1 (not even over SMB1) + ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member + ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member +-# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789 +-samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).* + #nt-vfs server blocks read with execute access + ^samba4.smb2.read.access + #ntvfs server blocks copychunk with execute access on read handle +-- +2.53.0 + + +From 8c955cad98b197936fceaf98306047e1f929ddfe Mon Sep 17 00:00:00 2001 +From: Noel Power +Date: Mon, 19 Jan 2026 16:10:10 +0000 +Subject: [PATCH 12/33] s3/libsmb: cli_session_creds_init fails when kerberos + is desired + +There is a regression with code using cli_session_creds_init when +cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED + +Authentication succeeds when boolean fallback_after_kerberos is false +and fails when true. +There doesn't seem to be a good reason why the value of +fallback_after_kerberos should initialise the krb5 ccache or not. +It would seems that krb5 cache should be setup for creds +for *any* kerberos auth (whether fallback is enabled or not) + +Partial patch from (see bug referenced below) +Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 +Signed-off-by: Noel Power +Reviewed-by: Andreas Schneider +(cherry picked from commit 1c48599105736499d18aa1f647bce9e1f8dbdcca) +--- + source3/libsmb/cliconnect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c +index 116f746d37e..3fd423d8e5f 100644 +--- a/source3/libsmb/cliconnect.c ++++ b/source3/libsmb/cliconnect.c +@@ -218,7 +218,7 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx, + goto fail; + } + } +- } else if (use_kerberos && !fallback_after_kerberos) { ++ } else if (use_kerberos) { + const char *error_string = NULL; + int rc; + +-- +2.53.0 + + +From 015167aea7ece2bb683f86aa4b8c688d7a83267d Mon Sep 17 00:00:00 2001 +From: Noel Power +Date: Mon, 19 Jan 2026 16:18:02 +0000 +Subject: [PATCH 13/33] s3/libsmb: block anon authentication fallback is + use-kerberos = desired + +When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED +libsmbclient method SMBC_server_internal will still try to fallback to +anon NTLM. This patch prevents that. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 +Signed-off-by: Noel Power +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Noel Power +Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224 + +(cherry picked from commit bc868800276fe09cbcb206ebe4cb4da32af7599f) +--- + source3/libsmb/libsmb_server.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c +index f9b52e1f05a..8c7208aaee0 100644 +--- a/source3/libsmb/libsmb_server.c ++++ b/source3/libsmb/libsmb_server.c +@@ -632,6 +632,8 @@ SMBC_server_internal(TALLOC_CTX *ctx, + password_used = ""; + + if (smbc_getOptionNoAutoAnonymousLogin(context) || ++ cli_credentials_get_kerberos_state(creds) == ++ CRED_USE_KERBEROS_REQUIRED || + !NT_STATUS_IS_OK(cli_session_setup_anon(c))) { + + cli_shutdown(c); +-- +2.53.0 + + +From 3f66a4fbb46f614bf81533677944b1093439aaf8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Wed, 18 Mar 2026 20:24:37 +0100 +Subject: [PATCH 14/33] s3:libnet: Fix DC numeric ip handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is fixing regression introduced via 82f53c8 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +--- + source3/libnet/libnet_join.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 609b2b96222..66d682a5b95 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2643,7 +2643,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + struct sockaddr_storage ss = {0}; + const char *numeric_dcip = info->dc_address + 2; + +- if (numeric_dcip[0] == '\0') { ++ if (numeric_dcip[0] != '\0') { + if (!interpret_string_addr(&ss, numeric_dcip, + AI_NUMERICHOST)) { + DBG_ERR( +-- +2.53.0 + + +From 4725da7df3028d37d8bf34b3671c553b7337703b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 23 Mar 2026 19:03:34 +0100 +Subject: [PATCH 15/33] s3:libads: Allow to specify 'dns_lookup_kdc' in + krb5.conf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +--- + source3/libads/kerberos.c | 23 ++++++++++++++++------- + source3/libads/kerberos_proto.h | 33 +++++++++++++++++++++++++++++---- + 2 files changed, 45 insertions(+), 11 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 5593364c397..865c32d73ca 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -1362,10 +1362,12 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx) + } + #endif + +-bool create_local_private_krb5_conf_for_domain(const char *realm, +- const char *domain, +- const char *sitename, +- const struct sockaddr_storage *pss) ++bool create_local_private_krb5_conf_for_domain_internal( ++ const char *realm, ++ const char *domain, ++ const char *sitename, ++ const struct sockaddr_storage *pss, ++ bool dns_lookup_kdc) + { + char *dname; + char *tmpname = NULL; +@@ -1450,10 +1452,16 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + #endif + + /* +- * We are setting 'dns_lookup_kdc' to true, because we want to lookup +- * KDCs which are not configured via DNS SRV records, eg. if we do: ++ * Normally 'dns_lookup_kdc' should be set to true, because we want to ++ * also lookup KDCs via DNS SRV records, e.g. cross domain scenario: + * + * net ads join -Uadmin@otherdomain ++ * ++ * However, during domain join we need to set it to false when we ++ * reconnect using the freshly created machine account credentials. ++ * With dns_lookup_kdc = true, Kerberos may pick a different DC ++ * for the TCP retry (after UDP response is too large), and that DC ++ * might not have replicated the new machine account yet. + */ + file_contents = + talloc_asprintf(fname, +@@ -1467,7 +1475,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + "\tdefault_realm = %s\n" + "%s" + "\tdns_lookup_realm = false\n" +- "\tdns_lookup_kdc = true\n\n" ++ "\tdns_lookup_kdc = %s\n\n" + "[realms]\n\t%s = {\n" + "%s\t}\n" + "\t%s = {\n" +@@ -1476,6 +1484,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + timeout_sec, + realm_upper, + enctypes, ++ dns_lookup_kdc ? "true" : "false", + realm_upper, + kdc_ip_string, + domain, +diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h +index a96211c7289..fbeaeff92a9 100644 +--- a/source3/libads/kerberos_proto.h ++++ b/source3/libads/kerberos_proto.h +@@ -70,10 +70,35 @@ int ads_kdestroy(const char *cc_name); + int kerberos_kinit_password(const char *principal, + const char *password, + const char *cache_name); +-bool create_local_private_krb5_conf_for_domain(const char *realm, +- const char *domain, +- const char *sitename, +- const struct sockaddr_storage *pss); ++ ++bool create_local_private_krb5_conf_for_domain_internal( ++ const char *realm, ++ const char *domain, ++ const char *sitename, ++ const struct sockaddr_storage *pss, ++ bool dns_lookup_kdc); ++ ++/* Create krb5.conf that allows DC lookup using DNS. */ ++static inline bool create_local_private_krb5_conf_for_domain( ++ const char *realm, ++ const char *domain, ++ const char *sitename, ++ const struct sockaddr_storage *pss) ++{ ++ return create_local_private_krb5_conf_for_domain_internal( ++ realm, domain, sitename, pss, true); ++} ++ ++/* Create krb5.conf that disables DC lookup using DNS - needed during join. */ ++static inline bool create_local_private_krb5_conf_for_domain_join( ++ const char *realm, ++ const char *domain, ++ const char *sitename, ++ const struct sockaddr_storage *pss) ++{ ++ return create_local_private_krb5_conf_for_domain_internal( ++ realm, domain, sitename, pss, false); ++} + + /* The following definitions come from libads/authdata.c */ + +-- +2.53.0 + + +From 5e1fde5e03c3899b329bd38c36033c385f6fb5f0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 23 Mar 2026 19:05:31 +0100 +Subject: [PATCH 16/33] s3:libads: Set dns_lookup_kdc=false during net ads join +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Pavel Filipensky +Autobuild-Date(master): Tue Apr 7 14:09:40 UTC 2026 on atb-devel-224 +--- + source3/libnet/libnet_join.c | 60 +++++++++++++++++++++++++++++++++++- + 1 file changed, 59 insertions(+), 1 deletion(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 66d682a5b95..81bcb9793a6 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2881,6 +2881,10 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, + struct libnet_JoinCtx *r) + { + WERROR werr; ++#ifdef HAVE_ADS ++ struct sockaddr_storage dc_ss = {0}; ++ bool dns_lookup_kdc_disabled = false; ++#endif /* HAVE_ADS */ + + if (r->in.debug) { + LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r); +@@ -2904,6 +2908,49 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, + } + } + ++#ifdef HAVE_ADS ++ /* ++ * The machine account was just created on r->in.dc_name, ++ * but might not have replicated to other DCs yet. ++ * Regenerate the krb5.conf with dns_lookup_kdc = false ++ * so that the Kerberos library only talks to the DC ++ * where the account was created. This covers all ++ * subsequent machine-credential operations: ++ * - libnet_join_post_processing_ads_modify() (etype update) ++ * - libnet_join_post_verify() (domain membership verification) ++ */ ++ if (r->out.domain_is_ad && ++ !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && ++ !r->in.request_offline_join) ++ { ++ bool ok; ++ const char *ip = NULL; ++ ++ /* dcinfo might not be set for offline joins, however this ++ * check is redundant since we have a guard: ++ * !r->in.request_offline_join ++ */ ++ if (r->out.dcinfo) { ++ ip = r->out.dcinfo->dc_address + 2; /* Strip "\\" */ ++ } ++ ++ if (ip && ip[0] != '\0') { ++ ok = interpret_string_addr(&dc_ss, ip, AI_NUMERICHOST); ++ } else { ++ ok = interpret_string_addr(&dc_ss, r->in.dc_name, 0); ++ } ++ ++ if (ok) { ++ create_local_private_krb5_conf_for_domain_join( ++ r->out.dns_domain_name, ++ r->out.netbios_domain_name, ++ NULL, /* sitename */ ++ &dc_ss); ++ dns_lookup_kdc_disabled = true; ++ } ++ } ++#endif /* HAVE_ADS */ ++ + werr = libnet_join_post_processing(mem_ctx, r); + if (!W_ERROR_IS_OK(werr)) { + goto done; +@@ -2931,7 +2978,18 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, + } + } + +- done: ++done: ++#ifdef HAVE_ADS ++ if (dns_lookup_kdc_disabled) { ++ /* Restore dns_lookup_kdc = true for subsequent operations */ ++ create_local_private_krb5_conf_for_domain( ++ r->out.dns_domain_name, ++ r->out.netbios_domain_name, ++ NULL, /* sitename */ ++ &dc_ss); ++ } ++#endif /* HAVE_ADS */ ++ + r->out.result = werr; + + if (r->in.debug) { +-- +2.53.0 + + +From 42e48d3dd29027573f6e1c04f78f8d9cb91eb4ab Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Fri, 14 Feb 2025 17:07:14 +0100 +Subject: [PATCH 17/33] vfs: Add VFS_OPEN_HOW_RESOLVE_NO_XDEV flag + +It disallows traversal of mount points during path resolution, including bind +mounts. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/include/vfs.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source3/include/vfs.h b/source3/include/vfs.h +index e87a0d923e5..15e2186eab7 100644 +--- a/source3/include/vfs.h ++++ b/source3/include/vfs.h +@@ -926,6 +926,7 @@ struct vfs_aio_state { + + #define VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS 1 + #define VFS_OPEN_HOW_WITH_BACKUP_INTENT 2 ++#define VFS_OPEN_HOW_RESOLVE_NO_XDEV 4 + + struct vfs_open_how { + int flags; +-- +2.53.0 + + +From 5656562fd43507501aea62b7a43b1d3d5431b313 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Fri, 14 Feb 2025 17:13:39 +0100 +Subject: [PATCH 18/33] vfs: Use RESOLVE_NO_XDEV by default on all shares + +Enable the flag by default on all shares, it will be automatically +disabled if the system does not support openat2(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + script/autobuild.py | 2 +- + source3/modules/vfs_default.c | 11 +++++++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/script/autobuild.py b/script/autobuild.py +index 8acf6cdc854..97d44a07ee4 100755 +--- a/script/autobuild.py ++++ b/script/autobuild.py +@@ -338,7 +338,7 @@ tasks = { + "samba-no-opath-build": { + "git-clone-required": True, + "sequence": [ +- ("configure", "ADDITIONAL_CFLAGS='-DDISABLE_OPATH=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=1 -DDISABLE_PROC_FDS=1' ./configure.developer --without-ad-dc " + samba_configure_params), ++ ("configure", "ADDITIONAL_CFLAGS='-DDISABLE_OPATH=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_XDEV=1 -DDISABLE_PROC_FDS=1' ./configure.developer --without-ad-dc " + samba_configure_params), + ("make", "make -j"), + ("check-clean-tree", CLEAN_SOURCE_TREE_CMD), + ("chmod-R-a-w", "chmod -R a-w ."), +diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c +index 83c9cc06de8..d531f277199 100644 +--- a/source3/modules/vfs_default.c ++++ b/source3/modules/vfs_default.c +@@ -76,6 +76,17 @@ static int vfswrap_connect(vfs_handle_struct *handle, const char *service, const + #ifdef DISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS + handle->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS; + #endif ++ bval = lp_parm_bool(SNUM(handle->conn), ++ "vfs_default", ++ "VFS_OPEN_HOW_RESOLVE_NO_XDEV", ++ true); ++ if (bval) { ++ handle->conn->open_how_resolve |= ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV; ++ } ++#ifdef DISABLE_VFS_OPEN_HOW_RESOLVE_NO_XDEV ++ handle->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; ++#endif + + return 0; /* Return >= 0 for success */ + } +-- +2.53.0 + + +From 21ce7f160fb6f2bec613be36f2120002205bf84e Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 8 Oct 2025 10:54:55 +0200 +Subject: [PATCH 19/33] selftest/Samba3: nt4_dc* use + vfs_default:VFS_OPEN_HOW_RESOLVE_NO_XDEV=no + +From 076c22fbd7ecbf22dbfeb1711609f07fd42f88b0, we should always test the +code path without openat2 being available, even if the kernel supports it. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + selftest/target/Samba3.pm | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 6f17d659d96..3b990bcb349 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -304,6 +304,7 @@ sub setup_nt4_dc + server schannel require seal:torturetest\$ = no + + vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no ++ vfs_default:VFS_OPEN_HOW_RESOLVE_NO_XDEV = no + + fss: sequence timeout = 1 + check parent directory delete on close = yes +-- +2.53.0 + + +From 0f873b9e694c2db4c54bb480183583d04dde3bdd Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Fri, 14 Feb 2025 17:14:59 +0100 +Subject: [PATCH 20/33] vfs: Pass the RESOLVE_NO_XDEV from upper layers to + openat2() syscall + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/modules/vfs_default.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c +index d531f277199..f0270e96002 100644 +--- a/source3/modules/vfs_default.c ++++ b/source3/modules/vfs_default.c +@@ -630,7 +630,9 @@ static int vfswrap_openat(vfs_handle_struct *handle, + SMB_ASSERT((dirfd != -1) || (smb_fname->base_name[0] == '/')); + + if (how->resolve & ~(VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS | +- VFS_OPEN_HOW_WITH_BACKUP_INTENT)) { ++ VFS_OPEN_HOW_WITH_BACKUP_INTENT | ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) ++ { + errno = ENOSYS; + result = -1; + goto out; +@@ -663,12 +665,20 @@ static int vfswrap_openat(vfs_handle_struct *handle, + } + #endif + +- if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS) { ++ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS || ++ how->resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) ++ { + struct open_how linux_how = { + .flags = flags, + .mode = mode, +- .resolve = RESOLVE_NO_SYMLINKS, ++ .resolve = 0, + }; ++ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS) { ++ linux_how.resolve |= RESOLVE_NO_SYMLINKS; ++ } ++ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) { ++ linux_how.resolve |= RESOLVE_NO_XDEV; ++ } + + result = openat2(dirfd, + smb_fname->base_name, +@@ -681,10 +691,13 @@ static int vfswrap_openat(vfs_handle_struct *handle, + * openat2(), so indicate to + * the callers that + * VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS ++ * or VFS_OPEN_HOW_RESOLVE_NO_XDEV + * would just be a waste of time. + */ + fsp->conn->open_how_resolve &= + ~VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS; ++ fsp->conn->open_how_resolve &= ++ ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; + } + goto out; + } +-- +2.53.0 + + +From ff04fbf4e754c6eca9ea87a13d91bb84613ff9f9 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 8 Oct 2025 13:18:44 +0200 +Subject: [PATCH 21/33] smbd: Refactor reopen_from_fsp(), factor out name based + reopen + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/smbd/open.c | 55 +++++++++++++++++++++++++++++++-------------- + 1 file changed, 38 insertions(+), 17 deletions(-) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index f2cbf7d6bf6..8443ddd32d3 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -847,6 +847,33 @@ static NTSTATUS fd_open_atomic(struct files_struct *dirfsp, + return status; + } + ++/* ++ * Close the existing pathref fd and set the fsp flag ++ * is_pathref to false so we get a "normal" fd this time. ++ */ ++static NTSTATUS reopen_from_fsp_namebased(struct files_struct *dirfsp, ++ struct smb_filename *smb_fname, ++ struct files_struct *fsp, ++ const struct vfs_open_how *how, ++ bool *p_file_created) ++{ ++ NTSTATUS status; ++ ++ status = fd_close(fsp); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ fsp->fsp_flags.is_pathref = false; ++ ++ status = fd_open_atomic(dirfsp, ++ smb_fname, ++ fsp, ++ how, ++ p_file_created); ++ return status; ++} ++ + NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, + struct smb_filename *smb_fname, + struct files_struct *fsp, +@@ -896,7 +923,12 @@ NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, + * point we get ENOENT. We + * have to retry pathbased. + */ +- goto namebased_open; ++ return reopen_from_fsp_namebased(dirfsp, ++ smb_fname, ++ fsp, ++ how, ++ p_file_created); ++ + } + /* restore ENOENT if changed in the meantime */ + errno = ENOENT; +@@ -916,22 +948,11 @@ NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, + return NT_STATUS_OK; + } + +-#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) +-namebased_open: +-#endif +- /* +- * Close the existing pathref fd and set the fsp flag +- * is_pathref to false so we get a "normal" fd this time. +- */ +- status = fd_close(fsp); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } +- +- fsp->fsp_flags.is_pathref = false; +- +- status = fd_open_atomic(dirfsp, smb_fname, fsp, how, p_file_created); +- return status; ++ return reopen_from_fsp_namebased(dirfsp, ++ smb_fname, ++ fsp, ++ how, ++ p_file_created); + } + + /**************************************************************************** +-- +2.53.0 + + +From 1f869b2d814930c4c97a9fff461a3ec2327f4503 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 8 Oct 2025 13:53:14 +0200 +Subject: [PATCH 22/33] smbd: Refactor reopen_from_fsp(), factor out + automounter mountpoint check + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/smbd/open.c | 66 +++++++++++++++++++++++++++------------------ + 1 file changed, 40 insertions(+), 26 deletions(-) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index 8443ddd32d3..67bb9774429 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -874,6 +874,30 @@ static NTSTATUS reopen_from_fsp_namebased(struct files_struct *dirfsp, + return status; + } + ++static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd) ++{ ++#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) ++ struct statfs sbuf = {}; ++ int ret; ++ ++ if (!S_ISDIR(fsp->fsp_name->st.st_ex_mode)) { ++ return false; ++ } ++ ++ ret = fstatfs(old_fd, &sbuf); ++ if (ret == -1) { ++ DBG_ERR("fstatfs failed: %s\n", strerror(errno)); ++ return false; ++ } ++ if (sbuf.f_type == AUTOFS_SUPER_MAGIC) { ++ return true; ++ } ++ return false; ++#else ++ return false; ++#endif ++} ++ + NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, + struct smb_filename *smb_fname, + struct files_struct *fsp, +@@ -908,33 +932,23 @@ NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, + fsp, + how); + if (new_fd == -1) { +-#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) +- if (S_ISDIR(fsp->fsp_name->st.st_ex_mode) && +- (errno == ENOENT)) { +- struct statfs sbuf = {}; +- int ret = fstatfs(old_fd, &sbuf); +- if (ret == -1) { +- DBG_ERR("fstatfs failed: %s\n", +- strerror(errno)); +- } else if (sbuf.f_type == AUTOFS_SUPER_MAGIC) { +- /* +- * When reopening an as-yet +- * unmounted autofs mount +- * point we get ENOENT. We +- * have to retry pathbased. +- */ +- return reopen_from_fsp_namebased(dirfsp, +- smb_fname, +- fsp, +- how, +- p_file_created); +- +- } +- /* restore ENOENT if changed in the meantime */ +- errno = ENOENT; ++ int saved_errno = errno; ++ if (saved_errno == ENOENT && ++ fsp_is_automount_mountpoint(fsp, old_fd)) ++ { ++ /* ++ * When reopening an as-yet unmounted autofs ++ * mount point we get ENOENT. We have to retry ++ * pathbased. ++ */ ++ return reopen_from_fsp_namebased(dirfsp, ++ smb_fname, ++ fsp, ++ how, ++ p_file_created); + } +-#endif +- status = map_nt_error_from_unix(errno); ++ ++ status = map_nt_error_from_unix(saved_errno); + fd_close(fsp); + return status; + } +-- +2.53.0 + + +From d1f0323322b0c70998e901ad79aafcce795646a4 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 8 Oct 2025 14:17:27 +0200 +Subject: [PATCH 23/33] smbd: Refactor reopen_from_fsp(), factor out pathref + based + +Best viewed ignoring white space changes + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/smbd/open.c | 117 +++++++++++++++++++++++++------------------- + 1 file changed, 66 insertions(+), 51 deletions(-) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index 67bb9774429..69c78ff563c 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -898,68 +898,83 @@ static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd) + #endif + } + +-NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, +- struct smb_filename *smb_fname, +- struct files_struct *fsp, +- const struct vfs_open_how *how, +- bool *p_file_created) ++static NTSTATUS reopen_from_fsp_pathref_based( ++ struct files_struct *dirfsp, ++ struct smb_filename *smb_fname, ++ struct files_struct *fsp, ++ const struct vfs_open_how *how, ++ bool *p_file_created) + { + NTSTATUS status; +- int old_fd; ++ struct sys_proc_fd_path_buf buf; ++ int pathref_fd = fsp_get_pathref_fd(fsp); ++ struct smb_filename proc_fname = { ++ .base_name = sys_proc_fd_path(pathref_fd, &buf), ++ }; ++ mode_t mode = fsp->fsp_name->st.st_ex_mode; ++ int new_fd; + +- if (fsp->fsp_flags.have_proc_fds && +- ((old_fd = fsp_get_pathref_fd(fsp)) != -1)) { ++ if (S_ISLNK(mode)) { ++ return NT_STATUS_STOPPED_ON_SYMLINK; ++ } ++ if (!(S_ISREG(mode) || S_ISDIR(mode))) { ++ return NT_STATUS_IO_REPARSE_TAG_NOT_HANDLED; ++ } + +- struct sys_proc_fd_path_buf buf; +- struct smb_filename proc_fname = { +- .base_name = sys_proc_fd_path(old_fd, &buf), +- }; +- mode_t mode = fsp->fsp_name->st.st_ex_mode; +- int new_fd; ++ fsp->fsp_flags.is_pathref = false; + +- if (S_ISLNK(mode)) { +- return NT_STATUS_STOPPED_ON_SYMLINK; +- } +- if (!(S_ISREG(mode) || S_ISDIR(mode))) { +- return NT_STATUS_IO_REPARSE_TAG_NOT_HANDLED; ++ new_fd = SMB_VFS_OPENAT(fsp->conn, ++ fsp->conn->cwd_fsp, ++ &proc_fname, ++ fsp, ++ how); ++ if (new_fd == -1) { ++ int saved_errno = errno; ++ if (saved_errno == ENOENT && ++ fsp_is_automount_mountpoint(fsp, pathref_fd)) ++ { ++ /* ++ * When reopening an as-yet unmounted autofs ++ * mount point we get ENOENT. We have to retry ++ * pathbased. ++ */ ++ return reopen_from_fsp_namebased(dirfsp, ++ smb_fname, ++ fsp, ++ how, ++ p_file_created); + } + +- fsp->fsp_flags.is_pathref = false; ++ status = map_nt_error_from_unix(saved_errno); ++ fd_close(fsp); ++ return status; ++ } + +- new_fd = SMB_VFS_OPENAT(fsp->conn, +- fsp->conn->cwd_fsp, +- &proc_fname, +- fsp, +- how); +- if (new_fd == -1) { +- int saved_errno = errno; +- if (saved_errno == ENOENT && +- fsp_is_automount_mountpoint(fsp, old_fd)) +- { +- /* +- * When reopening an as-yet unmounted autofs +- * mount point we get ENOENT. We have to retry +- * pathbased. +- */ +- return reopen_from_fsp_namebased(dirfsp, +- smb_fname, +- fsp, +- how, +- p_file_created); +- } ++ status = fd_close(fsp); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } + +- status = map_nt_error_from_unix(saved_errno); +- fd_close(fsp); +- return status; +- } ++ fsp_set_fd(fsp, new_fd); ++ return NT_STATUS_OK; ++} + +- status = fd_close(fsp); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } ++NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, ++ struct smb_filename *smb_fname, ++ struct files_struct *fsp, ++ const struct vfs_open_how *how, ++ bool *p_file_created) ++{ ++ int old_fd; + +- fsp_set_fd(fsp, new_fd); +- return NT_STATUS_OK; ++ if (fsp->fsp_flags.have_proc_fds && ++ ((old_fd = fsp_get_pathref_fd(fsp)) != -1)) ++ { ++ return reopen_from_fsp_pathref_based(dirfsp, ++ smb_fname, ++ fsp, ++ how, ++ p_file_created); + } + + return reopen_from_fsp_namebased(dirfsp, +-- +2.53.0 + + +From 55bddf76fe649ca7ba30f0645a199255f2698a70 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 8 Oct 2025 17:09:22 +0200 +Subject: [PATCH 24/33] smbd: Fix crossing direct automounter mount points + +The workaround implemented in commit ac7a16f9cc4bd97ef546d1b7b02605991000d0f9 +to trigger automounts does not work for direct automounts (either with +systemd-automount or autofs daemon). + +In direct automounts the mount point is a real directory instead of a "ghost" +directory so when turning the O_PATH handle into a real one through +/proc/self/fd/ openat() does not return ENOENT, it returs a fd referring +to the mount point without triggering the mount. + +To trigger the mount first we have to know when we are crossing mount points +by using the RESOLVE_NO_XDEV flag in open_how.resolve, then we can check with +fstatfs() the .f_type and fallback to a path-based open for automounts or +retry without RESOLVE_NO_XDEV otherwise. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/smbd/open.c | 71 ++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 67 insertions(+), 4 deletions(-) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index 69c78ff563c..ea400c41aa8 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -913,6 +913,7 @@ static NTSTATUS reopen_from_fsp_pathref_based( + }; + mode_t mode = fsp->fsp_name->st.st_ex_mode; + int new_fd; ++ struct vfs_open_how pathref_how = *how; + + if (S_ISLNK(mode)) { + return NT_STATUS_STOPPED_ON_SYMLINK; +@@ -923,26 +924,88 @@ static NTSTATUS reopen_from_fsp_pathref_based( + + fsp->fsp_flags.is_pathref = false; + ++#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) ++ /* ++ * There is no point in setting RESOLVE_NO_XDEV if we can't ++ * check with fstatfs later in fsp_is_automount_mountpoint ++ */ ++ if (S_ISDIR(fsp->fsp_name->st.st_ex_mode) && ++ fsp->conn->open_how_resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) { ++ /* ++ * If the *at cwd_fsp is a pathref (opened with O_PATH) ++ * and old_fd refers to an automounter mount point not ++ * yet mounted, we will get a fd referring to the ++ * mount point without actually triggering the mount ++ * (man 2 openat). To detect this situation set the ++ * RESOLVE_NO_XDEV flag so openat2 will return an ++ * error when crossing mount points. Then check ++ * with fstatfs if it is an autofs mount point or not, ++ * falling back to name-based openat or retry without ++ * RESOLVE_NO_XDEV otherwise (could be a bind mount, ++ * other type of mount of an automounter mount point ++ * already mounted). ++ */ ++ pathref_how.resolve |= VFS_OPEN_HOW_RESOLVE_NO_XDEV; ++ } ++#endif ++ ++retry: + new_fd = SMB_VFS_OPENAT(fsp->conn, + fsp->conn->cwd_fsp, + &proc_fname, + fsp, +- how); ++ &pathref_how); + if (new_fd == -1) { + int saved_errno = errno; + if (saved_errno == ENOENT && + fsp_is_automount_mountpoint(fsp, pathref_fd)) + { + /* +- * When reopening an as-yet unmounted autofs +- * mount point we get ENOENT. We have to retry +- * pathbased. ++ * This is a not yet triggered indirect automount ++ * detected by openat(pathref_fd). Retry name-based. + */ + return reopen_from_fsp_namebased(dirfsp, + smb_fname, + fsp, + how, + p_file_created); ++ } else if (saved_errno == EXDEV && ++ pathref_how.resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV && ++ fsp_is_automount_mountpoint(fsp, pathref_fd)) ++ { ++ /* ++ * This is a not yet triggered direct or indirect ++ * automount, detected by ++ * openat2(pathref_fd, .., RESOLVE_NO_XDEV). ++ * Retry name-based. ++ */ ++ return reopen_from_fsp_namebased(dirfsp, ++ smb_fname, ++ fsp, ++ how, ++ p_file_created); ++ } else if (saved_errno == ENOSYS && ++ pathref_how.resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) ++ { ++ /* ++ * The kernel doesn't support openat2() yet, or any ++ * VFS module rejected the flag. Notify to the user ++ * and retry without RESOLVE_NO_XDEV. ++ */ ++ DBG_WARNING("Failed to open directory disallowing the " ++ "traversal of mount points during path " ++ "resolution. Retrying allowing traversal, " ++ "but automounts won't be triggered.\n"); ++ pathref_how.resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; ++ goto retry; ++ } else if (saved_errno == EXDEV && ++ pathref_how.resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) ++ { ++ /* ++ * Just crossing a mount. Retry allowing traversals. ++ */ ++ pathref_how.resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; ++ goto retry; + } + + status = map_nt_error_from_unix(saved_errno); +-- +2.53.0 + + +From 4872b32c28d540618462ee186e91716c9ee3807c Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Fri, 2 May 2025 11:57:30 +0200 +Subject: [PATCH 25/33] vfs:aio_pthread: Handle VFS_OPEN_HOW_RESOLVE_NO_XDEV + flag + +This module uses openat() instead of openat2() so the flag won't be used and +automounts might not be triggered. + +Disable flag usage for subsequent opens and return an error to callers to warn +the user and retry without the flag. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/modules/vfs_aio_pthread.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c +index bd0c94b8cce..afbaaedf7b5 100644 +--- a/source3/modules/vfs_aio_pthread.c ++++ b/source3/modules/vfs_aio_pthread.c +@@ -457,7 +457,9 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle, + bool aio_allow_open = lp_parm_bool( + SNUM(handle->conn), "aio_pthread", "aio open", false); + +- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { ++ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) ++ { + errno = ENOSYS; + return -1; + } +@@ -498,6 +500,16 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle, + aio_allow_open = false; + } + ++ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) { ++ /* ++ * RESOLVE_NO_XDEV needs openat2(). Disallow further usage of ++ * this flag and return ENOSYS to force a retry. ++ */ ++ fsp->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV; ++ errno = ENOSYS; ++ return -1; ++ } ++ + if (!aio_allow_open) { + /* aio opens turned off. */ + return SMB_VFS_NEXT_OPENAT(handle, +-- +2.53.0 + + +From e11fa05e10b1a5fadd7c73c87dcb68b048c73878 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Fri, 2 May 2025 12:11:01 +0200 +Subject: [PATCH 26/33] vfs:ceph: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV flag + +Don't return ENOSYS if the flag is set. It will be ignored, +does not make sense in a ceph virtual filesystem. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/modules/vfs_ceph.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c +index 8ea7eb09099..4add6cf993e 100644 +--- a/source3/modules/vfs_ceph.c ++++ b/source3/modules/vfs_ceph.c +@@ -472,7 +472,9 @@ static int cephwrap_openat(struct vfs_handle_struct *handle, + int result = -ENOENT; + int dirfd = -1; + +- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { ++ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) ++ { + errno = ENOSYS; + return -1; + } +-- +2.53.0 + + +From 4cd5f6c4c39ac172e3e3e9e2c11fa9be06f2ed38 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 30 Sep 2025 10:32:36 +0200 +Subject: [PATCH 27/33] vfs:ceph_new: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV flag + +Don't return ENOSYS if the flag is set. It will be ignored, +does not make sense in a ceph filesystem. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/modules/vfs_ceph_new.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/modules/vfs_ceph_new.c b/source3/modules/vfs_ceph_new.c +index 6ea8e56c155..37cff6fe051 100644 +--- a/source3/modules/vfs_ceph_new.c ++++ b/source3/modules/vfs_ceph_new.c +@@ -2325,7 +2325,9 @@ static int vfs_ceph_openat(struct vfs_handle_struct *handle, + int result = -ENOENT; + + START_PROFILE_X(SNUM(handle->conn), syscall_openat); +- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { ++ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) ++ { + result = -ENOSYS; + goto err_out; + } +-- +2.53.0 + + +From 8f4ad32afca03b564d00a5a6795d4b4a50ae8c66 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 9 Oct 2025 12:30:17 +0200 +Subject: [PATCH 28/33] vfs:glusterfs: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV + +Don't return ENOSYS if the flag is set. It will be ignored as does not make +sense in this module. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/modules/vfs_glusterfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c +index 63dc7a30b04..4d7d96f2888 100644 +--- a/source3/modules/vfs_glusterfs.c ++++ b/source3/modules/vfs_glusterfs.c +@@ -731,7 +731,9 @@ static int vfs_gluster_openat(struct vfs_handle_struct *handle, + + START_PROFILE(syscall_openat); + +- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { ++ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) ++ { + END_PROFILE(syscall_openat); + errno = ENOSYS; + return -1; +-- +2.53.0 + + +From b41558ebe158f413d2cfa71478c3eeb5e1a201ec Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Fri, 2 May 2025 13:21:52 +0200 +Subject: [PATCH 29/33] vfs:shadow_copy2: Allow RESOLVE_NO_XDEV flag + +This module updates the path and calls the next VFS module. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/modules/vfs_shadow_copy2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c +index 449d08e8830..465a0f9d28e 100644 +--- a/source3/modules/vfs_shadow_copy2.c ++++ b/source3/modules/vfs_shadow_copy2.c +@@ -1563,7 +1563,9 @@ static int shadow_copy2_openat(vfs_handle_struct *handle, + int ret; + bool ok; + +- if ((how.resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { ++ if ((how.resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) ++ { + errno = ENOSYS; + return -1; + } +-- +2.53.0 + + +From 49ac956d858b455291edd1330a8d428209728ea0 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 9 Oct 2025 12:52:11 +0200 +Subject: [PATCH 30/33] vfs:streams_depot: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV + flag + +The flag is passed down the modules stack. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/modules/vfs_streams_depot.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c +index 19b9356fd57..bcf5acf79b4 100644 +--- a/source3/modules/vfs_streams_depot.c ++++ b/source3/modules/vfs_streams_depot.c +@@ -729,7 +729,9 @@ static int streams_depot_openat(struct vfs_handle_struct *handle, + handle, dirfsp, smb_fname, fsp, how); + } + +- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { ++ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) ++ { + errno = ENOSYS; + return -1; + } +-- +2.53.0 + + +From 7b875e245ec205ee083c5c4158933e0e42e8a064 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 9 Oct 2025 12:59:59 +0200 +Subject: [PATCH 31/33] vfs:fruit: Allow RESOLVE_NO_XDEV flag + +For stream opens, it returns a fake fd. The streams will be stored by +vfs_streams_depot or vfs_streams_xattr. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme +--- + source3/modules/vfs_fruit.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c +index 4da7c1efa07..812e3a351d2 100644 +--- a/source3/modules/vfs_fruit.c ++++ b/source3/modules/vfs_fruit.c +@@ -1787,7 +1787,9 @@ static int fruit_openat(vfs_handle_struct *handle, + return fd; + } + +- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { ++ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) ++ { + errno = ENOSYS; + return -1; + } +-- +2.53.0 + + +From 97fb984b6c5c5fe1c562cd23980ea8e110438577 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 9 Oct 2025 13:05:16 +0200 +Subject: [PATCH 32/33] vfs:streams_xattr: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV + +The open function returns a fake fd. Extended attributes will be stored by +vfs_xattr_tdb or vfs_default. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Samuel Cabrero +Autobuild-Date(master): Tue Nov 18 09:08:38 UTC 2025 on atb-devel-224 +--- + source3/modules/vfs_streams_xattr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c +index 58e5b1eb189..410cd793cd9 100644 +--- a/source3/modules/vfs_streams_xattr.c ++++ b/source3/modules/vfs_streams_xattr.c +@@ -416,7 +416,9 @@ static int streams_xattr_openat(struct vfs_handle_struct *handle, + how); + } + +- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) { ++ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT | ++ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0) ++ { + errno = ENOSYS; + return -1; + } +-- +2.53.0 + + +From 23aa86c38e049eb0f75bdd21d18c670abf2c6134 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 7 Apr 2026 16:28:05 +0200 +Subject: [PATCH 33/33] smbdotconf: Add "automount fs types" to smb.conf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This adds a new global parameter "automount fs types" that allows +administrators to configure additional filesystem types that should +trigger automounting, beyond the always-supported autofs filesystem. + +To enable 'samba unaware FS' automounting, add: + + automount fs types = 0x12345678 + +This allows e.g. ZFS snapshots in /.zfs/snapshot to be +mounted. To find out the magic number that is not listed +in /usr/include/linux/magic.h, run: + + stat -f -c '0x%t' /path/to/mountpoint + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15991 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Samuel Cabrero + +Autobuild-User(master): Pavel Filipensky +Autobuild-Date(master): Mon Apr 20 19:57:42 UTC 2026 on atb-devel-224 +--- + docs-xml/smbdotconf/misc/automountfstypes.xml | 24 ++++++++++++++ + source3/smbd/open.c | 31 +++++++++++++++++++ + 2 files changed, 55 insertions(+) + create mode 100644 docs-xml/smbdotconf/misc/automountfstypes.xml + +diff --git a/docs-xml/smbdotconf/misc/automountfstypes.xml b/docs-xml/smbdotconf/misc/automountfstypes.xml +new file mode 100644 +index 00000000000..4c5bc510520 +--- /dev/null ++++ b/docs-xml/smbdotconf/misc/automountfstypes.xml +@@ -0,0 +1,24 @@ ++ ++ ++ This parameter specifies a list of additional filesystem magic numbers ++ that should trigger automounting when accessed. ++ ++ The values should be specified as hexadecimal numbers (with or without ++ 0x prefix), separated by spaces or commas. ++ ++ Note: This parameter is only available on Linux systems. ++ ++ To find the filesystem magic number for a mounted filesystem, ++ consult /usr/include/linux/magic.h or call: ++ stat -f -c '0x%t' /path/to/mountpoint ++ ++ Note: autofs (0x187) is always checked and does not need to be included ++ in this list. ++ ++ ++ ++0xA0B0C0D0 0x12345678 ++ +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index ea400c41aa8..ae1ce208cba 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -42,6 +42,7 @@ + #include "locking/leases_db.h" + #include "librpc/gen_ndr/ndr_leases_db.h" + #include "lib/util/time_basic.h" ++#include "lib/util/smb_strtox.h" + #include "source3/smbd/dir.h" + + #if defined(HAVE_LINUX_MAGIC_H) +@@ -879,6 +880,8 @@ static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd) + #if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H) + struct statfs sbuf = {}; + int ret; ++ const char **fs_types_list = NULL; ++ int i; + + if (!S_ISDIR(fsp->fsp_name->st.st_ex_mode)) { + return false; +@@ -892,6 +895,34 @@ static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd) + if (sbuf.f_type == AUTOFS_SUPER_MAGIC) { + return true; + } ++ ++ /* Check for additional filesystem types from configuration */ ++ fs_types_list = lp_automount_fs_types(); ++ if (fs_types_list == NULL) { ++ return false; ++ } ++ ++ for (i = 0; fs_types_list[i] != NULL; i++) { ++ unsigned long long fs_type_val; ++ int error = 0; ++ ++ fs_type_val = smb_strtoull(fs_types_list[i], ++ NULL, ++ 0, ++ &error, ++ SMB_STR_FULL_STR_CONV); ++ if (error != 0) { ++ DBG_WARNING( ++ "Invalid value in 'automount fs types': %s\n", ++ fs_types_list[i]); ++ continue; ++ } ++ ++ if (sbuf.f_type == fs_type_val) { ++ return true; ++ } ++ } ++ + return false; + #else + return false; +-- +2.53.0 + diff --git a/samba-4.22.4.tar.asc b/samba-4.22.4.tar.asc deleted file mode 100644 index ba5e216..0000000 --- a/samba-4.22.4.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAminOhEACgkQqplEL7aA -tiDtRg//e/Jocf1iPjaEtiR2tGQSnqQPdaaRId8luFu0ykevvIiR+GL2IctJnvWZ -IYL/svmWAlLULgb+13S1Gs7CGYTievrh+OaEnuo+CmnGpNYUFO/yyymBW9eWFGA4 -bA6ilMjE2KgyCakvBT22mL9IFGZQsKQh46YXjs4hCKZdadx733/Znwj/kIkm0Wxl -S6gnxstroM5zUbA/Xw26KUOBTd0mTZXXKH14HSH1XX3RNgA0/FsZ+kde4Y+VUwP+ -t/LvuNqN2s/pyUeKd8eoiZv7zTwUT1gsvoBTWP8kzmubtBbxz4abJ9QCEb/HEdkv -iMh1RbRQZRKpmIo/NzAMRhxDyuVtzg69Egn19iLjnPfmrpqDZpxhi5csNumIFKsi -bFmT7/KTZfKvsg9h5SfHL3JeblYbEQNjIhDutdZ3yJ+JymAkaWjChHqY0wTwiZbX -pHing+t+c4SRx2064/jBFn48kdj1JweEaGSGdEEwa7zejMHLcl7vKheyGqSTWMYH -XiBtm1kN2gLrgazLFNXKTD9YectYPmRkiv6f1hUhqLfac2jkwIdWeT1LIPqJ2fMw -YrNk4UYYS4L7PZSXUJ3r88RGPWJvTa7WQrM556uxcspCr7W6TauMRe0hKquqOekH -0J4jD+hmfuEQ/LryC29rSLSNG0N99v2nWuAn78KxUk7FuZ9H4og= -=D+9R ------END PGP SIGNATURE----- diff --git a/samba-4.23.5.tar.asc b/samba-4.23.5.tar.asc new file mode 100644 index 0000000..cb3ee28 --- /dev/null +++ b/samba-4.23.5.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmlzV8sACgkQqplEL7aA +tiCrUxAAkEcyHkI48DZpwRd+0rP2IJC+6vpGj/RSGHdlyztw3R+49EOW9HURNqsl +8FHHUairod5CzyXc2UfoZNHuo5s3YE2WOuxSur2W8/FYPVllX9sOvNilaQsplvDX +8zMsQ4Ky5z57EeScDFaGl/NPypLcJ5i2hrBHRrn4Gsa5koKs9M+BlO1/xH8TBFPG +hAAXaLFw8pkMFDEIIrRMdOGAUeNaBq3dVkfzPAgd6FYAAUjuP/3O2gM87zLPgbf1 +5Deg+HYNLhKaAUNJPs3OuiLZTN3FpRAif/DKJCL16kbNxygN71OXI1vf20BooNpj +qTx3xseHraHkTy3HElru5CTlW+jYPLd7UqHcH0g+wRp/xlwH5vR7vc+wZpyFmOfm +OThXsVzZKzwQo9Ce+N9vs0FgSR0BLXvHHIs77XV0BdC3G/tE+iOPsp1GFbmhC5Dn +F/hqFmbKBBNiqv2v1s3mT1rX8DNeUaHA44coJJnr8vc9fMtrqkDuBiAOtzknm+j+ +IW3NLWsvl2y94anc9Aq6Ffanc1qSwVvdFNb/d1dZjR7sLP19UdJAFZTiJ/V2yQET +++AX9DKBtIO0KguJowEROrRu+inOT/Rs4PLwxxbtEVxqmqH7An+nO0FzV+xSjI/1 +l+zLG3njDFDSDS/cXvrnzvFAWqs/5pKmlhcDzAicnuUgIzsKd08= +=qxcw +-----END PGP SIGNATURE----- diff --git a/samba.spec b/samba.spec index f2438f1..4a58332 100644 --- a/samba.spec +++ b/samba.spec @@ -2,7 +2,7 @@ ## (rpmautospec version 0.6.5) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 22; + release_number = 8; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} @@ -117,13 +117,20 @@ %bcond etcd_mutex 0 %endif +# Build the prometheus exporter by default on Fedora +%if 0%{?fedora} +%bcond prometheus 1 +%else +%bcond prometheus 0 +%endif + %ifarch aarch64 ppc64le s390x x86_64 riscv64 %bcond lmdb 1 %else %bcond lmdb 0 %endif -%global samba_version 4.22.4 +%global samba_version 4.23.5 # The release field is extended: # [.][.]%%{?dist}[.] @@ -169,8 +176,8 @@ %global libwbclient_so_version 0 %global talloc_version 2.4.3 -%global tdb_version 1.4.13 -%global tevent_version 0.16.2 +%global tdb_version 1.4.14 +%global tevent_version 0.17.1 %global required_mit_krb5 1.20.1 @@ -229,11 +236,11 @@ Source202: samba.abignore # # git clone git@gitlab.com:samba-redhat/samba.git # cd samba -# git checkout v4-22-redhat -# git format-patch --stdout -l1 --no-renames -N > redhat-4.22.patch +# git checkout v4-23-redhat +# git format-patch --stdout -l1 --no-renames -N > redhat-4.23.patch # where N is number of commits -Patch0: redhat-4.22.patch +Patch0: redhat-4.23.patch Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} @@ -334,6 +341,11 @@ BuildRequires: xz BuildRequires: zlib-devel >= 1.2.3 BuildRequires: pkgconfig(libsystemd) +# TODO FIXME This is not in RHEL yet +%if 0%{?fedora} >= 43 +BuildRequires: pkgconfig(libngtcp2) +BuildRequires: pkgconfig(libngtcp2_crypto_gnutls) +%endif %ifnarch i686 %if 0%{?fedora} >= 37 @@ -363,6 +375,9 @@ BuildRequires: librados-devel %if %{with etcd_mutex} BuildRequires: python3-etcd %endif +%if %{with prometheus} +BuildRequires: libevent-devel +%endif BuildRequires: cepces-certmonger >= 0.3.8 @@ -1224,6 +1239,18 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB #endif with clustering %endif +%if %{with prometheus} + +%package prometheus +Summary: SMB Prometheus exporter +Requires: samba = %{samba_depver} + +%description prometheus +Support for exporting metrics via Prometheus + +#endif with prometheus +%endif + ### LIBLDB %package -n libldb Summary: A schema-less, ldap like, API and database @@ -1374,6 +1401,8 @@ if [ -n "${CCACHE}" ]; then fi %endif +# workaround https://gitlab.com/ita1024/waf/-/issues/2472 +export PYTHONARCHDIR=%{python3_sitearch} %configure \ --enable-fhs \ --with-piddir=/run \ @@ -1413,6 +1442,9 @@ fi %endif %if %{with etcd_mutex} --enable-etcd-reclock \ +%endif +%if %{with prometheus} + --with-prometheus-exporter \ %endif --with-profiling-data \ --with-systemd \ @@ -2012,22 +2044,27 @@ fi %{_libdir}/samba/libndr-samba4-private-samba.so %{_libdir}/samba/libnet-keytab-private-samba.so %{_libdir}/samba/libnetif-private-samba.so +%if 0%{?rhel} +%{_libdir}/samba/libngtcp2-crypto-gnutls-private-samba.so +%{_libdir}/samba/libngtcp2-private-samba.so +%endif %{_libdir}/samba/libnpa-tstream-private-samba.so %{_libdir}/samba/libposix-eadb-private-samba.so %{_libdir}/samba/libprinter-driver-private-samba.so %{_libdir}/samba/libprinting-migrate-private-samba.so +%{_libdir}/samba/libquic-private-samba.so %{_libdir}/samba/libregistry-private-samba.so %{_libdir}/samba/libsamba-cluster-support-private-samba.so %{_libdir}/samba/libsamba-debug-private-samba.so %{_libdir}/samba/libsamba-modules-private-samba.so %{_libdir}/samba/libsamba-security-private-samba.so +%{_libdir}/samba/libsamba-security-trusts-private-samba.so %{_libdir}/samba/libsamba-sockets-private-samba.so %{_libdir}/samba/libsamba3-util-private-samba.so %{_libdir}/samba/libsamdb-common-private-samba.so %{_libdir}/samba/libsecrets3-private-samba.so %{_libdir}/samba/libserver-id-db-private-samba.so %{_libdir}/samba/libserver-role-private-samba.so -%{_libdir}/samba/libsmb-transport-private-samba.so %{_libdir}/samba/libsmbclient-raw-private-samba.so %{_libdir}/samba/libsmbd-base-private-samba.so %{_libdir}/samba/libsmbd-shim-private-samba.so @@ -2123,6 +2160,7 @@ fi %{_mandir}/man8/net.8* %{_mandir}/man8/pdbedit.8* %{_mandir}/man8/smbpasswd.8* +%{_datadir}/locale/*/LC_MESSAGES/net.mo ### TOOLS %files tools @@ -2200,6 +2238,7 @@ fi %{_libdir}/samba/ldb/subtree_delete.so %{_libdir}/samba/ldb/subtree_rename.so %{_libdir}/samba/ldb/tombstone_reanimate.so +%{_libdir}/samba/ldb/trust_notify.so %{_libdir}/samba/ldb/unique_object_sids.so %{_libdir}/samba/ldb/update_keytab.so %{_libdir}/samba/ldb/vlv.so @@ -2245,6 +2284,7 @@ fi %{_libdir}/samba/service/dns.so %{_libdir}/samba/service/dns_update.so %{_libdir}/samba/service/drepl.so +%{_libdir}/samba/service/ft_scanner.so %{_libdir}/samba/service/kcc.so %{_libdir}/samba/service/kdc.so %{_libdir}/samba/service/ldap.so @@ -2597,6 +2637,7 @@ fi %{python3_sitearch}/samba/dcerpc/atsvc.*.so %{python3_sitearch}/samba/dcerpc/auth.*.so %{python3_sitearch}/samba/dcerpc/base.*.so +%{python3_sitearch}/samba/dcerpc/bcrypt_rsakey_blob.*.so %{python3_sitearch}/samba/dcerpc/claims.*.so %{python3_sitearch}/samba/dcerpc/conditional_ace.*.so %{python3_sitearch}/samba/dcerpc/dcerpc.*.so @@ -2612,6 +2653,7 @@ fi %{python3_sitearch}/samba/dcerpc/idmap.*.so %{python3_sitearch}/samba/dcerpc/initshutdown.*.so %{python3_sitearch}/samba/dcerpc/irpc.*.so +%{python3_sitearch}/samba/dcerpc/keycredlink.*.so %{python3_sitearch}/samba/dcerpc/krb5ccache.*.so %{python3_sitearch}/samba/dcerpc/krb5pac.*.so %{python3_sitearch}/samba/dcerpc/lsa.*.so @@ -2633,6 +2675,7 @@ fi %{python3_sitearch}/samba/dcerpc/spoolss.*.so %{python3_sitearch}/samba/dcerpc/srvsvc.*.so %{python3_sitearch}/samba/dcerpc/svcctl.*.so +%{python3_sitearch}/samba/dcerpc/tpm20_rsakey_blob.*.so %{python3_sitearch}/samba/dcerpc/unixinfo.*.so %{python3_sitearch}/samba/dcerpc/winbind.*.so %{python3_sitearch}/samba/dcerpc/windows_event_ids.*.so @@ -3136,6 +3179,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/auth_log_netlogon_bad_creds.*.pyc %{python3_sitearch}/samba/tests/__pycache__/auth_log_samlogon.*.pyc %{python3_sitearch}/samba/tests/__pycache__/auth_log_winbind.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/bcrypt_rsakey_blob.*.pyc %{python3_sitearch}/samba/tests/__pycache__/common.*.pyc %{python3_sitearch}/samba/tests/__pycache__/complex_expressions.*.pyc %{python3_sitearch}/samba/tests/__pycache__/compression.*.pyc @@ -3177,6 +3221,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc %{python3_sitearch}/samba/tests/__pycache__/imports.*.pyc %{python3_sitearch}/samba/tests/__pycache__/join.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/key_credential_link.*.pyc %{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc @@ -3254,6 +3299,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc %{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc %{python3_sitearch}/samba/tests/__pycache__/token_factory.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/tpm20_rsakey_blob.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgradeprovision.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgradeprovisionneeddc.*.pyc @@ -3271,6 +3317,7 @@ fi %{python3_sitearch}/samba/tests/auth_log_pass_change.py %{python3_sitearch}/samba/tests/auth_log_samlogon.py %{python3_sitearch}/samba/tests/auth_log_winbind.py +%{python3_sitearch}/samba/tests/bcrypt_rsakey_blob.py %dir %{python3_sitearch}/samba/tests/blackbox %{python3_sitearch}/samba/tests/blackbox/__init__.py %dir %{python3_sitearch}/samba/tests/blackbox/__pycache__ @@ -3339,6 +3386,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/__pycache__/array.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/dfs.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc @@ -3359,6 +3407,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/array.py %{python3_sitearch}/samba/tests/dcerpc/bare.py %{python3_sitearch}/samba/tests/dcerpc/binding.py +%{python3_sitearch}/samba/tests/dcerpc/dfs.py %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py %{python3_sitearch}/samba/tests/dcerpc/integer.py %{python3_sitearch}/samba/tests/dcerpc/lsa.py @@ -3431,6 +3480,7 @@ fi %{python3_sitearch}/samba/tests/kcc/graph_utils.py %{python3_sitearch}/samba/tests/kcc/kcc_utils.py %{python3_sitearch}/samba/tests/kcc/ldif_import_export.py +%{python3_sitearch}/samba/tests/key_credential_link.py %dir %{python3_sitearch}/samba/tests/krb5 %dir %{python3_sitearch}/samba/tests/krb5/__pycache__ %{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc @@ -3546,6 +3596,12 @@ fi %{python3_sitearch}/samba/tests/net_join_no_spnego.py %{python3_sitearch}/samba/tests/net_join.py %{python3_sitearch}/samba/tests/netlogonsvc.py +%dir %{python3_sitearch}/samba/tests/nss +%dir %{python3_sitearch}/samba/tests/nss/__pycache__ +%{python3_sitearch}/samba/tests/nss/__pycache__/base.*.pyc +%{python3_sitearch}/samba/tests/nss/__pycache__/group.*.pyc +%{python3_sitearch}/samba/tests/nss/base.py +%{python3_sitearch}/samba/tests/nss/group.py %{python3_sitearch}/samba/tests/ntacls.py %{python3_sitearch}/samba/tests/ntacls_backup.py %{python3_sitearch}/samba/tests/ntlmdisabled.py @@ -3706,10 +3762,21 @@ fi %{python3_sitearch}/samba/tests/subunitrun.py %{python3_sitearch}/samba/tests/tdb_util.py %{python3_sitearch}/samba/tests/token_factory.py +%{python3_sitearch}/samba/tests/tpm20_rsakey_blob.py %{python3_sitearch}/samba/tests/upgrade.py %{python3_sitearch}/samba/tests/upgradeprovision.py %{python3_sitearch}/samba/tests/upgradeprovisionneeddc.py %{python3_sitearch}/samba/tests/usage.py +%dir %{python3_sitearch}/samba/tests/varlink +%dir %{python3_sitearch}/samba/tests/varlink/__pycache__ +%{python3_sitearch}/samba/tests/varlink/__pycache__/base.*.pyc +%{python3_sitearch}/samba/tests/varlink/__pycache__/getgrouprecord.*.pyc +%{python3_sitearch}/samba/tests/varlink/__pycache__/getmemberships.*.pyc +%{python3_sitearch}/samba/tests/varlink/__pycache__/getuserrecord.*.pyc +%{python3_sitearch}/samba/tests/varlink/base.py +%{python3_sitearch}/samba/tests/varlink/getgrouprecord.py +%{python3_sitearch}/samba/tests/varlink/getmemberships.py +%{python3_sitearch}/samba/tests/varlink/getuserrecord.py %{python3_sitearch}/samba/tests/xattr.py ### TEST @@ -3778,6 +3845,7 @@ fi %config(noreplace) %{_sysconfdir}/security/pam_winbind.conf %{_mandir}/man5/pam_winbind.conf.5* %{_mandir}/man8/pam_winbind.8* +%{_datadir}/locale/*/LC_MESSAGES/pam_winbind.mo %if %{with clustering} %files -n ctdb @@ -3927,6 +3995,13 @@ fi %{_mandir}/man1/winexe.1.gz %endif +%if %{with prometheus} +%files prometheus +%{_bindir}/smb_prometheus_endpoint +%{_mandir}/man8/smb_prometheus_endpoint.8.gz +#endif with prometheus + +%endif %files -n libldb %license lib/ldb/LICENSE %{_libdir}/libldb.so.* @@ -3988,63 +4063,63 @@ fi %changelog ## START: Generated by rpmautospec -* Wed Apr 22 2026 Pavel Filipenský - 0:4.22.4-121 -- Fix samba automount triggering for more file systems -- resolves: RHEL-137447 - -* Wed Apr 22 2026 Pavel Filipenský - 0:4.22.4-120 +* Tue Apr 21 2026 Pavel Filipenský - 0:4.23.5-107 - Fix 'net ads join' AD replication race with multiple DCs -- resolves: RHEL-169667 +- resolves: RHEL-169668 -* Thu Feb 19 2026 Pavel Filipenský - 0:4.22.4-119 +* Tue Apr 21 2026 Pavel Filipenský - 0:4.23.5-106 +- Fix samba automount triggering for more file systems +- resolves: RHEL-137446 + +* Thu Feb 19 2026 Pavel Filipenský - 0:4.23.5-105 - Fix regression with --use-kerberos=desired for smbclient -- resolves: RHEL-150823 +- resolves: RHEL-150820 -* Mon Feb 09 2026 Pavel Filipenský - 0:4.22.4-118 -- Fix samba-bgqd to load [printers] share -- resolves: RHEL-147859 - -* Mon Feb 09 2026 Pavel Filipenský - 0:4.22.4-117 +* Wed Feb 11 2026 Pavel Filipenský - 0:4.23.5-104 - Fix 'net ads kerberos kinit' to use default ccache name from krb5.conf -- resolves: RHEL-147420 +- resolves: RHEL-147417 -* Mon Feb 02 2026 Pavel Filipenský - 0:4.22.4-116 -- Fix 'net ads kerberos kinit -P' with option '--use-krb5-ccache' (v2) -- resolves: RHEL-144593 +* Wed Feb 11 2026 Pavel Filipenský - 0:4.23.5-103 +- Fix samba-bgqd to load [printers] share +- resolves: RHEL-53167 -* Tue Jan 27 2026 Pavel Filipenský - 0:4.22.4-115 +* Tue Jan 27 2026 Pavel Filipenský - 0:4.23.5-102 - Fix 'net ads kerberos kinit -P' with option '--use-krb5-ccache' -- resolves: RHEL-144593 +- resolves: RHEL-144586 -* Tue Jan 27 2026 Pavel Filipenský - 0:4.22.4-114 +* Tue Jan 27 2026 Pavel Filipenský - 0:4.23.5-101 - Fix winbind memory leak seen with long living rpcd_* workers -- resolves: RHEL-144499 +- resolves: RHEL-144479 -* Fri Jan 23 2026 Pavel Filipenský - 0:4.22.4-113 -- Fix ERROR: talloc_free with references -- related: RHEL-143402 +* Fri Jan 23 2026 Pavel Filipenský - 0:4.23.5-100 +- Update to version 4.23.5 +- resolves: RHEL-138263 - Fix winbind group resolution +- resolves: RHEL-141012 - Fix winbind crash -* Thu Jan 22 2026 Pavel Filipenský - 0:4.22.4-112 -- Fix winbind group resolution -- resolves: RHEL-143402 - -* Thu Jan 22 2026 Pavel Filipenský - 0:4.22.4-111 -- Revert samba automounter triggering fix -- reverts: RHEL-137447 - -* Tue Jan 06 2026 Pavel Filipenský - 0:4.22.4-110 -- Fix samba automounter triggering -- resolves: RHEL-137447 - -* Thu Dec 18 2025 Pavel Filipenský - 0:4.22.4-109 +* Thu Dec 18 2025 Pavel Filipenský - 0:4.23.4-101 - Remove libldb dependency to samba-common-libs -- resolves: RHEL-133005 +- resolves: RHEL-132975 -* Wed Dec 17 2025 Pavel Filipenský - 0:4.22.4-108 -- Remove unexpected dependency of libldb to samba +* Mon Dec 15 2025 Pavel Filipenský - 0:4.23.4-100 +- Update to version 4.23.4 +- resolves: RHEL-114545 - Update to version 4.23.4 +- resolves: RHEL-132338 - Fix Time Machine backup +- resolves: RHEL-132975 - Remove unexpected dependency of libldb to samba -* Wed Dec 17 2025 Pavel Filipenský - 0:4.22.4-107 -- Fix Time Machine backup +* Thu Nov 20 2025 Pavel Filipenský - 0:4.23.3-101 +- Remove osci.brew-build.tier0.functional from gating.yaml + +* Fri Nov 07 2025 Pavel Filipenský - 0:4.23.3-100 +- Update to version 4.23.3 +- resolves: RHEL-114545 + +* Thu Sep 18 2025 Pavel Filipenský - 0:4.23.0-101 +- Update to pre-version of 4.23.1 +- resolves: RHEL-114545 + +* Sat Sep 13 2025 Pavel Filipenský - 0:4.23.0-100 +- Update to version 4.23.0 +- resolves: RHEL-114545 * Thu Sep 11 2025 Pavel Filipenský - 0:4.22.4-106 - resolves: RHEL-106240 - Fix 'net ads join' in setups with multiple DCs diff --git a/sources b/sources index 85c7cb8..402cbaf 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (samba-4.22.4.tar.xz) = d04db845227ace43642ba69da4ded80d576db01d2e6a7e3e3161c05ce20ff77bd944d39aaf35adab59bed607e0037713969cb9a855a367ab65d021c5aef7ea46 +SHA512 (samba-4.23.5.tar.xz) = a710dcb2b12b9613df446179492b6a69720e0bb9ac52949ac4c25e64348b812a6184a01e007c7acdfee5f43f280d0c4e26aa47b86a37459824a3a84b028ec8a0 SHA512 (samba-pubkey_AA99442FB680B620.gpg) = 4a13414888fae9776a8edfb629e7002689f01cc482df9686c91eaec793b5e2afa2e1afe6ffeb424093a12259594676d40b4343e844a00499888840f7fe96a199