rpms/samba
7
0
Fork 0
Code Issues Pull Requests Releases Activity
cbb3041d4b
samba/redhat-4.23.patch
Pavel Filipenský 14f3f302e4 Fix samba automount triggering for more file systems 
- resolves: RHEL-169726
2026-04-21 10:31:19 +02:00

2339 lines
73 KiB
Diff
Raw Blame History

From e8384b6daea3b8091ad1bcfce84efc9e2c6a746d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Thu, 22 Jan 2026 14:27:09 +0100
Subject: [PATCH 01/33] s3:libads: Allocate cli_credentials on a stackframe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes:
ERROR: talloc_free with references at ../../source3/libads/ldap_utils.c:158
What happens:
* `struct cli_credentials *creds` is allocated on `ads` talloc context
* gensec_set_credentials() creates a talloc_reference to `creds`
* TALLOC_FREE(creds) sees two parents and complains
All other code is using temporary talloc_stackframe() for `creds`.
Do it here as well.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 23 11:20:28 UTC 2026 on atb-devel-224
---
source3/libads/ldap_utils.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c
index 9d6d962a2bc..d01afa69697 100644
--- a/source3/libads/ldap_utils.c
+++ b/source3/libads/ldap_utils.c
@@ -99,6 +99,7 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
struct cli_credentials *creds = NULL;
char *cred_name = NULL;
NTSTATUS ntstatus;
+ TALLOC_CTX *frame = talloc_stackframe();
if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) &&
ads->config.ldap_page_size >= (lp_ldap_page_size() / 4) &&
@@ -119,18 +120,20 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
DBG_NOTICE("Search for %s in <%s> failed: %s\n",
expr, bp, ads_errstr(status));
SAFE_FREE(bp);
+ TALLOC_FREE(frame);
return status;
}
ntstatus = ads->auth.reconnect_state->fn(ads,
ads->auth.reconnect_state->private_data,
- ads, &creds);
+ frame, &creds);
if (!NT_STATUS_IS_OK(ntstatus)) {
DBG_WARNING("Failed to get creds for realm(%s): %s\n",
ads->server.realm, nt_errstr(ntstatus));
DBG_WARNING("Search for %s in <%s> failed: %s\n",
expr, bp, ads_errstr(status));
SAFE_FREE(bp);
+ TALLOC_FREE(frame);
return status;
}
@@ -151,11 +154,11 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
* callers depend on it being around.
*/
ads_disconnect(ads);
- TALLOC_FREE(creds);
+ TALLOC_FREE(frame);
SAFE_FREE(bp);
return status;
}
- TALLOC_FREE(creds);
+ TALLOC_FREE(frame);
*res = NULL;
--
2.53.0
From 7af95c7cb142aeb5f422a69d3b7a0ea3c0d2c2c2 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Mon, 26 Jan 2026 13:36:02 +0100
Subject: [PATCH 02/33] s3:rpc_client: Fix memory leak opening local named pipe
If no local server name was passed to rpc_pipe_open_local_np() then
get_myname() was called with NULL talloc context instead of the
current stackframe.
This was causing an increase of memory usage on busy servers with long-living
rpcd_* workers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jan 27 10:13:40 UTC 2026 on atb-devel-224
(cherry picked from commit 24dc455362fb49ef81c99d95880e106a234ce29a)
---
source3/rpc_client/cli_pipe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index e3f48526492..c61b8eb16cf 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3625,7 +3625,7 @@ NTSTATUS rpc_pipe_open_local_np(
}
if (local_server_name == NULL) {
- local_server_name = get_myname(result);
+ local_server_name = get_myname(frame);
}
if (local_server_addr != NULL) {
--
2.53.0
From ab1287f78bd9d2397c8eb26fbedafa028e2aaa16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Dec 2025 17:17:33 +0100
Subject: [PATCH 03/33] s3-selftest: mention in-memory ccache usage when
nothing is provided
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/script/tests/test_net_ads_kerberos.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
index 8a3c9ef2bc7..92d3996d078 100755
--- a/source3/script/tests/test_net_ads_kerberos.sh
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -30,6 +30,7 @@ KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
## Test "net ads kerberos kinit" variants
#################################################
+#simply uses in memory ccache
testit "net_ads_kerberos_kinit" \
"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
@@ -50,6 +51,7 @@ rm -f "$KRB5CCNAME_PATH"
# --use-krb5-ccache=${KRB5CCNAME} \
# || failed=$((failed + 1))
+#simply uses in memory ccache
testit "net_ads_kerberos_kinit (-P)" \
"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
-P "$ADDARGS" \
--
2.53.0
From 0aa0d39e9a5deb77114f40930b599f11fd7cf3b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Dec 2025 17:18:41 +0100
Subject: [PATCH 04/33] s3-selftest: verify KRB5CCNAME presence after kinit
using klist
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/script/tests/test_net_ads_kerberos.sh | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
index 92d3996d078..c53520cf733 100755
--- a/source3/script/tests/test_net_ads_kerberos.sh
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -14,6 +14,12 @@ PREFIX="$4"
shift 4
ADDARGS="$*"
+if [ -x $(which klist) ]; then
+ KLIST=$(which klist);
+else
+ KLIST="test -e";
+fi
+
incdir=$(dirname "$0")/../../../testprogs/blackbox
. "$incdir"/subunit.sh
@@ -41,6 +47,9 @@ testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
|| failed=$((failed + 1))
+testit "klist env $KRB5CCNAME" \
+ "$KLIST" "$KRB5CCNAME" \
+ || failed=$((failed +1))
unset KRB5CCNAME
rm -f "$KRB5CCNAME_PATH"
@@ -62,6 +71,9 @@ testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \
"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
-P "$ADDARGS" \
|| failed=$((failed + 1))
+testit "klist env $KRB5CCNAME" \
+ "$KLIST" "$KRB5CCNAME" \
+ || failed=$((failed +1))
unset KRB5CCNAME
rm -f "$KRB5CCNAME_PATH"
--
2.53.0
From b9c07d59c6a20931b80fa104629477ab8f78b4ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Dec 2025 17:01:31 +0100
Subject: [PATCH 05/33] s3-selftest: Activate "net ads kerberos kinit" tests
with --use-krb5-ccache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail | 2 ++
source3/script/tests/test_net_ads_kerberos.sh | 30 +++++++++++--------
2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index ab2d79d7114..76f1dae605d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -338,3 +338,5 @@
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
+
+^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.*
diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
index c53520cf733..b7933bab6a6 100755
--- a/source3/script/tests/test_net_ads_kerberos.sh
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -53,12 +53,15 @@ testit "klist env $KRB5CCNAME" \
unset KRB5CCNAME
rm -f "$KRB5CCNAME_PATH"
-# --use-krb5-ccache is not working
-#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
-# $VALGRIND $BINDIR/net ads kerberos kinit \
-# -U$USERNAME%$PASSWORD $ADDARGS \
-# --use-krb5-ccache=${KRB5CCNAME} \
-# || failed=$((failed + 1))
+testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ --use-krb5-ccache="${KRB5CCNAME_PATH}" \
+ || failed=$((failed + 1))
+testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \
+ "$KLIST" "$KRB5CCNAME_PATH" \
+ || failed=$((failed +1))
+rm -f "$KRB5CCNAME_PATH"
#simply uses in memory ccache
testit "net_ads_kerberos_kinit (-P)" \
@@ -77,12 +80,15 @@ testit "klist env $KRB5CCNAME" \
unset KRB5CCNAME
rm -f "$KRB5CCNAME_PATH"
-# --use-krb5-ccache is not working
-#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
-# $VALGRIND $BINDIR/net ads kerberos kinit \
-# -P $ADDARGS \
-# --use-krb5-ccache=${KRB5CCNAME} \
-# || failed=$((failed + 1))
+testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+ --use-krb5-ccache="${KRB5CCNAME_PATH}" \
+ || failed=$((failed + 1))
+testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \
+ "$KLIST" "$KRB5CCNAME_PATH" \
+ || failed=$((failed +1))
+rm -f "$KRB5CCNAME_PATH"
#################################################
--
2.53.0
From c82b7636b633575621e8e5964a93332956c238ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Dec 2025 16:56:44 +0100
Subject: [PATCH 06/33] s3-net: properly setup krb5 ccache name via
--use-krb5-ccache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail | 2 --
source3/utils/net.c | 19 ++++++++++++-------
source3/utils/net_ads.c | 4 ++++
3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index 76f1dae605d..ab2d79d7114 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -338,5 +338,3 @@
# We currently don't send referrals for LDAP modify of non-replicated attrs
^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-
-^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.*
diff --git a/source3/utils/net.c b/source3/utils/net.c
index ecabd980d0c..271c96cf804 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1396,7 +1396,7 @@ static struct functable net_func[] = {
cli_credentials_get_principal_obtained(c->creds);
enum credentials_obtained password_obtained =
cli_credentials_get_password_obtained(c->creds);
- char *krb5ccname = NULL;
+ const char *krb5ccname = NULL;
if (principal_obtained == CRED_SPECIFIED) {
c->explicit_credentials = true;
@@ -1415,15 +1415,20 @@ static struct functable net_func[] = {
}
/* cli_credentials_get_ccache_name_obtained() would not work
- * here, we also cannot get the content of --use-krb5-ccache= so
- * for now at least honour the KRB5CCNAME environment variable
- * to get 'net ads kerberos' functions to work at all - gd */
-
- krb5ccname = getenv("KRB5CCNAME");
- if (krb5ccname == NULL) {
+ * here but we can now access the content of the
+ * --use-krb5-ccache option via cli credentials. Fallback to
+ * KRB5CCNAME environment variable to get 'net ads kerberos'
+ * functions to work at all - gd */
+
+ krb5ccname = cli_credentials_get_out_ccache_name(c->creds);
+ if (krb5ccname == NULL || krb5ccname[0] == '\0') {
+ krb5ccname = getenv("KRB5CCNAME");
+ }
+ if (krb5ccname == NULL || krb5ccname[0] == '\0') {
krb5ccname = talloc_strdup(c, "MEMORY:net");
}
if (krb5ccname == NULL) {
+ DBG_ERR("Not able to setup krb5 ccache");
exit(1);
}
c->opt_krb5_ccache = krb5ccname;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index d49b7537e71..5c57a0b290e 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3245,7 +3245,11 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
if (ret) {
d_printf(_("failed to kinit password: %s\n"),
nt_errstr(status));
+ return ret;
}
+
+ d_printf("Stored Kerberos TGT in: %s\n", c->opt_krb5_ccache);
+
return ret;
}
--
2.53.0
From 4f5ffea631d805564f7e92cc5f0f2f7ad55ba493 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Sat, 13 Dec 2025 13:49:37 +0100
Subject: [PATCH 07/33] doc-xml: Document "net ads kerberos" commands
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jan 5 15:49:04 UTC 2026 on atb-devel-224
---
docs-xml/manpages/net.8.xml | 139 ++++++++++++++++++++++++++++++++++++
1 file changed, 139 insertions(+)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index d9293d0bb34..737415b3722 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1810,7 +1810,146 @@ the following entry types;
</refsect2>
+<refsect2>
+ <title>ADS KERBEROS</title>
+
+<para>
+ Issue Kerberos operations against an Active Directory KDC.
+</para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS KERBEROS KINIT</title>
+
+<para>
+ Issue a kinit request for a given user. When no other options are
+ defined the ticket granting ticket (TGT) will be stored in a memory cache.
+</para>
+
+<para>
+ To store the TGT in a different location either use the
+ <option>--krb5-ccache</option> option or set the
+ <replaceable>KRB5CCNAME</replaceable> environment variable.
+</para>
+
+<para>Example: <userinput>net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS KERBEROS RENEW</title>
+
+<para>
+ Renew an already acquired ticket granting ticket (TGT).
+</para>
+
+<para>Example: <userinput>net ads kerberos renew</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS KERBEROS PAC</title>
+
+<para>
+ Request a Kerberos PAC while authenticating to an Active Directory KDC.
+</para>
+
+<para>
+ The following commands are provided:
+</para>
+
+<simplelist>
+<member>net ads kerberos pac dump - Dump a PAC to stdout.</member>
+<member>net ads kerneros pac save - Save a PAC to a file.</member>
+</simplelist>
+
+<para>
+ All commands allow to define an impersonation principal to do a Kerberos
+ Service for User (S4U2SELF) operation via
+ the <replaceable>impersonate=STRING</replaceable> option.
+ The impersonation principal can have multiple different formats:
+</para>
+
+<itemizedlist>
+ <listitem>
+ <para><replaceable>user@MY.REALM</replaceable></para>
+ <para>This is the default format.</para>
+ </listitem>
+ <listitem>
+ <para><replaceable>user@MY.REALM@MY.REALM</replaceable></para>
+ <para>The Kerberos Service for User (S4U2SELF) also supports
+ Enterprise Principals.</para>
+ </listitem>
+ <listitem>
+ <para><replaceable>user@UPN.SUFFIX@MY.REALM</replaceable></para>
+ <para>Enterprise Principal using a defined upn suffix.</para>
+ </listitem>
+ <listitem>
+ <para><replaceable>user@WORKGROUP@MY.REALM</replaceable></para>
+ <para>Enterprise Principal with netbios domain name.
+ This format is currently not supported by Samba AD.</para>
+ </listitem>
+</itemizedlist>
+<para>
+ By default net will request a service ticket for the local service
+ of the joined machine. A different service can be defined via
+ <replaceable>local_service=STRING</replaceable>.
+</para>
+
+</refsect2>
+<refsect2>
+ <title>ADS KERBEROS PAC DUMP [impersonate=string] [local_service=string] [pac_buffer_type=int]</title>
+
+<para>
+ Request a Kerberos PAC while authenticating to an Active Directory KDC.
+ The PAC will be printed on stdout.
+</para>
+
+<para>
+ When no specific pac_buffer is selected, all buffers will be printed.
+ It is possible to select a specific one via
+ <replaceable>pac_buffer_type=INT</replaceable> from this list:
+</para>
+
+<simplelist>
+<member>1 PAC_TYPE_LOGON_INFO</member>
+<member>2 PAC_TYPE_CREDENTIAL_INFO</member>
+<member>6 PAC_TYPE_SRV_CHECKSUM</member>
+<member>7 PAC_TYPE_KDC_CHECKSUM</member>
+<member>10 PAC_TYPE_LOGON_NAME</member>
+<member>11 PAC_TYPE_CONSTRAINED_DELEGATION</member>
+<member>12 PAC_TYPE_UPN_DNS_INFO</member>
+<member>13 PAC_TYPE_CLIENT_CLAIMS_INFO</member>
+<member>14 PAC_TYPE_DEVICE_INFO</member>
+<member>15 PAC_TYPE_DEVICE_CLAIMS_INFO</member>
+<member>16 PAC_TYPE_TICKET_CHECKSUM</member>
+<member>17 PAC_TYPE_ATTRIBUTES_INFO</member>
+<member>18 PAC_TYPE_REQUESTER_SID</member>
+<member>19 PAC_TYPE_FULL_CHECKSUM</member>
+</simplelist>
+
+<para>Example: <userinput>net ads kerberos pac dump -P impersonate=anyuser@MY.REALM.COM</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS KERBEROS PAC SAVE [impersonate=string] [local_service=string] [filename=string]</title>
+
+<para>
+ Request a Kerberos PAC while authenticating to an Active Directory KDC.
+ The PAC will be saved in a file.
+</para>
+
+<para>
+ The filename to store the PAC can be set via the
+ <replaceable>filename=STRING</replaceable> option.
+</para>
+
+<para>Example: <userinput>net ads kerberos pac save -U user%password filename=/tmp/pacstore</userinput></para>
+
+</refsect2>
<refsect2>
<title>SAM CREATEBUILTINGROUP &lt;NAME&gt;</title>
--
2.53.0
From f634526bd95b8396ea7f5f1c8ed059eb01a5286b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Tue, 3 Feb 2026 12:53:10 +0100
Subject: [PATCH 08/33] s3:utils: 'net ads kerberos kinit' should use also
default ccache name from krb5.conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is re-introducing the behavior from samba-4.20 where both these
commands operated on the same ccache (default_ccache_name in
[libdefaults] section of krb5.conf)
'net ads kerberos kinit -P'
'klist'
With samba-4.21 it no longer works, 'net ads kerberos kinit -P'
fallbacks to 'MEMORY:net' (which is of a very limited use, ticket
cannot be used by other process) and klist finds no ticket.
The order is changed from:
--use-krb5-ccache
env "KRB5CCNAME"
"MEMORY:net"
to ("MEMORY:net" is removed):
--use-krb5-ccache
env "KRB5CCNAME"
default_ccache_name
'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials.
Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name()
because of commit:
1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 4cc6a13590434f6a3aa1add663728188970d727e)
---
source3/utils/net.c | 36 ++++++++++++++++++++++++++----------
1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 271c96cf804..0ce03f8213d 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -54,6 +54,7 @@
#include "source3/utils/passwd_proto.h"
#include "auth/gensec/gensec.h"
#include "lib/param/param.h"
+#include "lib/krb5_wrap/krb5_samba.h"
#ifdef WITH_FAKE_KASERVER
#include "utils/net_afs.h"
@@ -1414,18 +1415,33 @@ static struct functable net_func[] = {
CRED_SPECIFIED);
}
- /* cli_credentials_get_ccache_name_obtained() would not work
- * here but we can now access the content of the
- * --use-krb5-ccache option via cli credentials. Fallback to
- * KRB5CCNAME environment variable to get 'net ads kerberos'
- * functions to work at all - gd */
-
+ /*
+ * Priority order for krb5 credential cache name
+ *
+ * via cli_credentials_get_out_ccache_name() :
+ *
+ * 1. '--use-krb5-ccache' option
+ *
+ * via krb5_cc_default_name() :
+ *
+ * 2. KRB5CCNAME environment variable
+ * 3. default_ccache_name in [libdefaults] section of krb5.conf
+ * 4. ...more - krb5_cc_default_name() always returns something
+ * - see documentation
+ */
krb5ccname = cli_credentials_get_out_ccache_name(c->creds);
if (krb5ccname == NULL || krb5ccname[0] == '\0') {
- krb5ccname = getenv("KRB5CCNAME");
- }
- if (krb5ccname == NULL || krb5ccname[0] == '\0') {
- krb5ccname = talloc_strdup(c, "MEMORY:net");
+ krb5_context ct = NULL;
+ krb5_error_code ret = smb_krb5_init_context_common(&ct);
+
+ if (ret == 0) {
+ krb5ccname = smb_force_krb5_cc_default_name(ct);
+ if (krb5ccname != NULL) {
+ krb5ccname = talloc_strdup(c,
+ krb5ccname);
+ }
+ krb5_free_context(ct);
+ }
}
if (krb5ccname == NULL) {
DBG_ERR("Not able to setup krb5 ccache");
--
2.53.0
From 0ca830d6ddded29b2b5d1969ebcbc4df1156656e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Thu, 5 Feb 2026 16:04:25 +0100
Subject: [PATCH 09/33] manpages: Update NET ADS KERBEROS KINIT manpage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Feb 5 21:11:13 UTC 2026 on atb-devel-224
(cherry picked from commit 9d083a28fe45afd8f82441c6e24255e4c64c113b)
---
docs-xml/manpages/net.8.xml | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 737415b3722..b793361a27f 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1823,17 +1823,37 @@ the following entry types;
<title>ADS KERBEROS KINIT</title>
<para>
- Issue a kinit request for a given user. When no other options are
- defined the ticket granting ticket (TGT) will be stored in a memory cache.
+ Issue a kinit request for a given user. The following methods can be used
+ to specify where to store the ticket granting ticket (TGT) (in order of
+ precedence):
</para>
-<para>
- To store the TGT in a different location either use the
- <option>--krb5-ccache</option> option or set the
- <replaceable>KRB5CCNAME</replaceable> environment variable.
-</para>
+<itemizedlist>
+ <listitem>
+ <para>option <option>--use-krb5-ccache</option></para>
+ </listitem>
+ <listitem>
+ <para><replaceable>KRB5CCNAME</replaceable> environment variable</para>
+ </listitem>
+ <listitem>
+ <para><parameter>default_ccache_name</parameter> setting in <filename>krb5.conf</filename></para>
+ </listitem>
+</itemizedlist>
-<para>Example: <userinput>net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache</userinput></para>
+<variablelist><title>Examples:</title>
+<varlistentry>
+<term>Use file based cache (FILE:/tmp/krb5cache)</term>
+<listitem><literallayout>
+net ads kerberos kinit -P --use-krb5-ccache=/tmp/krb5cache
+</literallayout></listitem>
+</varlistentry>
+<varlistentry>
+<term>Use memory cache (MEMORY:net) to verify the authentication</term>
+<listitem><literallayout>
+net ads kerberos kinit -P --use-krb5-ccache=MEMORY:net
+</literallayout></listitem>
+</varlistentry>
+</variablelist>
</refsect2>
--
2.53.0
From 44b613d80c6a3818cc6ca593d57d51cd1bc00aa5 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Fri, 13 Feb 2026 11:54:46 +0000
Subject: [PATCH 10/33] selftest: Update tests to use
--use-kereros=desired|required no creds
Add tests to call smbclient without passing credentials to
demonstrate failure with --use-kereros=desired
Also add knownfail
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a22af9420965083b99b956477d1833000b7f2414)
---
selftest/knownfail | 2 ++
source3/script/tests/test_smbclient_kerberos.sh | 12 ++++++++++++
2 files changed, 14 insertions(+)
diff --git a/selftest/knownfail b/selftest/knownfail
index ab2d79d7114..f0a5f7bb935 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -315,6 +315,8 @@
# ad_member don't support ntlmv1 (not even over SMB1)
^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member
^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member
+# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789
+samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).*
#nt-vfs server blocks read with execute access
^samba4.smb2.read.access
#ntvfs server blocks copychunk with execute access on read handle
diff --git a/source3/script/tests/test_smbclient_kerberos.sh b/source3/script/tests/test_smbclient_kerberos.sh
index 31678d17e28..1139efd70d7 100755
--- a/source3/script/tests/test_smbclient_kerberos.sh
+++ b/source3/script/tests/test_smbclient_kerberos.sh
@@ -73,6 +73,18 @@ test_smbclient "smbclient.smb3.kerberos.desired[//${SERVER}/tmp]" \
--use-kerberos=desired -U${USERNAME}%${PASSWORD} -mSMB3 ||
failed=$(expr $failed + 1)
+test_smbclient "smbclient.smb3.kerberos.desired (no user/pass) [//${SERVER}/tmp]" \
+ "ls; quit" //${SERVER}/tmp \
+ --use-kerberos=desired -mSMB3 ||
+ failed=$(expr $failed + 1)
+
+test_smbclient "smbclient.smb3.kerberos.required (no user/pass) [//${SERVER}/tmp]" \
+ "ls; quit" //${SERVER}/tmp \
+ --use-kerberos=required -mSMB3 ||
+ failed=$(expr $failed + 1)
+
+
+
$samba_kdestroy
rm -rf $KRB5CCNAME_PATH
--
2.53.0
From 65f70c0505759489a8b219e1297f8cdee2cc260a Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Mon, 19 Jan 2026 15:46:59 +0000
Subject: [PATCH 11/33] auth/credentials: Fix regression with
--use-kerberos=desired for smbclient
As part of the gse_krb5 processing the following call chain
gensec_gse_client_start()
---> gensec_kerberos_possible()
---> cli_credentials_authentication_requested()
gensec_kerberos_possible() will always fail when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
It seems since use kerberos == desired is the default that it isn't
necessary to see if credentials were modified to indicated authentication
was requested. gensec_kerberos_possible() should afaics return true
if kerberos is desired OR required (regardless of whether credentials
were requested)
This commit removes the knownfail associated with this bug.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 88f42eb222f299189d5f5f8204ae353e63a50970)
---
auth/gensec/gensec_util.c | 5 -----
selftest/knownfail | 2 --
2 files changed, 7 deletions(-)
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index 0c7688d33d2..af6d198d48f 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -362,7 +362,6 @@ char *gensec_get_unparsed_target_principal(struct gensec_security *gensec_securi
NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
{
struct cli_credentials *creds = gensec_get_credentials(gensec_security);
- bool auth_requested = cli_credentials_authentication_requested(creds);
enum credentials_use_kerberos krb5_state =
cli_credentials_get_kerberos_state(creds);
char *user_principal = NULL;
@@ -370,10 +369,6 @@ NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
const char *target_principal = gensec_get_target_principal(gensec_security);
const char *hostname = gensec_get_target_hostname(gensec_security);
- if (!auth_requested) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if (krb5_state == CRED_USE_KERBEROS_DISABLED) {
return NT_STATUS_INVALID_PARAMETER;
}
diff --git a/selftest/knownfail b/selftest/knownfail
index f0a5f7bb935..ab2d79d7114 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -315,8 +315,6 @@
# ad_member don't support ntlmv1 (not even over SMB1)
^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member
^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member
-# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789
-samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).*
#nt-vfs server blocks read with execute access
^samba4.smb2.read.access
#ntvfs server blocks copychunk with execute access on read handle
--
2.53.0
From 8c955cad98b197936fceaf98306047e1f929ddfe Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Mon, 19 Jan 2026 16:10:10 +0000
Subject: [PATCH 12/33] s3/libsmb: cli_session_creds_init fails when kerberos
is desired
There is a regression with code using cli_session_creds_init when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
Authentication succeeds when boolean fallback_after_kerberos is false
and fails when true.
There doesn't seem to be a good reason why the value of
fallback_after_kerberos should initialise the krb5 ccache or not.
It would seems that krb5 cache should be setup for creds
for *any* kerberos auth (whether fallback is enabled or not)
Partial patch from <will69@gmx.de> (see bug referenced below)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1c48599105736499d18aa1f647bce9e1f8dbdcca)
---
source3/libsmb/cliconnect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 116f746d37e..3fd423d8e5f 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -218,7 +218,7 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
goto fail;
}
}
- } else if (use_kerberos && !fallback_after_kerberos) {
+ } else if (use_kerberos) {
const char *error_string = NULL;
int rc;
--
2.53.0
From 015167aea7ece2bb683f86aa4b8c688d7a83267d Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Mon, 19 Jan 2026 16:18:02 +0000
Subject: [PATCH 13/33] s3/libsmb: block anon authentication fallback is
use-kerberos = desired
When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED
libsmbclient method SMBC_server_internal will still try to fallback to
anon NTLM. This patch prevents that.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224
(cherry picked from commit bc868800276fe09cbcb206ebe4cb4da32af7599f)
---
source3/libsmb/libsmb_server.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index f9b52e1f05a..8c7208aaee0 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -632,6 +632,8 @@ SMBC_server_internal(TALLOC_CTX *ctx,
password_used = "";
if (smbc_getOptionNoAutoAnonymousLogin(context) ||
+ cli_credentials_get_kerberos_state(creds) ==
+ CRED_USE_KERBEROS_REQUIRED ||
!NT_STATUS_IS_OK(cli_session_setup_anon(c))) {
cli_shutdown(c);
--
2.53.0
From 3f66a4fbb46f614bf81533677944b1093439aaf8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Wed, 18 Mar 2026 20:24:37 +0100
Subject: [PATCH 14/33] s3:libnet: Fix DC numeric ip handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is fixing regression introduced via 82f53c8
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libnet/libnet_join.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 609b2b96222..66d682a5b95 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2643,7 +2643,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
struct sockaddr_storage ss = {0};
const char *numeric_dcip = info->dc_address + 2;
- if (numeric_dcip[0] == '\0') {
+ if (numeric_dcip[0] != '\0') {
if (!interpret_string_addr(&ss, numeric_dcip,
AI_NUMERICHOST)) {
DBG_ERR(
--
2.53.0
From 4725da7df3028d37d8bf34b3671c553b7337703b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Mon, 23 Mar 2026 19:03:34 +0100
Subject: [PATCH 15/33] s3:libads: Allow to specify 'dns_lookup_kdc' in
krb5.conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 23 ++++++++++++++++-------
source3/libads/kerberos_proto.h | 33 +++++++++++++++++++++++++++++----
2 files changed, 45 insertions(+), 11 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 5593364c397..865c32d73ca 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1362,10 +1362,12 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx)
}
#endif
-bool create_local_private_krb5_conf_for_domain(const char *realm,
- const char *domain,
- const char *sitename,
- const struct sockaddr_storage *pss)
+bool create_local_private_krb5_conf_for_domain_internal(
+ const char *realm,
+ const char *domain,
+ const char *sitename,
+ const struct sockaddr_storage *pss,
+ bool dns_lookup_kdc)
{
char *dname;
char *tmpname = NULL;
@@ -1450,10 +1452,16 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
#endif
/*
- * We are setting 'dns_lookup_kdc' to true, because we want to lookup
- * KDCs which are not configured via DNS SRV records, eg. if we do:
+ * Normally 'dns_lookup_kdc' should be set to true, because we want to
+ * also lookup KDCs via DNS SRV records, e.g. cross domain scenario:
*
* net ads join -Uadmin@otherdomain
+ *
+ * However, during domain join we need to set it to false when we
+ * reconnect using the freshly created machine account credentials.
+ * With dns_lookup_kdc = true, Kerberos may pick a different DC
+ * for the TCP retry (after UDP response is too large), and that DC
+ * might not have replicated the new machine account yet.
*/
file_contents =
talloc_asprintf(fname,
@@ -1467,7 +1475,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
"\tdefault_realm = %s\n"
"%s"
"\tdns_lookup_realm = false\n"
- "\tdns_lookup_kdc = true\n\n"
+ "\tdns_lookup_kdc = %s\n\n"
"[realms]\n\t%s = {\n"
"%s\t}\n"
"\t%s = {\n"
@@ -1476,6 +1484,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
timeout_sec,
realm_upper,
enctypes,
+ dns_lookup_kdc ? "true" : "false",
realm_upper,
kdc_ip_string,
domain,
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index a96211c7289..fbeaeff92a9 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -70,10 +70,35 @@ int ads_kdestroy(const char *cc_name);
int kerberos_kinit_password(const char *principal,
const char *password,
const char *cache_name);
-bool create_local_private_krb5_conf_for_domain(const char *realm,
- const char *domain,
- const char *sitename,
- const struct sockaddr_storage *pss);
+
+bool create_local_private_krb5_conf_for_domain_internal(
+ const char *realm,
+ const char *domain,
+ const char *sitename,
+ const struct sockaddr_storage *pss,
+ bool dns_lookup_kdc);
+
+/* Create krb5.conf that allows DC lookup using DNS. */
+static inline bool create_local_private_krb5_conf_for_domain(
+ const char *realm,
+ const char *domain,
+ const char *sitename,
+ const struct sockaddr_storage *pss)
+{
+ return create_local_private_krb5_conf_for_domain_internal(
+ realm, domain, sitename, pss, true);
+}
+
+/* Create krb5.conf that disables DC lookup using DNS - needed during join. */
+static inline bool create_local_private_krb5_conf_for_domain_join(
+ const char *realm,
+ const char *domain,
+ const char *sitename,
+ const struct sockaddr_storage *pss)
+{
+ return create_local_private_krb5_conf_for_domain_internal(
+ realm, domain, sitename, pss, false);
+}
/* The following definitions come from libads/authdata.c */
--
2.53.0
From 5e1fde5e03c3899b329bd38c36033c385f6fb5f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Mon, 23 Mar 2026 19:05:31 +0100
Subject: [PATCH 16/33] s3:libads: Set dns_lookup_kdc=false during net ads join
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Apr 7 14:09:40 UTC 2026 on atb-devel-224
---
source3/libnet/libnet_join.c | 60 +++++++++++++++++++++++++++++++++++-
1 file changed, 59 insertions(+), 1 deletion(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 66d682a5b95..81bcb9793a6 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2881,6 +2881,10 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx,
struct libnet_JoinCtx *r)
{
WERROR werr;
+#ifdef HAVE_ADS
+ struct sockaddr_storage dc_ss = {0};
+ bool dns_lookup_kdc_disabled = false;
+#endif /* HAVE_ADS */
if (r->in.debug) {
LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
@@ -2904,6 +2908,49 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx,
}
}
+#ifdef HAVE_ADS
+ /*
+ * The machine account was just created on r->in.dc_name,
+ * but might not have replicated to other DCs yet.
+ * Regenerate the krb5.conf with dns_lookup_kdc = false
+ * so that the Kerberos library only talks to the DC
+ * where the account was created. This covers all
+ * subsequent machine-credential operations:
+ * - libnet_join_post_processing_ads_modify() (etype update)
+ * - libnet_join_post_verify() (domain membership verification)
+ */
+ if (r->out.domain_is_ad &&
+ !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
+ !r->in.request_offline_join)
+ {
+ bool ok;
+ const char *ip = NULL;
+
+ /* dcinfo might not be set for offline joins, however this
+ * check is redundant since we have a guard:
+ * !r->in.request_offline_join
+ */
+ if (r->out.dcinfo) {
+ ip = r->out.dcinfo->dc_address + 2; /* Strip "\\" */
+ }
+
+ if (ip && ip[0] != '\0') {
+ ok = interpret_string_addr(&dc_ss, ip, AI_NUMERICHOST);
+ } else {
+ ok = interpret_string_addr(&dc_ss, r->in.dc_name, 0);
+ }
+
+ if (ok) {
+ create_local_private_krb5_conf_for_domain_join(
+ r->out.dns_domain_name,
+ r->out.netbios_domain_name,
+ NULL, /* sitename */
+ &dc_ss);
+ dns_lookup_kdc_disabled = true;
+ }
+ }
+#endif /* HAVE_ADS */
+
werr = libnet_join_post_processing(mem_ctx, r);
if (!W_ERROR_IS_OK(werr)) {
goto done;
@@ -2931,7 +2978,18 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx,
}
}
- done:
+done:
+#ifdef HAVE_ADS
+ if (dns_lookup_kdc_disabled) {
+ /* Restore dns_lookup_kdc = true for subsequent operations */
+ create_local_private_krb5_conf_for_domain(
+ r->out.dns_domain_name,
+ r->out.netbios_domain_name,
+ NULL, /* sitename */
+ &dc_ss);
+ }
+#endif /* HAVE_ADS */
+
r->out.result = werr;
if (r->in.debug) {
--
2.53.0
From 42e48d3dd29027573f6e1c04f78f8d9cb91eb4ab Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Fri, 14 Feb 2025 17:07:14 +0100
Subject: [PATCH 17/33] vfs: Add VFS_OPEN_HOW_RESOLVE_NO_XDEV flag
It disallows traversal of mount points during path resolution, including bind
mounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/include/vfs.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/include/vfs.h b/source3/include/vfs.h
index e87a0d923e5..15e2186eab7 100644
--- a/source3/include/vfs.h
+++ b/source3/include/vfs.h
@@ -926,6 +926,7 @@ struct vfs_aio_state {
#define VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS 1
#define VFS_OPEN_HOW_WITH_BACKUP_INTENT 2
+#define VFS_OPEN_HOW_RESOLVE_NO_XDEV 4
struct vfs_open_how {
int flags;
--
2.53.0
From 5656562fd43507501aea62b7a43b1d3d5431b313 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Fri, 14 Feb 2025 17:13:39 +0100
Subject: [PATCH 18/33] vfs: Use RESOLVE_NO_XDEV by default on all shares
Enable the flag by default on all shares, it will be automatically
disabled if the system does not support openat2().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
script/autobuild.py | 2 +-
source3/modules/vfs_default.c | 11 +++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/script/autobuild.py b/script/autobuild.py
index 8acf6cdc854..97d44a07ee4 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -338,7 +338,7 @@ tasks = {
"samba-no-opath-build": {
"git-clone-required": True,
"sequence": [
- ("configure", "ADDITIONAL_CFLAGS='-DDISABLE_OPATH=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=1 -DDISABLE_PROC_FDS=1' ./configure.developer --without-ad-dc " + samba_configure_params),
+ ("configure", "ADDITIONAL_CFLAGS='-DDISABLE_OPATH=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS=1 -DDISABLE_VFS_OPEN_HOW_RESOLVE_NO_XDEV=1 -DDISABLE_PROC_FDS=1' ./configure.developer --without-ad-dc " + samba_configure_params),
("make", "make -j"),
("check-clean-tree", CLEAN_SOURCE_TREE_CMD),
("chmod-R-a-w", "chmod -R a-w ."),
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 83c9cc06de8..d531f277199 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -76,6 +76,17 @@ static int vfswrap_connect(vfs_handle_struct *handle, const char *service, const
#ifdef DISABLE_VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS
handle->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS;
#endif
+ bval = lp_parm_bool(SNUM(handle->conn),
+ "vfs_default",
+ "VFS_OPEN_HOW_RESOLVE_NO_XDEV",
+ true);
+ if (bval) {
+ handle->conn->open_how_resolve |=
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV;
+ }
+#ifdef DISABLE_VFS_OPEN_HOW_RESOLVE_NO_XDEV
+ handle->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV;
+#endif
return 0; /* Return >= 0 for success */
}
--
2.53.0
From 21ce7f160fb6f2bec613be36f2120002205bf84e Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Wed, 8 Oct 2025 10:54:55 +0200
Subject: [PATCH 19/33] selftest/Samba3: nt4_dc* use
vfs_default:VFS_OPEN_HOW_RESOLVE_NO_XDEV=no
From 076c22fbd7ecbf22dbfeb1711609f07fd42f88b0, we should always test the
code path without openat2 being available, even if the kernel supports it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
selftest/target/Samba3.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 6f17d659d96..3b990bcb349 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -304,6 +304,7 @@ sub setup_nt4_dc
server schannel require seal:torturetest\$ = no
vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no
+ vfs_default:VFS_OPEN_HOW_RESOLVE_NO_XDEV = no
fss: sequence timeout = 1
check parent directory delete on close = yes
--
2.53.0
From 0f873b9e694c2db4c54bb480183583d04dde3bdd Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Fri, 14 Feb 2025 17:14:59 +0100
Subject: [PATCH 20/33] vfs: Pass the RESOLVE_NO_XDEV from upper layers to
openat2() syscall
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/modules/vfs_default.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index d531f277199..f0270e96002 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -630,7 +630,9 @@ static int vfswrap_openat(vfs_handle_struct *handle,
SMB_ASSERT((dirfd != -1) || (smb_fname->base_name[0] == '/'));
if (how->resolve & ~(VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS |
- VFS_OPEN_HOW_WITH_BACKUP_INTENT)) {
+ VFS_OPEN_HOW_WITH_BACKUP_INTENT |
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV))
+ {
errno = ENOSYS;
result = -1;
goto out;
@@ -663,12 +665,20 @@ static int vfswrap_openat(vfs_handle_struct *handle,
}
#endif
- if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS) {
+ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS ||
+ how->resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV)
+ {
struct open_how linux_how = {
.flags = flags,
.mode = mode,
- .resolve = RESOLVE_NO_SYMLINKS,
+ .resolve = 0,
};
+ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS) {
+ linux_how.resolve |= RESOLVE_NO_SYMLINKS;
+ }
+ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) {
+ linux_how.resolve |= RESOLVE_NO_XDEV;
+ }
result = openat2(dirfd,
smb_fname->base_name,
@@ -681,10 +691,13 @@ static int vfswrap_openat(vfs_handle_struct *handle,
* openat2(), so indicate to
* the callers that
* VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS
+ * or VFS_OPEN_HOW_RESOLVE_NO_XDEV
* would just be a waste of time.
*/
fsp->conn->open_how_resolve &=
~VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS;
+ fsp->conn->open_how_resolve &=
+ ~VFS_OPEN_HOW_RESOLVE_NO_XDEV;
}
goto out;
}
--
2.53.0
From ff04fbf4e754c6eca9ea87a13d91bb84613ff9f9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Wed, 8 Oct 2025 13:18:44 +0200
Subject: [PATCH 21/33] smbd: Refactor reopen_from_fsp(), factor out name based
reopen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/smbd/open.c | 55 +++++++++++++++++++++++++++++++--------------
1 file changed, 38 insertions(+), 17 deletions(-)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index f2cbf7d6bf6..8443ddd32d3 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -847,6 +847,33 @@ static NTSTATUS fd_open_atomic(struct files_struct *dirfsp,
return status;
}
+/*
+ * Close the existing pathref fd and set the fsp flag
+ * is_pathref to false so we get a "normal" fd this time.
+ */
+static NTSTATUS reopen_from_fsp_namebased(struct files_struct *dirfsp,
+ struct smb_filename *smb_fname,
+ struct files_struct *fsp,
+ const struct vfs_open_how *how,
+ bool *p_file_created)
+{
+ NTSTATUS status;
+
+ status = fd_close(fsp);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ fsp->fsp_flags.is_pathref = false;
+
+ status = fd_open_atomic(dirfsp,
+ smb_fname,
+ fsp,
+ how,
+ p_file_created);
+ return status;
+}
+
NTSTATUS reopen_from_fsp(struct files_struct *dirfsp,
struct smb_filename *smb_fname,
struct files_struct *fsp,
@@ -896,7 +923,12 @@ NTSTATUS reopen_from_fsp(struct files_struct *dirfsp,
* point we get ENOENT. We
* have to retry pathbased.
*/
- goto namebased_open;
+ return reopen_from_fsp_namebased(dirfsp,
+ smb_fname,
+ fsp,
+ how,
+ p_file_created);
+
}
/* restore ENOENT if changed in the meantime */
errno = ENOENT;
@@ -916,22 +948,11 @@ NTSTATUS reopen_from_fsp(struct files_struct *dirfsp,
return NT_STATUS_OK;
}
-#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H)
-namebased_open:
-#endif
- /*
- * Close the existing pathref fd and set the fsp flag
- * is_pathref to false so we get a "normal" fd this time.
- */
- status = fd_close(fsp);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- fsp->fsp_flags.is_pathref = false;
-
- status = fd_open_atomic(dirfsp, smb_fname, fsp, how, p_file_created);
- return status;
+ return reopen_from_fsp_namebased(dirfsp,
+ smb_fname,
+ fsp,
+ how,
+ p_file_created);
}
/****************************************************************************
--
2.53.0
From 1f869b2d814930c4c97a9fff461a3ec2327f4503 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Wed, 8 Oct 2025 13:53:14 +0200
Subject: [PATCH 22/33] smbd: Refactor reopen_from_fsp(), factor out
automounter mountpoint check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/smbd/open.c | 66 +++++++++++++++++++++++++++------------------
1 file changed, 40 insertions(+), 26 deletions(-)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 8443ddd32d3..67bb9774429 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -874,6 +874,30 @@ static NTSTATUS reopen_from_fsp_namebased(struct files_struct *dirfsp,
return status;
}
+static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd)
+{
+#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H)
+ struct statfs sbuf = {};
+ int ret;
+
+ if (!S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
+ return false;
+ }
+
+ ret = fstatfs(old_fd, &sbuf);
+ if (ret == -1) {
+ DBG_ERR("fstatfs failed: %s\n", strerror(errno));
+ return false;
+ }
+ if (sbuf.f_type == AUTOFS_SUPER_MAGIC) {
+ return true;
+ }
+ return false;
+#else
+ return false;
+#endif
+}
+
NTSTATUS reopen_from_fsp(struct files_struct *dirfsp,
struct smb_filename *smb_fname,
struct files_struct *fsp,
@@ -908,33 +932,23 @@ NTSTATUS reopen_from_fsp(struct files_struct *dirfsp,
fsp,
how);
if (new_fd == -1) {
-#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H)
- if (S_ISDIR(fsp->fsp_name->st.st_ex_mode) &&
- (errno == ENOENT)) {
- struct statfs sbuf = {};
- int ret = fstatfs(old_fd, &sbuf);
- if (ret == -1) {
- DBG_ERR("fstatfs failed: %s\n",
- strerror(errno));
- } else if (sbuf.f_type == AUTOFS_SUPER_MAGIC) {
- /*
- * When reopening an as-yet
- * unmounted autofs mount
- * point we get ENOENT. We
- * have to retry pathbased.
- */
- return reopen_from_fsp_namebased(dirfsp,
- smb_fname,
- fsp,
- how,
- p_file_created);
-
- }
- /* restore ENOENT if changed in the meantime */
- errno = ENOENT;
+ int saved_errno = errno;
+ if (saved_errno == ENOENT &&
+ fsp_is_automount_mountpoint(fsp, old_fd))
+ {
+ /*
+ * When reopening an as-yet unmounted autofs
+ * mount point we get ENOENT. We have to retry
+ * pathbased.
+ */
+ return reopen_from_fsp_namebased(dirfsp,
+ smb_fname,
+ fsp,
+ how,
+ p_file_created);
}
-#endif
- status = map_nt_error_from_unix(errno);
+
+ status = map_nt_error_from_unix(saved_errno);
fd_close(fsp);
return status;
}
--
2.53.0
From d1f0323322b0c70998e901ad79aafcce795646a4 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Wed, 8 Oct 2025 14:17:27 +0200
Subject: [PATCH 23/33] smbd: Refactor reopen_from_fsp(), factor out pathref
based
Best viewed ignoring white space changes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/smbd/open.c | 117 +++++++++++++++++++++++++-------------------
1 file changed, 66 insertions(+), 51 deletions(-)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 67bb9774429..69c78ff563c 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -898,68 +898,83 @@ static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd)
#endif
}
-NTSTATUS reopen_from_fsp(struct files_struct *dirfsp,
- struct smb_filename *smb_fname,
- struct files_struct *fsp,
- const struct vfs_open_how *how,
- bool *p_file_created)
+static NTSTATUS reopen_from_fsp_pathref_based(
+ struct files_struct *dirfsp,
+ struct smb_filename *smb_fname,
+ struct files_struct *fsp,
+ const struct vfs_open_how *how,
+ bool *p_file_created)
{
NTSTATUS status;
- int old_fd;
+ struct sys_proc_fd_path_buf buf;
+ int pathref_fd = fsp_get_pathref_fd(fsp);
+ struct smb_filename proc_fname = {
+ .base_name = sys_proc_fd_path(pathref_fd, &buf),
+ };
+ mode_t mode = fsp->fsp_name->st.st_ex_mode;
+ int new_fd;
- if (fsp->fsp_flags.have_proc_fds &&
- ((old_fd = fsp_get_pathref_fd(fsp)) != -1)) {
+ if (S_ISLNK(mode)) {
+ return NT_STATUS_STOPPED_ON_SYMLINK;
+ }
+ if (!(S_ISREG(mode) || S_ISDIR(mode))) {
+ return NT_STATUS_IO_REPARSE_TAG_NOT_HANDLED;
+ }
- struct sys_proc_fd_path_buf buf;
- struct smb_filename proc_fname = {
- .base_name = sys_proc_fd_path(old_fd, &buf),
- };
- mode_t mode = fsp->fsp_name->st.st_ex_mode;
- int new_fd;
+ fsp->fsp_flags.is_pathref = false;
- if (S_ISLNK(mode)) {
- return NT_STATUS_STOPPED_ON_SYMLINK;
- }
- if (!(S_ISREG(mode) || S_ISDIR(mode))) {
- return NT_STATUS_IO_REPARSE_TAG_NOT_HANDLED;
+ new_fd = SMB_VFS_OPENAT(fsp->conn,
+ fsp->conn->cwd_fsp,
+ &proc_fname,
+ fsp,
+ how);
+ if (new_fd == -1) {
+ int saved_errno = errno;
+ if (saved_errno == ENOENT &&
+ fsp_is_automount_mountpoint(fsp, pathref_fd))
+ {
+ /*
+ * When reopening an as-yet unmounted autofs
+ * mount point we get ENOENT. We have to retry
+ * pathbased.
+ */
+ return reopen_from_fsp_namebased(dirfsp,
+ smb_fname,
+ fsp,
+ how,
+ p_file_created);
}
- fsp->fsp_flags.is_pathref = false;
+ status = map_nt_error_from_unix(saved_errno);
+ fd_close(fsp);
+ return status;
+ }
- new_fd = SMB_VFS_OPENAT(fsp->conn,
- fsp->conn->cwd_fsp,
- &proc_fname,
- fsp,
- how);
- if (new_fd == -1) {
- int saved_errno = errno;
- if (saved_errno == ENOENT &&
- fsp_is_automount_mountpoint(fsp, old_fd))
- {
- /*
- * When reopening an as-yet unmounted autofs
- * mount point we get ENOENT. We have to retry
- * pathbased.
- */
- return reopen_from_fsp_namebased(dirfsp,
- smb_fname,
- fsp,
- how,
- p_file_created);
- }
+ status = fd_close(fsp);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- status = map_nt_error_from_unix(saved_errno);
- fd_close(fsp);
- return status;
- }
+ fsp_set_fd(fsp, new_fd);
+ return NT_STATUS_OK;
+}
- status = fd_close(fsp);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+NTSTATUS reopen_from_fsp(struct files_struct *dirfsp,
+ struct smb_filename *smb_fname,
+ struct files_struct *fsp,
+ const struct vfs_open_how *how,
+ bool *p_file_created)
+{
+ int old_fd;
- fsp_set_fd(fsp, new_fd);
- return NT_STATUS_OK;
+ if (fsp->fsp_flags.have_proc_fds &&
+ ((old_fd = fsp_get_pathref_fd(fsp)) != -1))
+ {
+ return reopen_from_fsp_pathref_based(dirfsp,
+ smb_fname,
+ fsp,
+ how,
+ p_file_created);
}
return reopen_from_fsp_namebased(dirfsp,
--
2.53.0
From 55bddf76fe649ca7ba30f0645a199255f2698a70 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Wed, 8 Oct 2025 17:09:22 +0200
Subject: [PATCH 24/33] smbd: Fix crossing direct automounter mount points
The workaround implemented in commit ac7a16f9cc4bd97ef546d1b7b02605991000d0f9
to trigger automounts does not work for direct automounts (either with
systemd-automount or autofs daemon).
In direct automounts the mount point is a real directory instead of a "ghost"
directory so when turning the O_PATH handle into a real one through
/proc/self/fd/<fdnum> openat() does not return ENOENT, it returs a fd referring
to the mount point without triggering the mount.
To trigger the mount first we have to know when we are crossing mount points
by using the RESOLVE_NO_XDEV flag in open_how.resolve, then we can check with
fstatfs() the .f_type and fallback to a path-based open for automounts or
retry without RESOLVE_NO_XDEV otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/smbd/open.c | 71 ++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 67 insertions(+), 4 deletions(-)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 69c78ff563c..ea400c41aa8 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -913,6 +913,7 @@ static NTSTATUS reopen_from_fsp_pathref_based(
};
mode_t mode = fsp->fsp_name->st.st_ex_mode;
int new_fd;
+ struct vfs_open_how pathref_how = *how;
if (S_ISLNK(mode)) {
return NT_STATUS_STOPPED_ON_SYMLINK;
@@ -923,26 +924,88 @@ static NTSTATUS reopen_from_fsp_pathref_based(
fsp->fsp_flags.is_pathref = false;
+#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H)
+ /*
+ * There is no point in setting RESOLVE_NO_XDEV if we can't
+ * check with fstatfs later in fsp_is_automount_mountpoint
+ */
+ if (S_ISDIR(fsp->fsp_name->st.st_ex_mode) &&
+ fsp->conn->open_how_resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) {
+ /*
+ * If the *at cwd_fsp is a pathref (opened with O_PATH)
+ * and old_fd refers to an automounter mount point not
+ * yet mounted, we will get a fd referring to the
+ * mount point without actually triggering the mount
+ * (man 2 openat). To detect this situation set the
+ * RESOLVE_NO_XDEV flag so openat2 will return an
+ * error when crossing mount points. Then check
+ * with fstatfs if it is an autofs mount point or not,
+ * falling back to name-based openat or retry without
+ * RESOLVE_NO_XDEV otherwise (could be a bind mount,
+ * other type of mount of an automounter mount point
+ * already mounted).
+ */
+ pathref_how.resolve |= VFS_OPEN_HOW_RESOLVE_NO_XDEV;
+ }
+#endif
+
+retry:
new_fd = SMB_VFS_OPENAT(fsp->conn,
fsp->conn->cwd_fsp,
&proc_fname,
fsp,
- how);
+ &pathref_how);
if (new_fd == -1) {
int saved_errno = errno;
if (saved_errno == ENOENT &&
fsp_is_automount_mountpoint(fsp, pathref_fd))
{
/*
- * When reopening an as-yet unmounted autofs
- * mount point we get ENOENT. We have to retry
- * pathbased.
+ * This is a not yet triggered indirect automount
+ * detected by openat(pathref_fd). Retry name-based.
*/
return reopen_from_fsp_namebased(dirfsp,
smb_fname,
fsp,
how,
p_file_created);
+ } else if (saved_errno == EXDEV &&
+ pathref_how.resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV &&
+ fsp_is_automount_mountpoint(fsp, pathref_fd))
+ {
+ /*
+ * This is a not yet triggered direct or indirect
+ * automount, detected by
+ * openat2(pathref_fd, .., RESOLVE_NO_XDEV).
+ * Retry name-based.
+ */
+ return reopen_from_fsp_namebased(dirfsp,
+ smb_fname,
+ fsp,
+ how,
+ p_file_created);
+ } else if (saved_errno == ENOSYS &&
+ pathref_how.resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV)
+ {
+ /*
+ * The kernel doesn't support openat2() yet, or any
+ * VFS module rejected the flag. Notify to the user
+ * and retry without RESOLVE_NO_XDEV.
+ */
+ DBG_WARNING("Failed to open directory disallowing the "
+ "traversal of mount points during path "
+ "resolution. Retrying allowing traversal, "
+ "but automounts won't be triggered.\n");
+ pathref_how.resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV;
+ goto retry;
+ } else if (saved_errno == EXDEV &&
+ pathref_how.resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV)
+ {
+ /*
+ * Just crossing a mount. Retry allowing traversals.
+ */
+ pathref_how.resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV;
+ goto retry;
}
status = map_nt_error_from_unix(saved_errno);
--
2.53.0
From 4872b32c28d540618462ee186e91716c9ee3807c Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Fri, 2 May 2025 11:57:30 +0200
Subject: [PATCH 25/33] vfs:aio_pthread: Handle VFS_OPEN_HOW_RESOLVE_NO_XDEV
flag
This module uses openat() instead of openat2() so the flag won't be used and
automounts might not be triggered.
Disable flag usage for subsequent opens and return an error to callers to warn
the user and retry without the flag.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/modules/vfs_aio_pthread.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_aio_pthread.c b/source3/modules/vfs_aio_pthread.c
index bd0c94b8cce..afbaaedf7b5 100644
--- a/source3/modules/vfs_aio_pthread.c
+++ b/source3/modules/vfs_aio_pthread.c
@@ -457,7 +457,9 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle,
bool aio_allow_open = lp_parm_bool(
SNUM(handle->conn), "aio_pthread", "aio open", false);
- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) {
+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT |
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0)
+ {
errno = ENOSYS;
return -1;
}
@@ -498,6 +500,16 @@ static int aio_pthread_openat_fn(vfs_handle_struct *handle,
aio_allow_open = false;
}
+ if (how->resolve & VFS_OPEN_HOW_RESOLVE_NO_XDEV) {
+ /*
+ * RESOLVE_NO_XDEV needs openat2(). Disallow further usage of
+ * this flag and return ENOSYS to force a retry.
+ */
+ fsp->conn->open_how_resolve &= ~VFS_OPEN_HOW_RESOLVE_NO_XDEV;
+ errno = ENOSYS;
+ return -1;
+ }
+
if (!aio_allow_open) {
/* aio opens turned off. */
return SMB_VFS_NEXT_OPENAT(handle,
--
2.53.0
From e11fa05e10b1a5fadd7c73c87dcb68b048c73878 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Fri, 2 May 2025 12:11:01 +0200
Subject: [PATCH 26/33] vfs:ceph: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV flag
Don't return ENOSYS if the flag is set. It will be ignored,
does not make sense in a ceph virtual filesystem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/modules/vfs_ceph.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index 8ea7eb09099..4add6cf993e 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -472,7 +472,9 @@ static int cephwrap_openat(struct vfs_handle_struct *handle,
int result = -ENOENT;
int dirfd = -1;
- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) {
+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT |
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0)
+ {
errno = ENOSYS;
return -1;
}
--
2.53.0
From 4cd5f6c4c39ac172e3e3e9e2c11fa9be06f2ed38 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Tue, 30 Sep 2025 10:32:36 +0200
Subject: [PATCH 27/33] vfs:ceph_new: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV flag
Don't return ENOSYS if the flag is set. It will be ignored,
does not make sense in a ceph filesystem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/modules/vfs_ceph_new.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_ceph_new.c b/source3/modules/vfs_ceph_new.c
index 6ea8e56c155..37cff6fe051 100644
--- a/source3/modules/vfs_ceph_new.c
+++ b/source3/modules/vfs_ceph_new.c
@@ -2325,7 +2325,9 @@ static int vfs_ceph_openat(struct vfs_handle_struct *handle,
int result = -ENOENT;
START_PROFILE_X(SNUM(handle->conn), syscall_openat);
- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) {
+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT |
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0)
+ {
result = -ENOSYS;
goto err_out;
}
--
2.53.0
From 8f4ad32afca03b564d00a5a6795d4b4a50ae8c66 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Thu, 9 Oct 2025 12:30:17 +0200
Subject: [PATCH 28/33] vfs:glusterfs: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV
Don't return ENOSYS if the flag is set. It will be ignored as does not make
sense in this module.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/modules/vfs_glusterfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index 63dc7a30b04..4d7d96f2888 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -731,7 +731,9 @@ static int vfs_gluster_openat(struct vfs_handle_struct *handle,
START_PROFILE(syscall_openat);
- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) {
+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT |
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0)
+ {
END_PROFILE(syscall_openat);
errno = ENOSYS;
return -1;
--
2.53.0
From b41558ebe158f413d2cfa71478c3eeb5e1a201ec Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Fri, 2 May 2025 13:21:52 +0200
Subject: [PATCH 29/33] vfs:shadow_copy2: Allow RESOLVE_NO_XDEV flag
This module updates the path and calls the next VFS module.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/modules/vfs_shadow_copy2.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
index 449d08e8830..465a0f9d28e 100644
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -1563,7 +1563,9 @@ static int shadow_copy2_openat(vfs_handle_struct *handle,
int ret;
bool ok;
- if ((how.resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) {
+ if ((how.resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT |
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0)
+ {
errno = ENOSYS;
return -1;
}
--
2.53.0
From 49ac956d858b455291edd1330a8d428209728ea0 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Thu, 9 Oct 2025 12:52:11 +0200
Subject: [PATCH 30/33] vfs:streams_depot: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV
flag
The flag is passed down the modules stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/modules/vfs_streams_depot.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c
index 19b9356fd57..bcf5acf79b4 100644
--- a/source3/modules/vfs_streams_depot.c
+++ b/source3/modules/vfs_streams_depot.c
@@ -729,7 +729,9 @@ static int streams_depot_openat(struct vfs_handle_struct *handle,
handle, dirfsp, smb_fname, fsp, how);
}
- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) {
+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT |
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0)
+ {
errno = ENOSYS;
return -1;
}
--
2.53.0
From 7b875e245ec205ee083c5c4158933e0e42e8a064 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Thu, 9 Oct 2025 12:59:59 +0200
Subject: [PATCH 31/33] vfs:fruit: Allow RESOLVE_NO_XDEV flag
For stream opens, it returns a fake fd. The streams will be stored by
vfs_streams_depot or vfs_streams_xattr.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/modules/vfs_fruit.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 4da7c1efa07..812e3a351d2 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -1787,7 +1787,9 @@ static int fruit_openat(vfs_handle_struct *handle,
return fd;
}
- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) {
+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT |
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0)
+ {
errno = ENOSYS;
return -1;
}
--
2.53.0
From 97fb984b6c5c5fe1c562cd23980ea8e110438577 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Thu, 9 Oct 2025 13:05:16 +0200
Subject: [PATCH 32/33] vfs:streams_xattr: Allow VFS_OPEN_HOW_RESOLVE_NO_XDEV
The open function returns a fake fd. Extended attributes will be stored by
vfs_xattr_tdb or vfs_default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15805
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Tue Nov 18 09:08:38 UTC 2025 on atb-devel-224
---
source3/modules/vfs_streams_xattr.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c
index 58e5b1eb189..410cd793cd9 100644
--- a/source3/modules/vfs_streams_xattr.c
+++ b/source3/modules/vfs_streams_xattr.c
@@ -416,7 +416,9 @@ static int streams_xattr_openat(struct vfs_handle_struct *handle,
how);
}
- if ((how->resolve & ~VFS_OPEN_HOW_WITH_BACKUP_INTENT) != 0) {
+ if ((how->resolve & ~(VFS_OPEN_HOW_WITH_BACKUP_INTENT |
+ VFS_OPEN_HOW_RESOLVE_NO_XDEV)) != 0)
+ {
errno = ENOSYS;
return -1;
}
--
2.53.0
From 23aa86c38e049eb0f75bdd21d18c670abf2c6134 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Tue, 7 Apr 2026 16:28:05 +0200
Subject: [PATCH 33/33] smbdotconf: Add "automount fs types" to smb.conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This adds a new global parameter "automount fs types" that allows
administrators to configure additional filesystem types that should
trigger automounting, beyond the always-supported autofs filesystem.
To enable 'samba unaware FS' automounting, add:
automount fs types = 0x12345678
This allows e.g. ZFS snapshots in <dataset root>/.zfs/snapshot to be
mounted. To find out the magic number that is not listed
in /usr/include/linux/magic.h, run:
stat -f -c '0x%t' /path/to/mountpoint
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15991
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Apr 20 19:57:42 UTC 2026 on atb-devel-224
---
docs-xml/smbdotconf/misc/automountfstypes.xml | 24 ++++++++++++++
source3/smbd/open.c | 31 +++++++++++++++++++
2 files changed, 55 insertions(+)
create mode 100644 docs-xml/smbdotconf/misc/automountfstypes.xml
diff --git a/docs-xml/smbdotconf/misc/automountfstypes.xml b/docs-xml/smbdotconf/misc/automountfstypes.xml
new file mode 100644
index 00000000000..4c5bc510520
--- /dev/null
+++ b/docs-xml/smbdotconf/misc/automountfstypes.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="automount fs types"
+ context="G"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies a list of additional filesystem magic numbers
+ that should trigger automounting when accessed.</para>
+
+ <para>The values should be specified as hexadecimal numbers (with or without
+ 0x prefix), separated by spaces or commas.</para>
+
+ <para>Note: This parameter is only available on Linux systems.</para>
+
+ <para>To find the filesystem magic number for a mounted filesystem,
+ consult /usr/include/linux/magic.h or call:
+ <command>stat -f -c '0x%t' /path/to/mountpoint</command></para>
+
+ <para>Note: autofs (0x187) is always checked and does not need to be included
+ in this list.</para>
+</description>
+
+<value type="default"></value>
+<value type="example">0xA0B0C0D0 0x12345678</value>
+</samba:parameter>
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index ea400c41aa8..ae1ce208cba 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -42,6 +42,7 @@
#include "locking/leases_db.h"
#include "librpc/gen_ndr/ndr_leases_db.h"
#include "lib/util/time_basic.h"
+#include "lib/util/smb_strtox.h"
#include "source3/smbd/dir.h"
#if defined(HAVE_LINUX_MAGIC_H)
@@ -879,6 +880,8 @@ static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd)
#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H)
struct statfs sbuf = {};
int ret;
+ const char **fs_types_list = NULL;
+ int i;
if (!S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
return false;
@@ -892,6 +895,34 @@ static bool fsp_is_automount_mountpoint(struct files_struct *fsp, int old_fd)
if (sbuf.f_type == AUTOFS_SUPER_MAGIC) {
return true;
}
+
+ /* Check for additional filesystem types from configuration */
+ fs_types_list = lp_automount_fs_types();
+ if (fs_types_list == NULL) {
+ return false;
+ }
+
+ for (i = 0; fs_types_list[i] != NULL; i++) {
+ unsigned long long fs_type_val;
+ int error = 0;
+
+ fs_type_val = smb_strtoull(fs_types_list[i],
+ NULL,
+ 0,
+ &error,
+ SMB_STR_FULL_STR_CONV);
+ if (error != 0) {
+ DBG_WARNING(
+ "Invalid value in 'automount fs types': %s\n",
+ fs_types_list[i]);
+ continue;
+ }
+
+ if (sbuf.f_type == fs_type_val) {
+ return true;
+ }
+ }
+
return false;
#else
return false;
--
2.53.0
Reference in New Issue View Git Blame Copy Permalink