The branch, v4-21-stable has been updated
via 0b084c0bc6f VERSION: Disable GIT_SNAPSHOT for the 4.21.4 release.
via d79cf425c09 WHATSNEW: Add release notes for Samba 4.21.4.
via 1fe10a03c5d mdssvc: support a few more attributes
via 7b31e8ea82d vfs_gpfs: add gpfs:clamp_invalid_times
via e3b3db36171 ndr: fix coda logic around in ndr_pull_security_ace()
via b222d6ec73a pytest: add ndr packing tests for security descriptors
via cead38fb096 docs: Update documentation for 'sync machine password to keytab'
via 63b115a0092 s3:libads: Remove specifier for 'host' principal from 'sync machine password to keytab'
via 8d5384e965f docs-xml:smbdotconf: Document new options for 'sync machinepassword to keytab'
via 58a7666b678 s3: Add new keytab specifiers
via 55173721908 vfs_ceph_new:minor logging improvement
via 81d4b6467b2 vfs_ceph_new: add smbprofile for async-ops
via 5de7646e7f7 vfs_ceph_new: add profiling support
via 2aae61a8ad3 vfs_ceph_new: log open-flags upon release-fh
via a828997221d vfs_ceph_new: improved vfs-opers logging
via 12394b895a7 vfs_ceph_new: improved mount logging
via 6e0ca057961 vfs_ceph_new: improve mount cache-entry add
via 0aea2e374d5 vfs_ceph_new: improve mount cache-entry ref-count
via 79d6da01caa vfs_ceph_new: avoid setting errno in cephmount_cache_update
via ab29d3eb6ee vfs_ceph_new: refactor error-case in cephmount_mount_fs
via 3e00ee5a1ca vfs_ceph_new: switch to ceph_readdir_r
via 7302ea418a4 docs_xml/vfs_ceph_new: Add new proxy option
via 378f28e66ae wscript_build: Do not link vfs_ceph_new against libcephfs
via 50047d6fe64 vfs_ceph_new: Use function pointers for API calls
via 08e50814655 vfs_ceph_new: Pass module config to userperm helpers
via 8183c2cbf2b vfs_ceph_new: Hold a config reference in vfs_ceph_fh
via c176fe4c975 vfs_ceph_new: Call vfs_ceph_userperm_new with handle->conn
via 254c0846118 vfs_ceph_new: Populate function pointers with addresses
via 8f048690516 vfs_ceph_new: Add required function pointers to config
via 58631b66bf9 vfs_ceph_new: Dynamically open library for 'proxy' mode
via 7d6d1fa4c00 vfs_ceph_new: Introduce new parametric option 'proxy'
via 5f6622e04be vfs_ceph_new: Add a new struct to hold ceph module config
via 9aa97eb93bd vfs_ceph_new: implement DFS hooks using libcephfs low-level APIs
via 512514bbae4 s3-libnet: avoid using lp_dns_hostname() in join code
via 6e4c35f8007 selfest: add test for non-local offlinejoin provision
via 33edcf2cadb s3-libads: dump ADS_MODSLIST before attempting the LDAP modify
via 1f24b3ff23f sharesec: Check if share exists in configuration
via 22b7b4bd728 sharesec: Add function to check existence of share from config
via 2588668e44b param: Add API to load registry without share info
via a564f5dbad8 sharesec: Fix warning frame not freed in order
via 087972fded9 s3-sharesec: Add Test to verify command option "--view-all"
via 816f312a7fa s4:rpc_server/lsa: let LookupSids* behave like Windows 2022/2025
via 40145184e9e libcli/security: let dom_sid_lookup_predefined_sid() behave like Windows 2008R2
via 8d84240c40c python:tests/dcerpc/lsa: add tests for invalid LookupSids2 combinations
via bbe0fa97bc5 s4:pyrpc: allow connections with raise_result_exceptions=False
via 2caf09bf9cd pidl:Python: prepare code to avoid NTSTATUS/WERROR exceptions
via e83db7bd634 pidl:Python: handle NTSTATUS/WERROR exceptions first
via 07ef42d594a pidl:Python: separate logic to calculate the signature string
via 364b39ef370 pidl:Python: check PyTuple_New() return value
via 26001cecf4b pidl:Python: initialize pointers and add 'result' at the end
via 75c5435bb90 pidl:Python: introduce $is_raisable_return helper variable
via 8123af73519 pidl:Python: generate nicer code for PyNdrRpcMethodDef arrays
via bbbaf264d1b s3:auth: let check_sam_security() add NETLOGON_NTLMV2_ENABLED
via 3bbcf93686c s4:auth/ntlm: let authsam_check_password_internals() add NETLOGON_NTLMV2_ENABLED
via 1c9a1d5fd11 auth: Cleanup exit code paths in kerberos_decode_pac().
via 0387515d687 auth: Add missing talloc_free() in error code path.
via 81fc67cce2a lib:replace: Don't use deprecated readline CPPFunction cast
via 52f4e853c0b lib:replace: Remove trailing spaces from readline.h
via f3518ee95b6 lib:util: Fix stack-use-after-return in crypt_as_best_we_can()
via 720ecf666f2 util:datablob: data_blob_pad checks its alignment assumption
via 399d56fe13a pytest: password_hash uses internal _glue.crypt
via 332cd9f5861 samba-tool user: hashlib.sha1 is always present
via 0cc9a50269e samba-tool user: use _glue.crypt, not crypt.crypt
via 4004f475c4d pytest: test that _glue.crypt works
via 48297d18171 pyglue: add crypt() function
via bbd30dc1d5d util: add a crypt strerror helper
via 07b6b341781 dsdb:password_hash: use talloc_crypt_blob()
via 9428e088b1f dsdb:password_hash: move hash_blob allocation up
via 0dccda38f27 util: add a crypt wrapper, derived from dsdb:password_hash
via ff60445563c s4:dsdb: fix logic of dsdb_trust_routing_by_name()
via e903d8aa33f s4:scripting: fix gen_hresult.py
via 25a188f352a VERSION: Bump version up to Samba 4.21.4...
from 0dba5ef975a VERSION: Disable GIT_SNAPSHOT for the 4.21.3 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 90 +-
auth/kerberos/kerberos_pac.c | 87 +-
docs-xml/manpages/net.8.xml | 24 +-
docs-xml/manpages/vfs_ceph_new.8.xml | 29 +
docs-xml/manpages/vfs_gpfs.8.xml | 29 +
.../security/syncmachinepasswordtokeytab.xml | 41 +-
lib/replace/system/readline.h | 10 +-
lib/util/data_blob.c | 2 +-
lib/util/util_crypt.c | 122 ++
lib/util/util_crypt.h | 7 +
lib/util/wscript_build | 6 +
libcli/security/util_sid.c | 5 +-
libcli/smbreadline/wscript_configure | 8 +-
librpc/ndr/ndr_sec_helper.c | 5 +-
pidl/lib/Parse/Pidl/Samba4/Python.pm | 157 +-
python/pyglue.c | 41 +
python/samba/netcmd/user/readpasswords/common.py | 37 +-
python/samba/tests/dcerpc/lsa.py | 226 ++-
python/samba/tests/glue.py | 65 +
python/samba/tests/ndr/sd.py | 623 +++++++
python/samba/tests/password_hash.py | 4 +-
python/wscript | 1 +
selftest/target/Samba3.pm | 7 +-
selftest/tests.py | 1 +
source3/auth/check_samsec.c | 2 +
source3/libads/kerberos_keytab.c | 626 ++++---
source3/libads/ldap.c | 66 +
source3/libnet/libnet_join.c | 9 +-
source3/modules/vfs_ceph_new.c | 1771 ++++++++++++++------
source3/modules/vfs_gpfs.c | 43 +-
source3/modules/wscript_build | 2 +-
source3/param/loadparm.c | 11 +
source3/param/loadparm.h | 1 +
source3/rpc_server/mdssvc/mdssvc.c | 23 +-
source3/script/tests/test_sharesec.sh | 8 +
source3/script/tests/test_update_keytab.sh | 401 +++--
source3/utils/sharesec.c | 88 +-
source4/auth/ntlm/auth_sam.c | 1 +
source4/dsdb/common/util_trusts.c | 26 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 88 +-
.../dsdb/samdb/ldb_modules/wscript_build_server | 2 +-
source4/librpc/rpc/pyrpc.h | 1 +
source4/librpc/rpc/pyrpc_util.c | 27 +-
source4/librpc/rpc/pyrpc_util.h | 2 +-
source4/rpc_server/lsa/lsa_lookup.c | 15 +
source4/scripting/bin/gen_hresult.py | 4 +-
testprogs/blackbox/test_net_offline.sh | 14 +
48 files changed, 3718 insertions(+), 1142 deletions(-)
create mode 100644 lib/util/util_crypt.c
create mode 100644 lib/util/util_crypt.h
create mode 100644 python/samba/tests/ndr/sd.py
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index ba6611968d1..a8a8ae01d2a 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the
Samba Team 1992-2024"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=21
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
########################################################
# If a official release has a serious bug #
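Review bot: the SAMBA_COPYRIGHT_STRING shown in this hunk's header context still ends at 1992-2024, while the release notes in the same push date 4.21.4 to February 17, 2025. If the range is meant to follow the release year, update it to 1992-2025 together with the SAMBA_VERSION_RELEASE bump so the two do not drift apart.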
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 63971826231..6d5e65dd043 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,90 @@
+ ==============================
+ Release Notes for Samba 4.21.4
+ February 17, 2025
+ ==============================
+
+
+This is the latest stable release of the Samba 4.21 release series.
+
+
+Changes since 4.21.3
+--------------------
+
+o Vinit Agnihotri <[email protected]>
+ * BUG 15780: Increasing slowness of sharesec performance with high number of
+ registry shares.
+
+o Jeremy Allison <[email protected]>
+ * BUG 15782: winbindd shows memleak in kerberos_decode_pac.
+
+o Douglas Bagnall <[email protected]>
+ * BUG 15738: Creation of GPOs applicable to more than one group is
impossible
+ with Samba 4.20.0 and later.
+ * BUG 15756: Replace `crypt` module in
+ python/samba/netcmd/user/readpasswords/common.py.
+
+o Ralph Boehme <[email protected]>
+ * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
+ * BUG 15796: Spotlight search results don't show file size and creation
date.
+
+o Guenther Deschner <[email protected]>
+ * BUG 15703: General improvements for vfs_ceph_new module.
+ * BUG 15777: net offlinejoin not working correctly.
+ * BUG 15780: Increasing slowness of sharesec performance with high number of
+ registry shares.
+
+o Pavel Filipenský <[email protected]>
+ * BUG 15759: net ads create/join/winbind producing unix dysfunctional
+ keytabs.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 14213: Windows Explorer crashes on S-1-22-* Unix-SIDs when accessing
+ security tab.
+ * BUG 15769: The values from hresult_errstr_const and hresult_errstr are
+ reversed in 4.20 and 4.21.
+ * BUG 15778: Kerberos referral tickets are generated for principals in our
+ domain if we have a trust to a top level domain.
+ * BUG 15783: NETLOGON_NTLMV2_ENABLED is missing in the SamLogon* user_flags
+ field.
+
+o Anoop C S <[email protected]>
+ * BUG 15703: General improvements for vfs_ceph_new module.
+
+o Andreas Schneider <[email protected]>
+ * BUG 15784: Regression: stack-use-after-return in crypt_as_best_we_can().
+ * BUG 15788: libreplace:readline: gcc 15 complains about incompatible
pointer
+ types.
+
+o Shachar Sharon <[email protected]>
+ * BUG 15703: General improvements for vfs_ceph_new module.
+
+o Shweta Sodani <[email protected]>
+ * BUG 15703: General improvements for vfs_ceph_new module.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.21.3
January 06, 2025
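Review bot: the "Changes since 4.21.3" list gives only Bugzilla titles, so the configuration-visible changes in this push are not called out anywhere an administrator would look. The commit list and the man page hunks further down add new specifiers for 'sync machine password to keytab', the option gpfs:clamp_invalid_times and the option ceph_new:proxy; a short paragraph above the per-author list naming those three, and saying that the default keytab contents change for 'secrets and keytab', would let people upgrading from 4.21.3 know what to re-check. BUG 15784 (stack-use-after-return in crypt_as_best_we_can()) is a memory-safety regression and also deserves a sentence saying which releases carry it.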
@@ -58,8 +145,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.21.2
November 25, 2024
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index b6272ac15eb..4c61cfe838f 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -137,7 +137,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
time_t tgs_authtime,
struct PAC_DATA **pac_data_out)
{
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_NO_MEMORY;
enum ndr_err_code ndr_err;
krb5_error_code ret;
DATA_BLOB modified_pac_blob;
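Review bot: initialising status to NT_STATUS_NO_MEMORY at its declaration means a later `goto out` that forgets to assign status will report an allocation failure instead of being caught as an unset variable. The allocation check in the next hunk already assigns `status = NT_STATUS_NO_MEMORY;` explicitly, so the initialiser is only a fallback; a value that cannot be mistaken for a real cause, such as NT_STATUS_INTERNAL_ERROR, would make a missed assignment easier to spot in logs.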
@@ -173,8 +173,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
kdc_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
srv_sig_wipe = talloc(tmp_ctx, struct PAC_SIGNATURE_DATA);
if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
- talloc_free(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
}
ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data,
@@ -183,15 +183,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the PAC: %s\n",
nt_errstr(status)));
- talloc_free(tmp_ctx);
- return status;
+ goto out;
}
if (pac_data->num_buffers < 4) {
/* we need logon_info, service_key and kdc_key */
DEBUG(0,("less than 4 PAC buffers\n"));
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
ndr_err = ndr_pull_struct_blob(
@@ -201,15 +200,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the PAC: %s\n",
nt_errstr(status)));
- talloc_free(tmp_ctx);
- return status;
+ goto out;
}
if (pac_data_raw->num_buffers < 4) {
/* we need logon_info, service_key and kdc_key */
DEBUG(0,("less than 4 PAC buffers\n"));
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
if (pac_data->num_buffers != pac_data_raw->num_buffers) {
@@ -217,8 +215,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
DEBUG(0, ("misparse! PAC_DATA has %d buffers while "
"PAC_DATA_RAW has %d\n", pac_data->num_buffers,
pac_data_raw->num_buffers));
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
for (i=0; i < pac_data->num_buffers; i++) {
@@ -229,8 +227,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
DEBUG(0, ("misparse! PAC_DATA buffer %d has type "
"%d while PAC_DATA_RAW has %d\n", i,
data_buf->type, raw_buf->type));
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
switch (data_buf->type) {
case PAC_TYPE_LOGON_INFO:
@@ -263,26 +261,26 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
if (!logon_info) {
DEBUG(0,("PAC no logon_info\n"));
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
if (!logon_name) {
DEBUG(0,("PAC no logon_name\n"));
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
if (!srv_sig_ptr || !srv_sig_blob) {
DEBUG(0,("PAC no srv_key\n"));
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
if (!kdc_sig_ptr || !kdc_sig_blob) {
DEBUG(0,("PAC no kdc_key\n"));
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
/* Find and zero out the signatures,
@@ -297,8 +295,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the KDC signature: %s\n",
nt_errstr(status)));
- talloc_free(tmp_ctx);
- return status;
+ goto out;
}
ndr_err = ndr_pull_struct_blob(
@@ -308,8 +305,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the SRV signature: %s\n",
nt_errstr(status)));
- talloc_free(tmp_ctx);
- return status;
+ goto out;
}
/* Now zero the decoded structure */
@@ -326,8 +322,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the KDC signature: %s\n",
nt_errstr(status)));
- talloc_free(tmp_ctx);
- return status;
+ goto out;
}
ndr_err = ndr_push_struct_blob(
srv_sig_blob, pac_data_raw, srv_sig_wipe,
@@ -336,8 +331,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the SRV signature: %s\n",
nt_errstr(status)));
- talloc_free(tmp_ctx);
- return status;
+ goto out;
}
/* push out the whole structure, but now with zero'ed signatures */
@@ -348,8 +342,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the RAW PAC: %s\n",
nt_errstr(status)));
- talloc_free(tmp_ctx);
- return status;
+ goto out;
}
if (service_keyblock) {
@@ -360,7 +353,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
if (ret) {
DEBUG(5, ("PAC Decode: Failed to verify the service "
"signature: %s\n", error_message(ret)));
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
if (krbtgt_keyblock) {
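Review bot: the service-signature failure in this hunk is logged with DEBUG(5, ...) while the KDC-signature failure in the next hunk uses DEBUG(1, ...), so a PAC rejected on the service key is far less visible in logs than one rejected on the krbtgt key. Since this branch is being touched anyway (the removed `return NT_STATUS_ACCESS_DENIED;` is the one failure return in the visible diff that had no talloc_free(tmp_ctx) in front of it), consider using the same level for both verification failures and, for consistency with the KDC branch, smb_get_krb5_error_message() rather than error_message().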
@@ -370,8 +364,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
if (ret) {
DEBUG(1, ("PAC Decode: Failed to verify the KDC
signature: %s\n",
smb_get_krb5_error_message(context,
ret, tmp_ctx)));
- talloc_free(tmp_ctx);
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
}
}
@@ -387,8 +381,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
nt_time_string(tmp_ctx,
logon_name->logon_time)));
DEBUG(2, ("PAC Decode: Ticket: %s\n",
nt_time_string(tmp_ctx,
tgs_authtime_nttime)));
- talloc_free(tmp_ctx);
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
}
@@ -400,8 +394,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
if (ret) {
DEBUG(2, ("Could not unparse name from ticket to match
with name from PAC: [%s]:%s\n",
logon_name->account_name,
error_message(ret)));
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
bool_ret = strcmp(client_principal_string,
logon_name->account_name) == 0;
@@ -412,8 +406,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
logon_name->account_name,
client_principal_string));
SAFE_FREE(client_principal_string);
- talloc_free(tmp_ctx);
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
SAFE_FREE(client_principal_string);
@@ -434,10 +428,15 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
}
if (pac_data_out) {
- *pac_data_out = talloc_steal(mem_ctx, pac_data);
+ *pac_data_out = talloc_move(mem_ctx, &pac_data);
}
- return NT_STATUS_OK;
+ status = NT_STATUS_OK;
+
+ out:
+
+ TALLOC_FREE(tmp_ctx);
+ return status;
}
NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
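Review bot: in the hunks shown, *pac_data_out is assigned only on the success path, so after any `goto out` the caller's pointer keeps whatever value it had on entry. Setting `*pac_data_out = NULL` near the top of the function (when pac_data_out is non-NULL) would make the failure state explicit for callers that test the pointer rather than the NTSTATUS. On style, the `out:` label is indented by one space and followed by an empty line before TALLOC_FREE(tmp_ctx); putting the label in column 0 with the free directly under it would match the usual layout for cleanup labels.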
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index f388644172f..a5f004d6e12 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1549,29 +1549,25 @@ to show in the result.
<para>
Since Samba 4.21.0, keytab file is created as specified in <smbconfoption
-name="sync machine password to keytab"/>. The keytab is created only for
+name="sync machine password to keytab"/> . The keytab can be created only when
+machine password is available in secrets.tdb, i.e. only for
<smbconfoption name="kerberos method">secrets only</smbconfoption> and
<smbconfoption name="kerberos method">secrets and keytab</smbconfoption>. With
the smb.conf default values for <smbconfoption name="kerberos method"> secrets
only</smbconfoption> and <smbconfoption name="sync machine password to
keytab"/>
(default is empty) the keytab is not generated at all. Keytab with a default
-name and SPNs synced from AD is created for <smbconfoption name="kerberos
-method">secrets and keytab</smbconfoption> if <smbconfoption name="sync machine
-password to keytab"/> is missing.
+name containing: SPNs synced from AD, account name COMPUTER$ and principal
+host/dns_hostname is created for <smbconfoption name="kerberos method">secrets
+and keytab</smbconfoption> if <smbconfoption name="sync machine password to
+keytab"/> is missing.
</para>
<para>
-Till Samba 4.20.0, two more entries were created by default: the machinename of
-the client (ending with '$') and the UPN (host/domain@REALM). If these two
-entries are still needed, each must be specified in an own keytab file.
-Example below will generate three keytab files that contain SPNs synced from
-AD, host UPN and machine$ SPN:
+Till Samba 4.20, these entries were created by default: the account name
+COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates
+such keytab:
</para>
<programlisting>
-<smbconfoption name="sync machine password to keytab">
-/etc/krb5.keytab0:sync_spns:machine_password,
-/etc/krb5.keytab1:spns=host/[email protected]:machine_password,
-/etc/krb5.keytab2:account_name:machine_password
-</smbconfoption>
+<smbconfoption name="sync machine password to
keytab">/etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
</programlisting>
<para>
No changes are made to the computer AD account.
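Review bot: the added line `name="sync machine password to keytab"/> . The keytab can be created only when` leaves a stray space before the full stop, which will render as "keytab ." in the man page. The new wording also mixes "Since Samba 4.21.0" with "Till Samba 4.20", and "Keytab with a default name containing: SPNs synced from AD, ..." reads as if the name contains the SPNs; suggest "A keytab with the default name, containing ...", and stating the version boundary once with full version numbers.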
diff --git a/docs-xml/manpages/vfs_ceph_new.8.xml
b/docs-xml/manpages/vfs_ceph_new.8.xml
index b0640a591a5..eaf5b66cceb 100644
--- a/docs-xml/manpages/vfs_ceph_new.8.xml
+++ b/docs-xml/manpages/vfs_ceph_new.8.xml
@@ -152,6 +152,35 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ceph_new:proxy = [ yes | no | auto ]</term>
+ <listitem>
+ <para>
+ Allows one to indicate use of the libcephfs proxy
library
+ for optimized resource utilization, allowing more
simultaneous
+ client connections. Prerequisites include the presence
of
+ <emphasis>libcephfs_proxy.so.X</emphasis> shared
library file
+ under loadable locations for dynamic linker and an
active(running)
+ <emphasis>libcephfsd</emphasis> daemon.
+ </para>
+
+ <itemizedlist>
+ <listitem><para><constant>no</constant> (default) - Do
+ not use the proxy library but regular connection through
+ <emphasis>libcephfs.so.X</emphasis>.</para></listitem>
+
+ <listitem><para><constant>yes</constant> - Always use
+ the proxy library and fail the client connection request
+ if prerequisites are unmet.</para></listitem>
+
+ <listitem><para><constant>auto</constant> - Attempt to
+ use the proxy library but fall back to the regular
cephfs
+ connection if prerequisites are unmet.</para></listitem>
+
+ </itemizedlist>
+
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
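Review bot: the description of `auto` says it falls back to the regular cephfs connection "if prerequisites are unmet" but not how an administrator can tell which mode a given connection ended up in. Since the proxy library is located through the dynamic linker's search path at run time, the man page should say whether the chosen library and any fallback are logged, and at which log level, so that an unexpected fallback (or an unexpected libcephfs_proxy.so.X being picked up) can be detected. Minor: "active(running)" is missing a space.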
diff --git a/docs-xml/manpages/vfs_gpfs.8.xml b/docs-xml/manpages/vfs_gpfs.8.xml
index 29f2ac453f0..cee12cd3f94 100644
--- a/docs-xml/manpages/vfs_gpfs.8.xml
+++ b/docs-xml/manpages/vfs_gpfs.8.xml
@@ -316,6 +316,35 @@
</varlistentry>
+ <varlistentry>
+ <term>gpfs:clamp_invalid_times = [ yes | no ]</term>
+ <listitem>
+ <para>
+ GPFS stores timestamps using 32-bit unsigned integers for the
+ seconds component. When using gpfs:settimes = yes, this module
+ validates times that clients attempt to set are within the
+ supported GPFS range between 0 and UINT32_MAX. If a timestamp is
+ outside of this range, the client request is rejected. To cope
+ with clients setting eg temporary timestamps outside the valid
+ range, this parameter can be used to clamp the client timestamp
+ to the allowed range. Times before Thu Jan 1 12:00:00 AM UTC
+ 1970 (the UNIX epock) are then set to Thu Jan 1 12:00:00 AM UTC
+ 1970, times after Sun Feb 7 06:28:15 AM UTC 2106 will be set to
+ Sun Feb 7 06:28:15 AM UTC 2106.
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ <command>no(default)</command> - Fail request with invalid time.
+ </para></listitem>
+ <listitem><para>
+ <command>yes</command> - clamp invalid times to 0 or UINT32_MAX.
+ </para></listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+
+
<varlistentry>
<term>gpfs:syncio = [yes|no]</term>
<listitem>
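Review bot: "the UNIX epock" in the added paragraph is a typo for "epoch", and "eg" should be "e.g.". The limits are written as "Thu Jan 1 12:00:00 AM UTC 1970" and "Sun Feb 7 06:28:15 AM UTC 2106"; 12-hour notation for midnight is easy to misread, so 1970-01-01 00:00:00 UTC and 2106-02-07 06:28:15 UTC would be clearer. `<command>no(default)</command>` puts the "(default)" marker inside the command markup; the vfs_ceph_new page in this same push writes it as `<constant>no</constant> (default)`. It is also worth one sentence stating that with `yes` the stored timestamp differs from what the client sent, since that matters to anyone comparing file times across systems.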
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index f7dc30023d4..ec3fffc1119 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -24,36 +24,48 @@ synchronization.
Each string has this form:
<programlisting>
-absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
+absolute_path_to_keytab:spn_spec[:spn_spec]*[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
</programlisting>
-where spn_spec can have exactly one of these four forms:
+spn_spec can be specified multiple times (separated using ':') and each
spn_spec can have exactly one of these forms:
<programlisting>
account_name
+sync_account_name
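Review bot: the new format line `absolute_path_to_keytab:spn_spec[:spn_spec]*[:sync_etypes]...` uses ':' both between repeated spn_spec entries and between the trailing option keywords, and mixes a regex-style `*` with the bracket notation used for optional fields. The text should say how a field is recognised as an spn_spec rather than an option (for example, whether order matters or the keywords are reserved) and describe the repetition in words. The changeset is truncated right after `+sync_account_name`, so the description of that new form is not visible here; please make sure it explains how it differs from `account_name`.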
--
Samba Shared Repository