The branch, v4-22-stable has been updated
       via  64a23714e6d VERSION: Disable GIT_SNAPSHOT for the 4.22.2 release.
       via  2fbf88cb964 WHATSNEW: Add release notes for Samba 4.22.2.
       via  baea7672858 CVE-2025-0620: smbd: smbd doesn't pick up group 
membership changes when re-authenticating an expired SMB session
       via  43698c834c3 smbd: use fsp->name_hash in check_parent_access_fsp()
       via  0527b007031 smbd: remove parent_dirname_compatible_open()
       via  4cc5ed62dd3 selftest: stop running smb2.streams against the 
ad_dc_ntvfs
       via  44811da2e66 selftest: stop running smb2.streams against "ad_dc" 
environment
       via  9b651c01be1 smbd: implement H-lease breaks on parent directory of 
rename target
       via  4874eb99e6e smbd: add access_mask to 
delay_for_handle_lease_break_send()
       via  2b8ac68790f smbd: add has_delete_access_opens()
       via  b171beb860c smbd: support breaking leases on an object where we 
don't have an own internal open
       via  4c62ed11087 smbd: expand logging in contend_dirleases()
       via  e23cddcc2e6 smbtorture: fix test smb2.notify-inotify.inotify-rename
       via  edd94c6d709 smbtorture: add test smb2.dirlease.rename_dst_parent
       via  31f4023ce9f smbtorture: add support for closing a handle when 
receiving a lease break
       via  0939ddae86b smbtorture: make torture_lease_break_callback() static
       via  b58ffb3b149 smbtorture: remove unused torture_lease_ignore_handler()
       via  0c47b4e7ca2 ctdb-daemon: Modernise some DEBUGs
       via  64e92bc93d1 ctdb-daemon: Add configuration option shutdown extra 
timeout
       via  302af7a928e ctdb-daemon: Run "startipreallocate" event in SHUTDOWN 
runstate
       via  8b49433a41b ctdb-daemon: Add configuration option shutdown failover 
timeout
       via  9e4b88f800b ctdb-daemon: Add failover on shutdown
       via  ee3415e3c86 ctdb-protocol: Add CTDB server SRVID range
       via  b0a66c42704 ctdb-daemon: Avoid aborting during early shutdown
       via  6f21f9527d6 s3:rpc_server: make sure we can bind to the same port 
on all ip addresses
       via  77e490b018a vfs_ceph_snapshots: Always calculate absolute snapshot 
path
       via  501f32eab61 vfs_ceph_snapshots: Use full path from dirfsp at 
smb_fname
       via  c9064d2372b lib/krb5_wrap: Fix placement of TALLOC_FREE(frame)
       via  46d661f5a90 VERSION: Bump version up to Samba 4.22.2...
      from  86e867d7008 VERSION: Disable GIT_SNAPSHOT for the 4.22.1 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                    |   2 +-
 WHATSNEW.txt                               |  87 ++++++++++-
 ctdb/conf/ctdb_config.c                    |   8 +
 ctdb/conf/ctdb_config.h                    |   2 +
 ctdb/conf/failover_conf.c                  |  12 ++
 ctdb/conf/failover_conf.h                  |   3 +
 ctdb/doc/ctdb.conf.5.xml                   |  50 +++++++
 ctdb/protocol/protocol.h                   |   7 +
 ctdb/server/ctdb_daemon.c                  | 229 ++++++++++++++++++++++++++++-
 ctdb/server/ctdb_monitor.c                 |  18 +++
 ctdb/server/ctdb_takeover.c                |   5 +-
 ctdb/tests/UNIT/cunit/config_test_001.sh   |   2 +
 lib/krb5_wrap/krb5_samba.c                 |   3 +-
 selftest/knownfail                         |   3 -
 source3/modules/vfs_ceph_snapshots.c       |  36 ++---
 source3/rpc_server/rpc_sock_helper.c       | 114 +++++++++-----
 source3/selftest/tests.py                  |   1 -
 source3/smbd/close.c                       |  41 ++++++
 source3/smbd/conn.c                        |   4 +-
 source3/smbd/open.c                        |  11 +-
 source3/smbd/proto.h                       |   5 +
 source3/smbd/smb2_close.c                  |   1 +
 source3/smbd/smb2_oplock.c                 |  32 ++--
 source3/smbd/smb2_reply.c                  |  48 ------
 source3/smbd/smb2_setinfo.c                | 180 +++++++++++++++++++++++
 source3/smbd/smbXsrv_session.c             |   1 +
 source4/selftest/tests.py                  |   1 +
 source4/torture/smb2/lease.c               | 110 ++++++++++++++
 source4/torture/smb2/lease_break_handler.c |  44 ++++--
 source4/torture/smb2/lease_break_handler.h |   7 +-
 source4/torture/smb2/notify.c              |   6 +-
 source4/torture/smb2/streams.c             |  20 ++-
 32 files changed, 929 insertions(+), 164 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 6af89d009a7..5b8bfb01ce6 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2025"
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=22
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ef1a223266a..8b98a91f28a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,87 @@
+                   ==============================
+                   Release Notes for Samba 4.22.2
+                           June 05, 2025
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.22 release series.
+It contains the security-relevant bugfix CVE-2025-0620:
+
+    smbd doesn't pick up group membership changes
+    when re-authenticating an expired SMB session
+    https://www.samba.org/samba/security/CVE-2025-0620.html
+
+
+Description of CVE-2025-0620
+-----------------------------
+
+    With Kerberos authentication SMB sessions typically have an
+    associated lifetime, requiring re-authentication by the
+    client when the session expires. As part of the
+    re-authentication, Samba receives the current group
+    membership information and is expected to reflect this
+    change in further SMB request processing.
+
+    For historic reasons, Samba maintains a cache of
+    associations between a user's impersonation information and
+    connected shares. A recent change in this cache caused Samba
+    to not reflect group membership changes from session
+    re-authentication when processing further SMB requests.
+
+    As a result, when an administrator removes a user from a
+    particular group in Active Directory, this change will not
+    become effective unless the user disconnects from the server
+    and establishes a new connection.
+
+
+Changes since 4.22.1
+--------------------
+
+o  Ralph Boehme <[email protected]>
+   * BUG 15707: (CVE-2025-0620) [SECURITY] CVE-2025-0620: smbd doesn't pick up
+     group membership changes when re-authenticating an expired SMB
+     session.
+   * BUG 15861: Profile sync fails due to Directory Leases.
+
+o  Pavel Filipenský <[email protected]>
+   * BUG 15727: net ad join fails with "Failed to join domain: failed to create
+     kerberos keytab".
+
+o  Stefan Metzmacher <[email protected]>
+   * BUG 15851: dcerpcd not able to bind to listening port.
+
+o  Anoop C S <[email protected]>
+   * BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any
+     level beyond share root.
+
+o  Martin Schwenke <[email protected]>
+   * BUG 15858: CTDB does not put nodes running NFS into grace on graceful
+     shutdown.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.22.1
                            April 17, 2025
@@ -74,8 +158,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.22.0
                           March 06, 2025
diff --git a/ctdb/conf/ctdb_config.c b/ctdb/conf/ctdb_config.c
index f75bf374a80..d9f6f3a5457 100644
--- a/ctdb/conf/ctdb_config.c
+++ b/ctdb/conf/ctdb_config.c
@@ -110,6 +110,14 @@ static void setup_config_pointers(struct conf_context 
*conf)
                                    FAILOVER_CONF_SECTION,
                                    FAILOVER_CONF_DISABLED,
                                    &ctdb_config.failover_disabled);
+       conf_assign_integer_pointer(conf,
+                                   FAILOVER_CONF_SECTION,
+                                   FAILOVER_CONF_SHUTDOWN_EXTRA_TIMEOUT,
+                                   &ctdb_config.shutdown_extra_timeout);
+       conf_assign_integer_pointer(conf,
+                                   FAILOVER_CONF_SECTION,
+                                   FAILOVER_CONF_SHUTDOWN_FAILOVER_TIMEOUT,
+                                   &ctdb_config.shutdown_failover_timeout);
 
        /*
         * Legacy
diff --git a/ctdb/conf/ctdb_config.h b/ctdb/conf/ctdb_config.h
index 575e3045fa4..01195a4c9f5 100644
--- a/ctdb/conf/ctdb_config.h
+++ b/ctdb/conf/ctdb_config.h
@@ -44,6 +44,8 @@ struct ctdb_config {
 
        /* Failover */
        bool failover_disabled;
+       int shutdown_extra_timeout;
+       int shutdown_failover_timeout;
 
        /* Legacy */
        bool realtime_scheduling;
diff --git a/ctdb/conf/failover_conf.c b/ctdb/conf/failover_conf.c
index 3f9f749fcae..424021b7a22 100644
--- a/ctdb/conf/failover_conf.c
+++ b/ctdb/conf/failover_conf.c
@@ -50,4 +50,16 @@ void failover_conf_init(struct conf_context *conf)
                            FAILOVER_CONF_DISABLED,
                            false,
                            check_static_boolean_change);
+
+       conf_define_integer(conf,
+                           FAILOVER_CONF_SECTION,
+                           FAILOVER_CONF_SHUTDOWN_EXTRA_TIMEOUT,
+                           0,
+                           NULL);
+
+       conf_define_integer(conf,
+                           FAILOVER_CONF_SECTION,
+                           FAILOVER_CONF_SHUTDOWN_FAILOVER_TIMEOUT,
+                           10,
+                           NULL);
 }
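Review bot: Both new `conf_define_integer()` calls pass `NULL` as the last argument, which appears to be the validation callback, so `shutdown failover timeout` and `shutdown extra timeout` accept any integer, including negative or very large values. The consumer in ctdb_daemon.c treats anything `<= 0` as disabled, so a negative typo silently turns off failover on shutdown, while an oversized value could hold up node shutdown for that long. Consider passing a small validator that rejects negative values (and perhaps caps the upper bound), in the way the `disabled` option just above passes `check_static_boolean_change`. A short comment such as `/* seconds; 0 disables */` beside each default would also help. failover_conf_init() begins outside the hunk.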
diff --git a/ctdb/conf/failover_conf.h b/ctdb/conf/failover_conf.h
index d7ac0ac507d..08f5fb8939c 100644
--- a/ctdb/conf/failover_conf.h
+++ b/ctdb/conf/failover_conf.h
@@ -25,6 +25,9 @@
 #define FAILOVER_CONF_SECTION "failover"
 
 #define FAILOVER_CONF_DISABLED "disabled"
+#define FAILOVER_CONF_SHUTDOWN_EXTRA_TIMEOUT "shutdown extra timeout"
+#define FAILOVER_CONF_SHUTDOWN_FAILOVER_TIMEOUT "shutdown failover timeout"
+
 
 void failover_conf_init(struct conf_context *conf);
 
diff --git a/ctdb/doc/ctdb.conf.5.xml b/ctdb/doc/ctdb.conf.5.xml
index 7bdbc038f7d..048e02196bb 100644
--- a/ctdb/doc/ctdb.conf.5.xml
+++ b/ctdb/doc/ctdb.conf.5.xml
@@ -496,6 +496,56 @@
        </listitem>
       </varlistentry>
 
+      <varlistentry>
+       <term>shutdown extra timeout = <parameter>TIMEOUT</parameter></term>
+       <listitem>
+         <para>
+           CTDB will wait for TIMEOUT seconds after failover
+           completes during shutdown.  This can provide extra time
+           for SMB durable handles to be reclaimed.  If set to 0 then
+           no extra timeout occurs.
+         </para>
+         <para>
+           This timeout only occurs if both of the following
+           conditions are true:
+         </para>
+         <itemizedlist>
+           <listitem>
+             <para>
+               shutdown failover timeout (below) is not 0
+             </para>
+           </listitem>
+           <listitem>
+             <para>
+               Failover during shutdown completes and does not time out
+             </para>
+           </listitem>
+         </itemizedlist>
+         <para>
+           Default: <literal>0</literal>
+         </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
+       <term>shutdown failover timeout = <parameter>TIMEOUT</parameter></term>
+       <listitem>
+         <para>
+           CTDB will wait for TIMEOUT seconds for failover to
+           complete during shutdown.  This allows NFS servers on
+           other nodes to go into grace during graceful shutdown of a
+           node.  Failover during shutdown also helps with SMB
+           durable handle reclaim.
+         </para>
+         <para>
+           Set this to 0 to disable explicit failover on shutdown.
+         </para>
+         <para>
+           Default: <literal>10</literal>
+         </para>
+       </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
diff --git a/ctdb/protocol/protocol.h b/ctdb/protocol/protocol.h
index c775c4bcc64..ecec0a45891 100644
--- a/ctdb/protocol/protocol.h
+++ b/ctdb/protocol/protocol.h
@@ -234,6 +234,13 @@ struct ctdb_call {
 #define CTDB_SRVID_TEST_RANGE  0xAE00000000000000LL
 
 
+/* Range of ports reserved for CTDB server (top 8 bits)
+ * All ports matching the 8 top bits are reserved for exclusive use by
+ * the CTDB server
+ */
+#define CTDB_SRVID_SERVER_RANGE  0x9E00000000000000LL
+
+
 enum ctdb_controls {CTDB_CONTROL_PROCESS_EXISTS          = 0,
                    CTDB_CONTROL_STATISTICS              = 1,
                    /* #2 removed */
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index 46bc324ae87..3bdf9fee6f5 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -23,6 +23,7 @@
 #include "system/wait.h"
 #include "system/time.h"
 
+#include <errno.h>
 #include <talloc.h>
 /* Allow use of deprecated function tevent_loop_allow_nesting() */
 #define TEVENT_DEPRECATED
@@ -41,6 +42,7 @@
 #include "ctdb_client.h"
 
 #include "protocol/protocol.h"
+#include "protocol/protocol_basic.h"
 #include "protocol/protocol_api.h"
 
 #include "common/rb_tree.h"
@@ -50,7 +52,9 @@
 #include "common/logging.h"
 #include "common/pidfile.h"
 #include "common/sock_io.h"
+#include "common/srvid.h"
 
+#include "conf/ctdb_config.h"
 #include "conf/node.h"
 
 struct ctdb_client_pid_list {
@@ -2219,15 +2223,234 @@ done:
        return ret;
 }
 
+/*
+ * Construct a SRVID for accepting replies to this ctdbd.  The bottom
+ * 24 bits of the PNN are used in the top half.  extra_mask is used in
+ * the bottom half.
+ */
+
+static uint64_t ctdb_srvid_id(struct ctdb_context *ctdb, uint32_t extra_mask)
+{
+       uint64_t pnn_mask = (uint64_t)(ctdb->pnn & 0xFFFFFF) << 32;
+
+       return CTDB_SRVID_SERVER_RANGE | pnn_mask | extra_mask;
+}
+
+/*
+ * Do a takeover run on shutdown
+ *
+ * This allows for a graceful transition of resources to another node.
+ * This ensures all nodes go into grace for NFS and, with an extra
+ * timeout, allows data transfer for SMB durable handles.
+ *
+ * Nodes need to be in CTDB_RUNSTATE_RUNNING to host public IP
+ * addresses.  So, this node will release all IPs.  The good news is
+ * that a node can remain leader when in CTDB_RUNSTATE_SHUTDOWN, so
+ * shutting down the cluster will not be adversely delayed by this.
+ * The only issue to guard against is delaying shutdown of this node
+ * if it is the only node and doesn't have CTDB_CAP_RECMASTER, in
+ * which case there is no node to do the takeover run.  Hence, the
+ * timeout.
+ */
+
+struct shutdown_takeover_state {
+       bool takeover_done;
+       bool timed_out;
+       struct tevent_timer *te;
+       unsigned int leader_broadcast_count;
+};
+
+static void shutdown_takeover_handler(uint64_t srvid,
+                                     TDB_DATA data,
+                                     void *private_data)
+{
+       struct shutdown_takeover_state *state = private_data;
+       int32_t result = 0;
+       size_t count = 0;
+       int ret = 0;
+
+       ret = ctdb_int32_pull(data.dptr, data.dsize, &result, &count);
+       if (ret == EMSGSIZE) {
+               /*
+                * Can't happen unless there's bug somewhere else, so
+                * just ignore - ctdb_shutdown_takeover() will
+                * probably time out...
+                */
+               DBG_WARNING("Wrong size for result\n");
+               return;
+       }
+
+       if (result == -1) {
+               /*
+                * No early return - can't afford endless retries
+                * during shutdown...
+                */
+               DBG_WARNING("Takeover run failed\n");
+       } else {
+               DBG_NOTICE("Takeover run successful by node=%"PRIi32"\n",
+                          result);
+       }
+
+       state->takeover_done = true;
+}
+
+static void shutdown_timeout_handler(struct tevent_context *ev,
+                                    struct tevent_timer *te,
+                                    struct timeval yt,
+                                    void *private_data)
+{
+       struct shutdown_takeover_state *state = private_data;
+
+       TALLOC_FREE(state->te);
+       state->timed_out = true;
+}
+
+static void shutdown_leader_handler(uint64_t srvid,
+                                   TDB_DATA data,
+                                   void *private_data)
+{
+       struct shutdown_takeover_state *state = private_data;
+       uint32_t pnn = 0;
+       size_t count = 0;
+       int ret = 0;
+
+       ret = ctdb_uint32_pull(data.dptr, data.dsize, &pnn, &count);
+       if (ret == EMSGSIZE) {
+               /*
+                * Can't happen unless there's bug somewhere else, so
+                * just ignore
+                */
+               DBG_WARNING("Wrong size for result\n");
+               return;
+       }
+
+       DBG_DEBUG("Leader broadcast received from node=%"PRIu32"\n", pnn);
+       state->leader_broadcast_count++;
+}
+
+static void ctdb_shutdown_takeover(struct ctdb_context *ctdb)
+{
+       struct shutdown_takeover_state state = {
+               .takeover_done = false,
+               .timed_out = false,
+               .te = NULL,
+               .leader_broadcast_count = 0,
+       };
+       /*
+        * This one is memcpy()ed onto the wire, so initialise below
+        * after ZERO_STRUCT(), to keep things valgrind clean
+        */
+       struct ctdb_srvid_message rd;
+       struct TDB_DATA rddata = {
+               .dptr = (uint8_t *)&rd,
+               .dsize = sizeof(rd),
+       };
+       int ret = 0;
+
+       if (ctdb_config.shutdown_failover_timeout <= 0) {
+               return;
+       }
+
+       ZERO_STRUCT(rd);
+       rd = (struct ctdb_srvid_message) {
+               .pnn = ctdb->pnn,
+               .srvid = ctdb_srvid_id(ctdb, 0),
+       };
+
+       ret = srvid_register(ctdb->srv,
+                            ctdb->srv,
+                            rd.srvid,
+                            shutdown_takeover_handler,
+                            &state);
+       if (ret != 0) {
+               DBG_WARNING("Failed to register takeover run handler\n");
+               return;
+       }
+
+       state.te = tevent_add_timer(
+               ctdb->ev,
+               ctdb->srv,
+               timeval_current_ofs(ctdb_config.shutdown_failover_timeout, 0),
+               shutdown_timeout_handler,
+               &state);
+       if (state.te == NULL) {
+               DBG_WARNING("Failed to set shutdown timeout\n");
+               goto done;
+       }
+
+       ret = srvid_register(ctdb->srv,
+                            ctdb->srv,
+                            CTDB_SRVID_LEADER,
+                            shutdown_leader_handler,
+                            &state);
+       if (ret != 0) {
+               /* Leader broadcasts provide extra information, so no
+                * problem if they can't be monitored...
+                */
+               DBG_WARNING("Failed to register leader handler\n");
+       }
+
+       ret = ctdb_daemon_send_message(ctdb,
+                                      CTDB_BROADCAST_CONNECTED,
+                                      CTDB_SRVID_TAKEOVER_RUN,
+                                      rddata);
+       if (ret != 0) {
+               DBG_WARNING("Failed to send IP takeover run request\n");
+               goto done;
+       }
+
+       while (!state.takeover_done && !state.timed_out) {
+               tevent_loop_once(ctdb->ev);
+       }
+
+       if (state.takeover_done) {
+               goto done;
+       }
+
+       if (state.timed_out) {
+               DBG_WARNING("Timed out waiting for takeover run "
+                           "(%u leader broadcasts received)\n",
+                           state.leader_broadcast_count);
+       }
+done:
+       srvid_deregister(ctdb->srv, CTDB_SRVID_TAKEOVER_RUN, &state);
+       srvid_deregister(ctdb->srv, CTDB_SRVID_LEADER, &state);
+       TALLOC_FREE(state.te);
+
+       if (!state.takeover_done || ctdb_config.shutdown_extra_timeout <= 0) {
+               return;
+       }
+
+       state.timed_out = false;
+       state.te = tevent_add_timer(
+               ctdb->ev,
+               ctdb->srv,
+               timeval_current_ofs(ctdb_config.shutdown_extra_timeout, 0),
+               shutdown_timeout_handler,
+               &state);


-- 
Samba Shared Repository
