The branch, v4-22-stable has been updated
via 70eeb722062 VERSION: Disable GIT_SNAPSHOT for the 4.22.3 release.
via 22a95d2aa77 WHATSNEW: Add release notes for Samba 4.22.3.
via 78d69a9eebe s3-winbindd: Fix internal winbind dsgetdcname calls
w.r.t. domain name
via b197ce8c6f1 s3:winbindd: avoid using any netlogon call to get a dc
name
via 7501696d552 lib:util: Disable logging to syslog for startup messages
via 76d1b6b1807 python: Do not interpret 16 character group names as
GUIDs
via de43d8e305d pytest: samba-tool group: test with 16 character name
via d80ff2e1e58 pytest:samba-tool group: test addmembers
via de600282aaf VERSION: Bump version up to Samba 4.22.3...
from 64a23714e6d VERSION: Disable GIT_SNAPSHOT for the 4.22.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 88 ++++++++++++++++++-
lib/util/debug.c | 15 ++++
lib/util/debug.h | 9 ++
python/samba/samdb.py | 10 ++-
python/samba/tests/samba_tool/group.py | 17 +++-
source3/winbindd/wb_queryuser.c | 17 +++-
source3/winbindd/wb_sids2xids.c | 17 +++-
source3/winbindd/wb_xids2sids.c | 12 ++-
source3/winbindd/winbindd_cm.c | 150 ---------------------------------
source3/winbindd/winbindd_dual.c | 6 +-
source3/winbindd/winbindd_dual_srv.c | 105 ++---------------------
source3/winbindd/winbindd_proto.h | 1 +
source3/winbindd/winbindd_util.c | 19 +++++
14 files changed, 201 insertions(+), 267 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 5b8bfb01ce6..171017d023a 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the
Samba Team 1992-2025"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=22
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8b98a91f28a..57d9133b43f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,88 @@
+ ==============================
+ Release Notes for Samba 4.22.3
+ July 07, 2025
+ ==============================
+
+
+This is the latest stable release of the Samba 4.22 release series.
+
+
+Important Change in Upcoming Microsoft Update
+---------------------------------------------
+
+On 8th of July, Microsoft will release an important security update for
+Active Directory Domain Controllers for Windows Server versions prior to
+2025.
+
+This update includes a change to the Microsoft RPC Netlogon protocol,
+which improves security by tightening access checks for a set of RPC
+requests. Samba running as domain members in these environments will be
+impacted by this change if a specific configuration is used, see below
+for which configuration is affected.
+
+Windows Server version 2025 is already equipped with these specific
+security hardenings, and Microsoft is now planning to deploy them to all
+supported Windows Server versions down to Windows Server 2008.
+
+
+Who is affected?
+
+Samba installations acting as member servers in Windows AD domains will
+be affected if they are configured to use the 'ad' idmapping backend.
+Samba servers not using this configuration will not be affected by the
+change – at least to our current knowledge and understanding of the
+change – and no further action is required.
+
+Current versions of Samba with the affected configuration will no longer
+function correctly once the Microsoft update has been applied. Users
+will not be able to connect to the SMB service provided by Samba for any
+domain configured to use the 'ad' idmapping backend.
+
+See https://bugzilla.samba.org/show_bug.cgi?id=15876.
+
+
+Changes since 4.22.2
+--------------------
+
+o Douglas Bagnall <[email protected]>
+ * BUG 15854: samba-tool cannot add user to group whose name is exactly 16
+ characters long.
+
+o Günther Deschner <[email protected]>
+ * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
+ calls like netr_DsRGetDCName.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
+ calls like netr_DsRGetDCName.
+
+o Andreas Schneider <[email protected]>
+ * BUG 15869: Startup messages of rpc deamons fills /var/log/messages.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.22.2
June 05, 2025
@@ -80,8 +165,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.22.1
April 17, 2025
diff --git a/lib/util/debug.c b/lib/util/debug.c
index 86f13f181cf..f79b8811a4b 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -95,6 +95,7 @@ static struct {
bool reopening_logs;
bool schedule_reopen_logs;
int forced_log_priority;
+ bool disable_syslog;
struct debug_settings settings;
debug_callback_fn callback;
@@ -302,6 +303,10 @@ static void debug_syslog_log(int msg_level, const char
*msg, size_t msg_len)
{
int priority;
+ if (state.disable_syslog) {
+ return;
+ }
+
priority = debug_level_to_priority(msg_level);
/*
@@ -1124,6 +1129,16 @@ void debug_set_forced_log_priority(int
forced_log_priority)
state.forced_log_priority = forced_log_priority;
}
+void debug_disable_syslog(void)
+{
+ state.disable_syslog = true;
+}
+
+void debug_enable_syslog(void)
+{
+ state.disable_syslog = false;
+}
+
/**
* Ensure debug logs are initialised.
*
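Review bot: debug_disable_syslog() and debug_enable_syslog() are added as a bare on/off switch with no doc comment, and because DBG_STARTUP_NOTICE in the lib/util/debug.h hunk restores with an unconditional debug_enable_syslog(), any caller that already had syslog suppressed gets it silently re-enabled when the macro finishes; nested use of the macro has the same effect. Since the pair is exported through the header, a comment above the two prototypes in the debug.h hunk such as `/* Suppress/resume syslog output. Not reference-counted: debug_enable_syslog() unconditionally re-enables, so only use as a paired bracket as DBG_STARTUP_NOTICE does. */` would make the contract explicit. If save/restore semantics are wanted, have debug_disable_syslog() return the previous `state.disable_syslog` and add a restore function that takes it back, but that also means changing the macro.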
diff --git a/lib/util/debug.h b/lib/util/debug.h
index f188105c9f4..2a56c7d48fe 100644
--- a/lib/util/debug.h
+++ b/lib/util/debug.h
@@ -276,9 +276,16 @@ void debuglevel_set_class(size_t idx, int level);
#define DBGLVL_INFO 5 /* informational message */
#define DBGLVL_DEBUG 10 /* debug-level message */
+/*
+ * Logging to syslog will be disabled as messages on debug level 0 are always
+ * reported to syslog too. We don't want to clutter the syslog with startup
+ * messages from rpc on demand daemons.
+ */
#define DBG_STARTUP_NOTICE(...) do { \
debug_set_forced_log_priority(DBGLVL_NOTICE); \
+ debug_disable_syslog(); \
D_ERR(__VA_ARGS__); \
+ debug_enable_syslog(); \
debug_set_forced_log_priority(-1); \
} while(0)
@@ -362,6 +369,8 @@ void debug_set_settings(struct debug_settings *settings,
int syslog_level, bool syslog_only);
void debug_set_hostname(const char *name);
void debug_set_forced_log_priority(int forced_log_priority);
+void debug_disable_syslog(void);
+void debug_enable_syslog(void);
bool reopen_logs_internal( void );
void force_check_log_size( void );
bool need_to_check_log_size( void );
diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index 0545aed98eb..7a1cee1e108 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -35,6 +35,7 @@ from samba.common import normalise_int32
from samba.common import get_bytes, cmp
from samba.dcerpc import security
from samba import is_ad_dc_built
+from samba import string_is_guid
from samba import NTSTATUSError, ntstatus
import binascii
@@ -388,6 +389,13 @@ lockoutTime: 0
partial_groupfilter = None
+ # If <group> looks like a SID, GUID, or DN, we use it
+ # accordingly, otherwise as a name.
+ #
+ # Because misc.GUID() will read any 16 byte sequence as a
+ # binary guid, we need to be careful not to read 16 character
+ # names as GUIDs.
+
group_sid = None
try:
group_sid = security.dom_sid(group)
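Review bot: The comment added above `group_sid = None` explains the 16-byte binary-GUID ambiguity, but the guard it justifies, `if partial_groupfilter is None and string_is_guid(group):`, sits several lines further down in the next hunk, so a reader of the `misc.GUID()` call will not see the reason next to the check. Keep the first sentence here and move the `misc.GUID()` paragraph directly above that `if`. A name that is itself a syntactically valid GUID string would presumably still be resolved as a GUID rather than a name, which appears to be pre-existing behaviour; a one-line note saying so next to the guard would save the next reader from re-deriving it.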
@@ -397,7 +405,7 @@ lockoutTime: 0
partial_groupfilter = "(objectClass=*)"
group_guid = None
- if partial_groupfilter is None:
+ if partial_groupfilter is None and string_is_guid(group):
try:
group_guid = misc.GUID(group)
except NTSTATUSError as e:
diff --git a/python/samba/tests/samba_tool/group.py
b/python/samba/tests/samba_tool/group.py
index e8c0960849f..1c5bc9690f9 100644
--- a/python/samba/tests/samba_tool/group.py
+++ b/python/samba/tests/samba_tool/group.py
@@ -38,7 +38,8 @@ class GroupCmdTestCase(SambaToolCmdTest):
self.groups.append(self._randomGroup({"name": "testgroup1"}))
self.groups.append(self._randomGroup({"name": "testgroup2"}))
self.groups.append(self._randomGroup({"name": "testgroup3"}))
- self.groups.append(self._randomGroup({"name": "testgroup4"}))
+ self.groups.append(self._randomGroup(
+ {"name": "16 character name for bug 15854"[:16]}))
self.groups.append(self._randomGroup({"name": "testgroup5 (with
brackets)"}))
self.groups.append(self._randomPosixGroup({"name": "posixgroup1"}))
self.groups.append(self._randomPosixGroup({"name": "posixgroup2"}))
@@ -334,6 +335,20 @@ class GroupCmdTestCase(SambaToolCmdTest):
name = str(groupobj.get("dn", idx=0))
self.assertMatch(out, name, "group '%s' not found" % name)
+ def test_addmember(self):
+ groups = [g['name'] for g in self.groups]
+ for parent, child in zip(groups, groups[1:]):
+ (result, out, err) = self.runsubcmd(
+ "group", "addmembers", parent, child)
+ self.assertCmdSuccess(result, out, err)
+
+ (result, out, err) = self.runsubcmd(
+ "group", "addmembers", groups[-1], ','.join(groups[:-1]))
+ self.assertCmdSuccess(result, out, err)
+
+ (result, out, err) = self.runsubcmd(
+ "group", "addmembers", groups[0], "alice,bob")
+ self.assertCmdSuccess(result, out, err)
def test_move(self):
full_ou_dn = str(self.samdb.normalize_dn_in_domain("OU=movetest_grp"))
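Review bot: test_addmember only asserts that each `addmembers` call exits successfully; nothing verifies that the membership was actually established, so a regression in which the 16-character name resolved to the wrong object would still pass. After the chained adds, check the result, e.g. `(result, out, err) = self.runsubcmd("group", "listmembers", groups[0])`, `self.assertCmdSuccess(result, out, err)`, `self.assertIn(groups[1], out)`. The final call also relies on users named alice and bob existing in the test environment, which is not visible here; if they are fixtures of the base class, a short comment saying so would help. The method is named test_addmember while the subcommand under test is `addmembers`; aligning the name makes the test easier to find.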
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index c2758f1b76a..db8e946ba71 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -289,10 +289,19 @@ static void wb_queryuser_done(struct tevent_req *subreq)
if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
!state->tried_dclookup) {
- D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling
wb_dsgetdcname_send()\n");
- subreq = wb_dsgetdcname_send(
- state, state->ev, state->info->domain_name, NULL, NULL,
- DS_RETURN_DNS_NAME);
+ const char *domain_name = find_dns_domain_name(
+ state->info->domain_name);
+
+ D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling "
+ "wb_dsgetdcname_send(%s)\n",
+ domain_name);
+
+ subreq = wb_dsgetdcname_send(state,
+ state->ev,
+ domain_name,
+ NULL,
+ NULL,
+ DS_RETURN_DNS_NAME);
if (tevent_req_nomem(subreq, req)) {
return;
}
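Review bot: `domain_name` is passed both as a `%s` argument to D_DEBUG and as the domain to wb_dsgetdcname_send() with no NULL check; find_dns_domain_name() is introduced by this changeset in source3/winbindd/winbindd_util.c, which lies outside the truncated view, so whether it can return NULL cannot be confirmed here, but if it can, the debug line is undefined behaviour and the DC lookup is issued for a NULL domain. The same pattern appears in the wb_sids2xids.c and wb_xids2sids.c hunks. Either document on the helper that it never returns NULL (falling back to its argument), or guard at each call site: `if (domain_name == NULL) { domain_name = state->info->domain_name; }`. wb_queryuser_done continues outside the hunk.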
diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c
index f0f6c23fc20..03e5e7e0258 100644
--- a/source3/winbindd/wb_sids2xids.c
+++ b/source3/winbindd/wb_sids2xids.c
@@ -612,13 +612,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq)
!state->tried_dclookup) {
struct lsa_DomainInfo *d;
+ const char *domain_name = NULL;
- D_DEBUG("Domain controller not found. Calling
wb_dsgetdcname_send() to get it.\n");
d = &state->idmap_doms.domains[state->dom_index];
- subreq = wb_dsgetdcname_send(
- state, state->ev, d->name.string, NULL, NULL,
- DS_RETURN_DNS_NAME);
+ domain_name = find_dns_domain_name(d->name.string);
+
+ D_DEBUG("Domain controller not found. Calling "
+ "wb_dsgetdcname_send(%s) to get it.\n",
+ domain_name);
+
+ subreq = wb_dsgetdcname_send(state,
+ state->ev,
+ domain_name,
+ NULL,
+ NULL,
+ DS_RETURN_DNS_NAME);
if (tevent_req_nomem(subreq, req)) {
return;
}
diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c
index 86bd7f9deab..6fcf524d94f 100644
--- a/source3/winbindd/wb_xids2sids.c
+++ b/source3/winbindd/wb_xids2sids.c
@@ -143,9 +143,15 @@ static void wb_xids2sids_dom_done(struct tevent_req
*subreq)
if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
!state->tried_dclookup) {
- subreq = wb_dsgetdcname_send(
- state, state->ev, state->dom_map->name, NULL, NULL,
- DS_RETURN_DNS_NAME);
+ const char *domain_name = find_dns_domain_name(
+ state->dom_map->name);
+
+ subreq = wb_dsgetdcname_send(state,
+ state->ev,
+ domain_name,
+ NULL,
+ NULL,
+ DS_RETURN_DNS_NAME);
if (tevent_req_nomem(subreq, req)) {
return;
}
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 420ea961876..741761f606b 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -475,140 +475,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials
*creds)
return ret;
}
-static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
- fstring dcname,
- struct sockaddr_storage *dc_ss,
- uint32_t request_flags)
-{
- struct winbindd_domain *our_domain = NULL;
- struct rpc_pipe_client *netlogon_pipe = NULL;
- NTSTATUS result;
- WERROR werr;
- TALLOC_CTX *mem_ctx;
- unsigned int orig_timeout;
- const char *tmp = NULL;
- const char *p;
- struct dcerpc_binding_handle *b;
-
- /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
- * moment.... */
-
- if (IS_DC) {
- return False;
- }
-
- if (domain->primary) {
- return False;
- }
-
- our_domain = find_our_domain();
-
- if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
- return False;
- }
-
- result = cm_connect_netlogon(our_domain, &netlogon_pipe);
- if (!NT_STATUS_IS_OK(result)) {
- talloc_destroy(mem_ctx);
- return False;
- }
-
- b = netlogon_pipe->binding_handle;
-
- /* This call can take a long time - allow the server to time out.
- 35 seconds should do it. */
-
- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
-
- if (our_domain->active_directory) {
- struct netr_DsRGetDCNameInfo *domain_info = NULL;
-
- /*
- * TODO request flags are not respected in the server
- * (and in some cases, like REQUIRE_PDC, causes an error)
- */
- result = dcerpc_netr_DsRGetDCName(b,
- mem_ctx,
- our_domain->dcname,
- domain->name,
- NULL,
- NULL,
-
request_flags|DS_RETURN_DNS_NAME,
- &domain_info,
- &werr);
- if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
- tmp = talloc_strdup(
- mem_ctx, domain_info->dc_unc);
- if (tmp == NULL) {
- DBG_ERR("talloc_strdup failed for dc_unc[%s]\n",
- domain_info->dc_unc);
- talloc_destroy(mem_ctx);
- return false;
- }
- if (domain->alt_name == NULL) {
- domain->alt_name = talloc_strdup(domain,
-
domain_info->domain_name);
- if (domain->alt_name == NULL) {
- DBG_ERR("talloc_strdup failed for "
-
"domain_info->domain_name[%s]\n",
- domain_info->domain_name);
- talloc_destroy(mem_ctx);
- return false;
- }
- }
- if (domain->forest_name == NULL) {
- domain->forest_name = talloc_strdup(domain,
-
domain_info->forest_name);
- if (domain->forest_name == NULL) {
- DBG_ERR("talloc_strdup failed for "
-
"domain_info->forest_name[%s]\n",
- domain_info->forest_name);
- talloc_destroy(mem_ctx);
- return false;
- }
- }
- }
- } else {
- result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
- our_domain->dcname,
- domain->name,
- &tmp,
- &werr);
- }
-
- /* And restore our original timeout. */
- rpccli_set_timeout(netlogon_pipe, orig_timeout);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
- nt_errstr(result)));
- talloc_destroy(mem_ctx);
- return false;
- }
-
- if (!W_ERROR_IS_OK(werr)) {
- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
- win_errstr(werr)));
- talloc_destroy(mem_ctx);
- return false;
- }
-
- /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
- p = strip_hostname(tmp);
-
- fstrcpy(dcname, p);
-
- talloc_destroy(mem_ctx);
-
- DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
-
- if (!resolve_name(dcname, dc_ss, 0x20, true)) {
- return False;
- }
-
- return True;
-}
-
/**
* Helper function to assemble trust password and account name
*/
@@ -1307,24 +1173,8 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct
winbindd_domain *domain,
struct samba_sockaddr *sa_list = NULL;
size_t salist_size = 0;
size_t i;
- bool is_our_domain;
enum security_types sec = (enum security_types)lp_security();
- is_our_domain = strequal(domain->name, lp_workgroup());
-
- /* If not our domain, get the preferred DC, by asking our primary DC */
- if ( !is_our_domain
- && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags)
- && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
- num_dcs) )
- {
- char addr[INET6_ADDRSTRLEN];
- print_sockaddr(addr, sizeof(addr), &ss);