The branch, v4-23-stable has been updated
via 4936cd33142 VERSION: Disable GIT_SNAPSHOT for the 4.23.0rc2 release.
via 7a5da9c9f82 WHATSNEW: Add release notes for Samba 4.23.0rc2.
via 5c9f7d68912 WHATSNEW: samba-tool domain backup --no-secrets changes
via 93cb60fe642 third_party:quic_ko_wrapper Fix compilation with clang-20
via e69828e8de5 third_party:quic Fix compilation with clang-20
via d43c632b632 third_party: fix libquic build on older systems
via 8d50eb1938a libads: change netlogon_pings() behaviour wrt to min_servers parameter
via 0dc0860f3a6 libads: reverse termination condition in netlogon_pings_done()
via e412ceaa8e9 idmap_ad: add and use ldap_timeout and fix LDAP server failover
via e03f233e920 tldap: use tevent_req_set_endtime() to terminate LDAP searches
via a0b8de88f85 winbindd: use find_domain_from_name_noinit() in find_dns_domain_name()
via 02e2933d081 libads: fix get_kdc_ip_string()
via 224d4f69abe WHATSNEW: add Per-share profiling stats
via 2c308dabec6 WHATSNEW: add CTDB changes
via 8c9f571be0d VERSION: Bump version up to Samba 4.23.0rc2...
from 2986c2680ba VERSION: Disable GIT_SNAPSHOT for the Samba 4.23.0rc1 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-23-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 61 +++++++++++++++++++++++++--
source3/lib/tldap.c | 5 +++
source3/libads/cldap.c | 2 +-
source3/libads/kerberos.c | 18 +++++---
source3/libads/ldap.c | 2 +-
source3/libads/netlogon_ping.c | 32 ++++++++------
source3/libads/netlogon_ping.h | 4 +-
source3/libsmb/dsgetdcname.c | 2 +-
source3/winbindd/idmap_ad.c | 33 +++++++++++----
source3/winbindd/wb_queryuser.c | 10 ++++-
source3/winbindd/wb_sids2xids.c | 12 +++++-
source3/winbindd/wb_xids2sids.c | 10 ++++-
source3/winbindd/winbindd_cm.c | 52 +++++++++++++++++++++++
source3/winbindd/winbindd_proto.h | 1 +
source3/winbindd/winbindd_util.c | 2 +-
source4/libnet/libnet_site.c | 2 +-
source4/torture/rpc/lsa.c | 2 +-
third_party/quic/libquic_handshake_wrapper.c | 2 +
third_party/quic/wscript | 11 ++++-
third_party/quic_ko_wrapper/quic_ko_wrapper.c | 9 ++--
21 files changed, 224 insertions(+), 50 deletions(-)
create mode 100644 third_party/quic/libquic_handshake_wrapper.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index bde911e0679..b91b719c4b5 100644
--- a/VERSION
+++ b/VERSION
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=1
+SAMBA_VERSION_RC_RELEASE=2
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index e8a27072985..051fa2084de 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the first release candidate release of Samba 4.23. This is *not*
+This is the second release candidate release of Samba 4.23. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -32,9 +32,47 @@ Initial version of smb_prometheus_endpoint
------------------------------------------
todo
-samba-tool improvements
------------------------
-todo
+samba-tool domain backup --no-secrets avoids confidential attributes
+--------------------------------------------------------------------
+
+The --no-secrets option creates a back-up without secret attributes
+(e.g. passwords), suitable for use in a lab domain. Until now it could
+still contain confidential attributes, including BitLocker recovery
+data and KDS root keys. Objects in the classes msKds-ProvRootKey,
+msFVE-RecoveryInformation, and msTPM-InformationObject will now be
+entirely removed from the backup, as these objects are required by
+schema to have confidential attributes and are no use without them.
+
+CTDB changes
+------------
+
+* CTDB now supports loading tunables from
+ /etc/ctdb/tunables.d/*.tunables, in addition to the standard
+ /etc/ctdb/tunables.conf. See the ctdb-tunables(7) manual page for
+ more details. Note that the above locations are examples - the
+ actual location of these files will depend on compile time
+ configuration.
+
+ It isn't expected that many users will require a directory of tunables
+ files, since most users do not need to change tunables from their
+ default values. However, this allows vendors to ship their required
+ tunables settings (for example, in one or more files marked "do not
+ edit") while still allowing local administrators to add their own
+ tunables settings (in one or more separate files).
+
+Per-share profiling stats
+-------------------------
+Starting with Samba 4.23, users can collect profile counters at a
+per-share level. This feature requires building Samba with profiling
+data enabled and adding an appropriate `smb.conf` parameter for
+specific shares. It's particularly useful for deployments with a large
+number of active shares, allowing administrators to monitor individual
+share activity and identify potential bottlenecks or hot-spots. When
+enabled, users can inspect current per-share profile information
+("Extended Profile") using the standard `smbstatus` utility.
+
+Currently, this functionality is supported only by the default and
+`ceph_new` VFS modules.
REMOVED FEATURES
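Review bot: the "Per-share profiling stats" section tells administrators to add "an appropriate `smb.conf` parameter" without naming it; release notes should state the parameter name and show a minimal per-share example, otherwise readers have to dig through the manpages to enable the feature. The "todo" placeholder under "Initial version of smb_prometheus_endpoint" is also still unfilled for a second release candidate.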
@@ -51,6 +89,21 @@ smb.conf changes
server smb transports New tcp, nbt
winbind varlink service New no
+CHANGES SINCE 4.23.0rc1
+=======================
+
+o Björn Baumbach <[email protected]>
+ * BUG 15896: libquic build fixes.
+
+o Ralph Boehme <[email protected]>
+ * BUG 15844: getpwuid does not shift to new DC when current DC is down.
+ * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
+ calls like netr_DsRGetDCName.
+
+o Gary Lockyer <[email protected]>
+ * BUG 15896: libquic build fixes.
+
+
KNOWN ISSUES
============
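Review bot: the "smb.conf changes" table directly above this hunk lists the new parameters, but the new idmap_ad `ldap_timeout` option introduced in this changeset (source3/winbindd/idmap_ad.c, default 10) appears neither there nor under the BUG 15844 entry, and nothing in the notes describes the changed netlogon_pings() behaviour (min_servers becoming wanted_servers, with a fallback to a single good answer). Add a line for the option and a sentence on the failover change; also drop one of the two trailing blank `+` lines before KNOWN ISSUES.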
diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index f89306d2acd..7b1d04064e2 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -1905,6 +1905,11 @@ struct tevent_req *tldap_search_send(TALLOC_CTX *mem_ctx,
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
+ if (timelimit != 0) {
+ struct timeval end;
+ end = timeval_current_ofs(timelimit * 1.5F, 0);
+ tevent_req_set_endtime(subreq, ev, end);
+ }
tevent_req_set_callback(subreq, tldap_search_done, req);
return req;
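Review bot: `timeval_current_ofs(timelimit * 1.5F, 0)` relies on an implicit float-to-integer conversion of the seconds argument, so the 1.5 factor is truncated (a timelimit of 1 gives a 1 second deadline, not 1.5) and a negative timelimit is not handled at all. Use integer arithmetic and carry the fraction in the usecs argument, e.g. `timeval_current_ofs(timelimit + timelimit / 2, (timelimit % 2) * 500000)`, and add a comment saying why the client-side deadline is 1.5x the server-side timelimit (presumably to let the server's own time-limit result arrive first).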
diff --git a/source3/libads/cldap.c b/source3/libads/cldap.c
index 96d602d9feb..fdb78454141 100644
--- a/source3/libads/cldap.c
+++ b/source3/libads/cldap.c
@@ -69,7 +69,7 @@ static bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
.acct_ctrl = -1,
.required_flags = required_flags,
},
- 1, /* min_servers */
+ 1, /* wanted_servers */
timeval_current_ofs(MAX(3, lp_ldap_timeout() / 2), 0),
&responses);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index c1f3f3ce356..d8325201b2f 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1180,10 +1180,12 @@ static char *get_kdc_ip_string(char *mem_ctx,
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
if (num_dcs == 0) {
/*
- * We do not have additional KDCs, but we have the one passed
- * in via `pss`. So just use that one and leave.
+ * We do not have additional KDCs, but if we have one passed
+ * in via `pss` just use that one, otherwise fail
*/
- result = talloc_move(mem_ctx, &kdc_str);
+ if (pss != NULL) {
+ result = talloc_move(mem_ctx, &kdc_str);
+ }
goto out;
}
@@ -1223,14 +1225,20 @@ static char *get_kdc_ip_string(char *mem_ctx,
.acct_ctrl = -1,
.required_flags = DS_KDC_REQUIRED,
},
- MIN(num_dcs, 3), /* min_servers */
+ MIN(num_dcs, 3), /* wanted_servers */
timeval_current_ofs(3, 0), /* timeout */
&responses);
TALLOC_FREE(dc_addrs2);
if (!NT_STATUS_IS_OK(status)) {
DBG_DEBUG("netlogon_pings failed: %s\n", nt_errstr(status));
- result = talloc_move(mem_ctx, &kdc_str);
+ /*
+ * netlogon_pings() failed, but if we have one passed
+ * in via `pss` just just use that one, otherwise fail
+ */
+ if (pss != NULL) {
+ result = talloc_move(mem_ctx, &kdc_str);
+ }
goto out;
}
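Review bot: typo in the new comment, "just just use that one". This hunk and the num_dcs == 0 hunk above now implement the same "fall back to `pss` if non-NULL, otherwise leave result NULL" logic with two differently worded comments; identical wording (or one small helper) makes the intent easier to audit, and the comment should say explicitly that a NULL result is the failure signal the caller checks for.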
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index af467cfe390..49fa1d47298 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -501,7 +501,7 @@ again:
.required_flags = ads->config.flags |
DS_ONLY_LDAP_NEEDED,
},
- 1, /* min_servers */
+ 1, /* wanted_servers */
endtime, /* timeout */
&responses);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/libads/netlogon_ping.c b/source3/libads/netlogon_ping.c
index 22f5a56b395..c65244dd876 100644
--- a/source3/libads/netlogon_ping.c
+++ b/source3/libads/netlogon_ping.c
@@ -588,7 +588,7 @@ struct netlogon_pings_state {
struct tsocket_address **servers;
size_t num_servers;
- size_t min_servers;
+ size_t wanted_servers;
struct timeval timeout;
enum client_netlogon_ping_protocol proto;
uint32_t required_flags;
@@ -610,7 +610,7 @@ struct tevent_req *netlogon_pings_send(TALLOC_CTX *mem_ctx,
struct tsocket_address **servers,
size_t num_servers,
struct netlogon_ping_filter filter,
- size_t min_servers,
+ size_t wanted_servers,
struct timeval timeout)
{
struct tevent_req *req = NULL;
@@ -626,7 +626,7 @@ struct tevent_req *netlogon_pings_send(TALLOC_CTX *mem_ctx,
state->proto = proto;
state->servers = servers;
state->num_servers = num_servers;
- state->min_servers = min_servers;
+ state->wanted_servers = wanted_servers;
state->timeout = timeout;
state->required_flags = filter.required_flags;
@@ -685,7 +685,7 @@ struct tevent_req *netlogon_pings_send(TALLOC_CTX *mem_ctx,
}
state->filter = filter_str;
- for (i = 0; i < min_servers; i++) {
+ for (i = 0; i < wanted_servers; i++) {
state->reqs[i] = netlogon_ping_send(state->reqs,
state->ev,
state->servers[i],
@@ -699,7 +699,7 @@ struct tevent_req *netlogon_pings_send(TALLOC_CTX *mem_ctx,
netlogon_pings_done,
req);
}
- state->num_sent = min_servers;
+ state->num_sent = wanted_servers;
if (state->num_sent < state->num_servers) {
/*
* After 100 milliseconds fire the next one
@@ -818,21 +818,27 @@ static void netlogon_pings_done(struct tevent_req *subreq)
}
}
- if (state->num_good_received >= state->min_servers) {
+ if (state->num_good_received >= state->wanted_servers) {
tevent_req_done(req);
return;
}
- if (state->num_received == state->num_servers) {
+ if (state->num_received < state->num_servers) {
/*
- * Everybody replied, but we did not get enough good
- * answers (see above)
+ * Wait for more answers
*/
- tevent_req_nterror(req, NT_STATUS_NOT_FOUND);
+ return;
+ }
+ if (state->num_good_received == 1) {
+ /* We require at least one DC */
+ tevent_req_done(req);
return;
}
/*
- * Wait for more answers
+ * Everybody replied, but we did not get a single good
+ * answers (see above)
*/
+ tevent_req_nterror(req, NT_STATUS_NOT_FOUND);
+ return;
}
NTSTATUS netlogon_pings_recv(struct tevent_req *req,
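Review bot: the fallback check `if (state->num_good_received == 1)` should be `>= 1` (or `> 0`). With wanted_servers = 3, which get_kdc_ip_string() passes via MIN(num_dcs, 3), and five servers of which exactly two return a good answer, every server has replied, the first check fails (2 < 3), num_good_received is 2 rather than 1, and the request fails with NT_STATUS_NOT_FOUND even though two usable DCs answered; that contradicts the comment "We require at least one DC". Behaviour for the wanted_servers = 1 callers is unchanged. The closing comment also has a grammar slip ("a single good answers").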
@@ -856,7 +862,7 @@ NTSTATUS netlogon_pings(TALLOC_CTX *mem_ctx,
struct tsocket_address **servers,
int num_servers,
struct netlogon_ping_filter filter,
- int min_servers,
+ int wanted_servers,
struct timeval timeout,
struct netlogon_samlogon_response ***responses)
{
@@ -875,7 +881,7 @@ NTSTATUS netlogon_pings(TALLOC_CTX *mem_ctx,
servers,
num_servers,
filter,
- min_servers,
+ wanted_servers,
timeout);
if (req == NULL) {
goto fail;
diff --git a/source3/libads/netlogon_ping.h b/source3/libads/netlogon_ping.h
index d50c0a47936..6063c4e8a28 100644
--- a/source3/libads/netlogon_ping.h
+++ b/source3/libads/netlogon_ping.h
@@ -45,7 +45,7 @@ struct tevent_req *netlogon_pings_send(TALLOC_CTX *mem_ctx,
struct tsocket_address **servers,
size_t num_servers,
struct netlogon_ping_filter filter,
- size_t min_servers,
+ size_t wanted_servers,
struct timeval timeout);
NTSTATUS netlogon_pings_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
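Review bot: the rename from min_servers to wanted_servers is a behaviour change, not just a rename (the request now completes as soon as wanted_servers good answers arrive, or with a single good answer once every server has replied), but the header carries no doc comment describing this. Add a comment on netlogon_pings_send() and netlogon_pings() stating the semantics, and that wanted_servers must not exceed num_servers, since netlogon_pings_send() indexes state->servers[i] for i < wanted_servers with no visible range check.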
@@ -55,7 +55,7 @@ NTSTATUS netlogon_pings(TALLOC_CTX *mem_ctx,
struct tsocket_address **servers,
int num_servers,
struct netlogon_ping_filter filter,
- int min_servers,
+ int wanted_servers,
struct timeval timeout,
struct netlogon_samlogon_response ***responses);
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index 695f0c38d85..97633317903 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -871,7 +871,7 @@ static NTSTATUS process_dc_dns(TALLOC_CTX *mem_ctx,
.domain = domain_name,
.required_flags = flags,
},
- 1, /* min_servers */
+ 1, /* wanted_servers */
timeval_current_ofs(MAX(3, lp_ldap_timeout() / 2), 0),
&responses);
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 38e902b8292..0644b844df1 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -50,6 +50,7 @@ struct idmap_ad_context {
bool unix_primary_group;
bool unix_nss_info;
+ int ldap_timeout;
struct ldb_context *ldb;
struct ldb_dn **deny_ous;
@@ -576,6 +577,8 @@ static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
domname, "unix_primary_group", false);
ctx->unix_nss_info = idmap_config_bool(
domname, "unix_nss_info", false);
+ ctx->ldap_timeout = idmap_config_int(
+ domname, "ldap_timeout", 10);
schema_mode = idmap_config_const_string(
domname, "schema_mode", "rfc2307");
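Review bot: `idmap_config_int(domname, "ldap_timeout", 10)` introduces a new per-domain idmap option with no range check: a negative value is passed straight into tldap_search() as the timelimit, and 0 silently disables the client-side deadline (tldap_search_send() only sets an end time when timelimit != 0), which is exactly the hang this changeset is meant to fix. Clamp or reject values below 1, and document the option (name, unit in seconds, default 10) in the idmap_ad(8) manpage and the release notes.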
@@ -742,7 +745,7 @@ static NTSTATUS idmap_ad_query_user(struct idmap_domain
*domain,
rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
- 0, 0, 0, talloc_tos(), &msgs);
+ ctx->ldap_timeout, 0, 0, talloc_tos(), &msgs);
if (!TLDAP_RC_IS_SUCCESS(rc)) {
return NT_STATUS_LDAP(TLDAP_RC_V(rc));
}
@@ -815,13 +818,17 @@ static NTSTATUS idmap_ad_query_user_retry(struct
idmap_domain *domain,
{
const NTSTATUS status_server_down =
NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
+ const NTSTATUS status_timeout =
+ NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_TIMEOUT));
NTSTATUS status;
status = idmap_ad_query_user(domain, info);
- if (NT_STATUS_EQUAL(status, status_server_down)) {
+ if (NT_STATUS_EQUAL(status, status_server_down) ||
+ NT_STATUS_EQUAL(status, status_timeout))
+ {
TALLOC_FREE(domain->private_data);
- status = idmap_ad_query_user(domain, info);
+ return NT_STATUS_HOST_UNREACHABLE;
}
return status;
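Review bot: idmap_ad_query_user_retry() no longer retries; on TLDAP_SERVER_DOWN or TLDAP_TIMEOUT it drops the connection (TALLOC_FREE(domain->private_data)) and returns NT_STATUS_HOST_UNREACHABLE so the winbindd callers force DC rediscovery. The `_retry` suffix is now misleading; rename it or add a comment that the retry moved to wb_queryuser/wb_sids2xids, and since the original LDAP status is discarded here, log it at debug level before mapping it to HOST_UNREACHABLE so failover causes remain diagnosable.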
@@ -978,7 +985,7 @@ static NTSTATUS idmap_ad_unixids_to_sids(struct
idmap_domain *dom,
rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
- 0, 0, 0, talloc_tos(), &msgs);
+ ctx->ldap_timeout, 0, 0, talloc_tos(), &msgs);
if (!TLDAP_RC_IS_SUCCESS(rc)) {
return NT_STATUS_LDAP(TLDAP_RC_V(rc));
}
@@ -1142,7 +1149,7 @@ static NTSTATUS idmap_ad_sids_to_unixids(struct
idmap_domain *dom,
rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
- 0, 0, 0, talloc_tos(), &msgs);
+ ctx->ldap_timeout, 0, 0, talloc_tos(), &msgs);
if (!TLDAP_RC_IS_SUCCESS(rc)) {
return NT_STATUS_LDAP(TLDAP_RC_V(rc));
}
@@ -1249,13 +1256,17 @@ static NTSTATUS idmap_ad_unixids_to_sids_retry(struct
idmap_domain *dom,
{
const NTSTATUS status_server_down =
NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
+ const NTSTATUS status_timeout =
+ NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_TIMEOUT));
NTSTATUS status;
status = idmap_ad_unixids_to_sids(dom, ids);
- if (NT_STATUS_EQUAL(status, status_server_down)) {
+ if (NT_STATUS_EQUAL(status, status_server_down) ||
+ NT_STATUS_EQUAL(status, status_timeout))
+ {
TALLOC_FREE(dom->private_data);
- status = idmap_ad_unixids_to_sids(dom, ids);
+ return NT_STATUS_HOST_UNREACHABLE;
}
return status;
@@ -1266,13 +1277,17 @@ static NTSTATUS idmap_ad_sids_to_unixids_retry(struct
idmap_domain *dom,
{
const NTSTATUS status_server_down =
NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_SERVER_DOWN));
+ const NTSTATUS status_timeout =
+ NT_STATUS_LDAP(TLDAP_RC_V(TLDAP_TIMEOUT));
NTSTATUS status;
status = idmap_ad_sids_to_unixids(dom, ids);
- if (NT_STATUS_EQUAL(status, status_server_down)) {
+ if (NT_STATUS_EQUAL(status, status_server_down) ||
+ NT_STATUS_EQUAL(status, status_timeout))
+ {
TALLOC_FREE(dom->private_data);
- status = idmap_ad_sids_to_unixids(dom, ids);
+ return NT_STATUS_HOST_UNREACHABLE;
}
return status;
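Review bot: this is the third copy of the same SERVER_DOWN/TIMEOUT classification and TALLOC_FREE plus NT_STATUS_HOST_UNREACHABLE mapping in this file (also in idmap_ad_query_user_retry() and idmap_ad_unixids_to_sids_retry()). Factor it into one helper, e.g. `static bool idmap_ad_connection_lost(NTSTATUS status)`, so that any further retryable tldap result codes are added in one place rather than three.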
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index db8e946ba71..0f318f8b631 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -279,6 +279,7 @@ static void wb_queryuser_done(struct tevent_req *subreq)
NTSTATUS status, result;
bool need_group_name = false;
const char *tmpl = NULL;
+ uint32_t dsgetdcname_flags = DS_RETURN_DNS_NAME;
status = dcerpc_wbint_GetNssInfo_recv(subreq, info, &result);
TALLOC_FREE(subreq);
@@ -287,6 +288,13 @@ static void wb_queryuser_done(struct tevent_req *subreq)
return;
}
+ if (NT_STATUS_EQUAL(result, NT_STATUS_HOST_UNREACHABLE)) {
+ winbind_idmap_add_failed_connection_entry(info->domain_name);
+ /* Trigger DC lookup and reconnect below */
+ result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ dsgetdcname_flags |= DS_FORCE_REDISCOVERY;
+ }
+
if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
!state->tried_dclookup) {
const char *domain_name = find_dns_domain_name(
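Review bot: the NT_STATUS_HOST_UNREACHABLE remap runs before the `!state->tried_dclookup` check, so on a second failure after a rediscovery has already happened the caller receives NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND instead of the more accurate HOST_UNREACHABLE, and winbind_idmap_add_failed_connection_entry() is called a second time; consider applying the remap only when a rediscovery will actually be attempted. winbind_idmap_add_failed_connection_entry() is new in winbindd_cm.c but falls outside the 500-line truncation, so its behaviour cannot be checked from this mail.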
@@ -301,7 +309,7 @@ static void wb_queryuser_done(struct tevent_req *subreq)
domain_name,
NULL,
NULL,
- DS_RETURN_DNS_NAME);
+ dsgetdcname_flags);
if (tevent_req_nomem(subreq, req)) {
return;
}
diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c
index 03e5e7e0258..f5ff9223034 100644
--- a/source3/winbindd/wb_sids2xids.c
+++ b/source3/winbindd/wb_sids2xids.c
@@ -598,6 +598,7 @@ static void wb_sids2xids_done(struct tevent_req *subreq)
NTSTATUS status, result;
const struct wbint_TransIDArray *src = NULL;
struct wbint_TransIDArray *dst = NULL;
+ uint32_t dsgetdcname_flags = DS_RETURN_DNS_NAME;
uint32_t si;
status = dcerpc_wbint_Sids2UnixIDs_recv(subreq, state, &result);
@@ -608,6 +609,15 @@ static void wb_sids2xids_done(struct tevent_req *subreq)
return;
}
+ if (NT_STATUS_EQUAL(result, NT_STATUS_HOST_UNREACHABLE)) {
+ struct lsa_DomainInfo *d =
+ &state->idmap_doms.domains[state->dom_index];
+ winbind_idmap_add_failed_connection_entry(d->name.string);
+ /* Trigger DC lookup and reconnect below */
+ result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+ dsgetdcname_flags |= DS_FORCE_REDISCOVERY;
+ }
+
if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
!state->tried_dclookup) {
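Review bot: this block is a near-verbatim copy of the one in wb_queryuser_done() (and, per the diffstat, wb_xids2sids.c gets a third), differing only in where the domain name comes from; a shared helper taking the domain name and returning the adjusted result and dsgetdcname flags would keep the three in sync. Also confirm that `state->idmap_doms.domains[state->dom_index]` is always valid on the HOST_UNREACHABLE path, since the index is dereferenced here unconditionally.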
@@ -627,7 +637,7 @@ static void wb_sids2xids_done(struct tevent_req *subreq)
domain_name,
NULL,
NULL,
- DS_RETURN_DNS_NAME);
+ dsgetdcname_flags);
if (tevent_req_nomem(subreq, req)) {
return;
}
--
Samba Shared Repository