The branch, v4-21-stable has been updated
       via  05debb4bf19 VERSION: Disable GIT_SNAPSHOT for the 4.21.8 release.
       via  fa5a1430213 WHATSNEW: Add release notes for Samba 4.21.8.
       via  81e5b025498 s3:net: fix "net ads group"
       via  1f8a549ec8e winbindd: use find_domain_from_name_noinit() in 
find_dns_domain_name()
       via  3ba1c4bed4d libads: fix get_kdc_ip_string()
       via  8910ba21bab idmap_ad: add and use ldap_timeout and fix LDAP server 
failover
       via  236672028c1 tldap: use tevent_req_set_endtime() to terminate LDAP 
searches
       via  e71799c9bb3 vfs_virsufilter: Fix the invocation of 
SMB_VFS_NEXT_CONNECT
       via  2278b6317b7 smbd: fix mode being sent to possibly_set_archive
       via  c2be2d30ec7 ctdb: Fix a stuck cluster lock holder after a delayed 
leader bcast
       via  2a52c976070 s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in 
gensec
       via  7bf2051aadd s3:netlogon: IPA DC is the PDC as well - allow 
ROLE_IPA_DC in _netr_DsRGetForestTrustInformation()
       via  1c6b6494735 docs-xml: Make smb.conf 'server role' value consistent 
with ROLE_IPA_DC in libparam
       via  a8e2ea60831 s3:winbindd: Resolve dc name using CLDAP also for 
ROLE_IPA_DC
       via  9ca7d637aae s3-net: fix "net ads kerberos" krb5ccname handling
       via  d9fc8dc0d4b s3-selftest: add tests for "net ads kerberos" commands
       via  4750b7b5905 s3/libsmb: check the negative-conn-cache in 
resolve_ads()
       via  ad604bb46f2 s3/libsmb: check command in 
make_dc_info_from_cldap_reply()
       via  a0bf6a94267 libads: check for DCs in paused state in 
ads_try_connect()
       via  e56376504a8 s3/libads: get rid of additional loop calling 
add_failed_connection_entry()
       via  a9250ab504e s3:libads: let get_kdc_ip_string() check for a 
blacklisted server name
       via  2994369b3bd s3:libads: let cldap_ping_list() check for a 
blacklisted server name
       via  49948686de0 winbindd: blacklist servers returning 
ACCESS_DENIED/authoritative=0
       via  23eeafe43e9 winbindd: always use 
winbind_add_failed_connection_entry() wrapper
       via  56b975c4ff4 s3:conncache: improve debugging for the negative 
connection cache
       via  04913d3a42e Add check for the GPO link to have at least two 
attributes separated by semicolumn. Allows to handle empty links.
       via  f6381830154 WHATSNEW: fix typo
       via  b542e35437c third_party: Update socket_wrapper to version 1.4.4
       via  693e4eaf28b VERSION: Bump version up to Samba 4.21.8...
      from  5da3e988292 VERSION: Disable GIT_SNAPSHOT for the 4.21.7 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                       |   2 +-
 WHATSNEW.txt                                  |  75 +++++++++++-
 buildtools/wafsamba/samba_third_party.py      |   2 +-
 ctdb/server/ctdb_recoverd.c                   |   1 +
 docs-xml/smbdotconf/security/serverrole.xml   |   2 +-
 python/samba/gp/gpclass.py                    |   4 +-
 selftest/knownfail                            |   1 -
 source3/lib/tldap.c                           |   5 +
 source3/libads/kerberos.c                     |  36 +++++-
 source3/libads/ldap.c                         |  55 +++++++--
 source3/libsmb/conncache.c                    |   8 +-
 source3/libsmb/dsgetdcname.c                  |   6 +
 source3/libsmb/namequery.c                    |  25 +++-
 source3/modules/vfs_virusfilter.c             |   7 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c   |   5 +-
 source3/script/tests/test_net_ads_kerberos.sh | 158 ++++++++++++++++++++++++++
 source3/selftest/tests.py                     |  12 ++
 source3/smbd/open.c                           |   2 +-
 source3/utils/net.c                           |  15 +++
 source3/utils/net.h                           |   1 +
 source3/utils/net_ads.c                       |   8 +-
 source3/utils/ntlm_auth.c                     |   6 +-
 source3/winbindd/idmap_ad.c                   |  33 ++++--
 source3/winbindd/wb_queryuser.c               |  10 +-
 source3/winbindd/wb_sids2xids.c               |  12 +-
 source3/winbindd/wb_xids2sids.c               |  10 +-
 source3/winbindd/winbindd_cm.c                |  58 +++++++++-
 source3/winbindd/winbindd_pam.c               |  96 +++++++++++++++-
 source3/winbindd/winbindd_proto.h             |   5 +
 source3/winbindd/winbindd_util.c              |   2 +-
 third_party/socket_wrapper/socket_wrapper.c   |   7 ++
 third_party/socket_wrapper/wscript            |   2 +-
 32 files changed, 614 insertions(+), 57 deletions(-)
 create mode 100755 source3/script/tests/test_net_ads_kerberos.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 4fff7d5eb09..aa7a8e30894 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2024"
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=21
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 127fd8a3811..b3c21a5ebaf 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,73 @@
+                   ==============================
+                   Release Notes for Samba 4.21.8
+                         September 09, 2025
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.21 release series.
+
+
+Changes since 4.21.7
+--------------------
+
+o  Ralph Boehme <[email protected]>
+   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
+     SysvolReady=0.
+   * BUG 15844: getpwuid does not shift to new DC when current DC is down.
+   * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
+     calls like netr_DsRGetDCName.
+
+o  Günther Deschner <[email protected]>
+   * BUG 15840: kinit command is failing with Missing cache Error.
+
+o  Pavel Filipenský <[email protected]>
+   * BUG 15891: Figuring out the DC name from IP address fails and breaks
+     fork_domain_child().
+
+o  Volker Lendecke <[email protected]>
+   * BUG 15892: Delayed leader broadcast can block ctdb forever.
+
+o  Stefan Metzmacher <[email protected]>
+   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
+     SysvolReady=0.
+
+o  MikeLiu <[email protected]>
+   * BUG 15900: 'net ads group' failed to list domain groups.
+
+o  Rabinarayan Panigrahi <[email protected]>
+   * BUG 15663: Apparently there is a conflict between shadow_copy2 module and
+     virusfilter (action quarantine).
+
+o  Aleksandr Sharov <[email protected]>
+   * BUG 15877: Fix handling of empty GPO link.
+
+o  Srinivas Rao V <[email protected]>
+   * BUG 15880: SMB ACL inheritance doesn't work for files created.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.21.7
                            July 07, 2025
@@ -54,7 +124,7 @@ o  Stefan Metzmacher <[email protected]>
 
 o  Andreas Schneider <[email protected]>
    * BUG 15680: Trust domains are not created.
-   * BUG 15869: Startup messages of rpc deamons fills /var/log/messages.
+   * BUG 15869: Startup messages of rpc daemons fills /var/log/messages.
 
 
 #######################################
@@ -78,8 +148,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.21.6
                            June 03, 2025
diff --git a/buildtools/wafsamba/samba_third_party.py 
b/buildtools/wafsamba/samba_third_party.py
index d6fe609c896..0387328daec 100644
--- a/buildtools/wafsamba/samba_third_party.py
+++ b/buildtools/wafsamba/samba_third_party.py
@@ -24,7 +24,7 @@ Build.BuildContext.CHECK_CMOCKA = CHECK_CMOCKA
 
 @conf
 def CHECK_SOCKET_WRAPPER(conf):
-    return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.3')
+    return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.4')
 Build.BuildContext.CHECK_SOCKET_WRAPPER = CHECK_SOCKET_WRAPPER
 
 @conf
diff --git a/ctdb/server/ctdb_recoverd.c b/ctdb/server/ctdb_recoverd.c
index 3f71c07d05d..dfd8a78e325 100644
--- a/ctdb/server/ctdb_recoverd.c
+++ b/ctdb/server/ctdb_recoverd.c
@@ -1902,6 +1902,7 @@ static void cluster_lock_election(struct ctdb_recoverd 
*rec)
         * attempt to retake it.  This provides stability.
         */
        if (cluster_lock_held(rec)) {
+               rec->leader = rec->pnn;
                goto done;
        }
 
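Review bot: The added `rec->leader = rec->pnn;` in the `cluster_lock_held(rec)` branch has no comment saying why a node that already holds the lock has to reassert itself as leader. The existing comment only explains why the lock is not retaken. Going by the commit title, the assignment corrects `rec->leader` after a delayed leader broadcast, so I would put `/* We hold the cluster lock, so we are the leader even if a late leader broadcast changed rec->leader. */` above it. A log line when the value actually changes would make the correction visible during incident analysis. cluster_lock_election() starts and ends outside the hunk.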
diff --git a/docs-xml/smbdotconf/security/serverrole.xml 
b/docs-xml/smbdotconf/security/serverrole.xml
index 4ea4e4751ee..40244e125ce 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,7 +78,7 @@
     url="http://wiki.samba.org/index.php/Samba4/HOWTO";>Samba4
     HOWTO</ulink></para>
 
-    <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN 
CONTROLLER</emphasis></para>
+    <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA PRIMARY DOMAIN 
CONTROLLER</emphasis></para>
 
     <para>This mode of operation runs Samba in a hybrid mode for IPA
     domain controller, providing forest trust to Active Directory.
diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py
index d86aacec138..07b4fb3e7bd 100644
--- a/python/samba/gp/gpclass.py
+++ b/python/samba/gp/gpclass.py
@@ -673,8 +673,10 @@ class GP_LINK:
         self.gp_opts = int(gPOptions)
 
     def gpo_parse_gplink(self, gPLink):
+        # normally formed link looks like [LDAP://host/path;options]
+        # empty link looks like [ ]
         for p in gPLink.decode().split(']'):
-            if not p:
+            if not p or ';' not in p:
                 continue
             log.debug('gpo_parse_gplink: processing link')
             p = p.lstrip('[')
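Review bot: The widened guard `if not p or ';' not in p:` in gpo_parse_gplink drops every segment without a semicolon silently, so a malformed non-empty link is handled exactly like the empty `[ ]` case the new comment describes. A skipped link means the referenced GPO is never processed, which is worth a trace when the segment is not just whitespace, e.g. `if p.strip('[ '): log.warning('gpo_parse_gplink: skipping malformed link')` before the `continue`. The loop body continues outside the hunk.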
diff --git a/selftest/knownfail b/selftest/knownfail
index 5f64e4edad0..a7a2e2b2251 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -343,4 +343,3 @@
 
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-
diff --git a/source3/lib/tldap.c b/source3/lib/tldap.c
index ac95272fe06..3d4f672ac00 100644
--- a/source3/lib/tldap.c
+++ b/source3/lib/tldap.c
@@ -1899,6 +1899,11 @@ struct tevent_req *tldap_search_send(TALLOC_CTX *mem_ctx,
        if (tevent_req_nomem(subreq, req)) {
                return tevent_req_post(req, ev);
        }
+       if (timelimit != 0) {
+               struct timeval end;
+               end = timeval_current_ofs(timelimit * 1.5F, 0);
+               tevent_req_set_endtime(subreq, ev, end);
+       }
        tevent_req_set_callback(subreq, tldap_search_done, req);
        return req;
 
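Review bot: The return value of `tevent_req_set_endtime(subreq, ev, end)` is ignored in the new `timelimit != 0` block; the call returns false when the timer cannot be installed, and the search would then run without the deadline this change is meant to add. I would check it the same way as the allocation just above: `if (!tevent_req_set_endtime(subreq, ev, end)) { tevent_req_oom(req); return tevent_req_post(req, ev); }`. The `1.5F` factor needs a one-line comment on why the local deadline is 50% longer than `timelimit`. The float product is also converted to the seconds argument, so a negative `timelimit` (its type is declared outside the hunk) should be rejected before this point. tldap_search_send() starts and ends outside the hunk.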
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 72ce5b7bb34..30df5c97934 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -531,10 +531,12 @@ static char *get_kdc_ip_string(char *mem_ctx,
        DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
        if (num_dcs == 0) {
                /*
-                * We do not have additional KDCs, but we have the one passed
-                * in via `pss`. So just use that one and leave.
+                * We do not have additional KDCs, but if we have one passed
+                * in via `pss` just use that one, otherwise fail
                 */
-               result = talloc_move(mem_ctx, &kdc_str);
+               if (pss != NULL) {
+                       result = talloc_move(mem_ctx, &kdc_str);
+               }
                goto out;
        }
 
@@ -575,16 +577,44 @@ static char *get_kdc_ip_string(char *mem_ctx,
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
                          "%s\n", nt_errstr(status)));
+               /*
+                * cldap_multi_netlogon() failed, but if we have one passed
+                * in via `pss` just just use that one, otherwise fail
+                */
+               if (pss != NULL) {
+                       result = talloc_move(mem_ctx, &kdc_str);
+               }
                goto out;
        }
 
        for (i=0; i<num_dcs; i++) {
                char *new_kdc_str;
+               struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL;
+               char addr[INET6_ADDRSTRLEN];
 
                if (responses[i] == NULL) {
                        continue;
                }
 
+               if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) {
+                       continue;
+               }
+
+               print_sockaddr(addr, sizeof(addr), &dc_addrs[i]);
+
+               cldap_reply = &responses[i]->data.nt5_ex;
+
+               if (cldap_reply->pdc_dns_name != NULL) {
+                       status = check_negative_conn_cache(
+                               realm,
+                               cldap_reply->pdc_dns_name);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               /* propagate blacklisting from name to ip */
+                               add_failed_connection_entry(realm, addr, 
status);
+                               continue;
+                       }
+               }
+
                /* Append to the string - inefficient but not done often. */
                new_kdc_str = talloc_asprintf_append(
                                kdc_str,
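Review bot: The new `check_negative_conn_cache(realm, cldap_reply->pdc_dns_name)` branch in the `for` loop skips the KDC and writes a negative-cache entry for `addr` without logging anything, while the matching block added to source3/libads/ldap.c in this changeset logs the decision. The entry is keyed on a name taken from the CLDAP reply itself, so the trace matters when working out later why an address was dropped. I would add `DBG_NOTICE("realm=[%s] server=[%s][%s] black listed: %s\n", realm, addr, cldap_reply->pdc_dns_name, nt_errstr(status));` before the `add_failed_connection_entry()` call. The comment added above the `cldap_multi_netlogon` failure path also reads "just just use that one". get_kdc_ip_string() starts and ends outside the hunk.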
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index a2654c1f504..b9de711b63d 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -280,6 +280,15 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
                goto out;
        }
 
+       if (cldap_reply->command == LOGON_SAM_LOGON_PAUSE_RESPONSE ||
+           cldap_reply->command == LOGON_SAM_LOGON_PAUSE_RESPONSE_EX)
+       {
+               DBG_NOTICE("DC %s in paused state\n", addr);
+               ret = false;
+               goto out;
+       }
+
+
        /* Fill in the ads->config values */
 
        ADS_TALLOC_CONST_FREE(ads->config.workgroup);
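Review bot: The pause test on `cldap_reply->command` added to ads_fill_cldap_reply() is repeated in make_dc_info_from_cldap_reply() in source3/libsmb/dsgetdcname.c, where it returns `NT_STATUS_NETLOGON_NOT_STARTED` without any log line. A small shared predicate for "reply is a pause response" would keep the two copies from drifting apart. The dsgetdcname.c copy would also benefit from a message like `DBG_NOTICE("DC %s in paused state\n", addr);`, emitted after the address has been formatted there. The hunk also inserts two consecutive blank lines before `/* Fill in the ads->config values */`; one is enough.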
@@ -520,21 +529,53 @@ again:
                struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL;
                char server[INET6_ADDRSTRLEN];
 
+               print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
+
                if (responses[i] == NULL) {
+                       add_failed_connection_entry(
+                               domain,
+                               server,
+                               NT_STATUS_INVALID_NETWORK_RESPONSE);
                        continue;
                }
 
-               print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
-
                if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) {
                        DBG_NOTICE("realm=[%s] nt_version mismatch: 0x%08x for 
%s\n",
                                   ads->server.realm,
                                   responses[i]->ntver, server);
+                       add_failed_connection_entry(
+                               domain,
+                               server,
+                               NT_STATUS_INVALID_NETWORK_RESPONSE);
                        continue;
                }
 
                cldap_reply = &responses[i]->data.nt5_ex;
 
+               if (cldap_reply->pdc_dns_name != NULL) {
+                       status = check_negative_conn_cache(
+                               domain,
+                               cldap_reply->pdc_dns_name);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               /*
+                                * only use the server if it's not black listed
+                                * by name
+                                */
+                               DBG_NOTICE("realm=[%s] server=[%s][%s] "
+                                          "black listed: %s\n",
+                                          ads->server.realm,
+                                          server,
+                                          cldap_reply->pdc_dns_name,
+                                          nt_errstr(status));
+                               /* propagate blacklisting from name to ip */
+                               add_failed_connection_entry(domain,
+                                                           server,
+                                                           status);
+                               retry = true;
+                               continue;
+                       }
+               }
+
                /* Returns ok only if it matches the correct server type */
                ok = ads_fill_cldap_reply(ads,
                                          false,
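Review bot: A missing reply (`responses[i] == NULL`) now puts that server into the negative connection cache on its own, whereas the loop removed further down only did so when no server at all was suitable. CLDAP runs over UDP, so a single lost datagram looks the same here as a dead DC and would keep a healthy server out of rotation until the entry expires. If that trade-off is intended, the NULL branch should say so, e.g. `/* no reply within the timeout: treat as unreachable for the cache lifetime */`. The `retry = true; continue;` path depends on the `again:` loop to bound the number of passes, and that loop is outside the hunk.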
@@ -573,16 +614,6 @@ again:
                }
        }
 
-       /* keep track of failures as all were not suitable */
-       for (i = 0; i < num_requests; i++) {
-               char server[INET6_ADDRSTRLEN];
-
-               print_sockaddr(server, sizeof(server), &req_sa_list[i]->u.ss);
-
-               add_failed_connection_entry(domain, server,
-                                           NT_STATUS_UNSUCCESSFUL);
-       }
-
        status = NT_STATUS_NO_LOGON_SERVERS;
        DBG_WARNING("realm[%s] no valid response "
                    "num_requests[%zu] for count[%zu] - %s\n",
diff --git a/source3/libsmb/conncache.c b/source3/libsmb/conncache.c
index 7310b508a3b..353c1e8f930 100644
--- a/source3/libsmb/conncache.c
+++ b/source3/libsmb/conncache.c
@@ -147,8 +147,9 @@ NTSTATUS check_negative_conn_cache( const char *domain, 
const char *server)
        if (gencache_get(key, talloc_tos(), &value, NULL))
                result = negative_conn_cache_valuedecode(value);
  done:
-       DEBUG(9,("check_negative_conn_cache returning result %d for domain %s "
-                 "server %s\n", NT_STATUS_V(result), domain, server));
+       DBG_PREFIX(NT_STATUS_IS_OK(result) ? DBGLVL_DEBUG : DBGLVL_INFO,
+                  ("returning result %s for domain %s "
+                   "server %s\n", nt_errstr(result), domain, server));
        TALLOC_FREE(key);
        TALLOC_FREE(value);
        return result;
@@ -187,7 +188,8 @@ void add_failed_connection_entry(const char *domain, const 
char *server,
        if (gencache_set(key, value,
                         time(NULL) + FAILED_CONNECTION_CACHE_TIMEOUT))
                DEBUG(9,("add_failed_connection_entry: added domain %s (%s) "
-                         "to failed conn cache\n", domain, server ));
+                         "to failed conn cache %s\n", domain, server,
+                        nt_errstr(result)));
        else
                DEBUG(1,("add_failed_connection_entry: failed to add "
                          "domain %s (%s) to failed conn cache\n",
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index 654893c172c..a61c34a9ae3 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -791,6 +791,12 @@ static NTSTATUS make_dc_info_from_cldap_reply(
 
        char addr[INET6_ADDRSTRLEN];
 
+       if (r->command == LOGON_SAM_LOGON_PAUSE_RESPONSE ||
+           r->command == LOGON_SAM_LOGON_PAUSE_RESPONSE_EX)
+       {
+               return NT_STATUS_NETLOGON_NOT_STARTED;
+       }
+
        if (sa != NULL) {
                print_sockaddr(addr, sizeof(addr), &sa->u.ss);
                dc_address = addr;
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index 9a47f034d38..779386be39d 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -2576,6 +2576,14 @@ static NTSTATUS resolve_ads(TALLOC_CTX *ctx,
        for(i = 0; i < numdcs; i++) {
                /* Copy all the IP addresses from the SRV response */
                size_t j;
+
+               status = check_negative_conn_cache(name, dcs[i].hostname);
+               if (!NT_STATUS_IS_OK(status)) {
+                       DBG_DEBUG("Skipping blacklisted server [%s] "
+                                 "for domain [%s]", dcs[i].hostname, name);
+                       continue;
+               }
+
                for (j = 0; j < dcs[i].num_ips; j++) {
                        char addr[INET6_ADDRSTRLEN];
 
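Review bot: The new `DBG_DEBUG("Skipping blacklisted server [%s] " "for domain [%s]", ...)` message lacks the trailing `\n`, here in the per-hostname check and again in the per-address check in the next hunk, so both will run into whatever is logged next. The format strings should end in `"for domain [%s]\n"`. resolve_ads() starts and ends outside both hunks.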
@@ -2584,12 +2592,19 @@ static NTSTATUS resolve_ads(TALLOC_CTX *ctx,
                                continue;
                        }
 
+                       print_sockaddr(addr,
+                                      sizeof(addr),
+                                      &srv_addrs[num_srv_addrs]);
+
                        DBG_DEBUG("SRV lookup %s got IP[%zu] %s\n",
-                               name,
-                               j,
-                               print_sockaddr(addr,
-                                       sizeof(addr),
-                                       &srv_addrs[num_srv_addrs]));
+                                 name, j, addr);
+
+                       status = check_negative_conn_cache(name, addr);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               DBG_DEBUG("Skipping blacklisted server [%s] "
+                                          "for domain [%s]", addr, name);
+                               continue;
+                       }
 
                        num_srv_addrs++;
                }
diff --git a/source3/modules/vfs_virusfilter.c 
b/source3/modules/vfs_virusfilter.c
index b566b628ed2..9b65f44de44 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -219,6 +219,11 @@ static int virusfilter_vfs_connect(
        int ret = -1;
        bool ok;
 
+       ret = SMB_VFS_NEXT_CONNECT(handle, svc, user);
+       if (ret < 0) {
+               return ret;
+       }
+
        config = talloc_zero(handle, struct virusfilter_config);
        if (config == NULL) {
                DBG_ERR("talloc_zero failed\n");
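Review bot: With `SMB_VFS_NEXT_CONNECT()` now called first in virusfilter_vfs_connect(), every later failure return leaves the lower VFS modules connected, starting with the `config == NULL` path visible here. Most of the error paths are outside the hunk, so this needs checking against the full function, but each should undo the connect with `SMB_VFS_NEXT_DISCONNECT(handle);` before returning the error. A one-line comment on the new call saying why it must precede the module's own setup would also help, since the final `return 0;` no longer shows where the chain is invoked.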
@@ -578,7 +583,7 @@ static int virusfilter_vfs_connect(
                }
        }
 
-       return SMB_VFS_NEXT_CONNECT(handle, svc, user);
+       return 0;
 }
 
 static void virusfilter_vfs_disconnect(struct vfs_handle_struct *handle)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c 
b/source3/rpc_server/netlogon/srv_netlog_nt.c
index e5abcbdbd84..53ace9e2a46 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2655,7 +2655,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct 
pipes_struct *p,
                return WERR_INVALID_FLAGS;
        }
 
-       if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != 
ROLE_DOMAIN_PDC)) {
+       if ((r->in.flags & DS_GFTI_UPDATE_TDO) &&
+           (lp_server_role() != ROLE_DOMAIN_PDC) &&
+           (lp_server_role() != ROLE_IPA_DC))
+       {
                p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
                return WERR_NERR_NOTPRIMARY;
        }
diff --git a/source3/script/tests/test_net_ads_kerberos.sh 
b/source3/script/tests/test_net_ads_kerberos.sh
new file mode 100755
index 00000000000..8a3c9ef2bc7
--- /dev/null
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@@ -0,0 +1,158 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+       cat <<EOF
+Usage: test_net_ads_kerberos.sh USERNAME REALM PASSWORD PREFIX
+EOF
+       exit 1
+fi
+
+USERNAME="$1"
+REALM="$2"
+PASSWORD="$3"
+PREFIX="$4"
+shift 4
+ADDARGS="$*"
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+


-- 
Samba Shared Repository
