The branch, v4-23-stable has been updated
via 942092eadf5 VERSION: Disable GIT_SNAPSHOT for the 4.23.0 release.
via 44daf531b54 WHATSNEW: Add release notes for Samba 4.23.0.
via c51f476794a s4:auth: Fix 'no delegation' logic in
gensec_gssapi_start()
via 48d375dbe0f third_party: Bump version for socket_wrapper
via c4349b4d3a4 pytest: safe_tarfile: accept NotADirectoryError as bad
path rejection
via 4cb72d2c15f selftest: Do not use wrappers for samba.tests.docs
via eb9a6f40d14 printing: Fix an uninitialized read
via 8a85326c716 s4:torture: Fix stack buffer overflow in
test_dirlease_oplocks()
via 5bbb682b0fc s3:net: Pass down the server from cmdline to
sync_pw2keytabs()
via 5294b24f6e2 tests: Add test for 'net ads join' to a preferred DC
via 65181b65b83 selftest: Add the short name for localvampiredc to
hosts file
via 1e6a3af2058 ctdb: fix build against PCP 7.0.0
via a2f9e7392ea VERSION: Bump version up to Samba 4.23.0rc5...
from cd1acdf3240 VERSION: Disable GIT_SNAPSHOT for the 4.23.0rc4 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-23-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 38 ++++++++++----
buildtools/wafsamba/samba_third_party.py | 2 +-
ctdb/utils/pmda/pmda_ctdb.c | 11 +++-
ctdb/wscript | 21 ++++----
python/samba/tests/safe_tarfile.py | 3 +-
selftest/target/Samba4.pm | 2 +-
selftest/tests.py | 9 +++-
source3/include/secrets.h | 25 +++++----
source3/libads/ads_proto.h | 2 +-
source3/libads/kerberos_keytab.c | 24 +++++++--
source3/libads/trusts_util.c | 15 +++---
source3/libads/util.c | 10 ++--
source3/libnet/libnet_join.c | 2 +-
source3/passdb/machine_account_secrets.c | 10 ++--
source3/printing/print_generic.c | 2 +-
source3/utils/net.c | 10 ++--
source3/utils/net_ads.c | 2 +-
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/selftest/tests.py | 1 +
source4/torture/smb2/lease.c | 2 +-
.../blackbox/test_net_ads_join_to_preferred_dc.sh | 61 ++++++++++++++++++++++
third_party/socket_wrapper/wscript | 2 +-
23 files changed, 193 insertions(+), 65 deletions(-)
create mode 100755 testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index a037177e3f0..ec498854233 100644
--- a/VERSION
+++ b/VERSION
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=4
+SAMBA_VERSION_RC_RELEASE=
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 73af675c1ab..106646c6f0e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,16 +1,11 @@
-Release Announcements
-=====================
+ ==============================
+ Release Notes for Samba 4.23.0
+ September 12, 2025
+ ==============================
-This is the fourth release candidate release of Samba 4.23. This is *not*
-intended for production environments and is designed for testing
-purposes only. Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
-Samba 4.23 will be the next version of the Samba suite.
-
-
-UPGRADING
-=========
+This is the first stable release of the Samba 4.22 release series.
+Please read the release notes carefully before upgrading.
NEW FEATURES/CHANGES
@@ -126,6 +121,27 @@ smb.conf changes
winbind varlink service New no
+CHANGES SINCE 4.23.0rc4
+=======================
+
+o Douglas Bagnall <[email protected]>
+ * BUG 15911: samba.tests.safe_tarfile fails on Python 3.13 with additional
+ security fixes for tarfile support.
+
+o Alexander Bokovoy <[email protected]>
+ * BUG 15904: CTDB does not support PCP 7.0.0.
+
+o Pavel Filipenský <[email protected]>
+ * BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
+
+o Volker Lendecke <[email protected]>
+ * BUG 15908: Uninitialized read leads to hanging rpcd_spoolss.
+
+o Andreas Schneider <[email protected]>
+ * BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
+ * BUG 15907: Stack buffer overflow in samba3.smb2.dirlease.fileserver.
+
+
CHANGES SINCE 4.23.0rc3
=======================
diff --git a/buildtools/wafsamba/samba_third_party.py
b/buildtools/wafsamba/samba_third_party.py
index b6c5ad60964..8f0c56dec79 100644
--- a/buildtools/wafsamba/samba_third_party.py
+++ b/buildtools/wafsamba/samba_third_party.py
@@ -24,7 +24,7 @@ Build.BuildContext.CHECK_CMOCKA = CHECK_CMOCKA
@conf
def CHECK_SOCKET_WRAPPER(conf):
- return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.5.0')
+ return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.5.1')
Build.BuildContext.CHECK_SOCKET_WRAPPER = CHECK_SOCKET_WRAPPER
@conf
diff --git a/ctdb/utils/pmda/pmda_ctdb.c b/ctdb/utils/pmda/pmda_ctdb.c
index 7ac8a3b38d1..9845f26defb 100644
--- a/ctdb/utils/pmda/pmda_ctdb.c
+++ b/ctdb/utils/pmda/pmda_ctdb.c
@@ -39,10 +39,19 @@
#define pmID_cluster(id) id->cluster
#define pmID_item(id) id->item
+#endif
+
+#ifndef HAVE_PMGETPROGNAME
#define pmGetProgname() pmProgname
+#endif
+#ifndef HAVE_PMSETPROGNAME
#define pmSetProgname(a) __pmSetProgname(a)
#endif
+#ifdef HAVE_STRUCT_PMRESULT
+#define pmdaResult pmResult
+#endif
+
#include "domain.h"
/*
@@ -450,7 +459,7 @@ err_out:
* instance domain evaluation.
*/
static int
-pmda_ctdb_fetch(int numpmid, pmID pmidlist[], pmResult **resp, pmdaExt *pmda)
+pmda_ctdb_fetch(int numpmid, pmID pmidlist[], pmdaResult **resp, pmdaExt *pmda)
{
int ret;
diff --git a/ctdb/wscript b/ctdb/wscript
index e9cd89436a3..6ab68dce870 100644
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -226,16 +226,17 @@ def configure(conf):
have_pmda = False
if Options.options.ctdb_pmda:
- pmda_support = True
-
- if not conf.CHECK_HEADERS('pcp/pmapi.h pcp/impl.h pcp/pmda.h',
- together=True):
- pmda_support = False
- if not conf.CHECK_FUNCS_IN('pmProgname', 'pcp'):
- pmda_support = False
- if not conf.CHECK_FUNCS_IN('pmdaDaemon', 'pcp_pmda'):
- pmda_support = False
- if pmda_support:
+ checks = [conf.CHECK_HEADERS('pcp/pmapi.h pcp/impl.h pcp/pmda.h',
+ together=True),
+ conf.CHECK_FUNCS_IN('pmdaDaemon', 'pcp_pmda')]
+
+ have_progname = [conf.CHECK_FUNCS_IN('pmProgname', 'pcp'),
+ conf.CHECK_FUNCS_IN('pmGetProgname', 'pcp'),
+ conf.CHECK_FUNCS_IN('pmSetProgname', 'pcp')]
+
+ conf.CHECK_TYPE_IN('struct pmResult', 'pcp/pmapi.h')
+
+ if all(checks) and any(have_progname):
conf.CHECK_TYPE_IN('__pmID_int', 'pcp/pmapi.h pcp/impl.h')
have_pmda = True
else:
diff --git a/python/samba/tests/safe_tarfile.py
b/python/samba/tests/safe_tarfile.py
index 1f2cb03aeb4..6dc2a6e3355 100644
--- a/python/samba/tests/safe_tarfile.py
+++ b/python/samba/tests/safe_tarfile.py
@@ -45,7 +45,8 @@ class SafeTarFileTestCase(TestCaseInTempDir):
# If we have data_filter, we have a patched python to address
# CVE-2007-4559.
if hasattr(tarfile, "data_filter"):
- self.assertRaises(tarfile.OutsideDestinationError,
+ self.assertRaises((tarfile.OutsideDestinationError,
+ NotADirectoryError),
stf.extractall,
tarname)
else:
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 9635629d291..8d30fefbab2 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -878,7 +878,7 @@ nogroup:x:65534:nobody
my $hostname = lc($ctx->{hostname});
open(HOSTS, ">>$ctx->{nsswrap_hosts}");
- if ($hostname eq "localdc") {
+ if ($hostname eq "localdc" || $hostname eq "localvampiredc") {
print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname}
$ctx->{dnsname} ${hostname}\n";
print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname}
$ctx->{dnsname} ${hostname}\n";
} else {
diff --git a/selftest/tests.py b/selftest/tests.py
index 49fe5e6426b..104fa65f672 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -57,7 +57,14 @@ planpythontestsuite("none", "samba.tests.source")
planpythontestsuite("none", "samba.tests.source_chars")
if have_man_pages_support:
- planpythontestsuite("none", "samba.tests.docs")
+ # This is a unit test which doesn't need any wrappers. We unset LD_PRELOAD
+ # as it is causing issues with Python >= 3.14 passing sockets around if a
+ # task is running concurrently.
+ planpythontestsuite(
+ "none",
+ "samba.tests.docs",
+ environ={'LD_PRELOAD': ''}
+ )
try:
import testscenarios
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index a454c8bb8ff..061b9c6ef34 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -125,12 +125,15 @@ char *secrets_domain_info_string(TALLOC_CTX *mem_ctx,
const struct secrets_domai
NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain,
TALLOC_CTX *mem_ctx,
struct secrets_domain_info1 **pinfo);
-NTSTATUS secrets_prepare_password_change(const char *domain, const char
*dcname,
- const char *cleartext_unix,
- TALLOC_CTX *mem_ctx,
- struct secrets_domain_info1 **pinfo,
- struct secrets_domain_info1_change
**pprev,
- NTSTATUS (*sync_pw2keytabs_fn)(void));
+NTSTATUS secrets_prepare_password_change(
+ const char *domain,
+ const char *dcname,
+ const char *cleartext_unix,
+ TALLOC_CTX *mem_ctx,
+ struct secrets_domain_info1 **pinfo,
+ struct secrets_domain_info1_change **pprev,
+ NTSTATUS (*sync_pw2keytabs_fn)(const char *),
+ const char *opt_host);
NTSTATUS secrets_failed_password_change(const char *change_server,
NTSTATUS local_status,
NTSTATUS remote_status,
@@ -139,10 +142,12 @@ NTSTATUS secrets_defer_password_change(const char
*change_server,
NTSTATUS local_status,
NTSTATUS remote_status,
const struct secrets_domain_info1 *info);
-NTSTATUS secrets_finish_password_change(const char *change_server,
- NTTIME change_time,
- const struct secrets_domain_info1 *info,
- NTSTATUS (*sync_pw2keytabs_fn)(void));
+NTSTATUS secrets_finish_password_change(
+ const char *change_server,
+ NTTIME change_time,
+ const struct secrets_domain_info1 *info,
+ NTSTATUS (*sync_pw2keytabs_fn)(const char *),
+ const char *prefer_dc);
bool secrets_delete_machine_password_ex(const char *domain, const char *realm);
bool secrets_delete_domain_sid(const char *domain);
char *secrets_fetch_prev_machine_password(const char *domain);
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index e5b68530866..a368e04d7e4 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -229,6 +229,6 @@ struct spn_struct {
/* parse a windows style SPN, returns NULL if parsing fails */
struct spn_struct *parse_spn(TALLOC_CTX *ctx, const char *srvprinc);
-NTSTATUS sync_pw2keytabs(void);
+NTSTATUS sync_pw2keytabs(const char *prefer_dc);
#endif /* _LIBADS_ADS_PROTO_H_ */
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ed26c6af499..364d8421bda 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -84,6 +84,7 @@ struct pw2kt_global_state {
char *ad_upn;
char *ad_sam_account;
char **ad_spn_array;
+ const char *prefer_dc;
size_t ad_num_spns;
/* This is from secrets.db */
struct secrets_domain_info1 *info;
@@ -869,8 +870,11 @@ static ADS_STATUS pw2kt_get_dc_info(struct
pw2kt_global_state *state)
int count;
bool ok;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
- ADS_STRUCT *ads = ads_init(
- tmp_ctx, lp_realm(), lp_workgroup(), NULL, ADS_SASL_SIGN);
+ ADS_STRUCT *ads = ads_init(tmp_ctx,
+ lp_realm(),
+ lp_workgroup(),
+ state->prefer_dc,
+ ADS_SASL_SIGN);
if (ads == NULL) {
DBG_ERR("ads_init() failed\n");
@@ -1029,7 +1033,20 @@ static bool pw2kt_default_keytab_name(char *name_str,
size_t name_size)
return true;
}
-NTSTATUS sync_pw2keytabs(void)
+/**
+ * @internal
+ *
+ * @brief Sync machine password from secrets to keytab
+ *
+ * @param prefer_dc The DC we should talk to. This is especially important
+ * during domain join. Pass NULL if we should pick a random
+ * one.
+ *
+ * @return An NTSTATUS error code.
+ *
+ * @see NT_STATUS_IS_OK()
+ */
+NTSTATUS sync_pw2keytabs(const char *prefer_dc)
{
TALLOC_CTX *frame = talloc_stackframe();
const struct loadparm_substitution *lp_sub =
@@ -1055,6 +1072,7 @@ NTSTATUS sync_pw2keytabs(void)
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
+ state->prefer_dc = prefer_dc;
lp_ptr = lp_sync_machine_password_to_keytab();
if (lp_ptr == NULL) {
diff --git a/source3/libads/trusts_util.c b/source3/libads/trusts_util.c
index 9bea87990b6..2a1f732f298 100644
--- a/source3/libads/trusts_util.c
+++ b/source3/libads/trusts_util.c
@@ -359,10 +359,11 @@ NTSTATUS trust_pw_change(struct
netlogon_creds_cli_context *context,
&info,
&prev,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ NULL /* opt_host */);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("secrets_prepare_password_change() failed for
domain %s!\n",
domain));
@@ -609,10 +610,11 @@ NTSTATUS trust_pw_change(struct
netlogon_creds_cli_context *context,
prev->password->change_time,
info,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ prev->password->change_server);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("secrets_prepare_password_change() failed for
domain %s!\n",
domain));
@@ -758,10 +760,11 @@ NTSTATUS trust_pw_change(struct
netlogon_creds_cli_context *context,
info->next_change->change_time,
info,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ info->next_change->change_server);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("secrets_finish_password_change() failed for
domain %s!\n",
domain));
diff --git a/source3/libads/util.c b/source3/libads/util.c
index 243dd09f3d0..360e556ab9b 100644
--- a/source3/libads/util.c
+++ b/source3/libads/util.c
@@ -59,10 +59,11 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT
*ads, char *host_princip
&info,
&prev,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ ads->auth.kdc_server);
if (!NT_STATUS_IS_OK(status)) {
return ADS_ERROR_NT(status);
}
@@ -138,10 +139,11 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT
*ads, char *host_princip
now,
info,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ ads->auth.kdc_server);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("Failed to save machine password\n"));
return ADS_ERROR_NT(status);
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index c33724494aa..609b2b96222 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -869,7 +869,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX
*mem_ctx,
static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
struct libnet_JoinCtx *r)
{
- NTSTATUS ntstatus = sync_pw2keytabs();
+ NTSTATUS ntstatus = sync_pw2keytabs(r->in.dc_name);
return NT_STATUS_IS_OK(ntstatus);
}
diff --git a/source3/passdb/machine_account_secrets.c
b/source3/passdb/machine_account_secrets.c
index 971dd15aa5f..525092b2e1a 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -1673,7 +1673,8 @@ NTSTATUS secrets_prepare_password_change(const char
*domain, const char *dcname,
TALLOC_CTX *mem_ctx,
struct secrets_domain_info1 **pinfo,
struct secrets_domain_info1_change
**pprev,
- NTSTATUS (*sync_pw2keytabs_fn)(void))
+ NTSTATUS (*sync_pw2keytabs_fn)(const
char *),
+ const char *opt_host)
{
TALLOC_CTX *frame = talloc_stackframe();
struct db_context *db = NULL;
@@ -1770,7 +1771,7 @@ NTSTATUS secrets_prepare_password_change(const char
*domain, const char *dcname,
}
if (prev == NULL && sync_pw2keytabs_fn != NULL) {
- status = sync_pw2keytabs_fn();
+ status = sync_pw2keytabs_fn(opt_host);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("Sync of machine password failed.\n");
TALLOC_FREE(frame);
@@ -2022,7 +2023,8 @@ NTSTATUS secrets_defer_password_change(const char
*change_server,
NTSTATUS secrets_finish_password_change(const char *change_server,
NTTIME change_time,
const struct secrets_domain_info1
*cookie,
- NTSTATUS (*sync_pw2keytabs_fn)(void))
+ NTSTATUS (*sync_pw2keytabs_fn)(const
char *),
+ const char *prefer_dc)
{
const char *domain = cookie->domain_info.name.string;
TALLOC_CTX *frame = talloc_stackframe();
@@ -2101,7 +2103,7 @@ NTSTATUS secrets_finish_password_change(const char
*change_server,
}
if (sync_pw2keytabs_fn != NULL) {
- status = sync_pw2keytabs_fn();
+ status = sync_pw2keytabs_fn(prefer_dc);
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("Sync of machine password failed.\n");
TALLOC_FREE(frame);
diff --git a/source3/printing/print_generic.c b/source3/printing/print_generic.c
index d5bfa9ea527..7c7a14de045 100644
--- a/source3/printing/print_generic.c
+++ b/source3/printing/print_generic.c
@@ -161,7 +161,7 @@ static int generic_queue_get(const char *printer_name,
print_status_struct *status)
{
char **qlines;
- int fd;
+ int fd = -1;
int numlines, i, qcount;
print_queue_struct *queue = NULL;
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 7ce93ced79e..ecabd980d0c 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -235,10 +235,11 @@ static int net_changesecretpw(struct net_context *c, int
argc,
&info,
&prev,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ c->opt_host);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr,
_("Unable to write the machine account password
in the secrets database"));
@@ -261,10 +262,11 @@ static int net_changesecretpw(struct net_context *c, int
argc,
now,
info,
#ifdef HAVE_ADS
- sync_pw2keytabs);
+ sync_pw2keytabs,
#else
- NULL);
+ NULL,
#endif
+ c->opt_host);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr,
_("Unable to write the machine account password
in the secrets database"));
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 6c11faeb091..d49b7537e71 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2935,7 +2935,7 @@ static int net_ads_keytab_create(struct net_context *c,
int argc, const char **a
net_use_krb_machine_account(c);
}
- ntstatus = sync_pw2keytabs();
+ ntstatus = sync_pw2keytabs(c->opt_host);
ret = NT_STATUS_IS_OK(ntstatus) ? 0 : 1;
return ret;
}
diff --git a/source4/auth/gensec/gensec_gssapi.c
b/source4/auth/gensec/gensec_gssapi.c
index c43dc66ab4a..6eef0547e1d 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -200,7 +200,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security
*gensec_security)
--
Samba Shared Repository
