The branch, v4-21-stable has been updated
       via  63a935cbc8f VERSION: Disable GIT_SNAPSHOT for the 4.21.10 release.
       via  73b2acddc10 WHATSNEW: Add release notes for Samba 4.21.10.
       via  93152dcbc7d ctdb-scripts: Avoid failing updateip when IP is not 
assigned
       via  604e1ab09c6 ctdb-scripts: Avoid printing a message if no connections
       via  605972c5dd7 ctdb-tests: Add an event script unit test for updateip
       via  cb080ee6277 ctdb-daemon: Fix a crash due to a failed updateip
       via  a5294d2a735 ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
       via  bf3c99e70f6 Revert "s3/rpc_server/dfs: fix creating a DFS link"
       via  22ac145743a Revert "vfs_xattr_tdb: fix dangling symlink detection"
       via  fbdc6c6da73 Revert "pylibsmb: add SMB2_FIND_ID_BOTH_DIRECTORY_INFO"
       via  a3d7a2a82a2 Revert "python/tests: also populate self.server in 
calls LibsmbTests setup()"
       via  8755a16858b Revert "CI: add Python test 
samba.tests.dcerpc.dfs.DfsTests.test_dfs_reparse_tag"
       via  1f0bdf8873a Revert "smbd: return correct reparse tag DFS when 
listing directories"
       via  13587f415c9 VERSION: Bump version up to Samba 4.21.10...
       via  894e1537d93 Merge tag 'samba-4.21.9' into v4-21-test
       via  825d6197eff ctdb-common: Only respect CTDB_SOCKET in CTDB_TEST_MODE
       via  467557d63a0 ctdb-common: Factor out checking of CTDB_TEST_MODE
       via  086f6393ab3 ctdb-pmda: Do not directly support CTDB_SOCKET 
environment variable
       via  13bc5d1887e vfs_ceph_new: Use integer value instead of boolean
       via  c74aa4a6cbe vfs_ceph_new: dont use ceph_ll_nonblocking_readv_writev 
for fsync_send
       via  a200d4720ee smbd: return correct reparse tag DFS when listing 
directories
       via  c9f67123071 CI: add Python test 
samba.tests.dcerpc.dfs.DfsTests.test_dfs_reparse_tag
       via  327fd685213 python/tests: also populate self.server in calls 
LibsmbTests setup()
       via  3c7b596f1bb pylibsmb: add SMB2_FIND_ID_BOTH_DIRECTORY_INFO
       via  2de3b8ec09c vfs_xattr_tdb: fix dangling symlink detection
       via  a2ad8f49cfe s3/rpc_server/dfs: fix creating a DFS link
       via  d1a778414e1 s3:net: Pass down the server from cmdline to 
sync_pw2keytabs()
       via  015c3ef6c10 tests: Add test for 'net ads join' to a preferred DC
       via  393e35dca2b selftest: Add the short name for localvampiredc to 
hosts file
       via  070ff8f5766 VERSION: Bump version up to Samba 4.21.9...
      from  25ea748dac2 VERSION: Disable GIT_SNAPSHOT for the 4.21.9 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |  4 +-
 WHATSNEW.txt                                       | 60 ++++++++++++-
 ctdb/common/path.c                                 | 35 ++++++--
 ctdb/config/events/legacy/10.interface.script      | 97 ++++++++++++----------
 ctdb/config/functions                              |  4 +
 ctdb/server/ctdb_takeover.c                        | 10 ++-
 ctdb/server/ctdbd.c                                |  7 ++
 ctdb/tests/README                                  | 10 ++-
 .../UNIT/eventscripts/10.interface.updateip.001.sh | 16 ++++
 ctdb/utils/pmda/pmda_ctdb.c                        | 13 +--
 selftest/target/Samba.pm                           |  1 +
 selftest/target/Samba3.pm                          |  1 +
 selftest/target/Samba4.pm                          |  2 +-
 source3/include/secrets.h                          | 25 +++---
 source3/libads/ads_proto.h                         |  2 +-
 source3/libads/kerberos_keytab.c                   | 24 +++++-
 source3/libads/trusts_util.c                       | 15 ++--
 source3/libads/util.c                              | 10 ++-
 source3/libnet/libnet_join.c                       |  2 +-
 source3/modules/vfs_ceph_new.c                     | 12 +--
 source3/passdb/machine_account_secrets.c           | 10 ++-
 source3/utils/net.c                                | 10 ++-
 source3/utils/net_ads.c                            |  2 +-
 source4/selftest/tests.py                          |  1 +
 .../blackbox/test_net_ads_join_to_preferred_dc.sh  | 61 ++++++++++++++
 25 files changed, 322 insertions(+), 112 deletions(-)
 create mode 100755 ctdb/tests/UNIT/eventscripts/10.interface.updateip.001.sh
 create mode 100755 testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index be0768339f9..06d255f9bc7 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2024"
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=21
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=10
 
 ########################################################
 # If a official release has a serious bug              #
@@ -101,7 +101,7 @@ SAMBA_VERSION_RC_RELEASE=
 # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes               #
 #  ->  "3.0.0-SVN-build-199"                           #
 ########################################################
-SAMBA_VERSION_IS_GIT_SNAPSHOT=no
+SAMBA_VERSION_IS_GIT_SNAPSHOT=no 
 
 ########################################################
 # This is for specifying a release nickname            #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 299c894c198..c5c422cdf3c 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,60 @@
+                   ===============================
+                   Release Notes for Samba 4.21.10
+                          November 11, 2025
+                   ===============================
+
+
+This is the latest stable release of the Samba 4.21 release series.
+
+
+Changes since 4.21.9
+--------------------
+
+o  Bailey Allison <[email protected]>
+   * BUG 15935: Crash in ctdbd on failed updateip.
+
+o  Pavel Filipenský <[email protected]>
+   * BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
+
+o  Anoop C S <[email protected]>
+   * BUG 15919: vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev
+     for fsync_send.
+
+o  Andreas Schneider <[email protected]>
+   * BUG 15905: samba-4.21 fails to join AD when multiple DCs are returned.
+
+o  Shachar Sharon <[email protected]>
+   * BUG 15919: vfs_ceph_new should not use ceph_ll_nonblocking_readv_writev
+     for fsync_send.
+
+o  Martin Schwenke <[email protected]>
+   * BUG 15921: CTDB_SOCKET can be used even when CTDB_TEST_MODE is not set.
+   * BUG 15935: Crash in ctdbd on failed updateip.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.21.9
                           October 15, 2025
@@ -44,8 +101,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.21.8
                          September 09, 2025
diff --git a/ctdb/common/path.c b/ctdb/common/path.c
index ea3b08f4b2e..0d935429460 100644
--- a/ctdb/common/path.c
+++ b/ctdb/common/path.c
@@ -45,16 +45,30 @@ struct {
        .vardir = CTDB_VARDIR,
 };
 
-static void path_set_basedir(void)
+static void path_set_test_mode(void)
 {
-       const char *t;
-
+       const char *t = NULL;
+
+       /*
+        * Do not use CTDB_TEST_MODE outside a test environment to
+        * attempt to (for example) improve installation flexibility.
+        * This is unsupported, may cause unwanted security issues and
+        * may break in future releases.
+        */
        t = getenv("CTDB_TEST_MODE");
        if (t == NULL) {
-               goto done;
+               return;
        }
 
        ctdb_paths.test_mode = true;
+}
+
+static void path_set_basedir(void)
+{
+       path_set_test_mode();
+       if (!ctdb_paths.test_mode) {
+               goto done;
+       }
 
        ctdb_paths.basedir = getenv("CTDB_BASE");
        if (ctdb_paths.basedir == NULL) {
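Review bot: The `t == NULL` test in path_set_test_mode() turns test mode on for any value of CTDB_TEST_MODE, including an empty string or `no`, and the variable is read from the same environment as the CTDB_BASE and CTDB_SOCKET lookups it gates. The gate therefore stops a stray CTDB_SOCKET from taking effect in a production environment, but it is not a trust boundary against whoever controls the process environment; the comment should say so, for example `/* Any value, even empty, enables test mode; this does not protect against a hostile environment. */`. If any ctdb tool can run with elevated privilege from a less trusted environment (not visible here), `secure_getenv()` would be the stricter choice where available. The same applies to the gated CTDB_SOCKET read in the path_socket() hunk that follows; path_set_basedir() continues outside this hunk.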
@@ -188,11 +202,14 @@ char *path_config(TALLOC_CTX *mem_ctx)
 
 char *path_socket(TALLOC_CTX *mem_ctx, const char *daemon)
 {
-       if (strcmp(daemon, "ctdbd") == 0) {
-               const char *t = getenv("CTDB_SOCKET");
-
-               if (t != NULL) {
-                       return talloc_strdup(mem_ctx, t);
+       path_set_test_mode();
+       if (ctdb_paths.test_mode) {
+               if (strcmp(daemon, "ctdbd") == 0) {
+                       const char *t = getenv("CTDB_SOCKET");
+
+                       if (t != NULL) {
+                               return talloc_strdup(mem_ctx, t);
+                       }
                }
        }
 
diff --git a/ctdb/config/events/legacy/10.interface.script 
b/ctdb/config/events/legacy/10.interface.script
index dfd796563fd..f0545a40455 100755
--- a/ctdb/config/events/legacy/10.interface.script
+++ b/ctdb/config/events/legacy/10.interface.script
@@ -5,7 +5,7 @@
 # this adds/removes IPs from your 
 # public interface
 
-[ -n "$CTDB_BASE" ] || \
+[ -n "$CTDB_BASE" ] ||
        CTDB_BASE=$(d=$(dirname "$0") && cd -P "$d" && dirname "$PWD")
 
 . "${CTDB_BASE}/functions"
@@ -13,7 +13,7 @@
 load_script_options
 
 if ! have_public_addresses; then
-       if [ "$1" = "init" ] ; then
+       if [ "$1" = "init" ]; then
                echo "No public addresses file found"
        fi
        exit 0
@@ -32,8 +32,8 @@ monitor_interfaces()
        #
        # public_ifaces set by get_public_ifaces() above
        # shellcheck disable=SC2154
-       for _iface in $public_ifaces ; do
-               if interface_monitor "$_iface" ; then
+       for _iface in $public_ifaces; do
+               if interface_monitor "$_iface"; then
                        up_interfaces_found=true
                        $CTDB setifacelink "$_iface" up >/dev/null 2>&1
                else
@@ -42,11 +42,11 @@ monitor_interfaces()
                fi
        done
 
-       if ! $down_interfaces_found ; then
+       if ! $down_interfaces_found; then
                return 0
        fi
 
-       if ! $up_interfaces_found ; then
+       if ! $up_interfaces_found; then
                return 1
        fi
 
@@ -58,63 +58,66 @@ monitor_interfaces()
 }
 
 # Sets: iface, ip, maskbits
-get_iface_ip_maskbits ()
+get_iface_ip_maskbits()
 {
-    _iface_in="$1"
-    ip="$2"
-    _maskbits_in="$3"
-
-    # Intentional word splitting here
-    # shellcheck disable=SC2046
-    set -- $(ip_maskbits_iface "$ip")
-    if [ -n "$1" ] ; then
-       maskbits="$1"
-       iface="$2"
-
-       if [ "$iface" != "$_iface_in" ] ; then
-           printf \
-               'WARNING: Public IP %s hosted on interface %s but VNN says 
%s\n' \
-               "$ip" "$iface" "$_iface_in"
-       fi
-       if [ "$maskbits" != "$_maskbits_in" ] ; then
-           printf \
-               'WARNING: Public IP %s has %s bit netmask but VNN says %s\n' \
-                   "$ip" "$maskbits" "$_maskbits_in"
+       _iface_in="$1"
+       ip="$2"
+       _maskbits_in="$3"
+
+       # Intentional word splitting here
+       # shellcheck disable=SC2046
+       set -- $(ip_maskbits_iface "$ip")
+       if [ -n "$1" ]; then
+               maskbits="$1"
+               iface="$2"
+
+               if [ "$iface" != "$_iface_in" ]; then
+                       printf 'WARNING: Public IP %s hosted on interface %s 
but VNN says %s\n' \
+                               "$ip" "$iface" "$_iface_in"
+               fi
+               if [ "$maskbits" != "$_maskbits_in" ]; then
+                       printf 'WARNING: Public IP %s has %s bit netmask but 
VNN says %s\n' \
+                               "$ip" "$maskbits" "$_maskbits_in"
+               fi
+       else
+               if [ "$_iface_in" = "__none__" ]; then
+                       echo "WARNING: Unable to determine interface for IP 
${ip}"
+                       iface="$_iface_in"
+                       return
+               fi
+               die "ERROR: Unable to determine interface for IP ${ip}"
        fi
-    else
-       die "ERROR: Unable to determine interface for IP ${ip}"
-    fi
 }
 
-ip_block ()
+ip_block()
 {
        _ip="$1"
        _iface="$2"
 
        case "$_ip" in
        *:*) _family="inet6" ;;
-       *)   _family="inet"  ;;
+       *) _family="inet" ;;
        esac
 
        # Extra delete copes with previously killed script
        iptables_wrapper "$_family" \
-                        -D INPUT -i "$_iface" -d "$_ip" -j DROP 2>/dev/null
+               -D INPUT -i "$_iface" -d "$_ip" -j DROP 2>/dev/null
        iptables_wrapper "$_family" \
-                        -I INPUT -i "$_iface" -d "$_ip" -j DROP
+               -I INPUT -i "$_iface" -d "$_ip" -j DROP
 }
 
-ip_unblock ()
+ip_unblock()
 {
        _ip="$1"
        _iface="$2"
 
        case "$_ip" in
        *:*) _family="inet6" ;;
-       *)   _family="inet"  ;;
+       *) _family="inet" ;;
        esac
 
        iptables_wrapper "$_family" \
-                        -D INPUT -i "$_iface" -d "$_ip" -j DROP 2>/dev/null
+               -D INPUT -i "$_iface" -d "$_ip" -j DROP 2>/dev/null
 }
 
 ctdb_check_args "$@"
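Review bot: The new `__none__` branch in get_iface_ip_maskbits() returns after assigning only `iface`, so `maskbits` stays unset or stale even though the header comment says the function sets iface, ip and maskbits. The updateip hunk further down passes `"$maskbits"` to delete_ip_from_iface and add_ip_to_iface, presumably after this call, so unless it is assigned somewhere outside these hunks those helpers receive an empty prefix length. Adding `maskbits="$_maskbits_in"` before the `return` keeps the documented contract.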
@@ -128,8 +131,8 @@ init)
        }
 
        _promote="sys/net/ipv4/conf/all/promote_secondaries"
-       get_proc "$_promote" >/dev/null 2>&1 || \
-           die "Public IPs only supported if promote_secondaries is available"
+       get_proc "$_promote" >/dev/null 2>&1 ||
+               die "Public IPs only supported if promote_secondaries is 
available"
 
        # make sure we drop any ips that might still be held if
        # previous instance of ctdb got killed with -9 or similar
@@ -152,7 +155,7 @@ takeip)
        update_my_public_ip_addresses "takeip" "$ip"
 
        add_ip_to_iface "$iface" "$ip" "$maskbits" || {
-               exit 1;
+               exit 1
        }
 
        # In case a previous "releaseip" for this IP was killed...
@@ -213,15 +216,19 @@ updateip)
 
        # Could check maskbits too.  However, that should never change
        # so we want to notice if it does.
-       if [ "$oiface" = "$niface" ] ; then
+       if [ "$oiface" = "$niface" ]; then
                echo "Redundant \"updateip\" - ${ip} already on ${niface}"
                exit 0
        fi
 
-       ip_block "$ip" "$oiface"
-
-       delete_ip_from_iface "$oiface" "$ip" "$maskbits" 2>/dev/null
-       delete_ip_from_iface "$niface" "$ip" "$maskbits" 2>/dev/null
+       # Behave more like takeip when the IP is not assigned.  No
+       # need for a similar condition around ip_unblock()s because
+       # they will silently fail.
+       if [ "$oiface" != "__none__" ]; then
+               ip_block "$ip" "$oiface"
+               delete_ip_from_iface "$oiface" "$ip" "$maskbits" >/dev/null 2>&1
+       fi
+       delete_ip_from_iface "$niface" "$ip" "$maskbits" >/dev/null 2>&1
 
        add_ip_to_iface "$niface" "$ip" "$maskbits" || {
                ip_unblock "$ip" "$oiface"
diff --git a/ctdb/config/functions b/ctdb/config/functions
index 4139059a3d3..d61852a8161 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -594,6 +594,10 @@ tickle_tcp_connections()
        _conns=$(get_tcp_connections_for_ip "$_ip" |
                awk '{ print $1, $2 ; print $2, $1 }')
 
+       if [ -z "$_conns" ]; then
+               return
+       fi
+
        echo "$_conns" | awk '{ print "Tickle TCP connection", $1, $2 }'
        echo "$_conns" | ctdb tickle
 }
diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c
index b9196e3ff63..f1b3119bf34 100644
--- a/ctdb/server/ctdb_takeover.c
+++ b/ctdb/server/ctdb_takeover.c
@@ -613,7 +613,15 @@ static void ctdb_do_updateip_callback(struct ctdb_context 
*ctdb, int status,
                 */
                ctdb_vnn_unassign_iface(ctdb, state->vnn);
                state->vnn->iface = state->old;
-               state->vnn->iface->references++;
+               /*
+                * state->old (above) can be NULL if the IP wasn't
+                * recorded as held by this node but the system thinks
+                * the IP was assigned.  In that case, a move could
+                * still be desirable..
+                */
+               if (state->vnn->iface != NULL) {
+                       state->vnn->iface->references++;
+               }
 
                ctdb_request_control_reply(ctdb, state->c, NULL, status, NULL);
                talloc_free(state);
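Review bot: The new guard covers only the `references++` dereference; if `state->old` is used anywhere else in this failure branch (the lines above the hunk, for instance an error message naming the old interface, are not visible) the same NULL case applies there and should be checked. The comment would be more useful if it stated the resulting invariant, e.g. `/* vnn->iface may be NULL after this path; later users must check. */`, and the trailing `..` is a typo. ctdb_do_updateip_callback() starts and ends outside the hunk.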
diff --git a/ctdb/server/ctdbd.c b/ctdb/server/ctdbd.c
index 67311c6a5da..12f5e00c7c8 100644
--- a/ctdb/server/ctdbd.c
+++ b/ctdb/server/ctdbd.c
@@ -242,6 +242,13 @@ int main(int argc, const char *argv[])
         * Logging setup/options
         */
 
+
+       /*
+        * Do not use CTDB_TEST_MODE outside a test environment to
+        * attempt to (for example) improve installation flexibility.
+        * This is unsupported, may cause unwanted security issues and
+        * may break in future releases.
+        */
        test_mode = getenv("CTDB_TEST_MODE");
 
        /* Log to stderr (ignoring configuration) when running as interactive */
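Review bot: ctdbd keeps its own `getenv("CTDB_TEST_MODE")` plus a second copy of the warning comment, while path.c in the same series factors the check into path_set_test_mode(); two independent readers of the variable can drift apart over time. Because that helper is `static`, sharing it would need a small exported accessor in path.c, which may be worth a follow-up. The added empty `+` line before the comment creates a double blank line and can be dropped. main() continues outside the hunk.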
diff --git a/ctdb/tests/README b/ctdb/tests/README
index 80f3311b684..8a243c21703 100644
--- a/ctdb/tests/README
+++ b/ctdb/tests/README
@@ -98,7 +98,7 @@ Test and debugging variable options
           PID file relative to CTDB_BASE.
 
           When testing with multiple local daemons on a single
-          machine this does 3 extra things:
+          machine this does some extra things:
 
           * Disables checks related to public IP addresses
 
@@ -107,6 +107,14 @@ Test and debugging variable options
 
           * Disables real-time scheduling
 
+          * Allows the CTDB_SOCKET environment variable to be used to
+            specify ctdbd's Unix domain socket location.
+
+          Do not use this variable outside a test environment to
+          attempt to (for example) improve installation flexibility.
+          This is unsupported, may cause unwanted security issues and
+          may break in future releases.
+
        CTDB_DEBUG_HUNG_SCRIPT_LOGFILE=FILENAME
           FILENAME specifies where log messages should go when
           debugging hung eventscripts. This is a testing option. See
diff --git a/ctdb/tests/UNIT/eventscripts/10.interface.updateip.001.sh 
b/ctdb/tests/UNIT/eventscripts/10.interface.updateip.001.sh
new file mode 100755
index 00000000000..e9567a8d114
--- /dev/null
+++ b/ctdb/tests/UNIT/eventscripts/10.interface.updateip.001.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "error - update a non-existent ip"
+
+setup
+
+public_address=$(ctdb_get_1_public_address)
+ip="${public_address% *}"
+ip="${ip#* }"
+
+ok "WARNING: Unable to determine interface for IP ${ip}"
+# Want separate words from public_address: interface IP maskbits
+# shellcheck disable=SC2086
+simple_test "__none__" $public_address
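Review bot: The title given to define_test starts with "error", but the expectation set with `ok` is a successful run that prints only a warning, so the title and the assertion disagree; something like `define_test "updateip - IP not assigned, warn and continue"` describes what is checked. The test also asserts only on the warning line, so it would not notice a wrong or empty netmask in the address commands that follow. If the framework's stubbed interface state can be inspected here (not visible in this hunk), checking the resulting address would tighten the test.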
diff --git a/ctdb/utils/pmda/pmda_ctdb.c b/ctdb/utils/pmda/pmda_ctdb.c
index 7ac8a3b38d1..9df7f780652 100644
--- a/ctdb/utils/pmda/pmda_ctdb.c
+++ b/ctdb/utils/pmda/pmda_ctdb.c
@@ -28,6 +28,8 @@
 #include "lib/util/time.h"
 #include "lib/util/blocking.h"
 
+#include "common/path.h"
+
 #include "client/client.h"
 #include "client/client_sync.h"
 
@@ -49,9 +51,7 @@
  * CTDB PMDA
  *
  * This PMDA connects to the locally running ctdbd daemon and pulls
- * statistics for export via PCP. The ctdbd Unix domain socket path can be
- * specified with the CTDB_SOCKET environment variable, otherwise the default
- * path is used.
+ * statistics for export via PCP.
  */
 
 /*
@@ -191,7 +191,7 @@ pmda_ctdb_disconnected(void *args)
 static int
 pmda_ctdb_daemon_connect(void)
 {
-       const char *socket_name;
+       char *socket_name = NULL;
        int ret;
 
        ev = tevent_context_init(NULL);
@@ -200,9 +200,9 @@ pmda_ctdb_daemon_connect(void)
                return -1;
        }
 
-       socket_name = getenv("CTDB_SOCKET");
+       socket_name = path_socket(ev, "ctdbd");
        if (socket_name == NULL) {
-               socket_name = CTDB_SOCKET;
+               goto err_ev;
        }
 
        ret = ctdb_client_init(ev, ev, socket_name, &client);
@@ -215,6 +215,7 @@ pmda_ctdb_daemon_connect(void)
        ctdb_client_set_disconnect_callback(client, pmda_ctdb_disconnected,
                                            NULL);
 
+       talloc_free(socket_name);


-- 
Samba Shared Repository
