The branch, v4-23-test has been updated
via 82bcd3d8046 Revert "ldb: User hexchars_upper from replace.h"
via 4ebdc808cc1 s3:libads: Set udp_preference_limit = 0 for MIT Kerberos
via 0c50f3d513d s3:libads: Set a request timeout for Kerberos requests
via f09e6d24233 s3-winbindd: make sure we always have WINBINDD_CACHE_VERSION in winbindd_cache.tdb
via 57a6d19deea s3-winbindd: provide one wcache_open() function for all tdb opens
via 4a31a42c102 s3-winbindd: make initialize_winbindd_cache() static
via 3c9b3169ebc s3-winbind: make wcache_store_seqnum static
via 971a37fa4c6 s3-winbindd: Fix winbind NDR caching.
via 603a8d2936e s3-selftest: add tests for winbindd_cache.tdb sanity
from b3f2445aef4 vfs_fruit: psd->dacl can be NULL, use orig_num_aces
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-23-test
- Log -----------------------------------------------------------------
commit 82bcd3d80464713b6d88ca3e830265d03d26f1a2
Author: Andreas Schneider <[email protected]>
Date: Tue Dec 2 14:02:08 2025 +0100
Revert "ldb: User hexchars_upper from replace.h"
This reverts commit 542cf01bfe530a83dfbc8a606d182c0a5a622059.
We shouldn't put a hard requirement for libreplace in libldb! We do not need
libreplace on Linux until we start using hexbytes_upper.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15961
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
(cherry picked from commit 1bb25c0e01d35b1adb3137cb193de27f5c5a65f0)
Autobuild-User(v4-23-test): Jule Anger <[email protected]>
Autobuild-Date(v4-23-test): Thu Dec 11 17:00:21 UTC 2025 on atb-devel-224
commit 4ebdc808cc1394d9b7eefc6d2a815b8d373162ec
Author: Andreas Schneider <[email protected]>
Date: Thu Nov 27 11:04:30 2025 +0100
s3:libads: Set udp_preference_limit = 0 for MIT Kerberos
This option enables TCP connection before UDP, when sending a message to
the KDC.
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
(cherry picked from commit 2c51cf118a1d9b7a5956a62e71df8fa1e576599c)
commit 0c50f3d513ddcba77544ecbefa525ca3693d8a37
Author: Andreas Schneider <[email protected]>
Date: Wed Nov 19 14:42:24 2025 +0100
s3:libads: Set a request timeout for Kerberos requests
Without this, libkrb5 can wait indefinitely after creating a TCP
connection. This means winbind is stuck forever till it is restarted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15955
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
(cherry picked from commit 92601536ba0490bdfb5dd632fff2e5c0b541620c)
commit f09e6d242333acbd8b89c4a645a6bca712651843
Author: Günther Deschner <[email protected]>
Date: Fri Jul 25 22:50:08 2025 +0200
s3-winbindd: make sure we always have WINBINDD_CACHE_VERSION in
winbindd_cache.tdb
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15963
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Andreas Schneider <[email protected]>
Autobuild-Date(master): Mon Dec 8 09:59:58 UTC 2025 on atb-devel-224
(cherry picked from commit d6ee9b04f2c9875953fba60a26a764ef61670114)
commit 57a6d19deea651aad5c37f206659ef2ae1ac0391
Author: Günther Deschner <[email protected]>
Date: Fri Jul 25 23:05:39 2025 +0200
s3-winbindd: provide one wcache_open() function for all tdb opens
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15963
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 7136a6ba39ddf025e85c639f3e53f53f8ff46cb5)
commit 4a31a42c102ee3f184401b98e70fbe8fee602d8a
Author: Günther Deschner <[email protected]>
Date: Fri Jul 25 22:43:55 2025 +0200
s3-winbindd: make initialize_winbindd_cache() static
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15963
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 6667f25507687c19f3d3eaa3301a7ccd2433d4e3)
commit 3c9b3169ebcc93ed840d827467c39bc0a26b7b1c
Author: Günther Deschner <[email protected]>
Date: Fri Aug 1 16:10:48 2025 +0200
s3-winbind: make wcache_store_seqnum static
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15963
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit ffe1883d7d68dd933b6fa41e3af722e8688ff882)
commit 971a37fa4c61cc5a163695f3d725d7203a8558f1
Author: Günther Deschner <[email protected]>
Date: Thu Jul 17 16:49:03 2025 +0200
s3-winbindd: Fix winbind NDR caching.
All of winbindd's core caching relies on NDR entries. Those entries can
not be stored in winbindd_cache.tdb via wcache_store_ndr() as long as
there is no SEQNUM entry present in the cache.
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15963
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit c4606bc40632869ff4f1036cf6899df400d15a53)
commit 603a8d2936e6a07547cdad4ee72c526fb975d281
Author: Günther Deschner <[email protected]>
Date: Fri Jul 25 17:58:59 2025 +0200
s3-selftest: add tests for winbindd_cache.tdb sanity
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15963
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 073a9482f0ace8847781181a552e0d0ceb897d0c)
-----------------------------------------------------------------------
Summary of changes:
lib/ldb/common/ldb_dn.c | 11 ++-
source3/libads/kerberos.c | 16 ++++
source3/script/tests/test_winbind_cache_sanity.sh | 112 ++++++++++++++++++++++
source3/selftest/tests.py | 4 +
source3/winbindd/winbindd_cache.c | 82 ++++++++--------
source3/winbindd/winbindd_proto.h | 3 -
6 files changed, 184 insertions(+), 44 deletions(-)
create mode 100755 source3/script/tests/test_winbind_cache_sanity.sh
Changeset truncated at 500 lines:
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index 5b8c0f4f580..389da444904 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -232,10 +232,15 @@ static int ldb_dn_escape_internal(char *dst, const char
*src, int len)
case '\0': {
/* any others get \XX form */
unsigned char v;
+ /*
+ * Do not use libreplace for this. We don't want to have
+ * a hard requirement for it.
+ */
+ const char *hexbytes = "0123456789ABCDEF";
v = (const unsigned char)c;
*d++ = '\\';
- *d++ = hexchars_upper[v>>4];
- *d++ = hexchars_upper[v&0xF];
+ *d++ = hexbytes[v>>4];
+ *d++ = hexbytes[v&0xF];
break;
}
default:
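Review bot: the lookup table added in the `case '\0'` block is declared as `const char *hexbytes`, a pointer to a string literal set up inside the branch; `static const char hexbytes[] = "0123456789ABCDEF";` would keep the table in read-only data and make it clear that it is a fixed 16-entry table indexed by `v>>4` and `v&0xF`. The comment about not depending on libreplace is the part a later cleanup would otherwise undo, so it is worth keeping as is.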
@@ -2100,7 +2105,7 @@ int ldb_dn_set_extended_component(struct ldb_dn *dn,
unsigned int i;
struct ldb_val v2;
const struct ldb_dn_extended_syntax *ext_syntax;
-
+
if ( ! ldb_dn_validate(dn)) {
return LDB_ERR_OTHER;
}
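Review bot: the removed and added lines after the `ext_syntax` declaration differ only in whitespace, so this hunk makes no functional change to `ldb_dn_set_extended_component()`. If it is here only because the revert is mechanical, that is fine, but it should not be read as part of the libreplace fix.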
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d8325201b2f..5593364c397 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1380,6 +1380,15 @@ bool create_local_private_krb5_conf_for_domain(const
char *realm,
char *enctypes = NULL;
const char *include_system_krb5 = "";
mode_t mask;
+ /*
+ * The default will be 15 seconds, it can be changed in the smb.conf:
+ * [global]
+ * krb5:request_timeout = 30
+ */
+ int timeout_sec = lp_parm_int(-1,
+ "krb5",
+ "request_timeout",
+ 15 /* default */);
if (!lp_create_krb5_conf()) {
return false;
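Review bot: `timeout_sec` comes from `lp_parm_int(-1, "krb5", "request_timeout", 15)` and is used without a range check, so a zero or negative value in smb.conf would be written straight into the generated krb5.conf. Reject or clamp values below 1, and log the fallback, before the file is built. The `krb5:request_timeout` parametric option is described only in this comment; it should also be mentioned in the smb.conf documentation so administrators can find it.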
@@ -1449,6 +1458,12 @@ bool create_local_private_krb5_conf_for_domain(const
char *realm,
file_contents =
talloc_asprintf(fname,
"[libdefaults]\n"
+#ifdef SAMBA4_USES_HEIMDAL
+ "\tkdc_timeout = %d\n"
+#else
+ "\trequest_timeout = %ds\n"
+ "\tudp_preference_limit = 0\n"
+#endif
"\tdefault_realm = %s\n"
"%s"
"\tdns_lookup_realm = false\n"
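Review bot: in the non-Heimdal branch `udp_preference_limit = 0` is hard-coded with no smb.conf override, while the timeout written next to it is configurable; sites that rely on UDP to the KDC have no way to opt out short of disabling `create krb5 conf`. The two branches also write the timeout in different forms (`kdc_timeout = %d` versus `request_timeout = %ds`), so a short comment stating that both are seconds would help the next reader.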
@@ -1458,6 +1473,7 @@ bool create_local_private_krb5_conf_for_domain(const char
*realm,
"\t%s = {\n"
"%s\t}\n"
"%s\n",
+ timeout_sec,
realm_upper,
enctypes,
realm_upper,
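Review bot: `timeout_sec` is now the first variadic argument and only lines up because each `#ifdef` branch of the format string contains exactly one `%d` ahead of the first `%s`. If one branch later gains or loses a conversion, the remaining arguments shift silently. A comment at the argument list, or formatting the timeout line into its own string and inserting it with `%s`, would remove that coupling.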
diff --git a/source3/script/tests/test_winbind_cache_sanity.sh
b/source3/script/tests/test_winbind_cache_sanity.sh
new file mode 100755
index 00000000000..65d4e4cb778
--- /dev/null
+++ b/source3/script/tests/test_winbind_cache_sanity.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+ cat <<EOF
+Usage: test_winbind_cache_sanity.sh DOMAIN CACHE
+EOF
+ exit 1
+fi
+
+DOMAIN="$1"
+CACHE="$2"
+shift 2
+ADDARGS="$*"
+
+TDBTOOL=tdbtool
+if test -x "$BINDIR"/tdbtool; then
+ TDBTOOL=$BINDIR/tdbtool
+fi
+DBWRAP_TOOL=$BINDIR/dbwrap_tool
+WBINFO=$BINDIR/wbinfo
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+
+#################################################
+## Test "$CACHE" presence
+#################################################
+
+testit "$CACHE presence" \
+ test -r "$CACHE" \
+ || failed=$((failed + 1))
+
+
+#################################################
+## Test very simple wbinfo query to fill up cache with NDR/ and SEQNUM/ entries
+#################################################
+
+separator=$("$WBINFO" --separator)
+
+testit "calling wbinfo -n$DOMAIN$separator to fillup cache" \
+ "$VALGRIND" "$WBINFO" -n "$DOMAIN$separator" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+
+#################################################
+## Test "WINBINDD_CACHE_VERSION" presence
+#################################################
+
+KEY="WINBINDD_CACHE_VERSION"
+WINBINDD_CACHE_VER2=2
+
+testit "$KEY presence via dbwrap" \
+ "$VALGRIND" "$DBWRAP_TOOL" --persistent "$CACHE" fetch $KEY uint32 \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+#tdbtool will never fail so we have to parse the output...
+testit_grep "$KEY presence via tdbtool" "data 4 bytes" \
+ "$VALGRIND" "$TDBTOOL" "$CACHE" show "$KEY\\00" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+current_ver=$("$DBWRAP_TOOL" --persistent "$CACHE" fetch $KEY uint32)
+
+testit "$KEY value via dbwrap to be WINBINDD_CACHE_VER2" \
+ test "$current_ver" = $WINBINDD_CACHE_VER2 \
+ || failed=$((failed + 1))
+
+
+#################################################
+## Test "SEQNUM/$DOMAIN" presence
+#################################################
+
+KEY="SEQNUM/$DOMAIN"
+
+testit "$KEY SEQNUM presence via dbwrap" \
+ "$VALGRIND" "$DBWRAP_TOOL" --persistent "$CACHE" exists "$KEY" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+#tdbtool will never fail so we have to parse the output...
+testit_grep "$KEY SEQNUM presence via tdbtool" "data 8 bytes" \
+ "$VALGRIND" "$TDBTOOL" "$CACHE" show "$KEY\\00" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+
+#################################################
+## Test
"NDR/$DOMAIN/3/\09\00\00\00\00\00\00\00\09\00\00\00$DOMAIN\00\00\00\00\01\00\00\00\00\00\00\00\01\00\00\00\00\00\00\00\00\00\00\00"
presence
+## this is the resulting cache entry for a simple
+## wbinfo -n $DOMAIN\ query
+#################################################
+
+opnum=$($PYTHON -c'from samba.dcerpc.winbind import wbint_LookupName;
print(wbint_LookupName.opnum())')
+KEY="NDR/$DOMAIN/$opnum/\\09\\00\\00\\00\\00\\00\\00\\00\\09\\00\\00\\00$DOMAIN\\00\\00\\00\\00\\01\\00\\00\\00\\00\\00\\00\\00\\01\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00"
+
+#DBWRAP_TOOL does not support non-null terminated keys so it cannot find it...
+#testit "$KEY NDR presence via dbwrap" \
+# "$VALGRIND" "$DBWRAP_TOOL" --persistent $CACHE exists $KEY \
+# "$ADDARGS" \
+# || failed=$((failed + 1))
+
+#tdbtool will never fail so we have to parse the output...
+# key 59 bytes
+testit_grep "$KEY NDR presence via tdbtool" "data 44 bytes" \
+ "$VALGRIND" "$TDBTOOL" "$CACHE" show "$KEY" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+testok "$0" "$failed"
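Review bot: the script never sets `failed` itself before the first `failed=$((failed + 1))` or the final `testok "$0" "$failed"`, so unless subunit.sh initialises it, a fully passing run hands `testok` an empty string; add `failed=0` near the top. `"$VALGRIND"` and `"$ADDARGS"` are quoted in every `testit` call, which passes an empty argument when they are unset, and `opnum` is taken from `$PYTHON` without checking that the lookup succeeded, so an empty `opnum` would only surface as a failed tdbtool grep. The commented-out dbwrap_tool block for the NDR key could be reduced to the one-line explanation above it.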
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index efba899a920..395f435f697 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -731,6 +731,10 @@ plantestsuite("samba3.winbind_call_depth_trace", env,
[os.path.join(srcdir(),
"source3/script/tests/test_winbind_call_depth_trace.sh"),
smbcontrol, configuration, '$PREFIX', env])
+plantestsuite("samba3.winbind_cache_sanity", env,
+ [os.path.join(srcdir(),
+
"source3/script/tests/test_winbind_cache_sanity.sh"),
+ '$DOMAIN', '$LOCK_DIR/winbindd_cache.tdb'])
env = "fl2008r2dc:local"
plantestsuite("samba3.wbinfo_user_info", env,
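Review bot: the new suite is registered once, for the `env` in effect at this point, with the cache path fixed to `$LOCK_DIR/winbindd_cache.tdb`. `wcache_open()` in this same change behaves differently when `winbind offline logon` is enabled (no `TDB_CLEAR_IF_FIRST`, no version write), so running the sanity test in an environment with offline logon turned on as well would cover the branch that is currently untested.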
diff --git a/source3/winbindd/winbindd_cache.c
b/source3/winbindd/winbindd_cache.c
index 96fee6c4218..95578452ee8 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -505,8 +505,8 @@ static NTSTATUS fetch_cache_seqnum( struct winbindd_domain
*domain, time_t now )
return NT_STATUS_OK;
}
-bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum,
- time_t last_seq_check)
+static bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum,
+ time_t last_seq_check)
{
size_t len = strlen(domain_name);
char keystr[len+8];
@@ -3167,10 +3167,40 @@ bool wcache_invalidate_cache_noinit(void)
return true;
}
-static bool init_wcache(void)
+static TDB_CONTEXT *wcache_open(void)
{
char *db_path;
+ TDB_CONTEXT *tdb = NULL;
+ bool wcache_wiped = !lp_winbind_offline_logon();
+ db_path = wcache_path();
+ if (db_path == NULL) {
+ return NULL;
+ }
+
+ /* when working offline we must not clear the cache on restart */
+ tdb = tdb_open_log(db_path,
+ WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
+ TDB_INCOMPATIBLE_HASH |
+ (lp_winbind_offline_logon()
+ ? TDB_DEFAULT
+ : (TDB_DEFAULT |
+ TDB_CLEAR_IF_FIRST)),
+ O_RDWR | O_CREAT,
+ 0600);
+ TALLOC_FREE(db_path);
+
+ if (wcache_wiped) {
+ tdb_store_uint32(tdb,
+ WINBINDD_CACHE_VERSION_KEYSTR,
+ WINBINDD_CACHE_VERSION);
+ }
+
+ return tdb;
+}
+
+static bool init_wcache(void)
+{
if (wcache == NULL) {
wcache = SMB_XMALLOC_P(struct winbind_cache);
ZERO_STRUCTP(wcache);
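Review bot: in `wcache_open()` the result of `tdb_open_log()` is not checked before `tdb_store_uint32(tdb, WINBINDD_CACHE_VERSION_KEYSTR, ...)`, so when the open fails and offline logon is disabled the store is called with a NULL `tdb`; return NULL right after `TALLOC_FREE(db_path)` if `tdb == NULL`. The return value of `tdb_store_uint32()` is ignored as well. `wcache_wiped` is simply `!lp_winbind_offline_logon()`, so the version key is rewritten on every open rather than only when `TDB_CLEAR_IF_FIRST` actually cleared the file, while a database freshly created through `O_CREAT` in offline-logon mode gets no version key from this helper. Keying the write off whether the version record is missing would cover both cases and make the flag name accurate.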
@@ -3179,23 +3209,19 @@ static bool init_wcache(void)
if (wcache->tdb != NULL)
return true;
- db_path = wcache_path();
- if (db_path == NULL) {
- return false;
- }
-
- /* when working offline we must not clear the cache on restart */
- wcache->tdb = tdb_open_log(db_path,
- WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
- TDB_INCOMPATIBLE_HASH |
- (lp_winbind_offline_logon() ?
TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST)),
- O_RDWR|O_CREAT, 0600);
- TALLOC_FREE(db_path);
+ wcache->tdb = wcache_open();
if (wcache->tdb == NULL) {
DBG_ERR("Failed to open winbindd_cache.tdb!\n");
return false;
}
+ /*
+ * Create a dummy SEQNUM entry early, otherwise every call via the
+ * winbind NDR interface will fail to call wcache_store_ndr() when there
+ * is no SEQNUM present already
+ */
+ wcache_store_seqnum(lp_workgroup(), 0, 0);
+
return true;
}
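Review bot: `wcache_store_seqnum(lp_workgroup(), 0, 0)` in `init_wcache()` runs whenever the cache is first opened, including with offline logon where the database is kept across restarts, and its `bool` result is dropped. If the store replaces an existing record, a valid SEQNUM for the workgroup is reset to 0; check for an existing `SEQNUM/` entry first and log when the store fails. The dummy is written only for `lp_workgroup()`, so the comment should say how other domains get their entry.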
@@ -3205,7 +3231,7 @@ static bool init_wcache(void)
only opener.
************************************************************************/
-bool initialize_winbindd_cache(void)
+static bool initialize_winbindd_cache(void)
{
bool cache_bad = false;
uint32_t vers = 0;
@@ -3390,8 +3416,6 @@ static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb,
TDB_DATA kbuf,
/* flush the cache */
static void wcache_flush_cache(void)
{
- char *db_path;
-
if (!wcache)
return;
if (wcache->tdb) {
@@ -3402,18 +3426,7 @@ static void wcache_flush_cache(void)
return;
}
- db_path = wcache_path();
- if (db_path == NULL) {
- return;
- }
-
- /* when working offline we must not clear the cache on restart */
- wcache->tdb = tdb_open_log(db_path,
- WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
- TDB_INCOMPATIBLE_HASH |
- (lp_winbind_offline_logon() ? TDB_DEFAULT :
(TDB_DEFAULT | TDB_CLEAR_IF_FIRST)),
- O_RDWR|O_CREAT, 0600);
- TALLOC_FREE(db_path);
+ wcache->tdb = wcache_open();
if (!wcache->tdb) {
DBG_ERR("Failed to open winbindd_cache.tdb!\n");
return;
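Review bot: the open in `wcache_flush_cache()` now goes through `wcache_open()`, which writes the version key, but the dummy SEQNUM record is created only in `init_wcache()`. If this path can leave the database without a `SEQNUM/` entry, `wcache_store_ndr()` is back to the failure this series fixes; seeding the entry here as well would keep the open paths consistent.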
@@ -4237,14 +4250,7 @@ int winbindd_validate_cache(void)
goto done;
}
- tdb = tdb_open_log(tdb_path,
- WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
- TDB_INCOMPATIBLE_HASH |
- ( lp_winbind_offline_logon()
- ? TDB_DEFAULT
- : TDB_DEFAULT | TDB_CLEAR_IF_FIRST ),
- O_RDWR|O_CREAT,
- 0600);
+ tdb = wcache_open();
if (!tdb) {
DBG_ERR("winbindd_validate_cache: "
"error opening/initializing tdb\n");
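Review bot: `winbindd_validate_cache()` used to open `tdb_path` directly and now calls `wcache_open()`, which computes the path itself through `wcache_path()` and, when offline logon is off, writes `WINBINDD_CACHE_VERSION` into the database before it is validated. Confirm that `tdb_path` and `wcache_path()` always name the same file, and consider whether a validation routine should modify the database it is checking; a variant of the helper that does not write would avoid that.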
diff --git a/source3/winbindd/winbindd_proto.h
b/source3/winbindd/winbindd_proto.h
index ae41923b244..1b6a4f5d115 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -143,7 +143,6 @@ void wcache_invalidate_samlogon(struct winbindd_domain
*domain,
const struct dom_sid *user_sid);
bool wcache_invalidate_cache(void);
bool wcache_invalidate_cache_noinit(void);
-bool initialize_winbindd_cache(void);
void close_winbindd_cache(void);
bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
char **domain_name, char **name,
@@ -178,8 +177,6 @@ bool wcache_tdc_fetch_list( struct winbindd_tdc_domain
**domains, size_t *num_do
bool wcache_tdc_add_domain( struct winbindd_domain *domain );
struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const
char *name );
void wcache_tdc_clear( void );
-bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum,
- time_t last_seq_check);
bool wcache_fetch_ndr(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
uint32_t opnum, const DATA_BLOB *req, DATA_BLOB *resp);
void wcache_store_ndr(struct winbindd_domain *domain, uint32_t opnum,
--
Samba Shared Repository