The branch, v4-24-test has been updated
via 9de3dbfe0dc s3:libads: Separate use of ads->config.flags for NBT_*
and DS_* values
via 425504a00f5 s3:libads: Reset ads->config.flags in ads_disconnect()
via 20980f69c3d printing: Fix compilation error for native 32-bit time_t
via 66924b3ba7f WHATSNEW: add ceph_new fscrypt note
via ab68cd21873 VERSION: Bump version up to Samba 4.24.0rc2...
from d753ebb10ff VERSION: Disable GIT_SNAPSHOT for the Samba 4.24.0rc1
release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-24-test
- Log -----------------------------------------------------------------
commit 9de3dbfe0dcee57520358d49629d8309e5a6b704
Author: Pavel Filipenský <[email protected]>
Date: Sun Jan 18 01:04:11 2026 +0100
s3:libads: Separate use of ads->config.flags for NBT_* and DS_* values
Use of ads->config.flags is overloaded.
It is used to:
- pass DS_* flags down to cldap_netlogon()
- store the server_type from NETLOGON_SAM_LOGON_RESPONSE
Both cases use different values and cannot be combined.
E.g. flags mess up with value 0x00000080
NBT_SERVER_CLOSEST 0x00000080
DS_PDC_REQUIRED 0x00000080
Let's create two separate flags
nbt_server_type server_flags; /* NBT_* cldap flags identifying the
services. */
uint32 required_flags; /* DS_* - Netlogon flags */
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Pavel Filipensky <[email protected]>
Autobuild-Date(master): Thu Jan 22 09:14:25 UTC 2026 on atb-devel-224
(cherry picked from commit 7483903575eab97773a992149d64511d5ec6f256)
Autobuild-User(v4-24-test): Björn Jacke <[email protected]>
Autobuild-Date(v4-24-test): Thu Jan 22 16:16:45 UTC 2026 on atb-devel-224
commit 425504a00f5f973cdbcbbd2dc88b240886754aad
Author: Pavel Filipenský <[email protected]>
Date: Mon Jan 19 14:33:52 2026 +0100
s3:libads: Reset ads->config.flags in ads_disconnect()
This is doing the same thing in ads_disconnect() as commit
a26f535 Clear previous CLDAP ping flags when reusing the ADS_STRUCT
did in ads_current_time()
In this case we:
1) found cached ADS_STRUCT which already has ads->config.flags set:
lookup_groupmem()
ads_cached_connection()
ads_cached_connection_reuse()
2) started search which immediately times out (the cached conn. was dead)
ads_do_search_retry_internal()
ldap_search_with_timeout() - IO_TIMEOUT
3) Retry loop finds a new DC and tries to connect
ads_do_search_retry_internal()
ads_disconnect()
ads_find_dc()
ads_try_connect()
netlogon_pings()
check_cldap_reply_required_flags()
4) check_cldap_reply_required_flags() fails since ads->config.flags
(stored possibly long time ago) contain:
NBT_SERVER_CLOSEST 0x00000080
which is misinterpreted as:
DS_PDC_REQUIRED 0x00000080
the newly found DC is not PDC (we asked for DS_ONLY_LDAP_NEEDED)
and since previous DC had NBT_SERVER_CLOSEST we want DS_PDC_REQUIRED
and fail.
We should anyway avoid mixing independent namespaces NBT_* and DS_*
in the same flag.
Next commit will do that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 9f3a35991feb01a8d2c2b69fa0b914bbc637a809)
commit 20980f69c3de13a5d14a37d954710be691ade890
Author: Michael Tokarev <[email protected]>
Date: Wed Jan 21 10:35:15 2026 +0530
printing: Fix compilation error for native 32-bit time_t
commit#e9a7dce599eb12d broke samba compilation for 32-bit time_t.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15976
Used correct pointer type to fix the warning to fix compilation.
Pair-Programmed-With: Vinit Agnihotri <[email protected]>
Signed-off-by: Michael Tokarev <[email protected]>
Signed-off-by: Vinit Agnihotri <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
Reviewed-by: Volker Lendecke <[email protected]>
Autobuild-User(master): Volker Lendecke <[email protected]>
Autobuild-Date(master): Wed Jan 21 19:23:29 UTC 2026 on atb-devel-224
commit 66924b3ba7f5d6eac340d5b3e2082b953bba61fb
Author: John Mulligan <[email protected]>
Date: Wed Jan 21 09:58:41 2026 -0500
WHATSNEW: add ceph_new fscrypt note
Signed-off-by: John Mulligan <[email protected]>
Reviewed-by: Anoop C S <[email protected]>
Reviewed-by: Shachar Sharon <[email protected]>
commit ab68cd218738abd702805ca64379c2acb16c129c
Author: Björn Jacke <[email protected]>
Date: Thu Jan 22 13:48:11 2026 +0100
VERSION: Bump version up to Samba 4.24.0rc2...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Björn Jacke <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 4 ++--
WHATSNEW.txt | 15 ++++++++++++++
source3/libads/ldap.c | 45 ++++++++++++++++++++++--------------------
source3/librpc/idl/ads.idl | 4 +++-
source3/libsmb/namequery_dc.c | 4 +++-
source3/printing/printing.c | 7 +++++--
source3/winbindd/winbindd_cm.c | 6 +++---
7 files changed, 55 insertions(+), 30 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 54d4d37ad6f..aa63d828c27 100644
--- a/VERSION
+++ b/VERSION
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=1
+SAMBA_VERSION_RC_RELEASE=2
########################################################
# To mark SVN snapshots this should be set to 'yes' #
@@ -101,7 +101,7 @@ SAMBA_VERSION_RC_RELEASE=1
# e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes #
# -> "3.0.0-SVN-build-199" #
########################################################
-SAMBA_VERSION_IS_GIT_SNAPSHOT=no
+SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
########################################################
# This is for specifying a release nickname #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 345dc417e9c..e7e70473130 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -218,6 +218,21 @@ limits are exceeded, it dynamically injects millisecond
delays into async
operations to maintain the defined threshold.
+CephFS FSCrypt support for the VFS ceph_new module
+--------------------------------------------------
+The ceph_new VFS module can now make use of the FSCrypt feature recently added
+to CephFS. This enhancement enables data and file name encryption on a per
+share basis. A single CephFS file system may host a mix of encrypted and
+unencrypted directories.
+
+To obtain the encryption keys needed for FSCrypt the ceph_new module includes
+support for the Keybridge protocol. Keybridge is an RPC protocol based on
+Varlink that can retrieve keys from a local service via a UNIX socket. Users
+can choose to develop a custom Keybridge implementation or use the existing
+KMIP-compatible Keybridge server available as part of the sambacc project
+(https://github.com/samba-in-kubernetes/sambacc).
+
+
REMOVED FEATURES
================
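Review bot: The added WHATSNEW section says keys are retrieved "from a local service via a UNIX socket" but names neither the share options that turn FSCrypt on nor where the socket path is set, so a reader cannot act on it from this text alone. Suggest pointing to the module's manpage or listing the parameter names, and stating who is expected to own and restrict access to that socket, since it hands out encryption keys.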
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index e3e4ff2b240..cc1715d151d 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -237,7 +237,7 @@ bool ads_sitename_match(ADS_STRUCT *ads)
bool ads_closest_dc(ADS_STRUCT *ads)
{
- if (ads->config.flags & NBT_SERVER_CLOSEST) {
+ if (ads->config.server_flags & NBT_SERVER_CLOSEST) {
DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n"));
return True;
}
@@ -344,7 +344,7 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
sitename_store(cldap_reply->dns_domain, cldap_reply->client_site);
/* Leave this until last so that the flags are not clobbered */
- ads->config.flags = cldap_reply->server_type;
+ ads->config.server_flags = cldap_reply->server_type;
ret = true;
@@ -379,7 +379,8 @@ static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
ok = ads_cldap_netlogon_5(frame,
ss,
ads->server.realm,
- ads->config.flags | DS_ONLY_LDAP_NEEDED,
+ ads->config.required_flags |
+ DS_ONLY_LDAP_NEEDED,
&cldap_reply);
if (!ok) {
DBG_NOTICE("ads_cldap_netlogon_5(%s, %s) failed.\n",
@@ -491,20 +492,21 @@ again:
return status;
}
- status = netlogon_pings(frame, /* mem_ctx */
- lp_client_netlogon_ping_protocol(), /* proto */
- ts_list, /* servers */
- num_requests, /* num_servers */
- (struct netlogon_ping_filter){
- .ntversion = nt_version,
- .domain = ads->server.realm,
- .acct_ctrl = -1,
- .required_flags = ads->config.flags |
- DS_ONLY_LDAP_NEEDED,
- },
- 1, /* wanted_servers */
- endtime, /* timeout */
- &responses);
+ status = netlogon_pings(
+ frame, /* mem_ctx */
+ lp_client_netlogon_ping_protocol(), /* proto */
+ ts_list, /* servers */
+ num_requests, /* num_servers */
+ (struct netlogon_ping_filter){
+ .ntversion = nt_version,
+ .domain = ads->server.realm,
+ .acct_ctrl = -1,
+ .required_flags = ads->config.required_flags |
+ DS_ONLY_LDAP_NEEDED,
+ },
+ 1, /* wanted_servers */
+ endtime, /* timeout */
+ &responses);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("netlogon_pings(realm=%s, num_requests=%zu) "
"for count[%zu] - %s\n",
@@ -1265,6 +1267,7 @@ void ads_disconnect(ADS_STRUCT *ads)
if (ads->ldap_wrap_data.mem_ctx) {
talloc_free(ads->ldap_wrap_data.mem_ctx);
}
+ ads->config.server_flags = 0;
ads_zero_ldap(ads);
ZERO_STRUCT(ads->ldap_tls_data);
ZERO_STRUCT(ads->ldap_wrap_data);
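Review bot: The new reset "ads->config.server_flags = 0;" in ads_disconnect() has no comment, while the identical reset in ads_current_time() and ads_domain_func_level() carries one explaining the stale CLDAP reply. Suggest a one-line comment here as well, and have it say explicitly that required_flags is left untouched on purpose, because this hunk clears only one of the two new fields and a later reader cannot tell whether the caller's DS_* request is meant to survive a disconnect.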
@@ -3731,10 +3734,10 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
}
/*
- * Reset ads->config.flags as it can contain the flags
+ * Reset flags as it can contain the flags
* returned by the previous CLDAP ping when reusing the struct.
*/
- ads_s->config.flags = 0;
+ ads_s->config.server_flags = 0;
status = ads_connect_simple_anon(ads_s);
if ( !ADS_ERR_OK(status))
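Review bot: The reworded comment "Reset flags as it can contain the flags" is now less precise than the line it replaces: after the split there are two flag fields, and the comment no longer says which one. Suggest naming the field, for example "Reset ads->config.server_flags as it can contain the flags returned by the previous CLDAP ping", so it matches the assignment directly below it.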
@@ -3820,10 +3823,10 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads,
uint32_t *val)
}
/*
- * Reset ads->config.flags as it can contain the flags
+ * Reset flags as it can contain the flags
* returned by the previous CLDAP ping when reusing the struct.
*/
- ads_s->config.flags = 0;
+ ads_s->config.server_flags = 0;
status = ads_connect_simple_anon(ads_s);
if ( !ADS_ERR_OK(status))
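Review bot: This is the second copy of the same comment and "ads_s->config.server_flags = 0;" reset ahead of ads_connect_simple_anon(ads_s), and ads_disconnect() now performs the reset too. Three open-coded copies are easy to miss the next time a field is added to the config struct; consider a small helper that clears the per-connection reply state and call it from all three places.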
diff --git a/source3/librpc/idl/ads.idl b/source3/librpc/idl/ads.idl
index 381447a1a29..20941e90346 100644
--- a/source3/librpc/idl/ads.idl
+++ b/source3/librpc/idl/ads.idl
@@ -6,6 +6,7 @@
*/
import "nbt.idl";
+import "netlogon.idl";
cpp_quote("#include <system/network.h>")
@@ -51,7 +52,8 @@ interface ads
} ads_auth;
typedef [nopull,nopush] struct {
- nbt_server_type flags; /* cldap flags identifying the services.
*/
+ nbt_server_type server_flags; /* NBT_* cldap flags identifying
the services. */
+ netr_DsRGetDCName_flags required_flags; /* DS_* - Netlogon
flags */
string workgroup;
string realm;
string bind_path;
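Review bot: The commit message announces "uint32 required_flags" but the struct here declares it as netr_DsRGetDCName_flags, which is the better choice because the IDL type now documents the DS_* namespace. Worth aligning the commit text with the code in master, and since the old member name flags disappears, any remaining user of ads->config.flags fails to compile, which is the desired audit trigger; please confirm no user outside the files in this changeset was converted to the wrong field.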
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index 83236e3474c..b7b12ecb6f6 100644
--- a/source3/libsmb/namequery_dc.c
+++ b/source3/libsmb/namequery_dc.c
@@ -109,7 +109,9 @@ static bool ads_dc_name(const char *domain,
}
#ifdef HAVE_ADS
- if (is_our_primary_domain(domain) && (ads->config.flags &
NBT_SERVER_KDC)) {
+ if (is_our_primary_domain(domain) &&
+ (ads->config.server_flags & NBT_SERVER_KDC))
+ {
if (ads_closest_dc(ads)) {
/* We're going to use this KDC for this
realm/domain.
If we are using sites, then force the krb5
libs
diff --git a/source3/printing/printing.c b/source3/printing/printing.c
index a9e8422efab..bcfd893456b 100644
--- a/source3/printing/printing.c
+++ b/source3/printing/printing.c
@@ -59,6 +59,7 @@ static int fetch_share_cache_time(const char *key_name,
time_t *curr_time)
{
char *key = NULL;
+ int64_t curr_time64 = -1;
key = talloc_asprintf(NULL, "%s/%s", key_name, sharename);
if (key == NULL) {
@@ -66,11 +67,12 @@ static int fetch_share_cache_time(const char *key_name,
return -1;
}
- if (tdb_fetch_int64(tdb, key, curr_time) != 0) {
+ if (tdb_fetch_int64(tdb, key, &curr_time64) != 0) {
DBG_ERR("No timing record found for[%s]!\n", sharename);
TALLOC_FREE(key);
return -1;
}
+ *curr_time = curr_time64;
TALLOC_FREE(key);
return 0;
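Review bot: The assignment "*curr_time = curr_time64;" narrows an int64_t into time_t with no range check, and the build this fix targets is exactly the one where time_t is 32 bits. A record holding a value outside the 32-bit range would be truncated silently and then compared against the current time by the caller. Suggest rejecting values that do not round-trip (compare (int64_t)(time_t)curr_time64 with curr_time64) and returning -1 with a DBG_ERR in that case.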
@@ -82,6 +84,7 @@ static int update_share_cache_time(const char *key_name,
time_t curr_time)
{
char *key = NULL;
+ int64_t curr_time64 = curr_time;
key = talloc_asprintf(NULL, "%s/%s", key_name, sharename);
if (key == NULL) {
@@ -89,7 +92,7 @@ static int update_share_cache_time(const char *key_name,
return -1;
}
- if (tdb_store_int64(tdb, key, (int64_t)curr_time) != 0) {
+ if (tdb_store_int64(tdb, key, curr_time64) != 0) {
DBG_ERR("Unable to update print cache for %s\n", sharename);
TALLOC_FREE(key);
return -1;
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index d3b48a74131..e49c72dc332 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1053,7 +1053,7 @@ static bool dcip_check_name_ads(const struct
winbindd_domain *domain,
ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto out;
}
- ads->config.flags |= request_flags;
+ ads->config.required_flags |= request_flags;
ads->server.no_fallback = true;
ads_status = ads_connect_cldap_only(ads);
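Review bot: With a dedicated field, "ads->config.required_flags |= request_flags;" no longer needs the OR: the NT_STATUS_NO_MEMORY path just above suggests the struct was only just allocated, so nothing should be in required_flags yet. A plain assignment would state the intent and would not silently keep bits if this code is ever changed to reuse a cached struct, which is the situation that produced bug 15972.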
@@ -1069,9 +1069,9 @@ static bool dcip_check_name_ads(const struct
winbindd_domain *domain,
}
namecache_store(name, 0x20, 1, sa);
- DBG_DEBUG("CLDAP flags = 0x%"PRIx32"\n", ads->config.flags);
+ DBG_DEBUG("CLDAP flags = 0x%" PRIx32 "\n", ads->config.server_flags);
- if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
+ if (domain->primary && (ads->config.server_flags & NBT_SERVER_KDC)) {
if (ads_closest_dc(ads)) {
char *sitename = sitename_fetch(tmp_ctx,
ads->config.realm);
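Review bot: The debug line still reads "CLDAP flags = 0x..." although it now prints only server_flags. Suggest renaming the label to "CLDAP server_flags" and logging required_flags next to it, so that a log taken at this level shows both namespaces side by side and a mismatch between what was requested and what the DC reported is visible without a debugger.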
--
Samba Shared Repository
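
The failure chain described in the two libads commit messages above, reduced to a small model. This is an added example, not Samba code: the structs and function names are hypothetical, `reply_satisfies()` is a simplified stand-in for check_cldap_reply_required_flags(), and the values of NBT_SERVER_PDC, NBT_SERVER_LDAP and DS_ONLY_LDAP_NEEDED are assumptions not shown in this mail.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* The two colliding values quoted in the commit messages. */
#define NBT_SERVER_CLOSEST  0x00000080u /* reply: DC is in the closest site */
#define DS_PDC_REQUIRED     0x00000080u /* request: only a PDC is acceptable */
#define NBT_SERVER_PDC      0x00000001u /* assumed value */
#define NBT_SERVER_LDAP     0x00000008u /* assumed value */
#define DS_ONLY_LDAP_NEEDED 0x00008000u /* assumed value */

/* Hypothetical models of the config struct before and after the split. */
struct cfg_overloaded { uint32_t flags; };
struct cfg_split { uint32_t server_flags; uint32_t required_flags; };

/* Simplified stand-in for check_cldap_reply_required_flags(). */
static bool reply_satisfies(uint32_t reply_nbt, uint32_t required_ds)
{
    if ((required_ds & DS_PDC_REQUIRED) && !(reply_nbt & NBT_SERVER_PDC))
        return false;
    if ((required_ds & DS_ONLY_LDAP_NEEDED) && !(reply_nbt & NBT_SERVER_LDAP))
        return false;
    return true;
}

/* Old layout: the previous reply's bits are replayed as requirements. */
static bool reconnect_overloaded(struct cfg_overloaded *c, uint32_t new_reply)
{
    bool ok = reply_satisfies(new_reply, c->flags | DS_ONLY_LDAP_NEEDED);
    if (ok) c->flags = new_reply;
    return ok;
}

/* Split layout: stale reply bits can never turn into requirements. */
static bool reconnect_split(struct cfg_split *c, uint32_t new_reply)
{
    bool ok = reply_satisfies(new_reply, c->required_flags | DS_ONLY_LDAP_NEEDED);
    if (ok) c->server_flags = new_reply;
    return ok;
}

int main(void)
{
    uint32_t stale = NBT_SERVER_LDAP | NBT_SERVER_CLOSEST; /* constructed old reply */
    struct cfg_overloaded a = { .flags = stale };
    struct cfg_split b = { .server_flags = stale, .required_flags = 0 };
    /* The newly found DC offers LDAP but is not the PDC. */
    printf("overloaded=%d split=%d\n", reconnect_overloaded(&a, NBT_SERVER_LDAP),
           reconnect_split(&b, NBT_SERVER_LDAP));
    return 0;
}
```

With the single field, the cached NBT_SERVER_CLOSEST bit is read back as DS_PDC_REQUIRED and a healthy non-PDC DC is rejected; with separate fields the same reconnect succeeds.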