The branch, v4-23-stable has been updated
via 028df22e46c VERSION: Disable GIT_SNAPSHOT for the upcoming release.
via c66fb7bd54f Add release notes for Samba 4.23.5
via 573959f753e s3:libads: Separate use of ads->config.flags for NBT_*
and DS_* values
via 1652a10806c s3:libads: Reset ads->config.flags in ads_disconnect()
via 36f0300cda5 s3:winbindd fix race condition in terminate_child
via 5085b8c1d66 s4/dlz: add support for bind 9.20
via 8b9278941c8 vfs_ceph_new: use vfs_ceph_iget/vfs_ceph_iput in
vfs_ceph_disk_free
via 5b31a12de43 mdssvc: make a copy of the elasticsearch:default_fields
via 7216b8850c8 VERSION: Bump version up to Samba 4.23.5...
from 75b4f6a0a66 VERSION: Disable GIT_SNAPSHOT for the 4.23.4 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-23-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 51 +++++++++++++++++++++++++++++++++--
python/samba/provision/sambadns.py | 3 ++-
source3/libads/ldap.c | 45 ++++++++++++++++---------------
source3/librpc/idl/ads.idl | 4 ++-
source3/libsmb/namequery_dc.c | 4 ++-
source3/modules/vfs_ceph_new.c | 19 ++++++-------
source3/rpc_server/mdssvc/mdssvc_es.c | 10 ++++---
source3/winbindd/winbindd_cm.c | 6 ++---
source3/winbindd/winbindd_util.c | 2 +-
source4/setup/named.conf.dlz | 4 +--
11 files changed, 102 insertions(+), 48 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 7cdbe01b232..a31143ecba3 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the
Samba Team 1992-2025"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=23
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 1eab9c17ce7..0b8d0adc5e3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,51 @@
+ ==============================
+ Release Notes for Samba 4.23.5
+ January 23, 2026
+ ==============================
+
+
+This is the latest stable release of the Samba 4.23 release series.
+
+
+Changes since 4.23.4
+--------------------
+
+o Ralph Boehme <[email protected]>
+ * BUG 15959: New Spotlight default search field incorrectly initialized
+
+o Pavel Filipenský <[email protected]>
+ * BUG 15972: Winbind group resolution failure
+
+o Gary Lockyer <[email protected]>
+ * BUG 15937: winbindd crashes with Bad talloc magic value - unknown value
+
+o Michael Tokarev <[email protected]>
+ * BUG 15790: Bind dlz 9.20
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.23.4
December 12, 2025
@@ -54,8 +102,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.23.3
November 07, 2025
diff --git a/python/samba/provision/sambadns.py
b/python/samba/provision/sambadns.py
index 952e875c862..a3515bbe37b 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -1030,7 +1030,8 @@ def create_named_conf(paths, realm, dnsdomain,
dns_backend, logger):
bind9_14 = ''
elif bind_info.upper().find('BIND 9.16') != -1:
bind9_16 = ''
- elif bind_info.upper().find('BIND 9.18') != -1:
+ elif bind_info.upper().find('BIND 9.18') != -1 \
+ or bind_info.upper().find('BIND 9.20') != -1:
bind9_18 = ''
elif bind_info.upper().find('BIND 9.7') != -1:
raise ProvisioningError("DLZ option incompatible with BIND 9.7.")
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 49fa1d47298..ac57489d1eb 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -237,7 +237,7 @@ bool ads_sitename_match(ADS_STRUCT *ads)
bool ads_closest_dc(ADS_STRUCT *ads)
{
- if (ads->config.flags & NBT_SERVER_CLOSEST) {
+ if (ads->config.server_flags & NBT_SERVER_CLOSEST) {
DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n"));
return True;
}
@@ -344,7 +344,7 @@ static bool ads_fill_cldap_reply(ADS_STRUCT *ads,
sitename_store(cldap_reply->dns_domain, cldap_reply->client_site);
/* Leave this until last so that the flags are not clobbered */
- ads->config.flags = cldap_reply->server_type;
+ ads->config.server_flags = cldap_reply->server_type;
ret = true;
@@ -379,7 +379,8 @@ static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
ok = ads_cldap_netlogon_5(frame,
ss,
ads->server.realm,
- ads->config.flags | DS_ONLY_LDAP_NEEDED,
+ ads->config.required_flags |
+ DS_ONLY_LDAP_NEEDED,
&cldap_reply);
if (!ok) {
DBG_NOTICE("ads_cldap_netlogon_5(%s, %s) failed.\n",
@@ -490,20 +491,21 @@ again:
return status;
}
- status = netlogon_pings(frame, /* mem_ctx */
- lp_client_netlogon_ping_protocol(), /* proto */
- ts_list, /* servers */
- num_requests, /* num_servers */
- (struct netlogon_ping_filter){
- .ntversion = nt_version,
- .domain = ads->server.realm,
- .acct_ctrl = -1,
- .required_flags = ads->config.flags |
- DS_ONLY_LDAP_NEEDED,
- },
- 1, /* wanted_servers */
- endtime, /* timeout */
- &responses);
+ status = netlogon_pings(
+ frame, /* mem_ctx */
+ lp_client_netlogon_ping_protocol(), /* proto */
+ ts_list, /* servers */
+ num_requests, /* num_servers */
+ (struct netlogon_ping_filter){
+ .ntversion = nt_version,
+ .domain = ads->server.realm,
+ .acct_ctrl = -1,
+ .required_flags = ads->config.required_flags |
+ DS_ONLY_LDAP_NEEDED,
+ },
+ 1, /* wanted_servers */
+ endtime, /* timeout */
+ &responses);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("netlogon_pings(realm=%s, num_requests=%zu) "
"for count[%zu] - %s\n",
@@ -1261,6 +1263,7 @@ void ads_disconnect(ADS_STRUCT *ads)
if (ads->ldap_wrap_data.mem_ctx) {
talloc_free(ads->ldap_wrap_data.mem_ctx);
}
+ ads->config.server_flags = 0;
ads_zero_ldap(ads);
ZERO_STRUCT(ads->ldap_tls_data);
ZERO_STRUCT(ads->ldap_wrap_data);
@@ -3725,10 +3728,10 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
}
/*
- * Reset ads->config.flags as it can contain the flags
+ * Reset flags as it can contain the flags
* returned by the previous CLDAP ping when reusing the struct.
*/
- ads_s->config.flags = 0;
+ ads_s->config.server_flags = 0;
status = ads_connect_simple_anon(ads_s);
if ( !ADS_ERR_OK(status))
@@ -3814,10 +3817,10 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads,
uint32_t *val)
}
/*
- * Reset ads->config.flags as it can contain the flags
+ * Reset flags as it can contain the flags
* returned by the previous CLDAP ping when reusing the struct.
*/
- ads_s->config.flags = 0;
+ ads_s->config.server_flags = 0;
status = ads_connect_simple_anon(ads_s);
if ( !ADS_ERR_OK(status))
diff --git a/source3/librpc/idl/ads.idl b/source3/librpc/idl/ads.idl
index 381447a1a29..20941e90346 100644
--- a/source3/librpc/idl/ads.idl
+++ b/source3/librpc/idl/ads.idl
@@ -6,6 +6,7 @@
*/
import "nbt.idl";
+import "netlogon.idl";
cpp_quote("#include <system/network.h>")
@@ -51,7 +52,8 @@ interface ads
} ads_auth;
typedef [nopull,nopush] struct {
- nbt_server_type flags; /* cldap flags identifying the services.
*/
+ nbt_server_type server_flags; /* NBT_* cldap flags identifying
the services. */
+ netr_DsRGetDCName_flags required_flags; /* DS_* - Netlogon
flags */
string workgroup;
string realm;
string bind_path;
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index 3a2f22129b8..3d771d77b8d 100644
--- a/source3/libsmb/namequery_dc.c
+++ b/source3/libsmb/namequery_dc.c
@@ -109,7 +109,9 @@ static bool ads_dc_name(const char *domain,
}
#ifdef HAVE_ADS
- if (is_our_primary_domain(domain) && (ads->config.flags &
NBT_SERVER_KDC)) {
+ if (is_our_primary_domain(domain) &&
+ (ads->config.server_flags & NBT_SERVER_KDC))
+ {
if (ads_closest_dc(ads)) {
/* We're going to use this KDC for this
realm/domain.
If we are using sites, then force the krb5
libs
diff --git a/source3/modules/vfs_ceph_new.c b/source3/modules/vfs_ceph_new.c
index 3cd7cb8cb4e..6ea8e56c155 100644
--- a/source3/modules/vfs_ceph_new.c
+++ b/source3/modules/vfs_ceph_new.c
@@ -872,13 +872,14 @@ static int vfs_ceph_ll_statfs(const struct
vfs_handle_struct *handle,
struct statvfs *stbuf)
{
struct vfs_ceph_config *config = NULL;
+ int ret = -1;
SMB_VFS_HANDLE_GET_DATA(handle, config, struct vfs_ceph_config,
return -ENOMEM);
- DBG_DEBUG("[CEPH] ceph_ll_statfs: ino=%" PRIu64 "\n", iref->ino);
-
- return config->ceph_ll_statfs_fn(config->mount, iref->inode, stbuf);
+ ret = config->ceph_ll_statfs_fn(config->mount, iref->inode, stbuf);
+ DBG_DEBUG("[CEPH] ceph_ll_statfs: ino=%" PRIu64 " ret=%d\n", iref->ino,
ret);
+ return ret;
}
static int vfs_ceph_ll_getattr2(const struct vfs_handle_struct *handle,
@@ -2034,25 +2035,21 @@ static uint64_t vfs_ceph_disk_free(struct
vfs_handle_struct *handle,
uint64_t *dsize)
{
struct statvfs statvfs_buf = { 0 };
- struct Inode *inode = NULL;
int ret;
struct vfs_ceph_config *config = NULL;
+ struct vfs_ceph_iref iref = {0};
SMB_VFS_HANDLE_GET_DATA(handle, config, struct vfs_ceph_config,
return -ENOMEM);
- ret = config->ceph_ll_lookup_root_fn(config->mount, &inode);
+ ret = vfs_ceph_iget(handle, smb_fname->base_name, 0, &iref);
if (ret != 0) {
- DBG_DEBUG("[CEPH] disk_free: ceph_ll_lookup_root returned
ret=%d\n",
- ret);
errno = -ret;
return (uint64_t)(-1);
}
- ret = config->ceph_ll_statfs_fn(config->mount, inode, &statvfs_buf);
- config->ceph_ll_put_fn(config->mount, inode);
+ ret = vfs_ceph_ll_statfs(handle, &iref, &statvfs_buf);
+ vfs_ceph_iput(handle, &iref);
if (ret != 0) {
- DBG_DEBUG("[CEPH] disk_free: ceph_ll_statfs returned ino=%p"
- " ret=%d\n", inode, ret);
errno = -ret;
return (uint64_t)(-1);
}
diff --git a/source3/rpc_server/mdssvc/mdssvc_es.c
b/source3/rpc_server/mdssvc/mdssvc_es.c
index eb19d5fdc4a..59f91271e59 100644
--- a/source3/rpc_server/mdssvc/mdssvc_es.c
+++ b/source3/rpc_server/mdssvc/mdssvc_es.c
@@ -108,10 +108,12 @@ static bool mdssvc_es_init(struct mdssvc_ctx *mdssvc_ctx)
}
TALLOC_FREE(default_path);
- mdssvc_es_ctx->default_fields =
lp_parm_const_string(GLOBAL_SECTION_SNUM,
- "elasticsearch",
- "default_fields",
- default_fields);
+ default_fields = lp_parm_const_string(GLOBAL_SECTION_SNUM,
+ "elasticsearch",
+ "default_fields",
+ default_fields);
+ mdssvc_es_ctx->default_fields = talloc_strdup(mdssvc_es_ctx,
+ default_fields);
if (mdssvc_es_ctx->default_fields == NULL) {
TALLOC_FREE(mdssvc_es_ctx);
return false;
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 3963881ca45..6e11461e07e 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1051,7 +1051,7 @@ static bool dcip_check_name_ads(const struct
winbindd_domain *domain,
ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
goto out;
}
- ads->config.flags |= request_flags;
+ ads->config.required_flags |= request_flags;
ads->server.no_fallback = true;
ads_status = ads_connect_cldap_only(ads);
@@ -1067,9 +1067,9 @@ static bool dcip_check_name_ads(const struct
winbindd_domain *domain,
}
namecache_store(name, 0x20, 1, sa);
- DBG_DEBUG("CLDAP flags = 0x%"PRIx32"\n", ads->config.flags);
+ DBG_DEBUG("CLDAP flags = 0x%" PRIx32 "\n", ads->config.server_flags);
- if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) {
+ if (domain->primary && (ads->config.server_flags & NBT_SERVER_KDC)) {
if (ads_closest_dc(ads)) {
char *sitename = sitename_fetch(tmp_ctx,
ads->config.realm);
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 3c991425dd9..566794b86a0 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -971,13 +971,13 @@ static void terminate_child(struct tevent_req *subreq)
TALLOC_FREE(subreq);
if (c->pid != 0) {
+ TALLOC_FREE(c->monitor_fde);
kill(c->pid, SIGTERM);
c->pid = 0;
if (c->sock != -1) {
close(c->sock);
}
c->sock = -1;
- TALLOC_FREE(c->monitor_fde);
}
c = NULL;
diff --git a/source4/setup/named.conf.dlz b/source4/setup/named.conf.dlz
index cbe7d805f58..9753cdc503b 100644
--- a/source4/setup/named.conf.dlz
+++ b/source4/setup/named.conf.dlz
@@ -30,8 +30,8 @@ dlz "AD DNS Zone" {
# For BIND 9.16.x
${BIND9_16} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_16.so";
- #
- # For BIND 9.18.x
+
+ # For BIND 9.18.x and 9.20.x
${BIND9_18} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_18.so";
};
--
Samba Shared Repository
