Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:samba User: [email protected] Usertags: pu
[ Reason ] There are two upstream stable/bugfix has been released, with a number of bug fixes in various places. Besides that, there's a minor packaging bugs were fixed: #1048754 (fails to build twice in a row due to missing cleanup), [ Tests ] This release is used in our environment in production, with no regressions but with certain improvements (some bugs fixed in this release affected us too). Also this release has been tested by numerous users of my private (like a PPA) samba repository, which builds samba binaries for several debian/ubuntu releases from the debian sources (http://www.corpit.ru/mjt/packages/samba/). [ Risks ] This is samba stable series, and samba is known for its stability within stable series. I see no risks updating samba to the latest upstream version. The diffstat might look large(ish): 43 files changed, 709 insertions(+), 226 deletions(-) but each change is rather small and understandable. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] See the debian/changelog below. Each change links to an upstream bug report explaining what's being fixed. [ Other info ] It might be better to review individual upstream commits in the samba git repository on salsa, see https://salsa.debian.org/samba-team/samba/-/commits/upstream/4.22.8+dfsg and up to 4.22.6 (currently on trixie). There are two changes which were initially in Debian but are now included in the upstream release, - support for bind version 9.20 and reverting the use of hexchars in libldb. This also adds to the debdiff, - since the same changes are now in the upstream tarball, not in the debian/patches dir. Thanks, /mjt diff -Nru samba-4.22.6+dfsg/debian/changelog samba-4.22.8+dfsg/debian/changelog --- samba-4.22.6+dfsg/debian/changelog 2025-10-16 19:19:45.000000000 +0300 +++ samba-4.22.8+dfsg/debian/changelog 2026-02-19 15:17:34.000000000 +0300 @@ -1,3 +1,60 @@ +samba (2:4.22.8+dfsg-0+deb13u1) trixie; urgency=medium + + * new upstream stable/bugfix release: + - https://bugzilla.samba.org/show_bug.cgi?id=15790: + Bind dlz 9.20 + - https://bugzilla.samba.org/show_bug.cgi?id=15959: + New Spotlight default search field incorrectly initialized + - https://bugzilla.samba.org/show_bug.cgi?id=15964: + "net offlinejoin requestodj" manpage entry incorrectly mentiones + provided credentials + - https://bugzilla.samba.org/show_bug.cgi?id=15972: + Winbind group resolution failure + - https://bugzilla.samba.org/show_bug.cgi?id=15977: + ctdbd socket documentation is wrong + - https://bugzilla.samba.org/show_bug.cgi?id=15979: + possible memory leak on rpc_spoolss + - https://bugzilla.samba.org/show_bug.cgi?id=15984: + smbd: in contend_dirleases() don't bother checking when not enabled + * add-support-for-bind-9.20.patch: remove (now applied upstream) + * d/clean: also remove python/samba/provision/kerberos_implementation.py + (Closes: #1048754) + + -- Michael Tokarev <[email protected]> Thu, 19 Feb 2026 15:17:34 +0300 + +samba (2:4.22.7+dfsg-0+deb13u1) trixie; urgency=medium + + * new upstream stable/bugfix release: + - https://bugzilla.samba.org/show_bug.cgi?id=15809: + samba-bgqd: rework man page + - https://bugzilla.samba.org/show_bug.cgi?id=15897: + Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/') + in vfswrap_openat + - https://bugzilla.samba.org/show_bug.cgi?id=15926: + Samba 4.22 breaks Time Machine + - https://bugzilla.samba.org/show_bug.cgi?id=15930: + Searching for numbers doesn't work with Spotlight + - https://bugzilla.samba.org/show_bug.cgi?id=15935: + Crash in ctdbd on failed updateip + - https://bugzilla.samba.org/show_bug.cgi?id=15936: + samba-bgqd can't find [printers] share + - https://bugzilla.samba.org/show_bug.cgi?id=15940: + vfs_recycle does not update mtime + - https://bugzilla.samba.org/show_bug.cgi?id=15947: + mdssvc doesn't support $time.iso dates before 1970 + - https://bugzilla.samba.org/show_bug.cgi?id=15950: + ctdb can crash with inconsistent cluster lock configuration + - https://bugzilla.samba.org/show_bug.cgi?id=15955: + Winbind can hang forever in gssapi if there are network issues + - https://bugzilla.samba.org/show_bug.cgi?id=15961: + libldb requires linking libreplace on Linux + - https://bugzilla.samba.org/show_bug.cgi?id=15963: + Fix winbind cache consistency + * revert-ldb-use-hexchars_upper-from-replace.h.patch: remove + (now applied by upstream) + + -- Michael Tokarev <[email protected]> Thu, 18 Dec 2025 22:13:42 +0300 + samba (2:4.22.6+dfsg-0+deb13u1) trixie; urgency=medium * new upstream stable/security release: diff -Nru samba-4.22.6+dfsg/debian/clean samba-4.22.8+dfsg/debian/clean --- samba-4.22.6+dfsg/debian/clean 2025-10-16 11:31:54.000000000 +0300 +++ samba-4.22.8+dfsg/debian/clean 2026-02-19 14:59:08.000000000 +0300 @@ -7,3 +7,4 @@ third_party/waf/waflib/__pycache__/ third_party/waf/waflib/extras/__pycache__/ third_party/waf/waflib/Tools/__pycache__/ +python/samba/provision/kerberos_implementation.py diff -Nru samba-4.22.6+dfsg/debian/patches/add-support-for-bind-9.20.patch samba-4.22.8+dfsg/debian/patches/add-support-for-bind-9.20.patch --- samba-4.22.6+dfsg/debian/patches/add-support-for-bind-9.20.patch 2025-10-16 11:31:54.000000000 +0300 +++ samba-4.22.8+dfsg/debian/patches/add-support-for-bind-9.20.patch 1970-01-01 03:00:00.000000000 +0300 @@ -1,55 +0,0 @@ -From: Michael Tokarev <[email protected]> -Date: Tue, 3 Jun 2025 09:41:57 +0300 -Subject: s4/dlz: add support for bind 9.20 -Forwarded: yes, https://gitlab.com/samba-team/samba/-/merge_requests/4067 -Bug-Debian: https://bugs.debian.org/1107139 - -bind dlz interface does not change much, yet we build -dlz_bind9_NN for every bind9 version NN we support - -despite many of them differ only in soversion, with -the code being identical. - -For bind9_20, use dlz_bind9_18.so which we already have. - -It'd be nice to extract actual bind9 version string in -sambadns.py and use it in more direct way. - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=15790 -Signed-off-by: Michael Tokarev <[email protected]> ---- - python/samba/provision/sambadns.py | 3 ++- - source4/setup/named.conf.dlz | 4 ++-- - 2 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py -index 952e875c862..a3515bbe37b 100644 ---- a/python/samba/provision/sambadns.py -+++ b/python/samba/provision/sambadns.py -@@ -1030,7 +1030,8 @@ def create_named_conf(paths, realm, dnsdomain, dns_backend, logger): - bind9_14 = '' - elif bind_info.upper().find('BIND 9.16') != -1: - bind9_16 = '' -- elif bind_info.upper().find('BIND 9.18') != -1: -+ elif bind_info.upper().find('BIND 9.18') != -1 \ -+ or bind_info.upper().find('BIND 9.20') != -1: - bind9_18 = '' - elif bind_info.upper().find('BIND 9.7') != -1: - raise ProvisioningError("DLZ option incompatible with BIND 9.7.") -diff --git a/source4/setup/named.conf.dlz b/source4/setup/named.conf.dlz -index cbe7d805f58..9753cdc503b 100644 ---- a/source4/setup/named.conf.dlz -+++ b/source4/setup/named.conf.dlz -@@ -30,8 +30,8 @@ dlz "AD DNS Zone" { - - # For BIND 9.16.x - ${BIND9_16} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_16.so"; -- # -- # For BIND 9.18.x -+ -+ # For BIND 9.18.x and 9.20.x - ${BIND9_18} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_18.so"; - }; - --- -2.39.5 - diff -Nru samba-4.22.6+dfsg/debian/patches/revert-ldb-use-hexchars_upper-from-replace.h.patch samba-4.22.8+dfsg/debian/patches/revert-ldb-use-hexchars_upper-from-replace.h.patch --- samba-4.22.6+dfsg/debian/patches/revert-ldb-use-hexchars_upper-from-replace.h.patch 2025-10-16 11:31:54.000000000 +0300 +++ samba-4.22.8+dfsg/debian/patches/revert-ldb-use-hexchars_upper-from-replace.h.patch 1970-01-01 03:00:00.000000000 +0300 @@ -1,36 +0,0 @@ -From: Michael Tokarev <[email protected]> -Date: Thu, 6 Feb 2025 18:11:02 +0300 -Subject: Revert "ldb: User hexchars_upper from replace.h" -Forwarded: not-needed -Debian-Specific: yes - -This reverts commit 542cf01bfe530a83dfbc8a606d182c0a5a622059. - -This commit switched ldb code to use hexchars_upper from libreplace, -introducing circular dependency between libraries. Restore the status-quo. - ---- - lib/ldb/common/ldb_dn.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c -index 5b8c0f4f580..1321f0d8420 100644 ---- a/lib/ldb/common/ldb_dn.c -+++ b/lib/ldb/common/ldb_dn.c -@@ -232,10 +232,11 @@ static int ldb_dn_escape_internal(char *dst, const char *src, int len) - case '\0': { - /* any others get \XX form */ - unsigned char v; -+ const char *hexbytes = "0123456789ABCDEF"; - v = (const unsigned char)c; - *d++ = '\\'; -- *d++ = hexchars_upper[v>>4]; -- *d++ = hexchars_upper[v&0xF]; -+ *d++ = hexbytes[v>>4]; -+ *d++ = hexbytes[v&0xF]; - break; - } - default: --- -2.39.5 - diff -Nru samba-4.22.6+dfsg/debian/patches/series samba-4.22.8+dfsg/debian/patches/series --- samba-4.22.6+dfsg/debian/patches/series 2025-10-16 19:19:45.000000000 +0300 +++ samba-4.22.8+dfsg/debian/patches/series 2026-02-19 15:17:34.000000000 +0300 @@ -21,6 +21,4 @@ meaningful-error-if-no-samba-ad-provision.patch meaningful-error-if-no-python3-markdown.patch ctdb-use-run-instead-of-var-run.patch -revert-ldb-use-hexchars_upper-from-replace.h.patch replace-xpg-strerror.patch -add-support-for-bind-9.20.patch diff -Nru samba-4.22.6+dfsg/VERSION samba-4.22.8+dfsg/VERSION --- samba-4.22.6+dfsg/VERSION 2025-10-16 17:34:01.621333100 +0300 +++ samba-4.22.8+dfsg/VERSION 2026-02-19 12:46:34.625000500 +0300 @@ -27,7 +27,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=22 -SAMBA_VERSION_RELEASE=6 +SAMBA_VERSION_RELEASE=8 ######################################################## # If a official release has a serious bug # @@ -101,7 +101,7 @@ # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # ######################################################## -SAMBA_VERSION_IS_GIT_SNAPSHOT=no +SAMBA_VERSION_IS_GIT_SNAPSHOT=no ######################################################## # This is for specifying a release nickname # diff -Nru samba-4.22.6+dfsg/WHATSNEW.txt samba-4.22.8+dfsg/WHATSNEW.txt --- samba-4.22.6+dfsg/WHATSNEW.txt 2025-10-16 17:34:01.621333100 +0300 +++ samba-4.22.8+dfsg/WHATSNEW.txt 2026-02-19 12:46:34.625000500 +0300 @@ -1,4 +1,128 @@ ============================== + Release Notes for Samba 4.22.8 + February 19, 2026 + ============================== + + +This is the latest stable release of the Samba 4.22 release series. + + +Changes since 4.22.7 +-------------------- + +o Ralph Boehme <[email protected]> + * BUG 15959: New Spotlight default search field incorrectly initialized + * BUG 15984: smbd: in contend_dirleases() don't bother checking when not + enabled + +o Samuel Cabrero <[email protected]> + * BUG 15979: possible memory leak on rpc_spoolss + +o Günther Deschner <[email protected]> + * BUG 15964: "net offlinejoin requestodj" manpage entry incorrectly mentiones + provided credentials + +o Pavel Filipenský <[email protected]> + * BUG 15972: Winbind group resolution failure + +o Noel Power <[email protected]> + * BUG 15979: possible memory leak on rpc_spoolss + +o Martin Schwenke <[email protected]> + * BUG 15977: ctdbd socket documentation is wrong + +o Michael Tokarev <[email protected]> + * BUG 15790: Bind dlz 9.20 + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + ============================== + Release Notes for Samba 4.22.7 + December 18, 2025 + ============================== + + +This is the latest stable release of the Samba 4.22 release series. + + +Changes since 4.22.6 +-------------------- + +o Ralph Boehme <[email protected]> + * BUG 15926: Samba 4.22 breaks Time Machine + * BUG 15930: Searching for numbers doesn't work with Spotlight + * BUG 15947: mdssvc doesn't support $time.iso dates before 1970 + +o Günther Deschner <[email protected]> + * BUG 15963: Fix winbind cache consistency + +o Pavel Filipenský <[email protected]> + * BUG 15940: vfs_recycle does not update mtime + +o Volker Lendecke <[email protected]> + * BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/') + in vfswrap_openat + * BUG 15950: ctdb can crash with inconsistent cluster lock configuration + +o Anoop C S <[email protected]> + * BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/') + in vfswrap_openat + +o Andreas Schneider <[email protected]> + * BUG 15809: samba-bgqd: rework man page + * BUG 15936: samba-bgqd can't find [printers] share + * BUG 15955: Winbind can hang forever in gssapi if there are network issues. + * BUG 15961: libldb requires linking libreplace on Linux + +o Martin Schwenke <[email protected]> + * BUG 15935: Crash in ctdbd on failed updateip + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +---------------------------------------------------------------------- + ============================== Release Notes for Samba 4.22.6 October 16, 2025 ============================== @@ -59,8 +183,7 @@ ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.22.5 October 15, 2025 diff -Nru samba-4.22.6+dfsg/ctdb/config/events/legacy/10.interface.script samba-4.22.8+dfsg/ctdb/config/events/legacy/10.interface.script --- samba-4.22.6+dfsg/ctdb/config/events/legacy/10.interface.script 2025-02-06 13:31:53.712144000 +0300 +++ samba-4.22.8+dfsg/ctdb/config/events/legacy/10.interface.script 2026-02-19 12:44:03.051993400 +0300 @@ -78,6 +78,11 @@ "$ip" "$maskbits" "$_maskbits_in" fi else + if [ "$_iface_in" = "__none__" ]; then + echo "WARNING: Unable to determine interface for IP ${ip}" + iface="$_iface_in" + return + fi die "ERROR: Unable to determine interface for IP ${ip}" fi } @@ -214,10 +219,14 @@ exit 0 fi - ip_block "$ip" "$oiface" - - delete_ip_from_iface "$oiface" "$ip" "$maskbits" 2>/dev/null - delete_ip_from_iface "$niface" "$ip" "$maskbits" 2>/dev/null + # Behave more like takeip when the IP is not assigned. No + # need for a similar condition around ip_unblock()s because + # they will silently fail. + if [ "$oiface" != "__none__" ]; then + ip_block "$ip" "$oiface" + delete_ip_from_iface "$oiface" "$ip" "$maskbits" >/dev/null 2>&1 + fi + delete_ip_from_iface "$niface" "$ip" "$maskbits" >/dev/null 2>&1 add_ip_to_iface "$niface" "$ip" "$maskbits" || { ip_unblock "$ip" "$oiface" diff -Nru samba-4.22.6+dfsg/ctdb/config/functions samba-4.22.8+dfsg/ctdb/config/functions --- samba-4.22.6+dfsg/ctdb/config/functions 2025-02-06 13:31:53.712144000 +0300 +++ samba-4.22.8+dfsg/ctdb/config/functions 2026-02-19 12:44:03.055993300 +0300 @@ -630,6 +630,10 @@ _conns=$(get_tcp_connections_for_ip "$_ip" | awk '{ print $1, $2 ; print $2, $1 }') + if [ -z "$_conns" ]; then + return + fi + echo "$_conns" | awk '{ print "Tickle TCP connection", $1, $2 }' echo "$_conns" | ctdb tickle } diff -Nru samba-4.22.6+dfsg/ctdb/server/ctdb_recover.c samba-4.22.8+dfsg/ctdb/server/ctdb_recover.c --- samba-4.22.6+dfsg/ctdb/server/ctdb_recover.c 2025-02-06 13:31:53.732143900 +0300 +++ samba-4.22.8+dfsg/ctdb/server/ctdb_recover.c 2026-02-19 12:44:03.099993700 +0300 @@ -977,6 +977,8 @@ local == NULL ? "NULL" : local)); talloc_free(state); ctdb_shutdown_sequence(ctdb, 1); + /* In case above returns due to duplicate shutdown */ + return; } DEBUG(DEBUG_INFO, ("Recovery lock consistency check successful\n")); diff -Nru samba-4.22.6+dfsg/ctdb/server/ctdb_takeover.c samba-4.22.8+dfsg/ctdb/server/ctdb_takeover.c --- samba-4.22.6+dfsg/ctdb/server/ctdb_takeover.c 2025-06-05 18:38:33.746580800 +0300 +++ samba-4.22.8+dfsg/ctdb/server/ctdb_takeover.c 2026-02-19 12:44:03.103993700 +0300 @@ -617,7 +617,15 @@ */ ctdb_vnn_unassign_iface(ctdb, state->vnn); state->vnn->iface = state->old; - state->vnn->iface->references++; + /* + * state->old (above) can be NULL if the IP wasn't + * recorded as held by this node but the system thinks + * the IP was assigned. In that case, a move could + * still be desirable.. + */ + if (state->vnn->iface != NULL) { + state->vnn->iface->references++; + } ctdb_request_control_reply(ctdb, state->c, NULL, status, NULL); talloc_free(state); diff -Nru samba-4.22.6+dfsg/ctdb/tests/UNIT/eventscripts/10.interface.updateip.001.sh samba-4.22.8+dfsg/ctdb/tests/UNIT/eventscripts/10.interface.updateip.001.sh --- samba-4.22.6+dfsg/ctdb/tests/UNIT/eventscripts/10.interface.updateip.001.sh 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.22.8+dfsg/ctdb/tests/UNIT/eventscripts/10.interface.updateip.001.sh 2026-02-19 12:44:03.123993600 +0300 @@ -0,0 +1,16 @@ +#!/bin/sh + +. "${TEST_SCRIPTS_DIR}/unit.sh" + +define_test "error - update a non-existent ip" + +setup + +public_address=$(ctdb_get_1_public_address) +ip="${public_address% *}" +ip="${ip#* }" + +ok "WARNING: Unable to determine interface for IP ${ip}" +# Want separate words from public_address: interface IP maskbits +# shellcheck disable=SC2086 +simple_test "__none__" $public_address diff -Nru samba-4.22.6+dfsg/docs-xml/manpages/net.8.xml samba-4.22.8+dfsg/docs-xml/manpages/net.8.xml --- samba-4.22.6+dfsg/docs-xml/manpages/net.8.xml 2025-02-20 15:58:50.509504800 +0300 +++ samba-4.22.8+dfsg/docs-xml/manpages/net.8.xml 2026-02-19 12:46:34.629000400 +0300 @@ -3261,7 +3261,7 @@ <para> Example: - net offlinejoin requestodj -U administrator%secret loadfile=provisioning.txt + net offlinejoin requestodj loadfile=provisioning.txt </para> </refsect3> diff -Nru samba-4.22.6+dfsg/docs-xml/manpages/samba-bgqd.8.xml samba-4.22.8+dfsg/docs-xml/manpages/samba-bgqd.8.xml --- samba-4.22.6+dfsg/docs-xml/manpages/samba-bgqd.8.xml 2025-02-06 13:31:53.884144800 +0300 +++ samba-4.22.8+dfsg/docs-xml/manpages/samba-bgqd.8.xml 2026-02-19 12:44:03.163994000 +0300 @@ -14,29 +14,54 @@ <refnamediv> <refname>samba-bgqd</refname> <refpurpose>This is an internal helper program performing - asynchronous printing-related jobs.</refpurpose> + asynchronous printing-related tasks</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>samba-bgqd</command> + <arg choice="opt">-D|--daemon</arg> + <arg choice="opt">-i|--interactive</arg> + <arg choice="opt">-F|--foreground</arg> + <arg choice="opt">--no-process-group</arg> + <arg choice="opt">-d <debug level></arg> + <arg choice="opt">--debug-stdout</arg> + <arg choice="opt">--configfile=<configuration file></arg> + <arg choice="opt">--option=<name>=<value></arg> + <arg choice="opt">-l|--log-basename <log directory></arg> + <arg choice="opt">--ready-signal-fd <fd></arg> + <arg choice="opt">--parent-watch-fd <fd></arg> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>DESCRIPTION</title> - <para>This tool is part of the + <para>This program is part of the <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>7</manvolnum></citerefentry> suite.</para> - <para>samba-bgqd is an helper program to be spawned by smbd or - spoolssd to perform jobs like updating the printer list or - other management tasks asynchronously on demand. It is not - intended to be called by users or administrators.</para> + <para><command>samba-bgqd</command> is not intended to be invoked + directly by users.</para> + + <para>Likewise, while <command>samba-bgqd</command> is also not + intended to be run manually by system administrators, on systems with a + large number of printers configured via CUPS, it is recommended to run + <command>samba-bgqd</command> as a systemd service to improve + performance and responsiveness of printing operations.</para> </refsect1> <refsect1> + <title>SEE ALSO</title> + + <para> + <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry>, and + <citerefentry><refentrytitle>smb.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>. + </para> +</refsect1> +<refsect1> <title>AUTHOR</title> <para>The original Samba software and related utilities diff -Nru samba-4.22.6+dfsg/docs-xml/smbdotconf/misc/ctdbdsocket.xml samba-4.22.8+dfsg/docs-xml/smbdotconf/misc/ctdbdsocket.xml --- samba-4.22.6+dfsg/docs-xml/smbdotconf/misc/ctdbdsocket.xml 2025-02-06 13:31:53.908145000 +0300 +++ samba-4.22.8+dfsg/docs-xml/smbdotconf/misc/ctdbdsocket.xml 2026-02-19 12:46:34.629000400 +0300 @@ -4,12 +4,16 @@ function="_ctdbd_socket" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";> <description> - <para>If you set <value type="example">clustering=yes</value>, - you need to tell Samba where ctdbd listens on its unix domain - socket. The default path as of ctdb 1.0 is /tmp/ctdb.socket which - you have to explicitly set for Samba in smb.conf. - </para> + <para> + In a test environment, this parameter can be used when + <value type="example">clustering=yes</value> to specify an alternate + location for the CTDB Unix domain socket. + </para> + <para> + This parameter should not be set in production environments. If it + is not set then the (correct) build-time default is used. + </para> </description> <value type="default"></value> -<value type="example">/tmp/ctdb.socket</value> +<value type="example">/var/run/altctdb/ctdbd.socket</value> </samba:parameter> diff -Nru samba-4.22.6+dfsg/lib/ldb/common/ldb_dn.c samba-4.22.8+dfsg/lib/ldb/common/ldb_dn.c --- samba-4.22.6+dfsg/lib/ldb/common/ldb_dn.c 2025-02-06 13:31:53.980145500 +0300 +++ samba-4.22.8+dfsg/lib/ldb/common/ldb_dn.c 2026-02-19 12:44:03.247994700 +0300 @@ -232,10 +232,15 @@ case '\0': { /* any others get \XX form */ unsigned char v; + /* + * Do not use libreplace for this. We don't want to have + * a hard requirement for it. + */ + const char *hexbytes = "0123456789ABCDEF"; v = (const unsigned char)c; *d++ = '\\'; - *d++ = hexchars_upper[v>>4]; - *d++ = hexchars_upper[v&0xF]; + *d++ = hexbytes[v>>4]; + *d++ = hexbytes[v&0xF]; break; } default: @@ -2100,7 +2105,7 @@ unsigned int i; struct ldb_val v2; const struct ldb_dn_extended_syntax *ext_syntax; - + if ( ! ldb_dn_validate(dn)) { return LDB_ERR_OTHER; } diff -Nru samba-4.22.6+dfsg/python/samba/provision/sambadns.py samba-4.22.8+dfsg/python/samba/provision/sambadns.py --- samba-4.22.6+dfsg/python/samba/provision/sambadns.py 2025-02-06 13:31:54.316147300 +0300 +++ samba-4.22.8+dfsg/python/samba/provision/sambadns.py 2026-02-19 12:46:34.633000400 +0300 @@ -1030,7 +1030,8 @@ bind9_14 = '' elif bind_info.upper().find('BIND 9.16') != -1: bind9_16 = '' - elif bind_info.upper().find('BIND 9.18') != -1: + elif bind_info.upper().find('BIND 9.18') != -1 \ + or bind_info.upper().find('BIND 9.20') != -1: bind9_18 = '' elif bind_info.upper().find('BIND 9.7') != -1: raise ProvisioningError("DLZ option incompatible with BIND 9.7.") diff -Nru samba-4.22.6+dfsg/selftest/target/Samba3.pm samba-4.22.8+dfsg/selftest/target/Samba3.pm --- samba-4.22.6+dfsg/selftest/target/Samba3.pm 2025-10-16 17:34:01.645333300 +0300 +++ samba-4.22.8+dfsg/selftest/target/Samba3.pm 2026-02-19 12:44:03.567996700 +0300 @@ -3722,6 +3722,9 @@ path = $recycle_shrdir vfs objects = recycle recycle : repository = .trash + recycle : keeptree = yes + recycle : touch = yes + recycle : touch_mtime = yes recycle : exclude = *.tmp recycle : directory_mode = 755 diff -Nru samba-4.22.6+dfsg/source3/libads/kerberos.c samba-4.22.8+dfsg/source3/libads/kerberos.c --- samba-4.22.6+dfsg/source3/libads/kerberos.c 2025-08-21 18:22:16.459915600 +0300 +++ samba-4.22.8+dfsg/source3/libads/kerberos.c 2026-02-19 12:44:03.623997000 +0300 @@ -1380,6 +1380,15 @@ char *enctypes = NULL; const char *include_system_krb5 = ""; mode_t mask; + /* + * The default will be 15 seconds, it can be changed in the smb.conf: + * [global] + * krb5:request_timeout = 30 + */ + int timeout_sec = lp_parm_int(-1, + "krb5", + "request_timeout", + 15 /* default */); if (!lp_create_krb5_conf()) { return false; @@ -1449,6 +1458,12 @@ file_contents = talloc_asprintf(fname, "[libdefaults]\n" +#ifdef SAMBA4_USES_HEIMDAL + "\tkdc_timeout = %d\n" +#else + "\trequest_timeout = %ds\n" + "\tudp_preference_limit = 0\n" +#endif "\tdefault_realm = %s\n" "%s" "\tdns_lookup_realm = false\n" @@ -1458,6 +1473,7 @@ "\t%s = {\n" "%s\t}\n" "%s\n", + timeout_sec, realm_upper, enctypes, realm_upper, diff -Nru samba-4.22.6+dfsg/source3/libads/ldap.c samba-4.22.8+dfsg/source3/libads/ldap.c --- samba-4.22.6+dfsg/source3/libads/ldap.c 2025-08-21 18:22:16.463915800 +0300 +++ samba-4.22.8+dfsg/source3/libads/ldap.c 2026-02-19 12:46:34.633000400 +0300 @@ -237,7 +237,7 @@ bool ads_closest_dc(ADS_STRUCT *ads) { - if (ads->config.flags & NBT_SERVER_CLOSEST) { + if (ads->config.server_flags & NBT_SERVER_CLOSEST) { DEBUG(10,("ads_closest_dc: NBT_SERVER_CLOSEST flag set\n")); return True; } @@ -344,7 +344,7 @@ sitename_store(cldap_reply->dns_domain, cldap_reply->client_site); /* Leave this until last so that the flags are not clobbered */ - ads->config.flags = cldap_reply->server_type; + ads->config.server_flags = cldap_reply->server_type; ret = true; @@ -379,7 +379,8 @@ ok = ads_cldap_netlogon_5(frame, ss, ads->server.realm, - ads->config.flags | DS_ONLY_LDAP_NEEDED, + ads->config.required_flags | + DS_ONLY_LDAP_NEEDED, &cldap_reply); if (!ok) { DBG_NOTICE("ads_cldap_netlogon_5(%s, %s) failed.\n", @@ -490,20 +491,21 @@ return status; } - status = netlogon_pings(frame, /* mem_ctx */ - lp_client_netlogon_ping_protocol(), /* proto */ - ts_list, /* servers */ - num_requests, /* num_servers */ - (struct netlogon_ping_filter){ - .ntversion = nt_version, - .domain = ads->server.realm, - .acct_ctrl = -1, - .required_flags = ads->config.flags | - DS_ONLY_LDAP_NEEDED, - }, - 1, /* wanted_servers */ - endtime, /* timeout */ - &responses); + status = netlogon_pings( + frame, /* mem_ctx */ + lp_client_netlogon_ping_protocol(), /* proto */ + ts_list, /* servers */ + num_requests, /* num_servers */ + (struct netlogon_ping_filter){ + .ntversion = nt_version, + .domain = ads->server.realm, + .acct_ctrl = -1, + .required_flags = ads->config.required_flags | + DS_ONLY_LDAP_NEEDED, + }, + 1, /* wanted_servers */ + endtime, /* timeout */ + &responses); if (!NT_STATUS_IS_OK(status)) { DBG_WARNING("netlogon_pings(realm=%s, num_requests=%zu) " "for count[%zu] - %s\n", @@ -1261,6 +1263,7 @@ if (ads->ldap_wrap_data.mem_ctx) { talloc_free(ads->ldap_wrap_data.mem_ctx); } + ads->config.server_flags = 0; ads_zero_ldap(ads); ZERO_STRUCT(ads->ldap_tls_data); ZERO_STRUCT(ads->ldap_wrap_data); @@ -3725,10 +3728,10 @@ } /* - * Reset ads->config.flags as it can contain the flags + * Reset flags as it can contain the flags * returned by the previous CLDAP ping when reusing the struct. */ - ads_s->config.flags = 0; + ads_s->config.server_flags = 0; status = ads_connect_simple_anon(ads_s); if ( !ADS_ERR_OK(status)) @@ -3814,10 +3817,10 @@ } /* - * Reset ads->config.flags as it can contain the flags + * Reset flags as it can contain the flags * returned by the previous CLDAP ping when reusing the struct. */ - ads_s->config.flags = 0; + ads_s->config.server_flags = 0; status = ads_connect_simple_anon(ads_s); if ( !ADS_ERR_OK(status)) diff -Nru samba-4.22.6+dfsg/source3/librpc/idl/ads.idl samba-4.22.8+dfsg/source3/librpc/idl/ads.idl --- samba-4.22.6+dfsg/source3/librpc/idl/ads.idl 2025-02-06 13:31:54.452148200 +0300 +++ samba-4.22.8+dfsg/source3/librpc/idl/ads.idl 2026-02-19 12:46:34.637000600 +0300 @@ -6,6 +6,7 @@ */ import "nbt.idl"; +import "netlogon.idl"; cpp_quote("#include <system/network.h>") @@ -51,7 +52,8 @@ } ads_auth; typedef [nopull,nopush] struct { - nbt_server_type flags; /* cldap flags identifying the services. */ + nbt_server_type server_flags; /* NBT_* cldap flags identifying the services. */ + netr_DsRGetDCName_flags required_flags; /* DS_* - Netlogon flags */ string workgroup; string realm; string bind_path; diff -Nru samba-4.22.6+dfsg/source3/libsmb/namequery_dc.c samba-4.22.8+dfsg/source3/libsmb/namequery_dc.c --- samba-4.22.6+dfsg/source3/libsmb/namequery_dc.c 2025-02-06 13:31:54.464148300 +0300 +++ samba-4.22.8+dfsg/source3/libsmb/namequery_dc.c 2026-02-19 12:46:34.637000600 +0300 @@ -109,7 +109,9 @@ } #ifdef HAVE_ADS - if (is_our_primary_domain(domain) && (ads->config.flags & NBT_SERVER_KDC)) { + if (is_our_primary_domain(domain) && + (ads->config.server_flags & NBT_SERVER_KDC)) + { if (ads_closest_dc(ads)) { /* We're going to use this KDC for this realm/domain. If we are using sites, then force the krb5 libs diff -Nru samba-4.22.6+dfsg/source3/modules/vfs_ceph_new.c samba-4.22.8+dfsg/source3/modules/vfs_ceph_new.c --- samba-4.22.6+dfsg/source3/modules/vfs_ceph_new.c 2025-10-16 17:34:01.669333500 +0300 +++ samba-4.22.8+dfsg/source3/modules/vfs_ceph_new.c 2026-02-19 12:46:34.641000500 +0300 @@ -864,13 +864,14 @@ struct statvfs *stbuf) { struct vfs_ceph_config *config = NULL; + int ret = -1; SMB_VFS_HANDLE_GET_DATA(handle, config, struct vfs_ceph_config, return -ENOMEM); - DBG_DEBUG("[CEPH] ceph_ll_statfs: ino=%" PRIu64 "\n", iref->ino); - - return config->ceph_ll_statfs_fn(config->mount, iref->inode, stbuf); + ret = config->ceph_ll_statfs_fn(config->mount, iref->inode, stbuf); + DBG_DEBUG("[CEPH] ceph_ll_statfs: ino=%" PRIu64 " ret=%d\n", iref->ino, ret); + return ret; } static int vfs_ceph_ll_getattr2(const struct vfs_handle_struct *handle, @@ -1986,23 +1987,21 @@ uint64_t *dsize) { struct statvfs statvfs_buf = { 0 }; - struct Inode *inode = NULL; int ret; struct vfs_ceph_config *config = NULL; + struct vfs_ceph_iref iref = {0}; SMB_VFS_HANDLE_GET_DATA(handle, config, struct vfs_ceph_config, return -ENOMEM); - ret = config->ceph_ll_lookup_root_fn(config->mount, &inode); + ret = vfs_ceph_iget(handle, smb_fname->base_name, 0, &iref); if (ret != 0) { - DBG_DEBUG("[CEPH] ceph_ll_lookup_root returned %d\n", ret); errno = -ret; return (uint64_t)(-1); } - ret = config->ceph_ll_statfs_fn(config->mount, inode, &statvfs_buf); - config->ceph_ll_put_fn(config->mount, inode); + ret = vfs_ceph_ll_statfs(handle, &iref, &statvfs_buf); + vfs_ceph_iput(handle, &iref); if (ret != 0) { - DBG_DEBUG("[CEPH] ceph_ll_statfs returned %d\n", ret); errno = -ret; return (uint64_t)(-1); } diff -Nru samba-4.22.6+dfsg/source3/modules/vfs_fruit.c samba-4.22.8+dfsg/source3/modules/vfs_fruit.c --- samba-4.22.6+dfsg/source3/modules/vfs_fruit.c 2025-10-16 17:34:01.669333500 +0300 +++ samba-4.22.8+dfsg/source3/modules/vfs_fruit.c 2026-02-19 12:44:03.667997400 +0300 @@ -4655,7 +4655,7 @@ DBG_DEBUG("%s\n", fsp_str_dbg(fsp)); - if (config->ignore_zero_aces && (psd->dacl->num_aces == 0)) { + if (config->ignore_zero_aces && (orig_num_aces == 0)) { /* * Just ignore Set-ACL requests with zero ACEs. */ diff -Nru samba-4.22.6+dfsg/source3/modules/vfs_recycle.c samba-4.22.8+dfsg/source3/modules/vfs_recycle.c --- samba-4.22.6+dfsg/source3/modules/vfs_recycle.c 2025-02-06 13:31:54.484148300 +0300 +++ samba-4.22.8+dfsg/source3/modules/vfs_recycle.c 2026-02-19 12:44:03.671997300 +0300 @@ -363,9 +363,9 @@ return False; } - /* + /* * Walk the components of path, looking for matches with the - * exclude list on each component. + * exclude list on each component. */ for (startp = path; startp; startp = endp) { @@ -612,7 +612,7 @@ goto done; } - if (config->keeptree) { + if (config->keeptree && !ISDOT(path_name)) { temp_name = talloc_asprintf(frame, "%s/%s", config->repository, path_name); diff -Nru samba-4.22.6+dfsg/source3/printing/print_cups.c samba-4.22.8+dfsg/source3/printing/print_cups.c --- samba-4.22.6+dfsg/source3/printing/print_cups.c 2025-02-06 13:31:54.508148400 +0300 +++ samba-4.22.8+dfsg/source3/printing/print_cups.c 2026-02-19 12:46:34.641000500 +0300 @@ -1130,6 +1130,9 @@ if (http) httpClose(http); + if (num_options) { + cupsFreeOptions(num_options, options); + } TALLOC_FREE(frame); return ret; diff -Nru samba-4.22.6+dfsg/source3/printing/printing.c samba-4.22.8+dfsg/source3/printing/printing.c --- samba-4.22.6+dfsg/source3/printing/printing.c 2025-02-06 13:31:54.508148400 +0300 +++ samba-4.22.8+dfsg/source3/printing/printing.c 2026-02-19 12:46:34.641000500 +0300 @@ -2836,7 +2836,7 @@ pjob->filename, pjob->size ? "deleted" : "zero length" )); unlink(pjob->filename); pjob_delete(global_event_context(), msg_ctx, sharename, jobid); - return NT_STATUS_OK; + goto out; } /* don't strip out characters like '$' from the printername */ @@ -2878,7 +2878,8 @@ /* make sure the database is up to date */ if (print_cache_expired(lp_const_servicename(snum), True)) print_queue_update(msg_ctx, snum, False); - +out: + talloc_free(tmp_ctx); return NT_STATUS_OK; fail: diff -Nru samba-4.22.6+dfsg/source3/printing/queue_process.c samba-4.22.8+dfsg/source3/printing/queue_process.c --- samba-4.22.6+dfsg/source3/printing/queue_process.c 2025-02-06 13:31:54.508148400 +0300 +++ samba-4.22.8+dfsg/source3/printing/queue_process.c 2026-02-19 12:44:03.699997400 +0300 @@ -265,6 +265,7 @@ DEBUG(10,("smb_conf_updated: Got message saying smb.conf was " "updated. Reloading.\n")); change_to_root_user(); + lp_load_with_shares(get_dyn_CONFIGFILE()); pcap_cache_reload(state->ev, msg_ctx, reload_pcap_change_notify); printing_subsystem_queue_tasks(state); } @@ -322,6 +323,8 @@ goto fail_free_handlers; } + /* Load shares, needed for [printers] */ + lp_load_with_shares(get_dyn_CONFIGFILE()); /* Initialize the printcap cache as soon as the daemon starts. */ pcap_cache_reload(state->ev, state->msg, reload_pcap_change_notify); diff -Nru samba-4.22.6+dfsg/source3/rpc_client/cli_pipe.c samba-4.22.8+dfsg/source3/rpc_client/cli_pipe.c --- samba-4.22.6+dfsg/source3/rpc_client/cli_pipe.c 2025-02-20 15:58:50.533505000 +0300 +++ samba-4.22.8+dfsg/source3/rpc_client/cli_pipe.c 2026-02-19 12:46:34.645000500 +0300 @@ -3624,7 +3624,7 @@ } if (local_server_name == NULL) { - local_server_name = get_myname(result); + local_server_name = get_myname(frame); } if (local_server_addr != NULL) { diff -Nru samba-4.22.6+dfsg/source3/rpc_server/mdssvc/es_parser.y samba-4.22.8+dfsg/source3/rpc_server/mdssvc/es_parser.y --- samba-4.22.6+dfsg/source3/rpc_server/mdssvc/es_parser.y 2025-10-16 17:34:01.673333600 +0300 +++ samba-4.22.8+dfsg/source3/rpc_server/mdssvc/es_parser.y 2026-02-19 12:44:03.715997700 +0300 @@ -219,6 +219,13 @@ } else { $$ = map_expr($3, '~', $5, $7); } +} +| FUNC_INRANGE OBRACE attribute COMMA isodate COMMA isodate CBRACE { + if ($3 == NULL) { + $$ = NULL; + } else { + $$ = map_expr($3, '~', $5, $7); + } }; attribute: @@ -412,7 +419,7 @@ end = ")"; break; default: - DBG_ERR("Mapping fts [%s] unexpected op [%c]\n", val, op); + DBG_DEBUG("Mapping fts [%s] unexpected op [%c]\n", val, op); return NULL; } @@ -487,15 +494,16 @@ static char *map_sldate_to_esdate(TALLOC_CTX *mem_ctx, const char *sldate) { + char *endp = NULL; struct tm *tm = NULL; char *esdate = NULL; char buf[21]; size_t len; time_t t; - int error; - t = (time_t)smb_strtoull(sldate, NULL, 10, &error, SMB_STR_STANDARD); - if (error != 0) { + errno = 0; + t = (time_t)strtoll(sldate, &endp, 10); + if (*sldate == '\0' || endp == sldate || *endp != '\0' || errno != 0) { DBG_ERR("smb_strtoull [%s] failed\n", sldate); return NULL; } @@ -508,7 +516,7 @@ } len = strftime(buf, sizeof(buf), - "%Y-%m-%dT%H:%M:%SZ", tm); + "%4Y-%m-%dT%H:%M:%SZ", tm); if (len != 20) { DBG_ERR("strftime [%s] failed\n", sldate); return NULL; diff -Nru samba-4.22.6+dfsg/source3/rpc_server/mdssvc/mdssvc_es.c samba-4.22.8+dfsg/source3/rpc_server/mdssvc/mdssvc_es.c --- samba-4.22.6+dfsg/source3/rpc_server/mdssvc/mdssvc_es.c 2025-10-16 17:34:01.673333600 +0300 +++ samba-4.22.8+dfsg/source3/rpc_server/mdssvc/mdssvc_es.c 2026-02-19 12:46:34.645000500 +0300 @@ -108,10 +108,12 @@ } TALLOC_FREE(default_path); - mdssvc_es_ctx->default_fields = lp_parm_const_string(GLOBAL_SECTION_SNUM, - "elasticsearch", - "default_fields", - default_fields); + default_fields = lp_parm_const_string(GLOBAL_SECTION_SNUM, + "elasticsearch", + "default_fields", + default_fields); + mdssvc_es_ctx->default_fields = talloc_strdup(mdssvc_es_ctx, + default_fields); if (mdssvc_es_ctx->default_fields == NULL) { TALLOC_FREE(mdssvc_es_ctx); return false; diff -Nru samba-4.22.6+dfsg/source3/rpc_server/mdssvc/test_mdsparser_es.c samba-4.22.8+dfsg/source3/rpc_server/mdssvc/test_mdsparser_es.c --- samba-4.22.6+dfsg/source3/rpc_server/mdssvc/test_mdsparser_es.c 2025-10-16 17:34:01.673333600 +0300 +++ samba-4.22.8+dfsg/source3/rpc_server/mdssvc/test_mdsparser_es.c 2026-02-19 12:44:03.715997700 +0300 @@ -54,6 +54,20 @@ "kMDItemFSContentChangeDate==$time.iso(2018-10-01T10:00:00Z)", "file.last_modified:2018\\\\-10\\\\-01T10\\\\:00\\\\:00Z" }, { + "kMDItemFSContentChangeDate==$time.iso(1960-10-01T10:00:00Z)", + "file.last_modified:1960\\\\-10\\\\-01T10\\\\:00\\\\:00Z" +#ifdef __LP64__ + }, { + "kMDItemFSContentChangeDate==$time.iso(1000-10-01T10:00:00Z)", + "file.last_modified:1000\\\\-10\\\\-01T10\\\\:00\\\\:00Z" + }, { + "kMDItemFSContentChangeDate==$time.iso(0000-10-01T10:00:00Z)", + "file.last_modified:0000\\\\-10\\\\-01T10\\\\:00\\\\:00Z" + }, { + "kMDItemFSContentChangeDate==$time.iso(9999-10-01T10:00:00Z)", + "file.last_modified:9999\\\\-10\\\\-01T10\\\\:00\\\\:00Z" +#endif + }, { "kMDItemFSContentChangeDate==\"1\"", "file.last_modified:2001\\\\-01\\\\-01T00\\\\:00\\\\:01Z" }, { @@ -155,6 +169,9 @@ }, { "InRange(kMDItemFSSize,1,2)", "file.filesize:[1 TO 2]" + }, { + "InRange(kMDItemContentCreationDate,$time.iso(2024-12-31T23:00:00Z),$time.iso(2025-12-31T23:00:00Z))", + "file.created:[2024\\\\-12\\\\-31T23\\\\:00\\\\:00Z TO 2025\\\\-12\\\\-31T23\\\\:00\\\\:00Z]" } }; diff -Nru samba-4.22.6+dfsg/source3/script/tests/test_recycle.sh samba-4.22.8+dfsg/source3/script/tests/test_recycle.sh --- samba-4.22.6+dfsg/source3/script/tests/test_recycle.sh 2025-02-06 13:31:54.548148600 +0300 +++ samba-4.22.8+dfsg/source3/script/tests/test_recycle.sh 2026-02-19 12:44:03.735997700 +0300 @@ -42,6 +42,7 @@ cd "$share_test_dir" || return rm -f testfile1 rm -f testfile2.tmp + rm -f test_mtime rm -rf .trash ) ( @@ -117,6 +118,38 @@ return 0 } +test_touch() +{ + tmpfile=$PREFIX/test_mtime + touch "$tmpfile" + if ! $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/recycle -I$SERVER_IP $ADDARGS -c "put $tmpfile test_mtime" ; then + printf "failed recycle smbclient" + return 1 + fi + rm -f "$tmpfile" + atime1=`stat -c '%x' "$share_test_dir/test_mtime"` + mtime1=`stat -c '%y' "$share_test_dir/test_mtime"` + if ! $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/recycle -I$SERVER_IP $ADDARGS -c 'del test_mtime' ; then + printf "failed recycle smbclient" + return 1 + fi + test -e "$share_test_dir/.trash/test_mtime" || { + printf ".trash/test_mtime expected to exist but does NOT exist\n" + return 1 + } + atime2=`stat -c '%x' "$share_test_dir/.trash/test_mtime"` + mtime2=`stat -c '%y' "$share_test_dir/.trash/test_mtime"` + test "$atime1" != "$atime2" || { + printf "recycle:touch failed: atime should differ: $atime1, $atime2\n" + return 1 + } + test "$mtime1" != "$mtime2" || { + printf "recycle:touch_mtime failed: mtime should differ: $mtime1, $mtime2\n" + return 1 + } + return 0 +} + test_recycle_crossrename() { tmpfile=$PREFIX/smbclient_interactive_prompt_commands @@ -168,6 +201,10 @@ test_recycle || failed=$((failed + 1)) +testit "recycle_touch" \ + test_touch || + failed=$((failed + 1)) + testit "recycle_crossrename" \ test_recycle_crossrename || failed=$((failed + 1)) diff -Nru samba-4.22.6+dfsg/source3/script/tests/test_winbind_cache_sanity.sh samba-4.22.8+dfsg/source3/script/tests/test_winbind_cache_sanity.sh --- samba-4.22.6+dfsg/source3/script/tests/test_winbind_cache_sanity.sh 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.22.8+dfsg/source3/script/tests/test_winbind_cache_sanity.sh 2026-02-19 12:44:03.743997800 +0300 @@ -0,0 +1,112 @@ +#!/bin/sh + +if [ $# -lt 2 ]; then + cat <<EOF +Usage: test_winbind_cache_sanity.sh DOMAIN CACHE +EOF + exit 1 +fi + +DOMAIN="$1" +CACHE="$2" +shift 2 +ADDARGS="$*" + +TDBTOOL=tdbtool +if test -x "$BINDIR"/tdbtool; then + TDBTOOL=$BINDIR/tdbtool +fi +DBWRAP_TOOL=$BINDIR/dbwrap_tool +WBINFO=$BINDIR/wbinfo + +incdir=$(dirname "$0")/../../../testprogs/blackbox +. "$incdir"/subunit.sh + + +################################################# +## Test "$CACHE" presence +################################################# + +testit "$CACHE presence" \ + test -r "$CACHE" \ + || failed=$((failed + 1)) + + +################################################# +## Test very simple wbinfo query to fill up cache with NDR/ and SEQNUM/ entries +################################################# + +separator=$("$WBINFO" --separator) + +testit "calling wbinfo -n$DOMAIN$separator to fillup cache" \ + "$VALGRIND" "$WBINFO" -n "$DOMAIN$separator" \ + "$ADDARGS" \ + || failed=$((failed + 1)) + + +################################################# +## Test "WINBINDD_CACHE_VERSION" presence +################################################# + +KEY="WINBINDD_CACHE_VERSION" +WINBINDD_CACHE_VER2=2 + +testit "$KEY presence via dbwrap" \ + "$VALGRIND" "$DBWRAP_TOOL" --persistent "$CACHE" fetch $KEY uint32 \ + "$ADDARGS" \ + || failed=$((failed + 1)) + +#tdbtool will never fail so we have to parse the output... +testit_grep "$KEY presence via tdbtool" "data 4 bytes" \ + "$VALGRIND" "$TDBTOOL" "$CACHE" show "$KEY\\00" \ + "$ADDARGS" \ + || failed=$((failed + 1)) + +current_ver=$("$DBWRAP_TOOL" --persistent "$CACHE" fetch $KEY uint32) + +testit "$KEY value via dbwrap to be WINBINDD_CACHE_VER2" \ + test "$current_ver" = $WINBINDD_CACHE_VER2 \ + || failed=$((failed + 1)) + + +################################################# +## Test "SEQNUM/$DOMAIN" presence +################################################# + +KEY="SEQNUM/$DOMAIN" + +testit "$KEY SEQNUM presence via dbwrap" \ + "$VALGRIND" "$DBWRAP_TOOL" --persistent "$CACHE" exists "$KEY" \ + "$ADDARGS" \ + || failed=$((failed + 1)) + +#tdbtool will never fail so we have to parse the output... +testit_grep "$KEY SEQNUM presence via tdbtool" "data 8 bytes" \ + "$VALGRIND" "$TDBTOOL" "$CACHE" show "$KEY\\00" \ + "$ADDARGS" \ + || failed=$((failed + 1)) + + +################################################# +## Test "NDR/$DOMAIN/3/\09\00\00\00\00\00\00\00\09\00\00\00$DOMAIN\00\00\00\00\01\00\00\00\00\00\00\00\01\00\00\00\00\00\00\00\00\00\00\00" presence +## this is the resulting cache entry for a simple +## wbinfo -n $DOMAIN\ query +################################################# + +opnum=$($PYTHON -c'from samba.dcerpc.winbind import wbint_LookupName; print(wbint_LookupName.opnum())') +KEY="NDR/$DOMAIN/$opnum/\\09\\00\\00\\00\\00\\00\\00\\00\\09\\00\\00\\00$DOMAIN\\00\\00\\00\\00\\01\\00\\00\\00\\00\\00\\00\\00\\01\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00" + +#DBWRAP_TOOL does not support non-null terminated keys so it cannot find it... +#testit "$KEY NDR presence via dbwrap" \ +# "$VALGRIND" "$DBWRAP_TOOL" --persistent $CACHE exists $KEY \ +# "$ADDARGS" \ +# || failed=$((failed + 1)) + +#tdbtool will never fail so we have to parse the output... +# key 59 bytes +testit_grep "$KEY NDR presence via tdbtool" "data 44 bytes" \ + "$VALGRIND" "$TDBTOOL" "$CACHE" show "$KEY" \ + "$ADDARGS" \ + || failed=$((failed + 1)) + +testok "$0" "$failed" diff -Nru samba-4.22.6+dfsg/source3/selftest/tests.py samba-4.22.8+dfsg/source3/selftest/tests.py --- samba-4.22.6+dfsg/source3/selftest/tests.py 2025-10-15 15:19:02.314114800 +0300 +++ samba-4.22.8+dfsg/source3/selftest/tests.py 2026-02-19 12:44:03.747997800 +0300 @@ -727,6 +727,10 @@ [os.path.join(srcdir(), "source3/script/tests/test_winbind_call_depth_trace.sh"), smbcontrol, configuration, '$PREFIX', env]) +plantestsuite("samba3.winbind_cache_sanity", env, + [os.path.join(srcdir(), + "source3/script/tests/test_winbind_cache_sanity.sh"), + '$DOMAIN', '$LOCK_DIR/winbindd_cache.tdb']) env = "fl2008r2dc:local" plantestsuite("samba3.wbinfo_user_info", env, diff -Nru samba-4.22.6+dfsg/source3/smbd/filename.c samba-4.22.8+dfsg/source3/smbd/filename.c --- samba-4.22.6+dfsg/source3/smbd/filename.c 2025-02-06 13:31:54.560148700 +0300 +++ samba-4.22.8+dfsg/source3/smbd/filename.c 2026-02-19 12:44:03.751997700 +0300 @@ -753,19 +753,9 @@ } if (dirname[0] == '\0') { - smb_dirname = synthetic_smb_fname( - mem_ctx, - ".", - NULL, - NULL, - 0, - posix ? SMB_FILENAME_POSIX_PATH : 0); - if (smb_dirname == NULL) { - return NT_STATUS_NO_MEMORY; - } - status = openat_pathref_fsp_lcomp(basedir, - smb_dirname, - UCF_POSIX_PATHNAMES); + status = openat_pathref_fsp_dot( + mem_ctx, basedir, + posix ? SMB_FILENAME_POSIX_PATH : 0, &smb_dirname); } else { status = normalize_filename_case(conn, dirname, ucf_flags); if (!NT_STATUS_IS_OK(status)) { diff -Nru samba-4.22.6+dfsg/source3/smbd/files.c samba-4.22.8+dfsg/source3/smbd/files.c --- samba-4.22.6+dfsg/source3/smbd/files.c 2025-02-06 13:31:54.560148700 +0300 +++ samba-4.22.8+dfsg/source3/smbd/files.c 2026-02-19 12:44:03.751997700 +0300 @@ -1663,6 +1663,114 @@ return NT_STATUS_OK; } +NTSTATUS openat_pathref_fsp_dot(TALLOC_CTX *mem_ctx, + struct files_struct *dirfsp, + uint32_t flags, + struct smb_filename **_dot) +{ + struct connection_struct *conn = dirfsp->conn; + struct files_struct *fsp = NULL; + struct smb_filename *full_fname = NULL; + struct vfs_open_how how = { .flags = O_NOFOLLOW, }; + struct smb_filename *dot = NULL; + NTSTATUS status; + int fd; + +#ifdef O_DIRECTORY + how.flags |= O_DIRECTORY; +#endif + +#ifdef O_PATH + how.flags |= O_PATH; +#else + how.flags |= (O_RDONLY | O_NONBLOCK); +#endif + + dot = synthetic_smb_fname(mem_ctx, ".", NULL, NULL, 0, flags); + if (dot == NULL) { + return NT_STATUS_NO_MEMORY; + } + + status = fsp_new(conn, conn, &fsp); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("fsp_new() failed: %s\n", nt_errstr(status)); + return status; + } + + GetTimeOfDay(&fsp->open_time); + fsp_set_gen_id(fsp); + ZERO_STRUCT(conn->sconn->fsp_fi_cache); + + fsp->fsp_flags.is_pathref = true; + + full_fname = full_path_from_dirfsp_atname(conn, dirfsp, dot); + if (full_fname == NULL) { + DBG_DEBUG("full_path_from_dirfsp_atname(%s/%s) failed\n", + dirfsp->fsp_name->base_name, + dot->base_name); + file_free(NULL, fsp); + return NT_STATUS_NO_MEMORY; + } + + status = fsp_attach_smb_fname(fsp, &full_fname); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("fsp_attach_smb_fname(fsp, %s) failed: %s\n", + smb_fname_str_dbg(full_fname), + nt_errstr(status)); + file_free(NULL, fsp); + return status; + } + + fd = SMB_VFS_OPENAT(conn, dirfsp, dot, fsp, &how); + if (fd == -1) { + status = map_nt_error_from_unix(errno); + DBG_DEBUG("smb_vfs_openat(%s/%s) failed: %s\n", + dirfsp->fsp_name->base_name, + dot->base_name, + strerror(errno)); + file_free(NULL, fsp); + return status; + } + + fsp_set_fd(fsp, fd); + + status = vfs_stat_fsp(fsp); + + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("vfs_stat_fsp(\"/\") failed: %s\n", + nt_errstr(status)); + fd_close(fsp); + file_free(NULL, fsp); + return status; + } + + fsp->fsp_flags.is_directory = S_ISDIR(fsp->fsp_name->st.st_ex_mode); + fsp->fsp_flags.posix_open = + ((dot->flags & SMB_FILENAME_POSIX_PATH) != 0); + fsp->file_id = vfs_file_id_from_sbuf(conn, &fsp->fsp_name->st); + + dot->st = fsp->fsp_name->st; + + status = fsp_smb_fname_link(fsp, + &dot->fsp_link, + &dot->fsp); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("fsp_smb_fname_link() failed: %s\n", + nt_errstr(status)); + fd_close(fsp); + file_free(NULL, fsp); + return status; + } + + DBG_DEBUG("fsp [%s]: OK, fd=%d\n", fsp_str_dbg(fsp), fd); + + talloc_set_destructor(dot, smb_fname_fsp_destructor); + + *_dot = dot; + + return NT_STATUS_OK; +} + void smb_fname_fsp_unlink(struct smb_filename *smb_fname) { talloc_set_destructor(smb_fname, NULL); diff -Nru samba-4.22.6+dfsg/source3/smbd/proto.h samba-4.22.8+dfsg/source3/smbd/proto.h --- samba-4.22.6+dfsg/source3/smbd/proto.h 2025-06-05 18:38:33.770581000 +0300 +++ samba-4.22.8+dfsg/source3/smbd/proto.h 2026-02-19 12:44:03.759997800 +0300 @@ -402,6 +402,10 @@ NTSTATUS openat_pathref_fsp_lcomp(struct files_struct *dirfsp, struct smb_filename *smb_fname_rel, uint32_t ucf_flags); +NTSTATUS openat_pathref_fsp_dot(TALLOC_CTX *mem_ctx, + struct files_struct *dirfsp, + uint32_t flags, + struct smb_filename **_dot); NTSTATUS readlink_talloc( TALLOC_CTX *mem_ctx, struct files_struct *dirfsp, diff -Nru samba-4.22.6+dfsg/source3/smbd/smb2_oplock.c samba-4.22.8+dfsg/source3/smbd/smb2_oplock.c --- samba-4.22.6+dfsg/source3/smbd/smb2_oplock.c 2025-06-05 18:38:33.770581000 +0300 +++ samba-4.22.8+dfsg/source3/smbd/smb2_oplock.c 2026-02-19 12:46:34.645000500 +0300 @@ -1316,6 +1316,10 @@ int ret; bool ok; + if (!lp_smb3_directory_leases()) { + return; + } + if (lease != NULL) { DBG_DEBUG("Parent leasekey %"PRIx64"/%"PRIx64"\n", lease->parent_lease_key.data[0], diff -Nru samba-4.22.6+dfsg/source3/winbindd/winbindd_cache.c samba-4.22.8+dfsg/source3/winbindd/winbindd_cache.c --- samba-4.22.6+dfsg/source3/winbindd/winbindd_cache.c 2025-02-06 13:31:54.616149200 +0300 +++ samba-4.22.8+dfsg/source3/winbindd/winbindd_cache.c 2026-02-19 12:44:03.819998300 +0300 @@ -505,8 +505,8 @@ return NT_STATUS_OK; } -bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum, - time_t last_seq_check) +static bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum, + time_t last_seq_check) { size_t len = strlen(domain_name); char keystr[len+8]; @@ -3167,10 +3167,40 @@ return true; } -static bool init_wcache(void) +static TDB_CONTEXT *wcache_open(void) { char *db_path; + TDB_CONTEXT *tdb = NULL; + bool wcache_wiped = !lp_winbind_offline_logon(); + db_path = wcache_path(); + if (db_path == NULL) { + return NULL; + } + + /* when working offline we must not clear the cache on restart */ + tdb = tdb_open_log(db_path, + WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE, + TDB_INCOMPATIBLE_HASH | + (lp_winbind_offline_logon() + ? TDB_DEFAULT + : (TDB_DEFAULT | + TDB_CLEAR_IF_FIRST)), + O_RDWR | O_CREAT, + 0600); + TALLOC_FREE(db_path); + + if (wcache_wiped) { + tdb_store_uint32(tdb, + WINBINDD_CACHE_VERSION_KEYSTR, + WINBINDD_CACHE_VERSION); + } + + return tdb; +} + +static bool init_wcache(void) +{ if (wcache == NULL) { wcache = SMB_XMALLOC_P(struct winbind_cache); ZERO_STRUCTP(wcache); @@ -3179,23 +3209,19 @@ if (wcache->tdb != NULL) return true; - db_path = wcache_path(); - if (db_path == NULL) { - return false; - } - - /* when working offline we must not clear the cache on restart */ - wcache->tdb = tdb_open_log(db_path, - WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE, - TDB_INCOMPATIBLE_HASH | - (lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST)), - O_RDWR|O_CREAT, 0600); - TALLOC_FREE(db_path); + wcache->tdb = wcache_open(); if (wcache->tdb == NULL) { DBG_ERR("Failed to open winbindd_cache.tdb!\n"); return false; } + /* + * Create a dummy SEQNUM entry early, otherwise every call via the + * winbind NDR interface will fail to call wcache_store_ndr() when there + * is no SEQNUM present already + */ + wcache_store_seqnum(lp_workgroup(), 0, 0); + return true; } @@ -3205,7 +3231,7 @@ only opener. ************************************************************************/ -bool initialize_winbindd_cache(void) +static bool initialize_winbindd_cache(void) { bool cache_bad = false; uint32_t vers = 0; @@ -3390,8 +3416,6 @@ /* flush the cache */ static void wcache_flush_cache(void) { - char *db_path; - if (!wcache) return; if (wcache->tdb) { @@ -3402,18 +3426,7 @@ return; } - db_path = wcache_path(); - if (db_path == NULL) { - return; - } - - /* when working offline we must not clear the cache on restart */ - wcache->tdb = tdb_open_log(db_path, - WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE, - TDB_INCOMPATIBLE_HASH | - (lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST)), - O_RDWR|O_CREAT, 0600); - TALLOC_FREE(db_path); + wcache->tdb = wcache_open(); if (!wcache->tdb) { DBG_ERR("Failed to open winbindd_cache.tdb!\n"); return; @@ -4239,14 +4252,7 @@ goto done; } - tdb = tdb_open_log(tdb_path, - WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE, - TDB_INCOMPATIBLE_HASH | - ( lp_winbind_offline_logon() - ? TDB_DEFAULT - : TDB_DEFAULT | TDB_CLEAR_IF_FIRST ), - O_RDWR|O_CREAT, - 0600); + tdb = wcache_open(); if (!tdb) { DBG_ERR("winbindd_validate_cache: " "error opening/initializing tdb\n"); diff -Nru samba-4.22.6+dfsg/source3/winbindd/winbindd_cm.c samba-4.22.8+dfsg/source3/winbindd/winbindd_cm.c --- samba-4.22.6+dfsg/source3/winbindd/winbindd_cm.c 2025-08-21 18:22:16.475915700 +0300 +++ samba-4.22.8+dfsg/source3/winbindd/winbindd_cm.c 2026-02-19 12:46:34.649000600 +0300 @@ -1061,7 +1061,7 @@ ads_status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); goto out; } - ads->config.flags |= request_flags; + ads->config.required_flags |= request_flags; ads->server.no_fallback = true; ads_status = ads_connect_cldap_only(ads); @@ -1077,9 +1077,9 @@ } namecache_store(name, 0x20, 1, sa); - DBG_DEBUG("CLDAP flags = 0x%"PRIx32"\n", ads->config.flags); + DBG_DEBUG("CLDAP flags = 0x%" PRIx32 "\n", ads->config.server_flags); - if (domain->primary && (ads->config.flags & NBT_SERVER_KDC)) { + if (domain->primary && (ads->config.server_flags & NBT_SERVER_KDC)) { if (ads_closest_dc(ads)) { char *sitename = sitename_fetch(tmp_ctx, ads->config.realm); diff -Nru samba-4.22.6+dfsg/source3/winbindd/winbindd_proto.h samba-4.22.8+dfsg/source3/winbindd/winbindd_proto.h --- samba-4.22.6+dfsg/source3/winbindd/winbindd_proto.h 2025-08-21 18:22:16.479915600 +0300 +++ samba-4.22.8+dfsg/source3/winbindd/winbindd_proto.h 2026-02-19 12:44:03.823998200 +0300 @@ -143,7 +143,6 @@ const struct dom_sid *user_sid); bool wcache_invalidate_cache(void); bool wcache_invalidate_cache_noinit(void); -bool initialize_winbindd_cache(void); void close_winbindd_cache(void); bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, char **domain_name, char **name, @@ -178,8 +177,6 @@ bool wcache_tdc_add_domain( struct winbindd_domain *domain ); struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const char *name ); void wcache_tdc_clear( void ); -bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum, - time_t last_seq_check); bool wcache_fetch_ndr(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, uint32_t opnum, const DATA_BLOB *req, DATA_BLOB *resp); void wcache_store_ndr(struct winbindd_domain *domain, uint32_t opnum, diff -Nru samba-4.22.6+dfsg/source4/setup/named.conf.dlz samba-4.22.8+dfsg/source4/setup/named.conf.dlz --- samba-4.22.6+dfsg/source4/setup/named.conf.dlz 2025-02-06 13:31:55.560154700 +0300 +++ samba-4.22.8+dfsg/source4/setup/named.conf.dlz 2026-02-19 12:46:34.649000600 +0300 @@ -30,8 +30,8 @@ # For BIND 9.16.x ${BIND9_16} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_16.so"; - # - # For BIND 9.18.x + + # For BIND 9.18.x and 9.20.x ${BIND9_18} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_18.so"; };
