[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.22] 32 commits: VERSION: Bump version up to Samba 4.22.4...
Michael Tokarev (@mjt)
gitlab at salsa.debian.org
Thu Aug 21 18:39:52 BST 2025
Michael Tokarev pushed to branch upstream_4.22 at Debian Samba Team / samba
Commits:
ef1a5896 by Jule Anger at 2025-07-07T18:16:50+02:00
VERSION: Bump version up to Samba 4.22.4...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
69cccd4c by Jule Anger at 2025-07-17T09:47:19+00:00
WHATSNEW: fix typo
Found by script/codespell.sh.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
f186da9f by Aleksandr Sharov at 2025-07-17T10:48:14+00:00
Add check for the GPO link to have at least two attributes separated by semicolumn. Allows to handle empty links.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15877
RN: Fix handling of empty GPO link
Singed-off-by: Alex Sharov (kororland at gmail.com)
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Jul 10 18:55:33 UTC 2025 on atb-devel-224
(cherry picked from commit 44ee31c0258b0afb3d3f2ce17942cc86e308a690)
Autobuild-User(v4-22-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-22-test): Thu Jul 17 10:48:14 UTC 2025 on atb-devel-224
- - - - -
e119cb0b by Ralph Boehme at 2025-07-21T09:30:29+00:00
libads: fix get_kdc_ip_string() ...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15881
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Mon Jul 7 16:46:29 UTC 2025 on atb-devel-224
(cherry picked from commit 88572cc8f629a737a1d5b33d5800f3692895233f)
Autobuild-User(v4-22-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-22-test): Mon Jul 21 09:30:29 UTC 2025 on atb-devel-224
- - - - -
f7b28aa9 by Stefan Metzmacher at 2025-08-07T12:53:16+00:00
s3:conncache: improve debugging for the negative connection cache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 613ac83fb7666f5b132187d5587053e0d7dcd46d)
- - - - -
48ce6782 by Stefan Metzmacher at 2025-08-07T12:53:16+00:00
winbindd: always use winbind_add_failed_connection_entry() wrapper
We should not use add_failed_connection_entry() directly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 7fed75c495ead8f476c805b91cc6624ebf933427)
- - - - -
04c938d8 by Stefan Metzmacher at 2025-08-07T12:53:16+00:00
winbindd: blacklist servers returning ACCESS_DENIED/authoritative=0
https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit ce80451f3af4418d1c83be009b58b3824c071cae)
- - - - -
213af0ed by Stefan Metzmacher at 2025-08-07T12:53:16+00:00
s3:libads: let cldap_ping_list() check for a blacklisted server name
If we black listed a server we should not use it even if
it responses to CLDAP requests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Pair-Programmed-With: Ralph Boehme <slow at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 08c8760ad9706b62755e35acaa121647344a4c9e)
- - - - -
a77d376a by Stefan Metzmacher at 2025-08-07T12:53:16+00:00
s3:libads: let get_kdc_ip_string() check for a blacklisted server name
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 63051a2dcbe3a4a07f029e0c18aa90bd3f56b0a4)
- - - - -
10c00de2 by Ralph Boehme at 2025-08-07T12:53:16+00:00
s3/libads: get rid of additional loop calling add_failed_connection_entry()
Just call add_failed_connection_entry() in the initial loop at all places where
we have a "bad" result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit a397801598eef4b0381a64a37af1845e9e85a50f)
- - - - -
02080bdb by Ralph Boehme at 2025-08-07T12:53:17+00:00
libads: check for if DCs are in paused state when processing CLDAP replies
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit d3000d7df09de724694aa0682b9750b8c7767514)
- - - - -
a7eaa61f by Ralph Boehme at 2025-08-07T12:53:17+00:00
s3/libsmb: check command in make_dc_info_from_cldap_reply()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 5217bd1a2334825fed32f40c57f72464d126aac0)
- - - - -
4a05b06b by Ralph Boehme at 2025-08-07T13:50:32+00:00
s3/libsmb: check the negative-conn-cache in resolve_ads()
This way we throw away blacklisted servers right away when learning about them
from the DNS SRV query.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Wed Jul 30 10:10:21 UTC 2025 on atb-devel-224
(cherry picked from commit c1ee6fe9a489a8923d607e14d26768935a398849)
Autobuild-User(v4-22-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-22-test): Thu Aug 7 13:50:32 UTC 2025 on atb-devel-224
- - - - -
b17dec31 by Günther Deschner at 2025-08-11T06:56:08+00:00
s3-selftest: add tests for "net ads kerberos" commands
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 18d0574a0fe4b5fd468f949cfaa507ab4519c9e6)
- - - - -
25f5debf by Günther Deschner at 2025-08-11T06:56:08+00:00
s3-net: fix "net ads kerberos" krb5ccname handling
We can only rely on KRB5CCNAME being set, --use-krb5-ccname content is
not available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Thu Jul 24 17:31:14 UTC 2025 on atb-devel-224
(cherry picked from commit 8a97afdae788e8d10a51035f8b287dc00293f90d)
- - - - -
fe8eafc2 by Pavel Filipenský at 2025-08-11T06:56:08+00:00
s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC
server role ROLE_IPA_DC (introduced in e2d5b4d) needs special handling
in dcip_check_name(). We should resolve the DC name using:
- CLDAP in dcip_check_name_ads()
instead of:
- NETBIOS in nbt_getdc() that fails if Windows is not providing netbios.
The impacted environment has:
domain->alt_name = example.com
domain->active_directory = 1
security = USER
server role = ROLE_IPA_DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Pair-programmed-with: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 4921c3304e5e0480e5bb80a757b3f04b3b92c3b1)
- - - - -
d14fa6eb by Pavel Filipenský at 2025-08-11T06:56:09+00:00
docs-xml: Make smb.conf 'server role' value consistent with ROLE_IPA_DC in libparam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit d88268102ade07fab345e04109818d97d8843a14)
- - - - -
00adb310 by Pavel Filipenský at 2025-08-11T06:56:09+00:00
s3:netlogon: IPA DC is the PDC as well - allow ROLE_IPA_DC in _netr_DsRGetForestTrustInformation()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1dbafcc4e4ff8f39af5ca737b30e9821413dd1f2)
- - - - -
33647976 by Pavel Filipenský at 2025-08-11T07:53:47+00:00
s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in gensec
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Aug 5 14:51:51 UTC 2025 on atb-devel-224
(cherry picked from commit a4dff82e45308db3ccabac2a55c03d52f04d7b4d)
Autobuild-User(v4-22-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-22-test): Mon Aug 11 07:53:47 UTC 2025 on atb-devel-224
- - - - -
af6d23f9 by Srinivas Rao V at 2025-08-14T12:32:46+00:00
smbd: fix mode being sent to possibly_set_archive
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15880
possibly_set_archive is being passed smb_fname->st.st_ex_mode.
Inside the function same variable is getting assigned to itself.
Fixed this to send unx_mode to possibly_set_archive.
Signed-off-by: Srinivas Rao V <Srinivas.Rao.V at ibm.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Fri Jul 18 22:25:05 UTC 2025 on atb-devel-224
(cherry picked from commit 1d1acebf01902bef3a9ccae23c3be4cacbb777b2)
Autobuild-User(v4-22-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-22-test): Thu Aug 14 12:32:46 UTC 2025 on atb-devel-224
- - - - -
5f93ef72 by Volker Lendecke at 2025-08-21T08:58:34+00:00
ctdb: Fix a stuck cluster lock holder after a delayed leader bcast
If a delayed broadcast by a previous cluster lock holder arrives, the
new legitimate leader will accept this without questioning in
leader_handler(). Without this patch rec->leader will never be
overwritten, and because rec->pnn != rec->leader we'll also never send
out fresh leader broadcasts. And because we hold the cluster lock,
nobody else can step up.
Fix this in the next round of leader broadcast timeout.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15892
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Thu Aug 7 02:59:20 UTC 2025 on atb-devel-224
(cherry picked from commit 1a7cfd93432a227a972b34e1eb844134173be7b0)
Autobuild-User(v4-22-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-22-test): Thu Aug 21 08:58:34 UTC 2025 on atb-devel-224
- - - - -
a35b91ff by Rabinarayan Panigrahi at 2025-08-21T14:11:46+00:00
vfs_virsufilter: Fix the invocation of SMB_VFS_NEXT_CONNECT
virusfilter is failing if path is defined for virusfilter:quarantine
as next module is not initialized by mean time. So rearranged invocation
of SMB_VFS_NEXT_CONNECT call
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15663
Signed-off-by: Rabinarayan Panigrahi <rapanigr at redhat.com>
Reviewed-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Anoop C S <anoopcs at samba.org>
Autobuild-Date(master): Mon Jul 21 11:28:12 UTC 2025 on atb-devel-224
(cherry picked from commit 605d4d065cd5951385a744230cf7f159468c02a2)
- - - - -
58aa90b3 by Volker Lendecke at 2025-08-21T14:11:46+00:00
vfs: Fix vfs_streams_depot's fstatat
a24c7d566f2 does not cover subdirectories
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15816
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Feb 26 09:00:34 UTC 2025 on atb-devel-224
(cherry picked from commit 125862c617efae6926c91acae44206f29e61b148)
- - - - -
e4420f35 by Ralph Boehme at 2025-08-21T14:11:46+00:00
tldap: use tevent_req_set_endtime() to terminate LDAP searches
Needed to detect unresponsive LDAP servers, otherwise we might be sitting up to
924.6 seconds after sending a request before the kernel notifies us of a broken
connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15844
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 4e79fe13325385ef4fe37baeec8656c9b332de19)
- - - - -
5e685641 by Ralph Boehme at 2025-08-21T14:11:46+00:00
idmap_ad: add and use ldap_timeout and fix LDAP server failover
The key parts are:
1. If an LDAP search fails with the hardcoded fatal error, remove the
retry. That would only retry the query against the same server, taken
from the DCINFO cache key. Instead, force a DC rediscovery.
2. Set a default ldap_timeout and pass it to tldap_search(). This
avoids tldap_search() hanging forever on a stale TCP connection.
3. The LDAP server idmap_ad is using is not necessarily the same DC
we're using for RPC, so in case we learn about a dead DC, put it in
the negative-conn-cache.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15844
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 4d69ec473b7be763399c9787eda8e659a1582184)
- - - - -
0a1f0d01 by Ralph Boehme at 2025-08-21T14:11:46+00:00
libads: reverse termination condition in netlogon_pings_done()
No change in behaviour, prepares for upcoming change and minimizes its diff.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15844
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 6643d1fb3375903e2857e5bff33b39a4562c5a4d)
- - - - -
4725af8a by Ralph Boehme at 2025-08-21T14:11:46+00:00
libads: change netlogon_pings() behaviour wrt to min_servers parameter
Currently if a caller passes min_servers=X with X>1, netlogon_pings() will fail
if it can't contact X DCs. This is not really what we want. What we want is: we
want at least one DC, and up to X.
Change implemenentation in that sense and rename the min_servers argument to
wanted_servers to express this behaviour change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15844
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Wed Aug 13 19:31:10 UTC 2025 on atb-devel-224
(cherry picked from commit 85dd55a5fef0049660126bdcd48abfa1c48da259)
- - - - -
8f00ba25 by Ralph Boehme at 2025-08-21T14:11:46+00:00
libads: fix get_kdc_ip_string()
Correctly handle the interaction between optionally passed in DC via
pss and DC lookup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 23f100f67c0586a940e91e9e1e6f42b804401322)
- - - - -
a31301e4 by Ralph Boehme at 2025-08-21T15:08:53+00:00
winbindd: use find_domain_from_name_noinit() in find_dns_domain_name()
Avoid triggering a connection to a DC of a trusted domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 9ad2e59a464bb472da2071c61a254547b6497625)
Autobuild-User(v4-22-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-22-test): Thu Aug 21 15:08:53 UTC 2025 on atb-devel-224
- - - - -
99b0baad by Jule Anger at 2025-08-21T17:21:11+02:00
WHATSNEW: Add release notes for Samba 4.22.4.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
356fafd5 by Jule Anger at 2025-08-21T17:21:11+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.22.4 release.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
021db3d9 by Michael Tokarev at 2025-08-21T19:19:19+03:00
New upstream version 4.22.4+dfsg
- - - - -
35 changed files:
- VERSION
- WHATSNEW.txt
- ctdb/server/ctdb_recoverd.c
- docs-xml/smbdotconf/security/serverrole.xml
- python/samba/gp/gpclass.py
- selftest/knownfail
- source3/lib/tldap.c
- source3/libads/cldap.c
- source3/libads/kerberos.c
- source3/libads/ldap.c
- source3/libads/netlogon_ping.c
- source3/libads/netlogon_ping.h
- source3/libsmb/conncache.c
- source3/libsmb/dsgetdcname.c
- source3/libsmb/namequery.c
- source3/modules/vfs_streams_depot.c
- source3/modules/vfs_virusfilter.c
- source3/rpc_server/netlogon/srv_netlog_nt.c
- + source3/script/tests/test_net_ads_kerberos.sh
- source3/selftest/tests.py
- source3/smbd/open.c
- source3/utils/net.c
- source3/utils/net.h
- source3/utils/net_ads.c
- source3/utils/ntlm_auth.c
- source3/winbindd/idmap_ad.c
- source3/winbindd/wb_queryuser.c
- source3/winbindd/wb_sids2xids.c
- source3/winbindd/wb_xids2sids.c
- source3/winbindd/winbindd_cm.c
- source3/winbindd/winbindd_pam.c
- source3/winbindd/winbindd_proto.h
- source3/winbindd/winbindd_util.c
- source4/libnet/libnet_site.c
- source4/torture/rpc/lsa.c
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/de20e0b7c9259273c993a3ba23de26ed60bcc25c...021db3d94bdce48aab41b1b92aee9b392c80d945
--
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/de20e0b7c9259273c993a3ba23de26ed60bcc25c...021db3d94bdce48aab41b1b92aee9b392c80d945
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20250821/047316fe/attachment-0001.htm>
More information about the Pkg-samba-maint
mailing list