[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.24] 52 commits: VERSION: Bump version up to Samba 4.24.0rc2...
Michael Tokarev (@mjt)
gitlab at salsa.debian.org
Wed Mar 18 11:50:25 GMT 2026
Michael Tokarev pushed to branch upstream_4.24 at Debian Samba Team / samba
Commits:
ab68cd21 by Björn Jacke at 2026-01-22T15:13:08+00:00
VERSION: Bump version up to Samba 4.24.0rc2...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Björn Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
- - - - -
66924b3b by John Mulligan at 2026-01-22T15:13:08+00:00
WHATSNEW: add ceph_new fscrypt note
Signed-off-by: John Mulligan <jmulligan at redhat.com>
Reviewed-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Shachar Sharon <ssharon at redhat.com>
- - - - -
20980f69 by Michael Tokarev at 2026-01-22T15:13:08+00:00
printing: Fix compilation error for native 32-bit time_t
commit#e9a7dce599eb12d broke samba compilation for 32-bit time_t.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15976
Used correct pointer type to fix the warning to fix compialtion.
Pair-Programmed-With: Vinit Agnihotri <vagnihot at redhat.com>
Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>
Signed-off-by: Vinit Agnihotri <vagnihot at redhat.com>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Jan 21 19:23:29 UTC 2026 on atb-devel-224
- - - - -
425504a0 by Pavel Filipenský at 2026-01-22T15:13:08+00:00
s3:libads: Reset ads->config.flags in ads_disconnect()
This is doing the same thing in ads_disconnect() as commit
a26f535 Clear previous CLDAP ping flags when reusing the ADS_STRUCT
did in ads_current_time()
In this case we:
1) found cached ADS_STRUCT which already has ads->config.flags set:
lookup_groupmem()
ads_cached_connection()
ads_cached_connection_reuse()
2) started search which immediately timeouts (the cached conn. was dead)
ads_do_search_retry_internal()
ldap_search_with_timeout() - IO_TIMEOUT
3) Retry loop finds a new DC and tries to connect
ads_do_search_retry_internal()
ads_disconnect()
ads_find_dc()
ads_try_connect()
netlogon_pings()
check_cldap_reply_required_flags()
4) check_cldap_reply_required_flags() fails since ads->config.flags
(stored possibly long time ago) contain:
NBT_SERVER_CLOSEST 0x00000080
which is misinterpreted as:
DS_PDC_REQUIRED 0x00000080
the newly found DC is not PDC (we asked for DS_ONLY_LDAP_NEEDED)
and since previous DC had NBT_SERVER_CLOSEST we want DS_PDC_REQUIRED
and fail.
We should anyway avoid mixing independent namespaces NBT_* and DS_*
in the same flag.
Next commit will do that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 9f3a35991feb01a8d2c2b69fa0b914bbc637a809)
- - - - -
9de3dbfe by Pavel Filipenský at 2026-01-22T16:16:45+00:00
s3:libads: Separate use of ads->config.flags for NBT_* and DS_* values
Use of ads->config.flags is overloaded.
It is used to:
- pass DS_* flags down to cldap_netlogon()
- store the server_type from NETLOGON_SAM_LOGON_RESPONSE
Both cases use different values and cannot be combined.
E.g. flags mess up with value 0x00000080
NBT_SERVER_CLOSEST 0x00000080
DS_PDC_REQUIRED 0x00000080
Let's create two separate flags
nbt_server_type server_flags; /* NBT_* cldap flags identifying the services. */
uint32 required_flags; /* DS_* - Netlogon flags */
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Thu Jan 22 09:14:25 UTC 2026 on atb-devel-224
(cherry picked from commit 7483903575eab97773a992149d64511d5ec6f256)
Autobuild-User(v4-24-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-24-test): Thu Jan 22 16:16:45 UTC 2026 on atb-devel-224
- - - - -
df0fd8da by Martin Schwenke at 2026-01-31T10:31:22+00:00
docs-xml:smb.conf: Fix "ctdbd socket" documentation
This has been wrong for a very long time. I only noticed it just
now... :-(
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15977
Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Thu Jan 22 23:06:20 UTC 2026 on atb-devel-224
(cherry picked from commit 8c458675c10bfda66fb86c5ed67d1d6d0cbbaedf)
Autobuild-User(v4-24-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-24-test): Sat Jan 31 10:31:22 UTC 2026 on atb-devel-224
- - - - -
03fe9902 by Samuel Cabrero at 2026-02-04T15:13:10+00:00
s3:rpc_client: Fix memory leak opening local named pipe
If no local server name was passed to rpc_pipe_open_local_np() then
get_myname() was called with NULL talloc context instead of the
current stackframe.
This was causing an increase of memory usage on busy servers with long-living
rpcd_* workers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Jan 27 10:13:40 UTC 2026 on atb-devel-224
(cherry picked from commit 24dc455362fb49ef81c99d95880e106a234ce29a)
- - - - -
ef9bde01 by Noel Power at 2026-02-04T15:13:10+00:00
s3/printing: Fix leaked mem ctx returned from talloc_new
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
(cherry picked from commit 5ba76344ef807577ea1fd4265d585285eb633971)
- - - - -
24174887 by Noel Power at 2026-02-04T16:18:26+00:00
s3/printing: Fix leaking parsed options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Fri Jan 30 11:09:44 UTC 2026 on atb-devel-224
(cherry picked from commit 22021dbfa7a94007a511d05f25e49ab73dacbcf5)
Autobuild-User(v4-24-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-24-test): Wed Feb 4 16:18:26 UTC 2026 on atb-devel-224
- - - - -
057af8b9 by Björn Jacke at 2026-02-06T10:23:32+01:00
WHATSNEW: Add release notes for Samba 4.24.0rc2.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
56028c75 by Björn Jacke at 2026-02-06T10:28:18+01:00
VERSION: Disable GIT_SNAPSHOT for the upcoming release.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
258392a6 by Björn Jacke at 2026-02-06T10:30:46+01:00
VERSION: Bump version up to Samba 4.24.0rc3...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Björn Jacke <bjacke at samba.org>
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
10bd9b65 by Pavel Filipenský at 2026-02-07T15:11:13+00:00
s3:utils: 'net ads kerberos kinit' should use also default ccache name from krb5.conf
This is re-introducing the behavior from samba-4.20 where both these
commands operated on the same ccache (default_ccache_name in
[libdefaults] section of krb5.conf)
'net ads kerberos kinit -P'
'klist'
With samba-4.21 it no longer works, 'net ads kerberos kinit -P'
fallbacks to 'MEMORY:net' (which is of a very limited use, ticket
cannot be used by other process) and klist finds no ticket.
The order is changed from:
--use-krb5-ccache
env "KRB5CCNAME"
"MEMORY:net"
to ("MEMORY:net" is removed):
--use-krb5-ccache
env "KRB5CCNAME"
default_ccache_name
'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials.
Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name()
because of commit:
1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4cc6a13590434f6a3aa1add663728188970d727e)
- - - - -
0dd92538 by Pavel Filipenský at 2026-02-07T15:11:13+00:00
manpages: Update NET ADS KERBEROS KINIT manpage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Thu Feb 5 21:11:13 UTC 2026 on atb-devel-224
(cherry picked from commit 9d083a28fe45afd8f82441c6e24255e4c64c113b)
- - - - -
0a6726fb by Andreas Schneider at 2026-02-07T16:14:24+00:00
s3:libads: Set NT_STATUS_UNSUCCESSFUL for IP address entry
This is what we do in libads/ldap.c too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15975
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
(cherry picked from commit 9e1bcf84d8a8386fb00aedf88e71b28504e449b4)
Autobuild-User(v4-24-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-24-test): Sat Feb 7 16:14:24 UTC 2026 on atb-devel-224
- - - - -
7e6a040a by Michael Tokarev at 2026-02-07T21:25:43+03:00
New upstream version 4.24.0~rc2+dfsg
- - - - -
bccbfb8a by Ralph Boehme at 2026-02-23T14:12:09+00:00
smbd: in contend_dirleases() don't bother checking when not enabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15984
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Martin Schwenke <martins at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Jan 26 12:09:13 UTC 2026 on atb-devel-224
(cherry picked from commit f11bce483a6403d9ed250c874105248c8e9782e2)
- - - - -
82670156 by Douglas Bagnall at 2026-02-23T14:12:09+00:00
build: allow `./configure _foo=x` to work like FOO=x
OpenWRT passes arguments like '_python_sysroot=x' after the './configure',
which it expects to work as if the occurred before the './configure'
-- that is, setting environment variables (let's assume its build
system is necessarily complex due to all the cross-compiles).
This used to work (or at least not cause a failure return code) until
the upgrade to waf 2.1.5 or 2.1.6 in mid-2025, when waf started using
the argparse parser.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15990
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Wed Feb 18 00:00:30 UTC 2026 on atb-devel-224
(cherry picked from commit bd66dc2418318716083bf40e447f9815b199fc25)
- - - - -
fd5d2631 by Jennifer Sutton at 2026-02-23T14:12:09+00:00
CVE-2026-20833: python:tests: Set secure channel type for test credentials
This will ensure that we use the correct salting algorithm for AES when we
authenticate using gensec.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998
Signed-off-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 5849c0c32810af1a10287afd02b990dde0f351d6)
- - - - -
f411cb87 by Jennifer Sutton at 2026-02-23T14:12:09+00:00
CVE-2026-20833: selftest: Avoid renaming ‘testallowed_account’
cli_credentials_get_keytab() uses the sAMAccountName to calculate the salt via
cli_credentials_get_salt_principal(). Changing the sAMAccountName means that
cli_credentials_get_keytab() will generate AES Kerberos keys using the wrong
salt, and gensec authentication will fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998
Signed-off-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit dc9f690b3810e8c965a0602c8a25a1e83129702c)
- - - - -
0ba5ab0e by Jennifer Sutton at 2026-02-23T14:12:09+00:00
CVE-2026-20833: s4:kdc: Make default domain supported enctypes AES by default
If AES keys are available in the domain, assume that service accounts support
AES by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998
Signed-off-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 802649fa35ed37de69f6ca0593a39399575ac6e4)
- - - - -
7824f15b by Jennifer Sutton at 2026-02-23T14:12:09+00:00
CVE-2026-20833: WHATSNEW: Document new default for ‘kdc default domain supported enctypes’
Signed-off-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Wed Feb 18 01:52:23 UTC 2026 on atb-devel-224
(backported from commit 46a7952880d3b8ad20a718f587435371fa31d327)
[jsutton at samba.org: Fixed conflict in WHATSNEW.txt]
- - - - -
3ab52bf5 by Martin Schwenke at 2026-02-23T14:12:09+00:00
ctdb-tests: Update statd-callout unit test infrastructure
Don't cheat. Keep some state about what is happening, similar to what
statd_callout and statd_callout_helper are expected to keep. This
means hinting arguments to check_shared_storage_statd_state() and
check_statd_callout_smnotify() can be dropped.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15939
Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit 85afee0a83dd2f70b90cff4c1e21b865640261fb)
- - - - -
e1bf06d0 by Peter Schwenke at 2026-02-23T14:12:09+00:00
ctdb-scripts: Only send notifies for newly taken IPs
We no longer delete shared state (and send notifies) for
IPs previously held by the current node. The NFS lock manager
won't have released locks for these IPs, so won't generate
SM_MON on reclaim attempts. Therefore, there will be
no add-client to put them back.
We now record newly taken IP addresses in takeip,
and only send notifies for those during
ipreallocated. The extra notifies were also confusing
statd.
Update existing tests to always simulate taking all of a node's IPs.
This causes no output changes.
Test updates confirm the subtleties of the statd_callout_helper
behaviour change. These pretend to only take a single IP, so
SM_NOTIFY must not be sent for other IPs. Shared state should
remain for these other files.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15939
Signed-off-by: Peter Schwenke <pschwenke at ddn.com>
Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit e4914e6a4f1cb77eebf86c5ab3f241c2a9e5bd05)
- - - - -
386b73b5 by Peter Schwenke at 2026-02-23T14:12:09+00:00
ctdb-failover: Add sm-notify to statd_callout
sm-notify is required when an NFS client reboots.
rpc-statd on the client will send an sm-notify to
rpc-statd on the NFS sever.
Add a test case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15938
Signed-off-by: Peter Schwenke <pschwenke at ddn.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Anoop C S <anoopcs at samba.org>
Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Wed Feb 18 12:29:16 UTC 2026 on atb-devel-224
(cherry picked from commit 7c5ce115f2c11e5a2dd326238f08bc5e7c10641c)
- - - - -
716a9dd9 by Noel Power at 2026-02-23T14:12:09+00:00
selftest: Update tests to use --use-kereros=desired|required no creds
Add tests to call smbclient without passing credentials to
demonstrate failure with --use-kereros=desired
Also add knownfail
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit a22af9420965083b99b956477d1833000b7f2414)
- - - - -
b81c865e by Noel Power at 2026-02-23T14:12:09+00:00
auth/credentials: Fix regression with --use-kerberos=desired for smbclient
As part of the gse_krb5 processing the following call chain
gensec_gse_client_start()
---> gensec_kerberos_possible()
---> cli_credentials_authentication_requested()
gensec_kerberos_possible() will always fail when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
It seems since use kerberos == desired is the default that it isn't
necessary to see if credentials were modified to indicated authentication
was requested. gensec_kerberos_possible() should afaics return true
if kerberos is desired OR required (regardless of whether credentials
were requested)
This commit removes the knownfail associated with this bug.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 88f42eb222f299189d5f5f8204ae353e63a50970)
- - - - -
bbc1d2a3 by Noel Power at 2026-02-23T14:12:09+00:00
s3/libsmb: cli_session_creds_init fails when kerberos is desired
There is a regression with code using cli_session_creds_init when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
Authentication succeeds when boolean fallback_after_kerberos is false
and fails when true.
There doesn't seem to be a good reason why the value of
fallback_after_kerberos should initialise the krb5 ccache or not.
It would seems that krb5 cache should be setup for creds
for *any* kerberos auth (whether fallback is enabled or not)
Partial patch from <will69 at gmx.de> (see bug referenced below)
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1c48599105736499d18aa1f647bce9e1f8dbdcca)
- - - - -
005b8a1f by Noel Power at 2026-02-23T14:12:09+00:00
s3/libsmb: block anon authentication fallback is use-kerberos = desired
When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED
libsmbclient method SMBC_server_internal will still try to fallback to
anon NTLM. This patch prevents that.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224
(cherry picked from commit bc868800276fe09cbcb206ebe4cb4da32af7599f)
- - - - -
a296e71d by Ralph Boehme at 2026-02-23T15:20:15+00:00
selftest: mark "smb2.lease.rename_dir_openfile" as flapping
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15978
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Björn Jacke <bjacke at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Feb 23 12:37:28 UTC 2026 on atb-devel-224
(cherry picked from commit 437436832fdddfda692fac01452ad7bc4a0b6e3d)
Autobuild-User(v4-24-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-24-test): Mon Feb 23 15:20:15 UTC 2026 on atb-devel-224
- - - - -
9261febb by Björn Jacke at 2026-02-23T16:41:56+01:00
Add release notes for Samba 4.24.0rc3.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
716494fe by Björn Jacke at 2026-02-23T16:56:33+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.24.0.rc4 release.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
fa0fe97f by Björn Jacke at 2026-02-23T16:58:00+01:00
VERSION: Bump version up to Samba 4.24.0rc4...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
4c548c26 by Björn Jacke at 2026-02-23T17:01:32+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.24.0.rc3 release.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
2da23af9 by Gary Lockyer at 2026-03-13T12:53:12+00:00
s4:kdc:db-glue altSecurityIdentities DN and serial reversed
When altSecurityIdentities is set by RSAT / ADUC they store the
Issuer and Subject DN in last to first order i.e.
CN=Common Name, O=Organization, C=Country
Need to reverse that to first to last order, i.e.
C=Country, O=Organization, CN=Common name
Which is how they're stored on the X509 certificates.
Also the serial number is stored in reverse order.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
(cherry picked from commit 580051e5686d9a26d2502eb969f7a80e13519afb)
- - - - -
9a32efbc by Gary Lockyer at 2026-03-13T12:53:12+00:00
s4:kdc:db-glue:tests free principal
Call krb5_free_principal to quiet valgrind leak reports
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
(cherry picked from commit fb16086ba44ad1943ec6796c8d607ed4c37eb064)
- - - - -
17ee299e by Gary Lockyer at 2026-03-13T12:53:12+00:00
test:heimdal:pkinit fixes for SHA1-PUKEY calculation
The SHA1 hash for KB5014754 SHA1-PUKEY is calculate over the entire
certificate not just the public key.
BUG https://bugzilla.samba.org/show_bug.cgi?id=16001
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
(cherry picked from commit 76bf9214239759169ff4688b035c3f531e0db1bc)
- - - - -
87f4579c by Gary Lockyer at 2026-03-13T12:53:12+00:00
third_party:heimdal: import lorikeet-heimdal-202602190236
commits: 4223f36655031fd13ad3b0bedbc937dd9ba40c8d
1a9371036d4baa7da50e9260e411eefa6cee0811
53f5f685a474413d009249ecd7750399737dcd39
Action upstream feedback on KB5014754 changes.
pkinit:match_name Implement 3.1.5.2.1.3 Explicit Mapping
Calculate hash for KB5014754 SHA1-PUKEY over entire certificate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>
Autobuild-User(master): Jennifer Sutton <jsutton at samba.org>
Autobuild-Date(master): Mon Feb 23 21:18:57 UTC 2026 on atb-devel-224
(cherry picked from commit 3d4d7f3cb88180b205c67a6ca66373fe1fb6851e)
- - - - -
9ea92994 by Volker Lendecke at 2026-03-13T12:53:12+00:00
rpc: Don't offer spoolss RPC with "disable spoolss = yes"
Bug: https://bugzilla.samba.org/show_bug.cgi?id=16019
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Mar 13 09:00:05 UTC 2026 on atb-devel-224
(cherry picked from commit 8497fb05d8d9c082b7ba318844970f0b3227aff9)
- - - - -
5abe6ef4 by Avan Thakkar at 2026-03-13T12:53:12+00:00
vfs_aio_ratelimit: introduce burst-aware token bucket model
Refactor the rate limiter to use a continuous token-bucket model with
configurable burst multiplier. This replaces the older time-window and
delay_max logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16000
Signed-off-by: Avan Thakkar <athakkar at redhat.com>
Reviewed-by: Shweta Sodani <ssodani at redhat.com>
Reviewed-by: Shachar Sharon <ssharon at redhat.com>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit f6a67c361bcb0d9f4a7f451dcfda800775b5be13)
- - - - -
c025dfa0 by Avan Thakkar at 2026-03-13T12:53:12+00:00
vfs_aio_ratelimit: Add per-share TDB persistence for local rate limiter state
Introduce local TDB storage for saving and restoring ratelimiter state
(iops_tokens, bytes_tokens, last timestamp). Each share now persists
its read/write limiter state under aio_ratelimit.tdb.
Added VERSION pseudo-key for schema versioning
On disconnect, save the latest state and close TDB.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16000
Signed-off-by: Avan Thakkar <athakkar at redhat.com>
Reviewed-by: Shweta Sodani <ssodani at redhat.com>
Reviewed-by: Shachar Sharon <ssharon at redhat.com>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit 306612e09c082282f39789c426ea85cc7e2bb6e3)
- - - - -
50865f5d by Avan Thakkar at 2026-03-13T12:53:12+00:00
vfs_aio_ratelimit: support human-readable bandwidth limits
Allow read_bw_limit and write_bw_limit to be specified using
size suffixes (K/M/G/T).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16000
Signed-off-by: Avan Thakkar <athakkar at redhat.com>
Reviewed-by: Shweta Sodani <ssodani at redhat.com>
Reviewed-by: Shachar Sharon <ssharon at redhat.com>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit d6332b2caf03e4fcbed0a67208251a27601c527d)
- - - - -
e323eb43 by Avan Thakkar at 2026-03-13T12:53:12+00:00
docs-xml/manpages: update doc to add burst_mult parameters
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16000
Signed-off-by: Avan Thakkar <athakkar at redhat.com>
Reviewed-by: Shweta Sodani <ssodani at redhat.com>
Reviewed-by: Shachar Sharon <ssharon at redhat.com>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit 9b54d8beaefd9b835b971dd0370d3a1f198121d8)
- - - - -
417ddbe6 by Avan Thakkar at 2026-03-13T13:58:34+00:00
s3:selftest: update aio_ratelimit tests for burst support
- Replace delay_max configuration with burst_mult parameters.
- Add three test cases: basic rate limiting, burst behavior, and recovery
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16000
Signed-off-by: Avan Thakkar <athakkar at redhat.com>
Reviewed-by: Shweta Sodani <ssodani at redhat.com>
Reviewed-by: Shachar Sharon <ssharon at redhat.com>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Anoop C S <anoopcs at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Fri Feb 27 11:52:46 UTC 2026 on atb-devel-224
(cherry picked from commit 83f4b51175cdaa20039de7e823bc4c6a15893628)
Autobuild-User(v4-24-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-24-test): Fri Mar 13 13:58:34 UTC 2026 on atb-devel-224
- - - - -
0e3c6806 by Björn Jacke at 2026-03-18T09:39:14+01:00
WHATSNEW: Add release notes for Samba 4.24.0.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
6443db05 by Björn Jacke at 2026-03-18T09:43:23+01:00
VERSION: Disable GIT_SNAPSHOT for the upcoming release.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
13391c7e by Björn Jacke at 2026-03-18T09:45:29+01:00
VERSION: Bump version up to Samba 4.24.0...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
d10801b6 by Björn Jacke at 2026-03-18T10:33:14+01:00
Revert "VERSION: Bump version up to Samba 4.24.0..."
This reverts commit 13391c7e68db2bf1516653b5621807a634c2a57a.
This was actually wrong and needs to be created again correctly.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
a72387a5 by Björn Jacke at 2026-03-18T10:35:25+01:00
Revert "VERSION: Disable GIT_SNAPSHOT for the upcoming release."
This reverts commit 6443db05ff69696fd51a263151736473ba0988f3.
This was actually wrong and needs to be created again correctly.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
5d0c9129 by Björn Jacke at 2026-03-18T10:36:16+01:00
Merge remote-tracking branch 'origin/v4-24-stable' into v4-24-test
The commit 4c548c2669cfc7dc1c33be914b5a9e75da134697 in v4-24-stable:
VERSION: Disable GIT_SNAPSHOT for the 4.24.0.rc3 release.
was adjusted with git commit --amend
after taking 716494fe2f185b8d6b333a8c6024b8f9d13e082b from v4-24-test:
VERSION: Disable GIT_SNAPSHOT for the 4.24.0.rc4 release.
In order to get the history in sync again this
is a merge using 'git merge -s ours origin/v4-24-stable'
it only links the split commit into the history,
while strategy 'ours' means the content is not changed at all.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
86f97e92 by Björn Jacke at 2026-03-18T10:59:47+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.24.0 release.
Signed-off-by: Bjoern Jacke <bjacke at samba.org>
- - - - -
805a5066 by Michael Tokarev at 2026-03-18T14:16:28+03:00
New upstream version 4.24.0+dfsg
- - - - -
54 changed files:
- VERSION
- WHATSNEW.txt
- auth/gensec/gensec_util.c
- buildtools/wafsamba/samba_utils.py
- ctdb/config/events/legacy/60.nfs.script
- ctdb/failover/statd_callout.c
- ctdb/tests/UNIT/eventscripts/scripts/statd-callout.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.001.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.002.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.004.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.005.sh
- ctdb/tests/UNIT/eventscripts/statd-callout.006.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.008.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.050.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.108.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.150.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.208.sh
- + ctdb/tests/UNIT/eventscripts/statd-callout.250.sh
- ctdb/tools/statd_callout_helper
- docs-xml/manpages/net.8.xml
- docs-xml/manpages/vfs_aio_ratelimit.8.xml
- docs-xml/smbdotconf/misc/ctdbdsocket.xml
- docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
- lib/replace/replace.h
- python/samba/tests/blackbox/claims.py
- python/samba/tests/krb5/etype_tests.py
- python/samba/tests/krb5/kdc_base_test.py
- python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
- script/autobuild.py
- + selftest/flapping.d/smb2.lease
- selftest/knownfail_mit_kdc.d/etype
- selftest/target/Samba3.pm
- selftest/target/Samba4.pm
- source3/libads/kerberos.c
- source3/libads/ldap.c
- source3/librpc/idl/ads.idl
- source3/libsmb/cliconnect.c
- source3/libsmb/libsmb_server.c
- source3/libsmb/namequery_dc.c
- source3/modules/vfs_aio_ratelimit.c
- source3/printing/print_cups.c
- source3/printing/printing.c
- source3/rpc_client/cli_pipe.c
- source3/rpc_server/rpcd_spoolss.c
- source3/script/tests/test_aio_ratelimit.sh
- source3/script/tests/test_smbclient_kerberos.sh
- source3/smbd/smb2_oplock.c
- source3/utils/net.c
- source3/winbindd/winbindd_cm.c
- source4/kdc/db-glue.c
- source4/kdc/tests/db-glue-test.c
- third_party/heimdal/kdc/kerberos5.c
- third_party/heimdal/kdc/pkinit.c
- third_party/heimdal/lib/hx509/cert.c
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/505b112de236a66533d238f141b0559247eda716...805a5066aa2023639e450d5836228f9aa01694cb
--
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/505b112de236a66533d238f141b0559247eda716...805a5066aa2023639e450d5836228f9aa01694cb
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20260318/5f971039/attachment-0001.htm>
More information about the Pkg-samba-maint
mailing list