The branch, v4-21-stable has been updated
       via  b901f39a1d0 VERSION: Disable GIT_SNAPSHOT for the 4.21.6 release.
       via  b10e124e280 WHATSNEW: Add release notes for Samba 4.21.6.
       via  bb4d8d322c2 CVE-2025-0620: smbd: smbd doesn't pick up group membership changes when re-authenticating an expired SMB session
       via  7f1fc08c428 ctdb-daemon: Modernise some DEBUGs
       via  3a16697b9b2 ctdb-daemon: Add configuration option shutdown extra timeout
       via  ffe9e620cc9 ctdb-daemon: Run "startipreallocate" event in SHUTDOWN runstate
       via  dbb008703b6 ctdb-daemon: Add configuration option shutdown failover timeout
       via  e7e4b44f372 ctdb-daemon: Add failover on shutdown
       via  72b32a4ee76 ctdb-protocol: Add CTDB server SRVID range
       via  1e773a73529 ctdb-daemon: Avoid aborting during early shutdown
       via  84d23c82272 vfs_ceph_snapshots: Always calculate absolute snapshot path
       via  c7164448f15 vfs_ceph_snapshots: Use full path from dirfsp at smb_fname
       via  8743dd673af lib/krb5_wrap: Fix placement of TALLOC_FREE(frame)
       via  30d13d2c3cc s3:rpc_server: make sure we can bind to the same port on all ip addresses
       via  1da707f1093 vfs: Fix "wide links = yes"
       via  2216a439605 python:gp_cert_auto_enrol: fix GUID stringification
       via  f3b9da3179e samba-tool gpo: better entities check copes with new lines
       via  0b7151d073d samba-tool gpo backup fix --generalize
       via  f5230c26adb pytest: samba-tool gpo: fix has_difference(sortlines=True)
       via  d56d0122642 python:netcmd:gpo: fix crash when updating an MOTD GPO
       via  d1993a4a0e1 pytest: check we can set GPO more than once
       via  7b1d705a7f8 s3:rpc_server/srvsvc: use brl_get_locks_readonly() instead of brl_get_locks()
       via  cb5640df475 smbd: use share_mode_do_locked_brl() in vfs_default_durable_reconnect()
       via  6fdb9f945f4 smbd: use share_mode_do_locked_brl() in vfs_default_durable_disconnect()
       via  a3ccc7507d0 smbd: use share_mode_do_locked_brl() in strict_lock_check_default()
       via  5988e475fa4 smbd: check can_lock in strict_lock_check_default()
       via  343479f944f s3/locking: prepare brl_locktest() for upgradable read-only locks
       via  956ddc96f44 smbd: call locking_close_file() while still holding a glock on the locking.tdb record
       via  0b0064ec211 s3/brlock: remove brl_get_locks_for_locking()
       via  85240e6ae95 smbd: use share_mode_do_locked_brl()
       via  7f8e97c53e8 s3/locking: add brl_set_modified()
       via  3ac1e43d46e s3/brlock: don't increment current_lock_count if do_lock_fn() failed
       via  0d06276060f s3/brlock: add share_mode_do_locked_brl()
       via  5d32acadc9e s3/brlock: add brl_req_set()
       via  b7ef702691e s3/brlock: split out brl_get_locks_readonly_parse()
       via  e83bee64eec smbtorture: add test "open-brlock-deadlock"
       via  f9a71d8c465 dbwrap: check for option "tdb_hash_size:DBNAME.tdb" in db_open()
       via  07b53581ce2 VERSION: Bump version up to Samba 4.21.6...
      from  cc104bd1f42 VERSION: Disable GIT_SNAPSHOT for the 4.21.5 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                    |   2 +-
 WHATSNEW.txt                               |  99 ++++-
 ctdb/conf/ctdb_config.c                    |   8 +
 ctdb/conf/ctdb_config.h                    |   2 +
 ctdb/conf/failover_conf.c                  |  12 +
 ctdb/conf/failover_conf.h                  |   3 +
 ctdb/doc/ctdb.conf.5.xml                   |  50 +++
 ctdb/protocol/protocol.h                   |   7 +
 ctdb/server/ctdb_daemon.c                  | 229 +++++++++++-
 ctdb/server/ctdb_monitor.c                 |  18 +
 ctdb/server/ctdb_takeover.c                |   5 +-
 ctdb/tests/UNIT/cunit/config_test_001.sh   |   2 +
 lib/krb5_wrap/krb5_samba.c                 |   3 +-
 python/samba/gp/gp_cert_auto_enroll_ext.py |  13 +-
 python/samba/netcmd/gpo.py                 |  20 +-
 python/samba/tests/gpo.py                  |   6 +-
 python/samba/tests/samba_tool/gpo.py       |  60 +++-
 source3/lib/dbwrap/dbwrap_open.c           |   5 +
 source3/locking/brlock.c                   | 213 +++++++----
 source3/locking/locking.c                  | 165 ++++-----
 source3/locking/proto.h                    |  35 +-
 source3/modules/vfs_ceph_snapshots.c       |  36 +-
 source3/modules/vfs_fruit.c                |  91 +++--
 source3/modules/vfs_widelinks.c            |  10 +-
 source3/rpc_server/rpc_sock_helper.c       | 114 ++++--
 source3/rpc_server/srvsvc/srv_srvsvc_nt.c  |  12 +-
 source3/smbd/blocking.c                    | 202 ++++++-----
 source3/smbd/close.c                       |  26 +-
 source3/smbd/conn.c                        |   4 +-
 source3/smbd/durable.c                     | 556 ++++++++++++++++-------------
 source3/smbd/proto.h                       |  19 +-
 source3/smbd/smb2_lock.c                   |  77 ++--
 source3/smbd/smb2_reply.c                  |  53 +--
 source4/torture/smb2/lock.c                | 283 +++++++++++++++
 34 files changed, 1743 insertions(+), 697 deletions(-)

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index f0179480db1..68f898ae004 100644 --- a/VERSION +++ b/VERSION 
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=21 -SAMBA_VERSION_RELEASE=5 +SAMBA_VERSION_RELEASE=6 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 873b4ec20df..b8967d54c82 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,99 @@ + ============================== + Release Notes for Samba 4.21.6 + June 03, 2025 + ============================== + + +This is the latest stable release of the Samba 4.21 release series. +It contains the security-relevant bugfix CVE-2025-0620: + + smbd doesn't pick up group membership changes + when re-authenticating an expired SMB session: + https://www.samba.org/samba/security/CVE-2025-0620.html + + +Description of CVE-2025-0620 +----------------------------- + + With Kerberos authentication SMB sessions typically have an + associated lifetime, requiring re-authentication by the + client when the session expires. As part of the + re-authentication, Samba receives the current group + membership information and is expected to reflect this + change in further SMB request processing. + + For historic reasons, Samba maintains a cache of + associations between a user's impersonation information and + connected shares. A recent change in this cache caused Samba + to not reflect group membership changes from session + re-authentication when processing further SMB requests. + + As a result, when an administrator removes a user from a + particular group in Active Directory, this change will not + become effective unless the user disconnects from the server + and establishes a new connection. + + +Changes since 4.21.5 +-------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 15774: Running "gpo manage motd set" twice fails with backtrace. + * BUG 15829: samba-tool gpo backup creates entity backups it can't read. + * BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with + prepended 0's. + +o Ralph Boehme <s...@samba.org> + * BUG 15707: CVE-2025-0620 [SECURITY] smbd doesn't pick up group membership + changes when re-authenticating an expired SMB session. + * BUG 15767: Deadlock between two smbd processes. 
+ +o Pavel Filipenský <pfilipen...@samba.org> + * BUG 15727: net ad join fails with "Failed to join domain: failed to create + kerberos keytab". + +o Andreas Hasenack <andreas.hasen...@canonical.com> + * BUG 15774: Running "gpo manage motd set" twice fails with backtrace. + +o Volker Lendecke <v...@samba.org> + * BUG 15841: Wide link issue in samba 4.22. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15767: Deadlock between two smbd processes. + * BUG 15851: dcerpcd not able to bind to listening port. + +o Anoop C S <anoo...@samba.org> + * BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any + level beyond share root. + +o Martin Schwenke <mschwe...@ddn.com> + * BUG 15858: CTDB does not put nodes running NFS into grace on graceful + shutdown. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.21.5 March 31, 2025 
@@ -74,8 +170,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.21.4 February 17, 2025 diff --git a/ctdb/conf/ctdb_config.c b/ctdb/conf/ctdb_config.c index e3e8cce8d6b..27623a8972a 100644 --- a/ctdb/conf/ctdb_config.c +++ b/ctdb/conf/ctdb_config.c @@ -106,6 +106,14 @@ static void setup_config_pointers(struct conf_context *conf) FAILOVER_CONF_SECTION, FAILOVER_CONF_DISABLED, &ctdb_config.failover_disabled); + conf_assign_integer_pointer(conf, + FAILOVER_CONF_SECTION, + FAILOVER_CONF_SHUTDOWN_EXTRA_TIMEOUT, + &ctdb_config.shutdown_extra_timeout); + conf_assign_integer_pointer(conf, + FAILOVER_CONF_SECTION, + FAILOVER_CONF_SHUTDOWN_FAILOVER_TIMEOUT, + &ctdb_config.shutdown_failover_timeout); /* * Legacy diff --git a/ctdb/conf/ctdb_config.h b/ctdb/conf/ctdb_config.h index 7b588c3cd59..656a99e36bc 100644 --- a/ctdb/conf/ctdb_config.h +++ b/ctdb/conf/ctdb_config.h @@ -43,6 +43,8 @@ struct ctdb_config { /* Failover */ bool failover_disabled; + int shutdown_extra_timeout; + int shutdown_failover_timeout; /* Legacy */ bool realtime_scheduling; diff --git a/ctdb/conf/failover_conf.c b/ctdb/conf/failover_conf.c index 3f9f749fcae..424021b7a22 100644 --- a/ctdb/conf/failover_conf.c +++ b/ctdb/conf/failover_conf.c @@ -50,4 +50,16 @@ void failover_conf_init(struct conf_context *conf) FAILOVER_CONF_DISABLED, false, check_static_boolean_change); + + conf_define_integer(conf, + FAILOVER_CONF_SECTION, + FAILOVER_CONF_SHUTDOWN_EXTRA_TIMEOUT, + 0, + NULL); + + conf_define_integer(conf, + FAILOVER_CONF_SECTION, + FAILOVER_CONF_SHUTDOWN_FAILOVER_TIMEOUT, + 10, + NULL); } diff --git a/ctdb/conf/failover_conf.h b/ctdb/conf/failover_conf.h index d7ac0ac507d..08f5fb8939c 100644 --- a/ctdb/conf/failover_conf.h 
+++ b/ctdb/conf/failover_conf.h @@ -25,6 +25,9 @@ #define FAILOVER_CONF_SECTION "failover" #define FAILOVER_CONF_DISABLED "disabled" +#define FAILOVER_CONF_SHUTDOWN_EXTRA_TIMEOUT "shutdown extra timeout" +#define FAILOVER_CONF_SHUTDOWN_FAILOVER_TIMEOUT "shutdown failover timeout" + void failover_conf_init(struct conf_context *conf); diff --git a/ctdb/doc/ctdb.conf.5.xml b/ctdb/doc/ctdb.conf.5.xml index b9bf3a6d08b..5b2de2b7a07 100644 --- a/ctdb/doc/ctdb.conf.5.xml +++ b/ctdb/doc/ctdb.conf.5.xml @@ -454,6 +454,56 @@ </listitem> </varlistentry> + <varlistentry> + <term>shutdown extra timeout = <parameter>TIMEOUT</parameter></term> + <listitem> + <para> + CTDB will wait for TIMEOUT seconds after failover + completes during shutdown. This can provide extra time + for SMB durable handles to be reclaimed. If set to 0 then + no extra timeout occurs. + </para> + <para> + This timeout only occurs if both of the following + conditions are true: + </para> + <itemizedlist> + <listitem> + <para> + shutdown failover timeout (below) is not 0 + </para> + </listitem> + <listitem> + <para> + Failover during shutdown completes and does not time out + </para> + </listitem> + </itemizedlist> + <para> + Default: <literal>0</literal> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>shutdown failover timeout = <parameter>TIMEOUT</parameter></term> + <listitem> + <para> + CTDB will wait for TIMEOUT seconds for failover to + complete during shutdown. This allows NFS servers on + other nodes to go into grace during graceful shutdown of a + node. Failover during shutdown also helps with SMB + durable handle reclaim. + </para> + <para> + Set this to 0 to disable explicit failover on shutdown. + </para> + <para> + Default: <literal>10</literal> + </para> + </listitem> + </varlistentry> + </variablelist> </refsect1> diff --git a/ctdb/protocol/protocol.h b/ctdb/protocol/protocol.h index c775c4bcc64..ecec0a45891 100644 --- a/ctdb/protocol/protocol.h 
+++ b/ctdb/protocol/protocol.h @@ -234,6 +234,13 @@ struct ctdb_call { #define CTDB_SRVID_TEST_RANGE 0xAE00000000000000LL +/* Range of ports reserved for CTDB server (top 8 bits) + * All ports matching the 8 top bits are reserved for exclusive use by + * the CTDB server + */ +#define CTDB_SRVID_SERVER_RANGE 0x9E00000000000000LL + + enum ctdb_controls {CTDB_CONTROL_PROCESS_EXISTS = 0, CTDB_CONTROL_STATISTICS = 1, /* #2 removed */ diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c index 97dfc80ffd1..25e742961bf 100644 --- a/ctdb/server/ctdb_daemon.c +++ b/ctdb/server/ctdb_daemon.c @@ -23,6 +23,7 @@ #include "system/wait.h" #include "system/time.h" +#include <errno.h> #include <talloc.h> /* Allow use of deprecated function tevent_loop_allow_nesting() */ #define TEVENT_DEPRECATED @@ -41,6 +42,7 @@ #include "ctdb_client.h" #include "protocol/protocol.h" +#include "protocol/protocol_basic.h" #include "protocol/protocol_api.h" #include "common/rb_tree.h" @@ -50,7 +52,9 @@ #include "common/logging.h" #include "common/pidfile.h" #include "common/sock_io.h" +#include "common/srvid.h" +#include "conf/ctdb_config.h" #include "conf/node.h" struct ctdb_client_pid_list { 
@@ -2219,15 +2223,234 @@ done: return ret; } +/* + * Construct a SRVID for accepting replies to this ctdbd. The bottom + * 24 bits of the PNN are used in the top half. extra_mask is used in + * the bottom half. + */ + +static uint64_t ctdb_srvid_id(struct ctdb_context *ctdb, uint32_t extra_mask) +{ + uint64_t pnn_mask = (uint64_t)(ctdb->pnn & 0xFFFFFF) << 32; + + return CTDB_SRVID_SERVER_RANGE | pnn_mask | extra_mask; +} + +/* + * Do a takeover run on shutdown + * + * This allows for a graceful transition of resources to another node. + * This ensures all nodes go into grace for NFS and, with an extra + * timeout, allows data transfer for SMB durable handles. + * + * Nodes need to be in CTDB_RUNSTATE_RUNNING to host public IP + * addresses. So, this node will release all IPs. The good news is + * that a node can remain leader when in CTDB_RUNSTATE_SHUTDOWN, so + * shutting down the cluster will not be adversely delayed by this. + * The only issue to guard against is delaying shutdown of this node + * if it is the only node and doesn't have CTDB_CAP_RECMASTER, in + * which case there is no node to do the takeover run. Hence, the + * timeout. + */ + +struct shutdown_takeover_state { + bool takeover_done; + bool timed_out; + struct tevent_timer *te; + unsigned int leader_broadcast_count; +}; + +static void shutdown_takeover_handler(uint64_t srvid, + TDB_DATA data, + void *private_data) +{ + struct shutdown_takeover_state *state = private_data; + int32_t result = 0; + size_t count = 0; + int ret = 0; + + ret = ctdb_int32_pull(data.dptr, data.dsize, &result, &count); + if (ret == EMSGSIZE) { + /* + * Can't happen unless there's bug somewhere else, so + * just ignore - ctdb_shutdown_takeover() will + * probably time out... + */ + DBG_WARNING("Wrong size for result\n"); + return; + } + + if (result == -1) { + /* + * No early return - can't afford endless retries + * during shutdown... 
+ */ + DBG_WARNING("Takeover run failed\n"); + } else { + DBG_NOTICE("Takeover run successful by node=%"PRIi32"\n", + result); + } + + state->takeover_done = true; +} + +static void shutdown_timeout_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval yt, + void *private_data) +{ + struct shutdown_takeover_state *state = private_data; + + TALLOC_FREE(state->te); + state->timed_out = true; +} + +static void shutdown_leader_handler(uint64_t srvid, + TDB_DATA data, + void *private_data) +{ + struct shutdown_takeover_state *state = private_data; + uint32_t pnn = 0; + size_t count = 0; + int ret = 0; + + ret = ctdb_uint32_pull(data.dptr, data.dsize, &pnn, &count); + if (ret == EMSGSIZE) { + /* + * Can't happen unless there's bug somewhere else, so + * just ignore + */ + DBG_WARNING("Wrong size for result\n"); + return; + } + + DBG_DEBUG("Leader broadcast received from node=%"PRIu32"\n", pnn); + state->leader_broadcast_count++; +} + +static void ctdb_shutdown_takeover(struct ctdb_context *ctdb) +{ + struct shutdown_takeover_state state = { + .takeover_done = false, + .timed_out = false, + .te = NULL, + .leader_broadcast_count = 0, + }; + /* + * This one is memcpy()ed onto the wire, so initialise below + * after ZERO_STRUCT(), to keep things valgrind clean + */ + struct ctdb_srvid_message rd; + struct TDB_DATA rddata = { + .dptr = (uint8_t *)&rd, + .dsize = sizeof(rd), + }; + int ret = 0; + + if (ctdb_config.shutdown_failover_timeout <= 0) { + return; + } + + ZERO_STRUCT(rd); + rd = (struct ctdb_srvid_message) { + .pnn = ctdb->pnn, + .srvid = ctdb_srvid_id(ctdb, 0), + }; + + ret = srvid_register(ctdb->srv, + ctdb->srv, + rd.srvid, + shutdown_takeover_handler, + &state); + if (ret != 0) { + DBG_WARNING("Failed to register takeover run handler\n"); + return; + } + + state.te = tevent_add_timer( + ctdb->ev, + ctdb->srv, + timeval_current_ofs(ctdb_config.shutdown_failover_timeout, 0), + shutdown_timeout_handler, + &state); + if (state.te == NULL) { + 
DBG_WARNING("Failed to set shutdown timeout\n"); + goto done; + } + + ret = srvid_register(ctdb->srv, + ctdb->srv, + CTDB_SRVID_LEADER, + shutdown_leader_handler, + &state); + if (ret != 0) { + /* Leader broadcasts provide extra information, so no + * problem if they can't be monitored... + */ + DBG_WARNING("Failed to register leader handler\n"); + } + + ret = ctdb_daemon_send_message(ctdb, + CTDB_BROADCAST_CONNECTED, + CTDB_SRVID_TAKEOVER_RUN, + rddata); + if (ret != 0) { + DBG_WARNING("Failed to send IP takeover run request\n"); + goto done; + } + + while (!state.takeover_done && !state.timed_out) { + tevent_loop_once(ctdb->ev); + } + + if (state.takeover_done) { + goto done; + } + + if (state.timed_out) { + DBG_WARNING("Timed out waiting for takeover run " + "(%u leader broadcasts received)\n", + state.leader_broadcast_count); + } +done: + srvid_deregister(ctdb->srv, CTDB_SRVID_TAKEOVER_RUN, &state); + srvid_deregister(ctdb->srv, CTDB_SRVID_LEADER, &state); + TALLOC_FREE(state.te); -- Samba Shared Repository
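
Review bot: The CVE-2025-0620 description in the first WHATSNEW.txt hunk attributes the problem to "a recent change in this cache" without naming the releases that carry that change, so a reader cannot tell from the release notes alone whether a given 4.21.x server is affected. Suggest stating the affected version range next to the advisory link, and spelling out as an interim measure what the last paragraph already implies: a group removal becomes effective once the user disconnects and establishes a new connection.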
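
Review bot: Both conf_define_integer() calls added to failover_conf_init() in ctdb/conf/failover_conf.c pass NULL in the argument position where the existing "disabled" option passes check_static_boolean_change, so nothing rejects a negative "shutdown extra timeout" or "shutdown failover timeout". ctdb_shutdown_takeover() returns early on `ctdb_config.shutdown_failover_timeout <= 0`, while ctdb.conf.5.xml documents only 0 as the value that disables failover on shutdown. Suggest either adding a validation function that refuses negative values or documenting that negative values behave like 0.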
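
Review bot: The comment added above CTDB_SRVID_SERVER_RANGE in ctdb/protocol/protocol.h says "Range of ports reserved" and "All ports matching the 8 top bits", but the constant is an SRVID prefix: ctdb_srvid_id() ORs it with the PNN and extra_mask to build a 64-bit SRVID. Suggest wording the comment in terms of SRVIDs so it matches how the value is used.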
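
Review bot: In ctdb_shutdown_takeover() in ctdb/server/ctdb_daemon.c, the cleanup under `done:` calls `srvid_deregister(ctdb->srv, CTDB_SRVID_TAKEOVER_RUN, &state)`, but shutdown_takeover_handler was registered on `rd.srvid`, the value returned by ctdb_srvid_id(ctdb, 0); CTDB_SRVID_TAKEOVER_RUN is only the SRVID the request is broadcast to. In the visible lines the reply handler therefore stays registered with a pointer to the stack-allocated `state` after the function returns. Suggest `srvid_deregister(ctdb->srv, rd.srvid, &state);` for the first call. The changeset is truncated just after TALLOC_FREE(state.te), so anything that follows cannot be checked here. A smaller point in the same function: the wait loop discards the return value of tevent_loop_once(), so a failing event loop would spin until the timer fires.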