The branch, v4-23-stable has been updated
via 75b4f6a0a66 VERSION: Disable GIT_SNAPSHOT for the 4.23.4 release.
via 8f6303f7359 WHATSNEW: Add release notes for Samba 4.23.4
via 82bcd3d8046 Revert "ldb: User hexchars_upper from replace.h"
via 4ebdc808cc1 s3:libads: Set udp_preference_limit = 0 for MIT Kerberos
via 0c50f3d513d s3:libads: Set a request timeout for Kerberos requests
via f09e6d24233 s3-winbindd: make sure we always have
WINBINDD_CACHE_VERSION in winbindd_cache.tdb
via 57a6d19deea s3-winbindd: provide one wcache_open() function for all
tdb opens
via 4a31a42c102 s3-winbindd: make initialize_winbindd_cache() static
via 3c9b3169ebc s3-winbind: make wcache_store_seqnum static
via 971a37fa4c6 s3-winbindd: Fix winbind NDR caching.
via 603a8d2936e s3-selftest: add tests for winbindd_cache.tdb sanity
via b3f2445aef4 vfs_fruit: psd->dacl can be NULL, use orig_num_aces
via 441ad465dfc mdssvc: support a wider range of years [0000,9999] in
$time.iso
via 1bfd8466f65 ctdb: Fix ctdb startup with inconsistent cluster lock
settings
via 84a09551ff8 s3:printing: Load the shares for [printers] in
samba-bgqd
via f420862c9eb docs-xml: Improve the samba-bgqd manpage
via 15875ce6f0c smbd: Fix CID 1665417, UNUSED_VALUE in
openat_pathref_fsp_dot()
via ecbfd23640b smbd: Fix Bug 15897
via 0d94edcb98b smbd: Add openat_pathref_fsp_dot()
via 9d5de961df0 VERSION: Bump version up to Samba 4.23.4...
from 9e8dc8c1609 VERSION: Disable GIT_SNAPSHOT for the 4.23.3 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-23-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 61 +++++++++++-
ctdb/server/ctdb_recover.c | 2 +
docs-xml/manpages/samba-bgqd.8.xml | 37 +++++--
lib/ldb/common/ldb_dn.c | 11 ++-
source3/libads/kerberos.c | 16 ++++
source3/modules/vfs_fruit.c | 2 +-
source3/printing/queue_process.c | 3 +
source3/rpc_server/mdssvc/es_parser.y | 9 +-
source3/rpc_server/mdssvc/test_mdsparser_es.c | 14 +++
source3/script/tests/test_winbind_cache_sanity.sh | 112 ++++++++++++++++++++++
source3/selftest/tests.py | 4 +
source3/smbd/filename.c | 16 +---
source3/smbd/files.c | 108 +++++++++++++++++++++
source3/smbd/proto.h | 4 +
source3/winbindd/winbindd_cache.c | 82 ++++++++--------
source3/winbindd/winbindd_proto.h | 3 -
17 files changed, 415 insertions(+), 71 deletions(-)
create mode 100755 source3/script/tests/test_winbind_cache_sanity.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index f35f7ab0abb..7cdbe01b232 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the
Samba Team 1992-2025"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=23
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a143f1c084c..1eab9c17ce7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,61 @@
+ ==============================
+ Release Notes for Samba 4.23.4
+ December 12, 2025
+ ==============================
+
+
+This is the latest stable release of the Samba 4.23 release series.
+
+
+Changes since 4.23.3
+--------------------
+
+o Ralph Boehme <[email protected]>
+ * BUG 15926: Samba 4.22 breaks Time Machine
+ * BUG 15947: mdssvc doesn't support $time.iso dates before 1970
+
+o Günther Deschner <[email protected]>
+ * BUG 15963: Fix winbind cache consistency
+
+o Volker Lendecke <[email protected]>
+ * BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] ==
'/')
+ in vfswrap_openat
+ * BUG 15950: ctdb can crash with inconsistent cluster lock configuration
+
+o Anoop C S <[email protected]>
+ * BUG 15897: Assert failed: (dirfd != -1) || (smb_fname->base_name[0] ==
'/')
+ in vfswrap_openat
+
+o Andreas Schneider <[email protected]>
+ * BUG 15809: samba-bgqd: rework man page
+ * BUG 15936: samba-bgqd can't find [printers] share
+ * BUG 15955: Winbind can hang forever in gssapi if there are network issues.
+ * BUG 15961: libldb requires linking libreplace on Linux
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.23.3
November 07, 2025
@@ -48,8 +106,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.23.2
October 15, 2025
diff --git a/ctdb/server/ctdb_recover.c b/ctdb/server/ctdb_recover.c
index 5a40618487e..18dc250f5ce 100644
--- a/ctdb/server/ctdb_recover.c
+++ b/ctdb/server/ctdb_recover.c
@@ -977,6 +977,8 @@ static void start_recovery_reclock_callback(struct
ctdb_context *ctdb,
local == NULL ? "NULL" : local));
talloc_free(state);
ctdb_shutdown_sequence(ctdb, 1);
+ /* In case above returns due to duplicate shutdown */
+ return;
}
DEBUG(DEBUG_INFO,
("Recovery lock consistency check successful\n"));
diff --git a/docs-xml/manpages/samba-bgqd.8.xml
b/docs-xml/manpages/samba-bgqd.8.xml
index ef50a542a9e..9a16a2aaad0 100644
--- a/docs-xml/manpages/samba-bgqd.8.xml
+++ b/docs-xml/manpages/samba-bgqd.8.xml
@@ -14,28 +14,53 @@
<refnamediv>
<refname>samba-bgqd</refname>
<refpurpose>This is an internal helper program performing
- asynchronous printing-related jobs.</refpurpose>
+ asynchronous printing-related tasks</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>samba-bgqd</command>
+ <arg choice="opt">-D|--daemon</arg>
+ <arg choice="opt">-i|--interactive</arg>
+ <arg choice="opt">-F|--foreground</arg>
+ <arg choice="opt">--no-process-group</arg>
+ <arg choice="opt">-d <debug level></arg>
+ <arg choice="opt">--debug-stdout</arg>
+ <arg choice="opt">--configfile=<configuration file></arg>
+ <arg choice="opt">--option=<name>=<value></arg>
+ <arg choice="opt">-l|--log-basename <log directory></arg>
+ <arg choice="opt">--ready-signal-fd <fd></arg>
+ <arg choice="opt">--parent-watch-fd <fd></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
- <para>This tool is part of the
+ <para>This program is part of the
<citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
- <para>samba-bgqd is an helper program to be spawned by smbd or
- spoolssd to perform jobs like updating the printer list or
- other management tasks asynchronously on demand. It is not
- intended to be called by users or administrators.</para>
+ <para><command>samba-bgqd</command> is not intended to be invoked
+ directly by users.</para>
+
+ <para>Likewise, while <command>samba-bgqd</command> is also not
+ intended to be run manually by system administrators, on systems with a
+ large number of printers configured via CUPS, it is recommended to run
+ <command>samba-bgqd</command> as a systemd service to improve
+ performance and responsiveness of printing operations.</para>
</refsect1>
+<refsect1>
+ <title>SEE ALSO</title>
+
+ <para>
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>, and
+ <citerefentry><refentrytitle>smb.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry>.
+ </para>
+</refsect1>
<refsect1>
<title>AUTHOR</title>
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index 5b8c0f4f580..389da444904 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -232,10 +232,15 @@ static int ldb_dn_escape_internal(char *dst, const char
*src, int len)
case '\0': {
/* any others get \XX form */
unsigned char v;
+ /*
+ * Do not use libreplace for this. We don't want to have
+ * a hard requirement for it.
+ */
+ const char *hexbytes = "0123456789ABCDEF";
v = (const unsigned char)c;
*d++ = '\\';
- *d++ = hexchars_upper[v>>4];
- *d++ = hexchars_upper[v&0xF];
+ *d++ = hexbytes[v>>4];
+ *d++ = hexbytes[v&0xF];
break;
}
default:
@@ -2100,7 +2105,7 @@ int ldb_dn_set_extended_component(struct ldb_dn *dn,
unsigned int i;
struct ldb_val v2;
const struct ldb_dn_extended_syntax *ext_syntax;
-
+
if ( ! ldb_dn_validate(dn)) {
return LDB_ERR_OTHER;
}
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d8325201b2f..5593364c397 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1380,6 +1380,15 @@ bool create_local_private_krb5_conf_for_domain(const
char *realm,
char *enctypes = NULL;
const char *include_system_krb5 = "";
mode_t mask;
+ /*
+ * The default will be 15 seconds, it can be changed in the smb.conf:
+ * [global]
+ * krb5:request_timeout = 30
+ */
+ int timeout_sec = lp_parm_int(-1,
+ "krb5",
+ "request_timeout",
+ 15 /* default */);
if (!lp_create_krb5_conf()) {
return false;
@@ -1449,6 +1458,12 @@ bool create_local_private_krb5_conf_for_domain(const
char *realm,
file_contents =
talloc_asprintf(fname,
"[libdefaults]\n"
+#ifdef SAMBA4_USES_HEIMDAL
+ "\tkdc_timeout = %d\n"
+#else
+ "\trequest_timeout = %ds\n"
+ "\tudp_preference_limit = 0\n"
+#endif
"\tdefault_realm = %s\n"
"%s"
"\tdns_lookup_realm = false\n"
@@ -1458,6 +1473,7 @@ bool create_local_private_krb5_conf_for_domain(const char
*realm,
"\t%s = {\n"
"%s\t}\n"
"%s\n",
+ timeout_sec,
realm_upper,
enctypes,
realm_upper,
diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
index 302d90ce997..4da7c1efa07 100644
--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
@@ -4655,7 +4655,7 @@ static NTSTATUS fruit_fset_nt_acl(vfs_handle_struct
*handle,
DBG_DEBUG("%s\n", fsp_str_dbg(fsp));
- if (config->ignore_zero_aces && (psd->dacl->num_aces == 0)) {
+ if (config->ignore_zero_aces && (orig_num_aces == 0)) {
/*
* Just ignore Set-ACL requests with zero ACEs.
*/
diff --git a/source3/printing/queue_process.c b/source3/printing/queue_process.c
index 0f95bd736f2..51eafa31572 100644
--- a/source3/printing/queue_process.c
+++ b/source3/printing/queue_process.c
@@ -265,6 +265,7 @@ static void bq_smb_conf_updated(struct messaging_context
*msg_ctx,
DEBUG(10,("smb_conf_updated: Got message saying smb.conf was "
"updated. Reloading.\n"));
change_to_root_user();
+ lp_load_with_shares(get_dyn_CONFIGFILE());
pcap_cache_reload(state->ev, msg_ctx, reload_pcap_change_notify);
printing_subsystem_queue_tasks(state);
}
@@ -322,6 +323,8 @@ struct bq_state *register_printing_bq_handlers(
goto fail_free_handlers;
}
+ /* Load shares, needed for [printers] */
+ lp_load_with_shares(get_dyn_CONFIGFILE());
/* Initialize the printcap cache as soon as the daemon starts. */
pcap_cache_reload(state->ev, state->msg, reload_pcap_change_notify);
diff --git a/source3/rpc_server/mdssvc/es_parser.y
b/source3/rpc_server/mdssvc/es_parser.y
index 1f1c02ba1a5..267bc808091 100644
--- a/source3/rpc_server/mdssvc/es_parser.y
+++ b/source3/rpc_server/mdssvc/es_parser.y
@@ -494,15 +494,16 @@ static char *map_str(const struct es_attr_map *attr,
static char *map_sldate_to_esdate(TALLOC_CTX *mem_ctx,
const char *sldate)
{
+ char *endp = NULL;
struct tm *tm = NULL;
char *esdate = NULL;
char buf[21];
size_t len;
time_t t;
- int error;
- t = (time_t)smb_strtoull(sldate, NULL, 10, &error, SMB_STR_STANDARD);
- if (error != 0) {
+ errno = 0;
+ t = (time_t)strtoll(sldate, &endp, 10);
+ if (*sldate == '\0' || endp == sldate || *endp != '\0' || errno != 0) {
DBG_ERR("smb_strtoull [%s] failed\n", sldate);
return NULL;
}
@@ -515,7 +516,7 @@ static char *map_sldate_to_esdate(TALLOC_CTX *mem_ctx,
}
len = strftime(buf, sizeof(buf),
- "%Y-%m-%dT%H:%M:%SZ", tm);
+ "%4Y-%m-%dT%H:%M:%SZ", tm);
if (len != 20) {
DBG_ERR("strftime [%s] failed\n", sldate);
return NULL;
diff --git a/source3/rpc_server/mdssvc/test_mdsparser_es.c
b/source3/rpc_server/mdssvc/test_mdsparser_es.c
index 5015de82127..1de8a317930 100644
--- a/source3/rpc_server/mdssvc/test_mdsparser_es.c
+++ b/source3/rpc_server/mdssvc/test_mdsparser_es.c
@@ -53,6 +53,20 @@ static struct {
}, {
"kMDItemFSContentChangeDate==$time.iso(2018-10-01T10:00:00Z)",
"file.last_modified:2018\\\\-10\\\\-01T10\\\\:00\\\\:00Z"
+ }, {
+ "kMDItemFSContentChangeDate==$time.iso(1960-10-01T10:00:00Z)",
+ "file.last_modified:1960\\\\-10\\\\-01T10\\\\:00\\\\:00Z"
+#ifdef __LP64__
+ }, {
+ "kMDItemFSContentChangeDate==$time.iso(1000-10-01T10:00:00Z)",
+ "file.last_modified:1000\\\\-10\\\\-01T10\\\\:00\\\\:00Z"
+ }, {
+ "kMDItemFSContentChangeDate==$time.iso(0000-10-01T10:00:00Z)",
+ "file.last_modified:0000\\\\-10\\\\-01T10\\\\:00\\\\:00Z"
+ }, {
+ "kMDItemFSContentChangeDate==$time.iso(9999-10-01T10:00:00Z)",
+ "file.last_modified:9999\\\\-10\\\\-01T10\\\\:00\\\\:00Z"
+#endif
}, {
"kMDItemFSContentChangeDate==\"1\"",
"file.last_modified:2001\\\\-01\\\\-01T00\\\\:00\\\\:01Z"
diff --git a/source3/script/tests/test_winbind_cache_sanity.sh
b/source3/script/tests/test_winbind_cache_sanity.sh
new file mode 100755
index 00000000000..65d4e4cb778
--- /dev/null
+++ b/source3/script/tests/test_winbind_cache_sanity.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+ cat <<EOF
+Usage: test_winbind_cache_sanity.sh DOMAIN CACHE
+EOF
+ exit 1
+fi
+
+DOMAIN="$1"
+CACHE="$2"
+shift 2
+ADDARGS="$*"
+
+TDBTOOL=tdbtool
+if test -x "$BINDIR"/tdbtool; then
+ TDBTOOL=$BINDIR/tdbtool
+fi
+DBWRAP_TOOL=$BINDIR/dbwrap_tool
+WBINFO=$BINDIR/wbinfo
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+
+#################################################
+## Test "$CACHE" presence
+#################################################
+
+testit "$CACHE presence" \
+ test -r "$CACHE" \
+ || failed=$((failed + 1))
+
+
+#################################################
+## Test very simple wbinfo query to fill up cache with NDR/ and SEQNUM/ entries
+#################################################
+
+separator=$("$WBINFO" --separator)
+
+testit "calling wbinfo -n$DOMAIN$separator to fillup cache" \
+ "$VALGRIND" "$WBINFO" -n "$DOMAIN$separator" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+
+#################################################
+## Test "WINBINDD_CACHE_VERSION" presence
+#################################################
+
+KEY="WINBINDD_CACHE_VERSION"
+WINBINDD_CACHE_VER2=2
+
+testit "$KEY presence via dbwrap" \
+ "$VALGRIND" "$DBWRAP_TOOL" --persistent "$CACHE" fetch $KEY uint32 \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+#tdbtool will never fail so we have to parse the output...
+testit_grep "$KEY presence via tdbtool" "data 4 bytes" \
+ "$VALGRIND" "$TDBTOOL" "$CACHE" show "$KEY\\00" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+current_ver=$("$DBWRAP_TOOL" --persistent "$CACHE" fetch $KEY uint32)
+
+testit "$KEY value via dbwrap to be WINBINDD_CACHE_VER2" \
+ test "$current_ver" = $WINBINDD_CACHE_VER2 \
+ || failed=$((failed + 1))
+
+
+#################################################
+## Test "SEQNUM/$DOMAIN" presence
+#################################################
+
+KEY="SEQNUM/$DOMAIN"
+
+testit "$KEY SEQNUM presence via dbwrap" \
+ "$VALGRIND" "$DBWRAP_TOOL" --persistent "$CACHE" exists "$KEY" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+#tdbtool will never fail so we have to parse the output...
+testit_grep "$KEY SEQNUM presence via tdbtool" "data 8 bytes" \
+ "$VALGRIND" "$TDBTOOL" "$CACHE" show "$KEY\\00" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+
+#################################################
+## Test
"NDR/$DOMAIN/3/\09\00\00\00\00\00\00\00\09\00\00\00$DOMAIN\00\00\00\00\01\00\00\00\00\00\00\00\01\00\00\00\00\00\00\00\00\00\00\00"
presence
+## this is the resulting cache entry for a simple
+## wbinfo -n $DOMAIN\ query
+#################################################
+
+opnum=$($PYTHON -c'from samba.dcerpc.winbind import wbint_LookupName;
print(wbint_LookupName.opnum())')
+KEY="NDR/$DOMAIN/$opnum/\\09\\00\\00\\00\\00\\00\\00\\00\\09\\00\\00\\00$DOMAIN\\00\\00\\00\\00\\01\\00\\00\\00\\00\\00\\00\\00\\01\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00"
+
+#DBWRAP_TOOL does not support non-null terminated keys so it cannot find it...
+#testit "$KEY NDR presence via dbwrap" \
+# "$VALGRIND" "$DBWRAP_TOOL" --persistent $CACHE exists $KEY \
+# "$ADDARGS" \
+# || failed=$((failed + 1))
+
+#tdbtool will never fail so we have to parse the output...
+# key 59 bytes
+testit_grep "$KEY NDR presence via tdbtool" "data 44 bytes" \
+ "$VALGRIND" "$TDBTOOL" "$CACHE" show "$KEY" \
+ "$ADDARGS" \
+ || failed=$((failed + 1))
+
+testok "$0" "$failed"
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index efba899a920..395f435f697 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -731,6 +731,10 @@ plantestsuite("samba3.winbind_call_depth_trace", env,
[os.path.join(srcdir(),
"source3/script/tests/test_winbind_call_depth_trace.sh"),
smbcontrol, configuration, '$PREFIX', env])
+plantestsuite("samba3.winbind_cache_sanity", env,
+ [os.path.join(srcdir(),
+
"source3/script/tests/test_winbind_cache_sanity.sh"),
+ '$DOMAIN', '$LOCK_DIR/winbindd_cache.tdb'])
env = "fl2008r2dc:local"
plantestsuite("samba3.wbinfo_user_info", env,
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index 6a9d5f99d2a..ec2f65553b6 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -767,19 +767,9 @@ filename_convert_dirfsp_nosymlink(TALLOC_CTX *mem_ctx,
}
if (dirname[0] == '\0') {
- smb_dirname = synthetic_smb_fname(
- mem_ctx,
- ".",
- NULL,
- NULL,
- 0,
- posix ? SMB_FILENAME_POSIX_PATH : 0);
- if (smb_dirname == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- status = openat_pathref_fsp_lcomp(basedir,
- smb_dirname,
- UCF_POSIX_PATHNAMES);
+ status = openat_pathref_fsp_dot(
+ mem_ctx, basedir,
+ posix ? SMB_FILENAME_POSIX_PATH : 0, &smb_dirname);
} else {
status = normalize_filename_case(conn, dirname, ucf_flags);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/smbd/files.c b/source3/smbd/files.c
index 4cc203d8a1a..334810e45f9 100644
--- a/source3/smbd/files.c
+++ b/source3/smbd/files.c
@@ -1664,6 +1664,114 @@ NTSTATUS openat_pathref_fsp_lcomp(struct files_struct
*dirfsp,
return NT_STATUS_OK;
}
+NTSTATUS openat_pathref_fsp_dot(TALLOC_CTX *mem_ctx,
+ struct files_struct *dirfsp,
--
Samba Shared Repository
