From slow at samba.org Tue Jul 1 07:53:17 2025
From: slow at samba.org (Ralph Böhme)
Date: Tue, 01 Jul 2025 07:53:17 +0000
Subject: [SCM] Samba Website Repository - branch master updated
Message-ID:
Contributions are always welcome to Samba documentation. Like everything else concerning Samba, these docs are maintained by members of the Samba diff --git a/support/germany.html b/support/germany.html index 5426929..be909e5 100644 --- a/support/germany.html +++ b/support/germany.html @@ -11,35 +11,34 @@ -
SerNet ist eine der führenden Anbieterinnen von Dienstleistungen -und Produkten rund um Samba, Linux und Open-Source-Software.
+SerNet ist eine der international f??hrenden Dienstleisterinnen f??r +Samba, Linux und OpenSource-Themen und bietet Support, Beratung und +Entwicklung f??r Samba. SerNet hat au??erdem SLAs mit weltweiter +Abdeckung, 24/7-Verf??gbarkeit und verschiedenen Servicelevels im +Portfolio.
-SerNet bietet Support für Samba auf Basis -von SLAs (Service Level -Agreements) weltweit an.
+Mit SAMBA+ +bietet SerNet eigene und immer aktuelle Samba-Pakete f??r alle +wichtigen Linux-Systeme und IBM AIX an - f??r alle Plattformen aus der +gleichen Quelle, mit gleicher Konfiguration und damit weitgehend +identischem Verhalten. Alle wichtigen ActiveDirectory-Optionen und +verschiedene Cluster-File-Systeme wie IBMs GPFS werden +unterst??tzt.
-Mit SAMBA+ bietet -SerNet eigene und immer aktuelle Samba-Pakete für alle wichtigen -Linux-Systeme und IBM -AIX an - für alle Plattformen aus der gleichen Quelle und mit -gleicher Konfiguration und damit weitgehend identischem Verhalten. -Alle wichtigen ActiveDirectory-Optionen und verschiedene -Cluster-File-Systeme wie IBMs GPFS werden unterstützt.
+Mit der sambaXP veranstaltet +SerNet seit 2002 j??hrlich die einzige internationale Entwickler:innen- +und Anwender:innen-Konferenz zu Samba.
-SerNet veranstaltet mit -der sambaXP die einzige -internationale Entwickler:innen- und Anwender:innen-Konferenz zu Samba -jedes Jahr im Mai seit 2002.
- -Es werden regelm????ig verschiedene Webinare zu Samba angeboten, an -denen die Teilnahme kostenlos ist.
+Regelm????ig finden +verschiedene Webinare zu +Samba-Themen statt. Die Teilnahme ist kostenlos
Mitglieder aus dem internationalen samba.TEAM arbeiten bei SerNet:
+ +++
+ ++ +SerNet GmbH ++ +Bahnhofsallee 1b + + +37081 Göttingen ++ +Germany + + ++https://www.sernet.de/ + + +phone: +49-551-370000-0 + + +mail: samba at sernet.de +
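Review bot: In the added webinar paragraph of support/germany.html, the sentence "Die Teilnahme ist kostenlos" ends without a full stop, while the other added paragraphs all end with one; add it. The first added paragraph also writes "OpenSource-Themen" where the removed text used the hyphenated "Open-Source-Software", so settle on one spelling for the page.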
--
Samba Website Repository

From slow at samba.org Mon Jul 7 10:45:02 2025
From: slow at samba.org (Ralph Böhme)
Date: Mon, 07 Jul 2025 10:45:02 +0000
Subject: [SCM] Samba Shared Repository - branch master updated
Message-ID:

The branch, master has been updated
via 2560c9b3224 s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name
via f86a4bf6848 s3:winbindd: avoid using any netlogon call to get a dc name
from d0be58d4c21 rpc registry: add ProductType for AD DC

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 2560c9b3224816ffd371a62103f65b3aca301ad5
Author: Günther Deschner
Date: Wed Jul 2 21:59:48 2025 +0200

s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name

when winbind calls to dsgetdcname internally, make sure to
prefer the DNS domain name if we have it. Makes DNS lookups much more
likely to succeed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876

Guenther

Signed-off-by: Guenther Deschner
Reviewed-by: Andreas Schneider
Reviewed-by: Ralph Boehme

Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224

commit f86a4bf6848ade2db7229d182576db3320c3ece7
Author: Stefan Metzmacher
Date: Fri May 9 09:38:41 2025 +0200

s3:winbindd: avoid using any netlogon call to get a dc name

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876
Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner Reviewed-by: Andreas Schneider Reviewed-by: Ralph Boehme ----------------------------------------------------------------------- Summary of changes: source3/winbindd/wb_queryuser.c | 17 +++- source3/winbindd/wb_sids2xids.c | 17 +++- source3/winbindd/wb_xids2sids.c | 12 ++- source3/winbindd/winbindd_cm.c | 150 ----------------------------------- source3/winbindd/winbindd_dual.c | 6 +- source3/winbindd/winbindd_dual_srv.c | 105 ++---------------------- source3/winbindd/winbindd_proto.h | 1 + source3/winbindd/winbindd_util.c | 19 +++++ 8 files changed, 65 insertions(+), 262 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c index c2758f1b76a..db8e946ba71 100644 --- a/source3/winbindd/wb_queryuser.c +++ b/source3/winbindd/wb_queryuser.c @@ -289,10 +289,19 @@ static void wb_queryuser_done(struct tevent_req *subreq) if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling wb_dsgetdcname_send()\n"); - subreq = wb_dsgetdcname_send( - state, state->ev, state->info->domain_name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->info->domain_name); + + D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " + "wb_dsgetdcname_send(%s)\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c index f0f6c23fc20..03e5e7e0258 100644 --- a/source3/winbindd/wb_sids2xids.c +++ b/source3/winbindd/wb_sids2xids.c 
@@ -612,13 +612,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq) !state->tried_dclookup) { struct lsa_DomainInfo *d; + const char *domain_name = NULL; - D_DEBUG("Domain controller not found. Calling wb_dsgetdcname_send() to get it.\n"); d = &state->idmap_doms.domains[state->dom_index]; - subreq = wb_dsgetdcname_send( - state, state->ev, d->name.string, NULL, NULL, - DS_RETURN_DNS_NAME); + domain_name = find_dns_domain_name(d->name.string); + + D_DEBUG("Domain controller not found. Calling " + "wb_dsgetdcname_send(%s) to get it.\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c index 86bd7f9deab..6fcf524d94f 100644 --- a/source3/winbindd/wb_xids2sids.c +++ b/source3/winbindd/wb_xids2sids.c @@ -143,9 +143,15 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - subreq = wb_dsgetdcname_send( - state, state->ev, state->dom_map->name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->dom_map->name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index cc0b47b0600..15a2f60c532 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -477,140 +477,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials *creds) return ret; } -static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, - fstring dcname, - struct sockaddr_storage *dc_ss, - uint32_t request_flags) -{ - struct winbindd_domain *our_domain = NULL; - struct rpc_pipe_client *netlogon_pipe = NULL; - NTSTATUS result; - WERROR werr; - TALLOC_CTX *mem_ctx; - unsigned int orig_timeout; - const char *tmp = NULL; - const char *p; - struct dcerpc_binding_handle *b; - - /* Hmmmm. We can only open one connection to the NETLOGON pipe at the - * moment.... */ - - if (IS_DC) { - return False; - } - - if (domain->primary) { - return False; - } - - our_domain = find_our_domain(); - - if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { - return False; - } - - result = cm_connect_netlogon(our_domain, &netlogon_pipe); - if (!NT_STATUS_IS_OK(result)) { - talloc_destroy(mem_ctx); - return False; - } - - b = netlogon_pipe->binding_handle; - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. 
*/ - - orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); - - if (our_domain->active_directory) { - struct netr_DsRGetDCNameInfo *domain_info = NULL; - - /* - * TODO request flags are not respected in the server - * (and in some cases, like REQUIRE_PDC, causes an error) - */ - result = dcerpc_netr_DsRGetDCName(b, - mem_ctx, - our_domain->dcname, - domain->name, - NULL, - NULL, - request_flags|DS_RETURN_DNS_NAME, - &domain_info, - &werr); - if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { - tmp = talloc_strdup( - mem_ctx, domain_info->dc_unc); - if (tmp == NULL) { - DBG_ERR("talloc_strdup failed for dc_unc[%s]\n", - domain_info->dc_unc); - talloc_destroy(mem_ctx); - return false; - } - if (domain->alt_name == NULL) { - domain->alt_name = talloc_strdup(domain, - domain_info->domain_name); - if (domain->alt_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->domain_name[%s]\n", - domain_info->domain_name); - talloc_destroy(mem_ctx); - return false; - } - } - if (domain->forest_name == NULL) { - domain->forest_name = talloc_strdup(domain, - domain_info->forest_name); - if (domain->forest_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->forest_name[%s]\n", - domain_info->forest_name); - talloc_destroy(mem_ctx); - return false; - } - } - } - } else { - result = dcerpc_netr_GetAnyDCName(b, mem_ctx, - our_domain->dcname, - domain->name, - &tmp, - &werr); - } - - /* And restore our original timeout. 
*/ - rpccli_set_timeout(netlogon_pipe, orig_timeout); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - nt_errstr(result))); - talloc_destroy(mem_ctx); - return false; - } - - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - win_errstr(werr))); - talloc_destroy(mem_ctx); - return false; - } - - /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ - p = strip_hostname(tmp); - - fstrcpy(dcname, p); - - talloc_destroy(mem_ctx); - - DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); - - if (!resolve_name(dcname, dc_ss, 0x20, true)) { - return False; - } - - return True; -} - /** * Helper function to assemble trust password and account name */ @@ -1297,24 +1163,8 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, struct samba_sockaddr *sa_list = NULL; size_t salist_size = 0; size_t i; - bool is_our_domain; enum security_types sec = (enum security_types)lp_security(); - is_our_domain = strequal(domain->name, lp_workgroup()); - - /* If not our domain, get the preferred DC, by asking our primary DC */ - if ( !is_our_domain - && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) - && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, - num_dcs) ) - { - char addr[INET6_ADDRSTRLEN]; - print_sockaddr(addr, sizeof(addr), &ss); - DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", - dcname, addr)); - return True; - } - if ((sec == SEC_ADS) && (domain->alt_name != NULL)) { char *sitename = NULL; diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index 57e76884416..ccea44acf18 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c 
@@ -548,6 +548,7 @@ static void wb_domain_request_trigger(struct tevent_req *req, struct wb_domain_request_state *state = tevent_req_data( req, struct wb_domain_request_state); struct winbindd_domain *domain = state->domain; + const char *domain_name = NULL; struct tevent_req *subreq = NULL; size_t shortest_queue_length; @@ -623,8 +624,11 @@ static void wb_domain_request_trigger(struct tevent_req *req, * which is indicated by DS_RETURN_DNS_NAME. * For NT4 domains we still get the netbios name. */ + + domain_name = find_dns_domain_name(state->domain->name); + subreq = wb_dsgetdcname_send(state, state->ev, - state->domain->name, + domain_name, NULL, /* domain_guid */ NULL, /* site_name */ DS_RETURN_DNS_NAME); /* flags */ diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index b1809809b13..c48ca15dd2b 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c 
@@ -661,106 +661,11 @@ NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p, NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r) { - struct winbindd_domain *domain = wb_child_domain(); - struct rpc_pipe_client *netlogon_pipe; - struct netr_DsRGetDCNameInfo *dc_info; - NTSTATUS status; - WERROR werr; - unsigned int orig_timeout; - struct dcerpc_binding_handle *b; - bool retry = false; - bool try_dsrgetdcname = false; - - if (domain == NULL) { - return dsgetdcname(p->mem_ctx, global_messaging_context(), - r->in.domain_name, r->in.domain_guid, - r->in.site_name ? r->in.site_name : "", - r->in.flags, - r->out.dc_info); - } - - if (domain->active_directory) { - try_dsrgetdcname = true; - } - -reconnect: - status = cm_connect_netlogon(domain, &netlogon_pipe); - - reset_cm_connection_on_error(domain, NULL, status); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("Can't contact the NETLOGON pipe\n")); - return status; - } - - b = netlogon_pipe->binding_handle; - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. 
*/ - - orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); - - if (try_dsrgetdcname) { - status = dcerpc_netr_DsRGetDCName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, NULL, r->in.domain_guid, - r->in.flags, r->out.dc_info, &werr); - if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) { - goto done; - } - if (!retry && - reset_cm_connection_on_error(domain, NULL, status)) - { - retry = true; - goto reconnect; - } - try_dsrgetdcname = false; - retry = false; - } - - /* - * Fallback to less capable methods - */ - - dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo); - if (dc_info == NULL) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if (r->in.flags & DS_PDC_REQUIRED) { - status = dcerpc_netr_GetDcName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, &dc_info->dc_unc, &werr); - } else { - status = dcerpc_netr_GetAnyDCName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, &dc_info->dc_unc, &werr); - } - - if (!retry && reset_cm_connection_on_error(domain, b, status)) { - retry = true; - goto reconnect; - } - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", - nt_errstr(status))); - goto done; - } - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", - win_errstr(werr))); - status = werror_to_ntstatus(werr); - goto done; - } - - *r->out.dc_info = dc_info; - status = NT_STATUS_OK; - -done: - /* And restore our original timeout. */ - rpccli_set_timeout(netlogon_pipe, orig_timeout); - - return status; + return dsgetdcname(p->mem_ctx, global_messaging_context(), + r->in.domain_name, r->in.domain_guid, + r->in.site_name ? r->in.site_name : "", + r->in.flags, + r->out.dc_info); } NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 6d11a41d815..3734ab49086 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h 
@@ -608,6 +608,7 @@ bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr, struct dom_sid **sids, uint32_t *num_sids); bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr, struct unixid **pxids, uint32_t *pnum_xids); +const char *find_dns_domain_name(const char *domain_name); /* The following definitions come from winbindd/winbindd_wins.c */ diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 05466177600..954d01928b2 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -2673,3 +2673,22 @@ fail: TALLOC_FREE(xids); return false; } + +/** + * Helper to extract the DNS Domain Name from a struct winbindd_domain + */ +const char *find_dns_domain_name(const char *domain_name) +{ + struct winbindd_domain *wbdom = NULL; + + wbdom = find_domain_from_name(domain_name); + if (wbdom == NULL) { + return domain_name; + } + + if (wbdom->active_directory && wbdom->alt_name != NULL) { + return wbdom->alt_name; + } + + return wbdom->name; +} -- Samba Shared Repository From janger at samba.org Mon Jul 7 15:43:01 2025 
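Review bot: In wb_xids2sids_dom_done() (source3/winbindd/wb_xids2sids.c) the retry path resolves domain_name through find_dns_domain_name() but, unlike the matching hunks in wb_queryuser_done() and wb_sids2xids_done(), adds no D_DEBUG line showing the name passed to wb_dsgetdcname_send(). Because the helper can fall back to the name it was given, logging the chosen name here as well would make a failed DC lookup diagnosable from the logs in all three callers.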
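Review bot: Removing get_dc_name_via_netlogon() from source3/winbindd/winbindd_cm.c also removes its side effect of filling domain->alt_name and domain->forest_name from the DsRGetDCName reply when they were NULL. The code that follows in get_dcs() is still gated on "(sec == SEC_ADS) && (domain->alt_name != NULL)", and the new find_dns_domain_name() only returns a DNS name when alt_name is set, so if no other code path sets alt_name for a non-primary domain, both will keep working with the short name. The commit message carries only the subject and the bug link; please say there where alt_name and forest_name are expected to be populated after this removal.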
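Review bot: In wb_domain_request_trigger() (source3/winbindd/winbindd_dual.c) the struct is already in hand as "struct winbindd_domain *domain = state->domain;", yet the new line "domain_name = find_dns_domain_name(state->domain->name);" goes back through a lookup by name to find the same entry. Consider a variant of the helper that takes the struct winbindd_domain pointer directly for this caller, which avoids the extra lookup and cannot return a different entry than the one the request was queued for.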
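Review bot: _wbint_DsGetDcName() in source3/winbindd/winbindd_dual_srv.c now always calls dsgetdcname(), which drops the removed fallback that served DS_PDC_REQUIRED through dcerpc_netr_GetDcName() and everything else through dcerpc_netr_GetAnyDCName() when DsRGetDCName did not succeed. Nothing in the hunk or in the commit message says how a request with DS_PDC_REQUIRED, or one for a domain that is not active_directory, is expected to be answered now. A short comment above the remaining call, or a sentence in the commit message, explaining why the netlogon fallbacks are no longer needed would make this behaviour change reviewable.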
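Review bot: The doc comment on find_dns_domain_name() in source3/winbindd/winbindd_util.c says it extracts the DNS domain name "from a struct winbindd_domain", but the function takes "const char *domain_name" and looks the domain up itself. It also has two paths that return something other than a DNS name: the input string when find_domain_from_name() returns NULL, and wbdom->name when the domain is not active_directory or alt_name is NULL. Please reword the comment to describe the lookup and both fallbacks, and note that the returned pointer is borrowed from either the caller's argument or the winbindd_domain entry, so callers must not free it.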
From: janger at samba.org (Jule Anger)
Date: Mon, 07 Jul 2025 15:43:01 +0000
Subject: [SCM] Samba Shared Repository - branch v4-21-test updated
Message-ID:

The branch, v4-21-test has been updated
via 1967ce81998 s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name
via fc13e0918fd s3:winbindd: avoid using any netlogon call to get a dc name
from 3490e76342a lib:util: Disable logging to syslog for startup messages

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-test

- Log -----------------------------------------------------------------
commit 1967ce819985be2e223c258284d5153713549108
Author: Günther Deschner
Date: Wed Jul 2 21:59:48 2025 +0200

s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name

when winbind calls to dsgetdcname internally, make sure to
prefer the DNS domain name if we have it. Makes DNS lookups much more
likely to succeed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876

Guenther

Signed-off-by: Guenther Deschner
Reviewed-by: Andreas Schneider
Reviewed-by: Ralph Boehme

Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224

(cherry picked from commit 2560c9b3224816ffd371a62103f65b3aca301ad5)

Autobuild-User(v4-21-test): Jule Anger
Autobuild-Date(v4-21-test): Mon Jul 7 15:42:19 UTC 2025 on atb-devel-224

commit fc13e0918fddac18800790926a71a9e60f8b95df
Author: Stefan Metzmacher
Date: Fri May 9 09:38:41 2025 +0200

s3:winbindd: avoid using any netlogon call to get a dc name

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876
Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner Reviewed-by: Andreas Schneider Reviewed-by: Ralph Boehme (cherry picked from commit f86a4bf6848ade2db7229d182576db3320c3ece7) ----------------------------------------------------------------------- Summary of changes: source3/winbindd/wb_queryuser.c | 17 +++- source3/winbindd/wb_sids2xids.c | 17 +++- source3/winbindd/wb_xids2sids.c | 12 ++- source3/winbindd/winbindd_cm.c | 150 ----------------------------------- source3/winbindd/winbindd_dual.c | 6 +- source3/winbindd/winbindd_dual_srv.c | 105 ++---------------------- source3/winbindd/winbindd_proto.h | 1 + source3/winbindd/winbindd_util.c | 19 +++++ 8 files changed, 65 insertions(+), 262 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c index c2758f1b76a..db8e946ba71 100644 --- a/source3/winbindd/wb_queryuser.c +++ b/source3/winbindd/wb_queryuser.c @@ -289,10 +289,19 @@ static void wb_queryuser_done(struct tevent_req *subreq) if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling wb_dsgetdcname_send()\n"); - subreq = wb_dsgetdcname_send( - state, state->ev, state->info->domain_name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->info->domain_name); + + D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " + "wb_dsgetdcname_send(%s)\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c index f0f6c23fc20..03e5e7e0258 100644 --- a/source3/winbindd/wb_sids2xids.c +++ b/source3/winbindd/wb_sids2xids.c 
@@ -612,13 +612,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq) !state->tried_dclookup) { struct lsa_DomainInfo *d; + const char *domain_name = NULL; - D_DEBUG("Domain controller not found. Calling wb_dsgetdcname_send() to get it.\n"); d = &state->idmap_doms.domains[state->dom_index]; - subreq = wb_dsgetdcname_send( - state, state->ev, d->name.string, NULL, NULL, - DS_RETURN_DNS_NAME); + domain_name = find_dns_domain_name(d->name.string); + + D_DEBUG("Domain controller not found. Calling " + "wb_dsgetdcname_send(%s) to get it.\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c index 86bd7f9deab..6fcf524d94f 100644 --- a/source3/winbindd/wb_xids2sids.c +++ b/source3/winbindd/wb_xids2sids.c @@ -143,9 +143,15 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - subreq = wb_dsgetdcname_send( - state, state->ev, state->dom_map->name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->dom_map->name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 24616980af3..9e51ee2acfe 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -475,140 +475,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials *creds) return ret; } -static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, - fstring dcname, - struct sockaddr_storage *dc_ss, - uint32_t request_flags) -{ - struct winbindd_domain *our_domain = NULL; - struct rpc_pipe_client *netlogon_pipe = NULL; - NTSTATUS result; - WERROR werr; - TALLOC_CTX *mem_ctx; - unsigned int orig_timeout; - const char *tmp = NULL; - const char *p; - struct dcerpc_binding_handle *b; - - /* Hmmmm. We can only open one connection to the NETLOGON pipe at the - * moment.... */ - - if (IS_DC) { - return False; - } - - if (domain->primary) { - return False; - } - - our_domain = find_our_domain(); - - if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { - return False; - } - - result = cm_connect_netlogon(our_domain, &netlogon_pipe); - if (!NT_STATUS_IS_OK(result)) { - talloc_destroy(mem_ctx); - return False; - } - - b = netlogon_pipe->binding_handle; - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. 
*/ - - orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); - - if (our_domain->active_directory) { - struct netr_DsRGetDCNameInfo *domain_info = NULL; - - /* - * TODO request flags are not respected in the server - * (and in some cases, like REQUIRE_PDC, causes an error) - */ - result = dcerpc_netr_DsRGetDCName(b, - mem_ctx, - our_domain->dcname, - domain->name, - NULL, - NULL, - request_flags|DS_RETURN_DNS_NAME, - &domain_info, - &werr); - if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { - tmp = talloc_strdup( - mem_ctx, domain_info->dc_unc); - if (tmp == NULL) { - DBG_ERR("talloc_strdup failed for dc_unc[%s]\n", - domain_info->dc_unc); - talloc_destroy(mem_ctx); - return false; - } - if (domain->alt_name == NULL) { - domain->alt_name = talloc_strdup(domain, - domain_info->domain_name); - if (domain->alt_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->domain_name[%s]\n", - domain_info->domain_name); - talloc_destroy(mem_ctx); - return false; - } - } - if (domain->forest_name == NULL) { - domain->forest_name = talloc_strdup(domain, - domain_info->forest_name); - if (domain->forest_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->forest_name[%s]\n", - domain_info->forest_name); - talloc_destroy(mem_ctx); - return false; - } - } - } - } else { - result = dcerpc_netr_GetAnyDCName(b, mem_ctx, - our_domain->dcname, - domain->name, - &tmp, - &werr); - } - - /* And restore our original timeout. 
*/ - rpccli_set_timeout(netlogon_pipe, orig_timeout); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - nt_errstr(result))); - talloc_destroy(mem_ctx); - return false; - } - - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - win_errstr(werr))); - talloc_destroy(mem_ctx); - return false; - } - - /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ - p = strip_hostname(tmp); - - fstrcpy(dcname, p); - - talloc_destroy(mem_ctx); - - DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); - - if (!resolve_name(dcname, dc_ss, 0x20, true)) { - return False; - } - - return True; -} - /** * Helper function to assemble trust password and account name */ @@ -1298,24 +1164,8 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, struct samba_sockaddr *sa_list = NULL; size_t salist_size = 0; size_t i; - bool is_our_domain; enum security_types sec = (enum security_types)lp_security(); - is_our_domain = strequal(domain->name, lp_workgroup()); - - /* If not our domain, get the preferred DC, by asking our primary DC */ - if ( !is_our_domain - && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) - && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, - num_dcs) ) - { - char addr[INET6_ADDRSTRLEN]; - print_sockaddr(addr, sizeof(addr), &ss); - DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", - dcname, addr)); - return True; - } - if ((sec == SEC_ADS) && (domain->alt_name != NULL)) { char *sitename = NULL; diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index c27fa2653f2..6570c3dec23 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c 
@@ -532,6 +532,7 @@ static void wb_domain_request_trigger(struct tevent_req *req, struct wb_domain_request_state *state = tevent_req_data( req, struct wb_domain_request_state); struct winbindd_domain *domain = state->domain; + const char *domain_name = NULL; struct tevent_req *subreq = NULL; size_t shortest_queue_length; @@ -604,8 +605,11 @@ static void wb_domain_request_trigger(struct tevent_req *req, * which is indicated by DS_RETURN_DNS_NAME. * For NT4 domains we still get the netbios name. */ + + domain_name = find_dns_domain_name(state->domain->name); + subreq = wb_dsgetdcname_send(state, state->ev, - state->domain->name, + domain_name, NULL, /* domain_guid */ NULL, /* site_name */ DS_RETURN_DNS_NAME); /* flags */ diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index 0c7e9dd5491..4f855d424e5 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c 
@@ -662,106 +662,11 @@ NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p, NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r) { - struct winbindd_domain *domain = wb_child_domain(); - struct rpc_pipe_client *netlogon_pipe; - struct netr_DsRGetDCNameInfo *dc_info; - NTSTATUS status; - WERROR werr; - unsigned int orig_timeout; - struct dcerpc_binding_handle *b; - bool retry = false; - bool try_dsrgetdcname = false; - - if (domain == NULL) { - return dsgetdcname(p->mem_ctx, global_messaging_context(), - r->in.domain_name, r->in.domain_guid, - r->in.site_name ? r->in.site_name : "", - r->in.flags, - r->out.dc_info); - } - - if (domain->active_directory) { - try_dsrgetdcname = true; - } - -reconnect: - status = cm_connect_netlogon(domain, &netlogon_pipe); - - reset_cm_connection_on_error(domain, NULL, status); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("Can't contact the NETLOGON pipe\n")); - return status; - } - - b = netlogon_pipe->binding_handle; - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. 
*/ - - orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); - - if (try_dsrgetdcname) { - status = dcerpc_netr_DsRGetDCName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, NULL, r->in.domain_guid, - r->in.flags, r->out.dc_info, &werr); - if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) { - goto done; - } - if (!retry && - reset_cm_connection_on_error(domain, NULL, status)) - { - retry = true; - goto reconnect; - } - try_dsrgetdcname = false; - retry = false; - } - - /* - * Fallback to less capable methods - */ - - dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo); - if (dc_info == NULL) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if (r->in.flags & DS_PDC_REQUIRED) { - status = dcerpc_netr_GetDcName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, &dc_info->dc_unc, &werr); - } else { - status = dcerpc_netr_GetAnyDCName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, &dc_info->dc_unc, &werr); - } - - if (!retry && reset_cm_connection_on_error(domain, b, status)) { - retry = true; - goto reconnect; - } - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", - nt_errstr(status))); - goto done; - } - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", - win_errstr(werr))); - status = werror_to_ntstatus(werr); - goto done; - } - - *r->out.dc_info = dc_info; - status = NT_STATUS_OK; - -done: - /* And restore our original timeout. */ - rpccli_set_timeout(netlogon_pipe, orig_timeout); - - return status; + return dsgetdcname(p->mem_ctx, global_messaging_context(), + r->in.domain_name, r->in.domain_guid, + r->in.site_name ? r->in.site_name : "", + r->in.flags, + r->out.dc_info); } NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 5b90a7a731f..e318911d192 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h 
@@ -610,6 +610,7 @@ bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr, struct dom_sid **sids, uint32_t *num_sids); bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr, struct unixid **pxids, uint32_t *pnum_xids); +const char *find_dns_domain_name(const char *domain_name); /* The following definitions come from winbindd/winbindd_wins.c */ diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 2234efeed54..c94d313e9fd 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -2241,3 +2241,22 @@ fail: TALLOC_FREE(xids); return false; } + +/** + * Helper to extract the DNS Domain Name from a struct winbindd_domain + */ +const char *find_dns_domain_name(const char *domain_name) +{ + struct winbindd_domain *wbdom = NULL; + + wbdom = find_domain_from_name(domain_name); + if (wbdom == NULL) { + return domain_name; + } + + if (wbdom->active_directory && wbdom->alt_name != NULL) { + return wbdom->alt_name; + } + + return wbdom->name; +} -- Samba Shared Repository From janger at samba.org Mon Jul 7 15:44:01 2025 
From: janger at samba.org (Jule Anger)
Date: Mon, 07 Jul 2025 15:44:01 +0000
Subject: [SCM] Samba Shared Repository - branch v4-22-test updated
Message-ID:

The branch, v4-22-test has been updated
via 78d69a9eebe s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name
via b197ce8c6f1 s3:winbindd: avoid using any netlogon call to get a dc name
from 7501696d552 lib:util: Disable logging to syslog for startup messages

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-test

- Log -----------------------------------------------------------------
commit 78d69a9eebe080aa2bcdf62be8360b581dd1e5f0
Author: Günther Deschner
Date: Wed Jul 2 21:59:48 2025 +0200

s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name

when winbind calls to dsgetdcname internally, make sure to
prefer the DNS domain name if we have it. Makes DNS lookups much more
likely to succeed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876

Guenther

Signed-off-by: Guenther Deschner
Reviewed-by: Andreas Schneider
Reviewed-by: Ralph Boehme

Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224

(cherry picked from commit 2560c9b3224816ffd371a62103f65b3aca301ad5)

Autobuild-User(v4-22-test): Jule Anger
Autobuild-Date(v4-22-test): Mon Jul 7 15:43:22 UTC 2025 on atb-devel-224

commit b197ce8c6f155e7d7dd3bd7a9b77172553eb78f7
Author: Stefan Metzmacher
Date: Fri May 9 09:38:41 2025 +0200

s3:winbindd: avoid using any netlogon call to get a dc name

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876
Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner Reviewed-by: Andreas Schneider Reviewed-by: Ralph Boehme (cherry picked from commit f86a4bf6848ade2db7229d182576db3320c3ece7) ----------------------------------------------------------------------- Summary of changes: source3/winbindd/wb_queryuser.c | 17 +++- source3/winbindd/wb_sids2xids.c | 17 +++- source3/winbindd/wb_xids2sids.c | 12 ++- source3/winbindd/winbindd_cm.c | 150 ----------------------------------- source3/winbindd/winbindd_dual.c | 6 +- source3/winbindd/winbindd_dual_srv.c | 105 ++---------------------- source3/winbindd/winbindd_proto.h | 1 + source3/winbindd/winbindd_util.c | 19 +++++ 8 files changed, 65 insertions(+), 262 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c index c2758f1b76a..db8e946ba71 100644 --- a/source3/winbindd/wb_queryuser.c +++ b/source3/winbindd/wb_queryuser.c @@ -289,10 +289,19 @@ static void wb_queryuser_done(struct tevent_req *subreq) if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling wb_dsgetdcname_send()\n"); - subreq = wb_dsgetdcname_send( - state, state->ev, state->info->domain_name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->info->domain_name); + + D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " + "wb_dsgetdcname_send(%s)\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c index f0f6c23fc20..03e5e7e0258 100644 --- a/source3/winbindd/wb_sids2xids.c +++ b/source3/winbindd/wb_sids2xids.c 
@@ -612,13 +612,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq) !state->tried_dclookup) { struct lsa_DomainInfo *d; + const char *domain_name = NULL; - D_DEBUG("Domain controller not found. Calling wb_dsgetdcname_send() to get it.\n"); d = &state->idmap_doms.domains[state->dom_index]; - subreq = wb_dsgetdcname_send( - state, state->ev, d->name.string, NULL, NULL, - DS_RETURN_DNS_NAME); + domain_name = find_dns_domain_name(d->name.string); + + D_DEBUG("Domain controller not found. Calling " + "wb_dsgetdcname_send(%s) to get it.\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c index 86bd7f9deab..6fcf524d94f 100644 --- a/source3/winbindd/wb_xids2sids.c +++ b/source3/winbindd/wb_xids2sids.c @@ -143,9 +143,15 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - subreq = wb_dsgetdcname_send( - state, state->ev, state->dom_map->name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->dom_map->name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 420ea961876..741761f606b 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -475,140 +475,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials *creds) return ret; } -static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, - fstring dcname, - struct sockaddr_storage *dc_ss, - uint32_t request_flags) -{ - struct winbindd_domain *our_domain = NULL; - struct rpc_pipe_client *netlogon_pipe = NULL; - NTSTATUS result; - WERROR werr; - TALLOC_CTX *mem_ctx; - unsigned int orig_timeout; - const char *tmp = NULL; - const char *p; - struct dcerpc_binding_handle *b; - - /* Hmmmm. We can only open one connection to the NETLOGON pipe at the - * moment.... */ - - if (IS_DC) { - return False; - } - - if (domain->primary) { - return False; - } - - our_domain = find_our_domain(); - - if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { - return False; - } - - result = cm_connect_netlogon(our_domain, &netlogon_pipe); - if (!NT_STATUS_IS_OK(result)) { - talloc_destroy(mem_ctx); - return False; - } - - b = netlogon_pipe->binding_handle; - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. 
*/ - - orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); - - if (our_domain->active_directory) { - struct netr_DsRGetDCNameInfo *domain_info = NULL; - - /* - * TODO request flags are not respected in the server - * (and in some cases, like REQUIRE_PDC, causes an error) - */ - result = dcerpc_netr_DsRGetDCName(b, - mem_ctx, - our_domain->dcname, - domain->name, - NULL, - NULL, - request_flags|DS_RETURN_DNS_NAME, - &domain_info, - &werr); - if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { - tmp = talloc_strdup( - mem_ctx, domain_info->dc_unc); - if (tmp == NULL) { - DBG_ERR("talloc_strdup failed for dc_unc[%s]\n", - domain_info->dc_unc); - talloc_destroy(mem_ctx); - return false; - } - if (domain->alt_name == NULL) { - domain->alt_name = talloc_strdup(domain, - domain_info->domain_name); - if (domain->alt_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->domain_name[%s]\n", - domain_info->domain_name); - talloc_destroy(mem_ctx); - return false; - } - } - if (domain->forest_name == NULL) { - domain->forest_name = talloc_strdup(domain, - domain_info->forest_name); - if (domain->forest_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->forest_name[%s]\n", - domain_info->forest_name); - talloc_destroy(mem_ctx); - return false; - } - } - } - } else { - result = dcerpc_netr_GetAnyDCName(b, mem_ctx, - our_domain->dcname, - domain->name, - &tmp, - &werr); - } - - /* And restore our original timeout. 
*/ - rpccli_set_timeout(netlogon_pipe, orig_timeout); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - nt_errstr(result))); - talloc_destroy(mem_ctx); - return false; - } - - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - win_errstr(werr))); - talloc_destroy(mem_ctx); - return false; - } - - /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ - p = strip_hostname(tmp); - - fstrcpy(dcname, p); - - talloc_destroy(mem_ctx); - - DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); - - if (!resolve_name(dcname, dc_ss, 0x20, true)) { - return False; - } - - return True; -} - /** * Helper function to assemble trust password and account name */ @@ -1307,24 +1173,8 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, struct samba_sockaddr *sa_list = NULL; size_t salist_size = 0; size_t i; - bool is_our_domain; enum security_types sec = (enum security_types)lp_security(); - is_our_domain = strequal(domain->name, lp_workgroup()); - - /* If not our domain, get the preferred DC, by asking our primary DC */ - if ( !is_our_domain - && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) - && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, - num_dcs) ) - { - char addr[INET6_ADDRSTRLEN]; - print_sockaddr(addr, sizeof(addr), &ss); - DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", - dcname, addr)); - return True; - } - if ((sec == SEC_ADS) && (domain->alt_name != NULL)) { char *sitename = NULL; diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index 614727aceb9..622d50c2b91 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c 
@@ -532,6 +532,7 @@ static void wb_domain_request_trigger(struct tevent_req *req, struct wb_domain_request_state *state = tevent_req_data( req, struct wb_domain_request_state); struct winbindd_domain *domain = state->domain; + const char *domain_name = NULL; struct tevent_req *subreq = NULL; size_t shortest_queue_length; @@ -604,8 +605,11 @@ static void wb_domain_request_trigger(struct tevent_req *req, * which is indicated by DS_RETURN_DNS_NAME. * For NT4 domains we still get the netbios name. */ + + domain_name = find_dns_domain_name(state->domain->name); + subreq = wb_dsgetdcname_send(state, state->ev, - state->domain->name, + domain_name, NULL, /* domain_guid */ NULL, /* site_name */ DS_RETURN_DNS_NAME); /* flags */ diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index 2572588f6d1..e59c42dbcda 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c 
@@ -660,106 +660,11 @@ NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p, NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r) { - struct winbindd_domain *domain = wb_child_domain(); - struct rpc_pipe_client *netlogon_pipe; - struct netr_DsRGetDCNameInfo *dc_info; - NTSTATUS status; - WERROR werr; - unsigned int orig_timeout; - struct dcerpc_binding_handle *b; - bool retry = false; - bool try_dsrgetdcname = false; - - if (domain == NULL) { - return dsgetdcname(p->mem_ctx, global_messaging_context(), - r->in.domain_name, r->in.domain_guid, - r->in.site_name ? r->in.site_name : "", - r->in.flags, - r->out.dc_info); - } - - if (domain->active_directory) { - try_dsrgetdcname = true; - } - -reconnect: - status = cm_connect_netlogon(domain, &netlogon_pipe); - - reset_cm_connection_on_error(domain, NULL, status); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("Can't contact the NETLOGON pipe\n")); - return status; - } - - b = netlogon_pipe->binding_handle; - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. 
*/ - - orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); - - if (try_dsrgetdcname) { - status = dcerpc_netr_DsRGetDCName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, NULL, r->in.domain_guid, - r->in.flags, r->out.dc_info, &werr); - if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) { - goto done; - } - if (!retry && - reset_cm_connection_on_error(domain, NULL, status)) - { - retry = true; - goto reconnect; - } - try_dsrgetdcname = false; - retry = false; - } - - /* - * Fallback to less capable methods - */ - - dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo); - if (dc_info == NULL) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if (r->in.flags & DS_PDC_REQUIRED) { - status = dcerpc_netr_GetDcName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, &dc_info->dc_unc, &werr); - } else { - status = dcerpc_netr_GetAnyDCName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, &dc_info->dc_unc, &werr); - } - - if (!retry && reset_cm_connection_on_error(domain, b, status)) { - retry = true; - goto reconnect; - } - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", - nt_errstr(status))); - goto done; - } - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", - win_errstr(werr))); - status = werror_to_ntstatus(werr); - goto done; - } - - *r->out.dc_info = dc_info; - status = NT_STATUS_OK; - -done: - /* And restore our original timeout. */ - rpccli_set_timeout(netlogon_pipe, orig_timeout); - - return status; + return dsgetdcname(p->mem_ctx, global_messaging_context(), + r->in.domain_name, r->in.domain_guid, + r->in.site_name ? r->in.site_name : "", + r->in.flags, + r->out.dc_info); } NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 5d428ef2845..08e1c11f29b 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h 
@@ -608,6 +608,7 @@ bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr, struct dom_sid **sids, uint32_t *num_sids); bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr, struct unixid **pxids, uint32_t *pnum_xids); +const char *find_dns_domain_name(const char *domain_name); /* The following definitions come from winbindd/winbindd_wins.c */ diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 48f4c9a67cb..ceb6a3136fb 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -2230,3 +2230,22 @@ fail: TALLOC_FREE(xids); return false; } + +/** + * Helper to extract the DNS Domain Name from a struct winbindd_domain + */ +const char *find_dns_domain_name(const char *domain_name) +{ + struct winbindd_domain *wbdom = NULL; + + wbdom = find_domain_from_name(domain_name); + if (wbdom == NULL) { + return domain_name; + } + + if (wbdom->active_directory && wbdom->alt_name != NULL) { + return wbdom->alt_name; + } + + return wbdom->name; +} -- Samba Shared Repository From janger at samba.org Mon Jul 7 16:08:59 2025 From: janger at samba.org (Jule Anger) Date: Mon, 07 Jul 2025 16:08:59 +0000 Subject: [SCM] Samba Shared Repository - branch v4-21-test updated Message-ID: The branch, v4-21-test has been updated via 693e4eaf28b VERSION: Bump version up to Samba 4.21.8... via 5da3e988292 VERSION: Disable GIT_SNAPSHOT for the 4.21.7 release. via 19f7837e498 WHATSNEW: Add release notes for Samba 4.21.7. from 1967ce81998 s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-test - Log ----------------------------------------------------------------- commit 693e4eaf28b9ef0a52bd10eb686ce13150db20f2 Author: Jule Anger Date: Mon Jul 7 18:06:15 2025 +0200 VERSION: Bump version up to Samba 4.21.8... and re-enable GIT_SNAPSHOT. 
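Review bot: In the wb_xids2sids.c hunk (wb_xids2sids_dom_done) the retry path now resolves the name through find_dns_domain_name() but logs nothing, while the matching changes in wb_queryuser_done() and wb_sids2xids_done() both add a D_DEBUG that prints the chosen domain_name before wb_dsgetdcname_send(). Suggest adding the same D_DEBUG here so all three tried_dclookup retries can be traced the same way in the log.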
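Review bot: Removing get_dc_name_via_netlogon() from winbindd_cm.c also drops the code in that function that filled in domain->alt_name and domain->forest_name from the DsRGetDCName reply when they were NULL. The remaining path in get_dcs() is gated on (sec == SEC_ADS) && (domain->alt_name != NULL), and the new find_dns_domain_name() falls back to wbdom->name when alt_name is NULL, so the commit message or a comment in get_dcs() should say where alt_name is expected to come from for non-primary domains once this side effect is gone.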
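Review bot: In wb_domain_request_trigger() (winbindd_dual.c) the struct winbindd_domain is already in hand as state->domain and as the local domain, yet find_dns_domain_name(state->domain->name) looks it up again by name through find_domain_from_name(). Testing active_directory and alt_name on the existing pointer, or adding a helper variant that takes the struct, would avoid the second lookup and any chance of it resolving to a different entry. The unchanged comment "For NT4 domains we still get the netbios name" could also note that AD domains are now queried by alt_name.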
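Review bot: _wbint_DsGetDcName() in winbindd_dual_srv.c no longer consults wb_child_domain() and always calls dsgetdcname(), so the DS_PDC_REQUIRED branch that used dcerpc_netr_GetDcName() and the GetAnyDCName fallback disappear without any comment left behind. A short comment above the dsgetdcname() call that points at BUG 15876 and states that netlogon DC-locator RPCs are deliberately not used here would keep a later change from reintroducing them; the commit message for this change carries only the bug link.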
Signed-off-by: Jule Anger commit 5da3e988292b70c9fe6e9aaae7e34c215fe3d6c0 Author: Jule Anger Date: Mon Jul 7 18:05:48 2025 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.21.7 release. Signed-off-by: Jule Anger commit 19f7837e4989e64ebe713976942ed229a7de09fe Author: Jule Anger Date: Mon Jul 7 18:05:10 2025 +0200 WHATSNEW: Add release notes for Samba 4.21.7. Signed-off-by: Jule Anger ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 84 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index dede2e3c958..bade3afb096 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=21 -SAMBA_VERSION_RELEASE=7 +SAMBA_VERSION_RELEASE=8 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b8967d54c82..127fd8a3811 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,85 @@ + ============================== + Release Notes for Samba 4.21.7 + July 07, 2025 + ============================== + + +This is the latest stable release of the Samba 4.21 release series. + + +Important Change in Upcoming Microsoft Update +--------------------------------------------- + +On 8th of July, Microsoft will release an important security update for +Active Directory Domain Controllers for Windows Server versions prior to +2025. + +This update includes a change to the Microsoft RPC Netlogon protocol, +which improves security by tightening access checks for a set of RPC +requests. Samba running as domain members in these environments will be +impacted by this change if a specific configuration is used, see below +for which configuration is affected. + +Windows Server version 2025 is already equipped with these specific +security hardenings, and Microsoft is now planning to deploy them to all +supported Windows Server versions down to Windows Server 2008. + + +Who is affected? + +Samba installations acting as member servers in Windows AD domains will +be affected if they are configured to use the 'ad' idmapping backend. +Samba servers not using this configuration will not be affected by the +change ? at least to our current knowledge and understanding of the +change ? and no further action is required. + +Current versions of Samba with the affected configuration will no longer +function correctly once the Microsoft update has been applied. Users +will not be able to connect to the SMB service provided by Samba for any +domain configured to use the 'ad' idmapping backend. + +See https://bugzilla.samba.org/show_bug.cgi?id=15876. + +Changes since 4.21.6 +-------------------- + +o G?nther Deschner + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Stefan Metzmacher + * BUG 15680: Trust domains are not created. 
+ * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Andreas Schneider + * BUG 15680: Trust domains are not created. + * BUG 15869: Startup messages of rpc deamons fills /var/log/messages. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.21.6 June 03, 2025 @@ -92,8 +174,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.21.5 March 31, 2025 -- Samba Shared Repository From janger at samba.org Mon Jul 7 16:12:52 2025 
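Review bot: The "Who is affected?" text added to WHATSNEW.txt says "Current versions of Samba with the affected configuration will no longer function correctly" but never states that 4.21.7 itself addresses this or that affected member servers should be upgraded before the Microsoft update is applied; readers have to infer it from the BUG 15876 entries under "Changes since 4.21.6". Suggest one explicit sentence to that effect, adding the year to "On 8th of July", and correcting "deamons" in the BUG 15869 line.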
From: janger at samba.org (Jule Anger)
Date: Mon, 07 Jul 2025 16:12:52 +0000
Subject: [SCM] Samba Shared Repository - annotated tag samba-4.21.7 created
Message-ID:

The annotated tag, samba-4.21.7 has been created
        at  e1c081f5754ec2e131b516844ecf1a74055bd172 (tag)
   tagging  5da3e988292b70c9fe6e9aaae7e34c215fe3d6c0 (commit)
  replaces  samba-4.21.6
 tagged by  Jule Anger
        on  Mon Jul 7 18:11:05 2025 +0200

- Log -----------------------------------------------------------------
samba: tag release samba-4.21.7

Andreas Schneider (3):
      pidl: Update documentation for DCERPC interface connections
      python:lsa_utils: Don't use optional arguments for OpenPolicyFallback()
      lib:util: Disable logging to syslog for startup messages

Günther Deschner (1):
      s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name

Jule Anger (3):
      VERSION: Bump version up to Samba 4.21.7...
      WHATSNEW: Add release notes for Samba 4.21.7.
      VERSION: Disable GIT_SNAPSHOT for the 4.21.7 release.
Stefan Metzmacher (79):
      librpc/rpc: map DCERPC_NCA_S_SERVER_TOO_BUSY to NT_STATUS_RPC_SERVER_TOO_BUSY
      librpc/rpc: map DCERPC_NCA_S_UNSUPPORTED_TYPE to NT_STATUS_RPC_UNSUPPORTED_TYPE
      s4:torture/rpc: avoid checking p->last_fault_code in iremotewinspool*
      s4:torture/rpc: remove useless usage of DCERPC_SIGN, DCERPC_SEAL
      s4:torture/rpc: avoid using DCERPC_NDR_REF_ALLOC in fsrvp.c
      librpc/rpc: add dcerpc_binding_handle_transport_{encrypted,session_key}()
      s4:librpc/rpc: add dcerpc_bh_transport_{encrypted,session_key}()
      s3:rpc_client: add rpccli_bh_transport_session_key()
      s4:pyrpc: let py_iface_transport_encrypted() use dcerpc_binding_handle_transport_encrypted()
      s4:librpc/rpc: remove unused dcerpc_transport_encrypted()
      s4:libnet: add struct dcerpc_binding_handle helper variables in libnet_passwd.c
      s4:libnet: make use of dcerpc_binding_handle_transport_session_key() in libnet_passwd.c
      xss4:pyrpc: make use of dcerpc_binding_handle_transport_session_key()
      s4:torture/rpc: make use of dcerpc_binding_handle_transport_session_key()
      s4:librpc/rpc: remove unused dcerpc_fetch_session_key()
      librpc/rpc: add dcerpc_binding_handle_auth_session_key()
      s4:librpc/rpc: add dcerpc_bh_auth_session_key()
      s3:rpc_client: add rpccli_bh_auth_session_key()
      s4:drepl: make use of dcerpc_binding_handle_auth_session_key()
      s4:libnet: make use of dcerpc_binding_handle_auth_session_key() in libnet_become_dc.c
      s4:py_net: make use of dcerpc_binding_handle_auth_session_key()
      s4:pyrpc: make use of dcerpc_binding_handle_auth_session_key()
      s4:torture/drs: make use of dcerpc_binding_handle_auth_session_key()
      s3:lib/netapi: make use of dcerpc_binding_handle_transport_session_key()
      s3:libnet_join: make use of dcerpc_binding_handle_transport_session_key()
      s3:utils/net_rpc: make use of dcerpc_binding_handle_transport_session_key()
      s3:rpc_client: make use of dcerpc_binding_handle_transport_session_key()
      s3:libnet_dssync: make use of dcerpc_binding_handle_auth_session_key()
      s3:rpcclient/cli_drsuapi: make use of dcerpc_binding_handle_auth_session_key()
      s3:rpc_client: remove unused cli_get_session_key()
      s3:rpc_client: the transport_session_key is per connection!
      s3:rpcclient: make use of dcerpc_binding_handle_auth_info()
      s3:winbindd: cm_connect_lsa_tcp() doesn't need to check for NCACN_IP_TCP or LEVEL_INTEGRITY
      s3:rpc_client: make use of struct samba_sockaddr in rpc_pipe_open_ncalrpc()
      s3:rpc_client: header signing is negotiated per transport connection
      librpc/rpc: add get_binding() to dcerpc_binding_handle_ops
      libcli/tstream_binding_handle: implement get_binding()
      s4:lib/messaging: implement irpc_bh_get_binding()
      s3:winbindd: implement wbint_bh_get_binding() in winbindd_dual_ndr.c
      s4:librpc/rpc: call dcerpc_binding_set_abstract_syntax after bind or alter context
      s4:librpc/rpc: implement dcerpc_bh_get_binding()
      s3:rpc_client: implement rpccli_bh_get_binding()
      librpc/rpc: add dcerpc_binding_handle_get_binding()
      librpc/rpc: add dcerpc_binding_handle_get_transport() helper function
      librpc/rpc: un-const dcerpc_default_transport_endpoint()
      s4:libnet: make use of dcerpc_binding_handle_get_binding()
      s4:libnet: make use of dcerpc_binding_handle_get_transport()
      s4:torture/rpc: make use of dcerpc_binding_handle_get_binding() and dcerpc_binding_get_flags()
      s4:tortore/rpc: make use of dcerpc_binding_get_abstract_syntax() and dcerpc_binding_get_flags()
      s4:torture/rpc: make use of dcerpc_binding_handle_get_transport()
      s4:librpc: make all but dcerpc_pipe->binding_handle internal struct members
      s3:rpc_client: remember rpc_pipe_client->print_username
      s3:rpc_client: remove references to rpc_pipe_client from wsp_cli.c
      s3:winbindd: make use of dcerpc_binding_handle_get_transport()
      s3:rpcclient: make use of dcerpc_binding_handle_get_transport()
      s3:lib/netapi: make use of dcerpc_binding_get_abstract_syntax()
      s3:libsmb: make use of dcerpc_binding_get_abstract_syntax()
      s3:librpc/rpc: split out dcerpc_internal.h for struct pipe_auth_data
      s3:rpc_client: make most of rpc_pipe_client internal struct members
      s3:rpc_client: only pass the pipe_name to rpc_transport_np_init_send()
      s3:rpc_client: add struct rpc_client_{association,connection} and helpers
      s3:rpc_client: convert rpc_pipe_open_ncalrpc() to rpc_client_{association,connection}
      s3:rpc_client: convert rpc_pipe_open_local_np() to rpc_client_{association,connection}
      s3:rpc_client: convert rpc_pipe_open_tcp_port() to rpc_client_{association,connection}
      s3:rpc_client: convert rpc_pipe_open_np() to rpc_client_{association,connection}
      s3:rpc_client: let cli_rpc_pipe_open() use rpc_client_connection_np()
      s3:rpc_client: make real use of rpc_client_{association,connection}
      s3:rpc_client: add cli_rpc_pipe_client_prepare_alter() helper
      s3:rpc_client: split out cli_rpc_pipe_client_auth_schannel()
      s3:rpc_client: add missing TALLOC_FREE(frame) in cli_rpc_pipe_open()
      s3:rpc_client: remember the local/remote ipv4 or ipv6 addresses
      s3:cli_pipe: pass target_service to cli_rpc_pipe_open_with_creds()
      s3:rpc_client: Add cli_rpc_pipe_reopen_np_noauth()
      s3:rpc_cerver: Use dcerpc_lsa_open_policy3() for internal RPC
      s3:rpc_client: Use cli_rpc_pipe_reopen_np_noauth() for OpenPolicy fallback
      dcesrv_core: Make dcesrv_call_disconnect_after() public
      librpc:pyrpc: Allow new authenticated rpc connection on the same transport as the basis_connection
      python:lsa_utils: Fix fallback to OpenPolicy2
      s3:winbindd: avoid using any netlogon call to get a dc name

-----------------------------------------------------------------------

--
Samba Shared Repository

From janger at samba.org Mon Jul 7 16:13:31 2025
From: janger at samba.org (Jule Anger)
Date: Mon, 07 Jul 2025 16:13:31 +0000
Subject: [SCM] Samba Shared Repository - branch v4-21-stable updated
Message-ID:

The branch, v4-21-stable has been updated
       via  5da3e988292 VERSION: Disable GIT_SNAPSHOT for the 4.21.7 release.
       via  19f7837e498 WHATSNEW: Add release notes for Samba 4.21.7.
       via  1967ce81998 s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name
       via  fc13e0918fd s3:winbindd: avoid using any netlogon call to get a dc name
       via  3490e76342a lib:util: Disable logging to syslog for startup messages
       via  ccb5e9694e3 python:lsa_utils: Fix fallback to OpenPolicy2
       via  b106c7d77ae python:lsa_utils: Don't use optional arguments for OpenPolicyFallback()
       via  e8e6b68539b pidl: Update documentation for DCERPC interface connections
       via  0a0d87f4093 librpc:pyrpc: Allow new authenticated rpc connection on the same transport as the basis_connection
       via  30b077b6781 dcesrv_core: Make dcesrv_call_disconnect_after() public
       via  1cbbe56266b s3:rpc_client: Use cli_rpc_pipe_reopen_np_noauth() for OpenPolicy fallback
       via  4ae32d6faa0 s3:rpc_cerver: Use dcerpc_lsa_open_policy3() for internal RPC
       via  fe5b8928443 s3:rpc_client: Add cli_rpc_pipe_reopen_np_noauth()
       via  1ba2acc9fc9 s3:cli_pipe: pass target_service to cli_rpc_pipe_open_with_creds()
       via  22900d278cb s3:rpc_client: remember the local/remote ipv4 or ipv6 addresses
       via  e568b119340 s3:rpc_client: add missing TALLOC_FREE(frame) in cli_rpc_pipe_open()
       via  4ead8424471 s3:rpc_client: split out cli_rpc_pipe_client_auth_schannel()
       via  bf717ca5c4d s3:rpc_client: add cli_rpc_pipe_client_prepare_alter() helper
       via  75e1c18d912 s3:rpc_client: make real use of rpc_client_{association,connection}
       via  cb3e074ec54 s3:rpc_client: let cli_rpc_pipe_open() use rpc_client_connection_np()
       via  4b1f27c3202 s3:rpc_client: convert rpc_pipe_open_np() to rpc_client_{association,connection}
       via  f019fa98dbf s3:rpc_client: convert rpc_pipe_open_tcp_port() to rpc_client_{association,connection}
       via  f81ee3b6d0f s3:rpc_client: convert rpc_pipe_open_local_np() to rpc_client_{association,connection}
       via  6f67e05fb70 s3:rpc_client: convert rpc_pipe_open_ncalrpc() to rpc_client_{association,connection}
       via  8dc83405eeb s3:rpc_client: add struct rpc_client_{association,connection} and helpers
       via  e42835a2f5f s3:rpc_client: only pass the pipe_name to rpc_transport_np_init_send()
       via  7e02cf063ac s3:rpc_client: make most of rpc_pipe_client internal struct members
       via  6c43234a06b s3:librpc/rpc: split out dcerpc_internal.h for struct pipe_auth_data
       via  6af9f50396d s3:libsmb: make use of dcerpc_binding_get_abstract_syntax()
       via  33b0b4bfe5f s3:lib/netapi: make use of dcerpc_binding_get_abstract_syntax()
       via  61a5a72a3cd s3:rpcclient: make use of dcerpc_binding_handle_get_transport()
       via  523484d1882 s3:winbindd: make use of dcerpc_binding_handle_get_transport()
       via  86e27e94b2b s3:rpc_client: remove references to rpc_pipe_client from wsp_cli.c
       via  2f753ed81ce s3:rpc_client: remember rpc_pipe_client->print_username
       via  91e8d63c638 s4:librpc: make all but dcerpc_pipe->binding_handle internal struct members
       via  ba777ee0532 s4:torture/rpc: make use of dcerpc_binding_handle_get_transport()
       via  a57ec7313cd s4:tortore/rpc: make use of dcerpc_binding_get_abstract_syntax() and dcerpc_binding_get_flags()
       via  087ccbdd863 s4:torture/rpc: make use of dcerpc_binding_handle_get_binding() and dcerpc_binding_get_flags()
       via  2ca22d00411 s4:libnet: make use of dcerpc_binding_handle_get_transport()
       via  5e2606c5ea3 s4:libnet: make use of dcerpc_binding_handle_get_binding()
       via  2edaf617e86 librpc/rpc: un-const dcerpc_default_transport_endpoint()
       via  57d161d54f0 librpc/rpc: add dcerpc_binding_handle_get_transport() helper function
       via  e94025e1a8e librpc/rpc: add dcerpc_binding_handle_get_binding()
       via  bac9282844a s3:rpc_client: implement rpccli_bh_get_binding()
       via  1ed6f5c6692 s4:librpc/rpc: implement dcerpc_bh_get_binding()
       via  d2d951bddd4 s4:librpc/rpc: call dcerpc_binding_set_abstract_syntax after bind or alter context
       via  a89c2664f68 s3:winbindd: implement wbint_bh_get_binding() in winbindd_dual_ndr.c
       via  296b5cd0665 s4:lib/messaging: implement irpc_bh_get_binding()
       via  51dc661d261 libcli/tstream_binding_handle: implement get_binding()
       via  20a42d2ca1b librpc/rpc: add get_binding() to dcerpc_binding_handle_ops
       via  3731bbfdc4a s3:rpc_client: header signing is negotiated per transport connection
       via  daefb7b2436 s3:rpc_client: make use of struct samba_sockaddr in rpc_pipe_open_ncalrpc()
       via  3db4cfe8a33 s3:winbindd: cm_connect_lsa_tcp() doesn't need to check for NCACN_IP_TCP or LEVEL_INTEGRITY
       via  1ff49833b6e s3:rpcclient: make use of dcerpc_binding_handle_auth_info()
       via  277f9ff99a8 s3:rpc_client: the transport_session_key is per connection!
       via  b640002afd6 s3:rpc_client: remove unused cli_get_session_key()
       via  95f7152911a s3:rpcclient/cli_drsuapi: make use of dcerpc_binding_handle_auth_session_key()
       via  3200bd21d4d s3:libnet_dssync: make use of dcerpc_binding_handle_auth_session_key()
       via  8c695f13b6b s3:rpc_client: make use of dcerpc_binding_handle_transport_session_key()
       via  5f1f651d0e5 s3:utils/net_rpc: make use of dcerpc_binding_handle_transport_session_key()
       via  505775ba876 s3:libnet_join: make use of dcerpc_binding_handle_transport_session_key()
       via  7092b9abf1d s3:lib/netapi: make use of dcerpc_binding_handle_transport_session_key()
       via  c924b4420de s4:torture/drs: make use of dcerpc_binding_handle_auth_session_key()
       via  c1875485f4b s4:pyrpc: make use of dcerpc_binding_handle_auth_session_key()
       via  dd0c6b46880 s4:py_net: make use of dcerpc_binding_handle_auth_session_key()
       via  37768515a52 s4:libnet: make use of dcerpc_binding_handle_auth_session_key() in libnet_become_dc.c
       via  7fae08c9dcd s4:drepl: make use of dcerpc_binding_handle_auth_session_key()
       via  2b7ae6f61af s3:rpc_client: add rpccli_bh_auth_session_key()
       via  0c0f83127cb s4:librpc/rpc: add dcerpc_bh_auth_session_key()
       via  ece818eb50c librpc/rpc: add dcerpc_binding_handle_auth_session_key()
       via  a835a9b2f58 s4:librpc/rpc: remove unused dcerpc_fetch_session_key()
       via  21882daef2e s4:torture/rpc: make use of dcerpc_binding_handle_transport_session_key()
       via  1fe021a0c41 xss4:pyrpc: make use of dcerpc_binding_handle_transport_session_key()
       via  9aa2be36397 s4:libnet: make use of dcerpc_binding_handle_transport_session_key() in libnet_passwd.c
       via  0b5624e50d3 s4:libnet: add struct dcerpc_binding_handle helper variables in libnet_passwd.c
       via  b1be2bb12d9 s4:librpc/rpc: remove unused dcerpc_transport_encrypted()
       via  7e5ac988114 s4:pyrpc: let py_iface_transport_encrypted() use dcerpc_binding_handle_transport_encrypted()
       via  30134801b6d s3:rpc_client: add rpccli_bh_transport_session_key()
       via  f596c49585f s4:librpc/rpc: add dcerpc_bh_transport_{encrypted,session_key}()
       via  c4990ed56f7 librpc/rpc: add dcerpc_binding_handle_transport_{encrypted,session_key}()
       via  b7cd9cf02aa s4:torture/rpc: avoid using DCERPC_NDR_REF_ALLOC in fsrvp.c
       via  5047e9863b9 s4:torture/rpc: remove useless usage of DCERPC_SIGN, DCERPC_SEAL
       via  59c5354117c s4:torture/rpc: avoid checking p->last_fault_code in iremotewinspool*
       via  a91f4b27c18 librpc/rpc: map DCERPC_NCA_S_UNSUPPORTED_TYPE to NT_STATUS_RPC_UNSUPPORTED_TYPE
       via  27b0b2c2dde librpc/rpc: map DCERPC_NCA_S_SERVER_TOO_BUSY to NT_STATUS_RPC_SERVER_TOO_BUSY
       via  a3e57f9df27 VERSION: Bump version up to Samba 4.21.7...
      from  b901f39a1d0 VERSION: Disable GIT_SNAPSHOT for the 4.21.6 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-stable

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 85 +-
 lib/util/debug.c | 15 +
 lib/util/debug.h | 9 +
 .../tstream_binding_handle.c | 19 +
 librpc/rpc/binding_handle.c | 44 +
 librpc/rpc/dcerpc_error.c | 4 +-
 librpc/rpc/dcerpc_util.c | 8 +-
 librpc/rpc/dcerpc_util.h | 6 +-
 librpc/rpc/dcesrv_core.c | 4 +-
 librpc/rpc/dcesrv_core.h | 3 +
 librpc/rpc/rpc_common.h | 26 +
 pidl/lib/Parse/Pidl/Samba4/Python.pm | 29 +-
 python/samba/lsa_utils.py | 67 +-
 python/samba/netcmd/domain/trust.py | 93 +-
 python/samba/tests/dcerpc/lsa_utils.py | 51 +-
 source3/lib/netapi/cm.c | 15 +-
 source3/lib/netapi/joindomain.c | 12 +-
 source3/lib/netapi/localgroup.c | 2 +-
 source3/lib/netapi/user.c | 6 +-
 source3/libnet/libnet_dssync.c | 17 +-
 source3/libnet/libnet_join.c | 3 +-
 source3/librpc/rpc/dcerpc.h | 17 +-
 source3/librpc/rpc/dcerpc_helpers.c | 1 +
 .../librpc/rpc/dcerpc_internal.h | 22 +-
 source3/libsmb/libsmb_xattr.c | 10 +-
 source3/libsmb/passchange.c | 1 +
 source3/rpc_client/cli_lsarpc.c | 15 +-
 source3/rpc_client/cli_lsarpc.h | 4 +-
 source3/rpc_client/cli_pipe.c | 1781 +++++++++++++++-----
 source3/rpc_client/cli_pipe.h | 21 +-
 source3/rpc_client/cli_spoolss.c | 6 +-
 source3/rpc_client/rpc_client.h | 39 +-
 source3/rpc_client/rpc_transport.h | 2 +-
 source3/rpc_client/rpc_transport_np.c | 5 +-
 source3/rpc_client/wsp_cli.c | 71 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +-
 source3/rpcclient/cmd_drsuapi.c | 15 +-
 source3/rpcclient/cmd_iremotewinspool.c | 3 +-
 source3/rpcclient/cmd_lsarpc.c | 75 +-
 source3/rpcclient/cmd_samr.c | 3 +-
 source3/rpcclient/rpcclient.c | 26 +-
 source3/utils/net_rpc.c | 13 +-
 source3/utils/net_rpc_printer.c | 3 +-
 source3/utils/net_rpc_rights.c | 4 +-
 source3/utils/net_rpc_trust.c | 5 +-
 source3/winbindd/wb_queryuser.c | 17 +-
 source3/winbindd/wb_sids2xids.c | 17 +-
 source3/winbindd/wb_xids2sids.c | 12 +-
 source3/winbindd/winbindd_cm.c | 158 +-
 source3/winbindd/winbindd_dual.c | 6 +-
 source3/winbindd/winbindd_dual_ndr.c | 47 +-
 source3/winbindd/winbindd_dual_srv.c | 105 +-
 source3/winbindd/winbindd_msrpc.c | 4 +-
 source3/winbindd/winbindd_proto.h | 1 +
 source3/winbindd/winbindd_rpc.c | 7 +-
 source3/winbindd/winbindd_util.c | 19 +
 source3/wscript_build | 2 +-
 source4/dsdb/repl/drepl_out_helpers.c | 7 +-
 source4/lib/messaging/messaging.c | 44 +-
 source4/libnet/libnet_become_dc.c | 29 +-
 source4/libnet/libnet_join.c | 3 +-
 source4/libnet/libnet_passwd.c | 55 +-
 source4/libnet/libnet_rpc.c | 27 +-
 source4/libnet/py_net.c | 12 +-
 source4/librpc/rpc/dcerpc.c | 121 ++
 source4/librpc/rpc/dcerpc.h | 22 +-
 source4/librpc/rpc/dcerpc_auth.c | 2 +
 source4/librpc/rpc/dcerpc_connect.c | 1 +
 source4/librpc/rpc/dcerpc_roh.c | 2 +
 source4/librpc/rpc/dcerpc_schannel.c | 2 +
 source4/librpc/rpc/dcerpc_secondary.c | 1 +
 source4/librpc/rpc/dcerpc_smb.c | 2 +
 source4/librpc/rpc/dcerpc_sock.c | 2 +
 source4/librpc/rpc/dcerpc_util.c | 34 +-
 source4/librpc/rpc/pyrpc.c | 50 +-
 source4/librpc/rpc/pyrpc_util.c | 80 +-
 source4/rpc_server/remote/dcesrv_remote.c | 2 +
 source4/torture/drs/rpc/dssync.c | 5 +-
 source4/torture/drs/rpc/msds_intid.c | 5 +-
 source4/torture/rpc/alter_context.c | 36 +-
 source4/torture/rpc/backupkey.c | 9 +-
 source4/torture/rpc/bind.c | 4 +-
 source4/torture/rpc/drsuapi.c | 5 +-
 source4/torture/rpc/dsgetinfo.c | 4 +-
 source4/torture/rpc/echo.c | 17 +-
 source4/torture/rpc/forest_trust.c | 5 +-
 source4/torture/rpc/fsrvp.c | 72 +-
 source4/torture/rpc/handles.c | 28 +-
 source4/torture/rpc/iremotewinspool.c | 22 +-
 source4/torture/rpc/iremotewinspool_common.c | 4 -
 source4/torture/rpc/iremotewinspool_common.h | 1 -
 source4/torture/rpc/lsa.c | 22 +-
 source4/torture/rpc/lsa_lookup.c | 5 +-
 source4/torture/rpc/netlogon.c | 30 +-
 source4/torture/rpc/samba3rpc.c | 19 +-
 source4/torture/rpc/samr.c | 24 +-
 source4/torture/rpc/samsync.c | 6 +-
source4/torture/rpc/session_key.c | 4 +- source4/torture/rpc/spoolss.c | 4 +- source4/torture/rpc/testjoin.c | 2 +- source4/torture/rpc/winreg.c | 8 +- source4/torture/rpc/wkssvc.c | 4 +- 103 files changed, 2649 insertions(+), 1253 deletions(-) copy source4/echo_server/echo_server.h => source3/librpc/rpc/dcerpc_internal.h (64%) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 68f898ae004..4fff7d5eb09 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=21 -SAMBA_VERSION_RELEASE=6 +SAMBA_VERSION_RELEASE=7 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b8967d54c82..127fd8a3811 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,85 @@ + ============================== + Release Notes for Samba 4.21.7 + July 07, 2025 + ============================== + + +This is the latest stable release of the Samba 4.21 release series. + + +Important Change in Upcoming Microsoft Update +--------------------------------------------- + +On 8th of July, Microsoft will release an important security update for +Active Directory Domain Controllers for Windows Server versions prior to +2025. + +This update includes a change to the Microsoft RPC Netlogon protocol, +which improves security by tightening access checks for a set of RPC +requests. Samba running as domain members in these environments will be +impacted by this change if a specific configuration is used, see below +for which configuration is affected. + +Windows Server version 2025 is already equipped with these specific +security hardenings, and Microsoft is now planning to deploy them to all +supported Windows Server versions down to Windows Server 2008. + + +Who is affected? + +Samba installations acting as member servers in Windows AD domains will +be affected if they are configured to use the 'ad' idmapping backend. +Samba servers not using this configuration will not be affected by the +change ? at least to our current knowledge and understanding of the +change ? and no further action is required. + +Current versions of Samba with the affected configuration will no longer +function correctly once the Microsoft update has been applied. Users +will not be able to connect to the SMB service provided by Samba for any +domain configured to use the 'ad' idmapping backend. + +See https://bugzilla.samba.org/show_bug.cgi?id=15876. + +Changes since 4.21.6 +-------------------- + +o G?nther Deschner + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Stefan Metzmacher + * BUG 15680: Trust domains are not created. 
+ * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Andreas Schneider + * BUG 15680: Trust domains are not created. + * BUG 15869: Startup messages of rpc deamons fills /var/log/messages. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.21.6 June 03, 2025 @@ -92,8 +174,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.21.5 March 31, 2025 diff --git a/lib/util/debug.c b/lib/util/debug.c index 86f13f181cf..f79b8811a4b 100644 --- a/lib/util/debug.c +++ b/lib/util/debug.c @@ -95,6 +95,7 @@ static struct { bool reopening_logs; bool schedule_reopen_logs; int forced_log_priority; + bool disable_syslog; struct debug_settings settings; debug_callback_fn callback; 
@@ -302,6 +303,10 @@ static void debug_syslog_log(int msg_level, const char *msg, size_t msg_len) { int priority; + if (state.disable_syslog) { + return; + } + priority = debug_level_to_priority(msg_level); /* @@ -1124,6 +1129,16 @@ void debug_set_forced_log_priority(int forced_log_priority) state.forced_log_priority = forced_log_priority; } +void debug_disable_syslog(void) +{ + state.disable_syslog = true; +} + +void debug_enable_syslog(void) +{ + state.disable_syslog = false; +} + /** * Ensure debug logs are initialised. * diff --git a/lib/util/debug.h b/lib/util/debug.h index a4ad56048ff..5dc36369558 100644 --- a/lib/util/debug.h +++ b/lib/util/debug.h @@ -276,9 +276,16 @@ void debuglevel_set_class(size_t idx, int level); #define DBGLVL_INFO 5 /* informational message */ #define DBGLVL_DEBUG 10 /* debug-level message */ +/* + * Logging to syslog will be disabled as messages on debug level 0 are always + * reported to syslog too. We don't want to clutter the syslog with startup + * messages from rpc on demand daemons. + */ #define DBG_STARTUP_NOTICE(...) do { \ debug_set_forced_log_priority(DBGLVL_NOTICE); \ + debug_disable_syslog(); \ D_ERR(__VA_ARGS__); \ + debug_enable_syslog(); \ debug_set_forced_log_priority(-1); \ } while(0) @@ -362,6 +369,8 @@ void debug_set_settings(struct debug_settings *settings, int syslog_level, bool syslog_only); void debug_set_hostname(const char *name); void debug_set_forced_log_priority(int forced_log_priority); +void debug_disable_syslog(void); +void debug_enable_syslog(void); bool reopen_logs_internal( void ); void force_check_log_size( void ); bool need_to_check_log_size( void ); diff --git a/libcli/tstream_binding_handle/tstream_binding_handle.c b/libcli/tstream_binding_handle/tstream_binding_handle.c index 76f54a7f338..672fd3b89c6 100644 --- a/libcli/tstream_binding_handle/tstream_binding_handle.c +++ b/libcli/tstream_binding_handle/tstream_binding_handle.c 
@@ -35,8 +35,17 @@ struct tstream_bh_state { size_t call_initial_read_size; tstream_read_pdu_blob_full_fn_t *complete_pdu_fn; void *complete_pdu_fn_private; + const struct dcerpc_binding *binding; }; +static const struct dcerpc_binding *tstream_bh_get_binding(struct dcerpc_binding_handle *h) +{ + struct tstream_bh_state *hs = dcerpc_binding_handle_data( + h, struct tstream_bh_state); + + return hs->binding; +} + static bool tstream_bh_is_connected(struct dcerpc_binding_handle *h) { struct tstream_bh_state *hs = dcerpc_binding_handle_data( @@ -290,6 +299,7 @@ static NTSTATUS tstream_bh_call_recv(struct tevent_req *req, static const struct dcerpc_binding_handle_ops tstream_bh_ops = { .name = "tstream_binding_handle", + .get_binding = tstream_bh_get_binding, .is_connected = tstream_bh_is_connected, .set_timeout = tstream_bh_set_timeout, .raw_call_send = tstream_bh_call_send, @@ -309,6 +319,8 @@ struct dcerpc_binding_handle *tstream_binding_handle_create( { struct dcerpc_binding_handle *h = NULL; struct tstream_bh_state *hs = NULL; + struct dcerpc_binding *b = NULL; + NTSTATUS status; h = dcerpc_binding_handle_create(mem_ctx, &tstream_bh_ops, @@ -333,6 +345,13 @@ struct dcerpc_binding_handle *tstream_binding_handle_create( return NULL; } + status = dcerpc_parse_binding(hs, "", &b); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(h); + return NULL; + } + hs->binding = b; + if (max_data > 0) { tstream_smbXcli_np_set_max_data(hs->stream, max_data); } diff --git a/librpc/rpc/binding_handle.c b/librpc/rpc/binding_handle.c index 41675e10360..8ace6722a43 100644 --- a/librpc/rpc/binding_handle.c +++ b/librpc/rpc/binding_handle.c 
@@ -87,6 +87,17 @@ void dcerpc_binding_handle_set_sync_ev(struct dcerpc_binding_handle *h, h->sync_ev = ev; } +const struct dcerpc_binding *dcerpc_binding_handle_get_binding(struct dcerpc_binding_handle *h) +{ + return h->ops->get_binding(h); +} + +enum dcerpc_transport_t dcerpc_binding_handle_get_transport(struct dcerpc_binding_handle *h) +{ + const struct dcerpc_binding *b = dcerpc_binding_handle_get_binding(h); + return dcerpc_binding_get_transport(b); +} + bool dcerpc_binding_handle_is_connected(struct dcerpc_binding_handle *h) { return h->ops->is_connected(h); @@ -98,6 +109,27 @@ uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h, return h->ops->set_timeout(h, timeout); } +bool dcerpc_binding_handle_transport_encrypted(struct dcerpc_binding_handle *h) +{ + if (h->ops->transport_encrypted == NULL) { + return false; + } + + return h->ops->transport_encrypted(h); +} + +NTSTATUS dcerpc_binding_handle_transport_session_key( + struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key) +{ + if (h->ops->transport_session_key == NULL) { + return NT_STATUS_NO_USER_SESSION_KEY; + } + + return h->ops->transport_session_key(h, mem_ctx, session_key); +} + void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h, enum dcerpc_AuthType *auth_type, enum dcerpc_AuthLevel *auth_level) @@ -123,6 +155,18 @@ void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h, h->ops->auth_info(h, auth_type, auth_level); } +NTSTATUS dcerpc_binding_handle_auth_session_key( + struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key) +{ + if (h->ops->auth_session_key == NULL) { + return NT_STATUS_NO_USER_SESSION_KEY; + } + + return h->ops->auth_session_key(h, mem_ctx, session_key); +} + struct dcerpc_binding_handle_raw_call_state { const struct dcerpc_binding_handle_ops *ops; uint8_t *out_data; diff --git a/librpc/rpc/dcerpc_error.c b/librpc/rpc/dcerpc_error.c index d5b5b66ab6a..26c96336615 100644 
--- a/librpc/rpc/dcerpc_error.c +++ b/librpc/rpc/dcerpc_error.c @@ -40,9 +40,9 @@ static const struct dcerpc_fault_table dcerpc_faults[] = _FAULT_STR_NO_NT_MAPPING(DCERPC_NCA_S_YOU_CRASHED), _FAULT_STR(DCERPC_NCA_S_PROTO_ERROR, NT_STATUS_RPC_PROTOCOL_ERROR), _FAULT_STR_NO_NT_MAPPING(DCERPC_NCA_S_OUT_ARGS_TOO_BIG), - _FAULT_STR_NO_NT_MAPPING(DCERPC_NCA_S_SERVER_TOO_BUSY), + _FAULT_STR(DCERPC_NCA_S_SERVER_TOO_BUSY, NT_STATUS_RPC_SERVER_TOO_BUSY), _FAULT_STR_NO_NT_MAPPING(DCERPC_NCA_S_FAULT_STRING_TOO_LARGE), - _FAULT_STR_NO_NT_MAPPING(DCERPC_NCA_S_UNSUPPORTED_TYPE), + _FAULT_STR(DCERPC_NCA_S_UNSUPPORTED_TYPE, NT_STATUS_RPC_UNSUPPORTED_TYPE), _FAULT_STR_NO_NT_MAPPING(DCERPC_NCA_S_FAULT_ADDR_ERROR), _FAULT_STR(DCERPC_NCA_S_FAULT_FP_DIV_BY_ZERO, NT_STATUS_RPC_FP_DIV_ZERO), _FAULT_STR(DCERPC_NCA_S_FAULT_FP_UNDERFLOW, NT_STATUS_RPC_FP_UNDERFLOW), diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c index 51a8a11ac4a..e01391e6dcd 100644 --- a/librpc/rpc/dcerpc_util.c +++ b/librpc/rpc/dcerpc_util.c @@ -647,13 +647,13 @@ NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req, return NT_STATUS_OK; } -const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx, - enum dcerpc_transport_t transport, - const struct ndr_interface_table *table) +char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx, + enum dcerpc_transport_t transport, + const struct ndr_interface_table *table) { NTSTATUS status; const char *p = NULL; - const char *endpoint = NULL; + char *endpoint = NULL; uint32_t i; struct dcerpc_binding *default_binding = NULL; TALLOC_CTX *frame = talloc_stackframe(); diff --git a/librpc/rpc/dcerpc_util.h b/librpc/rpc/dcerpc_util.h index 4e49e3e8572..86c254e539c 100644 --- a/librpc/rpc/dcerpc_util.h +++ b/librpc/rpc/dcerpc_util.h 
@@ -36,9 +36,9 @@ uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob); uint8_t dcerpc_get_auth_type(const DATA_BLOB *blob); uint8_t dcerpc_get_auth_level(const DATA_BLOB *blob); uint32_t dcerpc_get_auth_context_id(const DATA_BLOB *blob); -const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx, - enum dcerpc_transport_t transport, - const struct ndr_interface_table *table); +char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx, + enum dcerpc_transport_t transport, + const struct ndr_interface_table *table); NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c index 66478001640..7fb23d49d61 100644 --- a/librpc/rpc/dcesrv_core.c +++ b/librpc/rpc/dcesrv_core.c @@ -783,8 +783,8 @@ static void dcesrv_call_set_list(struct dcesrv_call_state *call, } } -static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call, - const char *reason) +void dcesrv_call_disconnect_after(struct dcesrv_call_state *call, + const char *reason) { struct dcesrv_auth *a = NULL; diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h index 90f5bd21d64..0b69af575b2 100644 --- a/librpc/rpc/dcesrv_core.h +++ b/librpc/rpc/dcesrv_core.h @@ -566,6 +566,9 @@ NTSTATUS dcesrv_auth_session_key(struct dcesrv_call_state *call, NTSTATUS dcesrv_transport_session_key(struct dcesrv_call_state *call, DATA_BLOB *session_key); +void dcesrv_call_disconnect_after(struct dcesrv_call_state *call, + const char *reason); + /* a useful macro for generating a RPC fault in the backend code */ #define DCESRV_FAULT(code) do { \ dce_call->fault_code = code; \ diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h index 76557101dcd..493c3137126 100644 --- a/librpc/rpc/rpc_common.h +++ b/librpc/rpc/rpc_common.h 
@@ -172,13 +172,23 @@ enum dcerpc_transport_t dcerpc_transport_by_tower(const struct epm_tower *tower) struct dcerpc_binding_handle_ops { const char *name; + const struct dcerpc_binding *(*get_binding)(struct dcerpc_binding_handle *h); + bool (*is_connected)(struct dcerpc_binding_handle *h); uint32_t (*set_timeout)(struct dcerpc_binding_handle *h, uint32_t timeout); + bool (*transport_encrypted)(struct dcerpc_binding_handle *h); + NTSTATUS (*transport_session_key)(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key); + void (*auth_info)(struct dcerpc_binding_handle *h, enum dcerpc_AuthType *auth_type, enum dcerpc_AuthLevel *auth_level); + NTSTATUS (*auth_session_key)(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key); struct tevent_req *(*raw_call_send)(TALLOC_CTX *mem_ctx, struct tevent_context *ev, 
@@ -245,15 +255,31 @@ void *_dcerpc_binding_handle_data(struct dcerpc_binding_handle *h); _DEPRECATED_ void dcerpc_binding_handle_set_sync_ev(struct dcerpc_binding_handle *h, struct tevent_context *ev); +const struct dcerpc_binding *dcerpc_binding_handle_get_binding(struct dcerpc_binding_handle *h); + +enum dcerpc_transport_t dcerpc_binding_handle_get_transport(struct dcerpc_binding_handle *h); + bool dcerpc_binding_handle_is_connected(struct dcerpc_binding_handle *h); uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h, uint32_t timeout); +bool dcerpc_binding_handle_transport_encrypted(struct dcerpc_binding_handle *h); + +NTSTATUS dcerpc_binding_handle_transport_session_key( + struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key); + void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h, enum dcerpc_AuthType *auth_type, enum dcerpc_AuthLevel *auth_level); +NTSTATUS dcerpc_binding_handle_auth_session_key( + struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key); + struct tevent_req *dcerpc_binding_handle_raw_call_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct dcerpc_binding_handle *h, diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm b/pidl/lib/Parse/Pidl/Samba4/Python.pm index 63f0f72605d..9bcdea3b15b 100644 --- a/pidl/lib/Parse/Pidl/Samba4/Python.pm +++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm 
@@ -1547,11 +1547,30 @@ sub Interface($$$) $self->pidl(""); my $signature = -"\"$interface->{NAME}(binding, lp_ctx=None, credentials=None) -> connection\\n\" -\"\\n\" -\"binding should be a DCE/RPC binding string (for example: ncacn_ip_tcp:127.0.0.1)\\n\" -\"lp_ctx should be a path to a smb.conf file or a param.LoadParm object\\n\" -\"credentials should be a credentials.Credentials object.\\n\\n\""; +"\"$interface->{NAME}(binding, lp_ctx=None, credentials=None, basis_connection=None) -> connection\\n\" +\"\\n\\n\" +\"Parameters\\n\" +\"----------\\n\" +\"binding : str\\n\" +\" A DCE/RPC binding string (for example: ncacn_ip_tcp:127.0.0.1)\\n\" +\"lp_ctx : param.LoadParm\\n\" +\" Should be a path to a smb.conf file or a param.LoadParm object\\n\" +\"credentials : credentials.Credentials, optional\\n\" +\" A credentials.Credentials object (default is None).\\n\" +\"basis_connection : samba.dcerpc.ClientConnection, optional\\n\" +\" A $interface->{NAME} client connection object (default is None).\\n\" +\"\\n\\n\" +\"Returns\\n\" +\"-------\\n\" +\"samba.dcerpc.ClientConnection\\n\" +\" A ClientConnection object\\n\" +\"\\n\\n\" +\"Raises\\n\" +\"------\\n\" +\"samba.NTSTATUSError\\n\" +\" An NTSTATUS error\\n\" +\"\\n\""; + my $docstring = $self->DocString($interface, $interface->{NAME}); diff --git a/python/samba/lsa_utils.py b/python/samba/lsa_utils.py index 043e65f3341..506dc399c93 100644 --- a/python/samba/lsa_utils.py +++ b/python/samba/lsa_utils.py @@ -20,24 +20,27 @@ from samba.dcerpc import lsa, drsblobs, misc from samba.ndr import ndr_pack from samba import ( NTSTATUSError, + ntstatus, aead_aes_256_cbc_hmac_sha512, arcfour_encrypt, -- Samba Shared Repository From janger at samba.org Mon Jul 7 16:18:22 2025 
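Review bot: dcerpc_binding_handle_get_binding() in librpc/rpc/binding_handle.c calls h->ops->get_binding(h) without checking the pointer, while the three other accessors added in the same file (transport_encrypted, transport_session_key, auth_session_key) each test their op for NULL first. Any dcerpc_binding_handle_ops table that leaves .get_binding unset will dereference NULL here, and dcerpc_binding_handle_get_transport() passes the result straight on to dcerpc_binding_get_transport() with no check of its own. Either add the same NULL guard and make get_transport cope with a NULL binding, or state in rpc_common.h that get_binding is mandatory for every backend.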
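Review bot: DBG_STARTUP_NOTICE in lib/util/debug.h ends with an unconditional debug_enable_syslog(), and debug_enable_syslog() in lib/util/debug.c just sets state.disable_syslog = false, so the macro does not restore the value that was in effect before it ran. If any other caller ever uses debug_disable_syslog(), the next startup notice silently switches syslog back on. Saving the previous value and restoring it (for example by having the disable call return the old flag) would make the toggle safe to nest. The two new prototypes in debug.h also carry no comment saying that they change state shared by the whole process.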
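Review bot: tstream_binding_handle_create() in libcli/tstream_binding_handle/tstream_binding_handle.c fills hs->binding from dcerpc_parse_binding(hs, "", &b), so tstream_bh_get_binding() always returns a binding parsed from an empty string rather than one describing the stream the handle wraps. A caller that goes on to dcerpc_binding_handle_get_transport() gets whatever an empty binding reports. A short comment at the parse call saying that this is a placeholder, and what callers may and may not infer from it, would keep later code from relying on it.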
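Review bot: the generated docstring in pidl/lib/Parse/Pidl/Samba4/Python.pm types lp_ctx as param.LoadParm but then describes it as "a path to a smb.conf file or a param.LoadParm object", and it does not mark lp_ctx as optional although the signature line shows lp_ctx=None. Make the type line match the description and add "optional", as is done for credentials and basis_connection. The new basis_connection parameter is described only as a client connection object; one sentence on what is reused from that connection would help callers decide when to pass it.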
From: janger at samba.org (Jule Anger) Date: Mon, 07 Jul 2025 16:18:22 +0000 Subject: [SCM] Samba Shared Repository - branch v4-22-test updated Message-ID: The branch, v4-22-test has been updated via ef1a5896a11 VERSION: Bump version up to Samba 4.22.4... via 70eeb722062 VERSION: Disable GIT_SNAPSHOT for the 4.22.3 release. via 22a95d2aa77 WHATSNEW: Add release notes for Samba 4.22.3. from 78d69a9eebe s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-test - Log ----------------------------------------------------------------- commit ef1a5896a1116468cf80aec251c23e84940a6785 Author: Jule Anger Date: Mon Jul 7 18:16:50 2025 +0200 VERSION: Bump version up to Samba 4.22.4... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit 70eeb7220627eae6f6e0e76f1ec114a1ac965671 Author: Jule Anger Date: Mon Jul 7 18:16:34 2025 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.22.3 release. Signed-off-by: Jule Anger commit 22a95d2aa7726dcc7502d6693ab5a88e0d419d5a Author: Jule Anger Date: Mon Jul 7 18:16:05 2025 +0200 WHATSNEW: Add release notes for Samba 4.22.3. Signed-off-by: Jule Anger ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 87 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 401aa10d8bf..f139c253fa6 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2025" ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=22 -SAMBA_VERSION_RELEASE=3 +SAMBA_VERSION_RELEASE=4 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8b98a91f28a..57d9133b43f 100644 --- a/WHATSNEW.txt 
+++ b/WHATSNEW.txt 
@@ -1,3 +1,88 @@ + ============================== + Release Notes for Samba 4.22.3 + July 07, 2025 + ============================== + + +This is the latest stable release of the Samba 4.22 release series. + + +Important Change in Upcoming Microsoft Update +--------------------------------------------- + +On 8th of July, Microsoft will release an important security update for +Active Directory Domain Controllers for Windows Server versions prior to +2025. + +This update includes a change to the Microsoft RPC Netlogon protocol, +which improves security by tightening access checks for a set of RPC +requests. Samba running as domain members in these environments will be +impacted by this change if a specific configuration is used, see below +for which configuration is affected. + +Windows Server version 2025 is already equipped with these specific +security hardenings, and Microsoft is now planning to deploy them to all +supported Windows Server versions down to Windows Server 2008. + + +Who is affected? + +Samba installations acting as member servers in Windows AD domains will +be affected if they are configured to use the 'ad' idmapping backend. +Samba servers not using this configuration will not be affected by the +change ? at least to our current knowledge and understanding of the +change ? and no further action is required. + +Current versions of Samba with the affected configuration will no longer +function correctly once the Microsoft update has been applied. Users +will not be able to connect to the SMB service provided by Samba for any +domain configured to use the 'ad' idmapping backend. + +See https://bugzilla.samba.org/show_bug.cgi?id=15876. + + +Changes since 4.22.2 +-------------------- + +o Douglas Bagnall + * BUG 15854: samba-tool cannot add user to group whose name is exactly 16 + characters long. + +o G?nther Deschner + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. 
+ +o Stefan Metzmacher + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Andreas Schneider + * BUG 15869: Startup messages of rpc deamons fills /var/log/messages. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.22.2 June 05, 2025 @@ -80,8 +165,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.22.1 April 17, 2025 -- Samba Shared Repository From janger at samba.org Mon Jul 7 16:20:03 2025 
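Review bot: the "Who is affected?" section added to WHATSNEW.txt says that current versions using the 'ad' idmapping backend will stop working once the Microsoft update is applied, but it never says that this release contains the fix; the reader has to infer that from BUG 15876 in the change list. Add one sentence stating that updating to this release is the required action for affected member servers. "On 8th of July" should also carry the year, since these notes stay in the file long after the release, and "deamons" in the BUG 15869 entry should read "daemons".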
From: janger at samba.org (Jule Anger)
Date: Mon, 07 Jul 2025 16:20:03 +0000
Subject: [SCM] Samba Shared Repository - annotated tag samba-4.22.3 created
Message-ID:

The annotated tag, samba-4.22.3 has been created
        at  06e5a6c185150bca7cd283f92f873809ed68e4fa (tag)
   tagging  70eeb7220627eae6f6e0e76f1ec114a1ac965671 (commit)
  replaces  samba-4.22.2
 tagged by  Jule Anger
        on  Mon Jul 7 18:19:30 2025 +0200

- Log -----------------------------------------------------------------
samba: tag release samba-4.22.3

Andreas Schneider (1):
      lib:util: Disable logging to syslog for startup messages

Douglas Bagnall (3):
      pytest:samba-tool group: test addmembers
      pytest: samba-tool group: test with 16 character name
      python: Do not interpret 16 character group names as GUIDs

Günther Deschner (1):
      s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name

Jule Anger (3):
      VERSION: Bump version up to Samba 4.22.3...
      WHATSNEW: Add release notes for Samba 4.22.3.
      VERSION: Disable GIT_SNAPSHOT for the 4.22.3 release.

Stefan Metzmacher (1):
      s3:winbindd: avoid using any netlogon call to get a dc name

-----------------------------------------------------------------------

--
Samba Shared Repository

From janger at samba.org Mon Jul 7 16:21:19 2025
From: janger at samba.org (Jule Anger) Date: Mon, 07 Jul 2025 16:21:19 +0000 Subject: [SCM] Samba Shared Repository - branch v4-22-stable updated Message-ID: The branch, v4-22-stable has been updated via 70eeb722062 VERSION: Disable GIT_SNAPSHOT for the 4.22.3 release. via 22a95d2aa77 WHATSNEW: Add release notes for Samba 4.22.3. via 78d69a9eebe s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name via b197ce8c6f1 s3:winbindd: avoid using any netlogon call to get a dc name via 7501696d552 lib:util: Disable logging to syslog for startup messages via 76d1b6b1807 python: Do not interpret 16 character group names as GUIDs via de43d8e305d pytest: samba-tool group: test with 16 character name via d80ff2e1e58 pytest:samba-tool group: test addmembers via de600282aaf VERSION: Bump version up to Samba 4.22.3... from 64a23714e6d VERSION: Disable GIT_SNAPSHOT for the 4.22.2 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 88 ++++++++++++++++++- lib/util/debug.c | 15 ++++ lib/util/debug.h | 9 ++ python/samba/samdb.py | 10 ++- python/samba/tests/samba_tool/group.py | 17 +++- source3/winbindd/wb_queryuser.c | 17 +++- source3/winbindd/wb_sids2xids.c | 17 +++- source3/winbindd/wb_xids2sids.c | 12 ++- source3/winbindd/winbindd_cm.c | 150 --------------------------------- source3/winbindd/winbindd_dual.c | 6 +- source3/winbindd/winbindd_dual_srv.c | 105 ++--------------------- source3/winbindd/winbindd_proto.h | 1 + source3/winbindd/winbindd_util.c | 19 +++++ 14 files changed, 201 insertions(+), 267 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 5b8bfb01ce6..171017d023a 100644 --- a/VERSION +++ b/VERSION 
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2025" ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=22 -SAMBA_VERSION_RELEASE=2 +SAMBA_VERSION_RELEASE=3 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8b98a91f28a..57d9133b43f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,88 @@ + ============================== + Release Notes for Samba 4.22.3 + July 07, 2025 + ============================== + + +This is the latest stable release of the Samba 4.22 release series. + + +Important Change in Upcoming Microsoft Update +--------------------------------------------- + +On 8th of July, Microsoft will release an important security update for +Active Directory Domain Controllers for Windows Server versions prior to +2025. + +This update includes a change to the Microsoft RPC Netlogon protocol, +which improves security by tightening access checks for a set of RPC +requests. Samba running as domain members in these environments will be +impacted by this change if a specific configuration is used, see below +for which configuration is affected. + +Windows Server version 2025 is already equipped with these specific +security hardenings, and Microsoft is now planning to deploy them to all +supported Windows Server versions down to Windows Server 2008. + + +Who is affected? + +Samba installations acting as member servers in Windows AD domains will +be affected if they are configured to use the 'ad' idmapping backend. +Samba servers not using this configuration will not be affected by the +change ? at least to our current knowledge and understanding of the +change ? and no further action is required. + +Current versions of Samba with the affected configuration will no longer +function correctly once the Microsoft update has been applied. Users +will not be able to connect to the SMB service provided by Samba for any +domain configured to use the 'ad' idmapping backend. + +See https://bugzilla.samba.org/show_bug.cgi?id=15876. + + +Changes since 4.22.2 +-------------------- + +o Douglas Bagnall + * BUG 15854: samba-tool cannot add user to group whose name is exactly 16 + characters long. + +o G?nther Deschner + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. 
+ +o Stefan Metzmacher + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Andreas Schneider + * BUG 15869: Startup messages of rpc deamons fills /var/log/messages. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.22.2 June 05, 2025 @@ -80,8 +165,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.22.1 April 17, 2025 diff --git a/lib/util/debug.c b/lib/util/debug.c index 86f13f181cf..f79b8811a4b 100644 --- a/lib/util/debug.c +++ b/lib/util/debug.c @@ -95,6 +95,7 @@ static struct { bool reopening_logs; bool schedule_reopen_logs; int forced_log_priority; + bool disable_syslog; struct debug_settings settings; debug_callback_fn callback; 
@@ -302,6 +303,10 @@ static void debug_syslog_log(int msg_level, const char *msg, size_t msg_len) { int priority; + if (state.disable_syslog) { + return; + } + priority = debug_level_to_priority(msg_level); /* @@ -1124,6 +1129,16 @@ void debug_set_forced_log_priority(int forced_log_priority) state.forced_log_priority = forced_log_priority; } +void debug_disable_syslog(void) +{ + state.disable_syslog = true; +} + +void debug_enable_syslog(void) +{ + state.disable_syslog = false; +} + /** * Ensure debug logs are initialised. * diff --git a/lib/util/debug.h b/lib/util/debug.h index f188105c9f4..2a56c7d48fe 100644 --- a/lib/util/debug.h +++ b/lib/util/debug.h @@ -276,9 +276,16 @@ void debuglevel_set_class(size_t idx, int level); #define DBGLVL_INFO 5 /* informational message */ #define DBGLVL_DEBUG 10 /* debug-level message */ +/* + * Logging to syslog will be disabled as messages on debug level 0 are always + * reported to syslog too. We don't want to clutter the syslog with startup + * messages from rpc on demand daemons. + */ #define DBG_STARTUP_NOTICE(...) do { \ debug_set_forced_log_priority(DBGLVL_NOTICE); \ + debug_disable_syslog(); \ D_ERR(__VA_ARGS__); \ + debug_enable_syslog(); \ debug_set_forced_log_priority(-1); \ } while(0) @@ -362,6 +369,8 @@ void debug_set_settings(struct debug_settings *settings, int syslog_level, bool syslog_only); void debug_set_hostname(const char *name); void debug_set_forced_log_priority(int forced_log_priority); +void debug_disable_syslog(void); +void debug_enable_syslog(void); bool reopen_logs_internal( void ); void force_check_log_size( void ); bool need_to_check_log_size( void ); diff --git a/python/samba/samdb.py b/python/samba/samdb.py index 0545aed98eb..7a1cee1e108 100644 --- a/python/samba/samdb.py +++ b/python/samba/samdb.py 
@@ -35,6 +35,7 @@ from samba.common import normalise_int32 from samba.common import get_bytes, cmp from samba.dcerpc import security from samba import is_ad_dc_built +from samba import string_is_guid from samba import NTSTATUSError, ntstatus import binascii @@ -388,6 +389,13 @@ lockoutTime: 0 partial_groupfilter = None + # If looks like a SID, GUID, or DN, we use it + # accordingly, otherwise as a name. + # + # Because misc.GUID() will read any 16 byte sequence as a + # binary guid, we need to be careful not to read 16 character + # names as GUIDs. + group_sid = None try: group_sid = security.dom_sid(group) @@ -397,7 +405,7 @@ lockoutTime: 0 partial_groupfilter = "(objectClass=*)" group_guid = None - if partial_groupfilter is None: + if partial_groupfilter is None and string_is_guid(group): try: group_guid = misc.GUID(group) except NTSTATUSError as e: diff --git a/python/samba/tests/samba_tool/group.py b/python/samba/tests/samba_tool/group.py index e8c0960849f..1c5bc9690f9 100644 --- a/python/samba/tests/samba_tool/group.py +++ b/python/samba/tests/samba_tool/group.py @@ -38,7 +38,8 @@ class GroupCmdTestCase(SambaToolCmdTest): self.groups.append(self._randomGroup({"name": "testgroup1"})) self.groups.append(self._randomGroup({"name": "testgroup2"})) self.groups.append(self._randomGroup({"name": "testgroup3"})) - self.groups.append(self._randomGroup({"name": "testgroup4"})) + self.groups.append(self._randomGroup( + {"name": "16 character name for bug 15854"[:16]})) self.groups.append(self._randomGroup({"name": "testgroup5 (with brackets)"})) self.groups.append(self._randomPosixGroup({"name": "posixgroup1"})) self.groups.append(self._randomPosixGroup({"name": "posixgroup2"})) 
@@ -334,6 +335,20 @@ class GroupCmdTestCase(SambaToolCmdTest): name = str(groupobj.get("dn", idx=0)) self.assertMatch(out, name, "group '%s' not found" % name) + def test_addmember(self): + groups = [g['name'] for g in self.groups] + for parent, child in zip(groups, groups[1:]): + (result, out, err) = self.runsubcmd( + "group", "addmembers", parent, child) + self.assertCmdSuccess(result, out, err) + + (result, out, err) = self.runsubcmd( + "group", "addmembers", groups[-1], ','.join(groups[:-1])) + self.assertCmdSuccess(result, out, err) + + (result, out, err) = self.runsubcmd( + "group", "addmembers", groups[0], "alice,bob") + self.assertCmdSuccess(result, out, err) def test_move(self): full_ou_dn = str(self.samdb.normalize_dn_in_domain("OU=movetest_grp")) diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c index c2758f1b76a..db8e946ba71 100644 --- a/source3/winbindd/wb_queryuser.c +++ b/source3/winbindd/wb_queryuser.c @@ -289,10 +289,19 @@ static void wb_queryuser_done(struct tevent_req *subreq) if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling wb_dsgetdcname_send()\n"); - subreq = wb_dsgetdcname_send( - state, state->ev, state->info->domain_name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->info->domain_name); + + D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " + "wb_dsgetdcname_send(%s)\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c index f0f6c23fc20..03e5e7e0258 100644 --- a/source3/winbindd/wb_sids2xids.c +++ b/source3/winbindd/wb_sids2xids.c 
@@ -612,13 +612,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq) !state->tried_dclookup) { struct lsa_DomainInfo *d; + const char *domain_name = NULL; - D_DEBUG("Domain controller not found. Calling wb_dsgetdcname_send() to get it.\n"); d = &state->idmap_doms.domains[state->dom_index]; - subreq = wb_dsgetdcname_send( - state, state->ev, d->name.string, NULL, NULL, - DS_RETURN_DNS_NAME); + domain_name = find_dns_domain_name(d->name.string); + + D_DEBUG("Domain controller not found. Calling " + "wb_dsgetdcname_send(%s) to get it.\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c index 86bd7f9deab..6fcf524d94f 100644 --- a/source3/winbindd/wb_xids2sids.c +++ b/source3/winbindd/wb_xids2sids.c @@ -143,9 +143,15 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - subreq = wb_dsgetdcname_send( - state, state->ev, state->dom_map->name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->dom_map->name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 420ea961876..741761f606b 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -475,140 +475,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials *creds) return ret; } -static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, - fstring dcname, - struct sockaddr_storage *dc_ss, - uint32_t request_flags) -{ - struct winbindd_domain *our_domain = NULL; - struct rpc_pipe_client *netlogon_pipe = NULL; - NTSTATUS result; - WERROR werr; - TALLOC_CTX *mem_ctx; - unsigned int orig_timeout; - const char *tmp = NULL; - const char *p; - struct dcerpc_binding_handle *b; - - /* Hmmmm. We can only open one connection to the NETLOGON pipe at the - * moment.... */ - - if (IS_DC) { - return False; - } - - if (domain->primary) { - return False; - } - - our_domain = find_our_domain(); - - if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { - return False; - } - - result = cm_connect_netlogon(our_domain, &netlogon_pipe); - if (!NT_STATUS_IS_OK(result)) { - talloc_destroy(mem_ctx); - return False; - } - - b = netlogon_pipe->binding_handle; - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. 
*/ - - orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); - - if (our_domain->active_directory) { - struct netr_DsRGetDCNameInfo *domain_info = NULL; - - /* - * TODO request flags are not respected in the server - * (and in some cases, like REQUIRE_PDC, causes an error) - */ - result = dcerpc_netr_DsRGetDCName(b, - mem_ctx, - our_domain->dcname, - domain->name, - NULL, - NULL, - request_flags|DS_RETURN_DNS_NAME, - &domain_info, - &werr); - if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { - tmp = talloc_strdup( - mem_ctx, domain_info->dc_unc); - if (tmp == NULL) { - DBG_ERR("talloc_strdup failed for dc_unc[%s]\n", - domain_info->dc_unc); - talloc_destroy(mem_ctx); - return false; - } - if (domain->alt_name == NULL) { - domain->alt_name = talloc_strdup(domain, - domain_info->domain_name); - if (domain->alt_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->domain_name[%s]\n", - domain_info->domain_name); - talloc_destroy(mem_ctx); - return false; - } - } - if (domain->forest_name == NULL) { - domain->forest_name = talloc_strdup(domain, - domain_info->forest_name); - if (domain->forest_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->forest_name[%s]\n", - domain_info->forest_name); - talloc_destroy(mem_ctx); - return false; - } - } - } - } else { - result = dcerpc_netr_GetAnyDCName(b, mem_ctx, - our_domain->dcname, - domain->name, - &tmp, - &werr); - } - - /* And restore our original timeout. 
*/ - rpccli_set_timeout(netlogon_pipe, orig_timeout); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - nt_errstr(result))); - talloc_destroy(mem_ctx); - return false; - } - - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - win_errstr(werr))); - talloc_destroy(mem_ctx); - return false; - } - - /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ - p = strip_hostname(tmp); - - fstrcpy(dcname, p); - - talloc_destroy(mem_ctx); - - DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); - - if (!resolve_name(dcname, dc_ss, 0x20, true)) { - return False; - } - - return True; -} - /** * Helper function to assemble trust password and account name */ @@ -1307,24 +1173,8 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, struct samba_sockaddr *sa_list = NULL; size_t salist_size = 0; size_t i; - bool is_our_domain; enum security_types sec = (enum security_types)lp_security(); - is_our_domain = strequal(domain->name, lp_workgroup()); - - /* If not our domain, get the preferred DC, by asking our primary DC */ - if ( !is_our_domain - && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) - && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, - num_dcs) ) - { - char addr[INET6_ADDRSTRLEN]; - print_sockaddr(addr, sizeof(addr), &ss); -- Samba Shared Repository From janger at samba.org Mon Jul 7 16:29:17 2025 
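Review bot: DBG_STARTUP_NOTICE in lib/util/debug.h should restore the previous syslog state instead of calling debug_enable_syslog() unconditionally after D_ERR(). As written, the macro switches syslog back on even when a caller had already turned it off with debug_disable_syslog(), because state.disable_syslog is a single global bool and both functions are exported in debug.h. Save the old value and put it back in the macro (or make the pair a counter), and add a short comment on the two prototypes saying that they make debug_syslog_log() return early for every message until syslog is re-enabled.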
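Review bot: The tests in python/samba/tests/samba_tool/group.py cover only the 16 character name side of the new "string_is_guid(group)" guard in python/samba/samdb.py. Add a case that sends a real GUID string through the same lookup, so a guard that wrongly rejected GUIDs would fail the test rather than silently fall through to the name path. test_addmember also adds "alice,bob" to groups[0] without the hunk showing where those accounts are created; a one-line comment naming the fixture would help.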
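Review bot: Missing NULL check on the result of find_dns_domain_name() in source3/winbindd/wb_queryuser.c, wb_sids2xids.c and wb_xids2sids.c. The returned pointer goes straight into wb_dsgetdcname_send(), and in the first two files also into a "%s" in D_DEBUG. The helper's body in winbindd_util.c is cut off by the 500 line truncation, so it is not visible here whether it falls back to the name it was given. If it can return NULL, check before the send and finish the request with an error; either way, document the fallback behaviour where the helper is declared.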
From: janger at samba.org (Jule Anger) Date: Mon, 07 Jul 2025 16:29:17 +0000 Subject: [SCM] Samba Website Repository - branch master updated Message-ID: The branch, master has been updated via d42b09c NEWS[4.21.7]: Samba 4.22.3 and 4.21.7 Available for Download from ec77184 docs: remove links ti old and crufted translations https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit d42b09cfcc134c457566c964967fe18435ff4f2a Author: Jule Anger Date: Mon Jul 7 18:11:45 2025 +0200 NEWS[4.21.7]: Samba 4.22.3 and 4.21.7 Available for Download Signed-off-by: Jule Anger ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 2 + history/samba-4.21.7.html | 81 +++++++++++++++++++++++ history/samba-4.22.3.html | 84 ++++++++++++++++++++++++ posted_news/20250707-161349.4.21.7.body.html | 21 ++++++ posted_news/20250707-161349.4.21.7.headline.html | 3 + 5 files changed, 191 insertions(+) create mode 100644 history/samba-4.21.7.html create mode 100644 history/samba-4.22.3.html create mode 100644 posted_news/20250707-161349.4.21.7.body.html create mode 100644 posted_news/20250707-161349.4.21.7.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 9f73997..85ce85a 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,9 +9,11 @@ Release Notes +
- samba-4.22.3
- samba-4.22.2
- samba-4.22.1
- samba-4.22.0
+- samba-4.21.7
- samba-4.21.6
- samba-4.21.5
- samba-4.21.4
diff --git a/history/samba-4.21.7.html b/history/samba-4.21.7.html new file mode 100644 index 0000000..6f1a119 --- /dev/null +++ b/history/samba-4.21.7.html @@ -0,0 +1,81 @@ + + + +Samba 4.21.7 - Release Notes + + +Samba 4.21.7 Available for Download
++Samba 4.21.7 (gzipped)
+
+Signature ++Patch (gzipped) against Samba 4.21.6
+
+Signature ++
+ ============================== + Release Notes for Samba 4.21.7 + July 07, 2025 + ============================== + + +This is the latest stable release of the Samba 4.21 release series. + + +Important Change in Upcoming Microsoft Update +--------------------------------------------- + +On 8th of July, Microsoft will release an important security update for +Active Directory Domain Controllers for Windows Server versions prior to +2025. + +This update includes a change to the Microsoft RPC Netlogon protocol, +which improves security by tightening access checks for a set of RPC +requests. Samba running as domain members in these environments will be +impacted by this change if a specific configuration is used, see below +for which configuration is affected. + +Windows Server version 2025 is already equipped with these specific +security hardenings, and Microsoft is now planning to deploy them to all +supported Windows Server versions down to Windows Server 2008. + + +Who is affected? + +Samba installations acting as member servers in Windows AD domains will +be affected if they are configured to use the 'ad' idmapping backend. +Samba servers not using this configuration will not be affected by the +change ??? at least to our current knowledge and understanding of the +change ??? and no further action is required. + +Current versions of Samba with the affected configuration will no longer +function correctly once the Microsoft update has been applied. Users +will not be able to connect to the SMB service provided by Samba for any +domain configured to use the 'ad' idmapping backend. + +See https://bugzilla.samba.org/show_bug.cgi?id=15876. + +Changes since 4.21.6 +-------------------- + +o Günther Deschner <gd at samba.org> + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Stefan Metzmacher <metze at samba.org> + * BUG 15680: Trust domains are not created. 
+ * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Andreas Schneider <asn at samba.org> + * BUG 15680: Trust domains are not created. + * BUG 15869: Startup messages of rpc deamons fills /var/log/messages. + + ++ + + diff --git a/history/samba-4.22.3.html b/history/samba-4.22.3.html new file mode 100644 index 0000000..bcc96a6 --- /dev/null +++ b/history/samba-4.22.3.html @@ -0,0 +1,84 @@ + + + +Samba 4.22.3 - Release Notes + + +Samba 4.22.3 Available for Download
++Samba 4.22.3 (gzipped)
+
+Signature ++Patch (gzipped) against Samba 4.22.2
+
+Signature ++
+ ============================== + Release Notes for Samba 4.22.3 + July 07, 2025 + ============================== + + +This is the latest stable release of the Samba 4.22 release series. + + +Important Change in Upcoming Microsoft Update +--------------------------------------------- + +On 8th of July, Microsoft will release an important security update for +Active Directory Domain Controllers for Windows Server versions prior to +2025. + +This update includes a change to the Microsoft RPC Netlogon protocol, +which improves security by tightening access checks for a set of RPC +requests. Samba running as domain members in these environments will be +impacted by this change if a specific configuration is used, see below +for which configuration is affected. + +Windows Server version 2025 is already equipped with these specific +security hardenings, and Microsoft is now planning to deploy them to all +supported Windows Server versions down to Windows Server 2008. + + +Who is affected? + +Samba installations acting as member servers in Windows AD domains will +be affected if they are configured to use the 'ad' idmapping backend. +Samba servers not using this configuration will not be affected by the +change ??? at least to our current knowledge and understanding of the +change ??? and no further action is required. + +Current versions of Samba with the affected configuration will no longer +function correctly once the Microsoft update has been applied. Users +will not be able to connect to the SMB service provided by Samba for any +domain configured to use the 'ad' idmapping backend. + +See https://bugzilla.samba.org/show_bug.cgi?id=15876. + + +Changes since 4.22.2 +-------------------- + +o Douglas Bagnall <douglas.bagnall at catalyst.net.nz> + * BUG 15854: samba-tool cannot add user to group whose name is exactly 16 + characters long. 
+ +o Günther Deschner <gd at samba.org> + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Stefan Metzmacher <metze at samba.org> + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Andreas Schneider <asn at samba.org> + * BUG 15869: Startup messages of rpc deamons fills /var/log/messages. + + ++ + + diff --git a/posted_news/20250707-161349.4.21.7.body.html b/posted_news/20250707-161349.4.21.7.body.html new file mode 100644 index 0000000..d15d7ca --- /dev/null +++ b/posted_news/20250707-161349.4.21.7.body.html @@ -0,0 +1,21 @@ + +07 July 2025
+Samba 4.22.3 and 4.21.7 Available for Download
++These are the latest stable releases of the Samba 4.22 and the Samba 4.21 +release series. +
++The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +
++The 4.22.3 source code can be downloaded now. +A patch against Samba 4.22.2 is also available. +See the release notes for more info. +
++The 4.21.7 source code can be downloaded now. +A patch against Samba 4.21.6 is also available. +See the release notes for more info. +
+ diff --git a/posted_news/20250707-161349.4.21.7.headline.html b/posted_news/20250707-161349.4.21.7.headline.html new file mode 100644 index 0000000..8aa3cac --- /dev/null +++ b/posted_news/20250707-161349.4.21.7.headline.html @@ -0,0 +1,3 @@ + +07 July 2025 Samba 4.22.3 and 4.21.7 Available for Download + -- Samba Website Repository From gd at samba.org Mon Jul 7 16:47:01 2025 From: gd at samba.org (=?UTF-8?Q?G=C3=BCnther_Deschner?=) Date: Mon, 07 Jul 2025 16:47:01 +0000 Subject: [SCM] Samba Shared Repository - branch master updated Message-ID:The branch, master has been updated via 88572cc8f62 libads: fix get_kdc_ip_string() ... from 2560c9b3224 s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 88572cc8f629a737a1d5b33d5800f3692895233f Author: Ralph Boehme Date: Fri Jul 4 17:50:40 2025 +0200 libads: fix get_kdc_ip_string() ... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15881 Signed-off-by: Ralph Boehme Reviewed-by: Guenther Deschner Autobuild-User(master): Günther Deschner Autobuild-Date(master): Mon Jul 7 16:46:29 UTC 2025 on atb-devel-224 ----------------------------------------------------------------------- Summary of changes: source3/libads/kerberos.c | 1 + 1 file changed, 1 insertion(+) Changeset truncated at 500 lines: diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 75803500d31..145bc36cdb2 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -1230,6 +1230,7 @@ static char *get_kdc_ip_string(char *mem_ctx, if (!NT_STATUS_IS_OK(status)) { DBG_DEBUG("netlogon_pings failed: %s\n", nt_errstr(status)); + result = talloc_move(mem_ctx, &kdc_str); goto out; } -- Samba Shared Repository From jra at samba.org Mon Jul 7 17:46:01 2025 
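Review bot: The signing key in posted_news/20250707-161349.4.21.7.body.html is identified only by the 64-bit key ID "AA99442FB680B620". Give the full fingerprint next to it, or link to the page that lists it, so that someone verifying the tarball signature can compare the whole fingerprint rather than a key ID.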
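Review bot: The failure branch after netlogon_pings() in source3/libads/kerberos.c needs a comment. The added talloc_move() hands kdc_str to result before "goto out", but nothing in the hunk or in the commit message says what kdc_str holds at that point or why returning it on failure is the intended outcome. State on this branch that the fallback is deliberate, and spell out the fixed behaviour in the commit subject instead of "...".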
From: jra at samba.org (Jeremy Allison) Date: Mon, 07 Jul 2025 17:46:01 +0000 Subject: [SCM] Samba Shared Repository - branch master updated Message-ID: The branch, master has been updated via 96870782516 smbd: avoid mangling names in smbd_dirptr_lanman2_match_fn() for POSIX via e5ff201592e smbd: pass dirfsp instead of conn and dptr to smbd_dirptr_lanman2_entry() and get_lanman2_dir_entry() via 8b2ae47a511 libsmb: use parse_finfo_posix_info in is_bad_finfo_name() via bc300c7a300 libsmb: set finfo->flags.posix in parse_finfo_posix_info() via 4b7175eae80 libsmb: add flags to struct file_info via 93ad870a1e4 tests: expand SMB3 POSIX test for Windows illegal characters behaviour from 88572cc8f62 libads: fix get_kdc_ip_string() ... https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 9687078251620c50420ebbeb6d7d3d53c04705a7 Author: Ralph Boehme Date: Sun May 25 20:05:59 2025 +0200 smbd: avoid mangling names in smbd_dirptr_lanman2_match_fn() for POSIX BUG: https://bugzilla.samba.org/show_bug.cgi?id=15862 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Mon Jul 7 17:45:13 UTC 2025 on atb-devel-224 commit e5ff201592eec86b22ccaa977f3efd3c0e5f9053 Author: Ralph Boehme Date: Sun May 25 20:04:53 2025 +0200 smbd: pass dirfsp instead of conn and dptr to smbd_dirptr_lanman2_entry() and get_lanman2_dir_entry() No change in behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15862 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison commit 8b2ae47a5110592cdaef070c972514a47bce0b50 Author: Ralph Boehme Date: Mon May 26 10:37:42 2025 +0200 libsmb: use parse_finfo_posix_info in is_bad_finfo_name() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15862 
Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison commit bc300c7a300bafe4dc417d074f56ffd2547dd2f9 Author: Ralph Boehme Date: Mon May 26 10:37:18 2025 +0200 libsmb: set finfo->flags.posix in parse_finfo_posix_info() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15862 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison commit 4b7175eae803a026b9a0709ff1fe71b9cf43d631 Author: Ralph Boehme Date: Mon May 26 10:35:21 2025 +0200 libsmb: add flags to struct file_info BUG: https://bugzilla.samba.org/show_bug.cgi?id=15862 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison commit 93ad870a1e497066f82e8ec85c8a643dcd15b4de Author: Ralph Boehme Date: Sun May 25 15:15:27 2025 +0200 tests: expand SMB3 POSIX test for Windows illegal characters behaviour The test was testing file creation, but not FIND behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15862 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison ----------------------------------------------------------------------- Summary of changes: python/samba/tests/smb3unix.py | 21 +++++++++++++++++++-- source3/include/client.h | 3 +++ source3/libsmb/cli_smb2_fnum.c | 1 + source3/libsmb/clilist.c | 4 +++- source3/smbd/globals.h | 3 +-- source3/smbd/smb1_trans2.c | 11 ++++------- source3/smbd/smb2_query_directory.c | 3 +-- source3/smbd/smb2_trans2.c | 13 ++++++++++--- 8 files changed, 42 insertions(+), 17 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/smb3unix.py b/python/samba/tests/smb3unix.py index 5c8ab182061..289bc5ac5b4 100644 --- a/python/samba/tests/smb3unix.py +++ b/python/samba/tests/smb3unix.py 
@@ -182,13 +182,30 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests): wire_mode = libsmb.unix_mode_to_wire(0o744) f,_,cc_out = c.create_ex('\\%s' % fname, CreateDisposition=libsmb.FILE_CREATE, - DesiredAccess=security.SEC_STD_DELETE, + DesiredAccess=security.SEC_FILE_READ_ATTRIBUTE, CreateContexts=[posix_context(wire_mode)]) except NTSTATUSError as e: self.fail(e) - c.delete_on_close(f, True) c.close(f) + try: + res = c.list('', info_level=libsmb.SMB2_FIND_POSIX_INFORMATION) + found_files = {get_string(i['name']): i for i in res} + for fname in test_files: + self.assertTrue(fname in found_files) + except NTSTATUSError as e: + self.fail(e) + finally: + wire_mode = libsmb.unix_mode_to_wire(0o600) + for fname in test_files: + f,_,_ = c.create_ex('\\%s' % fname, + CreateDisposition=libsmb.FILE_OPEN, + DesiredAccess=security.SEC_STD_DELETE, + CreateContexts=[posix_context(wire_mode)]) + c.delete_on_close(f, True) + c.close(f) + + def test_posix_delete_on_close(self): c = libsmb.Conn( self.server_ip, diff --git a/source3/include/client.h b/source3/include/client.h index aaac2956f32..18f76019ae8 100644 --- a/source3/include/client.h +++ b/source3/include/client.h @@ -111,6 +111,9 @@ struct file_info { nlink_t st_ex_nlink; struct dom_sid owner_sid; struct dom_sid group_sid; + struct { + bool posix : 1; + } flags; }; #define CLI_FULL_CONNECTION_DONT_SPNEGO 0x0001 diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c index dcd6aa50c58..cbbd1208e04 100644 --- a/source3/libsmb/cli_smb2_fnum.c +++ b/source3/libsmb/cli_smb2_fnum.c @@ -1334,6 +1334,7 @@ static NTSTATUS parse_finfo_posix_info(const uint8_t *dir_data, finfo->st_ex_mode = wire_mode_to_unix(info.cc.posix_mode); sid_copy(&finfo->owner_sid, &info.cc.owner); sid_copy(&finfo->group_sid, &info.cc.group); + finfo->flags.posix = true; if (dir_data_length < 4) { return NT_STATUS_INFO_LENGTH_MISMATCH; 
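Review bot: In parse_finfo_posix_info() (source3/libsmb/cli_smb2_fnum.c), "finfo->flags.posix = true;" is assigned before the "dir_data_length < 4" check, so a finfo from a parse that returns NT_STATUS_INFO_LENGTH_MISMATCH is still marked as POSIX. Move the assignment below the last validation step, or document that callers must not inspect finfo when the parse fails. This matters because is_bad_finfo_name() now relaxes its name checks based on this flag.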
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c index f954405ba10..9ec3e3240f4 100644 --- a/source3/libsmb/clilist.c +++ b/source3/libsmb/clilist.c @@ -66,7 +66,9 @@ NTSTATUS is_bad_finfo_name(const struct cli_state *cli, NTSTATUS status = NT_STATUS_OK; bool windows_names = true; - if (cli->requested_posix_capabilities & CIFS_UNIX_POSIX_PATHNAMES_CAP) { + if ((cli->requested_posix_capabilities & CIFS_UNIX_POSIX_PATHNAMES_CAP) + || finfo->flags.posix) + { windows_names = false; } if (finfo->name != NULL) { diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index c74762248c1..e518c710cda 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -162,8 +162,7 @@ NTSTATUS smbd_do_qfsinfo(struct smbXsrv_connection *xconn, int *ret_data_len); NTSTATUS smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx, - connection_struct *conn, - struct dptr_struct *dirptr, + struct files_struct *dirfsp, uint16_t flags2, const char *path_mask, uint32_t dirtype, diff --git a/source3/smbd/smb1_trans2.c b/source3/smbd/smb1_trans2.c index 643c05dd77e..568a5611223 100644 --- a/source3/smbd/smb1_trans2.c +++ b/source3/smbd/smb1_trans2.c @@ -769,8 +769,7 @@ static void call_trans2open(connection_struct *conn, } static NTSTATUS get_lanman2_dir_entry(TALLOC_CTX *ctx, - connection_struct *conn, - struct dptr_struct *dirptr, + struct files_struct *dirfsp, uint16_t flags2, const char *path_mask, uint32_t dirtype, @@ -792,7 +791,7 @@ static NTSTATUS get_lanman2_dir_entry(TALLOC_CTX *ctx, align = 1; } - return smbd_dirptr_lanman2_entry(ctx, conn, dirptr, flags2, + return smbd_dirptr_lanman2_entry(ctx, dirfsp, flags2, path_mask, dirtype, info_level, requires_resume_key, dont_descend, true, align, do_pad, @@ -1108,8 +1107,7 @@ static void call_trans2findfirst(connection_struct *conn, for (i=0;(i dptr, + fsp, req->flags2, mask, dirtype, 
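Review bot: is_bad_finfo_name() in source3/libsmb/clilist.c needs a comment stating which checks still run when windows_names is false. The new "|| finfo->flags.posix" clears windows_names for every entry parsed at the POSIX info level, so anything the function rejects only for Windows names no longer applies to names a server returns in such listings. The rest of the function is outside the hunk, so that cannot be confirmed from here. The libsmb test in smb3unix.py only asserts that the listed names are found; a case asserting what is still refused would pin the behaviour down.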
@@ -1568,8 +1566,7 @@ static void call_trans2findnext(connection_struct *conn, for (i=0;(i<(int)maxentries) && !finished && !out_of_space ;i++) { ntstatus = get_lanman2_dir_entry(ctx, - conn, - fsp->dptr, + fsp, req->flags2, mask, dirtype, diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c index ba8b690e1d7..0e66705425a 100644 --- a/source3/smbd/smb2_query_directory.c +++ b/source3/smbd/smb2_query_directory.c @@ -534,8 +534,7 @@ static bool smb2_query_directory_next_entry(struct tevent_req *req) SMB_ASSERT(space_remaining >= 0); status = smbd_dirptr_lanman2_entry(state, - state->dirfsp->conn, - state->dirfsp->dptr, + state->dirfsp, state->smbreq->flags2, state->in_file_name, state->dirtype, diff --git a/source3/smbd/smb2_trans2.c b/source3/smbd/smb2_trans2.c index 3483a413335..deb371beaba 100644 --- a/source3/smbd/smb2_trans2.c +++ b/source3/smbd/smb2_trans2.c @@ -920,6 +920,7 @@ struct smbd_dirptr_lanman2_state { uint32_t info_level; bool check_mangled_names; bool case_sensitive; + bool posix_paths; }; static bool smbd_dirptr_lanman2_match_fn(TALLOC_CTX *ctx, @@ -936,7 +937,9 @@ static bool smbd_dirptr_lanman2_match_fn(TALLOC_CTX *ctx, const char *fname; /* Mangle fname if it's an illegal name. */ - if (mangle_must_mangle(dname, state->conn->params)) { + if (!state->posix_paths && + mangle_must_mangle(dname, state->conn->params)) + { /* * Slow path - ensure we can push the original name as UCS2. If * not, then just don't return this name. @@ -1758,8 +1761,7 @@ static NTSTATUS smbd_marshall_dir_entry(TALLOC_CTX *ctx, } NTSTATUS smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx, - connection_struct *conn, - struct dptr_struct *dirptr, + struct files_struct *dirfsp, uint16_t flags2, const char *path_mask, uint32_t dirtype, 
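Review bot: The "!state->posix_paths &&" short-circuit in smbd_dirptr_lanman2_match_fn() (source3/smbd/smb2_trans2.c) skips more than the mangling. The block it guards is also the slow path whose comment says it ensures the original name can be pushed as UCS2 and otherwise does not return the name. Add a comment saying what happens on a POSIX handle to a name that cannot be converted, i.e. whether a later step drops just that entry or fails the whole listing.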
@@ -1778,6 +1780,8 @@ NTSTATUS smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx, struct ea_list *name_list, struct file_id *file_id) { + struct connection_struct *conn = dirfsp->conn; + struct dptr_struct *dirptr = dirfsp->dptr; const char *p; const char *mask = NULL; uint32_t mode = 0; @@ -1799,6 +1803,9 @@ NTSTATUS smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx, state.check_mangled_names = true; } state.case_sensitive = dptr_case_sensitive(dirptr); + if (dirfsp->fsp_name->flags & SMB_FILENAME_POSIX_PATH) { + state.posix_paths = true; + } p = strrchr_m(path_mask,'/'); if(p != NULL) { -- Samba Shared Repository From scabrero at samba.org Tue Jul 8 07:22:02 2025 From: scabrero at samba.org (Samuel Cabrero) Date: Tue, 08 Jul 2025 07:22:02 +0000 Subject: [SCM] Samba Shared Repository - branch master updated Message-ID: The branch, master has been updated via 0c4b632310b s3:winbind: Initialize and setup idmap child in winbindd_getgrnam() via 96ff0669806 s3:winbind: Initialize and setup idmap child in winbindd_getpwnam() from 96870782516 smbd: avoid mangling names in smbd_dirptr_lanman2_match_fn() for POSIX https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 0c4b632310b6e946d8493735b8cdeeb0d2cc39fe Author: Samuel Cabrero Date: Mon Jul 7 13:15:43 2025 +0200 s3:winbind: Initialize and setup idmap child in winbindd_getgrnam() Make sure the idmap child is initialized before delegating the name unmapping. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15882 
Signed-off-by: Samuel Cabrero Reviewed-by: Ralph Boehme Autobuild-User(master): Samuel Cabrero Autobuild-Date(master): Tue Jul 8 07:21:26 UTC 2025 on atb-devel-224 commit 96ff066980649c5a7ec549983232a574d437eb71 Author: Samuel Cabrero Date: Mon Jul 7 13:04:15 2025 +0200 s3:winbind: Initialize and setup idmap child in winbindd_getpwnam() Make sure the idmap child is initialized before delegating the name unmapping. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15882 Signed-off-by: Samuel Cabrero Reviewed-by: Ralph Boehme ----------------------------------------------------------------------- Summary of changes: source3/winbindd/winbindd_getgrnam.c | 29 ++++++++++++++++++++++++++--- source3/winbindd/winbindd_getpwnam.c | 33 ++++++++++++++++++++++++++++----- 2 files changed, 54 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_getgrnam.c b/source3/winbindd/winbindd_getgrnam.c index be19287c15b..0ea5f00a605 100644 --- a/source3/winbindd/winbindd_getgrnam.c +++ b/source3/winbindd/winbindd_getgrnam.c @@ -39,7 +39,7 @@ struct winbindd_getgrnam_state { struct db_context *members; }; -static void winbindd_getgrnam_unmap_done(struct tevent_req *subreq); +static void winbindd_getgrnam_initialized(struct tevent_req *subreq); struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct winbindd_cli_state *cli, 
@@ -69,16 +69,39 @@ struct tevent_req *winbindd_getgrnam_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } + subreq = wb_parent_idmap_setup_send(state, ev); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, winbindd_getgrnam_initialized, req); + return req; +} + +static void winbindd_getgrnam_unmap_done(struct tevent_req *subreq); +static void winbindd_getgrnam_initialized(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct winbindd_getgrnam_state *state = tevent_req_data( + req, struct winbindd_getgrnam_state); + const struct wb_parent_idmap_config *cfg = NULL; + NTSTATUS status; + + status = wb_parent_idmap_setup_recv(subreq, &cfg); + TALLOC_FREE(subreq); + if (tevent_req_nterror(req, status)) { + return; + } + subreq = dcerpc_wbint_NormalizeNameUnmap_send(state, state->ev, idmap_child_handle(), state->request_name, &state->unmapped_name); if (tevent_req_nomem(subreq, req)) { - return tevent_req_post(req, ev); + return; } tevent_req_set_callback(subreq, winbindd_getgrnam_unmap_done, req); - return req; } static void winbindd_getgrnam_lookupname_done(struct tevent_req *subreq); diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c index f22b724ab66..b286176dcb0 100644 --- a/source3/winbindd/winbindd_getpwnam.c +++ b/source3/winbindd/winbindd_getpwnam.c @@ -38,7 +38,7 @@ struct winbindd_getpwnam_state { static void winbindd_getpwnam_lookupname_done(struct tevent_req *subreq); static void winbindd_getpwnam_done(struct tevent_req *subreq); -static void winbindd_getgrnam_unmap_done(struct tevent_req *subreq); +static void winbindd_getpwnam_initialized(struct tevent_req *subreq); struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct winbindd_cli_state *cli, 
@@ -68,19 +68,42 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } + subreq = wb_parent_idmap_setup_send(state, ev); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, winbindd_getpwnam_initialized, req); + return req; +} + +static void winbindd_getpwnam_unmap_done(struct tevent_req *subreq); +static void winbindd_getpwnam_initialized(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct winbindd_getpwnam_state *state = tevent_req_data( + req, struct winbindd_getpwnam_state); + const struct wb_parent_idmap_config *cfg = NULL; + NTSTATUS status; + + status = wb_parent_idmap_setup_recv(subreq, &cfg); + TALLOC_FREE(subreq); + if (tevent_req_nterror(req, status)) { + return; + } + subreq = dcerpc_wbint_NormalizeNameUnmap_send(state, state->ev, idmap_child_handle(), state->request_name, &state->unmapped_name); if (tevent_req_nomem(subreq, req)) { - return tevent_req_post(req, ev); + return; } - tevent_req_set_callback(subreq, winbindd_getgrnam_unmap_done, req); - return req; + tevent_req_set_callback(subreq, winbindd_getpwnam_unmap_done, req); } -static void winbindd_getgrnam_unmap_done(struct tevent_req *subreq) +static void winbindd_getpwnam_unmap_done(struct tevent_req *subreq) { struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); -- Samba Shared Repository From asn at samba.org Thu Jul 10 16:16:01 2025 
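Review bot: In winbindd_getpwnam_initialized() (and the identical winbindd_getgrnam_initialized()), `cfg` is filled by wb_parent_idmap_setup_recv() and never read in the lines shown. A one-line comment saying the call is made only to ensure the idmap child is set up before idmap_child_handle() is used would keep the unused variable from looking like a leftover. Separately, the getpwnam.c hunks also rename the callback from winbindd_getgrnam_unmap_done to winbindd_getpwnam_unmap_done; the commit message does not mention that cleanup and it deserves a line there.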
From: asn at samba.org (Andreas Schneider)
Date: Thu, 10 Jul 2025 16:16:01 +0000
Subject: [SCM] Samba Shared Repository - branch master updated
Message-ID:

The branch, master has been updated
       via  3ca04b03bf4 tests: Rename local variable: prefix_abs -> prefix
       via  081d4fa10eb selftest: Remove no longer used PREFIX_ABS from environment
       via  b36a64289c3 tests: Replace PREFIX_ABS with PREFIX
       via  70c2b66fade selftest:s4: Delete no longer used hash key 'prefix_abs' from ctx
       via  ca0785ea674 selftest: Remove prefix_abs from ctx hash key
       via  a899b66548e selftest:s4: Fix prefix in setup functions
       via  8902d2aaa28 selftest:s3: Fix prefix in setup functions
       via  b3b69a60f95 selftest: Make '$prefix' absolute path and remove '$prefix_abs'
      from  0c4b632310b s3:winbind: Initialize and setup idmap child in winbindd_getgrnam()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 3ca04b03bf454dfd46a8e68b66a343929337ce6a
Author: Pavel Filipenský
Date:   Fri Jul 4 15:10:58 2025 +0200

    tests: Rename local variable: prefix_abs -> prefix

    Signed-off-by: Pavel Filipenský
    Reviewed-by: Andreas Schneider

    Autobuild-User(master): Andreas Schneider
    Autobuild-Date(master): Thu Jul 10 16:15:24 UTC 2025 on atb-devel-224

commit 081d4fa10eb893aeb9ada8f96b51c735819dee48
Author: Pavel Filipenský
Date:   Thu Jul 3 23:18:59 2025 +0200

    selftest: Remove no longer used PREFIX_ABS from environment

    Signed-off-by: Pavel Filipenský
    Reviewed-by: Andreas Schneider

commit b36a64289c33d579a2229e1bdfcd6932f0cb208e
Author: Pavel Filipenský
Date:   Thu Jul 3 23:07:37 2025 +0200

    tests: Replace PREFIX_ABS with PREFIX

    Signed-off-by: Pavel Filipenský
    Reviewed-by: Andreas Schneider

commit 70c2b66fadea7c0f58e96c72357a5b1d115b2238
Author: Pavel Filipenský
Date:   Thu Jul 3 22:49:10 2025 +0200

    selftest:s4: Delete no longer used hash key 'prefix_abs' from ctx

    Signed-off-by: Pavel Filipenský
    Reviewed-by: Andreas Schneider

commit ca0785ea674d52c06bd705a3a5b3224a74cc0dcd
Author: Pavel Filipenský
Date:   Thu Jul 3 22:48:38 2025 +0200

    selftest: Remove prefix_abs from ctx hash key

    prefix is an absolute path now.

    Signed-off-by: Pavel Filipenský
    Reviewed-by: Andreas Schneider

commit a899b66548e65ccd6ca014cb8ad18a6c0bfb1280
Author: Pavel Filipenský
Date:   Thu Jul 3 22:39:00 2025 +0200

    selftest:s4: Fix prefix in setup functions

    The parameter '$prefix' passed to setup_...() is already an absolute path,
    no need to maintain '$prefix_abs' in Samba4.pm.

    Signed-off-by: Pavel Filipenský
    Reviewed-by: Andreas Schneider

commit 8902d2aaa28cab7ce3efc54b05a22e26af22479a
Author: Pavel Filipenský
Date:   Thu Jul 3 23:32:30 2025 +0200

    selftest:s3: Fix prefix in setup functions

    The parameter '$prefix' passed to setup_...() is already an absolute path,
    no need to maintain '$prefix_abs' in Samba3.pm.

    Signed-off-by: Pavel Filipenský
    Reviewed-by: Andreas Schneider

commit b3b69a60f95b01e8a7714f88332f49b924353302
Author: Pavel Filipenský
Date:   Thu Jul 3 21:56:59 2025 +0200

    selftest: Make '$prefix' absolute path and remove '$prefix_abs'

    This fixes the issue with failing test

    make -j20 test TESTS="samba4.blackbox.samba-tool_ntacl.ad_member"

    Due to

    ./st/ntacl_testdirtop/dir1/symlink: broken symbolic link to ./st/ntacl_testdirtop/testfile

    Signed-off-by: Pavel Filipenský
    Reviewed-by: Andreas Schneider

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/blackbox/bug13653.py | 2 +-
 python/samba/tests/smb3unix.py | 4 +-
 selftest/perf_tests.py | 2 +-
 selftest/selftest.pl | 17 +-
 selftest/target/Samba.pm | 2 +-
 selftest/target/Samba3.pm | 209 ++++++++++-----------
 selftest/target/Samba4.pm | 88 ++++-----
 selftest/tests.py | 38 ++--
 source3/script/tests/test_chdir_cache.sh | 8 +-
 source3/script/tests/test_dfree_quota.sh | 2 +-
 source3/script/tests/test_groupmap.sh | 2 +-
 source3/script/tests/test_smbspool.sh | 6 +-
 source3/script/tests/test_smbstatus.sh | 8 +-
 source3/script/tests/test_update_keytab.sh | 10 +-
 .../script/tests/test_update_keytab_clustered.sh | 16 +-
 source3/script/tests/test_veto_files.sh | 4 +-
 .../script/tests/test_winbind_call_depth_trace.sh | 5 +-
 source3/script/updatekeytab_test.sh | 2 +-
 source4/selftest/tests.py | 40 ++--
 testprogs/blackbox/common-links.sh | 50 ++---
 testprogs/blackbox/dbcheck-links.sh | 168 +++++++++--------
 testprogs/blackbox/dbcheck-oldrelease.sh | 106 +++++------
 testprogs/blackbox/demote-saveddb.sh | 10 +-
 testprogs/blackbox/functionalprep.sh | 40 ++--
 testprogs/blackbox/join_ldapcmp.sh | 4 +-
 testprogs/blackbox/ldapcmp_restoredc.sh | 8 +-
 testprogs/blackbox/runtime-links.sh | 12 +-
 testprogs/blackbox/schemaupgrade.sh | 22 +--
 testprogs/blackbox/test_client_etypes.sh | 2 +-
 testprogs/blackbox/test_net_ads_fips.sh | 2 +-
 testprogs/blackbox/test_net_offline.sh | 2 +-
 testprogs/blackbox/test_old_enctypes.sh | 10 +-
 testprogs/blackbox/test_primary_group.sh | 6 +-
 testprogs/blackbox/test_special_group.sh | 8 +-
 testprogs/blackbox/tombstones-expunge.sh | 70 +++----
 testprogs/blackbox/upgradeprovision-oldrelease.sh | 74 ++++----
 36 files changed, 520 insertions(+), 539 deletions(-)

Changeset truncated at 500 lines:

diff --git a/python/samba/tests/blackbox/bug13653.py b/python/samba/tests/blackbox/bug13653.py index 215b9fcc378..ca5e99211a4 100644 --- a/python/samba/tests/blackbox/bug13653.py +++ b/python/samba/tests/blackbox/bug13653.py @@ -131,7 +131,7 @@ class Bug13653Tests(BlackboxTestCase): super().setUp() self.env = os.environ["TEST_ENV"] self.server = os.environ["SERVER"] - self.prefix = os.environ["PREFIX_ABS"] + self.prefix = os.environ["PREFIX"] lp = env_loadparm() creds = Credentials() session = system_session() diff --git a/python/samba/tests/smb3unix.py b/python/samba/tests/smb3unix.py index 289bc5ac5b4..075b2a07b17 100644 --- a/python/samba/tests/smb3unix.py +++ b/python/samba/tests/smb3unix.py @@ -37,8 +37,8 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests): super().setUp() self.samsid = os.environ["SAMSID"] - prefix_abs = os.environ["PREFIX_ABS"] - p = subprocess.run(['stat', '-f', '-c', '%T', prefix_abs], capture_output=True, text=True) + prefix = os.environ["PREFIX"] + p = subprocess.run(['stat', '-f', '-c', '%T', prefix], capture_output=True, text=True) self.fstype = p.stdout.strip().lower() def connections(self, share1=None, posix1=False, share2=None, posix2=True): diff --git a/selftest/perf_tests.py b/selftest/perf_tests.py index cfbbf0e056e..60cfeddb2d7 100644 --- a/selftest/perf_tests.py +++ b/selftest/perf_tests.py @@ -71,7 +71,7 @@ plantestsuite_loadlist("samba4.ldb.multi_connect.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/ad_dc_multi_bind.py"), - 'tdb://$PREFIX_ABS/ad_dc_ntvfs/private/sam.ldb', + 'tdb://$PREFIX/ad_dc_ntvfs/private/sam.ldb', '$LOADLIST', '$LISTOPT']) plantestsuite_loadlist("samba4.ldap.vlv.python(ad_dc_ntvfs)", "ad_dc_ntvfs", diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 2455b75a36e..5f0daf7de68 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl 
@@ -299,6 +299,7 @@ my $torture_maxtime = ($ENV{TORTURE_MAXTIME} or 1200); $prefix =~ s+//+/+; $prefix =~ s+/\./+/+; $prefix =~ s+/$++; +$prefix = abs_path($prefix); die("using an empty prefix isn't allowed") unless $prefix ne ""; @@ -314,19 +315,17 @@ chmod 0700, $prefix; # We need to have no umask limitations for the tests. umask 0000; -my $prefix_abs = abs_path($prefix); my $tmpdir_abs = abs_path("$prefix/tmp"); mkdir($tmpdir_abs, 0777) unless -d $tmpdir_abs; my $srcdir_abs = abs_path($srcdir); -die("using an empty absolute prefix isn't allowed") unless $prefix_abs ne ""; -die("using '/' as absolute prefix isn't allowed") unless $prefix_abs ne "/"; +die("using an empty absolute prefix isn't allowed") unless $prefix ne ""; +die("using '/' as absolute prefix isn't allowed") unless $prefix ne "/"; $ENV{SAMBA_SELFTEST} = "1"; $ENV{PREFIX} = $prefix; -$ENV{PREFIX_ABS} = $prefix_abs; $ENV{SRCDIR} = $srcdir; $ENV{SRCDIR_ABS} = $srcdir_abs; $ENV{BINDIR} = $bindir_abs; @@ -435,7 +434,7 @@ $ENV{NSS_WRAPPER_MAX_HOSTENTS} = 200; my $socket_wrapper_dir; if ($opt_socket_wrapper) { - $socket_wrapper_dir = SocketWrapper::setup_dir("$prefix_abs/w", $opt_socket_wrapper_pcap); + $socket_wrapper_dir = SocketWrapper::setup_dir("$prefix/w", $opt_socket_wrapper_pcap); print "SOCKET_WRAPPER_DIR=$socket_wrapper_dir\n"; } elsif (not $opt_list) { unless ($< == 0) { @@ -522,7 +521,7 @@ foreach (@opt_include) { $ENV{SOCKET_WRAPPER_IPV4_NETWORK} = "10.53.57.0"; my $interfaces = Samba::get_interfaces_config("client", 6); -my $clientdir = "$prefix_abs/client"; +my $clientdir = "$prefix/client"; my $conffile = "$clientdir/client.conf"; $ENV{SMB_CONF_PATH} = $conffile; @@ -680,7 +679,7 @@ if ($#testlists == -1) { die("No testlists specified"); } -$ENV{SELFTEST_PREFIX} = "$prefix_abs"; +$ENV{SELFTEST_PREFIX} = "$prefix"; $ENV{SELFTEST_TMPDIR} = "$tmpdir_abs"; $ENV{TMPDIR} = "$tmpdir_abs"; $ENV{TEST_DATA_PREFIX} = "$tmpdir_abs"; 
@@ -912,8 +911,8 @@ sub teardown_env($) } # This 'global' file needs to be empty when we start -unlink("$prefix_abs/dns_host_file"); -unlink("$prefix_abs/hosts"); +unlink("$prefix/dns_host_file"); +unlink("$prefix/hosts"); if ($opt_random_order) { require List::Util; diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 15d7692b5d6..5fc856f7886 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -222,7 +222,7 @@ sub prepare_keyblobs($) my $pkinitkey_private = "$ca_pkinitdir/USER-$pkinitprincipalname-private-key.pem"; my $tlsdir = "$ctx->{tlsdir}"; - my $pkinitdir = "$ctx->{prefix_abs}/pkinit"; + my $pkinitdir = "$ctx->{prefix}/pkinit"; #TLS and PKINIT crypto blobs my $dhfile = "$tlsdir/dhparms.pem"; my $cafile = "$tlsdir/ca.pem"; diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 8906608bc1f..077f3000935 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -505,8 +505,7 @@ sub setup_clusteredmember print "PROVISIONING CLUSTEREDMEMBER...\n"; - my $prefix_abs = abs_path($prefix); - mkdir($prefix_abs, 0777); + mkdir($prefix, 0777); my $ctdb_data = $self->setup_ctdb($prefix); @@ -560,7 +559,7 @@ sub setup_clusteredmember server => "$server_name", password => "clustermember8pass", netbios_name => "CLUSTEREDMEMBER", - share_dir => "${prefix_abs}/shared", + share_dir => "${prefix}/shared", extra_options => $member_options, no_delete_prefix => 1); if (not $node_ret) { @@ -624,13 +623,13 @@ sub setup_clusteredmember my $ctx; $ctx = {}; - $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{krb5_conf} = "$prefix/lib/krb5.conf"; $ctx->{domain} = $dcvars->{DOMAIN}; $ctx->{realm} = $dcvars->{REALM}; $ctx->{dnsname} = lc($dcvars->{REALM}); $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; - $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + $ctx->{krb5_ccname} = "$prefix/krb5cc_%{uid}"; Samba::mk_krb5_conf($ctx, ""); $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; 
@@ -697,7 +696,7 @@ sub setup_clusteredmember } chomp @shares; - my $unclistdir = "${prefix_abs}/unclists"; + my $unclistdir = "${prefix}/unclists"; mkdir($unclistdir, 0777); foreach my $share (@shares) { my $l = "${unclistdir}/${share}.txt"; @@ -744,12 +743,11 @@ sub provision_ad_member return undef; } - my $prefix_abs = abs_path($prefix); my @dirs = (); - mkdir($prefix_abs, 0777); + mkdir($prefix, 0777); - my $share_dir="$prefix_abs/share"; + my $share_dir="$prefix/share"; push(@dirs, $share_dir); my $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}"; 
@@ -800,15 +798,15 @@ sub provision_ad_member "; $keytab = " sync machine password to keytab = \\ - \"$prefix_abs/keytab0:account_name:machine_password\", \\ - \"$prefix_abs/keytab0k:account_name:sync_kvno:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab1:sync_spns:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab1k:sync_spns:sync_kvno:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab2:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab2k:spn_prefixes=host,imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" + \"$prefix/keytab0:account_name:machine_password\", \\ + \"$prefix/keytab0k:account_name:sync_kvno:machine_password:sync_etypes\", \\ + \"$prefix/keytab1:sync_spns:machine_password:sync_etypes\", \\ + \"$prefix/keytab1k:sync_spns:sync_kvno:machine_password:sync_etypes\", \\ + \"$prefix/keytab2:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\ + \"$prefix/keytab2k:spn_prefixes=host,imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\ + \"$prefix/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\", \\ + \"$prefix/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\", \\ + 
\"$prefix/keytab4k:account_name:sync_account_name:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" "; } @@ -906,13 +904,13 @@ sub provision_ad_member my $ctx; $ctx = {}; - $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{krb5_conf} = "$prefix/lib/krb5.conf"; $ctx->{domain} = $dcvars->{DOMAIN}; $ctx->{realm} = $dcvars->{REALM}; $ctx->{dnsname} = lc($dcvars->{REALM}); $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; - $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + $ctx->{krb5_ccname} = "$prefix/krb5cc_%{uid}"; Samba::mk_krb5_conf($ctx, ""); $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; @@ -1025,7 +1023,7 @@ sub provision_ad_member ### Change SOCKET_WRAPPER_DIR so it can't connect to AD my $swrap_env = $ENV{SOCKET_WRAPPER_DIR}; - $ENV{SOCKET_WRAPPER_DIR} = "$prefix_abs"; + $ENV{SOCKET_WRAPPER_DIR} = "$prefix"; # Start winbindd in offline mode if (not $self->check_or_start( @@ -1178,15 +1176,14 @@ sub setup_ad_member_rfc2307 $ret->{DOMSID} = $dcvars->{DOMSID}; my $ctx; - my $prefix_abs = abs_path($prefix); $ctx = {}; - $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{krb5_conf} = "$prefix/lib/krb5.conf"; $ctx->{domain} = $dcvars->{DOMAIN}; $ctx->{realm} = $dcvars->{REALM}; $ctx->{dnsname} = lc($dcvars->{REALM}); $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; - $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + $ctx->{krb5_ccname} = "$prefix/krb5cc_%{uid}"; Samba::mk_krb5_conf($ctx, ""); $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; 
@@ -1281,15 +1278,14 @@ sub setup_admem_idmap_autorid $ret->{DOMSID} = $dcvars->{DOMSID}; my $ctx; - my $prefix_abs = abs_path($prefix); $ctx = {}; - $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{krb5_conf} = "$prefix/lib/krb5.conf"; $ctx->{domain} = $dcvars->{DOMAIN}; $ctx->{realm} = $dcvars->{REALM}; $ctx->{dnsname} = lc($dcvars->{REALM}); $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; - $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + $ctx->{krb5_ccname} = "$prefix/krb5cc_%{uid}"; Samba::mk_krb5_conf($ctx, ""); $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; @@ -1384,15 +1380,14 @@ sub setup_ad_member_idmap_rid $ret->{DOMSID} = $dcvars->{DOMSID}; my $ctx; - my $prefix_abs = abs_path($prefix); $ctx = {}; - $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{krb5_conf} = "$prefix/lib/krb5.conf"; $ctx->{domain} = $dcvars->{DOMAIN}; $ctx->{realm} = $dcvars->{REALM}; $ctx->{dnsname} = lc($dcvars->{REALM}); $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; - $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + $ctx->{krb5_ccname} = "$prefix/krb5cc_%{uid}"; Samba::mk_krb5_conf($ctx, ""); $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; @@ -1491,15 +1486,14 @@ sub setup_ad_member_idmap_ad $ret->{DOMSID} = $dcvars->{DOMSID}; my $ctx; - my $prefix_abs = abs_path($prefix); $ctx = {}; - $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{krb5_conf} = "$prefix/lib/krb5.conf"; $ctx->{domain} = $dcvars->{DOMAIN}; $ctx->{realm} = $dcvars->{REALM}; $ctx->{dnsname} = lc($dcvars->{REALM}); $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; - $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + $ctx->{krb5_ccname} = "$prefix/krb5cc_%{uid}"; Samba::mk_krb5_conf($ctx, ""); $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; 
@@ -1595,15 +1589,14 @@ sub setup_ad_member_oneway $ret->{DOMSID} = $dcvars->{DOMSID}; my $ctx; - my $prefix_abs = abs_path($prefix); $ctx = {}; - $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf"; + $ctx->{krb5_conf} = "$prefix/lib/krb5.conf"; $ctx->{domain} = $dcvars->{DOMAIN}; $ctx->{realm} = $dcvars->{REALM}; $ctx->{dnsname} = lc($dcvars->{REALM}); $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP}; $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6}; - $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}"; + $ctx->{krb5_ccname} = "$prefix/krb5cc_%{uid}"; Samba::mk_krb5_conf($ctx, ""); $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; @@ -1763,9 +1756,9 @@ sub setup_simpleserver print "PROVISIONING simple server..."; - my $prefix_abs = abs_path($path); + my $prefix = abs_path($path); - my $external_streams_depot="$prefix_abs/external_streams_depot"; + my $external_streams_depot="$prefix/external_streams_depot"; my $simpleserver_options_globals = " lanman auth = yes @@ -1778,14 +1771,14 @@ sub setup_simpleserver my $simpleserver_options = " [vfs_aio_pthread] - path = $prefix_abs/share + path = $prefix/share read only = no vfs objects = aio_pthread aio_pthread:aio open = yes smbd async dosmode = no [vfs_aio_pthread_async_dosmode_default1] - path = $prefix_abs/share + path = $prefix/share read only = no vfs objects = aio_pthread store dos attributes = yes @@ -1793,7 +1786,7 @@ sub setup_simpleserver smbd async dosmode = yes [vfs_aio_pthread_async_dosmode_default2] - path = $prefix_abs/share + path = $prefix/share read only = no vfs objects = aio_pthread xattr_tdb store dos attributes = yes 
@@ -1801,30 +1794,30 @@ sub setup_simpleserver smbd async dosmode = yes [async_dosmode_shadow_copy2] - path = $prefix_abs/share + path = $prefix/share read only = no vfs objects = shadow_copy2 xattr_tdb smbd async dosmode = yes [vfs_aio_fork] - path = $prefix_abs/share + path = $prefix/share vfs objects = aio_fork read only = no vfs_aio_fork:erratic_testing_mode=yes [dosmode] - path = $prefix_abs/share + path = $prefix/share vfs objects = store dos attributes = yes hide files = /hidefile/ hide dot files = yes [hidenewfiles] - path = $prefix_abs/share + path = $prefix/share hide new files timeout = 5 [external_streams_depot] - path = $prefix_abs/share + path = $prefix/share read only = no streams_depot:directory = $external_streams_depot "; @@ -1842,7 +1835,7 @@ sub setup_simpleserver remove_tree($external_streams_depot); mkdir($external_streams_depot, 0777); - my $pam_service_dir = "$prefix_abs/pam_services"; + my $pam_service_dir = "$prefix/pam_services"; remove_tree($pam_service_dir); mkdir($pam_service_dir, 0777); my $pam_service_file = "$pam_service_dir/samba"; @@ -1889,18 +1882,18 @@ sub create_file_chmod($$) sub setup_fileserver { my ($self, $path, $more_conf, $server) = @_; - my $prefix_abs = abs_path($path); + my $prefix = abs_path($path); my $srcdir_abs = abs_path($self->{srcdir}); print "PROVISIONING file server ...\n"; my @dirs = (); - mkdir($prefix_abs, 0777); + mkdir($prefix, 0777); - my $usershare_dir="$prefix_abs/lib/usershare"; + my $usershare_dir="$prefix/lib/usershare"; - my $share_dir="$prefix_abs/share"; + my $share_dir="$prefix/share"; # Create share directory structure my $lower_case_share_dir="$share_dir/lower-case"; 
@@ -1973,18 +1966,18 @@ sub setup_fileserver usershare allow guests = yes usershare prefix allow list = $usershare_sharedir - get quota command = $prefix_abs/getset_quota.py - set quota command = $prefix_abs/getset_quota.py + get quota command = $prefix/getset_quota.py + set quota command = $prefix/getset_quota.py veto files : user1 = /user1file/ veto files : +group1 = /group1file/ [tarmode] path = $tarmode_sharedir comment = tar test share - xattr_tdb:file = $prefix_abs/tarmode-xattr.tdb + xattr_tdb:file = $prefix/tarmode-xattr.tdb [tarmode2] path = $tarmode2_sharedir comment = tar test share - xattr_tdb:file = $prefix_abs/tarmode2-xattr.tdb + xattr_tdb:file = $prefix/tarmode2-xattr.tdb [spotlight] path = $share_dir spotlight = yes @@ -2156,7 +2149,7 @@ sub setup_fileserver $vars or return undef; - mkdir("$prefix_abs/lib", 0755); + mkdir("$prefix/lib", 0755); remove_tree($usershare_dir); mkdir($usershare_dir, 01770); @@ -2228,7 +2221,7 @@ sub setup_fileserver sub setup_fileserver_smb1 { my ($self, $path) = @_; - my $prefix_abs = abs_path($path); + my $prefix = abs_path($path); my $conf = " [global] client min protocol = CORE @@ -2236,17 +2229,17 @@ sub setup_fileserver_smb1 check parent directory delete on close = yes [hidenewfiles] - path = $prefix_abs/share + path = $prefix/share hide new files timeout = 5 [vfs_aio_pthread] - path = $prefix_abs/share + path = $prefix/share read only = no vfs objects = aio_pthread aio_pthread:aio open = yes smbd async dosmode = no [vfs_aio_pthread_async_dosmode_default1] - path = $prefix_abs/share + path = $prefix/share read only = no vfs objects = aio_pthread store dos attributes = yes @@ -2254,7 +2247,7 @@ sub setup_fileserver_smb1 smbd async dosmode = yes -- Samba Shared Repository From asn at samba.org Thu Jul 10 18:56:01 2025 
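Review bot: In selftest/selftest.pl, hunk @@ -299,6 +299,7 @@, `$prefix = abs_path($prefix);` now runs before the `die("using an empty prefix isn't allowed")` check and ahead of the `chmod 0700, $prefix` that the old `my $prefix_abs = abs_path($prefix);` followed. Cwd's abs_path() can return undef for a path it cannot resolve, and the run would then abort with the "empty prefix" message, which does not describe the actual problem. Either resolve the path once the directory is known to exist, or die with a message that names the unresolved path. After the rename in hunk @@ -314,19 +315,17 @@ the "empty absolute prefix" check tests the same `$prefix` as the earlier "empty prefix" check, so it is redundant and can be dropped.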
From: asn at samba.org (Andreas Schneider)
Date: Thu, 10 Jul 2025 18:56:01 +0000
Subject: [SCM] Samba Shared Repository - branch master updated
Message-ID:

The branch, master has been updated
       via  44ee31c0258 Add check for the GPO link to have at least two attributes separated by semicolon. Allows to handle empty links.
      from  3ca04b03bf4 tests: Rename local variable: prefix_abs -> prefix

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 44ee31c0258b0afb3d3f2ce17942cc86e308a690
Author: Aleksandr Sharov
Date:   Fri Jul 4 15:32:28 2025 +0200

    Add check for the GPO link to have at least two attributes separated by semicolon. Allows to handle empty links.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15877
    RN: Fix handling of empty GPO link

    Signed-off-by: Alex Sharov (kororland at gmail.com)
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andreas Schneider

    Autobuild-User(master): Andreas Schneider
    Autobuild-Date(master): Thu Jul 10 18:55:33 UTC 2025 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 python/samba/gp/gpclass.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py index d86aacec138..07b4fb3e7bd 100644 --- a/python/samba/gp/gpclass.py +++ b/python/samba/gp/gpclass.py @@ -673,8 +673,10 @@ class GP_LINK: self.gp_opts = int(gPOptions) def gpo_parse_gplink(self, gPLink): + # normally formed link looks like [LDAP://host/path;options] + # empty link looks like [ ] for p in gPLink.decode().split(']'): - if not p: + if not p or ';' not in p: continue log.debug('gpo_parse_gplink: processing link') p = p.lstrip('[') -- Samba Shared Repository From gd at samba.org Tue Jul 15 16:04:09 2025
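Review bot: In gpo_parse_gplink(), the new `';' not in p` branch shares the `continue` with the empty-string case, so a non-empty entry without a semicolon is dropped before the `log.debug('gpo_parse_gplink: processing link')` line and leaves no trace. Logging the skipped entry at debug level would make a malformed gPLink value diagnosable. The summary lists python/samba/gp/gpclass.py as the only file changed; a test that feeds the `[ ]` form named in the new comment alongside a well-formed link would pin the behaviour.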
From: gd at samba.org (=?UTF-8?Q?G=C3=BCnther_Deschner?=)
Date: Tue, 15 Jul 2025 16:04:09 +0000
Subject: [SCM] Samba Website Repository - branch master updated
Message-ID:

The branch, master has been updated
       via  9ea2dce Add John to the team-list.
      from  d42b09c NEWS[4.21.7]: Samba 4.22.3 and 4.21.7 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 9ea2dcef38e28126a23846d2ab5750d55305ad8c
Author: Günther Deschner
Date:   Tue Jul 15 18:03:42 2025 +0200

    Add John to the team-list.

    Guenther

-----------------------------------------------------------------------

Summary of changes:
 team/index.html | 1 +
 1 file changed, 1 insertion(+)

Changeset truncated at 500 lines:

diff --git a/team/index.html b/team/index.html index 44005c8..76108af 100755 --- a/team/index.html +++ b/team/index.html @@ -84,6 +84,7 @@ mailing list and start contributing to the development of Samba. Stefan Metzmacher (SerNet) Marc Muehlfeld David Mulder (SUSE) +John Mulligan (IBM) Matthieu Patou Rowland Penny Noel Power (SUSE) -- Samba Website Repository From metze at samba.org Thu Jul 17 10:01:01 2025
From: metze at samba.org (Stefan Metzmacher) Date: Thu, 17 Jul 2025 10:01:01 +0000 Subject: [SCM] Samba Shared Repository - branch master updated Message-ID:The branch, master has been updated via 09c44603f58 s3:selftest: run smb2.{bench,connect,credits,ioctl,rw} over quic-ngtcp2 via 2cab318e26f s3:libsmb: add support for userspace quic support using ngtcp2 via 20e42cbbfef s4:lib/tls: add tstream_tls_ngtcp2_connect_send/recv via a8c20805330 lib/tsocket: optimize tdgram_recvfrom_done() into tdgram_recvfrom_send() via 354b534fe03 s3:selftest: run smb2.{bench,connect,credits,ioctl,rw} over quic_ko_wrapper via 66a1112a826 selftest: let 'fileserver' support quic via d45ea578b70 selftest: use quic_ko_wrapper if available via aa84dee9227 third_party: add quic_ko_wrapper to simulate IPPROTO_QUIC sockets via 3082a45e10f third_party: import ngtcp2 v1.13.0 from https://github.com/ngtcp2/ngtcp2.git via b52e1fd306c s3:libsmb: add support for SMB_TRANSPORT_TYPE_QUIC via ded5ac15b67 s3:smbd: add support for SMB_TRANSPORT_TYPE_QUIC via 9c9364cf741 s4:lib/tls: add tstream_tls_params_quic_{prepare,enabled() and tstream_tls_quic_handshake[_{send,recv}]() via 02bb288d08f third_party: import quic from https://github.com/lxin/quic.git via bd786a1e638 system_gnutls: print the found gnutls version and detected features via f309c7381ed lib/param: allow smb_transport[s]_parse() to handle 'quic' via 82685568ebf libcli/smb: define SMB_TRANSPORT_TYPE_QUIC from 44ee31c0258 Add check for the GPO link to have at least two attributes separated by semicolumn. Allows to handle empty links. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 09c44603f588a4436d467983f650aee4fd0a71ff Author: Stefan Metzmacher Date: Mon May 19 14:56:14 2025 +0200 s3:selftest: run smb2.{bench,connect,credits,ioctl,rw} over quic-ngtcp2 
    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Thu Jul 17 10:00:51 UTC 2025 on atb-devel-224

commit 2cab318e26f3378a956f43eb85e382be802d958c
Author: Stefan Metzmacher
Date:   Tue May 6 11:32:43 2025 +0200

    s3:libsmb: add support for userspace quic support using ngtcp2

    By default we fall back to ngtcp2 if the kernel has no quic.ko support.

    To force it the following option can be used:

      client smb transport:force_ngtcp2_quic=yes

    To disable it the following option can be used:

      client smb transport:allow_ngtcp2_quic=no

    From within libsmbclient.so we can't use it at all as there's no way
    to monitor the connection in order to handle acked and keep alive pings.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit 20e42cbbfefed95ae3764f86ab03c04b49934bae
Author: Stefan Metzmacher
Date:   Sun May 4 18:20:56 2025 +0200

    s4:lib/tls: add tstream_tls_ngtcp2_connect_send/recv

    This implemented a tstream_context for a single QUIC stream
    using libngtcp2 over an udp socket.

    This will allow us to support the SMB over QUIC protocol
    on the client side even without quic.ko kernel support.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit a8c208053306aa26c0faf1713bfcbc49d2825eda
Author: Stefan Metzmacher
Date:   Fri May 16 16:29:19 2025 +0200

    lib/tsocket: optimize tdgram_recvfrom_done() into tdgram_recvfrom_send()

    For callers using tdgram_bsd_optimize_recvfrom() it is very useful
    to know if data was already waiting in the socket.

    In that case the result from tdgram_bsd_recvfrom_send() would already
    report tevent_req_is_in_progress() as false. But the result of
    tdgram_recvfrom_send() available to the caller would see
    tevent_req_is_in_progress() reporting true.

    With this change also the result of tdgram_recvfrom_send() would
    report tevent_req_is_in_progress() as false, which will be useful
    for callers, which would otherwise set a timeout on the request.
    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit 354b534fe03ae7e3f01b63da7dc5ee14220efa46
Author: Stefan Metzmacher
Date:   Tue Apr 29 16:20:35 2025 +0200

    s3:selftest: run smb2.{bench,connect,credits,ioctl,rw} over quic_ko_wrapper

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit 66a1112a82668267755f3f589832a100d4869343
Author: Stefan Metzmacher
Date:   Fri May 2 12:48:21 2025 +0200

    selftest: let 'fileserver' support quic

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit d45ea578b70f64ddd9c9d3a08096642b85400455
Author: Stefan Metzmacher
Date:   Tue Apr 22 12:26:19 2025 +0200

    selftest: use quic_ko_wrapper if available

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit aa84dee922718cbb40ab2663a9442df726515312
Author: Stefan Metzmacher
Date:   Fri May 2 14:44:42 2025 +0200

    third_party: add quic_ko_wrapper to simulate IPPROTO_QUIC sockets

    For now this is only part of Samba, so no real third_party,
    but in future we may decide to have a standalone repository
    or move it to https://github.com/lxin/quic.git

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit 3082a45e10f38df52fa1ee5966363305a97b3974
Author: Stefan Metzmacher
Date:   Fri May 2 14:32:11 2025 +0200

    third_party: import ngtcp2 v1.13.0 from https://github.com/ngtcp2/ngtcp2.git

    This imports commit 7dd482f949f145632c482d01af2184954b471795.

    It will be used to implement a quic_ko_wrapper, but also
    used as userspace client too.
    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit b52e1fd306c97337c48664d3843065dd221777e0
Author: Stefan Metzmacher
Date:   Fri Apr 4 01:17:19 2025 +0200

    s3:libsmb: add support for SMB_TRANSPORT_TYPE_QUIC

    This requires https://github.com/lxin/quic, which provides a kernel module
    quic.ko for Linux (tested with Linux 6.8 and 6.14).

    The userspace libquic is mirrored under third_party/quic for now.

    This can be activated by adding 'quic' to 'client smb transports'.

    The following smb.conf options are also relevant:
    'tls enabled'
    'tls ca directories'
    'tls trust system cas'
    'tls cafile'
    'tls crlfile'
    'tls verify peer'

    Note that tools like smbclient are able to take
      --option='client smb transports = quic'
      --option='tls verify peer=no_check'
    in order to test it without changing smb.conf.

    You may not want to use 'tls verify peer=no_check' for production,
    it would make the transport as unprotected as a tcp connection.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit ded5ac15b6707c359b6e84d1e85577b00b1f582d
Author: Stefan Metzmacher
Date:   Thu Apr 3 17:32:58 2025 +0200

    s3:smbd: add support for SMB_TRANSPORT_TYPE_QUIC

    This requires https://github.com/lxin/quic, which provides a kernel module
    quic.ko for Linux (tested with Linux 6.8 and 6.14).

    The userspace libquic is mirrored under third_party/quic for now.

    This can be activated by adding 'quic' to 'server smb transports'.

    The following smb.conf options are also relevant:
    'tls enabled'
    'tls cafile'
    'tls certfile'
    'tls keyfile'

    If the files pointed to by 'tls cafile', 'tls certfile' and 'tls keyfile'
    all don't exist, self-signed tls certificates are generated
    automatically at startup.
    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit 9c9364cf741016f81019cf85922bb4577e97d078
Author: Stefan Metzmacher
Date:   Mon Apr 7 13:46:23 2025 +0200

    s4:lib/tls: add tstream_tls_params_quic_{prepare,enabled() and tstream_tls_quic_handshake[_{send,recv}]()

    This requires https://github.com/lxin/quic, which provides a kernel module
    quic.ko for Linux (tested with Linux 6.8 and 6.14).

    The userspace libquic is mirrored under third_party/quic for now.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit 02bb288d08f0a975aeba2932aac1536cad67a692
Author: Stefan Metzmacher
Date:   Tue Apr 15 11:00:17 2025 +0200

    third_party: import quic from https://github.com/lxin/quic.git

    For now the VERSION argument to third_party/quic/update.sh
    is ignored as there are no versions yet.

    For now we require version 1.1 (not releases) for a system library,
    in order to make sure it is recent enough.

    This import is based on commit 846dddb24f007c8356ce3c19c74445160a8d94f7.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit bd786a1e63849ba2f081dfa2fc0d52a6f249cb87
Author: Stefan Metzmacher
Date:   Wed Apr 16 20:15:07 2025 +0200

    system_gnutls: print the found gnutls version and detected features

    This makes it easier to analyze build failures.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit f309c7381eda3107e7716958acd4f31119e0f7fd
Author: Stefan Metzmacher
Date:   Thu Apr 3 17:04:13 2025 +0200

    lib/param: allow smb_transport[s]_parse() to handle 'quic'

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

commit 82685568ebfb6458a7b3399a2eb3dde99ff3dd76
Author: Stefan Metzmacher
Date:   Thu Apr 3 17:03:57 2025 +0200

    libcli/smb: define SMB_TRANSPORT_TYPE_QUIC
    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

-----------------------------------------------------------------------

Summary of changes:
buildtools/wafsamba/samba_third_party.py | 17 + .../smbdotconf/protocol/clientsmbtransports.xml | 21 + .../smbdotconf/protocol/serversmbtransports.xml | 23 + lib/param/loadparm.c | 3 + lib/tsocket/tsocket.c | 16 + libcli/smb/smb_util.h | 1 + script/autobuild.py | 4 +- script/compare_cc_results.py | 1 + selftest/flapping.d/smb-over-quic | 5 + selftest/selftest.pl | 16 + selftest/target/Samba3.pm | 5 + selftest/wscript | 4 + source3/libsmb/libsmb_context.c | 8 + source3/libsmb/smbsock_connect.c | 450 + source3/libsmb/smbsock_connect.h | 2 + source3/selftest/tests.py | 31 + source3/smbd/server.c | 207 +- source3/smbd/smb2_process.c | 2 + source3/utils/status_json.c | 3 + source3/wscript_build | 1 + source4/lib/tls/tls.h | 34 + source4/lib/tls/tls_tstream.c | 2380 +++- source4/lib/tls/wscript_build | 3 + source4/smb_server/smb_server.c | 5 + third_party/ngtcp2/crypto/CMakeLists.txt | 62 + third_party/ngtcp2/crypto/Makefile.am | 53 + third_party/ngtcp2/crypto/boringssl/.gitignore | 2 + third_party/ngtcp2/crypto/boringssl/CMakeLists.txt | 64 + third_party/ngtcp2/crypto/boringssl/Makefile.am | 39 + third_party/ngtcp2/crypto/boringssl/boringssl.c | 666 + .../boringssl/libngtcp2_crypto_boringssl.pc.in | 33 + third_party/ngtcp2/crypto/gnutls/.gitignore | 1 + third_party/ngtcp2/crypto/gnutls/CMakeLists.txt | 86 + third_party/ngtcp2/crypto/gnutls/Makefile.am | 43 + third_party/ngtcp2/crypto/gnutls/gnutls.c | 674 + .../crypto/gnutls/libngtcp2_crypto_gnutls.pc.in | 33 + third_party/ngtcp2/crypto/includes/CMakeLists.txt | 62 + third_party/ngtcp2/crypto/includes/Makefile.am | 49 + .../ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto.h | 963 ++ .../includes/ngtcp2/ngtcp2_crypto_boringssl.h | 104 + .../crypto/includes/ngtcp2/ngtcp2_crypto_gnutls.h | 108 + .../crypto/includes/ngtcp2/ngtcp2_crypto_ossl.h | 198 +
.../crypto/includes/ngtcp2/ngtcp2_crypto_picotls.h | 246 + .../crypto/includes/ngtcp2/ngtcp2_crypto_quictls.h | 147 + .../crypto/includes/ngtcp2/ngtcp2_crypto_wolfssl.h | 106 + third_party/ngtcp2/crypto/ossl/.gitignore | 1 + third_party/ngtcp2/crypto/ossl/CMakeLists.txt | 86 + third_party/ngtcp2/crypto/ossl/Makefile.am | 43 + .../ngtcp2/crypto/ossl/libngtcp2_crypto_ossl.pc.in | 33 + third_party/ngtcp2/crypto/ossl/ossl.c | 1191 ++ third_party/ngtcp2/crypto/picotls/.gitignore | 2 + third_party/ngtcp2/crypto/picotls/CMakeLists.txt | 65 + third_party/ngtcp2/crypto/picotls/Makefile.am | 39 + .../crypto/picotls/libngtcp2_crypto_picotls.pc.in | 33 + third_party/ngtcp2/crypto/picotls/picotls.c | 714 + third_party/ngtcp2/crypto/quictls/.gitignore | 1 + third_party/ngtcp2/crypto/quictls/CMakeLists.txt | 86 + third_party/ngtcp2/crypto/quictls/Makefile.am | 43 + .../crypto/quictls/libngtcp2_crypto_quictls.pc.in | 33 + third_party/ngtcp2/crypto/quictls/quictls.c | 1013 ++ third_party/ngtcp2/crypto/shared.c | 1650 +++ third_party/ngtcp2/crypto/shared.h | 397 + third_party/ngtcp2/crypto/wolfssl/.gitignore | 1 + third_party/ngtcp2/crypto/wolfssl/CMakeLists.txt | 84 + third_party/ngtcp2/crypto/wolfssl/Makefile.am | 43 + .../crypto/wolfssl/libngtcp2_crypto_wolfssl.pc.in | 33 + third_party/ngtcp2/crypto/wolfssl/wolfssl.c | 545 + third_party/ngtcp2/lib/.gitignore | 2 + third_party/ngtcp2/lib/CMakeLists.txt | 146 + third_party/ngtcp2/lib/Makefile.am | 130 + third_party/ngtcp2/lib/config.cmake.in | 3 + third_party/ngtcp2/lib/includes/CMakeLists.txt | 4 + third_party/ngtcp2/lib/includes/Makefile.am | 25 + third_party/ngtcp2/lib/includes/ngtcp2/ngtcp2.h | 5969 ++++++++ .../ngtcp2/lib/includes/ngtcp2/version.h.in | 51 + third_party/ngtcp2/lib/libngtcp2.pc.in | 33 + third_party/ngtcp2/lib/ngtcp2_acktr.c | 439 + third_party/ngtcp2/lib/ngtcp2_acktr.h | 258 + third_party/ngtcp2/lib/ngtcp2_addr.c | 118 + third_party/ngtcp2/lib/ngtcp2_addr.h | 77 + third_party/ngtcp2/lib/ngtcp2_balloc.c | 90 + 
third_party/ngtcp2/lib/ngtcp2_balloc.h | 94 + third_party/ngtcp2/lib/ngtcp2_bbr.c | 1421 ++ third_party/ngtcp2/lib/ngtcp2_bbr.h | 142 + third_party/ngtcp2/lib/ngtcp2_buf.c | 56 + third_party/ngtcp2/lib/ngtcp2_buf.h | 108 + third_party/ngtcp2/lib/ngtcp2_cc.c | 493 + third_party/ngtcp2/lib/ngtcp2_cc.h | 395 + third_party/ngtcp2/lib/ngtcp2_cid.c | 157 + third_party/ngtcp2/lib/ngtcp2_cid.h | 199 + third_party/ngtcp2/lib/ngtcp2_conn.c | 13526 +++++++++++++++++++ third_party/ngtcp2/lib/ngtcp2_conn.h | 1121 ++ third_party/ngtcp2/lib/ngtcp2_conn_stat.h | 133 + third_party/ngtcp2/lib/ngtcp2_conv.c | 222 + third_party/ngtcp2/lib/ngtcp2_conv.h | 162 + third_party/ngtcp2/lib/ngtcp2_crypto.c | 112 + third_party/ngtcp2/lib/ngtcp2_crypto.h | 102 + third_party/ngtcp2/lib/ngtcp2_dcidtr.c | 485 + third_party/ngtcp2/lib/ngtcp2_dcidtr.h | 343 + third_party/ngtcp2/lib/ngtcp2_err.c | 157 + third_party/ngtcp2/lib/ngtcp2_err.h | 34 + third_party/ngtcp2/lib/ngtcp2_frame_chain.c | 203 + third_party/ngtcp2/lib/ngtcp2_frame_chain.h | 188 + third_party/ngtcp2/lib/ngtcp2_gaptr.c | 178 + third_party/ngtcp2/lib/ngtcp2_gaptr.h | 98 + third_party/ngtcp2/lib/ngtcp2_idtr.c | 66 + third_party/ngtcp2/lib/ngtcp2_idtr.h | 76 + third_party/ngtcp2/lib/ngtcp2_ksl.c | 856 ++ third_party/ngtcp2/lib/ngtcp2_ksl.h | 425 + third_party/ngtcp2/lib/ngtcp2_log.c | 834 ++ third_party/ngtcp2/lib/ngtcp2_log.h | 132 + third_party/ngtcp2/lib/ngtcp2_macro.h | 81 + third_party/ngtcp2/lib/ngtcp2_map.c | 306 + third_party/ngtcp2/lib/ngtcp2_map.h | 128 + third_party/ngtcp2/lib/ngtcp2_mem.c | 117 + third_party/ngtcp2/lib/ngtcp2_mem.h | 72 + third_party/ngtcp2/lib/ngtcp2_net.h | 141 + third_party/ngtcp2/lib/ngtcp2_objalloc.c | 40 + third_party/ngtcp2/lib/ngtcp2_objalloc.h | 147 + third_party/ngtcp2/lib/ngtcp2_opl.c | 46 + third_party/ngtcp2/lib/ngtcp2_opl.h | 65 + third_party/ngtcp2/lib/ngtcp2_path.c | 77 + third_party/ngtcp2/lib/ngtcp2_path.h | 49 + third_party/ngtcp2/lib/ngtcp2_pkt.c | 2573 ++++ 
third_party/ngtcp2/lib/ngtcp2_pkt.h | 1230 ++ third_party/ngtcp2/lib/ngtcp2_pktns_id.h | 62 + third_party/ngtcp2/lib/ngtcp2_pmtud.c | 167 + third_party/ngtcp2/lib/ngtcp2_pmtud.h | 132 + third_party/ngtcp2/lib/ngtcp2_ppe.c | 243 + third_party/ngtcp2/lib/ngtcp2_ppe.h | 157 + third_party/ngtcp2/lib/ngtcp2_pq.c | 163 + third_party/ngtcp2/lib/ngtcp2_pq.h | 118 + third_party/ngtcp2/lib/ngtcp2_pv.c | 179 + third_party/ngtcp2/lib/ngtcp2_pv.h | 202 + third_party/ngtcp2/lib/ngtcp2_qlog.c | 1223 ++ third_party/ngtcp2/lib/ngtcp2_qlog.h | 161 + third_party/ngtcp2/lib/ngtcp2_range.c | 63 + third_party/ngtcp2/lib/ngtcp2_range.h | 80 + third_party/ngtcp2/lib/ngtcp2_rcvry.h | 40 + third_party/ngtcp2/lib/ngtcp2_ringbuf.c | 127 + third_party/ngtcp2/lib/ngtcp2_ringbuf.h | 132 + third_party/ngtcp2/lib/ngtcp2_rob.c | 339 + third_party/ngtcp2/lib/ngtcp2_rob.h | 191 + third_party/ngtcp2/lib/ngtcp2_rst.c | 140 + third_party/ngtcp2/lib/ngtcp2_rst.h | 94 + third_party/ngtcp2/lib/ngtcp2_rtb.c | 1495 ++ third_party/ngtcp2/lib/ngtcp2_rtb.h | 321 + third_party/ngtcp2/lib/ngtcp2_settings.c | 91 + third_party/ngtcp2/lib/ngtcp2_settings.h | 73 + third_party/ngtcp2/lib/ngtcp2_str.c | 233 + third_party/ngtcp2/lib/ngtcp2_str.h | 94 + third_party/ngtcp2/lib/ngtcp2_strm.c | 775 ++ third_party/ngtcp2/lib/ngtcp2_strm.h | 361 + third_party/ngtcp2/lib/ngtcp2_transport_params.c | 889 ++ third_party/ngtcp2/lib/ngtcp2_transport_params.h | 118 + third_party/ngtcp2/lib/ngtcp2_tstamp.h | 68 + third_party/ngtcp2/lib/ngtcp2_unreachable.c | 74 + third_party/ngtcp2/lib/ngtcp2_unreachable.h | 52 + third_party/ngtcp2/lib/ngtcp2_vec.c | 219 + third_party/ngtcp2/lib/ngtcp2_vec.h | 106 + third_party/ngtcp2/lib/ngtcp2_version.c | 39 + third_party/ngtcp2/lib/ngtcp2_window_filter.c | 116 + third_party/ngtcp2/lib/ngtcp2_window_filter.h | 65 + third_party/ngtcp2/update.sh | 78 + third_party/ngtcp2/wscript | 131 + third_party/quic/COPYING | 37 + third_party/quic/libquic/Makefile.am | 24 + third_party/quic/libquic/client.c | 227 
+ third_party/quic/libquic/handshake.c | 1085 ++ third_party/quic/libquic/libquic.pc.in | 10 + third_party/quic/libquic/netinet/quic.h | 95 + third_party/quic/libquic/quic.man | 1462 ++ third_party/quic/libquic/server.c | 148 + third_party/quic/modules/include/uapi/linux/quic.h | 245 + third_party/quic/update.sh | 80 + third_party/quic/wscript | 58 + third_party/quic_ko_wrapper/quic_ko_wrapper.c | 5552 ++++++++ third_party/quic_ko_wrapper/quic_ko_wrapper.h | 89 + third_party/quic_ko_wrapper/wscript | 124 + third_party/wscript | 7 + wscript_configure_system_gnutls | 3 + 181 files changed, 66701 insertions(+), 8 deletions(-) create mode 100644 selftest/flapping.d/smb-over-quic create mode 100644 third_party/ngtcp2/crypto/CMakeLists.txt create mode 100644 third_party/ngtcp2/crypto/Makefile.am create mode 100644 third_party/ngtcp2/crypto/boringssl/.gitignore create mode 100644 third_party/ngtcp2/crypto/boringssl/CMakeLists.txt create mode 100644 third_party/ngtcp2/crypto/boringssl/Makefile.am create mode 100644 third_party/ngtcp2/crypto/boringssl/boringssl.c create mode 100644 third_party/ngtcp2/crypto/boringssl/libngtcp2_crypto_boringssl.pc.in create mode 100644 third_party/ngtcp2/crypto/gnutls/.gitignore create mode 100644 third_party/ngtcp2/crypto/gnutls/CMakeLists.txt create mode 100644 third_party/ngtcp2/crypto/gnutls/Makefile.am create mode 100644 third_party/ngtcp2/crypto/gnutls/gnutls.c create mode 100644 third_party/ngtcp2/crypto/gnutls/libngtcp2_crypto_gnutls.pc.in create mode 100644 third_party/ngtcp2/crypto/includes/CMakeLists.txt create mode 100644 third_party/ngtcp2/crypto/includes/Makefile.am create mode 100644 third_party/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto.h create mode 100644 third_party/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto_boringssl.h create mode 100644 third_party/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto_gnutls.h create mode 100644 third_party/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto_ossl.h create mode 100644 
third_party/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto_picotls.h create mode 100644 third_party/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto_quictls.h create mode 100644 third_party/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto_wolfssl.h create mode 100644 third_party/ngtcp2/crypto/ossl/.gitignore create mode 100644 third_party/ngtcp2/crypto/ossl/CMakeLists.txt create mode 100644 third_party/ngtcp2/crypto/ossl/Makefile.am create mode 100644 third_party/ngtcp2/crypto/ossl/libngtcp2_crypto_ossl.pc.in create mode 100644 third_party/ngtcp2/crypto/ossl/ossl.c create mode 100644 third_party/ngtcp2/crypto/picotls/.gitignore create mode 100644 third_party/ngtcp2/crypto/picotls/CMakeLists.txt create mode 100644 third_party/ngtcp2/crypto/picotls/Makefile.am create mode 100644 third_party/ngtcp2/crypto/picotls/libngtcp2_crypto_picotls.pc.in create mode 100644 third_party/ngtcp2/crypto/picotls/picotls.c create mode 100644 third_party/ngtcp2/crypto/quictls/.gitignore create mode 100644 third_party/ngtcp2/crypto/quictls/CMakeLists.txt create mode 100644 third_party/ngtcp2/crypto/quictls/Makefile.am create mode 100644 third_party/ngtcp2/crypto/quictls/libngtcp2_crypto_quictls.pc.in create mode 100644 third_party/ngtcp2/crypto/quictls/quictls.c create mode 100644 third_party/ngtcp2/crypto/shared.c create mode 100644 third_party/ngtcp2/crypto/shared.h create mode 100644 third_party/ngtcp2/crypto/wolfssl/.gitignore create mode 100644 third_party/ngtcp2/crypto/wolfssl/CMakeLists.txt create mode 100644 third_party/ngtcp2/crypto/wolfssl/Makefile.am create mode 100644 third_party/ngtcp2/crypto/wolfssl/libngtcp2_crypto_wolfssl.pc.in create mode 100644 third_party/ngtcp2/crypto/wolfssl/wolfssl.c create mode 100644 third_party/ngtcp2/lib/.gitignore create mode 100644 third_party/ngtcp2/lib/CMakeLists.txt create mode 100644 third_party/ngtcp2/lib/Makefile.am create mode 100644 third_party/ngtcp2/lib/config.cmake.in create mode 100644 third_party/ngtcp2/lib/includes/CMakeLists.txt create mode 
100644 third_party/ngtcp2/lib/includes/Makefile.am create mode 100644 third_party/ngtcp2/lib/includes/ngtcp2/ngtcp2.h create mode 100644 third_party/ngtcp2/lib/includes/ngtcp2/version.h.in create mode 100644 third_party/ngtcp2/lib/libngtcp2.pc.in create mode 100644 third_party/ngtcp2/lib/ngtcp2_acktr.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_acktr.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_addr.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_addr.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_balloc.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_balloc.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_bbr.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_bbr.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_buf.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_buf.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_cc.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_cc.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_cid.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_cid.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_conn.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_conn.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_conn_stat.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_conv.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_conv.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_crypto.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_crypto.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_dcidtr.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_dcidtr.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_err.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_err.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_frame_chain.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_frame_chain.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_gaptr.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_gaptr.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_idtr.c create mode 100644 
third_party/ngtcp2/lib/ngtcp2_idtr.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_ksl.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_ksl.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_log.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_log.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_macro.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_map.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_map.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_mem.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_mem.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_net.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_objalloc.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_objalloc.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_opl.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_opl.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_path.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_path.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_pkt.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_pkt.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_pktns_id.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_pmtud.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_pmtud.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_ppe.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_ppe.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_pq.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_pq.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_pv.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_pv.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_qlog.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_qlog.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_range.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_range.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_rcvry.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_ringbuf.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_ringbuf.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_rob.c 
create mode 100644 third_party/ngtcp2/lib/ngtcp2_rob.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_rst.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_rst.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_rtb.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_rtb.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_settings.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_settings.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_str.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_str.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_strm.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_strm.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_transport_params.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_transport_params.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_tstamp.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_unreachable.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_unreachable.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_vec.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_vec.h create mode 100644 third_party/ngtcp2/lib/ngtcp2_version.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_window_filter.c create mode 100644 third_party/ngtcp2/lib/ngtcp2_window_filter.h create mode 100755 third_party/ngtcp2/update.sh create mode 100644 third_party/ngtcp2/wscript create mode 100644 third_party/quic/COPYING create mode 100644 third_party/quic/libquic/Makefile.am create mode 100644 third_party/quic/libquic/client.c create mode 100644 third_party/quic/libquic/handshake.c create mode 100644 third_party/quic/libquic/libquic.pc.in create mode 100644 third_party/quic/libquic/netinet/quic.h create mode 100644 third_party/quic/libquic/quic.man create mode 100644 third_party/quic/libquic/server.c create mode 100644 third_party/quic/modules/include/uapi/linux/quic.h create mode 100755 third_party/quic/update.sh create mode 100644 third_party/quic/wscript create mode 100644 third_party/quic_ko_wrapper/quic_ko_wrapper.c create mode 
100644 third_party/quic_ko_wrapper/quic_ko_wrapper.h create mode 100644 third_party/quic_ko_wrapper/wscript Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py index a3c45775a4b..b6c5ad60964 100644 --- a/buildtools/wafsamba/samba_third_party.py +++ b/buildtools/wafsamba/samba_third_party.py @@ -46,3 +46,20 @@ Build.BuildContext.CHECK_UID_WRAPPER = CHECK_UID_WRAPPER def CHECK_PAM_WRAPPER(conf): return conf.CHECK_BUNDLED_SYSTEM_PKG('pam_wrapper', minversion='1.1.8') Build.BuildContext.CHECK_PAM_WRAPPER = CHECK_PAM_WRAPPER + + at conf +def CHECK_LIBQUIC(conf): + return conf.CHECK_BUNDLED_SYSTEM_PKG('libquic', minversion='1.1') +Build.BuildContext.CHECK_LIBQUIC = CHECK_LIBQUIC + + at conf +def CHECK_LIBNGTCP2(conf): + minversion = '1.12.0' + if not conf.CHECK_BUNDLED_SYSTEM_PKG('libngtcp2_crypto_gnutls', + minversion=minversion): + return False + if not conf.CHECK_BUNDLED_SYSTEM_PKG('libngtcp2', + minversion=minversion): + return False + return True +Build.BuildContext.CHECK_LIBNGTCP2 = CHECK_LIBNGTCP2 diff --git a/docs-xml/smbdotconf/protocol/clientsmbtransports.xml b/docs-xml/smbdotconf/protocol/clientsmbtransports.xml index 18adad501d6..94835e3d298 100644 --- a/docs-xml/smbdotconf/protocol/clientsmbtransports.xml +++ b/docs-xml/smbdotconf/protocol/clientsmbtransports.xml @@ -18,6 +18,25 @@ after ':', e.g. 'nbt:1139'. + The transport 'quic' uses the quic protocol on top of udp. + The default port for 'quic' is 443. Other ports can be specified by adding it + after ':', e.g. 'quic:1443'. + The following options are also relevant: + + +, + , + , + , + , + and + . + + Note: 'quic' requires the quic.ko kernel module for Linux from + https://github.com/lxin/quic (tested with Linux 6.14). Future + Linux versions may support it natively. + +Numerical ports are handled as 'tcp' except port '139' is handled as 'nbt'. @@ -28,6 +47,8 @@445 tcp, tcp:1445 8000, nbt:1139 +tcp, quic, nbt ++quic tcp, nbt 
diff --git a/docs-xml/smbdotconf/protocol/serversmbtransports.xml b/docs-xml/smbdotconf/protocol/serversmbtransports.xml index 83a4c62ddc0..f506e4e862a 100644 --- a/docs-xml/smbdotconf/protocol/serversmbtransports.xml +++ b/docs-xml/smbdotconf/protocol/serversmbtransports.xml @@ -19,6 +19,27 @@ after ':', e.g. 'nbt:1139'. +The transport 'quic' uses the quic protocol on top of udp. + The default port for 'quic' is 443. Other ports can be specified by adding it + after ':', e.g. 'quic:1443'. + The following options are also relevant: + + +, + , + and + . + If the files pointed to by + , + and + all do not exist, + a self-signed tls certificate is generated automatically at startup. + + Note: 'quic' requires the quic.ko kernel module for Linux from + https://github.com/lxin/quic (tested with Linux 6.14). Future + Linux versions may support it natively. + +Numerical ports are handled as 'tcp' except port '139' is handled as 'nbt'. @@ -29,6 +50,8 @@445 tcp, tcp:1445 8000, nbt:1139 +tcp, quic, nbt ++quic tcp, nbt diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 35a718441de..d6553d89011 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -1368,6 +1368,9 @@ bool smb_transport_parse(const char *_value, struct smb_transport *_t) } else if (strcmp("nbt", value) == 0) { t.type = SMB_TRANSPORT_TYPE_NBT; t.port = 139; + } else if (strcmp("quic", value) == 0) { + t.type = SMB_TRANSPORT_TYPE_QUIC; + t.port = 443; } else if (vparam != NULL) { /* * a port number should not have diff --git a/lib/tsocket/tsocket.c b/lib/tsocket/tsocket.c index 68fdb6c3b40..3e62aac4f6b 100644 --- a/lib/tsocket/tsocket.c +++ b/lib/tsocket/tsocket.c 
@@ -214,6 +214,22 @@ struct tevent_req *tdgram_recvfrom_send(TALLOC_CTX *mem_ctx, goto post; } tevent_req_set_callback(subreq, tdgram_recvfrom_done, req); + if (!tevent_req_is_in_progress(subreq)) { + /* + * Allow the caller of + * tdgram_recvfrom_send() to + * see tevent_req_is_in_progress() + * reporting false too. + * + * Useful for callers using + * tdgram_bsd_optimize_recvfrom(true) + * in order to check if data + * was already waiting in the + * receice buffer. + */ + tdgram_recvfrom_done(subreq); + goto post; + } return req; diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h index 6ec48625f05..c3533a2d2e1 100644 --- a/libcli/smb/smb_util.h +++ b/libcli/smb/smb_util.h @@ -61,6 +61,7 @@ enum smb_transport_type { SMB_TRANSPORT_TYPE_UNKNOWN = 0, SMB_TRANSPORT_TYPE_NBT, SMB_TRANSPORT_TYPE_TCP, + SMB_TRANSPORT_TYPE_QUIC, }; struct smb_transport { diff --git a/script/autobuild.py b/script/autobuild.py index 30ad08ca04d..8acf6cdc854 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -1088,7 +1088,7 @@ tasks = { ("allprivate-def-configure", "./configure.developer " + samba_configure_params + " --private-libraries=ALL"), ("allprivate-def-make", "nice -n 19 make -j 2"), # note wrapper libraries need to be public - ("allprivate-def-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so|pam_matrix.so' | wc -l | grep -q '^0'"), + ("allprivate-def-no-public", "ls ./bin/shared | egrep -v '^private$|lib[npqrsu][saueoi][smiscd].*-wrapper.so$|pam_set_items.so|pam_matrix.so' | wc -l | grep -q '^0'"), ("allprivate-def-only-private-ext", "ls ./bin/shared/private | egrep 'private-samba' | wc -l | grep -q '^0' && exit 1; exit 0"), ("allprivate-def-no-non-private-ext", "ls ./bin/shared/private | egrep -v 'private-samba|^libpypamtest.so$' | wc -l | grep -q '^0'"), ("allprivate-def-test", make_test(TESTS="samba3.smb2.create.*nt4_dc")), 
@@ -1102,7 +1102,7 @@ tasks = { ("allprivate-ext-configure", "./configure.developer " + samba_configure_params + " --private-libraries=ALL --private-library-extension=private-library --private-extension-exception=pac,ndr"), ("allprivate-ext-make", "nice -n 19 make -j 2"), # note wrapper libraries need to be public - ("allprivate-ext-no-public", "ls ./bin/shared | egrep -v '^private$|lib[nprsu][saeoi][smscd].*-wrapper.so$|pam_set_items.so|pam_matrix.so' | wc -l | grep -q '^0'"), + ("allprivate-ext-no-public", "ls ./bin/shared | egrep -v '^private$|lib[npqrsu][saueoi][smiscd].*-wrapper.so$|pam_set_items.so|pam_matrix.so' | wc -l | grep -q '^0'"), ("allprivate-ext-no-private-default-ext", "ls ./bin/shared/private | grep 'private-samba' | wc -l | grep -q '^0'"), ("allprivate-ext-has-private-ext", "ls ./bin/shared/private | grep 'private-library' | wc -l | grep -q '^0' && exit 1; exit 0"), ("allprivate-ext-libndr-no-private-ext", "ls ./bin/shared/private | grep -v 'private-library' | grep 'libndr' | wc -l | grep -q '^1'"), diff --git a/script/compare_cc_results.py b/script/compare_cc_results.py index d97050c1870..031f6163441 100755 --- a/script/compare_cc_results.py +++ b/script/compare_cc_results.py @@ -19,6 +19,7 @@ exceptions = [ 'PAM_MATRIX_SO_PATH', 'LIBUID_WRAPPER_SO_PATH', 'LIBRESOLV_WRAPPER_SO_PATH', + 'LIBQUIC_KO_WRAPPER_SO_PATH', ] if len(sys.argv) < 3: diff --git a/selftest/flapping.d/smb-over-quic b/selftest/flapping.d/smb-over-quic new file mode 100644 index 00000000000..c6b9fe8cb46 --- /dev/null +++ b/selftest/flapping.d/smb-over-quic @@ -0,0 +1,5 @@ +# +# quic_ko_wrapper is not 100% reliable, it would need +# helper threads in order to do background keepalives... +# +^samba3.smb2.bench.smb-over-quic-ko-bsd.oplock1.fileserver diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 5f0daf7de68..11065dd51d9 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl 
@@ -43,6 +43,7 @@ if ($@) { my $opt_help = 0; my $opt_target = "samba"; my $opt_quick = 0; +my $opt_quic_ko_wrapper = 0; my $opt_socket_wrapper = 0; my $opt_socket_wrapper_pcap = undef; my $opt_socket_wrapper_keep_pcap = undef; @@ -58,6 +59,7 @@ my $opt_mitkrb5 = 0; my $opt_default_ldb_backend = "mdb"; my $opt_resetup_env = undef; my $opt_load_list = undef; +my $opt_libquic_ko_wrapper_so_path = ""; my $opt_libnss_wrapper_so_path = ""; my $opt_libresolv_wrapper_so_path = ""; my $opt_libsocket_wrapper_so_path = ""; @@ -234,6 +236,7 @@ my $result = GetOptions ( 'help|h|?' => \$opt_help, 'target=s' => \$opt_target, 'prefix=s' => \$prefix, + 'quic-ko-wrapper' => \$opt_quic_ko_wrapper, 'socket-wrapper' => \$opt_socket_wrapper, 'socket-wrapper-pcap' => \$opt_socket_wrapper_pcap, 'socket-wrapper-keep-pcap' => \$opt_socket_wrapper_keep_pcap, @@ -253,6 +256,7 @@ my $result = GetOptions ( 'testlist=s' => \@testlists, 'random-order' => \$opt_random_order, 'load-list=s' => \$opt_load_list, + 'quic_ko_wrapper_so_path=s' => \$opt_libquic_ko_wrapper_so_path, 'nss_wrapper_so_path=s' => \$opt_libnss_wrapper_so_path, 'resolv_wrapper_so_path=s' => \$opt_libresolv_wrapper_so_path, 'socket_wrapper_so_path=s' => \$opt_libsocket_wrapper_so_path, @@ -373,6 +377,14 @@ if ($opt_libasan_so_path) { } } +if ($opt_libquic_ko_wrapper_so_path) { + if ($ld_preload) { + $ld_preload = "$ld_preload:$opt_libquic_ko_wrapper_so_path"; + } else { + $ld_preload = "$opt_libquic_ko_wrapper_so_path"; + } +} + if ($opt_libnss_wrapper_so_path) { if ($ld_preload) { $ld_preload = "$ld_preload:$opt_libnss_wrapper_so_path"; @@ -432,6 +444,10 @@ $ENV{UID_WRAPPER} = 1; # We are already hitting the limit, so double it. $ENV{NSS_WRAPPER_MAX_HOSTENTS} = 200; +if ($opt_quic_ko_wrapper) { + $ENV{QUIC_KO_WRAPPER} = 1; +} + my $socket_wrapper_dir; if ($opt_socket_wrapper) { $socket_wrapper_dir = SocketWrapper::setup_dir("$prefix/w", $opt_socket_wrapper_pcap); 
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 077f3000935..a9efd07b0e4 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1954,6 +1954,8 @@ sub setup_fileserver my $ip4 = Samba::get_ipv4_addr("FILESERVER"); my $fileserver_options = " + server smb transports = +quic + smb3 unix extensions = yes kernel change notify = yes spotlight backend = elasticsearch @@ -2679,6 +2681,9 @@ sub provision($$) my $privatedir="$prefix/private"; push(@dirs,$privatedir); + my $tlsdir="$privatedir/tls"; + push(@dirs, $tlsdir); + my $cachedir = "$prefix/cachedir"; push(@dirs, $cachedir); diff --git a/selftest/wscript b/selftest/wscript index 95e70706e63..4a7eee42712 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -259,6 +259,8 @@ def cmd_testonly(opt): # selftest can optionally use kernel namespaces instead of socket-wrapper if os.environ.get('USE_NAMESPACES') is None: env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH') + if CONFIG_SET(opt, 'QUIC_KO_WRAPPER'): + env.OPTIONS += " --quic_ko_wrapper_so_path=" + CONFIG_GET(opt, 'LIBQUIC_KO_WRAPPER_SO_PATH') if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'): env.OPTIONS += " --use-dns-faking" @@ -357,6 +359,8 @@ def cmd_testonly(opt): if Options.options.LIST: cmd = '${CORE_COMMAND} --list' else: + if CONFIG_SET(opt, 'QUIC_KO_WRAPPER'): + env.OPTIONS += ' --quic-ko-wrapper' env.OPTIONS += ' --socket-wrapper' cmd = '(${CORE_COMMAND} && touch ${SELFTEST_PREFIX}/st_done) | ${FILTER_OPTIONS}' diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c index 8e9fc615521..42082a0d94b 100644 --- a/source3/libsmb/libsmb_context.c +++ b/source3/libsmb/libsmb_context.c @@ -27,6 +27,7 @@ #include "source3/libsmb/proto.h" #include "libsmbclient.h" #include "libsmb_internal.h" +#include "libsmb/smbsock_connect.h" #include "secrets.h" #include "../libcli/smb/smbXcli_base.h" #include "auth/credentials/credentials.h" 
@@ -52,6 +53,13 @@ SMBC_module_init(void * punused) char *home = NULL; TALLOC_CTX *frame = talloc_stackframe(); + /* + * We can't rely on periodic connection + * monitoring, so we can't use + * the ngtcp2 over udp quic support. + */ + smbsock_connect_require_bsd_socket = true; + setup_logging("libsmbclient", DEBUG_STDOUT); /* Here we would open the smb.conf file if needed ... */ diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c index 482f9d89613..5e7587ae314 100644 --- a/source3/libsmb/smbsock_connect.c +++ b/source3/libsmb/smbsock_connect.c @@ -22,12 +22,18 @@ #include "../lib/async_req/async_sock.h" #include "../lib/util/tevent_ntstatus.h" #include "../lib/util/tevent_unix.h" +#include "../lib/tsocket/tsocket.h" #include "client.h" #include "../libcli/smb/smbXcli_base.h" #include "async_smb.h" #include "../libcli/smb/read_smb.h" #include "libsmb/nmblib.h" #include "libsmb/smbsock_connect.h" +#include "../source4/lib/tls/tls.h" + +#ifdef HAVE_LIBQUIC +#include+#endif struct cli_session_request_state { struct tevent_context *ev; @@ -367,21 +373,29 @@ struct smb_transports smbsock_transports_from_port(uint16_t port) return ts; } +bool smbsock_connect_require_bsd_socket; + struct smbsock_connect_substate { struct tevent_req *req; size_t idx; struct smb_transport transport; struct tevent_req *subreq; int sockfd; + struct samba_sockaddr laddr; + struct samba_sockaddr raddr; }; struct smbsock_connect_state { struct tevent_context *ev; const struct sockaddr_storage *addr; + const char *target_name; const char *called_name; uint8_t called_type; const char *calling_name; uint8_t calling_type; + struct tstream_tls_params *quic_tlsp; + bool allow_ngtcp2; + bool force_ngtcp2; struct tevent_req *wake_subreq; uint8_t num_substates; uint8_t submit_idx; 
@@ -400,6 +414,19 @@ static bool smbsock_connect_submit_next(struct tevent_req *req); static void smbsock_connect_waited(struct tevent_req *subreq); static void smbsock_connect_nbt_connected(struct tevent_req *subreq); static void smbsock_connect_tcp_connected(struct tevent_req *subreq); +#ifdef HAVE_LIBQUIC +static void smbsock_connect_quic_connected(struct tevent_req *subreq); +static void smbsock_connect_quic_ready(struct tevent_req *subreq); +#endif /* HAVE_LIBQUIC */ +#ifdef HAVE_LIBNGTCP2 +static NTSTATUS smbsock_connect_ngtcp2_udp_sock( + const struct sockaddr_storage *addr, + uint16_t port, + int *_sockfd, + struct samba_sockaddr *laddr, + struct samba_sockaddr *raddr); +static void smbsock_connect_ngtcp2_ready(struct tevent_req *subreq); +#endif /* HAVE_LIBNGTCP2 */ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -418,6 +445,8 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx, struct smb_transports ts = *transports; uint8_t ti; bool ok; + bool request_quic = false; + bool try_quic = false; req = tevent_req_create(mem_ctx, &state, struct smbsock_connect_state); if (req == NULL) { @@ -425,6 +454,7 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx, } state->ev = ev; state->addr = addr; + state->target_name = called_name; state->called_name = (called_name != NULL) ? called_name : "*SMBSERVER"; state->called_type = 
@@ -449,6 +479,59 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx, SMB_ASSERT(ts.num_transports <= ARRAY_SIZE(state->substates)); + for (ti = 0; ti < ts.num_transports; ti++) { + const struct smb_transport *t = &ts.transports[ti]; + + if (t->type != SMB_TRANSPORT_TYPE_QUIC) { + continue; + } + + if (state->target_name != NULL) { + request_quic = true; + break; + } + } + + if (request_quic) { + NTSTATUS status; + + status = tstream_tls_params_client_lpcfg(state, + lp_ctx, + state->target_name, + &state->quic_tlsp); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + status = tstream_tls_params_quic_prepare(state->quic_tlsp); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + + try_quic = tstream_tls_params_quic_enabled(state->quic_tlsp); + + state->allow_ngtcp2 = lpcfg_parm_bool(lp_ctx, + NULL, + "client smb transport", + "allow_ngtcp2_quic", + try_quic); + state->force_ngtcp2 = lpcfg_parm_bool(lp_ctx, + NULL, + "client smb transport", + "force_ngtcp2_quic", + false); + } + + if (smbsock_connect_require_bsd_socket) { + /* + * This is libsmbclient in use + * there's no periodic connection + * monitoring, so we can't use + * the ngtcp2 over udp quic support. + */ + state->allow_ngtcp2 = false; + } + for (ti = 0; ti < ts.num_transports; ti++) { const struct smb_transport *t = &ts.transports[ti]; struct smbsock_connect_substate *s = @@ -469,6 +552,17 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx, break; case SMB_TRANSPORT_TYPE_TCP: break; + case SMB_TRANSPORT_TYPE_QUIC: + if (try_quic) { + break; + } + + /* + * Not supported yet or no + * called_name as peer name + * available. + */ -- Samba Shared Repository From janger at samba.org Thu Jul 17 10:49:02 2025 
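Review bot: In the smbsock_connect_send() hunk of source3/libsmb/smbsock_connect.c, the smbsock_connect_require_bsd_socket branch clears only state->allow_ngtcp2 and leaves state->force_ngtcp2 as read from "client smb transport:force_ngtcp2_quic". If the code past the truncation point consults force_ngtcp2 on its own, a libsmbclient process could still end up on the ngtcp2 over UDP path that the comment says it cannot use; setting state->force_ngtcp2 = false in the same branch, or failing the request when both are set, would make the restriction unconditional. The two parametric options are also introduced without documentation in the visible part of the change, and smbsock_connect_require_bsd_socket is a process-wide global, so a short comment at its definition saying who is expected to set it would help.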
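Review bot: In script/autobuild.py, the allprivate-def-no-public and allprivate-ext-no-public checks widen the exclusion pattern to lib[npqrsu][saueoi][smiscd].*-wrapper.so$, which now accepts many more three-letter prefixes than the wrapper libraries it is meant to exempt, and the dot before "so" is unescaped. Because this check exists to catch libraries that are public by accident, an explicit alternation of the known wrapper names would keep an unexpected library whose name happens to fit the character classes from passing unnoticed.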
From: janger at samba.org (Jule Anger)
Date: Thu, 17 Jul 2025 10:49:02 +0000
Subject: [SCM] Samba Shared Repository - branch v4-22-test updated
Message-ID:

The branch, v4-22-test has been updated
       via  f186da9fabf Add check for the GPO link to have at least two attributes separated by semicolon. Allows to handle empty links.
       via  69cccd4c18c WHATSNEW: fix typo
      from  ef1a5896a11 VERSION: Bump version up to Samba 4.22.4...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-test

- Log -----------------------------------------------------------------
commit f186da9fabf16799352d130f4335971441f0475e
Author: Aleksandr Sharov
Date:   Fri Jul 4 15:32:28 2025 +0200

    Add check for the GPO link to have at least two attributes separated by semicolon. Allows to handle empty links.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15877
    RN: Fix handling of empty GPO link

    Signed-off-by: Alex Sharov (kororland at gmail.com)
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andreas Schneider

    Autobuild-User(master): Andreas Schneider
    Autobuild-Date(master): Thu Jul 10 18:55:33 UTC 2025 on atb-devel-224

    (cherry picked from commit 44ee31c0258b0afb3d3f2ce17942cc86e308a690)

    Autobuild-User(v4-22-test): Jule Anger
    Autobuild-Date(v4-22-test): Thu Jul 17 10:48:14 UTC 2025 on atb-devel-224

commit 69cccd4c18c55ea9d4181add16a4f705dc1fe537
Author: Jule Anger
Date:   Thu Jul 17 11:38:11 2025 +0200

    WHATSNEW: fix typo

    Found by script/codespell.sh.

    Signed-off-by: Jule Anger

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt               | 2 +-
 python/samba/gp/gpclass.py | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 57d9133b43f..f02cc224d48 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt
@@ -57,7 +57,7 @@ o Stefan Metzmacher calls like netr_DsRGetDCName. o Andreas Schneider - * BUG 15869: Startup messages of rpc deamons fills /var/log/messages. + * BUG 15869: Startup messages of rpc daemons fills /var/log/messages. ####################################### diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py index d86aacec138..07b4fb3e7bd 100644 --- a/python/samba/gp/gpclass.py +++ b/python/samba/gp/gpclass.py @@ -673,8 +673,10 @@ class GP_LINK: self.gp_opts = int(gPOptions) def gpo_parse_gplink(self, gPLink): + # normally formed link looks like [LDAP://host/path;options] + # empty link looks like [ ] for p in gPLink.decode().split(']'): - if not p: + if not p or ';' not in p: continue log.debug('gpo_parse_gplink: processing link') p = p.lstrip('[')
-- Samba Shared Repository

From gd at samba.org Thu Jul 17 23:14:01 2025
From: gd at samba.org (Günther Deschner)
Date: Thu, 17 Jul 2025 23:14:01 +0000
Subject: [SCM] Samba Shared Repository - branch master updated
Message-ID:

The branch, master has been updated
       via  12e50a8646d vfs_ceph_new: cleanup to async path
      from  09c44603f58 s3:selftest: run smb2.{bench,connect,credits,ioctl,rw} over quic-ngtcp2

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 12e50a8646d3702c654b200e73b15b40f2398333
Author: Shweta Sodani
Date:   Mon Jul 14 18:47:58 2025 +0530

    vfs_ceph_new: cleanup to async path

    Signed-off-by: Shweta Sodani
    Reviewed-by: Anoop C S
    Reviewed-by: Shachar Sharon
    Reviewed-by: Guenther Deschner

    Autobuild-User(master): Günther Deschner
    Autobuild-Date(master): Thu Jul 17 23:13:36 UTC 2025 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 source3/modules/vfs_ceph_new.c | 101 ++++++++++++++++++++---------------------
 1 file changed, 48 insertions(+), 53 deletions(-)

Changeset truncated at 500 lines:
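Review bot: In gpo_parse_gplink() in python/samba/gp/gpclass.py (the v4-22-test change above), the new "';' not in p" test drops every entry without a semicolon silently, so a genuinely malformed gPLink value is now indistinguishable from the empty "[ ]" case the added comment describes. Consider treating an entry as empty only when nothing remains after stripping the bracket and whitespace, and logging non-empty entries that lack the separator, so a broken link shows up in the logs instead of the GPO quietly not being applied. The summary of changes lists only WHATSNEW.txt and gpclass.py, so the empty-link input also has no test.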
diff --git a/source3/modules/vfs_ceph_new.c b/source3/modules/vfs_ceph_new.c index caafdad12af..996edc73458 100644 --- a/source3/modules/vfs_ceph_new.c +++ b/source3/modules/vfs_ceph_new.c @@ -2459,17 +2459,16 @@ struct vfs_ceph_aio_state { struct vfs_ceph_fh *cfh; #if HAVE_CEPH_ASYNCIO struct tevent_req *req; - bool orphaned; struct tevent_immediate *im; void *data; - size_t len; - off_t off; - bool write; - bool fsync; - struct ceph_ll_io_info io_info; struct iovec iov; + bool orphaned; + bool write; + bool fsync; #endif + size_t len; + off_t off; struct timespec start_time; struct timespec finish_time; ssize_t result; @@ -2628,32 +2627,6 @@ static void vfs_ceph_aio_done(struct tevent_context *ev, tevent_req_done(req); } -static ssize_t vfs_ceph_aio_recv(struct tevent_req *req, - struct vfs_aio_state *vfs_aio_state) -{ - struct vfs_ceph_aio_state *state = tevent_req_data( - req, struct vfs_ceph_aio_state); - ssize_t res = -1; - - DBG_DEBUG("[CEPH] aio_recv: ino=%" PRIu64 - " fd=%d off=%jd len=%ju result=%ld\n", - state->cfh->iref.ino, - state->cfh->fd, - state->off, - state->len, - state->result); - - if (tevent_req_is_unix_error(req, &vfs_aio_state->error)) { - goto out; - } - - *vfs_aio_state = state->vfs_aio_state; - res = state->result; -out: - tevent_req_received(req); - return res; -} - #endif /* HAVE_CEPH_ASYNCIO */ static void vfs_ceph_aio_prepare(struct vfs_handle_struct *handle, 
@@ -2761,21 +2734,29 @@ static ssize_t vfs_ceph_pread_recv(struct tevent_req *req, { struct vfs_ceph_aio_state *state = tevent_req_data( req, struct vfs_ceph_aio_state); + ssize_t res = -1; - DBG_DEBUG("[CEPH] pread_recv: bytes_read=%zd\n", state->result); + DBG_DEBUG("[CEPH] pread_recv: bytes_read=%zd" + " ino=%" PRIu64 + " fd=%d off=%jd len=%ju\n", + state->result, + state->cfh->iref.ino, + state->cfh->fd, + state->off, + state->len); SMBPROFILE_BYTES_ASYNC_END(state->profile_bytes); SMBPROFILE_BYTES_ASYNC_END(state->profile_bytes_x); -#if HAVE_CEPH_ASYNCIO - return vfs_ceph_aio_recv(req, vfs_aio_state); -#endif if (tevent_req_is_unix_error(req, &vfs_aio_state->error)) { - return -1; + goto out; } *vfs_aio_state = state->vfs_aio_state; - return state->result; + res = state->result; +out: + tevent_req_received(req); + return res; } static ssize_t vfs_ceph_pwrite(struct vfs_handle_struct *handle, @@ -2869,22 +2850,29 @@ static ssize_t vfs_ceph_pwrite_recv(struct tevent_req *req, { struct vfs_ceph_aio_state *state = tevent_req_data( req, struct vfs_ceph_aio_state); + ssize_t res = -1; - DBG_DEBUG("[CEPH] pwrite_recv: bytes_written=%zd\n", state->result); + DBG_DEBUG("[CEPH] pwrite_recv: bytes_written=%zd" + " ino=%" PRIu64 + " fd=%d off=%jd len=%ju\n", + state->result, + state->cfh->iref.ino, + state->cfh->fd, + state->off, + state->len); SMBPROFILE_BYTES_ASYNC_END(state->profile_bytes); SMBPROFILE_BYTES_ASYNC_END(state->profile_bytes_x); -#if HAVE_CEPH_ASYNCIO - return vfs_ceph_aio_recv(req, vfs_aio_state); -#endif - if (tevent_req_is_unix_error(req, &vfs_aio_state->error)) { - return -1; + goto out; } *vfs_aio_state = state->vfs_aio_state; - return state->result; + res = state->result; +out: + tevent_req_received(req); + return res; } static off_t vfs_ceph_lseek(struct vfs_handle_struct *handle, 
@@ -3063,24 +3051,31 @@ static int vfs_ceph_fsync_recv(struct tevent_req *req, { struct vfs_ceph_aio_state *state = tevent_req_data( req, struct vfs_ceph_aio_state); + ssize_t res = -1; - DBG_DEBUG("[CEPH] fsync_recv: error=%d duration=%" PRIu64 "\n", + DBG_DEBUG("[CEPH] fsync_recv: error=%d duration=%" PRIu64 + " ino=%" PRIu64 + " fd=%d off=%jd len=%ju result=%ld\n", state->vfs_aio_state.error, - state->vfs_aio_state.duration); + state->vfs_aio_state.duration, + state->cfh->iref.ino, + state->cfh->fd, + state->off, + state->len, + state->result); SMBPROFILE_BYTES_ASYNC_END(state->profile_bytes); SMBPROFILE_BYTES_ASYNC_END(state->profile_bytes_x); -#if HAVE_CEPH_ASYNCIO - return vfs_ceph_aio_recv(req, vfs_aio_state); -#endif - if (tevent_req_is_unix_error(req, &vfs_aio_state->error)) { - return -1; + goto out; } *vfs_aio_state = state->vfs_aio_state; - return 0; + res = state->result; +out: + tevent_req_received(req); + return res; } static int vfs_ceph_stat(struct vfs_handle_struct *handle, -- Samba Shared Repository From gd at samba.org Fri Jul 18 22:26:02 2025 From: gd at samba.org (=?UTF-8?Q?G=C3=BCnther_Deschner?=) Date: Fri, 18 Jul 2025 22:26:02 +0000 Subject: [SCM] Samba Shared Repository - branch master updated Message-ID: The branch, master has been updated via 1d1acebf019 smbd: fix mode being sent to possibly_set_archive from 12e50a8646d vfs_ceph_new: cleanup to async path https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 1d1acebf01902bef3a9ccae23c3be4cacbb777b2 Author: Srinivas Rao V Date: Thu Jul 3 10:19:46 2025 -0400 smbd: fix mode being sent to possibly_set_archive BUG: https://bugzilla.samba.org/show_bug.cgi?id=15880 possibly_set_archive is being passed smb_fname->st.st_ex_mode. Inside the function same variable is getting assigned to itself. Fixed this to send unx_mode to possibly_set_archive. 
    Signed-off-by: Srinivas Rao V
    Reviewed-by: Ralph Boehme
    Reviewed-by: Guenther Deschner

    Autobuild-User(master): Günther Deschner
    Autobuild-Date(master): Fri Jul 18 22:25:05 UTC 2025 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/open.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Changeset truncated at 500 lines:

diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 3ffcfa36bb1..e50b6b68fab 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -4255,7 +4255,7 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn, parent_dir_fname, info, new_dos_attributes, - &smb_fname->st.st_ex_mode); + &unx_mode); /* Determine sparse flag. */ if (posix_open) {
-- Samba Shared Repository
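Review bot: In vfs_ceph_fsync_recv() in source3/modules/vfs_ceph_new.c, the function is declared to return int but now returns res, an ssize_t holding state->result, where the path without HAVE_CEPH_ASYNCIO previously returned 0 on success. Please confirm that state->result is always 0 after a successful fsync and declare res as int, otherwise callers that treat any non-zero return as failure change behaviour. In the same hunk the DBG_DEBUG prints state->result with %ld while pread_recv and pwrite_recv use %zd for the same field; %zd is the matching specifier for ssize_t.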
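Review bot: In open_file_ntcreate() in source3/smbd/open.c, the switch of the last argument from &smb_fname->st.st_ex_mode to &unx_mode arrives without a test; the summary lists open.c as the only file touched. A regression test for BUG 15880 that creates a file and checks the resulting mode and archive attribute would keep the self-assignment described in the commit message from coming back.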