diff --git a/.gitignore b/.gitignore
index 41cd890..a32ae18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/samba-4.15.5.tar.xz
+SOURCES/samba-4.16.4.tar.xz
 SOURCES/samba-pubkey_AA99442FB680B620.gpg
diff --git a/.samba.metadata b/.samba.metadata
index b1ff8f6..620213e 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
-f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz
+c943ec2e8b9413cd3465e39481b49872b4486e86 SOURCES/samba-4.16.4.tar.xz
 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg
diff --git a/SOURCES/CVE-2022-32742-v4-15.patch b/SOURCES/CVE-2022-32742-v4-15.patch
deleted file mode 100644
index 314b144..0000000
--- a/SOURCES/CVE-2022-32742-v4-15.patch
+++ /dev/null
@@ -1,216 +0,0 @@
-From 9ccec2afdaf8af463f321eb37d3c3bb90d1d432e Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 7 Jun 2022 09:40:45 -0700
-Subject: [PATCH 1/2] CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
-
-Reproduces the test code in:
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
-
-Add knownfail.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
----
- selftest/knownfail.d/bad-write |  2 +
- source4/torture/raw/write.c    | 89 ++++++++++++++++++++++++++++++++++
- 2 files changed, 91 insertions(+)
- create mode 100644 selftest/knownfail.d/bad-write
-
-diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write
-new file mode 100644
-index 00000000000..5fc16606a13
---- /dev/null
-+++ b/selftest/knownfail.d/bad-write
-@@ -0,0 +1,2 @@
-+^samba3.raw.write.bad-write\(nt4_dc_smb1\)
-+^samba3.raw.write.bad-write\(ad_dc_smb1\)
-diff --git a/source4/torture/raw/write.c b/source4/torture/raw/write.c
-index 0a2f50f425b..661485bb548 100644
---- a/source4/torture/raw/write.c
-+++ b/source4/torture/raw/write.c
-@@ -25,6 +25,7 @@
- #include "libcli/libcli.h"
- #include "torture/util.h"
- #include "torture/raw/proto.h"
-+#include "libcli/raw/raw_proto.h"
- 
- #define CHECK_STATUS(status, correct) do { \
- 	if (!NT_STATUS_EQUAL(status, correct)) { \
-@@ -694,6 +695,93 @@ done:
- 	return ret;
- }
- 
-+/*
-+  test a deliberately bad SMB1 write.
-+*/
-+static bool test_bad_write(struct torture_context *tctx,
-+		       struct smbcli_state *cli)
-+{
-+	bool ret = false;
-+	int fnum = -1;
-+	struct smbcli_request *req = NULL;
-+	const char *fname = BASEDIR "\\badwrite.txt";
-+	bool ok = false;
-+
-+	if (!torture_setup_dir(cli, BASEDIR)) {
-+		torture_fail(tctx, "failed to setup basedir");
-+	}
-+
-+	torture_comment(tctx, "Testing RAW_BAD_WRITE\n");
-+
-+	fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE);
-+	if (fnum == -1) {
-+		torture_fail_goto(tctx,
-+			done,
-+			talloc_asprintf(tctx,
-+				"Failed to create %s - %s\n",
-+				fname,
-+				smbcli_errstr(cli->tree)));
-+	}
-+
-+	req = smbcli_request_setup(cli->tree,
-+				   SMBwrite,
-+				   5,
-+				   0);
-+	if (req == NULL) {
-+		torture_fail_goto(tctx,
-+			done,
-+			talloc_asprintf(tctx, "talloc fail\n"));
-+	}
-+
-+	SSVAL(req->out.vwv, VWV(0), fnum);
-+	SSVAL(req->out.vwv, VWV(1), 65535); /* bad write length. */
-+	SIVAL(req->out.vwv, VWV(2), 0); /* offset */
-+	SSVAL(req->out.vwv, VWV(4), 0); /* remaining. */
-+
-+        if (!smbcli_request_send(req)) {
-+		torture_fail_goto(tctx,
-+			done,
-+			talloc_asprintf(tctx, "Send failed\n"));
-+        }
-+
-+        if (!smbcli_request_receive(req)) {
-+		torture_fail_goto(tctx,
-+			done,
-+			talloc_asprintf(tctx, "Reveive failed\n"));
-+	}
-+
-+	/*
-+	 * Check for expected error codes.
-+	 * ntvfs returns NT_STATUS_UNSUCCESSFUL.
-+	 */
-+	ok = (NT_STATUS_EQUAL(req->status, NT_STATUS_INVALID_PARAMETER) ||
-+	     NT_STATUS_EQUAL(req->status, NT_STATUS_UNSUCCESSFUL));
-+
-+	if (!ok) {
-+		torture_fail_goto(tctx,
-+			done,
-+			talloc_asprintf(tctx,
-+				"Should have returned "
-+				"NT_STATUS_INVALID_PARAMETER or "
-+				"NT_STATUS_UNSUCCESSFUL "
-+				"got %s\n",
-+				nt_errstr(req->status)));
-+        }
-+
-+	ret = true;
-+
-+done:
-+	if (req != NULL) {
-+		smbcli_request_destroy(req);
-+	}
-+	if (fnum != -1) {
-+		smbcli_close(cli->tree, fnum);
-+	}
-+	smb_raw_exit(cli->session);
-+	smbcli_deltree(cli->tree, BASEDIR);
-+	return ret;
-+}
-+
- /*
-    basic testing of write calls
- */
-@@ -705,6 +793,7 @@ struct torture_suite *torture_raw_write(TALLOC_CTX *mem_ctx)
- 	torture_suite_add_1smb_test(suite, "write unlock", test_writeunlock);
- 	torture_suite_add_1smb_test(suite, "write close", test_writeclose);
- 	torture_suite_add_1smb_test(suite, "writex", test_writex);
-+	torture_suite_add_1smb_test(suite, "bad-write", test_bad_write);
- 
- 	return suite;
- }
--- 
-2.34.1
-
-
-From 9097c5363605e1d5f99ff5a59dc6795c612d472f Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Wed, 8 Jun 2022 13:50:51 -0700
-Subject: [PATCH 2/2] CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
-
-Fixes the raw.write.bad-write test.
-
-NB. We need the two (==0) changes in source3/smbd/reply.c
-as the gcc optimizer now knows that the return from
-smbreq_bufrem() can never be less than zero.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
-
-Remove knownfail.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
-
----
- selftest/knownfail.d/bad-write | 2 --
- source3/include/smb_macros.h   | 2 +-
- source3/smbd/reply.c           | 4 ++--
- 3 files changed, 3 insertions(+), 5 deletions(-)
- delete mode 100644 selftest/knownfail.d/bad-write
-
-diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write
-deleted file mode 100644
-index 5fc16606a13..00000000000
---- a/selftest/knownfail.d/bad-write
-+++ /dev/null
-@@ -1,2 +0,0 @@
--^samba3.raw.write.bad-write\(nt4_dc_smb1\)
--^samba3.raw.write.bad-write\(ad_dc_smb1\)
-diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
-index 344a997cbd2..c75b93fcc25 100644
---- a/source3/include/smb_macros.h
-+++ b/source3/include/smb_macros.h
-@@ -152,7 +152,7 @@
- 
- /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */
- #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)))
--#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf))
-+#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf))
- 
- 
- /* Note that chain_size must be available as an extern int to this macro. */
-diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
-index d4573d3da55..e1a47a65662 100644
---- a/source3/smbd/reply.c
-+++ b/source3/smbd/reply.c
-@@ -345,7 +345,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
- {
- 	ssize_t bufrem = smbreq_bufrem(req, src);
- 
--	if (bufrem < 0) {
-+	if (bufrem == 0) {
- 		*err = NT_STATUS_INVALID_PARAMETER;
- 		return 0;
- 	}
-@@ -383,7 +383,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
- {
- 	ssize_t bufrem = smbreq_bufrem(req, src);
- 
--	if (bufrem < 0) {
-+	if (bufrem == 0) {
- 		return 0;
- 	}
- 
--- 
-2.34.1
-
diff --git a/SOURCES/samba-4-15-fix-autorid.patch b/SOURCES/samba-4-15-fix-autorid.patch
deleted file mode 100644
index f63464c..0000000
--- a/SOURCES/samba-4-15-fix-autorid.patch
+++ /dev/null
@@ -1,231 +0,0 @@
-From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 1 Feb 2022 10:06:30 +0100
-Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range
-
-What we want to avoid:
-
-$ ./bin/testparm -s | grep "idmap config"
-        idmap config * : rangesize = 10000
-        idmap config * : range = 10000-19999
-        idmap config * : backend = autorid
-
-$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
-S-1-5-32-544 SID_ALIAS (4)
-
-$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
-10000
-
-$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
-S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
-
-$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
-failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
-Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
-
-If only one range is configured we are either not able to map users/groups
-from our primary *and* the BUILTIN domain. We need at least two ranges to also
-cover the BUILTIN domain!
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f)
----
- source3/winbindd/idmap_autorid.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
-index ad53b5810ee..c7d56a37684 100644
---- a/source3/winbindd/idmap_autorid.c
-+++ b/source3/winbindd/idmap_autorid.c
-@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
- 	config->maxranges = (dom->high_id - dom->low_id + 1) /
- 	    config->rangesize;
- 
--	if (config->maxranges == 0) {
--		DEBUG(1, ("Allowed uid range is smaller than rangesize. "
--			  "Increase uid range or decrease rangesize.\n"));
-+	if (config->maxranges < 2) {
-+		DBG_WARNING("Allowed idmap range is not a least double the "
-+			    "size of the rangesize. Please increase idmap "
-+			    "range.\n");
- 		status = NT_STATUS_INVALID_PARAMETER;
- 		goto error;
- 	}
--- 
-2.35.1
-
-
-From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 1 Feb 2022 10:07:50 +0100
-Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid
-
-What we want to avoid:
-
-$ ./bin/testparm -s | grep "idmap config"
-        idmap config * : rangesize = 10000
-        idmap config * : range = 10000-19999
-        idmap config * : backend = autorid
-
-$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
-S-1-5-32-544 SID_ALIAS (4)
-
-$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
-10000
-
-$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
-S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
-
-$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
-failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
-Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
-
-If only one range is configured we are either not able to map users/groups
-from our primary *and* the BUILTIN domain. We need at least two ranges to also
-cover the BUILTIN domain!
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4)
----
- source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 51 insertions(+)
-
-diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
-index 98bcc219b1e..58ba46bc15f 100644
---- a/source3/utils/testparm.c
-+++ b/source3/utils/testparm.c
-@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string,
- 	return false; /* Keep scanning */
- }
- 
-+static int idmap_config_int(const char *domname, const char *option, int def)
-+{
-+	int len = snprintf(NULL, 0, "idmap config %s", domname);
-+
-+	if (len == -1) {
-+		return def;
-+	}
-+	{
-+		char config_option[len+1];
-+		snprintf(config_option, sizeof(config_option),
-+			 "idmap config %s", domname);
-+		return lp_parm_int(-1, config_option, option, def);
-+	}
-+}
-+
- static bool do_idmap_check(void)
- {
- 	struct idmap_domains *d;
-@@ -157,6 +172,42 @@ static bool do_idmap_check(void)
- 			rc);
- 	}
- 
-+	/* Check autorid backend */
-+	if (strequal(lp_idmap_default_backend(), "autorid")) {
-+		struct idmap_config *c = NULL;
-+		bool found = false;
-+
-+		for (i = 0; i < d->count; i++) {
-+			c = &d->c[i];
-+
-+			if (strequal(c->backend, "autorid")) {
-+				found = true;
-+				break;
-+			}
-+		}
-+
-+		if (found) {
-+			uint32_t rangesize =
-+				idmap_config_int("*", "rangesize", 100000);
-+			uint32_t maxranges =
-+				(c->high - c->low  + 1) / rangesize;
-+
-+			if (maxranges < 2) {
-+				fprintf(stderr,
-+					"ERROR: The idmap autorid range "
-+					"[%u-%u] needs to be at least twice as "
-+					"big as the rangesize [%u]!"
-+					"\n\n",
-+					c->low,
-+					c->high,
-+					rangesize);
-+				ok = false;
-+				goto done;
-+			}
-+		}
-+	}
-+
-+	/* Check for overlapping idmap ranges */
- 	for (i = 0; i < d->count; i++) {
- 		struct idmap_config *c = &d->c[i];
- 		uint32_t j;
--- 
-2.35.1
-
-
-From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 1 Feb 2022 10:05:19 +0100
-Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation
-
-What we want to avoid:
-
-$ ./bin/testparm -s | grep "idmap config"
-        idmap config * : rangesize = 10000
-        idmap config * : range = 10000-19999
-        idmap config * : backend = autorid
-
-$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
-S-1-5-32-544 SID_ALIAS (4)
-
-$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
-10000
-
-$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
-S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
-
-$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
-failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
-Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
-
-If only one range is configured we are either not able to map users/groups
-from our primary *and* the BUILTIN domain. We need at least two ranges to also
-cover the BUILTIN domain!
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de)
----
- docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml
-index 6c4da1cad8a..980718f0bd4 100644
---- a/docs-xml/manpages/idmap_autorid.8.xml
-+++ b/docs-xml/manpages/idmap_autorid.8.xml
-@@ -48,7 +48,13 @@
- 			and the corresponding map is discarded.  It is
- 			intended as a way to avoid accidental UID/GID
- 			overlaps between local and remotely defined
--			IDs.
-+			IDs. Note that the range should be a multiple
-+			of the rangesize and needs to be at least twice
-+			as large in order to have sufficient id range
-+			space for the mandatory BUILTIN domain.
-+			With a default rangesize of 100000 the range
-+			needs to span at least 200000.
-+			This would be: range = 100000 - 299999.
- 		</para></listitem>
- 		</varlistentry>
- 
--- 
-2.35.1
-
diff --git a/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch b/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch
deleted file mode 100644
index 2d7ad44..0000000
--- a/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch
+++ /dev/null
@@ -1,477 +0,0 @@
-From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 15 Mar 2022 16:53:02 +0100
-Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- testprogs/blackbox/test_net_ads.sh | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
-index 76b394b10a9..cfafb945b62 100755
---- a/testprogs/blackbox/test_net_ads.sh
-+++ b/testprogs/blackbox/test_net_ads.sh
-@@ -51,6 +51,12 @@ fi
- 
- testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
- 
-+workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf")
-+testit "local krb5.conf created" \
-+	test -r \
-+	"${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" ||
-+	failed=$((failed + 1))
-+
- testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
- 
- netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
--- 
-2.35.1
-
-
-From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 15 Mar 2022 12:03:40 +0100
-Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index 75beeef4a44..60fe03fd5d7 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -1,4 +1,4 @@
--/* 
-+/*
-    Unix SMB/CIFS implementation.
-    kerberos utility library
-    Copyright (C) Andrew Tridgell 2001
-@@ -37,11 +37,11 @@
- #define LIBADS_CCACHE_NAME "MEMORY:libads"
- 
- /*
--  we use a prompter to avoid a crash bug in the kerberos libs when 
-+  we use a prompter to avoid a crash bug in the kerberos libs when
-   dealing with empty passwords
-   this prompter is just a string copy ...
- */
--static krb5_error_code 
-+static krb5_error_code
- kerb_prompter(krb5_context ctx, void *data,
- 	       const char *name,
- 	       const char *banner,
-@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
- 		krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
- 	}
- 
--	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), 
-+	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
- 						 kerb_prompter, discard_const_p(char, password),
- 						 0, NULL, opt))) {
- 		goto out;
-@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name)
- 	}
- 
- 	if ((code = krb5_cc_destroy (ctx, cc))) {
--		DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", 
-+		DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
- 			error_message(code)));
- 	}
- 
-@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal,
- 			    int time_offset,
- 			    const char *cache_name)
- {
--	return kerberos_kinit_password_ext(principal, 
--					   password, 
--					   time_offset, 
--					   0, 
-+	return kerberos_kinit_password_ext(principal,
-+					   password,
-+					   time_offset,
-+					   0,
- 					   0,
- 					   cache_name,
- 					   False,
--- 
-2.35.1
-
-
-From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 15 Mar 2022 12:04:34 +0100
-Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string()
-
-This avoids useless allocations.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index 60fe03fd5d7..1bf149ef09b 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 	struct netlogon_samlogon_response **responses = NULL;
- 	NTSTATUS status;
- 	bool ok;
--	char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "",
--					print_canonical_sockaddr_with_port(mem_ctx, pss));
-+	char *kdc_str = NULL;
- 
-+	SMB_ASSERT(pss != NULL);
-+
-+	kdc_str = talloc_asprintf(mem_ctx,
-+				  "\t\tkdc = %s\n",
-+				  print_canonical_sockaddr_with_port(mem_ctx,
-+								     pss));
- 	if (kdc_str == NULL) {
- 		TALLOC_FREE(frame);
- 		return NULL;
-@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 		}
- 	}
- 
--	dc_addrs2 = talloc_zero_array(talloc_tos(),
--				      struct tsocket_address *,
--				      num_dcs);
--
- 	DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
- 	if (num_dcs == 0) {
- 		TALLOC_FREE(kdc_str);
- 		goto out;
- 	}
-+
-+	dc_addrs2 = talloc_zero_array(talloc_tos(),
-+				      struct tsocket_address *,
-+				      num_dcs);
- 	if (dc_addrs2 == NULL) {
- 		TALLOC_FREE(kdc_str);
- 		goto out;
--- 
-2.35.1
-
-
-From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 15 Mar 2022 12:10:47 +0100
-Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index 1bf149ef09b..6a46d72a156 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 
- 	result = kdc_str;
- out:
--	DBG_DEBUG("Returning\n%s\n", kdc_str);
-+	if (result != NULL) {
-+		DBG_DEBUG("Returning\n%s\n", kdc_str);
-+	} else {
-+		DBG_NOTICE("Failed to get KDC ip address\n");
-+	}
- 
- 	TALLOC_FREE(ip_sa_site);
- 	TALLOC_FREE(ip_sa_nonsite);
--- 
-2.35.1
-
-
-From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 15 Mar 2022 12:48:23 +0100
-Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in
- get_kdc_ip_string()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index 6a46d72a156..d1c410ffa4b 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 		}
- 
- 		/* Append to the string - inefficient but not done often. */
--		new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n",
--					      kdc_str,
--					      print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
--		TALLOC_FREE(kdc_str);
-+		new_kdc_str = talloc_asprintf_append(
-+				kdc_str,
-+				"\t\tkdc = %s\n",
-+				print_canonical_sockaddr_with_port(
-+					mem_ctx, &dc_addrs[i]));
- 		if (new_kdc_str == NULL) {
- 			goto out;
- 		}
--- 
-2.35.1
-
-
-From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 15 Mar 2022 12:56:58 +0100
-Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index d1c410ffa4b..aadc65a3edc 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -438,7 +438,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 
- 	SMB_ASSERT(pss != NULL);
- 
--	kdc_str = talloc_asprintf(mem_ctx,
-+	kdc_str = talloc_asprintf(frame,
- 				  "\t\tkdc = %s\n",
- 				  print_canonical_sockaddr_with_port(mem_ctx,
- 								     pss));
-@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 	 */
- 
- 	if (sitename) {
--		status = get_kdc_list(talloc_tos(),
-+		status = get_kdc_list(frame,
- 					realm,
- 					sitename,
- 					&ip_sa_site,
-@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 
- 	/* Get all KDC's. */
- 
--	status = get_kdc_list(talloc_tos(),
-+	status = get_kdc_list(frame,
- 					realm,
- 					NULL,
- 					&ip_sa_nonsite,
-@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 		kdc_str = new_kdc_str;
- 	}
- 
--	result = kdc_str;
-+	result = talloc_move(mem_ctx, &kdc_str);
- out:
- 	if (result != NULL) {
- 		DBG_DEBUG("Returning\n%s\n", kdc_str);
-@@ -597,8 +597,6 @@ out:
- 		DBG_NOTICE("Failed to get KDC ip address\n");
- 	}
- 
--	TALLOC_FREE(ip_sa_site);
--	TALLOC_FREE(ip_sa_nonsite);
- 	TALLOC_FREE(frame);
- 	return result;
- }
--- 
-2.35.1
-
-
-From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 15 Mar 2022 12:57:18 +0100
-Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str
-
-This is allocated on the stackframe now!
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 12 +-----------
- 1 file changed, 1 insertion(+), 11 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index aadc65a3edc..2087dc1e6f9 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 				  print_canonical_sockaddr_with_port(mem_ctx,
- 								     pss));
- 	if (kdc_str == NULL) {
--		TALLOC_FREE(frame);
--		return NULL;
-+		goto out;
- 	}
- 
- 	ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
- 	if (!ok) {
--		TALLOC_FREE(kdc_str);
- 		goto out;
- 	}
- 
-@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 		if (!NT_STATUS_IS_OK(status)) {
- 			DBG_ERR("get_kdc_list fail %s\n",
- 				nt_errstr(status));
--			TALLOC_FREE(kdc_str);
- 			goto out;
- 		}
- 		DBG_DEBUG("got %zu addresses from site %s search\n",
-@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 	if (!NT_STATUS_IS_OK(status)) {
- 		DBG_ERR("get_kdc_list (site-less) fail %s\n",
- 			nt_errstr(status));
--		TALLOC_FREE(kdc_str);
- 		goto out;
- 	}
- 	DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite);
-@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 	if (count_site + count_nonsite < count_site) {
- 		/* Wrap check. */
- 		DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n");
--		TALLOC_FREE(kdc_str);
- 		goto out;
- 	}
- 
-@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 	dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage,
- 				count_site + count_nonsite);
- 	if (dc_addrs == NULL) {
--		TALLOC_FREE(kdc_str);
- 		goto out;
- 	}
- 
-@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 
- 	DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
- 	if (num_dcs == 0) {
--		TALLOC_FREE(kdc_str);
- 		goto out;
- 	}
- 
-@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 				      struct tsocket_address *,
- 				      num_dcs);
- 	if (dc_addrs2 == NULL) {
--		TALLOC_FREE(kdc_str);
- 		goto out;
- 	}
- 
-@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 			status = map_nt_error_from_unix(errno);
- 			DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
- 				 addr, nt_errstr(status)));
--			TALLOC_FREE(kdc_str);
- 			goto out;
- 		}
- 	}
-@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 	if (!NT_STATUS_IS_OK(status)) {
- 		DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
- 			  "%s\n", nt_errstr(status)));
--		TALLOC_FREE(kdc_str);
- 		goto out;
- 	}
- 
--- 
-2.35.1
-
-
-From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 15 Mar 2022 13:02:05 +0100
-Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for
- NULL in get_kdc_ip_string()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index 2087dc1e6f9..20dceeefb22 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 	NTSTATUS status;
- 	bool ok;
- 	char *kdc_str = NULL;
-+	char *canon_sockaddr = NULL;
- 
- 	SMB_ASSERT(pss != NULL);
- 
-+	canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
-+	if (canon_sockaddr == NULL) {
-+		goto out;
-+	}
-+
- 	kdc_str = talloc_asprintf(frame,
- 				  "\t\tkdc = %s\n",
--				  print_canonical_sockaddr_with_port(mem_ctx,
--								     pss));
-+				  canon_sockaddr);
- 	if (kdc_str == NULL) {
- 		goto out;
- 	}
--- 
-2.35.1
-
-
-From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 15 Mar 2022 13:10:06 +0100
-Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf
-
-We create an KDC ip string entry directly at the beginning, use it if we
-don't have any additional DCs.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/libads/kerberos.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index 20dceeefb22..3fd86e87064 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
- 
- 	DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
- 	if (num_dcs == 0) {
-+		/*
-+		 * We do not have additional KDCs, but we have the one passed
-+		 * in via `pss`. So just use that one and leave.
-+		 */
-+		result = talloc_move(mem_ctx, &kdc_str);
- 		goto out;
- 	}
- 
--- 
-2.35.1
-
diff --git a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch
deleted file mode 100644
index 93c2caa..0000000
--- a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch
+++ /dev/null
@@ -1,411 +0,0 @@
-From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 22 Feb 2022 12:59:44 +0100
-Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error
- path
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)
----
- source3/libads/authdata.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
-index dd21d895fc2..c048510d480 100644
---- a/source3/libads/authdata.c
-+++ b/source3/libads/authdata.c
-@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- {
- 	krb5_error_code ret;
- 	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
--	DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
-+	DATA_BLOB tkt = data_blob_null;
-+	DATA_BLOB tkt_wrapped = data_blob_null;
-+	DATA_BLOB ap_rep = data_blob_null;
-+	DATA_BLOB sesskey1 = data_blob_null;
- 	const char *auth_princ = NULL;
- 	const char *cc = "MEMORY:kerberos_return_pac";
- 	struct auth_session_info *session_info;
-@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- 	ZERO_STRUCT(sesskey1);
- 
- 	if (!name || !pass) {
--		return NT_STATUS_INVALID_PARAMETER;
-+		status = NT_STATUS_INVALID_PARAMETER;
-+		goto out;
- 	}
- 
- 	if (cache_name) {
-@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- 
- 	if (expire_time && renew_till_time &&
- 	    (*expire_time == 0) && (*renew_till_time == 0)) {
--		return NT_STATUS_INVALID_LOGON_TYPE;
-+		status = NT_STATUS_INVALID_LOGON_TYPE;
-+		goto out;
- 	}
- 
- 	ret = ads_krb5_cli_get_ticket(mem_ctx,
--- 
-2.35.1
-
-
-From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 22 Feb 2022 13:00:05 +0100
-Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug
- macro
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)
----
- lib/krb5_wrap/krb5_samba.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index fff5b4e2a22..42d4b950f80 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
- 		goto done;
- 	}
- 
--	DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
-+	DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
- 
- 	/* FIXME: we should not fall back to defaults */
- 	ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
--- 
-2.35.1
-
-
-From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 22 Feb 2022 14:28:28 +0100
-Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer
- debug macro
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)
----
- lib/krb5_wrap/krb5_samba.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 42d4b950f80..76c2dcd2126 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
- 
- 	ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
- 	if (ret) {
--		DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
-+		DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
-+			  "for client '%s' and service '%s' failed: %s\n",
-+			  ccache_string, client_string, service_string,
-+			  error_message(ret));
- 		goto done;
- 	}
- 
--- 
-2.35.1
-
-
-From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 22 Feb 2022 13:08:56 +0100
-Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from
- kerberos_return_pac()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
----
- source3/libads/authdata.c       | 22 +++++++++++++++++++++-
- source3/libads/kerberos_proto.h |  2 ++
- source3/utils/net_ads.c         |  2 ++
- source3/winbindd/winbindd_pam.c |  2 ++
- 4 files changed, 27 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
-index c048510d480..bf9a2335445 100644
---- a/source3/libads/authdata.c
-+++ b/source3/libads/authdata.c
-@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- 			     time_t renewable_time,
- 			     const char *impersonate_princ_s,
- 			     const char *local_service,
-+			     char **_canon_principal,
-+			     char **_canon_realm,
- 			     struct PAC_DATA_CTR **_pac_data_ctr)
- {
- 	krb5_error_code ret;
-@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- 	struct auth4_context *auth_context;
- 	struct loadparm_context *lp_ctx;
- 	struct PAC_DATA_CTR *pac_data_ctr = NULL;
-+	char *canon_principal = NULL;
-+	char *canon_realm = NULL;
- 
- 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
-@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- 		goto out;
- 	}
- 
-+	if (_canon_principal != NULL) {
-+		*_canon_principal = NULL;
-+	}
-+
-+	if (_canon_realm != NULL) {
-+		*_canon_realm = NULL;
-+	}
-+
- 	if (cache_name) {
- 		cc = cache_name;
- 	}
-@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- 					  request_pac,
- 					  add_netbios_addr,
- 					  renewable_time,
--					  NULL, NULL, NULL,
-+					  tmp_ctx,
-+					  &canon_principal,
-+					  &canon_realm,
- 					  &status);
- 	if (ret) {
- 		DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
-@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- 	}
- 
- 	*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
-+	if (_canon_principal != NULL) {
-+		*_canon_principal = talloc_move(mem_ctx, &canon_principal);
-+	}
-+	if (_canon_realm != NULL) {
-+		*_canon_realm = talloc_move(mem_ctx, &canon_realm);
-+	}
- 
- out:
- 	talloc_free(tmp_ctx);
-diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
-index 3d7b5bc074b..807381248c8 100644
---- a/source3/libads/kerberos_proto.h
-+++ b/source3/libads/kerberos_proto.h
-@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
- 			     time_t renewable_time,
- 			     const char *impersonate_princ_s,
- 			     const char *local_service,
-+			     char **_canon_principal,
-+			     char **_canon_realm,
- 			     struct PAC_DATA_CTR **pac_data_ctr);
- 
- /* The following definitions come from libads/krb5_setpw.c  */
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index 8f993f9ba4c..c41fb0afe9c 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
- 				     2592000, /* one month */
- 				     impersonate_princ_s,
- 				     local_service,
-+				     NULL,
-+				     NULL,
- 				     pac_data_ctr);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		d_printf(_("failed to query kerberos PAC: %s\n"),
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 7606bfb4ecd..025a5cbc111 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- 				     NULL,
- 				     local_service,
-+				     NULL,
-+				     NULL,
- 				     &pac_data_ctr);
- 	if (user_ccache_file != NULL) {
- 		gain_root_privilege();
--- 
-2.35.1
-
-
-From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 22 Feb 2022 13:19:02 +0100
-Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache
- entry
-
-They will be used later to refresh the tickets.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
----
- source3/winbindd/winbindd.h            |  2 ++
- source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++-
- source3/winbindd/winbindd_pam.c        | 14 ++++++++++----
- source3/winbindd/winbindd_proto.h      |  4 +++-
- 4 files changed, 30 insertions(+), 6 deletions(-)
-
-diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
-index a6b2238cec1..dac4a1fa927 100644
---- a/source3/winbindd/winbindd.h
-+++ b/source3/winbindd/winbindd.h
-@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
- 	const char *service;
- 	const char *username;
- 	const char *realm;
-+	const char *canon_principal;
-+	const char *canon_realm;
- 	struct WINBINDD_MEMORY_CREDS *cred_ptr;
- 	int ref_count;
- 	uid_t uid;
-diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
-index c3077e21989..88847b1ab97 100644
---- a/source3/winbindd/winbindd_cred_cache.c
-+++ b/source3/winbindd/winbindd_cred_cache.c
-@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
- 			    time_t create_time,
- 			    time_t ticket_end,
- 			    time_t renew_until,
--			    bool postponed_request)
-+			    bool postponed_request,
-+			    const char *canon_principal,
-+			    const char *canon_realm)
- {
- 	struct WINBINDD_CCACHE_ENTRY *entry = NULL;
- 	struct timeval t;
-@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
- 			goto no_mem;
- 		}
- 	}
-+	if (canon_principal != NULL) {
-+		entry->canon_principal = talloc_strdup(entry, canon_principal);
-+		if (entry->canon_principal == NULL) {
-+			goto no_mem;
-+		}
-+	}
-+	if (canon_realm != NULL) {
-+		entry->canon_realm = talloc_strdup(entry, canon_realm);
-+		if (entry->canon_realm == NULL) {
-+			goto no_mem;
-+		}
-+	}
- 
- 	entry->ccname = talloc_strdup(entry, ccname);
- 	if (!entry->ccname) {
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 025a5cbc111..a24cef78440 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- 	const char *local_service;
- 	uint32_t i;
- 	struct netr_SamInfo6 *info6_copy = NULL;
-+	char *canon_principal = NULL;
-+	char *canon_realm = NULL;
- 	bool ok;
- 
- 	*info6 = NULL;
-@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- 				     NULL,
- 				     local_service,
--				     NULL,
--				     NULL,
-+				     &canon_principal,
-+				     &canon_realm,
- 				     &pac_data_ctr);
- 	if (user_ccache_file != NULL) {
- 		gain_root_privilege();
-@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- 					    time(NULL),
- 					    ticket_lifetime,
- 					    renewal_until,
--					    false);
-+					    false,
-+					    canon_principal,
-+					    canon_realm);
- 
- 		if (!NT_STATUS_IS_OK(result)) {
- 			DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
-@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
- 							    time(NULL),
- 							    time(NULL) + lp_winbind_cache_time(),
- 							    time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
--							    true);
-+							    true,
-+							    principal_s,
-+							    realm);
- 
- 				if (!NT_STATUS_IS_OK(result)) {
- 					DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
-diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
-index c0d653a6d77..16c23f3de40 100644
---- a/source3/winbindd/winbindd_proto.h
-+++ b/source3/winbindd/winbindd_proto.h
-@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
- 			    time_t create_time,
- 			    time_t ticket_end,
- 			    time_t renew_until,
--			    bool postponed_request);
-+			    bool postponed_request,
-+			    const char *canon_principal,
-+			    const char *canon_realm);
- NTSTATUS remove_ccache(const char *username);
- struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
- NTSTATUS winbindd_add_memory_creds(const char *username,
--- 
-2.35.1
-
-
-From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@suse.de>
-Date: Tue, 22 Feb 2022 14:28:44 +0100
-Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the
- credentials
-
-The principal name stored in the winbindd ccache entry might be an
-enterprise principal name if enterprise principals are enabled. Use
-the canonical name to renew the credentials.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
----
- source3/winbindd/winbindd_cred_cache.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
-index 88847b1ab97..6c65db6a73f 100644
---- a/source3/winbindd/winbindd_cred_cache.c
-+++ b/source3/winbindd/winbindd_cred_cache.c
-@@ -209,7 +209,7 @@ rekinit:
- 	set_effective_uid(entry->uid);
- 
- 	ret = smb_krb5_renew_ticket(entry->ccname,
--				    entry->principal_name,
-+				    entry->canon_principal,
- 				    entry->service,
- 				    &new_start);
- #if defined(DEBUG_KRB5_TKT_RENEWAL)
--- 
-2.35.1
-
diff --git a/SOURCES/samba-4-15-kerberos-clock-skew.patch b/SOURCES/samba-4-15-kerberos-clock-skew.patch
deleted file mode 100644
index 1e87049..0000000
--- a/SOURCES/samba-4-15-kerberos-clock-skew.patch
+++ /dev/null
@@ -1,347 +0,0 @@
-From 01205e1ff2a16ecdeb99fd4153f40f917decacee Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@samba.org>
-Date: Wed, 13 Apr 2022 11:01:00 +0200
-Subject: [PATCH 1/4] s3:winbind: Do not use domain's private data to store the
- SAMR pipes
-
-The domain's private_data pointer is also used to store a ADS_STRUCT,
-which is not allocated using talloc and there are many places casting
-this pointer directly.
-
-The recently added samba.tests.pam_winbind_setcred was randomly failing
-and after debugging it the problem was that kerberos authentication was
-failing because the time_offset passed to kerberos_return_pac() was
-wrong. This time_offset was retrieved from ads->auth.time_offset, where
-the ads pointer was directly casted from domain->private_data but
-private_data was pointing to a winbind_internal_pipes struct.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit e1f29b0970f4cac52a9cd517be6862cf69a1433a)
----
- source3/winbindd/winbindd.h      |  6 ++++++
- source3/winbindd/winbindd_ndr.c  |  3 +++
- source3/winbindd/winbindd_samr.c | 18 ++++++------------
- 3 files changed, 15 insertions(+), 12 deletions(-)
-
-diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
-index dac4a1fa927..762844502e5 100644
---- a/source3/winbindd/winbindd.h
-+++ b/source3/winbindd/winbindd.h
-@@ -43,6 +43,8 @@
- 
- #define WB_REPLACE_CHAR		'_'
- 
-+struct winbind_internal_pipes;
-+
- struct winbindd_cli_state {
- 	struct winbindd_cli_state *prev, *next;   /* Linked list pointers */
- 	int sock;                                 /* Open socket from client */
-@@ -157,6 +159,10 @@ struct winbindd_domain {
- 
- 	void *private_data;
- 
-+	struct {
-+		struct winbind_internal_pipes *samr_pipes;
-+	} backend_data;
-+
- 	/* A working DC */
- 	char *dcname;
- 	const char *ping_dcname;
-diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c
-index 157ce1bff27..36901776b98 100644
---- a/source3/winbindd/winbindd_ndr.c
-+++ b/source3/winbindd/winbindd_ndr.c
-@@ -144,6 +144,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
- 	ndr_print_bool(ndr, "startup", r->startup);
- 	ndr_print_winbindd_methods(ndr, "backend", r->backend);
- 	ndr_print_ptr(ndr, "private_data", r->private_data);
-+	ndr_print_ptr(ndr,
-+		      "backend_data.samr_pipes",
-+		      r->backend_data.samr_pipes);
- 	ndr_print_string(ndr, "dcname", r->dcname);
- 	ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr);
- 	ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check);
-diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
-index 5e23ff8217b..ce66adcc0c7 100644
---- a/source3/winbindd/winbindd_samr.c
-+++ b/source3/winbindd/winbindd_samr.c
-@@ -130,7 +130,7 @@ static NTSTATUS open_cached_internal_pipe_conn(
- {
- 	struct winbind_internal_pipes *internal_pipes = NULL;
- 
--	if (domain->private_data == NULL) {
-+	if (domain->backend_data.samr_pipes == NULL) {
- 		TALLOC_CTX *frame = talloc_stackframe();
- 		NTSTATUS status;
- 
-@@ -156,14 +156,14 @@ static NTSTATUS open_cached_internal_pipe_conn(
- 			return status;
- 		}
- 
--		domain->private_data = talloc_move(domain, &internal_pipes);
-+		domain->backend_data.samr_pipes =
-+			talloc_move(domain, &internal_pipes);
- 
- 		TALLOC_FREE(frame);
- 
- 	}
- 
--	internal_pipes = talloc_get_type_abort(
--		domain->private_data, struct winbind_internal_pipes);
-+	internal_pipes = domain->backend_data.samr_pipes;
- 
- 	if (samr_domain_hnd) {
- 		*samr_domain_hnd = internal_pipes->samr_domain_hnd;
-@@ -188,23 +188,17 @@ static bool reset_connection_on_error(struct winbindd_domain *domain,
- 				      struct rpc_pipe_client *p,
- 				      NTSTATUS status)
- {
--	struct winbind_internal_pipes *internal_pipes = NULL;
- 	struct dcerpc_binding_handle *b = p->binding_handle;
- 
--	internal_pipes = talloc_get_type_abort(
--		domain->private_data, struct winbind_internal_pipes);
--
- 	if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
- 	    NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR))
- 	{
--		TALLOC_FREE(internal_pipes);
--		domain->private_data = NULL;
-+		TALLOC_FREE(domain->backend_data.samr_pipes);
- 		return true;
- 	}
- 
- 	if (!dcerpc_binding_handle_is_connected(b)) {
--		TALLOC_FREE(internal_pipes);
--		domain->private_data = NULL;
-+		TALLOC_FREE(domain->backend_data.samr_pipes);
- 		return true;
- 	}
- 
--- 
-2.35.1
-
-
-From 79ab2a5669a1e21e96f29cecc651dccacd7ace71 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@samba.org>
-Date: Wed, 13 Apr 2022 11:15:35 +0200
-Subject: [PATCH 2/4] s3:winbind: Simplify open_cached_internal_pipe_conn()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 91395e660a2b1b69bf74ca0b77aee416e2ac1db3)
----
- source3/winbindd/winbindd_samr.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
-index ce66adcc0c7..20b5d758d1a 100644
---- a/source3/winbindd/winbindd_samr.c
-+++ b/source3/winbindd/winbindd_samr.c
-@@ -128,9 +128,10 @@ static NTSTATUS open_cached_internal_pipe_conn(
- 	struct rpc_pipe_client **lsa_pipe,
- 	struct policy_handle *lsa_hnd)
- {
--	struct winbind_internal_pipes *internal_pipes = NULL;
-+	struct winbind_internal_pipes *internal_pipes =
-+		domain->backend_data.samr_pipes;
- 
--	if (domain->backend_data.samr_pipes == NULL) {
-+	if (internal_pipes == NULL) {
- 		TALLOC_CTX *frame = talloc_stackframe();
- 		NTSTATUS status;
- 
-@@ -157,14 +158,11 @@ static NTSTATUS open_cached_internal_pipe_conn(
- 		}
- 
- 		domain->backend_data.samr_pipes =
--			talloc_move(domain, &internal_pipes);
-+			talloc_steal(domain, internal_pipes);
- 
- 		TALLOC_FREE(frame);
--
- 	}
- 
--	internal_pipes = domain->backend_data.samr_pipes;
--
- 	if (samr_domain_hnd) {
- 		*samr_domain_hnd = internal_pipes->samr_domain_hnd;
- 	}
--- 
-2.35.1
-
-
-From d57f54deef45c638093717378adc1a0743699ae8 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@samba.org>
-Date: Wed, 13 Apr 2022 11:31:45 +0200
-Subject: [PATCH 3/4] s3:winbind: Do not use domain's private data to store the
- ADS_STRUCT
-
-The ADS_STRUCT is not allocated using talloc and there are many places
-casting this pointer directly so use a typed pointer.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 3cb256439e9ceece26c2de82293c43486543e0cb)
----
- source3/winbindd/winbindd.h     |  2 ++
- source3/winbindd/winbindd_ads.c | 10 +++++-----
- source3/winbindd/winbindd_ndr.c |  3 +++
- source3/winbindd/winbindd_pam.c |  6 ++----
- 4 files changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
-index 762844502e5..3cc88367b90 100644
---- a/source3/winbindd/winbindd.h
-+++ b/source3/winbindd/winbindd.h
-@@ -44,6 +44,7 @@
- #define WB_REPLACE_CHAR		'_'
- 
- struct winbind_internal_pipes;
-+struct ads_struct;
- 
- struct winbindd_cli_state {
- 	struct winbindd_cli_state *prev, *next;   /* Linked list pointers */
-@@ -161,6 +162,7 @@ struct winbindd_domain {
- 
- 	struct {
- 		struct winbind_internal_pipes *samr_pipes;
-+		struct ads_struct *ads_conn;
- 	} backend_data;
- 
- 	/* A working DC */
-diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
-index 6f01ef6e334..d350f160223 100644
---- a/source3/winbindd/winbindd_ads.c
-+++ b/source3/winbindd/winbindd_ads.c
-@@ -269,10 +269,10 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
- 	}
- 
- 	DEBUG(10,("ads_cached_connection\n"));
--	ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
-+	ads_cached_connection_reuse(&domain->backend_data.ads_conn);
- 
--	if (domain->private_data) {
--		return (ADS_STRUCT *)domain->private_data;
-+	if (domain->backend_data.ads_conn != NULL) {
-+		return domain->backend_data.ads_conn;
- 	}
- 
- 	/* the machine acct password might have change - fetch it every time */
-@@ -303,7 +303,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
- 	}
- 
- 	status = ads_cached_connection_connect(
--					(ADS_STRUCT **)&domain->private_data,
-+					&domain->backend_data.ads_conn,
- 					domain->alt_name,
- 					domain->name, NULL,
- 					password, realm,
-@@ -322,7 +322,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
- 		return NULL;
- 	}
- 
--	return (ADS_STRUCT *)domain->private_data;
-+	return domain->backend_data.ads_conn;
- }
- 
- /* Query display info for a realm. This is the basic user list fn */
-diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c
-index 36901776b98..94ce9d73747 100644
---- a/source3/winbindd/winbindd_ndr.c
-+++ b/source3/winbindd/winbindd_ndr.c
-@@ -147,6 +147,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
- 	ndr_print_ptr(ndr,
- 		      "backend_data.samr_pipes",
- 		      r->backend_data.samr_pipes);
-+	ndr_print_ptr(ndr,
-+		      "backend_data.ads_conn",
-+		      r->backend_data.ads_conn);
- 	ndr_print_string(ndr, "dcname", r->dcname);
- 	ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr);
- 	ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check);
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 1a2628b50ba..5505220335f 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -677,7 +677,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- 	fstring name_namespace, name_domain, name_user;
- 	time_t ticket_lifetime = 0;
- 	time_t renewal_until = 0;
--	ADS_STRUCT *ads;
- 	time_t time_offset = 0;
- 	const char *user_ccache_file;
- 	struct PAC_LOGON_INFO *logon_info = NULL;
-@@ -716,9 +715,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
- 	/* 2nd step:
- 	 * get kerberos properties */
- 
--	if (domain->private_data) {
--		ads = (ADS_STRUCT *)domain->private_data;
--		time_offset = ads->auth.time_offset;
-+	if (domain->backend_data.ads_conn != NULL) {
-+		time_offset = domain->backend_data.ads_conn->auth.time_offset;
- 	}
- 
- 
--- 
-2.35.1
-
-
-From e32528fd5abbace15b3aad2c7cec8d9c6ade7bf7 Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@samba.org>
-Date: Wed, 13 Apr 2022 11:34:18 +0200
-Subject: [PATCH 4/4] s3:winbind: Remove no longer used domain's private_data
- pointer
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit a6d6ae3cfcd64a85f82ec5b12253ca0e237d95bb)
----
- source3/winbindd/winbindd.h     | 4 ----
- source3/winbindd/winbindd_ndr.c | 1 -
- 2 files changed, 5 deletions(-)
-
-diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
-index 3cc88367b90..fe286a9a686 100644
---- a/source3/winbindd/winbindd.h
-+++ b/source3/winbindd/winbindd.h
-@@ -156,10 +156,6 @@ struct winbindd_domain {
- 	 */
- 	struct winbindd_methods *backend;
- 
--        /* Private data for the backends (used for connection cache) */
--
--	void *private_data;
--
- 	struct {
- 		struct winbind_internal_pipes *samr_pipes;
- 		struct ads_struct *ads_conn;
-diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c
-index 94ce9d73747..b393586a692 100644
---- a/source3/winbindd/winbindd_ndr.c
-+++ b/source3/winbindd/winbindd_ndr.c
-@@ -143,7 +143,6 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
- 	ndr_print_time_t(ndr, "startup_time", r->startup_time);
- 	ndr_print_bool(ndr, "startup", r->startup);
- 	ndr_print_winbindd_methods(ndr, "backend", r->backend);
--	ndr_print_ptr(ndr, "private_data", r->private_data);
- 	ndr_print_ptr(ndr,
- 		      "backend_data.samr_pipes",
- 		      r->backend_data.samr_pipes);
--- 
-2.35.1
-
diff --git a/SOURCES/samba-4-15-smbd-upn.patch b/SOURCES/samba-4-15-smbd-upn.patch
deleted file mode 100644
index 703a7d6..0000000
--- a/SOURCES/samba-4-15-smbd-upn.patch
+++ /dev/null
@@ -1,273 +0,0 @@
-From 25465d0bc77dd712b3d94e488f2cf0583fd7ac04 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Tue, 26 Apr 2022 07:10:56 +0200
-Subject: [PATCH 1/5] s3:passdb: Remove trailing spaces in lookup_sid.c
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
-
-Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 756cd0eed30322ae6dbd5402ec11441387475884)
----
- source3/passdb/lookup_sid.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
-index a551bcfd24a..3a28cdc68a6 100644
---- a/source3/passdb/lookup_sid.c
-+++ b/source3/passdb/lookup_sid.c
-@@ -1,4 +1,4 @@
--/* 
-+/*
-    Unix SMB/CIFS implementation.
-    uid/user handling
-    Copyright (C) Andrew Tridgell         1992-1998
-@@ -72,7 +72,7 @@ static bool lookup_unix_group_name(const char *name, struct dom_sid *sid)
-  If an explicit domain name was given in the form domain\user, it
-  has to try that. If no explicit domain name was given, we have
-  to do guesswork.
--*****************************************************************/  
-+*****************************************************************/
- 
- bool lookup_name(TALLOC_CTX *mem_ctx,
- 		 const char *full_name, int flags,
-@@ -300,7 +300,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
- 		goto ok;
- 	}
- 
--	/* 6. Builtin aliases */	
-+	/* 6. Builtin aliases */
- 
- 	if ((flags & LOOKUP_NAME_BUILTIN) &&
- 	    lookup_builtin_name(name, &rid))
-@@ -882,7 +882,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
- 	}
- 
- 	/* First build up the data structures:
--	 * 
-+	 *
- 	 * dom_infos is a list of domains referenced in the list of
- 	 * SIDs. Later we will walk the list of domains and look up the RIDs
- 	 * in bulk.
-@@ -1070,7 +1070,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
- 
- /*****************************************************************
-  *THE CANONICAL* convert SID to name function.
--*****************************************************************/  
-+*****************************************************************/
- 
- bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
- 		const char **ret_domain, const char **ret_name,
-@@ -1104,7 +1104,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
- 		goto done;
- 	}
- 
--	if ((ret_name != NULL) && 
-+	if ((ret_name != NULL) &&
- 	    !(*ret_name = talloc_strdup(mem_ctx, name->name))) {
- 		goto done;
- 	}
-@@ -1130,7 +1130,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
- 
- /*****************************************************************
-  *THE LEGACY* convert SID to id function.
--*****************************************************************/  
-+*****************************************************************/
- 
- static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id)
- {
-@@ -1465,7 +1465,7 @@ fail:
- 
- /*****************************************************************
-  *THE CANONICAL* convert SID to uid function.
--*****************************************************************/  
-+*****************************************************************/
- 
- bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
- {
-@@ -1527,7 +1527,7 @@ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
- /*****************************************************************
-  *THE CANONICAL* convert SID to gid function.
-  Group mapping is used for gids that maps to Wellknown SIDs
--*****************************************************************/  
-+*****************************************************************/
- 
- bool sid_to_gid(const struct dom_sid *psid, gid_t *pgid)
- {
--- 
-2.36.0
-
-
-From e884efce61290ad6f4125ab4e3adb08bcc1a800d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Tue, 26 Apr 2022 07:12:02 +0200
-Subject: [PATCH 2/5] s3:passdb: Add support to handle UPNs in lookup_name()
-
-This address an issue if sssd is running and handling nsswitch. If we look up
-a user with getpwnam("DOMAIN\user") it will return user@REALM in the passwd
-structure. We need to be able to deal with that.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
-
-Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 2a03fb91c1120718ada9d4b8421044cb7eae7b83)
----
- source3/passdb/lookup_sid.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
-index 3a28cdc68a6..c14d7a7b123 100644
---- a/source3/passdb/lookup_sid.c
-+++ b/source3/passdb/lookup_sid.c
-@@ -100,8 +100,18 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
- 					PTR_DIFF(p, full_name));
- 		name = talloc_strdup(tmp_ctx, p+1);
- 	} else {
--		domain = talloc_strdup(tmp_ctx, "");
--		name = talloc_strdup(tmp_ctx, full_name);
-+		char *q = strchr_m(full_name, '@');
-+
-+		/* Set the domain for UPNs */
-+		if (q != NULL) {
-+			name = talloc_strndup(tmp_ctx,
-+					      full_name,
-+					      PTR_DIFF(q, full_name));
-+			domain = talloc_strdup(tmp_ctx, q + 1);
-+		} else {
-+			domain = talloc_strdup(tmp_ctx, "");
-+			name = talloc_strdup(tmp_ctx, full_name);
-+		}
- 	}
- 
- 	if ((domain == NULL) || (name == NULL)) {
--- 
-2.36.0
-
-
-From cc548efd5fa1783e8412e7ac695c8d6be3323d67 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Tue, 26 Apr 2022 12:26:25 +0200
-Subject: [PATCH 3/5] s3:passdb: Use already defined pointer in
- lookup_name_smbconf()
-
-Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit ed8e466854d6d8d6120388716a7b604df7a4db27)
----
- source3/passdb/lookup_sid.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
-index c14d7a7b123..dbea5578f92 100644
---- a/source3/passdb/lookup_sid.c
-+++ b/source3/passdb/lookup_sid.c
-@@ -464,7 +464,7 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
- 		 const char **ret_domain, const char **ret_name,
- 		 struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
- {
--	char *qualified_name;
-+	char *qualified_name = NULL;
- 	const char *p;
- 
- 	if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
-@@ -472,16 +472,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
- 		/* The name is already qualified with a domain. */
- 
- 		if (*lp_winbind_separator() != '\\') {
--			char *tmp;
--
- 			/* lookup_name() needs '\\' as a separator */
- 
--			tmp = talloc_strdup(mem_ctx, full_name);
--			if (!tmp) {
-+			qualified_name = talloc_strdup(mem_ctx, full_name);
-+			if (qualified_name == NULL) {
- 				return false;
- 			}
--			tmp[p - full_name] = '\\';
--			full_name = tmp;
-+			qualified_name[p - full_name] = '\\';
-+			full_name = qualified_name;
- 		}
- 
- 		return lookup_name(mem_ctx, full_name, flags,
--- 
-2.36.0
-
-
-From 3ee3336f4a3fbb80ccabe6c1494a68286af55437 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Tue, 26 Apr 2022 07:24:10 +0200
-Subject: [PATCH 4/5] s3:passdb: Refactor lookup_name_smbconf()
-
-This will be changed to support UPNs too in the next patch.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
-
-Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 2690310743920dfe20ac235c1e3617e0f421eddc)
----
- source3/passdb/lookup_sid.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
-index dbea5578f92..de9dd123239 100644
---- a/source3/passdb/lookup_sid.c
-+++ b/source3/passdb/lookup_sid.c
-@@ -465,13 +465,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
- 		 struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
- {
- 	char *qualified_name = NULL;
--	const char *p;
-+	const char *p = strchr_m(full_name, *lp_winbind_separator());
-+	bool is_qualified = p != NULL;
- 
--	if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
-+	if (is_qualified) {
- 
- 		/* The name is already qualified with a domain. */
- 
--		if (*lp_winbind_separator() != '\\') {
-+		if (p != NULL && *lp_winbind_separator() != '\\') {
- 			/* lookup_name() needs '\\' as a separator */
- 
- 			qualified_name = talloc_strdup(mem_ctx, full_name);
--- 
-2.36.0
-
-
-From 1baa5b170c36854eaa0a5f2c9aba29d50194f750 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Tue, 26 Apr 2022 07:39:12 +0200
-Subject: [PATCH 5/5] s3:passdb: Also allow to handle UPNs in
- lookup_name_smbconf()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
-
-Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 28fc44f2852046d03cada161ed1001d04d9e1554)
----
- source3/passdb/lookup_sid.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
-index de9dd123239..426ea3f81bd 100644
---- a/source3/passdb/lookup_sid.c
-+++ b/source3/passdb/lookup_sid.c
-@@ -466,8 +466,9 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
- {
- 	char *qualified_name = NULL;
- 	const char *p = strchr_m(full_name, *lp_winbind_separator());
--	bool is_qualified = p != NULL;
-+	bool is_qualified = p != NULL || strchr_m(full_name, '@') != NULL;
- 
-+	/* For DOMAIN\user or user@REALM directly call lookup_name(). */
- 	if (is_qualified) {
- 
- 		/* The name is already qualified with a domain. */
--- 
-2.36.0
-
diff --git a/SOURCES/samba-4-15-username-map.patch b/SOURCES/samba-4-15-username-map.patch
deleted file mode 100644
index 0687115..0000000
--- a/SOURCES/samba-4-15-username-map.patch
+++ /dev/null
@@ -1,321 +0,0 @@
-From 438284e1025a96dfa2eb0928de99226f580f356f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Fri, 1 Apr 2022 15:56:30 +0200
-Subject: [PATCH 1/5] selftest: Create users "jackthemapper" and "jacknomapper"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Reviewed-by: Noel Power <npower@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 1b0146182224fe01ed70815364656a626038685a)
----
- selftest/target/Samba3.pm | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 62fb3d1e39e..b0ea9804c50 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1466,8 +1466,10 @@ sub setup_ad_member_idmap_nss
- 	my $extra_member_options = "
- 	# bob:x:65521:65531:localbob gecos:/:/bin/false
- 	# jane:x:65520:65531:localjane gecos:/:/bin/false
-+	# jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false
-+	# jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false
- 	idmap config $dcvars->{DOMAIN} : backend = nss
--	idmap config $dcvars->{DOMAIN} : range = 65520-65521
-+	idmap config $dcvars->{DOMAIN} : range = 65518-65521
- 
- 	# Support SMB1 so that we can use posix_whoami().
- 	client min protocol = CORE
-@@ -2532,6 +2534,8 @@ sub provision($$)
- 	my ($uid_slashuser);
- 	my ($uid_localbob);
- 	my ($uid_localjane);
-+	my ($uid_localjackthemapper);
-+	my ($uid_localjacknomapper);
- 
- 	if ($unix_uid < 0xffff - 13) {
- 		$max_uid = 0xffff;
-@@ -2554,6 +2558,8 @@ sub provision($$)
- 	$uid_slashuser = $max_uid - 13;
- 	$uid_localbob = $max_uid - 14;
- 	$uid_localjane = $max_uid - 15;
-+	$uid_localjackthemapper = $max_uid - 16;
-+	$uid_localjacknomapper = $max_uid - 17;
- 
- 	if ($unix_gids[0] < 0xffff - 8) {
- 		$max_gid = 0xffff;
-@@ -3298,6 +3304,8 @@ eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
- slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
- bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false
- jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false
-+jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false
-+jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false
- ";
- 	if ($unix_uid != 0) {
- 		print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
-@@ -3362,6 +3370,8 @@ force_user:x:$gid_force_user:
- 	createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
- 	createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
- 	createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
-+	createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper");
-+	createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper");
- 
- 	open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
- 	print DNS_UPDATE_LIST "A $server. $server_ip\n";
--- 
-2.34.1
-
-
-From 28bf2f4c52105fc11515c58e13b935ae046399b4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 5 Apr 2022 08:30:23 +0200
-Subject: [PATCH 2/5] selftest: Create groups "jackthemappergroup" and
- "jacknomappergroup"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Noel Power <npower@samba.org>
-(cherry picked from commit 26e4268d6e3bde74520e36f3ca3cc9d979292d1d)
----
- selftest/target/Samba3.pm | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index b0ea9804c50..131034a0e07 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -2527,6 +2527,8 @@ sub provision($$)
- 	my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins);
- 	my ($gid_userdup, $gid_everyone);
- 	my ($gid_force_user);
-+	my ($gid_jackthemapper);
-+	my ($gid_jacknomapper);
- 	my ($uid_user1);
- 	my ($uid_user2);
- 	my ($uid_gooduser);
-@@ -2575,6 +2577,8 @@ sub provision($$)
- 	$gid_userdup = $max_gid - 6;
- 	$gid_everyone = $max_gid - 7;
- 	$gid_force_user = $max_gid - 8;
-+	$gid_jackthemapper = $max_gid - 9;
-+	$gid_jacknomapper = $max_gid - 10;
- 
- 	##
- 	## create conffile
-@@ -3325,6 +3329,8 @@ domadmins:X:$gid_domadmins:
- userdup:x:$gid_userdup:$unix_name
- everyone:x:$gid_everyone:
- force_user:x:$gid_force_user:
-+jackthemappergroup:x:$gid_jackthemapper:jackthemapper
-+jacknomappergroup:x:$gid_jacknomapper:jacknomapper
- ";
- 	if ($unix_gids[0] != 0) {
- 		print GROUP "root:x:$gid_root:
--- 
-2.34.1
-
-
-From deadcd6a919188a75157e54b2fd772e4bf18d4fc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 5 Apr 2022 08:31:41 +0200
-Subject: [PATCH 3/5] selftest: Add to "username.map" mapping for
- jackthemappergroup
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
-
-Only for environment ad_member_idmap_nss.
-
-* !jacknompapper = \@jackthemappergroup
-  jackthemaper from group jackthemappergroup is mapped to jacknompapper
-
-* !root = jacknomappergroup
-  since there is no '@' or '+' prefix, it is not an UNIX group mapping
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Noel Power <npower@samba.org>
-(cherry picked from commit 0feeb6d58a6d6b1949faa842473053af4562c979)
----
- selftest/target/Samba3.pm | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 131034a0e07..8d309f9c99a 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1490,6 +1490,8 @@ sub setup_ad_member_idmap_nss
- 
- 	open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
- 	print USERMAP "
-+!jacknomapper = \@jackthemappergroup
-+!root = jacknomappergroup
- root = $dcvars->{DOMAIN}/root
- bob = $dcvars->{DOMAIN}/bob
- ";
--- 
-2.34.1
-
-
-From edf5d5641de92665c30804be6825040d7b0862af Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 5 Apr 2022 14:04:52 +0200
-Subject: [PATCH 4/5] s3:tests Test "username map" for UNIX groups
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Noel Power <npower@samba.org>
-(cherry picked from commit af8747a28bd62937a01fa4648f404bd0b09a44c0)
----
- selftest/knownfail.d/usernamemap         |  1 +
- source3/script/tests/test_usernamemap.sh | 28 ++++++++++++++++++++++++
- source3/selftest/tests.py                |  2 ++
- 3 files changed, 31 insertions(+)
- create mode 100644 selftest/knownfail.d/usernamemap
- create mode 100755 source3/script/tests/test_usernamemap.sh
-
-diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap
-new file mode 100644
-index 00000000000..1c720fe892d
---- /dev/null
-+++ b/selftest/knownfail.d/usernamemap
-@@ -0,0 +1 @@
-+samba3.blackbox.smbclient_usernamemap.jacknomapper
-diff --git a/source3/script/tests/test_usernamemap.sh b/source3/script/tests/test_usernamemap.sh
-new file mode 100755
-index 00000000000..3a3344a8781
---- /dev/null
-+++ b/source3/script/tests/test_usernamemap.sh
-@@ -0,0 +1,28 @@
-+#!/bin/sh
-+#
-+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
-+#
-+# Tests for "username map" smb.conf parameter for UNIX groups
-+
-+if [ $# -lt 2 ]; then
-+cat <<EOF
-+Usage: test_usernamemap.sh SERVER SMBCLIENT
-+EOF
-+exit 1;
-+fi
-+
-+SERVER="$1"
-+SMBCLIENT="$2"
-+SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
-+
-+incdir=$(dirname "$0")/../../../testprogs/blackbox
-+. "${incdir}"/subunit.sh
-+
-+failed=0
-+
-+# jackthemapper is mapped to jacknomapper, so we need jacknomapper password
-+testit "jackthemapper" "${SMBCLIENT}" //"${SERVER}"/tmp -U"${SERVER}/jackthemapper%nOmApsEcrEt" -c ls || failed=$((failed + 1))
-+# jacknomapper is not mapped, so we need jacknomapper password
-+testit "jacknomapper"  "${SMBCLIENT}" //"${SERVER}"/tmp -U"${SERVER}/jacknomapper%nOmApsEcrEt"  -c ls || failed=$((failed + 1))
-+
-+testok "$0" "${failed}"
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index 06c71363d5b..390e77ad41d 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -393,6 +393,8 @@ plantestsuite("samba3.blackbox.smbclient_basic.SMB2_10", "nt4_dc_schannel", [os.
- plantestsuite("samba3.blackbox.smbclient_basic.SMB3_02", "nt4_dc_schannel", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mSMB3_02"])
- plantestsuite("samba3.blackbox.smbclient_basic.SMB3_11", "nt4_dc_schannel", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mSMB3_11"])
- 
-+plantestsuite("samba3.blackbox.smbclient_usernamemap", "ad_member_idmap_nss:local", [os.path.join(samba3srcdir, "script/tests/test_usernamemap.sh"), '$SERVER', smbclient3])
-+
- plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
- for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
-     if "NT1" in options or "LANMAN2" in options:
--- 
-2.34.1
-
-
-From e1bb74a5fe7f0b4f5f16da5c355973e94f7a07ef Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Fri, 25 Mar 2022 11:11:50 +0100
-Subject: [PATCH 5/5] s3:auth: Fix user_in_list() for UNIX groups
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Noel Power <npower@samba.org>
-
-Autobuild-User(master): Noel Power <npower@samba.org>
-Autobuild-Date(master): Thu Apr  7 09:49:44 UTC 2022 on sn-devel-184
-
-(cherry picked from commit 6dc463d3e2eb229df1c4f620cfcaf22ac71738d4)
----
- selftest/knownfail.d/usernamemap |  1 -
- source3/auth/user_util.c         | 12 +++++++-----
- 2 files changed, 7 insertions(+), 6 deletions(-)
- delete mode 100644 selftest/knownfail.d/usernamemap
-
-diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap
-deleted file mode 100644
-index 1c720fe892d..00000000000
---- a/selftest/knownfail.d/usernamemap
-+++ /dev/null
-@@ -1 +0,0 @@
--samba3.blackbox.smbclient_usernamemap.jacknomapper
-diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c
-index 70b4f320c5e..aa765c2a692 100644
---- a/source3/auth/user_util.c
-+++ b/source3/auth/user_util.c
-@@ -143,11 +143,11 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
- 		return false;
- 	}
- 
--	DBG_DEBUG("Checking user %s in list\n", user);
--
- 	while (*list) {
- 		const char *p = *list;
--		bool ok;
-+		bool check_unix_group = false;
-+
-+		DBG_DEBUG("Checking user '%s' in list '%s'.\n", user, *list);
- 
- 		/* Check raw username */
- 		if (strequal(user, p)) {
-@@ -155,11 +155,13 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
- 		}
- 
- 		while (*p == '@' || *p == '&' || *p == '+') {
-+			if (*p == '@' || *p == '+') {
-+				check_unix_group = true;
-+			}
- 			p++;
- 		}
- 
--		ok = user_in_group(user, p);
--		if (ok) {
-+		if (check_unix_group && user_in_group(user, p)) {
- 			return true;
- 		}
- 
--- 
-2.34.1
-
diff --git a/SOURCES/samba-4.15.5.tar.asc b/SOURCES/samba-4.15.5.tar.asc
deleted file mode 100644
index 4e31e62..0000000
--- a/SOURCES/samba-4.15.5.tar.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA
-tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX
-KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9
-j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt
-b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY
-0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v
-/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj
-+rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9
-g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y
-5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ
-f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB
-OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo=
-=oc6g
------END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.16-waf-crypto.patch b/SOURCES/samba-4.16-waf-crypto.patch
new file mode 100644
index 0000000..337be97
--- /dev/null
+++ b/SOURCES/samba-4.16-waf-crypto.patch
@@ -0,0 +1,77 @@
+From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Apr 2022 11:24:04 +0200
+Subject: [PATCH 1/2] waf: Check for GnuTLS earlier
+
+As GnuTLS is an essential part we need to check for it early so we can react on
+GnuTLS features in other wscripts.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ wscript | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wscript b/wscript
+index d8220b35095..5b85d9a1682 100644
+--- a/wscript
++++ b/wscript
+@@ -189,6 +189,8 @@ def configure(conf):
+     conf.RECURSE('dynconfig')
+     conf.RECURSE('selftest')
+ 
++    conf.PROCESS_SEPARATE_RULE('system_gnutls')
++
+     conf.CHECK_CFG(package='zlib', minversion='1.2.3',
+                    args='--cflags --libs',
+                    mandatory=True)
+@@ -297,8 +299,6 @@ def configure(conf):
+     if not conf.CONFIG_GET('KRB5_VENDOR'):
+         conf.PROCESS_SEPARATE_RULE('embedded_heimdal')
+ 
+-    conf.PROCESS_SEPARATE_RULE('system_gnutls')
+-
+     conf.RECURSE('source4/dsdb/samdb/ldb_modules')
+     conf.RECURSE('source4/ntvfs/sysdep')
+     conf.RECURSE('lib/util')
+-- 
+2.35.1
+
+
+From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Apr 2022 11:25:31 +0200
+Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS
+ provides the cipher
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ third_party/wscript | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/third_party/wscript b/third_party/wscript
+index 1f4bc1ce1d7..a17c15bcaa7 100644
+--- a/third_party/wscript
++++ b/third_party/wscript
+@@ -5,7 +5,8 @@ from waflib import Options
+ def configure(conf):
+     conf.RECURSE('cmocka')
+     conf.RECURSE('popt')
+-    conf.RECURSE('aesni-intel')
++    if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
++        conf.RECURSE('aesni-intel')
+     if conf.CONFIG_GET('ENABLE_SELFTEST'):
+         conf.RECURSE('socket_wrapper')
+         conf.RECURSE('nss_wrapper')
+@@ -18,7 +19,8 @@ def configure(conf):
+ def build(bld):
+     bld.RECURSE('cmocka')
+     bld.RECURSE('popt')
+-    bld.RECURSE('aesni-intel')
++    if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
++        bld.RECURSE('aesni-intel')
+     if bld.CONFIG_GET('SOCKET_WRAPPER'):
+         bld.RECURSE('socket_wrapper')
+     if bld.CONFIG_GET('NSS_WRAPPER'):
+-- 
+2.35.1
+
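Review bot: The `CONFIG_SET('HAVE_GNUTLS_AES_CMAC')` guards added to `configure()` and `build()` in third_party/wscript only work if the `system_gnutls` rule has already run. The first patch provides that by moving `conf.PROCESS_SEPARATE_RULE('system_gnutls')` up, but nothing next to the guards records the dependency. If the order is changed later, the define would presumably be unset at that point and the bundled aesni-intel code would be built again without any warning, so a comment above each guard such as `# requires system_gnutls to be configured first (see top-level wscript)` would keep this visible. Where third_party is recursed relative to the moved line is outside the hunk, so the ordering should be confirmed against the full wscript. Unlike most of the backports removed in this commit, these two patches carry neither a `BUG:` link nor a `(cherry picked from commit …)` line, so their upstream origin cannot be checked from the header; adding the upstream reference there would help.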
diff --git a/SOURCES/samba-4.16.4.tar.asc b/SOURCES/samba-4.16.4.tar.asc
new file mode 100644
index 0000000..96aba0e
--- /dev/null
+++ b/SOURCES/samba-4.16.4.tar.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=6kYO
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/samba-ctdb-etcd-reclock.patch b/SOURCES/samba-ctdb-etcd-reclock.patch
deleted file mode 100644
index 2a55408..0000000
--- a/SOURCES/samba-ctdb-etcd-reclock.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
-From: Martin Schwenke <martin@meltin.net>
-Date: Tue, 27 Apr 2021 15:46:14 +1000
-Subject: [PATCH] utils: Use Python 3
-
-Due to the number of flake8 and pylint warnings it is unclear if the
-source has Python 3 incompatibilities.  These will be cleaned up in
-subsequent commits.
-
-Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
-Reviewed-by: Martin Schwenke <martin@meltin.net>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
-Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
----
- ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
-index 000c6bb7208..7f5194eff0a 100755
---- a/ctdb/utils/etcd/ctdb_etcd_lock
-+++ b/ctdb/utils/etcd/ctdb_etcd_lock
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/env python3
- #
- #    This program is free software: you can redistribute it and/or modify
- #    it under the terms of the GNU General Public License as published by
--- 
-2.31.1
-
diff --git a/SOURCES/samba-disable-ntlmssp.patch b/SOURCES/samba-disable-ntlmssp.patch
deleted file mode 100644
index d80e85b..0000000
--- a/SOURCES/samba-disable-ntlmssp.patch
+++ /dev/null
@@ -1,764 +0,0 @@
-From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Fri, 10 Dec 2021 16:08:04 +0100
-Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
----
- source3/utils/net_ads.c | 22 +++++++++++++++++++++-
- 1 file changed, 21 insertions(+), 1 deletion(-)
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index 6ab4a0096b1..8f993f9ba4c 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
- 	char *cp;
- 	const char *realm = NULL;
- 	bool tried_closest_dc = false;
-+	enum credentials_use_kerberos krb5_state =
-+		CRED_USE_KERBEROS_DISABLED;
- 
- 	/* lp_realm() should be handled by a command line param,
- 	   However, the join requires that realm be set in smb.conf
-@@ -650,10 +652,28 @@ retry:
- 		ads->auth.password = smb_xstrdup(c->opt_password);
- 	}
- 
--	ads->auth.flags |= auth_flags;
- 	SAFE_FREE(ads->auth.user_name);
- 	ads->auth.user_name = smb_xstrdup(c->opt_user_name);
- 
-+	ads->auth.flags |= auth_flags;
-+
-+	/* The ADS code will handle FIPS mode */
-+	krb5_state = cli_credentials_get_kerberos_state(c->creds);
-+	switch (krb5_state) {
-+	case CRED_USE_KERBEROS_REQUIRED:
-+		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
-+		ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
-+		break;
-+	case CRED_USE_KERBEROS_DESIRED:
-+		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
-+		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+		break;
-+	case CRED_USE_KERBEROS_DISABLED:
-+		ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
-+		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+		break;
-+	}
-+
-        /*
-         * If the username is of the form "name@realm",
-         * extract the realm and convert to upper case.
--- 
-2.33.1
-
-
-From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Wed, 8 Dec 2021 16:05:17 +0100
-Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
----
- source3/libads/sasl.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index 60fa2bf80cb..b91e2d15bcf 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -1,18 +1,18 @@
--/* 
-+/*
-    Unix SMB/CIFS implementation.
-    ads sasl code
-    Copyright (C) Andrew Tridgell 2001
--   
-+
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 3 of the License, or
-    (at your option) any later version.
--   
-+
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
--   
-+
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
-@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
- 	.disconnect	= ads_sasl_gensec_disconnect
- };
- 
--/* 
-+/*
-    perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
-    we fit on one socket??)
- */
-@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
- 
- #endif /* HAVE_KRB5 */
- 
--/* 
-+/*
-    this performs a SASL/SPNEGO bind
- */
- static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
-@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 	file_save("sasl_spnego.dat", blob.data, blob.length);
- #endif
- 
--	/* the server sent us the first part of the SPNEGO exchange in the negprot 
-+	/* the server sent us the first part of the SPNEGO exchange in the negprot
- 	   reply */
- 	if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
- 			OIDs[0] == NULL) {
-@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 
- #ifdef HAVE_KRB5
- 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
--	    got_kerberos_mechanism) 
-+	    got_kerberos_mechanism)
- 	{
- 		mech = "KRB5";
- 
-@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 				  "calling kinit\n", ads_errstr(status)));
- 		}
- 
--		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
-+		status = ADS_ERROR_KRB5(ads_kinit_password(ads));
- 
- 		if (ADS_ERR_OK(status)) {
- 			status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
-@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 		}
- 
- 		/* only fallback to NTLMSSP if allowed */
--		if (ADS_ERR_OK(status) || 
-+		if (ADS_ERR_OK(status) ||
- 		    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
- 			goto done;
- 		}
-@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- #endif
- 
- 	/* lets do NTLMSSP ... this has the big advantage that we don't need
--	   to sync clocks, and we don't rely on special versions of the krb5 
-+	   to sync clocks, and we don't rely on special versions of the krb5
- 	   library for HMAC_MD4 encryption */
- 	mech = "NTLMSSP";
- 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
--- 
-2.33.1
-
-
-From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Thu, 9 Dec 2021 13:43:08 +0100
-Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
----
- source3/libads/sasl.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index b91e2d15bcf..992f7022a69 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 
- 		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
- 			 "for %s/%s with user[%s] realm[%s]: %s, "
--			 "fallback to NTLMSSP\n",
-+			 "try to fallback to NTLMSSP\n",
- 			 p.service, p.hostname,
- 			 ads->auth.user_name,
- 			 ads->auth.realm,
-@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 	   to sync clocks, and we don't rely on special versions of the krb5
- 	   library for HMAC_MD4 encryption */
- 	mech = "NTLMSSP";
-+
-+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
-+		DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
-+			    " disallowed.\n");
-+		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
-+		goto done;
-+	}
-+
- 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
- 					     CRED_USE_KERBEROS_DISABLED,
- 					     p.service, p.hostname,
--- 
-2.33.1
-
-
-From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Fri, 7 Jan 2022 10:31:19 +0100
-Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
----
- source3/libads/sasl.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index 992f7022a69..ea98aa47ecd 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 							p.service, p.hostname,
- 							blob);
- 			if (!ADS_ERR_OK(status)) {
--				DEBUG(0,("kinit succeeded but "
--					"ads_sasl_spnego_gensec_bind(KRB5) failed "
--					"for %s/%s with user[%s] realm[%s]: %s\n",
-+				DBG_ERR("kinit succeeded but "
-+					"SPNEGO bind with Kerberos failed "
-+					"for %s/%s - user[%s], realm[%s]: %s\n",
- 					p.service, p.hostname,
- 					ads->auth.user_name,
- 					ads->auth.realm,
--					ads_errstr(status)));
-+					ads_errstr(status));
- 			}
- 		}
- 
-@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 			goto done;
- 		}
- 
--		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
--			 "for %s/%s with user[%s] realm[%s]: %s, "
--			 "try to fallback to NTLMSSP\n",
--			 p.service, p.hostname,
--			 ads->auth.user_name,
--			 ads->auth.realm,
--			 ads_errstr(status)));
-+		DBG_WARNING("SASL bind with Kerberos failed "
-+			    "for %s/%s - user[%s], realm[%s]: %s, "
-+			    "try to fallback to NTLMSSP\n",
-+			    p.service, p.hostname,
-+			    ads->auth.user_name,
-+			    ads->auth.realm,
-+			    ads_errstr(status));
- 	}
- #endif
- 
--- 
-2.33.1
-
-
-From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Mon, 3 Jan 2022 11:13:06 +0100
-Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
- without kerberos)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
----
- source3/libads/sasl.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index ea98aa47ecd..1bcfe0490a8 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 	   library for HMAC_MD4 encryption */
- 	mech = "NTLMSSP";
- 
-+	if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
-+		DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
-+		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
-+		goto done;
-+	}
-+
- 	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
- 		DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
- 			    " disallowed.\n");
--- 
-2.33.1
-
-
-From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Mon, 3 Jan 2022 15:33:46 +0100
-Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
- connections
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
----
- .../test_weak_disable_ntlmssp_ldap.sh         | 41 +++++++++++++++++++
- 1 file changed, 41 insertions(+)
- create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
-
-diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
-new file mode 100755
-index 00000000000..2822ab29d14
---- /dev/null
-+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
-@@ -0,0 +1,41 @@
-+#!/bin/sh
-+# Blackbox tests for diabing NTLMSSP for ldap clinet connections
-+# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
-+
-+if [ $# -lt 2 ]; then
-+cat <<EOF
-+Usage: $0 USERNAME PASSWORD
-+EOF
-+exit 1;
-+fi
-+
-+USERNAME=$1
-+PASSWORD=$2
-+shift 2
-+
-+failed=0
-+. `dirname $0`/subunit.sh
-+
-+samba_testparm="$BINDIR/testparm"
-+samba_net="$BINDIR/net"
-+
-+unset GNUTLS_FORCE_FIPS_MODE
-+
-+# Checks that testparm reports: Weak crypto is allowed
-+testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
-+
-+# We should be allowed to use NTLM for connecting
-+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
-+
-+GNUTLS_FORCE_FIPS_MODE=1
-+export GNUTLS_FORCE_FIPS_MODE
-+
-+# Checks that testparm reports: Weak crypto is disallowed
-+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
-+
-+# We should not be allowed to use NTLM for connecting
-+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
-+
-+unset GNUTLS_FORCE_FIPS_MODE
-+
-+exit $failed
--- 
-2.33.1
-
-
-From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 4 Jan 2022 12:00:20 +0100
-Subject: [PATCH 07/10] s4:selftest: plan test suite
- samba4.blackbox.test_weak_disable_ntlmssp_ldap
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
----
- source4/selftest/tests.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
-index 1e4b2ae6dd3..3a6a716f061 100755
---- a/source4/selftest/tests.py
-+++ b/source4/selftest/tests.py
-@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
- 
- if have_gnutls_fips_mode_support:
-     plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
-+    plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
- 
-     for env in ["ad_dc_fips", "ad_member_fips"]:
-         plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
--- 
-2.33.1
-
-
-From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 18 Jan 2022 19:47:38 +0100
-Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
----
- source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
- 1 file changed, 19 insertions(+), 19 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
-index 948c903f165..e415df347e6 100644
---- a/source3/winbindd/winbindd_ads.c
-+++ b/source3/winbindd/winbindd_ads.c
-@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
- 
- 	if ( !winbindd_can_contact_domain( domain ) ) {
- 		DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
--			  domain->name));		
-+			  domain->name));
- 		return NT_STATUS_OK;
- 	}
- 
-@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
- 
- 	if ( !winbindd_can_contact_domain( domain ) ) {
- 		DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
--			  domain->name));		
-+			  domain->name));
- 		return NT_STATUS_OK;
- 	}
- 
-@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
- 	 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
- 	 * default value, it MUST be absent. In case of extensible matching the
- 	 * "dnattr" boolean defaults to FALSE and so it must be only be present
--	 * when set to TRUE. 
-+	 * when set to TRUE.
- 	 *
- 	 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
- 	 * filter using bitwise matching rule then the buggy AD fails to decode
-@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
- 	 *
- 	 * Thanks to Ralf Haferkamp for input and testing - Guenther */
- 
--	filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", 
-+	filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
- 				 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
--				 ADS_LDAP_MATCHING_RULE_BIT_AND, 
-+				 ADS_LDAP_MATCHING_RULE_BIT_AND,
- 				 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
- 
- 	if (filter == NULL) {
-@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
- 	DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
- 
- done:
--	if (res) 
-+	if (res)
- 		ads_msgfree(ads, res);
- 
- 	return status;
-@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
- 				struct wb_acct_info **info)
- {
- 	/*
--	 * This is a stub function only as we returned the domain 
-+	 * This is a stub function only as we returned the domain
- 	 * local groups in enum_dom_groups() if the domain->native field
- 	 * was true.  This is a simple performance optimization when
- 	 * using LDAP.
- 	 *
--	 * if we ever need to enumerate domain local groups separately, 
-+	 * if we ever need to enumerate domain local groups separately,
- 	 * then this optimization in enum_dom_groups() will need
- 	 * to be split out
- 	 */
-@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
-    tokenGroups are not available. */
- static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
- 					 TALLOC_CTX *mem_ctx,
--					 const char *user_dn, 
-+					 const char *user_dn,
- 					 struct dom_sid *primary_group,
- 					 uint32_t *p_num_groups, struct dom_sid **user_sids)
- {
-@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
- 
- 	if ( !winbindd_can_contact_domain( domain ) ) {
- 		DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
--			  domain->name));		
-+			  domain->name));
- 		return NT_STATUS_OK;
- 	}
- 
-@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
- 
- 	DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
- done:
--	if (res) 
-+	if (res)
- 		ads_msgfree(ads, res);
- 
- 	return status;
-@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
- 	if (count != 1) {
- 		status = NT_STATUS_UNSUCCESSFUL;
- 		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
--			 "invalid number of results (count=%d)\n", 
-+			 "invalid number of results (count=%d)\n",
- 			 dom_sid_str_buf(sid, &buf),
- 			 count));
- 		goto done;
- 	}
- 
- 	if (!msg) {
--		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", 
-+		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
- 			 dom_sid_str_buf(sid, &buf)));
- 		status = NT_STATUS_UNSUCCESSFUL;
- 		goto done;
-@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
- 	}
- 
- 	if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
--		DEBUG(1,("%s: No primary group for sid=%s !?\n", 
-+		DEBUG(1,("%s: No primary group for sid=%s !?\n",
- 			 domain->name,
- 			 dom_sid_str_buf(sid, &buf)));
- 		goto done;
-@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
- 
- 	count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
- 
--	/* there must always be at least one group in the token, 
-+	/* there must always be at least one group in the token,
- 	   unless we are talking to a buggy Win2k server */
- 
- 	/* actually this only happens when the machine account has no read
-@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
- 		/* lookup what groups this user is a member of by DN search on
- 		 * "member" */
- 
--		status = lookup_usergroups_member(domain, mem_ctx, user_dn, 
-+		status = lookup_usergroups_member(domain, mem_ctx, user_dn,
- 						  &primary_group,
- 						  &num_groups, user_sids);
- 		*p_num_groups = num_groups;
-@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
- 			DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
- 				   "not map any SIDs at all.\n"));
- 			/* Don't handle this as an error here.
--			 * There is nothing left to do with respect to the 
-+			 * There is nothing left to do with respect to the
- 			 * overall result... */
- 		}
- 		else if (!NT_STATUS_IS_OK(status)) {
-@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
- 			NETR_TRUST_FLAG_IN_FOREST;
- 	} else {
- 		flags = NETR_TRUST_FLAG_IN_FOREST;
--	}	
-+	}
- 
- 	result = cm_connect_netlogon(domain, &cli);
- 
- 	if (!NT_STATUS_IS_OK(result)) {
- 		DEBUG(5, ("trusted_domains: Could not open a connection to %s "
--			  "for PIPE_NETLOGON (%s)\n", 
-+			  "for PIPE_NETLOGON (%s)\n",
- 			  domain->name, nt_errstr(result)));
- 		return NT_STATUS_UNSUCCESSFUL;
- 	}
--- 
-2.33.1
-
-
-From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 18 Jan 2022 19:44:54 +0100
-Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
- mode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
----
- source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
-index e415df347e6..6f01ef6e334 100644
---- a/source3/winbindd/winbindd_ads.c
-+++ b/source3/winbindd/winbindd_ads.c
-@@ -34,6 +34,7 @@
- #include "../libds/common/flag_mapping.h"
- #include "libsmb/samlogon_cache.h"
- #include "passdb.h"
-+#include "auth/credentials/credentials.h"
- 
- #ifdef HAVE_ADS
- 
-@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
- 	ADS_STATUS status;
- 	struct sockaddr_storage dc_ss;
- 	fstring dc_name;
-+	enum credentials_use_kerberos krb5_state;
- 
- 	if (auth_realm == NULL) {
- 		return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
-@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
- 	ads->auth.renewable = renewable;
- 	ads->auth.password = password;
- 
--	ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+	/* In FIPS mode, client use kerberos is forced to required. */
-+	krb5_state = lp_client_use_kerberos();
-+	switch (krb5_state) {
-+	case CRED_USE_KERBEROS_REQUIRED:
-+		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
-+		ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
-+		break;
-+	case CRED_USE_KERBEROS_DESIRED:
-+		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
-+		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+		break;
-+	case CRED_USE_KERBEROS_DISABLED:
-+		ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
-+		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+		break;
-+	}
- 
- 	ads->auth.realm = SMB_STRDUP(auth_realm);
- 	if (!strupper_m(ads->auth.realm)) {
--- 
-2.33.1
-
-
-From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Fri, 21 Jan 2022 12:01:33 +0100
-Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
- mode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
-
-(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
----
- source3/libnet/libnet_join.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 02705f1c70c..4c67e9af5c4 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
- 	ADS_STATUS status;
- 	ADS_STRUCT *my_ads = NULL;
- 	char *cp;
-+	enum credentials_use_kerberos krb5_state;
- 
- 	my_ads = ads_init(dns_domain_name,
- 			  netbios_domain_name,
-@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
- 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
- 	}
- 
--	my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+	/* In FIPS mode, client use kerberos is forced to required. */
-+	krb5_state = lp_client_use_kerberos();
-+	switch (krb5_state) {
-+	case CRED_USE_KERBEROS_REQUIRED:
-+		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
-+		my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
-+		break;
-+	case CRED_USE_KERBEROS_DESIRED:
-+		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
-+		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+		break;
-+	case CRED_USE_KERBEROS_DISABLED:
-+		my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
-+		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+		break;
-+	}
- 
- 	if (user_name) {
- 		SAFE_FREE(my_ads->auth.user_name);
--- 
-2.33.1
-
diff --git a/SOURCES/samba-disable-systemd-notifications.patch b/SOURCES/samba-disable-systemd-notifications.patch
deleted file mode 100644
index 9e57630..0000000
--- a/SOURCES/samba-disable-systemd-notifications.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
-From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
-Date: Mon, 24 Jan 2022 22:14:31 -0500
-Subject: [PATCH] printing/bgqd: Disable systemd notifications
-
-samba-bgqd daemon is started by existing Samba daemons. When running
-under systemd, those daemons control systemd notifications and
-samba-bgqd messages need to be silenced.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
-
-Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
----
- source3/printing/samba-bgqd.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
-index f21327fc622..59ed0cc40db 100644
---- a/source3/printing/samba-bgqd.c
-+++ b/source3/printing/samba-bgqd.c
-@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
- 
- 	log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
- 
-+	/* main process will notify systemd */
-+	daemon_sd_notifications(false);
-+
- 	if (!cmdline_daemon_cfg->fork) {
- 		daemon_status(progname, "Starting process ... ");
- 	} else {
--- 
-2.34.1
-
diff --git a/SOURCES/samba-glibc-dns.patch b/SOURCES/samba-glibc-dns.patch
deleted file mode 100644
index c01d481..0000000
--- a/SOURCES/samba-glibc-dns.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 7 Oct 2021 15:55:37 +0200
-Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34
-
-With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
-anymore. The res_* symbols have been moved from libresolv to libc. We are not
-able to intercept any traffic inside of libc.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- selftest/wscript                   |  2 +-
- third_party/resolv_wrapper/wscript | 13 +++++++++++++
- 2 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/selftest/wscript b/selftest/wscript
-index a6be06c2ae9..85d9338489a 100644
---- a/selftest/wscript
-+++ b/selftest/wscript
-@@ -252,7 +252,7 @@ def cmd_testonly(opt):
-     if os.environ.get('USE_NAMESPACES') is None:
-         env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
- 
--    if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'):
-+    if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
-         env.OPTIONS += " --use-dns-faking"
- 
-     if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
-diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
-index a7f18389b0f..7e369bd90b5 100644
---- a/third_party/resolv_wrapper/wscript
-+++ b/third_party/resolv_wrapper/wscript
-@@ -1,6 +1,7 @@
- #!/usr/bin/env python
- 
- import os
-+from waflib import Logs
- 
- VERSION="1.1.7"
- 
-@@ -49,6 +50,18 @@ def configure(conf):
-         if conf.CONFIG_SET('HAVE_RES_NCLOSE'):
-             conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1)
- 
-+        # If we find res_nquery in libc, we can't do resolv.conf redirect
-+        conf.CHECK_FUNCS('res_nquery __res_nquery')
-+        if (conf.CONFIG_SET('HAVE_RES_NQUERY')
-+                or conf.CONFIG_SET('HAVE___RES_NQUERY')):
-+            Logs.warn("Detection for resolv_wrapper: "
-+                      "Only dns faking will be available")
-+        else:
-+            if conf.CHECK_FUNCS('res_nquery', lib='resolv'):
-+                conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
-+            if conf.CHECK_FUNCS('__res_nquery', lib='resolv'):
-+                conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
-+
-         conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True)
-         conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True)
-         conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True)
--- 
-2.33.1
-
diff --git a/SOURCES/samba-password-change-prompt.patch b/SOURCES/samba-password-change-prompt.patch
deleted file mode 100644
index 5dee86c..0000000
--- a/SOURCES/samba-password-change-prompt.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 17 Nov 2021 09:56:09 +0100
-Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
- off).
-
-This change disables the prompt for the change of an expired password by
-default (using the PAM_RADIO_TYPE mechanism if present).
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
----
- docs-xml/manpages/pam_winbind.conf.5.xml |  7 +++++++
- nsswitch/pam_winbind.c                   | 12 ++++++++++--
- nsswitch/pam_winbind.h                   |  1 +
- 3 files changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
-index 0bc288f91a1..bae9298fc32 100644
---- a/docs-xml/manpages/pam_winbind.conf.5.xml
-+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
-@@ -194,6 +194,13 @@
- 		</para></listitem>
- 		</varlistentry>
- 
-+		<varlistentry>
-+		<term>pwd_change_prompt = yes|no</term>
-+		<listitem><para>
-+			Generate prompt for changing an expired password. Defaults to "no".
-+		</para></listitem>
-+		</varlistentry>
-+
- 		</variablelist>
- 
- 	</para>
-diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
-index 720a4b90d85..06098dd07d8 100644
---- a/nsswitch/pam_winbind.c
-+++ b/nsswitch/pam_winbind.c
-@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
- 		ctrl |= WINBIND_MKHOMEDIR;
- 	}
- 
-+	if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
-+		ctrl |= WINBIND_PWD_CHANGE_PROMPT;
-+	}
-+
- config_from_pam:
- 	/* step through arguments */
- 	for (i=argc,v=argv; i-- > 0; ++v) {
-@@ -522,6 +526,8 @@ config_from_pam:
- 		else if (!strncasecmp(*v, "warn_pwd_expire",
- 			strlen("warn_pwd_expire")))
- 			ctrl |= WINBIND_WARN_PWD_EXPIRE;
-+		else if (!strcasecmp(*v, "pwd_change_prompt"))
-+			ctrl |= WINBIND_PWD_CHANGE_PROMPT;
- 		else if (type != PAM_WINBIND_CLEANUP) {
- 			__pam_log(pamh, ctrl, LOG_ERR,
- 				 "pam_parse: unknown option: %s", *v);
-@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
- 		 * successfully sent the warning message.
- 		 * Give the user a chance to change pwd.
- 		 */
--		if (ret == PAM_SUCCESS) {
-+		if (ret == PAM_SUCCESS &&
-+		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
- 			if (change_pwd) {
- 				retval = _pam_winbind_change_pwd(ctx);
- 				if (retval) {
-@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
- 		 * successfully sent the warning message.
- 		 * Give the user a chance to change pwd.
- 		 */
--		if (ret == PAM_SUCCESS) {
-+		if (ret == PAM_SUCCESS &&
-+		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
- 			if (change_pwd) {
- 				retval = _pam_winbind_change_pwd(ctx);
- 				if (retval) {
-diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
-index c6786d65a4d..2f4a25729bd 100644
---- a/nsswitch/pam_winbind.h
-+++ b/nsswitch/pam_winbind.h
-@@ -157,6 +157,7 @@ do {                             \
- #define WINBIND_WARN_PWD_EXPIRE		0x00002000
- #define WINBIND_MKHOMEDIR		0x00004000
- #define WINBIND_TRY_AUTHTOK_ARG		0x00008000
-+#define WINBIND_PWD_CHANGE_PROMPT	0x00010000
- 
- #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
- #define _(string) dgettext(MODULE_NAME, string)
--- 
-2.35.1
-
diff --git a/SOURCES/samba-printing-win7.patch b/SOURCES/samba-printing-win7.patch
deleted file mode 100644
index d1a6b6a..0000000
--- a/SOURCES/samba-printing-win7.patch
+++ /dev/null
@@ -1,229 +0,0 @@
-From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 22 Jan 2022 01:08:26 +0100
-Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
-
-This is important for the source3/rpc_server code as it might
-be called embedded in smbd and may not run as root with access
-to our private tdb/ldb files.
-
-Note this is only really needed for 4.15 and older, as
-we no longer run the rpc_server embedded in smbd,
-but we better be consistent for now.
-
-This should be able to fix the problem the printing no longer works
-on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
-
-Windows uses NTLMSSP with privacy at the DCERPC layer on top
-of NCACN_NP (smb).
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
----
- librpc/rpc/dcesrv_auth.c         |  5 +++++
- librpc/rpc/dcesrv_core.c         | 18 ++++++++++++++++++
- librpc/rpc/dcesrv_core.h         |  2 ++
- source3/rpc_server/rpc_config.c  |  2 ++
- source4/rpc_server/service_rpc.c | 10 ++++++++++
- 5 files changed, 37 insertions(+)
-
-diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
-index fec8df513a83..99d8e0162160 100644
---- a/librpc/rpc/dcesrv_auth.c
-+++ b/librpc/rpc/dcesrv_auth.c
-@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
- 	auth->auth_level = call->in_auth_info.auth_level;
- 	auth->auth_context_id = call->in_auth_info.auth_context_id;
- 
-+	cb->auth.become_root();
- 	status = cb->auth.gensec_prepare(
- 		auth,
- 		call,
- 		&auth->gensec_security,
- 		cb->auth.private_data);
-+	cb->auth.unbecome_root();
- 	if (!NT_STATUS_IS_OK(status)) {
- 		DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
- 			  nt_errstr(status)));
-@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
- NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
- {
- 	struct dcesrv_auth *auth = call->auth_state;
-+	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
- 	const char *pdu = "<unknown>";
- 
- 	switch (call->pkt.ptype) {
-@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
- 		return status;
- 	}
- 
-+	cb->auth.become_root();
- 	status = gensec_session_info(auth->gensec_security,
- 				     auth,
- 				     &auth->session_info);
-+	cb->auth.unbecome_root();
- 	if (!NT_STATUS_IS_OK(status)) {
- 		DEBUG(1, ("Failed to establish session_info: %s\n",
- 			  nt_errstr(status)));
-diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
-index d16159b0b6cd..ea91fc689b4a 100644
---- a/librpc/rpc/dcesrv_core.c
-+++ b/librpc/rpc/dcesrv_core.c
-@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
- 	struct dcerpc_binding *ep_2nd_description = NULL;
- 	const char *endpoint = NULL;
- 	struct dcesrv_auth *auth = call->auth_state;
-+	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
- 	struct dcerpc_ack_ctx *ack_ctx_list = NULL;
- 	struct dcerpc_ack_ctx *ack_features = NULL;
- 	struct tevent_req *subreq = NULL;
-@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
- 		return dcesrv_auth_reply(call);
- 	}
- 
-+	cb->auth.become_root();
- 	subreq = gensec_update_send(call, call->event_ctx,
- 				    auth->gensec_security,
- 				    call->in_auth_info.credentials);
-+	cb->auth.unbecome_root();
- 	if (subreq == NULL) {
- 		return NT_STATUS_NO_MEMORY;
- 	}
-@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
- 		tevent_req_callback_data(subreq,
- 		struct dcesrv_call_state);
- 	struct dcesrv_connection *conn = call->conn;
-+	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
- 	NTSTATUS status;
- 
-+	cb->auth.become_root();
- 	status = gensec_update_recv(subreq, call,
- 				    &call->out_auth_info->credentials);
-+	cb->auth.unbecome_root();
- 	TALLOC_FREE(subreq);
- 
- 	status = dcesrv_auth_complete(call, status);
-@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
- {
- 	struct dcesrv_connection *conn = call->conn;
- 	struct dcesrv_auth *auth = call->auth_state;
-+	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
- 	struct tevent_req *subreq = NULL;
- 	NTSTATUS status;
- 
-@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
- 		return NT_STATUS_OK;
- 	}
- 
-+	cb->auth.become_root();
- 	subreq = gensec_update_send(call, call->event_ctx,
- 				    auth->gensec_security,
- 				    call->in_auth_info.credentials);
-+	cb->auth.unbecome_root();
- 	if (subreq == NULL) {
- 		return NT_STATUS_NO_MEMORY;
- 	}
-@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
- 		struct dcesrv_call_state);
- 	struct dcesrv_connection *conn = call->conn;
- 	struct dcesrv_auth *auth = call->auth_state;
-+	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
- 	NTSTATUS status;
- 
-+	cb->auth.become_root();
- 	status = gensec_update_recv(subreq, call,
- 				    &call->out_auth_info->credentials);
-+	cb->auth.unbecome_root();
- 	TALLOC_FREE(subreq);
- 
- 	status = dcesrv_auth_complete(call, status);
-@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
- 	struct ncacn_packet *pkt = &call->ack_pkt;
- 	uint32_t extra_flags = 0;
- 	struct dcesrv_auth *auth = call->auth_state;
-+	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
- 	struct dcerpc_ack_ctx *ack_ctx_list = NULL;
- 	struct tevent_req *subreq = NULL;
- 	size_t i;
-@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
- 		return dcesrv_auth_reply(call);
- 	}
- 
-+	cb->auth.become_root();
- 	subreq = gensec_update_send(call, call->event_ctx,
- 				    auth->gensec_security,
- 				    call->in_auth_info.credentials);
-+	cb->auth.unbecome_root();
- 	if (subreq == NULL) {
- 		return NT_STATUS_NO_MEMORY;
- 	}
-@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
- 		tevent_req_callback_data(subreq,
- 		struct dcesrv_call_state);
- 	struct dcesrv_connection *conn = call->conn;
-+	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
- 	NTSTATUS status;
- 
-+	cb->auth.become_root();
- 	status = gensec_update_recv(subreq, call,
- 				    &call->out_auth_info->credentials);
-+	cb->auth.unbecome_root();
- 	TALLOC_FREE(subreq);
- 
- 	status = dcesrv_auth_complete(call, status);
-diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
-index d8d5f9030959..0538442e0ce6 100644
---- a/librpc/rpc/dcesrv_core.h
-+++ b/librpc/rpc/dcesrv_core.h
-@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
- 			struct gensec_security **out,
- 			void *private_data);
- 		void *private_data;
-+		void (*become_root)(void);
-+		void (*unbecome_root)(void);
- 	} auth;
- 	struct {
- 		NTSTATUS (*find)(
-diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
-index 2f1a01da1c0b..289c4f398409 100644
---- a/source3/rpc_server/rpc_config.c
-+++ b/source3/rpc_server/rpc_config.c
-@@ -31,6 +31,8 @@
- static struct dcesrv_context_callbacks srv_callbacks = {
- 	.log.successful_authz = dcesrv_log_successful_authz,
- 	.auth.gensec_prepare = dcesrv_auth_gensec_prepare,
-+	.auth.become_root = become_root,
-+	.auth.unbecome_root = unbecome_root,
- 	.assoc_group.find = dcesrv_assoc_group_find,
- };
- 
-diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
-index d8c6746d7815..ebb50f8a7ef3 100644
---- a/source4/rpc_server/service_rpc.c
-+++ b/source4/rpc_server/service_rpc.c
-@@ -40,9 +40,19 @@
- #include "../libcli/named_pipe_auth/npa_tstream.h"
- #include "samba/process_model.h"
- 
-+static void skip_become_root(void)
-+{
-+}
-+
-+static void skip_unbecome_root(void)
-+{
-+}
-+
- static struct dcesrv_context_callbacks srv_callbacks = {
- 	.log.successful_authz = log_successful_dcesrv_authz_event,
- 	.auth.gensec_prepare = dcesrv_gensec_prepare,
-+	.auth.become_root = skip_become_root,
-+	.auth.unbecome_root = skip_unbecome_root,
- 	.assoc_group.find = dcesrv_assoc_group_find,
- };
- 
--- 
-2.25.1
-
diff --git a/SOURCES/samba-s4u.patch b/SOURCES/samba-s4u.patch
index 8e84d96..5d3cb55 100644
--- a/SOURCES/samba-s4u.patch
+++ b/SOURCES/samba-s4u.patch
@@ -1,4 +1,4 @@
-From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
+From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Fri, 27 Sep 2019 18:25:03 +0300
 Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
@@ -12,10 +12,10 @@ Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  3 files changed, 71 insertions(+), 106 deletions(-)
 
 diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
-index f35210669c2..b1c7c5dcc5e 100644
+index 793fe366c35..22534c09974 100644
 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c
 +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
-@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
+@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
  				     krb5_keyblock *krbtgt_key,
  				     krb5_timestamp authtime,
  				     krb5_authdata **tgt_auth_data,
@@ -36,7 +36,7 @@ index f35210669c2..b1c7c5dcc5e 100644
  
  	mit_ctx = ks_get_context(context);
  	if (mit_ctx == NULL) {
-@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
+@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
  	code = krb5_pac_parse(context,
  			      authdata[0]->contents,
  			      authdata[0]->length,
@@ -106,7 +106,7 @@ index f35210669c2..b1c7c5dcc5e 100644
  	if (code != 0) {
  		goto done;
  	}
-@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
+@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
  	code = mit_samba_reget_pac(mit_ctx,
  				   context,
  				   flags,
@@ -133,7 +133,7 @@ index f35210669c2..b1c7c5dcc5e 100644
  
  	return code;
  }
-@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
  	krb5_authdata **pac_auth_data = NULL;
  	krb5_authdata **authdata = NULL;
  	krb5_boolean is_as_req;
@@ -141,7 +141,7 @@ index f35210669c2..b1c7c5dcc5e 100644
  	krb5_error_code code;
  	krb5_pac pac = NULL;
  	krb5_data pac_data;
-@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
  	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
  	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
  
@@ -153,7 +153,7 @@ index f35210669c2..b1c7c5dcc5e 100644
  	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
  
  	/*
-@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
  		ks_client_princ = client->princ;
  	}
  
@@ -170,7 +170,7 @@ index f35210669c2..b1c7c5dcc5e 100644
  	if (client_entry == NULL) {
  		client_entry = client;
  	}
-@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
  
  			code = ks_verify_pac(context,
  					     flags,
@@ -179,7 +179,7 @@ index f35210669c2..b1c7c5dcc5e 100644
  					     client_entry,
  					     server,
  					     krbtgt,
-@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
  		  is_as_req ? "AS-REQ" : "TGS-REQ",
  		  client_name);
  	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
@@ -188,7 +188,7 @@ index f35210669c2..b1c7c5dcc5e 100644
  	if (code != 0) {
  		DBG_ERR("krb5_pac_sign failed: %d\n", code);
  		goto done;
-@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
  					      KRB5_AUTHDATA_IF_RELEVANT,
  					      authdata,
  					      signed_auth_data);
@@ -201,7 +201,7 @@ index f35210669c2..b1c7c5dcc5e 100644
  done:
  	if (client_entry != NULL && client_entry != client) {
  		ks_free_principal(context, client_entry);
-@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
+@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
  	 * server; -> delegating service
  	 * proxy; -> target principal
  	 */
@@ -236,10 +236,10 @@ index f35210669c2..b1c7c5dcc5e 100644
  
  
 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
-index 4239332f0d9..acc3cba6254 100644
+index cb72b5de294..03c2c2ea1de 100644
 --- a/source4/kdc/mit_samba.c
 +++ b/source4/kdc/mit_samba.c
-@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
+@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
  krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
  				    krb5_context context,
  				    int flags,
@@ -247,7 +247,7 @@ index 4239332f0d9..acc3cba6254 100644
  				    krb5_db_entry *client,
  				    krb5_db_entry *server,
  				    krb5_db_entry *krbtgt,
-@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
+@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
  								  context,
  								  *pac,
  								  server->princ,
@@ -256,7 +256,7 @@ index 4239332f0d9..acc3cba6254 100644
  								  deleg_blob);
  		if (!NT_STATUS_IS_OK(nt_status)) {
  			DEBUG(0, ("Update delegation info failed: %s\n",
-@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
+@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
  }
  
  int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
@@ -309,10 +309,10 @@ index 4239332f0d9..acc3cba6254 100644
  
  static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
 diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
-index 636c77ec97c..9cb00c9610e 100644
+index 4431e82a1b2..9370ab533af 100644
 --- a/source4/kdc/mit_samba.h
 +++ b/source4/kdc/mit_samba.h
-@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
+@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
  krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
  				    krb5_context context,
  				    int flags,
@@ -320,7 +320,7 @@ index 636c77ec97c..9cb00c9610e 100644
  				    krb5_db_entry *client,
  				    krb5_db_entry *server,
  				    krb5_db_entry *krbtgt,
-@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
+@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
  				  DATA_BLOB *e_data);
  
  int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
@@ -333,10 +333,10 @@ index 636c77ec97c..9cb00c9610e 100644
  int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
  				      char *pwd,
 -- 
-2.33.1
+2.37.1
 
 
-From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
+From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Fri, 27 Sep 2019 18:35:30 +0300
 Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
@@ -350,10 +350,10 @@ Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  3 files changed, 185 insertions(+), 13 deletions(-)
 
 diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index fff5b4e2a22..791b417d5ba 100644
+index 4321f07ca09..3fd95e47fca 100644
 --- a/lib/krb5_wrap/krb5_samba.c
 +++ b/lib/krb5_wrap/krb5_samba.c
-@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
  
  	return 0;
  }
@@ -546,7 +546,7 @@ index fff5b4e2a22..791b417d5ba 100644
  
  #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
 diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
-index eab67f6d969..b5385c69a33 100644
+index a66b7465530..c8573f52bd9 100644
 --- a/lib/krb5_wrap/krb5_samba.h
 +++ b/lib/krb5_wrap/krb5_samba.h
 @@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
@@ -611,66 +611,23 @@ index 544d9d853cc..c14d8c72d8c 100644
  				ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
  								     ccache,
 -- 
-2.33.1
+2.37.1
 
 
-From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
+From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Sat, 19 Sep 2020 14:16:20 +0200
 Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
 
 ---
- source4/heimdal/lib/hdb/hdb.h | 1 +
- source4/kdc/db-glue.c         | 8 ++++++--
- source4/kdc/mit_samba.c       | 3 +++
- source4/kdc/sdb.h             | 1 +
- 4 files changed, 11 insertions(+), 2 deletions(-)
+ source4/kdc/mit_samba.c | 3 +++
+ 1 file changed, 3 insertions(+)
 
-diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
-index 5ef9d9565f3..dafaffc6c2d 100644
---- a/source4/heimdal/lib/hdb/hdb.h
-+++ b/source4/heimdal/lib/hdb/hdb.h
-@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
- #define HDB_F_ALL_KVNOS		2048	/* we want all the keys, live or not */
- #define HDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
- #define HDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
-+#define HDB_F_FORCE_CANON	16384	/* force canonicalition */
- 
- /* hdb_capability_flags */
- #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
-diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
-index aff74f2ee71..d16b4c3329a 100644
---- a/source4/kdc/db-glue.c
-+++ b/source4/kdc/db-glue.c
-@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- 			}
- 		}
- 
--	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
-+	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
- 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
- 		if (ret) {
- 			krb5_clear_error_message(context);
- 			goto out;
- 		}
--	} else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
-+	} else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
- 		/*
- 		 * SDB_F_CANON maps from the canonicalize flag in the
- 		 * packet, and has a different meaning between AS-REQ
- 		 * and TGS-REQ.  We only change the principal in the AS-REQ case
-+		 *
-+		 * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
-+		 * the canonical name in all lookups, and takes care to canonicalize
-+		 * only when appropriate.
- 		 */
- 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
- 		if (ret) {
 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
-index acc3cba6254..f0b9df8b613 100644
+index 03c2c2ea1de..30fade56531 100644
 --- a/source4/kdc/mit_samba.c
 +++ b/source4/kdc/mit_samba.c
-@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
+@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
  	if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
  		sflags |= SDB_F_CANON;
  	}
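Review bot: The refreshed PATCH 3/3 keeps its three-line addition to `mit_samba_get_principal` in source4/kdc/mit_samba.c, while this hunk drops the hdb.h and db-glue.c parts and the last hunk of this file drops the `SDB_F_FORCE_CANON` define from sdb.h, so the surviving hook now relies on the 4.16.4 tarball for both the flag and the branch in `samba_kdc_message2entry` that acts on it. The added lines themselves fall outside the hunk, so I am assuming they set that flag. If the tarball lacks the define the build breaks, and if it has the define but not the db-glue.c handling, principal canonicalization on the MIT KDC lookup path would differ from what the old patch set produced without any build-time signal. The patch is also still titled `wip:` and carries no Signed-off-by or bug reference, which is thin for code on the KDC lookup path. Once checked against the tarball, I would record the reason in the patch description, e.g. `SDB_F_FORCE_CANON and its db-glue.c handling are upstream as of 4.16; only the mit_samba.c hook is still carried downstream.`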
@@ -680,18 +637,6 @@ index acc3cba6254..f0b9df8b613 100644
  	if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
  		      KRB5_KDB_FLAG_INCLUDE_PAC)) {
  		/*
-diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
-index c929acccce6..a9115ec23d7 100644
---- a/source4/kdc/sdb.h
-+++ b/source4/kdc/sdb.h
-@@ -116,6 +116,7 @@ struct sdb_entry_ex {
- #define SDB_F_KVNO_SPECIFIED	128	/* we want a particular KVNO */
- #define SDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
- #define SDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
-+#define SDB_F_FORCE_CANON	16384	/* force canonicalition */
- 
- void sdb_free_entry(struct sdb_entry_ex *e);
- void free_sdb_entry(struct sdb_entry *s);
 -- 
-2.33.1
+2.37.1
 
diff --git a/SOURCES/samba-virus_scanner.patch b/SOURCES/samba-virus_scanner.patch
deleted file mode 100644
index 6e243da..0000000
--- a/SOURCES/samba-virus_scanner.patch
+++ /dev/null
@@ -1,597 +0,0 @@
-From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 9 Feb 2022 16:33:10 +0100
-Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd
-
-We have the env variable SERVER_LOG_LEVEL which allows you to change
-the log level on the command line. If we force -d0 this will not work.
-
-make test TESTS="samba" SERVER_LOG_LEVEL=10
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b)
----
- selftest/target/Samba3.pm | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index b901fd2677a..64a9a791a61 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -2153,7 +2153,7 @@ sub make_bin_cmd
- {
- 	my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
- 
--	my @optargs = ("-d0");
-+	my @optargs = ();
- 	if (defined($options)) {
- 		@optargs = split(/ /, $options);
- 	}
--- 
-2.34.1
-
-
-From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 8 Feb 2022 12:07:03 +0100
-Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses
- filename matching
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1)
----
- source3/modules/vfs_virusfilter.c        | 12 +++++
- source3/modules/vfs_virusfilter_common.h |  4 ++
- source3/modules/vfs_virusfilter_dummy.c  | 58 ++++++++++++++++++++++++
- source3/modules/wscript_build            |  1 +
- 4 files changed, 75 insertions(+)
- create mode 100644 source3/modules/vfs_virusfilter_dummy.c
-
-diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
-index 9fafe4e5d41..e6cbee7cd45 100644
---- a/source3/modules/vfs_virusfilter.c
-+++ b/source3/modules/vfs_virusfilter.c
-@@ -35,12 +35,14 @@
- 
- enum virusfilter_scanner_enum {
- 	VIRUSFILTER_SCANNER_CLAMAV,
-+	VIRUSFILTER_SCANNER_DUMMY,
- 	VIRUSFILTER_SCANNER_FSAV,
- 	VIRUSFILTER_SCANNER_SOPHOS
- };
- 
- static const struct enum_list scanner_list[] = {
- 	{ VIRUSFILTER_SCANNER_CLAMAV,	"clamav" },
-+	{ VIRUSFILTER_SCANNER_DUMMY,	"dummy" },
- 	{ VIRUSFILTER_SCANNER_FSAV,	"fsav" },
- 	{ VIRUSFILTER_SCANNER_SOPHOS,	"sophos" },
- 	{ -1,				NULL }
-@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect(
- 	int snum = SNUM(handle->conn);
- 	struct virusfilter_config *config = NULL;
- 	const char *exclude_files = NULL;
-+	const char *infected_files = NULL;
- 	const char *temp_quarantine_dir_mode = NULL;
- 	const char *infected_file_command = NULL;
- 	const char *scan_error_command = NULL;
-@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect(
- 		set_namearray(&config->exclude_files, exclude_files);
- 	}
- 
-+	infected_files = lp_parm_const_string(
-+		snum, "virusfilter", "infected files", NULL);
-+	if (infected_files != NULL) {
-+		set_namearray(&config->infected_files, infected_files);
-+	}
-+
- 	config->cache_entry_limit = lp_parm_int(
- 		snum, "virusfilter", "cache entry limit", 100);
- 
-@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect(
- 	case VIRUSFILTER_SCANNER_CLAMAV:
- 		ret = virusfilter_clamav_init(config);
- 		break;
-+	case VIRUSFILTER_SCANNER_DUMMY:
-+		ret = virusfilter_dummy_init(config);
-+		break;
- 	default:
- 		DBG_ERR("Unhandled scanner %d\n", backend);
- 		return -1;
-diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h
-index f71b0b949a7..463a9d74e9c 100644
---- a/source3/modules/vfs_virusfilter_common.h
-+++ b/source3/modules/vfs_virusfilter_common.h
-@@ -83,6 +83,9 @@ struct virusfilter_config {
- 	/* Exclude files */
- 	name_compare_entry		*exclude_files;
- 
-+	/* Infected files */
-+	name_compare_entry		*infected_files;
-+
- 	/* Scan result cache */
- 	struct virusfilter_cache	*cache;
- 	int				cache_entry_limit;
-@@ -149,5 +152,6 @@ struct virusfilter_backend {
- int virusfilter_sophos_init(struct virusfilter_config *config);
- int virusfilter_fsav_init(struct virusfilter_config *config);
- int virusfilter_clamav_init(struct virusfilter_config *config);
-+int virusfilter_dummy_init(struct virusfilter_config *config);
- 
- #endif /* _VIRUSFILTER_COMMON_H */
-diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c
-new file mode 100644
-index 00000000000..03405cd6629
---- /dev/null
-+++ b/source3/modules/vfs_virusfilter_dummy.c
-@@ -0,0 +1,58 @@
-+/*
-+   Samba-VirusFilter VFS modules
-+   Dummy scanner with infected files support.
-+   Copyright (C) 2022 Pavel Filipenský <pfilipen@redhat.com>
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; either version 3 of the License, or
-+   (at your option) any later version.
-+
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "modules/vfs_virusfilter_utils.h"
-+
-+static virusfilter_result virusfilter_dummy_scan(
-+	struct vfs_handle_struct *handle,
-+	struct virusfilter_config *config,
-+	const struct files_struct *fsp,
-+	char **reportp)
-+{
-+	bool ok;
-+
-+	DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp));
-+	ok = is_in_path(fsp->fsp_name->base_name,
-+			config->infected_files,
-+			false);
-+	return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN;
-+}
-+
-+static struct virusfilter_backend_fns virusfilter_backend_dummy = {
-+	.connect = NULL,
-+	.disconnect = NULL,
-+	.scan_init = NULL,
-+	.scan = virusfilter_dummy_scan,
-+	.scan_end = NULL,
-+};
-+
-+int virusfilter_dummy_init(struct virusfilter_config *config)
-+{
-+	struct virusfilter_backend *backend = NULL;
-+
-+	backend = talloc_zero(config, struct virusfilter_backend);
-+	if (backend == NULL) {
-+		return -1;
-+	}
-+
-+	backend->fns = &virusfilter_backend_dummy;
-+	backend->name = "dummy";
-+	config->backend = backend;
-+	return 0;
-+}
-diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
-index 40df4539392..ff318c3fa06 100644
---- a/source3/modules/wscript_build
-+++ b/source3/modules/wscript_build
-@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter',
-                  vfs_virusfilter_sophos.c
-                  vfs_virusfilter_fsav.c
-                  vfs_virusfilter_clamav.c
-+                 vfs_virusfilter_dummy.c
-                  ''',
-                  deps='samba-util VFS_VIRUSFILTER_UTILS',
-                  init_function='',
--- 
-2.34.1
-
-
-From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 8 Feb 2022 22:35:29 +0100
-Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and
- 'virusfilter:infected files'
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969)
----
- docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
-index 329a35af68a..88f91d73a42 100644
---- a/docs-xml/manpages/vfs_virusfilter.8.xml
-+++ b/docs-xml/manpages/vfs_virusfilter.8.xml
-@@ -48,6 +48,10 @@
- 		  scanner</para></listitem>
- 		  <listitem><para><emphasis>clamav</emphasis>, the ClamAV
- 		  scanner</para></listitem>
-+		  <listitem><para><emphasis>dummy</emphasis>, dummy scanner used in
-+		  tests. Checks against the <emphasis>infected files</emphasis>
-+		  parameter and flags any name that matches as infected.
-+		  </para></listitem>
- 		</itemizedlist>
- 		</listitem>
- 		</varlistentry>
-@@ -264,6 +268,14 @@
- 		</listitem>
- 		</varlistentry>
- 
-+		<varlistentry>
-+		<term>virusfilter:infected files = empty</term>
-+		<listitem>
-+		<para>Files that virusfilter <emphasis>dummy</emphasis> flags as infected.</para>
-+		<para>If this option is not set, the default is empty.</para>
-+		</listitem>
-+		</varlistentry>
-+
- 		<varlistentry>
- 		<term>virusfilter:block access on error = false</term>
- 		<listitem>
--- 
-2.34.1
-
-
-From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 8 Feb 2022 15:34:56 +0100
-Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a)
----
- selftest/target/Samba3.pm | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 64a9a791a61..7584a0e7ba9 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -188,7 +188,7 @@ sub getlog_env_app($$$)
- 	close(LOG);
- 
- 	return "" if $out eq $title;
-- 
-+
- 	return $out;
- }
- 
-@@ -2426,7 +2426,7 @@ sub provision($$)
- 	my $nmbdsockdir="$prefix_abs/nmbd";
- 	unlink($nmbdsockdir);
- 
--	## 
-+	##
- 	## create the test directory layout
- 	##
- 	die ("prefix_abs = ''") if $prefix_abs eq "";
-@@ -3290,7 +3290,7 @@ sub provision($$)
- 	unless (open(PASSWD, ">$nss_wrapper_passwd")) {
-            warn("Unable to open $nss_wrapper_passwd");
-            return undef;
--        } 
-+        }
- 	print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
- $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
- pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
--- 
-2.34.1
-
-
-From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Tue, 8 Feb 2022 15:35:48 +0100
-Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
----
- selftest/knownfail.d/virus_scanner         |   2 +
- selftest/target/Samba3.pm                  |  12 ++
- source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++
- source3/selftest/tests.py                  |   9 ++
- 4 files changed, 147 insertions(+)
- create mode 100644 selftest/knownfail.d/virus_scanner
- create mode 100755 source3/script/tests/test_virus_scanner.sh
-
-diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
-new file mode 100644
-index 00000000000..6df3fd20627
---- /dev/null
-+++ b/selftest/knownfail.d/virus_scanner
-@@ -0,0 +1,2 @@
-+^samba3.blackbox.virus_scanner.check_infected_read  # test download infected file ('vfs objects = virusfilter')
-+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 7584a0e7ba9..c1d0c60d96a 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1688,6 +1688,9 @@ sub setup_fileserver
- 	my $veto_sharedir="$share_dir/veto";
- 	push(@dirs,$veto_sharedir);
- 
-+	my $virusfilter_sharedir="$share_dir/virusfilter";
-+	push(@dirs,$virusfilter_sharedir);
-+
- 	my $ip4 = Samba::get_ipv4_addr("FILESERVER");
- 	my $fileserver_options = "
- 	kernel change notify = yes
-@@ -1813,6 +1816,15 @@ sub setup_fileserver
- 	path = $veto_sharedir
- 	delete veto files = yes
- 
-+[virusfilter]
-+	path = $virusfilter_sharedir
-+	vfs objects = acl_xattr virusfilter
-+	virusfilter:scanner = dummy
-+	virusfilter:min file size = 0
-+	virusfilter:infected files = *infected*
-+	virusfilter:infected file action = rename
-+	virusfilter:scan on close = yes
-+
- [homes]
- 	comment = Home directories
- 	browseable = No
-diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh
-new file mode 100755
-index 00000000000..2234ea6ca89
---- /dev/null
-+++ b/source3/script/tests/test_virus_scanner.sh
-@@ -0,0 +1,124 @@
-+#!/bin/sh
-+# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
-+# shellcheck disable=1091
-+
-+if [ $# -lt 4 ]; then
-+cat <<EOF
-+Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
-+EOF
-+exit 1;
-+fi
-+
-+SERVER_IP=${1}
-+SHARE=${2}
-+LOCAL_PATH=${3}
-+SMBCLIENT=${4}
-+
-+SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
-+
-+failed=0
-+sharedir="${LOCAL_PATH}/${SHARE}"
-+
-+incdir="$(dirname "$0")/../../../testprogs/blackbox"
-+. "${incdir}/subunit.sh"
-+
-+check_infected_read()
-+{
-+    rm -rf "${sharedir:?}"/*
-+
-+    if ! touch "${sharedir}/infected.txt"; then
-+        echo "ERROR: Cannot create ${sharedir}/infected.txt"
-+        return 1
-+    fi
-+
-+    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
-+
-+    # check that virusfilter:rename prefix/suffix was added
-+    if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
-+        echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
-+        return 1
-+    fi
-+
-+    # check that file was not downloaded
-+    if [ -f "${sharedir}/infected.download.txt" ]; then
-+        echo "ERROR: {sharedir}/infected.download.txt should not exist."
-+        return 1
-+    fi
-+
-+    return 0
-+}
-+
-+check_infected_write()
-+{
-+    rm -rf "${sharedir:?}"/*
-+    smbfile=infected.upload.txt
-+    smbfilerenamed="virusfilter.${smbfile}.infected"
-+
-+    # non empty file is needed
-+    # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
-+    if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
-+        echo "ERROR: Cannot create ${sharedir}/infected.txt"
-+        return 1
-+    fi
-+
-+    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
-+
-+    # check that virusfilter:rename prefix/suffix was added
-+    if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
-+        echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
-+        return 1
-+    fi
-+
-+    # check that file was not uploaded
-+    if [ -f "${sharedir}/infected.upload.txt" ]; then
-+        echo "ERROR: {sharedir}/${smbfile} should not exist."
-+        return 1
-+    fi
-+
-+    return 0
-+}
-+
-+check_healthy_read()
-+{
-+    rm -rf "${sharedir:?}"/*
-+
-+    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
-+        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
-+        return 1
-+    fi
-+
-+    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
-+
-+    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
-+        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
-+        return 1
-+    fi
-+
-+    return 0
-+}
-+
-+check_healthy_write()
-+{
-+    rm -rf "${sharedir:?}"/*
-+
-+    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
-+        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
-+        return 1
-+    fi
-+
-+    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
-+
-+    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
-+        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
-+        return 1
-+    fi
-+
-+    return 0
-+}
-+
-+testit "check_infected_read"  check_infected_read  || failed=$((failed + 1))
-+testit "check_infected_write" check_infected_write || failed=$((failed + 1))
-+testit "check_healthy_read"   check_healthy_read   || failed=$((failed + 1))
-+testit "check_healthy_write"  check_healthy_write  || failed=$((failed + 1))
-+
-+testok "$0" "$failed"
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index 701be011f70..6b146c76381 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
-                '$SERVER_IP',
-                "tmp"])
- 
-+env = 'fileserver'
-+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
-+              [os.path.join(samba3srcdir,
-+                            "script/tests/test_virus_scanner.sh"),
-+               '$SERVER_IP',
-+               "virusfilter",
-+               '$LOCAL_PATH',
-+               smbclient3])
-+
- for env in ['fileserver', 'simpleserver']:
-     plantestsuite("samba3.blackbox.smbclient.encryption", env,
-                   [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),
--- 
-2.34.1
-
-
-From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
-Date: Mon, 7 Feb 2022 23:06:10 +0100
-Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
-
-Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184
-
-(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c)
----
- selftest/knownfail.d/virus_scanner | 2 --
- source3/modules/vfs_virusfilter.c  | 6 +++---
- 2 files changed, 3 insertions(+), 5 deletions(-)
- delete mode 100644 selftest/knownfail.d/virus_scanner
-
-diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
-deleted file mode 100644
-index 6df3fd20627..00000000000
---- a/selftest/knownfail.d/virus_scanner
-+++ /dev/null
-@@ -1,2 +0,0 @@
--^samba3.blackbox.virus_scanner.check_infected_read  # test download infected file ('vfs objects = virusfilter')
--^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
-diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
-index e6cbee7cd45..d1554967ad1 100644
---- a/source3/modules/vfs_virusfilter.c
-+++ b/source3/modules/vfs_virusfilter.c
-@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle,
- 		 */
- 		goto virusfilter_vfs_open_next;
- 	}
--	ret = S_ISREG(smb_fname->st.st_ex_mode);
-+	ret = S_ISREG(sbuf.st_ex_mode);
- 	if (ret == 0) {
- 		DBG_INFO("Not scanned: Directory or special file: %s/%s\n",
- 			 cwd_fname, fname);
- 		goto virusfilter_vfs_open_next;
- 	}
- 	if (config->max_file_size > 0 &&
--	    smb_fname->st.st_ex_size > config->max_file_size)
-+	    sbuf.st_ex_size > config->max_file_size)
- 	{
- 		DBG_INFO("Not scanned: file size > max file size: %s/%s\n",
- 			 cwd_fname, fname);
- 		goto virusfilter_vfs_open_next;
- 	}
- 	if (config->min_file_size > 0 &&
--	    smb_fname->st.st_ex_size < config->min_file_size)
-+	    sbuf.st_ex_size < config->min_file_size)
- 	{
- 		DBG_INFO("Not scanned: file size < min file size: %s/%s\n",
- 		      cwd_fname, fname);
--- 
-2.34.1
-
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 3aaa858..9d452c6 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -52,7 +52,9 @@
 # Build vfs_ceph module and ctdb cepth mutex helper by default on 64bit Fedora
 %if 0%{?fedora}
 
-%ifarch aarch64 ppc64le s390x x86_64
+# ppc64le excluded pending resolution of https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104172
+#%%ifarch aarch64 ppc64le s390x x86_64
+%ifarch aarch64 s390x x86_64
 %bcond_without vfs_cephfs
 %bcond_without ceph_mutex
 %else
@@ -69,7 +71,7 @@
 
 # Build vfs_gluster module by default on 64bit Fedora
 %global is_rhgs 0
-%if "%{dist}" == ".el8rhgs" || "%{dist}" == ".el9rhgs"
+%if "%{dist}" == ".el7rhgs" || "%{dist}" == ".el8rhgs"
 %global is_rhgs 1
 %endif
 
@@ -132,13 +134,13 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%global baserelease 10
+%global baserelease 2
 
-%global samba_version 4.15.5
+%global samba_version 4.16.4
 %global talloc_version 2.3.3
-%global tdb_version 1.4.4
-%global tevent_version 0.11.0
-%global ldb_version 2.4.1
+%global tdb_version 1.4.6
+%global tevent_version 0.12.0
+%global ldb_version 2.5.2
 # This should be rc1 or nil
 %global pre_release %nil
 
@@ -203,20 +205,8 @@ Source15:       samba.abignore
 Source201:      README.downgrade
 
 Patch0:         samba-s4u.patch
-Patch1:         samba-ctdb-etcd-reclock.patch
-Patch2:         samba-glibc-dns.patch
-Patch3:         samba-printing-win7.patch
-Patch4:         samba-disable-systemd-notifications.patch
-Patch5:         samba-disable-ntlmssp.patch
-Patch6:         samba-password-change-prompt.patch
-Patch7:         samba-virus_scanner.patch
-Patch8:         samba-4-15-fix-autorid.patch
-Patch9:         samba-4-15-fix-winbind-refresh-tickets.patch
-Patch10:        samba-4-15-fix-create-local-krb5-conf.patch
-Patch11:        samba-4-15-username-map.patch
-Patch12:        samba-4-15-kerberos-clock-skew.patch
-Patch13:        samba-4-15-smbd-upn.patch
-Patch14:        CVE-2022-32742-v4-15.patch
+# https://gitlab.com/samba-team/samba/-/merge_requests/2477
+Patch1:         samba-4.16-waf-crypto.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
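Review bot: The `Patch` list drops `CVE-2022-32742-v4-15.patch` and thirteen other patches in one step, and nothing next to the list records why that is safe. The only trace is the 4.16.4-1 changelog entry, which covers the CVE but not the rest. Patches such as `samba-disable-ntlmssp.patch` and `samba-disable-systemd-notifications.patch` may be downstream behaviour changes rather than backports (their content is not visible here), so it is worth confirming each one is either upstream in 4.16.4 or dropped on purpose. A short comment above `Patch0`, for example `# 4.15 backports, incl. CVE-2022-32742, dropped: contained in the 4.16.4 tarball`, would keep that decision auditable at the next rebase.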
@@ -338,7 +328,7 @@ BuildRequires: python3-etcd
 # Add python3-iso8601 to avoid that the
 # version in Samba is being packaged
 BuildRequires: python3-iso8601
-BuildRequires: python3-pyasn1
+BuildRequires: python3-pyasn1 >= 0.4.8
 
 BuildRequires: bind
 BuildRequires: krb5-server >= %{required_mit_krb5}
@@ -375,12 +365,18 @@ BuildRequires: lmdb-devel
 %if %{with dc} || %{with testsuite}
 BuildRequires: bind
 BuildRequires: krb5-server >= %{required_mit_krb5}
-BuildRequires: ldb-tools
 BuildRequires: python3-gpg
 BuildRequires: python3-markdown
 BuildRequires: python3-setproctitle
 BuildRequires: python3-cryptography
+
+%if %{without includelibs}
 BuildRequires: tdb-tools
+BuildRequires: ldb-tools
+#endif without includelibs
+%endif
+
+#endif with dc || with testsuite
 %endif
 
 # filter out perl requirements pulled in from examples in the docdir.
@@ -439,8 +435,10 @@ SMB/CIFS clients.
 Summary: Files used by both Samba servers and clients
 BuildArch: noarch
 
-Requires(post): systemd
+Requires(post): (systemd-standalone-tmpfiles or systemd)
+%if 0%{?fedora}
 Recommends:     logrotate
+%endif
 
 Provides: samba4-common = %{samba_depver}
 Obsoletes: samba4-common < %{samba_depver}
@@ -503,6 +501,8 @@ Requires: python3-%{name} = %{samba_depver}
 # samba-tool needs tdbbackup
 Requires: tdb-tools
 %if %{with dc}
+# samba-tool needs python3-samba-dc on a full build
+Requires: python3-%{name}-dc = %{samba_depver}
 # samba-tool needs mdb_copy for domain backup or upgrade provision
 Requires: lmdb
 %endif
@@ -518,6 +518,8 @@ SMB/CIFS clients.
 %package dc
 Summary: Samba AD Domain Controller
 Requires: %{name} = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-dc-provision = %{samba_depver}
 Requires: %{name}-dc-libs = %{samba_depver}
@@ -558,6 +560,7 @@ The samba-dc-provision package provides files to setup a domain controller
 ### DC-LIBS
 %package dc-libs
 Summary: Samba AD Domain Controller Libraries
+Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 
@@ -573,9 +576,11 @@ link against the SMB, RPC and other protocols.
 ### DC-BIND
 %package dc-bind-dlz
 Summary: Bind DLZ module for Samba AD
+Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-dc-libs = %{samba_depver}
 Requires: %{name}-dc = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
 Requires: bind
 
 Provides: bundled(libreplace)
@@ -591,6 +596,9 @@ name server related details of Samba AD.
 Summary: Developer tools for Samba libraries
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
+%if %{with dc}
+Requires: %{name}-dc-libs = %{samba_depver}
+%endif
 
 Provides: samba4-devel = %{samba_depver}
 Obsoletes: samba4-devel < %{samba_depver}
@@ -605,6 +613,7 @@ libraries in the Samba suite.
 %package vfs-cephfs
 Summary: Samba VFS module for Ceph distributed storage system
 Requires: %{name} = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 
 Provides: bundled(libreplace)
@@ -740,6 +749,9 @@ Summary: Samba Python3 libraries
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
+%if %{with dc}
+Requires: %{name}-dc-libs = %{samba_depver}
+%endif
 Requires: python3-talloc
 Requires: python3-tevent
 Requires: python3-tdb
@@ -778,6 +790,8 @@ If you want to run full set of Samba tests, you need to install this package.
 %if %{with dc} || %{with testsuite}
 %package -n python3-samba-dc
 Summary: Samba Python libraries for Samba AD
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-dc-libs = %{samba_depver}
 Requires: python3-%{name} = %{samba_depver}
 
 %description -n python3-samba-dc
@@ -1031,6 +1045,7 @@ and use CTDB instead.
 Summary: CTDB PCP pmda support
 Requires: ctdb = %{samba_depver}
 Requires: pcp-libs
+Requires: %{name}-client-libs = %{samba_depver}
 
 %description -n ctdb-pcp-pmda
 Performance Co-Pilot (PCP) support for CTDB
@@ -1072,6 +1087,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB
 xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %autosetup -n samba-%{version}%{pre_release} -p1
 
+# Ensure we rely on GnuTLS and do not build any other crypto code shipping with
+# the sources.
+rm -rf third_party/{aesni-intel,heimdal}
+rm -f lib/crypto/{aes,rijndael}*.c
+
 %build
 %if %{with includelibs}
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
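Review bot: The two `rm` lines added after `%autosetup` cannot fail, because `rm -rf` and `rm -f` exit 0 when a path or glob matches nothing. If upstream moves or renames the bundled crypto sources, the build would carry on with them still in the tree and nothing would flag that the GnuTLS-only guarantee in the comment no longer holds. If these paths are expected to exist in every 4.16.x tarball, dropping the force flags makes the step self-checking: `rm -r third_party/{aesni-intel,heimdal}` and `rm lib/crypto/{aes,rijndael}*.c`. A failure in `%prep` then signals that the list needs revisiting.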
@@ -1086,7 +1106,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 #endif with includelibs
 %endif
 
-%global _samba_libraries !zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib}
+%global _samba_libraries !popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib}
 
 %global _samba_idmap_modules idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2
 %global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4
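Review bot: Dropping `!zlib` from `_samba_libraries` removes the only visible statement that zlib must come from the system. How the macro is consumed is outside this hunk, but if it feeds the bundled-libraries configure option and the 4.16.4 tree still ships its own zlib, the build could link that copy and miss distro zlib security updates. If upstream no longer bundles zlib, a one-line comment such as `# zlib is no longer bundled upstream, so !zlib is not needed` would explain the removal; otherwise `!zlib` should stay.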
@@ -1625,7 +1645,17 @@ fi
 %{_libdir}/samba/vfs/nfs4acl_xattr.so
 %endif
 
+%dir %{_libexecdir}/samba
 %{_libexecdir}/samba/samba-bgqd
+%{_libexecdir}/samba/samba-dcerpcd
+%{_libexecdir}/samba/rpcd_classic
+%{_libexecdir}/samba/rpcd_epmapper
+%{_libexecdir}/samba/rpcd_fsrvp
+%{_libexecdir}/samba/rpcd_lsad
+%{_libexecdir}/samba/rpcd_mdssvc
+%{_libexecdir}/samba/rpcd_rpcecho
+%{_libexecdir}/samba/rpcd_spoolss
+%{_libexecdir}/samba/rpcd_winreg
 
 %dir %{_datadir}/samba
 %dir %{_datadir}/samba/mdssvc
@@ -1639,6 +1669,7 @@ fi
 %{_mandir}/man1/smbstatus.1*
 %{_mandir}/man8/eventlogadm.8*
 %{_mandir}/man8/samba-bgqd.8*
+%{_mandir}/man8/samba-dcerpcd.8*
 %{_mandir}/man8/smbd.8*
 %{_mandir}/man8/nmbd.8*
 %{_mandir}/man8/vfs_acl_tdb.8*
@@ -1653,6 +1684,7 @@ fi
 %{_mandir}/man8/vfs_crossrename.8*
 %{_mandir}/man8/vfs_default_quota.8*
 %{_mandir}/man8/vfs_dirsort.8*
+%{_mandir}/man8/vfs_expand_msdfs.8*
 %{_mandir}/man8/vfs_extd_audit.8*
 %{_mandir}/man8/vfs_fake_perms.8*
 %{_mandir}/man8/vfs_fileid.8*
@@ -1863,7 +1895,6 @@ fi
 
 %if %{without libwbclient}
 %{_libdir}/samba/libwbclient.so.*
-%{_libdir}/samba/libwinbind-client-samba4.so
 #endif without libwbclient
 %endif
 
@@ -2071,6 +2102,7 @@ fi
 %{_libdir}/samba/bind9/dlz_bind9_12.so
 %{_libdir}/samba/bind9/dlz_bind9_14.so
 %{_libdir}/samba/bind9/dlz_bind9_16.so
+%{_libdir}/samba/bind9/dlz_bind9_18.so
 #endif with dc
 %endif
 
@@ -2243,6 +2275,9 @@ fi
 %{_libdir}/samba/libshares-samba4.so
 %{_libdir}/samba/libsmbpasswdparser-samba4.so
 %{_libdir}/samba/libxattr-tdb-samba4.so
+%{_libdir}/samba/libREG-FULL-samba4.so
+%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so
+%{_libdir}/samba/libRPC-WORKER-samba4.so
 
 ### LIBSMBCLIENT
 %if %{with libsmbclient}
@@ -2262,7 +2297,6 @@ fi
 %if %{with libwbclient}
 %files -n libwbclient
 %{_libdir}/samba/wbclient/libwbclient.so.*
-%{_libdir}/samba/libwinbind-client-samba4.so
 
 ### LIBWBCLIENT-DEVEL
 %files -n libwbclient-devel
@@ -2333,7 +2367,11 @@ fi
 %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc
 %{python3_sitearch}/samba/__pycache__/getopt.*.pyc
 %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc
+%{python3_sitearch}/samba/__pycache__/gp_cert_auto_enroll_ext.*.pyc
+%{python3_sitearch}/samba/__pycache__/gp_chromium_ext.*.pyc
 %{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc
+%{python3_sitearch}/samba/__pycache__/gp_firefox_ext.*.pyc
+%{python3_sitearch}/samba/__pycache__/gp_firewalld_ext.*.pyc
 %{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc
 %{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc
 %{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc
@@ -2449,7 +2487,11 @@ fi
 %{python3_sitearch}/samba/emulate/__init__.py
 %{python3_sitearch}/samba/emulate/traffic.py
 %{python3_sitearch}/samba/emulate/traffic_packets.py
+%{python3_sitearch}/samba/gp_cert_auto_enroll_ext.py
+%{python3_sitearch}/samba/gp_chromium_ext.py
 %{python3_sitearch}/samba/gp_ext_loader.py
+%{python3_sitearch}/samba/gp_firefox_ext.py
+%{python3_sitearch}/samba/gp_firewalld_ext.py
 %{python3_sitearch}/samba/gp_msgs_ext.py
 %{python3_sitearch}/samba/gp_smb_conf_ext.py
 %{python3_sitearch}/samba/gp_sudoers_ext.py
@@ -2766,6 +2808,7 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/source.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/source_chars.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc
@@ -2934,15 +2977,17 @@ fi
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc
@@ -2959,26 +3004,28 @@ fi
 %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
 %{python3_sitearch}/samba/tests/krb5/kdc_tests.py
 %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
+%{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py
 %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
+%{python3_sitearch}/samba/tests/krb5/pac_align_tests.py
 %{python3_sitearch}/samba/tests/krb5/raw_testcase.py
 %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py
 %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py
 %{python3_sitearch}/samba/tests/krb5/rodc_tests.py
-%{python3_sitearch}/samba/tests/krb5/salt_tests.py
 %{python3_sitearch}/samba/tests/krb5/simple_tests.py
-%{python3_sitearch}/samba/tests/krb5/spn_tests.py
-%{python3_sitearch}/samba/tests/krb5/test_ccache.py
 %{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py
+%{python3_sitearch}/samba/tests/krb5/test_ccache.py
 %{python3_sitearch}/samba/tests/krb5/test_ldap.py
 %{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py
 %{python3_sitearch}/samba/tests/krb5/test_rpc.py
 %{python3_sitearch}/samba/tests/krb5/test_smb.py
 %{python3_sitearch}/samba/tests/krb5/s4u_tests.py
+%{python3_sitearch}/samba/tests/krb5/salt_tests.py
+%{python3_sitearch}/samba/tests/krb5/spn_tests.py
 %{python3_sitearch}/samba/tests/krb5/xrealm_tests.py
 %{python3_sitearch}/samba/tests/krb5_credentials.py
 %{python3_sitearch}/samba/tests/ldap_raw.py
-%{python3_sitearch}/samba/tests/ldap_referrals.py
 %{python3_sitearch}/samba/tests/ldap_spn.py
+%{python3_sitearch}/samba/tests/ldap_referrals.py
 %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py
 %{python3_sitearch}/samba/tests/libsmb.py
 %{python3_sitearch}/samba/tests/loadparm.py
@@ -3042,6 +3089,7 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_lmdb_size.*.pyc
+%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_member.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ntacl.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ou.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/passwordsettings.*.pyc
@@ -3078,6 +3126,7 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/help.py
 %{python3_sitearch}/samba/tests/samba_tool/join.py
 %{python3_sitearch}/samba/tests/samba_tool/join_lmdb_size.py
+%{python3_sitearch}/samba/tests/samba_tool/join_member.py
 %{python3_sitearch}/samba/tests/samba_tool/ntacl.py
 %{python3_sitearch}/samba/tests/samba_tool/ou.py
 %{python3_sitearch}/samba/tests/samba_tool/passwordsettings.py
@@ -3109,6 +3158,7 @@ fi
 %{python3_sitearch}/samba/tests/smbd_base.py
 %{python3_sitearch}/samba/tests/smbd_fuzztest.py
 %{python3_sitearch}/samba/tests/source.py
+%{python3_sitearch}/samba/tests/source_chars.py
 %{python3_sitearch}/samba/tests/strings.py
 %{python3_sitearch}/samba/tests/subunitrun.py
 %{python3_sitearch}/samba/tests/tdb_util.py
@@ -3130,7 +3180,6 @@ fi
 %{_mandir}/man1/masktest.1*
 %{_mandir}/man1/ndrdump.1*
 %{_mandir}/man1/smbtorture.1*
-%{_mandir}/man1/vfstest.1*
 
 %if %{with testsuite}
 # files to ignore in testsuite mode
@@ -4114,21 +4163,39 @@ fi
 %endif
 
 %changelog
-* Mon Sep 12 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-10
-- resolves: rhbz#2126041 - Do not require samba package in python3-samba
+* Thu Aug 25 2022 Andreas Schneider <asn@redhat.com> - 4.16.4-2
+- resolves: rhbz#2120956 - Do not require samba package in python3-samba
 
-* Fri Sep 09 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-9
-- Fix CVE-2022-32742
-- resolves: rhbz#2125552
+* Thu Jul 28 2022 Andreas Schneider <asn@redhat.com> - 4.16.4-1
+- Rebase to version 4.16.4
+- resolves: rhbz#2108331 - Fix CVE-2022-32742
+
+* Mon Jul 18 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.3-0
+- related: rhbz#2077468 - Rebase Samba to 4.16.3
+- resolves: rhbz#2106672 - The pcap background queue process should not be stopped
+- resolves: rhbz#2106263 - Fix crash in rpcd_classic
+- resolves: rhbz#2100093 - Fix net ads info returns LDAP server and LDAP server name
+
+* Tue Jun 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.2-1
+- resolves: rhbz#2084162 - Fix printer displays only after 300 seconds timeout
+
+* Mon Jun 13 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.2-0
+- Fix rpminspect abidiff
+- related: rhbz#2077468 - Rebase Samba to 4.16.2
+
+* Mon May 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.1-0
+- Update to Samba 4.16.1
+- resolves: rhbz#2077468 Rebase Samba to the the latest 4.16.x release
 
 * Wed Apr 27 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-8
-- resolves: rhbz#2079303 - Fix username map for unix groups
-- resolves: rhbz#2079299 - PAM Kerberos authentication fails with a clock skew error
-- resolves: rhbz#2079304 - Fix UPNs handling in lookup_name*() calls
+- resolves: rhbz#2070522 - Fix UPNs handling in lookup_name*() calls
+
+* Wed Apr 20 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-7
+- resolves: rhbz#2076505 - PAM Kerberos authentication fails with a clock skew error
 
-* Wed Mar 16 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-5
-- resolves: rhbz#2064325 - Fix 'create krb5 conf = yes` when a KDC has a
-                           single IP address.
+* Wed Apr 13 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-6
+- resolves: rhbz#2059151 - Fix username map for unix groups
+- resolves: rhbz#2065212 - Fix 'create krb5 conf = yes` when a KDC has a single IP address.
 
 * Thu Feb 24 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-4
 - resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh