diff --git a/SOURCES/samba-4.16-share-enum.patch b/SOURCES/samba-4.16-share-enum.patch
new file mode 100644
index 0000000..d21ab77
--- /dev/null
+++ b/SOURCES/samba-4.16-share-enum.patch
@@ -0,0 +1,59 @@
+From 5c8e34cae96ee65d34da61801a0f04c562006369 Mon Sep 17 00:00:00 2001
+From: Andrew <awalker@ixsystems.com>
+Date: Fri, 16 Dec 2022 08:16:10 -0800
+Subject: [PATCH] rpc_server:srvsvc - retrieve share ACL via root context
+
+share_info.tdb has permissions of 0o600 and so we need
+to become_root() prior to retrieving the security info.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15265
+
+Signed-off-by: Andrew Walker <awalker@ixsystems.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Mon Dec 19 20:41:15 UTC 2022 on sn-devel-184
+
+(cherry picked from commit 80c0b416892bfacc0d919fe032461748d7962f05)
+---
+ source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+index 233718ff310..fbc617c3ac1 100644
+--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
++++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+@@ -540,6 +540,7 @@ static bool is_hidden_share(int snum)
+ static bool is_enumeration_allowed(struct pipes_struct *p,
+ int snum)
+ {
++ bool allowed;
+ struct dcesrv_call_state *dce_call = p->dce_call;
+ struct auth_session_info *session_info =
+ dcesrv_call_session_info(dce_call);
+@@ -556,9 +557,19 @@ static bool is_enumeration_allowed(struct pipes_struct *p,
+ return false;
+ }
+
+- return share_access_check(session_info->security_token,
+- lp_servicename(talloc_tos(), lp_sub, snum),
+- FILE_READ_DATA, NULL);
++
++ /*
++ * share_access_check() must be opened as root
++ * because it ultimately gets a R/W db handle on share_info.tdb
++ * which has 0o600 permissions
++ */
++ become_root();
++ allowed = share_access_check(session_info->security_token,
++ lp_servicename(talloc_tos(), lp_sub, snum),
++ FILE_READ_DATA, NULL);
++ unbecome_root();
++
++ return allowed;
+ }
+
+ /****************************************************************************
+--
+2.34.1
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 4bbf480..87cfd3e 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -134,7 +134,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
-%global baserelease 4
+%global baserelease 6
%global samba_version 4.16.4
%global talloc_version 2.3.3
@@ -209,6 +209,7 @@ Patch0: samba-s4u.patch
Patch1: samba-4.16-waf-crypto.patch
Patch2: CVE-2022-38023-v4-16.patch
Patch3: CVE-2022-38023-for-s3-v4-16.patch
+Patch4: samba-4.16-share-enum.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@@ -221,6 +222,7 @@ Requires: %{name}-common-libs = %{samba_depver}
Requires: %{name}-common-tools = %{samba_depver}
Requires: %{name}-client-libs = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-dcerpc = %{samba_depver}
%if %{with libwbclient}
Requires(post): libwbclient = %{samba_depver}
Requires: libwbclient = %{samba_depver}
@@ -490,7 +492,7 @@ SMB/CIFS clients.
### COMMON-TOOLS
%package common-tools
-Summary: Tools for Samba servers and clients
+Summary: Tools for Samba clients
Requires: samba-common-libs = %{samba_depver}
Requires: samba-client-libs = %{samba_depver}
Requires: samba-libs = %{samba_depver}
@@ -498,22 +500,41 @@ Requires: samba-libs = %{samba_depver}
Requires: libwbclient = %{samba_depver}
%endif
+Provides: bundled(libreplace)
+
+%description common-tools
+The samba-common-tools package contains tools for SMB/CIFS clients.
+
+### SAMBA-TOOLS
+%package tools
+Summary: Tools for Samba servers
# samba-tool needs python3-samba
Requires: python3-%{name} = %{samba_depver}
# samba-tool needs tdbbackup
Requires: tdb-tools
-%if %{with dc}
-# samba-tool needs python3-samba-dc on a full build
+# samba-tool needs python3-samba-dc also on non-dc build
Requires: python3-%{name}-dc = %{samba_depver}
+%if %{with dc}
# samba-tool needs mdb_copy for domain backup or upgrade provision
Requires: lmdb
%endif
-Provides: bundled(libreplace)
+%description tools
+The samba-tools package contains tools for Samba servers
+and for GPO management on domain members.
-%description common-tools
-The samba-common-tools package contains tools for Samba servers and
-SMB/CIFS clients.
+### RPC
+%package dcerpc
+Summary: DCE RPC binaries
+Requires: samba-common-libs = %{samba_depver}
+Requires: samba-client-libs = %{samba_depver}
+Requires: samba-libs = %{samba_depver}
+%if %{with libwbclient}
+Requires: libwbclient = %{samba_depver}
+%endif
+
+%description dcerpc
+The samba-dcerpc package contains binaries that serve DCERPC over named pipes.
### DC
%if %{with dc} || %{with testsuite}
@@ -559,6 +580,9 @@ BuildArch: noarch
%description dc-provision
The samba-dc-provision package provides files to setup a domain controller
+#endif with dc || with testsuite
+%endif
+
### DC-LIBS
%package dc-libs
Summary: Samba AD Domain Controller Libraries
@@ -575,6 +599,7 @@ Provides: bundled(libreplace)
The %{name}-dc-libs package contains the libraries needed by the DC to
link against the SMB, RPC and other protocols.
+%if %{with dc} || %{with testsuite}
### DC-BIND
%package dc-bind-dlz
Summary: Bind DLZ module for Samba AD
@@ -751,9 +776,7 @@ Summary: Samba Python3 libraries
Requires: %{name}-client-libs = %{samba_depver}
Requires: %{name}-common-libs = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
-%if %{with dc}
Requires: %{name}-dc-libs = %{samba_depver}
-%endif
Requires: python3-talloc
Requires: python3-tevent
Requires: python3-tdb
@@ -789,7 +812,6 @@ Requires: %{name}-libs = %{samba_depver}
The python3-%{name}-test package contains the Python libraries used by the test suite of Samba.
If you want to run full set of Samba tests, you need to install this package.
-%if %{with dc} || %{with testsuite}
%package -n python3-samba-dc
Summary: Samba Python libraries for Samba AD
Requires: %{name}-client-libs = %{samba_depver}
@@ -799,7 +821,6 @@ Requires: python3-%{name} = %{samba_depver}
%description -n python3-samba-dc
The python3-%{name}-dc package contains the Python libraries needed by programs
to manage Samba AD.
-%endif
### PIDL
%package pidl
@@ -881,11 +902,13 @@ Requires(post): %{name}-client-libs = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
Requires(post): %{name}-libs = %{samba_depver}
Requires: %{name}-winbind-modules = %{samba_depver}
+Recommends: %{name}-tools = %{samba_depver}
%if %{with libwbclient}
Requires(post): libwbclient = %{samba_depver}
Requires: libwbclient = %{samba_depver}
%endif
+Requires: %{name}-dcerpc = %{samba_depver}
Provides: samba4-winbind = %{samba_depver}
Obsoletes: samba4-winbind < %{samba_depver}
@@ -987,6 +1010,7 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB)
Requires: %{name}-common-libs = %{samba_depver}
Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-winbind-clients = %{samba_depver}
Requires: coreutils
# for ps and killall
@@ -1292,62 +1316,18 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%if %{without dc} && %{without testsuite}
for i in \
- %{_libdir}/samba/libdfs-server-ad-samba4.so \
- %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \
- %{_libdir}/samba/libscavenge-dns-records-samba4.so \
%{_mandir}/man8/samba.8 \
%{_mandir}/man8/samba_downgrade_db.8 \
%{_mandir}/man8/samba-gpupdate.8 \
%{_libdir}/samba/ldb/ildap.so \
%{_libdir}/samba/ldb/ldbsamba_extensions.so \
%{_unitdir}/samba.service \
- %{python3_sitearch}/samba/dcerpc/dnsserver.*.so \
- %{python3_sitearch}/samba/dnsserver.py \
- %{python3_sitearch}/samba/domain_update.py \
- %{python3_sitearch}/samba/forest_update.py \
- %{python3_sitearch}/samba/kcc/__init__.py \
- %{python3_sitearch}/samba/kcc/debug.py \
- %{python3_sitearch}/samba/kcc/graph.py \
- %{python3_sitearch}/samba/kcc/graph_utils.py \
- %{python3_sitearch}/samba/kcc/kcc_utils.py \
- %{python3_sitearch}/samba/kcc/ldif_import_export.py \
- %{python3_sitearch}/samba/kcc/__pycache__/__init__.*.pyc \
- %{python3_sitearch}/samba/kcc/__pycache__/debug.*.pyc \
- %{python3_sitearch}/samba/kcc/__pycache__/graph.*.pyc \
- %{python3_sitearch}/samba/kcc/__pycache__/graph_utils.*.pyc \
- %{python3_sitearch}/samba/kcc/__pycache__/kcc_utils.*.pyc \
- %{python3_sitearch}/samba/kcc/__pycache__/ldif_import_export.*.pyc \
- %{python3_sitearch}/samba/ms_forest_updates_markdown.py \
- %{python3_sitearch}/samba/ms_schema_markdown.py \
- %{python3_sitearch}/samba/provision/__init__.py \
- %{python3_sitearch}/samba/provision/backend.py \
- %{python3_sitearch}/samba/provision/common.py \
- %{python3_sitearch}/samba/provision/kerberos_implementation.py \
- %{python3_sitearch}/samba/provision/kerberos.py \
- %{python3_sitearch}/samba/provision/sambadns.py \
- %{python3_sitearch}/samba/provision/__pycache__/__init__.*.pyc \
- %{python3_sitearch}/samba/provision/__pycache__/backend.*.pyc \
- %{python3_sitearch}/samba/provision/__pycache__/common.*.pyc \
- %{python3_sitearch}/samba/provision/__pycache__/kerberos_implementation.*.pyc \
- %{python3_sitearch}/samba/provision/__pycache__/kerberos.*.pyc \
- %{python3_sitearch}/samba/provision/__pycache__/sambadns.*.pyc \
- %{python3_sitearch}/samba/__pycache__/domain_update.*.pyc \
- %{python3_sitearch}/samba/__pycache__/forest_update.*.pyc \
- %{python3_sitearch}/samba/__pycache__/ms_forest_updates_markdown.*.pyc \
- %{python3_sitearch}/samba/__pycache__/ms_schema_markdown.*.pyc \
- %{python3_sitearch}/samba/__pycache__/remove_dc.*.pyc \
- %{python3_sitearch}/samba/__pycache__/schema.*.pyc \
- %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc \
- %{python3_sitearch}/samba/remove_dc.py \
- %{python3_sitearch}/samba/samdb.py \
- %{python3_sitearch}/samba/schema.py \
%{python3_sitearch}/samba/third_party/iso8601/__init__.py \
%{python3_sitearch}/samba/third_party/iso8601/__pycache__/__init__.*.pyc \
%{python3_sitearch}/samba/third_party/iso8601/__pycache__/iso8601.*.pyc \
%{python3_sitearch}/samba/third_party/iso8601/__pycache__/test_iso8601.*.pyc \
%{python3_sitearch}/samba/third_party/iso8601/iso8601.py \
%{python3_sitearch}/samba/third_party/iso8601/test_iso8601.py \
- %{python3_sitearch}/samba/uptodateness.py \
%{_sbindir}/samba-gpupdate \
; do
rm -f %{buildroot}$i
@@ -1649,15 +1629,6 @@ fi
%dir %{_libexecdir}/samba
%{_libexecdir}/samba/samba-bgqd
-%{_libexecdir}/samba/samba-dcerpcd
-%{_libexecdir}/samba/rpcd_classic
-%{_libexecdir}/samba/rpcd_epmapper
-%{_libexecdir}/samba/rpcd_fsrvp
-%{_libexecdir}/samba/rpcd_lsad
-%{_libexecdir}/samba/rpcd_mdssvc
-%{_libexecdir}/samba/rpcd_rpcecho
-%{_libexecdir}/samba/rpcd_spoolss
-%{_libexecdir}/samba/rpcd_winreg
%dir %{_datadir}/samba
%dir %{_datadir}/samba/mdssvc
@@ -1671,7 +1642,6 @@ fi
%{_mandir}/man1/smbstatus.1*
%{_mandir}/man8/eventlogadm.8*
%{_mandir}/man8/samba-bgqd.8*
-%{_mandir}/man8/samba-dcerpcd.8*
%{_mandir}/man8/smbd.8*
%{_mandir}/man8/nmbd.8*
%{_mandir}/man8/vfs_acl_tdb.8*
@@ -1962,11 +1932,11 @@ fi
%{_libdir}/samba/pdb/smbpasswd.so
%{_libdir}/samba/pdb/tdbsam.so
+### COMMON-TOOLS
%files common-tools
%{_bindir}/net
%{_bindir}/pdbedit
%{_bindir}/profiles
-%{_bindir}/samba-tool
%{_bindir}/smbcontrol
%{_bindir}/smbpasswd
%{_bindir}/testparm
@@ -1975,9 +1945,27 @@ fi
%{_mandir}/man1/testparm.1*
%{_mandir}/man8/net.8*
%{_mandir}/man8/pdbedit.8*
-%{_mandir}/man8/samba-tool.8*
%{_mandir}/man8/smbpasswd.8*
+### TOOLS
+%files tools
+%{_bindir}/samba-tool
+%{_mandir}/man8/samba-tool.8*
+
+### RPC
+%files dcerpc
+%dir %{_libexecdir}/samba
+%{_libexecdir}/samba/samba-dcerpcd
+%{_libexecdir}/samba/rpcd_classic
+%{_libexecdir}/samba/rpcd_epmapper
+%{_libexecdir}/samba/rpcd_fsrvp
+%{_libexecdir}/samba/rpcd_lsad
+%{_libexecdir}/samba/rpcd_mdssvc
+%{_libexecdir}/samba/rpcd_rpcecho
+%{_libexecdir}/samba/rpcd_spoolss
+%{_libexecdir}/samba/rpcd_winreg
+%{_mandir}/man8/samba-dcerpcd.8*
+
### DC
%if %{with dc} || %{with testsuite}
%files dc
@@ -1993,7 +1981,6 @@ fi
%{_libdir}/krb5/plugins/kdb/samba.so
%{_libdir}/samba/auth/samba4.so
-%{_libdir}/samba/libpac-samba4.so
%dir %{_libdir}/samba/gensec
%{_libdir}/samba/gensec/krb5.so
%{_libdir}/samba/ldb/acl.so
@@ -2058,9 +2045,15 @@ fi
%license source4/setup/ad-schema/licence.txt
%{_datadir}/samba/setup
+#endif with dc || with testsuite
+%endif
### DC-LIBS
%files dc-libs
+%{_libdir}/samba/libauth4-samba4.so
+
+%if %{with dc} || %{with testsuite}
%{_libdir}/samba/libdb-glue-samba4.so
+%{_libdir}/samba/libpac-samba4.so
%{_libdir}/samba/libprocess-model-samba4.so
%{_libdir}/samba/libservice-samba4.so
@@ -2270,7 +2263,6 @@ fi
%{_libdir}/libdcerpc-samr.so.*
%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so
-%{_libdir}/samba/libauth4-samba4.so
%{_libdir}/samba/libauth-unix-token-samba4.so
%{_libdir}/samba/libdcerpc-samba4.so
%{_libdir}/samba/libdnsserver-common-samba4.so
@@ -2642,7 +2634,6 @@ fi
%{_libdir}/libsamba-policy.*.so
%{_libdir}/pkgconfig/samba-policy.*.pc
-%if %{with dc} || %{with testsuite}
%files -n python3-%{name}-dc
%{python3_sitearch}/samba/samdb.py
%{python3_sitearch}/samba/schema.py
@@ -2658,7 +2649,9 @@ fi
%{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc
%{python3_sitearch}/samba/dcerpc/dnsserver.*.so
+%if %{with dc} || %{with testsuite}
%{python3_sitearch}/samba/dckeytab.*.so
+%endif
%{python3_sitearch}/samba/domain_update.py
%{python3_sitearch}/samba/forest_update.py
%{python3_sitearch}/samba/ms_forest_updates_markdown.py
@@ -2699,7 +2692,6 @@ fi
%{python3_sitearch}/samba/remove_dc.py
%{python3_sitearch}/samba/uptodateness.py
-%endif
%files -n python3-%{name}-test
%dir %{python3_sitearch}/samba/tests
@@ -4165,6 +4157,15 @@ fi
%endif
%changelog
+* Thu Feb 16 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.16.4-6
+- resolves: rhbz#2170468 - Remove libnetapi dependency from dcerpc
+
+* Thu Feb 16 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.16.4-5
+- resolves: rhbz#2170394 - Fix share enum
+- resolves: rhbz#2170467 - Add to package ctdb dependency for package samba-winbind-clients
+- resolves: rhbz#2170468 - Add package dcerpc - fix winbind to retrieve user groups from AD
+- resolves: rhbz#2170469 - Create package samba-tools
+
* Mon Jan 16 2023 Andreas Schneider <asn@redhat.com> - 4.16.4-4
- related: rhbz#2154369 - Add additional patch for CVE-2022-38023