diff --git a/.gitignore b/.gitignore index 0db09e0..4dcddf1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.14.5.tar.xz +SOURCES/samba-4.15.2.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index 707bb47..12ae262 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -46925b3ed9f63b1b936f2271253fdccccbf1575f SOURCES/samba-4.14.5.tar.xz +4ab5db6dd0103af6dce93c5931729849774aa45e SOURCES/samba-4.15.2.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch b/SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch deleted file mode 100644 index de8d813..0000000 --- a/SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 4b192aaf503ea7f5eba27b6e43edcfe54ac6c5a6 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 26 May 2021 15:04:08 +0200 -Subject: [PATCH] s3:modules: Reduce debug level if file doesn't exists on dfs - share - -There is software out there trying to open desktop.ini in every -directory. Avoid spamming the logs with error messages. - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Fri Jun 18 18:14:11 UTC 2021 on sn-devel-184 - -(cherry picked from commit 4079efae76718a84a4cf24b6613cdc53cdb2dd39) ---- - source3/modules/vfs_default.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c -index 8d592bbad64..ea036b24ddf 100644 ---- a/source3/modules/vfs_default.c -+++ b/source3/modules/vfs_default.c -@@ -476,10 +476,17 @@ static NTSTATUS vfswrap_read_dfs_pathat(struct vfs_handle_struct *handle, - status = NT_STATUS_OBJECT_TYPE_MISMATCH; - } else { - status = map_nt_error_from_unix(errno); -- DBG_ERR("Error reading " -- "msdfs link %s: %s\n", -- smb_fname->base_name, -- strerror(errno)); -+ if (errno == ENOENT) { -+ DBG_NOTICE("Error reading " -+ "msdfs link %s: %s\n", -+ smb_fname->base_name, -+ strerror(errno)); -+ } else { -+ DBG_ERR("Error reading " -+ "msdfs link %s: %s\n", -+ smb_fname->base_name, -+ strerror(errno)); -+ } - } - goto err; - } --- -2.31.1 - diff --git a/SOURCES/samba-4.14.5.tar.asc b/SOURCES/samba-4.14.5.tar.asc deleted file mode 100644 index 24e5294..0000000 --- a/SOURCES/samba-4.14.5.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmC14EsACgkQqplEL7aA -tiDWUA//b0Dj/dJozZY/Q6OI9UjPNL9nvPGqpKF0Sl2sW5jO1KWdcq1OZk+H6eO5 -gaX9nuH8Qo/IMxVRIPZVW6lXwsLzSdAOhwPAV02D/feSNfuld078v5yN1My2x6gH -tmfEVXZJjNkObhLDz0Wgq3mxxKvwxSM4+q2SI9p2/Yk32+oT1l/EWT3WZRNa/I1x -MF8nr8p5BktPw7tQoITG/JhkWudfkPpvVA3LJYl+F0rjubMA3C3btvDNquPaNXQ0 -Jr0nOt8+OKpsrtBb6ED0su7CWqbHHjc7lTKLepruqnHzllk5/Tcsu6APVRb8qjim -B2ElieWYJKQ7vBchjuSw/3ufqOsJdvckO4znGM1bUFDnCV0DDOXPE/U5QmjcoQqE -kJ36m53WnGCHR3JbL+rSjrB1m0ip8tViNraV+Ch2sXNlNvKYPNNo3cgX62nnDWJz -aLlncx0W1LpZ8mhYVv0AvdoVKBDygzxheye8Fssz3Wz5RDzZ6Vm0AoJwBm+G8v1k -u0MXMyvBv1KLpBLL27PJm2m7r6KIDB0v9PuLK5iF107omkSWfY/lMLQR2UFph8oH -uCwV5PiEy/ecBhBfo3KzUG5yJLBBayYB2vGcXJh4yRpAByppFbpo3csr6UZSEsU8 -iImmN97Tg3QVd/FTn9qRiQ15NxzWC0XCE1glY87KqqC5kl5Lk9Y= -=i6jp ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.15-fix-recursive-dir-delete-symlinks.patch b/SOURCES/samba-4.15-fix-recursive-dir-delete-symlinks.patch new file mode 100644 index 0000000..6f025aa --- /dev/null +++ b/SOURCES/samba-4.15-fix-recursive-dir-delete-symlinks.patch @@ -0,0 +1,668 @@ +From 05cbf6e66f6989e383904ac582dae9515ac3a838 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 21 Oct 2021 16:37:27 -0700 +Subject: [PATCH 1/7] s3: smbd: Add two tests showing the ability to delete a + directory containing a dangling symlink over SMB2 depends on "delete veto + files" setting. + +Add knownfail. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +(cherry picked from commit 942123b95923f35a32df4196a072a3ed3468396a) +--- + selftest/knownfail.d/rmdir_dangle_symlink | 1 + + selftest/target/Samba3.pm | 4 + + .../test_delete_veto_files_only_rmdir.sh | 183 ++++++++++++++++++ + source3/selftest/tests.py | 3 + + 4 files changed, 191 insertions(+) + create mode 100644 selftest/knownfail.d/rmdir_dangle_symlink + create mode 100755 source3/script/tests/test_delete_veto_files_only_rmdir.sh + +diff --git a/selftest/knownfail.d/rmdir_dangle_symlink b/selftest/knownfail.d/rmdir_dangle_symlink +new file mode 100644 +index 00000000000..c775dc5fe15 +--- /dev/null ++++ b/selftest/knownfail.d/rmdir_dangle_symlink +@@ -0,0 +1 @@ ++^samba3.blackbox.test_dangle_rmdir.rmdir can delete directory containing dangling symlink\(fileserver\) +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 2fdab781fda..8ecfc1aaf82 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1738,6 +1738,10 @@ sub setup_fileserver + veto files = /veto_name*/ + delete veto files = yes + ++[delete_veto_files_only] ++ path = $veto_sharedir ++ delete veto files = yes ++ + [homes] + comment = Home directories + browseable = No +diff --git a/source3/script/tests/test_delete_veto_files_only_rmdir.sh b/source3/script/tests/test_delete_veto_files_only_rmdir.sh +new file mode 100755 +index 00000000000..d2c3b2198f7 +--- /dev/null ++++ b/source3/script/tests/test_delete_veto_files_only_rmdir.sh +@@ -0,0 +1,183 @@ ++#!/bin/sh ++# ++# Check smbclient can (or cannot) delete a directory containing dangling symlinks. ++# BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 ++# ++ ++if [ $# -lt 6 ]; then ++cat < "$tmpfile" < "$tmpfile" < "$tmpfile" < "$tmpfile" < +Date: Mon, 25 Oct 2021 12:01:58 -0700 +Subject: [PATCH 2/7] s3: VFS: streams_depot. Allow unlinkat to cope with + dangling symlinks. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +(cherry picked from commit 295d7d026babe3cd5123d0f53adcb16868907f05) +--- + source3/modules/vfs_streams_depot.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c +index 973edeeda24..ae73ba965a5 100644 +--- a/source3/modules/vfs_streams_depot.c ++++ b/source3/modules/vfs_streams_depot.c +@@ -823,6 +823,16 @@ static int streams_depot_unlink_internal(vfs_handle_struct *handle, + ret = SMB_VFS_NEXT_LSTAT(handle, full_fname); + } else { + ret = SMB_VFS_NEXT_STAT(handle, full_fname); ++ if (ret == -1 && (errno == ENOENT || errno == ELOOP)) { ++ if (VALID_STAT(smb_fname->st) && ++ S_ISLNK(smb_fname->st.st_ex_mode)) { ++ /* ++ * Original name was a link - Could be ++ * trying to remove a dangling symlink. ++ */ ++ ret = SMB_VFS_NEXT_LSTAT(handle, full_fname); ++ } ++ } + } + if (ret == -1) { + TALLOC_FREE(full_fname); +-- +2.30.2 + + +From 9938ef02b42f1578e758010b9c4b7a149a9d39c8 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 25 Oct 2021 12:02:43 -0700 +Subject: [PATCH 3/7] s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling + symlinks. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +(cherry picked from commit f254be19d6501a4f573843af97963e350a9ee2ed) +--- + source3/modules/vfs_xattr_tdb.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c +index daa99b2cc3e..42c570b54b3 100644 +--- a/source3/modules/vfs_xattr_tdb.c ++++ b/source3/modules/vfs_xattr_tdb.c +@@ -520,6 +520,16 @@ static int xattr_tdb_unlinkat(vfs_handle_struct *handle, + ret = SMB_VFS_NEXT_LSTAT(handle, full_fname); + } else { + ret = SMB_VFS_NEXT_STAT(handle, full_fname); ++ if (ret == -1 && (errno == ENOENT || errno == ELOOP)) { ++ if (VALID_STAT(smb_fname->st) && ++ S_ISLNK(smb_fname->st.st_ex_mode)) { ++ /* ++ * Original name was a link - Could be ++ * trying to remove a dangling symlink. ++ */ ++ ret = SMB_VFS_NEXT_LSTAT(handle, full_fname); ++ } ++ } + } + if (ret == -1) { + goto out; +-- +2.30.2 + + +From 38ca6d51a07b2ff26e6447846d62c72aabee3606 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 25 Oct 2021 12:21:37 -0700 +Subject: [PATCH 4/7] s3: smbd: Fix rmdir_internals() to do an early return if + lp_delete_veto_files() is not set. + +Fix the comments to match what the code actually does. The +exit at the end of the scan directory loop if we find a client +visible filename is a change in behavior, but the previous +behavior (not exist on visible filename, but delete it) was +a bug and in non-tested code. Now it's testd. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +(cherry picked from commit a37d16e7c55f85e3f2c9c8614755ea6307092d5f) +--- + source3/smbd/close.c | 36 ++++++++++++++++++++++-------------- + 1 file changed, 22 insertions(+), 14 deletions(-) + +diff --git a/source3/smbd/close.c b/source3/smbd/close.c +index 470ca7f1b6d..484442ddc17 100644 +--- a/source3/smbd/close.c ++++ b/source3/smbd/close.c +@@ -965,8 +965,6 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, struct files_struct *fsp) + struct smb_filename *smb_dname = fsp->fsp_name; + struct smb_filename *parent_fname = NULL; + struct smb_filename *at_fname = NULL; +- const struct loadparm_substitution *lp_sub = +- loadparm_s3_global_substitution(); + SMB_STRUCT_STAT st; + const char *dname = NULL; + char *talloced = NULL; +@@ -1026,9 +1024,7 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, struct files_struct *fsp) + return NT_STATUS_OK; + } + +- if (!((errno == ENOTEMPTY) || (errno == EEXIST)) || +- !*lp_veto_files(talloc_tos(), lp_sub, SNUM(conn))) +- { ++ if (!((errno == ENOTEMPTY) || (errno == EEXIST))) { + DEBUG(3,("rmdir_internals: couldn't remove directory %s : " + "%s\n", smb_fname_str_dbg(smb_dname), + strerror(errno))); +@@ -1036,11 +1032,21 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, struct files_struct *fsp) + return map_nt_error_from_unix(errno); + } + ++ /* ++ * Here we know the initial directory unlink failed with ++ * ENOTEMPTY or EEXIST so we know there are objects within. ++ * If we don't have permission to delete files non ++ * visible to the client just fail the directory delete. ++ */ ++ ++ if (!lp_delete_veto_files(SNUM(conn))) { ++ errno = ENOTEMPTY; ++ goto err; ++ } ++ + /* + * Check to see if the only thing in this directory are +- * vetoed files/directories. If so then delete them and +- * retry. If we fail to delete any of them (and we *don't* +- * do a recursive delete) then fail the rmdir. ++ * files non-visible to the client. If not, fail the delete. + */ + + dir_hnd = OpenDir(talloc_tos(), conn, smb_dname, NULL, 0); +@@ -1133,16 +1139,18 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, struct files_struct *fsp) + continue; + } + ++ /* ++ * We found a client visible name. ++ * We cannot delete this directory. ++ */ ++ DBG_DEBUG("got name %s - " ++ "can't delete directory %s\n", ++ dname, ++ fsp_str_dbg(fsp)); + TALLOC_FREE(talloced); + TALLOC_FREE(fullname); + TALLOC_FREE(smb_dname_full); + TALLOC_FREE(direntry_fname); +- } +- +- /* We only have veto files/directories. +- * Are we allowed to delete them ? */ +- +- if (!lp_delete_veto_files(SNUM(conn))) { + errno = ENOTEMPTY; + goto err; + } +-- +2.30.2 + + +From a8bc5af4ded62d80dca97622f5c90b0ebab5c130 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 25 Oct 2021 12:32:29 -0700 +Subject: [PATCH 5/7] s3: smbd: Fix logic in rmdir_internals() to cope with + dangling symlinks. + +Still need to add the same logic in can_delete_directory_fsp() +before we can delete the knownfail. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +(cherry picked from commit 26fecad2e66e91a3913d88ee2e0889f266e91d89) +--- + source3/smbd/close.c | 56 ++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 51 insertions(+), 5 deletions(-) + +diff --git a/source3/smbd/close.c b/source3/smbd/close.c +index 484442ddc17..7178257efcc 100644 +--- a/source3/smbd/close.c ++++ b/source3/smbd/close.c +@@ -1103,15 +1103,61 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, struct files_struct *fsp) + goto err; + } + +- /* +- * is_visible_fsp() always returns true +- * for the symlink/MSDFS case. +- */ + if (S_ISLNK(smb_dname_full->st.st_ex_mode)) { ++ /* Could it be an msdfs link ? */ ++ if (lp_host_msdfs() && ++ lp_msdfs_root(SNUM(conn))) { ++ struct smb_filename *smb_atname; ++ smb_atname = synthetic_smb_fname(talloc_tos(), ++ dname, ++ NULL, ++ &smb_dname_full->st, ++ fsp->fsp_name->twrp, ++ fsp->fsp_name->flags); ++ if (smb_atname == NULL) { ++ TALLOC_FREE(talloced); ++ TALLOC_FREE(fullname); ++ TALLOC_FREE(smb_dname_full); ++ errno = ENOMEM; ++ goto err; ++ } ++ if (is_msdfs_link(fsp, smb_atname)) { ++ TALLOC_FREE(talloced); ++ TALLOC_FREE(fullname); ++ TALLOC_FREE(smb_dname_full); ++ TALLOC_FREE(smb_atname); ++ DBG_DEBUG("got msdfs link name %s " ++ "- can't delete directory %s\n", ++ dname, ++ fsp_str_dbg(fsp)); ++ errno = ENOTEMPTY; ++ goto err; ++ } ++ TALLOC_FREE(smb_atname); ++ } ++ ++ /* Not a DFS link - could it be a dangling symlink ? */ ++ ret = SMB_VFS_STAT(conn, smb_dname_full); ++ if (ret == -1 && (errno == ENOENT || errno == ELOOP)) { ++ /* ++ * Dangling symlink. ++ * Allow delete as "delete veto files = yes" ++ */ ++ TALLOC_FREE(talloced); ++ TALLOC_FREE(fullname); ++ TALLOC_FREE(smb_dname_full); ++ continue; ++ } ++ ++ DBG_DEBUG("got symlink name %s - " ++ "can't delete directory %s\n", ++ dname, ++ fsp_str_dbg(fsp)); + TALLOC_FREE(talloced); + TALLOC_FREE(fullname); + TALLOC_FREE(smb_dname_full); +- continue; ++ errno = ENOTEMPTY; ++ goto err; + } + + /* Not a symlink, get a pathref. */ +-- +2.30.2 + + +From a1fb0d7bcf0791066b23e909c4f3a7a89bab6034 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 25 Oct 2021 12:36:57 -0700 +Subject: [PATCH 6/7] s3: smbd: Fix logic in can_delete_directory_fsp() to cope + with dangling symlinks. + +Remove knownfail. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +(cherry picked from commit e9ef970eee5eca8ab3720279c54098e91d2dfda9) +--- + selftest/knownfail.d/rmdir_dangle_symlink | 1 - + source3/smbd/dir.c | 55 ++++++++++++++++++++--- + 2 files changed, 49 insertions(+), 7 deletions(-) + delete mode 100644 selftest/knownfail.d/rmdir_dangle_symlink + +diff --git a/selftest/knownfail.d/rmdir_dangle_symlink b/selftest/knownfail.d/rmdir_dangle_symlink +deleted file mode 100644 +index c775dc5fe15..00000000000 +--- a/selftest/knownfail.d/rmdir_dangle_symlink ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.blackbox.test_dangle_rmdir.rmdir can delete directory containing dangling symlink\(fileserver\) +diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c +index 174f07b1159..4d61bb0d56d 100644 +--- a/source3/smbd/dir.c ++++ b/source3/smbd/dir.c +@@ -1922,16 +1922,59 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp) + break; + } + +- /* +- * is_visible_fsp() always returns true +- * for the symlink/MSDFS case. +- */ +- + if (S_ISLNK(smb_dname_full->st.st_ex_mode)) { ++ /* Could it be an msdfs link ? */ ++ if (lp_host_msdfs() && ++ lp_msdfs_root(SNUM(conn))) { ++ struct smb_filename *smb_dname; ++ smb_dname = synthetic_smb_fname(talloc_tos(), ++ dname, ++ NULL, ++ &smb_dname_full->st, ++ fsp->fsp_name->twrp, ++ fsp->fsp_name->flags); ++ if (smb_dname == NULL) { ++ TALLOC_FREE(talloced); ++ TALLOC_FREE(fullname); ++ TALLOC_FREE(smb_dname_full); ++ status = NT_STATUS_NO_MEMORY; ++ break; ++ } ++ if (is_msdfs_link(fsp, smb_dname)) { ++ TALLOC_FREE(talloced); ++ TALLOC_FREE(fullname); ++ TALLOC_FREE(smb_dname_full); ++ TALLOC_FREE(smb_dname); ++ DBG_DEBUG("got msdfs link name %s " ++ "- can't delete directory %s\n", ++ dname, ++ fsp_str_dbg(fsp)); ++ status = NT_STATUS_DIRECTORY_NOT_EMPTY; ++ break; ++ } ++ TALLOC_FREE(smb_dname); ++ } ++ /* Not a DFS link - could it be a dangling symlink ? */ ++ ret = SMB_VFS_STAT(conn, smb_dname_full); ++ if (ret == -1 && (errno == ENOENT || errno == ELOOP)) { ++ /* ++ * Dangling symlink. ++ * Allow if "delete veto files = yes" ++ */ ++ if (lp_delete_veto_files(SNUM(conn))) { ++ TALLOC_FREE(talloced); ++ TALLOC_FREE(fullname); ++ TALLOC_FREE(smb_dname_full); ++ continue; ++ } ++ } ++ DBG_DEBUG("got symlink name %s - " ++ "can't delete directory %s\n", ++ dname, ++ fsp_str_dbg(fsp)); + TALLOC_FREE(talloced); + TALLOC_FREE(fullname); + TALLOC_FREE(smb_dname_full); +- DBG_DEBUG("got name %s - can't delete\n", dname); + status = NT_STATUS_DIRECTORY_NOT_EMPTY; + break; + } +-- +2.30.2 + + +From 2a6f19df3f1588dbf60b86b520798b88861d2179 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 25 Oct 2021 12:42:02 -0700 +Subject: [PATCH 7/7] s3: docs-xml: Clarify the "delete veto files" paramter. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Fri Oct 29 14:57:14 UTC 2021 on sn-devel-184 + +(cherry picked from commit 0b818c6b77e972626d0b071bebcf4ce55619fb84) +--- + docs-xml/smbdotconf/filename/deletevetofiles.xml | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/docs-xml/smbdotconf/filename/deletevetofiles.xml b/docs-xml/smbdotconf/filename/deletevetofiles.xml +index 581dc05396d..570d4ac60a0 100644 +--- a/docs-xml/smbdotconf/filename/deletevetofiles.xml ++++ b/docs-xml/smbdotconf/filename/deletevetofiles.xml +@@ -4,9 +4,12 @@ + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + + This option is used when Samba is attempting to +- delete a directory that contains one or more vetoed directories +- (see the +- option). If this option is set to no (the default) then if a vetoed ++ delete a directory that contains one or more vetoed files ++ or directories or non-visible files or directories (such ++ as dangling symlinks that point nowhere). ++ (see the , , ++ , ++ options). If this option is set to no (the default) then if a vetoed + directory contains any non-vetoed files or directories then the + directory delete will fail. This is usually what you want. + +-- +2.30.2 + diff --git a/SOURCES/samba-4.15-fix-recursive-dir-delete.patch b/SOURCES/samba-4.15-fix-recursive-dir-delete.patch new file mode 100644 index 0000000..d61d434 --- /dev/null +++ b/SOURCES/samba-4.15-fix-recursive-dir-delete.patch @@ -0,0 +1,346 @@ +From 83499424ab011da66ded2df441277c2b89844c7b Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 21 Oct 2021 15:06:20 -0700 +Subject: [PATCH 1/2] s3: smbd: Add two tests showing recursive directory + delete of a directory containing veto file and msdfs links over SMB2. + +Add knownfail. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +(cherry picked from commit ad0082d79a681b981154747dcde5713e1933b88f) +--- + selftest/knownfail.d/veto_rmdir | 1 + + selftest/target/Samba3.pm | 16 ++ + source3/script/tests/test_veto_rmdir.sh | 217 ++++++++++++++++++++++++ + source3/selftest/tests.py | 3 + + 4 files changed, 237 insertions(+) + create mode 100644 selftest/knownfail.d/veto_rmdir + create mode 100755 source3/script/tests/test_veto_rmdir.sh + +diff --git a/selftest/knownfail.d/veto_rmdir b/selftest/knownfail.d/veto_rmdir +new file mode 100644 +index 00000000000..ecced55d794 +--- /dev/null ++++ b/selftest/knownfail.d/veto_rmdir +@@ -0,0 +1 @@ ++^samba3.blackbox.test_veto_rmdir.rmdir can delete directory containing a veto file\(fileserver\) +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index fdbba8411bc..2fdab781fda 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1614,6 +1614,9 @@ sub setup_fileserver + my $bad_iconv_sharedir="$share_dir/bad_iconv"; + push(@dirs, $bad_iconv_sharedir); + ++ my $veto_sharedir="$share_dir/veto"; ++ push(@dirs,$veto_sharedir); ++ + my $ip4 = Samba::get_ipv4_addr("FILESERVER"); + my $fileserver_options = " + kernel change notify = yes +@@ -1722,6 +1725,19 @@ sub setup_fileserver + comment = smb username is [%U] + vfs objects = + ++[veto_files_nodelete] ++ path = $veto_sharedir ++ read only = no ++ msdfs root = yes ++ veto files = /veto_name*/ ++ delete veto files = no ++ ++[veto_files_delete] ++ path = $veto_sharedir ++ msdfs root = yes ++ veto files = /veto_name*/ ++ delete veto files = yes ++ + [homes] + comment = Home directories + browseable = No +diff --git a/source3/script/tests/test_veto_rmdir.sh b/source3/script/tests/test_veto_rmdir.sh +new file mode 100755 +index 00000000000..d3df8f1bba0 +--- /dev/null ++++ b/source3/script/tests/test_veto_rmdir.sh +@@ -0,0 +1,217 @@ ++#!/bin/sh ++# ++# Check smbclient can (or cannot) delete a directory containing veto files. ++# BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878 ++# ++ ++if [ $# -lt 6 ]; then ++cat < "$tmpfile" < "$tmpfile" < "$tmpfile" < "$tmpfile" < "$tmpfile" < +Date: Thu, 21 Oct 2021 16:18:24 -0700 +Subject: [PATCH 2/2] s3: smbd: Fix recursive directory delete of a directory + containing veto file and msdfs links. + +Remove knownfail. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +(cherry picked from commit 73de1194c3c429ab93d722a852aa4f54213b112a) +--- + selftest/knownfail.d/veto_rmdir | 1 - + source3/smbd/close.c | 2 +- + 2 files changed, 1 insertion(+), 2 deletions(-) + delete mode 100644 selftest/knownfail.d/veto_rmdir + +diff --git a/selftest/knownfail.d/veto_rmdir b/selftest/knownfail.d/veto_rmdir +deleted file mode 100644 +index ecced55d794..00000000000 +--- a/selftest/knownfail.d/veto_rmdir ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.blackbox.test_veto_rmdir.rmdir can delete directory containing a veto file\(fileserver\) +diff --git a/source3/smbd/close.c b/source3/smbd/close.c +index 191626557dc..470ca7f1b6d 100644 +--- a/source3/smbd/close.c ++++ b/source3/smbd/close.c +@@ -1267,7 +1267,7 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, struct files_struct *fsp) + + /* Retry the rmdir */ + ret = SMB_VFS_UNLINKAT(conn, +- dirfsp, ++ parent_fname->fsp, + at_fname, + AT_REMOVEDIR); + +-- +2.30.2 + diff --git a/SOURCES/samba-4.15-fix-winbind-no-trusted-domain.patch b/SOURCES/samba-4.15-fix-winbind-no-trusted-domain.patch new file mode 100644 index 0000000..4924872 --- /dev/null +++ b/SOURCES/samba-4.15-fix-winbind-no-trusted-domain.patch @@ -0,0 +1,41 @@ +From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 9 Nov 2021 20:50:20 +0100 +Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression + +add_trusted_domain() should only reject domains +based on is_allowed_domain(), which now also +checks "allow trusted domains = no", if we don't +have an explicit trust to the domain (SEC_CHAN_NULL). + +We use at least SEC_CHAN_LOCAL for local domains like +BUILTIN. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899 + +Signed-off-by: Stefan Metzmacher + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184 + +(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935) +--- + source3/winbindd/winbindd_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 42ddbfd2f44..9d54e462c42 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name, + return NT_STATUS_INVALID_PARAMETER; + } + +- if (!is_allowed_domain(domain_name)) { ++ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) { + return NT_STATUS_NO_SUCH_DOMAIN; + } + +-- +2.33.1 + diff --git a/SOURCES/samba-4.15-ipa-dc-schannel.patch b/SOURCES/samba-4.15-ipa-dc-schannel.patch new file mode 100644 index 0000000..d315a5d --- /dev/null +++ b/SOURCES/samba-4.15-ipa-dc-schannel.patch @@ -0,0 +1,45 @@ +From 3fc4d1d3998f3956a84c855cb60a9dcb335e1f59 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 12 Nov 2021 19:06:01 +0200 +Subject: [PATCH] IPA DC: add missing checks + +When introducing FreeIPA support, two places were forgotten: + + - schannel gensec module needs to be aware of IPA DC + - _lsa_QueryInfoPolicy should treat IPA DC as PDC + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903 + +Signed-off-by: Alexander Bokovoy +--- + auth/gensec/schannel.c | 1 + + source3/rpc_server/lsa/srv_lsa_nt.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c +index 0cdae141ead..6ebbe8f3179 100644 +--- a/auth/gensec/schannel.c ++++ b/auth/gensec/schannel.c +@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security) + case ROLE_DOMAIN_BDC: + case ROLE_DOMAIN_PDC: + case ROLE_ACTIVE_DIRECTORY_DC: ++ case ROLE_IPA_DC: + return NT_STATUS_OK; + default: + return NT_STATUS_NOT_IMPLEMENTED; +diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c +index 8d71b5252ab..ea92a22cbc9 100644 +--- a/source3/rpc_server/lsa/srv_lsa_nt.c ++++ b/source3/rpc_server/lsa/srv_lsa_nt.c +@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p, + switch (lp_server_role()) { + case ROLE_DOMAIN_PDC: + case ROLE_DOMAIN_BDC: ++ case ROLE_IPA_DC: + name = get_global_sam_name(); + sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid()); + if (!sid) { +-- +2.33.1 + diff --git a/SOURCES/samba-4.15-logfile.patch b/SOURCES/samba-4.15-logfile.patch new file mode 100644 index 0000000..6300639 --- /dev/null +++ b/SOURCES/samba-4.15-logfile.patch @@ -0,0 +1,981 @@ +From 96d6bd4feb27b9b003aac44ef2ab7ef0a288272d Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 10 Nov 2021 20:18:07 +0100 +Subject: [PATCH 1/8] source3: move lib/substitute.c functions out of proto.h + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897 + +Signed-off-by: Ralph Boehme +--- + source3/auth/auth_generic.c | 1 + + source3/auth/auth_ntlmssp.c | 1 + + source3/auth/auth_util.c | 1 + + source3/include/proto.h | 33 ----------- + source3/lib/substitute.c | 1 + + source3/lib/substitute.h | 63 +++++++++++++++++++++ + source3/modules/vfs_expand_msdfs.c | 1 + + source3/modules/vfs_full_audit.c | 1 + + source3/modules/vfs_recycle.c | 1 + + source3/modules/vfs_unityed_media.c | 1 + + source3/modules/vfs_virusfilter_utils.c | 1 + + source3/nmbd/nmbd.c | 1 + + source3/nmbd/nmbd_synclists.c | 1 + + source3/param/loadparm.c | 1 + + source3/passdb/passdb.c | 1 + + source3/passdb/pdb_ldap.c | 1 + + source3/printing/print_generic.c | 1 + + source3/printing/printing.c | 1 + + source3/rpc_server/lsa/srv_lsa_nt.c | 1 + + source3/rpc_server/netlogon/srv_netlog_nt.c | 1 + + source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 1 + + source3/smbd/ipc.c | 1 + + source3/smbd/lanman.c | 1 + + source3/smbd/message.c | 1 + + source3/smbd/msdfs.c | 1 + + source3/smbd/process.c | 1 + + source3/smbd/reply.c | 1 + + source3/smbd/server.c | 1 + + source3/smbd/service.c | 1 + + source3/smbd/sesssetup.c | 1 + + source3/smbd/share_access.c | 1 + + source3/smbd/smb2_server.c | 1 + + source3/smbd/smb2_sesssetup.c | 1 + + source3/smbd/trans2.c | 1 + + source3/smbd/uid.c | 1 + + source3/torture/torture.c | 1 + + source3/utils/net_sam.c | 1 + + source3/winbindd/wb_getpwsid.c | 1 + + source3/winbindd/winbindd.c | 1 + + 39 files changed, 100 insertions(+), 33 deletions(-) + create mode 100644 source3/lib/substitute.h + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index fc7a7549e8e..ff51307e43a 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -36,6 +36,7 @@ + #include "auth/credentials/credentials.h" + #include "lib/param/loadparm.h" + #include "librpc/gen_ndr/dcerpc.h" ++#include "source3/lib/substitute.h" + + static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx, +diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c +index 676aa9d892c..f2deca09aa6 100644 +--- a/source3/auth/auth_ntlmssp.c ++++ b/source3/auth/auth_ntlmssp.c +@@ -25,6 +25,7 @@ + #include "auth.h" + #include "libcli/security/security.h" + #include "lib/util/tevent_ntstatus.h" ++#include "source3/lib/substitute.h" + + NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, + TALLOC_CTX *mem_ctx, +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index dec854d85c3..4527dedc49d 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -38,6 +38,7 @@ + #include "rpc_client/util_netlogon.h" + #include "source4/auth/auth.h" + #include "auth/auth_util.h" ++#include "source3/lib/substitute.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_AUTH +diff --git a/source3/include/proto.h b/source3/include/proto.h +index eb45179aebb..a96c2c8d110 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -139,39 +139,6 @@ int smbrun_no_sanitize(const char *cmd, int *outfd, char * const *env); + int smbrun(const char *cmd, int *outfd, char * const *env); + int smbrunsecret(const char *cmd, const char *secret); + +-/* The following definitions come from lib/substitute.c */ +- +-bool set_local_machine_name(const char *local_name, bool perm); +-const char *get_local_machine_name(void); +-bool set_remote_machine_name(const char *remote_name, bool perm); +-const char *get_remote_machine_name(void); +-void sub_set_smb_name(const char *name); +-void set_current_user_info(const char *smb_name, const char *unix_name, +- const char *domain); +-void sub_set_socket_ids(const char *peeraddr, const char *peername, +- const char *sockaddr); +-const char *get_current_username(void); +-void standard_sub_basic(const char *smb_name, const char *domain_name, +- char *str, size_t len); +-char *talloc_sub_basic(TALLOC_CTX *mem_ctx, const char *smb_name, +- const char *domain_name, const char *str); +-char *talloc_sub_specified(TALLOC_CTX *mem_ctx, +- const char *input_string, +- const char *username, +- const char *grpname, +- const char *domain, +- uid_t uid, +- gid_t gid); +-char *talloc_sub_advanced(TALLOC_CTX *mem_ctx, +- const char *servicename, const char *user, +- const char *connectpath, gid_t gid, +- const char *str); +-char *talloc_sub_full(TALLOC_CTX *mem_ctx, +- const char *servicename, const char *user, +- const char *connectpath, gid_t gid, +- const char *smb_name, const char *domain_name, +- const char *str); +- + /* The following definitions come from lib/sysquotas.c */ + + int sys_get_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp); +diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c +index b98a0acf1cb..a941b89f82a 100644 +--- a/source3/lib/substitute.c ++++ b/source3/lib/substitute.c +@@ -20,6 +20,7 @@ + + + #include "includes.h" ++#include "substitute.h" + #include "system/passwd.h" + #include "secrets.h" + #include "auth.h" +diff --git a/source3/lib/substitute.h b/source3/lib/substitute.h +new file mode 100644 +index 00000000000..2056d163dd7 +--- /dev/null ++++ b/source3/lib/substitute.h +@@ -0,0 +1,63 @@ ++/* ++ Unix SMB/CIFS implementation. ++ string substitution functions ++ Copyright (C) Andrew Tridgell 1992-2000 ++ Copyright (C) Gerald Carter 2006 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#ifndef SUBSTITUTE_H ++#define SUBSTITUTE_H ++ ++bool set_local_machine_name(const char *local_name, bool perm); ++const char *get_local_machine_name(void); ++bool set_remote_machine_name(const char *remote_name, bool perm); ++const char *get_remote_machine_name(void); ++void sub_set_socket_ids(const char *peeraddr, const char *peername, ++ const char *sockaddr); ++void set_current_user_info(const char *smb_name, ++ const char *unix_name, ++ const char *domain); ++const char *get_current_username(void); ++void standard_sub_basic(const char *smb_name, ++ const char *domain_name, ++ char *str, ++ size_t len); ++char *talloc_sub_basic(TALLOC_CTX *mem_ctx, ++ const char *smb_name, ++ const char *domain_name, ++ const char *str); ++char *talloc_sub_specified(TALLOC_CTX *mem_ctx, ++ const char *input_string, ++ const char *username, ++ const char *grpname, ++ const char *domain, ++ uid_t uid, ++ gid_t gid); ++char *talloc_sub_advanced(TALLOC_CTX *ctx, ++ const char *servicename, ++ const char *user, ++ const char *connectpath, ++ gid_t gid, ++ const char *str); ++char *talloc_sub_full(TALLOC_CTX *ctx, ++ const char *servicename, ++ const char *user, ++ const char *connectpath, ++ gid_t gid, ++ const char *smb_name, ++ const char *domain_name, ++ const char *str); ++#endif +diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c +index 34e7051dca5..fe3c6f47462 100644 +--- a/source3/modules/vfs_expand_msdfs.c ++++ b/source3/modules/vfs_expand_msdfs.c +@@ -25,6 +25,7 @@ + #include "auth.h" + #include "../lib/tsocket/tsocket.h" + #include "msdfs.h" ++#include "source3/lib/substitute.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_VFS +diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c +index ceda99d4568..c8dbc8c07bb 100644 +--- a/source3/modules/vfs_full_audit.c ++++ b/source3/modules/vfs_full_audit.c +@@ -73,6 +73,7 @@ + #include "passdb/machine_sid.h" + #include "lib/util/tevent_ntstatus.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + static int vfs_full_audit_debug_level = DBGC_VFS; + +diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c +index 1c18f232c32..7cbc938a57c 100644 +--- a/source3/modules/vfs_recycle.c ++++ b/source3/modules/vfs_recycle.c +@@ -27,6 +27,7 @@ + #include "system/filesys.h" + #include "../librpc/gen_ndr/ndr_netlogon.h" + #include "auth.h" ++#include "source3/lib/substitute.h" + + #define ALLOC_CHECK(ptr, label) do { if ((ptr) == NULL) { DEBUG(0, ("recycle.bin: out of memory!\n")); errno = ENOMEM; goto label; } } while(0) + +diff --git a/source3/modules/vfs_unityed_media.c b/source3/modules/vfs_unityed_media.c +index 62a1456b996..fbd4d968172 100644 +--- a/source3/modules/vfs_unityed_media.c ++++ b/source3/modules/vfs_unityed_media.c +@@ -62,6 +62,7 @@ + #include "../lib/tsocket/tsocket.h" + #include "lib/util/smb_strtox.h" + #include ++#include "source3/lib/substitute.h" + + #define UM_PARAM_TYPE_NAME "unityed_media" + +diff --git a/source3/modules/vfs_virusfilter_utils.c b/source3/modules/vfs_virusfilter_utils.c +index c7f8089ffc7..b8b44eb203b 100644 +--- a/source3/modules/vfs_virusfilter_utils.c ++++ b/source3/modules/vfs_virusfilter_utils.c +@@ -25,6 +25,7 @@ struct iovec; + #include "lib/util/iov_buf.h" + #include + #include "lib/tsocket/tsocket.h" ++#include "source3/lib/substitute.h" + + int virusfilter_debug_class = DBGC_VFS; + +diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c +index 44121e9915c..7470897587e 100644 +--- a/source3/nmbd/nmbd.c ++++ b/source3/nmbd/nmbd.c +@@ -29,6 +29,7 @@ + #include "util_cluster.h" + #include "lib/gencache.h" + #include "lib/global_contexts.h" ++#include "source3/lib/substitute.h" + + int ClientNMB = -1; + int ClientDGRAM = -1; +diff --git a/source3/nmbd/nmbd_synclists.c b/source3/nmbd/nmbd_synclists.c +index a65cbb87e0e..d291927fbc8 100644 +--- a/source3/nmbd/nmbd_synclists.c ++++ b/source3/nmbd/nmbd_synclists.c +@@ -33,6 +33,7 @@ + #include "libsmb/clirap.h" + #include "../libcli/smb/smbXcli_base.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + struct sync_record { + struct sync_record *next, *prev; +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index f54c08cc4a5..b56fd20e410 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -76,6 +76,7 @@ + #include "lib/crypto/gnutls_helpers.h" + #include "lib/util/string_wrappers.h" + #include "auth/credentials/credentials.h" ++#include "source3/lib/substitute.h" + + #ifdef HAVE_SYS_SYSCTL_H + #include +diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c +index 068c5a5ea70..863f260ea90 100644 +--- a/source3/passdb/passdb.c ++++ b/source3/passdb/passdb.c +@@ -33,6 +33,7 @@ + #include "auth/credentials/credentials.h" + #include "lib/param/param.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_PASSDB +diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c +index e6d8a84c60f..93da28b1941 100644 +--- a/source3/passdb/pdb_ldap.c ++++ b/source3/passdb/pdb_ldap.c +@@ -56,6 +56,7 @@ + #include "lib/util_sid_passdb.h" + #include "lib/util/smb_strtox.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_PASSDB +diff --git a/source3/printing/print_generic.c b/source3/printing/print_generic.c +index 743c311bbd5..8798a4cf34a 100644 +--- a/source3/printing/print_generic.c ++++ b/source3/printing/print_generic.c +@@ -20,6 +20,7 @@ + #include "includes.h" + #include "printing.h" + #include "smbd/proto.h" ++#include "source3/lib/substitute.h" + + extern userdom_struct current_user_info; + +diff --git a/source3/printing/printing.c b/source3/printing/printing.c +index 499334df03f..67d798fbb21 100644 +--- a/source3/printing/printing.c ++++ b/source3/printing/printing.c +@@ -40,6 +40,7 @@ + #include "lib/util/string_wrappers.h" + #include "lib/global_contexts.h" + #include "source3/printing/rap_jobid.h" ++#include "source3/lib/substitute.h" + + extern userdom_struct current_user_info; + +diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c +index d6d606ddeca..57f981cb358 100644 +--- a/source3/rpc_server/lsa/srv_lsa_nt.c ++++ b/source3/rpc_server/lsa/srv_lsa_nt.c +@@ -53,6 +53,7 @@ + #include "librpc/rpc/dcesrv_core.h" + #include "librpc/rpc/dcerpc_helper.h" + #include "lib/param/loadparm.h" ++#include "source3/lib/substitute.h" + + #include "lib/crypto/gnutls_helpers.h" + #include +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index eaacd8dbc6a..2906fa3f30f 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -49,6 +49,7 @@ + #include "lib/param/param.h" + #include "libsmb/dsgetdcname.h" + #include "lib/util/util_str_escape.h" ++#include "source3/lib/substitute.h" + + extern userdom_struct current_user_info; + +diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +index 8576e9d2ce2..fc27a459634 100644 +--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c ++++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +@@ -42,6 +42,7 @@ + #include "messages.h" + #include "serverid.h" + #include "lib/global_contexts.h" ++#include "source3/lib/substitute.h" + + extern const struct generic_mapping file_generic_mapping; + +diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c +index f1c8ea0c2ed..cf3b7c91c22 100644 +--- a/source3/smbd/ipc.c ++++ b/source3/smbd/ipc.c +@@ -29,6 +29,7 @@ + #include "smbd/globals.h" + #include "smbprofile.h" + #include "rpc_server/srv_pipe_hnd.h" ++#include "source3/lib/substitute.h" + + #define NERR_notsupported 50 + +diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c +index 9194113e768..eb8148753b9 100644 +--- a/source3/smbd/lanman.c ++++ b/source3/smbd/lanman.c +@@ -45,6 +45,7 @@ + #include "rpc_server/rpc_ncacn_np.h" + #include "lib/util/string_wrappers.h" + #include "source3/printing/rap_jobid.h" ++#include "source3/lib/substitute.h" + + #ifdef CHECK_TYPES + #undef CHECK_TYPES +diff --git a/source3/smbd/message.c b/source3/smbd/message.c +index b9728946889..7185bec1289 100644 +--- a/source3/smbd/message.c ++++ b/source3/smbd/message.c +@@ -27,6 +27,7 @@ + #include "smbd/smbd.h" + #include "smbd/globals.h" + #include "smbprofile.h" ++#include "source3/lib/substitute.h" + + extern userdom_struct current_user_info; + +diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c +index 995ed815d90..fd002e98071 100644 +--- a/source3/smbd/msdfs.c ++++ b/source3/smbd/msdfs.c +@@ -34,6 +34,7 @@ + #include "librpc/gen_ndr/ndr_dfsblobs.h" + #include "lib/tsocket/tsocket.h" + #include "lib/global_contexts.h" ++#include "source3/lib/substitute.h" + + /********************************************************************** + Parse a DFS pathname of the form \hostname\service\reqpath +diff --git a/source3/smbd/process.c b/source3/smbd/process.c +index 03409742752..5015c143a04 100644 +--- a/source3/smbd/process.c ++++ b/source3/smbd/process.c +@@ -46,6 +46,7 @@ + #include "libcli/smb/smbXcli_base.h" + #include "lib/util/time_basic.h" + #include "smb1_utils.h" ++#include "source3/lib/substitute.h" + + /* Internal message queue for deferred opens. */ + struct pending_message_list { +diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c +index 042e7f2329e..f85d1122a07 100644 +--- a/source3/smbd/reply.c ++++ b/source3/smbd/reply.c +@@ -50,6 +50,7 @@ + #include "libcli/smb/smb2_posix.h" + #include "lib/util/string_wrappers.h" + #include "source3/printing/rap_jobid.h" ++#include "source3/lib/substitute.h" + + /**************************************************************************** + Ensure we check the path in *exactly* the same way as W2K for a findfirst/findnext +diff --git a/source3/smbd/server.c b/source3/smbd/server.c +index d7f5b4b73c0..d02ff1bd883 100644 +--- a/source3/smbd/server.c ++++ b/source3/smbd/server.c +@@ -60,6 +60,7 @@ + #include "rpc_server/fssd.h" + #include "rpc_server/mdssd.h" + #include "lib/global_contexts.h" ++#include "source3/lib/substitute.h" + + #ifdef CLUSTER_SUPPORT + #include "ctdb_protocol.h" +diff --git a/source3/smbd/service.c b/source3/smbd/service.c +index afdea38b016..ef7c14d92d0 100644 +--- a/source3/smbd/service.c ++++ b/source3/smbd/service.c +@@ -34,6 +34,7 @@ + #include "lib/afs/afs_funcs.h" + #include "lib/util_path.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + bool canonicalize_connect_path(connection_struct *conn) + { +diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c +index 2bd527ce80e..1705b8920b6 100644 +--- a/source3/smbd/sesssetup.c ++++ b/source3/smbd/sesssetup.c +@@ -34,6 +34,7 @@ + #include "auth/gensec/gensec.h" + #include "../libcli/smb/smb_signing.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + /**************************************************************************** + Add the standard 'Samba' signature to the end of the session setup. +diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c +index debe4fc6385..c44c4bd8c69 100644 +--- a/source3/smbd/share_access.c ++++ b/source3/smbd/share_access.c +@@ -23,6 +23,7 @@ + #include "../libcli/security/security.h" + #include "passdb/lookup_sid.h" + #include "auth.h" ++#include "source3/lib/substitute.h" + + /* + * We dropped NIS support in 2021, but need to keep configs working. +diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c +index f359db0729d..f6b376e5a07 100644 +--- a/source3/smbd/smb2_server.c ++++ b/source3/smbd/smb2_server.c +@@ -33,6 +33,7 @@ + #include "lib/util/iov_buf.h" + #include "auth.h" + #include "libcli/smb/smbXcli_base.h" ++#include "source3/lib/substitute.h" + + #if defined(LINUX) + /* SIOCOUTQ TIOCOUTQ are the same */ +diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c +index 38049e8535f..14b806bc007 100644 +--- a/source3/smbd/smb2_sesssetup.c ++++ b/source3/smbd/smb2_sesssetup.c +@@ -28,6 +28,7 @@ + #include "../lib/tsocket/tsocket.h" + #include "../libcli/security/security.h" + #include "../lib/util/tevent_ntstatus.h" ++#include "source3/lib/substitute.h" + + #include "lib/crypto/gnutls_helpers.h" + #include +diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c +index cd6b61429c5..a86ac3228e3 100644 +--- a/source3/smbd/trans2.c ++++ b/source3/smbd/trans2.c +@@ -45,6 +45,7 @@ + #include "smb1_utils.h" + #include "libcli/smb/smb2_posix.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + #define DIR_ENTRY_SAFETY_MARGIN 4096 + +diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c +index b0d7f21c200..52918c4f181 100644 +--- a/source3/smbd/uid.c ++++ b/source3/smbd/uid.c +@@ -26,6 +26,7 @@ + #include "passdb/lookup_sid.h" + #include "auth.h" + #include "../auth/auth_util.h" ++#include "source3/lib/substitute.h" + + /* what user is current? */ + extern struct current_user current_user; +diff --git a/source3/torture/torture.c b/source3/torture/torture.c +index 79a9c65073c..d3e0e3cf095 100644 +--- a/source3/torture/torture.c ++++ b/source3/torture/torture.c +@@ -51,6 +51,7 @@ + #include "lib/param/param.h" + #include "auth/gensec/gensec.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + #include + #include +diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c +index 6a2c6c861f9..17cc47b2ddd 100644 +--- a/source3/utils/net_sam.c ++++ b/source3/utils/net_sam.c +@@ -33,6 +33,7 @@ + #include "idmap.h" + #include "lib/util/smb_strtox.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + /* + * Set a user's data +diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c +index fb0351ec201..7f168bdda7a 100644 +--- a/source3/winbindd/wb_getpwsid.c ++++ b/source3/winbindd/wb_getpwsid.c +@@ -22,6 +22,7 @@ + #include "librpc/gen_ndr/ndr_winbind_c.h" + #include "../libcli/security/security.h" + #include "lib/util/string_wrappers.h" ++#include "source3/lib/substitute.h" + + struct wb_getpwsid_state { + struct tevent_context *ev; +diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c +index 25d8b723010..290454619a4 100644 +--- a/source3/winbindd/winbindd.c ++++ b/source3/winbindd/winbindd.c +@@ -51,6 +51,7 @@ + #include "lib/gencache.h" + #include "rpc_server/rpc_config.h" + #include "lib/global_contexts.h" ++#include "source3/lib/substitute.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_WINBIND +-- +2.33.1 + + +From 1184733a1628c1187a215956195ca806419db16d Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 11 Nov 2021 05:23:09 +0100 +Subject: [PATCH 2/8] samba-bgqd: fix startup and logging + +Let samba-bgqd use the new POPT_COMMON_DAEMON infrastructure. + +The calls to setup_logging() can safely be removed as this is already taken care +of by samba_cmdline_init(). + +To avoid a logfile basename of ".log" when using "%m", we add a call to +set_remote_machine_name(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897 + +Signed-off-by: Ralph Boehme +--- + source3/printing/samba-bgqd.c | 35 ++++++++++------------------------- + 1 file changed, 10 insertions(+), 25 deletions(-) + +diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c +index 8ac6ec525b2..2cd6a8e007a 100644 +--- a/source3/printing/samba-bgqd.c ++++ b/source3/printing/samba-bgqd.c +@@ -40,6 +40,7 @@ + #include "source3/lib/util_procid.h" + #include "source3/auth/proto.h" + #include "source3/printing/queue_process.h" ++#include "source3/lib/substitute.h" + + static void watch_handler(struct tevent_req *req) + { +@@ -235,6 +236,7 @@ static int closeall_except_fd_params( + + int main(int argc, const char *argv[]) + { ++ struct samba_cmdline_daemon_cfg *cmdline_daemon_cfg = NULL; + const struct loadparm_substitution *lp_sub = + loadparm_s3_global_substitution(); + const char *progname = getprogname(); +@@ -245,8 +247,6 @@ int main(int argc, const char *argv[]) + struct tevent_req *watch_req = NULL; + struct tevent_signal *sigterm_handler = NULL; + struct bq_state *bq = NULL; +- int foreground = 0; +- int no_process_group = 0; + int log_stdout = 0; + int ready_signal_fd = -1; + int watch_fd = -1; +@@ -259,21 +259,7 @@ int main(int argc, const char *argv[]) + struct poptOption long_options[] = { + POPT_AUTOHELP + POPT_COMMON_SAMBA +- { +- .longName = "foreground", +- .shortName = 'F', +- .argInfo = POPT_ARG_NONE, +- .arg = &foreground, +- .descrip = "Run daemon in foreground " +- "(for daemontools, etc.)", +- }, +- { +- .longName = "no-process-group", +- .shortName = '\0', +- .argInfo = POPT_ARG_NONE, +- .arg = &no_process_group, +- .descrip = "Don't create a new process group" , +- }, ++ POPT_COMMON_DAEMON + + /* + * File descriptor to write the PID of the helper +@@ -311,6 +297,7 @@ int main(int argc, const char *argv[]) + frame = talloc_stackframe(); + + umask(0); ++ set_remote_machine_name("smbd-bgqd", true); + + ok = samba_cmdline_init(frame, + SAMBA_CMDLINE_CONFIG_SERVER, +@@ -320,6 +307,8 @@ int main(int argc, const char *argv[]) + exit(ENOMEM); + } + ++ cmdline_daemon_cfg = samba_cmdline_get_daemon_cfg(); ++ + pc = samba_popt_get_context(progname, + argc, + argv, +@@ -340,16 +329,12 @@ int main(int argc, const char *argv[]) + + log_stdout = (debug_get_log_type() == DEBUG_STDOUT); + +- if (foreground) { ++ if (!cmdline_daemon_cfg->fork) { + daemon_status(progname, "Starting process ... "); + } else { +- become_daemon(true, no_process_group, log_stdout); +- } +- +- if (log_stdout) { +- setup_logging(progname, DEBUG_STDOUT); +- } else { +- setup_logging(progname, DEBUG_FILE); ++ become_daemon(true, ++ cmdline_daemon_cfg->no_process_group, ++ log_stdout); + } + + BlockSignals(true, SIGPIPE); +-- +2.33.1 + + +From 1a0a1ccbe888332ea134b16bfac0d0d011bf1f4c Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 10 Nov 2021 18:27:08 +0100 +Subject: [PATCH 3/8] winbindd: remove is_default_dyn_LOGFILEBASE() logic + +Handling of -l commandline parameter is already implemented by lib/cmdline/. + +is_default_dyn_LOGFILEBASE() == true is the default case and this causes us to +temporarily overwrite the configured logfile with LOGFILEBASE/log.winbindd until +winbindd_reload_services_file() restores it. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897 + +Signed-off-by: Ralph Boehme +--- + source3/winbindd/winbindd.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c +index 290454619a4..58c5ffbced4 100644 +--- a/source3/winbindd/winbindd.c ++++ b/source3/winbindd/winbindd.c +@@ -1717,15 +1717,6 @@ int main(int argc, const char **argv) + + poptFreeContext(pc); + +- if (is_default_dyn_LOGFILEBASE()) { +- char *lfile = NULL; +- if (asprintf(&lfile,"%s/log.winbindd", +- get_dyn_LOGFILEBASE()) > 0) { +- lp_set_logfile(lfile); +- SAFE_FREE(lfile); +- } +- } +- + reopen_logs(); + + DEBUG(0,("winbindd version %s started.\n", samba_version_string())); +-- +2.33.1 + + +From bcbf9fb6669933cc3dcf1f615d2885c542a08035 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 10 Nov 2021 14:13:11 +0100 +Subject: [PATCH 4/8] lib/debug: fix fd check before dup'ing to stderr + +Before I added per-class logfile and we had only one fd for the logfile the code +looked like this: + + /* Take over stderr to catch output into logs */ + if (state.fd > 0) { + if (dup2(state.fd, 2) == -1) { + /* Close stderr too, if dup2 can't point it - + at the logfile. There really isn't much + that can be done on such a fundamental + failure... */ + close_low_fd(2); + } + } + +In the current code the equivalent to state.fd is dbgc_config[DBGC_ALL].fd. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897 + +Signed-off-by: Ralph Boehme +--- + lib/util/debug.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/util/debug.c b/lib/util/debug.c +index 4fd17679227..b271608621a 100644 +--- a/lib/util/debug.c ++++ b/lib/util/debug.c +@@ -1125,7 +1125,6 @@ bool reopen_logs_internal(void) + { + struct debug_backend *b = NULL; + mode_t oldumask; +- int new_fd = 0; + size_t i; + bool ok; + +@@ -1190,7 +1189,7 @@ bool reopen_logs_internal(void) + * If log file was opened or created successfully, take over stderr to + * catch output into logs. + */ +- if (new_fd != -1) { ++ if (dbgc_config[DBGC_ALL].fd > 0) { + if (dup2(dbgc_config[DBGC_ALL].fd, 2) == -1) { + /* Close stderr too, if dup2 can't point it - + at the logfile. There really isn't much +-- +2.33.1 + + +From 9f76bd48d87eb03c66dfe942b4a84e997a8fe8ba Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 8 Nov 2021 19:41:50 +0100 +Subject: [PATCH 5/8] lib/debug: in debug_set_logfile() call + reopen_logs_internal() + +This simplifies the logging API for callers that typically would want to set +logging by just setup_logging() once without bothering that typically +configuration is loaded (via some lpcfg_load*() or lp_load*() varient) which +will only then pick up the configured logfile from smb.conf without actually +applying the new logifle to the logging subsytem. + +Therefor our daemons will additionally call reopen_logs() explicitly in their +startup code after config is loaded, eg + + setup_logging(getprogname(), DEBUG_FILE); + ... + lpcfg_load(lp_ctx, config_file); + ... + reopen_logs(); + +By calling reopen_logs_internal() implicitly from debug_set_logfile() there's no +need to call reopen_logs() explicitly anymore to apply the logfile. + +As reopen_logs() will also apply other logging configuration options, we have to +keep the explicit calls in the daemon code. But at least this allows consistent +logging setup wrt to the logfile in the new cmdline library. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897 + +Signed-off-by: Ralph Boehme +--- + lib/util/debug.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/util/debug.c b/lib/util/debug.c +index b271608621a..171b5e15008 100644 +--- a/lib/util/debug.c ++++ b/lib/util/debug.c +@@ -1018,6 +1018,8 @@ void debug_set_logfile(const char *name) + } + TALLOC_FREE(dbgc_config[DBGC_ALL].logfile); + dbgc_config[DBGC_ALL].logfile = talloc_strdup(NULL, name); ++ ++ reopen_logs_internal(); + } + + static void debug_close_fd(int fd) +-- +2.33.1 + + +From b80911bc1a306cac479ee3feabdcea124946cdde Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 8 Nov 2021 12:08:47 +0100 +Subject: [PATCH 6/8] lib/cmdline: fix indentation + +s/whitespace/tab/ + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897 + +Signed-off-by: Ralph Boehme +--- + lib/cmdline/cmdline_s3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/cmdline/cmdline_s3.c b/lib/cmdline/cmdline_s3.c +index 1f8d9ed5eb5..639d403aed3 100644 +--- a/lib/cmdline/cmdline_s3.c ++++ b/lib/cmdline/cmdline_s3.c +@@ -55,7 +55,7 @@ static bool _samba_cmdline_load_config_s3(void) + case SAMBA_CMDLINE_CONFIG_CLIENT: + ok = lp_load_client(config_file); + break; +- case SAMBA_CMDLINE_CONFIG_SERVER: ++ case SAMBA_CMDLINE_CONFIG_SERVER: + { + const struct samba_cmdline_daemon_cfg *cmdline_daemon_cfg = + samba_cmdline_get_daemon_cfg(); +-- +2.33.1 + + +From a6b6b0b6e6dfcd2c8e2c2085d20cd16c51e3b379 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 8 Nov 2021 12:09:16 +0100 +Subject: [PATCH 7/8] lib/cmdline: remember config_type in samba_cmdline_init() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897 + +Signed-off-by: Ralph Boehme +--- + lib/cmdline/cmdline_s4.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/cmdline/cmdline_s4.c b/lib/cmdline/cmdline_s4.c +index 61c1b96ba8d..6ef6f59db49 100644 +--- a/lib/cmdline/cmdline_s4.c ++++ b/lib/cmdline/cmdline_s4.c +@@ -25,6 +25,7 @@ + #include "cmdline_private.h" + + static bool _require_smbconf; ++static enum samba_cmdline_config_type _config_type; + + static bool _samba_cmdline_load_config_s4(void) + { +@@ -81,6 +82,7 @@ bool samba_cmdline_init(TALLOC_CTX *mem_ctx, + return false; + } + _require_smbconf = require_smbconf; ++ _config_type = config_type; + + creds = cli_credentials_init(mem_ctx); + if (creds == NULL) { +-- +2.33.1 + + +From e1d6ab1b0dbd8ff30019edf804c4766b066db4b7 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 8 Nov 2021 12:09:43 +0100 +Subject: [PATCH 8/8] lib/cmdline: setup default file logging for servers + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14897 +RN: samba process doesn't log to logfile + +Signed-off-by: Ralph Boehme +--- + lib/cmdline/cmdline_s4.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/lib/cmdline/cmdline_s4.c b/lib/cmdline/cmdline_s4.c +index 6ef6f59db49..29e9f34bbe2 100644 +--- a/lib/cmdline/cmdline_s4.c ++++ b/lib/cmdline/cmdline_s4.c +@@ -44,6 +44,20 @@ static bool _samba_cmdline_load_config_s4(void) + } + } + ++ switch (_config_type) { ++ case SAMBA_CMDLINE_CONFIG_SERVER: { ++ const struct samba_cmdline_daemon_cfg *cmdline_daemon_cfg = ++ samba_cmdline_get_daemon_cfg(); ++ ++ if (!cmdline_daemon_cfg->interactive) { ++ setup_logging(getprogname(), DEBUG_FILE); ++ } ++ break; ++ } ++ default: ++ break; ++ } ++ + config_file = get_dyn_CONFIGFILE(); + ok = lpcfg_load(lp_ctx, config_file); + if (!ok) { +-- +2.33.1 + diff --git a/SOURCES/samba-4.15.1-winexe.patch b/SOURCES/samba-4.15.1-winexe.patch new file mode 100644 index 0000000..38460b3 --- /dev/null +++ b/SOURCES/samba-4.15.1-winexe.patch @@ -0,0 +1,61 @@ +From 3d02bf10d7738fe604b524863764de3ca1faa081 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 4 Nov 2021 22:22:44 +0100 +Subject: [PATCH] s3-winexe: Fix winexe core dump (use-after-free) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14893 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Fri Nov 5 11:43:57 UTC 2021 on sn-devel-184 + +(cherry picked from commit e9495d2ed28a26899dc3dd77bdfe56e284980218) +--- + examples/winexe/winexe.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c +index 3e0813a4091..59fb9dbdebb 100644 +--- a/examples/winexe/winexe.c ++++ b/examples/winexe/winexe.c +@@ -220,8 +220,6 @@ static void parse_args(int argc, const char *argv[], + *port_str = '\0'; + } + +- poptFreeContext(pc); +- + if (options->runas == NULL && options->runas_file != NULL) { + struct cli_credentials *runas_cred; + const char *user; +@@ -253,9 +251,19 @@ static void parse_args(int argc, const char *argv[], + + options->credentials = samba_cmdline_get_creds(); + +- options->hostname = argv_new[0] + 2; ++ options->hostname = talloc_strdup(mem_ctx, argv_new[0] + 2); ++ if (options->hostname == NULL) { ++ DBG_ERR("Out of memory\n"); ++ exit(1); ++ } + options->port = port; +- options->cmd = argv_new[1]; ++ options->cmd = talloc_strdup(mem_ctx, argv_new[1]); ++ if (options->cmd == NULL) { ++ DBG_ERR("Out of memory\n"); ++ exit(1); ++ } ++ ++ poptFreeContext(pc); + + options->flags = flag_interactive; + if (flag_reinstall) { +-- +2.33.1 + diff --git a/SOURCES/samba-4.15.2-smbclient_anonymous.patch b/SOURCES/samba-4.15.2-smbclient_anonymous.patch new file mode 100644 index 0000000..477ddef --- /dev/null +++ b/SOURCES/samba-4.15.2-smbclient_anonymous.patch @@ -0,0 +1,58 @@ +From 61fd63d70578043de9f3bff1c3267c499dbf50a0 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 10 Nov 2021 12:06:51 +0100 +Subject: [PATCH] auth:creds: Guess the username first via getpwuid(my_id) + +If we have a container, we often don't have USER or LOGNAME set. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14883 + +Tested-by: Anoop C S +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit c28be4067463e582e378df402f812e510883d606) +--- + auth/credentials/credentials.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c +index 02a3cf3b354..c5a6ba6940c 100644 +--- a/auth/credentials/credentials.c ++++ b/auth/credentials/credentials.c +@@ -30,6 +30,7 @@ + #include "tevent.h" + #include "param/param.h" + #include "system/filesys.h" ++#include "system/passwd.h" + + /** + * Create a new credentials structure +@@ -1159,6 +1160,7 @@ _PUBLIC_ bool cli_credentials_guess(struct cli_credentials *cred, + { + const char *error_string; + const char *env = NULL; ++ struct passwd *pwd = NULL; + bool ok; + + if (lp_ctx != NULL) { +@@ -1168,6 +1170,17 @@ _PUBLIC_ bool cli_credentials_guess(struct cli_credentials *cred, + } + } + ++ pwd = getpwuid(getuid()); ++ if (pwd != NULL) { ++ size_t len = strlen(pwd->pw_name); ++ ++ if (len > 0 && len <= 1024) { ++ (void)cli_credentials_parse_string(cred, ++ pwd->pw_name, ++ CRED_GUESS_ENV); ++ } ++ } ++ + env = getenv("LOGNAME"); + if (env != NULL) { + size_t len = strlen(env); +-- +2.33.1 + diff --git a/SOURCES/samba-4.15.2.tar.asc b/SOURCES/samba-4.15.2.tar.asc new file mode 100644 index 0000000..b55faa8 --- /dev/null +++ b/SOURCES/samba-4.15.2.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmGJC1MACgkQqplEL7aA +tiCwkhAAgHQFzw/TiURShe+AAw9eE168VXPICTBPNSRRiYH2FBbqG4qSHxG/SSAr +Fq8tMAoGhVuPC+Rjie7wMYoF9R7wd3X+KQ2GzLismbHS6Cn2C1EJ0cX/UJqP+Qpu +vitKHTpczNqEtWbYiMO2NKuLz1pyGl8/i/HErlVmSVFrHUnyLDXkZn1R1+R8b4hg +9Nj27L41ndAqyws24MCKoWNuhkwCN3QLf/n4/b22wZwJyNmiwvJlH5nK0RF4gY1T +Ne09HHNovcBvIgtJCp+ABcSKVQXGj2L47XDLBEXU4AeM+dzbRP0dBOCzs50ZbYQ1 +8JMq7+r/MWSKuiDf1ofW6EYZPcxRsKcFGhpnP7rlMucxNRN358CqTaVW8qmhBRDV +9mglTBX6ie+Jj8fYP7Ak5rc+LYxolfTZmniH+dk7HH4QUdXjL/P3SpSwhwNmxtmc +JCWP4Tszw0tpRwoGRdt3A+I1/YRRCftSL5/Nm8q+ERyW77uVH+IkWdAsjuZUHyod +sT1+YQGoPrBRmESpugqqKQKQ9/CgVL1PZLjfKAgFP2a5/gwTr12rjXXn7uEMShjq +WDduBZRH6873IcVYkV/TVmqd+AfHk31d4B4Djzy7itGqF4XNCpWFlmLj4kApNY99 +IXPfzua5Owjc8LIZssRSmPE0BLa1ElCfPvk6q2IJnpWZ04EdCjo= +=sYeb +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-ctdb-etcd-reclock.patch b/SOURCES/samba-ctdb-etcd-reclock.patch new file mode 100644 index 0000000..2a55408 --- /dev/null +++ b/SOURCES/samba-ctdb-etcd-reclock.patch @@ -0,0 +1,30 @@ +From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001 +From: Martin Schwenke +Date: Tue, 27 Apr 2021 15:46:14 +1000 +Subject: [PATCH] utils: Use Python 3 + +Due to the number of flake8 and pylint warnings it is unclear if the +source has Python 3 incompatibilities. These will be cleaned up in +subsequent commits. + +Signed-off-by: "L.P.H. van Belle" +Reviewed-by: Martin Schwenke +Reviewed-by: David Disseldorp +Reviewed-by: Jose A. Rivera +--- + ctdb/utils/etcd/ctdb_etcd_lock | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock +index 000c6bb7208..7f5194eff0a 100755 +--- a/ctdb/utils/etcd/ctdb_etcd_lock ++++ b/ctdb/utils/etcd/ctdb_etcd_lock +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/env python3 + # + # This program is free software: you can redistribute it and/or modify + # it under the terms of the GNU General Public License as published by +-- +2.31.1 + diff --git a/SOURCES/samba-s4u.patch b/SOURCES/samba-s4u.patch new file mode 100644 index 0000000..8e84d96 --- /dev/null +++ b/SOURCES/samba-s4u.patch @@ -0,0 +1,697 @@ +From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 27 Sep 2019 18:25:03 +0300 +Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support + +Signed-off-by: Isaac Boukris +Pair-Programmed-With: Andreas Schneider +--- + source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------ + source4/kdc/mit_samba.c | 47 ++------- + source4/kdc/mit_samba.h | 6 +- + 3 files changed, 71 insertions(+), 106 deletions(-) + +diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c +index f35210669c2..b1c7c5dcc5e 100644 +--- a/source4/kdc/mit-kdb/kdb_samba_policies.c ++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c +@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, + krb5_keyblock *krbtgt_key, + krb5_timestamp authtime, + krb5_authdata **tgt_auth_data, +- krb5_pac *pac) ++ krb5_pac *out_pac) + { + struct mit_samba_context *mit_ctx; + krb5_authdata **authdata = NULL; +- krb5_pac ipac = NULL; +- DATA_BLOB logon_data = { NULL, 0 }; ++ krb5_keyblock *header_server_key = NULL; ++ krb5_key_data *impersonator_kd = NULL; ++ krb5_keyblock impersonator_key = {0}; + krb5_error_code code; ++ krb5_pac pac; ++ ++ *out_pac = NULL; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { +@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, + code = krb5_pac_parse(context, + authdata[0]->contents, + authdata[0]->length, +- &ipac); ++ &pac); + if (code != 0) { + goto done; + } + +- /* TODO: verify this is correct +- * +- * In the constrained delegation case, the PAC is from a service +- * ticket rather than a TGT; we must verify the server and KDC +- * signatures to assert that the server did not forge the PAC. ++ /* ++ * For constrained delegation in MIT version < 1.18 we aren't provided ++ * with the 2nd ticket server key to verify the PAC. ++ * We can workaround that by fetching the key from the client db entry, ++ * which is the impersonator account in that version. ++ * TODO: use the provided entry in the new 1.18 version. + */ + if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { +- code = krb5_pac_verify(context, +- ipac, +- authtime, +- client_princ, +- server_key, +- krbtgt_key); ++ /* The impersonator must be local. */ ++ if (client == NULL) { ++ code = KRB5KDC_ERR_BADOPTION; ++ goto done; ++ } ++ /* Fetch and decrypt 2nd ticket server's current key. */ ++ code = krb5_dbe_find_enctype(context, client, -1, -1, 0, ++ &impersonator_kd); ++ if (code != 0) { ++ goto done; ++ } ++ code = krb5_dbe_decrypt_key_data(context, NULL, ++ impersonator_kd, ++ &impersonator_key, NULL); ++ if (code != 0) { ++ goto done; ++ } ++ header_server_key = &impersonator_key; + } else { +- code = krb5_pac_verify(context, +- ipac, +- authtime, +- client_princ, +- krbtgt_key, +- NULL); +- } +- if (code != 0) { +- goto done; ++ header_server_key = krbtgt_key; + } + +- /* check and update PAC */ +- code = krb5_pac_parse(context, +- authdata[0]->contents, +- authdata[0]->length, +- pac); ++ code = krb5_pac_verify(context, pac, authtime, client_princ, ++ header_server_key, NULL); + if (code != 0) { + goto done; + } +@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, + code = mit_samba_reget_pac(mit_ctx, + context, + flags, +- client_princ, + client, + server, + krbtgt, + krbtgt_key, +- pac); ++ &pac); ++ if (code != 0) { ++ goto done; ++ } ++ ++ *out_pac = pac; ++ pac = NULL; + + done: ++ krb5_free_keyblock_contents(context, &impersonator_key); + krb5_free_authdata(context, authdata); +- krb5_pac_free(context, ipac); +- free(logon_data.data); ++ krb5_pac_free(context, pac); + + return code; + } +@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + krb5_authdata **pac_auth_data = NULL; + krb5_authdata **authdata = NULL; + krb5_boolean is_as_req; ++ krb5_const_principal pac_client; + krb5_error_code code; + krb5_pac pac = NULL; + krb5_data pac_data; +@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; + krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; + +- /* FIXME: We don't support S4U yet */ +- if (flags & KRB5_KDB_FLAGS_S4U) { +- return KRB5_KDB_DBTYPE_NOSUP; +- } +- + is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); + + /* +@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + ks_client_princ = client->princ; + } + ++ /* In protocol transition, we are currently not provided with the tgt ++ * client name to verify the PAC, we could probably skip the name ++ * verification and just verify the signatures, but since we don't ++ * support cross-realm nor aliases, we can just use server->princ */ ++ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { ++ pac_client = server->princ; ++ } else { ++ pac_client = ks_client_princ; ++ } ++ + if (client_entry == NULL) { + client_entry = client; + } +@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + + code = ks_verify_pac(context, + flags, +- ks_client_princ, ++ pac_client, + client_entry, + server, + krbtgt, +@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + is_as_req ? "AS-REQ" : "TGS-REQ", + client_name); + code = krb5_pac_sign(context, pac, authtime, ks_client_princ, +- server_key, krbtgt_key, &pac_data); ++ server_key, krbtgt_key, &pac_data); + if (code != 0) { + DBG_ERR("krb5_pac_sign failed: %d\n", code); + goto done; +@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + KRB5_AUTHDATA_IF_RELEVANT, + authdata, + signed_auth_data); +- if (code != 0) { +- goto done; +- } +- +- code = 0; +- + done: + if (client_entry != NULL && client_entry != client) { + ks_free_principal(context, client_entry); +@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, + * server; -> delegating service + * proxy; -> target principal + */ +- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server); +- +- char *target_name = NULL; +- bool is_enterprise; +- krb5_error_code code; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { + return KRB5_KDB_DBNOTINITED; + } + +- code = krb5_unparse_name(context, proxy, &target_name); +- if (code) { +- goto done; +- } +- +- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL); +- +- code = mit_samba_check_s4u2proxy(mit_ctx, +- delegating_service, +- target_name, +- is_enterprise); +- +-done: +- free(target_name); +- return code; ++ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy); + } + + +diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c +index 4239332f0d9..acc3cba6254 100644 +--- a/source4/kdc/mit_samba.c ++++ b/source4/kdc/mit_samba.c +@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, + krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, +- krb5_const_principal client_principal, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, +@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + context, + *pac, + server->princ, +- discard_const(client_principal), ++ client->princ, + deleg_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("Update delegation info failed: %s\n", +@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, + } + + int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, +- krb5_db_entry *kentry, +- const char *target_name, +- bool is_nt_enterprise_name) ++ const krb5_db_entry *server, ++ krb5_const_principal target_principal) + { +-#if 1 +- /* +- * This is disabled because mit_samba_update_pac_data() does not handle +- * S4U_DELEGATION_INFO +- */ +- +- return KRB5KDC_ERR_BADOPTION; +-#else +- krb5_principal target_principal; +- int flags = 0; +- int ret; +- +- if (is_nt_enterprise_name) { +- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; +- } +- +- ret = krb5_parse_name_flags(ctx->context, target_name, +- flags, &target_principal); +- if (ret) { +- return ret; +- } +- +- ret = samba_kdc_check_s4u2proxy(ctx->context, +- ctx->db_ctx, +- skdc_entry, +- target_principal); +- +- krb5_free_principal(ctx->context, target_principal); +- +- return ret; +-#endif ++ struct samba_kdc_entry *server_skdc_entry = ++ talloc_get_type_abort(server->e_data, ++ struct samba_kdc_entry); ++ ++ return samba_kdc_check_s4u2proxy(ctx->context, ++ ctx->db_ctx, ++ server_skdc_entry, ++ target_principal); + } + + static krb5_error_code mit_samba_change_pwd_error(krb5_context context, +diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h +index 636c77ec97c..9cb00c9610e 100644 +--- a/source4/kdc/mit_samba.h ++++ b/source4/kdc/mit_samba.h +@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, + krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, +- krb5_const_principal client_principal, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, +@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, + DATA_BLOB *e_data); + + int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, +- krb5_db_entry *kentry, +- const char *target_name, +- bool is_nt_enterprise_name); ++ const krb5_db_entry *server, ++ krb5_const_principal target_principal); + + int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, + char *pwd, +-- +2.33.1 + + +From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 27 Sep 2019 18:35:30 +0300 +Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build + +Signed-off-by: Isaac Boukris +Pair-Programmed-With: Andreas Schneider +--- + lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++ + lib/krb5_wrap/krb5_samba.h | 2 - + source4/auth/kerberos/kerberos_util.c | 11 -- + 3 files changed, 185 insertions(+), 13 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index fff5b4e2a22..791b417d5ba 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + + return 0; + } ++ ++#else /* MIT */ ++ ++static bool princ_compare_no_dollar(krb5_context ctx, ++ krb5_principal a, ++ krb5_principal b) ++{ ++ bool cmp; ++ krb5_principal mod = NULL; ++ ++ if (a->length == 1 && b->length == 1 && ++ a->data[0].length != 0 && b->data[0].length != 0 && ++ a->data[0].data[a->data[0].length -1] != ++ b->data[0].data[b->data[0].length -1]) { ++ if (a->data[0].data[a->data[0].length -1] == '$') { ++ mod = a; ++ mod->data[0].length--; ++ } else if (b->data[0].data[b->data[0].length -1] == '$') { ++ mod = b; ++ mod->data[0].length--; ++ } ++ } ++ ++ cmp = krb5_principal_compare_flags(ctx, a, b, ++ KRB5_PRINCIPAL_COMPARE_CASEFOLD); ++ ++ if (mod != NULL) { ++ mod->data[0].length++; ++ } ++ ++ return cmp; ++} ++ ++krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, ++ krb5_ccache store_cc, ++ krb5_principal init_principal, ++ const char *init_password, ++ krb5_principal impersonate_principal, ++ const char *self_service, ++ const char *target_service, ++ krb5_get_init_creds_opt *krb_options, ++ time_t *expire_time, ++ time_t *kdc_time) ++{ ++ krb5_error_code code; ++ krb5_principal self_princ = NULL; ++ krb5_principal target_princ = NULL; ++ krb5_creds *store_creds; ++ krb5_creds *s4u2self_creds = NULL; ++ krb5_creds *s4u2proxy_creds = NULL; ++ krb5_creds init_creds = {0}; ++ krb5_creds mcreds = {0}; ++ krb5_flags options = KRB5_GC_NO_STORE; ++ krb5_ccache tmp_cc; ++ bool s4u2proxy; ++ ++ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc); ++ if (code != 0) { ++ return code; ++ } ++ ++ code = krb5_get_init_creds_password(ctx, &init_creds, ++ init_principal, ++ init_password, ++ NULL, NULL, ++ 0, ++ NULL, ++ krb_options); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* ++ * Check if we also need S4U2Proxy or if S4U2Self is ++ * enough in order to get a ticket for the target. ++ */ ++ if (target_service == NULL) { ++ s4u2proxy = false; ++ } else if (strcmp(target_service, self_service) == 0) { ++ s4u2proxy = false; ++ } else { ++ s4u2proxy = true; ++ } ++ ++ code = krb5_parse_name(ctx, self_service, &self_princ); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt ++ * client and the request server to be the same principal name. */ ++ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) { ++ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ++ goto done; ++ } ++ ++ mcreds.client = impersonate_principal; ++ mcreds.server = init_creds.client; ++ ++ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds, ++ NULL, &s4u2self_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ if (s4u2proxy) { ++ code = krb5_parse_name(ctx, target_service, &target_princ); ++ if (code != 0) { ++ goto done; ++ } ++ ++ mcreds.client = init_creds.client; ++ mcreds.server = target_princ; ++ mcreds.second_ticket = s4u2self_creds->ticket; ++ ++ code = krb5_get_credentials(ctx, options | ++ KRB5_GC_CONSTRAINED_DELEGATION, ++ tmp_cc, &mcreds, &s4u2proxy_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* Check KDC support of S4U2Proxy extension */ ++ if (!krb5_principal_compare(ctx, s4u2self_creds->client, ++ s4u2proxy_creds->client)) { ++ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ++ goto done; ++ } ++ ++ store_creds = s4u2proxy_creds; ++ } else { ++ store_creds = s4u2self_creds;; ++ ++ /* We need to save the ticket with the requested server name ++ * or the caller won't be able to find it in cache. */ ++ if (!krb5_principal_compare(ctx, self_princ, ++ store_creds->server)) { ++ krb5_free_principal(ctx, store_creds->server); ++ store_creds->server = NULL; ++ code = krb5_copy_principal(ctx, self_princ, ++ &store_creds->server); ++ if (code != 0) { ++ goto done; ++ } ++ } ++ } ++ ++ code = krb5_cc_initialize(ctx, store_cc, store_creds->client); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_store_cred(ctx, store_cc, store_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ if (expire_time) { ++ *expire_time = (time_t) store_creds->times.endtime; ++ } ++ ++ if (kdc_time) { ++ *kdc_time = (time_t) store_creds->times.starttime; ++ } ++ ++done: ++ krb5_cc_destroy(ctx, tmp_cc); ++ krb5_free_cred_contents(ctx, &init_creds); ++ krb5_free_creds(ctx, s4u2self_creds); ++ krb5_free_creds(ctx, s4u2proxy_creds); ++ krb5_free_principal(ctx, self_princ); ++ krb5_free_principal(ctx, target_princ); ++ ++ return code; ++} + #endif + + #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) +diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h +index eab67f6d969..b5385c69a33 100644 +--- a/lib/krb5_wrap/krb5_samba.h ++++ b/lib/krb5_wrap/krb5_samba.h +@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); +-#ifdef SAMBA4_USES_HEIMDAL + krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + krb5_ccache store_cc, + krb5_principal init_principal, +@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); +-#endif + + #if defined(HAVE_KRB5_MAKE_PRINCIPAL) + #define smb_krb5_make_principal krb5_make_principal +diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c +index 544d9d853cc..c14d8c72d8c 100644 +--- a/source4/auth/kerberos/kerberos_util.c ++++ b/source4/auth/kerberos/kerberos_util.c +@@ -234,9 +234,7 @@ done: + { + krb5_error_code ret; + const char *password; +-#ifdef SAMBA4_USES_HEIMDAL + const char *self_service; +-#endif + const char *target_service; + time_t kdc_time = 0; + krb5_principal princ; +@@ -268,9 +266,7 @@ done: + return ret; + } + +-#ifdef SAMBA4_USES_HEIMDAL + self_service = cli_credentials_get_self_service(credentials); +-#endif + target_service = cli_credentials_get_target_service(credentials); + + password = cli_credentials_get_password(credentials); +@@ -331,7 +327,6 @@ done: + #endif + if (password) { + if (impersonate_principal) { +-#ifdef SAMBA4_USES_HEIMDAL + ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context, + ccache, + princ, +@@ -342,12 +337,6 @@ done: + krb_options, + NULL, + &kdc_time); +-#else +- talloc_free(mem_ctx); +- (*error_string) = "INTERNAL error: s4u2 ops " +- "are not supported with MIT build yet"; +- return EINVAL; +-#endif + } else { + ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, + ccache, +-- +2.33.1 + + +From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 19 Sep 2020 14:16:20 +0200 +Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code + +--- + source4/heimdal/lib/hdb/hdb.h | 1 + + source4/kdc/db-glue.c | 8 ++++++-- + source4/kdc/mit_samba.c | 3 +++ + source4/kdc/sdb.h | 1 + + 4 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h +index 5ef9d9565f3..dafaffc6c2d 100644 +--- a/source4/heimdal/lib/hdb/hdb.h ++++ b/source4/heimdal/lib/hdb/hdb.h +@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; + #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ + #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ + #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ ++#define HDB_F_FORCE_CANON 16384 /* force canonicalition */ + + /* hdb_capability_flags */ + #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 +diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c +index aff74f2ee71..d16b4c3329a 100644 +--- a/source4/kdc/db-glue.c ++++ b/source4/kdc/db-glue.c +@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, + } + } + +- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { ++ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ? + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + if (ret) { + krb5_clear_error_message(context); + goto out; + } +- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) { ++ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){ + /* + * SDB_F_CANON maps from the canonicalize flag in the + * packet, and has a different meaning between AS-REQ + * and TGS-REQ. We only change the principal in the AS-REQ case ++ * ++ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants ++ * the canonical name in all lookups, and takes care to canonicalize ++ * only when appropriate. + */ + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + if (ret) { +diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c +index acc3cba6254..f0b9df8b613 100644 +--- a/source4/kdc/mit_samba.c ++++ b/source4/kdc/mit_samba.c +@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, + if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { + sflags |= SDB_F_CANON; + } ++#if KRB5_KDB_API_VERSION >= 10 ++ sflags |= SDB_F_FORCE_CANON; ++#endif + if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | + KRB5_KDB_FLAG_INCLUDE_PAC)) { + /* +diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h +index c929acccce6..a9115ec23d7 100644 +--- a/source4/kdc/sdb.h ++++ b/source4/kdc/sdb.h +@@ -116,6 +116,7 @@ struct sdb_entry_ex { + #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ + #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ + #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ ++#define SDB_F_FORCE_CANON 16384 /* force canonicalition */ + + void sdb_free_entry(struct sdb_entry_ex *e); + void free_sdb_entry(struct sdb_entry *s); +-- +2.33.1 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 8d636fa..ac7c219 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -1,13 +1,20 @@ +# Define _make_verbose if it doesn't exist (RHEL8) +%{!?_make_verbose:%define _make_verbose V=1 VERBOSE=1} + # The testsuite is disabled by default. # # To build and run the tests use: # +# fedpkg local --with testsuite +# or # rpmbuild --rebuild --with testsuite samba.src.rpm # %bcond_with testsuite # Build with internal talloc, tevent, tdb and ldb. # +# fedpkg local --with=testsuite --with=includelibs +# or # rpmbuild --rebuild --with=testsuite --with=includelibs samba.src.rpm # %bcond_with includelibs @@ -42,18 +49,21 @@ %bcond_without winexe %endif -# Build vfs_ceph module by default on 64bit Fedora +# Build vfs_ceph module and ctdb cepth mutex helper by default on 64bit Fedora %if 0%{?fedora} %ifarch aarch64 ppc64le s390x x86_64 %bcond_without vfs_cephfs +%bcond_without ceph_mutex %else %bcond_with vfs_cephfs +%bcond_with ceph_mutex #endifarch %endif %else %bcond_with vfs_cephfs +%bcond_with ceph_mutex #endif fedora %endif @@ -106,15 +116,29 @@ #endif fedora || rhel >= 8 %endif +# Build the ctdb-pcp-pmda package by default on Fedora +%if 0%{?fedora} +%bcond_without pcp_pmda +%else +%bcond_with pcp_pmda +%endif + +# Build the etcd helpers by default on Fedora +%if 0%{?fedora} +%bcond_without etcd_mutex +%else +%bcond_with etcd_mutex +%endif + %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %global baserelease 2 -%global samba_version 4.14.5 -%global talloc_version 2.3.2 -%global tdb_version 1.4.3 -%global tevent_version 0.10.2 -%global ldb_version 2.3.0 +%global samba_version 4.15.2 +%global talloc_version 2.3.3 +%global tdb_version 1.4.4 +%global tevent_version 0.11.0 +%global ldb_version 2.4.1 # This should be rc1 or nil %global pre_release %nil @@ -177,7 +201,15 @@ Source14: samba.pamd Source201: README.downgrade -Patch0: samba-4.14-raise-dfs-enoent-debug-level.patch +Patch0: samba-s4u.patch +Patch1: samba-ctdb-etcd-reclock.patch +Patch2: samba-4.15.1-winexe.patch +Patch3: samba-4.15-fix-winbind-no-trusted-domain.patch +Patch4: samba-4.15-logfile.patch +Patch5: samba-4.15.2-smbclient_anonymous.patch +Patch6: samba-4.15-ipa-dc-schannel.patch +Patch7: samba-4.15-fix-recursive-dir-delete.patch +Patch8: samba-4.15-fix-recursive-dir-delete-symlinks.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -285,6 +317,16 @@ BuildRequires: libcephfs-devel BuildRequires: liburing-devel >= 0.4 %endif +%if %{with pcp_pmda} +BuildRequires: pcp-libs-devel +%endif +%if %{with ceph_mutex} +BuildRequires: librados-devel +%endif +%if %{with etcd_mutex} +BuildRequires: python3-etcd +%endif + %if %{with dc} || %{with testsuite} # Add python3-iso8601 to avoid that the # version in Samba is being packaged @@ -314,9 +356,13 @@ BuildRequires: python3-tdb >= %{tdb_version} BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: python3-ldb >= %{ldb_version} BuildRequires: python3-ldb-devel >= %{ldb_version} -%else +%endif + +%if %{with includelibs} || %{with testsuite} +# lmdb-devel is required for the mdb ldb module, if samba is configured +# to build includelibs we need lmdb-devel for building that module on our own BuildRequires: lmdb-devel -#endif without testsuite +#endif without includelibs %endif %if %{with dc} || %{with testsuite} @@ -326,6 +372,7 @@ BuildRequires: ldb-tools BuildRequires: python3-gpg BuildRequires: python3-markdown BuildRequires: python3-setproctitle +BuildRequires: python3-cryptography BuildRequires: tdb-tools %endif @@ -423,7 +470,7 @@ Obsoletes: ctdb-tests-debuginfo < %{samba_depver} # endif with clustering %endif -# If only build glusterfs for RHGS and Fedora, so obsolete it on other version +# We only build glusterfs for RHGS and Fedora, so obsolete it on other versions # of the distro %if %{without vfs_glusterfs} Obsoletes: samba-vfs-glusterfs < %{samba_depver} @@ -444,6 +491,15 @@ Requires: samba-libs = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif +# samba-tool needs python3-samba +Requires: python3-%{name} = %{samba_depver} +# samba-tool needs tdbbackup +Requires: tdb-tools +%if %{with dc} +# samba-tool needs mdb_copy for domain backup or upgrade provision +Requires: lmdb +%endif + Provides: bundled(libreplace) %description common-tools @@ -465,10 +521,6 @@ Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif -# samba-tool needs tdbbackup -Requires: tdb-tools -# samba-tool needs mdb_copy -Requires: lmdb Requires: ldb-tools Requires: python3-setproctitle # Force using libldb version to be the same as build version @@ -704,7 +756,7 @@ Summary: Samba python devel files Requires: python3-%{name} = %{samba_depver} %description -n python3-%{name}-devel -The python3-%{name}-devel package contains the Python 3 defel files. +The python3-%{name}-devel package contains the Python 3 devel files. %package -n python3-samba-test Summary: Samba Python libraries @@ -799,9 +851,12 @@ Summary: Samba winbind Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} +Requires(post): %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires(post): %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires(post): %{name}-libs = %{samba_depver} Requires: %{name}-winbind-modules = %{samba_depver} %if %{with libwbclient} @@ -961,6 +1016,45 @@ and use CTDB instead. #endif with testsuite %endif + +%if %{with pcp_pmda} + +%package -n ctdb-pcp-pmda +Summary: CTDB PCP pmda support +Requires: ctdb = %{samba_depver} +Requires: pcp-libs + +%description -n ctdb-pcp-pmda +Performance Co-Pilot (PCP) support for CTDB + +#endif with pcp_pmda +%endif + +%if %{with etcd_mutex} + +%package -n ctdb-etcd-mutex +Summary: CTDB ETCD mutex helper +Requires: ctdb = %{samba_depver} +Requires: python3-etcd + +%description -n ctdb-etcd-mutex +Support for using an existing ETCD cluster as a mutex helper for CTDB + +#endif with etcd_mutex +%endif + +%if %{with ceph_mutex} + +%package -n ctdb-ceph-mutex +Summary: CTDB ceph mutex helper +Requires: ctdb = %{samba_depver} + +%description -n ctdb-ceph-mutex +Support for using an existing CEPH cluster as a mutex helper for CTDB + +#endif with ceph_mutex +%endif + #endif with clustering %endif @@ -1051,8 +1145,18 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" %if %{with testsuite} --enable-selftest \ %endif +%if %{with pcp_pmda} + --enable-pmda \ +%endif +%if %{with ceph_mutex} + --enable-ceph-reclock \ +%endif +%if %{with etcd_mutex} + --enable-etcd-reclock \ +%endif --with-profiling-data \ --with-systemd \ + --with-quotas \ --systemd-install-services \ --with-systemddir=/usr/lib/systemd/system \ --systemd-smb-extra=%{_systemd_extra} \ @@ -1061,7 +1165,7 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" --systemd-samba-extra=%{_systemd_extra} # Do not use %%make_build, make is just a wrapper around waf in Samba! -%{__make} %{?_smp_mflags} V=1 +%{__make} %{?_smp_mflags} %{_make_verbose} pushd pidl %__perl Makefile.PL PREFIX=%{_prefix} @@ -1070,7 +1174,8 @@ pushd pidl popd %install -%make_install +# Do not use %%make_install, make is just a wrapper around waf in Samba! +%{__make} %{?_smp_mflags} %{_make_verbose} install DESTDIR=%{buildroot} install -d -m 0755 %{buildroot}/usr/{sbin,bin} install -d -m 0755 %{buildroot}%{_libdir}/security @@ -1158,12 +1263,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %if %{without dc} && %{without testsuite} for i in \ %{_libdir}/samba/libdfs-server-ad-samba4.so \ - %{_libdir}/samba/libdnsserver-common-samba4.so \ %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \ %{_libdir}/samba/libscavenge-dns-records-samba4.so \ %{_mandir}/man8/samba.8 \ %{_mandir}/man8/samba_downgrade_db.8 \ - %{_mandir}/man8/samba-tool.8 \ %{_mandir}/man8/samba-gpupdate.8 \ %{_libdir}/samba/ldb/ildap.so \ %{_libdir}/samba/ldb/ldbsamba_extensions.so \ @@ -1514,6 +1617,8 @@ fi %{_libdir}/samba/vfs/nfs4acl_xattr.so %endif +%{_libexecdir}/samba/samba-bgqd + %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc %{_datadir}/samba/mdssvc/elasticsearch_mappings.json @@ -1525,6 +1630,7 @@ fi %config(noreplace) %{_sysconfdir}/pam.d/samba %{_mandir}/man1/smbstatus.1* %{_mandir}/man8/eventlogadm.8* +%{_mandir}/man8/samba-bgqd.8* %{_mandir}/man8/smbd.8* %{_mandir}/man8/nmbd.8* %{_mandir}/man8/vfs_acl_tdb.8* @@ -1575,9 +1681,8 @@ fi %{_bindir}/cifsdd %{_bindir}/dbwrap_tool %{_bindir}/dumpmscat -%exclude %{_bindir}/findsmb %{_bindir}/mvxattr -%{_bindir}/mdfind +%{_bindir}/mdsearch %{_bindir}/nmblookup %{_bindir}/oLschema2ldif %{_bindir}/regdiff @@ -1604,9 +1709,8 @@ fi %{_mandir}/man1/regpatch.1* %{_mandir}/man1/regshell.1* %{_mandir}/man1/regtree.1* -%exclude %{_mandir}/man1/findsmb.1* %{_mandir}/man1/log2pcap.1* -%{_mandir}/man1/mdfind.1* +%{_mandir}/man1/mdsearch.1* %{_mandir}/man1/mvxattr.1* %{_mandir}/man1/rpcclient.1* %{_mandir}/man1/sharesec.1* @@ -1687,11 +1791,12 @@ fi %{_libdir}/samba/libclidns-samba4.so %{_libdir}/samba/libcluster-samba4.so %{_libdir}/samba/libcmdline-contexts-samba4.so -%{_libdir}/samba/libcmdline-credentials-samba4.so %{_libdir}/samba/libcommon-auth-samba4.so %{_libdir}/samba/libctdb-event-client-samba4.so %{_libdir}/samba/libdbwrap-samba4.so +%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so %{_libdir}/samba/libdcerpc-samba-samba4.so +%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so %{_libdir}/samba/libevents-samba4.so %{_libdir}/samba/libflag-mapping-samba4.so %{_libdir}/samba/libgenrand-samba4.so @@ -1745,7 +1850,6 @@ fi %{_libdir}/samba/libtime-basic-samba4.so %{_libdir}/samba/libtorture-samba4.so %{_libdir}/samba/libtrusts-util-samba4.so -%{_libdir}/samba/libutil-cmdline-samba4.so %{_libdir}/samba/libutil-reg-samba4.so %{_libdir}/samba/libutil-setid-samba4.so %{_libdir}/samba/libutil-tdb-samba4.so @@ -1771,7 +1875,7 @@ fi %{_libdir}/samba/ldb/asq.so %{_libdir}/samba/ldb/ldb.so -#%%{_libdir}/samba/ldb/mdb.so +%{_libdir}/samba/ldb/mdb.so %{_libdir}/samba/ldb/paged_searches.so %{_libdir}/samba/ldb/rdn_name.so %{_libdir}/samba/ldb/sample.so @@ -1809,8 +1913,7 @@ fi ### COMMON-libs %files common-libs # common libraries -%{_libdir}/samba/libpopt-samba3-cmdline-samba4.so -%{_libdir}/samba/libpopt-samba3-samba4.so +%{_libdir}/samba/libcmdline-samba4.so %dir %{_libdir}/samba/ldb @@ -1823,6 +1926,7 @@ fi %{_bindir}/net %{_bindir}/pdbedit %{_bindir}/profiles +%{_bindir}/samba-tool %{_bindir}/smbcontrol %{_bindir}/smbpasswd %{_bindir}/testparm @@ -1831,13 +1935,13 @@ fi %{_mandir}/man1/testparm.1* %{_mandir}/man8/net.8* %{_mandir}/man8/pdbedit.8* +%{_mandir}/man8/samba-tool.8* %{_mandir}/man8/smbpasswd.8* ### DC %if %{with dc} || %{with testsuite} %files dc %{_unitdir}/samba.service -%{_bindir}/samba-tool %{_sbindir}/samba %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_downgrade_db @@ -1905,7 +2009,6 @@ fi %{_mandir}/man8/samba.8* %{_mandir}/man8/samba_downgrade_db.8* %{_mandir}/man8/samba-gpupdate.8* -%{_mandir}/man8/samba-tool.8* %dir %{_datadir}/samba/admx %{_datadir}/samba/admx/samba.admx %dir %{_datadir}/samba/admx/en-US @@ -1948,7 +2051,6 @@ fi %endif %{_libdir}/libdcerpc-server.so.* -%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libdsdb-module-samba4.so %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so %{_libdir}/samba/libscavenge-dns-records-samba4.so @@ -1957,8 +2059,6 @@ fi %files dc-bind-dlz %attr(770,root,named) %dir /var/lib/samba/bind-dns %dir %{_libdir}/samba/bind9 -%{_libdir}/samba/bind9/dlz_bind9.so -%{_libdir}/samba/bind9/dlz_bind9_9.so %{_libdir}/samba/bind9/dlz_bind9_10.so %{_libdir}/samba/bind9/dlz_bind9_11.so %{_libdir}/samba/bind9/dlz_bind9_12.so @@ -2132,6 +2232,7 @@ fi %{_libdir}/samba/libauth4-samba4.so %{_libdir}/samba/libauth-unix-token-samba4.so %{_libdir}/samba/libdcerpc-samba4.so +%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libshares-samba4.so %{_libdir}/samba/libsmbpasswdparser-samba4.so %{_libdir}/samba/libxattr-tdb-samba4.so @@ -2226,6 +2327,7 @@ fi %{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc %{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc @@ -2248,7 +2350,14 @@ fi %{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_access_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_files_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_issue_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_motd_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_openssh_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_startup_scripts_ext.*.pyc %{python3_sitearch}/samba/__pycache__/vgp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_symlink_ext.*.pyc %{python3_sitearch}/samba/__pycache__/xattr.*.pyc %{python3_sitearch}/samba/_glue.*.so %{python3_sitearch}/samba/_ldb.*.so @@ -2277,6 +2386,7 @@ fi %{python3_sitearch}/samba/dcerpc/idmap.*.so %{python3_sitearch}/samba/dcerpc/initshutdown.*.so %{python3_sitearch}/samba/dcerpc/irpc.*.so +%{python3_sitearch}/samba/dcerpc/krb5ccache.*.so %{python3_sitearch}/samba/dcerpc/krb5pac.*.so %{python3_sitearch}/samba/dcerpc/lsa.*.so %{python3_sitearch}/samba/dcerpc/messaging.*.so @@ -2305,9 +2415,12 @@ fi %{python3_sitearch}/samba/descriptor.py %{python3_sitearch}/samba/dnsresolver.py %{python3_sitearch}/samba/drs_utils.py +%{python3_sitearch}/samba/dsdb.*.so +%{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py %{python3_sitearch}/samba/gpclass.py +%{python3_sitearch}/samba/gp_gnome_settings_ext.py %{python3_sitearch}/samba/gp_scripts_ext.py %{python3_sitearch}/samba/gp_sec_ext.py %{python3_sitearch}/samba/gpo.*.so @@ -2318,6 +2431,7 @@ fi %{python3_sitearch}/samba/messaging.*.so %{python3_sitearch}/samba/ndr.py %{python3_sitearch}/samba/net.*.so +%{python3_sitearch}/samba/net_s3.*.so %{python3_sitearch}/samba/ntstatus.*.so %{python3_sitearch}/samba/posix_eadb.*.so %dir %{python3_sitearch}/samba/emulate @@ -2440,7 +2554,14 @@ fi %{python3_sitearch}/samba/trust_utils.py %{python3_sitearch}/samba/upgrade.py %{python3_sitearch}/samba/upgradehelpers.py +%{python3_sitearch}/samba/vgp_access_ext.py +%{python3_sitearch}/samba/vgp_files_ext.py +%{python3_sitearch}/samba/vgp_issue_ext.py +%{python3_sitearch}/samba/vgp_motd_ext.py +%{python3_sitearch}/samba/vgp_openssh_ext.py +%{python3_sitearch}/samba/vgp_startup_scripts_ext.py %{python3_sitearch}/samba/vgp_sudoers_ext.py +%{python3_sitearch}/samba/vgp_symlink_ext.py %{python3_sitearch}/samba/werror.*.so %{python3_sitearch}/samba/xattr.py %{python3_sitearch}/samba/xattr_native.*.so @@ -2487,8 +2608,6 @@ fi %{python3_sitearch}/samba/dcerpc/dnsserver.*.so %{python3_sitearch}/samba/dckeytab.*.so -%{python3_sitearch}/samba/dsdb.*.so -%{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/domain_update.py %{python3_sitearch}/samba/forest_update.py %{python3_sitearch}/samba/ms_forest_updates_markdown.py @@ -2555,6 +2674,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/cred_opt.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dckeytab.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns_aging.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_forwarder.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_invalid.*.pyc @@ -2562,6 +2682,8 @@ fi %{python3_sitearch}/samba/tests/__pycache__/dns_tkey.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_wildcard.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_api.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_dns.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc %{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc @@ -2573,17 +2695,22 @@ fi %{python3_sitearch}/samba/tests/__pycache__/getdcname.*.pyc %{python3_sitearch}/samba/tests/__pycache__/glue.*.pyc %{python3_sitearch}/samba/tests/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/gpo_member.*.pyc %{python3_sitearch}/samba/tests/__pycache__/graph.*.pyc %{python3_sitearch}/samba/tests/__pycache__/group_audit.*.pyc %{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/imports.*.pyc %{python3_sitearch}/samba/tests/__pycache__/join.*.pyc %{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ndr.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netbios.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netcmd.*.pyc %{python3_sitearch}/samba/tests/__pycache__/net_join_no_spnego.*.pyc @@ -2619,10 +2746,12 @@ fi %{python3_sitearch}/samba/tests/__pycache__/s3passdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/s3registry.*.pyc %{python3_sitearch}/samba/tests/__pycache__/s3windb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/s3_net_join.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc @@ -2657,7 +2786,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc -%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdfind.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc @@ -2673,7 +2802,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/bug13653.py %{python3_sitearch}/samba/tests/blackbox/check_output.py %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py -%{python3_sitearch}/samba/tests/blackbox/mdfind.py +%{python3_sitearch}/samba/tests/blackbox/mdsearch.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py @@ -2701,6 +2830,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc @@ -2720,6 +2850,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/createtrustrelax.py %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py %{python3_sitearch}/samba/tests/dcerpc/integer.py +%{python3_sitearch}/samba/tests/dcerpc/lsa.py %{python3_sitearch}/samba/tests/dcerpc/mdssvc.py %{python3_sitearch}/samba/tests/dcerpc/misc.py %{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py @@ -2735,6 +2866,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/unix.py %{python3_sitearch}/samba/tests/dckeytab.py %{python3_sitearch}/samba/tests/dns.py +%{python3_sitearch}/samba/tests/dns_aging.py %{python3_sitearch}/samba/tests/dns_base.py %{python3_sitearch}/samba/tests/dns_forwarder.py %dir %{python3_sitearch}/samba/tests/dns_forwarder_helpers @@ -2745,6 +2877,8 @@ fi %{python3_sitearch}/samba/tests/dns_tkey.py %{python3_sitearch}/samba/tests/dns_wildcard.py %{python3_sitearch}/samba/tests/dsdb.py +%{python3_sitearch}/samba/tests/dsdb_api.py +%{python3_sitearch}/samba/tests/dsdb_dns.py %{python3_sitearch}/samba/tests/dsdb_lock.py %{python3_sitearch}/samba/tests/dsdb_schema_attributes.py %{python3_sitearch}/samba/tests/docs.py @@ -2764,9 +2898,11 @@ fi %{python3_sitearch}/samba/tests/get_opt.py %{python3_sitearch}/samba/tests/glue.py %{python3_sitearch}/samba/tests/gpo.py +%{python3_sitearch}/samba/tests/gpo_member.py %{python3_sitearch}/samba/tests/graph.py %{python3_sitearch}/samba/tests/group_audit.py %{python3_sitearch}/samba/tests/hostconfig.py +%{python3_sitearch}/samba/tests/imports.py %{python3_sitearch}/samba/tests/join.py %dir %{python3_sitearch}/samba/tests/kcc %{python3_sitearch}/samba/tests/kcc/__init__.py @@ -2782,37 +2918,64 @@ fi %{python3_sitearch}/samba/tests/kcc/ldif_import_export.py %dir %{python3_sitearch}/samba/tests/krb5 %dir %{python3_sitearch}/samba/tests/krb5/__pycache__ +%{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_min_domain_uid.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_rpc.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_smb.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/xrealm_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/alias_tests.py %{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py +%{python3_sitearch}/samba/tests/krb5/as_req_tests.py %{python3_sitearch}/samba/tests/krb5/compatability_tests.py +%{python3_sitearch}/samba/tests/krb5/fast_tests.py %{python3_sitearch}/samba/tests/krb5/kcrypto.py %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py +%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py +%{python3_sitearch}/samba/tests/krb5/rodc_tests.py +%{python3_sitearch}/samba/tests/krb5/salt_tests.py %{python3_sitearch}/samba/tests/krb5/simple_tests.py +%{python3_sitearch}/samba/tests/krb5/spn_tests.py +%{python3_sitearch}/samba/tests/krb5/test_ccache.py +%{python3_sitearch}/samba/tests/krb5/test_ldap.py +%{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py +%{python3_sitearch}/samba/tests/krb5/test_rpc.py +%{python3_sitearch}/samba/tests/krb5/test_smb.py %{python3_sitearch}/samba/tests/krb5/s4u_tests.py %{python3_sitearch}/samba/tests/krb5/xrealm_tests.py %{python3_sitearch}/samba/tests/krb5_credentials.py %{python3_sitearch}/samba/tests/ldap_raw.py %{python3_sitearch}/samba/tests/ldap_referrals.py +%{python3_sitearch}/samba/tests/ldap_spn.py +%{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py +%{python3_sitearch}/samba/tests/ndr.py %{python3_sitearch}/samba/tests/netbios.py %{python3_sitearch}/samba/tests/netcmd.py %{python3_sitearch}/samba/tests/net_join_no_spnego.py @@ -2848,6 +3011,7 @@ fi %{python3_sitearch}/samba/tests/s3passdb.py %{python3_sitearch}/samba/tests/s3registry.py %{python3_sitearch}/samba/tests/s3windb.py +%{python3_sitearch}/samba/tests/s3_net_join.py %{python3_sitearch}/samba/tests/samba3sam.py %{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py %dir %{python3_sitearch}/samba/tests/samba_tool @@ -2864,6 +3028,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/forest.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/fsmo.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo_exts.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/group.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc @@ -2875,6 +3040,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/promote_dc_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_password_check.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_userPassword_crypt.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/rodc.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/schema.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/sites.*.pyc @@ -2898,6 +3064,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/forest.py %{python3_sitearch}/samba/tests/samba_tool/fsmo.py %{python3_sitearch}/samba/tests/samba_tool/gpo.py +%{python3_sitearch}/samba/tests/samba_tool/gpo_exts.py %{python3_sitearch}/samba/tests/samba_tool/group.py %{python3_sitearch}/samba/tests/samba_tool/help.py %{python3_sitearch}/samba/tests/samba_tool/join.py @@ -2909,6 +3076,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/promote_dc_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/provision_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/provision_password_check.py +%{python3_sitearch}/samba/tests/samba_tool/provision_userPassword_crypt.py %{python3_sitearch}/samba/tests/samba_tool/rodc.py %{python3_sitearch}/samba/tests/samba_tool/schema.py %{python3_sitearch}/samba/tests/samba_tool/sites.py @@ -2924,6 +3092,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/visualize_drs.py %{python3_sitearch}/samba/tests/samdb.py %{python3_sitearch}/samba/tests/samdb_api.py +%{python3_sitearch}/samba/tests/sddl.py %{python3_sitearch}/samba/tests/security.py %{python3_sitearch}/samba/tests/segfault.py %{python3_sitearch}/samba/tests/smb.py @@ -3067,6 +3236,7 @@ fi %{_libexecdir}/ctdb/ctdb_recovery_helper %{_libexecdir}/ctdb/ctdb_takeover_helper %{_libexecdir}/ctdb/smnotify +%{_libexecdir}/ctdb/tdb_mutex_check %dir %{_localstatedir}/lib/ctdb/ %dir %{_localstatedir}/lib/ctdb/persistent @@ -3897,6 +4067,33 @@ fi #endif with selftest %endif +%if %{with pcp_pmda} +%files -n ctdb-pcp-pmda +%dir %{_localstatedir}/lib/pcp/pmdas/ctdb +%{_localstatedir}/lib/pcp/pmdas/ctdb/Install +%{_localstatedir}/lib/pcp/pmdas/ctdb/README +%{_localstatedir}/lib/pcp/pmdas/ctdb/Remove +%{_localstatedir}/lib/pcp/pmdas/ctdb/domain.h +%{_localstatedir}/lib/pcp/pmdas/ctdb/help +%{_localstatedir}/lib/pcp/pmdas/ctdb/pmdactdb +%{_localstatedir}/lib/pcp/pmdas/ctdb/pmns +#endif with pcp_pmda +%endif + +%if %{with etcd_mutex} +%files -n ctdb-etcd-mutex +%{_libexecdir}/ctdb/ctdb_etcd_lock +%{_mandir}/man7/ctdb-etcd.7.gz +#endif with etcd_mutex +%endif + +%if %{with ceph_mutex} +%files -n ctdb-ceph-mutex +%{_libexecdir}/ctdb/ctdb_mutex_ceph_rados_helper +%{_mandir}/man7/ctdb_mutex_ceph_rados_helper.7.gz +#endif with ceph_mutex +%endif + #endif with clustering %endif @@ -3908,6 +4105,35 @@ fi %endif %changelog +* Fri Dec 03 2021 Andreas Schneider - 4.15.2-2 +- related: rhbz#2013596 - Remove unneeded lmdb dependency + +* Thu Nov 25 2021 Pavel Filipenský - 4.15.2-1 +- resolves: rhbz#2013596 - Rebase to version 4.15.2 +- resolves: rhbz#1999294 - Remove noisy error message in winbindd +- resolves: rhbz#1958881 - Don't require winbind being online for krb5 auth + with one-way trusts +- resolves: rhbz#2019461 - Fix deleting directories with dangling symlinks + +* Mon Nov 22 2021 Andreas Schneider - 4.14.5-14 +- related: rbhz#2019674 - Fix CVE-2020-25717 +- Fix running ktest (selftest) + +* Sat Nov 13 2021 Alexander Bokovoy - 4.14.5-13 +- related: rbhz#2019674 - Fix CVE-2020-25717 +- Add missing checks for IPA DC server role + +* Wed Nov 10 2021 Andreas Schneider - 4.14.5-12 +- related: rbhz#2019674 - Fix regression with 'allow trusted domains = no' + +* Tue Nov 09 2021 Andreas Schneider - 4.14.5-11 +- resolves: rhbz#2021425 - Add missing PAC buffer types to krb5pac.idl + +* Fri Nov 05 2021 Andreas Schneider - 4.14.4-3 +- resolves: rhbz#2019662 - Fix CVE-2016-2124 +- resolves: rhbz#2019668 - Fix CVE-2021-23192 +- resolves: rbhz#2019674 - Fix CVE-2020-25717 + * Tue Jul 13 2021 Andreas Schneider - 4.14.4-2 - related: rhbz#1980346 - Rebuild for libtalloc 0.11.0