diff --git a/.gitignore b/.gitignore
index 1b087cf..99161ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.9.1.tar.xz
+SOURCES/samba-4.10.4.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 638f3b8..1e4e8c9 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-81b7c9a13d48fa25c58c90ae85e7d256e9952227 SOURCES/samba-4.9.1.tar.xz
+c24e15add96d79950552f0ffbb44234e4142342c SOURCES/samba-4.10.4.tar.xz
diff --git a/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt b/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
new file mode 100644
index 0000000..eec8124
--- /dev/null
+++ b/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
@@ -0,0 +1,393 @@
+From 5e94fe726e9af81374c697ce603b3728ccaaebf3 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 12 Jul 2019 12:10:35 -0700
+Subject: [PATCH 1/6] CVE-2019-10197: smbd: separate out impersonation debug
+ info into a new function.
+
+Will be called on elsewhere on successful impersonation.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/smbd/uid.c | 37 +++++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index a4bcb747d37e..ce8e8d92131c 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -279,6 +279,28 @@ static bool check_user_ok(connection_struct *conn,
+ return(True);
+ }
+
++static void print_impersonation_info(connection_struct *conn)
++{
++ struct smb_filename *cwdfname = NULL;
++
++ if (!CHECK_DEBUGLVL(DBGLVL_INFO)) {
++ return;
++ }
++
++ cwdfname = vfs_GetWd(talloc_tos(), conn);
++ if (cwdfname == NULL) {
++ return;
++ }
++
++ DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
++ (int)getuid(),
++ (int)geteuid(),
++ (int)getgid(),
++ (int)getegid(),
++ cwdfname->base_name);
++ TALLOC_FREE(cwdfname);
++}
++
+ /****************************************************************************
+ Become the user of a connection number without changing the security context
+ stack, but modify the current_user entries.
+@@ -415,20 +437,7 @@ static bool change_to_user_internal(connection_struct *conn,
+ current_user.done_chdir = true;
+ }
+
+- if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
+- struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn);
+- if (cwdfname == NULL) {
+- return false;
+- }
+- DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
+- (int)getuid(),
+- (int)geteuid(),
+- (int)getgid(),
+- (int)getegid(),
+- cwdfname->base_name);
+- TALLOC_FREE(cwdfname);
+- }
+-
++ print_impersonation_info(conn);
+ return true;
+ }
+
+--
+2.17.1
+
+
+From b4cd0dcbc38ae61cfb075e5f659384df889e99f7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 11 Jul 2019 17:01:29 +0200
+Subject: [PATCH 2/6] CVE-2019-10197: smbd: make sure that
+ change_to_user_internal() always resets current_user.done_chdir
+
+We should not leave current_user.done_chdir as true if we didn't call
+chdir_current_service() with success.
+
+This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when
+chdir_current_service() worked once on one share but later failed on another
+share.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ source3/smbd/uid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index ce8e8d92131c..77a81f602988 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -427,6 +427,7 @@ static bool change_to_user_internal(connection_struct *conn,
+ current_user.conn = conn;
+ current_user.vuid = vuid;
+ current_user.need_chdir = conn->tcon_done;
++ current_user.done_chdir = false;
+
+ if (current_user.need_chdir) {
+ ok = chdir_current_service(conn);
+--
+2.17.1
+
+
+From b1496ce793129302c9959ebc6330219c6a3143f0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 18 Jun 2019 14:04:08 +0200
+Subject: [PATCH 3/6] CVE-2019-10197: smbd: make sure we reset
+ current_user.{need,done}_chdir in become_root()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/smbd/uid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index 77a81f602988..50868ba8572a 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -624,6 +624,9 @@ void smbd_become_root(void)
+ }
+ push_conn_ctx();
+ set_root_sec_ctx();
++
++ current_user.need_chdir = false;
++ current_user.done_chdir = false;
+ }
+
+ /* Unbecome the root user */
+--
+2.17.1
+
+
+From 03a0719d6d5c1a81b44bc3cedc76563a1eb04491 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 30 Jul 2019 17:16:59 +0200
+Subject: [PATCH 4/6] CVE-2019-10197: selftest: make fsrvp_share its own
+ independent subdirectory
+
+The next patch will otherwise break the fsrvp related tests.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/target/Samba3.pm | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 9d88253c9fe7..f7eb314138a0 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1540,6 +1540,9 @@ sub provision($$$$$$$$$)
+ my $widelinks_linkdir="$shrdir/widelinks_foo";
+ push(@dirs,$widelinks_linkdir);
+
++ my $fsrvp_shrdir="$shrdir/fsrvp";
++ push(@dirs,$fsrvp_shrdir);
++
+ my $shadow_tstdir="$shrdir/shadow";
+ push(@dirs,$shadow_tstdir);
+ my $shadow_mntdir="$shadow_tstdir/mount";
+@@ -2083,14 +2086,14 @@ sub provision($$$$$$$$$)
+ guest ok = yes
+
+ [fsrvp_share]
+- path = $shrdir
++ path = $fsrvp_shrdir
+ comment = fake shapshots using rsync
+ vfs objects = shell_snap shadow_copy2
+ shell_snap:check path command = $fake_snap_pl --check
+ shell_snap:create command = $fake_snap_pl --create
+ shell_snap:delete command = $fake_snap_pl --delete
+ # a relative path here fails, the snapshot dir is no longer found
+- shadow:snapdir = $shrdir/.snapshots
++ shadow:snapdir = $fsrvp_shrdir/.snapshots
+
+ [shadow1]
+ path = $shadow_shrdir
+--
+2.17.1
+
+
+From 409447f3258b87745a2248570278b1c6da8991f4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 16 Jul 2019 15:40:38 +0200
+Subject: [PATCH 5/6] CVE-2019-10197: test_smbclient_s3.sh: add regression test
+ for the no permission on share root problem
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/knownfail.d/CVE-2019-10197 | 1 +
+ selftest/target/Samba3.pm | 12 +++++++++
+ source3/script/tests/test_smbclient_s3.sh | 30 +++++++++++++++++++++++
+ 3 files changed, 43 insertions(+)
+ create mode 100644 selftest/knownfail.d/CVE-2019-10197
+
+diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197
+new file mode 100644
+index 000000000000..f7056bbf3ad4
+--- /dev/null
++++ b/selftest/knownfail.d/CVE-2019-10197
+@@ -0,0 +1 @@
++^samba3.blackbox.smbclient_s3.*.noperm.share.regression
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index f7eb314138a0..2f491441815f 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1516,6 +1516,9 @@ sub provision($$$$$$$$$)
+ my $ro_shrdir="$shrdir/root-tmp";
+ push(@dirs,$ro_shrdir);
+
++ my $noperm_shrdir="$shrdir/noperm-tmp";
++ push(@dirs,$noperm_shrdir);
++
+ my $msdfs_shrdir="$shrdir/msdfsshare";
+ push(@dirs,$msdfs_shrdir);
+
+@@ -1586,6 +1589,11 @@ sub provision($$$$$$$$$)
+ chmod 0755, $piddir;
+
+
++ ##
++ ## Create a directory without permissions to enter
++ ##
++ chmod 0000, $noperm_shrdir;
++
+ ##
+ ## create ro and msdfs share layout
+ ##
+@@ -1902,6 +1910,10 @@ sub provision($$$$$$$$$)
+ [ro-tmp]
+ path = $ro_shrdir
+ guest ok = yes
++[noperm]
++ path = $noperm_shrdir
++ wide links = yes
++ guest ok = yes
+ [write-list-tmp]
+ path = $shrdir
+ read only = yes
+diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
+index bf033ccd2fbf..0bae1d78fac9 100755
+--- a/source3/script/tests/test_smbclient_s3.sh
++++ b/source3/script/tests/test_smbclient_s3.sh
+@@ -1329,6 +1329,32 @@ EOF
+ fi
+ }
+
++#
++# Regression test for CVE-2019-10197
++# we should always get ACCESS_DENIED
++#
++test_noperm_share_regression()
++{
++ cmd='$SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/noperm -I $SERVER_IP $LOCAL_ADDARGS -c "ls;ls" 2>&1'
++ eval echo "$cmd"
++ out=`eval $cmd`
++ ret=$?
++ if [ $ret -eq 0 ] ; then
++ echo "$out"
++ echo "failed accessing no perm share should not work"
++ return 1
++ fi
++
++ num=`echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' | wc -l`
++ if [ "$num" -ne "2" ] ; then
++ echo "$out"
++ echo "failed num[$num] - two NT_STATUS_ACCESS_DENIED lines expected"
++ return 1
++ fi
++
++ return 0
++}
++
+ # Test smbclient deltree command
+ test_deltree()
+ {
+@@ -1857,6 +1883,10 @@ testit "follow local symlinks" \
+ test_local_symlinks || \
+ failed=`expr $failed + 1`
+
++testit "noperm share regression" \
++ test_noperm_share_regression || \
++ failed=`expr $failed + 1`
++
+ testit "smbclient deltree command" \
+ test_deltree || \
+ failed=`expr $failed + 1`
+--
+2.17.1
+
+
+From 501e034aa5b6ba50bf14e41c59674fbbc28a2e9c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 11 Jul 2019 17:02:15 +0200
+Subject: [PATCH 6/6] CVE-2019-10197: smbd: split change_to_user_impersonate()
+ out of change_to_user_internal()
+
+This makes sure we always call chdir_current_service() even
+when we still impersonated the user. Which is important
+in order to run the SMB* request within the correct working directory
+and only if the user has permissions to enter that directory.
+
+It makes sure we always update conn->lastused_count
+in chdir_current_service() for each request.
+
+Note that vfs_ChDir() (called from chdir_current_service())
+maintains its own cache and avoids calling SMB_VFS_CHDIR()
+if possible.
+
+It means we still avoid syscalls if we get a multiple requests
+for the same session/tcon tuple.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ selftest/knownfail.d/CVE-2019-10197 | 1 -
+ source3/smbd/uid.c | 21 +++++++++++++++++----
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+ delete mode 100644 selftest/knownfail.d/CVE-2019-10197
+
+diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197
+deleted file mode 100644
+index f7056bbf3ad4..000000000000
+--- a/selftest/knownfail.d/CVE-2019-10197
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba3.blackbox.smbclient_s3.*.noperm.share.regression
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index 50868ba8572a..5c39baade5cf 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -306,9 +306,9 @@ static void print_impersonation_info(connection_struct *conn)
+ stack, but modify the current_user entries.
+ ****************************************************************************/
+
+-static bool change_to_user_internal(connection_struct *conn,
+- const struct auth_session_info *session_info,
+- uint64_t vuid)
++static bool change_to_user_impersonate(connection_struct *conn,
++ const struct auth_session_info *session_info,
++ uint64_t vuid)
+ {
+ int snum;
+ gid_t gid;
+@@ -321,7 +321,6 @@ static bool change_to_user_internal(connection_struct *conn,
+
+ if ((current_user.conn == conn) &&
+ (current_user.vuid == vuid) &&
+- (current_user.need_chdir == conn->tcon_done) &&
+ (current_user.ut.uid == session_info->unix_token->uid))
+ {
+ DBG_INFO("Skipping user change - already user\n");
+@@ -426,6 +425,20 @@ static bool change_to_user_internal(connection_struct *conn,
+
+ current_user.conn = conn;
+ current_user.vuid = vuid;
++ return true;
++}
++
++static bool change_to_user_internal(connection_struct *conn,
++ const struct auth_session_info *session_info,
++ uint64_t vuid)
++{
++ bool ok;
++
++ ok = change_to_user_impersonate(conn, session_info, vuid);
++ if (!ok) {
++ return false;
++ }
++
+ current_user.need_chdir = conn->tcon_done;
+ current_user.done_chdir = false;
+
+--
+2.17.1
+
diff --git a/SOURCES/CVE-2019-10218-4.11.patch b/SOURCES/CVE-2019-10218-4.11.patch
new file mode 100644
index 0000000..49bec9e
--- /dev/null
+++ b/SOURCES/CVE-2019-10218-4.11.patch
@@ -0,0 +1,170 @@
+From d429b48596c63140696ba600bddb0908f2350f70 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 5 Aug 2019 13:39:53 -0700
+Subject: [PATCH 1/2] CVE-2019-10218 - s3: libsmb: Protect SMB1 client code
+ from evil server returned names.
+
+Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/clilist.c | 75 ++++++++++++++++++++++++++++++++++++++++
+ source3/libsmb/proto.h | 3 ++
+ 2 files changed, 78 insertions(+)
+
+diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
+index 5cb1fce4338..4f518339e2b 100644
+--- a/source3/libsmb/clilist.c
++++ b/source3/libsmb/clilist.c
+@@ -24,6 +24,66 @@
+ #include "trans2.h"
+ #include "../libcli/smb/smbXcli_base.h"
+
++/****************************************************************************
++ Check if a returned directory name is safe.
++****************************************************************************/
++
++static NTSTATUS is_bad_name(bool windows_names, const char *name)
++{
++ const char *bad_name_p = NULL;
++
++ bad_name_p = strchr(name, '/');
++ if (bad_name_p != NULL) {
++ /*
++ * Windows and POSIX names can't have '/'.
++ * Server is attacking us.
++ */
++ return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ }
++ if (windows_names) {
++ bad_name_p = strchr(name, '\\');
++ if (bad_name_p != NULL) {
++ /*
++ * Windows names can't have '\\'.
++ * Server is attacking us.
++ */
++ return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ }
++ }
++ return NT_STATUS_OK;
++}
++
++/****************************************************************************
++ Check if a returned directory name is safe. Disconnect if server is
++ sending bad names.
++****************************************************************************/
++
++NTSTATUS is_bad_finfo_name(const struct cli_state *cli,
++ const struct file_info *finfo)
++{
++ NTSTATUS status = NT_STATUS_OK;
++ bool windows_names = true;
++
++ if (cli->requested_posix_capabilities & CIFS_UNIX_POSIX_PATHNAMES_CAP) {
++ windows_names = false;
++ }
++ if (finfo->name != NULL) {
++ status = is_bad_name(windows_names, finfo->name);
++ if (!NT_STATUS_IS_OK(status)) {
++ DBG_ERR("bad finfo->name\n");
++ return status;
++ }
++ }
++ if (finfo->short_name != NULL) {
++ status = is_bad_name(windows_names, finfo->short_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ DBG_ERR("bad finfo->short_name\n");
++ return status;
++ }
++ }
++ return NT_STATUS_OK;
++}
++
+ /****************************************************************************
+ Calculate a safe next_entry_offset.
+ ****************************************************************************/
+@@ -492,6 +552,13 @@ static NTSTATUS cli_list_old_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ TALLOC_FREE(finfo);
+ return NT_STATUS_NO_MEMORY;
+ }
++
++ status = is_bad_finfo_name(state->cli, finfo);
++ if (!NT_STATUS_IS_OK(status)) {
++ smbXcli_conn_disconnect(state->cli->conn, status);
++ TALLOC_FREE(finfo);
++ return status;
++ }
+ }
+ *pfinfo = finfo;
+ return NT_STATUS_OK;
+@@ -727,6 +794,14 @@ static void cli_list_trans_done(struct tevent_req *subreq)
+ ff_eos = true;
+ break;
+ }
++
++ status = is_bad_finfo_name(state->cli, finfo);
++ if (!NT_STATUS_IS_OK(status)) {
++ smbXcli_conn_disconnect(state->cli->conn, status);
++ tevent_req_nterror(req, status);
++ return;
++ }
++
+ if (!state->first && (state->mask[0] != '\0') &&
+ strcsequal(finfo->name, state->mask)) {
+ DEBUG(1, ("Error: Looping in FIND_NEXT as name %s has "
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index 6a647da58c8..48855d7112c 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -760,6 +760,9 @@ NTSTATUS cli_posix_whoami(struct cli_state *cli,
+
+ /* The following definitions come from libsmb/clilist.c */
+
++NTSTATUS is_bad_finfo_name(const struct cli_state *cli,
++ const struct file_info *finfo);
++
+ NTSTATUS cli_list_old(struct cli_state *cli,const char *Mask,uint16_t attribute,
+ NTSTATUS (*fn)(const char *, struct file_info *,
+ const char *, void *), void *state);
+--
+2.23.0.866.gb869b98d4c-goog
+
+
+From c61e75b5755efab938c1b2045eb4d539a0724c47 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 6 Aug 2019 12:08:09 -0700
+Subject: [PATCH 2/2] CVE-2019-10218 - s3: libsmb: Protect SMB2 client code
+ from evil server returned names.
+
+Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/cli_smb2_fnum.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index 535beaab841..3fa322c243b 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -1442,6 +1442,13 @@ NTSTATUS cli_smb2_list(struct cli_state *cli,
+ goto fail;
+ }
+
++ /* Protect against server attack. */
++ status = is_bad_finfo_name(cli, finfo);
++ if (!NT_STATUS_IS_OK(status)) {
++ smbXcli_conn_disconnect(cli->conn, status);
++ goto fail;
++ }
++
+ if (dir_check_ftype((uint32_t)finfo->mode,
+ (uint32_t)attribute)) {
+ /*
+--
+2.23.0.866.gb869b98d4c-goog
+
diff --git a/SOURCES/samba-4.10-fix-netbios-join.patch b/SOURCES/samba-4.10-fix-netbios-join.patch
new file mode 100644
index 0000000..9dd2eec
--- /dev/null
+++ b/SOURCES/samba-4.10-fix-netbios-join.patch
@@ -0,0 +1,723 @@
+From 05f7e9a72a1769af9d41b1ca40fe6a14b3f069d1 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 30 Aug 2019 00:22:15 +0300
+Subject: [PATCH 1/6] libnet_join: build dnsHostName from netbios name and
+ lp_dnsdomain()
+
+This make the join process much more reliable, and avoids "Constraint
+violation" error when the fqdn returned from getaddrinfo has already
+got assigned an SPN.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 31 +++++++++++-------------------
+ testprogs/blackbox/test_net_ads.sh | 7 +++++--
+ 2 files changed, 16 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 7943bef2cf6..818b3039cb9 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -533,29 +533,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ }
+ }
+
+- if (!name_to_fqdn(my_fqdn, r->in.machine_name)
+- || (strchr(my_fqdn, '.') == NULL)) {
+- fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
+- r->out.dns_domain_name);
+- }
++ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+
+ if (!strlower_m(my_fqdn)) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+- if (!strequal(my_fqdn, r->in.machine_name)) {
+- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
+- if (!spn) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+- }
++ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++ if (spn == NULL) {
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
+
+- ok = ads_element_in_array(spn_array, num_spns, spn);
++ ok = ads_element_in_array(spn_array, num_spns, spn);
++ if (!ok) {
++ ok = add_string_to_array(spn_array, spn,
++ &spn_array, &num_spns);
+ if (!ok) {
+- ok = add_string_to_array(spn_array, spn,
+- &spn_array, &num_spns);
+- if (!ok) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+- }
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+ }
+
+@@ -591,12 +585,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ /*
+ * Add HOST/netbiosname.domainname
+ */
+- if (r->out.dns_domain_name == NULL) {
+- continue;
+- }
+ fstr_sprintf(my_fqdn, "%s.%s",
+ *netbios_aliases,
+- r->out.dns_domain_name);
++ lp_dnsdomain());
+
+ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
+ if (spn == NULL) {
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index cc8345c4624..ef6f99ddea4 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -81,7 +81,7 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai
+ netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+ uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]')
+ lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]')
+-fqdns="$netbios.$lc_realm"
++fqdn="$netbios.$lc_realm"
+
+ krb_princ="primary/instance@$REALM"
+ testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+@@ -99,7 +99,7 @@ testit "test (dedicated keytab) at least one krb5 principal created from $machin
+ service="nfs"
+ testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+-search_str="$service/$fqdns@$REALM"
++search_str="$service/$fqdn@$REALM"
+ found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+ testit "test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
+
+@@ -206,6 +206,9 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed
+
+ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+
++testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
++testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++
+ ##Goodbye...
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+--
+2.21.0
+
+
+From 4cbad1eb46896bbd74c5b19dbb0a8937ffde90c2 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 18 Sep 2019 20:00:34 +0300
+Subject: [PATCH 2/6] libnet_join_set_machine_spn: improve style and make a bit
+ room for indentation
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 95 ++++++++++++++++++------------------
+ 1 file changed, 47 insertions(+), 48 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 818b3039cb9..67ab50c68a8 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -517,7 +517,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ /* Windows only creates HOST/shortname & HOST/fqdn. */
+
+ spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
+- if (!spn) {
++ if (spn == NULL) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+ if (!strupper_m(spn)) {
+@@ -553,60 +553,59 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ }
+ }
+
+- netbios_aliases = lp_netbios_aliases();
+- if (netbios_aliases != NULL) {
+- for (; *netbios_aliases != NULL; netbios_aliases++) {
+- /*
+- * Add HOST/NETBIOSNAME
+- */
+- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
+- if (spn == NULL) {
+- TALLOC_FREE(spn);
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+- }
+- if (!strupper_m(spn)) {
+- TALLOC_FREE(spn);
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+- }
++ for (netbios_aliases = lp_netbios_aliases();
++ netbios_aliases != NULL && *netbios_aliases != NULL;
++ netbios_aliases++) {
++ /*
++ * Add HOST/NETBIOSNAME
++ */
++ spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
++ if (spn == NULL) {
++ TALLOC_FREE(spn);
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
++ if (!strupper_m(spn)) {
++ TALLOC_FREE(spn);
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
+
+- ok = ads_element_in_array(spn_array, num_spns, spn);
+- if (ok) {
+- TALLOC_FREE(spn);
+- continue;
+- }
+- ok = add_string_to_array(spn_array, spn,
+- &spn_array, &num_spns);
+- if (!ok) {
+- TALLOC_FREE(spn);
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+- }
++ ok = ads_element_in_array(spn_array, num_spns, spn);
++ if (ok) {
++ TALLOC_FREE(spn);
++ continue;
++ }
++ ok = add_string_to_array(spn_array, spn,
++ &spn_array, &num_spns);
++ if (!ok) {
+ TALLOC_FREE(spn);
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
++ TALLOC_FREE(spn);
+
+- /*
+- * Add HOST/netbiosname.domainname
+- */
+- fstr_sprintf(my_fqdn, "%s.%s",
+- *netbios_aliases,
+- lp_dnsdomain());
++ /*
++ * Add HOST/netbiosname.domainname
++ */
++ fstr_sprintf(my_fqdn, "%s.%s",
++ *netbios_aliases,
++ lp_dnsdomain());
+
+- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
+- if (spn == NULL) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+- }
++ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++ if (spn == NULL) {
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
+
+- ok = ads_element_in_array(spn_array, num_spns, spn);
+- if (ok) {
+- TALLOC_FREE(spn);
+- continue;
+- }
+- ok = add_string_to_array(spn_array, spn,
+- &spn_array, &num_spns);
+- if (!ok) {
+- TALLOC_FREE(spn);
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+- }
++ ok = ads_element_in_array(spn_array, num_spns, spn);
++ if (ok) {
++ TALLOC_FREE(spn);
++ continue;
++ }
++ ok = add_string_to_array(spn_array, spn,
++ &spn_array, &num_spns);
++ if (!ok) {
+ TALLOC_FREE(spn);
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
++ TALLOC_FREE(spn);
+ }
+
+ /* make sure to NULL terminate the array */
+--
+2.21.0
+
+
+From b8e1264ececf38681ca9a519a51e8336044673f0 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 18 Sep 2019 21:29:47 +0300
+Subject: [PATCH 3/6] libnet_join_set_machine_spn: simplify memory handling
+
+and avoid a possible memory leak when passing null to
+add_string_to_array() as mem_ctx.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 74 ++++++++++++++++++++----------------
+ 1 file changed, 42 insertions(+), 32 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 67ab50c68a8..43035370526 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -490,6 +490,7 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
+ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r)
+ {
++ TALLOC_CTX *frame = talloc_stackframe();
+ ADS_STATUS status;
+ ADS_MODLIST mods;
+ fstring my_fqdn;
+@@ -506,7 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
+- status = libnet_join_get_machine_spns(mem_ctx,
++ status = libnet_join_get_machine_spns(frame,
+ r,
+ discard_const_p(char **, &spn_array),
+ &num_spns);
+@@ -516,40 +517,46 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+
+ /* Windows only creates HOST/shortname & HOST/fqdn. */
+
+- spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
++ spn = talloc_asprintf(frame, "HOST/%s", r->in.machine_name);
+ if (spn == NULL) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+ if (!strupper_m(spn)) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+
+ ok = ads_element_in_array(spn_array, num_spns, spn);
+ if (!ok) {
+- ok = add_string_to_array(spn_array, spn,
++ ok = add_string_to_array(frame, spn,
+ &spn_array, &num_spns);
+ if (!ok) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+ }
+
+ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+
+ if (!strlower_m(my_fqdn)) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+
+- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
+ if (spn == NULL) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+
+ ok = ads_element_in_array(spn_array, num_spns, spn);
+ if (!ok) {
+- ok = add_string_to_array(spn_array, spn,
++ ok = add_string_to_array(frame, spn,
+ &spn_array, &num_spns);
+ if (!ok) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+ }
+
+@@ -559,28 +566,26 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ /*
+ * Add HOST/NETBIOSNAME
+ */
+- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
++ spn = talloc_asprintf(frame, "HOST/%s", *netbios_aliases);
+ if (spn == NULL) {
+- TALLOC_FREE(spn);
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+ if (!strupper_m(spn)) {
+- TALLOC_FREE(spn);
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+
+ ok = ads_element_in_array(spn_array, num_spns, spn);
+ if (ok) {
+- TALLOC_FREE(spn);
+ continue;
+ }
+ ok = add_string_to_array(spn_array, spn,
+ &spn_array, &num_spns);
+ if (!ok) {
+- TALLOC_FREE(spn);
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+- TALLOC_FREE(spn);
+
+ /*
+ * Add HOST/netbiosname.domainname
+@@ -589,51 +594,56 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ *netbios_aliases,
+ lp_dnsdomain());
+
+- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
+ if (spn == NULL) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+
+ ok = ads_element_in_array(spn_array, num_spns, spn);
+ if (ok) {
+- TALLOC_FREE(spn);
+ continue;
+ }
+ ok = add_string_to_array(spn_array, spn,
+ &spn_array, &num_spns);
+ if (!ok) {
+- TALLOC_FREE(spn);
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+- TALLOC_FREE(spn);
+ }
+
+ /* make sure to NULL terminate the array */
+- spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
++ spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1);
+ if (spn_array == NULL) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+ spn_array[num_spns] = NULL;
+
+ mods = ads_init_mods(mem_ctx);
+ if (!mods) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+
+ /* fields of primary importance */
+
+ status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
+ if (!ADS_ERR_OK(status)) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+
+ status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
+ spn_array);
+ if (!ADS_ERR_OK(status)) {
+- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
+ }
+
+- return ads_gen_mod(r->in.ads, r->out.dn, mods);
++ status = ads_gen_mod(r->in.ads, r->out.dn, mods);
++
++done:
++ TALLOC_FREE(frame);
++ return status;
+ }
+
+ /****************************************************************
+--
+2.21.0
+
+
+From 3e65f72b141a7ee256ae581e5f48f1d930aed76a Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 18 Sep 2019 23:15:57 +0300
+Subject: [PATCH 4/6] libnet_join_set_machine_spn: simplify adding uniq spn to
+ array
+
+and do not skip adding a fully qualified spn to netbios-aliases
+in case a short spn already existed.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 56 +++++++++++++++---------------------
+ 1 file changed, 23 insertions(+), 33 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 43035370526..a1d8a25bbc2 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -483,6 +483,19 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
++static ADS_STATUS add_uniq_spn(TALLOC_CTX *mem_ctx, const char *spn,
++ const char ***array, size_t *num)
++{
++ bool ok = ads_element_in_array(*array, *num, spn);
++ if (!ok) {
++ ok = add_string_to_array(mem_ctx, spn, array, num);
++ if (!ok) {
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
++ }
++ return ADS_SUCCESS;
++}
++
+ /****************************************************************
+ Set a machines dNSHostName and servicePrincipalName attributes
+ ****************************************************************/
+@@ -497,7 +510,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ const char **spn_array = NULL;
+ size_t num_spns = 0;
+ char *spn = NULL;
+- bool ok;
+ const char **netbios_aliases = NULL;
+
+ /* Find our DN */
+@@ -527,14 +539,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- ok = ads_element_in_array(spn_array, num_spns, spn);
+- if (!ok) {
+- ok = add_string_to_array(frame, spn,
+- &spn_array, &num_spns);
+- if (!ok) {
+- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+- goto done;
+- }
++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++ if (!ADS_ERR_OK(status)) {
++ goto done;
+ }
+
+ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+@@ -550,14 +557,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- ok = ads_element_in_array(spn_array, num_spns, spn);
+- if (!ok) {
+- ok = add_string_to_array(frame, spn,
+- &spn_array, &num_spns);
+- if (!ok) {
+- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+- goto done;
+- }
++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++ if (!ADS_ERR_OK(status)) {
++ goto done;
+ }
+
+ for (netbios_aliases = lp_netbios_aliases();
+@@ -576,14 +578,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- ok = ads_element_in_array(spn_array, num_spns, spn);
+- if (ok) {
+- continue;
+- }
+- ok = add_string_to_array(spn_array, spn,
+- &spn_array, &num_spns);
+- if (!ok) {
+- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+@@ -600,14 +596,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- ok = ads_element_in_array(spn_array, num_spns, spn);
+- if (ok) {
+- continue;
+- }
+- ok = add_string_to_array(spn_array, spn,
+- &spn_array, &num_spns);
+- if (!ok) {
+- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+ }
+--
+2.21.0
+
+
+From db7560ff0fb861552406bb4c422cff55c82f58bf Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 17 Sep 2019 21:38:07 +0300
+Subject: [PATCH 5/6] docs-xml: add "additional dns hostnames" smb.conf option
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ docs-xml/smbdotconf/base/additionaldnshostnames.xml | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/base/additionaldnshostnames.xml
+
+diff --git a/docs-xml/smbdotconf/base/additionaldnshostnames.xml b/docs-xml/smbdotconf/base/additionaldnshostnames.xml
+new file mode 100644
+index 00000000000..ddc04ee9f81
+--- /dev/null
++++ b/docs-xml/smbdotconf/base/additionaldnshostnames.xml
+@@ -0,0 +1,11 @@
++<samba:parameter name="additional dns hostnames"
++ context="G"
++ type="cmdlist"
++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++ <description>
++ <para> A list of additional DNS names by which this host can be identified
++ </para>
++</description>
++<value type="default"><comment>empty string (no additional dns names)</comment></value>
++<value type="example"> host2.example.com host3.other.com </value>
++</samba:parameter>
+--
+2.21.0
+
+
+From 2669cecc51f8f7d6675b4dac9b345b3c5a7fc879 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 13 Sep 2019 10:56:10 +0300
+Subject: [PATCH 6/6] libnet_join: add SPNs for additional-dns-hostnames
+ entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+and set msDS-AdditionalDnsHostName to the specified list.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184
+---
+ source3/libnet/libnet_join.c | 27 +++++++++++++++++++++++++++
+ testprogs/blackbox/test_net_ads.sh | 10 +++++++++-
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index a1d8a25bbc2..eb8e0ea17f7 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -511,6 +511,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ size_t num_spns = 0;
+ char *spn = NULL;
+ const char **netbios_aliases = NULL;
++ const char **addl_hostnames = NULL;
+
+ /* Find our DN */
+
+@@ -602,6 +603,22 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ }
+ }
+
++ for (addl_hostnames = lp_additional_dns_hostnames();
++ addl_hostnames != NULL && *addl_hostnames != NULL;
++ addl_hostnames++) {
++
++ spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames);
++ if (spn == NULL) {
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++ if (!ADS_ERR_OK(status)) {
++ goto done;
++ }
++ }
++
+ /* make sure to NULL terminate the array */
+ spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1);
+ if (spn_array == NULL) {
+@@ -629,6 +646,16 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
++ addl_hostnames = lp_additional_dns_hostnames();
++ if (addl_hostnames != NULL && *addl_hostnames != NULL) {
++ status = ads_mod_strlist(mem_ctx, &mods,
++ "msDS-AdditionalDnsHostName",
++ addl_hostnames);
++ if (!ADS_ERR_OK(status)) {
++ goto done;
++ }
++ }
++
+ status = ads_gen_mod(r->in.ads, r->out.dn, mods);
+
+ done:
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index ef6f99ddea4..8bcff006b8e 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -202,13 +202,21 @@ base_dn="DC=addom,DC=samba,DC=example,DC=com"
+ computers_dn="CN=Computers,$base_dn"
+ testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1`
+
+-testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++dns_alias1="${netbios}_alias1.other.${lc_realm}"
++dns_alias2="${netbios}_alias2.other2.${lc_realm}"
++testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+
+ testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
+ testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+
++testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++
++testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
++testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
++
+ ##Goodbye...
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.10-fix-spnego-downgrade.patch b/SOURCES/samba-4.10-fix-spnego-downgrade.patch
new file mode 100644
index 0000000..0f3c786
--- /dev/null
+++ b/SOURCES/samba-4.10-fix-spnego-downgrade.patch
@@ -0,0 +1,160 @@
+From 55d19011faa99fae6ddcd778e433a0b253e0c7b4 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 4 Sep 2019 16:31:21 +0300
+Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic
+ token
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/gensec/spnego.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 0b3fbdce7ac..6bb5c8b6417 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -136,6 +136,7 @@ struct spnego_state {
+ bool done_mic_check;
+
+ bool simulate_w2k;
++ bool no_optimistic;
+
+ /*
+ * The following is used to implement
+@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
+
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
++ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
++ "spnego",
++ "client_no_optimistic",
++ false);
+
+ gensec_security->private_data = spnego_state;
+ return NT_STATUS_OK;
+@@ -1923,6 +1928,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ * blob and NT_STATUS_OK.
+ */
+ state->sub.status = NT_STATUS_OK;
++ } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
++ spnego_state->no_optimistic) {
++ /*
++ * Skip optimistic token per conf.
++ */
++ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED =>
+--
+2.21.0
+
+
+From e03ce41c911d5fead3f11c2eedce6baf7164e232 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 4 Sep 2019 16:39:43 +0300
+Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/knownfail.d/spnego_no_optimistic | 1 +
+ source4/selftest/tests.py | 4 ++++
+ 2 files changed, 5 insertions(+)
+ create mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+new file mode 100644
+index 00000000000..54f51446be0
+--- /dev/null
++++ b/selftest/knownfail.d/spnego_no_optimistic
+@@ -0,0 +1 @@
++^samba4.smb.spnego.*.no_optimistic
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index aa54308c524..9c3c77f1c56 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -513,6 +513,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha
+ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon")
+ plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon")
+
++# Test SPNEGO without issuing an optimistic token
++opt='--option=spnego:client_no_optimistic=yes'
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic")
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic")
+
+ wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""]
+
+--
+2.21.0
+
+
+From 7e1be4ab8ff1ab8869b79f42828489dfa5450f2b Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 4 Sep 2019 17:04:12 +0300
+Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
+---
+ auth/gensec/spnego.c | 13 +++++++++++++
+ selftest/knownfail.d/spnego_no_optimistic | 1 -
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+ delete mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 6bb5c8b6417..5f78267281d 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -1300,6 +1300,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
+ spnego_state->mic_requested = true;
+ }
+
++ if (sub_in.length == 0) {
++ spnego_state->no_optimistic = true;
++ }
++
+ /*
+ * Note that 'cur_sec' is temporary memory, but
+ * cur_sec->oid points to a const string in the
+@@ -1934,6 +1938,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ * Skip optimistic token per conf.
+ */
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
++ state->sub.in.length == 0 && spnego_state->no_optimistic) {
++ /*
++ * If we didn't like the mechanism for which the client sent us
++ * an optimistic token, or if he didn't send any, don't call
++ * the sub mechanism just yet.
++ */
++ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++ spnego_state->no_optimistic = false;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED =>
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+deleted file mode 100644
+index 54f51446be0..00000000000
+--- a/selftest/knownfail.d/spnego_no_optimistic
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba4.smb.spnego.*.no_optimistic
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.10-fix_gencache_debug_message.patch b/SOURCES/samba-4.10-fix_gencache_debug_message.patch
deleted file mode 100644
index 2440c97..0000000
--- a/SOURCES/samba-4.10-fix_gencache_debug_message.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 17 Jan 2019 13:58:14 +0100
-Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries.
-
-To get correct values, we need to cast 'timeout' to 'long int' first in
-order to do calculation in that integer space! Calculations are don in
-the space of the lvalue!
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
----
- source3/lib/gencache.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
-index ab12fc1c531..9f4e1cfcaa3 100644
---- a/source3/lib/gencache.c
-+++ b/source3/lib/gencache.c
-@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob,
- dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len };
- dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length };
-
-- DEBUG(10, ("Adding cache entry with key=[%s] and timeout="
-- "[%s] (%d seconds %s)\n", keystr,
-+ DBG_DEBUG("Adding cache entry with key=[%s] and timeout="
-+ "[%s] (%ld seconds %s)\n", keystr,
- timestring(talloc_tos(), timeout),
-- (int)(timeout - time(NULL)),
-- timeout > time(NULL) ? "ahead" : "in the past"));
-+ ((long int)timeout) - time(NULL),
-+ timeout > time(NULL) ? "ahead" : "in the past");
-
- ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr),
- dbufs, 2, 0);
---
-2.20.1
-
diff --git a/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch b/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch
new file mode 100644
index 0000000..b3e0247
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch
@@ -0,0 +1,1276 @@
+From 0d1179d5c3585678e6b4097425a4137b8666d333 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 8 Aug 2019 14:35:38 +0200
+Subject: [PATCH 01/11] testprogs: Fix failure count in test_net_ads.sh
+
+There are missing ` at the end of the line.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37)
+---
+ testprogs/blackbox/test_net_ads.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index d3c4de5b741..512aa9d2952 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -141,10 +141,10 @@ testit "test spn service doensn't exist in AD but is present in keytab file afte
+ # SPN parser is very basic but does detect some illegal combination
+
+ windows_spn="$spn_service/$spn_host:"
+-testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1
++testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+ windows_spn="$spn_service/$spn_host/"
+-testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1
++testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+ testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
+--
+2.23.0
+
+
+From 5acc6ededece33202fe3aa26cb9de9c052e32ba2 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 13 Aug 2019 17:06:58 +0200
+Subject: [PATCH 02/11] s3:libads: Use ldap_add_ext_s() in ads_gen_add()
+
+ldap_add_s() is marked as deprecated.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64)
+---
+ source3/libads/ldap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 8d13a7cf18c..d409d4ab78e 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1596,7 +1596,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
+ /* make sure the end of the list is NULL */
+ mods[i] = NULL;
+
+- ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
++ ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL);
+ ads_print_error(ret, ads->ldap.ld);
+ TALLOC_FREE(utf8_dn);
+ return ADS_ERROR(ret);
+--
+2.23.0
+
+
+From 17d370a97ee2c7e6359aafc0248efae90c654857 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 13 Aug 2019 17:41:40 +0200
+Subject: [PATCH 03/11] s3:libnet: Require sealed LDAP SASL connections for
+ joining
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f)
+---
+ libgpo/pygpo.c | 2 +-
+ source3/lib/netapi/joindomain.c | 5 ++++-
+ source3/libads/ads_proto.h | 9 ++++++++-
+ source3/libads/ads_struct.c | 14 +++++++++++++-
+ source3/libads/ldap.c | 4 ++--
+ source3/libnet/libnet_join.c | 3 ++-
+ source3/libsmb/namequery_dc.c | 2 +-
+ source3/printing/nt_printing_ads.c | 6 +++---
+ source3/utils/net_ads.c | 13 +++++++++----
+ source3/winbindd/winbindd_ads.c | 5 ++++-
+ source3/winbindd/winbindd_cm.c | 5 ++++-
+ 11 files changed, 51 insertions(+), 17 deletions(-)
+
+diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
+index cd107318860..4db8cad7ca4 100644
+--- a/libgpo/pygpo.c
++++ b/libgpo/pygpo.c
+@@ -212,7 +212,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds)
+ return -1;
+ }
+
+- self->ads_ptr = ads_init(realm, workgroup, ldap_server);
++ self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN);
+ if (self->ads_ptr == NULL) {
+ return -1;
+ }
+diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
+index ff2154ba803..8d0752f4531 100644
+--- a/source3/lib/netapi/joindomain.c
++++ b/source3/lib/netapi/joindomain.c
+@@ -411,7 +411,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
+
+ dc = strip_hostname(info->dc_unc);
+
+- ads = ads_init(info->domain_name, info->domain_name, dc);
++ ads = ads_init(info->domain_name,
++ info->domain_name,
++ dc,
++ ADS_SASL_PLAIN);
+ if (!ads) {
+ return WERR_GEN_FAILURE;
+ }
+diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
+index 154bf67f964..92bb3a22cdb 100644
+--- a/source3/libads/ads_proto.h
++++ b/source3/libads/ads_proto.h
+@@ -32,6 +32,12 @@
+ #ifndef _LIBADS_ADS_PROTO_H_
+ #define _LIBADS_ADS_PROTO_H_
+
++enum ads_sasl_state_e {
++ ADS_SASL_PLAIN = 0,
++ ADS_SASL_SIGN,
++ ADS_SASL_SEAL,
++};
++
+ /* The following definitions come from libads/ads_struct.c */
+
+ char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
+@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm);
+ char *ads_build_domain(const char *dn);
+ ADS_STRUCT *ads_init(const char *realm,
+ const char *workgroup,
+- const char *ldap_server);
++ const char *ldap_server,
++ enum ads_sasl_state_e sasl_state);
+ bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
+ void ads_destroy(ADS_STRUCT **ads);
+
+diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
+index 3ab682c0e38..043a1b21247 100644
+--- a/source3/libads/ads_struct.c
++++ b/source3/libads/ads_struct.c
+@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn)
+ */
+ ADS_STRUCT *ads_init(const char *realm,
+ const char *workgroup,
+- const char *ldap_server)
++ const char *ldap_server,
++ enum ads_sasl_state_e sasl_state)
+ {
+ ADS_STRUCT *ads;
+ int wrap_flags;
+@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm,
+ wrap_flags = 0;
+ }
+
++ switch (sasl_state) {
++ case ADS_SASL_PLAIN:
++ break;
++ case ADS_SASL_SIGN:
++ wrap_flags |= ADS_AUTH_SASL_SIGN;
++ break;
++ case ADS_SASL_SEAL:
++ wrap_flags |= ADS_AUTH_SASL_SEAL;
++ break;
++ }
++
+ ads->auth.flags = wrap_flags;
+
+ /* Start with the configured page size when the connection is new,
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index d409d4ab78e..7bdda4b1768 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2964,7 +2964,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
+
+ if ( !ads->ldap.ld ) {
+ if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
+- ads->server.ldap_server )) == NULL )
++ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
+ {
+ status = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+@@ -3026,7 +3026,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val)
+
+ if ( !ads->ldap.ld ) {
+ if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup,
+- ads->server.ldap_server )) == NULL )
++ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
+ {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto done;
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index b876d7ea89f..a512afc238a 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+
+ my_ads = ads_init(dns_domain_name,
+ netbios_domain_name,
+- dc_name);
++ dc_name,
++ ADS_SASL_SEAL);
+ if (!my_ads) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
+index 4ee5b5278e4..f63dde61603 100644
+--- a/source3/libsmb/namequery_dc.c
++++ b/source3/libsmb/namequery_dc.c
+@@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain,
+
+ /* Try this 3 times then give up. */
+ for( i =0 ; i < 3; i++) {
+- ads = ads_init(realm, domain, NULL);
++ ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN);
+ if (!ads) {
+ TALLOC_FREE(sitename);
+ return False;
+diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c
+index 2588e1de7e7..a82f1361fc8 100644
+--- a/source3/printing/nt_printing_ads.c
++++ b/source3/printing/nt_printing_ads.c
+@@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer,
+ return WERR_NOT_ENOUGH_MEMORY;
+ }
+
+- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
++ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
+ if (ads == NULL) {
+ result = WERR_RPC_S_SERVER_UNAVAILABLE;
+ goto out;
+@@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx,
+
+ TALLOC_FREE(sinfo2);
+
+- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
++ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
+ if (!ads) {
+ DEBUG(3, ("ads_init() failed\n"));
+ win_rc = WERR_RPC_S_SERVER_UNAVAILABLE;
+@@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx)
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY;
+
+- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
++ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
+ if (!ads) {
+ DEBUG(3, ("ads_init() failed\n"));
+ return WERR_RPC_S_SERVER_UNAVAILABLE;
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index d33031a0dbd..07a22098fb1 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -620,7 +620,10 @@ retry_connect:
+ realm = assume_own_realm(c);
+ }
+
+- ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
++ ads = ads_init(realm,
++ c->opt_target_workgroup,
++ c->opt_host,
++ ADS_SASL_PLAIN);
+
+ if (!c->opt_user_name) {
+ c->opt_user_name = "administrator";
+@@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha
+ ADS_STRUCT *ads;
+ ADS_STATUS status;
+
+- if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
++ ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN);
++ if (ads == NULL ) {
+ return -1;
+ }
+
+@@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st
+ * kinit with the machine password to do dns update.
+ */
+
+- ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name);
++ ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN);
+
+ if (ads_dns == NULL) {
+ d_fprintf(stderr, _("DNS update failed: out of memory!\n"));
+@@ -2654,7 +2658,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
+
+ /* use the realm so we can eventually change passwords for users
+ in realms other than default */
+- if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
++ ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN);
++ if (ads == NULL) {
+ return -1;
+ }
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 922ca43764b..556b4523866 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ /* we don't want this to affect the users ccache */
+ setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
+
+- ads = ads_init(target_realm, target_dom_name, ldap_server);
++ ads = ads_init(target_realm,
++ target_dom_name,
++ ldap_server,
++ ADS_SASL_SEAL);
+ if (!ads) {
+ DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
+ return ADS_ERROR(LDAP_NO_MEMORY);
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 22d3dcaa92b..4bd03ed8b7a 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
+
+ print_sockaddr(addr, sizeof(addr), pss);
+
+- ads = ads_init(domain->alt_name, domain->name, addr);
++ ads = ads_init(domain->alt_name,
++ domain->name,
++ addr,
++ ADS_SASL_PLAIN);
+ ads->auth.flags |= ADS_AUTH_NO_BIND;
+ ads->config.flags |= request_flags;
+ ads->server.no_fallback = true;
+--
+2.23.0
+
+
+From 244ecd7d839340858e96d75118548942b44bbd5c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 13 Aug 2019 16:30:07 +0200
+Subject: [PATCH 04/11] s3:libads: Cleanup error code paths in
+ ads_create_machine_acct()
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a)
+---
+ source3/libads/ldap.c | 34 +++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 11 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 7bdda4b1768..e492d0688a5 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2092,11 +2092,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ uint32_t etype_list)
+ {
+ ADS_STATUS ret;
+- char *samAccountName, *controlstr;
+- TALLOC_CTX *ctx;
++ char *samAccountName = NULL;
++ char *controlstr = NULL;
++ TALLOC_CTX *ctx = NULL;
+ ADS_MODLIST mods;
+ char *machine_escaped = NULL;
+- char *new_dn;
++ char *new_dn = NULL;
+ const char *objectClass[] = {"top", "person", "organizationalPerson",
+ "user", "computer", NULL};
+ LDAPMessage *res = NULL;
+@@ -2110,13 +2111,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ return ret;
+ }
+
+- if (!(ctx = talloc_init("ads_add_machine_acct")))
++ ctx = talloc_init("ads_add_machine_acct");
++ if (ctx == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+-
+- ret = ADS_ERROR(LDAP_NO_MEMORY);
++ }
+
+ machine_escaped = escape_rdn_val_string_alloc(machine_name);
+- if (!machine_escaped) {
++ if (machine_escaped == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+@@ -2131,17 +2133,26 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ ads_msgfree(ads, res);
+
+ new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
+- samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
++ if (new_dn == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
+
+- if ( !new_dn || !samAccountName ) {
++ samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
++ if (samAccountName == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+- if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) {
++ controlstr = talloc_asprintf(ctx, "%u", acct_control);
++ if (controlstr == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+- if (!(mods = ads_init_mods(ctx))) {
++ mods = ads_init_mods(ctx);
++ if (mods == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+@@ -2155,6 +2166,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+
+ etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
+ if (etype_list_str == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+ ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
+--
+2.23.0
+
+
+From 8d0e49716b7039fee4785186c67de774b34bd85b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 21 Aug 2019 12:22:32 +0200
+Subject: [PATCH 05/11] s3:libads: Use a talloc_asprintf in
+ ads_find_machine_acct()
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357)
+---
+ source3/libads/ldap.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index e492d0688a5..3bc9a2a06aa 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1367,18 +1367,22 @@ char *ads_parent_dn(const char *dn)
+ ADS_STATUS status;
+ char *expr;
+ const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL};
++ TALLOC_CTX *frame = talloc_stackframe();
+
+ *res = NULL;
+
+ /* the easiest way to find a machine account anywhere in the tree
+ is to look for hostname$ */
+- if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
+- DEBUG(1, ("asprintf failed!\n"));
+- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
++ expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine);
++ if (expr == NULL) {
++ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
++ goto done;
+ }
+
+ status = ads_search(ads, res, expr, attrs);
+- SAFE_FREE(expr);
++
++done:
++ TALLOC_FREE(frame);
+ return status;
+ }
+
+--
+2.23.0
+
+
+From be247641382d1cc730ab5cd1e8bebe92e1d3a6fc Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 14 Aug 2019 13:01:19 +0200
+Subject: [PATCH 06/11] s3:libads: Fix detection if acount already exists in
+ ads_find_machine_count()
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d)
+---
+ source3/libads/ldap.c | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 3bc9a2a06aa..ec6ad61a55c 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1366,7 +1366,21 @@ char *ads_parent_dn(const char *dn)
+ {
+ ADS_STATUS status;
+ char *expr;
+- const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL};
++ const char *attrs[] = {
++ /* This is how Windows checks for machine accounts */
++ "objectClass",
++ "SamAccountName",
++ "userAccountControl",
++ "DnsHostName",
++ "ServicePrincipalName",
++ "unicodePwd",
++
++ /* Additional attributes Samba checks */
++ "msDS-SupportedEncryptionTypes",
++ "nTSecurityDescriptor",
++
++ NULL
++ };
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ *res = NULL;
+@@ -1380,6 +1394,11 @@ char *ads_parent_dn(const char *dn)
+ }
+
+ status = ads_search(ads, res, expr, attrs);
++ if (ADS_ERR_OK(status)) {
++ if (ads_count_replies(ads, *res) != 1) {
++ status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
++ }
++ }
+
+ done:
+ TALLOC_FREE(frame);
+@@ -1867,11 +1886,11 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
+ char *dn_string = NULL;
+
+ ret = ads_find_machine_acct(ads, &res, machine_name);
+- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
++ if (!ADS_ERR_OK(ret)) {
+ DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
+ DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
+ ads_msgfree(ads, res);
+- return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
++ return ret;
+ }
+
+ DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
+@@ -2027,12 +2046,12 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads,
+ const char **servicePrincipalName = spns;
+
+ ret = ads_find_machine_acct(ads, &res, machine_name);
+- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
++ if (!ADS_ERR_OK(ret)) {
+ DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
+ machine_name));
+ DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n"));
+ ads_msgfree(ads, res);
+- return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
++ return ret;
+ }
+
+ DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
+@@ -2127,7 +2146,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ }
+
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+- if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
++ if (ADS_ERR_OK(ret)) {
+ DBG_DEBUG("Host account for %s already exists.\n",
+ machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+@@ -3684,14 +3703,15 @@ ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
+ TALLOC_FREE(hostnameDN);
+
+ status = ads_find_machine_acct(ads, &res, host);
+- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
++ if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
++ (status.err.rc != LDAP_NO_SUCH_OBJECT)) {
+ DEBUG(3, ("Failed to remove host account.\n"));
+ SAFE_FREE(host);
+ return status;
+ }
+
+ SAFE_FREE(host);
+- return status;
++ return ADS_SUCCESS;
+ }
+
+ /**
+--
+2.23.0
+
+
+From d7485cee3652a91ac199f912d656713cf1ddafa9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 14 Aug 2019 12:17:20 +0200
+Subject: [PATCH 07/11] s3:libads: Don't set supported encryption types during
+ account creation
+
+This is already handled by libnet_join_post_processing_ads_modify()
+which calls libnet_join_set_etypes() if encrytion types should be set.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38)
+---
+ source3/libads/ldap.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index ec6ad61a55c..8fbd97e25e2 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2127,12 +2127,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
+ UF_DONT_EXPIRE_PASSWD |\
+ UF_ACCOUNTDISABLE );
+- uint32_t func_level = 0;
+-
+- ret = ads_domain_func_level(ads, &func_level);
+- if (!ADS_ERR_OK(ret)) {
+- return ret;
+- }
+
+ ctx = talloc_init("ads_add_machine_acct");
+ if (ctx == NULL) {
+@@ -2184,18 +2178,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+ ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+
+- if (func_level >= DS_DOMAIN_FUNCTION_2008) {
+- const char *etype_list_str;
+-
+- etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
+- if (etype_list_str == NULL) {
+- ret = ADS_ERROR(LDAP_NO_MEMORY);
+- goto done;
+- }
+- ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
+- etype_list_str);
+- }
+-
+ ret = ads_gen_add(ads, new_dn, mods);
+
+ done:
+--
+2.23.0
+
+
+From f8f7158ac639c516e6dcdeca9d41b94ba6d06134 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 13 Aug 2019 16:34:34 +0200
+Subject: [PATCH 08/11] s3:libads: Fix creating machine account using LDAP
+
+This implements the same behaviour as Windows.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit ce7762935051c862ecdd3e82d93096aac61dd292)
+---
+ source3/libads/ads_proto.h | 4 +-
+ source3/libads/ldap.c | 118 +++++++++++++++++++++++++++++++----
+ source3/libnet/libnet_join.c | 23 ++++---
+ 3 files changed, 124 insertions(+), 21 deletions(-)
+
+diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
+index 92bb3a22cdb..495ef5d3325 100644
+--- a/source3/libads/ads_proto.h
++++ b/source3/libads/ads_proto.h
+@@ -114,8 +114,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_
+ const char **spns);
+ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ const char *machine_name,
++ const char *machine_password,
+ const char *org_unit,
+- uint32_t etype_list);
++ uint32_t etype_list,
++ const char *dns_domain_name);
+ ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+ const char *org_unit, bool *moved);
+ int ads_count_replies(ADS_STRUCT *ads, void *res);
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 8fbd97e25e2..81efda0cf30 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1516,7 +1516,6 @@ ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ name, (const void **) vals);
+ }
+
+-#if 0
+ /**
+ * Add a single ber-encoded value to a mod list
+ * @param ctx An initialized TALLOC_CTX
+@@ -1537,7 +1536,6 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
+ name, (const void **) values);
+ }
+-#endif
+
+ static void ads_print_error(int ret, LDAP *ld)
+ {
+@@ -2111,8 +2109,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads,
+
+ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ const char *machine_name,
++ const char *machine_password,
+ const char *org_unit,
+- uint32_t etype_list)
++ uint32_t etype_list,
++ const char *dns_domain_name)
+ {
+ ADS_STATUS ret;
+ char *samAccountName = NULL;
+@@ -2120,13 +2120,23 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ TALLOC_CTX *ctx = NULL;
+ ADS_MODLIST mods;
+ char *machine_escaped = NULL;
++ char *dns_hostname = NULL;
+ char *new_dn = NULL;
+- const char *objectClass[] = {"top", "person", "organizationalPerson",
+- "user", "computer", NULL};
++ char *utf8_pw = NULL;
++ size_t utf8_pw_len = 0;
++ char *utf16_pw = NULL;
++ size_t utf16_pw_len = 0;
++ struct berval machine_pw_val;
++ bool ok;
++ const char **spn_array = NULL;
++ size_t num_spns = 0;
++ const char *spn_prefix[] = {
++ "HOST",
++ "RestrictedKrbHost",
++ };
++ size_t i;
+ LDAPMessage *res = NULL;
+- uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
+- UF_DONT_EXPIRE_PASSWD |\
+- UF_ACCOUNTDISABLE );
++ uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT;
+
+ ctx = talloc_init("ads_add_machine_acct");
+ if (ctx == NULL) {
+@@ -2139,10 +2149,9 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ goto done;
+ }
+
++ /* Check if the machine account already exists. */
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ if (ADS_ERR_OK(ret)) {
+- DBG_DEBUG("Host account for %s already exists.\n",
+- machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+ ads_msgfree(ads, res);
+ goto done;
+@@ -2155,28 +2164,111 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ goto done;
+ }
+
++ /* Create machine account */
++
+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+ if (samAccountName == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
++ dns_hostname = talloc_asprintf(ctx,
++ "%s.%s",
++ machine_name,
++ dns_domain_name);
++ if (dns_hostname == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ /* Add dns_hostname SPNs */
++ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
++ char *spn = talloc_asprintf(ctx,
++ "%s/%s",
++ spn_prefix[i],
++ dns_hostname);
++ if (spn == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ ok = add_string_to_array(spn_array,
++ spn,
++ &spn_array,
++ &num_spns);
++ if (!ok) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++ }
++
++ /* Add machine_name SPNs */
++ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
++ char *spn = talloc_asprintf(ctx,
++ "%s/%s",
++ spn_prefix[i],
++ machine_name);
++ if (spn == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ ok = add_string_to_array(spn_array,
++ spn,
++ &spn_array,
++ &num_spns);
++ if (!ok) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++ }
++
++ /* Make sure to NULL terminate the array */
++ spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1);
++ if (spn_array == NULL) {
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
++ spn_array[num_spns] = NULL;
++
+ controlstr = talloc_asprintf(ctx, "%u", acct_control);
+ if (controlstr == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
++ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
++ if (utf8_pw == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++ utf8_pw_len = strlen(utf8_pw);
++
++ ok = convert_string_talloc(ctx,
++ CH_UTF8, CH_UTF16MUNGED,
++ utf8_pw, utf8_pw_len,
++ (void *)&utf16_pw, &utf16_pw_len);
++ if (!ok) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ machine_pw_val = (struct berval) {
++ .bv_val = utf16_pw,
++ .bv_len = utf16_pw_len,
++ };
++
+ mods = ads_init_mods(ctx);
+ if (mods == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+- ads_mod_str(ctx, &mods, "cn", machine_name);
+- ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
+- ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
++ ads_mod_str(ctx, &mods, "objectClass", "Computer");
++ ads_mod_str(ctx, &mods, "SamAccountName", samAccountName);
+ ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
++ ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname);
++ ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array);
++ ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val);
+
+ ret = ads_gen_add(ads, new_dn, mods);
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index a512afc238a..d5c8599beee 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -338,10 +338,22 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
+ /* Attempt to create the machine account and bail if this fails.
+ Assume that the admin wants exactly what they requested */
+
++ if (r->in.machine_password == NULL) {
++ r->in.machine_password =
++ trust_pw_new_value(mem_ctx,
++ r->in.secure_channel_type,
++ SEC_ADS);
++ if (r->in.machine_password == NULL) {
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
++ }
++
+ status = ads_create_machine_acct(r->in.ads,
+ r->in.machine_name,
++ r->in.machine_password,
+ r->in.account_ou,
+- r->in.desired_encryption_types);
++ r->in.desired_encryption_types,
++ r->out.dns_domain_name);
+
+ if (ADS_ERR_OK(status)) {
+ DEBUG(1,("machine account creation created\n"));
+@@ -2668,12 +2680,11 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+ if (ADS_ERR_OK(ads_status)) {
+
+ /*
+- * LDAP object create succeeded, now go to the rpc
+- * password set routines
++ * LDAP object creation succeeded.
+ */
+-
+ r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
+- goto rpc_join;
++
++ return WERR_OK;
+ }
+
+ if (initial_account_ou != NULL) {
+@@ -2687,8 +2698,6 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
+ r->in.account_ou, ads_errstr(ads_status));
+ }
+- rpc_join:
+-
+ #endif /* HAVE_ADS */
+
+ if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
+--
+2.23.0
+
+
+From f37eaa71dbd1cb206e8f3bcf251fc42308aa561d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 14 Aug 2019 10:15:19 +0200
+Subject: [PATCH 09/11] s3:libnet: Improve debug messages
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94)
+---
+ source3/libnet/libnet_join.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index d5c8599beee..31d1d221ed3 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -356,7 +356,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
+ r->out.dns_domain_name);
+
+ if (ADS_ERR_OK(status)) {
+- DEBUG(1,("machine account creation created\n"));
++ DBG_WARNING("Machine account successfully created\n");
+ return status;
+ } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
+ (status.err.rc == LDAP_ALREADY_EXISTS)) {
+@@ -364,7 +364,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
+ }
+
+ if (!ADS_ERR_OK(status)) {
+- DEBUG(1,("machine account creation failed\n"));
++ DBG_WARNING("Failed to create machine account\n");
+ return status;
+ }
+
+--
+2.23.0
+
+
+From d590cf9739393e15aa4d9cc86ca56f93db6f1a2b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 8 Aug 2019 14:40:04 +0200
+Subject: [PATCH 10/11] s3:libads: Just change the machine password if account
+ already exists
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 14f320fa1e40ecc3a43dabb0cecd57430270a521)
+---
+ source3/libads/ldap.c | 167 ++++++++++++++++++++++++++++++-----
+ source3/libnet/libnet_join.c | 1 +
+ 2 files changed, 146 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 81efda0cf30..afae46d2e79 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2098,6 +2098,127 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads,
+ return ret;
+ }
+
++static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads,
++ LDAPMessage *msg)
++{
++ uint32_t acct_ctrl = 0;
++ bool ok;
++
++ ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl);
++ if (!ok) {
++ return 0;
++ }
++
++ return acct_ctrl;
++}
++
++static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads,
++ LDAPMessage *msg,
++ const struct berval *machine_pw_val)
++{
++ ADS_MODLIST mods;
++ ADS_STATUS ret;
++ TALLOC_CTX *frame = talloc_stackframe();
++ uint32_t acct_control;
++ char *control_str = NULL;
++ const char *attrs[] = {
++ "objectSid",
++ NULL
++ };
++ LDAPMessage *res = NULL;
++ char *dn = NULL;
++
++ dn = ads_get_dn(ads, frame, msg);
++ if (dn == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ acct_control = ads_get_acct_ctrl(ads, msg);
++ if (acct_control == 0) {
++ ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
++ goto done;
++ }
++
++ /*
++ * Changing the password, disables the account. So we need to change the
++ * userAccountControl flags to enable it again.
++ */
++ mods = ads_init_mods(frame);
++ if (mods == NULL) {
++ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val);
++
++ ret = ads_gen_mod(ads, dn, mods);
++ if (!ADS_ERR_OK(ret)) {
++ goto done;
++ }
++ TALLOC_FREE(mods);
++
++ /*
++ * To activate the account, we need to disable and enable it.
++ */
++ acct_control |= UF_ACCOUNTDISABLE;
++
++ control_str = talloc_asprintf(frame, "%u", acct_control);
++ if (control_str == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ mods = ads_init_mods(frame);
++ if (mods == NULL) {
++ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ ads_mod_str(frame, &mods, "userAccountControl", control_str);
++
++ ret = ads_gen_mod(ads, dn, mods);
++ if (!ADS_ERR_OK(ret)) {
++ goto done;
++ }
++ TALLOC_FREE(mods);
++ TALLOC_FREE(control_str);
++
++ /*
++ * Enable the account again.
++ */
++ acct_control &= ~UF_ACCOUNTDISABLE;
++
++ control_str = talloc_asprintf(frame, "%u", acct_control);
++ if (control_str == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ mods = ads_init_mods(frame);
++ if (mods == NULL) {
++ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ ads_mod_str(frame, &mods, "userAccountControl", control_str);
++
++ ret = ads_gen_mod(ads, dn, mods);
++ if (!ADS_ERR_OK(ret)) {
++ goto done;
++ }
++ TALLOC_FREE(mods);
++ TALLOC_FREE(control_str);
++
++ ret = ads_search_dn(ads, &res, dn, attrs);
++ ads_msgfree(ads, res);
++
++done:
++ talloc_free(frame);
++
++ return ret;
++}
++
+ /**
+ * adds a machine account to the ADS server
+ * @param ads An intialized ADS_STRUCT
+@@ -2149,11 +2270,34 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ goto done;
+ }
+
++ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
++ if (utf8_pw == NULL) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++ utf8_pw_len = strlen(utf8_pw);
++
++ ok = convert_string_talloc(ctx,
++ CH_UTF8, CH_UTF16MUNGED,
++ utf8_pw, utf8_pw_len,
++ (void *)&utf16_pw, &utf16_pw_len);
++ if (!ok) {
++ ret = ADS_ERROR(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ machine_pw_val = (struct berval) {
++ .bv_val = utf16_pw,
++ .bv_len = utf16_pw_len,
++ };
++
+ /* Check if the machine account already exists. */
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ if (ADS_ERR_OK(ret)) {
+- ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
++ /* Change the machine account password */
++ ret = ads_change_machine_acct(ads, res, &machine_pw_val);
+ ads_msgfree(ads, res);
++
+ goto done;
+ }
+ ads_msgfree(ads, res);
+@@ -2236,27 +2380,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ goto done;
+ }
+
+- utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
+- if (utf8_pw == NULL) {
+- ret = ADS_ERROR(LDAP_NO_MEMORY);
+- goto done;
+- }
+- utf8_pw_len = strlen(utf8_pw);
+-
+- ok = convert_string_talloc(ctx,
+- CH_UTF8, CH_UTF16MUNGED,
+- utf8_pw, utf8_pw_len,
+- (void *)&utf16_pw, &utf16_pw_len);
+- if (!ok) {
+- ret = ADS_ERROR(LDAP_NO_MEMORY);
+- goto done;
+- }
+-
+- machine_pw_val = (struct berval) {
+- .bv_val = utf16_pw,
+- .bv_len = utf16_pw_len,
+- };
+-
+ mods = ads_init_mods(ctx);
+ if (mods == NULL) {
+ ret = ADS_ERROR(LDAP_NO_MEMORY);
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 31d1d221ed3..1052afde641 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -968,6 +968,7 @@ static ADS_STATUS libnet_join_post_processing_ads_modify(TALLOC_CTX *mem_ctx,
+
+ if (r->in.ads->auth.ccache_name != NULL) {
+ ads_kdestroy(r->in.ads->auth.ccache_name);
++ r->in.ads->auth.ccache_name = NULL;
+ }
+
+ ads_destroy(&r->in.ads);
+--
+2.23.0
+
+
+From 2209c01f8069d47b47c8fc5df376cc9c41c552e1 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 22 Aug 2019 16:31:30 +0200
+Subject: [PATCH 11/11] testprogs: Add test for 'net ads join createcomputer='
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184
+
+(cherry picked from commit 459b43e5776180dc1540cd845b72ff78747ecd6f)
+---
+ testprogs/blackbox/test_net_ads.sh | 32 ++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 512aa9d2952..cc8345c4624 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -31,6 +31,16 @@ if [ -x "$BINDIR/ldbsearch" ]; then
+ ldbsearch="$BINDIR/ldbsearch"
+ fi
+
++ldbadd="ldbadd"
++if [ -x "$BINDIR/ldbadd" ]; then
++ ldbadd="$BINDIR/ldbadd"
++fi
++
++ldbdel="ldbdel"
++if [ -x "$BINDIR/ldbdel" ]; then
++ ldbdel="$BINDIR/ldbdel"
++fi
++
+ # Load test functions
+ . `dirname $0`/subunit.sh
+
+@@ -188,8 +198,9 @@ testit "testjoin user+password" $VALGRIND $net_tool ads testjoin -U$DC_USERNAME%
+
+ testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=`expr $failed + 1`
+
+-computers_ldb_ou="CN=Computers,DC=addom,DC=samba,DC=example,DC=com"
+-testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_ldb_ou" || failed=`expr $failed + 1`
++base_dn="DC=addom,DC=samba,DC=example,DC=com"
++computers_dn="CN=Computers,$base_dn"
++testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1`
+
+ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+@@ -198,6 +209,23 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+ ##Goodbye...
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
++#
++# Test createcomputer option of 'net ads join'
++#
++testit "Create OU=Servers,$base_dn" $VALGRIND $ldbadd -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER <<EOF
++dn: OU=Servers,$base_dn
++objectClass: organizationalUnit
++EOF
++
++testit "join+createcomputer" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createcomputer=Servers || failed=`expr $failed + 1`
++
++testit "ldb check for existence of machine account in OU=Servers" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,OU=Servers,$base_dn" || failed=`expr $failed + 1`
++
++## Goodbye...
++testit "leave+createcomputer" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
++testit "Remove OU=Servers" $VALGRIND $ldbdel -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER "OU=Servers,$base_dn"
++
+ rm -rf $BASEDIR/$WORKDIR
+
+ exit $failed
+--
+2.23.0
+
diff --git a/SOURCES/samba-4.10-fix_smbspool.patch b/SOURCES/samba-4.10-fix_smbspool.patch
new file mode 100644
index 0000000..fa12f06
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_smbspool.patch
@@ -0,0 +1,1127 @@
+From 16056895403f3c673dc5adc531b7e739d46292fb Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 May 2019 16:55:49 +0200
+Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups
+
+This is required to access files in /var/spool/cups which have been
+temporarily created in there by CUPS.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b)
+---
+ source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index 5c4da33238b..e6684fc0d0c 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -82,6 +82,7 @@ int main(int argc, char *argv[])
+ {
+ char smbspool_cmd[PATH_MAX] = {0};
+ struct passwd *pwd;
++ struct group *g = NULL;
+ char gen_cc[PATH_MAX] = {0};
+ struct stat sb;
+ char *env = NULL;
+@@ -89,6 +90,7 @@ int main(int argc, char *argv[])
+ char device_uri[4096] = {0};
+ uid_t uid = (uid_t)-1;
+ gid_t gid = (gid_t)-1;
++ gid_t groups[1] = { (gid_t)-1 };
+ unsigned long tmp;
+ int cmp;
+ int rc;
+@@ -176,6 +178,26 @@ int main(int argc, char *argv[])
+ return CUPS_BACKEND_FAILED;
+ }
+
++ /*
++ * We need the primary group of the 'lp' user. This is needed to access
++ * temporary files in /var/spool/cups/.
++ */
++ g = getgrnam("lp");
++ if (g == NULL) {
++ CUPS_SMB_ERROR("Failed to find user 'lp' - %s",
++ strerror(errno));
++ return CUPS_BACKEND_FAILED;
++ }
++
++ CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid);
++ groups[0] = g->gr_gid;
++ rc = setgroups(sizeof(groups), groups);
++ if (rc != 0) {
++ CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s",
++ strerror(errno));
++ return CUPS_BACKEND_FAILED;
++ }
++
+ CUPS_SMB_DEBUG("Switching to gid=%d", gid);
+ rc = setgid(gid);
+ if (rc != 0) {
+--
+2.21.0
+
+
+From a6b29458e833db85057ef1b7c0403e90f76adfa4 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 13:41:02 +0200
+Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate
+ with
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5)
+---
+ source3/client/smbspool.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 22071613677..efbdd418fdb 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -616,6 +616,7 @@ static bool kerberos_ccache_is_valid(void) {
+ return false;
+ } else {
+ krb5_principal default_princ = NULL;
++ char *princ_name = NULL;
+
+ code = krb5_cc_get_principal(ctx,
+ ccache,
+@@ -625,6 +626,16 @@ static bool kerberos_ccache_is_valid(void) {
+ krb5_free_context(ctx);
+ return false;
+ }
++
++ code = krb5_unparse_name(ctx,
++ default_princ,
++ &princ_name);
++ if (code == 0) {
++ fprintf(stderr,
++ "DEBUG: Try to authenticate as %s\n",
++ princ_name);
++ krb5_free_unparsed_name(ctx, princ_name);
++ }
+ krb5_free_principal(ctx, default_princ);
+ }
+ krb5_cc_close(ctx, ccache);
+--
+2.21.0
+
+
+From b64ed8bb51c7c78d757881fc3944f7bc812f5457 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 14:25:00 +0200
+Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba)
+---
+ source3/client/smbspool_krb5_wrapper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index e6684fc0d0c..2cdcd372ec6 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -219,10 +219,14 @@ int main(int argc, char *argv[])
+ env = getenv("KRB5CCNAME");
+ if (env != NULL && env[0] != 0) {
+ snprintf(gen_cc, sizeof(gen_cc), "%s", env);
++ CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache",
++ gen_cc);
+
+ goto create_env;
+ }
+
++ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
++
+ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
+
+ rc = lstat(gen_cc, &sb);
+--
+2.21.0
+
+
+From 3b7be905d256955e7e8c056f14626547e08fea2d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 17:10:57 +0200
+Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858)
+---
+ source3/client/smbspool_krb5_wrapper.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index 2cdcd372ec6..3266b90ec1a 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -227,13 +227,13 @@ int main(int argc, char *argv[])
+
+ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
+
+- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
++ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
+
+ rc = lstat(gen_cc, &sb);
+ if (rc == 0) {
+- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid);
++ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
+ } else {
+- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid);
++ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
+
+ rc = lstat(gen_cc, &sb);
+ if (rc == 0 && S_ISDIR(sb.st_mode)) {
+--
+2.21.0
+
+
+From 6e2069b014358b6f7e04121fa39c5f2750506d78 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 17:40:43 +0200
+Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is
+ not set
+
+This could also support the new KCM credential cache storage.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3)
+---
+ source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++--------
+ source3/wscript_build | 1 +
+ 2 files changed, 55 insertions(+), 25 deletions(-)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index 3266b90ec1a..bff1df417e8 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -21,6 +21,7 @@
+
+ #include "includes.h"
+ #include "system/filesys.h"
++#include "system/kerberos.h"
+ #include "system/passwd.h"
+
+ #include <errno.h>
+@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...)
+ buffer);
+ }
+
++static bool kerberos_get_default_ccache(char *ccache_buf, size_t len)
++{
++ krb5_context ctx;
++ const char *ccache_name = NULL;
++ char *full_ccache_name = NULL;
++ krb5_ccache ccache = NULL;
++ krb5_error_code code;
++
++ code = krb5_init_context(&ctx);
++ if (code != 0) {
++ return false;
++ }
++
++ ccache_name = krb5_cc_default_name(ctx);
++ if (ccache_name == NULL) {
++ krb5_free_context(ctx);
++ return false;
++ }
++
++ code = krb5_cc_resolve(ctx, ccache_name, &ccache);
++ if (code != 0) {
++ krb5_free_context(ctx);
++ return false;
++ }
++
++ code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name);
++ krb5_cc_close(ctx, ccache);
++ if (code != 0) {
++ krb5_free_context(ctx);
++ return false;
++ }
++
++ snprintf(ccache_buf, len, "%s", full_ccache_name);
++
++#ifdef SAMBA4_USES_HEIMDAL
++ free(full_ccache_name);
++#else
++ krb5_free_string(ctx, full_ccache_name);
++#endif
++ krb5_free_context(ctx);
++
++ return true;
++}
++
+ /*
+ * This is a helper binary to execute smbspool.
+ *
+@@ -84,7 +129,6 @@ int main(int argc, char *argv[])
+ struct passwd *pwd;
+ struct group *g = NULL;
+ char gen_cc[PATH_MAX] = {0};
+- struct stat sb;
+ char *env = NULL;
+ char auth_info_required[256] = {0};
+ char device_uri[4096] = {0};
+@@ -92,6 +136,7 @@ int main(int argc, char *argv[])
+ gid_t gid = (gid_t)-1;
+ gid_t groups[1] = { (gid_t)-1 };
+ unsigned long tmp;
++ bool ok;
+ int cmp;
+ int rc;
+
+@@ -225,32 +270,16 @@ int main(int argc, char *argv[])
+ goto create_env;
+ }
+
+- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
+-
+- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
+-
+- rc = lstat(gen_cc, &sb);
+- if (rc == 0) {
+- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
+- } else {
+- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
+-
+- rc = lstat(gen_cc, &sb);
+- if (rc == 0 && S_ISDIR(sb.st_mode)) {
+- snprintf(gen_cc,
+- sizeof(gen_cc),
+- "DIR:/run/user/%d/krb5cc",
+- uid);
+- } else {
+-#if defined(__linux__)
+- snprintf(gen_cc,
+- sizeof(gen_cc),
+- "KEYRING:persistent:%d",
+- uid);
+-#endif
+- }
++ ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc));
++ if (ok) {
++ CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]",
++ gen_cc);
++ goto create_env;
+ }
+
++ /* Fallback to a FILE ccache */
++ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
++
+ create_env:
+ /*
+ * Make sure we do not have LD_PRELOAD or other security relevant
+diff --git a/source3/wscript_build b/source3/wscript_build
+index f67ce59fe52..8e34b7d0261 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -1134,6 +1134,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
+ deps='''
+ DYNCONFIG
+ cups
++ krb5
+ ''',
+ install_path='${LIBEXECDIR}/samba',
+ enabled=bld.CONFIG_SET('HAVE_CUPS'))
+--
+2.21.0
+
+
+From d6673500b639ad1402014aa35113bd395e35d4f5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 May 2019 16:48:31 +0200
+Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd)
+---
+ source3/client/smbspool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index efbdd418fdb..ef16c2bed42 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -224,7 +224,9 @@ main(int argc, /* I - Number of command-line arguments */
+
+ fp = fopen(print_file, "rb");
+ if (fp == NULL) {
+- perror("ERROR: Unable to open print file");
++ fprintf(stderr,
++ "ERROR: Unable to open print file: %s",
++ print_file);
+ goto done;
+ }
+
+--
+2.21.0
+
+
+From ea931f33d92506cdab17a7b746e43831d6bf2112 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 May 2019 18:54:02 +0200
+Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos
+
+If username and password is given, then fallback to NTLM. However try
+kinit first. Also we correctly handle NULL passwords in the meantime and
+this makes it easier to deal with issues.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d)
+---
+ source3/client/smbspool.c | 90 ++++++++++++++++++++++-----------------
+ 1 file changed, 51 insertions(+), 39 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index ef16c2bed42..f21aac2ac58 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -88,8 +88,8 @@ main(int argc, /* I - Number of command-line arguments */
+ int port; /* Port number */
+ char uri[1024], /* URI */
+ *sep, /* Pointer to separator */
+- *tmp, *tmp2, /* Temp pointers to do escaping */
+- *password; /* Password */
++ *tmp, *tmp2; /* Temp pointers to do escaping */
++ const char *password = NULL; /* Password */
+ char *username, /* Username */
+ *server, /* Server name */
+ *printer;/* Printer name */
+@@ -293,8 +293,6 @@ main(int argc, /* I - Number of command-line arguments */
+ if ((tmp2 = strchr_m(tmp, ':')) != NULL) {
+ *tmp2++ = '\0';
+ password = uri_unescape_alloc(tmp2);
+- } else {
+- password = empty_str;
+ }
+ username = uri_unescape_alloc(tmp);
+ } else {
+@@ -302,14 +300,15 @@ main(int argc, /* I - Number of command-line arguments */
+ username = empty_str;
+ }
+
+- if ((password = getenv("AUTH_PASSWORD")) == NULL) {
+- password = empty_str;
++ env = getenv("AUTH_PASSWORD");
++ if (env != NULL && strlen(env) > 0) {
++ password = env;
+ }
+
+ server = uri + 6;
+ }
+
+- if (password != empty_str) {
++ if (password != NULL) {
+ auth_info_required = "username,password";
+ }
+
+@@ -514,6 +513,7 @@ smb_complete_connection(const char *myname,
+ NTSTATUS nt_status;
+ struct cli_credentials *creds = NULL;
+ bool use_kerberos = false;
++ bool fallback_after_kerberos = false;
+
+ /* Start the SMB connection */
+ *need_auth = false;
+@@ -524,27 +524,21 @@ smb_complete_connection(const char *myname,
+ return NULL;
+ }
+
+- /*
+- * We pretty much guarantee password must be valid or a pointer to a
+- * 0 char.
+- */
+- if (!password) {
+- *need_auth = true;
+- return NULL;
+- }
+-
+ if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+- auth_info_required = "negotiate";
+ use_kerberos = true;
+ }
+
++ if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) {
++ fallback_after_kerberos = true;
++ }
++
+ creds = cli_session_creds_init(cli,
+ username,
+ workgroup,
+ NULL, /* realm */
+ password,
+ use_kerberos,
+- false, /* fallback_after_kerberos */
++ fallback_after_kerberos,
+ false, /* use_ccache */
+ false); /* password_is_nt_hash */
+ if (creds == NULL) {
+@@ -663,6 +657,10 @@ smb_connect(const char *workgroup, /* I - Workgroup */
+ struct cli_state *cli; /* New connection */
+ char *myname = NULL; /* Client name */
+ struct passwd *pwd;
++ int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
++ bool use_kerberos = false;
++ const char *user = username;
++ int cmp;
+
+ /*
+ * Get the names and addresses of the client and server...
+@@ -672,42 +670,56 @@ smb_connect(const char *workgroup, /* I - Workgroup */
+ return NULL;
+ }
+
+- /*
+- * See if we have a username first. This is for backwards compatible
+- * behavior with 3.0.14a
+- */
+
+- if (username == NULL || username[0] == '\0') {
+- if (kerberos_ccache_is_valid()) {
+- goto kerberos_auth;
++ cmp = strcmp(auth_info_required, "negotiate");
++ if (cmp == 0) {
++ if (!kerberos_ccache_is_valid()) {
++ return NULL;
+ }
++ user = jobusername;
++
++ use_kerberos = true;
++ fprintf(stderr,
++ "DEBUG: Try to connect using Kerberos ...\n");
++ }
++
++ cmp = strcmp(auth_info_required, "username,password");
++ if (cmp == 0) {
++ if (username == NULL || username[0] == '\0') {
++ return NULL;
++ }
++
++ /* Fallback to NTLM */
++ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
++
++ fprintf(stderr,
++ "DEBUG: Try to connect using username/password ...\n");
++ }
++
++ cmp = strcmp(auth_info_required, "none");
++ if (cmp == 0) {
++ fprintf(stderr,
++ "DEBUG: This backend doesn't support none auth ...\n");
++ return NULL;
+ }
+
+ cli = smb_complete_connection(myname,
+ server,
+ port,
+- username,
++ user,
+ password,
+ workgroup,
+ share,
+- 0,
++ flags,
+ need_auth);
+ if (cli != NULL) {
+- fputs("DEBUG: Connected with username/password...\n", stderr);
++ fprintf(stderr, "DEBUG: SMB connection established.\n");
+ return (cli);
+ }
+
+-kerberos_auth:
+- /*
+- * Try to use the user kerberos credentials (if any) to authenticate
+- */
+- cli = smb_complete_connection(myname, server, port, jobusername, "",
+- workgroup, share,
+- CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
+-
+- if (cli) {
+- fputs("DEBUG: Connected using Kerberos...\n", stderr);
+- return (cli);
++ if (!use_kerberos) {
++ fprintf(stderr, "ERROR: SMB connection failed!\n");
++ return NULL;
+ }
+
+ /* give a chance for a passwordless NTLMSSP session setup */
+--
+2.21.0
+
+
+From 8689e83030160fbdbe9b72ff0c86826b49f707a1 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 18:24:32 +0200
+Subject: [PATCH 8/9] s3:smbspool: Add debug messages to
+ kerberos_ccache_is_valid()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3)
+---
+ source3/client/smbspool.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index f21aac2ac58..79e210dd12e 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -602,12 +602,15 @@ static bool kerberos_ccache_is_valid(void) {
+
+ ccache_name = krb5_cc_default_name(ctx);
+ if (ccache_name == NULL) {
++ DBG_ERR("Failed to get default ccache name\n");
+ krb5_free_context(ctx);
+ return false;
+ }
+
+ code = krb5_cc_resolve(ctx, ccache_name, &ccache);
+ if (code != 0) {
++ DBG_ERR("Failed to resolve ccache name: %s\n",
++ ccache_name);
+ krb5_free_context(ctx);
+ return false;
+ } else {
+@@ -618,6 +621,9 @@ static bool kerberos_ccache_is_valid(void) {
+ ccache,
+ &default_princ);
+ if (code != 0) {
++ DBG_ERR("Failed to get default principal from "
++ "ccache: %s\n",
++ ccache_name);
+ krb5_cc_close(ctx, ccache);
+ krb5_free_context(ctx);
+ return false;
+--
+2.21.0
+
+
+From d1cee66a5e66d83b2aee3a803351c51d4f5a8118 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 14 May 2019 11:35:46 +0200
+Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes
+
+This allows us to simplify some code and return better errors.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea)
+---
+ source3/client/smbspool.c | 250 ++++++++++++++++++++++----------------
+ 1 file changed, 145 insertions(+), 105 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 79e210dd12e..ad988eb0df9 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -61,12 +61,27 @@
+ * Local functions...
+ */
+
+-static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
++static int get_exit_code(NTSTATUS nt_status);
+ static void list_devices(void);
+-static struct cli_state *smb_complete_connection(const char *, const char *,
+- int, const char *, const char *, const char *, const char *, int, bool *need_auth);
+-static struct cli_state *smb_connect(const char *, const char *, int, const
+- char *, const char *, const char *, const char *, bool *need_auth);
++static NTSTATUS
++smb_complete_connection(struct cli_state **output_cli,
++ const char *myname,
++ const char *server,
++ int port,
++ const char *username,
++ const char *password,
++ const char *workgroup,
++ const char *share,
++ int flags);
++static NTSTATUS
++smb_connect(struct cli_state **output_cli,
++ const char *workgroup,
++ const char *server,
++ const int port,
++ const char *share,
++ const char *username,
++ const char *password,
++ const char *jobusername);
+ static int smb_print(struct cli_state *, const char *, FILE *);
+ static char *uri_unescape_alloc(const char *);
+ #if 0
+@@ -90,16 +105,15 @@ main(int argc, /* I - Number of command-line arguments */
+ *sep, /* Pointer to separator */
+ *tmp, *tmp2; /* Temp pointers to do escaping */
+ const char *password = NULL; /* Password */
+- char *username, /* Username */
+- *server, /* Server name */
++ const char *username = NULL; /* Username */
++ char *server, /* Server name */
+ *printer;/* Printer name */
+ const char *workgroup; /* Workgroup */
+ FILE *fp; /* File to print */
+ int status = 1; /* Status of LPD job */
+- struct cli_state *cli; /* SMB interface */
+- char empty_str[] = "";
++ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
++ struct cli_state *cli = NULL; /* SMB interface */
+ int tries = 0;
+- bool need_auth = true;
+ const char *dev_uri = NULL;
+ const char *env = NULL;
+ const char *config_file = NULL;
+@@ -296,8 +310,9 @@ main(int argc, /* I - Number of command-line arguments */
+ }
+ username = uri_unescape_alloc(tmp);
+ } else {
+- if ((username = getenv("AUTH_USERNAME")) == NULL) {
+- username = empty_str;
++ env = getenv("AUTH_USERNAME");
++ if (env != NULL && strlen(env) > 0) {
++ username = env;
+ }
+
+ env = getenv("AUTH_PASSWORD");
+@@ -369,27 +384,39 @@ main(int argc, /* I - Number of command-line arguments */
+ load_interfaces();
+
+ do {
+- cli = smb_connect(workgroup,
+- server,
+- port,
+- printer,
+- username,
+- password,
+- print_user,
+- &need_auth);
+- if (cli == NULL) {
+- if (need_auth) {
+- exit(2);
++ nt_status = smb_connect(&cli,
++ workgroup,
++ server,
++ port,
++ printer,
++ username,
++ password,
++ print_user);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ status = get_exit_code(nt_status);
++ if (status == 2) {
++ fprintf(stderr,
++ "DEBUG: Unable to connect to CIFS "
++ "host: %s",
++ nt_errstr(nt_status));
++ goto done;
+ } else if (getenv("CLASS") == NULL) {
+- fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
++ fprintf(stderr,
++ "ERROR: Unable to connect to CIFS "
++ "host: %s. Will retry in 60 "
++ "seconds...\n",
++ nt_errstr(nt_status));
+ sleep(60);
+ tries++;
+ } else {
+- fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
++ fprintf(stderr,
++ "ERROR: Unable to connect to CIFS "
++ "host: %s. Trying next printer...\n",
++ nt_errstr(nt_status));
+ goto done;
+ }
+ }
+- } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
++ } while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT));
+
+ if (cli == NULL) {
+ fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
+@@ -436,10 +463,9 @@ done:
+ */
+
+ static int
+-get_exit_code(struct cli_state * cli,
+- NTSTATUS nt_status)
++get_exit_code(NTSTATUS nt_status)
+ {
+- int i;
++ size_t i;
+
+ /* List of NTSTATUS errors that are considered
+ * authentication errors
+@@ -455,17 +481,16 @@ get_exit_code(struct cli_state * cli,
+ };
+
+
+- fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n",
+- cli, nt_errstr(nt_status), NT_STATUS_V(nt_status));
++ fprintf(stderr,
++ "DEBUG: get_exit_code(nt_status=%s [%x])\n",
++ nt_errstr(nt_status), NT_STATUS_V(nt_status));
+
+ for (i = 0; i < ARRAY_SIZE(auth_errors); i++) {
+ if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) {
+ continue;
+ }
+
+- if (cli) {
+- fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
+- }
++ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
+
+ /*
+ * 2 = authentication required...
+@@ -498,16 +523,16 @@ list_devices(void)
+ }
+
+
+-static struct cli_state *
+-smb_complete_connection(const char *myname,
++static NTSTATUS
++smb_complete_connection(struct cli_state **output_cli,
++ const char *myname,
+ const char *server,
+ int port,
+ const char *username,
+ const char *password,
+ const char *workgroup,
+ const char *share,
+- int flags,
+- bool *need_auth)
++ int flags)
+ {
+ struct cli_state *cli; /* New connection */
+ NTSTATUS nt_status;
+@@ -516,12 +541,11 @@ smb_complete_connection(const char *myname,
+ bool fallback_after_kerberos = false;
+
+ /* Start the SMB connection */
+- *need_auth = false;
+ nt_status = cli_start_connection(&cli, myname, server, NULL, port,
+ SMB_SIGNING_DEFAULT, flags);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status));
+- return NULL;
++ return nt_status;
+ }
+
+ if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+@@ -544,20 +568,16 @@ smb_complete_connection(const char *myname,
+ if (creds == NULL) {
+ fprintf(stderr, "ERROR: cli_session_creds_init failed\n");
+ cli_shutdown(cli);
+- return NULL;
++ return NT_STATUS_NO_MEMORY;
+ }
+
+ nt_status = cli_session_setup_creds(cli, creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
+
+- if (get_exit_code(cli, nt_status) == 2) {
+- *need_auth = true;
+- }
+-
+ cli_shutdown(cli);
+
+- return NULL;
++ return nt_status;
+ }
+
+ nt_status = cli_tree_connect_creds(cli, share, "?????", creds);
+@@ -565,13 +585,9 @@ smb_complete_connection(const char *myname,
+ fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
+ nt_errstr(nt_status));
+
+- if (get_exit_code(cli, nt_status) == 2) {
+- *need_auth = true;
+- }
+-
+ cli_shutdown(cli);
+
+- return NULL;
++ return nt_status;
+ }
+ #if 0
+ /* Need to work out how to specify this on the URL. */
+@@ -584,7 +600,8 @@ smb_complete_connection(const char *myname,
+ }
+ #endif
+
+- return cli;
++ *output_cli = cli;
++ return NT_STATUS_OK;
+ }
+
+ static bool kerberos_ccache_is_valid(void) {
+@@ -650,49 +667,48 @@ static bool kerberos_ccache_is_valid(void) {
+ * 'smb_connect()' - Return a connection to a server.
+ */
+
+-static struct cli_state * /* O - SMB connection */
+-smb_connect(const char *workgroup, /* I - Workgroup */
++static NTSTATUS
++smb_connect(struct cli_state **output_cli,
++ const char *workgroup, /* I - Workgroup */
+ const char *server, /* I - Server */
+ const int port, /* I - Port */
+ const char *share, /* I - Printer */
+ const char *username, /* I - Username */
+ const char *password, /* I - Password */
+- const char *jobusername, /* I - User who issued the print job */
+- bool *need_auth)
+-{ /* O - Need authentication? */
+- struct cli_state *cli; /* New connection */
++ const char *jobusername) /* I - User who issued the print job */
++{
++ struct cli_state *cli = NULL; /* New connection */
+ char *myname = NULL; /* Client name */
+ struct passwd *pwd;
+ int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
+ bool use_kerberos = false;
+ const char *user = username;
+- int cmp;
++ NTSTATUS nt_status;
+
+ /*
+ * Get the names and addresses of the client and server...
+ */
+ myname = get_myname(talloc_tos());
+ if (!myname) {
+- return NULL;
++ return NT_STATUS_NO_MEMORY;
+ }
+
+
+- cmp = strcmp(auth_info_required, "negotiate");
+- if (cmp == 0) {
++ if (strcmp(auth_info_required, "negotiate") == 0) {
+ if (!kerberos_ccache_is_valid()) {
+- return NULL;
++ fprintf(stderr,
++ "ERROR: No valid Kerberos credential cache "
++ "found!\n");
++ return NT_STATUS_LOGON_FAILURE;
+ }
+ user = jobusername;
+
+ use_kerberos = true;
+ fprintf(stderr,
+ "DEBUG: Try to connect using Kerberos ...\n");
+- }
+-
+- cmp = strcmp(auth_info_required, "username,password");
+- if (cmp == 0) {
+- if (username == NULL || username[0] == '\0') {
+- return NULL;
++ } else if (strcmp(auth_info_required, "username,password") == 0) {
++ if (username == NULL) {
++ return NT_STATUS_INVALID_ACCOUNT_NAME;
+ }
+
+ /* Fallback to NTLM */
+@@ -700,59 +716,83 @@ smb_connect(const char *workgroup, /* I - Workgroup */
+
+ fprintf(stderr,
+ "DEBUG: Try to connect using username/password ...\n");
+- }
++ } else {
++ if (username != NULL) {
++ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
++ } else if (kerberos_ccache_is_valid()) {
++ auth_info_required = "negotiate";
+
+- cmp = strcmp(auth_info_required, "none");
+- if (cmp == 0) {
+- fprintf(stderr,
+- "DEBUG: This backend doesn't support none auth ...\n");
+- return NULL;
++ user = jobusername;
++ use_kerberos = true;
++ } else {
++ fprintf(stderr,
++ "DEBUG: This backend requires credentials!\n");
++ return NT_STATUS_ACCESS_DENIED;
++ }
+ }
+
+- cli = smb_complete_connection(myname,
+- server,
+- port,
+- user,
+- password,
+- workgroup,
+- share,
+- flags,
+- need_auth);
+- if (cli != NULL) {
++ nt_status = smb_complete_connection(&cli,
++ myname,
++ server,
++ port,
++ user,
++ password,
++ workgroup,
++ share,
++ flags);
++ if (NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "DEBUG: SMB connection established.\n");
+- return (cli);
++
++ *output_cli = cli;
++ return NT_STATUS_OK;
+ }
+
+ if (!use_kerberos) {
+ fprintf(stderr, "ERROR: SMB connection failed!\n");
+- return NULL;
++ return nt_status;
+ }
+
+ /* give a chance for a passwordless NTLMSSP session setup */
+ pwd = getpwuid(geteuid());
+ if (pwd == NULL) {
+- return NULL;
+- }
+-
+- cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
+- workgroup, share, 0, need_auth);
+-
+- if (cli) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
++ nt_status = smb_complete_connection(&cli,
++ myname,
++ server,
++ port,
++ pwd->pw_name,
++ "",
++ workgroup,
++ share,
++ 0);
++ if (NT_STATUS_IS_OK(nt_status)) {
+ fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
+- return (cli);
++
++ *output_cli = cli;
++ return NT_STATUS_OK;
+ }
+
+ /*
+ * last try. Use anonymous authentication
+ */
+
+- cli = smb_complete_connection(myname, server, port, "", "",
+- workgroup, share, 0, need_auth);
+- /*
+- * Return the new connection...
+- */
+-
+- return (cli);
++ nt_status = smb_complete_connection(&cli,
++ myname,
++ server,
++ port,
++ "",
++ "",
++ workgroup,
++ share,
++ 0);
++ if (NT_STATUS_IS_OK(nt_status)) {
++ *output_cli = cli;
++ return NT_STATUS_OK;
++ }
++
++ return nt_status;
+ }
+
+
+@@ -798,7 +838,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: %s opening remote spool %s\n",
+ nt_errstr(nt_status), title);
+- return get_exit_code(cli, nt_status);
++ return get_exit_code(nt_status);
+ }
+
+ /*
+@@ -816,7 +856,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
+ tbytes, nbytes, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+- int ret = get_exit_code(cli, status);
++ int ret = get_exit_code(status);
+ fprintf(stderr, "ERROR: Error writing spool: %s\n",
+ nt_errstr(status));
+ fprintf(stderr, "DEBUG: Returning status %d...\n",
+@@ -832,7 +872,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: %s closing remote spool %s\n",
+ nt_errstr(nt_status), title);
+- return get_exit_code(cli, nt_status);
++ return get_exit_code(nt_status);
+ } else {
+ return (0);
+ }
+--
+2.21.0
+
+From ffa5f8b65c662130c2d23e47df6d00fef3b73cc3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 18 Jun 2019 14:43:50 +0200
+Subject: [PATCH] s3:client: Link smbspool_krb5_wrapper against krb5samba
+
+Heimdal doesn't provide krb5_free_unparsed_name(), so we need to use the
+function we provide in krb5samba.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 9268919e046190c7b423133de3f9d0edada3f1b8)
+---
+ source3/wscript_build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 1ebb006781a..26e251f442a 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -1133,7 +1133,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
+ deps='''
+ DYNCONFIG
+ cups
+- krb5
++ krb5samba
+ ''',
+ install_path='${LIBEXECDIR}/samba',
+ enabled=bld.CONFIG_SET('HAVE_CUPS'))
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch b/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch
deleted file mode 100644
index d72091e..0000000
--- a/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001
-From: Bryan Mason <bmason@redhat.com>
-Date: Mon, 16 Sep 2019 12:35:06 -0700
-Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI
-
-CUPS sanitizes argv[0] by removing username/password, so use
-DEVICE_URI environment variable first.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128
-
-Signed-off-by: Bryan Mason <bmason@redhat.com>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184
-
-(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931)
----
- source3/client/smbspool.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index ad988eb0df9..36f7f67ca94 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -256,13 +256,15 @@ main(int argc, /* I - Number of command-line arguments */
-
- /*
- * Find the URI ...
-- */
-- if (dev_uri == NULL) {
-- env = getenv("DEVICE_URI");
-- if (env != NULL && env[0] != '\0') {
-- dev_uri = env;
-- }
-- }
-+ *
-+ * The URI in argv[0] is sanitized to remove username/password, so
-+ * use DEVICE_URI if available. Otherwise keep the URI already
-+ * discovered in argv.
-+ */
-+ env = getenv("DEVICE_URI");
-+ if (env != NULL && env[0] != '\0') {
-+ dev_uri = env;
-+ }
-
- if (dev_uri == NULL) {
- fprintf(stderr,
---
-2.23.0
-
diff --git a/SOURCES/samba-4.10-fix_smbspool_username_password.patch b/SOURCES/samba-4.10-fix_smbspool_username_password.patch
new file mode 100644
index 0000000..d72091e
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_smbspool_username_password.patch
@@ -0,0 +1,52 @@
+From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001
+From: Bryan Mason <bmason@redhat.com>
+Date: Mon, 16 Sep 2019 12:35:06 -0700
+Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI
+
+CUPS sanitizes argv[0] by removing username/password, so use
+DEVICE_URI environment variable first.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128
+
+Signed-off-by: Bryan Mason <bmason@redhat.com>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184
+
+(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931)
+---
+ source3/client/smbspool.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index ad988eb0df9..36f7f67ca94 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -256,13 +256,15 @@ main(int argc, /* I - Number of command-line arguments */
+
+ /*
+ * Find the URI ...
+- */
+- if (dev_uri == NULL) {
+- env = getenv("DEVICE_URI");
+- if (env != NULL && env[0] != '\0') {
+- dev_uri = env;
+- }
+- }
++ *
++ * The URI in argv[0] is sanitized to remove username/password, so
++ * use DEVICE_URI if available. Otherwise keep the URI already
++ * discovered in argv.
++ */
++ env = getenv("DEVICE_URI");
++ if (env != NULL && env[0] != '\0') {
++ dev_uri = env;
++ }
+
+ if (dev_uri == NULL) {
+ fprintf(stderr,
+--
+2.23.0
+
diff --git a/SOURCES/samba-4.10-fix_spnego_downgrade.patch b/SOURCES/samba-4.10-fix_spnego_downgrade.patch
deleted file mode 100644
index e762571..0000000
--- a/SOURCES/samba-4.10-fix_spnego_downgrade.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From a8021d9515ecf75d52d038fe78f72da2c79731af Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Wed, 4 Sep 2019 16:31:21 +0300
-Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic
- token
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
-
-Signed-off-by: Isaac Boukris <iboukris@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- auth/gensec/spnego.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
-index dc73e324d99..97472c26837 100644
---- a/auth/gensec/spnego.c
-+++ b/auth/gensec/spnego.c
-@@ -136,6 +136,7 @@ struct spnego_state {
- bool done_mic_check;
-
- bool simulate_w2k;
-+ bool no_optimistic;
-
- /*
- * The following is used to implement
-@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
-
- spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
- "spnego", "simulate_w2k", false);
-+ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
-+ "spnego",
-+ "client_no_optimistic",
-+ false);
-
- gensec_security->private_data = spnego_state;
- return NT_STATUS_OK;
-@@ -1944,6 +1949,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
- * blob and NT_STATUS_OK.
- */
- state->sub.status = NT_STATUS_OK;
-+ } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
-+ spnego_state->no_optimistic) {
-+ /*
-+ * Skip optimistic token per conf.
-+ */
-+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- } else {
- /*
- * MORE_PROCESSING_REQUIRED =>
---
-2.21.0
-
-
-From aa379f36ac5feb718c924b030308a29769657f7b Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Wed, 4 Sep 2019 16:39:43 +0300
-Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
-
-Signed-off-by: Isaac Boukris <iboukris@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- selftest/knownfail.d/spnego_no_optimistic | 1 +
- source4/selftest/tests.py | 4 ++++
- 2 files changed, 5 insertions(+)
- create mode 100644 selftest/knownfail.d/spnego_no_optimistic
-
-diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
-new file mode 100644
-index 00000000000..54f51446be0
---- /dev/null
-+++ b/selftest/knownfail.d/spnego_no_optimistic
-@@ -0,0 +1 @@
-+^samba4.smb.spnego.*.no_optimistic
-diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
-index 34ebe10cd79..d73d426ee3c 100755
---- a/source4/selftest/tests.py
-+++ b/source4/selftest/tests.py
-@@ -542,6 +542,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha
- plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon")
- plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon")
-
-+# Test SPNEGO without issuing an optimistic token
-+opt='--option=spnego:client_no_optimistic=yes'
-+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic")
-+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic")
-
- wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""]
-
---
-2.21.0
-
-
-From 0119cf5a2888cd3d97927cb77872fbad82362020 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Wed, 4 Sep 2019 17:04:12 +0300
-Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
-
-Signed-off-by: Isaac Boukris <iboukris@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
----
- auth/gensec/spnego.c | 13 +++++++++++++
- selftest/knownfail.d/spnego_no_optimistic | 1 -
- 4 files changed, 13 insertions(+), 4 deletions(-)
- delete mode 100644 selftest/knownfail.d/spnego_no_optimistic
-
-diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
-index 97472c26837..ddbe03c5d6b 100644
---- a/auth/gensec/spnego.c
-+++ b/auth/gensec/spnego.c
-@@ -1321,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
- spnego_state->mic_requested = true;
- }
-
-+ if (sub_in.length == 0) {
-+ spnego_state->no_optimistic = true;
-+ }
-+
- /*
- * Note that 'cur_sec' is temporary memory, but
- * cur_sec->oid points to a const string in the
-@@ -1955,6 +1959,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
- * Skip optimistic token per conf.
- */
- state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
-+ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
-+ state->sub.in.length == 0 && spnego_state->no_optimistic) {
-+ /*
-+ * If we didn't like the mechanism for which the client sent us
-+ * an optimistic token, or if he didn't send any, don't call
-+ * the sub mechanism just yet.
-+ */
-+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
-+ spnego_state->no_optimistic = false;
- } else {
- /*
- * MORE_PROCESSING_REQUIRED =>
-diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
-deleted file mode 100644
-index 54f51446be0..00000000000
---- a/selftest/knownfail.d/spnego_no_optimistic
-+++ /dev/null
-@@ -1 +0,0 @@
--^samba4.smb.spnego.*.no_optimistic
---
-2.21.0
-
diff --git a/SOURCES/samba-4.10-net_ads_join_createcomputer.patch b/SOURCES/samba-4.10-net_ads_join_createcomputer.patch
new file mode 100644
index 0000000..c196b55
--- /dev/null
+++ b/SOURCES/samba-4.10-net_ads_join_createcomputer.patch
@@ -0,0 +1,48 @@
+From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001
+From: Evgeny Sinelnikov <sin@altlinux.org>
+Date: Wed, 31 Jul 2019 23:17:20 +0400
+Subject: [PATCH] s3:ldap: Fix join with don't exists machine account
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add check for requested replies of existing machine object during join
+machine to domain. This solves regression fail during join with error:
+"None of the information to be translated has been translated."
+
+https://bugzilla.samba.org/show_bug.cgi?id=14007
+
+Reviewed-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Wed Sep 4 17:02:37 UTC 2019 on sn-devel-184
+---
+ source3/libads/ldap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 4f3d43b02b1..2110390b65f 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ }
+
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+- ads_msgfree(ads, res);
+- if (ADS_ERR_OK(ret)) {
++ if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
+ DBG_DEBUG("Host account for %s already exists.\n",
+ machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
++ ads_msgfree(ads, res);
+ goto done;
+ }
++ ads_msgfree(ads, res);
+
+ new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.10.4.tar.asc b/SOURCES/samba-4.10.4.tar.asc
new file mode 100644
index 0000000..29f805c
--- /dev/null
+++ b/SOURCES/samba-4.10.4.tar.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXOUjjhUcc2FtYmEtYnVn
+c0BzYW1iYS5vcmcACgkQbzORW2Vot+oeXQCgkgjBBjMDA7WRd7pl8akT65XmGaAA
+n3v79/BJYEuD3vw98M5nW4GBN6C9
+=/Xfk
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch b/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch
new file mode 100644
index 0000000..61635f8
--- /dev/null
+++ b/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch
@@ -0,0 +1,124 @@
+From 41794e74876f3cba648b18b3f4bdedac9717061e Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 23 May 2019 13:33:21 -0700
+Subject: [PATCH] s3: winbind: Fix crash when invoking winbind idmap scripts.
+
+Previously the private context was caching a pointer to
+a string returned from lp_XXX(). This string can change
+on config file reload. Ensure the string is talloc_strup'ed
+onto the owning context instead.
+
+Reported by Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13956
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit a1f95ba5db6fc017fad35377fbf76c048f2dd8ab)
+---
+ source3/winbindd/idmap_script.c | 20 ++++++++++++++++----
+ source3/winbindd/idmap_tdb2.c | 22 +++++++++++++++++-----
+ 2 files changed, 33 insertions(+), 9 deletions(-)
+
+diff --git a/source3/winbindd/idmap_script.c b/source3/winbindd/idmap_script.c
+index 7ad6b806fb8..f382f896b35 100644
+--- a/source3/winbindd/idmap_script.c
++++ b/source3/winbindd/idmap_script.c
+@@ -615,6 +615,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+ NTSTATUS ret;
+ struct idmap_script_context *ctx;
+ const char * idmap_script = NULL;
++ const char *ctx_script = NULL;
+
+ DEBUG(10, ("%s called ...\n", __func__));
+
+@@ -625,7 +626,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+ goto failed;
+ }
+
+- ctx->script = idmap_config_const_string(dom->name, "script", NULL);
++ ctx_script = idmap_config_const_string(dom->name, "script", NULL);
+
+ /* Do we even need to handle this? */
+ idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
+@@ -634,13 +635,24 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+ " Please use 'idmap config * : script' instead!\n"));
+ }
+
+- if (strequal(dom->name, "*") && ctx->script == NULL) {
++ if (strequal(dom->name, "*") && ctx_script == NULL) {
+ /* fall back to idmap:script for backwards compatibility */
+- ctx->script = idmap_script;
++ ctx_script = idmap_script;
+ }
+
+- if (ctx->script) {
++ if (ctx_script) {
+ DEBUG(1, ("using idmap script '%s'\n", ctx->script));
++ /*
++ * We must ensure this memory is owned by ctx.
++ * The ctx_script const pointer is a pointer into
++ * the config file data and may become invalid
++ * on config file reload. BUG: 13956
++ */
++ ctx->script = talloc_strdup(ctx, ctx_script);
++ if (ctx->script == NULL) {
++ ret = NT_STATUS_NO_MEMORY;
++ goto failed;
++ }
+ }
+
+ dom->private_data = ctx;
+diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
+index b784546bb33..eceab9c0784 100644
+--- a/source3/winbindd/idmap_tdb2.c
++++ b/source3/winbindd/idmap_tdb2.c
+@@ -522,6 +522,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+ struct idmap_tdb_common_context *commonctx;
+ struct idmap_tdb2_context *ctx;
+ const char * idmap_script = NULL;
++ const char *ctx_script = NULL;
+
+ commonctx = talloc_zero(dom, struct idmap_tdb_common_context);
+ if(!commonctx) {
+@@ -543,7 +544,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+ goto failed;
+ }
+
+- ctx->script = idmap_config_const_string(dom->name, "script", NULL);
++ ctx_script = idmap_config_const_string(dom->name, "script", NULL);
+
+ idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
+ if (idmap_script != NULL) {
+@@ -551,13 +552,24 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+ " Please use 'idmap config * : script' instead!\n"));
+ }
+
+- if (strequal(dom->name, "*") && ctx->script == NULL) {
++ if (strequal(dom->name, "*") && ctx_script == NULL) {
+ /* fall back to idmap:script for backwards compatibility */
+- ctx->script = idmap_script;
++ ctx_script = idmap_script;
+ }
+
+- if (ctx->script) {
+- DEBUG(1, ("using idmap script '%s'\n", ctx->script));
++ if (ctx_script) {
++ DEBUG(1, ("using idmap script '%s'\n", ctx_script));
++ /*
++ * We must ensure this memory is owned by ctx.
++ * The ctx_script const pointer is a pointer into
++ * the config file data and may become invalid
++ * on config file reload. BUG: 13956
++ */
++ ctx->script = talloc_strdup(ctx, ctx_script);
++ if (ctx->script == NULL) {
++ ret = NT_STATUS_NO_MEMORY;
++ goto failed;
++ }
+ }
+
+ commonctx->max_id = dom->high_id;
+--
+2.22.0.rc1.257.g3120a18244-goog
+
diff --git a/SOURCES/samba-4.9-CVE-2019-3880.patch b/SOURCES/samba-4.9-CVE-2019-3880.patch
deleted file mode 100644
index eded5d9..0000000
--- a/SOURCES/samba-4.9-CVE-2019-3880.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 21 Mar 2019 14:51:30 -0700
-Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
- SaveKey/RestoreKey.
-
-The were not using VFS backend calls and could only work
-locally, and were unsafe against symlink races and other
-security issues.
-
-If the incoming handle is valid, return WERR_BAD_PATHNAME.
-
-[MS-RRP] states "The format of the file name is implementation-specific"
-so ensure we don't allow this.
-
-As reported by Michael Hanselmann.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
- 1 file changed, 4 insertions(+), 88 deletions(-)
-
-diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
-index d9ee8d0602d..816c6bb2a12 100644
---- a/source3/rpc_server/winreg/srv_winreg_nt.c
-+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
-@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
- }
-
- /*******************************************************************
-- ********************************************************************/
--
--static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
--{
-- char *p = NULL;
-- int num_services = lp_numservices();
-- int snum = -1;
-- const char *share_path = NULL;
-- char *fname = *pp_fname;
--
-- /* convert to a unix path, stripping the C:\ along the way */
--
-- if (!(p = valid_share_pathname(ctx, fname))) {
-- return -1;
-- }
--
-- /* has to exist within a valid file share */
--
-- for (snum=0; snum<num_services; snum++) {
-- if (!lp_snum_ok(snum) || lp_printable(snum)) {
-- continue;
-- }
--
-- share_path = lp_path(talloc_tos(), snum);
--
-- /* make sure we have a path (e.g. [homes] ) */
-- if (strlen(share_path) == 0) {
-- continue;
-- }
--
-- if (strncmp(share_path, p, strlen(share_path)) == 0) {
-- break;
-- }
-- }
--
-- *pp_fname = p;
-- return (snum < num_services) ? snum : -1;
--}
--
--/*******************************************************************
- _winreg_RestoreKey
- ********************************************************************/
-
-@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p,
- struct winreg_RestoreKey *r)
- {
- struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
-- char *fname = NULL;
-- int snum = -1;
-
-- if ( !regkey )
-+ if ( !regkey ) {
- return WERR_INVALID_HANDLE;
--
-- if ( !r->in.filename || !r->in.filename->name )
-- return WERR_INVALID_PARAMETER;
--
-- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
-- if (!fname) {
-- return WERR_NOT_ENOUGH_MEMORY;
- }
--
-- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
-- "\"%s\"\n", regkey->key->name, fname));
--
-- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
-- return WERR_BAD_PATHNAME;
--
-- /* user must posses SeRestorePrivilege for this this proceed */
--
-- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
-- return WERR_ACCESS_DENIED;
-- }
--
-- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
-- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
--
-- return reg_restorekey(regkey, fname);
-+ return WERR_BAD_PATHNAME;
- }
-
- /*******************************************************************
-@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p,
- struct winreg_SaveKey *r)
- {
- struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
-- char *fname = NULL;
-- int snum = -1;
-
-- if ( !regkey )
-+ if ( !regkey ) {
- return WERR_INVALID_HANDLE;
--
-- if ( !r->in.filename || !r->in.filename->name )
-- return WERR_INVALID_PARAMETER;
--
-- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
-- if (!fname) {
-- return WERR_NOT_ENOUGH_MEMORY;
- }
--
-- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
-- regkey->key->name, fname));
--
-- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
-- return WERR_BAD_PATHNAME;
--
-- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
-- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
--
-- return reg_savekey(regkey, fname);
-+ return WERR_BAD_PATHNAME;
- }
-
- /*******************************************************************
---
-2.11.0
-
diff --git a/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch b/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch
deleted file mode 100644
index 08c88a1..0000000
--- a/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch
+++ /dev/null
@@ -1,280 +0,0 @@
-From 5192b35d5e8644f000277c2f075b2ae90c514cbd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 4 Sep 2018 15:48:03 +0200
-Subject: [PATCH] s3:libsmbclient: Add function to set protocol levels
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 0dae4e2f5c65167fdb2405e232436921a0bb17e6)
----
- source3/include/libsmbclient.h | 19 ++-
- source3/libsmb/ABI/smbclient-0.5.0.sigs | 185 ++++++++++++++++++++++++
- source3/libsmb/libsmb_setget.c | 18 +++
- source3/libsmb/wscript | 2 +-
- 4 files changed, 222 insertions(+), 2 deletions(-)
- create mode 100644 source3/libsmb/ABI/smbclient-0.5.0.sigs
-
-diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
-index ca5c7f87f71..5e4a1715402 100644
---- a/source3/include/libsmbclient.h
-+++ b/source3/include/libsmbclient.h
-@@ -831,7 +831,24 @@ smbc_getOptionUseNTHash(SMBCCTX *c);
- void
- smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b);
-
--
-+/**
-+ * @brief Set the 'client min protocol' and the 'client max protocol'.
-+ *
-+ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max
-+ * protocol' set in the smb.conf file!
-+ *
-+ * @param[in] c The smbc context to use.
-+ *
-+ * @param[in] min_proto The minimal protocol to use or NULL for leaving it
-+ * untouched.
-+ *
-+ * @param[in] max_proto The maximum protocol to use or NULL for leaving it
-+ * untouched.
-+ *
-+ * @returns true for success, false otherwise
-+ */
-+smbc_bool
-+smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto);
-
- /*************************************
- * Getters and setters for FUNCTIONS *
-diff --git a/source3/libsmb/ABI/smbclient-0.5.0.sigs b/source3/libsmb/ABI/smbclient-0.5.0.sigs
-new file mode 100644
-index 00000000000..b4245979c24
---- /dev/null
-+++ b/source3/libsmb/ABI/smbclient-0.5.0.sigs
-@@ -0,0 +1,185 @@
-+smbc_chmod: int (const char *, mode_t)
-+smbc_close: int (int)
-+smbc_closedir: int (int)
-+smbc_creat: int (const char *, mode_t)
-+smbc_fgetxattr: int (int, const char *, const void *, size_t)
-+smbc_flistxattr: int (int, char *, size_t)
-+smbc_free_context: int (SMBCCTX *, int)
-+smbc_fremovexattr: int (int, const char *)
-+smbc_fsetxattr: int (int, const char *, const void *, size_t, int)
-+smbc_fstat: int (int, struct stat *)
-+smbc_fstatvfs: int (int, struct statvfs *)
-+smbc_ftruncate: int (int, off_t)
-+smbc_getDebug: int (SMBCCTX *)
-+smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *)
-+smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *)
-+smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *)
-+smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *)
-+smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *)
-+smbc_getFunctionClose: smbc_close_fn (SMBCCTX *)
-+smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *)
-+smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *)
-+smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *)
-+smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *)
-+smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *)
-+smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *)
-+smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *)
-+smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *)
-+smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *)
-+smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *)
-+smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *)
-+smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *)
-+smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *)
-+smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *)
-+smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *)
-+smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *)
-+smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *)
-+smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *)
-+smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *)
-+smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *)
-+smbc_getFunctionRead: smbc_read_fn (SMBCCTX *)
-+smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *)
-+smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *)
-+smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *)
-+smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *)
-+smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *)
-+smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *)
-+smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *)
-+smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *)
-+smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *)
-+smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *)
-+smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *)
-+smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *)
-+smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *)
-+smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *)
-+smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *)
-+smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *)
-+smbc_getNetbiosName: const char *(SMBCCTX *)
-+smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *)
-+smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *)
-+smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *)
-+smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *)
-+smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *)
-+smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *)
-+smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *)
-+smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *)
-+smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *)
-+smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *)
-+smbc_getOptionUseCCache: smbc_bool (SMBCCTX *)
-+smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *)
-+smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *)
-+smbc_getOptionUserData: void *(SMBCCTX *)
-+smbc_getPort: uint16_t (SMBCCTX *)
-+smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *)
-+smbc_getTimeout: int (SMBCCTX *)
-+smbc_getUser: const char *(SMBCCTX *)
-+smbc_getWorkgroup: const char *(SMBCCTX *)
-+smbc_getdents: int (unsigned int, struct smbc_dirent *, int)
-+smbc_getxattr: int (const char *, const char *, const void *, size_t)
-+smbc_init: int (smbc_get_auth_data_fn, int)
-+smbc_init_context: SMBCCTX *(SMBCCTX *)
-+smbc_lgetxattr: int (const char *, const char *, const void *, size_t)
-+smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn)
-+smbc_listxattr: int (const char *, char *, size_t)
-+smbc_llistxattr: int (const char *, char *, size_t)
-+smbc_lremovexattr: int (const char *, const char *)
-+smbc_lseek: off_t (int, off_t, int)
-+smbc_lseekdir: int (int, off_t)
-+smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int)
-+smbc_mkdir: int (const char *, mode_t)
-+smbc_new_context: SMBCCTX *(void)
-+smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *)
-+smbc_open: int (const char *, int, mode_t)
-+smbc_open_print_job: int (const char *)
-+smbc_opendir: int (const char *)
-+smbc_option_get: void *(SMBCCTX *, char *)
-+smbc_option_set: void (SMBCCTX *, char *, ...)
-+smbc_print_file: int (const char *, const char *)
-+smbc_read: ssize_t (int, void *, size_t)
-+smbc_readdir: struct smbc_dirent *(unsigned int)
-+smbc_readdirplus: const struct libsmb_file_info *(unsigned int)
-+smbc_removexattr: int (const char *, const char *)
-+smbc_rename: int (const char *, const char *)
-+smbc_rmdir: int (const char *)
-+smbc_setConfiguration: int (SMBCCTX *, const char *)
-+smbc_setDebug: void (SMBCCTX *, int)
-+smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn)
-+smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn)
-+smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn)
-+smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn)
-+smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn)
-+smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn)
-+smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn)
-+smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn)
-+smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn)
-+smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn)
-+smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn)
-+smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn)
-+smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn)
-+smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn)
-+smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn)
-+smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn)
-+smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn)
-+smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn)
-+smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn)
-+smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn)
-+smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn)
-+smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn)
-+smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn)
-+smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn)
-+smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn)
-+smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn)
-+smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn)
-+smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn)
-+smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn)
-+smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn)
-+smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn)
-+smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn)
-+smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn)
-+smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn)
-+smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn)
-+smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn)
-+smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn)
-+smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn)
-+smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn)
-+smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn)
-+smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn)
-+smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn)
-+smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn)
-+smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn)
-+smbc_setNetbiosName: void (SMBCCTX *, const char *)
-+smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int)
-+smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode)
-+smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *)
-+smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, smbc_smb_encrypt_level)
-+smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionUserData: void (SMBCCTX *, void *)
-+smbc_setPort: void (SMBCCTX *, uint16_t)
-+smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *)
-+smbc_setTimeout: void (SMBCCTX *, int)
-+smbc_setUser: void (SMBCCTX *, const char *)
-+smbc_setWorkgroup: void (SMBCCTX *, const char *)
-+smbc_set_context: SMBCCTX *(SMBCCTX *)
-+smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *)
-+smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *)
-+smbc_setxattr: int (const char *, const char *, const void *, size_t, int)
-+smbc_stat: int (const char *, struct stat *)
-+smbc_statvfs: int (char *, struct statvfs *)
-+smbc_telldir: off_t (int)
-+smbc_unlink: int (const char *)
-+smbc_unlink_print_job: int (const char *, int)
-+smbc_urldecode: int (char *, char *, size_t)
-+smbc_urlencode: int (char *, char *, int)
-+smbc_utime: int (const char *, struct utimbuf *)
-+smbc_utimes: int (const char *, struct timeval *)
-+smbc_version: const char *(void)
-+smbc_write: ssize_t (int, const void *, size_t)
-diff --git a/source3/libsmb/libsmb_setget.c b/source3/libsmb/libsmb_setget.c
-index 60b822a395c..b1c4ff3b557 100644
---- a/source3/libsmb/libsmb_setget.c
-+++ b/source3/libsmb/libsmb_setget.c
-@@ -526,6 +526,24 @@ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b)
- }
- }
-
-+smbc_bool
-+smbc_setOptionProtocols(SMBCCTX *c,
-+ const char *min_proto,
-+ const char *max_proto)
-+{
-+ bool ok = true;
-+
-+ if (min_proto != NULL) {
-+ ok = lp_set_cmdline("client min protocol", min_proto);
-+ }
-+
-+ if (max_proto != NULL) {
-+ ok &= lp_set_cmdline("client min protocol", max_proto);
-+ }
-+
-+ return ok;
-+}
-+
- /** Get the function for obtaining authentication data */
- smbc_get_auth_data_fn
- smbc_getFunctionAuthData(SMBCCTX *c)
-diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript
-index 5482aea7d9c..298afc3c0e3 100644
---- a/source3/libsmb/wscript
-+++ b/source3/libsmb/wscript
-@@ -27,5 +27,5 @@ def build(bld):
- public_headers='../include/libsmbclient.h',
- abi_directory='ABI',
- abi_match='smbc_*',
-- vnum='0.4.0',
-+ vnum='0.5.0',
- pc_files='smbclient.pc')
---
-2.19.2
-
diff --git a/SOURCES/samba-4.9-disable_netbios.patch b/SOURCES/samba-4.9-disable_netbios.patch
deleted file mode 100644
index 4191502..0000000
--- a/SOURCES/samba-4.9-disable_netbios.patch
+++ /dev/null
@@ -1,252 +0,0 @@
-From 14d3e54fa87dc204223eba2c7e18b6e1bf0e4564 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Thu, 3 Jan 2019 12:07:01 -0500
-Subject: [PATCH 1/5] s3:libsmb: Check disable_netbios in socket connect
-
-If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED
-for a port 139 connection in the low level socket connection code.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Noel Power <nopower@suse.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9)
----
- source3/libsmb/smbsock_connect.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
-index 9f915e1bb42..bb3cb07646c 100644
---- a/source3/libsmb/smbsock_connect.c
-+++ b/source3/libsmb/smbsock_connect.c
-@@ -376,6 +376,11 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
- tevent_req_set_cleanup_fn(req, smbsock_connect_cleanup);
-
- if (port == NBT_SMB_PORT) {
-+ if (lp_disable_netbios()) {
-+ tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
-+ return tevent_req_post(req, ev);
-+ }
-+
- state->req_139 = nb_connect_send(state, state->ev, state->addr,
- state->called_name,
- state->called_type,
---
-2.20.1
-
-
-From 94491362b882e49757f8ecd8e133149457e2f2e5 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 17 Dec 2018 14:40:33 -0500
-Subject: [PATCH 2/5] s3:libsmb: Print debug message about Netbios
-
-With a preceding patch, cli_connect_nb() will return
-NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
-
-Print an informative error message to indicate Netbios is disabled
-if this occurs.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Noel Power <nopower@suse.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b)
----
- source3/libsmb/clidfs.c | 10 +++++++---
- source3/libsmb/libsmb_server.c | 4 ++++
- 2 files changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
-index 0dfb8b33606..4342a3b1d1b 100644
---- a/source3/libsmb/clidfs.c
-+++ b/source3/libsmb/clidfs.c
-@@ -196,9 +196,13 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
- flags, &c);
-
- if (!NT_STATUS_IS_OK(status)) {
-- d_printf("Connection to %s failed (Error %s)\n",
-- server,
-- nt_errstr(status));
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-+ DBG_ERR("NetBIOS support disabled, unable to connect");
-+ }
-+
-+ DBG_WARNING("Connection to %s failed (Error %s)\n",
-+ server,
-+ nt_errstr(status));
- return status;
- }
-
-diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
-index 67dfcf72327..0067df48cac 100644
---- a/source3/libsmb/libsmb_server.c
-+++ b/source3/libsmb/libsmb_server.c
-@@ -489,6 +489,10 @@ SMBC_server_internal(TALLOC_CTX *ctx,
- }
-
- if (!NT_STATUS_IS_OK(status)) {
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-+ DBG_ERR("NetBIOS support disabled, unable to connect");
-+ }
-+
- errno = map_errno_from_nt_status(status);
- return NULL;
- }
---
-2.20.1
-
-
-From a0e7b2e45efe680971ded1b66ea919f3fa4a9ad4 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 17 Dec 2018 14:57:59 -0500
-Subject: [PATCH 3/5] s3:smbpasswd: Print debug message about Netbios
-
-With a preceding patch, cli_connect_nb() will return
-NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
-
-Print an informative error message to indicate Netbios is disabled
-if this occurs.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Noel Power <nopower@suse.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098)
----
- source3/libsmb/passchange.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
-index 48ffba8036f..f60e3079975 100644
---- a/source3/libsmb/passchange.c
-+++ b/source3/libsmb/passchange.c
-@@ -46,10 +46,18 @@ NTSTATUS remote_password_change(const char *remote_machine,
- result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL,
- SMB_SIGNING_IPC_DEFAULT, 0, &cli);
- if (!NT_STATUS_IS_OK(result)) {
-- if (asprintf(err_str, "Unable to connect to SMB server on "
-- "machine %s. Error was : %s.\n",
-- remote_machine, nt_errstr(result))==-1) {
-- *err_str = NULL;
-+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
-+ if (asprintf(err_str, "Unable to connect to SMB server on "
-+ "machine %s. NetBIOS support disabled\n",
-+ remote_machine) == -1) {
-+ *err_str = NULL;
-+ }
-+ } else {
-+ if (asprintf(err_str, "Unable to connect to SMB server on "
-+ "machine %s. Error was : %s.\n",
-+ remote_machine, nt_errstr(result))==-1) {
-+ *err_str = NULL;
-+ }
- }
- return result;
- }
---
-2.20.1
-
-
-From 5f5420b85b0467c0cb3237c82bd4c151bbb0133b Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 17 Dec 2018 15:17:24 -0500
-Subject: [PATCH 4/5] s3:utils:net: Print debug message about Netbios
-
-With a preceding patch, cli_connect_nb() will return
-NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
-
-Print an informative error message to indicate Netbios is disabled
-if this occurs.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Noel Power <nopower@suse.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397)
----
- source3/utils/net_rpc.c | 3 +++
- source3/utils/net_time.c | 9 +++++++--
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 67fff2f4d1b..91ad90f9594 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -7431,6 +7431,9 @@ bool net_rpc_check(struct net_context *c, unsigned flags)
- lp_netbios_name(), SMB_SIGNING_IPC_DEFAULT,
- 0, &cli);
- if (!NT_STATUS_IS_OK(status)) {
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-+ DBG_ERR("NetBIOS support disabled, unable to connect\n");
-+ }
- return false;
- }
- status = smbXcli_negprot(cli->conn, cli->timeout, PROTOCOL_CORE,
-diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c
-index 0091fc86333..5e6cf2ea15d 100644
---- a/source3/utils/net_time.c
-+++ b/source3/utils/net_time.c
-@@ -37,8 +37,13 @@ static time_t cli_servertime(const char *host,
- status = cli_connect_nb(host, dest_ss, 0, 0x20, lp_netbios_name(),
- SMB_SIGNING_DEFAULT, 0, &cli);
- if (!NT_STATUS_IS_OK(status)) {
-- fprintf(stderr, _("Can't contact server %s. Error %s\n"),
-- host, nt_errstr(status));
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-+ fprintf(stderr, "Can't contact server %s. NetBIOS support disabled,"
-+ " Error %s\n", host, nt_errstr(status));
-+ } else {
-+ fprintf(stderr, "Can't contact server %s. Error %s\n",
-+ host, nt_errstr(status));
-+ }
- goto done;
- }
-
---
-2.20.1
-
-
-From c948bd0660c1ddba0205ccdbd156baefa1c27971 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 14 Jan 2019 10:36:47 -0500
-Subject: [PATCH 5/5] s3:libsmb: Honor disable_netbios option in
- smbsock_connect_send
-
-If disable_netbios is set, return before the tevent timer is triggered
-to prevent outgoing netbios connections.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8)
----
- source3/libsmb/smbsock_connect.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
-index bb3cb07646c..be52b9a4f79 100644
---- a/source3/libsmb/smbsock_connect.c
-+++ b/source3/libsmb/smbsock_connect.c
-@@ -415,6 +415,13 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
- tevent_req_set_callback(state->req_445, smbsock_connect_connected,
- req);
-
-+ /*
-+ * Check for disable_netbios
-+ */
-+ if (lp_disable_netbios()) {
-+ return req;
-+ }
-+
- /*
- * After 5 msecs, fire the 139 (NBT) request
- */
---
-2.20.1
-
diff --git a/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch b/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch
deleted file mode 100644
index 748a515..0000000
--- a/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From fac7c0a0357fc0c9fc472a0ee022a8db7571f054 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 22 Mar 2019 14:39:11 +0100
-Subject: [PATCH] docs: Update smbclient manpage for --max-protocol
-
-We default to SMB3 now.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
----
- docs-xml/manpages/smbclient.1.xml | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
-index e71a21a95e3..e25f7d3517b 100644
---- a/docs-xml/manpages/smbclient.1.xml
-+++ b/docs-xml/manpages/smbclient.1.xml
-@@ -261,9 +261,9 @@
- <listitem><para>This allows the user to select the
- highest SMB protocol level that smbclient will use to
- connect to the server. By default this is set to
-- NT1, which is the highest available SMB1 protocol.
-- To connect using SMB2 or SMB3 protocol, use the
-- strings SMB2 or SMB3 respectively. Note that to connect
-+ highest available SMB3 protocol version.
-+ To connect using SMB2 or SMB1 protocol, use the
-+ strings SMB2 or NT1 respectively. Note that to connect
- to a Windows 2012 server with encrypted transport selecting
- a max-protocol of SMB3 is required.
- </para></listitem>
---
-2.21.0
-
diff --git a/SOURCES/samba-4.9-fix_builtin_groups_creation.patch b/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
deleted file mode 100644
index 18aad34..0000000
--- a/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 1e8931dfc24a2576a3b1fe9115c4ccbfefbbd298 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 19 Dec 2018 09:38:33 +0100
-Subject: [PATCH] s3:auth: ignore create_builtin_guests() failing without a
- valid idmap configuration
-
-This happens on standalone servers, where winbindd is automatically
-started by init scripts if it's installed. But it's not really
-used and may not have a valid idmap configuration (
-"idmap config * : range" has no default!)
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit 865538fabaea33741f5fa542dbc3f2e08308c2c1)
----
- source3/auth/token_util.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
-index f5b0e6944335..ee38d6c9645b 100644
---- a/source3/auth/token_util.c
-+++ b/source3/auth/token_util.c
-@@ -745,7 +745,23 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
- status = create_builtin_guests(domain_sid);
- unbecome_root();
-
-- if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
-+ /*
-+ * NT_STATUS_PROTOCOL_UNREACHABLE:
-+ * => winbindd is not running.
-+ *
-+ * NT_STATUS_ACCESS_DENIED:
-+ * => no idmap config at all
-+ * and wbint_AllocateGid()/winbind_allocate_gid()
-+ * failed.
-+ *
-+ * NT_STATUS_NO_SUCH_GROUP:
-+ * => no idmap config at all and
-+ * "tdbsam:map builtin = no" means
-+ * wbint_Sids2UnixIDs() fails.
-+ */
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
-+ NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
-+ NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
- /*
- * Add BUILTIN\Guests directly to token.
- * But only if the token already indicates
---
-2.17.1
-
diff --git a/SOURCES/samba-4.9-fix_cups_printing.patch b/SOURCES/samba-4.9-fix_cups_printing.patch
deleted file mode 100644
index 80da965..0000000
--- a/SOURCES/samba-4.9-fix_cups_printing.patch
+++ /dev/null
@@ -1,1094 +0,0 @@
-From 1f64c74fec614bde510411b339e731f53b4707dd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 16:55:49 +0200
-Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups
-
-This is required to access files in /var/spool/cups which have been
-temporarily created in there by CUPS.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b)
----
- source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 5c4da33238b..e6684fc0d0c 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -82,6 +82,7 @@ int main(int argc, char *argv[])
- {
- char smbspool_cmd[PATH_MAX] = {0};
- struct passwd *pwd;
-+ struct group *g = NULL;
- char gen_cc[PATH_MAX] = {0};
- struct stat sb;
- char *env = NULL;
-@@ -89,6 +90,7 @@ int main(int argc, char *argv[])
- char device_uri[4096] = {0};
- uid_t uid = (uid_t)-1;
- gid_t gid = (gid_t)-1;
-+ gid_t groups[1] = { (gid_t)-1 };
- unsigned long tmp;
- int cmp;
- int rc;
-@@ -176,6 +178,26 @@ int main(int argc, char *argv[])
- return CUPS_BACKEND_FAILED;
- }
-
-+ /*
-+ * We need the primary group of the 'lp' user. This is needed to access
-+ * temporary files in /var/spool/cups/.
-+ */
-+ g = getgrnam("lp");
-+ if (g == NULL) {
-+ CUPS_SMB_ERROR("Failed to find user 'lp' - %s",
-+ strerror(errno));
-+ return CUPS_BACKEND_FAILED;
-+ }
-+
-+ CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid);
-+ groups[0] = g->gr_gid;
-+ rc = setgroups(sizeof(groups), groups);
-+ if (rc != 0) {
-+ CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s",
-+ strerror(errno));
-+ return CUPS_BACKEND_FAILED;
-+ }
-+
- CUPS_SMB_DEBUG("Switching to gid=%d", gid);
- rc = setgid(gid);
- if (rc != 0) {
---
-2.21.0
-
-
-From e634ee57d57cf4e5e2c8922f27576d402c6f06af Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 13:41:02 +0200
-Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate
- with
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5)
----
- source3/client/smbspool.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index c404b3a3f69..78c13b9ebdb 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -612,6 +612,7 @@ static bool kerberos_ccache_is_valid(void) {
- return false;
- } else {
- krb5_principal default_princ = NULL;
-+ char *princ_name = NULL;
-
- code = krb5_cc_get_principal(ctx,
- ccache,
-@@ -621,6 +622,16 @@ static bool kerberos_ccache_is_valid(void) {
- krb5_free_context(ctx);
- return false;
- }
-+
-+ code = krb5_unparse_name(ctx,
-+ default_princ,
-+ &princ_name);
-+ if (code == 0) {
-+ fprintf(stderr,
-+ "DEBUG: Try to authenticate as %s\n",
-+ princ_name);
-+ krb5_free_unparsed_name(ctx, princ_name);
-+ }
- krb5_free_principal(ctx, default_princ);
- }
- krb5_cc_close(ctx, ccache);
---
-2.21.0
-
-
-From 997a9c4e9eed11d5c9e1635db3fe402c3c686989 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 14:25:00 +0200
-Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba)
----
- source3/client/smbspool_krb5_wrapper.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index e6684fc0d0c..2cdcd372ec6 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -219,10 +219,14 @@ int main(int argc, char *argv[])
- env = getenv("KRB5CCNAME");
- if (env != NULL && env[0] != 0) {
- snprintf(gen_cc, sizeof(gen_cc), "%s", env);
-+ CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache",
-+ gen_cc);
-
- goto create_env;
- }
-
-+ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
-+
- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
-
- rc = lstat(gen_cc, &sb);
---
-2.21.0
-
-
-From 793b16c22b0732a48de9bc927aab012bab87e8e4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 17:10:57 +0200
-Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858)
----
- source3/client/smbspool_krb5_wrapper.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 2cdcd372ec6..3266b90ec1a 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -227,13 +227,13 @@ int main(int argc, char *argv[])
-
- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
-
-- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
-+ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
-
- rc = lstat(gen_cc, &sb);
- if (rc == 0) {
-- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid);
-+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
- } else {
-- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid);
-+ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
-
- rc = lstat(gen_cc, &sb);
- if (rc == 0 && S_ISDIR(sb.st_mode)) {
---
-2.21.0
-
-
-From a2eb883469617688bef4f5c5dbbb1fc916299923 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 17:40:43 +0200
-Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is
- not set
-
-This could also support the new KCM credential cache storage.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3)
----
- source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++--------
- source3/wscript_build | 1 +
- 2 files changed, 55 insertions(+), 25 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 3266b90ec1a..bff1df417e8 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -21,6 +21,7 @@
-
- #include "includes.h"
- #include "system/filesys.h"
-+#include "system/kerberos.h"
- #include "system/passwd.h"
-
- #include <errno.h>
-@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...)
- buffer);
- }
-
-+static bool kerberos_get_default_ccache(char *ccache_buf, size_t len)
-+{
-+ krb5_context ctx;
-+ const char *ccache_name = NULL;
-+ char *full_ccache_name = NULL;
-+ krb5_ccache ccache = NULL;
-+ krb5_error_code code;
-+
-+ code = krb5_init_context(&ctx);
-+ if (code != 0) {
-+ return false;
-+ }
-+
-+ ccache_name = krb5_cc_default_name(ctx);
-+ if (ccache_name == NULL) {
-+ krb5_free_context(ctx);
-+ return false;
-+ }
-+
-+ code = krb5_cc_resolve(ctx, ccache_name, &ccache);
-+ if (code != 0) {
-+ krb5_free_context(ctx);
-+ return false;
-+ }
-+
-+ code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name);
-+ krb5_cc_close(ctx, ccache);
-+ if (code != 0) {
-+ krb5_free_context(ctx);
-+ return false;
-+ }
-+
-+ snprintf(ccache_buf, len, "%s", full_ccache_name);
-+
-+#ifdef SAMBA4_USES_HEIMDAL
-+ free(full_ccache_name);
-+#else
-+ krb5_free_string(ctx, full_ccache_name);
-+#endif
-+ krb5_free_context(ctx);
-+
-+ return true;
-+}
-+
- /*
- * This is a helper binary to execute smbspool.
- *
-@@ -84,7 +129,6 @@ int main(int argc, char *argv[])
- struct passwd *pwd;
- struct group *g = NULL;
- char gen_cc[PATH_MAX] = {0};
-- struct stat sb;
- char *env = NULL;
- char auth_info_required[256] = {0};
- char device_uri[4096] = {0};
-@@ -92,6 +136,7 @@ int main(int argc, char *argv[])
- gid_t gid = (gid_t)-1;
- gid_t groups[1] = { (gid_t)-1 };
- unsigned long tmp;
-+ bool ok;
- int cmp;
- int rc;
-
-@@ -225,32 +270,16 @@ int main(int argc, char *argv[])
- goto create_env;
- }
-
-- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
--
-- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
--
-- rc = lstat(gen_cc, &sb);
-- if (rc == 0) {
-- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
-- } else {
-- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
--
-- rc = lstat(gen_cc, &sb);
-- if (rc == 0 && S_ISDIR(sb.st_mode)) {
-- snprintf(gen_cc,
-- sizeof(gen_cc),
-- "DIR:/run/user/%d/krb5cc",
-- uid);
-- } else {
--#if defined(__linux__)
-- snprintf(gen_cc,
-- sizeof(gen_cc),
-- "KEYRING:persistent:%d",
-- uid);
--#endif
-- }
-+ ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc));
-+ if (ok) {
-+ CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]",
-+ gen_cc);
-+ goto create_env;
- }
-
-+ /* Fallback to a FILE ccache */
-+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
-+
- create_env:
- /*
- * Make sure we do not have LD_PRELOAD or other security relevant
-diff --git a/source3/wscript_build b/source3/wscript_build
-index bbcfc72a714..a601ab4e9b1 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -1137,6 +1137,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
- deps='''
- DYNCONFIG
- cups
-+ krb5
- ''',
- install_path='${LIBEXECDIR}/samba',
- enabled=bld.CONFIG_SET('HAVE_CUPS'))
---
-2.21.0
-
-
-From ec526ef97fc6edf0342dea9ee82ecc14433cc063 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 16:48:31 +0200
-Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd)
----
- source3/client/smbspool.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 78c13b9ebdb..805ad88b88d 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -223,7 +223,9 @@ main(int argc, /* I - Number of command-line arguments */
-
- fp = fopen(print_file, "rb");
- if (fp == NULL) {
-- perror("ERROR: Unable to open print file");
-+ fprintf(stderr,
-+ "ERROR: Unable to open print file: %s",
-+ print_file);
- goto done;
- }
-
---
-2.21.0
-
-
-From cd9e3a2a7666dfe545a8d0e9a68def6aa536641b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 18:54:02 +0200
-Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos
-
-If username and password is given, then fallback to NTLM. However try
-kinit first. Also we correctly handle NULL passwords in the meantime and
-this makes it easier to deal with issues.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d)
----
- source3/client/smbspool.c | 90 ++++++++++++++++++++++-----------------
- 1 file changed, 51 insertions(+), 39 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 805ad88b88d..d336cd08209 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -87,8 +87,8 @@ main(int argc, /* I - Number of command-line arguments */
- int port; /* Port number */
- char uri[1024], /* URI */
- *sep, /* Pointer to separator */
-- *tmp, *tmp2, /* Temp pointers to do escaping */
-- *password; /* Password */
-+ *tmp, *tmp2; /* Temp pointers to do escaping */
-+ const char *password = NULL; /* Password */
- char *username, /* Username */
- *server, /* Server name */
- *printer;/* Printer name */
-@@ -292,8 +292,6 @@ main(int argc, /* I - Number of command-line arguments */
- if ((tmp2 = strchr_m(tmp, ':')) != NULL) {
- *tmp2++ = '\0';
- password = uri_unescape_alloc(tmp2);
-- } else {
-- password = empty_str;
- }
- username = uri_unescape_alloc(tmp);
- } else {
-@@ -301,14 +299,15 @@ main(int argc, /* I - Number of command-line arguments */
- username = empty_str;
- }
-
-- if ((password = getenv("AUTH_PASSWORD")) == NULL) {
-- password = empty_str;
-+ env = getenv("AUTH_PASSWORD");
-+ if (env != NULL && strlen(env) > 0) {
-+ password = env;
- }
-
- server = uri + 6;
- }
-
-- if (password != empty_str) {
-+ if (password != NULL) {
- auth_info_required = "username,password";
- }
-
-@@ -513,6 +512,7 @@ smb_complete_connection(const char *myname,
- NTSTATUS nt_status;
- struct cli_credentials *creds = NULL;
- bool use_kerberos = false;
-+ bool fallback_after_kerberos = false;
-
- /* Start the SMB connection */
- *need_auth = false;
-@@ -523,27 +523,21 @@ smb_complete_connection(const char *myname,
- return NULL;
- }
-
-- /*
-- * We pretty much guarantee password must be valid or a pointer to a
-- * 0 char.
-- */
-- if (!password) {
-- *need_auth = true;
-- return NULL;
-- }
--
- if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
-- auth_info_required = "negotiate";
- use_kerberos = true;
- }
-
-+ if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) {
-+ fallback_after_kerberos = true;
-+ }
-+
- creds = cli_session_creds_init(cli,
- username,
- workgroup,
- NULL, /* realm */
- password,
- use_kerberos,
-- false, /* fallback_after_kerberos */
-+ fallback_after_kerberos,
- false, /* use_ccache */
- false); /* password_is_nt_hash */
- if (creds == NULL) {
-@@ -659,6 +653,10 @@ smb_connect(const char *workgroup, /* I - Workgroup */
- struct cli_state *cli; /* New connection */
- char *myname = NULL; /* Client name */
- struct passwd *pwd;
-+ int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
-+ bool use_kerberos = false;
-+ const char *user = username;
-+ int cmp;
-
- /*
- * Get the names and addresses of the client and server...
-@@ -668,42 +666,56 @@ smb_connect(const char *workgroup, /* I - Workgroup */
- return NULL;
- }
-
-- /*
-- * See if we have a username first. This is for backwards compatible
-- * behavior with 3.0.14a
-- */
-
-- if (username == NULL || username[0] == '\0') {
-- if (kerberos_ccache_is_valid()) {
-- goto kerberos_auth;
-+ cmp = strcmp(auth_info_required, "negotiate");
-+ if (cmp == 0) {
-+ if (!kerberos_ccache_is_valid()) {
-+ return NULL;
- }
-+ user = jobusername;
-+
-+ use_kerberos = true;
-+ fprintf(stderr,
-+ "DEBUG: Try to connect using Kerberos ...\n");
-+ }
-+
-+ cmp = strcmp(auth_info_required, "username,password");
-+ if (cmp == 0) {
-+ if (username == NULL || username[0] == '\0') {
-+ return NULL;
-+ }
-+
-+ /* Fallback to NTLM */
-+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
-+
-+ fprintf(stderr,
-+ "DEBUG: Try to connect using username/password ...\n");
-+ }
-+
-+ cmp = strcmp(auth_info_required, "none");
-+ if (cmp == 0) {
-+ fprintf(stderr,
-+ "DEBUG: This backend doesn't support none auth ...\n");
-+ return NULL;
- }
-
- cli = smb_complete_connection(myname,
- server,
- port,
-- username,
-+ user,
- password,
- workgroup,
- share,
-- 0,
-+ flags,
- need_auth);
- if (cli != NULL) {
-- fputs("DEBUG: Connected with username/password...\n", stderr);
-+ fprintf(stderr, "DEBUG: SMB connection established.\n");
- return (cli);
- }
-
--kerberos_auth:
-- /*
-- * Try to use the user kerberos credentials (if any) to authenticate
-- */
-- cli = smb_complete_connection(myname, server, port, jobusername, "",
-- workgroup, share,
-- CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
--
-- if (cli) {
-- fputs("DEBUG: Connected using Kerberos...\n", stderr);
-- return (cli);
-+ if (!use_kerberos) {
-+ fprintf(stderr, "ERROR: SMB connection failed!\n");
-+ return NULL;
- }
-
- /* give a chance for a passwordless NTLMSSP session setup */
---
-2.21.0
-
-
-From f470477d71214b00a4b33f6934d7dbef3b3fce1d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 18:24:32 +0200
-Subject: [PATCH 8/9] s3:smbspool: Add debug messages to
- kerberos_ccache_is_valid()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3)
----
- source3/client/smbspool.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index d336cd08209..221c50af196 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -599,11 +599,15 @@ static bool kerberos_ccache_is_valid(void) {
-
- ccache_name = krb5_cc_default_name(ctx);
- if (ccache_name == NULL) {
-+ DBG_ERR("Failed to get default ccache name\n");
-+ krb5_free_context(ctx);
- return false;
- }
-
- code = krb5_cc_resolve(ctx, ccache_name, &ccache);
- if (code != 0) {
-+ DBG_ERR("Failed to resolve ccache name: %s\n",
-+ ccache_name);
- krb5_free_context(ctx);
- return false;
- } else {
-@@ -614,6 +618,9 @@ static bool kerberos_ccache_is_valid(void) {
- ccache,
- &default_princ);
- if (code != 0) {
-+ DBG_ERR("Failed to get default principal from "
-+ "ccache: %s\n",
-+ ccache_name);
- krb5_cc_close(ctx, ccache);
- krb5_free_context(ctx);
- return false;
---
-2.21.0
-
-
-From 27511ca2bbb05134681714475c634473b5125503 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 14 May 2019 11:35:46 +0200
-Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes
-
-This allows us to simplify some code and return better errors.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea)
----
- source3/client/smbspool.c | 250 ++++++++++++++++++++++----------------
- 1 file changed, 145 insertions(+), 105 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 221c50af196..5ab286cd3e9 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -60,12 +60,27 @@
- * Local functions...
- */
-
--static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
-+static int get_exit_code(NTSTATUS nt_status);
- static void list_devices(void);
--static struct cli_state *smb_complete_connection(const char *, const char *,
-- int, const char *, const char *, const char *, const char *, int, bool *need_auth);
--static struct cli_state *smb_connect(const char *, const char *, int, const
-- char *, const char *, const char *, const char *, bool *need_auth);
-+static NTSTATUS
-+smb_complete_connection(struct cli_state **output_cli,
-+ const char *myname,
-+ const char *server,
-+ int port,
-+ const char *username,
-+ const char *password,
-+ const char *workgroup,
-+ const char *share,
-+ int flags);
-+static NTSTATUS
-+smb_connect(struct cli_state **output_cli,
-+ const char *workgroup,
-+ const char *server,
-+ const int port,
-+ const char *share,
-+ const char *username,
-+ const char *password,
-+ const char *jobusername);
- static int smb_print(struct cli_state *, const char *, FILE *);
- static char *uri_unescape_alloc(const char *);
- #if 0
-@@ -89,16 +104,15 @@ main(int argc, /* I - Number of command-line arguments */
- *sep, /* Pointer to separator */
- *tmp, *tmp2; /* Temp pointers to do escaping */
- const char *password = NULL; /* Password */
-- char *username, /* Username */
-- *server, /* Server name */
-+ const char *username = NULL; /* Username */
-+ char *server, /* Server name */
- *printer;/* Printer name */
- const char *workgroup; /* Workgroup */
- FILE *fp; /* File to print */
- int status = 1; /* Status of LPD job */
-- struct cli_state *cli; /* SMB interface */
-- char empty_str[] = "";
-+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
-+ struct cli_state *cli = NULL; /* SMB interface */
- int tries = 0;
-- bool need_auth = true;
- const char *dev_uri = NULL;
- const char *env = NULL;
- const char *config_file = NULL;
-@@ -295,8 +309,9 @@ main(int argc, /* I - Number of command-line arguments */
- }
- username = uri_unescape_alloc(tmp);
- } else {
-- if ((username = getenv("AUTH_USERNAME")) == NULL) {
-- username = empty_str;
-+ env = getenv("AUTH_USERNAME");
-+ if (env != NULL && strlen(env) > 0) {
-+ username = env;
- }
-
- env = getenv("AUTH_PASSWORD");
-@@ -368,27 +383,39 @@ main(int argc, /* I - Number of command-line arguments */
- load_interfaces();
-
- do {
-- cli = smb_connect(workgroup,
-- server,
-- port,
-- printer,
-- username,
-- password,
-- print_user,
-- &need_auth);
-- if (cli == NULL) {
-- if (need_auth) {
-- exit(2);
-+ nt_status = smb_connect(&cli,
-+ workgroup,
-+ server,
-+ port,
-+ printer,
-+ username,
-+ password,
-+ print_user);
-+ if (!NT_STATUS_IS_OK(nt_status)) {
-+ status = get_exit_code(nt_status);
-+ if (status == 2) {
-+ fprintf(stderr,
-+ "DEBUG: Unable to connect to CIFS "
-+ "host: %s",
-+ nt_errstr(nt_status));
-+ goto done;
- } else if (getenv("CLASS") == NULL) {
-- fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
-+ fprintf(stderr,
-+ "ERROR: Unable to connect to CIFS "
-+ "host: %s. Will retry in 60 "
-+ "seconds...\n",
-+ nt_errstr(nt_status));
- sleep(60);
- tries++;
- } else {
-- fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
-+ fprintf(stderr,
-+ "ERROR: Unable to connect to CIFS "
-+ "host: %s. Trying next printer...\n",
-+ nt_errstr(nt_status));
- goto done;
- }
- }
-- } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
-+ } while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT));
-
- if (cli == NULL) {
- fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
-@@ -435,10 +462,9 @@ done:
- */
-
- static int
--get_exit_code(struct cli_state * cli,
-- NTSTATUS nt_status)
-+get_exit_code(NTSTATUS nt_status)
- {
-- int i;
-+ size_t i;
-
- /* List of NTSTATUS errors that are considered
- * authentication errors
-@@ -454,17 +480,16 @@ get_exit_code(struct cli_state * cli,
- };
-
-
-- fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n",
-- cli, nt_errstr(nt_status), NT_STATUS_V(nt_status));
-+ fprintf(stderr,
-+ "DEBUG: get_exit_code(nt_status=%s [%x])\n",
-+ nt_errstr(nt_status), NT_STATUS_V(nt_status));
-
- for (i = 0; i < ARRAY_SIZE(auth_errors); i++) {
- if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) {
- continue;
- }
-
-- if (cli) {
-- fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
-- }
-+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
-
- /*
- * 2 = authentication required...
-@@ -497,16 +522,16 @@ list_devices(void)
- }
-
-
--static struct cli_state *
--smb_complete_connection(const char *myname,
-+static NTSTATUS
-+smb_complete_connection(struct cli_state **output_cli,
-+ const char *myname,
- const char *server,
- int port,
- const char *username,
- const char *password,
- const char *workgroup,
- const char *share,
-- int flags,
-- bool *need_auth)
-+ int flags)
- {
- struct cli_state *cli; /* New connection */
- NTSTATUS nt_status;
-@@ -515,12 +540,11 @@ smb_complete_connection(const char *myname,
- bool fallback_after_kerberos = false;
-
- /* Start the SMB connection */
-- *need_auth = false;
- nt_status = cli_start_connection(&cli, myname, server, NULL, port,
- SMB_SIGNING_DEFAULT, flags);
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status));
-- return NULL;
-+ return nt_status;
- }
-
- if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
-@@ -543,20 +567,16 @@ smb_complete_connection(const char *myname,
- if (creds == NULL) {
- fprintf(stderr, "ERROR: cli_session_creds_init failed\n");
- cli_shutdown(cli);
-- return NULL;
-+ return NT_STATUS_NO_MEMORY;
- }
-
- nt_status = cli_session_setup_creds(cli, creds);
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
-
-- if (get_exit_code(cli, nt_status) == 2) {
-- *need_auth = true;
-- }
--
- cli_shutdown(cli);
-
-- return NULL;
-+ return nt_status;
- }
-
- nt_status = cli_tree_connect_creds(cli, share, "?????", creds);
-@@ -564,13 +584,9 @@ smb_complete_connection(const char *myname,
- fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
- nt_errstr(nt_status));
-
-- if (get_exit_code(cli, nt_status) == 2) {
-- *need_auth = true;
-- }
--
- cli_shutdown(cli);
-
-- return NULL;
-+ return nt_status;
- }
- #if 0
- /* Need to work out how to specify this on the URL. */
-@@ -583,7 +599,8 @@ smb_complete_connection(const char *myname,
- }
- #endif
-
-- return cli;
-+ *output_cli = cli;
-+ return NT_STATUS_OK;
- }
-
- static bool kerberos_ccache_is_valid(void) {
-@@ -647,49 +664,48 @@ static bool kerberos_ccache_is_valid(void) {
- * 'smb_connect()' - Return a connection to a server.
- */
-
--static struct cli_state * /* O - SMB connection */
--smb_connect(const char *workgroup, /* I - Workgroup */
-+static NTSTATUS
-+smb_connect(struct cli_state **output_cli,
-+ const char *workgroup, /* I - Workgroup */
- const char *server, /* I - Server */
- const int port, /* I - Port */
- const char *share, /* I - Printer */
- const char *username, /* I - Username */
- const char *password, /* I - Password */
-- const char *jobusername, /* I - User who issued the print job */
-- bool *need_auth)
--{ /* O - Need authentication? */
-- struct cli_state *cli; /* New connection */
-+ const char *jobusername) /* I - User who issued the print job */
-+{
-+ struct cli_state *cli = NULL; /* New connection */
- char *myname = NULL; /* Client name */
- struct passwd *pwd;
- int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
- bool use_kerberos = false;
- const char *user = username;
-- int cmp;
-+ NTSTATUS nt_status;
-
- /*
- * Get the names and addresses of the client and server...
- */
- myname = get_myname(talloc_tos());
- if (!myname) {
-- return NULL;
-+ return NT_STATUS_NO_MEMORY;
- }
-
-
-- cmp = strcmp(auth_info_required, "negotiate");
-- if (cmp == 0) {
-+ if (strcmp(auth_info_required, "negotiate") == 0) {
- if (!kerberos_ccache_is_valid()) {
-- return NULL;
-+ fprintf(stderr,
-+ "ERROR: No valid Kerberos credential cache "
-+ "found!\n");
-+ return NT_STATUS_LOGON_FAILURE;
- }
- user = jobusername;
-
- use_kerberos = true;
- fprintf(stderr,
- "DEBUG: Try to connect using Kerberos ...\n");
-- }
--
-- cmp = strcmp(auth_info_required, "username,password");
-- if (cmp == 0) {
-- if (username == NULL || username[0] == '\0') {
-- return NULL;
-+ } else if (strcmp(auth_info_required, "username,password") == 0) {
-+ if (username == NULL) {
-+ return NT_STATUS_INVALID_ACCOUNT_NAME;
- }
-
- /* Fallback to NTLM */
-@@ -697,59 +713,83 @@ smb_connect(const char *workgroup, /* I - Workgroup */
-
- fprintf(stderr,
- "DEBUG: Try to connect using username/password ...\n");
-- }
-+ } else {
-+ if (username != NULL) {
-+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
-+ } else if (kerberos_ccache_is_valid()) {
-+ auth_info_required = "negotiate";
-
-- cmp = strcmp(auth_info_required, "none");
-- if (cmp == 0) {
-- fprintf(stderr,
-- "DEBUG: This backend doesn't support none auth ...\n");
-- return NULL;
-+ user = jobusername;
-+ use_kerberos = true;
-+ } else {
-+ fprintf(stderr,
-+ "DEBUG: This backend requires credentials!\n");
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
- }
-
-- cli = smb_complete_connection(myname,
-- server,
-- port,
-- user,
-- password,
-- workgroup,
-- share,
-- flags,
-- need_auth);
-- if (cli != NULL) {
-+ nt_status = smb_complete_connection(&cli,
-+ myname,
-+ server,
-+ port,
-+ user,
-+ password,
-+ workgroup,
-+ share,
-+ flags);
-+ if (NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "DEBUG: SMB connection established.\n");
-- return (cli);
-+
-+ *output_cli = cli;
-+ return NT_STATUS_OK;
- }
-
- if (!use_kerberos) {
- fprintf(stderr, "ERROR: SMB connection failed!\n");
-- return NULL;
-+ return nt_status;
- }
-
- /* give a chance for a passwordless NTLMSSP session setup */
- pwd = getpwuid(geteuid());
- if (pwd == NULL) {
-- return NULL;
-- }
--
-- cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
-- workgroup, share, 0, need_auth);
--
-- if (cli) {
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
-+ nt_status = smb_complete_connection(&cli,
-+ myname,
-+ server,
-+ port,
-+ pwd->pw_name,
-+ "",
-+ workgroup,
-+ share,
-+ 0);
-+ if (NT_STATUS_IS_OK(nt_status)) {
- fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
-- return (cli);
-+
-+ *output_cli = cli;
-+ return NT_STATUS_OK;
- }
-
- /*
- * last try. Use anonymous authentication
- */
-
-- cli = smb_complete_connection(myname, server, port, "", "",
-- workgroup, share, 0, need_auth);
-- /*
-- * Return the new connection...
-- */
--
-- return (cli);
-+ nt_status = smb_complete_connection(&cli,
-+ myname,
-+ server,
-+ port,
-+ "",
-+ "",
-+ workgroup,
-+ share,
-+ 0);
-+ if (NT_STATUS_IS_OK(nt_status)) {
-+ *output_cli = cli;
-+ return NT_STATUS_OK;
-+ }
-+
-+ return nt_status;
- }
-
-
-@@ -795,7 +835,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: %s opening remote spool %s\n",
- nt_errstr(nt_status), title);
-- return get_exit_code(cli, nt_status);
-+ return get_exit_code(nt_status);
- }
-
- /*
-@@ -813,7 +853,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
- tbytes, nbytes, NULL);
- if (!NT_STATUS_IS_OK(status)) {
-- int ret = get_exit_code(cli, status);
-+ int ret = get_exit_code(status);
- fprintf(stderr, "ERROR: Error writing spool: %s\n",
- nt_errstr(status));
- fprintf(stderr, "DEBUG: Returning status %d...\n",
-@@ -829,7 +869,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: %s closing remote spool %s\n",
- nt_errstr(nt_status), title);
-- return get_exit_code(cli, nt_status);
-+ return get_exit_code(nt_status);
- } else {
- return (0);
- }
---
-2.21.0
-
diff --git a/SOURCES/samba-4.9-fix_debug_segfault.patch b/SOURCES/samba-4.9-fix_debug_segfault.patch
deleted file mode 100644
index edbbd33..0000000
--- a/SOURCES/samba-4.9-fix_debug_segfault.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 99c354431703a4408f0208e3f2b06a9da81937f2 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 7 Nov 2018 14:32:29 +0100
-Subject: [PATCH] lib:util: Fix DEBUGCLASS pointer initializiation
-
-This fixes a segfault in pyglue:
-
-==10142== Process terminating with default action of signal 11 (SIGSEGV)
-==10142== Bad permissions for mapped region at address 0x6F00A20
-==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165)
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 71ef09c1afdbf967b829cb66b33c3a5cb1c18ba0)
----
- lib/util/debug.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/util/debug.c b/lib/util/debug.c
-index d41e0f99c77..847ec1f0a0c 100644
---- a/lib/util/debug.c
-+++ b/lib/util/debug.c
-@@ -557,10 +557,10 @@ static const char *default_classname_table[] = {
- * This is to allow reading of DEBUGLEVEL_CLASS before the debug
- * system has been initialized.
- */
--static const int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
-+static int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
-
- static size_t debug_num_classes = 0;
--int *DEBUGLEVEL_CLASS = discard_const_p(int, debug_class_list_initial);
-+int *DEBUGLEVEL_CLASS = debug_class_list_initial;
-
-
- /* -------------------------------------------------------------------------- **
---
-2.19.1
-
diff --git a/SOURCES/samba-4.9-fix_force_group_panic.patch b/SOURCES/samba-4.9-fix_force_group_panic.patch
deleted file mode 100644
index e228ccf..0000000
--- a/SOURCES/samba-4.9-fix_force_group_panic.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From fdc98f74d016bcfd9673f4bc011ba7ede59bdf48 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 18 Jan 2019 14:24:30 -0800
-Subject: [PATCH 2/2] smbd: uid: Don't crash if 'force group' is added to an
- existing share connection.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-smbd could crash if "force group" is added to a
-share definition whilst an existing connection
-to that share exists. In that case, don't change
-the existing credentials for force group, only
-do so for new connections.
-
-Remove knownfail from regression test.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-
-Autobuild-User(master): Ralph Böhme <slow@samba.org>
-Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144
-
-(cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a)
----
- source3/smbd/uid.c | 35 +++++++++++++++++++++++++++++++++--
- 2 files changed, 33 insertions(+), 4 deletions(-)
-
-diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
-index 9d5321cf4cc..ced2d450f8e 100644
---- a/source3/smbd/uid.c
-+++ b/source3/smbd/uid.c
-@@ -296,6 +296,7 @@ static bool change_to_user_internal(connection_struct *conn,
- int snum;
- gid_t gid;
- uid_t uid;
-+ const char *force_group_name;
- char group_c;
- int num_groups = 0;
- gid_t *group_list = NULL;
-@@ -335,9 +336,39 @@ static bool change_to_user_internal(connection_struct *conn,
- * See if we should force group for this service. If so this overrides
- * any group set in the force user code.
- */
-- if((group_c = *lp_force_group(talloc_tos(), snum))) {
-+ force_group_name = lp_force_group(talloc_tos(), snum);
-+ group_c = *force_group_name;
-
-- SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
-+ if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {
-+ /*
-+ * This can happen if "force group" is added to a
-+ * share definition whilst an existing connection
-+ * to that share exists. In that case, don't change
-+ * the existing credentials for force group, only
-+ * do so for new connections.
-+ *
-+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
-+ */
-+ DBG_INFO("Not forcing group %s on existing connection to "
-+ "share %s for SMB user %s (unix user %s)\n",
-+ force_group_name,
-+ lp_const_servicename(snum),
-+ session_info->unix_info->sanitized_username,
-+ session_info->unix_info->unix_name);
-+ }
-+
-+ if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) {
-+ /*
-+ * Only force group for connections where
-+ * conn->force_group_gid has already been set
-+ * to the correct value (i.e. the connection
-+ * happened after the 'force group' definition
-+ * was added to the share definition. Connections
-+ * that were made before force group was added
-+ * should stay with their existing credentials.
-+ *
-+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
-+ */
-
- if (group_c == '+') {
- int i;
---
-2.20.1.495.gaa96b0ce6b-goog
-
diff --git a/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch b/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch
deleted file mode 100644
index 8cd6b4e..0000000
--- a/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch
+++ /dev/null
@@ -1,544 +0,0 @@
-From 996850e7c3bae8fa2f3fcb3f2e3a811c1e6c162f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 29 Mar 2019 11:34:53 +0100
-Subject: [PATCH 01/11] s3:libads: Print more information when LDAP fails
-
-Currently we just get an error but don't know what exactly we tried to
-do in 'net ads join -d10'.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
----
- source3/libads/ldap.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index 13846695bd4..110f74a2dbb 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld)
- if (ret != 0) {
- char *ld_error = NULL;
- ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
-- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
-- ldap_err2string(ret), ld_error));
-+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
-+ ret,
-+ ldap_err2string(ret),
-+ ld_error);
- SAFE_FREE(ld_error);
- }
- }
-@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
- (char) 1};
- LDAPControl *controls[2];
-
-+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
-+
- controls[0] = &PermitModify;
- controls[1] = NULL;
-
-@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
- char *utf8_dn = NULL;
- size_t converted_size;
-
-+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
-+
- if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
- DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
-@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
-+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
-+
- ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
- ads_print_error(ret, ads->ldap.ld);
- TALLOC_FREE(utf8_dn);
---
-2.21.0
-
-
-From 5fe5419bd6617fb33c7aafce20e1eeb3edd2f35f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 27 Mar 2019 16:45:39 +0100
-Subject: [PATCH 02/11] s3:libsmb: Add some useful debug output to cliconnect
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
----
- source3/libsmb/cliconnect.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index 837299d9220..9a3d3c769f9 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -345,6 +345,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
- return NT_STATUS_OK;
- }
-
-+ DBG_INFO("Doing kinit for %s to access %s\n",
-+ user_principal, target_hostname);
-
- /*
- * TODO: This should be done within the gensec layer
-@@ -374,6 +376,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
- */
- }
-
-+ DBG_DEBUG("Successfully authenticated as %s to access %s using "
-+ "Kerberos\n",
-+ user_principal,
-+ target_hostname);
-+
- TALLOC_FREE(frame);
- return NT_STATUS_OK;
- }
-@@ -1293,6 +1300,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
- return tevent_req_post(req, ev);
- }
-
-+ DBG_INFO("Connect to %s as %s using SPNEGO\n",
-+ target_hostname,
-+ cli_credentials_get_principal(creds, talloc_tos()));
-+
- subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
- target_service, target_hostname);
- if (tevent_req_nomem(subreq, req)) {
-@@ -1496,6 +1507,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
- return tevent_req_post(req, ev);
- }
-
-+ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
-+
- if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
- bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
- uint8_t *bytes = NULL;
---
-2.21.0
-
-
-From 0ad85d0c8d5f1c0a8a2fc9bed2e685e3421195bc Mon Sep 17 00:00:00 2001
-From: Guenther Deschner <gd@samba.org>
-Date: Mon, 1 Apr 2019 17:46:39 +0200
-Subject: [PATCH 03/11] s3:libnet: Fix debug message in libnet_DomainJoin()
-
-A newline is missing but also use DBG_INFO macro and cleanup spelling.
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
----
- source3/libnet/libnet_join.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 27fc5135442..ddc00f7ad7c 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
- return WERR_NERR_DEFAULTJOINREQUIRED;
- }
-
-- DEBUG(5, ("failed to precreate account in ou %s: %s",
-- r->in.account_ou, ads_errstr(ads_status)));
-+ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
-+ r->in.account_ou, ads_errstr(ads_status));
- }
- rpc_join:
-
---
-2.21.0
-
-
-From d6802828cc9a0dbdd667966faea7cc331479179b Mon Sep 17 00:00:00 2001
-From: Guenther Deschner <gd@samba.org>
-Date: Wed, 27 Mar 2019 17:51:04 +0100
-Subject: [PATCH 04/11] auth:ntlmssp: Add back CRAP ndr debug output
-
-This got lost somehow during refactoring. This is still viable
-information when trying to figure out what is going wrong when
-authenticating a user over NTLMSSP.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
----
- auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
- 1 file changed, 32 insertions(+)
-
-diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
-index ab406a2c5be..8e49dcee5ea 100644
---- a/auth/ntlmssp/ntlmssp_client.c
-+++ b/auth/ntlmssp/ntlmssp_client.c
-@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
- }
- }
-
-+ if (DEBUGLEVEL >= 10) {
-+ struct CHALLENGE_MESSAGE *challenge =
-+ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
-+ if (challenge != NULL) {
-+ NTSTATUS status;
-+ challenge->NegotiateFlags = chal_flags;
-+ status = ntlmssp_pull_CHALLENGE_MESSAGE(
-+ &in, challenge, challenge);
-+ if (NT_STATUS_IS_OK(status)) {
-+ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
-+ challenge);
-+ }
-+ TALLOC_FREE(challenge);
-+ }
-+ }
-+
- if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
- ntlmssp_state->server.is_standalone = true;
- } else {
-@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
- return nt_status;
- }
-
-+ if (DEBUGLEVEL >= 10) {
-+ struct AUTHENTICATE_MESSAGE *authenticate =
-+ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
-+ if (authenticate != NULL) {
-+ NTSTATUS status;
-+ authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
-+ status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
-+ out, authenticate, authenticate);
-+ if (NT_STATUS_IS_OK(status)) {
-+ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
-+ authenticate);
-+ }
-+ TALLOC_FREE(authenticate);
-+ }
-+ }
-+
- /*
- * We always include the MIC, even without:
- * av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
---
-2.21.0
-
-
-From 9a4a76ad58a96903129d1aef0c5ac05a9beeda4b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 1 Apr 2019 15:59:10 +0200
-Subject: [PATCH 05/11] auth:creds: Prefer the principal over DOMAIN/username
- when using NTLM
-
-If we want to authenticate using -Wadmin@otherdomain the DC should do
-take care of the authentication with the right DC for us.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Pair-Programmed-With: Guenther Deschner <gd@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
----
- auth/credentials/credentials.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index 4663185c979..7ef58d0752c 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
- const char **username,
- const char **domain)
- {
-- if (cred->principal_obtained > cred->username_obtained) {
-+ if (cred->principal_obtained >= cred->username_obtained) {
- *domain = talloc_strdup(mem_ctx, "");
- *username = cli_credentials_get_principal(cred, mem_ctx);
- } else {
---
-2.21.0
-
-
-From 40267b96b2d596bf92139bbc794337fa828e63d5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 1 Apr 2019 16:39:45 +0200
-Subject: [PATCH 06/11] s3:libnet: Use more secure name for the JOIN krb5.conf
-
-Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
----
- source3/libnet/libnet_join.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index ddc00f7ad7c..e052306523d 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
- }
-
- /* The domain parameter is only used as modifier
-- * to krb5.conf file name. .JOIN is is not a valid
-+ * to krb5.conf file name. _JOIN_ is is not a valid
- * NetBIOS name so it cannot clash with another domain
- * -- Uri.
- */
-- create_local_private_krb5_conf_for_domain(
-- pre_connect_realm, ".JOIN", sitename, &ss);
-+ create_local_private_krb5_conf_for_domain(pre_connect_realm,
-+ "_JOIN_",
-+ sitename,
-+ &ss);
- }
-
- status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
---
-2.21.0
-
-
-From cdc7199588e89eec42f30d0ea00f406911739763 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 1 Apr 2019 16:47:26 +0200
-Subject: [PATCH 07/11] s3:libads: Make sure we can lookup KDCs which are not
- configured
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Pair-Programmed-With: Guenther Deschner <gd@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
----
- source3/libads/kerberos.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index e623f2456a8..360cdd741da 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -673,11 +673,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
- }
- #endif
-
-+ /*
-+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
-+ * KDCs which are not configured via DNS SRV records, eg. if we do:
-+ *
-+ * net ads join -Uadmin@otherdomain
-+ */
- file_contents =
- talloc_asprintf(fname,
-- "[libdefaults]\n\tdefault_realm = %s\n"
-+ "[libdefaults]\n"
-+ "\tdefault_realm = %s\n"
- "%s"
-- "\tdns_lookup_realm = false\n\n"
-+ "\tdns_lookup_realm = false\n"
-+ "\tdns_lookup_kdc = true\n\n"
- "[realms]\n\t%s = {\n"
- "%s\t}\n"
- "%s\n",
---
-2.21.0
-
-
-From 85d85aa3f79ab0a4c3f3f3aad94d7ed545992a45 Mon Sep 17 00:00:00 2001
-From: Guenther Deschner <gd@samba.org>
-Date: Mon, 1 Apr 2019 17:40:03 +0200
-Subject: [PATCH 08/11] s3:ldap: Leave add machine code early for pre-existing
- accounts
-
-This avoids numerous LDAP constraint violation errors when we try to
-re-precreate an already existing machine account.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
----
- source3/libads/ldap.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index 110f74a2dbb..e191ea792a8 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
- goto done;
- }
-
-+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
-+ ads_msgfree(ads, res);
-+ if (ADS_ERR_OK(ret)) {
-+ DBG_DEBUG("Host account for %s already exists.\n",
-+ machine_escaped);
-+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
-+ goto done;
-+ }
-+
- new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
- samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
-
-@@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
-
- done:
- SAFE_FREE(machine_escaped);
-- ads_msgfree(ads, res);
- talloc_destroy(ctx);
-
- return ret;
---
-2.21.0
-
-
-From ff8c3e197107621f9398515120a33239940a507b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 2 Apr 2019 13:14:06 +0200
-Subject: [PATCH 09/11] s3-libnet_join: always pass down admin domain to ads
- layer
-
-Otherwise we could loose the information that a non-default domain name
-has been used for admin creds.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)
----
- source3/libnet/libnet_join.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index e052306523d..fc7429e6a23 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -205,7 +205,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
- password = r->in.machine_password;
- ccname = "MEMORY:libnet_join_machine_creds";
- } else {
-+ char *p = NULL;
-+
- username = r->in.admin_account;
-+
-+ p = strchr(r->in.admin_account, '@');
-+ if (p == NULL) {
-+ username = talloc_asprintf(mem_ctx, "%s@%s",
-+ r->in.admin_account,
-+ r->in.admin_domain);
-+ }
-+ if (username == NULL) {
-+ return ADS_ERROR(LDAP_NO_MEMORY);
-+ }
- password = r->in.admin_password;
-
- /*
---
-2.21.0
-
-
-From a3939fb583bb21abb34ec4179ffeb65e9a621279 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 2 Apr 2019 13:16:11 +0200
-Subject: [PATCH 10/11] s3-libnet_join: setup libnet join error string when AD
- connect fails
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)
----
- source3/libnet/libnet_join.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index fc7429e6a23..6d3fc1fe01f 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2655,6 +2655,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
-
- ads_status = libnet_join_connect_ads_user(mem_ctx, r);
- if (!ADS_ERR_OK(ads_status)) {
-+ libnet_join_set_error_string(mem_ctx, r,
-+ "failed to connect to AD: %s",
-+ ads_errstr(ads_status));
- return WERR_NERR_DEFAULTJOINREQUIRED;
- }
-
---
-2.21.0
-
-
-From d91788b9f257a3e87d9ad460bc4a3e8b8f1d49c3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 2 Apr 2019 13:16:55 +0200
-Subject: [PATCH 11/11] s3-libnet_join: allow fallback to NTLMSSP auth in
- libnet_join
-
-When a non-DNS and non-default admin domain is provided during the join
-sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME'
-(e.g. when the winbind krb5 locator is not installed). In that case lets
-fallback to NTLMSSP, like we do in winbind.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144
-
-(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)
----
- source3/libnet/libnet_join.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 6d3fc1fe01f..b876d7ea89f 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
- return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
- }
-
-+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+
- if (user_name) {
- SAFE_FREE(my_ads->auth.user_name);
- my_ads->auth.user_name = SMB_STRDUP(user_name);
---
-2.21.0
-
diff --git a/SOURCES/samba-4.9-fix_net_ads_krb5.patch b/SOURCES/samba-4.9-fix_net_ads_krb5.patch
deleted file mode 100644
index a8aedde..0000000
--- a/SOURCES/samba-4.9-fix_net_ads_krb5.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 01b912069337c8dd2eab6be006813dc7fbc2f882 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 17 Dec 2018 11:26:11 -0500
-Subject: [PATCH] s3: net: Do not set NET_FLAGS_ANONYMOUS with -k
-
-This affects net rpc getsid and net rpc changetrustpw commands.
-This avoids an anonymous IPC connection being made when -k is used,
-this only affects net rpc getsid and net rpc changetrustpw commands.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Noel Power <npower@samba.org>
----
- source3/utils/net_rpc.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index b99a036fca1..67fff2f4d1b 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -316,6 +316,12 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
-
- int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
- {
-+ int conn_flags = NET_FLAGS_PDC;
-+
-+ if (!c->opt_user_specified && !c->opt_kerberos) {
-+ conn_flags |= NET_FLAGS_ANONYMOUS;
-+ }
-+
- if (c->display_usage) {
- d_printf( "%s\n"
- "net rpc changetrustpw\n"
-@@ -326,7 +332,7 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
- }
-
- return run_rpc_command(c, NULL, &ndr_table_netlogon,
-- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
-+ conn_flags,
- rpc_changetrustpw_internals,
- argc, argv);
- }
-@@ -863,7 +869,7 @@ int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
- {
- int conn_flags = NET_FLAGS_PDC;
-
-- if (!c->opt_user_specified) {
-+ if (!c->opt_user_specified && !c->opt_kerberos) {
- conn_flags |= NET_FLAGS_ANONYMOUS;
- }
-
---
-2.20.1
-
diff --git a/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch b/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch
deleted file mode 100644
index 013eebc..0000000
--- a/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch
+++ /dev/null
@@ -1,521 +0,0 @@
-From 7c0a36d527800cd9d148c64b24371c76ac73db63 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 10:15:05 +0100
-Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit fad5e4eaeb9202c1b63c42ea09254c17c473e33a)
----
- source3/script/tests/test_smbspool.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
-index d95ed064634..f28c0909334 100755
---- a/source3/script/tests/test_smbspool.sh
-+++ b/source3/script/tests/test_smbspool.sh
-@@ -99,8 +99,8 @@ test_vlp_verify()
- fi
-
- jobid=$(echo "$out" | awk '/[0-9]+/ { print $1 };')
-- if [ $jobid -lt 1000 || $jobid -gt 2000 ]; then
-- echo "failed to get jobid"
-+ if [ -z "$jobid" ] || [ $jobid -lt 100 || [ $jobid -gt 2000 ]; then
-+ echo "Invalid jobid: $jobid"
- echo "$out"
- return 1
- fi
---
-2.20.1
-
-
-From 3cce23b5b863abf2c2352f5a066dc005d9728b18 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 09:40:58 +0100
-Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to
- smbspool
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 43160184d254a57f87bb2adeba47f48d8539533a)
----
- source3/client/smbspool_krb5_wrapper.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index dee3b4c54be..5c4da33238b 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -84,24 +84,36 @@ int main(int argc, char *argv[])
- struct passwd *pwd;
- char gen_cc[PATH_MAX] = {0};
- struct stat sb;
-- char *env;
-+ char *env = NULL;
-+ char auth_info_required[256] = {0};
-+ char device_uri[4096] = {0};
- uid_t uid = (uid_t)-1;
- gid_t gid = (gid_t)-1;
- unsigned long tmp;
- int cmp;
- int rc;
-
-+ env = getenv("DEVICE_URI");
-+ if (env != NULL && strlen(env) > 2) {
-+ snprintf(device_uri, sizeof(device_uri), "%s", env);
-+ }
-+
- /* Check if AuthInfoRequired is set to negotiate */
- env = getenv("AUTH_INFO_REQUIRED");
-
- /* If not set, then just call smbspool. */
-- if (env == NULL) {
-+ if (env == NULL || env[0] == 0) {
- CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
- "execute smbspool");
- goto smbspool;
- } else {
- CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
-
-+ snprintf(auth_info_required,
-+ sizeof(auth_info_required),
-+ "%s",
-+ env);
-+
- cmp = strcmp(env, "username,password");
- if (cmp == 0) {
- CUPS_SMB_DEBUG("Authenticate using username/password - "
-@@ -223,12 +235,18 @@ create_env:
- #else
- {
- extern char **environ;
-- environ = calloc(1, sizeof(*environ));
-+ environ = calloc(3, sizeof(*environ));
- }
- #endif
-
- CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc);
- setenv("KRB5CCNAME", gen_cc, 1);
-+ if (device_uri[0] != '\0') {
-+ setenv("DEVICE_URI", device_uri, 1);
-+ }
-+ if (auth_info_required[0] != '\0') {
-+ setenv("AUTH_INFO_REQUIRED", auth_info_required, 1);
-+ }
-
- smbspool:
- snprintf(smbspool_cmd,
---
-2.20.1
-
-
-From 0c03a0baf57ef4503e98b9e2ddd5695e6c8dd3fd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 4 Jan 2019 09:21:24 +0100
-Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set
- by cups
-
-This should not switch to username,password if cups has been configured
-to use negotiate (Kerberos authentication).
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845)
----
- source3/client/smbspool.c | 32 ++++++++++++++++++++------------
- 1 file changed, 20 insertions(+), 12 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 389e4ea553f..3dbf6be014b 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -60,7 +60,7 @@
- * Local functions...
- */
-
--static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
-+static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
- static void list_devices(void);
- static struct cli_state *smb_complete_connection(const char *, const char *,
- int, const char *, const char *, const char *, const char *, int, bool *need_auth);
-@@ -72,6 +72,8 @@ static char *uri_unescape_alloc(const char *);
- static bool smb_encrypt;
- #endif
-
-+static const char *auth_info_required;
-+
- /*
- * 'main()' - Main entry for SMB backend.
- */
-@@ -185,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */
- }
- }
-
-+ auth_info_required = getenv("AUTH_INFO_REQUIRED");
-+ if (auth_info_required == NULL) {
-+ auth_info_required = "none";
-+ }
-+
- cmp = strncmp(dev_uri, "smb://", 6);
- if (cmp != 0) {
- fprintf(stderr,
-@@ -233,6 +240,10 @@ main(int argc, /* I - Number of command-line arguments */
- server = uri + 6;
- }
-
-+ if (password != empty_str) {
-+ auth_info_required = "username,password";
-+ }
-+
- tmp = server;
-
- if ((sep = strchr_m(tmp, '/')) == NULL) {
-@@ -352,8 +363,7 @@ done:
-
- static int
- get_exit_code(struct cli_state * cli,
-- NTSTATUS nt_status,
-- bool use_kerberos)
-+ NTSTATUS nt_status)
- {
- int i;
-
-@@ -380,10 +390,7 @@ get_exit_code(struct cli_state * cli,
- }
-
- if (cli) {
-- if (use_kerberos)
-- fputs("ATTR: auth-info-required=negotiate\n", stderr);
-- else
-- fputs("ATTR: auth-info-required=username,password\n", stderr);
-+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
- }
-
- /*
-@@ -452,6 +459,7 @@ smb_complete_connection(const char *myname,
- }
-
- if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
-+ auth_info_required = "negotiate";
- use_kerberos = true;
- }
-
-@@ -474,7 +482,7 @@ smb_complete_connection(const char *myname,
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
-
-- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
-+ if (get_exit_code(cli, nt_status) == 2) {
- *need_auth = true;
- }
-
-@@ -488,7 +496,7 @@ smb_complete_connection(const char *myname,
- fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
- nt_errstr(nt_status));
-
-- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
-+ if (get_exit_code(cli, nt_status) == 2) {
- *need_auth = true;
- }
-
-@@ -677,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: %s opening remote spool %s\n",
- nt_errstr(nt_status), title);
-- return get_exit_code(cli, nt_status, false);
-+ return get_exit_code(cli, nt_status);
- }
-
- /*
-@@ -695,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
- tbytes, nbytes, NULL);
- if (!NT_STATUS_IS_OK(status)) {
-- int ret = get_exit_code(cli, status, false);
-+ int ret = get_exit_code(cli, status);
- fprintf(stderr, "ERROR: Error writing spool: %s\n",
- nt_errstr(status));
- fprintf(stderr, "DEBUG: Returning status %d...\n",
-@@ -711,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: %s closing remote spool %s\n",
- nt_errstr(nt_status), title);
-- return get_exit_code(cli, nt_status, false);
-+ return get_exit_code(cli, nt_status);
- } else {
- return (0);
- }
---
-2.20.1
-
-
-From 59c5b1c6bad46ac523504120833080836cdc19a1 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 10:09:14 +0100
-Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title
-
-We can't be sure we can write to the input buffer.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 129ae27946318a075e99c9e6d1bacf8963f72282)
----
- source3/client/smbspool.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 3dbf6be014b..94c7ea368a2 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *,
- int, const char *, const char *, const char *, const char *, int, bool *need_auth);
- static struct cli_state *smb_connect(const char *, const char *, int, const
- char *, const char *, const char *, const char *, bool *need_auth);
--static int smb_print(struct cli_state *, char *, FILE *);
-+static int smb_print(struct cli_state *, const char *, FILE *);
- static char *uri_unescape_alloc(const char *);
- #if 0
- static bool smb_encrypt;
-@@ -655,7 +655,7 @@ kerberos_auth:
-
- static int /* O - 0 = success, non-0 = failure */
- smb_print(struct cli_state * cli, /* I - SMB connection */
-- char *title, /* I - Title/job name */
-+ const char *print_title, /* I - Title/job name */
- FILE * fp)
- { /* I - File to print */
- uint16_t fnum; /* File number */
-@@ -663,12 +663,18 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- tbytes; /* Total bytes read */
- char buffer[8192], /* Buffer for copy */
- *ptr; /* Pointer into title */
-+ char title[1024] = {0};
-+ int len;
- NTSTATUS nt_status;
-
-
- /*
-- * Sanitize the title...
-- */
-+ * Sanitize the title...
-+ */
-+ len = snprintf(title, sizeof(title), "%s", print_title);
-+ if (len != strlen(print_title)) {
-+ return 2;
-+ }
-
- for (ptr = title; *ptr; ptr++) {
- if (!isalnum((int) *ptr) && !isspace((int) *ptr)) {
---
-2.20.1
-
-
-From 912e8b22b3b35c17bce35d10d543cc1505a15c46 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 11:40:30 +0100
-Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling
-
-If we are executed as a CUPS backend, argv[0] is set to the device uri.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-
-(cherry picked from commit 69d7a496d3bf52eaa10e81132bb61430863fdd8a)
----
- source3/client/smbspool.c | 120 ++++++++++++++++++++++++++++++--------
- 1 file changed, 96 insertions(+), 24 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 94c7ea368a2..97d00bdd011 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -99,10 +99,12 @@ main(int argc, /* I - Number of command-line arguments */
- char empty_str[] = "";
- int tries = 0;
- bool need_auth = true;
-- const char *dev_uri;
-+ const char *dev_uri = NULL;
-+ const char *env = NULL;
- const char *config_file = NULL;
- TALLOC_CTX *frame = talloc_stackframe();
-- bool device_uri_cmdline = false;
-+ const char *print_user = NULL;
-+ const char *print_title = NULL;
- const char *print_file = NULL;
- const char *print_copies = NULL;
- int cmp;
-@@ -139,21 +141,81 @@ main(int argc, /* I - Number of command-line arguments */
- }
-
- /*
-- * If we have 6 arguments find out if we have the device_uri from the
-- * command line or the print data
-+ * Find out if we have the device_uri in the command line.
-+ *
-+ * If we are started as a CUPS backend argv[0] is normally the
-+ * device_uri!
- */
-- if (argc == 7) {
-- cmp = strncmp(argv[1], "smb://", 6);
-- if (cmp == 0) {
-- device_uri_cmdline = true;
-+ if (argc == 8) {
-+ /*
-+ * smbspool <uri> <job> <user> <title> <copies> <options> <file>
-+ * 0 1 2 3 4 5 6 7
-+ */
-+
-+ dev_uri = argv[1];
-+
-+ print_user = argv[3];
-+ print_title = argv[4];
-+ print_copies = argv[5];
-+ print_file = argv[7];
-+ } else if (argc == 7) {
-+ int cmp1;
-+ int cmp2;
-+
-+ /*
-+ * <uri> <job> <user> <title> <copies> <options> <file>
-+ * smbspool <uri> <job> <user> <title> <copies> <options>
-+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
-+ */
-+ cmp1 = strncmp(argv[0], "smb://", 6);
-+ cmp2 = strncmp(argv[1], "smb://", 6);
-+
-+ if (cmp1 == 0) {
-+ /*
-+ * <uri> <job> <user> <title> <copies> <options> <file>
-+ * 0 1 2 3 4 5 6
-+ */
-+ dev_uri = argv[0];
-+
-+ print_user = argv[2];
-+ print_title = argv[3];
-+ print_copies = argv[4];
-+ print_file = argv[6];
-+ } else if (cmp2 == 0) {
-+ /*
-+ * smbspool <uri> <job> <user> <title> <copies> <options>
-+ * 0 1 2 3 4 5 6
-+ */
-+ dev_uri = argv[1];
-+
-+ print_user = argv[3];
-+ print_title = argv[4];
-+ print_copies = argv[5];
-+ print_file = NULL;
- } else {
-+ /*
-+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
-+ * 0 1 2 3 4 5 6
-+ */
-+ print_user = argv[2];
-+ print_title = argv[3];
- print_copies = argv[4];
- print_file = argv[6];
- }
-- } else if (argc == 8) {
-- device_uri_cmdline = true;
-- print_copies = argv[5];
-- print_file = argv[7];
-+ } else if (argc == 6) {
-+ /*
-+ * <uri> <job> <user> <title> <copies> <options>
-+ * smbspool <job> <user> <title> <copies> <options> | DEVICE_URI
-+ * 0 1 2 3 4 5
-+ */
-+ cmp = strncmp(argv[0], "smb://", 6);
-+ if (cmp == 0) {
-+ dev_uri = argv[0];
-+ }
-+
-+ print_user = argv[2];
-+ print_title = argv[3];
-+ print_copies = argv[4];
- }
-
- if (print_file != NULL) {
-@@ -178,18 +240,17 @@ main(int argc, /* I - Number of command-line arguments */
- /*
- * Find the URI ...
- */
-- if (device_uri_cmdline) {
-- dev_uri = argv[1];
-- } else {
-- dev_uri = getenv("DEVICE_URI");
-- if (dev_uri == NULL || strlen(dev_uri) == 0) {
-- dev_uri = "";
-+ if (dev_uri == NULL) {
-+ env = getenv("DEVICE_URI");
-+ if (env != NULL && env[0] != '\0') {
-+ dev_uri = env;
- }
- }
-
-- auth_info_required = getenv("AUTH_INFO_REQUIRED");
-- if (auth_info_required == NULL) {
-- auth_info_required = "none";
-+ if (dev_uri == NULL) {
-+ fprintf(stderr,
-+ "ERROR: No valid device URI has been specified\n");
-+ goto done;
- }
-
- cmp = strncmp(dev_uri, "smb://", 6);
-@@ -205,6 +266,11 @@ main(int argc, /* I - Number of command-line arguments */
- goto done;
- }
-
-+ auth_info_required = getenv("AUTH_INFO_REQUIRED");
-+ if (auth_info_required == NULL) {
-+ auth_info_required = "none";
-+ }
-+
- /*
- * Extract the destination from the URI...
- */
-@@ -301,8 +367,14 @@ main(int argc, /* I - Number of command-line arguments */
- load_interfaces();
-
- do {
-- cli = smb_connect(workgroup, server, port, printer,
-- username, password, argv[3], &need_auth);
-+ cli = smb_connect(workgroup,
-+ server,
-+ port,
-+ printer,
-+ username,
-+ password,
-+ print_user,
-+ &need_auth);
- if (cli == NULL) {
- if (need_auth) {
- exit(2);
-@@ -338,7 +410,7 @@ main(int argc, /* I - Number of command-line arguments */
- */
-
- for (i = 0; i < copies; i++) {
-- status = smb_print(cli, argv[4] /* title */ , fp);
-+ status = smb_print(cli, print_title, fp);
- if (status != 0) {
- break;
- }
---
-2.20.1
-
diff --git a/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch b/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch
deleted file mode 100644
index b04c8cc..0000000
--- a/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From be97b5934ca163259676be27d5c254da30080fbe Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 May 2019 16:18:51 +0200
-Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos
- credentials
-
-This is a regression which has been introduced with Samba 4.8.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit fd4b1f4f16aee3e3c9a2cb449655edfed171963a)
----
- source3/client/smbspool.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 97d00bdd011..c404b3a3f69 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -660,7 +660,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */
- * behavior with 3.0.14a
- */
-
-- if (username != NULL && username[0] != '\0') {
-+ if (username == NULL || username[0] == '\0') {
- if (kerberos_ccache_is_valid()) {
- goto kerberos_auth;
- }
---
-2.21.0
-
diff --git a/SOURCES/samba-4.9-fix_testparm_crash.patch b/SOURCES/samba-4.9-fix_testparm_crash.patch
deleted file mode 100644
index 74a8a52..0000000
--- a/SOURCES/samba-4.9-fix_testparm_crash.patch
+++ /dev/null
@@ -1,2126 +0,0 @@
-From 425bed0731a02b2e310b8835e9b75bff73582d99 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Mon, 9 Jul 2018 17:11:57 +0200
-Subject: [PATCH 01/22] s3:lib/server_contexts: make server_event_ctx and
- server_msg_ctx static
-
-server_event_ctx and server_msg_ctx static shouldn't be accessible from
-outside this compilation unit.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit d920a725ee19215190bbccaefd5b426bedc98860)
----
- source3/lib/server_contexts.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/lib/server_contexts.c b/source3/lib/server_contexts.c
-index 50072e680b6..b21cf0a4c81 100644
---- a/source3/lib/server_contexts.c
-+++ b/source3/lib/server_contexts.c
-@@ -21,7 +21,7 @@
- #include "includes.h"
- #include "messages.h"
-
--struct tevent_context *server_event_ctx = NULL;
-+static struct tevent_context *server_event_ctx = NULL;
-
- struct tevent_context *server_event_context(void)
- {
-@@ -44,7 +44,7 @@ void server_event_context_free(void)
- TALLOC_FREE(server_event_ctx);
- }
-
--struct messaging_context *server_msg_ctx = NULL;
-+static struct messaging_context *server_msg_ctx = NULL;
-
- struct messaging_context *server_messaging_context(void)
- {
---
-2.13.6
-
-
-From 1e8feaa20bfba475d6e2cbe69b5e1447586a7411 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 13 Aug 2018 15:07:20 -0700
-Subject: [PATCH 02/22] s3/lib:popt_common: Move setup_logging to common
- callback
-
-The flag is set in the common callback, so be consistent
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit dff1028e8ba4c70e726283c12531853681034014)
----
- source3/lib/popt_common.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
-index cc93a756c3b..454884fbb5c 100644
---- a/source3/lib/popt_common.c
-+++ b/source3/lib/popt_common.c
-@@ -93,6 +93,10 @@ static void popt_common_callback(poptContext con,
- }
- }
-
-+ if (override_logfile) {
-+ setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE );
-+ }
-+
- /* Further 'every Samba program must do this' hooks here. */
- return;
- }
-@@ -288,10 +292,6 @@ static void popt_common_credentials_callback(poptContext con,
- if (reason == POPT_CALLBACK_REASON_POST) {
- bool ok;
-
-- if (override_logfile) {
-- setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE );
-- }
--
- ok = lp_load_client(get_dyn_CONFIGFILE());
- if (!ok) {
- const char *pname = poptGetInvocationName(con);
---
-2.13.6
-
-
-From a1954bee751b35c3888be7c3c36ce59bb857e3f3 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 13 Aug 2018 15:39:08 -0700
-Subject: [PATCH 03/22] s3:lib: Move popt_common_credentials to separate file
-
-This is only used by command line utilities and has additional
-dependencies. Move to a separate file to contain the dependencies to the
-command line tools.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit b7464fd89bc22b71c82bbaa424bcbfcf947db651)
----
- source3/client/client.c | 2 +-
- source3/include/popt_common.h | 10 --
- source3/include/popt_common_cmdline.h | 47 +++++++
- source3/lib/popt_common.c | 208 -----------------------------
- source3/lib/popt_common_cmdline.c | 241 ++++++++++++++++++++++++++++++++++
- source3/rpcclient/cmd_spoolss.c | 2 +-
- source3/rpcclient/rpcclient.c | 2 +-
- source3/rpcclient/wscript_build | 2 +-
- source3/utils/net.c | 2 +-
- source3/utils/regedit.c | 2 +-
- source3/utils/smbcacls.c | 2 +-
- source3/utils/smbcquotas.c | 2 +-
- source3/utils/smbget.c | 2 +-
- source3/utils/smbtree.c | 2 +-
- source3/utils/wscript_build | 14 +-
- source3/wscript_build | 9 +-
- 16 files changed, 313 insertions(+), 236 deletions(-)
- create mode 100644 source3/include/popt_common_cmdline.h
- create mode 100644 source3/lib/popt_common_cmdline.c
-
-diff --git a/source3/client/client.c b/source3/client/client.c
-index 25ba01d6216..2f193459d5d 100644
---- a/source3/client/client.c
-+++ b/source3/client/client.c
-@@ -23,7 +23,7 @@
-
- #include "includes.h"
- #include "system/filesys.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpc_client/cli_pipe.h"
- #include "client/client_proto.h"
- #include "client/clitar_proto.h"
-diff --git a/source3/include/popt_common.h b/source3/include/popt_common.h
-index a8c778473e9..e001a5369b7 100644
---- a/source3/include/popt_common.h
-+++ b/source3/include/popt_common.h
-@@ -21,7 +21,6 @@
- #define _POPT_COMMON_H
-
- #include <popt.h>
--#include "auth_info.h"
-
- /* Common popt structures */
- extern struct poptOption popt_common_samba[];
-@@ -41,19 +40,10 @@ extern const struct poptOption popt_common_dynconfig[];
- #define POPT_COMMON_CONNECTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_connection, 0, "Connection options:", NULL },
- #define POPT_COMMON_VERSION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_version, 0, "Common samba options:", NULL },
- #define POPT_COMMON_CONFIGFILE { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_configfile, 0, "Common samba config:", NULL },
--#define POPT_COMMON_CREDENTIALS { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_credentials, 0, "Authentication options:", NULL },
- #define POPT_COMMON_DYNCONFIG { NULL, 0, POPT_ARG_INCLUDE_TABLE, \
- discard_const_p(poptOption, popt_common_dynconfig), 0, \
- "Build-time configuration overrides:", NULL },
- #define POPT_COMMON_DEBUGLEVEL { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_debuglevel, 0, "Common samba debugging:", NULL },
- #define POPT_COMMON_OPTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_option, 0, "Common samba commandline config:", NULL },
-
--struct user_auth_info *popt_get_cmdline_auth_info(void);
--void popt_free_cmdline_auth_info(void);
--
--void popt_common_credentials_set_ignore_missing_conf(void);
--void popt_common_credentials_set_delay_post(void);
--void popt_common_credentials_post(void);
--void popt_burn_cmdline_password(int argc, char *argv[]);
--
- #endif /* _POPT_COMMON_H */
-diff --git a/source3/include/popt_common_cmdline.h b/source3/include/popt_common_cmdline.h
-new file mode 100644
-index 00000000000..21130cff071
---- /dev/null
-+++ b/source3/include/popt_common_cmdline.h
-@@ -0,0 +1,47 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+ Common popt arguments
-+ Copyright (C) Jelmer Vernooij 2003
-+ Copyright (C) Christof Schmitt 2018
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+
-+#ifndef _POPT_COMMON_CREDENTIALS_H
-+#define _POPT_COMMON_CREDENTIALS_H
-+
-+#include "popt_common.h"
-+
-+extern struct poptOption popt_common_credentials[];
-+#define POPT_COMMON_CREDENTIALS \
-+ { \
-+ NULL, \
-+ 0, \
-+ POPT_ARG_INCLUDE_TABLE, \
-+ popt_common_credentials, \
-+ 0, \
-+ "Authentication options:", \
-+ NULL \
-+ },
-+
-+struct user_auth_info *popt_get_cmdline_auth_info(void);
-+void popt_free_cmdline_auth_info(void);
-+
-+void popt_common_credentials_set_ignore_missing_conf(void);
-+void popt_common_credentials_set_delay_post(void);
-+void popt_common_credentials_post(void);
-+void popt_burn_cmdline_password(int argc, char *argv[]);
-+
-+#endif
-diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
-index 454884fbb5c..11db080c82d 100644
---- a/source3/lib/popt_common.c
-+++ b/source3/lib/popt_common.c
-@@ -213,211 +213,3 @@ struct poptOption popt_common_option[] = {
- { "option", 0, POPT_ARG_STRING, NULL, OPT_OPTION, "Set smb.conf option from command line", "name=value" },
- POPT_TABLEEND
- };
--
--/* Handle command line options:
-- * -U,--user
-- * -A,--authentication-file
-- * -k,--use-kerberos
-- * -N,--no-pass
-- * -S,--signing
-- * -P --machine-pass
-- * -e --encrypt
-- * -C --use-ccache
-- */
--
--static struct user_auth_info *cmdline_auth_info;
--
--struct user_auth_info *popt_get_cmdline_auth_info(void)
--{
-- return cmdline_auth_info;
--}
--void popt_free_cmdline_auth_info(void)
--{
-- TALLOC_FREE(cmdline_auth_info);
--}
--
--static bool popt_common_credentials_ignore_missing_conf;
--static bool popt_common_credentials_delay_post;
--
--void popt_common_credentials_set_ignore_missing_conf(void)
--{
-- popt_common_credentials_delay_post = true;
--}
--
--void popt_common_credentials_set_delay_post(void)
--{
-- popt_common_credentials_delay_post = true;
--}
--
--void popt_common_credentials_post(void)
--{
-- if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) &&
-- !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info))
-- {
-- fprintf(stderr,
-- "Failed to use machine account credentials\n");
-- exit(1);
-- }
--
-- set_cmdline_auth_info_getpass(cmdline_auth_info);
--
-- /*
-- * When we set the username during the handling of the options passed to
-- * the binary we haven't loaded the config yet. This means that we
-- * didnn't take the 'winbind separator' into account.
-- *
-- * The username might contain the domain name and thus it hasn't been
-- * correctly parsed yet. If we have a username we need to set it again
-- * to run the string parser for the username correctly.
-- */
-- reset_cmdline_auth_info_username(cmdline_auth_info);
--}
--
--static void popt_common_credentials_callback(poptContext con,
-- enum poptCallbackReason reason,
-- const struct poptOption *opt,
-- const char *arg, const void *data)
--{
-- if (reason == POPT_CALLBACK_REASON_PRE) {
-- struct user_auth_info *auth_info =
-- user_auth_info_init(NULL);
-- if (auth_info == NULL) {
-- fprintf(stderr, "user_auth_info_init() failed\n");
-- exit(1);
-- }
-- cmdline_auth_info = auth_info;
-- return;
-- }
--
-- if (reason == POPT_CALLBACK_REASON_POST) {
-- bool ok;
--
-- ok = lp_load_client(get_dyn_CONFIGFILE());
-- if (!ok) {
-- const char *pname = poptGetInvocationName(con);
--
-- fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n",
-- pname, get_dyn_CONFIGFILE());
-- if (!popt_common_credentials_ignore_missing_conf) {
-- exit(1);
-- }
-- }
--
-- load_interfaces();
--
-- set_cmdline_auth_info_guess(cmdline_auth_info);
--
-- if (popt_common_credentials_delay_post) {
-- return;
-- }
--
-- popt_common_credentials_post();
-- return;
-- }
--
-- switch(opt->val) {
-- case 'U':
-- set_cmdline_auth_info_username(cmdline_auth_info, arg);
-- break;
--
-- case 'A':
-- set_cmdline_auth_info_from_file(cmdline_auth_info, arg);
-- break;
--
-- case 'k':
--#ifndef HAVE_KRB5
-- d_printf("No kerberos support compiled in\n");
-- exit(1);
--#else
-- set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info);
--#endif
-- break;
--
-- case 'S':
-- if (!set_cmdline_auth_info_signing_state(cmdline_auth_info,
-- arg)) {
-- fprintf(stderr, "Unknown signing option %s\n", arg );
-- exit(1);
-- }
-- break;
-- case 'P':
-- set_cmdline_auth_info_use_machine_account(cmdline_auth_info);
-- break;
-- case 'N':
-- set_cmdline_auth_info_password(cmdline_auth_info, "");
-- break;
-- case 'e':
-- set_cmdline_auth_info_smb_encrypt(cmdline_auth_info);
-- break;
-- case 'C':
-- set_cmdline_auth_info_use_ccache(cmdline_auth_info, true);
-- break;
-- case 'H':
-- set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true);
-- break;
-- }
--}
--
--/**
-- * @brief Burn the commandline password.
-- *
-- * This function removes the password from the command line so we
-- * don't leak the password e.g. in 'ps aux'.
-- *
-- * It should be called after processing the options and you should pass down
-- * argv from main().
-- *
-- * @param[in] argc The number of arguments.
-- *
-- * @param[in] argv[] The argument array we will find the array.
-- */
--void popt_burn_cmdline_password(int argc, char *argv[])
--{
-- bool found = false;
-- char *p = NULL;
-- int i, ulen = 0;
--
-- for (i = 0; i < argc; i++) {
-- p = argv[i];
-- if (strncmp(p, "-U", 2) == 0) {
-- ulen = 2;
-- found = true;
-- } else if (strncmp(p, "--user", 6) == 0) {
-- ulen = 6;
-- found = true;
-- }
--
-- if (found) {
-- if (p == NULL) {
-- return;
-- }
--
-- if (strlen(p) == ulen) {
-- continue;
-- }
--
-- p = strchr_m(p, '%');
-- if (p != NULL) {
-- memset(p, '\0', strlen(p));
-- }
-- found = false;
-- }
-- }
--}
--
--struct poptOption popt_common_credentials[] = {
-- { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
-- (void *)popt_common_credentials_callback, 0, NULL },
-- { "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "USERNAME" },
-- { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N', "Don't ask for a password" },
-- { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" },
-- { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
-- { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
-- {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password" },
-- {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport" },
-- {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C',
-- "Use the winbind ccache for authentication" },
-- {"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H',
-- "The supplied password is the NT hash" },
-- POPT_TABLEEND
--};
-diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c
-new file mode 100644
-index 00000000000..57f77e0868a
---- /dev/null
-+++ b/source3/lib/popt_common_cmdline.c
-@@ -0,0 +1,241 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+ Common popt routines only used by cmdline utils
-+
-+ Copyright (C) Tim Potter 2001,2002
-+ Copyright (C) Jelmer Vernooij 2002,2003
-+ Copyright (C) James Peach 2006
-+ Copyright (C) Christof Schmitt 2018
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+/* Handle command line options:
-+ * -U,--user
-+ * -A,--authentication-file
-+ * -k,--use-kerberos
-+ * -N,--no-pass
-+ * -S,--signing
-+ * -P --machine-pass
-+ * -e --encrypt
-+ * -C --use-ccache
-+ */
-+
-+#include "popt_common_cmdline.h"
-+#include "includes.h"
-+#include "auth_info.h"
-+
-+static struct user_auth_info *cmdline_auth_info;
-+
-+struct user_auth_info *popt_get_cmdline_auth_info(void)
-+{
-+ return cmdline_auth_info;
-+}
-+void popt_free_cmdline_auth_info(void)
-+{
-+ TALLOC_FREE(cmdline_auth_info);
-+}
-+
-+static bool popt_common_credentials_ignore_missing_conf;
-+static bool popt_common_credentials_delay_post;
-+
-+void popt_common_credentials_set_ignore_missing_conf(void)
-+{
-+ popt_common_credentials_delay_post = true;
-+}
-+
-+void popt_common_credentials_set_delay_post(void)
-+{
-+ popt_common_credentials_delay_post = true;
-+}
-+
-+void popt_common_credentials_post(void)
-+{
-+ if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) &&
-+ !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info))
-+ {
-+ fprintf(stderr,
-+ "Failed to use machine account credentials\n");
-+ exit(1);
-+ }
-+
-+ set_cmdline_auth_info_getpass(cmdline_auth_info);
-+
-+ /*
-+ * When we set the username during the handling of the options passed to
-+ * the binary we haven't loaded the config yet. This means that we
-+ * didn't take the 'winbind separator' into account.
-+ *
-+ * The username might contain the domain name and thus it hasn't been
-+ * correctly parsed yet. If we have a username we need to set it again
-+ * to run the string parser for the username correctly.
-+ */
-+ reset_cmdline_auth_info_username(cmdline_auth_info);
-+}
-+
-+static void popt_common_credentials_callback(poptContext con,
-+ enum poptCallbackReason reason,
-+ const struct poptOption *opt,
-+ const char *arg, const void *data)
-+{
-+ if (reason == POPT_CALLBACK_REASON_PRE) {
-+ struct user_auth_info *auth_info =
-+ user_auth_info_init(NULL);
-+ if (auth_info == NULL) {
-+ fprintf(stderr, "user_auth_info_init() failed\n");
-+ exit(1);
-+ }
-+ cmdline_auth_info = auth_info;
-+ return;
-+ }
-+
-+ if (reason == POPT_CALLBACK_REASON_POST) {
-+ bool ok;
-+
-+ ok = lp_load_client(get_dyn_CONFIGFILE());
-+ if (!ok) {
-+ const char *pname = poptGetInvocationName(con);
-+
-+ fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n",
-+ pname, get_dyn_CONFIGFILE());
-+ if (!popt_common_credentials_ignore_missing_conf) {
-+ exit(1);
-+ }
-+ }
-+
-+ load_interfaces();
-+
-+ set_cmdline_auth_info_guess(cmdline_auth_info);
-+
-+ if (popt_common_credentials_delay_post) {
-+ return;
-+ }
-+
-+ popt_common_credentials_post();
-+ return;
-+ }
-+
-+ switch(opt->val) {
-+ case 'U':
-+ set_cmdline_auth_info_username(cmdline_auth_info, arg);
-+ break;
-+
-+ case 'A':
-+ set_cmdline_auth_info_from_file(cmdline_auth_info, arg);
-+ break;
-+
-+ case 'k':
-+#ifndef HAVE_KRB5
-+ d_printf("No kerberos support compiled in\n");
-+ exit(1);
-+#else
-+ set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info);
-+#endif
-+ break;
-+
-+ case 'S':
-+ if (!set_cmdline_auth_info_signing_state(cmdline_auth_info,
-+ arg)) {
-+ fprintf(stderr, "Unknown signing option %s\n", arg );
-+ exit(1);
-+ }
-+ break;
-+ case 'P':
-+ set_cmdline_auth_info_use_machine_account(cmdline_auth_info);
-+ break;
-+ case 'N':
-+ set_cmdline_auth_info_password(cmdline_auth_info, "");
-+ break;
-+ case 'e':
-+ set_cmdline_auth_info_smb_encrypt(cmdline_auth_info);
-+ break;
-+ case 'C':
-+ set_cmdline_auth_info_use_ccache(cmdline_auth_info, true);
-+ break;
-+ case 'H':
-+ set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true);
-+ break;
-+ }
-+}
-+
-+/**
-+ * @brief Burn the commandline password.
-+ *
-+ * This function removes the password from the command line so we
-+ * don't leak the password e.g. in 'ps aux'.
-+ *
-+ * It should be called after processing the options and you should pass down
-+ * argv from main().
-+ *
-+ * @param[in] argc The number of arguments.
-+ *
-+ * @param[in] argv[] The argument array we will find the array.
-+ */
-+void popt_burn_cmdline_password(int argc, char *argv[])
-+{
-+ bool found = false;
-+ char *p = NULL;
-+ int i, ulen = 0;
-+
-+ for (i = 0; i < argc; i++) {
-+ p = argv[i];
-+ if (strncmp(p, "-U", 2) == 0) {
-+ ulen = 2;
-+ found = true;
-+ } else if (strncmp(p, "--user", 6) == 0) {
-+ ulen = 6;
-+ found = true;
-+ }
-+
-+ if (found) {
-+ if (p == NULL) {
-+ return;
-+ }
-+
-+ if (strlen(p) == ulen) {
-+ continue;
-+ }
-+
-+ p = strchr_m(p, '%');
-+ if (p != NULL) {
-+ memset(p, '\0', strlen(p));
-+ }
-+ found = false;
-+ }
-+ }
-+}
-+
-+struct poptOption popt_common_credentials[] = {
-+ { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
-+ (void *)popt_common_credentials_callback, 0, NULL },
-+ { "user", 'U', POPT_ARG_STRING, NULL, 'U',
-+ "Set the network username", "USERNAME" },
-+ { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N',
-+ "Don't ask for a password" },
-+ { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',
-+ "Use kerberos (active directory) authentication" },
-+ { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A',
-+ "Get the credentials from a file", "FILE" },
-+ { "signing", 'S', POPT_ARG_STRING, NULL, 'S',
-+ "Set the client signing state", "on|off|required" },
-+ {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P',
-+ "Use stored machine account password" },
-+ {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e',
-+ "Encrypt SMB transport" },
-+ {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C',
-+ "Use the winbind ccache for authentication" },
-+ {"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H',
-+ "The supplied password is the NT hash" },
-+ POPT_TABLEEND
-+};
-diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
-index 1d24476e9a5..8d330afdeb0 100644
---- a/source3/rpcclient/cmd_spoolss.c
-+++ b/source3/rpcclient/cmd_spoolss.c
-@@ -33,7 +33,7 @@
- #include "../libcli/security/security_descriptor.h"
- #include "../libcli/registry/util_reg.h"
- #include "libsmb/libsmb.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
-
- #define RPCCLIENT_PRINTERNAME(_printername, _cli, _arg) \
- { \
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index b4e25e6e479..f7e196226cf 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -21,7 +21,7 @@
-
- #include "includes.h"
- #include "../libcli/auth/netlogon_creds_cli.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpcclient.h"
- #include "../libcli/auth/libcli_auth.h"
- #include "../librpc/gen_ndr/ndr_lsa_c.h"
-diff --git a/source3/rpcclient/wscript_build b/source3/rpcclient/wscript_build
-index c24a5670db9..11a64f3248a 100644
---- a/source3/rpcclient/wscript_build
-+++ b/source3/rpcclient/wscript_build
-@@ -25,7 +25,7 @@ bld.SAMBA3_BINARY('rpcclient',
- ''',
- deps='''
- talloc
-- popt_samba3
-+ popt_samba3_cmdline
- pdb
- libsmb
- smbconf
-diff --git a/source3/utils/net.c b/source3/utils/net.c
-index 44daa6088ca..76b8677bf78 100644
---- a/source3/utils/net.c
-+++ b/source3/utils/net.c
-@@ -41,7 +41,7 @@
- /*****************************************************/
-
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "utils/net.h"
- #include "secrets.h"
- #include "lib/netapi/netapi.h"
-diff --git a/source3/utils/regedit.c b/source3/utils/regedit.c
-index 27bd6f8f2c2..20115ae1624 100644
---- a/source3/utils/regedit.c
-+++ b/source3/utils/regedit.c
-@@ -18,7 +18,7 @@
- */
-
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "lib/util/data_blob.h"
- #include "lib/registry/registry.h"
- #include "regedit.h"
-diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
-index 0a5eeb31d0b..33eb78c41ec 100644
---- a/source3/utils/smbcacls.c
-+++ b/source3/utils/smbcacls.c
-@@ -22,7 +22,7 @@
- */
-
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpc_client/cli_pipe.h"
- #include "../librpc/gen_ndr/ndr_lsa.h"
- #include "rpc_client/cli_lsarpc.h"
-diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
-index 798b8b6f177..a4b1b8111a5 100644
---- a/source3/utils/smbcquotas.c
-+++ b/source3/utils/smbcquotas.c
-@@ -22,7 +22,7 @@
- */
-
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpc_client/cli_pipe.h"
- #include "../librpc/gen_ndr/ndr_lsa.h"
- #include "rpc_client/cli_lsarpc.h"
-diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
-index e1be42917fb..37462fa131f 100644
---- a/source3/utils/smbget.c
-+++ b/source3/utils/smbget.c
-@@ -18,7 +18,7 @@
-
- #include "includes.h"
- #include "system/filesys.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "libsmbclient.h"
-
- static int columns = 0;
-diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
-index 3b539ef1045..fb0f165a18d 100644
---- a/source3/utils/smbtree.c
-+++ b/source3/utils/smbtree.c
-@@ -20,7 +20,7 @@
- */
-
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpc_client/cli_pipe.h"
- #include "../librpc/gen_ndr/ndr_srvsvc_c.h"
- #include "libsmb/libsmb.h"
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 93e6abaac0d..67bb87e7a74 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -27,7 +27,7 @@ bld.SAMBA3_BINARY('smbtree',
- smbconf
- libsmb
- msrpc3
-- popt_samba3
-+ popt_samba3_cmdline
- RPC_NDR_SRVSVC''')
-
- bld.SAMBA3_BINARY('smbpasswd',
-@@ -52,7 +52,7 @@ bld.SAMBA3_BINARY('smbget',
- source='smbget.c',
- deps='''
- talloc
-- popt_samba3
-+ popt_samba3_cmdline
- smbclient''')
-
- bld.SAMBA3_BINARY('nmblookup',
-@@ -67,7 +67,7 @@ bld.SAMBA3_BINARY('smbcacls',
- source='smbcacls.c ../lib/util_sd.c',
- deps='''
- talloc
-- popt_samba3
-+ popt_samba3_cmdline
- msrpc3
- libcli_lsa3
- krb5samba''')
-@@ -76,7 +76,7 @@ bld.SAMBA3_BINARY('smbcquotas',
- source='smbcquotas.c',
- deps='''
- talloc
-- popt_samba3
-+ popt_samba3_cmdline
- libsmb
- msrpc3
- libcli_lsa3''')
-@@ -150,7 +150,9 @@ bld.SAMBA3_BINARY('samba-regedit',
- regedit_wrap.c regedit_treeview.c
- regedit_valuelist.c regedit_dialog.c
- regedit_hexedit.c regedit_list.c""",
-- deps='ncurses menu panel form registry smbconf popt_samba3',
-+ deps='''
-+ ncurses menu panel form registry smbconf popt_samba3_cmdline
-+ ''',
- enabled=bld.env.build_regedit)
-
- bld.SAMBA3_BINARY('testparm',
-@@ -217,7 +219,7 @@ bld.SAMBA3_BINARY('net',
- netapi
- addns
- samba_intl
-- popt_samba3
-+ popt_samba3_cmdline
- pdb
- libsmb
- smbconf
-diff --git a/source3/wscript_build b/source3/wscript_build
-index c7c69a9bee1..5ecf23d531d 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -268,7 +268,12 @@ bld.SAMBA3_SUBSYSTEM('REG_FULL',
-
- bld.SAMBA3_LIBRARY('popt_samba3',
- source='lib/popt_common.c',
-- deps='popt samba-util util_cmdline',
-+ deps='popt samba-util smbconf',
-+ private_library=True)
-+
-+bld.SAMBA3_LIBRARY('popt_samba3_cmdline',
-+ source='lib/popt_common_cmdline.c',
-+ deps='popt_samba3 util_cmdline',
- private_library=True)
-
- bld.SAMBA3_LIBRARY('util_cmdline',
-@@ -1094,7 +1099,7 @@ bld.SAMBA3_BINARY('client/smbclient',
- ''',
- deps='''
- talloc
-- popt_samba3
-+ popt_samba3_cmdline
- smbconf
- ndr-standard
- SMBREADLINE
---
-2.13.6
-
-
-From a98b2df2121c129326c64e35ba63e780aeb44a19 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 14:44:28 -0700
-Subject: [PATCH 04/22] s3:lib: Introduce cmdline context wrapper
-
-Command line tools need acccess to the same messaging context provided
-by server_messaging_context, as common code for db_open uses that
-context. We want to have additional checking for command line tools
-without having that code part of the servers. Introduce a wrapper
-library to use for command line tools with the additional checks, that
-then acquires the server_messaging_context.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 8c3b62e6231e62feafacf2a7ee4c9d41cd27a4a1)
----
- source3/lib/cmdline_contexts.c | 70 ++++++++++++++++++++++++++++++++++++++++++
- source3/lib/cmdline_contexts.h | 27 ++++++++++++++++
- source3/wscript_build | 5 +++
- 3 files changed, 102 insertions(+)
- create mode 100644 source3/lib/cmdline_contexts.c
- create mode 100644 source3/lib/cmdline_contexts.h
-
-diff --git a/source3/lib/cmdline_contexts.c b/source3/lib/cmdline_contexts.c
-new file mode 100644
-index 00000000000..5713f7f7956
---- /dev/null
-+++ b/source3/lib/cmdline_contexts.c
-@@ -0,0 +1,70 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+ cmdline context wrapper.
-+
-+ Copyright (C) Christof Schmitt <cs@samba.org> 2018
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "cmdline_contexts.h"
-+#include "includes.h"
-+#include "messages.h"
-+
-+struct messaging_context *cmdline_messaging_context(const char *config_file)
-+{
-+ struct messaging_context *msg_ctx = NULL;
-+
-+ /*
-+ * Ensure that a config is loaded, in case the underlying
-+ * messaging_init needs to create directories or sockets.
-+ */
-+ if (!lp_loaded()) {
-+ if (!lp_load_initial_only(config_file)) {
-+ return NULL;
-+ }
-+ }
-+
-+ /*
-+ * Clustered Samba can only work as root due to required
-+ * access to the registry and ctdb, which in turn requires
-+ * messaging access as root.
-+ */
-+ if (lp_clustering() && geteuid() != 0) {
-+ fprintf(stderr, "Cluster mode requires running as root.\n");
-+ exit(1);
-+ }
-+
-+ msg_ctx = server_messaging_context();
-+ if (msg_ctx == NULL) {
-+ if (geteuid() == 0) {
-+ fprintf(stderr,
-+ "Unable to initialize messaging context!\n");
-+ exit(1);
-+ } else {
-+ /*
-+ * Non-cluster, non-root: Log error, but leave
-+ * it up to the caller how to proceed.
-+ */
-+ DBG_NOTICE("Unable to initialize messaging context.\n");
-+ }
-+ }
-+
-+ return msg_ctx;
-+}
-+
-+void cmdline_messaging_context_free(void)
-+{
-+ server_messaging_context_free();
-+}
-diff --git a/source3/lib/cmdline_contexts.h b/source3/lib/cmdline_contexts.h
-new file mode 100644
-index 00000000000..21f81f0f1cd
---- /dev/null
-+++ b/source3/lib/cmdline_contexts.h
-@@ -0,0 +1,27 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+ cmdline context wrapper.
-+
-+ Copyright (C) Christof Schmitt <cs@samba.org> 2018
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#ifndef _LIB_CMDLINE_CONTEXTS_H
-+#define _LIB_CMDLINE_CONTEXTS_H
-+
-+struct messaging_context *cmdline_messaging_context(const char *config_file);
-+void cmdline_messaging_context_free(void);
-+
-+#endif
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 5ecf23d531d..6fb09f7fbeb 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -281,6 +281,11 @@ bld.SAMBA3_LIBRARY('util_cmdline',
- deps='secrets3',
- private_library=True)
-
-+bld.SAMBA3_LIBRARY('cmdline_contexts',
-+ source='lib/cmdline_contexts.c',
-+ deps='samba3core',
-+ private_library=True)
-+
- bld.SAMBA3_SUBSYSTEM('KRBCLIENT',
- source='libads/kerberos.c libads/ads_status.c',
- public_deps='krb5samba asn1util k5crypto gssapi LIBTSOCKET CLDAP LIBNMB')
---
-2.13.6
-
-
-From d5d7a587f7476835bc48aae0dda5e064c2fd573c Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 10 Jul 2018 08:11:31 +0200
-Subject: [PATCH 05/22] s3:loadparm: reinit_globals in
- lp_load_with_registry_shares()
-
-This was set to false in 0e0d77519c27038b30fec92d542198e97be767d9 based
-on the assumption that callers would have no need to call
-lp_load_initial_only() with a later call to lp_load_something().
-
-This is not quite correct, since for accessing registry config on a
-cluster with include=registry, we need messaging up and running which
-*itself* requires loadparm to be initialized to get the statedir,
-lockdir asf. directories.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit 3aca3f24d4bdacc11278388934b0b411d518d7b0)
----
- source3/param/loadparm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 291ba57e0bb..322934c55f0 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -4120,7 +4120,7 @@ bool lp_load_with_registry_shares(const char *pszFname)
- false, /* global_only */
- true, /* save_defaults */
- false, /* add_ipc */
-- false, /* reinit_globals */
-+ true, /* reinit_globals */
- true, /* allow_include_registry */
- true); /* load_all_shares*/
- }
---
-2.13.6
-
-
-From 88291681f03bb928d31e89717d2a19292f433024 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 10 Jul 2018 10:38:10 +0200
-Subject: [PATCH 06/22] selftest: pass configfile to pdbedit
-
-This is needed otherwise pdbedit fails to initialize messaging in
-autobuild.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit 10e1a6ebb3d95b8a1584a9b90c2584536aa9c96d)
----
- testprogs/blackbox/test_pdbtest.sh | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/testprogs/blackbox/test_pdbtest.sh b/testprogs/blackbox/test_pdbtest.sh
-index 2ffded9af4e..02615094451 100755
---- a/testprogs/blackbox/test_pdbtest.sh
-+++ b/testprogs/blackbox/test_pdbtest.sh
-@@ -44,12 +44,12 @@ send ${NEWUSERPASS}\n
- send ${NEWUSERPASS}\n
- EOF
-
--testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1`
-+testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -s $SMB_CONF -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1`
- USERPASS=$NEWUSERPASS
-
- test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@ || failed=`expr $failed + 1`
-
--testit "modify user" $VALGRIND $pdbedit --modify $USER --drive="D:" $@ || failed=`expr $failed + 1`
-+testit "modify user" $VALGRIND $pdbedit -s $SMB_CONF --modify $USER --drive="D:" $@ || failed=`expr $failed + 1`
-
- test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1`
-
-@@ -87,11 +87,11 @@ test_smbclient "Test login with no expiry (ntlm)" 'ls' "$unc" -k no -U$USER%$NEW
- NEWUSERPASS=testPaSS@03%
- NEWUSERHASH=062519096c45739c1938800f80906731
-
--testit "Set user password with password hash" $VALGRIND $pdbedit -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1`
-+testit "Set user password with password hash" $VALGRIND $pdbedit -s $SMB_CONF -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1`
-
- test_smbclient "Test login with new password (from hash)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS || failed=`expr $failed + 1`
-
--testit "del user" $VALGRIND $pdbedit -x $USER $@ || failed=`expr $failed + 1`
-+testit "del user" $VALGRIND $pdbedit -s $SMB_CONF -x $USER $@ || failed=`expr $failed + 1`
-
- rm ./tmpsmbpasswdscript
-
---
-2.13.6
-
-
-From 31a50b15bfbe2c97ca19313e2536332979bfcef2 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 10 Jul 2018 15:26:40 +0200
-Subject: [PATCH 07/22] s3:popt_common: use cmdline_messaging_context() in
- popt_common_credentials_callback()
-
-This adds a call to cmdline_messaging_context() to the popt
-popt_common_credentials_callback() hook and ensures that any client tool
-that uses POPT_COMMON_CREDENTIALS gets an implicit messaging context,
-ensuring it doesn't crash in the subsequent lp_load_client() with
-include=registry in a cluster.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit 2c63ce94ef3a55ab0aa1aae4f6fee88e29ac2efe)
----
- source3/lib/popt_common_cmdline.c | 8 ++++++++
- source3/wscript_build | 2 +-
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c
-index 57f77e0868a..d1ba90dd43e 100644
---- a/source3/lib/popt_common_cmdline.c
-+++ b/source3/lib/popt_common_cmdline.c
-@@ -35,6 +35,7 @@
- #include "popt_common_cmdline.h"
- #include "includes.h"
- #include "auth_info.h"
-+#include "cmdline_contexts.h"
-
- static struct user_auth_info *cmdline_auth_info;
-
-@@ -101,8 +102,15 @@ static void popt_common_credentials_callback(poptContext con,
- }
-
- if (reason == POPT_CALLBACK_REASON_POST) {
-+ struct messaging_context *msg_ctx = NULL;
- bool ok;
-
-+ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
-+ if (msg_ctx == NULL) {
-+ fprintf(stderr, "Unable to initialize "
-+ "messaging context\n");
-+ }
-+
- ok = lp_load_client(get_dyn_CONFIGFILE());
- if (!ok) {
- const char *pname = poptGetInvocationName(con);
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 6fb09f7fbeb..250b7f1ff52 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -273,7 +273,7 @@ bld.SAMBA3_LIBRARY('popt_samba3',
-
- bld.SAMBA3_LIBRARY('popt_samba3_cmdline',
- source='lib/popt_common_cmdline.c',
-- deps='popt_samba3 util_cmdline',
-+ deps='popt_samba3 util_cmdline cmdline_contexts',
- private_library=True)
-
- bld.SAMBA3_LIBRARY('util_cmdline',
---
-2.13.6
-
-
-From db6cce7786809a96f81c575a3cbbbf87bdec3047 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Tue, 21 Aug 2018 14:58:01 -0700
-Subject: [PATCH 08/22] test:doc: Skip 'clustering=yes'
-
-As testparm will error out when running clustering=yes as non-root, skip
-this step to avoid a test failure.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(backported from commit 3ecb9ed7b079fc1bf74c311cf5f1684086b36883)
----
- python/samba/tests/docs.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
-index 0f029ae02d2..620383caebd 100644
---- a/python/samba/tests/docs.py
-+++ b/python/samba/tests/docs.py
-@@ -163,7 +163,8 @@ import xml.etree.ElementTree as ET
- 'registry shares',
- 'smb ports',
- 'rpc server dynamic port range',
-- 'name resolve order'])
-+ 'name resolve order',
-+ 'clustering'])
- self._test_empty(['bin/testparm'])
-
- def test_default_s4(self):
---
-2.13.6
-
-
-From 7608714a4a0796c8ef747c0cbce160fc3d0fa325 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 15:38:33 -0700
-Subject: [PATCH 09/22] s3:smbpasswd: Use cmdline_messaging_context
-
-smbpasswd does not use POPT_CREDENTIALS. Call cmdline_messaging_context
-to initialize a messaging_context with proper error checking before
-calling lp_load_global.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 29fd2c2e5ad3c2d44f3629c6b7b4139772fe350c)
----
- source3/utils/smbpasswd.c | 17 +++--------------
- source3/utils/wscript_build | 4 +++-
- 2 files changed, 6 insertions(+), 15 deletions(-)
-
-diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
-index 04f34aa9b69..8e2b9d7f80f 100644
---- a/source3/utils/smbpasswd.c
-+++ b/source3/utils/smbpasswd.c
-@@ -23,6 +23,7 @@
- #include "../lib/util/util_pw.h"
- #include "libsmb/proto.h"
- #include "passdb.h"
-+#include "cmdline_contexts.h"
-
- /*
- * Next two lines needed for SunOS and don't
-@@ -196,6 +197,8 @@ static int process_options(int argc, char **argv, int local_flags)
- usage();
- }
-
-+ cmdline_messaging_context(configfile);
-+
- if (!lp_load_global(configfile)) {
- fprintf(stderr, "Can't load %s - run testparm to debug it\n",
- configfile);
-@@ -614,7 +617,6 @@ static int process_nonroot(int local_flags)
- int main(int argc, char **argv)
- {
- TALLOC_CTX *frame = talloc_stackframe();
-- struct messaging_context *msg_ctx = NULL;
- int local_flags = 0;
- int ret;
-
-@@ -632,19 +634,6 @@ int main(int argc, char **argv)
-
- setup_logging("smbpasswd", DEBUG_STDERR);
-
-- msg_ctx = server_messaging_context();
-- if (msg_ctx == NULL) {
-- if (geteuid() != 0) {
-- DBG_NOTICE("Unable to initialize messaging context. "
-- "Must be root to do that.\n");
-- } else {
-- fprintf(stderr,
-- "smbpasswd is not able to initialize the "
-- "messaging context!\n");
-- return 1;
-- }
-- }
--
- /*
- * Set the machine NETBIOS name if not already
- * set from the config file.
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 67bb87e7a74..06a986cada4 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -37,7 +37,9 @@ bld.SAMBA3_BINARY('smbpasswd',
- smbconf
- pdb
- PASSWD_UTIL
-- PASSCHANGE''')
-+ PASSCHANGE
-+ cmdline_contexts
-+ ''')
-
- bld.SAMBA3_BINARY('pdbedit',
- source='pdbedit.c',
---
-2.13.6
-
-
-From 305cf6a251e395c895f04b2590125dec430a08e6 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 15:46:27 -0700
-Subject: [PATCH 10/22] s3:smbstatus: Use cmdline_messaging_context
-
-Use cmdline_messaging_context to initialize a messaging context instead
-of open coding the same steps.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit d7fa3815a83a50fd9e3d78cac0d5ef3eb79235e5)
----
- source3/utils/status.c | 25 +++----------------------
- source3/wscript_build | 1 +
- 2 files changed, 4 insertions(+), 22 deletions(-)
-
-diff --git a/source3/utils/status.c b/source3/utils/status.c
-index d04efedee3f..1d68219a5ac 100644
---- a/source3/utils/status.c
-+++ b/source3/utils/status.c
-@@ -48,6 +48,7 @@
- #include "serverid.h"
- #include "status_profile.h"
- #include "smbd/notifyd/notifyd.h"
-+#include "cmdline_contexts.h"
-
- #define SMB_MAXPIDS 2048
- static uid_t Ucrit_uid = 0; /* added by OH */
-@@ -528,7 +529,6 @@ int main(int argc, const char *argv[])
- };
- TALLOC_CTX *frame = talloc_stackframe();
- int ret = 0;
-- struct tevent_context *ev;
- struct messaging_context *msg_ctx = NULL;
- char *db_path;
- bool ok;
-@@ -607,28 +607,9 @@ int main(int argc, const char *argv[])
- d_printf("using configfile = %s\n", get_dyn_CONFIGFILE());
- }
-
-- if (!lp_load_initial_only(get_dyn_CONFIGFILE())) {
-- fprintf(stderr, "Can't load %s - run testparm to debug it\n",
-- get_dyn_CONFIGFILE());
-- ret = -1;
-- goto done;
-- }
--
--
-- /*
-- * This implicitly initializes the global ctdbd connection,
-- * usable by the db_open() calls further down.
-- */
-- ev = samba_tevent_context_init(NULL);
-- if (ev == NULL) {
-- fprintf(stderr, "samba_tevent_context_init failed\n");
-- ret = -1;
-- goto done;
-- }
--
-- msg_ctx = messaging_init(NULL, ev);
-+ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
- if (msg_ctx == NULL) {
-- fprintf(stderr, "messaging_init failed\n");
-+ fprintf(stderr, "Could not initialize messaging, not root?\n");
- ret = -1;
- goto done;
- }
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 250b7f1ff52..36cfd5dada7 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -1157,6 +1157,7 @@ bld.SAMBA3_BINARY('smbstatus',
- talloc
- smbconf
- popt_samba3
-+ cmdline_contexts
- smbd_base
- LOCKING
- PROFILE
---
-2.13.6
-
-
-From 27e80482d1d37aaacbca7ca6eff6000c78349da7 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 15:54:11 -0700
-Subject: [PATCH 11/22] rpcclient: Use cmdline_messaging_context
-
-Use cmdline_messaging_context with its error checking instead of open
-coding the same steps.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit dd3ae2ffdc66be4707471bfccf27ef446b5599cb)
----
- source3/rpcclient/rpcclient.c | 28 ++--------------------------
- 1 file changed, 2 insertions(+), 26 deletions(-)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index f7e196226cf..9f95f1a7a8c 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -35,6 +35,7 @@
- #include "auth/gensec/gensec.h"
- #include "../libcli/smb/smbXcli_base.h"
- #include "messages.h"
-+#include "cmdline_contexts.h"
-
- enum pipe_auth_type_spnego {
- PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
-@@ -950,7 +951,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info,
- const char *binding_string = NULL;
- const char *host;
- int signing_state = SMB_SIGNING_IPC_DEFAULT;
-- struct tevent_context *ev_ctx = NULL;
-
- /* make sure the vars that get altered (4th field) are in
- a fixed location or certain compilers complain */
-@@ -1016,30 +1016,7 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info,
- poptFreeContext(pc);
- popt_burn_cmdline_password(argc, argv);
-
-- ev_ctx = samba_tevent_context_init(frame);
-- if (ev_ctx == NULL) {
-- fprintf(stderr, "Could not init event context\n");
-- result = 1;
-- goto done;
-- }
--
-- nt_status = messaging_init_client(ev_ctx,
-- ev_ctx,
-- &rpcclient_msg_ctx);
-- if (geteuid() != 0 &&
-- NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
-- /*
-- * Normal to fail to initialize messaging context
-- * if we're not root as we don't have ability to
-- * read lock directory.
-- */
-- DBG_NOTICE("Unable to initialize messaging context. "
-- "Must be root to do that.\n");
-- } else if (!NT_STATUS_IS_OK(nt_status)) {
-- fprintf(stderr, "Could not init messaging context\n");
-- result = 1;
-- goto done;
-- }
-+ rpcclient_msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
-
- if (!init_names()) {
- result = 1;
-@@ -1258,7 +1235,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info,
- popt_free_cmdline_auth_info();
- netlogon_creds_cli_close_global_db();
- TALLOC_FREE(rpcclient_msg_ctx);
-- TALLOC_FREE(ev_ctx);
- TALLOC_FREE(frame);
- return result;
- }
---
-2.13.6
-
-
-From eaa0cb2c039c9c8ef838f259efcaffc59033bbbf Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:01:00 -0700
-Subject: [PATCH 12/22] s3:net: Use cmdline_messaging_context
-
-Use cmdline_messaging_context with its error checking instead of open
-coding the same steps.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit f2b659e4f518ccb06f221dd028f99883ca1a1847)
----
- source3/utils/net.c | 29 ++---------------------------
- 1 file changed, 2 insertions(+), 27 deletions(-)
-
-diff --git a/source3/utils/net.c b/source3/utils/net.c
-index 76b8677bf78..759d8cd442b 100644
---- a/source3/utils/net.c
-+++ b/source3/utils/net.c
-@@ -48,6 +48,7 @@
- #include "../libcli/security/security.h"
- #include "passdb.h"
- #include "messages.h"
-+#include "cmdline_contexts.h"
-
- #ifdef WITH_FAKE_KASERVER
- #include "utils/net_afs.h"
-@@ -915,9 +916,7 @@ static struct functable net_func[] = {
- const char **argv_const = discard_const_p(const char *, argv);
- poptContext pc;
- TALLOC_CTX *frame = talloc_stackframe();
-- struct tevent_context *ev;
- struct net_context *c = talloc_zero(frame, struct net_context);
-- NTSTATUS status;
-
- struct poptOption long_options[] = {
- {"help", 'h', POPT_ARG_NONE, 0, 'h'},
-@@ -1031,31 +1030,7 @@ static struct functable net_func[] = {
- }
- }
-
-- if (!lp_load_initial_only(get_dyn_CONFIGFILE())) {
-- d_fprintf(stderr, "Can't load %s - run testparm to debug it\n",
-- get_dyn_CONFIGFILE());
-- exit(1);
-- }
--
-- ev = samba_tevent_context_init(c);
-- if (ev == NULL) {
-- d_fprintf(stderr, "samba_tevent_context_init failed\n");
-- exit(1);
-- }
-- status = messaging_init_client(c, ev, &c->msg_ctx);
-- if (geteuid() != 0 &&
-- NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
-- /*
-- * Normal to fail to initialize messaging context
-- * if we're not root as we don't have ability to
-- * read lock directory.
-- */
-- DBG_NOTICE("Unable to initialize messaging context. "
-- "Must be root to do that.\n");
-- } else if (!NT_STATUS_IS_OK(status)) {
-- d_fprintf(stderr, "Failed to init messaging context\n");
-- exit(1);
-- }
-+ c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
-
- if (!lp_load_global(get_dyn_CONFIGFILE())) {
- d_fprintf(stderr, "Can't load %s - run testparm to debug it\n",
---
-2.13.6
-
-
-From 8cb95d9ad621db6adf627b439745691c8ff09d66 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 10 Jul 2018 16:29:46 +0200
-Subject: [PATCH 13/22] s3:messaging: remove unused messaging_init_client()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit f56496b11469f0e9af9ba81cefb796ca1febabb1)
----
- source3/include/messages.h | 3 ---
- source3/lib/messages.c | 9 ---------
- 2 files changed, 12 deletions(-)
-
-diff --git a/source3/include/messages.h b/source3/include/messages.h
-index 29c394af317..f7b40664b0b 100644
---- a/source3/include/messages.h
-+++ b/source3/include/messages.h
-@@ -46,9 +46,6 @@ struct messaging_rec;
-
- struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev);
--NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx,
-- struct tevent_context *ev,
-- struct messaging_context **pmsg_ctx);
-
- struct server_id messaging_server_id(const struct messaging_context *msg_ctx);
- struct tevent_context *messaging_tevent_context(
-diff --git a/source3/lib/messages.c b/source3/lib/messages.c
-index dab53f1c48e..90fffa2c872 100644
---- a/source3/lib/messages.c
-+++ b/source3/lib/messages.c
-@@ -635,15 +635,6 @@ struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx,
- return ctx;
- }
-
--NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx,
-- struct tevent_context *ev,
-- struct messaging_context **pmsg_ctx)
--{
-- return messaging_init_internal(mem_ctx,
-- ev,
-- pmsg_ctx);
--}
--
- struct server_id messaging_server_id(const struct messaging_context *msg_ctx)
- {
- return msg_ctx->id;
---
-2.13.6
-
-
-From 37ad220effcfea97929483e84477fae2e48d0be8 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:08:21 -0700
-Subject: [PATCH 14/22] s3:pdbedit: Use cmdline_messaging_context
-
-Initialize the messaging context through cmdline_messaging_context to
-allow access to config in clustered Samba.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 4661537c201acebee991d219d151cb481f56265c)
----
- source3/utils/pdbedit.c | 3 +++
- source3/utils/wscript_build | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
-index 5c947e2fbde..a2394880c65 100644
---- a/source3/utils/pdbedit.c
-+++ b/source3/utils/pdbedit.c
-@@ -25,6 +25,7 @@
- #include "../librpc/gen_ndr/samr.h"
- #include "../libcli/security/security.h"
- #include "passdb.h"
-+#include "cmdline_contexts.h"
-
- #define BIT_BACKEND 0x00000004
- #define BIT_VERBOSE 0x00000008
-@@ -1121,6 +1122,8 @@ int main(int argc, const char **argv)
- if (user_name == NULL)
- user_name = poptGetArg(pc);
-
-+ cmdline_messaging_context(get_dyn_CONFIGFILE());
-+
- if (!lp_load_global(get_dyn_CONFIGFILE())) {
- fprintf(stderr, "Can't load %s - run testparm to debug it\n", get_dyn_CONFIGFILE());
- exit(1);
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 06a986cada4..570c4506bee 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -47,6 +47,7 @@ bld.SAMBA3_BINARY('pdbedit',
- talloc
- smbconf
- popt_samba3
-+ cmdline_contexts
- pdb
- PASSWD_UTIL''')
-
---
-2.13.6
-
-
-From 375f013eaeb9d4c2592f68cd10374f61e2d12533 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:11:11 -0700
-Subject: [PATCH 15/22] s3:testparm: Use cmdline_messaging_context
-
-Call cmdline_messaging_context to initialize a messaging config before
-accessing clustered Samba config.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit ea7a4ff7ae5ef2b22fb7ef5640d6b946c064cfc3)
----
- source3/utils/testparm.c | 3 +++
- source3/utils/wscript_build | 4 +++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
-index 8113eea0020..88dfc42d492 100644
---- a/source3/utils/testparm.c
-+++ b/source3/utils/testparm.c
-@@ -35,6 +35,7 @@
- #include "system/filesys.h"
- #include "popt_common.h"
- #include "lib/param/loadparm.h"
-+#include "cmdline_contexts.h"
-
- #include <regex.h>
-
-@@ -698,6 +699,8 @@ static void do_per_share_checks(int s)
- goto done;
- }
-
-+ cmdline_messaging_context(config_file);
-+
- fprintf(stderr,"Load smb config files from %s\n",config_file);
-
- if (!lp_load_with_registry_shares(config_file)) {
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 570c4506bee..ffa0762d828 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -163,7 +163,9 @@ bld.SAMBA3_BINARY('testparm',
- deps='''
- talloc
- smbconf
-- popt_samba3''')
-+ popt_samba3
-+ cmdline_contexts
-+ ''')
-
- bld.SAMBA3_BINARY('net',
- source='''net.c
---
-2.13.6
-
-
-From 96d91b1d4c60552b1ed7058a4d9ed2b06a929c57 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:15:02 -0700
-Subject: [PATCH 16/22] s3:sharesec: Use cmdline_messaging_context
-
-Call cmdline_messasging_context to initialize messaging context before
-accessing clustered Samba config.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit cab8f27bbc927e48c52bac6350325e8ec38092b2)
----
- source3/utils/sharesec.c | 2 ++
- source3/utils/wscript_build | 4 +++-
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
-index d9f81587f0e..375ae582ae5 100644
---- a/source3/utils/sharesec.c
-+++ b/source3/utils/sharesec.c
-@@ -28,6 +28,7 @@ struct cli_state;
- #include "../libcli/security/security.h"
- #include "passdb/machine_sid.h"
- #include "util_sd.h"
-+#include "cmdline_contexts.h"
-
- static TALLOC_CTX *ctx;
-
-@@ -420,6 +421,7 @@ int main(int argc, const char *argv[])
-
- setlinebuf(stdout);
-
-+ cmdline_messaging_context(get_dyn_CONFIGFILE());
- lp_load_with_registry_shares(get_dyn_CONFIGFILE());
-
- /* check for initializing secrets.tdb first */
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index ffa0762d828..7e586dc268d 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -98,7 +98,9 @@ bld.SAMBA3_BINARY('sharesec',
- talloc
- msrpc3
- libcli_lsa3
-- popt_samba3''')
-+ popt_samba3
-+ cmdline_contexts
-+ ''')
-
- bld.SAMBA3_BINARY('log2pcap',
- source='log2pcaphex.c',
---
-2.13.6
-
-
-From 389d7e32dc9f02b037ab9c2d0db1095f88f64145 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:18:20 -0700
-Subject: [PATCH 17/22] s3: ntlm_auth: Use cmdline_messaging_context
-
-Call cmdline_messaging_context to initialize the messaging context
-before accessing clustered Samba config.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 9ed617474f588ceb42c8929ee8a51071a408c219)
----
- source3/utils/ntlm_auth.c | 3 +++
- source3/utils/wscript_build | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
-index 7d27712980b..b8014ec1034 100644
---- a/source3/utils/ntlm_auth.c
-+++ b/source3/utils/ntlm_auth.c
-@@ -47,6 +47,7 @@
- #include "nsswitch/libwbclient/wbclient.h"
- #include "lib/param/loadparm.h"
- #include "lib/util/base64.h"
-+#include "cmdline_contexts.h"
-
- #if HAVE_KRB5
- #include "auth/kerberos/pac_utils.h"
-@@ -2380,6 +2381,8 @@ enum {
-
- poptFreeContext(pc);
-
-+ cmdline_messaging_context(get_dyn_CONFIGFILE());
-+
- if (!lp_load_global(get_dyn_CONFIGFILE())) {
- d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n",
- get_dyn_CONFIGFILE(), strerror(errno));
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 7e586dc268d..92404a61c2d 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -128,6 +128,7 @@ bld.SAMBA3_BINARY('ntlm_auth',
- tiniparser
- libsmb
- popt_samba3
-+ cmdline_contexts
- gse gensec''')
-
- bld.SAMBA3_BINARY('dbwrap_tool',
---
-2.13.6
-
-
-From 6a08003f378ddc270597465509cf4b34837d8dc8 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:21:51 -0700
-Subject: [PATCH 18/22] s3:eventlogadm: Use cmdline_messaging_context
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 095123df945270bc51635a19125a7abdfcd4ab80)
----
- source3/utils/eventlogadm.c | 4 ++++
- source3/utils/wscript_build | 1 +
- 2 files changed, 5 insertions(+)
-
-diff --git a/source3/utils/eventlogadm.c b/source3/utils/eventlogadm.c
-index 5ef091a9ae3..db874dfae8a 100644
---- a/source3/utils/eventlogadm.c
-+++ b/source3/utils/eventlogadm.c
-@@ -30,6 +30,7 @@
- #include "registry/reg_util_token.h"
- #include "registry/reg_backend_db.h"
- #include "../libcli/registry/util_reg.h"
-+#include "cmdline_contexts.h"
-
- extern int optind;
- extern char *optarg;
-@@ -472,6 +473,9 @@ int main( int argc, char *argv[] )
- exit( 1 );
- }
-
-+ cmdline_messaging_context(configfile == NULL ?
-+ get_dyn_CONFIGFILE() : configfile);
-+
- if ( configfile == NULL ) {
- lp_load_global(get_dyn_CONFIGFILE());
- } else if (!lp_load_global(configfile)) {
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 92404a61c2d..eabebcf3d52 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -89,6 +89,7 @@ bld.SAMBA3_BINARY('eventlogadm',
- deps='''
- talloc
- smbconf
-+ cmdline_contexts
- LIBEVENTLOG''',
- install_path='${SBINDIR}')
-
---
-2.13.6
-
-
-From 6f32f75ad43b4e49de5af794beb134252267b768 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Tue, 21 Aug 2018 12:34:34 -0700
-Subject: [PATCH 19/22] s3:dbwrap_tool: Use cmdline_messaging_context
-
-Initialize the messaging context through cmdline_messaging_context to
-allow access to config in clustered Samba.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 7eeff96b826711b5a8d44ab24603dafcc0343d84)
----
- source3/utils/dbwrap_tool.c | 3 +++
- source3/utils/wscript_build | 4 +++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
-index 94aacd8ba26..b182e9cbfab 100644
---- a/source3/utils/dbwrap_tool.c
-+++ b/source3/utils/dbwrap_tool.c
-@@ -28,6 +28,7 @@
- #include "dbwrap/dbwrap_watch.h"
- #include "messages.h"
- #include "util_tdb.h"
-+#include "cmdline_contexts.h"
-
- enum dbwrap_op { OP_FETCH, OP_STORE, OP_DELETE, OP_ERASE, OP_LISTKEYS,
- OP_EXISTS };
-@@ -428,6 +429,8 @@ int main(int argc, const char **argv)
- while (extra_argv[extra_argc]) extra_argc++;
- }
-
-+ cmdline_messaging_context(get_dyn_CONFIGFILE());
-+
- lp_load_global(get_dyn_CONFIGFILE());
-
- if ((extra_argc < 2) || (extra_argc > 5)) {
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index eabebcf3d52..11bd2015c3a 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -136,7 +136,9 @@ bld.SAMBA3_BINARY('dbwrap_tool',
- source='dbwrap_tool.c',
- deps='''
- talloc
-- popt_samba3''')
-+ popt_samba3
-+ cmdline_contexts
-+ ''')
-
- bld.SAMBA3_BINARY('dbwrap_torture',
- source='dbwrap_torture.c',
---
-2.13.6
-
-
-From f23f129047edd4b6fd6163a7795e48be3e59b49c Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Tue, 21 Aug 2018 12:35:11 -0700
-Subject: [PATCH 20/22] s3:smbcontrol: Use cmdline_messaging_context
-
-Initialize the messaging context through cmdline_messaging_context to
-allow access to config in clustered Samba.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit de040eafbd7d729316d757c14c44df163a4b36ad)
----
- source3/utils/smbcontrol.c | 19 +++++++++++--------
- source3/utils/wscript_build | 1 +
- 2 files changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/source3/utils/smbcontrol.c b/source3/utils/smbcontrol.c
-index bd89b9ebf0a..ecf27801f8a 100644
---- a/source3/utils/smbcontrol.c
-+++ b/source3/utils/smbcontrol.c
-@@ -35,6 +35,7 @@
- #include "util_tdb.h"
- #include "../lib/util/pidfile.h"
- #include "serverid.h"
-+#include "cmdline_contexts.h"
-
- #if HAVE_LIBUNWIND_H
- #include <libunwind.h>
-@@ -1609,21 +1610,23 @@ int main(int argc, const char **argv)
- if (argc <= 1)
- usage(pc);
-
-+ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
-+ if (msg_ctx == NULL) {
-+ fprintf(stderr,
-+ "Could not init messaging context, not root?\n");
-+ TALLOC_FREE(frame);
-+ exit(1);
-+ }
-+
-+ evt_ctx = server_event_context();
-+
- lp_load_global(get_dyn_CONFIGFILE());
-
- /* Need to invert sense of return code -- samba
- * routines mostly return True==1 for success, but
- * shell needs 0. */
-
-- if (!(evt_ctx = samba_tevent_context_init(NULL)) ||
-- !(msg_ctx = messaging_init(NULL, evt_ctx))) {
-- fprintf(stderr, "could not init messaging context\n");
-- TALLOC_FREE(frame);
-- exit(1);
-- }
--
- ret = !do_command(evt_ctx, msg_ctx, argc, argv);
-- TALLOC_FREE(msg_ctx);
- TALLOC_FREE(frame);
- return ret;
- }
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 11bd2015c3a..6793c6d5c8a 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -18,6 +18,7 @@ bld.SAMBA3_BINARY('smbcontrol',
- talloc
- smbconf
- popt_samba3
-+ cmdline_contexts
- PRINTBASE''')
-
- bld.SAMBA3_BINARY('smbtree',
---
-2.13.6
-
-
-From 4f57a7b28cc1b705f34444f795724e3d3a06d99c Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Tue, 21 Aug 2018 16:11:02 -0700
-Subject: [PATCH 21/22] s3:smbget: Use cmdline_messaging_context
-
-Initialize the messaging context through cmdline_messaging_context to
-allow access to config in clustered Samba.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 20ed13923ed3c55e1b293e5440028d29384e9d3a)
----
- source3/utils/smbget.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
-index 37462fa131f..4653c6894e0 100644
---- a/source3/utils/smbget.c
-+++ b/source3/utils/smbget.c
-@@ -20,6 +20,7 @@
- #include "system/filesys.h"
- #include "popt_common_cmdline.h"
- #include "libsmbclient.h"
-+#include "cmdline_contexts.h"
-
- static int columns = 0;
-
-@@ -879,6 +880,8 @@ int main(int argc, char **argv)
-
- popt_burn_cmdline_password(argc, argv);
-
-+ cmdline_messaging_context(get_dyn_CONFIGFILE());
-+
- if (smbc_init(get_auth_data, opt.debuglevel) < 0) {
- fprintf(stderr, "Unable to initialize libsmbclient\n");
- return 1;
---
-2.13.6
-
-
-From 8fb42e4a751af55e6e56cd4e64029228f1cc36c3 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Fri, 7 Sep 2018 07:27:46 +0200
-Subject: [PATCH 22/22] examples: Fix the smb2mount build
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 94852e3544bf2cace3ddba8b9c89d986d77fdab5)
----
- examples/fuse/smb2mount.c | 2 +-
- examples/fuse/wscript_build | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/examples/fuse/smb2mount.c b/examples/fuse/smb2mount.c
-index 816b0b597ad..ec4be809f6d 100644
---- a/examples/fuse/smb2mount.c
-+++ b/examples/fuse/smb2mount.c
-@@ -20,7 +20,7 @@
-
- #include "source3/include/includes.h"
- #include "popt.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "client.h"
- #include "libsmb/proto.h"
- #include "clifuse.h"
-diff --git a/examples/fuse/wscript_build b/examples/fuse/wscript_build
-index 9ec5fc0a0f2..31341e4357d 100644
---- a/examples/fuse/wscript_build
-+++ b/examples/fuse/wscript_build
-@@ -3,5 +3,5 @@
- if bld.env.HAVE_FUSE:
- bld.SAMBA_BINARY('smb2mount',
- source='smb2mount.c clifuse.c',
-- deps='smbconf popt_samba3 libsmb fuse',
-+ deps='smbconf popt_samba3_cmdline libsmb fuse',
- install=False)
---
-2.13.6
-
diff --git a/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch b/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch
deleted file mode 100644
index 3d678a2..0000000
--- a/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 38e6908f259b2bdbdba38a856b9d67585453af9a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 29 Oct 2018 19:45:58 +0100
-Subject: [PATCH] s3:winbind: Check return code of initialize_password_db()
-
-See https://retrace.fedoraproject.org/faf/reports/1577174/
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-(cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac)
----
- source3/winbindd/winbindd.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
-index 254d93b344d..a8ffc31778c 100644
---- a/source3/winbindd/winbindd.c
-+++ b/source3/winbindd/winbindd.c
-@@ -1845,7 +1845,13 @@ int main(int argc, const char **argv)
- if (!NT_STATUS_IS_OK(status)) {
- exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status));
- }
-- initialize_password_db(true, server_event_context());
-+
-+ ok = initialize_password_db(true, server_event_context());
-+ if (!ok) {
-+ exit_daemon("Failed to initialize passdb backend! "
-+ "Check the 'passdb backend' variable in your "
-+ "smb.conf file.", EINVAL);
-+ }
-
- /*
- * Do not initialize the parent-child-pipe before becoming
---
-2.19.1
-
diff --git a/SOURCES/samba-4.9-harden_homes_share.patch b/SOURCES/samba-4.9-harden_homes_share.patch
deleted file mode 100644
index 60ca5c6..0000000
--- a/SOURCES/samba-4.9-harden_homes_share.patch
+++ /dev/null
@@ -1,402 +0,0 @@
-From b67bc28be3e0ab40e14f698951c9ba057ea8321d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 15 Nov 2018 16:06:49 +0100
-Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0)
----
- selftest/target/Samba3.pm | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 438cb3409bb..373f8152ca3 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1610,8 +1610,10 @@ sub provision($$$$$$$$$)
- my ($gid_force_user);
- my ($uid_user1);
- my ($uid_user2);
-+ my ($uid_gooduser);
-+ my ($uid_eviluser);
-
-- if ($unix_uid < 0xffff - 10) {
-+ if ($unix_uid < 0xffff - 12) {
- $max_uid = 0xffff;
- } else {
- $max_uid = $unix_uid;
-@@ -1627,6 +1629,8 @@ sub provision($$$$$$$$$)
- $uid_smbget = $max_uid - 8;
- $uid_user1 = $max_uid - 9;
- $uid_user2 = $max_uid - 10;
-+ $uid_gooduser = $max_uid - 11;
-+ $uid_eviluser = $max_uid - 12;
-
- if ($unix_gids[0] < 0xffff - 8) {
- $max_gid = 0xffff;
-@@ -2248,6 +2252,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f
- smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false
- user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
- user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
-+gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
-+eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
- ";
- if ($unix_uid != 0) {
- print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
-@@ -2324,6 +2330,8 @@ force_user:x:$gid_force_user:
- createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user");
- createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1");
- createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
-+ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
-+ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
-
- open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
- print DNS_UPDATE_LIST "A $server. $server_ip\n";
---
-2.19.2
-
-
-From ca57b6e4f02c725a3f47b8dde01d4b70dce42784 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 16 Nov 2018 15:40:59 +0100
-Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes'
- share
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This adds a test for CVE-2009-2813.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6)
----
- selftest/target/Samba3.pm | 4 ++
- source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++
- source3/selftest/tests.py | 1 +
- 3 files changed, 104 insertions(+)
- create mode 100755 source3/script/tests/test_homes.sh
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 373f8152ca3..2031003210c 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -921,6 +921,10 @@ sub setup_fileserver
- comment = inherit only unix owner
- inherit owner = unix only
- acl_xattr:ignore system acls = yes
-+[homes]
-+ comment = Home directories
-+ browseable = No
-+ read only = No
- ";
-
- my $vars = $self->provision($path, "WORKGROUP",
-diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
-new file mode 100755
-index 00000000000..06de0a0c301
---- /dev/null
-+++ b/source3/script/tests/test_homes.sh
-@@ -0,0 +1,99 @@
-+#!/bin/sh
-+
-+# Copyright (c) Andreas Schneider <asn@samba.org>
-+# License: GPLv3
-+
-+if [ $# -lt 7 ]; then
-+ echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION"
-+ exit 1
-+fi
-+
-+SERVER="${1}"
-+USERNAME="${2}"
-+PASSWORD="${3}"
-+LOCAL_PATH="${4}"
-+PREFIX="${5}"
-+SMBCLIENT="${6}"
-+CONFIGURATION="${7}"
-+shift 7
-+
-+incdir=`dirname $0`/../../../testprogs/blackbox
-+. $incdir/subunit.sh
-+
-+failed=0
-+
-+test_gooduser_home()
-+{
-+ tmpfile=$PREFIX/smbclient_homes_gooduser_commands
-+ cat > $tmpfile <<EOF
-+ls
-+quit
-+EOF
-+
-+ USERNAME=gooduser
-+
-+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
-+ eval echo "$cmd"
-+ out=$(eval $cmd)
-+ ret=$?
-+ rm -f $tmpfile
-+
-+ if [ $ret -ne 0 ] ; then
-+ echo "$out"
-+ echo "failed to connect error $ret"
-+ return 1
-+ fi
-+
-+ echo "$out" | grep 'Try "help" to get a list of possible commands.'
-+ ret=$?
-+ if [ $ret -ne 0 ] ; then
-+ echo "$out"
-+ echo 'failed - should get: Try "help" to get a list of possible commands.'
-+ return 1
-+ fi
-+
-+ return 0
-+}
-+
-+test_eviluser_home()
-+{
-+ tmpfile=$PREFIX/smbclient_homes_eviluser_commands
-+ cat > $tmpfile <<EOF
-+ls
-+quit
-+EOF
-+
-+ USERNAME=eviluser
-+
-+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
-+ eval echo "$cmd"
-+ out=$(eval $cmd)
-+ ret=$?
-+ rm -f $tmpfile
-+
-+ if [ $ret -ne 1 ] ; then
-+ echo "$out"
-+ echo "The server should reject connecting ret=$ret"
-+ return 1
-+ fi
-+
-+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
-+ ret=$?
-+ if [ $ret -ne 0 ] ; then
-+ echo "$out"
-+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
-+ return 1
-+ fi
-+
-+ return 0
-+}
-+
-+testit "test gooduser home" \
-+ test_gooduser_home || \
-+ failed=`expr $failed + 1`
-+
-+testit "test eviluser home reject" \
-+ test_eviluser_home || \
-+ failed=`expr $failed + 1`
-+
-+testok $0 $failed
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index 09cd5159a0d..4aef7a4d596 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -290,6 +290,7 @@ for env in ["fileserver"]:
- plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1'])
- plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3'])
- plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp'])
-+ plantestsuite("samba3.blackbox.homes", env, [os.path.join(samba3srcdir, "script/tests/test_homes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', '$PREFIX', smbclient3, configuration])
-
- #
- # tar command tests
---
-2.19.2
-
-
-From 274e960fde8e680a487fd7f3af57c824f9a5151b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 22 Nov 2018 18:23:24 +0100
-Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home
- dir
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If "/" (root) is returned as the home directory, prevent exporting it.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af)
----
- source3/param/service.c | 6 +++++-
- source3/smbd/password.c | 7 +++++++
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/source3/param/service.c b/source3/param/service.c
-index b21be6093d4..22f46f08894 100644
---- a/source3/param/service.c
-+++ b/source3/param/service.c
-@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out)
- DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out,
- phome_dir?phome_dir:"(NULL)"));
-
-- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir);
-+ if (!strequal(phome_dir, "/")) {
-+ iService = add_home_service(*p_service_out,
-+ *p_service_out, /* username */
-+ phome_dir);
-+ }
- }
-
- /* If we still don't have a service, attempt to add it as a printer. */
-diff --git a/source3/smbd/password.c b/source3/smbd/password.c
-index f472bda2c70..0576d2563eb 100644
---- a/source3/smbd/password.c
-+++ b/source3/smbd/password.c
-@@ -129,6 +129,13 @@ int register_homes_share(const char *username)
- return -1;
- }
-
-+ if (strequal(pwd->pw_dir, "/")) {
-+ DBG_NOTICE("Invalid home directory defined for user '%s'\n",
-+ username);
-+ TALLOC_FREE(pwd);
-+ return -1;
-+ }
-+
- DEBUG(3, ("Adding homes service for user '%s' using home directory: "
- "'%s'\n", username, pwd->pw_dir));
-
---
-2.19.2
-
-
-From e26c6aa97e57432d2f2fee2eba870ba76c9b8d41 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 3 Dec 2018 11:05:46 +0100
-Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed
- as home dir
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Wed Dec 5 05:22:43 CET 2018 on sn-devel-144
-
-(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87)
----
- selftest/target/Samba3.pm | 6 ++++-
- source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++
- 2 files changed, 42 insertions(+), 1 deletion(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 2031003210c..583396b3818 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1616,8 +1616,9 @@ sub provision($$$$$$$$$)
- my ($uid_user2);
- my ($uid_gooduser);
- my ($uid_eviluser);
-+ my ($uid_slashuser);
-
-- if ($unix_uid < 0xffff - 12) {
-+ if ($unix_uid < 0xffff - 13) {
- $max_uid = 0xffff;
- } else {
- $max_uid = $unix_uid;
-@@ -1635,6 +1636,7 @@ sub provision($$$$$$$$$)
- $uid_user2 = $max_uid - 10;
- $uid_gooduser = $max_uid - 11;
- $uid_eviluser = $max_uid - 12;
-+ $uid_slashuser = $max_uid - 13;
-
- if ($unix_gids[0] < 0xffff - 8) {
- $max_gid = 0xffff;
-@@ -2258,6 +2260,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
- user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
- gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
- eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
-+slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
- ";
- if ($unix_uid != 0) {
- print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
-@@ -2336,6 +2339,7 @@ force_user:x:$gid_force_user:
- createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
- createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
- createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
-+ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
-
- open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
- print DNS_UPDATE_LIST "A $server. $server_ip\n";
-diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
-index 06de0a0c301..90e84550dbc 100755
---- a/source3/script/tests/test_homes.sh
-+++ b/source3/script/tests/test_homes.sh
-@@ -88,6 +88,39 @@ EOF
- return 0
- }
-
-+test_slashuser_home()
-+{
-+ tmpfile=$PREFIX/smbclient_homes_slashuser_commands
-+ cat > $tmpfile <<EOF
-+ls
-+quit
-+EOF
-+
-+ USERNAME=slashuser
-+
-+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
-+ eval echo "$cmd"
-+ out=$(eval $cmd)
-+ ret=$?
-+ rm -f $tmpfile
-+
-+ if [ $ret -ne 1 ] ; then
-+ echo "$out"
-+ echo "The server should reject connecting ret=$ret"
-+ return 1
-+ fi
-+
-+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
-+ ret=$?
-+ if [ $ret -ne 0 ] ; then
-+ echo "$out"
-+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
-+ return 1
-+ fi
-+
-+ return 0
-+}
-+
- testit "test gooduser home" \
- test_gooduser_home || \
- failed=`expr $failed + 1`
-@@ -96,4 +129,8 @@ testit "test eviluser home reject" \
- test_eviluser_home || \
- failed=`expr $failed + 1`
-
-+testit "test slashuser home reject" \
-+ test_slashuser_home || \
-+ failed=`expr $failed + 1`
-+
- testok $0 $failed
---
-2.19.2
diff --git a/SOURCES/samba-4.9-net_ads_join_createcomputer.patch b/SOURCES/samba-4.9-net_ads_join_createcomputer.patch
deleted file mode 100644
index c196b55..0000000
--- a/SOURCES/samba-4.9-net_ads_join_createcomputer.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001
-From: Evgeny Sinelnikov <sin@altlinux.org>
-Date: Wed, 31 Jul 2019 23:17:20 +0400
-Subject: [PATCH] s3:ldap: Fix join with don't exists machine account
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add check for requested replies of existing machine object during join
-machine to domain. This solves regression fail during join with error:
-"None of the information to be translated has been translated."
-
-https://bugzilla.samba.org/show_bug.cgi?id=14007
-
-Reviewed-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Wed Sep 4 17:02:37 UTC 2019 on sn-devel-184
----
- source3/libads/ldap.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index 4f3d43b02b1..2110390b65f 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
- }
-
- ret = ads_find_machine_acct(ads, &res, machine_escaped);
-- ads_msgfree(ads, res);
-- if (ADS_ERR_OK(ret)) {
-+ if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
- DBG_DEBUG("Host account for %s already exists.\n",
- machine_escaped);
- ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
-+ ads_msgfree(ads, res);
- goto done;
- }
-+ ads_msgfree(ads, res);
-
- new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
- samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
---
-2.21.0
-
diff --git a/SOURCES/samba-4.9-net_ads_leave_keep_account.patch b/SOURCES/samba-4.9-net_ads_leave_keep_account.patch
deleted file mode 100644
index 4590081..0000000
--- a/SOURCES/samba-4.9-net_ads_leave_keep_account.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 1038892f651cbc1a924cd7e74b393eb356dd5266 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Wed, 27 Jun 2018 11:32:31 -0400
-Subject: [PATCH] s3:libads: Add net ads leave keep-account option
-
-Add the ability to leave the domain with --keep-account argument to avoid
-removal of the host machine account.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit d881f0c8a0ce2fc7cabf1966c5724e72c70d6694)
----
- docs-xml/manpages/net.8.xml | 9 ++++++++-
- source3/libnet/libnet_join.c | 2 ++
- source3/utils/net.c | 3 ++-
- source3/utils/net.h | 1 +
- source3/utils/net_ads.c | 9 +++++++--
- 5 files changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index 3154ee5ff85..d2bcd24c502 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -377,6 +377,13 @@
- </para></listitem>
- </varlistentry>
-
-+ <varlistentry>
-+ <term>--keep-account</term>
-+ <listitem><para>Prevent the machine account removal as
-+ part of "net ads leave".
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.encrypt;
- &popt.common.samba.client;
-
-@@ -1276,7 +1283,7 @@ against an NT4 Domain Controller.
- </refsect2>
-
- <refsect2>
--<title>ADS LEAVE</title>
-+<title>ADS LEAVE [--keep-account]</title>
-
- <para>Make the remote host leave the domain it is part of. </para>
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index a9405e8d288..27fc5135442 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2868,6 +2868,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
- return ntstatus_to_werror(status);
- }
-
-+ r->out.dns_domain_name = talloc_strdup(mem_ctx,
-+ r->in.domain_name);
- r->out.disabled_machine_account = true;
- }
-
-diff --git a/source3/utils/net.c b/source3/utils/net.c
-index 759d8cd442b..b3bd4b67118 100644
---- a/source3/utils/net.c
-+++ b/source3/utils/net.c
-@@ -970,8 +970,9 @@ static struct functable net_func[] = {
- {"wipe", 0, POPT_ARG_NONE, &c->opt_wipe},
- /* Options for 'net registry import' */
- {"precheck", 0, POPT_ARG_STRING, &c->opt_precheck},
-- /* Options for 'net ads join' */
-+ /* Options for 'net ads join or leave' */
- {"no-dns-updates", 0, POPT_ARG_NONE, &c->opt_no_dns_updates},
-+ {"keep-account", 0, POPT_ARG_NONE, &c->opt_keep_account},
- POPT_COMMON_SAMBA
- { 0, 0, 0, 0}
- };
-diff --git a/source3/utils/net.h b/source3/utils/net.h
-index d6dfeb6208f..5e70fd3aafa 100644
---- a/source3/utils/net.h
-+++ b/source3/utils/net.h
-@@ -85,6 +85,7 @@ struct net_context {
- int opt_wipe;
- const char *opt_precheck;
- int opt_no_dns_updates;
-+ int opt_keep_account;
-
- int opt_have_ip;
- struct sockaddr_storage opt_dest_ip;
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index ffa67d8f525..afe47dad839 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -964,7 +964,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
-
- if (c->display_usage) {
- d_printf( "%s\n"
-- "net ads leave\n"
-+ "net ads leave [--keep-account]\n"
- " %s\n",
- _("Usage:"),
- _("Leave an AD domain"));
-@@ -1009,7 +1009,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
- WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
- r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
- WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
-- r->in.delete_machine_account = true;
-+ if (c->opt_keep_account) {
-+ r->in.delete_machine_account = false;
-+ } else {
-+ r->in.delete_machine_account = true;
-+ }
-+
- r->in.msg_ctx = c->msg_ctx;
-
- werr = libnet_Unjoin(ctx, r);
---
-2.17.1
-
diff --git a/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
new file mode 100644
index 0000000..5bf463b
--- /dev/null
+++ b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
@@ -0,0 +1,75 @@
+From 54db478fccac0ac3b0cc63f5eacfeae23bc26d4a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Tue, 7 Jan 2020 19:25:53 +0200
+Subject: [PATCH 1/2] s3-rpcserver: fix security level check for
+ DsRGetForestTrustInformation
+
+Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
+didn't change since DCE RPC channel refactoring.
+
+With the current code we return RPC faul as can be seen in the logs:
+
+2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
+ netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
+ in: struct netr_DsRGetForestTrustInformation
+ server_name : *
+ server_name : '\\some-dc.example.com'
+ trusted_domain_name : NULL
+ flags : 0x00000000 (0)
+[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
+ api_rpcTNP: fault(5) return.
+
+This is due to this check in processing a request:
+ if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+ && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return WERR_ACCESS_DENIED;
+ }
+
+and since we get AuthZ response,
+
+ Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
+ Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
+[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
+ JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
+ "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
+ "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
+ "serviceDescription": "netlogon", "authType": "ncacn_np",
+ "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
+ "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
+ "transportProtection": "SMB", "accountFlags": "0x00000010"}}
+
+this means we are actually getting anonymous DCE/RPC access to netlogon
+on top of authenticated SMB connection. In such case we have exactly
+auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
+DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
+
+Update the code to follow the same security level check as in s4 variant
+of the call.
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index cbbf9feedc7..52b17c10e61 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2451,10 +2451,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
+ {
+ NTSTATUS status;
+ struct lsa_ForestTrustInformation *info, **info_ptr;
++ enum security_user_level security_level;
+
+- if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+- && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+- p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
++ security_level = security_session_user_level(p->session_info, NULL);
++ if (security_level < SECURITY_USER) {
+ return WERR_ACCESS_DENIED;
+ }
+
+--
+2.24.1
+
diff --git a/SOURCES/samba-4.9-static_analysis_fixes.patch b/SOURCES/samba-4.9-static_analysis_fixes.patch
deleted file mode 100644
index 06b10cf..0000000
--- a/SOURCES/samba-4.9-static_analysis_fixes.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From 0bd36d040129f511762b89555d98851a9dcaf3f6 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:09:23 +0100
-Subject: [PATCH 1/5] s3:rpcclient: Initialize domain_name
-
-This could be passed uninitialized to dcerpc_netr_DsRGetDCName()
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 56ac8944eb58f234422b4bd4dd9a64b8e51e874d)
----
- source3/rpcclient/cmd_netlogon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index 8d62ef7e095..631740562c6 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -216,7 +216,7 @@ static WERROR cmd_netlogon_dsr_getdcname(struct rpc_pipe_client *cli,
- WERROR werr = WERR_OK;
- uint32_t flags = DS_RETURN_DNS_NAME;
- const char *server_name = cli->desthost;
-- const char *domain_name;
-+ const char *domain_name = NULL;
- struct GUID domain_guid = GUID_zero();
- struct GUID site_guid = GUID_zero();
- struct netr_DsRGetDCNameInfo *info = NULL;
---
-2.19.2
-
-
-From f14942265b08710d4e9bf6b17219f65b5ea79e01 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:13:51 +0100
-Subject: [PATCH 2/5] librpc:ndr: Initialize inblob
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 9c37ed26f0a814f77c934ae190f48d0a1e673f83)
----
- librpc/ndr/ndr_backupkey.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c
-index 827bc694230..adb6e393287 100644
---- a/librpc/ndr/ndr_backupkey.c
-+++ b/librpc/ndr/ndr_backupkey.c
-@@ -58,7 +58,9 @@ _PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name,
- ndr->flags |= LIBNDR_PRINT_SET_VALUES;
- }
- if (flags & NDR_IN) {
-- union bkrp_data_in_blob inblob;
-+ union bkrp_data_in_blob inblob = {
-+ .empty._empty_ = '\0',
-+ };
- DATA_BLOB blob;
- uint32_t level;
- enum ndr_err_code ndr_err;
---
-2.19.2
-
-
-From 865ad3bb69c487589f24c755b2082fe51e5a261a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:16:06 +0100
-Subject: [PATCH 3/5] libgpo: Make sure status is intialized
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 159f753732cdc1e4491f93617779861fb9d73bc7)
----
- libgpo/gpo_ldap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
-index fec00053b49..f087203f28a 100644
---- a/libgpo/gpo_ldap.c
-+++ b/libgpo/gpo_ldap.c
-@@ -474,7 +474,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
- const char *guid_name,
- struct GROUP_POLICY_OBJECT *gpo)
- {
-- ADS_STATUS status;
-+ ADS_STATUS status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
- LDAPMessage *res = NULL;
- char *dn;
- const char *filter;
---
-2.19.2
-
-
-From b40b21c5b2f6ed6e4e123cb55d9279f88b3e5c3b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:17:37 +0100
-Subject: [PATCH 4/5] lib:util Always initialize start and space
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 050d1e7d53c068efac109ec4ff7a686d152e6a45)
----
- lib/util/talloc_report.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/lib/util/talloc_report.c b/lib/util/talloc_report.c
-index 63213a014b6..bed0fd91e43 100644
---- a/lib/util/talloc_report.c
-+++ b/lib/util/talloc_report.c
-@@ -33,8 +33,8 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
- const char *fmt, va_list ap)
- {
- ssize_t str_len = *pstr_len;
-- size_t buflen, needed, space;
-- char *start, *tmpbuf;
-+ size_t buflen, needed, space = 0;
-+ char *start = NULL, *tmpbuf = NULL;
- va_list ap2;
- int printlen;
-
-@@ -52,9 +52,6 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
- if (buflen > str_len) {
- start = buf + str_len;
- space = buflen - str_len;
-- } else {
-- start = NULL;
-- space = 0;
- }
-
- va_copy(ap2, ap);
---
-2.19.2
-
-
-From 01c2b8c1920744b9b46e3b2010f0487f23aa865b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:21:15 +0100
-Subject: [PATCH 5/5] ctdb: Fix an out of bound array access
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 008b9652cacdfd99e68db9d88f4e0c33eefa87e9)
----
- ctdb/common/logging.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
-index dc8c4f75058..55e5d541735 100644
---- a/ctdb/common/logging.c
-+++ b/ctdb/common/logging.c
-@@ -85,7 +85,7 @@ const char *debug_level_to_string(int log_level)
- {
- int i;
-
-- for (i=0; ARRAY_SIZE(log_string_map); i++) {
-+ for (i=0; i < ARRAY_SIZE(log_string_map); i++) {
- if (log_string_map[i].log_level == log_level) {
- return log_string_map[i].log_string;
- }
---
-2.19.2
diff --git a/SOURCES/samba-4.9.0rc5-stack-protector.patch b/SOURCES/samba-4.9.0rc5-stack-protector.patch
deleted file mode 100644
index 51bc83a..0000000
--- a/SOURCES/samba-4.9.0rc5-stack-protector.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 3 Sep 2018 10:35:08 +0200
-Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support
-
-The -fstack-protector* flags are compiler only flags, don't pass them to
-the linker.
-
-https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371)
----
- buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++-------------
- 1 file changed, 19 insertions(+), 17 deletions(-)
-
-diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
-index c4391d0c4dc..bfd6f9710db 100644
---- a/buildtools/wafsamba/samba_autoconf.py
-+++ b/buildtools/wafsamba/samba_autoconf.py
-@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None):
- return
-
- # we need to build real code that can't be optimized away to test
-- if conf.check(fragment='''
-- #include <stdio.h>
--
-- int main(void)
-- {
-- char t[100000];
-- while (fgets(t, sizeof(t), stdin));
-- return 0;
-- }
-- ''',
-- execute=0,
-- ccflags='-fstack-protector',
-- ldflags='-fstack-protector',
-- mandatory=False,
-- msg='Checking if toolchain accepts -fstack-protector'):
-- conf.ADD_CFLAGS('-fstack-protector')
-- conf.ADD_LDFLAGS('-fstack-protector')
-+ stack_protect_list = ['-fstack-protector-strong', '-fstack-protector']
-+ for stack_protect_flag in stack_protect_list:
-+ flag_supported = conf.check(fragment='''
-+ #include <stdio.h>
-+
-+ int main(void)
-+ {
-+ char t[100000];
-+ while (fgets(t, sizeof(t), stdin));
-+ return 0;
-+ }
-+ ''',
-+ execute=0,
-+ ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag],
-+ mandatory=False,
-+ msg='Checking if compiler accepts %s' % (stack_protect_flag))
-+ if flag_supported:
-+ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
-+ break
-
- if Options.options.debug:
- conf.ADD_CFLAGS('-g', testflags=True)
---
-2.18.0
-
-
-From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 3 Sep 2018 10:49:52 +0200
-Subject: [PATCH 2/2] waf: Add -fstack-clash-protection
-
-https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0)
----
- buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
-index bfd6f9710db..f2b3ec8db8d 100644
---- a/buildtools/wafsamba/samba_autoconf.py
-+++ b/buildtools/wafsamba/samba_autoconf.py
-@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None):
- conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
- break
-
-+ flag_supported = conf.check(fragment='''
-+ #include <stdio.h>
-+
-+ int main(void)
-+ {
-+ char t[100000];
-+ while (fgets(t, sizeof(t), stdin));
-+ return 0;
-+ }
-+ ''',
-+ execute=0,
-+ ccflags=[ '-Werror', '-fstack-clash-protection'],
-+ mandatory=False,
-+ msg='Checking if compiler accepts -fstack-clash-protection')
-+ if flag_supported:
-+ conf.ADD_CFLAGS('-fstack-clash-protection')
-+
- if Options.options.debug:
- conf.ADD_CFLAGS('-g', testflags=True)
-
---
-2.18.0
-
diff --git a/SOURCES/samba-4.9.1.tar.asc b/SOURCES/samba-4.9.1.tar.asc
deleted file mode 100644
index 3a95975..0000000
--- a/SOURCES/samba-4.9.1.tar.asc
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iFwEABECABwFAluomosVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
-Ef0AoLUiZNu1bqD0YjbzI8KCisfwPF/2AKDGrFuyL4ds6Ege/OiUbg7krCXrOg==
-=2NTz
------END PGP SIGNATURE-----
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 0543006..90d65b7 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -8,11 +8,11 @@
%define main_release 10
-%define samba_version 4.9.1
-%define talloc_version 2.1.14
-%define tdb_version 1.3.16
-%define tevent_version 0.9.37
-%define ldb_version 1.4.2
+%define samba_version 4.10.4
+%define talloc_version 2.1.16
+%define tdb_version 1.3.18
+%define tevent_version 0.9.39
+%define ldb_version 1.5.4
# This should be rc1 or nil
%define pre_release %nil
@@ -63,7 +63,7 @@
%global with_intel_aes_accel 1
%endif
-%global libwbc_alternatives_version 0.14
+%global libwbc_alternatives_version 0.15
%global libwbc_alternatives_suffix %nil
%if 0%{?__isa_bits} == 64
%global libwbc_alternatives_suffix -64
@@ -127,29 +127,17 @@ Source14: samba.pamd
Source200: README.dc
Source201: README.downgrade
-Patch0: samba-4.9.0rc5-stack-protector.patch
-Patch1: samba-4.9-harden_homes_share.patch
-Patch2: samba-4.9-static_analysis_fixes.patch
-Patch3: samba-4.9-fix_debug_segfault.patch
-Patch4: samba-4.9-fix_winbind_passdb_segfault.patch
-Patch5: samba-4.9-fix_testparm_crash.patch
-Patch6: samba-4.9-disable_netbios.patch
-Patch7: samba-4.9-net_ads_leave_keep_account.patch
-Patch8: samba-4.9-fix_force_group_panic.patch
-Patch9: samba-4.10-fix_gencache_debug_message.patch
-Patch10: samba-4.9-fix_net_ads_krb5.patch
-Patch11: samba-4.9-add_smbc_setOptionProtocols.patch
-Patch12: samba-4.9-fix_smbspool_as_cups_backend.patch
-Patch13: samba-4.9-doc_smbclient_max_protocol.patch
-Patch14: samba-4.9-fix_net_ads_join_admin_otherdomain.patch
-Patch15: samba-4.9-CVE-2019-3880.patch
-Patch16: samba-4.9-fix_smbspool_krb5_auth.patch
-Patch17: samba-4.9-fix_cups_printing.patch
-Patch18: samba-4.9-net_ads_join_createcomputer.patch
-Patch19: samba-4.10-fix_smbspool_username_passwd.patch
-Patch20: samba-4.9-fix_builtin_groups_creation.patch
-Patch21: samba-4.10-fix_winbind_trustdom_enum.patch
-Patch22: samba-4.10-fix_spnego_downgrade.patch
+Patch0: samba-4.10-fix_smbspool.patch
+Patch1: samba-4.10.6-fix_idmap_tdb2.patch
+Patch2: samba-4.10-net_ads_join_createcomputer.patch
+Patch3: CVE-2019-10197-v4-10-metze03.patches.txt
+Patch4: samba-4.10-fix_smbspool_username_password.patch
+Patch5: samba-4.10-fix_winbind_trustdom_enum.patch
+Patch6: samba-4.10-fix-spnego-downgrade.patch
+Patch7: samba-4.10-fix_net_ads_join_hardened_env.patch
+Patch8: samba-4.10-fix-netbios-join.patch
+Patch9: CVE-2019-10218-4.11.patch
+Patch10: samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@@ -223,6 +211,8 @@ BuildRequires: python2-markdown
BuildRequires: quota-devel
BuildRequires: readline-devel
BuildRequires: sed
+BuildRequires: libtasn1-devel
+BuildRequires: libtasn1-tools
BuildRequires: xfsprogs-devel
BuildRequires: xz
BuildRequires: zlib-devel >= 1.2.3
@@ -240,6 +230,8 @@ BuildRequires: libcephfs-devel
BuildRequires: gnutls-devel >= 3.4.7
# Required by samba-tool to run tests
BuildRequires: python2-crypto
+%else
+BuildRequires: gnutls-devel >= 3.2.0
%endif
# pidl requirements
@@ -814,6 +806,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
%global _samba_private_libraries %{_libsmbclient}%{_libwbclient}
+export PYTHON=/usr/bin/python2
%configure \
--enable-fhs \
--with-piddir=/run \
@@ -865,7 +858,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
make %{?_smp_mflags}
%install
-rm -rf %{buildroot}
+PYTHON=/usr/bin/python2 \
make %{?_smp_mflags} install DESTDIR=%{buildroot}
export PYTHON=%{__python2}
@@ -1061,7 +1054,7 @@ find %{buildroot}%{python2_sitearch} -name "*.pyc" -print -delete
%if %{with testsuite}
%check
-TDB_NO_FSYNC=1 make %{?_smp_mflags} test
+PYTHON=/usr/bin/python2 TDB_NO_FSYNC=1 make %{?_smp_mflags} test
%endif
%post
@@ -1239,7 +1232,7 @@ rm -rf %{buildroot}
%files
%defattr(-,root,root,-)
%license COPYING
-%doc README WHATSNEW.txt
+%doc README.md WHATSNEW.txt
%doc examples/autofs examples/LDAP examples/misc
%doc examples/printer-accounting examples/printing
%doc packaging/README.downgrade
@@ -1276,6 +1269,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/vfs/fileid.so
%{_libdir}/samba/vfs/fruit.so
%{_libdir}/samba/vfs/full_audit.so
+%{_libdir}/samba/vfs/glusterfs_fuse.so
%{_libdir}/samba/vfs/linux_xfs_sgid.so
%{_libdir}/samba/vfs/media_harmony.so
%{_libdir}/samba/vfs/netatalk.so
@@ -1313,7 +1307,6 @@ rm -rf %{buildroot}
%{_mandir}/man8/vfs_aio_pthread.8*
%{_mandir}/man8/vfs_audit.8*
%{_mandir}/man8/vfs_btrfs.8*
-%{_mandir}/man8/vfs_cacheprime.8*
%{_mandir}/man8/vfs_cap.8*
%{_mandir}/man8/vfs_catia.8*
%{_mandir}/man8/vfs_commit.8*
@@ -1325,13 +1318,11 @@ rm -rf %{buildroot}
%{_mandir}/man8/vfs_fileid.8*
%{_mandir}/man8/vfs_fruit.8*
%{_mandir}/man8/vfs_full_audit.8*
-%{_mandir}/man8/vfs_gpfs.8*
+%{_mandir}/man8/vfs_glusterfs_fuse.8*
%{_mandir}/man8/vfs_linux_xfs_sgid.8*
%{_mandir}/man8/vfs_media_harmony.8*
%{_mandir}/man8/vfs_netatalk.8*
-%{_mandir}/man8/vfs_nfs4acl_xattr.8*
%{_mandir}/man8/vfs_offline.8*
-%{_mandir}/man8/vfs_prealloc.8*
%{_mandir}/man8/vfs_preopen.8*
%{_mandir}/man8/vfs_readahead.8*
%{_mandir}/man8/vfs_readonly.8*
@@ -1344,7 +1335,6 @@ rm -rf %{buildroot}
%{_mandir}/man8/vfs_streams_xattr.8*
%{_mandir}/man8/vfs_syncops.8*
%{_mandir}/man8/vfs_time_audit.8*
-%{_mandir}/man8/vfs_tsmsm.8*
%{_mandir}/man8/vfs_unityed_media.8*
%{_mandir}/man8/vfs_virusfilter.8*
%{_mandir}/man8/vfs_worm.8*
@@ -1354,10 +1344,6 @@ rm -rf %{buildroot}
%exclude %{_mandir}/man8/vfs_glusterfs.8*
%endif
-%if ! %{with_vfs_cephfs}
-%exclude %{_mandir}/man8/vfs_ceph.8*
-%endif
-
%attr(775,root,printadmin) %dir /var/lib/samba/drivers
### CLIENT
@@ -1430,8 +1416,11 @@ rm -rf %{buildroot}
%{_bindir}/ldbrename
%{_bindir}/ldbsearch
%{_libdir}/samba/libldb-cmdline-samba4.so
+%{_libdir}/samba/libldb-key-value-samba4.so
+%{_libdir}/samba/libldb-tdb-err-map-samba4.so
+%{_libdir}/samba/libldb-tdb-int-samba4.so
%{_libdir}/samba/ldb/asq.so
-%{_libdir}/samba/ldb/paged_results.so
+%{_libdir}/samba/ldb/ldb.so
%{_libdir}/samba/ldb/paged_searches.so
%{_libdir}/samba/ldb/rdn_name.so
%{_libdir}/samba/ldb/sample.so
@@ -1481,6 +1470,8 @@ rm -rf %{buildroot}
%{_libdir}/samba/libcli-smb-common-samba4.so
%{_libdir}/samba/libcli-spoolss-samba4.so
%{_libdir}/samba/libcliauth-samba4.so
+%{_libdir}/samba/libclidns-samba4.so
+%{_libdir}/samba/libcmdline-contexts-samba4.so
%{_libdir}/samba/libcmdline-credentials-samba4.so
%{_libdir}/samba/libcommon-auth-samba4.so
%{_libdir}/samba/libctdb-event-client-samba4.so
@@ -1827,16 +1818,14 @@ rm -rf %{buildroot}
%{_includedir}/samba-4.0/util/byteorder.h
%{_includedir}/samba-4.0/util/data_blob.h
%{_includedir}/samba-4.0/util/debug.h
+%{_includedir}/samba-4.0/util/discard.h
%{_includedir}/samba-4.0/util/fault.h
%{_includedir}/samba-4.0/util/genrand.h
%{_includedir}/samba-4.0/util/idtree.h
%{_includedir}/samba-4.0/util/idtree_random.h
-%{_includedir}/samba-4.0/util/memory.h
-%{_includedir}/samba-4.0/util/safe_string.h
%{_includedir}/samba-4.0/util/signal.h
%{_includedir}/samba-4.0/util/string_wrappers.h
%{_includedir}/samba-4.0/util/substitute.h
-%{_includedir}/samba-4.0/util/talloc_stack.h
%{_includedir}/samba-4.0/util/tevent_ntstatus.h
%{_includedir}/samba-4.0/util/tevent_unix.h
%{_includedir}/samba-4.0/util/tevent_werror.h
@@ -2015,9 +2004,11 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/descriptor.py*
%{python_sitearch}/samba/gensec.so
%{python_sitearch}/samba/getopt.py*
+%{python_sitearch}/samba/gp_ext_loader.py*
%{python_sitearch}/samba/hostconfig.py*
%{python_sitearch}/samba/idmap.py*
%{python_sitearch}/samba/join.py*
+%{python_sitearch}/samba/logger.py*
%{python_sitearch}/samba/messaging.so
%{python_sitearch}/samba/ms_display_specifiers.py*
%{python_sitearch}/samba/ms_schema.py*
@@ -2036,8 +2027,10 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/sites.py*
%{python_sitearch}/samba/smb.so
%{python_sitearch}/samba/subnets.py*
+
%{python_sitearch}/samba/upgrade.py*
%{python_sitearch}/samba/upgradehelpers.py*
+%{python_sitearch}/samba/uptodateness.py*
%{python_sitearch}/samba/werror.so
%{python_sitearch}/samba/xattr.py*
%{python_sitearch}/samba/xattr_native.so
@@ -2056,6 +2049,7 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/dcerpc/drsuapi.so
%{python_sitearch}/samba/dcerpc/echo.so
%{python_sitearch}/samba/dcerpc/epmapper.so
+%{python_sitearch}/samba/dcerpc/preg.so
%{python_sitearch}/samba/dcerpc/idmap.so
%{python_sitearch}/samba/dcerpc/initshutdown.so
%{python_sitearch}/samba/dcerpc/irpc.so
@@ -2071,11 +2065,15 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/dcerpc/security.so
%{python_sitearch}/samba/dcerpc/server_id.so
%{python_sitearch}/samba/dcerpc/smb_acl.so
+%{python_sitearch}/samba/dcerpc/spoolss.so
%{python_sitearch}/samba/dcerpc/srvsvc.so
%{python_sitearch}/samba/dcerpc/svcctl.so
%{python_sitearch}/samba/dcerpc/unixinfo.so
%{python_sitearch}/samba/dcerpc/winbind.so
+%{python_sitearch}/samba/dcerpc/windows_event_ids.so
%{python_sitearch}/samba/dcerpc/winreg.so
+%{python_sitearch}/samba/dcerpc/winspool.so
+%{python_sitearch}/samba/dcerpc/witness.so
%{python_sitearch}/samba/dcerpc/wkssvc.so
%{python_sitearch}/samba/dcerpc/xattr.so
@@ -2084,6 +2082,14 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/emulate/traffic.py*
%{python_sitearch}/samba/emulate/traffic_packets.py*
+%dir %{python_sitearch}/samba/gp_parse
+%{python_sitearch}/samba/gp_parse/__init__.py*
+%{python_sitearch}/samba/gp_parse/gp_aas.py*
+%{python_sitearch}/samba/gp_parse/gp_csv.py*
+%{python_sitearch}/samba/gp_parse/gp_inf.py*
+%{python_sitearch}/samba/gp_parse/gp_ini.py*
+%{python_sitearch}/samba/gp_parse/gp_pol.py*
+
%dir %{python_sitearch}/samba/netcmd
%{python_sitearch}/samba/netcmd/__init__.py*
%{python_sitearch}/samba/netcmd/common.py*
@@ -2178,64 +2184,28 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/auth_log_netlogon_bad_creds.py*
%{python_sitearch}/samba/tests/auth_log_pass_change.py*
%{python_sitearch}/samba/tests/auth_log_samlogon.py*
-%dir %{python_sitearch}/samba/tests/blackbox
-%{python_sitearch}/samba/tests/blackbox/__init__.py*
-%{python_sitearch}/samba/tests/blackbox/check_output.py*
-%{python_sitearch}/samba/tests/blackbox/ndrdump.py*
-%{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
-%{python_sitearch}/samba/tests/blackbox/smbcontrol.py*
-%{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
-%{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
-%{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
+%{python_sitearch}/samba/tests/complex_expressions.py*
%{python_sitearch}/samba/tests/common.py*
%{python_sitearch}/samba/tests/core.py*
%{python_sitearch}/samba/tests/credentials.py*
-%dir %{python_sitearch}/samba/tests/dcerpc
-%{python_sitearch}/samba/tests/dcerpc/__init__.py*
-%{python_sitearch}/samba/tests/dcerpc/array.py*
-%{python_sitearch}/samba/tests/dcerpc/bare.py*
-%{python_sitearch}/samba/tests/dcerpc/dnsserver.py*
-%{python_sitearch}/samba/tests/dcerpc/integer.py*
-%{python_sitearch}/samba/tests/dcerpc/misc.py*
-%{python_sitearch}/samba/tests/dcerpc/raw_protocol.py*
-%{python_sitearch}/samba/tests/dcerpc/raw_testcase.py*
-%{python_sitearch}/samba/tests/dcerpc/registry.py*
-%{python_sitearch}/samba/tests/dcerpc/rpc_talloc.py*
-%{python_sitearch}/samba/tests/dcerpc/rpcecho.py*
-%{python_sitearch}/samba/tests/dcerpc/sam.py*
-%{python_sitearch}/samba/tests/dcerpc/srvsvc.py*
-%{python_sitearch}/samba/tests/dcerpc/string.py*
-%{python_sitearch}/samba/tests/dcerpc/testrpc.py*
-%{python_sitearch}/samba/tests/dcerpc/unix.py*
%{python_sitearch}/samba/tests/dns.py*
%{python_sitearch}/samba/tests/dns_base.py*
%{python_sitearch}/samba/tests/dns_forwarder.py*
-%dir %{python_sitearch}/samba/tests/dns_forwarder_helpers
-%{python_sitearch}/samba/tests/dns_forwarder_helpers/server.py*
%{python_sitearch}/samba/tests/dns_tkey.py*
%{python_sitearch}/samba/tests/dns_wildcard.py*
%{python_sitearch}/samba/tests/docs.py*
%{python_sitearch}/samba/tests/dsdb.py*
%{python_sitearch}/samba/tests/dsdb_lock.py*
%{python_sitearch}/samba/tests/dsdb_schema_attributes.py*
-%dir %{python_sitearch}/samba/tests/emulate
-%{python_sitearch}/samba/tests/emulate/__init__.py*
-%{python_sitearch}/samba/tests/emulate/traffic.py*
-%{python_sitearch}/samba/tests/emulate/traffic_packet.py*
+%{python_sitearch}/samba/tests/domain_backup_offline.py*
%{python_sitearch}/samba/tests/encrypted_secrets.py*
%{python_sitearch}/samba/tests/gensec.py*
%{python_sitearch}/samba/tests/get_opt.py*
%{python_sitearch}/samba/tests/glue.py*
%{python_sitearch}/samba/tests/graph.py*
%{python_sitearch}/samba/tests/hostconfig.py*
+%{python_sitearch}/samba/tests/libsmb.py*
%{python_sitearch}/samba/tests/join.py*
-%dir %{python_sitearch}/samba/tests/kcc
-%{python_sitearch}/samba/tests/kcc/__init__.py*
-%{python_sitearch}/samba/tests/kcc/graph.py*
-%{python_sitearch}/samba/tests/kcc/graph_utils.py*
-%{python_sitearch}/samba/tests/kcc/kcc_utils.py*
-%{python_sitearch}/samba/tests/kcc/ldif_import_export.py*
-%{python_sitearch}/samba/tests/libsmb_samba_internal.py*
%{python_sitearch}/samba/tests/lsa_string.py*
%{python_sitearch}/samba/tests/messaging.py*
%{python_sitearch}/samba/tests/net_join.py*
@@ -2243,8 +2213,12 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/netcmd.py*
%{python_sitearch}/samba/tests/netlogonsvc.py*
%{python_sitearch}/samba/tests/ntacls.py*
+%{python_sitearch}/samba/tests/ntlm_auth.py*
+%{python_sitearch}/samba/tests/ntlm_auth_base.py*
+%{python_sitearch}/samba/tests/ntlm_auth_krb5.py*
%{python_sitearch}/samba/tests/ntlmdisabled.py*
%{python_sitearch}/samba/tests/pam_winbind.py*
+%{python_sitearch}/samba/tests/pam_winbind_chauthtok.py*
%{python_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py*
%{python_sitearch}/samba/tests/param.py*
%{python_sitearch}/samba/tests/password_hash.py*
@@ -2254,10 +2228,71 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/password_hash_ldap.py*
%{python_sitearch}/samba/tests/policy.py*
%{python_sitearch}/samba/tests/posixacl.py*
+%{python_sitearch}/samba/tests/prefork_restart.py*
+%{python_sitearch}/samba/tests/process_limits.py*
%{python_sitearch}/samba/tests/provision.py*
%{python_sitearch}/samba/tests/py_credentials.py*
%{python_sitearch}/samba/tests/registry.py*
%{python_sitearch}/samba/tests/samba3sam.py*
+%{python_sitearch}/samba/tests/samdb.py*
+%{python_sitearch}/samba/tests/smbd_base.py*
+%{python_sitearch}/samba/tests/security.py*
+%{python_sitearch}/samba/tests/source.py*
+%{python_sitearch}/samba/tests/strings.py*
+%{python_sitearch}/samba/tests/subunitrun.py*
+%{python_sitearch}/samba/tests/tdb_util.py*
+%{python_sitearch}/samba/tests/upgrade.py*
+%{python_sitearch}/samba/tests/upgradeprovision.py*
+%{python_sitearch}/samba/tests/upgradeprovisionneeddc.py*
+%{python_sitearch}/samba/tests/xattr.py*
+
+%dir %{python_sitearch}/samba/tests/blackbox
+%{python_sitearch}/samba/tests/blackbox/__init__.py*
+%{python_sitearch}/samba/tests/blackbox/bug13653.py*
+%{python_sitearch}/samba/tests/blackbox/check_output.py*
+%{python_sitearch}/samba/tests/blackbox/netads_json.py*
+%{python_sitearch}/samba/tests/blackbox/ndrdump.py*
+%{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
+%{python_sitearch}/samba/tests/blackbox/smbcontrol.py*
+%{python_sitearch}/samba/tests/blackbox/smbcontrol_process.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
+
+%dir %{python_sitearch}/samba/tests/dcerpc
+%{python_sitearch}/samba/tests/dcerpc/__init__.py*
+%{python_sitearch}/samba/tests/dcerpc/array.py*
+%{python_sitearch}/samba/tests/dcerpc/bare.py*
+%{python_sitearch}/samba/tests/dcerpc/dnsserver.py*
+%{python_sitearch}/samba/tests/dcerpc/integer.py*
+%{python_sitearch}/samba/tests/dcerpc/misc.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_protocol.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_testcase.py*
+%{python_sitearch}/samba/tests/dcerpc/registry.py*
+%{python_sitearch}/samba/tests/dcerpc/rpc_talloc.py*
+%{python_sitearch}/samba/tests/dcerpc/rpcecho.py*
+%{python_sitearch}/samba/tests/dcerpc/sam.py*
+%{python_sitearch}/samba/tests/dcerpc/srvsvc.py*
+%{python_sitearch}/samba/tests/dcerpc/string_tests.py*
+%{python_sitearch}/samba/tests/dcerpc/testrpc.py*
+%{python_sitearch}/samba/tests/dcerpc/unix.py*
+
+%dir %{python_sitearch}/samba/tests/dns_forwarder_helpers
+%{python_sitearch}/samba/tests/dns_forwarder_helpers/server.py*
+%{python_sitearch}/samba/tests/dns_forwarder_helpers/dns_hub.py*
+
+%dir %{python_sitearch}/samba/tests/emulate
+%{python_sitearch}/samba/tests/emulate/__init__.py*
+%{python_sitearch}/samba/tests/emulate/traffic.py*
+%{python_sitearch}/samba/tests/emulate/traffic_packet.py*
+
+%dir %{python_sitearch}/samba/tests/kcc
+%{python_sitearch}/samba/tests/kcc/__init__.py*
+%{python_sitearch}/samba/tests/kcc/graph.py*
+%{python_sitearch}/samba/tests/kcc/graph_utils.py*
+%{python_sitearch}/samba/tests/kcc/kcc_utils.py*
+%{python_sitearch}/samba/tests/kcc/ldif_import_export.py*
+
%dir %{python_sitearch}/samba/tests/samba_tool
%{python_sitearch}/samba/tests/samba_tool/__init__.py*
%{python_sitearch}/samba/tests/samba_tool/base.py*
@@ -2279,17 +2314,6 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/samba_tool/user_wdigest.py*
%{python_sitearch}/samba/tests/samba_tool/visualize.py*
%{python_sitearch}/samba/tests/samba_tool/visualize_drs.py*
-%{python_sitearch}/samba/tests/samdb.py*
-%{python_sitearch}/samba/tests/security.py*
-%{python_sitearch}/samba/tests/source.py*
-%{python_sitearch}/samba/tests/strings.py*
-%{python_sitearch}/samba/tests/subunitrun.py*
-%{python_sitearch}/samba/tests/tdb_util.py*
-%{python_sitearch}/samba/tests/unicodenames.py*
-%{python_sitearch}/samba/tests/upgrade.py*
-%{python_sitearch}/samba/tests/upgradeprovision.py*
-%{python_sitearch}/samba/tests/upgradeprovisionneeddc.py*
-%{python_sitearch}/samba/tests/xattr.py*
### TEST
%files test
@@ -2321,6 +2345,7 @@ rm -rf %{buildroot}
%else
%{_libdir}/samba/libdsdb-module-samba4.so
%endif
+%{_libdir}/samba/libcmocka-samba4.so
### WINBIND
%files winbind
@@ -2403,6 +2428,7 @@ rm -rf %{buildroot}
%{_sbindir}/ctdbd
%{_sbindir}/ctdbd_wrapper
%{_bindir}/ctdb
+%{_bindir}/ctdb_local_daemons
%{_bindir}/ping_pong
%{_bindir}/ltdbtool
%{_bindir}/ctdb_diagnostics
@@ -2478,6 +2504,7 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/conf_test
%{_libexecdir}/ctdb/tests/ctdb_packet_parse
%{_libexecdir}/ctdb/tests/ctdb_takeover_tests
+%{_libexecdir}/ctdb/tests/ctdb_io_test
%{_libexecdir}/ctdb/tests/db_hash_test
%{_libexecdir}/ctdb/tests/dummy_client
%{_libexecdir}/ctdb/tests/errcode
@@ -2512,6 +2539,7 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/sock_daemon_test
%{_libexecdir}/ctdb/tests/sock_io_test
%{_libexecdir}/ctdb/tests/srvid_test
+%{_libexecdir}/ctdb/tests/system_socket_test
%{_libexecdir}/ctdb/tests/test_mutex_raw
%{_libexecdir}/ctdb/tests/transaction_loop
%{_libexecdir}/ctdb/tests/tunnel_cmd
@@ -2523,7 +2551,6 @@ rm -rf %{buildroot}
%dir %{_datadir}/ctdb/tests/complex
%{_datadir}/ctdb/tests/complex/README
-%{_datadir}/ctdb/tests/complex/00_ctdb_init.sh
%{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh
%{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh
%{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh
@@ -2556,6 +2583,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/cunit/config_test_005.sh
%{_datadir}/ctdb/tests/cunit/config_test_006.sh
%{_datadir}/ctdb/tests/cunit/config_test_007.sh
+%{_datadir}/ctdb/tests/cunit/ctdb_io_test_001.sh
%{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
%{_datadir}/ctdb/tests/cunit/event_protocol_test_001.sh
%{_datadir}/ctdb/tests/cunit/event_script_test_001.sh
@@ -2579,7 +2607,11 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh
%{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh
%{_datadir}/ctdb/tests/cunit/srvid_test_001.sh
-
+%{_datadir}/ctdb/tests/cunit/system_socket_test_001.sh
+%dir %{_datadir}/ctdb/tests/etc-ctdb
+%dir %{_datadir}/ctdb/tests/etc-ctdb/events
+%dir %{_datadir}/ctdb/tests/etc-ctdb/events/legacy
+%{_datadir}/ctdb/tests/etc-ctdb/events/legacy/00.test.script
%dir %{_datadir}/ctdb/tests/eventd
%{_datadir}/ctdb/tests/eventd/README
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb
@@ -2921,6 +2953,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/onnode/0004.sh
%{_datadir}/ctdb/tests/onnode/0005.sh
%{_datadir}/ctdb/tests/onnode/0006.sh
+%{_datadir}/ctdb/tests/onnode/0010.sh
+%{_datadir}/ctdb/tests/onnode/0011.sh
%{_datadir}/ctdb/tests/onnode/0070.sh
%{_datadir}/ctdb/tests/onnode/0071.sh
%{_datadir}/ctdb/tests/onnode/0072.sh
@@ -2957,12 +2991,9 @@ rm -rf %{buildroot}
%dir %{_datadir}/ctdb/tests/simple
%{_datadir}/ctdb/tests/simple/README
-%{_datadir}/ctdb/tests/simple/00_ctdb_init.sh
%{_datadir}/ctdb/tests/simple/00_ctdb_onnode.sh
-%{_datadir}/ctdb/tests/simple/01_ctdb_version.sh
-%{_datadir}/ctdb/tests/simple/02_ctdb_listvars.sh
-%{_datadir}/ctdb/tests/simple/03_ctdb_getvar.sh
-%{_datadir}/ctdb/tests/simple/04_ctdb_setvar.sh
+%{_datadir}/ctdb/tests/simple/01_ctdb_reclock_command.sh
+%{_datadir}/ctdb/tests/simple/02_ctdb_tunables.sh
%{_datadir}/ctdb/tests/simple/05_ctdb_listnodes.sh
%{_datadir}/ctdb/tests/simple/06_ctdb_getpid.sh
%{_datadir}/ctdb/tests/simple/07_ctdb_process_exists.sh
@@ -2985,11 +3016,9 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/simple/26_ctdb_config_check_error_on_unreachable_ctdb.sh
%{_datadir}/ctdb/tests/simple/27_ctdb_detach.sh
%{_datadir}/ctdb/tests/simple/28_zero_eventscripts.sh
-%{_datadir}/ctdb/tests/simple/31_ctdb_disable.sh
-%{_datadir}/ctdb/tests/simple/32_ctdb_enable.sh
+%{_datadir}/ctdb/tests/simple/32_ctdb_disable_enable.sh
%{_datadir}/ctdb/tests/simple/35_ctdb_getreclock.sh
-%{_datadir}/ctdb/tests/simple/41_ctdb_stop.sh
-%{_datadir}/ctdb/tests/simple/42_ctdb_continue.sh
+%{_datadir}/ctdb/tests/simple/42_ctdb_stop_continue.sh
%{_datadir}/ctdb/tests/simple/43_stop_recmaster_yield.sh
%{_datadir}/ctdb/tests/simple/51_message_ring.sh
%{_datadir}/ctdb/tests/simple/52_fetch_ring.sh
@@ -2999,6 +3028,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/simple/56_replicated_transaction_recovery.sh
%{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh
%{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh
+%{_datadir}/ctdb/tests/simple/69_recovery_resurrect_deleted.sh
%{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh
%{_datadir}/ctdb/tests/simple/71_ctdb_wipedb.sh
%{_datadir}/ctdb/tests/simple/72_update_record_persistent.sh
@@ -3011,17 +3041,10 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
%{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh
%{_datadir}/ctdb/tests/simple/90_debug_hung_script.sh
-%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
-
-%dir %{_datadir}/ctdb/tests/simple/etc-ctdb
-%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events
-%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy
-%{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy/00.test.script
%dir %{_datadir}/ctdb/tests/simple/scripts
%{_datadir}/ctdb/tests/simple/scripts/local.bash
%{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash
-%{_datadir}/ctdb/tests/simple/scripts/ssh_local_daemons.sh
%dir %{_datadir}/ctdb/tests/takeover
%{_datadir}/ctdb/tests/takeover/README
@@ -3245,20 +3268,42 @@ rm -rf %{buildroot}
%endif # with_clustering_support
%changelog
-* Mon Oct 21 2019 Isaac Boukris <iboukris@redhat.com> - 4.9.1.10
-- resolves: #1763650 - Fix spnego downgrade
+* Wed Jan 08 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.10.4-10
+- resolves: #1786324 - fix security level check for DsRGetForestTrustInformation
+
+* Thu Oct 31 2019 Isaac Boukris <iboukris@redhat.com> - 4.10.4-9
+- resolves: #1764468 - Fix CVE-2019-10218
+
+* Wed Oct 30 2019 Isaac Boukris <iboukris@redhat.com> - 4.10.4-8
+- resolves: #1656541 - Fix join using netbios name
+
+* Mon Oct 14 2019 Isaac Boukris <iboukris@redhat.com> - 4.10.4-7
+- resolves: #1657428 - Fix spnego downgrade
+- resolves: #1663064 - Fix net ads join in hardened environments
-* Tue Oct 08 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-9
-- resolves: #1759445 - Fix trusted domain enumeration in windind caused
+* Fri Oct 04 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-6
+- resolves: #1753254 - Fix trusted domain enumeration in windind caused
a Active Directory update
-* Tue Sep 24 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-8
-- resolves: #1754838 - Fix username/password auth with smbspool
-- resolves: #1754835 - Fix builtin groups creation.
+* Thu Sep 19 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-5
+- resolves: #1751335 - Fix username/passwd auth with smbspool
+
+* Mon Sep 16 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-4
+- resolves: #1740986 - Fix issues creating BUILTIN\Guests
+
+* Thu Sep 05 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.4-3
+- resolves: #1746240 - Security fix for CVE-2019-10197
+
+* Wed Sep 04 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.4-2
+- resolves: #1740000 - Fix 'net ads join createcomputer=<accountou>'
+* Wed Aug 14 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-1
+- resolves: #1497809 - Add --resolve-uids for 'smbstatus -L'
+- resolves: #1714947 - Fix idmap_tdb2 scripts
-* Fri Sep 06 2019 Guenther Deschner <gdeschner@redhat.com> - 4.9.1-7
-- resolves: #1749300 - Fix 'net ads join createcomputer=<accountou>'
+* Wed Aug 14 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-0
+- resolves: #1724991 - Update to version 4.10.4
+- resolves: #1595277 - Update manpage for 'net ads lookup'
* Fri May 24 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-6
- related: #1703204 - Fix printing with smbspool as CUPS backend