diff --git a/.gitignore b/.gitignore index a32ae18..32bbc7f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.16.4.tar.xz +SOURCES/samba-4.17.2.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index 620213e..fed6dd2 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -c943ec2e8b9413cd3465e39481b49872b4486e86 SOURCES/samba-4.16.4.tar.xz +2ce56aa6580d92541db898115f4da2d0512b51ad SOURCES/samba-4.17.2.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/samba-4.16-waf-crypto.patch b/SOURCES/samba-4.16-waf-crypto.patch deleted file mode 100644 index 337be97..0000000 --- a/SOURCES/samba-4.16-waf-crypto.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:24:04 +0200 -Subject: [PATCH 1/2] waf: Check for GnuTLS earlier - -As GnuTLS is an essential part we need to check for it early so we can react on -GnuTLS features in other wscripts. - -Signed-off-by: Andreas Schneider ---- - wscript | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/wscript b/wscript -index d8220b35095..5b85d9a1682 100644 ---- a/wscript -+++ b/wscript -@@ -189,6 +189,8 @@ def configure(conf): - conf.RECURSE('dynconfig') - conf.RECURSE('selftest') - -+ conf.PROCESS_SEPARATE_RULE('system_gnutls') -+ - conf.CHECK_CFG(package='zlib', minversion='1.2.3', - args='--cflags --libs', - mandatory=True) -@@ -297,8 +299,6 @@ def configure(conf): - if not conf.CONFIG_GET('KRB5_VENDOR'): - conf.PROCESS_SEPARATE_RULE('embedded_heimdal') - -- conf.PROCESS_SEPARATE_RULE('system_gnutls') -- - conf.RECURSE('source4/dsdb/samdb/ldb_modules') - conf.RECURSE('source4/ntvfs/sysdep') - conf.RECURSE('lib/util') --- -2.35.1 - - -From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:25:31 +0200 -Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS - provides the cipher - -Signed-off-by: Andreas Schneider ---- - third_party/wscript | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/third_party/wscript b/third_party/wscript -index 1f4bc1ce1d7..a17c15bcaa7 100644 ---- a/third_party/wscript -+++ b/third_party/wscript -@@ -5,7 +5,8 @@ from waflib import Options - def configure(conf): - conf.RECURSE('cmocka') - conf.RECURSE('popt') -- conf.RECURSE('aesni-intel') -+ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ conf.RECURSE('aesni-intel') - if conf.CONFIG_GET('ENABLE_SELFTEST'): - conf.RECURSE('socket_wrapper') - conf.RECURSE('nss_wrapper') -@@ -18,7 +19,8 @@ def configure(conf): - def build(bld): - bld.RECURSE('cmocka') - bld.RECURSE('popt') -- bld.RECURSE('aesni-intel') -+ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ bld.RECURSE('aesni-intel') - if bld.CONFIG_GET('SOCKET_WRAPPER'): - bld.RECURSE('socket_wrapper') - if bld.CONFIG_GET('NSS_WRAPPER'): --- -2.35.1 - diff --git a/SOURCES/samba-4.16.4.tar.asc b/SOURCES/samba-4.16.4.tar.asc deleted file mode 100644 index 96aba0e..0000000 --- a/SOURCES/samba-4.16.4.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmLg520ACgkQqplEL7aA -tiBsuA//ZqQhoz1unYEMk6tqu528xGweYd488gjdKkszWPCI5NmGbmvN/tbhUIc3 -WbJO8oPEFN81+a0b7nsKxpgDt8IR00rx4mA3A5rh+Z1PTbUWpjBxchTsXZsEaDaE -dA/pRes+rzDpjLg2VWAd+5SDwy1d5ZfZ+gX/qntfpgYLqiBfJNJJPxCEFqnG1IUF -xaWwKQNuduq89Wr3LabSCjx4IMQEABr8VN+WZG5JhmKBaad1I5tOBOFypLS0iKUX -bGsMr3itdKFvYmAFM2ZbY/Q7DZb5GIUvNOqyRcBYQe33tqS2GYjEHS0tbXoNP5l2 -gQcs3FiebX6Bi4I6EoFL380LLG1zskCV5xRtGIvrW7SOKCnkaswuxlHEQSVWFc0A -2aZmT7RaKYwtm+0kD+Fq3PWBwPvLBgiCP9oohfOgqrW9VnIJNbyCyJcBbK8snS0a -KIfr+hM+ccNBVhmpFWRjA0WkVW9d9/tcDFN63nTQJkZg4cXZboMVO7fjmo4U1oJK -qIVU5Xr0e5TXLNWguvr6t03CUvtfgBHMYFrHRX4HJTN7Z3m4WxAYt+jspIavQP/S -muj4g/INYmjZmBG2f9mign6Tt3MtOtHlymMFAJ1t1e+9B5v1dkmO4T6ffqbDgvg5 -bnAFUM5+bzW81DGJNbITDSNBU7PokwP4cQBNTVtgK38DW4BiPO8= -=6kYO ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.17.2.tar.asc b/SOURCES/samba-4.17.2.tar.asc new file mode 100644 index 0000000..146e2fb --- /dev/null +++ b/SOURCES/samba-4.17.2.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmNWbqoACgkQqplEL7aA +tiBRRBAArva0cDJeuSvlmC5t+i+WZTrFwg7txiu6a+GccMxwVIu9Ab2BeJSHA2Fe +Ghh9VGDkaaRlzyJNHZtnt5xn9tRcSVVAy4+8/hSroP0uW97JIyGRfnWNExsEyM6w +uSGFLsDpVsvpzMCfJqRm2umCO+XZ90M2ZQs6AlqbqyF6lHAY4jzI75o56T9GxijV +wx4gCdFSFQas79G/apNhuAuotqZHwEPxb8vUkoEgS1PbfbiVoYoI6RQDZ7WpOfwM +nKO3rbTGOZBGX7oJPUfSGPww/xrhoxaHv/9ixwruEqEPTUFQk+lWnY2DJ7EGGW5U +D7wSs/iW/TgDZAFsEv928odHNluSIZYktDBoKAG6cS/iiA3Bqv0U97CZBrJWj3P6 +vjpJECOHJDSq8UeimP4aToFP9NvZNr+GawNpOkL3N6lfPOIk7naRdqN7C01kNIoA +UX90K31J5YK440jlSwJ/uJAS1p1slvcsr+OYlAsRSc+Dug2biKonqv42qBgA+SvI +8pNOQVwINqujL/utoNbQ0Nu54RJ67C6l1Jh77Ng8OhtAtm5Jojm6ceXzms4pJCJ8 +8t/RO3/TqOl7ZxlBSsdiTt0peOAO/fvxpJYM3mVgWQBfjSNkHM8QhDJALXgKoJv3 +FXZG0peM5inxK70bDAN+fc0Ika74bT505OOtPzlwmjwxzHSKAJM= +=9Stz +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-s4u.patch b/SOURCES/samba-s4u.patch deleted file mode 100644 index 5d3cb55..0000000 --- a/SOURCES/samba-s4u.patch +++ /dev/null @@ -1,642 +0,0 @@ -From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:25:03 +0300 -Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------ - source4/kdc/mit_samba.c | 47 ++------- - source4/kdc/mit_samba.h | 6 +- - 3 files changed, 71 insertions(+), 106 deletions(-) - -diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index 793fe366c35..22534c09974 100644 ---- a/source4/kdc/mit-kdb/kdb_samba_policies.c -+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, - krb5_keyblock *krbtgt_key, - krb5_timestamp authtime, - krb5_authdata **tgt_auth_data, -- krb5_pac *pac) -+ krb5_pac *out_pac) - { - struct mit_samba_context *mit_ctx; - krb5_authdata **authdata = NULL; -- krb5_pac ipac = NULL; -- DATA_BLOB logon_data = { NULL, 0 }; -+ krb5_keyblock *header_server_key = NULL; -+ krb5_key_data *impersonator_kd = NULL; -+ krb5_keyblock impersonator_key = {0}; - krb5_error_code code; -+ krb5_pac pac; -+ -+ *out_pac = NULL; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { -@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = krb5_pac_parse(context, - authdata[0]->contents, - authdata[0]->length, -- &ipac); -+ &pac); - if (code != 0) { - goto done; - } - -- /* TODO: verify this is correct -- * -- * In the constrained delegation case, the PAC is from a service -- * ticket rather than a TGT; we must verify the server and KDC -- * signatures to assert that the server did not forge the PAC. -+ /* -+ * For constrained delegation in MIT version < 1.18 we aren't provided -+ * with the 2nd ticket server key to verify the PAC. -+ * We can workaround that by fetching the key from the client db entry, -+ * which is the impersonator account in that version. -+ * TODO: use the provided entry in the new 1.18 version. - */ - if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- server_key, -- krbtgt_key); -+ /* The impersonator must be local. */ -+ if (client == NULL) { -+ code = KRB5KDC_ERR_BADOPTION; -+ goto done; -+ } -+ /* Fetch and decrypt 2nd ticket server's current key. */ -+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0, -+ &impersonator_kd); -+ if (code != 0) { -+ goto done; -+ } -+ code = krb5_dbe_decrypt_key_data(context, NULL, -+ impersonator_kd, -+ &impersonator_key, NULL); -+ if (code != 0) { -+ goto done; -+ } -+ header_server_key = &impersonator_key; - } else { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- krbtgt_key, -- NULL); -- } -- if (code != 0) { -- goto done; -+ header_server_key = krbtgt_key; - } - -- /* check and update PAC */ -- code = krb5_pac_parse(context, -- authdata[0]->contents, -- authdata[0]->length, -- pac); -+ code = krb5_pac_verify(context, pac, authtime, client_princ, -+ header_server_key, NULL); - if (code != 0) { - goto done; - } -@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = mit_samba_reget_pac(mit_ctx, - context, - flags, -- client_princ, - client, - server, - krbtgt, - krbtgt_key, -- pac); -+ &pac); -+ if (code != 0) { -+ goto done; -+ } -+ -+ *out_pac = pac; -+ pac = NULL; - - done: -+ krb5_free_keyblock_contents(context, &impersonator_key); - krb5_free_authdata(context, authdata); -- krb5_pac_free(context, ipac); -- free(logon_data.data); -+ krb5_pac_free(context, pac); - - return code; - } -@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krb5_authdata **pac_auth_data = NULL; - krb5_authdata **authdata = NULL; - krb5_boolean is_as_req; -+ krb5_const_principal pac_client; - krb5_error_code code; - krb5_pac pac = NULL; - krb5_data pac_data; -@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; - krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; - -- /* FIXME: We don't support S4U yet */ -- if (flags & KRB5_KDB_FLAGS_S4U) { -- return KRB5_KDB_DBTYPE_NOSUP; -- } -- - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); - - /* -@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - ks_client_princ = client->princ; - } - -+ /* In protocol transition, we are currently not provided with the tgt -+ * client name to verify the PAC, we could probably skip the name -+ * verification and just verify the signatures, but since we don't -+ * support cross-realm nor aliases, we can just use server->princ */ -+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { -+ pac_client = server->princ; -+ } else { -+ pac_client = ks_client_princ; -+ } -+ - if (client_entry == NULL) { - client_entry = client; - } -@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - - code = ks_verify_pac(context, - flags, -- ks_client_princ, -+ pac_client, - client_entry, - server, - krbtgt, -@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - is_as_req ? "AS-REQ" : "TGS-REQ", - client_name); - code = krb5_pac_sign(context, pac, authtime, ks_client_princ, -- server_key, krbtgt_key, &pac_data); -+ server_key, krbtgt_key, &pac_data); - if (code != 0) { - DBG_ERR("krb5_pac_sign failed: %d\n", code); - goto done; -@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - KRB5_AUTHDATA_IF_RELEVANT, - authdata, - signed_auth_data); -- if (code != 0) { -- goto done; -- } -- -- code = 0; -- - done: - if (client_entry != NULL && client_entry != client) { - ks_free_principal(context, client_entry); -@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, - * server; -> delegating service - * proxy; -> target principal - */ -- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server); -- -- char *target_name = NULL; -- bool is_enterprise; -- krb5_error_code code; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { - return KRB5_KDB_DBNOTINITED; - } - -- code = krb5_unparse_name(context, proxy, &target_name); -- if (code) { -- goto done; -- } -- -- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL); -- -- code = mit_samba_check_s4u2proxy(mit_ctx, -- delegating_service, -- target_name, -- is_enterprise); -- --done: -- free(target_name); -- return code; -+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy); - } - - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index cb72b5de294..03c2c2ea1de 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - context, - *pac, - server->princ, -- discard_const(client_principal), -+ client->princ, - deleg_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Update delegation info failed: %s\n", -@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - } - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name) -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal) - { --#if 1 -- /* -- * This is disabled because mit_samba_update_pac_data() does not handle -- * S4U_DELEGATION_INFO -- */ -- -- return KRB5KDC_ERR_BADOPTION; --#else -- krb5_principal target_principal; -- int flags = 0; -- int ret; -- -- if (is_nt_enterprise_name) { -- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; -- } -- -- ret = krb5_parse_name_flags(ctx->context, target_name, -- flags, &target_principal); -- if (ret) { -- return ret; -- } -- -- ret = samba_kdc_check_s4u2proxy(ctx->context, -- ctx->db_ctx, -- skdc_entry, -- target_principal); -- -- krb5_free_principal(ctx->context, target_principal); -- -- return ret; --#endif -+ struct samba_kdc_entry *server_skdc_entry = -+ talloc_get_type_abort(server->e_data, -+ struct samba_kdc_entry); -+ -+ return samba_kdc_check_s4u2proxy(ctx->context, -+ ctx->db_ctx, -+ server_skdc_entry, -+ target_principal); - } - - static krb5_error_code mit_samba_change_pwd_error(krb5_context context, -diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h -index 4431e82a1b2..9370ab533af 100644 ---- a/source4/kdc/mit_samba.h -+++ b/source4/kdc/mit_samba.h -@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - DATA_BLOB *e_data); - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name); -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal); - - int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, - char *pwd, --- -2.37.1 - - -From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:35:30 +0300 -Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++ - lib/krb5_wrap/krb5_samba.h | 2 - - source4/auth/kerberos/kerberos_util.c | 11 -- - 3 files changed, 185 insertions(+), 13 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 4321f07ca09..3fd95e47fca 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - - return 0; - } -+ -+#else /* MIT */ -+ -+static bool princ_compare_no_dollar(krb5_context ctx, -+ krb5_principal a, -+ krb5_principal b) -+{ -+ bool cmp; -+ krb5_principal mod = NULL; -+ -+ if (a->length == 1 && b->length == 1 && -+ a->data[0].length != 0 && b->data[0].length != 0 && -+ a->data[0].data[a->data[0].length -1] != -+ b->data[0].data[b->data[0].length -1]) { -+ if (a->data[0].data[a->data[0].length -1] == '$') { -+ mod = a; -+ mod->data[0].length--; -+ } else if (b->data[0].data[b->data[0].length -1] == '$') { -+ mod = b; -+ mod->data[0].length--; -+ } -+ } -+ -+ cmp = krb5_principal_compare_flags(ctx, a, b, -+ KRB5_PRINCIPAL_COMPARE_CASEFOLD); -+ -+ if (mod != NULL) { -+ mod->data[0].length++; -+ } -+ -+ return cmp; -+} -+ -+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, -+ krb5_ccache store_cc, -+ krb5_principal init_principal, -+ const char *init_password, -+ krb5_principal impersonate_principal, -+ const char *self_service, -+ const char *target_service, -+ krb5_get_init_creds_opt *krb_options, -+ time_t *expire_time, -+ time_t *kdc_time) -+{ -+ krb5_error_code code; -+ krb5_principal self_princ = NULL; -+ krb5_principal target_princ = NULL; -+ krb5_creds *store_creds; -+ krb5_creds *s4u2self_creds = NULL; -+ krb5_creds *s4u2proxy_creds = NULL; -+ krb5_creds init_creds = {0}; -+ krb5_creds mcreds = {0}; -+ krb5_flags options = KRB5_GC_NO_STORE; -+ krb5_ccache tmp_cc; -+ bool s4u2proxy; -+ -+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc); -+ if (code != 0) { -+ return code; -+ } -+ -+ code = krb5_get_init_creds_password(ctx, &init_creds, -+ init_principal, -+ init_password, -+ NULL, NULL, -+ 0, -+ NULL, -+ krb_options); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* -+ * Check if we also need S4U2Proxy or if S4U2Self is -+ * enough in order to get a ticket for the target. -+ */ -+ if (target_service == NULL) { -+ s4u2proxy = false; -+ } else if (strcmp(target_service, self_service) == 0) { -+ s4u2proxy = false; -+ } else { -+ s4u2proxy = true; -+ } -+ -+ code = krb5_parse_name(ctx, self_service, &self_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt -+ * client and the request server to be the same principal name. */ -+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ mcreds.client = impersonate_principal; -+ mcreds.server = init_creds.client; -+ -+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds, -+ NULL, &s4u2self_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (s4u2proxy) { -+ code = krb5_parse_name(ctx, target_service, &target_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ mcreds.client = init_creds.client; -+ mcreds.server = target_princ; -+ mcreds.second_ticket = s4u2self_creds->ticket; -+ -+ code = krb5_get_credentials(ctx, options | -+ KRB5_GC_CONSTRAINED_DELEGATION, -+ tmp_cc, &mcreds, &s4u2proxy_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* Check KDC support of S4U2Proxy extension */ -+ if (!krb5_principal_compare(ctx, s4u2self_creds->client, -+ s4u2proxy_creds->client)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ store_creds = s4u2proxy_creds; -+ } else { -+ store_creds = s4u2self_creds;; -+ -+ /* We need to save the ticket with the requested server name -+ * or the caller won't be able to find it in cache. */ -+ if (!krb5_principal_compare(ctx, self_princ, -+ store_creds->server)) { -+ krb5_free_principal(ctx, store_creds->server); -+ store_creds->server = NULL; -+ code = krb5_copy_principal(ctx, self_princ, -+ &store_creds->server); -+ if (code != 0) { -+ goto done; -+ } -+ } -+ } -+ -+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, store_cc, store_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (expire_time) { -+ *expire_time = (time_t) store_creds->times.endtime; -+ } -+ -+ if (kdc_time) { -+ *kdc_time = (time_t) store_creds->times.starttime; -+ } -+ -+done: -+ krb5_cc_destroy(ctx, tmp_cc); -+ krb5_free_cred_contents(ctx, &init_creds); -+ krb5_free_creds(ctx, s4u2self_creds); -+ krb5_free_creds(ctx, s4u2proxy_creds); -+ krb5_free_principal(ctx, self_princ); -+ krb5_free_principal(ctx, target_princ); -+ -+ return code; -+} - #endif - - #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) -diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index a66b7465530..c8573f52bd9 100644 ---- a/lib/krb5_wrap/krb5_samba.h -+++ b/lib/krb5_wrap/krb5_samba.h -@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#ifdef SAMBA4_USES_HEIMDAL - krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_ccache store_cc, - krb5_principal init_principal, -@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#endif - - #if defined(HAVE_KRB5_MAKE_PRINCIPAL) - #define smb_krb5_make_principal krb5_make_principal -diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c -index 544d9d853cc..c14d8c72d8c 100644 ---- a/source4/auth/kerberos/kerberos_util.c -+++ b/source4/auth/kerberos/kerberos_util.c -@@ -234,9 +234,7 @@ done: - { - krb5_error_code ret; - const char *password; --#ifdef SAMBA4_USES_HEIMDAL - const char *self_service; --#endif - const char *target_service; - time_t kdc_time = 0; - krb5_principal princ; -@@ -268,9 +266,7 @@ done: - return ret; - } - --#ifdef SAMBA4_USES_HEIMDAL - self_service = cli_credentials_get_self_service(credentials); --#endif - target_service = cli_credentials_get_target_service(credentials); - - password = cli_credentials_get_password(credentials); -@@ -331,7 +327,6 @@ done: - #endif - if (password) { - if (impersonate_principal) { --#ifdef SAMBA4_USES_HEIMDAL - ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context, - ccache, - princ, -@@ -342,12 +337,6 @@ done: - krb_options, - NULL, - &kdc_time); --#else -- talloc_free(mem_ctx); -- (*error_string) = "INTERNAL error: s4u2 ops " -- "are not supported with MIT build yet"; -- return EINVAL; --#endif - } else { - ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, - ccache, --- -2.37.1 - - -From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 19 Sep 2020 14:16:20 +0200 -Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code - ---- - source4/kdc/mit_samba.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 03c2c2ea1de..30fade56531 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, - if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { - sflags |= SDB_F_CANON; - } -+#if KRB5_KDB_API_VERSION >= 10 -+ sflags |= SDB_F_FORCE_CANON; -+#endif - if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | - KRB5_KDB_FLAG_INCLUDE_PAC)) { - /* --- -2.37.1 - diff --git a/SOURCES/samba-systemd-sysusers.conf b/SOURCES/samba-systemd-sysusers.conf new file mode 100644 index 0000000..60ad7a5 --- /dev/null +++ b/SOURCES/samba-systemd-sysusers.conf @@ -0,0 +1,2 @@ +#Type Name ID +g printadmin - diff --git a/SOURCES/samba-usershares-systemd-sysusers.conf b/SOURCES/samba-usershares-systemd-sysusers.conf new file mode 100644 index 0000000..33f8fcb --- /dev/null +++ b/SOURCES/samba-usershares-systemd-sysusers.conf @@ -0,0 +1,2 @@ +#Type Name ID +g usershares - diff --git a/SOURCES/smb.conf.example b/SOURCES/smb.conf.example index e672ce9..4e6b5d4 100644 --- a/SOURCES/smb.conf.example +++ b/SOURCES/smb.conf.example @@ -281,7 +281,7 @@ [printers] comment = All Printers - path = /var/spool/samba + path = /var/tmp browseable = no guest ok = no writable = no diff --git a/SOURCES/smb.conf.vendor b/SOURCES/smb.conf.vendor index fe3f806..e45384d 100644 --- a/SOURCES/smb.conf.vendor +++ b/SOURCES/smb.conf.vendor @@ -2,6 +2,10 @@ # read the smb.conf manpage. # Run 'testparm' to verify the config is correct after # you modified it. +# +# Note: +# SMB1 is disabled by default. This means clients without support for SMB2 or +# SMB3 are no longer able to connect to smbd (by default). [global] workgroup = SAMBA @@ -14,6 +18,9 @@ load printers = yes cups options = raw + # Install samba-usershares package for support + include = /etc/samba/usershares.conf + [homes] comment = Home Directories valid users = %S, %D%w%S diff --git a/SOURCES/usershares.conf.vendor b/SOURCES/usershares.conf.vendor new file mode 100644 index 0000000..38a7885 --- /dev/null +++ b/SOURCES/usershares.conf.vendor @@ -0,0 +1,3 @@ +[global] + usershare max shares = 100 + usershare allow guests = yes diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 9d452c6..27c41b8 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -134,14 +134,9 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") +%global samba_version 4.17.2 %global baserelease 2 - -%global samba_version 4.16.4 -%global talloc_version 2.3.3 -%global tdb_version 1.4.6 -%global tevent_version 0.12.0 -%global ldb_version 2.5.2 -# This should be rc1 or nil +# This should be rc1 or %%nil %global pre_release %nil %global samba_release %{baserelease} @@ -149,6 +144,37 @@ %global samba_release 0.%{baserelease}.%{pre_release} %endif + +# If one of those versions change, we need to make sure we rebuilt or adapt +# projects comsuming those. This is e.g. sssd, openchange, evolution-mapi, ... +%global libdcerpc_binding_so_version 0 +%global libdcerpc_server_core_so_version 0 +%global libdcerpc_so_version 0 +%global libndr_krb5pac_so_version 0 +%global libndr_nbt_so_version 0 +%global libndr_so_version 3 +%global libndr_standard_so_version 0 +%global libnetapi_so_version 1 +%global libsamba_credentials_so_version 1 +%global libsamba_errors_so_version 1 +%global libsamba_hostconfig_so_version 0 +%global libsamba_passdb_so_version 0 +%global libsamba_util_so_version 0 +%global libsamdb_so_version 0 +%global libsmbconf_so_version 0 +%global libsmbldap_so_version 2 +%global libtevent_util_so_version 0 + +%global libsmbclient_so_version 0 +%global libwbclient_so_version 0 + +%global talloc_version 2.3.4 +%global tdb_version 1.4.7 +%global tevent_version 0.13.0 +%global ldb_version 2.6.1 + +%global required_mit_krb5 1.18 + # This is a network daemon, do a hardened build # Enables PIE and full RELRO protection %global _hardened_build 1 @@ -165,25 +191,19 @@ %global libwbc_alternatives_suffix -64 %endif -%global required_mit_krb5 1.18 - %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" Name: samba Version: %{samba_version} Release: %{samba_release}%{?dist} -%if 0%{?rhel} -Epoch: 0 -%else +%if 0%{?fedora} Epoch: 2 +%else +Epoch: 0 %endif -%if 0%{?epoch} > 0 %global samba_depver %{epoch}:%{version}-%{release} -%else -%global samba_depver %{version}-%{release} -%endif Summary: Server and Client software to interoperate with Windows machines License: GPLv3+ and LGPLv3+ @@ -200,18 +220,14 @@ Source11: smb.conf.vendor Source12: smb.conf.example Source13: pam_winbind.conf Source14: samba.pamd -Source15: samba.abignore +Source15: usershares.conf.vendor +Source16: samba-systemd-sysusers.conf +Source17: samba-usershares-systemd-sysusers.conf Source201: README.downgrade - -Patch0: samba-s4u.patch -# https://gitlab.com/samba-team/samba/-/merge_requests/2477 -Patch1: samba-4.16-waf-crypto.patch +Source202: samba.abignore Requires(pre): /usr/sbin/groupadd -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} @@ -219,6 +235,7 @@ Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: libnetapi = %{samba_depver} %if %{with libwbclient} Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} @@ -292,6 +309,7 @@ BuildRequires: readline-devel BuildRequires: rpcgen BuildRequires: rpcsvc-proto-devel BuildRequires: sed +BuildRequires: systemd-rpm-macros BuildRequires: libtasn1-devel # We need asn1Parser BuildRequires: libtasn1-tools @@ -492,6 +510,8 @@ Summary: Tools for Samba servers and clients Requires: samba-common-libs = %{samba_depver} Requires: samba-client-libs = %{samba_depver} Requires: samba-libs = %{samba_depver} +Requires: samba-ldb-ldap-modules = %{samba_depver} +Requires: libnetapi = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -520,6 +540,7 @@ Summary: Samba AD Domain Controller Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} +Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-dc-provision = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} @@ -599,6 +620,7 @@ Requires: %{name}-client-libs = %{samba_depver} %if %{with dc} Requires: %{name}-dc-libs = %{samba_depver} %endif +Requires: libnetapi = %{samba_depver} Provides: samba4-devel = %{samba_depver} Obsoletes: samba4-devel < %{samba_depver} @@ -661,6 +683,22 @@ Provides: bundled(libreplace) Samba VFS module for GlusterFS integration. %endif +### GPUPDATE +%if %{with dc} +%package gpupdate +Summary: Samba GPO support for clients +Requires: cepces +Requires: certmonger +Requires: %{name}-ldb-ldap-modules = %{samba_depver} +Requires: python3-%{name} = %{samba_depver} + +%description gpupdate +This package provides the samba-gpupdate tool to apply Group Policy Objects +(GPO) on Samba clients. + +# /with dc +%endif + ### KRB5-PRINTING %package krb5-printing Summary: Samba CUPS backend for printing with Kerberos @@ -676,6 +714,16 @@ If you need Kerberos for print jobs to a printer connection to cups via the SMB backend, then you need to install that package. It will allow cups to access the Kerberos credentials cache of the user issuing the print job. +### LDB-LDAP-MODULES +%package ldb-ldap-modules +Summary: Samba ldap modules for ldb +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} + +%description ldb-ldap-modules +This package contains the ldb ldap modules required by samba-tool and +samba-gpupdate. + ### LIBS %package libs Summary: Samba libraries @@ -694,6 +742,25 @@ Provides: bundled(libreplace) The %{name}-libs package contains the libraries needed by programs that link against the SMB, RPC and other protocols provided by the Samba suite. +### LIBNETAPI +%package -n libnetapi +Summary: The NETAPI library +Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} + +%description -n libnetapi +This contains the NETAPI library from the Samba suite. + +%package -n libnetapi-devel +Summary: Developer tools for the NETAPI library +Requires: libnetapi = %{samba_depver} + +%description -n libnetapi-devel +The libnetapi-devel package contains the header files and libraries needed to +develop programs that link against the NETAPI library in the Samba suite. + ### LIBSMBCLIENT %if %{with libsmbclient} %package -n libsmbclient @@ -830,6 +897,7 @@ Requires: %{name}-test-libs = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} %endif Requires: %{name}-libs = %{samba_depver} +Requires: libnetapi = %{samba_depver} %if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif @@ -866,6 +934,17 @@ Provides: bundled(libreplace) %description test-libs %{name}-test-libs provides libraries required by the testing tools. +### USERSHARES +%package usershares +Summary: Provides support for non-root user shares +Requires: %{name} = %{samba_depver} +Requires: %{name}-common-tools = %{samba_depver} + +%description usershares +Installing this package will provide a configuration file, group and +directories to support non-root user shares. You can configure them +as a user using the `net usershare` command. + ### WINBIND %package winbind Summary: Samba winbind @@ -985,6 +1064,7 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB) Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-winbind-clients = %{samba_depver} Requires: coreutils # for ps and killall @@ -1084,7 +1164,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB %prep +%if 0%{?fedora} || 0%{?rhel} >= 9 +xzcat %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=- +%else xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - +%endif %autosetup -n samba-%{version}%{pre_release} -p1 # Ensure we rely on GnuTLS and do not build any other crypto code shipping with @@ -1190,6 +1274,9 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" --systemd-smb-extra=%{_systemd_extra} \ --systemd-nmb-extra=%{_systemd_extra} \ --systemd-winbind-extra=%{_systemd_extra} \ +%if %{with clustering} + --systemd-ctdb-extra=%{_systemd_extra} \ +%endif --systemd-samba-extra=%{_systemd_extra} # Do not use %%make_build, make is just a wrapper around waf in Samba! @@ -1213,6 +1300,7 @@ install -d -m 0755 %{buildroot}/var/lib/samba/lock install -d -m 0755 %{buildroot}/var/lib/samba/private install -d -m 0755 %{buildroot}/var/lib/samba/scripts install -d -m 0755 %{buildroot}/var/lib/samba/sysvol +install -d -m 0755 %{buildroot}/var/lib/samba/usershares install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged install -d -m 0755 %{buildroot}/var/log/samba/old install -d -m 0755 %{buildroot}/run/samba @@ -1240,6 +1328,7 @@ install -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/logrotate.d/samba install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/samba/smb.conf install -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/samba/smb.conf.example +install -m 0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/samba/usershares.conf install -d -m 0755 %{buildroot}%{_sysconfdir}/security install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf @@ -1262,6 +1351,10 @@ echo "d /run/samba 755 root root" > %{buildroot}%{_tmpfilesdir}/samba.conf echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf %endif +install -d -m 0755 %{buildroot}%{_sysusersdir} +install -m 0644 %{SOURCE16} %{buildroot}%{_sysusersdir}/samba.conf +install -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/samba-usershares.conf + install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba %if %{with clustering} @@ -1275,10 +1368,6 @@ install -m 0644 ctdb/config/ctdb.conf %{buildroot}%{_sysconfdir}/ctdb/ctdb.conf install -m 0644 %{SOURCE201} packaging/README.downgrade -%if %{with clustering} -install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir} -%endif - # NetworkManager online/offline script install -d -m 0755 %{buildroot}%{_prefix}/lib/NetworkManager/dispatcher.d/ install -m 0755 packaging/NetworkManager/30-winbind-systemd \ @@ -1296,8 +1385,6 @@ for i in \ %{_mandir}/man8/samba.8 \ %{_mandir}/man8/samba_downgrade_db.8 \ %{_mandir}/man8/samba-gpupdate.8 \ - %{_libdir}/samba/ldb/ildap.so \ - %{_libdir}/samba/ldb/ldbsamba_extensions.so \ %{_unitdir}/samba.service \ %{python3_sitearch}/samba/dcerpc/dnsserver.*.so \ %{python3_sitearch}/samba/dnsserver.py \ @@ -1428,7 +1515,11 @@ export WINBINDD_DONT_LOG_STDOUT=1 %systemd_postun_with_restart nmb.service %pre common +%if 0%{?fedora} || 0%{?rhel} > 8 +%sysusers_create_compat %{SOURCE16} +%else getent group printadmin >/dev/null || groupadd -r printadmin || : +%endif %post common %{?ldconfig} @@ -1536,6 +1627,13 @@ fi %ldconfig_scriptlets test +%pre usershares +%if 0%{?fedora} || 0%{?rhel} > 8 +%sysusers_create_compat %{SOURCE17} +%else +getent group usershares >/dev/null || groupadd -r usershares || : +%endif + %pre winbind /usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || : @@ -1794,23 +1892,22 @@ fi ### CLIENT-LIBS %files client-libs -%{_libdir}/libdcerpc-binding.so.* -%{_libdir}/libdcerpc-server-core.so.* -%{_libdir}/libdcerpc.so.* -%{_libdir}/libndr-krb5pac.so.* -%{_libdir}/libndr-nbt.so.* -%{_libdir}/libndr-standard.so.* -%{_libdir}/libndr.so.* -%{_libdir}/libnetapi.so.* -%{_libdir}/libsamba-credentials.so.* -%{_libdir}/libsamba-errors.so.* -%{_libdir}/libsamba-hostconfig.so.* -%{_libdir}/libsamba-passdb.so.* -%{_libdir}/libsamba-util.so.* -%{_libdir}/libsamdb.so.* -%{_libdir}/libsmbconf.so.* -%{_libdir}/libsmbldap.so.* -%{_libdir}/libtevent-util.so.* +%{_libdir}/libdcerpc-binding.so.%{libdcerpc_binding_so_version}* +%{_libdir}/libdcerpc-server-core.so.%{libdcerpc_server_core_so_version}* +%{_libdir}/libdcerpc.so.%{libdcerpc_so_version}* +%{_libdir}/libndr-krb5pac.so.%{libndr_krb5pac_so_version}* +%{_libdir}/libndr-nbt.so.%{libndr_nbt_so_version}* +%{_libdir}/libndr-standard.so.%{libndr_standard_so_version}* +%{_libdir}/libndr.so.%{libndr_so_version}* +%{_libdir}/libsamba-credentials.so.%{libsamba_credentials_so_version}* +%{_libdir}/libsamba-errors.so.%{libsamba_errors_so_version}* +%{_libdir}/libsamba-hostconfig.so.%{libsamba_hostconfig_so_version}* +%{_libdir}/libsamba-passdb.so.%{libsamba_passdb_so_version}* +%{_libdir}/libsamba-util.so.%{libsamba_util_so_version}* +%{_libdir}/libsamdb.so.%{libsamdb_so_version}* +%{_libdir}/libsmbconf.so.%{libsmbconf_so_version}* +%{_libdir}/libsmbldap.so.%{libsmbldap_so_version}* +%{_libdir}/libtevent-util.so.%{libtevent_util_so_version}* %dir %{_libdir}/samba %{_libdir}/samba/libCHARSET3-samba4.so @@ -1899,7 +1996,7 @@ fi %endif %if %{without libsmbclient} -%{_libdir}/samba/libsmbclient.so.* +%{_libdir}/samba/libsmbclient.so.%{libsmbclient_so_version}* %{_mandir}/man7/libsmbclient.7* #endif without libsmbclient %endif @@ -1929,6 +2026,7 @@ fi ### COMMON %files common %{_tmpfilesdir}/samba.conf +%{_sysusersdir}/samba.conf %dir %{_sysconfdir}/logrotate.d/ %config(noreplace) %{_sysconfdir}/logrotate.d/samba %attr(0700,root,root) %dir /var/log/samba @@ -1948,7 +2046,7 @@ fi %{_mandir}/man5/smbpasswd.5* %{_mandir}/man7/samba.7* -### COMMON-libs +### COMMON-LIBS %files common-libs # common libraries %{_libdir}/samba/libcmdline-samba4.so @@ -1983,7 +2081,6 @@ fi %{_sbindir}/samba %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_downgrade_db -%{_sbindir}/samba-gpupdate %{_sbindir}/samba_kcc %{_sbindir}/samba_spnupdate %{_sbindir}/samba_upgradedns @@ -2008,10 +2105,8 @@ fi %{_libdir}/samba/ldb/extended_dn_out.so %{_libdir}/samba/ldb/extended_dn_store.so %{_libdir}/samba/ldb/group_audit_log.so -%{_libdir}/samba/ldb/ildap.so %{_libdir}/samba/ldb/instancetype.so %{_libdir}/samba/ldb/lazy_commit.so -%{_libdir}/samba/ldb/ldbsamba_extensions.so %{_libdir}/samba/ldb/linked_attributes.so %{_libdir}/samba/ldb/new_partition.so %{_libdir}/samba/ldb/objectclass.so @@ -2046,7 +2141,6 @@ fi %dir /var/lib/samba/sysvol %{_mandir}/man8/samba.8* %{_mandir}/man8/samba_downgrade_db.8* -%{_mandir}/man8/samba-gpupdate.8* %dir %{_datadir}/samba/admx %{_datadir}/samba/admx/samba.admx %dir %{_datadir}/samba/admx/en-US @@ -2156,7 +2250,6 @@ fi %{_includedir}/samba-4.0/ndr/ndr_krb5pac.h %{_includedir}/samba-4.0/ndr/ndr_svcctl.h %{_includedir}/samba-4.0/ndr/ndr_nbt.h -%{_includedir}/samba-4.0/netapi.h %{_includedir}/samba-4.0/param.h %{_includedir}/samba-4.0/passdb.h %{_includedir}/samba-4.0/policy.h @@ -2197,7 +2290,6 @@ fi %{_libdir}/libndr-nbt.so %{_libdir}/libndr-standard.so %{_libdir}/libndr.so -%{_libdir}/libnetapi.so %{_libdir}/libsamba-credentials.so %{_libdir}/libsamba-errors.so %{_libdir}/libsamba-hostconfig.so @@ -2211,7 +2303,6 @@ fi %{_libdir}/pkgconfig/ndr_krb5pac.pc %{_libdir}/pkgconfig/ndr_nbt.pc %{_libdir}/pkgconfig/ndr_standard.pc -%{_libdir}/pkgconfig/netapi.pc %{_libdir}/pkgconfig/samba-credentials.pc %{_libdir}/pkgconfig/samba-hostconfig.pc %{_libdir}/pkgconfig/samba-util.pc @@ -2258,11 +2349,23 @@ fi %{_mandir}/man8/vfs_glusterfs.8* %endif +### GPUPDATE +%if %{with dc} +%files gpupdate +%{_mandir}/man8/samba-gpupdate.8* +%{_sbindir}/samba-gpupdate +%endif + ### KRB5-PRINTING %files krb5-printing %attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper %{_mandir}/man8/smbspool_krb5_wrapper.8* +### LDB-LDAP-MODULES +%files ldb-ldap-modules +%{_libdir}/samba/ldb/ldbsamba_extensions.so +%{_libdir}/samba/ldb/ildap.so + ### LIBS %files libs %{_libdir}/libdcerpc-samr.so.* @@ -2279,6 +2382,16 @@ fi %{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so %{_libdir}/samba/libRPC-WORKER-samba4.so +### LIBNETAPI +%files -n libnetapi +%{_libdir}/libnetapi.so.%{libnetapi_so_version}* + +### LIBNETAPI-DEVEL +%files -n libnetapi-devel +%{_includedir}/samba-4.0/netapi.h +%{_libdir}/libnetapi.so +%{_libdir}/pkgconfig/netapi.pc + ### LIBSMBCLIENT %if %{with libsmbclient} %files -n libsmbclient @@ -2296,7 +2409,7 @@ fi ### LIBWBCLIENT %if %{with libwbclient} %files -n libwbclient -%{_libdir}/samba/wbclient/libwbclient.so.* +%{_libdir}/samba/wbclient/libwbclient.so.%{libwbclient_so_version}* ### LIBWBCLIENT-DEVEL %files -n libwbclient-devel @@ -2366,18 +2479,6 @@ fi %{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc -%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_cert_auto_enroll_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_chromium_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_firefox_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_firewalld_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_smb_conf_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_sudoers_ext.*.pyc %{python3_sitearch}/samba/__pycache__/graph.*.pyc %{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc %{python3_sitearch}/samba/__pycache__/idmap.*.pyc @@ -2395,14 +2496,6 @@ fi %{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_access_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_files_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_issue_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_motd_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_openssh_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_startup_scripts_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_sudoers_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_symlink_ext.*.pyc %{python3_sitearch}/samba/__pycache__/xattr.*.pyc %{python3_sitearch}/samba/_glue.*.so %{python3_sitearch}/samba/_ldb.*.so @@ -2464,11 +2557,6 @@ fi %{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py -%{python3_sitearch}/samba/gpclass.py -%{python3_sitearch}/samba/gp_gnome_settings_ext.py -%{python3_sitearch}/samba/gp_scripts_ext.py -%{python3_sitearch}/samba/gp_sec_ext.py -%{python3_sitearch}/samba/gpo.*.so %{python3_sitearch}/samba/graph.py %{python3_sitearch}/samba/hostconfig.py %{python3_sitearch}/samba/idmap.py @@ -2487,14 +2575,57 @@ fi %{python3_sitearch}/samba/emulate/__init__.py %{python3_sitearch}/samba/emulate/traffic.py %{python3_sitearch}/samba/emulate/traffic_packets.py -%{python3_sitearch}/samba/gp_cert_auto_enroll_ext.py -%{python3_sitearch}/samba/gp_chromium_ext.py -%{python3_sitearch}/samba/gp_ext_loader.py -%{python3_sitearch}/samba/gp_firefox_ext.py -%{python3_sitearch}/samba/gp_firewalld_ext.py -%{python3_sitearch}/samba/gp_msgs_ext.py -%{python3_sitearch}/samba/gp_smb_conf_ext.py -%{python3_sitearch}/samba/gp_sudoers_ext.py +%dir %{python3_sitearch}/samba/gp +%dir %{python3_sitearch}/samba/gp/__pycache__ +%{python3_sitearch}/samba/gp/__pycache__/gpclass.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_crontab_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_cert_auto_enroll_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_chromium_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_firefox_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_firewalld_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_gnome_settings_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_msgs_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_scripts_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_sec_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_smb_conf_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_access_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_files_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_issue_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_motd_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_openssh_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_startup_scripts_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_symlink_ext.*.pyc +%{python3_sitearch}/samba/gp/gpclass.py +%{python3_sitearch}/samba/gp/gp_gnome_settings_ext.py +%{python3_sitearch}/samba/gp/gp_scripts_ext.py +%{python3_sitearch}/samba/gp/gp_sec_ext.py +%{python3_sitearch}/samba/gp/gp_centrify_crontab_ext.py +%{python3_sitearch}/samba/gp/gp_centrify_sudoers_ext.py +%{python3_sitearch}/samba/gp/gp_cert_auto_enroll_ext.py +%{python3_sitearch}/samba/gp/gp_chromium_ext.py +%{python3_sitearch}/samba/gp/gp_ext_loader.py +%{python3_sitearch}/samba/gp/gp_firefox_ext.py +%{python3_sitearch}/samba/gp/gp_firewalld_ext.py +%{python3_sitearch}/samba/gp/gp_msgs_ext.py +%{python3_sitearch}/samba/gp/gp_smb_conf_ext.py +%{python3_sitearch}/samba/gp/gp_sudoers_ext.py +%dir %{python3_sitearch}/samba/gp/util +%dir %{python3_sitearch}/samba/gp/util/__pycache__ +%{python3_sitearch}/samba/gp/util/__pycache__/logging.*.pyc +%{python3_sitearch}/samba/gp/util/logging.py +%{python3_sitearch}/samba/gp/vgp_access_ext.py +%{python3_sitearch}/samba/gp/vgp_files_ext.py +%{python3_sitearch}/samba/gp/vgp_issue_ext.py +%{python3_sitearch}/samba/gp/vgp_motd_ext.py +%{python3_sitearch}/samba/gp/vgp_openssh_ext.py +%{python3_sitearch}/samba/gp/vgp_startup_scripts_ext.py +%{python3_sitearch}/samba/gp/vgp_sudoers_ext.py +%{python3_sitearch}/samba/gp/vgp_symlink_ext.py +%{python3_sitearch}/samba/gpo.*.so %dir %{python3_sitearch}/samba/gp_parse %{python3_sitearch}/samba/gp_parse/__init__.py %dir %{python3_sitearch}/samba/gp_parse/__pycache__ @@ -2589,9 +2720,11 @@ fi %{python3_sitearch}/samba/samba3/mdscli.*.so %{python3_sitearch}/samba/samba3/param.*.so %{python3_sitearch}/samba/samba3/passdb.*.so +%{python3_sitearch}/samba/samba3/smbconf.*.so %{python3_sitearch}/samba/samba3/smbd.*.so %{python3_sitearch}/samba/sd_utils.py %{python3_sitearch}/samba/sites.py +%{python3_sitearch}/samba/smbconf.*.so %{python3_sitearch}/samba/subnets.py %dir %{python3_sitearch}/samba/subunit %{python3_sitearch}/samba/subunit/__init__.py @@ -2603,14 +2736,6 @@ fi %{python3_sitearch}/samba/trust_utils.py %{python3_sitearch}/samba/upgrade.py %{python3_sitearch}/samba/upgradehelpers.py -%{python3_sitearch}/samba/vgp_access_ext.py -%{python3_sitearch}/samba/vgp_files_ext.py -%{python3_sitearch}/samba/vgp_issue_ext.py -%{python3_sitearch}/samba/vgp_motd_ext.py -%{python3_sitearch}/samba/vgp_openssh_ext.py -%{python3_sitearch}/samba/vgp_startup_scripts_ext.py -%{python3_sitearch}/samba/vgp_sudoers_ext.py -%{python3_sitearch}/samba/vgp_symlink_ext.py %{python3_sitearch}/samba/werror.*.so %{python3_sitearch}/samba/xattr.py %{python3_sitearch}/samba/xattr_native.*.so @@ -2756,6 +2881,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/logfiles.*.pyc %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc @@ -2773,6 +2899,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/ntlm_auth_krb5.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_chauthtok.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/pam_winbind_setcred.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_warn_pwd_expire.*.pyc %{python3_sitearch}/samba/tests/__pycache__/param.*.pyc %{python3_sitearch}/samba/tests/__pycache__/password_hash.*.pyc @@ -2803,7 +2930,9 @@ fi %{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sid_strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/smbconf.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb-notify.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc @@ -2838,6 +2967,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_dns.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls.*.pyc @@ -2854,6 +2984,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py %{python3_sitearch}/samba/tests/blackbox/mdsearch.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py +%{python3_sitearch}/samba/tests/blackbox/netads_dns.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py %{python3_sitearch}/samba/tests/blackbox/smbcacls.py @@ -2978,8 +3109,11 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/lockout_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/nt_hash_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/protected_users_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc @@ -3005,8 +3139,11 @@ fi %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py %{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py +%{python3_sitearch}/samba/tests/krb5/lockout_tests.py %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +%{python3_sitearch}/samba/tests/krb5/nt_hash_tests.py %{python3_sitearch}/samba/tests/krb5/pac_align_tests.py +%{python3_sitearch}/samba/tests/krb5/protected_users_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py @@ -3029,6 +3166,7 @@ fi %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py +%{python3_sitearch}/samba/tests/logfiles.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py %{python3_sitearch}/samba/tests/ndr.py @@ -3045,6 +3183,7 @@ fi %{python3_sitearch}/samba/tests/ntlm_auth_krb5.py %{python3_sitearch}/samba/tests/pam_winbind.py %{python3_sitearch}/samba/tests/pam_winbind_chauthtok.py +%{python3_sitearch}/samba/tests/pam_winbind_setcred.py %{python3_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py %{python3_sitearch}/samba/tests/param.py %{python3_sitearch}/samba/tests/password_hash.py @@ -3153,7 +3292,9 @@ fi %{python3_sitearch}/samba/tests/sddl.py %{python3_sitearch}/samba/tests/security.py %{python3_sitearch}/samba/tests/segfault.py +%{python3_sitearch}/samba/tests/sid_strings.py %{python3_sitearch}/samba/tests/smb.py +%{python3_sitearch}/samba/tests/smbconf.py %{python3_sitearch}/samba/tests/smb-notify.py %{python3_sitearch}/samba/tests/smbd_base.py %{python3_sitearch}/samba/tests/smbd_fuzztest.py @@ -3196,6 +3337,12 @@ fi %{_libdir}/samba/libdsdb-module-samba4.so %endif +### USERSHARES +%files usershares +%config(noreplace) %{_sysconfdir}/samba/usershares.conf +%attr(1770,root,usershares) %dir /var/lib/samba/usershares +%{_sysusersdir}/samba-usershares.conf + ### WINBIND %files winbind %{_libdir}/samba/idmap @@ -3274,7 +3421,6 @@ fi %config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check %{_sbindir}/ctdbd -%{_sbindir}/ctdbd_wrapper %{_bindir}/ctdb %{_bindir}/ctdb_diagnostics %{_bindir}/ltdbtool @@ -3307,7 +3453,6 @@ fi %{_mandir}/man1/onnode.1.gz %{_mandir}/man1/ltdbtool.1.gz %{_mandir}/man1/ping_pong.1.gz -%{_mandir}/man1/ctdbd_wrapper.1.gz %{_mandir}/man5/ctdb.conf.5.gz %{_mandir}/man5/ctdb-script.options.5.gz %{_mandir}/man5/ctdb.sysconfig.5.gz @@ -4163,6 +4308,15 @@ fi %endif %changelog +* Wed Nov 02 2022 Pavel Filipenský - 4.17.2-2 +- Always add epoch to samba_depver to fix osci.brew-build.rpmdeplint.functional +- related: rhbz#2132051 + +* Wed Oct 26 2022 Andreas Schneider - 4.17.2-1 +- resolves: rhbz#2132051 - Update to version 4.17.2 +- resolves: rhbz#2126174 - Fix CVE-2022-1615 +- resolves: rhbz#2108487 - ctdb: Add dependency to samba-winbind-clients + * Thu Aug 25 2022 Andreas Schneider - 4.16.4-2 - resolves: rhbz#2120956 - Do not require samba package in python3-samba