diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..15a87be
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+SOURCES/samba-4.6.2.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
new file mode 100644
index 0000000..ac19222
--- /dev/null
+++ b/.samba.metadata
@@ -0,0 +1,2 @@
+6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+57a1a9dce118fa9059f9d3e7a595db3491e265bc SOURCES/samba-4.6.2.tar.xz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/CVE-2017-12150.patch b/SOURCES/CVE-2017-12150.patch
new file mode 100644
index 0000000..7eb1ef8
--- /dev/null
+++ b/SOURCES/CVE-2017-12150.patch
@@ -0,0 +1,381 @@
+From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Tue, 29 Aug 2017 17:06:21 +0200
+Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed
+ username into a specified one
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/include/auth_info.h | 1 +
+ source3/lib/popt_common.c | 6 +-----
+ source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++
+ 3 files changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
+index c6f71ad..8212c27 100644
+--- a/source3/include/auth_info.h
++++ b/source3/include/auth_info.h
+@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
+ const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
+ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
+ const char *username);
++void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);
+ const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);
+ void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
+ const char *domain);
+diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
+index 9928c70..36b5e92 100644
+--- a/source3/lib/popt_common.c
++++ b/source3/lib/popt_common.c
+@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)
+ void popt_common_credentials_post(void)
+ {
+ struct user_auth_info *auth_info = cmdline_auth_info;
+- const char *username = NULL;
+
+ if (get_cmdline_auth_info_use_machine_account(auth_info) &&
+ !set_cmdline_auth_info_machine_account_creds(auth_info))
+@@ -259,10 +258,7 @@ void popt_common_credentials_post(void)
+ * correctly parsed yet. If we have a username we need to set it again
+ * to run the string parser for the username correctly.
+ */
+- username = get_cmdline_auth_info_username(auth_info);
+- if (username != NULL && username[0] != '\0') {
+- set_cmdline_auth_info_username(auth_info, username);
+- }
++ reset_cmdline_auth_info_username(auth_info);
+ }
+
+ static void popt_common_credentials_callback(poptContext con,
+diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
+index ad51a4f..80142e2 100644
+--- a/source3/lib/util_cmdline.c
++++ b/source3/lib/util_cmdline.c
+@@ -37,6 +37,7 @@
+ struct user_auth_info {
+ struct cli_credentials *creds;
+ struct loadparm_context *lp_ctx;
++ bool got_username;
+ bool got_pass;
+ int signing_state;
+ bool smb_encrypt;
+@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
+ if (!ok) {
+ exit(EIO);
+ }
++ auth_info->got_username = true;
+ }
+
+ const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
+@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
+ exit(ENOMEM);
+ }
+
++ auth_info->got_username = true;
+ if (strchr_m(username, '%') != NULL) {
+ auth_info->got_pass = true;
+ }
+ }
+
++void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
++{
++ const char *username = NULL;
++ const char *new_val = NULL;
++
++ if (!auth_info->got_username) {
++ return;
++ }
++
++ username = cli_credentials_get_username(auth_info->creds);
++ if (username == NULL) {
++ return;
++ }
++ if (username[0] == '\0') {
++ return;
++ }
++
++ cli_credentials_parse_string(auth_info->creds,
++ username,
++ CRED_SPECIFIED);
++ new_val = cli_credentials_get_username(auth_info->creds);
++ if (new_val == NULL) {
++ exit(ENOMEM);
++ }
++}
++
+ const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
+ {
+ const char *domain = NULL;
+--
+1.9.1
+
+
+From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Thu, 3 Nov 2016 17:16:43 +0100
+Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:
+
get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
+
+This is an addition to the fixes for CVE-2015-5296.
+
+It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/lib/util_cmdline.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
+index 80142e2..90ee67c 100644
+--- a/source3/lib/util_cmdline.c
++++ b/source3/lib/util_cmdline.c
+@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
+
+ int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
+ {
++ if (auth_info->smb_encrypt) {
++ return SMB_SIGNING_REQUIRED;
++ }
+ return auth_info->signing_state;
+ }
+
+--
+1.9.1
+
+
+From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Fri, 9 Dec 2016 09:26:32 +0100
+Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of
+ SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/libsmb/pylibsmb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
+index 59c0998..350c6d4 100644
+--- a/source3/libsmb/pylibsmb.c
++++ b/source3/libsmb/pylibsmb.c
+@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
+
+ req = cli_full_connection_creds_send(
+ NULL, self->ev, "myname", host, NULL, 0, share, "?????",
+- cli_creds, 0, 0);
++ cli_creds, 0, SMB_SIGNING_DEFAULT);
+ if (!py_tevent_req_wait_exc(self->ev, req)) {
+ return -1;
+ }
+--
+1.9.1
+
+
+From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Mon, 12 Dec 2016 05:49:46 +0100
+Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
+
in gpo_connect_server()
+
+It's important that we use a signed connection to get the GPOs!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ libgpo/gpo_fetch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
+index 836bc23..3740d4e 100644
+--- a/libgpo/gpo_fetch.c
++++ b/libgpo/gpo_fetch.c
+@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
+ ads->auth.password,
+ CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
+- Undefined);
++ SMB_SIGNING_REQUIRED);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("check_refresh_gpo: "
+ "failed to connect: %s\n",
+--
+1.9.1
+
+
+From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Tue, 29 Aug 2017 15:24:14 +0200
+Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:
+ cli_credentials_authentication_requested() should check for
+ NTLM_CCACHE/SIGN/SEAL
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ auth/credentials/credentials.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index 06648c7..5e3b5e8 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -25,6 +25,7 @@
+ #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
+ #include "auth/credentials/credentials.h"
+ #include "auth/credentials/credentials_internal.h"
++#include "auth/gensec/gensec.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "tevent.h"
+ #include "param/param.h"
+@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
+
+ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
+ {
++ uint32_t gensec_features = 0;
++
+ if (cred->bind_dn) {
+ return true;
+ }
+@@ -327,6 +330,19 @@ _PUBLIC_
bool cli_credentials_authentication_requested(struct cli_credentials *c
+ return true;
+ }
+
++ gensec_features = cli_credentials_get_gensec_features(cred);
++ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
++ return true;
++ }
++
++ if (gensec_features & GENSEC_FEATURE_SIGN) {
++ return true;
++ }
++
++ if (gensec_features & GENSEC_FEATURE_SEAL) {
++ return true;
++ }
++
+ return false;
+ }
+
+--
+1.9.1
+
+
+From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Tue, 29 Aug 2017 15:35:49 +0200
+Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add
+ smbXcli_conn_signing_mandatory()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ libcli/smb/smbXcli_base.c | 5 +++++
+ libcli/smb/smbXcli_base.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
+index b21d796..239e5eb 100644
+--- a/libcli/smb/smbXcli_base.c
++++ b/libcli/smb/smbXcli_base.c
+@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
+ return false;
+ }
+
++bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
++{
++ return conn->mandatory_signing;
++}
++
+ void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
+ {
+ set_socket_options(conn->sock_fd, options);
+diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
+index e48fc35..2594f07 100644
+--- a/libcli/smb/smbXcli_base.h
++++ b/libcli/smb/smbXcli_base.h
+@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
+
+ enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
+ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
++bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
+
+ void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
+ const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
+--
+1.9.1
+
+
+From
28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Mon, 12 Dec 2016 06:07:56 +0100
+Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
+ authentication was not requested
+
+With forced encryption or required signing we should also don't fallback.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/libsmb/clidfs.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index 75012b2..fdcd665 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -26,6 +26,7 @@
+ #include "trans2.h"
+ #include "libsmb/nmblib.h"
+ #include "../libcli/smb/smbXcli_base.h"
++#include "auth/credentials/credentials.h"
+
+ /********************************************************************
+ Important point.
+@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ char *servicename;
+ char *sharename;
+ char *newserver, *newshare;
+- const char *username;
+- const char *password;
+- const char *domain;
+ NTSTATUS status;
+ int flags = 0;
+ int signing_state = get_cmdline_auth_info_signing_state(auth_info);
+@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
+ }
+
+- username = get_cmdline_auth_info_username(auth_info);
+- password = get_cmdline_auth_info_password(auth_info);
+- domain = get_cmdline_auth_info_domain(auth_info);
+- if ((domain == NULL) || (domain[0] == '\0')) {
+- domain = lp_workgroup();
+- }
+-
+ creds = get_cmdline_auth_info_creds(auth_info);
+
+ status = cli_session_setup_creds(c, creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* If a password was not supplied then
+ * try again with a null username.
*/
+- if (password[0] || !username[0] ||
+- get_cmdline_auth_info_use_kerberos(auth_info) ||
++ if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
++ cli_credentials_authentication_requested(creds) ||
++ cli_credentials_is_anonymous(creds) ||
+ !NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
+ {
+ d_printf("session setup failed: %s\n",
+--
+1.9.1
+
diff --git a/SOURCES/CVE-2017-12151.patch b/SOURCES/CVE-2017-12151.patch
new file mode 100644
index 0000000..bfd6f80
--- /dev/null
+++ b/SOURCES/CVE-2017-12151.patch
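Review bot: In SOURCES/CVE-2017-12150.patch (patch 1/7), set_cmdline_auth_info_from_file() sets `auth_info->got_username = true;` whenever parsing succeeded, so the flag does not record whether the credentials file actually contained a username. If a file carries only a password or domain, reset_cmdline_auth_info_username() would then re-parse the guessed name with CRED_SPECIFIED, which is the promotion the patch subject says it removes; the parse call sits above the hunk, so this needs checking against it. I would set the flag only when the file supplied a username, or failing that document the behaviour with `/* any successfully parsed file marks the username as specified */`. The comment kept in do_connect() (patch 7/7), "If a password was not supplied then try again with a null username", also no longer describes the new condition and should name the cases where the anonymous retry is skipped.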
@@ -0,0 +1,111 @@
+From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Mon, 14 Aug 2017 12:13:18 +0200
+Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add
+ cli_state_is_encryption_on() helper function
+
+This allows to check if the current cli_state uses encryption
+(either via unix extentions or via SMB3).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/libsmb/clientgen.c | 13 +++++++++++++
+ source3/libsmb/proto.h | 1 +
+ 2 files changed, 14 insertions(+)
+
+diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
+index bc5c1b1ce3c..3e8523e5ce8 100644
+--- a/source3/libsmb/clientgen.c
++++ b/source3/libsmb/clientgen.c
+@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)
+ return cli->smb1.pid;
+ }
+
++bool cli_state_is_encryption_on(struct cli_state *cli)
++{
++ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
++ return smb1cli_conn_encryption_on(cli->conn);
++ }
++
++ if (cli->smb2.tcon == NULL) {
++ return false;
++ }
++
++ return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
++}
++
+ bool cli_state_has_tcon(struct cli_state *cli)
+ {
+ uint16_t tid = cli_state_get_tid(cli);
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index 764f3fc1b12..67fa43e4e4a 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
+ uint16_t cli_state_get_vc_num(struct cli_state *cli);
+ uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
+ uint32_t cli_getpid(struct cli_state *cli);
++bool cli_state_is_encryption_on(struct cli_state *cli);
+ bool cli_state_has_tcon(struct cli_state *cli);
+ uint16_t cli_state_get_tid(struct cli_state *cli);
+ uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);
+--
+2.13.5
+
+
+From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date:
Sat, 17 Dec 2016 10:36:49 +0100
+Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of
+ cli_state_is_encryption_on()
+
+This will keep enforced encryption across dfs referrals.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/libsmb/clidfs.c | 4 ++--
+ source3/libsmb/libsmb_context.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index c477d7c6a46..99818a681e3 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
+ "IPC$",
+ dfs_auth_info,
+ false,
+- smb1cli_conn_encryption_on(rootcli->conn),
++ cli_state_is_encryption_on(rootcli),
+ smbXcli_conn_protocol(rootcli->conn),
+ 0,
+ 0x20,
+@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
+ dfs_refs[count].share,
+ dfs_auth_info,
+ false,
+- smb1cli_conn_encryption_on(rootcli->conn),
++ cli_state_is_encryption_on(rootcli),
+ smbXcli_conn_protocol(rootcli->conn),
+ 0,
+ 0x20,
+diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
+index ed6ca2b1b9f..b55cf1e2d15 100644
+--- a/source3/libsmb/libsmb_context.c
++++ b/source3/libsmb/libsmb_context.c
+@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
+
+ for (s = context->internal->servers; s; s = s->next) {
+ num_servers++;
+- if (!smb1cli_conn_encryption_on(s->cli->conn)) {
++ if (!cli_state_is_encryption_on(s->cli)) {
+ return (void *)false;
+ }
+ }
+--
+2.13.5
+
diff --git a/SOURCES/CVE-2017-12163.patch b/SOURCES/CVE-2017-12163.patch
new file mode 100644
index 0000000..1e9f99e
--- /dev/null
+++ b/SOURCES/CVE-2017-12163.patch
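Review bot: cli_state_is_encryption_on() in SOURCES/CVE-2017-12151.patch returns false for an SMB2 or later connection whose `cli->smb2.tcon` is NULL, and the helper carries no comment saying that this case means "not encrypted". The two callers in cli_resolve_path() pass the result in the slot that previously held `smb1cli_conn_encryption_on(rootcli->conn)`, which appears to be the force-encryption argument for the referral connection, so a root connection without a tree connect would open the referral without enforced encryption; whether that state is reachable cannot be seen from these hunks. I would document the contract above the helper, for example `/* true only if the SMB1 transport or the current SMB2+ tree connect is encrypted; false when no tcon exists */`, so callers that use it as a policy input know about the NULL case.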
@@ -0,0 +1,141 @@
+From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Fri, 8 Sep 2017 10:13:14 -0700
+Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
+ writing server memory to file.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
+
+Signed-off-by: Jeremy Allison
+Signed-off-by: Stefan Metzmacher
+---
+ source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 317143f..7b07078 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
+ }
+
+ /* Ensure we don't write bytes past the end of this packet. */
++ /*
++ * This already protects us against CVE-2017-12163.
++ */
+ if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ error_to_writebrawerr(req);
+@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
+ exit_server_cleanly("secondary writebraw failed");
+ }
+
++ /*
++ * We are not vulnerable to CVE-2017-12163
++ * here as we are guarenteed to have numtowrite
++ * bytes available - we just read from the client.
++ */
+ nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
+ if (nwritten == -1) {
+ TALLOC_FREE(buf);
+@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
+ connection_struct *conn = req->conn;
+ ssize_t nwritten = -1;
+ size_t numtowrite;
++ size_t remaining;
+ off_t startpos;
+ const char *data;
+ NTSTATUS status = NT_STATUS_OK;
+@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
+ startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ data = (const char *)req->buf + 3;
+
++ /*
++ * Ensure client isn't asking us to write more than
++ * they sent. CVE-2017-12163.
++ */
++ remaining = smbreq_bufrem(req, data);
++ if (numtowrite > remaining) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ END_PROFILE(SMBwriteunlock);
++ return;
++ }
++
+ if (!fsp->print_file && numtowrite > 0) {
+ init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
+ {
+ connection_struct *conn = req->conn;
+ size_t numtowrite;
++ size_t remaining;
+ ssize_t nwritten = -1;
+ off_t startpos;
+ const char *data;
+@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
+ startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ data = (const char *)req->buf + 3;
+
++ /*
++ * Ensure client isn't asking us to write more than
++ * they sent. CVE-2017-12163.
++ */
++ remaining = smbreq_bufrem(req, data);
++ if (numtowrite > remaining) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ END_PROFILE(SMBwrite);
++ return;
++ }
++
+ if (!fsp->print_file) {
+ init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
+ goto out;
+ }
+ } else {
++ /*
++ * This already protects us against CVE-2017-12163.
++ */
+ if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
+ smb_doff + numtowrite > smblen) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
+ {
+ connection_struct *conn = req->conn;
+ size_t numtowrite;
++ size_t remaining;
+ ssize_t nwritten = -1;
+ NTSTATUS close_status = NT_STATUS_OK;
+ off_t startpos;
+@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
+ mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
+ data = (const char *)req->buf + 1;
+
++ /*
++ * Ensure client isn't asking us to write more than
++ * they sent. CVE-2017-12163.
++ */
++ remaining = smbreq_bufrem(req, data);
++ if (numtowrite > remaining) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ END_PROFILE(SMBwriteclose);
++ return;
++ }
++
+ if (fsp->print_file == NULL) {
+ init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
+
+ numtowrite = SVAL(req->buf, 1);
+
++ /*
++ * This already protects us against CVE-2017-12163.
++ */
+ if (req->buflen < numtowrite + 3) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBsplwr);
+--
+1.9.1
+
diff --git a/SOURCES/CVE-2017-14746.patch b/SOURCES/CVE-2017-14746.patch
new file mode 100644
index 0000000..d33d24d
--- /dev/null
+++ b/SOURCES/CVE-2017-14746.patch
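Review bot: The new `numtowrite > remaining` checks in reply_writeunlock(), reply_write() and reply_writeclose() (SOURCES/CVE-2017-12163.patch) compute `data` as `req->buf + 3` (or `+ 1`) before anything in these hunks confirms that the request buffer holds that many bytes. smbreq_bufrem() is defined outside the patch; if it subtracts the offset from `req->buflen` in unsigned arithmetic, a buffer shorter than the offset would make `remaining` wrap and the check pass. reply_printwrite() in the same file already guards with `req->buflen < numtowrite + 3`, so I would make the three new checks explicit in the same way, e.g. `if (req->buflen < 3 || numtowrite > remaining) {` (`< 1` in reply_writeclose()). All three function bodies extend beyond the hunks, so an earlier length check may already exist there and should be confirmed.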
@@ -0,0 +1,63 @@
+From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Tue, 19 Sep 2017 16:11:33 -0700
+Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When setting up the chain, always use 'next->' variables
+not the 'req->' one.
+
+Bug discovered by 连一汉
+
+CVE-2017-14746
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
+
+Signed-off-by: Jeremy Allison
+---
+ source3/smbd/process.c | 7 ++++---
+ source3/smbd/reply.c | 5 +++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/source3/smbd/process.c b/source3/smbd/process.c
+index b65ae2c1b1c..9b2b0a669a2 100644
+--- a/source3/smbd/process.c
++++ b/source3/smbd/process.c
+@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
+
+ next->vuid = SVAL(req->outbuf, smb_uid);
+ next->tid = SVAL(req->outbuf, smb_tid);
+- status = smb1srv_tcon_lookup(req->xconn, req->tid,
++ status = smb1srv_tcon_lookup(req->xconn, next->tid,
+ now, &tcon);
++
+ if (NT_STATUS_IS_OK(status)) {
+- req->conn = tcon->compat;
++ next->conn = tcon->compat;
+ } else {
+- req->conn = NULL;
++ next->conn = NULL;
+ }
+ next->chain_fsp = req->chain_fsp;
+ next->inbuf = req->inbuf;
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 7b07078249b..81acedf0413 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
+ }
+
+ TALLOC_FREE(tcon);
++ /*
++ * This tree id is gone. Make sure we can't re-use it
++ * by accident.
++ */
++ req->tid = 0;
+ }
+
+ if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
+--
+2.14.2.920.gcf0c67979c-goog
+
diff --git a/SOURCES/CVE-2017-15275.patch b/SOURCES/CVE-2017-15275.patch
new file mode 100644
index 0000000..f0510f9
--- /dev/null
+++ b/SOURCES/CVE-2017-15275.patch
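Review bot: `req->tid = 0;` in reply_tcon_and_X() (SOURCES/CVE-2017-14746.patch) only prevents re-use if 0 is a value that smb1srv_tcon_lookup() can never resolve, and neither the added comment nor the hunk says so. I would state the assumption in the comment once it is confirmed against the tid allocator, for example `/* 0 is never handed out as a tree id, so later lookups for this request fail */`. The hunk also shows only the tid being cleared after `TALLOC_FREE(tcon)`; the enclosing block starts outside the hunk, so it is worth confirming there that `req->conn` does not keep pointing at the freed tree connect.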
@@ -0,0 +1,45 @@
+From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Wed, 20 Sep 2017 11:04:50 -0700
+Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
+ talloc buffer is grown.
+
+Ensure we zero out unused grown area.
+
+CVE-2017-15275
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
+
+Signed-off-by: Jeremy Allison
+---
+ source3/smbd/srvstr.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
+index 56dceba8c6c..c2d70b32c32 100644
+--- a/source3/smbd/srvstr.c
++++ b/source3/smbd/srvstr.c
+@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
+ DEBUG(0, ("srvstr_push failed\n"));
+ return -1;
+ }
++
++ /*
++ * Ensure we clear out the extra data we have
++ * grown the buffer by, but not written to.
++ */
++ if (buf_size + result < buf_size) {
++ return -1;
++ }
++ if (grow_size < result) {
++ return -1;
++ }
++
++ memset(tmp + buf_size + result, '\0', grow_size - result);
++
+ set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
+
+ *outbuf = tmp;
+--
+2.14.2.920.gcf0c67979c-goog
+
diff --git a/SOURCES/CVE-2017-7494.patch b/SOURCES/CVE-2017-7494.patch
new file mode 100644
index 0000000..34b4437
--- /dev/null
+++ b/SOURCES/CVE-2017-7494.patch
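Review bot: The two new `return -1;` paths in message_push_string() (SOURCES/CVE-2017-15275.patch) exit silently, while the srvstr_push failure directly above them logs with DEBUG(0, ...), so a rejected length leaves no trace for whoever investigates the dropped reply. I would add `DEBUG(0, ("message_push_string: length overflow\n"));` before each of them. The commit subject says the talloc buffer has already been grown by this point; the reallocation is outside the hunk, but if it can move the buffer these paths return before `*outbuf = tmp;` runs, and the callers' handling of a stale `*outbuf` on -1 should be checked.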
@@ -0,0 +1,34 @@
+From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Mon, 8 May 2017 21:40:40 +0200
+Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
+ inside
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
+
+Signed-off-by: Volker Lendecke
+Reviewed-by: Jeremy Allison
+Reviewed-by: Stefan Metzmacher
+---
+ source3/rpc_server/srv_pipe.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index 0633b5f..c3f0cd8 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -475,6 +475,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
+ {
+ NTSTATUS status;
+
++ if (strchr(pipename, '/')) {
++ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
++ return false;
++ }
++
+ if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
+ DEBUG(10, ("refusing spoolss access\n"));
+ return false;
+--
+1.9.1
+
diff --git a/SOURCES/README.dc b/SOURCES/README.dc
new file mode 100644
index 0000000..4c101a5
--- /dev/null
+++ b/SOURCES/README.dc
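Review bot: The new `strchr(pipename, '/')` test in is_known_pipename() (SOURCES/CVE-2017-7494.patch) has no comment recording why a slash is refused, and the rest of the function, which lies outside the hunk, is where the name gets used. A guard like this is easy to lose in a later refactor, so I would put the reason above it, for example `/* pipe names are bare identifiers; reject anything that could be read as a path */`, worded to match how the name is consumed further down. The DEBUG(1, ...) line also writes the client-supplied name into the log unmodified, which is worth keeping in mind for anyone parsing these logs.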
@@ -0,0 +1,20 @@
+MIT Kerberos 5 Support
+=======================
+
+Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of
+choice. The Samba build in Fedora is using MIT Kerberos implementation in order
+to allow system-wide interoperability between both desktop and server
+applications running on the same machine.
+
+At the moment the Samba Active Directory Domain Controller implementation is
+not available with MIT Kereberos. FreeIPA and Samba Team members are currently
+working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux
+distribution integration of Samba AD DC features.
+
+We have just finished migrating the file server and all client utilities to MIT
+Kerberos. The result of this work is available in samba-* packages in Fedora.
+We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos
+KDC will be ready.
+
+In case of further questions do not hesitate to send your inquiries to
+samba-owner@fedoraproject.org
diff --git a/SOURCES/README.downgrade b/SOURCES/README.downgrade
new file mode 100644
index 0000000..5cb0aaa
--- /dev/null
+++ b/SOURCES/README.downgrade
@@ -0,0 +1,29 @@
+Downgrading Samba
+=================
+
+Short version: data-preserving downgrades between Samba versions are not supported
+
+Long version:
+With Samba development there are cases when on-disk database format evolves.
+In general, Samba Team attempts to maintain forward compatibility and
+automatically upgrade databases during runtime when requires.
+However, when downgrade is required Samba will not perform downgrade to
+existing databases. It may be impossible if new features that caused database
+upgrade are in use. Thus, one needs to consider a downgrade procedure before
+actually downgrading Samba setup.
+
+Please always perform back up prior both upgrading and downgrading across major
+version changes. Restoring database files is easiest and simplest way to get to
+previously working setup.
+
+Easiest way to downgrade is to remove all created databases and start from scratch.
+This means losing all authentication and domain relationship data, as well as
+user databases (in case of tdb storage), printers, registry settings, and winbindd
+caches.
+
+Remove databases in following locations:
+/var/lib/samba/*.tdb
+/var/lib/samba/private/*.tdb
+
+In particular, registry settings are known to prevent running downgraded versions
+(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.
diff --git a/SOURCES/pam_winbind.conf b/SOURCES/pam_winbind.conf
new file mode 100644
index 0000000..dd0b112
--- /dev/null
+++ b/SOURCES/pam_winbind.conf
@@ -0,0 +1,38 @@
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+
+[global]
+
+# turn on debugging
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+;cached_login = no
+
+# authenticate using kerberos
+;krb5_auth = no
+
+# when using kerberos, request a "FILE" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+;krb5_ccache_type =
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+
+# omit pam conversations
+;silent = no
+
+# create homedirectory on the fly
+;mkhomedir = no
diff --git a/SOURCES/samba-4.6.2.tar.asc b/SOURCES/samba-4.6.2.tar.asc
new file mode 100644
index 0000000..9d1e563
--- /dev/null
+++ b/SOURCES/samba-4.6.2.tar.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz
+DQw3KuAbWCKIgkHcy1zZr2o=
+=bIg5
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch
new file mode 100644
index 0000000..f89ec30
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch
@@ -0,0 +1,37 @@
+From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Thu, 5 Jan 2017 09:34:36 +0100
+Subject: [PATCH] replace: Include sysmacros.h
+
+In the GNU C Library, "makedev" is defined by . For
+historical compatibility, it is currently defined by as
+well, but it is planned to remove this soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Volker Lendecke
+
+(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
+---
+ lib/replace/replace.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/replace/replace.h b/lib/replace/replace.h
+index c69a069e4b3..1dbeacfff66 100644
+--- a/lib/replace/replace.h
++++ b/lib/replace/replace.h
+@@ -171,6 +171,10 @@
+ #include
+ #endif
+
++#ifdef HAVE_SYS_SYSMACROS_H
++#include
++#endif
++
+ #ifdef HAVE_SETPROCTITLE_H
+ #include
+ #endif
+--
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
new file mode 100644
index 0000000..02db440
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
@@ -0,0 +1,1731 @@ +From 76aae7405595ca76bc0419a97f4a69e0ed528b32 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 29 Dec 2016 14:00:36 +0100 +Subject: [PATCH 01/20] s4:gensec_gssapi: the value + gensec_get_target_principal() should overwrite gensec_get_target_hostname() + +If gensec_get_target_principal() has a value, we no longer have to verify +the gensec_get_target_hostname() value, it can be just an ipadress. + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 48bcca566ebb3a5385b15b0525d7fbdd06361e04) +--- + source4/auth/gensec/gensec_gssapi.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index a6c4019aa6f..3974c3d42a0 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -307,7 +307,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + gss_buffer_desc name_token; + gss_OID name_type; + OM_uint32 maj_stat, min_stat; ++ const char *target_principal = NULL; + const char *hostname = gensec_get_target_hostname(gensec_security); ++ const char *service = gensec_get_target_service(gensec_security); ++ const char *realm = cli_credentials_get_realm(creds); ++ ++ target_principal = gensec_get_target_principal(gensec_security); ++ if (target_principal != NULL) { ++ goto do_start; ++ } + + if (!hostname) { + DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n")); +@@ -322,6 +330,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + return NT_STATUS_INVALID_PARAMETER; + } + ++do_start: ++ + nt_status = gensec_gssapi_start(gensec_security); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; +@@ -333,16 +343,18 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + gensec_gssapi_state->gss_want_flags &= 
~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); + } + +- gensec_gssapi_state->target_principal = gensec_get_target_principal(gensec_security); +- if (gensec_gssapi_state->target_principal) { ++ if (target_principal != NULL) { + name_type = GSS_C_NULL_OID; + } else { +- gensec_gssapi_state->target_principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s", +- gensec_get_target_service(gensec_security), +- hostname, cli_credentials_get_realm(creds)); +- ++ target_principal = talloc_asprintf(gensec_gssapi_state, ++ "%s/%s@%s", service, hostname, realm); ++ if (target_principal == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } + name_type = GSS_C_NT_USER_NAME; + } ++ gensec_gssapi_state->target_principal = target_principal; ++ + name_token.value = discard_const_p(uint8_t, gensec_gssapi_state->target_principal); + name_token.length = strlen(gensec_gssapi_state->target_principal); + +-- +2.12.0 + + +From 12d74cd165db3603ba2f3a58343e9a82fb22ee93 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 29 Dec 2016 15:20:00 +0100 +Subject: [PATCH 02/20] s4:gensec_gssapi: require a realm in + gensec_gssapi_client_start() + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 3a870baee8d9dbe5359f04a108814afc27e57d46) +--- + source4/auth/gensec/gensec_gssapi.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index 3974c3d42a0..957cfa4229d 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -330,6 +330,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + return NT_STATUS_INVALID_PARAMETER; + } + ++ if (realm == NULL) { ++ const char *cred_name = cli_credentials_get_unparsed_name(creds, ++ gensec_security); ++ DEBUG(3, ("cli_credentials(%s) without realm, " ++ "cannot use kerberos for this connection %s/%s\n", ++ cred_name, service, hostname)); ++ 
talloc_free(discard_const_p(char, cred_name)); ++ return NT_STATUS_INVALID_PARAMETER; ++ } ++ + do_start: + + nt_status = gensec_gssapi_start(gensec_security); +-- +2.12.0 + + +From beb9e4379333872ff1e5a3422ba70ccb409e9915 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 6 Mar 2017 09:13:09 +0100 +Subject: [PATCH 03/20] testprogs: Use smbclient by default in + test_kinit_trusts + +This is the tool we use by default and we should test with it. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 9b3ff90dbc5cc1017dfc89831a1081272e6c2356) +--- + testprogs/blackbox/test_kinit_trusts_heimdal.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh +index 073e0e7517e..040bf919203 100755 +--- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh ++++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh +@@ -32,7 +32,7 @@ if test -x $samba4bindir/samba4kinit; then + samba4kinit=$samba4bindir/samba4kinit + fi + +-smbclient="$samba4bindir/smbclient4" ++smbclient="$samba4bindir/smbclient" + wbinfo="$samba4bindir/wbinfo" + rpcclient="$samba4bindir/rpcclient" + samba_tool="$samba4bindir/samba-tool" +-- +2.12.0 + + +From 7feebdec869ed633bea612630ebca8d9b85a3e2e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 6 Mar 2017 09:15:45 +0100 +Subject: [PATCH 04/20] testprogs: Add kinit_trusts tests with smbclient4 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 42bd003f468ab95b6ac97c774e2cd217d06c05ed) +--- + testprogs/blackbox/test_kinit_trusts_heimdal.sh | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh +index 040bf919203..e67f77361a4 100755 
+--- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh ++++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh +@@ -52,8 +52,16 @@ rm -rf $KRB5CCNAME_PATH + echo $TRUST_PASSWORD > $PREFIX/tmppassfile + testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` + test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1` ++rm -rf $KRB5CCNAME_PATH ++ ++# Test with smbclient4 ++smbclient="$samba4bindir/smbclient4" ++testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` ++test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' "$unc" -k yes || failed=`expr $failed + 1` ++rm -rf $KRB5CCNAME_PATH + + testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` ++smbclient="$samba4bindir/smbclient" + test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1` + + if test x"${TYPE}" = x"forest" ;then +-- +2.12.0 + + +From cae7475df03e7d464dc8642a7a02dad388215d1e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 10:40:08 +0100 +Subject: [PATCH 05/20] krb5_wrap: Do not return an empty realm from + smb_krb5_get_realm_from_hostname() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 946f9dd1170be63b91e31ce825ea123f3c07329b) +--- + lib/krb5_wrap/krb5_samba.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 10b42dec53f..9dc7304d566 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ 
b/lib/krb5_wrap/krb5_samba.c +@@ -2691,7 +2691,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + goto out; + } + +- if (realm_list && realm_list[0]) { ++ if (realm_list != NULL && ++ realm_list[0] != NULL && ++ realm_list[0][0] != '\0') { + realm = talloc_strdup(mem_ctx, realm_list[0]); + } + +-- +2.12.0 + + +From 1d2b4a00e2a1213df81192e01f2d833ed4a6ec54 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 10:48:52 +0100 +Subject: [PATCH 06/20] krb5_wrap: Try to guess the correct realm from the + service hostname + +If we do not get a realm mapping from the krb5.conf or from the Kerberos +library try to guess it from the service hostname. The guessing of the +realm from the service hostname is already implemented in Heimdal. This +makes the behavior of smb_krb5_get_realm_from_hostname() consistent +with both MIT and Heimdal. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 65228925ab3c4da4ae299f77cae219fc7d37cc68) +--- + lib/krb5_wrap/krb5_samba.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 9dc7304d566..f8ef9f1df0f 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2695,6 +2695,19 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + realm_list[0] != NULL && + realm_list[0][0] != '\0') { + realm = talloc_strdup(mem_ctx, realm_list[0]); ++ } else { ++ const char *p = NULL; ++ ++ /* ++ * "dc6.samba2003.example.com" ++ * returns a realm of "SAMBA2003.EXAMPLE.COM" ++ * ++ * "dc6." 
returns realm as NULL ++ */ ++ p = strchr_m(hostname, '.'); ++ if (p != NULL && p[1] != '\0') { ++ realm = talloc_strdup_upper(mem_ctx, p + 1); ++ } + } + + out: +-- +2.12.0 + + +From 0e99683587c9047055ca6432fae0a11604710b69 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 11:56:30 +0100 +Subject: [PATCH 07/20] krb5_wrap: pass client_realm to + smb_krb5_get_realm_from_hostname() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit f0c4fcace586197d5c170f6a9dcc175df23e3802) +--- + lib/krb5_wrap/krb5_samba.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index f8ef9f1df0f..36bcc65e22a 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2664,7 +2664,8 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) + ************************************************************************/ + + static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, +- const char *hostname) ++ const char *hostname, ++ const char *client_realm) + { + #if defined(HAVE_KRB5_REALM_TYPE) + /* Heimdal. 
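Review bot: The fallback branch calls `strchr_m(hostname, '.')` with no NULL guard on `hostname`, and the start of `smb_krb5_get_realm_from_hostname()` is outside this hunk, so it is not visible whether a NULL name is rejected earlier. A guard such as `if (hostname != NULL) { p = strchr_m(hostname, '.'); }` keeps the function safe for callers that have no target hostname. The `p[1] != '\0'` test also covers only the bare `dc6.` case from the comment: a fully qualified name ending in a dot would give a realm with a trailing dot (constructed example: `dc6.samba2003.example.com.` becomes `SAMBA2003.EXAMPLE.COM.`), which is returned as if it were a real mapping. Since this value decides which realm the service ticket is requested from, the comment should say that it is a heuristic derived from the caller-supplied name and not a verified mapping.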
*/ +@@ -2695,6 +2696,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + realm_list[0] != NULL && + realm_list[0][0] != '\0') { + realm = talloc_strdup(mem_ctx, realm_list[0]); ++ if (realm == NULL) { ++ goto out; ++ } + } else { + const char *p = NULL; + +@@ -2707,9 +2711,16 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + p = strchr_m(hostname, '.'); + if (p != NULL && p[1] != '\0') { + realm = talloc_strdup_upper(mem_ctx, p + 1); ++ if (realm == NULL) { ++ goto out; ++ } + } + } + ++ if (realm == NULL) { ++ realm = talloc_strdup(mem_ctx, client_realm); ++ } ++ + out: + + if (ctx) { +@@ -2752,7 +2763,8 @@ char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, + if (host) { + /* DNS name. */ + realm = smb_krb5_get_realm_from_hostname(talloc_tos(), +- remote_name); ++ remote_name, ++ default_realm); + } else { + /* NetBIOS name - use our realm. */ + realm = smb_krb5_get_default_realm_from_ccache(talloc_tos()); +-- +2.12.0 + + +From 6876b0d12f8aad4448f4a7d770db7ff129df6c50 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 11:56:30 +0100 +Subject: [PATCH 08/20] krb5_wrap: Make smb_krb5_get_realm_from_hostname() + public + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 339a2ecb3f05d0c9e860a5dd59b8bdbc51d4ffa7) +--- + lib/krb5_wrap/krb5_samba.c | 28 +++++++++++++++++++++------- + lib/krb5_wrap/krb5_samba.h | 4 ++++ + 2 files changed, 25 insertions(+), 7 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 36bcc65e22a..2b0ec6bfa0e 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2659,13 +2659,27 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) + return realm; + } + +-/************************************************************************ +- 
Routine to get the realm from a given DNS name. +-************************************************************************/ +- +-static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, +- const char *hostname, +- const char *client_realm) ++/** ++ * @brief Get the realm from the service hostname. ++ * ++ * This function will look for a domain realm mapping in the [domain_realm] ++ * section of the krb5.conf first and fallback to extract the realm from ++ * the provided service hostname. As a last resort it will return the ++ * provided client_realm. ++ * ++ * @param[in] mem_ctx The talloc context ++ * ++ * @param[in] hostname The service hostname ++ * ++ * @param[in] client_realm If we can not find a mapping, fall back to ++ * this realm. ++ * ++ * @return The realm to use for the service hostname, NULL if a fatal error ++ * occured. ++ */ ++char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, ++ const char *hostname, ++ const char *client_realm) + { + #if defined(HAVE_KRB5_REALM_TYPE) + /* Heimdal. 
*/ +diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h +index 71e81ea26e1..accae449a0e 100644 +--- a/lib/krb5_wrap/krb5_samba.h ++++ b/lib/krb5_wrap/krb5_samba.h +@@ -314,6 +314,10 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context, + krb5_principal principal, + const char *realm); + ++char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, ++ const char *hostname, ++ const char *client_realm); ++ + char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, + const char *service, + const char *remote_name, +-- +2.12.0 + + +From 08a81c315129c3d07637a8a5064b4ef988864efd Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 6 Mar 2017 09:19:13 +0100 +Subject: [PATCH 09/20] s4:gensec-gssapi: Create a helper function to setup + server_principal + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 8f7c4529420316b553c80cd3d19b6996525b029a) +--- + source4/auth/gensec/gensec_gssapi.c | 88 +++++++++++++++++++++++++------------ + source4/auth/gensec/gensec_gssapi.h | 2 +- + 2 files changed, 61 insertions(+), 29 deletions(-) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index 957cfa4229d..ec57d193714 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -83,6 +83,56 @@ static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_st + return 0; + } + ++static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx, ++ const char *target_principal, ++ const char *service, ++ const char *hostname, ++ const char *realm, ++ const gss_OID mech, ++ char **pserver_principal, ++ gss_name_t *pserver_name) ++{ ++ char *server_principal = NULL; ++ gss_buffer_desc name_token; ++ gss_OID name_type; ++ OM_uint32 maj_stat, min_stat = 0; ++ ++ if (target_principal != NULL) { ++ 
server_principal = talloc_strdup(mem_ctx, target_principal); ++ name_type = GSS_C_NULL_OID; ++ } else { ++ server_principal = talloc_asprintf(mem_ctx, ++ "%s/%s@%s", ++ service, hostname, realm); ++ name_type = GSS_C_NT_USER_NAME; ++ } ++ if (server_principal == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ name_token.value = (uint8_t *)server_principal; ++ name_token.length = strlen(server_principal); ++ ++ maj_stat = gss_import_name(&min_stat, ++ &name_token, ++ name_type, ++ pserver_name); ++ if (maj_stat) { ++ DBG_WARNING("GSS Import name of %s failed: %s\n", ++ server_principal, ++ gssapi_error_string(mem_ctx, ++ maj_stat, ++ min_stat, ++ mech)); ++ TALLOC_FREE(server_principal); ++ return NT_STATUS_INVALID_PARAMETER; ++ } ++ ++ *pserver_principal = server_principal; ++ ++ return NT_STATUS_OK; ++} ++ + static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) + { + struct gensec_gssapi_state *gensec_gssapi_state; +@@ -304,9 +354,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + struct gensec_gssapi_state *gensec_gssapi_state; + struct cli_credentials *creds = gensec_get_credentials(gensec_security); + NTSTATUS nt_status; +- gss_buffer_desc name_token; +- gss_OID name_type; +- OM_uint32 maj_stat, min_stat; + const char *target_principal = NULL; + const char *hostname = gensec_get_target_hostname(gensec_security); + const char *service = gensec_get_target_service(gensec_security); +@@ -353,31 +400,16 @@ do_start: + gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); + } + +- if (target_principal != NULL) { +- name_type = GSS_C_NULL_OID; +- } else { +- target_principal = talloc_asprintf(gensec_gssapi_state, +- "%s/%s@%s", service, hostname, realm); +- if (target_principal == NULL) { +- return NT_STATUS_NO_MEMORY; +- } +- name_type = GSS_C_NT_USER_NAME; +- } +- gensec_gssapi_state->target_principal = target_principal; +- +- name_token.value = discard_const_p(uint8_t, 
gensec_gssapi_state->target_principal); +- name_token.length = strlen(gensec_gssapi_state->target_principal); +- +- +- maj_stat = gss_import_name (&min_stat, +- &name_token, +- name_type, +- &gensec_gssapi_state->server_name); +- if (maj_stat) { +- DEBUG(2, ("GSS Import name of %s failed: %s\n", +- (char *)name_token.value, +- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); +- return NT_STATUS_INVALID_PARAMETER; ++ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, ++ target_principal, ++ service, ++ hostname, ++ realm, ++ gensec_gssapi_state->gss_oid, ++ &gensec_gssapi_state->target_principal, ++ &gensec_gssapi_state->server_name); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; + } + + return NT_STATUS_OK; +diff --git a/source4/auth/gensec/gensec_gssapi.h b/source4/auth/gensec/gensec_gssapi.h +index cf0e3a8d914..d788b5ebc38 100644 +--- a/source4/auth/gensec/gensec_gssapi.h ++++ b/source4/auth/gensec/gensec_gssapi.h +@@ -65,5 +65,5 @@ struct gensec_gssapi_state { + int gss_exchange_count; + size_t sig_size; + +- const char *target_principal; ++ char *target_principal; + }; +-- +2.12.0 + + +From 78a76c53e9b0e7caf67a43eeb7929a4fe94fa25e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 12:34:59 +0100 +Subject: [PATCH 10/20] s4:gensec_gssapi: Move setup of service_principal to + update function + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit bf6358bf035e7ad48bd15cc2164afab2a19e7ad6) +--- + source4/auth/gensec/gensec_gssapi.c | 33 ++++++++++++++++++++------------- + 1 file changed, 20 insertions(+), 13 deletions(-) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index ec57d193714..6cb4431e0d9 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ 
b/source4/auth/gensec/gensec_gssapi.c +@@ -400,18 +400,6 @@ do_start: + gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); + } + +- nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, +- target_principal, +- service, +- hostname, +- realm, +- gensec_gssapi_state->gss_oid, +- &gensec_gssapi_state->target_principal, +- &gensec_gssapi_state->server_name); +- if (!NT_STATUS_IS_OK(nt_status)) { +- return nt_status; +- } +- + return NT_STATUS_OK; + } + +@@ -452,7 +440,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + OM_uint32 min_stat2; + gss_buffer_desc input_token = { 0, NULL }; + gss_buffer_desc output_token = { 0, NULL }; +- ++ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); ++ const char *target_principal = gensec_get_target_principal(gensec_security); ++ const char *hostname = gensec_get_target_hostname(gensec_security); ++ const char *service = gensec_get_target_service(gensec_security); ++ const char *client_realm = cli_credentials_get_realm(cli_creds); + gss_OID gss_oid_p = NULL; + OM_uint32 time_req = 0; + OM_uint32 time_rec = 0; +@@ -491,6 +483,21 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + return NT_STATUS_INTERNAL_ERROR; + } + #endif ++ ++ if (gensec_gssapi_state->server_name == NULL) { ++ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, ++ target_principal, ++ service, ++ hostname, ++ client_realm, ++ gensec_gssapi_state->gss_oid, ++ &gensec_gssapi_state->target_principal, ++ &gensec_gssapi_state->server_name); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; ++ } ++ } ++ + maj_stat = gss_init_sec_context(&min_stat, + gensec_gssapi_state->client_cred->creds, + &gensec_gssapi_state->gssapi_context, +-- +2.12.0 + + +From 7541d4a3c1a665925c8d3aa97963729874c70761 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 11:03:17 +0100 +Subject: [PATCH 11/20] 
s4:gensec_gssapi: Use + smb_krb5_get_realm_from_hostname() + +With credentials for administrator@FOREST1.EXAMPLE.COM +this patch changes the target_principal for +the ldap service of host dc2.forest2.example.com +from + + ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM + +to + + ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM + +Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM +should be used in order to allow the KDC of FOREST1.EXAMPLE.COM +to generate a referral ticket for +krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. + +The problem is that KDCs only return such referral tickets +if there's a forest trust between FOREST1.EXAMPLE.COM +and FOREST2.EXAMPLE.COM. If there's only an external domain +trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM +the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN +when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. + +In the case of an external trust the client can still ask +explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM +and the KDC of FOREST1.EXAMPLE.COM will generate it. + +From there the client can use the +krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM +ticket and ask a KDC of FOREST2.EXAMPLE.COM for a +service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. + +With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior +when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as +target principal. As _krb5_get_cred_kdc_any() first calls +get_cred_kdc_referral() (which always starts with the client realm) +and falls back to get_cred_kdc_capath() (which starts with the given realm). + +MIT krb5 only tries the given realm of the target principal, +if we want to autodetect support for transitive forest trusts, +we'll have to do the fallback ourself. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 3781eb250173981a8890b82d1ff9358f144034cd) +--- + source4/auth/gensec/gensec_gssapi.c | 62 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 61 insertions(+), 1 deletion(-) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index 6cb4431e0d9..57392a04e60 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -445,6 +445,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + const char *hostname = gensec_get_target_hostname(gensec_security); + const char *service = gensec_get_target_service(gensec_security); + const char *client_realm = cli_credentials_get_realm(cli_creds); ++ const char *server_realm = NULL; + gss_OID gss_oid_p = NULL; + OM_uint32 time_req = 0; + OM_uint32 time_rec = 0; +@@ -484,12 +485,71 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + } + #endif + ++ /* ++ * With credentials for ++ * administrator@FOREST1.EXAMPLE.COM this patch changes ++ * the target_principal for the ldap service of host ++ * dc2.forest2.example.com from ++ * ++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM ++ * ++ * to ++ * ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM ++ * ++ * Typically ++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM ++ * should be used in order to allow the KDC of ++ * FOREST1.EXAMPLE.COM to generate a referral ticket ++ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. ++ * ++ * The problem is that KDCs only return such referral ++ * tickets if there's a forest trust between ++ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. 
If ++ * there's only an external domain trust between ++ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC ++ * of FOREST1.EXAMPLE.COM will respond with ++ * S_PRINCIPAL_UNKNOWN when being asked for ++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. ++ * ++ * In the case of an external trust the client can ++ * still ask explicitly for ++ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and ++ * the KDC of FOREST1.EXAMPLE.COM will generate it. ++ * ++ * From there the client can use the ++ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ++ * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a ++ * service ticket for ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. ++ * ++ * With Heimdal we'll get the fallback on ++ * S_PRINCIPAL_UNKNOWN behavior when we pass ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as ++ * target principal. As _krb5_get_cred_kdc_any() first ++ * calls get_cred_kdc_referral() (which always starts ++ * with the client realm) and falls back to ++ * get_cred_kdc_capath() (which starts with the given ++ * realm). ++ * ++ * MIT krb5 only tries the given realm of the target ++ * principal, if we want to autodetect support for ++ * transitive forest trusts, would have to do the ++ * fallback ourself. 
++ */ + if (gensec_gssapi_state->server_name == NULL) { ++ server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, ++ hostname, ++ client_realm); ++ if (server_realm == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ + nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, + target_principal, + service, + hostname, +- client_realm, ++ server_realm, + gensec_gssapi_state->gss_oid, + &gensec_gssapi_state->target_principal, + &gensec_gssapi_state->server_name); +-- +2.12.0 + + +From 97935a1164d328b466bc305c37869e78d306173a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 13:10:05 +0100 +Subject: [PATCH 12/20] s4:gensec_gssapi: Correctly handle external trusts with + MIT + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 2dd4887648bf006a577e03fc027e881738ca04ab) +--- + source4/auth/gensec/gensec_gssapi.c | 51 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index 57392a04e60..61911aae9d9 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -464,6 +464,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + switch (gensec_security->gensec_role) { + case GENSEC_CLIENT: + { ++ bool fallback = false; + #ifdef SAMBA4_USES_HEIMDAL + struct gsskrb5_send_to_kdc send_to_kdc; + krb5_error_code ret; +@@ -537,6 +538,48 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + * transitive forest trusts, would have to do the + * fallback ourself. 
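Review bot: The new `smb_krb5_get_realm_from_hostname()` call in `gensec_gssapi_update()` runs even when `target_principal` is set, and in that case `gensec_gssapi_client_start()` has jumped to `do_start` past both the `!hostname` and the `realm == NULL` checks, so `hostname` and `client_realm` may be NULL here. A NULL result is then reported as `NT_STATUS_NO_MEMORY` although the realm is not needed, because `gensec_gssapi_setup_server_principal()` ignores `realm` when it is given a target principal. Wrapping the lookup and its NULL check in `if (target_principal == NULL) { ... }` avoids both problems. `server_realm` is also allocated on `gensec_gssapi_state` and not freed in the visible lines, while the gse.c counterpart calls `TALLOC_FREE(server_realm)` right after use. The function body starts and ends outside the hunk.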
+ */ ++#ifndef SAMBA4_USES_HEIMDAL ++ if (gensec_gssapi_state->server_name == NULL) { ++ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, ++ target_principal, ++ service, ++ hostname, ++ client_realm, ++ gensec_gssapi_state->gss_oid, ++ &gensec_gssapi_state->target_principal, ++ &gensec_gssapi_state->server_name); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; ++ } ++ ++ maj_stat = gss_init_sec_context(&min_stat, ++ gensec_gssapi_state->client_cred->creds, ++ &gensec_gssapi_state->gssapi_context, ++ gensec_gssapi_state->server_name, ++ gensec_gssapi_state->gss_oid, ++ gensec_gssapi_state->gss_want_flags, ++ time_req, ++ gensec_gssapi_state->input_chan_bindings, ++ &input_token, ++ &gss_oid_p, ++ &output_token, ++ &gensec_gssapi_state->gss_got_flags, /* ret flags */ ++ &time_rec); ++ if (maj_stat != GSS_S_FAILURE) { ++ goto init_sec_context_done; ++ } ++ if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) { ++ goto init_sec_context_done; ++ } ++ if (target_principal != NULL) { ++ goto init_sec_context_done; ++ } ++ ++ fallback = true; ++ TALLOC_FREE(gensec_gssapi_state->target_principal); ++ gss_release_name(&min_stat2, &gensec_gssapi_state->server_name); ++ } ++#endif /* !SAMBA4_USES_HEIMDAL */ + if (gensec_gssapi_state->server_name == NULL) { + server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, + hostname, +@@ -545,6 +588,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + return NT_STATUS_NO_MEMORY; + } + ++ if (fallback && ++ strequal(client_realm, server_realm)) { ++ goto init_sec_context_done; ++ } ++ + nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, + target_principal, + service, +@@ -571,6 +619,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + &output_token, + &gensec_gssapi_state->gss_got_flags, /* ret flags */ + &time_rec); ++ goto init_sec_context_done; ++ /* JUMP! 
*/ ++init_sec_context_done: + if (gss_oid_p) { + gensec_gssapi_state->gss_oid = gss_oid_p; + } +-- +2.12.0 + + +From 71a49b84ebb8d45d91d21ebf92d3c7302b24f490 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 07:54:29 +0100 +Subject: [PATCH 13/20] s3:gse: Use smb_krb5_get_realm_from_hostname() + +With credentials for administrator@FOREST1.EXAMPLE.COM +this patch changes the target_principal for +the ldap service of host dc2.forest2.example.com +from + + ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM + +to + + ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM + +Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM +should be used in order to allow the KDC of FOREST1.EXAMPLE.COM +to generate a referral ticket for +krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. + +The problem is that KDCs only return such referral tickets +if there's a forest trust between FOREST1.EXAMPLE.COM +and FOREST2.EXAMPLE.COM. If there's only an external domain +trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM +the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN +when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. + +In the case of an external trust the client can still ask +explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM +and the KDC of FOREST1.EXAMPLE.COM will generate it. + +From there the client can use the +krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM +ticket and ask a KDC of FOREST2.EXAMPLE.COM for a +service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. + +With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior +when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as +target principal. As _krb5_get_cred_kdc_any() first calls +get_cred_kdc_referral() (which always starts with the client realm) +and falls back to get_cred_kdc_capath() (which starts with the given realm). 
+ +MIT krb5 only tries the given realm of the target principal, +if we want to autodetect support for transitive forest trusts, +we'll have to do the fallback ourself. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit a3d95ed9037fb8b14a451da02dcadf011485ae34) +--- + source3/librpc/crypto/gse.c | 93 +++++++++++++++++++++++++++++++++------------ + 1 file changed, 68 insertions(+), 25 deletions(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index abf20bc7dfd..57632f6cc8f 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -120,6 +120,54 @@ static int gse_context_destructor(void *ptr) + return 0; + } + ++static NTSTATUS gse_setup_server_principal(TALLOC_CTX *mem_ctx, ++ const char *target_principal, ++ const char *service, ++ const char *hostname, ++ const char *realm, ++ char **pserver_principal, ++ gss_name_t *pserver_name) ++{ ++ char *server_principal = NULL; ++ gss_buffer_desc name_token; ++ gss_OID name_type; ++ OM_uint32 maj_stat, min_stat = 0; ++ ++ if (target_principal != NULL) { ++ server_principal = talloc_strdup(mem_ctx, target_principal); ++ name_type = GSS_C_NULL_OID; ++ } else { ++ server_principal = talloc_asprintf(mem_ctx, ++ "%s/%s@%s", ++ service, ++ hostname, ++ realm); ++ name_type = GSS_C_NT_USER_NAME; ++ } ++ if (server_principal == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ name_token.value = (uint8_t *)server_principal; ++ name_token.length = strlen(server_principal); ++ ++ maj_stat = gss_import_name(&min_stat, ++ &name_token, ++ name_type, ++ pserver_name); ++ if (maj_stat) { ++ DBG_WARNING("GSS Import name of %s failed: %s\n", ++ server_principal, ++ gse_errstr(mem_ctx, maj_stat, min_stat)); ++ TALLOC_FREE(server_principal); ++ return NT_STATUS_INVALID_PARAMETER; ++ } ++ ++ *pserver_principal = server_principal; ++ ++ return 
NT_STATUS_OK; ++} ++ + static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, + bool do_sign, bool do_seal, + const char *ccache_name, +@@ -203,11 +251,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + { + struct gse_context *gse_ctx; + OM_uint32 gss_maj, gss_min; +- gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER; + #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X + gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; + gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X); + #endif ++ char *server_principal = NULL; ++ char *server_realm = NULL; + NTSTATUS status; + + if (!server || !service) { +@@ -223,30 +272,24 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + + /* Guess the realm based on the supplied service, and avoid the GSS libs + doing DNS lookups which may fail. +- +- TODO: Loop with the KDC on some more combinations (local +- realm in particular), possibly falling back to +- GSS_C_NT_HOSTBASED_SERVICE + */ +- name_buffer.value = +- smb_krb5_get_principal_from_service_hostname(gse_ctx, +- service, +- server, +- realm); +- if (!name_buffer.value) { +- status = NT_STATUS_NO_MEMORY; +- goto err_out; ++ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, ++ server, ++ realm); ++ if (server_realm == NULL) { ++ return NT_STATUS_NO_MEMORY; + } +- name_buffer.length = strlen((char *)name_buffer.value); +- gss_maj = gss_import_name(&gss_min, &name_buffer, +- GSS_C_NT_USER_NAME, +- &gse_ctx->server_name); +- if (gss_maj) { +- DEBUG(5, ("gss_import_name failed for %s, with [%s]\n", +- (char *)name_buffer.value, +- gse_errstr(gse_ctx, gss_maj, gss_min))); +- status = NT_STATUS_INTERNAL_ERROR; +- goto err_out; ++ ++ status = gse_setup_server_principal(mem_ctx, ++ NULL, ++ service, ++ server, ++ server_realm, ++ &server_principal, ++ &gse_ctx->server_name); ++ TALLOC_FREE(server_realm); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; + } + + /* TODO: get krb5 ticket using username/password, if no valid +@@ -299,11 +342,11 @@ static NTSTATUS 
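Review bot: In gse_setup_server_principal() (hunk `@@ -120,6 +120,54 @@`), the string returned by `gse_errstr(mem_ctx, maj_stat, min_stat)` in the gss_import_name() failure branch is never freed, so it presumably stays on the caller's mem_ctx after the function returns NT_STATUS_INVALID_PARAMETER. Holding it in a local and calling `TALLOC_FREE()` on it next to `TALLOC_FREE(server_principal)` would avoid that. The helper also has no header comment: it should say that `*pserver_principal` is written only on success and is owned by mem_ctx, and that `*pserver_name` must later be released with gss_release_name(). It should state as well that `realm` is used only when `target_principal` is NULL and must then be non-NULL.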
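Review bot: The two new early exits in gse_init_client() (hunk `@@ -223,30 +272,24 @@`) bypass the `err_out` label that the removed code reached with `goto err_out`. These are `return NT_STATUS_NO_MEMORY;` after smb_krb5_get_realm_from_hostname() and `return status;` after gse_setup_server_principal(). The next hunk shows `err_out` running `TALLOC_FREE(gse_ctx)`, so on these failure paths the context set up earlier in the function stays allocated until its parent is freed (the allocation itself is outside the hunk). I would keep the old shape: `status = NT_STATUS_NO_MEMORY; goto err_out;` for the first, and `goto err_out;` inside the `!NT_STATUS_IS_OK(status)` check for the second. The function body starts and ends outside this hunk.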
gse_init_client(TALLOC_CTX *mem_ctx, + #endif + + *_gse_ctx = gse_ctx; +- TALLOC_FREE(name_buffer.value); ++ TALLOC_FREE(server_principal); + return NT_STATUS_OK; + + err_out: +- TALLOC_FREE(name_buffer.value); ++ TALLOC_FREE(server_principal); + TALLOC_FREE(gse_ctx); + return status; + } +-- +2.12.0 + + +From 905cdd3ee1fea0bf0e2081da4489934944c55fa9 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 09:10:12 +0100 +Subject: [PATCH 14/20] krb5_wrap: Remove obsolete + smb_krb5_get_principal_from_service_hostname() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 804e828d52ec922f3970e847652ab1ee5538b9b0) +--- + lib/krb5_wrap/krb5_samba.c | 111 --------------------------------------------- + lib/krb5_wrap/krb5_samba.h | 5 -- + 2 files changed, 116 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 2b0ec6bfa0e..0b67ea52a19 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2604,61 +2604,6 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context, + } + + +-/************************************************************************ +- Routine to get the default realm from the kerberos credentials cache. +- Caller must free if the return value is not NULL. 
+-************************************************************************/ +- +-static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) +-{ +- char *realm = NULL; +- krb5_context ctx = NULL; +- krb5_ccache cc = NULL; +- krb5_principal princ = NULL; +- +- initialize_krb5_error_table(); +- if (krb5_init_context(&ctx)) { +- return NULL; +- } +- +- DEBUG(5,("kerberos_get_default_realm_from_ccache: " +- "Trying to read krb5 cache: %s\n", +- krb5_cc_default_name(ctx))); +- if (krb5_cc_default(ctx, &cc)) { +- DEBUG(5,("kerberos_get_default_realm_from_ccache: " +- "failed to read default cache\n")); +- goto out; +- } +- if (krb5_cc_get_principal(ctx, cc, &princ)) { +- DEBUG(5,("kerberos_get_default_realm_from_ccache: " +- "failed to get default principal\n")); +- goto out; +- } +- +-#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM) +- realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ)); +-#elif defined(HAVE_KRB5_PRINC_REALM) +- { +- krb5_data *realm_data = krb5_princ_realm(ctx, princ); +- realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length); +- } +-#endif +- +- out: +- +- if (ctx) { +- if (princ) { +- krb5_free_principal(ctx, princ); +- } +- if (cc) { +- krb5_cc_close(ctx, cc); +- } +- krb5_free_context(ctx); +- } +- +- return realm; +-} +- + /** + * @brief Get the realm from the service hostname. + * +@@ -2749,62 +2694,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + } + + /** +- * @brief Get the principal as a string from the service hostname. +- * +- * @param[in] mem_ctx The talloc context +- * +- * @param[in] service The service name +- * +- * @param[in] remote_name The remote name +- * +- * @param[in] default_realm The default_realm if we cannot get it from the +- * hostname or netbios name. +- * +- * @return A talloc'ed principal string or NULL if an error occured. +- * +- * The caller needs to free the principal with talloc_free() if it isn't needed +- * anymore. 
+- */ +-char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, +- const char *service, +- const char *remote_name, +- const char *default_realm) +-{ +- char *realm = NULL; +- char *host = NULL; +- char *principal; +- host = strchr_m(remote_name, '.'); +- if (host) { +- /* DNS name. */ +- realm = smb_krb5_get_realm_from_hostname(talloc_tos(), +- remote_name, +- default_realm); +- } else { +- /* NetBIOS name - use our realm. */ +- realm = smb_krb5_get_default_realm_from_ccache(talloc_tos()); +- } +- +- if (realm == NULL || *realm == '\0') { +- realm = talloc_strdup(talloc_tos(), default_realm); +- if (!realm) { +- return NULL; +- } +- DEBUG(3,("Cannot get realm from, " +- "desthost %s or default ccache. Using default " +- "smb.conf realm %s\n", +- remote_name, +- realm)); +- } +- +- principal = talloc_asprintf(mem_ctx, +- "%s/%s@%s", +- service, remote_name, +- realm); +- TALLOC_FREE(realm); +- return principal; +-} +- +-/** + * @brief Get an error string from a Kerberos error code. + * + * @param[in] context The library context. 
+diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h +index accae449a0e..c921538efcb 100644 +--- a/lib/krb5_wrap/krb5_samba.h ++++ b/lib/krb5_wrap/krb5_samba.h +@@ -318,11 +318,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + const char *hostname, + const char *client_realm); + +-char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, +- const char *service, +- const char *remote_name, +- const char *default_realm); +- + char *smb_get_krb5_error_message(krb5_context context, + krb5_error_code code, + TALLOC_CTX *mem_ctx); +-- +2.12.0 + + +From 0ea7203430b580e93816035b8201ddd11346cd4e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 6 Mar 2017 08:16:11 +0100 +Subject: [PATCH 15/20] s3:gse: Pass down the gensec_security pointer + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit e6b1e58874de30d094f9bce474479cfddb39d3fc) +--- + source3/librpc/crypto/gse.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index 57632f6cc8f..5a39522a828 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -352,10 +352,13 @@ err_out: + } + + static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, +- struct gse_context *gse_ctx, ++ struct gensec_security *gensec_security, + const DATA_BLOB *token_in, + DATA_BLOB *token_out) + { ++ struct gse_context *gse_ctx = ++ talloc_get_type_abort(gensec_security->private_data, ++ struct gse_context); + OM_uint32 gss_maj, gss_min; + gss_buffer_desc in_data; + gss_buffer_desc out_data; +@@ -542,10 +545,13 @@ done: + } + + static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx, +- struct gse_context *gse_ctx, ++ struct gensec_security *gensec_security, + const DATA_BLOB *token_in, + DATA_BLOB *token_out) + 
{ ++ struct gse_context *gse_ctx = ++ talloc_get_type_abort(gensec_security->private_data, ++ struct gse_context); + OM_uint32 gss_maj, gss_min; + gss_buffer_desc in_data; + gss_buffer_desc out_data; +@@ -762,17 +768,16 @@ static NTSTATUS gensec_gse_update(struct gensec_security *gensec_security, + const DATA_BLOB in, DATA_BLOB *out) + { + NTSTATUS status; +- struct gse_context *gse_ctx = +- talloc_get_type_abort(gensec_security->private_data, +- struct gse_context); + + switch (gensec_security->gensec_role) { + case GENSEC_CLIENT: +- status = gse_get_client_auth_token(mem_ctx, gse_ctx, ++ status = gse_get_client_auth_token(mem_ctx, ++ gensec_security, + &in, out); + break; + case GENSEC_SERVER: +- status = gse_get_server_auth_token(mem_ctx, gse_ctx, ++ status = gse_get_server_auth_token(mem_ctx, ++ gensec_security, + &in, out); + break; + } +-- +2.12.0 + + +From 36b353247939414cd7f91abd27bfc553bd62c06f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 08:05:26 +0100 +Subject: [PATCH 16/20] s3:gse: Move setup of service_principal to update + function + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 3ba1ad1f8c7871070d0ecbe5d49c5c44afe98bbf) +--- + source3/librpc/crypto/gse.c | 97 +++++++++++++++++++++++++++++++++------------ + 1 file changed, 71 insertions(+), 26 deletions(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index 5a39522a828..3580181061e 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -255,8 +255,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; + gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X); + #endif +- char *server_principal = NULL; +- char *server_realm = NULL; + NTSTATUS status; + + if (!server || !service) { +@@ -270,28 +268,6 @@ static NTSTATUS 
gse_init_client(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- /* Guess the realm based on the supplied service, and avoid the GSS libs +- doing DNS lookups which may fail. +- */ +- server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, +- server, +- realm); +- if (server_realm == NULL) { +- return NT_STATUS_NO_MEMORY; +- } +- +- status = gse_setup_server_principal(mem_ctx, +- NULL, +- service, +- server, +- server_realm, +- &server_principal, +- &gse_ctx->server_name); +- TALLOC_FREE(server_realm); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } +- + /* TODO: get krb5 ticket using username/password, if no valid + * one already available in ccache */ + +@@ -342,11 +318,9 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + #endif + + *_gse_ctx = gse_ctx; +- TALLOC_FREE(server_principal); + return NT_STATUS_OK; + + err_out: +- TALLOC_FREE(server_principal); + TALLOC_FREE(gse_ctx); + return status; + } +@@ -366,10 +340,81 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + NTSTATUS status; + OM_uint32 time_rec = 0; + struct timeval tv; ++ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); ++ const char *hostname = gensec_get_target_hostname(gensec_security); ++ const char *service = gensec_get_target_service(gensec_security); ++ const char *client_realm = cli_credentials_get_realm(cli_creds); ++ char *server_principal = NULL; ++ char *server_realm = NULL; + + in_data.value = token_in->data; + in_data.length = token_in->length; + ++ /* ++ * With credentials for administrator@FOREST1.EXAMPLE.COM this patch ++ * changes the target_principal for the ldap service of host ++ * dc2.forest2.example.com from ++ * ++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM ++ * ++ * to ++ * ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM ++ * ++ * Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be ++ * used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a ++ * referral 
ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. ++ * ++ * The problem is that KDCs only return such referral tickets if ++ * there's a forest trust between FOREST1.EXAMPLE.COM and ++ * FOREST2.EXAMPLE.COM. If there's only an external domain trust ++ * between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of ++ * FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being ++ * asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. ++ * ++ * In the case of an external trust the client can still ask explicitly ++ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of ++ * FOREST1.EXAMPLE.COM will generate it. ++ * ++ * From there the client can use the ++ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC ++ * of FOREST2.EXAMPLE.COM for a service ticket for ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. ++ * ++ * With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior ++ * when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as ++ * target principal. As _krb5_get_cred_kdc_any() first calls ++ * get_cred_kdc_referral() (which always starts with the client realm) ++ * and falls back to get_cred_kdc_capath() (which starts with the given ++ * realm). ++ * ++ * MIT krb5 only tries the given realm of the target principal, if we ++ * want to autodetect support for transitive forest trusts, would have ++ * to do the fallback ourself. 
++ */ ++ if (gse_ctx->server_name == NULL) { ++ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, ++ hostname, ++ client_realm); ++ if (server_realm == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ status = gse_setup_server_principal(mem_ctx, ++ NULL, ++ service, ++ hostname, ++ server_realm, ++ &server_principal, ++ &gse_ctx->server_name); ++ TALLOC_FREE(server_realm); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ TALLOC_FREE(server_principal); ++ } ++ + gss_maj = gss_init_sec_context(&gss_min, + gse_ctx->creds, + &gse_ctx->gssapi_context, +-- +2.12.0 + + +From 5ca321eaa79cdf9de1166f49365051d4d67560f9 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 08:11:07 +0100 +Subject: [PATCH 17/20] s3:gse: Check if we have a target_princpal set we + should use + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit ada31d65d6c5929d2fbddfea5611a5f5fe5a0d74) +--- + source3/librpc/crypto/gse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index 3580181061e..721fd8c1625 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -341,6 +341,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + OM_uint32 time_rec = 0; + struct timeval tv; + struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); ++ const char *target_principal = gensec_get_target_principal(gensec_security); + const char *hostname = gensec_get_target_hostname(gensec_security); + const char *service = gensec_get_target_service(gensec_security); + const char *client_realm = cli_credentials_get_realm(cli_creds); +@@ -401,7 +402,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + } + + status = gse_setup_server_principal(mem_ctx, +- NULL, ++ target_principal, + 
service, + hostname, + server_realm, +-- +2.12.0 + + +From 8b88c6bf158e5da0cc238472390f3346aa05ef53 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 08:18:27 +0100 +Subject: [PATCH 18/20] s3:gse: Correctly handle external trusts with MIT + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit b8bca7d08fe05758e536767b1146cdcdd8b9fee3) +--- + source3/librpc/crypto/gse.c | 54 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index 721fd8c1625..3abf774633b 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -347,6 +347,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + const char *client_realm = cli_credentials_get_realm(cli_creds); + char *server_principal = NULL; + char *server_realm = NULL; ++ bool fallback = false; + + in_data.value = token_in->data; + in_data.length = token_in->length; +@@ -393,6 +394,50 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + * want to autodetect support for transitive forest trusts, would have + * to do the fallback ourself. 
+ */ ++#ifndef SAMBA4_USES_HEIMDAL ++ if (gse_ctx->server_name == NULL) { ++ OM_uint32 gss_min2 = 0; ++ ++ status = gse_setup_server_principal(mem_ctx, ++ target_principal, ++ service, ++ hostname, ++ client_realm, ++ &server_principal, ++ &gse_ctx->server_name); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ gss_maj = gss_init_sec_context(&gss_min, ++ gse_ctx->creds, ++ &gse_ctx->gssapi_context, ++ gse_ctx->server_name, ++ &gse_ctx->gss_mech, ++ gse_ctx->gss_want_flags, ++ 0, ++ GSS_C_NO_CHANNEL_BINDINGS, ++ &in_data, ++ NULL, ++ &out_data, ++ &gse_ctx->gss_got_flags, ++ &time_rec); ++ if (gss_maj != GSS_S_FAILURE) { ++ goto init_sec_context_done; ++ } ++ if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) { ++ goto init_sec_context_done; ++ } ++ if (target_principal != NULL) { ++ goto init_sec_context_done; ++ } ++ ++ fallback = true; ++ TALLOC_FREE(server_principal); ++ gss_release_name(&gss_min2, &gse_ctx->server_name); ++ } ++#endif /* !SAMBA4_USES_HEIMDAL */ ++ + if (gse_ctx->server_name == NULL) { + server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, + hostname, +@@ -401,6 +446,11 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + ++ if (fallback && ++ strequal(client_realm, server_realm)) { ++ goto init_sec_context_done; ++ } ++ + status = gse_setup_server_principal(mem_ctx, + target_principal, + service, +@@ -425,6 +475,10 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + 0, GSS_C_NO_CHANNEL_BINDINGS, + &in_data, NULL, &out_data, + &gse_ctx->gss_got_flags, &time_rec); ++ goto init_sec_context_done; ++ /* JUMP! 
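Review bot: `client_realm` is passed unchecked into gse_setup_server_principal() in the new `#ifndef SAMBA4_USES_HEIMDAL` block (hunk `@@ -394,6 +394,50 @@`), and when `target_principal` is NULL that helper formats it with `"%s/%s@%s"`. The value comes from cli_credentials_get_realm(), and nothing visible here rules out NULL; if credentials without a realm can reach this path, the first gss_init_sec_context() attempt is made for a malformed principal. Guarding the block with `if (gse_ctx->server_name == NULL && (target_principal != NULL || client_realm != NULL)) {` would skip straight to the hostname-derived realm in that case. Separately, `server_principal` is freed only on the fallback path, so the three `goto init_sec_context_done` exits leave it on mem_ctx. The function body starts and ends outside this hunk.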
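Review bot: The added `goto init_sec_context_done` in the `fallback && strequal(client_realm, server_realm)` branch (hunk `@@ -401,6 +446,11 @@`) leaves `server_realm` allocated. The only `TALLOC_FREE(server_realm)`, added in patch 16/20, sits after the gse_setup_server_principal() call that this jump skips; put `TALLOC_FREE(server_realm);` as the first statement of the branch. The matching branch in gensec_gssapi_update() (hunk `@@ -545,6 +588,11 @@`) takes server_realm from smb_krb5_get_realm_from_hostname(gensec_gssapi_state, ...), so there the string presumably lives as long as the gensec state. The jump also relies on gss_maj and gss_min still holding the result of the first attempt, which deserves a comment: `/* same realm was already tried above: report the first attempt's status */`.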
*/ ++init_sec_context_done: ++ + switch (gss_maj) { + case GSS_S_COMPLETE: + /* we are done with it */ +-- +2.12.0 + + +From 290de34d42477022d8b5a236b3d0953a178c5e40 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sun, 29 Jan 2017 17:19:14 +0100 +Subject: [PATCH 19/20] HEIMDAL:kdc: make it possible to disable the principal + based referral detection + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 209886e95c3afe1e4e50bacc30b40a543856a7a0) +--- + source4/heimdal/kdc/default_config.c | 1 + + source4/heimdal/kdc/kdc.h | 2 ++ + source4/heimdal/kdc/krb5tgs.c | 4 +++- + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c +index 6fbf5fdae15..0129c5d3c54 100644 +--- a/source4/heimdal/kdc/default_config.c ++++ b/source4/heimdal/kdc/default_config.c +@@ -55,6 +55,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) + c->preauth_use_strongest_session_key = FALSE; + c->tgs_use_strongest_session_key = FALSE; + c->use_strongest_server_key = TRUE; ++ c->autodetect_referrals = TRUE; + c->check_ticket_addresses = TRUE; + c->allow_null_ticket_addresses = TRUE; + c->allow_anonymous = FALSE; +diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h +index 9d52fd4c2ec..16263d6919b 100644 +--- a/source4/heimdal/kdc/kdc.h ++++ b/source4/heimdal/kdc/kdc.h +@@ -69,6 +69,8 @@ typedef struct krb5_kdc_configuration { + krb5_boolean allow_anonymous; + enum krb5_kdc_trpolicy trpolicy; + ++ krb5_boolean autodetect_referrals; ++ + krb5_boolean enable_pkinit; + krb5_boolean pkinit_princ_in_cert; + const char *pkinit_kdc_identity; +diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c +index 334a6eb1dc8..a888788bb6f 100644 +--- a/source4/heimdal/kdc/krb5tgs.c ++++ b/source4/heimdal/kdc/krb5tgs.c +@@ -1660,7 +1660,9 @@ server_lookup: + Realm 
req_rlm; + krb5_realm *realms; + +- if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { ++ if (!config->autodetect_referrals) { ++ /* noop */ ++ } else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { + if(nloop++ < 2) { + new_rlm = find_rpath(context, tgt->crealm, req_rlm); + if(new_rlm) { +-- +2.12.0 + + +From b98d399a9b3076443fa12fab5f5e13b8d6e2fe26 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sun, 29 Jan 2017 17:20:09 +0100 +Subject: [PATCH 20/20] s4:kdc: disable principal based autodetected referral + detection + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 3314bf52aaef60ef5cc1110587b53064df7c475d) +--- + source4/kdc/kdc-heimdal.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c +index f2927e5cb9f..061296a4f40 100644 +--- a/source4/kdc/kdc-heimdal.c ++++ b/source4/kdc/kdc-heimdal.c +@@ -379,6 +379,8 @@ static void kdc_task_init(struct task_server *task) + kdc_config->tgs_use_strongest_session_key = false; + kdc_config->use_strongest_server_key = true; + ++ kdc_config->autodetect_referrals = false; ++ + /* Register hdb-samba4 hooks for use as a keytab */ + + kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context); +-- +2.12.0 + diff --git a/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch new file mode 100644 index 0000000..dbce123 --- /dev/null +++ b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch 
@@ -0,0 +1,39 @@ +From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 20 Mar 2017 16:08:20 +0100 +Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +--- + source3/libsmb/cliconnect.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c +index 029c3d4760e..93f873079db 100644 +--- a/source3/libsmb/cliconnect.c ++++ b/source3/libsmb/cliconnect.c +@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, + 0 /* no time correction for now */, + NULL); + if (ret != 0) { +- DEBUG(0, ("Kinit for %s to access %s failed: %s\n", +- user_principal, target_hostname, +- error_message(ret))); ++ int dbglvl = DBGLVL_WARNING; ++ ++ if (krb5_state == CRED_MUST_USE_KERBEROS) { ++ dbglvl = DBGLVL_ERR; ++ } ++ ++ DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n", ++ user_principal, target_hostname, ++ error_message(ret))); + if (krb5_state == CRED_MUST_USE_KERBEROS) { + TALLOC_FREE(frame); + return krb5_to_nt_status(ret); +-- +2.12.0 + diff --git a/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch new file mode 100644 index 0000000..6d96e52 --- /dev/null +++ b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch 
@@ -0,0 +1,293 @@ +From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 Mar 2017 17:30:37 +0100 +Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters + +The old behaviour is: + + for var in $* + do + echo "$var" + done + +And you get this: + +$ sh test.sh 1 2 '3 4' +1 +2 +3 +4 + +Changing it to: + + for var in "$@" + do + echo "$var" + done + +will correctly expand to: + +$ sh test.sh 1 2 '3 4' +1 +2 +3 4 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144 + +(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71) +--- + testprogs/blackbox/subunit.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh +index 0791d775d27..5c81ce20a11 100755 +--- a/testprogs/blackbox/subunit.sh ++++ b/testprogs/blackbox/subunit.sh +@@ -78,7 +78,7 @@ subunit_skip_test () { + testit () { + name="$1" + shift +- cmdline="$*" ++ cmdline="$@" + subunit_start_test "$name" + output=`$cmdline 2>&1` + status=$? +@@ -93,7 +93,7 @@ testit () { + testit_expect_failure () { + name="$1" + shift +- cmdline="$*" ++ cmdline="$@" + subunit_start_test "$name" + output=`$cmdline 2>&1` + status=$? 
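Review bot: `cmdline="$@"` does not preserve the argument boundaries the commit message describes. In a scalar assignment the positional parameters are joined into a single string, just as with `"$*"`, and the unquoted `$cmdline` in ``output=`$cmdline 2>&1` `` is then word-split and glob-expanded again, so an argument such as `'3 4'` still arrives as two words. This applies to both testit and testit_expect_failure. To keep the arguments intact, run them directly, ``output=`"$@" 2>&1` ``, and keep `cmdline` only if it is needed for reporting. Both function bodies continue outside these hunks.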
+-- +2.12.0 + + +From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 Mar 2017 16:11:39 +0100 +Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4) +--- + lib/krb5_wrap/krb5_samba.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 10b42dec53f..fd8e4a96071 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context, + goto open_keytab; + } + ++ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req); ++ + return KRB5_KT_BADNAME; + + open_keytab: +-- +2.12.0 + + +From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 Mar 2017 16:24:52 +0100 +Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad) +--- + source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++------- + 1 file changed, 57 insertions(+), 12 deletions(-) + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index 3c73b089bbb..96df10fcf65 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -34,6 +34,57 @@ + + #ifdef HAVE_ADS + ++/* This MAX_NAME_LEN is a constant defined in krb5.h */ ++#ifndef MAX_KEYTAB_NAME_LEN ++#define MAX_KEYTAB_NAME_LEN 1100 ++#endif ++ ++static krb5_error_code ads_keytab_open(krb5_context context, ++ krb5_keytab *keytab) ++{ ++ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0}; ++ const char *keytab_name = NULL; ++ krb5_error_code ret = 0; ++ ++ switch (lp_kerberos_method()) { ++ case KERBEROS_VERIFY_SYSTEM_KEYTAB: ++ 
case KERBEROS_VERIFY_SECRETS_AND_KEYTAB: ++ ret = krb5_kt_default_name(context, ++ keytab_str, ++ sizeof(keytab_str) - 2); ++ if (ret != 0) { ++ DBG_WARNING("Failed to get default keytab name"); ++ goto out; ++ } ++ keytab_name = keytab_str; ++ break; ++ case KERBEROS_VERIFY_DEDICATED_KEYTAB: ++ keytab_name = lp_dedicated_keytab_file(); ++ break; ++ default: ++ DBG_ERR("Invalid kerberos method set (%d)\n", ++ lp_kerberos_method()); ++ ret = KRB5_KT_BADNAME; ++ goto out; ++ } ++ ++ if (keytab_name == NULL || keytab_name[0] == '\0') { ++ DBG_ERR("Invalid keytab name\n"); ++ ret = KRB5_KT_BADNAME; ++ goto out; ++ } ++ ++ ret = smb_krb5_kt_open(context, keytab_name, true, keytab); ++ if (ret != 0) { ++ DBG_WARNING("smb_krb5_kt_open failed (%s)\n", ++ error_message(ret)); ++ goto out; ++ } ++ ++out: ++ return ret; ++} ++ + /********************************************************************** + Adds a single service principal, i.e. 'host' to the system keytab + ***********************************************************************/ +@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) + return -1; + } + +- ret = smb_krb5_kt_open(context, NULL, True, &keytab); +- if (ret) { +- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", +- error_message(ret))); ++ ret = ads_keytab_open(context, &keytab); ++ if (ret != 0) { + goto out; + } + +@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads) + return ret; + } + +- ret = smb_krb5_kt_open(context, NULL, True, &keytab); +- if (ret) { +- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", +- error_message(ret))); ++ ret = ads_keytab_open(context, &keytab); ++ if (ret != 0) { + goto out; + } + +@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads) + DEBUG(3, (__location__ ": Searching for keytab entries to preserve " + "and update.\n")); + +- ret = smb_krb5_kt_open(context, NULL, True, &keytab); +- if (ret) { +- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", +- error_message(ret))); ++ ret = 
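Review bot: In ads_keytab_open() (hunk `@@ -34,6 +34,57 @@`), `DBG_WARNING("Failed to get default keytab name");` lacks both the trailing newline and the error text that the other messages in the function carry. `DBG_WARNING("Failed to get default keytab name: %s\n", error_message(ret));` would match the smb_krb5_kt_open() branch. The comment `/* This MAX_NAME_LEN is a constant defined in krb5.h */` names a different macro from the `MAX_KEYTAB_NAME_LEN` fallback it precedes, and the `sizeof(keytab_str) - 2` passed to krb5_kt_default_name() is unexplained; a one-line comment on why two bytes are held back would help. A short header comment should also state which `kerberos method` values are accepted and that the keytab is opened with `true` as the third argument to smb_krb5_kt_open() (presumably write access; confirm).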
ads_keytab_open(context, &keytab); ++ if (ret != 0) { + goto done; + } + +-- +2.12.0 + + +From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 Mar 2017 17:28:58 +0100 +Subject: [PATCH 4/5] param: Allow to specify kerberos method on the + commandline + +We support --option for our tools but you cannot set an option where the +value of the option includes a space. + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0) +--- + lib/param/param_table.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/param/param_table.c b/lib/param/param_table.c +index 4b5234a7c9e..9a944ef19b3 100644 +--- a/lib/param/param_table.c ++++ b/lib/param/param_table.c +@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = { + static const struct enum_list enum_kerberos_method[] = { + {KERBEROS_VERIFY_SECRETS, "default"}, + {KERBEROS_VERIFY_SECRETS, "secrets only"}, ++ {KERBEROS_VERIFY_SECRETS, "secretsonly"}, + {KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"}, ++ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"}, + {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"}, ++ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"}, + {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"}, ++ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"}, + {-1, NULL} + }; + +-- +2.12.0 + + +From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 Mar 2017 16:34:05 +0100 +Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab + +This checks that a 'net ads join' can create the keytab and make sure we +will not regress in future. 
+ +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3) +--- + testprogs/blackbox/test_net_ads.sh | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 8e915cdcf1f..99b886f53eb 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + + + testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + ++# Test with kerberos method = secrets and keytab ++dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab" ++testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++ ++testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` ++ ++testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` ++rm -f $dedicated_keytab_file ++ + testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` + + testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` +-- +2.12.0 + diff --git a/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch new file mode 100644 index 0000000..4e21154 --- /dev/null +++ b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch 
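Review bot: The comment `# Test with kerberos method = secrets and keytab` does not match the option actually passed, `--option="kerberosmethod=dedicatedkeytab"`; it should read `# Test with kerberos method = dedicated keytab`. The test name `"join (decicated keytab)"` has a typo. The following `testjoin (dedicated keytab)` and `leave (dedicated keytab)` calls do not repeat the two `--option` arguments, so they presumably run with the configured default method rather than the dedicated keytab; confirm that is intended. `rm -f $dedicated_keytab_file` should quote the variable, `rm -f "$dedicated_keytab_file"`, since the path is built from `$PREFIX_ABS`.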
@@ -0,0 +1,245 @@ +From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 4 May 2017 17:48:42 +0200 +Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with + COPY_FROM_DIRECTORY + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05) +--- + source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++------------- + 1 file changed, 35 insertions(+), 16 deletions(-) + +diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c +index 394a3e5..49be5d9 100644 +--- a/source3/printing/nt_printing.c ++++ b/source3/printing/nt_printing.c +@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver + static uint32_t get_correct_cversion(struct auth_session_info *session_info, + const char *architecture, + const char *driverpath_in, ++ const char *driver_directory, + WERROR *perr) + { + int cversion = -1; + NTSTATUS nt_status; + struct smb_filename *smb_fname = NULL; +- char *driverpath = NULL; + files_struct *fsp = NULL; + connection_struct *conn = NULL; + char *oldcwd; + char *printdollar = NULL; ++ char *printdollar_path = NULL; ++ char *working_dir = NULL; + int printdollar_snum; + + *perr = WERR_INVALID_PARAMETER; +@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info, + return -1; + } + ++ printdollar_path = lp_path(talloc_tos(), printdollar_snum); ++ if (printdollar_path == NULL) { ++ *perr = WERR_NOT_ENOUGH_MEMORY; ++ return -1; ++ } ++ ++ working_dir = talloc_asprintf(talloc_tos(), ++ "%s/%s", ++ printdollar_path, ++ architecture); ++ /* ++ * If the driver has been uploaded into a temorpary driver ++ * directory, switch to the driver directory. 
++ */
++ if (driver_directory != NULL) {
++ working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
++ printdollar_path,
++ architecture,
++ driver_directory);
++ }
++
+ nt_status = create_conn_struct_cwd(talloc_tos(),
+ server_event_context(),
+ server_messaging_context(),
+ &conn,
+ printdollar_snum,
+- lp_path(talloc_tos(), printdollar_snum),
++ working_dir,
+ session_info, &oldcwd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0,("get_correct_cversion: create_conn_struct "
+@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ goto error_free_conn;
+ }
+
+- /* Open the driver file (Portable Executable format) and determine the
+- * deriver the cversion. */
+- driverpath = talloc_asprintf(talloc_tos(),
+- "%s/%s",
+- architecture,
+- driverpath_in);
+- if (!driverpath) {
+- *perr = WERR_NOT_ENOUGH_MEMORY;
+- goto error_exit;
+- }
+-
+- nt_status = driver_unix_convert(conn, driverpath, &smb_fname);
++ /*
++ * We switch to the directory where the driver files are located,
++ * so only work on the file names
++ */
++ nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ *perr = ntstatus_to_werror(nt_status);
+ goto error_exit;
+@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx,
+ * NT2K: cversion=3
+ */
+
+- *version = get_correct_cversion(session_info, short_architecture,
+- *driver_path, &err);
++ *version = get_correct_cversion(session_info,
++ short_architecture,
++ *driver_path,
++ *driver_directory,
++ &err);
+ if (*version == -1) {
+ return err;
+ }
+--
+2.9.3
+
+
+From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Fri, 5 May 2017 11:11:25 +0200
+Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test
+ for 64bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Guenther Deschner
+(cherry picked from
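Review bot: Neither `talloc_asprintf()` result assigned to `working_dir` is checked before it is handed to `create_conn_struct_cwd()`, unlike `printdollar_path` a few lines above, so an allocation failure passes a NULL path on. When `driver_directory` is set, the first string is also built and then discarded. Building the path once in an if/else and checking the result, as below, keeps the error handling consistent with the `printdollar_path` check. `get_correct_cversion()` starts and ends outside this hunk.

```c
	if (driver_directory != NULL) {
		/* driver was uploaded into a temporary directory below the architecture dir */
		working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
					      printdollar_path,
					      architecture,
					      driver_directory);
	} else {
		working_dir = talloc_asprintf(talloc_tos(), "%s/%s",
					      printdollar_path,
					      architecture);
	}
	if (working_dir == NULL) {
		*perr = WERR_NOT_ENOUGH_MEMORY;
		return -1;
	}

	/* … unchanged: create_conn_struct_cwd() call using working_dir … */
```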
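Review bot: `*driver_directory` in the `clean_up_driver_struct_level()` call is now spliced into the directory the connection changes into (the `"%s/%s/%s"` path in `get_correct_cversion()`), and nothing visible in these hunks restricts it to a single path component. If the value can originate from a client's driver-upload request, it should be rejected when it contains `/` or equals `..` before this call. If it is already validated, a comment should say where, e.g. `/* driver_directory: single path component, validated by the caller */`. The caller's handling is outside the hunk, so this is a point to confirm rather than a confirmed defect.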
commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e) +--- + source4/torture/rpc/spoolss.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c +index 409ba57..c4b7bf1 100644 +--- a/source4/torture/rpc/spoolss.c ++++ b/source4/torture/rpc/spoolss.c +@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx, + } + + static bool test_driver_copy_from_directory(struct torture_context *tctx, +- struct dcerpc_pipe *p) ++ struct dcerpc_pipe *p, ++ const char *architecture) + { + struct torture_driver_context *d; + struct spoolss_StringArray *a; +@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx, + d = talloc_zero(tctx, struct torture_driver_context); + torture_assert_not_null(tctx, d, "ENOMEM"); + +- d->local.environment = +- talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64); ++ d->local.environment = talloc_strdup(d, architecture); + torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM"); + + d->local.driver_directory = +@@ -11208,6 +11208,12 @@ done: + return ok; + } + ++static bool test_driver_copy_from_directory_64(struct torture_context *tctx, ++ struct dcerpc_pipe *p) ++{ ++ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64); ++} ++ + static bool test_del_driver_all_files(struct torture_context *tctx, + struct dcerpc_pipe *p) + { +@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx) + torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers); + + torture_rpc_tcase_add_test(tcase, +- "test_driver_copy_from_directory", +- test_driver_copy_from_directory); ++ "test_driver_copy_from_directory_64", ++ test_driver_copy_from_directory_64); + + torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files); + +-- +2.9.3 + + +From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 
00:00:00 2001 +From: Andreas Schneider +Date: Fri, 5 May 2017 11:12:02 +0200 +Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for + copy_from_directory + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0) +--- + source4/torture/rpc/spoolss.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c +index c4b7bf1..e17ac6f 100644 +--- a/source4/torture/rpc/spoolss.c ++++ b/source4/torture/rpc/spoolss.c +@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx, + d->local.environment = talloc_strdup(d, architecture); + torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM"); + +- d->local.driver_directory = +- talloc_asprintf(d, "/usr/share/cups/drivers/x64"); ++ if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) { ++ d->local.driver_directory = ++ talloc_strdup(d, "/usr/share/cups/drivers/x64"); ++ } else { ++ d->local.driver_directory = ++ talloc_strdup(d, "/usr/share/cups/drivers/i386"); ++ } + torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM"); + + d->remote.driver_upload_directory = GUID_string2(d, &guid); +@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx, + return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64); + } + ++static bool test_driver_copy_from_directory_32(struct torture_context *tctx, ++ struct dcerpc_pipe *p) ++{ ++ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86); ++} ++ + static bool test_del_driver_all_files(struct torture_context *tctx, + struct dcerpc_pipe *p) + { +@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx) + "test_driver_copy_from_directory_64", + 
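Review bot: The `else` branch in `test_driver_copy_from_directory()` sends every architecture other than `SPOOLSS_ARCHITECTURE_x64` to `/usr/share/cups/drivers/i386`, so a later caller passing a different architecture would silently exercise the 32-bit drivers. Comparing explicitly against `SPOOLSS_ARCHITECTURE_NT_X86` and failing the test for anything else would make the mapping explicit. The function body continues outside the hunk.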
test_driver_copy_from_directory_64); + ++ torture_rpc_tcase_add_test(tcase, ++ "test_driver_copy_from_directory_32", ++ test_driver_copy_from_directory_32); ++ + torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files); + + torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files); +-- +2.9.3 + diff --git a/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch new file mode 100644 index 0000000..7441e1d --- /dev/null +++ b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch 
@@ -0,0 +1,211 @@ +From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 14 Mar 2017 16:12:20 +0100 +Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file + +The arguments get passed in the wrong order to read_target_host(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687 + +Signed-off-by: Andreas Schneider +(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0) +--- + source3/modules/vfs_expand_msdfs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c +index ffbfa333bad..e42d0098b32 100644 +--- a/source3/modules/vfs_expand_msdfs.c ++++ b/source3/modules/vfs_expand_msdfs.c +@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx, + return NULL; + } + +- targethost = read_target_host( +- ctx, raddr, mapfilename); ++ targethost = read_target_host(ctx, mapfilename, raddr); + if (targethost == NULL) { + DEBUG(1, ("Could not expand target host from file %s\n", + mapfilename)); +-- +2.12.0 + +From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 21 Mar 2017 15:32:37 +0100 +Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to + get_referred_path() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687 + +Pair-Programmed-With: Ralph Boehme + +Signed-off-by: Andreas Schneider +Signed-off-by: Ralph Boehme +Reviewed-by: Jeremy Allison +(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e) +--- + source3/modules/vfs_default.c | 2 ++ + source3/rpc_server/dfs/srv_dfs_nt.c | 6 ++++++ + source3/smbd/msdfs.c | 12 +++++++----- + source3/smbd/proto.h | 12 +++++++----- + 4 files changed, 22 insertions(+), 10 deletions(-) + +diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c +index e0b6125f7d8..dcae861103d 100644 +--- a/source3/modules/vfs_default.c ++++ 
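Review bot: Nothing here guards against the two arguments being swapped again: the commit message says the remote address was being opened as the map file, and the corrected call `read_target_host(ctx, mapfilename, raddr)` is still a plain positional call. A short comment at the call site, such as `/* map file first, then the client address to look up */`, would make the order visible. A regression test for the expand_msdfs module would catch a recurrence, and none is part of this patch. `expand_msdfs_target()` starts and ends outside the hunk.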
b/source3/modules/vfs_default.c +@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle, + + /* The following call can change cwd. */ + status = get_referred_path(r, pathnamep, ++ handle->conn->sconn->remote_address, ++ handle->conn->sconn->local_address, + !handle->conn->sconn->using_smb2, + junction, &consumedcnt, &self_referral); + if (!NT_STATUS_IS_OK(status)) { +diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c +index ab2af53c0ba..0a4d6d31b7c 100644 +--- a/source3/rpc_server/dfs/srv_dfs_nt.c ++++ b/source3/rpc_server/dfs/srv_dfs_nt.c +@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r) + + /* The following call can change the cwd. */ + status = get_referred_path(ctx, r->in.path, ++ p->remote_address, ++ p->local_address, + true, /*allow_broken_path */ + jn, &consumedcnt, &self_ref); + if(!NT_STATUS_IS_OK(status)) { +@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r) + } + + status = get_referred_path(ctx, r->in.dfs_entry_path, ++ p->remote_address, ++ p->local_address, + true, /*allow_broken_path */ + jn, &consumedcnt, &self_ref); + if(!NT_STATUS_IS_OK(status)) { +@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r) + + /* The following call can change the cwd. 
*/ + status = get_referred_path(ctx, r->in.dfs_entry_path, ++ p->remote_address, ++ p->local_address, + true, /*allow_broken_path */ + jn, &consumedcnt, &self_ref); + if(!NT_STATUS_IS_OK(status) || +diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c +index 61538cec832..3cf82d3b430 100644 +--- a/source3/smbd/msdfs.c ++++ b/source3/smbd/msdfs.c +@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx, + **********************************************************************/ + + NTSTATUS get_referred_path(TALLOC_CTX *ctx, +- const char *dfs_path, +- bool allow_broken_path, +- struct junction_map *jucn, +- int *consumedcntp, +- bool *self_referralp) ++ const char *dfs_path, ++ const struct tsocket_address *remote_address, ++ const struct tsocket_address *local_address, ++ bool allow_broken_path, ++ struct junction_map *jucn, ++ int *consumedcntp, ++ bool *self_referralp) + { + struct connection_struct *conn; + char *targetpath = NULL; +diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h +index c1b8201b472..e64457cf9e0 100644 +--- a/source3/smbd/proto.h ++++ b/source3/smbd/proto.h +@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn, + SMB_STRUCT_STAT *sbufp); + struct junction_map; + NTSTATUS get_referred_path(TALLOC_CTX *ctx, +- const char *dfs_path, +- bool allow_broken_path, +- struct junction_map *jucn, +- int *consumedcntp, +- bool *self_referralp); ++ const char *dfs_path, ++ const struct tsocket_address *remote_address, ++ const struct tsocket_address *local_address, ++ bool allow_broken_path, ++ struct junction_map *jucn, ++ int *consumedcntp, ++ bool *self_referralp); + int setup_dfs_referral(connection_struct *orig_conn, + const char *dfs_path, + int max_referral_level, +-- +2.13.0 + + +From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 21 Mar 2017 15:45:34 +0100 +Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake + connection + +BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Pair-Programmed-With: Ralph Boehme
+
+Signed-off-by: Andreas Schneider
+Signed-off-by: Ralph Boehme
+Reviewed-by: Jeremy Allison
+
+(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9)
+---
+ source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
+index 3cf82d3b430..c25fb17cee8 100644
+--- a/source3/smbd/msdfs.c
++++ b/source3/smbd/msdfs.c
+@@ -31,6 +31,7 @@
+ #include "lib/param/loadparm.h"
+ #include "libcli/security/security.h"
+ #include "librpc/gen_ndr/ndr_dfsblobs.h"
++#include "lib/tsocket/tsocket.h"
+
+ /**********************************************************************
+ Parse a DFS pathname of the form \hostname\service\reqpath
+@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+ return status;
+ }
+
++ /*
++ * TODO
++ *
++ * The remote and local address should be passed down to
++ * create_conn_struct_cwd.
++ */
++ if (conn->sconn->remote_address == NULL) {
++ conn->sconn->remote_address =
++ tsocket_address_copy(remote_address, conn->sconn);
++ if (conn->sconn->remote_address == NULL) {
++ TALLOC_FREE(pdp);
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++ if (conn->sconn->local_address == NULL) {
++ conn->sconn->local_address =
++ tsocket_address_copy(local_address, conn->sconn);
++ if (conn->sconn->local_address == NULL) {
++ TALLOC_FREE(pdp);
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
+ /* If this is a DFS path dfs_lookup should return
+ * NT_STATUS_PATH_NOT_COVERED. */
+
+--
+2.13.0
+
diff --git a/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch b/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch
new file mode 100644
index 0000000..83a4985
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch
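Review bot: The two new `return NT_STATUS_NO_MEMORY;` paths in `get_referred_path()` free only `pdp`, although they run after the connection struct has been set up and, per the callers' own comments ("The following call can change the cwd"), possibly after the working directory has changed. If the function has a common cleanup path that restores the cwd and releases `conn` (it is outside this hunk), these failures should go through it instead of returning directly. The function comment should also state whether `remote_address` and `local_address` may be NULL, since both are passed to `tsocket_address_copy()` without a check whenever the `sconn` field is unset.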
@@ -0,0 +1,74 @@ +From 646b3c4b920f4ae4d1289eeb10018cd9d069382a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 9 Aug 2017 18:14:23 +0200 +Subject: [PATCH 1/2] s3:libads: Fix changing passwords with Kerberos + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956 + +Signed-off-by: Andreas Schneider +Reviewed-by: Richard Sharpe +(cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d) +--- + source3/libads/krb5_setpw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c +index 630c2e46631..bc96ac603b1 100644 +--- a/source3/libads/krb5_setpw.c ++++ b/source3/libads/krb5_setpw.c +@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, + ret = krb5_set_password(context, + &creds, + discard_const_p(char, newpw), +- princ, ++ NULL, + &result_code, + &result_code_string, + &result_string); +-- +2.14.0 + + +From be45f32ffb1504f36b860195b480b661699de049 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 9 Aug 2017 12:14:34 +0200 +Subject: [PATCH 2/2] blackbox: Add test for 'net ads changetrustpw' + +BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956 + +Signed-off-by: Andreas Schneider +Reviewed-by: Richard Sharpe + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144 + +(cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f) +--- + testprogs/blackbox/test_net_ads.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 99b886f53eb..bbd99b676bd 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -33,6 +33,8 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed + + testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` + ++testit "changetrustpw" $VALGRIND $net_tool ads 
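Review bot: The bare `NULL` now passed where `princ` used to be in the `krb5_set_password()` call needs a comment, because the reason is not visible at the call site. With a NULL target, `krb5_set_password()` changes the password of the principal the credentials belong to, so something like `NULL, /* change the password of the principal that owns creds */` would record the intent. If `princ` is no longer needed elsewhere in `ads_krb5_chg_password()` (the rest of the function is outside the hunk), its setup can be reviewed for removal as well.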
changetrustpw || failed=`expr $failed + 1` ++ + testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + + # Test with kerberos method = secrets and keytab +@@ -41,6 +43,8 @@ testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC + + testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` + ++testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` ++ + testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + rm -f $dedicated_keytab_file + +-- +2.14.0 + diff --git a/SOURCES/samba-v4-6-fix_path_substitutions.patch b/SOURCES/samba-v4-6-fix_path_substitutions.patch new file mode 100644 index 0000000..178c44d --- /dev/null +++ b/SOURCES/samba-v4-6-fix_path_substitutions.patch 
@@ -0,0 +1,194 @@ +From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Fri, 17 Mar 2017 13:52:57 +0100 +Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user + information + +This fixes the substitution for 'template homedir'. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699 + +Signed-off-by: Volker Lendecke +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Volker Lendecke +Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144 + +(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5) +--- + source3/winbindd/wb_queryuser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c +index be4d3d3e665..69b4c8dad5a 100644 +--- a/source3/winbindd/wb_queryuser.c ++++ b/source3/winbindd/wb_queryuser.c +@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq) + NTSTATUS status; + const char *domain_name; + +- status = wb_lookupsid_recv(subreq, state, &type, &domain_name, ++ status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name, + &state->info->primary_group_name); + TALLOC_FREE(subreq); + if (tevent_req_nterror(req, status)) { +-- +2.12.0 + + +From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 15 Mar 2017 12:37:08 +0100 +Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660) +--- + selftest/target/Samba3.pm | 19 ++++++++++++++++++- + source3/script/tests/test_substitutions.sh | 9 +++++++-- + 2 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index f5b2c510224..1e053f12297 100755 +--- a/selftest/target/Samba3.pm ++++ 
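Review bot: Switching the talloc parent from `state` to `state->info` in the `wb_lookupsid_recv()` call is the whole fix and is easy to revert by accident, so it needs a why-comment. Presumably the group name has to live as long as the info struct it is stored in, so `/* allocate on state->info so primary_group_name lives as long as the info struct */` would do. `domain_name` is now allocated on `state->info` as well. If it is not used after this call (the rest of `wb_queryuser_got_group_name()` is outside the hunk), it stays attached to the info struct for that struct's lifetime.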
b/selftest/target/Samba3.pm +@@ -394,16 +394,33 @@ sub setup_admember($$$$) + $substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users"; + push(@dirs, $substitution_path); + ++ # Using '/' as the winbind separator is a bad idea ... ++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN"; ++ push(@dirs, $substitution_path); ++ ++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice"; ++ push(@dirs, $substitution_path); ++ ++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN"; ++ push(@dirs, $substitution_path); ++ ++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users"; ++ push(@dirs, $substitution_path); ++ + my $member_options = " + security = ads + workgroup = $dcvars->{DOMAIN} + realm = $dcvars->{REALM} + netbios aliases = foo bar + +-[subDUG] ++[sub_dug] + path = $share_dir/D_%D/U_%U/G_%G + writeable = yes + ++[sub_dug2] ++ path = $share_dir/D_%D/u_%u/g_%g ++ writeable = yes ++ + "; + + my $ret = $self->provision($prefix, +diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh +index 0852ad969f0..1a46f11c85d 100755 +--- a/source3/script/tests/test_substitutions.sh ++++ b/source3/script/tests/test_substitutions.sh +@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient" + . $samba_srcdir/testprogs/blackbox/subunit.sh + . 
$samba_srcdir/testprogs/blackbox/common_test_fns.inc + +-SMB_UNC="//$SERVER/subDUG" ++SMB_UNC="//$SERVER/sub_dug" + +-test_smbclient "Test login to share with substitution" \ ++test_smbclient "Test login to share with substitution (DUG)" \ ++ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1) ++ ++SMB_UNC="//$SERVER/sub_dug2" ++ ++test_smbclient "Test login to share with substitution (Dug)" \ + "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1) + + exit $failed +-- +2.12.0 + + +From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 17 Mar 2017 10:04:19 +0100 +Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699 + +With this set, the samba3.local.nss test for ad_member will ensure that +we correctly substitute those smb.conf options. + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144 + +(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03) +--- + nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------ + selftest/target/Samba3.pm | 1 + + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh +index cfe582df068..f9c040e5f43 100755 +--- a/nsswitch/tests/test_wbinfo.sh ++++ b/nsswitch/tests/test_wbinfo.sh +@@ -205,13 +205,18 @@ subunit_start_test "$test_name" + # The full name (GECOS) is based on name (the RDN, in this case CN) + # and displayName in winbindd_ads, and is based only on displayName in + # winbindd_msrpc and winbindd_rpc. Allow both versions. 
+-expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false" +-expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false" ++if test "$TARGET" = "ad_member"; then ++ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false" ++ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false" ++else ++ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false" ++ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false" ++fi + +-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then ++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then + subunit_pass_test "$test_name" + else +- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" ++ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" + failed=`expr $failed + 1` + fi + +@@ -227,10 +232,10 @@ fi + + test_name="confirm output of wbinfo --uid-info against $TARGET" + subunit_start_test "$test_name" +-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then ++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then + subunit_pass_test "$test_name" + else +- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" ++ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" + failed=`expr $failed + 1` + fi + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 1e053f12297..cb4970828a5 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -412,6 +412,7 @@ sub 
setup_admember($$$$) + workgroup = $dcvars->{DOMAIN} + realm = $dcvars->{REALM} + netbios aliases = foo bar ++ template homedir = /home/%D/%G/%U + + [sub_dug] + path = $share_dir/D_%D/U_%U/G_%G +-- +2.12.0 + diff --git a/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch new file mode 100644 index 0000000..7b754ae --- /dev/null +++ b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch 
@@ -0,0 +1,339 @@ +From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 15 Mar 2017 17:04:30 +0000 +Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of + smb_bytes_pull_str() + +This function needs to get the whole smb buffer in order to get +the alignment for unicode correct. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24) +--- + libcli/smb/smb1cli_session.c | 28 +++++++++++++------------- + libcli/smb/smb_util.h | 3 ++- + libcli/smb/util.c | 47 +++++++++++++++++++++++++++++--------------- + 3 files changed, 47 insertions(+), 31 deletions(-) + +diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c +index 9d92aa6aed4..11614df0ae4 100644 +--- a/libcli/smb/smb1cli_session.c ++++ b/libcli/smb/smb1cli_session.c +@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq) + p = bytes; + + status = smb_bytes_pull_str(state, &state->out_native_os, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } + p += ret; + + status = smb_bytes_pull_str(state, &state->out_native_lm, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } +@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq) + p = bytes; + + status = smb_bytes_pull_str(state, &state->out_native_os, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } + p += ret; + + status = smb_bytes_pull_str(state, &state->out_native_lm, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, 
&ret); + if (tevent_req_nterror(req, status)) { + return; + } + p += ret; + + status = smb_bytes_pull_str(state, &state->out_primary_domain, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } +@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq) + p += out_security_blob_length; + + status = smb_bytes_pull_str(state, &state->out_native_os, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } + p += ret; + + status = smb_bytes_pull_str(state, &state->out_native_lm, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } +diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h +index 7e6f0a4ebc4..2884786339d 100644 +--- a/libcli/smb/smb_util.h ++++ b/libcli/smb/smb_util.h +@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf, + const uint8_t *bytes, size_t num_bytes); + NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2, + const uint8_t *buf, size_t buf_len, +- size_t *pbuf_consumed); ++ const uint8_t *position, ++ size_t *_consumed); +diff --git a/libcli/smb/util.c b/libcli/smb/util.c +index ef8c9fafa35..7ef909c6077 100644 +--- a/libcli/smb/util.c ++++ b/libcli/smb/util.c +@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf, + static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, + bool ucs2, bool align_odd, + const uint8_t *buf, size_t buf_len, +- size_t *pbuf_consumed) ++ const uint8_t *position, ++ size_t *p_consumed) + { + size_t pad = 0; ++ size_t offset; + char *str = NULL; + size_t str_len = 0; + bool ok; + + *_str = NULL; +- if (pbuf_consumed != NULL) { +- *pbuf_consumed = 0; ++ if (p_consumed != NULL) { ++ *p_consumed = 0; ++ } ++ ++ if (position < buf) { ++ return 
NT_STATUS_INTERNAL_ERROR;
++ }
++
++ offset = PTR_DIFF(position, buf);
++ if (offset > buf_len) {
++ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ if (ucs2 &&
+- ((align_odd && (buf_len % 2 == 0)) ||
+- (!align_odd && (buf_len % 2 == 1)))) {
+- if (buf_len < 1) {
+- return NT_STATUS_BUFFER_TOO_SMALL;
+- }
+- pad = 1;
+- buf_len -= pad;
+- buf += pad;
++ ((align_odd && (offset % 2 == 0)) ||
++ (!align_odd && (offset % 2 == 1)))) {
++ pad += 1;
++ offset += 1;
++ }
++
++ if (offset > buf_len) {
++ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
++ buf_len -= offset;
++ buf += offset;
++
+ if (ucs2) {
+ buf_len = utf16_len_n(buf, buf_len);
+ } else {
+@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
+ return map_nt_error_from_unix_common(errno);
+ }
+
+- if (pbuf_consumed != NULL) {
+- *pbuf_consumed = buf_len + pad;
++ if (p_consumed != NULL) {
++ *p_consumed = buf_len + pad;
+ }
+ *_str = str;
+- return NT_STATUS_OK;;
++ return NT_STATUS_OK;
+ }
+
+ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
+ const uint8_t *buf, size_t buf_len,
+- size_t *_buf_consumed)
++ const uint8_t *position,
++ size_t *_consumed)
+ {
+ return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
+- buf, buf_len, _buf_consumed);
++ buf, buf_len, position, _consumed);
+ }
+--
+2.13.1
+
+
+From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 15 Mar 2017 17:04:44 +0000
+Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper
+ function
+
+This function updates cli->server_{os,type,domain} to valid values
+after a session setup.
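Review bot: The new `position` parameter of `internal_bytes_pull_str()` carries a contract that is not written down: it must point into `buf`, at most `buf_len` bytes from its start, and `*p_consumed` is counted from `position` and includes the alignment pad byte. A short function comment saying so would help the callers, which all advance with `p += ret` over server-supplied bytes. The `position < buf` guard returns `NT_STATUS_INTERNAL_ERROR` while the other bounds failures return `NT_STATUS_BUFFER_TOO_SMALL`. That split looks intentional, and a one-line comment such as `/* caller bug, not a short reply */` on the first guard would make it explicit.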
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
+
+Signed-off-by: Stefan Metzmacher
+Reviewed-by: Andreas Schneider
+(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3)
+---
+ source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++--------------
+ 1 file changed, 52 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index a2362ceb863..ef03da17eec 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ return NT_STATUS_OK;
+ }
+
++static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli,
++ const char *native_os,
++ const char *native_lm,
++ const char *primary_domain)
++{
++#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0')
++
++ if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) {
++ cli->server_os = talloc_strdup(cli, native_os);
++ if (cli->server_os == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
++ if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) {
++ cli->server_type = talloc_strdup(cli, native_lm);
++ if (cli->server_type == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
++ if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) {
++ cli->server_domain = talloc_strdup(cli, primary_domain);
++ if (cli->server_domain == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
++#undef _VALID_STRING
++ return NT_STATUS_OK;
++}
++
+ /********************************************************
+ Utility function to ensure we always return at least
+ a valid char * pointer to an empty string for the
+@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
+ subreq, struct tevent_req);
+ struct cli_sesssetup_blob_state *state = tevent_req_data(
+ req, struct cli_sesssetup_blob_state);
+- struct cli_state *cli = state->cli;
+ NTSTATUS status;
+
+ if (smbXcli_conn_protocol(state->cli->conn) >=
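Review bot: `#undef _VALID_STRING` does not match the `#define _VALID_STR(p)` at the top of `cli_state_update_after_sesssetup()`, so the helper macro stays defined for the rest of cliconnect.c; the line should read `#undef _VALID_STR`. The name also begins with an underscore followed by a capital letter, which C reserves for the implementation, so a name like `VALID_STR` is safer. Separately, when an existing field holds an empty string it is overwritten by `talloc_strdup()` without a `TALLOC_FREE()` of the old value, so the old allocation stays on `cli` until `cli` itself is freed.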
PROTOCOL_SMB2_02) { +@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq) + return; + } + +- if (cli->server_os == NULL) { +- cli->server_os = talloc_move(cli, &state->out_native_os); +- } +- if (cli->server_type == NULL) { +- cli->server_type = talloc_move(cli, &state->out_native_lm); +- } +- + state->status = status; + ++ status = cli_state_update_after_sesssetup(state->cli, ++ state->out_native_os, ++ state->out_native_lm, ++ NULL); ++ if (tevent_req_nterror(req, status)) { ++ return; ++ } ++ + if (state->blob.length != 0) { + /* + * More to send +@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq) + return; + } + +- if (cli->server_os == NULL) { +- cli->server_os = talloc_move(cli, &state->out_native_os); +- } +- if (cli->server_type == NULL) { +- cli->server_type = talloc_move(cli, &state->out_native_lm); +- } +- if (cli->server_domain == NULL) { +- cli->server_domain = talloc_move(cli, &state->out_primary_domain); ++ status = cli_state_update_after_sesssetup(state->cli, ++ state->out_native_os, ++ state->out_native_lm, ++ state->out_primary_domain); ++ if (tevent_req_nterror(req, status)) { ++ return; + } + + ok = smb1cli_conn_activate_signing(cli->conn, +@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq) + subreq, struct tevent_req); + struct cli_session_setup_creds_state *state = tevent_req_data( + req, struct cli_session_setup_creds_state); +- struct cli_state *cli = state->cli; + NTSTATUS status; + + status = smb1cli_session_setup_lm21_recv(subreq, state, +@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq) + return; + } + +- if (cli->server_os == NULL) { +- cli->server_os = talloc_move(cli, &state->out_native_os); +- } +- if (cli->server_type == NULL) { +- cli->server_type = talloc_move(cli, &state->out_native_lm); ++ status = cli_state_update_after_sesssetup(state->cli, ++ 
state->out_native_os, ++ state->out_native_lm, ++ NULL); ++ if (tevent_req_nterror(req, status)) { ++ return; + } + + tevent_req_done(req); +-- +2.13.1 + diff --git a/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch new file mode 100644 index 0000000..5c52aa9 --- /dev/null +++ b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch 
@@ -0,0 +1,162 @@ +From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 19 Jun 2017 14:50:33 +0200 +Subject: [PATCH 1/2] s3:popt_common: Reparse the username in + popt_common_credentials_post() + +When we parse the username in the options handling, the smb.conf file +has not been loaded yet. So we are not aware of a 'winbind separator' +set in the config file. + +We need to read and set the username again in the post-processing of the +credentials. + +https://bugzilla.samba.org/show_bug.cgi?id=12849 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b) +--- + source3/lib/popt_common.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c +index 3589a4fbd2b..9928c708e89 100644 +--- a/source3/lib/popt_common.c ++++ b/source3/lib/popt_common.c +@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void) + void popt_common_credentials_post(void) + { + struct user_auth_info *auth_info = cmdline_auth_info; ++ const char *username = NULL; + + if (get_cmdline_auth_info_use_machine_account(auth_info) && + !set_cmdline_auth_info_machine_account_creds(auth_info)) +@@ -248,6 +249,20 @@ void popt_common_credentials_post(void) + } + + set_cmdline_auth_info_getpass(auth_info); ++ ++ /* ++ * When we set the username during the handling of the options passed to ++ * the binary we haven't loaded the config yet. This means that we ++ * didnn't take the 'winbind separator' into account. ++ * ++ * The username might contain the domain name and thus it hasn't been ++ * correctly parsed yet. If we have a username we need to set it again ++ * to run the string parser for the username correctly. 
++ */ ++ username = get_cmdline_auth_info_username(auth_info); ++ if (username != NULL && username[0] != '\0') { ++ set_cmdline_auth_info_username(auth_info, username); ++ } + } + + static void popt_common_credentials_callback(poptContext con, +-- +2.13.1 + + +From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 19 Jun 2017 15:52:23 +0200 +Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144 + +(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af) +--- + source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++ + source3/selftest/tests.py | 1 + + 2 files changed, 63 insertions(+) + create mode 100755 source3/script/tests/test_smbclient_basic.sh + +diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh +new file mode 100755 +index 00000000000..90e579b68e9 +--- /dev/null ++++ b/source3/script/tests/test_smbclient_basic.sh +@@ -0,0 +1,62 @@ ++#!/bin/sh ++ ++# this runs the file serving tests that are expected to pass with samba3 against shares with various options ++ ++if [ $# -lt 5 ]; then ++cat < ++EOF ++exit 1; ++fi ++ ++SERVER="$1" ++SERVER_IP="$2" ++USERNAME="$3" ++PASSWORD="$4" ++smbclient="$5" ++CONFIGURATION="$6" ++shift 6 ++ADDARGS="$@" ++ ++incdir=`dirname $0`/../../../testprogs/blackbox ++. $incdir/subunit.sh ++ ++test_smbclient() { ++ name="$1" ++ cmd="$2" ++ shift ++ shift ++ echo "test: $name" ++ $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@ ++ status=$? 
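Review bot: Feeding the stored name back through `set_cmdline_auth_info_username()` in the added block may do more than re-run the separator parsing. If the setter also records the username as explicitly supplied, a name that was only guessed (for example taken from the environment) would afterwards count as user-specified, and later code that depends on that distinction would see it. The setter's body is outside this hunk, so this needs confirming; a dedicated re-parse helper that leaves the "obtained" state untouched would avoid the question. `username` also points into `auth_info` while being passed to a function that replaces that field, so the setter must duplicate the string before releasing the old one. The comment has a typo, `didnn't`.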
++ if [ x$status = x0 ]; then ++ echo "success: $name" ++ else ++ echo "failure: $name" ++ fi ++ return $status ++} ++ ++# TEST using \ as the separator (default) ++test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1` ++# TEST using / as the separator (default) ++test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1` ++ ++# TEST using 'winbind separator = +' ++test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1` ++ ++# TEST using 'winbind separator = +' set in a config file ++smbclient_config="$PREFIX/tmpsmbconf" ++cat > $smbclient_config < +Date: Tue, 21 Mar 2017 09:57:30 +0100 +Subject: [PATCH 1/2] s3:libads: Remove obsolete + smb_krb5_get_ntstatus_from_init_creds() + +There is no way we can get a better error code out of this. The original +function called was krb5_get_init_creds_opt_get_error() which has been +deprecated in 2008. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708 + +Signed-off-by: Andreas Schneider +Reviewed-by: Uri Simchoni +(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e) +--- + source3/libads/kerberos.c | 169 ---------------------------------------------- + 1 file changed, 169 deletions(-) + +Index: samba-4.6.2/source3/libads/kerberos.c +=================================================================== +--- samba-4.6.2.orig/source3/libads/kerberos.c ++++ samba-4.6.2/source3/libads/kerberos.c +@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da + return 0; + } + +-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, +- DATA_BLOB *edata, +- DATA_BLOB *edata_out) +-{ +- DATA_BLOB edata_contents; +- ASN1_DATA *data; +- int edata_type; +- +- if (!edata->length) { +- return false; +- } +- +- data = asn1_init(mem_ctx); +- if (data == NULL) { +- return false; +- } +- +- if (!asn1_load(data, *edata)) goto err; +- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err; +- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err; +- if (!asn1_read_Integer(data, &edata_type)) goto err; +- +- if (edata_type != KRB5_PADATA_PW_SALT) { +- DEBUG(0,("edata is not of required type %d but of type %d\n", +- KRB5_PADATA_PW_SALT, edata_type)); +- goto err; +- } +- +- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err; +- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err; +- if (!asn1_end_tag(data)) goto err; +- if (!asn1_end_tag(data)) goto err; +- if (!asn1_end_tag(data)) goto err; +- asn1_free(data); +- +- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length); +- +- data_blob_free(&edata_contents); +- +- return true; +- +- err: +- +- asn1_free(data); +- return false; +-} +- +- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error, +- NTSTATUS *nt_status) +-{ +- DATA_BLOB edata; +- DATA_BLOB unwrapped_edata; +- TALLOC_CTX *mem_ctx; +- struct KRB5_EDATA_NTSTATUS parsed_edata; +- enum 
ndr_err_code ndr_err; +- +-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR +- edata = data_blob(error->e_data->data, error->e_data->length); +-#else +- edata = data_blob(error->e_data.data, error->e_data.length); +-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */ +- +-#ifdef DEVELOPER +- dump_data(10, edata.data, edata.length); +-#endif /* DEVELOPER */ +- +- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error"); +- if (mem_ctx == NULL) { +- data_blob_free(&edata); +- return False; +- } +- +- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) { +- data_blob_free(&edata); +- TALLOC_FREE(mem_ctx); +- return False; +- } +- +- data_blob_free(&edata); +- +- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, +- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS); +- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { +- data_blob_free(&unwrapped_edata); +- TALLOC_FREE(mem_ctx); +- return False; +- } +- +- data_blob_free(&unwrapped_edata); +- +- if (nt_status) { +- *nt_status = parsed_edata.ntstatus; +- } +- +- TALLOC_FREE(mem_ctx); +- +- return True; +-} +- +-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx, +- krb5_principal client, +- krb5_get_init_creds_opt *opt, +- NTSTATUS *nt_status) +-{ +- krb5_init_creds_context icc; +- krb5_error_code code; +-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR +- /* HEIMDAL */ +- krb5_error error; +-#else +- krb5_error *error = NULL; +-#endif +- bool ok; +- +- code = krb5_init_creds_init(ctx, +- client, +- NULL, +- NULL, +- 0, +- opt, +- &icc); +- if (code != 0) { +- DBG_WARNING("krb5_init_creds_init failed with: %s\n", +- error_message(code)); +- return false; +- } +- +- code = krb5_init_creds_get_error(ctx, +- icc, +- &error); +- if (code != 0) { +- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n", +- error_message(code)); +- return false; +- } +- krb5_init_creds_free(ctx, icc); +- +-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR +- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, 
nt_status); +- +- krb5_free_error_contents(ctx, &error); +-#else +- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status); +- +- krb5_free_error(ctx, error); +-#endif +- +- return ok; +-} +- + /* + simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL + place in default cache location. +@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch + } + out: + if (ntstatus) { +- +- NTSTATUS status; +- + /* fast path */ + if (code == 0) { + *ntstatus = NT_STATUS_OK; + goto cleanup; + } + +- /* try to get ntstatus code out of krb5_error when we have it +- * inside the krb5_get_init_creds_opt - gd */ +- +- if (opt != NULL) { +- bool ok; +- +- ok = smb_krb5_get_ntstatus_from_init_creds(ctx, +- me, +- opt, +- &status); +- if (ok) { +- *ntstatus = status; +- goto cleanup; +- } +- } +- + /* fall back to self-made-mapping */ + *ntstatus = krb5_to_nt_status(code); + } +Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh +=================================================================== +--- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh ++++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh +@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d + + testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1` + ++testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` ++ ++testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` ++ + rm -f $KRB5CCNAME_PATH + + exit $failed diff --git a/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch new file mode 100644 index 0000000..f29cddb --- /dev/null +++ b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch 
@@ -0,0 +1,76 @@ +From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 20 Jun 2017 10:27:07 +0200 +Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851 + +Signed-off-by: Andreas Schneider +Reviewed-by: Volker Lendecke +--- + source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++--- + 1 file changed, 31 insertions(+), 3 deletions(-) + +diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c +index 8c764f77b08..b0bf6784ba6 100644 +--- a/source3/winbindd/wb_getpwsid.c ++++ b/source3/winbindd/wb_getpwsid.c +@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) + req, struct wb_getpwsid_state); + struct winbindd_pw *pw = state->pw; + struct wbint_userinfo *info; ++ struct winbindd_domain *domain = NULL; + fstring acct_name, output_username; ++ char *mapped_name = NULL; + char *tmp; + NTSTATUS status; + +@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) + return; + } + +- fill_domain_username(output_username, info->domain_name, +- acct_name, true); ++ domain = find_domain_from_name_noinit(info->domain_name); ++ if (tevent_req_nomem(domain, req)) { ++ return; ++ } ++ ++ /* ++ * TODO: ++ * This function should be called in 'idmap winbind child'. It shouldn't ++ * be a blocking call, but for this we need to add a new function for ++ * winbind.idl. This is a fix which can be backported for now. 
++ */ ++ status = normalize_name_map(state, ++ domain, ++ acct_name, ++ &mapped_name); ++ if (NT_STATUS_IS_OK(status)) { ++ fill_domain_username(output_username, ++ info->domain_name, ++ mapped_name, true); ++ fstrcpy(acct_name, mapped_name); ++ } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) { ++ fstrcpy(acct_name, mapped_name); ++ } else { ++ fill_domain_username(output_username, ++ info->domain_name, ++ acct_name, true); ++ } ++ + strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name)); + + strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "", +@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) + TALLOC_FREE(tmp); + + tmp = talloc_sub_specified( +- state, info->shell, info->acct_name, ++ state, info->shell, acct_name, + info->primary_group_name, info->domain_name, + pw->pw_uid, pw->pw_gid); + if (tevent_req_nomem(tmp, req)) { +-- +2.13.1 + diff --git a/SOURCES/samba-v4.6-credentials-fix-realm.patch b/SOURCES/samba-v4.6-credentials-fix-realm.patch new file mode 100644 index 0000000..8583d5b --- /dev/null +++ b/SOURCES/samba-v4.6-credentials-fix-realm.patch @@ -0,0 +1,54 @@ +commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c +Author: Andreas Schneider +Date: Wed Dec 21 22:17:22 2016 +0100 + + auth/credentials: Always set the the realm if we set the principal from the ccache + + This fixes a bug in gensec_gssapi_client_start() where an invalid realm + is used to get a Kerberos ticket. + + 
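Review bot: On the `NT_STATUS_FILE_RENAMED` branch only `acct_name` is updated, so as far as this hunk shows `output_username` is never written before `strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name))` reads it. `fstring acct_name, output_username;` is declared without an initializer, so that path would copy indeterminate stack bytes into `pw_name`. The branch should set it as well, e.g. `fstrcpy(output_username, mapped_name);`. Separately, `tevent_req_nomem(domain, req)` reports a failed `find_domain_from_name_noinit()` lookup as out-of-memory; `if (domain == NULL) { tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN); return; }` would report the real cause. The function starts and ends outside the hunk.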
Signed-off-by: Andreas Schneider + Reviewed-by: Stefan Metzmacher + (cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7) + +diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c +index 0e68012..1912c48 100644 +--- a/auth/credentials/credentials_krb5.c ++++ b/auth/credentials/credentials_krb5.c +@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, + enum credentials_obtained obtained, + const char **error_string) + { +- ++ bool ok; ++ char *realm; + krb5_principal princ; + krb5_error_code ret; + char *name; +@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, + return ret; + } + +- cli_credentials_set_principal(cred, name, obtained); +- ++ ok = cli_credentials_set_principal(cred, name, obtained); ++ if (!ok) { ++ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); ++ return ENOMEM; ++ } + free(name); + ++ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context, ++ princ); + krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); ++ if (realm == NULL) { ++ return ENOMEM; ++ } ++ ok = cli_credentials_set_realm(cred, realm, obtained); ++ SAFE_FREE(realm); ++ if (!ok) { ++ return ENOMEM; ++ } + + /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */ + cred->ccache_obtained = obtained; diff --git a/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch b/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch new file mode 100644 index 0000000..5c66709 --- /dev/null +++ b/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch 
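Review bot: The new failure path after `cli_credentials_set_principal()` releases `princ` but returns before `free(name)`, so `name` leaks whenever that call fails. Freeing it straight after the call covers both paths: `ok = cli_credentials_set_principal(cred, name, obtained);` then `free(name);` and only then the `if (!ok)` block. The added `return ENOMEM` paths also leave `*error_string` unset. Whether callers rely on it being set on failure cannot be seen here, because `cli_credentials_set_from_ccache()` starts and ends outside the hunk.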
@@ -0,0 +1,391 @@ +From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:08:46 +0200 +Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29) +--- + source3/include/proto.h | 3 ++- + source3/libsmb/passchange.c | 5 +++-- + source3/utils/smbpasswd.c | 3 ++- + 3 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/source3/include/proto.h b/source3/include/proto.h +index baa579995a5..9deb27b416b 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain, + + /* The following definitions come from libsmb/passchange.c */ + +-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, ++NTSTATUS remote_password_change(const char *remote_machine, ++ const char *domain, const char *user_name, + const char *old_passwd, const char *new_passwd, + char **err_str); + +diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c +index c89b7ca85d1..48ffba8036f 100644 +--- a/source3/libsmb/passchange.c ++++ b/source3/libsmb/passchange.c +@@ -30,7 +30,8 @@ + Change a password on a remote machine using IPC calls. 
+ *************************************************************/ + +-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, ++NTSTATUS remote_password_change(const char *remote_machine, ++ const char *domain, const char *user_name, + const char *old_passwd, const char *new_passwd, + char **err_str) + { +@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam + + creds = cli_session_creds_init(cli, + user_name, +- NULL, /* domain */ ++ domain, + NULL, /* realm */ + old_passwd, + false, /* use_kerberos */ +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 437a5e551bb..4d7a3c739bc 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username, + fprintf(stderr, "Invalid remote operation!\n"); + return NT_STATUS_UNSUCCESSFUL; + } +- ret = remote_password_change(remote_mach, username, ++ ret = remote_password_change(remote_mach, ++ NULL, username, + old_passwd, new_pw, &err_str); + } else { + ret = local_password_change(username, local_flags, new_pw, +-- +2.14.1 + + +From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:10:06 +0200 +Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950) +--- + source3/include/proto.h | 7 ------- + source3/libsmb/proto.h | 10 ++++++++++ + source3/utils/smbpasswd.c | 1 + + 3 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/source3/include/proto.h b/source3/include/proto.h +index 9deb27b416b..67e1a9d750e 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain, + fstring srv_name, + 
struct sockaddr_storage *ss_out); + +-/* The following definitions come from libsmb/passchange.c */ +- +-NTSTATUS remote_password_change(const char *remote_machine, +- const char *domain, const char *user_name, +- const char *old_passwd, const char *new_passwd, +- char **err_str); +- + /* The following definitions come from libsmb/smberr.c */ + + const char *smb_dos_err_name(uint8_t e_class, uint16_t num); +diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h +index a583a8ee159..44f4d04cff5 100644 +--- a/source3/libsmb/proto.h ++++ b/source3/libsmb/proto.h +@@ -31,6 +31,9 @@ + + struct smb_trans_enc_state; + struct cli_credentials; ++struct cli_state; ++struct file_info; ++struct print_job_info; + + /* The following definitions come from libsmb/cliconnect.c */ + +@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname, + TALLOC_CTX *mem_ctx, char **psubstitute_name, + char **pprint_name, uint32_t *pflags); + ++/* The following definitions come from libsmb/passchange.c */ ++ ++NTSTATUS remote_password_change(const char *remote_machine, ++ const char *domain, const char *user_name, ++ const char *old_passwd, const char *new_passwd, ++ char **err_str); ++ + #endif /* _LIBSMB_PROTO_H_ */ +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 4d7a3c739bc..6eb2deb7a3b 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -21,6 +21,7 @@ + #include "secrets.h" + #include "../librpc/gen_ndr/samr.h" + #include "../lib/util/util_pw.h" ++#include "libsmb/proto.h" + #include "passdb.h" + + /* +-- +2.14.1 + + +From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:13:15 +0200 +Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change() + in smbpasswd + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 
41a31a71abe144362fc7483fabba39aafa866373) +--- + source3/utils/smbpasswd.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 6eb2deb7a3b..b0e08cc0e58 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get) + Change a password either locally or remotely. + *************************************************************/ + +-static NTSTATUS password_change(const char *remote_mach, char *username, +- char *old_passwd, char *new_pw, ++static NTSTATUS password_change(const char *remote_mach, ++ const char *username, ++ const char *old_passwd, const char *new_pw, + int local_flags) + { + NTSTATUS ret; +-- +2.14.1 + + +From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:14:57 +0200 +Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit b483340639157fe95777672f5723455c48c3c616) +--- + source3/utils/smbpasswd.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index b0e08cc0e58..92712e38f6b 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get) + *************************************************************/ + + static NTSTATUS password_change(const char *remote_mach, +- const char *username, ++ const char *domain, const char *username, + const char *old_passwd, const char *new_pw, + int local_flags) + { +@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach, + return NT_STATUS_UNSUCCESSFUL; + } + ret = remote_password_change(remote_mach, +- NULL, username, ++ 
domain, username, + old_passwd, new_pw, &err_str); + } else { + ret = local_password_change(username, local_flags, new_pw, +@@ -466,7 +466,8 @@ static int process_root(int local_flags) + } + } + +- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, ++ if (!NT_STATUS_IS_OK(password_change(remote_machine, ++ NULL, user_name, + old_passwd, new_passwd, + local_flags))) { + result = 1; +@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags) + exit(1); + } + +- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw, +- new_pw, 0))) { ++ if (!NT_STATUS_IS_OK(password_change(remote_machine, ++ NULL, user_name, ++ old_pw, new_pw, 0))) { + result = 1; + goto done; + } +-- +2.14.1 + + +From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:17:08 +0200 +Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name + in smbpasswd + +If a local user wants to change his password using smbpasswd and the +machine is a domain member, we need to make sure we authenticate against +our SAM and not ask winbind. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02) +--- + source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 92712e38f6b..556e6869da7 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -58,7 +58,7 @@ static void usage(void) + printf(" -c smb.conf file Use the given path to the smb.conf file\n"); + printf(" -D LEVEL debug level\n"); + printf(" -r MACHINE remote machine\n"); +- printf(" -U USER remote username\n"); ++ printf(" -U USER remote username (e.g. 
SAM/user)\n"); + + printf("extra options when run by root or in local mode:\n"); + printf(" -a add user\n"); +@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags) + + user_name[0] = '\0'; + +- while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) { ++ while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) { + switch(ch) { + case 'L': + if (getuid() != 0) { +@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags) + int result = 0; + char *old_pw = NULL; + char *new_pw = NULL; ++ const char *username = user_name; ++ const char *domain = NULL; ++ char *p = NULL; + + if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) { + /* Extra flags that we can't honor non-root */ +@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags) + } + } + ++ /* Allow domain as part of the username */ ++ if ((p = strchr_m(user_name, '\\')) || ++ (p = strchr_m(user_name, '/')) || ++ (p = strchr_m(user_name, *lp_winbind_separator()))) { ++ *p = '\0'; ++ username = p + 1; ++ domain = user_name; ++ } ++ + /* + * A non-root user is always setting a password + * via a remote machine (even if that machine is +@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags) + + load_interfaces(); /* Delayed from main() */ + +- if (remote_machine == NULL) { ++ if (remote_machine != NULL) { ++ if (!is_ipaddress(remote_machine)) { ++ domain = remote_machine; ++ } ++ } else { + remote_machine = "127.0.0.1"; ++ ++ /* ++ * If we deal with a local user, change the password for the ++ * user in our SAM. 
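Review bot: The `getopt()` option string gains `S:`, but no `case 'S':` is added anywhere in this patch. Unless the switch, whose body lies outside the hunk, already handles it, `-S <arg>` is accepted by `getopt()` and then falls into whatever the default branch does. Either drop the addition, restoring `"c:axdehminjr:sw:R:D:U:LW"`, or add the case together with a matching line in `usage()`.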
++ */ ++ domain = get_global_sam_name(); + } + + if (remote_machine != NULL) { +@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags) + } + + if (!NT_STATUS_IS_OK(password_change(remote_machine, +- NULL, user_name, ++ domain, username, + old_pw, new_pw, 0))) { + result = 1; + goto done; + } + +- printf("Password changed for user %s\n", user_name); ++ printf("Password changed for user %s\n", username); + + done: + SAFE_FREE(old_pw); +-- +2.14.1 + + +From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 22 Aug 2017 15:46:07 +0200 +Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Review with: git show -U20 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e) +--- + source3/utils/smbpasswd.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 556e6869da7..fb7ad283995 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags) + domain = get_global_sam_name(); + } + +- if (remote_machine != NULL) { +- old_pw = get_pass("Old SMB password:",stdin_passwd_get); +- if (old_pw == NULL) { +- fprintf(stderr, "Unable to get old password.\n"); +- exit(1); +- } ++ old_pw = get_pass("Old SMB password:",stdin_passwd_get); ++ if (old_pw == NULL) { ++ fprintf(stderr, "Unable to get old password.\n"); ++ exit(1); + } + + if (!new_passwd) { +-- +2.14.1 + diff --git a/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch b/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch new file mode 100644 index 0000000..74daaa8 --- /dev/null +++ b/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch 
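Review bot: In the `remote_machine != NULL` branch, `domain = remote_machine` replaces the domain that was just parsed out of `-U DOMAIN\user`, so an explicit domain is silently discarded whenever `-r` names a host rather than an IP address. Guarding the assignment would keep the caller's choice: `if (domain == NULL && !is_ipaddress(remote_machine)) { domain = remote_machine; }`. The else branch also overrides it with `get_global_sam_name()`; the commit message suggests that is intended for local users, but the comment there should say that a domain given in `-U` is ignored on purpose. The split also writes `*p = '\0'` into the global `user_name`, so any later reader of that buffer outside this hunk now sees only the domain part.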
@@ -0,0 +1,53 @@ +From fbef6bd05629e3f5939317bd073a2281fcc3b636 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 30 May 2017 16:30:33 +0200 +Subject: [PATCH] libcli:smb2: Gracefully handle not supported for + FSCTL_VALIDATE_NEGOTIATE_INFO + +If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only +server then gracefully handle NT_STATUS_NOT_SUPPORTED too. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808 + +Signed-off-by: Andreas Schneider +Signed-off-by: Guenther Deschner +Pair-Programmed-With: Guenther Deschner +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Volker Lendecke +Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144 + +(cherry picked from commit a4d9438ecf92614a0915b9cf61f905ea8170043a) +--- + libcli/smb/smbXcli_base.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c +index a7b24f01497..593edf9ce78 100644 +--- a/libcli/smb/smbXcli_base.c ++++ b/libcli/smb/smbXcli_base.c +@@ -5321,6 +5321,21 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq) + tevent_req_done(req); + return; + } ++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { ++ /* ++ * The response was signed, but not supported ++ * ++ * This might be returned by older Windows versions or by ++ * NetApp SMB server implementations. ++ * ++ * See ++ * ++ * https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/ ++ * ++ */ ++ tevent_req_done(req); ++ return; ++ } + if (tevent_req_nterror(req, status)) { + return; + } +-- +2.13.1.518.g3df882009-goog + diff --git a/SOURCES/samba-v4.6-gss_krb5_import_cred.patch b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch new file mode 100644 index 0000000..72f2904 --- /dev/null +++ b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch 
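Review bot: Treating `NT_STATUS_NOT_SUPPORTED` as success ends the negotiate validation without comparing any negotiated values. The only protection against a forged reply on this path is the signature check the comment alludes to ("The response was signed"), and that check is not visible in this hunk. The comment should name where signing of the response is enforced, for example `/* Signature of this response was already verified in <function>; an unsigned reply never reaches this branch. */`, so a later refactor cannot turn this branch into a way to skip validation. The enclosing function starts and ends outside the hunk.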
@@ -0,0 +1,543 @@ +From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 17:08:09 +0200 +Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108) +--- + wscript_configure_system_mitkrb5 | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 +index 06a9821..d3e8ebf 100644 +--- a/wscript_configure_system_mitkrb5 ++++ b/wscript_configure_system_mitkrb5 +@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN(''' + gsskrb5_extract_authz_data_from_sec_context + gss_krb5_export_lucid_sec_context + gss_import_cred gss_export_cred ++ gss_acquire_cred_from + ''', 'gssapi gssapi_krb5') + conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers) + conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5') +-- +2.9.3 + + +From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 16:14:57 +0200 +Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper + +Wrap gss_krb5_import_cred() to allow re-implementing it with +gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from() +works fine with GSSAPI interposer (GSS-proxy) while +gss_krb5_import_cred() is not interposed yet. + +The wrapper has additional parameter, krb5_context handle, to facilitate +with credentials cache name discovery. All our callers to +gss_krb5_import_cred() already have krb5 context handy. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d) +--- + lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++ + lib/krb5_wrap/gss_samba.h | 13 +++++ + 2 files changed, 134 insertions(+) + +diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c +index b444633..757ffc5 100644 +--- a/lib/krb5_wrap/gss_samba.c ++++ b/lib/krb5_wrap/gss_samba.c +@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid) + } + #endif /* !HAVE_GSS_OID_EQUAL */ + ++ ++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from() ++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly ++ * interposed by GSSPROXY while gss_krb5_import_cred() is not. ++ * ++ * This wrapper requires a proper krb5_context to resolve ccache name. ++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. 
*/ ++uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, ++ krb5_ccache id, krb5_principal keytab_principal, ++ krb5_keytab keytab, gss_cred_id_t *cred) ++{ ++ uint32_t major_status = 0; ++ ++#if HAVE_GSS_ACQUIRE_CRED_FROM ++ uint32_t minor = 0; ++ gss_key_value_element_desc ccache_element = { ++ .key = "ccache", ++ .value = NULL, ++ }; ++ ++ gss_key_value_element_desc keytab_element = { ++ .key = "keytab", ++ .value = NULL, ++ }; ++ ++ gss_key_value_element_desc elements[2]; ++ ++ gss_key_value_set_desc cred_store = { ++ .elements = &ccache_element, ++ .count = 1, ++ }; ++ ++ gss_OID_set mech_set = GSS_C_NO_OID_SET; ++ gss_cred_usage_t cred_usage = GSS_C_INITIATE; ++ gss_name_t name = NULL; ++ gss_buffer_desc pr_name = { ++ .value = NULL, ++ .length = 0, ++ }; ++ ++ if (id != NULL) { ++ major_status = krb5_cc_get_full_name(ctx, ++ id, ++ discard_const(&ccache_element.value)); ++ if (major_status != 0) { ++ return major_status; ++ } ++ } ++ ++ if (keytab != NULL) { ++ keytab_element.value = malloc(4096); ++ if (!keytab_element.value) { ++ return ENOMEM; ++ } ++ major_status = krb5_kt_get_name(ctx, ++ keytab, ++ discard_const(keytab_element.value), 4096); ++ if (major_status != 0) { ++ free(discard_const(keytab_element.value)); ++ return major_status; ++ } ++ cred_usage = GSS_C_ACCEPT; ++ cred_store.elements = &keytab_element; ++ ++ if (keytab_principal != NULL) { ++ major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value); ++ if (major_status != 0) { ++ free(discard_const(keytab_element.value)); ++ return major_status; ++ } ++ pr_name.length = strlen(pr_name.value); ++ ++ major_status = gss_import_name(minor_status, ++ &pr_name, ++ discard_const(GSS_KRB5_NT_PRINCIPAL_NAME), ++ &name); ++ if (major_status != 0) { ++ krb5_free_unparsed_name(ctx, pr_name.value); ++ free(discard_const(keytab_element.value)); ++ return major_status; ++ } ++ } ++ } ++ ++ if (id != NULL && keytab != NULL) { ++ elements[0] = ccache_element; ++ 
elements[1] = keytab_element; ++ ++ cred_store.elements = elements; ++ cred_store.count = 2; ++ cred_usage = GSS_C_BOTH; ++ } ++ ++ major_status = gss_acquire_cred_from(minor_status, ++ name, ++ 0, ++ mech_set, ++ cred_usage, ++ &cred_store, ++ cred, ++ NULL, ++ NULL); ++ ++ if (pr_name.value != NULL) { ++ (void)gss_release_name(&minor, &name); ++ krb5_free_unparsed_name(ctx, pr_name.value); ++ } ++ if (keytab_element.value != NULL) { ++ free(discard_const(keytab_element.value)); ++ } ++ krb5_free_string(ctx, discard_const(ccache_element.value)); ++#else ++ major_status = gss_krb5_import_cred(minor_status, ++ id, ++ keytab_principal, ++ keytab, cred); ++#endif ++ return major_status; ++} ++ ++ + #endif /* HAVE_GSSAPI */ +diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h +index 5319932..89aee34 100644 +--- a/lib/krb5_wrap/gss_samba.h ++++ b/lib/krb5_wrap/gss_samba.h +@@ -25,6 +25,7 @@ + #ifdef HAVE_GSSAPI + + #include "system/gssapi.h" ++#include "krb5_samba.h" + + #if defined(HAVE_GSS_OID_EQUAL) + #define smb_gss_oid_equal gss_oid_equal +@@ -32,5 +33,17 @@ + int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid); + #endif /* HAVE_GSS_OID_EQUAL */ + ++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from() ++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly ++ * interposed by GSS-proxy while gss_krb5_import_cred() is not. ++ * ++ * This wrapper requires a proper krb5_context to resolve the ccache name for ++ * gss_acquire_cred_from(). ++ * ++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. 
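Review bot: In the HAVE_GSS_ACQUIRE_CRED_FROM branch of smb_gss_krb5_import_cred(), the early returns hand back `ENOMEM` and raw krb5 error codes as the GSS major status and never write `*minor_status`. Callers such as cli_credentials_get_client_gss_creds() (patch 3/6) compare the result with `GSS_S_FAILURE` and then read `min_stat`, so they would misclassify the failure and read a minor code that was never set. The early returns in the keytab path also skip the `krb5_free_string()` for `ccache_element.value` when both `id` and `keytab` are passed, which leaks the ccache name. Routing the krb5 failures through one label that stores the code in `*minor_status` and returns `GSS_S_FAILURE` fixes both. The `#else` fallback added in patch 6/6 returns krb5 codes as the major status in the same way.

```c
	krb5_error_code kret = 0;
	/* … unchanged: element, cred_store, name and pr_name declarations … */

	if (id != NULL) {
		kret = krb5_cc_get_full_name(ctx, id,
				discard_const(&ccache_element.value));
		if (kret != 0) {
			goto krb5_fail;
		}
	}

	if (keytab != NULL) {
		keytab_element.value = malloc(4096);
		if (keytab_element.value == NULL) {
			kret = ENOMEM;
			goto krb5_fail;
		}
		kret = krb5_kt_get_name(ctx, keytab,
				discard_const(keytab_element.value), 4096);
		if (kret != 0) {
			goto krb5_fail;
		}
		/* … unchanged: cred_usage/cred_store setup; a krb5_unparse_name()
		 * failure goes to krb5_fail, a gss_import_name() failure to cleanup … */
	}

	/* … unchanged: two-element cred_store, gss_acquire_cred_from() call … */
	goto cleanup;

krb5_fail:
	/* keep krb5 codes out of the GSS major-status namespace */
	*minor_status = (uint32_t)kret;
	major_status = GSS_S_FAILURE;
cleanup:
	/* … unchanged: release name and pr_name, free keytab_element.value,
	 * krb5_free_string() on ccache_element.value … */
```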
*/ ++uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx, ++ krb5_ccache id, krb5_principal keytab_principal, ++ krb5_keytab keytab, gss_cred_id_t *cred); ++ + #endif /* HAVE_GSSAPI */ + #endif /* _GSS_SAMBA_H */ +-- +2.9.3 + + +From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 16:57:13 +0200 +Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1) +--- + auth/credentials/credentials_krb5.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c +index e974df9..0e68012 100644 +--- a/auth/credentials/credentials_krb5.c ++++ b/auth/credentials/credentials_krb5.c +@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + return ENOMEM; + } + +- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, +- &gcc->creds); ++ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, ++ ccache->ccache, NULL, NULL, ++ &gcc->creds); + if ((maj_stat == GSS_S_FAILURE) && + (min_stat == (OM_uint32)KRB5_CC_END || + min_stat == (OM_uint32)KRB5_CC_NOTFOUND || +@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + return ret; + } + +- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, +- &gcc->creds); ++ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, ++ ccache->ccache, NULL, NULL, ++ &gcc->creds); + + } + +@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + } else { + ret = EINVAL; + } +- (*error_string) = talloc_asprintf(cred, 
"gss_krb5_import_cred failed: %s", error_message(ret)); ++ (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret)); + return ret; + } + +@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, + + if (ktc->password_based || obtained < CRED_SPECIFIED) { + /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */ +- maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab, +- &gcc->creds); ++ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context, ++ NULL, NULL, ktc->keytab, ++ &gcc->creds); + } else { + /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */ +- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab, +- &gcc->creds); ++ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context, ++ NULL, princ, ktc->keytab, ++ &gcc->creds); + } + if (maj_stat) { + if (min_stat) { +-- +2.9.3 + + +From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 16:57:50 +0200 +Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9) +--- + source3/libads/sasl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 8570788..30127fa 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred) + goto done; + } + +- maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred); ++ maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred); + if (maj != GSS_S_COMPLETE) { + status = ADS_ERROR_GSS(maj, min); + goto done; +-- +2.9.3 + 
+ +From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 16:58:14 +0200 +Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7) +--- + source3/librpc/crypto/gse.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index abf20bc..f4238f3 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + /* TODO: get krb5 ticket using username/password, if no valid + * one already available in ccache */ + +- gss_maj = gss_krb5_import_cred(&gss_min, +- gse_ctx->ccache, +- NULL, /* keytab_principal */ +- NULL, /* keytab */ +- &gse_ctx->creds); ++ gss_maj = smb_gss_krb5_import_cred(&gss_min, ++ gse_ctx->k5ctx, ++ gse_ctx->ccache, ++ NULL, /* keytab_principal */ ++ NULL, /* keytab */ ++ &gse_ctx->creds); + if (gss_maj) { + char *ccache = NULL; + int kret; +@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + ccache = NULL; + } + +- DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -" ++ DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -" + "the caller may retry after a kinit.\n", + ccache, gse_errstr(gse_ctx, gss_maj, gss_min))); + SAFE_FREE(ccache); +@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, + } + + /* This creates a GSSAPI cred_id_t with the keytab set */ +- gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, +- &gse_ctx->creds); ++ gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx, ++ NULL, NULL, gse_ctx->keytab, ++ &gse_ctx->creds); + + if (gss_maj != 0 + && gss_maj != 
(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { +- DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n", ++ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n", + gse_errstr(gse_ctx, gss_maj, gss_min))); + status = NT_STATUS_INTERNAL_ERROR; + goto done; +-- +2.9.3 + + +From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 8 Mar 2017 12:38:49 +0200 +Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred + wrapper + +MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing +credentials from a keytab without specifying actual principal. +This was fixed in MIT krb5 1.9.2 (see commit +71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git +master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5). + +Move fallback code to the smb_gss_krb5_import_cred wrapper. We only +expect this fallback to happen with krb5 GSSAPI mechanism, thus hard +code use of krb5 mech when calling to gss_acquire_cred. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Alexander Bokovoy +Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144 + +(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32) +--- + lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++--- + source3/librpc/crypto/gse.c | 49 +-------------------------------------------- + 2 files changed, 44 insertions(+), 51 deletions(-) + +diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c +index 757ffc5..9e5ad4a 100644 +--- a/lib/krb5_wrap/gss_samba.c ++++ b/lib/krb5_wrap/gss_samba.c +@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, + krb5_free_string(ctx, discard_const(ccache_element.value)); + #else + major_status = gss_krb5_import_cred(minor_status, +- id, +- keytab_principal, +- keytab, cred); ++ id, ++ keytab_principal, ++ keytab, cred); ++ ++ if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { ++ if ((keytab_principal == NULL) && (keytab != NULL)) { ++ /* No principal was specified and MIT krb5 1.9 version failed. 
++ * We have to fall back to set global acceptor identity */ ++ gss_OID_set_desc mech_set; ++ char *kt_name = NULL; ++ ++ kt_name = malloc(4096); ++ if (!kt_name) { ++ return ENOMEM; ++ } ++ ++ major_status = krb5_kt_get_name(ctx, ++ keytab, ++ kt_name, 4096); ++ if (major_status != 0) { ++ free(kt_name); ++ return major_status; ++ } ++ ++ major_status = gsskrb5_register_acceptor_identity(kt_name); ++ if (major_status) { ++ free(kt_name); ++ return major_status; ++ } ++ ++ /* We are dealing with krb5 GSSAPI mech in this fallback */ ++ mech_set.count = 1; ++ mech_set.elements = gss_mech_krb5; ++ major_status = gss_acquire_cred(minor_status, ++ GSS_C_NO_NAME, ++ GSS_C_INDEFINITE, ++ &mech_set, ++ GSS_C_ACCEPT, ++ cred, ++ NULL, NULL); ++ free(kt_name); ++ } ++ } + #endif + return major_status; + } +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index f4238f3..a111320 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, + NULL, NULL, gse_ctx->keytab, + &gse_ctx->creds); + +- if (gss_maj != 0 +- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { ++ if (gss_maj != 0) { + DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n", + gse_errstr(gse_ctx, gss_maj, gss_min))); + status = NT_STATUS_INTERNAL_ERROR; + goto done; +- +- /* This is the error the MIT krb5 1.9 gives when it +- * implements the function, but we do not specify the +- * principal. However, when we specify the principal +- * as host$@REALM the GSS acceptor fails with 'wrong +- * principal in request'. Work around the issue by +- * falling back to the alternate approach below. */ +- } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) +- /* FIXME!!! +- * This call sets the default keytab for the whole server, not +- * just for this context. Need to find a way that does not alter +- * the state of the whole server ... 
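Review bot: The fallback moved into the `#else` branch calls gsskrb5_register_acceptor_identity(), and the FIXME removed from gse_init_server() in this same patch said that this call sets the default keytab for the whole server rather than for one context. That warning is lost in the move, while the side effect is now reachable from every caller of smb_gss_krb5_import_cred() that passes a keytab without a principal, not only from gse.c. Please carry the caveat over above the call, e.g. `/* NOTE: this changes the acceptor keytab process-wide, not only for *cred */`. It would also help to log at debug level when the fallback is taken, so that an unexpected keytab switch can be traced.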
*/ +- { +- const char *ktname; +- gss_OID_set_desc mech_set; +- +- ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx, +- gse_ctx->keytab, &ktname); +- if (ret) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- +- ret = gsskrb5_register_acceptor_identity(ktname); +- if (ret) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- +- mech_set.count = 1; +- mech_set.elements = &gse_ctx->gss_mech; +- +- gss_maj = gss_acquire_cred(&gss_min, +- GSS_C_NO_NAME, +- GSS_C_INDEFINITE, +- &mech_set, +- GSS_C_ACCEPT, +- &gse_ctx->creds, +- NULL, NULL); +- +- if (gss_maj) { +- DEBUG(0, ("gss_acquire_creds failed with [%s]\n", +- gse_errstr(gse_ctx, gss_maj, gss_min))); +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } + } + + status = NT_STATUS_OK; +-- +2.9.3 + diff --git a/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch new file mode 100644 index 0000000..73c72cd --- /dev/null +++ b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch 
@@ -0,0 +1,179 @@ +From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 10 Mar 2017 16:20:06 +0200 +Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement a small Python module that exposes arcfour_crypt_blob() +function widely used in Samba C code. + +When Samba Python bindings are used to call LSA CreateTrustedDomainEx2, +there is a need to encrypt trusted credentials with RC4 cipher. + +Current Samba Python code relies on Python runtime to provide RC4 +cipher. However, in FIPS 140-2 mode system crypto libraries do not +provide access RC4 cipher at all. According to Microsoft dochelp team, +Windows is treating AuthenticationInformation blob encryption as 'plain +text' in terms of FIPS 140-2, thus doing application-level encryption. + +Replace samba.arcfour_encrypt() implementation with a call to +samba.crypto.arcfour_crypt_blob(). + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Simo Sorce +Reviewed-by: Guenther Deschner + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144 + +(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c) +--- + lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ + lib/crypto/wscript_build | 7 ++++ + python/samba/__init__.py | 16 ++------- + 3 files changed, 99 insertions(+), 14 deletions(-) + create mode 100644 lib/crypto/py_crypto.c + +diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c +new file mode 100644 +index 0000000..bf7f9f4 +--- /dev/null ++++ b/lib/crypto/py_crypto.c +@@ -0,0 +1,90 @@ ++/* ++ Unix SMB/CIFS implementation. 
++ Samba crypto functions ++ ++ Copyright (C) Alexander Bokovoy 2017 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include ++#include "includes.h" ++#include "python/py3compat.h" ++#include "lib/crypto/arcfour.h" ++ ++static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs) ++{ ++ DATA_BLOB data, key; ++ PyObject *py_data, *py_key, *result; ++ TALLOC_CTX *ctx; ++ ++ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key)) ++ return NULL; ++ ++ if (!PyBytes_Check(py_data)) { ++ PyErr_Format(PyExc_TypeError, "bytes expected"); ++ return NULL; ++ } ++ ++ if (!PyBytes_Check(py_key)) { ++ PyErr_Format(PyExc_TypeError, "bytes expected"); ++ return NULL; ++ } ++ ++ ctx = talloc_new(NULL); ++ ++ data.length = PyBytes_Size(py_data); ++ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length); ++ if (!data.data) { ++ talloc_free(ctx); ++ return PyErr_NoMemory(); ++ } ++ ++ key.data = (uint8_t *)PyBytes_AsString(py_key); ++ key.length = PyBytes_Size(py_key); ++ ++ arcfour_crypt_blob(data.data, data.length, &key); ++ ++ result = PyBytes_FromStringAndSize((const char*) data.data, data.length); ++ talloc_free(ctx); ++ return result; ++} ++ ++ ++static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n" ++ "Encrypt the data with RC4 algorithm using the key"; ++ ++static PyMethodDef py_crypto_methods[] = { ++ { 
"arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc }, ++ { NULL }, ++}; ++ ++static struct PyModuleDef moduledef = { ++ PyModuleDef_HEAD_INIT, ++ .m_name = "crypto", ++ .m_doc = "Crypto functions required for SMB", ++ .m_size = -1, ++ .m_methods = py_crypto_methods, ++}; ++ ++MODULE_INIT_FUNC(crypto) ++{ ++ PyObject *m; ++ ++ m = PyModule_Create(&moduledef); ++ if (m == NULL) ++ return NULL; ++ ++ return m; ++} +diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build +index 7f94532..d1f152e 100644 +--- a/lib/crypto/wscript_build ++++ b/lib/crypto/wscript_build +@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', + autoproto='test_proto.h', + deps='LIBCRYPTO' + ) ++ ++for env in bld.gen_python_environments(): ++ bld.SAMBA_PYTHON('python_crypto', ++ source='py_crypto.c', ++ deps='LIBCRYPTO', ++ realname='samba/crypto.so' ++ ) +diff --git a/python/samba/__init__.py b/python/samba/__init__.py +index 19d5e38..fa4244a 100644 +--- a/python/samba/__init__.py ++++ b/python/samba/__init__.py +@@ -371,20 +371,8 @@ def string_to_byte_array(string): + return blob + + def arcfour_encrypt(key, data): +- try: +- from Crypto.Cipher import ARC4 +- c = ARC4.new(key) +- return c.encrypt(data) +- except ImportError as e: +- pass +- try: +- from M2Crypto.RC4 import RC4 +- c = RC4(key) +- return c.update(data) +- except ImportError as e: +- pass +- raise Exception("arcfour_encrypt() requires " + +- "python*-crypto or python*-m2crypto or m2crypto") ++ from samba.crypto import arcfour_crypt_blob ++ return arcfour_crypt_blob(data, key) + + import _glue + version = _glue.version +-- +2.9.3 + diff --git a/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch new file mode 100644 index 0000000..f2f7cb6 --- /dev/null +++ b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch 
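Review bot: py_crypto_arcfour_crypt_blob() passes the caller's key to arcfour_crypt_blob() without checking its length, and it uses the result of `talloc_new(NULL)` without a NULL check. How arcfour_crypt_blob() handles a zero-length key is not visible in this patch, so I would reject it at the binding boundary with `if (PyBytes_Size(py_key) == 0) { PyErr_SetString(PyExc_ValueError, "key must not be empty"); return NULL; }`. After the allocation I would add `if (ctx == NULL) { return PyErr_NoMemory(); }`. The function is registered as METH_VARARGS yet declared with a third `kwargs` parameter that the `(PyCFunction)` cast hides; dropping the unused parameter makes the signature match the calling convention. The docstring could also state that RC4 is exposed only for protocol compatibility (the commit message cites LSA CreateTrustedDomainEx2), so that it is not picked up as a general-purpose cipher.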
@@ -0,0 +1,405 @@ +From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 16 Jan 2017 11:43:12 +0100 +Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows + +Since Windows Server 2008 Microsoft uses a different port range for RPC +services. Before it was 1024-65535 and they changed it to 49152-65535. + +We should use the same range as these are the ports the firewall in AD +networks normally allow. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3) +--- + source3/rpc_server/rpc_server.c | 4 ++-- + source4/smbd/service_stream.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c +index 5effe66d9bb..37fe68fc36d 100644 +--- a/source3/rpc_server/rpc_server.c ++++ b/source3/rpc_server/rpc_server.c +@@ -34,8 +34,8 @@ + #include "rpc_server/srv_pipe_hnd.h" + #include "rpc_server/srv_pipe.h" + +-#define SERVER_TCP_LOW_PORT 1024 +-#define SERVER_TCP_HIGH_PORT 1300 ++#define SERVER_TCP_LOW_PORT 49152 ++#define SERVER_TCP_HIGH_PORT 65535 + + /* Creates a pipes_struct and initializes it with the information + * sent from the client */ +diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c +index f0a379acf6a..96a303fc6a9 100644 +--- a/source4/smbd/service_stream.c ++++ b/source4/smbd/service_stream.c +@@ -30,8 +30,8 @@ + #include "lib/util/util_net.h" + + /* the range of ports to try for dcerpc over tcp endpoints */ +-#define SERVER_TCP_LOW_PORT 1024 +-#define SERVER_TCP_HIGH_PORT 1300 ++#define SERVER_TCP_LOW_PORT 49152 ++#define SERVER_TCP_HIGH_PORT 65535 + + /* size of listen() backlog in smbd */ + #define SERVER_LISTEN_BACKLOG 10 +-- +2.11.0 + + +From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 16 
Jan 2017 12:05:09 +0100 +Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC + services + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d) +--- + docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +++++-- + .../smbdotconf/rpc/rpcserverdynamicportrange.xml | 22 ++++++++++ + lib/param/loadparm.c | 47 ++++++++++++++++++++++ + lib/param/loadparm.h | 9 ++++- + lib/param/param.h | 3 ++ + python/samba/tests/docs.py | 11 +++-- + source3/include/proto.h | 2 + + source3/param/loadparm.c | 16 ++++++++ + source3/rpc_server/rpc_server.c | 5 +-- + source4/smbd/service_stream.c | 8 ++-- + 10 files changed, 120 insertions(+), 17 deletions(-) + create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml + +diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml +index 8a70835612f..0fd87d69212 100644 +--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml ++++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml +@@ -4,11 +4,19 @@ + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + + Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic. +- This controls default port for all protocols, except for NETLOGON. If unset, the first available port after 1024 is used. +- The NETLOGON server will use the next available port, eg 1025. To change this port use (eg) rpc server port:netlogon = 4000. ++ This controls the default port for all protocols, except for NETLOGON. ++ If unset, the first available port from is used, e.g. 49152. ++ The NETLOGON server will use the next available port, e.g. 49153. To change this port use (eg) rpc server port:netlogon = 4000. + Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000. 
+ ++ This option applies currently only when ++ samba 8 ++ runs as an active directory domain controller. ++ ++ The default value 0 causes Samba to select the first available port from . + +-The default value 0 causes Samba to select the first available port after 1024. ++ ++rpc server dynamic port range ++ + 0 + +diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml +new file mode 100644 +index 00000000000..a9c51d2fe41 +--- /dev/null ++++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml +@@ -0,0 +1,22 @@ ++ ++ ++ ++ This parameter tells the RPC server which port range it is ++ allowed to use to create a listening socket for LSA, SAM, ++ Netlogon and others without wellknown tcp ports. ++ The first value is the lowest number of the port ++ range and the second the hightest. ++ ++ ++ This applies to RPC servers in all server roles. ++ ++ ++ ++rpc server port ++ ++49152-65535 ++ +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 6aa757f7c6b..3b54ff232aa 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx) + return lp_ctx->sDefault; + } + ++int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx) ++{ ++ return lp_ctx->globals->rpc_low_port; ++} ++ ++int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx) ++{ ++ return lp_ctx->globals->rpc_high_port; ++} ++ + /** + * Convenience routine to grab string parameters into temporary memory + * and run standard_sub_basic on them. 
+@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service * + return true; + } + ++bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx, ++ struct loadparm_service *service, ++ const char *pszParmValue, ++ char **ptr) ++{ ++ int low_port = -1, high_port = -1; ++ int rc; ++ ++ if (pszParmValue == NULL || pszParmValue[0] == '\0') { ++ return false; ++ } ++ ++ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port); ++ if (rc != 2) { ++ return false; ++ } ++ ++ if (low_port > high_port) { ++ return false; ++ } ++ ++ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) { ++ return false; ++ } ++ ++ lp_ctx->globals->rpc_low_port = low_port; ++ lp_ctx->globals->rpc_high_port = high_port; ++ ++ return true; ++} ++ + bool handle_smb2_max_credits(struct loadparm_context *lp_ctx, + struct loadparm_service *service, + const char *pszParmValue, char **ptr) +@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global); + /* This appears odd, but globals in s3 isn't a pointer */ + lp_ctx->globals->ctx = lp_ctx->globals; ++ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT; ++ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT; + lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service); + lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters()); + +@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + + lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all"); + ++ lpcfg_do_global_parameter(lp_ctx, ++ "rpc server dynamic port range", ++ "49152-65535"); ++ + /* Allow modules to adjust defaults */ + for (defaults_hook = defaults_hooks; defaults_hook; + defaults_hook = defaults_hook->next) { +diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h +index f9fb7d8d804..c63683d6b66 100644 +--- a/lib/param/loadparm.h ++++ b/lib/param/loadparm.h 
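Review bot: handle_rpc_server_dynamic_port_range() accepts any value whose prefix parses, because `sscanf(pszParmValue, "%d - %d", ...)` still returns 2 for input such as `49152-65535junk`, and `%d` has no defined result for digits that overflow an int. Trailing characters can be rejected by declaring `int consumed = 0;`, scanning with `rc = sscanf(pszParmValue, "%d - %d%n", &low_port, &high_port, &consumed);` and testing `if (rc != 2 || pszParmValue[consumed] != '\0') { return false; }`, assuming the value arrives already trimmed. Parsing with strtoul(), an end pointer and an errno check would cover the overflow case as well. Since this range decides which listening ports the RPC server may open, a silently truncated or misparsed value is worth failing loudly on.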
+@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX, + #endif /* DEVELOPER */ + }; + ++#define SERVER_TCP_LOW_PORT 49152 ++#define SERVER_TCP_HIGH_PORT 65535 ++ ++#define SERVER_TCP_PORT_MIN 1024 ++#define SERVER_TCP_PORT_MAX 65535 + + + +@@ -272,7 +277,9 @@ enum inheritowner_options { + #define LOADPARM_EXTRA_GLOBALS \ + struct parmlist_entry *param_opt; \ + char *dnsdomain; \ +- char *realm_original; ++ char *realm_original; \ ++ int rpc_low_port; \ ++ int rpc_high_port; + + const char* server_role_str(uint32_t role); + int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master); +diff --git a/lib/param/param.h b/lib/param/param.h +index 66037e2ef1b..e123e67a990 100644 +--- a/lib/param/param.h ++++ b/lib/param/param.h +@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx, + time_t *usr_tkt_lifetime, + time_t *renewal_lifetime); + ++int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx); ++int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx); ++ + /* The following definitions come from lib/version.c */ + + const char *samba_version_string(void); +diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py +index 22e022583f6..65df573a350 100644 +--- a/python/samba/tests/docs.py ++++ b/python/samba/tests/docs.py +@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase): + 'lprm command', 'lpq command', 'print command', 'template homedir', + 'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build', + 'max open files', 'fss: prune stale', 'fss: sequence timeout', +- 'include system krb5 conf']) ++ 'include system krb5 conf', 'rpc server dynamic port range']) + + def setUp(self): + super(SmbDotConfTests, self).setUp() +@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase): + exceptions = ['client lanman auth', + 'client plaintext auth', + 'registry shares', +- 'smb ports']) ++ 'smb ports', ++ 'rpc server dynamic port range']) + self._test_empty(['bin/testparm']) 
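Review bot: The prototypes added to lib/param/param.h are named `lpcfg_rpc_port_low` and `lpcfg_rpc_port_high`, but the functions this patch defines in lib/param/loadparm.c are `lpcfg_rpc_low_port` and `lpcfg_rpc_high_port`, so the definitions have no matching declaration. The callers are outside this hunk, but any that use the defined names would compile against an implicit declaration, or fail where that is treated as an error. The declarations should read `int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx);` and `int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx);`.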
+
+ def test_default_s4(self):
+ self._test_default(['bin/samba-tool', 'testparm'])
+ self._set_defaults(['bin/samba-tool', 'testparm'])
+ self._set_arbitrary(['bin/samba-tool', 'testparm'],
+- exceptions = ['smb ports'])
++ exceptions = ['smb ports',
++ 'rpc server dynamic port range'])
+ self._test_empty(['bin/samba-tool', 'testparm'])
+
+ def _test_default(self, program):
+@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
+
+ for tuples in self.defaults:
+ param, default, context, param_type = tuples
++
+ if param in self.special_cases:
+ continue
+ section = None
+@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
+ for tuples in self.defaults:
+ param, default, context, param_type = tuples
+
+- if param in ['printing']:
++ if param in ['printing', 'rpc server dynamic port range']:
+ continue
+
+ section = None
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 642900ed67c..b3d3ca0e5d1 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
+ int lp_smb2_max_credits(void);
+ int lp_cups_encrypt(void);
+ bool lp_widelinks(int );
++int lp_rpc_low_port(void);
++int lp_rpc_high_port(void);
+
+ int lp_wi_scan_global_parametrics(
+ const char *regex, size_t max_matches,
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index d8da749ccba..2c8380067f6 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+
+ Globals.aio_max_threads = 100;
+
++ lpcfg_string_set(Globals.ctx,
++ &Globals.rpc_server_dynamic_port_range,
++ "49152-65535");
++ Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
++ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
++
+ /* Now put back the settings that were set with lp_set_cmdline() */
+ apply_lp_set_cmdline();
+ }
+@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void)
+ return client_ipc_signing;
+ }
+
++int lp_rpc_low_port(void)
++{
++ return Globals.rpc_low_port;
++}
++
++int lp_rpc_high_port(void)
++{
++ return Globals.rpc_high_port;
++}
++
+ struct loadparm_global * get_globals(void)
+ {
+ return &Globals;
+diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
+index 37fe68fc36d..f7fb8ef5207 100644
+--- a/source3/rpc_server/rpc_server.c
++++ b/source3/rpc_server/rpc_server.c
+@@ -34,9 +34,6 @@
+ #include "rpc_server/srv_pipe_hnd.h"
+ #include "rpc_server/srv_pipe.h"
+
+-#define SERVER_TCP_LOW_PORT 49152
+-#define SERVER_TCP_HIGH_PORT 65535
+-
+ /* Creates a pipes_struct and initializes it with the information
+ * sent from the client */
+ int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
+@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
+ if (*port == 0) {
+ uint16_t i;
+
+- for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
++ for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
+ fd = open_socket_in(SOCK_STREAM,
+ i,
+ 0,
+diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
+index 96a303fc6a9..deb96d8d69d 100644
+--- a/source4/smbd/service_stream.c
++++ b/source4/smbd/service_stream.c
+@@ -29,10 +29,6 @@
+ #include "../lib/tsocket/tsocket.h"
+ #include "lib/util/util_net.h"
+
+-/* the range of ports to try for dcerpc over tcp endpoints */
+-#define SERVER_TCP_LOW_PORT 49152
+-#define SERVER_TCP_HIGH_PORT 65535
+-
+ /* size of listen() backlog in smbd */
+ #define SERVER_LISTEN_BACKLOG 10
+
+@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
+ if (!port) {
+ status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
+ } else if (*port == 0) {
+- for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
++ for (i = lpcfg_rpc_low_port(lp_ctx);
++ i <= lpcfg_rpc_high_port(lp_ctx);
++ i++) {
+ socket_address->port = i;
+ status = socket_listen(stream_socket->sock, socket_address,
+ SERVER_LISTEN_BACKLOG, 0);
+--
+2.11.0
+
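Review bot: In create_tcpip_socket() the counter is still `uint16_t i` while the upper bound is now `lp_rpc_high_port()`, whose default set in init_globals is 65535, so `i <= lp_rpc_high_port()` can never become false. Once every port in the range has failed, `i++` wraps to 0 and the scan carries on at port 0, outside the range the administrator configured. The old constants had the same flaw, but the range is now a firewall-facing setting, so declare `int i;` and pass `(uint16_t)i` to open_socket_in(). The loop body and its exit condition continue outside the hunk; the service_stream.c loop in this patch uses the same bound, and the type of its `i` is not visible here.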
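Review bot: stream_setup_socket() calls `lpcfg_rpc_low_port(lp_ctx)` and `lpcfg_rpc_high_port(lp_ctx)`, but the prototypes this patch adds to lib/param/param.h are spelled `lpcfg_rpc_port_low` and `lpcfg_rpc_port_high`. Unless another header declares the names used here, the calls compile only through an implicit declaration, and the definitions are outside this view. The param.h lines should read `int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx);` and `int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx);` so the getters that pick the listening port range are type-checked at the call site.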
diff --git a/SOURCES/samba.log b/SOURCES/samba.log
new file mode 100644
index 0000000..6ccd04d
--- /dev/null
+++ b/SOURCES/samba.log
@@ -0,0 +1,7 @@
+/var/log/samba/* {
+ notifempty
+ olddir /var/log/samba/old
+ missingok
+ sharedscripts
+ copytruncate
+}
diff --git a/SOURCES/samba.pamd b/SOURCES/samba.pamd
new file mode 100644
index 0000000..66cd2a9
--- /dev/null
+++ b/SOURCES/samba.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth required pam_nologin.so
+auth include password-auth
+account include password-auth
+session include password-auth
+password include password-auth
diff --git a/SOURCES/smb.conf.example b/SOURCES/smb.conf.example
new file mode 100644
index 0000000..e672ce9
--- /dev/null
+++ b/SOURCES/smb.conf.example
@@ -0,0 +1,313 @@ +# This is the main Samba configuration file. For detailed information about the +# options listed here, refer to the smb.conf(5) manual page. Samba has a huge +# number of configurable options, most of which are not shown in this example. +# +# The Samba Wiki contains a lot of step-by-step guides installing, configuring, +# and using Samba: +# https://wiki.samba.org/index.php/User_Documentation +# +# In this file, lines starting with a semicolon (;) or a hash (#) are +# comments and are ignored. This file uses hashes to denote commentary and +# semicolons for parts of the file you may wish to configure. +# +# NOTE: Run the "testparm" command after modifying this file to check for basic +# syntax errors. +# +#--------------- +# Security-Enhanced Linux (SELinux) Notes: +# +# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the +# useradd and groupadd family of binaries. Run the following command as the +# root user to turn this Boolean on: +# setsebool -P samba_domain_controller on +# +# Turn the samba_enable_home_dirs Boolean on if you want to share home +# directories via Samba. Run the following command as the root user to turn this +# Boolean on: +# setsebool -P samba_enable_home_dirs on +# +# If you create a new directory, such as a new top-level directory, label it +# with samba_share_t so that SELinux allows Samba to read and write to it. Do +# not label system directories, such as /etc/ and /home/, with samba_share_t, as +# such directories should already have an SELinux label. +# +# Run the "ls -ldZ /path/to/directory" command to view the current SELinux +# label for a given directory. +# +# Set SELinux labels only on files and directories you have created. Use the +# chcon command to temporarily change a label: +# chcon -t samba_share_t /path/to/directory +# +# Changes made via chcon are lost when the file system is relabeled or commands +# such as restorecon are run. 
+# +# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system +# directories. To share such directories and only allow read-only permissions: +# setsebool -P samba_export_all_ro on +# To share such directories and allow read and write permissions: +# setsebool -P samba_export_all_rw on +# +# To run scripts (preexec/root prexec/print command/...), copy them to the +# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them. +# Note that if you move the scripts to /var/lib/samba/scripts/, they retain +# their existing SELinux labels, which may be labels that SELinux does not allow +# smbd to run. Copying the scripts will result in the correct SELinux labels. +# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to +# apply the correct SELinux labels to these files. +# +#-------------- +# +#======================= Global Settings ===================================== + +[global] + +# ----------------------- Network-Related Options ------------------------- +# +# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP. +# +# server string = the equivalent of the Windows NT Description field. +# +# netbios name = used to specify a server name that is not tied to the hostname, +# maximum is 15 characters. +# +# interfaces = used to configure Samba to listen on multiple network interfaces. +# If you have multiple interfaces, you can use the "interfaces =" option to +# configure which of those interfaces Samba listens on. Never omit the localhost +# interface (lo). +# +# hosts allow = the hosts allowed to connect. This option can also be used on a +# per-share basis. +# +# hosts deny = the hosts not allowed to connect. This option can also be used on +# a per-share basis. +# + workgroup = MYGROUP + server string = Samba Server Version %v + +; netbios name = MYSERVER + +; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 +; hosts allow = 127. 192.168.12. 192.168.13. 
+ +# --------------------------- Logging Options ----------------------------- +# +# log file = specify where log files are written to and how they are split. +# +# max log size = specify the maximum size log files are allowed to reach. Log +# files are rotated when they reach the size specified with "max log size". +# + + # log files split per-machine: + log file = /var/log/samba/log.%m + # maximum size of 50KB per log file, then rotate: + max log size = 50 + +# ----------------------- Standalone Server Options ------------------------ +# +# security = the mode Samba runs in. This can be set to user, share +# (deprecated), or server (deprecated). +# +# passdb backend = the backend used to store user information in. New +# installations should use either tdbsam or ldapsam. No additional configuration +# is required for tdbsam. The "smbpasswd" utility is available for backwards +# compatibility. +# + + security = user + passdb backend = tdbsam + + +# ----------------------- Domain Members Options ------------------------ +# +# security = must be set to domain or ads. +# +# passdb backend = the backend used to store user information in. New +# installations should use either tdbsam or ldapsam. No additional configuration +# is required for tdbsam. The "smbpasswd" utility is available for backwards +# compatibility. +# +# realm = only use the realm option when the "security = ads" option is set. +# The realm option specifies the Active Directory realm the host is a part of. +# +# password server = only use this option when the "security = server" +# option is set, or if you cannot use DNS to locate a Domain Controller. The +# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]: +# +# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] +# +# Use "password server = *" to automatically locate Domain Controllers. 
+ +; security = domain +; passdb backend = tdbsam +; realm = MY_REALM + +; password server = + +# ----------------------- Domain Controller Options ------------------------ +# +# security = must be set to user for domain controllers. +# +# passdb backend = the backend used to store user information in. New +# installations should use either tdbsam or ldapsam. No additional configuration +# is required for tdbsam. The "smbpasswd" utility is available for backwards +# compatibility. +# +# domain master = specifies Samba to be the Domain Master Browser, allowing +# Samba to collate browse lists between subnets. Do not use the "domain master" +# option if you already have a Windows NT domain controller performing this task. +# +# domain logons = allows Samba to provide a network logon service for Windows +# workstations. +# +# logon script = specifies a script to run at login time on the client. These +# scripts must be provided in a share named NETLOGON. +# +# logon path = specifies (with a UNC path) where user profiles are stored. 
+# +# +; security = user +; passdb backend = tdbsam + +; domain master = yes +; domain logons = yes + + # the following login script name is determined by the machine name + # (%m): +; logon script = %m.bat + # the following login script name is determined by the UNIX user used: +; logon script = %u.bat +; logon path = \\%L\Profiles\%u + # use an empty path to disable profile support: +; logon path = + + # various scripts can be used on a domain controller or a stand-alone + # machine to add or delete corresponding UNIX accounts: + +; add user script = /usr/sbin/useradd "%u" -n -g users +; add group script = /usr/sbin/groupadd "%g" +; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" +; delete user script = /usr/sbin/userdel "%u" +; delete user from group script = /usr/sbin/userdel "%u" "%g" +; delete group script = /usr/sbin/groupdel "%g" + + +# ----------------------- Browser Control Options ---------------------------- +# +# local master = when set to no, Samba does not become the master browser on +# your network. When set to yes, normal election rules apply. +# +# os level = determines the precedence the server has in master browser +# elections. The default value should be reasonable. +# +# preferred master = when set to yes, Samba forces a local browser election at +# start up (and gives itself a slightly higher chance of winning the election). +# +; local master = no +; os level = 33 +; preferred master = yes + +#----------------------------- Name Resolution ------------------------------- +# +# This section details the support for the Windows Internet Name Service (WINS). +# +# Note: Samba can be either a WINS server or a WINS client, but not both. +# +# wins support = when set to yes, the NMBD component of Samba enables its WINS +# server. +# +# wins server = tells the NMBD component of Samba to be a WINS client. 
+# +# wins proxy = when set to yes, Samba answers name resolution queries on behalf +# of a non WINS capable client. For this to work, there must be at least one +# WINS server on the network. The default is no. +# +# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS +# nslookups. + +; wins support = yes +; wins server = w.x.y.z +; wins proxy = yes + +; dns proxy = yes + +# --------------------------- Printing Options ----------------------------- +# +# The options in this section allow you to configure a non-default printing +# system. +# +# load printers = when set you yes, the list of printers is automatically +# loaded, rather than setting them up individually. +# +# cups options = allows you to pass options to the CUPS library. Setting this +# option to raw, for example, allows you to use drivers on your Windows clients. +# +# printcap name = used to specify an alternative printcap file. +# + + load printers = yes + cups options = raw + +; printcap name = /etc/printcap + # obtain a list of printers automatically on UNIX System V systems: +; printcap name = lpstat +; printing = cups + +# --------------------------- File System Options --------------------------- +# +# The options in this section can be un-commented if the file system supports +# extended attributes, and those attributes are enabled (usually via the +# "user_xattr" mount option). These options allow the administrator to specify +# that DOS attributes are stored in extended attributes and also make sure that +# Samba does not change the permission bits. +# +# Note: These options can be used on a per-share basis. Setting them globally +# (in the [global] section) makes them the default for all shares. 
+ +; map archive = no +; map hidden = no +; map read only = no +; map system = no +; store dos attributes = yes + + +#============================ Share Definitions ============================== + +[homes] + comment = Home Directories + browseable = no + writable = yes +; valid users = %S +; valid users = MYDOMAIN\%S + +[printers] + comment = All Printers + path = /var/spool/samba + browseable = no + guest ok = no + writable = no + printable = yes + +# Un-comment the following and create the netlogon directory for Domain Logons: +; [netlogon] +; comment = Network Logon Service +; path = /var/lib/samba/netlogon +; guest ok = yes +; writable = no +; share modes = no + +# Un-comment the following to provide a specific roaming profile share. +# The default is to use the user's home directory: +; [Profiles] +; path = /var/lib/samba/profiles +; browseable = no +; guest ok = yes + +# A publicly accessible directory that is read only, except for users in the +# "staff" group (which have write permissions): +; [public] +; comment = Public Stuff +; path = /home/samba +; public = yes +; writable = no +; printable = no +; write list = +staff diff --git a/SOURCES/smb.conf.vendor b/SOURCES/smb.conf.vendor new file mode 100644 index 0000000..86c0aac --- /dev/null +++ b/SOURCES/smb.conf.vendor 
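Review bot: The commented-out `[Profiles]` share near the end of smb.conf.example carries `guest ok = yes`, so an administrator who un-comments it as written publishes roaming profiles on a share that accepts guest connections wherever guest mapping is enabled. `; guest ok = no` is the safer template, since roaming profiles need an authenticated user anyway. Separately, in the domain controller block, `delete user from group script = /usr/sbin/userdel "%u" "%g"` hands a user name and a group name to userdel, which removes accounts rather than group memberships. Something like `; delete user from group script = /usr/bin/gpasswd -d "%u" "%g"` matches what the option is for (binary path to be confirmed for the target distribution).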
@@ -0,0 +1,36 @@
+# See smb.conf.example for a more detailed config file or
+# read the smb.conf manpage.
+# Run 'testparm' to verify the config is correct after
+# you modified it.
+
+[global]
+ workgroup = SAMBA
+ security = user
+
+ passdb backend = tdbsam
+
+ printing = cups
+ printcap name = cups
+ load printers = yes
+ cups options = raw
+
+[homes]
+ comment = Home Directories
+ valid users = %S, %D%w%S
+ browseable = No
+ read only = No
+ inherit acls = Yes
+
+[printers]
+ comment = All Printers
+ path = /var/tmp
+ printable = Yes
+ create mask = 0600
+ browseable = No
+
+[print$]
+ comment = Printer Drivers
+ path = /var/lib/samba/drivers
+ write list = root
+ create mask = 0664
+ directory mask = 0775
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
new file mode 100644
index 0000000..538d62f
--- /dev/null
+++ b/SPECS/samba.spec
@@ -0,0 +1,4747 @@ +# rpmbuild --rebuild --with testsuite --without clustering samba.src.rpm +# +# The testsuite is disabled by default. Set --with testsuite or bcond_without +# to run the Samba torture testsuite. +%bcond_with testsuite +# ctdb is enabled by default, you can disable it with: --without clustering +%bcond_without clustering + +%define main_release 12 + +%define samba_version 4.6.2 +%define talloc_version 2.1.9 +%define tdb_version 1.3.12 +%define tevent_version 0.9.31 +%define ldb_version 1.1.29 +# This should be rc1 or nil +%define pre_release %nil + +%if "x%{?pre_release}" != "x" +%define samba_release 0.%{main_release}.%{pre_release}%{?dist} +%else +%define samba_release %{main_release}%{?dist} +%endif + +# This is a network daemon, do a hardened build +# Enables PIE and full RELRO protection +%global _hardened_build 1 + +%global with_libsmbclient 1 +%global with_libwbclient 1 + +%global with_internal_talloc 0 +%global with_internal_tevent 0 +%global with_internal_tdb 0 +%global with_internal_ldb 0 + +%global with_profiling 1 + +%global with_vfs_cephfs 1 +%if 0%{?rhel} +%global with_vfs_cephfs 0 +%endif + +%global with_vfs_glusterfs 1 +%if 0%{?rhel} +%global with_vfs_glusterfs 0 +# Only enable on x86_64 +%ifarch x86_64 +%global with_vfs_glusterfs 1 +%endif +%endif + +%global libwbc_alternatives_version 0.13 +%global libwbc_alternatives_suffix %nil +%if 0%{?__isa_bits} == 64 +%global libwbc_alternatives_suffix -64 +%endif + +%global with_mitkrb5 1 +%global with_dc 0 + +%if %{with testsuite} +# The testsuite only works with a full build right now. 
+%global with_mitkrb5 0 +%global with_dc 1 +%endif + +%global required_mit_krb5 1.15.1 + +%global with_clustering_support 0 + +%if %{with clustering} +%global with_clustering_support 1 +%endif + +%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} + +Name: samba +Version: %{samba_version} +Release: %{samba_release} + +%if 0%{?rhel} +Epoch: 0 +%else +Epoch: 2 +%endif + +%if 0%{?epoch} > 0 +%define samba_depver %{epoch}:%{version}-%{release} +%else +%define samba_depver %{version}-%{release} +%endif + +Summary: Server and Client software to interoperate with Windows machines +License: GPLv3+ and LGPLv3+ +URL: http://www.samba.org/ + +Source0: samba-%{version}%{pre_release}.tar.xz +Source1: samba-%{version}%{pre_release}.tar.asc +Source2: gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg + +# Red Hat specific replacement-files +Source10: samba.log +Source11: smb.conf.vendor +Source12: smb.conf.example +Source13: pam_winbind.conf +Source14: samba.pamd + +Source200: README.dc +Source201: README.downgrade + +Patch0: samba-v4.6-gss_krb5_import_cred.patch +Patch1: samba-v4.6-credentials-fix-realm.patch +Patch2: samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch +Patch3: samba-v4-6-fix-building-with-new-glibc.patch +Patch4: samba-v4-6-fix-cross-realm-refferals.patch +Patch5: samba-v4-6-fix-kerberos-debug-message.patch +Patch6: samba-v4-6-fix-net-ads-keytab-handling.patch +Patch7: samba-v4-6-fix_winbind_child_crash.patch +Patch8: samba-v4-6-fix_path_substitutions.patch +Patch9: samba-v4-6-fix-spoolss-32bit-driver-upload.patch +Patch10: CVE-2017-7494.patch +Patch11: samba-v4-6-fix-vfs-expand-msdfs.patch +Patch12: samba-v4.7-config-dynamic-rpc-port-range.patch +Patch13: samba-v4-6-fix_smbclient_session_setup_info.patch +Patch14: samba-v4-6-fix_smbclient_username_parsing.patch +Patch15: samba-v4-6-fix_winbind_normalize_names.patch +Patch16: 
samba-v4-6-fix_net_ads_changetrustpw.patch +Patch17: samba-v4.6-fix_smbpasswd_user_pwd_change.patch +Patch18: samba-v4.6-graceful_fsctl_validate_negotiate_info.patch +Patch19: CVE-2017-12150.patch +Patch20: CVE-2017-12151.patch +Patch21: CVE-2017-12163.patch +Patch22: CVE-2017-14746.patch +Patch23: CVE-2017-15275.patch + +Requires(pre): /usr/sbin/groupadd +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} +Requires: %{name}-common-tools = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-libs = %{samba_depver} +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif + +Requires: pam + +Provides: samba4 = %{samba_depver} +Obsoletes: samba4 < %{samba_depver} + +# We don't build it outdated docs anymore +Provides: samba-doc = %{samba_depver} +Obsoletes: samba-doc < %{samba_depver} + +# Is not supported yet +Provides: samba-domainjoin-gui = %{samba_depver} +Obsoletes: samba-domainjoin-gui < %{samba_depver} + +# SWAT been deprecated and removed from samba +Provides: samba-swat = %{samba_depver} +Obsoletes: samba-swat < %{samba_depver} + +Provides: samba4-swat = %{samba_depver} +Obsoletes: samba4-swat < %{samba_depver} + +BuildRequires: cups-devel +BuildRequires: dbus-devel +BuildRequires: docbook-style-xsl +BuildRequires: e2fsprogs-devel +BuildRequires: gawk +BuildRequires: gnupg2 +BuildRequires: krb5-devel >= %{required_mit_krb5} +BuildRequires: libacl-devel +BuildRequires: libaio-devel +BuildRequires: libarchive-devel +BuildRequires: libattr-devel +BuildRequires: libcap-devel +BuildRequires: libuuid-devel +BuildRequires: libxslt +BuildRequires: ncurses-devel +BuildRequires: openldap-devel +BuildRequires: pam-devel +#BuildRequires: perl-generators +BuildRequires: perl(Test::More) +BuildRequires: perl(ExtUtils::MakeMaker) +BuildRequires: 
perl(Parse::Yapp) +BuildRequires: popt-devel +BuildRequires: python-devel +#BuildRequires: python2-pygpgme +#BuildRequires: python2-subunit +BuildRequires: python-tevent +BuildRequires: quota-devel +BuildRequires: readline-devel +BuildRequires: sed +BuildRequires: xfsprogs-devel +BuildRequires: xz +BuildRequires: zlib-devel >= 1.2.3 + +BuildRequires: pkgconfig(libsystemd) + +%if %{with_vfs_glusterfs} +BuildRequires: glusterfs-api-devel >= 3.4.0.16 +BuildRequires: glusterfs-devel >= 3.4.0.16 +%endif +%if %{with_vfs_cephfs} +BuildRequires: libcephfs1-devel +%endif +%if %{with_dc} +BuildRequires: gnutls-devel >= 3.4.7 +# Required by samba-tool to run tests +BuildRequires: python-crypto +%endif + +# pidl requirements +BuildRequires: perl(Parse::Yapp) + +%if ! %with_internal_talloc +%global libtalloc_version 2.1.9 + +BuildRequires: libtalloc-devel >= %{libtalloc_version} +BuildRequires: pytalloc-devel >= %{libtalloc_version} +%endif + +%if ! %with_internal_tevent +%global libtevent_version 0.9.31 + +BuildRequires: libtevent-devel >= %{libtevent_version} +BuildRequires: python-tevent >= %{libtevent_version} +%endif + +%if ! %with_internal_ldb +%global libldb_version 1.1.29 + +BuildRequires: libldb-devel >= %{libldb_version} +BuildRequires: pyldb-devel >= %{libldb_version} +%endif + +%if ! %with_internal_tdb +%global libtdb_version 1.3.12 + +BuildRequires: libtdb-devel >= %{libtdb_version} +BuildRequires: python-tdb >= %{libtdb_version} +%endif + +%if %{with testsuite} +BuildRequires: ldb-tools +BuildRequires: libcmocka-devel +BuildRequires: python2-pygpgme +%endif + +# filter out perl requirements pulled in from examples in the docdir. +%{?filter_setup: +%filter_provides_in %{_docdir} +%filter_requires_in %{_docdir} +%filter_setup +} + +### SAMBA +%description +Samba is the standard Windows interoperability suite of programs for Linux and +Unix. 
+ +### CLIENT +%package client +Summary: Samba client programs +Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} +%if %with_libsmbclient +Requires: libsmbclient = %{samba_depver} +%endif + +Provides: samba4-client = %{samba_depver} +Obsoletes: samba4-client < %{samba_depver} + +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives + +%description client +The %{name}-client package provides some SMB/CIFS clients to complement +the built-in SMB/CIFS filesystem in Linux. These clients allow access +of SMB/CIFS shares and printing to SMB/CIFS printers. + +### CLIENT-LIBS +%package client-libs +Summary: Samba client libraries +Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif +Requires: krb5-libs >= %{required_mit_krb5} + +%description client-libs +The samba-client-libs package contains internal libraries needed by the +SMB/CIFS clients. + +### COMMON +%package common +Summary: Files used by both Samba servers and clients +BuildArch: noarch + +Requires(post): systemd + +Provides: samba4-common = %{samba_depver} +Obsoletes: samba4-common < %{samba_depver} + +%description common +samba-common provides files necessary for both the server and client +packages of Samba. + +### COMMON-LIBS +%package common-libs +Summary: Libraries used by both Samba servers and clients +Requires(pre): samba-common = %{samba_depver} +Requires: samba-common = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif + +%description common-libs +The samba-common-libs package contains internal libraries needed by the +SMB/CIFS clients. 
+ +### COMMON-TOOLS +%package common-tools +Summary: Tools for Samba servers and clients +Requires: samba-common-libs = %{samba_depver} +Requires: samba-client-libs = %{samba_depver} +Requires: samba-libs = %{samba_depver} +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif + +%description common-tools +The samba-common-tools package contains tools for Samba servers and +SMB/CIFS clients. + +### DC +%package dc +Summary: Samba AD Domain Controller +Requires: %{name} = %{samba_depver} +Requires: %{name}-libs = %{samba_depver} +Requires: %{name}-dc-libs = %{samba_depver} +Requires: %{name}-python = %{samba_depver} +Requires: %{name}-winbind = %{samba_depver} +%if %{with_dc} +# samba-tool requirements +Requires: python-crypto +%endif + +Provides: samba4-dc = %{samba_depver} +Obsoletes: samba4-dc < %{samba_depver} + +%description dc +The samba-dc package provides AD Domain Controller functionality + +### DC-LIBS +%package dc-libs +Summary: Samba AD Domain Controller Libraries +Requires: %{name}-common-libs = %{samba_depver} +Requires: %{name}-libs = %{samba_depver} + +Provides: samba4-dc-libs = %{samba_depver} +Obsoletes: samba4-dc-libs < %{samba_depver} + +%description dc-libs +The %{name}-dc-libs package contains the libraries needed by the DC to +link against the SMB, RPC and other protocols. + +### DEVEL +%package devel +Summary: Developer tools for Samba libraries +Requires: %{name}-libs = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} + +Provides: samba4-devel = %{samba_depver} +Obsoletes: samba4-devel < %{samba_depver} + +%description devel +The %{name}-devel package contains the header files for the libraries +needed to develop programs that link against the SMB, RPC and other +libraries in the Samba suite. 
+ +### CEPH +%if %{with_vfs_cephfs} +%package vfs-cephfs +Summary: Samba VFS module for Ceph distributed storage system +Requires: libcephfs1 +Requires: %{name} = %{samba_depver} +Requires: %{name}-libs = %{samba_depver} + +%description vfs-cephfs +Samba VFS module for Ceph distributed storage system integration. +%endif + +### GLUSTER +%if %{with_vfs_glusterfs} +%package vfs-glusterfs +Summary: Samba VFS module for GlusterFS +Requires: glusterfs-api >= 3.4.0.16 +Requires: glusterfs >= 3.4.0.16 +Requires: %{name} = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-libs = %{samba_depver} + +Obsoletes: samba-glusterfs < %{samba_depver} +Provides: samba-glusterfs = %{samba_depver} + +%description vfs-glusterfs +Samba VFS module for GlusterFS integration. +%endif + +### KRB5-PRINTING +%package krb5-printing +Summary: Samba CUPS backend for printing with Kerberos +Requires(pre): %{name}-client +Requires: %{name}-client + +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives + +%description krb5-printing +If you need Kerberos for print jobs to a printer connection to cups via the SMB +backend, then you need to install that package. It will allow cups to access +the Kerberos credentials cache of the user issuing the print job. + +### LIBS +%package libs +Summary: Samba libraries +Requires: %{name}-client-libs = %{samba_depver} +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif + +Provides: samba4-libs = %{samba_depver} +Obsoletes: samba4-libs < %{samba_depver} + +%description libs +The %{name}-libs package contains the libraries needed by programs that link +against the SMB, RPC and other protocols provided by the Samba suite. 
+ +### LIBSMBCLIENT +%if %with_libsmbclient +%package -n libsmbclient +Summary: The SMB client library +Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} + +%description -n libsmbclient +The libsmbclient contains the SMB client library from the Samba suite. + +%package -n libsmbclient-devel +Summary: Developer tools for the SMB client library +Requires: libsmbclient = %{samba_depver} + +%description -n libsmbclient-devel +The libsmbclient-devel package contains the header files and libraries needed +to develop programs that link against the SMB client library in the Samba +suite. +%endif # with_libsmbclient + +### LIBWBCLIENT +%if %with_libwbclient +%package -n libwbclient +Summary: The winbind client library +Requires: %{name}-client-libs = %{samba_depver} + +%description -n libwbclient +The libwbclient package contains the winbind client library from the Samba +suite. + +%package -n libwbclient-devel +Summary: Developer tools for the winbind library +Requires: libwbclient = %{samba_depver} + +Provides: samba-winbind-devel = %{samba_depver} +Obsoletes: samba-winbind-devel < %{samba_depver} + +%description -n libwbclient-devel +The libwbclient-devel package provides developer tools for the wbclient +library. +%endif # with_libwbclient + +### PYTHON +%package python +Summary: Samba Python libraries +Requires: %{name} = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-libs = %{samba_depver} +Requires: python-tevent +Requires: python-tdb +Requires: pyldb +Requires: pytalloc + +Provides: samba4-python = %{samba_depver} +Obsoletes: samba4-python < %{samba_depver} + +%description python +The %{name}-python package contains the Python libraries needed by programs +that use SMB, RPC and other Samba provided protocols in Python programs. 
+
+### PIDL
+%package pidl
+Summary: Perl IDL compiler
+Requires: perl(Parse::Yapp)
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+BuildArch: noarch
+
+Provides: samba4-pidl = %{samba_depver}
+Obsoletes: samba4-pidl < %{samba_depver}
+
+%description pidl
+The %{name}-pidl package contains the Perl IDL compiler used by Samba
+and Wireshark to parse IDL and similar protocols
+
+### TEST
+%package test
+Summary: Testing tools for Samba servers and clients
+Requires: %{name} = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-winbind = %{samba_depver}
+
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-test-libs = %{samba_depver}
+%if %with_dc
+Requires: %{name}-dc-libs = %{samba_depver}
+%endif
+Requires: %{name}-libs = %{samba_depver}
+%if %with_libsmbclient
+Requires: libsmbclient = %{samba_depver}
+%endif
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+
+Provides: samba4-test = %{samba_depver}
+Obsoletes: samba4-test < %{samba_depver}
+
+%description test
+%{name}-test provides testing tools for both the server and client
+packages of Samba.
+
+### TEST-LIBS
+%package test-libs
+Summary: Libraries need by the testing tools for Samba servers and clients
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+
+Provides: %{name}-test-devel = %{samba_depver}
+Obsoletes: %{name}-test-devel < %{samba_depver}
+
+%description test-libs
+%{name}-test-libs provides libraries required by the testing tools.
+
+### WINBIND
+%package winbind
+Summary: Samba winbind
+Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
+Requires: %{name}-common-tools = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-winbind-modules = %{samba_depver}
+
+Provides: samba4-winbind = %{samba_depver}
+Obsoletes: samba4-winbind < %{samba_depver}
+
+%description winbind
+The samba-winbind package provides the winbind NSS library, and some client
+tools. Winbind enables Linux to be a full member in Windows domains and to use
+Windows user and group accounts on Linux.
+
+### WINBIND-CLIENTS
+%package winbind-clients
+Summary: Samba winbind clients
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-winbind = %{samba_depver}
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+
+Provides: samba4-winbind-clients = %{samba_depver}
+Obsoletes: samba4-winbind-clients < %{samba_depver}
+
+%description winbind-clients
+The samba-winbind-clients package provides the wbinfo and ntlm_auth
+tool.
+
+### WINBIND-KRB5-LOCATOR
+%package winbind-krb5-locator
+Summary: Samba winbind krb5 locator
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+Requires: %{name}-winbind = %{samba_depver}
+%else
+Requires: %{name}-libs = %{samba_depver}
+%endif
+
+Provides: samba4-winbind-krb5-locator = %{samba_depver}
+Obsoletes: samba4-winbind-krb5-locator < %{samba_depver}
+
+# Handle winbind_krb5_locator.so as alternatives to allow
+# IPA AD trusts case where it should not be used by libkrb5
+# The plugin will be diverted to /dev/null by the FreeIPA
+# freeipa-server-trust-ad subpackage due to higher priority
+# and restored to the proper one on uninstall
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
+
+%description winbind-krb5-locator
+The winbind krb5 locator is a plugin for the system kerberos library to allow
+the local kerberos library to use the same KDC as samba and winbind use
+
+### WINBIND-MODULES
+%package winbind-modules
+Summary: Samba winbind modules
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+Requires: pam
+
+%description winbind-modules
+The samba-winbind-modules package provides the NSS library and a PAM module
+necessary to communicate to the Winbind Daemon
+
+### CTDB
+%if %with_clustering_support
+%package -n ctdb
+Summary: A Clustered Database based on Samba's Trivial Database (TDB)
+
+Requires: %{name}-client-libs = %{samba_depver}
+
+Requires: coreutils
+Requires: fileutils
+# for ps and killall
+Requires: psmisc
+Requires: sed
+Requires: tdb-tools
+Requires: gawk
+# for pkill and pidof:
+Requires: procps-ng
+# for netstat:
+Requires: net-tools
+Requires: ethtool
+# for ip:
+Requires: iproute
+Requires: iptables
+# for flock, getopt, kill:
+Requires: util-linux
+
+Requires(post): systemd-units
+Requires(preun): 
systemd-units
+Requires(postun): systemd-units
+
+%description -n ctdb
+CTDB is a cluster implementation of the TDB database used by Samba and other
+projects to store temporary data. If an application is already using TDB for
+temporary data it is very easy to convert that application to be cluster aware
+and use CTDB instead.
+
+### CTDB-TEST
+%package -n ctdb-tests
+Summary: CTDB clustered database test suite
+
+Requires: samba-client-libs = %{samba_depver}
+
+Requires: ctdb = %{samba_depver}
+Requires: nc
+
+Provides: ctdb-devel = %{samba_depver}
+Obsoletes: ctdb-devel < %{samba_depver}
+
+%description -n ctdb-tests
+Test suite for CTDB.
+CTDB is a cluster implementation of the TDB database used by Samba and other
+projects to store temporary data. If an application is already using TDB for
+temporary data it is very easy to convert that application to be cluster aware
+and use CTDB instead.
+%endif # with_clustering_support
+
+
+
+%prep
+xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
+%autosetup -n samba-%{version}%{pre_release} -p1
+
+%build
+%global _talloc_lib ,talloc,pytalloc,pytalloc-util
+%global _tevent_lib ,tevent,pytevent
+%global _tdb_lib ,tdb,pytdb
+%global _ldb_lib ,ldb,pyldb,pyldb-util
+
+%if ! %{with_internal_talloc}
+%global _talloc_lib ,!talloc,!pytalloc,!pytalloc-util
+%endif
+
+%if ! %{with_internal_tevent}
+%global _tevent_lib ,!tevent,!pytevent
+%endif
+
+%if ! %{with_internal_tdb}
+%global _tdb_lib ,!tdb,!pytdb
+%endif
+
+%if ! 
%{with_internal_ldb}
+%global _ldb_lib ,!ldb,!pyldb,!pyldb-util
+%endif
+
+%global _samba4_libraries heimdal,!zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib}
+
+%global _samba4_idmap_modules idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2
+%global _samba4_pdb_modules pdb_tdbsam,pdb_ldap,pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4
+%global _samba4_auth_modules auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4
+
+%global _samba4_modules %{_samba4_idmap_modules},%{_samba4_pdb_modules},%{_samba4_auth_modules}
+
+%global _libsmbclient %nil
+%global _libwbclient %nil
+
+%if ! %with_libsmbclient
+%global _libsmbclient smbclient,
+%endif
+
+%if ! %with_libwbclient
+%global _libwbclient wbclient,
+%endif
+
+%global _samba4_private_libraries %{_libsmbclient}%{_libwbclient}
+
+%configure \
+ --enable-fhs \
+ --with-piddir=/run \
+ --with-sockets-dir=/run/samba \
+ --with-modulesdir=%{_libdir}/samba \
+ --with-pammodulesdir=%{_libdir}/security \
+ --with-lockdir=/var/lib/samba/lock \
+ --with-statedir=/var/lib/samba \
+ --with-cachedir=/var/lib/samba \
+ --disable-rpath-install \
+ --with-shared-modules=%{_samba4_modules} \
+ --bundled-libraries=%{_samba4_libraries} \
+ --with-pam \
+ --with-pie \
+ --with-relro \
+ --without-fam \
+%if (! %with_libsmbclient) || (! %with_libwbclient)
+ --private-libraries=%{_samba4_private_libraries} \
+%endif
+%if %with_mitkrb5
+ --with-system-mitkrb5 \
+%endif
+%if ! %with_dc
+ --without-ad-dc \
+%endif
+%if ! 
%with_vfs_glusterfs
+ --disable-glusterfs \
+%endif
+%if %with_clustering_support
+ --with-cluster-support \
+%endif
+%if %with_profiling
+ --with-profiling-data \
+%endif
+%if %{with testsuite}
+ --enable-selftest \
+%endif
+ --with-systemd
+
+make %{?_smp_mflags}
+
+%install
+rm -rf %{buildroot}
+make %{?_smp_mflags} install DESTDIR=%{buildroot}
+
+install -d -m 0755 %{buildroot}/usr/{sbin,bin}
+install -d -m 0755 %{buildroot}%{_libdir}/security
+install -d -m 0755 %{buildroot}/var/lib/samba
+install -d -m 0755 %{buildroot}/var/lib/samba/drivers
+install -d -m 0755 %{buildroot}/var/lib/samba/lock
+install -d -m 0755 %{buildroot}/var/lib/samba/private
+install -d -m 0755 %{buildroot}/var/lib/samba/scripts
+install -d -m 0755 %{buildroot}/var/lib/samba/sysvol
+install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged
+install -d -m 0755 %{buildroot}/var/log/samba/old
+install -d -m 0755 %{buildroot}/var/spool/samba
+install -d -m 0755 %{buildroot}/var/run/samba
+install -d -m 0755 %{buildroot}/var/run/winbindd
+install -d -m 0755 %{buildroot}/%{_libdir}/samba
+install -d -m 0755 %{buildroot}/%{_libdir}/samba/ldb
+install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig
+
+# Move libwbclient.so* into private directory, it cannot be just libdir/samba
+# because samba uses rpath with this directory.
+install -d -m 0755 %{buildroot}/%{_libdir}/samba/wbclient
+mv %{buildroot}/%{_libdir}/libwbclient.so* %{buildroot}/%{_libdir}/samba/wbclient
+if [ ! -f %{buildroot}/%{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} ]
+then
+ echo "Expected libwbclient version not found, please check if version has changed."
+ exit -1
+fi
+
+
+touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb
+
+# Install other stuff
+install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/logrotate.d/samba
+
+install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/samba/smb.conf
+install -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/samba/smb.conf.example
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/security
+install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/pam.d
+install -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/samba
+
+echo 127.0.0.1 localhost > %{buildroot}%{_sysconfdir}/samba/lmhosts
+
+# openLDAP database schema
+install -d -m 0755 %{buildroot}%{_sysconfdir}/openldap/schema
+install -m644 examples/LDAP/samba.schema %{buildroot}%{_sysconfdir}/openldap/schema/samba.schema
+
+install -m 0744 packaging/printing/smbprint %{buildroot}%{_bindir}/smbprint
+
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m644 packaging/systemd/samba.conf.tmp %{buildroot}%{_tmpfilesdir}/samba.conf
+# create /run/samba too.
+echo "d /run/samba 755 root root" >> %{buildroot}%{_tmpfilesdir}/samba.conf +%if %with_clustering_support +echo "d /run/ctdb 755 root root" >> %{buildroot}%{_tmpfilesdir}/ctdb.conf +%endif + +install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig +install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba +%if %with_clustering_support +cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb <tmp$i.service + install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service +done +%if %with_clustering_support +install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir} +%endif + +# NetworkManager online/offline script +install -d -m 0755 %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/ +install -m 0755 packaging/NetworkManager/30-winbind-systemd \ + %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind + +# winbind krb5 locator +install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5 +touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so + +%if ! %with_dc +for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \ + %{_libdir}/samba/libdnsserver-common-samba4.so \ + %{_mandir}/man8/samba.8 \ + %{_mandir}/man8/samba-tool.8 \ + %{_libdir}/samba/ldb/ildap.so \ + %{_libdir}/samba/ldb/ldbsamba_extensions.so ; do + rm -f %{buildroot}$i +done +%endif + +# This makes the right links, as rpmlint requires that +# the ldconfig-created links be recorded in the RPM. 
+/sbin/ldconfig -N -n %{buildroot}%{_libdir}
+
+%if %{with testsuite}
+%check
+TDB_NO_FSYNC=1 make %{?_smp_mflags} test
+%endif
+
+%post
+%systemd_post smb.service
+%systemd_post nmb.service
+
+%preun
+%systemd_preun smb.service
+%systemd_preun nmb.service
+
+%postun
+%systemd_postun_with_restart smb.service
+%systemd_postun_with_restart nmb.service
+
+%post common
+/sbin/ldconfig
+/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/samba.conf
+if [ -d /var/cache/samba ]; then
+ mv /var/cache/samba/netsamlogon_cache.tdb /var/lib/samba/ 2>/dev/null
+ mv /var/cache/samba/winbindd_cache.tdb /var/lib/samba/ 2>/dev/null
+ rm -rf /var/cache/samba/
+ ln -sf /var/cache/samba /var/lib/samba/
+fi
+
+%post client
+%{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \
+ cups_backend_smb \
+ %{_bindir}/smbspool 10
+
+%postun client
+if [ $1 -eq 0 ] ; then
+ %{_sbindir}/update-alternatives --remove cups_backend_smb %{_bindir}/smbspool
+fi
+
+%post client-libs -p /sbin/ldconfig
+
+%postun client-libs -p /sbin/ldconfig
+
+%post common-libs -p /sbin/ldconfig
+
+%postun common-libs -p /sbin/ldconfig
+
+%if %with_dc
+%post dc-libs -p /sbin/ldconfig
+
+%postun dc-libs -p /sbin/ldconfig
+%endif
+
+%post krb5-printing
+%{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \
+ cups_backend_smb \
+ %{_libexecdir}/samba/smbspool_krb5_wrapper 50
+
+%postun krb5-printing
+if [ $1 -eq 0 ] ; then
+ %{_sbindir}/update-alternatives --remove cups_backend_smb %{_libexecdir}/samba/smbspool_krb5_wrapper
+fi
+
+%post libs -p /sbin/ldconfig
+
+%postun libs -p /sbin/ldconfig
+
+%if %with_libsmbclient
+%post -n libsmbclient -p /sbin/ldconfig
+
+%postun -n libsmbclient -p /sbin/ldconfig
+%endif
+
+%if %with_libwbclient
+%posttrans -n libwbclient
+# It has to be posttrans here to make sure all files of a previous version
+# without alternatives support are removed
+%{_sbindir}/update-alternatives --install 
%{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
+ libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} 10
+/sbin/ldconfig
+
+%preun -n libwbclient
+%{_sbindir}/update-alternatives --remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version}
+/sbin/ldconfig
+
+%posttrans -n libwbclient-devel
+%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \
+ libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so 10
+
+%preun -n libwbclient-devel
+# alternatives checks if the file which should be removed is a link or not, but
+# not if it points to the /etc/alternatives directory or to some other place.
+# When downgrading to a version where alternatives is not used and
+# libwbclient.so is a link and not a file it will be removed. The following
+# check removes the alternatives files manually if that is the case.
+if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
+ /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
+else
+ %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so
+fi
+
+%endif # with_libwbclient
+
+%post test -p /sbin/ldconfig
+
+%postun test -p /sbin/ldconfig
+
+%pre winbind
+/usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || :
+
+%post winbind
+%systemd_post winbind.service
+
+%preun winbind
+%systemd_preun winbind.service
+
+%postun winbind
+%systemd_postun_with_restart smb.service
+%systemd_postun_with_restart nmb.service
+
+%postun winbind-krb5-locator
+if [ "$1" -ge "1" ]; then
+ if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "%{_libdir}/winbind_krb5_locator.so" ]; then
+ %{_sbindir}/update-alternatives --set winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so
+ fi
+fi
+
+%post winbind-krb5-locator
+%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+ winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so 10
+
+%preun winbind-krb5-locator
+if [ $1 -eq 0 ]; then
+ %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so
+fi
+
+%post winbind-modules -p /sbin/ldconfig
+
+%postun winbind-modules -p /sbin/ldconfig
+
+%if %with_clustering_support
+%post -n ctdb
+/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/ctdb.conf
+%systemd_post ctdb.service
+
+%preun -n ctdb
+%systemd_preun ctdb.service
+
+%postun -n ctdb
+%systemd_postun_with_restart ctdb.service
+%endif
+
+
+%clean
+rm -rf %{buildroot}
+
+### SAMBA
+%files
+%defattr(-,root,root,-)
+%license COPYING
+%doc README WHATSNEW.txt
+%doc examples/autofs examples/LDAP examples/misc
+%doc examples/printer-accounting examples/printing
+%doc 
packaging/README.downgrade
+%{_bindir}/smbstatus
+%{_bindir}/eventlogadm
+%{_sbindir}/nmbd
+%{_sbindir}/smbd
+%dir %{_libdir}/samba/auth
+%{_libdir}/samba/auth/script.so
+%{_libdir}/samba/auth/unix.so
+%{_libdir}/samba/auth/wbc.so
+%dir %{_libdir}/samba/vfs
+%{_libdir}/samba/vfs/acl_tdb.so
+%{_libdir}/samba/vfs/acl_xattr.so
+%{_libdir}/samba/vfs/aio_fork.so
+%{_libdir}/samba/vfs/aio_linux.so
+%{_libdir}/samba/vfs/aio_pthread.so
+%{_libdir}/samba/vfs/audit.so
+%{_libdir}/samba/vfs/btrfs.so
+%{_libdir}/samba/vfs/cap.so
+%{_libdir}/samba/vfs/catia.so
+%{_libdir}/samba/vfs/commit.so
+%{_libdir}/samba/vfs/crossrename.so
+%{_libdir}/samba/vfs/default_quota.so
+%{_libdir}/samba/vfs/dirsort.so
+%{_libdir}/samba/vfs/expand_msdfs.so
+%{_libdir}/samba/vfs/extd_audit.so
+%{_libdir}/samba/vfs/fake_perms.so
+%{_libdir}/samba/vfs/fileid.so
+%{_libdir}/samba/vfs/fruit.so
+%{_libdir}/samba/vfs/full_audit.so
+%{_libdir}/samba/vfs/linux_xfs_sgid.so
+%{_libdir}/samba/vfs/media_harmony.so
+%{_libdir}/samba/vfs/netatalk.so
+%{_libdir}/samba/vfs/offline.so
+%{_libdir}/samba/vfs/preopen.so
+%{_libdir}/samba/vfs/readahead.so
+%{_libdir}/samba/vfs/readonly.so
+%{_libdir}/samba/vfs/recycle.so
+%{_libdir}/samba/vfs/shadow_copy.so
+%{_libdir}/samba/vfs/shadow_copy2.so
+%{_libdir}/samba/vfs/shell_snap.so
+%{_libdir}/samba/vfs/snapper.so
+%{_libdir}/samba/vfs/streams_depot.so
+%{_libdir}/samba/vfs/streams_xattr.so
+%{_libdir}/samba/vfs/syncops.so
+%{_libdir}/samba/vfs/time_audit.so
+%{_libdir}/samba/vfs/unityed_media.so
+%{_libdir}/samba/vfs/worm.so
+%{_libdir}/samba/vfs/xattr_tdb.so
+
+%{_unitdir}/nmb.service
+%{_unitdir}/smb.service
+%attr(1777,root,root) %dir /var/spool/samba
+%dir %{_sysconfdir}/openldap/schema
+%config %{_sysconfdir}/openldap/schema/samba.schema
+%config(noreplace) %{_sysconfdir}/pam.d/samba
+%{_mandir}/man1/smbstatus.1*
+%{_mandir}/man8/eventlogadm.8*
+%{_mandir}/man8/smbd.8*
+%{_mandir}/man8/nmbd.8*
+%{_mandir}/man8/vfs_acl_tdb.8*
+%{_mandir}/man8/vfs_acl_xattr.8*
+%{_mandir}/man8/vfs_aio_fork.8*
+%{_mandir}/man8/vfs_aio_linux.8*
+%{_mandir}/man8/vfs_aio_pthread.8*
+%{_mandir}/man8/vfs_audit.8*
+%{_mandir}/man8/vfs_btrfs.8*
+%{_mandir}/man8/vfs_cacheprime.8*
+%{_mandir}/man8/vfs_cap.8*
+%{_mandir}/man8/vfs_catia.8*
+%{_mandir}/man8/vfs_commit.8*
+%{_mandir}/man8/vfs_crossrename.8*
+%{_mandir}/man8/vfs_default_quota.8*
+%{_mandir}/man8/vfs_dirsort.8*
+%{_mandir}/man8/vfs_extd_audit.8*
+%{_mandir}/man8/vfs_fake_perms.8*
+%{_mandir}/man8/vfs_fileid.8*
+%{_mandir}/man8/vfs_fruit.8*
+%{_mandir}/man8/vfs_full_audit.8*
+%{_mandir}/man8/vfs_gpfs.8*
+%{_mandir}/man8/vfs_linux_xfs_sgid.8*
+%{_mandir}/man8/vfs_media_harmony.8*
+%{_mandir}/man8/vfs_netatalk.8*
+%{_mandir}/man8/vfs_offline.8*
+%{_mandir}/man8/vfs_prealloc.8*
+%{_mandir}/man8/vfs_preopen.8*
+%{_mandir}/man8/vfs_readahead.8*
+%{_mandir}/man8/vfs_readonly.8*
+%{_mandir}/man8/vfs_recycle.8*
+%{_mandir}/man8/vfs_shadow_copy.8*
+%{_mandir}/man8/vfs_shadow_copy2.8*
+%{_mandir}/man8/vfs_shell_snap.8*
+%{_mandir}/man8/vfs_snapper.8*
+%{_mandir}/man8/vfs_streams_depot.8*
+%{_mandir}/man8/vfs_streams_xattr.8*
+%{_mandir}/man8/vfs_syncops.8*
+%{_mandir}/man8/vfs_time_audit.8*
+%{_mandir}/man8/vfs_tsmsm.8*
+%{_mandir}/man8/vfs_unityed_media.8*
+%{_mandir}/man8/vfs_worm.8*
+%{_mandir}/man8/vfs_xattr_tdb.8*
+
+%if ! %{with_vfs_glusterfs}
+%exclude %{_mandir}/man8/vfs_glusterfs.8*
+%endif
+
+%if ! 
%{with_vfs_cephfs}
+%exclude %{_mandir}/man8/vfs_ceph.8*
+%endif
+
+%dir /var/lib/samba/drivers
+%dir /var/lib/samba/lock
+
+### CLIENT
+%files client
+%defattr(-,root,root)
+%{_bindir}/cifsdd
+%{_bindir}/dbwrap_tool
+%{_bindir}/findsmb
+%{_bindir}/nmblookup
+%{_bindir}/oLschema2ldif
+%{_bindir}/mvxattr
+%{_bindir}/regdiff
+%{_bindir}/regpatch
+%{_bindir}/regshell
+%{_bindir}/regtree
+%{_bindir}/rpcclient
+%{_bindir}/samba-regedit
+%{_bindir}/sharesec
+%{_bindir}/smbcacls
+%{_bindir}/smbclient
+%{_bindir}/smbcquotas
+%{_bindir}/smbget
+%{_bindir}/smbprint
+%{_bindir}/smbspool
+%{_bindir}/smbtar
+%{_bindir}/smbtree
+%dir %{_libexecdir}/samba
+%ghost %{_libexecdir}/samba/cups_backend_smb
+%{_mandir}/man1/dbwrap_tool.1*
+%{_mandir}/man1/nmblookup.1*
+%{_mandir}/man1/oLschema2ldif.1*
+%{_mandir}/man1/regdiff.1*
+%{_mandir}/man1/regpatch.1*
+%{_mandir}/man1/regshell.1*
+%{_mandir}/man1/regtree.1*
+%{_mandir}/man1/findsmb.1*
+%{_mandir}/man1/log2pcap.1*
+%{_mandir}/man1/mvxattr.1*
+%{_mandir}/man1/rpcclient.1*
+%{_mandir}/man1/sharesec.1*
+%{_mandir}/man1/smbcacls.1*
+%{_mandir}/man1/smbclient.1*
+%{_mandir}/man1/smbcquotas.1*
+%{_mandir}/man1/smbget.1*
+%{_mandir}/man5/smbgetrc.5*
+%{_mandir}/man1/smbtar.1*
+%{_mandir}/man1/smbtree.1*
+%{_mandir}/man8/cifsdd.8.*
+%{_mandir}/man8/samba-regedit.8*
+%{_mandir}/man8/smbspool.8*
+
+%if %{with_internal_tdb}
+%{_bindir}/tdbbackup
+%{_bindir}/tdbdump
+%{_bindir}/tdbrestore
+%{_bindir}/tdbtool
+%{_mandir}/man8/tdbbackup.8*
+%{_mandir}/man8/tdbdump.8*
+%{_mandir}/man8/tdbrestore.8*
+%{_mandir}/man8/tdbtool.8*
+%endif
+
+%if %with_internal_ldb
+%{_bindir}/ldbadd
+%{_bindir}/ldbdel
+%{_bindir}/ldbedit
+%{_bindir}/ldbmodify
+%{_bindir}/ldbrename
+%{_bindir}/ldbsearch
+%{_libdir}/samba/libldb-cmdline-samba4.so
+%{_libdir}/samba/ldb/asq.so
+%{_libdir}/samba/ldb/paged_results.so
+%{_libdir}/samba/ldb/paged_searches.so
+%{_libdir}/samba/ldb/rdn_name.so
+%{_libdir}/samba/ldb/sample.so
+%{_libdir}/samba/ldb/server_sort.so
+%{_libdir}/samba/ldb/skel.so
+%{_libdir}/samba/ldb/tdb.so
+%{_mandir}/man1/ldbadd.1.gz
+%{_mandir}/man1/ldbdel.1.gz
+%{_mandir}/man1/ldbedit.1.gz
+%{_mandir}/man1/ldbmodify.1.gz
+%{_mandir}/man1/ldbrename.1.gz
+%{_mandir}/man1/ldbsearch.1.gz
+%endif
+
+### CLIENT-LIBS
+%files client-libs
+%defattr(-,root,root)
+%{_libdir}/libdcerpc-binding.so.*
+%{_libdir}/libndr.so.*
+%{_libdir}/libndr-krb5pac.so.*
+%{_libdir}/libndr-nbt.so.*
+%{_libdir}/libndr-standard.so.*
+%{_libdir}/libnetapi.so.*
+%{_libdir}/libsamba-credentials.so.*
+%{_libdir}/libsamba-errors.so.*
+%{_libdir}/libsamba-passdb.so.*
+%{_libdir}/libsamba-util.so.*
+%{_libdir}/libsamba-hostconfig.so.*
+%{_libdir}/libsamdb.so.*
+%{_libdir}/libsmbconf.so.*
+%{_libdir}/libsmbldap.so.*
+%{_libdir}/libtevent-util.so.*
+%{_libdir}/libdcerpc.so.*
+
+%dir %{_libdir}/samba
+%{_libdir}/samba/libCHARSET3-samba4.so
+%{_libdir}/samba/libaddns-samba4.so
+%{_libdir}/samba/libads-samba4.so
+%{_libdir}/samba/libasn1util-samba4.so
+%{_libdir}/samba/libauth-sam-reply-samba4.so
+%{_libdir}/samba/libauth-samba4.so
+%{_libdir}/samba/libauthkrb5-samba4.so
+%{_libdir}/samba/libcli-cldap-samba4.so
+%{_libdir}/samba/libcli-ldap-common-samba4.so
+%{_libdir}/samba/libcli-ldap-samba4.so
+%{_libdir}/samba/libcli-nbt-samba4.so
+%{_libdir}/samba/libcli-smb-common-samba4.so
+%{_libdir}/samba/libcli-spoolss-samba4.so
+%{_libdir}/samba/libcliauth-samba4.so
+%{_libdir}/samba/libcmdline-credentials-samba4.so
+%{_libdir}/samba/libdbwrap-samba4.so
+%{_libdir}/samba/libdcerpc-samba-samba4.so
+%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
+%{_libdir}/samba/libevents-samba4.so
+%{_libdir}/samba/libflag-mapping-samba4.so
+%{_libdir}/samba/libgenrand-samba4.so
+%{_libdir}/samba/libgensec-samba4.so
+%{_libdir}/samba/libgpo-samba4.so
+%{_libdir}/samba/libgse-samba4.so
+%{_libdir}/samba/libhttp-samba4.so
+%{_libdir}/samba/libinterfaces-samba4.so
+%{_libdir}/samba/libiov-buf-samba4.so
+%{_libdir}/samba/libkrb5samba-samba4.so
+%{_libdir}/samba/libldbsamba-samba4.so
+%{_libdir}/samba/liblibcli-lsa3-samba4.so
+%{_libdir}/samba/liblibcli-netlogon3-samba4.so
+%{_libdir}/samba/liblibsmb-samba4.so
+%{_libdir}/samba/libmessages-dgm-samba4.so
+%{_libdir}/samba/libmessages-util-samba4.so
+%{_libdir}/samba/libmsghdr-samba4.so
+%{_libdir}/samba/libmsrpc3-samba4.so
+%{_libdir}/samba/libndr-samba-samba4.so
+%{_libdir}/samba/libndr-samba4.so
+%{_libdir}/samba/libnet-keytab-samba4.so
+%{_libdir}/samba/libnetif-samba4.so
+%{_libdir}/samba/libnpa-tstream-samba4.so
+%{_libdir}/samba/libposix-eadb-samba4.so
+%{_libdir}/samba/libprinting-migrate-samba4.so
+%{_libdir}/samba/libreplace-samba4.so
+%{_libdir}/samba/libregistry-samba4.so
+%{_libdir}/samba/libsamba-cluster-support-samba4.so
+%{_libdir}/samba/libsamba-debug-samba4.so
+%{_libdir}/samba/libsamba-modules-samba4.so
+%{_libdir}/samba/libsamba-security-samba4.so
+%{_libdir}/samba/libsamba-sockets-samba4.so
+%{_libdir}/samba/libsamba3-util-samba4.so
+%{_libdir}/samba/libsamdb-common-samba4.so
+%{_libdir}/samba/libsecrets3-samba4.so
+%{_libdir}/samba/libserver-id-db-samba4.so
+%{_libdir}/samba/libserver-role-samba4.so
+%{_libdir}/samba/libsmb-transport-samba4.so
+%{_libdir}/samba/libsmbclient-raw-samba4.so
+%{_libdir}/samba/libsmbd-base-samba4.so
+%{_libdir}/samba/libsmbd-conn-samba4.so
+%{_libdir}/samba/libsmbd-shim-samba4.so
+%{_libdir}/samba/libsmbldaphelper-samba4.so
+%{_libdir}/samba/libsys-rw-samba4.so
+%{_libdir}/samba/libsocket-blocking-samba4.so
+%{_libdir}/samba/libtalloc-report-samba4.so
+%{_libdir}/samba/libtdb-wrap-samba4.so
+%{_libdir}/samba/libtime-basic-samba4.so
+%{_libdir}/samba/libtorture-samba4.so
+%{_libdir}/samba/libtrusts-util-samba4.so
+%{_libdir}/samba/libutil-cmdline-samba4.so
+%{_libdir}/samba/libutil-reg-samba4.so
+%{_libdir}/samba/libutil-setid-samba4.so
+%{_libdir}/samba/libutil-tdb-samba4.so
+
+%if ! %with_libwbclient
+%{_libdir}/samba/libwbclient.so.*
+%{_libdir}/samba/libwinbind-client-samba4.so
+%endif # ! 
with_libwbclient
+
+%if ! %with_libsmbclient
+%{_libdir}/samba/libsmbclient.so.*
+%{_mandir}/man7/libsmbclient.7*
+%endif # ! with_libsmbclient
+
+%if %{with_internal_talloc}
+%{_libdir}/samba/libtalloc.so.2
+%{_libdir}/samba/libtalloc.so.%{talloc_version}
+%{_libdir}/samba/libpytalloc-util.so.2
+%{_libdir}/samba/libpytalloc-util.so.%{talloc_version}
+%{_mandir}/man3/talloc.3.gz
+%endif
+
+%if %{with_internal_tevent}
+%{_libdir}/samba/libtevent.so.0
+%{_libdir}/samba/libtevent.so.%{tevent_version}
+%endif
+
+%if %{with_internal_tdb}
+%{_libdir}/samba/libtdb.so.1
+%{_libdir}/samba/libtdb.so.%{tdb_version}
+%endif
+
+%if %{with_internal_ldb}
+%{_libdir}/samba/libldb.so.1
+%{_libdir}/samba/libldb.so.%{ldb_version}
+%{_libdir}/samba/libpyldb-util.so.1
+%{_libdir}/samba/libpyldb-util.so.%{ldb_version}
+%{_mandir}/man3/ldb.3.gz
+%endif
+
+### COMMON
+%files common
+%defattr(-,root,root)
+%{_tmpfilesdir}/samba.conf
+%dir %{_sysconfdir}/logrotate.d/
+%config(noreplace) %{_sysconfdir}/logrotate.d/samba
+%attr(0700,root,root) %dir /var/log/samba
+%attr(0700,root,root) %dir /var/log/samba/old
+%ghost %dir /var/run/samba
+%ghost %dir /var/run/winbindd
+%dir /var/lib/samba
+%attr(700,root,root) %dir /var/lib/samba/private
+%attr(755,root,root) %dir %{_sysconfdir}/samba
+%config(noreplace) %{_sysconfdir}/samba/smb.conf
+%{_sysconfdir}/samba/smb.conf.example
+%config(noreplace) %{_sysconfdir}/samba/lmhosts
+%config(noreplace) %{_sysconfdir}/sysconfig/samba
+%{_mandir}/man5/lmhosts.5*
+%{_mandir}/man5/smb.conf.5*
+%{_mandir}/man5/smbpasswd.5*
+%{_mandir}/man7/samba.7*
+
+### COMMON-libs
+%files common-libs
+%defattr(-,root,root)
+# common libraries
+%{_libdir}/samba/libpopt-samba3-samba4.so
+
+%dir %{_libdir}/samba/ldb
+
+%dir %{_libdir}/samba/pdb
+%{_libdir}/samba/pdb/ldapsam.so
+%{_libdir}/samba/pdb/smbpasswd.so
+%{_libdir}/samba/pdb/tdbsam.so
+%{_libdir}/samba/pdb/wbc_sam.so
+
+%files common-tools
+%defattr(-,root,root)
+%{_bindir}/net
+%{_bindir}/pdbedit
+%{_bindir}/profiles
+%{_bindir}/smbcontrol
+%{_bindir}/smbpasswd
+%{_bindir}/testparm
+%{_mandir}/man1/profiles.1*
+%{_mandir}/man1/smbcontrol.1*
+%{_mandir}/man1/testparm.1*
+%{_mandir}/man8/net.8*
+%{_mandir}/man8/pdbedit.8*
+%{_mandir}/man8/smbpasswd.8*
+
+### DC
+%files dc
+%defattr(-,root,root)
+
+%if %with_dc
+%{_bindir}/samba-tool
+%{_sbindir}/samba
+%{_sbindir}/samba_kcc
+%{_sbindir}/samba_dnsupdate
+%{_sbindir}/samba_spnupdate
+%{_sbindir}/samba_upgradedns
+%{_libdir}/samba/auth/samba4.so
+%{_libdir}/samba/bind9/dlz_bind9.so
+%{_libdir}/samba/bind9/dlz_bind9_10.so
+%{_libdir}/samba/libheimntlm-samba4.so.1
+%{_libdir}/samba/libheimntlm-samba4.so.1.0.1
+%{_libdir}/samba/libkdc-samba4.so.2
+%{_libdir}/samba/libkdc-samba4.so.2.0.0
+%{_libdir}/samba/libpac-samba4.so
+%dir %{_libdir}/samba/gensec
+%{_libdir}/samba/gensec/krb5.so
+%{_libdir}/samba/ldb/acl.so
+%{_libdir}/samba/ldb/aclread.so
+%{_libdir}/samba/ldb/anr.so
+%{_libdir}/samba/ldb/descriptor.so
+%{_libdir}/samba/ldb/dirsync.so
+%{_libdir}/samba/ldb/dns_notify.so
+%{_libdir}/samba/ldb/extended_dn_in.so
+%{_libdir}/samba/ldb/extended_dn_out.so
+%{_libdir}/samba/ldb/extended_dn_store.so
+%{_libdir}/samba/ldb/ildap.so
+%{_libdir}/samba/ldb/instancetype.so
+%{_libdir}/samba/ldb/lazy_commit.so
+%{_libdir}/samba/ldb/ldbsamba_extensions.so
+%{_libdir}/samba/ldb/linked_attributes.so
+%{_libdir}/samba/ldb/local_password.so
+%{_libdir}/samba/ldb/new_partition.so
+%{_libdir}/samba/ldb/objectclass.so
+%{_libdir}/samba/ldb/objectclass_attrs.so
+%{_libdir}/samba/ldb/objectguid.so
+%{_libdir}/samba/ldb/operational.so
+%{_libdir}/samba/ldb/partition.so
+%{_libdir}/samba/ldb/password_hash.so
+%{_libdir}/samba/ldb/ranged_results.so
+%{_libdir}/samba/ldb/repl_meta_data.so
+%{_libdir}/samba/ldb/resolve_oids.so
+%{_libdir}/samba/ldb/rootdse.so
+%{_libdir}/samba/ldb/samba3sam.so
+%{_libdir}/samba/ldb/samba3sid.so
+%{_libdir}/samba/ldb/samba_dsdb.so
+%{_libdir}/samba/ldb/samba_secrets.so
+%{_libdir}/samba/ldb/samldb.so
+%{_libdir}/samba/ldb/schema_data.so
+%{_libdir}/samba/ldb/schema_load.so
+%{_libdir}/samba/ldb/secrets_tdb_sync.so
+%{_libdir}/samba/ldb/show_deleted.so
+%{_libdir}/samba/ldb/simple_dn.so
+%{_libdir}/samba/ldb/simple_ldap_map.so
+%{_libdir}/samba/ldb/subtree_delete.so
+%{_libdir}/samba/ldb/subtree_rename.so
+%{_libdir}/samba/ldb/tombstone_reanimate.so
+%{_libdir}/samba/ldb/update_keytab.so
+%{_libdir}/samba/ldb/wins_ldb.so
+%{_libdir}/samba/vfs/posix_eadb.so
+%dir /var/lib/samba/sysvol
+%{_datadir}/samba/setup
+%{_mandir}/man8/samba.8*
+%{_mandir}/man8/samba-tool.8*
+%else # with_dc
+%doc packaging/README.dc
+%endif # with_dc
+
+### DC-LIBS
+%files dc-libs
+%defattr(-,root,root)
+%if %with_dc
+%{_libdir}/samba/libprocess-model-samba4.so
+%{_libdir}/samba/libservice-samba4.so
+%dir %{_libdir}/samba/process_model
+%{_libdir}/samba/process_model/standard.so
+%dir %{_libdir}/samba/service
+%{_libdir}/samba/service/cldap.so
+%{_libdir}/samba/service/dcerpc.so
+%{_libdir}/samba/service/dns.so
+%{_libdir}/samba/service/dns_update.so
+%{_libdir}/samba/service/drepl.so
+%{_libdir}/samba/service/kcc.so
+%{_libdir}/samba/service/kdc.so
+%{_libdir}/samba/service/ldap.so
+%{_libdir}/samba/service/nbtd.so
+%{_libdir}/samba/service/ntp_signd.so
+%{_libdir}/samba/service/s3fs.so
+%{_libdir}/samba/service/web.so
+%{_libdir}/samba/service/winbindd.so
+%{_libdir}/samba/service/wrepl.so
+%{_libdir}/libdcerpc-server.so.*
+%{_libdir}/samba/libdfs-server-ad-samba4.so
+%{_libdir}/samba/libdnsserver-common-samba4.so
+%{_libdir}/samba/libdsdb-module-samba4.so
+%{_libdir}/samba/libntvfs-samba4.so
+%{_libdir}/samba/bind9/dlz_bind9_9.so
+%else
+%doc packaging/README.dc-libs
+%endif # with_dc
+
+### DEVEL
+%files devel
+%defattr(-,root,root)
+%{_includedir}/samba-4.0/charset.h
+%{_includedir}/samba-4.0/core/doserr.h
+%{_includedir}/samba-4.0/core/error.h
+%{_includedir}/samba-4.0/core/hresult.h
+%{_includedir}/samba-4.0/core/ntstatus.h
+%{_includedir}/samba-4.0/core/werror.h
+%{_includedir}/samba-4.0/credentials.h
+%{_includedir}/samba-4.0/dcerpc.h
+%{_includedir}/samba-4.0/domain_credentials.h
+%{_includedir}/samba-4.0/gen_ndr/atsvc.h
+%{_includedir}/samba-4.0/gen_ndr/auth.h
+%{_includedir}/samba-4.0/gen_ndr/dcerpc.h
+%{_includedir}/samba-4.0/gen_ndr/krb5pac.h
+%{_includedir}/samba-4.0/gen_ndr/lsa.h
+%{_includedir}/samba-4.0/gen_ndr/misc.h
+%{_includedir}/samba-4.0/gen_ndr/nbt.h
+%{_includedir}/samba-4.0/gen_ndr/drsblobs.h
+%{_includedir}/samba-4.0/gen_ndr/drsuapi.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_drsblobs.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_drsuapi.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_atsvc.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_dcerpc.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_krb5pac.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_misc.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_nbt.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_samr.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_samr_c.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_svcctl.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_svcctl_c.h
+%{_includedir}/samba-4.0/gen_ndr/netlogon.h
+%{_includedir}/samba-4.0/gen_ndr/samr.h
+%{_includedir}/samba-4.0/gen_ndr/security.h
+%{_includedir}/samba-4.0/gen_ndr/server_id.h
+%{_includedir}/samba-4.0/gen_ndr/svcctl.h
+%{_includedir}/samba-4.0/ldb_wrap.h
+%{_includedir}/samba-4.0/lookup_sid.h
+%{_includedir}/samba-4.0/machine_sid.h
+%{_includedir}/samba-4.0/ndr.h
+%dir %{_includedir}/samba-4.0/ndr
+%{_includedir}/samba-4.0/ndr/ndr_dcerpc.h
+%{_includedir}/samba-4.0/ndr/ndr_drsblobs.h
+%{_includedir}/samba-4.0/ndr/ndr_drsuapi.h
+%{_includedir}/samba-4.0/ndr/ndr_krb5pac.h
+%{_includedir}/samba-4.0/ndr/ndr_svcctl.h
+%{_includedir}/samba-4.0/ndr/ndr_nbt.h
+%{_includedir}/samba-4.0/netapi.h
+%{_includedir}/samba-4.0/param.h
+%{_includedir}/samba-4.0/passdb.h
+%{_includedir}/samba-4.0/policy.h
+%{_includedir}/samba-4.0/rpc_common.h
+%{_includedir}/samba-4.0/samba/session.h
+%{_includedir}/samba-4.0/samba/version.h
+%{_includedir}/samba-4.0/share.h
+%{_includedir}/samba-4.0/smb2_lease_struct.h
+%{_includedir}/samba-4.0/smbconf.h
+%{_includedir}/samba-4.0/smb_ldap.h
+%{_includedir}/samba-4.0/smbldap.h
+%{_includedir}/samba-4.0/tdr.h
+%{_includedir}/samba-4.0/tsocket.h
+%{_includedir}/samba-4.0/tsocket_internal.h
+%dir %{_includedir}/samba-4.0/util
+%{_includedir}/samba-4.0/util/attr.h
+%{_includedir}/samba-4.0/util/blocking.h
+%{_includedir}/samba-4.0/util/byteorder.h
+%{_includedir}/samba-4.0/util/data_blob.h
+%{_includedir}/samba-4.0/util/debug.h
+%{_includedir}/samba-4.0/util/fault.h
+%{_includedir}/samba-4.0/util/genrand.h
+%{_includedir}/samba-4.0/util/idtree.h
+%{_includedir}/samba-4.0/util/idtree_random.h
+%{_includedir}/samba-4.0/util/memory.h
+%{_includedir}/samba-4.0/util/safe_string.h
+%{_includedir}/samba-4.0/util/signal.h
+%{_includedir}/samba-4.0/util/string_wrappers.h
+%{_includedir}/samba-4.0/util/substitute.h
+%{_includedir}/samba-4.0/util/talloc_stack.h
+%{_includedir}/samba-4.0/util/tevent_ntstatus.h
+%{_includedir}/samba-4.0/util/tevent_unix.h
+%{_includedir}/samba-4.0/util/tevent_werror.h
+%{_includedir}/samba-4.0/util/time.h
+%{_includedir}/samba-4.0/util_ldb.h
+%{_libdir}/libdcerpc-binding.so
+%{_libdir}/libdcerpc-samr.so
+%{_libdir}/libdcerpc.so
+%{_libdir}/libndr-krb5pac.so
+%{_libdir}/libndr-nbt.so
+%{_libdir}/libndr-standard.so
+%{_libdir}/libndr.so
+%{_libdir}/libnetapi.so
+%{_libdir}/libsamba-credentials.so
+%{_libdir}/libsamba-errors.so
+%{_libdir}/libsamba-hostconfig.so
+%{_libdir}/libsamba-policy.so
+%{_libdir}/libsamba-util.so
+%{_libdir}/libsamdb.so
+%{_libdir}/libsmbconf.so
+%{_libdir}/libtevent-util.so
+%{_libdir}/pkgconfig/dcerpc.pc
+%{_libdir}/pkgconfig/dcerpc_samr.pc
+%{_libdir}/pkgconfig/ndr.pc
+%{_libdir}/pkgconfig/ndr_krb5pac.pc
+%{_libdir}/pkgconfig/ndr_nbt.pc
+%{_libdir}/pkgconfig/ndr_standard.pc
+%{_libdir}/pkgconfig/netapi.pc
+%{_libdir}/pkgconfig/samba-credentials.pc
+%{_libdir}/pkgconfig/samba-hostconfig.pc
+%{_libdir}/pkgconfig/samba-policy.pc
+%{_libdir}/pkgconfig/samba-util.pc
+%{_libdir}/pkgconfig/samdb.pc
+%{_libdir}/libsamba-passdb.so
+%{_libdir}/libsmbldap.so
+
+%if %with_dc
+%{_includedir}/samba-4.0/dcerpc_server.h
+%{_libdir}/libdcerpc-server.so
+%{_libdir}/pkgconfig/dcerpc_server.pc
+%endif
+
+%if ! %with_libsmbclient
+%{_includedir}/samba-4.0/libsmbclient.h
+%endif # ! with_libsmbclient
+
+%if ! %with_libwbclient
+%{_includedir}/samba-4.0/wbclient.h
+%endif # ! with_libwbclient
+
+### VFS-CEPHFS
+%if %{with_vfs_cephfs}
+%files vfs-cephfs
+%{_libdir}/samba/vfs/ceph.so
+%{_mandir}/man8/vfs_ceph.8*
+%endif
+
+### VFS-GLUSTERFS
+%if %{with_vfs_glusterfs}
+%files vfs-glusterfs
+%{_libdir}/samba/vfs/glusterfs.so
+%{_mandir}/man8/vfs_glusterfs.8*
+%endif
+
+### KRB5-PRINTING
+%files krb5-printing
+%defattr(-,root,root)
+%attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper
+%{_mandir}/man8/smbspool_krb5_wrapper.8*
+
+### LIBS
+%files libs
+%defattr(-,root,root)
+%{_libdir}/libdcerpc-samr.so.*
+%{_libdir}/libsamba-policy.so.*
+
+# libraries needed by the public libraries
+%{_libdir}/samba/libMESSAGING-samba4.so
+%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so
+%{_libdir}/samba/libauth4-samba4.so
+%{_libdir}/samba/libauth-unix-token-samba4.so
+%{_libdir}/samba/libcluster-samba4.so
+%{_libdir}/samba/libdcerpc-samba4.so
+%{_libdir}/samba/libnon-posix-acls-samba4.so
+%{_libdir}/samba/libsamba-net-samba4.so
+%{_libdir}/samba/libsamba-python-samba4.so
+%{_libdir}/samba/libshares-samba4.so
+%{_libdir}/samba/libsmbpasswdparser-samba4.so
+%{_libdir}/samba/libxattr-tdb-samba4.so
+
+%if %with_dc
+%{_libdir}/samba/libdb-glue-samba4.so
+%{_libdir}/samba/libHDB-SAMBA4-samba4.so
+%{_libdir}/samba/libasn1-samba4.so.8
+%{_libdir}/samba/libasn1-samba4.so.8.0.0
+%{_libdir}/samba/libcom_err-samba4.so.0
+%{_libdir}/samba/libcom_err-samba4.so.0.25
+%{_libdir}/samba/libgssapi-samba4.so.2
+%{_libdir}/samba/libgssapi-samba4.so.2.0.0
+%{_libdir}/samba/libhcrypto-samba4.so.5
+%{_libdir}/samba/libhcrypto-samba4.so.5.0.1
+%{_libdir}/samba/libhdb-samba4.so.11
+%{_libdir}/samba/libhdb-samba4.so.11.0.2
+%{_libdir}/samba/libheimbase-samba4.so.1
+%{_libdir}/samba/libheimbase-samba4.so.1.0.0
+%{_libdir}/samba/libhx509-samba4.so.5
+%{_libdir}/samba/libhx509-samba4.so.5.0.0
+%{_libdir}/samba/libkrb5-samba4.so.26
+%{_libdir}/samba/libkrb5-samba4.so.26.0.0
+%{_libdir}/samba/libroken-samba4.so.19
+%{_libdir}/samba/libroken-samba4.so.19.0.1
+%{_libdir}/samba/libwind-samba4.so.0
+%{_libdir}/samba/libwind-samba4.so.0.0.0
+%endif
+
+### LIBSMBCLIENT
+%if %with_libsmbclient
+%files -n libsmbclient
+%defattr(-,root,root)
+%{_libdir}/libsmbclient.so.*
+
+### LIBSMBCLIENT-DEVEL
+%files -n libsmbclient-devel
+%defattr(-,root,root)
+%{_includedir}/samba-4.0/libsmbclient.h
+%{_libdir}/libsmbclient.so
+%{_libdir}/pkgconfig/smbclient.pc
+%{_mandir}/man7/libsmbclient.7*
+%endif # with_libsmbclient
+
+### LIBWBCLIENT
+%if %with_libwbclient
+%files -n libwbclient
+%defattr(-,root,root)
+%{_libdir}/samba/wbclient/libwbclient.so.*
+%{_libdir}/samba/libwinbind-client-samba4.so
+
+### LIBWBCLIENT-DEVEL
+%files -n libwbclient-devel
+%defattr(-,root,root)
+%{_includedir}/samba-4.0/wbclient.h
+%{_libdir}/samba/wbclient/libwbclient.so
+%{_libdir}/pkgconfig/wbclient.pc
+%endif # with_libwbclient
+
+### PIDL
+%files pidl
+%defattr(-,root,root,-)
+%attr(755,root,root) %{_bindir}/pidl
+%dir %{perl_vendorlib}/Parse
+%{perl_vendorlib}/Parse/Pidl.pm
+%dir %{perl_vendorlib}/Parse/Pidl
+%{perl_vendorlib}/Parse/Pidl/CUtil.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4.pm
+%{perl_vendorlib}/Parse/Pidl/Expr.pm
+%{perl_vendorlib}/Parse/Pidl/ODL.pm
+%{perl_vendorlib}/Parse/Pidl/Typelist.pm
+%{perl_vendorlib}/Parse/Pidl/IDL.pm
+%{perl_vendorlib}/Parse/Pidl/Compat.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Wireshark
+%{perl_vendorlib}/Parse/Pidl/Wireshark/Conformance.pm
+%{perl_vendorlib}/Parse/Pidl/Wireshark/NDR.pm
+%{perl_vendorlib}/Parse/Pidl/Dump.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Samba3
+%{perl_vendorlib}/Parse/Pidl/Samba3/ServerNDR.pm
+%{perl_vendorlib}/Parse/Pidl/Samba3/ClientNDR.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Samba4
+%{perl_vendorlib}/Parse/Pidl/Samba4/Header.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Samba4/COM
+%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Header.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Proxy.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Stub.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/Python.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/Template.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Samba4/NDR
+%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Server.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Client.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Parser.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/TDR.pm
+%{perl_vendorlib}/Parse/Pidl/NDR.pm
+%{perl_vendorlib}/Parse/Pidl/Util.pm
+%{_mandir}/man1/pidl*
+%{_mandir}/man3/Parse::Pidl*
+
+### PYTHON
+%files python
+%defattr(-,root,root,-)
+%{python_sitearch}/*
+
+### TEST
+%files test
+%defattr(-,root,root)
+%{_bindir}/gentest
+%{_bindir}/locktest
+%{_bindir}/masktest
+%{_bindir}/ndrdump
+%{_bindir}/smbtorture
+%{_mandir}/man1/gentest.1*
+%{_mandir}/man1/locktest.1*
+%{_mandir}/man1/masktest.1*
+%{_mandir}/man1/ndrdump.1*
+%{_mandir}/man1/smbtorture.1*
+%{_mandir}/man1/vfstest.1*
+
+%if %{with testsuite}
+# files to ignore in testsuite mode
+%{_libdir}/samba/libnss-wrapper.so
+%{_libdir}/samba/libsocket-wrapper.so
+%{_libdir}/samba/libuid-wrapper.so
+%endif
+
+### TEST-LIBS
+%files test-libs
+%defattr(-,root,root)
+%if %with_dc
+%{_libdir}/samba/libdlz-bind9-for-torture-samba4.so
+%else
+%{_libdir}/samba/libdsdb-module-samba4.so
+%endif
+
+### WINBIND
+%files winbind
+%defattr(-,root,root)
+%{_libdir}/samba/idmap
+%{_libdir}/samba/nss_info
+%{_libdir}/samba/libnss-info-samba4.so
+%{_libdir}/samba/libidmap-samba4.so
+%{_sbindir}/winbindd
+%attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged
+%{_unitdir}/winbind.service
+%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind
+%{_mandir}/man8/winbindd.8*
+%{_mandir}/man8/idmap_*.8*
+
+### WINBIND-CLIENTS
+%files winbind-clients
+%defattr(-,root,root)
+%{_bindir}/ntlm_auth
+%{_bindir}/wbinfo
+%{_mandir}/man1/ntlm_auth.1.gz
+%{_mandir}/man1/wbinfo.1*
+
+### WINBIND-KRB5-LOCATOR
+%files winbind-krb5-locator
+%defattr(-,root,root)
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+%{_libdir}/winbind_krb5_locator.so
+%{_mandir}/man7/winbind_krb5_locator.7*
+
+### WINBIND-MODULES
+%files winbind-modules
+%defattr(-,root,root)
+%{_libdir}/libnss_winbind.so*
+%{_libdir}/libnss_wins.so*
+%{_libdir}/security/pam_winbind.so
+%config(noreplace) %{_sysconfdir}/security/pam_winbind.conf
+%{_mandir}/man5/pam_winbind.conf.5*
+%{_mandir}/man8/pam_winbind.8*
+
+%if %with_clustering_support
+%files -n ctdb
+%defattr(-,root,root)
+%doc ctdb/README
+# Obsolete
+%config(noreplace, missingok) %{_sysconfdir}/sysconfig/ctdb
+
+%dir %{_sysconfdir}/ctdb
+%config(noreplace) %{_sysconfdir}/ctdb/ctdbd.conf
+%config(noreplace) %{_sysconfdir}/ctdb/notify.sh
+%config(noreplace) %{_sysconfdir}/ctdb/debug-hung-script.sh
+%config(noreplace) %{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh
+%config(noreplace) %{_sysconfdir}/ctdb/gcore_trace.sh
+%config(noreplace) %{_sysconfdir}/ctdb/debug_locks.sh
+
+%{_sysconfdir}/ctdb/functions
+%{_sysconfdir}/ctdb/nfs-linux-kernel-callout
+%{_sysconfdir}/ctdb/statd-callout
+%config %{_sysconfdir}/sudoers.d/ctdb
+
+# CTDB scripts, no config files
+# script with executable bit means activated
+%dir %{_sysconfdir}/ctdb/events.d
+%{_sysconfdir}/ctdb/events.d/00.ctdb
+%{_sysconfdir}/ctdb/events.d/01.reclock
+%{_sysconfdir}/ctdb/events.d/05.system
+%{_sysconfdir}/ctdb/events.d/06.nfs
+%{_sysconfdir}/ctdb/events.d/10.external
+%{_sysconfdir}/ctdb/events.d/10.interface
+%{_sysconfdir}/ctdb/events.d/11.natgw
+%{_sysconfdir}/ctdb/events.d/11.routing
+%{_sysconfdir}/ctdb/events.d/13.per_ip_routing
+%{_sysconfdir}/ctdb/events.d/20.multipathd
+%{_sysconfdir}/ctdb/events.d/31.clamd
+%{_sysconfdir}/ctdb/events.d/40.vsftpd
+%{_sysconfdir}/ctdb/events.d/41.httpd
+%{_sysconfdir}/ctdb/events.d/49.winbind
+%{_sysconfdir}/ctdb/events.d/50.samba
+%{_sysconfdir}/ctdb/events.d/60.nfs
+%{_sysconfdir}/ctdb/events.d/70.iscsi
+%{_sysconfdir}/ctdb/events.d/91.lvs
+%{_sysconfdir}/ctdb/events.d/99.timeout
+%{_sysconfdir}/ctdb/events.d/README
+%dir %{_sysconfdir}/ctdb/notify.d
+%{_sysconfdir}/ctdb/notify.d/README
+
+# CTDB scripts, no config files
+# script with executable bit means activated
+%dir %{_sysconfdir}/ctdb/nfs-checks.d
+%{_sysconfdir}/ctdb/nfs-checks.d/README
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/00.portmapper.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/10.status.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/20.nfs.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/30.nlockmgr.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/40.mountd.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check
+
+%{_sbindir}/ctdbd
+%{_sbindir}/ctdbd_wrapper
+%{_bindir}/ctdb
+%{_bindir}/ping_pong
+%{_bindir}/ltdbtool
+%{_bindir}/ctdb_diagnostics
+%{_bindir}/onnode
+
+%dir %{_libexecdir}/ctdb
+%{_libexecdir}/ctdb/ctdb_event
+%{_libexecdir}/ctdb/ctdb_eventd
+%{_libexecdir}/ctdb/ctdb_killtcp
+%{_libexecdir}/ctdb/ctdb_lock_helper
+%{_libexecdir}/ctdb/ctdb_lvs
+%{_libexecdir}/ctdb/ctdb_mutex_fcntl_helper
+%{_libexecdir}/ctdb/ctdb_natgw
+%{_libexecdir}/ctdb/ctdb_recovery_helper
+%{_libexecdir}/ctdb/ctdb_takeover_helper
+%{_libexecdir}/ctdb/smnotify
+
+%dir %{_localstatedir}/lib/ctdb/
+
+%{_mandir}/man1/ctdb.1.gz
+%{_mandir}/man1/ctdb_diagnostics.1.gz
+%{_mandir}/man1/ctdbd.1.gz
+%{_mandir}/man1/onnode.1.gz
+%{_mandir}/man1/ltdbtool.1.gz
+%{_mandir}/man1/ping_pong.1.gz
+%{_mandir}/man1/ctdbd_wrapper.1.gz
+%{_mandir}/man5/ctdbd.conf.5.gz
+%{_mandir}/man7/ctdb.7.gz
+%{_mandir}/man7/ctdb-tunables.7.gz
+%{_mandir}/man7/ctdb-statistics.7.gz
+
+%{_tmpfilesdir}/ctdb.conf
+
+%{_unitdir}/ctdb.service
+
+
+%files -n ctdb-tests
+%defattr(-,root,root)
+%doc ctdb/tests/README
+%{_bindir}/ctdb_run_tests
+%{_bindir}/ctdb_run_cluster_tests
+
+%dir %{_libexecdir}/ctdb
+%dir %{_libexecdir}/ctdb/tests
+%{_libexecdir}/ctdb/tests/comm_client_test
+%{_libexecdir}/ctdb/tests/comm_server_test
+%{_libexecdir}/ctdb/tests/comm_test
+%{_libexecdir}/ctdb/tests/ctdb_packet_parse
+%{_libexecdir}/ctdb/tests/ctdb_takeover_tests
+%{_libexecdir}/ctdb/tests/db_hash_test
+%{_libexecdir}/ctdb/tests/fake_ctdbd
+%{_libexecdir}/ctdb/tests/fetch_loop
+%{_libexecdir}/ctdb/tests/fetch_loop_key
+%{_libexecdir}/ctdb/tests/fetch_readonly
+%{_libexecdir}/ctdb/tests/fetch_readonly_loop
+%{_libexecdir}/ctdb/tests/fetch_ring
+%{_libexecdir}/ctdb/tests/g_lock_loop
+%{_libexecdir}/ctdb/tests/lock_tdb
+%{_libexecdir}/ctdb/tests/message_ring
+%{_libexecdir}/ctdb/tests/pidfile_test
+%{_libexecdir}/ctdb/tests/pkt_read_test
+%{_libexecdir}/ctdb/tests/pkt_write_test
+%{_libexecdir}/ctdb/tests/porting_tests
+%{_libexecdir}/ctdb/tests/protocol_client_test
+%{_libexecdir}/ctdb/tests/protocol_types_test
+%{_libexecdir}/ctdb/tests/protocol_util_test
+%{_libexecdir}/ctdb/tests/rb_test
+%{_libexecdir}/ctdb/tests/reqid_test
+%{_libexecdir}/ctdb/tests/run_proc_test
+%{_libexecdir}/ctdb/tests/sock_daemon_test
+%{_libexecdir}/ctdb/tests/sock_io_test
+%{_libexecdir}/ctdb/tests/srvid_test
+%{_libexecdir}/ctdb/tests/test_mutex_raw
+%{_libexecdir}/ctdb/tests/transaction_loop
+%{_libexecdir}/ctdb/tests/update_record
+%{_libexecdir}/ctdb/tests/update_record_persistent
+
+%dir %{_datadir}/ctdb
+%dir %{_datadir}/ctdb/tests
+
+%dir %{_datadir}/ctdb/tests/complex
+%{_datadir}/ctdb/tests/complex/README
+%{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh
+%{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh
+%{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh
+%{_datadir}/ctdb/tests/complex/31_nfs_tickle.sh
+%{_datadir}/ctdb/tests/complex/32_cifs_tickle.sh
+%{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh
+%{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh
+%{_datadir}/ctdb/tests/complex/35_cifs_external_tickle.sh
+%{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh
+%{_datadir}/ctdb/tests/complex/42_failover_ssh_hostname.sh
+%{_datadir}/ctdb/tests/complex/43_failover_nfs_basic.sh
+%{_datadir}/ctdb/tests/complex/44_failover_nfs_oneway.sh
+%{_datadir}/ctdb/tests/complex/45_failover_nfs_kill.sh
+%{_datadir}/ctdb/tests/complex/60_rogueip_releaseip.sh
+%{_datadir}/ctdb/tests/complex/61_rogueip_takeip.sh
+%{_datadir}/ctdb/tests/complex/90_debug_hung_script.sh
+
+%dir %{_datadir}/ctdb/tests/complex/scripts
+%{_datadir}/ctdb/tests/complex/scripts/local.bash
+
+%dir %{_datadir}/ctdb/tests/cunit
+%{_datadir}/ctdb/tests/cunit/comm_test_001.sh
+%{_datadir}/ctdb/tests/cunit/comm_test_002.sh
+%{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
+%{_datadir}/ctdb/tests/cunit/pidfile_test_001.sh
+%{_datadir}/ctdb/tests/cunit/pkt_read_001.sh
+%{_datadir}/ctdb/tests/cunit/pkt_write_001.sh
+%{_datadir}/ctdb/tests/cunit/porting_tests_001.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_001.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_002.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_003.sh
+%{_datadir}/ctdb/tests/cunit/rb_test_001.sh
+%{_datadir}/ctdb/tests/cunit/reqid_test_001.sh
+%{_datadir}/ctdb/tests/cunit/run_proc_001.sh
+%{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh
+%{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh
+%{_datadir}/ctdb/tests/cunit/srvid_test_001.sh
+
+%dir %{_datadir}/ctdb/tests/eventd
+%{_datadir}/ctdb/tests/eventd/README
+%{_datadir}/ctdb/tests/eventd/eventd_001.sh
+%{_datadir}/ctdb/tests/eventd/eventd_002.sh
+%{_datadir}/ctdb/tests/eventd/eventd_003.sh
+%{_datadir}/ctdb/tests/eventd/eventd_004.sh
+%{_datadir}/ctdb/tests/eventd/eventd_005.sh
+%{_datadir}/ctdb/tests/eventd/eventd_006.sh
+%{_datadir}/ctdb/tests/eventd/eventd_007.sh
+%{_datadir}/ctdb/tests/eventd/eventd_011.sh
+%{_datadir}/ctdb/tests/eventd/eventd_012.sh
+%{_datadir}/ctdb/tests/eventd/eventd_013.sh
+%{_datadir}/ctdb/tests/eventd/eventd_014.sh
+%{_datadir}/ctdb/tests/eventd/eventd_021.sh
+%{_datadir}/ctdb/tests/eventd/eventd_022.sh
+%{_datadir}/ctdb/tests/eventd/eventd_023.sh
+%{_datadir}/ctdb/tests/eventd/eventd_024.sh
+%{_datadir}/ctdb/tests/eventd/eventd_031.sh
+%{_datadir}/ctdb/tests/eventd/eventd_032.sh
+%{_datadir}/ctdb/tests/eventd/eventd_033.sh
+%{_datadir}/ctdb/tests/eventd/eventd_041.sh
+%{_datadir}/ctdb/tests/eventd/eventd_042.sh
+%{_datadir}/ctdb/tests/eventd/eventd_043.sh
+%{_datadir}/ctdb/tests/eventd/eventd_051.sh
+%dir %{_datadir}/ctdb/tests/eventd/scripts
+%{_datadir}/ctdb/tests/eventd/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/events.d
+%{_datadir}/ctdb/tests/events.d/00.test
+
+%dir %{_datadir}/ctdb/tests/eventscripts
+%{_datadir}/ctdb/tests/eventscripts/README
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.001.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.002.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.003.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.004.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.005.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.006.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.007.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.008.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.009.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.003.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.004.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.005.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.005.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.006.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.007.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.011.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.012.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.013.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.014.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.015.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.016.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.017.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.018.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.022.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.023.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.005.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.006.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.007.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.008.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.009.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.010.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.012.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.013.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.014.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.015.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.016.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.017.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.018.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.multi.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.010.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.003.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.001.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.002.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.003.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.004.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.011.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.012.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.013.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.014.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.015.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.021.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.022.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.023.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.024.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.025.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.031.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.041.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.042.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.051.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.052.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.053.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.054.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.001.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.002.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.003.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.004.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.005.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.006.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.007.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.008.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.009.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.010.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.011.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.012.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.013.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.014.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.015.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.016.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.017.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.018.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.019.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.021.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.022.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.023.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.024.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.050.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.051.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.050.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.051.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.104.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.105.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.106.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.107.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.110.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.111.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.112.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.113.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.011.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.startup.011.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.101.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.102.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.103.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.104.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.105.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.106.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.107.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.108.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.111.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.112.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.113.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.114.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.121.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.122.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.131.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.132.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.141.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.142.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.143.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.144.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.151.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.152.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.153.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.161.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.162.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.002.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.011.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.012.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.013.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.014.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.startup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.001.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.002.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.003.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.004.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.005.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.006.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.007.sh
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc-ctdb
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/events.d
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/functions
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-checks.d
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-linux-kernel-callout
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/public_addresses
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/rc.local
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/statd-callout
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc
+%dir %{_datadir}/ctdb/tests/eventscripts/etc/init.d
+%{_datadir}/ctdb/tests/eventscripts/etc/init.d/nfs
+%{_datadir}/ctdb/tests/eventscripts/etc/init.d/nfslock
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc/samba
+%{_datadir}/ctdb/tests/eventscripts/etc/samba/smb.conf
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc/sysconfig
+%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/ctdb
+%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/nfs
+
+%dir %{_datadir}/ctdb/tests/eventscripts/scripts
+%{_datadir}/ctdb/tests/eventscripts/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/eventscripts/stubs
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_killtcp
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_lvs
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_natgw
+%{_datadir}/ctdb/tests/eventscripts/stubs/date
+%{_datadir}/ctdb/tests/eventscripts/stubs/df
+%{_datadir}/ctdb/tests/eventscripts/stubs/ethtool
+%{_datadir}/ctdb/tests/eventscripts/stubs/exportfs
+%{_datadir}/ctdb/tests/eventscripts/stubs/id
+%{_datadir}/ctdb/tests/eventscripts/stubs/ip
+%{_datadir}/ctdb/tests/eventscripts/stubs/ip6tables
+%{_datadir}/ctdb/tests/eventscripts/stubs/iptables
+%{_datadir}/ctdb/tests/eventscripts/stubs/ipvsadm
+%{_datadir}/ctdb/tests/eventscripts/stubs/kill
+%{_datadir}/ctdb/tests/eventscripts/stubs/killall
+%{_datadir}/ctdb/tests/eventscripts/stubs/multipath
+%{_datadir}/ctdb/tests/eventscripts/stubs/net
+%{_datadir}/ctdb/tests/eventscripts/stubs/netstat
+%{_datadir}/ctdb/tests/eventscripts/stubs/nmap
+%{_datadir}/ctdb/tests/eventscripts/stubs/pidof
+%{_datadir}/ctdb/tests/eventscripts/stubs/pkill
+%{_datadir}/ctdb/tests/eventscripts/stubs/ps
+%{_datadir}/ctdb/tests/eventscripts/stubs/rm
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.lockd
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.mountd
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.rquotad
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.statd
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpcinfo
+%{_datadir}/ctdb/tests/eventscripts/stubs/service
+%{_datadir}/ctdb/tests/eventscripts/stubs/sleep
+%{_datadir}/ctdb/tests/eventscripts/stubs/smnotify
+%{_datadir}/ctdb/tests/eventscripts/stubs/ss
+%{_datadir}/ctdb/tests/eventscripts/stubs/tdbdump
+%{_datadir}/ctdb/tests/eventscripts/stubs/tdbtool
+%{_datadir}/ctdb/tests/eventscripts/stubs/testparm
+%{_datadir}/ctdb/tests/eventscripts/stubs/timeout
+%{_datadir}/ctdb/tests/eventscripts/stubs/wbinfo
+
+%dir %{_datadir}/ctdb/tests/onnode
+%{_datadir}/ctdb/tests/onnode/README
+%{_datadir}/ctdb/tests/onnode/0001.sh
+%{_datadir}/ctdb/tests/onnode/0002.sh
+%{_datadir}/ctdb/tests/onnode/0003.sh
+%{_datadir}/ctdb/tests/onnode/0004.sh
+%{_datadir}/ctdb/tests/onnode/0005.sh
+%{_datadir}/ctdb/tests/onnode/0006.sh
+%{_datadir}/ctdb/tests/onnode/0070.sh
+%{_datadir}/ctdb/tests/onnode/0071.sh
+%{_datadir}/ctdb/tests/onnode/0072.sh
+%{_datadir}/ctdb/tests/onnode/0075.sh
+%{_datadir}/ctdb/tests/onnode/functions
+%{_datadir}/ctdb/tests/onnode/nodes
+
+%dir %{_datadir}/ctdb/tests/onnode/scripts
+%{_datadir}/ctdb/tests/onnode/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/onnode/stubs
+%{_datadir}/ctdb/tests/onnode/stubs/ctdb
+%{_datadir}/ctdb/tests/onnode/stubs/onnode-buggy-001
+%{_datadir}/ctdb/tests/onnode/stubs/ssh
+
+%dir %{_datadir}/ctdb/tests/scripts
+%{_datadir}/ctdb/tests/scripts/common.sh
+%{_datadir}/ctdb/tests/scripts/integration.bash
+%{_datadir}/ctdb/tests/scripts/script_install_paths.sh
+%{_datadir}/ctdb/tests/scripts/test_wrap
+%{_datadir}/ctdb/tests/scripts/unit.sh
+
+%dir %{_datadir}/ctdb/tests/shellcheck
+%{_datadir}/ctdb/tests/shellcheck/base_scripts.sh
+%{_datadir}/ctdb/tests/shellcheck/ctdb_helpers.sh
+%{_datadir}/ctdb/tests/shellcheck/ctdbd_wrapper.sh
+%{_datadir}/ctdb/tests/shellcheck/event_scripts.sh
+%{_datadir}/ctdb/tests/shellcheck/functions.sh
+%{_datadir}/ctdb/tests/shellcheck/init_script.sh
+%{_datadir}/ctdb/tests/shellcheck/tools.sh
+
+%dir %{_datadir}/ctdb/tests/shellcheck/scripts
+%{_datadir}/ctdb/tests/shellcheck/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/simple
+%{_datadir}/ctdb/tests/simple/README
+%{_datadir}/ctdb/tests/simple/00_ctdb_init.sh
+%{_datadir}/ctdb/tests/simple/00_ctdb_onnode.sh
+%{_datadir}/ctdb/tests/simple/01_ctdb_version.sh
+%{_datadir}/ctdb/tests/simple/02_ctdb_listvars.sh
+%{_datadir}/ctdb/tests/simple/03_ctdb_getvar.sh
+%{_datadir}/ctdb/tests/simple/04_ctdb_setvar.sh
+%{_datadir}/ctdb/tests/simple/05_ctdb_listnodes.sh
+%{_datadir}/ctdb/tests/simple/06_ctdb_getpid.sh
+%{_datadir}/ctdb/tests/simple/07_ctdb_process_exists.sh
+%{_datadir}/ctdb/tests/simple/08_ctdb_isnotrecmaster.sh
+%{_datadir}/ctdb/tests/simple/09_ctdb_ping.sh
+%{_datadir}/ctdb/tests/simple/11_ctdb_ip.sh
+%{_datadir}/ctdb/tests/simple/12_ctdb_getdebug.sh
+%{_datadir}/ctdb/tests/simple/13_ctdb_setdebug.sh
+%{_datadir}/ctdb/tests/simple/14_ctdb_statistics.sh
+%{_datadir}/ctdb/tests/simple/15_ctdb_statisticsreset.sh
+%{_datadir}/ctdb/tests/simple/16_ctdb_config_add_ip.sh
+%{_datadir}/ctdb/tests/simple/17_ctdb_config_delete_ip.sh
+%{_datadir}/ctdb/tests/simple/18_ctdb_reloadips.sh
+%{_datadir}/ctdb/tests/simple/19_ip_takeover_noop.sh
+%{_datadir}/ctdb/tests/simple/20_delip_iface_gc.sh
+%{_datadir}/ctdb/tests/simple/23_ctdb_moveip.sh
+%{_datadir}/ctdb/tests/simple/24_ctdb_getdbmap.sh
+%{_datadir}/ctdb/tests/simple/25_dumpmemory.sh
+%{_datadir}/ctdb/tests/simple/26_ctdb_config_check_error_on_unreachable_ctdb.sh
+%{_datadir}/ctdb/tests/simple/27_ctdb_detach.sh
+%{_datadir}/ctdb/tests/simple/28_zero_eventscripts.sh
+%{_datadir}/ctdb/tests/simple/31_ctdb_disable.sh
+%{_datadir}/ctdb/tests/simple/32_ctdb_enable.sh
+%{_datadir}/ctdb/tests/simple/35_ctdb_getreclock.sh
+%{_datadir}/ctdb/tests/simple/41_ctdb_stop.sh
+%{_datadir}/ctdb/tests/simple/42_ctdb_continue.sh
+%{_datadir}/ctdb/tests/simple/43_stop_recmaster_yield.sh
+%{_datadir}/ctdb/tests/simple/51_message_ring.sh
+%{_datadir}/ctdb/tests/simple/52_fetch_ring.sh
+%{_datadir}/ctdb/tests/simple/53_transaction_loop.sh
+%{_datadir}/ctdb/tests/simple/54_transaction_loop_recovery.sh
+%{_datadir}/ctdb/tests/simple/55_ctdb_ptrans.sh
+%{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh
+%{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh
+%{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh
+%{_datadir}/ctdb/tests/simple/71_ctdb_wipedb.sh
+%{_datadir}/ctdb/tests/simple/72_update_record_persistent.sh
+%{_datadir}/ctdb/tests/simple/73_tunable_NoIPTakeover.sh
+%{_datadir}/ctdb/tests/simple/75_readonly_records_basic.sh
+%{_datadir}/ctdb/tests/simple/76_ctdb_pdb_recovery.sh
+%{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh
+%{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh
+%{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
+%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
+%{_datadir}/ctdb/tests/simple/functions
+# This is a dangling symlink but needed for testing
+%{_datadir}/ctdb/tests/simple/nodes
+
+%dir %{_datadir}/ctdb/tests/simple/scripts
+%{_datadir}/ctdb/tests/simple/scripts/local.bash
+%{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash
+
+%dir %{_datadir}/ctdb/tests/takeover
+%{_datadir}/ctdb/tests/takeover/README
+%{_datadir}/ctdb/tests/takeover/det.001.sh
+%{_datadir}/ctdb/tests/takeover/det.002.sh
+%{_datadir}/ctdb/tests/takeover/det.003.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.001.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.002.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.003.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.004.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.005.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.006.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.007.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.008.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.009.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.010.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.011.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.012.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.013.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.014.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.015.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.016.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.017.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.018.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.019.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.022.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.023.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.024.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.025.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.026.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.027.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.028.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.029.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.030.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.031.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.032.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.033.sh
+%{_datadir}/ctdb/tests/takeover/nondet.001.sh
+%{_datadir}/ctdb/tests/takeover/nondet.002.sh
+%{_datadir}/ctdb/tests/takeover/nondet.003.sh
+
+%dir %{_datadir}/ctdb/tests/takeover/scripts
+%{_datadir}/ctdb/tests/takeover/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/takeover_helper
+%{_datadir}/ctdb/tests/takeover_helper/000.sh
+%{_datadir}/ctdb/tests/takeover_helper/010.sh
+%{_datadir}/ctdb/tests/takeover_helper/011.sh
+%{_datadir}/ctdb/tests/takeover_helper/012.sh
+%{_datadir}/ctdb/tests/takeover_helper/013.sh
+%{_datadir}/ctdb/tests/takeover_helper/014.sh
+%{_datadir}/ctdb/tests/takeover_helper/015.sh
+%{_datadir}/ctdb/tests/takeover_helper/016.sh
+%{_datadir}/ctdb/tests/takeover_helper/017.sh
+%{_datadir}/ctdb/tests/takeover_helper/018.sh
+%{_datadir}/ctdb/tests/takeover_helper/019.sh
+%{_datadir}/ctdb/tests/takeover_helper/020.sh
+%{_datadir}/ctdb/tests/takeover_helper/021.sh
+%{_datadir}/ctdb/tests/takeover_helper/022.sh
+%{_datadir}/ctdb/tests/takeover_helper/023.sh
+%{_datadir}/ctdb/tests/takeover_helper/024.sh
+%{_datadir}/ctdb/tests/takeover_helper/025.sh
+%{_datadir}/ctdb/tests/takeover_helper/026.sh
+%{_datadir}/ctdb/tests/takeover_helper/027.sh
+%{_datadir}/ctdb/tests/takeover_helper/028.sh
+%{_datadir}/ctdb/tests/takeover_helper/110.sh
+%{_datadir}/ctdb/tests/takeover_helper/111.sh
+%{_datadir}/ctdb/tests/takeover_helper/120.sh
+%{_datadir}/ctdb/tests/takeover_helper/121.sh
+%{_datadir}/ctdb/tests/takeover_helper/122.sh
+%{_datadir}/ctdb/tests/takeover_helper/130.sh
+%{_datadir}/ctdb/tests/takeover_helper/131.sh
+%{_datadir}/ctdb/tests/takeover_helper/132.sh
+%{_datadir}/ctdb/tests/takeover_helper/140.sh
+%{_datadir}/ctdb/tests/takeover_helper/150.sh
+%{_datadir}/ctdb/tests/takeover_helper/160.sh
+%{_datadir}/ctdb/tests/takeover_helper/210.sh
+%{_datadir}/ctdb/tests/takeover_helper/211.sh
+%{_datadir}/ctdb/tests/takeover_helper/220.sh
+%{_datadir}/ctdb/tests/takeover_helper/230.sh
+%{_datadir}/ctdb/tests/takeover_helper/240.sh
+%{_datadir}/ctdb/tests/takeover_helper/250.sh
+%{_datadir}/ctdb/tests/takeover_helper/260.sh
+
+%dir %{_datadir}/ctdb/tests/takeover_helper/scripts
+%{_datadir}/ctdb/tests/takeover_helper/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/tool
+%{_datadir}/ctdb/tests/tool/README
+%{_datadir}/ctdb/tests/tool/ctdb.ban.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ban.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ban.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.continue.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.continue.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.continue.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disablemonitor.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enable.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enable.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enable.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enablemonitor.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbmap.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getmonmode.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getpid.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getreclock.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getreclock.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getvar.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getvar.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ifaces.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.007.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.listnodes.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.listnodes.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.listvars.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.007.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.008.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.007.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.008.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ping.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.pnn.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.process-exists.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.recmaster.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.recmaster.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.recover.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.011.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.012.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.013.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.014.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.015.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.016.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.017.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.018.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.019.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.020.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.021.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.023.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.024.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdebug.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdebug.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdebug.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setifacelink.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setifacelink.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setvar.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setvar.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.status.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.status.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.stop.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.stop.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.stop.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.unban.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.unban.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.unban.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.uptime.001.sh
+
+%dir %{_datadir}/ctdb/tests/tool/scripts
+%{_datadir}/ctdb/tests/tool/scripts/local.sh
+
+%endif # with_clustering_support
+
+%changelog
+* Fri Nov 17 2017 Andreas Schneider - 4.6.2-12
+- resolves: #1514314 - Fix CVE-2017-14746 and CVE-2017-15275
+
+* Thu Sep 14 2017 Andreas Schneider - 4.6.2-11
+- resolves: #1491213 - CVE-2017-12150 CVE-2017-12151 CVE-2017-12163
+
+* Wed Aug 23 2017 Andreas Schneider - 4.6.2-10
+- resolves: #1484423 - Require at least krb5 version 1.15.1
+- resolves: #1484713 - Fix password changes for users via smbpasswd
+- resolves: #1484723 - Be more graceful on FSCTL_VALIDATE_NEGOTIATE_INFO
+ returned errors
+
+* Mon Aug 14 2017 Andreas Schneider - 4.6.2-9
+- resolves: #1481188 - Fix 'net ads changetrustpw'
+
+* Thu Jun 22 2017 Andreas Schneider - 4.6.2-8
+- resolves: #1459936 - Fix regression with "follow symlinks = no"
+
+* Tue Jun 20 2017 Andreas Schneider - 4.6.2-7
+- resolves: #1461336 - Fix smbclient username parsing
+- resolves: #1460937 - Fix username normalization with winbind
+
+* Tue Jun 13 2017 Andreas Schneider - 4.6.2-6
+- resolves: #1459179 - Fix smbclient session setup printing
+
+* Wed Jun 07 2017 Andreas Schneider - 4.6.2-5
+- related: #1277999 - Add missing patchset
+
+* Wed May 31 2017 Andreas Schneider - 4.6.2-4
+- resolves: #1431986 - Fix expand_msdfs VFS module
+
+* Thu May 18 2017 Guenther Deschner - 4.6.2-3
+- resolves: #1450785 - Security fix for CVE-2017-7494
+
+* Tue May 09 2017 Andreas Schneider - 4.6.2-2
+- resolves: #1448544 - Fix spoolss 32bit driver upload
+
+* Mon Apr 03 2017 Andreas Schneider - 4.6.2-1
+- resolves: #1435734 - Fix refreshing winbind tickets
+
+* Fri Mar 31 2017 Guenther Deschner - 4.6.2-0
+- Update to Samba 4.6.2
+- related: #1430260 - Security fix for CVE-2017-2619
+
+* Thu Mar 23 2017 Guenther Deschner - 4.6.1-0
+- Update to Samba 4.6.1
+- resolves: #1430260 - Security fix for CVE-2017-2619
+
+* Tue Mar 21 2017 Andreas Schneider - 4.6.0-5
+- related: #1391954 - Fix kerberos cross-realm referrals
+- resolves: #1430755 - Fix 'net ads' keytab handling
+
+* Wed Mar 15 2017 Alexander Bokovoy - 4.6.0-4
+- Export internal arcfour_crypt_blob in Python as samba.arcfour_encrypt
+- related: #1391954 - Update to Samba 4.6.0
+
+* Fri Mar 10 2017 Alexander Bokovoy - 4.6.0-3
+- Ensure we set realm when updating ccache in auth/credentials
+- resolves: #1430759 - use GSSAPI gss_acquire_cred_from call for gssproxy support
+
+* Fri Mar 10 2017 Alexander Bokovoy - 4.6.0-2
+- resolves: #1430759 - use GSSAPI gss_acquire_cred_from call for gssproxy support
+
+* Tue Mar 07 2017 Andreas Schneider - 4.6.0-1
+- related: #1391954 - Update to Samba 4.6.0
+- resolves: #1401505 - Improved idmap_hash documentation
+- resolves: #1218926 - Samba ignores default_keytab_name in krb5.conf
+- resolves: #1389786 - Add 'net ads dns unregister'
+
+* Thu Mar 02 2017 Andreas Schneider - 4.6.0-0.1.rc4
+- related: #1391954 - Update to Samba 4.6.0rc4
+- resolves: #1420130 - samba_krb5_wrapper does not list devices when called with
+ no arguments
+- resolves: #1277999 - Change RPC port range to Windows defaults
+
+* Wed Feb 15 2017 Andreas Schneider - 4.6.0-0.1.rc3
+- resolves: #1391954 - Update to Samba 4.6.0rc3
+- resolves: #1271082 - Wrong groups listed when id command is called before login
+- resolves: #1327810 - Use 'printcap cache time' for the house keeping interval
+- resolves: #1356932 - Improve documentation for 'ldap ssl' in smb.conf manpage
+- resolves: #1365111 - Fix printer removal if "List in Directory" checkbox is
+ unticked and printer is not listed in AD
+- resolves: #1368439 - Fix ntlm_auth wrong password issues
+- resolves: #1397871 - Include the system krb5.conf in winbinds generated conf
+- resolves: #1397891 - Fix marsalling of spoolss SetPrinter info level 2
+- resolves: #1397895 - Add missing support APD_COPY_FROM_DIRECTORY in
+ AddPrinterDriver
+- resolves: #1403242 - Samba can not access trusted domains through transitive
+ trusts
+- resolves: #1403975 - Fix trusted domain logins
+- resolves: #1411978 - Include the system krb5.conf in winbinds generated conf
+- resolves: #1416746 - Fix division by zero error in ctdb 05.system event script
+
+* Tue Nov 15 2016 Andreas Schneider - 4.4.4-11
+- related: #1377729 - Fix return code if ip not defined in gethostbyname
+
+* Wed Nov 09 2016 Andreas Schneider - 4.4.4-11
+- related: #1377307 - Add missing patch to patchset
+
+* Tue Nov 08 2016 Andreas Schneider - 4.4.4-10
+- resolves: #1377690 - Fix linking nss_wins with libreplace
+- resolves: #1377729 - Fix nss_wins function definitions for gethostbyname*
+- resolves: #1377307 - Fix %G substitution in AD case
+- resolves: #1377751 - Fix regression of smbclient unable to connect to
+ Apple and Azure
+
+* Wed Aug 31 2016 Andreas Schneider - 4.4.4-9
+- related: #1365479 - Fix idmap range check
+
+* Fri Aug 26 2016 Andreas Schneider - 4.4.4-8
+- related: #1193493 - Fix smbget url credentials parsing
+
+* Tue Aug 23 2016 Andreas Schneider - 4.4.4-7
+- resolves: #1365479 - Fix idmap range checks for ad and hash backend
+
+* Tue Aug 16 2016 Andreas Schneider - 4.4.4-6
+- resolves: #1367316 - Increase required Kerbersion version number
+- resolves: #1366477 - Fix using the right krb5 ccache in libads
+- resolves: #1356501 - Fix high CPU usage with smbclient connection to
+ non-reachable IP
+
+* Wed Aug 03 2016 Andreas Schneider - 4.4.4-5
+- resolves: #1359091 - Package /usr/lib/samba/ldb in the common-libs package
+- resolves: #1360788 - Fix multilib issue with ctdb-tests package
+- resolves: #1362385 - Fix Samba ignoring supplementary groups
+- resolves: #1364051 - Fix smbd panic with stale ctdb entries
+
+* Mon Jul 04 2016 Andreas Schneider - 4.4.4-4
+- resolves: #1351655 - Fix winbind meomory leak with each cached credentials
+ login
+- resolves: #1351961 - Fix CVE-2016-2119
+
+* Thu Jun 23 2016 Andreas Schneider - 4.4.4-3
+- related: #1260214 - Correctly warn about missing realm for ad domains
+ with 'security=domain'
+
+* Tue Jun 21 2016 Andreas Schneider - 4.4.4-2
+- resolves: #1348223 - Fix sasl wrapped ldap connections
+
+* Wed Jun 08 2016 Andreas Schneider - 4.4.4-1
+- resolves: #1303076 - Rebase Samba to version 4.4.4
+- resolves: #1314673 - Fix CVE-2015-7560
+- resolves: #1263322 - Add '--no-dns-updates' option to 'net ads join'
+- resolves: #1264433 - Fix segfault in pam_winbind.so with invalid config
+ options
+- resolves: #1193504 - Fix smbget to retrieve files recursively
+- resolves: #1193502 - Fix smbget to use command line credentials
+- resolves: #1193493 - Fix smbget url credentials parsing
+- resolves: #1273999 - Support printing with Kerberos credentials on newer
+ CUPS versions
+- resolves: #1296821 - Define /etc/pam.d/samba as a non replaceable config
+- resolves: #1261107 - Fix memory leak because of missing talloc stackframe
+- resolves: #1333562 - Fix memory leak after smbc_free_context()
+- resolves: #1315422 - Fix regression from CVE-2015-5252
+- resolves: #1316899 - Fixed idmap_hash module issues when used with others
+- resolves: #1322691 - Fix badlock related bugs
+- Fix CVE-2015-5370
+- Fix CVE-2016-2110
+- Fix CVE-2016-2111
+- Fix CVE-2016-2112
+- Fix CVE-2016-2113
+- Fix CVE-2016-2114
+- Fix CVE-2016-2115
+- Fix CVE-2016-2118
+- resolves: #1327951 - Fix regression with anonymous connections from OS X
+- resolves: #1327845 - Fix pcap_cache_reload() with spoolssd
+- resolves: #1289640 - Fix ctdb selinux issue with read only tracking dbs
+- resolves: #1341208 - Fix enumerating groups over NSS with idmap_ad
+- resolves: #1345827 - Fix resolving trusted domain users on domain member
+- resolves: #1346334 - Fix typo in smb.conf.example
+- resolves: #1335292 - Fix site-aware 'net ads join -k'
+- resolves: #1260214 - Accept empty realm for ad domains with 'security=domain'
+
+* Tue May 24 2016 Guenther Deschner - 4.2.10-8
+- Fix krb5 encryption type setup during join (as admin and non-admin user)
+- resolves: #1312109
+
+* Mon May 02 2016 Alexander Bokovoy - 4.2.10-7
+- Fix regressions introduced with security tightening as part of Badlock release
+- resolves: #1330199
+
+* Tue Apr 12 2016 Alexander Bokovoy - 4.2.10-6
+- Fix domain member winbind not being able to talk to trusted domains' DCs
+- relates: #1322691
+
+* Mon Apr 11 2016 Alexander Bokovoy - 4.2.10-5
+- Fix crash in smb.conf processing
+- relates: #1322691
+
+* Fri Apr 08 2016 Alexander Bokovoy - 4.2.10-4
+- Fix LDAP SASL bind with arcfour-hmac-md5
+- resolves: #1322691
+
+* Thu Apr 07 2016 Alexander Bokovoy - 4.2.10-3
+- Make sure the package owns /var/lib/samba and uses it for cache purposes
+- resolves: #1322691
+
+* Wed Apr 06 2016 Alexander Bokovoy - 4.2.10-2
+- Remove ldb modules and internal libraries for DC when not packaging DC build
+- resolves: #1322691
+
+* Mon Apr 04 2016 Alexander Bokovoy - 4.2.10-1
+- resolves: #1322691
+
+* Fri Mar 04 2016 Andreas Schneider - 4.2.3-12
+- resolves: #1314673 - Fix CVE-2015-7560
+
+* Fri Dec 11 2015 Guenther Deschner - 4.2.3-11
+- resolves: #1290711
+- CVE-2015-3223 Remote DoS in Samba (AD) LDAP server
+- CVE-2015-5299 Missing access control check in shadow copy code
+- CVE-2015-5252 Insufficient symlink verification in smbd
+- CVE-2015-5296 Samba client requesting encryption vulnerable to
+ downgrade attack
+
+* Tue Oct 27 2015 Andreas Schneider - 4.2.3-10
+- related: #1273393 - Fix use after free with nss_wins module loaded
+
+* Thu Oct 22 2015 Andreas Schneider - 4.2.3-9
+- resolves: #1273912 - Fix dependencies to samba-common
+- resolves: #1273393 - Fix user after free in smb name resolution
+
+* Wed Oct 21 2015 Andreas Schneider - 4.2.3-8
+- resolves: #1271608 - Fix upgrade path from previous rhel version
+
+* Tue Sep 01 2015 Andreas Schneider - 4.2.3-7
+- resolves: #1258293 - Fix quota on XFS filesystems
+
+* Mon Aug 24 2015 Andreas Schneider - 4.2.3-6
+- resolves: #1255322 - Fix 'map to guest = Bad uid' option
+- resolves: #1255326 - Fix segfault with 'mangling method = hash'
+
+* Wed Aug 19 2015 Andreas Schneider - 4.2.3-5
+- resolves: #1253193 - Fix 'force group'
+
+* Wed Jul 29 2015 Andreas Schneider - 4.2.3-4
+- resolves: #1246166 - Fix a 'net ads keytab' segfault
+
+* Tue Jul 21 2015 Andreas Schneider - 4.2.3-3
+- resolves: #1225719 - Fix possible segfault if we can't connect to the DC
+
+* Mon Jul 20 2015 Andreas Schneider - 4.2.3-2
+- resolves: #1238194 - Fix the 'dfree command'
+- resolves: #1216062 - Document netbios name length limitation
+
+* Tue Jul 14 2015 Andreas Schneider - 4.2.3-1
+- related: #1196140 - Rebase to version 4.2.3
+- resolves: #1237036 - Fix DCERPC PDU calculation
+- resolves: #1237039 - Fix winbind request cancellation
+- resolves: #1223981 - Fix possible segfault with smbX protocol setting
+
+* Mon Jun 22 2015 Andreas Schneider - 4.2.2-3
+- resolves: #1228809 - Allow reauthentication without signing
+
+* Thu Jun 18 2015 Andreas Schneider - 4.2.2-2
+- related: #1196140 - Add missing build dependency for libarchive
+- related: #1196140 - Make sure we do a hardened build
+
+* Wed Jun 17 2015 Andreas Schneider - 4.2.2-1
+- resolves: #1196140 - Rebase Samba to version 4.2.2
+- resolves: #1186403 - Split patches to fix multiarch conflicts
+- resolves: #1167325 - Retrieve printer GUID from AD if it is not in the
+ registry
+- resolves: #1220174 - Fix issues with winbind library dependencies
+- resolves: #1211658 - Fix stale cache entries on printer rename
+- resolves: #1228809 - Fix reconnect on session exparation
+
+* Tue May 12 2015 - Guenther Deschner - 4.1.12-22
+- resolves: #1202347 - Fix NETLOGON authentication without winbindd.
+
+* Thu Apr 09 2015 Andreas Schneider - 4.1.12-21
+- related: #1205703 - Rebuild Samba with new binutils package.
+
+* Thu Apr 02 2015 Andreas Schneider - 4.1.12-20
+- resolves: #1205703 - Fix build with RELRO support.
+
+* Mon Feb 16 2015 - Guenther Deschner - 4.1.12-19
+- related: #1191341 - Update patchset for CVE-2015-0240.
+
+* Thu Feb 12 2015 - Guenther Deschner - 4.1.12-18
+- resolves: #1191341 - CVE-2015-0240: RCE in netlogon server.
+
+* Fri Jan 09 2015 - Andreas Schneider - 4.1.12-17
+- related: #1177768 - Add missing requires to libwbclient.
+
+* Thu Jan 08 2015 Andreas Schneider - 4.1.12-16
+- related: #1177768 - Add missing requires to libwbclient.
+
+* Thu Jan 08 2015 Andreas Schneider - 4.1.12-15
+- resolves: #1177768 - Fix possible segfault with 'net ads kerberos pac dump'.
+
+* Tue Dec 16 2014 - Andreas Schneider - 4.1.12-14
+- resolves: #1171689 - Fix smbstatus if executed as user to print error message.
+
+* Fri Dec 12 2014 - Andreas Schneider - 4.1.12-13
+- resolves: #1172089 - Fix 'net rpc join' with schannel changes.
+- resolves: #1170883 - Fix 'net time system' segfault.
+
+* Tue Nov 25 2014 - Andreas Schneider - 4.1.12-12
+- related: #1162526 - Fix multilib with using alternatives for libwbclient.
+
+* Tue Nov 25 2014 - Andreas Schneider - 4.1.12-11
+- resolves: #1163748 - Fix smbclient -L fails against new Windows versions
+ over TCP.
+- resolves: #1167849 - Fix smbstatus --profile always returning EXIT_FAILURE.
+
+* Thu Nov 20 2014 - Andreas Schneider - 4.1.12-10
+- related: #1162526 - Fix multilib with using alternatives for libwbclient.
+
+* Thu Nov 20 2014 - Andreas Schneider - 4.1.12-9
+- resolves: #1162552 - Fix net ads join segfault on big endian systems.
+- resolves: #1164203 - Fix net ads join segfault with existing keytab.
+
+* Thu Nov 13 2014 - Guenther Deschner - 4.1.12-8
+- related: #1162526 - Fix multilib issues when using alternatives for libwbclient.
+
+* Wed Nov 12 2014 - Andreas Schneider - 4.1.12-7
+- resolves: #1162526 - Use alternatives for libwbclient.
+
+* Mon Nov 03 2014 - Andreas Schneider - 4.1.12-6
+- related: #1156391 - Fix netbios name truncation during registration.
+
+* Wed Oct 29 2014 - Andreas Schneider - 4.1.12-5
+- resolves: #1156391 - Fix netbios name truncation during registration.
+
+* Thu Oct 09 2014 - Guenther Deschner - 4.1.12-4
+- related: #1117770 - Fix empty full_name field with samlogon.
+
+* Fri Sep 26 2014 - Guenther Deschner - 4.1.12-3
+- resolves: #878351 - Fix usage of AES keys by default.
+- resolves: #861366 - Fix KRB5 locator to use same KDC for joining and DNS update.
+
+* Tue Sep 16 2014 - Andreas Schneider - 4.1.12-2
+- resolves: #1138554 - Fix consuming a lot of CPU when re-reading printcap info.
+- resolves: #1134323 - Fix running Samba on little endian Power8 (ppc64le).
+- resolves: #1113064 - Fix case sensitivity options with SMB2 protocols.
+- resolves: #1088924 - Fix applying ACL masks when setting ACLs.
+- resolves: #1135723 - Fix 'force user' regression.
+- resolves: #1117770 - Fix empty full_name field with samlogon.
+- resolves: #1101210 - Fix telling systemd that nmbd is waiting for interfaces.
+- resolves: #1127931 - Fix getgroups() with idmap_ad returning non-mapped groups.
+- resolves: #1144963 - Fix idmap_ad with SFU against trusted domains.
+- resolves: #1140568 - Fix a segfault in the smbclient echo command.
+- resolves: #1089940 - Improve service principal guessing in 'net ads'.
+- resolves: #955561 - Fix overwriting of SPNs in AD during 'net ads join'.
+- resolves: #955562 - Add precreated SPNS from AD during keytab initialization.
+
+* Mon Sep 08 2014 - Andreas Schneider - 4.1.12-1
+- related: #1110820 - Rebase Samba to latest release.
+
+* Tue Aug 26 2014 - Andreas Schneider - 4.1.11-1
+- resolves: #1110820 - Rebase Samba to latest release.
+
+* Mon Aug 25 2014 - Andreas Schneider - 4.1.1-37
+- resolves: #1072352 - Make pidl a noarch subpackage.
+- resolves: #1133516 - Create a samba-test-libs package.
+- resolves: #1132873 - Add support to rebuild without clustering.
+
+* Fri Aug 01 2014 - Guenther Deschner - 4.1.1-36
+- resolves: #1126014 - CVE-2014-3560: remote code execution in nmbd.
+
+* Wed Jul 02 2014 - Guenther Deschner - 4.1.1-35
+- resolves: #1115060 - Fix potential Samba file corruption.
+
+* Wed Jun 11 2014 - Guenther Deschner - 4.1.1-34
+- resolves: #1105505 - CVE-2014-0244: DoS in nmbd.
+- resolves: #1108845 - CVE-2014-3493: DoS in smbd with unicode path names.
+- resolves: #1105574 - CVE-2014-0178: Uninitialized memory exposure.
+
+* Mon May 05 2014 - Andreas Schneider - 4.1.1-33
+- related: #717484 - Add missing configure line to enable profiling data support.
+
+* Tue Apr 22 2014 - Guenther Deschner - 4.1.1-32
+- related: #1082653 - Reuse IPv6 address during the AD domain join.
+
+* Thu Apr 03 2014 - Guenther Deschner - 4.1.1-31
+- resolves: #1082653 - Add IPv6 workaround for MIT kerberos.
+
+* Thu Apr 03 2014 - Alexander Bokovoy - 4.1.1-30
+- resolves: #1083859 - Force KRB5CCNAME in Samba systemd units.
+- related: #1082598 - Fully enables systemd integration.
+
+* Tue Apr 01 2014 - Andreas Schneider - 4.1.1-29
+- resolves: #1082598 - Add missing BuildRequires for systemd-devel.
+
+* Wed Mar 26 2014 - Andreas Schneider - 4.1.1-28
+- resolves: #1077918 - Make daemons systemd aware.
+
+* Mon Mar 24 2014 - Andreas Schneider - 4.1.1-27
+- resolves: #1077857 - Fix internal error received while adding trust.
+
+* Fri Mar 21 2014 - Guenther Deschner - 4.1.1-26
+- resolves: #1079008 - Fix fragmented rpc handling.
+
+* Tue Mar 18 2014 - Andreas Schneider - 4.1.1-25
+- resolves: #1077651 - Fix 'force user' option for shares.
+
+* Wed Mar 12 2014 - Guenther Deschner - 4.1.1-24
+- resolves: #1053748 - Enhance "net ads kerberos pac" tool.
+
+* Mon Mar 10 2014 - Andreas Schneider - 4.1.1-23
+- resolves: #1072804 - Fix CVE-2013-4496.
+- resolves: #1072804 - Fix CVE-2013-6442.
+
+* Fri Mar 07 2014 - Guenther Deschner - 4.1.1-22
+- resolves: #1024788 - Fix joining over IPv6.
+
+* Tue Mar 04 2014 - Andreas Schneider - 4.1.1-21
+- resolves: #1066536 - Fix NBT queries with more than 9 or more components.
+
+* Thu Feb 27 2014 - Andreas Schneider - 4.1.1-20
+- resolves: #1070692 - Don't package perl(Parse::Yapp::Driver)
+
+* Tue Feb 25 2014 - Andreas Schneider - 4.1.1-19
+- related: #1067606 - Add missing directories.
+
+* Tue Feb 25 2014 - Andreas Schneider - 4.1.1-18
+- related: #1067606 - Fix installation of pidl files.
+
+* Tue Feb 25 2014 - Andreas Schneider - 4.1.1-17
+- resolves: #1067606 - Fix wbinfo with one-way trust.
+- resolves: #1069569 - Fix memory leak reading the printer list.
+
+* Thu Feb 20 2014 - Andreas Schneider - 4.1.1-16
+- resolves: #1063186 - Fix force_user with security=ads.
+
+* Wed Feb 05 2014 - Andreas Schneider - 4.1.1-15
+- resolves: #1029001 - Fix force_user with security=ads.
+
+* Tue Jan 28 2014 Daniel Mach - 4.1.1-14
+- Mass rebuild 2014-01-24
+
+* Mon Jan 13 2014 - Andreas Schneider - 4.1.1-13
+- resolves: #1051582 - Fix warnings an resource leaks reported by rpmdiff.
+
+* Fri Jan 10 2014 - Andreas Schneider - 4.1.1-12
+- resolves: #1050886 - Fix full CPU utilization in winbindd.
+- resolves: #1051400 - Fix segfault in smbd.
+- resolves: #1051402 - Fix SMB2 server panic when a smb2 brlock times out.
+
+* Thu Jan 09 2014 - Andreas Schneider - 4.1.1-11
+- resolves: #1042845 - Do not build with libbsd.
+
+* Fri Dec 27 2013 Daniel Mach - 4.1.1-10
+- Mass rebuild 2013-12-27
+
+* Wed Dec 11 2013 - Andreas Schneider - 4.1.1-9
+- resolves: #1033122 - Fix dropbox regression.
+- resolves: #1040464 - Fix %G substituion for config parameters.
+
+* Wed Dec 11 2013 - Guenther Deschner - 4.1.1-8
+- resolves: #1040052 - Fix winbind debug message NULL pointer derreference.
+
+* Mon Dec 09 2013 - Andreas Schneider - 4.1.1-7
+- resolves: #1039499 - Fix CVE-2012-6150.
+
+* Fri Nov 29 2013 - Guenther Deschner - 4.1.1-6
+- resolves: #1033109 - Fix winbind cache keysize limitations.
+
+* Wed Nov 27 2013 - Andreas Schneider - 4.1.1-5
+- resolves: #1034160 - Make sure we don't build the fam notify module.
+
+* Mon Nov 25 2013 - Andreas Schneider - 4.1.1-4
+- resolves: #1034048 - Fix group name substitution in template homedir.
+- resolves: #1018041 - Fix CVE-2013-4408.
+- related: #884169 - Fix several covscan warnings.
+
+* Mon Nov 18 2013 - Guenther Deschner - 4.1.1-3
+- resolves: #948509 - Fix manpage correctness.
+
+* Fri Nov 15 2013 - Andreas Schneider - 4.1.1-2
+- related: #884169 - Fix strict aliasing warnings.
+
+* Mon Nov 11 2013 - Andreas Schneider - 4.1.1-1
+- resolves: #1024543 - Fix CVE-2013-4475.
+- Update to Samba 4.1.1.
+
+* Mon Nov 11 2013 - Andreas Schneider - 4.1.0-5
+- related: #884169 - Fix the upgrade path.
+
+* Wed Oct 30 2013 - Andreas Schneider - 4.1.0-4
+- related: #884169 - Add direct dependency to samba-libs in the
+ glusterfs package.
+- resolves: #996567 - Fix userPrincipalName composition.
+- related: #884169 - Fix memset call with zero length in in ntdb.
+
+* Fri Oct 18 2013 - Andreas Schneider - 4.1.0-3
+- resolves: #1019384 - Build glusterfs VFS plguin.
+
+* Tue Oct 15 2013 - Andreas Schneider - 4.1.0-2
+- related: #1014656 - Fix dependency of samba-winbind-modules package.
+
+* Fri Oct 11 2013 - Andreas Schneider - 4.1.0-1
+- related: #985609 - Update to Samba 4.1.0.
+
+* Tue Oct 01 2013 - Andreas Schneider - 2:4.1.0-0.8
+- related: #985609 - Update to Samba 4.1.0rc4.
+- resolves: #1014656 - Split out a samba-winbind-modules package.
+
+* Wed Sep 11 2013 - Andreas Schneider - 2:4.1.0-0.7
+- related: #985609 - Update to Samba 4.1.0rc3.
+- resolves: #1005422 - Add support for KEYRING ccache type in pam_winbindd.
+
+* Wed Sep 04 2013 - Andreas Schneider - 2:4.1.0-0.6
+- resolves: #717484 - Enable profiling data support.
+
+* Thu Aug 22 2013 - Guenther Deschner - 2:4.1.0-0.5
+- resolves: #996160 - Fix winbind with trusted domains.
+
+* Wed Aug 14 2013 - Andreas Schneider 2:4.1.0-0.4
+- resolves: #996160 - Fix winbind nbt name lookup segfault.
+
+* Mon Aug 12 2013 - Andreas Schneider - 2:4.1.0-0.3
+- related: #985609 - Update to Samba 4.1.0rc2.
+
+* Wed Jul 24 2013 - Andreas Schneider - 2:4.1.0-0.2
+- resolves: #985985 - Fix file conflict between samba and wine.
+- resolves: #985107 - Add support for new default location for Kerberos
+ credential caches.
+
+* Sat Jul 20 2013 Petr Pisar - 2:4.1.0-0.1.rc1.1
+- Perl 5.18 rebuild
+
+* Wed Jul 17 2013 - Andreas Schneider - 2:4.1.0-0.1
+- Update to Samba 4.1.0rc1.
+- resolves: #985609
+
+* Mon Jul 15 2013 - Andreas Schneider - 2:4.0.7-2
+- resolves: #972692 - Build with PIE and full RELRO.
+- resolves: #884169 - Add explicit dependencies suggested by rpmdiff.
+- resolves: #981033 - Local user's krb5cc deleted by winbind.
+- resolves: #984331 - Fix samba-common tmpfiles configuration file in wrong
+ directory.
+
+* Wed Jul 03 2013 - Andreas Schneider - 2:4.0.7-1
+- Update to Samba 4.0.7.
+
+* Fri Jun 07 2013 - Andreas Schneider - 2:4.0.6-3
+- Add UPN enumeration to passdb internal API (bso #9779).
+
+* Wed May 22 2013 - Andreas Schneider - 2:4.0.6-2
+- resolves: #966130 - Fix build with MIT Kerberos.
+- List vfs modules in spec file.
+
+* Tue May 21 2013 - Andreas Schneider - 2:4.0.6-1
+- Update to Samba 4.0.6.
+- Remove SWAT.
+
+* Wed Apr 10 2013 - Andreas Schneider - 2:4.0.5-1
+- Update to Samba 4.0.5.
+- Add UPN enumeration to passdb internal API (bso #9779).
+- resolves: #928947 - samba-doc is obsolete now.
+- resolves: #948606 - LogRotate should be optional, and not a hard "Requires".
+
+* Fri Mar 22 2013 - Andreas Schneider - 2:4.0.4-3
+- resolves: #919405 - Fix and improve large_readx handling for broken clients.
+- resolves: #924525 - Don't use waf caching.
+
+* Wed Mar 20 2013 - Andreas Schneider - 2:4.0.4-2
+- resolves: #923765 - Improve packaging of README files.
+
+* Wed Mar 20 2013 - Andreas Schneider - 2:4.0.4-1
+- Update to Samba 4.0.4.
+
+* Mon Mar 11 2013 - Andreas Schneider - 2:4.0.3-4
+- resolves: #919333 - Create /run/samba too.
+
+* Mon Mar 04 2013 - Andreas Schneider - 2:4.0.3-3
+- Fix the cache dir to be /var/lib/samba to support upgrades.
+
+* Thu Feb 14 2013 - Andreas Schneider - 2:4.0.3-2
+- resolves: #907915 - libreplace.so => not found
+
+* Thu Feb 07 2013 - Andreas Schneider - 2:4.0.3-1
+- Update to Samba 4.0.3.
+- resolves: #907544 - Add unowned directory /usr/lib64/samba.
+- resolves: #906517 - Fix pidl code generation with gcc 4.8.
+- resolves: #908353 - Fix passdb backend ldapsam as module.
+
+* Wed Jan 30 2013 - Andreas Schneider - 2:4.0.2-1
+- Update to Samba 4.0.2.
+- Fixes CVE-2013-0213.
+- Fixes CVE-2013-0214.
+- resolves: #906002
+- resolves: #905700
+- resolves: #905704
+- Fix conn->share_access which is reset between user switches.
+- resolves: #903806
+- Add missing example and make sure we don't introduce perl dependencies.
+- resolves: #639470
+
+* Wed Jan 16 2013 - Andreas Schneider - 2:4.0.1-1
+- Update to Samba 4.0.1.
+- Fixes CVE-2013-0172.
+
+* Mon Dec 17 2012 - Andreas Schneider - 2:4.0.0-174
+- Fix typo in winbind-krb-locator post uninstall script.
+
+* Tue Dec 11 2012 - Andreas Schneider - 2:4.0.0-173
+- Update to Samba 4.0.0.
+
+* Thu Dec 06 2012 - Andreas Schneider - 2:4.0.0-171.rc6
+- Fix typo in winbind-krb-locator post uninstall script.
+
+* Tue Dec 04 2012 - Andreas Schneider - 2:4.0.0-170.rc6
+- Update to Samba 4.0.0rc6.
+- Add /etc/pam.d/samba for swat to work correctly.
+- resolves #882700
+
+* Fri Nov 23 2012 Guenther Deschner - 2:4.0.0-169.rc5
+- Make sure ncacn_ip_tcp client code looks for NBT_NAME_SERVER name types.
+
+* Thu Nov 15 2012 - Andreas Schneider - 2:4.0.0-168.rc5
+- Reduce dependencies of samba-devel and create samba-test-devel package.
+
+* Tue Nov 13 2012 - Andreas Schneider - 2:4.0.0-167.rc5
+- Use workaround for winbind default domain only when set.
+- Build with old ctdb support.
+
+* Tue Nov 13 2012 - Andreas Schneider - 2:4.0.0-166.rc5
+- Update to Samba 4.0.0rc5.
+
+* Mon Nov 05 2012 - Andreas Schneider - 2:4.0.0-165.rc4
+- Fix library dependencies of libnetapi.
+
+* Mon Nov 05 2012 - Andreas Schneider - 2:4.0.0-164.rc4
+- resolves: #872818 - Fix perl dependencies.
+
+* Tue Oct 30 2012 - Andreas Schneider - 2:4.0.0-163.rc4
+- Update to Samba 4.0.0rc4.
+
+* Mon Oct 29 2012 - Andreas Schneider - 2:4.0.0-162.rc3
+- resolves: #870630 - Fix scriptlets interpeting a comment as argument.
+
+* Fri Oct 26 2012 - Andreas Schneider - 2:4.0.0-161.rc3
+- Add missing Requries for python modules.
+- Add NetworkManager dispatcher script for winbind.
+
+* Fri Oct 19 2012 - Andreas Schneider - 2:4.0.0-160.rc3
+- resolves: #867893 - Move /var/log/samba to samba-common package for
+ winbind which requires it.
+
+* Thu Oct 18 2012 - Andreas Schneider - 2:4.0.0-159.rc3
+- Compile default auth methods into smbd.
+
+* Tue Oct 16 2012 - Andreas Schneider - 2:4.0.0-158.rc3
+- Move pam_winbind.conf and the manpages to the right package.
+
+* Tue Oct 16 2012 - Andreas Schneider - 2:4.0.0-157.rc3
+* resolves: #866959 - Build auth_builtin as static module.
+
+* Tue Oct 16 2012 - Andreas Schneider - 2:4.0.0-156.rc3
+- Update systemd Requires to reflect latest packaging guidelines.
+
+* Tue Oct 16 2012 - Andreas Schneider - 2:4.0.0-155.rc3
+- Add back the AES patches which didn't make it in rc3.
+
+* Tue Oct 16 2012 - Andreas Schneider - 2:4.0.0-154.rc3
+- Update to 4.0.0rc3.
+- resolves: #805562 - Unable to share print queues.
+- resolves: #863388 - Unable to reload smbd configuration with systemctl.
+
+* Wed Oct 10 2012 - Alexander Bokovoy - 2:4.0.0-153.rc2
+- Use alternatives to configure winbind_krb5_locator.so
+- Fix Requires for winbind.
+
+* Thu Oct 04 2012 - Andreas Schneider - 2:4.0.0-152.rc2
+- Add kerberos AES support.
+- Fix printing initialization.
+
+* Tue Oct 02 2012 - Andreas Schneider - 2:4.0.0-151.rc2
+- Update to 4.0.0rc2.
+
+* Wed Sep 26 2012 - Andreas Schneider - 2:4.0.0-150.rc1
+- Fix Obsoletes/Provides for update from samba4.
+- Bump release number to be bigger than samba4.
+
+* Wed Sep 26 2012 - Andreas Schneider - 2:4.0.0-96.rc1
+- Package smbprint again.
+
+* Wed Sep 26 2012 - Andreas Schneider - 2:4.0.0-95.rc1
+- Update to 4.0.0rc1.
+
+* Mon Aug 20 2012 Guenther Deschner - 2:3.6.7-94.2
+- Update to 3.6.7
+
+* Sat Jul 21 2012 Fedora Release Engineering - 2:3.6.6-93.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jul 19 2012 Guenther Deschner - 2:3.6.6-93
+- Fix printing tdb upgrade for 3.6.6
+- resolves: #841609
+
+* Sun Jul 15 2012 Ville Skyttä - 2:3.6.6-92
+- Call ldconfig at libwbclient and -winbind-clients post(un)install time.
+- Fix empty localization files, use %%find_lang to find and %%lang-mark them.
+- Escape macros in %%changelog.
+- Fix source tarball URL.
+
+* Tue Jun 26 2012 Guenther Deschner - 2:3.6.6-91
+- Update to 3.6.6
+
+* Thu Jun 21 2012 Andreas Schneider - 2:3.6.5-90
+- Fix ldonfig.
+- Require systemd for samba-common package.
+- resolves: #829197
+
+* Mon Jun 18 2012 Andreas Schneider - 2:3.6.5-89
+- Fix usrmove paths.
+- resolves: #829197
+
+* Tue May 15 2012 Andreas Schneider - 2:3.6.5-88
+- Move tmpfiles.d config to common package as it is needed for smbd and
+ winbind.
+- Make sure tmpfiles get created after installation.
+
+* Wed May 09 2012 Guenther Deschner - 2:3.6.5-87
+- Correctly use system iniparser library
+
+* Fri May 04 2012 Andreas Schneider - 2:3.6.5-86
+- Bump Epoch to fix a problem with a Samba4 update in testing.
+
+* Mon Apr 30 2012 Guenther Deschner - 1:3.6.5-85
+- Security Release, fixes CVE-2012-2111
+- resolves: #817551
+
+* Mon Apr 23 2012 Andreas Schneider - 1:3.6.4-84
+- Fix creation of /var/run/samba.
+- resolves: #751625
+
+* Fri Apr 20 2012 Guenther Deschner - 1:3.6.4-83
+- Avoid private krb5_locate_kdc usage
+- resolves: #754783
+
+* Thu Apr 12 2012 Jon Ciesla - 1:3.6.4-82
+- Update to 3.6.4
+- Fixes CVE-2012-1182
+
+* Mon Mar 19 2012 Andreas Schneider - 1:3.6.3-81
+- Fix provides for of libwclient-devel for samba-winbind-devel.
+
+* Thu Feb 23 2012 Andreas Schneider - 1:3.6.3-80
+- Add commented out 'max protocol' to the default config.
+
+* Mon Feb 13 2012 Andreas Schneider - 1:3.6.3-79
+- Create a libwbclient package.
+- Replace winbind-devel with libwbclient-devel package.
+
+* Mon Jan 30 2012 Andreas Schneider - 1:3.6.3-78
+- Update to 3.6.3
+- Fixes CVE-2012-0817
+
+* Sat Jan 14 2012 Fedora Release Engineering - 1:3.6.1-77.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Dec 05 2011 Andreas Schneider - 1:3.6.1-77
+- Fix winbind cache upgrade.
+- resolves: #760137
+
+* Fri Nov 18 2011 Andreas Schneider - 1:3.6.1-76
+- Fix piddir to match with systemd files.
+- Fix crash bug in the debug system.
+- resolves: #754525
+
+* Fri Nov 04 2011 Andreas Schneider - 1:3.6.1-75
+- Fix systemd dependencies
+- resolves: #751397
+
+* Wed Oct 26 2011 Andreas Schneider - 1:3.6.1-74
+- Update to 3.6.1
+
+* Tue Oct 04 2011 Guenther Deschner - 1:3.6.0-73
+- Fix nmbd startup
+- resolves: #741630
+
+* Tue Sep 20 2011 Tom Callaway - 1:3.6.0-72
+- convert to systemd
+- restore epoch from f15
+
+* Sat Aug 13 2011 Guenther Deschner - 3.6.0-71
+- Update to 3.6.0 final
+
+* Sun Jul 31 2011 Guenther Deschner - 3.6.0rc3-70
+- Update to 3.6.0rc3
+
+* Tue Jun 07 2011 Guenther Deschner - 3.6.0rc2-69
+- Update to 3.6.0rc2
+
+* Tue May 17 2011 Guenther Deschner - 3.6.0rc1-68
+- Update to 3.6.0rc1
+
+* Wed Apr 27 2011 Guenther Deschner - 3.6.0pre3-67
+- Update to 3.6.0pre3
+
+* Wed Apr 13 2011 Guenther Deschner - 3.6.0pre2-66
+- Update to 3.6.0pre2
+
+* Fri Mar 11 2011 Guenther Deschner - 3.6.0pre1-65
+- Enable quota support
+
+* Wed Feb 09 2011 Fedora Release Engineering - 0:3.6.0-64pre1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Nov 24 2010 Guenther Deschner - 3.6.0pre1-64
+- Add %%ghost entry for /var/run using tmpfs
+- resolves: #656685
+
+* Thu Aug 26 2010 Guenther Deschner - 3.6.0pre1-63
+- Put winbind krb5 locator plugin into a separate rpm
+- resolves: #627181
+
+* Tue Aug 03 2010 Guenther Deschner - 3.6.0pre1-62
+- Update to 3.6.0pre1
+
+* Wed Jun 23
2010 Guenther Deschner - 3.5.4-61
+- Update to 3.5.4
+
+* Wed May 19 2010 Guenther Deschner - 3.5.3-60
+- Update to 3.5.3
+- Make sure nmb and smb initscripts return LSB compliant return codes
+- Fix winbind over ipv6
+
+* Wed Apr 07 2010 Guenther Deschner - 3.5.2-59
+- Update to 3.5.2
+
+* Mon Mar 08 2010 Simo Sorce - 3.5.1-58
+- Security update to 3.5.1
+- Fixes CVE-2010-0728
+
+* Mon Mar 08 2010 Guenther Deschner - 3.5.0-57
+- Remove cifs.upcall and mount.cifs entirely
+
+* Mon Mar 01 2010 Guenther Deschner - 3.5.0-56
+- Update to 3.5.0
+
+* Fri Feb 19 2010 Guenther Deschner - 3.5.0rc3-55
+- Update to 3.5.0rc3
+
+* Tue Jan 26 2010 Guenther Deschner - 3.5.0rc2-54
+- Update to 3.5.0rc2
+
+* Fri Jan 15 2010 Jeff Layton - 3.5.0rc1-53
+- separate out CIFS tools into cifs-utils package
+
+* Fri Jan 08 2010 Guenther Deschner - 3.5.0rc1-52
+- Update to 3.5.0rc1
+
+* Tue Dec 15 2009 Guenther Deschner - 3.5.0pre2-51
+- Update to 3.5.0pre2
+- Remove umount.cifs
+
+* Wed Nov 25 2009 Guenther Deschner - 3.4.3-49
+- Various updates to inline documentation in default smb.conf file
+- resolves: #483703
+
+* Thu Oct 29 2009 Guenther Deschner - 3.4.3-48
+- Update to 3.4.3
+
+* Fri Oct 09 2009 Simo Sorce - 3.4.2-47
+- Spec file cleanup
+- Fix sources upstream location
+- Remove conditionals to build talloc and tdb, now they are completely indepent
+ packages in Fedora
+- Add defattr() where missing
+- Turn all tabs into 4 spaces
+- Remove unused migration script
+- Split winbind-clients out of main winbind package to avoid multilib to include
+ huge packages for no good reason
+
+* Thu Oct 01 2009 Guenther Deschner - 3.4.2-0.46
+- Update to 3.4.2
+- Security Release, fixes CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906
+
+* Wed Sep 16 2009 Tomas Mraz - 3.4.1-0.45
+- Use password-auth common PAM configuration instead of system-auth
+
+* Wed Sep 09 2009 Guenther Deschner - 3.4.1-0.44
+- Update to 3.4.1
+
+* Thu Aug 20 2009 Guenther Deschner - 3.4.0-0.43
+- Fix cli_read()
+-
resolves: #516165
+
+* Thu Aug 06 2009 Guenther Deschner - 3.4.0-0.42
+- Fix required talloc version number
+- resolves: #516086
+
+* Sun Jul 26 2009 Fedora Release Engineering - 0:3.4.0-0.41.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Fri Jul 17 2009 Guenther Deschner - 3.4.0-0.41
+- Fix Bug #6551 (vuid and tid not set in sessionsetupX and tconX)
+- Specify required talloc and tdb version for BuildRequires
+
+* Fri Jul 03 2009 Guenther Deschner - 3.4.0-0.40
+- Update to 3.4.0
+
+* Fri Jun 19 2009 Guenther Deschner - 3.4.0rc1-0.39
+- Update to 3.4.0rc1
+
+* Mon Jun 08 2009 Guenther Deschner - 3.4.0pre2-0.38
+- Update to 3.4.0pre2
+
+* Thu Apr 30 2009 Guenther Deschner - 3.4.0pre1-0.37
+- Update to 3.4.0pre1
+
+* Wed Apr 29 2009 Guenther Deschner - 3.3.4-0.36
+- Update to 3.3.4
+
+* Mon Apr 20 2009 Guenther Deschner - 3.3.3-0.35
+- Enable build of idmap_tdb2 for clustered setups
+
+* Wed Apr 1 2009 Guenther Deschner - 3.3.3-0.34
+- Update to 3.3.3
+
+* Thu Mar 26 2009 Simo Sorce - 3.3.2-0.33
+- Fix nmbd init script nmbd reload was causing smbd not nmbd to reload the
+ configuration
+- Fix upstream bug 6224, nmbd was waiting 5+ minutes before running elections on
+ startup, causing your own machine not to show up in the network for 5 minutes
+ if it was the only client in that workgroup (fix committed upstream)
+
+* Thu Mar 12 2009 Guenther Deschner - 3.3.2-0.31
+- Update to 3.3.2
+- resolves: #489547
+
+* Thu Mar 5 2009 Guenther Deschner - 3.3.1-0.30
+- Add libcap-devel to requires list (resolves: #488559)
+
+* Tue Mar 3 2009 Simo Sorce - 3.3.1-0.29
+- Make the talloc and ldb packages optionsl and disable their build within
+ the samba3 package, they are now built as part of the samba4 package
+ until they will both be released as independent packages.
+
+* Wed Feb 25 2009 Guenther Deschner - 3.3.1-0.28
+- Enable cluster support
+
+* Tue Feb 24 2009 Guenther Deschner - 3.3.1-0.27
+- Update to 3.3.1
+
+* Sat Feb 21 2009 Simo Sorce - 3.3.0-0.26
+- Rename ldb* tools to ldb3* to avoid conflicts with newer ldb releases
+
+* Tue Feb 3 2009 Guenther Deschner - 3.3.0-0.25
+- Update to 3.3.0 final
+- Add upstream fix for ldap connections to AD (Bug #6073)
+- Remove bogus perl dependencies (resolves: #473051)
+
+* Fri Nov 28 2008 Guenther Deschner - 3.3.0-0rc1.24
+- Update to 3.3.0rc1
+
+* Thu Nov 27 2008 Simo Sorce - 3.2.5-0.23
+- Security Release, fixes CVE-2008-4314
+
+* Thu Sep 18 2008 Guenther Deschner - 3.2.4-0.22
+- Update to 3.2.4
+- resolves: #456889
+- move cifs.upcall to /usr/sbin
+
+* Wed Aug 27 2008 Guenther Deschner - 3.2.3-0.21
+- Security fix for CVE-2008-3789
+
+* Mon Aug 25 2008 Guenther Deschner - 3.2.2-0.20
+- Update to 3.2.2
+
+* Mon Aug 11 2008 Simo Sorce - 3.2.1-0.19
+- Add fix for CUPS problem, fixes bug #453951
+
+* Wed Aug 6 2008 Simo Sorce - 3.2.1-0.18
+- Update to 3.2.1
+
+* Tue Jul 1 2008 Guenther Deschner - 3.2.0-2.17
+- Update to 3.2.0 final
+- resolves: #452622
+
+* Tue Jun 10 2008 Guenther Deschner - 3.2.0-1.rc2.16
+- Update to 3.2.0rc2
+- resolves: #449522
+- resolves: #448107
+
+* Fri May 30 2008 Guenther Deschner - 3.2.0-1.rc1.15
+- Fix security=server
+- resolves: #449038, #449039
+
+* Wed May 28 2008 Guenther Deschner - 3.2.0-1.rc1.14
+- Add fix for CVE-2008-1105
+- resolves: #446724
+
+* Fri May 23 2008 Guenther Deschner - 3.2.0-1.rc1.13
+- Update to 3.2.0rc1
+
+* Wed May 21 2008 Simo Sorce - 3.2.0-1.pre3.12
+- make it possible to print against Vista and XP SP3 as servers
+- resolves: #439154
+
+* Thu May 15 2008 Guenther Deschner - 3.2.0-1.pre3.11
+- Add "net ads join createcomputer=ou1/ou2/ou3" fix (BZO #5465)
+
+* Fri May 09 2008 Guenther Deschner - 3.2.0-1.pre3.10
+- Add smbclient fix (BZO #5452)
+
+* Fri Apr 25 2008 Guenther Deschner - 3.2.0-1.pre3.9
+- Update to 3.2.0pre3
+
+*
Tue Mar 18 2008 Guenther Deschner - 3.2.0-1.pre2.8
+- Add fixes for libsmbclient and support for r/o relocations
+
+* Mon Mar 10 2008 Guenther Deschner - 3.2.0-1.pre2.7
+- Fix libnetconf, libnetapi and msrpc DSSETUP call
+
+* Thu Mar 06 2008 Guenther Deschner - 3.2.0-1.pre2.6
+- Create separate packages for samba-winbind and samba-winbind-devel
+- Add cifs.spnego helper
+
+* Wed Mar 05 2008 Guenther Deschner - 3.2.0-1.pre2.3
+- Update to 3.2.0pre2
+- Add talloc and tdb lib and devel packages
+- Add domainjoin-gui package
+
+* Fri Feb 22 2008 Simo Sorce - 3.2.0-0.pre1.3
+- Try to fix GCC 4.3 build
+- Add --with-dnsupdate flag and also make sure other flags are required just to
+ be sure the features are included without relying on autodetection to be
+ successful
+
+* Tue Feb 19 2008 Fedora Release Engineering - 0:3.2.0-1.pre1.2
+- Autorebuild for GCC 4.3
+
+* Tue Dec 04 2007 Release Engineering - 3.2.0-0.pre1.2
+- Rebuild for openldap bump
+
+* Thu Oct 18 2007 Guenther Deschner 3.2.0-0.pre1.1.fc9
+- 32/64bit padding fix (affects multilib installations)
+
+* Mon Oct 8 2007 Simo Sorce 3.2.0-0.pre1.fc9
+- New major relase, minor switched from 0 to 2
+- License change, the code is now GPLv3+
+- Numerous improvements and bugfixes included
+- package libsmbsharemodes too
+- remove smbldap-tools as they are already packaged separately in Fedora
+- Fix bug 245506
+
+* Tue Oct 2 2007 Simo Sorce 3.0.26a-1.fc8
+- rebuild with AD DNS Update support
+
+* Tue Sep 11 2007 Simo Sorce 3.0.26a-0.fc8
+- upgrade to the latest upstream realease
+- includes security fixes released today in 3.0.26
+
+* Fri Aug 24 2007 Simo Sorce 3.0.25c-4.fc8
+- add fix reported upstream for heavy idmap_ldap memleak
+
+* Tue Aug 21 2007 Simo Sorce 3.0.25c-3.fc8
+- fix a few places were "open" is used an interfere with the new glibc
+
+* Tue Aug 21 2007 Simo Sorce 3.0.25c-2.fc8
+- remove old source
+- add patch to fix samba bugzilla 4772
+
+* Tue Aug 21 2007 Guenther Deschner 3.0.25c-0.fc8
+- update to
3.0.25c
+
+* Fri Jun 29 2007 Simo Sorce 3.0.25b-3.fc8
+- handle cases defined in #243766
+
+* Tue Jun 26 2007 Simo Sorce 3.0.25b-2.fc8
+- update to 3.0.25b
+- better error codes for init scripts: #244823
+
+* Tue May 29 2007 Günther Deschner
+- fix pam_smbpass patch.
+
+* Fri May 25 2007 Simo Sorce
+- update to 3.0.25a as it contains many fixes
+- add a fix for pam_smbpass made by Günther but committed upstream after 3.0.25a was cut.
+
+* Mon May 14 2007 Simo Sorce
+- final 3.0.25
+- includes security fixes for CVE-2007-2444,CVE-2007-2446,CVE-2007-2447
+
+* Mon Apr 30 2007 Günther Deschner
+- move to 3.0.25rc3
+
+* Thu Apr 19 2007 Simo Sorce
+- fixes in the spec file
+- moved to 3.0.25rc1
+- addedd patches (merged upstream so they will be removed in 3.0.25rc2)
+
+* Wed Apr 4 2007 Simo Sorce 3.0.24-12.fc7
+- fixes in smb.conf
+- advice in smb.conf to put scripts in /var/lib/samba/scripts
+- create /var/lib/samba/scripts so that selinux can be happy
+- fix Vista problems with msdfs errors
+
+* Tue Apr 03 2007 Guenther Deschner 3.0.24-11.fc7
+- enable PAM and NSS dlopen checks during build
+- fix unresolved symbols in libnss_wins.so (bug #198230)
+
+* Fri Mar 30 2007 Simo Sorce 3.0.24-10.fc7
+- set passdb backend = tdbsam as default in smb.conf
+- remove samba-docs dependency from swat, that was a mistake
+- put back COPYING and other files in samba-common
+- put examples in samba not in samba-docs
+- leave only stuff under docs/ in samba-doc
+
+* Thu Mar 29 2007 Simo Sorce 3.0.24-9.fc7
+- integrate most of merge review proposed changes (bug #226387)
+- remove libsmbclient-devel-static and simply stop shipping the
+ static version of smbclient as it seem this is deprecated and
+ actively discouraged
+
+* Wed Mar 28 2007 Simo Sorce 3.0.24-8.fc7
+- fix for bug #176649
+
+* Mon Mar 26 2007 Simo Sorce
+- remove patch for bug 106483 as it introduces a new bug that prevents
+ the use of a credentials file with the smbclient tar command
+- move the samba private dir from
being the same as the config dir
+ (/etc/samba) to /var/lib/samba/private
+
+* Mon Mar 26 2007 Simo Sorce 3.0.24-7.fc7
+- make winbindd start earlier in the init process, at the same time
+ ypbind is usually started as well
+- add a sepoarate init script for nmbd called nmb, we need to be able
+ to restart nmbd without dropping al smbd connections unnecessarily
+
+* Fri Mar 23 2007 Simo Sorce
+- add samba.schema to /etc/openldap/schema
+
+* Thu Mar 22 2007 Florian La Roche
+- adjust the Requires: for the scripts, add "chkconfig --add smb"
+
+* Tue Mar 20 2007 Simo Sorce 3.0.24-6.fc7
+- do not put comments inline on smb.conf options, they may be read
+ as part of the value (for example log files names)
+
+* Mon Mar 19 2007 Simo Sorce 3.0.24-5.fc7
+- actually use the correct samba.pamd file not the old samba.pamd.stack file
+- fix logifles and use upstream convention of log.* instead of our old *.log
+ Winbindd creates its own log.* files anyway so we will be more consistent
+- install our own (enhanced) default smb.conf file
+- Fix pam_winbind acct_mgmt PAM result code (prevented local users from
+ logging in). Fixed by Guenther.
+- move some files from samba to samba-common as they are used with winbindd
+ as well
+
+* Fri Mar 16 2007 Guenther Deschner 3.0.24-4.fc7
+- fix arch macro which reported Vista to Samba clients.
+
+* Thu Mar 15 2007 Simo Sorce 3.0.24-3.fc7
+- Directories reorg, tdb files must go to /var/lib, not
+ to /var/cache, add migration script in %%post common
+- Split out libsmbclient, devel and doc packages
+- Remove libmsrpc.[h|so] for now as they are not really usable
+- Remove kill -HUP from rotate, samba use -HUP for other things
+ noit to reopen logs
+
+* Tue Feb 20 2007 Simo Sorce 3.0.24-2.fc7
+- New upstream release
+- Fix packaging issue wrt idmap modules used only by smbd
+- Addedd Vista Patchset for compatibility with Windows Vista
+- Change default of "msdfs root", it seem to cause problems with
+ some applications and it has been proposed to change it for
+ 3.0.25 upstream
+
+* Fri Sep 1 2006 Jay Fenlason 3.0.23c-2
+- New upstream release.
+
+* Tue Aug 8 2006 Jay Fenlason 3.0.23b-2
+- New upstream release.
+
+* Mon Jul 24 2006 Jay Fenlason 3.0.23a-3
+- Fix the -logfiles patch to close
+ bz#199607 Samba compiled with wrong log path.
+ bz#199206 smb.conf has incorrect log file path
+
+* Mon Jul 24 2006 Jay Fenlason 3.0.23a-2
+- Upgrade to new upstream 3.0.23a
+- include upstream samr_alias patch
+
+* Tue Jul 11 2006 Jay Fenlason 3.0.23-2
+- New upstream release.
+- Use modified filter-requires-samba.sh from packaging/RHEL/setup/
+ to get rid of bogus dependency on perl(Unicode::MapUTF8)
+- Update the -logfiles and -smb.conf patches to work with 3.0.23
+
+* Thu Jul 6 2006 Jay Fenlason 3.0.23-0.RC3
+- New upstream RC release.
+- Update the -logfiles, and -passwd patches for
+ 3.0.23rc3
+- Include the change to smb.init from Bastien Nocera )
+ to close
+ bz#182560 Wrong retval for initscript when smbd is dead
+- Update this spec file to build with 3.0.23rc3
+- Remove the -install.mount.smbfs patch, since we don't install
+ mount.smbfs any more.
+
+* Wed Jun 14 2006 Tomas Mraz - 2.0.21c-3
+- rebuilt with new gnutls
+
+* Fri Mar 17 2006 Jay Fenlason 2.0.21c-2
+- New upstream version.
+
+* Mon Feb 13 2006 Jay Fenlason 3.0.21b-2
+- New upstream version.
+- Since the rawhide kernel has dropped support for smbfs, remove smbmount
+ and smbumount. Users should use mount.cifs instead.
+- Upgrade to 3.0.21b
+
+* Fri Feb 10 2006 Jesse Keating - 0:3.0.20b-2.1.1
+- bump again for double-long bug on ppc(64)
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Sun Nov 13 2005 Jay Fenlason 3.0.20b-2
+- turn on -DLDAP_DEPRECATED to allow access to ldap functions that have
+ been depricated in 2.3.11, but which don't have well-documented
+ replacements (ldap_simple_bind_s(), for example).
+- Upgrade to 3.0.20b, which includes all the previous upstream patches.
+- Updated the -warnings patch for 3.0.20a.
+- Include --with-shared-modules=idmap_ad,idmap_rid to close
+ bz#156810 --with-shared-modules=idmap_ad,idmap_rid
+- Include the new samba.pamd from Tomas Mraz (tmraz@redhat.com) to close
+ bz#170259 pam_stack is deprecated
+
+* Sun Nov 13 2005 Warren Togami 3.0.20-3
+- epochs from deps, req exact release
+- rebuild against new openssl
+
+* Mon Aug 22 2005 Jay Fenlason 3.0.20-2
+- New upstream release
+ Includes five upstream patches -bug3010_v1, -groupname_enumeration_v3,
+ -regcreatekey_winxp_v1, -usrmgr_groups_v1, and -winbindd_v1
+ This obsoletes the -pie and -delim patches
+ the -warning and -gcc4 patches are obsolete too
+ The -man, -passwd, and -smbspool patches were updated to match 3.0.20pre1
+ Also, the -quoting patch was implemented differently upstream
+ There is now a umount.cifs executable and manpage
+ We run autogen.sh as part of the build phase
+ The testprns command is now gone
+ libsmbclient now has a man page
+- Include -bug106483 patch to close
+ bz#106483 smbclient: -N negates the provided password, despite documentation
+- Added the -warnings patch to quiet some compiler warnings.
+- Removed many obsolete patches from CVS.
+
+* Mon May 2 2005 Jay Fenlason 3.0.14a-2
+- New upstream release.
+- the -64bit-timestamps, -clitar, -establish_trust, user_rights_v1,
+ winbind_find_dc_v2 patches are now obsolete.
+
+* Thu Apr 7 2005 Jay Fenlason 3.0.13-2
+- New upstream release
+- add my -quoting patch, to fix swat with strings that contain
+ html meta-characters, and to use correct quote characters in
+ lists, closing bz#134310
+- include the upstream winbindd_2k3sp1 patch
+- include the -smbclient patch.
+- include the -hang patch from upstream.
+
+* Thu Mar 24 2005 Florian La Roche
+- add a "exit 0" to the postun of the main samba package
+
+* Wed Mar 2 2005 Tomas Mraz 3.0.11-5
+- rebuild with openssl-0.9.7e
+
+* Thu Feb 24 2005 Jay Fenlason 3.0.11-4
+- Use the updated filter-requires-samba.sh file, so we don't accidentally
+ pick up a dependency on perl(Crypt::SmbHash)
+
+* Fri Feb 18 2005 Jay Fenlason 3.0.11-3
+- add -gcc4 patch to compile with gcc 4.
+- remove the now obsolete -smbclient-kerberos.patch
+- Include four upstream patches from
+ http://samba.org/~jerry/patches/post-3.0.11/
+ (Slightly modified the winbind_find_dc_v2 patch to apply easily with
+ rpmbuild).
+
+* Fri Feb 4 2005 Jay Fenlason 3.0.11-2
+- include -smbspool patch to close bz#104136
+
+* Wed Jan 12 2005 Jay Fenlason 3.0.10-4
+- Update the -man patch to fix ntlm_auth.1 too.
+- Move pam_smbpass.so to the -common package, so both the 32
+ and 64-bit versions will be installed on multiarch platforms.
+ This closes bz#143617
+- Added new -delim patch to fix mount.cifs so it can accept
+ passwords with commas in them (via environment or credentials
+ file) to close bz#144198
+
+* Wed Jan 12 2005 Tim Waugh 3.0.10-3
+- Rebuilt for new readline.
+
+* Fri Dec 17 2004 Jay Fenlason 3.0.10-2
+- New upstream release that closes CAN-2004-1154 bz#142544
+- Include the -64bit patch from Nalin. This closes bz#142873
+- Update the -logfiles patch to work with 3.0.10
+- Create /var/run/winbindd and make it part of the -common rpm to close
+ bz#142242
+
+* Mon Nov 22 2004 Jay Fenlason 3.0.9-2
+- New upstream release. This obsoletes the -secret patch.
+ Include my changetrustpw patch to make "net ads changetrustpw" stop
+ aborting. This closes #134694
+- Remove obsolete triggers for ancient samba versions.
+- Move /var/log/samba to the -common rpm. This closes #76628
+- Remove the hack needed to get around the bad docs files in the
+ 3.0.8 tarball.
+- Change the comment in winbind.init to point at the correct pidfile.
+ This closes #76641
+
+* Mon Nov 22 2004 Than Ngo 3.0.8-4
+- fix unresolved symbols in libsmbclient which caused applications
+ such as KDE's konqueror to fail when accessing smb:// URLs. #139894
+
+* Thu Nov 11 2004 Jay Fenlason 3.0.8-3.1
+- Rescue the install.mount.smbfs patch from Juanjo Villaplana
+ (villapla@si.uji.es) to prevent building the srpm from trashing your
+ installed /usr/bin/smbmount
+
+* Tue Nov 9 2004 Jay Fenlason 3.0.8-3
+- Include the corrected docs tarball, and use it instead of the
+ obsolete docs from the upstream 3.0.8 tarball.
+- Update the logfiles patch to work with the updated docs.
+
+* Mon Nov 8 2004 Jay Fenlason 3.0.8-2
+- New upstream version fixes CAN-2004-0930. This obsoletes the
+ disable-sendfile, salt, signing-shortkey and fqdn patches.
+- Add my ugly non-ascii-domain patch.
+- Updated the pie patch for 3.0.8.
+- Updated the logfiles patch for 3.0.8.
+
+* Tue Oct 26 2004 Jay Fenlason 3.0.8-0.pre2
+- New upstream version
+- Add Nalin's signing-shortkey patch.
+
+* Tue Oct 19 2004 Jay Fenlason 3.0.8-0.pre1.3
+- disable the -salt patch, because it causes undefined references in
+ libsmbclient that prevent gnome-vfs from building.
+
+* Fri Oct 15 2004 Jay Fenlason 3.0.8-0.pre1.2
+- Re-enable the x_fclose patch that was accidentally disabled
+ in 3.0.8-0.pre1.1. This closes #135832
+- include Nalin's -fqdn and -salt patches.
+
+* Wed Oct 13 2004 Jay Fenlason 3.0.8-0.pre1.1
+- Include disable-sendfile patch to default "use sendfile" to "no".
+ This closes #132779
+
+* Wed Oct 6 2004 Jay Fenlason
+- Include patch from Steven Lawrance (slawrance@yahoo.com) that modifies
+ smbmnt to work with 32-bit uids.
+
+* Mon Sep 27 2004 Jay Fenlason 3.0.8-0.pre1
+- new upstream release. This obsoletes the ldapsam_compat patches.
+
+* Wed Sep 15 2004 Jay Fenlason 3.0.7-4
+- Update docs section to not carryover the docs/manpages directory
+ This moved many files from /usr/share/doc/samba-3.0.7/docs/* to
+ /usr/share/doc/samba-3.0.7/*
+- Modify spec file as suggested by Rex Dieter (rdieter@math.unl.edu)
+ to correctly create libsmbclient.so.0 and to use %%_initrddir instead
+ of rolling our own. This closes #132642
+- Add patch to default "use sendfile" to no, since sendfile appears to
+ be broken
+- Add patch from Volker Lendecke to help make
+ ldapsam_compat work again.
+- Add patch from "Vince Brimhall" for ldapsam_compat
+ These two patches close bugzilla #132169
+
+* Mon Sep 13 2004 Jay Fenlason 3.0.7-3
+- Upgrade to 3.0.7, which fixes CAN-2004-0807 CAN-2004-0808
+ This obsoletes the 3.0.6-schema patch.
+- Update BuildRequires line to include openldap-devel openssl-devel
+ and cups-devel
+
+* Mon Aug 16 2004 Jay Fenlason 3.0.6-3
+- New upstream version.
+- Include post 3.0.6 patch from "Gerald (Jerry) Carter"
+ to fix a duplicate in the LDAP schema.
+- Include 64-bit timestamp patch from Ravikumar (rkumar@hp.com)
+ to allow correct timestamp handling on 64-bit platforms and fix #126109.
+- reenable the -pie patch. Samba is too widely used, and too vulnerable
+ to potential security holes to disable an important security feature
+ like -pie. The correct fix is to have the toolchain not create broken
+ executables when programs compiled -pie are stripped.
+- Remove obsolete patches.
+- Modify this spec file to put libsmbclient.{a,so} in the right place on
+ x86_64 machines.
+ +* Thu Aug 5 2004 Jason Vas Dias 3.0.5-3 +- Removed '-pie' patch - 3.0.5 uses -fPIC/-PIC, and the combination +- resulted in executables getting corrupt stacks, causing smbmnt to +- get a SIGBUS in the mount() call (bug 127420). + +* Fri Jul 30 2004 Jay Fenlason 3.0.5-2 +- Upgrade to 3.0.5, which is a regression from 3.0.5pre1 for a + security fix. +- Include the 3.0.4-backport patch from the 3E branch. This restores + some of the 3.0.5pre1 and 3.0.5rc1 functionality. + +* Tue Jul 20 2004 Jay Fenlason 3.0.5-0.pre1.1 +- Backport base64_decode patche to close CAN-2004-0500 +- Backport hash patch to close CAN-2004-0686 +- use_authtok patch from Nalin Dahyabhai +- smbclient-kerberos patch from Alexander Larsson +- passwd patch uses "*" instead of "x" for "hashed" passwords for + accounts created by winbind. "x" means "password is in /etc/shadow" to + brain-damaged pam_unix module. + +* Fri Jul 2 2004 Jay Fenlason 3.0.5.0pre1.0 +- New upstream version +- use %% { SOURCE1 } instead of a hardcoded path +- include -winbind patch from Gerald (Jerry) Carter (jerry@samba.org) + https://bugzilla.samba.org/show_bug.cgi?id=1315 + to make winbindd work against Windows versions that do not have + 128 bit encryption enabled. +- Moved %%{_bindir}/net to the -common package, so that folks who just + want to use winbind, etc don't have to install -client in order to + "net join" their domain. +- New upstream version obsoletes the patches added in 3.0.3-5 +- Remove smbgetrc.5 man page, since we don't ship smbget. + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Tue May 4 2004 Jay Fenlason 3.0.3-5 +- Patch to allow password changes from machines patched with + Microsoft hotfix MS04-011. +- Include patches for https://bugzilla.samba.org/show_bug.cgi?id=1302 + and https://bugzilla.samba.org/show_bug.cgi?id=1309 + +* Thu Apr 29 2004 Jay Fenlason 3.0.3-4 +- Samba 3.0.3 released. 
+ +* Wed Apr 21 2004 jay Fenlason 3.0.3-3.rc1 +- New upstream version +- updated spec file to make libsmbclient.so executable. This closes + bugzilla #121356 + +* Mon Apr 5 2004 Jay Fenlason 3.0.3-2.pre2 +- New upstream version +- Updated configure line to remove --with-fhs and to explicitly set all + the directories that --with-fhs was setting. We were overriding most of + them anyway. This closes #118598 + +* Mon Mar 15 2004 Jay Fenlason 3.0.3-1.pre1 +- New upstream version. +- Updated -pie and -logfiles patches for 3.0.3pre1 +- add krb5-devel to buildrequires, fixes #116560 +- Add patch from Miloslav Trmac (mitr@volny.cz) to allow non-root to run + "service smb status". This fixes #116559 + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Mon Feb 16 2004 Jay Fenlason 3.0.2a-1 +- Upgrade to 3.0.2a + +* Mon Feb 16 2004 Karsten Hopp 3.0.2-7 +- fix ownership in -common package + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Fri Feb 13 2004 Jay Fenlason +- Change all requires lines to list an explicit epoch. Closes #102715 +- Add an explicit Epoch so that %%{epoch} is defined. + +* Mon Feb 9 2004 Jay Fenlason 3.0.2-5 +- New upstream version: 3.0.2 final includes security fix for #114995 + (CAN-2004-0082) +- Edit postun script for the -common package to restart winbind when + appropriate. Fixes bugzilla #114051. + +* Mon Feb 2 2004 Jay Fenlason 3.0.2-3rc2 +- add %%dir entries for %%{_libdir}/samba and %%{_libdir}/samba/charset +- Upgrade to new upstream version +- build mount.cifs for the new cifs filesystem in the 2.6 kernel. 
+ +* Mon Jan 19 2004 Jay Fenlason 3.0.2-1rc1 +- Upgrade to new upstream version + +* Wed Dec 17 2003 Felipe Alfaro Solana 3.0.1-1 +- Update to 3.0.1 +- Removed testparm patch as it's already merged +- Removed Samba.7* man pages +- Fixed .buildroot patch +- Fixed .pie patch +- Added new /usr/bin/tdbdump file + +* Thu Sep 25 2003 Jay Fenlason 3.0.0-15 +- New 3.0.0 final release +- merge nmbd-netbiosname and testparm patches from 3E branch +- updated the -logfiles patch to work against 3.0.0 +- updated the pie patch +- update the VERSION file during build +- use make -j if avaliable +- merge the winbindd_privileged change from 3E +- merge the "rm /usr/lib" patch that allows Samba to build on 64-bit + platforms despite the broken Makefile + +* Mon Aug 18 2003 Jay Fenlason +- Merge from samba-3E-branch after samba-3.0.0rc1 was released + +* Wed Jul 23 2003 Jay Fenlason 3.0.0-3beta3 +- Merge from 3.0.0-2beta3.3E +- (Correct log file names (#100981).) +- (Fix pidfile directory in samab.log) +- (Remove obsolete samba-3.0.0beta2.tar.bz2.md5 file) +- (Move libsmbclient to the -common package (#99449)) + +* Sun Jun 22 2003 Nalin Dahyabhai 2.2.8a-4 +- rebuild + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Wed May 28 2003 Jay Fenlason 2.2.8a-2 +- add libsmbclient.so for gnome-vfs-extras +- Edit specfile to specify /var/run for pid files +- Move /tmp/.winbindd/socket to /var/run/winbindd/socket + +* Wed May 14 2003 Florian La Roche +- add proper ldconfig calls + +* Thu Apr 24 2003 Jay Fenlason 2.2.8a-1 +- upgrade to 2.2.8a +- remove old .md5 files +- add "pid directory = /var/run" to the smb.conf file. Fixes #88495 +- Patch from jra@dp.samba.org to fix a delete-on-close regression + +* Mon Mar 24 2003 Jay Fenlason 2.2.8-0 +- Upgrade to 2.2.8 +- removed commented out patches. +- removed old patches and .md5 files from the repository. +- remove duplicate /sbin/chkconfig --del winbind which causes + warnings when removing samba. 
+- Fixed minor bug in smbprint that causes it to fail when called with + more than 10 parameters: the accounting file (and spool directory + derived from it) were being set wrong due to missing {}. This closes + bug #86473. +- updated smb.conf patch, includes new defaults to close bug #84822. + +* Mon Feb 24 2003 Elliot Lee +- rebuilt + +* Thu Feb 20 2003 Jonathan Blandford 2.2.7a-5 +- remove swat.desktop file + +* Thu Feb 20 2003 Nalin Dahyabhai 2.2.7a-4 +- relink libnss_wins.so with SHLD="%%{__cc} -lnsl" to force libnss_wins.so to + link with libnsl, avoiding unresolved symbol errors on functions in libnsl + +* Mon Feb 10 2003 Jay Fenlason 2.2.7a-3 +- edited spec file to put .so files in the correct directories + on 64-bit platforms that have 32-bit compatability issues + (sparc64, x86_64, etc). This fixes bugzilla #83782. +- Added samba-2.2.7a-error.patch from twaugh. This fixes + bugzilla #82454. + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Thu Jan 9 2003 Jay Fenlason 2.2.7a-1 +- Update to 2.2.7a +- Change default printing system to CUPS +- Turn on pam_smbpass +- Turn on msdfs + +* Sat Jan 4 2003 Jeff Johnson 2.2.7-5 +- use internal dep generator. + +* Sat Dec 14 2002 Tim Powers 2.2.7-4 +- don't use rpms internal dep generator + +* Mon Dec 02 2002 Elliot Lee 2.2.7-3 +- Fix missing doc files. 
+- Fix multilib issues + +* Wed Nov 20 2002 Bill Nottingham 2.2.7-2 +- update to 2.2.7 +- add patch for LFS in smbclient () + +* Wed Aug 28 2002 Trond Eivind Glomsød 2.2.5-10 +- logrotate fixes (#65007) + +* Mon Aug 26 2002 Trond Eivind Glomsrød 2.2.5-9 +- /usr/lib was used in place of %%{_libdir} in three locations (#72554) + +* Mon Aug 5 2002 Trond Eivind Glomsrød 2.2.5-8 +- Initscript fix (#70720) + +* Fri Jul 26 2002 Trond Eivind Glomsrød 2.2.5-7 +- Enable VFS support and compile the "recycling" module (#69796) +- more selective includes of the examples dir + +* Tue Jul 23 2002 Trond Eivind Glomsrød 2.2.5-6 +- Fix the lpq parser for better handling of LPRng systems (#69352) + +* Tue Jul 23 2002 Trond Eivind Glomsrød 2.2.5-5 +- desktop file fixes (#69505) + +* Wed Jun 26 2002 Trond Eivind Glomsrød 2.2.5-4 +- Enable ACLs + +* Tue Jun 25 2002 Trond Eivind Glomsrød 2.2.5-3 +- Make it not depend on Net::LDAP - those are doc files and examples + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu Jun 20 2002 Trond Eivind Glomsrød 2.2.5-1 +- 2.2.5 + +* Fri Jun 14 2002 Trond Eivind Glomsrød 2.2.4-5 +- Move the post/preun of winbind into the -common subpackage, + where the script is (#66128) + +* Tue Jun 4 2002 Trond Eivind Glomsrød 2.2.4-4 +- Fix pidfile locations so it runs properly again (2.2.4 + added a new directtive - #65007) + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Tue May 14 2002 Trond Eivind Glomsrød 2.2.4-2 +- Fix #64804 + +* Thu May 9 2002 Trond Eivind Glomsrød 2.2.4-1 +- 2.2.4 +- Removed some zero-length and CVS internal files +- Make it build + +* Wed Apr 10 2002 Trond Eivind Glomsrød 2.2.3a-6 +- Don't use /etc/samba.d in smbadduser, it should be /etc/samba + +* Thu Apr 4 2002 Trond Eivind Glomsrød 2.2.3a-5 +- Add libsmbclient.a w/headerfile for KDE (#62202) + +* Tue Mar 26 2002 Trond Eivind Glomsrød 2.2.3a-4 +- Make the logrotate script look the correct place for the pid files + +* Thu Mar 14 2002 Nalin Dahyabhai 2.2.3a-3 +- 
include interfaces.o in pam_smbpass.so, which needs symbols from interfaces.o + (patch posted to samba-list by Ilia Chipitsine) + +* Thu Feb 21 2002 Trond Eivind Glomsrød 2.2.3a-2 +- Rebuild + +* Thu Feb 7 2002 Trond Eivind Glomsrød 2.2.3a-1 +- 2.2.3a + +* Mon Feb 4 2002 Trond Eivind Glomsrød 2.2.3-1 +- 2.2.3 + +* Thu Nov 29 2001 Trond Eivind Glomsrød 2.2.2-8 +- New pam configuration file for samba + +* Tue Nov 27 2001 Trond Eivind Glomsrød 2.2.2-7 +- Enable PAM session controll and password sync + +* Tue Nov 13 2001 Trond Eivind Glomsrød 2.2.2-6 +- Move winbind files to samba-common. Add separate initscript for + winbind +- Fixes for winbind - protect global variables with mutex, use + more secure getenv + +* Thu Nov 8 2001 Trond Eivind Glomsrød 2.2.2-5 +- Teach smbadduser about "getent passwd" +- Fix more pid-file references +- Add (conditional) winbindd startup to the initscript, configured in + /etc/sysconfig/samba + +* Wed Nov 7 2001 Trond Eivind Glomsrød 2.2.2-4 +- Fix pid-file reference in logrotate script +- include pam and nss modules for winbind + +* Mon Nov 5 2001 Trond Eivind Glomsrød 2.2.2-3 +- Add "--with-utmp" to configure options (#55372) +- Include winbind, pam_smbpass.so, rpcclient and smbcacls +- start using /var/cache/samba, we need to keep state and there is + more than just locks involved + +* Sat Nov 03 2001 Florian La Roche 2.2.2-2 +- add "reload" to the usage string in the startup script + +* Mon Oct 15 2001 Trond Eivind Glomsrød 2.2.2-1 +- 2.2.2 + +* Tue Sep 18 2001 Trond Eivind Glomsrød 2.2.1a-5 +- Add patch from Jeremy Allison to fix IA64 alignment problems (#51497) + +* Mon Aug 13 2001 Trond Eivind Glomsrød +- Don't include smbpasswd in samba, it's in samba-common (#51598) +- Add a disabled "obey pam restrictions" statement - it's not + active, as we use encrypted passwords, but if the admin turns + encrypted passwords off the choice is available. 
(#31351) + +* Wed Aug 8 2001 Trond Eivind Glomsrød +- Use /var/cache/samba instead of /var/lock/samba +- Remove "domain controller" keyword from smb.conf, it's + deprecated (from #13704) +- Sync some examples with smb.conf.default +- Fix password synchronization (#16987) + +* Fri Jul 20 2001 Trond Eivind Glomsrød +- Tweaks of BuildRequires (#49581) + +* Wed Jul 11 2001 Trond Eivind Glomsrød +- 2.2.1a bugfix release + +* Tue Jul 10 2001 Trond Eivind Glomsrød +- 2.2.1, which should work better for XP + +* Sat Jun 23 2001 Trond Eivind Glomsrød +- 2.2.0a security fix +- Mark lograte and pam configuration files as noreplace + +* Fri Jun 22 2001 Trond Eivind Glomsrød +- Add the /etc/samba directory to samba-common + +* Thu Jun 21 2001 Trond Eivind Glomsrød +- Add improvements to the smb.conf as suggested in #16931 + +* Tue Jun 19 2001 Trond Eivind Glomsrød +- (these changes are from the non-head version) +- Don't include /usr/sbin/samba, it's the same as the initscript +- unset TMPDIR, as samba can't write into a TMPDIR owned + by root (#41193) +- Add pidfile: lines for smbd and nmbd and a config: line + in the initscript (#15343) +- don't use make -j +- explicitly include /usr/share/samba, not just the files in it + +* Tue Jun 19 2001 Bill Nottingham +- mount.smb/mount.smbfs go in /sbin, *not* %%{_sbindir} + +* Fri Jun 8 2001 Preston Brown +- enable encypted passwords by default + +* Thu Jun 7 2001 Helge Deller +- build as 2.2.0-1 release +- skip the documentation-directories docbook, manpages and yodldocs +- don't include *.sgml documentation in package +- moved codepage-directory to /usr/share/samba/codepages +- make it compile with glibc-2.2.3-10 and kernel-headers-2.4.2-2 + +* Mon May 21 2001 Helge Deller +- updated to samba 2.2.0 +- moved codepages to %%{_datadir}/samba/codepages +- use all available CPUs for building rpm packages +- use %%{_xxx} defines at most places in spec-file +- "License:" replaces "Copyright:" +- dropped excludearch sparc +- de-activated 
japanese patches 100 and 200 for now + (they need to be fixed and tested wth 2.2.0) +- separated swat.desktop file from spec-file and added + german translations +- moved /etc/sysconfig/samba to a separate source-file +- use htmlview instead of direct call to netscape in + swat.desktop-file + +* Mon May 7 2001 Bill Nottingham +- device-remove security fix again () + +* Fri Apr 20 2001 Bill Nottingham +- fix tempfile security problems, officially () +- update to 2.0.8 + +* Sun Apr 8 2001 Bill Nottingham +- turn of SSL, kerberos + +* Thu Apr 5 2001 Bill Nottingham +- fix tempfile security problems (patch from ) + +* Thu Mar 29 2001 Bill Nottingham +- fix quota support, and quotas with the 2.4 kernel (#31362, #33915) + +* Mon Mar 26 2001 Nalin Dahyabhai +- tweak the PAM code some more to try to do a setcred() after initgroups() +- pull in all of the optflags on i386 and sparc +- don't explicitly enable Kerberos support -- it's only used for password + checking, and if PAM is enabled it's a no-op anyway + +* Mon Mar 5 2001 Tim Waugh +- exit successfully from preun script (bug #30644). 
+ +* Fri Mar 2 2001 Nalin Dahyabhai +- rebuild in new environment + +* Wed Feb 14 2001 Bill Nottingham +- updated japanese stuff (#27683) + +* Fri Feb 9 2001 Bill Nottingham +- fix trigger (#26859) + +* Wed Feb 7 2001 Bill Nottingham +- add i18n support, japanese patch (#26253) + +* Wed Feb 7 2001 Trond Eivind Glomsrød +- i18n improvements in initscript (#26537) + +* Wed Jan 31 2001 Bill Nottingham +- put smbpasswd in samba-common (#25429) + +* Wed Jan 24 2001 Bill Nottingham +- new i18n stuff + +* Sun Jan 21 2001 Bill Nottingham +- rebuild + +* Thu Jan 18 2001 Bill Nottingham +- i18n-ize initscript +- add a sysconfig file for daemon options (#23550) +- clarify smbpasswd man page (#23370) +- build with LFS support (#22388) +- avoid extraneous pam error messages (#10666) +- add Urban Widmark's bug fixes for smbmount (#19623) +- fix setgid directory modes (#11911) +- split swat into subpackage (#19706) + +* Wed Oct 25 2000 Nalin Dahyabhai +- set a default CA certificate path in smb.conf (#19010) +- require openssl >= 0.9.5a-20 to make sure we have a ca-bundle.crt file + +* Mon Oct 16 2000 Bill Nottingham +- fix swat only_from line (#18726, others) +- fix attempt to write outside buildroot on install (#17943) + +* Mon Aug 14 2000 Bill Nottingham +- add smbspool back in (#15827) +- fix absolute symlinks (#16125) + +* Sun Aug 6 2000 Philipp Knirsch +- bugfix for smbadduser script (#15148) + +* Mon Jul 31 2000 Matt Wilson +- patch configure.ing (patch11) to disable cups test +- turn off swat by default + +* Fri Jul 28 2000 Bill Nottingham +- fix condrestart stuff + +* Fri Jul 21 2000 Bill Nottingham +- add copytruncate to logrotate file (#14360) +- fix init script (#13708) + +* Sat Jul 15 2000 Bill Nottingham +- move initscript back +- remove 'Using Samba' book from %%doc +- move stuff to /etc/samba (#13708) +- default configuration tweaks (#13704) +- some logrotate tweaks + +* Wed Jul 12 2000 Prospector +- automatic rebuild + +* Tue Jul 11 2000 Bill Nottingham +- fix 
logrotate script (#13698) + +* Thu Jul 6 2000 Bill Nottingham +- fix initscripts req (prereq /etc/init.d) + +* Wed Jul 5 2000 Than Ngo +- add initdir macro to handle the initscript directory +- add a new macro to handle /etc/pam.d/system-auth + +* Thu Jun 29 2000 Nalin Dahyabhai +- enable Kerberos 5 and SSL support +- patch for duplicate profile.h headers + +* Thu Jun 29 2000 Bill Nottingham +- fix init script + +* Tue Jun 27 2000 Bill Nottingham +- rename samba logs (#11606) + +* Mon Jun 26 2000 Bill Nottingham +- initscript munging + +* Fri Jun 16 2000 Bill Nottingham +- configure the swat stuff usefully +- re-integrate some specfile tweaks that got lost somewhere + +* Thu Jun 15 2000 Bill Nottingham +- rebuild to get rid of cups dependency + +* Wed Jun 14 2000 Nalin Dahyabhai +- tweak logrotate configurations to use the PID file in /var/lock/samba + +* Sun Jun 11 2000 Bill Nottingham +- rebuild in new environment + +* Thu Jun 1 2000 Nalin Dahyabhai +- change PAM setup to use system-auth + +* Mon May 8 2000 Bill Nottingham +- fixes for ia64 + +* Sat May 6 2000 Bill Nottingham +- switch to %%configure + +* Wed Apr 26 2000 Nils Philippsen +- version 2.0.7 + +* Sun Mar 26 2000 Florian La Roche +- simplify preun + +* Thu Mar 16 2000 Bill Nottingham +- fix yp_get_default_domain in autoconf +- only link against readline for smbclient +- fix log rotation (#9909) + +* Fri Feb 25 2000 Bill Nottingham +- fix trigger, again. + +* Mon Feb 7 2000 Bill Nottingham +- fix trigger. + +* Fri Feb 4 2000 Bill Nottingham +- turn on quota support + +* Mon Jan 31 2000 Cristian Gafton +- rebuild to fox dependencies +- man pages are compressed + +* Fri Jan 21 2000 Bill Nottingham +- munge post scripts slightly + +* Wed Jan 19 2000 Bill Nottingham +- turn on mmap again. Wheee. +- ship smbmount on alpha + +* Mon Dec 6 1999 Bill Nottingham +- turn off mmap. 
;) + +* Wed Dec 1 1999 Bill Nottingham +- change /var/log/samba to 0700 +- turn on mmap support + +* Thu Nov 11 1999 Bill Nottingham +- update to 2.0.6 + +* Fri Oct 29 1999 Bill Nottingham +- add a %%defattr for -common + +* Tue Oct 5 1999 Bill Nottingham +- shift some files into -client +- remove /home/samba from package. + +* Tue Sep 28 1999 Bill Nottingham +- initscript oopsie. killproc -HUP, not other way around. + +* Sun Sep 26 1999 Bill Nottingham +- script cleanups. Again. + +* Wed Sep 22 1999 Bill Nottingham +- add a patch to fix dropped reconnection attempts + +* Mon Sep 6 1999 Jeff Johnson +- use cp rather than mv to preserve /etc/services perms (#4938 et al). +- use mktemp to generate /etc/tmp.XXXXXX file name. +- add prereqs on sed/mktemp/killall (need to move killall to /bin). +- fix trigger syntax (i.e. "samba < 1.9.18p7" not "samba < samba-1.9.18p7") + +* Mon Aug 30 1999 Bill Nottingham +- sed "s|nawk|gawk|" /usr/bin/convert_smbpasswd + +* Sat Aug 21 1999 Bill Nottingham +- fix typo in mount.smb + +* Fri Aug 20 1999 Bill Nottingham +- add a %%trigger to work around (sort of) broken scripts in + previous releases + +* Mon Aug 16 1999 Bill Nottingham +- initscript munging + +* Mon Aug 9 1999 Bill Nottingham +- add domain parsing to mount.smb + +* Fri Aug 6 1999 Bill Nottingham +- add a -common package, shuffle files around. + +* Fri Jul 23 1999 Bill Nottingham +- add a chmod in %%postun so /etc/services & inetd.conf don't become unreadable + +* Wed Jul 21 1999 Bill Nottingham +- update to 2.0.5 +- fix mount.smb - smbmount options changed again......... +- fix postun. oops. +- update some stuff from the samba team's spec file. 
+ +* Fri Jun 18 1999 Bill Nottingham +- split off clients into separate package +- don't run samba by default + +* Mon Jun 14 1999 Bill Nottingham +- fix one problem with mount.smb script +- fix smbpasswd on sparc with a really ugly kludge + +* Thu Jun 10 1999 Dale Lovelace +- fixed logrotate script + +* Tue May 25 1999 Bill Nottingham +- turn of 64-bit locking on 32-bit platforms + +* Thu May 20 1999 Bill Nottingham +- so many releases, so little time +- explicitly uncomment 'printing = bsd' in sample config + +* Tue May 18 1999 Bill Nottingham +- update to 2.0.4a +- fix mount.smb arg ordering + +* Fri Apr 16 1999 Bill Nottingham +- go back to stop/start for restart (-HUP didn't work in testing) + +* Fri Mar 26 1999 Bill Nottingham +- add a mount.smb to make smb mounting a little easier. +- smb filesystems apparently don't work on alpha. Oops. + +* Thu Mar 25 1999 Bill Nottingham +- always create codepages + +* Tue Mar 23 1999 Bill Nottingham +- logrotate changes + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 3) + +* Fri Mar 19 1999 Preston Brown +- updated init script to use graceful restart (not stop/start) + +* Tue Mar 9 1999 Bill Nottingham +- update to 2.0.3 + +* Thu Feb 18 1999 Bill Nottingham +- update to 2.0.2 + +* Mon Feb 15 1999 Bill Nottingham +- swat swat + +* Tue Feb 9 1999 Bill Nottingham +- fix bash2 breakage in post script + +* Fri Feb 5 1999 Bill Nottingham +- update to 2.0.0 + +* Mon Oct 12 1998 Cristian Gafton +- make sure all binaries are stripped + +* Thu Sep 17 1998 Jeff Johnson +- update to 1.9.18p10. +- fix %%triggerpostun. 
+ +* Tue Jul 07 1998 Erik Troan +- updated postun triggerscript to check $0 +- clear /etc/codepages from %%preun instead of %%postun + +* Mon Jun 08 1998 Erik Troan +- made the %%postun script a tad less agressive; no reason to remove + the logs or lock file (after all, if the lock file is still there, + samba is still running) +- the %%postun and %%preun should only exectute if this is the final + removal +- migrated %%triggerpostun from Red Hat's samba package to work around + packaging problems in some Red Hat samba releases + +* Sun Apr 26 1998 John H Terpstra +- minor tidy up in preparation for release of 1.9.18p5 +- added findsmb utility from SGI package + +* Wed Mar 18 1998 John H Terpstra +- Updated version and codepage info. +- Release to test name resolve order + +* Sat Jan 24 1998 John H Terpstra +- Many optimisations (some suggested by Manoj Kasichainula +- Use of chkconfig in place of individual symlinks to /etc/rc.d/init/smb +- Compounded make line +- Updated smb.init restart mechanism +- Use compound mkdir -p line instead of individual calls to mkdir +- Fixed smb.conf file path for log files +- Fixed smb.conf file path for incoming smb print spool directory +- Added a number of options to smb.conf file +- Added smbadduser command (missed from all previous RPMs) - Doooh! +- Added smbuser file and smb.conf file updates for username map +