diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..15a87be
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+SOURCES/samba-4.6.2.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
new file mode 100644
index 0000000..ac19222
--- /dev/null
+++ b/.samba.metadata
@@ -0,0 +1,2 @@
+6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+57a1a9dce118fa9059f9d3e7a595db3491e265bc SOURCES/samba-4.6.2.tar.xz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/CVE-2017-12150.patch b/SOURCES/CVE-2017-12150.patch
new file mode 100644
index 0000000..7eb1ef8
--- /dev/null
+++ b/SOURCES/CVE-2017-12150.patch
@@ -0,0 +1,381 @@
+From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 29 Aug 2017 17:06:21 +0200
+Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed
+ username into a specified one
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/include/auth_info.h | 1 +
+ source3/lib/popt_common.c | 6 +-----
+ source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++
+ 3 files changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
+index c6f71ad..8212c27 100644
+--- a/source3/include/auth_info.h
++++ b/source3/include/auth_info.h
+@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
+ const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
+ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
+ const char *username);
++void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);
+ const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);
+ void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
+ const char *domain);
+diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
+index 9928c70..36b5e92 100644
+--- a/source3/lib/popt_common.c
++++ b/source3/lib/popt_common.c
+@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)
+ void popt_common_credentials_post(void)
+ {
+ struct user_auth_info *auth_info = cmdline_auth_info;
+- const char *username = NULL;
+
+ if (get_cmdline_auth_info_use_machine_account(auth_info) &&
+ !set_cmdline_auth_info_machine_account_creds(auth_info))
+@@ -259,10 +258,7 @@ void popt_common_credentials_post(void)
+ * correctly parsed yet. If we have a username we need to set it again
+ * to run the string parser for the username correctly.
+ */
+- username = get_cmdline_auth_info_username(auth_info);
+- if (username != NULL && username[0] != '\0') {
+- set_cmdline_auth_info_username(auth_info, username);
+- }
++ reset_cmdline_auth_info_username(auth_info);
+ }
+
+ static void popt_common_credentials_callback(poptContext con,
+diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
+index ad51a4f..80142e2 100644
+--- a/source3/lib/util_cmdline.c
++++ b/source3/lib/util_cmdline.c
+@@ -37,6 +37,7 @@
+ struct user_auth_info {
+ struct cli_credentials *creds;
+ struct loadparm_context *lp_ctx;
++ bool got_username;
+ bool got_pass;
+ int signing_state;
+ bool smb_encrypt;
+@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
+ if (!ok) {
+ exit(EIO);
+ }
++ auth_info->got_username = true;
+ }
+
+ const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
+@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
+ exit(ENOMEM);
+ }
+
++ auth_info->got_username = true;
+ if (strchr_m(username, '%') != NULL) {
+ auth_info->got_pass = true;
+ }
+ }
+
++void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
++{
++ const char *username = NULL;
++ const char *new_val = NULL;
++
++ if (!auth_info->got_username) {
++ return;
++ }
++
++ username = cli_credentials_get_username(auth_info->creds);
++ if (username == NULL) {
++ return;
++ }
++ if (username[0] == '\0') {
++ return;
++ }
++
++ cli_credentials_parse_string(auth_info->creds,
++ username,
++ CRED_SPECIFIED);
++ new_val = cli_credentials_get_username(auth_info->creds);
++ if (new_val == NULL) {
++ exit(ENOMEM);
++ }
++}
++
+ const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
+ {
+ const char *domain = NULL;
+--
+1.9.1
+
+
+From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 3 Nov 2016 17:16:43 +0100
+Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:
+ get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
+
+This is an addition to the fixes for CVE-2015-5296.
+
+It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/lib/util_cmdline.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
+index 80142e2..90ee67c 100644
+--- a/source3/lib/util_cmdline.c
++++ b/source3/lib/util_cmdline.c
+@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
+
+ int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
+ {
++ if (auth_info->smb_encrypt) {
++ return SMB_SIGNING_REQUIRED;
++ }
+ return auth_info->signing_state;
+ }
+
+--
+1.9.1
+
+
+From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 9 Dec 2016 09:26:32 +0100
+Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of
+ SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/pylibsmb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
+index 59c0998..350c6d4 100644
+--- a/source3/libsmb/pylibsmb.c
++++ b/source3/libsmb/pylibsmb.c
+@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
+
+ req = cli_full_connection_creds_send(
+ NULL, self->ev, "myname", host, NULL, 0, share, "?????",
+- cli_creds, 0, 0);
++ cli_creds, 0, SMB_SIGNING_DEFAULT);
+ if (!py_tevent_req_wait_exc(self->ev, req)) {
+ return -1;
+ }
+--
+1.9.1
+
+
+From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Dec 2016 05:49:46 +0100
+Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
+ in gpo_connect_server()
+
+It's important that we use a signed connection to get the GPOs!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libgpo/gpo_fetch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
+index 836bc23..3740d4e 100644
+--- a/libgpo/gpo_fetch.c
++++ b/libgpo/gpo_fetch.c
+@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
+ ads->auth.password,
+ CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
+- Undefined);
++ SMB_SIGNING_REQUIRED);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("check_refresh_gpo: "
+ "failed to connect: %s\n",
+--
+1.9.1
+
+
+From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 29 Aug 2017 15:24:14 +0200
+Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:
+ cli_credentials_authentication_requested() should check for
+ NTLM_CCACHE/SIGN/SEAL
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/credentials/credentials.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index 06648c7..5e3b5e8 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -25,6 +25,7 @@
+ #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
+ #include "auth/credentials/credentials.h"
+ #include "auth/credentials/credentials_internal.h"
++#include "auth/gensec/gensec.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "tevent.h"
+ #include "param/param.h"
+@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
+
+ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
+ {
++ uint32_t gensec_features = 0;
++
+ if (cred->bind_dn) {
+ return true;
+ }
+@@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
+ return true;
+ }
+
++ gensec_features = cli_credentials_get_gensec_features(cred);
++ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
++ return true;
++ }
++
++ if (gensec_features & GENSEC_FEATURE_SIGN) {
++ return true;
++ }
++
++ if (gensec_features & GENSEC_FEATURE_SEAL) {
++ return true;
++ }
++
+ return false;
+ }
+
+--
+1.9.1
+
+
+From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 29 Aug 2017 15:35:49 +0200
+Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add
+ smbXcli_conn_signing_mandatory()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libcli/smb/smbXcli_base.c | 5 +++++
+ libcli/smb/smbXcli_base.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
+index b21d796..239e5eb 100644
+--- a/libcli/smb/smbXcli_base.c
++++ b/libcli/smb/smbXcli_base.c
+@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
+ return false;
+ }
+
++bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
++{
++ return conn->mandatory_signing;
++}
++
+ void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
+ {
+ set_socket_options(conn->sock_fd, options);
+diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
+index e48fc35..2594f07 100644
+--- a/libcli/smb/smbXcli_base.h
++++ b/libcli/smb/smbXcli_base.h
+@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
+
+ enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
+ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
++bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
+
+ void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
+ const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
+--
+1.9.1
+
+
+From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Dec 2016 06:07:56 +0100
+Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
+ authentication was not requested
+
+With forced encryption or required signing we should also don't fallback.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/clidfs.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index 75012b2..fdcd665 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -26,6 +26,7 @@
+ #include "trans2.h"
+ #include "libsmb/nmblib.h"
+ #include "../libcli/smb/smbXcli_base.h"
++#include "auth/credentials/credentials.h"
+
+ /********************************************************************
+ Important point.
+@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ char *servicename;
+ char *sharename;
+ char *newserver, *newshare;
+- const char *username;
+- const char *password;
+- const char *domain;
+ NTSTATUS status;
+ int flags = 0;
+ int signing_state = get_cmdline_auth_info_signing_state(auth_info);
+@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
+ }
+
+- username = get_cmdline_auth_info_username(auth_info);
+- password = get_cmdline_auth_info_password(auth_info);
+- domain = get_cmdline_auth_info_domain(auth_info);
+- if ((domain == NULL) || (domain[0] == '\0')) {
+- domain = lp_workgroup();
+- }
+-
+ creds = get_cmdline_auth_info_creds(auth_info);
+
+ status = cli_session_setup_creds(c, creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ /* If a password was not supplied then
+ * try again with a null username. */
+- if (password[0] || !username[0] ||
+- get_cmdline_auth_info_use_kerberos(auth_info) ||
++ if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
++ cli_credentials_authentication_requested(creds) ||
++ cli_credentials_is_anonymous(creds) ||
+ !NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
+ {
+ d_printf("session setup failed: %s\n",
+--
+1.9.1
+
diff --git a/SOURCES/CVE-2017-12151.patch b/SOURCES/CVE-2017-12151.patch
new file mode 100644
index 0000000..bfd6f80
--- /dev/null
+++ b/SOURCES/CVE-2017-12151.patch
@@ -0,0 +1,111 @@
+From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 14 Aug 2017 12:13:18 +0200
+Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add
+ cli_state_is_encryption_on() helper function
+
+This allows to check if the current cli_state uses encryption
+(either via unix extentions or via SMB3).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/clientgen.c | 13 +++++++++++++
+ source3/libsmb/proto.h | 1 +
+ 2 files changed, 14 insertions(+)
+
+diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
+index bc5c1b1ce3c..3e8523e5ce8 100644
+--- a/source3/libsmb/clientgen.c
++++ b/source3/libsmb/clientgen.c
+@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)
+ return cli->smb1.pid;
+ }
+
++bool cli_state_is_encryption_on(struct cli_state *cli)
++{
++ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
++ return smb1cli_conn_encryption_on(cli->conn);
++ }
++
++ if (cli->smb2.tcon == NULL) {
++ return false;
++ }
++
++ return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
++}
++
+ bool cli_state_has_tcon(struct cli_state *cli)
+ {
+ uint16_t tid = cli_state_get_tid(cli);
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index 764f3fc1b12..67fa43e4e4a 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
+ uint16_t cli_state_get_vc_num(struct cli_state *cli);
+ uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
+ uint32_t cli_getpid(struct cli_state *cli);
++bool cli_state_is_encryption_on(struct cli_state *cli);
+ bool cli_state_has_tcon(struct cli_state *cli);
+ uint16_t cli_state_get_tid(struct cli_state *cli);
+ uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);
+--
+2.13.5
+
+
+From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 17 Dec 2016 10:36:49 +0100
+Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of
+ cli_state_is_encryption_on()
+
+This will keep enforced encryption across dfs referrals.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/clidfs.c | 4 ++--
+ source3/libsmb/libsmb_context.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index c477d7c6a46..99818a681e3 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
+ "IPC$",
+ dfs_auth_info,
+ false,
+- smb1cli_conn_encryption_on(rootcli->conn),
++ cli_state_is_encryption_on(rootcli),
+ smbXcli_conn_protocol(rootcli->conn),
+ 0,
+ 0x20,
+@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
+ dfs_refs[count].share,
+ dfs_auth_info,
+ false,
+- smb1cli_conn_encryption_on(rootcli->conn),
++ cli_state_is_encryption_on(rootcli),
+ smbXcli_conn_protocol(rootcli->conn),
+ 0,
+ 0x20,
+diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
+index ed6ca2b1b9f..b55cf1e2d15 100644
+--- a/source3/libsmb/libsmb_context.c
++++ b/source3/libsmb/libsmb_context.c
+@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
+
+ for (s = context->internal->servers; s; s = s->next) {
+ num_servers++;
+- if (!smb1cli_conn_encryption_on(s->cli->conn)) {
++ if (!cli_state_is_encryption_on(s->cli)) {
+ return (void *)false;
+ }
+ }
+--
+2.13.5
+
diff --git a/SOURCES/CVE-2017-12163.patch b/SOURCES/CVE-2017-12163.patch
new file mode 100644
index 0000000..1e9f99e
--- /dev/null
+++ b/SOURCES/CVE-2017-12163.patch
@@ -0,0 +1,141 @@
+From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 8 Sep 2017 10:13:14 -0700
+Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
+ writing server memory to file.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 317143f..7b07078 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
+ }
+
+ /* Ensure we don't write bytes past the end of this packet. */
++ /*
++ * This already protects us against CVE-2017-12163.
++ */
+ if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ error_to_writebrawerr(req);
+@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
+ exit_server_cleanly("secondary writebraw failed");
+ }
+
++ /*
++ * We are not vulnerable to CVE-2017-12163
++ * here as we are guarenteed to have numtowrite
++ * bytes available - we just read from the client.
++ */
+ nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
+ if (nwritten == -1) {
+ TALLOC_FREE(buf);
+@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
+ connection_struct *conn = req->conn;
+ ssize_t nwritten = -1;
+ size_t numtowrite;
++ size_t remaining;
+ off_t startpos;
+ const char *data;
+ NTSTATUS status = NT_STATUS_OK;
+@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
+ startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ data = (const char *)req->buf + 3;
+
++ /*
++ * Ensure client isn't asking us to write more than
++ * they sent. CVE-2017-12163.
++ */
++ remaining = smbreq_bufrem(req, data);
++ if (numtowrite > remaining) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ END_PROFILE(SMBwriteunlock);
++ return;
++ }
++
+ if (!fsp->print_file && numtowrite > 0) {
+ init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
+ {
+ connection_struct *conn = req->conn;
+ size_t numtowrite;
++ size_t remaining;
+ ssize_t nwritten = -1;
+ off_t startpos;
+ const char *data;
+@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
+ startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ data = (const char *)req->buf + 3;
+
++ /*
++ * Ensure client isn't asking us to write more than
++ * they sent. CVE-2017-12163.
++ */
++ remaining = smbreq_bufrem(req, data);
++ if (numtowrite > remaining) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ END_PROFILE(SMBwrite);
++ return;
++ }
++
+ if (!fsp->print_file) {
+ init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
+ goto out;
+ }
+ } else {
++ /*
++ * This already protects us against CVE-2017-12163.
++ */
+ if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
+ smb_doff + numtowrite > smblen) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
+ {
+ connection_struct *conn = req->conn;
+ size_t numtowrite;
++ size_t remaining;
+ ssize_t nwritten = -1;
+ NTSTATUS close_status = NT_STATUS_OK;
+ off_t startpos;
+@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
+ mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
+ data = (const char *)req->buf + 1;
+
++ /*
++ * Ensure client isn't asking us to write more than
++ * they sent. CVE-2017-12163.
++ */
++ remaining = smbreq_bufrem(req, data);
++ if (numtowrite > remaining) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ END_PROFILE(SMBwriteclose);
++ return;
++ }
++
+ if (fsp->print_file == NULL) {
+ init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
+
+ numtowrite = SVAL(req->buf, 1);
+
++ /*
++ * This already protects us against CVE-2017-12163.
++ */
+ if (req->buflen < numtowrite + 3) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBsplwr);
+--
+1.9.1
+
diff --git a/SOURCES/CVE-2017-14746.patch b/SOURCES/CVE-2017-14746.patch
new file mode 100644
index 0000000..d33d24d
--- /dev/null
+++ b/SOURCES/CVE-2017-14746.patch
@@ -0,0 +1,63 @@
+From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 19 Sep 2017 16:11:33 -0700
+Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When setting up the chain, always use 'next->' variables
+not the 'req->' one.
+
+Bug discovered by 连一汉 <lianyihan@360.cn>
+
+CVE-2017-14746
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/process.c | 7 ++++---
+ source3/smbd/reply.c | 5 +++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/source3/smbd/process.c b/source3/smbd/process.c
+index b65ae2c1b1c..9b2b0a669a2 100644
+--- a/source3/smbd/process.c
++++ b/source3/smbd/process.c
+@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
+
+ next->vuid = SVAL(req->outbuf, smb_uid);
+ next->tid = SVAL(req->outbuf, smb_tid);
+- status = smb1srv_tcon_lookup(req->xconn, req->tid,
++ status = smb1srv_tcon_lookup(req->xconn, next->tid,
+ now, &tcon);
++
+ if (NT_STATUS_IS_OK(status)) {
+- req->conn = tcon->compat;
++ next->conn = tcon->compat;
+ } else {
+- req->conn = NULL;
++ next->conn = NULL;
+ }
+ next->chain_fsp = req->chain_fsp;
+ next->inbuf = req->inbuf;
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 7b07078249b..81acedf0413 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
+ }
+
+ TALLOC_FREE(tcon);
++ /*
++ * This tree id is gone. Make sure we can't re-use it
++ * by accident.
++ */
++ req->tid = 0;
+ }
+
+ if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
+--
+2.14.2.920.gcf0c67979c-goog
+
diff --git a/SOURCES/CVE-2017-15275.patch b/SOURCES/CVE-2017-15275.patch
new file mode 100644
index 0000000..f0510f9
--- /dev/null
+++ b/SOURCES/CVE-2017-15275.patch
@@ -0,0 +1,45 @@
+From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 20 Sep 2017 11:04:50 -0700
+Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
+ talloc buffer is grown.
+
+Ensure we zero out unused grown area.
+
+CVE-2017-15275
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/srvstr.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
+index 56dceba8c6c..c2d70b32c32 100644
+--- a/source3/smbd/srvstr.c
++++ b/source3/smbd/srvstr.c
+@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
+ DEBUG(0, ("srvstr_push failed\n"));
+ return -1;
+ }
++
++ /*
++ * Ensure we clear out the extra data we have
++ * grown the buffer by, but not written to.
++ */
++ if (buf_size + result < buf_size) {
++ return -1;
++ }
++ if (grow_size < result) {
++ return -1;
++ }
++
++ memset(tmp + buf_size + result, '\0', grow_size - result);
++
+ set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
+
+ *outbuf = tmp;
+--
+2.14.2.920.gcf0c67979c-goog
+
diff --git a/SOURCES/CVE-2017-7494.patch b/SOURCES/CVE-2017-7494.patch
new file mode 100644
index 0000000..34b4437
--- /dev/null
+++ b/SOURCES/CVE-2017-7494.patch
@@ -0,0 +1,34 @@
+From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Mon, 8 May 2017 21:40:40 +0200
+Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
+ inside
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_server/srv_pipe.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index 0633b5f..c3f0cd8 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -475,6 +475,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
+ {
+ NTSTATUS status;
+
++ if (strchr(pipename, '/')) {
++ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
++ return false;
++ }
++
+ if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
+ DEBUG(10, ("refusing spoolss access\n"));
+ return false;
+--
+1.9.1
+
diff --git a/SOURCES/README.dc b/SOURCES/README.dc
new file mode 100644
index 0000000..4c101a5
--- /dev/null
+++ b/SOURCES/README.dc
@@ -0,0 +1,20 @@
+MIT Kerberos 5 Support
+=======================
+
+Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of
+choice. The Samba build in Fedora is using MIT Kerberos implementation in order
+to allow system-wide interoperability between both desktop and server
+applications running on the same machine.
+
+At the moment the Samba Active Directory Domain Controller implementation is
+not available with MIT Kereberos. FreeIPA and Samba Team members are currently
+working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux
+distribution integration of Samba AD DC features.
+
+We have just finished migrating the file server and all client utilities to MIT
+Kerberos. The result of this work is available in samba-* packages in Fedora.
+We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos
+KDC will be ready.
+
+In case of further questions do not hesitate to send your inquiries to
+samba-owner@fedoraproject.org
diff --git a/SOURCES/README.downgrade b/SOURCES/README.downgrade
new file mode 100644
index 0000000..5cb0aaa
--- /dev/null
+++ b/SOURCES/README.downgrade
@@ -0,0 +1,29 @@
+Downgrading Samba
+=================
+
+Short version: data-preserving downgrades between Samba versions are not supported
+
+Long version:
+With Samba development there are cases when on-disk database format evolves.
+In general, Samba Team attempts to maintain forward compatibility and
+automatically upgrade databases during runtime when requires.
+However, when downgrade is required Samba will not perform downgrade to
+existing databases. It may be impossible if new features that caused database
+upgrade are in use. Thus, one needs to consider a downgrade procedure before
+actually downgrading Samba setup.
+
+Please always perform back up prior both upgrading and downgrading across major
+version changes. Restoring database files is easiest and simplest way to get to
+previously working setup.
+
+Easiest way to downgrade is to remove all created databases and start from scratch.
+This means losing all authentication and domain relationship data, as well as
+user databases (in case of tdb storage), printers, registry settings, and winbindd
+caches.
+
+Remove databases in following locations:
+/var/lib/samba/*.tdb
+/var/lib/samba/private/*.tdb
+
+In particular, registry settings are known to prevent running downgraded versions
+(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.
diff --git a/SOURCES/pam_winbind.conf b/SOURCES/pam_winbind.conf
new file mode 100644
index 0000000..dd0b112
--- /dev/null
+++ b/SOURCES/pam_winbind.conf
@@ -0,0 +1,38 @@
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+
+[global]
+
+# turn on debugging
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+;cached_login = no
+
+# authenticate using kerberos
+;krb5_auth = no
+
+# when using kerberos, request a "FILE" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+;krb5_ccache_type =
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+
+# omit pam conversations
+;silent = no
+
+# create homedirectory on the fly
+;mkhomedir = no
diff --git a/SOURCES/samba-4.6.2.tar.asc b/SOURCES/samba-4.6.2.tar.asc
new file mode 100644
index 0000000..9d1e563
--- /dev/null
+++ b/SOURCES/samba-4.6.2.tar.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz
+DQw3KuAbWCKIgkHcy1zZr2o=
+=bIg5
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch
new file mode 100644
index 0000000..f89ec30
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch
@@ -0,0 +1,37 @@
+From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 5 Jan 2017 09:34:36 +0100
+Subject: [PATCH] replace: Include sysmacros.h
+
+In the GNU C Library, "makedev" is defined by <sys/sysmacros.h>. For
+historical compatibility, it is currently defined by <sys/types.h> as
+well, but it is planned to remove this soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+
+(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
+---
+ lib/replace/replace.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/replace/replace.h b/lib/replace/replace.h
+index c69a069e4b3..1dbeacfff66 100644
+--- a/lib/replace/replace.h
++++ b/lib/replace/replace.h
+@@ -171,6 +171,10 @@
+ #include <sys/types.h>
+ #endif
+
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
++
+ #ifdef HAVE_SETPROCTITLE_H
+ #include <setproctitle.h>
+ #endif
+--
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
new file mode 100644
index 0000000..02db440
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
@@ -0,0 +1,1731 @@
+From 76aae7405595ca76bc0419a97f4a69e0ed528b32 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 29 Dec 2016 14:00:36 +0100
+Subject: [PATCH 01/20] s4:gensec_gssapi: the value
+ gensec_get_target_principal() should overwrite gensec_get_target_hostname()
+
+If gensec_get_target_principal() has a value, we no longer have to verify
+the gensec_get_target_hostname() value, it can be just an ipadress.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 48bcca566ebb3a5385b15b0525d7fbdd06361e04)
+---
+ source4/auth/gensec/gensec_gssapi.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index a6c4019aa6f..3974c3d42a0 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -307,7 +307,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ gss_buffer_desc name_token;
+ gss_OID name_type;
+ OM_uint32 maj_stat, min_stat;
++ const char *target_principal = NULL;
+ const char *hostname = gensec_get_target_hostname(gensec_security);
++ const char *service = gensec_get_target_service(gensec_security);
++ const char *realm = cli_credentials_get_realm(creds);
++
++ target_principal = gensec_get_target_principal(gensec_security);
++ if (target_principal != NULL) {
++ goto do_start;
++ }
+
+ if (!hostname) {
+ DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n"));
+@@ -322,6 +330,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
++do_start:
++
+ nt_status = gensec_gssapi_start(gensec_security);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+@@ -333,16 +343,18 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
+ }
+
+- gensec_gssapi_state->target_principal = gensec_get_target_principal(gensec_security);
+- if (gensec_gssapi_state->target_principal) {
++ if (target_principal != NULL) {
+ name_type = GSS_C_NULL_OID;
+ } else {
+- gensec_gssapi_state->target_principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s",
+- gensec_get_target_service(gensec_security),
+- hostname, cli_credentials_get_realm(creds));
+-
++ target_principal = talloc_asprintf(gensec_gssapi_state,
++ "%s/%s@%s", service, hostname, realm);
++ if (target_principal == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
+ name_type = GSS_C_NT_USER_NAME;
+ }
++ gensec_gssapi_state->target_principal = target_principal;
++
+ name_token.value = discard_const_p(uint8_t, gensec_gssapi_state->target_principal);
+ name_token.length = strlen(gensec_gssapi_state->target_principal);
+
+--
+2.12.0
+
+
+From 12d74cd165db3603ba2f3a58343e9a82fb22ee93 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 29 Dec 2016 15:20:00 +0100
+Subject: [PATCH 02/20] s4:gensec_gssapi: require a realm in
+ gensec_gssapi_client_start()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 3a870baee8d9dbe5359f04a108814afc27e57d46)
+---
+ source4/auth/gensec/gensec_gssapi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 3974c3d42a0..957cfa4229d 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -330,6 +330,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
++ if (realm == NULL) {
++ const char *cred_name = cli_credentials_get_unparsed_name(creds,
++ gensec_security);
++ DEBUG(3, ("cli_credentials(%s) without realm, "
++ "cannot use kerberos for this connection %s/%s\n",
++ cred_name, service, hostname));
++ talloc_free(discard_const_p(char, cred_name));
++ return NT_STATUS_INVALID_PARAMETER;
++ }
++
+ do_start:
+
+ nt_status = gensec_gssapi_start(gensec_security);
+--
+2.12.0
+
+
+From beb9e4379333872ff1e5a3422ba70ccb409e9915 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 6 Mar 2017 09:13:09 +0100
+Subject: [PATCH 03/20] testprogs: Use smbclient by default in
+ test_kinit_trusts
+
+This is the tool we use by default and we should test with it.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 9b3ff90dbc5cc1017dfc89831a1081272e6c2356)
+---
+ testprogs/blackbox/test_kinit_trusts_heimdal.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
+index 073e0e7517e..040bf919203 100755
+--- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh
++++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
+@@ -32,7 +32,7 @@ if test -x $samba4bindir/samba4kinit; then
+ samba4kinit=$samba4bindir/samba4kinit
+ fi
+
+-smbclient="$samba4bindir/smbclient4"
++smbclient="$samba4bindir/smbclient"
+ wbinfo="$samba4bindir/wbinfo"
+ rpcclient="$samba4bindir/rpcclient"
+ samba_tool="$samba4bindir/samba-tool"
+--
+2.12.0
+
+
+From 7feebdec869ed633bea612630ebca8d9b85a3e2e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 6 Mar 2017 09:15:45 +0100
+Subject: [PATCH 04/20] testprogs: Add kinit_trusts tests with smbclient4
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 42bd003f468ab95b6ac97c774e2cd217d06c05ed)
+---
+ testprogs/blackbox/test_kinit_trusts_heimdal.sh | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
+index 040bf919203..e67f77361a4 100755
+--- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh
++++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
+@@ -52,8 +52,16 @@ rm -rf $KRB5CCNAME_PATH
+ echo $TRUST_PASSWORD > $PREFIX/tmppassfile
+ testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
+ test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
++rm -rf $KRB5CCNAME_PATH
++
++# Test with smbclient4
++smbclient="$samba4bindir/smbclient4"
++testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
++test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
++rm -rf $KRB5CCNAME_PATH
+
+ testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
++smbclient="$samba4bindir/smbclient"
+ test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+
+ if test x"${TYPE}" = x"forest" ;then
+--
+2.12.0
+
+
+From cae7475df03e7d464dc8642a7a02dad388215d1e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 10:40:08 +0100
+Subject: [PATCH 05/20] krb5_wrap: Do not return an empty realm from
+ smb_krb5_get_realm_from_hostname()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 946f9dd1170be63b91e31ce825ea123f3c07329b)
+---
+ lib/krb5_wrap/krb5_samba.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 10b42dec53f..9dc7304d566 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2691,7 +2691,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ goto out;
+ }
+
+- if (realm_list && realm_list[0]) {
++ if (realm_list != NULL &&
++ realm_list[0] != NULL &&
++ realm_list[0][0] != '\0') {
+ realm = talloc_strdup(mem_ctx, realm_list[0]);
+ }
+
+--
+2.12.0
+
+
+From 1d2b4a00e2a1213df81192e01f2d833ed4a6ec54 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 10:48:52 +0100
+Subject: [PATCH 06/20] krb5_wrap: Try to guess the correct realm from the
+ service hostname
+
+If we do not get a realm mapping from the krb5.conf or from the Kerberos
+library try to guess it from the service hostname. The guessing of the
+realm from the service hostname is already implemented in Heimdal. This
+makes the behavior of smb_krb5_get_realm_from_hostname() consistent
+with both MIT and Heimdal.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 65228925ab3c4da4ae299f77cae219fc7d37cc68)
+---
+ lib/krb5_wrap/krb5_samba.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 9dc7304d566..f8ef9f1df0f 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2695,6 +2695,19 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ realm_list[0] != NULL &&
+ realm_list[0][0] != '\0') {
+ realm = talloc_strdup(mem_ctx, realm_list[0]);
++ } else {
++ const char *p = NULL;
++
++ /*
++ * "dc6.samba2003.example.com"
++ * returns a realm of "SAMBA2003.EXAMPLE.COM"
++ *
++ * "dc6." returns realm as NULL
++ */
++ p = strchr_m(hostname, '.');
++ if (p != NULL && p[1] != '\0') {
++ realm = talloc_strdup_upper(mem_ctx, p + 1);
++ }
+ }
+
+ out:
+--
+2.12.0
+
+
+From 0e99683587c9047055ca6432fae0a11604710b69 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 11:56:30 +0100
+Subject: [PATCH 07/20] krb5_wrap: pass client_realm to
+ smb_krb5_get_realm_from_hostname()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit f0c4fcace586197d5c170f6a9dcc175df23e3802)
+---
+ lib/krb5_wrap/krb5_samba.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index f8ef9f1df0f..36bcc65e22a 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2664,7 +2664,8 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
+ ************************************************************************/
+
+ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+- const char *hostname)
++ const char *hostname,
++ const char *client_realm)
+ {
+ #if defined(HAVE_KRB5_REALM_TYPE)
+ /* Heimdal. */
+@@ -2695,6 +2696,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ realm_list[0] != NULL &&
+ realm_list[0][0] != '\0') {
+ realm = talloc_strdup(mem_ctx, realm_list[0]);
++ if (realm == NULL) {
++ goto out;
++ }
+ } else {
+ const char *p = NULL;
+
+@@ -2707,9 +2711,16 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ p = strchr_m(hostname, '.');
+ if (p != NULL && p[1] != '\0') {
+ realm = talloc_strdup_upper(mem_ctx, p + 1);
++ if (realm == NULL) {
++ goto out;
++ }
+ }
+ }
+
++ if (realm == NULL) {
++ realm = talloc_strdup(mem_ctx, client_realm);
++ }
++
+ out:
+
+ if (ctx) {
+@@ -2752,7 +2763,8 @@ char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+ if (host) {
+ /* DNS name. */
+ realm = smb_krb5_get_realm_from_hostname(talloc_tos(),
+- remote_name);
++ remote_name,
++ default_realm);
+ } else {
+ /* NetBIOS name - use our realm. */
+ realm = smb_krb5_get_default_realm_from_ccache(talloc_tos());
+--
+2.12.0
+
+
+From 6876b0d12f8aad4448f4a7d770db7ff129df6c50 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 11:56:30 +0100
+Subject: [PATCH 08/20] krb5_wrap: Make smb_krb5_get_realm_from_hostname()
+ public
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 339a2ecb3f05d0c9e860a5dd59b8bdbc51d4ffa7)
+---
+ lib/krb5_wrap/krb5_samba.c | 28 +++++++++++++++++++++-------
+ lib/krb5_wrap/krb5_samba.h | 4 ++++
+ 2 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 36bcc65e22a..2b0ec6bfa0e 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2659,13 +2659,27 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
+ return realm;
+ }
+
+-/************************************************************************
+- Routine to get the realm from a given DNS name.
+-************************************************************************/
+-
+-static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+- const char *hostname,
+- const char *client_realm)
++/**
++ * @brief Get the realm from the service hostname.
++ *
++ * This function will look for a domain realm mapping in the [domain_realm]
++ * section of the krb5.conf first and fallback to extract the realm from
++ * the provided service hostname. As a last resort it will return the
++ * provided client_realm.
++ *
++ * @param[in] mem_ctx The talloc context
++ *
++ * @param[in] hostname The service hostname
++ *
++ * @param[in] client_realm If we can not find a mapping, fall back to
++ * this realm.
++ *
++ * @return The realm to use for the service hostname, NULL if a fatal error
++ * occured.
++ */
++char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
++ const char *hostname,
++ const char *client_realm)
+ {
+ #if defined(HAVE_KRB5_REALM_TYPE)
+ /* Heimdal. */
+diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
+index 71e81ea26e1..accae449a0e 100644
+--- a/lib/krb5_wrap/krb5_samba.h
++++ b/lib/krb5_wrap/krb5_samba.h
+@@ -314,6 +314,10 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
+ krb5_principal principal,
+ const char *realm);
+
++char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
++ const char *hostname,
++ const char *client_realm);
++
+ char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+ const char *service,
+ const char *remote_name,
+--
+2.12.0
+
+
+From 08a81c315129c3d07637a8a5064b4ef988864efd Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 6 Mar 2017 09:19:13 +0100
+Subject: [PATCH 09/20] s4:gensec-gssapi: Create a helper function to setup
+ server_principal
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 8f7c4529420316b553c80cd3d19b6996525b029a)
+---
+ source4/auth/gensec/gensec_gssapi.c | 88 +++++++++++++++++++++++++------------
+ source4/auth/gensec/gensec_gssapi.h | 2 +-
+ 2 files changed, 61 insertions(+), 29 deletions(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 957cfa4229d..ec57d193714 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -83,6 +83,56 @@ static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_st
+ return 0;
+ }
+
++static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx,
++ const char *target_principal,
++ const char *service,
++ const char *hostname,
++ const char *realm,
++ const gss_OID mech,
++ char **pserver_principal,
++ gss_name_t *pserver_name)
++{
++ char *server_principal = NULL;
++ gss_buffer_desc name_token;
++ gss_OID name_type;
++ OM_uint32 maj_stat, min_stat = 0;
++
++ if (target_principal != NULL) {
++ server_principal = talloc_strdup(mem_ctx, target_principal);
++ name_type = GSS_C_NULL_OID;
++ } else {
++ server_principal = talloc_asprintf(mem_ctx,
++ "%s/%s@%s",
++ service, hostname, realm);
++ name_type = GSS_C_NT_USER_NAME;
++ }
++ if (server_principal == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ name_token.value = (uint8_t *)server_principal;
++ name_token.length = strlen(server_principal);
++
++ maj_stat = gss_import_name(&min_stat,
++ &name_token,
++ name_type,
++ pserver_name);
++ if (maj_stat) {
++ DBG_WARNING("GSS Import name of %s failed: %s\n",
++ server_principal,
++ gssapi_error_string(mem_ctx,
++ maj_stat,
++ min_stat,
++ mech));
++ TALLOC_FREE(server_principal);
++ return NT_STATUS_INVALID_PARAMETER;
++ }
++
++ *pserver_principal = server_principal;
++
++ return NT_STATUS_OK;
++}
++
+ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
+ {
+ struct gensec_gssapi_state *gensec_gssapi_state;
+@@ -304,9 +354,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ struct gensec_gssapi_state *gensec_gssapi_state;
+ struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+ NTSTATUS nt_status;
+- gss_buffer_desc name_token;
+- gss_OID name_type;
+- OM_uint32 maj_stat, min_stat;
+ const char *target_principal = NULL;
+ const char *hostname = gensec_get_target_hostname(gensec_security);
+ const char *service = gensec_get_target_service(gensec_security);
+@@ -353,31 +400,16 @@ do_start:
+ gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
+ }
+
+- if (target_principal != NULL) {
+- name_type = GSS_C_NULL_OID;
+- } else {
+- target_principal = talloc_asprintf(gensec_gssapi_state,
+- "%s/%s@%s", service, hostname, realm);
+- if (target_principal == NULL) {
+- return NT_STATUS_NO_MEMORY;
+- }
+- name_type = GSS_C_NT_USER_NAME;
+- }
+- gensec_gssapi_state->target_principal = target_principal;
+-
+- name_token.value = discard_const_p(uint8_t, gensec_gssapi_state->target_principal);
+- name_token.length = strlen(gensec_gssapi_state->target_principal);
+-
+-
+- maj_stat = gss_import_name (&min_stat,
+- &name_token,
+- name_type,
+- &gensec_gssapi_state->server_name);
+- if (maj_stat) {
+- DEBUG(2, ("GSS Import name of %s failed: %s\n",
+- (char *)name_token.value,
+- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+- return NT_STATUS_INVALID_PARAMETER;
++ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
++ target_principal,
++ service,
++ hostname,
++ realm,
++ gensec_gssapi_state->gss_oid,
++ &gensec_gssapi_state->target_principal,
++ &gensec_gssapi_state->server_name);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ return nt_status;
+ }
+
+ return NT_STATUS_OK;
+diff --git a/source4/auth/gensec/gensec_gssapi.h b/source4/auth/gensec/gensec_gssapi.h
+index cf0e3a8d914..d788b5ebc38 100644
+--- a/source4/auth/gensec/gensec_gssapi.h
++++ b/source4/auth/gensec/gensec_gssapi.h
+@@ -65,5 +65,5 @@ struct gensec_gssapi_state {
+ int gss_exchange_count;
+ size_t sig_size;
+
+- const char *target_principal;
++ char *target_principal;
+ };
+--
+2.12.0
+
+
+From 78a76c53e9b0e7caf67a43eeb7929a4fe94fa25e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 12:34:59 +0100
+Subject: [PATCH 10/20] s4:gensec_gssapi: Move setup of service_principal to
+ update function
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit bf6358bf035e7ad48bd15cc2164afab2a19e7ad6)
+---
+ source4/auth/gensec/gensec_gssapi.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index ec57d193714..6cb4431e0d9 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -400,18 +400,6 @@ do_start:
+ gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
+ }
+
+- nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+- target_principal,
+- service,
+- hostname,
+- realm,
+- gensec_gssapi_state->gss_oid,
+- &gensec_gssapi_state->target_principal,
+- &gensec_gssapi_state->server_name);
+- if (!NT_STATUS_IS_OK(nt_status)) {
+- return nt_status;
+- }
+-
+ return NT_STATUS_OK;
+ }
+
+@@ -452,7 +440,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ OM_uint32 min_stat2;
+ gss_buffer_desc input_token = { 0, NULL };
+ gss_buffer_desc output_token = { 0, NULL };
+-
++ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
++ const char *target_principal = gensec_get_target_principal(gensec_security);
++ const char *hostname = gensec_get_target_hostname(gensec_security);
++ const char *service = gensec_get_target_service(gensec_security);
++ const char *client_realm = cli_credentials_get_realm(cli_creds);
+ gss_OID gss_oid_p = NULL;
+ OM_uint32 time_req = 0;
+ OM_uint32 time_rec = 0;
+@@ -491,6 +483,21 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ #endif
++
++ if (gensec_gssapi_state->server_name == NULL) {
++ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
++ target_principal,
++ service,
++ hostname,
++ client_realm,
++ gensec_gssapi_state->gss_oid,
++ &gensec_gssapi_state->target_principal,
++ &gensec_gssapi_state->server_name);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ return nt_status;
++ }
++ }
++
+ maj_stat = gss_init_sec_context(&min_stat,
+ gensec_gssapi_state->client_cred->creds,
+ &gensec_gssapi_state->gssapi_context,
+--
+2.12.0
+
+
+From 7541d4a3c1a665925c8d3aa97963729874c70761 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 11:03:17 +0100
+Subject: [PATCH 11/20] s4:gensec_gssapi: Use
+ smb_krb5_get_realm_from_hostname()
+
+With credentials for administrator@FOREST1.EXAMPLE.COM
+this patch changes the target_principal for
+the ldap service of host dc2.forest2.example.com
+from
+
+ ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+
+to
+
+ ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
+
+Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
+to generate a referral ticket for
+krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
+
+The problem is that KDCs only return such referral tickets
+if there's a forest trust between FOREST1.EXAMPLE.COM
+and FOREST2.EXAMPLE.COM. If there's only an external domain
+trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
+the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
+when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
+
+In the case of an external trust the client can still ask
+explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
+and the KDC of FOREST1.EXAMPLE.COM will generate it.
+
+From there the client can use the
+krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
+ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
+service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
+
+With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
+when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
+target principal. As _krb5_get_cred_kdc_any() first calls
+get_cred_kdc_referral() (which always starts with the client realm)
+and falls back to get_cred_kdc_capath() (which starts with the given realm).
+
+MIT krb5 only tries the given realm of the target principal,
+if we want to autodetect support for transitive forest trusts,
+we'll have to do the fallback ourself.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 3781eb250173981a8890b82d1ff9358f144034cd)
+---
+ source4/auth/gensec/gensec_gssapi.c | 62 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 6cb4431e0d9..57392a04e60 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -445,6 +445,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ const char *hostname = gensec_get_target_hostname(gensec_security);
+ const char *service = gensec_get_target_service(gensec_security);
+ const char *client_realm = cli_credentials_get_realm(cli_creds);
++ const char *server_realm = NULL;
+ gss_OID gss_oid_p = NULL;
+ OM_uint32 time_req = 0;
+ OM_uint32 time_rec = 0;
+@@ -484,12 +485,71 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ }
+ #endif
+
++ /*
++ * With credentials for
++ * administrator@FOREST1.EXAMPLE.COM this patch changes
++ * the target_principal for the ldap service of host
++ * dc2.forest2.example.com from
++ *
++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
++ *
++ * to
++ *
++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
++ *
++ * Typically
++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
++ * should be used in order to allow the KDC of
++ * FOREST1.EXAMPLE.COM to generate a referral ticket
++ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
++ *
++ * The problem is that KDCs only return such referral
++ * tickets if there's a forest trust between
++ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If
++ * there's only an external domain trust between
++ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC
++ * of FOREST1.EXAMPLE.COM will respond with
++ * S_PRINCIPAL_UNKNOWN when being asked for
++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
++ *
++ * In the case of an external trust the client can
++ * still ask explicitly for
++ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and
++ * the KDC of FOREST1.EXAMPLE.COM will generate it.
++ *
++ * From there the client can use the
++ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
++ * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
++ * service ticket for
++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
++ *
++ * With Heimdal we'll get the fallback on
++ * S_PRINCIPAL_UNKNOWN behavior when we pass
++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
++ * target principal. As _krb5_get_cred_kdc_any() first
++ * calls get_cred_kdc_referral() (which always starts
++ * with the client realm) and falls back to
++ * get_cred_kdc_capath() (which starts with the given
++ * realm).
++ *
++ * MIT krb5 only tries the given realm of the target
++ * principal, if we want to autodetect support for
++ * transitive forest trusts, would have to do the
++ * fallback ourself.
++ */
+ if (gensec_gssapi_state->server_name == NULL) {
++ server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
++ hostname,
++ client_realm);
++ if (server_realm == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+ target_principal,
+ service,
+ hostname,
+- client_realm,
++ server_realm,
+ gensec_gssapi_state->gss_oid,
+ &gensec_gssapi_state->target_principal,
+ &gensec_gssapi_state->server_name);
+--
+2.12.0
+
+
+From 97935a1164d328b466bc305c37869e78d306173a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 13:10:05 +0100
+Subject: [PATCH 12/20] s4:gensec_gssapi: Correctly handle external trusts with
+ MIT
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 2dd4887648bf006a577e03fc027e881738ca04ab)
+---
+ source4/auth/gensec/gensec_gssapi.c | 51 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 57392a04e60..61911aae9d9 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -464,6 +464,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ switch (gensec_security->gensec_role) {
+ case GENSEC_CLIENT:
+ {
++ bool fallback = false;
+ #ifdef SAMBA4_USES_HEIMDAL
+ struct gsskrb5_send_to_kdc send_to_kdc;
+ krb5_error_code ret;
+@@ -537,6 +538,48 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ * transitive forest trusts, would have to do the
+ * fallback ourself.
+ */
++#ifndef SAMBA4_USES_HEIMDAL
++ if (gensec_gssapi_state->server_name == NULL) {
++ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
++ target_principal,
++ service,
++ hostname,
++ client_realm,
++ gensec_gssapi_state->gss_oid,
++ &gensec_gssapi_state->target_principal,
++ &gensec_gssapi_state->server_name);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ return nt_status;
++ }
++
++ maj_stat = gss_init_sec_context(&min_stat,
++ gensec_gssapi_state->client_cred->creds,
++ &gensec_gssapi_state->gssapi_context,
++ gensec_gssapi_state->server_name,
++ gensec_gssapi_state->gss_oid,
++ gensec_gssapi_state->gss_want_flags,
++ time_req,
++ gensec_gssapi_state->input_chan_bindings,
++ &input_token,
++ &gss_oid_p,
++ &output_token,
++ &gensec_gssapi_state->gss_got_flags, /* ret flags */
++ &time_rec);
++ if (maj_stat != GSS_S_FAILURE) {
++ goto init_sec_context_done;
++ }
++ if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
++ goto init_sec_context_done;
++ }
++ if (target_principal != NULL) {
++ goto init_sec_context_done;
++ }
++
++ fallback = true;
++ TALLOC_FREE(gensec_gssapi_state->target_principal);
++ gss_release_name(&min_stat2, &gensec_gssapi_state->server_name);
++ }
++#endif /* !SAMBA4_USES_HEIMDAL */
+ if (gensec_gssapi_state->server_name == NULL) {
+ server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
+ hostname,
+@@ -545,6 +588,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ return NT_STATUS_NO_MEMORY;
+ }
+
++ if (fallback &&
++ strequal(client_realm, server_realm)) {
++ goto init_sec_context_done;
++ }
++
+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+ target_principal,
+ service,
+@@ -571,6 +619,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ &output_token,
+ &gensec_gssapi_state->gss_got_flags, /* ret flags */
+ &time_rec);
++ goto init_sec_context_done;
++ /* JUMP! */
++init_sec_context_done:
+ if (gss_oid_p) {
+ gensec_gssapi_state->gss_oid = gss_oid_p;
+ }
+--
+2.12.0
+
+
+From 71a49b84ebb8d45d91d21ebf92d3c7302b24f490 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 07:54:29 +0100
+Subject: [PATCH 13/20] s3:gse: Use smb_krb5_get_realm_from_hostname()
+
+With credentials for administrator@FOREST1.EXAMPLE.COM
+this patch changes the target_principal for
+the ldap service of host dc2.forest2.example.com
+from
+
+ ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+
+to
+
+ ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
+
+Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
+to generate a referral ticket for
+krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
+
+The problem is that KDCs only return such referral tickets
+if there's a forest trust between FOREST1.EXAMPLE.COM
+and FOREST2.EXAMPLE.COM. If there's only an external domain
+trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
+the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
+when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
+
+In the case of an external trust the client can still ask
+explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
+and the KDC of FOREST1.EXAMPLE.COM will generate it.
+
+From there the client can use the
+krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
+ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
+service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
+
+With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
+when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
+target principal. As _krb5_get_cred_kdc_any() first calls
+get_cred_kdc_referral() (which always starts with the client realm)
+and falls back to get_cred_kdc_capath() (which starts with the given realm).
+
+MIT krb5 only tries the given realm of the target principal,
+if we want to autodetect support for transitive forest trusts,
+we'll have to do the fallback ourself.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit a3d95ed9037fb8b14a451da02dcadf011485ae34)
+---
+ source3/librpc/crypto/gse.c | 93 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 68 insertions(+), 25 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index abf20bc7dfd..57632f6cc8f 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -120,6 +120,54 @@ static int gse_context_destructor(void *ptr)
+ return 0;
+ }
+
++static NTSTATUS gse_setup_server_principal(TALLOC_CTX *mem_ctx,
++ const char *target_principal,
++ const char *service,
++ const char *hostname,
++ const char *realm,
++ char **pserver_principal,
++ gss_name_t *pserver_name)
++{
++ char *server_principal = NULL;
++ gss_buffer_desc name_token;
++ gss_OID name_type;
++ OM_uint32 maj_stat, min_stat = 0;
++
++ if (target_principal != NULL) {
++ server_principal = talloc_strdup(mem_ctx, target_principal);
++ name_type = GSS_C_NULL_OID;
++ } else {
++ server_principal = talloc_asprintf(mem_ctx,
++ "%s/%s@%s",
++ service,
++ hostname,
++ realm);
++ name_type = GSS_C_NT_USER_NAME;
++ }
++ if (server_principal == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ name_token.value = (uint8_t *)server_principal;
++ name_token.length = strlen(server_principal);
++
++ maj_stat = gss_import_name(&min_stat,
++ &name_token,
++ name_type,
++ pserver_name);
++ if (maj_stat) {
++ DBG_WARNING("GSS Import name of %s failed: %s\n",
++ server_principal,
++ gse_errstr(mem_ctx, maj_stat, min_stat));
++ TALLOC_FREE(server_principal);
++ return NT_STATUS_INVALID_PARAMETER;
++ }
++
++ *pserver_principal = server_principal;
++
++ return NT_STATUS_OK;
++}
++
+ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ bool do_sign, bool do_seal,
+ const char *ccache_name,
+@@ -203,11 +251,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ {
+ struct gse_context *gse_ctx;
+ OM_uint32 gss_maj, gss_min;
+- gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
+ #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
+ gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+ gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
+ #endif
++ char *server_principal = NULL;
++ char *server_realm = NULL;
+ NTSTATUS status;
+
+ if (!server || !service) {
+@@ -223,30 +272,24 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+
+ /* Guess the realm based on the supplied service, and avoid the GSS libs
+ doing DNS lookups which may fail.
+-
+- TODO: Loop with the KDC on some more combinations (local
+- realm in particular), possibly falling back to
+- GSS_C_NT_HOSTBASED_SERVICE
+ */
+- name_buffer.value =
+- smb_krb5_get_principal_from_service_hostname(gse_ctx,
+- service,
+- server,
+- realm);
+- if (!name_buffer.value) {
+- status = NT_STATUS_NO_MEMORY;
+- goto err_out;
++ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
++ server,
++ realm);
++ if (server_realm == NULL) {
++ return NT_STATUS_NO_MEMORY;
+ }
+- name_buffer.length = strlen((char *)name_buffer.value);
+- gss_maj = gss_import_name(&gss_min, &name_buffer,
+- GSS_C_NT_USER_NAME,
+- &gse_ctx->server_name);
+- if (gss_maj) {
+- DEBUG(5, ("gss_import_name failed for %s, with [%s]\n",
+- (char *)name_buffer.value,
+- gse_errstr(gse_ctx, gss_maj, gss_min)));
+- status = NT_STATUS_INTERNAL_ERROR;
+- goto err_out;
++
++ status = gse_setup_server_principal(mem_ctx,
++ NULL,
++ service,
++ server,
++ server_realm,
++ &server_principal,
++ &gse_ctx->server_name);
++ TALLOC_FREE(server_realm);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
+ }
+
+ /* TODO: get krb5 ticket using username/password, if no valid
+@@ -299,11 +342,11 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ #endif
+
+ *_gse_ctx = gse_ctx;
+- TALLOC_FREE(name_buffer.value);
++ TALLOC_FREE(server_principal);
+ return NT_STATUS_OK;
+
+ err_out:
+- TALLOC_FREE(name_buffer.value);
++ TALLOC_FREE(server_principal);
+ TALLOC_FREE(gse_ctx);
+ return status;
+ }
+--
+2.12.0
+
+
+From 905cdd3ee1fea0bf0e2081da4489934944c55fa9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 09:10:12 +0100
+Subject: [PATCH 14/20] krb5_wrap: Remove obsolete
+ smb_krb5_get_principal_from_service_hostname()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 804e828d52ec922f3970e847652ab1ee5538b9b0)
+---
+ lib/krb5_wrap/krb5_samba.c | 111 ---------------------------------------------
+ lib/krb5_wrap/krb5_samba.h | 5 --
+ 2 files changed, 116 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 2b0ec6bfa0e..0b67ea52a19 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2604,61 +2604,6 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
+ }
+
+
+-/************************************************************************
+- Routine to get the default realm from the kerberos credentials cache.
+- Caller must free if the return value is not NULL.
+-************************************************************************/
+-
+-static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
+-{
+- char *realm = NULL;
+- krb5_context ctx = NULL;
+- krb5_ccache cc = NULL;
+- krb5_principal princ = NULL;
+-
+- initialize_krb5_error_table();
+- if (krb5_init_context(&ctx)) {
+- return NULL;
+- }
+-
+- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
+- "Trying to read krb5 cache: %s\n",
+- krb5_cc_default_name(ctx)));
+- if (krb5_cc_default(ctx, &cc)) {
+- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
+- "failed to read default cache\n"));
+- goto out;
+- }
+- if (krb5_cc_get_principal(ctx, cc, &princ)) {
+- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
+- "failed to get default principal\n"));
+- goto out;
+- }
+-
+-#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
+- realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ));
+-#elif defined(HAVE_KRB5_PRINC_REALM)
+- {
+- krb5_data *realm_data = krb5_princ_realm(ctx, princ);
+- realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length);
+- }
+-#endif
+-
+- out:
+-
+- if (ctx) {
+- if (princ) {
+- krb5_free_principal(ctx, princ);
+- }
+- if (cc) {
+- krb5_cc_close(ctx, cc);
+- }
+- krb5_free_context(ctx);
+- }
+-
+- return realm;
+-}
+-
+ /**
+ * @brief Get the realm from the service hostname.
+ *
+@@ -2749,62 +2694,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ }
+
+ /**
+- * @brief Get the principal as a string from the service hostname.
+- *
+- * @param[in] mem_ctx The talloc context
+- *
+- * @param[in] service The service name
+- *
+- * @param[in] remote_name The remote name
+- *
+- * @param[in] default_realm The default_realm if we cannot get it from the
+- * hostname or netbios name.
+- *
+- * @return A talloc'ed principal string or NULL if an error occured.
+- *
+- * The caller needs to free the principal with talloc_free() if it isn't needed
+- * anymore.
+- */
+-char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+- const char *service,
+- const char *remote_name,
+- const char *default_realm)
+-{
+- char *realm = NULL;
+- char *host = NULL;
+- char *principal;
+- host = strchr_m(remote_name, '.');
+- if (host) {
+- /* DNS name. */
+- realm = smb_krb5_get_realm_from_hostname(talloc_tos(),
+- remote_name,
+- default_realm);
+- } else {
+- /* NetBIOS name - use our realm. */
+- realm = smb_krb5_get_default_realm_from_ccache(talloc_tos());
+- }
+-
+- if (realm == NULL || *realm == '\0') {
+- realm = talloc_strdup(talloc_tos(), default_realm);
+- if (!realm) {
+- return NULL;
+- }
+- DEBUG(3,("Cannot get realm from, "
+- "desthost %s or default ccache. Using default "
+- "smb.conf realm %s\n",
+- remote_name,
+- realm));
+- }
+-
+- principal = talloc_asprintf(mem_ctx,
+- "%s/%s@%s",
+- service, remote_name,
+- realm);
+- TALLOC_FREE(realm);
+- return principal;
+-}
+-
+-/**
+ * @brief Get an error string from a Kerberos error code.
+ *
+ * @param[in] context The library context.
+diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
+index accae449a0e..c921538efcb 100644
+--- a/lib/krb5_wrap/krb5_samba.h
++++ b/lib/krb5_wrap/krb5_samba.h
+@@ -318,11 +318,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ const char *hostname,
+ const char *client_realm);
+
+-char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+- const char *service,
+- const char *remote_name,
+- const char *default_realm);
+-
+ char *smb_get_krb5_error_message(krb5_context context,
+ krb5_error_code code,
+ TALLOC_CTX *mem_ctx);
+--
+2.12.0
+
+
+From 0ea7203430b580e93816035b8201ddd11346cd4e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 6 Mar 2017 08:16:11 +0100
+Subject: [PATCH 15/20] s3:gse: Pass down the gensec_security pointer
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit e6b1e58874de30d094f9bce474479cfddb39d3fc)
+---
+ source3/librpc/crypto/gse.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 57632f6cc8f..5a39522a828 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -352,10 +352,13 @@ err_out:
+ }
+
+ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+- struct gse_context *gse_ctx,
++ struct gensec_security *gensec_security,
+ const DATA_BLOB *token_in,
+ DATA_BLOB *token_out)
+ {
++ struct gse_context *gse_ctx =
++ talloc_get_type_abort(gensec_security->private_data,
++ struct gse_context);
+ OM_uint32 gss_maj, gss_min;
+ gss_buffer_desc in_data;
+ gss_buffer_desc out_data;
+@@ -542,10 +545,13 @@ done:
+ }
+
+ static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
+- struct gse_context *gse_ctx,
++ struct gensec_security *gensec_security,
+ const DATA_BLOB *token_in,
+ DATA_BLOB *token_out)
+ {
++ struct gse_context *gse_ctx =
++ talloc_get_type_abort(gensec_security->private_data,
++ struct gse_context);
+ OM_uint32 gss_maj, gss_min;
+ gss_buffer_desc in_data;
+ gss_buffer_desc out_data;
+@@ -762,17 +768,16 @@ static NTSTATUS gensec_gse_update(struct gensec_security *gensec_security,
+ const DATA_BLOB in, DATA_BLOB *out)
+ {
+ NTSTATUS status;
+- struct gse_context *gse_ctx =
+- talloc_get_type_abort(gensec_security->private_data,
+- struct gse_context);
+
+ switch (gensec_security->gensec_role) {
+ case GENSEC_CLIENT:
+- status = gse_get_client_auth_token(mem_ctx, gse_ctx,
++ status = gse_get_client_auth_token(mem_ctx,
++ gensec_security,
+ &in, out);
+ break;
+ case GENSEC_SERVER:
+- status = gse_get_server_auth_token(mem_ctx, gse_ctx,
++ status = gse_get_server_auth_token(mem_ctx,
++ gensec_security,
+ &in, out);
+ break;
+ }
+--
+2.12.0
+
+
+From 36b353247939414cd7f91abd27bfc553bd62c06f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 08:05:26 +0100
+Subject: [PATCH 16/20] s3:gse: Move setup of service_principal to update
+ function
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 3ba1ad1f8c7871070d0ecbe5d49c5c44afe98bbf)
+---
+ source3/librpc/crypto/gse.c | 97 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 71 insertions(+), 26 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 5a39522a828..3580181061e 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -255,8 +255,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+ gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
+ #endif
+- char *server_principal = NULL;
+- char *server_realm = NULL;
+ NTSTATUS status;
+
+ if (!server || !service) {
+@@ -270,28 +268,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- /* Guess the realm based on the supplied service, and avoid the GSS libs
+- doing DNS lookups which may fail.
+- */
+- server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
+- server,
+- realm);
+- if (server_realm == NULL) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- status = gse_setup_server_principal(mem_ctx,
+- NULL,
+- service,
+- server,
+- server_realm,
+- &server_principal,
+- &gse_ctx->server_name);
+- TALLOC_FREE(server_realm);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+ /* TODO: get krb5 ticket using username/password, if no valid
+ * one already available in ccache */
+
+@@ -342,11 +318,9 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ #endif
+
+ *_gse_ctx = gse_ctx;
+- TALLOC_FREE(server_principal);
+ return NT_STATUS_OK;
+
+ err_out:
+- TALLOC_FREE(server_principal);
+ TALLOC_FREE(gse_ctx);
+ return status;
+ }
+@@ -366,10 +340,81 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ NTSTATUS status;
+ OM_uint32 time_rec = 0;
+ struct timeval tv;
++ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
++ const char *hostname = gensec_get_target_hostname(gensec_security);
++ const char *service = gensec_get_target_service(gensec_security);
++ const char *client_realm = cli_credentials_get_realm(cli_creds);
++ char *server_principal = NULL;
++ char *server_realm = NULL;
+
+ in_data.value = token_in->data;
+ in_data.length = token_in->length;
+
++ /*
++ * With credentials for administrator@FOREST1.EXAMPLE.COM this patch
++ * changes the target_principal for the ldap service of host
++ * dc2.forest2.example.com from
++ *
++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
++ *
++ * to
++ *
++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
++ *
++ * Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be
++ * used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a
++ * referral ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
++ *
++ * The problem is that KDCs only return such referral tickets if
++ * there's a forest trust between FOREST1.EXAMPLE.COM and
++ * FOREST2.EXAMPLE.COM. If there's only an external domain trust
++ * between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of
++ * FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being
++ * asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
++ *
++ * In the case of an external trust the client can still ask explicitly
++ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of
++ * FOREST1.EXAMPLE.COM will generate it.
++ *
++ * From there the client can use the
++ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC
++ * of FOREST2.EXAMPLE.COM for a service ticket for
++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
++ *
++ * With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
++ * when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
++ * target principal. As _krb5_get_cred_kdc_any() first calls
++ * get_cred_kdc_referral() (which always starts with the client realm)
++ * and falls back to get_cred_kdc_capath() (which starts with the given
++ * realm).
++ *
++ * MIT krb5 only tries the given realm of the target principal, if we
++ * want to autodetect support for transitive forest trusts, would have
++ * to do the fallback ourself.
++ */
++ if (gse_ctx->server_name == NULL) {
++ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
++ hostname,
++ client_realm);
++ if (server_realm == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ status = gse_setup_server_principal(mem_ctx,
++ NULL,
++ service,
++ hostname,
++ server_realm,
++ &server_principal,
++ &gse_ctx->server_name);
++ TALLOC_FREE(server_realm);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ TALLOC_FREE(server_principal);
++ }
++
+ gss_maj = gss_init_sec_context(&gss_min,
+ gse_ctx->creds,
+ &gse_ctx->gssapi_context,
+--
+2.12.0
+
+
+From 5ca321eaa79cdf9de1166f49365051d4d67560f9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 08:11:07 +0100
+Subject: [PATCH 17/20] s3:gse: Check if we have a target_princpal set we
+ should use
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit ada31d65d6c5929d2fbddfea5611a5f5fe5a0d74)
+---
+ source3/librpc/crypto/gse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 3580181061e..721fd8c1625 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -341,6 +341,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ OM_uint32 time_rec = 0;
+ struct timeval tv;
+ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
++ const char *target_principal = gensec_get_target_principal(gensec_security);
+ const char *hostname = gensec_get_target_hostname(gensec_security);
+ const char *service = gensec_get_target_service(gensec_security);
+ const char *client_realm = cli_credentials_get_realm(cli_creds);
+@@ -401,7 +402,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ }
+
+ status = gse_setup_server_principal(mem_ctx,
+- NULL,
++ target_principal,
+ service,
+ hostname,
+ server_realm,
+--
+2.12.0
+
+
+From 8b88c6bf158e5da0cc238472390f3346aa05ef53 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 08:18:27 +0100
+Subject: [PATCH 18/20] s3:gse: Correctly handle external trusts with MIT
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit b8bca7d08fe05758e536767b1146cdcdd8b9fee3)
+---
+ source3/librpc/crypto/gse.c | 54 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 721fd8c1625..3abf774633b 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -347,6 +347,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ const char *client_realm = cli_credentials_get_realm(cli_creds);
+ char *server_principal = NULL;
+ char *server_realm = NULL;
++ bool fallback = false;
+
+ in_data.value = token_in->data;
+ in_data.length = token_in->length;
+@@ -393,6 +394,50 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ * want to autodetect support for transitive forest trusts, would have
+ * to do the fallback ourself.
+ */
++#ifndef SAMBA4_USES_HEIMDAL
++ if (gse_ctx->server_name == NULL) {
++ OM_uint32 gss_min2 = 0;
++
++ status = gse_setup_server_principal(mem_ctx,
++ target_principal,
++ service,
++ hostname,
++ client_realm,
++ &server_principal,
++ &gse_ctx->server_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ gss_maj = gss_init_sec_context(&gss_min,
++ gse_ctx->creds,
++ &gse_ctx->gssapi_context,
++ gse_ctx->server_name,
++ &gse_ctx->gss_mech,
++ gse_ctx->gss_want_flags,
++ 0,
++ GSS_C_NO_CHANNEL_BINDINGS,
++ &in_data,
++ NULL,
++ &out_data,
++ &gse_ctx->gss_got_flags,
++ &time_rec);
++ if (gss_maj != GSS_S_FAILURE) {
++ goto init_sec_context_done;
++ }
++ if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
++ goto init_sec_context_done;
++ }
++ if (target_principal != NULL) {
++ goto init_sec_context_done;
++ }
++
++ fallback = true;
++ TALLOC_FREE(server_principal);
++ gss_release_name(&gss_min2, &gse_ctx->server_name);
++ }
++#endif /* !SAMBA4_USES_HEIMDAL */
++
+ if (gse_ctx->server_name == NULL) {
+ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
+ hostname,
+@@ -401,6 +446,11 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
++ if (fallback &&
++ strequal(client_realm, server_realm)) {
++ goto init_sec_context_done;
++ }
++
+ status = gse_setup_server_principal(mem_ctx,
+ target_principal,
+ service,
+@@ -425,6 +475,10 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ 0, GSS_C_NO_CHANNEL_BINDINGS,
+ &in_data, NULL, &out_data,
+ &gse_ctx->gss_got_flags, &time_rec);
++ goto init_sec_context_done;
++ /* JUMP! */
++init_sec_context_done:
++
+ switch (gss_maj) {
+ case GSS_S_COMPLETE:
+ /* we are done with it */
+--
+2.12.0
+
+
+From 290de34d42477022d8b5a236b3d0953a178c5e40 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 29 Jan 2017 17:19:14 +0100
+Subject: [PATCH 19/20] HEIMDAL:kdc: make it possible to disable the principal
+ based referral detection
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 209886e95c3afe1e4e50bacc30b40a543856a7a0)
+---
+ source4/heimdal/kdc/default_config.c | 1 +
+ source4/heimdal/kdc/kdc.h | 2 ++
+ source4/heimdal/kdc/krb5tgs.c | 4 +++-
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
+index 6fbf5fdae15..0129c5d3c54 100644
+--- a/source4/heimdal/kdc/default_config.c
++++ b/source4/heimdal/kdc/default_config.c
+@@ -55,6 +55,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
+ c->preauth_use_strongest_session_key = FALSE;
+ c->tgs_use_strongest_session_key = FALSE;
+ c->use_strongest_server_key = TRUE;
++ c->autodetect_referrals = TRUE;
+ c->check_ticket_addresses = TRUE;
+ c->allow_null_ticket_addresses = TRUE;
+ c->allow_anonymous = FALSE;
+diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h
+index 9d52fd4c2ec..16263d6919b 100644
+--- a/source4/heimdal/kdc/kdc.h
++++ b/source4/heimdal/kdc/kdc.h
+@@ -69,6 +69,8 @@ typedef struct krb5_kdc_configuration {
+ krb5_boolean allow_anonymous;
+ enum krb5_kdc_trpolicy trpolicy;
+
++ krb5_boolean autodetect_referrals;
++
+ krb5_boolean enable_pkinit;
+ krb5_boolean pkinit_princ_in_cert;
+ const char *pkinit_kdc_identity;
+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
+index 334a6eb1dc8..a888788bb6f 100644
+--- a/source4/heimdal/kdc/krb5tgs.c
++++ b/source4/heimdal/kdc/krb5tgs.c
+@@ -1660,7 +1660,9 @@ server_lookup:
+ Realm req_rlm;
+ krb5_realm *realms;
+
+- if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
++ if (!config->autodetect_referrals) {
++ /* noop */
++ } else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
+ if(nloop++ < 2) {
+ new_rlm = find_rpath(context, tgt->crealm, req_rlm);
+ if(new_rlm) {
+--
+2.12.0
+
+
+From b98d399a9b3076443fa12fab5f5e13b8d6e2fe26 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 29 Jan 2017 17:20:09 +0100
+Subject: [PATCH 20/20] s4:kdc: disable principal based autodetected referral
+ detection
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 3314bf52aaef60ef5cc1110587b53064df7c475d)
+---
+ source4/kdc/kdc-heimdal.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
+index f2927e5cb9f..061296a4f40 100644
+--- a/source4/kdc/kdc-heimdal.c
++++ b/source4/kdc/kdc-heimdal.c
+@@ -379,6 +379,8 @@ static void kdc_task_init(struct task_server *task)
+ kdc_config->tgs_use_strongest_session_key = false;
+ kdc_config->use_strongest_server_key = true;
+
++ kdc_config->autodetect_referrals = false;
++
+ /* Register hdb-samba4 hooks for use as a keytab */
+
+ kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
+--
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch
new file mode 100644
index 0000000..dbce123
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch
@@ -0,0 +1,39 @@
+From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 20 Mar 2017 16:08:20 +0100
+Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libsmb/cliconnect.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 029c3d4760e..93f873079db 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 0 /* no time correction for now */,
+ NULL);
+ if (ret != 0) {
+- DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
+- user_principal, target_hostname,
+- error_message(ret)));
++ int dbglvl = DBGLVL_WARNING;
++
++ if (krb5_state == CRED_MUST_USE_KERBEROS) {
++ dbglvl = DBGLVL_ERR;
++ }
++
++ DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
++ user_principal, target_hostname,
++ error_message(ret)));
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ TALLOC_FREE(frame);
+ return krb5_to_nt_status(ret);
+--
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch
new file mode 100644
index 0000000..6d96e52
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch
@@ -0,0 +1,293 @@
+From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 17:30:37 +0100
+Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters
+
+The old behaviour is:
+
+ for var in $*
+ do
+ echo "$var"
+ done
+
+And you get this:
+
+$ sh test.sh 1 2 '3 4'
+1
+2
+3
+4
+
+Changing it to:
+
+ for var in "$@"
+ do
+ echo "$var"
+ done
+
+will correctly expand to:
+
+$ sh test.sh 1 2 '3 4'
+1
+2
+3 4
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
+
+(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71)
+---
+ testprogs/blackbox/subunit.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh
+index 0791d775d27..5c81ce20a11 100755
+--- a/testprogs/blackbox/subunit.sh
++++ b/testprogs/blackbox/subunit.sh
+@@ -78,7 +78,7 @@ subunit_skip_test () {
+ testit () {
+ name="$1"
+ shift
+- cmdline="$*"
++ cmdline="$@"
+ subunit_start_test "$name"
+ output=`$cmdline 2>&1`
+ status=$?
+@@ -93,7 +93,7 @@ testit () {
+ testit_expect_failure () {
+ name="$1"
+ shift
+- cmdline="$*"
++ cmdline="$@"
+ subunit_start_test "$name"
+ output=`$cmdline 2>&1`
+ status=$?
+--
+2.12.0
+
+
+From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 16:11:39 +0100
+Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)
+---
+ lib/krb5_wrap/krb5_samba.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 10b42dec53f..fd8e4a96071 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
+ goto open_keytab;
+ }
+
++ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
++
+ return KRB5_KT_BADNAME;
+
+ open_keytab:
+--
+2.12.0
+
+
+From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 16:24:52 +0100
+Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
+---
+ source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 57 insertions(+), 12 deletions(-)
+
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index 3c73b089bbb..96df10fcf65 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -34,6 +34,57 @@
+
+ #ifdef HAVE_ADS
+
++/* This MAX_NAME_LEN is a constant defined in krb5.h */
++#ifndef MAX_KEYTAB_NAME_LEN
++#define MAX_KEYTAB_NAME_LEN 1100
++#endif
++
++static krb5_error_code ads_keytab_open(krb5_context context,
++ krb5_keytab *keytab)
++{
++ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
++ const char *keytab_name = NULL;
++ krb5_error_code ret = 0;
++
++ switch (lp_kerberos_method()) {
++ case KERBEROS_VERIFY_SYSTEM_KEYTAB:
++ case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
++ ret = krb5_kt_default_name(context,
++ keytab_str,
++ sizeof(keytab_str) - 2);
++ if (ret != 0) {
++ DBG_WARNING("Failed to get default keytab name");
++ goto out;
++ }
++ keytab_name = keytab_str;
++ break;
++ case KERBEROS_VERIFY_DEDICATED_KEYTAB:
++ keytab_name = lp_dedicated_keytab_file();
++ break;
++ default:
++ DBG_ERR("Invalid kerberos method set (%d)\n",
++ lp_kerberos_method());
++ ret = KRB5_KT_BADNAME;
++ goto out;
++ }
++
++ if (keytab_name == NULL || keytab_name[0] == '\0') {
++ DBG_ERR("Invalid keytab name\n");
++ ret = KRB5_KT_BADNAME;
++ goto out;
++ }
++
++ ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
++ if (ret != 0) {
++ DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
++ error_message(ret));
++ goto out;
++ }
++
++out:
++ return ret;
++}
++
+ /**********************************************************************
+ Adds a single service principal, i.e. 'host' to the system keytab
+ ***********************************************************************/
+@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
+ return -1;
+ }
+
+- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+- if (ret) {
+- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+- error_message(ret)));
++ ret = ads_keytab_open(context, &keytab);
++ if (ret != 0) {
+ goto out;
+ }
+
+@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
+ return ret;
+ }
+
+- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+- if (ret) {
+- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+- error_message(ret)));
++ ret = ads_keytab_open(context, &keytab);
++ if (ret != 0) {
+ goto out;
+ }
+
+@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+ DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
+ "and update.\n"));
+
+- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+- if (ret) {
+- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+- error_message(ret)));
++ ret = ads_keytab_open(context, &keytab);
++ if (ret != 0) {
+ goto done;
+ }
+
+--
+2.12.0
+
+
+From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 17:28:58 +0100
+Subject: [PATCH 4/5] param: Allow to specify kerberos method on the
+ commandline
+
+We support --option for our tools but you cannot set an option where the
+value of the option includes a space.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0)
+---
+ lib/param/param_table.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/param/param_table.c b/lib/param/param_table.c
+index 4b5234a7c9e..9a944ef19b3 100644
+--- a/lib/param/param_table.c
++++ b/lib/param/param_table.c
+@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
+ static const struct enum_list enum_kerberos_method[] = {
+ {KERBEROS_VERIFY_SECRETS, "default"},
+ {KERBEROS_VERIFY_SECRETS, "secrets only"},
++ {KERBEROS_VERIFY_SECRETS, "secretsonly"},
+ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
++ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
+ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
++ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
+ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
++ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
+ {-1, NULL}
+ };
+
+--
+2.12.0
+
+
+From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 16:34:05 +0100
+Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab
+
+This checks that a 'net ads join' can create the keytab and make sure we
+will not regress in future.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3)
+---
+ testprogs/blackbox/test_net_ads.sh | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 8e915cdcf1f..99b886f53eb 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed +
+
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
++# Test with kerberos method = secrets and keytab
++dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
++testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++
++testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
++
++testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++rm -f $dedicated_keytab_file
++
+ testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+
+ testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+--
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch
new file mode 100644
index 0000000..4e21154
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch
@@ -0,0 +1,245 @@
+From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 4 May 2017 17:48:42 +0200
+Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with
+ COPY_FROM_DIRECTORY
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05)
+---
+ source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 35 insertions(+), 16 deletions(-)
+
+diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
+index 394a3e5..49be5d9 100644
+--- a/source3/printing/nt_printing.c
++++ b/source3/printing/nt_printing.c
+@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver
+ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ const char *architecture,
+ const char *driverpath_in,
++ const char *driver_directory,
+ WERROR *perr)
+ {
+ int cversion = -1;
+ NTSTATUS nt_status;
+ struct smb_filename *smb_fname = NULL;
+- char *driverpath = NULL;
+ files_struct *fsp = NULL;
+ connection_struct *conn = NULL;
+ char *oldcwd;
+ char *printdollar = NULL;
++ char *printdollar_path = NULL;
++ char *working_dir = NULL;
+ int printdollar_snum;
+
+ *perr = WERR_INVALID_PARAMETER;
+@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ return -1;
+ }
+
++ printdollar_path = lp_path(talloc_tos(), printdollar_snum);
++ if (printdollar_path == NULL) {
++ *perr = WERR_NOT_ENOUGH_MEMORY;
++ return -1;
++ }
++
++ working_dir = talloc_asprintf(talloc_tos(),
++ "%s/%s",
++ printdollar_path,
++ architecture);
++ /*
++ * If the driver has been uploaded into a temorpary driver
++ * directory, switch to the driver directory.
++ */
++ if (driver_directory != NULL) {
++ working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
++ printdollar_path,
++ architecture,
++ driver_directory);
++ }
++
+ nt_status = create_conn_struct_cwd(talloc_tos(),
+ server_event_context(),
+ server_messaging_context(),
+ &conn,
+ printdollar_snum,
+- lp_path(talloc_tos(), printdollar_snum),
++ working_dir,
+ session_info, &oldcwd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0,("get_correct_cversion: create_conn_struct "
+@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ goto error_free_conn;
+ }
+
+- /* Open the driver file (Portable Executable format) and determine the
+- * deriver the cversion. */
+- driverpath = talloc_asprintf(talloc_tos(),
+- "%s/%s",
+- architecture,
+- driverpath_in);
+- if (!driverpath) {
+- *perr = WERR_NOT_ENOUGH_MEMORY;
+- goto error_exit;
+- }
+-
+- nt_status = driver_unix_convert(conn, driverpath, &smb_fname);
++ /*
++ * We switch to the directory where the driver files are located,
++ * so only work on the file names
++ */
++ nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ *perr = ntstatus_to_werror(nt_status);
+ goto error_exit;
+@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx,
+ * NT2K: cversion=3
+ */
+
+- *version = get_correct_cversion(session_info, short_architecture,
+- *driver_path, &err);
++ *version = get_correct_cversion(session_info,
++ short_architecture,
++ *driver_path,
++ *driver_directory,
++ &err);
+ if (*version == -1) {
+ return err;
+ }
+--
+2.9.3
+
+
+From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 5 May 2017 11:11:25 +0200
+Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test
+ for 64bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e)
+---
+ source4/torture/rpc/spoolss.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
+index 409ba57..c4b7bf1 100644
+--- a/source4/torture/rpc/spoolss.c
++++ b/source4/torture/rpc/spoolss.c
+@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx,
+ }
+
+ static bool test_driver_copy_from_directory(struct torture_context *tctx,
+- struct dcerpc_pipe *p)
++ struct dcerpc_pipe *p,
++ const char *architecture)
+ {
+ struct torture_driver_context *d;
+ struct spoolss_StringArray *a;
+@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
+ d = talloc_zero(tctx, struct torture_driver_context);
+ torture_assert_not_null(tctx, d, "ENOMEM");
+
+- d->local.environment =
+- talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64);
++ d->local.environment = talloc_strdup(d, architecture);
+ torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
+
+ d->local.driver_directory =
+@@ -11208,6 +11208,12 @@ done:
+ return ok;
+ }
+
++static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
++ struct dcerpc_pipe *p)
++{
++ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
++}
++
+ static bool test_del_driver_all_files(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+ {
+@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
+ torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers);
+
+ torture_rpc_tcase_add_test(tcase,
+- "test_driver_copy_from_directory",
+- test_driver_copy_from_directory);
++ "test_driver_copy_from_directory_64",
++ test_driver_copy_from_directory_64);
+
+ torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
+
+--
+2.9.3
+
+
+From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 5 May 2017 11:12:02 +0200
+Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for
+ copy_from_directory
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0)
+---
+ source4/torture/rpc/spoolss.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
+index c4b7bf1..e17ac6f 100644
+--- a/source4/torture/rpc/spoolss.c
++++ b/source4/torture/rpc/spoolss.c
+@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
+ d->local.environment = talloc_strdup(d, architecture);
+ torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
+
+- d->local.driver_directory =
+- talloc_asprintf(d, "/usr/share/cups/drivers/x64");
++ if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) {
++ d->local.driver_directory =
++ talloc_strdup(d, "/usr/share/cups/drivers/x64");
++ } else {
++ d->local.driver_directory =
++ talloc_strdup(d, "/usr/share/cups/drivers/i386");
++ }
+ torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM");
+
+ d->remote.driver_upload_directory = GUID_string2(d, &guid);
+@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
+ }
+
++static bool test_driver_copy_from_directory_32(struct torture_context *tctx,
++ struct dcerpc_pipe *p)
++{
++ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86);
++}
++
+ static bool test_del_driver_all_files(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+ {
+@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
+ "test_driver_copy_from_directory_64",
+ test_driver_copy_from_directory_64);
+
++ torture_rpc_tcase_add_test(tcase,
++ "test_driver_copy_from_directory_32",
++ test_driver_copy_from_directory_32);
++
+ torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
+
+ torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files);
+--
+2.9.3
+
diff --git a/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch
new file mode 100644
index 0000000..7441e1d
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch
@@ -0,0 +1,211 @@
+From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 14 Mar 2017 16:12:20 +0100
+Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file
+
+The arguments get passed in the wrong order to read_target_host().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0)
+---
+ source3/modules/vfs_expand_msdfs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c
+index ffbfa333bad..e42d0098b32 100644
+--- a/source3/modules/vfs_expand_msdfs.c
++++ b/source3/modules/vfs_expand_msdfs.c
+@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
+ return NULL;
+ }
+
+- targethost = read_target_host(
+- ctx, raddr, mapfilename);
++ targethost = read_target_host(ctx, mapfilename, raddr);
+ if (targethost == NULL) {
+ DEBUG(1, ("Could not expand target host from file %s\n",
+ mapfilename));
+--
+2.12.0
+
+From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 21 Mar 2017 15:32:37 +0100
+Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to
+ get_referred_path()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e)
+---
+ source3/modules/vfs_default.c | 2 ++
+ source3/rpc_server/dfs/srv_dfs_nt.c | 6 ++++++
+ source3/smbd/msdfs.c | 12 +++++++-----
+ source3/smbd/proto.h | 12 +++++++-----
+ 4 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
+index e0b6125f7d8..dcae861103d 100644
+--- a/source3/modules/vfs_default.c
++++ b/source3/modules/vfs_default.c
+@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle,
+
+ /* The following call can change cwd. */
+ status = get_referred_path(r, pathnamep,
++ handle->conn->sconn->remote_address,
++ handle->conn->sconn->local_address,
+ !handle->conn->sconn->using_smb2,
+ junction, &consumedcnt, &self_referral);
+ if (!NT_STATUS_IS_OK(status)) {
+diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c
+index ab2af53c0ba..0a4d6d31b7c 100644
+--- a/source3/rpc_server/dfs/srv_dfs_nt.c
++++ b/source3/rpc_server/dfs/srv_dfs_nt.c
+@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r)
+
+ /* The following call can change the cwd. */
+ status = get_referred_path(ctx, r->in.path,
++ p->remote_address,
++ p->local_address,
+ true, /*allow_broken_path */
+ jn, &consumedcnt, &self_ref);
+ if(!NT_STATUS_IS_OK(status)) {
+@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r)
+ }
+
+ status = get_referred_path(ctx, r->in.dfs_entry_path,
++ p->remote_address,
++ p->local_address,
+ true, /*allow_broken_path */
+ jn, &consumedcnt, &self_ref);
+ if(!NT_STATUS_IS_OK(status)) {
+@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r)
+
+ /* The following call can change the cwd. */
+ status = get_referred_path(ctx, r->in.dfs_entry_path,
++ p->remote_address,
++ p->local_address,
+ true, /*allow_broken_path */
+ jn, &consumedcnt, &self_ref);
+ if(!NT_STATUS_IS_OK(status) ||
+diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
+index 61538cec832..3cf82d3b430 100644
+--- a/source3/smbd/msdfs.c
++++ b/source3/smbd/msdfs.c
+@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx,
+ **********************************************************************/
+
+ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+- const char *dfs_path,
+- bool allow_broken_path,
+- struct junction_map *jucn,
+- int *consumedcntp,
+- bool *self_referralp)
++ const char *dfs_path,
++ const struct tsocket_address *remote_address,
++ const struct tsocket_address *local_address,
++ bool allow_broken_path,
++ struct junction_map *jucn,
++ int *consumedcntp,
++ bool *self_referralp)
+ {
+ struct connection_struct *conn;
+ char *targetpath = NULL;
+diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
+index c1b8201b472..e64457cf9e0 100644
+--- a/source3/smbd/proto.h
++++ b/source3/smbd/proto.h
+@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn,
+ SMB_STRUCT_STAT *sbufp);
+ struct junction_map;
+ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+- const char *dfs_path,
+- bool allow_broken_path,
+- struct junction_map *jucn,
+- int *consumedcntp,
+- bool *self_referralp);
++ const char *dfs_path,
++ const struct tsocket_address *remote_address,
++ const struct tsocket_address *local_address,
++ bool allow_broken_path,
++ struct junction_map *jucn,
++ int *consumedcntp,
++ bool *self_referralp);
+ int setup_dfs_referral(connection_struct *orig_conn,
+ const char *dfs_path,
+ int max_referral_level,
+--
+2.13.0
+
+
+From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 21 Mar 2017 15:45:34 +0100
+Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake
+ connection
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9)
+---
+ source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
+index 3cf82d3b430..c25fb17cee8 100644
+--- a/source3/smbd/msdfs.c
++++ b/source3/smbd/msdfs.c
+@@ -31,6 +31,7 @@
+ #include "lib/param/loadparm.h"
+ #include "libcli/security/security.h"
+ #include "librpc/gen_ndr/ndr_dfsblobs.h"
++#include "lib/tsocket/tsocket.h"
+
+ /**********************************************************************
+ Parse a DFS pathname of the form \hostname\service\reqpath
+@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+ return status;
+ }
+
++ /*
++ * TODO
++ *
++ * The remote and local address should be passed down to
++ * create_conn_struct_cwd.
++ */
++ if (conn->sconn->remote_address == NULL) {
++ conn->sconn->remote_address =
++ tsocket_address_copy(remote_address, conn->sconn);
++ if (conn->sconn->remote_address == NULL) {
++ TALLOC_FREE(pdp);
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++ if (conn->sconn->local_address == NULL) {
++ conn->sconn->local_address =
++ tsocket_address_copy(local_address, conn->sconn);
++ if (conn->sconn->local_address == NULL) {
++ TALLOC_FREE(pdp);
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
+ /* If this is a DFS path dfs_lookup should return
+ * NT_STATUS_PATH_NOT_COVERED. */
+
+--
+2.13.0
+
diff --git a/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch b/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch
new file mode 100644
index 0000000..83a4985
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch
@@ -0,0 +1,74 @@
+From 646b3c4b920f4ae4d1289eeb10018cd9d069382a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 9 Aug 2017 18:14:23 +0200
+Subject: [PATCH 1/2] s3:libads: Fix changing passwords with Kerberos
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+(cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d)
+---
+ source3/libads/krb5_setpw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
+index 630c2e46631..bc96ac603b1 100644
+--- a/source3/libads/krb5_setpw.c
++++ b/source3/libads/krb5_setpw.c
+@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
+ ret = krb5_set_password(context,
+ &creds,
+ discard_const_p(char, newpw),
+- princ,
++ NULL,
+ &result_code,
+ &result_code_string,
+ &result_string);
+--
+2.14.0
+
+
+From be45f32ffb1504f36b860195b480b661699de049 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 9 Aug 2017 12:14:34 +0200
+Subject: [PATCH 2/2] blackbox: Add test for 'net ads changetrustpw'
+
+BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144
+
+(cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f)
+---
+ testprogs/blackbox/test_net_ads.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 99b886f53eb..bbd99b676bd 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -33,6 +33,8 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed
+
+ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+
++testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
++
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+ # Test with kerberos method = secrets and keytab
+@@ -41,6 +43,8 @@ testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC
+
+ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+
++testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
++
+ testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ rm -f $dedicated_keytab_file
+
+--
+2.14.0
+
diff --git a/SOURCES/samba-v4-6-fix_path_substitutions.patch b/SOURCES/samba-v4-6-fix_path_substitutions.patch
new file mode 100644
index 0000000..178c44d
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_path_substitutions.patch
@@ -0,0 +1,194 @@
+From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Fri, 17 Mar 2017 13:52:57 +0100
+Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user
+ information
+
+This fixes the substitution for 'template homedir'.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Volker Lendecke <vl@samba.org>
+Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
+
+(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5)
+---
+ source3/winbindd/wb_queryuser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
+index be4d3d3e665..69b4c8dad5a 100644
+--- a/source3/winbindd/wb_queryuser.c
++++ b/source3/winbindd/wb_queryuser.c
+@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq)
+ NTSTATUS status;
+ const char *domain_name;
+
+- status = wb_lookupsid_recv(subreq, state, &type, &domain_name,
++ status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name,
+ &state->info->primary_group_name);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+--
+2.12.0
+
+
+From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 15 Mar 2017 12:37:08 +0100
+Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660)
+---
+ selftest/target/Samba3.pm | 19 ++++++++++++++++++-
+ source3/script/tests/test_substitutions.sh | 9 +++++++--
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index f5b2c510224..1e053f12297 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -394,16 +394,33 @@ sub setup_admember($$$$)
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users";
+ push(@dirs, $substitution_path);
+
++ # Using '/' as the winbind separator is a bad idea ...
++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN";
++ push(@dirs, $substitution_path);
++
++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice";
++ push(@dirs, $substitution_path);
++
++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN";
++ push(@dirs, $substitution_path);
++
++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users";
++ push(@dirs, $substitution_path);
++
+ my $member_options = "
+ security = ads
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+ netbios aliases = foo bar
+
+-[subDUG]
++[sub_dug]
+ path = $share_dir/D_%D/U_%U/G_%G
+ writeable = yes
+
++[sub_dug2]
++ path = $share_dir/D_%D/u_%u/g_%g
++ writeable = yes
++
+ ";
+
+ my $ret = $self->provision($prefix,
+diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
+index 0852ad969f0..1a46f11c85d 100755
+--- a/source3/script/tests/test_substitutions.sh
++++ b/source3/script/tests/test_substitutions.sh
+@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient"
+ . $samba_srcdir/testprogs/blackbox/subunit.sh
+ . $samba_srcdir/testprogs/blackbox/common_test_fns.inc
+
+-SMB_UNC="//$SERVER/subDUG"
++SMB_UNC="//$SERVER/sub_dug"
+
+-test_smbclient "Test login to share with substitution" \
++test_smbclient "Test login to share with substitution (DUG)" \
++ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
++
++SMB_UNC="//$SERVER/sub_dug2"
++
++test_smbclient "Test login to share with substitution (Dug)" \
+ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
+
+ exit $failed
+--
+2.12.0
+
+
+From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 17 Mar 2017 10:04:19 +0100
+Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
+
+With this set, the samba3.local.nss test for ad_member will ensure that
+we correctly substitute those smb.conf options.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
+
+(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03)
+---
+ nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------
+ selftest/target/Samba3.pm | 1 +
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
+index cfe582df068..f9c040e5f43 100755
+--- a/nsswitch/tests/test_wbinfo.sh
++++ b/nsswitch/tests/test_wbinfo.sh
+@@ -205,13 +205,18 @@ subunit_start_test "$test_name"
+ # The full name (GECOS) is based on name (the RDN, in this case CN)
+ # and displayName in winbindd_ads, and is based only on displayName in
+ # winbindd_msrpc and winbindd_rpc. Allow both versions.
+-expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
+-expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
++if test "$TARGET" = "ad_member"; then
++ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false"
++ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false"
++else
++ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
++ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
++fi
+
+-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
+ subunit_pass_test "$test_name"
+ else
+- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
++ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ failed=`expr $failed + 1`
+ fi
+
+@@ -227,10 +232,10 @@ fi
+
+ test_name="confirm output of wbinfo --uid-info against $TARGET"
+ subunit_start_test "$test_name"
+-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
+ subunit_pass_test "$test_name"
+ else
+- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
++ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ failed=`expr $failed + 1`
+ fi
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 1e053f12297..cb4970828a5 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -412,6 +412,7 @@ sub setup_admember($$$$)
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+ netbios aliases = foo bar
++ template homedir = /home/%D/%G/%U
+
+ [sub_dug]
+ path = $share_dir/D_%D/U_%U/G_%G
+--
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch
new file mode 100644
index 0000000..7b754ae
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch
@@ -0,0 +1,339 @@
+From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 15 Mar 2017 17:04:30 +0000
+Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of
+ smb_bytes_pull_str()
+
+This function needs to get the whole smb buffer in order to get
+the alignment for unicode correct.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24)
+---
+ libcli/smb/smb1cli_session.c | 28 +++++++++++++-------------
+ libcli/smb/smb_util.h | 3 ++-
+ libcli/smb/util.c | 47 +++++++++++++++++++++++++++++---------------
+ 3 files changed, 47 insertions(+), 31 deletions(-)
+
+diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c
+index 9d92aa6aed4..11614df0ae4 100644
+--- a/libcli/smb/smb1cli_session.c
++++ b/libcli/smb/smb1cli_session.c
+@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq)
+ p = bytes;
+
+ status = smb_bytes_pull_str(state, &state->out_native_os,
+- use_unicode, p,
+- bytes+num_bytes-p, &ret);
++ use_unicode, bytes, num_bytes,
++ p, &ret);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ p += ret;
+
+ status = smb_bytes_pull_str(state, &state->out_native_lm,
+- use_unicode, p,
+- bytes+num_bytes-p, &ret);
++ use_unicode, bytes, num_bytes,
++ p, &ret);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq)
+ p = bytes;
+
+ status = smb_bytes_pull_str(state, &state->out_native_os,
+- use_unicode, p,
+- bytes+num_bytes-p, &ret);
++ use_unicode, bytes, num_bytes,
++ p, &ret);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ p += ret;
+
+ status = smb_bytes_pull_str(state, &state->out_native_lm,
+- use_unicode, p,
+- bytes+num_bytes-p, &ret);
++ use_unicode, bytes, num_bytes,
++ p, &ret);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ p += ret;
+
+ status = smb_bytes_pull_str(state, &state->out_primary_domain,
+- use_unicode, p,
+- bytes+num_bytes-p, &ret);
++ use_unicode, bytes, num_bytes,
++ p, &ret);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq)
+ p += out_security_blob_length;
+
+ status = smb_bytes_pull_str(state, &state->out_native_os,
+- use_unicode, p,
+- bytes+num_bytes-p, &ret);
++ use_unicode, bytes, num_bytes,
++ p, &ret);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ p += ret;
+
+ status = smb_bytes_pull_str(state, &state->out_native_lm,
+- use_unicode, p,
+- bytes+num_bytes-p, &ret);
++ use_unicode, bytes, num_bytes,
++ p, &ret);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
+index 7e6f0a4ebc4..2884786339d 100644
+--- a/libcli/smb/smb_util.h
++++ b/libcli/smb/smb_util.h
+@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
+ const uint8_t *bytes, size_t num_bytes);
+ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
+ const uint8_t *buf, size_t buf_len,
+- size_t *pbuf_consumed);
++ const uint8_t *position,
++ size_t *_consumed);
+diff --git a/libcli/smb/util.c b/libcli/smb/util.c
+index ef8c9fafa35..7ef909c6077 100644
+--- a/libcli/smb/util.c
++++ b/libcli/smb/util.c
+@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
+ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
+ bool ucs2, bool align_odd,
+ const uint8_t *buf, size_t buf_len,
+- size_t *pbuf_consumed)
++ const uint8_t *position,
++ size_t *p_consumed)
+ {
+ size_t pad = 0;
++ size_t offset;
+ char *str = NULL;
+ size_t str_len = 0;
+ bool ok;
+
+ *_str = NULL;
+- if (pbuf_consumed != NULL) {
+- *pbuf_consumed = 0;
++ if (p_consumed != NULL) {
++ *p_consumed = 0;
++ }
++
++ if (position < buf) {
++ return NT_STATUS_INTERNAL_ERROR;
++ }
++
++ offset = PTR_DIFF(position, buf);
++ if (offset > buf_len) {
++ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ if (ucs2 &&
+- ((align_odd && (buf_len % 2 == 0)) ||
+- (!align_odd && (buf_len % 2 == 1)))) {
+- if (buf_len < 1) {
+- return NT_STATUS_BUFFER_TOO_SMALL;
+- }
+- pad = 1;
+- buf_len -= pad;
+- buf += pad;
++ ((align_odd && (offset % 2 == 0)) ||
++ (!align_odd && (offset % 2 == 1)))) {
++ pad += 1;
++ offset += 1;
++ }
++
++ if (offset > buf_len) {
++ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
++ buf_len -= offset;
++ buf += offset;
++
+ if (ucs2) {
+ buf_len = utf16_len_n(buf, buf_len);
+ } else {
+@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
+ return map_nt_error_from_unix_common(errno);
+ }
+
+- if (pbuf_consumed != NULL) {
+- *pbuf_consumed = buf_len + pad;
++ if (p_consumed != NULL) {
++ *p_consumed = buf_len + pad;
+ }
+ *_str = str;
+- return NT_STATUS_OK;;
++ return NT_STATUS_OK;
+ }
+
+ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
+ const uint8_t *buf, size_t buf_len,
+- size_t *_buf_consumed)
++ const uint8_t *position,
++ size_t *_consumed)
+ {
+ return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
+- buf, buf_len, _buf_consumed);
++ buf, buf_len, position, _consumed);
+ }
+--
+2.13.1
+
+
+From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 15 Mar 2017 17:04:44 +0000
+Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper
+ function
+
+This function updates cli->server_{os,type,domain} to valid values
+after a session setup.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3)
+---
+ source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++--------------
+ 1 file changed, 52 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index a2362ceb863..ef03da17eec 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ return NT_STATUS_OK;
+ }
+
++static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli,
++ const char *native_os,
++ const char *native_lm,
++ const char *primary_domain)
++{
++#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0')
++
++ if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) {
++ cli->server_os = talloc_strdup(cli, native_os);
++ if (cli->server_os == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
++ if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) {
++ cli->server_type = talloc_strdup(cli, native_lm);
++ if (cli->server_type == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
++ if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) {
++ cli->server_domain = talloc_strdup(cli, primary_domain);
++ if (cli->server_domain == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
++#undef _VALID_STRING
++ return NT_STATUS_OK;
++}
++
+ /********************************************************
+ Utility function to ensure we always return at least
+ a valid char * pointer to an empty string for the
+@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
+ subreq, struct tevent_req);
+ struct cli_sesssetup_blob_state *state = tevent_req_data(
+ req, struct cli_sesssetup_blob_state);
+- struct cli_state *cli = state->cli;
+ NTSTATUS status;
+
+ if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
+@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
+ return;
+ }
+
+- if (cli->server_os == NULL) {
+- cli->server_os = talloc_move(cli, &state->out_native_os);
+- }
+- if (cli->server_type == NULL) {
+- cli->server_type = talloc_move(cli, &state->out_native_lm);
+- }
+-
+ state->status = status;
+
++ status = cli_state_update_after_sesssetup(state->cli,
++ state->out_native_os,
++ state->out_native_lm,
++ NULL);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
+ if (state->blob.length != 0) {
+ /*
+ * More to send
+@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq)
+ return;
+ }
+
+- if (cli->server_os == NULL) {
+- cli->server_os = talloc_move(cli, &state->out_native_os);
+- }
+- if (cli->server_type == NULL) {
+- cli->server_type = talloc_move(cli, &state->out_native_lm);
+- }
+- if (cli->server_domain == NULL) {
+- cli->server_domain = talloc_move(cli, &state->out_primary_domain);
++ status = cli_state_update_after_sesssetup(state->cli,
++ state->out_native_os,
++ state->out_native_lm,
++ state->out_primary_domain);
++ if (tevent_req_nterror(req, status)) {
++ return;
+ }
+
+ ok = smb1cli_conn_activate_signing(cli->conn,
+@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
+ subreq, struct tevent_req);
+ struct cli_session_setup_creds_state *state = tevent_req_data(
+ req, struct cli_session_setup_creds_state);
+- struct cli_state *cli = state->cli;
+ NTSTATUS status;
+
+ status = smb1cli_session_setup_lm21_recv(subreq, state,
+@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
+ return;
+ }
+
+- if (cli->server_os == NULL) {
+- cli->server_os = talloc_move(cli, &state->out_native_os);
+- }
+- if (cli->server_type == NULL) {
+- cli->server_type = talloc_move(cli, &state->out_native_lm);
++ status = cli_state_update_after_sesssetup(state->cli,
++ state->out_native_os,
++ state->out_native_lm,
++ NULL);
++ if (tevent_req_nterror(req, status)) {
++ return;
+ }
+
+ tevent_req_done(req);
+--
+2.13.1
+
diff --git a/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch
new file mode 100644
index 0000000..5c52aa9
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch
@@ -0,0 +1,162 @@
+From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 19 Jun 2017 14:50:33 +0200
+Subject: [PATCH 1/2] s3:popt_common: Reparse the username in
+ popt_common_credentials_post()
+
+When we parse the username in the options handling, the smb.conf file
+has not been loaded yet. So we are not aware of a 'winbind separator'
+set in the config file.
+
+We need to read and set the username again in the post-processing of the
+credentials.
+
+https://bugzilla.samba.org/show_bug.cgi?id=12849
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b)
+---
+ source3/lib/popt_common.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
+index 3589a4fbd2b..9928c708e89 100644
+--- a/source3/lib/popt_common.c
++++ b/source3/lib/popt_common.c
+@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void)
+ void popt_common_credentials_post(void)
+ {
+ struct user_auth_info *auth_info = cmdline_auth_info;
++ const char *username = NULL;
+
+ if (get_cmdline_auth_info_use_machine_account(auth_info) &&
+ !set_cmdline_auth_info_machine_account_creds(auth_info))
+@@ -248,6 +249,20 @@ void popt_common_credentials_post(void)
+ }
+
+ set_cmdline_auth_info_getpass(auth_info);
++
++ /*
++ * When we set the username during the handling of the options passed to
++ * the binary we haven't loaded the config yet. This means that we
++ * didnn't take the 'winbind separator' into account.
++ *
++ * The username might contain the domain name and thus it hasn't been
++ * correctly parsed yet. If we have a username we need to set it again
++ * to run the string parser for the username correctly.
++ */
++ username = get_cmdline_auth_info_username(auth_info);
++ if (username != NULL && username[0] != '\0') {
++ set_cmdline_auth_info_username(auth_info, username);
++ }
+ }
+
+ static void popt_common_credentials_callback(poptContext con,
+--
+2.13.1
+
+
+From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 19 Jun 2017 15:52:23 +0200
+Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144
+
+(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af)
+---
+ source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++
+ source3/selftest/tests.py | 1 +
+ 2 files changed, 63 insertions(+)
+ create mode 100755 source3/script/tests/test_smbclient_basic.sh
+
+diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh
+new file mode 100755
+index 00000000000..90e579b68e9
+--- /dev/null
++++ b/source3/script/tests/test_smbclient_basic.sh
+@@ -0,0 +1,62 @@
++#!/bin/sh
++
++# this runs the file serving tests that are expected to pass with samba3 against shares with various options
++
++if [ $# -lt 5 ]; then
++cat <<EOF
++Usage: test_smbclient_basic.sh SERVER SERVER_IP DOMAIN USERNAME PASSWORD SMBCLIENT <smbclient arguments>
++EOF
++exit 1;
++fi
++
++SERVER="$1"
++SERVER_IP="$2"
++USERNAME="$3"
++PASSWORD="$4"
++smbclient="$5"
++CONFIGURATION="$6"
++shift 6
++ADDARGS="$@"
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++
++test_smbclient() {
++ name="$1"
++ cmd="$2"
++ shift
++ shift
++ echo "test: $name"
++ $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@
++ status=$?
++ if [ x$status = x0 ]; then
++ echo "success: $name"
++ else
++ echo "failure: $name"
++ fi
++ return $status
++}
++
++# TEST using \ as the separator (default)
++test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
++# TEST using / as the separator (default)
++test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
++
++# TEST using 'winbind separator = +'
++test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1`
++
++# TEST using 'winbind separator = +' set in a config file
++smbclient_config="$PREFIX/tmpsmbconf"
++cat > $smbclient_config <<EOF
++[global]
++ include = $(echo $CONFIGURATION | cut -d= -f2)
++ winbind separator = +
++EOF
++
++SAVE_CONFIGURATION="$CONFIGURATION"
++CONFIGURATION="--configfile=$smbclient_config"
++test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD || failed=`expr $failed + 1`
++CONFIGURATION="$SAVE_CONFIGURATION"
++rm -rf $smbclient_config
++
++exit $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index dfe7866b283..d3cb071b903 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -152,6 +152,7 @@ plantestsuite("samba.vfstest.xattr-tdb-1", "nt4_dc:local", [os.path.join(samba3s
+ plantestsuite("samba.vfstest.acl", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-acl/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
+ plantestsuite("samba.vfstest.catia", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-catia/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
+
++plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
+ for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
+ env = "nt4_dc"
+ plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
+--
+2.13.1
+
diff --git a/SOURCES/samba-v4-6-fix_winbind_child_crash.patch b/SOURCES/samba-v4-6-fix_winbind_child_crash.patch
new file mode 100644
index 0000000..d081a40
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_winbind_child_crash.patch
@@ -0,0 +1,227 @@
+From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 21 Mar 2017 09:57:30 +0100
+Subject: [PATCH 1/2] s3:libads: Remove obsolete
+ smb_krb5_get_ntstatus_from_init_creds()
+
+There is no way we can get a better error code out of this. The original
+function called was krb5_get_init_creds_opt_get_error() which has been
+deprecated in 2008.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e)
+---
+ source3/libads/kerberos.c | 169 ----------------------------------------------
+ 1 file changed, 169 deletions(-)
+
+Index: samba-4.6.2/source3/libads/kerberos.c
+===================================================================
+--- samba-4.6.2.orig/source3/libads/kerberos.c
++++ samba-4.6.2/source3/libads/kerberos.c
+@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da
+ return 0;
+ }
+
+-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
+- DATA_BLOB *edata,
+- DATA_BLOB *edata_out)
+-{
+- DATA_BLOB edata_contents;
+- ASN1_DATA *data;
+- int edata_type;
+-
+- if (!edata->length) {
+- return false;
+- }
+-
+- data = asn1_init(mem_ctx);
+- if (data == NULL) {
+- return false;
+- }
+-
+- if (!asn1_load(data, *edata)) goto err;
+- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
+- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
+- if (!asn1_read_Integer(data, &edata_type)) goto err;
+-
+- if (edata_type != KRB5_PADATA_PW_SALT) {
+- DEBUG(0,("edata is not of required type %d but of type %d\n",
+- KRB5_PADATA_PW_SALT, edata_type));
+- goto err;
+- }
+-
+- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
+- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
+- if (!asn1_end_tag(data)) goto err;
+- if (!asn1_end_tag(data)) goto err;
+- if (!asn1_end_tag(data)) goto err;
+- asn1_free(data);
+-
+- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
+-
+- data_blob_free(&edata_contents);
+-
+- return true;
+-
+- err:
+-
+- asn1_free(data);
+- return false;
+-}
+-
+- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
+- NTSTATUS *nt_status)
+-{
+- DATA_BLOB edata;
+- DATA_BLOB unwrapped_edata;
+- TALLOC_CTX *mem_ctx;
+- struct KRB5_EDATA_NTSTATUS parsed_edata;
+- enum ndr_err_code ndr_err;
+-
+-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+- edata = data_blob(error->e_data->data, error->e_data->length);
+-#else
+- edata = data_blob(error->e_data.data, error->e_data.length);
+-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+-
+-#ifdef DEVELOPER
+- dump_data(10, edata.data, edata.length);
+-#endif /* DEVELOPER */
+-
+- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
+- if (mem_ctx == NULL) {
+- data_blob_free(&edata);
+- return False;
+- }
+-
+- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
+- data_blob_free(&edata);
+- TALLOC_FREE(mem_ctx);
+- return False;
+- }
+-
+- data_blob_free(&edata);
+-
+- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx,
+- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
+- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+- data_blob_free(&unwrapped_edata);
+- TALLOC_FREE(mem_ctx);
+- return False;
+- }
+-
+- data_blob_free(&unwrapped_edata);
+-
+- if (nt_status) {
+- *nt_status = parsed_edata.ntstatus;
+- }
+-
+- TALLOC_FREE(mem_ctx);
+-
+- return True;
+-}
+-
+-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
+- krb5_principal client,
+- krb5_get_init_creds_opt *opt,
+- NTSTATUS *nt_status)
+-{
+- krb5_init_creds_context icc;
+- krb5_error_code code;
+-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+- /* HEIMDAL */
+- krb5_error error;
+-#else
+- krb5_error *error = NULL;
+-#endif
+- bool ok;
+-
+- code = krb5_init_creds_init(ctx,
+- client,
+- NULL,
+- NULL,
+- 0,
+- opt,
+- &icc);
+- if (code != 0) {
+- DBG_WARNING("krb5_init_creds_init failed with: %s\n",
+- error_message(code));
+- return false;
+- }
+-
+- code = krb5_init_creds_get_error(ctx,
+- icc,
+- &error);
+- if (code != 0) {
+- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
+- error_message(code));
+- return false;
+- }
+- krb5_init_creds_free(ctx, icc);
+-
+-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
+-
+- krb5_free_error_contents(ctx, &error);
+-#else
+- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
+-
+- krb5_free_error(ctx, error);
+-#endif
+-
+- return ok;
+-}
+-
+ /*
+ simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
+ place in default cache location.
+@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch
+ }
+ out:
+ if (ntstatus) {
+-
+- NTSTATUS status;
+-
+ /* fast path */
+ if (code == 0) {
+ *ntstatus = NT_STATUS_OK;
+ goto cleanup;
+ }
+
+- /* try to get ntstatus code out of krb5_error when we have it
+- * inside the krb5_get_init_creds_opt - gd */
+-
+- if (opt != NULL) {
+- bool ok;
+-
+- ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
+- me,
+- opt,
+- &status);
+- if (ok) {
+- *ntstatus = status;
+- goto cleanup;
+- }
+- }
+-
+ /* fall back to self-made-mapping */
+ *ntstatus = krb5_to_nt_status(code);
+ }
+Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh
+===================================================================
+--- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh
++++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh
+@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d
+
+ testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
+
++testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
++
++testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
++
+ rm -f $KRB5CCNAME_PATH
+
+ exit $failed
diff --git a/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch
new file mode 100644
index 0000000..f29cddb
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch
@@ -0,0 +1,76 @@
+From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 20 Jun 2017 10:27:07 +0200
+Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
+index 8c764f77b08..b0bf6784ba6 100644
+--- a/source3/winbindd/wb_getpwsid.c
++++ b/source3/winbindd/wb_getpwsid.c
+@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+ req, struct wb_getpwsid_state);
+ struct winbindd_pw *pw = state->pw;
+ struct wbint_userinfo *info;
++ struct winbindd_domain *domain = NULL;
+ fstring acct_name, output_username;
++ char *mapped_name = NULL;
+ char *tmp;
+ NTSTATUS status;
+
+@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+ return;
+ }
+
+- fill_domain_username(output_username, info->domain_name,
+- acct_name, true);
++ domain = find_domain_from_name_noinit(info->domain_name);
++ if (tevent_req_nomem(domain, req)) {
++ return;
++ }
++
++ /*
++ * TODO:
++ * This function should be called in 'idmap winbind child'. It shouldn't
++ * be a blocking call, but for this we need to add a new function for
++ * winbind.idl. This is a fix which can be backported for now.
++ */
++ status = normalize_name_map(state,
++ domain,
++ acct_name,
++ &mapped_name);
++ if (NT_STATUS_IS_OK(status)) {
++ fill_domain_username(output_username,
++ info->domain_name,
++ mapped_name, true);
++ fstrcpy(acct_name, mapped_name);
++ } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
++ fstrcpy(acct_name, mapped_name);
++ } else {
++ fill_domain_username(output_username,
++ info->domain_name,
++ acct_name, true);
++ }
++
+ strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));
+
+ strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "",
+@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+ TALLOC_FREE(tmp);
+
+ tmp = talloc_sub_specified(
+- state, info->shell, info->acct_name,
++ state, info->shell, acct_name,
+ info->primary_group_name, info->domain_name,
+ pw->pw_uid, pw->pw_gid);
+ if (tevent_req_nomem(tmp, req)) {
+--
+2.13.1
+
diff --git a/SOURCES/samba-v4.6-credentials-fix-realm.patch b/SOURCES/samba-v4.6-credentials-fix-realm.patch
new file mode 100644
index 0000000..8583d5b
--- /dev/null
+++ b/SOURCES/samba-v4.6-credentials-fix-realm.patch
@@ -0,0 +1,54 @@
+commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
+Author: Andreas Schneider <asn@samba.org>
+Date: Wed Dec 21 22:17:22 2016 +0100
+
+ auth/credentials: Always set the the realm if we set the principal from the ccache
+
+ This fixes a bug in gensec_gssapi_client_start() where an invalid realm
+ is used to get a Kerberos ticket.
+
+ Signed-off-by: Andreas Schneider <asn@samba.org>
+ Reviewed-by: Stefan Metzmacher <metze@samba.org>
+ (cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
+
+diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
+index 0e68012..1912c48 100644
+--- a/auth/credentials/credentials_krb5.c
++++ b/auth/credentials/credentials_krb5.c
+@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
+ enum credentials_obtained obtained,
+ const char **error_string)
+ {
+-
++ bool ok;
++ char *realm;
+ krb5_principal princ;
+ krb5_error_code ret;
+ char *name;
+@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
+ return ret;
+ }
+
+- cli_credentials_set_principal(cred, name, obtained);
+-
++ ok = cli_credentials_set_principal(cred, name, obtained);
++ if (!ok) {
++ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
++ return ENOMEM;
++ }
+ free(name);
+
++ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
++ princ);
+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
++ if (realm == NULL) {
++ return ENOMEM;
++ }
++ ok = cli_credentials_set_realm(cred, realm, obtained);
++ SAFE_FREE(realm);
++ if (!ok) {
++ return ENOMEM;
++ }
+
+ /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
+ cred->ccache_obtained = obtained;
diff --git a/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch b/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch
new file mode 100644
index 0000000..5c66709
--- /dev/null
+++ b/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch
@@ -0,0 +1,391 @@
+From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:08:46 +0200
+Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29)
+---
+ source3/include/proto.h | 3 ++-
+ source3/libsmb/passchange.c | 5 +++--
+ source3/utils/smbpasswd.c | 3 ++-
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index baa579995a5..9deb27b416b 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain,
+
+ /* The following definitions come from libsmb/passchange.c */
+
+-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
++NTSTATUS remote_password_change(const char *remote_machine,
++ const char *domain, const char *user_name,
+ const char *old_passwd, const char *new_passwd,
+ char **err_str);
+
+diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
+index c89b7ca85d1..48ffba8036f 100644
+--- a/source3/libsmb/passchange.c
++++ b/source3/libsmb/passchange.c
+@@ -30,7 +30,8 @@
+ Change a password on a remote machine using IPC calls.
+ *************************************************************/
+
+-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
++NTSTATUS remote_password_change(const char *remote_machine,
++ const char *domain, const char *user_name,
+ const char *old_passwd, const char *new_passwd,
+ char **err_str)
+ {
+@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
+
+ creds = cli_session_creds_init(cli,
+ user_name,
+- NULL, /* domain */
++ domain,
+ NULL, /* realm */
+ old_passwd,
+ false, /* use_kerberos */
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 437a5e551bb..4d7a3c739bc 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username,
+ fprintf(stderr, "Invalid remote operation!\n");
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+- ret = remote_password_change(remote_mach, username,
++ ret = remote_password_change(remote_mach,
++ NULL, username,
+ old_passwd, new_pw, &err_str);
+ } else {
+ ret = local_password_change(username, local_flags, new_pw,
+--
+2.14.1
+
+
+From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:10:06 +0200
+Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950)
+---
+ source3/include/proto.h | 7 -------
+ source3/libsmb/proto.h | 10 ++++++++++
+ source3/utils/smbpasswd.c | 1 +
+ 3 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 9deb27b416b..67e1a9d750e 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain,
+ fstring srv_name,
+ struct sockaddr_storage *ss_out);
+
+-/* The following definitions come from libsmb/passchange.c */
+-
+-NTSTATUS remote_password_change(const char *remote_machine,
+- const char *domain, const char *user_name,
+- const char *old_passwd, const char *new_passwd,
+- char **err_str);
+-
+ /* The following definitions come from libsmb/smberr.c */
+
+ const char *smb_dos_err_name(uint8_t e_class, uint16_t num);
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index a583a8ee159..44f4d04cff5 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -31,6 +31,9 @@
+
+ struct smb_trans_enc_state;
+ struct cli_credentials;
++struct cli_state;
++struct file_info;
++struct print_job_info;
+
+ /* The following definitions come from libsmb/cliconnect.c */
+
+@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname,
+ TALLOC_CTX *mem_ctx, char **psubstitute_name,
+ char **pprint_name, uint32_t *pflags);
+
++/* The following definitions come from libsmb/passchange.c */
++
++NTSTATUS remote_password_change(const char *remote_machine,
++ const char *domain, const char *user_name,
++ const char *old_passwd, const char *new_passwd,
++ char **err_str);
++
+ #endif /* _LIBSMB_PROTO_H_ */
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 4d7a3c739bc..6eb2deb7a3b 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -21,6 +21,7 @@
+ #include "secrets.h"
+ #include "../librpc/gen_ndr/samr.h"
+ #include "../lib/util/util_pw.h"
++#include "libsmb/proto.h"
+ #include "passdb.h"
+
+ /*
+--
+2.14.1
+
+
+From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:13:15 +0200
+Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change()
+ in smbpasswd
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373)
+---
+ source3/utils/smbpasswd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 6eb2deb7a3b..b0e08cc0e58 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get)
+ Change a password either locally or remotely.
+ *************************************************************/
+
+-static NTSTATUS password_change(const char *remote_mach, char *username,
+- char *old_passwd, char *new_pw,
++static NTSTATUS password_change(const char *remote_mach,
++ const char *username,
++ const char *old_passwd, const char *new_pw,
+ int local_flags)
+ {
+ NTSTATUS ret;
+--
+2.14.1
+
+
+From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:14:57 +0200
+Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit b483340639157fe95777672f5723455c48c3c616)
+---
+ source3/utils/smbpasswd.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index b0e08cc0e58..92712e38f6b 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get)
+ *************************************************************/
+
+ static NTSTATUS password_change(const char *remote_mach,
+- const char *username,
++ const char *domain, const char *username,
+ const char *old_passwd, const char *new_pw,
+ int local_flags)
+ {
+@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach,
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ ret = remote_password_change(remote_mach,
+- NULL, username,
++ domain, username,
+ old_passwd, new_pw, &err_str);
+ } else {
+ ret = local_password_change(username, local_flags, new_pw,
+@@ -466,7 +466,8 @@ static int process_root(int local_flags)
+ }
+ }
+
+- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name,
++ if (!NT_STATUS_IS_OK(password_change(remote_machine,
++ NULL, user_name,
+ old_passwd, new_passwd,
+ local_flags))) {
+ result = 1;
+@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags)
+ exit(1);
+ }
+
+- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw,
+- new_pw, 0))) {
++ if (!NT_STATUS_IS_OK(password_change(remote_machine,
++ NULL, user_name,
++ old_pw, new_pw, 0))) {
+ result = 1;
+ goto done;
+ }
+--
+2.14.1
+
+
+From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:17:08 +0200
+Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name
+ in smbpasswd
+
+If a local user wants to change his password using smbpasswd and the
+machine is a domain member, we need to make sure we authenticate against
+our SAM and not ask winbind.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02)
+---
+ source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++-----
+ 1 file changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 92712e38f6b..556e6869da7 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -58,7 +58,7 @@ static void usage(void)
+ printf(" -c smb.conf file Use the given path to the smb.conf file\n");
+ printf(" -D LEVEL debug level\n");
+ printf(" -r MACHINE remote machine\n");
+- printf(" -U USER remote username\n");
++ printf(" -U USER remote username (e.g. SAM/user)\n");
+
+ printf("extra options when run by root or in local mode:\n");
+ printf(" -a add user\n");
+@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags)
+
+ user_name[0] = '\0';
+
+- while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
++ while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) {
+ switch(ch) {
+ case 'L':
+ if (getuid() != 0) {
+@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags)
+ int result = 0;
+ char *old_pw = NULL;
+ char *new_pw = NULL;
++ const char *username = user_name;
++ const char *domain = NULL;
++ char *p = NULL;
+
+ if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) {
+ /* Extra flags that we can't honor non-root */
+@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags)
+ }
+ }
+
++ /* Allow domain as part of the username */
++ if ((p = strchr_m(user_name, '\\')) ||
++ (p = strchr_m(user_name, '/')) ||
++ (p = strchr_m(user_name, *lp_winbind_separator()))) {
++ *p = '\0';
++ username = p + 1;
++ domain = user_name;
++ }
++
+ /*
+ * A non-root user is always setting a password
+ * via a remote machine (even if that machine is
+@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags)
+
+ load_interfaces(); /* Delayed from main() */
+
+- if (remote_machine == NULL) {
++ if (remote_machine != NULL) {
++ if (!is_ipaddress(remote_machine)) {
++ domain = remote_machine;
++ }
++ } else {
+ remote_machine = "127.0.0.1";
++
++ /*
++ * If we deal with a local user, change the password for the
++ * user in our SAM.
++ */
++ domain = get_global_sam_name();
+ }
+
+ if (remote_machine != NULL) {
+@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags)
+ }
+
+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
+- NULL, user_name,
++ domain, username,
+ old_pw, new_pw, 0))) {
+ result = 1;
+ goto done;
+ }
+
+- printf("Password changed for user %s\n", user_name);
++ printf("Password changed for user %s\n", username);
+
+ done:
+ SAFE_FREE(old_pw);
+--
+2.14.1
+
+
+From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 22 Aug 2017 15:46:07 +0200
+Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Review with: git show -U20
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e)
+---
+ source3/utils/smbpasswd.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 556e6869da7..fb7ad283995 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags)
+ domain = get_global_sam_name();
+ }
+
+- if (remote_machine != NULL) {
+- old_pw = get_pass("Old SMB password:",stdin_passwd_get);
+- if (old_pw == NULL) {
+- fprintf(stderr, "Unable to get old password.\n");
+- exit(1);
+- }
++ old_pw = get_pass("Old SMB password:",stdin_passwd_get);
++ if (old_pw == NULL) {
++ fprintf(stderr, "Unable to get old password.\n");
++ exit(1);
+ }
+
+ if (!new_passwd) {
+--
+2.14.1
+
diff --git a/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch b/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch
new file mode 100644
index 0000000..74daaa8
--- /dev/null
+++ b/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch
@@ -0,0 +1,53 @@
+From fbef6bd05629e3f5939317bd073a2281fcc3b636 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 30 May 2017 16:30:33 +0200
+Subject: [PATCH] libcli:smb2: Gracefully handle not supported for
+ FSCTL_VALIDATE_NEGOTIATE_INFO
+
+If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only
+server then gracefully handle NT_STATUS_NOT_SUPPORTED too.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Volker Lendecke <vl@samba.org>
+Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
+
+(cherry picked from commit a4d9438ecf92614a0915b9cf61f905ea8170043a)
+---
+ libcli/smb/smbXcli_base.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
+index a7b24f01497..593edf9ce78 100644
+--- a/libcli/smb/smbXcli_base.c
++++ b/libcli/smb/smbXcli_base.c
+@@ -5321,6 +5321,21 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
+ tevent_req_done(req);
+ return;
+ }
++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
++ /*
++ * The response was signed, but not supported
++ *
++ * This might be returned by older Windows versions or by
++ * NetApp SMB server implementations.
++ *
++ * See
++ *
++ * https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/
++ *
++ */
++ tevent_req_done(req);
++ return;
++ }
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+--
+2.13.1.518.g3df882009-goog
+
diff --git a/SOURCES/samba-v4.6-gss_krb5_import_cred.patch b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch
new file mode 100644
index 0000000..72f2904
--- /dev/null
+++ b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch
@@ -0,0 +1,543 @@
+From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 17:08:09 +0200
+Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108)
+---
+ wscript_configure_system_mitkrb5 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
+index 06a9821..d3e8ebf 100644
+--- a/wscript_configure_system_mitkrb5
++++ b/wscript_configure_system_mitkrb5
+@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN('''
+ gsskrb5_extract_authz_data_from_sec_context
+ gss_krb5_export_lucid_sec_context
+ gss_import_cred gss_export_cred
++ gss_acquire_cred_from
+ ''', 'gssapi gssapi_krb5')
+ conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers)
+ conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
+--
+2.9.3
+
+
+From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:14:57 +0200
+Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
+
+Wrap gss_krb5_import_cred() to allow re-implementing it with
+gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
+works fine with GSSAPI interposer (GSS-proxy) while
+gss_krb5_import_cred() is not interposed yet.
+
+The wrapper has additional parameter, krb5_context handle, to facilitate
+with credentials cache name discovery. All our callers to
+gss_krb5_import_cred() already have krb5 context handy.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)
+---
+ lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++
+ lib/krb5_wrap/gss_samba.h | 13 +++++
+ 2 files changed, 134 insertions(+)
+
+diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
+index b444633..757ffc5 100644
+--- a/lib/krb5_wrap/gss_samba.c
++++ b/lib/krb5_wrap/gss_samba.c
+@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
+ }
+ #endif /* !HAVE_GSS_OID_EQUAL */
+
++
++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
++ * interposed by GSSPROXY while gss_krb5_import_cred() is not.
++ *
++ * This wrapper requires a proper krb5_context to resolve ccache name.
++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
++uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
++ krb5_ccache id, krb5_principal keytab_principal,
++ krb5_keytab keytab, gss_cred_id_t *cred)
++{
++ uint32_t major_status = 0;
++
++#if HAVE_GSS_ACQUIRE_CRED_FROM
++ uint32_t minor = 0;
++ gss_key_value_element_desc ccache_element = {
++ .key = "ccache",
++ .value = NULL,
++ };
++
++ gss_key_value_element_desc keytab_element = {
++ .key = "keytab",
++ .value = NULL,
++ };
++
++ gss_key_value_element_desc elements[2];
++
++ gss_key_value_set_desc cred_store = {
++ .elements = &ccache_element,
++ .count = 1,
++ };
++
++ gss_OID_set mech_set = GSS_C_NO_OID_SET;
++ gss_cred_usage_t cred_usage = GSS_C_INITIATE;
++ gss_name_t name = NULL;
++ gss_buffer_desc pr_name = {
++ .value = NULL,
++ .length = 0,
++ };
++
++ if (id != NULL) {
++ major_status = krb5_cc_get_full_name(ctx,
++ id,
++ discard_const(&ccache_element.value));
++ if (major_status != 0) {
++ return major_status;
++ }
++ }
++
++ if (keytab != NULL) {
++ keytab_element.value = malloc(4096);
++ if (!keytab_element.value) {
++ return ENOMEM;
++ }
++ major_status = krb5_kt_get_name(ctx,
++ keytab,
++ discard_const(keytab_element.value), 4096);
++ if (major_status != 0) {
++ free(discard_const(keytab_element.value));
++ return major_status;
++ }
++ cred_usage = GSS_C_ACCEPT;
++ cred_store.elements = &keytab_element;
++
++ if (keytab_principal != NULL) {
++ major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
++ if (major_status != 0) {
++ free(discard_const(keytab_element.value));
++ return major_status;
++ }
++ pr_name.length = strlen(pr_name.value);
++
++ major_status = gss_import_name(minor_status,
++ &pr_name,
++ discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
++ &name);
++ if (major_status != 0) {
++ krb5_free_unparsed_name(ctx, pr_name.value);
++ free(discard_const(keytab_element.value));
++ return major_status;
++ }
++ }
++ }
++
++ if (id != NULL && keytab != NULL) {
++ elements[0] = ccache_element;
++ elements[1] = keytab_element;
++
++ cred_store.elements = elements;
++ cred_store.count = 2;
++ cred_usage = GSS_C_BOTH;
++ }
++
++ major_status = gss_acquire_cred_from(minor_status,
++ name,
++ 0,
++ mech_set,
++ cred_usage,
++ &cred_store,
++ cred,
++ NULL,
++ NULL);
++
++ if (pr_name.value != NULL) {
++ (void)gss_release_name(&minor, &name);
++ krb5_free_unparsed_name(ctx, pr_name.value);
++ }
++ if (keytab_element.value != NULL) {
++ free(discard_const(keytab_element.value));
++ }
++ krb5_free_string(ctx, discard_const(ccache_element.value));
++#else
++ major_status = gss_krb5_import_cred(minor_status,
++ id,
++ keytab_principal,
++ keytab, cred);
++#endif
++ return major_status;
++}
++
++
+ #endif /* HAVE_GSSAPI */
+diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
+index 5319932..89aee34 100644
+--- a/lib/krb5_wrap/gss_samba.h
++++ b/lib/krb5_wrap/gss_samba.h
+@@ -25,6 +25,7 @@
+ #ifdef HAVE_GSSAPI
+
+ #include "system/gssapi.h"
++#include "krb5_samba.h"
+
+ #if defined(HAVE_GSS_OID_EQUAL)
+ #define smb_gss_oid_equal gss_oid_equal
+@@ -32,5 +33,17 @@
+ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid);
+ #endif /* HAVE_GSS_OID_EQUAL */
+
++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
++ * interposed by GSS-proxy while gss_krb5_import_cred() is not.
++ *
++ * This wrapper requires a proper krb5_context to resolve the ccache name for
++ * gss_acquire_cred_from().
++ *
++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
++uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
++ krb5_ccache id, krb5_principal keytab_principal,
++ krb5_keytab keytab, gss_cred_id_t *cred);
++
+ #endif /* HAVE_GSSAPI */
+ #endif /* _GSS_SAMBA_H */
+--
+2.9.3
+
+
+From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:57:13 +0200
+Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1)
+---
+ auth/credentials/credentials_krb5.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
+index e974df9..0e68012 100644
+--- a/auth/credentials/credentials_krb5.c
++++ b/auth/credentials/credentials_krb5.c
+@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ return ENOMEM;
+ }
+
+- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
+- &gcc->creds);
++ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
++ ccache->ccache, NULL, NULL,
++ &gcc->creds);
+ if ((maj_stat == GSS_S_FAILURE) &&
+ (min_stat == (OM_uint32)KRB5_CC_END ||
+ min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
+@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ return ret;
+ }
+
+- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
+- &gcc->creds);
++ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
++ ccache->ccache, NULL, NULL,
++ &gcc->creds);
+
+ }
+
+@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ } else {
+ ret = EINVAL;
+ }
+- (*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
++ (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret));
+ return ret;
+ }
+
+@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
+
+ if (ktc->password_based || obtained < CRED_SPECIFIED) {
+ /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
+- maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
+- &gcc->creds);
++ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
++ NULL, NULL, ktc->keytab,
++ &gcc->creds);
+ } else {
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
+- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
+- &gcc->creds);
++ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
++ NULL, princ, ktc->keytab,
++ &gcc->creds);
+ }
+ if (maj_stat) {
+ if (min_stat) {
+--
+2.9.3
+
+
+From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:57:50 +0200
+Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9)
+---
+ source3/libads/sasl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 8570788..30127fa 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
+ goto done;
+ }
+
+- maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
++ maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred);
+ if (maj != GSS_S_COMPLETE) {
+ status = ADS_ERROR_GSS(maj, min);
+ goto done;
+--
+2.9.3
+
+
+From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:58:14 +0200
+Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7)
+---
+ source3/librpc/crypto/gse.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index abf20bc..f4238f3 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ /* TODO: get krb5 ticket using username/password, if no valid
+ * one already available in ccache */
+
+- gss_maj = gss_krb5_import_cred(&gss_min,
+- gse_ctx->ccache,
+- NULL, /* keytab_principal */
+- NULL, /* keytab */
+- &gse_ctx->creds);
++ gss_maj = smb_gss_krb5_import_cred(&gss_min,
++ gse_ctx->k5ctx,
++ gse_ctx->ccache,
++ NULL, /* keytab_principal */
++ NULL, /* keytab */
++ &gse_ctx->creds);
+ if (gss_maj) {
+ char *ccache = NULL;
+ int kret;
+@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ ccache = NULL;
+ }
+
+- DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
++ DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -"
+ "the caller may retry after a kinit.\n",
+ ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
+ SAFE_FREE(ccache);
+@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
+ }
+
+ /* This creates a GSSAPI cred_id_t with the keytab set */
+- gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
+- &gse_ctx->creds);
++ gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx,
++ NULL, NULL, gse_ctx->keytab,
++ &gse_ctx->creds);
+
+ if (gss_maj != 0
+ && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
+- DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
++ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
+ gse_errstr(gse_ctx, gss_maj, gss_min)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+--
+2.9.3
+
+
+From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Wed, 8 Mar 2017 12:38:49 +0200
+Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred
+ wrapper
+
+MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
+credentials from a keytab without specifying actual principal.
+This was fixed in MIT krb5 1.9.2 (see commit
+71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
+master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
+
+Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
+expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
+code use of krb5 mech when calling to gss_acquire_cred.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
+Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144
+
+(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32)
+---
+ lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++---
+ source3/librpc/crypto/gse.c | 49 +--------------------------------------------
+ 2 files changed, 44 insertions(+), 51 deletions(-)
+
+diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
+index 757ffc5..9e5ad4a 100644
+--- a/lib/krb5_wrap/gss_samba.c
++++ b/lib/krb5_wrap/gss_samba.c
+@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
+ krb5_free_string(ctx, discard_const(ccache_element.value));
+ #else
+ major_status = gss_krb5_import_cred(minor_status,
+- id,
+- keytab_principal,
+- keytab, cred);
++ id,
++ keytab_principal,
++ keytab, cred);
++
++ if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
++ if ((keytab_principal == NULL) && (keytab != NULL)) {
++ /* No principal was specified and MIT krb5 1.9 version failed.
++ * We have to fall back to set global acceptor identity */
++ gss_OID_set_desc mech_set;
++ char *kt_name = NULL;
++
++ kt_name = malloc(4096);
++ if (!kt_name) {
++ return ENOMEM;
++ }
++
++ major_status = krb5_kt_get_name(ctx,
++ keytab,
++ kt_name, 4096);
++ if (major_status != 0) {
++ free(kt_name);
++ return major_status;
++ }
++
++ major_status = gsskrb5_register_acceptor_identity(kt_name);
++ if (major_status) {
++ free(kt_name);
++ return major_status;
++ }
++
++ /* We are dealing with krb5 GSSAPI mech in this fallback */
++ mech_set.count = 1;
++ mech_set.elements = gss_mech_krb5;
++ major_status = gss_acquire_cred(minor_status,
++ GSS_C_NO_NAME,
++ GSS_C_INDEFINITE,
++ &mech_set,
++ GSS_C_ACCEPT,
++ cred,
++ NULL, NULL);
++ free(kt_name);
++ }
++ }
+ #endif
+ return major_status;
+ }
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index f4238f3..a111320 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
+ NULL, NULL, gse_ctx->keytab,
+ &gse_ctx->creds);
+
+- if (gss_maj != 0
+- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
++ if (gss_maj != 0) {
+ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
+ gse_errstr(gse_ctx, gss_maj, gss_min)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+-
+- /* This is the error the MIT krb5 1.9 gives when it
+- * implements the function, but we do not specify the
+- * principal. However, when we specify the principal
+- * as host$@REALM the GSS acceptor fails with 'wrong
+- * principal in request'. Work around the issue by
+- * falling back to the alternate approach below. */
+- } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
+- /* FIXME!!!
+- * This call sets the default keytab for the whole server, not
+- * just for this context. Need to find a way that does not alter
+- * the state of the whole server ... */
+- {
+- const char *ktname;
+- gss_OID_set_desc mech_set;
+-
+- ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx,
+- gse_ctx->keytab, &ktname);
+- if (ret) {
+- status = NT_STATUS_INTERNAL_ERROR;
+- goto done;
+- }
+-
+- ret = gsskrb5_register_acceptor_identity(ktname);
+- if (ret) {
+- status = NT_STATUS_INTERNAL_ERROR;
+- goto done;
+- }
+-
+- mech_set.count = 1;
+- mech_set.elements = &gse_ctx->gss_mech;
+-
+- gss_maj = gss_acquire_cred(&gss_min,
+- GSS_C_NO_NAME,
+- GSS_C_INDEFINITE,
+- &mech_set,
+- GSS_C_ACCEPT,
+- &gse_ctx->creds,
+- NULL, NULL);
+-
+- if (gss_maj) {
+- DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
+- gse_errstr(gse_ctx, gss_maj, gss_min)));
+- status = NT_STATUS_INTERNAL_ERROR;
+- goto done;
+- }
+ }
+
+ status = NT_STATUS_OK;
+--
+2.9.3
+
diff --git a/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
new file mode 100644
index 0000000..73c72cd
--- /dev/null
+++ b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
@@ -0,0 +1,179 @@
+From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 10 Mar 2017 16:20:06 +0200
+Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Implement a small Python module that exposes arcfour_crypt_blob()
+function widely used in Samba C code.
+
+When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
+there is a need to encrypt trusted credentials with RC4 cipher.
+
+Current Samba Python code relies on Python runtime to provide RC4
+cipher. However, in FIPS 140-2 mode system crypto libraries do not
+provide access RC4 cipher at all. According to Microsoft dochelp team,
+Windows is treating AuthenticationInformation blob encryption as 'plain
+text' in terms of FIPS 140-2, thus doing application-level encryption.
+
+Replace samba.arcfour_encrypt() implementation with a call to
+samba.crypto.arcfour_crypt_blob().
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
+
+(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)
+---
+ lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/crypto/wscript_build | 7 ++++
+ python/samba/__init__.py | 16 ++-------
+ 3 files changed, 99 insertions(+), 14 deletions(-)
+ create mode 100644 lib/crypto/py_crypto.c
+
+diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
+new file mode 100644
+index 0000000..bf7f9f4
+--- /dev/null
++++ b/lib/crypto/py_crypto.c
+@@ -0,0 +1,90 @@
++/*
++ Unix SMB/CIFS implementation.
++ Samba crypto functions
++
++ Copyright (C) Alexander Bokovoy <ab@samba.org> 2017
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <Python.h>
++#include "includes.h"
++#include "python/py3compat.h"
++#include "lib/crypto/arcfour.h"
++
++static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
++{
++ DATA_BLOB data, key;
++ PyObject *py_data, *py_key, *result;
++ TALLOC_CTX *ctx;
++
++ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
++ return NULL;
++
++ if (!PyBytes_Check(py_data)) {
++ PyErr_Format(PyExc_TypeError, "bytes expected");
++ return NULL;
++ }
++
++ if (!PyBytes_Check(py_key)) {
++ PyErr_Format(PyExc_TypeError, "bytes expected");
++ return NULL;
++ }
++
++ ctx = talloc_new(NULL);
++
++ data.length = PyBytes_Size(py_data);
++ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
++ if (!data.data) {
++ talloc_free(ctx);
++ return PyErr_NoMemory();
++ }
++
++ key.data = (uint8_t *)PyBytes_AsString(py_key);
++ key.length = PyBytes_Size(py_key);
++
++ arcfour_crypt_blob(data.data, data.length, &key);
++
++ result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
++ talloc_free(ctx);
++ return result;
++}
++
++
++static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
++ "Encrypt the data with RC4 algorithm using the key";
++
++static PyMethodDef py_crypto_methods[] = {
++ { "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
++ { NULL },
++};
++
++static struct PyModuleDef moduledef = {
++ PyModuleDef_HEAD_INIT,
++ .m_name = "crypto",
++ .m_doc = "Crypto functions required for SMB",
++ .m_size = -1,
++ .m_methods = py_crypto_methods,
++};
++
++MODULE_INIT_FUNC(crypto)
++{
++ PyObject *m;
++
++ m = PyModule_Create(&moduledef);
++ if (m == NULL)
++ return NULL;
++
++ return m;
++}
+diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
+index 7f94532..d1f152e 100644
+--- a/lib/crypto/wscript_build
++++ b/lib/crypto/wscript_build
+@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
+ autoproto='test_proto.h',
+ deps='LIBCRYPTO'
+ )
++
++for env in bld.gen_python_environments():
++ bld.SAMBA_PYTHON('python_crypto',
++ source='py_crypto.c',
++ deps='LIBCRYPTO',
++ realname='samba/crypto.so'
++ )
+diff --git a/python/samba/__init__.py b/python/samba/__init__.py
+index 19d5e38..fa4244a 100644
+--- a/python/samba/__init__.py
++++ b/python/samba/__init__.py
+@@ -371,20 +371,8 @@ def string_to_byte_array(string):
+ return blob
+
+ def arcfour_encrypt(key, data):
+- try:
+- from Crypto.Cipher import ARC4
+- c = ARC4.new(key)
+- return c.encrypt(data)
+- except ImportError as e:
+- pass
+- try:
+- from M2Crypto.RC4 import RC4
+- c = RC4(key)
+- return c.update(data)
+- except ImportError as e:
+- pass
+- raise Exception("arcfour_encrypt() requires " +
+- "python*-crypto or python*-m2crypto or m2crypto")
++ from samba.crypto import arcfour_crypt_blob
++ return arcfour_crypt_blob(data, key)
+
+ import _glue
+ version = _glue.version
+--
+2.9.3
+
diff --git a/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch
new file mode 100644
index 0000000..f2f7cb6
--- /dev/null
+++ b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch
@@ -0,0 +1,405 @@
+From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 16 Jan 2017 11:43:12 +0100
+Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows
+
+Since Windows Server 2008 Microsoft uses a different port range for RPC
+services. Before it was 1024-65535 and they changed it to 49152-65535.
+
+We should use the same range as these are the ports the firewall in AD
+networks normally allow.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3)
+---
+ source3/rpc_server/rpc_server.c | 4 ++--
+ source4/smbd/service_stream.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
+index 5effe66d9bb..37fe68fc36d 100644
+--- a/source3/rpc_server/rpc_server.c
++++ b/source3/rpc_server/rpc_server.c
+@@ -34,8 +34,8 @@
+ #include "rpc_server/srv_pipe_hnd.h"
+ #include "rpc_server/srv_pipe.h"
+
+-#define SERVER_TCP_LOW_PORT 1024
+-#define SERVER_TCP_HIGH_PORT 1300
++#define SERVER_TCP_LOW_PORT 49152
++#define SERVER_TCP_HIGH_PORT 65535
+
+ /* Creates a pipes_struct and initializes it with the information
+ * sent from the client */
+diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
+index f0a379acf6a..96a303fc6a9 100644
+--- a/source4/smbd/service_stream.c
++++ b/source4/smbd/service_stream.c
+@@ -30,8 +30,8 @@
+ #include "lib/util/util_net.h"
+
+ /* the range of ports to try for dcerpc over tcp endpoints */
+-#define SERVER_TCP_LOW_PORT 1024
+-#define SERVER_TCP_HIGH_PORT 1300
++#define SERVER_TCP_LOW_PORT 49152
++#define SERVER_TCP_HIGH_PORT 65535
+
+ /* size of listen() backlog in smbd */
+ #define SERVER_LISTEN_BACKLOG 10
+--
+2.11.0
+
+
+From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 16 Jan 2017 12:05:09 +0100
+Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC
+ services
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d)
+---
+ docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +++++--
+ .../smbdotconf/rpc/rpcserverdynamicportrange.xml | 22 ++++++++++
+ lib/param/loadparm.c | 47 ++++++++++++++++++++++
+ lib/param/loadparm.h | 9 ++++-
+ lib/param/param.h | 3 ++
+ python/samba/tests/docs.py | 11 +++--
+ source3/include/proto.h | 2 +
+ source3/param/loadparm.c | 16 ++++++++
+ source3/rpc_server/rpc_server.c | 5 +--
+ source4/smbd/service_stream.c | 8 ++--
+ 10 files changed, 120 insertions(+), 17 deletions(-)
+ create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
+
+diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml
+index 8a70835612f..0fd87d69212 100644
+--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml
++++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml
+@@ -4,11 +4,19 @@
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ <para>Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.</para>
+- <para>This controls default port for all protocols, except for NETLOGON. If unset, the first available port after 1024 is used.</para>
+- <para>The NETLOGON server will use the next available port, eg 1025. To change this port use (eg) rpc server port:netlogon = 4000.</para>
++ <para>This controls the default port for all protocols, except for NETLOGON.</para>
++ <para>If unset, the first available port from <smbconfoption name="rpc server dynamic port range"/> is used, e.g. 49152.</para>
++ <para>The NETLOGON server will use the next available port, e.g. 49153. To change this port use (eg) rpc server port:netlogon = 4000.</para>
+ <para>Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000.</para>
+
++ <para>This option applies currently only when
++ <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
++ runs as an active directory domain controller.</para>
++
++ <para>The default value 0 causes Samba to select the first available port from <smbconfoption name="rpc server dynamic port range"/>.</para>
+ </description>
+-<para>The default value 0 causes Samba to select the first available port after 1024.</para>
++
++<related>rpc server dynamic port range</related>
++
+ <value type="default">0</value>
+ </samba:parameter>
+diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
+new file mode 100644
+index 00000000000..a9c51d2fe41
+--- /dev/null
++++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
+@@ -0,0 +1,22 @@
++<samba:parameter name="rpc server dynamic port range"
++ context="G"
++ type="string"
++ handler="handle_rpc_server_dynamic_port_range"
++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++ <para>
++ This parameter tells the RPC server which port range it is
++ allowed to use to create a listening socket for LSA, SAM,
++ Netlogon and others without wellknown tcp ports.
++ The first value is the lowest number of the port
++ range and the second the hightest.
++ </para>
++ <para>
++ This applies to RPC servers in all server roles.
++ </para>
++</description>
++
++<related>rpc server port</related>
++
++<value type="default">49152-65535</value>
++</samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 6aa757f7c6b..3b54ff232aa 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx)
+ return lp_ctx->sDefault;
+ }
+
++int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
++{
++ return lp_ctx->globals->rpc_low_port;
++}
++
++int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
++{
++ return lp_ctx->globals->rpc_high_port;
++}
++
+ /**
+ * Convenience routine to grab string parameters into temporary memory
+ * and run standard_sub_basic on them.
+@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
+ return true;
+ }
+
++bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
++ struct loadparm_service *service,
++ const char *pszParmValue,
++ char **ptr)
++{
++ int low_port = -1, high_port = -1;
++ int rc;
++
++ if (pszParmValue == NULL || pszParmValue[0] == '\0') {
++ return false;
++ }
++
++ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
++ if (rc != 2) {
++ return false;
++ }
++
++ if (low_port > high_port) {
++ return false;
++ }
++
++ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
++ return false;
++ }
++
++ lp_ctx->globals->rpc_low_port = low_port;
++ lp_ctx->globals->rpc_high_port = high_port;
++
++ return true;
++}
++
+ bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue, char **ptr)
+@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
+ /* This appears odd, but globals in s3 isn't a pointer */
+ lp_ctx->globals->ctx = lp_ctx->globals;
++ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
++ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
+ lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
+ lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
+
+@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+
+ lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
+
++ lpcfg_do_global_parameter(lp_ctx,
++ "rpc server dynamic port range",
++ "49152-65535");
++
+ /* Allow modules to adjust defaults */
+ for (defaults_hook = defaults_hooks; defaults_hook;
+ defaults_hook = defaults_hook->next) {
+diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
+index f9fb7d8d804..c63683d6b66 100644
+--- a/lib/param/loadparm.h
++++ b/lib/param/loadparm.h
+@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
+ #endif /* DEVELOPER */
+ };
+
++#define SERVER_TCP_LOW_PORT 49152
++#define SERVER_TCP_HIGH_PORT 65535
++
++#define SERVER_TCP_PORT_MIN 1024
++#define SERVER_TCP_PORT_MAX 65535
+
+
+
+@@ -272,7 +277,9 @@ enum inheritowner_options {
+ #define LOADPARM_EXTRA_GLOBALS \
+ struct parmlist_entry *param_opt; \
+ char *dnsdomain; \
+- char *realm_original;
++ char *realm_original; \
++ int rpc_low_port; \
++ int rpc_high_port;
+
+ const char* server_role_str(uint32_t role);
+ int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
+diff --git a/lib/param/param.h b/lib/param/param.h
+index 66037e2ef1b..e123e67a990 100644
+--- a/lib/param/param.h
++++ b/lib/param/param.h
+@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
+ time_t *usr_tkt_lifetime,
+ time_t *renewal_lifetime);
+
++int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);
++int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);
++
+ /* The following definitions come from lib/version.c */
+
+ const char *samba_version_string(void);
+diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
+index 22e022583f6..65df573a350 100644
+--- a/python/samba/tests/docs.py
++++ b/python/samba/tests/docs.py
+@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase):
+ 'lprm command', 'lpq command', 'print command', 'template homedir',
+ 'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
+ 'max open files', 'fss: prune stale', 'fss: sequence timeout',
+- 'include system krb5 conf'])
++ 'include system krb5 conf', 'rpc server dynamic port range'])
+
+ def setUp(self):
+ super(SmbDotConfTests, self).setUp()
+@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase):
+ exceptions = ['client lanman auth',
+ 'client plaintext auth',
+ 'registry shares',
+- 'smb ports'])
++ 'smb ports',
++ 'rpc server dynamic port range'])
+ self._test_empty(['bin/testparm'])
+
+ def test_default_s4(self):
+ self._test_default(['bin/samba-tool', 'testparm'])
+ self._set_defaults(['bin/samba-tool', 'testparm'])
+ self._set_arbitrary(['bin/samba-tool', 'testparm'],
+- exceptions = ['smb ports'])
++ exceptions = ['smb ports',
++ 'rpc server dynamic port range'])
+ self._test_empty(['bin/samba-tool', 'testparm'])
+
+ def _test_default(self, program):
+@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
+
+ for tuples in self.defaults:
+ param, default, context, param_type = tuples
++
+ if param in self.special_cases:
+ continue
+ section = None
+@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
+ for tuples in self.defaults:
+ param, default, context, param_type = tuples
+
+- if param in ['printing']:
++ if param in ['printing', 'rpc server dynamic port range']:
+ continue
+
+ section = None
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 642900ed67c..b3d3ca0e5d1 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
+ int lp_smb2_max_credits(void);
+ int lp_cups_encrypt(void);
+ bool lp_widelinks(int );
++int lp_rpc_low_port(void);
++int lp_rpc_high_port(void);
+
+ int lp_wi_scan_global_parametrics(
+ const char *regex, size_t max_matches,
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index d8da749ccba..2c8380067f6 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+
+ Globals.aio_max_threads = 100;
+
++ lpcfg_string_set(Globals.ctx,
++ &Globals.rpc_server_dynamic_port_range,
++ "49152-65535");
++ Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
++ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
++
+ /* Now put back the settings that were set with lp_set_cmdline() */
+ apply_lp_set_cmdline();
+ }
+@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void)
+ return client_ipc_signing;
+ }
+
++int lp_rpc_low_port(void)
++{
++ return Globals.rpc_low_port;
++}
++
++int lp_rpc_high_port(void)
++{
++ return Globals.rpc_high_port;
++}
++
+ struct loadparm_global * get_globals(void)
+ {
+ return &Globals;
+diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
+index 37fe68fc36d..f7fb8ef5207 100644
+--- a/source3/rpc_server/rpc_server.c
++++ b/source3/rpc_server/rpc_server.c
+@@ -34,9 +34,6 @@
+ #include "rpc_server/srv_pipe_hnd.h"
+ #include "rpc_server/srv_pipe.h"
+
+-#define SERVER_TCP_LOW_PORT 49152
+-#define SERVER_TCP_HIGH_PORT 65535
+-
+ /* Creates a pipes_struct and initializes it with the information
+ * sent from the client */
+ int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
+@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
+ if (*port == 0) {
+ uint16_t i;
+
+- for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
++ for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
+ fd = open_socket_in(SOCK_STREAM,
+ i,
+ 0,
+diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
+index 96a303fc6a9..deb96d8d69d 100644
+--- a/source4/smbd/service_stream.c
++++ b/source4/smbd/service_stream.c
+@@ -29,10 +29,6 @@
+ #include "../lib/tsocket/tsocket.h"
+ #include "lib/util/util_net.h"
+
+-/* the range of ports to try for dcerpc over tcp endpoints */
+-#define SERVER_TCP_LOW_PORT 49152
+-#define SERVER_TCP_HIGH_PORT 65535
+-
+ /* size of listen() backlog in smbd */
+ #define SERVER_LISTEN_BACKLOG 10
+
+@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
+ if (!port) {
+ status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
+ } else if (*port == 0) {
+- for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
++ for (i = lpcfg_rpc_low_port(lp_ctx);
++ i <= lpcfg_rpc_high_port(lp_ctx);
++ i++) {
+ socket_address->port = i;
+ status = socket_listen(stream_socket->sock, socket_address,
+ SERVER_LISTEN_BACKLOG, 0);
+--
+2.11.0
+
diff --git a/SOURCES/samba.log b/SOURCES/samba.log
new file mode 100644
index 0000000..6ccd04d
--- /dev/null
+++ b/SOURCES/samba.log
@@ -0,0 +1,7 @@
+/var/log/samba/* {
+ notifempty
+ olddir /var/log/samba/old
+ missingok
+ sharedscripts
+ copytruncate
+}
diff --git a/SOURCES/samba.pamd b/SOURCES/samba.pamd
new file mode 100644
index 0000000..66cd2a9
--- /dev/null
+++ b/SOURCES/samba.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth required pam_nologin.so
+auth include password-auth
+account include password-auth
+session include password-auth
+password include password-auth
diff --git a/SOURCES/smb.conf.example b/SOURCES/smb.conf.example
new file mode 100644
index 0000000..e672ce9
--- /dev/null
+++ b/SOURCES/smb.conf.example
@@ -0,0 +1,313 @@
+# This is the main Samba configuration file. For detailed information about the
+# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
+# number of configurable options, most of which are not shown in this example.
+#
+# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
+# and using Samba:
+# https://wiki.samba.org/index.php/User_Documentation
+#
+# In this file, lines starting with a semicolon (;) or a hash (#) are
+# comments and are ignored. This file uses hashes to denote commentary and
+# semicolons for parts of the file you may wish to configure.
+#
+# NOTE: Run the "testparm" command after modifying this file to check for basic
+# syntax errors.
+#
+#---------------
+# Security-Enhanced Linux (SELinux) Notes:
+#
+# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
+# useradd and groupadd family of binaries. Run the following command as the
+# root user to turn this Boolean on:
+# setsebool -P samba_domain_controller on
+#
+# Turn the samba_enable_home_dirs Boolean on if you want to share home
+# directories via Samba. Run the following command as the root user to turn this
+# Boolean on:
+# setsebool -P samba_enable_home_dirs on
+#
+# If you create a new directory, such as a new top-level directory, label it
+# with samba_share_t so that SELinux allows Samba to read and write to it. Do
+# not label system directories, such as /etc/ and /home/, with samba_share_t, as
+# such directories should already have an SELinux label.
+#
+# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
+# label for a given directory.
+#
+# Set SELinux labels only on files and directories you have created. Use the
+# chcon command to temporarily change a label:
+# chcon -t samba_share_t /path/to/directory
+#
+# Changes made via chcon are lost when the file system is relabeled or commands
+# such as restorecon are run.
+#
+# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
+# directories. To share such directories and only allow read-only permissions:
+# setsebool -P samba_export_all_ro on
+# To share such directories and allow read and write permissions:
+# setsebool -P samba_export_all_rw on
+#
+# To run scripts (preexec/root prexec/print command/...), copy them to the
+# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
+# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
+# their existing SELinux labels, which may be labels that SELinux does not allow
+# smbd to run. Copying the scripts will result in the correct SELinux labels.
+# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
+# apply the correct SELinux labels to these files.
+#
+#--------------
+#
+#======================= Global Settings =====================================
+
+[global]
+
+# ----------------------- Network-Related Options -------------------------
+#
+# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
+#
+# server string = the equivalent of the Windows NT Description field.
+#
+# netbios name = used to specify a server name that is not tied to the hostname,
+# maximum is 15 characters.
+#
+# interfaces = used to configure Samba to listen on multiple network interfaces.
+# If you have multiple interfaces, you can use the "interfaces =" option to
+# configure which of those interfaces Samba listens on. Never omit the localhost
+# interface (lo).
+#
+# hosts allow = the hosts allowed to connect. This option can also be used on a
+# per-share basis.
+#
+# hosts deny = the hosts not allowed to connect. This option can also be used on
+# a per-share basis.
+#
+ workgroup = MYGROUP
+ server string = Samba Server Version %v
+
+; netbios name = MYSERVER
+
+; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
+; hosts allow = 127. 192.168.12. 192.168.13.
+
+# --------------------------- Logging Options -----------------------------
+#
+# log file = specify where log files are written to and how they are split.
+#
+# max log size = specify the maximum size log files are allowed to reach. Log
+# files are rotated when they reach the size specified with "max log size".
+#
+
+ # log files split per-machine:
+ log file = /var/log/samba/log.%m
+ # maximum size of 50KB per log file, then rotate:
+ max log size = 50
+
+# ----------------------- Standalone Server Options ------------------------
+#
+# security = the mode Samba runs in. This can be set to user, share
+# (deprecated), or server (deprecated).
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+
+ security = user
+ passdb backend = tdbsam
+
+
+# ----------------------- Domain Members Options ------------------------
+#
+# security = must be set to domain or ads.
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+# realm = only use the realm option when the "security = ads" option is set.
+# The realm option specifies the Active Directory realm the host is a part of.
+#
+# password server = only use this option when the "security = server"
+# option is set, or if you cannot use DNS to locate a Domain Controller. The
+# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
+#
+# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
+#
+# Use "password server = *" to automatically locate Domain Controllers.
+
+; security = domain
+; passdb backend = tdbsam
+; realm = MY_REALM
+
+; password server = <NT-Server-Name>
+
+# ----------------------- Domain Controller Options ------------------------
+#
+# security = must be set to user for domain controllers.
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+# domain master = specifies Samba to be the Domain Master Browser, allowing
+# Samba to collate browse lists between subnets. Do not use the "domain master"
+# option if you already have a Windows NT domain controller performing this task.
+#
+# domain logons = allows Samba to provide a network logon service for Windows
+# workstations.
+#
+# logon script = specifies a script to run at login time on the client. These
+# scripts must be provided in a share named NETLOGON.
+#
+# logon path = specifies (with a UNC path) where user profiles are stored.
+#
+#
+; security = user
+; passdb backend = tdbsam
+
+; domain master = yes
+; domain logons = yes
+
+ # the following login script name is determined by the machine name
+ # (%m):
+; logon script = %m.bat
+ # the following login script name is determined by the UNIX user used:
+; logon script = %u.bat
+; logon path = \\%L\Profiles\%u
+ # use an empty path to disable profile support:
+; logon path =
+
+ # various scripts can be used on a domain controller or a stand-alone
+ # machine to add or delete corresponding UNIX accounts:
+
+; add user script = /usr/sbin/useradd "%u" -n -g users
+; add group script = /usr/sbin/groupadd "%g"
+; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
+; delete user script = /usr/sbin/userdel "%u"
+; delete user from group script = /usr/sbin/userdel "%u" "%g"
+; delete group script = /usr/sbin/groupdel "%g"
+
+
+# ----------------------- Browser Control Options ----------------------------
+#
+# local master = when set to no, Samba does not become the master browser on
+# your network. When set to yes, normal election rules apply.
+#
+# os level = determines the precedence the server has in master browser
+# elections. The default value should be reasonable.
+#
+# preferred master = when set to yes, Samba forces a local browser election at
+# start up (and gives itself a slightly higher chance of winning the election).
+#
+; local master = no
+; os level = 33
+; preferred master = yes
+
+#----------------------------- Name Resolution -------------------------------
+#
+# This section details the support for the Windows Internet Name Service (WINS).
+#
+# Note: Samba can be either a WINS server or a WINS client, but not both.
+#
+# wins support = when set to yes, the NMBD component of Samba enables its WINS
+# server.
+#
+# wins server = tells the NMBD component of Samba to be a WINS client.
+#
+# wins proxy = when set to yes, Samba answers name resolution queries on behalf
+# of a non WINS capable client. For this to work, there must be at least one
+# WINS server on the network. The default is no.
+#
+# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
+# nslookups.
+
+; wins support = yes
+; wins server = w.x.y.z
+; wins proxy = yes
+
+; dns proxy = yes
+
+# --------------------------- Printing Options -----------------------------
+#
+# The options in this section allow you to configure a non-default printing
+# system.
+#
+# load printers = when set you yes, the list of printers is automatically
+# loaded, rather than setting them up individually.
+#
+# cups options = allows you to pass options to the CUPS library. Setting this
+# option to raw, for example, allows you to use drivers on your Windows clients.
+#
+# printcap name = used to specify an alternative printcap file.
+#
+
+ load printers = yes
+ cups options = raw
+
+; printcap name = /etc/printcap
+ # obtain a list of printers automatically on UNIX System V systems:
+; printcap name = lpstat
+; printing = cups
+
+# --------------------------- File System Options ---------------------------
+#
+# The options in this section can be un-commented if the file system supports
+# extended attributes, and those attributes are enabled (usually via the
+# "user_xattr" mount option). These options allow the administrator to specify
+# that DOS attributes are stored in extended attributes and also make sure that
+# Samba does not change the permission bits.
+#
+# Note: These options can be used on a per-share basis. Setting them globally
+# (in the [global] section) makes them the default for all shares.
+
+; map archive = no
+; map hidden = no
+; map read only = no
+; map system = no
+; store dos attributes = yes
+
+
+#============================ Share Definitions ==============================
+
+[homes]
+ comment = Home Directories
+ browseable = no
+ writable = yes
+; valid users = %S
+; valid users = MYDOMAIN\%S
+
+[printers]
+ comment = All Printers
+ path = /var/spool/samba
+ browseable = no
+ guest ok = no
+ writable = no
+ printable = yes
+
+# Un-comment the following and create the netlogon directory for Domain Logons:
+; [netlogon]
+; comment = Network Logon Service
+; path = /var/lib/samba/netlogon
+; guest ok = yes
+; writable = no
+; share modes = no
+
+# Un-comment the following to provide a specific roaming profile share.
+# The default is to use the user's home directory:
+; [Profiles]
+; path = /var/lib/samba/profiles
+; browseable = no
+; guest ok = yes
+
+# A publicly accessible directory that is read only, except for users in the
+# "staff" group (which have write permissions):
+; [public]
+; comment = Public Stuff
+; path = /home/samba
+; public = yes
+; writable = no
+; printable = no
+; write list = +staff
diff --git a/SOURCES/smb.conf.vendor b/SOURCES/smb.conf.vendor
new file mode 100644
index 0000000..86c0aac
--- /dev/null
+++ b/SOURCES/smb.conf.vendor
@@ -0,0 +1,36 @@
+# See smb.conf.example for a more detailed config file or
+# read the smb.conf manpage.
+# Run 'testparm' to verify the config is correct after
+# you modified it.
+
+[global]
+ workgroup = SAMBA
+ security = user
+
+ passdb backend = tdbsam
+
+ printing = cups
+ printcap name = cups
+ load printers = yes
+ cups options = raw
+
+[homes]
+ comment = Home Directories
+ valid users = %S, %D%w%S
+ browseable = No
+ read only = No
+ inherit acls = Yes
+
+[printers]
+ comment = All Printers
+ path = /var/tmp
+ printable = Yes
+ create mask = 0600
+ browseable = No
+
+[print$]
+ comment = Printer Drivers
+ path = /var/lib/samba/drivers
+ write list = root
+ create mask = 0664
+ directory mask = 0775
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
new file mode 100644
index 0000000..538d62f
--- /dev/null
+++ b/SPECS/samba.spec
@@ -0,0 +1,4747 @@
+# rpmbuild --rebuild --with testsuite --without clustering samba.src.rpm
+#
+# The testsuite is disabled by default. Set --with testsuite or bcond_without
+# to run the Samba torture testsuite.
+%bcond_with testsuite
+# ctdb is enabled by default, you can disable it with: --without clustering
+%bcond_without clustering
+
+%define main_release 12
+
+%define samba_version 4.6.2
+%define talloc_version 2.1.9
+%define tdb_version 1.3.12
+%define tevent_version 0.9.31
+%define ldb_version 1.1.29
+# This should be rc1 or nil
+%define pre_release %nil
+
+%if "x%{?pre_release}" != "x"
+%define samba_release 0.%{main_release}.%{pre_release}%{?dist}
+%else
+%define samba_release %{main_release}%{?dist}
+%endif
+
+# This is a network daemon, do a hardened build
+# Enables PIE and full RELRO protection
+%global _hardened_build 1
+
+%global with_libsmbclient 1
+%global with_libwbclient 1
+
+%global with_internal_talloc 0
+%global with_internal_tevent 0
+%global with_internal_tdb 0
+%global with_internal_ldb 0
+
+%global with_profiling 1
+
+%global with_vfs_cephfs 1
+%if 0%{?rhel}
+%global with_vfs_cephfs 0
+%endif
+
+%global with_vfs_glusterfs 1
+%if 0%{?rhel}
+%global with_vfs_glusterfs 0
+# Only enable on x86_64
+%ifarch x86_64
+%global with_vfs_glusterfs 1
+%endif
+%endif
+
+%global libwbc_alternatives_version 0.13
+%global libwbc_alternatives_suffix %nil
+%if 0%{?__isa_bits} == 64
+%global libwbc_alternatives_suffix -64
+%endif
+
+%global with_mitkrb5 1
+%global with_dc 0
+
+%if %{with testsuite}
+# The testsuite only works with a full build right now.
+%global with_mitkrb5 0
+%global with_dc 1
+%endif
+
+%global required_mit_krb5 1.15.1
+
+%global with_clustering_support 0
+
+%if %{with clustering}
+%global with_clustering_support 1
+%endif
+
+%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+Name: samba
+Version: %{samba_version}
+Release: %{samba_release}
+
+%if 0%{?rhel}
+Epoch: 0
+%else
+Epoch: 2
+%endif
+
+%if 0%{?epoch} > 0
+%define samba_depver %{epoch}:%{version}-%{release}
+%else
+%define samba_depver %{version}-%{release}
+%endif
+
+Summary: Server and Client software to interoperate with Windows machines
+License: GPLv3+ and LGPLv3+
+URL: http://www.samba.org/
+
+Source0: samba-%{version}%{pre_release}.tar.xz
+Source1: samba-%{version}%{pre_release}.tar.asc
+Source2: gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+
+# Red Hat specific replacement-files
+Source10: samba.log
+Source11: smb.conf.vendor
+Source12: smb.conf.example
+Source13: pam_winbind.conf
+Source14: samba.pamd
+
+Source200: README.dc
+Source201: README.downgrade
+
+Patch0: samba-v4.6-gss_krb5_import_cred.patch
+Patch1: samba-v4.6-credentials-fix-realm.patch
+Patch2: samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
+Patch3: samba-v4-6-fix-building-with-new-glibc.patch
+Patch4: samba-v4-6-fix-cross-realm-refferals.patch
+Patch5: samba-v4-6-fix-kerberos-debug-message.patch
+Patch6: samba-v4-6-fix-net-ads-keytab-handling.patch
+Patch7: samba-v4-6-fix_winbind_child_crash.patch
+Patch8: samba-v4-6-fix_path_substitutions.patch
+Patch9: samba-v4-6-fix-spoolss-32bit-driver-upload.patch
+Patch10: CVE-2017-7494.patch
+Patch11: samba-v4-6-fix-vfs-expand-msdfs.patch
+Patch12: samba-v4.7-config-dynamic-rpc-port-range.patch
+Patch13: samba-v4-6-fix_smbclient_session_setup_info.patch
+Patch14: samba-v4-6-fix_smbclient_username_parsing.patch
+Patch15: samba-v4-6-fix_winbind_normalize_names.patch
+Patch16: samba-v4-6-fix_net_ads_changetrustpw.patch
+Patch17: samba-v4.6-fix_smbpasswd_user_pwd_change.patch
+Patch18: samba-v4.6-graceful_fsctl_validate_negotiate_info.patch
+Patch19: CVE-2017-12150.patch
+Patch20: CVE-2017-12151.patch
+Patch21: CVE-2017-12163.patch
+Patch22: CVE-2017-14746.patch
+Patch23: CVE-2017-15275.patch
+
+Requires(pre): /usr/sbin/groupadd
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+
+Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
+Requires: %{name}-common-tools = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+
+Requires: pam
+
+Provides: samba4 = %{samba_depver}
+Obsoletes: samba4 < %{samba_depver}
+
+# We don't build it outdated docs anymore
+Provides: samba-doc = %{samba_depver}
+Obsoletes: samba-doc < %{samba_depver}
+
+# Is not supported yet
+Provides: samba-domainjoin-gui = %{samba_depver}
+Obsoletes: samba-domainjoin-gui < %{samba_depver}
+
+# SWAT been deprecated and removed from samba
+Provides: samba-swat = %{samba_depver}
+Obsoletes: samba-swat < %{samba_depver}
+
+Provides: samba4-swat = %{samba_depver}
+Obsoletes: samba4-swat < %{samba_depver}
+
+BuildRequires: cups-devel
+BuildRequires: dbus-devel
+BuildRequires: docbook-style-xsl
+BuildRequires: e2fsprogs-devel
+BuildRequires: gawk
+BuildRequires: gnupg2
+BuildRequires: krb5-devel >= %{required_mit_krb5}
+BuildRequires: libacl-devel
+BuildRequires: libaio-devel
+BuildRequires: libarchive-devel
+BuildRequires: libattr-devel
+BuildRequires: libcap-devel
+BuildRequires: libuuid-devel
+BuildRequires: libxslt
+BuildRequires: ncurses-devel
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
+#BuildRequires: perl-generators
+BuildRequires: perl(Test::More)
+BuildRequires: perl(ExtUtils::MakeMaker)
+BuildRequires: perl(Parse::Yapp)
+BuildRequires: popt-devel
+BuildRequires: python-devel
+#BuildRequires: python2-pygpgme
+#BuildRequires: python2-subunit
+BuildRequires: python-tevent
+BuildRequires: quota-devel
+BuildRequires: readline-devel
+BuildRequires: sed
+BuildRequires: xfsprogs-devel
+BuildRequires: xz
+BuildRequires: zlib-devel >= 1.2.3
+
+BuildRequires: pkgconfig(libsystemd)
+
+%if %{with_vfs_glusterfs}
+BuildRequires: glusterfs-api-devel >= 3.4.0.16
+BuildRequires: glusterfs-devel >= 3.4.0.16
+%endif
+%if %{with_vfs_cephfs}
+BuildRequires: libcephfs1-devel
+%endif
+%if %{with_dc}
+BuildRequires: gnutls-devel >= 3.4.7
+# Required by samba-tool to run tests
+BuildRequires: python-crypto
+%endif
+
+# pidl requirements
+BuildRequires: perl(Parse::Yapp)
+
+%if ! %with_internal_talloc
+%global libtalloc_version 2.1.9
+
+BuildRequires: libtalloc-devel >= %{libtalloc_version}
+BuildRequires: pytalloc-devel >= %{libtalloc_version}
+%endif
+
+%if ! %with_internal_tevent
+%global libtevent_version 0.9.31
+
+BuildRequires: libtevent-devel >= %{libtevent_version}
+BuildRequires: python-tevent >= %{libtevent_version}
+%endif
+
+%if ! %with_internal_ldb
+%global libldb_version 1.1.29
+
+BuildRequires: libldb-devel >= %{libldb_version}
+BuildRequires: pyldb-devel >= %{libldb_version}
+%endif
+
+%if ! %with_internal_tdb
+%global libtdb_version 1.3.12
+
+BuildRequires: libtdb-devel >= %{libtdb_version}
+BuildRequires: python-tdb >= %{libtdb_version}
+%endif
+
+%if %{with testsuite}
+BuildRequires: ldb-tools
+BuildRequires: libcmocka-devel
+BuildRequires: python2-pygpgme
+%endif
+
+# filter out perl requirements pulled in from examples in the docdir.
+%{?filter_setup:
+%filter_provides_in %{_docdir}
+%filter_requires_in %{_docdir}
+%filter_setup
+}
+
+### SAMBA
+%description
+Samba is the standard Windows interoperability suite of programs for Linux and
+Unix.
+
+### CLIENT
+%package client
+Summary: Samba client programs
+Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+%if %with_libsmbclient
+Requires: libsmbclient = %{samba_depver}
+%endif
+
+Provides: samba4-client = %{samba_depver}
+Obsoletes: samba4-client < %{samba_depver}
+
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+
+%description client
+The %{name}-client package provides some SMB/CIFS clients to complement
+the built-in SMB/CIFS filesystem in Linux. These clients allow access
+of SMB/CIFS shares and printing to SMB/CIFS printers.
+
+### CLIENT-LIBS
+%package client-libs
+Summary: Samba client libraries
+Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+Requires: krb5-libs >= %{required_mit_krb5}
+
+%description client-libs
+The samba-client-libs package contains internal libraries needed by the
+SMB/CIFS clients.
+
+### COMMON
+%package common
+Summary: Files used by both Samba servers and clients
+BuildArch: noarch
+
+Requires(post): systemd
+
+Provides: samba4-common = %{samba_depver}
+Obsoletes: samba4-common < %{samba_depver}
+
+%description common
+samba-common provides files necessary for both the server and client
+packages of Samba.
+
+### COMMON-LIBS
+%package common-libs
+Summary: Libraries used by both Samba servers and clients
+Requires(pre): samba-common = %{samba_depver}
+Requires: samba-common = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+
+%description common-libs
+The samba-common-libs package contains internal libraries needed by the
+SMB/CIFS clients.
+
+### COMMON-TOOLS
+%package common-tools
+Summary: Tools for Samba servers and clients
+Requires: samba-common-libs = %{samba_depver}
+Requires: samba-client-libs = %{samba_depver}
+Requires: samba-libs = %{samba_depver}
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+
+%description common-tools
+The samba-common-tools package contains tools for Samba servers and
+SMB/CIFS clients.
+
+### DC
+%package dc
+Summary: Samba AD Domain Controller
+Requires: %{name} = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-dc-libs = %{samba_depver}
+Requires: %{name}-python = %{samba_depver}
+Requires: %{name}-winbind = %{samba_depver}
+%if %{with_dc}
+# samba-tool requirements
+Requires: python-crypto
+%endif
+
+Provides: samba4-dc = %{samba_depver}
+Obsoletes: samba4-dc < %{samba_depver}
+
+%description dc
+The samba-dc package provides AD Domain Controller functionality
+
+### DC-LIBS
+%package dc-libs
+Summary: Samba AD Domain Controller Libraries
+Requires: %{name}-common-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+
+Provides: samba4-dc-libs = %{samba_depver}
+Obsoletes: samba4-dc-libs < %{samba_depver}
+
+%description dc-libs
+The %{name}-dc-libs package contains the libraries needed by the DC to
+link against the SMB, RPC and other protocols.
+
+### DEVEL
+%package devel
+Summary: Developer tools for Samba libraries
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+
+Provides: samba4-devel = %{samba_depver}
+Obsoletes: samba4-devel < %{samba_depver}
+
+%description devel
+The %{name}-devel package contains the header files for the libraries
+needed to develop programs that link against the SMB, RPC and other
+libraries in the Samba suite.
+
+### CEPH
+%if %{with_vfs_cephfs}
+%package vfs-cephfs
+Summary: Samba VFS module for Ceph distributed storage system
+Requires: libcephfs1
+Requires: %{name} = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+
+%description vfs-cephfs
+Samba VFS module for Ceph distributed storage system integration.
+%endif
+
+### GLUSTER
+%if %{with_vfs_glusterfs}
+%package vfs-glusterfs
+Summary: Samba VFS module for GlusterFS
+Requires: glusterfs-api >= 3.4.0.16
+Requires: glusterfs >= 3.4.0.16
+Requires: %{name} = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+
+Obsoletes: samba-glusterfs < %{samba_depver}
+Provides: samba-glusterfs = %{samba_depver}
+
+%description vfs-glusterfs
+Samba VFS module for GlusterFS integration.
+%endif
+
+### KRB5-PRINTING
+%package krb5-printing
+Summary: Samba CUPS backend for printing with Kerberos
+Requires(pre): %{name}-client
+Requires: %{name}-client
+
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+
+%description krb5-printing
+If you need Kerberos for print jobs to a printer connection to cups via the SMB
+backend, then you need to install that package. It will allow cups to access
+the Kerberos credentials cache of the user issuing the print job.
+
+### LIBS
+%package libs
+Summary: Samba libraries
+Requires: %{name}-client-libs = %{samba_depver}
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+
+Provides: samba4-libs = %{samba_depver}
+Obsoletes: samba4-libs < %{samba_depver}
+
+%description libs
+The %{name}-libs package contains the libraries needed by programs that link
+against the SMB, RPC and other protocols provided by the Samba suite.
+
+### LIBSMBCLIENT
+%if %with_libsmbclient
+%package -n libsmbclient
+Summary: The SMB client library
+Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+
+%description -n libsmbclient
+The libsmbclient contains the SMB client library from the Samba suite.
+
+%package -n libsmbclient-devel
+Summary: Developer tools for the SMB client library
+Requires: libsmbclient = %{samba_depver}
+
+%description -n libsmbclient-devel
+The libsmbclient-devel package contains the header files and libraries needed
+to develop programs that link against the SMB client library in the Samba
+suite.
+%endif # with_libsmbclient
+
+### LIBWBCLIENT
+%if %with_libwbclient
+%package -n libwbclient
+Summary: The winbind client library
+Requires: %{name}-client-libs = %{samba_depver}
+
+%description -n libwbclient
+The libwbclient package contains the winbind client library from the Samba
+suite.
+
+%package -n libwbclient-devel
+Summary: Developer tools for the winbind library
+Requires: libwbclient = %{samba_depver}
+
+Provides: samba-winbind-devel = %{samba_depver}
+Obsoletes: samba-winbind-devel < %{samba_depver}
+
+%description -n libwbclient-devel
+The libwbclient-devel package provides developer tools for the wbclient
+library.
+%endif # with_libwbclient
+
+### PYTHON
+%package python
+Summary: Samba Python libraries
+Requires: %{name} = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+Requires: python-tevent
+Requires: python-tdb
+Requires: pyldb
+Requires: pytalloc
+
+Provides: samba4-python = %{samba_depver}
+Obsoletes: samba4-python < %{samba_depver}
+
+%description python
+The %{name}-python package contains the Python libraries needed by programs
+that use SMB, RPC and other Samba provided protocols in Python programs.
+
+### PIDL
+%package pidl
+Summary: Perl IDL compiler
+Requires: perl(Parse::Yapp)
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+BuildArch: noarch
+
+Provides: samba4-pidl = %{samba_depver}
+Obsoletes: samba4-pidl < %{samba_depver}
+
+%description pidl
+The %{name}-pidl package contains the Perl IDL compiler used by Samba
+and Wireshark to parse IDL and similar protocols
+
+### TEST
+%package test
+Summary: Testing tools for Samba servers and clients
+Requires: %{name} = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-winbind = %{samba_depver}
+
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-test-libs = %{samba_depver}
+%if %with_dc
+Requires: %{name}-dc-libs = %{samba_depver}
+%endif
+Requires: %{name}-libs = %{samba_depver}
+%if %with_libsmbclient
+Requires: libsmbclient = %{samba_depver}
+%endif
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+
+Provides: samba4-test = %{samba_depver}
+Obsoletes: samba4-test < %{samba_depver}
+
+%description test
+%{name}-test provides testing tools for both the server and client
+packages of Samba.
+
+### TEST-LIBS
+%package test-libs
+Summary: Libraries need by the testing tools for Samba servers and clients
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+
+Provides: %{name}-test-devel = %{samba_depver}
+Obsoletes: %{name}-test-devel < %{samba_depver}
+
+%description test-libs
+%{name}-test-libs provides libraries required by the testing tools.
+
+### WINBIND
+%package winbind
+Summary: Samba winbind
+Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
+Requires: %{name}-common-tools = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-winbind-modules = %{samba_depver}
+
+Provides: samba4-winbind = %{samba_depver}
+Obsoletes: samba4-winbind < %{samba_depver}
+
+%description winbind
+The samba-winbind package provides the winbind NSS library, and some client
+tools. Winbind enables Linux to be a full member in Windows domains and to use
+Windows user and group accounts on Linux.
+
+### WINBIND-CLIENTS
+%package winbind-clients
+Summary: Samba winbind clients
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-winbind = %{samba_depver}
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+
+Provides: samba4-winbind-clients = %{samba_depver}
+Obsoletes: samba4-winbind-clients < %{samba_depver}
+
+%description winbind-clients
+The samba-winbind-clients package provides the wbinfo and ntlm_auth
+tool.
+
+### WINBIND-KRB5-LOCATOR
+%package winbind-krb5-locator
+Summary: Samba winbind krb5 locator
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+Requires: %{name}-winbind = %{samba_depver}
+%else
+Requires: %{name}-libs = %{samba_depver}
+%endif
+
+Provides: samba4-winbind-krb5-locator = %{samba_depver}
+Obsoletes: samba4-winbind-krb5-locator < %{samba_depver}
+
+# Handle winbind_krb5_locator.so as alternatives to allow
+# IPA AD trusts case where it should not be used by libkrb5
+# The plugin will be diverted to /dev/null by the FreeIPA
+# freeipa-server-trust-ad subpackage due to higher priority
+# and restored to the proper one on uninstall
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
+
+%description winbind-krb5-locator
+The winbind krb5 locator is a plugin for the system kerberos library to allow
+the local kerberos library to use the same KDC as samba and winbind use
+
+### WINBIND-MODULES
+%package winbind-modules
+Summary: Samba winbind modules
+Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+%if %with_libwbclient
+Requires: libwbclient = %{samba_depver}
+%endif
+Requires: pam
+
+%description winbind-modules
+The samba-winbind-modules package provides the NSS library and a PAM module
+necessary to communicate to the Winbind Daemon
+
+### CTDB
+%if %with_clustering_support
+%package -n ctdb
+Summary: A Clustered Database based on Samba's Trivial Database (TDB)
+
+Requires: %{name}-client-libs = %{samba_depver}
+
+Requires: coreutils
+Requires: fileutils
+# for ps and killall
+Requires: psmisc
+Requires: sed
+Requires: tdb-tools
+Requires: gawk
+# for pkill and pidof:
+Requires: procps-ng
+# for netstat:
+Requires: net-tools
+Requires: ethtool
+# for ip:
+Requires: iproute
+Requires: iptables
+# for flock, getopt, kill:
+Requires: util-linux
+
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+%description -n ctdb
+CTDB is a cluster implementation of the TDB database used by Samba and other
+projects to store temporary data. If an application is already using TDB for
+temporary data it is very easy to convert that application to be cluster aware
+and use CTDB instead.
+
+### CTDB-TEST
+%package -n ctdb-tests
+Summary: CTDB clustered database test suite
+
+Requires: samba-client-libs = %{samba_depver}
+
+Requires: ctdb = %{samba_depver}
+Requires: nc
+
+Provides: ctdb-devel = %{samba_depver}
+Obsoletes: ctdb-devel < %{samba_depver}
+
+%description -n ctdb-tests
+Test suite for CTDB.
+CTDB is a cluster implementation of the TDB database used by Samba and other
+projects to store temporary data. If an application is already using TDB for
+temporary data it is very easy to convert that application to be cluster aware
+and use CTDB instead.
+%endif # with_clustering_support
+
+
+
+%prep
+xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
+%autosetup -n samba-%{version}%{pre_release} -p1
+
+%build
+%global _talloc_lib ,talloc,pytalloc,pytalloc-util
+%global _tevent_lib ,tevent,pytevent
+%global _tdb_lib ,tdb,pytdb
+%global _ldb_lib ,ldb,pyldb,pyldb-util
+
+%if ! %{with_internal_talloc}
+%global _talloc_lib ,!talloc,!pytalloc,!pytalloc-util
+%endif
+
+%if ! %{with_internal_tevent}
+%global _tevent_lib ,!tevent,!pytevent
+%endif
+
+%if ! %{with_internal_tdb}
+%global _tdb_lib ,!tdb,!pytdb
+%endif
+
+%if ! %{with_internal_ldb}
+%global _ldb_lib ,!ldb,!pyldb,!pyldb-util
+%endif
+
+%global _samba4_libraries heimdal,!zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib}
+
+%global _samba4_idmap_modules idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2
+%global _samba4_pdb_modules pdb_tdbsam,pdb_ldap,pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4
+%global _samba4_auth_modules auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4
+
+%global _samba4_modules %{_samba4_idmap_modules},%{_samba4_pdb_modules},%{_samba4_auth_modules}
+
+%global _libsmbclient %nil
+%global _libwbclient %nil
+
+%if ! %with_libsmbclient
+%global _libsmbclient smbclient,
+%endif
+
+%if ! %with_libwbclient
+%global _libwbclient wbclient,
+%endif
+
+%global _samba4_private_libraries %{_libsmbclient}%{_libwbclient}
+
+%configure \
+ --enable-fhs \
+ --with-piddir=/run \
+ --with-sockets-dir=/run/samba \
+ --with-modulesdir=%{_libdir}/samba \
+ --with-pammodulesdir=%{_libdir}/security \
+ --with-lockdir=/var/lib/samba/lock \
+ --with-statedir=/var/lib/samba \
+ --with-cachedir=/var/lib/samba \
+ --disable-rpath-install \
+ --with-shared-modules=%{_samba4_modules} \
+ --bundled-libraries=%{_samba4_libraries} \
+ --with-pam \
+ --with-pie \
+ --with-relro \
+ --without-fam \
+%if (! %with_libsmbclient) || (! %with_libwbclient)
+ --private-libraries=%{_samba4_private_libraries} \
+%endif
+%if %with_mitkrb5
+ --with-system-mitkrb5 \
+%endif
+%if ! %with_dc
+ --without-ad-dc \
+%endif
+%if ! %with_vfs_glusterfs
+ --disable-glusterfs \
+%endif
+%if %with_clustering_support
+ --with-cluster-support \
+%endif
+%if %with_profiling
+ --with-profiling-data \
+%endif
+%if %{with testsuite}
+ --enable-selftest \
+%endif
+ --with-systemd
+
+make %{?_smp_mflags}
+
+%install
+rm -rf %{buildroot}
+make %{?_smp_mflags} install DESTDIR=%{buildroot}
+
+install -d -m 0755 %{buildroot}/usr/{sbin,bin}
+install -d -m 0755 %{buildroot}%{_libdir}/security
+install -d -m 0755 %{buildroot}/var/lib/samba
+install -d -m 0755 %{buildroot}/var/lib/samba/drivers
+install -d -m 0755 %{buildroot}/var/lib/samba/lock
+install -d -m 0755 %{buildroot}/var/lib/samba/private
+install -d -m 0755 %{buildroot}/var/lib/samba/scripts
+install -d -m 0755 %{buildroot}/var/lib/samba/sysvol
+install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged
+install -d -m 0755 %{buildroot}/var/log/samba/old
+install -d -m 0755 %{buildroot}/var/spool/samba
+install -d -m 0755 %{buildroot}/var/run/samba
+install -d -m 0755 %{buildroot}/var/run/winbindd
+install -d -m 0755 %{buildroot}/%{_libdir}/samba
+install -d -m 0755 %{buildroot}/%{_libdir}/samba/ldb
+install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig
+
+# Move libwbclient.so* into private directory, it cannot be just libdir/samba
+# because samba uses rpath with this directory.
+install -d -m 0755 %{buildroot}/%{_libdir}/samba/wbclient
+mv %{buildroot}/%{_libdir}/libwbclient.so* %{buildroot}/%{_libdir}/samba/wbclient
+if [ ! -f %{buildroot}/%{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} ]
+then
+ echo "Expected libwbclient version not found, please check if version has changed."
+ exit -1
+fi
+
+
+touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb
+
+# Install other stuff
+install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/logrotate.d/samba
+
+install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/samba/smb.conf
+install -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/samba/smb.conf.example
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/security
+install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/pam.d
+install -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/samba
+
+echo 127.0.0.1 localhost > %{buildroot}%{_sysconfdir}/samba/lmhosts
+
+# openLDAP database schema
+install -d -m 0755 %{buildroot}%{_sysconfdir}/openldap/schema
+install -m644 examples/LDAP/samba.schema %{buildroot}%{_sysconfdir}/openldap/schema/samba.schema
+
+install -m 0744 packaging/printing/smbprint %{buildroot}%{_bindir}/smbprint
+
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m644 packaging/systemd/samba.conf.tmp %{buildroot}%{_tmpfilesdir}/samba.conf
+# create /run/samba too.
+echo "d /run/samba 755 root root" >> %{buildroot}%{_tmpfilesdir}/samba.conf
+%if %with_clustering_support
+echo "d /run/ctdb 755 root root" >> %{buildroot}%{_tmpfilesdir}/ctdb.conf
+%endif
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
+install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba
+%if %with_clustering_support
+cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb <<EOF
+# CTDB configuration is now in %{_sysconfdir}/ctdb/ctdbd.conf
+EOF
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/ctdb
+install -m 0644 ctdb/config/ctdbd.conf %{buildroot}%{_sysconfdir}/ctdb/ctdbd.conf
+%endif
+
+install -m 0644 %{SOURCE201} packaging/README.downgrade
+
+%if ! %with_dc
+install -m 0644 %{SOURCE200} packaging/README.dc
+install -m 0644 %{SOURCE200} packaging/README.dc-libs
+%endif
+
+install -d -m 0755 %{buildroot}%{_unitdir}
+for i in nmb smb winbind ; do
+ cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba@g' >tmp$i.service
+ install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
+done
+%if %with_clustering_support
+install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
+%endif
+
+# NetworkManager online/offline script
+install -d -m 0755 %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/
+install -m 0755 packaging/NetworkManager/30-winbind-systemd \
+ %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind
+
+# winbind krb5 locator
+install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
+%if ! %with_dc
+for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \
+ %{_libdir}/samba/libdnsserver-common-samba4.so \
+ %{_mandir}/man8/samba.8 \
+ %{_mandir}/man8/samba-tool.8 \
+ %{_libdir}/samba/ldb/ildap.so \
+ %{_libdir}/samba/ldb/ldbsamba_extensions.so ; do
+ rm -f %{buildroot}$i
+done
+%endif
+
+# This makes the right links, as rpmlint requires that
+# the ldconfig-created links be recorded in the RPM.
+/sbin/ldconfig -N -n %{buildroot}%{_libdir}
+
+%if %{with testsuite}
+%check
+TDB_NO_FSYNC=1 make %{?_smp_mflags} test
+%endif
+
+%post
+%systemd_post smb.service
+%systemd_post nmb.service
+
+%preun
+%systemd_preun smb.service
+%systemd_preun nmb.service
+
+%postun
+%systemd_postun_with_restart smb.service
+%systemd_postun_with_restart nmb.service
+
+%post common
+/sbin/ldconfig
+/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/samba.conf
+if [ -d /var/cache/samba ]; then
+ mv /var/cache/samba/netsamlogon_cache.tdb /var/lib/samba/ 2>/dev/null
+ mv /var/cache/samba/winbindd_cache.tdb /var/lib/samba/ 2>/dev/null
+ rm -rf /var/cache/samba/
+ ln -sf /var/cache/samba /var/lib/samba/
+fi
+
+%post client
+%{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \
+ cups_backend_smb \
+ %{_bindir}/smbspool 10
+
+%postun client
+if [ $1 -eq 0 ] ; then
+ %{_sbindir}/update-alternatives --remove cups_backend_smb %{_bindir}/smbspool
+fi
+
+%post client-libs -p /sbin/ldconfig
+
+%postun client-libs -p /sbin/ldconfig
+
+%post common-libs -p /sbin/ldconfig
+
+%postun common-libs -p /sbin/ldconfig
+
+%if %with_dc
+%post dc-libs -p /sbin/ldconfig
+
+%postun dc-libs -p /sbin/ldconfig
+%endif
+
+%post krb5-printing
+%{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \
+ cups_backend_smb \
+ %{_libexecdir}/samba/smbspool_krb5_wrapper 50
+
+%postun krb5-printing
+if [ $1 -eq 0 ] ; then
+ %{_sbindir}/update-alternatives --remove cups_backend_smb %{_libexecdir}/samba/smbspool_krb5_wrapper
+fi
+
+%post libs -p /sbin/ldconfig
+
+%postun libs -p /sbin/ldconfig
+
+%if %with_libsmbclient
+%post -n libsmbclient -p /sbin/ldconfig
+
+%postun -n libsmbclient -p /sbin/ldconfig
+%endif
+
+%if %with_libwbclient
+%posttrans -n libwbclient
+# It has to be posttrans here to make sure all files of a previous version
+# without alternatives support are removed
+%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
+ libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} 10
+/sbin/ldconfig
+
+%preun -n libwbclient
+%{_sbindir}/update-alternatives --remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version}
+/sbin/ldconfig
+
+%posttrans -n libwbclient-devel
+%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \
+ libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so 10
+
+%preun -n libwbclient-devel
+# alternatives checks if the file which should be removed is a link or not, but
+# not if it points to the /etc/alternatives directory or to some other place.
+# When downgrading to a version where alternatives is not used and
+# libwbclient.so is a link and not a file it will be removed. The following
+# check removes the alternatives files manually if that is the case.
+if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
+ /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
+else
+ %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so
+fi
+
+%endif # with_libwbclient
+
+%post test -p /sbin/ldconfig
+
+%postun test -p /sbin/ldconfig
+
+%pre winbind
+/usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || :
+
+%post winbind
+%systemd_post winbind.service
+
+%preun winbind
+%systemd_preun winbind.service
+
+%postun winbind
+%systemd_postun_with_restart smb.service
+%systemd_postun_with_restart nmb.service
+
+%postun winbind-krb5-locator
+if [ "$1" -ge "1" ]; then
+ if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "%{_libdir}/winbind_krb5_locator.so" ]; then
+ %{_sbindir}/update-alternatives --set winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so
+ fi
+fi
+
+%post winbind-krb5-locator
+%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+ winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so 10
+
+%preun winbind-krb5-locator
+if [ $1 -eq 0 ]; then
+ %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so
+fi
+
+%post winbind-modules -p /sbin/ldconfig
+
+%postun winbind-modules -p /sbin/ldconfig
+
+%if %with_clustering_support
+%post -n ctdb
+/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/ctdb.conf
+%systemd_post ctdb.service
+
+%preun -n ctdb
+%systemd_preun ctdb.service
+
+%postun -n ctdb
+%systemd_postun_with_restart ctdb.service
+%endif
+
+
+%clean
+rm -rf %{buildroot}
+
+### SAMBA
+%files
+%defattr(-,root,root,-)
+%license COPYING
+%doc README WHATSNEW.txt
+%doc examples/autofs examples/LDAP examples/misc
+%doc examples/printer-accounting examples/printing
+%doc packaging/README.downgrade
+%{_bindir}/smbstatus
+%{_bindir}/eventlogadm
+%{_sbindir}/nmbd
+%{_sbindir}/smbd
+%dir %{_libdir}/samba/auth
+%{_libdir}/samba/auth/script.so
+%{_libdir}/samba/auth/unix.so
+%{_libdir}/samba/auth/wbc.so
+%dir %{_libdir}/samba/vfs
+%{_libdir}/samba/vfs/acl_tdb.so
+%{_libdir}/samba/vfs/acl_xattr.so
+%{_libdir}/samba/vfs/aio_fork.so
+%{_libdir}/samba/vfs/aio_linux.so
+%{_libdir}/samba/vfs/aio_pthread.so
+%{_libdir}/samba/vfs/audit.so
+%{_libdir}/samba/vfs/btrfs.so
+%{_libdir}/samba/vfs/cap.so
+%{_libdir}/samba/vfs/catia.so
+%{_libdir}/samba/vfs/commit.so
+%{_libdir}/samba/vfs/crossrename.so
+%{_libdir}/samba/vfs/default_quota.so
+%{_libdir}/samba/vfs/dirsort.so
+%{_libdir}/samba/vfs/expand_msdfs.so
+%{_libdir}/samba/vfs/extd_audit.so
+%{_libdir}/samba/vfs/fake_perms.so
+%{_libdir}/samba/vfs/fileid.so
+%{_libdir}/samba/vfs/fruit.so
+%{_libdir}/samba/vfs/full_audit.so
+%{_libdir}/samba/vfs/linux_xfs_sgid.so
+%{_libdir}/samba/vfs/media_harmony.so
+%{_libdir}/samba/vfs/netatalk.so
+%{_libdir}/samba/vfs/offline.so
+%{_libdir}/samba/vfs/preopen.so
+%{_libdir}/samba/vfs/readahead.so
+%{_libdir}/samba/vfs/readonly.so
+%{_libdir}/samba/vfs/recycle.so
+%{_libdir}/samba/vfs/shadow_copy.so
+%{_libdir}/samba/vfs/shadow_copy2.so
+%{_libdir}/samba/vfs/shell_snap.so
+%{_libdir}/samba/vfs/snapper.so
+%{_libdir}/samba/vfs/streams_depot.so
+%{_libdir}/samba/vfs/streams_xattr.so
+%{_libdir}/samba/vfs/syncops.so
+%{_libdir}/samba/vfs/time_audit.so
+%{_libdir}/samba/vfs/unityed_media.so
+%{_libdir}/samba/vfs/worm.so
+%{_libdir}/samba/vfs/xattr_tdb.so
+
+%{_unitdir}/nmb.service
+%{_unitdir}/smb.service
+%attr(1777,root,root) %dir /var/spool/samba
+%dir %{_sysconfdir}/openldap/schema
+%config %{_sysconfdir}/openldap/schema/samba.schema
+%config(noreplace) %{_sysconfdir}/pam.d/samba
+%{_mandir}/man1/smbstatus.1*
+%{_mandir}/man8/eventlogadm.8*
+%{_mandir}/man8/smbd.8*
+%{_mandir}/man8/nmbd.8*
+%{_mandir}/man8/vfs_acl_tdb.8*
+%{_mandir}/man8/vfs_acl_xattr.8*
+%{_mandir}/man8/vfs_aio_fork.8*
+%{_mandir}/man8/vfs_aio_linux.8*
+%{_mandir}/man8/vfs_aio_pthread.8*
+%{_mandir}/man8/vfs_audit.8*
+%{_mandir}/man8/vfs_btrfs.8*
+%{_mandir}/man8/vfs_cacheprime.8*
+%{_mandir}/man8/vfs_cap.8*
+%{_mandir}/man8/vfs_catia.8*
+%{_mandir}/man8/vfs_commit.8*
+%{_mandir}/man8/vfs_crossrename.8*
+%{_mandir}/man8/vfs_default_quota.8*
+%{_mandir}/man8/vfs_dirsort.8*
+%{_mandir}/man8/vfs_extd_audit.8*
+%{_mandir}/man8/vfs_fake_perms.8*
+%{_mandir}/man8/vfs_fileid.8*
+%{_mandir}/man8/vfs_fruit.8*
+%{_mandir}/man8/vfs_full_audit.8*
+%{_mandir}/man8/vfs_gpfs.8*
+%{_mandir}/man8/vfs_linux_xfs_sgid.8*
+%{_mandir}/man8/vfs_media_harmony.8*
+%{_mandir}/man8/vfs_netatalk.8*
+%{_mandir}/man8/vfs_offline.8*
+%{_mandir}/man8/vfs_prealloc.8*
+%{_mandir}/man8/vfs_preopen.8*
+%{_mandir}/man8/vfs_readahead.8*
+%{_mandir}/man8/vfs_readonly.8*
+%{_mandir}/man8/vfs_recycle.8*
+%{_mandir}/man8/vfs_shadow_copy.8*
+%{_mandir}/man8/vfs_shadow_copy2.8*
+%{_mandir}/man8/vfs_shell_snap.8*
+%{_mandir}/man8/vfs_snapper.8*
+%{_mandir}/man8/vfs_streams_depot.8*
+%{_mandir}/man8/vfs_streams_xattr.8*
+%{_mandir}/man8/vfs_syncops.8*
+%{_mandir}/man8/vfs_time_audit.8*
+%{_mandir}/man8/vfs_tsmsm.8*
+%{_mandir}/man8/vfs_unityed_media.8*
+%{_mandir}/man8/vfs_worm.8*
+%{_mandir}/man8/vfs_xattr_tdb.8*
+
+%if ! %{with_vfs_glusterfs}
+%exclude %{_mandir}/man8/vfs_glusterfs.8*
+%endif
+
+%if ! %{with_vfs_cephfs}
+%exclude %{_mandir}/man8/vfs_ceph.8*
+%endif
+
+%dir /var/lib/samba/drivers
+%dir /var/lib/samba/lock
+
+### CLIENT
+%files client
+%defattr(-,root,root)
+%{_bindir}/cifsdd
+%{_bindir}/dbwrap_tool
+%{_bindir}/findsmb
+%{_bindir}/nmblookup
+%{_bindir}/oLschema2ldif
+%{_bindir}/mvxattr
+%{_bindir}/regdiff
+%{_bindir}/regpatch
+%{_bindir}/regshell
+%{_bindir}/regtree
+%{_bindir}/rpcclient
+%{_bindir}/samba-regedit
+%{_bindir}/sharesec
+%{_bindir}/smbcacls
+%{_bindir}/smbclient
+%{_bindir}/smbcquotas
+%{_bindir}/smbget
+%{_bindir}/smbprint
+%{_bindir}/smbspool
+%{_bindir}/smbtar
+%{_bindir}/smbtree
+%dir %{_libexecdir}/samba
+%ghost %{_libexecdir}/samba/cups_backend_smb
+%{_mandir}/man1/dbwrap_tool.1*
+%{_mandir}/man1/nmblookup.1*
+%{_mandir}/man1/oLschema2ldif.1*
+%{_mandir}/man1/regdiff.1*
+%{_mandir}/man1/regpatch.1*
+%{_mandir}/man1/regshell.1*
+%{_mandir}/man1/regtree.1*
+%{_mandir}/man1/findsmb.1*
+%{_mandir}/man1/log2pcap.1*
+%{_mandir}/man1/mvxattr.1*
+%{_mandir}/man1/rpcclient.1*
+%{_mandir}/man1/sharesec.1*
+%{_mandir}/man1/smbcacls.1*
+%{_mandir}/man1/smbclient.1*
+%{_mandir}/man1/smbcquotas.1*
+%{_mandir}/man1/smbget.1*
+%{_mandir}/man5/smbgetrc.5*
+%{_mandir}/man1/smbtar.1*
+%{_mandir}/man1/smbtree.1*
+%{_mandir}/man8/cifsdd.8.*
+%{_mandir}/man8/samba-regedit.8*
+%{_mandir}/man8/smbspool.8*
+
+%if %{with_internal_tdb}
+%{_bindir}/tdbbackup
+%{_bindir}/tdbdump
+%{_bindir}/tdbrestore
+%{_bindir}/tdbtool
+%{_mandir}/man8/tdbbackup.8*
+%{_mandir}/man8/tdbdump.8*
+%{_mandir}/man8/tdbrestore.8*
+%{_mandir}/man8/tdbtool.8*
+%endif
+
+%if %with_internal_ldb
+%{_bindir}/ldbadd
+%{_bindir}/ldbdel
+%{_bindir}/ldbedit
+%{_bindir}/ldbmodify
+%{_bindir}/ldbrename
+%{_bindir}/ldbsearch
+%{_libdir}/samba/libldb-cmdline-samba4.so
+%{_libdir}/samba/ldb/asq.so
+%{_libdir}/samba/ldb/paged_results.so
+%{_libdir}/samba/ldb/paged_searches.so
+%{_libdir}/samba/ldb/rdn_name.so
+%{_libdir}/samba/ldb/sample.so
+%{_libdir}/samba/ldb/server_sort.so
+%{_libdir}/samba/ldb/skel.so
+%{_libdir}/samba/ldb/tdb.so
+%{_mandir}/man1/ldbadd.1.gz
+%{_mandir}/man1/ldbdel.1.gz
+%{_mandir}/man1/ldbedit.1.gz
+%{_mandir}/man1/ldbmodify.1.gz
+%{_mandir}/man1/ldbrename.1.gz
+%{_mandir}/man1/ldbsearch.1.gz
+%endif
+
+### CLIENT-LIBS
+%files client-libs
+%defattr(-,root,root)
+%{_libdir}/libdcerpc-binding.so.*
+%{_libdir}/libndr.so.*
+%{_libdir}/libndr-krb5pac.so.*
+%{_libdir}/libndr-nbt.so.*
+%{_libdir}/libndr-standard.so.*
+%{_libdir}/libnetapi.so.*
+%{_libdir}/libsamba-credentials.so.*
+%{_libdir}/libsamba-errors.so.*
+%{_libdir}/libsamba-passdb.so.*
+%{_libdir}/libsamba-util.so.*
+%{_libdir}/libsamba-hostconfig.so.*
+%{_libdir}/libsamdb.so.*
+%{_libdir}/libsmbconf.so.*
+%{_libdir}/libsmbldap.so.*
+%{_libdir}/libtevent-util.so.*
+%{_libdir}/libdcerpc.so.*
+
+%dir %{_libdir}/samba
+%{_libdir}/samba/libCHARSET3-samba4.so
+%{_libdir}/samba/libaddns-samba4.so
+%{_libdir}/samba/libads-samba4.so
+%{_libdir}/samba/libasn1util-samba4.so
+%{_libdir}/samba/libauth-sam-reply-samba4.so
+%{_libdir}/samba/libauth-samba4.so
+%{_libdir}/samba/libauthkrb5-samba4.so
+%{_libdir}/samba/libcli-cldap-samba4.so
+%{_libdir}/samba/libcli-ldap-common-samba4.so
+%{_libdir}/samba/libcli-ldap-samba4.so
+%{_libdir}/samba/libcli-nbt-samba4.so
+%{_libdir}/samba/libcli-smb-common-samba4.so
+%{_libdir}/samba/libcli-spoolss-samba4.so
+%{_libdir}/samba/libcliauth-samba4.so
+%{_libdir}/samba/libcmdline-credentials-samba4.so
+%{_libdir}/samba/libdbwrap-samba4.so
+%{_libdir}/samba/libdcerpc-samba-samba4.so
+%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
+%{_libdir}/samba/libevents-samba4.so
+%{_libdir}/samba/libflag-mapping-samba4.so
+%{_libdir}/samba/libgenrand-samba4.so
+%{_libdir}/samba/libgensec-samba4.so
+%{_libdir}/samba/libgpo-samba4.so
+%{_libdir}/samba/libgse-samba4.so
+%{_libdir}/samba/libhttp-samba4.so
+%{_libdir}/samba/libinterfaces-samba4.so
+%{_libdir}/samba/libiov-buf-samba4.so
+%{_libdir}/samba/libkrb5samba-samba4.so
+%{_libdir}/samba/libldbsamba-samba4.so
+%{_libdir}/samba/liblibcli-lsa3-samba4.so
+%{_libdir}/samba/liblibcli-netlogon3-samba4.so
+%{_libdir}/samba/liblibsmb-samba4.so
+%{_libdir}/samba/libmessages-dgm-samba4.so
+%{_libdir}/samba/libmessages-util-samba4.so
+%{_libdir}/samba/libmsghdr-samba4.so
+%{_libdir}/samba/libmsrpc3-samba4.so
+%{_libdir}/samba/libndr-samba-samba4.so
+%{_libdir}/samba/libndr-samba4.so
+%{_libdir}/samba/libnet-keytab-samba4.so
+%{_libdir}/samba/libnetif-samba4.so
+%{_libdir}/samba/libnpa-tstream-samba4.so
+%{_libdir}/samba/libposix-eadb-samba4.so
+%{_libdir}/samba/libprinting-migrate-samba4.so
+%{_libdir}/samba/libreplace-samba4.so
+%{_libdir}/samba/libregistry-samba4.so
+%{_libdir}/samba/libsamba-cluster-support-samba4.so
+%{_libdir}/samba/libsamba-debug-samba4.so
+%{_libdir}/samba/libsamba-modules-samba4.so
+%{_libdir}/samba/libsamba-security-samba4.so
+%{_libdir}/samba/libsamba-sockets-samba4.so
+%{_libdir}/samba/libsamba3-util-samba4.so
+%{_libdir}/samba/libsamdb-common-samba4.so
+%{_libdir}/samba/libsecrets3-samba4.so
+%{_libdir}/samba/libserver-id-db-samba4.so
+%{_libdir}/samba/libserver-role-samba4.so
+%{_libdir}/samba/libsmb-transport-samba4.so
+%{_libdir}/samba/libsmbclient-raw-samba4.so
+%{_libdir}/samba/libsmbd-base-samba4.so
+%{_libdir}/samba/libsmbd-conn-samba4.so
+%{_libdir}/samba/libsmbd-shim-samba4.so
+%{_libdir}/samba/libsmbldaphelper-samba4.so
+%{_libdir}/samba/libsys-rw-samba4.so
+%{_libdir}/samba/libsocket-blocking-samba4.so
+%{_libdir}/samba/libtalloc-report-samba4.so
+%{_libdir}/samba/libtdb-wrap-samba4.so
+%{_libdir}/samba/libtime-basic-samba4.so
+%{_libdir}/samba/libtorture-samba4.so
+%{_libdir}/samba/libtrusts-util-samba4.so
+%{_libdir}/samba/libutil-cmdline-samba4.so
+%{_libdir}/samba/libutil-reg-samba4.so
+%{_libdir}/samba/libutil-setid-samba4.so
+%{_libdir}/samba/libutil-tdb-samba4.so
+
+%if ! %with_libwbclient
+%{_libdir}/samba/libwbclient.so.*
+%{_libdir}/samba/libwinbind-client-samba4.so
+%endif # ! with_libwbclient
+
+%if ! %with_libsmbclient
+%{_libdir}/samba/libsmbclient.so.*
+%{_mandir}/man7/libsmbclient.7*
+%endif # ! with_libsmbclient
+
+%if %{with_internal_talloc}
+%{_libdir}/samba/libtalloc.so.2
+%{_libdir}/samba/libtalloc.so.%{talloc_version}
+%{_libdir}/samba/libpytalloc-util.so.2
+%{_libdir}/samba/libpytalloc-util.so.%{talloc_version}
+%{_mandir}/man3/talloc.3.gz
+%endif
+
+%if %{with_internal_tevent}
+%{_libdir}/samba/libtevent.so.0
+%{_libdir}/samba/libtevent.so.%{tevent_version}
+%endif
+
+%if %{with_internal_tdb}
+%{_libdir}/samba/libtdb.so.1
+%{_libdir}/samba/libtdb.so.%{tdb_version}
+%endif
+
+%if %{with_internal_ldb}
+%{_libdir}/samba/libldb.so.1
+%{_libdir}/samba/libldb.so.%{ldb_version}
+%{_libdir}/samba/libpyldb-util.so.1
+%{_libdir}/samba/libpyldb-util.so.%{ldb_version}
+%{_mandir}/man3/ldb.3.gz
+%endif
+
+### COMMON
+%files common
+%defattr(-,root,root)
+%{_tmpfilesdir}/samba.conf
+%dir %{_sysconfdir}/logrotate.d/
+%config(noreplace) %{_sysconfdir}/logrotate.d/samba
+%attr(0700,root,root) %dir /var/log/samba
+%attr(0700,root,root) %dir /var/log/samba/old
+%ghost %dir /var/run/samba
+%ghost %dir /var/run/winbindd
+%dir /var/lib/samba
+%attr(700,root,root) %dir /var/lib/samba/private
+%attr(755,root,root) %dir %{_sysconfdir}/samba
+%config(noreplace) %{_sysconfdir}/samba/smb.conf
+%{_sysconfdir}/samba/smb.conf.example
+%config(noreplace) %{_sysconfdir}/samba/lmhosts
+%config(noreplace) %{_sysconfdir}/sysconfig/samba
+%{_mandir}/man5/lmhosts.5*
+%{_mandir}/man5/smb.conf.5*
+%{_mandir}/man5/smbpasswd.5*
+%{_mandir}/man7/samba.7*
+
+### COMMON-libs
+%files common-libs
+%defattr(-,root,root)
+# common libraries
+%{_libdir}/samba/libpopt-samba3-samba4.so
+
+%dir %{_libdir}/samba/ldb
+
+%dir %{_libdir}/samba/pdb
+%{_libdir}/samba/pdb/ldapsam.so
+%{_libdir}/samba/pdb/smbpasswd.so
+%{_libdir}/samba/pdb/tdbsam.so
+%{_libdir}/samba/pdb/wbc_sam.so
+
+%files common-tools
+%defattr(-,root,root)
+%{_bindir}/net
+%{_bindir}/pdbedit
+%{_bindir}/profiles
+%{_bindir}/smbcontrol
+%{_bindir}/smbpasswd
+%{_bindir}/testparm
+%{_mandir}/man1/profiles.1*
+%{_mandir}/man1/smbcontrol.1*
+%{_mandir}/man1/testparm.1*
+%{_mandir}/man8/net.8*
+%{_mandir}/man8/pdbedit.8*
+%{_mandir}/man8/smbpasswd.8*
+
+### DC
+%files dc
+%defattr(-,root,root)
+
+%if %with_dc
+%{_bindir}/samba-tool
+%{_sbindir}/samba
+%{_sbindir}/samba_kcc
+%{_sbindir}/samba_dnsupdate
+%{_sbindir}/samba_spnupdate
+%{_sbindir}/samba_upgradedns
+%{_libdir}/samba/auth/samba4.so
+%{_libdir}/samba/bind9/dlz_bind9.so
+%{_libdir}/samba/bind9/dlz_bind9_10.so
+%{_libdir}/samba/libheimntlm-samba4.so.1
+%{_libdir}/samba/libheimntlm-samba4.so.1.0.1
+%{_libdir}/samba/libkdc-samba4.so.2
+%{_libdir}/samba/libkdc-samba4.so.2.0.0
+%{_libdir}/samba/libpac-samba4.so
+%dir %{_libdir}/samba/gensec
+%{_libdir}/samba/gensec/krb5.so
+%{_libdir}/samba/ldb/acl.so
+%{_libdir}/samba/ldb/aclread.so
+%{_libdir}/samba/ldb/anr.so
+%{_libdir}/samba/ldb/descriptor.so
+%{_libdir}/samba/ldb/dirsync.so
+%{_libdir}/samba/ldb/dns_notify.so
+%{_libdir}/samba/ldb/extended_dn_in.so
+%{_libdir}/samba/ldb/extended_dn_out.so
+%{_libdir}/samba/ldb/extended_dn_store.so
+%{_libdir}/samba/ldb/ildap.so
+%{_libdir}/samba/ldb/instancetype.so
+%{_libdir}/samba/ldb/lazy_commit.so
+%{_libdir}/samba/ldb/ldbsamba_extensions.so
+%{_libdir}/samba/ldb/linked_attributes.so
+%{_libdir}/samba/ldb/local_password.so
+%{_libdir}/samba/ldb/new_partition.so
+%{_libdir}/samba/ldb/objectclass.so
+%{_libdir}/samba/ldb/objectclass_attrs.so
+%{_libdir}/samba/ldb/objectguid.so
+%{_libdir}/samba/ldb/operational.so
+%{_libdir}/samba/ldb/partition.so
+%{_libdir}/samba/ldb/password_hash.so
+%{_libdir}/samba/ldb/ranged_results.so
+%{_libdir}/samba/ldb/repl_meta_data.so
+%{_libdir}/samba/ldb/resolve_oids.so
+%{_libdir}/samba/ldb/rootdse.so
+%{_libdir}/samba/ldb/samba3sam.so
+%{_libdir}/samba/ldb/samba3sid.so
+%{_libdir}/samba/ldb/samba_dsdb.so
+%{_libdir}/samba/ldb/samba_secrets.so
+%{_libdir}/samba/ldb/samldb.so
+%{_libdir}/samba/ldb/schema_data.so
+%{_libdir}/samba/ldb/schema_load.so
+%{_libdir}/samba/ldb/secrets_tdb_sync.so
+%{_libdir}/samba/ldb/show_deleted.so
+%{_libdir}/samba/ldb/simple_dn.so
+%{_libdir}/samba/ldb/simple_ldap_map.so
+%{_libdir}/samba/ldb/subtree_delete.so
+%{_libdir}/samba/ldb/subtree_rename.so
+%{_libdir}/samba/ldb/tombstone_reanimate.so
+%{_libdir}/samba/ldb/update_keytab.so
+%{_libdir}/samba/ldb/wins_ldb.so
+%{_libdir}/samba/vfs/posix_eadb.so
+%dir /var/lib/samba/sysvol
+%{_datadir}/samba/setup
+%{_mandir}/man8/samba.8*
+%{_mandir}/man8/samba-tool.8*
+%else # with_dc
+%doc packaging/README.dc
+%endif # with_dc
+
+### DC-LIBS
+%files dc-libs
+%defattr(-,root,root)
+%if %with_dc
+%{_libdir}/samba/libprocess-model-samba4.so
+%{_libdir}/samba/libservice-samba4.so
+%dir %{_libdir}/samba/process_model
+%{_libdir}/samba/process_model/standard.so
+%dir %{_libdir}/samba/service
+%{_libdir}/samba/service/cldap.so
+%{_libdir}/samba/service/dcerpc.so
+%{_libdir}/samba/service/dns.so
+%{_libdir}/samba/service/dns_update.so
+%{_libdir}/samba/service/drepl.so
+%{_libdir}/samba/service/kcc.so
+%{_libdir}/samba/service/kdc.so
+%{_libdir}/samba/service/ldap.so
+%{_libdir}/samba/service/nbtd.so
+%{_libdir}/samba/service/ntp_signd.so
+%{_libdir}/samba/service/s3fs.so
+%{_libdir}/samba/service/web.so
+%{_libdir}/samba/service/winbindd.so
+%{_libdir}/samba/service/wrepl.so
+%{_libdir}/libdcerpc-server.so.*
+%{_libdir}/samba/libdfs-server-ad-samba4.so
+%{_libdir}/samba/libdnsserver-common-samba4.so
+%{_libdir}/samba/libdsdb-module-samba4.so
+%{_libdir}/samba/libntvfs-samba4.so
+%{_libdir}/samba/bind9/dlz_bind9_9.so
+%else
+%doc packaging/README.dc-libs
+%endif # with_dc
+
+### DEVEL
+%files devel
+%defattr(-,root,root)
+%{_includedir}/samba-4.0/charset.h
+%{_includedir}/samba-4.0/core/doserr.h
+%{_includedir}/samba-4.0/core/error.h
+%{_includedir}/samba-4.0/core/hresult.h
+%{_includedir}/samba-4.0/core/ntstatus.h
+%{_includedir}/samba-4.0/core/werror.h
+%{_includedir}/samba-4.0/credentials.h
+%{_includedir}/samba-4.0/dcerpc.h
+%{_includedir}/samba-4.0/domain_credentials.h
+%{_includedir}/samba-4.0/gen_ndr/atsvc.h
+%{_includedir}/samba-4.0/gen_ndr/auth.h
+%{_includedir}/samba-4.0/gen_ndr/dcerpc.h
+%{_includedir}/samba-4.0/gen_ndr/krb5pac.h
+%{_includedir}/samba-4.0/gen_ndr/lsa.h
+%{_includedir}/samba-4.0/gen_ndr/misc.h
+%{_includedir}/samba-4.0/gen_ndr/nbt.h
+%{_includedir}/samba-4.0/gen_ndr/drsblobs.h
+%{_includedir}/samba-4.0/gen_ndr/drsuapi.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_drsblobs.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_drsuapi.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_atsvc.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_dcerpc.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_krb5pac.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_misc.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_nbt.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_samr.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_samr_c.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_svcctl.h
+%{_includedir}/samba-4.0/gen_ndr/ndr_svcctl_c.h
+%{_includedir}/samba-4.0/gen_ndr/netlogon.h
+%{_includedir}/samba-4.0/gen_ndr/samr.h
+%{_includedir}/samba-4.0/gen_ndr/security.h
+%{_includedir}/samba-4.0/gen_ndr/server_id.h
+%{_includedir}/samba-4.0/gen_ndr/svcctl.h
+%{_includedir}/samba-4.0/ldb_wrap.h
+%{_includedir}/samba-4.0/lookup_sid.h
+%{_includedir}/samba-4.0/machine_sid.h
+%{_includedir}/samba-4.0/ndr.h
+%dir %{_includedir}/samba-4.0/ndr
+%{_includedir}/samba-4.0/ndr/ndr_dcerpc.h
+%{_includedir}/samba-4.0/ndr/ndr_drsblobs.h
+%{_includedir}/samba-4.0/ndr/ndr_drsuapi.h
+%{_includedir}/samba-4.0/ndr/ndr_krb5pac.h
+%{_includedir}/samba-4.0/ndr/ndr_svcctl.h
+%{_includedir}/samba-4.0/ndr/ndr_nbt.h
+%{_includedir}/samba-4.0/netapi.h
+%{_includedir}/samba-4.0/param.h
+%{_includedir}/samba-4.0/passdb.h
+%{_includedir}/samba-4.0/policy.h
+%{_includedir}/samba-4.0/rpc_common.h
+%{_includedir}/samba-4.0/samba/session.h
+%{_includedir}/samba-4.0/samba/version.h
+%{_includedir}/samba-4.0/share.h
+%{_includedir}/samba-4.0/smb2_lease_struct.h
+%{_includedir}/samba-4.0/smbconf.h
+%{_includedir}/samba-4.0/smb_ldap.h
+%{_includedir}/samba-4.0/smbldap.h
+%{_includedir}/samba-4.0/tdr.h
+%{_includedir}/samba-4.0/tsocket.h
+%{_includedir}/samba-4.0/tsocket_internal.h
+%dir %{_includedir}/samba-4.0/util
+%{_includedir}/samba-4.0/util/attr.h
+%{_includedir}/samba-4.0/util/blocking.h
+%{_includedir}/samba-4.0/util/byteorder.h
+%{_includedir}/samba-4.0/util/data_blob.h
+%{_includedir}/samba-4.0/util/debug.h
+%{_includedir}/samba-4.0/util/fault.h
+%{_includedir}/samba-4.0/util/genrand.h
+%{_includedir}/samba-4.0/util/idtree.h
+%{_includedir}/samba-4.0/util/idtree_random.h
+%{_includedir}/samba-4.0/util/memory.h
+%{_includedir}/samba-4.0/util/safe_string.h
+%{_includedir}/samba-4.0/util/signal.h
+%{_includedir}/samba-4.0/util/string_wrappers.h
+%{_includedir}/samba-4.0/util/substitute.h
+%{_includedir}/samba-4.0/util/talloc_stack.h
+%{_includedir}/samba-4.0/util/tevent_ntstatus.h
+%{_includedir}/samba-4.0/util/tevent_unix.h
+%{_includedir}/samba-4.0/util/tevent_werror.h
+%{_includedir}/samba-4.0/util/time.h
+%{_includedir}/samba-4.0/util_ldb.h
+%{_libdir}/libdcerpc-binding.so
+%{_libdir}/libdcerpc-samr.so
+%{_libdir}/libdcerpc.so
+%{_libdir}/libndr-krb5pac.so
+%{_libdir}/libndr-nbt.so
+%{_libdir}/libndr-standard.so
+%{_libdir}/libndr.so
+%{_libdir}/libnetapi.so
+%{_libdir}/libsamba-credentials.so
+%{_libdir}/libsamba-errors.so
+%{_libdir}/libsamba-hostconfig.so
+%{_libdir}/libsamba-policy.so
+%{_libdir}/libsamba-util.so
+%{_libdir}/libsamdb.so
+%{_libdir}/libsmbconf.so
+%{_libdir}/libtevent-util.so
+%{_libdir}/pkgconfig/dcerpc.pc
+%{_libdir}/pkgconfig/dcerpc_samr.pc
+%{_libdir}/pkgconfig/ndr.pc
+%{_libdir}/pkgconfig/ndr_krb5pac.pc
+%{_libdir}/pkgconfig/ndr_nbt.pc
+%{_libdir}/pkgconfig/ndr_standard.pc
+%{_libdir}/pkgconfig/netapi.pc
+%{_libdir}/pkgconfig/samba-credentials.pc
+%{_libdir}/pkgconfig/samba-hostconfig.pc
+%{_libdir}/pkgconfig/samba-policy.pc
+%{_libdir}/pkgconfig/samba-util.pc
+%{_libdir}/pkgconfig/samdb.pc
+%{_libdir}/libsamba-passdb.so
+%{_libdir}/libsmbldap.so
+
+%if %with_dc
+%{_includedir}/samba-4.0/dcerpc_server.h
+%{_libdir}/libdcerpc-server.so
+%{_libdir}/pkgconfig/dcerpc_server.pc
+%endif
+
+%if ! %with_libsmbclient
+%{_includedir}/samba-4.0/libsmbclient.h
+%endif # ! with_libsmbclient
+
+%if ! %with_libwbclient
+%{_includedir}/samba-4.0/wbclient.h
+%endif # ! with_libwbclient
+
+### VFS-CEPHFS
+%if %{with_vfs_cephfs}
+%files vfs-cephfs
+%{_libdir}/samba/vfs/ceph.so
+%{_mandir}/man8/vfs_ceph.8*
+%endif
+
+### VFS-GLUSTERFS
+%if %{with_vfs_glusterfs}
+%files vfs-glusterfs
+%{_libdir}/samba/vfs/glusterfs.so
+%{_mandir}/man8/vfs_glusterfs.8*
+%endif
+
+### KRB5-PRINTING
+%files krb5-printing
+%defattr(-,root,root)
+%attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper
+%{_mandir}/man8/smbspool_krb5_wrapper.8*
+
+### LIBS
+%files libs
+%defattr(-,root,root)
+%{_libdir}/libdcerpc-samr.so.*
+%{_libdir}/libsamba-policy.so.*
+
+# libraries needed by the public libraries
+%{_libdir}/samba/libMESSAGING-samba4.so
+%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so
+%{_libdir}/samba/libauth4-samba4.so
+%{_libdir}/samba/libauth-unix-token-samba4.so
+%{_libdir}/samba/libcluster-samba4.so
+%{_libdir}/samba/libdcerpc-samba4.so
+%{_libdir}/samba/libnon-posix-acls-samba4.so
+%{_libdir}/samba/libsamba-net-samba4.so
+%{_libdir}/samba/libsamba-python-samba4.so
+%{_libdir}/samba/libshares-samba4.so
+%{_libdir}/samba/libsmbpasswdparser-samba4.so
+%{_libdir}/samba/libxattr-tdb-samba4.so
+
+%if %with_dc
+%{_libdir}/samba/libdb-glue-samba4.so
+%{_libdir}/samba/libHDB-SAMBA4-samba4.so
+%{_libdir}/samba/libasn1-samba4.so.8
+%{_libdir}/samba/libasn1-samba4.so.8.0.0
+%{_libdir}/samba/libcom_err-samba4.so.0
+%{_libdir}/samba/libcom_err-samba4.so.0.25
+%{_libdir}/samba/libgssapi-samba4.so.2
+%{_libdir}/samba/libgssapi-samba4.so.2.0.0
+%{_libdir}/samba/libhcrypto-samba4.so.5
+%{_libdir}/samba/libhcrypto-samba4.so.5.0.1
+%{_libdir}/samba/libhdb-samba4.so.11
+%{_libdir}/samba/libhdb-samba4.so.11.0.2
+%{_libdir}/samba/libheimbase-samba4.so.1
+%{_libdir}/samba/libheimbase-samba4.so.1.0.0
+%{_libdir}/samba/libhx509-samba4.so.5
+%{_libdir}/samba/libhx509-samba4.so.5.0.0
+%{_libdir}/samba/libkrb5-samba4.so.26
+%{_libdir}/samba/libkrb5-samba4.so.26.0.0
+%{_libdir}/samba/libroken-samba4.so.19
+%{_libdir}/samba/libroken-samba4.so.19.0.1
+%{_libdir}/samba/libwind-samba4.so.0
+%{_libdir}/samba/libwind-samba4.so.0.0.0
+%endif
+
+### LIBSMBCLIENT
+%if %with_libsmbclient
+%files -n libsmbclient
+%defattr(-,root,root)
+%{_libdir}/libsmbclient.so.*
+
+### LIBSMBCLIENT-DEVEL
+%files -n libsmbclient-devel
+%defattr(-,root,root)
+%{_includedir}/samba-4.0/libsmbclient.h
+%{_libdir}/libsmbclient.so
+%{_libdir}/pkgconfig/smbclient.pc
+%{_mandir}/man7/libsmbclient.7*
+%endif # with_libsmbclient
+
+### LIBWBCLIENT
+%if %with_libwbclient
+%files -n libwbclient
+%defattr(-,root,root)
+%{_libdir}/samba/wbclient/libwbclient.so.*
+%{_libdir}/samba/libwinbind-client-samba4.so
+
+### LIBWBCLIENT-DEVEL
+%files -n libwbclient-devel
+%defattr(-,root,root)
+%{_includedir}/samba-4.0/wbclient.h
+%{_libdir}/samba/wbclient/libwbclient.so
+%{_libdir}/pkgconfig/wbclient.pc
+%endif # with_libwbclient
+
+### PIDL
+%files pidl
+%defattr(-,root,root,-)
+%attr(755,root,root) %{_bindir}/pidl
+%dir %{perl_vendorlib}/Parse
+%{perl_vendorlib}/Parse/Pidl.pm
+%dir %{perl_vendorlib}/Parse/Pidl
+%{perl_vendorlib}/Parse/Pidl/CUtil.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4.pm
+%{perl_vendorlib}/Parse/Pidl/Expr.pm
+%{perl_vendorlib}/Parse/Pidl/ODL.pm
+%{perl_vendorlib}/Parse/Pidl/Typelist.pm
+%{perl_vendorlib}/Parse/Pidl/IDL.pm
+%{perl_vendorlib}/Parse/Pidl/Compat.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Wireshark
+%{perl_vendorlib}/Parse/Pidl/Wireshark/Conformance.pm
+%{perl_vendorlib}/Parse/Pidl/Wireshark/NDR.pm
+%{perl_vendorlib}/Parse/Pidl/Dump.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Samba3
+%{perl_vendorlib}/Parse/Pidl/Samba3/ServerNDR.pm
+%{perl_vendorlib}/Parse/Pidl/Samba3/ClientNDR.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Samba4
+%{perl_vendorlib}/Parse/Pidl/Samba4/Header.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Samba4/COM
+%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Header.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Proxy.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Stub.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/Python.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/Template.pm
+%dir %{perl_vendorlib}/Parse/Pidl/Samba4/NDR
+%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Server.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Client.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Parser.pm
+%{perl_vendorlib}/Parse/Pidl/Samba4/TDR.pm
+%{perl_vendorlib}/Parse/Pidl/NDR.pm
+%{perl_vendorlib}/Parse/Pidl/Util.pm
+%{_mandir}/man1/pidl*
+%{_mandir}/man3/Parse::Pidl*
+
+### PYTHON
+%files python
+%defattr(-,root,root,-)
+%{python_sitearch}/*
+
+### TEST
+%files test
+%defattr(-,root,root)
+%{_bindir}/gentest
+%{_bindir}/locktest
+%{_bindir}/masktest
+%{_bindir}/ndrdump
+%{_bindir}/smbtorture
+%{_mandir}/man1/gentest.1*
+%{_mandir}/man1/locktest.1*
+%{_mandir}/man1/masktest.1*
+%{_mandir}/man1/ndrdump.1*
+%{_mandir}/man1/smbtorture.1*
+%{_mandir}/man1/vfstest.1*
+
+%if %{with testsuite}
+# files to ignore in testsuite mode
+%{_libdir}/samba/libnss-wrapper.so
+%{_libdir}/samba/libsocket-wrapper.so
+%{_libdir}/samba/libuid-wrapper.so
+%endif
+
+### TEST-LIBS
+%files test-libs
+%defattr(-,root,root)
+%if %with_dc
+%{_libdir}/samba/libdlz-bind9-for-torture-samba4.so
+%else
+%{_libdir}/samba/libdsdb-module-samba4.so
+%endif
+
+### WINBIND
+%files winbind
+%defattr(-,root,root)
+%{_libdir}/samba/idmap
+%{_libdir}/samba/nss_info
+%{_libdir}/samba/libnss-info-samba4.so
+%{_libdir}/samba/libidmap-samba4.so
+%{_sbindir}/winbindd
+%attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged
+%{_unitdir}/winbind.service
+%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind
+%{_mandir}/man8/winbindd.8*
+%{_mandir}/man8/idmap_*.8*
+
+### WINBIND-CLIENTS
+%files winbind-clients
+%defattr(-,root,root)
+%{_bindir}/ntlm_auth
+%{_bindir}/wbinfo
+%{_mandir}/man1/ntlm_auth.1.gz
+%{_mandir}/man1/wbinfo.1*
+
+### WINBIND-KRB5-LOCATOR
+%files winbind-krb5-locator
+%defattr(-,root,root)
+%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+%{_libdir}/winbind_krb5_locator.so
+%{_mandir}/man7/winbind_krb5_locator.7*
+
+### WINBIND-MODULES
+%files winbind-modules
+%defattr(-,root,root)
+%{_libdir}/libnss_winbind.so*
+%{_libdir}/libnss_wins.so*
+%{_libdir}/security/pam_winbind.so
+%config(noreplace) %{_sysconfdir}/security/pam_winbind.conf
+%{_mandir}/man5/pam_winbind.conf.5*
+%{_mandir}/man8/pam_winbind.8*
+
+%if %with_clustering_support
+%files -n ctdb
+%defattr(-,root,root)
+%doc ctdb/README
+# Obsolete
+%config(noreplace, missingok) %{_sysconfdir}/sysconfig/ctdb
+
+%dir %{_sysconfdir}/ctdb
+%config(noreplace) %{_sysconfdir}/ctdb/ctdbd.conf
+%config(noreplace) %{_sysconfdir}/ctdb/notify.sh
+%config(noreplace) %{_sysconfdir}/ctdb/debug-hung-script.sh
+%config(noreplace) %{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh
+%config(noreplace) %{_sysconfdir}/ctdb/gcore_trace.sh
+%config(noreplace) %{_sysconfdir}/ctdb/debug_locks.sh
+
+%{_sysconfdir}/ctdb/functions
+%{_sysconfdir}/ctdb/nfs-linux-kernel-callout
+%{_sysconfdir}/ctdb/statd-callout
+%config %{_sysconfdir}/sudoers.d/ctdb
+
+# CTDB scripts, no config files
+# script with executable bit means activated
+%dir %{_sysconfdir}/ctdb/events.d
+%{_sysconfdir}/ctdb/events.d/00.ctdb
+%{_sysconfdir}/ctdb/events.d/01.reclock
+%{_sysconfdir}/ctdb/events.d/05.system
+%{_sysconfdir}/ctdb/events.d/06.nfs
+%{_sysconfdir}/ctdb/events.d/10.external
+%{_sysconfdir}/ctdb/events.d/10.interface
+%{_sysconfdir}/ctdb/events.d/11.natgw
+%{_sysconfdir}/ctdb/events.d/11.routing
+%{_sysconfdir}/ctdb/events.d/13.per_ip_routing
+%{_sysconfdir}/ctdb/events.d/20.multipathd
+%{_sysconfdir}/ctdb/events.d/31.clamd
+%{_sysconfdir}/ctdb/events.d/40.vsftpd
+%{_sysconfdir}/ctdb/events.d/41.httpd
+%{_sysconfdir}/ctdb/events.d/49.winbind
+%{_sysconfdir}/ctdb/events.d/50.samba
+%{_sysconfdir}/ctdb/events.d/60.nfs
+%{_sysconfdir}/ctdb/events.d/70.iscsi
+%{_sysconfdir}/ctdb/events.d/91.lvs
+%{_sysconfdir}/ctdb/events.d/99.timeout
+%{_sysconfdir}/ctdb/events.d/README
+%dir %{_sysconfdir}/ctdb/notify.d
+%{_sysconfdir}/ctdb/notify.d/README
+
+# CTDB scripts, no config files
+# script with executable bit means activated
+%dir %{_sysconfdir}/ctdb/nfs-checks.d
+%{_sysconfdir}/ctdb/nfs-checks.d/README
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/00.portmapper.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/10.status.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/20.nfs.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/30.nlockmgr.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/40.mountd.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check
+
+%{_sbindir}/ctdbd
+%{_sbindir}/ctdbd_wrapper
+%{_bindir}/ctdb
+%{_bindir}/ping_pong
+%{_bindir}/ltdbtool
+%{_bindir}/ctdb_diagnostics
+%{_bindir}/onnode
+
+%dir %{_libexecdir}/ctdb
+%{_libexecdir}/ctdb/ctdb_event
+%{_libexecdir}/ctdb/ctdb_eventd
+%{_libexecdir}/ctdb/ctdb_killtcp
+%{_libexecdir}/ctdb/ctdb_lock_helper
+%{_libexecdir}/ctdb/ctdb_lvs
+%{_libexecdir}/ctdb/ctdb_mutex_fcntl_helper
+%{_libexecdir}/ctdb/ctdb_natgw
+%{_libexecdir}/ctdb/ctdb_recovery_helper
+%{_libexecdir}/ctdb/ctdb_takeover_helper
+%{_libexecdir}/ctdb/smnotify
+
+%dir %{_localstatedir}/lib/ctdb/
+
+%{_mandir}/man1/ctdb.1.gz
+%{_mandir}/man1/ctdb_diagnostics.1.gz
+%{_mandir}/man1/ctdbd.1.gz
+%{_mandir}/man1/onnode.1.gz
+%{_mandir}/man1/ltdbtool.1.gz
+%{_mandir}/man1/ping_pong.1.gz
+%{_mandir}/man1/ctdbd_wrapper.1.gz
+%{_mandir}/man5/ctdbd.conf.5.gz
+%{_mandir}/man7/ctdb.7.gz
+%{_mandir}/man7/ctdb-tunables.7.gz
+%{_mandir}/man7/ctdb-statistics.7.gz
+
+%{_tmpfilesdir}/ctdb.conf
+
+%{_unitdir}/ctdb.service
+
+
+%files -n ctdb-tests
+%defattr(-,root,root)
+%doc ctdb/tests/README
+%{_bindir}/ctdb_run_tests
+%{_bindir}/ctdb_run_cluster_tests
+
+%dir %{_libexecdir}/ctdb
+%dir %{_libexecdir}/ctdb/tests
+%{_libexecdir}/ctdb/tests/comm_client_test
+%{_libexecdir}/ctdb/tests/comm_server_test
+%{_libexecdir}/ctdb/tests/comm_test
+%{_libexecdir}/ctdb/tests/ctdb_packet_parse
+%{_libexecdir}/ctdb/tests/ctdb_takeover_tests
+%{_libexecdir}/ctdb/tests/db_hash_test
+%{_libexecdir}/ctdb/tests/fake_ctdbd
+%{_libexecdir}/ctdb/tests/fetch_loop
+%{_libexecdir}/ctdb/tests/fetch_loop_key
+%{_libexecdir}/ctdb/tests/fetch_readonly
+%{_libexecdir}/ctdb/tests/fetch_readonly_loop
+%{_libexecdir}/ctdb/tests/fetch_ring
+%{_libexecdir}/ctdb/tests/g_lock_loop
+%{_libexecdir}/ctdb/tests/lock_tdb
+%{_libexecdir}/ctdb/tests/message_ring
+%{_libexecdir}/ctdb/tests/pidfile_test
+%{_libexecdir}/ctdb/tests/pkt_read_test
+%{_libexecdir}/ctdb/tests/pkt_write_test
+%{_libexecdir}/ctdb/tests/porting_tests
+%{_libexecdir}/ctdb/tests/protocol_client_test
+%{_libexecdir}/ctdb/tests/protocol_types_test
+%{_libexecdir}/ctdb/tests/protocol_util_test
+%{_libexecdir}/ctdb/tests/rb_test
+%{_libexecdir}/ctdb/tests/reqid_test
+%{_libexecdir}/ctdb/tests/run_proc_test
+%{_libexecdir}/ctdb/tests/sock_daemon_test
+%{_libexecdir}/ctdb/tests/sock_io_test
+%{_libexecdir}/ctdb/tests/srvid_test
+%{_libexecdir}/ctdb/tests/test_mutex_raw
+%{_libexecdir}/ctdb/tests/transaction_loop
+%{_libexecdir}/ctdb/tests/update_record
+%{_libexecdir}/ctdb/tests/update_record_persistent
+
+%dir %{_datadir}/ctdb
+%dir %{_datadir}/ctdb/tests
+
+%dir %{_datadir}/ctdb/tests/complex
+%{_datadir}/ctdb/tests/complex/README
+%{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh
+%{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh
+%{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh
+%{_datadir}/ctdb/tests/complex/31_nfs_tickle.sh
+%{_datadir}/ctdb/tests/complex/32_cifs_tickle.sh
+%{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh
+%{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh
+%{_datadir}/ctdb/tests/complex/35_cifs_external_tickle.sh
+%{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh
+%{_datadir}/ctdb/tests/complex/42_failover_ssh_hostname.sh
+%{_datadir}/ctdb/tests/complex/43_failover_nfs_basic.sh
+%{_datadir}/ctdb/tests/complex/44_failover_nfs_oneway.sh
+%{_datadir}/ctdb/tests/complex/45_failover_nfs_kill.sh
+%{_datadir}/ctdb/tests/complex/60_rogueip_releaseip.sh
+%{_datadir}/ctdb/tests/complex/61_rogueip_takeip.sh
+%{_datadir}/ctdb/tests/complex/90_debug_hung_script.sh
+
+%dir %{_datadir}/ctdb/tests/complex/scripts
+%{_datadir}/ctdb/tests/complex/scripts/local.bash
+
+%dir %{_datadir}/ctdb/tests/cunit
+%{_datadir}/ctdb/tests/cunit/comm_test_001.sh
+%{_datadir}/ctdb/tests/cunit/comm_test_002.sh
+%{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
+%{_datadir}/ctdb/tests/cunit/pidfile_test_001.sh
+%{_datadir}/ctdb/tests/cunit/pkt_read_001.sh
+%{_datadir}/ctdb/tests/cunit/pkt_write_001.sh
+%{_datadir}/ctdb/tests/cunit/porting_tests_001.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_001.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_002.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_003.sh
+%{_datadir}/ctdb/tests/cunit/rb_test_001.sh
+%{_datadir}/ctdb/tests/cunit/reqid_test_001.sh
+%{_datadir}/ctdb/tests/cunit/run_proc_001.sh
+%{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh
+%{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh
+%{_datadir}/ctdb/tests/cunit/srvid_test_001.sh
+
+%dir %{_datadir}/ctdb/tests/eventd
+%{_datadir}/ctdb/tests/eventd/README
+%{_datadir}/ctdb/tests/eventd/eventd_001.sh
+%{_datadir}/ctdb/tests/eventd/eventd_002.sh
+%{_datadir}/ctdb/tests/eventd/eventd_003.sh
+%{_datadir}/ctdb/tests/eventd/eventd_004.sh
+%{_datadir}/ctdb/tests/eventd/eventd_005.sh
+%{_datadir}/ctdb/tests/eventd/eventd_006.sh
+%{_datadir}/ctdb/tests/eventd/eventd_007.sh
+%{_datadir}/ctdb/tests/eventd/eventd_011.sh
+%{_datadir}/ctdb/tests/eventd/eventd_012.sh
+%{_datadir}/ctdb/tests/eventd/eventd_013.sh
+%{_datadir}/ctdb/tests/eventd/eventd_014.sh
+%{_datadir}/ctdb/tests/eventd/eventd_021.sh
+%{_datadir}/ctdb/tests/eventd/eventd_022.sh
+%{_datadir}/ctdb/tests/eventd/eventd_023.sh
+%{_datadir}/ctdb/tests/eventd/eventd_024.sh
+%{_datadir}/ctdb/tests/eventd/eventd_031.sh
+%{_datadir}/ctdb/tests/eventd/eventd_032.sh
+%{_datadir}/ctdb/tests/eventd/eventd_033.sh
+%{_datadir}/ctdb/tests/eventd/eventd_041.sh
+%{_datadir}/ctdb/tests/eventd/eventd_042.sh
+%{_datadir}/ctdb/tests/eventd/eventd_043.sh
+%{_datadir}/ctdb/tests/eventd/eventd_051.sh
+%dir %{_datadir}/ctdb/tests/eventd/scripts
+%{_datadir}/ctdb/tests/eventd/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/events.d
+%{_datadir}/ctdb/tests/events.d/00.test
+
+%dir %{_datadir}/ctdb/tests/eventscripts
+%{_datadir}/ctdb/tests/eventscripts/README
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.001.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.002.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.003.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.004.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.005.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.006.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.007.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.008.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.009.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.003.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.004.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.005.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.005.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.006.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.007.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.011.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.012.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.013.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.014.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.015.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.016.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.017.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.018.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.022.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.023.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.005.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.006.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.007.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.008.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.009.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.010.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.012.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.013.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.014.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.015.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.016.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.017.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.018.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.multi.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.010.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.003.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.001.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.002.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.003.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.004.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.011.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.012.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.013.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.014.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.015.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.021.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.022.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.023.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.024.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.025.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.031.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.041.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.042.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.051.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.052.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.053.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.054.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.001.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.002.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.003.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.004.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.005.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.006.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.007.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.008.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.009.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.010.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.011.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.012.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.013.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.014.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.015.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.016.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.017.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.018.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.019.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.021.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.022.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.023.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.024.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.050.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.051.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.050.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.051.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.104.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.105.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.106.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.107.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.110.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.111.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.112.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.113.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.011.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.startup.011.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.101.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.102.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.103.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.104.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.105.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.106.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.107.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.108.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.111.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.112.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.113.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.114.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.121.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.122.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.131.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.132.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.141.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.142.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.143.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.144.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.151.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.152.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.153.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.161.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.162.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.002.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.011.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.012.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.013.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.014.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.startup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.001.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.002.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.003.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.004.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.005.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.006.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.007.sh
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc-ctdb
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/events.d
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/functions
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-checks.d
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-linux-kernel-callout
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/public_addresses
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/rc.local
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/statd-callout
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc
+%dir %{_datadir}/ctdb/tests/eventscripts/etc/init.d
+%{_datadir}/ctdb/tests/eventscripts/etc/init.d/nfs
+%{_datadir}/ctdb/tests/eventscripts/etc/init.d/nfslock
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc/samba
+%{_datadir}/ctdb/tests/eventscripts/etc/samba/smb.conf
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc/sysconfig
+%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/ctdb
+%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/nfs
+
+%dir %{_datadir}/ctdb/tests/eventscripts/scripts
+%{_datadir}/ctdb/tests/eventscripts/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/eventscripts/stubs
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_killtcp
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_lvs
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_natgw
+%{_datadir}/ctdb/tests/eventscripts/stubs/date
+%{_datadir}/ctdb/tests/eventscripts/stubs/df
+%{_datadir}/ctdb/tests/eventscripts/stubs/ethtool
+%{_datadir}/ctdb/tests/eventscripts/stubs/exportfs
+%{_datadir}/ctdb/tests/eventscripts/stubs/id
+%{_datadir}/ctdb/tests/eventscripts/stubs/ip
+%{_datadir}/ctdb/tests/eventscripts/stubs/ip6tables
+%{_datadir}/ctdb/tests/eventscripts/stubs/iptables
+%{_datadir}/ctdb/tests/eventscripts/stubs/ipvsadm
+%{_datadir}/ctdb/tests/eventscripts/stubs/kill
+%{_datadir}/ctdb/tests/eventscripts/stubs/killall
+%{_datadir}/ctdb/tests/eventscripts/stubs/multipath
+%{_datadir}/ctdb/tests/eventscripts/stubs/net
+%{_datadir}/ctdb/tests/eventscripts/stubs/netstat
+%{_datadir}/ctdb/tests/eventscripts/stubs/nmap
+%{_datadir}/ctdb/tests/eventscripts/stubs/pidof
+%{_datadir}/ctdb/tests/eventscripts/stubs/pkill
+%{_datadir}/ctdb/tests/eventscripts/stubs/ps
+%{_datadir}/ctdb/tests/eventscripts/stubs/rm
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.lockd
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.mountd
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.rquotad
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.statd
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpcinfo
+%{_datadir}/ctdb/tests/eventscripts/stubs/service
+%{_datadir}/ctdb/tests/eventscripts/stubs/sleep
+%{_datadir}/ctdb/tests/eventscripts/stubs/smnotify
+%{_datadir}/ctdb/tests/eventscripts/stubs/ss
+%{_datadir}/ctdb/tests/eventscripts/stubs/tdbdump
+%{_datadir}/ctdb/tests/eventscripts/stubs/tdbtool
+%{_datadir}/ctdb/tests/eventscripts/stubs/testparm
+%{_datadir}/ctdb/tests/eventscripts/stubs/timeout
+%{_datadir}/ctdb/tests/eventscripts/stubs/wbinfo
+
+%dir %{_datadir}/ctdb/tests/onnode
+%{_datadir}/ctdb/tests/onnode/README
+%{_datadir}/ctdb/tests/onnode/0001.sh
+%{_datadir}/ctdb/tests/onnode/0002.sh
+%{_datadir}/ctdb/tests/onnode/0003.sh
+%{_datadir}/ctdb/tests/onnode/0004.sh
+%{_datadir}/ctdb/tests/onnode/0005.sh
+%{_datadir}/ctdb/tests/onnode/0006.sh
+%{_datadir}/ctdb/tests/onnode/0070.sh
+%{_datadir}/ctdb/tests/onnode/0071.sh
+%{_datadir}/ctdb/tests/onnode/0072.sh
+%{_datadir}/ctdb/tests/onnode/0075.sh
+%{_datadir}/ctdb/tests/onnode/functions
+%{_datadir}/ctdb/tests/onnode/nodes
+
+%dir %{_datadir}/ctdb/tests/onnode/scripts
+%{_datadir}/ctdb/tests/onnode/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/onnode/stubs
+%{_datadir}/ctdb/tests/onnode/stubs/ctdb
+%{_datadir}/ctdb/tests/onnode/stubs/onnode-buggy-001
+%{_datadir}/ctdb/tests/onnode/stubs/ssh
+
+%dir %{_datadir}/ctdb/tests/scripts
+%{_datadir}/ctdb/tests/scripts/common.sh
+%{_datadir}/ctdb/tests/scripts/integration.bash
+%{_datadir}/ctdb/tests/scripts/script_install_paths.sh
+%{_datadir}/ctdb/tests/scripts/test_wrap
+%{_datadir}/ctdb/tests/scripts/unit.sh
+
+%dir %{_datadir}/ctdb/tests/shellcheck
+%{_datadir}/ctdb/tests/shellcheck/base_scripts.sh
+%{_datadir}/ctdb/tests/shellcheck/ctdb_helpers.sh
+%{_datadir}/ctdb/tests/shellcheck/ctdbd_wrapper.sh
+%{_datadir}/ctdb/tests/shellcheck/event_scripts.sh
+%{_datadir}/ctdb/tests/shellcheck/functions.sh
+%{_datadir}/ctdb/tests/shellcheck/init_script.sh
+%{_datadir}/ctdb/tests/shellcheck/tools.sh
+
+%dir %{_datadir}/ctdb/tests/shellcheck/scripts
+%{_datadir}/ctdb/tests/shellcheck/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/simple
+%{_datadir}/ctdb/tests/simple/README
+%{_datadir}/ctdb/tests/simple/00_ctdb_init.sh
+%{_datadir}/ctdb/tests/simple/00_ctdb_onnode.sh
+%{_datadir}/ctdb/tests/simple/01_ctdb_version.sh
+%{_datadir}/ctdb/tests/simple/02_ctdb_listvars.sh
+%{_datadir}/ctdb/tests/simple/03_ctdb_getvar.sh
+%{_datadir}/ctdb/tests/simple/04_ctdb_setvar.sh
+%{_datadir}/ctdb/tests/simple/05_ctdb_listnodes.sh
+%{_datadir}/ctdb/tests/simple/06_ctdb_getpid.sh
+%{_datadir}/ctdb/tests/simple/07_ctdb_process_exists.sh
+%{_datadir}/ctdb/tests/simple/08_ctdb_isnotrecmaster.sh
+%{_datadir}/ctdb/tests/simple/09_ctdb_ping.sh
+%{_datadir}/ctdb/tests/simple/11_ctdb_ip.sh
+%{_datadir}/ctdb/tests/simple/12_ctdb_getdebug.sh
+%{_datadir}/ctdb/tests/simple/13_ctdb_setdebug.sh
+%{_datadir}/ctdb/tests/simple/14_ctdb_statistics.sh
+%{_datadir}/ctdb/tests/simple/15_ctdb_statisticsreset.sh
+%{_datadir}/ctdb/tests/simple/16_ctdb_config_add_ip.sh
+%{_datadir}/ctdb/tests/simple/17_ctdb_config_delete_ip.sh
+%{_datadir}/ctdb/tests/simple/18_ctdb_reloadips.sh
+%{_datadir}/ctdb/tests/simple/19_ip_takeover_noop.sh
+%{_datadir}/ctdb/tests/simple/20_delip_iface_gc.sh
+%{_datadir}/ctdb/tests/simple/23_ctdb_moveip.sh
+%{_datadir}/ctdb/tests/simple/24_ctdb_getdbmap.sh
+%{_datadir}/ctdb/tests/simple/25_dumpmemory.sh
+%{_datadir}/ctdb/tests/simple/26_ctdb_config_check_error_on_unreachable_ctdb.sh
+%{_datadir}/ctdb/tests/simple/27_ctdb_detach.sh
+%{_datadir}/ctdb/tests/simple/28_zero_eventscripts.sh
+%{_datadir}/ctdb/tests/simple/31_ctdb_disable.sh
+%{_datadir}/ctdb/tests/simple/32_ctdb_enable.sh
+%{_datadir}/ctdb/tests/simple/35_ctdb_getreclock.sh
+%{_datadir}/ctdb/tests/simple/41_ctdb_stop.sh
+%{_datadir}/ctdb/tests/simple/42_ctdb_continue.sh
+%{_datadir}/ctdb/tests/simple/43_stop_recmaster_yield.sh
+%{_datadir}/ctdb/tests/simple/51_message_ring.sh
+%{_datadir}/ctdb/tests/simple/52_fetch_ring.sh
+%{_datadir}/ctdb/tests/simple/53_transaction_loop.sh
+%{_datadir}/ctdb/tests/simple/54_transaction_loop_recovery.sh
+%{_datadir}/ctdb/tests/simple/55_ctdb_ptrans.sh
+%{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh
+%{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh
+%{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh
+%{_datadir}/ctdb/tests/simple/71_ctdb_wipedb.sh
+%{_datadir}/ctdb/tests/simple/72_update_record_persistent.sh
+%{_datadir}/ctdb/tests/simple/73_tunable_NoIPTakeover.sh
+%{_datadir}/ctdb/tests/simple/75_readonly_records_basic.sh
+%{_datadir}/ctdb/tests/simple/76_ctdb_pdb_recovery.sh
+%{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh
+%{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh
+%{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
+%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
+%{_datadir}/ctdb/tests/simple/functions
+# This is a dangling symlink but needed for testing
+%{_datadir}/ctdb/tests/simple/nodes
+
+%dir %{_datadir}/ctdb/tests/simple/scripts
+%{_datadir}/ctdb/tests/simple/scripts/local.bash
+%{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash
+
+%dir %{_datadir}/ctdb/tests/takeover
+%{_datadir}/ctdb/tests/takeover/README
+%{_datadir}/ctdb/tests/takeover/det.001.sh
+%{_datadir}/ctdb/tests/takeover/det.002.sh
+%{_datadir}/ctdb/tests/takeover/det.003.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.001.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.002.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.003.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.004.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.005.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.006.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.007.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.008.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.009.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.010.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.011.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.012.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.013.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.014.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.015.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.016.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.017.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.018.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.019.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.022.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.023.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.024.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.025.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.026.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.027.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.028.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.029.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.030.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.031.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.032.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.033.sh
+%{_datadir}/ctdb/tests/takeover/nondet.001.sh
+%{_datadir}/ctdb/tests/takeover/nondet.002.sh
+%{_datadir}/ctdb/tests/takeover/nondet.003.sh
+
+%dir %{_datadir}/ctdb/tests/takeover/scripts
+%{_datadir}/ctdb/tests/takeover/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/takeover_helper
+%{_datadir}/ctdb/tests/takeover_helper/000.sh
+%{_datadir}/ctdb/tests/takeover_helper/010.sh
+%{_datadir}/ctdb/tests/takeover_helper/011.sh
+%{_datadir}/ctdb/tests/takeover_helper/012.sh
+%{_datadir}/ctdb/tests/takeover_helper/013.sh
+%{_datadir}/ctdb/tests/takeover_helper/014.sh
+%{_datadir}/ctdb/tests/takeover_helper/015.sh
+%{_datadir}/ctdb/tests/takeover_helper/016.sh
+%{_datadir}/ctdb/tests/takeover_helper/017.sh
+%{_datadir}/ctdb/tests/takeover_helper/018.sh
+%{_datadir}/ctdb/tests/takeover_helper/019.sh
+%{_datadir}/ctdb/tests/takeover_helper/020.sh
+%{_datadir}/ctdb/tests/takeover_helper/021.sh
+%{_datadir}/ctdb/tests/takeover_helper/022.sh
+%{_datadir}/ctdb/tests/takeover_helper/023.sh
+%{_datadir}/ctdb/tests/takeover_helper/024.sh
+%{_datadir}/ctdb/tests/takeover_helper/025.sh
+%{_datadir}/ctdb/tests/takeover_helper/026.sh
+%{_datadir}/ctdb/tests/takeover_helper/027.sh
+%{_datadir}/ctdb/tests/takeover_helper/028.sh
+%{_datadir}/ctdb/tests/takeover_helper/110.sh
+%{_datadir}/ctdb/tests/takeover_helper/111.sh
+%{_datadir}/ctdb/tests/takeover_helper/120.sh
+%{_datadir}/ctdb/tests/takeover_helper/121.sh
+%{_datadir}/ctdb/tests/takeover_helper/122.sh
+%{_datadir}/ctdb/tests/takeover_helper/130.sh
+%{_datadir}/ctdb/tests/takeover_helper/131.sh
+%{_datadir}/ctdb/tests/takeover_helper/132.sh
+%{_datadir}/ctdb/tests/takeover_helper/140.sh
+%{_datadir}/ctdb/tests/takeover_helper/150.sh
+%{_datadir}/ctdb/tests/takeover_helper/160.sh
+%{_datadir}/ctdb/tests/takeover_helper/210.sh
+%{_datadir}/ctdb/tests/takeover_helper/211.sh
+%{_datadir}/ctdb/tests/takeover_helper/220.sh
+%{_datadir}/ctdb/tests/takeover_helper/230.sh
+%{_datadir}/ctdb/tests/takeover_helper/240.sh
+%{_datadir}/ctdb/tests/takeover_helper/250.sh
+%{_datadir}/ctdb/tests/takeover_helper/260.sh
+
+%dir %{_datadir}/ctdb/tests/takeover_helper/scripts
+%{_datadir}/ctdb/tests/takeover_helper/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/tool
+%{_datadir}/ctdb/tests/tool/README
+%{_datadir}/ctdb/tests/tool/ctdb.ban.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ban.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ban.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.continue.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.continue.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.continue.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disablemonitor.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enable.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enable.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enable.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enablemonitor.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbmap.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getmonmode.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getpid.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getreclock.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getreclock.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getvar.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getvar.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ifaces.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.007.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.listnodes.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.listnodes.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.listvars.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.007.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.008.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.007.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.008.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ping.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.pnn.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.process-exists.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.recmaster.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.recmaster.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.recover.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.011.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.012.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.013.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.014.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.015.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.016.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.017.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.018.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.019.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.020.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.021.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.023.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.024.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdebug.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdebug.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdebug.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setifacelink.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setifacelink.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setvar.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setvar.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.status.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.status.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.stop.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.stop.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.stop.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.unban.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.unban.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.unban.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.uptime.001.sh
+
+%dir %{_datadir}/ctdb/tests/tool/scripts
+%{_datadir}/ctdb/tests/tool/scripts/local.sh
+
+%endif # with_clustering_support
+
+%changelog
+* Fri Nov 17 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-12
+- resolves: #1514314 - Fix CVE-2017-14746 and CVE-2017-15275
+
+* Thu Sep 14 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-11
+- resolves: #1491213 - CVE-2017-12150 CVE-2017-12151 CVE-2017-12163
+
+* Wed Aug 23 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-10
+- resolves: #1484423 - Require at least krb5 version 1.15.1
+- resolves: #1484713 - Fix password changes for users via smbpasswd
+- resolves: #1484723 - Be more graceful on FSCTL_VALIDATE_NEGOTIATE_INFO
+ returned errors
+
+* Mon Aug 14 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-9
+- resolves: #1481188 - Fix 'net ads changetrustpw'
+
+* Thu Jun 22 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-8
+- resolves: #1459936 - Fix regression with "follow symlinks = no"
+
+* Tue Jun 20 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-7
+- resolves: #1461336 - Fix smbclient username parsing
+- resolves: #1460937 - Fix username normalization with winbind
+
+* Tue Jun 13 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-6
+- resolves: #1459179 - Fix smbclient session setup printing
+
+* Wed Jun 07 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-5
+- related: #1277999 - Add missing patchset
+
+* Wed May 31 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-4
+- resolves: #1431986 - Fix expand_msdfs VFS module
+
+* Thu May 18 2017 Guenther Deschner <gdeschner@redhat.com> - 4.6.2-3
+- resolves: #1450785 - Security fix for CVE-2017-7494
+
+* Tue May 09 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-2
+- resolves: #1448544 - Fix spoolss 32bit driver upload
+
+* Mon Apr 03 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-1
+- resolves: #1435734 - Fix refreshing winbind tickets
+
+* Fri Mar 31 2017 Guenther Deschner <gdeschner@redhat.com> - 4.6.2-0
+- Update to Samba 4.6.2
+- related: #1430260 - Security fix for CVE-2017-2619
+
+* Thu Mar 23 2017 Guenther Deschner <gdeschner@redhat.com> - 4.6.1-0
+- Update to Samba 4.6.1
+- resolves: #1430260 - Security fix for CVE-2017-2619
+
+* Tue Mar 21 2017 Andreas Schneider <asn@redhat.com> - 4.6.0-5
+- related: #1391954 - Fix kerberos cross-realm referrals
+- resolves: #1430755 - Fix 'net ads' keytab handling
+
+* Wed Mar 15 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-4
+- Export internal arcfour_crypt_blob in Python as samba.arcfour_encrypt
+- related: #1391954 - Update to Samba 4.6.0
+
+* Fri Mar 10 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-3
+- Ensure we set realm when updating ccache in auth/credentials
+- resolves: #1430759 - use GSSAPI gss_acquire_cred_from call for gssproxy support
+
+* Fri Mar 10 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-2
+- resolves: #1430759 - use GSSAPI gss_acquire_cred_from call for gssproxy support
+
+* Tue Mar 07 2017 Andreas Schneider <asn@redhat.com> - 4.6.0-1
+- related: #1391954 - Update to Samba 4.6.0
+- resolves: #1401505 - Improved idmap_hash documentation
+- resolves: #1218926 - Samba ignores default_keytab_name in krb5.conf
+- resolves: #1389786 - Add 'net ads dns unregister'
+
+* Thu Mar 02 2017 Andreas Schneider <asn@redhat.com> - 4.6.0-0.1.rc4
+- related: #1391954 - Update to Samba 4.6.0rc4
+- resolves: #1420130 - samba_krb5_wrapper does not list devices when called with
+ no arguments
+- resolves: #1277999 - Change RPC port range to Windows defaults
+
+* Wed Feb 15 2017 Andreas Schneider <asn@redhat.com> - 4.6.0-0.1.rc3
+- resolves: #1391954 - Update to Samba 4.6.0rc3
+- resolves: #1271082 - Wrong groups listed when id command is called before login
+- resolves: #1327810 - Use 'printcap cache time' for the house keeping interval
+- resolves: #1356932 - Improve documentation for 'ldap ssl' in smb.conf manpage
+- resolves: #1365111 - Fix printer removal if "List in Directory" checkbox is
+ unticked and printer is not listed in AD
+- resolves: #1368439 - Fix ntlm_auth wrong password issues
+- resolves: #1397871 - Include the system krb5.conf in winbinds generated conf
+- resolves: #1397891 - Fix marsalling of spoolss SetPrinter info level 2
+- resolves: #1397895 - Add missing support APD_COPY_FROM_DIRECTORY in
+ AddPrinterDriver
+- resolves: #1403242 - Samba can not access trusted domains through transitive
+ trusts
+- resolves: #1403975 - Fix trusted domain logins
+- resolves: #1411978 - Include the system krb5.conf in winbinds generated conf
+- resolves: #1416746 - Fix division by zero error in ctdb 05.system event script
+
+* Tue Nov 15 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-11
+- related: #1377729 - Fix return code if ip not defined in gethostbyname
+
+* Wed Nov 09 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-11
+- related: #1377307 - Add missing patch to patchset
+
+* Tue Nov 08 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-10
+- resolves: #1377690 - Fix linking nss_wins with libreplace
+- resolves: #1377729 - Fix nss_wins function definitions for gethostbyname*
+- resolves: #1377307 - Fix %G substitution in AD case
+- resolves: #1377751 - Fix regression of smbclient unable to connect to
+ Apple and Azure
+
+* Wed Aug 31 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-9
+- related: #1365479 - Fix idmap range check
+
+* Fri Aug 26 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-8
+- related: #1193493 - Fix smbget url credentials parsing
+
+* Tue Aug 23 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-7
+- resolves: #1365479 - Fix idmap range checks for ad and hash backend
+
+* Tue Aug 16 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-6
+- resolves: #1367316 - Increase required Kerbersion version number
+- resolves: #1366477 - Fix using the right krb5 ccache in libads
+- resolves: #1356501 - Fix high CPU usage with smbclient connection to
+ non-reachable IP
+
+* Wed Aug 03 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-5
+- resolves: #1359091 - Package /usr/lib/samba/ldb in the common-libs package
+- resolves: #1360788 - Fix multilib issue with ctdb-tests package
+- resolves: #1362385 - Fix Samba ignoring supplementary groups
+- resolves: #1364051 - Fix smbd panic with stale ctdb entries
+
+* Mon Jul 04 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-4
+- resolves: #1351655 - Fix winbind meomory leak with each cached credentials
+ login
+- resolves: #1351961 - Fix CVE-2016-2119
+
+* Thu Jun 23 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-3
+- related: #1260214 - Correctly warn about missing realm for ad domains
+ with 'security=domain'
+
+* Tue Jun 21 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-2
+- resolves: #1348223 - Fix sasl wrapped ldap connections
+
+* Wed Jun 08 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-1
+- resolves: #1303076 - Rebase Samba to version 4.4.4
+- resolves: #1314673 - Fix CVE-2015-7560
+- resolves: #1263322 - Add '--no-dns-updates' option to 'net ads join'
+- resolves: #1264433 - Fix segfault in pam_winbind.so with invalid config
+ options
+- resolves: #1193504 - Fix smbget to retrieve files recursively
+- resolves: #1193502 - Fix smbget to use command line credentials
+- resolves: #1193493 - Fix smbget url credentials parsing
+- resolves: #1273999 - Support printing with Kerberos credentials on newer
+ CUPS versions
+- resolves: #1296821 - Define /etc/pam.d/samba as a non replaceable config
+- resolves: #1261107 - Fix memory leak because of missing talloc stackframe
+- resolves: #1333562 - Fix memory leak after smbc_free_context()
+- resolves: #1315422 - Fix regression from CVE-2015-5252
+- resolves: #1316899 - Fixed idmap_hash module issues when used with others
+- resolves: #1322691 - Fix badlock related bugs
+- Fix CVE-2015-5370
+- Fix CVE-2016-2110
+- Fix CVE-2016-2111
+- Fix CVE-2016-2112
+- Fix CVE-2016-2113
+- Fix CVE-2016-2114
+- Fix CVE-2016-2115
+- Fix CVE-2016-2118
+- resolves: #1327951 - Fix regression with anonymous connections from OS X
+- resolves: #1327845 - Fix pcap_cache_reload() with spoolssd
+- resolves: #1289640 - Fix ctdb selinux issue with read only tracking dbs
+- resolves: #1341208 - Fix enumerating groups over NSS with idmap_ad
+- resolves: #1345827 - Fix resolving trusted domain users on domain member
+- resolves: #1346334 - Fix typo in smb.conf.example
+- resolves: #1335292 - Fix site-aware 'net ads join -k'
+- resolves: #1260214 - Accept empty realm for ad domains with 'security=domain'
+
+* Tue May 24 2016 Guenther Deschner <gdeschner@redhat.com> - 4.2.10-8
+- Fix krb5 encryption type setup during join (as admin and non-admin user)
+- resolves: #1312109
+
+* Mon May 02 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.10-7
+- Fix regressions introduced with security tightening as part of Badlock release
+- resolves: #1330199
+
+* Tue Apr 12 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.10-6
+- Fix domain member winbind not being able to talk to trusted domains' DCs
+- relates: #1322691
+
+* Mon Apr 11 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.10-5
+- Fix crash in smb.conf processing
+- relates: #1322691
+
+* Fri Apr 08 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.10-4
+- Fix LDAP SASL bind with arcfour-hmac-md5
+- resolves: #1322691
+
+* Thu Apr 07 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.10-3
+- Make sure the package owns /var/lib/samba and uses it for cache purposes
+- resolves: #1322691
+
+* Wed Apr 06 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.10-2
+- Remove ldb modules and internal libraries for DC when not packaging DC build
+- resolves: #1322691
+
+* Mon Apr 04 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.10-1
+- resolves: #1322691
+
+* Fri Mar 04 2016 Andreas Schneider <asn@redhat.com> - 4.2.3-12
+- resolves: #1314673 - Fix CVE-2015-7560
+
+* Fri Dec 11 2015 Guenther Deschner <gdeschner@redhat.com> - 4.2.3-11
+- resolves: #1290711
+- CVE-2015-3223 Remote DoS in Samba (AD) LDAP server
+- CVE-2015-5299 Missing access control check in shadow copy code
+- CVE-2015-5252 Insufficient symlink verification in smbd
+- CVE-2015-5296 Samba client requesting encryption vulnerable to
+ downgrade attack
+
+* Tue Oct 27 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-10
+- related: #1273393 - Fix use after free with nss_wins module loaded
+
+* Thu Oct 22 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-9
+- resolves: #1273912 - Fix dependencies to samba-common
+- resolves: #1273393 - Fix user after free in smb name resolution
+
+* Wed Oct 21 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-8
+- resolves: #1271608 - Fix upgrade path from previous rhel version
+
+* Tue Sep 01 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-7
+- resolves: #1258293 - Fix quota on XFS filesystems
+
+* Mon Aug 24 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-6
+- resolves: #1255322 - Fix 'map to guest = Bad uid' option
+- resolves: #1255326 - Fix segfault with 'mangling method = hash'
+
+* Wed Aug 19 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-5
+- resolves: #1253193 - Fix 'force group'
+
+* Wed Jul 29 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-4
+- resolves: #1246166 - Fix a 'net ads keytab' segfault
+
+* Tue Jul 21 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-3
+- resolves: #1225719 - Fix possible segfault if we can't connect to the DC
+
+* Mon Jul 20 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-2
+- resolves: #1238194 - Fix the 'dfree command'
+- resolves: #1216062 - Document netbios name length limitation
+
+* Tue Jul 14 2015 Andreas Schneider <asn@redhat.com> - 4.2.3-1
+- related: #1196140 - Rebase to version 4.2.3
+- resolves: #1237036 - Fix DCERPC PDU calculation
+- resolves: #1237039 - Fix winbind request cancellation
+- resolves: #1223981 - Fix possible segfault with smbX protocol setting
+
+* Mon Jun 22 2015 Andreas Schneider <asn@redhat.com> - 4.2.2-3
+- resolves: #1228809 - Allow reauthentication without signing
+
+* Thu Jun 18 2015 Andreas Schneider <asn@redhat.com> - 4.2.2-2
+- related: #1196140 - Add missing build dependency for libarchive
+- related: #1196140 - Make sure we do a hardened build
+
+* Wed Jun 17 2015 Andreas Schneider <asn@redhat.com> - 4.2.2-1
+- resolves: #1196140 - Rebase Samba to version 4.2.2
+- resolves: #1186403 - Split patches to fix multiarch conflicts
+- resolves: #1167325 - Retrieve printer GUID from AD if it is not in the
+ registry
+- resolves: #1220174 - Fix issues with winbind library dependencies
+- resolves: #1211658 - Fix stale cache entries on printer rename
+- resolves: #1228809 - Fix reconnect on session exparation
+
+* Tue May 12 2015 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-22
+- resolves: #1202347 - Fix NETLOGON authentication without winbindd.
+
+* Thu Apr 09 2015 Andreas Schneider <asn@redhat.com> - 4.1.12-21
+- related: #1205703 - Rebuild Samba with new binutils package.
+
+* Thu Apr 02 2015 Andreas Schneider <asn@redhat.com> - 4.1.12-20
+- resolves: #1205703 - Fix build with RELRO support.
+
+* Mon Feb 16 2015 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-19
+- related: #1191341 - Update patchset for CVE-2015-0240.
+
+* Thu Feb 12 2015 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-18
+- resolves: #1191341 - CVE-2015-0240: RCE in netlogon server.
+
+* Fri Jan 09 2015 - Andreas Schneider <asn@redhat.com> - 4.1.12-17
+- related: #1177768 - Add missing requires to libwbclient.
+
+* Thu Jan 08 2015 Andreas Schneider <asn@redhat.com> - 4.1.12-16
+- related: #1177768 - Add missing requires to libwbclient.
+
+* Thu Jan 08 2015 Andreas Schneider <asn@redhat.com> - 4.1.12-15
+- resolves: #1177768 - Fix possible segfault with 'net ads kerberos pac dump'.
+
+* Tue Dec 16 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-14
+- resolves: #1171689 - Fix smbstatus if executed as user to print error message.
+
+* Fri Dec 12 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-13
+- resolves: #1172089 - Fix 'net rpc join' with schannel changes.
+- resolves: #1170883 - Fix 'net time system' segfault.
+
+* Tue Nov 25 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-12
+- related: #1162526 - Fix multilib with using alternatives for libwbclient.
+
+* Tue Nov 25 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-11
+- resolves: #1163748 - Fix smbclient -L fails against new Windows versions
+ over TCP.
+- resolves: #1167849 - Fix smbstatus --profile always returning EXIT_FAILURE.
+
+* Thu Nov 20 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-10
+- related: #1162526 - Fix multilib with using alternatives for libwbclient.
+
+* Thu Nov 20 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-9
+- resolves: #1162552 - Fix net ads join segfault on big endian systems.
+- resolves: #1164203 - Fix net ads join segfault with existing keytab.
+
+* Thu Nov 13 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-8
+- related: #1162526 - Fix multilib issues when using alternatives for libwbclient.
+
+* Wed Nov 12 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-7
+- resolves: #1162526 - Use alternatives for libwbclient.
+
+* Mon Nov 03 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-6
+- related: #1156391 - Fix netbios name truncation during registration.
+
+* Wed Oct 29 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-5
+- resolves: #1156391 - Fix netbios name truncation during registration.
+
+* Thu Oct 09 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-4
+- related: #1117770 - Fix empty full_name field with samlogon.
+
+* Fri Sep 26 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-3
+- resolves: #878351 - Fix usage of AES keys by default.
+- resolves: #861366 - Fix KRB5 locator to use same KDC for joining and DNS update.
+
+* Tue Sep 16 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-2
+- resolves: #1138554 - Fix consuming a lot of CPU when re-reading printcap info.
+- resolves: #1134323 - Fix running Samba on little endian Power8 (ppc64le).
+- resolves: #1113064 - Fix case sensitivity options with SMB2 protocols.
+- resolves: #1088924 - Fix applying ACL masks when setting ACLs.
+- resolves: #1135723 - Fix 'force user' regression.
+- resolves: #1117770 - Fix empty full_name field with samlogon.
+- resolves: #1101210 - Fix telling systemd that nmbd is waiting for interfaces.
+- resolves: #1127931 - Fix getgroups() with idmap_ad returning non-mapped groups.
+- resolves: #1144963 - Fix idmap_ad with SFU against trusted domains.
+- resolves: #1140568 - Fix a segfault in the smbclient echo command.
+- resolves: #1089940 - Improve service principal guessing in 'net ads'.
+- resolves: #955561 - Fix overwriting of SPNs in AD during 'net ads join'.
+- resolves: #955562 - Add precreated SPNS from AD during keytab initialization.
+
+* Mon Sep 08 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-1
+- related: #1110820 - Rebase Samba to latest release.
+
+* Tue Aug 26 2014 - Andreas Schneider <asn@redhat.com> - 4.1.11-1
+- resolves: #1110820 - Rebase Samba to latest release.
+
+* Mon Aug 25 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-37
+- resolves: #1072352 - Make pidl a noarch subpackage.
+- resolves: #1133516 - Create a samba-test-libs package.
+- resolves: #1132873 - Add support to rebuild without clustering.
+
+* Fri Aug 01 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-36
+- resolves: #1126014 - CVE-2014-3560: remote code execution in nmbd.
+
+* Wed Jul 02 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-35
+- resolves: #1115060 - Fix potential Samba file corruption.
+
+* Wed Jun 11 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-34
+- resolves: #1105505 - CVE-2014-0244: DoS in nmbd.
+- resolves: #1108845 - CVE-2014-3493: DoS in smbd with unicode path names.
+- resolves: #1105574 - CVE-2014-0178: Uninitialized memory exposure.
+
+* Mon May 05 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-33
+- related: #717484 - Add missing configure line to enable profiling data support.
+
+* Tue Apr 22 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-32
+- related: #1082653 - Reuse IPv6 address during the AD domain join.
+
+* Thu Apr 03 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-31
+- resolves: #1082653 - Add IPv6 workaround for MIT kerberos.
+
+* Thu Apr 03 2014 - Alexander Bokovoy <abokovoy@redhat.com> - 4.1.1-30
+- resolves: #1083859 - Force KRB5CCNAME in Samba systemd units.
+- related: #1082598 - Fully enables systemd integration.
+
+* Tue Apr 01 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-29
+- resolves: #1082598 - Add missing BuildRequires for systemd-devel.
+
+* Wed Mar 26 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-28
+- resolves: #1077918 - Make daemons systemd aware.
+
+* Mon Mar 24 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-27
+- resolves: #1077857 - Fix internal error received while adding trust.
+
+* Fri Mar 21 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-26
+- resolves: #1079008 - Fix fragmented rpc handling.
+
+* Tue Mar 18 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-25
+- resolves: #1077651 - Fix 'force user' option for shares.
+
+* Wed Mar 12 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-24
+- resolves: #1053748 - Enhance "net ads kerberos pac" tool.
+
+* Mon Mar 10 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-23
+- resolves: #1072804 - Fix CVE-2013-4496.
+- resolves: #1072804 - Fix CVE-2013-6442.
+
+* Fri Mar 07 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-22
+- resolves: #1024788 - Fix joining over IPv6.
+
+* Tue Mar 04 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-21
+- resolves: #1066536 - Fix NBT queries with more than 9 or more components.
+
+* Thu Feb 27 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-20
+- resolves: #1070692 - Don't package perl(Parse::Yapp::Driver)
+
+* Tue Feb 25 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-19
+- related: #1067606 - Add missing directories.
+
+* Tue Feb 25 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-18
+- related: #1067606 - Fix installation of pidl files.
+
+* Tue Feb 25 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-17
+- resolves: #1067606 - Fix wbinfo with one-way trust.
+- resolves: #1069569 - Fix memory leak reading the printer list.
+
+* Thu Feb 20 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-16
+- resolves: #1063186 - Fix force_user with security=ads.
+
+* Wed Feb 05 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-15
+- resolves: #1029001 - Fix force_user with security=ads.
+
+* Tue Jan 28 2014 Daniel Mach <dmach@redhat.com> - 4.1.1-14
+- Mass rebuild 2014-01-24
+
+* Mon Jan 13 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-13
+- resolves: #1051582 - Fix warnings an resource leaks reported by rpmdiff.
+
+* Fri Jan 10 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-12
+- resolves: #1050886 - Fix full CPU utilization in winbindd.
+- resolves: #1051400 - Fix segfault in smbd.
+- resolves: #1051402 - Fix SMB2 server panic when a smb2 brlock times out.
+
+* Thu Jan 09 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-11
+- resolves: #1042845 - Do not build with libbsd.
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 4.1.1-10
+- Mass rebuild 2013-12-27
+
+* Wed Dec 11 2013 - Andreas Schneider <asn@redhat.com> - 4.1.1-9
+- resolves: #1033122 - Fix dropbox regression.
+- resolves: #1040464 - Fix %G substituion for config parameters.
+
+* Wed Dec 11 2013 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-8
+- resolves: #1040052 - Fix winbind debug message NULL pointer derreference.
+
+* Mon Dec 09 2013 - Andreas Schneider <asn@redhat.com> - 4.1.1-7
+- resolves: #1039499 - Fix CVE-2012-6150.
+
+* Fri Nov 29 2013 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-6
+- resolves: #1033109 - Fix winbind cache keysize limitations.
+
+* Wed Nov 27 2013 - Andreas Schneider <asn@redhat.com> - 4.1.1-5
+- resolves: #1034160 - Make sure we don't build the fam notify module.
+
+* Mon Nov 25 2013 - Andreas Schneider <asn@redhat.com> - 4.1.1-4
+- resolves: #1034048 - Fix group name substitution in template homedir.
+- resolves: #1018041 - Fix CVE-2013-4408.
+- related: #884169 - Fix several covscan warnings.
+
+* Mon Nov 18 2013 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-3
+- resolves: #948509 - Fix manpage correctness.
+
+* Fri Nov 15 2013 - Andreas Schneider <asn@redhat.com> - 4.1.1-2
+- related: #884169 - Fix strict aliasing warnings.
+
+* Mon Nov 11 2013 - Andreas Schneider <asn@redhat.com> - 4.1.1-1
+- resolves: #1024543 - Fix CVE-2013-4475.
+- Update to Samba 4.1.1.
+
+* Mon Nov 11 2013 - Andreas Schneider <asn@redhat.com> - 4.1.0-5
+- related: #884169 - Fix the upgrade path.
+
+* Wed Oct 30 2013 - Andreas Schneider <asn@redhat.com> - 4.1.0-4
+- related: #884169 - Add direct dependency to samba-libs in the
+ glusterfs package.
+- resolves: #996567 - Fix userPrincipalName composition.
+- related: #884169 - Fix memset call with zero length in in ntdb.
+
+* Fri Oct 18 2013 - Andreas Schneider <asn@redhat.com> - 4.1.0-3
+- resolves: #1019384 - Build glusterfs VFS plguin.
+
+* Tue Oct 15 2013 - Andreas Schneider <asn@redhat.com> - 4.1.0-2
+- related: #1014656 - Fix dependency of samba-winbind-modules package.
+
+* Fri Oct 11 2013 - Andreas Schneider <asn@redhat.com> - 4.1.0-1
+- related: #985609 - Update to Samba 4.1.0.
+
+* Tue Oct 01 2013 - Andreas Schneider <asn@redhat.com> - 2:4.1.0-0.8
+- related: #985609 - Update to Samba 4.1.0rc4.
+- resolves: #1014656 - Split out a samba-winbind-modules package.
+
+* Wed Sep 11 2013 - Andreas Schneider <asn@redhat.com> - 2:4.1.0-0.7
+- related: #985609 - Update to Samba 4.1.0rc3.
+- resolves: #1005422 - Add support for KEYRING ccache type in pam_winbindd.
+
+* Wed Sep 04 2013 - Andreas Schneider <asn@redhat.com> - 2:4.1.0-0.6
+- resolves: #717484 - Enable profiling data support.
+
+* Thu Aug 22 2013 - Guenther Deschner <gdeschner@redhat.com> - 2:4.1.0-0.5
+- resolves: #996160 - Fix winbind with trusted domains.
+
+* Wed Aug 14 2013 - Andreas Schneider <asn@redhat.com> 2:4.1.0-0.4
+- resolves: #996160 - Fix winbind nbt name lookup segfault.
+
+* Mon Aug 12 2013 - Andreas Schneider <asn@redhat.com> - 2:4.1.0-0.3
+- related: #985609 - Update to Samba 4.1.0rc2.
+
+* Wed Jul 24 2013 - Andreas Schneider <asn@redhat.com> - 2:4.1.0-0.2
+- resolves: #985985 - Fix file conflict between samba and wine.
+- resolves: #985107 - Add support for new default location for Kerberos
+ credential caches.
+
+* Sat Jul 20 2013 Petr Pisar <ppisar@redhat.com> - 2:4.1.0-0.1.rc1.1
+- Perl 5.18 rebuild
+
+* Wed Jul 17 2013 - Andreas Schneider <asn@redhat.com> - 2:4.1.0-0.1
+- Update to Samba 4.1.0rc1.
+- resolves: #985609
+
+* Mon Jul 15 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.7-2
+- resolves: #972692 - Build with PIE and full RELRO.
+- resolves: #884169 - Add explicit dependencies suggested by rpmdiff.
+- resolves: #981033 - Local user's krb5cc deleted by winbind.
+- resolves: #984331 - Fix samba-common tmpfiles configuration file in wrong
+ directory.
+
+* Wed Jul 03 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.7-1
+- Update to Samba 4.0.7.
+
+* Fri Jun 07 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.6-3
+- Add UPN enumeration to passdb internal API (bso #9779).
+
+* Wed May 22 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.6-2
+- resolves: #966130 - Fix build with MIT Kerberos.
+- List vfs modules in spec file.
+
+* Tue May 21 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.6-1
+- Update to Samba 4.0.6.
+- Remove SWAT.
+
+* Wed Apr 10 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.5-1
+- Update to Samba 4.0.5.
+- Add UPN enumeration to passdb internal API (bso #9779).
+- resolves: #928947 - samba-doc is obsolete now.
+- resolves: #948606 - LogRotate should be optional, and not a hard "Requires".
+
+* Fri Mar 22 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.4-3
+- resolves: #919405 - Fix and improve large_readx handling for broken clients.
+- resolves: #924525 - Don't use waf caching.
+
+* Wed Mar 20 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.4-2
+- resolves: #923765 - Improve packaging of README files.
+
+* Wed Mar 20 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.4-1
+- Update to Samba 4.0.4.
+
+* Mon Mar 11 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.3-4
+- resolves: #919333 - Create /run/samba too.
+
+* Mon Mar 04 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.3-3
+- Fix the cache dir to be /var/lib/samba to support upgrades.
+
+* Thu Feb 14 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.3-2
+- resolves: #907915 - libreplace.so => not found
+
+* Thu Feb 07 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.3-1
+- Update to Samba 4.0.3.
+- resolves: #907544 - Add unowned directory /usr/lib64/samba.
+- resolves: #906517 - Fix pidl code generation with gcc 4.8.
+- resolves: #908353 - Fix passdb backend ldapsam as module.
+
+* Wed Jan 30 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.2-1
+- Update to Samba 4.0.2.
+- Fixes CVE-2013-0213.
+- Fixes CVE-2013-0214.
+- resolves: #906002
+- resolves: #905700
+- resolves: #905704
+- Fix conn->share_access which is reset between user switches.
+- resolves: #903806
+- Add missing example and make sure we don't introduce perl dependencies.
+- resolves: #639470
+
+* Wed Jan 16 2013 - Andreas Schneider <asn@redhat.com> - 2:4.0.1-1
+- Update to Samba 4.0.1.
+- Fixes CVE-2013-0172.
+
+* Mon Dec 17 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-174
+- Fix typo in winbind-krb-locator post uninstall script.
+
+* Tue Dec 11 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-173
+- Update to Samba 4.0.0.
+
+* Thu Dec 06 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-171.rc6
+- Fix typo in winbind-krb-locator post uninstall script.
+
+* Tue Dec 04 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-170.rc6
+- Update to Samba 4.0.0rc6.
+- Add /etc/pam.d/samba for swat to work correctly.
+- resolves #882700
+
+* Fri Nov 23 2012 Guenther Deschner <gdeschner@redhat.com> - 2:4.0.0-169.rc5
+- Make sure ncacn_ip_tcp client code looks for NBT_NAME_SERVER name types.
+
+* Thu Nov 15 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-168.rc5
+- Reduce dependencies of samba-devel and create samba-test-devel package.
+
+* Tue Nov 13 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-167.rc5
+- Use workaround for winbind default domain only when set.
+- Build with old ctdb support.
+
+* Tue Nov 13 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-166.rc5
+- Update to Samba 4.0.0rc5.
+
+* Mon Nov 05 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-165.rc4
+- Fix library dependencies of libnetapi.
+
+* Mon Nov 05 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-164.rc4
+- resolves: #872818 - Fix perl dependencies.
+
+* Tue Oct 30 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-163.rc4
+- Update to Samba 4.0.0rc4.
+
+* Mon Oct 29 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-162.rc3
+- resolves: #870630 - Fix scriptlets interpeting a comment as argument.
+
+* Fri Oct 26 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-161.rc3
+- Add missing Requries for python modules.
+- Add NetworkManager dispatcher script for winbind.
+
+* Fri Oct 19 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-160.rc3
+- resolves: #867893 - Move /var/log/samba to samba-common package for
+ winbind which requires it.
+
+* Thu Oct 18 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-159.rc3
+- Compile default auth methods into smbd.
+
+* Tue Oct 16 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-158.rc3
+- Move pam_winbind.conf and the manpages to the right package.
+
+* Tue Oct 16 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-157.rc3
+* resolves: #866959 - Build auth_builtin as static module.
+
+* Tue Oct 16 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-156.rc3
+- Update systemd Requires to reflect latest packaging guidelines.
+
+* Tue Oct 16 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-155.rc3
+- Add back the AES patches which didn't make it in rc3.
+
+* Tue Oct 16 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-154.rc3
+- Update to 4.0.0rc3.
+- resolves: #805562 - Unable to share print queues.
+- resolves: #863388 - Unable to reload smbd configuration with systemctl.
+
+* Wed Oct 10 2012 - Alexander Bokovoy <abokovoy@redhat.com> - 2:4.0.0-153.rc2
+- Use alternatives to configure winbind_krb5_locator.so
+- Fix Requires for winbind.
+
+* Thu Oct 04 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-152.rc2
+- Add kerberos AES support.
+- Fix printing initialization.
+
+* Tue Oct 02 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-151.rc2
+- Update to 4.0.0rc2.
+
+* Wed Sep 26 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-150.rc1
+- Fix Obsoletes/Provides for update from samba4.
+- Bump release number to be bigger than samba4.
+
+* Wed Sep 26 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-96.rc1
+- Package smbprint again.
+
+* Wed Sep 26 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-95.rc1
+- Update to 4.0.0rc1.
+
+* Mon Aug 20 2012 Guenther Deschner <gdeschner@redhat.com> - 2:3.6.7-94.2
+- Update to 3.6.7
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:3.6.6-93.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jul 19 2012 Guenther Deschner <gdeschner@redhat.com> - 2:3.6.6-93
+- Fix printing tdb upgrade for 3.6.6
+- resolves: #841609
+
+* Sun Jul 15 2012 Ville Skyttä <ville.skytta@iki.fi> - 2:3.6.6-92
+- Call ldconfig at libwbclient and -winbind-clients post(un)install time.
+- Fix empty localization files, use %%find_lang to find and %%lang-mark them.
+- Escape macros in %%changelog.
+- Fix source tarball URL.
+
+* Tue Jun 26 2012 Guenther Deschner <gdeschner@redhat.com> - 2:3.6.6-91
+- Update to 3.6.6
+
+* Thu Jun 21 2012 Andreas Schneider <asn@redhat.com> - 2:3.6.5-90
+- Fix ldonfig.
+- Require systemd for samba-common package.
+- resolves: #829197
+
+* Mon Jun 18 2012 Andreas Schneider <asn@redhat.com> - 2:3.6.5-89
+- Fix usrmove paths.
+- resolves: #829197
+
+* Tue May 15 2012 Andreas Schneider <asn@redhat.com> - 2:3.6.5-88
+- Move tmpfiles.d config to common package as it is needed for smbd and
+ winbind.
+- Make sure tmpfiles get created after installation.
+
+* Wed May 09 2012 Guenther Deschner <gdeschner@redhat.com> - 2:3.6.5-87
+- Correctly use system iniparser library
+
+* Fri May 04 2012 Andreas Schneider <asn@redhat.com> - 2:3.6.5-86
+- Bump Epoch to fix a problem with a Samba4 update in testing.
+
+* Mon Apr 30 2012 Guenther Deschner <gdeschner@redhat.com> - 1:3.6.5-85
+- Security Release, fixes CVE-2012-2111
+- resolves: #817551
+
+* Mon Apr 23 2012 Andreas Schneider <asn@redhat.com> - 1:3.6.4-84
+- Fix creation of /var/run/samba.
+- resolves: #751625
+
+* Fri Apr 20 2012 Guenther Deschner <gdeschner@redhat.com> - 1:3.6.4-83
+- Avoid private krb5_locate_kdc usage
+- resolves: #754783
+
+* Thu Apr 12 2012 Jon Ciesla <limburgher@gmail.com> - 1:3.6.4-82
+- Update to 3.6.4
+- Fixes CVE-2012-1182
+
+* Mon Mar 19 2012 Andreas Schneider <asn@redhat.com> - 1:3.6.3-81
+- Fix provides for of libwclient-devel for samba-winbind-devel.
+
+* Thu Feb 23 2012 Andreas Schneider <asn@redhat.com> - 1:3.6.3-80
+- Add commented out 'max protocol' to the default config.
+
+* Mon Feb 13 2012 Andreas Schneider <asn@redhat.com> - 1:3.6.3-79
+- Create a libwbclient package.
+- Replace winbind-devel with libwbclient-devel package.
+
+* Mon Jan 30 2012 Andreas Schneider <asn@redhat.com> - 1:3.6.3-78
+- Update to 3.6.3
+- Fixes CVE-2012-0817
+
+* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:3.6.1-77.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Dec 05 2011 Andreas Schneider <asn@redhat.com> - 1:3.6.1-77
+- Fix winbind cache upgrade.
+- resolves: #760137
+
+* Fri Nov 18 2011 Andreas Schneider <asn@redhat.com> - 1:3.6.1-76
+- Fix piddir to match with systemd files.
+- Fix crash bug in the debug system.
+- resolves: #754525
+
+* Fri Nov 04 2011 Andreas Schneider <asn@redhat.com> - 1:3.6.1-75
+- Fix systemd dependencies
+- resolves: #751397
+
+* Wed Oct 26 2011 Andreas Schneider <asn@redhat.com> - 1:3.6.1-74
+- Update to 3.6.1
+
+* Tue Oct 04 2011 Guenther Deschner <gdeschner@redhat.com> - 1:3.6.0-73
+- Fix nmbd startup
+- resolves: #741630
+
+* Tue Sep 20 2011 Tom Callaway <spot@fedoraproject.org> - 1:3.6.0-72
+- convert to systemd
+- restore epoch from f15
+
+* Sat Aug 13 2011 Guenther Deschner <gdeschner@redhat.com> - 3.6.0-71
+- Update to 3.6.0 final
+
+* Sun Jul 31 2011 Guenther Deschner <gdeschner@redhat.com> - 3.6.0rc3-70
+- Update to 3.6.0rc3
+
+* Tue Jun 07 2011 Guenther Deschner <gdeschner@redhat.com> - 3.6.0rc2-69
+- Update to 3.6.0rc2
+
+* Tue May 17 2011 Guenther Deschner <gdeschner@redhat.com> - 3.6.0rc1-68
+- Update to 3.6.0rc1
+
+* Wed Apr 27 2011 Guenther Deschner <gdeschner@redhat.com> - 3.6.0pre3-67
+- Update to 3.6.0pre3
+
+* Wed Apr 13 2011 Guenther Deschner <gdeschner@redhat.com> - 3.6.0pre2-66
+- Update to 3.6.0pre2
+
+* Fri Mar 11 2011 Guenther Deschner <gdeschner@redhat.com> - 3.6.0pre1-65
+- Enable quota support
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0:3.6.0-64pre1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Nov 24 2010 Guenther Deschner <gdeschner@redhat.com> - 3.6.0pre1-64
+- Add %%ghost entry for /var/run using tmpfs
+- resolves: #656685
+
+* Thu Aug 26 2010 Guenther Deschner <gdeschner@redhat.com> - 3.6.0pre1-63
+- Put winbind krb5 locator plugin into a separate rpm
+- resolves: #627181
+
+* Tue Aug 03 2010 Guenther Deschner <gdeschner@redhat.com> - 3.6.0pre1-62
+- Update to 3.6.0pre1
+
+* Wed Jun 23 2010 Guenther Deschner <gdeschner@redhat.com> - 3.5.4-61
+- Update to 3.5.4
+
+* Wed May 19 2010 Guenther Deschner <gdeschner@redhat.com> - 3.5.3-60
+- Update to 3.5.3
+- Make sure nmb and smb initscripts return LSB compliant return codes
+- Fix winbind over ipv6
+
+* Wed Apr 07 2010 Guenther Deschner <gdeschner@redhat.com> - 3.5.2-59
+- Update to 3.5.2
+
+* Mon Mar 08 2010 Simo Sorce <ssorce@redhat.com> - 3.5.1-58
+- Security update to 3.5.1
+- Fixes CVE-2010-0728
+
+* Mon Mar 08 2010 Guenther Deschner <gdeschner@redhat.com> - 3.5.0-57
+- Remove cifs.upcall and mount.cifs entirely
+
+* Mon Mar 01 2010 Guenther Deschner <gdeschner@redhat.com> - 3.5.0-56
+- Update to 3.5.0
+
+* Fri Feb 19 2010 Guenther Deschner <gdeschner@redhat.com> - 3.5.0rc3-55
+- Update to 3.5.0rc3
+
+* Tue Jan 26 2010 Guenther Deschner <gdeschner@redhat.com> - 3.5.0rc2-54
+- Update to 3.5.0rc2
+
+* Fri Jan 15 2010 Jeff Layton <jlayton@redhat.com> - 3.5.0rc1-53
+- separate out CIFS tools into cifs-utils package
+
+* Fri Jan 08 2010 Guenther Deschner <gdeschner@redhat.com> - 3.5.0rc1-52
+- Update to 3.5.0rc1
+
+* Tue Dec 15 2009 Guenther Deschner <gdeschner@redhat.com> - 3.5.0pre2-51
+- Update to 3.5.0pre2
+- Remove umount.cifs
+
+* Wed Nov 25 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.3-49
+- Various updates to inline documentation in default smb.conf file
+- resolves: #483703
+
+* Thu Oct 29 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.3-48
+- Update to 3.4.3
+
+* Fri Oct 09 2009 Simo Sorce <ssorce@redhat.com> - 3.4.2-47
+- Spec file cleanup
+- Fix sources upstream location
+- Remove conditionals to build talloc and tdb, now they are completely indepent
+ packages in Fedora
+- Add defattr() where missing
+- Turn all tabs into 4 spaces
+- Remove unused migration script
+- Split winbind-clients out of main winbind package to avoid multilib to include
+ huge packages for no good reason
+
+* Thu Oct 01 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.2-0.46
+- Update to 3.4.2
+- Security Release, fixes CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906
+
+* Wed Sep 16 2009 Tomas Mraz <tmraz@redhat.com> - 3.4.1-0.45
+- Use password-auth common PAM configuration instead of system-auth
+
+* Wed Sep 09 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.1-0.44
+- Update to 3.4.1
+
+* Thu Aug 20 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.0-0.43
+- Fix cli_read()
+- resolves: #516165
+
+* Thu Aug 06 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.0-0.42
+- Fix required talloc version number
+- resolves: #516086
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0:3.4.0-0.41.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Fri Jul 17 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.0-0.41
+- Fix Bug #6551 (vuid and tid not set in sessionsetupX and tconX)
+- Specify required talloc and tdb version for BuildRequires
+
+* Fri Jul 03 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.0-0.40
+- Update to 3.4.0
+
+* Fri Jun 19 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.0rc1-0.39
+- Update to 3.4.0rc1
+
+* Mon Jun 08 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.0pre2-0.38
+- Update to 3.4.0pre2
+
+* Thu Apr 30 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.0pre1-0.37
+- Update to 3.4.0pre1
+
+* Wed Apr 29 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.4-0.36
+- Update to 3.3.4
+
+* Mon Apr 20 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.3-0.35
+- Enable build of idmap_tdb2 for clustered setups
+
+* Wed Apr 1 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.3-0.34
+- Update to 3.3.3
+
+* Thu Mar 26 2009 Simo Sorce <ssorce@redhat.com> - 3.3.2-0.33
+- Fix nmbd init script nmbd reload was causing smbd not nmbd to reload the
+ configuration
+- Fix upstream bug 6224, nmbd was waiting 5+ minutes before running elections on
+ startup, causing your own machine not to show up in the network for 5 minutes
+ if it was the only client in that workgroup (fix committed upstream)
+
+* Thu Mar 12 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.2-0.31
+- Update to 3.3.2
+- resolves: #489547
+
+* Thu Mar 5 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.1-0.30
+- Add libcap-devel to requires list (resolves: #488559)
+
+* Tue Mar 3 2009 Simo Sorce <ssorce@redhat.com> - 3.3.1-0.29
+- Make the talloc and ldb packages optionsl and disable their build within
+ the samba3 package, they are now built as part of the samba4 package
+ until they will both be released as independent packages.
+
+* Wed Feb 25 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.1-0.28
+- Enable cluster support
+
+* Tue Feb 24 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.1-0.27
+- Update to 3.3.1
+
+* Sat Feb 21 2009 Simo Sorce <ssorce@redhat.com> - 3.3.0-0.26
+- Rename ldb* tools to ldb3* to avoid conflicts with newer ldb releases
+
+* Tue Feb 3 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.0-0.25
+- Update to 3.3.0 final
+- Add upstream fix for ldap connections to AD (Bug #6073)
+- Remove bogus perl dependencies (resolves: #473051)
+
+* Fri Nov 28 2008 Guenther Deschner <gdeschner@redhat.com> - 3.3.0-0rc1.24
+- Update to 3.3.0rc1
+
+* Thu Nov 27 2008 Simo Sorce <ssorce@redhat.com> - 3.2.5-0.23
+- Security Release, fixes CVE-2008-4314
+
+* Thu Sep 18 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.4-0.22
+- Update to 3.2.4
+- resolves: #456889
+- move cifs.upcall to /usr/sbin
+
+* Wed Aug 27 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.3-0.21
+- Security fix for CVE-2008-3789
+
+* Mon Aug 25 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.2-0.20
+- Update to 3.2.2
+
+* Mon Aug 11 2008 Simo Sorce <ssorce@redhat.com> - 3.2.1-0.19
+- Add fix for CUPS problem, fixes bug #453951
+
+* Wed Aug 6 2008 Simo Sorce <ssorce@redhat.com> - 3.2.1-0.18
+- Update to 3.2.1
+
+* Tue Jul 1 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-2.17
+- Update to 3.2.0 final
+- resolves: #452622
+
+* Tue Jun 10 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.rc2.16
+- Update to 3.2.0rc2
+- resolves: #449522
+- resolves: #448107
+
+* Fri May 30 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.rc1.15
+- Fix security=server
+- resolves: #449038, #449039
+
+* Wed May 28 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.rc1.14
+- Add fix for CVE-2008-1105
+- resolves: #446724
+
+* Fri May 23 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.rc1.13
+- Update to 3.2.0rc1
+
+* Wed May 21 2008 Simo Sorce <ssorce@redhat.com> - 3.2.0-1.pre3.12
+- make it possible to print against Vista and XP SP3 as servers
+- resolves: #439154
+
+* Thu May 15 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.pre3.11
+- Add "net ads join createcomputer=ou1/ou2/ou3" fix (BZO #5465)
+
+* Fri May 09 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.pre3.10
+- Add smbclient fix (BZO #5452)
+
+* Fri Apr 25 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.pre3.9
+- Update to 3.2.0pre3
+
+* Tue Mar 18 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.pre2.8
+- Add fixes for libsmbclient and support for r/o relocations
+
+* Mon Mar 10 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.pre2.7
+- Fix libnetconf, libnetapi and msrpc DSSETUP call
+
+* Thu Mar 06 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.pre2.6
+- Create separate packages for samba-winbind and samba-winbind-devel
+- Add cifs.spnego helper
+
+* Wed Mar 05 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.pre2.3
+- Update to 3.2.0pre2
+- Add talloc and tdb lib and devel packages
+- Add domainjoin-gui package
+
+* Fri Feb 22 2008 Simo Sorce <ssorce@redhat.com> - 3.2.0-0.pre1.3
+- Try to fix GCC 4.3 build
+- Add --with-dnsupdate flag and also make sure other flags are required just to
+ be sure the features are included without relying on autodetection to be
+ successful
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0:3.2.0-1.pre1.2
+- Autorebuild for GCC 4.3
+
+* Tue Dec 04 2007 Release Engineering <rel-eng at fedoraproject dot org> - 3.2.0-0.pre1.2
+- Rebuild for openldap bump
+
+* Thu Oct 18 2007 Guenther Deschner <gdeschner@redhat.com> 3.2.0-0.pre1.1.fc9
+- 32/64bit padding fix (affects multilib installations)
+
+* Mon Oct 8 2007 Simo Sorce <ssorce@redhat.com> 3.2.0-0.pre1.fc9
+- New major relase, minor switched from 0 to 2
+- License change, the code is now GPLv3+
+- Numerous improvements and bugfixes included
+- package libsmbsharemodes too
+- remove smbldap-tools as they are already packaged separately in Fedora
+- Fix bug 245506
+
+* Tue Oct 2 2007 Simo Sorce <ssorce@redhat.com> 3.0.26a-1.fc8
+- rebuild with AD DNS Update support
+
+* Tue Sep 11 2007 Simo Sorce <ssorce@redhat.com> 3.0.26a-0.fc8
+- upgrade to the latest upstream realease
+- includes security fixes released today in 3.0.26
+
+* Fri Aug 24 2007 Simo Sorce <ssorce@redhat.com> 3.0.25c-4.fc8
+- add fix reported upstream for heavy idmap_ldap memleak
+
+* Tue Aug 21 2007 Simo Sorce <ssorce@redhat.com> 3.0.25c-3.fc8
+- fix a few places were "open" is used an interfere with the new glibc
+
+* Tue Aug 21 2007 Simo Sorce <ssorce@redhat.com> 3.0.25c-2.fc8
+- remove old source
+- add patch to fix samba bugzilla 4772
+
+* Tue Aug 21 2007 Guenther Deschner <gdeschner@redhat.com> 3.0.25c-0.fc8
+- update to 3.0.25c
+
+* Fri Jun 29 2007 Simo Sorce <ssorce@redhat.com> 3.0.25b-3.fc8
+- handle cases defined in #243766
+
+* Tue Jun 26 2007 Simo Sorce <ssorce@redhat.com> 3.0.25b-2.fc8
+- update to 3.0.25b
+- better error codes for init scripts: #244823
+
+* Tue May 29 2007 Günther Deschner <gdeschner@redhat.com>
+- fix pam_smbpass patch.
+
+* Fri May 25 2007 Simo Sorce <ssorce@redhat.com>
+- update to 3.0.25a as it contains many fixes
+- add a fix for pam_smbpass made by Günther but committed upstream after 3.0.25a was cut.
+
+* Mon May 14 2007 Simo Sorce <ssorce@redhat.com>
+- final 3.0.25
+- includes security fixes for CVE-2007-2444,CVE-2007-2446,CVE-2007-2447
+
+* Mon Apr 30 2007 Günther Deschner <gdeschner@redhat.com>
+- move to 3.0.25rc3
+
+* Thu Apr 19 2007 Simo Sorce <ssorce@redhat.com>
+- fixes in the spec file
+- moved to 3.0.25rc1
+- addedd patches (merged upstream so they will be removed in 3.0.25rc2)
+
+* Wed Apr 4 2007 Simo Sorce <ssorce@redhat.com> 3.0.24-12.fc7
+- fixes in smb.conf
+- advice in smb.conf to put scripts in /var/lib/samba/scripts
+- create /var/lib/samba/scripts so that selinux can be happy
+- fix Vista problems with msdfs errors
+
+* Tue Apr 03 2007 Guenther Deschner <gdeschner@redhat.com> 3.0.24-11.fc7
+- enable PAM and NSS dlopen checks during build
+- fix unresolved symbols in libnss_wins.so (bug #198230)
+
+* Fri Mar 30 2007 Simo Sorce <ssorce@redhat.com> 3.0.24-10.fc7
+- set passdb backend = tdbsam as default in smb.conf
+- remove samba-docs dependency from swat, that was a mistake
+- put back COPYING and other files in samba-common
+- put examples in samba not in samba-docs
+- leave only stuff under docs/ in samba-doc
+
+* Thu Mar 29 2007 Simo Sorce <ssorce@redhat.com> 3.0.24-9.fc7
+- integrate most of merge review proposed changes (bug #226387)
+- remove libsmbclient-devel-static and simply stop shipping the
+ static version of smbclient as it seem this is deprecated and
+ actively discouraged
+
+* Wed Mar 28 2007 Simo Sorce <ssorce@redhat.com> 3.0.24-8.fc7
+- fix for bug #176649
+
+* Mon Mar 26 2007 Simo Sorce <ssorce@redhat.com>
+- remove patch for bug 106483 as it introduces a new bug that prevents
+ the use of a credentials file with the smbclient tar command
+- move the samba private dir from being the same as the config dir
+ (/etc/samba) to /var/lib/samba/private
+
+* Mon Mar 26 2007 Simo Sorce <ssorce@redhat.com> 3.0.24-7.fc7
+- make winbindd start earlier in the init process, at the same time
+ ypbind is usually started as well
+- add a sepoarate init script for nmbd called nmb, we need to be able
+ to restart nmbd without dropping al smbd connections unnecessarily
+
+* Fri Mar 23 2007 Simo Sorce <ssorce@redhat.com>
+- add samba.schema to /etc/openldap/schema
+
+* Thu Mar 22 2007 Florian La Roche <laroche@redhat.com>
+- adjust the Requires: for the scripts, add "chkconfig --add smb"
+
+* Tue Mar 20 2007 Simo Sorce <ssorce@redhat.com> 3.0.24-6.fc7
+- do not put comments inline on smb.conf options, they may be read
+ as part of the value (for example log files names)
+
+* Mon Mar 19 2007 Simo Sorce <ssorce@redhat.com> 3.0.24-5.fc7
+- actually use the correct samba.pamd file not the old samba.pamd.stack file
+- fix logifles and use upstream convention of log.* instead of our old *.log
+ Winbindd creates its own log.* files anyway so we will be more consistent
+- install our own (enhanced) default smb.conf file
+- Fix pam_winbind acct_mgmt PAM result code (prevented local users from
+ logging in). Fixed by Guenther.
+- move some files from samba to samba-common as they are used with winbindd
+ as well
+
+* Fri Mar 16 2007 Guenther Deschner <gdeschner@redhat.com> 3.0.24-4.fc7
+- fix arch macro which reported Vista to Samba clients.
+
+* Thu Mar 15 2007 Simo Sorce <ssorce@redhat.com> 3.0.24-3.fc7
+- Directories reorg, tdb files must go to /var/lib, not
+ to /var/cache, add migration script in %%post common
+- Split out libsmbclient, devel and doc packages
+- Remove libmsrpc.[h|so] for now as they are not really usable
+- Remove kill -HUP from rotate, samba use -HUP for other things
+ noit to reopen logs
+
+* Tue Feb 20 2007 Simo Sorce <ssorce@redhat.com> 3.0.24-2.fc7
+- New upstream release
+- Fix packaging issue wrt idmap modules used only by smbd
+- Addedd Vista Patchset for compatibility with Windows Vista
+- Change default of "msdfs root", it seem to cause problems with
+ some applications and it has been proposed to change it for
+ 3.0.25 upstream
+
+* Fri Sep 1 2006 Jay Fenlason <fenlason@redhat.com> 3.0.23c-2
+- New upstream release.
+
+* Tue Aug 8 2006 Jay Fenlason <fenlason@redhat.com> 3.0.23b-2
+- New upstream release.
+
+* Mon Jul 24 2006 Jay Fenlason <fenlason@redhat.com> 3.0.23a-3
+- Fix the -logfiles patch to close
+ bz#199607 Samba compiled with wrong log path.
+ bz#199206 smb.conf has incorrect log file path
+
+* Mon Jul 24 2006 Jay Fenlason <fenlason@redhat.com> 3.0.23a-2
+- Upgrade to new upstream 3.0.23a
+- include upstream samr_alias patch
+
+* Tue Jul 11 2006 Jay Fenlason <fenlason@redhat.com> 3.0.23-2
+- New upstream release.
+- Use modified filter-requires-samba.sh from packaging/RHEL/setup/
+ to get rid of bogus dependency on perl(Unicode::MapUTF8)
+- Update the -logfiles and -smb.conf patches to work with 3.0.23
+
+* Thu Jul 6 2006 Jay Fenlason <fenlason@redhat.com> 3.0.23-0.RC3
+- New upstream RC release.
+- Update the -logfiles, and -passwd patches for
+ 3.0.23rc3
+- Include the change to smb.init from Bastien Nocera <bnocera@redhat.com>)
+ to close
+ bz#182560 Wrong retval for initscript when smbd is dead
+- Update this spec file to build with 3.0.23rc3
+- Remove the -install.mount.smbfs patch, since we don't install
+ mount.smbfs any more.
+
+* Wed Jun 14 2006 Tomas Mraz <tmraz@redhat.com> - 2.0.21c-3
+- rebuilt with new gnutls
+
+* Fri Mar 17 2006 Jay Fenlason <fenlason@redhat.com> 2.0.21c-2
+- New upstream version.
+
+* Mon Feb 13 2006 Jay Fenlason <fenlason@redhat.com> 3.0.21b-2
+- New upstream version.
+- Since the rawhide kernel has dropped support for smbfs, remove smbmount
+ and smbumount. Users should use mount.cifs instead.
+- Upgrade to 3.0.21b
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 0:3.0.20b-2.1.1
+- bump again for double-long bug on ppc(64)
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Sun Nov 13 2005 Jay Fenlason <fenlason@redhat.com> 3.0.20b-2
+- turn on -DLDAP_DEPRECATED to allow access to ldap functions that have
+ been depricated in 2.3.11, but which don't have well-documented
+ replacements (ldap_simple_bind_s(), for example).
+- Upgrade to 3.0.20b, which includes all the previous upstream patches.
+- Updated the -warnings patch for 3.0.20a.
+- Include --with-shared-modules=idmap_ad,idmap_rid to close
+ bz#156810 --with-shared-modules=idmap_ad,idmap_rid
+- Include the new samba.pamd from Tomas Mraz (tmraz@redhat.com) to close
+ bz#170259 pam_stack is deprecated
+
+* Sun Nov 13 2005 Warren Togami <wtogami@redhat.com> 3.0.20-3
+- epochs from deps, req exact release
+- rebuild against new openssl
+
+* Mon Aug 22 2005 Jay Fenlason <fenlason@redhat.com> 3.0.20-2
+- New upstream release
+ Includes five upstream patches -bug3010_v1, -groupname_enumeration_v3,
+ -regcreatekey_winxp_v1, -usrmgr_groups_v1, and -winbindd_v1
+ This obsoletes the -pie and -delim patches
+ the -warning and -gcc4 patches are obsolete too
+ The -man, -passwd, and -smbspool patches were updated to match 3.0.20pre1
+ Also, the -quoting patch was implemented differently upstream
+ There is now a umount.cifs executable and manpage
+ We run autogen.sh as part of the build phase
+ The testprns command is now gone
+ libsmbclient now has a man page
+- Include -bug106483 patch to close
+ bz#106483 smbclient: -N negates the provided password, despite documentation
+- Added the -warnings patch to quiet some compiler warnings.
+- Removed many obsolete patches from CVS.
+
+* Mon May 2 2005 Jay Fenlason <fenlason@redhat.com> 3.0.14a-2
+- New upstream release.
+- the -64bit-timestamps, -clitar, -establish_trust, user_rights_v1,
+ winbind_find_dc_v2 patches are now obsolete.
+
+* Thu Apr 7 2005 Jay Fenlason <fenlason@redhat.com> 3.0.13-2
+- New upstream release
+- add my -quoting patch, to fix swat with strings that contain
+ html meta-characters, and to use correct quote characters in
+ lists, closing bz#134310
+- include the upstream winbindd_2k3sp1 patch
+- include the -smbclient patch.
+- include the -hang patch from upstream.
+
+* Thu Mar 24 2005 Florian La Roche <laroche@redhat.com>
+- add a "exit 0" to the postun of the main samba package
+
+* Wed Mar 2 2005 Tomas Mraz <tmraz@redhat.com> 3.0.11-5
+- rebuild with openssl-0.9.7e
+
+* Thu Feb 24 2005 Jay Fenlason <fenlason@redhat.com> 3.0.11-4
+- Use the updated filter-requires-samba.sh file, so we don't accidentally
+ pick up a dependency on perl(Crypt::SmbHash)
+
+* Fri Feb 18 2005 Jay Fenlason <fenlason@redhat.com> 3.0.11-3
+- add -gcc4 patch to compile with gcc 4.
+- remove the now obsolete -smbclient-kerberos.patch
+- Include four upstream patches from
+ http://samba.org/~jerry/patches/post-3.0.11/
+ (Slightly modified the winbind_find_dc_v2 patch to apply easily with
+ rpmbuild).
+
+* Fri Feb 4 2005 Jay Fenlason <fenlason@redhat.com> 3.0.11-2
+- include -smbspool patch to close bz#104136
+
+* Wed Jan 12 2005 Jay Fenlason <fenlason@redhat.com> 3.0.10-4
+- Update the -man patch to fix ntlm_auth.1 too.
+- Move pam_smbpass.so to the -common package, so both the 32
+ and 64-bit versions will be installed on multiarch platforms.
+ This closes bz#143617
+- Added new -delim patch to fix mount.cifs so it can accept
+ passwords with commas in them (via environment or credentials
+ file) to close bz#144198
+
+* Wed Jan 12 2005 Tim Waugh <twaugh@redhat.com> 3.0.10-3
+- Rebuilt for new readline.
+
+* Fri Dec 17 2004 Jay Fenlason <fenlason@redhat.com> 3.0.10-2
+- New upstream release that closes CAN-2004-1154 bz#142544
+- Include the -64bit patch from Nalin. This closes bz#142873
+- Update the -logfiles patch to work with 3.0.10
+- Create /var/run/winbindd and make it part of the -common rpm to close
+ bz#142242
+
+* Mon Nov 22 2004 Jay Fenlason <fenlason@redhat.com> 3.0.9-2
+- New upstream release. This obsoletes the -secret patch.
+ Include my changetrustpw patch to make "net ads changetrustpw" stop
+ aborting. This closes #134694
+- Remove obsolete triggers for ancient samba versions.
+- Move /var/log/samba to the -common rpm. This closes #76628
+- Remove the hack needed to get around the bad docs files in the
+ 3.0.8 tarball.
+- Change the comment in winbind.init to point at the correct pidfile.
+ This closes #76641
+
+* Mon Nov 22 2004 Than Ngo <than@redhat.com> 3.0.8-4
+- fix unresolved symbols in libsmbclient which caused applications
+ such as KDE's konqueror to fail when accessing smb:// URLs. #139894
+
+* Thu Nov 11 2004 Jay Fenlason <fenlason@redhat.com> 3.0.8-3.1
+- Rescue the install.mount.smbfs patch from Juanjo Villaplana
+ (villapla@si.uji.es) to prevent building the srpm from trashing your
+ installed /usr/bin/smbmount
+
+* Tue Nov 9 2004 Jay Fenlason <fenlason@redhat.com> 3.0.8-3
+- Include the corrected docs tarball, and use it instead of the
+ obsolete docs from the upstream 3.0.8 tarball.
+- Update the logfiles patch to work with the updated docs.
+
+* Mon Nov 8 2004 Jay Fenlason <fenlason@redhat.com> 3.0.8-2
+- New upstream version fixes CAN-2004-0930. This obsoletes the
+ disable-sendfile, salt, signing-shortkey and fqdn patches.
+- Add my <fenlason@redhat.com> ugly non-ascii-domain patch.
+- Updated the pie patch for 3.0.8.
+- Updated the logfiles patch for 3.0.8.
+
+* Tue Oct 26 2004 Jay Fenlason <fenlason@redhat.com> 3.0.8-0.pre2
+- New upstream version
+- Add Nalin's signing-shortkey patch.
+
+* Tue Oct 19 2004 Jay Fenlason <fenlason@redhat.com> 3.0.8-0.pre1.3
+- disable the -salt patch, because it causes undefined references in
+ libsmbclient that prevent gnome-vfs from building.
+
+* Fri Oct 15 2004 Jay Fenlason <fenlason@redhat.com> 3.0.8-0.pre1.2
+- Re-enable the x_fclose patch that was accidentally disabled
+ in 3.0.8-0.pre1.1. This closes #135832
+- include Nalin's -fqdn and -salt patches.
+
+* Wed Oct 13 2004 Jay Fenlason <fenlason@redhat.com> 3.0.8-0.pre1.1
+- Include disable-sendfile patch to default "use sendfile" to "no".
+ This closes #132779
+
+* Wed Oct 6 2004 Jay Fenlason <fenlason@redhat.com>
+- Include patch from Steven Lawrance (slawrance@yahoo.com) that modifies
+ smbmnt to work with 32-bit uids.
+
+* Mon Sep 27 2004 Jay Fenlason <fenlason@redhat.com> 3.0.8-0.pre1
+- new upstream release. This obsoletes the ldapsam_compat patches.
+
+* Wed Sep 15 2004 Jay Fenlason <fenlason@redhat.com> 3.0.7-4
+- Update docs section to not carryover the docs/manpages directory
+ This moved many files from /usr/share/doc/samba-3.0.7/docs/* to
+ /usr/share/doc/samba-3.0.7/*
+- Modify spec file as suggested by Rex Dieter (rdieter@math.unl.edu)
+ to correctly create libsmbclient.so.0 and to use %%_initrddir instead
+ of rolling our own. This closes #132642
+- Add patch to default "use sendfile" to no, since sendfile appears to
+ be broken
+- Add patch from Volker Lendecke <vl@samba.org> to help make
+ ldapsam_compat work again.
+- Add patch from "Vince Brimhall" <vbrimhall@novell.com> for ldapsam_compat
+ These two patches close bugzilla #132169
+
+* Mon Sep 13 2004 Jay Fenlason <fenlason@redhat.com> 3.0.7-3
+- Upgrade to 3.0.7, which fixes CAN-2004-0807 CAN-2004-0808
+ This obsoletes the 3.0.6-schema patch.
+- Update BuildRequires line to include openldap-devel openssl-devel
+ and cups-devel
+
+* Mon Aug 16 2004 Jay Fenlason <fenlason@redhat.com> 3.0.6-3
+- New upstream version.
+- Include post 3.0.6 patch from "Gerald (Jerry) Carter" <jerry@samba.org>
+ to fix a duplicate in the LDAP schema.
+- Include 64-bit timestamp patch from Ravikumar (rkumar@hp.com)
+ to allow correct timestamp handling on 64-bit platforms and fix #126109.
+- reenable the -pie patch. Samba is too widely used, and too vulnerable
+ to potential security holes to disable an important security feature
+ like -pie. The correct fix is to have the toolchain not create broken
+ executables when programs compiled -pie are stripped.
+- Remove obsolete patches.
+- Modify this spec file to put libsmbclient.{a,so} in the right place on
+ x86_64 machines.
+
+* Thu Aug 5 2004 Jason Vas Dias <jvdias@redhat.com> 3.0.5-3
+- Removed '-pie' patch - 3.0.5 uses -fPIC/-PIC, and the combination
+- resulted in executables getting corrupt stacks, causing smbmnt to
+- get a SIGBUS in the mount() call (bug 127420).
+
+* Fri Jul 30 2004 Jay Fenlason <fenlason@redhat.com> 3.0.5-2
+- Upgrade to 3.0.5, which is a regression from 3.0.5pre1 for a
+ security fix.
+- Include the 3.0.4-backport patch from the 3E branch. This restores
+ some of the 3.0.5pre1 and 3.0.5rc1 functionality.
+
+* Tue Jul 20 2004 Jay Fenlason <fenlason@redhat.com> 3.0.5-0.pre1.1
+- Backport base64_decode patche to close CAN-2004-0500
+- Backport hash patch to close CAN-2004-0686
+- use_authtok patch from Nalin Dahyabhai <nalin@redhat.com>
+- smbclient-kerberos patch from Alexander Larsson <alexl@redhat.com>
+- passwd patch uses "*" instead of "x" for "hashed" passwords for
+ accounts created by winbind. "x" means "password is in /etc/shadow" to
+ brain-damaged pam_unix module.
+
+* Fri Jul 2 2004 Jay Fenlason <fenlason@redhat.com> 3.0.5.0pre1.0
+- New upstream version
+- use %% { SOURCE1 } instead of a hardcoded path
+- include -winbind patch from Gerald (Jerry) Carter (jerry@samba.org)
+ https://bugzilla.samba.org/show_bug.cgi?id=1315
+ to make winbindd work against Windows versions that do not have
+ 128 bit encryption enabled.
+- Moved %%{_bindir}/net to the -common package, so that folks who just
+ want to use winbind, etc don't have to install -client in order to
+ "net join" their domain.
+- New upstream version obsoletes the patches added in 3.0.3-5
+- Remove smbgetrc.5 man page, since we don't ship smbget.
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue May 4 2004 Jay Fenlason <fenlason@redhat.com> 3.0.3-5
+- Patch to allow password changes from machines patched with
+ Microsoft hotfix MS04-011.
+- Include patches for https://bugzilla.samba.org/show_bug.cgi?id=1302
+ and https://bugzilla.samba.org/show_bug.cgi?id=1309
+
+* Thu Apr 29 2004 Jay Fenlason <fenlason@redhat.com> 3.0.3-4
+- Samba 3.0.3 released.
+
+* Wed Apr 21 2004 jay Fenlason <fenlason@redhat.com> 3.0.3-3.rc1
+- New upstream version
+- updated spec file to make libsmbclient.so executable. This closes
+ bugzilla #121356
+
+* Mon Apr 5 2004 Jay Fenlason <fenlason@redhat.com> 3.0.3-2.pre2
+- New upstream version
+- Updated configure line to remove --with-fhs and to explicitly set all
+ the directories that --with-fhs was setting. We were overriding most of
+ them anyway. This closes #118598
+
+* Mon Mar 15 2004 Jay Fenlason <fenlason@redhat.com> 3.0.3-1.pre1
+- New upstream version.
+- Updated -pie and -logfiles patches for 3.0.3pre1
+- add krb5-devel to buildrequires, fixes #116560
+- Add patch from Miloslav Trmac (mitr@volny.cz) to allow non-root to run
+ "service smb status". This fixes #116559
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Mon Feb 16 2004 Jay Fenlason <fenlason@redhat.com> 3.0.2a-1
+- Upgrade to 3.0.2a
+
+* Mon Feb 16 2004 Karsten Hopp <karsten@redhat.de> 3.0.2-7
+- fix ownership in -common package
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri Feb 13 2004 Jay Fenlason <fenlason@redhat.com>
+- Change all requires lines to list an explicit epoch. Closes #102715
+- Add an explicit Epoch so that %%{epoch} is defined.
+
+* Mon Feb 9 2004 Jay Fenlason <fenlason@redhat.com> 3.0.2-5
+- New upstream version: 3.0.2 final includes security fix for #114995
+ (CAN-2004-0082)
+- Edit postun script for the -common package to restart winbind when
+ appropriate. Fixes bugzilla #114051.
+
+* Mon Feb 2 2004 Jay Fenlason <fenlason@redhat.com> 3.0.2-3rc2
+- add %%dir entries for %%{_libdir}/samba and %%{_libdir}/samba/charset
+- Upgrade to new upstream version
+- build mount.cifs for the new cifs filesystem in the 2.6 kernel.
+
+* Mon Jan 19 2004 Jay Fenlason <fenlason@redhat.com> 3.0.2-1rc1
+- Upgrade to new upstream version
+
+* Wed Dec 17 2003 Felipe Alfaro Solana <felipe_alfaro@linuxmail.org> 3.0.1-1
+- Update to 3.0.1
+- Removed testparm patch as it's already merged
+- Removed Samba.7* man pages
+- Fixed .buildroot patch
+- Fixed .pie patch
+- Added new /usr/bin/tdbdump file
+
+* Thu Sep 25 2003 Jay Fenlason <fenlason@redhat.com> 3.0.0-15
+- New 3.0.0 final release
+- merge nmbd-netbiosname and testparm patches from 3E branch
+- updated the -logfiles patch to work against 3.0.0
+- updated the pie patch
+- update the VERSION file during build
+- use make -j if avaliable
+- merge the winbindd_privileged change from 3E
+- merge the "rm /usr/lib" patch that allows Samba to build on 64-bit
+ platforms despite the broken Makefile
+
+* Mon Aug 18 2003 Jay Fenlason <fenlason@redhat.com>
+- Merge from samba-3E-branch after samba-3.0.0rc1 was released
+
+* Wed Jul 23 2003 Jay Fenlason <fenlason@redhat.com> 3.0.0-3beta3
+- Merge from 3.0.0-2beta3.3E
+- (Correct log file names (#100981).)
+- (Fix pidfile directory in samab.log)
+- (Remove obsolete samba-3.0.0beta2.tar.bz2.md5 file)
+- (Move libsmbclient to the -common package (#99449))
+
+* Sun Jun 22 2003 Nalin Dahyabhai <nalin@redhat.com> 2.2.8a-4
+- rebuild
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Wed May 28 2003 Jay Fenlason <fenlason@redhat.com> 2.2.8a-2
+- add libsmbclient.so for gnome-vfs-extras
+- Edit specfile to specify /var/run for pid files
+- Move /tmp/.winbindd/socket to /var/run/winbindd/socket
+
+* Wed May 14 2003 Florian La Roche <Florian.LaRoche@redhat.de>
+- add proper ldconfig calls
+
+* Thu Apr 24 2003 Jay Fenlason <fenlason@redhat.com> 2.2.8a-1
+- upgrade to 2.2.8a
+- remove old .md5 files
+- add "pid directory = /var/run" to the smb.conf file. Fixes #88495
+- Patch from jra@dp.samba.org to fix a delete-on-close regression
+
+* Mon Mar 24 2003 Jay Fenlason <fenlason@redhat.com> 2.2.8-0
+- Upgrade to 2.2.8
+- removed commented out patches.
+- removed old patches and .md5 files from the repository.
+- remove duplicate /sbin/chkconfig --del winbind which causes
+ warnings when removing samba.
+- Fixed minor bug in smbprint that causes it to fail when called with
+ more than 10 parameters: the accounting file (and spool directory
+ derived from it) were being set wrong due to missing {}. This closes
+ bug #86473.
+- updated smb.conf patch, includes new defaults to close bug #84822.
+
+* Mon Feb 24 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Thu Feb 20 2003 Jonathan Blandford <jrb@redhat.com> 2.2.7a-5
+- remove swat.desktop file
+
+* Thu Feb 20 2003 Nalin Dahyabhai <nalin@redhat.com> 2.2.7a-4
+- relink libnss_wins.so with SHLD="%%{__cc} -lnsl" to force libnss_wins.so to
+ link with libnsl, avoiding unresolved symbol errors on functions in libnsl
+
+* Mon Feb 10 2003 Jay Fenlason <fenlason@redhat.com> 2.2.7a-3
+- edited spec file to put .so files in the correct directories
+ on 64-bit platforms that have 32-bit compatability issues
+ (sparc64, x86_64, etc). This fixes bugzilla #83782.
+- Added samba-2.2.7a-error.patch from twaugh. This fixes
+ bugzilla #82454.
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Thu Jan 9 2003 Jay Fenlason <fenlason@redhat.com> 2.2.7a-1
+- Update to 2.2.7a
+- Change default printing system to CUPS
+- Turn on pam_smbpass
+- Turn on msdfs
+
+* Sat Jan 4 2003 Jeff Johnson <jbj@redhat.com> 2.2.7-5
+- use internal dep generator.
+
+* Sat Dec 14 2002 Tim Powers <timp@redhat.com> 2.2.7-4
+- don't use rpms internal dep generator
+
+* Mon Dec 02 2002 Elliot Lee <sopwith@redhat.com> 2.2.7-3
+- Fix missing doc files.
+- Fix multilib issues
+
+* Wed Nov 20 2002 Bill Nottingham <notting@redhat.com> 2.2.7-2
+- update to 2.2.7
+- add patch for LFS in smbclient (<tcallawa@redhat.com>)
+
+* Wed Aug 28 2002 Trond Eivind Glomsød <teg@redhat.com> 2.2.5-10
+- logrotate fixes (#65007)
+
+* Mon Aug 26 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.5-9
+- /usr/lib was used in place of %%{_libdir} in three locations (#72554)
+
+* Mon Aug 5 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.5-8
+- Initscript fix (#70720)
+
+* Fri Jul 26 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.5-7
+- Enable VFS support and compile the "recycling" module (#69796)
+- more selective includes of the examples dir
+
+* Tue Jul 23 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.5-6
+- Fix the lpq parser for better handling of LPRng systems (#69352)
+
+* Tue Jul 23 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.5-5
+- desktop file fixes (#69505)
+
+* Wed Jun 26 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.5-4
+- Enable ACLs
+
+* Tue Jun 25 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.5-3
+- Make it not depend on Net::LDAP - those are doc files and examples
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu Jun 20 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.5-1
+- 2.2.5
+
+* Fri Jun 14 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.4-5
+- Move the post/preun of winbind into the -common subpackage,
+ where the script is (#66128)
+
+* Tue Jun 4 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.4-4
+- Fix pidfile locations so it runs properly again (2.2.4
+ added a new directtive - #65007)
+
+* Thu May 23 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Tue May 14 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.4-2
+- Fix #64804
+
+* Thu May 9 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.4-1
+- 2.2.4
+- Removed some zero-length and CVS internal files
+- Make it build
+
+* Wed Apr 10 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.3a-6
+- Don't use /etc/samba.d in smbadduser, it should be /etc/samba
+
+* Thu Apr 4 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.3a-5
+- Add libsmbclient.a w/headerfile for KDE (#62202)
+
+* Tue Mar 26 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.3a-4
+- Make the logrotate script look the correct place for the pid files
+
+* Thu Mar 14 2002 Nalin Dahyabhai <nalin@redhat.com> 2.2.3a-3
+- include interfaces.o in pam_smbpass.so, which needs symbols from interfaces.o
+ (patch posted to samba-list by Ilia Chipitsine)
+
+* Thu Feb 21 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.3a-2
+- Rebuild
+
+* Thu Feb 7 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.3a-1
+- 2.2.3a
+
+* Mon Feb 4 2002 Trond Eivind Glomsrød <teg@redhat.com> 2.2.3-1
+- 2.2.3
+
+* Thu Nov 29 2001 Trond Eivind Glomsrød <teg@redhat.com> 2.2.2-8
+- New pam configuration file for samba
+
+* Tue Nov 27 2001 Trond Eivind Glomsrød <teg@redhat.com> 2.2.2-7
+- Enable PAM session controll and password sync
+
+* Tue Nov 13 2001 Trond Eivind Glomsrød <teg@redhat.com> 2.2.2-6
+- Move winbind files to samba-common. Add separate initscript for
+ winbind
+- Fixes for winbind - protect global variables with mutex, use
+ more secure getenv
+
+* Thu Nov 8 2001 Trond Eivind Glomsrød <teg@redhat.com> 2.2.2-5
+- Teach smbadduser about "getent passwd"
+- Fix more pid-file references
+- Add (conditional) winbindd startup to the initscript, configured in
+ /etc/sysconfig/samba
+
+* Wed Nov 7 2001 Trond Eivind Glomsrød <teg@redhat.com> 2.2.2-4
+- Fix pid-file reference in logrotate script
+- include pam and nss modules for winbind
+
+* Mon Nov 5 2001 Trond Eivind Glomsrød <teg@redhat.com> 2.2.2-3
+- Add "--with-utmp" to configure options (#55372)
+- Include winbind, pam_smbpass.so, rpcclient and smbcacls
+- start using /var/cache/samba, we need to keep state and there is
+ more than just locks involved
+
+* Sat Nov 03 2001 Florian La Roche <Florian.LaRoche@redhat.de> 2.2.2-2
+- add "reload" to the usage string in the startup script
+
+* Mon Oct 15 2001 Trond Eivind Glomsrød <teg@redhat.com> 2.2.2-1
+- 2.2.2
+
+* Tue Sep 18 2001 Trond Eivind Glomsrød <teg@redhat.com> 2.2.1a-5
+- Add patch from Jeremy Allison to fix IA64 alignment problems (#51497)
+
+* Mon Aug 13 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- Don't include smbpasswd in samba, it's in samba-common (#51598)
+- Add a disabled "obey pam restrictions" statement - it's not
+ active, as we use encrypted passwords, but if the admin turns
+ encrypted passwords off the choice is available. (#31351)
+
+* Wed Aug 8 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- Use /var/cache/samba instead of /var/lock/samba
+- Remove "domain controller" keyword from smb.conf, it's
+ deprecated (from #13704)
+- Sync some examples with smb.conf.default
+- Fix password synchronization (#16987)
+
+* Fri Jul 20 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- Tweaks of BuildRequires (#49581)
+
+* Wed Jul 11 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- 2.2.1a bugfix release
+
+* Tue Jul 10 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- 2.2.1, which should work better for XP
+
+* Sat Jun 23 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- 2.2.0a security fix
+- Mark lograte and pam configuration files as noreplace
+
+* Fri Jun 22 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- Add the /etc/samba directory to samba-common
+
+* Thu Jun 21 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- Add improvements to the smb.conf as suggested in #16931
+
+* Tue Jun 19 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- (these changes are from the non-head version)
+- Don't include /usr/sbin/samba, it's the same as the initscript
+- unset TMPDIR, as samba can't write into a TMPDIR owned
+ by root (#41193)
+- Add pidfile: lines for smbd and nmbd and a config: line
+ in the initscript (#15343)
+- don't use make -j
+- explicitly include /usr/share/samba, not just the files in it
+
+* Tue Jun 19 2001 Bill Nottingham <notting@redhat.com>
+- mount.smb/mount.smbfs go in /sbin, *not* %%{_sbindir}
+
+* Fri Jun 8 2001 Preston Brown <pbrown@redhat.com>
+- enable encypted passwords by default
+
+* Thu Jun 7 2001 Helge Deller <hdeller@redhat.de>
+- build as 2.2.0-1 release
+- skip the documentation-directories docbook, manpages and yodldocs
+- don't include *.sgml documentation in package
+- moved codepage-directory to /usr/share/samba/codepages
+- make it compile with glibc-2.2.3-10 and kernel-headers-2.4.2-2
+
+* Mon May 21 2001 Helge Deller <hdeller@redhat.de>
+- updated to samba 2.2.0
+- moved codepages to %%{_datadir}/samba/codepages
+- use all available CPUs for building rpm packages
+- use %%{_xxx} defines at most places in spec-file
+- "License:" replaces "Copyright:"
+- dropped excludearch sparc
+- de-activated japanese patches 100 and 200 for now
+ (they need to be fixed and tested wth 2.2.0)
+- separated swat.desktop file from spec-file and added
+ german translations
+- moved /etc/sysconfig/samba to a separate source-file
+- use htmlview instead of direct call to netscape in
+ swat.desktop-file
+
+* Mon May 7 2001 Bill Nottingham <notting@redhat.com>
+- device-remove security fix again (<tridge@samba.org>)
+
+* Fri Apr 20 2001 Bill Nottingham <notting@redhat.com>
+- fix tempfile security problems, officially (<tridge@samba.org>)
+- update to 2.0.8
+
+* Sun Apr 8 2001 Bill Nottingham <notting@redhat.com>
+- turn of SSL, kerberos
+
+* Thu Apr 5 2001 Bill Nottingham <notting@redhat.com>
+- fix tempfile security problems (patch from <Marcus.Meissner@caldera.de>)
+
+* Thu Mar 29 2001 Bill Nottingham <notting@redhat.com>
+- fix quota support, and quotas with the 2.4 kernel (#31362, #33915)
+
+* Mon Mar 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- tweak the PAM code some more to try to do a setcred() after initgroups()
+- pull in all of the optflags on i386 and sparc
+- don't explicitly enable Kerberos support -- it's only used for password
+ checking, and if PAM is enabled it's a no-op anyway
+
+* Mon Mar 5 2001 Tim Waugh <twaugh@redhat.com>
+- exit successfully from preun script (bug #30644).
+
+* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Wed Feb 14 2001 Bill Nottingham <notting@redhat.com>
+- updated japanese stuff (#27683)
+
+* Fri Feb 9 2001 Bill Nottingham <notting@redhat.com>
+- fix trigger (#26859)
+
+* Wed Feb 7 2001 Bill Nottingham <notting@redhat.com>
+- add i18n support, japanese patch (#26253)
+
+* Wed Feb 7 2001 Trond Eivind Glomsrød <teg@redhat.com>
+- i18n improvements in initscript (#26537)
+
+* Wed Jan 31 2001 Bill Nottingham <notting@redhat.com>
+- put smbpasswd in samba-common (#25429)
+
+* Wed Jan 24 2001 Bill Nottingham <notting@redhat.com>
+- new i18n stuff
+
+* Sun Jan 21 2001 Bill Nottingham <notting@redhat.com>
+- rebuild
+
+* Thu Jan 18 2001 Bill Nottingham <notting@redhat.com>
+- i18n-ize initscript
+- add a sysconfig file for daemon options (#23550)
+- clarify smbpasswd man page (#23370)
+- build with LFS support (#22388)
+- avoid extraneous pam error messages (#10666)
+- add Urban Widmark's bug fixes for smbmount (#19623)
+- fix setgid directory modes (#11911)
+- split swat into subpackage (#19706)
+
+* Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- set a default CA certificate path in smb.conf (#19010)
+- require openssl >= 0.9.5a-20 to make sure we have a ca-bundle.crt file
+
+* Mon Oct 16 2000 Bill Nottingham <notting@redhat.com>
+- fix swat only_from line (#18726, others)
+- fix attempt to write outside buildroot on install (#17943)
+
+* Mon Aug 14 2000 Bill Nottingham <notting@redhat.com>
+- add smbspool back in (#15827)
+- fix absolute symlinks (#16125)
+
+* Sun Aug 6 2000 Philipp Knirsch <pknirsch@redhat.com>
+- bugfix for smbadduser script (#15148)
+
+* Mon Jul 31 2000 Matt Wilson <msw@redhat.com>
+- patch configure.ing (patch11) to disable cups test
+- turn off swat by default
+
+* Fri Jul 28 2000 Bill Nottingham <notting@redhat.com>
+- fix condrestart stuff
+
+* Fri Jul 21 2000 Bill Nottingham <notting@redhat.com>
+- add copytruncate to logrotate file (#14360)
+- fix init script (#13708)
+
+* Sat Jul 15 2000 Bill Nottingham <notting@redhat.com>
+- move initscript back
+- remove 'Using Samba' book from %%doc
+- move stuff to /etc/samba (#13708)
+- default configuration tweaks (#13704)
+- some logrotate tweaks
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Tue Jul 11 2000 Bill Nottingham <notting@redhat.com>
+- fix logrotate script (#13698)
+
+* Thu Jul 6 2000 Bill Nottingham <notting@redhat.com>
+- fix initscripts req (prereq /etc/init.d)
+
+* Wed Jul 5 2000 Than Ngo <than@redhat.de>
+- add initdir macro to handle the initscript directory
+- add a new macro to handle /etc/pam.d/system-auth
+
+* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- enable Kerberos 5 and SSL support
+- patch for duplicate profile.h headers
+
+* Thu Jun 29 2000 Bill Nottingham <notting@redhat.com>
+- fix init script
+
+* Tue Jun 27 2000 Bill Nottingham <notting@redhat.com>
+- rename samba logs (#11606)
+
+* Mon Jun 26 2000 Bill Nottingham <notting@redhat.com>
+- initscript munging
+
+* Fri Jun 16 2000 Bill Nottingham <notting@redhat.com>
+- configure the swat stuff usefully
+- re-integrate some specfile tweaks that got lost somewhere
+
+* Thu Jun 15 2000 Bill Nottingham <notting@redhat.com>
+- rebuild to get rid of cups dependency
+
+* Wed Jun 14 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak logrotate configurations to use the PID file in /var/lock/samba
+
+* Sun Jun 11 2000 Bill Nottingham <notting@redhat.com>
+- rebuild in new environment
+
+* Thu Jun 1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- change PAM setup to use system-auth
+
+* Mon May 8 2000 Bill Nottingham <notting@redhat.com>
+- fixes for ia64
+
+* Sat May 6 2000 Bill Nottingham <notting@redhat.com>
+- switch to %%configure
+
+* Wed Apr 26 2000 Nils Philippsen <nils@redhat.de>
+- version 2.0.7
+
+* Sun Mar 26 2000 Florian La Roche <Florian.LaRoche@redhat.com>
+- simplify preun
+
+* Thu Mar 16 2000 Bill Nottingham <notting@redhat.com>
+- fix yp_get_default_domain in autoconf
+- only link against readline for smbclient
+- fix log rotation (#9909)
+
+* Fri Feb 25 2000 Bill Nottingham <notting@redhat.com>
+- fix trigger, again.
+
+* Mon Feb 7 2000 Bill Nottingham <notting@redhat.com>
+- fix trigger.
+
+* Fri Feb 4 2000 Bill Nottingham <notting@redhat.com>
+- turn on quota support
+
+* Mon Jan 31 2000 Cristian Gafton <gafton@redhat.com>
+- rebuild to fox dependencies
+- man pages are compressed
+
+* Fri Jan 21 2000 Bill Nottingham <notting@redhat.com>
+- munge post scripts slightly
+
+* Wed Jan 19 2000 Bill Nottingham <notting@redhat.com>
+- turn on mmap again. Wheee.
+- ship smbmount on alpha
+
+* Mon Dec 6 1999 Bill Nottingham <notting@redhat.com>
+- turn off mmap. ;)
+
+* Wed Dec 1 1999 Bill Nottingham <notting@redhat.com>
+- change /var/log/samba to 0700
+- turn on mmap support
+
+* Thu Nov 11 1999 Bill Nottingham <notting@redhat.com>
+- update to 2.0.6
+
+* Fri Oct 29 1999 Bill Nottingham <notting@redhat.com>
+- add a %%defattr for -common
+
+* Tue Oct 5 1999 Bill Nottingham <notting@redhat.com>
+- shift some files into -client
+- remove /home/samba from package.
+
+* Tue Sep 28 1999 Bill Nottingham <notting@redhat.com>
+- initscript oopsie. killproc <name> -HUP, not other way around.
+
+* Sun Sep 26 1999 Bill Nottingham <notting@redhat.com>
+- script cleanups. Again.
+
+* Wed Sep 22 1999 Bill Nottingham <notting@redhat.com>
+- add a patch to fix dropped reconnection attempts
+
+* Mon Sep 6 1999 Jeff Johnson <jbj@redhat.com>
+- use cp rather than mv to preserve /etc/services perms (#4938 et al).
+- use mktemp to generate /etc/tmp.XXXXXX file name.
+- add prereqs on sed/mktemp/killall (need to move killall to /bin).
+- fix trigger syntax (i.e. "samba < 1.9.18p7" not "samba < samba-1.9.18p7")
+
+* Mon Aug 30 1999 Bill Nottingham <notting@redhat.com>
+- sed "s|nawk|gawk|" /usr/bin/convert_smbpasswd
+
+* Sat Aug 21 1999 Bill Nottingham <notting@redhat.com>
+- fix typo in mount.smb
+
+* Fri Aug 20 1999 Bill Nottingham <notting@redhat.com>
+- add a %%trigger to work around (sort of) broken scripts in
+ previous releases
+
+* Mon Aug 16 1999 Bill Nottingham <notting@redhat.com>
+- initscript munging
+
+* Mon Aug 9 1999 Bill Nottingham <notting@redhat.com>
+- add domain parsing to mount.smb
+
+* Fri Aug 6 1999 Bill Nottingham <notting@redhat.com>
+- add a -common package, shuffle files around.
+
+* Fri Jul 23 1999 Bill Nottingham <notting@redhat.com>
+- add a chmod in %%postun so /etc/services & inetd.conf don't become unreadable
+
+* Wed Jul 21 1999 Bill Nottingham <notting@redhat.com>
+- update to 2.0.5
+- fix mount.smb - smbmount options changed again.........
+- fix postun. oops.
+- update some stuff from the samba team's spec file.
+
+* Fri Jun 18 1999 Bill Nottingham <notting@redhat.com>
+- split off clients into separate package
+- don't run samba by default
+
+* Mon Jun 14 1999 Bill Nottingham <notting@redhat.com>
+- fix one problem with mount.smb script
+- fix smbpasswd on sparc with a really ugly kludge
+
+* Thu Jun 10 1999 Dale Lovelace <dale@redhat.com>
+- fixed logrotate script
+
+* Tue May 25 1999 Bill Nottingham <notting@redhat.com>
+- turn of 64-bit locking on 32-bit platforms
+
+* Thu May 20 1999 Bill Nottingham <notting@redhat.com>
+- so many releases, so little time
+- explicitly uncomment 'printing = bsd' in sample config
+
+* Tue May 18 1999 Bill Nottingham <notting@redhat.com>
+- update to 2.0.4a
+- fix mount.smb arg ordering
+
+* Fri Apr 16 1999 Bill Nottingham <notting@redhat.com>
+- go back to stop/start for restart (-HUP didn't work in testing)
+
+* Fri Mar 26 1999 Bill Nottingham <notting@redhat.com>
+- add a mount.smb to make smb mounting a little easier.
+- smb filesystems apparently don't work on alpha. Oops.
+
+* Thu Mar 25 1999 Bill Nottingham <notting@redhat.com>
+- always create codepages
+
+* Tue Mar 23 1999 Bill Nottingham <notting@redhat.com>
+- logrotate changes
+
+* Sun Mar 21 1999 Cristian Gafton <gafton@redhat.com>
+- auto rebuild in the new build environment (release 3)
+
+* Fri Mar 19 1999 Preston Brown <pbrown@redhat.com>
+- updated init script to use graceful restart (not stop/start)
+
+* Tue Mar 9 1999 Bill Nottingham <notting@redhat.com>
+- update to 2.0.3
+
+* Thu Feb 18 1999 Bill Nottingham <notting@redhat.com>
+- update to 2.0.2
+
+* Mon Feb 15 1999 Bill Nottingham <notting@redhat.com>
+- swat swat
+
+* Tue Feb 9 1999 Bill Nottingham <notting@redhat.com>
+- fix bash2 breakage in post script
+
+* Fri Feb 5 1999 Bill Nottingham <notting@redhat.com>
+- update to 2.0.0
+
+* Mon Oct 12 1998 Cristian Gafton <gafton@redhat.com>
+- make sure all binaries are stripped
+
+* Thu Sep 17 1998 Jeff Johnson <jbj@redhat.com>
+- update to 1.9.18p10.
+- fix %%triggerpostun.
+
+* Tue Jul 07 1998 Erik Troan <ewt@redhat.com>
+- updated postun triggerscript to check $0
+- clear /etc/codepages from %%preun instead of %%postun
+
+* Mon Jun 08 1998 Erik Troan <ewt@redhat.com>
+- made the %%postun script a tad less agressive; no reason to remove
+ the logs or lock file (after all, if the lock file is still there,
+ samba is still running)
+- the %%postun and %%preun should only exectute if this is the final
+ removal
+- migrated %%triggerpostun from Red Hat's samba package to work around
+ packaging problems in some Red Hat samba releases
+
+* Sun Apr 26 1998 John H Terpstra <jht@samba.anu.edu.au>
+- minor tidy up in preparation for release of 1.9.18p5
+- added findsmb utility from SGI package
+
+* Wed Mar 18 1998 John H Terpstra <jht@samba.anu.edu.au>
+- Updated version and codepage info.
+- Release to test name resolve order
+
+* Sat Jan 24 1998 John H Terpstra <jht@samba.anu.edu.au>
+- Many optimisations (some suggested by Manoj Kasichainula <manojk@io.com>
+- Use of chkconfig in place of individual symlinks to /etc/rc.d/init/smb
+- Compounded make line
+- Updated smb.init restart mechanism
+- Use compound mkdir -p line instead of individual calls to mkdir
+- Fixed smb.conf file path for log files
+- Fixed smb.conf file path for incoming smb print spool directory
+- Added a number of options to smb.conf file
+- Added smbadduser command (missed from all previous RPMs) - Doooh!
+- Added smbuser file and smb.conf file updates for username map
+