diff --git a/.gitignore b/.gitignore
index d0d9bc1..1b087cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.8.3.tar.xz
+SOURCES/samba-4.9.1.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index c121f9a..638f3b8 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-ee51f44b1b61cb189f0145b477300d4d58b1dff6 SOURCES/samba-4.8.3.tar.xz
+81b7c9a13d48fa25c58c90ae85e7d256e9952227 SOURCES/samba-4.9.1.tar.xz
diff --git a/SOURCES/CVE-2018-10858.patch b/SOURCES/CVE-2018-10858.patch
deleted file mode 100644
index 03d7718..0000000
--- a/SOURCES/CVE-2018-10858.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 15 Jun 2018 15:07:17 -0700
-Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in
- buffer.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
-
-CVE-2018-10858: Insufficient input validation on client directory
- listing in libsmbclient.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- source3/libsmb/libsmb_path.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
-index 01b0a61e483..ed70ab37550 100644
---- a/source3/libsmb/libsmb_path.c
-+++ b/source3/libsmb/libsmb_path.c
-@@ -173,8 +173,13 @@ smbc_urlencode(char *dest,
- }
- }
-
-- *dest++ = '\0';
-- max_dest_len--;
-+ if (max_dest_len == 0) {
-+ /* Ensure we return -1 if no null termination. */
-+ return -1;
-+ }
-+
-+ *dest++ = '\0';
-+ max_dest_len--;
-
- return max_dest_len;
- }
---
-2.11.0
-
-
-From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 15 Jun 2018 15:08:17 -0700
-Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns
- from malicious servers.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
-
-CVE-2018-10858: Insufficient input validation on client directory
- listing in libsmbclient.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------
- source3/libsmb/libsmb_path.c | 2 +-
- 2 files changed, 51 insertions(+), 8 deletions(-)
-
-diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
-index 72441c46736..54c2bcb3c73 100644
---- a/source3/libsmb/libsmb_dir.c
-+++ b/source3/libsmb/libsmb_dir.c
-@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context,
-
- }
-
--static void
-+static int
- smbc_readdir_internal(SMBCCTX * context,
- struct smbc_dirent *dest,
- struct smbc_dirent *src,
- int max_namebuf_len)
- {
- if (smbc_getOptionUrlEncodeReaddirEntries(context)) {
-+ int remaining_len;
-
- /* url-encode the name. get back remaining buffer space */
-- max_namebuf_len =
-+ remaining_len =
- smbc_urlencode(dest->name, src->name, max_namebuf_len);
-
-+ /* -1 means no null termination. */
-+ if (remaining_len < 0) {
-+ return -1;
-+ }
-+
- /* We now know the name length */
- dest->namelen = strlen(dest->name);
-
-+ if (dest->namelen + 1 < 1) {
-+ /* Integer wrap. */
-+ return -1;
-+ }
-+
-+ if (dest->namelen + 1 >= max_namebuf_len) {
-+ /* Out of space for comment. */
-+ return -1;
-+ }
-+
- /* Save the pointer to the beginning of the comment */
- dest->comment = dest->name + dest->namelen + 1;
-
-+ if (remaining_len < 1) {
-+ /* No room for comment null termination. */
-+ return -1;
-+ }
-+
- /* Copy the comment */
-- strncpy(dest->comment, src->comment, max_namebuf_len - 1);
-- dest->comment[max_namebuf_len - 1] = '\0';
-+ strlcpy(dest->comment, src->comment, remaining_len);
-
- /* Save other fields */
- dest->smbc_type = src->smbc_type;
-@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context,
- } else {
-
- /* No encoding. Just copy the entry as is. */
-+ if (src->dirlen > max_namebuf_len) {
-+ return -1;
-+ }
- memcpy(dest, src, src->dirlen);
-+ if (src->namelen + 1 < 1) {
-+ /* Integer wrap */
-+ return -1;
-+ }
-+ if (src->namelen + 1 >= max_namebuf_len) {
-+ /* Comment off the end. */
-+ return -1;
-+ }
- dest->comment = (char *)(&dest->name + src->namelen + 1);
- }
--
-+ return 0;
- }
-
- /*
-@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context,
- SMBCFILE *dir)
- {
- int maxlen;
-+ int ret;
- struct smbc_dirent *dirp, *dirent;
- TALLOC_CTX *frame = talloc_stackframe();
-
-@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context,
- dirp = &context->internal->dirent;
- maxlen = sizeof(context->internal->_dirent_name);
-
-- smbc_readdir_internal(context, dirp, dirent, maxlen);
-+ ret = smbc_readdir_internal(context, dirp, dirent, maxlen);
-+ if (ret == -1) {
-+ errno = EINVAL;
-+ TALLOC_FREE(frame);
-+ return NULL;
-+ }
-
- dir->dir_next = dir->dir_next->next;
-
-@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context,
- */
-
- while ((dirlist = dir->dir_next)) {
-+ int ret;
- struct smbc_dirent *dirent;
- struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir;
-
-@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context,
- /* Do urlencoding of next entry, if so selected */
- dirent = &context->internal->dirent;
- maxlen = sizeof(context->internal->_dirent_name);
-- smbc_readdir_internal(context, dirent,
-+ ret = smbc_readdir_internal(context, dirent,
- dirlist->dirent, maxlen);
-+ if (ret == -1) {
-+ errno = EINVAL;
-+ TALLOC_FREE(frame);
-+ return -1;
-+ }
-
- reqd = dirent->dirlen;
-
-diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
-index ed70ab37550..5b53b386a67 100644
---- a/source3/libsmb/libsmb_path.c
-+++ b/source3/libsmb/libsmb_path.c
-@@ -173,7 +173,7 @@ smbc_urlencode(char *dest,
- }
- }
-
-- if (max_dest_len == 0) {
-+ if (max_dest_len <= 0) {
- /* Ensure we return -1 if no null termination. */
- return -1;
- }
---
-2.11.0
-
diff --git a/SOURCES/CVE-2018-1139.patch b/SOURCES/CVE-2018-1139.patch
deleted file mode 100644
index 77774ec..0000000
--- a/SOURCES/CVE-2018-1139.patch
+++ /dev/null
@@ -1,753 +0,0 @@
-From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001
-From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Date: Thu, 22 Feb 2018 11:54:45 +1300
-Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set
- with_cmocka flag
-
-We have cmocka in third_party, so we are never without it.
-
-Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
-by Andrew Bartlett)
----
- selftest/tests.py | 18 ++++++++----------
- 1 file changed, 8 insertions(+), 10 deletions(-)
-
-diff --git a/selftest/tests.py b/selftest/tests.py
-index 126e1184230..3f5097b680c 100644
---- a/selftest/tests.py
-+++ b/selftest/tests.py
-@@ -38,7 +38,6 @@ finally:
- f.close()
-
- have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
--with_cmocka = ("HAVE_CMOCKA" in config_hash)
- with_pam = ("WITH_PAM" in config_hash)
- pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
-
-@@ -168,13 +167,12 @@ if with_pam:
- valgrindify(python), pam_wrapper_so_path,
- "$DOMAIN", "alice", "Secret007"])
-
--if with_cmocka:
-- plantestsuite("samba.unittests.krb5samba", "none",
-- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
-- plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
-- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
-- plantestsuite("samba.unittests.lib_util_modules", "none",
-- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
-+plantestsuite("samba.unittests.krb5samba", "none",
-+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
-+plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
-+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
-+plantestsuite("samba.unittests.lib_util_modules", "none",
-+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
-
-- plantestsuite("samba.unittests.smb1cli_session", "none",
-- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
-+plantestsuite("samba.unittests.smb1cli_session", "none",
-+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
---
-2.14.4
-
-
-From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Fri, 27 Jul 2018 08:44:24 +1200
-Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for
- ntlm_password_check()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
----
- libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++
- libcli/auth/wscript_build | 13 ++
- selftest/knownfail.d/ntlm | 2 +
- selftest/tests.py | 2 +
- 4 files changed, 430 insertions(+)
- create mode 100644 libcli/auth/tests/ntlm_check.c
- create mode 100644 selftest/knownfail.d/ntlm
-
-diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
-new file mode 100644
-index 00000000000..e87a0a276d4
---- /dev/null
-+++ b/libcli/auth/tests/ntlm_check.c
-@@ -0,0 +1,413 @@
-+/*
-+ * Unit tests for the ntlm_check password hash check library.
-+ *
-+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
-+ *
-+ */
-+
-+/*
-+ * from cmocka.c:
-+ * These headers or their equivalents should be included prior to
-+ * including
-+ * this header file.
-+ *
-+ * #include <stdarg.h>
-+ * #include <stddef.h>
-+ * #include <setjmp.h>
-+ *
-+ * This allows test applications to use custom definitions of C standard
-+ * library functions and types.
-+ *
-+ */
-+
-+/*
-+ * Note that the messaging routines (audit_message_send and get_event_server)
-+ * are not tested by these unit tests. Currently they are for integration
-+ * test support, and as such are exercised by the integration tests.
-+ */
-+#include <stdarg.h>
-+#include <stddef.h>
-+#include <setjmp.h>
-+#include <cmocka.h>
-+
-+#include "includes.h"
-+#include "../lib/crypto/crypto.h"
-+#include "librpc/gen_ndr/netlogon.h"
-+#include "libcli/auth/libcli_auth.h"
-+#include "auth/credentials/credentials.h"
-+
-+struct ntlm_state {
-+ const char *username;
-+ const char *domain;
-+ DATA_BLOB challenge;
-+ DATA_BLOB ntlm;
-+ DATA_BLOB lm;
-+ DATA_BLOB ntlm_key;
-+ DATA_BLOB lm_key;
-+ const struct samr_Password *nt_hash;
-+};
-+
-+static int test_ntlm_setup_with_options(void **state,
-+ int flags, bool upn)
-+{
-+ NTSTATUS status;
-+ DATA_BLOB challenge = {
-+ .data = discard_const_p(uint8_t, "I am a teapot"),
-+ .length = 8
-+ };
-+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
-+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
-+ NULL,
-+ "serverdom");
-+ struct cli_credentials *creds = cli_credentials_init(ntlm_state);
-+ cli_credentials_set_username(creds,
-+ "testuser",
-+ CRED_SPECIFIED);
-+ cli_credentials_set_domain(creds,
-+ "testdom",
-+ CRED_SPECIFIED);
-+ cli_credentials_set_workstation(creds,
-+ "testwksta",
-+ CRED_SPECIFIED);
-+ cli_credentials_set_password(creds,
-+ "testpass",
-+ CRED_SPECIFIED);
-+
-+ if (upn) {
-+ cli_credentials_set_principal(creds,
-+ "testuser@samba.org",
-+ CRED_SPECIFIED);
-+ }
-+
-+ cli_credentials_get_ntlm_username_domain(creds,
-+ ntlm_state,
-+ &ntlm_state->username,
-+ &ntlm_state->domain);
-+
-+ status = cli_credentials_get_ntlm_response(creds,
-+ ntlm_state,
-+ &flags,
-+ challenge,
-+ NULL,
-+ target_info,
-+ &ntlm_state->lm,
-+ &ntlm_state->ntlm,
-+ &ntlm_state->lm_key,
-+ &ntlm_state->ntlm_key);
-+ ntlm_state->challenge = challenge;
-+
-+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
-+ ntlm_state);
-+
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return -1;
-+ }
-+
-+ *state = ntlm_state;
-+ return 0;
-+}
-+
-+static int test_ntlm_setup(void **state) {
-+ return test_ntlm_setup_with_options(state, 0, false);
-+}
-+
-+static int test_ntlm_and_lm_setup(void **state) {
-+ return test_ntlm_setup_with_options(state,
-+ CLI_CRED_LANMAN_AUTH,
-+ false);
-+}
-+
-+static int test_ntlm2_setup(void **state) {
-+ return test_ntlm_setup_with_options(state,
-+ CLI_CRED_NTLM2,
-+ false);
-+}
-+
-+static int test_ntlmv2_setup(void **state) {
-+ return test_ntlm_setup_with_options(state,
-+ CLI_CRED_NTLMv2_AUTH,
-+ false);
-+}
-+
-+static int test_ntlm_teardown(void **state)
-+{
-+ struct ntlm_state *ntlm_state
-+ = talloc_get_type_abort(*state,
-+ struct ntlm_state);
-+ TALLOC_FREE(ntlm_state);
-+ *state = NULL;
-+ return 0;
-+}
-+
-+static void test_ntlm_allowed(void **state)
-+{
-+ DATA_BLOB user_sess_key, lm_sess_key;
-+ struct ntlm_state *ntlm_state
-+ = talloc_get_type_abort(*state,
-+ struct ntlm_state);
-+ NTSTATUS status;
-+ status = ntlm_password_check(ntlm_state,
-+ false,
-+ NTLM_AUTH_ON,
-+ 0,
-+ &ntlm_state->challenge,
-+ &ntlm_state->lm,
-+ &ntlm_state->ntlm,
-+ ntlm_state->username,
-+ ntlm_state->username,
-+ ntlm_state->domain,
-+ NULL,
-+ ntlm_state->nt_hash,
-+ &user_sess_key,
-+ &lm_sess_key);
-+
-+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
-+}
-+
-+static void test_ntlm_allowed_lm_supplied(void **state)
-+{
-+ return test_ntlm_allowed(state);
-+}
-+
-+static void test_ntlm_disabled(void **state)
-+{
-+ DATA_BLOB user_sess_key, lm_sess_key;
-+ struct ntlm_state *ntlm_state
-+ = talloc_get_type_abort(*state,
-+ struct ntlm_state);
-+ NTSTATUS status;
-+ status = ntlm_password_check(ntlm_state,
-+ false,
-+ NTLM_AUTH_DISABLED,
-+ 0,
-+ &ntlm_state->challenge,
-+ &ntlm_state->lm,
-+ &ntlm_state->ntlm,
-+ ntlm_state->username,
-+ ntlm_state->username,
-+ ntlm_state->domain,
-+ NULL,
-+ ntlm_state->nt_hash,
-+ &user_sess_key,
-+ &lm_sess_key);
-+
-+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
-+}
-+
-+static void test_ntlm2(void **state)
-+{
-+ DATA_BLOB user_sess_key, lm_sess_key;
-+ struct ntlm_state *ntlm_state
-+ = talloc_get_type_abort(*state,
-+ struct ntlm_state);
-+ NTSTATUS status;
-+ status = ntlm_password_check(ntlm_state,
-+ false,
-+ NTLM_AUTH_ON,
-+ 0,
-+ &ntlm_state->challenge,
-+ &ntlm_state->lm,
-+ &ntlm_state->ntlm,
-+ ntlm_state->username,
-+ ntlm_state->username,
-+ ntlm_state->domain,
-+ NULL,
-+ ntlm_state->nt_hash,
-+ &user_sess_key,
-+ &lm_sess_key);
-+
-+ /*
-+ * NTLM2 session security (where the real challenge is the
-+ * MD5(challenge, client-challenge) (in the first 8 bytes of
-+ * the lm) isn't decoded by ntlm_password_check(), it must
-+ * first be converted back into normal NTLM by the NTLMSSP
-+ * layer
-+ */
-+ assert_int_equal(NT_STATUS_V(status),
-+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
-+}
-+
-+static void test_ntlm_mschapv2_only_allowed(void **state)
-+{
-+ DATA_BLOB user_sess_key, lm_sess_key;
-+ struct ntlm_state *ntlm_state
-+ = talloc_get_type_abort(*state,
-+ struct ntlm_state);
-+ NTSTATUS status;
-+ status = ntlm_password_check(ntlm_state,
-+ false,
-+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
-+ MSV1_0_ALLOW_MSVCHAPV2,
-+ &ntlm_state->challenge,
-+ &ntlm_state->lm,
-+ &ntlm_state->ntlm,
-+ ntlm_state->username,
-+ ntlm_state->username,
-+ ntlm_state->domain,
-+ NULL,
-+ ntlm_state->nt_hash,
-+ &user_sess_key,
-+ &lm_sess_key);
-+
-+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
-+}
-+
-+static void test_ntlm_mschapv2_only_denied(void **state)
-+{
-+ DATA_BLOB user_sess_key, lm_sess_key;
-+ struct ntlm_state *ntlm_state
-+ = talloc_get_type_abort(*state,
-+ struct ntlm_state);
-+ NTSTATUS status;
-+ status = ntlm_password_check(ntlm_state,
-+ false,
-+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
-+ 0,
-+ &ntlm_state->challenge,
-+ &ntlm_state->lm,
-+ &ntlm_state->ntlm,
-+ ntlm_state->username,
-+ ntlm_state->username,
-+ ntlm_state->domain,
-+ NULL,
-+ ntlm_state->nt_hash,
-+ &user_sess_key,
-+ &lm_sess_key);
-+
-+ assert_int_equal(NT_STATUS_V(status),
-+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
-+}
-+
-+static void test_ntlmv2_only_ntlmv2(void **state)
-+{
-+ DATA_BLOB user_sess_key, lm_sess_key;
-+ struct ntlm_state *ntlm_state
-+ = talloc_get_type_abort(*state,
-+ struct ntlm_state);
-+ NTSTATUS status;
-+ status = ntlm_password_check(ntlm_state,
-+ false,
-+ NTLM_AUTH_NTLMV2_ONLY,
-+ 0,
-+ &ntlm_state->challenge,
-+ &ntlm_state->lm,
-+ &ntlm_state->ntlm,
-+ ntlm_state->username,
-+ ntlm_state->username,
-+ ntlm_state->domain,
-+ NULL,
-+ ntlm_state->nt_hash,
-+ &user_sess_key,
-+ &lm_sess_key);
-+
-+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
-+}
-+
-+static void test_ntlmv2_only_ntlm(void **state)
-+{
-+ DATA_BLOB user_sess_key, lm_sess_key;
-+ struct ntlm_state *ntlm_state
-+ = talloc_get_type_abort(*state,
-+ struct ntlm_state);
-+ NTSTATUS status;
-+ status = ntlm_password_check(ntlm_state,
-+ false,
-+ NTLM_AUTH_NTLMV2_ONLY,
-+ 0,
-+ &ntlm_state->challenge,
-+ &ntlm_state->lm,
-+ &ntlm_state->ntlm,
-+ ntlm_state->username,
-+ ntlm_state->username,
-+ ntlm_state->domain,
-+ NULL,
-+ ntlm_state->nt_hash,
-+ &user_sess_key,
-+ &lm_sess_key);
-+
-+ assert_int_equal(NT_STATUS_V(status),
-+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
-+}
-+
-+static void test_ntlmv2_only_ntlm_and_lanman(void **state)
-+{
-+ return test_ntlmv2_only_ntlm(state);
-+}
-+
-+static void test_ntlmv2_only_ntlm_once(void **state)
-+{
-+ DATA_BLOB user_sess_key, lm_sess_key;
-+ struct ntlm_state *ntlm_state
-+ = talloc_get_type_abort(*state,
-+ struct ntlm_state);
-+ NTSTATUS status;
-+ status = ntlm_password_check(ntlm_state,
-+ false,
-+ NTLM_AUTH_NTLMV2_ONLY,
-+ 0,
-+ &ntlm_state->challenge,
-+ &data_blob_null,
-+ &ntlm_state->ntlm,
-+ ntlm_state->username,
-+ ntlm_state->username,
-+ ntlm_state->domain,
-+ NULL,
-+ ntlm_state->nt_hash,
-+ &user_sess_key,
-+ &lm_sess_key);
-+
-+ assert_int_equal(NT_STATUS_V(status),
-+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
-+}
-+
-+int main(int argc, const char **argv)
-+{
-+ const struct CMUnitTest tests[] = {
-+ cmocka_unit_test_setup_teardown(test_ntlm_allowed,
-+ test_ntlm_setup,
-+ test_ntlm_teardown),
-+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,
-+ test_ntlm_and_lm_setup,
-+ test_ntlm_teardown),
-+ cmocka_unit_test_setup_teardown(test_ntlm_disabled,
-+ test_ntlm_setup,
-+ test_ntlm_teardown),
-+ cmocka_unit_test_setup_teardown(test_ntlm2,
-+ test_ntlm2_setup,
-+ test_ntlm_teardown),
-+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,
-+ test_ntlm_setup,
-+ test_ntlm_teardown),
-+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,
-+ test_ntlm_setup,
-+ test_ntlm_teardown),
-+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,
-+ test_ntlm_setup,
-+ test_ntlm_teardown),
-+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,
-+ test_ntlm_and_lm_setup,
-+ test_ntlm_teardown),
-+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,
-+ test_ntlm_setup,
-+ test_ntlm_teardown),
-+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,
-+ test_ntlmv2_setup,
-+ test_ntlm_teardown)
-+ };
-+
-+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
-+ return cmocka_run_group_tests(tests, NULL, NULL);
-+}
-diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
-index 475b7d69406..d319d9b879e 100644
---- a/libcli/auth/wscript_build
-+++ b/libcli/auth/wscript_build
-@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
- bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
- source='spnego_parse.c',
- deps='asn1util')
-+
-+bld.SAMBA_BINARY(
-+ 'test_ntlm_check',
-+ source='tests/ntlm_check.c',
-+ deps='''
-+ NTLM_CHECK
-+ CREDENTIALS_NTLM
-+ samba-credentials
-+ cmocka
-+ talloc
-+ ''',
-+ install=False
-+ )
-diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
-new file mode 100644
-index 00000000000..c6e6a3739ba
---- /dev/null
-+++ b/selftest/knownfail.d/ntlm
-@@ -0,0 +1,2 @@
-+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
-+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
-diff --git a/selftest/tests.py b/selftest/tests.py
-index 3f5097b680c..dc6486c13f8 100644
---- a/selftest/tests.py
-+++ b/selftest/tests.py
-@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
-
- plantestsuite("samba.unittests.smb1cli_session", "none",
- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
-+plantestsuite("samba.unittests.ntlm_check", "none",
-+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
---
-2.14.4
-
-
-From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 14 Mar 2018 15:36:05 +0100
-Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in
- hash_password_check()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
-
-CVE-2018-1139: Weak authentication protocol allowed.
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- libcli/auth/ntlm_check.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
-index 3b02adc1d48..1c6499bd210 100644
---- a/libcli/auth/ntlm_check.c
-+++ b/libcli/auth/ntlm_check.c
-@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
- const struct samr_Password *stored_nt)
- {
- if (stored_nt == NULL) {
-- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
-+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
- username));
- }
-
-@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
- if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
- return NT_STATUS_OK;
- } else {
-- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
-+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- } else if (client_lanman && stored_lanman) {
- if (!lanman_auth) {
-- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
-+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
- if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
- return NT_STATUS_OK;
- } else {
-- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
-+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
---
-2.14.4
-
-
-From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 14 Mar 2018 15:35:01 +0100
-Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in
- ntlm_password_check().
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
-
-CVE-2018-1139: Weak authentication protocol allowed.
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/utils/ntlm_auth.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
-index 3f544902a24..8f77680416f 100644
---- a/source3/utils/ntlm_auth.c
-+++ b/source3/utils/ntlm_auth.c
-@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
- *pauthoritative = 1;
-
- nt_status = ntlm_password_check(mem_ctx,
-- true, true, 0,
-+ true, NTLM_AUTH_ON, 0,
- &auth4_context->challenge.data,
- &user_info->password.response.lanman,
- &user_info->password.response.nt,
-@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
-
- nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
- nt_status = ntlm_password_check(mem_ctx,
-- true, true, 0,
-+ true,
-+ NTLM_AUTH_ON,
-+ 0,
- &challenge,
- &lm_response,
- &nt_response,
---
-2.14.4
-
-
-From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 16 Mar 2018 17:25:12 +0100
-Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used
- via SMB1 when it is disabled.
-
-Right now, this test will succeed.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
-
-CVE-2018-1139: Weak authentication protocol allowed.
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/selftest/tests.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index 9092c1776c8..034c014e5b8 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
- plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
- plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
-
--for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
-+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:
- for env in ["nt4_member", "ad_member"]:
- plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
- plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
---
-2.14.4
-
-
-From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 13 Mar 2018 16:56:20 +0100
-Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1
- when it is disabled via "ntlm auth".
-
-This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
-
-Found by Vivek Das <vdas@redhat.com> (Red Hat QE).
-
-In order to demonstrate simply run:
-
-smbclient //server/share -U user%password -mNT1 -c quit \
---option="client ntlmv2 auth"=no \
---option="client use spnego"=no
-
-against a server that uses "ntlm auth = ntlmv2-only" (our default
-setting).
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
-
-CVE-2018-1139: Weak authentication protocol allowed.
-
-Guenther
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- libcli/auth/ntlm_check.c | 2 +-
- selftest/knownfail | 3 ++-
- selftest/knownfail.d/ntlm | 2 --
- 3 files changed, 3 insertions(+), 4 deletions(-)
- delete mode 100644 selftest/knownfail.d/ntlm
-
-diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
-index 1c6499bd210..b68e9c87888 100644
---- a/libcli/auth/ntlm_check.c
-+++ b/libcli/auth/ntlm_check.c
-@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- - I think this is related to Win9X pass-though authentication
- */
- DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
-- if (ntlm_auth) {
-+ if (ntlm_auth == NTLM_AUTH_ON) {
- if (smb_pwd_check_ntlmv1(mem_ctx,
- lm_response,
- stored_nt->hash, challenge,
-diff --git a/selftest/knownfail b/selftest/knownfail
-index ba16fd72290..84776d4f35d 100644
---- a/selftest/knownfail
-+++ b/selftest/knownfail
-@@ -303,8 +303,9 @@
- ^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
- # fl2000dc doesn't support AES
- ^samba4.krb5.kdc.*as-req-aes.*fl2000dc
--# nt4_member and ad_member don't support ntlmv1
-+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
- ^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
-+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
- #nt-vfs server blocks read with execute access
- ^samba4.smb2.read.access
- #ntvfs server blocks copychunk with execute access on read handle
-diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
-deleted file mode 100644
-index c6e6a3739ba..00000000000
---- a/selftest/knownfail.d/ntlm
-+++ /dev/null
-@@ -1,2 +0,0 @@
--^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
--^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
---
-2.14.4
-
diff --git a/SOURCES/samba-4.10-fix_gencache_debug_message.patch b/SOURCES/samba-4.10-fix_gencache_debug_message.patch
new file mode 100644
index 0000000..2440c97
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_gencache_debug_message.patch
@@ -0,0 +1,38 @@
+From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 17 Jan 2019 13:58:14 +0100
+Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries.
+
+To get correct values, we need to cast 'timeout' to 'long int' first in
+order to do calculation in that integer space! Calculations are don in
+the space of the lvalue!
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/lib/gencache.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
+index ab12fc1c531..9f4e1cfcaa3 100644
+--- a/source3/lib/gencache.c
++++ b/source3/lib/gencache.c
+@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob,
+ dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len };
+ dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length };
+
+- DEBUG(10, ("Adding cache entry with key=[%s] and timeout="
+- "[%s] (%d seconds %s)\n", keystr,
++ DBG_DEBUG("Adding cache entry with key=[%s] and timeout="
++ "[%s] (%ld seconds %s)\n", keystr,
+ timestring(talloc_tos(), timeout),
+- (int)(timeout - time(NULL)),
+- timeout > time(NULL) ? "ahead" : "in the past"));
++ ((long int)timeout) - time(NULL),
++ timeout > time(NULL) ? "ahead" : "in the past");
+
+ ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr),
+ dbufs, 2, 0);
+--
+2.20.1
+
diff --git a/SOURCES/samba-4.8-fix_cups_smbspool_backend.part1.patch b/SOURCES/samba-4.8-fix_cups_smbspool_backend.part1.patch
deleted file mode 100644
index 61fd9bd..0000000
--- a/SOURCES/samba-4.8-fix_cups_smbspool_backend.part1.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 56fb8aec557bb5b7264df2713b85b282e1c81f84 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 May 2019 16:18:51 +0200
-Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos
- credentials
-
-This is a regression which has been introduced with Samba 4.8.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit fd4b1f4f16aee3e3c9a2cb449655edfed171963a)
----
- source3/client/smbspool.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 8be1009c0a8..ecaaf3c3f22 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -660,7 +660,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */
- * behavior with 3.0.14a
- */
-
-- if (username != NULL && username[0] != '\0') {
-+ if (username == NULL || username[0] == '\0') {
- if (kerberos_ccache_is_valid()) {
- goto kerberos_auth;
- }
---
-2.21.0
-
diff --git a/SOURCES/samba-4.8-fix_cups_smbspool_backend.part2.patch b/SOURCES/samba-4.8-fix_cups_smbspool_backend.part2.patch
deleted file mode 100644
index f682db0..0000000
--- a/SOURCES/samba-4.8-fix_cups_smbspool_backend.part2.patch
+++ /dev/null
@@ -1,1094 +0,0 @@
-From ab9266a2907fe523937d8576f6de7313d577c2e8 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 16:55:49 +0200
-Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups
-
-This is required to access files in /var/spool/cups which have been
-temporarily created in there by CUPS.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b)
----
- source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 5c4da33238b..e6684fc0d0c 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -82,6 +82,7 @@ int main(int argc, char *argv[])
- {
- char smbspool_cmd[PATH_MAX] = {0};
- struct passwd *pwd;
-+ struct group *g = NULL;
- char gen_cc[PATH_MAX] = {0};
- struct stat sb;
- char *env = NULL;
-@@ -89,6 +90,7 @@ int main(int argc, char *argv[])
- char device_uri[4096] = {0};
- uid_t uid = (uid_t)-1;
- gid_t gid = (gid_t)-1;
-+ gid_t groups[1] = { (gid_t)-1 };
- unsigned long tmp;
- int cmp;
- int rc;
-@@ -176,6 +178,26 @@ int main(int argc, char *argv[])
- return CUPS_BACKEND_FAILED;
- }
-
-+ /*
-+ * We need the primary group of the 'lp' user. This is needed to access
-+ * temporary files in /var/spool/cups/.
-+ */
-+ g = getgrnam("lp");
-+ if (g == NULL) {
-+ CUPS_SMB_ERROR("Failed to find user 'lp' - %s",
-+ strerror(errno));
-+ return CUPS_BACKEND_FAILED;
-+ }
-+
-+ CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid);
-+ groups[0] = g->gr_gid;
-+ rc = setgroups(sizeof(groups), groups);
-+ if (rc != 0) {
-+ CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s",
-+ strerror(errno));
-+ return CUPS_BACKEND_FAILED;
-+ }
-+
- CUPS_SMB_DEBUG("Switching to gid=%d", gid);
- rc = setgid(gid);
- if (rc != 0) {
---
-2.21.0
-
-
-From d3ab97ba608b0c3000e733e3e56dd7da7bae617a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 13:41:02 +0200
-Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate
- with
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5)
----
- source3/client/smbspool.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index ecaaf3c3f22..98959bb677b 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -612,6 +612,7 @@ static bool kerberos_ccache_is_valid(void) {
- return false;
- } else {
- krb5_principal default_princ = NULL;
-+ char *princ_name = NULL;
-
- code = krb5_cc_get_principal(ctx,
- ccache,
-@@ -621,6 +622,16 @@ static bool kerberos_ccache_is_valid(void) {
- krb5_free_context(ctx);
- return false;
- }
-+
-+ code = krb5_unparse_name(ctx,
-+ default_princ,
-+ &princ_name);
-+ if (code == 0) {
-+ fprintf(stderr,
-+ "DEBUG: Try to authenticate as %s\n",
-+ princ_name);
-+ krb5_free_unparsed_name(ctx, princ_name);
-+ }
- krb5_free_principal(ctx, default_princ);
- }
- krb5_cc_close(ctx, ccache);
---
-2.21.0
-
-
-From b8588870940e282aa2d5f9d553771fcba91681c7 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 14:25:00 +0200
-Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba)
----
- source3/client/smbspool_krb5_wrapper.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index e6684fc0d0c..2cdcd372ec6 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -219,10 +219,14 @@ int main(int argc, char *argv[])
- env = getenv("KRB5CCNAME");
- if (env != NULL && env[0] != 0) {
- snprintf(gen_cc, sizeof(gen_cc), "%s", env);
-+ CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache",
-+ gen_cc);
-
- goto create_env;
- }
-
-+ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
-+
- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
-
- rc = lstat(gen_cc, &sb);
---
-2.21.0
-
-
-From 30feae8f20fb60999727cc4a6777b2823db46a64 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 17:10:57 +0200
-Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858)
----
- source3/client/smbspool_krb5_wrapper.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 2cdcd372ec6..3266b90ec1a 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -227,13 +227,13 @@ int main(int argc, char *argv[])
-
- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
-
-- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
-+ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
-
- rc = lstat(gen_cc, &sb);
- if (rc == 0) {
-- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid);
-+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
- } else {
-- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid);
-+ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
-
- rc = lstat(gen_cc, &sb);
- if (rc == 0 && S_ISDIR(sb.st_mode)) {
---
-2.21.0
-
-
-From 98b782f300a899ad39fe17fa62ccbe4932e8cd29 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 17:40:43 +0200
-Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is
- not set
-
-This could also support the new KCM credential cache storage.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3)
----
- source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++--------
- source3/wscript_build | 1 +
- 2 files changed, 55 insertions(+), 25 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 3266b90ec1a..bff1df417e8 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -21,6 +21,7 @@
-
- #include "includes.h"
- #include "system/filesys.h"
-+#include "system/kerberos.h"
- #include "system/passwd.h"
-
- #include <errno.h>
-@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...)
- buffer);
- }
-
-+static bool kerberos_get_default_ccache(char *ccache_buf, size_t len)
-+{
-+ krb5_context ctx;
-+ const char *ccache_name = NULL;
-+ char *full_ccache_name = NULL;
-+ krb5_ccache ccache = NULL;
-+ krb5_error_code code;
-+
-+ code = krb5_init_context(&ctx);
-+ if (code != 0) {
-+ return false;
-+ }
-+
-+ ccache_name = krb5_cc_default_name(ctx);
-+ if (ccache_name == NULL) {
-+ krb5_free_context(ctx);
-+ return false;
-+ }
-+
-+ code = krb5_cc_resolve(ctx, ccache_name, &ccache);
-+ if (code != 0) {
-+ krb5_free_context(ctx);
-+ return false;
-+ }
-+
-+ code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name);
-+ krb5_cc_close(ctx, ccache);
-+ if (code != 0) {
-+ krb5_free_context(ctx);
-+ return false;
-+ }
-+
-+ snprintf(ccache_buf, len, "%s", full_ccache_name);
-+
-+#ifdef SAMBA4_USES_HEIMDAL
-+ free(full_ccache_name);
-+#else
-+ krb5_free_string(ctx, full_ccache_name);
-+#endif
-+ krb5_free_context(ctx);
-+
-+ return true;
-+}
-+
- /*
- * This is a helper binary to execute smbspool.
- *
-@@ -84,7 +129,6 @@ int main(int argc, char *argv[])
- struct passwd *pwd;
- struct group *g = NULL;
- char gen_cc[PATH_MAX] = {0};
-- struct stat sb;
- char *env = NULL;
- char auth_info_required[256] = {0};
- char device_uri[4096] = {0};
-@@ -92,6 +136,7 @@ int main(int argc, char *argv[])
- gid_t gid = (gid_t)-1;
- gid_t groups[1] = { (gid_t)-1 };
- unsigned long tmp;
-+ bool ok;
- int cmp;
- int rc;
-
-@@ -225,32 +270,16 @@ int main(int argc, char *argv[])
- goto create_env;
- }
-
-- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
--
-- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
--
-- rc = lstat(gen_cc, &sb);
-- if (rc == 0) {
-- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
-- } else {
-- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
--
-- rc = lstat(gen_cc, &sb);
-- if (rc == 0 && S_ISDIR(sb.st_mode)) {
-- snprintf(gen_cc,
-- sizeof(gen_cc),
-- "DIR:/run/user/%d/krb5cc",
-- uid);
-- } else {
--#if defined(__linux__)
-- snprintf(gen_cc,
-- sizeof(gen_cc),
-- "KEYRING:persistent:%d",
-- uid);
--#endif
-- }
-+ ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc));
-+ if (ok) {
-+ CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]",
-+ gen_cc);
-+ goto create_env;
- }
-
-+ /* Fallback to a FILE ccache */
-+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
-+
- create_env:
- /*
- * Make sure we do not have LD_PRELOAD or other security relevant
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 15c93e46bc3..694acbfa754 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -1120,6 +1120,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
- deps='''
- DYNCONFIG
- cups
-+ krb5
- ''',
- install_path='${LIBEXECDIR}/samba',
- enabled=bld.CONFIG_SET('HAVE_CUPS'))
---
-2.21.0
-
-
-From 0ffe2ecb356780264b157a03157875758431102f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 16:48:31 +0200
-Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd)
----
- source3/client/smbspool.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 98959bb677b..43f0cbc04e1 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -223,7 +223,9 @@ main(int argc, /* I - Number of command-line arguments */
-
- fp = fopen(print_file, "rb");
- if (fp == NULL) {
-- perror("ERROR: Unable to open print file");
-+ fprintf(stderr,
-+ "ERROR: Unable to open print file: %s",
-+ print_file);
- goto done;
- }
-
---
-2.21.0
-
-
-From 9d662cda9def334de3a27cab7d77ab6c9deb3f16 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 18:54:02 +0200
-Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos
-
-If username and password is given, then fallback to NTLM. However try
-kinit first. Also we correctly handle NULL passwords in the meantime and
-this makes it easier to deal with issues.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d)
----
- source3/client/smbspool.c | 90 ++++++++++++++++++++++-----------------
- 1 file changed, 51 insertions(+), 39 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 43f0cbc04e1..f8e6a76ba11 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -87,8 +87,8 @@ main(int argc, /* I - Number of command-line arguments */
- int port; /* Port number */
- char uri[1024], /* URI */
- *sep, /* Pointer to separator */
-- *tmp, *tmp2, /* Temp pointers to do escaping */
-- *password; /* Password */
-+ *tmp, *tmp2; /* Temp pointers to do escaping */
-+ const char *password = NULL; /* Password */
- char *username, /* Username */
- *server, /* Server name */
- *printer;/* Printer name */
-@@ -292,8 +292,6 @@ main(int argc, /* I - Number of command-line arguments */
- if ((tmp2 = strchr_m(tmp, ':')) != NULL) {
- *tmp2++ = '\0';
- password = uri_unescape_alloc(tmp2);
-- } else {
-- password = empty_str;
- }
- username = uri_unescape_alloc(tmp);
- } else {
-@@ -301,14 +299,15 @@ main(int argc, /* I - Number of command-line arguments */
- username = empty_str;
- }
-
-- if ((password = getenv("AUTH_PASSWORD")) == NULL) {
-- password = empty_str;
-+ env = getenv("AUTH_PASSWORD");
-+ if (env != NULL && strlen(env) > 0) {
-+ password = env;
- }
-
- server = uri + 6;
- }
-
-- if (password != empty_str) {
-+ if (password != NULL) {
- auth_info_required = "username,password";
- }
-
-@@ -513,6 +512,7 @@ smb_complete_connection(const char *myname,
- NTSTATUS nt_status;
- struct cli_credentials *creds = NULL;
- bool use_kerberos = false;
-+ bool fallback_after_kerberos = false;
-
- /* Start the SMB connection */
- *need_auth = false;
-@@ -523,27 +523,21 @@ smb_complete_connection(const char *myname,
- return NULL;
- }
-
-- /*
-- * We pretty much guarantee password must be valid or a pointer to a
-- * 0 char.
-- */
-- if (!password) {
-- *need_auth = true;
-- return NULL;
-- }
--
- if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
-- auth_info_required = "negotiate";
- use_kerberos = true;
- }
-
-+ if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) {
-+ fallback_after_kerberos = true;
-+ }
-+
- creds = cli_session_creds_init(cli,
- username,
- workgroup,
- NULL, /* realm */
- password,
- use_kerberos,
-- false, /* fallback_after_kerberos */
-+ fallback_after_kerberos,
- false, /* use_ccache */
- false); /* password_is_nt_hash */
- if (creds == NULL) {
-@@ -659,6 +653,10 @@ smb_connect(const char *workgroup, /* I - Workgroup */
- struct cli_state *cli; /* New connection */
- char *myname = NULL; /* Client name */
- struct passwd *pwd;
-+ int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
-+ bool use_kerberos = false;
-+ const char *user = username;
-+ int cmp;
-
- /*
- * Get the names and addresses of the client and server...
-@@ -668,42 +666,56 @@ smb_connect(const char *workgroup, /* I - Workgroup */
- return NULL;
- }
-
-- /*
-- * See if we have a username first. This is for backwards compatible
-- * behavior with 3.0.14a
-- */
-
-- if (username == NULL || username[0] == '\0') {
-- if (kerberos_ccache_is_valid()) {
-- goto kerberos_auth;
-+ cmp = strcmp(auth_info_required, "negotiate");
-+ if (cmp == 0) {
-+ if (!kerberos_ccache_is_valid()) {
-+ return NULL;
- }
-+ user = jobusername;
-+
-+ use_kerberos = true;
-+ fprintf(stderr,
-+ "DEBUG: Try to connect using Kerberos ...\n");
-+ }
-+
-+ cmp = strcmp(auth_info_required, "username,password");
-+ if (cmp == 0) {
-+ if (username == NULL || username[0] == '\0') {
-+ return NULL;
-+ }
-+
-+ /* Fallback to NTLM */
-+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
-+
-+ fprintf(stderr,
-+ "DEBUG: Try to connect using username/password ...\n");
-+ }
-+
-+ cmp = strcmp(auth_info_required, "none");
-+ if (cmp == 0) {
-+ fprintf(stderr,
-+ "DEBUG: This backend doesn't support none auth ...\n");
-+ return NULL;
- }
-
- cli = smb_complete_connection(myname,
- server,
- port,
-- username,
-+ user,
- password,
- workgroup,
- share,
-- 0,
-+ flags,
- need_auth);
- if (cli != NULL) {
-- fputs("DEBUG: Connected with username/password...\n", stderr);
-+ fprintf(stderr, "DEBUG: SMB connection established.\n");
- return (cli);
- }
-
--kerberos_auth:
-- /*
-- * Try to use the user kerberos credentials (if any) to authenticate
-- */
-- cli = smb_complete_connection(myname, server, port, jobusername, "",
-- workgroup, share,
-- CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
--
-- if (cli) {
-- fputs("DEBUG: Connected using Kerberos...\n", stderr);
-- return (cli);
-+ if (!use_kerberos) {
-+ fprintf(stderr, "ERROR: SMB connection failed!\n");
-+ return NULL;
- }
-
- /* give a chance for a passwordless NTLMSSP session setup */
---
-2.21.0
-
-
-From 56f58726a1f3b98e64e9f6b27c275cc0044e2a9f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 18:24:32 +0200
-Subject: [PATCH 8/9] s3:smbspool: Add debug messages to
- kerberos_ccache_is_valid()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3)
----
- source3/client/smbspool.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index f8e6a76ba11..ed5837daa0d 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -599,11 +599,15 @@ static bool kerberos_ccache_is_valid(void) {
-
- ccache_name = krb5_cc_default_name(ctx);
- if (ccache_name == NULL) {
-+ DBG_ERR("Failed to get default ccache name\n");
-+ krb5_free_context(ctx);
- return false;
- }
-
- code = krb5_cc_resolve(ctx, ccache_name, &ccache);
- if (code != 0) {
-+ DBG_ERR("Failed to resolve ccache name: %s\n",
-+ ccache_name);
- krb5_free_context(ctx);
- return false;
- } else {
-@@ -614,6 +618,9 @@ static bool kerberos_ccache_is_valid(void) {
- ccache,
- &default_princ);
- if (code != 0) {
-+ DBG_ERR("Failed to get default principal from "
-+ "ccache: %s\n",
-+ ccache_name);
- krb5_cc_close(ctx, ccache);
- krb5_free_context(ctx);
- return false;
---
-2.21.0
-
-
-From cec536a0437b28e207cb69c318cb5769575d1761 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 14 May 2019 11:35:46 +0200
-Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes
-
-This allows us to simplify some code and return better errors.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea)
----
- source3/client/smbspool.c | 250 ++++++++++++++++++++++----------------
- 1 file changed, 145 insertions(+), 105 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index ed5837daa0d..1c09ca0826d 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -60,12 +60,27 @@
- * Local functions...
- */
-
--static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
-+static int get_exit_code(NTSTATUS nt_status);
- static void list_devices(void);
--static struct cli_state *smb_complete_connection(const char *, const char *,
-- int, const char *, const char *, const char *, const char *, int, bool *need_auth);
--static struct cli_state *smb_connect(const char *, const char *, int, const
-- char *, const char *, const char *, const char *, bool *need_auth);
-+static NTSTATUS
-+smb_complete_connection(struct cli_state **output_cli,
-+ const char *myname,
-+ const char *server,
-+ int port,
-+ const char *username,
-+ const char *password,
-+ const char *workgroup,
-+ const char *share,
-+ int flags);
-+static NTSTATUS
-+smb_connect(struct cli_state **output_cli,
-+ const char *workgroup,
-+ const char *server,
-+ const int port,
-+ const char *share,
-+ const char *username,
-+ const char *password,
-+ const char *jobusername);
- static int smb_print(struct cli_state *, const char *, FILE *);
- static char *uri_unescape_alloc(const char *);
- #if 0
-@@ -89,16 +104,15 @@ main(int argc, /* I - Number of command-line arguments */
- *sep, /* Pointer to separator */
- *tmp, *tmp2; /* Temp pointers to do escaping */
- const char *password = NULL; /* Password */
-- char *username, /* Username */
-- *server, /* Server name */
-+ const char *username = NULL; /* Username */
-+ char *server, /* Server name */
- *printer;/* Printer name */
- const char *workgroup; /* Workgroup */
- FILE *fp; /* File to print */
- int status = 1; /* Status of LPD job */
-- struct cli_state *cli; /* SMB interface */
-- char empty_str[] = "";
-+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
-+ struct cli_state *cli = NULL; /* SMB interface */
- int tries = 0;
-- bool need_auth = true;
- const char *dev_uri = NULL;
- const char *env = NULL;
- const char *config_file = NULL;
-@@ -295,8 +309,9 @@ main(int argc, /* I - Number of command-line arguments */
- }
- username = uri_unescape_alloc(tmp);
- } else {
-- if ((username = getenv("AUTH_USERNAME")) == NULL) {
-- username = empty_str;
-+ env = getenv("AUTH_USERNAME");
-+ if (env != NULL && strlen(env) > 0) {
-+ username = env;
- }
-
- env = getenv("AUTH_PASSWORD");
-@@ -368,27 +383,39 @@ main(int argc, /* I - Number of command-line arguments */
- load_interfaces();
-
- do {
-- cli = smb_connect(workgroup,
-- server,
-- port,
-- printer,
-- username,
-- password,
-- print_user,
-- &need_auth);
-- if (cli == NULL) {
-- if (need_auth) {
-- exit(2);
-+ nt_status = smb_connect(&cli,
-+ workgroup,
-+ server,
-+ port,
-+ printer,
-+ username,
-+ password,
-+ print_user);
-+ if (!NT_STATUS_IS_OK(nt_status)) {
-+ status = get_exit_code(nt_status);
-+ if (status == 2) {
-+ fprintf(stderr,
-+ "DEBUG: Unable to connect to CIFS "
-+ "host: %s",
-+ nt_errstr(nt_status));
-+ goto done;
- } else if (getenv("CLASS") == NULL) {
-- fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
-+ fprintf(stderr,
-+ "ERROR: Unable to connect to CIFS "
-+ "host: %s. Will retry in 60 "
-+ "seconds...\n",
-+ nt_errstr(nt_status));
- sleep(60);
- tries++;
- } else {
-- fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
-+ fprintf(stderr,
-+ "ERROR: Unable to connect to CIFS "
-+ "host: %s. Trying next printer...\n",
-+ nt_errstr(nt_status));
- goto done;
- }
- }
-- } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
-+ } while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT));
-
- if (cli == NULL) {
- fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
-@@ -435,10 +462,9 @@ done:
- */
-
- static int
--get_exit_code(struct cli_state * cli,
-- NTSTATUS nt_status)
-+get_exit_code(NTSTATUS nt_status)
- {
-- int i;
-+ size_t i;
-
- /* List of NTSTATUS errors that are considered
- * authentication errors
-@@ -454,17 +480,16 @@ get_exit_code(struct cli_state * cli,
- };
-
-
-- fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n",
-- cli, nt_errstr(nt_status), NT_STATUS_V(nt_status));
-+ fprintf(stderr,
-+ "DEBUG: get_exit_code(nt_status=%s [%x])\n",
-+ nt_errstr(nt_status), NT_STATUS_V(nt_status));
-
- for (i = 0; i < ARRAY_SIZE(auth_errors); i++) {
- if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) {
- continue;
- }
-
-- if (cli) {
-- fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
-- }
-+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
-
- /*
- * 2 = authentication required...
-@@ -497,16 +522,16 @@ list_devices(void)
- }
-
-
--static struct cli_state *
--smb_complete_connection(const char *myname,
-+static NTSTATUS
-+smb_complete_connection(struct cli_state **output_cli,
-+ const char *myname,
- const char *server,
- int port,
- const char *username,
- const char *password,
- const char *workgroup,
- const char *share,
-- int flags,
-- bool *need_auth)
-+ int flags)
- {
- struct cli_state *cli; /* New connection */
- NTSTATUS nt_status;
-@@ -515,12 +540,11 @@ smb_complete_connection(const char *myname,
- bool fallback_after_kerberos = false;
-
- /* Start the SMB connection */
-- *need_auth = false;
- nt_status = cli_start_connection(&cli, myname, server, NULL, port,
- SMB_SIGNING_DEFAULT, flags);
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status));
-- return NULL;
-+ return nt_status;
- }
-
- if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
-@@ -543,20 +567,16 @@ smb_complete_connection(const char *myname,
- if (creds == NULL) {
- fprintf(stderr, "ERROR: cli_session_creds_init failed\n");
- cli_shutdown(cli);
-- return NULL;
-+ return NT_STATUS_NO_MEMORY;
- }
-
- nt_status = cli_session_setup_creds(cli, creds);
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
-
-- if (get_exit_code(cli, nt_status) == 2) {
-- *need_auth = true;
-- }
--
- cli_shutdown(cli);
-
-- return NULL;
-+ return nt_status;
- }
-
- nt_status = cli_tree_connect_creds(cli, share, "?????", creds);
-@@ -564,13 +584,9 @@ smb_complete_connection(const char *myname,
- fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
- nt_errstr(nt_status));
-
-- if (get_exit_code(cli, nt_status) == 2) {
-- *need_auth = true;
-- }
--
- cli_shutdown(cli);
-
-- return NULL;
-+ return nt_status;
- }
- #if 0
- /* Need to work out how to specify this on the URL. */
-@@ -583,7 +599,8 @@ smb_complete_connection(const char *myname,
- }
- #endif
-
-- return cli;
-+ *output_cli = cli;
-+ return NT_STATUS_OK;
- }
-
- static bool kerberos_ccache_is_valid(void) {
-@@ -647,49 +664,48 @@ static bool kerberos_ccache_is_valid(void) {
- * 'smb_connect()' - Return a connection to a server.
- */
-
--static struct cli_state * /* O - SMB connection */
--smb_connect(const char *workgroup, /* I - Workgroup */
-+static NTSTATUS
-+smb_connect(struct cli_state **output_cli,
-+ const char *workgroup, /* I - Workgroup */
- const char *server, /* I - Server */
- const int port, /* I - Port */
- const char *share, /* I - Printer */
- const char *username, /* I - Username */
- const char *password, /* I - Password */
-- const char *jobusername, /* I - User who issued the print job */
-- bool *need_auth)
--{ /* O - Need authentication? */
-- struct cli_state *cli; /* New connection */
-+ const char *jobusername) /* I - User who issued the print job */
-+{
-+ struct cli_state *cli = NULL; /* New connection */
- char *myname = NULL; /* Client name */
- struct passwd *pwd;
- int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
- bool use_kerberos = false;
- const char *user = username;
-- int cmp;
-+ NTSTATUS nt_status;
-
- /*
- * Get the names and addresses of the client and server...
- */
- myname = get_myname(talloc_tos());
- if (!myname) {
-- return NULL;
-+ return NT_STATUS_NO_MEMORY;
- }
-
-
-- cmp = strcmp(auth_info_required, "negotiate");
-- if (cmp == 0) {
-+ if (strcmp(auth_info_required, "negotiate") == 0) {
- if (!kerberos_ccache_is_valid()) {
-- return NULL;
-+ fprintf(stderr,
-+ "ERROR: No valid Kerberos credential cache "
-+ "found!\n");
-+ return NT_STATUS_LOGON_FAILURE;
- }
- user = jobusername;
-
- use_kerberos = true;
- fprintf(stderr,
- "DEBUG: Try to connect using Kerberos ...\n");
-- }
--
-- cmp = strcmp(auth_info_required, "username,password");
-- if (cmp == 0) {
-- if (username == NULL || username[0] == '\0') {
-- return NULL;
-+ } else if (strcmp(auth_info_required, "username,password") == 0) {
-+ if (username == NULL) {
-+ return NT_STATUS_INVALID_ACCOUNT_NAME;
- }
-
- /* Fallback to NTLM */
-@@ -697,59 +713,83 @@ smb_connect(const char *workgroup, /* I - Workgroup */
-
- fprintf(stderr,
- "DEBUG: Try to connect using username/password ...\n");
-- }
-+ } else {
-+ if (username != NULL) {
-+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
-+ } else if (kerberos_ccache_is_valid()) {
-+ auth_info_required = "negotiate";
-
-- cmp = strcmp(auth_info_required, "none");
-- if (cmp == 0) {
-- fprintf(stderr,
-- "DEBUG: This backend doesn't support none auth ...\n");
-- return NULL;
-+ user = jobusername;
-+ use_kerberos = true;
-+ } else {
-+ fprintf(stderr,
-+ "DEBUG: This backend requires credentials!\n");
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
- }
-
-- cli = smb_complete_connection(myname,
-- server,
-- port,
-- user,
-- password,
-- workgroup,
-- share,
-- flags,
-- need_auth);
-- if (cli != NULL) {
-+ nt_status = smb_complete_connection(&cli,
-+ myname,
-+ server,
-+ port,
-+ user,
-+ password,
-+ workgroup,
-+ share,
-+ flags);
-+ if (NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "DEBUG: SMB connection established.\n");
-- return (cli);
-+
-+ *output_cli = cli;
-+ return NT_STATUS_OK;
- }
-
- if (!use_kerberos) {
- fprintf(stderr, "ERROR: SMB connection failed!\n");
-- return NULL;
-+ return nt_status;
- }
-
- /* give a chance for a passwordless NTLMSSP session setup */
- pwd = getpwuid(geteuid());
- if (pwd == NULL) {
-- return NULL;
-- }
--
-- cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
-- workgroup, share, 0, need_auth);
--
-- if (cli) {
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
-+ nt_status = smb_complete_connection(&cli,
-+ myname,
-+ server,
-+ port,
-+ pwd->pw_name,
-+ "",
-+ workgroup,
-+ share,
-+ 0);
-+ if (NT_STATUS_IS_OK(nt_status)) {
- fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
-- return (cli);
-+
-+ *output_cli = cli;
-+ return NT_STATUS_OK;
- }
-
- /*
- * last try. Use anonymous authentication
- */
-
-- cli = smb_complete_connection(myname, server, port, "", "",
-- workgroup, share, 0, need_auth);
-- /*
-- * Return the new connection...
-- */
--
-- return (cli);
-+ nt_status = smb_complete_connection(&cli,
-+ myname,
-+ server,
-+ port,
-+ "",
-+ "",
-+ workgroup,
-+ share,
-+ 0);
-+ if (NT_STATUS_IS_OK(nt_status)) {
-+ *output_cli = cli;
-+ return NT_STATUS_OK;
-+ }
-+
-+ return nt_status;
- }
-
-
-@@ -795,7 +835,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: %s opening remote spool %s\n",
- nt_errstr(nt_status), title);
-- return get_exit_code(cli, nt_status);
-+ return get_exit_code(nt_status);
- }
-
- /*
-@@ -813,7 +853,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
- tbytes, nbytes, NULL);
- if (!NT_STATUS_IS_OK(status)) {
-- int ret = get_exit_code(cli, status);
-+ int ret = get_exit_code(status);
- fprintf(stderr, "ERROR: Error writing spool: %s\n",
- nt_errstr(status));
- fprintf(stderr, "DEBUG: Returning status %d...\n",
-@@ -829,7 +869,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: %s closing remote spool %s\n",
- nt_errstr(nt_status), title);
-- return get_exit_code(cli, nt_status);
-+ return get_exit_code(nt_status);
- } else {
- return (0);
- }
---
-2.21.0
-
diff --git a/SOURCES/samba-4.8-fix_smbspool_as_cups_backend.patch b/SOURCES/samba-4.8-fix_smbspool_as_cups_backend.patch
deleted file mode 100644
index 581cc98..0000000
--- a/SOURCES/samba-4.8-fix_smbspool_as_cups_backend.patch
+++ /dev/null
@@ -1,557 +0,0 @@
-From c4c36c2ecc0ed1254e02f046ce08b4937fe26ee6 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 10:15:05 +0100
-Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit fad5e4eaeb9202c1b63c42ea09254c17c473e33a)
----
- source3/script/tests/test_smbspool.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
-index d95ed064634..f28c0909334 100755
---- a/source3/script/tests/test_smbspool.sh
-+++ b/source3/script/tests/test_smbspool.sh
-@@ -99,8 +99,8 @@ test_vlp_verify()
- fi
-
- jobid=$(echo "$out" | awk '/[0-9]+/ { print $1 };')
-- if [ $jobid -lt 1000 || $jobid -gt 2000 ]; then
-- echo "failed to get jobid"
-+ if [ -z "$jobid" ] || [ $jobid -lt 100 || [ $jobid -gt 2000 ]; then
-+ echo "Invalid jobid: $jobid"
- echo "$out"
- return 1
- fi
---
-2.20.1
-
-
-From 72f86fe6f41bbe7891fe81811b3234b6662de8da Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 09:40:58 +0100
-Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to
- smbspool
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 43160184d254a57f87bb2adeba47f48d8539533a)
----
- source3/client/smbspool_krb5_wrapper.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index dee3b4c54be..5c4da33238b 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -84,24 +84,36 @@ int main(int argc, char *argv[])
- struct passwd *pwd;
- char gen_cc[PATH_MAX] = {0};
- struct stat sb;
-- char *env;
-+ char *env = NULL;
-+ char auth_info_required[256] = {0};
-+ char device_uri[4096] = {0};
- uid_t uid = (uid_t)-1;
- gid_t gid = (gid_t)-1;
- unsigned long tmp;
- int cmp;
- int rc;
-
-+ env = getenv("DEVICE_URI");
-+ if (env != NULL && strlen(env) > 2) {
-+ snprintf(device_uri, sizeof(device_uri), "%s", env);
-+ }
-+
- /* Check if AuthInfoRequired is set to negotiate */
- env = getenv("AUTH_INFO_REQUIRED");
-
- /* If not set, then just call smbspool. */
-- if (env == NULL) {
-+ if (env == NULL || env[0] == 0) {
- CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
- "execute smbspool");
- goto smbspool;
- } else {
- CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
-
-+ snprintf(auth_info_required,
-+ sizeof(auth_info_required),
-+ "%s",
-+ env);
-+
- cmp = strcmp(env, "username,password");
- if (cmp == 0) {
- CUPS_SMB_DEBUG("Authenticate using username/password - "
-@@ -223,12 +235,18 @@ create_env:
- #else
- {
- extern char **environ;
-- environ = calloc(1, sizeof(*environ));
-+ environ = calloc(3, sizeof(*environ));
- }
- #endif
-
- CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc);
- setenv("KRB5CCNAME", gen_cc, 1);
-+ if (device_uri[0] != '\0') {
-+ setenv("DEVICE_URI", device_uri, 1);
-+ }
-+ if (auth_info_required[0] != '\0') {
-+ setenv("AUTH_INFO_REQUIRED", auth_info_required, 1);
-+ }
-
- smbspool:
- snprintf(smbspool_cmd,
---
-2.20.1
-
-
-From 47771d9ceff2771b5fda430e1836237d85300407 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 4 Jan 2019 09:21:24 +0100
-Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set
- by cups
-
-This should not switch to username,password if cups has been configured
-to use negotiate (Kerberos authentication).
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845)
----
- source3/client/smbspool.c | 42 ++++++++++++++++++++++-----------------
- 1 file changed, 24 insertions(+), 18 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index d6e944d547c..e94d5b33324 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -60,7 +60,7 @@
- * Local functions...
- */
-
--static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
-+static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
- static void list_devices(void);
- static struct cli_state *smb_complete_connection(const char *, const char *,
- int, const char *, const char *, const char *, const char *, int, bool *need_auth);
-@@ -72,6 +72,8 @@ static char *uri_unescape_alloc(const char *);
- static bool smb_encrypt;
- #endif
-
-+static const char *auth_info_required;
-+
- /*
- * 'main()' - Main entry for SMB backend.
- */
-@@ -94,7 +96,7 @@ main(int argc, /* I - Number of command-line arguments */
- FILE *fp; /* File to print */
- int status = 1; /* Status of LPD job */
- struct cli_state *cli; /* SMB interface */
-- char null_str[1];
-+ char empty_str[] = "";
- int tries = 0;
- bool need_auth = true;
- const char *dev_uri;
-@@ -106,8 +108,6 @@ main(int argc, /* I - Number of command-line arguments */
- int cmp;
- int len;
-
-- null_str[0] = '\0';
--
- if (argc == 1) {
- /*
- * NEW! In CUPS 1.1 the backends are run with no arguments
-@@ -187,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */
- }
- }
-
-+ auth_info_required = getenv("AUTH_INFO_REQUIRED");
-+ if (auth_info_required == NULL) {
-+ auth_info_required = "none";
-+ }
-+
- cmp = strncmp(dev_uri, "smb://", 6);
- if (cmp != 0) {
- fprintf(stderr,
-@@ -220,21 +225,25 @@ main(int argc, /* I - Number of command-line arguments */
- *tmp2++ = '\0';
- password = uri_unescape_alloc(tmp2);
- } else {
-- password = null_str;
-+ password = empty_str;
- }
- username = uri_unescape_alloc(tmp);
- } else {
- if ((username = getenv("AUTH_USERNAME")) == NULL) {
-- username = null_str;
-+ username = empty_str;
- }
-
- if ((password = getenv("AUTH_PASSWORD")) == NULL) {
-- password = null_str;
-+ password = empty_str;
- }
-
- server = uri + 6;
- }
-
-+ if (password != empty_str) {
-+ auth_info_required = "username,password";
-+ }
-+
- tmp = server;
-
- if ((sep = strchr_m(tmp, '/')) == NULL) {
-@@ -354,8 +363,7 @@ done:
-
- static int
- get_exit_code(struct cli_state * cli,
-- NTSTATUS nt_status,
-- bool use_kerberos)
-+ NTSTATUS nt_status)
- {
- int i;
-
-@@ -382,10 +390,7 @@ get_exit_code(struct cli_state * cli,
- }
-
- if (cli) {
-- if (use_kerberos)
-- fputs("ATTR: auth-info-required=negotiate\n", stderr);
-- else
-- fputs("ATTR: auth-info-required=username,password\n", stderr);
-+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
- }
-
- /*
-@@ -454,6 +459,7 @@ smb_complete_connection(const char *myname,
- }
-
- if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
-+ auth_info_required = "negotiate";
- use_kerberos = true;
- }
-
-@@ -476,7 +482,7 @@ smb_complete_connection(const char *myname,
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
-
-- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
-+ if (get_exit_code(cli, nt_status) == 2) {
- *need_auth = true;
- }
-
-@@ -490,7 +496,7 @@ smb_complete_connection(const char *myname,
- fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
- nt_errstr(nt_status));
-
-- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
-+ if (get_exit_code(cli, nt_status) == 2) {
- *need_auth = true;
- }
-
-@@ -679,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: %s opening remote spool %s\n",
- nt_errstr(nt_status), title);
-- return get_exit_code(cli, nt_status, false);
-+ return get_exit_code(cli, nt_status);
- }
-
- /*
-@@ -697,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
- tbytes, nbytes, NULL);
- if (!NT_STATUS_IS_OK(status)) {
-- int ret = get_exit_code(cli, status, false);
-+ int ret = get_exit_code(cli, status);
- fprintf(stderr, "ERROR: Error writing spool: %s\n",
- nt_errstr(status));
- fprintf(stderr, "DEBUG: Returning status %d...\n",
-@@ -713,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- if (!NT_STATUS_IS_OK(nt_status)) {
- fprintf(stderr, "ERROR: %s closing remote spool %s\n",
- nt_errstr(nt_status), title);
-- return get_exit_code(cli, nt_status, false);
-+ return get_exit_code(cli, nt_status);
- } else {
- return (0);
- }
---
-2.20.1
-
-
-From 6e83c1c9c02889bf9b7d42366ae25cd7b8738810 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 10:09:14 +0100
-Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title
-
-We can't be sure we can write to the input buffer.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 129ae27946318a075e99c9e6d1bacf8963f72282)
----
- source3/client/smbspool.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index e94d5b33324..4d78db7f77c 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *,
- int, const char *, const char *, const char *, const char *, int, bool *need_auth);
- static struct cli_state *smb_connect(const char *, const char *, int, const
- char *, const char *, const char *, const char *, bool *need_auth);
--static int smb_print(struct cli_state *, char *, FILE *);
-+static int smb_print(struct cli_state *, const char *, FILE *);
- static char *uri_unescape_alloc(const char *);
- #if 0
- static bool smb_encrypt;
-@@ -655,7 +655,7 @@ kerberos_auth:
-
- static int /* O - 0 = success, non-0 = failure */
- smb_print(struct cli_state * cli, /* I - SMB connection */
-- char *title, /* I - Title/job name */
-+ const char *print_title, /* I - Title/job name */
- FILE * fp)
- { /* I - File to print */
- uint16_t fnum; /* File number */
-@@ -663,12 +663,18 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
- tbytes; /* Total bytes read */
- char buffer[8192], /* Buffer for copy */
- *ptr; /* Pointer into title */
-+ char title[1024] = {0};
-+ int len;
- NTSTATUS nt_status;
-
-
- /*
-- * Sanitize the title...
-- */
-+ * Sanitize the title...
-+ */
-+ len = snprintf(title, sizeof(title), "%s", print_title);
-+ if (len != strlen(print_title)) {
-+ return 2;
-+ }
-
- for (ptr = title; *ptr; ptr++) {
- if (!isalnum((int) *ptr) && !isspace((int) *ptr)) {
---
-2.20.1
-
-
-From 5a17e86e0dde91b52afd4a192fd5a635a83b412d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 11:40:30 +0100
-Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling
-
-If we are executed as a CUPS backend, argv[0] is set to the device uri.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-
-(cherry picked from commit 69d7a496d3bf52eaa10e81132bb61430863fdd8a)
----
- source3/client/smbspool.c | 120 ++++++++++++++++++++++++++++++--------
- 1 file changed, 96 insertions(+), 24 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 4d78db7f77c..8be1009c0a8 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -99,10 +99,12 @@ main(int argc, /* I - Number of command-line arguments */
- char empty_str[] = "";
- int tries = 0;
- bool need_auth = true;
-- const char *dev_uri;
-+ const char *dev_uri = NULL;
-+ const char *env = NULL;
- const char *config_file = NULL;
- TALLOC_CTX *frame = talloc_stackframe();
-- bool device_uri_cmdline = false;
-+ const char *print_user = NULL;
-+ const char *print_title = NULL;
- const char *print_file = NULL;
- const char *print_copies = NULL;
- int cmp;
-@@ -139,21 +141,81 @@ main(int argc, /* I - Number of command-line arguments */
- }
-
- /*
-- * If we have 6 arguments find out if we have the device_uri from the
-- * command line or the print data
-+ * Find out if we have the device_uri in the command line.
-+ *
-+ * If we are started as a CUPS backend argv[0] is normally the
-+ * device_uri!
- */
-- if (argc == 7) {
-- cmp = strncmp(argv[1], "smb://", 6);
-- if (cmp == 0) {
-- device_uri_cmdline = true;
-+ if (argc == 8) {
-+ /*
-+ * smbspool <uri> <job> <user> <title> <copies> <options> <file>
-+ * 0 1 2 3 4 5 6 7
-+ */
-+
-+ dev_uri = argv[1];
-+
-+ print_user = argv[3];
-+ print_title = argv[4];
-+ print_copies = argv[5];
-+ print_file = argv[7];
-+ } else if (argc == 7) {
-+ int cmp1;
-+ int cmp2;
-+
-+ /*
-+ * <uri> <job> <user> <title> <copies> <options> <file>
-+ * smbspool <uri> <job> <user> <title> <copies> <options>
-+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
-+ */
-+ cmp1 = strncmp(argv[0], "smb://", 6);
-+ cmp2 = strncmp(argv[1], "smb://", 6);
-+
-+ if (cmp1 == 0) {
-+ /*
-+ * <uri> <job> <user> <title> <copies> <options> <file>
-+ * 0 1 2 3 4 5 6
-+ */
-+ dev_uri = argv[0];
-+
-+ print_user = argv[2];
-+ print_title = argv[3];
-+ print_copies = argv[4];
-+ print_file = argv[6];
-+ } else if (cmp2 == 0) {
-+ /*
-+ * smbspool <uri> <job> <user> <title> <copies> <options>
-+ * 0 1 2 3 4 5 6
-+ */
-+ dev_uri = argv[1];
-+
-+ print_user = argv[3];
-+ print_title = argv[4];
-+ print_copies = argv[5];
-+ print_file = NULL;
- } else {
-+ /*
-+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
-+ * 0 1 2 3 4 5 6
-+ */
-+ print_user = argv[2];
-+ print_title = argv[3];
- print_copies = argv[4];
- print_file = argv[6];
- }
-- } else if (argc == 8) {
-- device_uri_cmdline = true;
-- print_copies = argv[5];
-- print_file = argv[7];
-+ } else if (argc == 6) {
-+ /*
-+ * <uri> <job> <user> <title> <copies> <options>
-+ * smbspool <job> <user> <title> <copies> <options> | DEVICE_URI
-+ * 0 1 2 3 4 5
-+ */
-+ cmp = strncmp(argv[0], "smb://", 6);
-+ if (cmp == 0) {
-+ dev_uri = argv[0];
-+ }
-+
-+ print_user = argv[2];
-+ print_title = argv[3];
-+ print_copies = argv[4];
- }
-
- if (print_file != NULL) {
-@@ -178,18 +240,17 @@ main(int argc, /* I - Number of command-line arguments */
- /*
- * Find the URI ...
- */
-- if (device_uri_cmdline) {
-- dev_uri = argv[1];
-- } else {
-- dev_uri = getenv("DEVICE_URI");
-- if (dev_uri == NULL || strlen(dev_uri) == 0) {
-- dev_uri = "";
-+ if (dev_uri == NULL) {
-+ env = getenv("DEVICE_URI");
-+ if (env != NULL && env[0] != '\0') {
-+ dev_uri = env;
- }
- }
-
-- auth_info_required = getenv("AUTH_INFO_REQUIRED");
-- if (auth_info_required == NULL) {
-- auth_info_required = "none";
-+ if (dev_uri == NULL) {
-+ fprintf(stderr,
-+ "ERROR: No valid device URI has been specified\n");
-+ goto done;
- }
-
- cmp = strncmp(dev_uri, "smb://", 6);
-@@ -205,6 +266,11 @@ main(int argc, /* I - Number of command-line arguments */
- goto done;
- }
-
-+ auth_info_required = getenv("AUTH_INFO_REQUIRED");
-+ if (auth_info_required == NULL) {
-+ auth_info_required = "none";
-+ }
-+
- /*
- * Extract the destination from the URI...
- */
-@@ -301,8 +367,14 @@ main(int argc, /* I - Number of command-line arguments */
- load_interfaces();
-
- do {
-- cli = smb_connect(workgroup, server, port, printer,
-- username, password, argv[3], &need_auth);
-+ cli = smb_connect(workgroup,
-+ server,
-+ port,
-+ printer,
-+ username,
-+ password,
-+ print_user,
-+ &need_auth);
- if (cli == NULL) {
- if (need_auth) {
- exit(2);
-@@ -338,7 +410,7 @@ main(int argc, /* I - Number of command-line arguments */
- */
-
- for (i = 0; i < copies; i++) {
-- status = smb_print(cli, argv[4] /* title */ , fp);
-+ status = smb_print(cli, print_title, fp);
- if (status != 0) {
- break;
- }
---
-2.20.1
-
diff --git a/SOURCES/samba-4.8.3-fix_krb5_plugins.patch b/SOURCES/samba-4.8.3-fix_krb5_plugins.patch
deleted file mode 100644
index 86aeadb..0000000
--- a/SOURCES/samba-4.8.3-fix_krb5_plugins.patch
+++ /dev/null
@@ -1,270 +0,0 @@
-From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 27 Jun 2018 14:06:39 +0200
-Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- nsswitch/wscript_build | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
-index 15e93db2f05..576855bb56c 100644
---- a/nsswitch/wscript_build
-+++ b/nsswitch/wscript_build
-@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
- )
-
- if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
-- bld.SAMBA_LIBRARY('winbind_krb5_locator',
-- source='winbind_krb5_locator.c',
-- deps='wbclient krb5 com_err',
-- realname='winbind_krb5_locator.so')
-+ bld.SAMBA_LIBRARY('winbind_krb5_locator',
-+ source='winbind_krb5_locator.c',
-+ deps='wbclient krb5 com_err',
-+ realname='winbind_krb5_locator.so',
-+ install_path='${MODULESDIR}/krb5')
-
- if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
- bld.SAMBA_LIBRARY('winbind_krb5_localauth',
- source='krb5_plugin/winbind_krb5_localauth.c',
- deps='wbclient krb5 com_err',
-- realname='winbind-krb5-localauth.so')
-+ realname='winbind_krb5_localauth.so',
-+ install_path='${MODULESDIR}/krb5')
-
- bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
- source='wb_reqtrans.c',
---
-2.17.1
-
-
-From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 27 Jun 2018 14:08:56 +0200
-Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin
- subdir
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0
- nsswitch/wscript_build | 2 +-
- 2 files changed, 1 insertion(+), 1 deletion(-)
- rename nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c (100%)
-
-diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c
-similarity index 100%
-rename from nsswitch/winbind_krb5_locator.c
-rename to nsswitch/krb5_plugin/winbind_krb5_locator.c
-diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
-index 576855bb56c..dd1952b799b 100644
---- a/nsswitch/wscript_build
-+++ b/nsswitch/wscript_build
-@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
-
- if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
- bld.SAMBA_LIBRARY('winbind_krb5_locator',
-- source='winbind_krb5_locator.c',
-+ source='krb5_plugin/winbind_krb5_locator.c',
- deps='wbclient krb5 com_err',
- realname='winbind_krb5_locator.so',
- install_path='${MODULESDIR}/krb5')
---
-2.17.1
-
-
-From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 27 Jun 2018 15:14:15 +0200
-Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8
-
-The vfs and idmap manpages are in volume 8 too.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- ...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++---
- docs-xml/wscript_build | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
- rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%)
-
-diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml
-similarity index 96%
-rename from docs-xml/manpages/winbind_krb5_locator.7.xml
-rename to docs-xml/manpages/winbind_krb5_locator.8.xml
-index 17e401a9da0..0af0c2cc95f 100644
---- a/docs-xml/manpages/winbind_krb5_locator.7.xml
-+++ b/docs-xml/manpages/winbind_krb5_locator.8.xml
-@@ -1,12 +1,12 @@
- <?xml version="1.0" encoding="iso-8859-1"?>
- <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
--<refentry id="winbind_krb5_locator.7">
-+<refentry id="winbind_krb5_locator.8">
-
- <refmeta>
- <refentrytitle>winbind_krb5_locator</refentrytitle>
-- <manvolnum>7</manvolnum>
-+ <manvolnum>8</manvolnum>
- <refmiscinfo class="source">Samba</refmiscinfo>
-- <refmiscinfo class="manual">7</refmiscinfo>
-+ <refmiscinfo class="manual">8</refmiscinfo>
- <refmiscinfo class="version">&doc.version;</refmiscinfo>
- </refmeta>
-
-diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
-index 954c62a29bc..2d686eb38b0 100644
---- a/docs-xml/wscript_build
-+++ b/docs-xml/wscript_build
-@@ -103,7 +103,7 @@ pam_winbind_manpages = '''
- manpages/pam_winbind.conf.5
- '''
-
--krb5_locator_manpages = 'manpages/winbind_krb5_locator.7'
-+krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
-
- def smbdotconf_generate_parameter_list(task):
- parameter_all = task.outputs[0].bldpath(task.env)
---
-2.17.1
-
-
-From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 27 Jun 2018 15:06:07 +0200
-Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- .../manpages/winbind_krb5_localauth.8.xml | 86 +++++++++++++++++++
- docs-xml/wscript_build | 4 +
- 2 files changed, 90 insertions(+)
- create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml
-
-diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml b/docs-xml/manpages/winbind_krb5_localauth.8.xml
-new file mode 100644
-index 00000000000..a382e71ead3
---- /dev/null
-+++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml
-@@ -0,0 +1,86 @@
-+<?xml version="1.0" encoding="iso-8859-1"?>
-+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-+<refentry id="winbind_krb5_localauth.8">
-+
-+<refmeta>
-+ <refentrytitle>winbind_krb5_localauth</refentrytitle>
-+ <manvolnum>8</manvolnum>
-+ <refmiscinfo class="source">Samba</refmiscinfo>
-+ <refmiscinfo class="manual">8</refmiscinfo>
-+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
-+</refmeta>
-+
-+
-+<refnamediv>
-+ <refname>winbind_krb5_localauth</refname>
-+ <refpurpose>A plugin for MIT Kerberos for mapping user accounts.</refpurpose>
-+</refnamediv>
-+
-+
-+<refsect1>
-+ <title>DESCRIPTION</title>
-+
-+ <para>
-+ This plugin is part of the
-+ <citerefentry><refentrytitle>samba</refentrytitle>
-+ <manvolnum>7</manvolnum></citerefentry> suite.
-+ </para>
-+
-+ <para>
-+ <command>winbind_krb5_localauth</command> is a plugin that
-+ permits the MIT Kerberos libraries that Kerberos principals can
-+ be validated against local user accounts.
-+ </para>
-+</refsect1>
-+<refsect1>
-+ <title>PREREQUISITES</title>
-+ <para>
-+ MIT Kerberos (at least version 1.12) is required.
-+ </para>
-+
-+ <para>
-+ The plugin queries the <citerefentry><refentrytitle>winbindd</refentrytitle>
-+ <manvolnum>8</manvolnum></citerefentry> daemon which needs to be configured
-+ and started separately.
-+ </para>
-+
-+ <para>
-+ The following sections needs to be added to the
-+ <filename>krb5.conf</filename> file.
-+
-+ <programlisting>
-+[plugins]
-+ localauth = {
-+ module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
-+ enable_only = winbind
-+ }
-+ </programlisting>
-+ </para>
-+</refsect1>
-+
-+<refsect1>
-+ <title>VERSION</title>
-+
-+ <para>
-+ This man page is part of version &doc.version; of the Samba
-+ suite.
-+ </para>
-+</refsect1>
-+
-+<refsect1>
-+ <title>AUTHOR</title>
-+
-+ <para>
-+ The original Samba software and related utilities were created
-+ by Andrew Tridgell. Samba is now developed by the Samba Team as
-+ an Open Source project similar to the way the Linux kernel is
-+ developed.
-+ </para>
-+
-+ <para>
-+ The winbind_krb5_localauth manpage was written by Andreas
-+ Schneider.
-+ </para>
-+</refsect1>
-+
-+</refentry>
-diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
-index 2d686eb38b0..ec5d28fc62a 100644
---- a/docs-xml/wscript_build
-+++ b/docs-xml/wscript_build
-@@ -104,6 +104,7 @@ pam_winbind_manpages = '''
- '''
-
- krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
-+krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8'
-
- def smbdotconf_generate_parameter_list(task):
- parameter_all = task.outputs[0].bldpath(task.env)
-@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']):
- if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
- bld.SAMBAMANPAGES(krb5_locator_manpages)
-
-+ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
-+ bld.SAMBAMANPAGES(krb5_localauth_manpages)
-+
- if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'):
- bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8')
---
-2.17.1
-
diff --git a/SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch b/SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch
deleted file mode 100644
index f3b9d89..0000000
--- a/SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch
+++ /dev/null
@@ -1,216 +0,0 @@
-From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 2 Jul 2018 16:18:52 +0200
-Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c)
----
- nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++-----
- selftest/knownfail.d/upn_handling | 2 +
- source3/selftest/tests.py | 4 +-
- 3 files changed, 66 insertions(+), 11 deletions(-)
-
-diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
-index 2803ac1408b..da30f97be74 100755
---- a/nsswitch/tests/test_wbinfo_user_info.sh
-+++ b/nsswitch/tests/test_wbinfo_user_info.sh
-@@ -2,19 +2,20 @@
- # Blackbox test for wbinfo lookup for account name and upn
- # Copyright (c) 2018 Andreas Schneider <asn@samba.org>
-
--if [ $# -lt 5 ]; then
-+if [ $# -lt 6 ]; then
- cat <<EOF
--Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
-+Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
- EOF
- exit 1;
- fi
-
- DOMAIN=$1
- REALM=$2
--USERNAME1=$3
--UPN_NAME1=$4
--USERNAME2=$5
--UPN_NAME2=$6
-+OWN_DOMAIN=$3
-+USERNAME1=$4
-+UPN_NAME1=$5
-+USERNAME2=$6
-+UPN_NAME2=$7
- shift 6
-
- failed=0
-@@ -31,9 +32,9 @@ test_user_info()
- {
- local cmd out ret user domain upn userinfo
-
-- domain="$1"
-- user="$2"
-- upn="$3"
-+ local domain="$1"
-+ local user="$2"
-+ local upn="$3"
-
- if [ $# -lt 3 ]; then
- userinfo="$domain/$user"
-@@ -62,6 +63,39 @@ test_user_info()
- return 0
- }
-
-+test_getpwnam()
-+{
-+ local cmd out ret
-+
-+ local lookup_username=$1
-+ local expected_return=$2
-+ local expected_output=$3
-+
-+ cmd='getent passwd $lookup_username'
-+ eval echo "$cmd"
-+ out=$(eval $cmd)
-+ ret=$?
-+
-+ if [ $ret -ne $expected_return ]; then
-+ echo "return code: $ret, expected return code is: $expected_return"
-+ echo "$out"
-+ return 1
-+ fi
-+
-+ if [ -n "$expected_output" ]; then
-+ echo "$out" | grep "$expected_output"
-+ ret=$?
-+
-+ if [ $ret -ne 0 ]; then
-+ echo "Unable to find $expected_output in:"
-+ echo "$out"
-+ return 1
-+ fi
-+ fi
-+
-+ return 0
-+}
-+
- testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
- testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
-
-@@ -80,4 +114,23 @@ UPN3="$UPN_NAME3@${REALM}.upn"
- testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
- testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
-
-+testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
-+
-+testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
-+
-+# We should not be able to lookup the user just by the name
-+test_ret=0
-+test_output="$DOMAIN/$USERNAME1"
-+
-+if [ "$ENVNAME" = "ad_member" ]; then
-+ test_ret=2
-+ test_output=""
-+fi
-+if [ "$ENVNAME" = "fl2008r2dc" ]; then
-+ test_ret=0
-+ test_output="$OWN_DOMAIN/$USERNAME1"
-+fi
-+
-+testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
-+
- exit $failed
-diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
-index bcbedb4f903..7dc9b71dc5e 100644
---- a/selftest/knownfail.d/upn_handling
-+++ b/selftest/knownfail.d/upn_handling
-@@ -1,8 +1,10 @@
- ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
- ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
-+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
- ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
- ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
- ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
- ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
- ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
- ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
-+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index f43d2b14d3a..a9cb2dad792 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -216,13 +216,13 @@ env = "ad_member:local"
- plantestsuite("samba3.wbinfo_user_info", env,
- [ os.path.join(srcdir(),
- "nsswitch/tests/test_wbinfo_user_info.sh"),
-- '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
-+ '$DOMAIN', '$REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
-
- env = "fl2008r2dc:local"
- plantestsuite("samba3.wbinfo_user_info", env,
- [ os.path.join(srcdir(),
- "nsswitch/tests/test_wbinfo_user_info.sh"),
-- '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
-+ '$TRUST_DOMAIN', '$TRUST_REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
-
- env = "ad_member"
- t = "WBCLIENT-MULTI-PING"
---
-2.13.6
-
-
-From 495f43f5fa972076de996f9c639657672e378c7d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 2 Jul 2018 16:38:01 +0200
-Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-
-Autobuild-User(master): Ralph Böhme <slow@samba.org>
-Autobuild-Date(master): Wed Jul 4 23:55:56 CEST 2018 on sn-devel-144
-
-(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c)
----
- selftest/knownfail.d/upn_handling | 2 --
- source3/winbindd/winbindd_util.c | 2 ++
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
-index 7dc9b71dc5e..bcbedb4f903 100644
---- a/selftest/knownfail.d/upn_handling
-+++ b/selftest/knownfail.d/upn_handling
-@@ -1,10 +1,8 @@
- ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
- ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
--^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
- ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
- ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
- ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
- ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
- ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
- ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
--^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
-diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
-index aa633419c9a..7a5fb73cdef 100644
---- a/source3/winbindd/winbindd_util.c
-+++ b/source3/winbindd/winbindd_util.c
-@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
- } else if (assume_domain(lp_workgroup())) {
- fstrcpy(domain, lp_workgroup());
- fstrcpy(namespace, domain);
-+ } else {
-+ fstrcpy(namespace, lp_netbios_name());
- }
- }
-
---
-2.13.6
-
diff --git a/SOURCES/samba-4.8.3-smbclient_quiet_argument.patch b/SOURCES/samba-4.8.3-smbclient_quiet_argument.patch
deleted file mode 100644
index 6ee5623..0000000
--- a/SOURCES/samba-4.8.3-smbclient_quiet_argument.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 25 Jun 2018 09:58:56 -0400
-Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add quiet command-line argument to allow suppressing the help log
-message printed automatically after establishing a smbclient connection
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Björn Baumbach <bb@sernet.de>
-(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72)
----
- source3/client/client.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/source3/client/client.c b/source3/client/client.c
-index 2c1c76036f7..c836e5a0477 100644
---- a/source3/client/client.c
-+++ b/source3/client/client.c
-@@ -52,6 +52,7 @@ static int port = 0;
- static char *service;
- static char *desthost;
- static bool grepable = false;
-+static bool quiet = false;
- static char *cmdstr = NULL;
- const char *cmd_ptr = NULL;
-
-@@ -6059,7 +6060,9 @@ static int process_stdin(void)
- {
- int rc = 0;
-
-- d_printf("Try \"help\" to get a list of possible commands.\n");
-+ if (!quiet) {
-+ d_printf("Try \"help\" to get a list of possible commands.\n");
-+ }
-
- while (!finished) {
- TALLOC_CTX *frame = talloc_stackframe();
-@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[])
- { "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" },
- { "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" },
- { "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" },
-+ { "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" },
- { "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" },
- POPT_COMMON_SAMBA
- POPT_COMMON_CONNECTION
-@@ -6451,6 +6455,9 @@ int main(int argc,char *argv[])
- case 'g':
- grepable=true;
- break;
-+ case 'q':
-+ quiet=true;
-+ break;
- case 'e':
- smb_encrypt=true;
- break;
---
-2.17.1
diff --git a/SOURCES/samba-4.8.3.tar.asc b/SOURCES/samba-4.8.3.tar.asc
deleted file mode 100644
index 149c42f..0000000
--- a/SOURCES/samba-4.8.3.tar.asc
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iFwEABECABwFAlsyUq4VHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
-U/4AoLhX0k1+ci295ajuSRq9yyBHIMysAJ49UqQcyMAhTdRz/BmgwC9hgrBldg==
-=em2I
------END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.9-CVE-2019-3880.patch b/SOURCES/samba-4.9-CVE-2019-3880.patch
new file mode 100644
index 0000000..eded5d9
--- /dev/null
+++ b/SOURCES/samba-4.9-CVE-2019-3880.patch
@@ -0,0 +1,151 @@
+From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 21 Mar 2019 14:51:30 -0700
+Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
+ SaveKey/RestoreKey.
+
+The were not using VFS backend calls and could only work
+locally, and were unsafe against symlink races and other
+security issues.
+
+If the incoming handle is valid, return WERR_BAD_PATHNAME.
+
+[MS-RRP] states "The format of the file name is implementation-specific"
+so ensure we don't allow this.
+
+As reported by Michael Hanselmann.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
+ 1 file changed, 4 insertions(+), 88 deletions(-)
+
+diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
+index d9ee8d0602d..816c6bb2a12 100644
+--- a/source3/rpc_server/winreg/srv_winreg_nt.c
++++ b/source3/rpc_server/winreg/srv_winreg_nt.c
+@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
+ }
+
+ /*******************************************************************
+- ********************************************************************/
+-
+-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
+-{
+- char *p = NULL;
+- int num_services = lp_numservices();
+- int snum = -1;
+- const char *share_path = NULL;
+- char *fname = *pp_fname;
+-
+- /* convert to a unix path, stripping the C:\ along the way */
+-
+- if (!(p = valid_share_pathname(ctx, fname))) {
+- return -1;
+- }
+-
+- /* has to exist within a valid file share */
+-
+- for (snum=0; snum<num_services; snum++) {
+- if (!lp_snum_ok(snum) || lp_printable(snum)) {
+- continue;
+- }
+-
+- share_path = lp_path(talloc_tos(), snum);
+-
+- /* make sure we have a path (e.g. [homes] ) */
+- if (strlen(share_path) == 0) {
+- continue;
+- }
+-
+- if (strncmp(share_path, p, strlen(share_path)) == 0) {
+- break;
+- }
+- }
+-
+- *pp_fname = p;
+- return (snum < num_services) ? snum : -1;
+-}
+-
+-/*******************************************************************
+ _winreg_RestoreKey
+ ********************************************************************/
+
+@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p,
+ struct winreg_RestoreKey *r)
+ {
+ struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
+- char *fname = NULL;
+- int snum = -1;
+
+- if ( !regkey )
++ if ( !regkey ) {
+ return WERR_INVALID_HANDLE;
+-
+- if ( !r->in.filename || !r->in.filename->name )
+- return WERR_INVALID_PARAMETER;
+-
+- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
+- if (!fname) {
+- return WERR_NOT_ENOUGH_MEMORY;
+ }
+-
+- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
+- "\"%s\"\n", regkey->key->name, fname));
+-
+- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
+- return WERR_BAD_PATHNAME;
+-
+- /* user must posses SeRestorePrivilege for this this proceed */
+-
+- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
+- return WERR_ACCESS_DENIED;
+- }
+-
+- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
+- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
+-
+- return reg_restorekey(regkey, fname);
++ return WERR_BAD_PATHNAME;
+ }
+
+ /*******************************************************************
+@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p,
+ struct winreg_SaveKey *r)
+ {
+ struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
+- char *fname = NULL;
+- int snum = -1;
+
+- if ( !regkey )
++ if ( !regkey ) {
+ return WERR_INVALID_HANDLE;
+-
+- if ( !r->in.filename || !r->in.filename->name )
+- return WERR_INVALID_PARAMETER;
+-
+- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
+- if (!fname) {
+- return WERR_NOT_ENOUGH_MEMORY;
+ }
+-
+- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
+- regkey->key->name, fname));
+-
+- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
+- return WERR_BAD_PATHNAME;
+-
+- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
+- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
+-
+- return reg_savekey(regkey, fname);
++ return WERR_BAD_PATHNAME;
+ }
+
+ /*******************************************************************
+--
+2.11.0
+
diff --git a/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch b/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch
new file mode 100644
index 0000000..08c88a1
--- /dev/null
+++ b/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch
@@ -0,0 +1,280 @@
+From 5192b35d5e8644f000277c2f075b2ae90c514cbd Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 4 Sep 2018 15:48:03 +0200
+Subject: [PATCH] s3:libsmbclient: Add function to set protocol levels
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 0dae4e2f5c65167fdb2405e232436921a0bb17e6)
+---
+ source3/include/libsmbclient.h | 19 ++-
+ source3/libsmb/ABI/smbclient-0.5.0.sigs | 185 ++++++++++++++++++++++++
+ source3/libsmb/libsmb_setget.c | 18 +++
+ source3/libsmb/wscript | 2 +-
+ 4 files changed, 222 insertions(+), 2 deletions(-)
+ create mode 100644 source3/libsmb/ABI/smbclient-0.5.0.sigs
+
+diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
+index ca5c7f87f71..5e4a1715402 100644
+--- a/source3/include/libsmbclient.h
++++ b/source3/include/libsmbclient.h
+@@ -831,7 +831,24 @@ smbc_getOptionUseNTHash(SMBCCTX *c);
+ void
+ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b);
+
+-
++/**
++ * @brief Set the 'client min protocol' and the 'client max protocol'.
++ *
++ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max
++ * protocol' set in the smb.conf file!
++ *
++ * @param[in] c The smbc context to use.
++ *
++ * @param[in] min_proto The minimal protocol to use or NULL for leaving it
++ * untouched.
++ *
++ * @param[in] max_proto The maximum protocol to use or NULL for leaving it
++ * untouched.
++ *
++ * @returns true for success, false otherwise
++ */
++smbc_bool
++smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto);
+
+ /*************************************
+ * Getters and setters for FUNCTIONS *
+diff --git a/source3/libsmb/ABI/smbclient-0.5.0.sigs b/source3/libsmb/ABI/smbclient-0.5.0.sigs
+new file mode 100644
+index 00000000000..b4245979c24
+--- /dev/null
++++ b/source3/libsmb/ABI/smbclient-0.5.0.sigs
+@@ -0,0 +1,185 @@
++smbc_chmod: int (const char *, mode_t)
++smbc_close: int (int)
++smbc_closedir: int (int)
++smbc_creat: int (const char *, mode_t)
++smbc_fgetxattr: int (int, const char *, const void *, size_t)
++smbc_flistxattr: int (int, char *, size_t)
++smbc_free_context: int (SMBCCTX *, int)
++smbc_fremovexattr: int (int, const char *)
++smbc_fsetxattr: int (int, const char *, const void *, size_t, int)
++smbc_fstat: int (int, struct stat *)
++smbc_fstatvfs: int (int, struct statvfs *)
++smbc_ftruncate: int (int, off_t)
++smbc_getDebug: int (SMBCCTX *)
++smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *)
++smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *)
++smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *)
++smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *)
++smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *)
++smbc_getFunctionClose: smbc_close_fn (SMBCCTX *)
++smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *)
++smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *)
++smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *)
++smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *)
++smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *)
++smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *)
++smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *)
++smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *)
++smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *)
++smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *)
++smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *)
++smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *)
++smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *)
++smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *)
++smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *)
++smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *)
++smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *)
++smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *)
++smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *)
++smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *)
++smbc_getFunctionRead: smbc_read_fn (SMBCCTX *)
++smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *)
++smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *)
++smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *)
++smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *)
++smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *)
++smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *)
++smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *)
++smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *)
++smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *)
++smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *)
++smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *)
++smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *)
++smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *)
++smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *)
++smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *)
++smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *)
++smbc_getNetbiosName: const char *(SMBCCTX *)
++smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *)
++smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *)
++smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *)
++smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *)
++smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *)
++smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *)
++smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *)
++smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *)
++smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *)
++smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *)
++smbc_getOptionUseCCache: smbc_bool (SMBCCTX *)
++smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *)
++smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *)
++smbc_getOptionUserData: void *(SMBCCTX *)
++smbc_getPort: uint16_t (SMBCCTX *)
++smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *)
++smbc_getTimeout: int (SMBCCTX *)
++smbc_getUser: const char *(SMBCCTX *)
++smbc_getWorkgroup: const char *(SMBCCTX *)
++smbc_getdents: int (unsigned int, struct smbc_dirent *, int)
++smbc_getxattr: int (const char *, const char *, const void *, size_t)
++smbc_init: int (smbc_get_auth_data_fn, int)
++smbc_init_context: SMBCCTX *(SMBCCTX *)
++smbc_lgetxattr: int (const char *, const char *, const void *, size_t)
++smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn)
++smbc_listxattr: int (const char *, char *, size_t)
++smbc_llistxattr: int (const char *, char *, size_t)
++smbc_lremovexattr: int (const char *, const char *)
++smbc_lseek: off_t (int, off_t, int)
++smbc_lseekdir: int (int, off_t)
++smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int)
++smbc_mkdir: int (const char *, mode_t)
++smbc_new_context: SMBCCTX *(void)
++smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *)
++smbc_open: int (const char *, int, mode_t)
++smbc_open_print_job: int (const char *)
++smbc_opendir: int (const char *)
++smbc_option_get: void *(SMBCCTX *, char *)
++smbc_option_set: void (SMBCCTX *, char *, ...)
++smbc_print_file: int (const char *, const char *)
++smbc_read: ssize_t (int, void *, size_t)
++smbc_readdir: struct smbc_dirent *(unsigned int)
++smbc_readdirplus: const struct libsmb_file_info *(unsigned int)
++smbc_removexattr: int (const char *, const char *)
++smbc_rename: int (const char *, const char *)
++smbc_rmdir: int (const char *)
++smbc_setConfiguration: int (SMBCCTX *, const char *)
++smbc_setDebug: void (SMBCCTX *, int)
++smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn)
++smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn)
++smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn)
++smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn)
++smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn)
++smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn)
++smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn)
++smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn)
++smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn)
++smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn)
++smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn)
++smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn)
++smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn)
++smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn)
++smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn)
++smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn)
++smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn)
++smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn)
++smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn)
++smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn)
++smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn)
++smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn)
++smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn)
++smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn)
++smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn)
++smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn)
++smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn)
++smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn)
++smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn)
++smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn)
++smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn)
++smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn)
++smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn)
++smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn)
++smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn)
++smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn)
++smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn)
++smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn)
++smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn)
++smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn)
++smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn)
++smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn)
++smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn)
++smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn)
++smbc_setNetbiosName: void (SMBCCTX *, const char *)
++smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int)
++smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool)
++smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool)
++smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool)
++smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool)
++smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool)
++smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool)
++smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode)
++smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *)
++smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, smbc_smb_encrypt_level)
++smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool)
++smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool)
++smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool)
++smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool)
++smbc_setOptionUserData: void (SMBCCTX *, void *)
++smbc_setPort: void (SMBCCTX *, uint16_t)
++smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *)
++smbc_setTimeout: void (SMBCCTX *, int)
++smbc_setUser: void (SMBCCTX *, const char *)
++smbc_setWorkgroup: void (SMBCCTX *, const char *)
++smbc_set_context: SMBCCTX *(SMBCCTX *)
++smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *)
++smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *)
++smbc_setxattr: int (const char *, const char *, const void *, size_t, int)
++smbc_stat: int (const char *, struct stat *)
++smbc_statvfs: int (char *, struct statvfs *)
++smbc_telldir: off_t (int)
++smbc_unlink: int (const char *)
++smbc_unlink_print_job: int (const char *, int)
++smbc_urldecode: int (char *, char *, size_t)
++smbc_urlencode: int (char *, char *, int)
++smbc_utime: int (const char *, struct utimbuf *)
++smbc_utimes: int (const char *, struct timeval *)
++smbc_version: const char *(void)
++smbc_write: ssize_t (int, const void *, size_t)
+diff --git a/source3/libsmb/libsmb_setget.c b/source3/libsmb/libsmb_setget.c
+index 60b822a395c..b1c4ff3b557 100644
+--- a/source3/libsmb/libsmb_setget.c
++++ b/source3/libsmb/libsmb_setget.c
+@@ -526,6 +526,24 @@ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b)
+ }
+ }
+
++smbc_bool
++smbc_setOptionProtocols(SMBCCTX *c,
++ const char *min_proto,
++ const char *max_proto)
++{
++ bool ok = true;
++
++ if (min_proto != NULL) {
++ ok = lp_set_cmdline("client min protocol", min_proto);
++ }
++
++ if (max_proto != NULL) {
++ ok &= lp_set_cmdline("client min protocol", max_proto);
++ }
++
++ return ok;
++}
++
+ /** Get the function for obtaining authentication data */
+ smbc_get_auth_data_fn
+ smbc_getFunctionAuthData(SMBCCTX *c)
+diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript
+index 5482aea7d9c..298afc3c0e3 100644
+--- a/source3/libsmb/wscript
++++ b/source3/libsmb/wscript
+@@ -27,5 +27,5 @@ def build(bld):
+ public_headers='../include/libsmbclient.h',
+ abi_directory='ABI',
+ abi_match='smbc_*',
+- vnum='0.4.0',
++ vnum='0.5.0',
+ pc_files='smbclient.pc')
+--
+2.19.2
+
diff --git a/SOURCES/samba-4.9-disable_netbios.patch b/SOURCES/samba-4.9-disable_netbios.patch
new file mode 100644
index 0000000..4191502
--- /dev/null
+++ b/SOURCES/samba-4.9-disable_netbios.patch
@@ -0,0 +1,252 @@
+From 14d3e54fa87dc204223eba2c7e18b6e1bf0e4564 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Thu, 3 Jan 2019 12:07:01 -0500
+Subject: [PATCH 1/5] s3:libsmb: Check disable_netbios in socket connect
+
+If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED
+for a port 139 connection in the low level socket connection code.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
+
+Signed-off-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Noel Power <nopower@suse.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9)
+---
+ source3/libsmb/smbsock_connect.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
+index 9f915e1bb42..bb3cb07646c 100644
+--- a/source3/libsmb/smbsock_connect.c
++++ b/source3/libsmb/smbsock_connect.c
+@@ -376,6 +376,11 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
+ tevent_req_set_cleanup_fn(req, smbsock_connect_cleanup);
+
+ if (port == NBT_SMB_PORT) {
++ if (lp_disable_netbios()) {
++ tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
++ return tevent_req_post(req, ev);
++ }
++
+ state->req_139 = nb_connect_send(state, state->ev, state->addr,
+ state->called_name,
+ state->called_type,
+--
+2.20.1
+
+
+From 94491362b882e49757f8ecd8e133149457e2f2e5 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Mon, 17 Dec 2018 14:40:33 -0500
+Subject: [PATCH 2/5] s3:libsmb: Print debug message about Netbios
+
+With a preceding patch, cli_connect_nb() will return
+NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
+
+Print an informative error message to indicate Netbios is disabled
+if this occurs.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
+
+Signed-off-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Noel Power <nopower@suse.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b)
+---
+ source3/libsmb/clidfs.c | 10 +++++++---
+ source3/libsmb/libsmb_server.c | 4 ++++
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index 0dfb8b33606..4342a3b1d1b 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -196,9 +196,13 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ flags, &c);
+
+ if (!NT_STATUS_IS_OK(status)) {
+- d_printf("Connection to %s failed (Error %s)\n",
+- server,
+- nt_errstr(status));
++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
++ DBG_ERR("NetBIOS support disabled, unable to connect");
++ }
++
++ DBG_WARNING("Connection to %s failed (Error %s)\n",
++ server,
++ nt_errstr(status));
+ return status;
+ }
+
+diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
+index 67dfcf72327..0067df48cac 100644
+--- a/source3/libsmb/libsmb_server.c
++++ b/source3/libsmb/libsmb_server.c
+@@ -489,6 +489,10 @@ SMBC_server_internal(TALLOC_CTX *ctx,
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
++ DBG_ERR("NetBIOS support disabled, unable to connect");
++ }
++
+ errno = map_errno_from_nt_status(status);
+ return NULL;
+ }
+--
+2.20.1
+
+
+From a0e7b2e45efe680971ded1b66ea919f3fa4a9ad4 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Mon, 17 Dec 2018 14:57:59 -0500
+Subject: [PATCH 3/5] s3:smbpasswd: Print debug message about Netbios
+
+With a preceding patch, cli_connect_nb() will return
+NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
+
+Print an informative error message to indicate Netbios is disabled
+if this occurs.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
+
+Signed-off-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Noel Power <nopower@suse.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098)
+---
+ source3/libsmb/passchange.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
+index 48ffba8036f..f60e3079975 100644
+--- a/source3/libsmb/passchange.c
++++ b/source3/libsmb/passchange.c
+@@ -46,10 +46,18 @@ NTSTATUS remote_password_change(const char *remote_machine,
+ result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL,
+ SMB_SIGNING_IPC_DEFAULT, 0, &cli);
+ if (!NT_STATUS_IS_OK(result)) {
+- if (asprintf(err_str, "Unable to connect to SMB server on "
+- "machine %s. Error was : %s.\n",
+- remote_machine, nt_errstr(result))==-1) {
+- *err_str = NULL;
++ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
++ if (asprintf(err_str, "Unable to connect to SMB server on "
++ "machine %s. NetBIOS support disabled\n",
++ remote_machine) == -1) {
++ *err_str = NULL;
++ }
++ } else {
++ if (asprintf(err_str, "Unable to connect to SMB server on "
++ "machine %s. Error was : %s.\n",
++ remote_machine, nt_errstr(result))==-1) {
++ *err_str = NULL;
++ }
+ }
+ return result;
+ }
+--
+2.20.1
+
+
+From 5f5420b85b0467c0cb3237c82bd4c151bbb0133b Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Mon, 17 Dec 2018 15:17:24 -0500
+Subject: [PATCH 4/5] s3:utils:net: Print debug message about Netbios
+
+With a preceding patch, cli_connect_nb() will return
+NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
+
+Print an informative error message to indicate Netbios is disabled
+if this occurs.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
+
+Signed-off-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Noel Power <nopower@suse.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397)
+---
+ source3/utils/net_rpc.c | 3 +++
+ source3/utils/net_time.c | 9 +++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index 67fff2f4d1b..91ad90f9594 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -7431,6 +7431,9 @@ bool net_rpc_check(struct net_context *c, unsigned flags)
+ lp_netbios_name(), SMB_SIGNING_IPC_DEFAULT,
+ 0, &cli);
+ if (!NT_STATUS_IS_OK(status)) {
++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
++ DBG_ERR("NetBIOS support disabled, unable to connect\n");
++ }
+ return false;
+ }
+ status = smbXcli_negprot(cli->conn, cli->timeout, PROTOCOL_CORE,
+diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c
+index 0091fc86333..5e6cf2ea15d 100644
+--- a/source3/utils/net_time.c
++++ b/source3/utils/net_time.c
+@@ -37,8 +37,13 @@ static time_t cli_servertime(const char *host,
+ status = cli_connect_nb(host, dest_ss, 0, 0x20, lp_netbios_name(),
+ SMB_SIGNING_DEFAULT, 0, &cli);
+ if (!NT_STATUS_IS_OK(status)) {
+- fprintf(stderr, _("Can't contact server %s. Error %s\n"),
+- host, nt_errstr(status));
++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
++ fprintf(stderr, "Can't contact server %s. NetBIOS support disabled,"
++ " Error %s\n", host, nt_errstr(status));
++ } else {
++ fprintf(stderr, "Can't contact server %s. Error %s\n",
++ host, nt_errstr(status));
++ }
+ goto done;
+ }
+
+--
+2.20.1
+
+
+From c948bd0660c1ddba0205ccdbd156baefa1c27971 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Mon, 14 Jan 2019 10:36:47 -0500
+Subject: [PATCH 5/5] s3:libsmb: Honor disable_netbios option in
+ smbsock_connect_send
+
+If disable_netbios is set, return before the tevent timer is triggered
+to prevent outgoing netbios connections.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
+
+Signed-off-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8)
+---
+ source3/libsmb/smbsock_connect.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
+index bb3cb07646c..be52b9a4f79 100644
+--- a/source3/libsmb/smbsock_connect.c
++++ b/source3/libsmb/smbsock_connect.c
+@@ -415,6 +415,13 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
+ tevent_req_set_callback(state->req_445, smbsock_connect_connected,
+ req);
+
++ /*
++ * Check for disable_netbios
++ */
++ if (lp_disable_netbios()) {
++ return req;
++ }
++
+ /*
+ * After 5 msecs, fire the 139 (NBT) request
+ */
+--
+2.20.1
+
diff --git a/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch b/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch
new file mode 100644
index 0000000..748a515
--- /dev/null
+++ b/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch
@@ -0,0 +1,37 @@
+From fac7c0a0357fc0c9fc472a0ee022a8db7571f054 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 22 Mar 2019 14:39:11 +0100
+Subject: [PATCH] docs: Update smbclient manpage for --max-protocol
+
+We default to SMB3 now.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
+---
+ docs-xml/manpages/smbclient.1.xml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
+index e71a21a95e3..e25f7d3517b 100644
+--- a/docs-xml/manpages/smbclient.1.xml
++++ b/docs-xml/manpages/smbclient.1.xml
+@@ -261,9 +261,9 @@
+ <listitem><para>This allows the user to select the
+ highest SMB protocol level that smbclient will use to
+ connect to the server. By default this is set to
+- NT1, which is the highest available SMB1 protocol.
+- To connect using SMB2 or SMB3 protocol, use the
+- strings SMB2 or SMB3 respectively. Note that to connect
++ highest available SMB3 protocol version.
++ To connect using SMB2 or SMB1 protocol, use the
++ strings SMB2 or NT1 respectively. Note that to connect
+ to a Windows 2012 server with encrypted transport selecting
+ a max-protocol of SMB3 is required.
+ </para></listitem>
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.9-fix_cups_printing.patch b/SOURCES/samba-4.9-fix_cups_printing.patch
new file mode 100644
index 0000000..80da965
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_cups_printing.patch
@@ -0,0 +1,1094 @@
+From 1f64c74fec614bde510411b339e731f53b4707dd Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 May 2019 16:55:49 +0200
+Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups
+
+This is required to access files in /var/spool/cups which have been
+temporarily created in there by CUPS.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b)
+---
+ source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index 5c4da33238b..e6684fc0d0c 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -82,6 +82,7 @@ int main(int argc, char *argv[])
+ {
+ char smbspool_cmd[PATH_MAX] = {0};
+ struct passwd *pwd;
++ struct group *g = NULL;
+ char gen_cc[PATH_MAX] = {0};
+ struct stat sb;
+ char *env = NULL;
+@@ -89,6 +90,7 @@ int main(int argc, char *argv[])
+ char device_uri[4096] = {0};
+ uid_t uid = (uid_t)-1;
+ gid_t gid = (gid_t)-1;
++ gid_t groups[1] = { (gid_t)-1 };
+ unsigned long tmp;
+ int cmp;
+ int rc;
+@@ -176,6 +178,26 @@ int main(int argc, char *argv[])
+ return CUPS_BACKEND_FAILED;
+ }
+
++ /*
++ * We need the primary group of the 'lp' user. This is needed to access
++ * temporary files in /var/spool/cups/.
++ */
++ g = getgrnam("lp");
++ if (g == NULL) {
++ CUPS_SMB_ERROR("Failed to find user 'lp' - %s",
++ strerror(errno));
++ return CUPS_BACKEND_FAILED;
++ }
++
++ CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid);
++ groups[0] = g->gr_gid;
++ rc = setgroups(sizeof(groups), groups);
++ if (rc != 0) {
++ CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s",
++ strerror(errno));
++ return CUPS_BACKEND_FAILED;
++ }
++
+ CUPS_SMB_DEBUG("Switching to gid=%d", gid);
+ rc = setgid(gid);
+ if (rc != 0) {
+--
+2.21.0
+
+
+From e634ee57d57cf4e5e2c8922f27576d402c6f06af Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 13:41:02 +0200
+Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate
+ with
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5)
+---
+ source3/client/smbspool.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index c404b3a3f69..78c13b9ebdb 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -612,6 +612,7 @@ static bool kerberos_ccache_is_valid(void) {
+ return false;
+ } else {
+ krb5_principal default_princ = NULL;
++ char *princ_name = NULL;
+
+ code = krb5_cc_get_principal(ctx,
+ ccache,
+@@ -621,6 +622,16 @@ static bool kerberos_ccache_is_valid(void) {
+ krb5_free_context(ctx);
+ return false;
+ }
++
++ code = krb5_unparse_name(ctx,
++ default_princ,
++ &princ_name);
++ if (code == 0) {
++ fprintf(stderr,
++ "DEBUG: Try to authenticate as %s\n",
++ princ_name);
++ krb5_free_unparsed_name(ctx, princ_name);
++ }
+ krb5_free_principal(ctx, default_princ);
+ }
+ krb5_cc_close(ctx, ccache);
+--
+2.21.0
+
+
+From 997a9c4e9eed11d5c9e1635db3fe402c3c686989 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 14:25:00 +0200
+Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba)
+---
+ source3/client/smbspool_krb5_wrapper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index e6684fc0d0c..2cdcd372ec6 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -219,10 +219,14 @@ int main(int argc, char *argv[])
+ env = getenv("KRB5CCNAME");
+ if (env != NULL && env[0] != 0) {
+ snprintf(gen_cc, sizeof(gen_cc), "%s", env);
++ CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache",
++ gen_cc);
+
+ goto create_env;
+ }
+
++ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
++
+ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
+
+ rc = lstat(gen_cc, &sb);
+--
+2.21.0
+
+
+From 793b16c22b0732a48de9bc927aab012bab87e8e4 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 17:10:57 +0200
+Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858)
+---
+ source3/client/smbspool_krb5_wrapper.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index 2cdcd372ec6..3266b90ec1a 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -227,13 +227,13 @@ int main(int argc, char *argv[])
+
+ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
+
+- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
++ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
+
+ rc = lstat(gen_cc, &sb);
+ if (rc == 0) {
+- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid);
++ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
+ } else {
+- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid);
++ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
+
+ rc = lstat(gen_cc, &sb);
+ if (rc == 0 && S_ISDIR(sb.st_mode)) {
+--
+2.21.0
+
+
+From a2eb883469617688bef4f5c5dbbb1fc916299923 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 17:40:43 +0200
+Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is
+ not set
+
+This could also support the new KCM credential cache storage.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3)
+---
+ source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++--------
+ source3/wscript_build | 1 +
+ 2 files changed, 55 insertions(+), 25 deletions(-)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index 3266b90ec1a..bff1df417e8 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -21,6 +21,7 @@
+
+ #include "includes.h"
+ #include "system/filesys.h"
++#include "system/kerberos.h"
+ #include "system/passwd.h"
+
+ #include <errno.h>
+@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...)
+ buffer);
+ }
+
++static bool kerberos_get_default_ccache(char *ccache_buf, size_t len)
++{
++ krb5_context ctx;
++ const char *ccache_name = NULL;
++ char *full_ccache_name = NULL;
++ krb5_ccache ccache = NULL;
++ krb5_error_code code;
++
++ code = krb5_init_context(&ctx);
++ if (code != 0) {
++ return false;
++ }
++
++ ccache_name = krb5_cc_default_name(ctx);
++ if (ccache_name == NULL) {
++ krb5_free_context(ctx);
++ return false;
++ }
++
++ code = krb5_cc_resolve(ctx, ccache_name, &ccache);
++ if (code != 0) {
++ krb5_free_context(ctx);
++ return false;
++ }
++
++ code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name);
++ krb5_cc_close(ctx, ccache);
++ if (code != 0) {
++ krb5_free_context(ctx);
++ return false;
++ }
++
++ snprintf(ccache_buf, len, "%s", full_ccache_name);
++
++#ifdef SAMBA4_USES_HEIMDAL
++ free(full_ccache_name);
++#else
++ krb5_free_string(ctx, full_ccache_name);
++#endif
++ krb5_free_context(ctx);
++
++ return true;
++}
++
+ /*
+ * This is a helper binary to execute smbspool.
+ *
+@@ -84,7 +129,6 @@ int main(int argc, char *argv[])
+ struct passwd *pwd;
+ struct group *g = NULL;
+ char gen_cc[PATH_MAX] = {0};
+- struct stat sb;
+ char *env = NULL;
+ char auth_info_required[256] = {0};
+ char device_uri[4096] = {0};
+@@ -92,6 +136,7 @@ int main(int argc, char *argv[])
+ gid_t gid = (gid_t)-1;
+ gid_t groups[1] = { (gid_t)-1 };
+ unsigned long tmp;
++ bool ok;
+ int cmp;
+ int rc;
+
+@@ -225,32 +270,16 @@ int main(int argc, char *argv[])
+ goto create_env;
+ }
+
+- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
+-
+- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
+-
+- rc = lstat(gen_cc, &sb);
+- if (rc == 0) {
+- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
+- } else {
+- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
+-
+- rc = lstat(gen_cc, &sb);
+- if (rc == 0 && S_ISDIR(sb.st_mode)) {
+- snprintf(gen_cc,
+- sizeof(gen_cc),
+- "DIR:/run/user/%d/krb5cc",
+- uid);
+- } else {
+-#if defined(__linux__)
+- snprintf(gen_cc,
+- sizeof(gen_cc),
+- "KEYRING:persistent:%d",
+- uid);
+-#endif
+- }
++ ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc));
++ if (ok) {
++ CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]",
++ gen_cc);
++ goto create_env;
+ }
+
++ /* Fallback to a FILE ccache */
++ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
++
+ create_env:
+ /*
+ * Make sure we do not have LD_PRELOAD or other security relevant
+diff --git a/source3/wscript_build b/source3/wscript_build
+index bbcfc72a714..a601ab4e9b1 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -1137,6 +1137,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
+ deps='''
+ DYNCONFIG
+ cups
++ krb5
+ ''',
+ install_path='${LIBEXECDIR}/samba',
+ enabled=bld.CONFIG_SET('HAVE_CUPS'))
+--
+2.21.0
+
+
+From ec526ef97fc6edf0342dea9ee82ecc14433cc063 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 May 2019 16:48:31 +0200
+Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd)
+---
+ source3/client/smbspool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 78c13b9ebdb..805ad88b88d 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -223,7 +223,9 @@ main(int argc, /* I - Number of command-line arguments */
+
+ fp = fopen(print_file, "rb");
+ if (fp == NULL) {
+- perror("ERROR: Unable to open print file");
++ fprintf(stderr,
++ "ERROR: Unable to open print file: %s",
++ print_file);
+ goto done;
+ }
+
+--
+2.21.0
+
+
+From cd9e3a2a7666dfe545a8d0e9a68def6aa536641b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 May 2019 18:54:02 +0200
+Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos
+
+If username and password is given, then fallback to NTLM. However try
+kinit first. Also we correctly handle NULL passwords in the meantime and
+this makes it easier to deal with issues.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d)
+---
+ source3/client/smbspool.c | 90 ++++++++++++++++++++++-----------------
+ 1 file changed, 51 insertions(+), 39 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 805ad88b88d..d336cd08209 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -87,8 +87,8 @@ main(int argc, /* I - Number of command-line arguments */
+ int port; /* Port number */
+ char uri[1024], /* URI */
+ *sep, /* Pointer to separator */
+- *tmp, *tmp2, /* Temp pointers to do escaping */
+- *password; /* Password */
++ *tmp, *tmp2; /* Temp pointers to do escaping */
++ const char *password = NULL; /* Password */
+ char *username, /* Username */
+ *server, /* Server name */
+ *printer;/* Printer name */
+@@ -292,8 +292,6 @@ main(int argc, /* I - Number of command-line arguments */
+ if ((tmp2 = strchr_m(tmp, ':')) != NULL) {
+ *tmp2++ = '\0';
+ password = uri_unescape_alloc(tmp2);
+- } else {
+- password = empty_str;
+ }
+ username = uri_unescape_alloc(tmp);
+ } else {
+@@ -301,14 +299,15 @@ main(int argc, /* I - Number of command-line arguments */
+ username = empty_str;
+ }
+
+- if ((password = getenv("AUTH_PASSWORD")) == NULL) {
+- password = empty_str;
++ env = getenv("AUTH_PASSWORD");
++ if (env != NULL && strlen(env) > 0) {
++ password = env;
+ }
+
+ server = uri + 6;
+ }
+
+- if (password != empty_str) {
++ if (password != NULL) {
+ auth_info_required = "username,password";
+ }
+
+@@ -513,6 +512,7 @@ smb_complete_connection(const char *myname,
+ NTSTATUS nt_status;
+ struct cli_credentials *creds = NULL;
+ bool use_kerberos = false;
++ bool fallback_after_kerberos = false;
+
+ /* Start the SMB connection */
+ *need_auth = false;
+@@ -523,27 +523,21 @@ smb_complete_connection(const char *myname,
+ return NULL;
+ }
+
+- /*
+- * We pretty much guarantee password must be valid or a pointer to a
+- * 0 char.
+- */
+- if (!password) {
+- *need_auth = true;
+- return NULL;
+- }
+-
+ if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+- auth_info_required = "negotiate";
+ use_kerberos = true;
+ }
+
++ if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) {
++ fallback_after_kerberos = true;
++ }
++
+ creds = cli_session_creds_init(cli,
+ username,
+ workgroup,
+ NULL, /* realm */
+ password,
+ use_kerberos,
+- false, /* fallback_after_kerberos */
++ fallback_after_kerberos,
+ false, /* use_ccache */
+ false); /* password_is_nt_hash */
+ if (creds == NULL) {
+@@ -659,6 +653,10 @@ smb_connect(const char *workgroup, /* I - Workgroup */
+ struct cli_state *cli; /* New connection */
+ char *myname = NULL; /* Client name */
+ struct passwd *pwd;
++ int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
++ bool use_kerberos = false;
++ const char *user = username;
++ int cmp;
+
+ /*
+ * Get the names and addresses of the client and server...
+@@ -668,42 +666,56 @@ smb_connect(const char *workgroup, /* I - Workgroup */
+ return NULL;
+ }
+
+- /*
+- * See if we have a username first. This is for backwards compatible
+- * behavior with 3.0.14a
+- */
+
+- if (username == NULL || username[0] == '\0') {
+- if (kerberos_ccache_is_valid()) {
+- goto kerberos_auth;
++ cmp = strcmp(auth_info_required, "negotiate");
++ if (cmp == 0) {
++ if (!kerberos_ccache_is_valid()) {
++ return NULL;
+ }
++ user = jobusername;
++
++ use_kerberos = true;
++ fprintf(stderr,
++ "DEBUG: Try to connect using Kerberos ...\n");
++ }
++
++ cmp = strcmp(auth_info_required, "username,password");
++ if (cmp == 0) {
++ if (username == NULL || username[0] == '\0') {
++ return NULL;
++ }
++
++ /* Fallback to NTLM */
++ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
++
++ fprintf(stderr,
++ "DEBUG: Try to connect using username/password ...\n");
++ }
++
++ cmp = strcmp(auth_info_required, "none");
++ if (cmp == 0) {
++ fprintf(stderr,
++ "DEBUG: This backend doesn't support none auth ...\n");
++ return NULL;
+ }
+
+ cli = smb_complete_connection(myname,
+ server,
+ port,
+- username,
++ user,
+ password,
+ workgroup,
+ share,
+- 0,
++ flags,
+ need_auth);
+ if (cli != NULL) {
+- fputs("DEBUG: Connected with username/password...\n", stderr);
++ fprintf(stderr, "DEBUG: SMB connection established.\n");
+ return (cli);
+ }
+
+-kerberos_auth:
+- /*
+- * Try to use the user kerberos credentials (if any) to authenticate
+- */
+- cli = smb_complete_connection(myname, server, port, jobusername, "",
+- workgroup, share,
+- CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
+-
+- if (cli) {
+- fputs("DEBUG: Connected using Kerberos...\n", stderr);
+- return (cli);
++ if (!use_kerberos) {
++ fprintf(stderr, "ERROR: SMB connection failed!\n");
++ return NULL;
+ }
+
+ /* give a chance for a passwordless NTLMSSP session setup */
+--
+2.21.0
+
+
+From f470477d71214b00a4b33f6934d7dbef3b3fce1d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 18:24:32 +0200
+Subject: [PATCH 8/9] s3:smbspool: Add debug messages to
+ kerberos_ccache_is_valid()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3)
+---
+ source3/client/smbspool.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index d336cd08209..221c50af196 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -599,11 +599,15 @@ static bool kerberos_ccache_is_valid(void) {
+
+ ccache_name = krb5_cc_default_name(ctx);
+ if (ccache_name == NULL) {
++ DBG_ERR("Failed to get default ccache name\n");
++ krb5_free_context(ctx);
+ return false;
+ }
+
+ code = krb5_cc_resolve(ctx, ccache_name, &ccache);
+ if (code != 0) {
++ DBG_ERR("Failed to resolve ccache name: %s\n",
++ ccache_name);
+ krb5_free_context(ctx);
+ return false;
+ } else {
+@@ -614,6 +618,9 @@ static bool kerberos_ccache_is_valid(void) {
+ ccache,
+ &default_princ);
+ if (code != 0) {
++ DBG_ERR("Failed to get default principal from "
++ "ccache: %s\n",
++ ccache_name);
+ krb5_cc_close(ctx, ccache);
+ krb5_free_context(ctx);
+ return false;
+--
+2.21.0
+
+
+From 27511ca2bbb05134681714475c634473b5125503 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 14 May 2019 11:35:46 +0200
+Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes
+
+This allows us to simplify some code and return better errors.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea)
+---
+ source3/client/smbspool.c | 250 ++++++++++++++++++++++----------------
+ 1 file changed, 145 insertions(+), 105 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 221c50af196..5ab286cd3e9 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -60,12 +60,27 @@
+ * Local functions...
+ */
+
+-static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
++static int get_exit_code(NTSTATUS nt_status);
+ static void list_devices(void);
+-static struct cli_state *smb_complete_connection(const char *, const char *,
+- int, const char *, const char *, const char *, const char *, int, bool *need_auth);
+-static struct cli_state *smb_connect(const char *, const char *, int, const
+- char *, const char *, const char *, const char *, bool *need_auth);
++static NTSTATUS
++smb_complete_connection(struct cli_state **output_cli,
++ const char *myname,
++ const char *server,
++ int port,
++ const char *username,
++ const char *password,
++ const char *workgroup,
++ const char *share,
++ int flags);
++static NTSTATUS
++smb_connect(struct cli_state **output_cli,
++ const char *workgroup,
++ const char *server,
++ const int port,
++ const char *share,
++ const char *username,
++ const char *password,
++ const char *jobusername);
+ static int smb_print(struct cli_state *, const char *, FILE *);
+ static char *uri_unescape_alloc(const char *);
+ #if 0
+@@ -89,16 +104,15 @@ main(int argc, /* I - Number of command-line arguments */
+ *sep, /* Pointer to separator */
+ *tmp, *tmp2; /* Temp pointers to do escaping */
+ const char *password = NULL; /* Password */
+- char *username, /* Username */
+- *server, /* Server name */
++ const char *username = NULL; /* Username */
++ char *server, /* Server name */
+ *printer;/* Printer name */
+ const char *workgroup; /* Workgroup */
+ FILE *fp; /* File to print */
+ int status = 1; /* Status of LPD job */
+- struct cli_state *cli; /* SMB interface */
+- char empty_str[] = "";
++ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
++ struct cli_state *cli = NULL; /* SMB interface */
+ int tries = 0;
+- bool need_auth = true;
+ const char *dev_uri = NULL;
+ const char *env = NULL;
+ const char *config_file = NULL;
+@@ -295,8 +309,9 @@ main(int argc, /* I - Number of command-line arguments */
+ }
+ username = uri_unescape_alloc(tmp);
+ } else {
+- if ((username = getenv("AUTH_USERNAME")) == NULL) {
+- username = empty_str;
++ env = getenv("AUTH_USERNAME");
++ if (env != NULL && strlen(env) > 0) {
++ username = env;
+ }
+
+ env = getenv("AUTH_PASSWORD");
+@@ -368,27 +383,39 @@ main(int argc, /* I - Number of command-line arguments */
+ load_interfaces();
+
+ do {
+- cli = smb_connect(workgroup,
+- server,
+- port,
+- printer,
+- username,
+- password,
+- print_user,
+- &need_auth);
+- if (cli == NULL) {
+- if (need_auth) {
+- exit(2);
++ nt_status = smb_connect(&cli,
++ workgroup,
++ server,
++ port,
++ printer,
++ username,
++ password,
++ print_user);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ status = get_exit_code(nt_status);
++ if (status == 2) {
++ fprintf(stderr,
++ "DEBUG: Unable to connect to CIFS "
++ "host: %s",
++ nt_errstr(nt_status));
++ goto done;
+ } else if (getenv("CLASS") == NULL) {
+- fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
++ fprintf(stderr,
++ "ERROR: Unable to connect to CIFS "
++ "host: %s. Will retry in 60 "
++ "seconds...\n",
++ nt_errstr(nt_status));
+ sleep(60);
+ tries++;
+ } else {
+- fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
++ fprintf(stderr,
++ "ERROR: Unable to connect to CIFS "
++ "host: %s. Trying next printer...\n",
++ nt_errstr(nt_status));
+ goto done;
+ }
+ }
+- } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
++ } while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT));
+
+ if (cli == NULL) {
+ fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
+@@ -435,10 +462,9 @@ done:
+ */
+
+ static int
+-get_exit_code(struct cli_state * cli,
+- NTSTATUS nt_status)
++get_exit_code(NTSTATUS nt_status)
+ {
+- int i;
++ size_t i;
+
+ /* List of NTSTATUS errors that are considered
+ * authentication errors
+@@ -454,17 +480,16 @@ get_exit_code(struct cli_state * cli,
+ };
+
+
+- fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n",
+- cli, nt_errstr(nt_status), NT_STATUS_V(nt_status));
++ fprintf(stderr,
++ "DEBUG: get_exit_code(nt_status=%s [%x])\n",
++ nt_errstr(nt_status), NT_STATUS_V(nt_status));
+
+ for (i = 0; i < ARRAY_SIZE(auth_errors); i++) {
+ if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) {
+ continue;
+ }
+
+- if (cli) {
+- fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
+- }
++ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
+
+ /*
+ * 2 = authentication required...
+@@ -497,16 +522,16 @@ list_devices(void)
+ }
+
+
+-static struct cli_state *
+-smb_complete_connection(const char *myname,
++static NTSTATUS
++smb_complete_connection(struct cli_state **output_cli,
++ const char *myname,
+ const char *server,
+ int port,
+ const char *username,
+ const char *password,
+ const char *workgroup,
+ const char *share,
+- int flags,
+- bool *need_auth)
++ int flags)
+ {
+ struct cli_state *cli; /* New connection */
+ NTSTATUS nt_status;
+@@ -515,12 +540,11 @@ smb_complete_connection(const char *myname,
+ bool fallback_after_kerberos = false;
+
+ /* Start the SMB connection */
+- *need_auth = false;
+ nt_status = cli_start_connection(&cli, myname, server, NULL, port,
+ SMB_SIGNING_DEFAULT, flags);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status));
+- return NULL;
++ return nt_status;
+ }
+
+ if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+@@ -543,20 +567,16 @@ smb_complete_connection(const char *myname,
+ if (creds == NULL) {
+ fprintf(stderr, "ERROR: cli_session_creds_init failed\n");
+ cli_shutdown(cli);
+- return NULL;
++ return NT_STATUS_NO_MEMORY;
+ }
+
+ nt_status = cli_session_setup_creds(cli, creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
+
+- if (get_exit_code(cli, nt_status) == 2) {
+- *need_auth = true;
+- }
+-
+ cli_shutdown(cli);
+
+- return NULL;
++ return nt_status;
+ }
+
+ nt_status = cli_tree_connect_creds(cli, share, "?????", creds);
+@@ -564,13 +584,9 @@ smb_complete_connection(const char *myname,
+ fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
+ nt_errstr(nt_status));
+
+- if (get_exit_code(cli, nt_status) == 2) {
+- *need_auth = true;
+- }
+-
+ cli_shutdown(cli);
+
+- return NULL;
++ return nt_status;
+ }
+ #if 0
+ /* Need to work out how to specify this on the URL. */
+@@ -583,7 +599,8 @@ smb_complete_connection(const char *myname,
+ }
+ #endif
+
+- return cli;
++ *output_cli = cli;
++ return NT_STATUS_OK;
+ }
+
+ static bool kerberos_ccache_is_valid(void) {
+@@ -647,49 +664,48 @@ static bool kerberos_ccache_is_valid(void) {
+ * 'smb_connect()' - Return a connection to a server.
+ */
+
+-static struct cli_state * /* O - SMB connection */
+-smb_connect(const char *workgroup, /* I - Workgroup */
++static NTSTATUS
++smb_connect(struct cli_state **output_cli,
++ const char *workgroup, /* I - Workgroup */
+ const char *server, /* I - Server */
+ const int port, /* I - Port */
+ const char *share, /* I - Printer */
+ const char *username, /* I - Username */
+ const char *password, /* I - Password */
+- const char *jobusername, /* I - User who issued the print job */
+- bool *need_auth)
+-{ /* O - Need authentication? */
+- struct cli_state *cli; /* New connection */
++ const char *jobusername) /* I - User who issued the print job */
++{
++ struct cli_state *cli = NULL; /* New connection */
+ char *myname = NULL; /* Client name */
+ struct passwd *pwd;
+ int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
+ bool use_kerberos = false;
+ const char *user = username;
+- int cmp;
++ NTSTATUS nt_status;
+
+ /*
+ * Get the names and addresses of the client and server...
+ */
+ myname = get_myname(talloc_tos());
+ if (!myname) {
+- return NULL;
++ return NT_STATUS_NO_MEMORY;
+ }
+
+
+- cmp = strcmp(auth_info_required, "negotiate");
+- if (cmp == 0) {
++ if (strcmp(auth_info_required, "negotiate") == 0) {
+ if (!kerberos_ccache_is_valid()) {
+- return NULL;
++ fprintf(stderr,
++ "ERROR: No valid Kerberos credential cache "
++ "found!\n");
++ return NT_STATUS_LOGON_FAILURE;
+ }
+ user = jobusername;
+
+ use_kerberos = true;
+ fprintf(stderr,
+ "DEBUG: Try to connect using Kerberos ...\n");
+- }
+-
+- cmp = strcmp(auth_info_required, "username,password");
+- if (cmp == 0) {
+- if (username == NULL || username[0] == '\0') {
+- return NULL;
++ } else if (strcmp(auth_info_required, "username,password") == 0) {
++ if (username == NULL) {
++ return NT_STATUS_INVALID_ACCOUNT_NAME;
+ }
+
+ /* Fallback to NTLM */
+@@ -697,59 +713,83 @@ smb_connect(const char *workgroup, /* I - Workgroup */
+
+ fprintf(stderr,
+ "DEBUG: Try to connect using username/password ...\n");
+- }
++ } else {
++ if (username != NULL) {
++ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
++ } else if (kerberos_ccache_is_valid()) {
++ auth_info_required = "negotiate";
+
+- cmp = strcmp(auth_info_required, "none");
+- if (cmp == 0) {
+- fprintf(stderr,
+- "DEBUG: This backend doesn't support none auth ...\n");
+- return NULL;
++ user = jobusername;
++ use_kerberos = true;
++ } else {
++ fprintf(stderr,
++ "DEBUG: This backend requires credentials!\n");
++ return NT_STATUS_ACCESS_DENIED;
++ }
+ }
+
+- cli = smb_complete_connection(myname,
+- server,
+- port,
+- user,
+- password,
+- workgroup,
+- share,
+- flags,
+- need_auth);
+- if (cli != NULL) {
++ nt_status = smb_complete_connection(&cli,
++ myname,
++ server,
++ port,
++ user,
++ password,
++ workgroup,
++ share,
++ flags);
++ if (NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "DEBUG: SMB connection established.\n");
+- return (cli);
++
++ *output_cli = cli;
++ return NT_STATUS_OK;
+ }
+
+ if (!use_kerberos) {
+ fprintf(stderr, "ERROR: SMB connection failed!\n");
+- return NULL;
++ return nt_status;
+ }
+
+ /* give a chance for a passwordless NTLMSSP session setup */
+ pwd = getpwuid(geteuid());
+ if (pwd == NULL) {
+- return NULL;
+- }
+-
+- cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
+- workgroup, share, 0, need_auth);
+-
+- if (cli) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
++ nt_status = smb_complete_connection(&cli,
++ myname,
++ server,
++ port,
++ pwd->pw_name,
++ "",
++ workgroup,
++ share,
++ 0);
++ if (NT_STATUS_IS_OK(nt_status)) {
+ fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
+- return (cli);
++
++ *output_cli = cli;
++ return NT_STATUS_OK;
+ }
+
+ /*
+ * last try. Use anonymous authentication
+ */
+
+- cli = smb_complete_connection(myname, server, port, "", "",
+- workgroup, share, 0, need_auth);
+- /*
+- * Return the new connection...
+- */
+-
+- return (cli);
++ nt_status = smb_complete_connection(&cli,
++ myname,
++ server,
++ port,
++ "",
++ "",
++ workgroup,
++ share,
++ 0);
++ if (NT_STATUS_IS_OK(nt_status)) {
++ *output_cli = cli;
++ return NT_STATUS_OK;
++ }
++
++ return nt_status;
+ }
+
+
+@@ -795,7 +835,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: %s opening remote spool %s\n",
+ nt_errstr(nt_status), title);
+- return get_exit_code(cli, nt_status);
++ return get_exit_code(nt_status);
+ }
+
+ /*
+@@ -813,7 +853,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
+ tbytes, nbytes, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+- int ret = get_exit_code(cli, status);
++ int ret = get_exit_code(status);
+ fprintf(stderr, "ERROR: Error writing spool: %s\n",
+ nt_errstr(status));
+ fprintf(stderr, "DEBUG: Returning status %d...\n",
+@@ -829,7 +869,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: %s closing remote spool %s\n",
+ nt_errstr(nt_status), title);
+- return get_exit_code(cli, nt_status);
++ return get_exit_code(nt_status);
+ } else {
+ return (0);
+ }
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.9-fix_debug_segfault.patch b/SOURCES/samba-4.9-fix_debug_segfault.patch
new file mode 100644
index 0000000..edbbd33
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_debug_segfault.patch
@@ -0,0 +1,40 @@
+From 99c354431703a4408f0208e3f2b06a9da81937f2 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 7 Nov 2018 14:32:29 +0100
+Subject: [PATCH] lib:util: Fix DEBUGCLASS pointer initializiation
+
+This fixes a segfault in pyglue:
+
+==10142== Process terminating with default action of signal 11 (SIGSEGV)
+==10142== Bad permissions for mapped region at address 0x6F00A20
+==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 71ef09c1afdbf967b829cb66b33c3a5cb1c18ba0)
+---
+ lib/util/debug.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/util/debug.c b/lib/util/debug.c
+index d41e0f99c77..847ec1f0a0c 100644
+--- a/lib/util/debug.c
++++ b/lib/util/debug.c
+@@ -557,10 +557,10 @@ static const char *default_classname_table[] = {
+ * This is to allow reading of DEBUGLEVEL_CLASS before the debug
+ * system has been initialized.
+ */
+-static const int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
++static int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
+
+ static size_t debug_num_classes = 0;
+-int *DEBUGLEVEL_CLASS = discard_const_p(int, debug_class_list_initial);
++int *DEBUGLEVEL_CLASS = debug_class_list_initial;
+
+
+ /* -------------------------------------------------------------------------- **
+--
+2.19.1
+
diff --git a/SOURCES/samba-4.9-fix_force_group_panic.patch b/SOURCES/samba-4.9-fix_force_group_panic.patch
new file mode 100644
index 0000000..e228ccf
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_force_group_panic.patch
@@ -0,0 +1,87 @@
+From fdc98f74d016bcfd9673f4bc011ba7ede59bdf48 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 18 Jan 2019 14:24:30 -0800
+Subject: [PATCH 2/2] smbd: uid: Don't crash if 'force group' is added to an
+ existing share connection.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+smbd could crash if "force group" is added to a
+share definition whilst an existing connection
+to that share exists. In that case, don't change
+the existing credentials for force group, only
+do so for new connections.
+
+Remove knownfail from regression test.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144
+
+(cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a)
+---
+ source3/smbd/uid.c | 35 +++++++++++++++++++++++++++++++++--
+ 2 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index 9d5321cf4cc..ced2d450f8e 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -296,6 +296,7 @@ static bool change_to_user_internal(connection_struct *conn,
+ int snum;
+ gid_t gid;
+ uid_t uid;
++ const char *force_group_name;
+ char group_c;
+ int num_groups = 0;
+ gid_t *group_list = NULL;
+@@ -335,9 +336,39 @@ static bool change_to_user_internal(connection_struct *conn,
+ * See if we should force group for this service. If so this overrides
+ * any group set in the force user code.
+ */
+- if((group_c = *lp_force_group(talloc_tos(), snum))) {
++ force_group_name = lp_force_group(talloc_tos(), snum);
++ group_c = *force_group_name;
+
+- SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
++ if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {
++ /*
++ * This can happen if "force group" is added to a
++ * share definition whilst an existing connection
++ * to that share exists. In that case, don't change
++ * the existing credentials for force group, only
++ * do so for new connections.
++ *
++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
++ */
++ DBG_INFO("Not forcing group %s on existing connection to "
++ "share %s for SMB user %s (unix user %s)\n",
++ force_group_name,
++ lp_const_servicename(snum),
++ session_info->unix_info->sanitized_username,
++ session_info->unix_info->unix_name);
++ }
++
++ if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) {
++ /*
++ * Only force group for connections where
++ * conn->force_group_gid has already been set
++ * to the correct value (i.e. the connection
++ * happened after the 'force group' definition
++ * was added to the share definition. Connections
++ * that were made before force group was added
++ * should stay with their existing credentials.
++ *
++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
++ */
+
+ if (group_c == '+') {
+ int i;
+--
+2.20.1.495.gaa96b0ce6b-goog
+
diff --git a/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch b/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch
new file mode 100644
index 0000000..8cd6b4e
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch
@@ -0,0 +1,544 @@
+From 996850e7c3bae8fa2f3fcb3f2e3a811c1e6c162f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 29 Mar 2019 11:34:53 +0100
+Subject: [PATCH 01/11] s3:libads: Print more information when LDAP fails
+
+Currently we just get an error but don't know what exactly we tried to
+do in 'net ads join -d10'.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
+---
+ source3/libads/ldap.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 13846695bd4..110f74a2dbb 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld)
+ if (ret != 0) {
+ char *ld_error = NULL;
+ ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
+- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
+- ldap_err2string(ret), ld_error));
++ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
++ ret,
++ ldap_err2string(ret),
++ ld_error);
+ SAFE_FREE(ld_error);
+ }
+ }
+@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
+ (char) 1};
+ LDAPControl *controls[2];
+
++ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
++
+ controls[0] = &PermitModify;
+ controls[1] = NULL;
+
+@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
+ char *utf8_dn = NULL;
+ size_t converted_size;
+
++ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
++
+ if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
+ DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
+ return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
++ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
++
+ ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
+ ads_print_error(ret, ads->ldap.ld);
+ TALLOC_FREE(utf8_dn);
+--
+2.21.0
+
+
+From 5fe5419bd6617fb33c7aafce20e1eeb3edd2f35f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 27 Mar 2019 16:45:39 +0100
+Subject: [PATCH 02/11] s3:libsmb: Add some useful debug output to cliconnect
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
+---
+ source3/libsmb/cliconnect.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 837299d9220..9a3d3c769f9 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -345,6 +345,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ return NT_STATUS_OK;
+ }
+
++ DBG_INFO("Doing kinit for %s to access %s\n",
++ user_principal, target_hostname);
+
+ /*
+ * TODO: This should be done within the gensec layer
+@@ -374,6 +376,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ */
+ }
+
++ DBG_DEBUG("Successfully authenticated as %s to access %s using "
++ "Kerberos\n",
++ user_principal,
++ target_hostname);
++
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+@@ -1293,6 +1300,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
+ return tevent_req_post(req, ev);
+ }
+
++ DBG_INFO("Connect to %s as %s using SPNEGO\n",
++ target_hostname,
++ cli_credentials_get_principal(creds, talloc_tos()));
++
+ subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
+ target_service, target_hostname);
+ if (tevent_req_nomem(subreq, req)) {
+@@ -1496,6 +1507,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
+ return tevent_req_post(req, ev);
+ }
+
++ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
++
+ if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
+ bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
+ uint8_t *bytes = NULL;
+--
+2.21.0
+
+
+From 0ad85d0c8d5f1c0a8a2fc9bed2e685e3421195bc Mon Sep 17 00:00:00 2001
+From: Guenther Deschner <gd@samba.org>
+Date: Mon, 1 Apr 2019 17:46:39 +0200
+Subject: [PATCH 03/11] s3:libnet: Fix debug message in libnet_DomainJoin()
+
+A newline is missing but also use DBG_INFO macro and cleanup spelling.
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
+---
+ source3/libnet/libnet_join.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 27fc5135442..ddc00f7ad7c 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+ return WERR_NERR_DEFAULTJOINREQUIRED;
+ }
+
+- DEBUG(5, ("failed to precreate account in ou %s: %s",
+- r->in.account_ou, ads_errstr(ads_status)));
++ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
++ r->in.account_ou, ads_errstr(ads_status));
+ }
+ rpc_join:
+
+--
+2.21.0
+
+
+From d6802828cc9a0dbdd667966faea7cc331479179b Mon Sep 17 00:00:00 2001
+From: Guenther Deschner <gd@samba.org>
+Date: Wed, 27 Mar 2019 17:51:04 +0100
+Subject: [PATCH 04/11] auth:ntlmssp: Add back CRAP ndr debug output
+
+This got lost somehow during refactoring. This is still viable
+information when trying to figure out what is going wrong when
+authenticating a user over NTLMSSP.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
+---
+ auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
+index ab406a2c5be..8e49dcee5ea 100644
+--- a/auth/ntlmssp/ntlmssp_client.c
++++ b/auth/ntlmssp/ntlmssp_client.c
+@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
+ }
+ }
+
++ if (DEBUGLEVEL >= 10) {
++ struct CHALLENGE_MESSAGE *challenge =
++ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
++ if (challenge != NULL) {
++ NTSTATUS status;
++ challenge->NegotiateFlags = chal_flags;
++ status = ntlmssp_pull_CHALLENGE_MESSAGE(
++ &in, challenge, challenge);
++ if (NT_STATUS_IS_OK(status)) {
++ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
++ challenge);
++ }
++ TALLOC_FREE(challenge);
++ }
++ }
++
+ if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
+ ntlmssp_state->server.is_standalone = true;
+ } else {
+@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
+ return nt_status;
+ }
+
++ if (DEBUGLEVEL >= 10) {
++ struct AUTHENTICATE_MESSAGE *authenticate =
++ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
++ if (authenticate != NULL) {
++ NTSTATUS status;
++ authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
++ status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
++ out, authenticate, authenticate);
++ if (NT_STATUS_IS_OK(status)) {
++ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
++ authenticate);
++ }
++ TALLOC_FREE(authenticate);
++ }
++ }
++
+ /*
+ * We always include the MIC, even without:
+ * av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
+--
+2.21.0
+
+
+From 9a4a76ad58a96903129d1aef0c5ac05a9beeda4b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 1 Apr 2019 15:59:10 +0200
+Subject: [PATCH 05/11] auth:creds: Prefer the principal over DOMAIN/username
+ when using NTLM
+
+If we want to authenticate using -Wadmin@otherdomain the DC should do
+take care of the authentication with the right DC for us.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
+---
+ auth/credentials/credentials.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index 4663185c979..7ef58d0752c 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
+ const char **username,
+ const char **domain)
+ {
+- if (cred->principal_obtained > cred->username_obtained) {
++ if (cred->principal_obtained >= cred->username_obtained) {
+ *domain = talloc_strdup(mem_ctx, "");
+ *username = cli_credentials_get_principal(cred, mem_ctx);
+ } else {
+--
+2.21.0
+
+
+From 40267b96b2d596bf92139bbc794337fa828e63d5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 1 Apr 2019 16:39:45 +0200
+Subject: [PATCH 06/11] s3:libnet: Use more secure name for the JOIN krb5.conf
+
+Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
+---
+ source3/libnet/libnet_join.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index ddc00f7ad7c..e052306523d 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+ }
+
+ /* The domain parameter is only used as modifier
+- * to krb5.conf file name. .JOIN is is not a valid
++ * to krb5.conf file name. _JOIN_ is is not a valid
+ * NetBIOS name so it cannot clash with another domain
+ * -- Uri.
+ */
+- create_local_private_krb5_conf_for_domain(
+- pre_connect_realm, ".JOIN", sitename, &ss);
++ create_local_private_krb5_conf_for_domain(pre_connect_realm,
++ "_JOIN_",
++ sitename,
++ &ss);
+ }
+
+ status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
+--
+2.21.0
+
+
+From cdc7199588e89eec42f30d0ea00f406911739763 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 1 Apr 2019 16:47:26 +0200
+Subject: [PATCH 07/11] s3:libads: Make sure we can lookup KDCs which are not
+ configured
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
+---
+ source3/libads/kerberos.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index e623f2456a8..360cdd741da 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -673,11 +673,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
+ }
+ #endif
+
++ /*
++ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
++ * KDCs which are not configured via DNS SRV records, eg. if we do:
++ *
++ * net ads join -Uadmin@otherdomain
++ */
+ file_contents =
+ talloc_asprintf(fname,
+- "[libdefaults]\n\tdefault_realm = %s\n"
++ "[libdefaults]\n"
++ "\tdefault_realm = %s\n"
+ "%s"
+- "\tdns_lookup_realm = false\n\n"
++ "\tdns_lookup_realm = false\n"
++ "\tdns_lookup_kdc = true\n\n"
+ "[realms]\n\t%s = {\n"
+ "%s\t}\n"
+ "%s\n",
+--
+2.21.0
+
+
+From 85d85aa3f79ab0a4c3f3f3aad94d7ed545992a45 Mon Sep 17 00:00:00 2001
+From: Guenther Deschner <gd@samba.org>
+Date: Mon, 1 Apr 2019 17:40:03 +0200
+Subject: [PATCH 08/11] s3:ldap: Leave add machine code early for pre-existing
+ accounts
+
+This avoids numerous LDAP constraint violation errors when we try to
+re-precreate an already existing machine account.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
+---
+ source3/libads/ldap.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 110f74a2dbb..e191ea792a8 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ goto done;
+ }
+
++ ret = ads_find_machine_acct(ads, &res, machine_escaped);
++ ads_msgfree(ads, res);
++ if (ADS_ERR_OK(ret)) {
++ DBG_DEBUG("Host account for %s already exists.\n",
++ machine_escaped);
++ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
++ goto done;
++ }
++
+ new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+
+@@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+
+ done:
+ SAFE_FREE(machine_escaped);
+- ads_msgfree(ads, res);
+ talloc_destroy(ctx);
+
+ return ret;
+--
+2.21.0
+
+
+From ff8c3e197107621f9398515120a33239940a507b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 2 Apr 2019 13:14:06 +0200
+Subject: [PATCH 09/11] s3-libnet_join: always pass down admin domain to ads
+ layer
+
+Otherwise we could loose the information that a non-default domain name
+has been used for admin creds.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)
+---
+ source3/libnet/libnet_join.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index e052306523d..fc7429e6a23 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -205,7 +205,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
+ password = r->in.machine_password;
+ ccname = "MEMORY:libnet_join_machine_creds";
+ } else {
++ char *p = NULL;
++
+ username = r->in.admin_account;
++
++ p = strchr(r->in.admin_account, '@');
++ if (p == NULL) {
++ username = talloc_asprintf(mem_ctx, "%s@%s",
++ r->in.admin_account,
++ r->in.admin_domain);
++ }
++ if (username == NULL) {
++ return ADS_ERROR(LDAP_NO_MEMORY);
++ }
+ password = r->in.admin_password;
+
+ /*
+--
+2.21.0
+
+
+From a3939fb583bb21abb34ec4179ffeb65e9a621279 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 2 Apr 2019 13:16:11 +0200
+Subject: [PATCH 10/11] s3-libnet_join: setup libnet join error string when AD
+ connect fails
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)
+---
+ source3/libnet/libnet_join.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index fc7429e6a23..6d3fc1fe01f 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -2655,6 +2655,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+
+ ads_status = libnet_join_connect_ads_user(mem_ctx, r);
+ if (!ADS_ERR_OK(ads_status)) {
++ libnet_join_set_error_string(mem_ctx, r,
++ "failed to connect to AD: %s",
++ ads_errstr(ads_status));
+ return WERR_NERR_DEFAULTJOINREQUIRED;
+ }
+
+--
+2.21.0
+
+
+From d91788b9f257a3e87d9ad460bc4a3e8b8f1d49c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 2 Apr 2019 13:16:55 +0200
+Subject: [PATCH 11/11] s3-libnet_join: allow fallback to NTLMSSP auth in
+ libnet_join
+
+When a non-DNS and non-default admin domain is provided during the join
+sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME'
+(e.g. when the winbind krb5 locator is not installed). In that case lets
+fallback to NTLMSSP, like we do in winbind.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144
+
+(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)
+---
+ source3/libnet/libnet_join.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 6d3fc1fe01f..b876d7ea89f 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++
+ if (user_name) {
+ SAFE_FREE(my_ads->auth.user_name);
+ my_ads->auth.user_name = SMB_STRDUP(user_name);
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.9-fix_net_ads_krb5.patch b/SOURCES/samba-4.9-fix_net_ads_krb5.patch
new file mode 100644
index 0000000..a8aedde
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_net_ads_krb5.patch
@@ -0,0 +1,56 @@
+From 01b912069337c8dd2eab6be006813dc7fbc2f882 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Mon, 17 Dec 2018 11:26:11 -0500
+Subject: [PATCH] s3: net: Do not set NET_FLAGS_ANONYMOUS with -k
+
+This affects net rpc getsid and net rpc changetrustpw commands.
+This avoids an anonymous IPC connection being made when -k is used,
+this only affects net rpc getsid and net rpc changetrustpw commands.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726
+
+Signed-off-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Noel Power <npower@samba.org>
+---
+ source3/utils/net_rpc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index b99a036fca1..67fff2f4d1b 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -316,6 +316,12 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
+
+ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
+ {
++ int conn_flags = NET_FLAGS_PDC;
++
++ if (!c->opt_user_specified && !c->opt_kerberos) {
++ conn_flags |= NET_FLAGS_ANONYMOUS;
++ }
++
+ if (c->display_usage) {
+ d_printf( "%s\n"
+ "net rpc changetrustpw\n"
+@@ -326,7 +332,7 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
+ }
+
+ return run_rpc_command(c, NULL, &ndr_table_netlogon,
+- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
++ conn_flags,
+ rpc_changetrustpw_internals,
+ argc, argv);
+ }
+@@ -863,7 +869,7 @@ int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
+ {
+ int conn_flags = NET_FLAGS_PDC;
+
+- if (!c->opt_user_specified) {
++ if (!c->opt_user_specified && !c->opt_kerberos) {
+ conn_flags |= NET_FLAGS_ANONYMOUS;
+ }
+
+--
+2.20.1
+
diff --git a/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch b/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch
new file mode 100644
index 0000000..013eebc
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch
@@ -0,0 +1,521 @@
+From 7c0a36d527800cd9d148c64b24371c76ac73db63 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 12 Mar 2019 10:15:05 +0100
+Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Bryan Mason <bmason@redhat.com>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit fad5e4eaeb9202c1b63c42ea09254c17c473e33a)
+---
+ source3/script/tests/test_smbspool.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
+index d95ed064634..f28c0909334 100755
+--- a/source3/script/tests/test_smbspool.sh
++++ b/source3/script/tests/test_smbspool.sh
+@@ -99,8 +99,8 @@ test_vlp_verify()
+ fi
+
+ jobid=$(echo "$out" | awk '/[0-9]+/ { print $1 };')
+- if [ $jobid -lt 1000 || $jobid -gt 2000 ]; then
+- echo "failed to get jobid"
++ if [ -z "$jobid" ] || [ $jobid -lt 100 || [ $jobid -gt 2000 ]; then
++ echo "Invalid jobid: $jobid"
+ echo "$out"
+ return 1
+ fi
+--
+2.20.1
+
+
+From 3cce23b5b863abf2c2352f5a066dc005d9728b18 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 12 Mar 2019 09:40:58 +0100
+Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to
+ smbspool
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Bryan Mason <bmason@redhat.com>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 43160184d254a57f87bb2adeba47f48d8539533a)
+---
+ source3/client/smbspool_krb5_wrapper.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index dee3b4c54be..5c4da33238b 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -84,24 +84,36 @@ int main(int argc, char *argv[])
+ struct passwd *pwd;
+ char gen_cc[PATH_MAX] = {0};
+ struct stat sb;
+- char *env;
++ char *env = NULL;
++ char auth_info_required[256] = {0};
++ char device_uri[4096] = {0};
+ uid_t uid = (uid_t)-1;
+ gid_t gid = (gid_t)-1;
+ unsigned long tmp;
+ int cmp;
+ int rc;
+
++ env = getenv("DEVICE_URI");
++ if (env != NULL && strlen(env) > 2) {
++ snprintf(device_uri, sizeof(device_uri), "%s", env);
++ }
++
+ /* Check if AuthInfoRequired is set to negotiate */
+ env = getenv("AUTH_INFO_REQUIRED");
+
+ /* If not set, then just call smbspool. */
+- if (env == NULL) {
++ if (env == NULL || env[0] == 0) {
+ CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
+ "execute smbspool");
+ goto smbspool;
+ } else {
+ CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
+
++ snprintf(auth_info_required,
++ sizeof(auth_info_required),
++ "%s",
++ env);
++
+ cmp = strcmp(env, "username,password");
+ if (cmp == 0) {
+ CUPS_SMB_DEBUG("Authenticate using username/password - "
+@@ -223,12 +235,18 @@ create_env:
+ #else
+ {
+ extern char **environ;
+- environ = calloc(1, sizeof(*environ));
++ environ = calloc(3, sizeof(*environ));
+ }
+ #endif
+
+ CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc);
+ setenv("KRB5CCNAME", gen_cc, 1);
++ if (device_uri[0] != '\0') {
++ setenv("DEVICE_URI", device_uri, 1);
++ }
++ if (auth_info_required[0] != '\0') {
++ setenv("AUTH_INFO_REQUIRED", auth_info_required, 1);
++ }
+
+ smbspool:
+ snprintf(smbspool_cmd,
+--
+2.20.1
+
+
+From 0c03a0baf57ef4503e98b9e2ddd5695e6c8dd3fd Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 4 Jan 2019 09:21:24 +0100
+Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set
+ by cups
+
+This should not switch to username,password if cups has been configured
+to use negotiate (Kerberos authentication).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Bryan Mason <bmason@redhat.com>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845)
+---
+ source3/client/smbspool.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 389e4ea553f..3dbf6be014b 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -60,7 +60,7 @@
+ * Local functions...
+ */
+
+-static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
++static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
+ static void list_devices(void);
+ static struct cli_state *smb_complete_connection(const char *, const char *,
+ int, const char *, const char *, const char *, const char *, int, bool *need_auth);
+@@ -72,6 +72,8 @@ static char *uri_unescape_alloc(const char *);
+ static bool smb_encrypt;
+ #endif
+
++static const char *auth_info_required;
++
+ /*
+ * 'main()' - Main entry for SMB backend.
+ */
+@@ -185,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */
+ }
+ }
+
++ auth_info_required = getenv("AUTH_INFO_REQUIRED");
++ if (auth_info_required == NULL) {
++ auth_info_required = "none";
++ }
++
+ cmp = strncmp(dev_uri, "smb://", 6);
+ if (cmp != 0) {
+ fprintf(stderr,
+@@ -233,6 +240,10 @@ main(int argc, /* I - Number of command-line arguments */
+ server = uri + 6;
+ }
+
++ if (password != empty_str) {
++ auth_info_required = "username,password";
++ }
++
+ tmp = server;
+
+ if ((sep = strchr_m(tmp, '/')) == NULL) {
+@@ -352,8 +363,7 @@ done:
+
+ static int
+ get_exit_code(struct cli_state * cli,
+- NTSTATUS nt_status,
+- bool use_kerberos)
++ NTSTATUS nt_status)
+ {
+ int i;
+
+@@ -380,10 +390,7 @@ get_exit_code(struct cli_state * cli,
+ }
+
+ if (cli) {
+- if (use_kerberos)
+- fputs("ATTR: auth-info-required=negotiate\n", stderr);
+- else
+- fputs("ATTR: auth-info-required=username,password\n", stderr);
++ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
+ }
+
+ /*
+@@ -452,6 +459,7 @@ smb_complete_connection(const char *myname,
+ }
+
+ if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
++ auth_info_required = "negotiate";
+ use_kerberos = true;
+ }
+
+@@ -474,7 +482,7 @@ smb_complete_connection(const char *myname,
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
+
+- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
++ if (get_exit_code(cli, nt_status) == 2) {
+ *need_auth = true;
+ }
+
+@@ -488,7 +496,7 @@ smb_complete_connection(const char *myname,
+ fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
+ nt_errstr(nt_status));
+
+- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
++ if (get_exit_code(cli, nt_status) == 2) {
+ *need_auth = true;
+ }
+
+@@ -677,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: %s opening remote spool %s\n",
+ nt_errstr(nt_status), title);
+- return get_exit_code(cli, nt_status, false);
++ return get_exit_code(cli, nt_status);
+ }
+
+ /*
+@@ -695,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
+ tbytes, nbytes, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+- int ret = get_exit_code(cli, status, false);
++ int ret = get_exit_code(cli, status);
+ fprintf(stderr, "ERROR: Error writing spool: %s\n",
+ nt_errstr(status));
+ fprintf(stderr, "DEBUG: Returning status %d...\n",
+@@ -711,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr, "ERROR: %s closing remote spool %s\n",
+ nt_errstr(nt_status), title);
+- return get_exit_code(cli, nt_status, false);
++ return get_exit_code(cli, nt_status);
+ } else {
+ return (0);
+ }
+--
+2.20.1
+
+
+From 59c5b1c6bad46ac523504120833080836cdc19a1 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 12 Mar 2019 10:09:14 +0100
+Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title
+
+We can't be sure we can write to the input buffer.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Bryan Mason <bmason@redhat.com>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 129ae27946318a075e99c9e6d1bacf8963f72282)
+---
+ source3/client/smbspool.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 3dbf6be014b..94c7ea368a2 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *,
+ int, const char *, const char *, const char *, const char *, int, bool *need_auth);
+ static struct cli_state *smb_connect(const char *, const char *, int, const
+ char *, const char *, const char *, const char *, bool *need_auth);
+-static int smb_print(struct cli_state *, char *, FILE *);
++static int smb_print(struct cli_state *, const char *, FILE *);
+ static char *uri_unescape_alloc(const char *);
+ #if 0
+ static bool smb_encrypt;
+@@ -655,7 +655,7 @@ kerberos_auth:
+
+ static int /* O - 0 = success, non-0 = failure */
+ smb_print(struct cli_state * cli, /* I - SMB connection */
+- char *title, /* I - Title/job name */
++ const char *print_title, /* I - Title/job name */
+ FILE * fp)
+ { /* I - File to print */
+ uint16_t fnum; /* File number */
+@@ -663,12 +663,18 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
+ tbytes; /* Total bytes read */
+ char buffer[8192], /* Buffer for copy */
+ *ptr; /* Pointer into title */
++ char title[1024] = {0};
++ int len;
+ NTSTATUS nt_status;
+
+
+ /*
+- * Sanitize the title...
+- */
++ * Sanitize the title...
++ */
++ len = snprintf(title, sizeof(title), "%s", print_title);
++ if (len != strlen(print_title)) {
++ return 2;
++ }
+
+ for (ptr = title; *ptr; ptr++) {
+ if (!isalnum((int) *ptr) && !isspace((int) *ptr)) {
+--
+2.20.1
+
+
+From 912e8b22b3b35c17bce35d10d543cc1505a15c46 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 12 Mar 2019 11:40:30 +0100
+Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling
+
+If we are executed as a CUPS backend, argv[0] is set to the device uri.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Bryan Mason <bmason@redhat.com>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+
+(cherry picked from commit 69d7a496d3bf52eaa10e81132bb61430863fdd8a)
+---
+ source3/client/smbspool.c | 120 ++++++++++++++++++++++++++++++--------
+ 1 file changed, 96 insertions(+), 24 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 94c7ea368a2..97d00bdd011 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -99,10 +99,12 @@ main(int argc, /* I - Number of command-line arguments */
+ char empty_str[] = "";
+ int tries = 0;
+ bool need_auth = true;
+- const char *dev_uri;
++ const char *dev_uri = NULL;
++ const char *env = NULL;
+ const char *config_file = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+- bool device_uri_cmdline = false;
++ const char *print_user = NULL;
++ const char *print_title = NULL;
+ const char *print_file = NULL;
+ const char *print_copies = NULL;
+ int cmp;
+@@ -139,21 +141,81 @@ main(int argc, /* I - Number of command-line arguments */
+ }
+
+ /*
+- * If we have 6 arguments find out if we have the device_uri from the
+- * command line or the print data
++ * Find out if we have the device_uri in the command line.
++ *
++ * If we are started as a CUPS backend argv[0] is normally the
++ * device_uri!
+ */
+- if (argc == 7) {
+- cmp = strncmp(argv[1], "smb://", 6);
+- if (cmp == 0) {
+- device_uri_cmdline = true;
++ if (argc == 8) {
++ /*
++ * smbspool <uri> <job> <user> <title> <copies> <options> <file>
++ * 0 1 2 3 4 5 6 7
++ */
++
++ dev_uri = argv[1];
++
++ print_user = argv[3];
++ print_title = argv[4];
++ print_copies = argv[5];
++ print_file = argv[7];
++ } else if (argc == 7) {
++ int cmp1;
++ int cmp2;
++
++ /*
++ * <uri> <job> <user> <title> <copies> <options> <file>
++ * smbspool <uri> <job> <user> <title> <copies> <options>
++ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
++ */
++ cmp1 = strncmp(argv[0], "smb://", 6);
++ cmp2 = strncmp(argv[1], "smb://", 6);
++
++ if (cmp1 == 0) {
++ /*
++ * <uri> <job> <user> <title> <copies> <options> <file>
++ * 0 1 2 3 4 5 6
++ */
++ dev_uri = argv[0];
++
++ print_user = argv[2];
++ print_title = argv[3];
++ print_copies = argv[4];
++ print_file = argv[6];
++ } else if (cmp2 == 0) {
++ /*
++ * smbspool <uri> <job> <user> <title> <copies> <options>
++ * 0 1 2 3 4 5 6
++ */
++ dev_uri = argv[1];
++
++ print_user = argv[3];
++ print_title = argv[4];
++ print_copies = argv[5];
++ print_file = NULL;
+ } else {
++ /*
++ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
++ * 0 1 2 3 4 5 6
++ */
++ print_user = argv[2];
++ print_title = argv[3];
+ print_copies = argv[4];
+ print_file = argv[6];
+ }
+- } else if (argc == 8) {
+- device_uri_cmdline = true;
+- print_copies = argv[5];
+- print_file = argv[7];
++ } else if (argc == 6) {
++ /*
++ * <uri> <job> <user> <title> <copies> <options>
++ * smbspool <job> <user> <title> <copies> <options> | DEVICE_URI
++ * 0 1 2 3 4 5
++ */
++ cmp = strncmp(argv[0], "smb://", 6);
++ if (cmp == 0) {
++ dev_uri = argv[0];
++ }
++
++ print_user = argv[2];
++ print_title = argv[3];
++ print_copies = argv[4];
+ }
+
+ if (print_file != NULL) {
+@@ -178,18 +240,17 @@ main(int argc, /* I - Number of command-line arguments */
+ /*
+ * Find the URI ...
+ */
+- if (device_uri_cmdline) {
+- dev_uri = argv[1];
+- } else {
+- dev_uri = getenv("DEVICE_URI");
+- if (dev_uri == NULL || strlen(dev_uri) == 0) {
+- dev_uri = "";
++ if (dev_uri == NULL) {
++ env = getenv("DEVICE_URI");
++ if (env != NULL && env[0] != '\0') {
++ dev_uri = env;
+ }
+ }
+
+- auth_info_required = getenv("AUTH_INFO_REQUIRED");
+- if (auth_info_required == NULL) {
+- auth_info_required = "none";
++ if (dev_uri == NULL) {
++ fprintf(stderr,
++ "ERROR: No valid device URI has been specified\n");
++ goto done;
+ }
+
+ cmp = strncmp(dev_uri, "smb://", 6);
+@@ -205,6 +266,11 @@ main(int argc, /* I - Number of command-line arguments */
+ goto done;
+ }
+
++ auth_info_required = getenv("AUTH_INFO_REQUIRED");
++ if (auth_info_required == NULL) {
++ auth_info_required = "none";
++ }
++
+ /*
+ * Extract the destination from the URI...
+ */
+@@ -301,8 +367,14 @@ main(int argc, /* I - Number of command-line arguments */
+ load_interfaces();
+
+ do {
+- cli = smb_connect(workgroup, server, port, printer,
+- username, password, argv[3], &need_auth);
++ cli = smb_connect(workgroup,
++ server,
++ port,
++ printer,
++ username,
++ password,
++ print_user,
++ &need_auth);
+ if (cli == NULL) {
+ if (need_auth) {
+ exit(2);
+@@ -338,7 +410,7 @@ main(int argc, /* I - Number of command-line arguments */
+ */
+
+ for (i = 0; i < copies; i++) {
+- status = smb_print(cli, argv[4] /* title */ , fp);
++ status = smb_print(cli, print_title, fp);
+ if (status != 0) {
+ break;
+ }
+--
+2.20.1
+
diff --git a/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch b/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch
new file mode 100644
index 0000000..b04c8cc
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch
@@ -0,0 +1,33 @@
+From be97b5934ca163259676be27d5c254da30080fbe Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 May 2019 16:18:51 +0200
+Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos
+ credentials
+
+This is a regression which has been introduced with Samba 4.8.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit fd4b1f4f16aee3e3c9a2cb449655edfed171963a)
+---
+ source3/client/smbspool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 97d00bdd011..c404b3a3f69 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -660,7 +660,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */
+ * behavior with 3.0.14a
+ */
+
+- if (username != NULL && username[0] != '\0') {
++ if (username == NULL || username[0] == '\0') {
+ if (kerberos_ccache_is_valid()) {
+ goto kerberos_auth;
+ }
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.9-fix_testparm_crash.patch b/SOURCES/samba-4.9-fix_testparm_crash.patch
new file mode 100644
index 0000000..74a8a52
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_testparm_crash.patch
@@ -0,0 +1,2126 @@
+From 425bed0731a02b2e310b8835e9b75bff73582d99 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Mon, 9 Jul 2018 17:11:57 +0200
+Subject: [PATCH 01/22] s3:lib/server_contexts: make server_event_ctx and
+ server_msg_ctx static
+
+server_event_ctx and server_msg_ctx static shouldn't be accessible from
+outside this compilation unit.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Christof Schmitt <cs@samba.org>
+(cherry picked from commit d920a725ee19215190bbccaefd5b426bedc98860)
+---
+ source3/lib/server_contexts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/lib/server_contexts.c b/source3/lib/server_contexts.c
+index 50072e680b6..b21cf0a4c81 100644
+--- a/source3/lib/server_contexts.c
++++ b/source3/lib/server_contexts.c
+@@ -21,7 +21,7 @@
+ #include "includes.h"
+ #include "messages.h"
+
+-struct tevent_context *server_event_ctx = NULL;
++static struct tevent_context *server_event_ctx = NULL;
+
+ struct tevent_context *server_event_context(void)
+ {
+@@ -44,7 +44,7 @@ void server_event_context_free(void)
+ TALLOC_FREE(server_event_ctx);
+ }
+
+-struct messaging_context *server_msg_ctx = NULL;
++static struct messaging_context *server_msg_ctx = NULL;
+
+ struct messaging_context *server_messaging_context(void)
+ {
+--
+2.13.6
+
+
+From 1e8feaa20bfba475d6e2cbe69b5e1447586a7411 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 13 Aug 2018 15:07:20 -0700
+Subject: [PATCH 02/22] s3/lib:popt_common: Move setup_logging to common
+ callback
+
+The flag is set in the common callback, so be consistent
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit dff1028e8ba4c70e726283c12531853681034014)
+---
+ source3/lib/popt_common.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
+index cc93a756c3b..454884fbb5c 100644
+--- a/source3/lib/popt_common.c
++++ b/source3/lib/popt_common.c
+@@ -93,6 +93,10 @@ static void popt_common_callback(poptContext con,
+ }
+ }
+
++ if (override_logfile) {
++ setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE );
++ }
++
+ /* Further 'every Samba program must do this' hooks here. */
+ return;
+ }
+@@ -288,10 +292,6 @@ static void popt_common_credentials_callback(poptContext con,
+ if (reason == POPT_CALLBACK_REASON_POST) {
+ bool ok;
+
+- if (override_logfile) {
+- setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE );
+- }
+-
+ ok = lp_load_client(get_dyn_CONFIGFILE());
+ if (!ok) {
+ const char *pname = poptGetInvocationName(con);
+--
+2.13.6
+
+
+From a1954bee751b35c3888be7c3c36ce59bb857e3f3 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 13 Aug 2018 15:39:08 -0700
+Subject: [PATCH 03/22] s3:lib: Move popt_common_credentials to separate file
+
+This is only used by command line utilities and has additional
+dependencies. Move to a separate file to contain the dependencies to the
+command line tools.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit b7464fd89bc22b71c82bbaa424bcbfcf947db651)
+---
+ source3/client/client.c | 2 +-
+ source3/include/popt_common.h | 10 --
+ source3/include/popt_common_cmdline.h | 47 +++++++
+ source3/lib/popt_common.c | 208 -----------------------------
+ source3/lib/popt_common_cmdline.c | 241 ++++++++++++++++++++++++++++++++++
+ source3/rpcclient/cmd_spoolss.c | 2 +-
+ source3/rpcclient/rpcclient.c | 2 +-
+ source3/rpcclient/wscript_build | 2 +-
+ source3/utils/net.c | 2 +-
+ source3/utils/regedit.c | 2 +-
+ source3/utils/smbcacls.c | 2 +-
+ source3/utils/smbcquotas.c | 2 +-
+ source3/utils/smbget.c | 2 +-
+ source3/utils/smbtree.c | 2 +-
+ source3/utils/wscript_build | 14 +-
+ source3/wscript_build | 9 +-
+ 16 files changed, 313 insertions(+), 236 deletions(-)
+ create mode 100644 source3/include/popt_common_cmdline.h
+ create mode 100644 source3/lib/popt_common_cmdline.c
+
+diff --git a/source3/client/client.c b/source3/client/client.c
+index 25ba01d6216..2f193459d5d 100644
+--- a/source3/client/client.c
++++ b/source3/client/client.c
+@@ -23,7 +23,7 @@
+
+ #include "includes.h"
+ #include "system/filesys.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+ #include "rpc_client/cli_pipe.h"
+ #include "client/client_proto.h"
+ #include "client/clitar_proto.h"
+diff --git a/source3/include/popt_common.h b/source3/include/popt_common.h
+index a8c778473e9..e001a5369b7 100644
+--- a/source3/include/popt_common.h
++++ b/source3/include/popt_common.h
+@@ -21,7 +21,6 @@
+ #define _POPT_COMMON_H
+
+ #include <popt.h>
+-#include "auth_info.h"
+
+ /* Common popt structures */
+ extern struct poptOption popt_common_samba[];
+@@ -41,19 +40,10 @@ extern const struct poptOption popt_common_dynconfig[];
+ #define POPT_COMMON_CONNECTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_connection, 0, "Connection options:", NULL },
+ #define POPT_COMMON_VERSION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_version, 0, "Common samba options:", NULL },
+ #define POPT_COMMON_CONFIGFILE { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_configfile, 0, "Common samba config:", NULL },
+-#define POPT_COMMON_CREDENTIALS { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_credentials, 0, "Authentication options:", NULL },
+ #define POPT_COMMON_DYNCONFIG { NULL, 0, POPT_ARG_INCLUDE_TABLE, \
+ discard_const_p(poptOption, popt_common_dynconfig), 0, \
+ "Build-time configuration overrides:", NULL },
+ #define POPT_COMMON_DEBUGLEVEL { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_debuglevel, 0, "Common samba debugging:", NULL },
+ #define POPT_COMMON_OPTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_option, 0, "Common samba commandline config:", NULL },
+
+-struct user_auth_info *popt_get_cmdline_auth_info(void);
+-void popt_free_cmdline_auth_info(void);
+-
+-void popt_common_credentials_set_ignore_missing_conf(void);
+-void popt_common_credentials_set_delay_post(void);
+-void popt_common_credentials_post(void);
+-void popt_burn_cmdline_password(int argc, char *argv[]);
+-
+ #endif /* _POPT_COMMON_H */
+diff --git a/source3/include/popt_common_cmdline.h b/source3/include/popt_common_cmdline.h
+new file mode 100644
+index 00000000000..21130cff071
+--- /dev/null
++++ b/source3/include/popt_common_cmdline.h
+@@ -0,0 +1,47 @@
++/*
++ Unix SMB/CIFS implementation.
++ Common popt arguments
++ Copyright (C) Jelmer Vernooij 2003
++ Copyright (C) Christof Schmitt 2018
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++
++#ifndef _POPT_COMMON_CREDENTIALS_H
++#define _POPT_COMMON_CREDENTIALS_H
++
++#include "popt_common.h"
++
++extern struct poptOption popt_common_credentials[];
++#define POPT_COMMON_CREDENTIALS \
++ { \
++ NULL, \
++ 0, \
++ POPT_ARG_INCLUDE_TABLE, \
++ popt_common_credentials, \
++ 0, \
++ "Authentication options:", \
++ NULL \
++ },
++
++struct user_auth_info *popt_get_cmdline_auth_info(void);
++void popt_free_cmdline_auth_info(void);
++
++void popt_common_credentials_set_ignore_missing_conf(void);
++void popt_common_credentials_set_delay_post(void);
++void popt_common_credentials_post(void);
++void popt_burn_cmdline_password(int argc, char *argv[]);
++
++#endif
+diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
+index 454884fbb5c..11db080c82d 100644
+--- a/source3/lib/popt_common.c
++++ b/source3/lib/popt_common.c
+@@ -213,211 +213,3 @@ struct poptOption popt_common_option[] = {
+ { "option", 0, POPT_ARG_STRING, NULL, OPT_OPTION, "Set smb.conf option from command line", "name=value" },
+ POPT_TABLEEND
+ };
+-
+-/* Handle command line options:
+- * -U,--user
+- * -A,--authentication-file
+- * -k,--use-kerberos
+- * -N,--no-pass
+- * -S,--signing
+- * -P --machine-pass
+- * -e --encrypt
+- * -C --use-ccache
+- */
+-
+-static struct user_auth_info *cmdline_auth_info;
+-
+-struct user_auth_info *popt_get_cmdline_auth_info(void)
+-{
+- return cmdline_auth_info;
+-}
+-void popt_free_cmdline_auth_info(void)
+-{
+- TALLOC_FREE(cmdline_auth_info);
+-}
+-
+-static bool popt_common_credentials_ignore_missing_conf;
+-static bool popt_common_credentials_delay_post;
+-
+-void popt_common_credentials_set_ignore_missing_conf(void)
+-{
+- popt_common_credentials_delay_post = true;
+-}
+-
+-void popt_common_credentials_set_delay_post(void)
+-{
+- popt_common_credentials_delay_post = true;
+-}
+-
+-void popt_common_credentials_post(void)
+-{
+- if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) &&
+- !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info))
+- {
+- fprintf(stderr,
+- "Failed to use machine account credentials\n");
+- exit(1);
+- }
+-
+- set_cmdline_auth_info_getpass(cmdline_auth_info);
+-
+- /*
+- * When we set the username during the handling of the options passed to
+- * the binary we haven't loaded the config yet. This means that we
+- * didnn't take the 'winbind separator' into account.
+- *
+- * The username might contain the domain name and thus it hasn't been
+- * correctly parsed yet. If we have a username we need to set it again
+- * to run the string parser for the username correctly.
+- */
+- reset_cmdline_auth_info_username(cmdline_auth_info);
+-}
+-
+-static void popt_common_credentials_callback(poptContext con,
+- enum poptCallbackReason reason,
+- const struct poptOption *opt,
+- const char *arg, const void *data)
+-{
+- if (reason == POPT_CALLBACK_REASON_PRE) {
+- struct user_auth_info *auth_info =
+- user_auth_info_init(NULL);
+- if (auth_info == NULL) {
+- fprintf(stderr, "user_auth_info_init() failed\n");
+- exit(1);
+- }
+- cmdline_auth_info = auth_info;
+- return;
+- }
+-
+- if (reason == POPT_CALLBACK_REASON_POST) {
+- bool ok;
+-
+- ok = lp_load_client(get_dyn_CONFIGFILE());
+- if (!ok) {
+- const char *pname = poptGetInvocationName(con);
+-
+- fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n",
+- pname, get_dyn_CONFIGFILE());
+- if (!popt_common_credentials_ignore_missing_conf) {
+- exit(1);
+- }
+- }
+-
+- load_interfaces();
+-
+- set_cmdline_auth_info_guess(cmdline_auth_info);
+-
+- if (popt_common_credentials_delay_post) {
+- return;
+- }
+-
+- popt_common_credentials_post();
+- return;
+- }
+-
+- switch(opt->val) {
+- case 'U':
+- set_cmdline_auth_info_username(cmdline_auth_info, arg);
+- break;
+-
+- case 'A':
+- set_cmdline_auth_info_from_file(cmdline_auth_info, arg);
+- break;
+-
+- case 'k':
+-#ifndef HAVE_KRB5
+- d_printf("No kerberos support compiled in\n");
+- exit(1);
+-#else
+- set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info);
+-#endif
+- break;
+-
+- case 'S':
+- if (!set_cmdline_auth_info_signing_state(cmdline_auth_info,
+- arg)) {
+- fprintf(stderr, "Unknown signing option %s\n", arg );
+- exit(1);
+- }
+- break;
+- case 'P':
+- set_cmdline_auth_info_use_machine_account(cmdline_auth_info);
+- break;
+- case 'N':
+- set_cmdline_auth_info_password(cmdline_auth_info, "");
+- break;
+- case 'e':
+- set_cmdline_auth_info_smb_encrypt(cmdline_auth_info);
+- break;
+- case 'C':
+- set_cmdline_auth_info_use_ccache(cmdline_auth_info, true);
+- break;
+- case 'H':
+- set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true);
+- break;
+- }
+-}
+-
+-/**
+- * @brief Burn the commandline password.
+- *
+- * This function removes the password from the command line so we
+- * don't leak the password e.g. in 'ps aux'.
+- *
+- * It should be called after processing the options and you should pass down
+- * argv from main().
+- *
+- * @param[in] argc The number of arguments.
+- *
+- * @param[in] argv[] The argument array we will find the array.
+- */
+-void popt_burn_cmdline_password(int argc, char *argv[])
+-{
+- bool found = false;
+- char *p = NULL;
+- int i, ulen = 0;
+-
+- for (i = 0; i < argc; i++) {
+- p = argv[i];
+- if (strncmp(p, "-U", 2) == 0) {
+- ulen = 2;
+- found = true;
+- } else if (strncmp(p, "--user", 6) == 0) {
+- ulen = 6;
+- found = true;
+- }
+-
+- if (found) {
+- if (p == NULL) {
+- return;
+- }
+-
+- if (strlen(p) == ulen) {
+- continue;
+- }
+-
+- p = strchr_m(p, '%');
+- if (p != NULL) {
+- memset(p, '\0', strlen(p));
+- }
+- found = false;
+- }
+- }
+-}
+-
+-struct poptOption popt_common_credentials[] = {
+- { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
+- (void *)popt_common_credentials_callback, 0, NULL },
+- { "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "USERNAME" },
+- { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N', "Don't ask for a password" },
+- { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" },
+- { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
+- { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
+- {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password" },
+- {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport" },
+- {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C',
+- "Use the winbind ccache for authentication" },
+- {"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H',
+- "The supplied password is the NT hash" },
+- POPT_TABLEEND
+-};
+diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c
+new file mode 100644
+index 00000000000..57f77e0868a
+--- /dev/null
++++ b/source3/lib/popt_common_cmdline.c
+@@ -0,0 +1,241 @@
++/*
++ Unix SMB/CIFS implementation.
++ Common popt routines only used by cmdline utils
++
++ Copyright (C) Tim Potter 2001,2002
++ Copyright (C) Jelmer Vernooij 2002,2003
++ Copyright (C) James Peach 2006
++ Copyright (C) Christof Schmitt 2018
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++/* Handle command line options:
++ * -U,--user
++ * -A,--authentication-file
++ * -k,--use-kerberos
++ * -N,--no-pass
++ * -S,--signing
++ * -P --machine-pass
++ * -e --encrypt
++ * -C --use-ccache
++ */
++
++#include "popt_common_cmdline.h"
++#include "includes.h"
++#include "auth_info.h"
++
++static struct user_auth_info *cmdline_auth_info;
++
++struct user_auth_info *popt_get_cmdline_auth_info(void)
++{
++ return cmdline_auth_info;
++}
++void popt_free_cmdline_auth_info(void)
++{
++ TALLOC_FREE(cmdline_auth_info);
++}
++
++static bool popt_common_credentials_ignore_missing_conf;
++static bool popt_common_credentials_delay_post;
++
++void popt_common_credentials_set_ignore_missing_conf(void)
++{
++ popt_common_credentials_delay_post = true;
++}
++
++void popt_common_credentials_set_delay_post(void)
++{
++ popt_common_credentials_delay_post = true;
++}
++
++void popt_common_credentials_post(void)
++{
++ if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) &&
++ !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info))
++ {
++ fprintf(stderr,
++ "Failed to use machine account credentials\n");
++ exit(1);
++ }
++
++ set_cmdline_auth_info_getpass(cmdline_auth_info);
++
++ /*
++ * When we set the username during the handling of the options passed to
++ * the binary we haven't loaded the config yet. This means that we
++ * didn't take the 'winbind separator' into account.
++ *
++ * The username might contain the domain name and thus it hasn't been
++ * correctly parsed yet. If we have a username we need to set it again
++ * to run the string parser for the username correctly.
++ */
++ reset_cmdline_auth_info_username(cmdline_auth_info);
++}
++
++static void popt_common_credentials_callback(poptContext con,
++ enum poptCallbackReason reason,
++ const struct poptOption *opt,
++ const char *arg, const void *data)
++{
++ if (reason == POPT_CALLBACK_REASON_PRE) {
++ struct user_auth_info *auth_info =
++ user_auth_info_init(NULL);
++ if (auth_info == NULL) {
++ fprintf(stderr, "user_auth_info_init() failed\n");
++ exit(1);
++ }
++ cmdline_auth_info = auth_info;
++ return;
++ }
++
++ if (reason == POPT_CALLBACK_REASON_POST) {
++ bool ok;
++
++ ok = lp_load_client(get_dyn_CONFIGFILE());
++ if (!ok) {
++ const char *pname = poptGetInvocationName(con);
++
++ fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n",
++ pname, get_dyn_CONFIGFILE());
++ if (!popt_common_credentials_ignore_missing_conf) {
++ exit(1);
++ }
++ }
++
++ load_interfaces();
++
++ set_cmdline_auth_info_guess(cmdline_auth_info);
++
++ if (popt_common_credentials_delay_post) {
++ return;
++ }
++
++ popt_common_credentials_post();
++ return;
++ }
++
++ switch(opt->val) {
++ case 'U':
++ set_cmdline_auth_info_username(cmdline_auth_info, arg);
++ break;
++
++ case 'A':
++ set_cmdline_auth_info_from_file(cmdline_auth_info, arg);
++ break;
++
++ case 'k':
++#ifndef HAVE_KRB5
++ d_printf("No kerberos support compiled in\n");
++ exit(1);
++#else
++ set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info);
++#endif
++ break;
++
++ case 'S':
++ if (!set_cmdline_auth_info_signing_state(cmdline_auth_info,
++ arg)) {
++ fprintf(stderr, "Unknown signing option %s\n", arg );
++ exit(1);
++ }
++ break;
++ case 'P':
++ set_cmdline_auth_info_use_machine_account(cmdline_auth_info);
++ break;
++ case 'N':
++ set_cmdline_auth_info_password(cmdline_auth_info, "");
++ break;
++ case 'e':
++ set_cmdline_auth_info_smb_encrypt(cmdline_auth_info);
++ break;
++ case 'C':
++ set_cmdline_auth_info_use_ccache(cmdline_auth_info, true);
++ break;
++ case 'H':
++ set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true);
++ break;
++ }
++}
++
++/**
++ * @brief Burn the commandline password.
++ *
++ * This function removes the password from the command line so we
++ * don't leak the password e.g. in 'ps aux'.
++ *
++ * It should be called after processing the options and you should pass down
++ * argv from main().
++ *
++ * @param[in] argc The number of arguments.
++ *
++ * @param[in] argv[] The argument array we will find the array.
++ */
++void popt_burn_cmdline_password(int argc, char *argv[])
++{
++ bool found = false;
++ char *p = NULL;
++ int i, ulen = 0;
++
++ for (i = 0; i < argc; i++) {
++ p = argv[i];
++ if (strncmp(p, "-U", 2) == 0) {
++ ulen = 2;
++ found = true;
++ } else if (strncmp(p, "--user", 6) == 0) {
++ ulen = 6;
++ found = true;
++ }
++
++ if (found) {
++ if (p == NULL) {
++ return;
++ }
++
++ if (strlen(p) == ulen) {
++ continue;
++ }
++
++ p = strchr_m(p, '%');
++ if (p != NULL) {
++ memset(p, '\0', strlen(p));
++ }
++ found = false;
++ }
++ }
++}
++
++struct poptOption popt_common_credentials[] = {
++ { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
++ (void *)popt_common_credentials_callback, 0, NULL },
++ { "user", 'U', POPT_ARG_STRING, NULL, 'U',
++ "Set the network username", "USERNAME" },
++ { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N',
++ "Don't ask for a password" },
++ { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',
++ "Use kerberos (active directory) authentication" },
++ { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A',
++ "Get the credentials from a file", "FILE" },
++ { "signing", 'S', POPT_ARG_STRING, NULL, 'S',
++ "Set the client signing state", "on|off|required" },
++ {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P',
++ "Use stored machine account password" },
++ {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e',
++ "Encrypt SMB transport" },
++ {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C',
++ "Use the winbind ccache for authentication" },
++ {"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H',
++ "The supplied password is the NT hash" },
++ POPT_TABLEEND
++};
+diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
+index 1d24476e9a5..8d330afdeb0 100644
+--- a/source3/rpcclient/cmd_spoolss.c
++++ b/source3/rpcclient/cmd_spoolss.c
+@@ -33,7 +33,7 @@
+ #include "../libcli/security/security_descriptor.h"
+ #include "../libcli/registry/util_reg.h"
+ #include "libsmb/libsmb.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+
+ #define RPCCLIENT_PRINTERNAME(_printername, _cli, _arg) \
+ { \
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index b4e25e6e479..f7e196226cf 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -21,7 +21,7 @@
+
+ #include "includes.h"
+ #include "../libcli/auth/netlogon_creds_cli.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+ #include "rpcclient.h"
+ #include "../libcli/auth/libcli_auth.h"
+ #include "../librpc/gen_ndr/ndr_lsa_c.h"
+diff --git a/source3/rpcclient/wscript_build b/source3/rpcclient/wscript_build
+index c24a5670db9..11a64f3248a 100644
+--- a/source3/rpcclient/wscript_build
++++ b/source3/rpcclient/wscript_build
+@@ -25,7 +25,7 @@ bld.SAMBA3_BINARY('rpcclient',
+ ''',
+ deps='''
+ talloc
+- popt_samba3
++ popt_samba3_cmdline
+ pdb
+ libsmb
+ smbconf
+diff --git a/source3/utils/net.c b/source3/utils/net.c
+index 44daa6088ca..76b8677bf78 100644
+--- a/source3/utils/net.c
++++ b/source3/utils/net.c
+@@ -41,7 +41,7 @@
+ /*****************************************************/
+
+ #include "includes.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+ #include "utils/net.h"
+ #include "secrets.h"
+ #include "lib/netapi/netapi.h"
+diff --git a/source3/utils/regedit.c b/source3/utils/regedit.c
+index 27bd6f8f2c2..20115ae1624 100644
+--- a/source3/utils/regedit.c
++++ b/source3/utils/regedit.c
+@@ -18,7 +18,7 @@
+ */
+
+ #include "includes.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+ #include "lib/util/data_blob.h"
+ #include "lib/registry/registry.h"
+ #include "regedit.h"
+diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
+index 0a5eeb31d0b..33eb78c41ec 100644
+--- a/source3/utils/smbcacls.c
++++ b/source3/utils/smbcacls.c
+@@ -22,7 +22,7 @@
+ */
+
+ #include "includes.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+ #include "rpc_client/cli_pipe.h"
+ #include "../librpc/gen_ndr/ndr_lsa.h"
+ #include "rpc_client/cli_lsarpc.h"
+diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
+index 798b8b6f177..a4b1b8111a5 100644
+--- a/source3/utils/smbcquotas.c
++++ b/source3/utils/smbcquotas.c
+@@ -22,7 +22,7 @@
+ */
+
+ #include "includes.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+ #include "rpc_client/cli_pipe.h"
+ #include "../librpc/gen_ndr/ndr_lsa.h"
+ #include "rpc_client/cli_lsarpc.h"
+diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
+index e1be42917fb..37462fa131f 100644
+--- a/source3/utils/smbget.c
++++ b/source3/utils/smbget.c
+@@ -18,7 +18,7 @@
+
+ #include "includes.h"
+ #include "system/filesys.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+ #include "libsmbclient.h"
+
+ static int columns = 0;
+diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
+index 3b539ef1045..fb0f165a18d 100644
+--- a/source3/utils/smbtree.c
++++ b/source3/utils/smbtree.c
+@@ -20,7 +20,7 @@
+ */
+
+ #include "includes.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+ #include "rpc_client/cli_pipe.h"
+ #include "../librpc/gen_ndr/ndr_srvsvc_c.h"
+ #include "libsmb/libsmb.h"
+diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
+index 93e6abaac0d..67bb87e7a74 100644
+--- a/source3/utils/wscript_build
++++ b/source3/utils/wscript_build
+@@ -27,7 +27,7 @@ bld.SAMBA3_BINARY('smbtree',
+ smbconf
+ libsmb
+ msrpc3
+- popt_samba3
++ popt_samba3_cmdline
+ RPC_NDR_SRVSVC''')
+
+ bld.SAMBA3_BINARY('smbpasswd',
+@@ -52,7 +52,7 @@ bld.SAMBA3_BINARY('smbget',
+ source='smbget.c',
+ deps='''
+ talloc
+- popt_samba3
++ popt_samba3_cmdline
+ smbclient''')
+
+ bld.SAMBA3_BINARY('nmblookup',
+@@ -67,7 +67,7 @@ bld.SAMBA3_BINARY('smbcacls',
+ source='smbcacls.c ../lib/util_sd.c',
+ deps='''
+ talloc
+- popt_samba3
++ popt_samba3_cmdline
+ msrpc3
+ libcli_lsa3
+ krb5samba''')
+@@ -76,7 +76,7 @@ bld.SAMBA3_BINARY('smbcquotas',
+ source='smbcquotas.c',
+ deps='''
+ talloc
+- popt_samba3
++ popt_samba3_cmdline
+ libsmb
+ msrpc3
+ libcli_lsa3''')
+@@ -150,7 +150,9 @@ bld.SAMBA3_BINARY('samba-regedit',
+ regedit_wrap.c regedit_treeview.c
+ regedit_valuelist.c regedit_dialog.c
+ regedit_hexedit.c regedit_list.c""",
+- deps='ncurses menu panel form registry smbconf popt_samba3',
++ deps='''
++ ncurses menu panel form registry smbconf popt_samba3_cmdline
++ ''',
+ enabled=bld.env.build_regedit)
+
+ bld.SAMBA3_BINARY('testparm',
+@@ -217,7 +219,7 @@ bld.SAMBA3_BINARY('net',
+ netapi
+ addns
+ samba_intl
+- popt_samba3
++ popt_samba3_cmdline
+ pdb
+ libsmb
+ smbconf
+diff --git a/source3/wscript_build b/source3/wscript_build
+index c7c69a9bee1..5ecf23d531d 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -268,7 +268,12 @@ bld.SAMBA3_SUBSYSTEM('REG_FULL',
+
+ bld.SAMBA3_LIBRARY('popt_samba3',
+ source='lib/popt_common.c',
+- deps='popt samba-util util_cmdline',
++ deps='popt samba-util smbconf',
++ private_library=True)
++
++bld.SAMBA3_LIBRARY('popt_samba3_cmdline',
++ source='lib/popt_common_cmdline.c',
++ deps='popt_samba3 util_cmdline',
+ private_library=True)
+
+ bld.SAMBA3_LIBRARY('util_cmdline',
+@@ -1094,7 +1099,7 @@ bld.SAMBA3_BINARY('client/smbclient',
+ ''',
+ deps='''
+ talloc
+- popt_samba3
++ popt_samba3_cmdline
+ smbconf
+ ndr-standard
+ SMBREADLINE
+--
+2.13.6
+
+
+From a98b2df2121c129326c64e35ba63e780aeb44a19 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 14:44:28 -0700
+Subject: [PATCH 04/22] s3:lib: Introduce cmdline context wrapper
+
+Command line tools need acccess to the same messaging context provided
+by server_messaging_context, as common code for db_open uses that
+context. We want to have additional checking for command line tools
+without having that code part of the servers. Introduce a wrapper
+library to use for command line tools with the additional checks, that
+then acquires the server_messaging_context.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 8c3b62e6231e62feafacf2a7ee4c9d41cd27a4a1)
+---
+ source3/lib/cmdline_contexts.c | 70 ++++++++++++++++++++++++++++++++++++++++++
+ source3/lib/cmdline_contexts.h | 27 ++++++++++++++++
+ source3/wscript_build | 5 +++
+ 3 files changed, 102 insertions(+)
+ create mode 100644 source3/lib/cmdline_contexts.c
+ create mode 100644 source3/lib/cmdline_contexts.h
+
+diff --git a/source3/lib/cmdline_contexts.c b/source3/lib/cmdline_contexts.c
+new file mode 100644
+index 00000000000..5713f7f7956
+--- /dev/null
++++ b/source3/lib/cmdline_contexts.c
+@@ -0,0 +1,70 @@
++/*
++ Unix SMB/CIFS implementation.
++ cmdline context wrapper.
++
++ Copyright (C) Christof Schmitt <cs@samba.org> 2018
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "cmdline_contexts.h"
++#include "includes.h"
++#include "messages.h"
++
++struct messaging_context *cmdline_messaging_context(const char *config_file)
++{
++ struct messaging_context *msg_ctx = NULL;
++
++ /*
++ * Ensure that a config is loaded, in case the underlying
++ * messaging_init needs to create directories or sockets.
++ */
++ if (!lp_loaded()) {
++ if (!lp_load_initial_only(config_file)) {
++ return NULL;
++ }
++ }
++
++ /*
++ * Clustered Samba can only work as root due to required
++ * access to the registry and ctdb, which in turn requires
++ * messaging access as root.
++ */
++ if (lp_clustering() && geteuid() != 0) {
++ fprintf(stderr, "Cluster mode requires running as root.\n");
++ exit(1);
++ }
++
++ msg_ctx = server_messaging_context();
++ if (msg_ctx == NULL) {
++ if (geteuid() == 0) {
++ fprintf(stderr,
++ "Unable to initialize messaging context!\n");
++ exit(1);
++ } else {
++ /*
++ * Non-cluster, non-root: Log error, but leave
++ * it up to the caller how to proceed.
++ */
++ DBG_NOTICE("Unable to initialize messaging context.\n");
++ }
++ }
++
++ return msg_ctx;
++}
++
++void cmdline_messaging_context_free(void)
++{
++ server_messaging_context_free();
++}
+diff --git a/source3/lib/cmdline_contexts.h b/source3/lib/cmdline_contexts.h
+new file mode 100644
+index 00000000000..21f81f0f1cd
+--- /dev/null
++++ b/source3/lib/cmdline_contexts.h
+@@ -0,0 +1,27 @@
++/*
++ Unix SMB/CIFS implementation.
++ cmdline context wrapper.
++
++ Copyright (C) Christof Schmitt <cs@samba.org> 2018
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#ifndef _LIB_CMDLINE_CONTEXTS_H
++#define _LIB_CMDLINE_CONTEXTS_H
++
++struct messaging_context *cmdline_messaging_context(const char *config_file);
++void cmdline_messaging_context_free(void);
++
++#endif
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 5ecf23d531d..6fb09f7fbeb 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -281,6 +281,11 @@ bld.SAMBA3_LIBRARY('util_cmdline',
+ deps='secrets3',
+ private_library=True)
+
++bld.SAMBA3_LIBRARY('cmdline_contexts',
++ source='lib/cmdline_contexts.c',
++ deps='samba3core',
++ private_library=True)
++
+ bld.SAMBA3_SUBSYSTEM('KRBCLIENT',
+ source='libads/kerberos.c libads/ads_status.c',
+ public_deps='krb5samba asn1util k5crypto gssapi LIBTSOCKET CLDAP LIBNMB')
+--
+2.13.6
+
+
+From d5d7a587f7476835bc48aae0dda5e064c2fd573c Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 10 Jul 2018 08:11:31 +0200
+Subject: [PATCH 05/22] s3:loadparm: reinit_globals in
+ lp_load_with_registry_shares()
+
+This was set to false in 0e0d77519c27038b30fec92d542198e97be767d9 based
+on the assumption that callers would have no need to call
+lp_load_initial_only() with a later call to lp_load_something().
+
+This is not quite correct, since for accessing registry config on a
+cluster with include=registry, we need messaging up and running which
+*itself* requires loadparm to be initialized to get the statedir,
+lockdir asf. directories.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Christof Schmitt <cs@samba.org>
+(cherry picked from commit 3aca3f24d4bdacc11278388934b0b411d518d7b0)
+---
+ source3/param/loadparm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 291ba57e0bb..322934c55f0 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -4120,7 +4120,7 @@ bool lp_load_with_registry_shares(const char *pszFname)
+ false, /* global_only */
+ true, /* save_defaults */
+ false, /* add_ipc */
+- false, /* reinit_globals */
++ true, /* reinit_globals */
+ true, /* allow_include_registry */
+ true); /* load_all_shares*/
+ }
+--
+2.13.6
+
+
+From 88291681f03bb928d31e89717d2a19292f433024 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 10 Jul 2018 10:38:10 +0200
+Subject: [PATCH 06/22] selftest: pass configfile to pdbedit
+
+This is needed otherwise pdbedit fails to initialize messaging in
+autobuild.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Christof Schmitt <cs@samba.org>
+(cherry picked from commit 10e1a6ebb3d95b8a1584a9b90c2584536aa9c96d)
+---
+ testprogs/blackbox/test_pdbtest.sh | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/testprogs/blackbox/test_pdbtest.sh b/testprogs/blackbox/test_pdbtest.sh
+index 2ffded9af4e..02615094451 100755
+--- a/testprogs/blackbox/test_pdbtest.sh
++++ b/testprogs/blackbox/test_pdbtest.sh
+@@ -44,12 +44,12 @@ send ${NEWUSERPASS}\n
+ send ${NEWUSERPASS}\n
+ EOF
+
+-testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1`
++testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -s $SMB_CONF -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1`
+ USERPASS=$NEWUSERPASS
+
+ test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@ || failed=`expr $failed + 1`
+
+-testit "modify user" $VALGRIND $pdbedit --modify $USER --drive="D:" $@ || failed=`expr $failed + 1`
++testit "modify user" $VALGRIND $pdbedit -s $SMB_CONF --modify $USER --drive="D:" $@ || failed=`expr $failed + 1`
+
+ test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1`
+
+@@ -87,11 +87,11 @@ test_smbclient "Test login with no expiry (ntlm)" 'ls' "$unc" -k no -U$USER%$NEW
+ NEWUSERPASS=testPaSS@03%
+ NEWUSERHASH=062519096c45739c1938800f80906731
+
+-testit "Set user password with password hash" $VALGRIND $pdbedit -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1`
++testit "Set user password with password hash" $VALGRIND $pdbedit -s $SMB_CONF -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1`
+
+ test_smbclient "Test login with new password (from hash)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS || failed=`expr $failed + 1`
+
+-testit "del user" $VALGRIND $pdbedit -x $USER $@ || failed=`expr $failed + 1`
++testit "del user" $VALGRIND $pdbedit -s $SMB_CONF -x $USER $@ || failed=`expr $failed + 1`
+
+ rm ./tmpsmbpasswdscript
+
+--
+2.13.6
+
+
+From 31a50b15bfbe2c97ca19313e2536332979bfcef2 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 10 Jul 2018 15:26:40 +0200
+Subject: [PATCH 07/22] s3:popt_common: use cmdline_messaging_context() in
+ popt_common_credentials_callback()
+
+This adds a call to cmdline_messaging_context() to the popt
+popt_common_credentials_callback() hook and ensures that any client tool
+that uses POPT_COMMON_CREDENTIALS gets an implicit messaging context,
+ensuring it doesn't crash in the subsequent lp_load_client() with
+include=registry in a cluster.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Christof Schmitt <cs@samba.org>
+(cherry picked from commit 2c63ce94ef3a55ab0aa1aae4f6fee88e29ac2efe)
+---
+ source3/lib/popt_common_cmdline.c | 8 ++++++++
+ source3/wscript_build | 2 +-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c
+index 57f77e0868a..d1ba90dd43e 100644
+--- a/source3/lib/popt_common_cmdline.c
++++ b/source3/lib/popt_common_cmdline.c
+@@ -35,6 +35,7 @@
+ #include "popt_common_cmdline.h"
+ #include "includes.h"
+ #include "auth_info.h"
++#include "cmdline_contexts.h"
+
+ static struct user_auth_info *cmdline_auth_info;
+
+@@ -101,8 +102,15 @@ static void popt_common_credentials_callback(poptContext con,
+ }
+
+ if (reason == POPT_CALLBACK_REASON_POST) {
++ struct messaging_context *msg_ctx = NULL;
+ bool ok;
+
++ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
++ if (msg_ctx == NULL) {
++ fprintf(stderr, "Unable to initialize "
++ "messaging context\n");
++ }
++
+ ok = lp_load_client(get_dyn_CONFIGFILE());
+ if (!ok) {
+ const char *pname = poptGetInvocationName(con);
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 6fb09f7fbeb..250b7f1ff52 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -273,7 +273,7 @@ bld.SAMBA3_LIBRARY('popt_samba3',
+
+ bld.SAMBA3_LIBRARY('popt_samba3_cmdline',
+ source='lib/popt_common_cmdline.c',
+- deps='popt_samba3 util_cmdline',
++ deps='popt_samba3 util_cmdline cmdline_contexts',
+ private_library=True)
+
+ bld.SAMBA3_LIBRARY('util_cmdline',
+--
+2.13.6
+
+
+From db6cce7786809a96f81c575a3cbbbf87bdec3047 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Tue, 21 Aug 2018 14:58:01 -0700
+Subject: [PATCH 08/22] test:doc: Skip 'clustering=yes'
+
+As testparm will error out when running clustering=yes as non-root, skip
+this step to avoid a test failure.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(backported from commit 3ecb9ed7b079fc1bf74c311cf5f1684086b36883)
+---
+ python/samba/tests/docs.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
+index 0f029ae02d2..620383caebd 100644
+--- a/python/samba/tests/docs.py
++++ b/python/samba/tests/docs.py
+@@ -163,7 +163,8 @@ import xml.etree.ElementTree as ET
+ 'registry shares',
+ 'smb ports',
+ 'rpc server dynamic port range',
+- 'name resolve order'])
++ 'name resolve order',
++ 'clustering'])
+ self._test_empty(['bin/testparm'])
+
+ def test_default_s4(self):
+--
+2.13.6
+
+
+From 7608714a4a0796c8ef747c0cbce160fc3d0fa325 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 15:38:33 -0700
+Subject: [PATCH 09/22] s3:smbpasswd: Use cmdline_messaging_context
+
+smbpasswd does not use POPT_CREDENTIALS. Call cmdline_messaging_context
+to initialize a messaging_context with proper error checking before
+calling lp_load_global.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 29fd2c2e5ad3c2d44f3629c6b7b4139772fe350c)
+---
+ source3/utils/smbpasswd.c | 17 +++--------------
+ source3/utils/wscript_build | 4 +++-
+ 2 files changed, 6 insertions(+), 15 deletions(-)
+
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 04f34aa9b69..8e2b9d7f80f 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -23,6 +23,7 @@
+ #include "../lib/util/util_pw.h"
+ #include "libsmb/proto.h"
+ #include "passdb.h"
++#include "cmdline_contexts.h"
+
+ /*
+ * Next two lines needed for SunOS and don't
+@@ -196,6 +197,8 @@ static int process_options(int argc, char **argv, int local_flags)
+ usage();
+ }
+
++ cmdline_messaging_context(configfile);
++
+ if (!lp_load_global(configfile)) {
+ fprintf(stderr, "Can't load %s - run testparm to debug it\n",
+ configfile);
+@@ -614,7 +617,6 @@ static int process_nonroot(int local_flags)
+ int main(int argc, char **argv)
+ {
+ TALLOC_CTX *frame = talloc_stackframe();
+- struct messaging_context *msg_ctx = NULL;
+ int local_flags = 0;
+ int ret;
+
+@@ -632,19 +634,6 @@ int main(int argc, char **argv)
+
+ setup_logging("smbpasswd", DEBUG_STDERR);
+
+- msg_ctx = server_messaging_context();
+- if (msg_ctx == NULL) {
+- if (geteuid() != 0) {
+- DBG_NOTICE("Unable to initialize messaging context. "
+- "Must be root to do that.\n");
+- } else {
+- fprintf(stderr,
+- "smbpasswd is not able to initialize the "
+- "messaging context!\n");
+- return 1;
+- }
+- }
+-
+ /*
+ * Set the machine NETBIOS name if not already
+ * set from the config file.
+diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
+index 67bb87e7a74..06a986cada4 100644
+--- a/source3/utils/wscript_build
++++ b/source3/utils/wscript_build
+@@ -37,7 +37,9 @@ bld.SAMBA3_BINARY('smbpasswd',
+ smbconf
+ pdb
+ PASSWD_UTIL
+- PASSCHANGE''')
++ PASSCHANGE
++ cmdline_contexts
++ ''')
+
+ bld.SAMBA3_BINARY('pdbedit',
+ source='pdbedit.c',
+--
+2.13.6
+
+
+From 305cf6a251e395c895f04b2590125dec430a08e6 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 15:46:27 -0700
+Subject: [PATCH 10/22] s3:smbstatus: Use cmdline_messaging_context
+
+Use cmdline_messaging_context to initialize a messaging context instead
+of open coding the same steps.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit d7fa3815a83a50fd9e3d78cac0d5ef3eb79235e5)
+---
+ source3/utils/status.c | 25 +++----------------------
+ source3/wscript_build | 1 +
+ 2 files changed, 4 insertions(+), 22 deletions(-)
+
+diff --git a/source3/utils/status.c b/source3/utils/status.c
+index d04efedee3f..1d68219a5ac 100644
+--- a/source3/utils/status.c
++++ b/source3/utils/status.c
+@@ -48,6 +48,7 @@
+ #include "serverid.h"
+ #include "status_profile.h"
+ #include "smbd/notifyd/notifyd.h"
++#include "cmdline_contexts.h"
+
+ #define SMB_MAXPIDS 2048
+ static uid_t Ucrit_uid = 0; /* added by OH */
+@@ -528,7 +529,6 @@ int main(int argc, const char *argv[])
+ };
+ TALLOC_CTX *frame = talloc_stackframe();
+ int ret = 0;
+- struct tevent_context *ev;
+ struct messaging_context *msg_ctx = NULL;
+ char *db_path;
+ bool ok;
+@@ -607,28 +607,9 @@ int main(int argc, const char *argv[])
+ d_printf("using configfile = %s\n", get_dyn_CONFIGFILE());
+ }
+
+- if (!lp_load_initial_only(get_dyn_CONFIGFILE())) {
+- fprintf(stderr, "Can't load %s - run testparm to debug it\n",
+- get_dyn_CONFIGFILE());
+- ret = -1;
+- goto done;
+- }
+-
+-
+- /*
+- * This implicitly initializes the global ctdbd connection,
+- * usable by the db_open() calls further down.
+- */
+- ev = samba_tevent_context_init(NULL);
+- if (ev == NULL) {
+- fprintf(stderr, "samba_tevent_context_init failed\n");
+- ret = -1;
+- goto done;
+- }
+-
+- msg_ctx = messaging_init(NULL, ev);
++ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
+ if (msg_ctx == NULL) {
+- fprintf(stderr, "messaging_init failed\n");
++ fprintf(stderr, "Could not initialize messaging, not root?\n");
+ ret = -1;
+ goto done;
+ }
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 250b7f1ff52..36cfd5dada7 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -1157,6 +1157,7 @@ bld.SAMBA3_BINARY('smbstatus',
+ talloc
+ smbconf
+ popt_samba3
++ cmdline_contexts
+ smbd_base
+ LOCKING
+ PROFILE
+--
+2.13.6
+
+
+From 27e80482d1d37aaacbca7ca6eff6000c78349da7 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 15:54:11 -0700
+Subject: [PATCH 11/22] rpcclient: Use cmdline_messaging_context
+
+Use cmdline_messaging_context with its error checking instead of open
+coding the same steps.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit dd3ae2ffdc66be4707471bfccf27ef446b5599cb)
+---
+ source3/rpcclient/rpcclient.c | 28 ++--------------------------
+ 1 file changed, 2 insertions(+), 26 deletions(-)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index f7e196226cf..9f95f1a7a8c 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -35,6 +35,7 @@
+ #include "auth/gensec/gensec.h"
+ #include "../libcli/smb/smbXcli_base.h"
+ #include "messages.h"
++#include "cmdline_contexts.h"
+
+ enum pipe_auth_type_spnego {
+ PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
+@@ -950,7 +951,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info,
+ const char *binding_string = NULL;
+ const char *host;
+ int signing_state = SMB_SIGNING_IPC_DEFAULT;
+- struct tevent_context *ev_ctx = NULL;
+
+ /* make sure the vars that get altered (4th field) are in
+ a fixed location or certain compilers complain */
+@@ -1016,30 +1016,7 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info,
+ poptFreeContext(pc);
+ popt_burn_cmdline_password(argc, argv);
+
+- ev_ctx = samba_tevent_context_init(frame);
+- if (ev_ctx == NULL) {
+- fprintf(stderr, "Could not init event context\n");
+- result = 1;
+- goto done;
+- }
+-
+- nt_status = messaging_init_client(ev_ctx,
+- ev_ctx,
+- &rpcclient_msg_ctx);
+- if (geteuid() != 0 &&
+- NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
+- /*
+- * Normal to fail to initialize messaging context
+- * if we're not root as we don't have ability to
+- * read lock directory.
+- */
+- DBG_NOTICE("Unable to initialize messaging context. "
+- "Must be root to do that.\n");
+- } else if (!NT_STATUS_IS_OK(nt_status)) {
+- fprintf(stderr, "Could not init messaging context\n");
+- result = 1;
+- goto done;
+- }
++ rpcclient_msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
+
+ if (!init_names()) {
+ result = 1;
+@@ -1258,7 +1235,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info,
+ popt_free_cmdline_auth_info();
+ netlogon_creds_cli_close_global_db();
+ TALLOC_FREE(rpcclient_msg_ctx);
+- TALLOC_FREE(ev_ctx);
+ TALLOC_FREE(frame);
+ return result;
+ }
+--
+2.13.6
+
+
+From eaa0cb2c039c9c8ef838f259efcaffc59033bbbf Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 16:01:00 -0700
+Subject: [PATCH 12/22] s3:net: Use cmdline_messaging_context
+
+Use cmdline_messaging_context with its error checking instead of open
+coding the same steps.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit f2b659e4f518ccb06f221dd028f99883ca1a1847)
+---
+ source3/utils/net.c | 29 ++---------------------------
+ 1 file changed, 2 insertions(+), 27 deletions(-)
+
+diff --git a/source3/utils/net.c b/source3/utils/net.c
+index 76b8677bf78..759d8cd442b 100644
+--- a/source3/utils/net.c
++++ b/source3/utils/net.c
+@@ -48,6 +48,7 @@
+ #include "../libcli/security/security.h"
+ #include "passdb.h"
+ #include "messages.h"
++#include "cmdline_contexts.h"
+
+ #ifdef WITH_FAKE_KASERVER
+ #include "utils/net_afs.h"
+@@ -915,9 +916,7 @@ static struct functable net_func[] = {
+ const char **argv_const = discard_const_p(const char *, argv);
+ poptContext pc;
+ TALLOC_CTX *frame = talloc_stackframe();
+- struct tevent_context *ev;
+ struct net_context *c = talloc_zero(frame, struct net_context);
+- NTSTATUS status;
+
+ struct poptOption long_options[] = {
+ {"help", 'h', POPT_ARG_NONE, 0, 'h'},
+@@ -1031,31 +1030,7 @@ static struct functable net_func[] = {
+ }
+ }
+
+- if (!lp_load_initial_only(get_dyn_CONFIGFILE())) {
+- d_fprintf(stderr, "Can't load %s - run testparm to debug it\n",
+- get_dyn_CONFIGFILE());
+- exit(1);
+- }
+-
+- ev = samba_tevent_context_init(c);
+- if (ev == NULL) {
+- d_fprintf(stderr, "samba_tevent_context_init failed\n");
+- exit(1);
+- }
+- status = messaging_init_client(c, ev, &c->msg_ctx);
+- if (geteuid() != 0 &&
+- NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+- /*
+- * Normal to fail to initialize messaging context
+- * if we're not root as we don't have ability to
+- * read lock directory.
+- */
+- DBG_NOTICE("Unable to initialize messaging context. "
+- "Must be root to do that.\n");
+- } else if (!NT_STATUS_IS_OK(status)) {
+- d_fprintf(stderr, "Failed to init messaging context\n");
+- exit(1);
+- }
++ c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
+
+ if (!lp_load_global(get_dyn_CONFIGFILE())) {
+ d_fprintf(stderr, "Can't load %s - run testparm to debug it\n",
+--
+2.13.6
+
+
+From 8cb95d9ad621db6adf627b439745691c8ff09d66 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 10 Jul 2018 16:29:46 +0200
+Subject: [PATCH 13/22] s3:messaging: remove unused messaging_init_client()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Christof Schmitt <cs@samba.org>
+(cherry picked from commit f56496b11469f0e9af9ba81cefb796ca1febabb1)
+---
+ source3/include/messages.h | 3 ---
+ source3/lib/messages.c | 9 ---------
+ 2 files changed, 12 deletions(-)
+
+diff --git a/source3/include/messages.h b/source3/include/messages.h
+index 29c394af317..f7b40664b0b 100644
+--- a/source3/include/messages.h
++++ b/source3/include/messages.h
+@@ -46,9 +46,6 @@ struct messaging_rec;
+
+ struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev);
+-NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx,
+- struct tevent_context *ev,
+- struct messaging_context **pmsg_ctx);
+
+ struct server_id messaging_server_id(const struct messaging_context *msg_ctx);
+ struct tevent_context *messaging_tevent_context(
+diff --git a/source3/lib/messages.c b/source3/lib/messages.c
+index dab53f1c48e..90fffa2c872 100644
+--- a/source3/lib/messages.c
++++ b/source3/lib/messages.c
+@@ -635,15 +635,6 @@ struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx,
+ return ctx;
+ }
+
+-NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx,
+- struct tevent_context *ev,
+- struct messaging_context **pmsg_ctx)
+-{
+- return messaging_init_internal(mem_ctx,
+- ev,
+- pmsg_ctx);
+-}
+-
+ struct server_id messaging_server_id(const struct messaging_context *msg_ctx)
+ {
+ return msg_ctx->id;
+--
+2.13.6
+
+
+From 37ad220effcfea97929483e84477fae2e48d0be8 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 16:08:21 -0700
+Subject: [PATCH 14/22] s3:pdbedit: Use cmdline_messaging_context
+
+Initialize the messaging context through cmdline_messaging_context to
+allow access to config in clustered Samba.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 4661537c201acebee991d219d151cb481f56265c)
+---
+ source3/utils/pdbedit.c | 3 +++
+ source3/utils/wscript_build | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
+index 5c947e2fbde..a2394880c65 100644
+--- a/source3/utils/pdbedit.c
++++ b/source3/utils/pdbedit.c
+@@ -25,6 +25,7 @@
+ #include "../librpc/gen_ndr/samr.h"
+ #include "../libcli/security/security.h"
+ #include "passdb.h"
++#include "cmdline_contexts.h"
+
+ #define BIT_BACKEND 0x00000004
+ #define BIT_VERBOSE 0x00000008
+@@ -1121,6 +1122,8 @@ int main(int argc, const char **argv)
+ if (user_name == NULL)
+ user_name = poptGetArg(pc);
+
++ cmdline_messaging_context(get_dyn_CONFIGFILE());
++
+ if (!lp_load_global(get_dyn_CONFIGFILE())) {
+ fprintf(stderr, "Can't load %s - run testparm to debug it\n", get_dyn_CONFIGFILE());
+ exit(1);
+diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
+index 06a986cada4..570c4506bee 100644
+--- a/source3/utils/wscript_build
++++ b/source3/utils/wscript_build
+@@ -47,6 +47,7 @@ bld.SAMBA3_BINARY('pdbedit',
+ talloc
+ smbconf
+ popt_samba3
++ cmdline_contexts
+ pdb
+ PASSWD_UTIL''')
+
+--
+2.13.6
+
+
+From 375f013eaeb9d4c2592f68cd10374f61e2d12533 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 16:11:11 -0700
+Subject: [PATCH 15/22] s3:testparm: Use cmdline_messaging_context
+
+Call cmdline_messaging_context to initialize a messaging config before
+accessing clustered Samba config.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit ea7a4ff7ae5ef2b22fb7ef5640d6b946c064cfc3)
+---
+ source3/utils/testparm.c | 3 +++
+ source3/utils/wscript_build | 4 +++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
+index 8113eea0020..88dfc42d492 100644
+--- a/source3/utils/testparm.c
++++ b/source3/utils/testparm.c
+@@ -35,6 +35,7 @@
+ #include "system/filesys.h"
+ #include "popt_common.h"
+ #include "lib/param/loadparm.h"
++#include "cmdline_contexts.h"
+
+ #include <regex.h>
+
+@@ -698,6 +699,8 @@ static void do_per_share_checks(int s)
+ goto done;
+ }
+
++ cmdline_messaging_context(config_file);
++
+ fprintf(stderr,"Load smb config files from %s\n",config_file);
+
+ if (!lp_load_with_registry_shares(config_file)) {
+diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
+index 570c4506bee..ffa0762d828 100644
+--- a/source3/utils/wscript_build
++++ b/source3/utils/wscript_build
+@@ -163,7 +163,9 @@ bld.SAMBA3_BINARY('testparm',
+ deps='''
+ talloc
+ smbconf
+- popt_samba3''')
++ popt_samba3
++ cmdline_contexts
++ ''')
+
+ bld.SAMBA3_BINARY('net',
+ source='''net.c
+--
+2.13.6
+
+
+From 96d91b1d4c60552b1ed7058a4d9ed2b06a929c57 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 16:15:02 -0700
+Subject: [PATCH 16/22] s3:sharesec: Use cmdline_messaging_context
+
+Call cmdline_messasging_context to initialize messaging context before
+accessing clustered Samba config.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit cab8f27bbc927e48c52bac6350325e8ec38092b2)
+---
+ source3/utils/sharesec.c | 2 ++
+ source3/utils/wscript_build | 4 +++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
+index d9f81587f0e..375ae582ae5 100644
+--- a/source3/utils/sharesec.c
++++ b/source3/utils/sharesec.c
+@@ -28,6 +28,7 @@ struct cli_state;
+ #include "../libcli/security/security.h"
+ #include "passdb/machine_sid.h"
+ #include "util_sd.h"
++#include "cmdline_contexts.h"
+
+ static TALLOC_CTX *ctx;
+
+@@ -420,6 +421,7 @@ int main(int argc, const char *argv[])
+
+ setlinebuf(stdout);
+
++ cmdline_messaging_context(get_dyn_CONFIGFILE());
+ lp_load_with_registry_shares(get_dyn_CONFIGFILE());
+
+ /* check for initializing secrets.tdb first */
+diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
+index ffa0762d828..7e586dc268d 100644
+--- a/source3/utils/wscript_build
++++ b/source3/utils/wscript_build
+@@ -98,7 +98,9 @@ bld.SAMBA3_BINARY('sharesec',
+ talloc
+ msrpc3
+ libcli_lsa3
+- popt_samba3''')
++ popt_samba3
++ cmdline_contexts
++ ''')
+
+ bld.SAMBA3_BINARY('log2pcap',
+ source='log2pcaphex.c',
+--
+2.13.6
+
+
+From 389d7e32dc9f02b037ab9c2d0db1095f88f64145 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 16:18:20 -0700
+Subject: [PATCH 17/22] s3: ntlm_auth: Use cmdline_messaging_context
+
+Call cmdline_messaging_context to initialize the messaging context
+before accessing clustered Samba config.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 9ed617474f588ceb42c8929ee8a51071a408c219)
+---
+ source3/utils/ntlm_auth.c | 3 +++
+ source3/utils/wscript_build | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 7d27712980b..b8014ec1034 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -47,6 +47,7 @@
+ #include "nsswitch/libwbclient/wbclient.h"
+ #include "lib/param/loadparm.h"
+ #include "lib/util/base64.h"
++#include "cmdline_contexts.h"
+
+ #if HAVE_KRB5
+ #include "auth/kerberos/pac_utils.h"
+@@ -2380,6 +2381,8 @@ enum {
+
+ poptFreeContext(pc);
+
++ cmdline_messaging_context(get_dyn_CONFIGFILE());
++
+ if (!lp_load_global(get_dyn_CONFIGFILE())) {
+ d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n",
+ get_dyn_CONFIGFILE(), strerror(errno));
+diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
+index 7e586dc268d..92404a61c2d 100644
+--- a/source3/utils/wscript_build
++++ b/source3/utils/wscript_build
+@@ -128,6 +128,7 @@ bld.SAMBA3_BINARY('ntlm_auth',
+ tiniparser
+ libsmb
+ popt_samba3
++ cmdline_contexts
+ gse gensec''')
+
+ bld.SAMBA3_BINARY('dbwrap_tool',
+--
+2.13.6
+
+
+From 6a08003f378ddc270597465509cf4b34837d8dc8 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Mon, 20 Aug 2018 16:21:51 -0700
+Subject: [PATCH 18/22] s3:eventlogadm: Use cmdline_messaging_context
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 095123df945270bc51635a19125a7abdfcd4ab80)
+---
+ source3/utils/eventlogadm.c | 4 ++++
+ source3/utils/wscript_build | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/source3/utils/eventlogadm.c b/source3/utils/eventlogadm.c
+index 5ef091a9ae3..db874dfae8a 100644
+--- a/source3/utils/eventlogadm.c
++++ b/source3/utils/eventlogadm.c
+@@ -30,6 +30,7 @@
+ #include "registry/reg_util_token.h"
+ #include "registry/reg_backend_db.h"
+ #include "../libcli/registry/util_reg.h"
++#include "cmdline_contexts.h"
+
+ extern int optind;
+ extern char *optarg;
+@@ -472,6 +473,9 @@ int main( int argc, char *argv[] )
+ exit( 1 );
+ }
+
++ cmdline_messaging_context(configfile == NULL ?
++ get_dyn_CONFIGFILE() : configfile);
++
+ if ( configfile == NULL ) {
+ lp_load_global(get_dyn_CONFIGFILE());
+ } else if (!lp_load_global(configfile)) {
+diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
+index 92404a61c2d..eabebcf3d52 100644
+--- a/source3/utils/wscript_build
++++ b/source3/utils/wscript_build
+@@ -89,6 +89,7 @@ bld.SAMBA3_BINARY('eventlogadm',
+ deps='''
+ talloc
+ smbconf
++ cmdline_contexts
+ LIBEVENTLOG''',
+ install_path='${SBINDIR}')
+
+--
+2.13.6
+
+
+From 6f32f75ad43b4e49de5af794beb134252267b768 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Tue, 21 Aug 2018 12:34:34 -0700
+Subject: [PATCH 19/22] s3:dbwrap_tool: Use cmdline_messaging_context
+
+Initialize the messaging context through cmdline_messaging_context to
+allow access to config in clustered Samba.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 7eeff96b826711b5a8d44ab24603dafcc0343d84)
+---
+ source3/utils/dbwrap_tool.c | 3 +++
+ source3/utils/wscript_build | 4 +++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
+index 94aacd8ba26..b182e9cbfab 100644
+--- a/source3/utils/dbwrap_tool.c
++++ b/source3/utils/dbwrap_tool.c
+@@ -28,6 +28,7 @@
+ #include "dbwrap/dbwrap_watch.h"
+ #include "messages.h"
+ #include "util_tdb.h"
++#include "cmdline_contexts.h"
+
+ enum dbwrap_op { OP_FETCH, OP_STORE, OP_DELETE, OP_ERASE, OP_LISTKEYS,
+ OP_EXISTS };
+@@ -428,6 +429,8 @@ int main(int argc, const char **argv)
+ while (extra_argv[extra_argc]) extra_argc++;
+ }
+
++ cmdline_messaging_context(get_dyn_CONFIGFILE());
++
+ lp_load_global(get_dyn_CONFIGFILE());
+
+ if ((extra_argc < 2) || (extra_argc > 5)) {
+diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
+index eabebcf3d52..11bd2015c3a 100644
+--- a/source3/utils/wscript_build
++++ b/source3/utils/wscript_build
+@@ -136,7 +136,9 @@ bld.SAMBA3_BINARY('dbwrap_tool',
+ source='dbwrap_tool.c',
+ deps='''
+ talloc
+- popt_samba3''')
++ popt_samba3
++ cmdline_contexts
++ ''')
+
+ bld.SAMBA3_BINARY('dbwrap_torture',
+ source='dbwrap_torture.c',
+--
+2.13.6
+
+
+From f23f129047edd4b6fd6163a7795e48be3e59b49c Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Tue, 21 Aug 2018 12:35:11 -0700
+Subject: [PATCH 20/22] s3:smbcontrol: Use cmdline_messaging_context
+
+Initialize the messaging context through cmdline_messaging_context to
+allow access to config in clustered Samba.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit de040eafbd7d729316d757c14c44df163a4b36ad)
+---
+ source3/utils/smbcontrol.c | 19 +++++++++++--------
+ source3/utils/wscript_build | 1 +
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/source3/utils/smbcontrol.c b/source3/utils/smbcontrol.c
+index bd89b9ebf0a..ecf27801f8a 100644
+--- a/source3/utils/smbcontrol.c
++++ b/source3/utils/smbcontrol.c
+@@ -35,6 +35,7 @@
+ #include "util_tdb.h"
+ #include "../lib/util/pidfile.h"
+ #include "serverid.h"
++#include "cmdline_contexts.h"
+
+ #if HAVE_LIBUNWIND_H
+ #include <libunwind.h>
+@@ -1609,21 +1610,23 @@ int main(int argc, const char **argv)
+ if (argc <= 1)
+ usage(pc);
+
++ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
++ if (msg_ctx == NULL) {
++ fprintf(stderr,
++ "Could not init messaging context, not root?\n");
++ TALLOC_FREE(frame);
++ exit(1);
++ }
++
++ evt_ctx = server_event_context();
++
+ lp_load_global(get_dyn_CONFIGFILE());
+
+ /* Need to invert sense of return code -- samba
+ * routines mostly return True==1 for success, but
+ * shell needs 0. */
+
+- if (!(evt_ctx = samba_tevent_context_init(NULL)) ||
+- !(msg_ctx = messaging_init(NULL, evt_ctx))) {
+- fprintf(stderr, "could not init messaging context\n");
+- TALLOC_FREE(frame);
+- exit(1);
+- }
+-
+ ret = !do_command(evt_ctx, msg_ctx, argc, argv);
+- TALLOC_FREE(msg_ctx);
+ TALLOC_FREE(frame);
+ return ret;
+ }
+diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
+index 11bd2015c3a..6793c6d5c8a 100644
+--- a/source3/utils/wscript_build
++++ b/source3/utils/wscript_build
+@@ -18,6 +18,7 @@ bld.SAMBA3_BINARY('smbcontrol',
+ talloc
+ smbconf
+ popt_samba3
++ cmdline_contexts
+ PRINTBASE''')
+
+ bld.SAMBA3_BINARY('smbtree',
+--
+2.13.6
+
+
+From 4f57a7b28cc1b705f34444f795724e3d3a06d99c Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Tue, 21 Aug 2018 16:11:02 -0700
+Subject: [PATCH 21/22] s3:smbget: Use cmdline_messaging_context
+
+Initialize the messaging context through cmdline_messaging_context to
+allow access to config in clustered Samba.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 20ed13923ed3c55e1b293e5440028d29384e9d3a)
+---
+ source3/utils/smbget.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
+index 37462fa131f..4653c6894e0 100644
+--- a/source3/utils/smbget.c
++++ b/source3/utils/smbget.c
+@@ -20,6 +20,7 @@
+ #include "system/filesys.h"
+ #include "popt_common_cmdline.h"
+ #include "libsmbclient.h"
++#include "cmdline_contexts.h"
+
+ static int columns = 0;
+
+@@ -879,6 +880,8 @@ int main(int argc, char **argv)
+
+ popt_burn_cmdline_password(argc, argv);
+
++ cmdline_messaging_context(get_dyn_CONFIGFILE());
++
+ if (smbc_init(get_auth_data, opt.debuglevel) < 0) {
+ fprintf(stderr, "Unable to initialize libsmbclient\n");
+ return 1;
+--
+2.13.6
+
+
+From 8fb42e4a751af55e6e56cd4e64029228f1cc36c3 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Fri, 7 Sep 2018 07:27:46 +0200
+Subject: [PATCH 22/22] examples: Fix the smb2mount build
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 94852e3544bf2cace3ddba8b9c89d986d77fdab5)
+---
+ examples/fuse/smb2mount.c | 2 +-
+ examples/fuse/wscript_build | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/examples/fuse/smb2mount.c b/examples/fuse/smb2mount.c
+index 816b0b597ad..ec4be809f6d 100644
+--- a/examples/fuse/smb2mount.c
++++ b/examples/fuse/smb2mount.c
+@@ -20,7 +20,7 @@
+
+ #include "source3/include/includes.h"
+ #include "popt.h"
+-#include "popt_common.h"
++#include "popt_common_cmdline.h"
+ #include "client.h"
+ #include "libsmb/proto.h"
+ #include "clifuse.h"
+diff --git a/examples/fuse/wscript_build b/examples/fuse/wscript_build
+index 9ec5fc0a0f2..31341e4357d 100644
+--- a/examples/fuse/wscript_build
++++ b/examples/fuse/wscript_build
+@@ -3,5 +3,5 @@
+ if bld.env.HAVE_FUSE:
+ bld.SAMBA_BINARY('smb2mount',
+ source='smb2mount.c clifuse.c',
+- deps='smbconf popt_samba3 libsmb fuse',
++ deps='smbconf popt_samba3_cmdline libsmb fuse',
+ install=False)
+--
+2.13.6
+
diff --git a/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch b/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch
new file mode 100644
index 0000000..3d678a2
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch
@@ -0,0 +1,39 @@
+From 38e6908f259b2bdbdba38a856b9d67585453af9a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 29 Oct 2018 19:45:58 +0100
+Subject: [PATCH] s3:winbind: Check return code of initialize_password_db()
+
+See https://retrace.fedoraproject.org/faf/reports/1577174/
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+(cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac)
+---
+ source3/winbindd/winbindd.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
+index 254d93b344d..a8ffc31778c 100644
+--- a/source3/winbindd/winbindd.c
++++ b/source3/winbindd/winbindd.c
+@@ -1845,7 +1845,13 @@ int main(int argc, const char **argv)
+ if (!NT_STATUS_IS_OK(status)) {
+ exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status));
+ }
+- initialize_password_db(true, server_event_context());
++
++ ok = initialize_password_db(true, server_event_context());
++ if (!ok) {
++ exit_daemon("Failed to initialize passdb backend! "
++ "Check the 'passdb backend' variable in your "
++ "smb.conf file.", EINVAL);
++ }
+
+ /*
+ * Do not initialize the parent-child-pipe before becoming
+--
+2.19.1
+
diff --git a/SOURCES/samba-4.9-harden_homes_share.patch b/SOURCES/samba-4.9-harden_homes_share.patch
new file mode 100644
index 0000000..60ca5c6
--- /dev/null
+++ b/SOURCES/samba-4.9-harden_homes_share.patch
@@ -0,0 +1,402 @@
+From b67bc28be3e0ab40e14f698951c9ba057ea8321d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 15 Nov 2018 16:06:49 +0100
+Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Böhme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0)
+---
+ selftest/target/Samba3.pm | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 438cb3409bb..373f8152ca3 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1610,8 +1610,10 @@ sub provision($$$$$$$$$)
+ my ($gid_force_user);
+ my ($uid_user1);
+ my ($uid_user2);
++ my ($uid_gooduser);
++ my ($uid_eviluser);
+
+- if ($unix_uid < 0xffff - 10) {
++ if ($unix_uid < 0xffff - 12) {
+ $max_uid = 0xffff;
+ } else {
+ $max_uid = $unix_uid;
+@@ -1627,6 +1629,8 @@ sub provision($$$$$$$$$)
+ $uid_smbget = $max_uid - 8;
+ $uid_user1 = $max_uid - 9;
+ $uid_user2 = $max_uid - 10;
++ $uid_gooduser = $max_uid - 11;
++ $uid_eviluser = $max_uid - 12;
+
+ if ($unix_gids[0] < 0xffff - 8) {
+ $max_gid = 0xffff;
+@@ -2248,6 +2252,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f
+ smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false
+ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
+ user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
++gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
++eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
+ ";
+ if ($unix_uid != 0) {
+ print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
+@@ -2324,6 +2330,8 @@ force_user:x:$gid_force_user:
+ createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user");
+ createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1");
+ createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
++ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
++ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
+
+ open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
+ print DNS_UPDATE_LIST "A $server. $server_ip\n";
+--
+2.19.2
+
+
+From ca57b6e4f02c725a3f47b8dde01d4b70dce42784 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 16 Nov 2018 15:40:59 +0100
+Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes'
+ share
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This adds a test for CVE-2009-2813.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Böhme <slow@samba.org>
+(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6)
+---
+ selftest/target/Samba3.pm | 4 ++
+ source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++
+ source3/selftest/tests.py | 1 +
+ 3 files changed, 104 insertions(+)
+ create mode 100755 source3/script/tests/test_homes.sh
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 373f8152ca3..2031003210c 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -921,6 +921,10 @@ sub setup_fileserver
+ comment = inherit only unix owner
+ inherit owner = unix only
+ acl_xattr:ignore system acls = yes
++[homes]
++ comment = Home directories
++ browseable = No
++ read only = No
+ ";
+
+ my $vars = $self->provision($path, "WORKGROUP",
+diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
+new file mode 100755
+index 00000000000..06de0a0c301
+--- /dev/null
++++ b/source3/script/tests/test_homes.sh
+@@ -0,0 +1,99 @@
++#!/bin/sh
++
++# Copyright (c) Andreas Schneider <asn@samba.org>
++# License: GPLv3
++
++if [ $# -lt 7 ]; then
++ echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION"
++ exit 1
++fi
++
++SERVER="${1}"
++USERNAME="${2}"
++PASSWORD="${3}"
++LOCAL_PATH="${4}"
++PREFIX="${5}"
++SMBCLIENT="${6}"
++CONFIGURATION="${7}"
++shift 7
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++
++failed=0
++
++test_gooduser_home()
++{
++ tmpfile=$PREFIX/smbclient_homes_gooduser_commands
++ cat > $tmpfile <<EOF
++ls
++quit
++EOF
++
++ USERNAME=gooduser
++
++ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
++ eval echo "$cmd"
++ out=$(eval $cmd)
++ ret=$?
++ rm -f $tmpfile
++
++ if [ $ret -ne 0 ] ; then
++ echo "$out"
++ echo "failed to connect error $ret"
++ return 1
++ fi
++
++ echo "$out" | grep 'Try "help" to get a list of possible commands.'
++ ret=$?
++ if [ $ret -ne 0 ] ; then
++ echo "$out"
++ echo 'failed - should get: Try "help" to get a list of possible commands.'
++ return 1
++ fi
++
++ return 0
++}
++
++test_eviluser_home()
++{
++ tmpfile=$PREFIX/smbclient_homes_eviluser_commands
++ cat > $tmpfile <<EOF
++ls
++quit
++EOF
++
++ USERNAME=eviluser
++
++ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
++ eval echo "$cmd"
++ out=$(eval $cmd)
++ ret=$?
++ rm -f $tmpfile
++
++ if [ $ret -ne 1 ] ; then
++ echo "$out"
++ echo "The server should reject connecting ret=$ret"
++ return 1
++ fi
++
++ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
++ ret=$?
++ if [ $ret -ne 0 ] ; then
++ echo "$out"
++ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
++ return 1
++ fi
++
++ return 0
++}
++
++testit "test gooduser home" \
++ test_gooduser_home || \
++ failed=`expr $failed + 1`
++
++testit "test eviluser home reject" \
++ test_eviluser_home || \
++ failed=`expr $failed + 1`
++
++testok $0 $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 09cd5159a0d..4aef7a4d596 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -290,6 +290,7 @@ for env in ["fileserver"]:
+ plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1'])
+ plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3'])
+ plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp'])
++ plantestsuite("samba3.blackbox.homes", env, [os.path.join(samba3srcdir, "script/tests/test_homes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', '$PREFIX', smbclient3, configuration])
+
+ #
+ # tar command tests
+--
+2.19.2
+
+
+From 274e960fde8e680a487fd7f3af57c824f9a5151b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 22 Nov 2018 18:23:24 +0100
+Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home
+ dir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If "/" (root) is returned as the home directory, prevent exporting it.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Böhme <slow@samba.org>
+(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af)
+---
+ source3/param/service.c | 6 +++++-
+ source3/smbd/password.c | 7 +++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/source3/param/service.c b/source3/param/service.c
+index b21be6093d4..22f46f08894 100644
+--- a/source3/param/service.c
++++ b/source3/param/service.c
+@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out)
+ DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out,
+ phome_dir?phome_dir:"(NULL)"));
+
+- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir);
++ if (!strequal(phome_dir, "/")) {
++ iService = add_home_service(*p_service_out,
++ *p_service_out, /* username */
++ phome_dir);
++ }
+ }
+
+ /* If we still don't have a service, attempt to add it as a printer. */
+diff --git a/source3/smbd/password.c b/source3/smbd/password.c
+index f472bda2c70..0576d2563eb 100644
+--- a/source3/smbd/password.c
++++ b/source3/smbd/password.c
+@@ -129,6 +129,13 @@ int register_homes_share(const char *username)
+ return -1;
+ }
+
++ if (strequal(pwd->pw_dir, "/")) {
++ DBG_NOTICE("Invalid home directory defined for user '%s'\n",
++ username);
++ TALLOC_FREE(pwd);
++ return -1;
++ }
++
+ DEBUG(3, ("Adding homes service for user '%s' using home directory: "
+ "'%s'\n", username, pwd->pw_dir));
+
+--
+2.19.2
+
+
+From e26c6aa97e57432d2f2fee2eba870ba76c9b8d41 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 3 Dec 2018 11:05:46 +0100
+Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed
+ as home dir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Böhme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Wed Dec 5 05:22:43 CET 2018 on sn-devel-144
+
+(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87)
+---
+ selftest/target/Samba3.pm | 6 ++++-
+ source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 2031003210c..583396b3818 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1616,8 +1616,9 @@ sub provision($$$$$$$$$)
+ my ($uid_user2);
+ my ($uid_gooduser);
+ my ($uid_eviluser);
++ my ($uid_slashuser);
+
+- if ($unix_uid < 0xffff - 12) {
++ if ($unix_uid < 0xffff - 13) {
+ $max_uid = 0xffff;
+ } else {
+ $max_uid = $unix_uid;
+@@ -1635,6 +1636,7 @@ sub provision($$$$$$$$$)
+ $uid_user2 = $max_uid - 10;
+ $uid_gooduser = $max_uid - 11;
+ $uid_eviluser = $max_uid - 12;
++ $uid_slashuser = $max_uid - 13;
+
+ if ($unix_gids[0] < 0xffff - 8) {
+ $max_gid = 0xffff;
+@@ -2258,6 +2260,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
+ user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
+ gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
+ eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
++slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
+ ";
+ if ($unix_uid != 0) {
+ print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
+@@ -2336,6 +2339,7 @@ force_user:x:$gid_force_user:
+ createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
+ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
+ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
++ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
+
+ open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
+ print DNS_UPDATE_LIST "A $server. $server_ip\n";
+diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
+index 06de0a0c301..90e84550dbc 100755
+--- a/source3/script/tests/test_homes.sh
++++ b/source3/script/tests/test_homes.sh
+@@ -88,6 +88,39 @@ EOF
+ return 0
+ }
+
++test_slashuser_home()
++{
++ tmpfile=$PREFIX/smbclient_homes_slashuser_commands
++ cat > $tmpfile <<EOF
++ls
++quit
++EOF
++
++ USERNAME=slashuser
++
++ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
++ eval echo "$cmd"
++ out=$(eval $cmd)
++ ret=$?
++ rm -f $tmpfile
++
++ if [ $ret -ne 1 ] ; then
++ echo "$out"
++ echo "The server should reject connecting ret=$ret"
++ return 1
++ fi
++
++ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
++ ret=$?
++ if [ $ret -ne 0 ] ; then
++ echo "$out"
++ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
++ return 1
++ fi
++
++ return 0
++}
++
+ testit "test gooduser home" \
+ test_gooduser_home || \
+ failed=`expr $failed + 1`
+@@ -96,4 +129,8 @@ testit "test eviluser home reject" \
+ test_eviluser_home || \
+ failed=`expr $failed + 1`
+
++testit "test slashuser home reject" \
++ test_slashuser_home || \
++ failed=`expr $failed + 1`
++
+ testok $0 $failed
+--
+2.19.2
diff --git a/SOURCES/samba-4.9-net_ads_leave_keep_account.patch b/SOURCES/samba-4.9-net_ads_leave_keep_account.patch
new file mode 100644
index 0000000..4590081
--- /dev/null
+++ b/SOURCES/samba-4.9-net_ads_leave_keep_account.patch
@@ -0,0 +1,119 @@
+From 1038892f651cbc1a924cd7e74b393eb356dd5266 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Wed, 27 Jun 2018 11:32:31 -0400
+Subject: [PATCH] s3:libads: Add net ads leave keep-account option
+
+Add the ability to leave the domain with --keep-account argument to avoid
+removal of the host machine account.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498
+
+Signed-off-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit d881f0c8a0ce2fc7cabf1966c5724e72c70d6694)
+---
+ docs-xml/manpages/net.8.xml | 9 ++++++++-
+ source3/libnet/libnet_join.c | 2 ++
+ source3/utils/net.c | 3 ++-
+ source3/utils/net.h | 1 +
+ source3/utils/net_ads.c | 9 +++++++--
+ 5 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
+index 3154ee5ff85..d2bcd24c502 100644
+--- a/docs-xml/manpages/net.8.xml
++++ b/docs-xml/manpages/net.8.xml
+@@ -377,6 +377,13 @@
+ </para></listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term>--keep-account</term>
++ <listitem><para>Prevent the machine account removal as
++ part of "net ads leave".
++ </para></listitem>
++ </varlistentry>
++
+ &stdarg.encrypt;
+ &popt.common.samba.client;
+
+@@ -1276,7 +1283,7 @@ against an NT4 Domain Controller.
+ </refsect2>
+
+ <refsect2>
+-<title>ADS LEAVE</title>
++<title>ADS LEAVE [--keep-account]</title>
+
+ <para>Make the remote host leave the domain it is part of. </para>
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index a9405e8d288..27fc5135442 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -2868,6 +2868,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
+ return ntstatus_to_werror(status);
+ }
+
++ r->out.dns_domain_name = talloc_strdup(mem_ctx,
++ r->in.domain_name);
+ r->out.disabled_machine_account = true;
+ }
+
+diff --git a/source3/utils/net.c b/source3/utils/net.c
+index 759d8cd442b..b3bd4b67118 100644
+--- a/source3/utils/net.c
++++ b/source3/utils/net.c
+@@ -970,8 +970,9 @@ static struct functable net_func[] = {
+ {"wipe", 0, POPT_ARG_NONE, &c->opt_wipe},
+ /* Options for 'net registry import' */
+ {"precheck", 0, POPT_ARG_STRING, &c->opt_precheck},
+- /* Options for 'net ads join' */
++ /* Options for 'net ads join or leave' */
+ {"no-dns-updates", 0, POPT_ARG_NONE, &c->opt_no_dns_updates},
++ {"keep-account", 0, POPT_ARG_NONE, &c->opt_keep_account},
+ POPT_COMMON_SAMBA
+ { 0, 0, 0, 0}
+ };
+diff --git a/source3/utils/net.h b/source3/utils/net.h
+index d6dfeb6208f..5e70fd3aafa 100644
+--- a/source3/utils/net.h
++++ b/source3/utils/net.h
+@@ -85,6 +85,7 @@ struct net_context {
+ int opt_wipe;
+ const char *opt_precheck;
+ int opt_no_dns_updates;
++ int opt_keep_account;
+
+ int opt_have_ip;
+ struct sockaddr_storage opt_dest_ip;
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index ffa67d8f525..afe47dad839 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -964,7 +964,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
+
+ if (c->display_usage) {
+ d_printf( "%s\n"
+- "net ads leave\n"
++ "net ads leave [--keep-account]\n"
+ " %s\n",
+ _("Usage:"),
+ _("Leave an AD domain"));
+@@ -1009,7 +1009,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
+ WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
+ r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
+ WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+- r->in.delete_machine_account = true;
++ if (c->opt_keep_account) {
++ r->in.delete_machine_account = false;
++ } else {
++ r->in.delete_machine_account = true;
++ }
++
+ r->in.msg_ctx = c->msg_ctx;
+
+ werr = libnet_Unjoin(ctx, r);
+--
+2.17.1
+
diff --git a/SOURCES/samba-4.9-static_analysis_fixes.patch b/SOURCES/samba-4.9-static_analysis_fixes.patch
new file mode 100644
index 0000000..06b10cf
--- /dev/null
+++ b/SOURCES/samba-4.9-static_analysis_fixes.patch
@@ -0,0 +1,179 @@
+From 0bd36d040129f511762b89555d98851a9dcaf3f6 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 12 Nov 2018 10:09:23 +0100
+Subject: [PATCH 1/5] s3:rpcclient: Initialize domain_name
+
+This could be passed uninitialized to dcerpc_netr_DsRGetDCName()
+
+Found by cppcheck.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 56ac8944eb58f234422b4bd4dd9a64b8e51e874d)
+---
+ source3/rpcclient/cmd_netlogon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index 8d62ef7e095..631740562c6 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -216,7 +216,7 @@ static WERROR cmd_netlogon_dsr_getdcname(struct rpc_pipe_client *cli,
+ WERROR werr = WERR_OK;
+ uint32_t flags = DS_RETURN_DNS_NAME;
+ const char *server_name = cli->desthost;
+- const char *domain_name;
++ const char *domain_name = NULL;
+ struct GUID domain_guid = GUID_zero();
+ struct GUID site_guid = GUID_zero();
+ struct netr_DsRGetDCNameInfo *info = NULL;
+--
+2.19.2
+
+
+From f14942265b08710d4e9bf6b17219f65b5ea79e01 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 12 Nov 2018 10:13:51 +0100
+Subject: [PATCH 2/5] librpc:ndr: Initialize inblob
+
+Found by cppcheck.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 9c37ed26f0a814f77c934ae190f48d0a1e673f83)
+---
+ librpc/ndr/ndr_backupkey.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c
+index 827bc694230..adb6e393287 100644
+--- a/librpc/ndr/ndr_backupkey.c
++++ b/librpc/ndr/ndr_backupkey.c
+@@ -58,7 +58,9 @@ _PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name,
+ ndr->flags |= LIBNDR_PRINT_SET_VALUES;
+ }
+ if (flags & NDR_IN) {
+- union bkrp_data_in_blob inblob;
++ union bkrp_data_in_blob inblob = {
++ .empty._empty_ = '\0',
++ };
+ DATA_BLOB blob;
+ uint32_t level;
+ enum ndr_err_code ndr_err;
+--
+2.19.2
+
+
+From 865ad3bb69c487589f24c755b2082fe51e5a261a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 12 Nov 2018 10:16:06 +0100
+Subject: [PATCH 3/5] libgpo: Make sure status is intialized
+
+Found by cppcheck.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 159f753732cdc1e4491f93617779861fb9d73bc7)
+---
+ libgpo/gpo_ldap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
+index fec00053b49..f087203f28a 100644
+--- a/libgpo/gpo_ldap.c
++++ b/libgpo/gpo_ldap.c
+@@ -474,7 +474,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
+ const char *guid_name,
+ struct GROUP_POLICY_OBJECT *gpo)
+ {
+- ADS_STATUS status;
++ ADS_STATUS status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ LDAPMessage *res = NULL;
+ char *dn;
+ const char *filter;
+--
+2.19.2
+
+
+From b40b21c5b2f6ed6e4e123cb55d9279f88b3e5c3b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 12 Nov 2018 10:17:37 +0100
+Subject: [PATCH 4/5] lib:util Always initialize start and space
+
+Found by cppcheck.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 050d1e7d53c068efac109ec4ff7a686d152e6a45)
+---
+ lib/util/talloc_report.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/lib/util/talloc_report.c b/lib/util/talloc_report.c
+index 63213a014b6..bed0fd91e43 100644
+--- a/lib/util/talloc_report.c
++++ b/lib/util/talloc_report.c
+@@ -33,8 +33,8 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
+ const char *fmt, va_list ap)
+ {
+ ssize_t str_len = *pstr_len;
+- size_t buflen, needed, space;
+- char *start, *tmpbuf;
++ size_t buflen, needed, space = 0;
++ char *start = NULL, *tmpbuf = NULL;
+ va_list ap2;
+ int printlen;
+
+@@ -52,9 +52,6 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
+ if (buflen > str_len) {
+ start = buf + str_len;
+ space = buflen - str_len;
+- } else {
+- start = NULL;
+- space = 0;
+ }
+
+ va_copy(ap2, ap);
+--
+2.19.2
+
+
+From 01c2b8c1920744b9b46e3b2010f0487f23aa865b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 12 Nov 2018 10:21:15 +0100
+Subject: [PATCH 5/5] ctdb: Fix an out of bound array access
+
+Found by cppcheck.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 008b9652cacdfd99e68db9d88f4e0c33eefa87e9)
+---
+ ctdb/common/logging.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
+index dc8c4f75058..55e5d541735 100644
+--- a/ctdb/common/logging.c
++++ b/ctdb/common/logging.c
+@@ -85,7 +85,7 @@ const char *debug_level_to_string(int log_level)
+ {
+ int i;
+
+- for (i=0; ARRAY_SIZE(log_string_map); i++) {
++ for (i=0; i < ARRAY_SIZE(log_string_map); i++) {
+ if (log_string_map[i].log_level == log_level) {
+ return log_string_map[i].log_string;
+ }
+--
+2.19.2
diff --git a/SOURCES/samba-4.9.0rc5-stack-protector.patch b/SOURCES/samba-4.9.0rc5-stack-protector.patch
new file mode 100644
index 0000000..51bc83a
--- /dev/null
+++ b/SOURCES/samba-4.9.0rc5-stack-protector.patch
@@ -0,0 +1,117 @@
+From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 3 Sep 2018 10:35:08 +0200
+Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support
+
+The -fstack-protector* flags are compiler only flags, don't pass them to
+the linker.
+
+https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371)
+---
+ buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
+index c4391d0c4dc..bfd6f9710db 100644
+--- a/buildtools/wafsamba/samba_autoconf.py
++++ b/buildtools/wafsamba/samba_autoconf.py
+@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None):
+ return
+
+ # we need to build real code that can't be optimized away to test
+- if conf.check(fragment='''
+- #include <stdio.h>
+-
+- int main(void)
+- {
+- char t[100000];
+- while (fgets(t, sizeof(t), stdin));
+- return 0;
+- }
+- ''',
+- execute=0,
+- ccflags='-fstack-protector',
+- ldflags='-fstack-protector',
+- mandatory=False,
+- msg='Checking if toolchain accepts -fstack-protector'):
+- conf.ADD_CFLAGS('-fstack-protector')
+- conf.ADD_LDFLAGS('-fstack-protector')
++ stack_protect_list = ['-fstack-protector-strong', '-fstack-protector']
++ for stack_protect_flag in stack_protect_list:
++ flag_supported = conf.check(fragment='''
++ #include <stdio.h>
++
++ int main(void)
++ {
++ char t[100000];
++ while (fgets(t, sizeof(t), stdin));
++ return 0;
++ }
++ ''',
++ execute=0,
++ ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag],
++ mandatory=False,
++ msg='Checking if compiler accepts %s' % (stack_protect_flag))
++ if flag_supported:
++ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
++ break
+
+ if Options.options.debug:
+ conf.ADD_CFLAGS('-g', testflags=True)
+--
+2.18.0
+
+
+From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 3 Sep 2018 10:49:52 +0200
+Subject: [PATCH 2/2] waf: Add -fstack-clash-protection
+
+https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0)
+---
+ buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
+index bfd6f9710db..f2b3ec8db8d 100644
+--- a/buildtools/wafsamba/samba_autoconf.py
++++ b/buildtools/wafsamba/samba_autoconf.py
+@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None):
+ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
+ break
+
++ flag_supported = conf.check(fragment='''
++ #include <stdio.h>
++
++ int main(void)
++ {
++ char t[100000];
++ while (fgets(t, sizeof(t), stdin));
++ return 0;
++ }
++ ''',
++ execute=0,
++ ccflags=[ '-Werror', '-fstack-clash-protection'],
++ mandatory=False,
++ msg='Checking if compiler accepts -fstack-clash-protection')
++ if flag_supported:
++ conf.ADD_CFLAGS('-fstack-clash-protection')
++
+ if Options.options.debug:
+ conf.ADD_CFLAGS('-g', testflags=True)
+
+--
+2.18.0
+
diff --git a/SOURCES/samba-4.9.1.tar.asc b/SOURCES/samba-4.9.1.tar.asc
new file mode 100644
index 0000000..3a95975
--- /dev/null
+++ b/SOURCES/samba-4.9.1.tar.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iFwEABECABwFAluomosVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
+Ef0AoLUiZNu1bqD0YjbzI8KCisfwPF/2AKDGrFuyL4ds6Ege/OiUbg7krCXrOg==
+=2NTz
+-----END PGP SIGNATURE-----
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 152ff2a..50ebc80 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -8,11 +8,11 @@
%define main_release 6
-%define samba_version 4.8.3
-%define talloc_version 2.1.11
-%define tdb_version 1.3.15
-%define tevent_version 0.9.36
-%define ldb_version 1.3.4
+%define samba_version 4.9.1
+%define talloc_version 2.1.14
+%define tdb_version 1.3.16
+%define tevent_version 0.9.37
+%define ldb_version 1.4.2
# This should be rc1 or nil
%define pre_release %nil
@@ -127,14 +127,24 @@ Source14: samba.pamd
Source200: README.dc
Source201: README.downgrade
-Patch0: samba-4.8.3-fix_krb5_plugins.patch
-Patch1: samba-4.8.3-fix_winbind_getpwnam_local_user.patch
-Patch2: samba-4.8.3-smbclient_quiet_argument.patch
-Patch3: CVE-2018-1139.patch
-Patch4: CVE-2018-10858.patch
-Patch5: samba-4.8-fix_smbspool_as_cups_backend.patch
-Patch6: samba-4.8-fix_cups_smbspool_backend.part1.patch
-Patch7: samba-4.8-fix_cups_smbspool_backend.part2.patch
+Patch0: samba-4.9.0rc5-stack-protector.patch
+Patch1: samba-4.9-harden_homes_share.patch
+Patch2: samba-4.9-static_analysis_fixes.patch
+Patch3: samba-4.9-fix_debug_segfault.patch
+Patch4: samba-4.9-fix_winbind_passdb_segfault.patch
+Patch5: samba-4.9-fix_testparm_crash.patch
+Patch6: samba-4.9-disable_netbios.patch
+Patch7: samba-4.9-net_ads_leave_keep_account.patch
+Patch8: samba-4.9-fix_force_group_panic.patch
+Patch9: samba-4.10-fix_gencache_debug_message.patch
+Patch10: samba-4.9-fix_net_ads_krb5.patch
+Patch11: samba-4.9-add_smbc_setOptionProtocols.patch
+Patch12: samba-4.9-fix_smbspool_as_cups_backend.patch
+Patch13: samba-4.9-doc_smbclient_max_protocol.patch
+Patch14: samba-4.9-fix_net_ads_join_admin_otherdomain.patch
+Patch15: samba-4.9-CVE-2019-3880.patch
+Patch16: samba-4.9-fix_smbspool_krb5_auth.patch
+Patch17: samba-4.9-fix_cups_printing.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@@ -178,6 +188,7 @@ BuildRequires: docbook-style-xsl
BuildRequires: e2fsprogs-devel
BuildRequires: gawk
BuildRequires: gnupg2
+BuildRequires: jansson-devel
BuildRequires: krb5-devel >= %{required_mit_krb5}
BuildRequires: libacl-devel
BuildRequires: libaio-devel
@@ -190,6 +201,7 @@ BuildRequires: libxslt
BuildRequires: ncurses-devel
BuildRequires: openldap-devel
BuildRequires: pam-devel
+BuildRequires: perl-interpreter
BuildRequires: perl(Test::More)
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(Parse::Yapp)
@@ -563,6 +575,7 @@ managing Samba AD.
### PIDL
%package pidl
Summary: Perl IDL compiler
+Requires: perl-interpreter
Requires: perl(Parse::Yapp)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
BuildArch: noarch
@@ -700,7 +713,6 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB)
Requires: %{name}-client-libs = %{samba_depver}
Requires: coreutils
-Requires: fileutils
# for ps and killall
Requires: psmisc
Requires: sed
@@ -874,8 +886,8 @@ install -d -m 0755 %{buildroot}/var/lib/samba/sysvol
install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged
install -d -m 0755 %{buildroot}/var/log/samba/old
install -d -m 0755 %{buildroot}/var/spool/samba
-install -d -m 0755 %{buildroot}/var/run/samba
-install -d -m 0755 %{buildroot}/var/run/winbindd
+install -d -m 0755 %{buildroot}/run/samba
+install -d -m 0755 %{buildroot}/run/winbindd
install -d -m 0755 %{buildroot}/%{_libdir}/samba
install -d -m 0755 %{buildroot}/%{_libdir}/samba/ldb
install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig
@@ -915,22 +927,21 @@ install -m644 examples/LDAP/samba.schema %{buildroot}%{_sysconfdir}/openldap/sch
install -m 0744 packaging/printing/smbprint %{buildroot}%{_bindir}/smbprint
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
-install -m644 packaging/systemd/samba.conf.tmp %{buildroot}%{_tmpfilesdir}/samba.conf
-# create /run/samba too.
-echo "d /run/samba 755 root root" >> %{buildroot}%{_tmpfilesdir}/samba.conf
+# Create /run/samba too.
+echo "d /run/samba 755 root root" > %{buildroot}%{_tmpfilesdir}/samba.conf
%if %with_clustering_support
-echo "d /run/ctdb 755 root root" >> %{buildroot}%{_tmpfilesdir}/ctdb.conf
+echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf
%endif
install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba
%if %with_clustering_support
cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb <<EOF
-# CTDB configuration is now in %{_sysconfdir}/ctdb/ctdbd.conf
+# CTDB configuration is now in %{_sysconfdir}/ctdb/ctdb.conf
EOF
install -d -m 0755 %{buildroot}%{_sysconfdir}/ctdb
-install -m 0644 ctdb/config/ctdbd.conf %{buildroot}%{_sysconfdir}/ctdb/ctdbd.conf
+install -m 0644 ctdb/config/ctdb.conf %{buildroot}%{_sysconfdir}/ctdb/ctdb.conf
%endif
install -m 0644 %{SOURCE201} packaging/README.downgrade
@@ -962,8 +973,10 @@ for i in \
%{_libdir}/samba/ldb/ldbsamba_extensions.so \
%{_mandir}/man8/samba.8 \
%{_mandir}/man8/samba-tool.8 \
- %{_mandir}/man8/samba_gpoupdate.8 \
- %{_sbindir}/samba_gpoupdate \
+ %{_mandir}/man8/samba-gpupdate.8 \
+ %{_sbindir}/samba-gpupdate \
+ %{_libdir}/libsamba-policy.so \
+ %{_libdir}/pkgconfig/samba-policy.pc \
%{python_sitearch}/samba/colour.py* \
%{python_sitearch}/samba/domain_update.py* \
%{python_sitearch}/samba/forest_update.py* \
@@ -998,6 +1011,35 @@ for i in \
%{python_sitearch}/samba/schema.py* \
%{python_sitearch}/samba/tests/krb5_credentials.py* \
%{python_sitearch}/samba/tests/password_quality.py* \
+ %{python_sitearch}/samba/gp_sec_ext.py* \
+ %{python_sitearch}/samba/mdb_util.py* \
+ %{python_sitearch}/samba/tests/audit_log_base.py* \
+ %{python_sitearch}/samba/tests/audit_log_dsdb.py* \
+ %{python_sitearch}/samba/tests/audit_log_pass_change.py* \
+ %{python_sitearch}/samba/tests/dckeytab.py* \
+ %{python_sitearch}/samba/tests/dns_invalid.py* \
+ %{python_sitearch}/samba/tests/domain_backup.py* \
+ %{python_sitearch}/samba/tests/getdcname.py* \
+ %{python_sitearch}/samba/tests/gpo.py* \
+ %{python_sitearch}/samba/tests/group_audit.py* \
+ %{python_sitearch}/samba/tests/loadparm.py* \
+ %{python_sitearch}/samba/tests/netbios.py* \
+ %{python_sitearch}/samba/tests/ntacls_backup.py* \
+ %{python_sitearch}/samba/tests/password_test.py* \
+ %{python_sitearch}/samba/tests/pso.py* \
+ %{python_sitearch}/samba/tests/s3idmapdb.py* \
+ %{python_sitearch}/samba/tests/s3param.py* \
+ %{python_sitearch}/samba/tests/s3passdb.py* \
+ %{python_sitearch}/samba/tests/s3registry.py* \
+ %{python_sitearch}/samba/tests/s3windb.py* \
+ %{python_sitearch}/samba/tests/samba_tool/computer.py* \
+ %{python_sitearch}/samba/tests/samba_tool/demote.py* \
+ %{python_sitearch}/samba/tests/samba_tool/forest.py* \
+ %{python_sitearch}/samba/tests/samba_tool/ou.py* \
+ %{python_sitearch}/samba/tests/samba_tool/passwordsettings.py* \
+ %{python_sitearch}/samba/tests/samba_tool/schema.py* \
+ %{python_sitearch}/samba/tests/samdb_api.py* \
+ %{python_sitearch}/samba/tests/smb.py* \
%{_unitdir}/samba.service \
; do
rm -f %{buildroot}$i
@@ -1197,7 +1239,7 @@ rm -rf %{buildroot}
%doc examples/printer-accounting examples/printing
%doc packaging/README.downgrade
%{_bindir}/smbstatus
-%{_bindir}/eventlogadm
+%{_sbindir}/eventlogadm
%{_sbindir}/nmbd
%{_sbindir}/smbd
%if %with_dc
@@ -1421,6 +1463,7 @@ rm -rf %{buildroot}
%dir %{_libdir}/samba
%{_libdir}/samba/libCHARSET3-samba4.so
+%{_libdir}/samba/libMESSAGING-SEND-samba4.so
%{_libdir}/samba/libaddns-samba4.so
%{_libdir}/samba/libads-samba4.so
%{_libdir}/samba/libasn1util-samba4.so
@@ -1435,6 +1478,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/libcliauth-samba4.so
%{_libdir}/samba/libcmdline-credentials-samba4.so
%{_libdir}/samba/libcommon-auth-samba4.so
+%{_libdir}/samba/libctdb-event-client-samba4.so
%{_libdir}/samba/libdbwrap-samba4.so
%{_libdir}/samba/libdcerpc-samba-samba4.so
%{_libdir}/samba/libevents-samba4.so
@@ -1536,8 +1580,8 @@ rm -rf %{buildroot}
%config(noreplace) %{_sysconfdir}/logrotate.d/samba
%attr(0700,root,root) %dir /var/log/samba
%attr(0700,root,root) %dir /var/log/samba/old
-%ghost %dir /var/run/samba
-%ghost %dir /var/run/winbindd
+%ghost %dir /run/samba
+%ghost %dir /run/winbindd
%dir /var/lib/samba
%attr(700,root,root) %dir /var/lib/samba/private
%dir /var/lib/samba/lock
@@ -1555,6 +1599,8 @@ rm -rf %{buildroot}
%files common-libs
%defattr(-,root,root)
# common libraries
+%{_libdir}/samba/libcmdline-contexts-samba4.so
+%{_libdir}/samba/libpopt-samba3-cmdline-samba4.so
%{_libdir}/samba/libpopt-samba3-samba4.so
%if %{with_intel_aes_accel}
%{_libdir}/samba/libaesni-intel-samba4.so
@@ -1592,20 +1638,20 @@ rm -rf %{buildroot}
%{_sbindir}/samba
%{_sbindir}/samba_kcc
%{_sbindir}/samba_dnsupdate
-%{_sbindir}/samba_gpoupdate
+%{_sbindir}/samba_gpupdate
%{_sbindir}/samba_spnupdate
%{_sbindir}/samba_upgradedns
%{_libdir}/krb5/plugins/kdb/samba.so
%{_libdir}/samba/auth/samba4.so
-%{_libdir}/samba/libgpo-samba4.so
%{_libdir}/samba/libpac-samba4.so
%dir %{_libdir}/samba/gensec
%{_libdir}/samba/gensec/krb5.so
%{_libdir}/samba/ldb/acl.so
%{_libdir}/samba/ldb/aclread.so
%{_libdir}/samba/ldb/anr.so
+%{_libdir}/samba/ldb/audit_log.so
%{_libdir}/samba/ldb/descriptor.so
%{_libdir}/samba/ldb/dirsync.so
%{_libdir}/samba/ldb/dns_notify.so
@@ -1614,6 +1660,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/ldb/extended_dn_in.so
%{_libdir}/samba/ldb/extended_dn_out.so
%{_libdir}/samba/ldb/extended_dn_store.so
+%{_libdir}/samba/ldb/group_audit_log.so
%{_libdir}/samba/ldb/ildap.so
%{_libdir}/samba/ldb/instancetype.so
%{_libdir}/samba/ldb/lazy_commit.so
@@ -1654,7 +1701,7 @@ rm -rf %{buildroot}
%{_datadir}/samba/setup
%{_mandir}/man8/samba.8*
%{_mandir}/man8/samba-tool.8*
-%{_mandir}/man8/samba_gpoupdate.8*
+%{_mandir}/man8/samba_gpupdate.8*
%else # with_dc
%doc packaging/README.dc
%endif # with_dc
@@ -1688,6 +1735,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/libdnsserver-common-samba4.so
%{_libdir}/samba/libdsdb-module-samba4.so
%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
+%{_libdir}/samba/libscavenge-dns-records-samba4.so
%else
%doc packaging/README.dc-libs
%endif # with_dc
@@ -1801,7 +1849,6 @@ rm -rf %{buildroot}
%{_libdir}/libsamba-credentials.so
%{_libdir}/libsamba-errors.so
%{_libdir}/libsamba-hostconfig.so
-%{_libdir}/libsamba-policy.so
%{_libdir}/libsamba-util.so
%{_libdir}/libsamdb.so
%{_libdir}/libsmbconf.so
@@ -1815,7 +1862,6 @@ rm -rf %{buildroot}
%{_libdir}/pkgconfig/netapi.pc
%{_libdir}/pkgconfig/samba-credentials.pc
%{_libdir}/pkgconfig/samba-hostconfig.pc
-%{_libdir}/pkgconfig/samba-policy.pc
%{_libdir}/pkgconfig/samba-util.pc
%{_libdir}/pkgconfig/samdb.pc
%{_libdir}/libsamba-passdb.so
@@ -1825,6 +1871,9 @@ rm -rf %{buildroot}
%{_includedir}/samba-4.0/dcerpc_server.h
%{_libdir}/libdcerpc-server.so
%{_libdir}/pkgconfig/dcerpc_server.pc
+
+%{_libdir}/libsamba-policy.so
+%{_libdir}/pkgconfig/samba-policy.pc
%endif
%if ! %with_libsmbclient
@@ -1859,11 +1908,9 @@ rm -rf %{buildroot}
%files libs
%defattr(-,root,root)
%{_libdir}/libdcerpc-samr.so.*
-%{_libdir}/libsamba-policy.so.*
# libraries needed by the public libraries
%{_libdir}/samba/libMESSAGING-samba4.so
-%{_libdir}/samba/libMESSAGING-SEND-samba4.so
%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so
%{_libdir}/samba/libauth4-samba4.so
%{_libdir}/samba/libauth-unix-token-samba4.so
@@ -1948,6 +1995,8 @@ rm -rf %{buildroot}
### PYTHON
%files python
%defattr(-,root,root,-)
+%{_libdir}/libsamba-policy.so.*
+
%dir %{python_sitearch}/samba
%{python_sitearch}/samba/__init__.py*
%{python_sitearch}/samba/_glue.so
@@ -1958,6 +2007,37 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/credentials.so
%{python_sitearch}/samba/crypto.so
%{python_sitearch}/samba/dbchecker.py*
+%{python_sitearch}/samba/descriptor.py*
+%{python_sitearch}/samba/gensec.so
+%{python_sitearch}/samba/getopt.py*
+%{python_sitearch}/samba/hostconfig.py*
+%{python_sitearch}/samba/idmap.py*
+%{python_sitearch}/samba/join.py*
+%{python_sitearch}/samba/messaging.so
+%{python_sitearch}/samba/ms_display_specifiers.py*
+%{python_sitearch}/samba/ms_schema.py*
+%{python_sitearch}/samba/ndr.py*
+%{python_sitearch}/samba/net.so
+%{python_sitearch}/samba/netbios.so
+%{python_sitearch}/samba/ntacls.py*
+%{python_sitearch}/samba/ntstatus.so
+%{python_sitearch}/samba/param.so
+%{python_sitearch}/samba/policy.so
+%{python_sitearch}/samba/posix_eadb.so
+%{python_sitearch}/samba/registry.so
+%{python_sitearch}/samba/remove_dc.py*
+%{python_sitearch}/samba/sd_utils.py*
+%{python_sitearch}/samba/security.so
+%{python_sitearch}/samba/sites.py*
+%{python_sitearch}/samba/smb.so
+%{python_sitearch}/samba/subnets.py*
+%{python_sitearch}/samba/upgrade.py*
+%{python_sitearch}/samba/upgradehelpers.py*
+%{python_sitearch}/samba/werror.so
+%{python_sitearch}/samba/xattr.py*
+%{python_sitearch}/samba/xattr_native.so
+%{python_sitearch}/samba/xattr_tdb.so
+
%dir %{python_sitearch}/samba/dcerpc
%{python_sitearch}/samba/dcerpc/__init__.py*
%{python_sitearch}/samba/dcerpc/atsvc.so
@@ -1993,79 +2073,73 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/dcerpc/winreg.so
%{python_sitearch}/samba/dcerpc/wkssvc.so
%{python_sitearch}/samba/dcerpc/xattr.so
-%{python_sitearch}/samba/descriptor.py*
-%{python_sitearch}/samba/gensec.so
-%{python_sitearch}/samba/getopt.py*
-%{python_sitearch}/samba/hostconfig.py*
-%{python_sitearch}/samba/idmap.py*
-%{python_sitearch}/samba/join.py*
-%{python_sitearch}/samba/messaging.so
-%{python_sitearch}/samba/ms_display_specifiers.py*
-%{python_sitearch}/samba/ms_schema.py*
-%{python_sitearch}/samba/ndr.py*
-%{python_sitearch}/samba/net.so
-%{python_sitearch}/samba/netbios.so
+
%dir %{python_sitearch}/samba/emulate
%{python_sitearch}/samba/emulate/__init__.py*
%{python_sitearch}/samba/emulate/traffic.py*
%{python_sitearch}/samba/emulate/traffic_packets.py*
+
%dir %{python_sitearch}/samba/netcmd
%{python_sitearch}/samba/netcmd/__init__.py*
%{python_sitearch}/samba/netcmd/common.py*
+%{python_sitearch}/samba/netcmd/computer.py*
%{python_sitearch}/samba/netcmd/dbcheck.py*
%{python_sitearch}/samba/netcmd/delegation.py*
%{python_sitearch}/samba/netcmd/dns.py*
%{python_sitearch}/samba/netcmd/domain.py*
+%{python_sitearch}/samba/netcmd/domain_backup.py*
%{python_sitearch}/samba/netcmd/drs.py*
%{python_sitearch}/samba/netcmd/dsacl.py*
+%{python_sitearch}/samba/netcmd/forest.py*
%{python_sitearch}/samba/netcmd/gpo.py*
%{python_sitearch}/samba/netcmd/group.py*
%{python_sitearch}/samba/netcmd/ldapcmp.py*
%{python_sitearch}/samba/netcmd/main.py*
%{python_sitearch}/samba/netcmd/nettime.py*
%{python_sitearch}/samba/netcmd/ntacl.py*
+%{python_sitearch}/samba/netcmd/ou.py*
%{python_sitearch}/samba/netcmd/processes.py*
+%{python_sitearch}/samba/netcmd/pso.py*
+%{python_sitearch}/samba/netcmd/schema.py*
%{python_sitearch}/samba/netcmd/sites.py*
%{python_sitearch}/samba/netcmd/spn.py*
%{python_sitearch}/samba/netcmd/testparm.py*
%{python_sitearch}/samba/netcmd/user.py*
-%{python_sitearch}/samba/ntacls.py*
-%{python_sitearch}/samba/ntstatus.so
-%{python_sitearch}/samba/param.so
-%{python_sitearch}/samba/policy.so
-%{python_sitearch}/samba/posix_eadb.so
-%{python_sitearch}/samba/registry.so
-%{python_sitearch}/samba/remove_dc.py*
+
%dir %{python_sitearch}/samba/samba3
%{python_sitearch}/samba/samba3/__init__.py*
%{python_sitearch}/samba/samba3/libsmb_samba_internal.so
%{python_sitearch}/samba/samba3/param.so
%{python_sitearch}/samba/samba3/passdb.so
%{python_sitearch}/samba/samba3/smbd.so
-%{python_sitearch}/samba/sd_utils.py*
-%{python_sitearch}/samba/security.so
-%{python_sitearch}/samba/sites.py*
-%{python_sitearch}/samba/smb.so
-%{python_sitearch}/samba/subnets.py*
+
%dir %{python_sitearch}/samba/subunit
%{python_sitearch}/samba/subunit/__init__.py*
%{python_sitearch}/samba/subunit/run.py*
%{python_sitearch}/samba/tdb_util.py*
+
%dir %{python_sitearch}/samba/third_party
%{python_sitearch}/samba/third_party/__init__.py*
-%{python_sitearch}/samba/upgrade.py*
-%{python_sitearch}/samba/upgradehelpers.py*
-%{python_sitearch}/samba/werror.so
-%{python_sitearch}/samba/xattr.py*
-%{python_sitearch}/samba/xattr_native.so
-%{python_sitearch}/samba/xattr_tdb.so
%if %{with_dc}
%files python-dc
%defattr(-,root,root,-)
+%{python_sitearch}/samba/domain_update.py*
+%{python_sitearch}/samba/dckeytab.so
+%{python_sitearch}/samba/dsdb.so
+%{python_sitearch}/samba/dsdb_dns.so
+%{python_sitearch}/samba/dnsserver.py*
+%{python_sitearch}/samba/forest_update.py*
+%{python_sitearch}/samba/gpclass.py*
+%{python_sitearch}/samba/gpo.so
+%{python_sitearch}/samba/gp_sec_ext.py*
+%{python_sitearch}/samba/mdb_util.py*
+%{python_sitearch}/samba/ms_forest_updates_markdown.py*
+%{python_sitearch}/samba/ms_schema_markdown.py*
+%{python_sitearch}/samba/samdb.py*
+%{python_sitearch}/samba/schema.py*
+
%{python_sitearch}/samba/dcerpc/dnsserver.so
-%{python_sitearch}/samba/netcmd/fsmo.py*
-%{python_sitearch}/samba/netcmd/rodc.py*
%dir %{python_sitearch}/samba/kcc
%{python_sitearch}/samba/kcc/__init__.py*
@@ -2085,20 +2159,6 @@ rm -rf %{buildroot}
%dir %{python_sitearch}/samba/web_server
%{python_sitearch}/samba/web_server/__init__.py*
-
-%{python_sitearch}/samba/domain_update.py*
-%{python_sitearch}/samba/dckeytab.so
-%{python_sitearch}/samba/dnsserver.py*
-%{python_sitearch}/samba/drs_utils.py*
-%{python_sitearch}/samba/dsdb.so
-%{python_sitearch}/samba/dsdb_dns.so
-%{python_sitearch}/samba/forest_update.py*
-%{python_sitearch}/samba/gpclass.py*
-%{python_sitearch}/samba/gpo.so
-%{python_sitearch}/samba/ms_forest_updates_markdown.py*
-%{python_sitearch}/samba/ms_schema_markdown.py*
-%{python_sitearch}/samba/samdb.py*
-%{python_sitearch}/samba/schema.py*
%endif
%files python-test
@@ -2192,7 +2252,6 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/provision.py*
%{python_sitearch}/samba/tests/py_credentials.py*
%{python_sitearch}/samba/tests/registry.py*
-%{python_sitearch}/samba/tests/samba3.py*
%{python_sitearch}/samba/tests/samba3sam.py*
%dir %{python_sitearch}/samba/tests/samba_tool
%{python_sitearch}/samba/tests/samba_tool/__init__.py*
@@ -2303,15 +2362,15 @@ rm -rf %{buildroot}
%files -n ctdb
%defattr(-,root,root)
%doc ctdb/README
+%doc ctdb/doc/examples
# Obsolete
%config(noreplace, missingok) %{_sysconfdir}/sysconfig/ctdb
%dir %{_sysconfdir}/ctdb
-%config(noreplace) %{_sysconfdir}/ctdb/ctdbd.conf
+%config(noreplace) %{_sysconfdir}/ctdb/ctdb.conf
%config(noreplace) %{_sysconfdir}/ctdb/notify.sh
%config(noreplace) %{_sysconfdir}/ctdb/debug-hung-script.sh
%config(noreplace) %{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh
-%config(noreplace) %{_sysconfdir}/ctdb/gcore_trace.sh
%config(noreplace) %{_sysconfdir}/ctdb/debug_locks.sh
%{_sysconfdir}/ctdb/functions
@@ -2321,29 +2380,9 @@ rm -rf %{buildroot}
# CTDB scripts, no config files
# script with executable bit means activated
-%dir %{_sysconfdir}/ctdb/events.d
-%{_sysconfdir}/ctdb/events.d/00.ctdb
-%{_sysconfdir}/ctdb/events.d/01.reclock
-%{_sysconfdir}/ctdb/events.d/05.system
-%{_sysconfdir}/ctdb/events.d/06.nfs
-%{_sysconfdir}/ctdb/events.d/10.external
-%{_sysconfdir}/ctdb/events.d/10.interface
-%{_sysconfdir}/ctdb/events.d/11.natgw
-%{_sysconfdir}/ctdb/events.d/11.routing
-%{_sysconfdir}/ctdb/events.d/13.per_ip_routing
-%{_sysconfdir}/ctdb/events.d/20.multipathd
-%{_sysconfdir}/ctdb/events.d/31.clamd
-%{_sysconfdir}/ctdb/events.d/40.vsftpd
-%{_sysconfdir}/ctdb/events.d/41.httpd
-%{_sysconfdir}/ctdb/events.d/49.winbind
-%{_sysconfdir}/ctdb/events.d/50.samba
-%{_sysconfdir}/ctdb/events.d/60.nfs
-%{_sysconfdir}/ctdb/events.d/70.iscsi
-%{_sysconfdir}/ctdb/events.d/91.lvs
-%{_sysconfdir}/ctdb/events.d/99.timeout
-%{_sysconfdir}/ctdb/events.d/README
-%dir %{_sysconfdir}/ctdb/notify.d
-%{_sysconfdir}/ctdb/notify.d/README
+%dir %{_sysconfdir}/ctdb/events
+%dir %{_sysconfdir}/ctdb/events/notification
+%{_sysconfdir}/ctdb/events/notification/README
# CTDB scripts, no config files
# script with executable bit means activated
@@ -2365,13 +2404,15 @@ rm -rf %{buildroot}
%{_bindir}/onnode
%dir %{_libexecdir}/ctdb
-%{_libexecdir}/ctdb/ctdb_event
-%{_libexecdir}/ctdb/ctdb_eventd
+%{_libexecdir}/ctdb/ctdb-config
+%{_libexecdir}/ctdb/ctdb-event
+%{_libexecdir}/ctdb/ctdb-eventd
%{_libexecdir}/ctdb/ctdb_killtcp
%{_libexecdir}/ctdb/ctdb_lock_helper
%{_libexecdir}/ctdb/ctdb_lvs
%{_libexecdir}/ctdb/ctdb_mutex_fcntl_helper
%{_libexecdir}/ctdb/ctdb_natgw
+%{_libexecdir}/ctdb/ctdb-path
%{_libexecdir}/ctdb/ctdb_recovery_helper
%{_libexecdir}/ctdb/ctdb_takeover_helper
%{_libexecdir}/ctdb/smnotify
@@ -2385,7 +2426,9 @@ rm -rf %{buildroot}
%{_mandir}/man1/ltdbtool.1.gz
%{_mandir}/man1/ping_pong.1.gz
%{_mandir}/man1/ctdbd_wrapper.1.gz
-%{_mandir}/man5/ctdbd.conf.5.gz
+%{_mandir}/man5/ctdb.conf.5.gz
+%{_mandir}/man5/ctdb-script.options.5.gz
+%{_mandir}/man5/ctdb.sysconfig.5.gz
%{_mandir}/man7/ctdb.7.gz
%{_mandir}/man7/ctdb-tunables.7.gz
%{_mandir}/man7/ctdb-statistics.7.gz
@@ -2394,6 +2437,27 @@ rm -rf %{buildroot}
%{_unitdir}/ctdb.service
+%dir %{_datadir}/ctdb
+%dir %{_datadir}/ctdb/events
+%dir %{_datadir}/ctdb/events/legacy/
+%{_datadir}/ctdb/events/legacy/00.ctdb.script
+%{_datadir}/ctdb/events/legacy/01.reclock.script
+%{_datadir}/ctdb/events/legacy/05.system.script
+%{_datadir}/ctdb/events/legacy/06.nfs.script
+%{_datadir}/ctdb/events/legacy/10.interface.script
+%{_datadir}/ctdb/events/legacy/11.natgw.script
+%{_datadir}/ctdb/events/legacy/11.routing.script
+%{_datadir}/ctdb/events/legacy/13.per_ip_routing.script
+%{_datadir}/ctdb/events/legacy/20.multipathd.script
+%{_datadir}/ctdb/events/legacy/31.clamd.script
+%{_datadir}/ctdb/events/legacy/40.vsftpd.script
+%{_datadir}/ctdb/events/legacy/41.httpd.script
+%{_datadir}/ctdb/events/legacy/49.winbind.script
+%{_datadir}/ctdb/events/legacy/50.samba.script
+%{_datadir}/ctdb/events/legacy/60.nfs.script
+%{_datadir}/ctdb/events/legacy/70.iscsi.script
+%{_datadir}/ctdb/events/legacy/91.lvs.script
+
%files -n ctdb-tests
%defattr(-,root,root)
%doc ctdb/tests/README
@@ -2402,13 +2466,18 @@ rm -rf %{buildroot}
%dir %{_libexecdir}/ctdb
%dir %{_libexecdir}/ctdb/tests
+%{_libexecdir}/ctdb/tests/cmdline_test
%{_libexecdir}/ctdb/tests/comm_client_test
%{_libexecdir}/ctdb/tests/comm_server_test
%{_libexecdir}/ctdb/tests/comm_test
+%{_libexecdir}/ctdb/tests/conf_test
%{_libexecdir}/ctdb/tests/ctdb_packet_parse
%{_libexecdir}/ctdb/tests/ctdb_takeover_tests
%{_libexecdir}/ctdb/tests/db_hash_test
%{_libexecdir}/ctdb/tests/dummy_client
+%{_libexecdir}/ctdb/tests/errcode
+%{_libexecdir}/ctdb/tests/event_protocol_test
+%{_libexecdir}/ctdb/tests/event_script_test
%{_libexecdir}/ctdb/tests/fake_ctdbd
%{_libexecdir}/ctdb/tests/fetch_loop
%{_libexecdir}/ctdb/tests/fetch_loop_key
@@ -2417,6 +2486,7 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/fetch_ring
%{_libexecdir}/ctdb/tests/g_lock_loop
%{_libexecdir}/ctdb/tests/hash_count_test
+%{_libexecdir}/ctdb/tests/line_test
%{_libexecdir}/ctdb/tests/lock_tdb
%{_libexecdir}/ctdb/tests/message_ring
%{_libexecdir}/ctdb/tests/pidfile_test
@@ -2426,7 +2496,6 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/protocol_basic_test
%{_libexecdir}/ctdb/tests/protocol_ctdb_compat_test
%{_libexecdir}/ctdb/tests/protocol_ctdb_test
-%{_libexecdir}/ctdb/tests/protocol_event_test
%{_libexecdir}/ctdb/tests/protocol_types_compat_test
%{_libexecdir}/ctdb/tests/protocol_types_test
%{_libexecdir}/ctdb/tests/protocol_util_test
@@ -2434,6 +2503,7 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/reqid_test
%{_libexecdir}/ctdb/tests/run_event_test
%{_libexecdir}/ctdb/tests/run_proc_test
+%{_libexecdir}/ctdb/tests/sigcode
%{_libexecdir}/ctdb/tests/sock_daemon_test
%{_libexecdir}/ctdb/tests/sock_io_test
%{_libexecdir}/ctdb/tests/srvid_test
@@ -2444,11 +2514,11 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/update_record
%{_libexecdir}/ctdb/tests/update_record_persistent
-%dir %{_datadir}/ctdb
%dir %{_datadir}/ctdb/tests
%dir %{_datadir}/ctdb/tests/complex
%{_datadir}/ctdb/tests/complex/README
+%{_datadir}/ctdb/tests/complex/00_ctdb_init.sh
%{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh
%{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh
%{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh
@@ -2456,7 +2526,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/complex/32_cifs_tickle.sh
%{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh
%{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh
-%{_datadir}/ctdb/tests/complex/35_cifs_external_tickle.sh
%{_datadir}/ctdb/tests/complex/36_smb_reset_server.sh
%{_datadir}/ctdb/tests/complex/37_nfs_reset_server.sh
%{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh
@@ -2466,16 +2535,28 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/complex/45_failover_nfs_kill.sh
%{_datadir}/ctdb/tests/complex/60_rogueip_releaseip.sh
%{_datadir}/ctdb/tests/complex/61_rogueip_takeip.sh
-%{_datadir}/ctdb/tests/complex/90_debug_hung_script.sh
%dir %{_datadir}/ctdb/tests/complex/scripts
%{_datadir}/ctdb/tests/complex/scripts/local.bash
%dir %{_datadir}/ctdb/tests/cunit
+%{_datadir}/ctdb/tests/cunit/cmdline_test_001.sh
%{_datadir}/ctdb/tests/cunit/comm_test_001.sh
%{_datadir}/ctdb/tests/cunit/comm_test_002.sh
+%{_datadir}/ctdb/tests/cunit/conf_test_001.sh
+%{_datadir}/ctdb/tests/cunit/config_test_001.sh
+%{_datadir}/ctdb/tests/cunit/config_test_002.sh
+%{_datadir}/ctdb/tests/cunit/config_test_003.sh
+%{_datadir}/ctdb/tests/cunit/config_test_004.sh
+%{_datadir}/ctdb/tests/cunit/config_test_005.sh
+%{_datadir}/ctdb/tests/cunit/config_test_006.sh
+%{_datadir}/ctdb/tests/cunit/config_test_007.sh
%{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
+%{_datadir}/ctdb/tests/cunit/event_protocol_test_001.sh
+%{_datadir}/ctdb/tests/cunit/event_script_test_001.sh
%{_datadir}/ctdb/tests/cunit/hash_count_test_001.sh
+%{_datadir}/ctdb/tests/cunit/line_test_001.sh
+%{_datadir}/ctdb/tests/cunit/path_tests_001.sh
%{_datadir}/ctdb/tests/cunit/pidfile_test_001.sh
%{_datadir}/ctdb/tests/cunit/pkt_read_001.sh
%{_datadir}/ctdb/tests/cunit/pkt_write_001.sh
@@ -2484,7 +2565,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/cunit/protocol_test_002.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_012.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_101.sh
-%{_datadir}/ctdb/tests/cunit/protocol_test_102.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_111.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_201.sh
%{_datadir}/ctdb/tests/cunit/rb_test_001.sh
@@ -2497,6 +2577,36 @@ rm -rf %{buildroot}
%dir %{_datadir}/ctdb/tests/eventd
%{_datadir}/ctdb/tests/eventd/README
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/ctdb.conf
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/debug-script.sh
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/data
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/data/README
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/data/03.notalink.script
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/empty
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/empty/README
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi/01.test.script
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi/02.test.script
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi/03.test.script
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/01.disabled.script
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/02.enabled.script
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/README.script
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/a.script
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/data
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/data/01.dummy.script
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/data/02.disabled.script
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/empty
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/empty/README
+%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/01.disabled.script
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/02.enabled.script
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/a.script
+%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/README.script
%{_datadir}/ctdb/tests/eventd/eventd_001.sh
%{_datadir}/ctdb/tests/eventd/eventd_002.sh
%{_datadir}/ctdb/tests/eventd/eventd_003.sh
@@ -2504,6 +2614,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventd/eventd_005.sh
%{_datadir}/ctdb/tests/eventd/eventd_006.sh
%{_datadir}/ctdb/tests/eventd/eventd_007.sh
+%{_datadir}/ctdb/tests/eventd/eventd_008.sh
+%{_datadir}/ctdb/tests/eventd/eventd_009.sh
%{_datadir}/ctdb/tests/eventd/eventd_011.sh
%{_datadir}/ctdb/tests/eventd/eventd_012.sh
%{_datadir}/ctdb/tests/eventd/eventd_013.sh
@@ -2518,13 +2630,12 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventd/eventd_041.sh
%{_datadir}/ctdb/tests/eventd/eventd_042.sh
%{_datadir}/ctdb/tests/eventd/eventd_043.sh
+%{_datadir}/ctdb/tests/eventd/eventd_044.sh
%{_datadir}/ctdb/tests/eventd/eventd_051.sh
+%{_datadir}/ctdb/tests/eventd/eventd_052.sh
%dir %{_datadir}/ctdb/tests/eventd/scripts
%{_datadir}/ctdb/tests/eventd/scripts/local.sh
-%dir %{_datadir}/ctdb/tests/events.d
-%{_datadir}/ctdb/tests/events.d/00.test
-
%dir %{_datadir}/ctdb/tests/eventscripts
%{_datadir}/ctdb/tests/eventscripts/README
%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.001.sh
@@ -2579,8 +2690,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.004.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.005.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.006.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.007.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.008.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.009.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.010.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.011.sh
@@ -2647,29 +2756,18 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh
%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh
-%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.003.sh
-%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.001.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.002.sh
-%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
-%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.002.sh
-%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.001.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.002.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.002.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.104.sh
@@ -2683,7 +2781,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.002.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.011.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.startup.011.sh
-%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.102.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.103.sh
@@ -2741,13 +2838,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/statd-callout.007.sh
%dir %{_datadir}/ctdb/tests/eventscripts/etc-ctdb
-%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/events.d
-%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/functions
-%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-checks.d
-%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-linux-kernel-callout
%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/public_addresses
%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/rc.local
-%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/statd-callout
%dir %{_datadir}/ctdb/tests/eventscripts/etc
%dir %{_datadir}/ctdb/tests/eventscripts/etc/init.d
@@ -2758,14 +2850,30 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/etc/samba/smb.conf
%dir %{_datadir}/ctdb/tests/eventscripts/etc/sysconfig
-%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/ctdb
%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/nfs
%dir %{_datadir}/ctdb/tests/eventscripts/scripts
%{_datadir}/ctdb/tests/eventscripts/scripts/local.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/00.ctdb.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/01.reclock.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/05.system.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/06.nfs.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/10.interface.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/11.natgw.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/13.per_ip_routing.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/20.multipathd.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/31.clamd.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/40.vsftpd.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/41.httpd.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/49.winbind.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/50.samba.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/60.nfs.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/91.lvs.sh
+%{_datadir}/ctdb/tests/eventscripts/scripts/statd-callout.sh
%dir %{_datadir}/ctdb/tests/eventscripts/stubs
%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb-config
%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_killtcp
%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_lvs
%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_natgw
@@ -2782,8 +2890,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/stubs/killall
%{_datadir}/ctdb/tests/eventscripts/stubs/multipath
%{_datadir}/ctdb/tests/eventscripts/stubs/net
-%{_datadir}/ctdb/tests/eventscripts/stubs/netstat
-%{_datadir}/ctdb/tests/eventscripts/stubs/nmap
%{_datadir}/ctdb/tests/eventscripts/stubs/pidof
%{_datadir}/ctdb/tests/eventscripts/stubs/pkill
%{_datadir}/ctdb/tests/eventscripts/stubs/ps
@@ -2814,8 +2920,9 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/onnode/0071.sh
%{_datadir}/ctdb/tests/onnode/0072.sh
%{_datadir}/ctdb/tests/onnode/0075.sh
-%{_datadir}/ctdb/tests/onnode/functions
-%{_datadir}/ctdb/tests/onnode/nodes
+
+%dir %{_datadir}/ctdb/tests/onnode/etc-ctdb
+%{_datadir}/ctdb/tests/onnode/etc-ctdb/nodes
%dir %{_datadir}/ctdb/tests/onnode/scripts
%{_datadir}/ctdb/tests/onnode/scripts/local.sh
@@ -2895,16 +3002,21 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/simple/76_ctdb_pdb_recovery.sh
%{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh
%{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh
+%{_datadir}/ctdb/tests/simple/79_volatile_db_traverse.sh
%{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
%{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh
+%{_datadir}/ctdb/tests/simple/90_debug_hung_script.sh
%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
-%{_datadir}/ctdb/tests/simple/functions
-# This is a dangling symlink but needed for testing
-%{_datadir}/ctdb/tests/simple/nodes
+
+%dir %{_datadir}/ctdb/tests/simple/etc-ctdb
+%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events
+%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy
+%{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy/00.test.script
%dir %{_datadir}/ctdb/tests/simple/scripts
%{_datadir}/ctdb/tests/simple/scripts/local.bash
%{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash
+%{_datadir}/ctdb/tests/simple/scripts/ssh_local_daemons.sh
%dir %{_datadir}/ctdb/tests/takeover
%{_datadir}/ctdb/tests/takeover/README
@@ -2927,14 +3039,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/takeover/lcp2.014.sh
%{_datadir}/ctdb/tests/takeover/lcp2.015.sh
%{_datadir}/ctdb/tests/takeover/lcp2.016.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.017.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.018.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.019.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.022.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.023.sh
%{_datadir}/ctdb/tests/takeover/lcp2.024.sh
%{_datadir}/ctdb/tests/takeover/lcp2.025.sh
-%{_datadir}/ctdb/tests/takeover/lcp2.026.sh
%{_datadir}/ctdb/tests/takeover/lcp2.027.sh
%{_datadir}/ctdb/tests/takeover/lcp2.028.sh
%{_datadir}/ctdb/tests/takeover/lcp2.029.sh
@@ -2958,12 +3064,10 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/takeover_helper/012.sh
%{_datadir}/ctdb/tests/takeover_helper/013.sh
%{_datadir}/ctdb/tests/takeover_helper/014.sh
-%{_datadir}/ctdb/tests/takeover_helper/015.sh
%{_datadir}/ctdb/tests/takeover_helper/016.sh
%{_datadir}/ctdb/tests/takeover_helper/017.sh
%{_datadir}/ctdb/tests/takeover_helper/018.sh
%{_datadir}/ctdb/tests/takeover_helper/019.sh
-%{_datadir}/ctdb/tests/takeover_helper/020.sh
%{_datadir}/ctdb/tests/takeover_helper/021.sh
%{_datadir}/ctdb/tests/takeover_helper/022.sh
%{_datadir}/ctdb/tests/takeover_helper/023.sh
@@ -2998,12 +3102,20 @@ rm -rf %{buildroot}
%dir %{_datadir}/ctdb/tests/tool
%{_datadir}/ctdb/tests/tool/README
+%{_datadir}/ctdb/tests/tool/ctdb.attach.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.attach.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.attach.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.ban.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.ban.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.ban.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.catdb.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.catdb.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.cattdb.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.cattdb.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.continue.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.continue.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.continue.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.deletekey.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.disable.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh
@@ -3061,11 +3173,15 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.004.sh
%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.005.sh
%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.pdelete.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.ping.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.pnn.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.process-exists.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.process-exists.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.process-exists.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.pstore.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ptrans.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.readkey.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.recmaster.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.recmaster.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.recover.001.sh
@@ -3116,6 +3232,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/tool/ctdb.unban.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.unban.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.uptime.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.writekey.001.sh
%dir %{_datadir}/ctdb/tests/tool/scripts
%{_datadir}/ctdb/tests/tool/scripts/local.sh
@@ -3123,11 +3240,45 @@ rm -rf %{buildroot}
%endif # with_clustering_support
%changelog
-* Tue May 28 2019 Andreas Schneider <asn@redhat.com> - 4.8.3-6
-- resolves: #1713637 - Fix smbspool with krb5 as CUPS backend
-
-* Wed Mar 20 2019 Andreas Schneider <asn@redhat.com> - 4.8.3-5
-- resolves: #1690517 - Fix smbspool as CUPS backend
+* Fri May 24 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-6
+- related: #1703204 - Fix printing with smbspool as CUPS backend
+
+* Fri May 10 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-5
+- resolves: #1703204 - Fix smbspool krb5 authentication
+
+* Thu Mar 28 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-4
+- resolves: #1690222 - Fix --max-protocol documentation of smbclient
+- resolves: #1518353 - Fix 'net ads join -Uadmin@forestdomain'
+- resolves: #1696524 - Fix CVE-2019-3880
+
+* Thu Mar 14 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-3
+- resolves: #1479451 - Fix 'net' command auth with Kerberos
+- resolves: #1686158 - Fix printing with CUPS
+- resolves: #1662408 - Fix username/password printing with CUPS
+
+* Mon Feb 11 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-2
+- resolves: #1674403 - Fix panic when setting 'force group' on a share with
+ an active connections
+- resolves: #1670720 - Fix installation of samba-python
+- resolves: #1669476 - Fix user lookup via UPN
+
+* Fri Jan 18 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-1
+- resolves: #1649434 - Update to version 4.9.1
+- resolves: #1648852 - Fix out of bound array access in ctdb
+- resolves: #1647960 - Fix segfault in the debug system with hardended build
+- resolves: #1644328 - Fix segfault if wrong 'passdb backend' is configured
+- resolves: #1650452 - Add smbc_setOptionProtocols()
+- resolves: #1659513 - Fix testparm/pdbedit crash
+- resolves: #1529301 - Added new 'net ads spn' command
+- resolves: #1595277 - Fix manpage for 'net ads lookup'
+- resolves: #1600274 - Fix vfs_audit log which does not show full path names
+- resolves: #1623140 - Fix handling the 'disable netbios' option
+- resolves: #1624227 - Connect to spoolss with the correct version information
+- resolves: #1659533 - Fix new file and folder creation with vfs_glusterfs
+- resolves: #1579401 - Implement 'net ads leave --keep-account'
+- resolves: #1624227 - Fix spoolss client operations against newer Windows
+ versions
+- resolves: #1656405 - Fix looking up local system accounts
* Thu Aug 09 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-4
- resolves: #1614132 - Fix delete-on-close after smb2_find