diff --git a/.gitignore b/.gitignore
index 6547baf..15a87be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/samba-4.4.4.tar.xz
+SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+SOURCES/samba-4.6.2.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 7f1ab09..ac19222 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1 +1,2 @@
-f0b397800ce12a06021480f10846362ba2663f25 SOURCES/samba-4.4.4.tar.xz
+6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+57a1a9dce118fa9059f9d3e7a595db3491e265bc SOURCES/samba-4.6.2.tar.xz
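Review bot: The two added entries pin the key file and the 4.6.2 tarball only by a 40-hex digest (SHA-1, judging by its length), and the key's digest sits in the same manifest as the tarball's, so this file alone does not authenticate the upstream release. The spec file is not visible here; it is worth confirming that `%prep` verifies the tarball's detached signature against `SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg` (for example with `gpgv`). The key's fingerprint should also have been checked against the Samba release key through an independent channel before upload. Separately, the sections that follow delete the `CVE-2016-2119`, `CVE-2016-2125`, `CVE-2016-2126` and `CVE-2017-2619` backport patches. The package changelog or commit message should state that samba-4.6.2 already contains each of those fixes, so the removal can be audited.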
diff --git a/SOURCES/CVE-2016-2119-v4-4.patch b/SOURCES/CVE-2016-2119-v4-4.patch
deleted file mode 100644
index 55da381..0000000
--- a/SOURCES/CVE-2016-2119-v4-4.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 3f8b6a3c56ec188d662767027703999faf14e71f Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 20 Apr 2016 11:26:57 +0200
-Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if
- we require signing
-
-Note real anonymous sessions (with "" as username) don't hit this
-as we don't even call smb2cli_session_set_session_key() in that case.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- libcli/smb/smbXcli_base.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
-index 4332374..691b8ff 100644
---- a/libcli/smb/smbXcli_base.c
-+++ b/libcli/smb/smbXcli_base.c
-@@ -5312,6 +5312,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
- 		return false;
- 	}
- 
-+	if (session->conn->mandatory_signing) {
-+		return false;
-+	}
-+
- 	if (session->conn->protocol >= PROTOCOL_SMB2_02) {
- 		if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
- 			return true;
-@@ -5571,7 +5575,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
- 					 const struct iovec *recv_iov)
- {
- 	struct smbXcli_conn *conn = session->conn;
--	uint16_t no_sign_flags;
-+	uint16_t no_sign_flags = 0;
- 	uint8_t session_key[16];
- 	bool check_signature = true;
- 	uint32_t hdr_flags;
-@@ -5596,7 +5600,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
- 		return NT_STATUS_INVALID_PARAMETER_MIX;
- 	}
- 
--	no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
-+	if (!conn->mandatory_signing) {
-+		/*
-+		 * only allow guest sessions without
-+		 * mandatory signing.
-+		 *
-+		 * If we try an authentication with username != ""
-+		 * and the server let us in without verifying the
-+		 * password we don't have a negotiated session key
-+		 * for signing.
-+		 */
-+		no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
-+	}
- 
- 	if (session->smb2->session_flags & no_sign_flags) {
- 		session->smb2->should_sign = false;
--- 
-1.9.1
-
-
-From 11db8ea97ddb3cf9fde48dbe5df14a71ebc308db Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 28 Apr 2016 02:36:35 +0200
-Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding
- smbXcli_session_is_guest() with mandatory signing
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/libsmb/cliconnect.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index ea92c8f..ebba8f2 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -1588,6 +1588,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
- 			 * have a negotiated session key.
- 			 *
- 			 * So just pretend we are completely done.
-+			 *
-+			 * Note that smbXcli_session_is_guest()
-+			 * always returns false if we require signing.
- 			 */
- 			state->blob_in = data_blob_null;
- 			state->local_ready = true;
--- 
-1.9.1
-
-
-From 28ed026b9486fb248daf713655ea307c478d2832 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 28 Apr 2016 02:24:52 +0200
-Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for
- guest logins and mandatory signing
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/script/tests/test_smbclient_ntlm.sh | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh
-index b8fc564..33a927f 100755
---- a/source3/script/tests/test_smbclient_ntlm.sh
-+++ b/source3/script/tests/test_smbclient_ntlm.sh
-@@ -37,4 +37,8 @@ else
- 
- 	testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
- 	testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
-+
-+	testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
-+	testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
-+	testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
- fi
--- 
-1.9.1
-
diff --git a/SOURCES/CVE-2016-2125-v4-4.patch b/SOURCES/CVE-2016-2125-v4-4.patch
deleted file mode 100644
index 20a98a8..0000000
--- a/SOURCES/CVE-2016-2125-v4-4.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From f775874f1c9e388d51fe04cb9df849c66bc6e8b6 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 23 Nov 2016 11:41:10 +0100
-Subject: [PATCH 1/3] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
- in nsupdate-gss
-
-This is just an example script that's not directly used by samba,
-but we should avoid sending delegated credentials to dns servers.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Simo Sorce <idra@samba.org>
----
- source4/scripting/bin/nsupdate-gss | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
-index dec5916..509220d 100755
---- a/source4/scripting/bin/nsupdate-gss
-+++ b/source4/scripting/bin/nsupdate-gss
-@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
-     my $flags = 
- 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
- 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
--	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
-+	GSS_C_INTEG_FLAG;
- 
- 
-     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
--- 
-1.9.1
-
-
-From 1bee1eb5d75191e142c503cf9c5dc36df2453307 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 23 Nov 2016 11:42:59 +0100
-Subject: [PATCH 2/3] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
-
-We should only use GSS_C_DELEG_POLICY_FLAG in order to let
-the KDC decide if we should send delegated credentials to
-a remote server.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Simo Sorce <idra@samba.org>
----
- source3/librpc/crypto/gse.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index 963c98a..c4c4bbc 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
- 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
- 
- 	gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
--				GSS_C_DELEG_FLAG |
- 				GSS_C_DELEG_POLICY_FLAG |
- 				GSS_C_REPLAY_FLAG |
- 				GSS_C_SEQUENCE_FLAG;
--- 
-1.9.1
-
-
-From 2c9d1648745ddc9facaf5b9cc84ea7f1117d7710 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 23 Nov 2016 11:44:22 +0100
-Subject: [PATCH 3/3] CVE-2016-2125: s4:gensec_gssapi: don't use
- GSS_C_DELEG_FLAG by default
-
-This disabled the usage of GSS_C_DELEG_FLAG by default, as
-GSS_C_DELEG_POLICY_FLAG is still used by default we let the
-KDC decide if we should send delegated credentials to a remote server.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Simo Sorce <idra@samba.org>
----
- source4/auth/gensec/gensec_gssapi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index e0b2bf2..e2994f6 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
- 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
- 		gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
- 	}
--	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
-+	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
- 		gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
- 	}
- 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
--- 
-1.9.1
-
diff --git a/SOURCES/CVE-2016-2126-v4-4.patch b/SOURCES/CVE-2016-2126-v4-4.patch
deleted file mode 100644
index fd854ba..0000000
--- a/SOURCES/CVE-2016-2126-v4-4.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 77631ca7c747796bf3d4dc347afb3f0cb5e4be78 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 22 Nov 2016 17:08:46 +0100
-Subject: [PATCH] CVE-2016-2126: auth/kerberos: only allow known checksum types
- in check_pac_checksum()
-
-aes based checksums can only be checked with the
-corresponding aes based keytype.
-
-Otherwise we may trigger an undefined code path
-deep in the kerberos libraries, which can leed to
-segmentation faults.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
-index 32d9d7f..7b6efdc 100644
---- a/auth/kerberos/kerberos_pac.c
-+++ b/auth/kerberos/kerberos_pac.c
-@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
- 	krb5_boolean checksum_valid = false;
- 	krb5_data input;
- 
-+	switch (sig->type) {
-+	case CKSUMTYPE_HMAC_MD5:
-+		/* ignores the key type */
-+		break;
-+	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
-+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
-+			return EINVAL;
-+		}
-+		/* ok */
-+		break;
-+	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
-+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
-+			return EINVAL;
-+		}
-+		/* ok */
-+		break;
-+	default:
-+		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
-+			(int)sig->type));
-+		return EINVAL;
-+	}
-+
- #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
- 	cksum.cksumtype	= (krb5_cksumtype)sig->type;
- 	cksum.checksum.length	= sig->signature.length;
--- 
-1.9.1
-
-From b6da00dee93b832e271040d80d4f6b6165b51f08 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 19 Jul 2016 16:31:01 +0200
-Subject: [PATCH] krb5_wrap: provide CKSUMTYPE_HMAC_SHA1_96_AES_*
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-MIT only defined this as CKSUMTYPE_HMAC_SHA1_96_AES128,
-while Heimdal has CKSUMTYPE_HMAC_SHA1_96_AES_128.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit bb64c550ae19b08ad4e6d8d26f68c2474cb251e6)
----
- lib/krb5_wrap/krb5_samba.h | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
-index cef9144..20ef6a3 100644
---- a/lib/krb5_wrap/krb5_samba.h
-+++ b/lib/krb5_wrap/krb5_samba.h
-@@ -74,6 +74,17 @@
- #define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR
- #endif
- 
-+/*
-+ * CKSUMTYPE_HMAC_SHA1_96_AES_* in Heimdal
-+ * CKSUMTYPE_HMAC_SHA1_96_AES* in MIT
-+ */
-+#if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
-+#define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128
-+#endif
-+#if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
-+#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
-+#endif
-+
- typedef struct {
- #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
- 	krb5_address **addrs;
--- 
-1.9.1
-
diff --git a/SOURCES/CVE-2017-2619-v4-4.patch b/SOURCES/CVE-2017-2619-v4-4.patch
deleted file mode 100644
index 9d07941..0000000
--- a/SOURCES/CVE-2017-2619-v4-4.patch
+++ /dev/null
@@ -1,986 +0,0 @@
-From 72e7e7b7d378e7ba3afe18ea41802aac5366b094 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Sun, 19 Mar 2017 15:58:17 +0100
-Subject: [PATCH 01/13] CVE-2017-2619: s3/smbd: re-open directory after
- dptr_CloseDir()
-
-dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
-have to reopen it.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/smb2_query_directory.c | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c
-index 4b6ca1b..1703310 100644
---- a/source3/smbd/smb2_query_directory.c
-+++ b/source3/smbd/smb2_query_directory.c
-@@ -24,6 +24,7 @@
- #include "../libcli/smb/smb_common.h"
- #include "trans2.h"
- #include "../lib/util/tevent_ntstatus.h"
-+#include "system/filesys.h"
- 
- static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
- 					      struct tevent_context *ev,
-@@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
- 	}
- 
- 	if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) {
-+		int flags;
-+
- 		dptr_CloseDir(fsp);
-+
-+		/*
-+		 * dptr_CloseDir() will close and invalidate the fsp's file
-+		 * descriptor, we have to reopen it.
-+		 */
-+
-+		flags = O_RDONLY;
-+#ifdef O_DIRECTORY
-+		flags |= O_DIRECTORY;
-+#endif
-+		status = fd_open(conn, fsp, flags, 0);
-+		if (tevent_req_nterror(req, status)) {
-+			return tevent_req_post(req, ev);
-+		}
- 	}
- 
- 	if (!smbreq->posix_pathnames) {
--- 
-2.9.3
-
-
-From f9a9e7ed2f11c8eb9f8f9f40ec054e9735614e91 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Sun, 19 Mar 2017 18:52:10 +0100
-Subject: [PATCH 02/13] CVE-2017-2619: s4/torture: add SMB2_FIND tests with
- SMB2_CONTINUE_FLAG_REOPEN flag
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source4/torture/smb2/dir.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/source4/torture/smb2/dir.c b/source4/torture/smb2/dir.c
-index 98844b4..db8e456 100644
---- a/source4/torture/smb2/dir.c
-+++ b/source4/torture/smb2/dir.c
-@@ -674,7 +674,7 @@ bool fill_result(void *private_data,
- 	return true;
- }
- 
--enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART};
-+enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART, CONT_REOPEN};
- 
- static NTSTATUS multiple_smb2_search(struct smb2_tree *tree,
- 				     TALLOC_CTX *tctx,
-@@ -700,6 +700,9 @@ static NTSTATUS multiple_smb2_search(struct smb2_tree *tree,
- 
- 	/* The search should start from the beginning everytime */
- 	f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART;
-+	if (cont_type == CONT_REOPEN) {
-+		f.in.continue_flags = SMB2_CONTINUE_FLAG_REOPEN;
-+	}
- 
- 	do {
- 		status = smb2_find_level(tree, tree, &f, &count, &d);
-@@ -803,18 +806,23 @@ static bool test_many_files(struct torture_context *tctx,
- 		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "SINGLE",  SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_SINGLE},
- 		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "INDEX",   SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_INDEX},
- 		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "RESTART", SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_RESTART},
-+		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "REOPEN",  SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_REOPEN},
- 		{"SMB2_FIND_DIRECTORY_INFO",         "SINGLE",  SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_SINGLE},
- 		{"SMB2_FIND_DIRECTORY_INFO",         "INDEX",   SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_INDEX},
- 		{"SMB2_FIND_DIRECTORY_INFO",         "RESTART", SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_RESTART},
-+		{"SMB2_FIND_DIRECTORY_INFO",         "REOPEN",  SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_REOPEN},
- 		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "SINGLE",  SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_SINGLE},
- 		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "INDEX",   SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_INDEX},
- 		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "RESTART", SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_RESTART},
-+		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "REOPEN",  SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_REOPEN},
- 		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "SINGLE",  SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_SINGLE},
- 		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "INDEX",   SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_INDEX},
- 		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_RESTART},
-+		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "REOPEN",  SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_REOPEN},
- 		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "SINGLE",  SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_SINGLE},
- 		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "INDEX",   SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_INDEX},
--		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART}
-+		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART},
-+		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "REOPEN",  SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_REOPEN},
- 	};
- 
- 	smb2_deltree(tree, DNAME);
--- 
-2.9.3
-
-
-From d329035b5bda87ab95a33b8d4af1936079db6fd1 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 11:55:56 -0800
-Subject: [PATCH 03/13] CVE-2017-2619: s3: smbd: Create wrapper function for
- OpenDir in preparation for making robust.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/dir.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index 3805915..cbd32e3 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1588,7 +1588,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp)
-  Open a directory.
- ********************************************************************/
- 
--struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
-+static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
-+			connection_struct *conn,
- 			const char *name,
- 			const char *mask,
- 			uint32_t attr)
-@@ -1628,6 +1629,18 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	return NULL;
- }
- 
-+struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
-+			const char *name,
-+			const char *mask,
-+			uint32_t attr)
-+{
-+	return OpenDir_internal(mem_ctx,
-+				conn,
-+				name,
-+				mask,
-+				attr);
-+}
-+
- /*******************************************************************
-  Open a directory from an fsp.
- ********************************************************************/
--- 
-2.9.3
-
-
-From 484dda03a69f5c687b6ec6db1332bcc51e72e0c2 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 16:25:26 -0800
-Subject: [PATCH 04/13] CVE-2017-2619: s3: smbd: Opendir_internal() early
- return if SMB_VFS_OPENDIR failed.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/dir.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index cbd32e3..ea4b301 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1601,20 +1601,12 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
- 		return NULL;
- 	}
- 
--	dirp->conn = conn;
--	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
--
- 	dirp->dir_path = talloc_strdup(dirp, name);
- 	if (!dirp->dir_path) {
- 		errno = ENOMEM;
- 		goto fail;
- 	}
- 
--	if (sconn && !sconn->using_smb2) {
--		sconn->searches.dirhandles_open++;
--	}
--	talloc_set_destructor(dirp, smb_Dir_destructor);
--
- 	dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
- 	if (!dirp->dir) {
- 		DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path,
-@@ -1622,6 +1614,14 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
- 		goto fail;
- 	}
- 
-+	dirp->conn = conn;
-+	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
-+
-+	if (sconn && !sconn->using_smb2) {
-+		sconn->searches.dirhandles_open++;
-+	}
-+	talloc_set_destructor(dirp, smb_Dir_destructor);
-+
- 	return dirp;
- 
-   fail:
--- 
-2.9.3
-
-
-From 84d4bbde7c1682e4c8daf680f930a14e3444f659 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 16:35:00 -0800
-Subject: [PATCH 05/13] CVE-2017-2619: s3: smbd: Create and use
- open_dir_safely(). Use from OpenDir().
-
-Hardens OpenDir against TOC/TOU races.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/dir.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 61 insertions(+), 9 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index ea4b301..39a6e67 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1601,15 +1601,9 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
- 		return NULL;
- 	}
- 
--	dirp->dir_path = talloc_strdup(dirp, name);
--	if (!dirp->dir_path) {
--		errno = ENOMEM;
--		goto fail;
--	}
--
--	dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
-+	dirp->dir = SMB_VFS_OPENDIR(conn, name, mask, attr);
- 	if (!dirp->dir) {
--		DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path,
-+		DEBUG(5,("OpenDir: Can't open %s. %s\n", name,
- 			 strerror(errno) ));
- 		goto fail;
- 	}
-@@ -1629,12 +1623,70 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
- 	return NULL;
- }
- 
-+/****************************************************************************
-+ Open a directory handle by pathname, ensuring it's under the share path.
-+****************************************************************************/
-+
-+static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx,
-+					connection_struct *conn,
-+					const char *name,
-+					const char *wcard,
-+					uint32_t attr)
-+{
-+	struct smb_Dir *dir_hnd = NULL;
-+	char *saved_dir = vfs_GetWd(ctx, conn);
-+	NTSTATUS status;
-+
-+	if (saved_dir == NULL) {
-+		return NULL;
-+	}
-+
-+	if (vfs_ChDir(conn, name) == -1) {
-+		goto out;
-+	}
-+
-+	/*
-+	 * Now the directory is pinned, use
-+	 * REALPATH to ensure we can access it.
-+	 */
-+	status = check_name(conn, ".");
-+	if (!NT_STATUS_IS_OK(status)) {
-+		goto out;
-+	}
-+
-+	dir_hnd = OpenDir_internal(ctx,
-+				conn,
-+				".",
-+				wcard,
-+				attr);
-+
-+	if (dir_hnd == NULL) {
-+		goto out;
-+	}
-+
-+	/*
-+	 * OpenDir_internal only gets "." as the dir name.
-+	 * Store the real dir name here.
-+	 */
-+
-+	dir_hnd->dir_path = talloc_strdup(dir_hnd, name);
-+	if (!dir_hnd->dir_path) {
-+		errno = ENOMEM;
-+	}
-+
-+  out:
-+
-+	vfs_ChDir(conn, saved_dir);
-+	TALLOC_FREE(saved_dir);
-+	return dir_hnd;
-+}
-+
- struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 			const char *name,
- 			const char *mask,
- 			uint32_t attr)
- {
--	return OpenDir_internal(mem_ctx,
-+	return open_dir_safely(mem_ctx,
- 				conn,
- 				name,
- 				mask,
--- 
-2.9.3
-
-
-From 8aece1e0d15bf059daf70259142e8ad35a7658ed Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 12:13:20 -0800
-Subject: [PATCH 06/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() use early
- returns.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/dir.c | 34 +++++++++++++++++++++-------------
- 1 file changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index 39a6e67..ea4f1ab 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1706,7 +1706,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	struct smbd_server_connection *sconn = conn->sconn;
- 
- 	if (!dirp) {
--		return NULL;
-+		goto fail;
-+	}
-+
-+	if (!fsp->is_directory) {
-+		errno = EBADF;
-+		goto fail;
-+	}
-+
-+	if (fsp->fh->fd == -1) {
-+		errno = EBADF;
-+		goto fail;
- 	}
- 
- 	dirp->conn = conn;
-@@ -1723,18 +1733,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	}
- 	talloc_set_destructor(dirp, smb_Dir_destructor);
- 
--	if (fsp->is_directory && fsp->fh->fd != -1) {
--		dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
--		if (dirp->dir != NULL) {
--			dirp->fsp = fsp;
--		} else {
--			DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
--				"NULL (%s)\n",
--				dirp->dir_path,
--				strerror(errno)));
--			if (errno != ENOSYS) {
--				return NULL;
--			}
-+	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
-+	if (dirp->dir != NULL) {
-+		dirp->fsp = fsp;
-+	} else {
-+		DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
-+			"NULL (%s)\n",
-+			dirp->dir_path,
-+			strerror(errno)));
-+		if (errno != ENOSYS) {
-+			return NULL;
- 		}
- 	}
- 
--- 
-2.9.3
-
-
-From 16fa5af1a491c410d4579434b7e9f6e388ea319b Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 12:15:59 -0800
-Subject: [PATCH 07/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory
- leak on error.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/dir.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index ea4f1ab..b8034be 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1742,7 +1742,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 			dirp->dir_path,
- 			strerror(errno)));
- 		if (errno != ENOSYS) {
--			return NULL;
-+			goto fail;
- 		}
- 	}
- 
--- 
-2.9.3
-
-
-From 2c1830915b0b59646503ee4d043fd9176090627f Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 12:32:07 -0800
-Subject: [PATCH 08/13] CVE-2017-2619: s3: smbd: Move the reference counting
- and destructor setup to just before retuning success.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/dir.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index b8034be..6b62f14 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1728,11 +1728,6 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 		goto fail;
- 	}
- 
--	if (sconn && !sconn->using_smb2) {
--		sconn->searches.dirhandles_open++;
--	}
--	talloc_set_destructor(dirp, smb_Dir_destructor);
--
- 	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
- 	if (dirp->dir != NULL) {
- 		dirp->fsp = fsp;
-@@ -1757,6 +1752,11 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 		goto fail;
- 	}
- 
-+	if (sconn && !sconn->using_smb2) {
-+		sconn->searches.dirhandles_open++;
-+	}
-+	talloc_set_destructor(dirp, smb_Dir_destructor);
-+
- 	return dirp;
- 
-   fail:
--- 
-2.9.3
-
-
-From 72bf8c2c2b2c4aff1ac4da52aa087c060ea5eef1 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 12:35:32 -0800
-Subject: [PATCH 09/13] CVE-2017-2619: s3: smbd: Correctly fallback to
- open_dir_safely if FDOPENDIR not supported on system.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/dir.c | 15 +++++++--------
- 1 file changed, 7 insertions(+), 8 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index 6b62f14..3432788 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1742,14 +1742,13 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	}
- 
- 	if (dirp->dir == NULL) {
--		/* FDOPENDIR didn't work. Use OPENDIR instead. */
--		dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
--	}
--
--	if (!dirp->dir) {
--		DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n", dirp->dir_path,
--			 strerror(errno) ));
--		goto fail;
-+		/* FDOPENDIR is not supported. Use OPENDIR instead. */
-+		TALLOC_FREE(dirp);
-+		return open_dir_safely(mem_ctx,
-+					conn,
-+					fsp->fsp_name->base_name,
-+					mask,
-+					attr);
- 	}
- 
- 	if (sconn && !sconn->using_smb2) {
--- 
-2.9.3
-
-
-From 015e488ce39e097944acdad7a88a801386d9935b Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 15 Dec 2016 12:52:13 -0800
-Subject: [PATCH 10/13] CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We
- insist on O_NOFOLLOW existing.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/open.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index 1c67684..a014b5e 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -363,8 +363,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
- 	struct smb_filename *smb_fname = fsp->fsp_name;
- 	NTSTATUS status = NT_STATUS_OK;
- 
--#ifdef O_NOFOLLOW
--	/* 
-+	/*
- 	 * Never follow symlinks on a POSIX client. The
- 	 * client should be doing this.
- 	 */
-@@ -372,12 +371,10 @@ NTSTATUS fd_open(struct connection_struct *conn,
- 	if ((fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) || !lp_follow_symlinks(SNUM(conn))) {
- 		flags |= O_NOFOLLOW;
- 	}
--#endif
- 
- 	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
- 	if (fsp->fh->fd == -1) {
- 		int posix_errno = errno;
--#ifdef O_NOFOLLOW
- #if defined(ENOTSUP) && defined(OSF1)
- 		/* handle special Tru64 errno */
- 		if (errno == ENOTSUP) {
-@@ -394,7 +391,6 @@ NTSTATUS fd_open(struct connection_struct *conn,
- 		if (errno == EMLINK) {
- 			posix_errno = ELOOP;
- 		}
--#endif /* O_NOFOLLOW */
- 		status = map_nt_error_from_unix(posix_errno);
- 		if (errno == EMFILE) {
- 			static time_t last_warned = 0L;
--- 
-2.9.3
-
-
-From b7199aaa0a4d10dd6b3d2a040e345a209ec0c42f Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 15 Dec 2016 12:56:08 -0800
-Subject: [PATCH 11/13] CVE-2017-2619: s3: smbd: Move special handling of
- symlink errno's into a utility function.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/open.c | 43 ++++++++++++++++++++++++++-----------------
- 1 file changed, 26 insertions(+), 17 deletions(-)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index a014b5e..b4b77cd 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -352,6 +352,31 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn,
- }
- 
- /****************************************************************************
-+ Handle differing symlink errno's
-+****************************************************************************/
-+
-+static int link_errno_convert(int err)
-+{
-+#if defined(ENOTSUP) && defined(OSF1)
-+	/* handle special Tru64 errno */
-+	if (err == ENOTSUP) {
-+		err = ELOOP;
-+	}
-+#endif /* ENOTSUP */
-+#ifdef EFTYPE
-+	/* fix broken NetBSD errno */
-+	if (err == EFTYPE) {
-+		err = ELOOP;
-+	}
-+#endif /* EFTYPE */
-+	/* fix broken FreeBSD errno */
-+	if (err == EMLINK) {
-+		err = ELOOP;
-+	}
-+	return err;
-+}
-+
-+/****************************************************************************
-  fd support routines - attempt to do a dos_open.
- ****************************************************************************/
- 
-@@ -374,23 +399,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
- 
- 	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
- 	if (fsp->fh->fd == -1) {
--		int posix_errno = errno;
--#if defined(ENOTSUP) && defined(OSF1)
--		/* handle special Tru64 errno */
--		if (errno == ENOTSUP) {
--			posix_errno = ELOOP;
--		}
--#endif /* ENOTSUP */
--#ifdef EFTYPE
--		/* fix broken NetBSD errno */
--		if (errno == EFTYPE) {
--			posix_errno = ELOOP;
--		}
--#endif /* EFTYPE */
--		/* fix broken FreeBSD errno */
--		if (errno == EMLINK) {
--			posix_errno = ELOOP;
--		}
-+		int posix_errno = link_errno_convert(errno);
- 		status = map_nt_error_from_unix(posix_errno);
- 		if (errno == EMFILE) {
- 			static time_t last_warned = 0L;
--- 
-2.9.3
-
-
-From eda8d6ed343b32efb7055778b13252842b8c4f61 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 15 Dec 2016 13:04:46 -0800
-Subject: [PATCH 12/13] CVE-2017-2619: s3: smbd: Add the core functions to
- prevent symlink open races.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/open.c | 237 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 237 insertions(+)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index b4b77cd..aa5df2c 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -376,6 +376,243 @@ static int link_errno_convert(int err)
- 	return err;
- }
- 
-+static int non_widelink_open(struct connection_struct *conn,
-+			const char *conn_rootdir,
-+			files_struct *fsp,
-+			struct smb_filename *smb_fname,
-+			int flags,
-+			mode_t mode,
-+			unsigned int link_depth);
-+
-+/****************************************************************************
-+ Follow a symlink in userspace.
-+****************************************************************************/
-+
-+static int process_symlink_open(struct connection_struct *conn,
-+			const char *conn_rootdir,
-+			files_struct *fsp,
-+			struct smb_filename *smb_fname,
-+			int flags,
-+			mode_t mode,
-+			unsigned int link_depth)
-+{
-+	int fd = -1;
-+	char *link_target = NULL;
-+	int link_len = -1;
-+	char *oldwd = NULL;
-+	size_t rootdir_len = 0;
-+	char *resolved_name = NULL;
-+	bool matched = false;
-+	int saved_errno = 0;
-+
-+	/*
-+	 * Ensure we don't get stuck in a symlink loop.
-+	 */
-+	link_depth++;
-+	if (link_depth >= 20) {
-+		errno = ELOOP;
-+		goto out;
-+	}
-+
-+	/* Allocate space for the link target. */
-+	link_target = talloc_array(talloc_tos(), char, PATH_MAX);
-+	if (link_target == NULL) {
-+		errno = ENOMEM;
-+		goto out;
-+	}
-+
-+	/* Read the link target. */
-+	link_len = SMB_VFS_READLINK(conn,
-+				smb_fname->base_name,
-+				link_target,
-+				PATH_MAX - 1);
-+	if (link_len == -1) {
-+		goto out;
-+	}
-+
-+	/* Ensure it's at least null terminated. */
-+	link_target[link_len] = '\0';
-+
-+	/* Convert to an absolute path. */
-+	resolved_name = SMB_VFS_REALPATH(conn, link_target);
-+	if (resolved_name == NULL) {
-+		goto out;
-+	}
-+
-+	/*
-+	 * We know conn_rootdir starts with '/' and
-+	 * does not end in '/'. FIXME ! Should we
-+	 * smb_assert this ?
-+	 */
-+	rootdir_len = strlen(conn_rootdir);
-+
-+	matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0);
-+	if (!matched) {
-+		errno = EACCES;
-+		goto out;
-+	}
-+
-+	/*
-+	 * Turn into a path relative to the share root.
-+	 */
-+	if (resolved_name[rootdir_len] == '\0') {
-+		/* Link to the root of the share. */
-+		smb_fname->base_name = talloc_strdup(talloc_tos(), ".");
-+		if (smb_fname->base_name == NULL) {
-+			errno = ENOMEM;
-+			goto out;
-+		}
-+	} else if (resolved_name[rootdir_len] == '/') {
-+		smb_fname->base_name = &resolved_name[rootdir_len+1];
-+	} else {
-+		errno = EACCES;
-+		goto out;
-+	}
-+
-+	oldwd = vfs_GetWd(talloc_tos(), conn);
-+	if (oldwd == NULL) {
-+		goto out;
-+	}
-+
-+	/* Ensure we operate from the root of the share. */
-+	if (vfs_ChDir(conn, conn_rootdir) == -1) {
-+		goto out;
-+	}
-+
-+	/* And do it all again.. */
-+	fd = non_widelink_open(conn,
-+				conn_rootdir,
-+				fsp,
-+				smb_fname,
-+				flags,
-+				mode,
-+				link_depth);
-+	if (fd == -1) {
-+		saved_errno = errno;
-+	}
-+
-+  out:
-+
-+	SAFE_FREE(resolved_name);
-+	TALLOC_FREE(link_target);
-+	if (oldwd != NULL) {
-+		int ret = vfs_ChDir(conn, oldwd);
-+		if (ret == -1) {
-+			smb_panic("unable to get back to old directory\n");
-+		}
-+		TALLOC_FREE(oldwd);
-+	}
-+	if (saved_errno != 0) {
-+		errno = saved_errno;
-+	}
-+	return fd;
-+}
-+
-+/****************************************************************************
-+ Non-widelink open.
-+****************************************************************************/
-+
-+static int non_widelink_open(struct connection_struct *conn,
-+			const char *conn_rootdir,
-+			files_struct *fsp,
-+			struct smb_filename *smb_fname,
-+			int flags,
-+			mode_t mode,
-+			unsigned int link_depth)
-+{
-+	NTSTATUS status;
-+	int fd = -1;
-+	struct smb_filename *smb_fname_rel = NULL;
-+	int saved_errno = 0;
-+	char *oldwd = NULL;
-+	char *parent_dir = NULL;
-+	const char *final_component = NULL;
-+
-+	if (!parent_dirname(talloc_tos(),
-+			smb_fname->base_name,
-+			&parent_dir,
-+			&final_component)) {
-+		goto out;
-+	}
-+
-+	oldwd = vfs_GetWd(talloc_tos(), conn);
-+	if (oldwd == NULL) {
-+		goto out;
-+	}
-+
-+	/* Pin parent directory in place. */
-+	if (vfs_ChDir(conn, parent_dir) == -1) {
-+		goto out;
-+	}
-+
-+	/* Ensure the relative path is below the share. */
-+	status = check_reduced_name(conn, final_component);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		saved_errno = map_errno_from_nt_status(status);
-+		goto out;
-+	}
-+
-+	smb_fname_rel = synthetic_smb_fname(talloc_tos(),
-+				final_component,
-+				smb_fname->stream_name,
-+				&smb_fname->st);
-+
-+	flags |= O_NOFOLLOW;
-+
-+	{
-+		struct smb_filename *tmp_name = fsp->fsp_name;
-+		fsp->fsp_name = smb_fname_rel;
-+		fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode);
-+		fsp->fsp_name = tmp_name;
-+	}
-+
-+	if (fd == -1) {
-+		saved_errno = link_errno_convert(errno);
-+		if (saved_errno == ELOOP) {
-+			if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) {
-+				/* Never follow symlinks on posix open. */
-+				goto out;
-+			}
-+			if (!lp_follow_symlinks(SNUM(conn))) {
-+				/* Explicitly no symlinks. */
-+				goto out;
-+			}
-+			/*
-+			 * We have a symlink. Follow in userspace
-+			 * to ensure it's under the share definition.
-+			 */
-+			fd = process_symlink_open(conn,
-+					conn_rootdir,
-+					fsp,
-+					smb_fname_rel,
-+					flags,
-+					mode,
-+					link_depth);
-+			if (fd == -1) {
-+				saved_errno =
-+					link_errno_convert(errno);
-+			}
-+		}
-+	}
-+
-+  out:
-+
-+	TALLOC_FREE(parent_dir);
-+	TALLOC_FREE(smb_fname_rel);
-+
-+	if (oldwd != NULL) {
-+		int ret = vfs_ChDir(conn, oldwd);
-+		if (ret == -1) {
-+			smb_panic("unable to get back to old directory\n");
-+		}
-+		TALLOC_FREE(oldwd);
-+	}
-+	if (saved_errno != 0) {
-+		errno = saved_errno;
-+	}
-+	return fd;
-+}
-+
- /****************************************************************************
-  fd support routines - attempt to do a dos_open.
- ****************************************************************************/
--- 
-2.9.3
-
-
-From 81094d0c7519936b08d22efc22ba78e5bab24cd1 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 15 Dec 2016 13:06:31 -0800
-Subject: [PATCH 13/13] CVE-2017-2619: s3: smbd: Use the new
- non_widelink_open() function.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
----
- source3/smbd/open.c | 23 ++++++++++++++++++++++-
- 1 file changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index aa5df2c..0b66487 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -634,7 +634,28 @@ NTSTATUS fd_open(struct connection_struct *conn,
- 		flags |= O_NOFOLLOW;
- 	}
- 
--	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
-+	/* Ensure path is below share definition. */
-+	if (!lp_widelinks(SNUM(conn))) {
-+		const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn,
-+						smb_fname->base_name);
-+		if (conn_rootdir == NULL) {
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+		/*
-+		 * Only follow symlinks within a share
-+		 * definition.
-+		 */
-+		fsp->fh->fd = non_widelink_open(conn,
-+					conn_rootdir,
-+					fsp,
-+					smb_fname,
-+					flags,
-+					mode,
-+					0);
-+	} else {
-+		fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
-+	}
-+
- 	if (fsp->fh->fd == -1) {
- 		int posix_errno = link_errno_convert(errno);
- 		status = map_nt_error_from_unix(posix_errno);
--- 
-2.9.3
-
diff --git a/SOURCES/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch b/SOURCES/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch
deleted file mode 100644
index ebd1cdf..0000000
--- a/SOURCES/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From a24fa6abf4f8a937554d292448a765677f9dec53 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 31 May 2016 18:47:34 +0200
-Subject: [PATCH] s3:libnet: accept empty realm for AD domains when only
- security=domain is set.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Initial patch from Matt Rogers @ RedHat.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977
-
-Guenther
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Wed Jun 15 20:28:31 CEST 2016 on sn-devel-144
-
-(cherry picked from commit 234a470f198f8f09f46aaeaf58f966faccedef18)
----
- source3/libnet/libnet_join.c | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index a28864d..b5a5ae2 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2367,9 +2367,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
- 			W_ERROR_HAVE_NO_MEMORY(wrong_conf);
- 		}
- 
-+		/*
-+		 * We should generate the warning for the special case when
-+		 * domain is AD, "security = domain" and the realm parameter is
-+		 * not set.
-+		 */
-+		if (lp_security() == SEC_DOMAIN &&
-+		    r->out.domain_is_ad &&
-+		    !valid_realm) {
-+			libnet_join_set_error_string(mem_ctx, r,
-+				"Warning: when joining AD domains with security=domain, "
-+				"\"realm\" should be defined in the configuration (%s) "
-+				"and configuration modification was not requested",
-+				wrong_conf);
-+			return WERR_OK;
-+		}
-+
- 		libnet_join_set_error_string(mem_ctx, r,
- 			"Invalid configuration (%s) and configuration modification "
- 			"was not requested", wrong_conf);
-+
- 		return WERR_CAN_NOT_COMPLETE;
- 	}
- 
--- 
-2.9.0
-
-From 872207a7dcbb6272e6a4e8bf2fd366128a63e087 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 15 Jun 2016 16:04:29 +0200
-Subject: [PATCH 1/2] s3-libnet: Print error string even on successfuly
- completion of libnetjoin.
-
-Sometimes useful information should be printed to the users.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 632faa87610b3afca3f8d3e9f3f46ee6b87f362a)
----
- source3/utils/net_ads.c |  5 +++++
- source3/utils/net_rpc.c | 10 ++++++++++
- 2 files changed, 15 insertions(+)
-
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index 90af09e..c61aa0d 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -1596,6 +1596,11 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
- 			r->out.netbios_domain_name);
- 	}
- 
-+	/* print out informative error string in case there is one */
-+	if (r->out.error_string != NULL) {
-+		d_printf("%s\n", r->out.error_string);
-+	}
-+
- 	/*
- 	 * We try doing the dns update (if it was compiled in
- 	 * and if it was not disabled on the command line).
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 93caf04..1e3e286 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -428,6 +428,11 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
- 			r->out.netbios_domain_name);
- 	}
- 
-+	/* print out informative error string in case there is one */
-+	if (r->out.error_string != NULL) {
-+		d_printf("%s\n", r->out.error_string);
-+	}
-+
- 	TALLOC_FREE(mem_ctx);
- 
- 	return 0;
-@@ -607,6 +612,11 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a
- 			r->out.netbios_domain_name);
- 	}
- 
-+	/* print out informative error string in case there is one */
-+	if (r->out.error_string != NULL) {
-+		d_printf("%s\n", r->out.error_string);
-+	}
-+
- 	TALLOC_FREE(mem_ctx);
- 
- 	return 0;
--- 
-2.5.5
-
-
-From 3f5af70f63f2ca141da8bd28ae131079b7f93f55 Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Wed, 15 Jun 2016 23:03:32 +0200
-Subject: [PATCH 2/2] libnet: ignore realm setting for domain security joins to
- AD domains if 'winbind rpc only = true'
-
-Inspired by initial patch from Matt Rogers @ RedHat.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-
-Autobuild-User(master): Michael Adam <obnox@samba.org>
-Autobuild-Date(master): Wed Jun 22 05:05:47 CEST 2016 on sn-devel-144
-
-(cherry picked from commit e29d8f108cd090706dc3f54282f5c33ec30df899)
----
- source3/libnet/libnet_join.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index c007183..bab58f3 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2303,6 +2303,7 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
- 	bool valid_security = false;
- 	bool valid_workgroup = false;
- 	bool valid_realm = false;
-+	bool ignored_realm = false;
- 
- 	/* check if configuration is already set correctly */
- 
-@@ -2322,11 +2323,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
- 			valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
- 			switch (lp_security()) {
- 			case SEC_DOMAIN:
-+				if (!valid_realm && lp_winbind_rpc_only()) {
-+					valid_realm = true;
-+					ignored_realm = true;
-+				}
- 			case SEC_ADS:
- 				valid_security = true;
- 			}
- 
- 			if (valid_workgroup && valid_realm && valid_security) {
-+				if (ignored_realm && !r->in.modify_config)
-+				{
-+					libnet_join_set_error_string(mem_ctx, r,
-+						"Warning: ignoring realm when "
-+						"joining AD domain with "
-+						"'security=domain' and "
-+						"'winbind rpc only = yes'. "
-+						"(realm set to '%s', "
-+						"should be '%s').", lp_realm(),
-+						r->out.dns_domain_name);
-+				}
- 				/* nothing to be done */
- 				return WERR_OK;
- 			}
--- 
-2.5.5
-
diff --git a/SOURCES/samba-4.4.5-fix_resolving_trusted_domain_users.patch b/SOURCES/samba-4.4.5-fix_resolving_trusted_domain_users.patch
deleted file mode 100644
index 68d48a1..0000000
--- a/SOURCES/samba-4.4.5-fix_resolving_trusted_domain_users.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 10 Jun 2016 16:51:18 +0200
-Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain
- DCs
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee)
----
- source3/winbindd/winbindd_cm.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 45e3fad..f1f98db 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
- 	struct cli_credentials *creds;
- 	NTSTATUS status;
- 	bool force_machine_account = false;
-+	bool ok;
- 
- 	/* If we are a DC and this is not our own domain */
- 
-@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
- 						   CRED_DONT_USE_KERBEROS);
- 	}
- 
--	if (creds_domain != domain) {
-+	/*
-+	 * When we contact our own domain and get a list of the trusted domain
-+	 * we have the information if we are able to contact the DC with
-+	 * with our machine account password.
-+	 */
-+	ok = winbindd_can_contact_domain(domain);
-+	if (!ok) {
- 		/*
- 		 * We can only use schannel against a direct trust
- 		 */
-@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
- 
- 	sec_chan_type = cli_credentials_get_secure_channel_type(creds);
- 	if (sec_chan_type == SEC_CHAN_NULL) {
-+		DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n",
-+			    domain->name);
- 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- 	}
- 
-@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
- 	conn->netlogon_flags = netlogon_creds->negotiate_flags;
- 	TALLOC_FREE(netlogon_creds);
- 
-+	/*
-+	 * FIXME: Document in which case we are not able to contact
-+	 * a DC without schannel. Which information do we try to get
-+	 * from this DC?
-+	 */
- 	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
- 		if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
- 			result = NT_STATUS_DOWNGRADE_DETECTED;
--- 
-2.8.4
-
diff --git a/SOURCES/samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch b/SOURCES/samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch
deleted file mode 100644
index 6c50408..0000000
--- a/SOURCES/samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a3978285d05eb0bd9b52b0d1c2908388005b32e1 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Tue, 14 Jun 2016 22:37:31 +0300
-Subject: [PATCH] libnet_join: use sitename if it was set by pre-join detection
-
-When domain member is joined to AD, we need to use the same DC to
-authenticate against after the join because the machine account might
-not be replicated yet to other domain controllers, including off-site.
-
-Bug https://bugzilla.samba.org/show_bug.cgi?id=11769 dealt with
-detection of the site pre-join. However, we rewrite private local
-krb5.conf afterwards without taking the discovered site name into
-account.
-
-Fix this by reusing the site discovered pre-join.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11975
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Wed Jun 15 15:25:44 CEST 2016 on sn-devel-144
-
-(cherry picked from commit 4c408f6de5c32a41fbb44971419118e5425d13e7)
----
- source3/libnet/libnet_join.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index a28864d..c007183 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2500,7 +2500,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
- 
- 	create_local_private_krb5_conf_for_domain(
- 		r->out.dns_domain_name, r->out.netbios_domain_name,
--		NULL, smbXcli_conn_remote_sockaddr(cli->conn));
-+		sitename, smbXcli_conn_remote_sockaddr(cli->conn));
- 
- 	if (r->out.domain_is_ad &&
- 	    !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
--- 
-2.9.0
-
diff --git a/SOURCES/samba-4.4.5-fix_winbind_cached_creds_memleak.patch b/SOURCES/samba-4.4.5-fix_winbind_cached_creds_memleak.patch
deleted file mode 100644
index e71bc79..0000000
--- a/SOURCES/samba-4.4.5-fix_winbind_cached_creds_memleak.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f8d4a51b02abd2f7bb4c5a874d8d83f4dedc7a6a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 29 Jun 2016 13:38:19 +0200
-Subject: [PATCH] s3-winbind: Fix memory leak with each cached credential login
-
-When we allow offline logon and have a lot of logins, windbind will leak
-4k of memory which each log in. On systems with heavy load this can grow
-quickly and the OOM killer will kill Winbind.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11999
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Wed Jun 29 19:03:53 CEST 2016 on sn-devel-144
-
-(cherry picked from commit 826f61960ec74deedc9d556a3b8fe04d9178dcd8)
----
- source3/winbindd/winbindd_cache.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
-index cf3ed71..5dd9f4f 100644
---- a/source3/winbindd/winbindd_cache.c
-+++ b/source3/winbindd/winbindd_cache.c
-@@ -3471,7 +3471,7 @@ NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const
- 	struct winbind_cache *cache = get_cache(domain);
- 	NTSTATUS status;
- 	int ret;
--	struct cred_list *cred, *oldest = NULL;
-+	struct cred_list *cred, *next, *oldest = NULL;
- 
- 	if (!cache->tdb) {
- 		return NT_STATUS_INTERNAL_DB_ERROR;
-@@ -3540,7 +3540,11 @@ NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const
- 		status = NT_STATUS_UNSUCCESSFUL;
- 	}
- done:
--	SAFE_FREE(wcache_cred_list);
-+	for (cred = wcache_cred_list; cred; cred = next) {
-+		next = cred->next;
-+		DLIST_REMOVE(wcache_cred_list, cred);
-+		SAFE_FREE(cred);
-+	}
- 	SAFE_FREE(oldest);
- 
- 	return status;
--- 
-2.9.0
-
diff --git a/SOURCES/samba-4.4.6-fix_nss_wins.patch b/SOURCES/samba-4.4.6-fix_nss_wins.patch
deleted file mode 100644
index ac848bc..0000000
--- a/SOURCES/samba-4.4.6-fix_nss_wins.patch
+++ /dev/null
@@ -1,314 +0,0 @@
-From 119825e3df9b65ea24f28a7faf39b54861d62f0c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 19 Sep 2016 16:21:31 +0200
-Subject: [PATCH] waf: Explicitly link libreplace against libnss_wins.so
-
-If we do not specify replace as a depencency here, it will not link to
-libreplace using an rpath.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12277
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Jim McDonough <jmcd@samba.org>
-
-(cherry picked from commit d8a5565ae647352d11d622bd4e73ff4568678a7c)
----
- nsswitch/wscript_build | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
-index f286896..ab8f8ea 100644
---- a/nsswitch/wscript_build
-+++ b/nsswitch/wscript_build
-@@ -42,7 +42,7 @@ if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)):
-     bld.SAMBA3_LIBRARY('nss_wins',
-                        keep_underscore=True,
-                        source='wins.c',
--                       deps='''wbclient''',
-+                       deps='wbclient replace',
-                        public_headers=[],
-                        public_headers_install=False,
-                        pc_files=[],
--- 
-2.10.0
-
-From 33bc85d9060340e4ce3d2edecb3fb76dd85a5195 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 19 Sep 2016 16:17:11 +0200
-Subject: [PATCH 1/2] nsswitch: Add missing arguments to wins gethostbyname*
-
-The errno pointer argument is missing.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Jim McDonough <jmcd@samba.org>
-(cherry picked from commit 124ae4e861f048fe015bff32ace4abff4d3e6c62)
----
- nsswitch/wins.c | 51 +++++++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 41 insertions(+), 10 deletions(-)
-
-diff --git a/nsswitch/wins.c b/nsswitch/wins.c
-index fc65c03..be84f2e 100644
---- a/nsswitch/wins.c
-+++ b/nsswitch/wins.c
-@@ -39,10 +39,19 @@ static pthread_mutex_t wins_nss_mutex = PTHREAD_MUTEX_INITIALIZER;
- #define INADDRSZ 4
- #endif
- 
--NSS_STATUS _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he,
--			  char *buffer, size_t buflen, int *h_errnop);
--NSS_STATUS _nss_wins_gethostbyname2_r(const char *name, int af, struct hostent *he,
--			   char *buffer, size_t buflen, int *h_errnop);
-+NSS_STATUS _nss_wins_gethostbyname_r(const char *hostname,
-+				     struct hostent *he,
-+				     char *buffer,
-+				     size_t buflen,
-+				     int *errnop,
-+				     int *h_errnop);
-+NSS_STATUS _nss_wins_gethostbyname2_r(const char *name,
-+				      int af,
-+				      struct hostent *he,
-+				      char *buffer,
-+				      size_t buflen,
-+				      int *errnop,
-+				      int *h_errnop);
- 
- static char *lookup_byname_backend(const char *name)
- {
-@@ -225,8 +234,12 @@ gethostbyname() - we ignore any domain portion of the name and only
- handle names that are at most 15 characters long
-   **************************************************************************/
- NSS_STATUS
--_nss_wins_gethostbyname_r(const char *hostname, struct hostent *he,
--			  char *buffer, size_t buflen, int *h_errnop)
-+_nss_wins_gethostbyname_r(const char *hostname,
-+			  struct hostent *he,
-+			  char *buffer,
-+			  size_t buflen,
-+			  int *errnop,
-+			  int *h_errnop)
- {
- 	NSS_STATUS nss_status = NSS_STATUS_SUCCESS;
- 	char *ip;
-@@ -247,6 +260,7 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he,
- 
- 	ip = lookup_byname_backend(name);
- 	if (ip == NULL) {
-+		*errnop = EINVAL;
- 		nss_status = NSS_STATUS_NOTFOUND;
- 		goto out;
- 	}
-@@ -254,6 +268,7 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he,
- 	rc = inet_pton(AF_INET, ip, &in);
- 	wbcFreeMemory(ip);
- 	if (rc == 0) {
-+		*errnop = errno;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -263,6 +278,7 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he,
- 	namelen = strlen(name) + 1;
- 
- 	if ((he->h_name = get_static(&buffer, &buflen, namelen)) == NULL) {
-+		*errnop = EAGAIN;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -275,18 +291,21 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he,
- 		i = sizeof(char*) - i;
- 
- 	if (get_static(&buffer, &buflen, i) == NULL) {
-+		*errnop = EAGAIN;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
- 
- 	if ((he->h_addr_list = (char **)get_static(
- 		     &buffer, &buflen, 2 * sizeof(char *))) == NULL) {
-+		*errnop = EAGAIN;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
- 
- 	if ((he->h_addr_list[0] = get_static(&buffer, &buflen,
- 					     INADDRSZ)) == NULL) {
-+		*errnop = EAGAIN;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -306,12 +325,14 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he,
- 		i = sizeof(char*) - i;
- 
- 	if (get_static(&buffer, &buflen, i) == NULL) {
-+		*errnop = EAGAIN;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
- 
- 	if ((he->h_aliases = (char **)get_static(
- 		     &buffer, &buflen, sizeof(char *))) == NULL) {
-+		*errnop = EAGAIN;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -330,17 +351,27 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he,
- 
- 
- NSS_STATUS
--_nss_wins_gethostbyname2_r(const char *name, int af, struct hostent *he,
--			   char *buffer, size_t buflen, int *h_errnop)
-+_nss_wins_gethostbyname2_r(const char *name,
-+			   int af,
-+			   struct hostent *he,
-+			   char *buffer,
-+			   size_t buflen,
-+			   int *errnop,
-+			   int *h_errnop)
- {
- 	NSS_STATUS nss_status;
- 
- 	if(af!=AF_INET) {
-+		*errnop = EAFNOSUPPORT;
- 		*h_errnop = NO_DATA;
- 		nss_status = NSS_STATUS_UNAVAIL;
- 	} else {
--		nss_status = _nss_wins_gethostbyname_r(
--				name, he, buffer, buflen, h_errnop);
-+		nss_status = _nss_wins_gethostbyname_r(name,
-+						       he,
-+						       buffer,
-+						       buflen,
-+						       errnop,
-+						       h_errnop);
- 	}
- 	return nss_status;
- }
--- 
-2.10.0
-
-
-From b8d9c7b69509555f40335a0dd7b93ef032354b0d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 20 Sep 2016 13:26:52 +0200
-Subject: [PATCH 2/2] nsswitch: Also set h_errnop for nss_wins functions
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jim McDonough <jmcd@samba.org>
-
-(cherry picked from commit 382345126c56e26d3dbc319f1c7c1dae3c4fafc9)
----
- nsswitch/wins.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/nsswitch/wins.c b/nsswitch/wins.c
-index be84f2e..dccb6dd 100644
---- a/nsswitch/wins.c
-+++ b/nsswitch/wins.c
-@@ -261,6 +261,7 @@ _nss_wins_gethostbyname_r(const char *hostname,
- 	ip = lookup_byname_backend(name);
- 	if (ip == NULL) {
- 		*errnop = EINVAL;
-+		*h_errnop = NETDB_INTERNAL;
- 		nss_status = NSS_STATUS_NOTFOUND;
- 		goto out;
- 	}
-@@ -269,6 +270,7 @@ _nss_wins_gethostbyname_r(const char *hostname,
- 	wbcFreeMemory(ip);
- 	if (rc == 0) {
- 		*errnop = errno;
-+		*h_errnop = NETDB_INTERNAL;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -279,6 +281,7 @@ _nss_wins_gethostbyname_r(const char *hostname,
- 
- 	if ((he->h_name = get_static(&buffer, &buflen, namelen)) == NULL) {
- 		*errnop = EAGAIN;
-+		*h_errnop = NETDB_INTERNAL;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -292,6 +295,7 @@ _nss_wins_gethostbyname_r(const char *hostname,
- 
- 	if (get_static(&buffer, &buflen, i) == NULL) {
- 		*errnop = EAGAIN;
-+		*h_errnop = NETDB_INTERNAL;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -299,6 +303,7 @@ _nss_wins_gethostbyname_r(const char *hostname,
- 	if ((he->h_addr_list = (char **)get_static(
- 		     &buffer, &buflen, 2 * sizeof(char *))) == NULL) {
- 		*errnop = EAGAIN;
-+		*h_errnop = NETDB_INTERNAL;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -306,6 +311,7 @@ _nss_wins_gethostbyname_r(const char *hostname,
- 	if ((he->h_addr_list[0] = get_static(&buffer, &buflen,
- 					     INADDRSZ)) == NULL) {
- 		*errnop = EAGAIN;
-+		*h_errnop = NETDB_INTERNAL;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -326,6 +332,7 @@ _nss_wins_gethostbyname_r(const char *hostname,
- 
- 	if (get_static(&buffer, &buflen, i) == NULL) {
- 		*errnop = EAGAIN;
-+		*h_errnop = NETDB_INTERNAL;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
-@@ -333,12 +340,14 @@ _nss_wins_gethostbyname_r(const char *hostname,
- 	if ((he->h_aliases = (char **)get_static(
- 		     &buffer, &buflen, sizeof(char *))) == NULL) {
- 		*errnop = EAGAIN;
-+		*h_errnop = NETDB_INTERNAL;
- 		nss_status = NSS_STATUS_TRYAGAIN;
- 		goto out;
- 	}
- 
- 	he->h_aliases[0] = NULL;
- 
-+	*h_errnop = NETDB_SUCCESS;
- 	nss_status = NSS_STATUS_SUCCESS;
- 
-   out:
--- 
-2.10.0
-
-From c91544eb234af9a13ab08f2b1e31d2915965985b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Sun, 13 Nov 2016 17:40:21 +0100
-Subject: [PATCH] nss_wins: Fix errno values for HOST_NOT_FOUND
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- nsswitch/wins.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/nsswitch/wins.c b/nsswitch/wins.c
-index dccb6dd..19d3c5b 100644
---- a/nsswitch/wins.c
-+++ b/nsswitch/wins.c
-@@ -260,8 +260,7 @@ _nss_wins_gethostbyname_r(const char *hostname,
- 
- 	ip = lookup_byname_backend(name);
- 	if (ip == NULL) {
--		*errnop = EINVAL;
--		*h_errnop = NETDB_INTERNAL;
-+		*h_errnop = HOST_NOT_FOUND;
- 		nss_status = NSS_STATUS_NOTFOUND;
- 		goto out;
- 	}
--- 
-2.10.2
-
diff --git a/SOURCES/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch b/SOURCES/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
deleted file mode 100644
index 488e8d6..0000000
--- a/SOURCES/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From 2a9e5a9a226a4628546dbaaea59ff78fe32a2352 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 1 Sep 2016 08:08:23 +0200
-Subject: [PATCH] gensec/spnego: work around missing server mechListMIC in SMB
- servers
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Christian Ambach <ambi@samba.org>
-
-Autobuild-User(master): Christian Ambach <ambi@samba.org>
-Autobuild-Date(master): Fri Sep  2 18:10:44 CEST 2016 on sn-devel-144
-
-(cherry picked from commit 9b45ba5cd53bd513eb777590815a0b8408af64e2)
----
- auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 68 insertions(+), 1 deletion(-)
-
-diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
-index ef30ab7..5f5047a 100644
---- a/auth/gensec/spnego.c
-+++ b/auth/gensec/spnego.c
-@@ -55,9 +55,11 @@ struct spnego_state {
- 
- 	DATA_BLOB mech_types;
- 	size_t num_targs;
-+	bool downgraded;
- 	bool mic_requested;
- 	bool needs_mic_sign;
- 	bool needs_mic_check;
-+	bool may_skip_mic_check;
- 	bool done_mic_check;
- 
- 	bool simulate_w2k;
-@@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
- 					 * Indicate the downgrade and request a
- 					 * mic.
- 					 */
-+					spnego_state->downgraded = true;
- 					spnego_state->mic_requested = true;
- 					break;
- 				}
-@@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
- 			DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
- 				 gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
- 				 gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
--
-+			spnego_state->downgraded = true;
- 			spnego_state->no_response_expected = false;
- 			talloc_free(spnego_state->sub_sec_security);
- 			nt_status = gensec_subcontext_start(spnego_state,
-@@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
- 				return NT_STATUS_INVALID_PARAMETER;
- 			}
- 
-+			if (spnego.negTokenTarg.mechListMIC.length == 0
-+			    && spnego_state->may_skip_mic_check) {
-+				/*
-+				 * In this case we don't require
-+				 * a mechListMIC from the server.
-+				 *
-+				 * This works around bugs in the Azure
-+				 * and Apple spnego implementations.
-+				 *
-+				 * See
-+				 * https://bugzilla.samba.org/show_bug.cgi?id=11994
-+				 */
-+				spnego_state->needs_mic_check = false;
-+				nt_status = NT_STATUS_OK;
-+				goto client_response;
-+			}
-+
- 			nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- 							spnego_state->mech_types.data,
- 							spnego_state->mech_types.length,
-@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
- 					 */
- 					new_spnego = false;
- 				}
-+
- 				break;
- 
- 			case SPNEGO_ACCEPT_INCOMPLETE:
-+				if (spnego.negTokenTarg.mechListMIC.length > 0) {
-+					new_spnego = true;
-+					break;
-+				}
-+
-+				if (spnego_state->downgraded) {
-+					/*
-+					 * A downgrade should be protected if
-+					 * supported
-+					 */
-+					break;
-+				}
-+
-+				/*
-+				 * The caller may just asked for
-+				 * GENSEC_FEATURE_SESSION_KEY, this
-+				 * is only reflected in the want_features.
-+				 *
-+				 * As it will imply
-+				 * gensec_have_features(GENSEC_FEATURE_SIGN)
-+				 * to return true.
-+				 */
-+				if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
-+					break;
-+				}
-+				if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
-+					break;
-+				}
-+				/*
-+				 * Here we're sure our preferred mech was
-+				 * selected by the server and our caller doesn't
-+				 * need GENSEC_FEATURE_SIGN nor
-+				 * GENSEC_FEATURE_SEAL support.
-+				 *
-+				 * In this case we don't require
-+				 * a mechListMIC from the server.
-+				 *
-+				 * This works around bugs in the Azure
-+				 * and Apple spnego implementations.
-+				 *
-+				 * See
-+				 * https://bugzilla.samba.org/show_bug.cgi?id=11994
-+				 */
-+				spnego_state->may_skip_mic_check = true;
-+				break;
-+
- 			case SPNEGO_REQUEST_MIC:
- 				if (spnego.negTokenTarg.mechListMIC.length > 0) {
- 					new_spnego = true;
--- 
-2.8.0.rc3.226.g39d4020
-
diff --git a/SOURCES/samba-4.4.7-fix-ctdb-test-install-dir.patch b/SOURCES/samba-4.4.7-fix-ctdb-test-install-dir.patch
deleted file mode 100644
index c75593a..0000000
--- a/SOURCES/samba-4.4.7-fix-ctdb-test-install-dir.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From eb09689c3c1eeae14eeb08352c5342d89b7bf96d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 3 Aug 2016 13:23:31 +0200
-Subject: [PATCH] ctdb-waf: Move ctdb tests to libexec directory
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12104
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Martin Schwenke <martin@meltin.net>
-
-(cherry picked from commit f9c85d04e9edb3af9479e9c83d5b1ec77b9c2ee2)
----
- ctdb/wscript | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/ctdb/wscript b/ctdb/wscript
-index 5739269..a6d1e68 100755
---- a/ctdb/wscript
-+++ b/ctdb/wscript
-@@ -208,7 +208,7 @@ def configure(conf):
- 
-     conf.env.CTDB_TEST_DATADIR = os.path.join(conf.env.EXEC_PREFIX,
-                                               'share/ctdb-tests')
--    conf.env.CTDB_TEST_LIBDIR = os.path.join(conf.env.LIBDIR, 'ctdb-tests')
-+    conf.env.CTDB_TEST_LIBEXECDIR = os.path.join(conf.env.LIBEXECDIR, 'ctdb/tests')
- 
-     # Allow unified compilation and separate compilation of utilities
-     # to find includes
-@@ -637,12 +637,12 @@ def build(bld):
-         bld.SAMBA_BINARY(target,
-                          source=src,
-                          deps='talloc tevent tdb tevent-unix-util',
--                         install_path='${CTDB_TEST_LIBDIR}')
-+                         install_path='${CTDB_TEST_LIBEXECDIR}')
- 
-     bld.SAMBA_BINARY('reqid_test',
-                      source='tests/src/reqid_test.c',
-                      deps='samba-util',
--                     install_path='${CTDB_TEST_LIBDIR}')
-+                     install_path='${CTDB_TEST_LIBEXECDIR}')
- 
-     # Test binaries
-     ctdb_tests = [
-@@ -671,7 +671,7 @@ def build(bld):
-                          source=src,
-                          includes='include',
-                          deps='ctdb-client ctdb-common ctdb-util',
--                         install_path='${CTDB_TEST_LIBDIR}')
-+                         install_path='${CTDB_TEST_LIBEXECDIR}')
- 
-     bld.SAMBA_BINARY('ctdb_takeover_tests',
-                      source='tests/src/ctdb_takeover_tests.c',
-@@ -680,21 +680,21 @@ def build(bld):
-                              ctdb-protocol''' +
-                           ib_deps,
-                      includes='include',
--                     install_path='${CTDB_TEST_LIBDIR}')
-+                     install_path='${CTDB_TEST_LIBEXECDIR}')
- 
-     bld.SAMBA_BINARY('ctdb_functest',
-                      source='tests/src/ctdb_functest.c',
-                      deps='''replace tdb tevent talloc popt ctdb-system
-                              samba-util tdb-wrap''',
-                      includes='include',
--                     install_path='${CTDB_TEST_LIBDIR}')
-+                     install_path='${CTDB_TEST_LIBEXECDIR}')
- 
-     bld.SAMBA_BINARY('ctdb_stubtest',
-                      source='tests/src/ctdb_test.c',
-                      deps='''replace tdb tevent talloc popt ctdb-system
-                              samba-util tdb-wrap''',
-                      includes='include',
--                     install_path='${CTDB_TEST_LIBDIR}')
-+                     install_path='${CTDB_TEST_LIBEXECDIR}')
- 
-     if bld.env.HAVE_INFINIBAND:
-         bld.SAMBA_BINARY('ibwrapper_test',
-@@ -702,7 +702,7 @@ def build(bld):
-                          includes='include',
-                          deps='replace talloc ctdb-client ctdb-common' +
-                               ib_deps,
--                         install_path='${CTDB_TEST_LIBDIR}')
-+                         install_path='${CTDB_TEST_LIBEXECDIR}')
- 
-     test_subdirs = [
-         'complex',
-@@ -734,7 +734,7 @@ def build(bld):
-                           destname=os.path.join('scripts', t))
- 
-     sed_expr = 's@^TEST_SCRIPTS_DIR=.*@&\\nexport TEST_BIN_DIR=\"%s\"@' % (
--               bld.env.CTDB_TEST_LIBDIR)
-+               bld.env.CTDB_TEST_LIBEXECDIR)
-     bld.SAMBA_GENERATOR('ctdb-test-wrap',
-                         source='tests/scripts/test_wrap',
-                         target='test_wrap',
-@@ -743,7 +743,7 @@ def build(bld):
-                       destname='test_wrap', chmod=0755)
- 
-     sed_expr1 = 's@^test_dir=.*@test_dir=%s\\nexport TEST_BIN_DIR=\"%s\"@' % (
--                bld.env.CTDB_TEST_DATADIR, bld.env.CTDB_TEST_LIBDIR)
-+                bld.env.CTDB_TEST_DATADIR, bld.env.CTDB_TEST_LIBEXECDIR)
-     sed_expr2 = 's@^\(export CTDB_TESTS_ARE_INSTALLED\)=false@\\1=true@'
-     bld.SAMBA_GENERATOR('ctdb-test-runner',
-                         source='tests/run_tests.sh',
--- 
-2.9.2
-
diff --git a/SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch b/SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch
deleted file mode 100644
index 44c16a1..0000000
--- a/SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From d29b108d879b4de27d235a1692e090c0993582df Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 6 Jul 2016 12:48:11 +0200
-Subject: [PATCH 1/2] libads: ensure the right ccache is used during gssapi
- bind
-
-When doing gssapi sasl bind:
-1. Try working without kinit only if a password is not
-   provided
-2. When using kinit, ensure the KRB5CCNAME env var is set
-   to a private memory ccache, so that the bind is on behalf
-   of the requested user.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
-(cherry picked from commit 2672968851966e5c01e4fc4d906b45b5c047e655)
----
- source3/libads/sasl.c | 23 ++++++++++++++++-------
- 1 file changed, 16 insertions(+), 7 deletions(-)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index d76d872..6c054cd 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -26,6 +26,7 @@
- #include "smb_krb5.h"
- #include "system/gssapi.h"
- #include "lib/param/loadparm.h"
-+#include "krb5_env.h"
- 
- #ifdef HAVE_LDAP
- 
-@@ -1015,21 +1016,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
- {
- 	ADS_STATUS status;
- 	struct ads_service_principal p;
-+	const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
- 
- 	status = ads_generate_service_principal(ads, &p);
- 	if (!ADS_ERR_OK(status)) {
- 		return status;
- 	}
- 
--	status = ads_sasl_gssapi_do_bind(ads, p.name);
--	if (ADS_ERR_OK(status)) {
--		ads_free_service_principal(&p);
--		return status;
--	}
-+	if (ads->auth.password == NULL ||
-+	    ads->auth.password[0] == '\0') {
-+		status = ads_sasl_gssapi_do_bind(ads, p.name);
-+		if (ADS_ERR_OK(status)) {
-+			ads_free_service_principal(&p);
-+			return status;
-+		}
- 
--	DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
--		  "calling kinit\n", ads_errstr(status)));
-+		DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
-+			  "calling kinit\n", ads_errstr(status)));
-+	}
- 
-+	if (ads->auth.ccache_name != NULL) {
-+		ccache_name = ads->auth.ccache_name;
-+	}
-+	setenv(KRB5_ENV_CCNAME, ccache_name, 1);
- 	status = ADS_ERROR_KRB5(ads_kinit_password(ads));
- 
- 	if (ADS_ERR_OK(status)) {
--- 
-2.5.5
-
-
-From 416ba773c332288e948871d8f649c0310a94f906 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 6 Jul 2016 12:44:11 +0200
-Subject: [PATCH 2/2] libads: ensure the right ccache is used during spnego
- bind
-
-When doing spnego sasl bind:
-1. Try working without kinit only if a password is not
-   provided
-2. When using kinit, ensure the KRB5CCNAME env var is set
-   to a private memory ccache, so that the bind is on behalf
-   of the requested user.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144
-
-(cherry picked from commit a1743de74f09d5bf695f077f5127d02352a014e2)
----
- source3/libads/sasl.c | 29 ++++++++++++++++++++---------
- 1 file changed, 20 insertions(+), 9 deletions(-)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index 6c054cd..85a2eb0 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -749,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- 	    got_kerberos_mechanism) 
- 	{
--		status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
--						     CRED_MUST_USE_KERBEROS,
--						     p.service, p.hostname,
--						     blob);
--		if (ADS_ERR_OK(status)) {
--			ads_free_service_principal(&p);
--			goto done;
-+		const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
-+		if (ads->auth.ccache_name != NULL) {
-+			ccache_name = ads->auth.ccache_name;
- 		}
- 
--		DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
--			  "calling kinit\n", ads_errstr(status)));
-+		if (ads->auth.password == NULL ||
-+		    ads->auth.password[0] == '\0')
-+		{
-+
-+			status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
-+							     CRED_MUST_USE_KERBEROS,
-+							     p.service, p.hostname,
-+							     blob);
-+			if (ADS_ERR_OK(status)) {
-+				ads_free_service_principal(&p);
-+				goto done;
-+			}
-+
-+			DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
-+				  "calling kinit\n", ads_errstr(status)));
-+		}
- 
-+		setenv(KRB5_ENV_CCNAME, ccache_name, 1);
- 		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
- 
- 		if (ADS_ERR_OK(status)) {
--- 
-2.5.5
-
diff --git a/SOURCES/samba-4.4.7-fix_group_substituion_with_ad.patch b/SOURCES/samba-4.4.7-fix_group_substituion_with_ad.patch
deleted file mode 100644
index 0941e07..0000000
--- a/SOURCES/samba-4.4.7-fix_group_substituion_with_ad.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 6dfc274ce5ae036a95ac2d7f6f9182c7f5a5b50f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 19 Sep 2016 13:59:54 +0200
-Subject: [PATCH] s3-lib: Fix %G substitution in AD member environment
-
-If we are a domain member we should look up the user with the domain
-name specified else it will only work if we have
-'winbind use default domain' set.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12276
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 619ca5f63c47ff8b021692aaa756dcb0d883b8dd)
----
- source3/lib/substitute.c | 24 ++++++++++++++++++------
- 1 file changed, 18 insertions(+), 6 deletions(-)
-
-diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
-index 4e2ce9b..1f98327 100644
---- a/source3/lib/substitute.c
-+++ b/source3/lib/substitute.c
-@@ -499,15 +499,18 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx,
- 			break;
- 		case 'G' : {
- 			struct passwd *pass;
-+			bool is_domain_name = false;
-+			const char *sep = lp_winbind_separator();
- 
- 			if (domain_name != NULL && domain_name[0] != '\0' &&
--			    !strequal(domain_name, my_sam_name()))
--			{
-+			    (lp_security() == SEC_ADS ||
-+			     lp_security() == SEC_DOMAIN)) {
- 				r = talloc_asprintf(tmp_ctx,
- 						    "%s%c%s",
- 						    domain_name,
--						    *lp_winbind_separator(),
-+						    *sep,
- 						    smb_name);
-+				is_domain_name = true;
- 			} else {
- 				r = talloc_strdup(tmp_ctx, smb_name);
- 			}
-@@ -517,9 +520,18 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx,
- 
- 			pass = Get_Pwnam_alloc(tmp_ctx, r);
- 			if (pass != NULL) {
--				a_string = realloc_string_sub(
--					a_string, "%G",
--					gidtoname(pass->pw_gid));
-+				char *group_name;
-+
-+				group_name = gidtoname(pass->pw_gid);
-+				if (is_domain_name) {
-+					p = strchr_m(group_name, *sep);
-+					if (p != NULL) {
-+						group_name = p + 1;
-+					}
-+				}
-+				a_string = realloc_string_sub(a_string,
-+							      "%G",
-+							      group_name);
- 			}
- 			TALLOC_FREE(pass);
- 			break;
--- 
-2.10.1
-
-From d851e487422808b6d3ba2738daa1c697e569bd27 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Wed, 12 Oct 2016 12:35:12 +0200
-Subject: [PATCH] lib: Fix CID 1373623 Dereference after null check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We should not overload "p", this is used in the outer loop
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12276
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 6ec81ca3c196f3c4659a4e1c473759b393708d12)
----
- source3/lib/substitute.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
-index 1f98327..f56e2c4 100644
---- a/source3/lib/substitute.c
-+++ b/source3/lib/substitute.c
-@@ -524,9 +524,10 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx,
- 
- 				group_name = gidtoname(pass->pw_gid);
- 				if (is_domain_name) {
--					p = strchr_m(group_name, *sep);
--					if (p != NULL) {
--						group_name = p + 1;
-+					char *group_sep;
-+					group_sep = strchr_m(group_name, *sep);
-+					if (group_sep != NULL) {
-+						group_name = group_sep + 1;
- 					}
- 				}
- 				a_string = realloc_string_sub(a_string,
--- 
-2.10.1
-
diff --git a/SOURCES/samba-4.4.7-fix_idmap_range_checks.patch b/SOURCES/samba-4.4.7-fix_idmap_range_checks.patch
deleted file mode 100644
index 34ca572..0000000
--- a/SOURCES/samba-4.4.7-fix_idmap_range_checks.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 70bab87ab37d30521a65056fd6f6a3f4f8bf6716 Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Mon, 15 Aug 2016 23:07:33 +0200
-Subject: [PATCH 1/2] idmap: don't generally forbid id==0 from
- idmap_unix_id_is_in_range()
-
-If the range allows it, then id==0 should not be forbidden.
-This seems to have been taken in from idmap_ldap when the
-function was originally created.
-
-See 634cd2e0451d4388c3e3f78239495cf595368b15 .
-The other backends don't seem to have had that
-extra check for id == 0.
-
-The reasoning for this change is that the range check should
-apply to all cases. If the range includes the 0, then it
-should be possible to get it as result. In particular,
-this way, the function becomes applicable also to the
-passdb backend case, e.g. in a samba4-ad-dc setup where
-the Admin gets uid == 0.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit c21976d4b1c604699299f2c0f768c1add93b349d)
----
- source3/winbindd/idmap_util.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c
-index f90565f..b6f7b52 100644
---- a/source3/winbindd/idmap_util.c
-+++ b/source3/winbindd/idmap_util.c
-@@ -160,11 +160,6 @@ backend:
-  */
- bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom)
- {
--	if (id == 0) {
--		/* 0 is not an allowed unix id for id mapping */
--		return false;
--	}
--
- 	if ((dom->low_id && (id < dom->low_id)) ||
- 	    (dom->high_id && (id > dom->high_id)))
- 	{
--- 
-2.7.4
-
-
-From 739167276bc26dfc62acdd96cc9cadb5f88dd02b Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Tue, 9 Aug 2016 18:25:12 +0200
-Subject: [PATCH 2/2] idmap: centrally check that unix IDs returned by the
- idmap backends are in range
-
-Note: in the long run, it might be good to move this kind of
-exit check (before handing the result back to the client)
-to the parent winbindd code.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155
-
-Signed-off-by: Michael Adam <obnox@samba.org>
-
-(Backported from master commit b2bf61307cffd8ff7b6fb9852c107ab763653119.)
----
- source3/winbindd/winbindd_dual_srv.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
-index cdd9bbd..630d28a 100644
---- a/source3/winbindd/winbindd_dual_srv.c
-+++ b/source3/winbindd/winbindd_dual_srv.c
-@@ -203,6 +203,10 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p,
- 		for (j=0; j<num_ids; j++) {
- 			struct wbint_TransID *id = &r->in.ids->ids[id_idx[j]];
- 
-+			if (!idmap_unix_id_is_in_range(ids[j].xid.id, dom)) {
-+				ids[j].status = ID_UNMAPPED;
-+			}
-+
- 			if (ids[j].status != ID_MAPPED) {
- 				id->xid.id = UINT32_MAX;
- 				id->xid.type = ID_TYPE_NOT_SPECIFIED;
--- 
-2.7.4
-
diff --git a/SOURCES/samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch b/SOURCES/samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch
deleted file mode 100644
index 2fc8f57..0000000
--- a/SOURCES/samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From b863a62ef2c1e71f3cdf4c74994369baa45dbce7 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Wed, 3 Aug 2016 15:00:45 +0200
-Subject: [PATCH] async_req: make async_connect_send() "reentrant"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Allow callers to pass in socket fds that where already passed to an
-earlier call of async_connect_send(). Callers expect this behaviour and
-it was working until 05d4dbda8357712cb81008e0d611fdb0e7239587 broke it.
-
-The proper fix would be to change callers to close the fd and start from
-scratch with a fresh socket.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=12105
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Ralph Böhme <slow@samba.org>
-Autobuild-Date(master): Thu Aug  4 05:03:21 CEST 2016 on sn-devel-144
-
-(cherry picked from commit 9c6a4ea2788808bdcc7bfea798d838ea56c3b5ec)
----
- lib/async_req/async_sock.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
-index c14acf3..3af1748 100644
---- a/lib/async_req/async_sock.c
-+++ b/lib/async_req/async_sock.c
-@@ -128,11 +128,21 @@ struct tevent_req *async_connect_send(
- 	}
- 
- 	/*
--	 * The only errno indicating that the connect is still in
--	 * flight is EINPROGRESS, everything else is an error
-+	 * The only errno indicating that an initial connect is still
-+	 * in flight is EINPROGRESS.
-+	 *
-+	 * We get EALREADY when someone calls us a second time for a
-+	 * given fd and the connect is still in flight (and returned
-+	 * EINPROGRESS the first time).
-+	 *
-+	 * This allows callers like open_socket_out_send() to reuse
-+	 * fds and call us with an fd for which the connect is still
-+	 * in flight. The proper thing to do for callers would be
-+	 * closing the fd and starting from scratch with a fresh
-+	 * socket.
- 	 */
- 
--	if (errno != EINPROGRESS) {
-+	if (errno != EINPROGRESS && errno != EALREADY) {
- 		tevent_req_error(req, errno);
- 		return tevent_req_post(req, ev);
- 	}
--- 
-2.7.4
-
diff --git a/SOURCES/samba-4.4.7-fix_smget_auth_callback.patch b/SOURCES/samba-4.4.7-fix_smget_auth_callback.patch
deleted file mode 100644
index ecde81b..0000000
--- a/SOURCES/samba-4.4.7-fix_smget_auth_callback.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 8fec0f145a06d900bbcfc8959749cc78ab6be8ed Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 25 Aug 2016 14:24:08 +0200
-Subject: [PATCH] s3-util: Fix asking for username and password in smbget.
-
-If the user specified the username in the URI with with:
-
-  smb://DOMAIN;user:secret@server/share
-
-the tool should not prompt for the username nor the password.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12175
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-(cherry picked from commit f5401ff3146aabc5fb2dac25e4856c6c3756c8f7)
----
- source3/utils/smbget.c | 26 ++++++++++++--------------
- 1 file changed, 12 insertions(+), 14 deletions(-)
-
-diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
-index 4909fa2..74ca7f8 100644
---- a/source3/utils/smbget.c
-+++ b/source3/utils/smbget.c
-@@ -105,7 +105,6 @@ static void get_auth_data(const char *srv, const char *shr, char *wg, int wglen,
- 	static char *savedwg;
- 	static char *savedun;
- 	static char *savedpw;
--	char tmp[128];
- 
- 	if (hasasked) {
- 		strncpy(wg, savedwg, wglen - 1);
-@@ -115,23 +114,22 @@ static void get_auth_data(const char *srv, const char *shr, char *wg, int wglen,
- 	}
- 	hasasked = true;
- 
--	if (!opt.nonprompt && !opt.username_specified) {
--		printf("Username for %s at %s [guest] ", shr, srv);
--		if (fgets(tmp, sizeof(tmp), stdin) == NULL) {
--			return;
--		}
--		if ((strlen(tmp) > 0) && (tmp[strlen(tmp) - 1] == '\n')) {
--			tmp[strlen(tmp) - 1] = '\0';
--		}
--		strncpy(un, tmp, unlen - 1);
--	} else if (opt.username != NULL) {
-+	/*
-+	 * If no user has been specified un is initialized with the current
-+	 * username of the user who started smbget.
-+	 */
-+	if (opt.username_specified) {
- 		strncpy(un, opt.username, unlen - 1);
- 	}
- 
--	if (!opt.nonprompt && !opt.password_specified) {
-+	if (!opt.nonprompt && !opt.password_specified && pw[0] == '\0') {
- 		char *prompt;
--		if (asprintf(&prompt, "Password for %s at %s: ", shr, srv) ==
--		    -1) {
-+		int rc;
-+
-+		rc = asprintf(&prompt,
-+			      "Password for [%s] connecting to //%s/%s: ",
-+			      un, shr, srv);
-+		if (rc == -1) {
- 			return;
- 		}
- 		(void)samba_getpass(prompt, pw, pwlen, false, false);
--- 
-2.9.3
-
diff --git a/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch b/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch
deleted file mode 100644
index 0802eb5..0000000
--- a/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From 66668deb267d63f17c70aaea6f720a7c440bb71c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 10 Oct 2016 15:53:26 +0200
-Subject: [PATCH 1/3] HEIMDAL:lib/krb5: destroy a memory ccache on reinit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
-(cherry picked from commit 2abc3710a8a63327a769ba0482c553ed274b2113)
----
- source4/heimdal/lib/krb5/mcache.c | 52 ++++++++++++++++++++++++++-------------
- 1 file changed, 35 insertions(+), 17 deletions(-)
-
-diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c
-index e4b90c1..dc79b87 100644
---- a/source4/heimdal/lib/krb5/mcache.c
-+++ b/source4/heimdal/lib/krb5/mcache.c
-@@ -155,13 +155,47 @@ mcc_gen_new(krb5_context context, krb5_ccache *id)
-     return 0;
- }
- 
-+static void KRB5_CALLCONV
-+mcc_destroy_internal(krb5_context context,
-+		     krb5_mcache *m)
-+{
-+    struct link *l;
-+
-+    if (m->primary_principal != NULL) {
-+	krb5_free_principal (context, m->primary_principal);
-+	m->primary_principal = NULL;
-+    }
-+    m->dead = 1;
-+
-+    l = m->creds;
-+    while (l != NULL) {
-+	struct link *old;
-+
-+	krb5_free_cred_contents (context, &l->cred);
-+	old = l;
-+	l = l->next;
-+	free (old);
-+    }
-+
-+    m->creds = NULL;
-+    return;
-+}
-+
- static krb5_error_code KRB5_CALLCONV
- mcc_initialize(krb5_context context,
- 	       krb5_ccache id,
- 	       krb5_principal primary_principal)
- {
-     krb5_mcache *m = MCACHE(id);
-+    /*
-+     * It's important to destroy any existing
-+     * creds here, that matches the baheviour
-+     * of all other backends and also the
-+     * MEMORY: backend in MIT.
-+     */
-+    mcc_destroy_internal(context, m);
-     m->dead = 0;
-+    m->kdc_offset = 0;
-     m->mtime = time(NULL);
-     return krb5_copy_principal (context,
- 				primary_principal,
-@@ -195,7 +229,6 @@ mcc_destroy(krb5_context context,
- 	    krb5_ccache id)
- {
-     krb5_mcache **n, *m = MCACHE(id);
--    struct link *l;
- 
-     if (m->refcnt == 0)
- 	krb5_abortx(context, "mcc_destroy: refcnt already 0");
-@@ -211,22 +244,7 @@ mcc_destroy(krb5_context context,
- 	    }
- 	}
- 	HEIMDAL_MUTEX_unlock(&mcc_mutex);
--	if (m->primary_principal != NULL) {
--	    krb5_free_principal (context, m->primary_principal);
--	    m->primary_principal = NULL;
--	}
--	m->dead = 1;
--
--	l = m->creds;
--	while (l != NULL) {
--	    struct link *old;
--
--	    krb5_free_cred_contents (context, &l->cred);
--	    old = l;
--	    l = l->next;
--	    free (old);
--	}
--	m->creds = NULL;
-+	mcc_destroy_internal(context, m);
-     }
-     return 0;
- }
--- 
-1.9.1
-
-
-From 5484f6cb0d812d11234347f592dff1a15ef5ef50 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 10 Oct 2016 17:07:12 +0200
-Subject: [PATCH 2/3] s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor
- set "KRB5CCNAME"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
-(cherry picked from commit 890b1bbdb8e965c4ff6e35214acc96ffbbff5dfd)
----
- source3/libads/sasl.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index 85a2eb0..4e4486f 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -1027,7 +1027,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
- {
- 	ADS_STATUS status;
- 	struct ads_service_principal p;
--	const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
- 
- 	status = ads_generate_service_principal(ads, &p);
- 	if (!ADS_ERR_OK(status)) {
-@@ -1046,10 +1045,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
- 			  "calling kinit\n", ads_errstr(status)));
- 	}
- 
--	if (ads->auth.ccache_name != NULL) {
--		ccache_name = ads->auth.ccache_name;
--	}
--	setenv(KRB5_ENV_CCNAME, ccache_name, 1);
- 	status = ADS_ERROR_KRB5(ads_kinit_password(ads));
- 
- 	if (ADS_ERR_OK(status)) {
--- 
-1.9.1
-
-
-From 012e763219f42071ced497fcc0ecd387789efd4f Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 10 Oct 2016 17:07:12 +0200
-Subject: [PATCH 3/3] s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set
- "KRB5CCNAME"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144
-
-(cherry picked from commit a5f895a53016af71db53967062728fec5bc307ca)
----
- source3/libads/sasl.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index 4e4486f..39c60c3 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -749,11 +749,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- 	    got_kerberos_mechanism) 
- 	{
--		const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
--		if (ads->auth.ccache_name != NULL) {
--			ccache_name = ads->auth.ccache_name;
--		}
--
- 		if (ads->auth.password == NULL ||
- 		    ads->auth.password[0] == '\0')
- 		{
-@@ -771,7 +766,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
- 				  "calling kinit\n", ads_errstr(status)));
- 		}
- 
--		setenv(KRB5_ENV_CCNAME, ccache_name, 1);
- 		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
- 
- 		if (ADS_ERR_OK(status)) {
--- 
-1.9.1
-
diff --git a/SOURCES/samba-4.6.2.tar.asc b/SOURCES/samba-4.6.2.tar.asc
new file mode 100644
index 0000000..9d1e563
--- /dev/null
+++ b/SOURCES/samba-4.6.2.tar.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz
+DQw3KuAbWCKIgkHcy1zZr2o=
+=bIg5
+-----END PGP SIGNATURE-----
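Review bot: The detached signature added here only protects the build if something checks it, and that check is not in this part of the diff. The spec's %prep should verify the tarball against this file with the pinned `gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg` keyring before unpacking. The name `samba-4.6.2.tar.asc` suggests the signature covers the uncompressed tar, so the verifier would need the decompressed stream rather than `samba-4.6.2.tar.xz` itself. The armored packet appears to be a DSA signature over a SHA-1 digest (old `GnuPG v1` output), so it is best treated as one check alongside the pinned tarball checksum, not the only one.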
diff --git a/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch
new file mode 100644
index 0000000..f89ec30
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch
@@ -0,0 +1,37 @@
+From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 5 Jan 2017 09:34:36 +0100
+Subject: [PATCH] replace: Include sysmacros.h
+
+In the GNU C Library, "makedev" is defined by <sys/sysmacros.h>. For
+historical compatibility, it is currently defined by <sys/types.h> as
+well, but it is planned to remove this soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+
+(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
+---
+ lib/replace/replace.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/replace/replace.h b/lib/replace/replace.h
+index c69a069e4b3..1dbeacfff66 100644
+--- a/lib/replace/replace.h
++++ b/lib/replace/replace.h
+@@ -171,6 +171,10 @@
+ #include <sys/types.h>
+ #endif
+ 
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
++
+ #ifdef HAVE_SETPROCTITLE_H
+ #include <setproctitle.h>
+ #endif
+-- 
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
new file mode 100644
index 0000000..02db440
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
@@ -0,0 +1,1731 @@
+From 76aae7405595ca76bc0419a97f4a69e0ed528b32 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 29 Dec 2016 14:00:36 +0100
+Subject: [PATCH 01/20] s4:gensec_gssapi: the value
+ gensec_get_target_principal() should overwrite gensec_get_target_hostname()
+
+If gensec_get_target_principal() has a value, we no longer have to verify
+the gensec_get_target_hostname() value, it can be just an ipadress.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 48bcca566ebb3a5385b15b0525d7fbdd06361e04)
+---
+ source4/auth/gensec/gensec_gssapi.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index a6c4019aa6f..3974c3d42a0 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -307,7 +307,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ 	gss_buffer_desc name_token;
+ 	gss_OID name_type;
+ 	OM_uint32 maj_stat, min_stat;
++	const char *target_principal = NULL;
+ 	const char *hostname = gensec_get_target_hostname(gensec_security);
++	const char *service = gensec_get_target_service(gensec_security);
++	const char *realm = cli_credentials_get_realm(creds);
++
++	target_principal = gensec_get_target_principal(gensec_security);
++	if (target_principal != NULL) {
++		goto do_start;
++	}
+ 
+ 	if (!hostname) {
+ 		DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n"));
+@@ -322,6 +330,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
++do_start:
++
+ 	nt_status = gensec_gssapi_start(gensec_security);
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+ 		return nt_status;
+@@ -333,16 +343,18 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ 		gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
+ 	}
+ 
+-	gensec_gssapi_state->target_principal = gensec_get_target_principal(gensec_security);
+-	if (gensec_gssapi_state->target_principal) {
++	if (target_principal != NULL) {
+ 		name_type = GSS_C_NULL_OID;
+ 	} else {
+-		gensec_gssapi_state->target_principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s",
+-					    gensec_get_target_service(gensec_security), 
+-					    hostname, cli_credentials_get_realm(creds));
+-
++		target_principal = talloc_asprintf(gensec_gssapi_state,
++					"%s/%s@%s", service, hostname, realm);
++		if (target_principal == NULL) {
++			return NT_STATUS_NO_MEMORY;
++		}
+ 		name_type = GSS_C_NT_USER_NAME;
+ 	}
++	gensec_gssapi_state->target_principal = target_principal;
++
+ 	name_token.value  = discard_const_p(uint8_t, gensec_gssapi_state->target_principal);
+ 	name_token.length = strlen(gensec_gssapi_state->target_principal);
+ 
+-- 
+2.12.0
+
+
+From 12d74cd165db3603ba2f3a58343e9a82fb22ee93 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 29 Dec 2016 15:20:00 +0100
+Subject: [PATCH 02/20] s4:gensec_gssapi: require a realm in
+ gensec_gssapi_client_start()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 3a870baee8d9dbe5359f04a108814afc27e57d46)
+---
+ source4/auth/gensec/gensec_gssapi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 3974c3d42a0..957cfa4229d 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -330,6 +330,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
++	if (realm == NULL) {
++		const char *cred_name = cli_credentials_get_unparsed_name(creds,
++									  gensec_security);
++		DEBUG(3, ("cli_credentials(%s) without realm, "
++			  "cannot use kerberos for this connection %s/%s\n",
++			  cred_name, service, hostname));
++		talloc_free(discard_const_p(char, cred_name));
++		return NT_STATUS_INVALID_PARAMETER;
++	}
++
+ do_start:
+ 
+ 	nt_status = gensec_gssapi_start(gensec_security);
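Review bot: `cred_name` is passed to the `%s` in the DEBUG message of the new realm check without a NULL test, so if cli_credentials_get_unparsed_name() fails to allocate, the log call formats a NULL pointer; guard it with something like `cred_name != NULL ? cred_name : "(unknown)"`. Declaring it `const char *` only to strip the qualifier again in `talloc_free(discard_const_p(char, cred_name))` is awkward; a plain `char *cred_name` with `TALLOC_FREE(cred_name)` reads better, assuming the getter returns a non-const string. The check sits before the `do_start:` label, so it is skipped whenever a target principal was supplied; a one-line comment saying that this is intended would help. The body of gensec_gssapi_client_start() continues outside the hunk.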
+-- 
+2.12.0
+
+
+From beb9e4379333872ff1e5a3422ba70ccb409e9915 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 6 Mar 2017 09:13:09 +0100
+Subject: [PATCH 03/20] testprogs: Use smbclient by default in
+ test_kinit_trusts
+
+This is the tool we use by default and we should test with it.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 9b3ff90dbc5cc1017dfc89831a1081272e6c2356)
+---
+ testprogs/blackbox/test_kinit_trusts_heimdal.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
+index 073e0e7517e..040bf919203 100755
+--- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh
++++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
+@@ -32,7 +32,7 @@ if test -x $samba4bindir/samba4kinit; then
+ 	samba4kinit=$samba4bindir/samba4kinit
+ fi
+ 
+-smbclient="$samba4bindir/smbclient4"
++smbclient="$samba4bindir/smbclient"
+ wbinfo="$samba4bindir/wbinfo"
+ rpcclient="$samba4bindir/rpcclient"
+ samba_tool="$samba4bindir/samba-tool"
+-- 
+2.12.0
+
+
+From 7feebdec869ed633bea612630ebca8d9b85a3e2e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 6 Mar 2017 09:15:45 +0100
+Subject: [PATCH 04/20] testprogs: Add kinit_trusts tests with smbclient4
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 42bd003f468ab95b6ac97c774e2cd217d06c05ed)
+---
+ testprogs/blackbox/test_kinit_trusts_heimdal.sh | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
+index 040bf919203..e67f77361a4 100755
+--- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh
++++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
+@@ -52,8 +52,16 @@ rm -rf $KRB5CCNAME_PATH
+ echo $TRUST_PASSWORD > $PREFIX/tmppassfile
+ testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM   || failed=`expr $failed + 1`
+ test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
++rm -rf $KRB5CCNAME_PATH
++
++# Test with smbclient4
++smbclient="$samba4bindir/smbclient4"
++testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM   || failed=`expr $failed + 1`
++test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
++rm -rf $KRB5CCNAME_PATH
+ 
+ testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM   || failed=`expr $failed + 1`
++smbclient="$samba4bindir/smbclient"
+ test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+ 
+ if test x"${TYPE}" = x"forest" ;then
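Review bot: The smbclient4 run reuses the test name `"kinit with password"` from the line above it, so the two results cannot be told apart in the test output; name it `"kinit with password (smbclient4)"`, matching the login test that follows. `smbclient` is switched to smbclient4 and only switched back after the enterprise-style kinit, which makes the script order-dependent; a comment at the reset, or saving and restoring the value around the smbclient4 section, would make that explicit. The added `rm -rf $KRB5CCNAME_PATH` lines expand the variable unquoted, and `rm -rf "$KRB5CCNAME_PATH"` is the safer form.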
+-- 
+2.12.0
+
+
+From cae7475df03e7d464dc8642a7a02dad388215d1e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 10:40:08 +0100
+Subject: [PATCH 05/20] krb5_wrap: Do not return an empty realm from
+ smb_krb5_get_realm_from_hostname()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 946f9dd1170be63b91e31ce825ea123f3c07329b)
+---
+ lib/krb5_wrap/krb5_samba.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 10b42dec53f..9dc7304d566 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2691,7 +2691,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ 		goto out;
+ 	}
+ 
+-	if (realm_list && realm_list[0]) {
++	if (realm_list != NULL &&
++	    realm_list[0] != NULL &&
++	    realm_list[0][0] != '\0') {
+ 		realm = talloc_strdup(mem_ctx, realm_list[0]);
+ 	}
+ 
+-- 
+2.12.0
+
+
+From 1d2b4a00e2a1213df81192e01f2d833ed4a6ec54 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 10:48:52 +0100
+Subject: [PATCH 06/20] krb5_wrap: Try to guess the correct realm from the
+ service hostname
+
+If we do not get a realm mapping from the krb5.conf or from the Kerberos
+library try to guess it from the service hostname. The guessing of the
+realm from the service hostname is already implemented in Heimdal. This
+makes the behavior of smb_krb5_get_realm_from_hostname() consistent
+with both MIT and Heimdal.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 65228925ab3c4da4ae299f77cae219fc7d37cc68)
+---
+ lib/krb5_wrap/krb5_samba.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 9dc7304d566..f8ef9f1df0f 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2695,6 +2695,19 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ 	    realm_list[0] != NULL &&
+ 	    realm_list[0][0] != '\0') {
+ 		realm = talloc_strdup(mem_ctx, realm_list[0]);
++	} else {
++		const char *p = NULL;
++
++		/*
++		 * "dc6.samba2003.example.com"
++		 * returns a realm of "SAMBA2003.EXAMPLE.COM"
++		 *
++		 * "dc6." returns realm as NULL
++		 */
++		p = strchr_m(hostname, '.');
++		if (p != NULL && p[1] != '\0') {
++			realm = talloc_strdup_upper(mem_ctx, p + 1);
++		}
+ 	}
+ 
+   out:
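Review bot: The fallback in the new `else` branch takes everything after the first dot as the realm, which the comment covers for "dc6." but not for two other inputs. A fully-qualified name with a trailing dot ("dc6.samba2003.example.com.") yields a realm that ends in ".", and a dotted IPv4 literal yields its last three octets as the realm. Later patches in this series put this realm into the service principal that is requested, so it would be safer to skip the guess for address literals, strip a trailing dot first, and extend the comment with those cases. The result of `talloc_strdup_upper()` is not checked in this hunk, so an allocation failure looks the same as "no realm guessed". The function starts and ends outside the hunk.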
+-- 
+2.12.0
+
+
+From 0e99683587c9047055ca6432fae0a11604710b69 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 11:56:30 +0100
+Subject: [PATCH 07/20] krb5_wrap: pass client_realm to
+ smb_krb5_get_realm_from_hostname()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit f0c4fcace586197d5c170f6a9dcc175df23e3802)
+---
+ lib/krb5_wrap/krb5_samba.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index f8ef9f1df0f..36bcc65e22a 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2664,7 +2664,8 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
+ ************************************************************************/
+ 
+ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+-						const char *hostname)
++						const char *hostname,
++						const char *client_realm)
+ {
+ #if defined(HAVE_KRB5_REALM_TYPE)
+ 	/* Heimdal. */
+@@ -2695,6 +2696,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ 	    realm_list[0] != NULL &&
+ 	    realm_list[0][0] != '\0') {
+ 		realm = talloc_strdup(mem_ctx, realm_list[0]);
++		if (realm == NULL) {
++			goto out;
++		}
+ 	} else {
+ 		const char *p = NULL;
+ 
+@@ -2707,9 +2711,16 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ 		p = strchr_m(hostname, '.');
+ 		if (p != NULL && p[1] != '\0') {
+ 			realm = talloc_strdup_upper(mem_ctx, p + 1);
++			if (realm == NULL) {
++				goto out;
++			}
+ 		}
+ 	}
+ 
++	if (realm == NULL) {
++		realm = talloc_strdup(mem_ctx, client_realm);
++	}
++
+   out:
+ 
+ 	if (ctx) {
+@@ -2752,7 +2763,8 @@ char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+ 	if (host) {
+ 		/* DNS name. */
+ 		realm = smb_krb5_get_realm_from_hostname(talloc_tos(),
+-							 remote_name);
++							 remote_name,
++							 default_realm);
+ 	} else {
+ 		/* NetBIOS name - use our realm. */
+ 		realm = smb_krb5_get_default_realm_from_ccache(talloc_tos());
+-- 
+2.12.0
+
+
+From 6876b0d12f8aad4448f4a7d770db7ff129df6c50 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 11:56:30 +0100
+Subject: [PATCH 08/20] krb5_wrap: Make smb_krb5_get_realm_from_hostname()
+ public
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 339a2ecb3f05d0c9e860a5dd59b8bdbc51d4ffa7)
+---
+ lib/krb5_wrap/krb5_samba.c | 28 +++++++++++++++++++++-------
+ lib/krb5_wrap/krb5_samba.h |  4 ++++
+ 2 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 36bcc65e22a..2b0ec6bfa0e 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2659,13 +2659,27 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
+ 	return realm;
+ }
+ 
+-/************************************************************************
+- Routine to get the realm from a given DNS name.
+-************************************************************************/
+-
+-static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+-						const char *hostname,
+-						const char *client_realm)
++/**
++ * @brief Get the realm from the service hostname.
++ *
++ * This function will look for a domain realm mapping in the [domain_realm]
++ * section of the krb5.conf first and fallback to extract the realm from
++ * the provided service hostname. As a last resort it will return the
++ * provided client_realm.
++ *
++ * @param[in]  mem_ctx     The talloc context
++ *
++ * @param[in]  hostname    The service hostname
++ *
++ * @param[in]  client_realm  If we can not find a mapping, fall back to
++ *                           this realm.
++ *
++ * @return The realm to use for the service hostname, NULL if a fatal error
++ *         occured.
++ */
++char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
++				       const char *hostname,
++				       const char *client_realm)
+ {
+ #if defined(HAVE_KRB5_REALM_TYPE)
+ 	/* Heimdal. */
+diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
+index 71e81ea26e1..accae449a0e 100644
+--- a/lib/krb5_wrap/krb5_samba.h
++++ b/lib/krb5_wrap/krb5_samba.h
+@@ -314,6 +314,10 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
+ 					     krb5_principal principal,
+ 					     const char *realm);
+ 
++char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
++				       const char *hostname,
++				       const char *client_realm);
++
+ char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+ 						   const char *service,
+ 						   const char *remote_name,
+-- 
+2.12.0
+
+
+From 08a81c315129c3d07637a8a5064b4ef988864efd Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 6 Mar 2017 09:19:13 +0100
+Subject: [PATCH 09/20] s4:gensec-gssapi: Create a helper function to setup
+ server_principal
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 8f7c4529420316b553c80cd3d19b6996525b029a)
+---
+ source4/auth/gensec/gensec_gssapi.c | 88 +++++++++++++++++++++++++------------
+ source4/auth/gensec/gensec_gssapi.h |  2 +-
+ 2 files changed, 61 insertions(+), 29 deletions(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 957cfa4229d..ec57d193714 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -83,6 +83,56 @@ static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_st
+ 	return 0;
+ }
+ 
++static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx,
++						     const char *target_principal,
++						     const char *service,
++						     const char *hostname,
++						     const char *realm,
++						     const gss_OID mech,
++						     char **pserver_principal,
++						     gss_name_t *pserver_name)
++{
++	char *server_principal = NULL;
++	gss_buffer_desc name_token;
++	gss_OID name_type;
++	OM_uint32 maj_stat, min_stat = 0;
++
++	if (target_principal != NULL) {
++		server_principal = talloc_strdup(mem_ctx, target_principal);
++		name_type = GSS_C_NULL_OID;
++	} else {
++		server_principal = talloc_asprintf(mem_ctx,
++						   "%s/%s@%s",
++						   service, hostname, realm);
++		name_type = GSS_C_NT_USER_NAME;
++	}
++	if (server_principal == NULL) {
++		return NT_STATUS_NO_MEMORY;
++	}
++
++	name_token.value = (uint8_t *)server_principal;
++	name_token.length = strlen(server_principal);
++
++	maj_stat = gss_import_name(&min_stat,
++				   &name_token,
++				   name_type,
++				   pserver_name);
++	if (maj_stat) {
++		DBG_WARNING("GSS Import name of %s failed: %s\n",
++			    server_principal,
++			    gssapi_error_string(mem_ctx,
++						maj_stat,
++						min_stat,
++						mech));
++		TALLOC_FREE(server_principal);
++		return NT_STATUS_INVALID_PARAMETER;
++	}
++
++	*pserver_principal = server_principal;
++
++	return NT_STATUS_OK;
++}
++
+ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
+ {
+ 	struct gensec_gssapi_state *gensec_gssapi_state;
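Review bot: gensec_gssapi_setup_server_principal() is added without a comment on who owns its two outputs. A header comment should say that `*pserver_principal` is allocated on `mem_ctx`, that `*pserver_name` comes from gss_import_name() and must be released by the caller with gss_release_name(), that `target_principal` takes precedence over `service`/`hostname`/`realm`, and that `*pserver_principal` is left untouched on failure. It should also state that `service`, `hostname` and `realm` must be non-NULL when `target_principal` is NULL, because they are formatted with `"%s/%s@%s"` unchecked. The string returned by gssapi_error_string() is presumably allocated on `mem_ctx` and is not freed in the failure path, which may be worth cleaning up if `mem_ctx` is long-lived.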
+@@ -304,9 +354,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
+ 	struct gensec_gssapi_state *gensec_gssapi_state;
+ 	struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+ 	NTSTATUS nt_status;
+-	gss_buffer_desc name_token;
+-	gss_OID name_type;
+-	OM_uint32 maj_stat, min_stat;
+ 	const char *target_principal = NULL;
+ 	const char *hostname = gensec_get_target_hostname(gensec_security);
+ 	const char *service = gensec_get_target_service(gensec_security);
+@@ -353,31 +400,16 @@ do_start:
+ 		gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
+ 	}
+ 
+-	if (target_principal != NULL) {
+-		name_type = GSS_C_NULL_OID;
+-	} else {
+-		target_principal = talloc_asprintf(gensec_gssapi_state,
+-					"%s/%s@%s", service, hostname, realm);
+-		if (target_principal == NULL) {
+-			return NT_STATUS_NO_MEMORY;
+-		}
+-		name_type = GSS_C_NT_USER_NAME;
+-	}
+-	gensec_gssapi_state->target_principal = target_principal;
+-
+-	name_token.value  = discard_const_p(uint8_t, gensec_gssapi_state->target_principal);
+-	name_token.length = strlen(gensec_gssapi_state->target_principal);
+-
+-
+-	maj_stat = gss_import_name (&min_stat,
+-				    &name_token,
+-				    name_type,
+-				    &gensec_gssapi_state->server_name);
+-	if (maj_stat) {
+-		DEBUG(2, ("GSS Import name of %s failed: %s\n",
+-			  (char *)name_token.value,
+-			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+-		return NT_STATUS_INVALID_PARAMETER;
++	nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
++							 target_principal,
++							 service,
++							 hostname,
++							 realm,
++							 gensec_gssapi_state->gss_oid,
++							 &gensec_gssapi_state->target_principal,
++							 &gensec_gssapi_state->server_name);
++	if (!NT_STATUS_IS_OK(nt_status)) {
++		return nt_status;
+ 	}
+ 
+ 	return NT_STATUS_OK;
+diff --git a/source4/auth/gensec/gensec_gssapi.h b/source4/auth/gensec/gensec_gssapi.h
+index cf0e3a8d914..d788b5ebc38 100644
+--- a/source4/auth/gensec/gensec_gssapi.h
++++ b/source4/auth/gensec/gensec_gssapi.h
+@@ -65,5 +65,5 @@ struct gensec_gssapi_state {
+ 	int gss_exchange_count;
+ 	size_t sig_size;
+ 
+-	const char *target_principal;
++	char *target_principal;
+ };
+-- 
+2.12.0
+
+
+From 78a76c53e9b0e7caf67a43eeb7929a4fe94fa25e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 12:34:59 +0100
+Subject: [PATCH 10/20] s4:gensec_gssapi: Move setup of service_principal to
+ update function
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit bf6358bf035e7ad48bd15cc2164afab2a19e7ad6)
+---
+ source4/auth/gensec/gensec_gssapi.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index ec57d193714..6cb4431e0d9 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -400,18 +400,6 @@ do_start:
+ 		gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
+ 	}
+ 
+-	nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+-							 target_principal,
+-							 service,
+-							 hostname,
+-							 realm,
+-							 gensec_gssapi_state->gss_oid,
+-							 &gensec_gssapi_state->target_principal,
+-							 &gensec_gssapi_state->server_name);
+-	if (!NT_STATUS_IS_OK(nt_status)) {
+-		return nt_status;
+-	}
+-
+ 	return NT_STATUS_OK;
+ }
+ 
+@@ -452,7 +440,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ 	OM_uint32 min_stat2;
+ 	gss_buffer_desc input_token = { 0, NULL };
+ 	gss_buffer_desc output_token = { 0, NULL };
+-
++	struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
++	const char *target_principal = gensec_get_target_principal(gensec_security);
++	const char *hostname = gensec_get_target_hostname(gensec_security);
++	const char *service = gensec_get_target_service(gensec_security);
++	const char *client_realm = cli_credentials_get_realm(cli_creds);
+ 	gss_OID gss_oid_p = NULL;
+ 	OM_uint32 time_req = 0;
+ 	OM_uint32 time_rec = 0;
+@@ -491,6 +483,21 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ 				return NT_STATUS_INTERNAL_ERROR;
+ 			}
+ #endif
++
++			if (gensec_gssapi_state->server_name == NULL) {
++				nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
++										 target_principal,
++										 service,
++										 hostname,
++										 client_realm,
++										 gensec_gssapi_state->gss_oid,
++										 &gensec_gssapi_state->target_principal,
++										 &gensec_gssapi_state->server_name);
++				if (!NT_STATUS_IS_OK(nt_status)) {
++					return nt_status;
++				}
++			}
++
+ 			maj_stat = gss_init_sec_context(&min_stat, 
+ 							gensec_gssapi_state->client_cred->creds,
+ 							&gensec_gssapi_state->gssapi_context, 
+-- 
+2.12.0
+
+
+From 7541d4a3c1a665925c8d3aa97963729874c70761 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 11:03:17 +0100
+Subject: [PATCH 11/20] s4:gensec_gssapi: Use
+ smb_krb5_get_realm_from_hostname()
+
+With credentials for administrator@FOREST1.EXAMPLE.COM
+this patch changes the target_principal for
+the ldap service of host dc2.forest2.example.com
+from
+
+  ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+
+to
+
+  ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
+
+Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
+to generate a referral ticket for
+krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
+
+The problem is that KDCs only return such referral tickets
+if there's a forest trust between FOREST1.EXAMPLE.COM
+and FOREST2.EXAMPLE.COM. If there's only an external domain
+trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
+the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
+when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
+
+In the case of an external trust the client can still ask
+explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
+and the KDC of FOREST1.EXAMPLE.COM will generate it.
+
+From there the client can use the
+krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
+ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
+service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
+
+With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
+when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
+target principal. As _krb5_get_cred_kdc_any() first calls
+get_cred_kdc_referral() (which always starts with the client realm)
+and falls back to get_cred_kdc_capath() (which starts with the given realm).
+
+MIT krb5 only tries the given realm of the target principal,
+if we want to autodetect support for transitive forest trusts,
+we'll have to do the fallback ourself.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 3781eb250173981a8890b82d1ff9358f144034cd)
+---
+ source4/auth/gensec/gensec_gssapi.c | 62 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 6cb4431e0d9..57392a04e60 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -445,6 +445,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ 	const char *hostname = gensec_get_target_hostname(gensec_security);
+ 	const char *service = gensec_get_target_service(gensec_security);
+ 	const char *client_realm = cli_credentials_get_realm(cli_creds);
++	const char *server_realm = NULL;
+ 	gss_OID gss_oid_p = NULL;
+ 	OM_uint32 time_req = 0;
+ 	OM_uint32 time_rec = 0;
+@@ -484,12 +485,71 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ 			}
+ #endif
+ 
++			/*
++			 * With credentials for
++			 * administrator@FOREST1.EXAMPLE.COM this patch changes
++			 * the target_principal for the ldap service of host
++			 * dc2.forest2.example.com from
++			 *
++			 *   ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
++			 *
++			 * to
++			 *
++			 *   ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
++			 *
++			 * Typically
++			 * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
++			 * should be used in order to allow the KDC of
++			 * FOREST1.EXAMPLE.COM to generate a referral ticket
++			 * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
++			 *
++			 * The problem is that KDCs only return such referral
++			 * tickets if there's a forest trust between
++			 * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If
++			 * there's only an external domain trust between
++			 * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC
++			 * of FOREST1.EXAMPLE.COM will respond with
++			 * S_PRINCIPAL_UNKNOWN when being asked for
++			 * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
++			 *
++			 * In the case of an external trust the client can
++			 * still ask explicitly for
++			 * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and
++			 * the KDC of FOREST1.EXAMPLE.COM will generate it.
++			 *
++			 * From there the client can use the
++			 * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
++			 * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
++			 * service ticket for
++			 * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
++			 *
++			 * With Heimdal we'll get the fallback on
++			 * S_PRINCIPAL_UNKNOWN behavior when we pass
++			 * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
++			 * target principal. As _krb5_get_cred_kdc_any() first
++			 * calls get_cred_kdc_referral() (which always starts
++			 * with the client realm) and falls back to
++			 * get_cred_kdc_capath() (which starts with the given
++			 * realm).
++			 *
++			 * MIT krb5 only tries the given realm of the target
++			 * principal, if we want to autodetect support for
++			 * transitive forest trusts, would have to do the
++			 * fallback ourself.
++			 */
+ 			if (gensec_gssapi_state->server_name == NULL) {
++				server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
++										hostname,
++										client_realm);
++				if (server_realm == NULL) {
++					return NT_STATUS_NO_MEMORY;
++				}
++
+ 				nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+ 										 target_principal,
+ 										 service,
+ 										 hostname,
+-										 client_realm,
++										 server_realm,
+ 										 gensec_gssapi_state->gss_oid,
+ 										 &gensec_gssapi_state->target_principal,
+ 										 &gensec_gssapi_state->server_name);
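Review bot: The realm lookup added inside `if (gensec_gssapi_state->server_name == NULL)` runs even when `target_principal` is set, although gensec_gssapi_setup_server_principal() ignores its `realm` argument in that case. On that path gensec_gssapi_client_start() has skipped the hostname and realm checks, so `hostname` may be NULL or an IP address and `client_realm` may be NULL. A NULL result is then reported as `NT_STATUS_NO_MEMORY` even though the supplied principal would have been enough. Wrapping the lookup and its NULL check in `if (target_principal == NULL) { ... }` avoids both the needless lookup and the misleading error. gensec_gssapi_update() starts and ends outside the hunk.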
+-- 
+2.12.0
+
+
+From 97935a1164d328b466bc305c37869e78d306173a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 8 Mar 2017 13:10:05 +0100
+Subject: [PATCH 12/20] s4:gensec_gssapi: Correctly handle external trusts with
+ MIT
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 2dd4887648bf006a577e03fc027e881738ca04ab)
+---
+ source4/auth/gensec/gensec_gssapi.c | 51 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 57392a04e60..61911aae9d9 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -464,6 +464,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ 		switch (gensec_security->gensec_role) {
+ 		case GENSEC_CLIENT:
+ 		{
++			bool fallback = false;
+ #ifdef SAMBA4_USES_HEIMDAL
+ 			struct gsskrb5_send_to_kdc send_to_kdc;
+ 			krb5_error_code ret;
+@@ -537,6 +538,48 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ 			 * transitive forest trusts, would have to do the
+ 			 * fallback ourself.
+ 			 */
++#ifndef SAMBA4_USES_HEIMDAL
++			if (gensec_gssapi_state->server_name == NULL) {
++				nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
++										 target_principal,
++										 service,
++										 hostname,
++										 client_realm,
++										 gensec_gssapi_state->gss_oid,
++										 &gensec_gssapi_state->target_principal,
++										 &gensec_gssapi_state->server_name);
++				if (!NT_STATUS_IS_OK(nt_status)) {
++					return nt_status;
++				}
++
++				maj_stat = gss_init_sec_context(&min_stat,
++								gensec_gssapi_state->client_cred->creds,
++								&gensec_gssapi_state->gssapi_context,
++								gensec_gssapi_state->server_name,
++								gensec_gssapi_state->gss_oid,
++								gensec_gssapi_state->gss_want_flags,
++								time_req,
++								gensec_gssapi_state->input_chan_bindings,
++								&input_token,
++								&gss_oid_p,
++								&output_token,
++								&gensec_gssapi_state->gss_got_flags, /* ret flags */
++								&time_rec);
++				if (maj_stat != GSS_S_FAILURE) {
++					goto init_sec_context_done;
++				}
++				if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
++					goto init_sec_context_done;
++				}
++				if (target_principal != NULL) {
++					goto init_sec_context_done;
++				}
++
++				fallback = true;
++				TALLOC_FREE(gensec_gssapi_state->target_principal);
++				gss_release_name(&min_stat2, &gensec_gssapi_state->server_name);
++			}
++#endif /* !SAMBA4_USES_HEIMDAL */
+ 			if (gensec_gssapi_state->server_name == NULL) {
+ 				server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
+ 										hostname,
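Review bot: The three `goto init_sec_context_done` exits in the new `#ifndef SAMBA4_USES_HEIMDAL` block have no comment, although they decide when the client retargets the service principal to a realm derived from the hostname. I would add above `if (maj_stat != GSS_S_FAILURE)`: `/* Retry with the hostname-derived realm only if the KDC answered S_PRINCIPAL_UNKNOWN and the caller gave no explicit target_principal. */`. The long comment directly above still says the fallback "would have to" be done, which this block now does for MIT builds. gensec_gssapi_update() begins and ends outside the hunk, and `min_stat2` is declared outside it.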
+@@ -545,6 +588,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ 					return NT_STATUS_NO_MEMORY;
+ 				}
+ 
++				if (fallback &&
++				    strequal(client_realm, server_realm)) {
++					goto init_sec_context_done;
++				}
++
+ 				nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+ 										 target_principal,
+ 										 service,
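Review bot: The early exit at `if (fallback && strequal(client_realm, server_realm))` jumps away while `server_realm` is still allocated. It was just returned by smb_krb5_get_realm_from_hostname() on `gensec_gssapi_state`, and no release is visible on this path (the rest of the function is outside the hunk). Adding `TALLOC_FREE(server_realm);` before the `goto` keeps the string from lingering on the long-lived state. The same applies to the matching hunk in source3/librpc/crypto/gse.c (patch 18/20), where the jump skips the `TALLOC_FREE(server_realm)` that patch 16/20 placed after gse_setup_server_principal().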
+@@ -571,6 +619,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
+ 							&output_token, 
+ 							&gensec_gssapi_state->gss_got_flags, /* ret flags */
+ 							&time_rec);
++			goto init_sec_context_done;
++			/* JUMP! */
++init_sec_context_done:
+ 			if (gss_oid_p) {
+ 				gensec_gssapi_state->gss_oid = gss_oid_p;
+ 			}
+-- 
+2.12.0
+
+
+From 71a49b84ebb8d45d91d21ebf92d3c7302b24f490 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 07:54:29 +0100
+Subject: [PATCH 13/20] s3:gse: Use smb_krb5_get_realm_from_hostname()
+
+With credentials for administrator@FOREST1.EXAMPLE.COM
+this patch changes the target_principal for
+the ldap service of host dc2.forest2.example.com
+from
+
+  ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+
+to
+
+  ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
+
+Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
+to generate a referral ticket for
+krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
+
+The problem is that KDCs only return such referral tickets
+if there's a forest trust between FOREST1.EXAMPLE.COM
+and FOREST2.EXAMPLE.COM. If there's only an external domain
+trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
+the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
+when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
+
+In the case of an external trust the client can still ask
+explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
+and the KDC of FOREST1.EXAMPLE.COM will generate it.
+
+From there the client can use the
+krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
+ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
+service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
+
+With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
+when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
+target principal. As _krb5_get_cred_kdc_any() first calls
+get_cred_kdc_referral() (which always starts with the client realm)
+and falls back to get_cred_kdc_capath() (which starts with the given realm).
+
+MIT krb5 only tries the given realm of the target principal,
+if we want to autodetect support for transitive forest trusts,
+we'll have to do the fallback ourself.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit a3d95ed9037fb8b14a451da02dcadf011485ae34)
+---
+ source3/librpc/crypto/gse.c | 93 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 68 insertions(+), 25 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index abf20bc7dfd..57632f6cc8f 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -120,6 +120,54 @@ static int gse_context_destructor(void *ptr)
+ 	return 0;
+ }
+ 
++static NTSTATUS gse_setup_server_principal(TALLOC_CTX *mem_ctx,
++					   const char *target_principal,
++					   const char *service,
++					   const char *hostname,
++					   const char *realm,
++					   char **pserver_principal,
++					   gss_name_t *pserver_name)
++{
++	char *server_principal = NULL;
++	gss_buffer_desc name_token;
++	gss_OID name_type;
++	OM_uint32 maj_stat, min_stat = 0;
++
++	if (target_principal != NULL) {
++		server_principal = talloc_strdup(mem_ctx, target_principal);
++		name_type = GSS_C_NULL_OID;
++	} else {
++		server_principal = talloc_asprintf(mem_ctx,
++						   "%s/%s@%s",
++						   service,
++						   hostname,
++						   realm);
++		name_type = GSS_C_NT_USER_NAME;
++	}
++	if (server_principal == NULL) {
++		return NT_STATUS_NO_MEMORY;
++	}
++
++	name_token.value = (uint8_t *)server_principal;
++	name_token.length = strlen(server_principal);
++
++	maj_stat = gss_import_name(&min_stat,
++				   &name_token,
++				   name_type,
++				   pserver_name);
++	if (maj_stat) {
++		DBG_WARNING("GSS Import name of %s failed: %s\n",
++			    server_principal,
++			    gse_errstr(mem_ctx, maj_stat, min_stat));
++		TALLOC_FREE(server_principal);
++		return NT_STATUS_INVALID_PARAMETER;
++	}
++
++	*pserver_principal = server_principal;
++
++	return NT_STATUS_OK;
++}
++
+ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ 				 bool do_sign, bool do_seal,
+ 				 const char *ccache_name,
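Review bot: gse_setup_server_principal() formats `service`, `hostname` and `realm` with `"%s/%s@%s"` without checking them for NULL, so a missing value becomes a bogus principal or a crash, depending on libc. gse_init_client() rejects a NULL server or service before calling it, but patch 16/20 feeds it from gensec_get_target_hostname() and gensec_get_target_service() with no check visible in that hunk. I would guard the `else` branch with `if (service == NULL || hostname == NULL || realm == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. The helper would also benefit from a short header comment stating that `*pserver_principal` is talloc'ed on `mem_ctx` and only set on success.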
+@@ -203,11 +251,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ {
+ 	struct gse_context *gse_ctx;
+ 	OM_uint32 gss_maj, gss_min;
+-	gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
+ #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
+ 	gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+ 	gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
+ #endif
++	char *server_principal = NULL;
++	char *server_realm = NULL;
+ 	NTSTATUS status;
+ 
+ 	if (!server || !service) {
+@@ -223,30 +272,24 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ 
+ 	/* Guess the realm based on the supplied service, and avoid the GSS libs
+ 	   doing DNS lookups which may fail.
+-
+-	   TODO: Loop with the KDC on some more combinations (local
+-	   realm in particular), possibly falling back to
+-	   GSS_C_NT_HOSTBASED_SERVICE
+ 	*/
+-	name_buffer.value =
+-		smb_krb5_get_principal_from_service_hostname(gse_ctx,
+-							     service,
+-							     server,
+-							     realm);
+-	if (!name_buffer.value) {
+-		status = NT_STATUS_NO_MEMORY;
+-		goto err_out;
++	server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
++							server,
++							realm);
++	if (server_realm == NULL) {
++		return NT_STATUS_NO_MEMORY;
+ 	}
+-	name_buffer.length = strlen((char *)name_buffer.value);
+-	gss_maj = gss_import_name(&gss_min, &name_buffer,
+-				  GSS_C_NT_USER_NAME,
+-				  &gse_ctx->server_name);
+-	if (gss_maj) {
+-		DEBUG(5, ("gss_import_name failed for %s, with [%s]\n",
+-			  (char *)name_buffer.value,
+-			  gse_errstr(gse_ctx, gss_maj, gss_min)));
+-		status = NT_STATUS_INTERNAL_ERROR;
+-		goto err_out;
++
++	status = gse_setup_server_principal(mem_ctx,
++					    NULL,
++					    service,
++					    server,
++					    server_realm,
++					    &server_principal,
++					    &gse_ctx->server_name);
++	TALLOC_FREE(server_realm);
++	if (!NT_STATUS_IS_OK(status)) {
++		return status;
+ 	}
+ 
+ 	/* TODO: get krb5 ticket using username/password, if no valid
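Review bot: The two new error exits, `return NT_STATUS_NO_MEMORY;` and `return status;`, bypass the `err_out` label that the removed code used, so `gse_ctx` is not released with `TALLOC_FREE(gse_ctx)` on these paths. The removed lines allocated on `gse_ctx` and jumped to `err_out`, which suggests the context is already set up here; its initialisation is outside the hunk. I would keep the old shape: `status = NT_STATUS_NO_MEMORY; goto err_out;` for the realm lookup and `goto err_out;` after gse_setup_server_principal(). Patch 16/20 later moves this code out of gse_init_client(), but this commit on its own has the gap.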
+@@ -299,11 +342,11 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ #endif
+ 
+ 	*_gse_ctx = gse_ctx;
+-	TALLOC_FREE(name_buffer.value);
++	TALLOC_FREE(server_principal);
+ 	return NT_STATUS_OK;
+ 
+ err_out:
+-	TALLOC_FREE(name_buffer.value);
++	TALLOC_FREE(server_principal);
+ 	TALLOC_FREE(gse_ctx);
+ 	return status;
+ }
+-- 
+2.12.0
+
+
+From 905cdd3ee1fea0bf0e2081da4489934944c55fa9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 09:10:12 +0100
+Subject: [PATCH 14/20] krb5_wrap: Remove obsolete
+ smb_krb5_get_principal_from_service_hostname()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 804e828d52ec922f3970e847652ab1ee5538b9b0)
+---
+ lib/krb5_wrap/krb5_samba.c | 111 ---------------------------------------------
+ lib/krb5_wrap/krb5_samba.h |   5 --
+ 2 files changed, 116 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 2b0ec6bfa0e..0b67ea52a19 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2604,61 +2604,6 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
+ }
+ 
+ 
+-/************************************************************************
+- Routine to get the default realm from the kerberos credentials cache.
+- Caller must free if the return value is not NULL.
+-************************************************************************/
+-
+-static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
+-{
+-	char *realm = NULL;
+-	krb5_context ctx = NULL;
+-	krb5_ccache cc = NULL;
+-	krb5_principal princ = NULL;
+-
+-	initialize_krb5_error_table();
+-	if (krb5_init_context(&ctx)) {
+-		return NULL;
+-	}
+-
+-	DEBUG(5,("kerberos_get_default_realm_from_ccache: "
+-		"Trying to read krb5 cache: %s\n",
+-		krb5_cc_default_name(ctx)));
+-	if (krb5_cc_default(ctx, &cc)) {
+-		DEBUG(5,("kerberos_get_default_realm_from_ccache: "
+-			"failed to read default cache\n"));
+-		goto out;
+-	}
+-	if (krb5_cc_get_principal(ctx, cc, &princ)) {
+-		DEBUG(5,("kerberos_get_default_realm_from_ccache: "
+-			"failed to get default principal\n"));
+-		goto out;
+-	}
+-
+-#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
+-	realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ));
+-#elif defined(HAVE_KRB5_PRINC_REALM)
+-	{
+-		krb5_data *realm_data = krb5_princ_realm(ctx, princ);
+-		realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length);
+-	}
+-#endif
+-
+-  out:
+-
+-	if (ctx) {
+-		if (princ) {
+-			krb5_free_principal(ctx, princ);
+-		}
+-		if (cc) {
+-			krb5_cc_close(ctx, cc);
+-		}
+-		krb5_free_context(ctx);
+-	}
+-
+-	return realm;
+-}
+-
+ /**
+  * @brief Get the realm from the service hostname.
+  *
+@@ -2749,62 +2694,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ }
+ 
+ /**
+- * @brief Get the principal as a string from the service hostname.
+- *
+- * @param[in]  mem_ctx  The talloc context
+- *
+- * @param[in]  service  The service name
+- *
+- * @param[in]  remote_name The remote name
+- *
+- * @param[in]  default_realm The default_realm if we cannot get it from the
+- *                           hostname or netbios name.
+- *
+- * @return A talloc'ed principal string or NULL if an error occured.
+- *
+- * The caller needs to free the principal with talloc_free() if it isn't needed
+- * anymore.
+- */
+-char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+-						   const char *service,
+-						   const char *remote_name,
+-						   const char *default_realm)
+-{
+-	char *realm = NULL;
+-	char *host = NULL;
+-	char *principal;
+-	host = strchr_m(remote_name, '.');
+-	if (host) {
+-		/* DNS name. */
+-		realm = smb_krb5_get_realm_from_hostname(talloc_tos(),
+-							 remote_name,
+-							 default_realm);
+-	} else {
+-		/* NetBIOS name - use our realm. */
+-		realm = smb_krb5_get_default_realm_from_ccache(talloc_tos());
+-	}
+-
+-	if (realm == NULL || *realm == '\0') {
+-		realm = talloc_strdup(talloc_tos(), default_realm);
+-		if (!realm) {
+-			return NULL;
+-		}
+-		DEBUG(3,("Cannot get realm from, "
+-			 "desthost %s or default ccache. Using default "
+-			 "smb.conf realm %s\n",
+-			 remote_name,
+-			 realm));
+-	}
+-
+-	principal = talloc_asprintf(mem_ctx,
+-				    "%s/%s@%s",
+-				    service, remote_name,
+-				    realm);
+-	TALLOC_FREE(realm);
+-	return principal;
+-}
+-
+-/**
+  * @brief Get an error string from a Kerberos error code.
+  *
+  * @param[in]  context  The library context.
+diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
+index accae449a0e..c921538efcb 100644
+--- a/lib/krb5_wrap/krb5_samba.h
++++ b/lib/krb5_wrap/krb5_samba.h
+@@ -318,11 +318,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ 				       const char *hostname,
+ 				       const char *client_realm);
+ 
+-char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+-						   const char *service,
+-						   const char *remote_name,
+-						   const char *default_realm);
+-
+ char *smb_get_krb5_error_message(krb5_context context,
+ 				 krb5_error_code code,
+ 				 TALLOC_CTX *mem_ctx);
+-- 
+2.12.0
+
+
+From 0ea7203430b580e93816035b8201ddd11346cd4e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 6 Mar 2017 08:16:11 +0100
+Subject: [PATCH 15/20] s3:gse: Pass down the gensec_security pointer
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit e6b1e58874de30d094f9bce474479cfddb39d3fc)
+---
+ source3/librpc/crypto/gse.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 57632f6cc8f..5a39522a828 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -352,10 +352,13 @@ err_out:
+ }
+ 
+ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+-					  struct gse_context *gse_ctx,
++					  struct gensec_security *gensec_security,
+ 					  const DATA_BLOB *token_in,
+ 					  DATA_BLOB *token_out)
+ {
++	struct gse_context *gse_ctx =
++		talloc_get_type_abort(gensec_security->private_data,
++				      struct gse_context);
+ 	OM_uint32 gss_maj, gss_min;
+ 	gss_buffer_desc in_data;
+ 	gss_buffer_desc out_data;
+@@ -542,10 +545,13 @@ done:
+ }
+ 
+ static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
+-					  struct gse_context *gse_ctx,
++					  struct gensec_security *gensec_security,
+ 					  const DATA_BLOB *token_in,
+ 					  DATA_BLOB *token_out)
+ {
++	struct gse_context *gse_ctx =
++		talloc_get_type_abort(gensec_security->private_data,
++				      struct gse_context);
+ 	OM_uint32 gss_maj, gss_min;
+ 	gss_buffer_desc in_data;
+ 	gss_buffer_desc out_data;
+@@ -762,17 +768,16 @@ static NTSTATUS gensec_gse_update(struct gensec_security *gensec_security,
+ 				  const DATA_BLOB in, DATA_BLOB *out)
+ {
+ 	NTSTATUS status;
+-	struct gse_context *gse_ctx =
+-		talloc_get_type_abort(gensec_security->private_data,
+-		struct gse_context);
+ 
+ 	switch (gensec_security->gensec_role) {
+ 	case GENSEC_CLIENT:
+-		status = gse_get_client_auth_token(mem_ctx, gse_ctx,
++		status = gse_get_client_auth_token(mem_ctx,
++						   gensec_security,
+ 						   &in, out);
+ 		break;
+ 	case GENSEC_SERVER:
+-		status = gse_get_server_auth_token(mem_ctx, gse_ctx,
++		status = gse_get_server_auth_token(mem_ctx,
++						   gensec_security,
+ 						   &in, out);
+ 		break;
+ 	}
+-- 
+2.12.0
+
+
+From 36b353247939414cd7f91abd27bfc553bd62c06f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 08:05:26 +0100
+Subject: [PATCH 16/20] s3:gse: Move setup of service_principal to update
+ function
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 3ba1ad1f8c7871070d0ecbe5d49c5c44afe98bbf)
+---
+ source3/librpc/crypto/gse.c | 97 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 71 insertions(+), 26 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 5a39522a828..3580181061e 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -255,8 +255,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ 	gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+ 	gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
+ #endif
+-	char *server_principal = NULL;
+-	char *server_realm = NULL;
+ 	NTSTATUS status;
+ 
+ 	if (!server || !service) {
+@@ -270,28 +268,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+ 
+-	/* Guess the realm based on the supplied service, and avoid the GSS libs
+-	   doing DNS lookups which may fail.
+-	*/
+-	server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
+-							server,
+-							realm);
+-	if (server_realm == NULL) {
+-		return NT_STATUS_NO_MEMORY;
+-	}
+-
+-	status = gse_setup_server_principal(mem_ctx,
+-					    NULL,
+-					    service,
+-					    server,
+-					    server_realm,
+-					    &server_principal,
+-					    &gse_ctx->server_name);
+-	TALLOC_FREE(server_realm);
+-	if (!NT_STATUS_IS_OK(status)) {
+-		return status;
+-	}
+-
+ 	/* TODO: get krb5 ticket using username/password, if no valid
+ 	 * one already available in ccache */
+ 
+@@ -342,11 +318,9 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ #endif
+ 
+ 	*_gse_ctx = gse_ctx;
+-	TALLOC_FREE(server_principal);
+ 	return NT_STATUS_OK;
+ 
+ err_out:
+-	TALLOC_FREE(server_principal);
+ 	TALLOC_FREE(gse_ctx);
+ 	return status;
+ }
+@@ -366,10 +340,81 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ 	NTSTATUS status;
+ 	OM_uint32 time_rec = 0;
+ 	struct timeval tv;
++	struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
++	const char *hostname = gensec_get_target_hostname(gensec_security);
++	const char *service = gensec_get_target_service(gensec_security);
++	const char *client_realm = cli_credentials_get_realm(cli_creds);
++	char *server_principal = NULL;
++	char *server_realm = NULL;
+ 
+ 	in_data.value = token_in->data;
+ 	in_data.length = token_in->length;
+ 
++	/*
++	 * With credentials for administrator@FOREST1.EXAMPLE.COM this patch
++	 * changes the target_principal for the ldap service of host
++	 * dc2.forest2.example.com from
++	 *
++	 *   ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
++	 *
++	 * to
++	 *
++	 *   ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
++	 *
++	 * Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be
++	 * used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a
++	 * referral ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
++	 *
++	 * The problem is that KDCs only return such referral tickets if
++	 * there's a forest trust between FOREST1.EXAMPLE.COM and
++	 * FOREST2.EXAMPLE.COM. If there's only an external domain trust
++	 * between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of
++	 * FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being
++	 * asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
++	 *
++	 * In the case of an external trust the client can still ask explicitly
++	 * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of
++	 * FOREST1.EXAMPLE.COM will generate it.
++	 *
++	 * From there the client can use the
++	 * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC
++	 * of FOREST2.EXAMPLE.COM for a service ticket for
++	 * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
++	 *
++	 * With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
++	 * when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
++	 * target principal. As _krb5_get_cred_kdc_any() first calls
++	 * get_cred_kdc_referral() (which always starts with the client realm)
++	 * and falls back to get_cred_kdc_capath() (which starts with the given
++	 * realm).
++	 *
++	 * MIT krb5 only tries the given realm of the target principal, if we
++	 * want to autodetect support for transitive forest trusts, would have
++	 * to do the fallback ourself.
++	 */
++	if (gse_ctx->server_name == NULL) {
++		server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
++								hostname,
++								client_realm);
++		if (server_realm == NULL) {
++			return NT_STATUS_NO_MEMORY;
++		}
++
++		status = gse_setup_server_principal(mem_ctx,
++						    NULL,
++						    service,
++						    hostname,
++						    server_realm,
++						    &server_principal,
++						    &gse_ctx->server_name);
++		TALLOC_FREE(server_realm);
++		if (!NT_STATUS_IS_OK(status)) {
++			return status;
++		}
++
++		TALLOC_FREE(server_principal);
++	}
++
+ 	gss_maj = gss_init_sec_context(&gss_min,
+ 					gse_ctx->creds,
+ 					&gse_ctx->gssapi_context,
+-- 
+2.12.0
+
+
+From 5ca321eaa79cdf9de1166f49365051d4d67560f9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 08:11:07 +0100
+Subject: [PATCH 17/20] s3:gse: Check if we have a target_princpal set we
+ should use
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit ada31d65d6c5929d2fbddfea5611a5f5fe5a0d74)
+---
+ source3/librpc/crypto/gse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 3580181061e..721fd8c1625 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -341,6 +341,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ 	OM_uint32 time_rec = 0;
+ 	struct timeval tv;
+ 	struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
++	const char *target_principal = gensec_get_target_principal(gensec_security);
+ 	const char *hostname = gensec_get_target_hostname(gensec_security);
+ 	const char *service = gensec_get_target_service(gensec_security);
+ 	const char *client_realm = cli_credentials_get_realm(cli_creds);
+@@ -401,7 +402,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ 		}
+ 
+ 		status = gse_setup_server_principal(mem_ctx,
+-						    NULL,
++						    target_principal,
+ 						    service,
+ 						    hostname,
+ 						    server_realm,
+-- 
+2.12.0
+
+
+From 8b88c6bf158e5da0cc238472390f3346aa05ef53 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Mar 2017 08:18:27 +0100
+Subject: [PATCH 18/20] s3:gse: Correctly handle external trusts with MIT
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit b8bca7d08fe05758e536767b1146cdcdd8b9fee3)
+---
+ source3/librpc/crypto/gse.c | 54 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 721fd8c1625..3abf774633b 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -347,6 +347,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ 	const char *client_realm = cli_credentials_get_realm(cli_creds);
+ 	char *server_principal = NULL;
+ 	char *server_realm = NULL;
++	bool fallback = false;
+ 
+ 	in_data.value = token_in->data;
+ 	in_data.length = token_in->length;
+@@ -393,6 +394,50 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ 	 * want to autodetect support for transitive forest trusts, would have
+ 	 * to do the fallback ourself.
+ 	 */
++#ifndef SAMBA4_USES_HEIMDAL
++	if (gse_ctx->server_name == NULL) {
++		OM_uint32 gss_min2 = 0;
++
++		status = gse_setup_server_principal(mem_ctx,
++						    target_principal,
++						    service,
++						    hostname,
++						    client_realm,
++						    &server_principal,
++						    &gse_ctx->server_name);
++		if (!NT_STATUS_IS_OK(status)) {
++			return status;
++		}
++
++		gss_maj = gss_init_sec_context(&gss_min,
++					       gse_ctx->creds,
++					       &gse_ctx->gssapi_context,
++					       gse_ctx->server_name,
++					       &gse_ctx->gss_mech,
++					       gse_ctx->gss_want_flags,
++					       0,
++					       GSS_C_NO_CHANNEL_BINDINGS,
++					       &in_data,
++					       NULL,
++					       &out_data,
++					       &gse_ctx->gss_got_flags,
++					       &time_rec);
++		if (gss_maj != GSS_S_FAILURE) {
++			goto init_sec_context_done;
++		}
++		if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
++			goto init_sec_context_done;
++		}
++		if (target_principal != NULL) {
++			goto init_sec_context_done;
++		}
++
++		fallback = true;
++		TALLOC_FREE(server_principal);
++		gss_release_name(&gss_min2, &gse_ctx->server_name);
++	}
++#endif /* !SAMBA4_USES_HEIMDAL */
++
+ 	if (gse_ctx->server_name == NULL) {
+ 		server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
+ 								hostname,
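Review bot: In the new MIT-only block `server_principal` is freed only on the fallback path. The three `goto init_sec_context_done` exits after gss_init_sec_context() leave the string allocated on `mem_ctx`, whereas the existing path frees it right after gse_setup_server_principal(). The string is not used again once the name is imported, so `TALLOC_FREE(server_principal);` can move to directly after the gss_init_sec_context() call, before `if (gss_maj != GSS_S_FAILURE)`. How long `mem_ctx` lives is not visible here, so the impact may be small. gse_get_client_auth_token() continues outside the hunk.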
+@@ -401,6 +446,11 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ 			return NT_STATUS_NO_MEMORY;
+ 		}
+ 
++		if (fallback &&
++		    strequal(client_realm, server_realm)) {
++			goto init_sec_context_done;
++		}
++
+ 		status = gse_setup_server_principal(mem_ctx,
+ 						    target_principal,
+ 						    service,
+@@ -425,6 +475,10 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ 					0, GSS_C_NO_CHANNEL_BINDINGS,
+ 					&in_data, NULL, &out_data,
+ 					&gse_ctx->gss_got_flags, &time_rec);
++	goto init_sec_context_done;
++	/* JUMP! */
++init_sec_context_done:
++
+ 	switch (gss_maj) {
+ 	case GSS_S_COMPLETE:
+ 		/* we are done with it */
+-- 
+2.12.0
+
+
+From 290de34d42477022d8b5a236b3d0953a178c5e40 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 29 Jan 2017 17:19:14 +0100
+Subject: [PATCH 19/20] HEIMDAL:kdc: make it possible to disable the principal
+ based referral detection
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 209886e95c3afe1e4e50bacc30b40a543856a7a0)
+---
+ source4/heimdal/kdc/default_config.c | 1 +
+ source4/heimdal/kdc/kdc.h            | 2 ++
+ source4/heimdal/kdc/krb5tgs.c        | 4 +++-
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
+index 6fbf5fdae15..0129c5d3c54 100644
+--- a/source4/heimdal/kdc/default_config.c
++++ b/source4/heimdal/kdc/default_config.c
+@@ -55,6 +55,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
+     c->preauth_use_strongest_session_key = FALSE;
+     c->tgs_use_strongest_session_key = FALSE;
+     c->use_strongest_server_key = TRUE;
++    c->autodetect_referrals = TRUE;
+     c->check_ticket_addresses = TRUE;
+     c->allow_null_ticket_addresses = TRUE;
+     c->allow_anonymous = FALSE;
+diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h
+index 9d52fd4c2ec..16263d6919b 100644
+--- a/source4/heimdal/kdc/kdc.h
++++ b/source4/heimdal/kdc/kdc.h
+@@ -69,6 +69,8 @@ typedef struct krb5_kdc_configuration {
+     krb5_boolean allow_anonymous;
+     enum krb5_kdc_trpolicy trpolicy;
+ 
++    krb5_boolean autodetect_referrals;
++
+     krb5_boolean enable_pkinit;
+     krb5_boolean pkinit_princ_in_cert;
+     const char *pkinit_kdc_identity;
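Review bot: The new `autodetect_referrals` member is added without a comment, and the only use in this patch is an empty `/* noop */` branch in krb5tgs.c, so its effect is hard to tell from the header. A one-line comment on the field would help, for example `/* if FALSE, the TGS skips the get_krbtgt_realm() based referral lookup in server_lookup */`. The `/* noop */` branch could say the same. Whether further `else if` branches are also skipped is outside the krb5tgs.c hunk.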
+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
+index 334a6eb1dc8..a888788bb6f 100644
+--- a/source4/heimdal/kdc/krb5tgs.c
++++ b/source4/heimdal/kdc/krb5tgs.c
+@@ -1660,7 +1660,9 @@ server_lookup:
+ 	Realm req_rlm;
+ 	krb5_realm *realms;
+ 
+-	if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
++	if (!config->autodetect_referrals) {
++		/* noop */
++	} else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
+ 	    if(nloop++ < 2) {
+ 		new_rlm = find_rpath(context, tgt->crealm, req_rlm);
+ 		if(new_rlm) {
+-- 
+2.12.0
+
+
+From b98d399a9b3076443fa12fab5f5e13b8d6e2fe26 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 29 Jan 2017 17:20:09 +0100
+Subject: [PATCH 20/20] s4:kdc: disable principal based autodetected referral
+ detection
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 3314bf52aaef60ef5cc1110587b53064df7c475d)
+---
+ source4/kdc/kdc-heimdal.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
+index f2927e5cb9f..061296a4f40 100644
+--- a/source4/kdc/kdc-heimdal.c
++++ b/source4/kdc/kdc-heimdal.c
+@@ -379,6 +379,8 @@ static void kdc_task_init(struct task_server *task)
+ 	kdc_config->tgs_use_strongest_session_key = false;
+ 	kdc_config->use_strongest_server_key = true;
+ 
++	kdc_config->autodetect_referrals = false;
++
+ 	/* Register hdb-samba4 hooks for use as a keytab */
+ 
+ 	kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
+-- 
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch
new file mode 100644
index 0000000..dbce123
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch
@@ -0,0 +1,39 @@
+From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 20 Mar 2017 16:08:20 +0100
+Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libsmb/cliconnect.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 029c3d4760e..93f873079db 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 				0 /* no time correction for now */,
+ 				NULL);
+ 	if (ret != 0) {
+-		DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
+-			  user_principal, target_hostname,
+-			  error_message(ret)));
++		int dbglvl = DBGLVL_WARNING;
++
++		if (krb5_state == CRED_MUST_USE_KERBEROS) {
++			dbglvl = DBGLVL_ERR;
++		}
++
++		DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
++			       user_principal, target_hostname,
++			       error_message(ret)));
+ 		if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ 			TALLOC_FREE(frame);
+ 			return krb5_to_nt_status(ret);
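Review bot: When `krb5_state` is not CRED_MUST_USE_KERBEROS, a failed kinit is now reported at DBGLVL_WARNING only, so a log kept at the error level no longer records that Kerberos was unavailable for this connection. What the function does next in that case is outside the hunk. If it carries on without a ticket, a comment at `int dbglvl = DBGLVL_WARNING;` should say so, e.g. `/* not fatal unless Kerberos is forced: the caller continues without a ticket */`. The level could also be picked in one expression, `int dbglvl = (krb5_state == CRED_MUST_USE_KERBEROS) ? DBGLVL_ERR : DBGLVL_WARNING;`, rather than testing the same condition twice.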
+-- 
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch
new file mode 100644
index 0000000..6d96e52
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch
@@ -0,0 +1,293 @@
+From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 17:30:37 +0100
+Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters
+
+The old behaviour is:
+
+  for var in $*
+  do
+    echo "$var"
+  done
+
+And you get this:
+
+$ sh test.sh 1 2 '3 4'
+1
+2
+3
+4
+
+Changing it to:
+
+  for var in "$@"
+  do
+    echo "$var"
+  done
+
+will correctly expand to:
+
+$ sh test.sh 1 2 '3 4'
+1
+2
+3 4
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
+
+(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71)
+---
+ testprogs/blackbox/subunit.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh
+index 0791d775d27..5c81ce20a11 100755
+--- a/testprogs/blackbox/subunit.sh
++++ b/testprogs/blackbox/subunit.sh
+@@ -78,7 +78,7 @@ subunit_skip_test () {
+ testit () {
+ 	name="$1"
+ 	shift
+-	cmdline="$*"
++	cmdline="$@"
+ 	subunit_start_test "$name"
+ 	output=`$cmdline 2>&1`
+ 	status=$?
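Review bot: `cmdline="$@"` in `testit` does not preserve argument boundaries: in an assignment the positional parameters are joined into one string, and the unquoted `$cmdline` on the `output=` line is then word-split again, so an argument such as `'3 4'` still arrives as two words, exactly as with `"$*"`. The `for var in "$@"` example in the commit message works only because `"$@"` is expanded in list context there. To get the behaviour the message describes, run the arguments directly with `output=$("$@" 2>&1)` and drop `cmdline`, provided nothing after the hunk still reads it. The same applies to `testit_expect_failure` in the next hunk; both function bodies continue outside their hunks.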
+@@ -93,7 +93,7 @@ testit () {
+ testit_expect_failure () {
+ 	name="$1"
+ 	shift
+-	cmdline="$*"
++	cmdline="$@"
+ 	subunit_start_test "$name"
+ 	output=`$cmdline 2>&1`
+ 	status=$?
+-- 
+2.12.0
+
+
+From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 16:11:39 +0100
+Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)
+---
+ lib/krb5_wrap/krb5_samba.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 10b42dec53f..fd8e4a96071 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
+ 		goto open_keytab;
+ 	}
+ 
++	DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
++
+ 	return KRB5_KT_BADNAME;
+ 
+ open_keytab:
+-- 
+2.12.0
+
+
+From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 16:24:52 +0100
+Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
+---
+ source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 57 insertions(+), 12 deletions(-)
+
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index 3c73b089bbb..96df10fcf65 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -34,6 +34,57 @@
+ 
+ #ifdef HAVE_ADS
+ 
++/* This MAX_NAME_LEN is a constant defined in krb5.h */
++#ifndef MAX_KEYTAB_NAME_LEN
++#define MAX_KEYTAB_NAME_LEN 1100
++#endif
++
++static krb5_error_code ads_keytab_open(krb5_context context,
++				       krb5_keytab *keytab)
++{
++	char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
++	const char *keytab_name = NULL;
++	krb5_error_code ret = 0;
++
++	switch (lp_kerberos_method()) {
++	case KERBEROS_VERIFY_SYSTEM_KEYTAB:
++	case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
++		ret = krb5_kt_default_name(context,
++					   keytab_str,
++					   sizeof(keytab_str) - 2);
++		if (ret != 0) {
++			DBG_WARNING("Failed to get default keytab name");
++			goto out;
++		}
++		keytab_name = keytab_str;
++		break;
++	case KERBEROS_VERIFY_DEDICATED_KEYTAB:
++		keytab_name = lp_dedicated_keytab_file();
++		break;
++	default:
++		DBG_ERR("Invalid kerberos method set (%d)\n",
++			lp_kerberos_method());
++		ret = KRB5_KT_BADNAME;
++		goto out;
++	}
++
++	if (keytab_name == NULL || keytab_name[0] == '\0') {
++		DBG_ERR("Invalid keytab name\n");
++		ret = KRB5_KT_BADNAME;
++		goto out;
++	}
++
++	ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
++	if (ret != 0) {
++		DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
++			    error_message(ret));
++		goto out;
++	}
++
++out:
++	return ret;
++}
++
+ /**********************************************************************
+  Adds a single service principal, i.e. 'host' to the system keytab
+ ***********************************************************************/
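Review bot: `ads_keytab_open` has no case for `KERBEROS_VERIFY_SECRETS`, the value that `enum_kerberos_method` (patch 4/5 of this series) maps to "default" and "secrets only". With that setting the helper falls into `default:`, logs "Invalid kerberos method set" at error level and returns `KRB5_KT_BADNAME`, whereas the three callers used to call `smb_krb5_kt_open(context, NULL, True, &keytab)`. If refusing is intended, give the value its own case with an accurate message, e.g. `case KERBEROS_VERIFY_SECRETS: DBG_WARNING("kerberos method does not use a keytab\n"); ret = KRB5_KT_BADNAME; goto out;`. Separately, `DBG_WARNING("Failed to get default keytab name")` is missing its trailing `\n`. The comment above `MAX_KEYTAB_NAME_LEN` also names `MAX_NAME_LEN` and leaves the `sizeof(keytab_str) - 2` unexplained.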
+@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
+ 		return -1;
+ 	}
+ 
+-	ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+-	if (ret) {
+-		DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+-			  error_message(ret)));
++	ret = ads_keytab_open(context, &keytab);
++	if (ret != 0) {
+ 		goto out;
+ 	}
+ 
+@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
+ 		return ret;
+ 	}
+ 
+-	ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+-	if (ret) {
+-		DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+-			  error_message(ret)));
++	ret = ads_keytab_open(context, &keytab);
++	if (ret != 0) {
+ 		goto out;
+ 	}
+ 
+@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+ 	DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
+ 		  "and update.\n"));
+ 
+-	ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+-	if (ret) {
+-		DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+-			  error_message(ret)));
++	ret = ads_keytab_open(context, &keytab);
++	if (ret != 0) {
+ 		goto done;
+ 	}
+ 
+-- 
+2.12.0
+
+
+From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 17:28:58 +0100
+Subject: [PATCH 4/5] param: Allow to specify kerberos method on the
+ commandline
+
+We support --option for our tools but you cannot set an option where the
+value of the option includes a space.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0)
+---
+ lib/param/param_table.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/param/param_table.c b/lib/param/param_table.c
+index 4b5234a7c9e..9a944ef19b3 100644
+--- a/lib/param/param_table.c
++++ b/lib/param/param_table.c
+@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
+ static const struct enum_list enum_kerberos_method[] = {
+ 	{KERBEROS_VERIFY_SECRETS, "default"},
+ 	{KERBEROS_VERIFY_SECRETS, "secrets only"},
++	{KERBEROS_VERIFY_SECRETS, "secretsonly"},
+ 	{KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
++	{KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
+ 	{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
++	{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
+ 	{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
++	{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
+ 	{-1, NULL}
+ };
+ 
+-- 
+2.12.0
+
+
+From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 16:34:05 +0100
+Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab
+
+This checks that a 'net ads join' can create the keytab and make sure we
+will not regress in future.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3)
+---
+ testprogs/blackbox/test_net_ads.sh | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 8e915cdcf1f..99b886f53eb 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed +
+ 
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
++# Test with kerberos method = secrets and keytab
++dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
++testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++
++testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
++
++testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++rm -f $dedicated_keytab_file
++
+ testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+ 
+ testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
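Review bot: The added comment says `kerberos method = secrets and keytab`, but the join runs with `kerberosmethod=dedicatedkeytab`; it should read `# Test with kerberos method = dedicated keytab`, and the test name has a typo (`decicated`). Only the join receives the two `--option` arguments, so the following `testjoin` and `leave` presumably run with the configured method. Nothing checks that the join actually wrote the keytab either; a `test -f "$dedicated_keytab_file"` check before the `rm` would make this a real regression test. `rm -f $dedicated_keytab_file` should quote the variable, since the path is built from `$PREFIX_ABS`: `rm -f "$dedicated_keytab_file"`.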
+-- 
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch
new file mode 100644
index 0000000..4e21154
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch
@@ -0,0 +1,245 @@
+From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 4 May 2017 17:48:42 +0200
+Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with
+ COPY_FROM_DIRECTORY
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05)
+---
+ source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 35 insertions(+), 16 deletions(-)
+
+diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
+index 394a3e5..49be5d9 100644
+--- a/source3/printing/nt_printing.c
++++ b/source3/printing/nt_printing.c
+@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver
+ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ 				   const char *architecture,
+ 				   const char *driverpath_in,
++				   const char *driver_directory,
+ 				   WERROR *perr)
+ {
+ 	int cversion = -1;
+ 	NTSTATUS          nt_status;
+ 	struct smb_filename *smb_fname = NULL;
+-	char *driverpath = NULL;
+ 	files_struct      *fsp = NULL;
+ 	connection_struct *conn = NULL;
+ 	char *oldcwd;
+ 	char *printdollar = NULL;
++	char *printdollar_path = NULL;
++	char *working_dir = NULL;
+ 	int printdollar_snum;
+ 
+ 	*perr = WERR_INVALID_PARAMETER;
+@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ 		return -1;
+ 	}
+ 
++	printdollar_path = lp_path(talloc_tos(), printdollar_snum);
++	if (printdollar_path == NULL) {
++		*perr = WERR_NOT_ENOUGH_MEMORY;
++		return -1;
++	}
++
++	working_dir = talloc_asprintf(talloc_tos(),
++				      "%s/%s",
++				      printdollar_path,
++				      architecture);
++	/*
++	 * If the driver has been uploaded into a temorpary driver
++	 * directory, switch to the driver directory.
++	 */
++	if (driver_directory != NULL) {
++		working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
++					      printdollar_path,
++					      architecture,
++					      driver_directory);
++	}
++
+ 	nt_status = create_conn_struct_cwd(talloc_tos(),
+ 					   server_event_context(),
+ 					   server_messaging_context(),
+ 					   &conn,
+ 					   printdollar_snum,
+-					   lp_path(talloc_tos(), printdollar_snum),
++					   working_dir,
+ 					   session_info, &oldcwd);
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+ 		DEBUG(0,("get_correct_cversion: create_conn_struct "
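Review bot: Neither `talloc_asprintf` result assigned to `working_dir` is checked before it is passed to `create_conn_struct_cwd`, unlike `printdollar_path` a few lines above. Add `if (working_dir == NULL) { *perr = WERR_NOT_ENOUGH_MEMORY; return -1; }` after the `driver_directory` block, and make the two allocations an `if`/`else` so the first string is not built and then discarded. `driver_directory` now becomes part of the directory the connection changes into; if it originates from the client's driver upload request (its origin is outside this hunk), confirm the caller has already restricted it to a single path component with no `/`, `\` or `..`. The comment has a typo (`temorpary`), and the body of `get_correct_cversion` continues outside the hunk.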
+@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ 		goto error_free_conn;
+ 	}
+ 
+-	/* Open the driver file (Portable Executable format) and determine the
+-	 * deriver the cversion. */
+-	driverpath = talloc_asprintf(talloc_tos(),
+-					"%s/%s",
+-					architecture,
+-					driverpath_in);
+-	if (!driverpath) {
+-		*perr = WERR_NOT_ENOUGH_MEMORY;
+-		goto error_exit;
+-	}
+-
+-	nt_status = driver_unix_convert(conn, driverpath, &smb_fname);
++	/*
++	 * We switch to the directory where the driver files are located,
++	 * so only work on the file names
++	 */
++	nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname);
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+ 		*perr = ntstatus_to_werror(nt_status);
+ 		goto error_exit;
+@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx,
+ 	 *	NT2K: cversion=3
+ 	 */
+ 
+-	*version = get_correct_cversion(session_info, short_architecture,
+-					*driver_path, &err);
++	*version = get_correct_cversion(session_info,
++					short_architecture,
++					*driver_path,
++					*driver_directory,
++					&err);
+ 	if (*version == -1) {
+ 		return err;
+ 	}
+-- 
+2.9.3
+
+
+From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 5 May 2017 11:11:25 +0200
+Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test
+ for 64bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e)
+---
+ source4/torture/rpc/spoolss.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
+index 409ba57..c4b7bf1 100644
+--- a/source4/torture/rpc/spoolss.c
++++ b/source4/torture/rpc/spoolss.c
+@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx,
+ }
+ 
+ static bool test_driver_copy_from_directory(struct torture_context *tctx,
+-					    struct dcerpc_pipe *p)
++					    struct dcerpc_pipe *p,
++					    const char *architecture)
+ {
+ 	struct torture_driver_context *d;
+ 	struct spoolss_StringArray *a;
+@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
+ 	d = talloc_zero(tctx, struct torture_driver_context);
+ 	torture_assert_not_null(tctx, d, "ENOMEM");
+ 
+-	d->local.environment		=
+-		talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64);
++	d->local.environment		= talloc_strdup(d, architecture);
+ 	torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
+ 
+ 	d->local.driver_directory	=
+@@ -11208,6 +11208,12 @@ done:
+ 	return ok;
+ }
+ 
++static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
++					       struct dcerpc_pipe *p)
++{
++	return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
++}
++
+ static bool test_del_driver_all_files(struct torture_context *tctx,
+ 				      struct dcerpc_pipe *p)
+ {
+@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
+ 	torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers);
+ 
+ 	torture_rpc_tcase_add_test(tcase,
+-				   "test_driver_copy_from_directory",
+-				   test_driver_copy_from_directory);
++				   "test_driver_copy_from_directory_64",
++				   test_driver_copy_from_directory_64);
+ 
+ 	torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
+ 
+-- 
+2.9.3
+
+
+From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 5 May 2017 11:12:02 +0200
+Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for
+ copy_from_directory
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0)
+---
+ source4/torture/rpc/spoolss.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
+index c4b7bf1..e17ac6f 100644
+--- a/source4/torture/rpc/spoolss.c
++++ b/source4/torture/rpc/spoolss.c
+@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
+ 	d->local.environment		= talloc_strdup(d, architecture);
+ 	torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
+ 
+-	d->local.driver_directory	=
+-		talloc_asprintf(d, "/usr/share/cups/drivers/x64");
++	if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) {
++		d->local.driver_directory =
++			talloc_strdup(d, "/usr/share/cups/drivers/x64");
++	} else {
++		d->local.driver_directory =
++			talloc_strdup(d, "/usr/share/cups/drivers/i386");
++	}
+ 	torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM");
+ 
+ 	d->remote.driver_upload_directory = GUID_string2(d, &guid);
+@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
+ 	return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
+ }
+ 
++static bool test_driver_copy_from_directory_32(struct torture_context *tctx,
++					       struct dcerpc_pipe *p)
++{
++	return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86);
++}
++
+ static bool test_del_driver_all_files(struct torture_context *tctx,
+ 				      struct dcerpc_pipe *p)
+ {
+@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
+ 				   "test_driver_copy_from_directory_64",
+ 				   test_driver_copy_from_directory_64);
+ 
++	torture_rpc_tcase_add_test(tcase,
++				   "test_driver_copy_from_directory_32",
++				   test_driver_copy_from_directory_32);
++
+ 	torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
+ 
+ 	torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files);
+-- 
+2.9.3
+
diff --git a/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch
new file mode 100644
index 0000000..7441e1d
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch
@@ -0,0 +1,211 @@
+From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 14 Mar 2017 16:12:20 +0100
+Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file
+
+The arguments get passed in the wrong order to read_target_host().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0)
+---
+ source3/modules/vfs_expand_msdfs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c
+index ffbfa333bad..e42d0098b32 100644
+--- a/source3/modules/vfs_expand_msdfs.c
++++ b/source3/modules/vfs_expand_msdfs.c
+@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
+ 		return NULL;
+ 	}
+ 
+-	targethost = read_target_host(
+-		ctx, raddr, mapfilename);
++	targethost = read_target_host(ctx, mapfilename, raddr);
+ 	if (targethost == NULL) {
+ 		DEBUG(1, ("Could not expand target host from file %s\n",
+ 			  mapfilename));
+-- 
+2.12.0
+
+From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 21 Mar 2017 15:32:37 +0100
+Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to
+ get_referred_path()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e)
+---
+ source3/modules/vfs_default.c       |  2 ++
+ source3/rpc_server/dfs/srv_dfs_nt.c |  6 ++++++
+ source3/smbd/msdfs.c                | 12 +++++++-----
+ source3/smbd/proto.h                | 12 +++++++-----
+ 4 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
+index e0b6125f7d8..dcae861103d 100644
+--- a/source3/modules/vfs_default.c
++++ b/source3/modules/vfs_default.c
+@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle,
+ 
+ 	/* The following call can change cwd. */
+ 	status = get_referred_path(r, pathnamep,
++				   handle->conn->sconn->remote_address,
++				   handle->conn->sconn->local_address,
+ 				   !handle->conn->sconn->using_smb2,
+ 				   junction, &consumedcnt, &self_referral);
+ 	if (!NT_STATUS_IS_OK(status)) {
+diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c
+index ab2af53c0ba..0a4d6d31b7c 100644
+--- a/source3/rpc_server/dfs/srv_dfs_nt.c
++++ b/source3/rpc_server/dfs/srv_dfs_nt.c
+@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r)
+ 
+ 	/* The following call can change the cwd. */
+ 	status = get_referred_path(ctx, r->in.path,
++				   p->remote_address,
++				   p->local_address,
+ 				   true, /*allow_broken_path */
+ 				   jn, &consumedcnt, &self_ref);
+ 	if(!NT_STATUS_IS_OK(status)) {
+@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r)
+ 	}
+ 
+ 	status = get_referred_path(ctx, r->in.dfs_entry_path,
++				   p->remote_address,
++				   p->local_address,
+ 				   true, /*allow_broken_path */
+ 				   jn, &consumedcnt, &self_ref);
+ 	if(!NT_STATUS_IS_OK(status)) {
+@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r)
+ 
+ 	/* The following call can change the cwd. */
+ 	status = get_referred_path(ctx, r->in.dfs_entry_path,
++				   p->remote_address,
++				   p->local_address,
+ 				   true, /*allow_broken_path */
+ 				   jn, &consumedcnt, &self_ref);
+ 	if(!NT_STATUS_IS_OK(status) ||
+diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
+index 61538cec832..3cf82d3b430 100644
+--- a/source3/smbd/msdfs.c
++++ b/source3/smbd/msdfs.c
+@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx,
+ **********************************************************************/
+ 
+ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+-			const char *dfs_path,
+-			bool allow_broken_path,
+-			struct junction_map *jucn,
+-			int *consumedcntp,
+-			bool *self_referralp)
++			   const char *dfs_path,
++			   const struct tsocket_address *remote_address,
++			   const struct tsocket_address *local_address,
++			   bool allow_broken_path,
++			   struct junction_map *jucn,
++			   int *consumedcntp,
++			   bool *self_referralp)
+ {
+ 	struct connection_struct *conn;
+ 	char *targetpath = NULL;
+diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
+index c1b8201b472..e64457cf9e0 100644
+--- a/source3/smbd/proto.h
++++ b/source3/smbd/proto.h
+@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn,
+ 		SMB_STRUCT_STAT *sbufp);
+ struct junction_map;
+ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+-			const char *dfs_path,
+-			bool allow_broken_path,
+-			struct junction_map *jucn,
+-			int *consumedcntp,
+-			bool *self_referralp);
++			   const char *dfs_path,
++			   const struct tsocket_address *remote_address,
++			   const struct tsocket_address *local_address,
++			   bool allow_broken_path,
++			   struct junction_map *jucn,
++			   int *consumedcntp,
++			   bool *self_referralp);
+ int setup_dfs_referral(connection_struct *orig_conn,
+ 			const char *dfs_path,
+ 			int max_referral_level,
+-- 
+2.13.0
+
+
+From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 21 Mar 2017 15:45:34 +0100
+Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake
+ connection
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9)
+---
+ source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
+index 3cf82d3b430..c25fb17cee8 100644
+--- a/source3/smbd/msdfs.c
++++ b/source3/smbd/msdfs.c
+@@ -31,6 +31,7 @@
+ #include "lib/param/loadparm.h"
+ #include "libcli/security/security.h"
+ #include "librpc/gen_ndr/ndr_dfsblobs.h"
++#include "lib/tsocket/tsocket.h"
+ 
+ /**********************************************************************
+  Parse a DFS pathname of the form \hostname\service\reqpath
+@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+ 		return status;
+ 	}
+ 
++	/*
++	 * TODO
++	 *
++	 * The remote and local address should be passed down to
++	 * create_conn_struct_cwd.
++	 */
++	if (conn->sconn->remote_address == NULL) {
++		conn->sconn->remote_address =
++			tsocket_address_copy(remote_address, conn->sconn);
++		if (conn->sconn->remote_address == NULL) {
++			TALLOC_FREE(pdp);
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++	if (conn->sconn->local_address == NULL) {
++		conn->sconn->local_address =
++			tsocket_address_copy(local_address, conn->sconn);
++		if (conn->sconn->local_address == NULL) {
++			TALLOC_FREE(pdp);
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++
+ 	/* If this is a DFS path dfs_lookup should return
+ 	 * NT_STATUS_PATH_NOT_COVERED. */
+ 
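Review bot: Both new `return NT_STATUS_NO_MEMORY` paths in `get_referred_path` free only `pdp`, although `conn` is already set up at this point (the TODO names `create_conn_struct_cwd`, and the callers' comments say the call can change the cwd). If the function's later exits restore the working directory and release `conn` (they are outside the hunk), these two returns should go through the same cleanup rather than return directly. `tsocket_address_copy` is also called without checking `remote_address` or `local_address` for NULL, and the callers added in patch 1/2 pass `p->remote_address` and `handle->conn->sconn->remote_address` unchecked. Either guard here, e.g. `if (conn->sconn->remote_address == NULL && remote_address != NULL)`, or document on the prototype that both addresses must be non-NULL.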
+-- 
+2.13.0
+
diff --git a/SOURCES/samba-v4-6-fix_path_substitutions.patch b/SOURCES/samba-v4-6-fix_path_substitutions.patch
new file mode 100644
index 0000000..178c44d
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_path_substitutions.patch
@@ -0,0 +1,194 @@
+From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Fri, 17 Mar 2017 13:52:57 +0100
+Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user
+ information
+
+This fixes the substitution for 'template homedir'.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Volker Lendecke <vl@samba.org>
+Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
+
+(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5)
+---
+ source3/winbindd/wb_queryuser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
+index be4d3d3e665..69b4c8dad5a 100644
+--- a/source3/winbindd/wb_queryuser.c
++++ b/source3/winbindd/wb_queryuser.c
+@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq)
+ 	NTSTATUS status;
+ 	const char *domain_name;
+ 
+-	status = wb_lookupsid_recv(subreq, state, &type, &domain_name,
++	status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name,
+ 				   &state->info->primary_group_name);
+ 	TALLOC_FREE(subreq);
+ 	if (tevent_req_nterror(req, status)) {
+-- 
+2.12.0
+
+
+From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 15 Mar 2017 12:37:08 +0100
+Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660)
+---
+ selftest/target/Samba3.pm                  | 19 ++++++++++++++++++-
+ source3/script/tests/test_substitutions.sh |  9 +++++++--
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index f5b2c510224..1e053f12297 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -394,16 +394,33 @@ sub setup_admember($$$$)
+ 	$substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users";
+ 	push(@dirs, $substitution_path);
+ 
++	# Using '/' as the winbind separator is a bad idea ...
++	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN";
++	push(@dirs, $substitution_path);
++
++	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice";
++	push(@dirs, $substitution_path);
++
++	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN";
++	push(@dirs, $substitution_path);
++
++	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users";
++	push(@dirs, $substitution_path);
++
+ 	my $member_options = "
+ 	security = ads
+         workgroup = $dcvars->{DOMAIN}
+         realm = $dcvars->{REALM}
+         netbios aliases = foo bar
+ 
+-[subDUG]
++[sub_dug]
+ 	path = $share_dir/D_%D/U_%U/G_%G
+ 	writeable = yes
+ 
++[sub_dug2]
++	path = $share_dir/D_%D/u_%u/g_%g
++	writeable = yes
++
+ ";
+ 
+ 	my $ret = $self->provision($prefix,
+diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
+index 0852ad969f0..1a46f11c85d 100755
+--- a/source3/script/tests/test_substitutions.sh
++++ b/source3/script/tests/test_substitutions.sh
+@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient"
+ . $samba_srcdir/testprogs/blackbox/subunit.sh
+ . $samba_srcdir/testprogs/blackbox/common_test_fns.inc
+ 
+-SMB_UNC="//$SERVER/subDUG"
++SMB_UNC="//$SERVER/sub_dug"
+ 
+-test_smbclient "Test login to share with substitution" \
++test_smbclient "Test login to share with substitution (DUG)" \
++	"ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
++
++SMB_UNC="//$SERVER/sub_dug2"
++
++test_smbclient "Test login to share with substitution (Dug)" \
+ 	"ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
+ 
+ exit $failed
+-- 
+2.12.0
+
+
+From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 17 Mar 2017 10:04:19 +0100
+Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
+
+With this set, the samba3.local.nss test for ad_member will ensure that
+we correctly substitute those smb.conf options.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
+
+(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03)
+---
+ nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------
+ selftest/target/Samba3.pm     |  1 +
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
+index cfe582df068..f9c040e5f43 100755
+--- a/nsswitch/tests/test_wbinfo.sh
++++ b/nsswitch/tests/test_wbinfo.sh
+@@ -205,13 +205,18 @@ subunit_start_test "$test_name"
+ # The full name (GECOS) is based on name (the RDN, in this case CN)
+ # and displayName in winbindd_ads, and is based only on displayName in
+ # winbindd_msrpc and winbindd_rpc.  Allow both versions.
+-expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
+-expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
++if test "$TARGET" = "ad_member"; then
++	expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false"
++	expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false"
++else
++	expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
++	expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
++fi
+ 
+-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
+ 	subunit_pass_test "$test_name"
+ else
+-	echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
++	echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ 	failed=`expr $failed + 1`
+ fi
+ 
+@@ -227,10 +232,10 @@ fi
+ 
+ test_name="confirm output of wbinfo --uid-info against $TARGET"
+ subunit_start_test "$test_name"
+-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
+ 	subunit_pass_test "$test_name"
+ else
+-	echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
++	echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ 	failed=`expr $failed + 1`
+ fi
+ 
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 1e053f12297..cb4970828a5 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -412,6 +412,7 @@ sub setup_admember($$$$)
+         workgroup = $dcvars->{DOMAIN}
+         realm = $dcvars->{REALM}
+         netbios aliases = foo bar
++	template homedir = /home/%D/%G/%U
+ 
+ [sub_dug]
+ 	path = $share_dir/D_%D/U_%U/G_%G
+-- 
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch
new file mode 100644
index 0000000..7b754ae
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch
@@ -0,0 +1,339 @@
+From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 15 Mar 2017 17:04:30 +0000
+Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of
+ smb_bytes_pull_str()
+
+This function needs to get the whole smb buffer in order to get
+the alignment for unicode correct.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24)
+---
+ libcli/smb/smb1cli_session.c | 28 +++++++++++++-------------
+ libcli/smb/smb_util.h        |  3 ++-
+ libcli/smb/util.c            | 47 +++++++++++++++++++++++++++++---------------
+ 3 files changed, 47 insertions(+), 31 deletions(-)
+
+diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c
+index 9d92aa6aed4..11614df0ae4 100644
+--- a/libcli/smb/smb1cli_session.c
++++ b/libcli/smb/smb1cli_session.c
+@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq)
+ 	p = bytes;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_os,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+ 	p += ret;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_lm,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq)
+ 	p = bytes;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_os,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+ 	p += ret;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_lm,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+ 	p += ret;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_primary_domain,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq)
+ 	p += out_security_blob_length;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_os,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+ 	p += ret;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_lm,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
+index 7e6f0a4ebc4..2884786339d 100644
+--- a/libcli/smb/smb_util.h
++++ b/libcli/smb/smb_util.h
+@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
+ 				 const uint8_t *bytes, size_t num_bytes);
+ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
+ 			    const uint8_t *buf, size_t buf_len,
+-			    size_t *pbuf_consumed);
++			    const uint8_t *position,
++			    size_t *_consumed);
+diff --git a/libcli/smb/util.c b/libcli/smb/util.c
+index ef8c9fafa35..7ef909c6077 100644
+--- a/libcli/smb/util.c
++++ b/libcli/smb/util.c
+@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
+ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
+ 					bool ucs2, bool align_odd,
+ 					const uint8_t *buf, size_t buf_len,
+-					size_t *pbuf_consumed)
++					const uint8_t *position,
++					size_t *p_consumed)
+ {
+ 	size_t pad = 0;
++	size_t offset;
+ 	char *str = NULL;
+ 	size_t str_len = 0;
+ 	bool ok;
+ 
+ 	*_str = NULL;
+-	if (pbuf_consumed != NULL) {
+-		*pbuf_consumed = 0;
++	if (p_consumed != NULL) {
++		*p_consumed = 0;
++	}
++
++	if (position < buf) {
++		return NT_STATUS_INTERNAL_ERROR;
++	}
++
++	offset = PTR_DIFF(position, buf);
++	if (offset > buf_len) {
++		return NT_STATUS_BUFFER_TOO_SMALL;
+ 	}
+ 
+ 	if (ucs2 &&
+-	    ((align_odd && (buf_len % 2 == 0)) ||
+-	     (!align_odd && (buf_len % 2 == 1)))) {
+-		if (buf_len < 1) {
+-			return NT_STATUS_BUFFER_TOO_SMALL;
+-		}
+-		pad = 1;
+-		buf_len -= pad;
+-		buf += pad;
++	    ((align_odd && (offset % 2 == 0)) ||
++	     (!align_odd && (offset % 2 == 1)))) {
++		pad += 1;
++		offset += 1;
++	}
++
++	if (offset > buf_len) {
++		return NT_STATUS_BUFFER_TOO_SMALL;
+ 	}
+ 
++	buf_len -= offset;
++	buf += offset;
++
+ 	if (ucs2) {
+ 		buf_len = utf16_len_n(buf, buf_len);
+ 	} else {
+@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
+ 		return map_nt_error_from_unix_common(errno);
+ 	}
+ 
+-	if (pbuf_consumed != NULL) {
+-		*pbuf_consumed = buf_len + pad;
++	if (p_consumed != NULL) {
++		*p_consumed = buf_len + pad;
+ 	}
+ 	*_str = str;
+-	return NT_STATUS_OK;;
++	return NT_STATUS_OK;
+ }
+ 
+ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
+ 			    const uint8_t *buf, size_t buf_len,
+-			    size_t *_buf_consumed)
++			    const uint8_t *position,
++			    size_t *_consumed)
+ {
+ 	return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
+-				       buf, buf_len, _buf_consumed);
++				       buf, buf_len, position, _consumed);
+ }
+-- 
+2.13.1
+
+
+From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 15 Mar 2017 17:04:44 +0000
+Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper
+ function
+
+This function updates cli->server_{os,type,domain} to valid values
+after a session setup.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3)
+---
+ source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++--------------
+ 1 file changed, 52 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index a2362ceb863..ef03da17eec 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 	return NT_STATUS_OK;
+ }
+ 
++static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli,
++						 const char *native_os,
++						 const char *native_lm,
++						 const char *primary_domain)
++{
++#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0')
++
++	if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) {
++		cli->server_os = talloc_strdup(cli, native_os);
++		if (cli->server_os == NULL) {
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++
++	if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) {
++		cli->server_type = talloc_strdup(cli, native_lm);
++		if (cli->server_type == NULL) {
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++
++	if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) {
++		cli->server_domain = talloc_strdup(cli, primary_domain);
++		if (cli->server_domain == NULL) {
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++
++#undef _VALID_STRING
++	return NT_STATUS_OK;
++}
++
+ /********************************************************
+  Utility function to ensure we always return at least
+  a valid char * pointer to an empty string for the
+@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
+ 		subreq, struct tevent_req);
+ 	struct cli_sesssetup_blob_state *state = tevent_req_data(
+ 		req, struct cli_sesssetup_blob_state);
+-	struct cli_state *cli = state->cli;
+ 	NTSTATUS status;
+ 
+ 	if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
+@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
+ 		return;
+ 	}
+ 
+-	if (cli->server_os == NULL) {
+-		cli->server_os = talloc_move(cli, &state->out_native_os);
+-	}
+-	if (cli->server_type == NULL) {
+-		cli->server_type = talloc_move(cli, &state->out_native_lm);
+-	}
+-
+ 	state->status = status;
+ 
++	status = cli_state_update_after_sesssetup(state->cli,
++						  state->out_native_os,
++						  state->out_native_lm,
++						  NULL);
++	if (tevent_req_nterror(req, status)) {
++		return;
++	}
++
+ 	if (state->blob.length != 0) {
+ 		/*
+ 		 * More to send
+@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq)
+ 		return;
+ 	}
+ 
+-	if (cli->server_os == NULL) {
+-		cli->server_os = talloc_move(cli, &state->out_native_os);
+-	}
+-	if (cli->server_type == NULL) {
+-		cli->server_type = talloc_move(cli, &state->out_native_lm);
+-	}
+-	if (cli->server_domain == NULL) {
+-		cli->server_domain = talloc_move(cli, &state->out_primary_domain);
++	status = cli_state_update_after_sesssetup(state->cli,
++						  state->out_native_os,
++						  state->out_native_lm,
++						  state->out_primary_domain);
++	if (tevent_req_nterror(req, status)) {
++		return;
+ 	}
+ 
+ 	ok = smb1cli_conn_activate_signing(cli->conn,
+@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
+ 		subreq, struct tevent_req);
+ 	struct cli_session_setup_creds_state *state = tevent_req_data(
+ 		req, struct cli_session_setup_creds_state);
+-	struct cli_state *cli = state->cli;
+ 	NTSTATUS status;
+ 
+ 	status = smb1cli_session_setup_lm21_recv(subreq, state,
+@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
+ 		return;
+ 	}
+ 
+-	if (cli->server_os == NULL) {
+-		cli->server_os = talloc_move(cli, &state->out_native_os);
+-	}
+-	if (cli->server_type == NULL) {
+-		cli->server_type = talloc_move(cli, &state->out_native_lm);
++	status = cli_state_update_after_sesssetup(state->cli,
++						  state->out_native_os,
++						  state->out_native_lm,
++						  NULL);
++	if (tevent_req_nterror(req, status)) {
++		return;
+ 	}
+ 
+ 	tevent_req_done(req);
+-- 
+2.13.1
+
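Review bot: In the new `cli_state_update_after_sesssetup()` (source3/libsmb/cliconnect.c, second patch in this file) the helper macro is defined as `_VALID_STR` but removed with `#undef _VALID_STRING`, so the `#undef` does nothing and `_VALID_STR` stays defined for the rest of the translation unit. The closing line should read `#undef _VALID_STR`. The name also starts with an underscore followed by a capital letter, which C reserves for the implementation; a name such as `CLI_VALID_STR` avoids that. Separately, when `cli->server_os`, `server_type` or `server_domain` holds a non-NULL empty string, the new code overwrites the pointer without a `TALLOC_FREE`; the old buffer presumably stays allocated until its parent is freed, which is worth confirming.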
diff --git a/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch
new file mode 100644
index 0000000..5c52aa9
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch
@@ -0,0 +1,162 @@
+From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 19 Jun 2017 14:50:33 +0200
+Subject: [PATCH 1/2] s3:popt_common: Reparse the username in
+ popt_common_credentials_post()
+
+When we parse the username in the options handling, the smb.conf file
+has not been loaded yet. So we are not aware of a 'winbind separator'
+set in the config file.
+
+We need to read and set the username again in the post-processing of the
+credentials.
+
+https://bugzilla.samba.org/show_bug.cgi?id=12849
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b)
+---
+ source3/lib/popt_common.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
+index 3589a4fbd2b..9928c708e89 100644
+--- a/source3/lib/popt_common.c
++++ b/source3/lib/popt_common.c
+@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void)
+ void popt_common_credentials_post(void)
+ {
+ 	struct user_auth_info *auth_info = cmdline_auth_info;
++	const char *username = NULL;
+ 
+ 	if (get_cmdline_auth_info_use_machine_account(auth_info) &&
+ 	    !set_cmdline_auth_info_machine_account_creds(auth_info))
+@@ -248,6 +249,20 @@ void popt_common_credentials_post(void)
+ 	}
+ 
+ 	set_cmdline_auth_info_getpass(auth_info);
++
++	/*
++	 * When we set the username during the handling of the options passed to
++	 * the binary we haven't loaded the config yet. This means that we
++	 * didnn't take the 'winbind separator' into account.
++	 *
++	 * The username might contain the domain name and thus it hasn't been
++	 * correctly parsed yet. If we have a username we need to set it again
++	 * to run the string parser for the username correctly.
++	 */
++	username = get_cmdline_auth_info_username(auth_info);
++	if (username != NULL && username[0] != '\0') {
++		set_cmdline_auth_info_username(auth_info, username);
++	}
+ }
+ 
+ static void popt_common_credentials_callback(poptContext con,
+-- 
+2.13.1
+
+
+From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 19 Jun 2017 15:52:23 +0200
+Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144
+
+(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af)
+---
+ source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++
+ source3/selftest/tests.py                    |  1 +
+ 2 files changed, 63 insertions(+)
+ create mode 100755 source3/script/tests/test_smbclient_basic.sh
+
+diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh
+new file mode 100755
+index 00000000000..90e579b68e9
+--- /dev/null
++++ b/source3/script/tests/test_smbclient_basic.sh
+@@ -0,0 +1,62 @@
++#!/bin/sh
++
++# this runs the file serving tests that are expected to pass with samba3 against shares with various options
++
++if [ $# -lt 5 ]; then
++cat <<EOF
++Usage: test_smbclient_basic.sh SERVER SERVER_IP DOMAIN USERNAME PASSWORD SMBCLIENT <smbclient arguments>
++EOF
++exit 1;
++fi
++
++SERVER="$1"
++SERVER_IP="$2"
++USERNAME="$3"
++PASSWORD="$4"
++smbclient="$5"
++CONFIGURATION="$6"
++shift 6
++ADDARGS="$@"
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++
++test_smbclient() {
++	name="$1"
++	cmd="$2"
++	shift
++	shift
++	echo "test: $name"
++	$VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@
++	status=$?
++	if [ x$status = x0 ]; then
++		echo "success: $name"
++	else
++		echo "failure: $name"
++	fi
++	return $status
++}
++
++# TEST using \ as the separator (default)
++test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
++# TEST using / as the separator (default)
++test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
++
++# TEST using 'winbind separator = +'
++test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1`
++
++# TEST using 'winbind separator = +' set in a config file
++smbclient_config="$PREFIX/tmpsmbconf"
++cat > $smbclient_config <<EOF
++[global]
++    include = $(echo $CONFIGURATION | cut -d= -f2)
++    winbind separator = +
++EOF
++
++SAVE_CONFIGURATION="$CONFIGURATION"
++CONFIGURATION="--configfile=$smbclient_config"
++test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD || failed=`expr $failed + 1`
++CONFIGURATION="$SAVE_CONFIGURATION"
++rm -rf $smbclient_config
++
++exit $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index dfe7866b283..d3cb071b903 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -152,6 +152,7 @@ plantestsuite("samba.vfstest.xattr-tdb-1", "nt4_dc:local", [os.path.join(samba3s
+ plantestsuite("samba.vfstest.acl", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-acl/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
+ plantestsuite("samba.vfstest.catia", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-catia/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
+ 
++plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
+ for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
+     env = "nt4_dc"
+     plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
+-- 
+2.13.1
+
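Review bot: The new test_smbclient_basic.sh never initialises `failed`, and its usage text does not match the arguments it parses. Every test line increments the counter with `expr $failed + 1` and the script ends with `exit $failed`, so the result depends on an inherited environment value and on how the local `expr` treats a missing operand; add `failed=0` before the first `test_smbclient` call. The usage line lists `DOMAIN` as the third argument, but the script assigns `USERNAME="$3"`, `PASSWORD="$4"`, `smbclient="$5"`, `CONFIGURATION="$6"` and takes `$DOMAIN` from the environment. It also checks `$# -lt 5` and then runs `shift 6`; drop `DOMAIN` from the usage text and test `[ $# -lt 6 ]`.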
diff --git a/SOURCES/samba-v4-6-fix_winbind_child_crash.patch b/SOURCES/samba-v4-6-fix_winbind_child_crash.patch
new file mode 100644
index 0000000..d081a40
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_winbind_child_crash.patch
@@ -0,0 +1,227 @@
+From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 21 Mar 2017 09:57:30 +0100
+Subject: [PATCH 1/2] s3:libads: Remove obsolete
+ smb_krb5_get_ntstatus_from_init_creds()
+
+There is no way we can get a better error code out of this. The original
+function called was krb5_get_init_creds_opt_get_error() which has been
+deprecated in 2008.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e)
+---
+ source3/libads/kerberos.c | 169 ----------------------------------------------
+ 1 file changed, 169 deletions(-)
+
+Index: samba-4.6.2/source3/libads/kerberos.c
+===================================================================
+--- samba-4.6.2.orig/source3/libads/kerberos.c
++++ samba-4.6.2/source3/libads/kerberos.c
+@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da
+ 	return 0;
+ }
+ 
+-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
+-				  DATA_BLOB *edata,
+-				  DATA_BLOB *edata_out)
+-{
+-	DATA_BLOB edata_contents;
+-	ASN1_DATA *data;
+-	int edata_type;
+-
+-	if (!edata->length) {
+-		return false;
+-	}
+-
+-	data = asn1_init(mem_ctx);
+-	if (data == NULL) {
+-		return false;
+-	}
+-
+-	if (!asn1_load(data, *edata)) goto err;
+-	if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
+-	if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
+-	if (!asn1_read_Integer(data, &edata_type)) goto err;
+-
+-	if (edata_type != KRB5_PADATA_PW_SALT) {
+-		DEBUG(0,("edata is not of required type %d but of type %d\n",
+-			KRB5_PADATA_PW_SALT, edata_type));
+-		goto err;
+-	}
+-
+-	if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
+-	if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
+-	if (!asn1_end_tag(data)) goto err;
+-	if (!asn1_end_tag(data)) goto err;
+-	if (!asn1_end_tag(data)) goto err;
+-	asn1_free(data);
+-
+-	*edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
+-
+-	data_blob_free(&edata_contents);
+-
+-	return true;
+-
+-  err:
+-
+-	asn1_free(data);
+-	return false;
+-}
+-
+- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
+-						   NTSTATUS *nt_status)
+-{
+-	DATA_BLOB edata;
+-	DATA_BLOB unwrapped_edata;
+-	TALLOC_CTX *mem_ctx;
+-	struct KRB5_EDATA_NTSTATUS parsed_edata;
+-	enum ndr_err_code ndr_err;
+-
+-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+-	edata = data_blob(error->e_data->data, error->e_data->length);
+-#else
+-	edata = data_blob(error->e_data.data, error->e_data.length);
+-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+-
+-#ifdef DEVELOPER
+-	dump_data(10, edata.data, edata.length);
+-#endif /* DEVELOPER */
+-
+-	mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
+-	if (mem_ctx == NULL) {
+-		data_blob_free(&edata);
+-		return False;
+-	}
+-
+-	if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
+-		data_blob_free(&edata);
+-		TALLOC_FREE(mem_ctx);
+-		return False;
+-	}
+-
+-	data_blob_free(&edata);
+-
+-	ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, 
+-		&parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
+-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+-		data_blob_free(&unwrapped_edata);
+-		TALLOC_FREE(mem_ctx);
+-		return False;
+-	}
+-
+-	data_blob_free(&unwrapped_edata);
+-
+-	if (nt_status) {
+-		*nt_status = parsed_edata.ntstatus;
+-	}
+-
+-	TALLOC_FREE(mem_ctx);
+-
+-	return True;
+-}
+-
+-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
+-						  krb5_principal client,
+-						  krb5_get_init_creds_opt *opt,
+-						  NTSTATUS *nt_status)
+-{
+-	krb5_init_creds_context icc;
+-	krb5_error_code code;
+-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+-	/* HEIMDAL */
+-	krb5_error error;
+-#else
+-	krb5_error *error = NULL;
+-#endif
+-	bool ok;
+-
+-	code = krb5_init_creds_init(ctx,
+-				    client,
+-				    NULL,
+-				    NULL,
+-				    0,
+-				    opt,
+-				    &icc);
+-	if (code != 0) {
+-		DBG_WARNING("krb5_init_creds_init failed with: %s\n",
+-			    error_message(code));
+-		return false;
+-	}
+-
+-	code = krb5_init_creds_get_error(ctx,
+-					 icc,
+-					 &error);
+-	if (code != 0) {
+-		DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
+-			    error_message(code));
+-		return false;
+-	}
+-	krb5_init_creds_free(ctx, icc);
+-
+-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+-	ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
+-
+-	krb5_free_error_contents(ctx, &error);
+-#else
+-	ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
+-
+-	krb5_free_error(ctx, error);
+-#endif
+-
+-	return ok;
+-}
+-
+ /*
+   simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
+   place in default cache location.
+@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch
+ 	}
+  out:
+ 	if (ntstatus) {
+-
+-		NTSTATUS status;
+-
+ 		/* fast path */
+ 		if (code == 0) {
+ 			*ntstatus = NT_STATUS_OK;
+ 			goto cleanup;
+ 		}
+ 
+-		/* try to get ntstatus code out of krb5_error when we have it
+-		 * inside the krb5_get_init_creds_opt - gd */
+-
+-		if (opt != NULL) {
+-			bool ok;
+-
+-			ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
+-								   me,
+-								   opt,
+-								   &status);
+-			if (ok) {
+-				*ntstatus = status;
+-				goto cleanup;
+-			}
+-		}
+-
+ 		/* fall back to self-made-mapping */
+ 		*ntstatus = krb5_to_nt_status(code);
+ 	}
+Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh
+===================================================================
+--- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh
++++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh
+@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d
+ 
+ testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
+ 
++testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
++
++testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
++
+ rm -f $KRB5CCNAME_PATH
+ 
+ exit $failed
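Review bot: The header of this patch file describes only the kerberos.c removal (`[PATCH 1/2]`, `1 file changed, 169 deletions`), yet the file also carries a hunk for nsswitch/tests/test_wbinfo.sh that adds two `testit_expect_failure` cases. That second change has no From/Subject lines and no `(cherry picked from commit ...)` trailer, so it cannot be traced to an upstream commit from this file alone. Keep the second patch's own mail header in front of its hunk, or add a trailer such as `(cherry picked from commit UPSTREAM_COMMIT_ID)` (placeholder), so the backport can be audited. The `Index:` and `===` separators suggest the file was regenerated with quilt, which may be where the header was lost.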
diff --git a/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch
new file mode 100644
index 0000000..f29cddb
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch
@@ -0,0 +1,76 @@
+From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 20 Jun 2017 10:27:07 +0200
+Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
+index 8c764f77b08..b0bf6784ba6 100644
+--- a/source3/winbindd/wb_getpwsid.c
++++ b/source3/winbindd/wb_getpwsid.c
+@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+ 		req, struct wb_getpwsid_state);
+ 	struct winbindd_pw *pw = state->pw;
+ 	struct wbint_userinfo *info;
++	struct winbindd_domain *domain = NULL;
+ 	fstring acct_name, output_username;
++	char *mapped_name = NULL;
+ 	char *tmp;
+ 	NTSTATUS status;
+ 
+@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+ 		return;
+ 	}
+ 
+-	fill_domain_username(output_username, info->domain_name,
+-			     acct_name, true);
++	domain = find_domain_from_name_noinit(info->domain_name);
++	if (tevent_req_nomem(domain, req)) {
++		return;
++	}
++
++	/*
++	 * TODO:
++	 * This function should be called in 'idmap winbind child'. It shouldn't
++	 * be a blocking call, but for this we need to add a new function for
++	 * winbind.idl. This is a fix which can be backported for now.
++	 */
++	status = normalize_name_map(state,
++				    domain,
++				    acct_name,
++				    &mapped_name);
++	if (NT_STATUS_IS_OK(status)) {
++		fill_domain_username(output_username,
++				     info->domain_name,
++				     mapped_name, true);
++		fstrcpy(acct_name, mapped_name);
++	} else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
++		fstrcpy(acct_name, mapped_name);
++	} else {
++		fill_domain_username(output_username,
++				     info->domain_name,
++				     acct_name, true);
++	}
++
+ 	strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));
+ 
+ 	strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "",
+@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+ 	TALLOC_FREE(tmp);
+ 
+ 	tmp = talloc_sub_specified(
+-		state, info->shell, info->acct_name,
++		state, info->shell, acct_name,
+ 		info->primary_group_name, info->domain_name,
+ 		pw->pw_uid, pw->pw_gid);
+ 	if (tevent_req_nomem(tmp, req)) {
+-- 
+2.13.1
+
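Review bot: In `wb_getpwsid_queryuser_done()` the `NT_STATUS_FILE_RENAMED` branch copies `mapped_name` into `acct_name` but never writes `output_username`, and the next statement is `strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name))`. `output_username` is declared as a plain `fstring` with no initialiser, so unless lines outside the two hunks set it, that path copies uninitialised stack bytes into the passwd entry handed back to the caller. Assign it in that branch as well, for example `strlcpy(output_username, mapped_name, sizeof(output_username));`, after confirming that the alias is meant to be returned without the domain prefix. A failed `find_domain_from_name_noinit()` lookup is also routed through `tevent_req_nomem()`, which reports an unknown domain as out of memory; an explicit NULL check with `tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN)` would be clearer. The function body starts and ends outside these hunks.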
diff --git a/SOURCES/samba-v4.6-credentials-fix-realm.patch b/SOURCES/samba-v4.6-credentials-fix-realm.patch
new file mode 100644
index 0000000..8583d5b
--- /dev/null
+++ b/SOURCES/samba-v4.6-credentials-fix-realm.patch
@@ -0,0 +1,54 @@
+commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
+Author: Andreas Schneider <asn@samba.org>
+Date:   Wed Dec 21 22:17:22 2016 +0100
+
+    auth/credentials: Always set the the realm if we set the principal from the ccache
+    
+    This fixes a bug in gensec_gssapi_client_start() where an invalid realm
+    is used to get a Kerberos ticket.
+    
+    Signed-off-by: Andreas Schneider <asn@samba.org>
+    Reviewed-by: Stefan Metzmacher <metze@samba.org>
+    (cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
+
+diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
+index 0e68012..1912c48 100644
+--- a/auth/credentials/credentials_krb5.c
++++ b/auth/credentials/credentials_krb5.c
+@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
+ 					   enum credentials_obtained obtained,
+ 					   const char **error_string)
+ {
+-	
++	bool ok;
++	char *realm;
+ 	krb5_principal princ;
+ 	krb5_error_code ret;
+ 	char *name;
+@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
+ 		return ret;
+ 	}
+ 
+-	cli_credentials_set_principal(cred, name, obtained);
+-
++	ok = cli_credentials_set_principal(cred, name, obtained);
++	if (!ok) {
++		krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
++		return ENOMEM;
++	}
+ 	free(name);
+ 
++	realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
++					     princ);
+ 	krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
++	if (realm == NULL) {
++		return ENOMEM;
++	}
++	ok = cli_credentials_set_realm(cred, realm, obtained);
++	SAFE_FREE(realm);
++	if (!ok) {
++		return ENOMEM;
++	}
+ 
+ 	/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
+ 	cred->ccache_obtained = obtained;
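Review bot: The new error return after `cli_credentials_set_principal()` leaks `name`: `free(name);` sits after the `if (!ok) { ... return ENOMEM; }` block, so the failure path releases `princ` but not the principal string. Move `free(name);` to directly after the `cli_credentials_set_principal()` call, before the `if (!ok)` test. `cli_credentials_set_from_ccache()` starts and ends outside the hunk.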
diff --git a/SOURCES/samba-v4.6-gss_krb5_import_cred.patch b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch
new file mode 100644
index 0000000..72f2904
--- /dev/null
+++ b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch
@@ -0,0 +1,543 @@
+From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 17:08:09 +0200
+Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108)
+---
+ wscript_configure_system_mitkrb5 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
+index 06a9821..d3e8ebf 100644
+--- a/wscript_configure_system_mitkrb5
++++ b/wscript_configure_system_mitkrb5
+@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN('''
+        gsskrb5_extract_authz_data_from_sec_context
+        gss_krb5_export_lucid_sec_context
+        gss_import_cred gss_export_cred
++       gss_acquire_cred_from
+        ''', 'gssapi gssapi_krb5')
+ conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers)
+ conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
+-- 
+2.9.3
+
+
+From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:14:57 +0200
+Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
+
+Wrap gss_krb5_import_cred() to allow re-implementing it with
+gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
+works fine with GSSAPI interposer (GSS-proxy) while
+gss_krb5_import_cred() is not interposed yet.
+
+The wrapper has additional parameter, krb5_context handle, to facilitate
+with credentials cache name discovery. All our callers to
+gss_krb5_import_cred() already have krb5 context handy.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)
+---
+ lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++
+ lib/krb5_wrap/gss_samba.h |  13 +++++
+ 2 files changed, 134 insertions(+)
+
+diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
+index b444633..757ffc5 100644
+--- a/lib/krb5_wrap/gss_samba.c
++++ b/lib/krb5_wrap/gss_samba.c
+@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
+ }
+ #endif /* !HAVE_GSS_OID_EQUAL */
+ 
++
++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
++ * interposed by GSSPROXY while gss_krb5_import_cred() is not.
++ *
++ * This wrapper requires a proper krb5_context to resolve ccache name.
++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
++uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
++				  krb5_ccache id, krb5_principal keytab_principal,
++				  krb5_keytab keytab, gss_cred_id_t *cred)
++{
++	uint32_t major_status = 0;
++
++#if HAVE_GSS_ACQUIRE_CRED_FROM
++	uint32_t minor = 0;
++	gss_key_value_element_desc ccache_element = {
++		.key = "ccache",
++		.value = NULL,
++	};
++
++	gss_key_value_element_desc keytab_element = {
++		.key = "keytab",
++		.value = NULL,
++	};
++
++	gss_key_value_element_desc elements[2];
++
++	gss_key_value_set_desc cred_store = {
++		.elements = &ccache_element,
++		.count = 1,
++	};
++
++	gss_OID_set mech_set = GSS_C_NO_OID_SET;
++	gss_cred_usage_t cred_usage = GSS_C_INITIATE;
++	gss_name_t name = NULL;
++	gss_buffer_desc pr_name = {
++		.value = NULL,
++		.length = 0,
++	};
++
++	if (id != NULL) {
++		major_status = krb5_cc_get_full_name(ctx,
++						     id,
++						     discard_const(&ccache_element.value));
++		if (major_status != 0) {
++			return major_status;
++		}
++	}
++
++	if (keytab != NULL) {
++		keytab_element.value = malloc(4096);
++		if (!keytab_element.value) {
++			return ENOMEM;
++		}
++		major_status = krb5_kt_get_name(ctx,
++						keytab,
++						discard_const(keytab_element.value), 4096);
++		if (major_status != 0) {
++			free(discard_const(keytab_element.value));
++			return major_status;
++		}
++		cred_usage = GSS_C_ACCEPT;
++		cred_store.elements = &keytab_element;
++
++		if (keytab_principal != NULL) {
++			major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
++			if (major_status != 0) {
++				free(discard_const(keytab_element.value));
++				return major_status;
++			}
++			pr_name.length = strlen(pr_name.value);
++
++			major_status = gss_import_name(minor_status,
++						       &pr_name,
++						       discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
++						       &name);
++			if (major_status != 0) {
++				krb5_free_unparsed_name(ctx, pr_name.value);
++				free(discard_const(keytab_element.value));
++				return major_status;
++			}
++		}
++	}
++
++	if (id != NULL && keytab != NULL) {
++		elements[0] = ccache_element;
++		elements[1] = keytab_element;
++
++		cred_store.elements = elements;
++		cred_store.count = 2;
++		cred_usage = GSS_C_BOTH;
++	}
++
++	major_status = gss_acquire_cred_from(minor_status,
++					     name,
++					     0,
++					     mech_set,
++					     cred_usage,
++					     &cred_store,
++					     cred,
++					     NULL,
++					     NULL);
++
++	if (pr_name.value != NULL) {
++		(void)gss_release_name(&minor, &name);
++		krb5_free_unparsed_name(ctx, pr_name.value);
++	}
++	if (keytab_element.value != NULL) {
++		free(discard_const(keytab_element.value));
++	}
++	krb5_free_string(ctx, discard_const(ccache_element.value));
++#else
++	major_status = gss_krb5_import_cred(minor_status,
++					id,
++					keytab_principal,
++					keytab, cred);
++#endif
++	return major_status;
++}
++
++
+ #endif /* HAVE_GSSAPI */
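Review bot: The early returns in the `HAVE_GSS_ACQUIRE_CRED_FROM` branch of `smb_gss_krb5_import_cred()` leak what was already acquired. When `id` is set, `ccache_element.value` from `krb5_cc_get_full_name()` is never freed if the later `malloc(4096)`, `krb5_kt_get_name()`, `krb5_unparse_name()` or `gss_import_name()` step fails. Routing every failure through one cleanup label keeps the frees in a single place and removes the repeated `free(discard_const(keytab_element.value))` calls. Separately, these paths return `ENOMEM` or a krb5 error code as the GSS major status without writing `*minor_status`, so a caller that compares or formats the minor code after a failure may be reading a value the wrapper never set.

```c
	if (keytab != NULL) {
		keytab_element.value = malloc(4096);
		if (!keytab_element.value) {
			major_status = ENOMEM;
			goto done;
		}
		/* … unchanged: krb5_kt_get_name() call … */
		if (major_status != 0) {
			goto done;
		}
		/* … unchanged: cred_usage and cred_store set for the keytab … */

		if (keytab_principal != NULL) {
			/* … unchanged: krb5_unparse_name() call … */
			if (major_status != 0) {
				goto done;
			}
			/* … unchanged: pr_name.length, gss_import_name() call … */
			if (major_status != 0) {
				goto done;
			}
		}
	}

	/* … unchanged: combined ccache+keytab store, gss_acquire_cred_from() call … */

done:
	if (name != NULL) {
		(void)gss_release_name(&minor, &name);
	}
	if (pr_name.value != NULL) {
		krb5_free_unparsed_name(ctx, pr_name.value);
	}
	free(discard_const(keytab_element.value));
	krb5_free_string(ctx, discard_const(ccache_element.value));
```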
+diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
+index 5319932..89aee34 100644
+--- a/lib/krb5_wrap/gss_samba.h
++++ b/lib/krb5_wrap/gss_samba.h
+@@ -25,6 +25,7 @@
+ #ifdef HAVE_GSSAPI
+ 
+ #include "system/gssapi.h"
++#include "krb5_samba.h"
+ 
+ #if defined(HAVE_GSS_OID_EQUAL)
+ #define smb_gss_oid_equal gss_oid_equal
+@@ -32,5 +33,17 @@
+ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid);
+ #endif /* HAVE_GSS_OID_EQUAL */
+ 
++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
++ * interposed by GSS-proxy while gss_krb5_import_cred() is not.
++ *
++ * This wrapper requires a proper krb5_context to resolve the ccache name for
++ * gss_acquire_cred_from().
++ *
++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
++uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
++				  krb5_ccache id, krb5_principal keytab_principal,
++				  krb5_keytab keytab, gss_cred_id_t *cred);
++
+ #endif /* HAVE_GSSAPI */
+ #endif /* _GSS_SAMBA_H */
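Review bot: The prototype declares `OM_uint32 *minor_status`, while the definition added to gss_samba.c in the same patch uses `uint32_t *minor_status`. Both return `uint32_t` for what is a GSS major status. Declaration and definition only agree where `OM_uint32` is a typedef of `uint32_t`. Using the GSSAPI type for both the return value and the parameter in the header and in the .c file, `OM_uint32 smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,`, keeps them identical regardless of how the GSSAPI headers define it.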
+-- 
+2.9.3
+
+
+From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:57:13 +0200
+Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1)
+---
+ auth/credentials/credentials_krb5.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
+index e974df9..0e68012 100644
+--- a/auth/credentials/credentials_krb5.c
++++ b/auth/credentials/credentials_krb5.c
+@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ 		return ENOMEM;
+ 	}
+ 
+-	maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, 
+-					&gcc->creds);
++	maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
++					    ccache->ccache, NULL, NULL,
++					    &gcc->creds);
+ 	if ((maj_stat == GSS_S_FAILURE) &&
+ 	    (min_stat == (OM_uint32)KRB5_CC_END ||
+ 	     min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
+@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ 			return ret;
+ 		}
+ 
+-		maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
+-						&gcc->creds);
++		maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
++						    ccache->ccache, NULL, NULL,
++						    &gcc->creds);
+ 
+ 	}
+ 
+@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ 		} else {
+ 			ret = EINVAL;
+ 		}
+-		(*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
++		(*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret));
+ 		return ret;
+ 	}
+ 
+@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
+ 
+ 	if (ktc->password_based || obtained < CRED_SPECIFIED) {
+ 		/* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
+-		maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
+-						&gcc->creds);
++		maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
++						    NULL, NULL, ktc->keytab,
++						    &gcc->creds);
+ 	} else {
+ 		/* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
+-		maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
+-						&gcc->creds);
++		maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
++						    NULL, princ, ktc->keytab,
++						    &gcc->creds);
+ 	}
+ 	if (maj_stat) {
+ 		if (min_stat) {
+-- 
+2.9.3
+
+
+From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:57:50 +0200
+Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9)
+---
+ source3/libads/sasl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 8570788..30127fa 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
+ 		goto done;
+ 	}
+ 
+-	maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
++	maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred);
+ 	if (maj != GSS_S_COMPLETE) {
+ 		status = ADS_ERROR_GSS(maj, min);
+ 		goto done;
+-- 
+2.9.3
+
+
+From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:58:14 +0200
+Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7)
+---
+ source3/librpc/crypto/gse.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index abf20bc..f4238f3 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ 	/* TODO: get krb5 ticket using username/password, if no valid
+ 	 * one already available in ccache */
+ 
+-	gss_maj = gss_krb5_import_cred(&gss_min,
+-				       gse_ctx->ccache,
+-				       NULL, /* keytab_principal */
+-				       NULL, /* keytab */
+-				       &gse_ctx->creds);
++	gss_maj = smb_gss_krb5_import_cred(&gss_min,
++					   gse_ctx->k5ctx,
++					   gse_ctx->ccache,
++					   NULL, /* keytab_principal */
++					   NULL, /* keytab */
++					   &gse_ctx->creds);
+ 	if (gss_maj) {
+ 		char *ccache = NULL;
+ 		int kret;
+@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ 			ccache = NULL;
+ 		}
+ 
+-		DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
++		DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -"
+ 			  "the caller may retry after a kinit.\n",
+ 			  ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
+ 		SAFE_FREE(ccache);
+@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
+ 	}
+ 
+ 	/* This creates a GSSAPI cred_id_t with the keytab set */
+-	gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, 
+-				       &gse_ctx->creds);
++	gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx,
++					   NULL, NULL, gse_ctx->keytab,
++					   &gse_ctx->creds);
+ 
+ 	if (gss_maj != 0
+ 	    && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
+-		DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
++		DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
+ 			  gse_errstr(gse_ctx, gss_maj, gss_min)));
+ 		status = NT_STATUS_INTERNAL_ERROR;
+ 		goto done;
+-- 
+2.9.3
+
+
+From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Wed, 8 Mar 2017 12:38:49 +0200
+Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred
+ wrapper
+
+MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
+credentials from a keytab without specifying actual principal.
+This was fixed in MIT krb5 1.9.2 (see commit
+71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
+master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
+
+Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
+expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
+code use of krb5 mech when calling to gss_acquire_cred.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
+Autobuild-Date(master): Wed Mar  8 22:00:24 CET 2017 on sn-devel-144
+
+(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32)
+---
+ lib/krb5_wrap/gss_samba.c   | 46 +++++++++++++++++++++++++++++++++++++++---
+ source3/librpc/crypto/gse.c | 49 +--------------------------------------------
+ 2 files changed, 44 insertions(+), 51 deletions(-)
+
+diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
+index 757ffc5..9e5ad4a 100644
+--- a/lib/krb5_wrap/gss_samba.c
++++ b/lib/krb5_wrap/gss_samba.c
+@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
+ 	krb5_free_string(ctx, discard_const(ccache_element.value));
+ #else
+ 	major_status = gss_krb5_import_cred(minor_status,
+-					id,
+-					keytab_principal,
+-					keytab, cred);
++					    id,
++					    keytab_principal,
++					    keytab, cred);
++
++	if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
++		if ((keytab_principal == NULL) && (keytab != NULL)) {
++			/* No principal was specified and MIT krb5 1.9 version failed.
++			 * We have to fall back to set global acceptor identity */
++			gss_OID_set_desc mech_set;
++			char *kt_name = NULL;
++
++			kt_name = malloc(4096);
++			if (!kt_name) {
++				return ENOMEM;
++			}
++
++			major_status = krb5_kt_get_name(ctx,
++							keytab,
++							kt_name, 4096);
++			if (major_status != 0) {
++				free(kt_name);
++				return major_status;
++			}
++
++			major_status = gsskrb5_register_acceptor_identity(kt_name);
++			if (major_status) {
++				free(kt_name);
++				return major_status;
++			}
++
++			/* We are dealing with krb5 GSSAPI mech in this fallback */
++			mech_set.count = 1;
++			mech_set.elements = gss_mech_krb5;
++			major_status = gss_acquire_cred(minor_status,
++							GSS_C_NO_NAME,
++							GSS_C_INDEFINITE,
++							&mech_set,
++							GSS_C_ACCEPT,
++							cred,
++							NULL, NULL);
++			free(kt_name);
++		}
++	}
+ #endif
+ 	return major_status;
+ }
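Review bot: The fallback calls `gsskrb5_register_acceptor_identity(kt_name)`, but the FIXME that gse.c carried for this call is dropped rather than moved. The removed comment says the call sets the default keytab for the whole server, not just for this context. Now that the call lives in the shared wrapper, any caller that passes a keytab without a principal can trigger that process-wide change on builds without `gss_acquire_cred_from`. The warning belongs next to the call, e.g. `/* FIXME: sets the default keytab for the whole process, not just this credential */`. The `return ENOMEM` and the `return major_status` after `krb5_kt_get_name()` also hand a non-GSS code back as the major status without setting `*minor_status`.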
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index f4238f3..a111320 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
+ 					   NULL, NULL, gse_ctx->keytab,
+ 					   &gse_ctx->creds);
+ 
+-	if (gss_maj != 0
+-	    && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
++	if (gss_maj != 0) {
+ 		DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
+ 			  gse_errstr(gse_ctx, gss_maj, gss_min)));
+ 		status = NT_STATUS_INTERNAL_ERROR;
+ 		goto done;
+-
+-		/* This is the error the MIT krb5 1.9 gives when it
+-		 * implements the function, but we do not specify the
+-		 * principal.  However, when we specify the principal
+-		 * as host$@REALM the GSS acceptor fails with 'wrong
+-		 * principal in request'.  Work around the issue by
+-		 * falling back to the alternate approach below. */
+-	} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
+-	/* FIXME!!!
+-	 * This call sets the default keytab for the whole server, not
+-	 * just for this context. Need to find a way that does not alter
+-	 * the state of the whole server ... */
+-	{
+-		const char *ktname;
+-		gss_OID_set_desc mech_set;
+-
+-		ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx,
+-				   gse_ctx->keytab, &ktname);
+-		if (ret) {
+-			status = NT_STATUS_INTERNAL_ERROR;
+-			goto done;
+-		}
+-
+-		ret = gsskrb5_register_acceptor_identity(ktname);
+-		if (ret) {
+-			status = NT_STATUS_INTERNAL_ERROR;
+-			goto done;
+-		}
+-
+-		mech_set.count = 1;
+-		mech_set.elements = &gse_ctx->gss_mech;
+-
+-		gss_maj = gss_acquire_cred(&gss_min,
+-				   GSS_C_NO_NAME,
+-				   GSS_C_INDEFINITE,
+-				   &mech_set,
+-				   GSS_C_ACCEPT,
+-				   &gse_ctx->creds,
+-				   NULL, NULL);
+-
+-		if (gss_maj) {
+-			DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
+-				  gse_errstr(gse_ctx, gss_maj, gss_min)));
+-			status = NT_STATUS_INTERNAL_ERROR;
+-			goto done;
+-		}
+ 	}
+ 
+ 	status = NT_STATUS_OK;
+-- 
+2.9.3
+
diff --git a/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
new file mode 100644
index 0000000..73c72cd
--- /dev/null
+++ b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
@@ -0,0 +1,179 @@
+From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 10 Mar 2017 16:20:06 +0200
+Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Implement a small Python module that exposes arcfour_crypt_blob()
+function widely used in Samba C code.
+
+When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
+there is a need to encrypt trusted credentials with RC4 cipher.
+
+Current Samba Python code relies on Python runtime to provide RC4
+cipher. However, in FIPS 140-2 mode system crypto libraries do not
+provide access RC4 cipher at all. According to Microsoft dochelp team,
+Windows is treating AuthenticationInformation blob encryption as 'plain
+text' in terms of FIPS 140-2, thus doing application-level encryption.
+
+Replace samba.arcfour_encrypt() implementation with a call to
+samba.crypto.arcfour_crypt_blob().
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
+
+(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)
+---
+ lib/crypto/py_crypto.c   | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/crypto/wscript_build |  7 ++++
+ python/samba/__init__.py | 16 ++-------
+ 3 files changed, 99 insertions(+), 14 deletions(-)
+ create mode 100644 lib/crypto/py_crypto.c
+
+diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
+new file mode 100644
+index 0000000..bf7f9f4
+--- /dev/null
++++ b/lib/crypto/py_crypto.c
+@@ -0,0 +1,90 @@
++/*
++   Unix SMB/CIFS implementation.
++   Samba crypto functions
++
++   Copyright (C) Alexander Bokovoy <ab@samba.org> 2017
++
++   This program is free software; you can redistribute it and/or modify
++   it under the terms of the GNU General Public License as published by
++   the Free Software Foundation; either version 3 of the License, or
++   (at your option) any later version.
++
++   This program is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++   GNU General Public License for more details.
++
++   You should have received a copy of the GNU General Public License
++   along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <Python.h>
++#include "includes.h"
++#include "python/py3compat.h"
++#include "lib/crypto/arcfour.h"
++
++static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
++{
++	DATA_BLOB data, key;
++	PyObject *py_data, *py_key, *result;
++	TALLOC_CTX *ctx;
++
++	if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
++		return NULL;
++
++	if (!PyBytes_Check(py_data)) {
++		PyErr_Format(PyExc_TypeError, "bytes expected");
++		return NULL;
++	}
++
++	if (!PyBytes_Check(py_key)) {
++		PyErr_Format(PyExc_TypeError, "bytes expected");
++		return NULL;
++	}
++
++	ctx = talloc_new(NULL);
++
++	data.length = PyBytes_Size(py_data);
++	data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
++	if (!data.data) {
++		talloc_free(ctx);
++		return PyErr_NoMemory();
++	}
++
++	key.data = (uint8_t *)PyBytes_AsString(py_key);
++	key.length = PyBytes_Size(py_key);
++
++	arcfour_crypt_blob(data.data, data.length, &key);
++
++	result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
++	talloc_free(ctx);
++	return result;
++}
++
++
++static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
++					 "Encrypt the data with RC4 algorithm using the key";
++
++static PyMethodDef py_crypto_methods[] = {
++	{ "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
++	{ NULL },
++};
++
++static struct PyModuleDef moduledef = {
++	PyModuleDef_HEAD_INIT,
++	.m_name = "crypto",
++	.m_doc = "Crypto functions required for SMB",
++	.m_size = -1,
++	.m_methods = py_crypto_methods,
++};
++
++MODULE_INIT_FUNC(crypto)
++{
++	PyObject *m;
++
++	m = PyModule_Create(&moduledef);
++	if (m == NULL)
++		return NULL;
++
++	return m;
++}
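Review bot: `py_crypto_arcfour_crypt_blob()` passes the key to `arcfour_crypt_blob()` without checking its length, so an empty `bytes` key reaches the cipher setup. How that code behaves for `key.length == 0` is not visible here, and rejecting it up front is cheap: `if (PyBytes_Size(py_key) == 0) { PyErr_SetString(PyExc_ValueError, "empty key"); return NULL; }`. The result of `talloc_new(NULL)` is also unchecked; adding `if (ctx == NULL) return PyErr_NoMemory();` before the `talloc_memdup()` avoids continuing with a NULL context, where the later `talloc_free(ctx)` would likely not release the copied data. The function is declared with a `kwargs` parameter but registered as `METH_VARARGS`, so either drop the parameter or register it with `METH_VARARGS | METH_KEYWORDS`.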
+diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
+index 7f94532..d1f152e 100644
+--- a/lib/crypto/wscript_build
++++ b/lib/crypto/wscript_build
+@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
+         autoproto='test_proto.h',
+         deps='LIBCRYPTO'
+         )
++
++for env in bld.gen_python_environments():
++	bld.SAMBA_PYTHON('python_crypto',
++		source='py_crypto.c',
++		deps='LIBCRYPTO',
++		realname='samba/crypto.so'
++		)
+diff --git a/python/samba/__init__.py b/python/samba/__init__.py
+index 19d5e38..fa4244a 100644
+--- a/python/samba/__init__.py
++++ b/python/samba/__init__.py
+@@ -371,20 +371,8 @@ def string_to_byte_array(string):
+     return blob
+ 
+ def arcfour_encrypt(key, data):
+-    try:
+-        from Crypto.Cipher import ARC4
+-        c = ARC4.new(key)
+-        return c.encrypt(data)
+-    except ImportError as e:
+-        pass
+-    try:
+-        from M2Crypto.RC4 import RC4
+-        c = RC4(key)
+-        return c.update(data)
+-    except ImportError as e:
+-        pass
+-    raise Exception("arcfour_encrypt() requires " +
+-                    "python*-crypto or python*-m2crypto or m2crypto")
++    from samba.crypto import arcfour_crypt_blob
++    return arcfour_crypt_blob(data, key)
+ 
+ import _glue
+ version = _glue.version
+-- 
+2.9.3
+
diff --git a/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch
new file mode 100644
index 0000000..f2f7cb6
--- /dev/null
+++ b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch
@@ -0,0 +1,405 @@
+From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 16 Jan 2017 11:43:12 +0100
+Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows
+
+Since Windows Server 2008 Microsoft uses a different port range for RPC
+services. Before it was 1024-65535 and they changed it to 49152-65535.
+
+We should use the same range as these are the ports the firewall in AD
+networks normally allow.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3)
+---
+ source3/rpc_server/rpc_server.c | 4 ++--
+ source4/smbd/service_stream.c   | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
+index 5effe66d9bb..37fe68fc36d 100644
+--- a/source3/rpc_server/rpc_server.c
++++ b/source3/rpc_server/rpc_server.c
+@@ -34,8 +34,8 @@
+ #include "rpc_server/srv_pipe_hnd.h"
+ #include "rpc_server/srv_pipe.h"
+ 
+-#define SERVER_TCP_LOW_PORT  1024
+-#define SERVER_TCP_HIGH_PORT 1300
++#define SERVER_TCP_LOW_PORT  49152
++#define SERVER_TCP_HIGH_PORT 65535
+ 
+ /* Creates a pipes_struct and initializes it with the information
+  * sent from the client */
+diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
+index f0a379acf6a..96a303fc6a9 100644
+--- a/source4/smbd/service_stream.c
++++ b/source4/smbd/service_stream.c
+@@ -30,8 +30,8 @@
+ #include "lib/util/util_net.h"
+ 
+ /* the range of ports to try for dcerpc over tcp endpoints */
+-#define SERVER_TCP_LOW_PORT  1024
+-#define SERVER_TCP_HIGH_PORT 1300
++#define SERVER_TCP_LOW_PORT  49152
++#define SERVER_TCP_HIGH_PORT 65535
+ 
+ /* size of listen() backlog in smbd */
+ #define SERVER_LISTEN_BACKLOG 10
+-- 
+2.11.0
+
+
+From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 16 Jan 2017 12:05:09 +0100
+Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC
+ services
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d)
+---
+ docs-xml/smbdotconf/protocol/rpcserverport.xml     | 14 +++++--
+ .../smbdotconf/rpc/rpcserverdynamicportrange.xml   | 22 ++++++++++
+ lib/param/loadparm.c                               | 47 ++++++++++++++++++++++
+ lib/param/loadparm.h                               |  9 ++++-
+ lib/param/param.h                                  |  3 ++
+ python/samba/tests/docs.py                         | 11 +++--
+ source3/include/proto.h                            |  2 +
+ source3/param/loadparm.c                           | 16 ++++++++
+ source3/rpc_server/rpc_server.c                    |  5 +--
+ source4/smbd/service_stream.c                      |  8 ++--
+ 10 files changed, 120 insertions(+), 17 deletions(-)
+ create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
+
+diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml
+index 8a70835612f..0fd87d69212 100644
+--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml
++++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml
+@@ -4,11 +4,19 @@
+                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ 	<para>Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.</para>
+-	<para>This controls default port for all protocols, except for NETLOGON.  If unset, the first available port after 1024 is used.</para>
+-	<para>The NETLOGON server will use the next available port, eg 1025.  To change this port use (eg) rpc server port:netlogon = 4000.</para>
++	<para>This controls the default port for all protocols, except for NETLOGON.</para>
++	<para>If unset, the first available port from <smbconfoption name="rpc server dynamic port range"/> is used, e.g. 49152.</para>
++	<para>The NETLOGON server will use the next available port, e.g. 49153.  To change this port use (eg) rpc server port:netlogon = 4000.</para>
+ 	<para>Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000.</para>
+ 
++	<para>This option applies currently only when
++	<citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
++	runs as an active directory domain controller.</para>
++
++	<para>The default value 0 causes Samba to select the first available port from <smbconfoption name="rpc server dynamic port range"/>.</para>
+ </description>
+-<para>The default value 0 causes Samba to select the first available port after 1024.</para>
++
++<related>rpc server dynamic port range</related>
++
+ <value type="default">0</value>
+ </samba:parameter>
+diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
+new file mode 100644
+index 00000000000..a9c51d2fe41
+--- /dev/null
++++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
+@@ -0,0 +1,22 @@
++<samba:parameter name="rpc server dynamic port range"
++                 context="G"
++                 type="string"
++                 handler="handle_rpc_server_dynamic_port_range"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++	<para>
++		This parameter tells the RPC server which port range it is
++		allowed to use to create a listening socket for LSA, SAM,
++		Netlogon and others without wellknown tcp ports.
++		The first value is the lowest number of the port
++		range and the second the hightest.
++	</para>
++	<para>
++		This applies to RPC servers in all server roles.
++	</para>
++</description>
++
++<related>rpc server port</related>
++
++<value type="default">49152-65535</value>
++</samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 6aa757f7c6b..3b54ff232aa 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx)
+ 	return lp_ctx->sDefault;
+ }
+ 
++int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
++{
++	return lp_ctx->globals->rpc_low_port;
++}
++
++int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
++{
++	return lp_ctx->globals->rpc_high_port;
++}
++
+ /**
+  * Convenience routine to grab string parameters into temporary memory
+  * and run standard_sub_basic on them.
+@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
+ 	return true;
+ }
+ 
++bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
++					  struct loadparm_service *service,
++					  const char *pszParmValue,
++					  char **ptr)
++{
++	int low_port = -1, high_port = -1;
++	int rc;
++
++	if (pszParmValue == NULL || pszParmValue[0] == '\0') {
++		return false;
++	}
++
++	rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
++	if (rc != 2) {
++		return false;
++	}
++
++	if (low_port > high_port) {
++		return false;
++	}
++
++	if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
++		return false;
++	}
++
++	lp_ctx->globals->rpc_low_port = low_port;
++	lp_ctx->globals->rpc_high_port = high_port;
++
++	return true;
++}
++
+ bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
+ 			     struct loadparm_service *service,
+ 			     const char *pszParmValue, char **ptr)
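Review bot: The `sscanf(pszParmValue, "%d - %d", ...)` call in handle_rpc_server_dynamic_port_range stops at the first character it cannot convert, so a value with trailing text such as `49152-65535x` (constructed example) still passes validation, and `%d` has no defined result when a number does not fit in an int. This range decides which TCP ports the RPC services listen on and is normally mirrored in firewall rules, so the parser should accept only two clean integers. Either use `strtol` with an end-pointer check, or minimally `char extra; rc = sscanf(pszParmValue, "%d - %d %c", &low_port, &high_port, &extra);` while keeping the `rc != 2` test. The handler also never writes through `ptr`; whether the parameter's stored string is updated elsewhere is not visible in this hunk and is worth confirming.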
+@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 	lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
+ 	/* This appears odd, but globals in s3 isn't a pointer */
+ 	lp_ctx->globals->ctx = lp_ctx->globals;
++	lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
++	lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
+ 	lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
+ 	lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
+ 
+@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 
+ 	lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
+ 
++	lpcfg_do_global_parameter(lp_ctx,
++				  "rpc server dynamic port range",
++				  "49152-65535");
++
+ 	/* Allow modules to adjust defaults */
+ 	for (defaults_hook = defaults_hooks; defaults_hook;
+ 		 defaults_hook = defaults_hook->next) {
+diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
+index f9fb7d8d804..c63683d6b66 100644
+--- a/lib/param/loadparm.h
++++ b/lib/param/loadparm.h
+@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
+ #endif /* DEVELOPER */
+ };
+ 
++#define SERVER_TCP_LOW_PORT  49152
++#define SERVER_TCP_HIGH_PORT 65535
++
++#define SERVER_TCP_PORT_MIN 1024
++#define SERVER_TCP_PORT_MAX 65535
+ 
+ 
+ 
+@@ -272,7 +277,9 @@ enum inheritowner_options {
+ #define LOADPARM_EXTRA_GLOBALS \
+ 	struct parmlist_entry *param_opt;				\
+ 	char *dnsdomain;						\
+-	char *realm_original;
++	char *realm_original;						\
++	int rpc_low_port;						\
++	int rpc_high_port;
+ 
+ const char* server_role_str(uint32_t role);
+ int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
+diff --git a/lib/param/param.h b/lib/param/param.h
+index 66037e2ef1b..e123e67a990 100644
+--- a/lib/param/param.h
++++ b/lib/param/param.h
+@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
+ 				time_t *usr_tkt_lifetime,
+ 				time_t *renewal_lifetime);
+ 
++int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);
++int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);
++
+ /* The following definitions come from lib/version.c  */
+ 
+ const char *samba_version_string(void);
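Review bot: The prototypes added here, `lpcfg_rpc_port_low` and `lpcfg_rpc_port_high`, do not match the functions this patch defines in lib/param/loadparm.c and calls in source4/smbd/service_stream.c, which are named `lpcfg_rpc_low_port` and `lpcfg_rpc_high_port`. As written, the header declares two functions that are never defined, and the real accessors get no prototype from it, so callers may compile against an implicit declaration unless another header declares them. The lines should read `int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx);` and `int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx);`.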
+diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
+index 22e022583f6..65df573a350 100644
+--- a/python/samba/tests/docs.py
++++ b/python/samba/tests/docs.py
+@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase):
+                          'lprm command', 'lpq command', 'print command', 'template homedir',
+                          'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
+                          'max open files', 'fss: prune stale', 'fss: sequence timeout',
+-                         'include system krb5 conf'])
++                         'include system krb5 conf', 'rpc server dynamic port range'])
+ 
+     def setUp(self):
+         super(SmbDotConfTests, self).setUp()
+@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase):
+             exceptions = ['client lanman auth',
+                           'client plaintext auth',
+                           'registry shares',
+-                          'smb ports'])
++                          'smb ports',
++                          'rpc server dynamic port range'])
+         self._test_empty(['bin/testparm'])
+ 
+     def test_default_s4(self):
+         self._test_default(['bin/samba-tool', 'testparm'])
+         self._set_defaults(['bin/samba-tool', 'testparm'])
+         self._set_arbitrary(['bin/samba-tool', 'testparm'],
+-            exceptions = ['smb ports'])
++            exceptions = ['smb ports',
++                          'rpc server dynamic port range'])
+         self._test_empty(['bin/samba-tool', 'testparm'])
+ 
+     def _test_default(self, program):
+@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
+ 
+         for tuples in self.defaults:
+             param, default, context, param_type = tuples
++
+             if param in self.special_cases:
+                 continue
+             section = None
+@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
+         for tuples in self.defaults:
+             param, default, context, param_type = tuples
+ 
+-            if param in ['printing']:
++            if param in ['printing', 'rpc server dynamic port range']:
+                 continue
+ 
+             section = None
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 642900ed67c..b3d3ca0e5d1 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
+ int lp_smb2_max_credits(void);
+ int lp_cups_encrypt(void);
+ bool lp_widelinks(int );
++int lp_rpc_low_port(void);
++int lp_rpc_high_port(void);
+ 
+ int lp_wi_scan_global_parametrics(
+ 	const char *regex, size_t max_matches,
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index d8da749ccba..2c8380067f6 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+ 
+ 	Globals.aio_max_threads = 100;
+ 
++	lpcfg_string_set(Globals.ctx,
++			 &Globals.rpc_server_dynamic_port_range,
++			 "49152-65535");
++	Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
++	Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
++
+ 	/* Now put back the settings that were set with lp_set_cmdline() */
+ 	apply_lp_set_cmdline();
+ }
+@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void)
+ 	return client_ipc_signing;
+ }
+ 
++int lp_rpc_low_port(void)
++{
++	return Globals.rpc_low_port;
++}
++
++int lp_rpc_high_port(void)
++{
++	return Globals.rpc_high_port;
++}
++
+ struct loadparm_global * get_globals(void)
+ {
+ 	return &Globals;
+diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
+index 37fe68fc36d..f7fb8ef5207 100644
+--- a/source3/rpc_server/rpc_server.c
++++ b/source3/rpc_server/rpc_server.c
+@@ -34,9 +34,6 @@
+ #include "rpc_server/srv_pipe_hnd.h"
+ #include "rpc_server/srv_pipe.h"
+ 
+-#define SERVER_TCP_LOW_PORT  49152
+-#define SERVER_TCP_HIGH_PORT 65535
+-
+ /* Creates a pipes_struct and initializes it with the information
+  * sent from the client */
+ int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
+@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
+ 	if (*port == 0) {
+ 		uint16_t i;
+ 
+-		for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
++		for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
+ 			fd = open_socket_in(SOCK_STREAM,
+ 					    i,
+ 					    0,
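Review bot: The loop counter `i` is declared `uint16_t`, and the default upper bound returned by `lp_rpc_high_port()` is 65535, so the condition `i <= lp_rpc_high_port()` can never become false. If every port up to 65535 fails, `i++` wraps to 0 and the search continues below the configured range, which defeats the purpose of confining RPC listeners to the range a firewall allows. Declaring the counter wider, `int i;`, and narrowing it only where it is passed to `open_socket_in` keeps the bound effective. The same check applies to the loop in stream_setup_socket in source4/smbd/service_stream.c, where the declaration of `i` lies outside the hunk. create_tcpip_socket also continues past this hunk, so how the loop exits on success is not visible here.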
+diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
+index 96a303fc6a9..deb96d8d69d 100644
+--- a/source4/smbd/service_stream.c
++++ b/source4/smbd/service_stream.c
+@@ -29,10 +29,6 @@
+ #include "../lib/tsocket/tsocket.h"
+ #include "lib/util/util_net.h"
+ 
+-/* the range of ports to try for dcerpc over tcp endpoints */
+-#define SERVER_TCP_LOW_PORT  49152
+-#define SERVER_TCP_HIGH_PORT 65535
+-
+ /* size of listen() backlog in smbd */
+ #define SERVER_LISTEN_BACKLOG 10
+ 
+@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
+ 	if (!port) {
+ 		status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
+ 	} else if (*port == 0) {
+-		for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
++		for (i = lpcfg_rpc_low_port(lp_ctx);
++		     i <= lpcfg_rpc_high_port(lp_ctx);
++		     i++) {
+ 			socket_address->port = i;
+ 			status = socket_listen(stream_socket->sock, socket_address, 
+ 					       SERVER_LISTEN_BACKLOG, 0);
+-- 
+2.11.0
+
diff --git a/SOURCES/samba.xinetd b/SOURCES/samba.xinetd
deleted file mode 100644
index 8b62348..0000000
--- a/SOURCES/samba.xinetd
+++ /dev/null
@@ -1,15 +0,0 @@
-# default: off
-# description: SWAT is the Samba Web Admin Tool. Use swat \
-#	       to configure your Samba server. To use SWAT, \
-#	       connect to port 901 with your favorite web browser.
-service swat
-{
-	port		= 901
-	socket_type	= stream
-	wait 		= no
-	only_from 	= 127.0.0.1
-	user		= root
-	server		= /usr/sbin/swat
-	log_on_failure	+= USERID
-	disable		= yes
-}
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 153d214..fe73e2e 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,13 +6,13 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 14
+%define main_release 8
 
-%define samba_version 4.4.4
-%define talloc_version 2.1.6
-%define tdb_version 1.3.8
-%define tevent_version 0.9.28
-%define ldb_version 1.1.26
+%define samba_version 4.6.2
+%define talloc_version 2.1.9
+%define tdb_version 1.3.12
+%define tevent_version 0.9.31
+%define ldb_version 1.1.29
 # This should be rc1 or nil
 %define pre_release %nil
 
@@ -50,7 +50,7 @@
 %endif
 %endif
 
-%global libwbc_alternatives_version 0.12
+%global libwbc_alternatives_version 0.13
 %global libwbc_alternatives_suffix %nil
 %if 0%{?__isa_bits} == 64
 %global libwbc_alternatives_suffix -64
@@ -65,6 +65,11 @@
 %global with_dc 1
 %endif
 
+%global required_mit_krb5 1.10
+%if %{with_dc}
+%global required_mit_krb5 1.15.1
+%endif
+
 %global with_clustering_support 0
 
 %if %{with clustering}
@@ -91,42 +96,38 @@ Epoch:          2
 
 Summary:        Server and Client software to interoperate with Windows machines
 License:        GPLv3+ and LGPLv3+
-Group:          System Environment/Daemons
 URL:            http://www.samba.org/
 
 Source0:        samba-%{version}%{pre_release}.tar.xz
+Source1:        samba-%{version}%{pre_release}.tar.asc
+Source2:        gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
 
 # Red Hat specific replacement-files
-Source1: samba.log
-Source2: samba.xinetd
-Source3: smb.conf.vendor
-Source4: smb.conf.example
-Source5: pam_winbind.conf
-Source6: samba.pamd
+Source10: samba.log
+Source11: smb.conf.vendor
+Source12: smb.conf.example
+Source13: pam_winbind.conf
+Source14: samba.pamd
 
 Source200: README.dc
 Source201: README.downgrade
 
-Patch0:    samba-4.4.5-fix_resolving_trusted_domain_users.patch
-Patch1:    samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch
-Patch2:    samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch
-Patch3:    samba-4.4.5-fix_winbind_cached_creds_memleak.patch
-Patch4:    CVE-2016-2119-v4-4.patch
-Patch5:    samba-4.4.7-fix-ctdb-test-install-dir.patch
-Patch6:    samba-4.4.7-fix_ads_krb5_ccname_handling.patch
-Patch7:    samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch
-Patch8:    samba-4.4.7-fix_idmap_range_checks.patch
-Patch9:    samba-4.4.7-fix_smget_auth_callback.patch
-Patch10:   samba-4.4.6-fix_nss_wins.patch
-Patch11:   samba-4.4.7-fix_group_substituion_with_ad.patch
-Patch12:   samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
-Patch13:   samba-4.4.x-fix_libads_krb5_memcache.patch
-Patch14:   CVE-2016-2125-v4-4.patch
-Patch15:   CVE-2016-2126-v4-4.patch
-Patch16:   CVE-2017-2619-v4-4.patch
-Patch17:   CVE-2017-7494.patch
-
-BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+Patch0: samba-v4.6-gss_krb5_import_cred.patch
+Patch1: samba-v4.6-credentials-fix-realm.patch
+Patch2: samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
+Patch3: samba-v4-6-fix-building-with-new-glibc.patch
+Patch4: samba-v4-6-fix-cross-realm-refferals.patch
+Patch5: samba-v4-6-fix-kerberos-debug-message.patch
+Patch6: samba-v4-6-fix-net-ads-keytab-handling.patch
+Patch7: samba-v4-6-fix_winbind_child_crash.patch
+Patch8: samba-v4-6-fix_path_substitutions.patch
+Patch9: samba-v4-6-fix-spoolss-32bit-driver-upload.patch
+Patch10: CVE-2017-7494.patch
+Patch11: samba-v4-6-fix-vfs-expand-msdfs.patch
+Patch12: samba-v4.7-config-dynamic-rpc-port-range.patch
+Patch13: samba-v4-6-fix_smbclient_session_setup_info.patch
+Patch14: samba-v4-6-fix_smbclient_username_parsing.patch
+Patch15: samba-v4-6-fix_winbind_normalize_names.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -134,6 +135,7 @@ Requires(preun): systemd
 Requires(postun): systemd
 
 Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-common-tools = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
@@ -167,7 +169,8 @@ BuildRequires: dbus-devel
 BuildRequires: docbook-style-xsl
 BuildRequires: e2fsprogs-devel
 BuildRequires: gawk
-BuildRequires: krb5-devel >= 1.14
+BuildRequires: gnupg2
+BuildRequires: krb5-devel >= %{required_mit_krb5}
 BuildRequires: libacl-devel
 BuildRequires: libaio-devel
 BuildRequires: libarchive-devel
@@ -178,16 +181,20 @@ BuildRequires: libxslt
 BuildRequires: ncurses-devel
 BuildRequires: openldap-devel
 BuildRequires: pam-devel
+#BuildRequires: perl-generators
+BuildRequires: perl(Test::More)
 BuildRequires: perl(ExtUtils::MakeMaker)
 BuildRequires: perl(Parse::Yapp)
 BuildRequires: popt-devel
-BuildRequires: python
 BuildRequires: python-devel
+#BuildRequires: python2-pygpgme
+#BuildRequires: python2-subunit
 BuildRequires: python-tevent
 BuildRequires: quota-devel
 BuildRequires: readline-devel
 BuildRequires: sed
 BuildRequires: xfsprogs-devel
+BuildRequires: xz
 BuildRequires: zlib-devel >= 1.2.3
 
 BuildRequires: pkgconfig(libsystemd)
@@ -199,40 +206,38 @@ BuildRequires: glusterfs-devel >= 3.4.0.16
 %if %{with_vfs_cephfs}
 BuildRequires: libcephfs1-devel
 %endif
-
-# Allow build with testsuite which uses heimdal
-#%if %{with_dc}
-#BuildRequires: gnutls-devel >= 3.4.7
-# Required by samba-tool
-#BuildRequires: python-crypto
-#%endif
+%if %{with_dc}
+BuildRequires: gnutls-devel >= 3.4.7
+# Required by samba-tool to run tests
+BuildRequires: python-crypto
+%endif
 
 # pidl requirements
 BuildRequires: perl(Parse::Yapp)
 
 %if ! %with_internal_talloc
-%global libtalloc_version 2.1.6
+%global libtalloc_version 2.1.9
 
 BuildRequires: libtalloc-devel >= %{libtalloc_version}
 BuildRequires: pytalloc-devel >= %{libtalloc_version}
 %endif
 
 %if ! %with_internal_tevent
-%global libtevent_version 0.9.28
+%global libtevent_version 0.9.31
 
 BuildRequires: libtevent-devel >= %{libtevent_version}
 BuildRequires: python-tevent >= %{libtevent_version}
 %endif
 
 %if ! %with_internal_ldb
-%global libldb_version 1.1.26
+%global libldb_version 1.1.29
 
 BuildRequires: libldb-devel >= %{libldb_version}
 BuildRequires: pyldb-devel >= %{libldb_version}
 %endif
 
 %if ! %with_internal_tdb
-%global libtdb_version 1.3.8
+%global libtdb_version 1.3.12
 
 BuildRequires: libtdb-devel >= %{libtdb_version}
 BuildRequires: python-tdb >= %{libtdb_version}
@@ -240,6 +245,8 @@ BuildRequires: python-tdb >= %{libtdb_version}
 
 %if %{with testsuite}
 BuildRequires: ldb-tools
+BuildRequires: libcmocka-devel
+BuildRequires: python2-pygpgme
 %endif
 
 # filter out perl requirements pulled in from examples in the docdir.
@@ -257,8 +264,8 @@ Unix.
 ### CLIENT
 %package client
 Summary: Samba client programs
-Group: Applications/System
 Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
 %if %with_libsmbclient
@@ -279,8 +286,8 @@ of SMB/CIFS shares and printing to SMB/CIFS printers.
 ### CLIENT-LIBS
 %package client-libs
 Summary: Samba client libraries
-Group: Applications/System
 Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
 %if %with_libwbclient
 Requires: libwbclient = %{samba_depver}
 %endif
@@ -292,7 +299,6 @@ SMB/CIFS clients.
 ### COMMON
 %package common
 Summary: Files used by both Samba servers and clients
-Group: Applications/System
 BuildArch: noarch
 
 Requires(post): systemd
@@ -307,8 +313,8 @@ packages of Samba.
 ### COMMON-LIBS
 %package common-libs
 Summary: Libraries used by both Samba servers and clients
-Group: Applications/System
 Requires(pre): samba-common = %{samba_depver}
+Requires: samba-common = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
 %if %with_libwbclient
 Requires: libwbclient = %{samba_depver}
@@ -321,7 +327,6 @@ SMB/CIFS clients.
 ### COMMON-TOOLS
 %package common-tools
 Summary: Tools for Samba servers and clients
-Group: Applications/System
 Requires: samba-common-libs = %{samba_depver}
 Requires: samba-client-libs = %{samba_depver}
 Requires: samba-libs = %{samba_depver}
@@ -336,7 +341,6 @@ SMB/CIFS clients.
 ### DC
 %package dc
 Summary: Samba AD Domain Controller
-Group: Applications/System
 Requires: %{name} = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-dc-libs = %{samba_depver}
@@ -356,7 +360,6 @@ The samba-dc package provides AD Domain Controller functionality
 ### DC-LIBS
 %package dc-libs
 Summary: Samba AD Domain Controller Libraries
-Group: Applications/System
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 
@@ -370,7 +373,6 @@ link against the SMB, RPC and other protocols.
 ### DEVEL
 %package devel
 Summary: Developer tools for Samba libraries
-Group: Development/Libraries
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
 
@@ -386,7 +388,6 @@ libraries in the Samba suite.
 %if %{with_vfs_cephfs}
 %package vfs-cephfs
 Summary: Samba VFS module for Ceph distributed storage system
-Group: Applications/System
 Requires: libcephfs1
 Requires: %{name} = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
@@ -399,7 +400,6 @@ Samba VFS module for Ceph distributed storage system integration.
 %if %{with_vfs_glusterfs}
 %package vfs-glusterfs
 Summary: Samba VFS module for GlusterFS
-Group: Applications/System
 Requires: glusterfs-api >= 3.4.0.16
 Requires: glusterfs >= 3.4.0.16
 Requires: %{name} = %{samba_depver}
@@ -416,8 +416,8 @@ Samba VFS module for GlusterFS integration.
 ### KRB5-PRINTING
 %package krb5-printing
 Summary: Samba CUPS backend for printing with Kerberos
-Group: Applications/System
 Requires(pre): %{name}-client
+Requires: %{name}-client
 
 Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
@@ -430,7 +430,6 @@ the Kerberos credentials cache of the user issuing the print job.
 ### LIBS
 %package libs
 Summary: Samba libraries
-Group: Applications/System
 Requires: krb5-libs >= 1.14
 Requires: %{name}-client-libs = %{samba_depver}
 %if %with_libwbclient
@@ -448,8 +447,8 @@ against the SMB, RPC and other protocols provided by the Samba suite.
 %if %with_libsmbclient
 %package -n libsmbclient
 Summary: The SMB client library
-Group: Applications/System
 Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
 
 %description -n libsmbclient
@@ -457,7 +456,6 @@ The libsmbclient contains the SMB client library from the Samba suite.
 
 %package -n libsmbclient-devel
 Summary: Developer tools for the SMB client library
-Group: Development/Libraries
 Requires: libsmbclient = %{samba_depver}
 
 %description -n libsmbclient-devel
@@ -470,7 +468,6 @@ suite.
 %if %with_libwbclient
 %package -n libwbclient
 Summary: The winbind client library
-Group: Applications/System
 Requires: %{name}-client-libs = %{samba_depver}
 
 %description -n libwbclient
@@ -479,7 +476,6 @@ suite.
 
 %package -n libwbclient-devel
 Summary: Developer tools for the winbind library
-Group: Development/Libraries
 Requires: libwbclient = %{samba_depver}
 
 Provides: samba-winbind-devel = %{samba_depver}
@@ -493,7 +489,6 @@ library.
 ### PYTHON
 %package python
 Summary: Samba Python libraries
-Group: Applications/System
 Requires: %{name} = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
@@ -512,7 +507,6 @@ that use SMB, RPC and other Samba provided protocols in Python programs.
 ### PIDL
 %package pidl
 Summary: Perl IDL compiler
-Group: Development/Tools
 Requires: perl(Parse::Yapp)
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 BuildArch: noarch
@@ -527,7 +521,6 @@ and Wireshark to parse IDL and similar protocols
 ### TEST
 %package test
 Summary: Testing tools for Samba servers and clients
-Group: Applications/System
 Requires: %{name} = %{samba_depver}
 Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-winbind = %{samba_depver}
@@ -556,7 +549,6 @@ packages of Samba.
 ### TEST-LIBS
 %package test-libs
 Summary: Libraries need by the testing tools for Samba servers and clients
-Group: Applications/System
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 
@@ -569,8 +561,8 @@ Obsoletes: %{name}-test-devel < %{samba_depver}
 ### WINBIND
 %package winbind
 Summary: Samba winbind
-Group: Applications/System
 Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-common-tools = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
@@ -588,7 +580,6 @@ Windows user and group accounts on Linux.
 ### WINBIND-CLIENTS
 %package winbind-clients
 Summary: Samba winbind clients
-Group: Applications/System
 Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
@@ -608,7 +599,6 @@ tool.
 ### WINBIND-KRB5-LOCATOR
 %package winbind-krb5-locator
 Summary: Samba winbind krb5 locator
-Group: Applications/System
 %if %with_libwbclient
 Requires: libwbclient = %{samba_depver}
 Requires: %{name}-winbind = %{samba_depver}
@@ -635,7 +625,6 @@ the local kerberos library to use the same KDC as samba and winbind use
 ### WINBIND-MODULES
 %package winbind-modules
 Summary: Samba winbind modules
-Group: Applications/System
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 %if %with_libwbclient
@@ -651,7 +640,6 @@ necessary to communicate to the Winbind Daemon
 %if %with_clustering_support
 %package -n ctdb
 Summary: A Clustered Database based on Samba's Trivial Database (TDB)
-Group: System Environment/Daemons
 
 Requires: %{name}-client-libs = %{samba_depver}
 
@@ -686,7 +674,6 @@ and use CTDB instead.
 ### CTDB-TEST
 %package -n ctdb-tests
 Summary: CTDB clustered database test suite
-Group: Development/Tools
 
 Requires: samba-client-libs = %{samba_depver}
 
@@ -707,26 +694,8 @@ and use CTDB instead.
 
 
 %prep
-%setup -q -n samba-%{version}%{pre_release}
-
-%patch0 -p1 -b .samba-4.4.5-fix_resolving_trusted_domain_users.patch
-%patch1 -p1 -b .samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch
-%patch2 -p1 -b .samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch
-%patch3 -p1 -b .samba-4.4.5-fix_winbind_cached_creds_memleak.patch
-%patch4 -p1 -b .CVE-2016-2119-v4-4.patch
-%patch5 -p1 -b .samba-4.4.7-fix-ctdb-test-install-dir.patch
-%patch6 -p1 -b .samba-4.4.7-fix_ads_krb5_ccname_handling.patch
-%patch7 -p1 -b .samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch
-%patch8 -p1 -b .samba-4.4.7-fix_idmap_range_checks.patch
-%patch9 -p1 -b .samba-4.4.7-fix_smget_auth_callback.patch
-%patch10 -p1 -b .samba-4.4.6-fix_nss_wins.patch
-%patch11 -p1 -b .samba-4.4.7-fix_group_substituion_with_ad.patch
-%patch12 -p1 -b .samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
-%patch13 -p1 -b .samba-4.4.x-fix_libads_krb5_memcache.patch
-%patch14 -p1 -b .CVE-2016-2125-v4-4.patch
-%patch15 -p1 -b .CVE-2016-2126-v4-4.patch
-%patch16 -p1 -b .CVE-2017-2619-v4-4.patch
-%patch17 -p1 -b .CVE-2017-7494.patch
+xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
+%autosetup -n samba-%{version}%{pre_release} -p1
 
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
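Review bot: The new signature check in %prep has no comment explaining why the tarball is piped through `xzcat` before `gpgv2` sees it. A one-line comment above it would help, e.g. `# The detached signature (Source1) covers the uncompressed tarball, so decompress before verifying`; presumably that is the reason, given Source1 is a `.tar.asc`. A second comment should say that the trust anchor is the keyring in Source2, which is pinned only by the hash recorded in `.samba.metadata`, so any change to that entry needs the key fingerprint checked against upstream out of band.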
@@ -848,16 +817,16 @@ touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb
 
 # Install other stuff
 install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
-install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/samba
+install -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/logrotate.d/samba
 
-install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/samba/smb.conf
-install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/samba/smb.conf.example
+install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/samba/smb.conf
+install -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/samba/smb.conf.example
 
 install -d -m 0755 %{buildroot}%{_sysconfdir}/security
-install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf
+install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf
 
 install -d -m 0755 %{buildroot}%{_sysconfdir}/pam.d
-install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/samba
+install -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/samba
 
 echo 127.0.0.1 localhost > %{buildroot}%{_sysconfdir}/samba/lmhosts
 
@@ -878,7 +847,12 @@ echo "d /run/ctdb 755 root root" >> %{buildroot}%{_tmpfilesdir}/ctdb.conf
 install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
 install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba
 %if %with_clustering_support
-install -m 0644 ctdb/config/ctdb.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/ctdb
+cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb <<EOF
+# CTDB configuration is now in %{_sysconfdir}/ctdb/ctdbd.conf
+EOF
+
+install -d -m 0755 %{buildroot}%{_sysconfdir}/ctdb
+install -m 0644 ctdb/config/ctdbd.conf %{buildroot}%{_sysconfdir}/ctdb/ctdbd.conf
 %endif
 
 install -m 0644 %{SOURCE201} packaging/README.downgrade
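Review bot: The stub written by `cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb <<EOF` gets its mode from the build umask, while every neighbouring file in this section is installed with an explicit `install -m 0644`. The rpm build umask normally yields 0644 anyway, but adding `chmod 0644 %{buildroot}%{_sysconfdir}/sysconfig/ctdb` after the heredoc would make the packaged mode independent of the build environment. It would also keep the section consistent.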
@@ -894,7 +868,7 @@ for i in nmb smb winbind ; do
     install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
 done
 %if %with_clustering_support
-install -m 0755 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
+install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
 %endif
 
 # NetworkManager online/offline script
@@ -1078,7 +1052,8 @@ rm -rf %{buildroot}
 ### SAMBA
 %files
 %defattr(-,root,root,-)
-%doc COPYING README WHATSNEW.txt
+%license COPYING
+%doc README WHATSNEW.txt
 %doc examples/autofs examples/LDAP examples/misc
 %doc examples/printer-accounting examples/printing
 %doc packaging/README.downgrade
@@ -1198,8 +1173,10 @@ rm -rf %{buildroot}
 %defattr(-,root,root)
 %{_bindir}/cifsdd
 %{_bindir}/dbwrap_tool
+%{_bindir}/findsmb
 %{_bindir}/nmblookup
 %{_bindir}/oLschema2ldif
+%{_bindir}/mvxattr
 %{_bindir}/regdiff
 %{_bindir}/regpatch
 %{_bindir}/regshell
@@ -1224,8 +1201,9 @@ rm -rf %{buildroot}
 %{_mandir}/man1/regpatch.1*
 %{_mandir}/man1/regshell.1*
 %{_mandir}/man1/regtree.1*
-%exclude %{_mandir}/man1/findsmb.1*
+%{_mandir}/man1/findsmb.1*
 %{_mandir}/man1/log2pcap.1*
+%{_mandir}/man1/mvxattr.1*
 %{_mandir}/man1/rpcclient.1*
 %{_mandir}/man1/sharesec.1*
 %{_mandir}/man1/smbcacls.1*
@@ -1291,7 +1269,6 @@ rm -rf %{buildroot}
 %{_libdir}/libsamdb.so.*
 %{_libdir}/libsmbconf.so.*
 %{_libdir}/libsmbldap.so.*
-%{_libdir}/libtevent-unix-util.so.*
 %{_libdir}/libtevent-util.so.*
 %{_libdir}/libdcerpc.so.*
 
@@ -1313,6 +1290,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libcmdline-credentials-samba4.so
 %{_libdir}/samba/libdbwrap-samba4.so
 %{_libdir}/samba/libdcerpc-samba-samba4.so
+%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
 %{_libdir}/samba/libevents-samba4.so
 %{_libdir}/samba/libflag-mapping-samba4.so
 %{_libdir}/samba/libgenrand-samba4.so
@@ -1336,6 +1314,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libnet-keytab-samba4.so
 %{_libdir}/samba/libnetif-samba4.so
 %{_libdir}/samba/libnpa-tstream-samba4.so
+%{_libdir}/samba/libposix-eadb-samba4.so
 %{_libdir}/samba/libprinting-migrate-samba4.so
 %{_libdir}/samba/libreplace-samba4.so
 %{_libdir}/samba/libregistry-samba4.so
@@ -1355,7 +1334,6 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libsmbd-conn-samba4.so
 %{_libdir}/samba/libsmbd-shim-samba4.so
 %{_libdir}/samba/libsmbldaphelper-samba4.so
-%{_libdir}/samba/libsmbregistry-samba4.so
 %{_libdir}/samba/libsys-rw-samba4.so
 %{_libdir}/samba/libsocket-blocking-samba4.so
 %{_libdir}/samba/libtalloc-report-samba4.so
@@ -1432,8 +1410,6 @@ rm -rf %{buildroot}
 # common libraries
 %{_libdir}/samba/libpopt-samba3-samba4.so
 
-# We need this directory here because the net tool is looking
-# for it.
 %dir %{_libdir}/samba/ldb
 
 %dir %{_libdir}/samba/pdb
@@ -1557,7 +1533,6 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libdnsserver-common-samba4.so
 %{_libdir}/samba/libdsdb-module-samba4.so
 %{_libdir}/samba/libntvfs-samba4.so
-%{_libdir}/samba/libposix-eadb-samba4.so
 %{_libdir}/samba/bind9/dlz_bind9_9.so
 %else
 %doc packaging/README.dc-libs
@@ -1608,6 +1583,7 @@ rm -rf %{buildroot}
 %{_includedir}/samba-4.0/ndr/ndr_dcerpc.h
 %{_includedir}/samba-4.0/ndr/ndr_drsblobs.h
 %{_includedir}/samba-4.0/ndr/ndr_drsuapi.h
+%{_includedir}/samba-4.0/ndr/ndr_krb5pac.h
 %{_includedir}/samba-4.0/ndr/ndr_svcctl.h
 %{_includedir}/samba-4.0/ndr/ndr_nbt.h
 %{_includedir}/samba-4.0/netapi.h
@@ -1645,7 +1621,6 @@ rm -rf %{buildroot}
 %{_includedir}/samba-4.0/util/tevent_unix.h
 %{_includedir}/samba-4.0/util/tevent_werror.h
 %{_includedir}/samba-4.0/util/time.h
-%{_includedir}/samba-4.0/util/xfile.h
 %{_includedir}/samba-4.0/util_ldb.h
 %{_libdir}/libdcerpc-binding.so
 %{_libdir}/libdcerpc-samr.so
@@ -1662,7 +1637,6 @@ rm -rf %{buildroot}
 %{_libdir}/libsamba-util.so
 %{_libdir}/libsamdb.so
 %{_libdir}/libsmbconf.so
-%{_libdir}/libtevent-unix-util.so
 %{_libdir}/libtevent-util.so
 %{_libdir}/pkgconfig/dcerpc.pc
 %{_libdir}/pkgconfig/dcerpc_samr.pc
@@ -1906,37 +1880,29 @@ rm -rf %{buildroot}
 %files -n ctdb
 %defattr(-,root,root)
 %doc ctdb/README
-%config(noreplace) %{_sysconfdir}/sysconfig/ctdb
-%{_sysconfdir}/ctdb/notify.sh
-%{_sysconfdir}/ctdb/debug-hung-script.sh
-%{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh
-%{_sysconfdir}/ctdb/gcore_trace.sh
-%{_sysconfdir}/ctdb/functions
-%{_sysconfdir}/ctdb/debug_locks.sh
-%dir %{_localstatedir}/lib/ctdb/
-
-%{_unitdir}/ctdb.service
+# Obsolete
+%config(noreplace, missingok) %{_sysconfdir}/sysconfig/ctdb
 
 %dir %{_sysconfdir}/ctdb
-%{_sysconfdir}/ctdb/statd-callout
-# CTDB scripts, no config files
-# script with executable bit means activated
-%dir %{_sysconfdir}/ctdb/nfs-checks.d
-%{_sysconfdir}/ctdb/nfs-checks.d/00.portmapper.check
-%{_sysconfdir}/ctdb/nfs-checks.d/10.status.check
-%{_sysconfdir}/ctdb/nfs-checks.d/20.nfs.check
-%{_sysconfdir}/ctdb/nfs-checks.d/30.nlockmgr.check
-%{_sysconfdir}/ctdb/nfs-checks.d/40.mountd.check
-%{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check
-%{_sysconfdir}/ctdb/nfs-checks.d/README
+%config(noreplace) %{_sysconfdir}/ctdb/ctdbd.conf
+%config(noreplace) %{_sysconfdir}/ctdb/notify.sh
+%config(noreplace) %{_sysconfdir}/ctdb/debug-hung-script.sh
+%config(noreplace) %{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh
+%config(noreplace) %{_sysconfdir}/ctdb/gcore_trace.sh
+%config(noreplace) %{_sysconfdir}/ctdb/debug_locks.sh
+
+%{_sysconfdir}/ctdb/functions
 %{_sysconfdir}/ctdb/nfs-linux-kernel-callout
+%{_sysconfdir}/ctdb/statd-callout
 %config %{_sysconfdir}/sudoers.d/ctdb
+
 # CTDB scripts, no config files
 # script with executable bit means activated
 %dir %{_sysconfdir}/ctdb/events.d
 %{_sysconfdir}/ctdb/events.d/00.ctdb
 %{_sysconfdir}/ctdb/events.d/01.reclock
 %{_sysconfdir}/ctdb/events.d/05.system
+%{_sysconfdir}/ctdb/events.d/06.nfs
 %{_sysconfdir}/ctdb/events.d/10.external
 %{_sysconfdir}/ctdb/events.d/10.interface
 %{_sysconfdir}/ctdb/events.d/11.natgw
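Review bot: Tagging the shell scripts `notify.sh`, `debug-hung-script.sh`, `ctdb-crash-cleanup.sh`, `gcore_trace.sh` and `debug_locks.sh` as `%config(noreplace)` means a locally edited copy is kept on upgrade and the packaged version is written as `.rpmnew`. A later fix to one of these scripts would therefore not reach hosts that have modified it. If that trade-off is intended, record it above the block with a comment such as `# admin-editable hooks; on upgrade a modified copy is kept and the new one saved as .rpmnew`. The same applies to the `nfs-checks.d/*.check` entries added in the next hunk.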
@@ -1955,7 +1921,18 @@ rm -rf %{buildroot}
 %{_sysconfdir}/ctdb/events.d/README
 %dir %{_sysconfdir}/ctdb/notify.d
 %{_sysconfdir}/ctdb/notify.d/README
-%{_tmpfilesdir}/ctdb.conf
+
+# CTDB scripts, no config files
+# script with executable bit means activated
+%dir %{_sysconfdir}/ctdb/nfs-checks.d
+%{_sysconfdir}/ctdb/nfs-checks.d/README
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/00.portmapper.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/10.status.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/20.nfs.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/30.nlockmgr.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/40.mountd.check
+%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check
+
 %{_sbindir}/ctdbd
 %{_sbindir}/ctdbd_wrapper
 %{_bindir}/ctdb
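Review bot: The added comment `# CTDB scripts, no config files` sits directly above six `nfs-checks.d/*.check` entries that are tagged `%config(noreplace)`, so it contradicts the lines it introduces. Either reword it, for example `# NFS health-check definitions; admin-editable and preserved on upgrade`, or drop the `%config(noreplace)` tag if these files are not meant to be edited locally.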
@@ -1963,14 +1940,23 @@ rm -rf %{buildroot}
 %{_bindir}/ltdbtool
 %{_bindir}/ctdb_diagnostics
 %{_bindir}/onnode
+
 %dir %{_libexecdir}/ctdb
+%{_libexecdir}/ctdb/ctdb_event
+%{_libexecdir}/ctdb/ctdb_eventd
+%{_libexecdir}/ctdb/ctdb_killtcp
+%{_libexecdir}/ctdb/ctdb_lock_helper
+%{_libexecdir}/ctdb/ctdb_lvs
+%{_libexecdir}/ctdb/ctdb_mutex_fcntl_helper
 %{_libexecdir}/ctdb/ctdb_natgw
 %{_libexecdir}/ctdb/ctdb_recovery_helper
+%{_libexecdir}/ctdb/ctdb_takeover_helper
 %{_libexecdir}/ctdb/smnotify
-%{_libexecdir}/ctdb/ctdb_lock_helper
-%{_libexecdir}/ctdb/ctdb_event_helper
+
+%dir %{_localstatedir}/lib/ctdb/
 
 %{_mandir}/man1/ctdb.1.gz
+%{_mandir}/man1/ctdb_diagnostics.1.gz
 %{_mandir}/man1/ctdbd.1.gz
 %{_mandir}/man1/onnode.1.gz
 %{_mandir}/man1/ltdbtool.1.gz
@@ -1981,78 +1967,777 @@ rm -rf %{buildroot}
 %{_mandir}/man7/ctdb-tunables.7.gz
 %{_mandir}/man7/ctdb-statistics.7.gz
 
+%{_tmpfilesdir}/ctdb.conf
+
+%{_unitdir}/ctdb.service
+
+
 %files -n ctdb-tests
 %defattr(-,root,root)
+%doc ctdb/tests/README
+%{_bindir}/ctdb_run_tests
+%{_bindir}/ctdb_run_cluster_tests
+
+%dir %{_libexecdir}/ctdb
 %dir %{_libexecdir}/ctdb/tests
 %{_libexecdir}/ctdb/tests/comm_client_test
 %{_libexecdir}/ctdb/tests/comm_server_test
 %{_libexecdir}/ctdb/tests/comm_test
-%{_libexecdir}/ctdb/tests/ctdb_bench
-%{_libexecdir}/ctdb/tests/ctdb_fetch
-%{_libexecdir}/ctdb/tests/ctdb_fetch_one
-%{_libexecdir}/ctdb/tests/ctdb_fetch_readonly_loop
-%{_libexecdir}/ctdb/tests/ctdb_fetch_readonly_once
-%{_libexecdir}/ctdb/tests/ctdb_functest
-%{_libexecdir}/ctdb/tests/ctdb_lock_tdb
-%{_libexecdir}/ctdb/tests/ctdb_persistent
-%{_libexecdir}/ctdb/tests/ctdb_porting_tests
-%{_libexecdir}/ctdb/tests/ctdb_randrec
-%{_libexecdir}/ctdb/tests/ctdb_store
-%{_libexecdir}/ctdb/tests/ctdb_stubtest
+%{_libexecdir}/ctdb/tests/ctdb_packet_parse
 %{_libexecdir}/ctdb/tests/ctdb_takeover_tests
-%{_libexecdir}/ctdb/tests/ctdb_trackingdb_test
-%{_libexecdir}/ctdb/tests/ctdb_transaction
-%{_libexecdir}/ctdb/tests/ctdb_traverse
-%{_libexecdir}/ctdb/tests/ctdb_update_record
-%{_libexecdir}/ctdb/tests/ctdb_update_record_persistent
 %{_libexecdir}/ctdb/tests/db_hash_test
+%{_libexecdir}/ctdb/tests/fake_ctdbd
+%{_libexecdir}/ctdb/tests/fetch_loop
+%{_libexecdir}/ctdb/tests/fetch_loop_key
+%{_libexecdir}/ctdb/tests/fetch_readonly
+%{_libexecdir}/ctdb/tests/fetch_readonly_loop
+%{_libexecdir}/ctdb/tests/fetch_ring
+%{_libexecdir}/ctdb/tests/g_lock_loop
+%{_libexecdir}/ctdb/tests/lock_tdb
+%{_libexecdir}/ctdb/tests/message_ring
+%{_libexecdir}/ctdb/tests/pidfile_test
 %{_libexecdir}/ctdb/tests/pkt_read_test
 %{_libexecdir}/ctdb/tests/pkt_write_test
+%{_libexecdir}/ctdb/tests/porting_tests
 %{_libexecdir}/ctdb/tests/protocol_client_test
 %{_libexecdir}/ctdb/tests/protocol_types_test
+%{_libexecdir}/ctdb/tests/protocol_util_test
 %{_libexecdir}/ctdb/tests/rb_test
 %{_libexecdir}/ctdb/tests/reqid_test
+%{_libexecdir}/ctdb/tests/run_proc_test
+%{_libexecdir}/ctdb/tests/sock_daemon_test
+%{_libexecdir}/ctdb/tests/sock_io_test
 %{_libexecdir}/ctdb/tests/srvid_test
-%{_bindir}/ctdb_run_tests
-%{_bindir}/ctdb_run_cluster_tests
-%dir %{_datadir}/ctdb-tests/eventscripts
-%{_datadir}/ctdb-tests/eventscripts/etc-ctdb/events.d
-%{_datadir}/ctdb-tests/eventscripts/etc-ctdb/functions
-%{_datadir}/ctdb-tests/eventscripts/etc-ctdb/nfs-checks.d
-%{_datadir}/ctdb-tests/eventscripts/etc-ctdb/nfs-linux-kernel-callout
-%{_datadir}/ctdb-tests/eventscripts/etc-ctdb/statd-callout
-%dir %{_datadir}/ctdb-tests/onnode
-%{_datadir}/ctdb-tests/onnode/functions
-%dir %{_datadir}/ctdb-tests/scripts
-%{_datadir}/ctdb-tests/scripts/common.sh
-%{_datadir}/ctdb-tests/scripts/integration.bash
-%{_datadir}/ctdb-tests/scripts/test_wrap
-%{_datadir}/ctdb-tests/scripts/unit.sh
-%dir %{_datadir}/ctdb-tests/simple
-%{_datadir}/ctdb-tests/simple/functions
-%{_datadir}/ctdb-tests/simple/nodes
-%doc ctdb/tests/README
+%{_libexecdir}/ctdb/tests/test_mutex_raw
+%{_libexecdir}/ctdb/tests/transaction_loop
+%{_libexecdir}/ctdb/tests/update_record
+%{_libexecdir}/ctdb/tests/update_record_persistent
+
+%dir %{_datadir}/ctdb
+%dir %{_datadir}/ctdb/tests
+
+%dir %{_datadir}/ctdb/tests/complex
+%{_datadir}/ctdb/tests/complex/README
+%{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh
+%{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh
+%{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh
+%{_datadir}/ctdb/tests/complex/31_nfs_tickle.sh
+%{_datadir}/ctdb/tests/complex/32_cifs_tickle.sh
+%{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh
+%{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh
+%{_datadir}/ctdb/tests/complex/35_cifs_external_tickle.sh
+%{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh
+%{_datadir}/ctdb/tests/complex/42_failover_ssh_hostname.sh
+%{_datadir}/ctdb/tests/complex/43_failover_nfs_basic.sh
+%{_datadir}/ctdb/tests/complex/44_failover_nfs_oneway.sh
+%{_datadir}/ctdb/tests/complex/45_failover_nfs_kill.sh
+%{_datadir}/ctdb/tests/complex/60_rogueip_releaseip.sh
+%{_datadir}/ctdb/tests/complex/61_rogueip_takeip.sh
+%{_datadir}/ctdb/tests/complex/90_debug_hung_script.sh
+
+%dir %{_datadir}/ctdb/tests/complex/scripts
+%{_datadir}/ctdb/tests/complex/scripts/local.bash
+
+%dir %{_datadir}/ctdb/tests/cunit
+%{_datadir}/ctdb/tests/cunit/comm_test_001.sh
+%{_datadir}/ctdb/tests/cunit/comm_test_002.sh
+%{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
+%{_datadir}/ctdb/tests/cunit/pidfile_test_001.sh
+%{_datadir}/ctdb/tests/cunit/pkt_read_001.sh
+%{_datadir}/ctdb/tests/cunit/pkt_write_001.sh
+%{_datadir}/ctdb/tests/cunit/porting_tests_001.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_001.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_002.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_003.sh
+%{_datadir}/ctdb/tests/cunit/rb_test_001.sh
+%{_datadir}/ctdb/tests/cunit/reqid_test_001.sh
+%{_datadir}/ctdb/tests/cunit/run_proc_001.sh
+%{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh
+%{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh
+%{_datadir}/ctdb/tests/cunit/srvid_test_001.sh
+
+%dir %{_datadir}/ctdb/tests/eventd
+%{_datadir}/ctdb/tests/eventd/README
+%{_datadir}/ctdb/tests/eventd/eventd_001.sh
+%{_datadir}/ctdb/tests/eventd/eventd_002.sh
+%{_datadir}/ctdb/tests/eventd/eventd_003.sh
+%{_datadir}/ctdb/tests/eventd/eventd_004.sh
+%{_datadir}/ctdb/tests/eventd/eventd_005.sh
+%{_datadir}/ctdb/tests/eventd/eventd_006.sh
+%{_datadir}/ctdb/tests/eventd/eventd_007.sh
+%{_datadir}/ctdb/tests/eventd/eventd_011.sh
+%{_datadir}/ctdb/tests/eventd/eventd_012.sh
+%{_datadir}/ctdb/tests/eventd/eventd_013.sh
+%{_datadir}/ctdb/tests/eventd/eventd_014.sh
+%{_datadir}/ctdb/tests/eventd/eventd_021.sh
+%{_datadir}/ctdb/tests/eventd/eventd_022.sh
+%{_datadir}/ctdb/tests/eventd/eventd_023.sh
+%{_datadir}/ctdb/tests/eventd/eventd_024.sh
+%{_datadir}/ctdb/tests/eventd/eventd_031.sh
+%{_datadir}/ctdb/tests/eventd/eventd_032.sh
+%{_datadir}/ctdb/tests/eventd/eventd_033.sh
+%{_datadir}/ctdb/tests/eventd/eventd_041.sh
+%{_datadir}/ctdb/tests/eventd/eventd_042.sh
+%{_datadir}/ctdb/tests/eventd/eventd_043.sh
+%{_datadir}/ctdb/tests/eventd/eventd_051.sh
+%dir %{_datadir}/ctdb/tests/eventd/scripts
+%{_datadir}/ctdb/tests/eventd/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/events.d
+%{_datadir}/ctdb/tests/events.d/00.test
+
+%dir %{_datadir}/ctdb/tests/eventscripts
+%{_datadir}/ctdb/tests/eventscripts/README
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.001.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.002.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.003.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.004.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.005.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.006.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.007.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.008.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.009.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.003.sh
+%{_datadir}/ctdb/tests/eventscripts/00.ctdb.setup.004.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/01.reclock.monitor.005.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.005.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.006.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.007.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.011.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.012.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.013.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.014.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.015.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.016.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.017.sh
+%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.018.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.022.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.init.023.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.005.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.006.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.007.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.008.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.009.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.010.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.012.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.013.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.014.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.015.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.016.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.017.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.018.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.multi.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.010.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.003.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.001.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.002.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.003.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.004.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.011.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.012.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.013.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.014.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.015.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.021.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.022.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.023.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.024.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.025.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.031.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.041.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.042.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.051.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.052.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.053.sh
+%{_datadir}/ctdb/tests/eventscripts/11.natgw.054.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.001.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.002.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.003.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.004.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.005.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.006.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.007.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.008.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.009.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.010.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.011.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.012.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.013.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.014.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.015.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.016.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.017.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.018.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.019.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.021.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.022.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.023.sh
+%{_datadir}/ctdb/tests/eventscripts/13.per_ip_routing.024.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.050.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.051.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.050.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.051.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.104.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.105.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.106.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.107.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.110.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.111.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.112.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.113.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.011.sh
+%{_datadir}/ctdb/tests/eventscripts/50.samba.startup.011.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.101.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.102.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.103.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.104.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.105.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.106.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.107.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.108.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.111.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.112.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.113.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.114.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.121.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.122.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.131.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.132.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.141.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.142.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.143.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.144.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.151.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.152.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.153.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.161.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.162.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.002.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.011.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.012.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.013.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.014.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.monitor.003.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/91.lvs.startup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.001.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.002.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.003.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.004.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.005.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.006.sh
+%{_datadir}/ctdb/tests/eventscripts/statd-callout.007.sh
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc-ctdb
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/events.d
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/functions
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-checks.d
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-linux-kernel-callout
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/public_addresses
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/rc.local
+%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/statd-callout
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc
+%dir %{_datadir}/ctdb/tests/eventscripts/etc/init.d
+%{_datadir}/ctdb/tests/eventscripts/etc/init.d/nfs
+%{_datadir}/ctdb/tests/eventscripts/etc/init.d/nfslock
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc/samba
+%{_datadir}/ctdb/tests/eventscripts/etc/samba/smb.conf
+
+%dir %{_datadir}/ctdb/tests/eventscripts/etc/sysconfig
+%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/ctdb
+%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/nfs
+
+%dir %{_datadir}/ctdb/tests/eventscripts/scripts
+%{_datadir}/ctdb/tests/eventscripts/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/eventscripts/stubs
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_killtcp
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_lvs
+%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_natgw
+%{_datadir}/ctdb/tests/eventscripts/stubs/date
+%{_datadir}/ctdb/tests/eventscripts/stubs/df
+%{_datadir}/ctdb/tests/eventscripts/stubs/ethtool
+%{_datadir}/ctdb/tests/eventscripts/stubs/exportfs
+%{_datadir}/ctdb/tests/eventscripts/stubs/id
+%{_datadir}/ctdb/tests/eventscripts/stubs/ip
+%{_datadir}/ctdb/tests/eventscripts/stubs/ip6tables
+%{_datadir}/ctdb/tests/eventscripts/stubs/iptables
+%{_datadir}/ctdb/tests/eventscripts/stubs/ipvsadm
+%{_datadir}/ctdb/tests/eventscripts/stubs/kill
+%{_datadir}/ctdb/tests/eventscripts/stubs/killall
+%{_datadir}/ctdb/tests/eventscripts/stubs/multipath
+%{_datadir}/ctdb/tests/eventscripts/stubs/net
+%{_datadir}/ctdb/tests/eventscripts/stubs/netstat
+%{_datadir}/ctdb/tests/eventscripts/stubs/nmap
+%{_datadir}/ctdb/tests/eventscripts/stubs/pidof
+%{_datadir}/ctdb/tests/eventscripts/stubs/pkill
+%{_datadir}/ctdb/tests/eventscripts/stubs/ps
+%{_datadir}/ctdb/tests/eventscripts/stubs/rm
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.lockd
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.mountd
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.rquotad
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpc.statd
+%{_datadir}/ctdb/tests/eventscripts/stubs/rpcinfo
+%{_datadir}/ctdb/tests/eventscripts/stubs/service
+%{_datadir}/ctdb/tests/eventscripts/stubs/sleep
+%{_datadir}/ctdb/tests/eventscripts/stubs/smnotify
+%{_datadir}/ctdb/tests/eventscripts/stubs/ss
+%{_datadir}/ctdb/tests/eventscripts/stubs/tdbdump
+%{_datadir}/ctdb/tests/eventscripts/stubs/tdbtool
+%{_datadir}/ctdb/tests/eventscripts/stubs/testparm
+%{_datadir}/ctdb/tests/eventscripts/stubs/timeout
+%{_datadir}/ctdb/tests/eventscripts/stubs/wbinfo
+
+%dir %{_datadir}/ctdb/tests/onnode
+%{_datadir}/ctdb/tests/onnode/README
+%{_datadir}/ctdb/tests/onnode/0001.sh
+%{_datadir}/ctdb/tests/onnode/0002.sh
+%{_datadir}/ctdb/tests/onnode/0003.sh
+%{_datadir}/ctdb/tests/onnode/0004.sh
+%{_datadir}/ctdb/tests/onnode/0005.sh
+%{_datadir}/ctdb/tests/onnode/0006.sh
+%{_datadir}/ctdb/tests/onnode/0070.sh
+%{_datadir}/ctdb/tests/onnode/0071.sh
+%{_datadir}/ctdb/tests/onnode/0072.sh
+%{_datadir}/ctdb/tests/onnode/0075.sh
+%{_datadir}/ctdb/tests/onnode/functions
+%{_datadir}/ctdb/tests/onnode/nodes
+
+%dir %{_datadir}/ctdb/tests/onnode/scripts
+%{_datadir}/ctdb/tests/onnode/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/onnode/stubs
+%{_datadir}/ctdb/tests/onnode/stubs/ctdb
+%{_datadir}/ctdb/tests/onnode/stubs/onnode-buggy-001
+%{_datadir}/ctdb/tests/onnode/stubs/ssh
+
+%dir %{_datadir}/ctdb/tests/scripts
+%{_datadir}/ctdb/tests/scripts/common.sh
+%{_datadir}/ctdb/tests/scripts/integration.bash
+%{_datadir}/ctdb/tests/scripts/script_install_paths.sh
+%{_datadir}/ctdb/tests/scripts/test_wrap
+%{_datadir}/ctdb/tests/scripts/unit.sh
+
+%dir %{_datadir}/ctdb/tests/shellcheck
+%{_datadir}/ctdb/tests/shellcheck/base_scripts.sh
+%{_datadir}/ctdb/tests/shellcheck/ctdb_helpers.sh
+%{_datadir}/ctdb/tests/shellcheck/ctdbd_wrapper.sh
+%{_datadir}/ctdb/tests/shellcheck/event_scripts.sh
+%{_datadir}/ctdb/tests/shellcheck/functions.sh
+%{_datadir}/ctdb/tests/shellcheck/init_script.sh
+%{_datadir}/ctdb/tests/shellcheck/tools.sh
+
+%dir %{_datadir}/ctdb/tests/shellcheck/scripts
+%{_datadir}/ctdb/tests/shellcheck/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/simple
+%{_datadir}/ctdb/tests/simple/README
+%{_datadir}/ctdb/tests/simple/00_ctdb_init.sh
+%{_datadir}/ctdb/tests/simple/00_ctdb_onnode.sh
+%{_datadir}/ctdb/tests/simple/01_ctdb_version.sh
+%{_datadir}/ctdb/tests/simple/02_ctdb_listvars.sh
+%{_datadir}/ctdb/tests/simple/03_ctdb_getvar.sh
+%{_datadir}/ctdb/tests/simple/04_ctdb_setvar.sh
+%{_datadir}/ctdb/tests/simple/05_ctdb_listnodes.sh
+%{_datadir}/ctdb/tests/simple/06_ctdb_getpid.sh
+%{_datadir}/ctdb/tests/simple/07_ctdb_process_exists.sh
+%{_datadir}/ctdb/tests/simple/08_ctdb_isnotrecmaster.sh
+%{_datadir}/ctdb/tests/simple/09_ctdb_ping.sh
+%{_datadir}/ctdb/tests/simple/11_ctdb_ip.sh
+%{_datadir}/ctdb/tests/simple/12_ctdb_getdebug.sh
+%{_datadir}/ctdb/tests/simple/13_ctdb_setdebug.sh
+%{_datadir}/ctdb/tests/simple/14_ctdb_statistics.sh
+%{_datadir}/ctdb/tests/simple/15_ctdb_statisticsreset.sh
+%{_datadir}/ctdb/tests/simple/16_ctdb_config_add_ip.sh
+%{_datadir}/ctdb/tests/simple/17_ctdb_config_delete_ip.sh
+%{_datadir}/ctdb/tests/simple/18_ctdb_reloadips.sh
+%{_datadir}/ctdb/tests/simple/19_ip_takeover_noop.sh
+%{_datadir}/ctdb/tests/simple/20_delip_iface_gc.sh
+%{_datadir}/ctdb/tests/simple/23_ctdb_moveip.sh
+%{_datadir}/ctdb/tests/simple/24_ctdb_getdbmap.sh
+%{_datadir}/ctdb/tests/simple/25_dumpmemory.sh
+%{_datadir}/ctdb/tests/simple/26_ctdb_config_check_error_on_unreachable_ctdb.sh
+%{_datadir}/ctdb/tests/simple/27_ctdb_detach.sh
+%{_datadir}/ctdb/tests/simple/28_zero_eventscripts.sh
+%{_datadir}/ctdb/tests/simple/31_ctdb_disable.sh
+%{_datadir}/ctdb/tests/simple/32_ctdb_enable.sh
+%{_datadir}/ctdb/tests/simple/35_ctdb_getreclock.sh
+%{_datadir}/ctdb/tests/simple/41_ctdb_stop.sh
+%{_datadir}/ctdb/tests/simple/42_ctdb_continue.sh
+%{_datadir}/ctdb/tests/simple/43_stop_recmaster_yield.sh
+%{_datadir}/ctdb/tests/simple/51_message_ring.sh
+%{_datadir}/ctdb/tests/simple/52_fetch_ring.sh
+%{_datadir}/ctdb/tests/simple/53_transaction_loop.sh
+%{_datadir}/ctdb/tests/simple/54_transaction_loop_recovery.sh
+%{_datadir}/ctdb/tests/simple/55_ctdb_ptrans.sh
+%{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh
+%{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh
+%{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh
+%{_datadir}/ctdb/tests/simple/71_ctdb_wipedb.sh
+%{_datadir}/ctdb/tests/simple/72_update_record_persistent.sh
+%{_datadir}/ctdb/tests/simple/73_tunable_NoIPTakeover.sh
+%{_datadir}/ctdb/tests/simple/75_readonly_records_basic.sh
+%{_datadir}/ctdb/tests/simple/76_ctdb_pdb_recovery.sh
+%{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh
+%{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh
+%{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
+%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
+%{_datadir}/ctdb/tests/simple/functions
+# This is a dangling symlink but needed for testing
+%{_datadir}/ctdb/tests/simple/nodes
+
+%dir %{_datadir}/ctdb/tests/simple/scripts
+%{_datadir}/ctdb/tests/simple/scripts/local.bash
+%{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash
+
+%dir %{_datadir}/ctdb/tests/takeover
+%{_datadir}/ctdb/tests/takeover/README
+%{_datadir}/ctdb/tests/takeover/det.001.sh
+%{_datadir}/ctdb/tests/takeover/det.002.sh
+%{_datadir}/ctdb/tests/takeover/det.003.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.001.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.002.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.003.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.004.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.005.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.006.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.007.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.008.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.009.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.010.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.011.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.012.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.013.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.014.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.015.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.016.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.017.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.018.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.019.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.022.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.023.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.024.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.025.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.026.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.027.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.028.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.029.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.030.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.031.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.032.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.033.sh
+%{_datadir}/ctdb/tests/takeover/nondet.001.sh
+%{_datadir}/ctdb/tests/takeover/nondet.002.sh
+%{_datadir}/ctdb/tests/takeover/nondet.003.sh
+
+%dir %{_datadir}/ctdb/tests/takeover/scripts
+%{_datadir}/ctdb/tests/takeover/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/takeover_helper
+%{_datadir}/ctdb/tests/takeover_helper/000.sh
+%{_datadir}/ctdb/tests/takeover_helper/010.sh
+%{_datadir}/ctdb/tests/takeover_helper/011.sh
+%{_datadir}/ctdb/tests/takeover_helper/012.sh
+%{_datadir}/ctdb/tests/takeover_helper/013.sh
+%{_datadir}/ctdb/tests/takeover_helper/014.sh
+%{_datadir}/ctdb/tests/takeover_helper/015.sh
+%{_datadir}/ctdb/tests/takeover_helper/016.sh
+%{_datadir}/ctdb/tests/takeover_helper/017.sh
+%{_datadir}/ctdb/tests/takeover_helper/018.sh
+%{_datadir}/ctdb/tests/takeover_helper/019.sh
+%{_datadir}/ctdb/tests/takeover_helper/020.sh
+%{_datadir}/ctdb/tests/takeover_helper/021.sh
+%{_datadir}/ctdb/tests/takeover_helper/022.sh
+%{_datadir}/ctdb/tests/takeover_helper/023.sh
+%{_datadir}/ctdb/tests/takeover_helper/024.sh
+%{_datadir}/ctdb/tests/takeover_helper/025.sh
+%{_datadir}/ctdb/tests/takeover_helper/026.sh
+%{_datadir}/ctdb/tests/takeover_helper/027.sh
+%{_datadir}/ctdb/tests/takeover_helper/028.sh
+%{_datadir}/ctdb/tests/takeover_helper/110.sh
+%{_datadir}/ctdb/tests/takeover_helper/111.sh
+%{_datadir}/ctdb/tests/takeover_helper/120.sh
+%{_datadir}/ctdb/tests/takeover_helper/121.sh
+%{_datadir}/ctdb/tests/takeover_helper/122.sh
+%{_datadir}/ctdb/tests/takeover_helper/130.sh
+%{_datadir}/ctdb/tests/takeover_helper/131.sh
+%{_datadir}/ctdb/tests/takeover_helper/132.sh
+%{_datadir}/ctdb/tests/takeover_helper/140.sh
+%{_datadir}/ctdb/tests/takeover_helper/150.sh
+%{_datadir}/ctdb/tests/takeover_helper/160.sh
+%{_datadir}/ctdb/tests/takeover_helper/210.sh
+%{_datadir}/ctdb/tests/takeover_helper/211.sh
+%{_datadir}/ctdb/tests/takeover_helper/220.sh
+%{_datadir}/ctdb/tests/takeover_helper/230.sh
+%{_datadir}/ctdb/tests/takeover_helper/240.sh
+%{_datadir}/ctdb/tests/takeover_helper/250.sh
+%{_datadir}/ctdb/tests/takeover_helper/260.sh
+
+%dir %{_datadir}/ctdb/tests/takeover_helper/scripts
+%{_datadir}/ctdb/tests/takeover_helper/scripts/local.sh
+
+%dir %{_datadir}/ctdb/tests/tool
+%{_datadir}/ctdb/tests/tool/README
+%{_datadir}/ctdb/tests/tool/ctdb.ban.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ban.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ban.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.continue.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.continue.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.continue.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disable.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.disablemonitor.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enable.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enable.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enable.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.enablemonitor.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbmap.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getmonmode.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getpid.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getreclock.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getreclock.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getvar.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.getvar.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ifaces.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ip.007.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ipinfo.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.listnodes.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.listnodes.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.listvars.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.007.sh
+%{_datadir}/ctdb/tests/tool/ctdb.lvs.008.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.006.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.007.sh
+%{_datadir}/ctdb/tests/tool/ctdb.natgw.008.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.ping.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.pnn.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.process-exists.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.recmaster.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.recmaster.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.recover.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.011.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.012.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.013.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.014.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.015.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.016.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.017.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.018.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.019.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.020.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.021.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.023.sh
+%{_datadir}/ctdb/tests/tool/ctdb.reloadnodes.024.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.runstate.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdebug.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdebug.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdebug.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setifacelink.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setifacelink.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setvar.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setvar.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.status.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.status.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.stop.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.stop.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.stop.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.unban.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.unban.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.unban.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.uptime.001.sh
+
+%dir %{_datadir}/ctdb/tests/tool/scripts
+%{_datadir}/ctdb/tests/tool/scripts/local.sh
+
 %endif # with_clustering_support
 
 %changelog
-* Thu May 18 2017 Guenther Deschner <gdeschner@redhat.com> - 4.4.4-14
-- resolves: #1450784 - Security fix for CVE-2017-7494
-
-* Wed Apr 05 2017 Andreas Schneider <asn@redhat.com> - 4.4.4-13
-- resolves: #1437816 - Fix krb5 memory cache in libads sasl code
-- resolves: #1437741 - Fix CVE-2016-2125, CVE-2016-2126 and CVE-2017-2619
-
-* Tue Nov 15 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-12
-- related: #1393051 - Fix return code if ip not defined in gethostbyname
+* Thu Jun 22 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-8
+- resolves: #1459936 - Fix regression with "follow symlinks = no"
+
+* Tue Jun 20 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-7
+- resolves: #1461336 - Fix smbclient username parsing
+- resolves: #1460937 - Fix username normalization with winbind
+
+* Tue Jun 13 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-6
+- resolves: #1459179 - Fix smbclient session setup printing
+
+* Wed Jun 07 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-5
+- related: #1277999 - Add missing patchset
+
+* Wed May 31 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-4
+- resolves: #1431986 - Fix expand_msdfs VFS module
+
+* Thu May 18 2017 Guenther Deschner <gdeschner@redhat.com> - 4.6.2-3
+- resolves: #1450785 - Security fix for CVE-2017-7494
+
+* Tue May 09 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-2
+- resolves: #1448544 - Fix spoolss 32bit driver upload
+
+* Mon Apr 03 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-1
+- resolves: #1435734 - Fix refreshing winbind tickets
+
+* Fri Mar 31 2017 Guenther Deschner <gdeschner@redhat.com> - 4.6.2-0
+- Update to Samba 4.6.2
+- related: #1430260 - Security fix for CVE-2017-2619
+
+* Thu Mar 23 2017 Guenther Deschner <gdeschner@redhat.com> - 4.6.1-0
+- Update to Samba 4.6.1
+- resolves: #1430260 - Security fix for CVE-2017-2619
+
+* Tue Mar 21 2017 Andreas Schneider <asn@redhat.com> - 4.6.0-5
+- related: #1391954 - Fix kerberos cross-realm referrals
+- resolves: #1430755 - Fix 'net ads' keytab handling
+
+* Wed Mar 15 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-4
+- Export internal arcfour_crypt_blob in Python as samba.arcfour_encrypt
+- related: #1391954 - Update to Samba 4.6.0
+
+* Fri Mar 10 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-3
+- Ensure we set realm when updating ccache in auth/credentials
+- resolves: #1430759 - use GSSAPI gss_acquire_cred_from call for gssproxy support
+
+* Fri Mar 10 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-2
+- resolves: #1430759 - use GSSAPI gss_acquire_cred_from call for gssproxy support
+
+* Tue Mar 07 2017 Andreas Schneider <asn@redhat.com> - 4.6.0-1
+- related: #1391954 - Update to Samba 4.6.0
+- resolves: #1401505 - Improved idmap_hash documentation
+- resolves: #1218926 - Samba ignores default_keytab_name in krb5.conf
+- resolves: #1389786 - Add 'net ads dns unregister'
+
+* Thu Mar 02 2017 Andreas Schneider <asn@redhat.com> - 4.6.0-0.1.rc4
+- related: #1391954 - Update to Samba 4.6.0rc4
+- resolves: #1420130 - samba_krb5_wrapper does not list devices when called with
+                       no arguments
+- resolves: #1277999 - Change RPC port range to Windows defaults
+
+* Wed Feb 15 2017 Andreas Schneider <asn@redhat.com> - 4.6.0-0.1.rc3
+- resolves: #1391954 - Update to Samba 4.6.0rc3
+- resolves: #1271082 - Wrong groups listed when id command is called before login
+- resolves: #1327810 - Use 'printcap cache time' for the house keeping interval
+- resolves: #1356932 - Improve documentation for 'ldap ssl' in smb.conf manpage
+- resolves: #1365111 - Fix printer removal if "List in Directory" checkbox is
+                       unticked and printer is not listed in AD
+- resolves: #1368439 - Fix ntlm_auth wrong password issues
+- resolves: #1397871 - Include the system krb5.conf in winbinds generated conf
+- resolves: #1397891 - Fix marsalling of spoolss SetPrinter info level 2
+- resolves: #1397895 - Add missing support APD_COPY_FROM_DIRECTORY in
+                       AddPrinterDriver
+- resolves: #1403242 - Samba can not access trusted domains through transitive
+                       trusts
+- resolves: #1403975 - Fix trusted domain logins
+- resolves: #1411978 - Include the system krb5.conf in winbinds generated conf
+- resolves: #1416746 - Fix division by zero error in ctdb 05.system event script
+
+* Tue Nov 15 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-11
+- related: #1377729 - Fix return code if ip not defined in gethostbyname
 
 * Wed Nov 09 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-11
-- related: #1393048 - Add missing patch to patchset
+- related: #1377307 - Add missing patch to patchset
 
 * Tue Nov 08 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-10
-- resolves: #1393050 - Fix linking nss_wins with libreplace
-- resolves: #1393051 - Fix nss_wins function definitions for gethostbyname*
-- resolves: #1393048 - Fix %G substitution in AD case
-- resolves: #1393052 - Fix regression of smbclient unable to connect to
+- resolves: #1377690 - Fix linking nss_wins with libreplace
+- resolves: #1377729 - Fix nss_wins function definitions for gethostbyname*
+- resolves: #1377307 - Fix %G substitution in AD case
+- resolves: #1377751 - Fix regression of smbclient unable to connect to
                        Apple and Azure
 
 * Wed Aug 31 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-9