diff --git a/.gitignore b/.gitignore
index 15a87be..e6501c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.6.2.tar.xz
+SOURCES/samba-4.7.1.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index ac19222..44641bf 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-57a1a9dce118fa9059f9d3e7a595db3491e265bc SOURCES/samba-4.6.2.tar.xz
+3c58fef85ceff87968b9e79c665e861f5442f0f1 SOURCES/samba-4.7.1.tar.xz
diff --git a/SOURCES/CVE-2017-12150.patch b/SOURCES/CVE-2017-12150.patch
deleted file mode 100644
index 7eb1ef8..0000000
--- a/SOURCES/CVE-2017-12150.patch
+++ /dev/null
@@ -1,381 +0,0 @@
-From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 29 Aug 2017 17:06:21 +0200
-Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed
- username into a specified one
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/include/auth_info.h | 1 +
- source3/lib/popt_common.c | 6 +-----
- source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++
- 3 files changed, 31 insertions(+), 5 deletions(-)
-
-diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
-index c6f71ad..8212c27 100644
---- a/source3/include/auth_info.h
-+++ b/source3/include/auth_info.h
-@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
- const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
- void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
- const char *username);
-+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);
- const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);
- void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
- const char *domain);
-diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
-index 9928c70..36b5e92 100644
---- a/source3/lib/popt_common.c
-+++ b/source3/lib/popt_common.c
-@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)
- void popt_common_credentials_post(void)
- {
- struct user_auth_info *auth_info = cmdline_auth_info;
-- const char *username = NULL;
-
- if (get_cmdline_auth_info_use_machine_account(auth_info) &&
- !set_cmdline_auth_info_machine_account_creds(auth_info))
-@@ -259,10 +258,7 @@ void popt_common_credentials_post(void)
- * correctly parsed yet. If we have a username we need to set it again
- * to run the string parser for the username correctly.
- */
-- username = get_cmdline_auth_info_username(auth_info);
-- if (username != NULL && username[0] != '\0') {
-- set_cmdline_auth_info_username(auth_info, username);
-- }
-+ reset_cmdline_auth_info_username(auth_info);
- }
-
- static void popt_common_credentials_callback(poptContext con,
-diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
-index ad51a4f..80142e2 100644
---- a/source3/lib/util_cmdline.c
-+++ b/source3/lib/util_cmdline.c
-@@ -37,6 +37,7 @@
- struct user_auth_info {
- struct cli_credentials *creds;
- struct loadparm_context *lp_ctx;
-+ bool got_username;
- bool got_pass;
- int signing_state;
- bool smb_encrypt;
-@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
- if (!ok) {
- exit(EIO);
- }
-+ auth_info->got_username = true;
- }
-
- const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
-@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
- exit(ENOMEM);
- }
-
-+ auth_info->got_username = true;
- if (strchr_m(username, '%') != NULL) {
- auth_info->got_pass = true;
- }
- }
-
-+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
-+{
-+ const char *username = NULL;
-+ const char *new_val = NULL;
-+
-+ if (!auth_info->got_username) {
-+ return;
-+ }
-+
-+ username = cli_credentials_get_username(auth_info->creds);
-+ if (username == NULL) {
-+ return;
-+ }
-+ if (username[0] == '\0') {
-+ return;
-+ }
-+
-+ cli_credentials_parse_string(auth_info->creds,
-+ username,
-+ CRED_SPECIFIED);
-+ new_val = cli_credentials_get_username(auth_info->creds);
-+ if (new_val == NULL) {
-+ exit(ENOMEM);
-+ }
-+}
-+
- const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
- {
- const char *domain = NULL;
---
-1.9.1
-
-
-From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 3 Nov 2016 17:16:43 +0100
-Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:
- get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
-
-This is an addition to the fixes for CVE-2015-5296.
-
-It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/lib/util_cmdline.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
-index 80142e2..90ee67c 100644
---- a/source3/lib/util_cmdline.c
-+++ b/source3/lib/util_cmdline.c
-@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
-
- int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
- {
-+ if (auth_info->smb_encrypt) {
-+ return SMB_SIGNING_REQUIRED;
-+ }
- return auth_info->signing_state;
- }
-
---
-1.9.1
-
-
-From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 9 Dec 2016 09:26:32 +0100
-Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of
- SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/libsmb/pylibsmb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
-index 59c0998..350c6d4 100644
---- a/source3/libsmb/pylibsmb.c
-+++ b/source3/libsmb/pylibsmb.c
-@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
-
- req = cli_full_connection_creds_send(
- NULL, self->ev, "myname", host, NULL, 0, share, "?????",
-- cli_creds, 0, 0);
-+ cli_creds, 0, SMB_SIGNING_DEFAULT);
- if (!py_tevent_req_wait_exc(self->ev, req)) {
- return -1;
- }
---
-1.9.1
-
-
-From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 12 Dec 2016 05:49:46 +0100
-Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
- in gpo_connect_server()
-
-It's important that we use a signed connection to get the GPOs!
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- libgpo/gpo_fetch.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
-index 836bc23..3740d4e 100644
---- a/libgpo/gpo_fetch.c
-+++ b/libgpo/gpo_fetch.c
-@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
- ads->auth.password,
- CLI_FULL_CONNECTION_USE_KERBEROS |
- CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
-- Undefined);
-+ SMB_SIGNING_REQUIRED);
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("check_refresh_gpo: "
- "failed to connect: %s\n",
---
-1.9.1
-
-
-From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 29 Aug 2017 15:24:14 +0200
-Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:
- cli_credentials_authentication_requested() should check for
- NTLM_CCACHE/SIGN/SEAL
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- auth/credentials/credentials.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index 06648c7..5e3b5e8 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -25,6 +25,7 @@
- #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
- #include "auth/credentials/credentials.h"
- #include "auth/credentials/credentials_internal.h"
-+#include "auth/gensec/gensec.h"
- #include "libcli/auth/libcli_auth.h"
- #include "tevent.h"
- #include "param/param.h"
-@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
-
- _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
- {
-+ uint32_t gensec_features = 0;
-+
- if (cred->bind_dn) {
- return true;
- }
-@@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
- return true;
- }
-
-+ gensec_features = cli_credentials_get_gensec_features(cred);
-+ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
-+ return true;
-+ }
-+
-+ if (gensec_features & GENSEC_FEATURE_SIGN) {
-+ return true;
-+ }
-+
-+ if (gensec_features & GENSEC_FEATURE_SEAL) {
-+ return true;
-+ }
-+
- return false;
- }
-
---
-1.9.1
-
-
-From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 29 Aug 2017 15:35:49 +0200
-Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add
- smbXcli_conn_signing_mandatory()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- libcli/smb/smbXcli_base.c | 5 +++++
- libcli/smb/smbXcli_base.h | 1 +
- 2 files changed, 6 insertions(+)
-
-diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
-index b21d796..239e5eb 100644
---- a/libcli/smb/smbXcli_base.c
-+++ b/libcli/smb/smbXcli_base.c
-@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
- return false;
- }
-
-+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
-+{
-+ return conn->mandatory_signing;
-+}
-+
- void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
- {
- set_socket_options(conn->sock_fd, options);
-diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
-index e48fc35..2594f07 100644
---- a/libcli/smb/smbXcli_base.h
-+++ b/libcli/smb/smbXcli_base.h
-@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
-
- enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
- bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
-+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
-
- void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
- const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
---
-1.9.1
-
-
-From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 12 Dec 2016 06:07:56 +0100
-Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
- authentication was not requested
-
-With forced encryption or required signing we should also don't fallback.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/libsmb/clidfs.c | 16 ++++------------
- 1 file changed, 4 insertions(+), 12 deletions(-)
-
-diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
-index 75012b2..fdcd665 100644
---- a/source3/libsmb/clidfs.c
-+++ b/source3/libsmb/clidfs.c
-@@ -26,6 +26,7 @@
- #include "trans2.h"
- #include "libsmb/nmblib.h"
- #include "../libcli/smb/smbXcli_base.h"
-+#include "auth/credentials/credentials.h"
-
- /********************************************************************
- Important point.
-@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
- char *servicename;
- char *sharename;
- char *newserver, *newshare;
-- const char *username;
-- const char *password;
-- const char *domain;
- NTSTATUS status;
- int flags = 0;
- int signing_state = get_cmdline_auth_info_signing_state(auth_info);
-@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
- smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
- }
-
-- username = get_cmdline_auth_info_username(auth_info);
-- password = get_cmdline_auth_info_password(auth_info);
-- domain = get_cmdline_auth_info_domain(auth_info);
-- if ((domain == NULL) || (domain[0] == '\0')) {
-- domain = lp_workgroup();
-- }
--
- creds = get_cmdline_auth_info_creds(auth_info);
-
- status = cli_session_setup_creds(c, creds);
- if (!NT_STATUS_IS_OK(status)) {
- /* If a password was not supplied then
- * try again with a null username. */
-- if (password[0] || !username[0] ||
-- get_cmdline_auth_info_use_kerberos(auth_info) ||
-+ if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
-+ cli_credentials_authentication_requested(creds) ||
-+ cli_credentials_is_anonymous(creds) ||
- !NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
- {
- d_printf("session setup failed: %s\n",
---
-1.9.1
-
diff --git a/SOURCES/CVE-2017-12151.patch b/SOURCES/CVE-2017-12151.patch
deleted file mode 100644
index bfd6f80..0000000
--- a/SOURCES/CVE-2017-12151.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 14 Aug 2017 12:13:18 +0200
-Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add
- cli_state_is_encryption_on() helper function
-
-This allows to check if the current cli_state uses encryption
-(either via unix extentions or via SMB3).
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/libsmb/clientgen.c | 13 +++++++++++++
- source3/libsmb/proto.h | 1 +
- 2 files changed, 14 insertions(+)
-
-diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
-index bc5c1b1ce3c..3e8523e5ce8 100644
---- a/source3/libsmb/clientgen.c
-+++ b/source3/libsmb/clientgen.c
-@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)
- return cli->smb1.pid;
- }
-
-+bool cli_state_is_encryption_on(struct cli_state *cli)
-+{
-+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
-+ return smb1cli_conn_encryption_on(cli->conn);
-+ }
-+
-+ if (cli->smb2.tcon == NULL) {
-+ return false;
-+ }
-+
-+ return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
-+}
-+
- bool cli_state_has_tcon(struct cli_state *cli)
- {
- uint16_t tid = cli_state_get_tid(cli);
-diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
-index 764f3fc1b12..67fa43e4e4a 100644
---- a/source3/libsmb/proto.h
-+++ b/source3/libsmb/proto.h
-@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
- uint16_t cli_state_get_vc_num(struct cli_state *cli);
- uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
- uint32_t cli_getpid(struct cli_state *cli);
-+bool cli_state_is_encryption_on(struct cli_state *cli);
- bool cli_state_has_tcon(struct cli_state *cli);
- uint16_t cli_state_get_tid(struct cli_state *cli);
- uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);
---
-2.13.5
-
-
-From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 17 Dec 2016 10:36:49 +0100
-Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of
- cli_state_is_encryption_on()
-
-This will keep enforced encryption across dfs referrals.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/libsmb/clidfs.c | 4 ++--
- source3/libsmb/libsmb_context.c | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
-index c477d7c6a46..99818a681e3 100644
---- a/source3/libsmb/clidfs.c
-+++ b/source3/libsmb/clidfs.c
-@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
- "IPC$",
- dfs_auth_info,
- false,
-- smb1cli_conn_encryption_on(rootcli->conn),
-+ cli_state_is_encryption_on(rootcli),
- smbXcli_conn_protocol(rootcli->conn),
- 0,
- 0x20,
-@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
- dfs_refs[count].share,
- dfs_auth_info,
- false,
-- smb1cli_conn_encryption_on(rootcli->conn),
-+ cli_state_is_encryption_on(rootcli),
- smbXcli_conn_protocol(rootcli->conn),
- 0,
- 0x20,
-diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
-index ed6ca2b1b9f..b55cf1e2d15 100644
---- a/source3/libsmb/libsmb_context.c
-+++ b/source3/libsmb/libsmb_context.c
-@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
-
- for (s = context->internal->servers; s; s = s->next) {
- num_servers++;
-- if (!smb1cli_conn_encryption_on(s->cli->conn)) {
-+ if (!cli_state_is_encryption_on(s->cli)) {
- return (void *)false;
- }
- }
---
-2.13.5
-
diff --git a/SOURCES/CVE-2017-12163.patch b/SOURCES/CVE-2017-12163.patch
deleted file mode 100644
index 1e9f99e..0000000
--- a/SOURCES/CVE-2017-12163.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 8 Sep 2017 10:13:14 -0700
-Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
- writing server memory to file.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 50 insertions(+)
-
-diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
-index 317143f..7b07078 100644
---- a/source3/smbd/reply.c
-+++ b/source3/smbd/reply.c
-@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
- }
-
- /* Ensure we don't write bytes past the end of this packet. */
-+ /*
-+ * This already protects us against CVE-2017-12163.
-+ */
- if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
- reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
- error_to_writebrawerr(req);
-@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
- exit_server_cleanly("secondary writebraw failed");
- }
-
-+ /*
-+ * We are not vulnerable to CVE-2017-12163
-+ * here as we are guarenteed to have numtowrite
-+ * bytes available - we just read from the client.
-+ */
- nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
- if (nwritten == -1) {
- TALLOC_FREE(buf);
-@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
- connection_struct *conn = req->conn;
- ssize_t nwritten = -1;
- size_t numtowrite;
-+ size_t remaining;
- off_t startpos;
- const char *data;
- NTSTATUS status = NT_STATUS_OK;
-@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
- startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
- data = (const char *)req->buf + 3;
-
-+ /*
-+ * Ensure client isn't asking us to write more than
-+ * they sent. CVE-2017-12163.
-+ */
-+ remaining = smbreq_bufrem(req, data);
-+ if (numtowrite > remaining) {
-+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ END_PROFILE(SMBwriteunlock);
-+ return;
-+ }
-+
- if (!fsp->print_file && numtowrite > 0) {
- init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
- {
- connection_struct *conn = req->conn;
- size_t numtowrite;
-+ size_t remaining;
- ssize_t nwritten = -1;
- off_t startpos;
- const char *data;
-@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
- startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
- data = (const char *)req->buf + 3;
-
-+ /*
-+ * Ensure client isn't asking us to write more than
-+ * they sent. CVE-2017-12163.
-+ */
-+ remaining = smbreq_bufrem(req, data);
-+ if (numtowrite > remaining) {
-+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ END_PROFILE(SMBwrite);
-+ return;
-+ }
-+
- if (!fsp->print_file) {
- init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
- goto out;
- }
- } else {
-+ /*
-+ * This already protects us against CVE-2017-12163.
-+ */
- if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
- smb_doff + numtowrite > smblen) {
- reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
- {
- connection_struct *conn = req->conn;
- size_t numtowrite;
-+ size_t remaining;
- ssize_t nwritten = -1;
- NTSTATUS close_status = NT_STATUS_OK;
- off_t startpos;
-@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
- mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
- data = (const char *)req->buf + 1;
-
-+ /*
-+ * Ensure client isn't asking us to write more than
-+ * they sent. CVE-2017-12163.
-+ */
-+ remaining = smbreq_bufrem(req, data);
-+ if (numtowrite > remaining) {
-+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ END_PROFILE(SMBwriteclose);
-+ return;
-+ }
-+
- if (fsp->print_file == NULL) {
- init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
-
- numtowrite = SVAL(req->buf, 1);
-
-+ /*
-+ * This already protects us against CVE-2017-12163.
-+ */
- if (req->buflen < numtowrite + 3) {
- reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
- END_PROFILE(SMBsplwr);
---
-1.9.1
-
diff --git a/SOURCES/CVE-2017-7494.patch b/SOURCES/CVE-2017-7494.patch
deleted file mode 100644
index 34b4437..0000000
--- a/SOURCES/CVE-2017-7494.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Mon, 8 May 2017 21:40:40 +0200
-Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
- inside
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_server/srv_pipe.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 0633b5f..c3f0cd8 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -475,6 +475,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
- {
- NTSTATUS status;
-
-+ if (strchr(pipename, '/')) {
-+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
-+ return false;
-+ }
-+
- if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
- DEBUG(10, ("refusing spoolss access\n"));
- return false;
---
-1.9.1
-
diff --git a/SOURCES/samba-4.6.2.tar.asc b/SOURCES/samba-4.6.2.tar.asc
deleted file mode 100644
index 9d1e563..0000000
--- a/SOURCES/samba-4.6.2.tar.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz
-DQw3KuAbWCKIgkHcy1zZr2o=
-=bIg5
------END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.7-fix_aesni_intel_support.patch b/SOURCES/samba-4.7-fix_aesni_intel_support.patch
new file mode 100644
index 0000000..9e37d86
--- /dev/null
+++ b/SOURCES/samba-4.7-fix_aesni_intel_support.patch
@@ -0,0 +1,72 @@
+From db7947e144d10c15468991cad50315b70f2609d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
+Date: Mon, 4 Dec 2017 10:49:19 +0100
+Subject: [PATCH 1/2] third_party: Link th aesni-intel library with -z
+ noexecstack
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13174
+
+Signed-off-by: Björn Baumbach <bb@sernet.de>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ third_party/aesni-intel/wscript | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
+index eb92d6626fe..0ccd9eb1e5b 100644
+--- a/third_party/aesni-intel/wscript
++++ b/third_party/aesni-intel/wscript
+@@ -12,6 +12,8 @@ def configure(conf):
+ raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
+ else:
+ raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
++ if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
++ raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
+
+ def build(bld):
+ if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
+@@ -20,4 +22,5 @@ def build(bld):
+ bld.SAMBA_LIBRARY('aesni-intel',
+ source='aesni-intel_asm.c',
+ cflags='-Wp,-E,-lang-asm',
++ ldflags='-Wl,-z,noexecstack',
+ private_library=True)
+--
+2.15.0
+
+
+From ded56e00f81614e128301d75e38e4b692a712cc4 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Dec 2017 11:00:10 +0100
+Subject: [PATCH 2/2] third_party: Fix a typo in the option name
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ third_party/aesni-intel/wscript | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
+index 0ccd9eb1e5b..f0723a52501 100644
+--- a/third_party/aesni-intel/wscript
++++ b/third_party/aesni-intel/wscript
+@@ -9,11 +9,11 @@ def configure(conf):
+ print("Compiling with Intel AES instructions")
+ conf.DEFINE('HAVE_AESNI_INTEL', 1)
+ else:
+- raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
++ raise Utils.WafError('--accel-aes=intelaesni selected and non x86_64 CPU')
+ else:
+- raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
++ raise Utils.WafError('--accel-aes=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
+ if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
+- raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
++ raise Utils.WafError('--accel-aes=intelaesni selected and linker rejects -z noexecstack')
+
+ def build(bld):
+ if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
+--
+2.15.0
+
diff --git a/SOURCES/samba-4.7-fix_samba_with_systemd.patch b/SOURCES/samba-4.7-fix_samba_with_systemd.patch
new file mode 100644
index 0000000..a12f130
--- /dev/null
+++ b/SOURCES/samba-4.7-fix_samba_with_systemd.patch
@@ -0,0 +1,313 @@
+From e696afd2d810fef403c6e5d35a44cc0f22128310 Mon Sep 17 00:00:00 2001
+From: Gary Lockyer <gary@catalyst.net.nz>
+Date: Mon, 21 Aug 2017 15:12:04 +1200
+Subject: [PATCH 1/4] s4/smbd: set the process group.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Set the process group in the samba daemon, the --no-process-group option
+allows this to be disabled. The no-process-group option needs to be
+disabled in self test.
+
+Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Mon Sep 18 04:39:50 CEST 2017 on sn-devel-144
+---
+ selftest/target/Samba4.pm | 2 +-
+ source4/smbd/server.c | 18 +++++++++++++++++-
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index 772f982cb9d..6a1856ef642 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -158,7 +158,7 @@ sub check_or_start($$$)
+ close($env_vars->{STDIN_PIPE});
+ open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+- exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
++ exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
+ }
+ $env_vars->{SAMBA_PID} = $pid;
+ print "DONE ($pid)\n";
+diff --git a/source4/smbd/server.c b/source4/smbd/server.c
+index a8bad06bed3..ba520e0a8f5 100644
+--- a/source4/smbd/server.c
++++ b/source4/smbd/server.c
+@@ -341,6 +341,7 @@ static int binary_smbd_main(const char *binary_name,
+ {
+ bool opt_daemon = false;
+ bool opt_interactive = false;
++ bool opt_no_process_group = false;
+ int opt;
+ poptContext pc;
+ #define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
+@@ -356,7 +357,8 @@ static int binary_smbd_main(const char *binary_name,
+ OPT_DAEMON = 1000,
+ OPT_INTERACTIVE,
+ OPT_PROCESS_MODEL,
+- OPT_SHOW_BUILD
++ OPT_SHOW_BUILD,
++ OPT_NO_PROCESS_GROUP,
+ };
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+@@ -371,6 +373,8 @@ static int binary_smbd_main(const char *binary_name,
+ "till autotermination", "seconds"},
+ {"show-build", 'b', POPT_ARG_NONE, NULL, OPT_SHOW_BUILD,
+ "show build info", NULL },
++ {"no-process-group", '\0', POPT_ARG_NONE, NULL,
++ OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
+ POPT_COMMON_SAMBA
+ POPT_COMMON_VERSION
+ { NULL }
+@@ -393,6 +397,9 @@ static int binary_smbd_main(const char *binary_name,
+ case OPT_SHOW_BUILD:
+ show_build();
+ break;
++ case OPT_NO_PROCESS_GROUP:
++ opt_no_process_group = true;
++ break;
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+@@ -508,6 +515,15 @@ static int binary_smbd_main(const char *binary_name,
+ stdin_event_flags = 0;
+ }
+
++#if HAVE_SETPGID
++ /*
++ * If we're interactive we want to set our own process group for
++ * signal management, unless --no-process-group specified.
++ */
++ if (opt_interactive && !opt_no_process_group)
++ setpgid((pid_t)0, (pid_t)0);
++#endif
++
+ /* catch EOF on stdin */
+ #ifdef SIGTTIN
+ signal(SIGTTIN, SIG_IGN);
+--
+2.15.0
+
+
+From 1e3f38e58d52c7424831855c8db63c391e0b4b75 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 15 Nov 2017 10:00:52 +0100
+Subject: [PATCH 2/4] s4:samba: Do not segfault if we run into issues
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit bfafabfb942668328401a3c89fc55b50dc56c209)
+---
+ source4/smbd/server.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/source4/smbd/server.c b/source4/smbd/server.c
+index ba520e0a8f5..406f79593b9 100644
+--- a/source4/smbd/server.c
++++ b/source4/smbd/server.c
+@@ -100,8 +100,16 @@ static void cleanup_tmp_files(struct loadparm_context *lp_ctx)
+ {
+ char *path;
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
++ if (mem_ctx == NULL) {
++ exit_daemon("Failed to create memory context",
++ ENOMEM);
++ }
+
+ path = smbd_tmp_path(mem_ctx, lp_ctx, NULL);
++ if (path == NULL) {
++ exit_daemon("Failed to cleanup temporary files",
++ EINVAL);
++ }
+
+ recursive_delete(path);
+ talloc_free(mem_ctx);
+--
+2.15.0
+
+
+From b7d08eda158ba540dc7ca8755a6a8fdf34e52501 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 10 Nov 2017 09:18:18 +0100
+Subject: [PATCH 3/4] s4:samba: Allow samba daemon to run in foreground
+
+We are passing the no_process_group to become_daemon() that setsid() is
+not called. In case we are double forking, we run in SysV daemon mode,
+setsid() should be called!
+
+See:
+https://www.freedesktop.org/software/systemd/man/daemon.html
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+(cherry picked from commit 8736013dc42c5755b75bbb2e843a290bcd545909)
+---
+ source3/smbd/server.c | 2 +-
+ source4/smbd/server.c | 13 ++++++++++---
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/source3/smbd/server.c b/source3/smbd/server.c
+index 181bcd1e123..252b43190d7 100644
+--- a/source3/smbd/server.c
++++ b/source3/smbd/server.c
+@@ -1592,7 +1592,7 @@ extern void build_options(bool screen);
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ {"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON, "Become a daemon (default)" },
+- {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon)"},
++ {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon) and log to stdout"},
+ {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FORK, "Run daemon in foreground (for daemontools, etc.)" },
+ {"no-process-group", '\0', POPT_ARG_NONE, NULL, OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
+ {"log-stdout", 'S', POPT_ARG_NONE, NULL, OPT_LOG_STDOUT, "Log to stdout" },
+diff --git a/source4/smbd/server.c b/source4/smbd/server.c
+index 406f79593b9..2349d5c7fa0 100644
+--- a/source4/smbd/server.c
++++ b/source4/smbd/server.c
+@@ -348,6 +348,7 @@ static int binary_smbd_main(const char *binary_name,
+ const char *argv[])
+ {
+ bool opt_daemon = false;
++ bool opt_fork = true;
+ bool opt_interactive = false;
+ bool opt_no_process_group = false;
+ int opt;
+@@ -363,6 +364,7 @@ static int binary_smbd_main(const char *binary_name,
+ struct stat st;
+ enum {
+ OPT_DAEMON = 1000,
++ OPT_FOREGROUND,
+ OPT_INTERACTIVE,
+ OPT_PROCESS_MODEL,
+ OPT_SHOW_BUILD,
+@@ -372,6 +374,8 @@ static int binary_smbd_main(const char *binary_name,
+ POPT_AUTOHELP
+ {"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON,
+ "Become a daemon (default)", NULL },
++ {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FOREGROUND,
++ "Run the daemon in foreground", NULL },
+ {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE,
+ "Run interactive (not a daemon)", NULL},
+ {"model", 'M', POPT_ARG_STRING, NULL, OPT_PROCESS_MODEL,
+@@ -396,6 +400,9 @@ static int binary_smbd_main(const char *binary_name,
+ case OPT_DAEMON:
+ opt_daemon = true;
+ break;
++ case OPT_FOREGROUND:
++ opt_fork = false;
++ break;
+ case OPT_INTERACTIVE:
+ opt_interactive = true;
+ break;
+@@ -422,7 +429,7 @@ static int binary_smbd_main(const char *binary_name,
+ "not allowed together with -D|--daemon\n\n");
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+- } else if (!opt_interactive) {
++ } else if (!opt_interactive && !opt_fork) {
+ /* default is --daemon */
+ opt_daemon = true;
+ }
+@@ -458,8 +465,8 @@ static int binary_smbd_main(const char *binary_name,
+ }
+
+ if (opt_daemon) {
+- DEBUG(3,("Becoming a daemon.\n"));
+- become_daemon(true, false, false);
++ DBG_NOTICE("Becoming a daemon.\n");
++ become_daemon(opt_fork, opt_no_process_group, false);
+ }
+
+ /* Create the memory context to hang everything off. */
+--
+2.15.0
+
+
+From 90588e8d08dcf38d97249eb39d87c5eb36f1fcd3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 10 Nov 2017 09:32:27 +0100
+Subject: [PATCH 4/4] systemd: Start processes in forground and without a
+ process group
+
+We should not double fork in notify mode or systemd think something
+during startup will be wrong and send SIGTERM to the process. So
+sometimes the daemon will not start up correctly.
+
+systemd will also handle the process group.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+(cherry picked from commit 8b6f58194da7e849cdb9d20712dff49b17a93a77)
+---
+ packaging/systemd/nmb.service | 2 +-
+ packaging/systemd/samba.service | 2 +-
+ packaging/systemd/smb.service | 2 +-
+ packaging/systemd/winbind.service | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/packaging/systemd/nmb.service b/packaging/systemd/nmb.service
+index 992c0cd9d2b..71c93d6088b 100644
+--- a/packaging/systemd/nmb.service
++++ b/packaging/systemd/nmb.service
+@@ -7,7 +7,7 @@ Type=notify
+ NotifyAccess=all
+ PIDFile=/run/nmbd.pid
+ EnvironmentFile=-/etc/sysconfig/samba
+-ExecStart=/usr/sbin/nmbd $NMBDOPTIONS
++ExecStart=/usr/sbin/nmbd --foreground --no-process-group $NMBDOPTIONS
+ ExecReload=/usr/bin/kill -HUP $MAINPID
+ LimitCORE=infinity
+
+diff --git a/packaging/systemd/samba.service b/packaging/systemd/samba.service
+index 824f89c2030..1b64c3b779d 100644
+--- a/packaging/systemd/samba.service
++++ b/packaging/systemd/samba.service
+@@ -8,7 +8,7 @@ NotifyAccess=all
+ PIDFile=/run/samba.pid
+ LimitNOFILE=16384
+ EnvironmentFile=-/etc/sysconfig/samba
+-ExecStart=/usr/sbin/samba $SAMBAOPTIONS
++ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS
+ ExecReload=/usr/bin/kill -HUP $MAINPID
+
+ [Install]
+diff --git a/packaging/systemd/smb.service b/packaging/systemd/smb.service
+index 6053a5caaa5..adf6684c7d9 100644
+--- a/packaging/systemd/smb.service
++++ b/packaging/systemd/smb.service
+@@ -8,7 +8,7 @@ NotifyAccess=all
+ PIDFile=/run/smbd.pid
+ LimitNOFILE=16384
+ EnvironmentFile=-/etc/sysconfig/samba
+-ExecStart=/usr/sbin/smbd $SMBDOPTIONS
++ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS
+ ExecReload=/usr/bin/kill -HUP $MAINPID
+ LimitCORE=infinity
+
+diff --git a/packaging/systemd/winbind.service b/packaging/systemd/winbind.service
+index c511488166e..46b3797251d 100644
+--- a/packaging/systemd/winbind.service
++++ b/packaging/systemd/winbind.service
+@@ -7,7 +7,7 @@ Type=notify
+ NotifyAccess=all
+ PIDFile=/run/winbindd.pid
+ EnvironmentFile=-/etc/sysconfig/samba
+-ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
++ExecStart=/usr/sbin/winbindd --foreground --no-process-group "$WINBINDOPTIONS"
+ ExecReload=/usr/bin/kill -HUP $MAINPID
+ LimitCORE=infinity
+
+--
+2.15.0
+
diff --git a/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch b/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch
new file mode 100644
index 0000000..cc1aaec
--- /dev/null
+++ b/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch
@@ -0,0 +1,47 @@
+From a751c29e4ff3fbdf573252b791775fd805cd7759 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 29 Nov 2017 09:21:30 -0800
+Subject: [PATCH] s3: libsmb: Fix valgrind read-after-free error in
+ cli_smb2_close_fnum_recv().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
+frees req, then uses the state pointer which was owned by req.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Ralph Böhme <slow@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144
+
+(cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787)
+---
+ source3/libsmb/cli_smb2_fnum.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index 5d46d543002..237e6bb2b54 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
+ {
+ struct cli_smb2_close_fnum_state *state = tevent_req_data(
+ req, struct cli_smb2_close_fnum_state);
+- NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
+- state->cli->raw_status = status;
++ NTSTATUS status = NT_STATUS_OK;
++
++ if (tevent_req_is_nterror(req, &status)) {
++ state->cli->raw_status = status;
++ }
++ tevent_req_received(req);
+ return status;
+ }
+
+--
+2.15.0.531.g2ccb3012c9-goog
+
diff --git a/SOURCES/samba-4.7-fix_smbclient_volume.patch b/SOURCES/samba-4.7-fix_smbclient_volume.patch
new file mode 100644
index 0000000..1f0692a
--- /dev/null
+++ b/SOURCES/samba-4.7-fix_smbclient_volume.patch
@@ -0,0 +1,165 @@
+From b428a334105a28f55b784d284e865b3c42f1f96d Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 14 Nov 2017 13:52:03 -0800
+Subject: [PATCH] s3: libsmb: smbc_statvfs is missing the supporting SMB2
+ calls.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13138
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit eefc7a27155b70d027b1193187dd435267d863ea)
+---
+ source3/libsmb/cli_smb2_fnum.c | 97 ++++++++++++++++++++++++++++++++++++++++++
+ source3/libsmb/cli_smb2_fnum.h | 6 +++
+ source3/libsmb/clifsinfo.c | 9 ++++
+ 3 files changed, 112 insertions(+)
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index a478c41f068..89cb1f479d5 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -1992,6 +1992,103 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli, const char *path,
+ return status;
+ }
+
++/***************************************************************
++ Wrapper that allows SMB2 to query file system sizes.
++ Synchronous only.
++***************************************************************/
++
++NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
++ uint64_t *total_allocation_units,
++ uint64_t *caller_allocation_units,
++ uint64_t *actual_allocation_units,
++ uint64_t *sectors_per_allocation_unit,
++ uint64_t *bytes_per_sector)
++{
++ NTSTATUS status;
++ uint16_t fnum = 0xffff;
++ DATA_BLOB outbuf = data_blob_null;
++ struct smb2_hnd *ph = NULL;
++ TALLOC_CTX *frame = talloc_stackframe();
++
++ if (smbXcli_conn_has_async_calls(cli->conn)) {
++ /*
++ * Can't use sync call while an async call is in flight
++ */
++ status = NT_STATUS_INVALID_PARAMETER;
++ goto fail;
++ }
++
++ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
++ status = NT_STATUS_INVALID_PARAMETER;
++ goto fail;
++ }
++
++ /* First open the top level directory. */
++ status =
++ cli_smb2_create_fnum(cli, "", 0, /* create_flags */
++ FILE_READ_ATTRIBUTES, /* desired_access */
++ FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
++ FILE_SHARE_READ | FILE_SHARE_WRITE |
++ FILE_SHARE_DELETE, /* share_access */
++ FILE_OPEN, /* create_disposition */
++ FILE_DIRECTORY_FILE, /* create_options */
++ &fnum,
++ NULL);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ goto fail;
++ }
++
++ status = map_fnum_to_smb2_handle(cli, fnum, &ph);
++ if (!NT_STATUS_IS_OK(status)) {
++ goto fail;
++ }
++
++ /* getinfo on the returned handle with info_type SMB2_GETINFO_FS (2),
++ level 7 (SMB_FS_FULL_SIZE_INFORMATION). */
++
++ status = smb2cli_query_info(cli->conn,
++ cli->timeout,
++ cli->smb2.session,
++ cli->smb2.tcon,
++ SMB2_GETINFO_FS, /* in_info_type */
++ /* in_file_info_class */
++ SMB_FS_FULL_SIZE_INFORMATION - 1000,
++ 0xFFFF, /* in_max_output_length */
++ NULL, /* in_input_buffer */
++ 0, /* in_additional_info */
++ 0, /* in_flags */
++ ph->fid_persistent,
++ ph->fid_volatile,
++ frame,
++ &outbuf);
++ if (!NT_STATUS_IS_OK(status)) {
++ goto fail;
++ }
++
++ if (outbuf.length < 32) {
++ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
++ goto fail;
++ }
++
++ *total_allocation_units = BIG_UINT(outbuf.data, 0);
++ *caller_allocation_units = BIG_UINT(outbuf.data, 8);
++ *actual_allocation_units = BIG_UINT(outbuf.data, 16);
++ *sectors_per_allocation_unit = (uint64_t)IVAL(outbuf.data, 24);
++ *bytes_per_sector = (uint64_t)IVAL(outbuf.data, 28);
++
++fail:
++
++ if (fnum != 0xffff) {
++ cli_smb2_close_fnum(cli, fnum);
++ }
++
++ cli->raw_status = status;
++
++ TALLOC_FREE(frame);
++ return status;
++}
++
+ /***************************************************************
+ Wrapper that allows SMB2 to query file system attributes.
+ Synchronous only.
+diff --git a/source3/libsmb/cli_smb2_fnum.h b/source3/libsmb/cli_smb2_fnum.h
+index 9a709e85d96..c9325b66902 100644
+--- a/source3/libsmb/cli_smb2_fnum.h
++++ b/source3/libsmb/cli_smb2_fnum.h
+@@ -136,6 +136,12 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli,
+ uint64_t *total,
+ uint64_t *avail);
+ NTSTATUS cli_smb2_get_fs_attr_info(struct cli_state *cli, uint32_t *fs_attr);
++NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
++ uint64_t *total_allocation_units,
++ uint64_t *caller_allocation_units,
++ uint64_t *actual_allocation_units,
++ uint64_t *sectors_per_allocation_unit,
++ uint64_t *bytes_per_sector);
+ NTSTATUS cli_smb2_query_security_descriptor(struct cli_state *cli,
+ uint16_t fnum,
+ uint32_t sec_info,
+diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
+index 119b1216fb2..46236390022 100644
+--- a/source3/libsmb/clifsinfo.c
++++ b/source3/libsmb/clifsinfo.c
+@@ -439,6 +439,15 @@ NTSTATUS cli_get_fs_full_size_info(struct cli_state *cli,
+ uint32_t rdata_count;
+ NTSTATUS status;
+
++ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
++ return cli_smb2_get_fs_full_size_info(cli,
++ total_allocation_units,
++ caller_allocation_units,
++ actual_allocation_units,
++ sectors_per_allocation_unit,
++ bytes_per_sector);
++ }
++
+ SSVAL(setup, 0, TRANSACT2_QFSINFO);
+ SSVAL(param, 0, SMB_FS_FULL_SIZE_INFORMATION);
+
+--
+2.15.0.448.gf294e3d99a-goog
+
diff --git a/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch b/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch
new file mode 100644
index 0000000..e9d581c
--- /dev/null
+++ b/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch
@@ -0,0 +1,66 @@
+From 79381295b788a8196ccbf2ff378268286d7782d5 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 8 Sep 2017 16:20:34 -0700
+Subject: [PATCH] libsmbclient: Allow server (NetApp) to return
+ STATUS_INVALID_PARAMETER from an echo.
+
+It does this if we send a session ID of zero. The server still replied.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Sat Nov 11 08:44:37 CET 2017 on sn-devel-144
+
+(cherry picked from commit a0f6ea8dec1ab3d19bc93da12a9b0a1c0ccf6142)
+---
+ source3/client/client.c | 8 +++++++-
+ source3/libsmb/libsmb_server.c | 11 ++++++++++-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/source3/client/client.c b/source3/client/client.c
+index b4a6c7d0389..9c57375881d 100644
+--- a/source3/client/client.c
++++ b/source3/client/client.c
+@@ -5900,7 +5900,13 @@ static void readline_callback(void)
+ /* Ping the server to keep the connection alive using SMBecho. */
+ memset(garbage, 0xf0, sizeof(garbage));
+ status = cli_echo(cli, 1, data_blob_const(garbage, sizeof(garbage)));
+- if (NT_STATUS_IS_OK(status)) {
++ if (NT_STATUS_IS_OK(status) ||
++ NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
++ /*
++ * Even if server returns NT_STATUS_INVALID_PARAMETER
++ * it still responded.
++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
++ */
+ return;
+ }
+
+diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
+index b0e5926fa65..2d41f2facf3 100644
+--- a/source3/libsmb/libsmb_server.c
++++ b/source3/libsmb/libsmb_server.c
+@@ -61,7 +61,16 @@ SMBC_check_server(SMBCCTX * context,
+ 1,
+ data_blob_const(data, sizeof(data)));
+ if (!NT_STATUS_IS_OK(status)) {
+- return 1;
++ /*
++ * Some NetApp servers return
++ * NT_STATUS_INVALID_PARAMETER.That's OK, they still
++ * replied.
++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
++ */
++ if (!NT_STATUS_EQUAL(status,
++ NT_STATUS_INVALID_PARAMETER)) {
++ return 1;
++ }
+ }
+ server->last_echo_time = now;
+ }
+--
+2.15.0.448.gf294e3d99a-goog
+
diff --git a/SOURCES/samba-4.7-net_ads_keytab_list.patch b/SOURCES/samba-4.7-net_ads_keytab_list.patch
new file mode 100644
index 0000000..f77b271
--- /dev/null
+++ b/SOURCES/samba-4.7-net_ads_keytab_list.patch
@@ -0,0 +1,84 @@
+From b1f54d6b0a24a91ac3ef8b99b22ff68c2d0ca13d Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Thu, 23 Nov 2017 15:55:21 +0000
+Subject: [PATCH 1/2] s3:libads: net ads keytab list fails with "Key table name
+ malformed"
+
+When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open
+instead, this function will determine the correct keytab to use.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
+
+Signed-off-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 3048ae318fc8b4d1b7663826972306372430a463)
+---
+ source3/libads/kerberos_keytab.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index ff12ec04af6..ffd100c5636 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -639,7 +639,11 @@ int ads_keytab_list(const char *keytab_name)
+ return ret;
+ }
+
+- ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
++ if (keytab_name == NULL) {
++ ret = ads_keytab_open(context, &keytab);
++ } else {
++ ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
++ }
+ if (ret) {
+ DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+ error_message(ret)));
+--
+2.15.0
+
+
+From 6e067b990a8cbb0589d3a83e699aa766a6fee939 Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Fri, 24 Nov 2017 07:06:27 +0000
+Subject: [PATCH 2/2] testprogs: Test net ads keytab list
+
+Test that correct keytab is picked up.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
+
+Signed-off-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 4be05c835e9d8b8f13856d592aaf42b40ce397c2)
+---
+ testprogs/blackbox/test_net_ads.sh | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index bbd99b676bd..c5dbaf69ba2 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -46,6 +46,19 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai
+ testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
+ testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
++# if there is no keytab, try and create it
++if [ ! -f $dedicated_keytab_file ]; then
++ if [ $(command -v ktutil) >/dev/null ]; then
++ printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil
++ fi
++fi
++
++if [ -f $dedicated_keytab_file ]; then
++ testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++ testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1`
++fi
++
+ rm -f $dedicated_keytab_file
+
+ testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+--
+2.15.0
+
diff --git a/SOURCES/samba-4.7.1.tar.asc b/SOURCES/samba-4.7.1.tar.asc
new file mode 100644
index 0000000..78fce48
--- /dev/null
+++ b/SOURCES/samba-4.7.1.tar.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iFwEABECABwFAln7BUkVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
+uE8AoLwq4CwndlLlfxZ771nZUMjKVQrmAKCMHeFPFaVfKPhVWW37nQxQ3EXeew==
+=LZI3
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch
deleted file mode 100644
index f89ec30..0000000
--- a/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 5 Jan 2017 09:34:36 +0100
-Subject: [PATCH] replace: Include sysmacros.h
-
-In the GNU C Library, "makedev" is defined by <sys/sysmacros.h>. For
-historical compatibility, it is currently defined by <sys/types.h> as
-well, but it is planned to remove this soon.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
-
-(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
----
- lib/replace/replace.h | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/lib/replace/replace.h b/lib/replace/replace.h
-index c69a069e4b3..1dbeacfff66 100644
---- a/lib/replace/replace.h
-+++ b/lib/replace/replace.h
-@@ -171,6 +171,10 @@
- #include <sys/types.h>
- #endif
-
-+#ifdef HAVE_SYS_SYSMACROS_H
-+#include <sys/sysmacros.h>
-+#endif
-+
- #ifdef HAVE_SETPROCTITLE_H
- #include <setproctitle.h>
- #endif
---
-2.12.0
-
diff --git a/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
deleted file mode 100644
index 02db440..0000000
--- a/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
+++ /dev/null
@@ -1,1731 +0,0 @@
-From 76aae7405595ca76bc0419a97f4a69e0ed528b32 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 29 Dec 2016 14:00:36 +0100
-Subject: [PATCH 01/20] s4:gensec_gssapi: the value
- gensec_get_target_principal() should overwrite gensec_get_target_hostname()
-
-If gensec_get_target_principal() has a value, we no longer have to verify
-the gensec_get_target_hostname() value, it can be just an ipadress.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 48bcca566ebb3a5385b15b0525d7fbdd06361e04)
----
- source4/auth/gensec/gensec_gssapi.c | 24 ++++++++++++++++++------
- 1 file changed, 18 insertions(+), 6 deletions(-)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index a6c4019aa6f..3974c3d42a0 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -307,7 +307,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
- gss_buffer_desc name_token;
- gss_OID name_type;
- OM_uint32 maj_stat, min_stat;
-+ const char *target_principal = NULL;
- const char *hostname = gensec_get_target_hostname(gensec_security);
-+ const char *service = gensec_get_target_service(gensec_security);
-+ const char *realm = cli_credentials_get_realm(creds);
-+
-+ target_principal = gensec_get_target_principal(gensec_security);
-+ if (target_principal != NULL) {
-+ goto do_start;
-+ }
-
- if (!hostname) {
- DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n"));
-@@ -322,6 +330,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
- return NT_STATUS_INVALID_PARAMETER;
- }
-
-+do_start:
-+
- nt_status = gensec_gssapi_start(gensec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
-@@ -333,16 +343,18 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
- gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
- }
-
-- gensec_gssapi_state->target_principal = gensec_get_target_principal(gensec_security);
-- if (gensec_gssapi_state->target_principal) {
-+ if (target_principal != NULL) {
- name_type = GSS_C_NULL_OID;
- } else {
-- gensec_gssapi_state->target_principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s",
-- gensec_get_target_service(gensec_security),
-- hostname, cli_credentials_get_realm(creds));
--
-+ target_principal = talloc_asprintf(gensec_gssapi_state,
-+ "%s/%s@%s", service, hostname, realm);
-+ if (target_principal == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
- name_type = GSS_C_NT_USER_NAME;
- }
-+ gensec_gssapi_state->target_principal = target_principal;
-+
- name_token.value = discard_const_p(uint8_t, gensec_gssapi_state->target_principal);
- name_token.length = strlen(gensec_gssapi_state->target_principal);
-
---
-2.12.0
-
-
-From 12d74cd165db3603ba2f3a58343e9a82fb22ee93 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 29 Dec 2016 15:20:00 +0100
-Subject: [PATCH 02/20] s4:gensec_gssapi: require a realm in
- gensec_gssapi_client_start()
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 3a870baee8d9dbe5359f04a108814afc27e57d46)
----
- source4/auth/gensec/gensec_gssapi.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index 3974c3d42a0..957cfa4229d 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -330,6 +330,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
- return NT_STATUS_INVALID_PARAMETER;
- }
-
-+ if (realm == NULL) {
-+ const char *cred_name = cli_credentials_get_unparsed_name(creds,
-+ gensec_security);
-+ DEBUG(3, ("cli_credentials(%s) without realm, "
-+ "cannot use kerberos for this connection %s/%s\n",
-+ cred_name, service, hostname));
-+ talloc_free(discard_const_p(char, cred_name));
-+ return NT_STATUS_INVALID_PARAMETER;
-+ }
-+
- do_start:
-
- nt_status = gensec_gssapi_start(gensec_security);
---
-2.12.0
-
-
-From beb9e4379333872ff1e5a3422ba70ccb409e9915 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 6 Mar 2017 09:13:09 +0100
-Subject: [PATCH 03/20] testprogs: Use smbclient by default in
- test_kinit_trusts
-
-This is the tool we use by default and we should test with it.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 9b3ff90dbc5cc1017dfc89831a1081272e6c2356)
----
- testprogs/blackbox/test_kinit_trusts_heimdal.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
-index 073e0e7517e..040bf919203 100755
---- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh
-+++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
-@@ -32,7 +32,7 @@ if test -x $samba4bindir/samba4kinit; then
- samba4kinit=$samba4bindir/samba4kinit
- fi
-
--smbclient="$samba4bindir/smbclient4"
-+smbclient="$samba4bindir/smbclient"
- wbinfo="$samba4bindir/wbinfo"
- rpcclient="$samba4bindir/rpcclient"
- samba_tool="$samba4bindir/samba-tool"
---
-2.12.0
-
-
-From 7feebdec869ed633bea612630ebca8d9b85a3e2e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 6 Mar 2017 09:15:45 +0100
-Subject: [PATCH 04/20] testprogs: Add kinit_trusts tests with smbclient4
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 42bd003f468ab95b6ac97c774e2cd217d06c05ed)
----
- testprogs/blackbox/test_kinit_trusts_heimdal.sh | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
-index 040bf919203..e67f77361a4 100755
---- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh
-+++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
-@@ -52,8 +52,16 @@ rm -rf $KRB5CCNAME_PATH
- echo $TRUST_PASSWORD > $PREFIX/tmppassfile
- testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
- test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
-+rm -rf $KRB5CCNAME_PATH
-+
-+# Test with smbclient4
-+smbclient="$samba4bindir/smbclient4"
-+testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
-+test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
-+rm -rf $KRB5CCNAME_PATH
-
- testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
-+smbclient="$samba4bindir/smbclient"
- test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
-
- if test x"${TYPE}" = x"forest" ;then
---
-2.12.0
-
-
-From cae7475df03e7d464dc8642a7a02dad388215d1e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 8 Mar 2017 10:40:08 +0100
-Subject: [PATCH 05/20] krb5_wrap: Do not return an empty realm from
- smb_krb5_get_realm_from_hostname()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 946f9dd1170be63b91e31ce825ea123f3c07329b)
----
- lib/krb5_wrap/krb5_samba.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 10b42dec53f..9dc7304d566 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -2691,7 +2691,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
- goto out;
- }
-
-- if (realm_list && realm_list[0]) {
-+ if (realm_list != NULL &&
-+ realm_list[0] != NULL &&
-+ realm_list[0][0] != '\0') {
- realm = talloc_strdup(mem_ctx, realm_list[0]);
- }
-
---
-2.12.0
-
-
-From 1d2b4a00e2a1213df81192e01f2d833ed4a6ec54 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 8 Mar 2017 10:48:52 +0100
-Subject: [PATCH 06/20] krb5_wrap: Try to guess the correct realm from the
- service hostname
-
-If we do not get a realm mapping from the krb5.conf or from the Kerberos
-library try to guess it from the service hostname. The guessing of the
-realm from the service hostname is already implemented in Heimdal. This
-makes the behavior of smb_krb5_get_realm_from_hostname() consistent
-with both MIT and Heimdal.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 65228925ab3c4da4ae299f77cae219fc7d37cc68)
----
- lib/krb5_wrap/krb5_samba.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 9dc7304d566..f8ef9f1df0f 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -2695,6 +2695,19 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
- realm_list[0] != NULL &&
- realm_list[0][0] != '\0') {
- realm = talloc_strdup(mem_ctx, realm_list[0]);
-+ } else {
-+ const char *p = NULL;
-+
-+ /*
-+ * "dc6.samba2003.example.com"
-+ * returns a realm of "SAMBA2003.EXAMPLE.COM"
-+ *
-+ * "dc6." returns realm as NULL
-+ */
-+ p = strchr_m(hostname, '.');
-+ if (p != NULL && p[1] != '\0') {
-+ realm = talloc_strdup_upper(mem_ctx, p + 1);
-+ }
- }
-
- out:
---
-2.12.0
-
-
-From 0e99683587c9047055ca6432fae0a11604710b69 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 8 Mar 2017 11:56:30 +0100
-Subject: [PATCH 07/20] krb5_wrap: pass client_realm to
- smb_krb5_get_realm_from_hostname()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit f0c4fcace586197d5c170f6a9dcc175df23e3802)
----
- lib/krb5_wrap/krb5_samba.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index f8ef9f1df0f..36bcc65e22a 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -2664,7 +2664,8 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
- ************************************************************************/
-
- static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
-- const char *hostname)
-+ const char *hostname,
-+ const char *client_realm)
- {
- #if defined(HAVE_KRB5_REALM_TYPE)
- /* Heimdal. */
-@@ -2695,6 +2696,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
- realm_list[0] != NULL &&
- realm_list[0][0] != '\0') {
- realm = talloc_strdup(mem_ctx, realm_list[0]);
-+ if (realm == NULL) {
-+ goto out;
-+ }
- } else {
- const char *p = NULL;
-
-@@ -2707,9 +2711,16 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
- p = strchr_m(hostname, '.');
- if (p != NULL && p[1] != '\0') {
- realm = talloc_strdup_upper(mem_ctx, p + 1);
-+ if (realm == NULL) {
-+ goto out;
-+ }
- }
- }
-
-+ if (realm == NULL) {
-+ realm = talloc_strdup(mem_ctx, client_realm);
-+ }
-+
- out:
-
- if (ctx) {
-@@ -2752,7 +2763,8 @@ char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
- if (host) {
- /* DNS name. */
- realm = smb_krb5_get_realm_from_hostname(talloc_tos(),
-- remote_name);
-+ remote_name,
-+ default_realm);
- } else {
- /* NetBIOS name - use our realm. */
- realm = smb_krb5_get_default_realm_from_ccache(talloc_tos());
---
-2.12.0
-
-
-From 6876b0d12f8aad4448f4a7d770db7ff129df6c50 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 8 Mar 2017 11:56:30 +0100
-Subject: [PATCH 08/20] krb5_wrap: Make smb_krb5_get_realm_from_hostname()
- public
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 339a2ecb3f05d0c9e860a5dd59b8bdbc51d4ffa7)
----
- lib/krb5_wrap/krb5_samba.c | 28 +++++++++++++++++++++-------
- lib/krb5_wrap/krb5_samba.h | 4 ++++
- 2 files changed, 25 insertions(+), 7 deletions(-)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 36bcc65e22a..2b0ec6bfa0e 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -2659,13 +2659,27 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
- return realm;
- }
-
--/************************************************************************
-- Routine to get the realm from a given DNS name.
--************************************************************************/
--
--static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
-- const char *hostname,
-- const char *client_realm)
-+/**
-+ * @brief Get the realm from the service hostname.
-+ *
-+ * This function will look for a domain realm mapping in the [domain_realm]
-+ * section of the krb5.conf first and fallback to extract the realm from
-+ * the provided service hostname. As a last resort it will return the
-+ * provided client_realm.
-+ *
-+ * @param[in] mem_ctx The talloc context
-+ *
-+ * @param[in] hostname The service hostname
-+ *
-+ * @param[in] client_realm If we can not find a mapping, fall back to
-+ * this realm.
-+ *
-+ * @return The realm to use for the service hostname, NULL if a fatal error
-+ * occured.
-+ */
-+char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
-+ const char *hostname,
-+ const char *client_realm)
- {
- #if defined(HAVE_KRB5_REALM_TYPE)
- /* Heimdal. */
-diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
-index 71e81ea26e1..accae449a0e 100644
---- a/lib/krb5_wrap/krb5_samba.h
-+++ b/lib/krb5_wrap/krb5_samba.h
-@@ -314,6 +314,10 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
- krb5_principal principal,
- const char *realm);
-
-+char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
-+ const char *hostname,
-+ const char *client_realm);
-+
- char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
- const char *service,
- const char *remote_name,
---
-2.12.0
-
-
-From 08a81c315129c3d07637a8a5064b4ef988864efd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 6 Mar 2017 09:19:13 +0100
-Subject: [PATCH 09/20] s4:gensec-gssapi: Create a helper function to setup
- server_principal
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 8f7c4529420316b553c80cd3d19b6996525b029a)
----
- source4/auth/gensec/gensec_gssapi.c | 88 +++++++++++++++++++++++++------------
- source4/auth/gensec/gensec_gssapi.h | 2 +-
- 2 files changed, 61 insertions(+), 29 deletions(-)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index 957cfa4229d..ec57d193714 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -83,6 +83,56 @@ static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_st
- return 0;
- }
-
-+static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx,
-+ const char *target_principal,
-+ const char *service,
-+ const char *hostname,
-+ const char *realm,
-+ const gss_OID mech,
-+ char **pserver_principal,
-+ gss_name_t *pserver_name)
-+{
-+ char *server_principal = NULL;
-+ gss_buffer_desc name_token;
-+ gss_OID name_type;
-+ OM_uint32 maj_stat, min_stat = 0;
-+
-+ if (target_principal != NULL) {
-+ server_principal = talloc_strdup(mem_ctx, target_principal);
-+ name_type = GSS_C_NULL_OID;
-+ } else {
-+ server_principal = talloc_asprintf(mem_ctx,
-+ "%s/%s@%s",
-+ service, hostname, realm);
-+ name_type = GSS_C_NT_USER_NAME;
-+ }
-+ if (server_principal == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ name_token.value = (uint8_t *)server_principal;
-+ name_token.length = strlen(server_principal);
-+
-+ maj_stat = gss_import_name(&min_stat,
-+ &name_token,
-+ name_type,
-+ pserver_name);
-+ if (maj_stat) {
-+ DBG_WARNING("GSS Import name of %s failed: %s\n",
-+ server_principal,
-+ gssapi_error_string(mem_ctx,
-+ maj_stat,
-+ min_stat,
-+ mech));
-+ TALLOC_FREE(server_principal);
-+ return NT_STATUS_INVALID_PARAMETER;
-+ }
-+
-+ *pserver_principal = server_principal;
-+
-+ return NT_STATUS_OK;
-+}
-+
- static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
- {
- struct gensec_gssapi_state *gensec_gssapi_state;
-@@ -304,9 +354,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
- struct gensec_gssapi_state *gensec_gssapi_state;
- struct cli_credentials *creds = gensec_get_credentials(gensec_security);
- NTSTATUS nt_status;
-- gss_buffer_desc name_token;
-- gss_OID name_type;
-- OM_uint32 maj_stat, min_stat;
- const char *target_principal = NULL;
- const char *hostname = gensec_get_target_hostname(gensec_security);
- const char *service = gensec_get_target_service(gensec_security);
-@@ -353,31 +400,16 @@ do_start:
- gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
- }
-
-- if (target_principal != NULL) {
-- name_type = GSS_C_NULL_OID;
-- } else {
-- target_principal = talloc_asprintf(gensec_gssapi_state,
-- "%s/%s@%s", service, hostname, realm);
-- if (target_principal == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
-- name_type = GSS_C_NT_USER_NAME;
-- }
-- gensec_gssapi_state->target_principal = target_principal;
--
-- name_token.value = discard_const_p(uint8_t, gensec_gssapi_state->target_principal);
-- name_token.length = strlen(gensec_gssapi_state->target_principal);
--
--
-- maj_stat = gss_import_name (&min_stat,
-- &name_token,
-- name_type,
-- &gensec_gssapi_state->server_name);
-- if (maj_stat) {
-- DEBUG(2, ("GSS Import name of %s failed: %s\n",
-- (char *)name_token.value,
-- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
-- return NT_STATUS_INVALID_PARAMETER;
-+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
-+ target_principal,
-+ service,
-+ hostname,
-+ realm,
-+ gensec_gssapi_state->gss_oid,
-+ &gensec_gssapi_state->target_principal,
-+ &gensec_gssapi_state->server_name);
-+ if (!NT_STATUS_IS_OK(nt_status)) {
-+ return nt_status;
- }
-
- return NT_STATUS_OK;
-diff --git a/source4/auth/gensec/gensec_gssapi.h b/source4/auth/gensec/gensec_gssapi.h
-index cf0e3a8d914..d788b5ebc38 100644
---- a/source4/auth/gensec/gensec_gssapi.h
-+++ b/source4/auth/gensec/gensec_gssapi.h
-@@ -65,5 +65,5 @@ struct gensec_gssapi_state {
- int gss_exchange_count;
- size_t sig_size;
-
-- const char *target_principal;
-+ char *target_principal;
- };
---
-2.12.0
-
-
-From 78a76c53e9b0e7caf67a43eeb7929a4fe94fa25e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 8 Mar 2017 12:34:59 +0100
-Subject: [PATCH 10/20] s4:gensec_gssapi: Move setup of service_principal to
- update function
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit bf6358bf035e7ad48bd15cc2164afab2a19e7ad6)
----
- source4/auth/gensec/gensec_gssapi.c | 33 ++++++++++++++++++++-------------
- 1 file changed, 20 insertions(+), 13 deletions(-)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index ec57d193714..6cb4431e0d9 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -400,18 +400,6 @@ do_start:
- gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
- }
-
-- nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
-- target_principal,
-- service,
-- hostname,
-- realm,
-- gensec_gssapi_state->gss_oid,
-- &gensec_gssapi_state->target_principal,
-- &gensec_gssapi_state->server_name);
-- if (!NT_STATUS_IS_OK(nt_status)) {
-- return nt_status;
-- }
--
- return NT_STATUS_OK;
- }
-
-@@ -452,7 +440,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
- OM_uint32 min_stat2;
- gss_buffer_desc input_token = { 0, NULL };
- gss_buffer_desc output_token = { 0, NULL };
--
-+ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
-+ const char *target_principal = gensec_get_target_principal(gensec_security);
-+ const char *hostname = gensec_get_target_hostname(gensec_security);
-+ const char *service = gensec_get_target_service(gensec_security);
-+ const char *client_realm = cli_credentials_get_realm(cli_creds);
- gss_OID gss_oid_p = NULL;
- OM_uint32 time_req = 0;
- OM_uint32 time_rec = 0;
-@@ -491,6 +483,21 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
- return NT_STATUS_INTERNAL_ERROR;
- }
- #endif
-+
-+ if (gensec_gssapi_state->server_name == NULL) {
-+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
-+ target_principal,
-+ service,
-+ hostname,
-+ client_realm,
-+ gensec_gssapi_state->gss_oid,
-+ &gensec_gssapi_state->target_principal,
-+ &gensec_gssapi_state->server_name);
-+ if (!NT_STATUS_IS_OK(nt_status)) {
-+ return nt_status;
-+ }
-+ }
-+
- maj_stat = gss_init_sec_context(&min_stat,
- gensec_gssapi_state->client_cred->creds,
- &gensec_gssapi_state->gssapi_context,
---
-2.12.0
-
-
-From 7541d4a3c1a665925c8d3aa97963729874c70761 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 8 Mar 2017 11:03:17 +0100
-Subject: [PATCH 11/20] s4:gensec_gssapi: Use
- smb_krb5_get_realm_from_hostname()
-
-With credentials for administrator@FOREST1.EXAMPLE.COM
-this patch changes the target_principal for
-the ldap service of host dc2.forest2.example.com
-from
-
- ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
-
-to
-
- ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
-
-Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
-should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
-to generate a referral ticket for
-krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
-
-The problem is that KDCs only return such referral tickets
-if there's a forest trust between FOREST1.EXAMPLE.COM
-and FOREST2.EXAMPLE.COM. If there's only an external domain
-trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
-the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
-when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
-
-In the case of an external trust the client can still ask
-explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
-and the KDC of FOREST1.EXAMPLE.COM will generate it.
-
-From there the client can use the
-krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
-ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
-service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
-
-With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
-when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
-target principal. As _krb5_get_cred_kdc_any() first calls
-get_cred_kdc_referral() (which always starts with the client realm)
-and falls back to get_cred_kdc_capath() (which starts with the given realm).
-
-MIT krb5 only tries the given realm of the target principal,
-if we want to autodetect support for transitive forest trusts,
-we'll have to do the fallback ourself.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 3781eb250173981a8890b82d1ff9358f144034cd)
----
- source4/auth/gensec/gensec_gssapi.c | 62 ++++++++++++++++++++++++++++++++++++-
- 1 file changed, 61 insertions(+), 1 deletion(-)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index 6cb4431e0d9..57392a04e60 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -445,6 +445,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
- const char *hostname = gensec_get_target_hostname(gensec_security);
- const char *service = gensec_get_target_service(gensec_security);
- const char *client_realm = cli_credentials_get_realm(cli_creds);
-+ const char *server_realm = NULL;
- gss_OID gss_oid_p = NULL;
- OM_uint32 time_req = 0;
- OM_uint32 time_rec = 0;
-@@ -484,12 +485,71 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
- }
- #endif
-
-+ /*
-+ * With credentials for
-+ * administrator@FOREST1.EXAMPLE.COM this patch changes
-+ * the target_principal for the ldap service of host
-+ * dc2.forest2.example.com from
-+ *
-+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
-+ *
-+ * to
-+ *
-+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
-+ *
-+ * Typically
-+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
-+ * should be used in order to allow the KDC of
-+ * FOREST1.EXAMPLE.COM to generate a referral ticket
-+ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
-+ *
-+ * The problem is that KDCs only return such referral
-+ * tickets if there's a forest trust between
-+ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If
-+ * there's only an external domain trust between
-+ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC
-+ * of FOREST1.EXAMPLE.COM will respond with
-+ * S_PRINCIPAL_UNKNOWN when being asked for
-+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
-+ *
-+ * In the case of an external trust the client can
-+ * still ask explicitly for
-+ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and
-+ * the KDC of FOREST1.EXAMPLE.COM will generate it.
-+ *
-+ * From there the client can use the
-+ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
-+ * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
-+ * service ticket for
-+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
-+ *
-+ * With Heimdal we'll get the fallback on
-+ * S_PRINCIPAL_UNKNOWN behavior when we pass
-+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
-+ * target principal. As _krb5_get_cred_kdc_any() first
-+ * calls get_cred_kdc_referral() (which always starts
-+ * with the client realm) and falls back to
-+ * get_cred_kdc_capath() (which starts with the given
-+ * realm).
-+ *
-+ * MIT krb5 only tries the given realm of the target
-+ * principal, if we want to autodetect support for
-+ * transitive forest trusts, would have to do the
-+ * fallback ourself.
-+ */
- if (gensec_gssapi_state->server_name == NULL) {
-+ server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
-+ hostname,
-+ client_realm);
-+ if (server_realm == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
- nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
- target_principal,
- service,
- hostname,
-- client_realm,
-+ server_realm,
- gensec_gssapi_state->gss_oid,
- &gensec_gssapi_state->target_principal,
- &gensec_gssapi_state->server_name);
---
-2.12.0
-
-
-From 97935a1164d328b466bc305c37869e78d306173a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 8 Mar 2017 13:10:05 +0100
-Subject: [PATCH 12/20] s4:gensec_gssapi: Correctly handle external trusts with
- MIT
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 2dd4887648bf006a577e03fc027e881738ca04ab)
----
- source4/auth/gensec/gensec_gssapi.c | 51 +++++++++++++++++++++++++++++++++++++
- 1 file changed, 51 insertions(+)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index 57392a04e60..61911aae9d9 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -464,6 +464,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
- switch (gensec_security->gensec_role) {
- case GENSEC_CLIENT:
- {
-+ bool fallback = false;
- #ifdef SAMBA4_USES_HEIMDAL
- struct gsskrb5_send_to_kdc send_to_kdc;
- krb5_error_code ret;
-@@ -537,6 +538,48 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
- * transitive forest trusts, would have to do the
- * fallback ourself.
- */
-+#ifndef SAMBA4_USES_HEIMDAL
-+ if (gensec_gssapi_state->server_name == NULL) {
-+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
-+ target_principal,
-+ service,
-+ hostname,
-+ client_realm,
-+ gensec_gssapi_state->gss_oid,
-+ &gensec_gssapi_state->target_principal,
-+ &gensec_gssapi_state->server_name);
-+ if (!NT_STATUS_IS_OK(nt_status)) {
-+ return nt_status;
-+ }
-+
-+ maj_stat = gss_init_sec_context(&min_stat,
-+ gensec_gssapi_state->client_cred->creds,
-+ &gensec_gssapi_state->gssapi_context,
-+ gensec_gssapi_state->server_name,
-+ gensec_gssapi_state->gss_oid,
-+ gensec_gssapi_state->gss_want_flags,
-+ time_req,
-+ gensec_gssapi_state->input_chan_bindings,
-+ &input_token,
-+ &gss_oid_p,
-+ &output_token,
-+ &gensec_gssapi_state->gss_got_flags, /* ret flags */
-+ &time_rec);
-+ if (maj_stat != GSS_S_FAILURE) {
-+ goto init_sec_context_done;
-+ }
-+ if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
-+ goto init_sec_context_done;
-+ }
-+ if (target_principal != NULL) {
-+ goto init_sec_context_done;
-+ }
-+
-+ fallback = true;
-+ TALLOC_FREE(gensec_gssapi_state->target_principal);
-+ gss_release_name(&min_stat2, &gensec_gssapi_state->server_name);
-+ }
-+#endif /* !SAMBA4_USES_HEIMDAL */
- if (gensec_gssapi_state->server_name == NULL) {
- server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
- hostname,
-@@ -545,6 +588,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
- return NT_STATUS_NO_MEMORY;
- }
-
-+ if (fallback &&
-+ strequal(client_realm, server_realm)) {
-+ goto init_sec_context_done;
-+ }
-+
- nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
- target_principal,
- service,
-@@ -571,6 +619,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
- &output_token,
- &gensec_gssapi_state->gss_got_flags, /* ret flags */
- &time_rec);
-+ goto init_sec_context_done;
-+ /* JUMP! */
-+init_sec_context_done:
- if (gss_oid_p) {
- gensec_gssapi_state->gss_oid = gss_oid_p;
- }
---
-2.12.0
-
-
-From 71a49b84ebb8d45d91d21ebf92d3c7302b24f490 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 Mar 2017 07:54:29 +0100
-Subject: [PATCH 13/20] s3:gse: Use smb_krb5_get_realm_from_hostname()
-
-With credentials for administrator@FOREST1.EXAMPLE.COM
-this patch changes the target_principal for
-the ldap service of host dc2.forest2.example.com
-from
-
- ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
-
-to
-
- ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
-
-Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
-should be used in order to allow the KDC of FOREST1.EXAMPLE.COM
-to generate a referral ticket for
-krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
-
-The problem is that KDCs only return such referral tickets
-if there's a forest trust between FOREST1.EXAMPLE.COM
-and FOREST2.EXAMPLE.COM. If there's only an external domain
-trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM
-the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN
-when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
-
-In the case of an external trust the client can still ask
-explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
-and the KDC of FOREST1.EXAMPLE.COM will generate it.
-
-From there the client can use the
-krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
-ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
-service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
-
-With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
-when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
-target principal. As _krb5_get_cred_kdc_any() first calls
-get_cred_kdc_referral() (which always starts with the client realm)
-and falls back to get_cred_kdc_capath() (which starts with the given realm).
-
-MIT krb5 only tries the given realm of the target principal,
-if we want to autodetect support for transitive forest trusts,
-we'll have to do the fallback ourself.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit a3d95ed9037fb8b14a451da02dcadf011485ae34)
----
- source3/librpc/crypto/gse.c | 93 +++++++++++++++++++++++++++++++++------------
- 1 file changed, 68 insertions(+), 25 deletions(-)
-
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index abf20bc7dfd..57632f6cc8f 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -120,6 +120,54 @@ static int gse_context_destructor(void *ptr)
- return 0;
- }
-
-+static NTSTATUS gse_setup_server_principal(TALLOC_CTX *mem_ctx,
-+ const char *target_principal,
-+ const char *service,
-+ const char *hostname,
-+ const char *realm,
-+ char **pserver_principal,
-+ gss_name_t *pserver_name)
-+{
-+ char *server_principal = NULL;
-+ gss_buffer_desc name_token;
-+ gss_OID name_type;
-+ OM_uint32 maj_stat, min_stat = 0;
-+
-+ if (target_principal != NULL) {
-+ server_principal = talloc_strdup(mem_ctx, target_principal);
-+ name_type = GSS_C_NULL_OID;
-+ } else {
-+ server_principal = talloc_asprintf(mem_ctx,
-+ "%s/%s@%s",
-+ service,
-+ hostname,
-+ realm);
-+ name_type = GSS_C_NT_USER_NAME;
-+ }
-+ if (server_principal == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ name_token.value = (uint8_t *)server_principal;
-+ name_token.length = strlen(server_principal);
-+
-+ maj_stat = gss_import_name(&min_stat,
-+ &name_token,
-+ name_type,
-+ pserver_name);
-+ if (maj_stat) {
-+ DBG_WARNING("GSS Import name of %s failed: %s\n",
-+ server_principal,
-+ gse_errstr(mem_ctx, maj_stat, min_stat));
-+ TALLOC_FREE(server_principal);
-+ return NT_STATUS_INVALID_PARAMETER;
-+ }
-+
-+ *pserver_principal = server_principal;
-+
-+ return NT_STATUS_OK;
-+}
-+
- static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
- bool do_sign, bool do_seal,
- const char *ccache_name,
-@@ -203,11 +251,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
- {
- struct gse_context *gse_ctx;
- OM_uint32 gss_maj, gss_min;
-- gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
- #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
- gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
- gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
- #endif
-+ char *server_principal = NULL;
-+ char *server_realm = NULL;
- NTSTATUS status;
-
- if (!server || !service) {
-@@ -223,30 +272,24 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
-
- /* Guess the realm based on the supplied service, and avoid the GSS libs
- doing DNS lookups which may fail.
--
-- TODO: Loop with the KDC on some more combinations (local
-- realm in particular), possibly falling back to
-- GSS_C_NT_HOSTBASED_SERVICE
- */
-- name_buffer.value =
-- smb_krb5_get_principal_from_service_hostname(gse_ctx,
-- service,
-- server,
-- realm);
-- if (!name_buffer.value) {
-- status = NT_STATUS_NO_MEMORY;
-- goto err_out;
-+ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
-+ server,
-+ realm);
-+ if (server_realm == NULL) {
-+ return NT_STATUS_NO_MEMORY;
- }
-- name_buffer.length = strlen((char *)name_buffer.value);
-- gss_maj = gss_import_name(&gss_min, &name_buffer,
-- GSS_C_NT_USER_NAME,
-- &gse_ctx->server_name);
-- if (gss_maj) {
-- DEBUG(5, ("gss_import_name failed for %s, with [%s]\n",
-- (char *)name_buffer.value,
-- gse_errstr(gse_ctx, gss_maj, gss_min)));
-- status = NT_STATUS_INTERNAL_ERROR;
-- goto err_out;
-+
-+ status = gse_setup_server_principal(mem_ctx,
-+ NULL,
-+ service,
-+ server,
-+ server_realm,
-+ &server_principal,
-+ &gse_ctx->server_name);
-+ TALLOC_FREE(server_realm);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
- }
-
- /* TODO: get krb5 ticket using username/password, if no valid
-@@ -299,11 +342,11 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
- #endif
-
- *_gse_ctx = gse_ctx;
-- TALLOC_FREE(name_buffer.value);
-+ TALLOC_FREE(server_principal);
- return NT_STATUS_OK;
-
- err_out:
-- TALLOC_FREE(name_buffer.value);
-+ TALLOC_FREE(server_principal);
- TALLOC_FREE(gse_ctx);
- return status;
- }
---
-2.12.0
-
-
-From 905cdd3ee1fea0bf0e2081da4489934944c55fa9 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 Mar 2017 09:10:12 +0100
-Subject: [PATCH 14/20] krb5_wrap: Remove obsolete
- smb_krb5_get_principal_from_service_hostname()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 804e828d52ec922f3970e847652ab1ee5538b9b0)
----
- lib/krb5_wrap/krb5_samba.c | 111 ---------------------------------------------
- lib/krb5_wrap/krb5_samba.h | 5 --
- 2 files changed, 116 deletions(-)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 2b0ec6bfa0e..0b67ea52a19 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -2604,61 +2604,6 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
- }
-
-
--/************************************************************************
-- Routine to get the default realm from the kerberos credentials cache.
-- Caller must free if the return value is not NULL.
--************************************************************************/
--
--static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
--{
-- char *realm = NULL;
-- krb5_context ctx = NULL;
-- krb5_ccache cc = NULL;
-- krb5_principal princ = NULL;
--
-- initialize_krb5_error_table();
-- if (krb5_init_context(&ctx)) {
-- return NULL;
-- }
--
-- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
-- "Trying to read krb5 cache: %s\n",
-- krb5_cc_default_name(ctx)));
-- if (krb5_cc_default(ctx, &cc)) {
-- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
-- "failed to read default cache\n"));
-- goto out;
-- }
-- if (krb5_cc_get_principal(ctx, cc, &princ)) {
-- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
-- "failed to get default principal\n"));
-- goto out;
-- }
--
--#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
-- realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ));
--#elif defined(HAVE_KRB5_PRINC_REALM)
-- {
-- krb5_data *realm_data = krb5_princ_realm(ctx, princ);
-- realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length);
-- }
--#endif
--
-- out:
--
-- if (ctx) {
-- if (princ) {
-- krb5_free_principal(ctx, princ);
-- }
-- if (cc) {
-- krb5_cc_close(ctx, cc);
-- }
-- krb5_free_context(ctx);
-- }
--
-- return realm;
--}
--
- /**
- * @brief Get the realm from the service hostname.
- *
-@@ -2749,62 +2694,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
- }
-
- /**
-- * @brief Get the principal as a string from the service hostname.
-- *
-- * @param[in] mem_ctx The talloc context
-- *
-- * @param[in] service The service name
-- *
-- * @param[in] remote_name The remote name
-- *
-- * @param[in] default_realm The default_realm if we cannot get it from the
-- * hostname or netbios name.
-- *
-- * @return A talloc'ed principal string or NULL if an error occured.
-- *
-- * The caller needs to free the principal with talloc_free() if it isn't needed
-- * anymore.
-- */
--char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
-- const char *service,
-- const char *remote_name,
-- const char *default_realm)
--{
-- char *realm = NULL;
-- char *host = NULL;
-- char *principal;
-- host = strchr_m(remote_name, '.');
-- if (host) {
-- /* DNS name. */
-- realm = smb_krb5_get_realm_from_hostname(talloc_tos(),
-- remote_name,
-- default_realm);
-- } else {
-- /* NetBIOS name - use our realm. */
-- realm = smb_krb5_get_default_realm_from_ccache(talloc_tos());
-- }
--
-- if (realm == NULL || *realm == '\0') {
-- realm = talloc_strdup(talloc_tos(), default_realm);
-- if (!realm) {
-- return NULL;
-- }
-- DEBUG(3,("Cannot get realm from, "
-- "desthost %s or default ccache. Using default "
-- "smb.conf realm %s\n",
-- remote_name,
-- realm));
-- }
--
-- principal = talloc_asprintf(mem_ctx,
-- "%s/%s@%s",
-- service, remote_name,
-- realm);
-- TALLOC_FREE(realm);
-- return principal;
--}
--
--/**
- * @brief Get an error string from a Kerberos error code.
- *
- * @param[in] context The library context.
-diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
-index accae449a0e..c921538efcb 100644
---- a/lib/krb5_wrap/krb5_samba.h
-+++ b/lib/krb5_wrap/krb5_samba.h
-@@ -318,11 +318,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
- const char *hostname,
- const char *client_realm);
-
--char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
-- const char *service,
-- const char *remote_name,
-- const char *default_realm);
--
- char *smb_get_krb5_error_message(krb5_context context,
- krb5_error_code code,
- TALLOC_CTX *mem_ctx);
---
-2.12.0
-
-
-From 0ea7203430b580e93816035b8201ddd11346cd4e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 6 Mar 2017 08:16:11 +0100
-Subject: [PATCH 15/20] s3:gse: Pass down the gensec_security pointer
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit e6b1e58874de30d094f9bce474479cfddb39d3fc)
----
- source3/librpc/crypto/gse.c | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index 57632f6cc8f..5a39522a828 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -352,10 +352,13 @@ err_out:
- }
-
- static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
-- struct gse_context *gse_ctx,
-+ struct gensec_security *gensec_security,
- const DATA_BLOB *token_in,
- DATA_BLOB *token_out)
- {
-+ struct gse_context *gse_ctx =
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct gse_context);
- OM_uint32 gss_maj, gss_min;
- gss_buffer_desc in_data;
- gss_buffer_desc out_data;
-@@ -542,10 +545,13 @@ done:
- }
-
- static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
-- struct gse_context *gse_ctx,
-+ struct gensec_security *gensec_security,
- const DATA_BLOB *token_in,
- DATA_BLOB *token_out)
- {
-+ struct gse_context *gse_ctx =
-+ talloc_get_type_abort(gensec_security->private_data,
-+ struct gse_context);
- OM_uint32 gss_maj, gss_min;
- gss_buffer_desc in_data;
- gss_buffer_desc out_data;
-@@ -762,17 +768,16 @@ static NTSTATUS gensec_gse_update(struct gensec_security *gensec_security,
- const DATA_BLOB in, DATA_BLOB *out)
- {
- NTSTATUS status;
-- struct gse_context *gse_ctx =
-- talloc_get_type_abort(gensec_security->private_data,
-- struct gse_context);
-
- switch (gensec_security->gensec_role) {
- case GENSEC_CLIENT:
-- status = gse_get_client_auth_token(mem_ctx, gse_ctx,
-+ status = gse_get_client_auth_token(mem_ctx,
-+ gensec_security,
- &in, out);
- break;
- case GENSEC_SERVER:
-- status = gse_get_server_auth_token(mem_ctx, gse_ctx,
-+ status = gse_get_server_auth_token(mem_ctx,
-+ gensec_security,
- &in, out);
- break;
- }
---
-2.12.0
-
-
-From 36b353247939414cd7f91abd27bfc553bd62c06f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 Mar 2017 08:05:26 +0100
-Subject: [PATCH 16/20] s3:gse: Move setup of service_principal to update
- function
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 3ba1ad1f8c7871070d0ecbe5d49c5c44afe98bbf)
----
- source3/librpc/crypto/gse.c | 97 +++++++++++++++++++++++++++++++++------------
- 1 file changed, 71 insertions(+), 26 deletions(-)
-
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index 5a39522a828..3580181061e 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -255,8 +255,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
- gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
- gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
- #endif
-- char *server_principal = NULL;
-- char *server_realm = NULL;
- NTSTATUS status;
-
- if (!server || !service) {
-@@ -270,28 +268,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- /* Guess the realm based on the supplied service, and avoid the GSS libs
-- doing DNS lookups which may fail.
-- */
-- server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
-- server,
-- realm);
-- if (server_realm == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- status = gse_setup_server_principal(mem_ctx,
-- NULL,
-- service,
-- server,
-- server_realm,
-- &server_principal,
-- &gse_ctx->server_name);
-- TALLOC_FREE(server_realm);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
- /* TODO: get krb5 ticket using username/password, if no valid
- * one already available in ccache */
-
-@@ -342,11 +318,9 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
- #endif
-
- *_gse_ctx = gse_ctx;
-- TALLOC_FREE(server_principal);
- return NT_STATUS_OK;
-
- err_out:
-- TALLOC_FREE(server_principal);
- TALLOC_FREE(gse_ctx);
- return status;
- }
-@@ -366,10 +340,81 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
- NTSTATUS status;
- OM_uint32 time_rec = 0;
- struct timeval tv;
-+ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
-+ const char *hostname = gensec_get_target_hostname(gensec_security);
-+ const char *service = gensec_get_target_service(gensec_security);
-+ const char *client_realm = cli_credentials_get_realm(cli_creds);
-+ char *server_principal = NULL;
-+ char *server_realm = NULL;
-
- in_data.value = token_in->data;
- in_data.length = token_in->length;
-
-+ /*
-+ * With credentials for administrator@FOREST1.EXAMPLE.COM this patch
-+ * changes the target_principal for the ldap service of host
-+ * dc2.forest2.example.com from
-+ *
-+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
-+ *
-+ * to
-+ *
-+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
-+ *
-+ * Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be
-+ * used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a
-+ * referral ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
-+ *
-+ * The problem is that KDCs only return such referral tickets if
-+ * there's a forest trust between FOREST1.EXAMPLE.COM and
-+ * FOREST2.EXAMPLE.COM. If there's only an external domain trust
-+ * between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of
-+ * FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being
-+ * asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
-+ *
-+ * In the case of an external trust the client can still ask explicitly
-+ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of
-+ * FOREST1.EXAMPLE.COM will generate it.
-+ *
-+ * From there the client can use the
-+ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC
-+ * of FOREST2.EXAMPLE.COM for a service ticket for
-+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
-+ *
-+ * With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior
-+ * when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
-+ * target principal. As _krb5_get_cred_kdc_any() first calls
-+ * get_cred_kdc_referral() (which always starts with the client realm)
-+ * and falls back to get_cred_kdc_capath() (which starts with the given
-+ * realm).
-+ *
-+ * MIT krb5 only tries the given realm of the target principal, if we
-+ * want to autodetect support for transitive forest trusts, would have
-+ * to do the fallback ourself.
-+ */
-+ if (gse_ctx->server_name == NULL) {
-+ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
-+ hostname,
-+ client_realm);
-+ if (server_realm == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ status = gse_setup_server_principal(mem_ctx,
-+ NULL,
-+ service,
-+ hostname,
-+ server_realm,
-+ &server_principal,
-+ &gse_ctx->server_name);
-+ TALLOC_FREE(server_realm);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ TALLOC_FREE(server_principal);
-+ }
-+
- gss_maj = gss_init_sec_context(&gss_min,
- gse_ctx->creds,
- &gse_ctx->gssapi_context,
---
-2.12.0
-
-
-From 5ca321eaa79cdf9de1166f49365051d4d67560f9 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 Mar 2017 08:11:07 +0100
-Subject: [PATCH 17/20] s3:gse: Check if we have a target_princpal set we
- should use
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit ada31d65d6c5929d2fbddfea5611a5f5fe5a0d74)
----
- source3/librpc/crypto/gse.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index 3580181061e..721fd8c1625 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -341,6 +341,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
- OM_uint32 time_rec = 0;
- struct timeval tv;
- struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
-+ const char *target_principal = gensec_get_target_principal(gensec_security);
- const char *hostname = gensec_get_target_hostname(gensec_security);
- const char *service = gensec_get_target_service(gensec_security);
- const char *client_realm = cli_credentials_get_realm(cli_creds);
-@@ -401,7 +402,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
- }
-
- status = gse_setup_server_principal(mem_ctx,
-- NULL,
-+ target_principal,
- service,
- hostname,
- server_realm,
---
-2.12.0
-
-
-From 8b88c6bf158e5da0cc238472390f3346aa05ef53 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 Mar 2017 08:18:27 +0100
-Subject: [PATCH 18/20] s3:gse: Correctly handle external trusts with MIT
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit b8bca7d08fe05758e536767b1146cdcdd8b9fee3)
----
- source3/librpc/crypto/gse.c | 54 +++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 54 insertions(+)
-
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index 721fd8c1625..3abf774633b 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -347,6 +347,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
- const char *client_realm = cli_credentials_get_realm(cli_creds);
- char *server_principal = NULL;
- char *server_realm = NULL;
-+ bool fallback = false;
-
- in_data.value = token_in->data;
- in_data.length = token_in->length;
-@@ -393,6 +394,50 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
- * want to autodetect support for transitive forest trusts, would have
- * to do the fallback ourself.
- */
-+#ifndef SAMBA4_USES_HEIMDAL
-+ if (gse_ctx->server_name == NULL) {
-+ OM_uint32 gss_min2 = 0;
-+
-+ status = gse_setup_server_principal(mem_ctx,
-+ target_principal,
-+ service,
-+ hostname,
-+ client_realm,
-+ &server_principal,
-+ &gse_ctx->server_name);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+ gss_maj = gss_init_sec_context(&gss_min,
-+ gse_ctx->creds,
-+ &gse_ctx->gssapi_context,
-+ gse_ctx->server_name,
-+ &gse_ctx->gss_mech,
-+ gse_ctx->gss_want_flags,
-+ 0,
-+ GSS_C_NO_CHANNEL_BINDINGS,
-+ &in_data,
-+ NULL,
-+ &out_data,
-+ &gse_ctx->gss_got_flags,
-+ &time_rec);
-+ if (gss_maj != GSS_S_FAILURE) {
-+ goto init_sec_context_done;
-+ }
-+ if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
-+ goto init_sec_context_done;
-+ }
-+ if (target_principal != NULL) {
-+ goto init_sec_context_done;
-+ }
-+
-+ fallback = true;
-+ TALLOC_FREE(server_principal);
-+ gss_release_name(&gss_min2, &gse_ctx->server_name);
-+ }
-+#endif /* !SAMBA4_USES_HEIMDAL */
-+
- if (gse_ctx->server_name == NULL) {
- server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
- hostname,
-@@ -401,6 +446,11 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-+ if (fallback &&
-+ strequal(client_realm, server_realm)) {
-+ goto init_sec_context_done;
-+ }
-+
- status = gse_setup_server_principal(mem_ctx,
- target_principal,
- service,
-@@ -425,6 +475,10 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
- 0, GSS_C_NO_CHANNEL_BINDINGS,
- &in_data, NULL, &out_data,
- &gse_ctx->gss_got_flags, &time_rec);
-+ goto init_sec_context_done;
-+ /* JUMP! */
-+init_sec_context_done:
-+
- switch (gss_maj) {
- case GSS_S_COMPLETE:
- /* we are done with it */
---
-2.12.0
-
-
-From 290de34d42477022d8b5a236b3d0953a178c5e40 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 29 Jan 2017 17:19:14 +0100
-Subject: [PATCH 19/20] HEIMDAL:kdc: make it possible to disable the principal
- based referral detection
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 209886e95c3afe1e4e50bacc30b40a543856a7a0)
----
- source4/heimdal/kdc/default_config.c | 1 +
- source4/heimdal/kdc/kdc.h | 2 ++
- source4/heimdal/kdc/krb5tgs.c | 4 +++-
- 3 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
-index 6fbf5fdae15..0129c5d3c54 100644
---- a/source4/heimdal/kdc/default_config.c
-+++ b/source4/heimdal/kdc/default_config.c
-@@ -55,6 +55,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
- c->preauth_use_strongest_session_key = FALSE;
- c->tgs_use_strongest_session_key = FALSE;
- c->use_strongest_server_key = TRUE;
-+ c->autodetect_referrals = TRUE;
- c->check_ticket_addresses = TRUE;
- c->allow_null_ticket_addresses = TRUE;
- c->allow_anonymous = FALSE;
-diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h
-index 9d52fd4c2ec..16263d6919b 100644
---- a/source4/heimdal/kdc/kdc.h
-+++ b/source4/heimdal/kdc/kdc.h
-@@ -69,6 +69,8 @@ typedef struct krb5_kdc_configuration {
- krb5_boolean allow_anonymous;
- enum krb5_kdc_trpolicy trpolicy;
-
-+ krb5_boolean autodetect_referrals;
-+
- krb5_boolean enable_pkinit;
- krb5_boolean pkinit_princ_in_cert;
- const char *pkinit_kdc_identity;
-diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
-index 334a6eb1dc8..a888788bb6f 100644
---- a/source4/heimdal/kdc/krb5tgs.c
-+++ b/source4/heimdal/kdc/krb5tgs.c
-@@ -1660,7 +1660,9 @@ server_lookup:
- Realm req_rlm;
- krb5_realm *realms;
-
-- if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
-+ if (!config->autodetect_referrals) {
-+ /* noop */
-+ } else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
- if(nloop++ < 2) {
- new_rlm = find_rpath(context, tgt->crealm, req_rlm);
- if(new_rlm) {
---
-2.12.0
-
-
-From b98d399a9b3076443fa12fab5f5e13b8d6e2fe26 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 29 Jan 2017 17:20:09 +0100
-Subject: [PATCH 20/20] s4:kdc: disable principal based autodetected referral
- detection
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 3314bf52aaef60ef5cc1110587b53064df7c475d)
----
- source4/kdc/kdc-heimdal.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
-index f2927e5cb9f..061296a4f40 100644
---- a/source4/kdc/kdc-heimdal.c
-+++ b/source4/kdc/kdc-heimdal.c
-@@ -379,6 +379,8 @@ static void kdc_task_init(struct task_server *task)
- kdc_config->tgs_use_strongest_session_key = false;
- kdc_config->use_strongest_server_key = true;
-
-+ kdc_config->autodetect_referrals = false;
-+
- /* Register hdb-samba4 hooks for use as a keytab */
-
- kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
---
-2.12.0
-
diff --git a/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch
deleted file mode 100644
index dbce123..0000000
--- a/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 20 Mar 2017 16:08:20 +0100
-Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- source3/libsmb/cliconnect.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index 029c3d4760e..93f873079db 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
- 0 /* no time correction for now */,
- NULL);
- if (ret != 0) {
-- DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
-- user_principal, target_hostname,
-- error_message(ret)));
-+ int dbglvl = DBGLVL_WARNING;
-+
-+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
-+ dbglvl = DBGLVL_ERR;
-+ }
-+
-+ DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
-+ user_principal, target_hostname,
-+ error_message(ret)));
- if (krb5_state == CRED_MUST_USE_KERBEROS) {
- TALLOC_FREE(frame);
- return krb5_to_nt_status(ret);
---
-2.12.0
-
diff --git a/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch
deleted file mode 100644
index 6d96e52..0000000
--- a/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch
+++ /dev/null
@@ -1,293 +0,0 @@
-From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 Mar 2017 17:30:37 +0100
-Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters
-
-The old behaviour is:
-
- for var in $*
- do
- echo "$var"
- done
-
-And you get this:
-
-$ sh test.sh 1 2 '3 4'
-1
-2
-3
-4
-
-Changing it to:
-
- for var in "$@"
- do
- echo "$var"
- done
-
-will correctly expand to:
-
-$ sh test.sh 1 2 '3 4'
-1
-2
-3 4
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
-
-(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71)
----
- testprogs/blackbox/subunit.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh
-index 0791d775d27..5c81ce20a11 100755
---- a/testprogs/blackbox/subunit.sh
-+++ b/testprogs/blackbox/subunit.sh
-@@ -78,7 +78,7 @@ subunit_skip_test () {
- testit () {
- name="$1"
- shift
-- cmdline="$*"
-+ cmdline="$@"
- subunit_start_test "$name"
- output=`$cmdline 2>&1`
- status=$?
-@@ -93,7 +93,7 @@ testit () {
- testit_expect_failure () {
- name="$1"
- shift
-- cmdline="$*"
-+ cmdline="$@"
- subunit_start_test "$name"
- output=`$cmdline 2>&1`
- status=$?
---
-2.12.0
-
-
-From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 Mar 2017 16:11:39 +0100
-Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)
----
- lib/krb5_wrap/krb5_samba.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 10b42dec53f..fd8e4a96071 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
- goto open_keytab;
- }
-
-+ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
-+
- return KRB5_KT_BADNAME;
-
- open_keytab:
---
-2.12.0
-
-
-From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 Mar 2017 16:24:52 +0100
-Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
----
- source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++-------
- 1 file changed, 57 insertions(+), 12 deletions(-)
-
-diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
-index 3c73b089bbb..96df10fcf65 100644
---- a/source3/libads/kerberos_keytab.c
-+++ b/source3/libads/kerberos_keytab.c
-@@ -34,6 +34,57 @@
-
- #ifdef HAVE_ADS
-
-+/* This MAX_NAME_LEN is a constant defined in krb5.h */
-+#ifndef MAX_KEYTAB_NAME_LEN
-+#define MAX_KEYTAB_NAME_LEN 1100
-+#endif
-+
-+static krb5_error_code ads_keytab_open(krb5_context context,
-+ krb5_keytab *keytab)
-+{
-+ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
-+ const char *keytab_name = NULL;
-+ krb5_error_code ret = 0;
-+
-+ switch (lp_kerberos_method()) {
-+ case KERBEROS_VERIFY_SYSTEM_KEYTAB:
-+ case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
-+ ret = krb5_kt_default_name(context,
-+ keytab_str,
-+ sizeof(keytab_str) - 2);
-+ if (ret != 0) {
-+ DBG_WARNING("Failed to get default keytab name");
-+ goto out;
-+ }
-+ keytab_name = keytab_str;
-+ break;
-+ case KERBEROS_VERIFY_DEDICATED_KEYTAB:
-+ keytab_name = lp_dedicated_keytab_file();
-+ break;
-+ default:
-+ DBG_ERR("Invalid kerberos method set (%d)\n",
-+ lp_kerberos_method());
-+ ret = KRB5_KT_BADNAME;
-+ goto out;
-+ }
-+
-+ if (keytab_name == NULL || keytab_name[0] == '\0') {
-+ DBG_ERR("Invalid keytab name\n");
-+ ret = KRB5_KT_BADNAME;
-+ goto out;
-+ }
-+
-+ ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
-+ if (ret != 0) {
-+ DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
-+ error_message(ret));
-+ goto out;
-+ }
-+
-+out:
-+ return ret;
-+}
-+
- /**********************************************************************
- Adds a single service principal, i.e. 'host' to the system keytab
- ***********************************************************************/
-@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
- return -1;
- }
-
-- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
-- if (ret) {
-- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
-- error_message(ret)));
-+ ret = ads_keytab_open(context, &keytab);
-+ if (ret != 0) {
- goto out;
- }
-
-@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
- return ret;
- }
-
-- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
-- if (ret) {
-- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
-- error_message(ret)));
-+ ret = ads_keytab_open(context, &keytab);
-+ if (ret != 0) {
- goto out;
- }
-
-@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
- DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
- "and update.\n"));
-
-- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
-- if (ret) {
-- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
-- error_message(ret)));
-+ ret = ads_keytab_open(context, &keytab);
-+ if (ret != 0) {
- goto done;
- }
-
---
-2.12.0
-
-
-From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 Mar 2017 17:28:58 +0100
-Subject: [PATCH 4/5] param: Allow to specify kerberos method on the
- commandline
-
-We support --option for our tools but you cannot set an option where the
-value of the option includes a space.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0)
----
- lib/param/param_table.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/lib/param/param_table.c b/lib/param/param_table.c
-index 4b5234a7c9e..9a944ef19b3 100644
---- a/lib/param/param_table.c
-+++ b/lib/param/param_table.c
-@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
- static const struct enum_list enum_kerberos_method[] = {
- {KERBEROS_VERIFY_SECRETS, "default"},
- {KERBEROS_VERIFY_SECRETS, "secrets only"},
-+ {KERBEROS_VERIFY_SECRETS, "secretsonly"},
- {KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
-+ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
- {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
-+ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
- {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
-+ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
- {-1, NULL}
- };
-
---
-2.12.0
-
-
-From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 Mar 2017 16:34:05 +0100
-Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab
-
-This checks that a 'net ads join' can create the keytab and make sure we
-will not regress in future.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3)
----
- testprogs/blackbox/test_net_ads.sh | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
-index 8e915cdcf1f..99b886f53eb 100755
---- a/testprogs/blackbox/test_net_ads.sh
-+++ b/testprogs/blackbox/test_net_ads.sh
-@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed +
-
- testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
-
-+# Test with kerberos method = secrets and keytab
-+dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
-+testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
-+
-+testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
-+
-+testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
-+rm -f $dedicated_keytab_file
-+
- testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
-
- testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
---
-2.12.0
-
diff --git a/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch
deleted file mode 100644
index 4e21154..0000000
--- a/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 4 May 2017 17:48:42 +0200
-Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with
- COPY_FROM_DIRECTORY
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05)
----
- source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++-------------
- 1 file changed, 35 insertions(+), 16 deletions(-)
-
-diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
-index 394a3e5..49be5d9 100644
---- a/source3/printing/nt_printing.c
-+++ b/source3/printing/nt_printing.c
-@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver
- static uint32_t get_correct_cversion(struct auth_session_info *session_info,
- const char *architecture,
- const char *driverpath_in,
-+ const char *driver_directory,
- WERROR *perr)
- {
- int cversion = -1;
- NTSTATUS nt_status;
- struct smb_filename *smb_fname = NULL;
-- char *driverpath = NULL;
- files_struct *fsp = NULL;
- connection_struct *conn = NULL;
- char *oldcwd;
- char *printdollar = NULL;
-+ char *printdollar_path = NULL;
-+ char *working_dir = NULL;
- int printdollar_snum;
-
- *perr = WERR_INVALID_PARAMETER;
-@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
- return -1;
- }
-
-+ printdollar_path = lp_path(talloc_tos(), printdollar_snum);
-+ if (printdollar_path == NULL) {
-+ *perr = WERR_NOT_ENOUGH_MEMORY;
-+ return -1;
-+ }
-+
-+ working_dir = talloc_asprintf(talloc_tos(),
-+ "%s/%s",
-+ printdollar_path,
-+ architecture);
-+ /*
-+ * If the driver has been uploaded into a temorpary driver
-+ * directory, switch to the driver directory.
-+ */
-+ if (driver_directory != NULL) {
-+ working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
-+ printdollar_path,
-+ architecture,
-+ driver_directory);
-+ }
-+
- nt_status = create_conn_struct_cwd(talloc_tos(),
- server_event_context(),
- server_messaging_context(),
- &conn,
- printdollar_snum,
-- lp_path(talloc_tos(), printdollar_snum),
-+ working_dir,
- session_info, &oldcwd);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0,("get_correct_cversion: create_conn_struct "
-@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
- goto error_free_conn;
- }
-
-- /* Open the driver file (Portable Executable format) and determine the
-- * deriver the cversion. */
-- driverpath = talloc_asprintf(talloc_tos(),
-- "%s/%s",
-- architecture,
-- driverpath_in);
-- if (!driverpath) {
-- *perr = WERR_NOT_ENOUGH_MEMORY;
-- goto error_exit;
-- }
--
-- nt_status = driver_unix_convert(conn, driverpath, &smb_fname);
-+ /*
-+ * We switch to the directory where the driver files are located,
-+ * so only work on the file names
-+ */
-+ nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname);
- if (!NT_STATUS_IS_OK(nt_status)) {
- *perr = ntstatus_to_werror(nt_status);
- goto error_exit;
-@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx,
- * NT2K: cversion=3
- */
-
-- *version = get_correct_cversion(session_info, short_architecture,
-- *driver_path, &err);
-+ *version = get_correct_cversion(session_info,
-+ short_architecture,
-+ *driver_path,
-+ *driver_directory,
-+ &err);
- if (*version == -1) {
- return err;
- }
---
-2.9.3
-
-
-From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 5 May 2017 11:11:25 +0200
-Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test
- for 64bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e)
----
- source4/torture/rpc/spoolss.c | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
-index 409ba57..c4b7bf1 100644
---- a/source4/torture/rpc/spoolss.c
-+++ b/source4/torture/rpc/spoolss.c
-@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx,
- }
-
- static bool test_driver_copy_from_directory(struct torture_context *tctx,
-- struct dcerpc_pipe *p)
-+ struct dcerpc_pipe *p,
-+ const char *architecture)
- {
- struct torture_driver_context *d;
- struct spoolss_StringArray *a;
-@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
- d = talloc_zero(tctx, struct torture_driver_context);
- torture_assert_not_null(tctx, d, "ENOMEM");
-
-- d->local.environment =
-- talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64);
-+ d->local.environment = talloc_strdup(d, architecture);
- torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
-
- d->local.driver_directory =
-@@ -11208,6 +11208,12 @@ done:
- return ok;
- }
-
-+static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
-+ struct dcerpc_pipe *p)
-+{
-+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
-+}
-+
- static bool test_del_driver_all_files(struct torture_context *tctx,
- struct dcerpc_pipe *p)
- {
-@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
- torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers);
-
- torture_rpc_tcase_add_test(tcase,
-- "test_driver_copy_from_directory",
-- test_driver_copy_from_directory);
-+ "test_driver_copy_from_directory_64",
-+ test_driver_copy_from_directory_64);
-
- torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
-
---
-2.9.3
-
-
-From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 5 May 2017 11:12:02 +0200
-Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for
- copy_from_directory
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0)
----
- source4/torture/rpc/spoolss.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
-index c4b7bf1..e17ac6f 100644
---- a/source4/torture/rpc/spoolss.c
-+++ b/source4/torture/rpc/spoolss.c
-@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
- d->local.environment = talloc_strdup(d, architecture);
- torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
-
-- d->local.driver_directory =
-- talloc_asprintf(d, "/usr/share/cups/drivers/x64");
-+ if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) {
-+ d->local.driver_directory =
-+ talloc_strdup(d, "/usr/share/cups/drivers/x64");
-+ } else {
-+ d->local.driver_directory =
-+ talloc_strdup(d, "/usr/share/cups/drivers/i386");
-+ }
- torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM");
-
- d->remote.driver_upload_directory = GUID_string2(d, &guid);
-@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
- return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
- }
-
-+static bool test_driver_copy_from_directory_32(struct torture_context *tctx,
-+ struct dcerpc_pipe *p)
-+{
-+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86);
-+}
-+
- static bool test_del_driver_all_files(struct torture_context *tctx,
- struct dcerpc_pipe *p)
- {
-@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
- "test_driver_copy_from_directory_64",
- test_driver_copy_from_directory_64);
-
-+ torture_rpc_tcase_add_test(tcase,
-+ "test_driver_copy_from_directory_32",
-+ test_driver_copy_from_directory_32);
-+
- torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
-
- torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files);
---
-2.9.3
-
diff --git a/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch
deleted file mode 100644
index 7441e1d..0000000
--- a/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch
+++ /dev/null
@@ -1,211 +0,0 @@
-From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 14 Mar 2017 16:12:20 +0100
-Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file
-
-The arguments get passed in the wrong order to read_target_host().
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0)
----
- source3/modules/vfs_expand_msdfs.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c
-index ffbfa333bad..e42d0098b32 100644
---- a/source3/modules/vfs_expand_msdfs.c
-+++ b/source3/modules/vfs_expand_msdfs.c
-@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
- return NULL;
- }
-
-- targethost = read_target_host(
-- ctx, raddr, mapfilename);
-+ targethost = read_target_host(ctx, mapfilename, raddr);
- if (targethost == NULL) {
- DEBUG(1, ("Could not expand target host from file %s\n",
- mapfilename));
---
-2.12.0
-
-From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 21 Mar 2017 15:32:37 +0100
-Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to
- get_referred_path()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
-
-Pair-Programmed-With: Ralph Boehme <slow@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e)
----
- source3/modules/vfs_default.c | 2 ++
- source3/rpc_server/dfs/srv_dfs_nt.c | 6 ++++++
- source3/smbd/msdfs.c | 12 +++++++-----
- source3/smbd/proto.h | 12 +++++++-----
- 4 files changed, 22 insertions(+), 10 deletions(-)
-
-diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
-index e0b6125f7d8..dcae861103d 100644
---- a/source3/modules/vfs_default.c
-+++ b/source3/modules/vfs_default.c
-@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle,
-
- /* The following call can change cwd. */
- status = get_referred_path(r, pathnamep,
-+ handle->conn->sconn->remote_address,
-+ handle->conn->sconn->local_address,
- !handle->conn->sconn->using_smb2,
- junction, &consumedcnt, &self_referral);
- if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c
-index ab2af53c0ba..0a4d6d31b7c 100644
---- a/source3/rpc_server/dfs/srv_dfs_nt.c
-+++ b/source3/rpc_server/dfs/srv_dfs_nt.c
-@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r)
-
- /* The following call can change the cwd. */
- status = get_referred_path(ctx, r->in.path,
-+ p->remote_address,
-+ p->local_address,
- true, /*allow_broken_path */
- jn, &consumedcnt, &self_ref);
- if(!NT_STATUS_IS_OK(status)) {
-@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r)
- }
-
- status = get_referred_path(ctx, r->in.dfs_entry_path,
-+ p->remote_address,
-+ p->local_address,
- true, /*allow_broken_path */
- jn, &consumedcnt, &self_ref);
- if(!NT_STATUS_IS_OK(status)) {
-@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r)
-
- /* The following call can change the cwd. */
- status = get_referred_path(ctx, r->in.dfs_entry_path,
-+ p->remote_address,
-+ p->local_address,
- true, /*allow_broken_path */
- jn, &consumedcnt, &self_ref);
- if(!NT_STATUS_IS_OK(status) ||
-diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
-index 61538cec832..3cf82d3b430 100644
---- a/source3/smbd/msdfs.c
-+++ b/source3/smbd/msdfs.c
-@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx,
- **********************************************************************/
-
- NTSTATUS get_referred_path(TALLOC_CTX *ctx,
-- const char *dfs_path,
-- bool allow_broken_path,
-- struct junction_map *jucn,
-- int *consumedcntp,
-- bool *self_referralp)
-+ const char *dfs_path,
-+ const struct tsocket_address *remote_address,
-+ const struct tsocket_address *local_address,
-+ bool allow_broken_path,
-+ struct junction_map *jucn,
-+ int *consumedcntp,
-+ bool *self_referralp)
- {
- struct connection_struct *conn;
- char *targetpath = NULL;
-diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
-index c1b8201b472..e64457cf9e0 100644
---- a/source3/smbd/proto.h
-+++ b/source3/smbd/proto.h
-@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn,
- SMB_STRUCT_STAT *sbufp);
- struct junction_map;
- NTSTATUS get_referred_path(TALLOC_CTX *ctx,
-- const char *dfs_path,
-- bool allow_broken_path,
-- struct junction_map *jucn,
-- int *consumedcntp,
-- bool *self_referralp);
-+ const char *dfs_path,
-+ const struct tsocket_address *remote_address,
-+ const struct tsocket_address *local_address,
-+ bool allow_broken_path,
-+ struct junction_map *jucn,
-+ int *consumedcntp,
-+ bool *self_referralp);
- int setup_dfs_referral(connection_struct *orig_conn,
- const char *dfs_path,
- int max_referral_level,
---
-2.13.0
-
-
-From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 21 Mar 2017 15:45:34 +0100
-Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake
- connection
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
-
-Pair-Programmed-With: Ralph Boehme <slow@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9)
----
- source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
-index 3cf82d3b430..c25fb17cee8 100644
---- a/source3/smbd/msdfs.c
-+++ b/source3/smbd/msdfs.c
-@@ -31,6 +31,7 @@
- #include "lib/param/loadparm.h"
- #include "libcli/security/security.h"
- #include "librpc/gen_ndr/ndr_dfsblobs.h"
-+#include "lib/tsocket/tsocket.h"
-
- /**********************************************************************
- Parse a DFS pathname of the form \hostname\service\reqpath
-@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
- return status;
- }
-
-+ /*
-+ * TODO
-+ *
-+ * The remote and local address should be passed down to
-+ * create_conn_struct_cwd.
-+ */
-+ if (conn->sconn->remote_address == NULL) {
-+ conn->sconn->remote_address =
-+ tsocket_address_copy(remote_address, conn->sconn);
-+ if (conn->sconn->remote_address == NULL) {
-+ TALLOC_FREE(pdp);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ }
-+ if (conn->sconn->local_address == NULL) {
-+ conn->sconn->local_address =
-+ tsocket_address_copy(local_address, conn->sconn);
-+ if (conn->sconn->local_address == NULL) {
-+ TALLOC_FREE(pdp);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ }
-+
- /* If this is a DFS path dfs_lookup should return
- * NT_STATUS_PATH_NOT_COVERED. */
-
---
-2.13.0
-
diff --git a/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch b/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch
deleted file mode 100644
index 83a4985..0000000
--- a/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 646b3c4b920f4ae4d1289eeb10018cd9d069382a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 9 Aug 2017 18:14:23 +0200
-Subject: [PATCH 1/2] s3:libads: Fix changing passwords with Kerberos
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
-(cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d)
----
- source3/libads/krb5_setpw.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
-index 630c2e46631..bc96ac603b1 100644
---- a/source3/libads/krb5_setpw.c
-+++ b/source3/libads/krb5_setpw.c
-@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
- ret = krb5_set_password(context,
- &creds,
- discard_const_p(char, newpw),
-- princ,
-+ NULL,
- &result_code,
- &result_code_string,
- &result_string);
---
-2.14.0
-
-
-From be45f32ffb1504f36b860195b480b661699de049 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 9 Aug 2017 12:14:34 +0200
-Subject: [PATCH 2/2] blackbox: Add test for 'net ads changetrustpw'
-
-BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144
-
-(cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f)
----
- testprogs/blackbox/test_net_ads.sh | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
-index 99b886f53eb..bbd99b676bd 100755
---- a/testprogs/blackbox/test_net_ads.sh
-+++ b/testprogs/blackbox/test_net_ads.sh
-@@ -33,6 +33,8 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed
-
- testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
-
-+testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
-+
- testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
-
- # Test with kerberos method = secrets and keytab
-@@ -41,6 +43,8 @@ testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC
-
- testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
-
-+testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
-+
- testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
- rm -f $dedicated_keytab_file
-
---
-2.14.0
-
diff --git a/SOURCES/samba-v4-6-fix_path_substitutions.patch b/SOURCES/samba-v4-6-fix_path_substitutions.patch
deleted file mode 100644
index 178c44d..0000000
--- a/SOURCES/samba-v4-6-fix_path_substitutions.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Fri, 17 Mar 2017 13:52:57 +0100
-Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user
- information
-
-This fixes the substitution for 'template homedir'.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Volker Lendecke <vl@samba.org>
-Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
-
-(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5)
----
- source3/winbindd/wb_queryuser.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
-index be4d3d3e665..69b4c8dad5a 100644
---- a/source3/winbindd/wb_queryuser.c
-+++ b/source3/winbindd/wb_queryuser.c
-@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq)
- NTSTATUS status;
- const char *domain_name;
-
-- status = wb_lookupsid_recv(subreq, state, &type, &domain_name,
-+ status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name,
- &state->info->primary_group_name);
- TALLOC_FREE(subreq);
- if (tevent_req_nterror(req, status)) {
---
-2.12.0
-
-
-From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 15 Mar 2017 12:37:08 +0100
-Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660)
----
- selftest/target/Samba3.pm | 19 ++++++++++++++++++-
- source3/script/tests/test_substitutions.sh | 9 +++++++--
- 2 files changed, 25 insertions(+), 3 deletions(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index f5b2c510224..1e053f12297 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -394,16 +394,33 @@ sub setup_admember($$$$)
- $substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users";
- push(@dirs, $substitution_path);
-
-+ # Using '/' as the winbind separator is a bad idea ...
-+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN";
-+ push(@dirs, $substitution_path);
-+
-+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice";
-+ push(@dirs, $substitution_path);
-+
-+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN";
-+ push(@dirs, $substitution_path);
-+
-+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users";
-+ push(@dirs, $substitution_path);
-+
- my $member_options = "
- security = ads
- workgroup = $dcvars->{DOMAIN}
- realm = $dcvars->{REALM}
- netbios aliases = foo bar
-
--[subDUG]
-+[sub_dug]
- path = $share_dir/D_%D/U_%U/G_%G
- writeable = yes
-
-+[sub_dug2]
-+ path = $share_dir/D_%D/u_%u/g_%g
-+ writeable = yes
-+
- ";
-
- my $ret = $self->provision($prefix,
-diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
-index 0852ad969f0..1a46f11c85d 100755
---- a/source3/script/tests/test_substitutions.sh
-+++ b/source3/script/tests/test_substitutions.sh
-@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient"
- . $samba_srcdir/testprogs/blackbox/subunit.sh
- . $samba_srcdir/testprogs/blackbox/common_test_fns.inc
-
--SMB_UNC="//$SERVER/subDUG"
-+SMB_UNC="//$SERVER/sub_dug"
-
--test_smbclient "Test login to share with substitution" \
-+test_smbclient "Test login to share with substitution (DUG)" \
-+ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
-+
-+SMB_UNC="//$SERVER/sub_dug2"
-+
-+test_smbclient "Test login to share with substitution (Dug)" \
- "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
-
- exit $failed
---
-2.12.0
-
-
-From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 17 Mar 2017 10:04:19 +0100
-Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
-
-With this set, the samba3.local.nss test for ad_member will ensure that
-we correctly substitute those smb.conf options.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
-
-(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03)
----
- nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------
- selftest/target/Samba3.pm | 1 +
- 2 files changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
-index cfe582df068..f9c040e5f43 100755
---- a/nsswitch/tests/test_wbinfo.sh
-+++ b/nsswitch/tests/test_wbinfo.sh
-@@ -205,13 +205,18 @@ subunit_start_test "$test_name"
- # The full name (GECOS) is based on name (the RDN, in this case CN)
- # and displayName in winbindd_ads, and is based only on displayName in
- # winbindd_msrpc and winbindd_rpc. Allow both versions.
--expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
--expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
-+if test "$TARGET" = "ad_member"; then
-+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false"
-+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false"
-+else
-+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
-+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
-+fi
-
--if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
-+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
- subunit_pass_test "$test_name"
- else
-- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
-+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
- failed=`expr $failed + 1`
- fi
-
-@@ -227,10 +232,10 @@ fi
-
- test_name="confirm output of wbinfo --uid-info against $TARGET"
- subunit_start_test "$test_name"
--if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
-+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
- subunit_pass_test "$test_name"
- else
-- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
-+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
- failed=`expr $failed + 1`
- fi
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 1e053f12297..cb4970828a5 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -412,6 +412,7 @@ sub setup_admember($$$$)
- workgroup = $dcvars->{DOMAIN}
- realm = $dcvars->{REALM}
- netbios aliases = foo bar
-+ template homedir = /home/%D/%G/%U
-
- [sub_dug]
- path = $share_dir/D_%D/U_%U/G_%G
---
-2.12.0
-
diff --git a/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch
deleted file mode 100644
index 7b754ae..0000000
--- a/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch
+++ /dev/null
@@ -1,339 +0,0 @@
-From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 15 Mar 2017 17:04:30 +0000
-Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of
- smb_bytes_pull_str()
-
-This function needs to get the whole smb buffer in order to get
-the alignment for unicode correct.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24)
----
- libcli/smb/smb1cli_session.c | 28 +++++++++++++-------------
- libcli/smb/smb_util.h | 3 ++-
- libcli/smb/util.c | 47 +++++++++++++++++++++++++++++---------------
- 3 files changed, 47 insertions(+), 31 deletions(-)
-
-diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c
-index 9d92aa6aed4..11614df0ae4 100644
---- a/libcli/smb/smb1cli_session.c
-+++ b/libcli/smb/smb1cli_session.c
-@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq)
- p = bytes;
-
- status = smb_bytes_pull_str(state, &state->out_native_os,
-- use_unicode, p,
-- bytes+num_bytes-p, &ret);
-+ use_unicode, bytes, num_bytes,
-+ p, &ret);
- if (tevent_req_nterror(req, status)) {
- return;
- }
- p += ret;
-
- status = smb_bytes_pull_str(state, &state->out_native_lm,
-- use_unicode, p,
-- bytes+num_bytes-p, &ret);
-+ use_unicode, bytes, num_bytes,
-+ p, &ret);
- if (tevent_req_nterror(req, status)) {
- return;
- }
-@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq)
- p = bytes;
-
- status = smb_bytes_pull_str(state, &state->out_native_os,
-- use_unicode, p,
-- bytes+num_bytes-p, &ret);
-+ use_unicode, bytes, num_bytes,
-+ p, &ret);
- if (tevent_req_nterror(req, status)) {
- return;
- }
- p += ret;
-
- status = smb_bytes_pull_str(state, &state->out_native_lm,
-- use_unicode, p,
-- bytes+num_bytes-p, &ret);
-+ use_unicode, bytes, num_bytes,
-+ p, &ret);
- if (tevent_req_nterror(req, status)) {
- return;
- }
- p += ret;
-
- status = smb_bytes_pull_str(state, &state->out_primary_domain,
-- use_unicode, p,
-- bytes+num_bytes-p, &ret);
-+ use_unicode, bytes, num_bytes,
-+ p, &ret);
- if (tevent_req_nterror(req, status)) {
- return;
- }
-@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq)
- p += out_security_blob_length;
-
- status = smb_bytes_pull_str(state, &state->out_native_os,
-- use_unicode, p,
-- bytes+num_bytes-p, &ret);
-+ use_unicode, bytes, num_bytes,
-+ p, &ret);
- if (tevent_req_nterror(req, status)) {
- return;
- }
- p += ret;
-
- status = smb_bytes_pull_str(state, &state->out_native_lm,
-- use_unicode, p,
-- bytes+num_bytes-p, &ret);
-+ use_unicode, bytes, num_bytes,
-+ p, &ret);
- if (tevent_req_nterror(req, status)) {
- return;
- }
-diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
-index 7e6f0a4ebc4..2884786339d 100644
---- a/libcli/smb/smb_util.h
-+++ b/libcli/smb/smb_util.h
-@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
- const uint8_t *bytes, size_t num_bytes);
- NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
- const uint8_t *buf, size_t buf_len,
-- size_t *pbuf_consumed);
-+ const uint8_t *position,
-+ size_t *_consumed);
-diff --git a/libcli/smb/util.c b/libcli/smb/util.c
-index ef8c9fafa35..7ef909c6077 100644
---- a/libcli/smb/util.c
-+++ b/libcli/smb/util.c
-@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
- static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
- bool ucs2, bool align_odd,
- const uint8_t *buf, size_t buf_len,
-- size_t *pbuf_consumed)
-+ const uint8_t *position,
-+ size_t *p_consumed)
- {
- size_t pad = 0;
-+ size_t offset;
- char *str = NULL;
- size_t str_len = 0;
- bool ok;
-
- *_str = NULL;
-- if (pbuf_consumed != NULL) {
-- *pbuf_consumed = 0;
-+ if (p_consumed != NULL) {
-+ *p_consumed = 0;
-+ }
-+
-+ if (position < buf) {
-+ return NT_STATUS_INTERNAL_ERROR;
-+ }
-+
-+ offset = PTR_DIFF(position, buf);
-+ if (offset > buf_len) {
-+ return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
- if (ucs2 &&
-- ((align_odd && (buf_len % 2 == 0)) ||
-- (!align_odd && (buf_len % 2 == 1)))) {
-- if (buf_len < 1) {
-- return NT_STATUS_BUFFER_TOO_SMALL;
-- }
-- pad = 1;
-- buf_len -= pad;
-- buf += pad;
-+ ((align_odd && (offset % 2 == 0)) ||
-+ (!align_odd && (offset % 2 == 1)))) {
-+ pad += 1;
-+ offset += 1;
-+ }
-+
-+ if (offset > buf_len) {
-+ return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
-+ buf_len -= offset;
-+ buf += offset;
-+
- if (ucs2) {
- buf_len = utf16_len_n(buf, buf_len);
- } else {
-@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
- return map_nt_error_from_unix_common(errno);
- }
-
-- if (pbuf_consumed != NULL) {
-- *pbuf_consumed = buf_len + pad;
-+ if (p_consumed != NULL) {
-+ *p_consumed = buf_len + pad;
- }
- *_str = str;
-- return NT_STATUS_OK;;
-+ return NT_STATUS_OK;
- }
-
- NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
- const uint8_t *buf, size_t buf_len,
-- size_t *_buf_consumed)
-+ const uint8_t *position,
-+ size_t *_consumed)
- {
- return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
-- buf, buf_len, _buf_consumed);
-+ buf, buf_len, position, _consumed);
- }
---
-2.13.1
-
-
-From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 15 Mar 2017 17:04:44 +0000
-Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper
- function
-
-This function updates cli->server_{os,type,domain} to valid values
-after a session setup.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3)
----
- source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++--------------
- 1 file changed, 52 insertions(+), 22 deletions(-)
-
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index a2362ceb863..ef03da17eec 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
- return NT_STATUS_OK;
- }
-
-+static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli,
-+ const char *native_os,
-+ const char *native_lm,
-+ const char *primary_domain)
-+{
-+#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0')
-+
-+ if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) {
-+ cli->server_os = talloc_strdup(cli, native_os);
-+ if (cli->server_os == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ }
-+
-+ if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) {
-+ cli->server_type = talloc_strdup(cli, native_lm);
-+ if (cli->server_type == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ }
-+
-+ if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) {
-+ cli->server_domain = talloc_strdup(cli, primary_domain);
-+ if (cli->server_domain == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ }
-+
-+#undef _VALID_STRING
-+ return NT_STATUS_OK;
-+}
-+
- /********************************************************
- Utility function to ensure we always return at least
- a valid char * pointer to an empty string for the
-@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
- subreq, struct tevent_req);
- struct cli_sesssetup_blob_state *state = tevent_req_data(
- req, struct cli_sesssetup_blob_state);
-- struct cli_state *cli = state->cli;
- NTSTATUS status;
-
- if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
-@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
- return;
- }
-
-- if (cli->server_os == NULL) {
-- cli->server_os = talloc_move(cli, &state->out_native_os);
-- }
-- if (cli->server_type == NULL) {
-- cli->server_type = talloc_move(cli, &state->out_native_lm);
-- }
--
- state->status = status;
-
-+ status = cli_state_update_after_sesssetup(state->cli,
-+ state->out_native_os,
-+ state->out_native_lm,
-+ NULL);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
- if (state->blob.length != 0) {
- /*
- * More to send
-@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq)
- return;
- }
-
-- if (cli->server_os == NULL) {
-- cli->server_os = talloc_move(cli, &state->out_native_os);
-- }
-- if (cli->server_type == NULL) {
-- cli->server_type = talloc_move(cli, &state->out_native_lm);
-- }
-- if (cli->server_domain == NULL) {
-- cli->server_domain = talloc_move(cli, &state->out_primary_domain);
-+ status = cli_state_update_after_sesssetup(state->cli,
-+ state->out_native_os,
-+ state->out_native_lm,
-+ state->out_primary_domain);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
- }
-
- ok = smb1cli_conn_activate_signing(cli->conn,
-@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
- subreq, struct tevent_req);
- struct cli_session_setup_creds_state *state = tevent_req_data(
- req, struct cli_session_setup_creds_state);
-- struct cli_state *cli = state->cli;
- NTSTATUS status;
-
- status = smb1cli_session_setup_lm21_recv(subreq, state,
-@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
- return;
- }
-
-- if (cli->server_os == NULL) {
-- cli->server_os = talloc_move(cli, &state->out_native_os);
-- }
-- if (cli->server_type == NULL) {
-- cli->server_type = talloc_move(cli, &state->out_native_lm);
-+ status = cli_state_update_after_sesssetup(state->cli,
-+ state->out_native_os,
-+ state->out_native_lm,
-+ NULL);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
- }
-
- tevent_req_done(req);
---
-2.13.1
-
diff --git a/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch
deleted file mode 100644
index 5c52aa9..0000000
--- a/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 19 Jun 2017 14:50:33 +0200
-Subject: [PATCH 1/2] s3:popt_common: Reparse the username in
- popt_common_credentials_post()
-
-When we parse the username in the options handling, the smb.conf file
-has not been loaded yet. So we are not aware of a 'winbind separator'
-set in the config file.
-
-We need to read and set the username again in the post-processing of the
-credentials.
-
-https://bugzilla.samba.org/show_bug.cgi?id=12849
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b)
----
- source3/lib/popt_common.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
-index 3589a4fbd2b..9928c708e89 100644
---- a/source3/lib/popt_common.c
-+++ b/source3/lib/popt_common.c
-@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void)
- void popt_common_credentials_post(void)
- {
- struct user_auth_info *auth_info = cmdline_auth_info;
-+ const char *username = NULL;
-
- if (get_cmdline_auth_info_use_machine_account(auth_info) &&
- !set_cmdline_auth_info_machine_account_creds(auth_info))
-@@ -248,6 +249,20 @@ void popt_common_credentials_post(void)
- }
-
- set_cmdline_auth_info_getpass(auth_info);
-+
-+ /*
-+ * When we set the username during the handling of the options passed to
-+ * the binary we haven't loaded the config yet. This means that we
-+ * didnn't take the 'winbind separator' into account.
-+ *
-+ * The username might contain the domain name and thus it hasn't been
-+ * correctly parsed yet. If we have a username we need to set it again
-+ * to run the string parser for the username correctly.
-+ */
-+ username = get_cmdline_auth_info_username(auth_info);
-+ if (username != NULL && username[0] != '\0') {
-+ set_cmdline_auth_info_username(auth_info, username);
-+ }
- }
-
- static void popt_common_credentials_callback(poptContext con,
---
-2.13.1
-
-
-From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 19 Jun 2017 15:52:23 +0200
-Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144
-
-(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af)
----
- source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++
- source3/selftest/tests.py | 1 +
- 2 files changed, 63 insertions(+)
- create mode 100755 source3/script/tests/test_smbclient_basic.sh
-
-diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh
-new file mode 100755
-index 00000000000..90e579b68e9
---- /dev/null
-+++ b/source3/script/tests/test_smbclient_basic.sh
-@@ -0,0 +1,62 @@
-+#!/bin/sh
-+
-+# this runs the file serving tests that are expected to pass with samba3 against shares with various options
-+
-+if [ $# -lt 5 ]; then
-+cat <<EOF
-+Usage: test_smbclient_basic.sh SERVER SERVER_IP DOMAIN USERNAME PASSWORD SMBCLIENT <smbclient arguments>
-+EOF
-+exit 1;
-+fi
-+
-+SERVER="$1"
-+SERVER_IP="$2"
-+USERNAME="$3"
-+PASSWORD="$4"
-+smbclient="$5"
-+CONFIGURATION="$6"
-+shift 6
-+ADDARGS="$@"
-+
-+incdir=`dirname $0`/../../../testprogs/blackbox
-+. $incdir/subunit.sh
-+
-+test_smbclient() {
-+ name="$1"
-+ cmd="$2"
-+ shift
-+ shift
-+ echo "test: $name"
-+ $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@
-+ status=$?
-+ if [ x$status = x0 ]; then
-+ echo "success: $name"
-+ else
-+ echo "failure: $name"
-+ fi
-+ return $status
-+}
-+
-+# TEST using \ as the separator (default)
-+test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
-+# TEST using / as the separator (default)
-+test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
-+
-+# TEST using 'winbind separator = +'
-+test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1`
-+
-+# TEST using 'winbind separator = +' set in a config file
-+smbclient_config="$PREFIX/tmpsmbconf"
-+cat > $smbclient_config <<EOF
-+[global]
-+ include = $(echo $CONFIGURATION | cut -d= -f2)
-+ winbind separator = +
-+EOF
-+
-+SAVE_CONFIGURATION="$CONFIGURATION"
-+CONFIGURATION="--configfile=$smbclient_config"
-+test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD || failed=`expr $failed + 1`
-+CONFIGURATION="$SAVE_CONFIGURATION"
-+rm -rf $smbclient_config
-+
-+exit $failed
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index dfe7866b283..d3cb071b903 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -152,6 +152,7 @@ plantestsuite("samba.vfstest.xattr-tdb-1", "nt4_dc:local", [os.path.join(samba3s
- plantestsuite("samba.vfstest.acl", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-acl/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
- plantestsuite("samba.vfstest.catia", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-catia/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
-
-+plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
- for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
- env = "nt4_dc"
- plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
---
-2.13.1
-
diff --git a/SOURCES/samba-v4-6-fix_winbind_child_crash.patch b/SOURCES/samba-v4-6-fix_winbind_child_crash.patch
deleted file mode 100644
index d081a40..0000000
--- a/SOURCES/samba-v4-6-fix_winbind_child_crash.patch
+++ /dev/null
@@ -1,227 +0,0 @@
-From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 21 Mar 2017 09:57:30 +0100
-Subject: [PATCH 1/2] s3:libads: Remove obsolete
- smb_krb5_get_ntstatus_from_init_creds()
-
-There is no way we can get a better error code out of this. The original
-function called was krb5_get_init_creds_opt_get_error() which has been
-deprecated in 2008.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Uri Simchoni <uri@samba.org>
-(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e)
----
- source3/libads/kerberos.c | 169 ----------------------------------------------
- 1 file changed, 169 deletions(-)
-
-Index: samba-4.6.2/source3/libads/kerberos.c
-===================================================================
---- samba-4.6.2.orig/source3/libads/kerberos.c
-+++ samba-4.6.2/source3/libads/kerberos.c
-@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da
- return 0;
- }
-
--static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
-- DATA_BLOB *edata,
-- DATA_BLOB *edata_out)
--{
-- DATA_BLOB edata_contents;
-- ASN1_DATA *data;
-- int edata_type;
--
-- if (!edata->length) {
-- return false;
-- }
--
-- data = asn1_init(mem_ctx);
-- if (data == NULL) {
-- return false;
-- }
--
-- if (!asn1_load(data, *edata)) goto err;
-- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
-- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
-- if (!asn1_read_Integer(data, &edata_type)) goto err;
--
-- if (edata_type != KRB5_PADATA_PW_SALT) {
-- DEBUG(0,("edata is not of required type %d but of type %d\n",
-- KRB5_PADATA_PW_SALT, edata_type));
-- goto err;
-- }
--
-- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
-- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
-- if (!asn1_end_tag(data)) goto err;
-- if (!asn1_end_tag(data)) goto err;
-- if (!asn1_end_tag(data)) goto err;
-- asn1_free(data);
--
-- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
--
-- data_blob_free(&edata_contents);
--
-- return true;
--
-- err:
--
-- asn1_free(data);
-- return false;
--}
--
-- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
-- NTSTATUS *nt_status)
--{
-- DATA_BLOB edata;
-- DATA_BLOB unwrapped_edata;
-- TALLOC_CTX *mem_ctx;
-- struct KRB5_EDATA_NTSTATUS parsed_edata;
-- enum ndr_err_code ndr_err;
--
--#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
-- edata = data_blob(error->e_data->data, error->e_data->length);
--#else
-- edata = data_blob(error->e_data.data, error->e_data.length);
--#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
--
--#ifdef DEVELOPER
-- dump_data(10, edata.data, edata.length);
--#endif /* DEVELOPER */
--
-- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
-- if (mem_ctx == NULL) {
-- data_blob_free(&edata);
-- return False;
-- }
--
-- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
-- data_blob_free(&edata);
-- TALLOC_FREE(mem_ctx);
-- return False;
-- }
--
-- data_blob_free(&edata);
--
-- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx,
-- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
-- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-- data_blob_free(&unwrapped_edata);
-- TALLOC_FREE(mem_ctx);
-- return False;
-- }
--
-- data_blob_free(&unwrapped_edata);
--
-- if (nt_status) {
-- *nt_status = parsed_edata.ntstatus;
-- }
--
-- TALLOC_FREE(mem_ctx);
--
-- return True;
--}
--
--static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
-- krb5_principal client,
-- krb5_get_init_creds_opt *opt,
-- NTSTATUS *nt_status)
--{
-- krb5_init_creds_context icc;
-- krb5_error_code code;
--#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
-- /* HEIMDAL */
-- krb5_error error;
--#else
-- krb5_error *error = NULL;
--#endif
-- bool ok;
--
-- code = krb5_init_creds_init(ctx,
-- client,
-- NULL,
-- NULL,
-- 0,
-- opt,
-- &icc);
-- if (code != 0) {
-- DBG_WARNING("krb5_init_creds_init failed with: %s\n",
-- error_message(code));
-- return false;
-- }
--
-- code = krb5_init_creds_get_error(ctx,
-- icc,
-- &error);
-- if (code != 0) {
-- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
-- error_message(code));
-- return false;
-- }
-- krb5_init_creds_free(ctx, icc);
--
--#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
-- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
--
-- krb5_free_error_contents(ctx, &error);
--#else
-- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
--
-- krb5_free_error(ctx, error);
--#endif
--
-- return ok;
--}
--
- /*
- simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
- place in default cache location.
-@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch
- }
- out:
- if (ntstatus) {
--
-- NTSTATUS status;
--
- /* fast path */
- if (code == 0) {
- *ntstatus = NT_STATUS_OK;
- goto cleanup;
- }
-
-- /* try to get ntstatus code out of krb5_error when we have it
-- * inside the krb5_get_init_creds_opt - gd */
--
-- if (opt != NULL) {
-- bool ok;
--
-- ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
-- me,
-- opt,
-- &status);
-- if (ok) {
-- *ntstatus = status;
-- goto cleanup;
-- }
-- }
--
- /* fall back to self-made-mapping */
- *ntstatus = krb5_to_nt_status(code);
- }
-Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh
-===================================================================
---- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh
-+++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh
-@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d
-
- testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
-
-+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
-+
-+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
-+
- rm -f $KRB5CCNAME_PATH
-
- exit $failed
diff --git a/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch
deleted file mode 100644
index f29cddb..0000000
--- a/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 20 Jun 2017 10:27:07 +0200
-Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
----
- source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++---
- 1 file changed, 31 insertions(+), 3 deletions(-)
-
-diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
-index 8c764f77b08..b0bf6784ba6 100644
---- a/source3/winbindd/wb_getpwsid.c
-+++ b/source3/winbindd/wb_getpwsid.c
-@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
- req, struct wb_getpwsid_state);
- struct winbindd_pw *pw = state->pw;
- struct wbint_userinfo *info;
-+ struct winbindd_domain *domain = NULL;
- fstring acct_name, output_username;
-+ char *mapped_name = NULL;
- char *tmp;
- NTSTATUS status;
-
-@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
- return;
- }
-
-- fill_domain_username(output_username, info->domain_name,
-- acct_name, true);
-+ domain = find_domain_from_name_noinit(info->domain_name);
-+ if (tevent_req_nomem(domain, req)) {
-+ return;
-+ }
-+
-+ /*
-+ * TODO:
-+ * This function should be called in 'idmap winbind child'. It shouldn't
-+ * be a blocking call, but for this we need to add a new function for
-+ * winbind.idl. This is a fix which can be backported for now.
-+ */
-+ status = normalize_name_map(state,
-+ domain,
-+ acct_name,
-+ &mapped_name);
-+ if (NT_STATUS_IS_OK(status)) {
-+ fill_domain_username(output_username,
-+ info->domain_name,
-+ mapped_name, true);
-+ fstrcpy(acct_name, mapped_name);
-+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
-+ fstrcpy(acct_name, mapped_name);
-+ } else {
-+ fill_domain_username(output_username,
-+ info->domain_name,
-+ acct_name, true);
-+ }
-+
- strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));
-
- strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "",
-@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
- TALLOC_FREE(tmp);
-
- tmp = talloc_sub_specified(
-- state, info->shell, info->acct_name,
-+ state, info->shell, acct_name,
- info->primary_group_name, info->domain_name,
- pw->pw_uid, pw->pw_gid);
- if (tevent_req_nomem(tmp, req)) {
---
-2.13.1
-
diff --git a/SOURCES/samba-v4.6-credentials-fix-realm.patch b/SOURCES/samba-v4.6-credentials-fix-realm.patch
deleted file mode 100644
index 8583d5b..0000000
--- a/SOURCES/samba-v4.6-credentials-fix-realm.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
-Author: Andreas Schneider <asn@samba.org>
-Date: Wed Dec 21 22:17:22 2016 +0100
-
- auth/credentials: Always set the the realm if we set the principal from the ccache
-
- This fixes a bug in gensec_gssapi_client_start() where an invalid realm
- is used to get a Kerberos ticket.
-
- Signed-off-by: Andreas Schneider <asn@samba.org>
- Reviewed-by: Stefan Metzmacher <metze@samba.org>
- (cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
-
-diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
-index 0e68012..1912c48 100644
---- a/auth/credentials/credentials_krb5.c
-+++ b/auth/credentials/credentials_krb5.c
-@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
- enum credentials_obtained obtained,
- const char **error_string)
- {
--
-+ bool ok;
-+ char *realm;
- krb5_principal princ;
- krb5_error_code ret;
- char *name;
-@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
- return ret;
- }
-
-- cli_credentials_set_principal(cred, name, obtained);
--
-+ ok = cli_credentials_set_principal(cred, name, obtained);
-+ if (!ok) {
-+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
-+ return ENOMEM;
-+ }
- free(name);
-
-+ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
-+ princ);
- krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
-+ if (realm == NULL) {
-+ return ENOMEM;
-+ }
-+ ok = cli_credentials_set_realm(cred, realm, obtained);
-+ SAFE_FREE(realm);
-+ if (!ok) {
-+ return ENOMEM;
-+ }
-
- /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
- cred->ccache_obtained = obtained;
diff --git a/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch b/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch
deleted file mode 100644
index 5c66709..0000000
--- a/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch
+++ /dev/null
@@ -1,391 +0,0 @@
-From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 18 Aug 2017 16:08:46 +0200
-Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29)
----
- source3/include/proto.h | 3 ++-
- source3/libsmb/passchange.c | 5 +++--
- source3/utils/smbpasswd.c | 3 ++-
- 3 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index baa579995a5..9deb27b416b 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain,
-
- /* The following definitions come from libsmb/passchange.c */
-
--NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
-+NTSTATUS remote_password_change(const char *remote_machine,
-+ const char *domain, const char *user_name,
- const char *old_passwd, const char *new_passwd,
- char **err_str);
-
-diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
-index c89b7ca85d1..48ffba8036f 100644
---- a/source3/libsmb/passchange.c
-+++ b/source3/libsmb/passchange.c
-@@ -30,7 +30,8 @@
- Change a password on a remote machine using IPC calls.
- *************************************************************/
-
--NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
-+NTSTATUS remote_password_change(const char *remote_machine,
-+ const char *domain, const char *user_name,
- const char *old_passwd, const char *new_passwd,
- char **err_str)
- {
-@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
-
- creds = cli_session_creds_init(cli,
- user_name,
-- NULL, /* domain */
-+ domain,
- NULL, /* realm */
- old_passwd,
- false, /* use_kerberos */
-diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
-index 437a5e551bb..4d7a3c739bc 100644
---- a/source3/utils/smbpasswd.c
-+++ b/source3/utils/smbpasswd.c
-@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username,
- fprintf(stderr, "Invalid remote operation!\n");
- return NT_STATUS_UNSUCCESSFUL;
- }
-- ret = remote_password_change(remote_mach, username,
-+ ret = remote_password_change(remote_mach,
-+ NULL, username,
- old_passwd, new_pw, &err_str);
- } else {
- ret = local_password_change(username, local_flags, new_pw,
---
-2.14.1
-
-
-From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 18 Aug 2017 16:10:06 +0200
-Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950)
----
- source3/include/proto.h | 7 -------
- source3/libsmb/proto.h | 10 ++++++++++
- source3/utils/smbpasswd.c | 1 +
- 3 files changed, 11 insertions(+), 7 deletions(-)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 9deb27b416b..67e1a9d750e 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain,
- fstring srv_name,
- struct sockaddr_storage *ss_out);
-
--/* The following definitions come from libsmb/passchange.c */
--
--NTSTATUS remote_password_change(const char *remote_machine,
-- const char *domain, const char *user_name,
-- const char *old_passwd, const char *new_passwd,
-- char **err_str);
--
- /* The following definitions come from libsmb/smberr.c */
-
- const char *smb_dos_err_name(uint8_t e_class, uint16_t num);
-diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
-index a583a8ee159..44f4d04cff5 100644
---- a/source3/libsmb/proto.h
-+++ b/source3/libsmb/proto.h
-@@ -31,6 +31,9 @@
-
- struct smb_trans_enc_state;
- struct cli_credentials;
-+struct cli_state;
-+struct file_info;
-+struct print_job_info;
-
- /* The following definitions come from libsmb/cliconnect.c */
-
-@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname,
- TALLOC_CTX *mem_ctx, char **psubstitute_name,
- char **pprint_name, uint32_t *pflags);
-
-+/* The following definitions come from libsmb/passchange.c */
-+
-+NTSTATUS remote_password_change(const char *remote_machine,
-+ const char *domain, const char *user_name,
-+ const char *old_passwd, const char *new_passwd,
-+ char **err_str);
-+
- #endif /* _LIBSMB_PROTO_H_ */
-diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
-index 4d7a3c739bc..6eb2deb7a3b 100644
---- a/source3/utils/smbpasswd.c
-+++ b/source3/utils/smbpasswd.c
-@@ -21,6 +21,7 @@
- #include "secrets.h"
- #include "../librpc/gen_ndr/samr.h"
- #include "../lib/util/util_pw.h"
-+#include "libsmb/proto.h"
- #include "passdb.h"
-
- /*
---
-2.14.1
-
-
-From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 18 Aug 2017 16:13:15 +0200
-Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change()
- in smbpasswd
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373)
----
- source3/utils/smbpasswd.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
-index 6eb2deb7a3b..b0e08cc0e58 100644
---- a/source3/utils/smbpasswd.c
-+++ b/source3/utils/smbpasswd.c
-@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get)
- Change a password either locally or remotely.
- *************************************************************/
-
--static NTSTATUS password_change(const char *remote_mach, char *username,
-- char *old_passwd, char *new_pw,
-+static NTSTATUS password_change(const char *remote_mach,
-+ const char *username,
-+ const char *old_passwd, const char *new_pw,
- int local_flags)
- {
- NTSTATUS ret;
---
-2.14.1
-
-
-From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 18 Aug 2017 16:14:57 +0200
-Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit b483340639157fe95777672f5723455c48c3c616)
----
- source3/utils/smbpasswd.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
-index b0e08cc0e58..92712e38f6b 100644
---- a/source3/utils/smbpasswd.c
-+++ b/source3/utils/smbpasswd.c
-@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get)
- *************************************************************/
-
- static NTSTATUS password_change(const char *remote_mach,
-- const char *username,
-+ const char *domain, const char *username,
- const char *old_passwd, const char *new_pw,
- int local_flags)
- {
-@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach,
- return NT_STATUS_UNSUCCESSFUL;
- }
- ret = remote_password_change(remote_mach,
-- NULL, username,
-+ domain, username,
- old_passwd, new_pw, &err_str);
- } else {
- ret = local_password_change(username, local_flags, new_pw,
-@@ -466,7 +466,8 @@ static int process_root(int local_flags)
- }
- }
-
-- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name,
-+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
-+ NULL, user_name,
- old_passwd, new_passwd,
- local_flags))) {
- result = 1;
-@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags)
- exit(1);
- }
-
-- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw,
-- new_pw, 0))) {
-+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
-+ NULL, user_name,
-+ old_pw, new_pw, 0))) {
- result = 1;
- goto done;
- }
---
-2.14.1
-
-
-From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 18 Aug 2017 16:17:08 +0200
-Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name
- in smbpasswd
-
-If a local user wants to change his password using smbpasswd and the
-machine is a domain member, we need to make sure we authenticate against
-our SAM and not ask winbind.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02)
----
- source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++-----
- 1 file changed, 27 insertions(+), 5 deletions(-)
-
-diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
-index 92712e38f6b..556e6869da7 100644
---- a/source3/utils/smbpasswd.c
-+++ b/source3/utils/smbpasswd.c
-@@ -58,7 +58,7 @@ static void usage(void)
- printf(" -c smb.conf file Use the given path to the smb.conf file\n");
- printf(" -D LEVEL debug level\n");
- printf(" -r MACHINE remote machine\n");
-- printf(" -U USER remote username\n");
-+ printf(" -U USER remote username (e.g. SAM/user)\n");
-
- printf("extra options when run by root or in local mode:\n");
- printf(" -a add user\n");
-@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags)
-
- user_name[0] = '\0';
-
-- while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
-+ while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) {
- switch(ch) {
- case 'L':
- if (getuid() != 0) {
-@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags)
- int result = 0;
- char *old_pw = NULL;
- char *new_pw = NULL;
-+ const char *username = user_name;
-+ const char *domain = NULL;
-+ char *p = NULL;
-
- if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) {
- /* Extra flags that we can't honor non-root */
-@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags)
- }
- }
-
-+ /* Allow domain as part of the username */
-+ if ((p = strchr_m(user_name, '\\')) ||
-+ (p = strchr_m(user_name, '/')) ||
-+ (p = strchr_m(user_name, *lp_winbind_separator()))) {
-+ *p = '\0';
-+ username = p + 1;
-+ domain = user_name;
-+ }
-+
- /*
- * A non-root user is always setting a password
- * via a remote machine (even if that machine is
-@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags)
-
- load_interfaces(); /* Delayed from main() */
-
-- if (remote_machine == NULL) {
-+ if (remote_machine != NULL) {
-+ if (!is_ipaddress(remote_machine)) {
-+ domain = remote_machine;
-+ }
-+ } else {
- remote_machine = "127.0.0.1";
-+
-+ /*
-+ * If we deal with a local user, change the password for the
-+ * user in our SAM.
-+ */
-+ domain = get_global_sam_name();
- }
-
- if (remote_machine != NULL) {
-@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags)
- }
-
- if (!NT_STATUS_IS_OK(password_change(remote_machine,
-- NULL, user_name,
-+ domain, username,
- old_pw, new_pw, 0))) {
- result = 1;
- goto done;
- }
-
-- printf("Password changed for user %s\n", user_name);
-+ printf("Password changed for user %s\n", username);
-
- done:
- SAFE_FREE(old_pw);
---
-2.14.1
-
-
-From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 22 Aug 2017 15:46:07 +0200
-Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
-
-Review with: git show -U20
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlet <abartlet@samba.org>
-(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e)
----
- source3/utils/smbpasswd.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
-index 556e6869da7..fb7ad283995 100644
---- a/source3/utils/smbpasswd.c
-+++ b/source3/utils/smbpasswd.c
-@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags)
- domain = get_global_sam_name();
- }
-
-- if (remote_machine != NULL) {
-- old_pw = get_pass("Old SMB password:",stdin_passwd_get);
-- if (old_pw == NULL) {
-- fprintf(stderr, "Unable to get old password.\n");
-- exit(1);
-- }
-+ old_pw = get_pass("Old SMB password:",stdin_passwd_get);
-+ if (old_pw == NULL) {
-+ fprintf(stderr, "Unable to get old password.\n");
-+ exit(1);
- }
-
- if (!new_passwd) {
---
-2.14.1
-
diff --git a/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch b/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch
deleted file mode 100644
index 74daaa8..0000000
--- a/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From fbef6bd05629e3f5939317bd073a2281fcc3b636 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 30 May 2017 16:30:33 +0200
-Subject: [PATCH] libcli:smb2: Gracefully handle not supported for
- FSCTL_VALIDATE_NEGOTIATE_INFO
-
-If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only
-server then gracefully handle NT_STATUS_NOT_SUPPORTED too.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Pair-Programmed-With: Guenther Deschner <gd@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Volker Lendecke <vl@samba.org>
-Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
-
-(cherry picked from commit a4d9438ecf92614a0915b9cf61f905ea8170043a)
----
- libcli/smb/smbXcli_base.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
-index a7b24f01497..593edf9ce78 100644
---- a/libcli/smb/smbXcli_base.c
-+++ b/libcli/smb/smbXcli_base.c
-@@ -5321,6 +5321,21 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
- tevent_req_done(req);
- return;
- }
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-+ /*
-+ * The response was signed, but not supported
-+ *
-+ * This might be returned by older Windows versions or by
-+ * NetApp SMB server implementations.
-+ *
-+ * See
-+ *
-+ * https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/
-+ *
-+ */
-+ tevent_req_done(req);
-+ return;
-+ }
- if (tevent_req_nterror(req, status)) {
- return;
- }
---
-2.13.1.518.g3df882009-goog
-
diff --git a/SOURCES/samba-v4.6-gss_krb5_import_cred.patch b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch
deleted file mode 100644
index 72f2904..0000000
--- a/SOURCES/samba-v4.6-gss_krb5_import_cred.patch
+++ /dev/null
@@ -1,543 +0,0 @@
-From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Fri, 3 Mar 2017 17:08:09 +0200
-Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108)
----
- wscript_configure_system_mitkrb5 | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
-index 06a9821..d3e8ebf 100644
---- a/wscript_configure_system_mitkrb5
-+++ b/wscript_configure_system_mitkrb5
-@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN('''
- gsskrb5_extract_authz_data_from_sec_context
- gss_krb5_export_lucid_sec_context
- gss_import_cred gss_export_cred
-+ gss_acquire_cred_from
- ''', 'gssapi gssapi_krb5')
- conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers)
- conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
---
-2.9.3
-
-
-From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Fri, 3 Mar 2017 16:14:57 +0200
-Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
-
-Wrap gss_krb5_import_cred() to allow re-implementing it with
-gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
-works fine with GSSAPI interposer (GSS-proxy) while
-gss_krb5_import_cred() is not interposed yet.
-
-The wrapper has additional parameter, krb5_context handle, to facilitate
-with credentials cache name discovery. All our callers to
-gss_krb5_import_cred() already have krb5 context handy.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)
----
- lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++
- lib/krb5_wrap/gss_samba.h | 13 +++++
- 2 files changed, 134 insertions(+)
-
-diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
-index b444633..757ffc5 100644
---- a/lib/krb5_wrap/gss_samba.c
-+++ b/lib/krb5_wrap/gss_samba.c
-@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
- }
- #endif /* !HAVE_GSS_OID_EQUAL */
-
-+
-+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
-+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
-+ * interposed by GSSPROXY while gss_krb5_import_cred() is not.
-+ *
-+ * This wrapper requires a proper krb5_context to resolve ccache name.
-+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
-+uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
-+ krb5_ccache id, krb5_principal keytab_principal,
-+ krb5_keytab keytab, gss_cred_id_t *cred)
-+{
-+ uint32_t major_status = 0;
-+
-+#if HAVE_GSS_ACQUIRE_CRED_FROM
-+ uint32_t minor = 0;
-+ gss_key_value_element_desc ccache_element = {
-+ .key = "ccache",
-+ .value = NULL,
-+ };
-+
-+ gss_key_value_element_desc keytab_element = {
-+ .key = "keytab",
-+ .value = NULL,
-+ };
-+
-+ gss_key_value_element_desc elements[2];
-+
-+ gss_key_value_set_desc cred_store = {
-+ .elements = &ccache_element,
-+ .count = 1,
-+ };
-+
-+ gss_OID_set mech_set = GSS_C_NO_OID_SET;
-+ gss_cred_usage_t cred_usage = GSS_C_INITIATE;
-+ gss_name_t name = NULL;
-+ gss_buffer_desc pr_name = {
-+ .value = NULL,
-+ .length = 0,
-+ };
-+
-+ if (id != NULL) {
-+ major_status = krb5_cc_get_full_name(ctx,
-+ id,
-+ discard_const(&ccache_element.value));
-+ if (major_status != 0) {
-+ return major_status;
-+ }
-+ }
-+
-+ if (keytab != NULL) {
-+ keytab_element.value = malloc(4096);
-+ if (!keytab_element.value) {
-+ return ENOMEM;
-+ }
-+ major_status = krb5_kt_get_name(ctx,
-+ keytab,
-+ discard_const(keytab_element.value), 4096);
-+ if (major_status != 0) {
-+ free(discard_const(keytab_element.value));
-+ return major_status;
-+ }
-+ cred_usage = GSS_C_ACCEPT;
-+ cred_store.elements = &keytab_element;
-+
-+ if (keytab_principal != NULL) {
-+ major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
-+ if (major_status != 0) {
-+ free(discard_const(keytab_element.value));
-+ return major_status;
-+ }
-+ pr_name.length = strlen(pr_name.value);
-+
-+ major_status = gss_import_name(minor_status,
-+ &pr_name,
-+ discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
-+ &name);
-+ if (major_status != 0) {
-+ krb5_free_unparsed_name(ctx, pr_name.value);
-+ free(discard_const(keytab_element.value));
-+ return major_status;
-+ }
-+ }
-+ }
-+
-+ if (id != NULL && keytab != NULL) {
-+ elements[0] = ccache_element;
-+ elements[1] = keytab_element;
-+
-+ cred_store.elements = elements;
-+ cred_store.count = 2;
-+ cred_usage = GSS_C_BOTH;
-+ }
-+
-+ major_status = gss_acquire_cred_from(minor_status,
-+ name,
-+ 0,
-+ mech_set,
-+ cred_usage,
-+ &cred_store,
-+ cred,
-+ NULL,
-+ NULL);
-+
-+ if (pr_name.value != NULL) {
-+ (void)gss_release_name(&minor, &name);
-+ krb5_free_unparsed_name(ctx, pr_name.value);
-+ }
-+ if (keytab_element.value != NULL) {
-+ free(discard_const(keytab_element.value));
-+ }
-+ krb5_free_string(ctx, discard_const(ccache_element.value));
-+#else
-+ major_status = gss_krb5_import_cred(minor_status,
-+ id,
-+ keytab_principal,
-+ keytab, cred);
-+#endif
-+ return major_status;
-+}
-+
-+
- #endif /* HAVE_GSSAPI */
-diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
-index 5319932..89aee34 100644
---- a/lib/krb5_wrap/gss_samba.h
-+++ b/lib/krb5_wrap/gss_samba.h
-@@ -25,6 +25,7 @@
- #ifdef HAVE_GSSAPI
-
- #include "system/gssapi.h"
-+#include "krb5_samba.h"
-
- #if defined(HAVE_GSS_OID_EQUAL)
- #define smb_gss_oid_equal gss_oid_equal
-@@ -32,5 +33,17 @@
- int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid);
- #endif /* HAVE_GSS_OID_EQUAL */
-
-+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
-+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
-+ * interposed by GSS-proxy while gss_krb5_import_cred() is not.
-+ *
-+ * This wrapper requires a proper krb5_context to resolve the ccache name for
-+ * gss_acquire_cred_from().
-+ *
-+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
-+uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
-+ krb5_ccache id, krb5_principal keytab_principal,
-+ krb5_keytab keytab, gss_cred_id_t *cred);
-+
- #endif /* HAVE_GSSAPI */
- #endif /* _GSS_SAMBA_H */
---
-2.9.3
-
-
-From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Fri, 3 Mar 2017 16:57:13 +0200
-Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1)
----
- auth/credentials/credentials_krb5.c | 22 +++++++++++++---------
- 1 file changed, 13 insertions(+), 9 deletions(-)
-
-diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
-index e974df9..0e68012 100644
---- a/auth/credentials/credentials_krb5.c
-+++ b/auth/credentials/credentials_krb5.c
-@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
- return ENOMEM;
- }
-
-- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
-- &gcc->creds);
-+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
-+ ccache->ccache, NULL, NULL,
-+ &gcc->creds);
- if ((maj_stat == GSS_S_FAILURE) &&
- (min_stat == (OM_uint32)KRB5_CC_END ||
- min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
-@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
- return ret;
- }
-
-- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
-- &gcc->creds);
-+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
-+ ccache->ccache, NULL, NULL,
-+ &gcc->creds);
-
- }
-
-@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
- } else {
- ret = EINVAL;
- }
-- (*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
-+ (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret));
- return ret;
- }
-
-@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
-
- if (ktc->password_based || obtained < CRED_SPECIFIED) {
- /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
-- maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
-- &gcc->creds);
-+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
-+ NULL, NULL, ktc->keytab,
-+ &gcc->creds);
- } else {
- /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
-- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
-- &gcc->creds);
-+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
-+ NULL, princ, ktc->keytab,
-+ &gcc->creds);
- }
- if (maj_stat) {
- if (min_stat) {
---
-2.9.3
-
-
-From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Fri, 3 Mar 2017 16:57:50 +0200
-Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9)
----
- source3/libads/sasl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index 8570788..30127fa 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
- goto done;
- }
-
-- maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
-+ maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred);
- if (maj != GSS_S_COMPLETE) {
- status = ADS_ERROR_GSS(maj, min);
- goto done;
---
-2.9.3
-
-
-From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Fri, 3 Mar 2017 16:58:14 +0200
-Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7)
----
- source3/librpc/crypto/gse.c | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index abf20bc..f4238f3 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
- /* TODO: get krb5 ticket using username/password, if no valid
- * one already available in ccache */
-
-- gss_maj = gss_krb5_import_cred(&gss_min,
-- gse_ctx->ccache,
-- NULL, /* keytab_principal */
-- NULL, /* keytab */
-- &gse_ctx->creds);
-+ gss_maj = smb_gss_krb5_import_cred(&gss_min,
-+ gse_ctx->k5ctx,
-+ gse_ctx->ccache,
-+ NULL, /* keytab_principal */
-+ NULL, /* keytab */
-+ &gse_ctx->creds);
- if (gss_maj) {
- char *ccache = NULL;
- int kret;
-@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
- ccache = NULL;
- }
-
-- DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
-+ DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -"
- "the caller may retry after a kinit.\n",
- ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
- SAFE_FREE(ccache);
-@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
- }
-
- /* This creates a GSSAPI cred_id_t with the keytab set */
-- gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
-- &gse_ctx->creds);
-+ gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx,
-+ NULL, NULL, gse_ctx->keytab,
-+ &gse_ctx->creds);
-
- if (gss_maj != 0
- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
-- DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
-+ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
- gse_errstr(gse_ctx, gss_maj, gss_min)));
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
---
-2.9.3
-
-
-From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Wed, 8 Mar 2017 12:38:49 +0200
-Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred
- wrapper
-
-MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
-credentials from a keytab without specifying actual principal.
-This was fixed in MIT krb5 1.9.2 (see commit
-71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
-master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
-
-Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
-expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
-code use of krb5 mech when calling to gss_acquire_cred.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
-Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144
-
-(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32)
----
- lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++---
- source3/librpc/crypto/gse.c | 49 +--------------------------------------------
- 2 files changed, 44 insertions(+), 51 deletions(-)
-
-diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
-index 757ffc5..9e5ad4a 100644
---- a/lib/krb5_wrap/gss_samba.c
-+++ b/lib/krb5_wrap/gss_samba.c
-@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
- krb5_free_string(ctx, discard_const(ccache_element.value));
- #else
- major_status = gss_krb5_import_cred(minor_status,
-- id,
-- keytab_principal,
-- keytab, cred);
-+ id,
-+ keytab_principal,
-+ keytab, cred);
-+
-+ if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
-+ if ((keytab_principal == NULL) && (keytab != NULL)) {
-+ /* No principal was specified and MIT krb5 1.9 version failed.
-+ * We have to fall back to set global acceptor identity */
-+ gss_OID_set_desc mech_set;
-+ char *kt_name = NULL;
-+
-+ kt_name = malloc(4096);
-+ if (!kt_name) {
-+ return ENOMEM;
-+ }
-+
-+ major_status = krb5_kt_get_name(ctx,
-+ keytab,
-+ kt_name, 4096);
-+ if (major_status != 0) {
-+ free(kt_name);
-+ return major_status;
-+ }
-+
-+ major_status = gsskrb5_register_acceptor_identity(kt_name);
-+ if (major_status) {
-+ free(kt_name);
-+ return major_status;
-+ }
-+
-+ /* We are dealing with krb5 GSSAPI mech in this fallback */
-+ mech_set.count = 1;
-+ mech_set.elements = gss_mech_krb5;
-+ major_status = gss_acquire_cred(minor_status,
-+ GSS_C_NO_NAME,
-+ GSS_C_INDEFINITE,
-+ &mech_set,
-+ GSS_C_ACCEPT,
-+ cred,
-+ NULL, NULL);
-+ free(kt_name);
-+ }
-+ }
- #endif
- return major_status;
- }
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index f4238f3..a111320 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
- NULL, NULL, gse_ctx->keytab,
- &gse_ctx->creds);
-
-- if (gss_maj != 0
-- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
-+ if (gss_maj != 0) {
- DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
- gse_errstr(gse_ctx, gss_maj, gss_min)));
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
--
-- /* This is the error the MIT krb5 1.9 gives when it
-- * implements the function, but we do not specify the
-- * principal. However, when we specify the principal
-- * as host$@REALM the GSS acceptor fails with 'wrong
-- * principal in request'. Work around the issue by
-- * falling back to the alternate approach below. */
-- } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
-- /* FIXME!!!
-- * This call sets the default keytab for the whole server, not
-- * just for this context. Need to find a way that does not alter
-- * the state of the whole server ... */
-- {
-- const char *ktname;
-- gss_OID_set_desc mech_set;
--
-- ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx,
-- gse_ctx->keytab, &ktname);
-- if (ret) {
-- status = NT_STATUS_INTERNAL_ERROR;
-- goto done;
-- }
--
-- ret = gsskrb5_register_acceptor_identity(ktname);
-- if (ret) {
-- status = NT_STATUS_INTERNAL_ERROR;
-- goto done;
-- }
--
-- mech_set.count = 1;
-- mech_set.elements = &gse_ctx->gss_mech;
--
-- gss_maj = gss_acquire_cred(&gss_min,
-- GSS_C_NO_NAME,
-- GSS_C_INDEFINITE,
-- &mech_set,
-- GSS_C_ACCEPT,
-- &gse_ctx->creds,
-- NULL, NULL);
--
-- if (gss_maj) {
-- DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
-- gse_errstr(gse_ctx, gss_maj, gss_min)));
-- status = NT_STATUS_INTERNAL_ERROR;
-- goto done;
-- }
- }
-
- status = NT_STATUS_OK;
---
-2.9.3
-
diff --git a/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
deleted file mode 100644
index 73c72cd..0000000
--- a/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Fri, 10 Mar 2017 16:20:06 +0200
-Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Implement a small Python module that exposes arcfour_crypt_blob()
-function widely used in Samba C code.
-
-When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
-there is a need to encrypt trusted credentials with RC4 cipher.
-
-Current Samba Python code relies on Python runtime to provide RC4
-cipher. However, in FIPS 140-2 mode system crypto libraries do not
-provide access RC4 cipher at all. According to Microsoft dochelp team,
-Windows is treating AuthenticationInformation blob encryption as 'plain
-text' in terms of FIPS 140-2, thus doing application-level encryption.
-
-Replace samba.arcfour_encrypt() implementation with a call to
-samba.crypto.arcfour_crypt_blob().
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Simo Sorce <idra@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
-
-(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)
----
- lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
- lib/crypto/wscript_build | 7 ++++
- python/samba/__init__.py | 16 ++-------
- 3 files changed, 99 insertions(+), 14 deletions(-)
- create mode 100644 lib/crypto/py_crypto.c
-
-diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
-new file mode 100644
-index 0000000..bf7f9f4
---- /dev/null
-+++ b/lib/crypto/py_crypto.c
-@@ -0,0 +1,90 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+ Samba crypto functions
-+
-+ Copyright (C) Alexander Bokovoy <ab@samba.org> 2017
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include <Python.h>
-+#include "includes.h"
-+#include "python/py3compat.h"
-+#include "lib/crypto/arcfour.h"
-+
-+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
-+{
-+ DATA_BLOB data, key;
-+ PyObject *py_data, *py_key, *result;
-+ TALLOC_CTX *ctx;
-+
-+ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
-+ return NULL;
-+
-+ if (!PyBytes_Check(py_data)) {
-+ PyErr_Format(PyExc_TypeError, "bytes expected");
-+ return NULL;
-+ }
-+
-+ if (!PyBytes_Check(py_key)) {
-+ PyErr_Format(PyExc_TypeError, "bytes expected");
-+ return NULL;
-+ }
-+
-+ ctx = talloc_new(NULL);
-+
-+ data.length = PyBytes_Size(py_data);
-+ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
-+ if (!data.data) {
-+ talloc_free(ctx);
-+ return PyErr_NoMemory();
-+ }
-+
-+ key.data = (uint8_t *)PyBytes_AsString(py_key);
-+ key.length = PyBytes_Size(py_key);
-+
-+ arcfour_crypt_blob(data.data, data.length, &key);
-+
-+ result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
-+ talloc_free(ctx);
-+ return result;
-+}
-+
-+
-+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
-+ "Encrypt the data with RC4 algorithm using the key";
-+
-+static PyMethodDef py_crypto_methods[] = {
-+ { "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
-+ { NULL },
-+};
-+
-+static struct PyModuleDef moduledef = {
-+ PyModuleDef_HEAD_INIT,
-+ .m_name = "crypto",
-+ .m_doc = "Crypto functions required for SMB",
-+ .m_size = -1,
-+ .m_methods = py_crypto_methods,
-+};
-+
-+MODULE_INIT_FUNC(crypto)
-+{
-+ PyObject *m;
-+
-+ m = PyModule_Create(&moduledef);
-+ if (m == NULL)
-+ return NULL;
-+
-+ return m;
-+}
-diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
-index 7f94532..d1f152e 100644
---- a/lib/crypto/wscript_build
-+++ b/lib/crypto/wscript_build
-@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
- autoproto='test_proto.h',
- deps='LIBCRYPTO'
- )
-+
-+for env in bld.gen_python_environments():
-+ bld.SAMBA_PYTHON('python_crypto',
-+ source='py_crypto.c',
-+ deps='LIBCRYPTO',
-+ realname='samba/crypto.so'
-+ )
-diff --git a/python/samba/__init__.py b/python/samba/__init__.py
-index 19d5e38..fa4244a 100644
---- a/python/samba/__init__.py
-+++ b/python/samba/__init__.py
-@@ -371,20 +371,8 @@ def string_to_byte_array(string):
- return blob
-
- def arcfour_encrypt(key, data):
-- try:
-- from Crypto.Cipher import ARC4
-- c = ARC4.new(key)
-- return c.encrypt(data)
-- except ImportError as e:
-- pass
-- try:
-- from M2Crypto.RC4 import RC4
-- c = RC4(key)
-- return c.update(data)
-- except ImportError as e:
-- pass
-- raise Exception("arcfour_encrypt() requires " +
-- "python*-crypto or python*-m2crypto or m2crypto")
-+ from samba.crypto import arcfour_crypt_blob
-+ return arcfour_crypt_blob(data, key)
-
- import _glue
- version = _glue.version
---
-2.9.3
-
diff --git a/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch
deleted file mode 100644
index f2f7cb6..0000000
--- a/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch
+++ /dev/null
@@ -1,405 +0,0 @@
-From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 16 Jan 2017 11:43:12 +0100
-Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows
-
-Since Windows Server 2008 Microsoft uses a different port range for RPC
-services. Before it was 1024-65535 and they changed it to 49152-65535.
-
-We should use the same range as these are the ports the firewall in AD
-networks normally allow.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3)
----
- source3/rpc_server/rpc_server.c | 4 ++--
- source4/smbd/service_stream.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
-index 5effe66d9bb..37fe68fc36d 100644
---- a/source3/rpc_server/rpc_server.c
-+++ b/source3/rpc_server/rpc_server.c
-@@ -34,8 +34,8 @@
- #include "rpc_server/srv_pipe_hnd.h"
- #include "rpc_server/srv_pipe.h"
-
--#define SERVER_TCP_LOW_PORT 1024
--#define SERVER_TCP_HIGH_PORT 1300
-+#define SERVER_TCP_LOW_PORT 49152
-+#define SERVER_TCP_HIGH_PORT 65535
-
- /* Creates a pipes_struct and initializes it with the information
- * sent from the client */
-diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
-index f0a379acf6a..96a303fc6a9 100644
---- a/source4/smbd/service_stream.c
-+++ b/source4/smbd/service_stream.c
-@@ -30,8 +30,8 @@
- #include "lib/util/util_net.h"
-
- /* the range of ports to try for dcerpc over tcp endpoints */
--#define SERVER_TCP_LOW_PORT 1024
--#define SERVER_TCP_HIGH_PORT 1300
-+#define SERVER_TCP_LOW_PORT 49152
-+#define SERVER_TCP_HIGH_PORT 65535
-
- /* size of listen() backlog in smbd */
- #define SERVER_LISTEN_BACKLOG 10
---
-2.11.0
-
-
-From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 16 Jan 2017 12:05:09 +0100
-Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC
- services
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d)
----
- docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +++++--
- .../smbdotconf/rpc/rpcserverdynamicportrange.xml | 22 ++++++++++
- lib/param/loadparm.c | 47 ++++++++++++++++++++++
- lib/param/loadparm.h | 9 ++++-
- lib/param/param.h | 3 ++
- python/samba/tests/docs.py | 11 +++--
- source3/include/proto.h | 2 +
- source3/param/loadparm.c | 16 ++++++++
- source3/rpc_server/rpc_server.c | 5 +--
- source4/smbd/service_stream.c | 8 ++--
- 10 files changed, 120 insertions(+), 17 deletions(-)
- create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
-
-diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml
-index 8a70835612f..0fd87d69212 100644
---- a/docs-xml/smbdotconf/protocol/rpcserverport.xml
-+++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml
-@@ -4,11 +4,19 @@
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
- <description>
- <para>Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.</para>
-- <para>This controls default port for all protocols, except for NETLOGON. If unset, the first available port after 1024 is used.</para>
-- <para>The NETLOGON server will use the next available port, eg 1025. To change this port use (eg) rpc server port:netlogon = 4000.</para>
-+ <para>This controls the default port for all protocols, except for NETLOGON.</para>
-+ <para>If unset, the first available port from <smbconfoption name="rpc server dynamic port range"/> is used, e.g. 49152.</para>
-+ <para>The NETLOGON server will use the next available port, e.g. 49153. To change this port use (eg) rpc server port:netlogon = 4000.</para>
- <para>Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000.</para>
-
-+ <para>This option applies currently only when
-+ <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
-+ runs as an active directory domain controller.</para>
-+
-+ <para>The default value 0 causes Samba to select the first available port from <smbconfoption name="rpc server dynamic port range"/>.</para>
- </description>
--<para>The default value 0 causes Samba to select the first available port after 1024.</para>
-+
-+<related>rpc server dynamic port range</related>
-+
- <value type="default">0</value>
- </samba:parameter>
-diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
-new file mode 100644
-index 00000000000..a9c51d2fe41
---- /dev/null
-+++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
-@@ -0,0 +1,22 @@
-+<samba:parameter name="rpc server dynamic port range"
-+ context="G"
-+ type="string"
-+ handler="handle_rpc_server_dynamic_port_range"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>
-+ This parameter tells the RPC server which port range it is
-+ allowed to use to create a listening socket for LSA, SAM,
-+ Netlogon and others without wellknown tcp ports.
-+ The first value is the lowest number of the port
-+ range and the second the hightest.
-+ </para>
-+ <para>
-+ This applies to RPC servers in all server roles.
-+ </para>
-+</description>
-+
-+<related>rpc server port</related>
-+
-+<value type="default">49152-65535</value>
-+</samba:parameter>
-diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
-index 6aa757f7c6b..3b54ff232aa 100644
---- a/lib/param/loadparm.c
-+++ b/lib/param/loadparm.c
-@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx)
- return lp_ctx->sDefault;
- }
-
-+int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
-+{
-+ return lp_ctx->globals->rpc_low_port;
-+}
-+
-+int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
-+{
-+ return lp_ctx->globals->rpc_high_port;
-+}
-+
- /**
- * Convenience routine to grab string parameters into temporary memory
- * and run standard_sub_basic on them.
-@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
- return true;
- }
-
-+bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
-+ struct loadparm_service *service,
-+ const char *pszParmValue,
-+ char **ptr)
-+{
-+ int low_port = -1, high_port = -1;
-+ int rc;
-+
-+ if (pszParmValue == NULL || pszParmValue[0] == '\0') {
-+ return false;
-+ }
-+
-+ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
-+ if (rc != 2) {
-+ return false;
-+ }
-+
-+ if (low_port > high_port) {
-+ return false;
-+ }
-+
-+ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
-+ return false;
-+ }
-+
-+ lp_ctx->globals->rpc_low_port = low_port;
-+ lp_ctx->globals->rpc_high_port = high_port;
-+
-+ return true;
-+}
-+
- bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
- struct loadparm_service *service,
- const char *pszParmValue, char **ptr)
-@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
- lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
- /* This appears odd, but globals in s3 isn't a pointer */
- lp_ctx->globals->ctx = lp_ctx->globals;
-+ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
-+ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
- lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
- lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
-
-@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
-
- lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
-
-+ lpcfg_do_global_parameter(lp_ctx,
-+ "rpc server dynamic port range",
-+ "49152-65535");
-+
- /* Allow modules to adjust defaults */
- for (defaults_hook = defaults_hooks; defaults_hook;
- defaults_hook = defaults_hook->next) {
-diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
-index f9fb7d8d804..c63683d6b66 100644
---- a/lib/param/loadparm.h
-+++ b/lib/param/loadparm.h
-@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
- #endif /* DEVELOPER */
- };
-
-+#define SERVER_TCP_LOW_PORT 49152
-+#define SERVER_TCP_HIGH_PORT 65535
-+
-+#define SERVER_TCP_PORT_MIN 1024
-+#define SERVER_TCP_PORT_MAX 65535
-
-
-
-@@ -272,7 +277,9 @@ enum inheritowner_options {
- #define LOADPARM_EXTRA_GLOBALS \
- struct parmlist_entry *param_opt; \
- char *dnsdomain; \
-- char *realm_original;
-+ char *realm_original; \
-+ int rpc_low_port; \
-+ int rpc_high_port;
-
- const char* server_role_str(uint32_t role);
- int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
-diff --git a/lib/param/param.h b/lib/param/param.h
-index 66037e2ef1b..e123e67a990 100644
---- a/lib/param/param.h
-+++ b/lib/param/param.h
-@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
- time_t *usr_tkt_lifetime,
- time_t *renewal_lifetime);
-
-+int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);
-+int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);
-+
- /* The following definitions come from lib/version.c */
-
- const char *samba_version_string(void);
-diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
-index 22e022583f6..65df573a350 100644
---- a/python/samba/tests/docs.py
-+++ b/python/samba/tests/docs.py
-@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase):
- 'lprm command', 'lpq command', 'print command', 'template homedir',
- 'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
- 'max open files', 'fss: prune stale', 'fss: sequence timeout',
-- 'include system krb5 conf'])
-+ 'include system krb5 conf', 'rpc server dynamic port range'])
-
- def setUp(self):
- super(SmbDotConfTests, self).setUp()
-@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase):
- exceptions = ['client lanman auth',
- 'client plaintext auth',
- 'registry shares',
-- 'smb ports'])
-+ 'smb ports',
-+ 'rpc server dynamic port range'])
- self._test_empty(['bin/testparm'])
-
- def test_default_s4(self):
- self._test_default(['bin/samba-tool', 'testparm'])
- self._set_defaults(['bin/samba-tool', 'testparm'])
- self._set_arbitrary(['bin/samba-tool', 'testparm'],
-- exceptions = ['smb ports'])
-+ exceptions = ['smb ports',
-+ 'rpc server dynamic port range'])
- self._test_empty(['bin/samba-tool', 'testparm'])
-
- def _test_default(self, program):
-@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
-
- for tuples in self.defaults:
- param, default, context, param_type = tuples
-+
- if param in self.special_cases:
- continue
- section = None
-@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
- for tuples in self.defaults:
- param, default, context, param_type = tuples
-
-- if param in ['printing']:
-+ if param in ['printing', 'rpc server dynamic port range']:
- continue
-
- section = None
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 642900ed67c..b3d3ca0e5d1 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
- int lp_smb2_max_credits(void);
- int lp_cups_encrypt(void);
- bool lp_widelinks(int );
-+int lp_rpc_low_port(void);
-+int lp_rpc_high_port(void);
-
- int lp_wi_scan_global_parametrics(
- const char *regex, size_t max_matches,
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index d8da749ccba..2c8380067f6 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
-
- Globals.aio_max_threads = 100;
-
-+ lpcfg_string_set(Globals.ctx,
-+ &Globals.rpc_server_dynamic_port_range,
-+ "49152-65535");
-+ Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
-+ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
-+
- /* Now put back the settings that were set with lp_set_cmdline() */
- apply_lp_set_cmdline();
- }
-@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void)
- return client_ipc_signing;
- }
-
-+int lp_rpc_low_port(void)
-+{
-+ return Globals.rpc_low_port;
-+}
-+
-+int lp_rpc_high_port(void)
-+{
-+ return Globals.rpc_high_port;
-+}
-+
- struct loadparm_global * get_globals(void)
- {
- return &Globals;
-diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
-index 37fe68fc36d..f7fb8ef5207 100644
---- a/source3/rpc_server/rpc_server.c
-+++ b/source3/rpc_server/rpc_server.c
-@@ -34,9 +34,6 @@
- #include "rpc_server/srv_pipe_hnd.h"
- #include "rpc_server/srv_pipe.h"
-
--#define SERVER_TCP_LOW_PORT 49152
--#define SERVER_TCP_HIGH_PORT 65535
--
- /* Creates a pipes_struct and initializes it with the information
- * sent from the client */
- int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
-@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
- if (*port == 0) {
- uint16_t i;
-
-- for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
-+ for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
- fd = open_socket_in(SOCK_STREAM,
- i,
- 0,
-diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
-index 96a303fc6a9..deb96d8d69d 100644
---- a/source4/smbd/service_stream.c
-+++ b/source4/smbd/service_stream.c
-@@ -29,10 +29,6 @@
- #include "../lib/tsocket/tsocket.h"
- #include "lib/util/util_net.h"
-
--/* the range of ports to try for dcerpc over tcp endpoints */
--#define SERVER_TCP_LOW_PORT 49152
--#define SERVER_TCP_HIGH_PORT 65535
--
- /* size of listen() backlog in smbd */
- #define SERVER_LISTEN_BACKLOG 10
-
-@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
- if (!port) {
- status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
- } else if (*port == 0) {
-- for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
-+ for (i = lpcfg_rpc_low_port(lp_ctx);
-+ i <= lpcfg_rpc_high_port(lp_ctx);
-+ i++) {
- socket_address->port = i;
- status = socket_listen(stream_socket->sock, socket_address,
- SERVER_LISTEN_BACKLOG, 0);
---
-2.11.0
-
diff --git a/SOURCES/smb.conf.vendor b/SOURCES/smb.conf.vendor
index 86c0aac..fe3f806 100644
--- a/SOURCES/smb.conf.vendor
+++ b/SOURCES/smb.conf.vendor
@@ -31,6 +31,7 @@
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
- write list = root
+ write list = @printadmin root
+ force group = @printadmin
create mask = 0664
directory mask = 0775
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 538d62f..09e2455 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,13 +6,13 @@
# ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering
-%define main_release 12
+%define main_release 6
-%define samba_version 4.6.2
+%define samba_version 4.7.1
%define talloc_version 2.1.9
-%define tdb_version 1.3.12
-%define tevent_version 0.9.31
-%define ldb_version 1.1.29
+%define tdb_version 1.3.14
+%define tevent_version 0.9.33
+%define ldb_version 1.2.2
# This should be rc1 or nil
%define pre_release %nil
@@ -36,9 +36,11 @@
%global with_profiling 1
-%global with_vfs_cephfs 1
-%if 0%{?rhel}
%global with_vfs_cephfs 0
+%if 0%{?fedora}
+%ifarch aarch64 ppc64le s390x x86_64
+%global with_vfs_cephfs 1
+%endif
%endif
%global with_vfs_glusterfs 1
@@ -50,18 +52,25 @@
%endif
%endif
-%global libwbc_alternatives_version 0.13
+%global with_intel_aes_accel 0
+%ifarch x86_64
+%global with_intel_aes_accel 1
+%endif
+
+%global libwbc_alternatives_version 0.14
%global libwbc_alternatives_suffix %nil
%if 0%{?__isa_bits} == 64
%global libwbc_alternatives_suffix -64
%endif
%global with_mitkrb5 1
+%global with_dc 1
+
+%if 0%{?rhel}
%global with_dc 0
+%endif
%if %{with testsuite}
-# The testsuite only works with a full build right now.
-%global with_mitkrb5 0
%global with_dc 1
%endif
@@ -95,8 +104,9 @@ Summary: Server and Client software to interoperate with Windows machines
License: GPLv3+ and LGPLv3+
URL: http://www.samba.org/
+# This is a xz recompressed file of https://ftp.samba.org/pub/samba/samba-%{version}%{pre_release}.tar.gz
Source0: samba-%{version}%{pre_release}.tar.xz
-Source1: samba-%{version}%{pre_release}.tar.asc
+Source1: https://ftp.samba.org/pub/samba/samba-%{version}%{pre_release}.tar.asc
Source2: gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
# Red Hat specific replacement-files
@@ -109,30 +119,14 @@ Source14: samba.pamd
Source200: README.dc
Source201: README.downgrade
-Patch0: samba-v4.6-gss_krb5_import_cred.patch
-Patch1: samba-v4.6-credentials-fix-realm.patch
-Patch2: samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
-Patch3: samba-v4-6-fix-building-with-new-glibc.patch
-Patch4: samba-v4-6-fix-cross-realm-refferals.patch
-Patch5: samba-v4-6-fix-kerberos-debug-message.patch
-Patch6: samba-v4-6-fix-net-ads-keytab-handling.patch
-Patch7: samba-v4-6-fix_winbind_child_crash.patch
-Patch8: samba-v4-6-fix_path_substitutions.patch
-Patch9: samba-v4-6-fix-spoolss-32bit-driver-upload.patch
-Patch10: CVE-2017-7494.patch
-Patch11: samba-v4-6-fix-vfs-expand-msdfs.patch
-Patch12: samba-v4.7-config-dynamic-rpc-port-range.patch
-Patch13: samba-v4-6-fix_smbclient_session_setup_info.patch
-Patch14: samba-v4-6-fix_smbclient_username_parsing.patch
-Patch15: samba-v4-6-fix_winbind_normalize_names.patch
-Patch16: samba-v4-6-fix_net_ads_changetrustpw.patch
-Patch17: samba-v4.6-fix_smbpasswd_user_pwd_change.patch
-Patch18: samba-v4.6-graceful_fsctl_validate_negotiate_info.patch
-Patch19: CVE-2017-12150.patch
-Patch20: CVE-2017-12151.patch
-Patch21: CVE-2017-12163.patch
-Patch22: CVE-2017-14746.patch
-Patch23: CVE-2017-15275.patch
+Patch0: CVE-2017-14746.patch
+Patch1: CVE-2017-15275.patch
+Patch2: samba-4.7-fix_smbclient_volume.patch
+Patch3: samba-4.7-fix_samba_with_systemd.patch
+Patch4: samba-4.7-net_ads_keytab_list.patch
+Patch5: samba-4.7-fix_aesni_intel_support.patch
+Patch6: samba-4.7-handle_smb_echo_gracefully.patch
+Patch7: samba-4.7-fix_smb2_client_read_after_free.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@@ -169,6 +163,7 @@ Obsoletes: samba-swat < %{samba_depver}
Provides: samba4-swat = %{samba_depver}
Obsoletes: samba4-swat < %{samba_depver}
+BuildRequires: avahi-devel
BuildRequires: cups-devel
BuildRequires: dbus-devel
BuildRequires: docbook-style-xsl
@@ -181,20 +176,25 @@ BuildRequires: libaio-devel
BuildRequires: libarchive-devel
BuildRequires: libattr-devel
BuildRequires: libcap-devel
+BuildRequires: libcmocka-devel
BuildRequires: libuuid-devel
BuildRequires: libxslt
BuildRequires: ncurses-devel
BuildRequires: openldap-devel
BuildRequires: pam-devel
-#BuildRequires: perl-generators
BuildRequires: perl(Test::More)
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(Parse::Yapp)
BuildRequires: popt-devel
-BuildRequires: python-devel
-#BuildRequires: python2-pygpgme
-#BuildRequires: python2-subunit
-BuildRequires: python-tevent
+BuildRequires: python2-devel
+BuildRequires: python-dns
+# This is required to avoid packaging the in tree
+# copy of Samba
+BuildRequires: python-iso8601
+%if %{with testsuite}
+BuildRequires: python2-pygpgme
+BuildRequires: python2-subunit
+%endif
BuildRequires: quota-devel
BuildRequires: readline-devel
BuildRequires: sed
@@ -209,12 +209,12 @@ BuildRequires: glusterfs-api-devel >= 3.4.0.16
BuildRequires: glusterfs-devel >= 3.4.0.16
%endif
%if %{with_vfs_cephfs}
-BuildRequires: libcephfs1-devel
+BuildRequires: libcephfs-devel
%endif
%if %{with_dc}
BuildRequires: gnutls-devel >= 3.4.7
# Required by samba-tool to run tests
-BuildRequires: python-crypto
+BuildRequires: python2-crypto
%endif
# pidl requirements
@@ -228,21 +228,21 @@ BuildRequires: pytalloc-devel >= %{libtalloc_version}
%endif
%if ! %with_internal_tevent
-%global libtevent_version 0.9.31
+%global libtevent_version 0.9.33
BuildRequires: libtevent-devel >= %{libtevent_version}
BuildRequires: python-tevent >= %{libtevent_version}
%endif
%if ! %with_internal_ldb
-%global libldb_version 1.1.29
+%global libldb_version 1.2.2
BuildRequires: libldb-devel >= %{libldb_version}
BuildRequires: pyldb-devel >= %{libldb_version}
%endif
%if ! %with_internal_tdb
-%global libtdb_version 1.3.12
+%global libtdb_version 1.3.14
BuildRequires: libtdb-devel >= %{libtdb_version}
BuildRequires: python-tdb >= %{libtdb_version}
@@ -250,16 +250,18 @@ BuildRequires: python-tdb >= %{libtdb_version}
%if %{with testsuite}
BuildRequires: ldb-tools
-BuildRequires: libcmocka-devel
+BuildRequires: tdb-tools
BuildRequires: python2-pygpgme
%endif
+%if %{with_dc}
+BuildRequires: krb5-server >= %{required_mit_krb5}
+BuildRequires: bind
+%endif
+
# filter out perl requirements pulled in from examples in the docdir.
-%{?filter_setup:
-%filter_provides_in %{_docdir}
-%filter_requires_in %{_docdir}
-%filter_setup
-}
+%global __requires_exclude_from ^%{_docdir}/.*$
+%global __provides_exclude_from ^%{_docdir}/.*$
### SAMBA
%description
@@ -350,11 +352,20 @@ Summary: Samba AD Domain Controller
Requires: %{name} = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
Requires: %{name}-dc-libs = %{samba_depver}
-Requires: %{name}-python = %{samba_depver}
Requires: %{name}-winbind = %{samba_depver}
%if %{with_dc}
-# samba-tool requirements
-Requires: python-crypto
+# samba-tool requirements, explicitly require python2 right now
+Requires: python2
+Requires: python2-%{name} = %{samba_depver}
+Requires: python2-crypto
+
+### Note that samba-dc right now cannot be used with Python 3
+### so we should make sure it does use python2 explicitly
+%if 0
+Requires: python3-crypto
+Requires: python3-%{name} = %{samba_depver}
+%endif
+Requires: krb5-server >= %{required_mit_krb5}
%endif
Provides: samba4-dc = %{samba_depver}
@@ -376,6 +387,20 @@ Obsoletes: samba4-dc-libs < %{samba_depver}
The %{name}-dc-libs package contains the libraries needed by the DC to
link against the SMB, RPC and other protocols.
+### DC-BIND
+%if %with_dc
+%package dc-bind-dlz
+Summary: Bind DLZ module for Samba AD
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-dc-libs = %{samba_depver}
+Requires: %{name}-dc = %{samba_depver}
+Requires: bind
+
+%description dc-bind-dlz
+The %{name}-dc-bind-dlz package contains the libraries for bind to manage all
+name server related details of Samba AD.
+%endif # with_dc
+
### DEVEL
%package devel
Summary: Developer tools for Samba libraries
@@ -394,7 +419,6 @@ libraries in the Samba suite.
%if %{with_vfs_cephfs}
%package vfs-cephfs
Summary: Samba VFS module for Ceph distributed storage system
-Requires: libcephfs1
Requires: %{name} = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
@@ -501,6 +525,7 @@ Requires: python-tevent
Requires: python-tdb
Requires: pyldb
Requires: pytalloc
+Requires: python-dns
Provides: samba4-python = %{samba_depver}
Obsoletes: samba4-python < %{samba_depver}
@@ -509,6 +534,24 @@ Obsoletes: samba4-python < %{samba_depver}
The %{name}-python package contains the Python libraries needed by programs
that use SMB, RPC and other Samba provided protocols in Python programs.
+%package python-test
+Summary: Samba Python libraries
+Requires: samba-python = %{samba_depver}
+
+%description python-test
+The %{name}-python-test package contains the Python libraries used by the test suite of Samba.
+If you want to run full set of Samba tests, you need to install this package.
+
+%if %{with_dc}
+%package python-dc
+Summary: Samba Python libraries for Samba AD
+Requires: samba-python = %{samba_depver}
+
+%description python-dc
+The %{name}-python-dc package contains the Python libraries needed by programs
+managing Samba AD.
+%endif
+
### PIDL
%package pidl
Summary: Perl IDL compiler
@@ -724,13 +767,14 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
%global _ldb_lib ,!ldb,!pyldb,!pyldb-util
%endif
-%global _samba4_libraries heimdal,!zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib}
+%global _samba_libraries !zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib}
-%global _samba4_idmap_modules idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2
-%global _samba4_pdb_modules pdb_tdbsam,pdb_ldap,pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4
-%global _samba4_auth_modules auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4
+%global _samba_idmap_modules idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2
+%global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4
+%global _samba_auth_modules auth_wbc,auth_unix,auth_server,auth_script,auth_samba4
+%global _samba_vfs_modules vfs_dfs_samba4
-%global _samba4_modules %{_samba4_idmap_modules},%{_samba4_pdb_modules},%{_samba4_auth_modules}
+%global _samba_modules %{_samba_idmap_modules},%{_samba_pdb_modules},%{_samba_auth_modules},%{_samba_vfs_modules}
%global _libsmbclient %nil
%global _libwbclient %nil
@@ -743,7 +787,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
%global _libwbclient wbclient,
%endif
-%global _samba4_private_libraries %{_libsmbclient}%{_libwbclient}
+%global _samba_private_libraries %{_libsmbclient}%{_libwbclient}
%configure \
--enable-fhs \
@@ -755,14 +799,14 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
--with-statedir=/var/lib/samba \
--with-cachedir=/var/lib/samba \
--disable-rpath-install \
- --with-shared-modules=%{_samba4_modules} \
- --bundled-libraries=%{_samba4_libraries} \
+ --with-shared-modules=%{_samba_modules} \
+ --bundled-libraries=%{_samba_libraries} \
--with-pam \
--with-pie \
--with-relro \
--without-fam \
%if (! %with_libsmbclient) || (! %with_libwbclient)
- --private-libraries=%{_samba4_private_libraries} \
+ --private-libraries=%{_samba_private_libraries} \
%endif
%if %with_mitkrb5
--with-system-mitkrb5 \
@@ -782,6 +826,9 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
%if %{with testsuite}
--enable-selftest \
%endif
+%if %with_intel_aes_accel
+ --accel-aes=intelaesni \
+%endif
--with-systemd
make %{?_smp_mflags}
@@ -790,6 +837,18 @@ make %{?_smp_mflags}
rm -rf %{buildroot}
make %{?_smp_mflags} install DESTDIR=%{buildroot}
+export PYTHON=%{__python2}
+# Workaround: make sure all general Python shebangs are pointing to Python 2
+# otherwise it will not work when default python is different from Python 2.
+# Samba tools aren't ready for Python 3 yet.
+for i in %{buildroot}%{_bindir} %{buildroot}%{_sbindir} ; do
+ find $i \
+ ! -name '*.pyc' -a \
+ ! -name '*.pyo' -a \
+ -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+ -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
+done
+
install -d -m 0755 %{buildroot}/usr/{sbin,bin}
install -d -m 0755 %{buildroot}%{_libdir}/security
install -d -m 0755 %{buildroot}/var/lib/samba
@@ -868,7 +927,11 @@ install -m 0644 %{SOURCE200} packaging/README.dc-libs
%endif
install -d -m 0755 %{buildroot}%{_unitdir}
-for i in nmb smb winbind ; do
+services="nmb smb winbind"
+%if %with_dc
+services="$services samba"
+%endif
+for i in $services ; do
cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba@g' >tmp$i.service
install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
done
@@ -887,12 +950,37 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%if ! %with_dc
for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \
- %{_libdir}/samba/libdnsserver-common-samba4.so \
- %{_mandir}/man8/samba.8 \
- %{_mandir}/man8/samba-tool.8 \
- %{_libdir}/samba/ldb/ildap.so \
- %{_libdir}/samba/ldb/ldbsamba_extensions.so ; do
- rm -f %{buildroot}$i
+ %{_libdir}/samba/libdnsserver-common-samba4.so \
+ %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \
+ %{_mandir}/man8/samba.8 \
+ %{_mandir}/man8/samba-tool.8 \
+ %{_libdir}/samba/ldb/ildap.so \
+ %{_libdir}/samba/ldb/ldbsamba_extensions.so \
+ %{python_sitearch}/samba/dcerpc/dnsserver.so \
+ %{python_sitearch}/samba/netcmd/fsmo.py* \
+ %{python_sitearch}/samba/netcmd/rodc.py* \
+ %{python_sitearch}/samba/kcc/__init__.py* \
+ %{python_sitearch}/samba/kcc/debug.py* \
+ %{python_sitearch}/samba/kcc/graph.py* \
+ %{python_sitearch}/samba/kcc/graph_utils.py* \
+ %{python_sitearch}/samba/kcc/kcc_utils.py* \
+ %{python_sitearch}/samba/kcc/ldif_import_export.py* \
+ %{python_sitearch}/samba/provision/__init__.py* \
+ %{python_sitearch}/samba/provision/backend.py* \
+ %{python_sitearch}/samba/provision/common.py* \
+ %{python_sitearch}/samba/provision/kerberos.py* \
+ %{python_sitearch}/samba/provision/kerberos_implementation.py* \
+ %{python_sitearch}/samba/provision/sambadns.py* \
+ %{python_sitearch}/samba/web_server/__init__.py* \
+ %{python_sitearch}/samba/dckeytab.so \
+ %{python_sitearch}/samba/dnsserver.py* \
+ %{python_sitearch}/samba/drs_utils.py* \
+ %{python_sitearch}/samba/dsdb.so \
+ %{python_sitearch}/samba/dsdb_dns.so \
+ %{python_sitearch}/samba/samdb.py* \
+ %{python_sitearch}/samba/schema.py* \
+ ; do
+ rm -f %{buildroot}$i
done
%endif
@@ -900,6 +988,10 @@ done
# the ldconfig-created links be recorded in the RPM.
/sbin/ldconfig -N -n %{buildroot}%{_libdir}
+# FIXME
+find %{buildroot}%{python2_sitearch} -name "*.pyc" -print -delete
+
+
%if %{with testsuite}
%check
TDB_NO_FSYNC=1 make %{?_smp_mflags} test
@@ -917,6 +1009,9 @@ TDB_NO_FSYNC=1 make %{?_smp_mflags} test
%systemd_postun_with_restart smb.service
%systemd_postun_with_restart nmb.service
+%pre common
+getent group printadmin >/dev/null || groupadd -r printadmin || :
+
%post common
/sbin/ldconfig
/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/samba.conf
@@ -949,6 +1044,15 @@ fi
%post dc-libs -p /sbin/ldconfig
%postun dc-libs -p /sbin/ldconfig
+
+%post dc
+%systemd_post samba.service
+
+%preun dc
+%systemd_preun samba.service
+
+%postun dc
+%systemd_postun_with_restart samba.service
%endif
%post krb5-printing
@@ -975,17 +1079,27 @@ fi
%posttrans -n libwbclient
# It has to be posttrans here to make sure all files of a previous version
# without alternatives support are removed
-%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
- libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} 10
+%{_sbindir}/update-alternatives \
+ --install \
+ %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
+ libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
+ %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} \
+ 10
/sbin/ldconfig
%preun -n libwbclient
-%{_sbindir}/update-alternatives --remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version}
+%{_sbindir}/update-alternatives \
+ --remove \
+ libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
+ %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version}
/sbin/ldconfig
%posttrans -n libwbclient-devel
-%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \
- libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so 10
+%{_sbindir}/update-alternatives \
+ --install %{_libdir}/libwbclient.so \
+ libwbclient.so%{libwbc_alternatives_suffix} \
+ %{_libdir}/samba/wbclient/libwbclient.so \
+ 10
%preun -n libwbclient-devel
# alternatives checks if the file which should be removed is a link or not, but
@@ -1066,10 +1180,13 @@ rm -rf %{buildroot}
%{_bindir}/eventlogadm
%{_sbindir}/nmbd
%{_sbindir}/smbd
+%if %with_dc
+# This is only used by vfs_dfs_samba4
+%{_libdir}/samba/libdfs-server-ad-samba4.so
+%endif
%dir %{_libdir}/samba/auth
%{_libdir}/samba/auth/script.so
%{_libdir}/samba/auth/unix.so
-%{_libdir}/samba/auth/wbc.so
%dir %{_libdir}/samba/vfs
%{_libdir}/samba/vfs/acl_tdb.so
%{_libdir}/samba/vfs/acl_xattr.so
@@ -1083,6 +1200,9 @@ rm -rf %{buildroot}
%{_libdir}/samba/vfs/commit.so
%{_libdir}/samba/vfs/crossrename.so
%{_libdir}/samba/vfs/default_quota.so
+%if %with_dc
+%{_libdir}/samba/vfs/dfs_samba4.so
+%endif
%{_libdir}/samba/vfs/dirsort.so
%{_libdir}/samba/vfs/expand_msdfs.so
%{_libdir}/samba/vfs/extd_audit.so
@@ -1170,8 +1290,7 @@ rm -rf %{buildroot}
%exclude %{_mandir}/man8/vfs_ceph.8*
%endif
-%dir /var/lib/samba/drivers
-%dir /var/lib/samba/lock
+%attr(775,root,printadmin) %dir /var/lib/samba/drivers
### CLIENT
%files client
@@ -1179,9 +1298,9 @@ rm -rf %{buildroot}
%{_bindir}/cifsdd
%{_bindir}/dbwrap_tool
%{_bindir}/findsmb
+%{_bindir}/mvxattr
%{_bindir}/nmblookup
%{_bindir}/oLschema2ldif
-%{_bindir}/mvxattr
%{_bindir}/regdiff
%{_bindir}/regpatch
%{_bindir}/regshell
@@ -1282,7 +1401,6 @@ rm -rf %{buildroot}
%{_libdir}/samba/libaddns-samba4.so
%{_libdir}/samba/libads-samba4.so
%{_libdir}/samba/libasn1util-samba4.so
-%{_libdir}/samba/libauth-sam-reply-samba4.so
%{_libdir}/samba/libauth-samba4.so
%{_libdir}/samba/libauthkrb5-samba4.so
%{_libdir}/samba/libcli-cldap-samba4.so
@@ -1293,9 +1411,9 @@ rm -rf %{buildroot}
%{_libdir}/samba/libcli-spoolss-samba4.so
%{_libdir}/samba/libcliauth-samba4.so
%{_libdir}/samba/libcmdline-credentials-samba4.so
+%{_libdir}/samba/libcommon-auth-samba4.so
%{_libdir}/samba/libdbwrap-samba4.so
%{_libdir}/samba/libdcerpc-samba-samba4.so
-%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
%{_libdir}/samba/libevents-samba4.so
%{_libdir}/samba/libflag-mapping-samba4.so
%{_libdir}/samba/libgenrand-samba4.so
@@ -1399,6 +1517,7 @@ rm -rf %{buildroot}
%ghost %dir /var/run/winbindd
%dir /var/lib/samba
%attr(700,root,root) %dir /var/lib/samba/private
+%dir /var/lib/samba/lock
%attr(755,root,root) %dir %{_sysconfdir}/samba
%config(noreplace) %{_sysconfdir}/samba/smb.conf
%{_sysconfdir}/samba/smb.conf.example
@@ -1414,6 +1533,9 @@ rm -rf %{buildroot}
%defattr(-,root,root)
# common libraries
%{_libdir}/samba/libpopt-samba3-samba4.so
+%if %{with_intel_aes_accel}
+%{_libdir}/samba/libaesni-intel-samba4.so
+%endif
%dir %{_libdir}/samba/ldb
@@ -1421,7 +1543,6 @@ rm -rf %{buildroot}
%{_libdir}/samba/pdb/ldapsam.so
%{_libdir}/samba/pdb/smbpasswd.so
%{_libdir}/samba/pdb/tdbsam.so
-%{_libdir}/samba/pdb/wbc_sam.so
%files common-tools
%defattr(-,root,root)
@@ -1443,19 +1564,17 @@ rm -rf %{buildroot}
%defattr(-,root,root)
%if %with_dc
+%{_unitdir}/samba.service
%{_bindir}/samba-tool
%{_sbindir}/samba
%{_sbindir}/samba_kcc
%{_sbindir}/samba_dnsupdate
%{_sbindir}/samba_spnupdate
%{_sbindir}/samba_upgradedns
+
+%{_libdir}/krb5/plugins/kdb/samba.so
+
%{_libdir}/samba/auth/samba4.so
-%{_libdir}/samba/bind9/dlz_bind9.so
-%{_libdir}/samba/bind9/dlz_bind9_10.so
-%{_libdir}/samba/libheimntlm-samba4.so.1
-%{_libdir}/samba/libheimntlm-samba4.so.1.0.1
-%{_libdir}/samba/libkdc-samba4.so.2
-%{_libdir}/samba/libkdc-samba4.so.2.0.0
%{_libdir}/samba/libpac-samba4.so
%dir %{_libdir}/samba/gensec
%{_libdir}/samba/gensec/krb5.so
@@ -1465,6 +1584,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/ldb/descriptor.so
%{_libdir}/samba/ldb/dirsync.so
%{_libdir}/samba/ldb/dns_notify.so
+%{_libdir}/samba/ldb/dsdb_notification.so
%{_libdir}/samba/ldb/extended_dn_in.so
%{_libdir}/samba/ldb/extended_dn_out.so
%{_libdir}/samba/ldb/extended_dn_store.so
@@ -1500,6 +1620,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/ldb/subtree_rename.so
%{_libdir}/samba/ldb/tombstone_reanimate.so
%{_libdir}/samba/ldb/update_keytab.so
+%{_libdir}/samba/ldb/vlv.so
%{_libdir}/samba/ldb/wins_ldb.so
%{_libdir}/samba/vfs/posix_eadb.so
%dir /var/lib/samba/sysvol
@@ -1514,6 +1635,7 @@ rm -rf %{buildroot}
%files dc-libs
%defattr(-,root,root)
%if %with_dc
+%{_libdir}/samba/libdb-glue-samba4.so
%{_libdir}/samba/libprocess-model-samba4.so
%{_libdir}/samba/libservice-samba4.so
%dir %{_libdir}/samba/process_model
@@ -1534,15 +1656,24 @@ rm -rf %{buildroot}
%{_libdir}/samba/service/winbindd.so
%{_libdir}/samba/service/wrepl.so
%{_libdir}/libdcerpc-server.so.*
-%{_libdir}/samba/libdfs-server-ad-samba4.so
%{_libdir}/samba/libdnsserver-common-samba4.so
%{_libdir}/samba/libdsdb-module-samba4.so
-%{_libdir}/samba/libntvfs-samba4.so
-%{_libdir}/samba/bind9/dlz_bind9_9.so
+%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
%else
%doc packaging/README.dc-libs
%endif # with_dc
+### DC-BIND
+%if %with_dc
+%files dc-bind-dlz
+%attr(770,root,named) %dir /var/lib/samba/bind-dns
+%dir %{_libdir}/samba/bind9
+%{_libdir}/samba/bind9/dlz_bind9.so
+%{_libdir}/samba/bind9/dlz_bind9_9.so
+%{_libdir}/samba/bind9/dlz_bind9_10.so
+%{_libdir}/samba/bind9/dlz_bind9_11.so
+%endif # with_dc
+
### DEVEL
%files devel
%defattr(-,root,root)
@@ -1551,7 +1682,9 @@ rm -rf %{buildroot}
%{_includedir}/samba-4.0/core/error.h
%{_includedir}/samba-4.0/core/hresult.h
%{_includedir}/samba-4.0/core/ntstatus.h
+%{_includedir}/samba-4.0/core/ntstatus_gen.h
%{_includedir}/samba-4.0/core/werror.h
+%{_includedir}/samba-4.0/core/werror_gen.h
%{_includedir}/samba-4.0/credentials.h
%{_includedir}/samba-4.0/dcerpc.h
%{_includedir}/samba-4.0/domain_credentials.h
@@ -1626,6 +1759,7 @@ rm -rf %{buildroot}
%{_includedir}/samba-4.0/util/tevent_unix.h
%{_includedir}/samba-4.0/util/tevent_werror.h
%{_includedir}/samba-4.0/util/time.h
+%{_includedir}/samba-4.0/util/tfork.h
%{_includedir}/samba-4.0/util_ldb.h
%{_libdir}/libdcerpc-binding.so
%{_libdir}/libdcerpc-samr.so
@@ -1700,6 +1834,7 @@ rm -rf %{buildroot}
# libraries needed by the public libraries
%{_libdir}/samba/libMESSAGING-samba4.so
+%{_libdir}/samba/libMESSAGING-SEND-samba4.so
%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so
%{_libdir}/samba/libauth4-samba4.so
%{_libdir}/samba/libauth-unix-token-samba4.so
@@ -1712,31 +1847,6 @@ rm -rf %{buildroot}
%{_libdir}/samba/libsmbpasswdparser-samba4.so
%{_libdir}/samba/libxattr-tdb-samba4.so
-%if %with_dc
-%{_libdir}/samba/libdb-glue-samba4.so
-%{_libdir}/samba/libHDB-SAMBA4-samba4.so
-%{_libdir}/samba/libasn1-samba4.so.8
-%{_libdir}/samba/libasn1-samba4.so.8.0.0
-%{_libdir}/samba/libcom_err-samba4.so.0
-%{_libdir}/samba/libcom_err-samba4.so.0.25
-%{_libdir}/samba/libgssapi-samba4.so.2
-%{_libdir}/samba/libgssapi-samba4.so.2.0.0
-%{_libdir}/samba/libhcrypto-samba4.so.5
-%{_libdir}/samba/libhcrypto-samba4.so.5.0.1
-%{_libdir}/samba/libhdb-samba4.so.11
-%{_libdir}/samba/libhdb-samba4.so.11.0.2
-%{_libdir}/samba/libheimbase-samba4.so.1
-%{_libdir}/samba/libheimbase-samba4.so.1.0.0
-%{_libdir}/samba/libhx509-samba4.so.5
-%{_libdir}/samba/libhx509-samba4.so.5.0.0
-%{_libdir}/samba/libkrb5-samba4.so.26
-%{_libdir}/samba/libkrb5-samba4.so.26.0.0
-%{_libdir}/samba/libroken-samba4.so.19
-%{_libdir}/samba/libroken-samba4.so.19.0.1
-%{_libdir}/samba/libwind-samba4.so.0
-%{_libdir}/samba/libwind-samba4.so.0.0.0
-%endif
-
### LIBSMBCLIENT
%if %with_libsmbclient
%files -n libsmbclient
@@ -1809,7 +1919,256 @@ rm -rf %{buildroot}
### PYTHON
%files python
%defattr(-,root,root,-)
-%{python_sitearch}/*
+%dir %{python_sitearch}/samba
+%{python_sitearch}/samba/__init__.py*
+%{python_sitearch}/samba/_glue.so
+%{python_sitearch}/samba/_ldb.so
+%{python_sitearch}/samba/auth.so
+%{python_sitearch}/samba/common.py*
+%{python_sitearch}/samba/compat.py*
+%{python_sitearch}/samba/credentials.so
+%{python_sitearch}/samba/crypto.so
+%{python_sitearch}/samba/dbchecker.py*
+%dir %{python_sitearch}/samba/dcerpc
+%{python_sitearch}/samba/dcerpc/__init__.py*
+%{python_sitearch}/samba/dcerpc/atsvc.so
+%{python_sitearch}/samba/dcerpc/auth.so
+%{python_sitearch}/samba/dcerpc/base.so
+%{python_sitearch}/samba/dcerpc/dcerpc.so
+%{python_sitearch}/samba/dcerpc/dfs.so
+%{python_sitearch}/samba/dcerpc/dns.so
+%{python_sitearch}/samba/dcerpc/dnsp.so
+%{python_sitearch}/samba/dcerpc/drsblobs.so
+%{python_sitearch}/samba/dcerpc/drsuapi.so
+%{python_sitearch}/samba/dcerpc/echo.so
+%{python_sitearch}/samba/dcerpc/epmapper.so
+%{python_sitearch}/samba/dcerpc/idmap.so
+%{python_sitearch}/samba/dcerpc/initshutdown.so
+%{python_sitearch}/samba/dcerpc/irpc.so
+%{python_sitearch}/samba/dcerpc/krb5pac.so
+%{python_sitearch}/samba/dcerpc/lsa.so
+%{python_sitearch}/samba/dcerpc/messaging.so
+%{python_sitearch}/samba/dcerpc/mgmt.so
+%{python_sitearch}/samba/dcerpc/misc.so
+%{python_sitearch}/samba/dcerpc/nbt.so
+%{python_sitearch}/samba/dcerpc/netlogon.so
+%{python_sitearch}/samba/dcerpc/ntlmssp.so
+%{python_sitearch}/samba/dcerpc/samr.so
+%{python_sitearch}/samba/dcerpc/security.so
+%{python_sitearch}/samba/dcerpc/server_id.so
+%{python_sitearch}/samba/dcerpc/smb_acl.so
+%{python_sitearch}/samba/dcerpc/srvsvc.so
+%{python_sitearch}/samba/dcerpc/svcctl.so
+%{python_sitearch}/samba/dcerpc/unixinfo.so
+%{python_sitearch}/samba/dcerpc/winbind.so
+%{python_sitearch}/samba/dcerpc/winreg.so
+%{python_sitearch}/samba/dcerpc/wkssvc.so
+%{python_sitearch}/samba/dcerpc/xattr.so
+%{python_sitearch}/samba/descriptor.py*
+%{python_sitearch}/samba/gensec.so
+%{python_sitearch}/samba/getopt.py*
+%{python_sitearch}/samba/hostconfig.py*
+%{python_sitearch}/samba/idmap.py*
+%{python_sitearch}/samba/join.py*
+%{python_sitearch}/samba/messaging.so
+%{python_sitearch}/samba/ms_display_specifiers.py*
+%{python_sitearch}/samba/ms_schema.py*
+%{python_sitearch}/samba/ndr.py*
+%{python_sitearch}/samba/net.so
+%{python_sitearch}/samba/netbios.so
+%dir %{python_sitearch}/samba/netcmd
+%{python_sitearch}/samba/netcmd/__init__.py*
+%{python_sitearch}/samba/netcmd/common.py*
+%{python_sitearch}/samba/netcmd/dbcheck.py*
+%{python_sitearch}/samba/netcmd/delegation.py*
+%{python_sitearch}/samba/netcmd/dns.py*
+%{python_sitearch}/samba/netcmd/domain.py*
+%{python_sitearch}/samba/netcmd/drs.py*
+%{python_sitearch}/samba/netcmd/dsacl.py*
+%{python_sitearch}/samba/netcmd/gpo.py*
+%{python_sitearch}/samba/netcmd/group.py*
+%{python_sitearch}/samba/netcmd/ldapcmp.py*
+%{python_sitearch}/samba/netcmd/main.py*
+%{python_sitearch}/samba/netcmd/nettime.py*
+%{python_sitearch}/samba/netcmd/ntacl.py*
+%{python_sitearch}/samba/netcmd/processes.py*
+%{python_sitearch}/samba/netcmd/sites.py*
+%{python_sitearch}/samba/netcmd/spn.py*
+%{python_sitearch}/samba/netcmd/testparm.py*
+%{python_sitearch}/samba/netcmd/user.py*
+%{python_sitearch}/samba/ntacls.py*
+%{python_sitearch}/samba/ntstatus.so
+%{python_sitearch}/samba/param.so
+%{python_sitearch}/samba/policy.so
+%{python_sitearch}/samba/posix_eadb.so
+%{python_sitearch}/samba/registry.so
+%{python_sitearch}/samba/remove_dc.py*
+%dir %{python_sitearch}/samba/samba3
+%{python_sitearch}/samba/samba3/__init__.py*
+%{python_sitearch}/samba/samba3/libsmb_samba_internal.so
+%{python_sitearch}/samba/samba3/param.so
+%{python_sitearch}/samba/samba3/passdb.so
+%{python_sitearch}/samba/samba3/smbd.so
+%{python_sitearch}/samba/sd_utils.py*
+%{python_sitearch}/samba/security.so
+%{python_sitearch}/samba/sites.py*
+%{python_sitearch}/samba/smb.so
+%{python_sitearch}/samba/subnets.py*
+%dir %{python_sitearch}/samba/subunit
+%{python_sitearch}/samba/subunit/__init__.py*
+%{python_sitearch}/samba/subunit/run.py*
+%{python_sitearch}/samba/tdb_util.py*
+%dir %{python_sitearch}/samba/third_party
+%{python_sitearch}/samba/third_party/__init__.py*
+%{python_sitearch}/samba/upgrade.py*
+%{python_sitearch}/samba/upgradehelpers.py*
+%{python_sitearch}/samba/werror.so
+%{python_sitearch}/samba/xattr.py*
+%{python_sitearch}/samba/xattr_native.so
+%{python_sitearch}/samba/xattr_tdb.so
+
+%if %{with_dc}
+%files python-dc
+%defattr(-,root,root,-)
+%{python_sitearch}/samba/dcerpc/dnsserver.so
+%{python_sitearch}/samba/netcmd/fsmo.py*
+%{python_sitearch}/samba/netcmd/rodc.py*
+
+%dir %{python_sitearch}/samba/kcc
+%{python_sitearch}/samba/kcc/__init__.py*
+%{python_sitearch}/samba/kcc/debug.py*
+%{python_sitearch}/samba/kcc/graph.py*
+%{python_sitearch}/samba/kcc/graph_utils.py*
+%{python_sitearch}/samba/kcc/kcc_utils.py*
+%{python_sitearch}/samba/kcc/ldif_import_export.py*
+
+%dir %{python_sitearch}/samba/provision
+%{python_sitearch}/samba/provision/__init__.py*
+%{python_sitearch}/samba/provision/backend.py*
+%{python_sitearch}/samba/provision/common.py*
+%{python_sitearch}/samba/provision/kerberos.py*
+%{python_sitearch}/samba/provision/kerberos_implementation.py*
+%{python_sitearch}/samba/provision/sambadns.py*
+
+%dir %{python_sitearch}/samba/web_server
+%{python_sitearch}/samba/web_server/__init__.py*
+
+%{python_sitearch}/samba/dckeytab.so
+%{python_sitearch}/samba/dnsserver.py*
+%{python_sitearch}/samba/drs_utils.py*
+%{python_sitearch}/samba/dsdb.so
+%{python_sitearch}/samba/dsdb_dns.so
+%{python_sitearch}/samba/samdb.py*
+%{python_sitearch}/samba/schema.py*
+%endif
+
+%files python-test
+%defattr(-,root,root,-)
+%dir %{python_sitearch}/samba/tests
+%{python_sitearch}/samba/tests/__init__.py*
+%{python_sitearch}/samba/tests/auth.py*
+%{python_sitearch}/samba/tests/auth_log.py*
+%{python_sitearch}/samba/tests/auth_log_base.py*
+%{python_sitearch}/samba/tests/auth_log_ncalrpc.py*
+%{python_sitearch}/samba/tests/auth_log_netlogon.py*
+%{python_sitearch}/samba/tests/auth_log_netlogon_bad_creds.py*
+%{python_sitearch}/samba/tests/auth_log_pass_change.py*
+%{python_sitearch}/samba/tests/auth_log_samlogon.py*
+%dir %{python_sitearch}/samba/tests/blackbox
+%{python_sitearch}/samba/tests/blackbox/__init__.py*
+%{python_sitearch}/samba/tests/blackbox/ndrdump.py*
+%{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
+%{python_sitearch}/samba/tests/common.py*
+%{python_sitearch}/samba/tests/core.py*
+%{python_sitearch}/samba/tests/credentials.py*
+%dir %{python_sitearch}/samba/tests/dcerpc
+%{python_sitearch}/samba/tests/dcerpc/__init__.py*
+%{python_sitearch}/samba/tests/dcerpc/array.py*
+%{python_sitearch}/samba/tests/dcerpc/bare.py*
+%{python_sitearch}/samba/tests/dcerpc/dnsserver.py*
+%{python_sitearch}/samba/tests/dcerpc/integer.py*
+%{python_sitearch}/samba/tests/dcerpc/misc.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_protocol.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_testcase.py*
+%{python_sitearch}/samba/tests/dcerpc/registry.py*
+%{python_sitearch}/samba/tests/dcerpc/rpc_talloc.py*
+%{python_sitearch}/samba/tests/dcerpc/rpcecho.py*
+%{python_sitearch}/samba/tests/dcerpc/sam.py*
+%{python_sitearch}/samba/tests/dcerpc/srvsvc.py*
+%{python_sitearch}/samba/tests/dcerpc/string.py*
+%{python_sitearch}/samba/tests/dcerpc/testrpc.py*
+%{python_sitearch}/samba/tests/dcerpc/unix.py*
+%{python_sitearch}/samba/tests/dns.py*
+%{python_sitearch}/samba/tests/dns_base.py*
+%{python_sitearch}/samba/tests/dns_forwarder.py*
+%dir %{python_sitearch}/samba/tests/dns_forwarder_helpers
+%{python_sitearch}/samba/tests/dns_forwarder_helpers/server.py*
+%{python_sitearch}/samba/tests/dns_tkey.py*
+%{python_sitearch}/samba/tests/dns_wildcard.py*
+%{python_sitearch}/samba/tests/docs.py*
+%{python_sitearch}/samba/tests/dsdb.py*
+%{python_sitearch}/samba/tests/dsdb_schema_attributes.py*
+%{python_sitearch}/samba/tests/gensec.py*
+%{python_sitearch}/samba/tests/get_opt.py*
+%{python_sitearch}/samba/tests/glue.py*
+%{python_sitearch}/samba/tests/hostconfig.py*
+%{python_sitearch}/samba/tests/join.py*
+%dir %{python_sitearch}/samba/tests/kcc
+%{python_sitearch}/samba/tests/kcc/__init__.py*
+%{python_sitearch}/samba/tests/kcc/graph.py*
+%{python_sitearch}/samba/tests/kcc/graph_utils.py*
+%{python_sitearch}/samba/tests/kcc/kcc_utils.py*
+%{python_sitearch}/samba/tests/kcc/ldif_import_export.py*
+%{python_sitearch}/samba/tests/libsmb_samba_internal.py*
+%{python_sitearch}/samba/tests/lsa_string.py*
+%{python_sitearch}/samba/tests/messaging.py*
+%{python_sitearch}/samba/tests/net_join.py*
+%{python_sitearch}/samba/tests/net_join_no_spnego.py*
+%{python_sitearch}/samba/tests/netcmd.py*
+%{python_sitearch}/samba/tests/netlogonsvc.py*
+%{python_sitearch}/samba/tests/ntacls.py*
+%{python_sitearch}/samba/tests/ntlmauth.py*
+%{python_sitearch}/samba/tests/pam_winbind.py*
+%{python_sitearch}/samba/tests/param.py*
+%{python_sitearch}/samba/tests/password_hash.py*
+%{python_sitearch}/samba/tests/password_hash_fl2003.py*
+%{python_sitearch}/samba/tests/password_hash_fl2008.py*
+%{python_sitearch}/samba/tests/password_hash_gpgme.py*
+%{python_sitearch}/samba/tests/password_hash_ldap.py*
+%{python_sitearch}/samba/tests/policy.py*
+%{python_sitearch}/samba/tests/posixacl.py*
+%{python_sitearch}/samba/tests/provision.py*
+%{python_sitearch}/samba/tests/py_credentials.py*
+%{python_sitearch}/samba/tests/registry.py*
+%{python_sitearch}/samba/tests/samba3.py*
+%{python_sitearch}/samba/tests/samba3sam.py*
+%dir %{python_sitearch}/samba/tests/samba_tool
+%{python_sitearch}/samba/tests/samba_tool/__init__.py*
+%{python_sitearch}/samba/tests/samba_tool/base.py*
+%{python_sitearch}/samba/tests/samba_tool/dnscmd.py*
+%{python_sitearch}/samba/tests/samba_tool/fsmo.py*
+%{python_sitearch}/samba/tests/samba_tool/gpo.py*
+%{python_sitearch}/samba/tests/samba_tool/group.py*
+%{python_sitearch}/samba/tests/samba_tool/join.py*
+%{python_sitearch}/samba/tests/samba_tool/ntacl.py*
+%{python_sitearch}/samba/tests/samba_tool/processes.py*
+%{python_sitearch}/samba/tests/samba_tool/rodc.py*
+%{python_sitearch}/samba/tests/samba_tool/sites.py*
+%{python_sitearch}/samba/tests/samba_tool/timecmd.py*
+%{python_sitearch}/samba/tests/samba_tool/user.py*
+%{python_sitearch}/samba/tests/samba_tool/user_check_password_script.py*
+%{python_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py*
+%{python_sitearch}/samba/tests/samba_tool/user_wdigest.py*
+%{python_sitearch}/samba/tests/samdb.py*
+%{python_sitearch}/samba/tests/security.py*
+%{python_sitearch}/samba/tests/source.py*
+%{python_sitearch}/samba/tests/strings.py*
+%{python_sitearch}/samba/tests/subunitrun.py*
+%{python_sitearch}/samba/tests/unicodenames.py*
+%{python_sitearch}/samba/tests/upgrade.py*
+%{python_sitearch}/samba/tests/upgradeprovision.py*
+%{python_sitearch}/samba/tests/upgradeprovisionneeddc.py*
+%{python_sitearch}/samba/tests/xattr.py*
### TEST
%files test
@@ -1976,7 +2335,6 @@ rm -rf %{buildroot}
%{_unitdir}/ctdb.service
-
%files -n ctdb-tests
%defattr(-,root,root)
%doc ctdb/tests/README
@@ -1991,6 +2349,7 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/ctdb_packet_parse
%{_libexecdir}/ctdb/tests/ctdb_takeover_tests
%{_libexecdir}/ctdb/tests/db_hash_test
+%{_libexecdir}/ctdb/tests/dummy_client
%{_libexecdir}/ctdb/tests/fake_ctdbd
%{_libexecdir}/ctdb/tests/fetch_loop
%{_libexecdir}/ctdb/tests/fetch_loop_key
@@ -1998,6 +2357,7 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/fetch_readonly_loop
%{_libexecdir}/ctdb/tests/fetch_ring
%{_libexecdir}/ctdb/tests/g_lock_loop
+%{_libexecdir}/ctdb/tests/hash_count_test
%{_libexecdir}/ctdb/tests/lock_tdb
%{_libexecdir}/ctdb/tests/message_ring
%{_libexecdir}/ctdb/tests/pidfile_test
@@ -2009,6 +2369,7 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/protocol_util_test
%{_libexecdir}/ctdb/tests/rb_test
%{_libexecdir}/ctdb/tests/reqid_test
+%{_libexecdir}/ctdb/tests/run_event_test
%{_libexecdir}/ctdb/tests/run_proc_test
%{_libexecdir}/ctdb/tests/sock_daemon_test
%{_libexecdir}/ctdb/tests/sock_io_test
@@ -2047,6 +2408,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/cunit/comm_test_001.sh
%{_datadir}/ctdb/tests/cunit/comm_test_002.sh
%{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
+%{_datadir}/ctdb/tests/cunit/hash_count_test_001.sh
%{_datadir}/ctdb/tests/cunit/pidfile_test_001.sh
%{_datadir}/ctdb/tests/cunit/pkt_read_001.sh
%{_datadir}/ctdb/tests/cunit/pkt_write_001.sh
@@ -2056,6 +2418,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/cunit/protocol_test_003.sh
%{_datadir}/ctdb/tests/cunit/rb_test_001.sh
%{_datadir}/ctdb/tests/cunit/reqid_test_001.sh
+%{_datadir}/ctdb/tests/cunit/run_event_001.sh
%{_datadir}/ctdb/tests/cunit/run_proc_001.sh
%{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh
%{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh
@@ -2126,6 +2489,10 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.016.sh
%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.017.sh
%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.018.sh
+%{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh
@@ -2154,6 +2521,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.010.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.012.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.013.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh
@@ -2212,19 +2581,14 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.050.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.051.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.050.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.051.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.104.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.105.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.106.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.107.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.110.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.111.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.112.sh
@@ -2242,6 +2606,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.106.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.107.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.108.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.109.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.111.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.112.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.113.sh
@@ -2261,6 +2626,14 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.162.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.001.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.002.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.releaseip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.startup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.takeip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.takeip.002.sh
%{_datadir}/ctdb/tests/eventscripts/91.lvs.001.sh
%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.011.sh
%{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.012.sh
@@ -2409,6 +2782,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/simple/18_ctdb_reloadips.sh
%{_datadir}/ctdb/tests/simple/19_ip_takeover_noop.sh
%{_datadir}/ctdb/tests/simple/20_delip_iface_gc.sh
+%{_datadir}/ctdb/tests/simple/21_ctdb_attach.sh
%{_datadir}/ctdb/tests/simple/23_ctdb_moveip.sh
%{_datadir}/ctdb/tests/simple/24_ctdb_getdbmap.sh
%{_datadir}/ctdb/tests/simple/25_dumpmemory.sh
@@ -2426,6 +2800,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/simple/53_transaction_loop.sh
%{_datadir}/ctdb/tests/simple/54_transaction_loop_recovery.sh
%{_datadir}/ctdb/tests/simple/55_ctdb_ptrans.sh
+%{_datadir}/ctdb/tests/simple/56_replicated_transaction_recovery.sh
%{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh
%{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh
%{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh
@@ -2482,6 +2857,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/takeover/lcp2.031.sh
%{_datadir}/ctdb/tests/takeover/lcp2.032.sh
%{_datadir}/ctdb/tests/takeover/lcp2.033.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.034.sh
%{_datadir}/ctdb/tests/takeover/nondet.001.sh
%{_datadir}/ctdb/tests/takeover/nondet.002.sh
%{_datadir}/ctdb/tests/takeover/nondet.003.sh
@@ -2510,6 +2886,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/takeover_helper/026.sh
%{_datadir}/ctdb/tests/takeover_helper/027.sh
%{_datadir}/ctdb/tests/takeover_helper/028.sh
+%{_datadir}/ctdb/tests/takeover_helper/030.sh
+%{_datadir}/ctdb/tests/takeover_helper/031.sh
%{_datadir}/ctdb/tests/takeover_helper/110.sh
%{_datadir}/ctdb/tests/takeover_helper/111.sh
%{_datadir}/ctdb/tests/takeover_helper/120.sh
@@ -2596,9 +2974,15 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/tool/ctdb.natgw.008.sh
%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.006.sh
%{_datadir}/ctdb/tests/tool/ctdb.ping.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.pnn.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.process-exists.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.process-exists.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.process-exists.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.recmaster.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.recmaster.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.recover.001.sh
@@ -2627,10 +3011,12 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.005.sh
%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.005.sh
%{_datadir}/ctdb/tests/tool/ctdb.setdebug.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.setdebug.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.setdebug.003.sh
@@ -2654,20 +3040,58 @@ rm -rf %{buildroot}
%endif # with_clustering_support
%changelog
-* Fri Nov 17 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-12
-- resolves: #1514314 - Fix CVE-2017-14746 and CVE-2017-15275
+* Wed Dec 20 2017 Andreas Schneider <asn@redhat.com> - 4.7.1-6
+- resolves: #1476153 - Handle SMB echo responses more gracefully
+- resolves: #1523212 - Fix SMB2 client read-after-free issue
+
+* Mon Dec 04 2017 Andreas Schneider <asn@redhat.com> - 4.7.1-5
+- resolves: #1505940 - Fix 'net ads keytab list'
+- resolves: #1518732 - Enable AES-NI to make SMB3 encryption and signing
+ faster
+
+* Tue Nov 28 2017 Andreas Schneider <asn@redhat.com> - 4.7.1-4
+- resolves: #1510872 - Fix systemd startup of samba daemons
+
+* Thu Nov 23 2017 Andreas Schneider <asn@redhat.com> - 4.7.1-3
+- resolves: #1498353 - Fix broken MacOSX client which can't handle file_ids
+ correctly
+- resolves: #1495490 - Fix client rename over SMB2
+- resolves: #1510598 - Fix client volume cmd over SMB2
+
+* Fri Nov 17 2017 Andreas Schneider <asn@redhat.com> - 4.7.1-2
+- resolves: #1514316 - CVE-2017-14746 CVE-2017-15275
+
+* Thu Nov 02 2017 Andreas Schneider <asn@redhat.com> - 4.7.1-1
+- related: #1470048 - Update to version 4.7.1
+
+* Thu Oct 26 2017 Andreas Schneider <asn@redhat.com> - 4.7.0-4
+- resolves: #1506489 - Fix python dependency issues
+
+* Wed Oct 25 2017 Andreas Schneider <asn@redhat.com> - 4.7.0-3
+- related: #1470048 - Fix dependency issues
+- resolves: #1486318 - Move /var/lib/samba/lock to common package
+- resolves: #1497162 - Fix smbcacls command line password handling
+
+* Tue Oct 24 2017 Andreas Schneider <asn@redhat.com> - 4.7.0-2
+- related: #1470048 - Fix package names
+
+* Mon Oct 23 2017 Andreas Schneider <asn@redhat.com> - 4.7.0-1
+- resolves: #1470048 - Rebase Samba to version 4.7.0
+- resolves: #1335710 - Improve performance of smbd for a lot
+ of new client connections
* Thu Sep 14 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-11
-- resolves: #1491213 - CVE-2017-12150 CVE-2017-12151 CVE-2017-12163
+- resolves: #1491214 - CVE-2017-12150 CVE-2017-12151 CVE-2017-12163
* Wed Aug 23 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-10
-- resolves: #1484423 - Require at least krb5 version 1.15.1
-- resolves: #1484713 - Fix password changes for users via smbpasswd
-- resolves: #1484723 - Be more graceful on FSCTL_VALIDATE_NEGOTIATE_INFO
+- resolves: #1480310 - Require at least krb5 version 1.15.1
+- resolves: #1482133 - Fix password changes for users via smbpasswd
+- resolves: #1452003 - Be more graceful on FSCTL_VALIDATE_NEGOTIATE_INFO
returned errors
+- resolves: #1485390 - Do not print kerberos warning when not enforced
* Mon Aug 14 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-9
-- resolves: #1481188 - Fix 'net ads changetrustpw'
+- resolves: #1479897 - Fix 'net ads changetrustpw'
* Thu Jun 22 2017 Andreas Schneider <asn@redhat.com> - 4.6.2-8
- resolves: #1459936 - Fix regression with "follow symlinks = no"