diff --git a/1528.patch b/1528.patch
new file mode 100644
index 0000000..52ecfab
--- /dev/null
+++ b/1528.patch
@@ -0,0 +1,66 @@
+From e3629a3924107507be9ddb2c001f9843854ddf3b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Tue, 25 Aug 2020 17:39:18 +0200
+Subject: [PATCH] third_party: Update resolv_wrapper to version 1.1.7
+
+This fixes some Samba tests which redirect stderr to stdout and then get
+more messages than expected.
+
+Signed-off-by: Andreas Schneider
+---
+ buildtools/wafsamba/samba_third_party.py | 2 +-
+ third_party/resolv_wrapper/resolv_wrapper.c | 4 ++--
+ third_party/resolv_wrapper/wscript | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py
+index 318da4f4eff..bc2b21f2a55 100644
+--- a/buildtools/wafsamba/samba_third_party.py
++++ b/buildtools/wafsamba/samba_third_party.py
+@@ -34,7 +34,7 @@ Build.BuildContext.CHECK_NSS_WRAPPER = CHECK_NSS_WRAPPER
+
+ @conf
+def CHECK_RESOLV_WRAPPER(conf):
+- return conf.CHECK_BUNDLED_SYSTEM_PKG('resolv_wrapper', minversion='1.1.6')
++ return conf.CHECK_BUNDLED_SYSTEM_PKG('resolv_wrapper', minversion='1.1.7')
+ Build.BuildContext.CHECK_RESOLV_WRAPPER = CHECK_RESOLV_WRAPPER
+
+ @conf
+diff --git a/third_party/resolv_wrapper/resolv_wrapper.c b/third_party/resolv_wrapper/resolv_wrapper.c
+index 0d3f34ce591..b69a55a80e0 100644
+--- a/third_party/resolv_wrapper/resolv_wrapper.c
++++ b/third_party/resolv_wrapper/resolv_wrapper.c
+@@ -1844,7 +1844,7 @@ static int rwrap_parse_resolv_conf(struct __res_state *state,
+
+ fp = fopen(resolv_conf, "r");
+ if (fp == NULL) {
+- RWRAP_LOG(RWRAP_LOG_ERROR,
++ RWRAP_LOG(RWRAP_LOG_WARN,
+ "Opening %s failed: %s",
+ resolv_conf, strerror(errno));
+ return -1;
+@@ -1930,7 +1930,7 @@ static int rwrap_parse_resolv_conf(struct __res_state *state,
+ fclose(fp);
+
+ if (nserv == 0) {
+- RWRAP_LOG(RWRAP_LOG_ERROR,
++ RWRAP_LOG(RWRAP_LOG_WARN,
+ "No usable nameservers found in %s",
+ resolv_conf);
+ errno = ESRCH;
+diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
+index ea3df498a6e..a7f18389b0f 100644
+--- a/third_party/resolv_wrapper/wscript
++++ b/third_party/resolv_wrapper/wscript
+@@ -2,7 +2,7 @@
+
+ import os
+
+-VERSION="1.1.6"
++VERSION="1.1.7"
+
+ def configure(conf):
+ if conf.CHECK_RESOLV_WRAPPER():
+--
+GitLab
+
diff --git a/1624.patch b/1624.patch
new file mode 100644
index 0000000..124c239
--- /dev/null
+++ b/1624.patch
@@ -0,0 +1,1389 @@
+From 9cf2118afce0b1534c0daea4ab97f29225f7fcb1 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 21 Oct 2020 07:43:08 +0200
+Subject: [PATCH 1/9] python: Create targetdir recursively
+
+This fixes `make test` in a release tarball.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542
+
+Signed-off-by: Andreas Schneider
+---
+ python/samba/netcmd/domain.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
+index 000688f4e7a..5f08ddf6007 100644
+--- a/python/samba/netcmd/domain.py
++++ b/python/samba/netcmd/domain.py
+@@ -445,7 +445,7 @@ class cmd_domain_provision(Command):
+
+ if targetdir is not None:
+ if not os.path.isdir(targetdir):
+- os.mkdir(targetdir)
++ os.makedirs(targetdir)
+
+ eadb = True
+
+--
+GitLab
+
+
+From f69a5a15550a2330710ba09e06daf826deedeb34 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Thu, 22 Oct 2020 11:39:04 +0200
+Subject: [PATCH 2/9] testprogs: Add remove_directory to common test functions
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542
+
+Signed-off-by: Andreas Schneider
+---
+ testprogs/blackbox/common_test_fns.inc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/testprogs/blackbox/common_test_fns.inc b/testprogs/blackbox/common_test_fns.inc
+index a5611c63fa0..7b421e9eb08 100755
+--- a/testprogs/blackbox/common_test_fns.inc
++++ b/testprogs/blackbox/common_test_fns.inc
+@@ -107,3 +107,14 @@ kerberos_kinit() {
+ fi
+ return $status
+ }
++
++remove_directory() {
++ local xdir=${1}
++ shift
++
++ if [ "$xdir" == "/" ] || [ ! -d "$xdir" ] || [ ! $(ls -A "$xdir") ]; then
++ return
++ fi
++
++ rm -rf "$xdir"
++}
+--
+GitLab
+
+
+From 5c65e1a9e99d9dcfadb90433b2465db277814666 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Tue, 20 Oct 2020 20:47:43 +0200
+Subject: [PATCH 3/9] testprogs: Fix and improve demote-saveddb test
+
+This fixes running `make test` in a release tarball!
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542 + +Signed-off-by: Andreas Schneider +--- + testprogs/blackbox/demote-saveddb.sh | 75 ++++++++++++++++------------ + 1 file changed, 43 insertions(+), 32 deletions(-) + +diff --git a/testprogs/blackbox/demote-saveddb.sh b/testprogs/blackbox/demote-saveddb.sh +index 3d5fabd72e3..d8fccf32011 100755 +--- a/testprogs/blackbox/demote-saveddb.sh ++++ b/testprogs/blackbox/demote-saveddb.sh +@@ -10,58 +10,69 @@ fi + PREFIX_ABS="$1" + shift 1 + +-. `dirname $0`/subunit.sh ++failed=0 + +-tree_dir=`dirname $0`/../../source4/selftest/provisions/multi-dc-samba-master-c596ac6 ++. `dirname $0`/subunit.sh ++. `dirname $0`/common_test_fns.inc + +-undump() { +- if test -x $BINDIR/tdbrestore; +- then +- `dirname $0`/../../source4/selftest/provisions/undump.sh $tree_dir $PREFIX_ABS $BINDIR/tdbrestore +- else +- `dirname $0`/../../source4/selftest/provisions/undump.sh $tree_dir $PREFIX_ABS +- fi +-} ++samba_tree_dir="$SRCDIR_ABS/source4/selftest/provisions/multi-dc-samba-master-c596ac6" + +-demote() { +- $PYTHON $BINDIR/samba-tool domain demote -H tdb://$PREFIX_ABS/private/sam.ldb --remove-other-dead-server=$1 +-} ++samba_tdbrestore="tdbrestore" ++if [ -x $BINDIR/tdbrestore ]; then ++ samba_tdbrestore="$BINDIR/tdbrestore" ++fi + ++# The undump script and the provision data is not part of release tarballs, ++# skip the tests in this case! ++samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" ++if [ ! -x $samba_undump ] || [ ! -d $samba_tree_dir ]; then ++ subunit_start_test "undump" ++ subunit_skip_test "undump" < +Date: Wed, 21 Oct 2020 17:04:12 +0200 +Subject: [PATCH 4/9] testprogs: Fix and improve tombstones-expunge test + +This fixes running `make test` in a release tarball! 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542 + +Signed-off-by: Andreas Schneider +--- + testprogs/blackbox/tombstones-expunge.sh | 94 +++++++++++++----------- + 1 file changed, 50 insertions(+), 44 deletions(-) + +diff --git a/testprogs/blackbox/tombstones-expunge.sh b/testprogs/blackbox/tombstones-expunge.sh +index aa37cfe278f..9e0588377d7 100755 +--- a/testprogs/blackbox/tombstones-expunge.sh ++++ b/testprogs/blackbox/tombstones-expunge.sh +@@ -11,9 +11,12 @@ PREFIX_ABS="$1" + RELEASE="$2" + shift 2 + ++failed=0 ++ + . `dirname $0`/subunit.sh ++. `dirname $0`/common_test_fns.inc + +-release_dir=`dirname $0`/../../source4/selftest/provisions/$RELEASE ++release_dir="$SRCDIR_ABS/source4/selftest/provisions/$RELEASE" + + ldbadd="ldbadd" + if [ -x "$BINDIR/ldbadd" ]; then +@@ -35,13 +38,28 @@ if [ -x "$BINDIR/ldbsearch" ]; then + ldbsearch="$BINDIR/ldbsearch" + fi + ++samba_tdbrestore="tdbrestore" ++if [ -x "$BINDIR/tdbrestore" ]; then ++ samba_tdbrestore="$BINDIR/tdbrestore" ++fi ++ ++samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" ++if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then ++ subunit_start_test $RELEASE ++ subunit_skip_test $RELEASE < +Date: Wed, 21 Oct 2020 17:35:34 +0200 +Subject: [PATCH 5/9] testprogs: Fix and improve runtime-links test + +This fixes running `make test` in a release tarball! 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542 + +Signed-off-by: Andreas Schneider +--- + testprogs/blackbox/common-links.sh | 16 +++---- + testprogs/blackbox/runtime-links.sh | 65 ++++++++++++++++------------- + 2 files changed, 44 insertions(+), 37 deletions(-) + +diff --git a/testprogs/blackbox/common-links.sh b/testprogs/blackbox/common-links.sh +index ee7310b5108..363234ae11c 100644 +--- a/testprogs/blackbox/common-links.sh ++++ b/testprogs/blackbox/common-links.sh +@@ -1,4 +1,4 @@ +-release_dir=`dirname $0`/../../source4/selftest/provisions/$RELEASE ++release_dir=$SRCDIR_ABS/source4/selftest/provisions/$RELEASE + + ldbadd="ldbadd" + if [ -x "$BINDIR/ldbadd" ]; then +@@ -25,13 +25,15 @@ if [ -x "$BINDIR/ldbrename" ]; then + ldbrename="$BINDIR/ldbrename" + fi + ++samba_tdbrestore="tdbrestore" ++if [ -x "$BINDIR/tdbrestore" ]; then ++ samba_tdbrestore="$BINDIR/tdbrestore" ++fi ++ ++samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" ++ + undump() { +- if test -x $BINDIR/tdbrestore; +- then +- `dirname $0`/../../source4/selftest/provisions/undump.sh $release_dir $PREFIX_ABS/$RELEASE $BINDIR/tdbrestore +- else +- `dirname $0`/../../source4/selftest/provisions/undump.sh $release_dir $PREFIX_ABS/$RELEASE +- fi ++ $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore + } + + add_dangling_link() { +diff --git a/testprogs/blackbox/runtime-links.sh b/testprogs/blackbox/runtime-links.sh +index 344b822f07e..f8de66c60e7 100755 +--- a/testprogs/blackbox/runtime-links.sh ++++ b/testprogs/blackbox/runtime-links.sh +@@ -11,10 +11,28 @@ PREFIX_ABS="$1" + RELEASE="$2" + shift 2 + ++failed=0 ++ + . `dirname $0`/subunit.sh + + . `dirname $0`/common-links.sh + ++. `dirname $0`/common_test_fns.inc ++ ++if [ ! -x $samba_undump ] || [ ! 
-d $release_dir ]; then ++ subunit_start_test $RELEASE ++ subunit_skip_test $RELEASE < +Date: Wed, 21 Oct 2020 17:41:27 +0200 +Subject: [PATCH 6/9] testprogs: Fix and improve dbcheck-links test + +This fixes running `make test` in a release tarball! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542 + +Signed-off-by: Andreas Schneider +--- + testprogs/blackbox/dbcheck-links.sh | 160 ++++++++++++++-------------- + 1 file changed, 82 insertions(+), 78 deletions(-) + +diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh +index eb0e0b3163f..ead59d691e0 100755 +--- a/testprogs/blackbox/dbcheck-links.sh ++++ b/testprogs/blackbox/dbcheck-links.sh +@@ -14,6 +14,23 @@ shift 2 + . `dirname $0`/subunit.sh + + . `dirname $0`/common-links.sh ++. `dirname $0`/common_test_fns.inc ++ ++failed=0 ++ ++if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then ++ subunit_start_test $RELEASE ++ subunit_skip_test $RELEASE < +Date: Wed, 21 Oct 2020 17:54:54 +0200 +Subject: [PATCH 7/9] testprogs: Fix and improve functionalprep test + +This fixes running `make test` in a release tarball! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542 + +Signed-off-by: Andreas Schneider +--- + testprogs/blackbox/functionalprep.sh | 77 ++++++++++++++++------------ + 1 file changed, 44 insertions(+), 33 deletions(-) + +diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh +index 1d37611ef7a..a5ac4b8bc7f 100755 +--- a/testprogs/blackbox/functionalprep.sh ++++ b/testprogs/blackbox/functionalprep.sh +@@ -10,45 +10,56 @@ fi + PREFIX_ABS="$1" + shift 1 + ++failed=0 ++ + . `dirname $0`/subunit.sh ++. 
`dirname $0`/common_test_fns.inc + + RELEASE="release-4-8-0-pre1" +-release_dir=`dirname $0`/../../source4/selftest/provisions/$RELEASE ++release_dir="$SRCDIR_ABS/source4/selftest/provisions/$RELEASE" + + OLD_RELEASE="release-4-1-0rc3" +-old_release_dir=`dirname $0`/../../source4/selftest/provisions/$OLD_RELEASE ++old_release_dir="$SRCDIR_ABS/source4/selftest/provisions/$OLD_RELEASE" + +-cleanup_output_directories() +-{ +- if [ -d $PREFIX_ABS/2012R2_schema ]; then +- rm -fr $PREFIX_ABS/2012R2_schema +- fi ++samba_tdbrestore="tdbrestore" ++if [ -x "$BINDIR/tdbrestore" ]; then ++ samba_tdbrestore="$BINDIR/tdbrestore" ++fi ++ ++samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" ++ ++if [ ! -x $samba_undump ] || [ ! -d $release_dir ] || [ ! -d $old_release_dir ]; then ++ subunit_start_test $RELEASE ++ subunit_skip_test $RELEASE < +Date: Wed, 21 Oct 2020 18:03:25 +0200 +Subject: [PATCH 8/9] testprogs: Fix and improve dbcheck-oldrelease test + +This fixes running `make test` in a release tarball! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542 + +Signed-off-by: Andreas Schneider +--- + testprogs/blackbox/dbcheck-oldrelease.sh | 240 ++++++++++++----------- + 1 file changed, 123 insertions(+), 117 deletions(-) + +diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh +index 41c55178d4e..9e9924654be 100755 +--- a/testprogs/blackbox/dbcheck-oldrelease.sh ++++ b/testprogs/blackbox/dbcheck-oldrelease.sh +@@ -11,7 +11,10 @@ PREFIX_ABS="$1" + RELEASE="$2" + shift 2 + ++failed=0 ++ + . `dirname $0`/subunit.sh ++. `dirname $0`/common_test_fns.inc + + release_dir=`dirname $0`/../../source4/selftest/provisions/$RELEASE + +@@ -30,13 +33,94 @@ if [ -x "$BINDIR/ldbsearch" ]; then + ldbsearch="$BINDIR/ldbsearch" + fi + ++samba_tdbrestore="tdbrestore" ++if [ -x "$BINDIR/tdbrestore" ]; then ++ samba_tdbrestore="$BINDIR/tdbrestore" ++fi ++ ++samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" ++if [ ! 
-x $samba_undump ] || [ ! -d $release_dir ]; then ++ subunit_start_test $RELEASE ++ subunit_skip_test $RELEASE < +Date: Wed, 21 Oct 2020 19:14:32 +0200 +Subject: [PATCH 9/9] testprogs: Fix and improve upgradeprovision-oldrelease + test + +This fixes running `make test` in a release tarball! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14542 + +Signed-off-by: Andreas Schneider +--- + .../blackbox/upgradeprovision-oldrelease.sh | 254 +++++++++--------- + 1 file changed, 121 insertions(+), 133 deletions(-) + +diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh +index 208baa54a02..5b095fca05e 100755 +--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh ++++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh +@@ -11,37 +11,113 @@ PREFIX_ABS="$1" + RELEASE="$2" + shift 2 + ++failed=0 ++ + . `dirname $0`/subunit.sh ++. `dirname $0`/common_test_fns.inc + +-release_dir=`dirname $0`/../../source4/selftest/provisions/${RELEASE} ++release_dir="$SRCDIR_ABS/source4/selftest/provisions/${RELEASE}" + + LDBDEL_BIN=ldbdel + if [ -x "$BINDIR/ldbdel" ]; then + LDBDEL_BIN=$BINDIR/ldbdel + fi + ++samba_tdbrestore="tdbrestore" ++if [ -x "$BINDIR/tdbrestore" ]; then ++ samba_tdbrestore="$BINDIR/tdbrestore" ++fi ++ ++samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh" ++if [ ! -x $samba_undump ] || [ ! 
-d $release_dir ]; then ++ subunit_start_test "${RELEASE}" ++ subunit_skip_test "${RELEASE}" < $PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf +- +- cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade_full/private/ +- cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade_full/ +- mkdir $PREFIX_ABS/${RELEASE}_upgrade_full/etc/ +- cat $release_dir/etc/smb.conf.template | \ +- sed "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade_full|g" \ +- > $PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf ++ $samba_undump $release_dir $PREFIX_ABS/${RELEASE}_upgrade $samba_tdbrestore ++ $samba_undump $release_dir $PREFIX_ABS/${RELEASE}_upgrade_full $samba_tdbrestore ++ ++ cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade/private/ ++ cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade/ ++ mkdir $PREFIX_ABS/${RELEASE}_upgrade/etc/ ++ sed -e "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade|g" $release_dir/etc/smb.conf.template \ ++ > $PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf ++ ++ cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade_full/private/ ++ cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade_full/ ++ mkdir $PREFIX_ABS/${RELEASE}_upgrade_full/etc/ ++ sed -e "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade_full|g" $release_dir/etc/smb.conf.template \ ++ > $PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf + } + + remove_dns_user() { +@@ -122,116 +198,28 @@ ldapcmp_full_sd() { + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --two --sd --skip-missing-dn + } + +-if [ -d $PREFIX_ABS/${RELEASE}_upgrade ]; then +- rm -fr $PREFIX_ABS/${RELEASE}_upgrade +-fi +- +-if [ -d $PREFIX_ABS/${RELEASE}_upgrade_full ]; then +- rm -fr $PREFIX_ABS/${RELEASE}_upgrade_full +-fi +- +-if [ -d $PREFIX_ABS/${RELEASE}_upgrade_reference ]; then +- rm -fr $PREFIX_ABS/${RELEASE}_upgrade_reference +-fi +- +-if [ -d $release_dir ]; then +- testit $RELEASE 
undump +- testit "remove_dns_user" remove_dns_user +- testit "upgradeprovision" upgradeprovision +- testit "upgradeprovision_full" upgradeprovision_full +- testit "reindex" reindex +- testit_expect_failure "dbcheck" dbcheck +- testit_expect_failure "dbcheck_full" dbcheck_full +- testit "dbcheck_clean" dbcheck_clean +- testit "dbcheck_full_clean" dbcheck_full_clean +- testit "dbcheck_full_clean_well_known_acls" dbcheck_full_clean_well_known_acls +- testit "referenceprovision" referenceprovision +- testit "samba_upgradedns" samba_upgradedns +- testit "ldapcmp" ldapcmp +- testit "ldapcmp_sd" ldapcmp_sd +- testit "ldapcmp_full_sd" ldapcmp_full_sd +-else +- subunit_start_test "${RELEASE}" +- subunit_skip_test "${RELEASE}" < +Date: Thu, 22 Oct 2020 11:08:19 +0200 +Subject: [PATCH 1/5] s3:script: Fix test_dfree_quota.sh + +source3/script/tests/test_dfree_quota.sh: line 200: [: missing `]' + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550 + +Signed-off-by: Andreas Schneider +--- + source3/script/tests/test_dfree_quota.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/script/tests/test_dfree_quota.sh b/source3/script/tests/test_dfree_quota.sh +index e86d431180a..a1403a8c4ba 100755 +--- a/source3/script/tests/test_dfree_quota.sh ++++ b/source3/script/tests/test_dfree_quota.sh +@@ -197,7 +197,7 @@ test_smbcquotas() { + return $status + } + +-if [ $protocol != "SMB3" -a $protocol != "NT1"]; then ++if [ $protocol != "SMB3" ] && [ $protocol != "NT1" ]; then + echo "unsupported protocol $protocol" | subunit_fail_test "Test dfree quota" + failed=`expr $failed + 1` + fi +-- +GitLab + + +From 4867cafe766fa8aa69ce005dc5c4f05a4af676c8 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 22 Oct 2020 17:40:01 +0200 +Subject: [PATCH 2/5] buildtools: Do not install binaries which are for + selftest + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550 + +Signed-off-by: Andreas Schneider +--- + buildtools/wafsamba/wafsamba.py | 6 ++++-- + 
1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py +index 9f6ee4f5c7f..9dd6d05b91b 100644 +--- a/buildtools/wafsamba/wafsamba.py ++++ b/buildtools/wafsamba/wafsamba.py +@@ -365,8 +365,10 @@ def SAMBA_BINARY(bld, binname, source, + for_selftest=False): + '''define a Samba binary''' + +- if for_selftest and not bld.CONFIG_GET('ENABLE_SELFTEST'): +- enabled=False ++ if for_selftest: ++ install=False ++ if not bld.CONFIG_GET('ENABLE_SELFTEST'): ++ enabled=False + + if not enabled: + SET_TARGET_TYPE(bld, binname, 'DISABLED') +-- +GitLab + + +From a4d5a21880b1cc8adfcbebd6940d06e2fdab3f14 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 22 Oct 2020 17:41:01 +0200 +Subject: [PATCH 3/5] unittests: Mark test binaries for selftest + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550 + +Signed-off-by: Andreas Schneider +--- + testsuite/unittests/wscript | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/testsuite/unittests/wscript b/testsuite/unittests/wscript +index 40fcb01ad57..2b4b37b92de 100644 +--- a/testsuite/unittests/wscript ++++ b/testsuite/unittests/wscript +@@ -9,7 +9,7 @@ def build(bld): + bld.SAMBA_BINARY('test_krb5samba', + source='test_krb5_samba.c', + deps='krb5samba cmocka', +- install=False) ++ for_selftest=True) + + bld.SAMBA_BINARY('test_sambafs_srv_pipe', + source='test_sambafs_srv_pipe.c', +@@ -18,7 +18,7 @@ def build(bld): + RPC_SAMR + cmocka + ''', +- install=False) ++ for_selftest=True) + + bld.SAMBA_BINARY('test_lib_util_modules', + source='test_lib_util_modules.c', +@@ -26,7 +26,7 @@ def build(bld): + samba-modules + cmocka + ''', +- install=False) ++ for_selftest=True) + + bld.SAMBA_MODULE('rpc_test_dummy_module', + source='rpc_test_dummy_module.c', +-- +GitLab + + +From d399761e8261a4de5ce9449f97ade61388e8a1e2 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 23 Oct 2020 08:53:43 +0200 +Subject: [PATCH 4/5] 
s3:modules: Do not install vfs modules only used for + testing + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550 + +Signed-off-by: Andreas Schneider +--- + source3/modules/wscript_build | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build +index c4f3db22296..36b047ef79b 100644 +--- a/source3/modules/wscript_build ++++ b/source3/modules/wscript_build +@@ -114,7 +114,8 @@ bld.SAMBA3_MODULE('vfs_fake_acls', + deps='samba-util', + init_function='', + internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_fake_acls'), +- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_fake_acls')) ++ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_fake_acls'), ++ install=False) + + bld.SAMBA3_MODULE('vfs_recycle', + subsystem='vfs', +@@ -622,21 +623,24 @@ bld.SAMBA3_MODULE('vfs_fake_dfq', + source='vfs_fake_dfq.c', + init_function='', + internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_fake_dfq'), +- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_fake_dfq')) ++ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_fake_dfq'), ++ install=False) + + bld.SAMBA3_MODULE('vfs_error_inject', + subsystem='vfs', + source='vfs_error_inject.c', + init_function='', + internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_error_inject'), +- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_error_inject')) ++ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_error_inject'), ++ install=False) + + bld.SAMBA3_MODULE('vfs_delay_inject', + subsystem='vfs', + source='vfs_delay_inject.c', + init_function='', + internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_delay_inject'), +- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_delay_inject')) ++ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_delay_inject'), ++ install=False) + + bld.SAMBA3_MODULE('vfs_widelinks', + subsystem='vfs', +-- +GitLab + + +From 58e412ac6d9822aa65639d7c1171a2723ca3ee8a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 23 Oct 2020 08:57:12 +0200 +Subject: [PATCH 5/5] examples:auth: Do not 
install example plugin + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550 + +Signed-off-by: Andreas Schneider +--- + examples/auth/wscript_build | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/examples/auth/wscript_build b/examples/auth/wscript_build +index 91f5302918b..03221238e5f 100644 +--- a/examples/auth/wscript_build ++++ b/examples/auth/wscript_build +@@ -6,4 +6,5 @@ bld.SAMBA3_MODULE('auth_skel', + deps='samba-util', + init_function='', + internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_skel'), +- enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_skel')) ++ enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_skel'), ++ install=False) +-- +GitLab + diff --git a/samba-dnspython-2.0.0-v4.13.patch b/samba-dnspython-2.0.0-v4.13.patch new file mode 100644 index 0000000..88aead2 --- /dev/null +++ b/samba-dnspython-2.0.0-v4.13.patch 
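Review bot: In `remove_directory()` (patch 2/9, testprogs/blackbox/common_test_fns.inc) the guard in front of `rm -rf "$xdir"` is weaker than it reads. `[ ! $(ls -A "$xdir") ]` is unquoted, so a directory with several entries, or entries containing spaces or glob characters, expands to multiple words and `[` ends in a test error instead of a clean true/false; the removal then runs only because the error status happens to be non-zero, and `==` inside `[` is a bashism. The root check matches the literal string `/` only, so equivalent spellings such as `//` or `/.` are not caught. I would write the condition as `if [ "$xdir" = "/" ] || [ ! -d "$xdir" ] || [ -z "$(ls -A "$xdir")" ]; then` and the removal as `rm -rf -- "$xdir"`. The call sites are not readable in this view, so it is worth confirming that every caller passes a path below `$PREFIX_ABS` and that the variable cannot be empty there.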
@@ -0,0 +1,143 @@ +From 12b51be8633689763080f2eb1e0b13487e3e71e1 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sat, 24 Oct 2020 12:17:44 +0300 +Subject: [PATCH] DNS Resolver: support both dnspython before and after 2.0.0 + +`dnspython` 2.0.0 has many changes and several deprecations like: + +``` +> dns.resolver.resolve() has been added, allowing control of whether +search lists are used. dns.resolver.query() is retained for backwards +compatibility, but deprecated. The default for search list behavior can +be set at in the resolver object with the use_search_by_default +parameter. The default is False. + +> dns.resolver.resolve_address() has been added, allowing easy +address-to-name lookups. +``` + +The new class `DNSResolver`: +- provides the compatibility layer +- defaults the previous behavior (the search list configured in the + system's resolver configuration is used for relative names) +- defaults lifetime to 15sec (determines the number of seconds + to spend trying to get an answer to the question) + +The compatibility shim was developed by Stanislav Levin for FreeIPA and +adopted for Samba by Alexander Bokovoy. + +Signed-off-by: Stanislav Levin +Signed-off-by: Alexander Bokovoy +--- + python/samba/dnsresolver.py | 68 +++++++++++++++++++++++++++ + source4/scripting/bin/samba_dnsupdate | 5 +- + 2 files changed, 71 insertions(+), 2 deletions(-) + create mode 100644 python/samba/dnsresolver.py + +diff --git a/python/samba/dnsresolver.py b/python/samba/dnsresolver.py +new file mode 100644 +index 00000000000..a627555a855 +--- /dev/null ++++ b/python/samba/dnsresolver.py +@@ -0,0 +1,68 @@ ++# Samba wrapper for DNS resolvers ++# ++# Copyright (C) Stanislav Levin ++# Copyright (C) Alexander Bokovoy ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. 
++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++import dns.resolver ++import dns.rdatatype ++import dns.reversename ++ ++class DNSResolver(dns.resolver.Resolver): ++ """DNS stub resolver compatible with both dnspython < 2.0.0 ++ and dnspython >= 2.0.0. ++ ++ Set `use_search_by_default` attribute to `True`, which ++ determines the default for whether the search list configured ++ in the system's resolver configuration is used for relative ++ names, and whether the resolver's domain may be added to relative ++ names. ++ ++ Increase the default lifetime which determines the number of seconds ++ to spend trying to get an answer to the question. dnspython 2.0.0 ++ changes this to 5sec, while the previous one was 30sec. ++ """ ++ def __init__(self, *args, **kwargs): ++ super().__init__(*args, **kwargs) ++ self.reset_defaults() ++ self.resolve = getattr(super(), "resolve", self.query) ++ self.resolve_address = getattr( ++ super(), ++ "resolve_address", ++ self._resolve_address ++ ) ++ ++ def reset_defaults(self): ++ self.use_search_by_default = True ++ # the default is 5sec ++ self.lifetime = 15 ++ ++ def reset(self): ++ super().reset() ++ self.reset_defaults() ++ ++ def _resolve_address(self, ip_address, *args, **kwargs): ++ """Query nameservers for PTR records. 
++ ++ :param ip_address: IPv4 or IPv6 address ++ :type ip_address: str ++ """ ++ return self.resolve( ++ dns.reversename.from_address(ip_address), ++ rdtype=dns.rdatatype.PTR, ++ *args, ++ **kwargs, ++ ) +diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate +index 44eb1cadd27..fe04ce71338 100755 +--- a/source4/scripting/bin/samba_dnsupdate ++++ b/source4/scripting/bin/samba_dnsupdate +@@ -53,6 +53,7 @@ from samba.compat import get_string + from samba.compat import text_type + import ldb + ++from samba.dnsresolver import DNSResolver + import dns.resolver + import dns.exception + +@@ -259,7 +260,7 @@ def hostname_match(h1, h2): + + def get_resolver(d=None): + resolv_conf = os.getenv('RESOLV_CONF', default='/etc/resolv.conf') +- resolver = dns.resolver.Resolver(filename=resolv_conf, configure=True) ++ resolver = DNSResolver(filename=resolv_conf, configure=True) + + if d is not None and d.nameservers != []: + resolver.nameservers = d.nameservers +@@ -271,7 +272,7 @@ def check_one_dns_name(name, name_type, d=None): + if d and not d.nameservers: + d.nameservers = resolver.nameservers + # dns.resolver.Answer +- return resolver.query(name, name_type) ++ return resolver.resolve(name, name_type) + + def check_dns_name(d): + """check that a DNS entry exists.""" +-- +2.28.0 + diff --git a/samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch b/samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch new file mode 100644 index 0000000..e0ed8ae --- /dev/null +++ b/samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch 
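Review bot: `DNSResolver._resolve_address()` sets `rdtype=dns.rdatatype.PTR` by keyword and then forwards `*args`, so any extra positional argument also binds to the second parameter of `resolve()`/`query()` and the call fails with a TypeError for multiple values of `rdtype`. Only keyword options can pass through this fallback, and the docstring does not say so. Either drop the positional pass-through, `def _resolve_address(self, ip_address, **kwargs):`, or add a docstring line such as `Additional options must be passed by keyword.` The comment `# the default is 5sec` in `reset_defaults()` should also name the dnspython version it refers to, since the class docstring mentions both 5 and 30 seconds.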
@@ -0,0 +1,210 @@ +From 81d6949acdad70ecfb130d3286eeab1b3a51937f Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 7 Oct 2020 19:25:24 +0300 +Subject: [PATCH 1/2] cli_credentials_parse_string: fix parsing of principals + +When parsing a principal-like name, user name was left with full +principal instead of taking only the left part before '@' sign. + +>>> from samba import credentials +>>> t = credentials.Credentials() +>>> t.parse_string('admin@realm.test', credentials.SPECIFIED) +>>> t.get_username() +'admin@realm.test' + +The issue is that cli_credentials_set_username() does a talloc_strdup() +of the argument, so we need to change order of assignment to allow +talloc_strdup() to copy the right part of the string. + +Signed-off-by: Alexander Bokovoy +--- + auth/credentials/credentials.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c +index 77c35dd104b..06ac79058f9 100644 +--- a/auth/credentials/credentials.c ++++ b/auth/credentials/credentials.c +@@ -840,11 +840,10 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials, + * in order to undo the effect of + * cli_credentials_guess(). 
+ */ +- cli_credentials_set_username(credentials, uname, obtained); +- cli_credentials_set_domain(credentials, "", obtained); +- + cli_credentials_set_principal(credentials, uname, obtained); + *p = 0; ++ cli_credentials_set_username(credentials, uname, obtained); ++ cli_credentials_set_domain(credentials, "", obtained); + cli_credentials_set_realm(credentials, p+1, obtained); + return; + } else if ((p = strchr_m(uname,'\\')) +-- +2.28.0 + + +From fa38bebb993011428612d51819530218d8358f5e Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 13 Jan 2020 16:04:20 +0200 +Subject: [PATCH 2/2] lookup_name: allow lookup for own realm + +When using security tab in Windows Explorer, a lookup over a trusted +forest might come as realm\name instead of NetBIOS domain name: + +-------------------------------------------------------------------- +[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug) + lsa_LookupNames3: struct lsa_LookupNames3 + in: struct lsa_LookupNames3 + handle : * + handle: struct policy_handle + handle_type : 0x00000000 (0) + uuid : 0000000e-0000-0000-1c5e-a750e5810000 + num_names : 0x00000001 (1) + names: ARRAY(1) + names: struct lsa_String + length : 0x001e (30) + size : 0x0020 (32) + string : * + string : 'ipa.test\admins' + sids : * + sids: struct lsa_TransSidArray3 + count : 0x00000000 (0) + sids : NULL + level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6) + count : * + count : 0x00000000 (0) + lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0) + client_revision : LSA_CLIENT_REVISION_2 (2) +-------------------------------------------------------------------- + +Allow this lookup using realm to be done against primary domain. + +Refactor user name parsing code to reuse cli_credentials_* API to be +consistent with other places. cli_credentials_parse_string() handles +both domain and realm-based user name variants. 
+ +Signed-off-by: Alexander Bokovoy +--- + source3/passdb/lookup_sid.c | 75 ++++++++++++++++++++++++++----------- + 1 file changed, 53 insertions(+), 22 deletions(-) + +diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c +index 82c47b3145b..39d599fed27 100644 +--- a/source3/passdb/lookup_sid.c ++++ b/source3/passdb/lookup_sid.c +@@ -29,6 +29,7 @@ + #include "../libcli/security/security.h" + #include "lib/winbind_util.h" + #include "../librpc/gen_ndr/idmap.h" ++#include "auth/credentials/credentials.h" + + static bool lookup_unix_user_name(const char *name, struct dom_sid *sid) + { +@@ -78,52 +79,82 @@ bool lookup_name(TALLOC_CTX *mem_ctx, + const char **ret_domain, const char **ret_name, + struct dom_sid *ret_sid, enum lsa_SidType *ret_type) + { +- char *p; + const char *tmp; + const char *domain = NULL; + const char *name = NULL; ++ const char *realm = NULL; + uint32_t rid; + struct dom_sid sid; + enum lsa_SidType type; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); ++ struct cli_credentials *creds = NULL; + + if (tmp_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return false; + } + +- p = strchr_m(full_name, '\\'); +- +- if (p != NULL) { +- domain = talloc_strndup(tmp_ctx, full_name, +- PTR_DIFF(p, full_name)); +- name = talloc_strdup(tmp_ctx, p+1); +- } else { +- domain = talloc_strdup(tmp_ctx, ""); +- name = talloc_strdup(tmp_ctx, full_name); ++ creds = cli_credentials_init(tmp_ctx); ++ if (creds == NULL) { ++ DEBUG(0, ("cli_credentials_init failed\n")); ++ return false; + } + +- if ((domain == NULL) || (name == NULL)) { +- DEBUG(0, ("talloc failed\n")); +- TALLOC_FREE(tmp_ctx); ++ cli_credentials_parse_string(creds, full_name, CRED_SPECIFIED); ++ name = cli_credentials_get_username(creds); ++ domain = cli_credentials_get_domain(creds); ++ realm = cli_credentials_get_realm(creds); ++ ++ /* At this point we have: ++ * - name -- normal name or empty string ++ * - domain -- either NULL or domain name ++ * - realm -- either NULL or realm 
name ++ * ++ * domain and realm are exclusive to each other ++ * the code below in lookup_name assumes domain ++ * to be at least empty string, not NULL ++ */ ++ ++ if ((name == NULL) || (name[0] == '\0')) { ++ DEBUG(0, ("lookup_name with empty name, exit\n")); + return false; + } + ++ if ((domain == NULL) && (realm == NULL)) { ++ domain = talloc_strdup(creds, ""); ++ } ++ + DEBUG(10,("lookup_name: %s => domain=[%s], name=[%s]\n", + full_name, domain, name)); + DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags)); + +- if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) && +- strequal(domain, get_global_sam_name())) +- { ++ /* Windows clients may send a LookupNames request with both NetBIOS ++ * domain name- and realm-qualified user names. Thus, we need to check ++ * both against both of the SAM domain name and realm, if set. Since ++ * domain name and realm in the request are exclusive, test the one ++ * that is specified. cli_credentials_parse_string() will either set ++ * realm or wouldn't so we can use it to detect if realm was specified. ++ */ ++ if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) { ++ const char *domain_name = realm ? realm : domain; ++ bool check_global_sam = false; ++ ++ if (domain_name[0] != '\0') { ++ check_global_sam = strequal(domain_name, get_global_sam_name()); ++ if (!check_global_sam && lp_realm() != NULL) { ++ check_global_sam = strequal(domain_name, lp_realm()); ++ } ++ } + +- /* It's our own domain, lookup the name in passdb */ +- if (lookup_global_sam_name(name, flags, &rid, &type)) { +- sid_compose(&sid, get_global_sam_sid(), rid); +- goto ok; ++ if (check_global_sam) { ++ /* It's our own domain, lookup the name in passdb */ ++ if (lookup_global_sam_name(name, flags, &rid, &type)) { ++ sid_compose(&sid, get_global_sam_sid(), rid); ++ goto ok; ++ } ++ TALLOC_FREE(tmp_ctx); ++ return false; + } +- TALLOC_FREE(tmp_ctx); +- return false; + } + + if ((flags & LOOKUP_NAME_BUILTIN) && +-- +2.28.0 + 
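Review bot: The two early returns added to `lookup_name()` in source3/passdb/lookup_sid.c, one after a failed `cli_credentials_init()` and one for an empty parsed name, return `false` without `TALLOC_FREE(tmp_ctx)`, although the code they replace freed it and the later `check_global_sam` failure path in the same hunk still does. The temporary context then stays attached to `mem_ctx` until the caller frees that, so failed lookups accumulate memory on a long-lived parent; add `TALLOC_FREE(tmp_ctx);` before each `return false;`. The empty-name branch also logs with `DEBUG(0, ...)`, and since the commit message shows such names arriving through lsa_LookupNames3 this looks reachable by clients, so a higher debug level would keep a malformed request from filling the log at level 0. The body of `lookup_name()` continues outside the hunk.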
diff --git a/samba-s4u.patch b/samba-s4u.patch
new file mode 100644
index 0000000..83ed873
--- /dev/null
+++ b/samba-s4u.patch
@@ -0,0 +1,726 @@ +From fe300549844509624d944b93fc64dc6d382e71c1 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 27 Sep 2019 18:25:03 +0300 +Subject: [PATCH 3/7] mit-kdc: add basic loacl realm S4U support + +Signed-off-by: Isaac Boukris +Pair-Programmed-With: Andreas Schneider +--- + source4/kdc/mit-kdb/kdb_samba_policies.c | 148 +++++++++--------- + source4/kdc/mit_samba.c | 47 ++---- + source4/kdc/mit_samba.h | 6 +- + wscript_configure_system_mitkrb5 | 3 + + 6 files changed, 91 insertions(+), 115 deletions(-) + +diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c +index 9197551ed61..944324d9a2f 100644 +--- a/source4/kdc/mit-kdb/kdb_samba_policies.c ++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c +@@ -192,13 +192,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, + krb5_keyblock *krbtgt_key, + krb5_timestamp authtime, + krb5_authdata **tgt_auth_data, +- krb5_pac *pac) ++ krb5_pac *out_pac) + { + struct mit_samba_context *mit_ctx; + krb5_authdata **authdata = NULL; +- krb5_pac ipac = NULL; +- DATA_BLOB logon_data = { NULL, 0 }; ++ krb5_keyblock *header_server_key = NULL; ++ krb5_key_data *impersonator_kd = NULL; ++ krb5_keyblock impersonator_key = {0}; + krb5_error_code code; ++ krb5_pac pac; ++ ++ *out_pac = NULL; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { +@@ -230,41 +234,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, + code = krb5_pac_parse(context, + authdata[0]->contents, + authdata[0]->length, +- &ipac); ++ &pac); + if (code != 0) { + goto done; + } + +- /* TODO: verify this is correct +- * +- * In the constrained delegation case, the PAC is from a service +- * ticket rather than a TGT; we must verify the server and KDC +- * signatures to assert that the server did not forge the PAC. ++ /* ++ * For constrained delegation in MIT version < 1.18 we aren't provided ++ * with the 2nd ticket server key to verify the PAC. 
++ * We can workaround that by fetching the key from the client db entry, ++ * which is the impersonator account in that version. ++ * TODO: use the provided entry in the new 1.18 version. + */ + if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { +- code = krb5_pac_verify(context, +- ipac, +- authtime, +- client_princ, +- server_key, +- krbtgt_key); ++ /* The impersonator must be local. */ ++ if (client == NULL) { ++ code = KRB5KDC_ERR_BADOPTION; ++ goto done; ++ } ++ /* Fetch and decrypt 2nd ticket server's current key. */ ++ code = krb5_dbe_find_enctype(context, client, -1, -1, 0, ++ &impersonator_kd); ++ if (code != 0) { ++ goto done; ++ } ++ code = krb5_dbe_decrypt_key_data(context, NULL, ++ impersonator_kd, ++ &impersonator_key, NULL); ++ if (code != 0) { ++ goto done; ++ } ++ header_server_key = &impersonator_key; + } else { +- code = krb5_pac_verify(context, +- ipac, +- authtime, +- client_princ, +- krbtgt_key, +- NULL); +- } +- if (code != 0) { +- goto done; ++ header_server_key = krbtgt_key; + } + +- /* check and update PAC */ +- code = krb5_pac_parse(context, +- authdata[0]->contents, +- authdata[0]->length, +- pac); ++ code = krb5_pac_verify(context, pac, authtime, client_princ, ++ header_server_key, NULL); + if (code != 0) { + goto done; + } +@@ -272,17 +278,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, + code = mit_samba_reget_pac(mit_ctx, + context, + flags, +- client_princ, + client, + server, + krbtgt, + krbtgt_key, +- pac); ++ &pac); ++ if (code != 0) { ++ goto done; ++ } ++ ++ *out_pac = pac; ++ pac = NULL; + + done: ++ krb5_free_keyblock_contents(context, &impersonator_key); + krb5_free_authdata(context, authdata); +- krb5_pac_free(context, ipac); +- free(logon_data.data); ++ krb5_pac_free(context, pac); + + return code; + } +@@ -324,7 +335,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + { + #endif + krb5_authdata **authdata = NULL; +- krb5_boolean is_as_req; ++ krb5_const_principal pac_client; + 
krb5_error_code code; + krb5_pac pac = NULL; + krb5_data pac_data; +@@ -334,24 +345,21 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; + #endif + +- /* FIXME: We don't support S4U yet */ +- if (flags & KRB5_KDB_FLAGS_S4U) { +- return KRB5_KDB_DBTYPE_NOSUP; +- } +- +- is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); +- +- if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) { +- code = ks_get_pac(context, client, client_key, &pac); +- if (code != 0) { +- goto done; +- } ++ /* In protocol transition, we are currently not provided with the tgt ++ * client name to verify the PAC, we could probably skip the name ++ * verification and just verify the signatures, but since we don't ++ * support cross-realm nor aliases, we can just use server->princ */ ++ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { ++ pac_client = server->princ; ++ } else { ++ pac_client = client_princ; + } + +- if (!is_as_req) { ++ /* TGS request */ ++ if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY)) { + code = ks_verify_pac(context, + flags, +- client_princ, ++ pac_client, + client, + server, + krbtgt, +@@ -363,14 +371,28 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + if (code != 0) { + goto done; + } ++ ++ /* We require PAC as we don't support LSA_TRUST_TYPE_MIT */ ++ if (pac == NULL) { ++ code = KRB5_KDB_DBTYPE_NOSUP; ++ goto done; ++ } + } + +- if (pac == NULL && client != NULL) { ++ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { ++ krb5_pac_free(context, pac); ++ pac = NULL; ++ } + ++ /* AS request or local realm protocol transition */ ++ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) || ++ (client != NULL && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION))) { + code = ks_get_pac(context, client, client_key, &pac); + if (code != 0) { + goto done; + } ++ /* We require a pac! 
*/ ++ SMB_ASSERT(pac != NULL); + } + + if (pac == NULL) { +@@ -379,7 +401,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + } + + code = krb5_pac_sign(context, pac, authtime, client_princ, +- server_key, krbtgt_key, &pac_data); ++ server_key, krbtgt_key, &pac_data); + if (code != 0) { + DBG_ERR("krb5_pac_sign failed: %d\n", code); + goto done; +@@ -405,11 +427,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + KRB5_AUTHDATA_IF_RELEVANT, + authdata, + signed_auth_data); +- if (code != 0) { +- goto done; +- } +- +- code = 0; + + done: + krb5_pac_free(context, pac); +@@ -432,32 +449,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, + * server; -> delegating service + * proxy; -> target principal + */ +- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server); +- +- char *target_name = NULL; +- bool is_enterprise; +- krb5_error_code code; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { + return KRB5_KDB_DBNOTINITED; + } + +- code = krb5_unparse_name(context, proxy, &target_name); +- if (code) { +- goto done; +- } +- +- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL); +- +- code = mit_samba_check_s4u2proxy(mit_ctx, +- delegating_service, +- target_name, +- is_enterprise); +- +-done: +- free(target_name); +- return code; ++ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy); + } + + +diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c +index 54dcd545ea1..f23327c9613 100644 +--- a/source4/kdc/mit_samba.c ++++ b/source4/kdc/mit_samba.c +@@ -467,7 +467,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, + krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, +- krb5_const_principal client_principal, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, +@@ -615,7 +614,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + context, + 
*pac, + server->princ, +- discard_const(client_principal), ++ client->princ, + deleg_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("Update delegation info failed: %s\n", +@@ -937,41 +936,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, + } + + int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, +- krb5_db_entry *kentry, +- const char *target_name, +- bool is_nt_enterprise_name) ++ const krb5_db_entry *server, ++ krb5_const_principal target_principal) + { +-#if 1 +- /* +- * This is disabled because mit_samba_update_pac_data() does not handle +- * S4U_DELEGATION_INFO +- */ +- +- return KRB5KDC_ERR_BADOPTION; +-#else +- krb5_principal target_principal; +- int flags = 0; +- int ret; +- +- if (is_nt_enterprise_name) { +- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; +- } +- +- ret = krb5_parse_name_flags(ctx->context, target_name, +- flags, &target_principal); +- if (ret) { +- return ret; +- } +- +- ret = samba_kdc_check_s4u2proxy(ctx->context, +- ctx->db_ctx, +- skdc_entry, +- target_principal); +- +- krb5_free_principal(ctx->context, target_principal); +- +- return ret; +-#endif ++ struct samba_kdc_entry *server_skdc_entry = ++ talloc_get_type_abort(server->e_data, ++ struct samba_kdc_entry); ++ ++ return samba_kdc_check_s4u2proxy(ctx->context, ++ ctx->db_ctx, ++ server_skdc_entry, ++ target_principal); + } + + static krb5_error_code mit_samba_change_pwd_error(krb5_context context, +diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h +index ba824557bd5..5aadf206443 100644 +--- a/source4/kdc/mit_samba.h ++++ b/source4/kdc/mit_samba.h +@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, + krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, +- krb5_const_principal client_principal, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, +@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, + DATA_BLOB 
*e_data); + + int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, +- krb5_db_entry *kentry, +- const char *target_name, +- bool is_nt_enterprise_name); ++ const krb5_db_entry *server, ++ krb5_const_principal target_principal); + + int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, + char *pwd, +-- +2.25.4 + +From ff1b225493ede3d43cfad571770dacb73f75ec42 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 27 Sep 2019 18:35:30 +0300 +Subject: [PATCH 5/7] krb5-mit: enable S4U client support for MIT build + +Signed-off-by: Isaac Boukris +Pair-Programmed-With: Andreas Schneider +--- + lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++ + lib/krb5_wrap/krb5_samba.h | 2 - + source4/auth/kerberos/kerberos_util.c | 11 -- + 4 files changed, 185 insertions(+), 14 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 20ce86c708d..e72ab3c30f7 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2568,6 +2568,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + + return 0; + } ++ ++#else /* MIT */ ++ ++static bool princ_compare_no_dollar(krb5_context ctx, ++ krb5_principal a, ++ krb5_principal b) ++{ ++ bool cmp; ++ krb5_principal mod = NULL; ++ ++ if (a->length == 1 && b->length == 1 && ++ a->data[0].length != 0 && b->data[0].length != 0 && ++ a->data[0].data[a->data[0].length -1] != ++ b->data[0].data[b->data[0].length -1]) { ++ if (a->data[0].data[a->data[0].length -1] == '$') { ++ mod = a; ++ mod->data[0].length--; ++ } else if (b->data[0].data[b->data[0].length -1] == '$') { ++ mod = b; ++ mod->data[0].length--; ++ } ++ } ++ ++ cmp = krb5_principal_compare_flags(ctx, a, b, ++ KRB5_PRINCIPAL_COMPARE_CASEFOLD); ++ ++ if (mod != NULL) { ++ mod->data[0].length++; ++ } ++ ++ return cmp; ++} ++ ++krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, ++ krb5_ccache store_cc, ++ krb5_principal init_principal, ++ const char *init_password, ++ 
krb5_principal impersonate_principal, ++ const char *self_service, ++ const char *target_service, ++ krb5_get_init_creds_opt *krb_options, ++ time_t *expire_time, ++ time_t *kdc_time) ++{ ++ krb5_error_code code; ++ krb5_principal self_princ = NULL; ++ krb5_principal target_princ = NULL; ++ krb5_creds *store_creds; ++ krb5_creds *s4u2self_creds = NULL; ++ krb5_creds *s4u2proxy_creds = NULL; ++ krb5_creds init_creds = {0}; ++ krb5_creds mcreds = {0}; ++ krb5_flags options = KRB5_GC_NO_STORE; ++ krb5_ccache tmp_cc; ++ bool s4u2proxy; ++ ++ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc); ++ if (code != 0) { ++ return code; ++ } ++ ++ code = krb5_get_init_creds_password(ctx, &init_creds, ++ init_principal, ++ init_password, ++ NULL, NULL, ++ 0, ++ NULL, ++ krb_options); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* ++ * Check if we also need S4U2Proxy or if S4U2Self is ++ * enough in order to get a ticket for the target. ++ */ ++ if (target_service == NULL) { ++ s4u2proxy = false; ++ } else if (strcmp(target_service, self_service) == 0) { ++ s4u2proxy = false; ++ } else { ++ s4u2proxy = true; ++ } ++ ++ code = krb5_parse_name(ctx, self_service, &self_princ); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt ++ * client and the request server to be the same principal name. 
*/ ++ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) { ++ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ++ goto done; ++ } ++ ++ mcreds.client = impersonate_principal; ++ mcreds.server = init_creds.client; ++ ++ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds, ++ NULL, &s4u2self_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ if (s4u2proxy) { ++ code = krb5_parse_name(ctx, target_service, &target_princ); ++ if (code != 0) { ++ goto done; ++ } ++ ++ mcreds.client = init_creds.client; ++ mcreds.server = target_princ; ++ mcreds.second_ticket = s4u2self_creds->ticket; ++ ++ code = krb5_get_credentials(ctx, options | ++ KRB5_GC_CONSTRAINED_DELEGATION, ++ tmp_cc, &mcreds, &s4u2proxy_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* Check KDC support of S4U2Proxy extension */ ++ if (!krb5_principal_compare(ctx, s4u2self_creds->client, ++ s4u2proxy_creds->client)) { ++ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ++ goto done; ++ } ++ ++ store_creds = s4u2proxy_creds; ++ } else { ++ store_creds = s4u2self_creds;; ++ ++ /* We need to save the ticket with the requested server name ++ * or the caller won't be able to find it in cache. 
*/ ++ if (!krb5_principal_compare(ctx, self_princ, ++ store_creds->server)) { ++ krb5_free_principal(ctx, store_creds->server); ++ store_creds->server = NULL; ++ code = krb5_copy_principal(ctx, self_princ, ++ &store_creds->server); ++ if (code != 0) { ++ goto done; ++ } ++ } ++ } ++ ++ code = krb5_cc_initialize(ctx, store_cc, store_creds->client); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_store_cred(ctx, store_cc, store_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ if (expire_time) { ++ *expire_time = (time_t) store_creds->times.endtime; ++ } ++ ++ if (kdc_time) { ++ *kdc_time = (time_t) store_creds->times.starttime; ++ } ++ ++done: ++ krb5_cc_destroy(ctx, tmp_cc); ++ krb5_free_cred_contents(ctx, &init_creds); ++ krb5_free_creds(ctx, s4u2self_creds); ++ krb5_free_creds(ctx, s4u2proxy_creds); ++ krb5_free_principal(ctx, self_princ); ++ krb5_free_principal(ctx, target_princ); ++ ++ return code; ++} + #endif + + #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) +diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h +index ca9a893e4f7..3264ce5eb3b 100644 +--- a/lib/krb5_wrap/krb5_samba.h ++++ b/lib/krb5_wrap/krb5_samba.h +@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); +-#ifdef SAMBA4_USES_HEIMDAL + krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + krb5_ccache store_cc, + krb5_principal init_principal, +@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); +-#endif + + #if defined(HAVE_KRB5_MAKE_PRINCIPAL) + #define smb_krb5_make_principal krb5_make_principal +diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c +index 544d9d853cc..c14d8c72d8c 100644 +--- a/source4/auth/kerberos/kerberos_util.c ++++ 
b/source4/auth/kerberos/kerberos_util.c +@@ -234,9 +234,7 @@ done: + { + krb5_error_code ret; + const char *password; +-#ifdef SAMBA4_USES_HEIMDAL + const char *self_service; +-#endif + const char *target_service; + time_t kdc_time = 0; + krb5_principal princ; +@@ -268,9 +266,7 @@ done: + return ret; + } + +-#ifdef SAMBA4_USES_HEIMDAL + self_service = cli_credentials_get_self_service(credentials); +-#endif + target_service = cli_credentials_get_target_service(credentials); + + password = cli_credentials_get_password(credentials); +@@ -331,7 +327,6 @@ done: + #endif + if (password) { + if (impersonate_principal) { +-#ifdef SAMBA4_USES_HEIMDAL + ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context, + ccache, + princ, +@@ -342,12 +337,6 @@ done: + krb_options, + NULL, + &kdc_time); +-#else +- talloc_free(mem_ctx); +- (*error_string) = "INTERNAL error: s4u2 ops " +- "are not supported with MIT build yet"; +- return EINVAL; +-#endif + } else { + ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, + ccache, +-- +2.25.4 + + + +From cf1b9bdc09180d68e2b30258839d2f78b7af9c62 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 19 Sep 2020 14:16:20 +0200 +Subject: [PATCH 7/7] wip: for canonicalization with new MIT kdc code + +--- + source4/heimdal/lib/hdb/hdb.h | 1 + + source4/kdc/db-glue.c | 8 ++++++-- + source4/kdc/mit_samba.c | 3 +++ + source4/kdc/sdb.h | 1 + + 4 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h +index 6a09ecb6fe1..bc5211fef35 100644 +--- a/source4/heimdal/lib/hdb/hdb.h ++++ b/source4/heimdal/lib/hdb/hdb.h +@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; + #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ + #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ + #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ ++#define HDB_F_FORCE_CANON 16384 /* force canonicalition */ + + /* hdb_capability_flags */ + 
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 +diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c +index a560a1cd84b..c27b6a8ef4c 100644 +--- a/source4/kdc/db-glue.c ++++ b/source4/kdc/db-glue.c +@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, + } + } + +- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { ++ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ? + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + if (ret) { + krb5_clear_error_message(context); + goto out; + } +- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) { ++ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){ + /* + * SDB_F_CANON maps from the canonicalize flag in the + * packet, and has a different meaning between AS-REQ + * and TGS-REQ. We only change the principal in the AS-REQ case ++ * ++ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants ++ * the canonical name in all lookups, and takes care to canonicalize ++ * only when appropriate. 
+ */ + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + if (ret) { +diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c +index f23327c9613..4084e893cc2 100644 +--- a/source4/kdc/mit_samba.c ++++ b/source4/kdc/mit_samba.c +@@ -198,6 +198,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, + if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { + sflags |= SDB_F_CANON; + } ++#if KRB5_KDB_API_VERSION >= 10 ++ sflags |= SDB_F_FORCE_CANON; ++#endif + if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | + KRB5_KDB_FLAG_INCLUDE_PAC)) { + /* +diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h +index c929acccce6..a9115ec23d7 100644 +--- a/source4/kdc/sdb.h ++++ b/source4/kdc/sdb.h +@@ -116,6 +116,7 @@ struct sdb_entry_ex { + #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ + #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ + #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ ++#define SDB_F_FORCE_CANON 16384 /* force canonicalition */ + + void sdb_free_entry(struct sdb_entry_ex *e); + void free_sdb_entry(struct sdb_entry *s); +-- +2.25.4 + diff --git a/samba-systemd-notification.patch b/samba-systemd-notification.patch new file mode 100644 index 0000000..1011460 --- /dev/null +++ b/samba-systemd-notification.patch 
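Review bot: In `ks_verify_pac` the single `krb5_pac_verify(context, pac, authtime, client_princ, header_server_key, NULL)` call now passes NULL for the KDC key in the constrained-delegation branch too, so only the server checksum, keyed with the impersonating service's own key, is checked there. The removed code verified both `server_key` and `krbtgt_key` in that case, and its comment gave the reason: the server must not be able to forge the PAC. Unless `mit_samba_reget_pac` validates the KDC checksum itself (not visible in this patch), I would keep that check, e.g. `header_server_key, (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) ? krbtgt_key : NULL);`. In the same function `krb5_pac pac;` is freed at `done:` and should be declared `krb5_pac pac = NULL;` so that an early `goto done` cannot free an uninitialised handle. Parts of the function lie outside the patch context, so both points should be confirmed against the full body.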
@@ -0,0 +1,118 @@ +From 9dd1a4809b1b6d65bfb2258b443b0fe36e0a32f7 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Sat, 24 Oct 2020 16:52:43 +0300 +Subject: [PATCH] daemons: report status to systemd even when running in + foreground + +When systemd launches samba services, the configuration we have in +systemd service files expects that the main process (/usr/sbin/*) +would use sd_notify() to report back its status. However, we only use +sd_notify() when running become_daemon(). + +As a result, samba/smbd/winbindd/nmbd processes never report back its +status and the status updates from other childs (smbd, winbindd, etc) +are not accepted as we now have implied NotifyAccess=main since commit +d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc + +This leads to a timeout and killing samba process by systemd. Situation +is reproducible in Fedora 33, for example. + +Make sure that we have required status updates for all daemons in case +we aren't runnning in interactive mode. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552 + +Signed-off-by: Alexander Bokovoy +--- + source3/nmbd/nmbd.c | 4 +++- + source3/smbd/server.c | 4 +++- + source3/winbindd/winbindd.c | 5 ++++- + source4/smbd/server.c | 4 +++- + 4 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c +index 0b881d13f7b..f6aeba1f714 100644 +--- a/source3/nmbd/nmbd.c ++++ b/source3/nmbd/nmbd.c +@@ -1009,6 +1009,8 @@ static bool open_sockets(bool isdaemon, int port) + if (is_daemon && !opt_interactive) { + DEBUG(3, ("Becoming a daemon.\n")); + become_daemon(Fork, no_process_group, log_stdout); ++ } else if (!opt_interactive) { ++ daemon_status("nmbd", "Starting process..."); + } + + #ifdef HAVE_SETPGID +@@ -1135,7 +1137,7 @@ static bool open_sockets(bool isdaemon, int port) + exit_daemon( "NMBD failed to setup packet server.", EACCES); + } + +- if (is_daemon && !opt_interactive) { ++ if (!opt_interactive) { + daemon_ready("nmbd"); + } + +diff --git 
a/source3/smbd/server.c b/source3/smbd/server.c +index 153dd3c9323..3d9db5d8407 100644 +--- a/source3/smbd/server.c ++++ b/source3/smbd/server.c +@@ -1893,6 +1893,8 @@ extern void build_options(bool screen); + if (is_daemon && !interactive) { + DEBUG(3, ("Becoming a daemon.\n")); + become_daemon(Fork, no_process_group, log_stdout); ++ } else { ++ daemon_status("smbd", "Starting process ..."); + } + + #ifdef HAVE_SETPGID +@@ -2100,7 +2102,7 @@ extern void build_options(bool screen); + exit_daemon("Samba cannot setup ep pipe", EACCES); + } + +- if (is_daemon && !interactive) { ++ if (!interactive) { + daemon_ready("smbd"); + } + +diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c +index 4397a1bc0d1..1e08237905a 100644 +--- a/source3/winbindd/winbindd.c ++++ b/source3/winbindd/winbindd.c +@@ -1880,8 +1880,11 @@ int main(int argc, const char **argv) + BlockSignals(False, SIGHUP); + BlockSignals(False, SIGCHLD); + +- if (!interactive) ++ if (!interactive) { + become_daemon(Fork, no_process_group, log_stdout); ++ } else { ++ daemon_status("winbindd", "Starting process ..."); ++ } + + pidfile_create(lp_pid_directory(), "winbindd"); + +diff --git a/source4/smbd/server.c b/source4/smbd/server.c +index 95acb99b86c..ee2e7508bb3 100644 +--- a/source4/smbd/server.c ++++ b/source4/smbd/server.c +@@ -648,6 +648,8 @@ static int binary_smbd_main(const char *binary_name, + if (opt_daemon) { + DBG_NOTICE("Becoming a daemon.\n"); + become_daemon(opt_fork, opt_no_process_group, false); ++ } else if (!opt_interactive) { ++ daemon_status("samba", "Starting process..."); + } + + /* Create the memory context to hang everything off. */ +@@ -931,7 +933,7 @@ static int binary_smbd_main(const char *binary_name, + } + } + +- if (opt_daemon) { ++ if (!opt_interactive) { + daemon_ready("samba"); + } + +-- +2.28.0 + diff --git a/samba.spec b/samba.spec index 7948d6b..9841740 100644 --- a/samba.spec +++ b/samba.spec 
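Review bot: The new `daemon_status()` branches are guarded differently in each daemon: nmbd and the source4 `samba` binary use `else if (!opt_interactive)`, while smbd and winbindd use a bare `else`, so smbd also reports in interactive mode and winbindd reports only in interactive mode. The commit message says the status updates are meant for the non-interactive case, so the smbd branch would read `} else if (!interactive) {`, and the winbindd `else` branch looks unnecessary unless its foreground path is handled elsewhere. winbindd also gets no matching `daemon_ready()` change in this patch; whether one already exists is not visible here. All four functions continue outside the hunks.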
@@ -1,27 +1,96 @@ -# rpmbuild --rebuild --with testsuite --without clustering samba.src.rpm +# The testsuite is disabled by default. +# +# To build and run the tests use: +# +# rpmbuild --rebuild --with testsuite samba.src.rpm # -# The testsuite is disabled by default. Set --with testsuite or bcond_without -# to run the Samba torture testsuite. %bcond_with testsuite + +# Build with internal talloc, tevent, tdb and ldb. +# +# rpmbuild --rebuild --with=testsuite --with=includelibs samba.src.rpm +# +%bcond_with includelibs + # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering +# Build with Active Directory Domain Controller support by default on Fedora +%if 0%{?fedora} +%bcond_without dc +%else +%bcond_with dc +%endif + +# Build a libsmbclient package by default +%bcond_without libsmbclient + +# Build a libwbclient package by default +%bcond_without libwbclient + +# Build with winexe by default +%bcond_without winexe + +# Build vfs_ceph module by default on 64bit Fedora +%if 0%{?fedora} + +%ifarch aarch64 ppc64le s390x x86_64 +%bcond_without vfs_cephfs +%else +%bcond_with vfs_cephfs +#endifarch +%endif + +%else +%bcond_with vfs_cephfs +#endif fedora +%endif + +# Build vfs_gluster module by default on 64bit Fedora +%if 0%{?fedora} + +%ifarch aarch64 ppc64le s390x x86_64 +%bcond_without vfs_glusterfs +%else +%bcond_with vfs_glusterfs +#endifarch +%endif + +%else +%bcond_with vfs_glusterfs +#endif fedora +%endif + +# Build vfs_io_uring module by default on 64bit Fedora +%if 0%{?fedora} + +%ifarch aarch64 ppc64le s390x x86_64 +%bcond_without vfs_io_uring +%else +%bcond_with vfs_io_uring +#endifarch +%endif + +%else +%bcond_with vfs_io_uring +#endif fedora +%endif + %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%define main_release 11 +%global main_release 14 -%define samba_version 4.13.0 
-%define talloc_version 2.3.1 -%define tdb_version 1.4.3 -%define tevent_version 0.10.2 -%define ldb_version 2.2.0 +%global samba_version 4.13.0 +%global talloc_version 2.3.1 +%global tdb_version 1.4.3 +%global tevent_version 0.10.2 +%global ldb_version 2.2.0 # This should be rc1 or nil -%define pre_release %nil +%global pre_release %nil +%global samba_release %{main_release}%{?dist} %if "x%{?pre_release}" != "x" -%define samba_release 0.%{main_release}.%{pre_release}%{?dist} -%else -%define samba_release %{main_release}%{?dist} +%global samba_release 0.%{main_release}.%{pre_release}%{?dist} %endif # This is a network daemon, do a hardened build @@ -34,67 +103,14 @@ # https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md %undefine _strict_symbol_defs_build -%global with_libsmbclient 1 -%global with_libwbclient 1 - -%global with_profiling 1 - -%global with_vfs_cephfs 0 -%if 0%{?fedora} -%ifarch aarch64 ppc64le s390x x86_64 -%global with_vfs_cephfs 1 -#endifarch -%endif -#endif fedora -%endif - -%global with_vfs_glusterfs 1 -%if 0%{?rhel} -%global with_vfs_glusterfs 0 -# Only enable on x86_64 -%ifarch x86_64 -%global with_vfs_glusterfs 1 -#endif arch -%endif -#endif rhel -%endif - %global libwbc_alternatives_version 0.15 %global libwbc_alternatives_suffix %nil %if 0%{?__isa_bits} == 64 %global libwbc_alternatives_suffix -64 %endif -%global with_dc 1 - -%if 0%{?rhel} -%global with_dc 0 -%endif - -%if %{with testsuite} -%global with_dc 1 -%endif - %global required_mit_krb5 1.18 -%global with_clustering_support 0 - -%if %{with clustering} -%global with_clustering_support 1 -%endif - -# Enable winexe by default -%bcond_without winexe - -%global with_vfs_io_uring 0 -# We need liburing >= 0.4 which is not available in RHEL yet -%if 0%{?fedora} -%ifarch aarch64 ppc64le s390x x86_64 i686 -%global with_vfs_io_uring 1 -%endif -# /fedora -%endif - %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" Name: samba 
@@ -108,9 +124,9 @@ Epoch: 2 %endif %if 0%{?epoch} > 0 -%define samba_depver %{epoch}:%{version}-%{release} +%global samba_depver %{epoch}:%{version}-%{release} %else -%define samba_depver %{version}-%{release} +%global samba_depver %{version}-%{release} %endif Summary: Server and Client software to interoperate with Windows machines @@ -130,6 +146,17 @@ Source13: pam_winbind.conf Source14: samba.pamd Source201: README.downgrade +Patch1: samba-s4u.patch +Patch2: samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch +Patch3: samba-dnspython-2.0.0-v4.13.patch +Patch4: samba-systemd-notification.patch + +# Fix `make test` in release tarballs +Patch5: https://gitlab.com/samba-team/samba/-/merge_requests/1624.patch +# Update resolv_wrapper to version 1.1.7 +Patch6: https://gitlab.com/samba-team/samba/-/merge_requests/1528.patch +# Do not install test binaries for selftest +Patch7: https://gitlab.com/samba-team/samba/-/merge_requests/1635.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -142,7 +169,7 @@ Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif 
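Review bot: `Patch5` to `Patch7` reference merge-request `.patch` URLs, which return whatever the merge request contains at download time, so the URL does not pin the content that was reviewed and committed next to the spec. Recording the upstream commit in the comment, e.g. `# Update resolv_wrapper to version 1.1.7 (upstream commit <COMMIT_ID>)`, lets a later reader verify the local file against upstream. `Patch1` to `Patch4` have no origin comment at all; a one-line note on where each comes from and whether it is upstream would help the same audit.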
@@ -220,27 +247,27 @@ BuildRequires: zlib-devel >= 1.2.3 BuildRequires: pkgconfig(libsystemd) -%if %{with_vfs_glusterfs} +%if %{with vfs_glusterfs} BuildRequires: glusterfs-api-devel >= 3.4.0.16 BuildRequires: glusterfs-devel >= 3.4.0.16 %endif -%if %{with_vfs_cephfs} +%if %{with vfs_cephfs} BuildRequires: libcephfs-devel %endif -%if %{with_vfs_io_uring} +%if %{with vfs_io_uring} BuildRequires: liburing-devel >= 0.4 %endif -%if %{with_dc} +%if %{with dc} || %{with testsuite} # Add python3-iso8601 to avoid that the # version in Samba is being packaged BuildRequires: python3-iso8601 BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} -#endif with_dc +#endif with dc %endif # pidl requirements @@ -248,6 +275,7 @@ BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(FindBin) BuildRequires: perl(Parse::Yapp) +%if %{without testsuite} BuildRequires: libtalloc-devel >= %{talloc_version} BuildRequires: python3-talloc-devel >= %{talloc_version} @@ -259,17 +287,18 @@ BuildRequires: python3-tdb >= %{tdb_version} BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: python3-ldb-devel >= %{ldb_version} - -%if %{with testsuite} || %{with_dc} -BuildRequires: ldb-tools -BuildRequires: tdb-tools -BuildRequires: python3-gpg -BuildRequires: python3-markdown +%else +BuildRequires: lmdb-devel +#endif without testsuite %endif -%if %{with_dc} -BuildRequires: krb5-server >= %{required_mit_krb5} +%if %{with dc} || %{with testsuite} BuildRequires: bind +BuildRequires: krb5-server >= %{required_mit_krb5} +BuildRequires: ldb-tools +BuildRequires: python3-gpg +BuildRequires: python3-markdown +BuildRequires: tdb-tools %endif # filter out perl requirements pulled in from examples in the docdir. 
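Review bot: The system talloc/tdb/ldb BuildRequires are now wrapped in `%if %{without testsuite}`, although the switch this commit introduces for bundled libraries is `includelibs`. As written, `--with includelibs` alone still requires the system -devel packages and `--with testsuite` alone drops them; if that coupling is not intended, the guard should be `%if %{without includelibs}` with the trailer `#endif without includelibs`. The same hunks also list `bind` and `krb5-server >= %{required_mit_krb5}` twice under identical `%if %{with dc} || %{with testsuite}` conditions; one copy is enough.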
@@ -288,10 +317,10 @@ Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} -%if %with_libsmbclient +%if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -312,7 +341,7 @@ Summary: Samba client libraries Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif Requires: krb5-libs >= %{required_mit_krb5} @@ -332,7 +361,7 @@ Recommends: logrotate Provides: samba4-common = %{samba_depver} Obsoletes: samba4-common < %{samba_depver} -%if ! %{with_dc} +%if %{with dc} || %{with testsuite} Obsoletes: samba-dc < %{samba_depver} Obsoletes: samba-dc-libs < %{samba_depver} Obsoletes: samba-dc-bind-dlz < %{samba_depver} @@ -348,7 +377,7 @@ Summary: Libraries used by both Samba servers and clients Requires(pre): samba-common = %{samba_depver} Requires: samba-common = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -362,7 +391,7 @@ Summary: Tools for Samba servers and clients Requires: samba-common-libs = %{samba_depver} Requires: samba-client-libs = %{samba_depver} Requires: samba-libs = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -371,7 +400,7 @@ The samba-common-tools package contains tools for Samba servers and SMB/CIFS clients. ### DC -%if %{with_dc} +%if %{with dc} || %{with testsuite} %package dc Summary: Samba AD Domain Controller Requires: %{name} = %{samba_depver} 
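Review bot: The condition around the `Obsoletes: samba-dc` lines in `@@ -332,7 +361,7 @@` is inverted by this change: the old guard was `%if ! %{with_dc}`, the new one is `%if %{with dc} || %{with testsuite}`. The configure hunk `@@ -878,23 +916,20 @@` converts the same negated test to `%if %{without dc} && %{without testsuite}`, which is what this block needs: `%if %{without dc} && %{without testsuite}`. As written, a build without the DC would presumably stop obsoleting older `samba-dc`, `samba-dc-libs` and `samba-dc-bind-dlz` packages, leaving them installed and no longer updated after an upgrade. The guarded block continues past the end of the hunk.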
@@ -431,7 +460,7 @@ Requires: bind %description dc-bind-dlz The %{name}-dc-bind-dlz package contains the libraries for bind to manage all name server related details of Samba AD. -#endif with_dc +#endif with dc %endif ### DEVEL @@ -449,7 +478,7 @@ needed to develop programs that link against the SMB, RPC and other libraries in the Samba suite. ### CEPH -%if %{with_vfs_cephfs} +%if %{with vfs_cephfs} %package vfs-cephfs Summary: Samba VFS module for Ceph distributed storage system Requires: %{name} = %{samba_depver} @@ -457,11 +486,11 @@ Requires: %{name}-libs = %{samba_depver} %description vfs-cephfs Samba VFS module for Ceph distributed storage system integration. -#endif with_vfs_cephfs +#endif with vfs_cephfs %endif ### GLUSTER -%if %{with_vfs_glusterfs} +%if %{with vfs_glusterfs} %package vfs-glusterfs Summary: Samba VFS module for GlusterFS Requires: glusterfs-api >= 3.4.0.16 @@ -470,7 +499,7 @@ Requires: %{name} = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -501,7 +530,7 @@ the Kerberos credentials cache of the user issuing the print job. Summary: Samba libraries Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif 
@@ -513,14 +542,14 @@ The %{name}-libs package contains the libraries needed by programs that link against the SMB, RPC and other protocols provided by the Samba suite. ### LIBSMBCLIENT -%if %with_libsmbclient +%if %{with libsmbclient} %package -n libsmbclient Summary: The SMB client library Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -535,11 +564,11 @@ Requires: libsmbclient = %{samba_depver} The libsmbclient-devel package contains the header files and libraries needed to develop programs that link against the SMB client library in the Samba suite. -#endif with_libsmbclient +#endif {with libsmbclient} %endif ### LIBWBCLIENT -%if %with_libwbclient +%if %{with libwbclient} %package -n libwbclient Summary: The winbind client library Requires: %{name}-client-libs = %{samba_depver} @@ -558,7 +587,7 @@ Obsoletes: samba-winbind-devel < %{samba_depver} %description -n libwbclient-devel The libwbclient-devel package provides developer tools for the wbclient library. -#endif with_libwbclient +#endif {with libwbclient} %endif ### PYTHON3 @@ -573,10 +602,10 @@ Requires: python3-tevent Requires: python3-tdb Requires: python3-ldb Requires: python3-dns -%if %with_libsmbclient +%if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -594,7 +623,7 @@ Requires: %{name}-libs = %{samba_depver} The python3-%{name}-test package contains the Python libraries used by the test suite of Samba. If you want to run full set of Samba tests, you need to install this package. -%if %{with_dc} +%if %{with dc} || %{with testsuite} %package -n python3-samba-dc Summary: Samba Python libraries for Samba AD Requires: python3-%{name} = %{samba_depver} 
@@ -631,14 +660,14 @@ Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-test-libs = %{samba_depver} -%if %with_dc +%if %{with dc} || %{with testsuite} Requires: %{name}-dc-libs = %{samba_depver} %endif Requires: %{name}-libs = %{samba_depver} -%if %with_libsmbclient +%if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif Requires: python3-%{name} = %{samba_depver} @@ -657,7 +686,7 @@ Summary: Libraries need by the testing tools for Samba servers and clients Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -698,7 +727,7 @@ Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-winbind = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -712,7 +741,7 @@ tool. ### WINBIND-KRB5-LOCATOR %package winbind-krb5-locator Summary: Samba winbind krb5 locator -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} Requires: %{name}-winbind = %{samba_depver} %else @@ -741,7 +770,7 @@ the local kerberos library to use the same KDC as samba and winbind use Summary: Samba winbind modules Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} -%if %with_libwbclient +%if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif Requires: pam 
@@ -761,7 +790,7 @@ Winexe is a Remote Windows®-command executor %endif ### CTDB -%if %with_clustering_support +%if %{with clustering} %package -n ctdb Summary: A Clustered Database based on Samba's Trivial Database (TDB) @@ -814,7 +843,7 @@ CTDB is a cluster implementation of the TDB database used by Samba and other projects to store temporary data. If an application is already using TDB for temporary data it is very easy to convert that application to be cluster aware and use CTDB instead. -#endif with_clustering_support +#endif with clustering %endif @@ -824,33 +853,42 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %autosetup -n samba-%{version}%{pre_release} -p1 %build +%if %{with includelibs} %global _talloc_lib ,talloc,pytalloc,pytalloc-util %global _tevent_lib ,tevent,pytevent %global _tdb_lib ,tdb,pytdb %global _ldb_lib ,ldb,pyldb,pyldb-util - +%else %global _talloc_lib ,!talloc,!pytalloc,!pytalloc-util %global _tevent_lib ,!tevent,!pytevent %global _tdb_lib ,!tdb,!pytdb %global _ldb_lib ,!ldb,!pyldb,!pyldb-util +#endif with includelibs +%endif %global _samba_libraries !zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib} %global _samba_idmap_modules idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2 %global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4 + +%if %{with testsuite} +%global _samba_auth_modules auth_wbc,auth_unix,auth_server,auth_samba4,auth_skel +%global _samba_vfs_modules vfs_dfs_samba4,vfs_fake_dfq +%else %global _samba_auth_modules auth_wbc,auth_unix,auth_server,auth_samba4 %global _samba_vfs_modules vfs_dfs_samba4 +%endif %global _samba_modules %{_samba_idmap_modules},%{_samba_pdb_modules},%{_samba_auth_modules},%{_samba_vfs_modules} %global _libsmbclient %nil %global _libwbclient %nil -%if ! %with_libsmbclient +%if %{without libsmbclient} %global _libsmbclient smbclient, %endif -%if ! %with_libwbclient +%if %{without libwbclient} %global _libwbclient wbclient, %endif 
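Review bot: The `%if %{with testsuite}` branch in `%build` (`@@ -824,33 +853,42 @@`) adds `auth_skel` and `vfs_fake_dfq` to the built-in module list, but nothing in the spec marks the resulting RPMs as test-only. Later `%files` hunks (`@@ -1335,6 +1395,10 @@`, `@@ -1697,6 +1812,11 @@`, `@@ -1714,6 +1834,11 @@`) package `nfs4acl_xattr.so`, `libntvfs-samba4.so` and `service/smb.so` under the same switch. These look like selftest-only components, so a build with the switch left on would put them into the regular server packages. I would add a comment at this branch such as `# testsuite builds enable selftest-only modules; do not publish the resulting packages`.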
@@ -878,23 +916,20 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" --with-pie \ --with-relro \ --without-fam \ -%if (! %with_libsmbclient) || (! %with_libwbclient) +%if (%{without libsmbclient}) || (%{without libwbclient}) --private-libraries=%{_samba_private_libraries} \ %endif --with-system-mitkrb5 \ --with-experimental-mit-ad-dc \ -%if ! %with_dc +%if %{without dc} && %{without testsuite} --without-ad-dc \ %endif -%if ! %with_vfs_glusterfs +%if %{without vfs_glusterfs} --disable-glusterfs \ %endif -%if %with_clustering_support +%if %{with clustering} --with-cluster-support \ %endif -%if %with_profiling - --with-profiling-data \ -%endif %if %{with testsuite} --enable-selftest \ %endif @@ -906,7 +941,8 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" --systemd-winbind-extra=%{_systemd_extra} \ --systemd-samba-extra=%{_systemd_extra} -%make_build +# Do not use %%make_build, make is just a wrapper around waf in Samba! +%{__make} %{?_smp_mflags} %{_make_verbose} pushd pidl %__perl Makefile.PL PREFIX=%{_prefix} @@ -971,13 +1007,13 @@ install -m 0744 packaging/printing/smbprint %{buildroot}%{_bindir}/smbprint install -d -m 0755 %{buildroot}%{_tmpfilesdir} # Create /run/samba. echo "d /run/samba 755 root root" > %{buildroot}%{_tmpfilesdir}/samba.conf -%if %with_clustering_support +%if %{with clustering} echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf %endif install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba -%if %with_clustering_support +%if %{with clustering} cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb <> selftest/knownfail.d/fedora.%{dist} +done +cat selftest/knownfail.d/fedora.%{dist} + +export TDB_NO_FSYNC=1 +export NMBD_DONT_LOG_STDOUT=1 +export SMBD_DONT_LOG_STDOUT=1 +export WINBINDD_DONT_LOG_STDOUT=1 +make %{?_smp_mflags} test FAIL_IMMEDIATELY=1 #endif with testsuite %endif 
@@ -1145,7 +1205,7 @@ fi %ldconfig_scriptlets common-libs -%if %{with_dc} +%if %{with dc} || %{with testsuite} %ldconfig_scriptlets dc-libs %post dc @@ -1156,7 +1216,7 @@ fi %postun dc %systemd_postun_with_restart samba.service -#endif with_dc +#endif with dc %endif %post krb5-printing @@ -1171,11 +1231,11 @@ fi %ldconfig_scriptlets libs -%if %with_libsmbclient +%if %{with libsmbclient} %ldconfig_scriptlets -n libsmbclient %endif -%if %with_libwbclient +%if %{with libwbclient} %posttrans -n libwbclient # It has to be posttrans here to make sure all files of a previous version # without alternatives support are removed @@ -1222,7 +1282,7 @@ if [ $1 -eq 0 ]; then fi fi -#endif with_libwbclient +#endif {with libwbclient} %endif %ldconfig_scriptlets test @@ -1257,7 +1317,7 @@ fi %ldconfig_scriptlets winbind-modules -%if %with_clustering_support +%if %{with clustering} %post -n ctdb /usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/ctdb.conf %systemd_post ctdb.service @@ -1281,7 +1341,7 @@ fi %{_sbindir}/eventlogadm %{_sbindir}/nmbd %{_sbindir}/smbd -%if %{with_dc} +%if %{with dc} || %{with testsuite} # This is only used by vfs_dfs_samba4 %{_libdir}/samba/libdfs-server-ad-samba4.so %endif @@ -1299,7 +1359,7 @@ fi %{_libdir}/samba/vfs/commit.so %{_libdir}/samba/vfs/crossrename.so %{_libdir}/samba/vfs/default_quota.so -%if %{with_dc} +%if %{with dc} || %{with testsuite} %{_libdir}/samba/vfs/dfs_samba4.so %endif %{_libdir}/samba/vfs/dirsort.so @@ -1311,7 +1371,7 @@ fi %{_libdir}/samba/vfs/full_audit.so %{_libdir}/samba/vfs/gpfs.so %{_libdir}/samba/vfs/glusterfs_fuse.so -%if %{with_vfs_io_uring} +%if %{with vfs_io_uring} %{_libdir}/samba/vfs/io_uring.so %endif %{_libdir}/samba/vfs/linux_xfs_sgid.so @@ -1335,6 +1395,10 @@ fi %{_libdir}/samba/vfs/worm.so %{_libdir}/samba/vfs/xattr_tdb.so +%if %{with testsuite} +%{_libdir}/samba/vfs/nfs4acl_xattr.so +%endif + %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc %{_datadir}/samba/mdssvc/elasticsearch_mappings.json 
@@ -1368,7 +1432,7 @@ fi %{_mandir}/man8/vfs_full_audit.8* %{_mandir}/man8/vfs_gpfs.8* %{_mandir}/man8/vfs_glusterfs_fuse.8* -%if %{with_vfs_io_uring} +%if %{with vfs_io_uring} %{_mandir}/man8/vfs_io_uring.8* %endif %{_mandir}/man8/vfs_linux_xfs_sgid.8* @@ -1448,6 +1512,31 @@ fi %{_mandir}/man8/samba-regedit.8* %{_mandir}/man8/smbspool.8* +%if %{with includelibs} +%{_bindir}/ldbadd +%{_bindir}/ldbdel +%{_bindir}/ldbedit +%{_bindir}/ldbmodify +%{_bindir}/ldbrename +%{_bindir}/ldbsearch +%{_bindir}/tdbbackup +%{_bindir}/tdbdump +%{_bindir}/tdbrestore +%{_bindir}/tdbtool + +%{_mandir}/man1/ldbadd.1.gz +%{_mandir}/man1/ldbdel.1.gz +%{_mandir}/man1/ldbedit.1.gz +%{_mandir}/man1/ldbmodify.1.gz +%{_mandir}/man1/ldbrename.1.gz +%{_mandir}/man1/ldbsearch.1.gz +%{_mandir}/man8/tdbbackup.8.gz +%{_mandir}/man8/tdbdump.8.gz +%{_mandir}/man8/tdbrestore.8.gz +%{_mandir}/man8/tdbtool.8.gz +#endif with includelibs +%endif + ### CLIENT-LIBS %files client-libs %{_libdir}/libdcerpc-binding.so.* @@ -1550,16 +1639,28 @@ fi %{_libdir}/samba/libutil-setid-samba4.so %{_libdir}/samba/libutil-tdb-samba4.so -%if ! %with_libwbclient +%if %{without libwbclient} %{_libdir}/samba/libwbclient.so.* %{_libdir}/samba/libwinbind-client-samba4.so -#endif ! with_libwbclient +#endif without libwbclient %endif -%if ! %with_libsmbclient +%if %{without libsmbclient} %{_libdir}/samba/libsmbclient.so.* %{_mandir}/man7/libsmbclient.7* -#endif ! with_libsmbclient +#endif without libsmbclient +%endif + +%if %{with includelibs} +%{_libdir}/samba/libldb-*.so +%{_libdir}/samba/libldb.so.* +%{_libdir}/samba/libtalloc.so.* +%{_libdir}/samba/libtdb.so.* +%{_libdir}/samba/libtevent.so.* + +%{_mandir}/man3/ldb.3.gz +%{_mandir}/man3/talloc.3.gz +#endif with includelibs %endif ### COMMON @@ -1612,7 +1713,7 @@ fi %{_mandir}/man8/smbpasswd.8* ### DC -%if %{with_dc} +%if %{with dc} || %{with testsuite} %files dc %{_unitdir}/samba.service %{_bindir}/samba-tool 
@@ -1677,6 +1778,20 @@ fi %{_libdir}/samba/ldb/update_keytab.so %{_libdir}/samba/ldb/vlv.so %{_libdir}/samba/ldb/wins_ldb.so + +%if %{with includelibs} +%{_libdir}/samba/ldb/asq.so +%{_libdir}/samba/ldb/ldb.so +%{_libdir}/samba/ldb/mdb.so +%{_libdir}/samba/ldb/paged_searches.so +%{_libdir}/samba/ldb/rdn_name.so +%{_libdir}/samba/ldb/sample.so +%{_libdir}/samba/ldb/server_sort.so +%{_libdir}/samba/ldb/skel.so +%{_libdir}/samba/ldb/tdb.so +#endif with includelibs +%endif + %{_libdir}/samba/vfs/posix_eadb.so %dir /var/lib/samba/sysvol %{_mandir}/man8/samba.8* @@ -1697,6 +1812,11 @@ fi %{_libdir}/samba/libdb-glue-samba4.so %{_libdir}/samba/libprocess-model-samba4.so %{_libdir}/samba/libservice-samba4.so + +%if %{with testsuite} +%{_libdir}/samba/libntvfs-samba4.so +%endif + %dir %{_libdir}/samba/process_model %{_libdir}/samba/process_model/prefork.so %{_libdir}/samba/process_model/standard.so @@ -1714,6 +1834,11 @@ fi %{_libdir}/samba/service/s3fs.so %{_libdir}/samba/service/winbindd.so %{_libdir}/samba/service/wrepl.so + +%if %{with testsuite} +%{_libdir}/samba/service/smb.so +%endif + %{_libdir}/libdcerpc-server.so.* %{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libdsdb-module-samba4.so @@ -1729,7 +1854,7 @@ fi %{_libdir}/samba/bind9/dlz_bind9_10.so %{_libdir}/samba/bind9/dlz_bind9_11.so %{_libdir}/samba/bind9/dlz_bind9_12.so -#endif with_dc +#endif with dc %endif ### DEVEL 
@@ -1846,24 +1971,24 @@ fi %{_libdir}/libsamba-passdb.so %{_libdir}/libsmbldap.so -%if %with_dc +%if %{with dc} || %{with testsuite} %{_includedir}/samba-4.0/dcerpc_server.h %{_libdir}/libdcerpc-server.so %{_libdir}/pkgconfig/dcerpc_server.pc %endif -%if ! %with_libsmbclient +%if %{without libsmbclient} %{_includedir}/samba-4.0/libsmbclient.h -#endif ! with_libsmbclient +#endif without libsmbclient %endif -%if ! %with_libwbclient +%if %{without libwbclient} %{_includedir}/samba-4.0/wbclient.h -#endif ! with_libwbclient +#endif without libwbclient %endif ### VFS-CEPHFS -%if %{with_vfs_cephfs} +%if %{with vfs_cephfs} %files vfs-cephfs %{_libdir}/samba/vfs/ceph.so %{_libdir}/samba/vfs/ceph_snapshots.so @@ -1872,7 +1997,7 @@ fi %endif ### VFS-GLUSTERFS -%if %{with_vfs_glusterfs} +%if %{with vfs_glusterfs} %files vfs-glusterfs %{_libdir}/samba/vfs/glusterfs.so %{_mandir}/man8/vfs_glusterfs.8* @@ -1897,7 +2022,7 @@ fi %{_libdir}/samba/libxattr-tdb-samba4.so ### LIBSMBCLIENT -%if %with_libsmbclient +%if %{with libsmbclient} %files -n libsmbclient %{_libdir}/libsmbclient.so.* @@ -1907,11 +2032,11 @@ fi %{_libdir}/libsmbclient.so %{_libdir}/pkgconfig/smbclient.pc %{_mandir}/man7/libsmbclient.7* -#endif with_libsmbclient +#endif {with libsmbclient} %endif ### LIBWBCLIENT -%if %with_libwbclient +%if %{with libwbclient} %files -n libwbclient %{_libdir}/samba/wbclient/libwbclient.so.* %{_libdir}/samba/libwinbind-client-samba4.so @@ -1921,7 +2046,7 @@ fi %{_includedir}/samba-4.0/wbclient.h %{_libdir}/samba/wbclient/libwbclient.so %{_libdir}/pkgconfig/wbclient.pc -#endif with_libwbclient +#endif {with libwbclient} %endif ### PIDL 
@@ -1982,6 +2107,7 @@ fi %{python3_sitearch}/samba/__pycache__/compat.*.pyc %{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc %{python3_sitearch}/samba/__pycache__/descriptor.*.pyc +%{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc @@ -2059,6 +2185,7 @@ fi %{python3_sitearch}/samba/dcerpc/wkssvc.*.so %{python3_sitearch}/samba/dcerpc/xattr.*.so %{python3_sitearch}/samba/descriptor.py +%{python3_sitearch}/samba/dnsresolver.py %{python3_sitearch}/samba/drs_utils.py %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py @@ -2211,7 +2338,22 @@ fi %{_libdir}/samba/libsamba-net.*-samba4.so %{_libdir}/samba/libsamba-python.*-samba4.so -%if %{with_dc} +%if %{with testsuite} +%{_libdir}/samba/libpyldb-util.*.so.* + +%{python3_sitearch}/__pycache__/_ldb_text*.pyc +%{python3_sitearch}/__pycache__/_tdb_text*.pyc +%{python3_sitearch}/__pycache__/tevent*.pyc +%{python3_sitearch}/_ldb_text.py +%{python3_sitearch}/_tdb_text.py +%{python3_sitearch}/_tevent.cpython*.so +%{python3_sitearch}/ldb.cpython*.so +%{python3_sitearch}/tdb.cpython*.so +%{python3_sitearch}/tevent.py +#endif with testsuite +%endif + +%if %{with dc} || %{with testsuite} %files -n python3-%{name}-dc %{python3_sitearch}/samba/samdb.py %{python3_sitearch}/samba/schema.py @@ -2678,7 +2820,7 @@ fi ### TEST-LIBS %files test-libs -%if %with_dc +%if %{with dc} || %{with testsuite} %{_libdir}/samba/libdlz-bind9-for-torture-samba4.so %else %{_libdir}/samba/libdsdb-module-samba4.so @@ -2722,7 +2864,7 @@ fi %{_mandir}/man5/pam_winbind.conf.5* %{_mandir}/man8/pam_winbind.8* -%if %with_clustering_support +%if %{with clustering} %files -n ctdb %doc ctdb/README %doc ctdb/doc/examples 
@@ -3608,7 +3750,7 @@ fi %dir %{_datadir}/ctdb/tests/UNIT/tool/scripts %{_datadir}/ctdb/tests/UNIT/tool/scripts/local.sh -#endif with_clustering_support +#endif with clustering %endif %if %{with winexe} @@ -3619,6 +3761,20 @@ fi %endif %changelog +* Mon Oct 26 2020 Andreas Schneider - 4.13.0-14 +- Fixed dbcheck running in a release tarball +- Updated internal resolv_wrapper copy to verison 1.1.7 + +* Sun Oct 25 2020 Alexander Bokovoy - 4.13.0-13 +- Report 'samba' daemon status back to systemd +- Support dnspython 2.0.0 or later in samba_dnsupdate + +* Thu Oct 22 2020 Alexander Bokovoy - 4.13.0-12 +- Add preliminary support for S4U operations in Samba AD DC + resolves: #1836630 - Samba DC: Remote Desktop cannot access files +- Fix lookup_unix_user_name to allow lookup of realm-qualified users and groups + required for upcoming FreeIPA Global Catalog support + * Tue Sep 22 2020 Guenther Deschner - 4.13.0-11 - Update to Samba 4.13.0