Update to version 4.21.3

- related: RHEL-59777

.gitignore

@@ -369,3 +369,5 @@ samba-3.6.0pre1.tar.gz
 /samba-4.21.1.tar.xz
 /samba-4.21.2.tar.asc
 /samba-4.21.2.tar.xz
+/samba-4.21.3.tar.asc
+/samba-4.21.3.tar.xz

redhat-4.21.patch

@@ -1,7 +1,7 @@
 From 2d9ab68f501f5796bdf4662a058a2adff30d497e Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 22 Jul 2024 12:26:55 +0200
-Subject: [PATCH] s3:notifyd: Use a watcher per db record
+Subject: [PATCH 1/2] s3:notifyd: Use a watcher per db record
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -509,5 +509,157 @@ index 36c08f47c54..db8e6e1c005 100644
  
  #endif
 -- 
-2.46.1
+2.47.1
+
+
+From 7da7ec8baccf75e801ac65e2177d67f1618681e0 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Thu, 5 Dec 2024 16:35:51 +1300
+Subject: [PATCH 2/2] util: add a crypt wrapper, derived from
+ dsdb:password_hash
+
+This is going to be used by the dsdb password_hash module, and exposed
+to Python via pyglue.
+
+We're doing this because Python 3.13 has dropped crypt from the Python
+standard library.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15756
+
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 93bc860e8f344a96d0496edbc5d463f2c5411fcd)
+---
+ lib/util/util_crypt.c  | 90 ++++++++++++++++++++++++++++++++++++++++++
+ lib/util/util_crypt.h  |  5 +++
+ lib/util/wscript_build |  6 +++
+ 3 files changed, 101 insertions(+)
+ create mode 100644 lib/util/util_crypt.c
+ create mode 100644 lib/util/util_crypt.h
+
+diff --git a/lib/util/util_crypt.c b/lib/util/util_crypt.c
+new file mode 100644
+index 00000000000..0f7b2d0fd31
+--- /dev/null
++++ b/lib/util/util_crypt.c
+@@ -0,0 +1,90 @@
++#include <replace.h>
++#include "data_blob.h"
++#include <talloc.h>
++#include <crypt.h>
++#include "util_crypt.h"
++
++
++static int crypt_as_best_we_can(const char *phrase,
++				const char *setting,
++				const char **hashp)
++{
++	int ret = 0;
++	const char *hash = NULL;
++
++#if defined(HAVE_CRYPT_R) || defined(HAVE_CRYPT_RN)
++	struct crypt_data crypt_data = {
++		.initialized = 0        /* working storage used by crypt */
++	};
++#endif
++
++	/*
++	 * crypt_r() and crypt() may return a null pointer upon error
++	 * depending on how libcrypt was configured, so we prefer
++	 * crypt_rn() from libcrypt / libxcrypt which always returns
++	 * NULL on error.
++	 *
++	 * POSIX specifies returning a null pointer and setting
++	 * errno.
++	 *
++	 * RHEL 7 (which does not use libcrypt / libxcrypt) returns a
++	 * non-NULL pointer from crypt_r() on success but (always?)
++	 * sets errno during internal processing in the NSS crypto
++	 * subsystem.
++	 *
++	 * By preferring crypt_rn we avoid the 'return non-NULL but
++	 * set-errno' that we otherwise cannot tell apart from the
++	 * RHEL 7 behaviour.
++	 */
++	errno = 0;
++
++#ifdef HAVE_CRYPT_RN
++	hash = crypt_rn(phrase, setting,
++			&crypt_data,
++			sizeof(crypt_data));
++#elif HAVE_CRYPT_R
++	hash = crypt_r(phrase, setting, &crypt_data);
++#else
++	/*
++	 * No crypt_r falling back to crypt, which is NOT thread safe
++	 * Thread safety MT-Unsafe race:crypt
++	 */
++	hash = crypt(phrase, setting);
++#endif
++	/*
++	* On error, crypt() and crypt_r() may return a null pointer,
++	* or a pointer to an invalid hash beginning with a '*'.
++	*/
++	ret = errno;
++	errno = 0;
++	if (hash == NULL || hash[0] == '*') {
++		if (ret == 0) {
++			/* this is annoying */
++			ret = ENOTRECOVERABLE;
++		}
++	}
++
++	*hashp = hash;
++	return ret;
++}
++
++
++int talloc_crypt_blob(TALLOC_CTX *mem_ctx,
++		      const char *phrase,
++		      const char *setting,
++		      DATA_BLOB *blob)
++{
++	const char *hash = NULL;
++	int ret = crypt_as_best_we_can(phrase, setting, &hash);
++	if (ret != 0) {
++		blob->data = NULL;
++		blob->length = 0;
++		return ret;
++	}
++	blob->length = strlen(hash);
++	blob->data = talloc_memdup(mem_ctx, hash, blob->length);
++	if (blob->data == NULL) {
++		return ENOMEM;
++	}
++	return 0;
++}
+diff --git a/lib/util/util_crypt.h b/lib/util/util_crypt.h
+new file mode 100644
+index 00000000000..8c289e489e8
+--- /dev/null
++++ b/lib/util/util_crypt.h
+@@ -0,0 +1,5 @@
++
++int talloc_crypt_blob(TALLOC_CTX *mem_ctx,
++		      const char *phrase,
++		      const char *cmd,
++		      DATA_BLOB *blob);
+diff --git a/lib/util/wscript_build b/lib/util/wscript_build
+index b4fcfeaba07..7de9c0b7b17 100644
+--- a/lib/util/wscript_build
++++ b/lib/util/wscript_build
+@@ -253,6 +253,12 @@ else:
+                       private_library=True,
+                       local_include=False)
+ 
++    bld.SAMBA_LIBRARY('util_crypt',
++                      source='util_crypt.c',
++                      deps='talloc crypt',
++                      private_library=True,
++                      local_include=False)
++
+ 
+     bld.SAMBA_SUBSYSTEM('UNIX_PRIVS',
+                         source='unix_privs.c',
+-- 
+2.47.1
 

sources

@@ -1,2 +1,2 @@
-SHA512 (samba-4.21.2.tar.asc) = f3da123d2e86a7e07c4fcb83924edd29195d865091d80125f3531c463662a8a38ba6d8c467932af8cd065d0cc4467131c83a4e3783573b757f6ed9c2bde0befc
+SHA512 (samba-4.21.3.tar.asc) = 11e40d32b783b7d57d3f35fe96a17e897719f65d796d965b371dfb58b8cf1f8ffe60c3047bea8c2b2b0d475fa55cd25237b9ba84d44b3d65a8cd53c6af760957
-SHA512 (samba-4.21.2.tar.xz) = c26311a60d3994561aa12c36e54bc37d1161ec1063aa9876ea03dee24984e9c827e5836dc86bc392e37193010275a642b960e775b5a9e029246ba56ae1697682
+SHA512 (samba-4.21.3.tar.xz) = 62eb3bfe1aa1cc8aa68055d4caf21bdea6d6f5b0f767566bef1da210100b5dd17b7d60f5c47da01b0123d3a2c1c3689b1960ef2c2cbd4f804ff998ead994fc3f