Merge branch 'c8' into a8

2023-11-23 10:33:34 +03:00 · 2023-11-23 10:33:34 +03:00 · 791775af87
parent bb27d63e76 9fb77a900a
commit 791775af87
14 changed files with 171 additions and 915 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/samba-4.17.5.tar.xz
+SOURCES/samba-4.18.6.tar.xz
 SOURCES/samba-pubkey_AA99442FB680B620.gpg
--- a/.samba.metadata
+++ b/.samba.metadata
@ -1,2 +1,2 @@
-68926a886d20bbd5b4d768d9788d4b5a5ca399e5 SOURCES/samba-4.17.5.tar.xz
+12b41f2a849cb6c40e9f5b174bb1cd823a060bd7 SOURCES/samba-4.18.6.tar.xz
 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg
--- a/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch
+++ b/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch
@ -1,38 +0,0 @@
-From 5f87888ed53320538cf773d64868390d8641a40e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jul 2023 17:20:32 +0200
-Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities
- response level 2
-
-We don't have any documentation about this yet, but tests against
-a Windows Server 2022 patched with KB5028166 revealed that
-the response for query_level=2 is exactly the same as
-for querey_level=1.
-
-Until we know the reason for query_level=2 we won't
-use it as client nor support it in the server, but
-we want ndrdump to work.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
- librpc/idl/netlogon.idl | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
-index 48a8c8f9310..85dd73ee7e4 100644
--- a/librpc/idl/netlogon.idl
-+++ b/librpc/idl/netlogon.idl
-@@ -1236,6 +1236,7 @@ interface netlogon
- 	/* Function 0x15 */
- 	typedef [switch_type(uint32)] union {
- 		[case(1)] netr_NegotiateFlags server_capabilities;
-+		[case(2)] netr_NegotiateFlags server_capabilities;
- 	} netr_Capabilities;
- 
- 	NTSTATUS netr_LogonGetCapabilities(
-- 
-2.39.3
-
--- a/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch
+++ b/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch
@ -1,128 +0,0 @@
-From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jul 2023 17:25:05 +0200
-Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check
- netr_LogonGetCapabilities with different levels
-
-The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
-for unsupported query_levels, we allow it to work with servers
-with or without support for query_level=2.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
- .../knownfail.d/netr_LogonGetCapabilities     |  3 +
- source4/torture/rpc/netlogon.c                | 77 ++++++++++++++++++-
- 2 files changed, 79 insertions(+), 1 deletion(-)
- create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
-
-diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
-new file mode 100644
-index 00000000000..30aadf3bb9d
--- /dev/null
-+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
-@@ -0,0 +1,3 @@
-+^samba3.rpc.schannel.*\.schannel\(nt4_dc
-+^samba3.rpc.schannel.*\.schannel\(ad_dc
-+^samba4.rpc.schannel.*\.schannel\(ad_dc
-diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
-index 1f068eb7826..a3d190f13dd 100644
--- a/source4/torture/rpc/netlogon.c
-+++ b/source4/torture/rpc/netlogon.c
-@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
- 	r.out.capabilities = &capabilities;
- 	r.out.return_authenticator = &return_auth;
- 
-	torture_comment(tctx, "Testing LogonGetCapabilities\n");
-+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
- 
-+	r.in.query_level = 0;
-+	ZERO_STRUCT(return_auth);
-+
-+	/*
-+	 * we need to operate on a temporary copy of creds
-+	 * because dcerpc_netr_LogonGetCapabilities with
-+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
-+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
-+	 * without looking a the authenticator.
-+	 */
-+	tmp_creds = *creds;
-+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
-+
-+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
-+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
-+				      "LogonGetCapabilities query_level=0 failed");
-+
-+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
-+
-+	r.in.query_level = 3;
-+	ZERO_STRUCT(return_auth);
-+
-+	/*
-+	 * we need to operate on a temporary copy of creds
-+	 * because dcerpc_netr_LogonGetCapabilities with
-+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
-+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
-+	 * without looking a the authenticator.
-+	 */
-+	tmp_creds = *creds;
-+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
-+
-+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
-+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
-+				      "LogonGetCapabilities query_level=0 failed");
-+
-+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
-+
-+	r.in.query_level = 1;
- 	ZERO_STRUCT(return_auth);
- 
- 	/*
-@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
- 
- 	*creds = tmp_creds;
- 
-+	torture_assert(tctx, netlogon_creds_client_check(creds,
-+							 &r.out.return_authenticator->cred),
-+		       "Credential chaining failed");
-+
-+	torture_assert_int_equal(tctx, creds->negotiate_flags,
-+				 capabilities.server_capabilities,
-+				 "negotiate flags");
-+
-+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
-+
-+	r.in.query_level = 2;
-+	ZERO_STRUCT(return_auth);
-+
-+	/*
-+	 * we need to operate on a temporary copy of creds
-+	 * because dcerpc_netr_LogonGetCapabilities with
-+	 * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
-+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
-+	 * without looking a the authenticator.
-+	 */
-+	tmp_creds = *creds;
-+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
-+
-+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
-+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
-+		/*
-+		 * an server without KB5028166 returns
-+		 * DCERPC_NCA_S_FAULT_INVALID_TAG =>
-+		 * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
-+		 */
-+		return true;
-+	}
-+	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
-+
-+	*creds = tmp_creds;
-+
- 	torture_assert(tctx, netlogon_creds_client_check(creds,
- 							 &r.out.return_authenticator->cred),
- 		       "Credential chaining failed");
-- 
-2.39.3
-
--- a/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
+++ b/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
@ -1,89 +0,0 @@
-From d5f1097b6220676d56ed5fc6707acf667b704518 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jul 2023 16:11:48 +0200
-Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
- invalid netr_LogonGetCapabilities levels
-
-This is important as Windows clients with KB5028166 seem to
-call netr_LogonGetCapabilities with query_level=2 after
-a call with query_level=1.
-
-An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
-for query_level values other than 1.
-While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
-later fails to marshall the response, which results
-in DCERPC_FAULT_BAD_STUB_DATA instead.
-
-Because we don't have any documentation for level 2 yet,
-we just try to behave like an unpatched server and
-generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
-DCERPC_FAULT_BAD_STUB_DATA.
-Which allows patched Windows clients to keep working
-against a Samba DC.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
- .../knownfail.d/netr_LogonGetCapabilities     |  2 --
- source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
- 2 files changed, 24 insertions(+), 6 deletions(-)
-
-diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
-index 30aadf3bb9d..99c7ac711ed 100644
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
-+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
-@@ -1,3 +1 @@
- ^samba3.rpc.schannel.*\.schannel\(nt4_dc
-^samba3.rpc.schannel.*\.schannel\(ad_dc
-^samba4.rpc.schannel.*\.schannel\(ad_dc
-diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-index 6ccba65d3bf..dc2167f08b2 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
-+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
- 	struct netlogon_creds_CredentialState *creds;
- 	NTSTATUS status;
- 
-+	switch (r->in.query_level) {
-+	case 1:
-+		break;
-+	case 2:
-+		/*
-+		 * Until we know the details behind KB5028166
-+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
-+		 * like an unpatched Windows Server.
-+		 */
-+		FALL_THROUGH;
-+	default:
-+		/*
-+		 * There would not be a way to marshall the
-+		 * the response. Which would mean our final
-+		 * ndr_push would fail an we would return
-+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
-+		 *
-+		 * But it's important to match a Windows server
-+		 * especially before KB5028166, see also our bug #15418
-+		 * Otherwise Windows client would stop talking to us.
-+		 */
-+		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
-+	}
-+
- 	status = dcesrv_netr_creds_server_step_check(dce_call,
- 						     mem_ctx,
- 						     r->in.computer_name,
-@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
- 	}
- 	NT_STATUS_NOT_OK_RETURN(status);
- 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
- 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
- 
- 	return NT_STATUS_OK;
-- 
-2.39.3
-
--- a/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
+++ b/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
@ -1,93 +0,0 @@
-From dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jul 2023 16:11:48 +0200
-Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
- invalid netr_LogonGetCapabilities levels
-
-This is important as Windows clients with KB5028166 seem to
-call netr_LogonGetCapabilities with query_level=2 after
-a call with query_level=1.
-
-An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
-for query_level values other than 1.
-While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
-later fails to marshall the response, which results
-in DCERPC_FAULT_BAD_STUB_DATA instead.
-
-Because we don't have any documentation for level 2 yet,
-we just try to behave like an unpatched server and
-generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
-DCERPC_FAULT_BAD_STUB_DATA.
-Which allows patched Windows clients to keep working
-against a Samba DC.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
---
- .../knownfail.d/netr_LogonGetCapabilities     |  1 -
- source3/rpc_server/netlogon/srv_netlog_nt.c   | 29 ++++++++++++++++---
- 2 files changed, 25 insertions(+), 5 deletions(-)
- delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
-
-diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
-deleted file mode 100644
-index 99c7ac711ed..00000000000
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
-+++ /dev/null
-@@ -1 +0,0 @@
-^samba3.rpc.schannel.*\.schannel\(nt4_dc
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index 3ba58e61206..e8aa14167fc 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
- 	struct netlogon_creds_CredentialState *creds;
- 	NTSTATUS status;
- 
-+	switch (r->in.query_level) {
-+	case 1:
-+		break;
-+	case 2:
-+		/*
-+		 * Until we know the details behind KB5028166
-+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
-+		 * like an unpatched Windows Server.
-+		 */
-+		FALL_THROUGH;
-+	default:
-+		/*
-+		 * There would not be a way to marshall the
-+		 * the response. Which would mean our final
-+		 * ndr_push would fail an we would return
-+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
-+		 *
-+		 * But it's important to match a Windows server
-+		 * especially before KB5028166, see also our bug #15418
-+		 * Otherwise Windows client would stop talking to us.
-+		 */
-+		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
-+		return NT_STATUS_NOT_SUPPORTED;
-+	}
-+
- 	become_root();
- 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
- 						p->mem_ctx,
-@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
- 		return status;
- 	}
- 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
- 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
- 
- 	return NT_STATUS_OK;
-- 
-2.39.3
-
--- a/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch
+++ b/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch
@ -1,137 +0,0 @@
-From a9a2b182df738fd283f820e162d189d20010ad63 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 12:46:31 +0200
-Subject: [PATCH 1/5] CVE-2023-3347: CI: add a test for server-side mandatory
- signing
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
- .../samba3.smb2.session-require-signing       |  1 +
- selftest/target/Samba3.pm                     |  1 +
- source3/selftest/tests.py                     |  2 +
- source4/torture/smb2/session.c                | 64 +++++++++++++++++++
- source4/torture/smb2/smb2.c                   |  1 +
- 5 files changed, 69 insertions(+)
- create mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
-
-diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
-new file mode 100644
-index 00000000000..53b7a7022a8
--- /dev/null
-+++ b/selftest/knownfail.d/samba3.smb2.session-require-signing
-@@ -0,0 +1 @@
-+^samba3.smb2.session-require-signing.bug15397
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index d9e17473615..b4c3c130e9a 100755
--- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid
- 	# values required for tests to succeed
- 	create krb5 conf = no
-         map to guest = bad user
-+	server signing = required
- ";
- 
- 	my $ret = $self->provision(
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index b069630605a..d2b5409d0a9 100755
--- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -1097,6 +1097,8 @@ for t in tests:
-         # Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf,
-         # ad_member_idmap_rid sets "create krb5.conf = no"
-         plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
-+    elif t == "smb2.session-require-signing":
-+        plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD')
-     elif t == "rpc.lsa":
-         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
-         plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
-diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
-index 51df51542d4..823304f190f 100644
--- a/source4/torture/smb2/session.c
-+++ b/source4/torture/smb2/session.c
-@@ -5498,3 +5498,67 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
- 
- 	return suite;
- }
-+
-+static bool test_session_require_sign_bug15397(struct torture_context *tctx,
-+					       struct smb2_tree *_tree)
-+{
-+	const char *host = torture_setting_string(tctx, "host", NULL);
-+	const char *share = torture_setting_string(tctx, "share", NULL);
-+	struct cli_credentials *_creds = samba_cmdline_get_creds();
-+	struct cli_credentials *creds = NULL;
-+	struct smbcli_options options;
-+	struct smb2_tree *tree = NULL;
-+	uint8_t security_mode;
-+	NTSTATUS status;
-+	bool ok = true;
-+
-+	/*
-+	 * Setup our own connection so we can control the signing flags
-+	 */
-+
-+	creds = cli_credentials_shallow_copy(tctx, _creds);
-+	torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
-+
-+	options = _tree->session->transport->options;
-+	options.client_guid = GUID_random();
-+	options.signing = SMB_SIGNING_IF_REQUIRED;
-+
-+	status = smb2_connect(tctx,
-+			      host,
-+			      lpcfg_smb_ports(tctx->lp_ctx),
-+			      share,
-+			      lpcfg_resolve_context(tctx->lp_ctx),
-+			      creds,
-+			      &tree,
-+			      tctx->ev,
-+			      &options,
-+			      lpcfg_socket_options(tctx->lp_ctx),
-+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
-+	torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
-+					"smb2_connect failed");
-+
-+	security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
-+
-+	torture_assert_int_equal_goto(
-+		tctx,
-+		security_mode,
-+		SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
-+		ok,
-+		done,
-+		"Signing not required");
-+
-+done:
-+	return ok;
-+}
-+
-+struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
-+{
-+	struct torture_suite *suite =
-+	    torture_suite_create(ctx, "session-require-signing");
-+
-+	torture_suite_add_1smb2_test(suite, "bug15397",
-+				     test_session_require_sign_bug15397);
-+
-+	suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
-+	return suite;
-+}
-diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c
-index c595b108ce8..5b6477e47bc 100644
--- a/source4/torture/smb2/smb2.c
-+++ b/source4/torture/smb2/smb2.c
-@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx)
- 	torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite));
- 	torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock);
- 	torture_suite_add_suite(suite, torture_smb2_session_init(suite));
-+	torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite));
- 	torture_suite_add_suite(suite, torture_smb2_replay_init(suite));
- 	torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode);
- 	torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode);
-- 
-2.39.3
-
--- a/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch
+++ b/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch
@ -1,131 +0,0 @@
-From 1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Wed, 21 Jun 2023 15:06:12 +0200
-Subject: [PATCH 2/5] CVE-2023-3347: smbd: pass lp_ctx to
- smb[1|2]_srv_init_signing()
-
-No change in behaviour.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
- source3/smbd/proto.h        |  3 ++-
- source3/smbd/smb1_signing.c | 10 ++--------
- source3/smbd/smb1_signing.h |  3 ++-
- source3/smbd/smb2_signing.c | 25 +++++++++++++++----------
- 4 files changed, 21 insertions(+), 20 deletions(-)
-
-diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
-index a39f0a2edfa..3884617e77b 100644
--- a/source3/smbd/proto.h
-+++ b/source3/smbd/proto.h
-@@ -52,7 +52,8 @@ struct dcesrv_context;
- 
- /* The following definitions come from smbd/smb2_signing.c */
- 
-bool smb2_srv_init_signing(struct smbXsrv_connection *conn);
-+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
-+			   struct smbXsrv_connection *conn);
- bool srv_init_signing(struct smbXsrv_connection *conn);
- 
- /* The following definitions come from smbd/aio.c  */
-diff --git a/source3/smbd/smb1_signing.c b/source3/smbd/smb1_signing.c
-index 6bcb0629c4f..aa3027d5318 100644
--- a/source3/smbd/smb1_signing.c
-+++ b/source3/smbd/smb1_signing.c
-@@ -170,18 +170,13 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr)
-  Called by server negprot when signing has been negotiated.
- ************************************************************/
- 
-bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
-+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
-+			   struct smbXsrv_connection *conn)
- {
- 	bool allowed = true;
- 	bool desired;
- 	bool mandatory = false;
- 
-	struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
-	if (lp_ctx == NULL) {
-		DEBUG(10, ("loadparm_init_s3 failed\n"));
-		return false;
-	}
-
- 	/*
- 	 * if the client and server allow signing,
- 	 * we desire to use it.
-@@ -195,7 +190,6 @@ bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
- 	 */
- 
- 	desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
-	talloc_unlink(conn, lp_ctx);
- 
- 	if (lp_async_smb_echo_handler()) {
- 		struct smbd_shm_signing *s;
-diff --git a/source3/smbd/smb1_signing.h b/source3/smbd/smb1_signing.h
-index 56c59c5bbc2..26f60420dfa 100644
--- a/source3/smbd/smb1_signing.h
-+++ b/source3/smbd/smb1_signing.h
-@@ -33,4 +33,5 @@ bool smb1_srv_is_signing_negotiated(struct smbXsrv_connection *conn);
- void smb1_srv_set_signing(struct smbXsrv_connection *conn,
- 		     const DATA_BLOB user_session_key,
- 		     const DATA_BLOB response);
-bool smb1_srv_init_signing(struct smbXsrv_connection *conn);
-+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
-+			   struct smbXsrv_connection *conn);
-diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
-index 4691ef4d613..c1f876f9cd7 100644
--- a/source3/smbd/smb2_signing.c
-+++ b/source3/smbd/smb2_signing.c
-@@ -26,32 +26,37 @@
- #include "lib/param/param.h"
- #include "smb2_signing.h"
- 
-bool smb2_srv_init_signing(struct smbXsrv_connection *conn)
-+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
-+			   struct smbXsrv_connection *conn)
- {
-	struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
-	if (lp_ctx == NULL) {
-		DBG_DEBUG("loadparm_init_s3 failed\n");
-		return false;
-	}
-
- 	/*
- 	 * For SMB2 all we need to know is if signing is mandatory.
- 	 * It is always allowed and desired, whatever the smb.conf says.
- 	 */
- 	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-	talloc_unlink(conn, lp_ctx);
- 	return true;
- }
- 
- bool srv_init_signing(struct smbXsrv_connection *conn)
- {
-+	struct loadparm_context *lp_ctx = NULL;
-+	bool ok;
-+
-+	lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
-+	if (lp_ctx == NULL) {
-+		DBG_DEBUG("loadparm_init_s3 failed\n");
-+		return false;
-+	}
-+
- #if defined(WITH_SMB1SERVER)
- 	if (conn->protocol >= PROTOCOL_SMB2_02) {
- #endif
-		return smb2_srv_init_signing(conn);
-+		ok = smb2_srv_init_signing(lp_ctx, conn);
- #if defined(WITH_SMB1SERVER)
- 	} else {
-		return smb1_srv_init_signing(conn);
-+		ok = smb1_srv_init_signing(lp_ctx, conn);
- 	}
- #endif
-+	talloc_unlink(conn, lp_ctx);
-+	return ok;
- }
-- 
-2.39.3
-
--- a/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch
+++ b/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch
@ -1,73 +0,0 @@
-From 59131d6c345864dcf1ed3331c52ce35ddc5db2dc Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Wed, 21 Jun 2023 15:10:58 +0200
-Subject: [PATCH 3/5] CVE-2023-3347: smbd: inline smb2_srv_init_signing() code
- in srv_init_signing()
-
-It's now a one-line function, imho the overall code is simpler if that code is
-just inlined.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
- source3/smbd/proto.h        |  2 --
- source3/smbd/smb2_signing.c | 19 ++++++-------------
- 2 files changed, 6 insertions(+), 15 deletions(-)
-
-diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
-index 3884617e77b..78e1b48be09 100644
--- a/source3/smbd/proto.h
-+++ b/source3/smbd/proto.h
-@@ -52,8 +52,6 @@ struct dcesrv_context;
- 
- /* The following definitions come from smbd/smb2_signing.c */
- 
-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
-			   struct smbXsrv_connection *conn);
- bool srv_init_signing(struct smbXsrv_connection *conn);
- 
- /* The following definitions come from smbd/aio.c  */
-diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
-index c1f876f9cd7..ef4a54d5710 100644
--- a/source3/smbd/smb2_signing.c
-+++ b/source3/smbd/smb2_signing.c
-@@ -26,21 +26,10 @@
- #include "lib/param/param.h"
- #include "smb2_signing.h"
- 
-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
-			   struct smbXsrv_connection *conn)
-{
-	/*
-	 * For SMB2 all we need to know is if signing is mandatory.
-	 * It is always allowed and desired, whatever the smb.conf says.
-	 */
-	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-	return true;
-}
-
- bool srv_init_signing(struct smbXsrv_connection *conn)
- {
- 	struct loadparm_context *lp_ctx = NULL;
-	bool ok;
-+	bool ok = true;
- 
- 	lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
- 	if (lp_ctx == NULL) {
-@@ -51,7 +40,11 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
- #if defined(WITH_SMB1SERVER)
- 	if (conn->protocol >= PROTOCOL_SMB2_02) {
- #endif
-		ok = smb2_srv_init_signing(lp_ctx, conn);
-+		/*
-+		 * For SMB2 all we need to know is if signing is mandatory.
-+		 * It is always allowed and desired, whatever the smb.conf says.
-+		 */
-+		(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
- #if defined(WITH_SMB1SERVER)
- 	} else {
- 		ok = smb1_srv_init_signing(lp_ctx, conn);
-- 
-2.39.3
-
--- a/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch
+++ b/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch
@ -1,36 +0,0 @@
-From 5a222ac37183ba5dd717d81c7e57f78e59695a67 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 18:13:23 +0200
-Subject: [PATCH 4/5] CVE-2023-3347: smbd: remove comment in
- smbd_smb2_request_process_negprot()
-
-This is just going to bitrot. Anyone who's interested can just grep for
-"signing_mandatory" and look up what it does.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
- source3/smbd/smb2_negprot.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
-index 9d4ce160e5c..885769be24d 100644
--- a/source3/smbd/smb2_negprot.c
-+++ b/source3/smbd/smb2_negprot.c
-@@ -368,12 +368,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
- 	}
- 
- 	security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
-	/*
-	 * We use xconn->smb2.signing_mandatory set up via
-	 * srv_init_signing() -> smb2_srv_init_signing().
-	 * This calls lpcfg_server_signing_allowed() to get the correct
-	 * defaults, e.g. signing_required for an ad_dc.
-	 */
- 	if (xconn->smb2.signing_mandatory) {
- 		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
- 	}
-- 
-2.39.3
-
--- a/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch
+++ b/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch
@ -1,63 +0,0 @@
-From 9bab902fc50f88869b253c4089d83b3e33a1075a Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 15:33:02 +0200
-Subject: [PATCH 5/5] CVE-2023-3347: smbd: fix "server signing = mandatory"
-
-This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
-calling srv_init_signing() very early after accepting the connection in
-smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-
-Autobuild-User(master): Jule Anger <janger@samba.org>
-Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224
---
- .../samba3.smb2.session-require-signing       |  1 -
- source3/smbd/smb2_signing.c                   | 19 ++++++++-----------
- 2 files changed, 8 insertions(+), 12 deletions(-)
- delete mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
-
-diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
-deleted file mode 100644
-index 53b7a7022a8..00000000000
--- a/selftest/knownfail.d/samba3.smb2.session-require-signing
-+++ /dev/null
-@@ -1 +0,0 @@
-^samba3.smb2.session-require-signing.bug15397
-diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
-index ef4a54d5710..73d07380dfa 100644
--- a/source3/smbd/smb2_signing.c
-+++ b/source3/smbd/smb2_signing.c
-@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
- 		return false;
- 	}
- 
-+	/*
-+	 * For SMB2 all we need to know is if signing is mandatory.
-+	 * It is always allowed and desired, whatever the smb.conf says.
-+	 */
-+	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-+
- #if defined(WITH_SMB1SERVER)
-	if (conn->protocol >= PROTOCOL_SMB2_02) {
-#endif
-		/*
-		 * For SMB2 all we need to know is if signing is mandatory.
-		 * It is always allowed and desired, whatever the smb.conf says.
-		 */
-		(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-#if defined(WITH_SMB1SERVER)
-	} else {
-		ok = smb1_srv_init_signing(lp_ctx, conn);
-	}
-+	ok = smb1_srv_init_signing(lp_ctx, conn);
- #endif
-+
- 	talloc_unlink(conn, lp_ctx);
- 	return ok;
- }
-- 
-2.39.3
-
--- a/SOURCES/samba-4.17.5.tar.asc
+++ b/SOURCES/samba-4.17.5.tar.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmPSvJEACgkQqplEL7aA
-tiDXbA//bPY+2A4y8zPJLibWjRtmv76xTgj1EJMZoC5d7+5PXQfuVhVULGYrxriF
-MIF4CtTnMDk20mihnQb03csGpZGvqfBKbZg6jYolqeTmwRDgKXf9dxLxYYBGswPN
-JXiF/ZvDQzEorrsz24o7i9Pe44IXpdf7+3RjIXhKjCa2vFQibTndGRhYb0UYiR9S
-DELp6V/rmV9/BrYWVhHVnuzROzNWsrXIyu1GPNRWdX6ptJmjq6f8wZUP0NODYsBP
-e0+BpXwob795tDSAMBnbnp7ZsHRYgB2/iWDTe19MF5LjHCcPwRWmzfZjiWQuz11D
-kg7RUmlTkpU0mrToM+Uyg3Lhc8sayojDTHkIuIPBTuirdKuyP5Zov1wCaPuvf8Ew
-LCQlQsC2AVeko8xY7P5ieXrmsfncoKR23S0MaKM6oNXooMJcNFnemMvCsOGGeGCi
-HJa1whPdI5Cj3zLB5X35UNMmauS7qWyyj3lS2horg8L/iIQ3R3q+0Xkd5VmX1BXz
-EhVDvOnb1F7E9HFlxhZRJFufpnHrGZX6ZYe6BqP8oU092UUU5JMeIqe20wG/dAtX
-B91QhITdPDnM4KrSbch9i+BKW1xD8srRXu4yqMTZp6X6dPh6lnzVn6vj4uKNCMwz
-2qLa3Rl+cRON1uTeFJXSTHg/diHjKriu3+bCqm0RlHAFLMtvudk=
-=gZl3
-----END PGP SIGNATURE-----
--- a/SOURCES/samba-4.18.6.tar.asc
+++ b/SOURCES/samba-4.18.6.tar.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmTc/5EACgkQqplEL7aA
+tiB+4RAAkcRhO1/ZC7sXgqAqTZY05On8g2GLeuBh2Q+u7QIyjcDLuJWzp0TkrbMn
+LBGtFAyCxM1JbW/K1UNafeQcf3UKzY1nIPtUpqVjN7qMxt0BDZ6MsXGbB/qhyGMZ
+YnsZ8of/8NOUKx5KbrSeN5TqjICWTVRKi7KPcBrD51sTSt5unXYrolyJpKoPjYYU
+lQS8cnh/shfvvFX4fYf9XtFS2OcQqCTFrLeajb6DU7Ep6ZBZa9r3m5Gk3ZvhBu9r
+qowmQDqbNfo++wIkOaehD6tQsWcY2XvfBCFLqtSnF1SraN0jpdYr08dbcRGyuhFd
+DS9+4BwCCML0mip7aaP6NHZpN+LvyYkAKPuKo8mW8pxe3i8ctxcTyN6SfmZA6RlE
+bcmRQSkBD/e0jjBX5nR0zsaT01bgE1bBvbro0ZKHpR7/k6WeV+k6jDmqqXnYj3uB
+61fCtf41w1b2pMhty70niga2gxaHrSqu9gqSl2wk/uMhwtdntqrJtaWIChWM0CRs
+b6pfbjEZM2NDhsLe3idvY9Hl1hlKrMtoLJTu7fksTDVJzWPfqOCyIOc1DkxbCqlG
+XB9fbre57DWIpRvNK4pu108LiGbavK2rLC6wlcjshP3/9BA3c3HO/JPQGtDAn1UE
+JVQlYT1Fzzp9RU8U5Khz9D7pB3k6K19ZIo3q5xTA/V5O6axB5WM=
+=GnJM
+-----END PGP SIGNATURE-----
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@ -2,7 +2,7 @@
 #
 # To build and run the tests use:
 #
-# fedpkg local --with testsuite
+# fedpkg mockbuild --with testsuite
 # or
 # rpmbuild --rebuild --with testsuite samba.src.rpm
 #
@ -10,12 +10,15 @@

 # Build with internal talloc, tevent, tdb and ldb.
 #
-# fedpkg local --with=testsuite --with=includelibs
+# fedpkg mockbuild --with=testsuite --with=includelibs
 # or
 # rpmbuild --rebuild --with=testsuite --with=includelibs samba.src.rpm
 #
 %bcond_with includelibs

+# fedpkg mockbuild --with=ccache
+%bcond_with ccache
+
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering

@ -134,8 +137,8 @@

 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")

-%global samba_version 4.17.5
-%global baserelease 3
+%global samba_version 4.18.6
+%global baserelease 1
 # This should be rc1 or %%nil
 %global pre_release %nil

@ -168,10 +171,10 @@
 %global libsmbclient_so_version 0
 %global libwbclient_so_version 0

-%global talloc_version 2.3.4
-%global tdb_version 1.4.7
-%global tevent_version 0.13.0
-%global ldb_version 2.6.1
+%global talloc_version 2.4.0
+%global tdb_version 1.4.8
+%global tevent_version 0.14.1
+%global ldb_version 2.7.2

 %global required_mit_krb5 1.18

@ -185,7 +188,7 @@
 # https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md
 %undefine _strict_symbol_defs_build

-%global libwbc_alternatives_version 0.15
+%global libwbc_alternatives_version 0.16
 %global libwbc_alternatives_suffix %nil
 %if 0%{?__isa_bits} == 64
 %global libwbc_alternatives_suffix -64
@ -210,7 +213,7 @@ Epoch:          0
 %global samba_depver %{epoch}:%{version}-%{release}

 Summary:        Server and Client software to interoperate with Windows machines
-License:        GPLv3+ and LGPLv3+
+License:        GPL-3.0-or-later AND LGPL-3.0-or-later
 URL:            https://www.samba.org

 # This is a xz recompressed file of https://ftp.samba.org/pub/samba/samba-%%{version}%%{pre_release}.tar.gz
@ -231,20 +234,6 @@ Source17:       samba-usershares-systemd-sysusers.conf
 Source201:      README.downgrade
 Source202:      samba.abignore

-# Patches were taken from upstream and backported
-# https://github.com/samba-team/samba/commit/dfeabce44fbb78083fbbb2aa634fc4172cf83db9
-Patch0001: 0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch
-Patch0002: 0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch
-Patch0003: 0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
-Patch0004: 0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
-
-# https://github.com/samba-team/samba/commit/9bab902fc50f88869b253c4089d83b3e33a1075a
-Patch0005: 0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch
-Patch0006: 0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch
-Patch0007: 0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch
-Patch0008: 0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch
-Patch0009: 0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch 
-
 Requires(pre): /usr/sbin/groupadd

 Requires(pre): %{name}-common = %{samba_depver}
@ -284,6 +273,7 @@ Provides: bundled(libreplace)

 BuildRequires: make
 BuildRequires: gcc
+BuildRequires: glibc-gconv-extra
 BuildRequires: avahi-devel
 BuildRequires: bison
 BuildRequires: cups-devel
@ -340,6 +330,10 @@ BuildRequires: zlib-devel >= 1.2.3

 BuildRequires: pkgconfig(libsystemd)

+%if 0%{?fedora} >= 37
+BuildRequires: mold
+%endif
+
 %if %{with vfs_glusterfs}
 BuildRequires: glusterfs-api-devel >= 3.4.0.16
 BuildRequires: glusterfs-devel >= 3.4.0.16
@ -458,6 +452,8 @@ Requires: %{name}-common-libs = %{samba_depver}
 Requires: libwbclient = %{samba_depver}
 %endif
 Requires: krb5-libs >= %{required_mit_krb5}
+# This is needed for charset conversion
+Requires: glibc-gconv-extra

 %description client-libs
 The samba-client-libs package contains internal libraries needed by the
@ -541,13 +537,13 @@ The samba-common-tools package contains tools for SMB/CIFS clients.
 Summary: Tools for Samba servers
 # samba-tool needs python3-samba
 Requires: python3-%{name} = %{samba_depver}
-# samba-tool needs tdbbackup
-Requires: tdb-tools
 # samba-tool needs python3-samba-dc also on non-dc build
 Requires: python3-%{name}-dc = %{samba_depver}
 %if %{with dc}
-# samba-tool needs mdb_copy for domain backup or upgrade provision
+# samba-tool needs mdb_copy and tdbackup for domain backup or upgrade provision
 Requires: lmdb
+Requires: tdb-tools
+Requires: python3-gpg
 %endif

 %description tools
@ -576,6 +572,7 @@ Requires: %{name} = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-common-tools = %{samba_depver}
+Requires: %{name}-tools = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-dc-provision = %{samba_depver}
 Requires: %{name}-dc-libs = %{samba_depver}
@ -596,6 +593,7 @@ Requires: python3-setproctitle
 Requires: python3-%{name} = %{samba_depver}
 Requires: python3-%{name}-dc = %{samba_depver}
 Requires: krb5-server >= %{required_mit_krb5}
+Requires: bind-utils

 Provides: samba4-dc = %{samba_depver}
 Obsoletes: samba4-dc < %{samba_depver}
@ -831,6 +829,7 @@ suite.
 %package -n libwbclient
 Summary: The winbind client library
 Requires: %{name}-client-libs = %{samba_depver}
+Conflicts: sssd-libwbclient

 %description -n libwbclient
 The libwbclient package contains the winbind client library from the Samba
@ -839,6 +838,7 @@ suite.
 %package -n libwbclient-devel
 Summary: Developer tools for the winbind library
 Requires: libwbclient = %{samba_depver}
+Conflicts: sssd-libwbclient-devel

 Provides: samba-winbind-devel = %{samba_depver}
 Obsoletes: samba-winbind-devel < %{samba_depver}
@ -909,7 +909,6 @@ Summary: Perl IDL compiler
 Requires: perl-interpreter
 Requires: perl(FindBin)
 Requires: perl(Parse::Yapp)
-Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 BuildArch: noarch

 Provides: samba4-pidl = %{samba_depver}
@ -995,7 +994,7 @@ Requires(post): %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 Requires(post): %{name}-libs = %{samba_depver}
 Requires: %{name}-winbind-modules = %{samba_depver}
-Recommends: %{name}-tools = %{samba_depver}
+Suggests: %{name}-tools = %{samba_depver}

 %if %{with libwbclient}
 Requires(post): libwbclient = %{samba_depver}
@ -1086,14 +1085,14 @@ necessary to communicate to the Winbind Daemon
 %if %{with winexe}
 %package winexe
 Summary: Samba Winexe Windows Binary
-License: GPLv3
+License: GPL-3.0-only
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}

 Provides: bundled(libreplace)

 %description winexe
-Winexe is a Remote Windows®-command executor
+Winexe is a Remote Windows-command executor
 %endif

 ### CTDB
@ -1263,6 +1262,15 @@ export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')"
 # Use the gold linker
 export LDFLAGS="%{__global_ldflags} -fuse-ld=gold"

+# Add support for mock ccache plugin
+%if %{with ccache}
+CCACHE="$(command -v ccache)"
+if [ -n "${CCACHE}" ]; then
+    ${CCACHE} -s
+    export CC="${CCACHE} gcc"
+fi
+%endif
+
 %configure \
        --enable-fhs \
        --with-piddir=/run \
@ -1348,17 +1356,6 @@ install -d -m 0755 %{buildroot}/%{_libdir}/samba
 install -d -m 0755 %{buildroot}/%{_libdir}/samba/ldb
 install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig

-# Move libwbclient.so* into private directory, it cannot be just libdir/samba
-# because samba uses rpath with this directory.
-install -d -m 0755 %{buildroot}/%{_libdir}/samba/wbclient
-mv %{buildroot}/%{_libdir}/libwbclient.so* %{buildroot}/%{_libdir}/samba/wbclient
-if [ ! -f %{buildroot}/%{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} ]
-then
-    echo "Expected libwbclient version not found, please check if version has changed."
-    exit -1
-fi
-
-
 touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb

 # Install other stuff
@ -1565,52 +1562,13 @@ fi
 %endif

 %if %{with libwbclient}
-%posttrans -n libwbclient
-# It has to be posttrans here to make sure all files of a previous version
-# without alternatives support are removed
-%{_sbindir}/update-alternatives \
-        --install \
-        %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
-        libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
-        %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} \
-        10
+%pre -n libwbclient
+if [ $1 -gt 1 ] ; then
+    rm -rf %{_libdir}/samba/wbclient/
+    rm -f /etc/alternatives/libwbclient.so*
+    rm -f /var/lib/alternatives/libwbclient.so*
+fi
 %{?ldconfig}
-
-%preun -n libwbclient
-if [ $1 -eq 0 ]; then
-    %{_sbindir}/update-alternatives \
-            --remove \
-            libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
-            %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version}
-fi
-/sbin/ldconfig
-
-%posttrans -n libwbclient-devel
-%{_sbindir}/update-alternatives \
-        --install %{_libdir}/libwbclient.so \
-        libwbclient.so%{libwbc_alternatives_suffix} \
-        %{_libdir}/samba/wbclient/libwbclient.so \
-        10
-
-%preun -n libwbclient-devel
-# alternatives checks if the file which should be removed is a link or not, but
-# not if it points to the /etc/alternatives directory or to some other place.
-# When downgrading to a version where alternatives is not used and
-# libwbclient.so is a link and not a file it will be removed. The following
-# check removes the alternatives files manually if that is the case.
-if [ $1 -eq 0 ]; then
-    if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
-        /bin/rm -f \
-            /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} \
-            /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
-    else
-        %{_sbindir}/update-alternatives \
-            --remove \
-            libwbclient.so%{libwbc_alternatives_suffix} \
-            %{_libdir}/samba/wbclient/libwbclient.so
-    fi
-fi
-
 #endif {with libwbclient}
 %endif

@ -1957,6 +1915,7 @@ fi
 %{_libdir}/samba/libsmbd-base-samba4.so
 %{_libdir}/samba/libsmbd-shim-samba4.so
 %{_libdir}/samba/libsmbldaphelper-samba4.so
+%{_libdir}/samba/libstable-sort-samba4.so
 %{_libdir}/samba/libsys-rw-samba4.so
 %{_libdir}/samba/libsocket-blocking-samba4.so
 %{_libdir}/samba/libtalloc-report-printf-samba4.so
@ -1982,10 +1941,9 @@ fi

 %if %{with includelibs}
 %{_libdir}/samba/libldb-*.so
-%{_libdir}/samba/libldb.so.*
-%{_libdir}/samba/libtalloc.so.*
-%{_libdir}/samba/libtdb.so.*
-%{_libdir}/samba/libtevent.so.*
+%{_libdir}/samba/libtalloc-samba4.so
+%{_libdir}/samba/libtdb-samba4.so
+%{_libdir}/samba/libtevent-samba4.so

 %{_libdir}/samba/ldb/asq.so
 %{_libdir}/samba/ldb/ldb.so
@ -2138,9 +2096,13 @@ fi
 %{_mandir}/man8/samba.8*
 %{_mandir}/man8/samba_downgrade_db.8*
 %dir %{_datadir}/samba/admx
+%{_datadir}/samba/admx/GNOME_Settings.admx
 %{_datadir}/samba/admx/samba.admx
 %dir %{_datadir}/samba/admx/en-US
+%{_datadir}/samba/admx/en-US/GNOME_Settings.adml
 %{_datadir}/samba/admx/en-US/samba.adml
+%dir %{_datadir}/samba/admx/ru-RU
+%{_datadir}/samba/admx/ru-RU/GNOME_Settings.adml

 %files dc-provision
 %license source4/setup/ad-schema/licence.txt
@ -2218,6 +2180,7 @@ fi
 %{_includedir}/samba-4.0/domain_credentials.h
 %{_includedir}/samba-4.0/gen_ndr/atsvc.h
 %{_includedir}/samba-4.0/gen_ndr/auth.h
+%{_includedir}/samba-4.0/gen_ndr/claims.h
 %{_includedir}/samba-4.0/gen_ndr/dcerpc.h
 %{_includedir}/samba-4.0/gen_ndr/krb5pac.h
 %{_includedir}/samba-4.0/gen_ndr/lsa.h
@ -2410,12 +2373,12 @@ fi
 ### LIBWBCLIENT
 %if %{with libwbclient}
 %files -n libwbclient
-%{_libdir}/samba/wbclient/libwbclient.so.%{libwbclient_so_version}*
+%{_libdir}/libwbclient.so.%{libwbclient_so_version}*

 ### LIBWBCLIENT-DEVEL
 %files -n libwbclient-devel
 %{_includedir}/samba-4.0/wbclient.h
-%{_libdir}/samba/wbclient/libwbclient.so
+%{_libdir}/libwbclient.so
 %{_libdir}/pkgconfig/wbclient.pc
 #endif {with libwbclient}
 %endif
@ -2490,6 +2453,7 @@ fi
 %{python3_sitearch}/samba/__pycache__/ms_schema.*.pyc
 %{python3_sitearch}/samba/__pycache__/ndr.*.pyc
 %{python3_sitearch}/samba/__pycache__/ntacls.*.pyc
+%{python3_sitearch}/samba/__pycache__/safe_tarfile.*.pyc
 %{python3_sitearch}/samba/__pycache__/sd_utils.*.pyc
 %{python3_sitearch}/samba/__pycache__/sites.*.pyc
 %{python3_sitearch}/samba/__pycache__/subnets.*.pyc
@ -2505,6 +2469,7 @@ fi
 %{python3_sitearch}/samba/dbchecker.py
 %{python3_sitearch}/samba/colour.py
 %{python3_sitearch}/samba/common.py
+%{python3_sitearch}/samba/compression.*.so
 %{python3_sitearch}/samba/credentials.*.so
 %{python3_sitearch}/samba/crypto.*.so
 %dir %{python3_sitearch}/samba/dcerpc
@ -2514,6 +2479,7 @@ fi
 %{python3_sitearch}/samba/dcerpc/atsvc.*.so
 %{python3_sitearch}/samba/dcerpc/auth.*.so
 %{python3_sitearch}/samba/dcerpc/base.*.so
+%{python3_sitearch}/samba/dcerpc/claims.*.so
 %{python3_sitearch}/samba/dcerpc/dcerpc.*.so
 %{python3_sitearch}/samba/dcerpc/dfs.*.so
 %{python3_sitearch}/samba/dcerpc/dns.*.so
@ -2710,7 +2676,9 @@ fi
 %{python3_sitearch}/samba/param.*.so
 %{python3_sitearch}/samba/policy.*.so
 %{python3_sitearch}/samba/registry.*.so
+%{python3_sitearch}/samba/reparse_symlink.*.so
 %{python3_sitearch}/samba/security.*.so
+%{python3_sitearch}/samba/safe_tarfile.py
 %dir %{python3_sitearch}/samba/samba3
 %{python3_sitearch}/samba/samba3/__init__.py
 %dir %{python3_sitearch}/samba/samba3/__pycache__
@ -2746,8 +2714,8 @@ fi
 %{_libdir}/samba/libsamba-python.cpython*.so

 %if %{with includelibs}
-%{_libdir}/samba/libpyldb-util.cpython*.so.*
-%{_libdir}/samba/libpytalloc-util.cpython*.so.*
+%{_libdir}/samba/libpyldb-util.cpython*.so
+%{_libdir}/samba/libpytalloc-util.cpython*.so

 %{python3_sitearch}/__pycache__/_ldb_text*.pyc
 %{python3_sitearch}/__pycache__/_tdb_text*.pyc
@ -2844,6 +2812,7 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/auth_log_winbind.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/common.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/complex_expressions.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/compression.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/core.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/credentials.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/cred_opt.*.pyc
@ -2884,6 +2853,7 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/logfiles.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/libsmb-basic.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/ndr.*.pyc
@ -2918,12 +2888,14 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/pso.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/py_credentials.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/registry.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/reparsepoints.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3idmapdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3param.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3passdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3registry.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3windb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3_net_join.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/safe_tarfile.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc
@ -2933,6 +2905,9 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/sid_strings.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/smb1posix.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/smb2symlink.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/smb3unix.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smbconf.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smb-notify.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc
@ -2998,6 +2973,7 @@ fi
 %{python3_sitearch}/samba/tests/blackbox/traffic_replay.py
 %{python3_sitearch}/samba/tests/blackbox/traffic_summary.py
 %{python3_sitearch}/samba/tests/common.py
+%{python3_sitearch}/samba/tests/compression.py
 %{python3_sitearch}/samba/tests/complex_expressions.py
 %{python3_sitearch}/samba/tests/core.py
 %{python3_sitearch}/samba/tests/credentials.py
@ -3103,9 +3079,11 @@ fi
 %{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/claims_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/etype_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/group_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
@ -3134,9 +3112,11 @@ fi
 %{python3_sitearch}/samba/tests/krb5/alias_tests.py
 %{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py
 %{python3_sitearch}/samba/tests/krb5/as_req_tests.py
+%{python3_sitearch}/samba/tests/krb5/claims_tests.py
 %{python3_sitearch}/samba/tests/krb5/compatability_tests.py
 %{python3_sitearch}/samba/tests/krb5/etype_tests.py
 %{python3_sitearch}/samba/tests/krb5/fast_tests.py
+%{python3_sitearch}/samba/tests/krb5/group_tests.py
 %{python3_sitearch}/samba/tests/krb5/kcrypto.py
 %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
 %{python3_sitearch}/samba/tests/krb5/kdc_tests.py
@ -3168,6 +3148,7 @@ fi
 %{python3_sitearch}/samba/tests/ldap_referrals.py
 %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py
 %{python3_sitearch}/samba/tests/libsmb.py
+%{python3_sitearch}/samba/tests/libsmb-basic.py
 %{python3_sitearch}/samba/tests/loadparm.py
 %{python3_sitearch}/samba/tests/logfiles.py
 %{python3_sitearch}/samba/tests/lsa_string.py
@ -3204,12 +3185,14 @@ fi
 %{python3_sitearch}/samba/tests/pso.py
 %{python3_sitearch}/samba/tests/py_credentials.py
 %{python3_sitearch}/samba/tests/registry.py
+%{python3_sitearch}/samba/tests/reparsepoints.py
 %{python3_sitearch}/samba/tests/s3idmapdb.py
 %{python3_sitearch}/samba/tests/s3param.py
 %{python3_sitearch}/samba/tests/s3passdb.py
 %{python3_sitearch}/samba/tests/s3registry.py
 %{python3_sitearch}/samba/tests/s3windb.py
 %{python3_sitearch}/samba/tests/s3_net_join.py
+%{python3_sitearch}/samba/tests/safe_tarfile.py
 %{python3_sitearch}/samba/tests/samba3sam.py
 %{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py
 %dir %{python3_sitearch}/samba/tests/samba_tool
@ -3297,6 +3280,9 @@ fi
 %{python3_sitearch}/samba/tests/segfault.py
 %{python3_sitearch}/samba/tests/sid_strings.py
 %{python3_sitearch}/samba/tests/smb.py
+%{python3_sitearch}/samba/tests/smb1posix.py
+%{python3_sitearch}/samba/tests/smb2symlink.py
+%{python3_sitearch}/samba/tests/smb3unix.py
 %{python3_sitearch}/samba/tests/smbconf.py
 %{python3_sitearch}/samba/tests/smb-notify.py
 %{python3_sitearch}/samba/tests/smbd_base.py
@ -3326,6 +3312,7 @@ fi
 %{_mandir}/man1/smbtorture.1*

 %if %{with testsuite}
+%{_mandir}/man1/vfstest.1*
 # files to ignore in testsuite mode
 %{_libdir}/samba/libnss-wrapper.so
 %{_libdir}/samba/libsocket-wrapper.so
@ -3543,7 +3530,10 @@ fi
 %{_libexecdir}/ctdb/tests/sock_io_test
 %{_libexecdir}/ctdb/tests/srvid_test
 %{_libexecdir}/ctdb/tests/system_socket_test
+%{_libexecdir}/ctdb/tests/tmon_ping_test
+%{_libexecdir}/ctdb/tests/tmon_test
 %{_libexecdir}/ctdb/tests/transaction_loop
+%{_libexecdir}/ctdb/tests/tunable_test
 %{_libexecdir}/ctdb/tests/tunnel_cmd
 %{_libexecdir}/ctdb/tests/tunnel_test
 %{_libexecdir}/ctdb/tests/update_record
@ -3630,13 +3620,19 @@ fi
 %{_datadir}/ctdb/tests/INTEGRATION/simple/basics.005.process_exists.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/basics.010.statistics.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/basics.011.statistics_reset.sh
-%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.002.recmaster_yield.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.001.stop_leader_yield.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.002.ban_leader_yield.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.003.capability_leader_yield.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.006.stop_leader_yield_no_lock.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.007.ban_leader_yield_no_lock.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.008.capability_leader_yield_no_lock.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.010.getrelock.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.012.reclock_command.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.015.reclock_remove_lock.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.016.reclock_move_lock_dir.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.020.message_ring.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.021.tunnel_ring.sh
+%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.030.node_stall_leader_timeout.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.090.unreachable.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.091.version_check.sh
 %{_datadir}/ctdb/tests/INTEGRATION/simple/debug.001.getdebug.sh
@ -3662,6 +3658,7 @@ fi
 %{_datadir}/ctdb/tests/UNIT/cunit/cmdline_test_001.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/comm_test_001.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/comm_test_002.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/conf_test_001.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/config_test_001.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/config_test_002.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/config_test_003.sh
@ -3669,7 +3666,6 @@ fi
 %{_datadir}/ctdb/tests/UNIT/cunit/config_test_005.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/config_test_006.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/config_test_007.sh
-%{_datadir}/ctdb/tests/UNIT/cunit/conf_test_001.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/ctdb_io_test_001.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/db_hash_test_001.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/event_protocol_test_001.sh
@ -3697,6 +3693,9 @@ fi
 %{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_001.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_002.sh
 %{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_003.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/tmon_test_001.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/tmon_test_002.sh
+%{_datadir}/ctdb/tests/UNIT/cunit/tunable_test_001.sh
 %dir %{_datadir}/ctdb/tests/UNIT/eventd
 %dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb
 %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/ctdb.conf
@ -3767,10 +3766,6 @@ fi
 %{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.007.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.008.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.009.sh
-%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.setup.001.sh
-%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.setup.002.sh
-%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.setup.003.sh
-%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.setup.004.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/01.reclock.init.001.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/01.reclock.init.002.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/01.reclock.init.003.sh
@ -3947,6 +3942,22 @@ fi
 %{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.shutdown.002.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.startup.001.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.startup.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.001.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.002.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.003.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.004.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.005.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.006.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.007.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.008.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.021.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.022.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.023.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.024.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.025.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.026.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.027.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.028.sh
 %dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc
 %dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc-ctdb
 %{_datadir}/ctdb/tests/UNIT/eventscripts/etc-ctdb/public_addresses
@ -3976,6 +3987,7 @@ fi
 %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/50.samba.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/60.nfs.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/91.lvs.sh
+%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/debug_locks.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/local.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/statd-callout.sh
 %{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.001.sh
@ -3995,6 +4007,7 @@ fi
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/df
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ethtool
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/exportfs
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/gstack
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/id
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ip
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ip6tables
@ -4003,21 +4016,24 @@ fi
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/kill
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/killall
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/multipath
-%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/nfsconf
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/net
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/nfs-fake-callout
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/nfsconf
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pidof
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pkill
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ps
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rm
-%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpcinfo
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.lockd
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.mountd
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.rquotad
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.statd
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpcinfo
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/service
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/sleep
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/smnotify
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ss
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/stat
+%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/tdb_mutex_check
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/tdbdump
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/tdbtool
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/testparm
@ -4045,7 +4061,6 @@ fi
 %{_datadir}/ctdb/tests/UNIT/onnode/stubs/ssh
 %dir %{_datadir}/ctdb/tests/UNIT/shellcheck
 %{_datadir}/ctdb/tests/UNIT/shellcheck/base_scripts.sh
-%{_datadir}/ctdb/tests/UNIT/shellcheck/ctdbd_wrapper.sh
 %{_datadir}/ctdb/tests/UNIT/shellcheck/ctdb_helpers.sh
 %{_datadir}/ctdb/tests/UNIT/shellcheck/event_scripts.sh
 %{_datadir}/ctdb/tests/UNIT/shellcheck/functions.sh
@ -4180,6 +4195,8 @@ fi
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.ipinfo.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.ipinfo.002.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.ipinfo.003.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.leader.001.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.leader.002.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.listnodes.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.listnodes.002.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.listvars.001.sh
@ -4207,6 +4224,7 @@ fi
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.004.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.005.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.006.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.007.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.pdelete.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.ping.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.pnn.001.sh
@ -4216,8 +4234,6 @@ fi
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.pstore.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.ptrans.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.readkey.001.sh
-%{_datadir}/ctdb/tests/UNIT/tool/ctdb.recmaster.001.sh
-%{_datadir}/ctdb/tests/UNIT/tool/ctdb.recmaster.002.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.recover.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.002.sh
@ -4259,6 +4275,7 @@ fi
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.setvar.002.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.status.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.status.002.sh
+%{_datadir}/ctdb/tests/UNIT/tool/ctdb.status.003.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.stop.001.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.stop.002.sh
 %{_datadir}/ctdb/tests/UNIT/tool/ctdb.stop.003.sh
@ -4311,9 +4328,36 @@ fi
 %endif

 %changelog
-* Thu Aug 03 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.17.5-3.alma
- Fix CVE-2023-3347
- netlogon: add support for netr_LogonGetCapabilities response level 2
+* Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-1
+- related: rhbz#2190417 - Update to version 4.18.6
+- resolves: rhbz#2232564 - Fix the rpc dsgetinfo command
+
+* Thu Jul 20 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.5-0
+- resolves: rhbz#2222894 - Fix CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968
+
+* Mon Jul 17 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-2
+- resolves: rhbz#2222884 - Fix trust relationship between workstation and DC
+
+* Mon Jul 10 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-1
+- resolves: rhbz#2221594 - Fix broken symlink for libwbclient
+- resolves: rhbz#2221600 - Fix segfault of winbind child when listing users with `winbind scan trusted domains = yes`
+- resolves: rhbz#2175385 - Fix access of Samba share with veto files = /.*/
+- resolves: rhbz#2218237 - Fix Python tarfile extraction to avoid a warning
+
+* Thu Jul 06 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.4-0
+- resolves: rhbz#2190417 - Update to version 4.18.4
+
+* Tue Jun 13 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.3-0
+- resolves: rhbz#2190417 - Update to version 4.18.3
+
+* Tue Jun 06 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.2-2
+- resolves: rhbz#2190417 - Rebuild to trigger distrobaker sync
+
+* Wed May 24 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.2-1
+- resolves: rhbz#2190417 - Add missing tests to fix osci.brew-build.tier0.functional
+
+* Mon May 22 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.2-0
+- resolves: rhbz#2190417 - Update to version 4.18.2

 * Wed Feb 15 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-2
 - resolves: rhbz#2169339 - Fix winbind memory leak