diff --git a/.gitignore b/.gitignore index a32ae18..db71ada 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.16.4.tar.xz +SOURCES/samba-4.17.5.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index 620213e..a072d0f 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -c943ec2e8b9413cd3465e39481b49872b4486e86 SOURCES/samba-4.16.4.tar.xz +68926a886d20bbd5b4d768d9788d4b5a5ca399e5 SOURCES/samba-4.17.5.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/samba-4.16-waf-crypto.patch b/SOURCES/samba-4.16-waf-crypto.patch deleted file mode 100644 index 337be97..0000000 --- a/SOURCES/samba-4.16-waf-crypto.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:24:04 +0200 -Subject: [PATCH 1/2] waf: Check for GnuTLS earlier - -As GnuTLS is an essential part we need to check for it early so we can react on -GnuTLS features in other wscripts. - -Signed-off-by: Andreas Schneider ---- - wscript | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/wscript b/wscript -index d8220b35095..5b85d9a1682 100644 ---- a/wscript -+++ b/wscript -@@ -189,6 +189,8 @@ def configure(conf): - conf.RECURSE('dynconfig') - conf.RECURSE('selftest') - -+ conf.PROCESS_SEPARATE_RULE('system_gnutls') -+ - conf.CHECK_CFG(package='zlib', minversion='1.2.3', - args='--cflags --libs', - mandatory=True) -@@ -297,8 +299,6 @@ def configure(conf): - if not conf.CONFIG_GET('KRB5_VENDOR'): - conf.PROCESS_SEPARATE_RULE('embedded_heimdal') - -- conf.PROCESS_SEPARATE_RULE('system_gnutls') -- - conf.RECURSE('source4/dsdb/samdb/ldb_modules') - conf.RECURSE('source4/ntvfs/sysdep') - conf.RECURSE('lib/util') --- -2.35.1 - - -From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:25:31 +0200 -Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS - provides the cipher - -Signed-off-by: Andreas Schneider ---- - third_party/wscript | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/third_party/wscript b/third_party/wscript -index 1f4bc1ce1d7..a17c15bcaa7 100644 ---- a/third_party/wscript -+++ b/third_party/wscript -@@ -5,7 +5,8 @@ from waflib import Options - def configure(conf): - conf.RECURSE('cmocka') - conf.RECURSE('popt') -- conf.RECURSE('aesni-intel') -+ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ conf.RECURSE('aesni-intel') - if conf.CONFIG_GET('ENABLE_SELFTEST'): - conf.RECURSE('socket_wrapper') - conf.RECURSE('nss_wrapper') -@@ -18,7 +19,8 @@ def configure(conf): - def build(bld): - bld.RECURSE('cmocka') - bld.RECURSE('popt') -- bld.RECURSE('aesni-intel') -+ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ bld.RECURSE('aesni-intel') - if bld.CONFIG_GET('SOCKET_WRAPPER'): - bld.RECURSE('socket_wrapper') - if bld.CONFIG_GET('NSS_WRAPPER'): --- -2.35.1 - diff --git a/SOURCES/samba-4.16.4.tar.asc b/SOURCES/samba-4.16.4.tar.asc deleted file mode 100644 index 96aba0e..0000000 --- a/SOURCES/samba-4.16.4.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmLg520ACgkQqplEL7aA -tiBsuA//ZqQhoz1unYEMk6tqu528xGweYd488gjdKkszWPCI5NmGbmvN/tbhUIc3 -WbJO8oPEFN81+a0b7nsKxpgDt8IR00rx4mA3A5rh+Z1PTbUWpjBxchTsXZsEaDaE -dA/pRes+rzDpjLg2VWAd+5SDwy1d5ZfZ+gX/qntfpgYLqiBfJNJJPxCEFqnG1IUF -xaWwKQNuduq89Wr3LabSCjx4IMQEABr8VN+WZG5JhmKBaad1I5tOBOFypLS0iKUX -bGsMr3itdKFvYmAFM2ZbY/Q7DZb5GIUvNOqyRcBYQe33tqS2GYjEHS0tbXoNP5l2 -gQcs3FiebX6Bi4I6EoFL380LLG1zskCV5xRtGIvrW7SOKCnkaswuxlHEQSVWFc0A -2aZmT7RaKYwtm+0kD+Fq3PWBwPvLBgiCP9oohfOgqrW9VnIJNbyCyJcBbK8snS0a -KIfr+hM+ccNBVhmpFWRjA0WkVW9d9/tcDFN63nTQJkZg4cXZboMVO7fjmo4U1oJK -qIVU5Xr0e5TXLNWguvr6t03CUvtfgBHMYFrHRX4HJTN7Z3m4WxAYt+jspIavQP/S -muj4g/INYmjZmBG2f9mign6Tt3MtOtHlymMFAJ1t1e+9B5v1dkmO4T6ffqbDgvg5 -bnAFUM5+bzW81DGJNbITDSNBU7PokwP4cQBNTVtgK38DW4BiPO8= -=6kYO ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.17.5.tar.asc b/SOURCES/samba-4.17.5.tar.asc new file mode 100644 index 0000000..6d0b732 --- /dev/null +++ b/SOURCES/samba-4.17.5.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmPSvJEACgkQqplEL7aA +tiDXbA//bPY+2A4y8zPJLibWjRtmv76xTgj1EJMZoC5d7+5PXQfuVhVULGYrxriF +MIF4CtTnMDk20mihnQb03csGpZGvqfBKbZg6jYolqeTmwRDgKXf9dxLxYYBGswPN +JXiF/ZvDQzEorrsz24o7i9Pe44IXpdf7+3RjIXhKjCa2vFQibTndGRhYb0UYiR9S +DELp6V/rmV9/BrYWVhHVnuzROzNWsrXIyu1GPNRWdX6ptJmjq6f8wZUP0NODYsBP +e0+BpXwob795tDSAMBnbnp7ZsHRYgB2/iWDTe19MF5LjHCcPwRWmzfZjiWQuz11D +kg7RUmlTkpU0mrToM+Uyg3Lhc8sayojDTHkIuIPBTuirdKuyP5Zov1wCaPuvf8Ew +LCQlQsC2AVeko8xY7P5ieXrmsfncoKR23S0MaKM6oNXooMJcNFnemMvCsOGGeGCi +HJa1whPdI5Cj3zLB5X35UNMmauS7qWyyj3lS2horg8L/iIQ3R3q+0Xkd5VmX1BXz +EhVDvOnb1F7E9HFlxhZRJFufpnHrGZX6ZYe6BqP8oU092UUU5JMeIqe20wG/dAtX +B91QhITdPDnM4KrSbch9i+BKW1xD8srRXu4yqMTZp6X6dPh6lnzVn6vj4uKNCMwz +2qLa3Rl+cRON1uTeFJXSTHg/diHjKriu3+bCqm0RlHAFLMtvudk= +=gZl3 +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-s4u.patch b/SOURCES/samba-s4u.patch deleted file mode 100644 index 5d3cb55..0000000 --- a/SOURCES/samba-s4u.patch +++ /dev/null @@ -1,642 +0,0 @@ -From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:25:03 +0300 -Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------ - source4/kdc/mit_samba.c | 47 ++------- - source4/kdc/mit_samba.h | 6 +- - 3 files changed, 71 insertions(+), 106 deletions(-) - -diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index 793fe366c35..22534c09974 100644 ---- a/source4/kdc/mit-kdb/kdb_samba_policies.c -+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, - krb5_keyblock *krbtgt_key, - krb5_timestamp authtime, - krb5_authdata **tgt_auth_data, -- krb5_pac *pac) -+ krb5_pac *out_pac) - { - struct mit_samba_context *mit_ctx; - krb5_authdata **authdata = NULL; -- krb5_pac ipac = NULL; -- DATA_BLOB logon_data = { NULL, 0 }; -+ krb5_keyblock *header_server_key = NULL; -+ krb5_key_data *impersonator_kd = NULL; -+ krb5_keyblock impersonator_key = {0}; - krb5_error_code code; -+ krb5_pac pac; -+ -+ *out_pac = NULL; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { -@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = krb5_pac_parse(context, - authdata[0]->contents, - authdata[0]->length, -- &ipac); -+ &pac); - if (code != 0) { - goto done; - } - -- /* TODO: verify this is correct -- * -- * In the constrained delegation case, the PAC is from a service -- * ticket rather than a TGT; we must verify the server and KDC -- * signatures to assert that the server did not forge the PAC. -+ /* -+ * For constrained delegation in MIT version < 1.18 we aren't provided -+ * with the 2nd ticket server key to verify the PAC. -+ * We can workaround that by fetching the key from the client db entry, -+ * which is the impersonator account in that version. -+ * TODO: use the provided entry in the new 1.18 version. - */ - if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- server_key, -- krbtgt_key); -+ /* The impersonator must be local. */ -+ if (client == NULL) { -+ code = KRB5KDC_ERR_BADOPTION; -+ goto done; -+ } -+ /* Fetch and decrypt 2nd ticket server's current key. */ -+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0, -+ &impersonator_kd); -+ if (code != 0) { -+ goto done; -+ } -+ code = krb5_dbe_decrypt_key_data(context, NULL, -+ impersonator_kd, -+ &impersonator_key, NULL); -+ if (code != 0) { -+ goto done; -+ } -+ header_server_key = &impersonator_key; - } else { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- krbtgt_key, -- NULL); -- } -- if (code != 0) { -- goto done; -+ header_server_key = krbtgt_key; - } - -- /* check and update PAC */ -- code = krb5_pac_parse(context, -- authdata[0]->contents, -- authdata[0]->length, -- pac); -+ code = krb5_pac_verify(context, pac, authtime, client_princ, -+ header_server_key, NULL); - if (code != 0) { - goto done; - } -@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = mit_samba_reget_pac(mit_ctx, - context, - flags, -- client_princ, - client, - server, - krbtgt, - krbtgt_key, -- pac); -+ &pac); -+ if (code != 0) { -+ goto done; -+ } -+ -+ *out_pac = pac; -+ pac = NULL; - - done: -+ krb5_free_keyblock_contents(context, &impersonator_key); - krb5_free_authdata(context, authdata); -- krb5_pac_free(context, ipac); -- free(logon_data.data); -+ krb5_pac_free(context, pac); - - return code; - } -@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krb5_authdata **pac_auth_data = NULL; - krb5_authdata **authdata = NULL; - krb5_boolean is_as_req; -+ krb5_const_principal pac_client; - krb5_error_code code; - krb5_pac pac = NULL; - krb5_data pac_data; -@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; - krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; - -- /* FIXME: We don't support S4U yet */ -- if (flags & KRB5_KDB_FLAGS_S4U) { -- return KRB5_KDB_DBTYPE_NOSUP; -- } -- - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); - - /* -@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - ks_client_princ = client->princ; - } - -+ /* In protocol transition, we are currently not provided with the tgt -+ * client name to verify the PAC, we could probably skip the name -+ * verification and just verify the signatures, but since we don't -+ * support cross-realm nor aliases, we can just use server->princ */ -+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { -+ pac_client = server->princ; -+ } else { -+ pac_client = ks_client_princ; -+ } -+ - if (client_entry == NULL) { - client_entry = client; - } -@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - - code = ks_verify_pac(context, - flags, -- ks_client_princ, -+ pac_client, - client_entry, - server, - krbtgt, -@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - is_as_req ? "AS-REQ" : "TGS-REQ", - client_name); - code = krb5_pac_sign(context, pac, authtime, ks_client_princ, -- server_key, krbtgt_key, &pac_data); -+ server_key, krbtgt_key, &pac_data); - if (code != 0) { - DBG_ERR("krb5_pac_sign failed: %d\n", code); - goto done; -@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - KRB5_AUTHDATA_IF_RELEVANT, - authdata, - signed_auth_data); -- if (code != 0) { -- goto done; -- } -- -- code = 0; -- - done: - if (client_entry != NULL && client_entry != client) { - ks_free_principal(context, client_entry); -@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, - * server; -> delegating service - * proxy; -> target principal - */ -- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server); -- -- char *target_name = NULL; -- bool is_enterprise; -- krb5_error_code code; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { - return KRB5_KDB_DBNOTINITED; - } - -- code = krb5_unparse_name(context, proxy, &target_name); -- if (code) { -- goto done; -- } -- -- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL); -- -- code = mit_samba_check_s4u2proxy(mit_ctx, -- delegating_service, -- target_name, -- is_enterprise); -- --done: -- free(target_name); -- return code; -+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy); - } - - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index cb72b5de294..03c2c2ea1de 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - context, - *pac, - server->princ, -- discard_const(client_principal), -+ client->princ, - deleg_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Update delegation info failed: %s\n", -@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - } - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name) -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal) - { --#if 1 -- /* -- * This is disabled because mit_samba_update_pac_data() does not handle -- * S4U_DELEGATION_INFO -- */ -- -- return KRB5KDC_ERR_BADOPTION; --#else -- krb5_principal target_principal; -- int flags = 0; -- int ret; -- -- if (is_nt_enterprise_name) { -- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; -- } -- -- ret = krb5_parse_name_flags(ctx->context, target_name, -- flags, &target_principal); -- if (ret) { -- return ret; -- } -- -- ret = samba_kdc_check_s4u2proxy(ctx->context, -- ctx->db_ctx, -- skdc_entry, -- target_principal); -- -- krb5_free_principal(ctx->context, target_principal); -- -- return ret; --#endif -+ struct samba_kdc_entry *server_skdc_entry = -+ talloc_get_type_abort(server->e_data, -+ struct samba_kdc_entry); -+ -+ return samba_kdc_check_s4u2proxy(ctx->context, -+ ctx->db_ctx, -+ server_skdc_entry, -+ target_principal); - } - - static krb5_error_code mit_samba_change_pwd_error(krb5_context context, -diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h -index 4431e82a1b2..9370ab533af 100644 ---- a/source4/kdc/mit_samba.h -+++ b/source4/kdc/mit_samba.h -@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - DATA_BLOB *e_data); - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name); -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal); - - int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, - char *pwd, --- -2.37.1 - - -From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:35:30 +0300 -Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++ - lib/krb5_wrap/krb5_samba.h | 2 - - source4/auth/kerberos/kerberos_util.c | 11 -- - 3 files changed, 185 insertions(+), 13 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 4321f07ca09..3fd95e47fca 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - - return 0; - } -+ -+#else /* MIT */ -+ -+static bool princ_compare_no_dollar(krb5_context ctx, -+ krb5_principal a, -+ krb5_principal b) -+{ -+ bool cmp; -+ krb5_principal mod = NULL; -+ -+ if (a->length == 1 && b->length == 1 && -+ a->data[0].length != 0 && b->data[0].length != 0 && -+ a->data[0].data[a->data[0].length -1] != -+ b->data[0].data[b->data[0].length -1]) { -+ if (a->data[0].data[a->data[0].length -1] == '$') { -+ mod = a; -+ mod->data[0].length--; -+ } else if (b->data[0].data[b->data[0].length -1] == '$') { -+ mod = b; -+ mod->data[0].length--; -+ } -+ } -+ -+ cmp = krb5_principal_compare_flags(ctx, a, b, -+ KRB5_PRINCIPAL_COMPARE_CASEFOLD); -+ -+ if (mod != NULL) { -+ mod->data[0].length++; -+ } -+ -+ return cmp; -+} -+ -+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, -+ krb5_ccache store_cc, -+ krb5_principal init_principal, -+ const char *init_password, -+ krb5_principal impersonate_principal, -+ const char *self_service, -+ const char *target_service, -+ krb5_get_init_creds_opt *krb_options, -+ time_t *expire_time, -+ time_t *kdc_time) -+{ -+ krb5_error_code code; -+ krb5_principal self_princ = NULL; -+ krb5_principal target_princ = NULL; -+ krb5_creds *store_creds; -+ krb5_creds *s4u2self_creds = NULL; -+ krb5_creds *s4u2proxy_creds = NULL; -+ krb5_creds init_creds = {0}; -+ krb5_creds mcreds = {0}; -+ krb5_flags options = KRB5_GC_NO_STORE; -+ krb5_ccache tmp_cc; -+ bool s4u2proxy; -+ -+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc); -+ if (code != 0) { -+ return code; -+ } -+ -+ code = krb5_get_init_creds_password(ctx, &init_creds, -+ init_principal, -+ init_password, -+ NULL, NULL, -+ 0, -+ NULL, -+ krb_options); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* -+ * Check if we also need S4U2Proxy or if S4U2Self is -+ * enough in order to get a ticket for the target. -+ */ -+ if (target_service == NULL) { -+ s4u2proxy = false; -+ } else if (strcmp(target_service, self_service) == 0) { -+ s4u2proxy = false; -+ } else { -+ s4u2proxy = true; -+ } -+ -+ code = krb5_parse_name(ctx, self_service, &self_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt -+ * client and the request server to be the same principal name. */ -+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ mcreds.client = impersonate_principal; -+ mcreds.server = init_creds.client; -+ -+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds, -+ NULL, &s4u2self_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (s4u2proxy) { -+ code = krb5_parse_name(ctx, target_service, &target_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ mcreds.client = init_creds.client; -+ mcreds.server = target_princ; -+ mcreds.second_ticket = s4u2self_creds->ticket; -+ -+ code = krb5_get_credentials(ctx, options | -+ KRB5_GC_CONSTRAINED_DELEGATION, -+ tmp_cc, &mcreds, &s4u2proxy_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* Check KDC support of S4U2Proxy extension */ -+ if (!krb5_principal_compare(ctx, s4u2self_creds->client, -+ s4u2proxy_creds->client)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ store_creds = s4u2proxy_creds; -+ } else { -+ store_creds = s4u2self_creds;; -+ -+ /* We need to save the ticket with the requested server name -+ * or the caller won't be able to find it in cache. */ -+ if (!krb5_principal_compare(ctx, self_princ, -+ store_creds->server)) { -+ krb5_free_principal(ctx, store_creds->server); -+ store_creds->server = NULL; -+ code = krb5_copy_principal(ctx, self_princ, -+ &store_creds->server); -+ if (code != 0) { -+ goto done; -+ } -+ } -+ } -+ -+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, store_cc, store_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (expire_time) { -+ *expire_time = (time_t) store_creds->times.endtime; -+ } -+ -+ if (kdc_time) { -+ *kdc_time = (time_t) store_creds->times.starttime; -+ } -+ -+done: -+ krb5_cc_destroy(ctx, tmp_cc); -+ krb5_free_cred_contents(ctx, &init_creds); -+ krb5_free_creds(ctx, s4u2self_creds); -+ krb5_free_creds(ctx, s4u2proxy_creds); -+ krb5_free_principal(ctx, self_princ); -+ krb5_free_principal(ctx, target_princ); -+ -+ return code; -+} - #endif - - #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) -diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index a66b7465530..c8573f52bd9 100644 ---- a/lib/krb5_wrap/krb5_samba.h -+++ b/lib/krb5_wrap/krb5_samba.h -@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#ifdef SAMBA4_USES_HEIMDAL - krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_ccache store_cc, - krb5_principal init_principal, -@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#endif - - #if defined(HAVE_KRB5_MAKE_PRINCIPAL) - #define smb_krb5_make_principal krb5_make_principal -diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c -index 544d9d853cc..c14d8c72d8c 100644 ---- a/source4/auth/kerberos/kerberos_util.c -+++ b/source4/auth/kerberos/kerberos_util.c -@@ -234,9 +234,7 @@ done: - { - krb5_error_code ret; - const char *password; --#ifdef SAMBA4_USES_HEIMDAL - const char *self_service; --#endif - const char *target_service; - time_t kdc_time = 0; - krb5_principal princ; -@@ -268,9 +266,7 @@ done: - return ret; - } - --#ifdef SAMBA4_USES_HEIMDAL - self_service = cli_credentials_get_self_service(credentials); --#endif - target_service = cli_credentials_get_target_service(credentials); - - password = cli_credentials_get_password(credentials); -@@ -331,7 +327,6 @@ done: - #endif - if (password) { - if (impersonate_principal) { --#ifdef SAMBA4_USES_HEIMDAL - ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context, - ccache, - princ, -@@ -342,12 +337,6 @@ done: - krb_options, - NULL, - &kdc_time); --#else -- talloc_free(mem_ctx); -- (*error_string) = "INTERNAL error: s4u2 ops " -- "are not supported with MIT build yet"; -- return EINVAL; --#endif - } else { - ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, - ccache, --- -2.37.1 - - -From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 19 Sep 2020 14:16:20 +0200 -Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code - ---- - source4/kdc/mit_samba.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 03c2c2ea1de..30fade56531 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, - if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { - sflags |= SDB_F_CANON; - } -+#if KRB5_KDB_API_VERSION >= 10 -+ sflags |= SDB_F_FORCE_CANON; -+#endif - if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | - KRB5_KDB_FLAG_INCLUDE_PAC)) { - /* --- -2.37.1 - diff --git a/SOURCES/samba-systemd-sysusers.conf b/SOURCES/samba-systemd-sysusers.conf new file mode 100644 index 0000000..60ad7a5 --- /dev/null +++ b/SOURCES/samba-systemd-sysusers.conf @@ -0,0 +1,2 @@ +#Type Name ID +g printadmin - diff --git a/SOURCES/samba-usershares-systemd-sysusers.conf b/SOURCES/samba-usershares-systemd-sysusers.conf new file mode 100644 index 0000000..33f8fcb --- /dev/null +++ b/SOURCES/samba-usershares-systemd-sysusers.conf @@ -0,0 +1,2 @@ +#Type Name ID +g usershares - diff --git a/SOURCES/usershares.conf.vendor b/SOURCES/usershares.conf.vendor new file mode 100644 index 0000000..38a7885 --- /dev/null +++ b/SOURCES/usershares.conf.vendor @@ -0,0 +1,3 @@ +[global] + usershare max shares = 100 + usershare allow guests = yes diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 11a7cd8..dc69bc8 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -134,14 +134,9 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 100 - -%global samba_version 4.16.4 -%global talloc_version 2.3.3 -%global tdb_version 1.4.6 -%global tevent_version 0.12.0 -%global ldb_version 2.5.2 -# This should be rc1 or nil +%global samba_version 4.17.5 +%global baserelease 102 +# This should be rc1 or %%nil %global pre_release %nil %global samba_release %{baserelease} @@ -149,6 +144,37 @@ %global samba_release 0.%{baserelease}.%{pre_release} %endif + +# If one of those versions change, we need to make sure we rebuilt or adapt +# projects comsuming those. This is e.g. sssd, openchange, evolution-mapi, ... +%global libdcerpc_binding_so_version 0 +%global libdcerpc_server_core_so_version 0 +%global libdcerpc_so_version 0 +%global libndr_krb5pac_so_version 0 +%global libndr_nbt_so_version 0 +%global libndr_so_version 3 +%global libndr_standard_so_version 0 +%global libnetapi_so_version 1 +%global libsamba_credentials_so_version 1 +%global libsamba_errors_so_version 1 +%global libsamba_hostconfig_so_version 0 +%global libsamba_passdb_so_version 0 +%global libsamba_util_so_version 0 +%global libsamdb_so_version 0 +%global libsmbconf_so_version 0 +%global libsmbldap_so_version 2 +%global libtevent_util_so_version 0 + +%global libsmbclient_so_version 0 +%global libwbclient_so_version 0 + +%global talloc_version 2.3.4 +%global tdb_version 1.4.7 +%global tevent_version 0.13.0 +%global ldb_version 2.6.1 + +%global required_mit_krb5 1.20.1 + # This is a network daemon, do a hardened build # Enables PIE and full RELRO protection %global _hardened_build 1 @@ -165,25 +191,23 @@ %global libwbc_alternatives_suffix -64 %endif -%global required_mit_krb5 1.19 - %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" +# Make a copy of this variable to prevent repeated evaluation of the +# embedded shell command. Avoid recursive macro definition if undefined. +%{?python3_sitearch: %global python3_sitearch %{python3_sitearch}} + Name: samba Version: %{samba_version} Release: %{samba_release}%{?dist} -%if 0%{?rhel} -Epoch: 0 -%else +%if 0%{?fedora} Epoch: 2 +%else +Epoch: 0 %endif -%if 0%{?epoch} > 0 %global samba_depver %{epoch}:%{version}-%{release} -%else -%global samba_depver %{version}-%{release} -%endif Summary: Server and Client software to interoperate with Windows machines License: GPLv3+ and LGPLv3+ @@ -200,18 +224,14 @@ Source11: smb.conf.vendor Source12: smb.conf.example Source13: pam_winbind.conf Source14: samba.pamd -Source15: samba.abignore +Source15: usershares.conf.vendor +Source16: samba-systemd-sysusers.conf +Source17: samba-usershares-systemd-sysusers.conf Source201: README.downgrade - -Patch0: samba-s4u.patch -# https://gitlab.com/samba-team/samba/-/merge_requests/2477 -Patch1: samba-4.16-waf-crypto.patch +Source202: samba.abignore Requires(pre): /usr/sbin/groupadd -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} @@ -219,6 +239,8 @@ Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: %{name}-dcerpc = %{samba_depver} +Requires: libnetapi = %{samba_depver} %if %{with libwbclient} Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} @@ -284,14 +306,17 @@ BuildRequires: perl-generators BuildRequires: perl(Archive::Tar) BuildRequires: perl(Test::More) BuildRequires: popt-devel +BuildRequires: python3-cryptography BuildRequires: python3-devel BuildRequires: python3-dns +BuildRequires: python3-requests BuildRequires: python3-setuptools BuildRequires: quota-devel BuildRequires: readline-devel BuildRequires: rpcgen BuildRequires: rpcsvc-proto-devel BuildRequires: sed +BuildRequires: systemd-rpm-macros BuildRequires: libtasn1-devel # We need asn1Parser BuildRequires: libtasn1-tools @@ -324,17 +349,6 @@ BuildRequires: librados-devel BuildRequires: python3-etcd %endif -%if %{with dc} || %{with testsuite} -# Add python3-iso8601 to avoid that the -# version in Samba is being packaged -BuildRequires: python3-iso8601 -BuildRequires: python3-pyasn1 >= 0.4.8 - -BuildRequires: bind -BuildRequires: krb5-server >= %{required_mit_krb5} -#endif with dc -%endif - # pidl requirements BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(FindBin) @@ -365,10 +379,15 @@ BuildRequires: lmdb-devel %if %{with dc} || %{with testsuite} BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} +%if 0%{?fedora} || 0%{?rhel} >= 9 +BuildRequires: python3-dateutil +%else +BuildRequires: python3-iso8601 +%endif BuildRequires: python3-gpg BuildRequires: python3-markdown +BuildRequires: python3-pyasn1 >= 0.4.8 BuildRequires: python3-setproctitle -BuildRequires: python3-cryptography %if %{without includelibs} BuildRequires: tdb-tools @@ -488,30 +507,52 @@ SMB/CIFS clients. ### COMMON-TOOLS %package common-tools -Summary: Tools for Samba servers and clients +Summary: Tools for Samba clients Requires: samba-common-libs = %{samba_depver} Requires: samba-client-libs = %{samba_depver} Requires: samba-libs = %{samba_depver} +Requires: samba-ldb-ldap-modules = %{samba_depver} +Requires: libnetapi = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif -# samba-tool needs python3-samba -Requires: python3-%{name} = %{samba_depver} -# samba-tool needs tdbbackup -Requires: tdb-tools -%if %{with dc} -# samba-tool needs python3-samba-dc on a full build -Requires: python3-%{name}-dc = %{samba_depver} -# samba-tool needs mdb_copy for domain backup or upgrade provision -Requires: lmdb -%endif - Provides: bundled(libreplace) %description common-tools -The samba-common-tools package contains tools for Samba servers and -SMB/CIFS clients. +The samba-common-tools package contains tools for SMB/CIFS clients. + +### SAMBA-TOOLS +%package tools +Summary: Tools for Samba servers +# samba-tool needs python3-samba +Requires: python3-%{name} = %{samba_depver} +# samba-tool needs tdbbackup +Requires: tdb-tools +# samba-tool needs python3-samba-dc also on non-dc build +Requires: python3-%{name}-dc = %{samba_depver} +%if %{with dc} +# samba-tool needs mdb_copy for domain backup or upgrade provision +Requires: lmdb +%endif + +%description tools +The samba-tools package contains tools for Samba servers +and for GPO management on domain members. + +### RPC +%package dcerpc +Summary: DCE RPC binaries +Requires: samba-common-libs = %{samba_depver} +Requires: samba-client-libs = %{samba_depver} +Requires: samba-libs = %{samba_depver} +Requires: libnetapi = %{samba_depver} +%if %{with libwbclient} +Requires: libwbclient = %{samba_depver} +%endif + +%description dcerpc +The samba-dcerpc package contains binaries that serve DCERPC over named pipes. ### DC %if %{with dc} || %{with testsuite} @@ -520,6 +561,7 @@ Summary: Samba AD Domain Controller Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} +Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-dc-provision = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} @@ -557,6 +599,9 @@ BuildArch: noarch %description dc-provision The samba-dc-provision package provides files to setup a domain controller +#endif with dc || with testsuite +%endif + ### DC-LIBS %package dc-libs Summary: Samba AD Domain Controller Libraries @@ -573,6 +618,7 @@ Provides: bundled(libreplace) The %{name}-dc-libs package contains the libraries needed by the DC to link against the SMB, RPC and other protocols. +%if %{with dc} || %{with testsuite} ### DC-BIND %package dc-bind-dlz Summary: Bind DLZ module for Samba AD @@ -599,6 +645,7 @@ Requires: %{name}-client-libs = %{samba_depver} %if %{with dc} Requires: %{name}-dc-libs = %{samba_depver} %endif +Requires: libnetapi = %{samba_depver} Provides: samba4-devel = %{samba_depver} Obsoletes: samba4-devel < %{samba_depver} @@ -661,6 +708,22 @@ Provides: bundled(libreplace) Samba VFS module for GlusterFS integration. %endif +### GPUPDATE +%if %{with dc} +%package gpupdate +Summary: Samba GPO support for clients +Requires: cepces +Requires: certmonger +Requires: %{name}-ldb-ldap-modules = %{samba_depver} +Requires: python3-%{name} = %{samba_depver} + +%description gpupdate +This package provides the samba-gpupdate tool to apply Group Policy Objects +(GPO) on Samba clients. + +# /with dc +%endif + ### KRB5-PRINTING %package krb5-printing Summary: Samba CUPS backend for printing with Kerberos @@ -676,6 +739,16 @@ If you need Kerberos for print jobs to a printer connection to cups via the SMB backend, then you need to install that package. It will allow cups to access the Kerberos credentials cache of the user issuing the print job. +### LDB-LDAP-MODULES +%package ldb-ldap-modules +Summary: Samba ldap modules for ldb +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} + +%description ldb-ldap-modules +This package contains the ldb ldap modules required by samba-tool and +samba-gpupdate. + ### LIBS %package libs Summary: Samba libraries @@ -694,6 +767,25 @@ Provides: bundled(libreplace) The %{name}-libs package contains the libraries needed by programs that link against the SMB, RPC and other protocols provided by the Samba suite. +### LIBNETAPI +%package -n libnetapi +Summary: The NETAPI library +Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} + +%description -n libnetapi +This contains the NETAPI library from the Samba suite. + +%package -n libnetapi-devel +Summary: Developer tools for the NETAPI library +Requires: libnetapi = %{samba_depver} + +%description -n libnetapi-devel +The libnetapi-devel package contains the header files and libraries needed to +develop programs that link against the NETAPI library in the Samba suite. + ### LIBSMBCLIENT %if %{with libsmbclient} %package -n libsmbclient @@ -746,18 +838,17 @@ library. ### PYTHON3 %package -n python3-%{name} Summary: Samba Python3 libraries -Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} -%if %{with dc} Requires: %{name}-dc-libs = %{samba_depver} -%endif -Requires: python3-talloc -Requires: python3-tevent -Requires: python3-tdb -Requires: python3-ldb +Requires: python3-cryptography Requires: python3-dns +Requires: python3-ldb +Requires: python3-requests +Requires: python3-talloc +Requires: python3-tdb +Requires: python3-tevent %if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif @@ -788,7 +879,6 @@ Requires: %{name}-libs = %{samba_depver} The python3-%{name}-test package contains the Python libraries used by the test suite of Samba. If you want to run full set of Samba tests, you need to install this package. -%if %{with dc} || %{with testsuite} %package -n python3-samba-dc Summary: Samba Python libraries for Samba AD Requires: %{name}-client-libs = %{samba_depver} @@ -798,7 +888,6 @@ Requires: python3-%{name} = %{samba_depver} %description -n python3-samba-dc The python3-%{name}-dc package contains the Python libraries needed by programs to manage Samba AD. -%endif ### PIDL %package pidl @@ -831,6 +920,7 @@ Requires: %{name}-test-libs = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} %endif Requires: %{name}-libs = %{samba_depver} +Requires: libnetapi = %{samba_depver} %if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif @@ -867,6 +957,17 @@ Provides: bundled(libreplace) %description test-libs %{name}-test-libs provides libraries required by the testing tools. +### USERSHARES +%package usershares +Summary: Provides support for non-root user shares +Requires: %{name} = %{samba_depver} +Requires: %{name}-common-tools = %{samba_depver} + +%description usershares +Installing this package will provide a configuration file, group and +directories to support non-root user shares. You can configure them +as a user using the `net usershare` command. + ### WINBIND %package winbind Summary: Samba winbind @@ -880,11 +981,13 @@ Requires(post): %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires(post): %{name}-libs = %{samba_depver} Requires: %{name}-winbind-modules = %{samba_depver} +Recommends: %{name}-tools = %{samba_depver} %if %{with libwbclient} Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif +Requires: %{name}-dcerpc = %{samba_depver} Provides: samba4-winbind = %{samba_depver} Obsoletes: samba4-winbind < %{samba_depver} @@ -986,6 +1089,7 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB) Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-winbind-clients = %{samba_depver} Requires: coreutils # for ps and killall @@ -1085,7 +1189,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB %prep +%if 0%{?fedora} || 0%{?rhel} >= 9 +xzcat %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=- +%else xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - +%endif %autosetup -n samba-%{version}%{pre_release} -p1 # Ensure we rely on GnuTLS and do not build any other crypto code shipping with @@ -1191,6 +1299,9 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" --systemd-smb-extra=%{_systemd_extra} \ --systemd-nmb-extra=%{_systemd_extra} \ --systemd-winbind-extra=%{_systemd_extra} \ +%if %{with clustering} + --systemd-ctdb-extra=%{_systemd_extra} \ +%endif --systemd-samba-extra=%{_systemd_extra} # Do not use %%make_build, make is just a wrapper around waf in Samba! @@ -1214,6 +1325,7 @@ install -d -m 0755 %{buildroot}/var/lib/samba/lock install -d -m 0755 %{buildroot}/var/lib/samba/private install -d -m 0755 %{buildroot}/var/lib/samba/scripts install -d -m 0755 %{buildroot}/var/lib/samba/sysvol +install -d -m 0755 %{buildroot}/var/lib/samba/usershares install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged install -d -m 0755 %{buildroot}/var/log/samba/old install -d -m 0755 %{buildroot}/run/samba @@ -1241,6 +1353,7 @@ install -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/logrotate.d/samba install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/samba/smb.conf install -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/samba/smb.conf.example +install -m 0644 %{SOURCE15} %{buildroot}%{_sysconfdir}/samba/usershares.conf install -d -m 0755 %{buildroot}%{_sysconfdir}/security install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf @@ -1263,6 +1376,10 @@ echo "d /run/samba 755 root root" > %{buildroot}%{_tmpfilesdir}/samba.conf echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf %endif +install -d -m 0755 %{buildroot}%{_sysusersdir} +install -m 0644 %{SOURCE16} %{buildroot}%{_sysusersdir}/samba.conf +install -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/samba-usershares.conf + install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba %if %{with clustering} @@ -1276,10 +1393,6 @@ install -m 0644 ctdb/config/ctdb.conf %{buildroot}%{_sysconfdir}/ctdb/ctdb.conf install -m 0644 %{SOURCE201} packaging/README.downgrade -%if %{with clustering} -install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir} -%endif - # NetworkManager online/offline script install -d -m 0755 %{buildroot}%{_prefix}/lib/NetworkManager/dispatcher.d/ install -m 0755 packaging/NetworkManager/30-winbind-systemd \ @@ -1291,62 +1404,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %if %{without dc} && %{without testsuite} for i in \ - %{_libdir}/samba/libdfs-server-ad-samba4.so \ - %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \ - %{_libdir}/samba/libscavenge-dns-records-samba4.so \ %{_mandir}/man8/samba.8 \ %{_mandir}/man8/samba_downgrade_db.8 \ %{_mandir}/man8/samba-gpupdate.8 \ - %{_libdir}/samba/ldb/ildap.so \ - %{_libdir}/samba/ldb/ldbsamba_extensions.so \ %{_unitdir}/samba.service \ - %{python3_sitearch}/samba/dcerpc/dnsserver.*.so \ - %{python3_sitearch}/samba/dnsserver.py \ - %{python3_sitearch}/samba/domain_update.py \ - %{python3_sitearch}/samba/forest_update.py \ - %{python3_sitearch}/samba/kcc/__init__.py \ - %{python3_sitearch}/samba/kcc/debug.py \ - %{python3_sitearch}/samba/kcc/graph.py \ - %{python3_sitearch}/samba/kcc/graph_utils.py \ - %{python3_sitearch}/samba/kcc/kcc_utils.py \ - %{python3_sitearch}/samba/kcc/ldif_import_export.py \ - %{python3_sitearch}/samba/kcc/__pycache__/__init__.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/debug.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/graph.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/graph_utils.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/kcc_utils.*.pyc \ - %{python3_sitearch}/samba/kcc/__pycache__/ldif_import_export.*.pyc \ - %{python3_sitearch}/samba/ms_forest_updates_markdown.py \ - %{python3_sitearch}/samba/ms_schema_markdown.py \ - %{python3_sitearch}/samba/provision/__init__.py \ - %{python3_sitearch}/samba/provision/backend.py \ - %{python3_sitearch}/samba/provision/common.py \ - %{python3_sitearch}/samba/provision/kerberos_implementation.py \ - %{python3_sitearch}/samba/provision/kerberos.py \ - %{python3_sitearch}/samba/provision/sambadns.py \ - %{python3_sitearch}/samba/provision/__pycache__/__init__.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/backend.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/common.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/kerberos_implementation.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/kerberos.*.pyc \ - %{python3_sitearch}/samba/provision/__pycache__/sambadns.*.pyc \ - %{python3_sitearch}/samba/__pycache__/domain_update.*.pyc \ - %{python3_sitearch}/samba/__pycache__/forest_update.*.pyc \ - %{python3_sitearch}/samba/__pycache__/ms_forest_updates_markdown.*.pyc \ - %{python3_sitearch}/samba/__pycache__/ms_schema_markdown.*.pyc \ - %{python3_sitearch}/samba/__pycache__/remove_dc.*.pyc \ - %{python3_sitearch}/samba/__pycache__/schema.*.pyc \ - %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc \ - %{python3_sitearch}/samba/remove_dc.py \ - %{python3_sitearch}/samba/samdb.py \ - %{python3_sitearch}/samba/schema.py \ - %{python3_sitearch}/samba/third_party/iso8601/__init__.py \ - %{python3_sitearch}/samba/third_party/iso8601/__pycache__/__init__.*.pyc \ - %{python3_sitearch}/samba/third_party/iso8601/__pycache__/iso8601.*.pyc \ - %{python3_sitearch}/samba/third_party/iso8601/__pycache__/test_iso8601.*.pyc \ - %{python3_sitearch}/samba/third_party/iso8601/iso8601.py \ - %{python3_sitearch}/samba/third_party/iso8601/test_iso8601.py \ - %{python3_sitearch}/samba/uptodateness.py \ %{_sbindir}/samba-gpupdate \ ; do rm -f %{buildroot}$i @@ -1429,7 +1490,11 @@ export WINBINDD_DONT_LOG_STDOUT=1 %systemd_postun_with_restart nmb.service %pre common +%if 0%{?fedora} || 0%{?rhel} > 8 +%sysusers_create_compat %{SOURCE16} +%else getent group printadmin >/dev/null || groupadd -r printadmin || : +%endif %post common %{?ldconfig} @@ -1537,6 +1602,13 @@ fi %ldconfig_scriptlets test +%pre usershares +%if 0%{?fedora} || 0%{?rhel} > 8 +%sysusers_create_compat %{SOURCE17} +%else +getent group usershares >/dev/null || groupadd -r usershares || : +%endif + %pre winbind /usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || : @@ -1648,15 +1720,6 @@ fi %dir %{_libexecdir}/samba %{_libexecdir}/samba/samba-bgqd -%{_libexecdir}/samba/samba-dcerpcd -%{_libexecdir}/samba/rpcd_classic -%{_libexecdir}/samba/rpcd_epmapper -%{_libexecdir}/samba/rpcd_fsrvp -%{_libexecdir}/samba/rpcd_lsad -%{_libexecdir}/samba/rpcd_mdssvc -%{_libexecdir}/samba/rpcd_rpcecho -%{_libexecdir}/samba/rpcd_spoolss -%{_libexecdir}/samba/rpcd_winreg %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc @@ -1670,7 +1733,6 @@ fi %{_mandir}/man1/smbstatus.1* %{_mandir}/man8/eventlogadm.8* %{_mandir}/man8/samba-bgqd.8* -%{_mandir}/man8/samba-dcerpcd.8* %{_mandir}/man8/smbd.8* %{_mandir}/man8/nmbd.8* %{_mandir}/man8/vfs_acl_tdb.8* @@ -1795,23 +1857,22 @@ fi ### CLIENT-LIBS %files client-libs -%{_libdir}/libdcerpc-binding.so.* -%{_libdir}/libdcerpc-server-core.so.* -%{_libdir}/libdcerpc.so.* -%{_libdir}/libndr-krb5pac.so.* -%{_libdir}/libndr-nbt.so.* -%{_libdir}/libndr-standard.so.* -%{_libdir}/libndr.so.* -%{_libdir}/libnetapi.so.* -%{_libdir}/libsamba-credentials.so.* -%{_libdir}/libsamba-errors.so.* -%{_libdir}/libsamba-hostconfig.so.* -%{_libdir}/libsamba-passdb.so.* -%{_libdir}/libsamba-util.so.* -%{_libdir}/libsamdb.so.* -%{_libdir}/libsmbconf.so.* -%{_libdir}/libsmbldap.so.* -%{_libdir}/libtevent-util.so.* +%{_libdir}/libdcerpc-binding.so.%{libdcerpc_binding_so_version}* +%{_libdir}/libdcerpc-server-core.so.%{libdcerpc_server_core_so_version}* +%{_libdir}/libdcerpc.so.%{libdcerpc_so_version}* +%{_libdir}/libndr-krb5pac.so.%{libndr_krb5pac_so_version}* +%{_libdir}/libndr-nbt.so.%{libndr_nbt_so_version}* +%{_libdir}/libndr-standard.so.%{libndr_standard_so_version}* +%{_libdir}/libndr.so.%{libndr_so_version}* +%{_libdir}/libsamba-credentials.so.%{libsamba_credentials_so_version}* +%{_libdir}/libsamba-errors.so.%{libsamba_errors_so_version}* +%{_libdir}/libsamba-hostconfig.so.%{libsamba_hostconfig_so_version}* +%{_libdir}/libsamba-passdb.so.%{libsamba_passdb_so_version}* +%{_libdir}/libsamba-util.so.%{libsamba_util_so_version}* +%{_libdir}/libsamdb.so.%{libsamdb_so_version}* +%{_libdir}/libsmbconf.so.%{libsmbconf_so_version}* +%{_libdir}/libsmbldap.so.%{libsmbldap_so_version}* +%{_libdir}/libtevent-util.so.%{libtevent_util_so_version}* %dir %{_libdir}/samba %{_libdir}/samba/libCHARSET3-samba4.so @@ -1900,7 +1961,7 @@ fi %endif %if %{without libsmbclient} -%{_libdir}/samba/libsmbclient.so.* +%{_libdir}/samba/libsmbclient.so.%{libsmbclient_so_version}* %{_mandir}/man7/libsmbclient.7* #endif without libsmbclient %endif @@ -1930,6 +1991,7 @@ fi ### COMMON %files common %{_tmpfilesdir}/samba.conf +%{_sysusersdir}/samba.conf %dir %{_sysconfdir}/logrotate.d/ %config(noreplace) %{_sysconfdir}/logrotate.d/samba %attr(0700,root,root) %dir /var/log/samba @@ -1949,7 +2011,7 @@ fi %{_mandir}/man5/smbpasswd.5* %{_mandir}/man7/samba.7* -### COMMON-libs +### COMMON-LIBS %files common-libs # common libraries %{_libdir}/samba/libcmdline-samba4.so @@ -1961,11 +2023,11 @@ fi %{_libdir}/samba/pdb/smbpasswd.so %{_libdir}/samba/pdb/tdbsam.so +### COMMON-TOOLS %files common-tools %{_bindir}/net %{_bindir}/pdbedit %{_bindir}/profiles -%{_bindir}/samba-tool %{_bindir}/smbcontrol %{_bindir}/smbpasswd %{_bindir}/testparm @@ -1974,9 +2036,27 @@ fi %{_mandir}/man1/testparm.1* %{_mandir}/man8/net.8* %{_mandir}/man8/pdbedit.8* -%{_mandir}/man8/samba-tool.8* %{_mandir}/man8/smbpasswd.8* +### TOOLS +%files tools +%{_bindir}/samba-tool +%{_mandir}/man8/samba-tool.8* + +### RPC +%files dcerpc +%dir %{_libexecdir}/samba +%{_libexecdir}/samba/samba-dcerpcd +%{_libexecdir}/samba/rpcd_classic +%{_libexecdir}/samba/rpcd_epmapper +%{_libexecdir}/samba/rpcd_fsrvp +%{_libexecdir}/samba/rpcd_lsad +%{_libexecdir}/samba/rpcd_mdssvc +%{_libexecdir}/samba/rpcd_rpcecho +%{_libexecdir}/samba/rpcd_spoolss +%{_libexecdir}/samba/rpcd_winreg +%{_mandir}/man8/samba-dcerpcd.8* + ### DC %if %{with dc} || %{with testsuite} %files dc @@ -1984,7 +2064,6 @@ fi %{_sbindir}/samba %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_downgrade_db -%{_sbindir}/samba-gpupdate %{_sbindir}/samba_kcc %{_sbindir}/samba_spnupdate %{_sbindir}/samba_upgradedns @@ -1992,7 +2071,6 @@ fi %{_libdir}/krb5/plugins/kdb/samba.so %{_libdir}/samba/auth/samba4.so -%{_libdir}/samba/libpac-samba4.so %dir %{_libdir}/samba/gensec %{_libdir}/samba/gensec/krb5.so %{_libdir}/samba/ldb/acl.so @@ -2009,10 +2087,8 @@ fi %{_libdir}/samba/ldb/extended_dn_out.so %{_libdir}/samba/ldb/extended_dn_store.so %{_libdir}/samba/ldb/group_audit_log.so -%{_libdir}/samba/ldb/ildap.so %{_libdir}/samba/ldb/instancetype.so %{_libdir}/samba/ldb/lazy_commit.so -%{_libdir}/samba/ldb/ldbsamba_extensions.so %{_libdir}/samba/ldb/linked_attributes.so %{_libdir}/samba/ldb/new_partition.so %{_libdir}/samba/ldb/objectclass.so @@ -2047,7 +2123,6 @@ fi %dir /var/lib/samba/sysvol %{_mandir}/man8/samba.8* %{_mandir}/man8/samba_downgrade_db.8* -%{_mandir}/man8/samba-gpupdate.8* %dir %{_datadir}/samba/admx %{_datadir}/samba/admx/samba.admx %dir %{_datadir}/samba/admx/en-US @@ -2057,9 +2132,15 @@ fi %license source4/setup/ad-schema/licence.txt %{_datadir}/samba/setup +#endif with dc || with testsuite +%endif ### DC-LIBS %files dc-libs +%{_libdir}/samba/libauth4-samba4.so + +%if %{with dc} || %{with testsuite} %{_libdir}/samba/libdb-glue-samba4.so +%{_libdir}/samba/libpac-samba4.so %{_libdir}/samba/libprocess-model-samba4.so %{_libdir}/samba/libservice-samba4.so @@ -2157,7 +2238,6 @@ fi %{_includedir}/samba-4.0/ndr/ndr_krb5pac.h %{_includedir}/samba-4.0/ndr/ndr_svcctl.h %{_includedir}/samba-4.0/ndr/ndr_nbt.h -%{_includedir}/samba-4.0/netapi.h %{_includedir}/samba-4.0/param.h %{_includedir}/samba-4.0/passdb.h %{_includedir}/samba-4.0/policy.h @@ -2198,7 +2278,6 @@ fi %{_libdir}/libndr-nbt.so %{_libdir}/libndr-standard.so %{_libdir}/libndr.so -%{_libdir}/libnetapi.so %{_libdir}/libsamba-credentials.so %{_libdir}/libsamba-errors.so %{_libdir}/libsamba-hostconfig.so @@ -2212,7 +2291,6 @@ fi %{_libdir}/pkgconfig/ndr_krb5pac.pc %{_libdir}/pkgconfig/ndr_nbt.pc %{_libdir}/pkgconfig/ndr_standard.pc -%{_libdir}/pkgconfig/netapi.pc %{_libdir}/pkgconfig/samba-credentials.pc %{_libdir}/pkgconfig/samba-hostconfig.pc %{_libdir}/pkgconfig/samba-util.pc @@ -2259,17 +2337,28 @@ fi %{_mandir}/man8/vfs_glusterfs.8* %endif +### GPUPDATE +%if %{with dc} +%files gpupdate +%{_mandir}/man8/samba-gpupdate.8* +%{_sbindir}/samba-gpupdate +%endif + ### KRB5-PRINTING %files krb5-printing %attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper %{_mandir}/man8/smbspool_krb5_wrapper.8* +### LDB-LDAP-MODULES +%files ldb-ldap-modules +%{_libdir}/samba/ldb/ldbsamba_extensions.so +%{_libdir}/samba/ldb/ildap.so + ### LIBS %files libs %{_libdir}/libdcerpc-samr.so.* %{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so -%{_libdir}/samba/libauth4-samba4.so %{_libdir}/samba/libauth-unix-token-samba4.so %{_libdir}/samba/libdcerpc-samba4.so %{_libdir}/samba/libdnsserver-common-samba4.so @@ -2280,6 +2369,16 @@ fi %{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so %{_libdir}/samba/libRPC-WORKER-samba4.so +### LIBNETAPI +%files -n libnetapi +%{_libdir}/libnetapi.so.%{libnetapi_so_version}* + +### LIBNETAPI-DEVEL +%files -n libnetapi-devel +%{_includedir}/samba-4.0/netapi.h +%{_libdir}/libnetapi.so +%{_libdir}/pkgconfig/netapi.pc + ### LIBSMBCLIENT %if %{with libsmbclient} %files -n libsmbclient @@ -2297,7 +2396,7 @@ fi ### LIBWBCLIENT %if %{with libwbclient} %files -n libwbclient -%{_libdir}/samba/wbclient/libwbclient.so.* +%{_libdir}/samba/wbclient/libwbclient.so.%{libwbclient_so_version}* ### LIBWBCLIENT-DEVEL %files -n libwbclient-devel @@ -2367,18 +2466,6 @@ fi %{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc -%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_cert_auto_enroll_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_chromium_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_firefox_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_firewalld_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_smb_conf_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_sudoers_ext.*.pyc %{python3_sitearch}/samba/__pycache__/graph.*.pyc %{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc %{python3_sitearch}/samba/__pycache__/idmap.*.pyc @@ -2396,14 +2483,6 @@ fi %{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_access_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_files_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_issue_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_motd_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_openssh_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_startup_scripts_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_sudoers_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_symlink_ext.*.pyc %{python3_sitearch}/samba/__pycache__/xattr.*.pyc %{python3_sitearch}/samba/_glue.*.so %{python3_sitearch}/samba/_ldb.*.so @@ -2465,11 +2544,6 @@ fi %{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py -%{python3_sitearch}/samba/gpclass.py -%{python3_sitearch}/samba/gp_gnome_settings_ext.py -%{python3_sitearch}/samba/gp_scripts_ext.py -%{python3_sitearch}/samba/gp_sec_ext.py -%{python3_sitearch}/samba/gpo.*.so %{python3_sitearch}/samba/graph.py %{python3_sitearch}/samba/hostconfig.py %{python3_sitearch}/samba/idmap.py @@ -2488,14 +2562,57 @@ fi %{python3_sitearch}/samba/emulate/__init__.py %{python3_sitearch}/samba/emulate/traffic.py %{python3_sitearch}/samba/emulate/traffic_packets.py -%{python3_sitearch}/samba/gp_cert_auto_enroll_ext.py -%{python3_sitearch}/samba/gp_chromium_ext.py -%{python3_sitearch}/samba/gp_ext_loader.py -%{python3_sitearch}/samba/gp_firefox_ext.py -%{python3_sitearch}/samba/gp_firewalld_ext.py -%{python3_sitearch}/samba/gp_msgs_ext.py -%{python3_sitearch}/samba/gp_smb_conf_ext.py -%{python3_sitearch}/samba/gp_sudoers_ext.py +%dir %{python3_sitearch}/samba/gp +%dir %{python3_sitearch}/samba/gp/__pycache__ +%{python3_sitearch}/samba/gp/__pycache__/gpclass.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_crontab_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_cert_auto_enroll_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_chromium_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_firefox_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_firewalld_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_gnome_settings_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_msgs_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_scripts_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_sec_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_smb_conf_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_access_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_files_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_issue_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_motd_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_openssh_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_startup_scripts_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_symlink_ext.*.pyc +%{python3_sitearch}/samba/gp/gpclass.py +%{python3_sitearch}/samba/gp/gp_gnome_settings_ext.py +%{python3_sitearch}/samba/gp/gp_scripts_ext.py +%{python3_sitearch}/samba/gp/gp_sec_ext.py +%{python3_sitearch}/samba/gp/gp_centrify_crontab_ext.py +%{python3_sitearch}/samba/gp/gp_centrify_sudoers_ext.py +%{python3_sitearch}/samba/gp/gp_cert_auto_enroll_ext.py +%{python3_sitearch}/samba/gp/gp_chromium_ext.py +%{python3_sitearch}/samba/gp/gp_ext_loader.py +%{python3_sitearch}/samba/gp/gp_firefox_ext.py +%{python3_sitearch}/samba/gp/gp_firewalld_ext.py +%{python3_sitearch}/samba/gp/gp_msgs_ext.py +%{python3_sitearch}/samba/gp/gp_smb_conf_ext.py +%{python3_sitearch}/samba/gp/gp_sudoers_ext.py +%dir %{python3_sitearch}/samba/gp/util +%dir %{python3_sitearch}/samba/gp/util/__pycache__ +%{python3_sitearch}/samba/gp/util/__pycache__/logging.*.pyc +%{python3_sitearch}/samba/gp/util/logging.py +%{python3_sitearch}/samba/gp/vgp_access_ext.py +%{python3_sitearch}/samba/gp/vgp_files_ext.py +%{python3_sitearch}/samba/gp/vgp_issue_ext.py +%{python3_sitearch}/samba/gp/vgp_motd_ext.py +%{python3_sitearch}/samba/gp/vgp_openssh_ext.py +%{python3_sitearch}/samba/gp/vgp_startup_scripts_ext.py +%{python3_sitearch}/samba/gp/vgp_sudoers_ext.py +%{python3_sitearch}/samba/gp/vgp_symlink_ext.py +%{python3_sitearch}/samba/gpo.*.so %dir %{python3_sitearch}/samba/gp_parse %{python3_sitearch}/samba/gp_parse/__init__.py %dir %{python3_sitearch}/samba/gp_parse/__pycache__ @@ -2590,9 +2707,11 @@ fi %{python3_sitearch}/samba/samba3/mdscli.*.so %{python3_sitearch}/samba/samba3/param.*.so %{python3_sitearch}/samba/samba3/passdb.*.so +%{python3_sitearch}/samba/samba3/smbconf.*.so %{python3_sitearch}/samba/samba3/smbd.*.so %{python3_sitearch}/samba/sd_utils.py %{python3_sitearch}/samba/sites.py +%{python3_sitearch}/samba/smbconf.*.so %{python3_sitearch}/samba/subnets.py %dir %{python3_sitearch}/samba/subunit %{python3_sitearch}/samba/subunit/__init__.py @@ -2604,14 +2723,6 @@ fi %{python3_sitearch}/samba/trust_utils.py %{python3_sitearch}/samba/upgrade.py %{python3_sitearch}/samba/upgradehelpers.py -%{python3_sitearch}/samba/vgp_access_ext.py -%{python3_sitearch}/samba/vgp_files_ext.py -%{python3_sitearch}/samba/vgp_issue_ext.py -%{python3_sitearch}/samba/vgp_motd_ext.py -%{python3_sitearch}/samba/vgp_openssh_ext.py -%{python3_sitearch}/samba/vgp_startup_scripts_ext.py -%{python3_sitearch}/samba/vgp_sudoers_ext.py -%{python3_sitearch}/samba/vgp_symlink_ext.py %{python3_sitearch}/samba/werror.*.so %{python3_sitearch}/samba/xattr.py %{python3_sitearch}/samba/xattr_native.*.so @@ -2641,7 +2752,6 @@ fi %{_libdir}/libsamba-policy.*.so %{_libdir}/pkgconfig/samba-policy.*.pc -%if %{with dc} || %{with testsuite} %files -n python3-%{name}-dc %{python3_sitearch}/samba/samdb.py %{python3_sitearch}/samba/schema.py @@ -2657,7 +2767,9 @@ fi %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc %{python3_sitearch}/samba/dcerpc/dnsserver.*.so +%if %{with dc} || %{with testsuite} %{python3_sitearch}/samba/dckeytab.*.so +%endif %{python3_sitearch}/samba/domain_update.py %{python3_sitearch}/samba/forest_update.py %{python3_sitearch}/samba/ms_forest_updates_markdown.py @@ -2698,7 +2810,6 @@ fi %{python3_sitearch}/samba/remove_dc.py %{python3_sitearch}/samba/uptodateness.py -%endif %files -n python3-%{name}-test %dir %{python3_sitearch}/samba/tests @@ -2757,6 +2868,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/logfiles.*.pyc %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc @@ -2774,6 +2886,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/ntlm_auth_krb5.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_chauthtok.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/pam_winbind_setcred.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_warn_pwd_expire.*.pyc %{python3_sitearch}/samba/tests/__pycache__/param.*.pyc %{python3_sitearch}/samba/tests/__pycache__/password_hash.*.pyc @@ -2804,7 +2917,9 @@ fi %{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sid_strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/smbconf.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb-notify.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc @@ -2839,6 +2954,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_dns.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls.*.pyc @@ -2855,6 +2971,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py %{python3_sitearch}/samba/tests/blackbox/mdsearch.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py +%{python3_sitearch}/samba/tests/blackbox/netads_dns.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py %{python3_sitearch}/samba/tests/blackbox/smbcacls.py @@ -2973,14 +3090,18 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/etype_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/lockout_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/nt_hash_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/protected_users_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc @@ -3000,14 +3121,18 @@ fi %{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py %{python3_sitearch}/samba/tests/krb5/as_req_tests.py %{python3_sitearch}/samba/tests/krb5/compatability_tests.py +%{python3_sitearch}/samba/tests/krb5/etype_tests.py %{python3_sitearch}/samba/tests/krb5/fast_tests.py %{python3_sitearch}/samba/tests/krb5/kcrypto.py %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py %{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py +%{python3_sitearch}/samba/tests/krb5/lockout_tests.py %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +%{python3_sitearch}/samba/tests/krb5/nt_hash_tests.py %{python3_sitearch}/samba/tests/krb5/pac_align_tests.py +%{python3_sitearch}/samba/tests/krb5/protected_users_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py @@ -3030,6 +3155,7 @@ fi %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py +%{python3_sitearch}/samba/tests/logfiles.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py %{python3_sitearch}/samba/tests/ndr.py @@ -3046,6 +3172,7 @@ fi %{python3_sitearch}/samba/tests/ntlm_auth_krb5.py %{python3_sitearch}/samba/tests/pam_winbind.py %{python3_sitearch}/samba/tests/pam_winbind_chauthtok.py +%{python3_sitearch}/samba/tests/pam_winbind_setcred.py %{python3_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py %{python3_sitearch}/samba/tests/param.py %{python3_sitearch}/samba/tests/password_hash.py @@ -3154,7 +3281,9 @@ fi %{python3_sitearch}/samba/tests/sddl.py %{python3_sitearch}/samba/tests/security.py %{python3_sitearch}/samba/tests/segfault.py +%{python3_sitearch}/samba/tests/sid_strings.py %{python3_sitearch}/samba/tests/smb.py +%{python3_sitearch}/samba/tests/smbconf.py %{python3_sitearch}/samba/tests/smb-notify.py %{python3_sitearch}/samba/tests/smbd_base.py %{python3_sitearch}/samba/tests/smbd_fuzztest.py @@ -3197,6 +3326,12 @@ fi %{_libdir}/samba/libdsdb-module-samba4.so %endif +### USERSHARES +%files usershares +%config(noreplace) %{_sysconfdir}/samba/usershares.conf +%attr(1770,root,usershares) %dir /var/lib/samba/usershares +%{_sysusersdir}/samba-usershares.conf + ### WINBIND %files winbind %{_libdir}/samba/idmap @@ -3275,7 +3410,6 @@ fi %config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check %{_sbindir}/ctdbd -%{_sbindir}/ctdbd_wrapper %{_bindir}/ctdb %{_bindir}/ctdb_diagnostics %{_bindir}/ltdbtool @@ -3308,7 +3442,6 @@ fi %{_mandir}/man1/onnode.1.gz %{_mandir}/man1/ltdbtool.1.gz %{_mandir}/man1/ping_pong.1.gz -%{_mandir}/man1/ctdbd_wrapper.1.gz %{_mandir}/man5/ctdb.conf.5.gz %{_mandir}/man5/ctdb-script.options.5.gz %{_mandir}/man5/ctdb.sysconfig.5.gz @@ -4164,6 +4297,43 @@ fi %endif %changelog +* Wed Feb 15 2023 Pavel Filipenský - 4.17.5-102 +- resolves: rhbz#2169980 - Fix winbind memory leak +- resolves: rhbz#2156056 - Fix Samba shares not accessible issue + +* Mon Feb 13 2023 Pavel Filipenský - 4.17.5-101 +- resolves: rhbz#2168534 - Create package samba-tools + +* Fri Jan 27 2023 Pavel Filipenský - 4.17.5-100 +- related: rhbz#2131993 - Update to version 4.17.5 + +* Thu Dec 22 2022 Pavel Filipenský - 4.17.4-102 +- related: rhbz#2131993 - Create package dc-libs also for 'non-dc build' + +* Wed Dec 21 2022 Pavel Filipenský - 4.17.4-101 +- related: rhbz#2131993 - Rebuild for MIT Kerberos 1.20.1 + +* Mon Dec 19 2022 Pavel Filipenský - 4.17.4-100 +- related: rhbz#2131993 - Update to version 4.17.4 +- resolves: rhbz#2154373 - Fix CVE-2022-38023 +- resolves: rhbz#2143196 - Fix %U include directive for share listing (netshareenum) +- resolves: rhbz#2114884 - Fix id command to return new groups after successful user login +- resolves: rhbz#2154885 - Fix Winbind to retrieve user groups from Active Directory + +* Wed Nov 02 2022 Pavel Filipenský - 4.17.2-103 +- Always add epoch to samba_depver to fix osci.brew-build.rpmdeplint.functional +- related: rhbz#2131993 + +* Wed Oct 26 2022 Andreas Schneider - 4.17.2-102 +- Fix CVE-2022-1615 GnuTLS gnutls_rnd() can fail and give predictable random values +- resolves: rhbz#2126175 + +* Wed Oct 26 2022 Andreas Schneider - 4.17.2-101 +- resolves: rhbz#2131993 - Update to version 4.17.2 + +* Thu Aug 25 2022 Andreas Schneider - 4.16.4-101 +- resolves: rhbz#2121317 - Do not require samba package in python3-samba + * Wed Jul 27 2022 Andreas Schneider - 4.16.4-100 - Rebase to version 4.16.4 - resolves: rhbz#2108332 - Fix CVE-2022-32742