From aec19cff4b0c1d7836a75c34594a327fe492936f Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Mon, 30 Mar 2026 11:03:00 -0400 Subject: [PATCH] import CS samba-4.23.5-6.el9 --- .gitignore | 2 +- .samba.metadata | 2 +- SOURCES/redhat-4.22.patch | 492 ------------------ SOURCES/redhat-4.23.patch | 957 +++++++++++++++++++++++++++++++++++ SOURCES/samba-4.22.4.tar.asc | 16 - SOURCES/samba-4.23.5.tar.asc | 16 + SOURCES/smb.conf.vendor | 3 + SPECS/samba.spec | 144 +++++- 8 files changed, 1114 insertions(+), 518 deletions(-) delete mode 100644 SOURCES/redhat-4.22.patch create mode 100644 SOURCES/redhat-4.23.patch delete mode 100644 SOURCES/samba-4.22.4.tar.asc create mode 100644 SOURCES/samba-4.23.5.tar.asc diff --git a/.gitignore b/.gitignore index 8a9f3b9..2de4b69 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.22.4.tar.xz +SOURCES/samba-4.23.5.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index 8bd141f..646b34e 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -1437538612045e08c3dde1527825d11a11a6d71f SOURCES/samba-4.22.4.tar.xz +19e3789510e8306f9584f56e198559f5c1c5bbc2 SOURCES/samba-4.23.5.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/redhat-4.22.patch b/SOURCES/redhat-4.22.patch deleted file mode 100644 index ae37fbd..0000000 --- a/SOURCES/redhat-4.22.patch +++ /dev/null @@ -1,492 +0,0 @@ -From b0ff8644c06b01252bdbac6a31c77c5781d4b5a0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 29 Jul 2025 11:19:07 +0200 -Subject: [PATCH 1/3] selftest: Add the short name for localvampiredc to hosts - file -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 5d2f60ae5aa96751b74901ae5384291ef338b152) ---- - selftest/target/Samba4.pm | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index 9da339f6239..af0434a8e6b 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -878,7 +878,7 @@ nogroup:x:65534:nobody - - my $hostname = lc($ctx->{hostname}); - open(HOSTS, ">>$ctx->{nsswrap_hosts}"); -- if ($hostname eq "localdc") { -+ if ($hostname eq "localdc" || $hostname eq "localvampiredc") { - print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n"; - print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n"; - } else { --- -2.51.0 - - -From 03431792b4707e50afc8f9e356f08a91f4fb67c3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 4 Aug 2025 11:20:54 +0200 -Subject: [PATCH 2/3] tests: Add test for 'net ads join' to a preferred DC -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 36f6ac547c09f492d1dcab11570e8bcbd377cf26) ---- - selftest/knownfail | 1 + - source4/selftest/tests.py | 1 + - .../test_net_ads_join_to_preferred_dc.sh | 61 +++++++++++++++++++ - 3 files changed, 63 insertions(+) - create mode 100755 testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh - -diff --git a/selftest/knownfail b/selftest/knownfail -index ab2d79d7114..7c0e9dd00e7 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -335,6 +335,7 @@ - ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.* - ^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued_clean - ^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing -+^samba4.blackbox.net_ads_join.join - - # We currently don't send referrals for LDAP modify of non-replicated attrs - ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 9c5e85e428a..14a41ba77ed 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -902,6 +902,7 @@ plantestsuite("samba4.blackbox.rfc2307_mapping", - plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', r"CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX/chgdcpass', "aes256-cts-hmac-sha1-96", '$PREFIX/chgdcpass', smbclient3]) - plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass']) - plantestsuite("samba4.blackbox.net_ads", "ad_dc:client", [os.path.join(bbdir, "test_net_ads.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS']) -+plantestsuite("samba4.blackbox.net_ads_join", "vampire_dc:client", [os.path.join(bbdir, "test_net_ads_join_to_preferred_dc.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX']) - plantestsuite("samba4.blackbox.net_offlinejoin", "ad_dc:client", [os.path.join(bbdir, "test_net_offline.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS']) - plantestsuite("samba4.blackbox.client_etypes_all(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'all', '17_18_23']) - plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'legacy', '23']) -diff --git a/testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh b/testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh -new file mode 100755 -index 00000000000..1bebc2f4dbe ---- /dev/null -+++ b/testprogs/blackbox/test_net_ads_join_to_preferred_dc.sh -@@ -0,0 +1,61 @@ -+if [ $# -lt 4 ]; then -+ cat </dev/null | sha1sum | cut -b 1-10) -+ -+RUNDIR=$(pwd) -+cd $BASEDIR -+WORKDIR=$(mktemp -d -p .) -+WORKDIR=$(basename $WORKDIR) -+cp -a client/* $WORKDIR/ -+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf -+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf -+rm -f $WORKDIR/private/secrets.tdb -+cd $RUNDIR -+ -+failed=0 -+ -+net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads" -+ -+# Load test functions -+. $(dirname $0)/subunit.sh -+. "$(dirname "${0}")/common_test_fns.inc" -+ -+# This test is run in environment with two DCs ('localdc' and 'localvampiredc') -+# The 'net ads join' has these two steps: -+# 1. create machine account at DC ('-S' points to 'localvampiredc') -+# 2. create keytab and sync the KVNO from a DC -+# -+# It must be ensured that in step #2 the keytab code contacts the same DC -+# ('localvampiredc'). The configuration below tries to break it. -+# We disable [SAF/DOMAIN/...] and [SAFJOIN/DOMAIN/...] by setting TTL to '-1' -+# And via setting 'password server' to 'localdc' we manage that -+# get_dc_list() returns 'localdc' instead of 'localvampiredc' -+# -+# As long as the keytab code is not explicitly told to use the same DC as join, -+# we get failure: -+# gensec_gse_client_prepare_ccache: Kinit for F0D26C71F6$@SAMBA.EXAMPLE.COM to access ldap/localdc.samba.example.com failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE -+ -+cat <>$BASEDIR/$WORKDIR/client.conf -+sync machine password to keytab = $BASEDIR/keytab:account_name:machine_password:sync_kvno -+password server = $DC_SERVER -+saf: join ttl = -1 -+saf: ttl = -1 -+EOF -+ -+testit "join" $VALGRIND $net_tool ads join -S$SERVER -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) -+ -+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1) -+ -+rm -rf $BASEDIR/$WORKDIR -+ -+exit $failed --- -2.51.0 - - -From 5cff37091161976a979752351003c9c1deb0d39f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 28 Jul 2025 10:43:36 +0200 -Subject: [PATCH 3/3] s3:net: Pass down the server from cmdline to - sync_pw2keytabs() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This makes sure that during 'net ads join' the keytab create code -- sync_pw2keytabs() talks to the same DC at what the machine account -was created. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905 - -Signed-off-by: Andreas Schneider -Signed-off-by: Pavel Filipenský -Pair-Programmed-With: Pavel Filipenský - -Reviewed-by: Alexander Bokovoy - -Autobuild-User(master): Pavel Filipensky -Autobuild-Date(master): Fri Sep 5 13:38:33 UTC 2025 on atb-devel-224 - -(cherry picked from commit 5d1d3a8b568b5a07ed1ed537d20aa93820cecc14) ---- - selftest/knownfail | 1 - - source3/include/secrets.h | 25 ++++++++++++++---------- - source3/libads/ads_proto.h | 2 +- - source3/libads/kerberos_keytab.c | 24 ++++++++++++++++++++--- - source3/libads/trusts_util.c | 15 ++++++++------ - source3/libads/util.c | 10 ++++++---- - source3/libnet/libnet_join.c | 2 +- - source3/passdb/machine_account_secrets.c | 10 ++++++---- - source3/utils/net.c | 10 ++++++---- - source3/utils/net_ads.c | 2 +- - 10 files changed, 66 insertions(+), 35 deletions(-) - -diff --git a/selftest/knownfail b/selftest/knownfail -index 7c0e9dd00e7..ab2d79d7114 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -335,7 +335,6 @@ - ^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.* - ^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued_clean - ^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing --^samba4.blackbox.net_ads_join.join - - # We currently don't send referrals for LDAP modify of non-replicated attrs - ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* -diff --git a/source3/include/secrets.h b/source3/include/secrets.h -index a454c8bb8ff..061b9c6ef34 100644 ---- a/source3/include/secrets.h -+++ b/source3/include/secrets.h -@@ -125,12 +125,15 @@ char *secrets_domain_info_string(TALLOC_CTX *mem_ctx, const struct secrets_domai - NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain, - TALLOC_CTX *mem_ctx, - struct secrets_domain_info1 **pinfo); --NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname, -- const char *cleartext_unix, -- TALLOC_CTX *mem_ctx, -- struct secrets_domain_info1 **pinfo, -- struct secrets_domain_info1_change **pprev, -- NTSTATUS (*sync_pw2keytabs_fn)(void)); -+NTSTATUS secrets_prepare_password_change( -+ const char *domain, -+ const char *dcname, -+ const char *cleartext_unix, -+ TALLOC_CTX *mem_ctx, -+ struct secrets_domain_info1 **pinfo, -+ struct secrets_domain_info1_change **pprev, -+ NTSTATUS (*sync_pw2keytabs_fn)(const char *), -+ const char *opt_host); - NTSTATUS secrets_failed_password_change(const char *change_server, - NTSTATUS local_status, - NTSTATUS remote_status, -@@ -139,10 +142,12 @@ NTSTATUS secrets_defer_password_change(const char *change_server, - NTSTATUS local_status, - NTSTATUS remote_status, - const struct secrets_domain_info1 *info); --NTSTATUS secrets_finish_password_change(const char *change_server, -- NTTIME change_time, -- const struct secrets_domain_info1 *info, -- NTSTATUS (*sync_pw2keytabs_fn)(void)); -+NTSTATUS secrets_finish_password_change( -+ const char *change_server, -+ NTTIME change_time, -+ const struct secrets_domain_info1 *info, -+ NTSTATUS (*sync_pw2keytabs_fn)(const char *), -+ const char *prefer_dc); - bool secrets_delete_machine_password_ex(const char *domain, const char *realm); - bool secrets_delete_domain_sid(const char *domain); - char *secrets_fetch_prev_machine_password(const char *domain); -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h -index 8440c35e46d..2e67eef155c 100644 ---- a/source3/libads/ads_proto.h -+++ b/source3/libads/ads_proto.h -@@ -230,6 +230,6 @@ struct spn_struct { - /* parse a windows style SPN, returns NULL if parsing fails */ - struct spn_struct *parse_spn(TALLOC_CTX *ctx, const char *srvprinc); - --NTSTATUS sync_pw2keytabs(void); -+NTSTATUS sync_pw2keytabs(const char *prefer_dc); - - #endif /* _LIBADS_ADS_PROTO_H_ */ -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index 49a892e5a55..1d4f9c12e1d 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -84,6 +84,7 @@ struct pw2kt_global_state { - char *ad_upn; - char *ad_sam_account; - char **ad_spn_array; -+ const char *prefer_dc; - size_t ad_num_spns; - /* This is from secrets.db */ - struct secrets_domain_info1 *info; -@@ -869,8 +870,11 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_global_state *state) - int count; - bool ok; - TALLOC_CTX *tmp_ctx = talloc_stackframe(); -- ADS_STRUCT *ads = ads_init( -- tmp_ctx, lp_realm(), lp_workgroup(), NULL, ADS_SASL_SIGN); -+ ADS_STRUCT *ads = ads_init(tmp_ctx, -+ lp_realm(), -+ lp_workgroup(), -+ state->prefer_dc, -+ ADS_SASL_SIGN); - - if (ads == NULL) { - DBG_ERR("ads_init() failed\n"); -@@ -1029,7 +1033,20 @@ static bool pw2kt_default_keytab_name(char *name_str, size_t name_size) - return true; - } - --NTSTATUS sync_pw2keytabs(void) -+/** -+ * @internal -+ * -+ * @brief Sync machine password from secrets to keytab -+ * -+ * @param prefer_dc The DC we should talk to. This is especially important -+ * during domain join. Pass NULL if we should pick a random -+ * one. -+ * -+ * @return An NTSTATUS error code. -+ * -+ * @see NT_STATUS_IS_OK() -+ */ -+NTSTATUS sync_pw2keytabs(const char *prefer_dc) - { - TALLOC_CTX *frame = talloc_stackframe(); - const struct loadparm_substitution *lp_sub = -@@ -1055,6 +1072,7 @@ NTSTATUS sync_pw2keytabs(void) - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } -+ state->prefer_dc = prefer_dc; - - lp_ptr = lp_sync_machine_password_to_keytab(); - if (lp_ptr == NULL) { -diff --git a/source3/libads/trusts_util.c b/source3/libads/trusts_util.c -index 6a39f32f350..c51c556e86b 100644 ---- a/source3/libads/trusts_util.c -+++ b/source3/libads/trusts_util.c -@@ -360,10 +360,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, - &info, - &prev, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ NULL /* opt_host */); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("secrets_prepare_password_change() failed for domain %s!\n", - domain)); -@@ -610,10 +611,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, - prev->password->change_time, - info, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ prev->password->change_server); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("secrets_prepare_password_change() failed for domain %s!\n", - domain)); -@@ -759,10 +761,11 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, - info->next_change->change_time, - info, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ info->next_change->change_server); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("secrets_finish_password_change() failed for domain %s!\n", - domain)); -diff --git a/source3/libads/util.c b/source3/libads/util.c -index 243dd09f3d0..360e556ab9b 100644 ---- a/source3/libads/util.c -+++ b/source3/libads/util.c -@@ -59,10 +59,11 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip - &info, - &prev, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ ads->auth.kdc_server); - if (!NT_STATUS_IS_OK(status)) { - return ADS_ERROR_NT(status); - } -@@ -138,10 +139,11 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip - now, - info, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ ads->auth.kdc_server); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1,("Failed to save machine password\n")); - return ADS_ERROR_NT(status); -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 5796c68e2e0..cb997dcbe23 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -867,7 +867,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, - static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { -- NTSTATUS ntstatus = sync_pw2keytabs(); -+ NTSTATUS ntstatus = sync_pw2keytabs(r->in.dc_name); - - return NT_STATUS_IS_OK(ntstatus); - } -diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c -index 0679535f026..568d77a3892 100644 ---- a/source3/passdb/machine_account_secrets.c -+++ b/source3/passdb/machine_account_secrets.c -@@ -1674,7 +1674,8 @@ NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname, - TALLOC_CTX *mem_ctx, - struct secrets_domain_info1 **pinfo, - struct secrets_domain_info1_change **pprev, -- NTSTATUS (*sync_pw2keytabs_fn)(void)) -+ NTSTATUS (*sync_pw2keytabs_fn)(const char *), -+ const char *opt_host) - { - TALLOC_CTX *frame = talloc_stackframe(); - struct db_context *db = NULL; -@@ -1770,7 +1771,7 @@ NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname, - } - - if (prev == NULL && sync_pw2keytabs_fn != NULL) { -- status = sync_pw2keytabs_fn(); -+ status = sync_pw2keytabs_fn(opt_host); - if (!NT_STATUS_IS_OK(status)) { - DBG_ERR("Sync of machine password failed.\n"); - dbwrap_transaction_cancel(db); -@@ -2023,7 +2024,8 @@ NTSTATUS secrets_defer_password_change(const char *change_server, - NTSTATUS secrets_finish_password_change(const char *change_server, - NTTIME change_time, - const struct secrets_domain_info1 *cookie, -- NTSTATUS (*sync_pw2keytabs_fn)(void)) -+ NTSTATUS (*sync_pw2keytabs_fn)(const char *), -+ const char *prefer_dc) - { - const char *domain = cookie->domain_info.name.string; - TALLOC_CTX *frame = talloc_stackframe(); -@@ -2102,7 +2104,7 @@ NTSTATUS secrets_finish_password_change(const char *change_server, - } - - if (sync_pw2keytabs_fn != NULL) { -- status = sync_pw2keytabs_fn(); -+ status = sync_pw2keytabs_fn(prefer_dc); - if (!NT_STATUS_IS_OK(status)) { - DBG_ERR("Sync of machine password failed.\n"); - TALLOC_FREE(frame); -diff --git a/source3/utils/net.c b/source3/utils/net.c -index 7ce93ced79e..ecabd980d0c 100644 ---- a/source3/utils/net.c -+++ b/source3/utils/net.c -@@ -235,10 +235,11 @@ static int net_changesecretpw(struct net_context *c, int argc, - &info, - &prev, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ c->opt_host); - if (!NT_STATUS_IS_OK(status)) { - d_fprintf(stderr, - _("Unable to write the machine account password in the secrets database")); -@@ -261,10 +262,11 @@ static int net_changesecretpw(struct net_context *c, int argc, - now, - info, - #ifdef HAVE_ADS -- sync_pw2keytabs); -+ sync_pw2keytabs, - #else -- NULL); -+ NULL, - #endif -+ c->opt_host); - if (!NT_STATUS_IS_OK(status)) { - d_fprintf(stderr, - _("Unable to write the machine account password in the secrets database")); -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 46531210411..753b957e43f 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -2965,7 +2965,7 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a - net_use_krb_machine_account(c); - } - -- ntstatus = sync_pw2keytabs(); -+ ntstatus = sync_pw2keytabs(c->opt_host); - ret = NT_STATUS_IS_OK(ntstatus) ? 0 : 1; - return ret; - } --- -2.51.0 - diff --git a/SOURCES/redhat-4.23.patch b/SOURCES/redhat-4.23.patch new file mode 100644 index 0000000..6652d4b --- /dev/null +++ b/SOURCES/redhat-4.23.patch @@ -0,0 +1,957 @@ +From e8384b6daea3b8091ad1bcfce84efc9e2c6a746d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 22 Jan 2026 14:27:09 +0100 +Subject: [PATCH 01/13] s3:libads: Allocate cli_credentials on a stackframe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes: +ERROR: talloc_free with references at ../../source3/libads/ldap_utils.c:158 + +What happens: + +* `struct cli_credentials *creds` is allocated on `ads` talloc context +* gensec_set_credentials() creates a talloc_reference to `creds` +* TALLOC_FREE(creds) sees two parents and complains + +All other code is using temporary talloc_stackframe() for `creds`. +Do it here as well. + +Signed-off-by: Pavel Filipenský +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Fri Jan 23 11:20:28 UTC 2026 on atb-devel-224 +--- + source3/libads/ldap_utils.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c +index 9d6d962a2bc..d01afa69697 100644 +--- a/source3/libads/ldap_utils.c ++++ b/source3/libads/ldap_utils.c +@@ -99,6 +99,7 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind + struct cli_credentials *creds = NULL; + char *cred_name = NULL; + NTSTATUS ntstatus; ++ TALLOC_CTX *frame = talloc_stackframe(); + + if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) && + ads->config.ldap_page_size >= (lp_ldap_page_size() / 4) && +@@ -119,18 +120,20 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind + DBG_NOTICE("Search for %s in <%s> failed: %s\n", + expr, bp, ads_errstr(status)); + SAFE_FREE(bp); ++ TALLOC_FREE(frame); + return status; + } + + ntstatus = ads->auth.reconnect_state->fn(ads, + ads->auth.reconnect_state->private_data, +- ads, &creds); ++ frame, &creds); + if (!NT_STATUS_IS_OK(ntstatus)) { + DBG_WARNING("Failed to get creds for realm(%s): %s\n", + ads->server.realm, nt_errstr(ntstatus)); + DBG_WARNING("Search for %s in <%s> failed: %s\n", + expr, bp, ads_errstr(status)); + SAFE_FREE(bp); ++ TALLOC_FREE(frame); + return status; + } + +@@ -151,11 +154,11 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind + * callers depend on it being around. + */ + ads_disconnect(ads); +- TALLOC_FREE(creds); ++ TALLOC_FREE(frame); + SAFE_FREE(bp); + return status; + } +- TALLOC_FREE(creds); ++ TALLOC_FREE(frame); + + *res = NULL; + +-- +2.53.0 + + +From 7af95c7cb142aeb5f422a69d3b7a0ea3c0d2c2c2 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 26 Jan 2026 13:36:02 +0100 +Subject: [PATCH 02/13] s3:rpc_client: Fix memory leak opening local named pipe + +If no local server name was passed to rpc_pipe_open_local_np() then +get_myname() was called with NULL talloc context instead of the +current stackframe. + +This was causing an increase of memory usage on busy servers with long-living +rpcd_* workers. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Noel Power +Reviewed-by: Volker Lendecke + +Autobuild-User(master): Volker Lendecke +Autobuild-Date(master): Tue Jan 27 10:13:40 UTC 2026 on atb-devel-224 + +(cherry picked from commit 24dc455362fb49ef81c99d95880e106a234ce29a) +--- + source3/rpc_client/cli_pipe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c +index e3f48526492..c61b8eb16cf 100644 +--- a/source3/rpc_client/cli_pipe.c ++++ b/source3/rpc_client/cli_pipe.c +@@ -3625,7 +3625,7 @@ NTSTATUS rpc_pipe_open_local_np( + } + + if (local_server_name == NULL) { +- local_server_name = get_myname(result); ++ local_server_name = get_myname(frame); + } + + if (local_server_addr != NULL) { +-- +2.53.0 + + +From ab1287f78bd9d2397c8eb26fbedafa028e2aaa16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Dec 2025 17:17:33 +0100 +Subject: [PATCH 03/13] s3-selftest: mention in-memory ccache usage when + nothing is provided + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + source3/script/tests/test_net_ads_kerberos.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh +index 8a3c9ef2bc7..92d3996d078 100755 +--- a/source3/script/tests/test_net_ads_kerberos.sh ++++ b/source3/script/tests/test_net_ads_kerberos.sh +@@ -30,6 +30,7 @@ KRB5CCNAME="FILE:$KRB5CCNAME_PATH" + ## Test "net ads kerberos kinit" variants + ################################################# + ++#simply uses in memory ccache + testit "net_ads_kerberos_kinit" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ +@@ -50,6 +51,7 @@ rm -f "$KRB5CCNAME_PATH" + # --use-krb5-ccache=${KRB5CCNAME} \ + # || failed=$((failed + 1)) + ++#simply uses in memory ccache + testit "net_ads_kerberos_kinit (-P)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -P "$ADDARGS" \ +-- +2.53.0 + + +From 0aa0d39e9a5deb77114f40930b599f11fd7cf3b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Dec 2025 17:18:41 +0100 +Subject: [PATCH 04/13] s3-selftest: verify KRB5CCNAME presence after kinit + using klist + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + source3/script/tests/test_net_ads_kerberos.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh +index 92d3996d078..c53520cf733 100755 +--- a/source3/script/tests/test_net_ads_kerberos.sh ++++ b/source3/script/tests/test_net_ads_kerberos.sh +@@ -14,6 +14,12 @@ PREFIX="$4" + shift 4 + ADDARGS="$*" + ++if [ -x $(which klist) ]; then ++ KLIST=$(which klist); ++else ++ KLIST="test -e"; ++fi ++ + incdir=$(dirname "$0")/../../../testprogs/blackbox + . "$incdir"/subunit.sh + +@@ -41,6 +47,9 @@ testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ + || failed=$((failed + 1)) ++testit "klist env $KRB5CCNAME" \ ++ "$KLIST" "$KRB5CCNAME" \ ++ || failed=$((failed +1)) + unset KRB5CCNAME + rm -f "$KRB5CCNAME_PATH" + +@@ -62,6 +71,9 @@ testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -P "$ADDARGS" \ + || failed=$((failed + 1)) ++testit "klist env $KRB5CCNAME" \ ++ "$KLIST" "$KRB5CCNAME" \ ++ || failed=$((failed +1)) + unset KRB5CCNAME + rm -f "$KRB5CCNAME_PATH" + +-- +2.53.0 + + +From b9c07d59c6a20931b80fa104629477ab8f78b4ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Dec 2025 17:01:31 +0100 +Subject: [PATCH 05/13] s3-selftest: Activate "net ads kerberos kinit" tests + with --use-krb5-ccache + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + selftest/knownfail | 2 ++ + source3/script/tests/test_net_ads_kerberos.sh | 30 +++++++++++-------- + 2 files changed, 20 insertions(+), 12 deletions(-) + +diff --git a/selftest/knownfail b/selftest/knownfail +index ab2d79d7114..76f1dae605d 100644 +--- a/selftest/knownfail ++++ b/selftest/knownfail +@@ -338,3 +338,5 @@ + + # We currently don't send referrals for LDAP modify of non-replicated attrs + ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* ++ ++^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.* +diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh +index c53520cf733..b7933bab6a6 100755 +--- a/source3/script/tests/test_net_ads_kerberos.sh ++++ b/source3/script/tests/test_net_ads_kerberos.sh +@@ -53,12 +53,15 @@ testit "klist env $KRB5CCNAME" \ + unset KRB5CCNAME + rm -f "$KRB5CCNAME_PATH" + +-# --use-krb5-ccache is not working +-#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \ +-# $VALGRIND $BINDIR/net ads kerberos kinit \ +-# -U$USERNAME%$PASSWORD $ADDARGS \ +-# --use-krb5-ccache=${KRB5CCNAME} \ +-# || failed=$((failed + 1)) ++testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \ ++ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ ++ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ ++ --use-krb5-ccache="${KRB5CCNAME_PATH}" \ ++ || failed=$((failed + 1)) ++testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \ ++ "$KLIST" "$KRB5CCNAME_PATH" \ ++ || failed=$((failed +1)) ++rm -f "$KRB5CCNAME_PATH" + + #simply uses in memory ccache + testit "net_ads_kerberos_kinit (-P)" \ +@@ -77,12 +80,15 @@ testit "klist env $KRB5CCNAME" \ + unset KRB5CCNAME + rm -f "$KRB5CCNAME_PATH" + +-# --use-krb5-ccache is not working +-#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \ +-# $VALGRIND $BINDIR/net ads kerberos kinit \ +-# -P $ADDARGS \ +-# --use-krb5-ccache=${KRB5CCNAME} \ +-# || failed=$((failed + 1)) ++testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \ ++ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ ++ -P "$ADDARGS" \ ++ --use-krb5-ccache="${KRB5CCNAME_PATH}" \ ++ || failed=$((failed + 1)) ++testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \ ++ "$KLIST" "$KRB5CCNAME_PATH" \ ++ || failed=$((failed +1)) ++rm -f "$KRB5CCNAME_PATH" + + + ################################################# +-- +2.53.0 + + +From c82b7636b633575621e8e5964a93332956c238ff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Dec 2025 16:56:44 +0100 +Subject: [PATCH 06/13] s3-net: properly setup krb5 ccache name via + --use-krb5-ccache + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + selftest/knownfail | 2 -- + source3/utils/net.c | 19 ++++++++++++------- + source3/utils/net_ads.c | 4 ++++ + 3 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/selftest/knownfail b/selftest/knownfail +index 76f1dae605d..ab2d79d7114 100644 +--- a/selftest/knownfail ++++ b/selftest/knownfail +@@ -338,5 +338,3 @@ + + # We currently don't send referrals for LDAP modify of non-replicated attrs + ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* +- +-^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.* +diff --git a/source3/utils/net.c b/source3/utils/net.c +index ecabd980d0c..271c96cf804 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -1396,7 +1396,7 @@ static struct functable net_func[] = { + cli_credentials_get_principal_obtained(c->creds); + enum credentials_obtained password_obtained = + cli_credentials_get_password_obtained(c->creds); +- char *krb5ccname = NULL; ++ const char *krb5ccname = NULL; + + if (principal_obtained == CRED_SPECIFIED) { + c->explicit_credentials = true; +@@ -1415,15 +1415,20 @@ static struct functable net_func[] = { + } + + /* cli_credentials_get_ccache_name_obtained() would not work +- * here, we also cannot get the content of --use-krb5-ccache= so +- * for now at least honour the KRB5CCNAME environment variable +- * to get 'net ads kerberos' functions to work at all - gd */ +- +- krb5ccname = getenv("KRB5CCNAME"); +- if (krb5ccname == NULL) { ++ * here but we can now access the content of the ++ * --use-krb5-ccache option via cli credentials. Fallback to ++ * KRB5CCNAME environment variable to get 'net ads kerberos' ++ * functions to work at all - gd */ ++ ++ krb5ccname = cli_credentials_get_out_ccache_name(c->creds); ++ if (krb5ccname == NULL || krb5ccname[0] == '\0') { ++ krb5ccname = getenv("KRB5CCNAME"); ++ } ++ if (krb5ccname == NULL || krb5ccname[0] == '\0') { + krb5ccname = talloc_strdup(c, "MEMORY:net"); + } + if (krb5ccname == NULL) { ++ DBG_ERR("Not able to setup krb5 ccache"); + exit(1); + } + c->opt_krb5_ccache = krb5ccname; +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index d49b7537e71..5c57a0b290e 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -3245,7 +3245,11 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** + if (ret) { + d_printf(_("failed to kinit password: %s\n"), + nt_errstr(status)); ++ return ret; + } ++ ++ d_printf("Stored Kerberos TGT in: %s\n", c->opt_krb5_ccache); ++ + return ret; + } + +-- +2.53.0 + + +From 4f5ffea631d805564f7e92cc5f0f2f7ad55ba493 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Sat, 13 Dec 2025 13:49:37 +0100 +Subject: [PATCH 07/13] doc-xml: Document "net ads kerberos" commands +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Mon Jan 5 15:49:04 UTC 2026 on atb-devel-224 +--- + docs-xml/manpages/net.8.xml | 139 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 139 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index d9293d0bb34..737415b3722 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -1810,7 +1810,146 @@ the following entry types; + + + ++ ++ ADS KERBEROS ++ ++ ++ Issue Kerberos operations against an Active Directory KDC. ++ ++ ++ ++ ++ ++ ADS KERBEROS KINIT ++ ++ ++ Issue a kinit request for a given user. When no other options are ++ defined the ticket granting ticket (TGT) will be stored in a memory cache. ++ ++ ++ ++ To store the TGT in a different location either use the ++ option or set the ++ KRB5CCNAME environment variable. ++ ++ ++Example: net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache ++ ++ ++ ++ ++ ADS KERBEROS RENEW ++ ++ ++ Renew an already acquired ticket granting ticket (TGT). ++ ++ ++Example: net ads kerberos renew ++ ++ ++ ++ ++ ADS KERBEROS PAC ++ ++ ++ Request a Kerberos PAC while authenticating to an Active Directory KDC. ++ ++ ++ ++ The following commands are provided: ++ ++ ++ ++net ads kerberos pac dump - Dump a PAC to stdout. ++net ads kerneros pac save - Save a PAC to a file. ++ ++ ++ ++ All commands allow to define an impersonation principal to do a Kerberos ++ Service for User (S4U2SELF) operation via ++ the impersonate=STRING option. ++ The impersonation principal can have multiple different formats: ++ ++ ++ ++ ++ user@MY.REALM ++ This is the default format. ++ ++ ++ user@MY.REALM@MY.REALM ++ The Kerberos Service for User (S4U2SELF) also supports ++ Enterprise Principals. ++ ++ ++ user@UPN.SUFFIX@MY.REALM ++ Enterprise Principal using a defined upn suffix. ++ ++ ++ user@WORKGROUP@MY.REALM ++ Enterprise Principal with netbios domain name. ++ This format is currently not supported by Samba AD. ++ ++ + ++ ++ By default net will request a service ticket for the local service ++ of the joined machine. A different service can be defined via ++ local_service=STRING. ++ ++ ++ ++ ++ ADS KERBEROS PAC DUMP [impersonate=string] [local_service=string] [pac_buffer_type=int] ++ ++ ++ Request a Kerberos PAC while authenticating to an Active Directory KDC. ++ The PAC will be printed on stdout. ++ ++ ++ ++ When no specific pac_buffer is selected, all buffers will be printed. ++ It is possible to select a specific one via ++ pac_buffer_type=INT from this list: ++ ++ ++ ++1 PAC_TYPE_LOGON_INFO ++2 PAC_TYPE_CREDENTIAL_INFO ++6 PAC_TYPE_SRV_CHECKSUM ++7 PAC_TYPE_KDC_CHECKSUM ++10 PAC_TYPE_LOGON_NAME ++11 PAC_TYPE_CONSTRAINED_DELEGATION ++12 PAC_TYPE_UPN_DNS_INFO ++13 PAC_TYPE_CLIENT_CLAIMS_INFO ++14 PAC_TYPE_DEVICE_INFO ++15 PAC_TYPE_DEVICE_CLAIMS_INFO ++16 PAC_TYPE_TICKET_CHECKSUM ++17 PAC_TYPE_ATTRIBUTES_INFO ++18 PAC_TYPE_REQUESTER_SID ++19 PAC_TYPE_FULL_CHECKSUM ++ ++ ++Example: net ads kerberos pac dump -P impersonate=anyuser@MY.REALM.COM ++ ++ ++ ++ ++ ADS KERBEROS PAC SAVE [impersonate=string] [local_service=string] [filename=string] ++ ++ ++ Request a Kerberos PAC while authenticating to an Active Directory KDC. ++ The PAC will be saved in a file. ++ ++ ++ ++ The filename to store the PAC can be set via the ++ filename=STRING option. ++ ++ ++Example: net ads kerberos pac save -U user%password filename=/tmp/pacstore ++ ++ + + SAM CREATEBUILTINGROUP <NAME> + +-- +2.53.0 + + +From f634526bd95b8396ea7f5f1c8ed059eb01a5286b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 3 Feb 2026 12:53:10 +0100 +Subject: [PATCH 08/13] s3:utils: 'net ads kerberos kinit' should use also + default ccache name from krb5.conf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is re-introducing the behavior from samba-4.20 where both these +commands operated on the same ccache (default_ccache_name in +[libdefaults] section of krb5.conf) + + 'net ads kerberos kinit -P' + 'klist' + + With samba-4.21 it no longer works, 'net ads kerberos kinit -P' + fallbacks to 'MEMORY:net' (which is of a very limited use, ticket + cannot be used by other process) and klist finds no ticket. + + The order is changed from: + + --use-krb5-ccache + env "KRB5CCNAME" + "MEMORY:net" + +to ("MEMORY:net" is removed): + + --use-krb5-ccache + env "KRB5CCNAME" + default_ccache_name + +'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials. + +Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name() +because of commit: +1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit 4cc6a13590434f6a3aa1add663728188970d727e) +--- + source3/utils/net.c | 36 ++++++++++++++++++++++++++---------- + 1 file changed, 26 insertions(+), 10 deletions(-) + +diff --git a/source3/utils/net.c b/source3/utils/net.c +index 271c96cf804..0ce03f8213d 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -54,6 +54,7 @@ + #include "source3/utils/passwd_proto.h" + #include "auth/gensec/gensec.h" + #include "lib/param/param.h" ++#include "lib/krb5_wrap/krb5_samba.h" + + #ifdef WITH_FAKE_KASERVER + #include "utils/net_afs.h" +@@ -1414,18 +1415,33 @@ static struct functable net_func[] = { + CRED_SPECIFIED); + } + +- /* cli_credentials_get_ccache_name_obtained() would not work +- * here but we can now access the content of the +- * --use-krb5-ccache option via cli credentials. Fallback to +- * KRB5CCNAME environment variable to get 'net ads kerberos' +- * functions to work at all - gd */ +- ++ /* ++ * Priority order for krb5 credential cache name ++ * ++ * via cli_credentials_get_out_ccache_name() : ++ * ++ * 1. '--use-krb5-ccache' option ++ * ++ * via krb5_cc_default_name() : ++ * ++ * 2. KRB5CCNAME environment variable ++ * 3. default_ccache_name in [libdefaults] section of krb5.conf ++ * 4. ...more - krb5_cc_default_name() always returns something ++ * - see documentation ++ */ + krb5ccname = cli_credentials_get_out_ccache_name(c->creds); + if (krb5ccname == NULL || krb5ccname[0] == '\0') { +- krb5ccname = getenv("KRB5CCNAME"); +- } +- if (krb5ccname == NULL || krb5ccname[0] == '\0') { +- krb5ccname = talloc_strdup(c, "MEMORY:net"); ++ krb5_context ct = NULL; ++ krb5_error_code ret = smb_krb5_init_context_common(&ct); ++ ++ if (ret == 0) { ++ krb5ccname = smb_force_krb5_cc_default_name(ct); ++ if (krb5ccname != NULL) { ++ krb5ccname = talloc_strdup(c, ++ krb5ccname); ++ } ++ krb5_free_context(ct); ++ } + } + if (krb5ccname == NULL) { + DBG_ERR("Not able to setup krb5 ccache"); +-- +2.53.0 + + +From 0ca830d6ddded29b2b5d1969ebcbc4df1156656e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 5 Feb 2026 16:04:25 +0100 +Subject: [PATCH 09/13] manpages: Update NET ADS KERBEROS KINIT manpage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Pavel Filipensky +Autobuild-Date(master): Thu Feb 5 21:11:13 UTC 2026 on atb-devel-224 + +(cherry picked from commit 9d083a28fe45afd8f82441c6e24255e4c64c113b) +--- + docs-xml/manpages/net.8.xml | 36 ++++++++++++++++++++++++++++-------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 737415b3722..b793361a27f 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -1823,17 +1823,37 @@ the following entry types; + ADS KERBEROS KINIT + + +- Issue a kinit request for a given user. When no other options are +- defined the ticket granting ticket (TGT) will be stored in a memory cache. ++ Issue a kinit request for a given user. The following methods can be used ++ to specify where to store the ticket granting ticket (TGT) (in order of ++ precedence): + + +- +- To store the TGT in a different location either use the +- option or set the +- KRB5CCNAME environment variable. +- ++ ++ ++ option ++ ++ ++ KRB5CCNAME environment variable ++ ++ ++ default_ccache_name setting in krb5.conf ++ ++ + +-Example: net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache ++Examples: ++ ++Use file based cache (FILE:/tmp/krb5cache) ++ ++net ads kerberos kinit -P --use-krb5-ccache=/tmp/krb5cache ++ ++ ++ ++Use memory cache (MEMORY:net) to verify the authentication ++ ++net ads kerberos kinit -P --use-krb5-ccache=MEMORY:net ++ ++ ++ + + + +-- +2.53.0 + + +From 44b613d80c6a3818cc6ca593d57d51cd1bc00aa5 Mon Sep 17 00:00:00 2001 +From: Noel Power +Date: Fri, 13 Feb 2026 11:54:46 +0000 +Subject: [PATCH 10/13] selftest: Update tests to use + --use-kereros=desired|required no creds + +Add tests to call smbclient without passing credentials to +demonstrate failure with --use-kereros=desired + +Also add knownfail + +Signed-off-by: Noel Power +Reviewed-by: Andreas Schneider +(cherry picked from commit a22af9420965083b99b956477d1833000b7f2414) +--- + selftest/knownfail | 2 ++ + source3/script/tests/test_smbclient_kerberos.sh | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/selftest/knownfail b/selftest/knownfail +index ab2d79d7114..f0a5f7bb935 100644 +--- a/selftest/knownfail ++++ b/selftest/knownfail +@@ -315,6 +315,8 @@ + # ad_member don't support ntlmv1 (not even over SMB1) + ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member + ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member ++# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789 ++samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).* + #nt-vfs server blocks read with execute access + ^samba4.smb2.read.access + #ntvfs server blocks copychunk with execute access on read handle +diff --git a/source3/script/tests/test_smbclient_kerberos.sh b/source3/script/tests/test_smbclient_kerberos.sh +index 31678d17e28..1139efd70d7 100755 +--- a/source3/script/tests/test_smbclient_kerberos.sh ++++ b/source3/script/tests/test_smbclient_kerberos.sh +@@ -73,6 +73,18 @@ test_smbclient "smbclient.smb3.kerberos.desired[//${SERVER}/tmp]" \ + --use-kerberos=desired -U${USERNAME}%${PASSWORD} -mSMB3 || + failed=$(expr $failed + 1) + ++test_smbclient "smbclient.smb3.kerberos.desired (no user/pass) [//${SERVER}/tmp]" \ ++ "ls; quit" //${SERVER}/tmp \ ++ --use-kerberos=desired -mSMB3 || ++ failed=$(expr $failed + 1) ++ ++test_smbclient "smbclient.smb3.kerberos.required (no user/pass) [//${SERVER}/tmp]" \ ++ "ls; quit" //${SERVER}/tmp \ ++ --use-kerberos=required -mSMB3 || ++ failed=$(expr $failed + 1) ++ ++ ++ + $samba_kdestroy + + rm -rf $KRB5CCNAME_PATH +-- +2.53.0 + + +From 65f70c0505759489a8b219e1297f8cdee2cc260a Mon Sep 17 00:00:00 2001 +From: Noel Power +Date: Mon, 19 Jan 2026 15:46:59 +0000 +Subject: [PATCH 11/13] auth/credentials: Fix regression with + --use-kerberos=desired for smbclient + +As part of the gse_krb5 processing the following call chain + +gensec_gse_client_start() + ---> gensec_kerberos_possible() + ---> cli_credentials_authentication_requested() + +gensec_kerberos_possible() will always fail when +cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED + +It seems since use kerberos == desired is the default that it isn't +necessary to see if credentials were modified to indicated authentication +was requested. gensec_kerberos_possible() should afaics return true +if kerberos is desired OR required (regardless of whether credentials +were requested) + +This commit removes the knownfail associated with this bug. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 +Signed-off-by: +Reviewed-by: Andreas Schneider +(cherry picked from commit 88f42eb222f299189d5f5f8204ae353e63a50970) +--- + auth/gensec/gensec_util.c | 5 ----- + selftest/knownfail | 2 -- + 2 files changed, 7 deletions(-) + +diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c +index 0c7688d33d2..af6d198d48f 100644 +--- a/auth/gensec/gensec_util.c ++++ b/auth/gensec/gensec_util.c +@@ -362,7 +362,6 @@ char *gensec_get_unparsed_target_principal(struct gensec_security *gensec_securi + NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security) + { + struct cli_credentials *creds = gensec_get_credentials(gensec_security); +- bool auth_requested = cli_credentials_authentication_requested(creds); + enum credentials_use_kerberos krb5_state = + cli_credentials_get_kerberos_state(creds); + char *user_principal = NULL; +@@ -370,10 +369,6 @@ NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security) + const char *target_principal = gensec_get_target_principal(gensec_security); + const char *hostname = gensec_get_target_hostname(gensec_security); + +- if (!auth_requested) { +- return NT_STATUS_INVALID_PARAMETER; +- } +- + if (krb5_state == CRED_USE_KERBEROS_DISABLED) { + return NT_STATUS_INVALID_PARAMETER; + } +diff --git a/selftest/knownfail b/selftest/knownfail +index f0a5f7bb935..ab2d79d7114 100644 +--- a/selftest/knownfail ++++ b/selftest/knownfail +@@ -315,8 +315,6 @@ + # ad_member don't support ntlmv1 (not even over SMB1) + ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member + ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member +-# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789 +-samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).* + #nt-vfs server blocks read with execute access + ^samba4.smb2.read.access + #ntvfs server blocks copychunk with execute access on read handle +-- +2.53.0 + + +From 8c955cad98b197936fceaf98306047e1f929ddfe Mon Sep 17 00:00:00 2001 +From: Noel Power +Date: Mon, 19 Jan 2026 16:10:10 +0000 +Subject: [PATCH 12/13] s3/libsmb: cli_session_creds_init fails when kerberos + is desired + +There is a regression with code using cli_session_creds_init when +cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED + +Authentication succeeds when boolean fallback_after_kerberos is false +and fails when true. +There doesn't seem to be a good reason why the value of +fallback_after_kerberos should initialise the krb5 ccache or not. +It would seems that krb5 cache should be setup for creds +for *any* kerberos auth (whether fallback is enabled or not) + +Partial patch from (see bug referenced below) +Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 +Signed-off-by: Noel Power +Reviewed-by: Andreas Schneider +(cherry picked from commit 1c48599105736499d18aa1f647bce9e1f8dbdcca) +--- + source3/libsmb/cliconnect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c +index 116f746d37e..3fd423d8e5f 100644 +--- a/source3/libsmb/cliconnect.c ++++ b/source3/libsmb/cliconnect.c +@@ -218,7 +218,7 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx, + goto fail; + } + } +- } else if (use_kerberos && !fallback_after_kerberos) { ++ } else if (use_kerberos) { + const char *error_string = NULL; + int rc; + +-- +2.53.0 + + +From 015167aea7ece2bb683f86aa4b8c688d7a83267d Mon Sep 17 00:00:00 2001 +From: Noel Power +Date: Mon, 19 Jan 2026 16:18:02 +0000 +Subject: [PATCH 13/13] s3/libsmb: block anon authentication fallback is + use-kerberos = desired + +When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED +libsmbclient method SMBC_server_internal will still try to fallback to +anon NTLM. This patch prevents that. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789 +Signed-off-by: Noel Power +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Noel Power +Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224 + +(cherry picked from commit bc868800276fe09cbcb206ebe4cb4da32af7599f) +--- + source3/libsmb/libsmb_server.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c +index f9b52e1f05a..8c7208aaee0 100644 +--- a/source3/libsmb/libsmb_server.c ++++ b/source3/libsmb/libsmb_server.c +@@ -632,6 +632,8 @@ SMBC_server_internal(TALLOC_CTX *ctx, + password_used = ""; + + if (smbc_getOptionNoAutoAnonymousLogin(context) || ++ cli_credentials_get_kerberos_state(creds) == ++ CRED_USE_KERBEROS_REQUIRED || + !NT_STATUS_IS_OK(cli_session_setup_anon(c))) { + + cli_shutdown(c); +-- +2.53.0 + diff --git a/SOURCES/samba-4.22.4.tar.asc b/SOURCES/samba-4.22.4.tar.asc deleted file mode 100644 index ba5e216..0000000 --- a/SOURCES/samba-4.22.4.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAminOhEACgkQqplEL7aA -tiDtRg//e/Jocf1iPjaEtiR2tGQSnqQPdaaRId8luFu0ykevvIiR+GL2IctJnvWZ -IYL/svmWAlLULgb+13S1Gs7CGYTievrh+OaEnuo+CmnGpNYUFO/yyymBW9eWFGA4 -bA6ilMjE2KgyCakvBT22mL9IFGZQsKQh46YXjs4hCKZdadx733/Znwj/kIkm0Wxl -S6gnxstroM5zUbA/Xw26KUOBTd0mTZXXKH14HSH1XX3RNgA0/FsZ+kde4Y+VUwP+ -t/LvuNqN2s/pyUeKd8eoiZv7zTwUT1gsvoBTWP8kzmubtBbxz4abJ9QCEb/HEdkv -iMh1RbRQZRKpmIo/NzAMRhxDyuVtzg69Egn19iLjnPfmrpqDZpxhi5csNumIFKsi -bFmT7/KTZfKvsg9h5SfHL3JeblYbEQNjIhDutdZ3yJ+JymAkaWjChHqY0wTwiZbX -pHing+t+c4SRx2064/jBFn48kdj1JweEaGSGdEEwa7zejMHLcl7vKheyGqSTWMYH -XiBtm1kN2gLrgazLFNXKTD9YectYPmRkiv6f1hUhqLfac2jkwIdWeT1LIPqJ2fMw -YrNk4UYYS4L7PZSXUJ3r88RGPWJvTa7WQrM556uxcspCr7W6TauMRe0hKquqOekH -0J4jD+hmfuEQ/LryC29rSLSNG0N99v2nWuAn78KxUk7FuZ9H4og= -=D+9R ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.23.5.tar.asc b/SOURCES/samba-4.23.5.tar.asc new file mode 100644 index 0000000..cb3ee28 --- /dev/null +++ b/SOURCES/samba-4.23.5.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmlzV8sACgkQqplEL7aA +tiCrUxAAkEcyHkI48DZpwRd+0rP2IJC+6vpGj/RSGHdlyztw3R+49EOW9HURNqsl +8FHHUairod5CzyXc2UfoZNHuo5s3YE2WOuxSur2W8/FYPVllX9sOvNilaQsplvDX +8zMsQ4Ky5z57EeScDFaGl/NPypLcJ5i2hrBHRrn4Gsa5koKs9M+BlO1/xH8TBFPG +hAAXaLFw8pkMFDEIIrRMdOGAUeNaBq3dVkfzPAgd6FYAAUjuP/3O2gM87zLPgbf1 +5Deg+HYNLhKaAUNJPs3OuiLZTN3FpRAif/DKJCL16kbNxygN71OXI1vf20BooNpj +qTx3xseHraHkTy3HElru5CTlW+jYPLd7UqHcH0g+wRp/xlwH5vR7vc+wZpyFmOfm +OThXsVzZKzwQo9Ce+N9vs0FgSR0BLXvHHIs77XV0BdC3G/tE+iOPsp1GFbmhC5Dn +F/hqFmbKBBNiqv2v1s3mT1rX8DNeUaHA44coJJnr8vc9fMtrqkDuBiAOtzknm+j+ +IW3NLWsvl2y94anc9Aq6Ffanc1qSwVvdFNb/d1dZjR7sLP19UdJAFZTiJ/V2yQET +++AX9DKBtIO0KguJowEROrRu+inOT/Rs4PLwxxbtEVxqmqH7An+nO0FzV+xSjI/1 +l+zLG3njDFDSDS/cXvrnzvFAWqs/5pKmlhcDzAicnuUgIzsKd08= +=qxcw +-----END PGP SIGNATURE----- diff --git a/SOURCES/smb.conf.vendor b/SOURCES/smb.conf.vendor index 2ba7edc..f237c86 100644 --- a/SOURCES/smb.conf.vendor +++ b/SOURCES/smb.conf.vendor @@ -18,6 +18,9 @@ load printers = yes cups options = raw + # Install samba-usershares package for support + include = /etc/samba/usershares.conf + [homes] comment = Home Directories valid users = %S, %D%w%S diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 3fdcf3c..00a8f44 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -117,13 +117,20 @@ %bcond etcd_mutex 0 %endif +# Build the prometheus exporter by default on Fedora +%if 0%{?fedora} +%bcond prometheus 1 +%else +%bcond prometheus 0 +%endif + %ifarch aarch64 ppc64le s390x x86_64 %bcond lmdb 1 %else %bcond lmdb 0 %endif -%global samba_version 4.22.4 +%global samba_version 4.23.5 # The release field is extended: # [.][.]%%{?dist}[.] @@ -169,8 +176,8 @@ %global libwbclient_so_version 0 %global talloc_version 2.4.3 -%global tdb_version 1.4.13 -%global tevent_version 0.16.2 +%global tdb_version 1.4.14 +%global tevent_version 0.17.1 %global required_mit_krb5 1.20.1 @@ -229,11 +236,11 @@ Source202: samba.abignore # # git clone git@gitlab.com:samba-redhat/samba.git # cd samba -# git checkout v4-22-redhat -# git format-patch --stdout -l1 --no-renames -N > redhat-4.22.patch +# git checkout v4-23-redhat +# git format-patch --stdout -l1 --no-renames -N > redhat-4.23.patch # where N is number of commits -Patch0: redhat-4.22.patch +Patch0: redhat-4.23.patch Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} @@ -334,6 +341,11 @@ BuildRequires: xz BuildRequires: zlib-devel >= 1.2.3 BuildRequires: pkgconfig(libsystemd) +# TODO FIXME This is not in RHEL yet +%if 0%{?fedora} >= 43 +BuildRequires: pkgconfig(libngtcp2) +BuildRequires: pkgconfig(libngtcp2_crypto_gnutls) +%endif %ifnarch i686 %if 0%{?fedora} >= 37 @@ -363,6 +375,9 @@ BuildRequires: librados-devel %if %{with etcd_mutex} BuildRequires: python3-etcd %endif +%if %{with prometheus} +BuildRequires: libevent-devel +%endif BuildRequires: cepces-certmonger >= 0.3.8 @@ -1224,6 +1239,18 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB #endif with clustering %endif +%if %{with prometheus} + +%package prometheus +Summary: SMB Prometheus exporter +Requires: samba = %{samba_depver} + +%description prometheus +Support for exporting metrics via Prometheus + +#endif with prometheus +%endif + ### LIBLDB %package -n libldb Summary: A schema-less, ldap like, API and database @@ -1232,7 +1259,6 @@ License: LGPL-3.0-or-later Requires: libtalloc%{?_isa} >= %{talloc_version} Requires: libtdb%{?_isa} >= %{tdb_version} Requires: libtevent%{?_isa} >= %{tevent_version} -Requires: samba-common-libs = %{samba_depver} # /endif without includelibs %endif @@ -1375,6 +1401,8 @@ if [ -n "${CCACHE}" ]; then fi %endif +# workaround https://gitlab.com/ita1024/waf/-/issues/2472 +export PYTHONARCHDIR=%{python3_sitearch} %configure \ --enable-fhs \ --with-piddir=/run \ @@ -1414,6 +1442,9 @@ fi %endif %if %{with etcd_mutex} --enable-etcd-reclock \ +%endif +%if %{with prometheus} + --with-prometheus-exporter \ %endif --with-profiling-data \ --with-systemd \ @@ -2013,22 +2044,27 @@ fi %{_libdir}/samba/libndr-samba4-private-samba.so %{_libdir}/samba/libnet-keytab-private-samba.so %{_libdir}/samba/libnetif-private-samba.so +%if 0%{?rhel} +%{_libdir}/samba/libngtcp2-crypto-gnutls-private-samba.so +%{_libdir}/samba/libngtcp2-private-samba.so +%endif %{_libdir}/samba/libnpa-tstream-private-samba.so %{_libdir}/samba/libposix-eadb-private-samba.so %{_libdir}/samba/libprinter-driver-private-samba.so %{_libdir}/samba/libprinting-migrate-private-samba.so +%{_libdir}/samba/libquic-private-samba.so %{_libdir}/samba/libregistry-private-samba.so %{_libdir}/samba/libsamba-cluster-support-private-samba.so %{_libdir}/samba/libsamba-debug-private-samba.so %{_libdir}/samba/libsamba-modules-private-samba.so %{_libdir}/samba/libsamba-security-private-samba.so +%{_libdir}/samba/libsamba-security-trusts-private-samba.so %{_libdir}/samba/libsamba-sockets-private-samba.so %{_libdir}/samba/libsamba3-util-private-samba.so %{_libdir}/samba/libsamdb-common-private-samba.so %{_libdir}/samba/libsecrets3-private-samba.so %{_libdir}/samba/libserver-id-db-private-samba.so %{_libdir}/samba/libserver-role-private-samba.so -%{_libdir}/samba/libsmb-transport-private-samba.so %{_libdir}/samba/libsmbclient-raw-private-samba.so %{_libdir}/samba/libsmbd-base-private-samba.so %{_libdir}/samba/libsmbd-shim-private-samba.so @@ -2124,6 +2160,7 @@ fi %{_mandir}/man8/net.8* %{_mandir}/man8/pdbedit.8* %{_mandir}/man8/smbpasswd.8* +%{_datadir}/locale/*/LC_MESSAGES/net.mo ### TOOLS %files tools @@ -2201,6 +2238,7 @@ fi %{_libdir}/samba/ldb/subtree_delete.so %{_libdir}/samba/ldb/subtree_rename.so %{_libdir}/samba/ldb/tombstone_reanimate.so +%{_libdir}/samba/ldb/trust_notify.so %{_libdir}/samba/ldb/unique_object_sids.so %{_libdir}/samba/ldb/update_keytab.so %{_libdir}/samba/ldb/vlv.so @@ -2246,6 +2284,7 @@ fi %{_libdir}/samba/service/dns.so %{_libdir}/samba/service/dns_update.so %{_libdir}/samba/service/drepl.so +%{_libdir}/samba/service/ft_scanner.so %{_libdir}/samba/service/kcc.so %{_libdir}/samba/service/kdc.so %{_libdir}/samba/service/ldap.so @@ -2598,6 +2637,7 @@ fi %{python3_sitearch}/samba/dcerpc/atsvc.*.so %{python3_sitearch}/samba/dcerpc/auth.*.so %{python3_sitearch}/samba/dcerpc/base.*.so +%{python3_sitearch}/samba/dcerpc/bcrypt_rsakey_blob.*.so %{python3_sitearch}/samba/dcerpc/claims.*.so %{python3_sitearch}/samba/dcerpc/conditional_ace.*.so %{python3_sitearch}/samba/dcerpc/dcerpc.*.so @@ -2613,6 +2653,7 @@ fi %{python3_sitearch}/samba/dcerpc/idmap.*.so %{python3_sitearch}/samba/dcerpc/initshutdown.*.so %{python3_sitearch}/samba/dcerpc/irpc.*.so +%{python3_sitearch}/samba/dcerpc/keycredlink.*.so %{python3_sitearch}/samba/dcerpc/krb5ccache.*.so %{python3_sitearch}/samba/dcerpc/krb5pac.*.so %{python3_sitearch}/samba/dcerpc/lsa.*.so @@ -2634,6 +2675,7 @@ fi %{python3_sitearch}/samba/dcerpc/spoolss.*.so %{python3_sitearch}/samba/dcerpc/srvsvc.*.so %{python3_sitearch}/samba/dcerpc/svcctl.*.so +%{python3_sitearch}/samba/dcerpc/tpm20_rsakey_blob.*.so %{python3_sitearch}/samba/dcerpc/unixinfo.*.so %{python3_sitearch}/samba/dcerpc/winbind.*.so %{python3_sitearch}/samba/dcerpc/windows_event_ids.*.so @@ -3137,6 +3179,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/auth_log_netlogon_bad_creds.*.pyc %{python3_sitearch}/samba/tests/__pycache__/auth_log_samlogon.*.pyc %{python3_sitearch}/samba/tests/__pycache__/auth_log_winbind.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/bcrypt_rsakey_blob.*.pyc %{python3_sitearch}/samba/tests/__pycache__/common.*.pyc %{python3_sitearch}/samba/tests/__pycache__/complex_expressions.*.pyc %{python3_sitearch}/samba/tests/__pycache__/compression.*.pyc @@ -3178,6 +3221,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc %{python3_sitearch}/samba/tests/__pycache__/imports.*.pyc %{python3_sitearch}/samba/tests/__pycache__/join.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/key_credential_link.*.pyc %{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc @@ -3255,6 +3299,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc %{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc %{python3_sitearch}/samba/tests/__pycache__/token_factory.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/tpm20_rsakey_blob.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgradeprovision.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgradeprovisionneeddc.*.pyc @@ -3272,6 +3317,7 @@ fi %{python3_sitearch}/samba/tests/auth_log_pass_change.py %{python3_sitearch}/samba/tests/auth_log_samlogon.py %{python3_sitearch}/samba/tests/auth_log_winbind.py +%{python3_sitearch}/samba/tests/bcrypt_rsakey_blob.py %dir %{python3_sitearch}/samba/tests/blackbox %{python3_sitearch}/samba/tests/blackbox/__init__.py %dir %{python3_sitearch}/samba/tests/blackbox/__pycache__ @@ -3340,6 +3386,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/__pycache__/array.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/dfs.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc @@ -3360,6 +3407,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/array.py %{python3_sitearch}/samba/tests/dcerpc/bare.py %{python3_sitearch}/samba/tests/dcerpc/binding.py +%{python3_sitearch}/samba/tests/dcerpc/dfs.py %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py %{python3_sitearch}/samba/tests/dcerpc/integer.py %{python3_sitearch}/samba/tests/dcerpc/lsa.py @@ -3432,6 +3480,7 @@ fi %{python3_sitearch}/samba/tests/kcc/graph_utils.py %{python3_sitearch}/samba/tests/kcc/kcc_utils.py %{python3_sitearch}/samba/tests/kcc/ldif_import_export.py +%{python3_sitearch}/samba/tests/key_credential_link.py %dir %{python3_sitearch}/samba/tests/krb5 %dir %{python3_sitearch}/samba/tests/krb5/__pycache__ %{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc @@ -3547,6 +3596,12 @@ fi %{python3_sitearch}/samba/tests/net_join_no_spnego.py %{python3_sitearch}/samba/tests/net_join.py %{python3_sitearch}/samba/tests/netlogonsvc.py +%dir %{python3_sitearch}/samba/tests/nss +%dir %{python3_sitearch}/samba/tests/nss/__pycache__ +%{python3_sitearch}/samba/tests/nss/__pycache__/base.*.pyc +%{python3_sitearch}/samba/tests/nss/__pycache__/group.*.pyc +%{python3_sitearch}/samba/tests/nss/base.py +%{python3_sitearch}/samba/tests/nss/group.py %{python3_sitearch}/samba/tests/ntacls.py %{python3_sitearch}/samba/tests/ntacls_backup.py %{python3_sitearch}/samba/tests/ntlmdisabled.py @@ -3707,10 +3762,21 @@ fi %{python3_sitearch}/samba/tests/subunitrun.py %{python3_sitearch}/samba/tests/tdb_util.py %{python3_sitearch}/samba/tests/token_factory.py +%{python3_sitearch}/samba/tests/tpm20_rsakey_blob.py %{python3_sitearch}/samba/tests/upgrade.py %{python3_sitearch}/samba/tests/upgradeprovision.py %{python3_sitearch}/samba/tests/upgradeprovisionneeddc.py %{python3_sitearch}/samba/tests/usage.py +%dir %{python3_sitearch}/samba/tests/varlink +%dir %{python3_sitearch}/samba/tests/varlink/__pycache__ +%{python3_sitearch}/samba/tests/varlink/__pycache__/base.*.pyc +%{python3_sitearch}/samba/tests/varlink/__pycache__/getgrouprecord.*.pyc +%{python3_sitearch}/samba/tests/varlink/__pycache__/getmemberships.*.pyc +%{python3_sitearch}/samba/tests/varlink/__pycache__/getuserrecord.*.pyc +%{python3_sitearch}/samba/tests/varlink/base.py +%{python3_sitearch}/samba/tests/varlink/getgrouprecord.py +%{python3_sitearch}/samba/tests/varlink/getmemberships.py +%{python3_sitearch}/samba/tests/varlink/getuserrecord.py %{python3_sitearch}/samba/tests/xattr.py ### TEST @@ -3779,6 +3845,7 @@ fi %config(noreplace) %{_sysconfdir}/security/pam_winbind.conf %{_mandir}/man5/pam_winbind.conf.5* %{_mandir}/man8/pam_winbind.8* +%{_datadir}/locale/*/LC_MESSAGES/pam_winbind.mo %if %{with clustering} %files -n ctdb @@ -3928,6 +3995,13 @@ fi %{_mandir}/man1/winexe.1.gz %endif +%if %{with prometheus} +%files prometheus +%{_bindir}/smb_prometheus_endpoint +%{_mandir}/man8/smb_prometheus_endpoint.8.gz +#endif with prometheus + +%endif %files -n libldb %license lib/ldb/LICENSE %{_libdir}/libldb.so.* @@ -3989,6 +4063,60 @@ fi %changelog ## START: Generated by rpmautospec +* Thu Feb 19 2026 Pavel Filipenský - 0:4.23.5-6 +- Fix regression with --use-kerberos=desired for smbclient +- resolves: RHEL-150824 + +* Wed Feb 11 2026 Pavel Filipenský - 0:4.23.5-5 +- Fix 'net ads kerberos kinit' to use default ccache name from krb5.conf +- resolves: RHEL-147419 + +* Wed Feb 11 2026 Pavel Filipenský - 0:4.23.5-4 +- Fix samba-bgqd to load [printers] share +- resolves: RHEL-147858 + +* Tue Jan 27 2026 Pavel Filipenský - 0:4.23.5-3 +- Fix 'net ads kerberos kinit -P' with option '--use-krb5-ccache' +- resolves: RHEL-144590 + +* Tue Jan 27 2026 Pavel Filipenský - 0:4.23.5-2 +- Fix winbind memory leak seen with long living rpcd_* workers +- resolves: RHEL-144480 + +* Fri Jan 23 2026 Pavel Filipenský - 0:4.23.5-1 +- Update to version 4.23.5 +- resolves: RHEL-143401 - Fix winbind group resolution +- resolves: RHEL-141027 - Fix winbind crash + +* Thu Dec 18 2025 Pavel Filipenský - 0:4.23.4-2 +- Remove libldb dependency to samba-common-libs +- resolves: RHEL-133003 + +* Mon Dec 15 2025 Pavel Filipenský - 0:4.23.4-1 +- Update to version 4.23.4 +- resolves: RHEL-114548 - Update to version 4.23.4 +- resolves: RHEL-132995 - Fix Time Machine backup +- resolves: RHEL-133003 - Remove unexpected dependency of libldb to samba + +* Mon Dec 15 2025 Pavel Filipenský - 0:4.23.3-2 +- Remove osci.brew-build.tier0.functional from gating.yaml + +* Fri Nov 07 2025 Pavel Filipenský - 0:4.23.3-1 +- Update to version 4.23.3 +- resolves: RHEL-114548 + +* Thu Sep 18 2025 Pavel Filipenský - 0:4.23.0-3 +- Update to pre-version of 4.23.1 +- resolves: RHEL-114548 + +* Thu Sep 18 2025 Pavel Filipenský - 0:4.23.0-2 +- smb.conf: include /etc/samba/usershares.conf +- related: RHEL-114548 + +* Sat Sep 13 2025 Pavel Filipenský - 0:4.23.0-1 +- Update to version 4.23.0 +- resolves: RHEL-114548 + * Thu Sep 11 2025 Pavel Filipenský - 0:4.22.4-6 - resolves: RHEL-104147 - Fix 'net ads join' in setups with multiple DCs