diff --git a/.gitignore b/.gitignore
index ac72e46..0027479 100644
--- a/.gitignore
+++ b/.gitignore
@@ -365,3 +365,5 @@ samba-3.6.0pre1.tar.gz
 /samba-4.20.2.tar.asc
 /samba-4.21.0.tar.asc
 /samba-4.21.0.tar.xz
+/samba-4.21.1.tar.asc
+/samba-4.21.1.tar.xz
diff --git a/samba-4.21.0-s3-notifyd.patch b/redhat-4.21.patch
similarity index 99%
rename from samba-4.21.0-s3-notifyd.patch
rename to redhat-4.21.patch
index 31463fd..8364334 100644
--- a/samba-4.21.0-s3-notifyd.patch
+++ b/redhat-4.21.patch
@@ -1,4 +1,4 @@
-From c9a7bc3e8f36cb9d6746e23ea56f9c27b82dcf49 Mon Sep 17 00:00:00 2001
+From 2d9ab68f501f5796bdf4662a058a2adff30d497e Mon Sep 17 00:00:00 2001
 From: Andreas Schneider
 Date: Mon, 22 Jul 2024 12:26:55 +0200
 Subject: [PATCH] s3:notifyd: Use a watcher per db record
diff --git a/samba-4.21.0-backport-freeipa-support.patch b/samba-4.21.0-backport-freeipa-support.patch
deleted file mode 100644
index d1c5776..0000000
--- a/samba-4.21.0-backport-freeipa-support.patch
+++ /dev/null
@@ -1,132 +0,0 @@ -From 26797d7bd2662718b3eb795f1b8e6100d51e3ab7 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 3 Sep 2024 08:48:24 +0300 -Subject: [PATCH] sync machine password to keytab: handle FreeIPA use case -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -FreeIPA uses own procedure to retrieve keytabs and during the setup of -Samba on FreeIPA client the keytab is already present, only machine -account needs to be set in the secrets database. - -'sync machine password to keytab' option handling broke this use case by -always attempting to contact a domain controller and failing to do so -(Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199). - -The original synchronizing machine account password to keytab feature -did not have a mechanism to disable its logic at all. - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Pavel Filipenský - -Autobuild-User(master): Alexander Bokovoy -Autobuild-Date(master): Fri Sep 13 13:16:09 UTC 2024 on atb-devel-224 - -(cherry picked from commit 4f577c7b6894132be4842944f2f950b087312b16) ---- - .../security/syncmachinepasswordtokeytab.xml | 29 +++++++++++++++++-- - source3/libads/kerberos_keytab.c | 5 ++++ - source3/utils/net.c | 8 +++++ - source3/utils/testparm.c | 3 +- - 4 files changed, 41 insertions(+), 4 deletions(-) - -diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml -index 4cad9da73f2..f7dc30023d4 100644 ---- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml -+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml -@@ -18,7 +18,11 @@ or by winbindd doing regular updates (see -+If no value is present and is different from -+'secrets only', the behavior differs between winbind and net utility: -+ -+ -+ -+ winbind uses value -+ /path/to/keytab:sync_spns:sync_kvno:machine_password -+ where the path to the keytab is obtained either from the krb5 
library or from -+ . -+ -+ -+ -+ net changesecretpw -f command uses the default 'disabled' value. -+ -+ No other net subcommands use the 'disabled' value. -+ -+ -+ -+If a single value 'disabled' is present, the synchronization process is -+disabled. This is required for FreeIPA domain member setup where keytab -+synchronization uses a protocol not implemented by Samba. - - - -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index 6ede567b75f..dbf8af44c1f 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -904,6 +904,11 @@ NTSTATUS sync_pw2keytabs(void) - goto params_ready; - } - -+ if ((*lp_ptr != NULL) && strequal_m(*lp_ptr, "disabled")) { -+ DBG_DEBUG("'sync machine password to keytab' is explicitly disabled.\n"); -+ return NT_STATUS_OK; -+ } -+ - line = lp_ptr; - while (*line) { - DBG_DEBUG("Scanning line: %s\n", *line); -diff --git a/source3/utils/net.c b/source3/utils/net.c -index 7b40d2bee95..c432ebe991f 100644 ---- a/source3/utils/net.c -+++ b/source3/utils/net.c -@@ -207,6 +207,14 @@ static int net_changesecretpw(struct net_context *c, int argc, - struct timeval tv = timeval_current(); - NTTIME now = timeval_to_nttime(&tv); - -+#ifdef HAVE_ADS -+ if (USE_KERBEROS_KEYTAB) { -+ if (lp_sync_machine_password_to_keytab() == NULL) { -+ lp_do_parameter(-1, "sync machine password to keytab", "disabled"); -+ } -+ } -+#endif -+ - if (c->opt_stdin) { - set_line_buffering(stdin); - set_line_buffering(stdout); -diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -index e3ed336a79a..a31a7a8a30a 100644 ---- a/source3/utils/testparm.c -+++ b/source3/utils/testparm.c -@@ -803,7 +803,8 @@ static int do_global_checks(void) - "instead of 'kerberos method'.\n\n"); - } - -- if (lp_ptr != NULL) { -+ if (lp_ptr != NULL && -+ ((*lp_ptr != NULL) && !strequal_m(*lp_ptr, "disabled"))) { - while (*lp_ptr) { - ret |= pw2kt_check_line(*lp_ptr++); - } --- -2.46.0 - 
diff --git a/samba-4.21.0-ldb-lmdb.patch b/samba-4.21.0-ldb-lmdb.patch
deleted file mode 100644
index 894014a..0000000
--- a/samba-4.21.0-ldb-lmdb.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 9f265d6f3b852a9eed9f19147585fe2801507f63 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Tue, 24 Sep 2024 15:48:23 +0200
-Subject: [PATCH] ldb: Build lmdb backend also in non-AD case
-
-We should build with lmdb support also if it is not in AD case. The lmdb
-backend is also used e.g. by sssd.
-
-If you don't want to build it, you can always specify --without-ldb-lmdb
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15721
-
-Signed-off-by: Andreas Schneider
----
- lib/ldb/wscript | 22 +++++++++-------------
- 1 file changed, 9 insertions(+), 13 deletions(-)
-
-diff --git a/lib/ldb/wscript b/lib/ldb/wscript
-index 87aa3bb6d77..f234fa79c10 100644
---- a/lib/ldb/wscript
-+++ b/lib/ldb/wscript
-@@ -33,21 +33,17 @@ def configure(conf):
- conf.CONFIG_GET('ENABLE_SELFTEST'):
- Logs.warn("NOTE: Some AD DC parts of selftest will fail")
-
-+ conf.env.REQUIRE_LMDB = False
-+ elif Options.options.without_ldb_lmdb:
-+ if not Options.options.without_ad_dc and \
-+ conf.CONFIG_GET('ENABLE_SELFTEST'):
-+ raise Errors.WafError('--without-ldb-lmdb conflicts '
-+ 'with --enable-selftest while '
-+ 'building the AD DC')
-+
- conf.env.REQUIRE_LMDB = False
- else:
-- if Options.options.without_ad_dc:
-- conf.env.REQUIRE_LMDB = False
-- else:
-- if Options.options.without_ldb_lmdb:
-- if not Options.options.without_ad_dc and \
-- conf.CONFIG_GET('ENABLE_SELFTEST'):
-- raise Errors.WafError('--without-ldb-lmdb conflicts '
-- 'with --enable-selftest while '
-- 'building the AD DC')
--
-- conf.env.REQUIRE_LMDB = False
-- else:
-- conf.env.REQUIRE_LMDB = True
-+ conf.env.REQUIRE_LMDB = True
-
- # if lmdb support is enabled then we require lmdb
- # is present, build the mdb back end and enable lmdb support in
---
-GitLab
-
diff --git a/samba.spec b/samba.spec
index fa036c5..fb00bac 100644
--- a/samba.spec
+++ b/samba.spec
@@ -150,7 +150,7 @@
 %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
-%global samba_version 4.21.0
+%global samba_version 4.21.1
 # The release field is extended:
 # [.][.]%%{?dist}[.]
@@ -252,10 +252,15 @@ Source18: samba-winbind-systemd-sysusers.conf
 Source201: README.downgrade
 Source202: samba.abignore
-Patch0: samba-4.21.0-backport-freeipa-support.patch
-# https://gitlab.com/samba-team/samba/-/merge_requests/3807
-Patch1: samba-4.21.0-ldb-lmdb.patch
-Patch2: samba-4.21.0-s3-notifyd.patch
+# Patch0 is created using:
+#
+# git clone git@gitlab.com:samba-redhat/samba.git
+# cd samba
+# git checkout v4-21-redhat
+# git format-patch --stdout -l1 --no-renames -N > redhat-4.21.patch
+# where N is number of commits
+
+Patch0: redhat-4.21.patch
 Requires(pre): %{name}-common = %{samba_depver}
 Requires: %{name}-common = %{samba_depver}
diff --git a/sources b/sources
index d7668eb..28e2450 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (samba-4.21.0.tar.asc) = 7fffbd0b88b42dd7f340e4bcae17da4a68a0f8de86a1e71534a4a02a477a746e4cdb16df7c0da33aaf13278cefb452bd9b7c61ed029e248576f7158e8bec339e
-SHA512 (samba-4.21.0.tar.xz) = d05c823afc04669766130745c139e7d129eb9961525453d6da8b5ee6693d4c08192496d07e5c211e86d553956504fb9df16611cc9268111b71b95c7f2fa868a0
+SHA512 (samba-4.21.1.tar.asc) = 2c1e4b347044e15a852ced8bb412a3f372fd2c2b5e0001b1a773f7283f2d8fa62942143b46cbc3f16b18882255cf0aac4426002453971361b0002357657484f1
+SHA512 (samba-4.21.1.tar.xz) = 182759820708c9df26fbcb09e755e81236ecacf543f3e18a05dbd0ea551ab072d338fe239eb99ff506f158ec45e981a893ce46eacdde6e073ee85ceb43e2669a
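Review bot: The regeneration recipe added above `Patch0: redhat-4.21.patch` in samba.spec cannot be replayed to verify the shipped patch, because it checks out the moving branch `v4-21-redhat` and leaves `N` unspecified. Pin both in the comment, for example `# generated from <base-tag>..<branch-head-commit> (N = <count>)`, so a reviewer can regenerate the file and diff it against what is packaged. The hunk also drops `# https://gitlab.com/samba-team/samba/-/merge_requests/3807`, the only upstream reference for a carried patch, and the spec no longer says why the freeipa and ldb-lmdb patches are gone; presumably 4.21.1 already contains them, but that is not stated on this page, so a one-line comment confirming it would help.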