diff --git a/.gitignore b/.gitignore index 775a82a..8073517 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.19.4.tar.xz -SOURCES/samba-pubkey_AA99442FB680B620.gpg +samba-4.21.3.tar.xz +samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata deleted file mode 100644 index 8a5c50b..0000000 --- a/.samba.metadata +++ /dev/null @@ -1,2 +0,0 @@ -6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz -971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/README.downgrade b/README.downgrade similarity index 100% rename from SOURCES/README.downgrade rename to README.downgrade diff --git a/SOURCES/samba-4.19-redhat.patch b/SOURCES/samba-4.19-redhat.patch deleted file mode 100644 index ba1902f..0000000 --- a/SOURCES/samba-4.19-redhat.patch +++ /dev/null @@ -1,2450 +0,0 @@ -From 3c29fc78029e1274f931e171c9e04c19ad0182c1 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Thu, 17 Aug 2023 01:05:54 +0300 -Subject: [PATCH 01/31] gp: Support more global trust directories - -In addition to the SUSE global trust directory, add support for RHEL and -Debian-based distributions (including Ubuntu). - -To determine the correct directory to use, we iterate over the variants -and stop at the first which is a directory. - -In case none is found, fallback to the first option which will produce a -warning as it did previously. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 312c8ddf467..1b90ab46e90 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -45,10 +45,12 @@ cert_wrap = b""" - -----BEGIN CERTIFICATE----- - %s - -----END CERTIFICATE-----""" --global_trust_dir = '/etc/pki/trust/anchors' - endpoint_re = '(https|HTTPS)://(?P[a-zA-Z0-9.-]+)/ADPolicyProvider' + \ - '_CEP_(?P[a-zA-Z]+)/service.svc/CEP' - -+global_trust_dirs = ['/etc/pki/trust/anchors', # SUSE -+ '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora -+ '/usr/local/share/ca-certificates'] # Debian/Ubuntu - - def octet_string_to_objectGUID(data): - """Convert an octet string to an objectGUID.""" -@@ -249,12 +251,20 @@ def getca(ca, url, trust_dir): - return root_certs - - -+def find_global_trust_dir(): -+ """Return the global trust dir using known paths from various Linux distros.""" -+ for trust_dir in global_trust_dirs: -+ if os.path.isdir(trust_dir): -+ return trust_dir -+ return global_trust_dirs[0] -+ - def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - """Install the root certificate chain.""" - data = dict({'files': [], 'templates': []}, **ca) - url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] - root_certs = getca(ca, url, trust_dir) - data['files'].extend(root_certs) -+ global_trust_dir = find_global_trust_dir() - for src in root_certs: - # Symlink the certs to global trust dir - dst = os.path.join(global_trust_dir, os.path.basename(src)) --- -2.48.1 - - -From 063606e8ec83a58972df47eb561ab267f8937ba4 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Thu, 17 Aug 2023 01:09:28 +0300 -Subject: [PATCH 02/31] gp: Support update-ca-trust helper - -This is used on RHEL/Fedora instead of update-ca-certificates. They -behave similarly so it's enough to change the command name. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit fa80d1d86439749c44e60cf9075e84dc9ed3c268) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 1b90ab46e90..cefdafa21b2 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -258,6 +258,10 @@ def find_global_trust_dir(): - return trust_dir - return global_trust_dirs[0] - -+def update_ca_command(): -+ """Return the command to update the CA trust store.""" -+ return which('update-ca-certificates') or which('update-ca-trust') -+ - def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - """Install the root certificate chain.""" - data = dict({'files': [], 'templates': []}, **ca) -@@ -283,7 +287,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - # already exists. Ignore the FileExistsError. Preserve the - # existing symlink in the unapply data. - data['files'].append(dst) -- update = which('update-ca-certificates') -+ update = update_ca_command() - if update is not None: - Popen([update]).wait() - # Setup Certificate Auto Enrollment --- -2.48.1 - - -From 3b548bf280ca59ef12a7af10a9131813067a850a Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 11 Aug 2023 18:46:42 +0300 -Subject: [PATCH 03/31] gp: Change root cert extension suffix - -On Ubuntu, certificates must end in '.crt' in order to be considered by -the `update-ca-certificates` helper. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit bce3a89204545dcab5fb39a712590f6e166f997b) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index cefdafa21b2..c562722906b 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -241,7 +241,8 @@ def getca(ca, url, trust_dir): - certs = load_der_pkcs7_certificates(r.content) - for i in range(0, len(certs)): - cert = certs[i].public_bytes(Encoding.PEM) -- dest = '%s.%d' % (root_cert, i) -+ filename, extension = root_cert.rsplit('.', 1) -+ dest = '%s.%d.%s' % (filename, i, extension) - with open(dest, 'wb') as w: - w.write(cert) - root_certs.append(dest) --- -2.48.1 - - -From 7592ed5032836dc43f657f66607a0a4661edcdb4 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 18 Aug 2023 17:06:43 +0300 -Subject: [PATCH 04/31] gp: Test with binary content for certificate data - -This fails all GPO-related tests that call `gpupdate --rsop`. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70) ---- - python/samba/tests/gpo.py | 8 ++++---- - selftest/knownfail.d/gpo | 13 +++++++++++++ - 2 files changed, 17 insertions(+), 4 deletions(-) - create mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py -index e4b75cc62a4..963f873f755 100644 ---- a/python/samba/tests/gpo.py -+++ b/python/samba/tests/gpo.py -@@ -6783,14 +6783,14 @@ class GPOTests(tests.TestCase): - ldb.add({'dn': certa_dn, - 'objectClass': 'certificationAuthority', - 'authorityRevocationList': ['XXX'], -- 'cACertificate': 'XXX', -+ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', - 'certificateRevocationList': ['XXX'], - }) - # Write the dummy pKIEnrollmentService - enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) - ldb.add({'dn': enroll_dn, - 'objectClass': 'pKIEnrollmentService', -- 'cACertificate': 'XXXX', -+ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', - 'certificateTemplates': ['Machine'], - 'dNSHostName': hostname, - }) -@@ -7201,14 +7201,14 @@ class GPOTests(tests.TestCase): - ldb.add({'dn': certa_dn, - 'objectClass': 'certificationAuthority', - 'authorityRevocationList': ['XXX'], -- 'cACertificate': 'XXX', -+ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', - 'certificateRevocationList': ['XXX'], - }) - # Write the dummy pKIEnrollmentService - enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) - ldb.add({'dn': enroll_dn, - 'objectClass': 'pKIEnrollmentService', -- 'cACertificate': 'XXXX', -+ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', - 'certificateTemplates': ['Machine'], - 'dNSHostName': hostname, - }) -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -new file mode 100644 -index 00000000000..0aad59607c2 ---- /dev/null -+++ b/selftest/knownfail.d/gpo -@@ -0,0 +1,13 @@ -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.48.1 - - -From 7f7b235bda9e85c5ea330e52e734d1113a884571 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Wed, 16 Aug 2023 12:20:11 +0300 -Subject: [PATCH 05/31] gp: Convert CA certificates to base64 - -I don't know whether this applies universally, but in our case the -contents of `es['cACertificate'][0]` are binary, so cleanly converting -to a string fails with the following: - -'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte - -We found a fix to be encoding the certificate to base64 when -constructing the CA list. - -Section 4.4.5.2 of MS-CAESO also suggests that the content of -`cACertificate` is binary (OCTET string). - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit 157335ee93eb866f9b6a47486a5668d6e76aced5) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 5 ++--- - selftest/knownfail.d/gpo | 13 ------------- - 2 files changed, 2 insertions(+), 16 deletions(-) - delete mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index c562722906b..c8b5368c16a 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -158,7 +158,7 @@ def fetch_certification_authorities(ldb): - for es in res: - data = { 'name': get_string(es['cn'][0]), - 'hostname': get_string(es['dNSHostName'][0]), -- 'cACertificate': get_string(es['cACertificate'][0]) -+ 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0])) - } - result.append(data) - return result -@@ -176,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None): - return {'msPKI-Minimal-Key-Size': ['2048']} - - def format_root_cert(cert): -- cert = base64.b64encode(cert.encode()) -- return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL) -+ return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL) - - def find_cepces_submit(): - certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger', -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -deleted file mode 100644 -index 0aad59607c2..00000000000 ---- a/selftest/knownfail.d/gpo -+++ /dev/null -@@ -1,13 +0,0 @@ --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.48.1 - - -From 49cc74015a603e80048a38fe635cd1ac28938ee4 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 18 Aug 2023 17:16:23 +0300 -Subject: [PATCH 06/31] gp: Test adding new cert templates enforces changes - -Ensure that cepces-submit reporting additional templates and re-applying -will enforce the updated policy. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit 2d6943a864405f324c467e8c3464c31ac08457b0) ---- - python/samba/tests/bin/cepces-submit | 3 +- - python/samba/tests/gpo.py | 48 ++++++++++++++++++++++++++++ - selftest/knownfail.d/gpo | 2 ++ - 3 files changed, 52 insertions(+), 1 deletion(-) - create mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit -index 668682a9f58..de63164692b 100755 ---- a/python/samba/tests/bin/cepces-submit -+++ b/python/samba/tests/bin/cepces-submit -@@ -14,4 +14,5 @@ if __name__ == "__main__": - assert opts.auth == 'Kerberos' - if 'CERTMONGER_OPERATION' in os.environ and \ - os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES': -- print('Machine') # Report a Machine template -+ templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',') -+ print('\n'.join(templates)) # Report the requested templates -diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py -index 963f873f755..e75c411bde7 100644 ---- a/python/samba/tests/gpo.py -+++ b/python/samba/tests/gpo.py -@@ -6812,6 +6812,23 @@ class GPOTests(tests.TestCase): - self.assertTrue(os.path.exists(machine_crt), - 'Machine key was not generated') - -+ # Subsequent apply should react to new certificate templates -+ os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' -+ self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') -+ ext.process_group_policy([], gpos, dname, dname) -+ self.assertTrue(os.path.exists(ca_crt), -+ 'Root CA certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine key was not generated') -+ workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca_cn) -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation certificate was not requested') -+ workstation_key = os.path.join(dname, '%s.Workstation.key' % ca_cn) -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation key was not generated') -+ - # Verify RSOP does not fail - ext.rsop([g for g in gpos if g.name == guid][0]) - -@@ -6829,11 +6846,17 @@ class GPOTests(tests.TestCase): - 'Machine certificate was not removed') - self.assertFalse(os.path.exists(machine_crt), - 'Machine key was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation certificate was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation key was not removed') - out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() - self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed') - out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() - self.assertNotIn(b'Machine', out, - 'Machine certificate not removed') -+ self.assertNotIn(b'Workstation', out, -+ 'Workstation certificate not removed') - - # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate - ldb.delete(certa_dn) -@@ -7233,6 +7256,25 @@ class GPOTests(tests.TestCase): - self.assertTrue(os.path.exists(machine_crt), - 'Machine key was not generated') - -+ # Subsequent apply should react to new certificate templates -+ os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' -+ self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') -+ ext.process_group_policy([], gpos, dname, dname) -+ for ca in ca_list: -+ self.assertTrue(os.path.exists(ca_crt), -+ 'Root CA certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine key was not generated') -+ -+ workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca) -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation certificate was not requested') -+ workstation_key = os.path.join(dname, '%s.Workstation.key' % ca) -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation key was not generated') -+ - # Verify RSOP does not fail - ext.rsop([g for g in gpos if g.name == guid][0]) - -@@ -7250,12 +7292,18 @@ class GPOTests(tests.TestCase): - 'Machine certificate was not removed') - self.assertFalse(os.path.exists(machine_crt), - 'Machine key was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation certificate was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation key was not removed') - out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() - for ca in ca_list: - self.assertNotIn(get_bytes(ca), out, 'CA was not removed') - out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() - self.assertNotIn(b'Machine', out, - 'Machine certificate not removed') -+ self.assertNotIn(b'Workstation', out, -+ 'Workstation certificate not removed') - - # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate - ldb.delete(certa_dn) -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -new file mode 100644 -index 00000000000..4edc1dce730 ---- /dev/null -+++ b/selftest/knownfail.d/gpo -@@ -0,0 +1,2 @@ -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.48.1 - - -From 4c0906bd79f030e591701234bc54bc749a42d686 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Wed, 16 Aug 2023 12:37:17 +0300 -Subject: [PATCH 07/31] gp: Template changes should invalidate cache - -If certificate templates are added or removed, the autoenroll extension -should react to this and reapply the policy. Previously this wasn't -taken into account. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 15 ++++++++++----- - selftest/knownfail.d/gpo | 2 -- - 2 files changed, 10 insertions(+), 7 deletions(-) - delete mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index c8b5368c16a..8233713e8ad 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -262,6 +262,11 @@ def update_ca_command(): - """Return the command to update the CA trust store.""" - return which('update-ca-certificates') or which('update-ca-trust') - -+def changed(new_data, old_data): -+ """Return True if any key present in both dicts has changed.""" -+ return any((new_data[k] != old_data[k] if k in old_data else False) \ -+ for k in new_data.keys()) -+ - def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - """Install the root certificate chain.""" - data = dict({'files': [], 'templates': []}, **ca) -@@ -351,12 +356,12 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): - # If the policy has changed, unapply, then apply new policy - old_val = self.cache_get_attribute_value(guid, attribute) - old_data = json.loads(old_val) if old_val is not None else {} -- if all([(ca[k] == old_data[k] if k in old_data else False) \ -- for k in ca.keys()]) or \ -- self.cache_get_apply_state() == GPOSTATE.ENFORCE: -+ templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] -+ new_data = { 'templates': templates, **ca } -+ if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: - self.unapply(guid, attribute, old_val) -- # If policy is already applied, skip application -- if old_val is not None and \ -+ # If policy is already applied and unchanged, skip application -+ if old_val is not None and not changed(new_data, old_data) and \ - self.cache_get_apply_state() != GPOSTATE.ENFORCE: - return - -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -deleted file mode 100644 -index 4edc1dce730..00000000000 ---- a/selftest/knownfail.d/gpo -+++ /dev/null -@@ -1,2 +0,0 @@ --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.48.1 - - -From e61f30dc2518d5a1c239f090baea4a309307f3f8 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 18 Aug 2023 17:26:59 +0300 -Subject: [PATCH 08/31] gp: Test disabled enrollment unapplies policy - -For this we need to stage a Registry.pol file with certificate -autoenrollment enabled, but with checkboxes unticked. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit ee814f7707a8ddef2657212cd6d31799501b7bb3) ---- - python/samba/tests/gpo.py | 54 +++++++++++++++++++++++++++++++++++++++ - selftest/knownfail.d/gpo | 1 + - 2 files changed, 55 insertions(+) - create mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py -index e75c411bde7..580f3568de8 100644 ---- a/python/samba/tests/gpo.py -+++ b/python/samba/tests/gpo.py -@@ -281,6 +281,28 @@ b""" - - """ - -+auto_enroll_unchecked_reg_pol = \ -+b""" -+ -+ -+ -+ Software\Policies\Microsoft\Cryptography\AutoEnrollment -+ AEPolicy -+ 0 -+ -+ -+ Software\Policies\Microsoft\Cryptography\AutoEnrollment -+ OfflineExpirationPercent -+ 10 -+ -+ -+ Software\Policies\Microsoft\Cryptography\AutoEnrollment -+ OfflineExpirationStoreNames -+ MY -+ -+ -+""" -+ - advanced_enroll_reg_pol = \ - b""" - -@@ -6836,6 +6858,38 @@ class GPOTests(tests.TestCase): - ret = rsop(self.lp) - self.assertEqual(ret, 0, 'gpupdate --rsop failed!') - -+ # Remove policy by staging pol file with auto-enroll unchecked -+ parser.load_xml(etree.fromstring(auto_enroll_unchecked_reg_pol.strip())) -+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) -+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol) -+ ext.process_group_policy([], gpos, dname, dname) -+ self.assertFalse(os.path.exists(ca_crt), -+ 'Root CA certificate was not removed') -+ self.assertFalse(os.path.exists(machine_crt), -+ 'Machine certificate was not removed') -+ self.assertFalse(os.path.exists(machine_crt), -+ 'Machine key was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation certificate was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation key was not removed') -+ -+ # Reapply policy by staging the enabled pol file -+ parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip())) -+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) -+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol) -+ ext.process_group_policy([], gpos, dname, dname) -+ self.assertTrue(os.path.exists(ca_crt), -+ 'Root CA certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine key was not generated') -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation certificate was not requested') -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation key was not generated') -+ - # Remove policy - gp_db = store.get_gplog(machine_creds.get_username()) - del_gpos = get_deleted_gpos_list(gp_db, []) -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -new file mode 100644 -index 00000000000..83bc9f0ac1f ---- /dev/null -+++ b/selftest/knownfail.d/gpo -@@ -0,0 +1 @@ -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.48.1 - - -From 7757b9b48546d71e19798d1260da97780caa99c3 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Wed, 16 Aug 2023 12:33:59 +0300 -Subject: [PATCH 09/31] gp: Send list of keys instead of dict to remove - -`cache_get_all_attribute_values` returns a dict whereas we need to pass -a list of keys to `remove`. These will be interpolated in the gpdb search. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder - -Autobuild-User(master): Andrew Bartlett -Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224 - -(cherry picked from commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 2 +- - selftest/knownfail.d/gpo | 1 - - 2 files changed, 1 insertion(+), 2 deletions(-) - delete mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 8233713e8ad..64c35782ae8 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -415,7 +415,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): - # remove any existing policy - ca_attrs = \ - self.cache_get_all_attribute_values(gpo.name) -- self.clean(gpo.name, remove=ca_attrs) -+ self.clean(gpo.name, remove=list(ca_attrs.keys())) - - def __read_cep_data(self, guid, ldb, end_point_information, - trust_dir, private_dir): -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -deleted file mode 100644 -index 83bc9f0ac1f..00000000000 ---- a/selftest/knownfail.d/gpo -+++ /dev/null -@@ -1 +0,0 @@ --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.48.1 - - -From 4e9b2e6409c5764ec0e66cc6c90b08e70f702e7c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 9 Jan 2024 08:50:01 +0100 -Subject: [PATCH 10/31] python:gp: Print a nice message if cepces-submit can't - be found - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -(cherry picked from commit 8eb42425a8eb1b30ca0e94dfc01d8175ae5cde4b) - -Autobuild-User(v4-19-test): Jule Anger -Autobuild-Date(v4-19-test): Mon Jan 15 11:11:31 UTC 2024 on atb-devel-224 ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 24 ++++++++++++---------- - 1 file changed, 13 insertions(+), 11 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 64c35782ae8..08d1a7348cd 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -185,17 +185,19 @@ def find_cepces_submit(): - - def get_supported_templates(server): - cepces_submit = find_cepces_submit() -- if os.path.exists(cepces_submit): -- env = os.environ -- env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES' -- p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'], -- env=env, stdout=PIPE, stderr=PIPE) -- out, err = p.communicate() -- if p.returncode != 0: -- data = { 'Error': err.decode() } -- log.error('Failed to fetch the list of supported templates.', data) -- return out.strip().split() -- return [] -+ if not cepces_submit or not os.path.exists(cepces_submit): -+ log.error('Failed to find cepces-submit') -+ return [] -+ -+ env = os.environ -+ env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES' -+ p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'], -+ env=env, stdout=PIPE, stderr=PIPE) -+ out, err = p.communicate() -+ if p.returncode != 0: -+ data = {'Error': err.decode()} -+ log.error('Failed to fetch the list of supported templates.', data) -+ return out.strip().split() - - - def getca(ca, url, trust_dir): --- -2.48.1 - - -From fb3aefff51c02cf8ba3f8dfeb7d3f971e8d4902a Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Mon, 8 Jan 2024 18:05:08 +0200 -Subject: [PATCH 11/31] gpo: Test certificate policy without NDES - -As of 8231eaf856b, the NDES feature is no longer required on Windows, as -cert auto-enroll can use the certificate from the LDAP request. - -However, 157335ee93e changed the implementation to convert the LDAP -certificate to base64 due to it failing to cleanly convert to a string. - -Because of insufficient test coverage I missed handling the part where -NDES is disabled or not reachable and the LDAP certificate was imported. -The call to load_der_x509_certificate now fails with an error because it -expects binary data, yet it receives a base64 encoded string. - -This adds a test to confirm the issue. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557 - -Signed-off-by: Gabriel Nagy -Reviewed-by: David Mulder -Reviewed-by: Andreas Schneider -(cherry picked from commit 0d1ff69936f18ea729fc11fbbb1569a833302572) ---- - python/samba/tests/gpo.py | 126 ++++++++++++++++++++++++++++++++++++-- - selftest/knownfail.d/gpo | 1 + - 2 files changed, 121 insertions(+), 6 deletions(-) - create mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py -index 580f3568de8..a78af17dba4 100644 ---- a/python/samba/tests/gpo.py -+++ b/python/samba/tests/gpo.py -@@ -102,17 +102,21 @@ def dummy_certificate(): - - # Dummy requests structure for Certificate Auto Enrollment - class dummy_requests(object): -- @staticmethod -- def get(url=None, params=None): -+ class exceptions(object): -+ ConnectionError = Exception -+ -+ def __init__(self, want_exception=False): -+ self.want_exception = want_exception -+ -+ def get(self, url=None, params=None): -+ if self.want_exception: -+ raise self.exceptions.ConnectionError -+ - dummy = requests.Response() - dummy._content = dummy_certificate() - dummy.headers = {'Content-Type': 'application/x-x509-ca-cert'} - return dummy - -- class exceptions(object): -- ConnectionError = Exception --cae.requests = dummy_requests -- - realm = os.environ.get('REALM') - policies = realm + '/POLICIES' - realm = realm.lower() -@@ -6764,6 +6768,114 @@ class GPOTests(tests.TestCase): - # Unstage the Registry.pol file - unstage_file(reg_pol) - -+ def test_gp_cert_auto_enroll_ext_without_ndes(self): -+ local_path = self.lp.cache_path('gpo_cache') -+ guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' -+ reg_pol = os.path.join(local_path, policies, guid, -+ 'MACHINE/REGISTRY.POL') -+ cache_dir = self.lp.get('cache directory') -+ store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) -+ -+ machine_creds = Credentials() -+ machine_creds.guess(self.lp) -+ machine_creds.set_machine_account() -+ -+ # Initialize the group policy extension -+ cae.requests = dummy_requests(want_exception=True) -+ ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds, -+ machine_creds.get_username(), store) -+ -+ gpos = get_gpo_list(self.server, machine_creds, self.lp, -+ machine_creds.get_username()) -+ -+ # Stage the Registry.pol file with test data -+ parser = GPPolParser() -+ parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip())) -+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) -+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol) -+ -+ # Write the dummy CA entry, Enrollment Services, and Templates Entries -+ admin_creds = Credentials() -+ admin_creds.set_username(os.environ.get('DC_USERNAME')) -+ admin_creds.set_password(os.environ.get('DC_PASSWORD')) -+ admin_creds.set_realm(os.environ.get('REALM')) -+ hostname = get_dc_hostname(machine_creds, self.lp) -+ url = 'ldap://%s' % hostname -+ ldb = Ldb(url=url, session_info=system_session(), -+ lp=self.lp, credentials=admin_creds) -+ # Write the dummy CA -+ confdn = 'CN=Public Key Services,CN=Services,CN=Configuration,%s' % base_dn -+ ca_cn = '%s-CA' % hostname.replace('.', '-') -+ certa_dn = 'CN=%s,CN=Certification Authorities,%s' % (ca_cn, confdn) -+ ldb.add({'dn': certa_dn, -+ 'objectClass': 'certificationAuthority', -+ 'authorityRevocationList': ['XXX'], -+ 'cACertificate': dummy_certificate(), -+ 'certificateRevocationList': ['XXX'], -+ }) -+ # Write the dummy pKIEnrollmentService -+ enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) -+ ldb.add({'dn': enroll_dn, -+ 'objectClass': 'pKIEnrollmentService', -+ 'cACertificate': dummy_certificate(), -+ 'certificateTemplates': ['Machine'], -+ 'dNSHostName': hostname, -+ }) -+ # Write the dummy pKICertificateTemplate -+ template_dn = 'CN=Machine,CN=Certificate Templates,%s' % confdn -+ ldb.add({'dn': template_dn, -+ 'objectClass': 'pKICertificateTemplate', -+ }) -+ -+ with TemporaryDirectory() as dname: -+ try: -+ ext.process_group_policy([], gpos, dname, dname) -+ except Exception as e: -+ self.fail(str(e)) -+ -+ ca_crt = os.path.join(dname, '%s.crt' % ca_cn) -+ self.assertTrue(os.path.exists(ca_crt), -+ 'Root CA certificate was not requested') -+ machine_crt = os.path.join(dname, '%s.Machine.crt' % ca_cn) -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine certificate was not requested') -+ machine_key = os.path.join(dname, '%s.Machine.key' % ca_cn) -+ self.assertTrue(os.path.exists(machine_key), -+ 'Machine key was not generated') -+ -+ # Verify RSOP does not fail -+ ext.rsop([g for g in gpos if g.name == guid][0]) -+ -+ # Check that a call to gpupdate --rsop also succeeds -+ ret = rsop(self.lp) -+ self.assertEqual(ret, 0, 'gpupdate --rsop failed!') -+ -+ # Remove policy -+ gp_db = store.get_gplog(machine_creds.get_username()) -+ del_gpos = get_deleted_gpos_list(gp_db, []) -+ ext.process_group_policy(del_gpos, [], dname) -+ self.assertFalse(os.path.exists(ca_crt), -+ 'Root CA certificate was not removed') -+ self.assertFalse(os.path.exists(machine_crt), -+ 'Machine certificate was not removed') -+ self.assertFalse(os.path.exists(machine_key), -+ 'Machine key was not removed') -+ out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() -+ self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed') -+ out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() -+ self.assertNotIn(b'Machine', out, -+ 'Machine certificate not removed') -+ self.assertNotIn(b'Workstation', out, -+ 'Workstation certificate not removed') -+ -+ # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate -+ ldb.delete(certa_dn) -+ ldb.delete(enroll_dn) -+ ldb.delete(template_dn) -+ -+ # Unstage the Registry.pol file -+ unstage_file(reg_pol) -+ - def test_gp_cert_auto_enroll_ext(self): - local_path = self.lp.cache_path('gpo_cache') - guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' -@@ -6777,6 +6889,7 @@ class GPOTests(tests.TestCase): - machine_creds.set_machine_account() - - # Initialize the group policy extension -+ cae.requests = dummy_requests() - ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds, - machine_creds.get_username(), store) - -@@ -7241,6 +7354,7 @@ class GPOTests(tests.TestCase): - machine_creds.set_machine_account() - - # Initialize the group policy extension -+ cae.requests = dummy_requests() - ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds, - machine_creds.get_username(), store) - -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -new file mode 100644 -index 00000000000..f1e590bc7d8 ---- /dev/null -+++ b/selftest/knownfail.d/gpo -@@ -0,0 +1 @@ -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes --- -2.48.1 - - -From 1a9af36177c7491687c75df151474bb10285f00e Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Thu, 18 Jan 2024 20:23:24 +0200 -Subject: [PATCH 12/31] gpo: Decode base64 root cert before importing - -The reasoning behind this is described in the previous commit message, -but essentially this should either be wrapped in certificate blocks and -imported as PEM, or converted back to binary and imported as DER. - -I've opted for the latter since it's how it used to work before it -regressed in 157335ee93e. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557 - -Signed-off-by: Gabriel Nagy -Reviewed-by: David Mulder -Reviewed-by: Andreas Schneider -(cherry picked from commit 3f3ddfa699a33c2c8a59f7fb9ee044bb2a6e0e06) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 5 +++-- - selftest/knownfail.d/gpo | 1 - - 2 files changed, 3 insertions(+), 3 deletions(-) - delete mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 08d1a7348cd..cd5e54f1110 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -217,10 +217,11 @@ def getca(ca, url, trust_dir): - ' installed or not configured.') - if 'cACertificate' in ca: - log.warn('Installing the server certificate only.') -+ der_certificate = base64.b64decode(ca['cACertificate']) - try: -- cert = load_der_x509_certificate(ca['cACertificate']) -+ cert = load_der_x509_certificate(der_certificate) - except TypeError: -- cert = load_der_x509_certificate(ca['cACertificate'], -+ cert = load_der_x509_certificate(der_certificate, - default_backend()) - cert_data = cert.public_bytes(Encoding.PEM) - with open(root_cert, 'wb') as w: -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -deleted file mode 100644 -index f1e590bc7d8..00000000000 ---- a/selftest/knownfail.d/gpo -+++ /dev/null -@@ -1 +0,0 @@ --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes --- -2.48.1 - - -From f5fc88f9ae255f4dc135580f0fa4a02f5addc390 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 19 Jan 2024 11:36:19 +0200 -Subject: [PATCH 13/31] gpo: Do not get templates list on first run - -This is a visual fix and has no impact on functionality apart from -cleaner log messages. - -The point of this is to get the list of supported templates in order to -compute a diff between the current applied templates and the updated -list, so we are able to unapply and reapply the policy in case there are -differences. - -However this code path is executed on first applies as well, at which -point the root CA is not yet set up. This causes the -`get_supported_templates` call to fail, which is not a hard failure but -still pollutes the logs. In this case it's safe to avoid executing the -command as the policy will be applied regardless. - -Signed-off-by: Gabriel Nagy -Reviewed-by: David Mulder -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Mon Jan 22 16:48:57 UTC 2024 on atb-devel-224 - -(cherry picked from commit 8579340fc540633c13c017d896034904a8dbd55c) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index cd5e54f1110..559c903e1a2 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -359,7 +359,8 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): - # If the policy has changed, unapply, then apply new policy - old_val = self.cache_get_attribute_value(guid, attribute) - old_data = json.loads(old_val) if old_val is not None else {} -- templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] -+ templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] \ -+ if old_val is not None else [] - new_data = { 'templates': templates, **ca } - if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: - self.unapply(guid, attribute, old_val) --- -2.48.1 - - -From e8a6219181f2af87813b53fd09684650c1aa6f90 Mon Sep 17 00:00:00 2001 -From: David Mulder -Date: Fri, 5 Jan 2024 08:47:07 -0700 -Subject: [PATCH 14/31] gp: Skip site GP list if no site is found - -[MS-GPOL] 3.2.5.1.4 Site Search says if the site -search returns ERROR_NO_SITENAME, the GP site -search should be skipped. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15548 - -Signed-off-by: David Mulder -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Jan 23 11:20:35 UTC 2024 on atb-devel-224 - -(cherry picked from commit f05b61b4991e7f51bd184d76a79f8b50114a0ff3) ---- - python/samba/gp/gpclass.py | 30 ++++++++++++++++++------------ - 1 file changed, 18 insertions(+), 12 deletions(-) - -diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py -index 617ef79350c..babd8f90748 100644 ---- a/python/samba/gp/gpclass.py -+++ b/python/samba/gp/gpclass.py -@@ -866,19 +866,25 @@ def get_gpo_list(dc_hostname, creds, lp, username): - - # (S)ite - if gpo_list_machine: -- site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username) -- - try: -- log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn) -- gp_link = get_gpo_link(samdb, site_dn) -- except ldb.LdbError as e: -- (enum, estr) = e.args -- log.debug(estr) -- else: -- add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list, -- site_dn, gp_link, -- gpo.GP_LINK_SITE, -- add_only_forced_gpos, token) -+ site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username) -+ -+ try: -+ log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn) -+ gp_link = get_gpo_link(samdb, site_dn) -+ except ldb.LdbError as e: -+ (enum, estr) = e.args -+ log.debug(estr) -+ else: -+ add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list, -+ site_dn, gp_link, -+ gpo.GP_LINK_SITE, -+ add_only_forced_gpos, token) -+ except ldb.LdbError: -+ # [MS-GPOL] 3.2.5.1.4 Site Search: If the method returns -+ # ERROR_NO_SITENAME, the remainder of this message MUST be skipped -+ # and the protocol sequence MUST continue at GPO Search -+ pass - - # (L)ocal - gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy", --- -2.48.1 - - -From d0d1a890d6f2466691fa4ee663232ee0bd1c3776 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 14:14:30 +0100 -Subject: [PATCH 15/31] python:gp: Avoid path check for cepces-submit -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -find_cepces_submit() uses which(), which returns None if not found. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 6a9630eff624643fd725219775784e68d967d04c) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 559c903e1a2..7325d5132cf 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -185,7 +185,7 @@ def find_cepces_submit(): - - def get_supported_templates(server): - cepces_submit = find_cepces_submit() -- if not cepces_submit or not os.path.exists(cepces_submit): -+ if not cepces_submit: - log.error('Failed to find cepces-submit') - return [] - -@@ -301,7 +301,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - # Setup Certificate Auto Enrollment - getcert = which('getcert') - cepces_submit = find_cepces_submit() -- if getcert is not None and os.path.exists(cepces_submit): -+ if getcert is not None and cepces_submit is not None: - p = Popen([getcert, 'add-ca', '-c', ca['name'], '-e', - '%s --server=%s --auth=%s' % (cepces_submit, - ca['hostname'], auth)], --- -2.48.1 - - -From 7f6c9a4945635c6eb8ada2255bd0febbf0f4e540 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 14:07:47 +0100 -Subject: [PATCH 16/31] python:gp: Improve logging for certificate enrollment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 6d5507e05050690cd4c56f3f97f5fb7de0338b87) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 7325d5132cf..a25a9678587 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -274,6 +274,9 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - """Install the root certificate chain.""" - data = dict({'files': [], 'templates': []}, **ca) - url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] -+ -+ log.info("Try to get root or server certificates") -+ - root_certs = getca(ca, url, trust_dir) - data['files'].extend(root_certs) - global_trust_dir = find_global_trust_dir() -@@ -283,6 +286,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - try: - os.symlink(src, dst) - data['files'].append(dst) -+ log.info("Created symlink: %s -> %s" % (src, dst)) - except PermissionError: - log.warn('Failed to symlink root certificate to the' - ' admin trust anchors') -@@ -295,9 +299,14 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - # already exists. Ignore the FileExistsError. Preserve the - # existing symlink in the unapply data. - data['files'].append(dst) -+ - update = update_ca_command() -+ log.info("Running %s" % (update)) - if update is not None: -- Popen([update]).wait() -+ ret = Popen([update]).wait() -+ if ret != 0: -+ log.error('Failed to run %s' % (update)) -+ - # Setup Certificate Auto Enrollment - getcert = which('getcert') - cepces_submit = find_cepces_submit() --- -2.48.1 - - -From 5321d5b5bd24d7659743576f2e12a7dc0a93a828 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 15:04:36 +0100 -Subject: [PATCH 17/31] python:gp: Do not print an error, if CA already exists -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We will get an exit status for duplicate in future: -https://www.pagure.io/certmonger/issue/269 -We can't really fix that right now, as older version of certmonger -don't support the `-v` option. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 728757cd1ff0465967fcbda100254c9312e87c93) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index a25a9678587..0b23cd688db 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -318,8 +318,12 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - out, err = p.communicate() - log.debug(out.decode()) - if p.returncode != 0: -- data = { 'Error': err.decode(), 'CA': ca['name'] } -- log.error('Failed to add Certificate Authority', data) -+ if p.returncode == 2: -+ log.info('The CA [%s] already exists' % ca['name']) -+ else: -+ data = {'Error': err.decode(), 'CA': ca['name']} -+ log.error('Failed to add Certificate Authority', data) -+ - supported_templates = get_supported_templates(ca['hostname']) - for template in supported_templates: - attrs = fetch_template_attrs(ldb, template) --- -2.48.1 - - -From 6a7a8a4090b8cdb8e71f4ad590260ceeda253ce2 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 15:05:02 +0100 -Subject: [PATCH 18/31] python:gp: Do not print an error if template already - exists -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We will get an exit status for duplicate in future: -https://www.pagure.io/certmonger/issue/269 -We can't really fix that right now, as older version of certmonger -don't support the `-v` option. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 98dc44286ea102ef7701ccdea26bbde32b523a7e) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 0b23cd688db..db681cb6f69 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -338,8 +338,12 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - out, err = p.communicate() - log.debug(out.decode()) - if p.returncode != 0: -- data = { 'Error': err.decode(), 'Certificate': nickname } -- log.error('Failed to request certificate', data) -+ if p.returncode == 2: -+ log.info('The template [%s] already exists' % (nickname)) -+ else: -+ data = {'Error': err.decode(), 'Certificate': nickname} -+ log.error('Failed to request certificate', data) -+ - data['files'].extend([keyfile, certfile]) - data['templates'].append(nickname) - if update is not None: --- -2.48.1 - - -From 43dc3d5d833bc1db885eb45402decd3225a7c946 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 15:05:24 +0100 -Subject: [PATCH 19/31] python:gp: Log an error if update fails -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 367756b85a9ac8daaac2326392bcd1373feed3b7) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index db681cb6f69..c8ad2039dc6 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -347,7 +347,9 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - data['files'].extend([keyfile, certfile]) - data['templates'].append(nickname) - if update is not None: -- Popen([update]).wait() -+ ret = Popen([update]).wait() -+ if ret != 0: -+ log.error('Failed to run %s' % (update)) - else: - log.warn('certmonger and cepces must be installed for ' + - 'certificate auto enrollment to work') --- -2.48.1 - - -From d8276d6a098d10f405b8f24c4dfb82af4496607c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 15:46:24 +0100 -Subject: [PATCH 20/31] python:gp: Improve working of log messages to avoid - confusion -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We should not use the word "Failed". We are totally fine if we can't -connect to NDES in the meantime. This logs: - -Try to get root or server certificates. -Unable to install root certificates (requires NDES). -Installing the server certificate only. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Mon Jan 29 10:37:29 UTC 2024 on atb-devel-224 - -(cherry picked from commit 1f823424418e814d9dc0785658e2a7d92643dab2) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index c8ad2039dc6..2b7f7d22c2b 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -209,12 +209,10 @@ def getca(ca, url, trust_dir): - r = requests.get(url=url, params={'operation': 'GetCACert', - 'message': 'CAIdentifier'}) - except requests.exceptions.ConnectionError: -- log.warn('Failed to establish a new connection') -+ log.warn('Could not connect to Network Device Enrollment Service.') - r = None - if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html': -- log.warn('Failed to fetch the root certificate chain.') -- log.warn('The Network Device Enrollment Service is either not' + -- ' installed or not configured.') -+ log.warn('Unable to fetch root certificates (requires NDES).') - if 'cACertificate' in ca: - log.warn('Installing the server certificate only.') - der_certificate = base64.b64decode(ca['cACertificate']) --- -2.48.1 - - -From 585357bf0d8889747a2769c2451ee34766087d95 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 29 Jan 2024 17:46:30 +0100 -Subject: [PATCH 21/31] python:gp: Fix logging with gp - -This allows enable INFO level logging with: `samba-gpupdate -d3` - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15558 - -Signed-off-by: Andreas Schneider -Reviewed-by: Joseph Sutton -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Jan 30 07:18:05 UTC 2024 on atb-devel-224 - -(cherry picked from commit 145194071b10c4c1857f28fe79c57fd63ffab889) ---- - python/samba/gp/util/logging.py | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/python/samba/gp/util/logging.py b/python/samba/gp/util/logging.py -index a74a8707d50..c3de32825db 100644 ---- a/python/samba/gp/util/logging.py -+++ b/python/samba/gp/util/logging.py -@@ -24,9 +24,10 @@ import gettext - import random - import sys - --logger = logging.getLogger() -+logger = logging.getLogger("gp") -+ -+ - def logger_init(name, log_level): -- logger = logging.getLogger(name) - logger.addHandler(logging.StreamHandler(sys.stdout)) - logger.setLevel(logging.CRITICAL) - if log_level == 1: --- -2.48.1 - - -From 14ceb0b5f2f954bbabdaf78b8185fc515e3c8294 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Wed, 13 Mar 2024 13:55:41 +0100 -Subject: [PATCH 22/31] docs-xml: Add parameter all_groupmem to idmap_ad -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider -(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c) ---- - docs-xml/manpages/idmap_ad.8.xml | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml -index b364bbfa231..de6d36afe95 100644 ---- a/docs-xml/manpages/idmap_ad.8.xml -+++ b/docs-xml/manpages/idmap_ad.8.xml -@@ -100,6 +100,16 @@ - - - -+ all_groupmem = yes/no -+ -+ If set to yes winbind will retrieve all -+ group members for getgrnam(3), getgrgid(3) and getgrent(3) calls, -+ including those with missing uidNumber. -+ -+ Default: no -+ -+ -+ - deny ous - This parameter is a list of OUs from - which objects will not be mapped via the ad idmap --- -2.48.1 - - -From ac4184c8c3220263cb6f1a46a012533ed1c4e047 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 12 Mar 2024 13:20:24 +0100 -Subject: [PATCH 23/31] s3:winbindd: Improve performance of lookup_groupmem() - in idmap_ad -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The LDAP query of lookup_groupmem() returns all group members from AD -even those with missing uidNumber. Such group members are useless in -UNIX environment for idmap_ad backend since there is no uid mapping. - -'test_user' is member of group "Domanin Users" with 200K members, -only 20K members have set uidNumber. - -Without this fix: - -$ time id test_user - -real 1m5.946s -user 0m0.019s -sys 0m0.012s - -With this fix: - -$ time id test_user - -real 0m3.544s -user 0m0.004s -sys 0m0.007s - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider -(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf) ---- - source3/winbindd/winbindd_ads.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index d7a665abbc6..e625aa6473f 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -1037,7 +1037,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, - } - - static NTSTATUS add_primary_group_members( -- ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, -+ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname, - char ***all_members, size_t *num_all_members) - { - char *filter; -@@ -1049,10 +1049,13 @@ static NTSTATUS add_primary_group_members( - char **members; - size_t num_members; - ads_control args; -+ bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false); - - filter = talloc_asprintf( -- mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))", -- (unsigned)rid); -+ mem_ctx, -+ "(&(objectCategory=user)(primaryGroupID=%u)%s)", -+ (unsigned)rid, -+ all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))"); - if (filter == NULL) { - goto done; - } -@@ -1204,7 +1207,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - - DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); - -- status = add_primary_group_members(ads, mem_ctx, rid, -+ status = add_primary_group_members(ads, mem_ctx, rid, domain->name, - &members, &num_members); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("%s: add_primary_group_members failed: %s\n", --- -2.48.1 - - -From d0e2002efcc37055b35c351a6b936e6ab89fad32 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 25 Mar 2024 22:38:18 +0100 -Subject: [PATCH 24/31] selftest: Add "winbind expand groups = 1" to - setup_ad_member_idmap_ad -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider -(backported from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a) ---- - selftest/target/Samba3.pm | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 44ac4a5901a..606c65f8ab1 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1412,6 +1412,7 @@ sub setup_ad_member_idmap_ad - idmap config $dcvars->{TRUST_DOMAIN} : backend = ad - idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 - gensec_gssapi:requested_life_time = 5 -+ winbind expand groups = 1 - "; - - my $ret = $self->provision( --- -2.48.1 - - -From 9625b6aed981aa4e70fe11d9d1acdb54db7591a3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Thu, 14 Mar 2024 15:24:21 +0100 -Subject: [PATCH 25/31] tests: Add a test for "all_groups=no" to - test_idmap_ad.sh -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Pavel Filipensky -Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224 - -(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967) ---- - nsswitch/tests/test_idmap_ad.sh | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh -index 7ae112ada71..1d4bd395ba9 100755 ---- a/nsswitch/tests/test_idmap_ad.sh -+++ b/nsswitch/tests/test_idmap_ad.sh -@@ -94,6 +94,14 @@ gidNumber: 2000001 - unixHomeDirectory: /home/forbidden - loginShell: /bin/tcsh - gecos: User in forbidden OU -+ -+dn: CN=no_posix_id,CN=Users,$BASE_DN -+changetype: add -+objectClass: user -+samaccountName: no_posix_id -+unixHomeDirectory: /home/no_posix_id -+loginShell: /bin/sh -+gecos: User without uidNumber and gidNumber - EOF - - # -@@ -171,6 +179,17 @@ then - failed=$(($failed + 1)) - fi - -+# -+# Test 6: Make sure that with the default "all_groups=no" -+# the group "domain users" will not show user "no_posix_id" -+# but will show "SAMBA2008R2/administrator" -+# -+ -+dom_users="$DOMAIN/domain users" # Extra step to make sure that all is one word -+out="$($wbinfo --group-info "$dom_users")" -+testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr $failed + 1) -+testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || failed=$(expr $failed + 1) -+ - # - # Trusted domain test 1: Test uid of Administrator, should be 2500000 - # -@@ -241,6 +260,9 @@ gidNumber: 2000002 - dn: cn=forbidden,ou=sub,$BASE_DN - changetype: delete - -+dn: CN=no_posix_id,CN=Users,$BASE_DN -+changetype: delete -+ - dn: ou=sub,$BASE_DN - changetype: delete - EOF --- -2.48.1 - - -From e5890e63c35a4a5af29ae16e6dd734c4a3a304cc Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 28 May 2024 13:51:53 +0200 -Subject: [PATCH 26/31] s3:libads: Allow get_kdc_ip_string() to lookup the KDCs - IP - -Remove the requirement to provide an IP address. We should look up the -IP of the KDC and use it for the specified realm/workgroup. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 28aa0b815baf4668e3df01d52597c40fd430e2fb) ---- - source3/libads/kerberos.c | 30 +++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 50f4a6de3c6..ddf97c11973 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -437,23 +437,23 @@ static char *get_kdc_ip_string(char *mem_ctx, - char *kdc_str = NULL; - char *canon_sockaddr = NULL; - -- SMB_ASSERT(pss != NULL); -- -- canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); -- if (canon_sockaddr == NULL) { -- goto out; -- } -+ if (pss != NULL) { -+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); -+ if (canon_sockaddr == NULL) { -+ goto out; -+ } - -- kdc_str = talloc_asprintf(frame, -- "\t\tkdc = %s\n", -- canon_sockaddr); -- if (kdc_str == NULL) { -- goto out; -- } -+ kdc_str = talloc_asprintf(frame, -+ "\t\tkdc = %s\n", -+ canon_sockaddr); -+ if (kdc_str == NULL) { -+ goto out; -+ } - -- ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); -- if (!ok) { -- goto out; -+ ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); -+ if (!ok) { -+ goto out; -+ } - } - - /* --- -2.48.1 - - -From 96a1ecd8db249fa03db60259cf76fdef9c1bd749 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 28 May 2024 13:53:51 +0200 -Subject: [PATCH 27/31] s3:libads: Do not fail if we don't get an IP passed - down - -The IP should be optional and we should look it up if not provided. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2) ---- - source3/libads/kerberos.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index ddf97c11973..f74d8eb567c 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -704,7 +704,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, - return false; - } - -- if (domain == NULL || pss == NULL) { -+ if (domain == NULL) { - return false; - } - --- -2.48.1 - - -From 4934642b7a7d92c6d81ba25ef6e4b66e3805f708 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 28 May 2024 13:54:24 +0200 -Subject: [PATCH 28/31] s3:winbind: Fix idmap_ad creating an invalid local - krb5.conf - -In case of a trusted domain, we are providing the realm of the primary -trust but specify the KDC IP of the trusted domain. This leads to -Kerberos ticket requests to the trusted domain KDC which doesn't know -about the machine account. However we need a ticket from our primary -trust KDC. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(backported from commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee) ---- - source3/winbindd/idmap_ad.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c -index 5c9fe07db95..b8002825161 100644 ---- a/source3/winbindd/idmap_ad.c -+++ b/source3/winbindd/idmap_ad.c -@@ -320,7 +320,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, - struct tldap_context **pld) - { - struct netr_DsRGetDCNameInfo *dcinfo; -- struct sockaddr_storage dcaddr; -+ struct sockaddr_storage dcaddr = { -+ .ss_family = AF_UNSPEC, -+ }; -+ struct sockaddr_storage *pdcaddr = NULL; - struct cli_credentials *creds; - struct loadparm_context *lp_ctx; - struct tldap_context *ld; -@@ -362,9 +365,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, - * create_local_private_krb5_conf_for_domain() can deal with - * sitename==NULL - */ -+ if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup())) -+ { -+ pdcaddr = &dcaddr; -+ } - - ok = create_local_private_krb5_conf_for_domain( -- lp_realm(), lp_workgroup(), sitename, &dcaddr); -+ lp_realm(), lp_workgroup(), sitename, pdcaddr); - TALLOC_FREE(sitename); - if (!ok) { - DBG_DEBUG("Could not create private krb5.conf\n"); --- -2.48.1 - - -From cccc902c64c93db317bf4707d0af5e56b2887286 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jul 2024 12:26:55 +0200 -Subject: [PATCH 29/31] s3:notifyd: Use a watcher per db record -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This fixes a O(n²) performance regression in notifyd. The problem was -that we had a watcher per notify instance. This changes the code to have -a watcher per notify db entry. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14430 - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Oct 1 14:22:43 UTC 2024 on atb-devel-224 - -(cherry picked from commit af011b987a4ad0d3753d83cc0b8d97ad64ba874a) ---- - source3/smbd/notifyd/notifyd.c | 214 ++++++++++++++++++------- - source3/smbd/notifyd/notifyd_db.c | 5 +- - source3/smbd/notifyd/notifyd_entry.c | 51 ++++-- - source3/smbd/notifyd/notifyd_private.h | 46 ++++-- - 4 files changed, 228 insertions(+), 88 deletions(-) - -diff --git a/source3/smbd/notifyd/notifyd.c b/source3/smbd/notifyd/notifyd.c -index ca303bd4d51..b368b8390fa 100644 ---- a/source3/smbd/notifyd/notifyd.c -+++ b/source3/smbd/notifyd/notifyd.c -@@ -337,6 +337,7 @@ static bool notifyd_apply_rec_change( - struct messaging_context *msg_ctx) - { - struct db_record *rec = NULL; -+ struct notifyd_watcher watcher = {}; - struct notifyd_instance *instances = NULL; - size_t num_instances; - size_t i; -@@ -344,6 +345,7 @@ static bool notifyd_apply_rec_change( - TDB_DATA value; - NTSTATUS status; - bool ok = false; -+ bool new_watcher = false; - - if (pathlen == 0) { - DBG_WARNING("pathlen==0\n"); -@@ -374,8 +376,12 @@ static bool notifyd_apply_rec_change( - value = dbwrap_record_get_value(rec); - - if (value.dsize != 0) { -- if (!notifyd_parse_entry(value.dptr, value.dsize, NULL, -- &num_instances)) { -+ ok = notifyd_parse_entry(value.dptr, -+ value.dsize, -+ &watcher, -+ NULL, -+ &num_instances); -+ if (!ok) { - goto fail; - } - } -@@ -390,8 +396,22 @@ static bool notifyd_apply_rec_change( - goto fail; - } - -- if (value.dsize != 0) { -- memcpy(instances, value.dptr, value.dsize); -+ if (num_instances > 0) { -+ struct notifyd_instance *tmp = NULL; -+ size_t num_tmp = 0; -+ -+ ok = notifyd_parse_entry(value.dptr, -+ value.dsize, -+ NULL, -+ &tmp, -+ &num_tmp); -+ if (!ok) { -+ goto fail; -+ } -+ -+ memcpy(instances, -+ tmp, -+ sizeof(struct notifyd_instance) * num_tmp); - } - - for (i=0; ifilter, -- .internal_subdir_filter = chg->subdir_filter - }; - - num_instances += 1; - } - -- if ((instance->instance.filter != 0) || -- (instance->instance.subdir_filter != 0)) { -- int ret; -+ /* -+ * Calculate an intersection of the instances filters for the watcher. -+ */ -+ if (instance->instance.filter > 0) { -+ uint32_t filter = instance->instance.filter; -+ -+ if ((watcher.filter & filter) != filter) { -+ watcher.filter |= filter; -+ -+ new_watcher = true; -+ } -+ } -+ -+ /* -+ * Calculate an intersection of the instances subdir_filters for the -+ * watcher. -+ */ -+ if (instance->instance.subdir_filter > 0) { -+ uint32_t subdir_filter = instance->instance.subdir_filter; - -- TALLOC_FREE(instance->sys_watch); -+ if ((watcher.subdir_filter & subdir_filter) != subdir_filter) { -+ watcher.subdir_filter |= subdir_filter; - -- ret = sys_notify_watch(entries, sys_notify_ctx, path, -- &instance->internal_filter, -- &instance->internal_subdir_filter, -- notifyd_sys_callback, msg_ctx, -- &instance->sys_watch); -- if (ret != 0) { -- DBG_WARNING("sys_notify_watch for [%s] returned %s\n", -- path, strerror(errno)); -+ new_watcher = true; - } - } - - if ((instance->instance.filter == 0) && - (instance->instance.subdir_filter == 0)) { -+ uint32_t tmp_filter = 0; -+ uint32_t tmp_subdir_filter = 0; -+ - /* This is a delete request */ -- TALLOC_FREE(instance->sys_watch); - *instance = instances[num_instances-1]; - num_instances -= 1; -+ -+ for (i = 0; i < num_instances; i++) { -+ struct notifyd_instance *tmp = &instances[i]; -+ -+ tmp_filter |= tmp->instance.filter; -+ tmp_subdir_filter |= tmp->instance.subdir_filter; -+ } -+ -+ /* -+ * If the filter has changed, register a new watcher with the -+ * changed filter. -+ */ -+ if (watcher.filter != tmp_filter || -+ watcher.subdir_filter != tmp_subdir_filter) -+ { -+ watcher.filter = tmp_filter; -+ watcher.subdir_filter = tmp_subdir_filter; -+ -+ new_watcher = true; -+ } -+ } -+ -+ if (new_watcher) { -+ /* -+ * In case we removed all notify instances, we want to remove -+ * the watcher. We won't register a new one, if no filters are -+ * set anymore. -+ */ -+ -+ TALLOC_FREE(watcher.sys_watch); -+ -+ watcher.sys_filter = watcher.filter; -+ watcher.sys_subdir_filter = watcher.subdir_filter; -+ -+ /* -+ * Only register a watcher if we have filter. -+ */ -+ if (watcher.filter != 0 || watcher.subdir_filter != 0) { -+ int ret = sys_notify_watch(entries, -+ sys_notify_ctx, -+ path, -+ &watcher.sys_filter, -+ &watcher.sys_subdir_filter, -+ notifyd_sys_callback, -+ msg_ctx, -+ &watcher.sys_watch); -+ if (ret != 0) { -+ DBG_WARNING("sys_notify_watch for [%s] " -+ "returned %s\n", -+ path, -+ strerror(errno)); -+ } -+ } - } - - DBG_DEBUG("%s has %zu instances\n", path, num_instances); - - if (num_instances == 0) { -+ TALLOC_FREE(watcher.sys_watch); -+ - status = dbwrap_record_delete(rec); - if (!NT_STATUS_IS_OK(status)) { - DBG_WARNING("dbwrap_record_delete returned %s\n", -@@ -456,13 +541,21 @@ static bool notifyd_apply_rec_change( - goto fail; - } - } else { -- value = make_tdb_data( -- (uint8_t *)instances, -- sizeof(struct notifyd_instance) * num_instances); -+ struct TDB_DATA iov[2] = { -+ { -+ .dptr = (uint8_t *)&watcher, -+ .dsize = sizeof(struct notifyd_watcher), -+ }, -+ { -+ .dptr = (uint8_t *)instances, -+ .dsize = sizeof(struct notifyd_instance) * -+ num_instances, -+ }, -+ }; - -- status = dbwrap_record_store(rec, value, 0); -+ status = dbwrap_record_storev(rec, iov, ARRAY_SIZE(iov), 0); - if (!NT_STATUS_IS_OK(status)) { -- DBG_WARNING("dbwrap_record_store returned %s\n", -+ DBG_WARNING("dbwrap_record_storev returned %s\n", - nt_errstr(status)); - goto fail; - } -@@ -706,12 +799,18 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data, - .when = tstate->msg->when }; - struct iovec iov[2]; - size_t path_len = key.dsize; -+ struct notifyd_watcher watcher = {}; - struct notifyd_instance *instances = NULL; - size_t num_instances = 0; - size_t i; -+ bool ok; - -- if (!notifyd_parse_entry(data.dptr, data.dsize, &instances, -- &num_instances)) { -+ ok = notifyd_parse_entry(data.dptr, -+ data.dsize, -+ &watcher, -+ &instances, -+ &num_instances); -+ if (!ok) { - DBG_DEBUG("Could not parse notifyd_entry\n"); - return; - } -@@ -734,9 +833,11 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data, - - if (tstate->covered_by_sys_notify) { - if (tstate->recursive) { -- i_filter = instance->internal_subdir_filter; -+ i_filter = watcher.sys_subdir_filter & -+ instance->instance.subdir_filter; - } else { -- i_filter = instance->internal_filter; -+ i_filter = watcher.sys_filter & -+ instance->instance.filter; - } - } else { - if (tstate->recursive) { -@@ -1142,46 +1243,39 @@ static int notifyd_add_proxy_syswatches(struct db_record *rec, - struct db_context *db = dbwrap_record_get_db(rec); - TDB_DATA key = dbwrap_record_get_key(rec); - TDB_DATA value = dbwrap_record_get_value(rec); -- struct notifyd_instance *instances = NULL; -- size_t num_instances = 0; -- size_t i; -+ struct notifyd_watcher watcher = {}; - char path[key.dsize+1]; - bool ok; -+ int ret; - - memcpy(path, key.dptr, key.dsize); - path[key.dsize] = '\0'; - -- ok = notifyd_parse_entry(value.dptr, value.dsize, &instances, -- &num_instances); -+ /* This is a remote database, we just need the watcher. */ -+ ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL); - if (!ok) { - DBG_WARNING("Could not parse notifyd entry for %s\n", path); - return 0; - } - -- for (i=0; iinstance.filter; -- uint32_t subdir_filter = instance->instance.subdir_filter; -- int ret; -+ watcher.sys_watch = NULL; -+ watcher.sys_filter = watcher.filter; -+ watcher.sys_subdir_filter = watcher.subdir_filter; - -- /* -- * This is a remote database. Pointers that we were -- * given don't make sense locally. Initialize to NULL -- * in case sys_notify_watch fails. -- */ -- instances[i].sys_watch = NULL; -- -- ret = state->sys_notify_watch( -- db, state->sys_notify_ctx, path, -- &filter, &subdir_filter, -- notifyd_sys_callback, state->msg_ctx, -- &instance->sys_watch); -- if (ret != 0) { -- DBG_WARNING("inotify_watch returned %s\n", -- strerror(errno)); -- } -+ ret = state->sys_notify_watch(db, -+ state->sys_notify_ctx, -+ path, -+ &watcher.filter, -+ &watcher.subdir_filter, -+ notifyd_sys_callback, -+ state->msg_ctx, -+ &watcher.sys_watch); -+ if (ret != 0) { -+ DBG_WARNING("inotify_watch returned %s\n", strerror(errno)); - } - -+ memcpy(value.dptr, &watcher, sizeof(struct notifyd_watcher)); -+ - return 0; - } - -@@ -1189,21 +1283,17 @@ static int notifyd_db_del_syswatches(struct db_record *rec, void *private_data) - { - TDB_DATA key = dbwrap_record_get_key(rec); - TDB_DATA value = dbwrap_record_get_value(rec); -- struct notifyd_instance *instances = NULL; -- size_t num_instances = 0; -- size_t i; -+ struct notifyd_watcher watcher = {}; - bool ok; - -- ok = notifyd_parse_entry(value.dptr, value.dsize, &instances, -- &num_instances); -+ ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL); - if (!ok) { - DBG_WARNING("Could not parse notifyd entry for %.*s\n", - (int)key.dsize, (char *)key.dptr); - return 0; - } -- for (i=0; ientries database - */ - --bool notifyd_parse_entry( -- uint8_t *buf, -- size_t buflen, -- struct notifyd_instance **instances, -- size_t *num_instances) -+/** -+ * @brief Parse a notifyd database entry. -+ * -+ * The memory we pass down needs to be aligned. If it isn't aligned we can run -+ * into obscure errors as we just point into the data buffer. -+ * -+ * @param data The data to parse -+ * @param data_len The length of the data to parse -+ * @param watcher A pointer to store the watcher data or NULL. -+ * @param instances A pointer to store the array of notify instances or NULL. -+ * @param pnum_instances The number of elements in the array. If you just want -+ * the number of elements pass NULL for the watcher and instances pointers. -+ * -+ * @return true on success, false if an error occurred. -+ */ -+bool notifyd_parse_entry(uint8_t *data, -+ size_t data_len, -+ struct notifyd_watcher *watcher, -+ struct notifyd_instance **instances, -+ size_t *pnum_instances) - { -- if ((buflen % sizeof(struct notifyd_instance)) != 0) { -- DBG_WARNING("invalid buffer size: %zu\n", buflen); -+ size_t ilen; -+ -+ if (data_len < sizeof(struct notifyd_watcher)) { - return false; - } - -- if (instances != NULL) { -- *instances = (struct notifyd_instance *)buf; -+ if (watcher != NULL) { -+ *watcher = *((struct notifyd_watcher *)(uintptr_t)data); - } -- if (num_instances != NULL) { -- *num_instances = buflen / sizeof(struct notifyd_instance); -+ -+ ilen = data_len - sizeof(struct notifyd_watcher); -+ if ((ilen % sizeof(struct notifyd_instance)) != 0) { -+ return false; -+ } -+ -+ if (pnum_instances != NULL) { -+ *pnum_instances = ilen / sizeof(struct notifyd_instance); - } -+ if (instances != NULL) { -+ /* The (uintptr_t) cast removes a warning from -Wcast-align. */ -+ *instances = -+ (struct notifyd_instance *)(uintptr_t) -+ (data + sizeof(struct notifyd_watcher)); -+ } -+ - return true; - } -diff --git a/source3/smbd/notifyd/notifyd_private.h b/source3/smbd/notifyd/notifyd_private.h -index 36c08f47c54..db8e6e1c005 100644 ---- a/source3/smbd/notifyd/notifyd_private.h -+++ b/source3/smbd/notifyd/notifyd_private.h -@@ -20,30 +20,48 @@ - #include "lib/util/server_id.h" - #include "notifyd.h" - -+ - /* -- * notifyd's representation of a notify instance -+ * Representation of a watcher for a path -+ * -+ * This will be stored in the db. - */ --struct notifyd_instance { -- struct server_id client; -- struct notify_instance instance; -- -- void *sys_watch; /* inotify/fam/etc handle */ -+struct notifyd_watcher { -+ /* -+ * This is an intersections of the filter the watcher is listening for. -+ */ -+ uint32_t filter; -+ uint32_t subdir_filter; - - /* -- * Filters after sys_watch took responsibility of some bits -+ * Those are inout variables passed to the sys_watcher. The sys_watcher -+ * will remove the bits it can't handle. - */ -- uint32_t internal_filter; -- uint32_t internal_subdir_filter; -+ uint32_t sys_filter; -+ uint32_t sys_subdir_filter; -+ -+ /* The handle for inotify/fam etc. */ -+ void *sys_watch; -+}; -+ -+/* -+ * Representation of a notifyd instance -+ * -+ * This will be stored in the db. -+ */ -+struct notifyd_instance { -+ struct server_id client; -+ struct notify_instance instance; - }; - - /* - * Parse an entry in the notifyd_context->entries database - */ - --bool notifyd_parse_entry( -- uint8_t *buf, -- size_t buflen, -- struct notifyd_instance **instances, -- size_t *num_instances); -+bool notifyd_parse_entry(uint8_t *data, -+ size_t data_len, -+ struct notifyd_watcher *watcher, -+ struct notifyd_instance **instances, -+ size_t *num_instances); - - #endif --- -2.48.1 - - -From b04cb93ee52aac0ce7213d0581d69e852df52d4a Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Mon, 5 Feb 2024 15:03:48 +0100 -Subject: [PATCH 30/31] smbd: simplify handling of failing fstat() after - unlinking file - -close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the -fstat() triggered in fd_close() by fsp->fsp_flags.fstat_before_close being true. - -This avoids getting an EACCESS error when doing an fstat() on the removed file -which seems to happen with some FUSE filesystems. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527 - -Signed-off-by: Ralph Boehme -Reviewed-by: Jeremy Allison -(cherry picked from commit 6e6324cff29089a636823786183222a73fe7cb28) ---- - source3/smbd/close.c | 1 + - source3/smbd/open.c | 15 +-------------- - 2 files changed, 2 insertions(+), 14 deletions(-) - -diff --git a/source3/smbd/close.c b/source3/smbd/close.c -index af5e78daa10..e16cb2d3485 100644 ---- a/source3/smbd/close.c -+++ b/source3/smbd/close.c -@@ -603,6 +603,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp, - */ - - fsp->fsp_flags.delete_on_close = false; -+ fsp->fsp_flags.fstat_before_close = false; - lck_state.reset_delete_on_close = true; - - done: -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index 3581c4b9173..93c12e00eb0 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -997,20 +997,7 @@ NTSTATUS fd_close(files_struct *fsp) - if (fsp->fsp_flags.fstat_before_close) { - status = vfs_stat_fsp(fsp); - if (!NT_STATUS_IS_OK(status)) { -- /* -- * If this is a stream and delete-on-close was set, the -- * backing object (an xattr from streams_xattr) might -- * already be deleted so fstat() fails with -- * NT_STATUS_NOT_FOUND. So if fsp refers to a stream we -- * ignore the error and only bail for normal files where -- * an fstat() should still work. NB. We cannot use -- * fsp_is_alternate_stream(fsp) for this as the base_fsp -- * has already been closed at this point and so the value -- * fsp_is_alternate_stream() checks for is already NULL. -- */ -- if (fsp->fsp_name->stream_name == NULL) { -- return status; -- } -+ return status; - } - } - --- -2.48.1 - - -From 29f0c0fb2f1cb0cfc4c615d31e82048b46a2cb0d Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Tue, 20 Feb 2024 09:26:29 +0000 -Subject: [PATCH 31/31] s3/smbd: If we fail to close file_handle ensure we - should reset the fd - -if fsp_flags.fstat_before_close == true then close_file_smb will call -vfs_stat which can fail. If it does fail then the fd associated -with the file handle will still be set (and we will hit an assert -is the file handle destructor) when calling file_free. -We need to set fd to -1 to avoid that. To achieve that we capture and -return the vfs_stat_fsp failure status while still processing the rest -of the fd_close logic. - -[2024/02/20 09:23:48.454671, 0, pid=9744] ../../source3/smbd/smb2_close.c:226(smbd_smb2_close) - smbd_smb2_close: close_file[]: NT_STATUS_ACCESS_DENIED -[2024/02/20 09:23:48.454757, 0, pid=9744] ../../source3/smbd/fd_handle.c:40(fd_handle_destructor) - PANIC: assert failed at ../../source3/smbd/fd_handle.c(40): (fh->fd == -1) || (fh->fd == AT_FDCWD) -[2024/02/20 09:23:48.454781, 0, pid=9744] ../../lib/util/fault.c:178(smb_panic_log) - =============================================================== -[2024/02/20 09:23:48.454804, 0, pid=9744] ../../lib/util/fault.c:185(smb_panic_log) - INTERNAL ERROR: assert failed: (fh->fd == -1) || (fh->fd == AT_FDCWD) in smbd (smbd[192.168.10) (client [192.168.100.15]) pid 9744 (4.21.0pre1-DEVELOPERBUILD) -[2024/02/20 09:23:48.454844, 0, pid=9744] ../../lib/util/fault.c:190(smb_panic_log) - If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting -[2024/02/20 09:23:48.454869, 0, pid=9744] ../../lib/util/fault.c:191(smb_panic_log) - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527 -Signed-off-by: Noel Power -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Noel Power -Autobuild-Date(master): Wed Mar 13 10:34:45 UTC 2024 on atb-devel-224 - -(cherry picked from commit 6ee3f809a54d7b833ff798e68a93ada00a215d4d) ---- - source3/smbd/open.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index 93c12e00eb0..74be444fef5 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -987,7 +987,7 @@ NTSTATUS fd_openat(const struct files_struct *dirfsp, - - NTSTATUS fd_close(files_struct *fsp) - { -- NTSTATUS status; -+ NTSTATUS stat_status = NT_STATUS_OK; - int ret; - - if (fsp == fsp->conn->cwd_fsp) { -@@ -995,10 +995,12 @@ NTSTATUS fd_close(files_struct *fsp) - } - - if (fsp->fsp_flags.fstat_before_close) { -- status = vfs_stat_fsp(fsp); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -+ /* -+ * capture status, if failure -+ * continue close processing -+ * and return status -+ */ -+ stat_status = vfs_stat_fsp(fsp); - } - - if (fsp->dptr) { -@@ -1020,7 +1022,7 @@ NTSTATUS fd_close(files_struct *fsp) - if (ret == -1) { - return map_nt_error_from_unix(errno); - } -- return NT_STATUS_OK; -+ return stat_status; - } - - /**************************************************************************** --- -2.48.1 - diff --git a/SOURCES/samba-4.19.4.tar.asc b/SOURCES/samba-4.19.4.tar.asc deleted file mode 100644 index c4690ac..0000000 --- a/SOURCES/samba-4.19.4.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA -tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub -Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ -2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq -XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln -iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x -svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar -JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8 -ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ -vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo -+NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++ -1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY= -=kOPP ------END PGP SIGNATURE----- diff --git a/SOURCES/pam_winbind.conf b/pam_winbind.conf similarity index 100% rename from SOURCES/pam_winbind.conf rename to pam_winbind.conf diff --git a/redhat-4.21.patch b/redhat-4.21.patch new file mode 100644 index 0000000..1f78869 --- /dev/null +++ b/redhat-4.21.patch @@ -0,0 +1,2582 @@ +From 9032322cc713e82a316b271bb2fa0a867c69b021 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 22 Jul 2024 12:26:55 +0200 +Subject: [PATCH 1/6] s3:notifyd: Use a watcher per db record +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes a O(n²) performance regression in notifyd. The problem was +that we had a watcher per notify instance. This changes the code to have +a watcher per notify db entry. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14430 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit af011b987a4ad0d3753d83cc0b8d97ad64ba874a) +--- + source3/smbd/notifyd/notifyd.c | 214 ++++++++++++++++++------- + source3/smbd/notifyd/notifyd_db.c | 5 +- + source3/smbd/notifyd/notifyd_entry.c | 51 ++++-- + source3/smbd/notifyd/notifyd_private.h | 46 ++++-- + 4 files changed, 228 insertions(+), 88 deletions(-) + +diff --git a/source3/smbd/notifyd/notifyd.c b/source3/smbd/notifyd/notifyd.c +index 64dd26a7e11..0b07ab3e435 100644 +--- a/source3/smbd/notifyd/notifyd.c ++++ b/source3/smbd/notifyd/notifyd.c +@@ -337,6 +337,7 @@ static bool notifyd_apply_rec_change( + struct messaging_context *msg_ctx) + { + struct db_record *rec = NULL; ++ struct notifyd_watcher watcher = {}; + struct notifyd_instance *instances = NULL; + size_t num_instances; + size_t i; +@@ -344,6 +345,7 @@ static bool notifyd_apply_rec_change( + TDB_DATA value; + NTSTATUS status; + bool ok = false; ++ bool new_watcher = false; + + if (pathlen == 0) { + DBG_WARNING("pathlen==0\n"); +@@ -374,8 +376,12 @@ static bool notifyd_apply_rec_change( + value = dbwrap_record_get_value(rec); + + if (value.dsize != 0) { +- if (!notifyd_parse_entry(value.dptr, value.dsize, NULL, +- &num_instances)) { ++ ok = notifyd_parse_entry(value.dptr, ++ value.dsize, ++ &watcher, ++ NULL, ++ &num_instances); ++ if (!ok) { + goto fail; + } + } +@@ -390,8 +396,22 @@ static bool notifyd_apply_rec_change( + goto fail; + } + +- if (value.dsize != 0) { +- memcpy(instances, value.dptr, value.dsize); ++ if (num_instances > 0) { ++ struct notifyd_instance *tmp = NULL; ++ size_t num_tmp = 0; ++ ++ ok = notifyd_parse_entry(value.dptr, ++ value.dsize, ++ NULL, ++ &tmp, ++ &num_tmp); ++ if (!ok) { ++ goto fail; ++ } ++ ++ memcpy(instances, ++ tmp, ++ sizeof(struct notifyd_instance) * num_tmp); + } + + for (i=0; ifilter, +- .internal_subdir_filter = chg->subdir_filter + }; + + num_instances += 1; + } + +- if ((instance->instance.filter != 0) || +- (instance->instance.subdir_filter != 0)) { +- int ret; ++ /* ++ * Calculate an intersection of the instances filters for the watcher. ++ */ ++ if (instance->instance.filter > 0) { ++ uint32_t filter = instance->instance.filter; ++ ++ if ((watcher.filter & filter) != filter) { ++ watcher.filter |= filter; ++ ++ new_watcher = true; ++ } ++ } ++ ++ /* ++ * Calculate an intersection of the instances subdir_filters for the ++ * watcher. ++ */ ++ if (instance->instance.subdir_filter > 0) { ++ uint32_t subdir_filter = instance->instance.subdir_filter; + +- TALLOC_FREE(instance->sys_watch); ++ if ((watcher.subdir_filter & subdir_filter) != subdir_filter) { ++ watcher.subdir_filter |= subdir_filter; + +- ret = sys_notify_watch(entries, sys_notify_ctx, path, +- &instance->internal_filter, +- &instance->internal_subdir_filter, +- notifyd_sys_callback, msg_ctx, +- &instance->sys_watch); +- if (ret != 0) { +- DBG_WARNING("sys_notify_watch for [%s] returned %s\n", +- path, strerror(errno)); ++ new_watcher = true; + } + } + + if ((instance->instance.filter == 0) && + (instance->instance.subdir_filter == 0)) { ++ uint32_t tmp_filter = 0; ++ uint32_t tmp_subdir_filter = 0; ++ + /* This is a delete request */ +- TALLOC_FREE(instance->sys_watch); + *instance = instances[num_instances-1]; + num_instances -= 1; ++ ++ for (i = 0; i < num_instances; i++) { ++ struct notifyd_instance *tmp = &instances[i]; ++ ++ tmp_filter |= tmp->instance.filter; ++ tmp_subdir_filter |= tmp->instance.subdir_filter; ++ } ++ ++ /* ++ * If the filter has changed, register a new watcher with the ++ * changed filter. ++ */ ++ if (watcher.filter != tmp_filter || ++ watcher.subdir_filter != tmp_subdir_filter) ++ { ++ watcher.filter = tmp_filter; ++ watcher.subdir_filter = tmp_subdir_filter; ++ ++ new_watcher = true; ++ } ++ } ++ ++ if (new_watcher) { ++ /* ++ * In case we removed all notify instances, we want to remove ++ * the watcher. We won't register a new one, if no filters are ++ * set anymore. ++ */ ++ ++ TALLOC_FREE(watcher.sys_watch); ++ ++ watcher.sys_filter = watcher.filter; ++ watcher.sys_subdir_filter = watcher.subdir_filter; ++ ++ /* ++ * Only register a watcher if we have filter. ++ */ ++ if (watcher.filter != 0 || watcher.subdir_filter != 0) { ++ int ret = sys_notify_watch(entries, ++ sys_notify_ctx, ++ path, ++ &watcher.sys_filter, ++ &watcher.sys_subdir_filter, ++ notifyd_sys_callback, ++ msg_ctx, ++ &watcher.sys_watch); ++ if (ret != 0) { ++ DBG_WARNING("sys_notify_watch for [%s] " ++ "returned %s\n", ++ path, ++ strerror(errno)); ++ } ++ } + } + + DBG_DEBUG("%s has %zu instances\n", path, num_instances); + + if (num_instances == 0) { ++ TALLOC_FREE(watcher.sys_watch); ++ + status = dbwrap_record_delete(rec); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("dbwrap_record_delete returned %s\n", +@@ -456,13 +541,21 @@ static bool notifyd_apply_rec_change( + goto fail; + } + } else { +- value = make_tdb_data( +- (uint8_t *)instances, +- sizeof(struct notifyd_instance) * num_instances); ++ struct TDB_DATA iov[2] = { ++ { ++ .dptr = (uint8_t *)&watcher, ++ .dsize = sizeof(struct notifyd_watcher), ++ }, ++ { ++ .dptr = (uint8_t *)instances, ++ .dsize = sizeof(struct notifyd_instance) * ++ num_instances, ++ }, ++ }; + +- status = dbwrap_record_store(rec, value, 0); ++ status = dbwrap_record_storev(rec, iov, ARRAY_SIZE(iov), 0); + if (!NT_STATUS_IS_OK(status)) { +- DBG_WARNING("dbwrap_record_store returned %s\n", ++ DBG_WARNING("dbwrap_record_storev returned %s\n", + nt_errstr(status)); + goto fail; + } +@@ -706,12 +799,18 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data, + .when = tstate->msg->when }; + struct iovec iov[2]; + size_t path_len = key.dsize; ++ struct notifyd_watcher watcher = {}; + struct notifyd_instance *instances = NULL; + size_t num_instances = 0; + size_t i; ++ bool ok; + +- if (!notifyd_parse_entry(data.dptr, data.dsize, &instances, +- &num_instances)) { ++ ok = notifyd_parse_entry(data.dptr, ++ data.dsize, ++ &watcher, ++ &instances, ++ &num_instances); ++ if (!ok) { + DBG_DEBUG("Could not parse notifyd_entry\n"); + return; + } +@@ -734,9 +833,11 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data, + + if (tstate->covered_by_sys_notify) { + if (tstate->recursive) { +- i_filter = instance->internal_subdir_filter; ++ i_filter = watcher.sys_subdir_filter & ++ instance->instance.subdir_filter; + } else { +- i_filter = instance->internal_filter; ++ i_filter = watcher.sys_filter & ++ instance->instance.filter; + } + } else { + if (tstate->recursive) { +@@ -1146,46 +1247,39 @@ static int notifyd_add_proxy_syswatches(struct db_record *rec, + struct db_context *db = dbwrap_record_get_db(rec); + TDB_DATA key = dbwrap_record_get_key(rec); + TDB_DATA value = dbwrap_record_get_value(rec); +- struct notifyd_instance *instances = NULL; +- size_t num_instances = 0; +- size_t i; ++ struct notifyd_watcher watcher = {}; + char path[key.dsize+1]; + bool ok; ++ int ret; + + memcpy(path, key.dptr, key.dsize); + path[key.dsize] = '\0'; + +- ok = notifyd_parse_entry(value.dptr, value.dsize, &instances, +- &num_instances); ++ /* This is a remote database, we just need the watcher. */ ++ ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL); + if (!ok) { + DBG_WARNING("Could not parse notifyd entry for %s\n", path); + return 0; + } + +- for (i=0; iinstance.filter; +- uint32_t subdir_filter = instance->instance.subdir_filter; +- int ret; ++ watcher.sys_watch = NULL; ++ watcher.sys_filter = watcher.filter; ++ watcher.sys_subdir_filter = watcher.subdir_filter; + +- /* +- * This is a remote database. Pointers that we were +- * given don't make sense locally. Initialize to NULL +- * in case sys_notify_watch fails. +- */ +- instances[i].sys_watch = NULL; +- +- ret = state->sys_notify_watch( +- db, state->sys_notify_ctx, path, +- &filter, &subdir_filter, +- notifyd_sys_callback, state->msg_ctx, +- &instance->sys_watch); +- if (ret != 0) { +- DBG_WARNING("inotify_watch returned %s\n", +- strerror(errno)); +- } ++ ret = state->sys_notify_watch(db, ++ state->sys_notify_ctx, ++ path, ++ &watcher.filter, ++ &watcher.subdir_filter, ++ notifyd_sys_callback, ++ state->msg_ctx, ++ &watcher.sys_watch); ++ if (ret != 0) { ++ DBG_WARNING("inotify_watch returned %s\n", strerror(errno)); + } + ++ memcpy(value.dptr, &watcher, sizeof(struct notifyd_watcher)); ++ + return 0; + } + +@@ -1193,21 +1287,17 @@ static int notifyd_db_del_syswatches(struct db_record *rec, void *private_data) + { + TDB_DATA key = dbwrap_record_get_key(rec); + TDB_DATA value = dbwrap_record_get_value(rec); +- struct notifyd_instance *instances = NULL; +- size_t num_instances = 0; +- size_t i; ++ struct notifyd_watcher watcher = {}; + bool ok; + +- ok = notifyd_parse_entry(value.dptr, value.dsize, &instances, +- &num_instances); ++ ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL); + if (!ok) { + DBG_WARNING("Could not parse notifyd entry for %.*s\n", + (int)key.dsize, (char *)key.dptr); + return 0; + } +- for (i=0; ientries database + */ + +-bool notifyd_parse_entry( +- uint8_t *buf, +- size_t buflen, +- struct notifyd_instance **instances, +- size_t *num_instances) ++/** ++ * @brief Parse a notifyd database entry. ++ * ++ * The memory we pass down needs to be aligned. If it isn't aligned we can run ++ * into obscure errors as we just point into the data buffer. ++ * ++ * @param data The data to parse ++ * @param data_len The length of the data to parse ++ * @param watcher A pointer to store the watcher data or NULL. ++ * @param instances A pointer to store the array of notify instances or NULL. ++ * @param pnum_instances The number of elements in the array. If you just want ++ * the number of elements pass NULL for the watcher and instances pointers. ++ * ++ * @return true on success, false if an error occurred. ++ */ ++bool notifyd_parse_entry(uint8_t *data, ++ size_t data_len, ++ struct notifyd_watcher *watcher, ++ struct notifyd_instance **instances, ++ size_t *pnum_instances) + { +- if ((buflen % sizeof(struct notifyd_instance)) != 0) { +- DBG_WARNING("invalid buffer size: %zu\n", buflen); ++ size_t ilen; ++ ++ if (data_len < sizeof(struct notifyd_watcher)) { + return false; + } + +- if (instances != NULL) { +- *instances = (struct notifyd_instance *)buf; ++ if (watcher != NULL) { ++ *watcher = *((struct notifyd_watcher *)(uintptr_t)data); + } +- if (num_instances != NULL) { +- *num_instances = buflen / sizeof(struct notifyd_instance); ++ ++ ilen = data_len - sizeof(struct notifyd_watcher); ++ if ((ilen % sizeof(struct notifyd_instance)) != 0) { ++ return false; ++ } ++ ++ if (pnum_instances != NULL) { ++ *pnum_instances = ilen / sizeof(struct notifyd_instance); + } ++ if (instances != NULL) { ++ /* The (uintptr_t) cast removes a warning from -Wcast-align. */ ++ *instances = ++ (struct notifyd_instance *)(uintptr_t) ++ (data + sizeof(struct notifyd_watcher)); ++ } ++ + return true; + } +diff --git a/source3/smbd/notifyd/notifyd_private.h b/source3/smbd/notifyd/notifyd_private.h +index 36c08f47c54..db8e6e1c005 100644 +--- a/source3/smbd/notifyd/notifyd_private.h ++++ b/source3/smbd/notifyd/notifyd_private.h +@@ -20,30 +20,48 @@ + #include "lib/util/server_id.h" + #include "notifyd.h" + ++ + /* +- * notifyd's representation of a notify instance ++ * Representation of a watcher for a path ++ * ++ * This will be stored in the db. + */ +-struct notifyd_instance { +- struct server_id client; +- struct notify_instance instance; +- +- void *sys_watch; /* inotify/fam/etc handle */ ++struct notifyd_watcher { ++ /* ++ * This is an intersections of the filter the watcher is listening for. ++ */ ++ uint32_t filter; ++ uint32_t subdir_filter; + + /* +- * Filters after sys_watch took responsibility of some bits ++ * Those are inout variables passed to the sys_watcher. The sys_watcher ++ * will remove the bits it can't handle. + */ +- uint32_t internal_filter; +- uint32_t internal_subdir_filter; ++ uint32_t sys_filter; ++ uint32_t sys_subdir_filter; ++ ++ /* The handle for inotify/fam etc. */ ++ void *sys_watch; ++}; ++ ++/* ++ * Representation of a notifyd instance ++ * ++ * This will be stored in the db. ++ */ ++struct notifyd_instance { ++ struct server_id client; ++ struct notify_instance instance; + }; + + /* + * Parse an entry in the notifyd_context->entries database + */ + +-bool notifyd_parse_entry( +- uint8_t *buf, +- size_t buflen, +- struct notifyd_instance **instances, +- size_t *num_instances); ++bool notifyd_parse_entry(uint8_t *data, ++ size_t data_len, ++ struct notifyd_watcher *watcher, ++ struct notifyd_instance **instances, ++ size_t *num_instances); + + #endif +-- +2.48.1 + + +From da6309049eb21ec5cd6bdf7942203960adbc37c0 Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall +Date: Thu, 5 Dec 2024 16:35:51 +1300 +Subject: [PATCH 2/6] util: add a crypt wrapper, derived from + dsdb:password_hash + +This is going to be used by the dsdb password_hash module, and exposed +to Python via pyglue. + +We're doing this because Python 3.13 has dropped crypt from the Python +standard library. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15756 + +Reviewed-by: Andreas Schneider +(cherry picked from commit 93bc860e8f344a96d0496edbc5d463f2c5411fcd) +--- + lib/util/util_crypt.c | 90 ++++++++++++++++++++++++++++++++++++++++++ + lib/util/util_crypt.h | 5 +++ + lib/util/wscript_build | 6 +++ + 3 files changed, 101 insertions(+) + create mode 100644 lib/util/util_crypt.c + create mode 100644 lib/util/util_crypt.h + +diff --git a/lib/util/util_crypt.c b/lib/util/util_crypt.c +new file mode 100644 +index 00000000000..0f7b2d0fd31 +--- /dev/null ++++ b/lib/util/util_crypt.c +@@ -0,0 +1,90 @@ ++#include ++#include "data_blob.h" ++#include ++#include ++#include "util_crypt.h" ++ ++ ++static int crypt_as_best_we_can(const char *phrase, ++ const char *setting, ++ const char **hashp) ++{ ++ int ret = 0; ++ const char *hash = NULL; ++ ++#if defined(HAVE_CRYPT_R) || defined(HAVE_CRYPT_RN) ++ struct crypt_data crypt_data = { ++ .initialized = 0 /* working storage used by crypt */ ++ }; ++#endif ++ ++ /* ++ * crypt_r() and crypt() may return a null pointer upon error ++ * depending on how libcrypt was configured, so we prefer ++ * crypt_rn() from libcrypt / libxcrypt which always returns ++ * NULL on error. ++ * ++ * POSIX specifies returning a null pointer and setting ++ * errno. ++ * ++ * RHEL 7 (which does not use libcrypt / libxcrypt) returns a ++ * non-NULL pointer from crypt_r() on success but (always?) ++ * sets errno during internal processing in the NSS crypto ++ * subsystem. ++ * ++ * By preferring crypt_rn we avoid the 'return non-NULL but ++ * set-errno' that we otherwise cannot tell apart from the ++ * RHEL 7 behaviour. ++ */ ++ errno = 0; ++ ++#ifdef HAVE_CRYPT_RN ++ hash = crypt_rn(phrase, setting, ++ &crypt_data, ++ sizeof(crypt_data)); ++#elif HAVE_CRYPT_R ++ hash = crypt_r(phrase, setting, &crypt_data); ++#else ++ /* ++ * No crypt_r falling back to crypt, which is NOT thread safe ++ * Thread safety MT-Unsafe race:crypt ++ */ ++ hash = crypt(phrase, setting); ++#endif ++ /* ++ * On error, crypt() and crypt_r() may return a null pointer, ++ * or a pointer to an invalid hash beginning with a '*'. ++ */ ++ ret = errno; ++ errno = 0; ++ if (hash == NULL || hash[0] == '*') { ++ if (ret == 0) { ++ /* this is annoying */ ++ ret = ENOTRECOVERABLE; ++ } ++ } ++ ++ *hashp = hash; ++ return ret; ++} ++ ++ ++int talloc_crypt_blob(TALLOC_CTX *mem_ctx, ++ const char *phrase, ++ const char *setting, ++ DATA_BLOB *blob) ++{ ++ const char *hash = NULL; ++ int ret = crypt_as_best_we_can(phrase, setting, &hash); ++ if (ret != 0) { ++ blob->data = NULL; ++ blob->length = 0; ++ return ret; ++ } ++ blob->length = strlen(hash); ++ blob->data = talloc_memdup(mem_ctx, hash, blob->length); ++ if (blob->data == NULL) { ++ return ENOMEM; ++ } ++ return 0; ++} +diff --git a/lib/util/util_crypt.h b/lib/util/util_crypt.h +new file mode 100644 +index 00000000000..8c289e489e8 +--- /dev/null ++++ b/lib/util/util_crypt.h +@@ -0,0 +1,5 @@ ++ ++int talloc_crypt_blob(TALLOC_CTX *mem_ctx, ++ const char *phrase, ++ const char *cmd, ++ DATA_BLOB *blob); +diff --git a/lib/util/wscript_build b/lib/util/wscript_build +index b4fcfeaba07..7de9c0b7b17 100644 +--- a/lib/util/wscript_build ++++ b/lib/util/wscript_build +@@ -253,6 +253,12 @@ else: + private_library=True, + local_include=False) + ++ bld.SAMBA_LIBRARY('util_crypt', ++ source='util_crypt.c', ++ deps='talloc crypt', ++ private_library=True, ++ local_include=False) ++ + + bld.SAMBA_SUBSYSTEM('UNIX_PRIVS', + source='unix_privs.c', +-- +2.48.1 + + +From 334093563640f232bb337675417f1e8a410987de Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 20 Jan 2025 16:00:51 +0100 +Subject: [PATCH 3/6] s3: Add new keytab specifiers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 15e191736d3eaba83b2fb4b901e1df2214526b64) +--- + selftest/target/Samba3.pm | 3 +- + source3/libads/kerberos_keytab.c | 631 +++++++++++++-------- + source3/script/tests/test_update_keytab.sh | 449 +++++++++++---- + 3 files changed, 730 insertions(+), 353 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 17343e63e52..cc4498ff36e 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -807,7 +807,8 @@ sub provision_ad_member + \"$prefix_abs/keytab2:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\ + \"$prefix_abs/keytab2k:spn_prefixes=imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\ + \"$prefix_abs/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\", \\ +- \"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" ++ \"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\", \\ ++ \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" + "; + } + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index dbf8af44c1f..619a7bda0d4 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -30,6 +30,7 @@ + #include "ads.h" + #include "secrets.h" + #include "librpc/gen_ndr/ndr_secrets.h" ++#include "lib/util/string_wrappers.h" + + #ifdef HAVE_KRB5 + +@@ -41,44 +42,59 @@ + #endif + + enum spn_spec_type { +- SPN_SPEC_DEFAULT, +- SPN_SPEC_SYNC, ++ SPN_SPEC_ACCOUNT_NAME, ++ SPN_SPEC_SYNC_ACCOUNT_NAME, ++ SPN_SPEC_HOST, ++ SPN_SPEC_SYNC_UPN, ++ SPN_SPEC_SYNC_SPNS, + SPN_SPEC_FULL, +- SPN_SPEC_PREFIX ++ SPN_SPEC_PREFIX, ++ SPN_SPEC_MAX + }; + +-/* pw2kt_conf contains 1 parsed line from "sync machine password to keytab" */ +-struct pw2kt_conf { +- enum spn_spec_type spn_spec; ++/* Specifier */ ++struct pw2kt_specifier { ++ bool is_set; ++ char **spn_spec_vals; /* Array of full SPNs or prefixes */ ++}; ++ ++/* Descriptor contains 1 parsed line from "sync machine password to keytab" */ ++struct pw2kt_keytab_desc { + char *keytab; + bool sync_etypes; + bool sync_kvno; + bool additional_dns_hostnames; + bool netbios_aliases; + bool machine_password; +- char **spn_spec_array; +- size_t num_spn_spec; ++ struct pw2kt_specifier spec_array[SPN_SPEC_MAX]; + }; + +-/* State used by pw2kt */ +-struct pw2kt_state { ++/* Global state - stores initial data */ ++struct pw2kt_global_state { + /* Array of parsed lines from "sync machine password to keytab" */ +- struct pw2kt_conf *keytabs; +- size_t num_keytabs; ++ struct pw2kt_keytab_desc *keytabs; ++ /* Accumulated configuration from all keytabs */ + bool sync_etypes; + bool sync_kvno; + bool sync_spns; ++ bool sync_upn; ++ bool sync_sam_account; + /* These are from DC */ + krb5_kvno ad_kvno; + uint32_t ad_etypes; ++ char *ad_upn; ++ char *ad_sam_account; + char **ad_spn_array; + size_t ad_num_spns; + /* This is from secrets.db */ + struct secrets_domain_info1 *info; + }; + +-/* State used by pw2kt_process_keytab */ +-struct pw2kt_process_state { ++/* ++ * Manages krb5lib data created during processing of 'global state'. ++ * One instance per keytab. ++ */ ++struct pw2kt_keytab_state { + krb5_keytab keytab; + krb5_context context; + krb5_keytab_entry *array1; +@@ -88,151 +104,206 @@ struct pw2kt_process_state { + krb5_enctype preferred_etype; + }; + +-static ADS_STATUS pw2kt_scan_add_spn(TALLOC_CTX *ctx, +- const char *spn, +- struct pw2kt_conf *conf) ++static ADS_STATUS pw2kt_add_val(TALLOC_CTX *ctx, ++ struct pw2kt_specifier *spec, ++ const char *spn_val) + { +- conf->spn_spec_array = talloc_realloc(ctx, +- conf->spn_spec_array, +- char *, +- conf->num_spn_spec + 1); +- if (conf->spn_spec_array == NULL) { ++ size_t len = talloc_array_length(spec->spn_spec_vals); ++ spec->spn_spec_vals = talloc_realloc(ctx, ++ spec->spn_spec_vals, ++ char *, ++ len + 1); ++ if (spec->spn_spec_vals == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } +- conf->spn_spec_array[conf->num_spn_spec] = talloc_strdup( +- conf->spn_spec_array, spn); +- if (conf->spn_spec_array[conf->num_spn_spec] == NULL) { ++ spec->spn_spec_vals[len] = talloc_strdup(spec->spn_spec_vals, spn_val); ++ if (spec->spn_spec_vals[len] == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } +- conf->num_spn_spec++; + + return ADS_SUCCESS; + } + ++static ADS_STATUS pw2kt_scan_spec(TALLOC_CTX *ctx, ++ struct pw2kt_global_state *gstate, ++ struct pw2kt_keytab_desc *desc, ++ const char *option) ++{ ++ enum spn_spec_type spec_type; ++ struct pw2kt_specifier *spec; ++ char *vals = NULL; ++ char *tmp = NULL; ++ ADS_STATUS status; ++ ++ /* First check for options sync_kvno, sync_etypes, ... */ ++ if (strequal(option, "sync_kvno")) { ++ desc->sync_kvno = gstate->sync_kvno = true; ++ return ADS_SUCCESS; ++ } else if (strequal(option, "sync_etypes")) { ++ desc->sync_etypes = gstate->sync_etypes = true; ++ return ADS_SUCCESS; ++ } else if (strequal(option, "additional_dns_hostnames")) { ++ desc->additional_dns_hostnames = true; ++ return ADS_SUCCESS; ++ } else if (strequal(option, "netbios_aliases")) { ++ desc->netbios_aliases = true; ++ return ADS_SUCCESS; ++ } else if (strequal(option, "machine_password")) { ++ desc->machine_password = true; ++ return ADS_SUCCESS; ++ } ++ ++ vals = strchr_m(option, '='); ++ if (vals != NULL) { ++ *vals = 0; ++ vals++; ++ } ++ ++ if (strequal(option, "account_name")) { ++ spec_type = SPN_SPEC_ACCOUNT_NAME; ++ } else if (strequal(option, "sync_account_name")) { ++ spec_type = SPN_SPEC_SYNC_ACCOUNT_NAME; ++ gstate->sync_sam_account = true; ++ } else if (strequal(option, "host")) { ++ spec_type = SPN_SPEC_HOST; ++ } else if (strequal(option, "sync_upn")) { ++ spec_type = SPN_SPEC_SYNC_UPN; ++ gstate->sync_upn = true; ++ } else if (strequal(option, "sync_spns")) { ++ spec_type = SPN_SPEC_SYNC_SPNS; ++ gstate->sync_spns = true; ++ } else if (strequal(option, "spns")) { ++ spec_type = SPN_SPEC_FULL; ++ } else if (strequal(option, "spn_prefixes")) { ++ spec_type = SPN_SPEC_PREFIX; ++ } else { ++ DBG_ERR("Invalid option: '%s'\n", option); ++ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); ++ } ++ ++ desc->spec_array[spec_type].is_set = true; ++ if (spec_type != SPN_SPEC_PREFIX && spec_type != SPN_SPEC_FULL) { ++ return ADS_SUCCESS; ++ } ++ if (vals == NULL) { ++ DBG_ERR("SPN specifier: %s is missing '='\n", option); ++ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); ++ } ++ spec = &desc->spec_array[spec_type]; ++ ++ /* Entries are separated via ',' */ ++ while ((tmp = strchr_m(vals, ',')) != NULL) { ++ *tmp = 0; ++ tmp++; ++ status = pw2kt_add_val(ctx, spec, vals); ++ if (!ADS_ERR_OK(status)) { ++ return status; ++ } ++ vals = tmp; ++ if (*vals == 0) { ++ DBG_ERR("Invalid syntax (trailing ','): %s\n", option); ++ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); ++ } ++ } ++ /* Process the last entry */ ++ return pw2kt_add_val(ctx, spec, vals); ++} ++ + /* + * Parse the smb.conf and find out if it is needed to read from DC: +- * - servicePrincipalNames ++ * - servicePrincipalName + * - msDs-KeyVersionNumber ++ * - userPrincipalName ++ * - sAMAccountName ++ * ++ * Example of a line: ++ * /etc/krb5/krb5.keytab:account_name:snps=s1@REALM.COM,spn2@REALM.ORG:host:sync_kvno:machine_password + */ +-static ADS_STATUS pw2kt_scan_line(const char *line, struct pw2kt_state *state) ++static ADS_STATUS pw2kt_scan_line(const char *line, ++ struct pw2kt_global_state *gstate) + { +- char *keytabname = NULL; +- char *spn_spec = NULL; +- char *spn_val = NULL; +- char *option = NULL; +- struct pw2kt_conf *conf = NULL; ++ char *tmp = NULL; ++ char *olist = NULL; ++ struct pw2kt_keytab_desc *desc = NULL; + ADS_STATUS status; ++ size_t num_keytabs = talloc_array_length(gstate->keytabs); + +- state->keytabs = talloc_realloc(state, +- state->keytabs, +- struct pw2kt_conf, +- state->num_keytabs + 1); +- if (state->keytabs == NULL) { ++ gstate->keytabs = talloc_realloc(gstate, ++ gstate->keytabs, ++ struct pw2kt_keytab_desc, ++ num_keytabs + 1); ++ if (gstate->keytabs == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } +- conf = &state->keytabs[state->num_keytabs]; +- state->num_keytabs++; ++ desc = &gstate->keytabs[num_keytabs]; ++ ZERO_STRUCT(*desc); + +- keytabname = talloc_strdup(state->keytabs, line); +- if (keytabname == NULL) { ++ desc->keytab = talloc_strdup(gstate->keytabs, line); ++ if (desc->keytab == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + +- ZERO_STRUCT(*conf); +- conf->keytab = keytabname; +- spn_spec = strchr_m(keytabname, ':'); +- if (spn_spec == NULL) { +- DBG_ERR("Invalid format! ':' expected in '%s'\n", keytabname); ++ olist = strchr_m(desc->keytab, ':'); ++ if (olist == NULL) { ++ DBG_ERR("Invalid format! ':' expected in '%s'\n", line); + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } +- *spn_spec++ = 0; +- +- /* reverse match with strrchr_m() */ +- while ((option = strrchr_m(spn_spec, ':')) != NULL) { +- *option++ = 0; +- if (strequal(option, "sync_kvno")) { +- conf->sync_kvno = state->sync_kvno = true; +- } else if (strequal(option, "sync_etypes")) { +- conf->sync_etypes = state->sync_etypes = true; +- } else if (strequal(option, "additional_dns_hostnames")) { +- conf->additional_dns_hostnames = true; +- } else if (strequal(option, "netbios_aliases")) { +- conf->netbios_aliases = true; +- } else if (strequal(option, "machine_password")) { +- conf->machine_password = true; +- } else { +- DBG_WARNING("Unknown option '%s'!\n", option); +- return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); +- } +- } ++ *olist = 0; ++ olist++; + +- spn_val = strchr_m(spn_spec, '='); +- if (spn_val != NULL) { +- *spn_val++ = 0; +- } ++ /* Always add 'host' principal */ ++ desc->spec_array[SPN_SPEC_HOST].is_set = true; + +- if (strcmp(spn_spec, "account_name") == 0) { +- conf->spn_spec = SPN_SPEC_DEFAULT; +- } else if (strcmp(spn_spec, "sync_spns") == 0) { +- conf->spn_spec = SPN_SPEC_SYNC; +- state->sync_spns = true; +- } else if (strcmp(spn_spec, "spns") == 0 || +- strcmp(spn_spec, "spn_prefixes") == 0) +- { +- char *spn = NULL, *tmp = NULL; +- +- conf->spn_spec = strcmp(spn_spec, "spns") == 0 +- ? SPN_SPEC_FULL +- : SPN_SPEC_PREFIX; +- conf->num_spn_spec = 0; +- spn = spn_val; +- while ((tmp = strchr_m(spn, ',')) != NULL) { +- *tmp++ = 0; +- status = pw2kt_scan_add_spn(state->keytabs, spn, conf); +- if (!ADS_ERR_OK(status)) { +- return status; +- } +- spn = tmp; ++ /* Entries are separated via ':' */ ++ while ((tmp = strchr_m(olist, ':')) != NULL) { ++ *tmp = 0; ++ tmp++; ++ status = pw2kt_scan_spec(gstate->keytabs, gstate, desc, olist); ++ if (!ADS_ERR_OK(status)) { ++ return status; ++ } ++ olist = tmp; ++ if (*olist == 0) { ++ DBG_ERR("Invalid syntax (trailing ':'): %s\n", line); ++ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } +- /* Do not forget the last entry */ +- return pw2kt_scan_add_spn(state->keytabs, spn, conf); +- } else { +- DBG_WARNING("Invalid SPN specifier: %s\n", spn_spec); +- return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } +- +- return ADS_SUCCESS; ++ /* Process the last entry */ ++ return pw2kt_scan_spec(gstate->keytabs, gstate, desc, olist); + } + + /* +- * Fill struct pw2kt_state with defaults if "sync machine password to keytab" +- * is missing in smb.conf ++ * Fill struct pw2kt_global_state with defaults if ++ * "sync machine password to keytab" is missing in smb.conf ++ * Creates 1 keytab with 3 SPN specifiers (sync_spns, account_name, host). + */ +-static ADS_STATUS pw2kt_default_cfg(const char *name, struct pw2kt_state *state) ++static ADS_STATUS pw2kt_default_cfg(const char *name, ++ struct pw2kt_global_state *state) + { + char *keytabname = NULL; +- struct pw2kt_conf *conf = NULL; ++ struct pw2kt_keytab_desc *desc = NULL; + + state->keytabs = talloc_zero_array(state->keytabs, +- struct pw2kt_conf, ++ struct pw2kt_keytab_desc, + 1); + if (state->keytabs == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } +- conf = &state->keytabs[0]; +- state->num_keytabs = 1; ++ desc = &state->keytabs[0]; + + keytabname = talloc_strdup(state->keytabs, name); + if (keytabname == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } +- +- conf->spn_spec = SPN_SPEC_SYNC; +- conf->keytab = keytabname; +- conf->machine_password = true; +- conf->sync_kvno = state->sync_kvno = true; ++ desc->keytab = keytabname; ++ desc->machine_password = true; ++ desc->sync_kvno = state->sync_kvno = true; + state->sync_spns = true; + ++ desc->spec_array[SPN_SPEC_SYNC_SPNS].is_set = true; ++ desc->spec_array[SPN_SPEC_ACCOUNT_NAME].is_set = true; ++ desc->spec_array[SPN_SPEC_HOST].is_set = true; ++ + return ADS_SUCCESS; + } + +@@ -240,7 +311,7 @@ static ADS_STATUS pw2kt_default_cfg(const char *name, struct pw2kt_state *state) + * For the given principal add to the array entries created from all pw->keys[] + */ + static krb5_error_code pw2kt_process_add_pw( +- struct pw2kt_process_state *state2, ++ struct pw2kt_keytab_state *state2, + krb5_principal princ, + krb5_kvno vno, + struct secrets_domain_info1_password *pw) +@@ -287,11 +358,10 @@ static krb5_error_code pw2kt_process_add_pw( + * For the given principal add to the array entries based on password, + * old_password, older_password and next_change->password. + */ +-static krb5_error_code pw2kt_process_add_info( +- struct pw2kt_process_state *state2, +- krb5_kvno kvno, +- const char *princs, +- struct secrets_domain_info1 *info) ++static krb5_error_code pw2kt_process_add_info(struct pw2kt_keytab_state *state2, ++ krb5_kvno kvno, ++ const char *princs, ++ struct secrets_domain_info1 *info) + { + krb5_error_code ret; + krb5_principal princ = NULL; +@@ -336,7 +406,7 @@ static krb5_error_code pw2kt_process_add_info( + return ret; + } + +-static int pw2kt_process_state_destructor(struct pw2kt_process_state *state2) ++static int pw2kt_keytab_state_destructor(struct pw2kt_keytab_state *state2) + { + int i; + size_t len2 = talloc_array_length(state2->array2); +@@ -356,7 +426,7 @@ static int pw2kt_process_state_destructor(struct pw2kt_process_state *state2) + } + + /* Read the whole keytab to krb5_keytab_entry array */ +-static krb5_error_code pw2kt_process_kt2ar(struct pw2kt_process_state *state2) ++static krb5_error_code pw2kt_process_kt2ar(struct pw2kt_keytab_state *state2) + { + krb5_error_code ret = 0, ret2 = 0; + krb5_kt_cursor cursor; +@@ -402,18 +472,173 @@ static krb5_error_code pw2kt_process_kt2ar(struct pw2kt_process_state *state2) + return ret != 0 ? ret : ret2; + } + +-static ADS_STATUS pw2kt_process_keytab(struct pw2kt_state *state, +- struct pw2kt_conf *keytabptr) ++#define ADD_INFO(P) \ ++ ret = pw2kt_process_add_info(state2, kvno, (P), gstate->info); \ ++ if (ret != 0) { \ ++ return ADS_ERROR_KRB5(ret); \ ++ } ++ ++static ADS_STATUS pw2kt_add_prefix(struct pw2kt_global_state *gstate, ++ struct pw2kt_keytab_state *state2, ++ struct pw2kt_keytab_desc *keytabptr, ++ const char *prefix) + { + krb5_error_code ret = 0; +- krb5_kvno kvno = -1; +- size_t i, j, len1 = 0, len2 = 0; ++ krb5_kvno kvno = keytabptr->sync_kvno ? gstate->ad_kvno : -1; + char *princ_s = NULL; + const char **netbios_alias = NULL; + const char **addl_hostnames = NULL; ++ ++ /* Add prefix/dnshostname@REALM */ ++ princ_s = talloc_asprintf(talloc_tos(), ++ "%s/%s@%s", ++ prefix, ++ lp_dns_hostname(), ++ lp_realm()); ++ if (princ_s == NULL) { ++ return ADS_ERROR_KRB5(ENOMEM); ++ } ++ ADD_INFO(princ_s); ++ ++ /* Add prefix/NETBIOSNAME@REALM */ ++ princ_s = talloc_asprintf(talloc_tos(), ++ "%s/%s@%s", ++ prefix, ++ lp_netbios_name(), ++ lp_realm()); ++ if (princ_s == NULL) { ++ return ADS_ERROR_KRB5(ENOMEM); ++ } ++ ADD_INFO(princ_s); ++ ++ if (keytabptr->netbios_aliases) { ++ for (netbios_alias = lp_netbios_aliases(); ++ netbios_alias != NULL && *netbios_alias != NULL; ++ netbios_alias++) ++ { ++ fstring netbios_lower; ++ ++ fstrcpy(netbios_lower, *netbios_alias); ++ if (!strlower_m(netbios_lower)) { ++ return ADS_ERROR_NT( ++ NT_STATUS_INVALID_PARAMETER); ++ } ++ ++ /* Add prefix/NETBIOSALIAS@REALM */ ++ princ_s = talloc_asprintf(talloc_tos(), ++ "%s/%s@%s", ++ prefix, ++ *netbios_alias, ++ lp_realm()); ++ if (princ_s == NULL) { ++ return ADS_ERROR_KRB5(ENOMEM); ++ } ++ ADD_INFO(princ_s); ++ ++ /* Add prefix/netbiosalias.dnsdomain@REALM */ ++ princ_s = talloc_asprintf(talloc_tos(), ++ "%s/%s.%s@%s", ++ prefix, ++ netbios_lower, ++ lp_dnsdomain(), ++ lp_realm()); ++ if (princ_s == NULL) { ++ return ADS_ERROR_KRB5(ENOMEM); ++ } ++ ADD_INFO(princ_s); ++ } ++ } ++ ++ if (keytabptr->additional_dns_hostnames) { ++ for (addl_hostnames = lp_additional_dns_hostnames(); ++ addl_hostnames != NULL && *addl_hostnames != NULL; ++ addl_hostnames++) ++ { ++ /* Add prefix/additionalhostname@REALM */ ++ princ_s = talloc_asprintf(talloc_tos(), ++ "%s/%s@%s", ++ prefix, ++ *addl_hostnames, ++ lp_realm()); ++ if (princ_s == NULL) { ++ return ADS_ERROR_KRB5(ENOMEM); ++ } ++ ADD_INFO(princ_s); ++ } ++ } ++ return ADS_SUCCESS; ++} ++ ++static ADS_STATUS pw2kt_process_specifier(struct pw2kt_global_state *gstate, ++ struct pw2kt_keytab_state *state2, ++ struct pw2kt_keytab_desc *keytabptr, ++ enum spn_spec_type spec_type) ++{ ++ krb5_error_code ret = 0; ++ ADS_STATUS status; ++ krb5_kvno kvno = keytabptr->sync_kvno ? gstate->ad_kvno : -1; ++ struct pw2kt_specifier *spec = &keytabptr->spec_array[spec_type]; ++ size_t i, num_spn_spec_vals; ++ ++ if (!spec->is_set) { ++ return ADS_SUCCESS; ++ } ++ switch (spec_type) { ++ case SPN_SPEC_ACCOUNT_NAME: ++ ADD_INFO(gstate->info->account_name); ++ break; ++ case SPN_SPEC_SYNC_ACCOUNT_NAME: ++ ADD_INFO(gstate->ad_sam_account); ++ break; ++ case SPN_SPEC_HOST: ++ status = pw2kt_add_prefix(gstate, state2, keytabptr, "host"); ++ if (!ADS_ERR_OK(status)) { ++ return status; ++ } ++ break; ++ case SPN_SPEC_SYNC_UPN: ++ if (gstate->ad_upn != NULL) { ++ ADD_INFO(gstate->ad_upn); ++ } ++ break; ++ case SPN_SPEC_SYNC_SPNS: ++ for (i = 0; i < gstate->ad_num_spns; i++) { ++ ADD_INFO(gstate->ad_spn_array[i]); ++ } ++ break; ++ case SPN_SPEC_FULL: ++ num_spn_spec_vals = talloc_array_length(spec->spn_spec_vals); ++ for (i = 0; i < num_spn_spec_vals; i++) { ++ ADD_INFO(spec->spn_spec_vals[i]); ++ } ++ break; ++ case SPN_SPEC_PREFIX: ++ num_spn_spec_vals = talloc_array_length(spec->spn_spec_vals); ++ for (i = 0; i < num_spn_spec_vals; i++) { ++ status = pw2kt_add_prefix(gstate, ++ state2, ++ keytabptr, ++ spec->spn_spec_vals[i]); ++ if (!ADS_ERR_OK(status)) { ++ return status; ++ } ++ } ++ break; ++ default: ++ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); ++ } ++ return ADS_SUCCESS; ++} ++ ++static ADS_STATUS pw2kt_process_keytab(struct pw2kt_global_state *state, ++ struct pw2kt_keytab_desc *keytabptr) ++{ ++ krb5_error_code ret = 0; ++ size_t i, j, k, len1 = 0, len2 = 0; + size_t *index_array1 = NULL; + size_t *index_array2 = NULL; +- struct pw2kt_process_state *state2 = NULL; ++ struct pw2kt_keytab_state *state2 = NULL; ++ ADS_STATUS status; + + if (!keytabptr->machine_password) { + DBG_ERR("No 'machine_password' option for '%s'. Skip it.\n", +@@ -421,11 +646,11 @@ static ADS_STATUS pw2kt_process_keytab(struct pw2kt_state *state, + return ADS_SUCCESS; + } + +- state2 = talloc_zero(state, struct pw2kt_process_state); ++ state2 = talloc_zero(state, struct pw2kt_keytab_state); + if (state2 == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } +- talloc_set_destructor(state2, pw2kt_process_state_destructor); ++ talloc_set_destructor(state2, pw2kt_keytab_state_destructor); + + ret = smb_krb5_init_context_common(&state2->context); + if (ret != 0) { +@@ -479,100 +704,11 @@ static ADS_STATUS pw2kt_process_keytab(struct pw2kt_state *state, + } + } + +- if (keytabptr->sync_kvno) { +- kvno = state->ad_kvno; +- } +- +-#define ADD_INFO(P) \ +- ret = pw2kt_process_add_info(state2, kvno, (P), state->info); \ +- if (ret != 0) { \ +- return ADS_ERROR_KRB5(ret); \ +- } +- +- /* Add ACCOUNTNAME$ entries */ +- switch (keytabptr->spn_spec) { +- case SPN_SPEC_DEFAULT: +- ADD_INFO(state->info->account_name); +- break; +- case SPN_SPEC_SYNC: +- for (i = 0; i < state->ad_num_spns; i++) { +- ADD_INFO(state->ad_spn_array[i]); +- } +- break; +- case SPN_SPEC_FULL: +- for (i = 0; i < keytabptr->num_spn_spec; i++) { +- ADD_INFO(keytabptr->spn_spec_array[i]); +- } +- break; +- case SPN_SPEC_PREFIX: +- for (i = 0; i < keytabptr->num_spn_spec; i++) { +- princ_s = talloc_asprintf(talloc_tos(), +- "%s/%s@%s", +- keytabptr->spn_spec_array[i], +- lp_netbios_name(), +- lp_realm()); +- if (princ_s == NULL) { +- return ADS_ERROR_KRB5(ENOMEM); +- } +- ADD_INFO(princ_s); +- +- if (!keytabptr->netbios_aliases) { +- goto additional_dns_hostnames; +- } +- for (netbios_alias = lp_netbios_aliases(); +- netbios_alias != NULL && *netbios_alias != NULL; +- netbios_alias++) +- { +- /* Add PREFIX/netbiosname@REALM */ +- princ_s = talloc_asprintf( +- talloc_tos(), +- "%s/%s@%s", +- keytabptr->spn_spec_array[i], +- *netbios_alias, +- lp_realm()); +- if (princ_s == NULL) { +- return ADS_ERROR_KRB5(ENOMEM); +- } +- ADD_INFO(princ_s); +- +- /* Add PREFIX/netbiosname.domainname@REALM */ +- princ_s = talloc_asprintf( +- talloc_tos(), +- "%s/%s.%s@%s", +- keytabptr->spn_spec_array[i], +- *netbios_alias, +- lp_dnsdomain(), +- lp_realm()); +- if (princ_s == NULL) { +- return ADS_ERROR_KRB5(ENOMEM); +- } +- ADD_INFO(princ_s); +- } +- +-additional_dns_hostnames: +- if (!keytabptr->additional_dns_hostnames) { +- continue; +- } +- for (addl_hostnames = lp_additional_dns_hostnames(); +- addl_hostnames != NULL && *addl_hostnames != NULL; +- addl_hostnames++) +- { +- /* Add PREFIX/netbiosname@REALM */ +- princ_s = talloc_asprintf( +- talloc_tos(), +- "%s/%s@%s", +- keytabptr->spn_spec_array[i], +- *addl_hostnames, +- lp_realm()); +- if (princ_s == NULL) { +- return ADS_ERROR_KRB5(ENOMEM); +- } +- ADD_INFO(princ_s); +- } ++ for (k = 0; k < SPN_SPEC_MAX; k++) { ++ status = pw2kt_process_specifier(state, state2, keytabptr, k); ++ if (!ADS_ERR_OK(status)) { ++ return status; + } +- break; +- default: +- return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + ret = smb_krb5_kt_open(state2->context, +@@ -718,7 +854,7 @@ sync_kvno: + return ADS_ERROR_KRB5(ret); + } + +-static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state) ++static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_global_state *state) + { + ADS_STATUS status; + LDAPMessage *res = NULL; +@@ -762,7 +898,7 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state) + "msDS-SupportedEncryptionTypes", + &state->ad_etypes); + if (!ok) { +- DBG_WARNING("Failed to determine encryption types.\n"); ++ DBG_ERR("Failed to determine encryption types.\n"); + ads_msgfree(ads, res); + TALLOC_FREE(tmp_ctx); + return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); +@@ -773,7 +909,7 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state) + uint32_t kvno = -1; + ok = ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno); + if (!ok) { +- DBG_WARNING("Failed to determine the system's kvno.\n"); ++ DBG_ERR("Failed to determine the system's kvno.\n"); + ads_msgfree(ads, res); + TALLOC_FREE(tmp_ctx); + return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); +@@ -787,8 +923,34 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state) + res, + "servicePrincipalName", + &state->ad_num_spns); +- if (state->ad_spn_array == NULL) { +- DBG_WARNING("Failed to determine SPNs.\n"); ++ if (state->ad_spn_array == NULL || state->ad_num_spns == 0) { ++ DBG_ERR("Failed to determine servicePrincipalName.\n"); ++ ads_msgfree(ads, res); ++ TALLOC_FREE(tmp_ctx); ++ return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); ++ } ++ } ++ ++ if (state->sync_upn) { ++ state->ad_upn = ads_pull_string(ads, ++ state, ++ res, ++ "userPrincipalName"); ++ if (state->ad_upn == NULL) { ++ DBG_ERR("Failed to determine userPrincipalName.\n"); ++ ads_msgfree(ads, res); ++ TALLOC_FREE(tmp_ctx); ++ return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); ++ } ++ } ++ ++ if (state->sync_sam_account) { ++ state->ad_sam_account = ads_pull_string(ads, ++ state, ++ res, ++ "sAMAccountName"); ++ if (state->ad_sam_account == NULL) { ++ DBG_ERR("Failed to determine sAMAccountName.\n"); + ads_msgfree(ads, res); + TALLOC_FREE(tmp_ctx); + return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); +@@ -864,13 +1026,14 @@ NTSTATUS sync_pw2keytabs(void) + TALLOC_CTX *frame = talloc_stackframe(); + const struct loadparm_substitution *lp_sub = + loadparm_s3_global_substitution(); +- struct pw2kt_state *state = NULL; ++ struct pw2kt_global_state *state = NULL; + const char **line = NULL; + const char **lp_ptr = NULL; + const char *pwsync_script = NULL; + NTSTATUS status_nt; + ADS_STATUS status_ads; + int i; ++ size_t num_keytabs; + + DBG_DEBUG("Syncing machine password from secrets to keytabs.\n"); + +@@ -879,7 +1042,7 @@ NTSTATUS sync_pw2keytabs(void) + return NT_STATUS_OK; /* nothing todo */ + } + +- state = talloc_zero(frame, struct pw2kt_state); ++ state = talloc_zero(frame, struct pw2kt_global_state); + if (state == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; +@@ -921,7 +1084,9 @@ NTSTATUS sync_pw2keytabs(void) + } + + params_ready: +- if (state->sync_etypes || state->sync_kvno || state->sync_spns) { ++ if (state->sync_etypes || state->sync_kvno || state->sync_spns || ++ state->sync_upn || state->sync_sam_account) ++ { + status_ads = pw2kt_get_dc_info(state); + if (!ADS_ERR_OK(status_ads)) { + DBG_WARNING("cannot read from DC\n"); +@@ -929,9 +1094,10 @@ params_ready: + return NT_STATUS_INTERNAL_ERROR; + } + } else { +- DBG_DEBUG("No 'sync_etypes', 'sync_kvno' and 'sync_spns' in " +- "parameter 'sync machine password to keytab' => " +- "no need to talk to DC.\n"); ++ DBG_DEBUG("No 'sync_etypes', 'sync_kvno', 'sync_spns', " ++ "'sync_upn' and 'sync_sam_account' in parameter " ++ "'sync machine password to keytab' => no need to " ++ "talk to DC.\n"); + } + + if (!secrets_init()) { +@@ -951,7 +1117,8 @@ params_ready: + return status_nt; + } + +- for (i = 0; i < state->num_keytabs; i++) { ++ num_keytabs = talloc_array_length(state->keytabs); ++ for (i = 0; i < num_keytabs; i++) { + status_ads = pw2kt_process_keytab(state, &state->keytabs[i]); + if (!ADS_ERR_OK(status_ads)) { + TALLOC_FREE(frame); +diff --git a/source3/script/tests/test_update_keytab.sh b/source3/script/tests/test_update_keytab.sh +index 2c38b53ccca..82c64984787 100755 +--- a/source3/script/tests/test_update_keytab.sh ++++ b/source3/script/tests/test_update_keytab.sh +@@ -20,208 +20,416 @@ samba_net="$BINDIR/net $CONFIGURATION" + samba_rpcclient="$BINDIR/rpcclient $CONFIGURATION" + smbclient="${BINDIR}/smbclient" + +-keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k" ++keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k keytab4k" + keytabs_nosync_kvno="keytab0 keytab1 keytab2 keytab3" + keytabs_all="$keytabs_sync_kvno $keytabs_nosync_kvno" + +-# default, no specifiers ++# Generate the next ~300 lines for keytab templates using these steps: ++# make testenv SELFTEST_TESTENV="ad_member_idmap_nss:local" ++# source3/script/tests/test_update_keytab.sh ADDOMAIN --configfile=st/ad_member_idmap_nss/lib/server.conf ++# and finally source it from the vim editor ++# :r! for k in keytab0 keytab0k keytab1 keytab1k keytab2 keytab2k keytab3 keytab3k keytab4k ; do (echo $k=\"\\; bin/net --configfile=st/ad_member_idmap_nss/lib/server.conf ads keytab list /path/st/ad_member_idmap_nss/$k |sort -k3 |grep -v Vno|sed 's/\$/\\$/'; echo '";'; echo ); done ++ + keytab0="\ +- -1 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -1 arcfour-hmac-md5 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -2 arcfour-hmac-md5 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -3 arcfour-hmac-md5 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ -1 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -2 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -3 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + "; + +-# sync_kvno=yes + keytab0k="\ +- 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + "; + +-# sync_spns=yes + keytab1="\ +- -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + "; + +-# sync_spns=yes:sync_kvno=yes + keytab1k="\ +- 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + "; + +-# spn_prefixes=imap,smtp + keytab2="\ ++ -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 imap/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 imap/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 imap/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 imap/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 imap/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 imap/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 imap/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 imap/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 imap/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + "; + +-# spn_prefixes=imap,smtp:sync_kvno=yes + keytab2k="\ +- 5 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + "; + +-# spns=wurst/brot\@$dcvars->{REALM} + keytab3="\ ++ -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + "; + +-# spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno=yes + keytab3k="\ +- 5 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM +- 3 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM ++"; ++ ++keytab4k="\ ++ 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 4 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 5 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM ++ 6 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + "; + + # find the biggest vno and store it into global variable vno +@@ -289,9 +497,9 @@ SED2="s/^ \+-\?[0-9]\+ \+//" + + compare_keytabs_sync_kvno() + { +- sed "$SED1" < "$1" | sort -k1rn -k3 | sed "$SED2" > "${1}.sync_kvno" +- sed "$SED1" < "$2" | sort -k1rn -k3 | sed "$SED2" > "${2}.sync_kvno" +- diff --ignore-case "${1}.sync_kvno" "${2}.sync_kvno" ++ sed "$SED1" < "$1" | sed "$SED2" | sort > "${1}.sync_kvno" ++ sed "$SED1" < "$2" | sed "$SED2" | sort > "${2}.sync_kvno" ++ diff "${1}.sync_kvno" "${2}.sync_kvno" + return $? + } + +@@ -299,7 +507,7 @@ compare_keytabs_nosync_kvno() + { + sed "$SED1" < "$1" | sort -k1rn -k3 > "${1}.nosync_kvno" + sed "$SED1" < "$2" | sort -k1rn -k3 > "${2}.nosync_kvno" +- diff --ignore-case "${1}.nosync_kvno" "${2}.nosync_kvno" ++ diff "${1}.nosync_kvno" "${2}.nosync_kvno" + return $? + } + +@@ -391,6 +599,7 @@ printf '%s' "$keytab2" > "$TMPDIR/keytab2_template" + printf '%s' "$keytab2k" > "$TMPDIR/keytab2k_template" + printf '%s' "$keytab3" > "$TMPDIR/keytab3_template" + printf '%s' "$keytab3k" > "$TMPDIR/keytab3k_template" ++printf '%s' "$keytab4k" > "$TMPDIR/keytab4k_template" + + # Other approach could e.g. compare first six entries from the template. + # The 6 entries correspond to password and old_password, each has 3 enc. types. +-- +2.48.1 + + +From f1e0fce49fbd1890da053d05c8511010cb7f2911 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 14 Jan 2025 11:29:54 +0100 +Subject: [PATCH 4/6] docs-xml:smbdotconf: Document new options for 'sync + machinepassword to keytab' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy + +Autobuild-User(master): Pavel Filipensky +Autobuild-Date(master): Thu Feb 13 18:45:21 UTC 2025 on atb-devel-224 + +(cherry picked from commit 7a662e097be5e0d3f7779fa544486968b8f57063) +--- + docs-xml/manpages/net.8.xml | 24 +++++------ + .../security/syncmachinepasswordtokeytab.xml | 42 ++++++++++++------- + 2 files changed, 38 insertions(+), 28 deletions(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index f388644172f..8091368a48e 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -1549,29 +1549,25 @@ to show in the result. + + + Since Samba 4.21.0, keytab file is created as specified in . The keytab is created only for ++name="sync machine password to keytab"/> . The keytab can be created only when ++machine password is available in secrets.tdb, i.e. only for + secrets only and + secrets and keytab. With + the smb.conf default values for secrets + only and + (default is empty) the keytab is not generated at all. Keytab with a default +-name and SPNs synced from AD is created for secrets and keytab if is missing. ++name containing: SPNs synced from AD, account name COMPUTER$ and principal ++host/dns_hostname is created for secrets ++and keytab if is missing. + + +-Till Samba 4.20.0, two more entries were created by default: the machinename of +-the client (ending with '$') and the UPN (host/domain@REALM). If these two +-entries are still needed, each must be specified in an own keytab file. +-Example below will generate three keytab files that contain SPNs synced from +-AD, host UPN and machine$ SPN: ++Till Samba 4.20, these entries were created by default: the account name ++COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates ++such keytab ('host' is added implicitly): + + +- +-/etc/krb5.keytab0:sync_spns:machine_password, +-/etc/krb5.keytab1:spns=host/smb.com@SMB.COM:machine_password, +-/etc/krb5.keytab2:account_name:machine_password +- ++/etc/krb5.keytab:account_name:sync_spns:sync_kvno:machine_password + + + No changes are made to the computer AD account. +diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml +index f7dc30023d4..02eaf3162c0 100644 +--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml ++++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml +@@ -24,36 +24,49 @@ synchronization. + + Each string has this form: + +-absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password] ++absolute_path_to_keytab:spn_spec[:spn_spec]*[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password] + + +-where spn_spec can have exactly one of these four forms: ++spn_spec can be specified multiple times (separated using ':') and each spn_spec can have exactly one of these forms: + + account_name ++sync_account_name ++sync_upn + sync_spns + spn_prefixes=value1[,value2[...]] + spns=value1[,value2[...]] + +-No other combinations are allowed. + + + +-Specifiers: ++Every keytab contains the 'host' principal and principals according the specification below: + +-account_name - creates entry using principal 'computer$@REALM'. +-sync_spns - uses principals received from AD DC. +-spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified. +-spns - creates only the principals defined in the list. ++account_name - COMPUTER$@REALM ++sync_account_name - uses attribute "sAMAccountName" from AD ++host - always present, no need to specify it explicitly ++ the 'host' principal is created for the same variants (netbios name, dns hostname, netbiosalias, additional_dns_hostname) as in spn_prefixes ++sync_upn - uses attribute "userPrincipalName" (if exists in AD) ++sync_spns - uses attribute "servicePrincipalName" (if exists in AD) ++spn_prefixes - creates these two principals from each prefix. e.g.: ++ prefix/@REALM ++ prefix/@REALM ++ with :netbios_aliases for each netbiosalias in ++ prefix/netbiosalias@REALM ++ prefix/netbiosalias.dnsdomain@REALM ++ with :additional_dns_hostnames for each additionaldnshostname in ++ prefix/additionaldnshostname@REALM ++spns - creates only the principals defined in the list + ++'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD). + + + + Options: + +-sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib. +-sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1. +-netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See +-additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See ++sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read from AD and is used to find the highest common enc type for AD and KRB5 lib. ++sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used to set KVNO. If this option is missing, KVNO is set to -1. ++netbios_aliases - evaluated only for spn_prefixes (see details above) and for the 'host' principal. ++additional_dns_hostnames - evaluated only for spn_prefixes (see details above) and for the 'host' principal. + machine_password - mandatory, if missing the entry is ignored. For future use. + + +@@ -68,7 +81,8 @@ Example: + "/path/to/keytab4:spn_prefixes=imap,smtp:machine_password", + "/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password", + "/path/to/keytab6:spns=wurst/brot@REALM:machine_password", +-"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password" ++"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password", ++"/path/to/keytab8:account_name:sync_account_name:host:sync_upn:sync_spns:spn_prefixes=cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password" + + If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options. + +@@ -80,7 +94,7 @@ If no value is present and is different + + + winbind uses value +- /path/to/keytab:sync_spns:sync_kvno:machine_password ++ /path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password + where the path to the keytab is obtained either from the krb5 library or from + . + +-- +2.48.1 + + +From 4dc163e87824aac33107767881d4a47033c5d9dd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 14 Feb 2025 17:28:54 +0100 +Subject: [PATCH 5/6] s3:libads: Remove specifier for 'host' principal from + 'sync machine password to keytab' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use specifier 'spn_prefixes=host' instead of 'host' + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Stefan Metzmacher +(cherry picked from commit ccc3b2b2fba7b5d223c79bffc0f655490aed19cf) +--- + selftest/target/Samba3.pm | 6 +-- + source3/libads/kerberos_keytab.c | 21 +++------- + source3/script/tests/test_update_keytab.sh | 48 ---------------------- + 3 files changed, 9 insertions(+), 66 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index cc4498ff36e..6650690fbb7 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -804,11 +804,11 @@ sub provision_ad_member + \"$prefix_abs/keytab0k:account_name:sync_kvno:machine_password:sync_etypes\", \\ + \"$prefix_abs/keytab1:sync_spns:machine_password:sync_etypes\", \\ + \"$prefix_abs/keytab1k:sync_spns:sync_kvno:machine_password:sync_etypes\", \\ +- \"$prefix_abs/keytab2:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\ +- \"$prefix_abs/keytab2k:spn_prefixes=imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\ ++ \"$prefix_abs/keytab2:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\ ++ \"$prefix_abs/keytab2k:spn_prefixes=host,imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\ + \"$prefix_abs/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\", \\ + \"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\", \\ +- \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" ++ \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" + "; + } + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index 619a7bda0d4..5913db299ad 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -44,7 +44,6 @@ + enum spn_spec_type { + SPN_SPEC_ACCOUNT_NAME, + SPN_SPEC_SYNC_ACCOUNT_NAME, +- SPN_SPEC_HOST, + SPN_SPEC_SYNC_UPN, + SPN_SPEC_SYNC_SPNS, + SPN_SPEC_FULL, +@@ -164,8 +163,6 @@ static ADS_STATUS pw2kt_scan_spec(TALLOC_CTX *ctx, + } else if (strequal(option, "sync_account_name")) { + spec_type = SPN_SPEC_SYNC_ACCOUNT_NAME; + gstate->sync_sam_account = true; +- } else if (strequal(option, "host")) { +- spec_type = SPN_SPEC_HOST; + } else if (strequal(option, "sync_upn")) { + spec_type = SPN_SPEC_SYNC_UPN; + gstate->sync_upn = true; +@@ -251,9 +248,6 @@ static ADS_STATUS pw2kt_scan_line(const char *line, + *olist = 0; + olist++; + +- /* Always add 'host' principal */ +- desc->spec_array[SPN_SPEC_HOST].is_set = true; +- + /* Entries are separated via ':' */ + while ((tmp = strchr_m(olist, ':')) != NULL) { + *tmp = 0; +@@ -275,7 +269,8 @@ static ADS_STATUS pw2kt_scan_line(const char *line, + /* + * Fill struct pw2kt_global_state with defaults if + * "sync machine password to keytab" is missing in smb.conf +- * Creates 1 keytab with 3 SPN specifiers (sync_spns, account_name, host). ++ * Creates 1 keytab with these SPN specifiers: ++ * sync_spns:account_name:spn_prefixes=host:sync_kvno:machine_password + */ + static ADS_STATUS pw2kt_default_cfg(const char *name, + struct pw2kt_global_state *state) +@@ -302,9 +297,11 @@ static ADS_STATUS pw2kt_default_cfg(const char *name, + + desc->spec_array[SPN_SPEC_SYNC_SPNS].is_set = true; + desc->spec_array[SPN_SPEC_ACCOUNT_NAME].is_set = true; +- desc->spec_array[SPN_SPEC_HOST].is_set = true; ++ desc->spec_array[SPN_SPEC_PREFIX].is_set = true; + +- return ADS_SUCCESS; ++ return pw2kt_add_val(state->keytabs, ++ &desc->spec_array[SPN_SPEC_PREFIX], ++ "host"); + } + + /* +@@ -590,12 +587,6 @@ static ADS_STATUS pw2kt_process_specifier(struct pw2kt_global_state *gstate, + case SPN_SPEC_SYNC_ACCOUNT_NAME: + ADD_INFO(gstate->ad_sam_account); + break; +- case SPN_SPEC_HOST: +- status = pw2kt_add_prefix(gstate, state2, keytabptr, "host"); +- if (!ADS_ERR_OK(status)) { +- return status; +- } +- break; + case SPN_SPEC_SYNC_UPN: + if (gstate->ad_upn != NULL) { + ADD_INFO(gstate->ad_upn); +diff --git a/source3/script/tests/test_update_keytab.sh b/source3/script/tests/test_update_keytab.sh +index 82c64984787..21edf8b8882 100755 +--- a/source3/script/tests/test_update_keytab.sh ++++ b/source3/script/tests/test_update_keytab.sh +@@ -40,48 +40,18 @@ keytab0="\ + -2 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -3 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM +- -1 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -2 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -3 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -1 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + "; + + keytab0k="\ + 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + "; + + keytab1="\ +- -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +@@ -118,15 +88,9 @@ keytab1="\ + "; + + keytab1k="\ +- 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +@@ -295,24 +259,12 @@ keytab2k="\ + "; + + keytab3="\ +- -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + "; + + keytab3k="\ +- 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM +- 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM +- 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM +-- +2.48.1 + + +From 8bb9f6f5d9f5db755dfd950260288dfd746cfbb6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 14 Feb 2025 17:27:26 +0100 +Subject: [PATCH 6/6] docs: Update documentation for 'sync machine password to + keytab' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use specifier 'spn_prefixes=host' instead of 'host' + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Pavel Filipensky +Autobuild-Date(master): Sat Feb 15 19:21:56 UTC 2025 on atb-devel-224 + +(cherry picked from commit 7cae7aad1ca6dcd5e0a3a102f36af74fa49a2c2b) +--- + docs-xml/manpages/net.8.xml | 4 ++-- + .../security/syncmachinepasswordtokeytab.xml | 11 +++++------ + 2 files changed, 7 insertions(+), 8 deletions(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 8091368a48e..a5f004d6e12 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -1564,10 +1564,10 @@ keytab"/> is missing. + + Till Samba 4.20, these entries were created by default: the account name + COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates +-such keytab ('host' is added implicitly): ++such keytab: + + +-/etc/krb5.keytab:account_name:sync_spns:sync_kvno:machine_password ++/etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password + + + No changes are made to the computer AD account. +diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml +index 02eaf3162c0..ec3fffc1119 100644 +--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml ++++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml +@@ -39,12 +39,10 @@ spns=value1[,value2[...]] + + + +-Every keytab contains the 'host' principal and principals according the specification below: ++Every keytab contains principals according the specification below: + + account_name - COMPUTER$@REALM + sync_account_name - uses attribute "sAMAccountName" from AD +-host - always present, no need to specify it explicitly +- the 'host' principal is created for the same variants (netbios name, dns hostname, netbiosalias, additional_dns_hostname) as in spn_prefixes + sync_upn - uses attribute "userPrincipalName" (if exists in AD) + sync_spns - uses attribute "servicePrincipalName" (if exists in AD) + spn_prefixes - creates these two principals from each prefix. e.g.: +@@ -55,6 +53,7 @@ spn_prefixes - creates these two principals from each prefix. e.g.: + prefix/netbiosalias.dnsdomain@REALM + with :additional_dns_hostnames for each additionaldnshostname in + prefix/additionaldnshostname@REALM ++ - 'host' principal should be created using specifier spn_prefixes + spns - creates only the principals defined in the list + + 'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD). +@@ -65,8 +64,8 @@ Options: + + sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read from AD and is used to find the highest common enc type for AD and KRB5 lib. + sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used to set KVNO. If this option is missing, KVNO is set to -1. +-netbios_aliases - evaluated only for spn_prefixes (see details above) and for the 'host' principal. +-additional_dns_hostnames - evaluated only for spn_prefixes (see details above) and for the 'host' principal. ++netbios_aliases - evaluated only for spn_prefixes (see details above). ++additional_dns_hostnames - evaluated only for spn_prefixes (see details above). + machine_password - mandatory, if missing the entry is ignored. For future use. + + +@@ -82,7 +81,7 @@ Example: + "/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password", + "/path/to/keytab6:spns=wurst/brot@REALM:machine_password", + "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password", +-"/path/to/keytab8:account_name:sync_account_name:host:sync_upn:sync_spns:spn_prefixes=cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password" ++"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password" + + If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options. + +-- +2.48.1 + diff --git a/samba-4.21.3.tar.asc b/samba-4.21.3.tar.asc new file mode 100644 index 0000000..a9ae09f --- /dev/null +++ b/samba-4.21.3.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmd796YACgkQqplEL7aA +tiAdpA/9EodazpG4Vo534WW3aKiBxEWt0LzGjDZ6GUbTpCRIJE+a/a36rxbAgHFH +Mpc9mVnCI6/UWv1plnsLwNG4RnC/o0tDrw2ttvIX/ZEiWEPWU38sgfZ+vlwX1r2B +3Hi7Uym4br0SmPwrep5kPfjnE396ftlnC6YMHXZ+tg3i6y8m6msr8rEB8ejLx7RF +qXtJ/YO4HK2DrE51l/Ziyav9FwBgVoE9Sl0oXwLoUX5lhWh6qNe8Qz+bd0s36x1e +5w+ocSNuD2ph5uO1W+pmdOJyMgq8QFchOwxdHi454nRrelp7Kwtb2ARBHrFwoQ+V +kinQlufJ0sb59imso65Tl3EGuuV61CUQgGx9Ln9/wBMXdiPDNhi/H+ikH2AeVzpz +DFuL9WEU/HYT4thCKlNox5T8s90/95vT5MlN2q/CJhFjIti6mb7iM9uxatGFzUBI +A3OxPRc9IbORTEPYxLzsuPrxo+bcFXg0Go8SoNa4W3NYIehMDqnuWOOnC/ixleta +ig635ivxl5owC1CC/GzilBnJ/Tq4bzbZOrYDeYCYa5FkXv9EaTIT9JQcRr0LJcDS +Z43RoD9g9tG6tIea0XyAaPkfVillfnf70vcuelxycl3bhhuvSZUQ+8cqQ0vuUg1V +pcclEjCcgIecIR9r2zSv5S5EldS7hQ6t5pCC5KcJKyeq+LLaj5s= +=DkSu +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-systemd-sysusers.conf b/samba-systemd-sysusers.conf similarity index 100% rename from SOURCES/samba-systemd-sysusers.conf rename to samba-systemd-sysusers.conf diff --git a/SOURCES/samba-usershares-systemd-sysusers.conf b/samba-usershares-systemd-sysusers.conf similarity index 100% rename from SOURCES/samba-usershares-systemd-sysusers.conf rename to samba-usershares-systemd-sysusers.conf diff --git a/SOURCES/samba-winbind-systemd-sysusers.conf b/samba-winbind-systemd-sysusers.conf similarity index 100% rename from SOURCES/samba-winbind-systemd-sysusers.conf rename to samba-winbind-systemd-sysusers.conf diff --git a/SOURCES/samba.abignore b/samba.abignore similarity index 100% rename from SOURCES/samba.abignore rename to samba.abignore diff --git a/SOURCES/samba.logrotate b/samba.logrotate similarity index 85% rename from SOURCES/samba.logrotate rename to samba.logrotate index 40f85aa..43bef68 100644 --- a/SOURCES/samba.logrotate +++ b/samba.logrotate @@ -1,4 +1,4 @@ -/var/log/samba/log.* { +/var/log/samba/*log* { compress dateext maxage 365 diff --git a/SOURCES/samba.pamd b/samba.pamd similarity index 100% rename from SOURCES/samba.pamd rename to samba.pamd diff --git a/SPECS/samba.spec b/samba.spec similarity index 72% rename from SPECS/samba.spec rename to samba.spec index b7ee079..a14a184 100644 --- a/SPECS/samba.spec +++ b/samba.spec @@ -1,3 +1,13 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.6.5) +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 3; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## END: Set by rpmautospec + # The testsuite is disabled by default. # # To build and run the tests use: @@ -8,7 +18,7 @@ # %bcond_with testsuite -# Build with internal talloc, tevent, tdb and ldb. +# Build with internal talloc, tevent, tdb # # fedpkg mockbuild --with=testsuite --with=includelibs # or @@ -55,9 +65,7 @@ # Build vfs_ceph module and ctdb cepth mutex helper by default on 64bit Fedora %if 0%{?fedora} -# ppc64le excluded pending resolution of https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104172 -#%%ifarch aarch64 ppc64le s390x x86_64 -%ifarch aarch64 s390x x86_64 +%ifarch aarch64 ppc64le s390x x86_64 riscv64 %bcond_without vfs_cephfs %bcond_without ceph_mutex %else @@ -80,7 +88,7 @@ %if 0%{?fedora} -%ifarch aarch64 ppc64le s390x x86_64 +%ifarch aarch64 ppc64le s390x x86_64 riscv64 %bcond_without vfs_glusterfs %else %bcond_with vfs_glusterfs @@ -109,7 +117,7 @@ # Build vfs_io_uring module by default on 64bit Fedora %if 0%{?fedora} || 0%{?rhel} >= 8 -%ifarch aarch64 ppc64le s390x x86_64 +%ifarch aarch64 ppc64le s390x x86_64 riscv64 %bcond_without vfs_io_uring %else %bcond_with vfs_io_uring @@ -144,16 +152,30 @@ %bcond_with gpupdate %endif -%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") +%ifarch aarch64 ppc64le s390x x86_64 +%bcond lmdb 1 +%else +%bcond lmdb 0 +%endif + +%global samba_version 4.21.3 + +# The release field is extended: +# [.][.]%%{?dist}[.] +# Square brackets indicate an optional item. +# +# The autorelease macro accepts these parameters to allow packagers to specify +# those added fields: +# +# -p: Designates a pre-release, i.e. pkgrel will be prefixed with '0.'. +# -e : Allows specifying the extraver portion of the release. +# -b : Allows specifying a custom base release number (the +# default is 1). +%global samba_release %autorelease -b 100 -%global samba_version 4.19.4 -%global baserelease 7 -# This should be rc1 or %%nil %global pre_release %nil - -%global samba_release %{baserelease} %if "x%{?pre_release}" != "x" -%global samba_release 0.%{baserelease}.%{pre_release} +%global samba_release %autorelease -p -e %pre_release %endif @@ -164,13 +186,14 @@ %global libdcerpc_so_version 0 %global libndr_krb5pac_so_version 0 %global libndr_nbt_so_version 0 -%global libndr_so_version 3 +%global libndr_so_version 5 %global libndr_standard_so_version 0 %global libnetapi_so_version 1 %global libsamba_credentials_so_version 1 %global libsamba_errors_so_version 1 %global libsamba_hostconfig_so_version 0 %global libsamba_passdb_so_version 0 +%global libsamba_policy_so_version 0 %global libsamba_util_so_version 0 %global libsamdb_so_version 0 %global libsmbconf_so_version 0 @@ -180,12 +203,11 @@ %global libsmbclient_so_version 0 %global libwbclient_so_version 0 -%global talloc_version 2.4.1 -%global tdb_version 1.4.9 -%global tevent_version 0.15.0 -%global ldb_version 2.8.0 +%global talloc_version 2.4.2 +%global tdb_version 1.4.12 +%global tevent_version 0.16.1 -%global required_mit_krb5 1.18 +%global required_mit_krb5 1.20.1 # This is a network daemon, do a hardened build # Enables PIE and full RELRO protection @@ -197,12 +219,6 @@ # https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md %undefine _strict_symbol_defs_build -%global libwbc_alternatives_version 0.16 -%global libwbc_alternatives_suffix %nil -%if 0%{?__isa_bits} == 64 -%global libwbc_alternatives_suffix -64 -%endif - %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" # Make a copy of this variable to prevent repeated evaluation of the @@ -211,7 +227,7 @@ Name: samba Version: %{samba_version} -Release: %{samba_release}%{?dist} +Release: %{samba_release} %if 0%{?fedora} Epoch: 2 @@ -244,13 +260,15 @@ Source18: samba-winbind-systemd-sysusers.conf Source201: README.downgrade Source202: samba.abignore -# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-19-redhat -# This will give us CI and makes it easy to generate patchsets. +# Patch0 is created using: # -# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.19-redhat.patch -Patch0: samba-4.19-redhat.patch +# git clone git@gitlab.com:samba-redhat/samba.git +# cd samba +# git checkout v4-21-redhat +# git format-patch --stdout -l1 --no-renames -N > redhat-4.21.patch +# where N is number of commits -Requires(pre): /usr/sbin/groupadd +Patch0: redhat-4.21.patch Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} @@ -259,6 +277,7 @@ Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-dcerpc = %{samba_depver} +Requires: libldb = %{samba_depver} Requires: libnetapi = %{samba_depver} %if %{with libwbclient} Requires(post): libwbclient = %{samba_depver} @@ -295,6 +314,7 @@ BuildRequires: bison BuildRequires: cups-devel BuildRequires: dbus-devel BuildRequires: docbook-style-xsl +BuildRequires: doxygen BuildRequires: e2fsprogs-devel BuildRequires: flex BuildRequires: gawk @@ -313,7 +333,10 @@ BuildRequires: libcmocka-devel BuildRequires: libtirpc-devel BuildRequires: libuuid-devel BuildRequires: libxslt +%if %{with lmdb} BuildRequires: lmdb +BuildRequires: lmdb-devel >= 0.9.16 +%endif %if %{with winexe} BuildRequires: mingw32-gcc BuildRequires: mingw64-gcc @@ -346,7 +369,7 @@ BuildRequires: zlib-devel >= 1.2.3 BuildRequires: pkgconfig(libsystemd) -%ifnarch i686 +%ifnarch i686 riscv64 %if 0%{?fedora} >= 37 BuildRequires: mold %endif @@ -376,7 +399,7 @@ BuildRequires: python3-etcd %endif %if %{with gpupdate} -BuildRequires: cepces +BuildRequires: cepces-certmonger >= 0.3.8 %endif # pidl requirements @@ -393,20 +416,9 @@ BuildRequires: python3-tevent >= %{tevent_version} BuildRequires: libtdb-devel >= %{tdb_version} BuildRequires: python3-tdb >= %{tdb_version} - -BuildRequires: libldb-devel >= %{ldb_version} -BuildRequires: python3-ldb >= %{ldb_version} -BuildRequires: python3-ldb-devel >= %{ldb_version} %endif -%if %{with includelibs} || %{with testsuite} -# lmdb-devel is required for the mdb ldb module, if samba is configured -# to build includelibs we need lmdb-devel for building that module on our own -BuildRequires: lmdb-devel -#endif without includelibs -%endif - -%if %{with dc} || %{with testsuite} +%if %{with dc} BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} %if 0%{?fedora} || 0%{?rhel} >= 9 @@ -421,11 +433,38 @@ BuildRequires: python3-setproctitle %if %{without includelibs} BuildRequires: tdb-tools -BuildRequires: ldb-tools #endif without includelibs %endif -#endif with dc || with testsuite +#endif with dc +%endif + +%if %{with testsuite} +BuildRequires: bind-utils +BuildRequires: glibc-langpack-en +BuildRequires: git +BuildRequires: gnutls-utils +BuildRequires: jq +BuildRequires: krb5-pkinit +BuildRequires: krb5-workstation +BuildRequires: lmdb +BuildRequires: nss_wrapper +BuildRequires: pam_wrapper +BuildRequires: perl-Archive-Tar +BuildRequires: perl-Digest-MD5 +BuildRequires: perl-ExtUtils-MakeMaker +BuildRequires: perl-JSON +BuildRequires: perl-JSON-Parse +BuildRequires: perl-Parse-Yapp +BuildRequires: perl-Test-Base +BuildRequires: psmisc +BuildRequires: python3-libpamtest +BuildRequires: resolv_wrapper +BuildRequires: rsync +BuildRequires: socket_wrapper +BuildRequires: sudo +BuildRequires: uid_wrapper +#endif with testsuite %endif # filter out perl requirements pulled in from examples in the docdir. @@ -444,6 +483,7 @@ Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: libldb = %{samba_depver} %if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif @@ -470,6 +510,7 @@ Summary: Samba client libraries Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} +Requires: libldb = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -504,6 +545,7 @@ Summary: Libraries used by both Samba servers and clients Requires(pre): samba-common = %{samba_depver} Requires: samba-common = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: libldb = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -544,6 +586,7 @@ Requires: samba-common-libs = %{samba_depver} Requires: samba-client-libs = %{samba_depver} Requires: samba-libs = %{samba_depver} Requires: samba-ldb-ldap-modules = %{samba_depver} +Requires: libldb = %{samba_depver} Requires: libnetapi = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} @@ -563,7 +606,9 @@ Requires: python3-%{name} = %{samba_depver} Requires: python3-%{name}-dc = %{samba_depver} %if %{with dc} # samba-tool needs mdb_copy and tdbackup for domain backup or upgrade provision +%if %{with lmdb} Requires: lmdb +%endif Requires: tdb-tools Requires: python3-gpg %endif @@ -578,6 +623,7 @@ Summary: DCE RPC binaries Requires: samba-common-libs = %{samba_depver} Requires: samba-client-libs = %{samba_depver} Requires: samba-libs = %{samba_depver} +Requires: libldb = %{samba_depver} Requires: libnetapi = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} @@ -607,11 +653,7 @@ Requires: libwbclient = %{samba_depver} Requires: ldb-tools Requires: python3-setproctitle -# Force using libldb version to be the same as build version -# Otherwise LDB modules will not be loaded and samba-tool will fail -# See bug 1507420 -%samba_requires_eq libldb - +Requires: libldb = %{samba_depver} Requires: python3-%{name} = %{samba_depver} Requires: python3-%{name}-dc = %{samba_depver} Requires: krb5-server >= %{required_mit_krb5} @@ -642,6 +684,8 @@ Summary: Samba AD Domain Controller Libraries Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: libldb = %{samba_depver} +Requires: libwbclient = %{samba_depver} Provides: samba4-dc-libs = %{samba_depver} Obsoletes: samba4-dc-libs < %{samba_depver} @@ -662,6 +706,8 @@ Requires: %{name}-dc-libs = %{samba_depver} Requires: %{name}-dc = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: bind +Requires: libldb = %{samba_depver} +Requires: libwbclient = %{samba_depver} Provides: bundled(libreplace) @@ -676,13 +722,13 @@ name server related details of Samba AD. Summary: Developer tools for Samba libraries Requires: %{name}-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} -%if %{with dc} Requires: %{name}-dc-libs = %{samba_depver} -%endif Requires: libnetapi = %{samba_depver} Provides: samba4-devel = %{samba_depver} Obsoletes: samba4-devel < %{samba_depver} +Provides: python3-samba-devel = %{samba_depver} +Obsoletes: python3-samba-devel < %{samba_depver} %description devel The %{name}-devel package contains the header files for the libraries @@ -696,6 +742,8 @@ Summary: Samba VFS module for Ceph distributed storage system Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: libldb = %{samba_depver} +Requires: libwbclient = %{samba_depver} Provides: bundled(libreplace) @@ -711,6 +759,8 @@ Summary: Samba VFS module for io_uring Requires: %{name} = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: libldb = %{samba_depver} +Requires: libwbclient = %{samba_depver} Provides: bundled(libreplace) @@ -729,6 +779,7 @@ Requires: %{name} = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: libldb = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -746,10 +797,12 @@ Samba VFS module for GlusterFS integration. %if %{with gpupdate} %package gpupdate Summary: Samba GPO support for clients -Requires: cepces +Requires: cepces-certmonger Requires: certmonger Requires: %{name}-ldb-ldap-modules = %{samba_depver} Requires: python3-%{name} = %{samba_depver} +# samba-tool needs python3-samba-dc also on non-dc build +Requires: python3-%{name}-dc = %{samba_depver} %description gpupdate This package provides the samba-gpupdate tool to apply Group Policy Objects @@ -778,6 +831,8 @@ the Kerberos credentials cache of the user issuing the print job. Summary: Samba ldap modules for ldb Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} +Requires: libldb = %{samba_depver} +Requires: libwbclient = %{samba_depver} %description ldb-ldap-modules This package contains the ldb ldap modules required by samba-tool and @@ -788,6 +843,7 @@ samba-gpupdate. Summary: Samba libraries Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: libldb = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -808,6 +864,8 @@ Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: libldb = %{samba_depver} +Requires: libwbclient = %{samba_depver} %description -n libnetapi This contains the NETAPI library from the Samba suite. @@ -828,6 +886,7 @@ Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires: libldb = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -885,6 +944,7 @@ Requires: python3-requests Requires: python3-talloc Requires: python3-tdb Requires: python3-tevent +Requires: libldb = %{samba_depver} %if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} %endif @@ -898,13 +958,6 @@ Provides: bundled(libreplace) The python3-%{name} package contains the Python 3 libraries needed by programs that use SMB, RPC and other Samba provided protocols in Python 3 programs. -%package -n python3-%{name}-devel -Summary: Samba python devel files -Requires: python3-%{name} = %{samba_depver} - -%description -n python3-%{name}-devel -The python3-%{name}-devel package contains the Python 3 devel files. - %package -n python3-samba-test Summary: Samba Python libraries Requires: python3-%{name} = %{samba_depver} @@ -922,6 +975,8 @@ Requires: %{name}-dc-libs = %{samba_depver} Requires: python3-%{name} = %{samba_depver} # for ms_forest_updates_markdown.py and ms_schema_markdown.py Requires: python3-markdown +Requires: libldb = %{samba_depver} +Requires: libwbclient = %{samba_depver} %description -n python3-samba-dc The python3-%{name}-dc package contains the Python libraries needed by programs @@ -957,6 +1012,7 @@ Requires: %{name}-test-libs = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} %endif Requires: %{name}-libs = %{samba_depver} +Requires: libldb = %{samba_depver} Requires: libnetapi = %{samba_depver} %if %{with libsmbclient} Requires: libsmbclient = %{samba_depver} @@ -982,6 +1038,7 @@ Summary: Libraries need by the testing tools for Samba servers and clients Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: libldb = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -1019,6 +1076,7 @@ Requires: %{name}-libs = %{samba_depver} Requires(post): %{name}-libs = %{samba_depver} Requires: %{name}-winbind-modules = %{samba_depver} Suggests: %{name}-tools = %{samba_depver} +Requires: libldb = %{samba_depver} %if %{with libwbclient} Requires(post): libwbclient = %{samba_depver} @@ -1047,6 +1105,7 @@ Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-winbind = %{samba_depver} +Requires: libldb = %{samba_depver} %if %{with libwbclient} Requires: libwbclient = %{samba_depver} %endif @@ -1070,6 +1129,7 @@ Requires: %{name}-winbind = %{samba_depver} Requires: %{name}-libs = %{samba_depver} %endif Requires: samba-client-libs = %{samba_depver} +Requires: libldb = %{samba_depver} Provides: samba4-winbind-krb5-locator = %{samba_depver} Obsoletes: samba4-winbind-krb5-locator < %{samba_depver} @@ -1112,6 +1172,8 @@ Summary: Samba Winexe Windows Binary License: GPL-3.0-only Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} +Requires: libldb = %{samba_depver} +Requires: libwbclient = %{samba_depver} Provides: bundled(libreplace) @@ -1157,30 +1219,6 @@ projects to store temporary data. If an application is already using TDB for temporary data it is very easy to convert that application to be cluster aware and use CTDB instead. -%if %{with testsuite} -### CTDB-TEST -%package -n ctdb-tests -Summary: CTDB clustered database test suite - -Requires: %{name}-common-libs = %{samba_depver} -Requires: %{name}-client-libs = %{samba_depver} - -Requires: ctdb = %{samba_depver} -Recommends: nc - -Provides: ctdb-devel = %{samba_depver} -Obsoletes: ctdb-devel < %{samba_depver} - -%description -n ctdb-tests -Test suite for CTDB. -CTDB is a cluster implementation of the TDB database used by Samba and other -projects to store temporary data. If an application is already using TDB for -temporary data it is very easy to convert that application to be cluster aware -and use CTDB instead. - -#endif with testsuite -%endif - %if %{with pcp_pmda} %package -n ctdb-pcp-pmda @@ -1223,7 +1261,71 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB #endif with clustering %endif +### LIBLDB +%package -n libldb +Summary: A schema-less, ldap like, API and database +License: LGPL-3.0-or-later +Requires: libtalloc%{?_isa} >= %{talloc_version} +Requires: libtdb%{?_isa} >= %{tdb_version} +Requires: libtevent%{?_isa} >= %{tevent_version} +Provides: bundled(libreplace) +Obsoletes: libldb < 0:2.10 +Provides: libldb = 0:2.10 +Provides: libldb = %{samba_depver} + +%description -n libldb +An extensible library that implements an LDAP like API to access remote LDAP +servers, or use local tdb databases. + +### LIBLDB-DEVEL +%package -n libldb-devel +Summary: Developer tools for the LDB library +License: LGPL-3.0-or-later +Requires: libldb%{?_isa} = %{samba_depver} +Requires: libtdb-devel%{?_isa} >= %{tdb_version} +Requires: libtalloc-devel%{?_isa} >= %{talloc_version} +Requires: libtevent-devel%{?_isa} >= %{tevent_version} + +Obsoletes: libldb-devel < 0:2.10 +Provides: libldb-devel = 0:2.10 +Provides: libldb-devel = %{samba_depver} + +%description -n libldb-devel +Header files needed to develop programs that link against the LDB library. + +### LDB-TOOLS +%package -n ldb-tools +Summary: Tools to manage LDB files +License: LGPL-3.0-or-later +Requires: libldb%{?_isa} = %{samba_depver} +Obsoletes: ldb-tools < 0:2.10 +Provides: ldb-tools = %{samba_depver} + +%description -n ldb-tools +Tools to manage LDB files + +### PYTHON3-LDB +%package -n python3-ldb +Summary: Python bindings for the LDB library +License: LGPL-3.0-or-later +Requires: libldb%{?_isa} = %{samba_depver} +Requires: python3-tdb%{?_isa} >= %{tdb_version} +Requires: samba-client-libs = %{samba_depver} +%{?python_provide:%python_provide python3-ldb} + +Obsoletes: python3-ldb < 0:2.10 +Provides: python3-ldb = %{samba_depver} +# These were the C bindings, only used by Samba +Obsoletes: python-ldb-devel-common < 2.10 +Provides: python-ldb-devel-common = 2.10 +Provides: python-ldb-devel-common = %{samba_depver} +Obsoletes: python3-ldb-devel < 2.10 +Provides: python3-ldb-devel = 2.10 +Provides: python3-ldb-devel = %{samba_depver} + +%description -n python3-ldb +Python bindings for the LDB library %prep %if 0%{?fedora} || 0%{?rhel} >= 9 @@ -1233,26 +1335,22 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %endif %autosetup -n samba-%{version}%{pre_release} -p1 -# Ensure we rely on GnuTLS and do not build any other crypto code shipping with -# the sources. -rm -rf third_party/{aesni-intel,heimdal} -rm -f lib/crypto/{aes,rijndael}*.c +# Make sure we do not build with heimdal code +rm -rfv third_party/heimdal %build %if %{with includelibs} %global _talloc_lib ,talloc,pytalloc,pytalloc-util %global _tevent_lib ,tevent,pytevent %global _tdb_lib ,tdb,pytdb -%global _ldb_lib ,ldb,pyldb,pyldb-util %else %global _talloc_lib ,!talloc,!pytalloc,!pytalloc-util %global _tevent_lib ,!tevent,!pytevent %global _tdb_lib ,!tdb,!pytdb -%global _ldb_lib ,!ldb,!pyldb,!pyldb-util #endif with includelibs %endif -%global _samba_libraries !popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib} +%global _samba_bundled_libraries !popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib} %global _samba_idmap_modules idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2 %global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4 @@ -1278,7 +1376,8 @@ rm -f lib/crypto/{aes,rijndael}*.c %global _libwbclient wbclient, %endif -%global _samba_private_libraries %{_libsmbclient}%{_libwbclient} +%global _default_private_libraries !ldb,!dcerpc-samr,!samba-policy,!tevent-util,!dcerpc,!samba-hostconfig,!samba-credentials,!dcerpc_server,!samdb, +%global _samba_private_libraries %{_default_private_libraries}%{_libsmbclient}%{_libwbclient} # TODO: resolve underlinked python modules export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')" @@ -1286,7 +1385,7 @@ export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')" # Use the mold linker if possible export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')" -%ifnarch i686 +%ifnarch i686 riscv64 %if 0%{?fedora} >= 37 export LDFLAGS="%{__global_ldflags} -fuse-ld=mold" export python_LDFLAGS="$(echo ${LDFLAGS} | sed -e 's/-Wl,-z,defs//g')" @@ -1315,14 +1414,12 @@ fi --with-cachedir=/var/lib/samba \ --disable-rpath-install \ --with-shared-modules=%{_samba_modules} \ - --bundled-libraries=%{_samba_libraries} \ + --bundled-libraries=%{_samba_bundled_libraries} \ + --private-libraries=%{_samba_private_libraries} \ --with-pam \ --with-pie \ --with-relro \ --without-fam \ -%if (%{without libsmbclient}) || (%{without libwbclient}) - --private-libraries=%{_samba_private_libraries} \ -%endif --with-system-mitkrb5 \ --with-experimental-mit-ad-dc \ %if %{without dc} && %{without testsuite} @@ -1368,16 +1465,23 @@ pushd pidl %make_build popd +pushd lib/ldb +doxygen Doxyfile +popd + %install +%if !%{with testsuite} # Do not use %%make_install, make is just a wrapper around waf in Samba! %{__make} %{?_smp_mflags} %{_make_verbose} install DESTDIR=%{buildroot} install -d -m 0755 %{buildroot}/usr/{sbin,bin} install -d -m 0755 %{buildroot}%{_libdir}/security install -d -m 0755 %{buildroot}/var/lib/samba +install -d -m 0755 %{buildroot}/var/lib/samba/certs install -d -m 0755 %{buildroot}/var/lib/samba/drivers install -d -m 0755 %{buildroot}/var/lib/samba/lock install -d -m 0755 %{buildroot}/var/lib/samba/private +install -d -m 0755 %{buildroot}/var/lib/samba/private/certs install -d -m 0755 %{buildroot}/var/lib/samba/scripts install -d -m 0755 %{buildroot}/var/lib/samba/sysvol install -d -m 0755 %{buildroot}/var/lib/samba/usershares @@ -1476,10 +1580,7 @@ rm -f %{buildroot}%{_mandir}/man8/vfs_ceph_snapshots.8* /sbin/ldconfig -N -n %{buildroot}%{_libdir} %if %{without dc} && %{without testsuite} -for f in samba/libsamba-net-samba4.so \ - samba/libsamba-python-samba4.so \ - libsamba-policy.so* \ - pkgconfig/samba-policy.pc ; do +for f in samba/libsamba-python-private-samba.so; do rm -f %{buildroot}%{_libdir}/$f done #endif without dc @@ -1500,8 +1601,23 @@ rm -f %{buildroot}%{perl_archlib}/vendor_perl/auto/Parse/Pidl/.packlist rm -rf %{buildroot}%{perl_vendorlib}/Parse/Yapp popd -%if %{with testsuite} +# Install libldb manpages +cp -a lib/ldb/apidocs/man/* %{buildroot}%{_mandir} +# Remove manpages we don't want +rm -f %{buildroot}%{_mandir}/man3/_* +rm -f %{buildroot}%{_mandir}/man3/PyLdb* + +# CTDB +%if %{with clustering} +touch %{buildroot}%{_libexecdir}/ctdb/statd_callout +#endif with clustering +%endif + +#endif !with testsuite +%endif + %check +%if %{with testsuite} # # samba3.smb2.timestamps.*: # @@ -1521,25 +1637,30 @@ export TDB_NO_FSYNC=1 export NMBD_DONT_LOG_STDOUT=1 export SMBD_DONT_LOG_STDOUT=1 export WINBINDD_DONT_LOG_STDOUT=1 +export SAMBA_DCERPCD_DONT_LOG_STDOUT=1 %{__make} %{?_smp_mflags} test FAIL_IMMEDIATELY=1 #endif with testsuite %endif +%if !%{with testsuite} %post +%systemd_post samba-bgqd.service %systemd_post smb.service %systemd_post nmb.service %preun +%systemd_preun samba-bgqd.service %systemd_preun smb.service %systemd_preun nmb.service %postun +%systemd_postun_with_restart samba-bgqd.service %systemd_postun_with_restart smb.service %systemd_postun_with_restart nmb.service %pre common # This creates the group 'printadmin' -getent group printadmin >/dev/null || groupadd -r printadmin || : +%sysusers_create_compat %{SOURCE16} %post common %{?ldconfig} @@ -1565,7 +1686,7 @@ fi %ldconfig_scriptlets common-libs -%if %{with dc} || %{with testsuite} +%if %{with dc} %ldconfig_scriptlets dc-libs %post dc @@ -1598,9 +1719,9 @@ fi %if %{with libwbclient} %pre -n libwbclient if [ $1 -gt 1 ] ; then - rm -rf %{_libdir}/samba/wbclient/ - rm -f /etc/alternatives/libwbclient.so* - rm -f /var/lib/alternatives/libwbclient.so* + rm -rf %{_libdir}/samba/wbclient/ 2>/dev/null + rm -f /etc/alternatives/libwbclient.so* 2>/dev/null + rm -f /var/lib/alternatives/libwbclient.so* 2>/dev/null fi %{?ldconfig} #endif {with libwbclient} @@ -1610,11 +1731,11 @@ fi %pre usershares # This creates the group 'usershares' -getent group usershares >/dev/null || groupadd -r usershares || : +%sysusers_create_compat %{SOURCE17} %pre winbind # This creates the group 'wbpriv' -/usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || : +%sysusers_create_compat %{SOURCE18} %post winbind %systemd_post winbind.service @@ -1655,11 +1776,11 @@ fi %systemd_postun_with_restart ctdb.service %endif +%ldconfig_scriptlets -n libldb +%ldconfig_scriptlets -n python3-ldb ### SAMBA %files -%license COPYING -%doc README.md WHATSNEW.txt %doc examples/autofs examples/LDAP examples/misc %doc examples/printer-accounting examples/printing %doc packaging/README.downgrade @@ -1667,9 +1788,9 @@ fi %{_sbindir}/eventlogadm %{_sbindir}/nmbd %{_sbindir}/smbd -%if %{with dc} || %{with testsuite} +%if %{with dc} # This is only used by vfs_dfs_samba4 -%{_libdir}/samba/libdfs-server-ad-samba4.so +%{_libdir}/samba/libdfs-server-ad-private-samba.so %endif %dir %{_libdir}/samba/auth %{_libdir}/samba/auth/unix.so @@ -1685,7 +1806,7 @@ fi %{_libdir}/samba/vfs/commit.so %{_libdir}/samba/vfs/crossrename.so %{_libdir}/samba/vfs/default_quota.so -%if %{with dc} || %{with testsuite} +%if %{with dc} %{_libdir}/samba/vfs/dfs_samba4.so %endif %{_libdir}/samba/vfs/dirsort.so @@ -1718,10 +1839,6 @@ fi %{_libdir}/samba/vfs/worm.so %{_libdir}/samba/vfs/xattr_tdb.so -%if %{with testsuite} -%{_libdir}/samba/vfs/nfs4acl_xattr.so -%endif - %dir %{_libexecdir}/samba %{_libexecdir}/samba/samba-bgqd @@ -1731,6 +1848,7 @@ fi %{_unitdir}/nmb.service %{_unitdir}/smb.service +%{_unitdir}/samba-bgqd.service %dir %{_sysconfdir}/openldap/schema %config %{_sysconfdir}/openldap/schema/samba.schema %config(noreplace) %{_sysconfdir}/pam.d/samba @@ -1807,6 +1925,7 @@ fi %{_bindir}/smbspool %{_bindir}/smbtar %{_bindir}/smbtree +%{_bindir}/wspsearch %dir %{_libexecdir}/samba %ghost %{_libexecdir}/samba/cups_backend_smb %{_mandir}/man1/dbwrap_tool.1* @@ -1827,6 +1946,7 @@ fi %{_mandir}/man1/smbget.1* %{_mandir}/man1/smbtar.1* %{_mandir}/man1/smbtree.1* +%{_mandir}/man1/wspsearch.1* %{_mandir}/man7/traffic_learner.7.* %{_mandir}/man7/traffic_replay.7.* %{_mandir}/man8/cifsdd.8.* @@ -1878,86 +1998,86 @@ fi %{_libdir}/libtevent-util.so.%{libtevent_util_so_version}* %dir %{_libdir}/samba -%{_libdir}/samba/libCHARSET3-samba4.so -%{_libdir}/samba/libMESSAGING-SEND-samba4.so -%{_libdir}/samba/libMESSAGING-samba4.so -%{_libdir}/samba/libaddns-samba4.so -%{_libdir}/samba/libads-samba4.so -%{_libdir}/samba/libasn1util-samba4.so -%{_libdir}/samba/libauth-samba4.so -%{_libdir}/samba/libauthkrb5-samba4.so -%{_libdir}/samba/libcli-cldap-samba4.so -%{_libdir}/samba/libcli-ldap-common-samba4.so -%{_libdir}/samba/libcli-ldap-samba4.so -%{_libdir}/samba/libcli-nbt-samba4.so -%{_libdir}/samba/libcli-smb-common-samba4.so -%{_libdir}/samba/libcli-spoolss-samba4.so -%{_libdir}/samba/libcliauth-samba4.so -%{_libdir}/samba/libclidns-samba4.so -%{_libdir}/samba/libcluster-samba4.so -%{_libdir}/samba/libcmdline-contexts-samba4.so -%{_libdir}/samba/libcommon-auth-samba4.so -%{_libdir}/samba/libctdb-event-client-samba4.so -%{_libdir}/samba/libdbwrap-samba4.so -%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so -%{_libdir}/samba/libdcerpc-samba-samba4.so -%{_libdir}/samba/libevents-samba4.so -%{_libdir}/samba/libflag-mapping-samba4.so -%{_libdir}/samba/libgenrand-samba4.so -%{_libdir}/samba/libgensec-samba4.so -%{_libdir}/samba/libgpext-samba4.so -%{_libdir}/samba/libgpo-samba4.so -%{_libdir}/samba/libgse-samba4.so -%{_libdir}/samba/libhttp-samba4.so -%{_libdir}/samba/libinterfaces-samba4.so -%{_libdir}/samba/libiov-buf-samba4.so -%{_libdir}/samba/libkrb5samba-samba4.so -%{_libdir}/samba/libldbsamba-samba4.so -%{_libdir}/samba/liblibcli-lsa3-samba4.so -%{_libdir}/samba/liblibcli-netlogon3-samba4.so -%{_libdir}/samba/liblibsmb-samba4.so -%{_libdir}/samba/libmessages-dgm-samba4.so -%{_libdir}/samba/libmessages-util-samba4.so -%{_libdir}/samba/libmscat-samba4.so -%{_libdir}/samba/libmsghdr-samba4.so -%{_libdir}/samba/libmsrpc3-samba4.so -%{_libdir}/samba/libndr-samba-samba4.so -%{_libdir}/samba/libndr-samba4.so -%{_libdir}/samba/libnet-keytab-samba4.so -%{_libdir}/samba/libnetif-samba4.so -%{_libdir}/samba/libnpa-tstream-samba4.so -%{_libdir}/samba/libposix-eadb-samba4.so -%{_libdir}/samba/libprinter-driver-samba4.so -%{_libdir}/samba/libprinting-migrate-samba4.so -%{_libdir}/samba/libreplace-samba4.so -%{_libdir}/samba/libregistry-samba4.so -%{_libdir}/samba/libsamba-cluster-support-samba4.so -%{_libdir}/samba/libsamba-debug-samba4.so -%{_libdir}/samba/libsamba-modules-samba4.so -%{_libdir}/samba/libsamba-security-samba4.so -%{_libdir}/samba/libsamba-sockets-samba4.so -%{_libdir}/samba/libsamba3-util-samba4.so -%{_libdir}/samba/libsamdb-common-samba4.so -%{_libdir}/samba/libsecrets3-samba4.so -%{_libdir}/samba/libserver-id-db-samba4.so -%{_libdir}/samba/libserver-role-samba4.so -%{_libdir}/samba/libsmb-transport-samba4.so -%{_libdir}/samba/libsmbclient-raw-samba4.so -%{_libdir}/samba/libsmbd-base-samba4.so -%{_libdir}/samba/libsmbd-shim-samba4.so -%{_libdir}/samba/libsmbldaphelper-samba4.so -%{_libdir}/samba/libstable-sort-samba4.so -%{_libdir}/samba/libsys-rw-samba4.so -%{_libdir}/samba/libsocket-blocking-samba4.so -%{_libdir}/samba/libtalloc-report-printf-samba4.so -%{_libdir}/samba/libtalloc-report-samba4.so -%{_libdir}/samba/libtdb-wrap-samba4.so -%{_libdir}/samba/libtime-basic-samba4.so -%{_libdir}/samba/libtorture-samba4.so -%{_libdir}/samba/libtrusts-util-samba4.so -%{_libdir}/samba/libutil-reg-samba4.so -%{_libdir}/samba/libutil-setid-samba4.so -%{_libdir}/samba/libutil-tdb-samba4.so +%{_libdir}/samba/libCHARSET3-private-samba.so +%{_libdir}/samba/libMESSAGING-SEND-private-samba.so +%{_libdir}/samba/libMESSAGING-private-samba.so +%{_libdir}/samba/libaddns-private-samba.so +%{_libdir}/samba/libads-private-samba.so +%{_libdir}/samba/libasn1util-private-samba.so +%{_libdir}/samba/libauth-private-samba.so +%{_libdir}/samba/libauthkrb5-private-samba.so +%{_libdir}/samba/libcli-cldap-private-samba.so +%{_libdir}/samba/libcli-ldap-common-private-samba.so +%{_libdir}/samba/libcli-ldap-private-samba.so +%{_libdir}/samba/libcli-nbt-private-samba.so +%{_libdir}/samba/libcli-smb-common-private-samba.so +%{_libdir}/samba/libcli-spoolss-private-samba.so +%{_libdir}/samba/libcliauth-private-samba.so +%{_libdir}/samba/libclidns-private-samba.so +%{_libdir}/samba/libcluster-private-samba.so +%{_libdir}/samba/libcmdline-contexts-private-samba.so +%{_libdir}/samba/libcommon-auth-private-samba.so +%{_libdir}/samba/libctdb-event-client-private-samba.so +%{_libdir}/samba/libdbwrap-private-samba.so +%{_libdir}/samba/libdcerpc-pkt-auth-private-samba.so +%{_libdir}/samba/libdcerpc-samba-private-samba.so +%{_libdir}/samba/libevents-private-samba.so +%{_libdir}/samba/libflag-mapping-private-samba.so +%{_libdir}/samba/libgenrand-private-samba.so +%{_libdir}/samba/libgensec-private-samba.so +%{_libdir}/samba/libgpext-private-samba.so +%{_libdir}/samba/libgpo-private-samba.so +%{_libdir}/samba/libgse-private-samba.so +%{_libdir}/samba/libhttp-private-samba.so +%{_libdir}/samba/libinterfaces-private-samba.so +%{_libdir}/samba/libiov-buf-private-samba.so +%{_libdir}/samba/libkrb5samba-private-samba.so +%{_libdir}/samba/libldbsamba-private-samba.so +%{_libdir}/samba/liblibcli-lsa3-private-samba.so +%{_libdir}/samba/liblibcli-netlogon3-private-samba.so +%{_libdir}/samba/liblibsmb-private-samba.so +%{_libdir}/samba/libmessages-dgm-private-samba.so +%{_libdir}/samba/libmessages-util-private-samba.so +%{_libdir}/samba/libmscat-private-samba.so +%{_libdir}/samba/libmsghdr-private-samba.so +%{_libdir}/samba/libmsrpc3-private-samba.so +%{_libdir}/samba/libndr-samba-private-samba.so +%{_libdir}/samba/libndr-samba4-private-samba.so +%{_libdir}/samba/libnet-keytab-private-samba.so +%{_libdir}/samba/libnetif-private-samba.so +%{_libdir}/samba/libnpa-tstream-private-samba.so +%{_libdir}/samba/libposix-eadb-private-samba.so +%{_libdir}/samba/libprinter-driver-private-samba.so +%{_libdir}/samba/libprinting-migrate-private-samba.so +%{_libdir}/samba/libreplace-private-samba.so +%{_libdir}/samba/libregistry-private-samba.so +%{_libdir}/samba/libsamba-cluster-support-private-samba.so +%{_libdir}/samba/libsamba-debug-private-samba.so +%{_libdir}/samba/libsamba-modules-private-samba.so +%{_libdir}/samba/libsamba-security-private-samba.so +%{_libdir}/samba/libsamba-sockets-private-samba.so +%{_libdir}/samba/libsamba3-util-private-samba.so +%{_libdir}/samba/libsamdb-common-private-samba.so +%{_libdir}/samba/libsecrets3-private-samba.so +%{_libdir}/samba/libserver-id-db-private-samba.so +%{_libdir}/samba/libserver-role-private-samba.so +%{_libdir}/samba/libsmb-transport-private-samba.so +%{_libdir}/samba/libsmbclient-raw-private-samba.so +%{_libdir}/samba/libsmbd-base-private-samba.so +%{_libdir}/samba/libsmbd-shim-private-samba.so +%{_libdir}/samba/libsmbldaphelper-private-samba.so +%{_libdir}/samba/libstable-sort-private-samba.so +%{_libdir}/samba/libsys-rw-private-samba.so +%{_libdir}/samba/libsocket-blocking-private-samba.so +%{_libdir}/samba/libtalloc-report-printf-private-samba.so +%{_libdir}/samba/libtalloc-report-private-samba.so +%{_libdir}/samba/libtdb-wrap-private-samba.so +%{_libdir}/samba/libtime-basic-private-samba.so +%{_libdir}/samba/libtorture-private-samba.so +%{_libdir}/samba/libutil-crypt-private-samba.so +%{_libdir}/samba/libutil-reg-private-samba.so +%{_libdir}/samba/libutil-setid-private-samba.so +%{_libdir}/samba/libutil-tdb-private-samba.so %if %{without libwbclient} %{_libdir}/samba/libwbclient.so.* @@ -1972,19 +2092,9 @@ fi %if %{with includelibs} %{_libdir}/samba/libldb-*.so -%{_libdir}/samba/libtalloc-samba4.so -%{_libdir}/samba/libtdb-samba4.so -%{_libdir}/samba/libtevent-samba4.so - -%{_libdir}/samba/ldb/asq.so -%{_libdir}/samba/ldb/ldb.so -%{_libdir}/samba/ldb/mdb.so -%{_libdir}/samba/ldb/paged_searches.so -%{_libdir}/samba/ldb/rdn_name.so -%{_libdir}/samba/ldb/sample.so -%{_libdir}/samba/ldb/server_sort.so -%{_libdir}/samba/ldb/skel.so -%{_libdir}/samba/ldb/tdb.so +%{_libdir}/samba/libtalloc-private-samba.so +%{_libdir}/samba/libtdb-private-samba.so +%{_libdir}/samba/libtevent-private-samba.so %{_mandir}/man3/ldb.3.gz %{_mandir}/man3/talloc.3.gz @@ -1993,6 +2103,8 @@ fi ### COMMON %files common +%doc README.md WHATSNEW.txt +%license COPYING %{_tmpfilesdir}/samba.conf %{_sysusersdir}/samba.conf %dir %{_sysconfdir}/logrotate.d/ @@ -2002,7 +2114,9 @@ fi %ghost %dir /run/samba %ghost %dir /run/winbindd %dir /var/lib/samba +%dir /var/lib/samba/certs %attr(700,root,root) %dir /var/lib/samba/private +%attr(700,root,root) %dir /var/lib/samba/private/certs %dir /var/lib/samba/lock %attr(755,root,root) %dir %{_sysconfdir}/samba %config(noreplace) %{_sysconfdir}/samba/smb.conf @@ -2017,7 +2131,7 @@ fi ### COMMON-LIBS %files common-libs # common libraries -%{_libdir}/samba/libcmdline-samba4.so +%{_libdir}/samba/libcmdline-private-samba.so %dir %{_libdir}/samba/ldb @@ -2057,15 +2171,13 @@ fi %{_libexecdir}/samba/rpcd_fsrvp %{_libexecdir}/samba/rpcd_lsad %{_libexecdir}/samba/rpcd_mdssvc -%if %{with testsuite} -%{_libexecdir}/samba/rpcd_rpcecho -%endif %{_libexecdir}/samba/rpcd_spoolss %{_libexecdir}/samba/rpcd_winreg +%{_libexecdir}/samba/rpcd_witness %{_mandir}/man8/samba-dcerpcd.8* ### DC -%if %{with dc} || %{with testsuite} +%if %{with dc} %files dc %{_unitdir}/samba.service %{_sbindir}/samba @@ -2143,21 +2255,19 @@ fi %license source4/setup/ad-schema/licence.txt %{_datadir}/samba/setup -#endif with dc || with testsuite +#endif with dc %endif ### DC-LIBS %files dc-libs -%{_libdir}/samba/libauth4-samba4.so +%{_libdir}/libsamba-policy.so.%{libsamba_policy_so_version}* +%{_libdir}/samba/libauth4-private-samba.so +%{_libdir}/samba/libsamba-net-private-samba.so -%if %{with dc} || %{with testsuite} -%{_libdir}/samba/libdb-glue-samba4.so -%{_libdir}/samba/libpac-samba4.so -%{_libdir}/samba/libprocess-model-samba4.so -%{_libdir}/samba/libservice-samba4.so - -%if %{with testsuite} -%{_libdir}/samba/libntvfs-samba4.so -%endif +%if %{with dc} +%{_libdir}/samba/libdb-glue-private-samba.so +%{_libdir}/samba/libpac-private-samba.so +%{_libdir}/samba/libprocess-model-private-samba.so +%{_libdir}/samba/libservice-private-samba.so %dir %{_libdir}/samba/process_model %{_libdir}/samba/process_model/prefork.so @@ -2177,16 +2287,12 @@ fi %{_libdir}/samba/service/winbindd.so %{_libdir}/samba/service/wrepl.so -%if %{with testsuite} -%{_libdir}/samba/service/smb.so -%endif - %{_libdir}/libdcerpc-server.so.* -%{_libdir}/samba/libad-claims-samba4.so -%{_libdir}/samba/libauthn-policy-util-samba4.so -%{_libdir}/samba/libdsdb-module-samba4.so -%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so -%{_libdir}/samba/libscavenge-dns-records-samba4.so +%{_libdir}/samba/libad-claims-private-samba.so +%{_libdir}/samba/libauthn-policy-util-private-samba.so +%{_libdir}/samba/libdsdb-module-private-samba.so +%{_libdir}/samba/libdsdb-garbage-collect-tombstones-private-samba.so +%{_libdir}/samba/libscavenge-dns-records-private-samba.so ### DC-BIND %files dc-bind-dlz @@ -2260,6 +2366,7 @@ fi %{_includedir}/samba-4.0/samba/version.h %{_includedir}/samba-4.0/share.h %{_includedir}/samba-4.0/smb2_lease_struct.h +%{_includedir}/samba-4.0/smb3posix.h %{_includedir}/samba-4.0/smbconf.h %{_includedir}/samba-4.0/smb_ldap.h %{_includedir}/samba-4.0/smbldap.h @@ -2307,12 +2414,14 @@ fi %{_libdir}/pkgconfig/ndr_standard.pc %{_libdir}/pkgconfig/samba-credentials.pc %{_libdir}/pkgconfig/samba-hostconfig.pc +%{_libdir}/pkgconfig/samba-policy.pc %{_libdir}/pkgconfig/samba-util.pc %{_libdir}/pkgconfig/samdb.pc %{_libdir}/libsamba-passdb.so +%{_libdir}/libsamba-policy.so %{_libdir}/libsmbldap.so -%if %{with dc} || %{with testsuite} +%if %{with dc} %{_includedir}/samba-4.0/dcerpc_server.h %{_libdir}/libdcerpc-server.so %{_libdir}/pkgconfig/dcerpc_server.pc @@ -2332,8 +2441,10 @@ fi %if %{with vfs_cephfs} %files vfs-cephfs %{_libdir}/samba/vfs/ceph.so +%{_libdir}/samba/vfs/ceph_new.so %{_libdir}/samba/vfs/ceph_snapshots.so %{_mandir}/man8/vfs_ceph.8* +%{_mandir}/man8/vfs_ceph_new.8* %{_mandir}/man8/vfs_ceph_snapshots.8* %endif @@ -2368,21 +2479,22 @@ fi %files ldb-ldap-modules %{_libdir}/samba/ldb/ldbsamba_extensions.so %{_libdir}/samba/ldb/ildap.so +%{_libdir}/samba/ldb/ldap.so ### LIBS %files libs %{_libdir}/libdcerpc-samr.so.* -%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so -%{_libdir}/samba/libauth-unix-token-samba4.so -%{_libdir}/samba/libdcerpc-samba4.so -%{_libdir}/samba/libdnsserver-common-samba4.so -%{_libdir}/samba/libshares-samba4.so -%{_libdir}/samba/libsmbpasswdparser-samba4.so -%{_libdir}/samba/libxattr-tdb-samba4.so -%{_libdir}/samba/libREG-FULL-samba4.so -%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so -%{_libdir}/samba/libRPC-WORKER-samba4.so +%{_libdir}/samba/libLIBWBCLIENT-OLD-private-samba.so +%{_libdir}/samba/libauth-unix-token-private-samba.so +%{_libdir}/samba/libdcerpc-samba4-private-samba.so +%{_libdir}/samba/libdnsserver-common-private-samba.so +%{_libdir}/samba/libshares-private-samba.so +%{_libdir}/samba/libsmbpasswdparser-private-samba.so +%{_libdir}/samba/libxattr-tdb-private-samba.so +%{_libdir}/samba/libREG-FULL-private-samba.so +%{_libdir}/samba/libRPC-SERVER-LOOP-private-samba.so +%{_libdir}/samba/libRPC-WORKER-private-samba.so ### LIBNETAPI %files -n libnetapi @@ -2482,23 +2594,25 @@ fi %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/functional_level.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc +%{python3_sitearch}/samba/__pycache__/gkdi.*.pyc %{python3_sitearch}/samba/__pycache__/graph.*.pyc %{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc %{python3_sitearch}/samba/__pycache__/idmap.*.pyc %{python3_sitearch}/samba/__pycache__/join.*.pyc +%{python3_sitearch}/samba/__pycache__/lsa_utils.*.pyc %{python3_sitearch}/samba/__pycache__/logger.*.pyc %{python3_sitearch}/samba/__pycache__/mdb_util.*.pyc %{python3_sitearch}/samba/__pycache__/ms_display_specifiers.*.pyc %{python3_sitearch}/samba/__pycache__/ms_schema.*.pyc %{python3_sitearch}/samba/__pycache__/ndr.*.pyc %{python3_sitearch}/samba/__pycache__/ntacls.*.pyc +%{python3_sitearch}/samba/__pycache__/nt_time.*.pyc %{python3_sitearch}/samba/__pycache__/policies.*.pyc %{python3_sitearch}/samba/__pycache__/safe_tarfile.*.pyc %{python3_sitearch}/samba/__pycache__/sd_utils.*.pyc %{python3_sitearch}/samba/__pycache__/sites.*.pyc %{python3_sitearch}/samba/__pycache__/subnets.*.pyc %{python3_sitearch}/samba/__pycache__/tdb_util.*.pyc -%{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc %{python3_sitearch}/samba/__pycache__/xattr.*.pyc @@ -2520,6 +2634,7 @@ fi %{python3_sitearch}/samba/dcerpc/auth.*.so %{python3_sitearch}/samba/dcerpc/base.*.so %{python3_sitearch}/samba/dcerpc/claims.*.so +%{python3_sitearch}/samba/dcerpc/conditional_ace.*.so %{python3_sitearch}/samba/dcerpc/dcerpc.*.so %{python3_sitearch}/samba/dcerpc/dfs.*.so %{python3_sitearch}/samba/dcerpc/dns.*.so @@ -2528,6 +2643,8 @@ fi %{python3_sitearch}/samba/dcerpc/drsuapi.*.so %{python3_sitearch}/samba/dcerpc/echo.*.so %{python3_sitearch}/samba/dcerpc/epmapper.*.so +%{python3_sitearch}/samba/dcerpc/gkdi.*.so +%{python3_sitearch}/samba/dcerpc/gmsa.*.so %{python3_sitearch}/samba/dcerpc/idmap.*.so %{python3_sitearch}/samba/dcerpc/initshutdown.*.so %{python3_sitearch}/samba/dcerpc/irpc.*.so @@ -2543,9 +2660,12 @@ fi %{python3_sitearch}/samba/dcerpc/ntlmssp.*.so %{python3_sitearch}/samba/dcerpc/preg.*.so %{python3_sitearch}/samba/dcerpc/samr.*.so +%{python3_sitearch}/samba/dcerpc/schannel.*.so %{python3_sitearch}/samba/dcerpc/security.*.so %{python3_sitearch}/samba/dcerpc/server_id.*.so %{python3_sitearch}/samba/dcerpc/smb_acl.*.so +%{python3_sitearch}/samba/dcerpc/smb3posix.*.so +%{python3_sitearch}/samba/dcerpc/smbXsrv.*.so %{python3_sitearch}/samba/dcerpc/spoolss.*.so %{python3_sitearch}/samba/dcerpc/srvsvc.*.so %{python3_sitearch}/samba/dcerpc/svcctl.*.so @@ -2559,16 +2679,65 @@ fi %{python3_sitearch}/samba/dcerpc/xattr.*.so %{python3_sitearch}/samba/descriptor.py %{python3_sitearch}/samba/dnsresolver.py +%dir %{python3_sitearch}/samba/domain +%{python3_sitearch}/samba/domain/__init__.py +%{python3_sitearch}/samba/domain/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/domain/models/__init__.py +%{python3_sitearch}/samba/domain/models/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/auth_policy.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/auth_silo.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/claim_type.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/computer.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/constants.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/container.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/exceptions.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/fields.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/gmsa.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/group.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/model.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/org.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/person.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/query.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/registry.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/schema.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/site.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/subnet.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/types.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/user.*.pyc +%{python3_sitearch}/samba/domain/models/__pycache__/value_type.*.pyc +%{python3_sitearch}/samba/domain/models/auth_policy.py +%{python3_sitearch}/samba/domain/models/auth_silo.py +%{python3_sitearch}/samba/domain/models/claim_type.py +%{python3_sitearch}/samba/domain/models/computer.py +%{python3_sitearch}/samba/domain/models/constants.py +%{python3_sitearch}/samba/domain/models/container.py +%{python3_sitearch}/samba/domain/models/exceptions.py +%{python3_sitearch}/samba/domain/models/fields.py +%{python3_sitearch}/samba/domain/models/gmsa.py +%{python3_sitearch}/samba/domain/models/group.py +%{python3_sitearch}/samba/domain/models/model.py +%{python3_sitearch}/samba/domain/models/org.py +%{python3_sitearch}/samba/domain/models/person.py +%{python3_sitearch}/samba/domain/models/query.py +%{python3_sitearch}/samba/domain/models/registry.py +%{python3_sitearch}/samba/domain/models/schema.py +%{python3_sitearch}/samba/domain/models/site.py +%{python3_sitearch}/samba/domain/models/subnet.py +%{python3_sitearch}/samba/domain/models/types.py +%{python3_sitearch}/samba/domain/models/user.py +%{python3_sitearch}/samba/domain/models/value_type.py %{python3_sitearch}/samba/drs_utils.py %{python3_sitearch}/samba/dsdb.*.so %{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/functional_level.py %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py +%{python3_sitearch}/samba/gkdi.py %{python3_sitearch}/samba/graph.py %{python3_sitearch}/samba/hostconfig.py %{python3_sitearch}/samba/idmap.py %{python3_sitearch}/samba/join.py +%{python3_sitearch}/samba/lsa_utils.py %{python3_sitearch}/samba/messaging.*.so %{python3_sitearch}/samba/ndr.py %{python3_sitearch}/samba/net.*.so @@ -2591,6 +2760,7 @@ fi %{python3_sitearch}/samba/gp/__pycache__/gp_centrify_crontab_ext.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_centrify_sudoers_ext.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_cert_auto_enroll_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_drive_maps_ext.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_chromium_ext.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_ext_loader.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_firefox_ext.*.pyc @@ -2616,6 +2786,7 @@ fi %{python3_sitearch}/samba/gp/gp_centrify_crontab_ext.py %{python3_sitearch}/samba/gp/gp_centrify_sudoers_ext.py %{python3_sitearch}/samba/gp/gp_cert_auto_enroll_ext.py +%{python3_sitearch}/samba/gp/gp_drive_maps_ext.py %{python3_sitearch}/samba/gp/gp_chromium_ext.py %{python3_sitearch}/samba/gp/gp_ext_loader.py %{python3_sitearch}/samba/gp/gp_firefox_ext.py @@ -2650,6 +2821,7 @@ fi %{python3_sitearch}/samba/gp_parse/gp_inf.py %{python3_sitearch}/samba/gp_parse/gp_ini.py %{python3_sitearch}/samba/gp_parse/gp_pol.py +%{python3_sitearch}/samba/hresult.*.so %{python3_sitearch}/samba/logger.py %{python3_sitearch}/samba/mdb_util.py %{python3_sitearch}/samba/ms_display_specifiers.py @@ -2681,11 +2853,11 @@ fi %{python3_sitearch}/samba/netcmd/__pycache__/processes.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/pso.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/rodc.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/shell.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/schema.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/sites.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/spn.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/testparm.*.pyc -%{python3_sitearch}/samba/netcmd/__pycache__/user.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/validators.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/visualize.*.pyc %{python3_sitearch}/samba/netcmd/common.py @@ -2718,12 +2890,30 @@ fi %{python3_sitearch}/samba/netcmd/domain/auth/__init__.py %dir %{python3_sitearch}/samba/netcmd/domain/auth/__pycache__ %{python3_sitearch}/samba/netcmd/domain/auth/__pycache__/__init__.*.pyc -%{python3_sitearch}/samba/netcmd/domain/auth/__pycache__/policy.*.pyc -%{python3_sitearch}/samba/netcmd/domain/auth/__pycache__/silo.*.pyc -%{python3_sitearch}/samba/netcmd/domain/auth/__pycache__/silo_member.*.pyc -%{python3_sitearch}/samba/netcmd/domain/auth/policy.py -%{python3_sitearch}/samba/netcmd/domain/auth/silo.py -%{python3_sitearch}/samba/netcmd/domain/auth/silo_member.py +%dir %{python3_sitearch}/samba/netcmd/domain/auth/policy +%{python3_sitearch}/samba/netcmd/domain/auth/policy/computer_allowed_to_authenticate_to.py +%{python3_sitearch}/samba/netcmd/domain/auth/policy/__init__.py +%{python3_sitearch}/samba/netcmd/domain/auth/policy/policy.py +%dir %{python3_sitearch}/samba/netcmd/domain/auth/policy/__pycache__ +%{python3_sitearch}/samba/netcmd/domain/auth/policy/__pycache__/computer_allowed_to_authenticate_to.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/policy/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/policy/__pycache__/policy.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/policy/__pycache__/service_allowed_to_authenticate_from.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/policy/__pycache__/service_allowed_to_authenticate_to.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/policy/__pycache__/user_allowed_to_authenticate_from.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/policy/__pycache__/user_allowed_to_authenticate_to.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/policy/service_allowed_to_authenticate_from.py +%{python3_sitearch}/samba/netcmd/domain/auth/policy/service_allowed_to_authenticate_to.py +%{python3_sitearch}/samba/netcmd/domain/auth/policy/user_allowed_to_authenticate_from.py +%{python3_sitearch}/samba/netcmd/domain/auth/policy/user_allowed_to_authenticate_to.py +%dir %{python3_sitearch}/samba/netcmd/domain/auth/silo +%{python3_sitearch}/samba/netcmd/domain/auth/silo/__init__.py +%{python3_sitearch}/samba/netcmd/domain/auth/silo/member.py +%dir %{python3_sitearch}/samba/netcmd/domain/auth/silo/__pycache__ +%{python3_sitearch}/samba/netcmd/domain/auth/silo/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/silo/__pycache__/member.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/silo/__pycache__/silo.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/silo/silo.py %{python3_sitearch}/samba/netcmd/domain/backup.py %dir %{python3_sitearch}/samba/netcmd/domain/claim %{python3_sitearch}/samba/netcmd/domain/claim/__init__.py @@ -2740,35 +2930,15 @@ fi %{python3_sitearch}/samba/netcmd/domain/functional_prep.py %{python3_sitearch}/samba/netcmd/domain/info.py %{python3_sitearch}/samba/netcmd/domain/join.py +%dir %{python3_sitearch}/samba/netcmd/domain/kds +%{python3_sitearch}/samba/netcmd/domain/kds/__init__.py +%dir %{python3_sitearch}/samba/netcmd/domain/kds/__pycache__ +%{python3_sitearch}/samba/netcmd/domain/kds/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/domain/kds/__pycache__/root_key.*.pyc +%{python3_sitearch}/samba/netcmd/domain/kds/root_key.py %{python3_sitearch}/samba/netcmd/domain/keytab.py %{python3_sitearch}/samba/netcmd/domain/leave.py %{python3_sitearch}/samba/netcmd/domain/level.py -%dir %{python3_sitearch}/samba/netcmd/domain/models -%{python3_sitearch}/samba/netcmd/domain/models/__init__.py -%dir %{python3_sitearch}/samba/netcmd/domain/models/__pycache__ -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/__init__.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/auth_policy.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/auth_silo.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/claim_type.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/exceptions.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/fields.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/model.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/schema.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/site.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/subnet.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/user.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/value_type.*.pyc -%{python3_sitearch}/samba/netcmd/domain/models/auth_policy.py -%{python3_sitearch}/samba/netcmd/domain/models/auth_silo.py -%{python3_sitearch}/samba/netcmd/domain/models/claim_type.py -%{python3_sitearch}/samba/netcmd/domain/models/exceptions.py -%{python3_sitearch}/samba/netcmd/domain/models/fields.py -%{python3_sitearch}/samba/netcmd/domain/models/model.py -%{python3_sitearch}/samba/netcmd/domain/models/schema.py -%{python3_sitearch}/samba/netcmd/domain/models/site.py -%{python3_sitearch}/samba/netcmd/domain/models/subnet.py -%{python3_sitearch}/samba/netcmd/domain/models/user.py -%{python3_sitearch}/samba/netcmd/domain/models/value_type.py %{python3_sitearch}/samba/netcmd/domain/passwordsettings.py %{python3_sitearch}/samba/netcmd/domain/provision.py %{python3_sitearch}/samba/netcmd/domain/samba3upgrade.py @@ -2793,13 +2963,79 @@ fi %{python3_sitearch}/samba/netcmd/pso.py %{python3_sitearch}/samba/netcmd/rodc.py %{python3_sitearch}/samba/netcmd/schema.py +%dir %{python3_sitearch}/samba/netcmd/service_account +%{python3_sitearch}/samba/netcmd/service_account/__init__.py +%{python3_sitearch}/samba/netcmd/service_account/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/service_account/__pycache__/group_msa_membership.*.pyc +%{python3_sitearch}/samba/netcmd/service_account/__pycache__/service_account.*.pyc +%{python3_sitearch}/samba/netcmd/service_account/group_msa_membership.py +%{python3_sitearch}/samba/netcmd/service_account/service_account.py +%{python3_sitearch}/samba/netcmd/shell.py %{python3_sitearch}/samba/netcmd/sites.py %{python3_sitearch}/samba/netcmd/spn.py %{python3_sitearch}/samba/netcmd/testparm.py -%{python3_sitearch}/samba/netcmd/user.py +%dir %{python3_sitearch}/samba/netcmd/user +%{python3_sitearch}/samba/netcmd/user/__init__.py +%{python3_sitearch}/samba/netcmd/user/add.py +%{python3_sitearch}/samba/netcmd/user/add_unix_attrs.py +%dir %{python3_sitearch}/samba/netcmd/user/auth +%{python3_sitearch}/samba/netcmd/user/auth/__init__.py +%{python3_sitearch}/samba/netcmd/user/auth/policy.py +%dir %{python3_sitearch}/samba/netcmd/user/auth/__pycache__ +%{python3_sitearch}/samba/netcmd/user/auth/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/user/auth/__pycache__/policy.*.pyc +%{python3_sitearch}/samba/netcmd/user/auth/__pycache__/silo.*.pyc +%{python3_sitearch}/samba/netcmd/user/auth/silo.py +%{python3_sitearch}/samba/netcmd/user/delete.py +%{python3_sitearch}/samba/netcmd/user/disable.py +%{python3_sitearch}/samba/netcmd/user/edit.py +%{python3_sitearch}/samba/netcmd/user/enable.py +%{python3_sitearch}/samba/netcmd/user/getgroups.py +%{python3_sitearch}/samba/netcmd/user/list.py +%{python3_sitearch}/samba/netcmd/user/move.py +%{python3_sitearch}/samba/netcmd/user/password.py +%dir %{python3_sitearch}/samba/netcmd/user/__pycache__ +%{python3_sitearch}/samba/netcmd/user/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/add.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/add_unix_attrs.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/delete.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/disable.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/edit.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/enable.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/getgroups.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/list.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/move.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/password.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/rename.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/sensitive.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/setexpiry.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/setpassword.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/setprimarygroup.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/unlock.*.pyc +%dir %{python3_sitearch}/samba/netcmd/user/readpasswords +%{python3_sitearch}/samba/netcmd/user/readpasswords/common.py +%{python3_sitearch}/samba/netcmd/user/readpasswords/get_kerberos_ticket.py +%{python3_sitearch}/samba/netcmd/user/readpasswords/getpassword.py +%{python3_sitearch}/samba/netcmd/user/readpasswords/__init__.py +%dir %{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__ +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/common.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/get_kerberos_ticket.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/getpassword.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/show.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/syncpasswords.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/show.py +%{python3_sitearch}/samba/netcmd/user/readpasswords/syncpasswords.py +%{python3_sitearch}/samba/netcmd/user/rename.py +%{python3_sitearch}/samba/netcmd/user/sensitive.py +%{python3_sitearch}/samba/netcmd/user/setexpiry.py +%{python3_sitearch}/samba/netcmd/user/setpassword.py +%{python3_sitearch}/samba/netcmd/user/setprimarygroup.py +%{python3_sitearch}/samba/netcmd/user/unlock.py %{python3_sitearch}/samba/netcmd/validators.py %{python3_sitearch}/samba/netcmd/visualize.py %{python3_sitearch}/samba/ntacls.py +%{python3_sitearch}/samba/nt_time.py %{python3_sitearch}/samba/param.*.so %{python3_sitearch}/samba/policies.py %{python3_sitearch}/samba/policy.*.so @@ -2830,20 +3066,17 @@ fi %{python3_sitearch}/samba/subunit/__pycache__/run.*.pyc %{python3_sitearch}/samba/subunit/run.py %{python3_sitearch}/samba/tdb_util.py -%{python3_sitearch}/samba/trust_utils.py %{python3_sitearch}/samba/upgrade.py %{python3_sitearch}/samba/upgradehelpers.py %{python3_sitearch}/samba/werror.*.so %{python3_sitearch}/samba/xattr.py %{python3_sitearch}/samba/xattr_native.*.so %{python3_sitearch}/samba/xattr_tdb.*.so -%{_libdir}/libsamba-policy.cpython*.so.* -%{_libdir}/samba/libsamba-net.cpython*.so +%{_libdir}/samba/libsamba-net-join.cpython*.so %{_libdir}/samba/libsamba-python.cpython*.so %if %{with includelibs} %{_libdir}/samba/libpyldb-util.cpython*.so -%{_libdir}/samba/libpytalloc-util.cpython*.so %{python3_sitearch}/__pycache__/_ldb_text*.pyc %{python3_sitearch}/__pycache__/_tdb_text*.pyc @@ -2852,16 +3085,13 @@ fi %{python3_sitearch}/_tdb_text.py %{python3_sitearch}/_tevent.cpython*.so %{python3_sitearch}/ldb.cpython*.so -%{python3_sitearch}/talloc.cpython*.so +#FIXME why is it missing? +#%{python3_sitearch}/talloc.cpython*.so %{python3_sitearch}/tdb.cpython*.so %{python3_sitearch}/tevent.py #endif with includelibs %endif -%files -n python3-%{name}-devel -%{_libdir}/libsamba-policy.*.so -%{_libdir}/pkgconfig/samba-policy.*.pc - %files -n python3-%{name}-dc %{python3_sitearch}/samba/samdb.py %{python3_sitearch}/samba/schema.py @@ -2877,7 +3107,7 @@ fi %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc %{python3_sitearch}/samba/dcerpc/dnsserver.*.so -%if %{with dc} || %{with testsuite} +%if %{with dc} %{python3_sitearch}/samba/dckeytab.*.so %endif %{python3_sitearch}/samba/domain_update.py @@ -2941,6 +3171,9 @@ fi %{python3_sitearch}/samba/tests/__pycache__/common.*.pyc %{python3_sitearch}/samba/tests/__pycache__/complex_expressions.*.pyc %{python3_sitearch}/samba/tests/__pycache__/compression.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/conditional_ace_assembler.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/conditional_ace_bytes.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/conditional_ace_claims.*.pyc %{python3_sitearch}/samba/tests/__pycache__/core.*.pyc %{python3_sitearch}/samba/tests/__pycache__/credentials.*.pyc %{python3_sitearch}/samba/tests/__pycache__/cred_opt.*.pyc @@ -2957,6 +3190,8 @@ fi %{python3_sitearch}/samba/tests/__pycache__/dsdb_api.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_dns.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_quiet_env_tests.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_quiet_provision_tests.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc %{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc %{python3_sitearch}/samba/tests/__pycache__/domain_backup.*.pyc @@ -2965,6 +3200,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/gensec.*.pyc %{python3_sitearch}/samba/tests/__pycache__/get_opt.*.pyc %{python3_sitearch}/samba/tests/__pycache__/getdcname.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/gkdi.*.pyc %{python3_sitearch}/samba/tests/__pycache__/glue.*.pyc %{python3_sitearch}/samba/tests/__pycache__/gpo.*.pyc %{python3_sitearch}/samba/tests/__pycache__/gpo_member.*.pyc @@ -2985,7 +3221,6 @@ fi %{python3_sitearch}/samba/tests/__pycache__/libsmb-basic.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc -%{python3_sitearch}/samba/tests/__pycache__/ndr.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netbios.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netcmd.*.pyc %{python3_sitearch}/samba/tests/__pycache__/net_join_no_spnego.*.pyc @@ -3031,7 +3266,9 @@ fi %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc %{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sddl_conditional_ace.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/security_descriptors.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc %{python3_sitearch}/samba/tests/__pycache__/sid_strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc @@ -3047,6 +3284,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc %{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/token_factory.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgradeprovision.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgradeprovisionneeddc.*.pyc @@ -3070,16 +3308,23 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/__init__.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/claims.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/gmsa.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/http_chunk.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/http_content.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/misc_dfs_widelink.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_dns.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/rpcd_witness_samba_only.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_basic.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_dfs_propagate_inherit.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_propagate_inhertance.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_save_restore.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol_process.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/traffic_learner.*.pyc @@ -3087,16 +3332,23 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/traffic_summary.*.pyc %{python3_sitearch}/samba/tests/blackbox/bug13653.py %{python3_sitearch}/samba/tests/blackbox/check_output.py +%{python3_sitearch}/samba/tests/blackbox/claims.py %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py +%{python3_sitearch}/samba/tests/blackbox/gmsa.py +%{python3_sitearch}/samba/tests/blackbox/http_chunk.py +%{python3_sitearch}/samba/tests/blackbox/http_content.py %{python3_sitearch}/samba/tests/blackbox/mdsearch.py +%{python3_sitearch}/samba/tests/blackbox/misc_dfs_widelink.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py %{python3_sitearch}/samba/tests/blackbox/netads_dns.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py +%{python3_sitearch}/samba/tests/blackbox/rpcd_witness_samba_only.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py %{python3_sitearch}/samba/tests/blackbox/smbcacls.py %{python3_sitearch}/samba/tests/blackbox/smbcacls_basic.py %{python3_sitearch}/samba/tests/blackbox/smbcacls_dfs_propagate_inherit.py %{python3_sitearch}/samba/tests/blackbox/smbcacls_propagate_inhertance.py +%{python3_sitearch}/samba/tests/blackbox/smbcacls_save_restore.py %{python3_sitearch}/samba/tests/blackbox/smbcontrol.py %{python3_sitearch}/samba/tests/blackbox/smbcontrol_process.py %{python3_sitearch}/samba/tests/blackbox/traffic_learner.py @@ -3105,6 +3357,9 @@ fi %{python3_sitearch}/samba/tests/common.py %{python3_sitearch}/samba/tests/compression.py %{python3_sitearch}/samba/tests/complex_expressions.py +%{python3_sitearch}/samba/tests/conditional_ace_assembler.py +%{python3_sitearch}/samba/tests/conditional_ace_bytes.py +%{python3_sitearch}/samba/tests/conditional_ace_claims.py %{python3_sitearch}/samba/tests/core.py %{python3_sitearch}/samba/tests/credentials.py %{python3_sitearch}/samba/tests/cred_opt.py @@ -3114,11 +3369,11 @@ fi %{python3_sitearch}/samba/tests/dcerpc/__pycache__/__init__.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/array.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc -%{python3_sitearch}/samba/tests/dcerpc/__pycache__/createtrustrelax.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa_utils.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc @@ -3135,10 +3390,10 @@ fi %{python3_sitearch}/samba/tests/dcerpc/array.py %{python3_sitearch}/samba/tests/dcerpc/bare.py %{python3_sitearch}/samba/tests/dcerpc/binding.py -%{python3_sitearch}/samba/tests/dcerpc/createtrustrelax.py %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py %{python3_sitearch}/samba/tests/dcerpc/integer.py %{python3_sitearch}/samba/tests/dcerpc/lsa.py +%{python3_sitearch}/samba/tests/dcerpc/lsa_utils.py %{python3_sitearch}/samba/tests/dcerpc/mdssvc.py %{python3_sitearch}/samba/tests/dcerpc/misc.py %{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py @@ -3169,6 +3424,8 @@ fi %{python3_sitearch}/samba/tests/dsdb_dns.py %{python3_sitearch}/samba/tests/dsdb_lock.py %{python3_sitearch}/samba/tests/dsdb_schema_attributes.py +%{python3_sitearch}/samba/tests/dsdb_quiet_env_tests.py +%{python3_sitearch}/samba/tests/dsdb_quiet_provision_tests.py %{python3_sitearch}/samba/tests/docs.py %{python3_sitearch}/samba/tests/domain_backup.py %{python3_sitearch}/samba/tests/domain_backup_offline.py @@ -3184,6 +3441,7 @@ fi %{python3_sitearch}/samba/tests/gensec.py %{python3_sitearch}/samba/tests/getdcname.py %{python3_sitearch}/samba/tests/get_opt.py +%{python3_sitearch}/samba/tests/gkdi.py %{python3_sitearch}/samba/tests/glue.py %{python3_sitearch}/samba/tests/gpo.py %{python3_sitearch}/samba/tests/gpo_member.py @@ -3213,14 +3471,18 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/claims_in_pac.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/claims_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/conditional_ace_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/device_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/etype_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/gkdi_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/gmsa_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/group_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgt_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/lockout_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc @@ -3231,6 +3493,7 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1_generated.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc @@ -3250,14 +3513,18 @@ fi %{python3_sitearch}/samba/tests/krb5/claims_in_pac.py %{python3_sitearch}/samba/tests/krb5/claims_tests.py %{python3_sitearch}/samba/tests/krb5/compatability_tests.py +%{python3_sitearch}/samba/tests/krb5/conditional_ace_tests.py %{python3_sitearch}/samba/tests/krb5/device_tests.py %{python3_sitearch}/samba/tests/krb5/etype_tests.py %{python3_sitearch}/samba/tests/krb5/fast_tests.py +%{python3_sitearch}/samba/tests/krb5/gkdi_tests.py +%{python3_sitearch}/samba/tests/krb5/gmsa_tests.py %{python3_sitearch}/samba/tests/krb5/group_tests.py %{python3_sitearch}/samba/tests/krb5/kcrypto.py %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py +%{python3_sitearch}/samba/tests/krb5/kdc_tgt_tests.py %{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py %{python3_sitearch}/samba/tests/krb5/lockout_tests.py %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -3268,6 +3535,7 @@ fi %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py +%{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1_generated.py %{python3_sitearch}/samba/tests/krb5/rodc_tests.py %{python3_sitearch}/samba/tests/krb5/simple_tests.py %{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py @@ -3292,7 +3560,14 @@ fi %{python3_sitearch}/samba/tests/logfiles.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py -%{python3_sitearch}/samba/tests/ndr.py +%dir %{python3_sitearch}/samba/tests/ndr +%{python3_sitearch}/samba/tests/ndr/gkdi.py +%{python3_sitearch}/samba/tests/ndr/gmsa.py +%dir %{python3_sitearch}/samba/tests/ndr/__pycache__ +%{python3_sitearch}/samba/tests/ndr/__pycache__/gkdi.*.pyc +%{python3_sitearch}/samba/tests/ndr/__pycache__/gmsa.*.pyc +%{python3_sitearch}/samba/tests/ndr/__pycache__/wbint.*.pyc +%{python3_sitearch}/samba/tests/ndr/wbint.py %{python3_sitearch}/samba/tests/netbios.py %{python3_sitearch}/samba/tests/netcmd.py %{python3_sitearch}/samba/tests/net_join_no_spnego.py @@ -3344,10 +3619,10 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/contact.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/demote.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/dnscmd.*.pyc -%{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_auth_base.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_auth_policy.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_auth_silo.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_claim.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_kds_root_key.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_models.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/drs_clone_dc_data_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/dsacl.*.pyc @@ -3370,10 +3645,16 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_userPassword_crypt.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/rodc.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/schema.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/service_account.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/silo_base.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/sites.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/timecmd.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_auth_policy.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_auth_silo.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_check_password_script.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_get_kerberos_ticket.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_getpassword_gmsa.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_base.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_gpg.*.pyc @@ -3386,10 +3667,10 @@ fi %{python3_sitearch}/samba/tests/samba_tool/contact.py %{python3_sitearch}/samba/tests/samba_tool/demote.py %{python3_sitearch}/samba/tests/samba_tool/dnscmd.py -%{python3_sitearch}/samba/tests/samba_tool/domain_auth_base.py %{python3_sitearch}/samba/tests/samba_tool/domain_auth_policy.py %{python3_sitearch}/samba/tests/samba_tool/domain_auth_silo.py %{python3_sitearch}/samba/tests/samba_tool/domain_claim.py +%{python3_sitearch}/samba/tests/samba_tool/domain_kds_root_key.py %{python3_sitearch}/samba/tests/samba_tool/domain_models.py %{python3_sitearch}/samba/tests/samba_tool/drs_clone_dc_data_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/dsacl.py @@ -3412,10 +3693,16 @@ fi %{python3_sitearch}/samba/tests/samba_tool/provision_userPassword_crypt.py %{python3_sitearch}/samba/tests/samba_tool/rodc.py %{python3_sitearch}/samba/tests/samba_tool/schema.py +%{python3_sitearch}/samba/tests/samba_tool/service_account.py +%{python3_sitearch}/samba/tests/samba_tool/silo_base.py %{python3_sitearch}/samba/tests/samba_tool/sites.py %{python3_sitearch}/samba/tests/samba_tool/timecmd.py %{python3_sitearch}/samba/tests/samba_tool/user.py +%{python3_sitearch}/samba/tests/samba_tool/user_auth_policy.py +%{python3_sitearch}/samba/tests/samba_tool/user_auth_silo.py %{python3_sitearch}/samba/tests/samba_tool/user_check_password_script.py +%{python3_sitearch}/samba/tests/samba_tool/user_get_kerberos_ticket.py +%{python3_sitearch}/samba/tests/samba_tool/user_getpassword_gmsa.py %{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py %{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_base.py %{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py @@ -3426,7 +3713,9 @@ fi %{python3_sitearch}/samba/tests/samdb.py %{python3_sitearch}/samba/tests/samdb_api.py %{python3_sitearch}/samba/tests/sddl.py +%{python3_sitearch}/samba/tests/sddl_conditional_ace.py %{python3_sitearch}/samba/tests/security.py +%{python3_sitearch}/samba/tests/security_descriptors.py %{python3_sitearch}/samba/tests/segfault.py %{python3_sitearch}/samba/tests/sid_strings.py %{python3_sitearch}/samba/tests/smb.py @@ -3442,6 +3731,7 @@ fi %{python3_sitearch}/samba/tests/strings.py %{python3_sitearch}/samba/tests/subunitrun.py %{python3_sitearch}/samba/tests/tdb_util.py +%{python3_sitearch}/samba/tests/token_factory.py %{python3_sitearch}/samba/tests/upgrade.py %{python3_sitearch}/samba/tests/upgradeprovision.py %{python3_sitearch}/samba/tests/upgradeprovisionneeddc.py @@ -3461,21 +3751,12 @@ fi %{_mandir}/man1/ndrdump.1* %{_mandir}/man1/smbtorture.1* -%if %{with testsuite} -%{_mandir}/man1/vfstest.1* -# files to ignore in testsuite mode -%{_libdir}/samba/libnss-wrapper.so -%{_libdir}/samba/libsocket-wrapper.so -%{_libdir}/samba/libuid-wrapper.so -%endif - ### TEST-LIBS %files test-libs -%if %{with dc} || %{with testsuite} -%{_libdir}/samba/libdlz-bind9-for-torture-samba4.so -%else -%{_libdir}/samba/libdsdb-module-samba4.so +%if %{with dc} +%{_libdir}/samba/libdlz-bind9-for-torture-private-samba.so %endif +%{_libdir}/samba/libdsdb-module-private-samba.so ### USERSHARES %files usershares @@ -3487,8 +3768,8 @@ fi %files winbind %{_libdir}/samba/idmap %{_libdir}/samba/nss_info -%{_libdir}/samba/libnss-info-samba4.so -%{_libdir}/samba/libidmap-samba4.so +%{_libdir}/samba/libnss-info-private-samba.so +%{_libdir}/samba/libidmap-private-samba.so %{_sbindir}/winbindd %{_sysusersdir}/samba-winbind.conf %attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged @@ -3540,8 +3821,7 @@ fi %{_sysconfdir}/ctdb/functions %{_sysconfdir}/ctdb/nfs-linux-kernel-callout -%{_sysconfdir}/ctdb/statd-callout -%config %{_sysconfdir}/sudoers.d/ctdb +%ghost %{_sysconfdir}/ctdb/statd-callout # CTDB scripts, no config files # script with executable bit means activated @@ -3581,6 +3861,8 @@ fi %{_libexecdir}/ctdb/ctdb_recovery_helper %{_libexecdir}/ctdb/ctdb_takeover_helper %{_libexecdir}/ctdb/smnotify +%{_libexecdir}/ctdb/statd_callout +%{_libexecdir}/ctdb/statd_callout_helper %{_libexecdir}/ctdb/tdb_mutex_check %dir %{_localstatedir}/lib/ctdb/ @@ -3611,7 +3893,6 @@ fi %{_datadir}/ctdb/events/legacy/00.ctdb.script %{_datadir}/ctdb/events/legacy/01.reclock.script %{_datadir}/ctdb/events/legacy/05.system.script -%{_datadir}/ctdb/events/legacy/06.nfs.script %{_datadir}/ctdb/events/legacy/10.interface.script %{_datadir}/ctdb/events/legacy/11.natgw.script %{_datadir}/ctdb/events/legacy/11.routing.script @@ -3620,826 +3901,16 @@ fi %{_datadir}/ctdb/events/legacy/31.clamd.script %{_datadir}/ctdb/events/legacy/40.vsftpd.script %{_datadir}/ctdb/events/legacy/41.httpd.script +%{_datadir}/ctdb/events/legacy/46.update-keytabs.script +%{_datadir}/ctdb/events/legacy/47.samba-dcerpcd.script %{_datadir}/ctdb/events/legacy/48.netbios.script %{_datadir}/ctdb/events/legacy/49.winbind.script %{_datadir}/ctdb/events/legacy/50.samba.script %{_datadir}/ctdb/events/legacy/60.nfs.script %{_datadir}/ctdb/events/legacy/70.iscsi.script %{_datadir}/ctdb/events/legacy/91.lvs.script - -%if %{with testsuite} -%files -n ctdb-tests -%doc ctdb/tests/README -%{_bindir}/ctdb_local_daemons -%{_bindir}/ctdb_run_tests -%{_bindir}/ctdb_run_cluster_tests - -%dir %{_libexecdir}/ctdb -%dir %{_libexecdir}/ctdb/tests -%{_libexecdir}/ctdb/tests/cluster_mutex_test -%{_libexecdir}/ctdb/tests/cmdline_test -%{_libexecdir}/ctdb/tests/comm_client_test -%{_libexecdir}/ctdb/tests/comm_server_test -%{_libexecdir}/ctdb/tests/comm_test -%{_libexecdir}/ctdb/tests/conf_test -%{_libexecdir}/ctdb/tests/ctdb-db-test -%{_libexecdir}/ctdb/tests/ctdb_io_test -%{_libexecdir}/ctdb/tests/ctdb_packet_parse -%{_libexecdir}/ctdb/tests/ctdb_takeover_tests -%{_libexecdir}/ctdb/tests/db_hash_test -%{_libexecdir}/ctdb/tests/dummy_client -%{_libexecdir}/ctdb/tests/errcode -%{_libexecdir}/ctdb/tests/event_protocol_test -%{_libexecdir}/ctdb/tests/event_script_test -%{_libexecdir}/ctdb/tests/fake_ctdbd -%{_libexecdir}/ctdb/tests/fetch_loop -%{_libexecdir}/ctdb/tests/fetch_loop_key -%{_libexecdir}/ctdb/tests/fetch_readonly -%{_libexecdir}/ctdb/tests/fetch_readonly_loop -%{_libexecdir}/ctdb/tests/fetch_ring -%{_libexecdir}/ctdb/tests/g_lock_loop -%{_libexecdir}/ctdb/tests/hash_count_test -%{_libexecdir}/ctdb/tests/line_test -%{_libexecdir}/ctdb/tests/lock_tdb -%{_libexecdir}/ctdb/tests/message_ring -%{_libexecdir}/ctdb/tests/pidfile_test -%{_libexecdir}/ctdb/tests/pkt_read_test -%{_libexecdir}/ctdb/tests/pkt_write_test -%{_libexecdir}/ctdb/tests/porting_tests -%{_libexecdir}/ctdb/tests/protocol_basic_test -%{_libexecdir}/ctdb/tests/protocol_ctdb_compat_test -%{_libexecdir}/ctdb/tests/protocol_ctdb_test -%{_libexecdir}/ctdb/tests/protocol_types_compat_test -%{_libexecdir}/ctdb/tests/protocol_types_test -%{_libexecdir}/ctdb/tests/protocol_util_test -%{_libexecdir}/ctdb/tests/rb_test -%{_libexecdir}/ctdb/tests/reqid_test -%{_libexecdir}/ctdb/tests/run_event_test -%{_libexecdir}/ctdb/tests/run_proc_test -%{_libexecdir}/ctdb/tests/sigcode -%{_libexecdir}/ctdb/tests/sock_daemon_test -%{_libexecdir}/ctdb/tests/sock_io_test -%{_libexecdir}/ctdb/tests/srvid_test -%{_libexecdir}/ctdb/tests/system_socket_test -%{_libexecdir}/ctdb/tests/tmon_ping_test -%{_libexecdir}/ctdb/tests/tmon_test -%{_libexecdir}/ctdb/tests/transaction_loop -%{_libexecdir}/ctdb/tests/tunable_test -%{_libexecdir}/ctdb/tests/tunnel_cmd -%{_libexecdir}/ctdb/tests/tunnel_test -%{_libexecdir}/ctdb/tests/update_record -%{_libexecdir}/ctdb/tests/update_record_persistent - -%dir %{_datadir}/ctdb/tests -%dir %{_datadir}/ctdb/tests/CLUSTER -%dir %{_datadir}/ctdb/tests/CLUSTER/complex -%{_datadir}/ctdb/tests/CLUSTER/complex/11_ctdb_delip_removes_ip.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/18_ctdb_reloadips.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/30_nfs_tickle_killtcp.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/31_nfs_tickle.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/32_cifs_tickle.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/33_gratuitous_arp.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/34_nfs_tickle_restart.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/36_smb_reset_server.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/37_nfs_reset_server.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/41_failover_ping_discrete.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/42_failover_ssh_hostname.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/43_failover_nfs_basic.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/44_failover_nfs_oneway.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/45_failover_nfs_kill.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/60_rogueip_releaseip.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/61_rogueip_takeip.sh -%{_datadir}/ctdb/tests/CLUSTER/complex/README - -%dir %{_datadir}/ctdb/tests/CLUSTER/complex/scripts -%{_datadir}/ctdb/tests/CLUSTER/complex/scripts/local.bash - -%dir %{_datadir}/ctdb/tests/etc-ctdb -%dir %{_datadir}/ctdb/tests/etc-ctdb/events -%dir %{_datadir}/ctdb/tests/etc-ctdb/events/legacy -%{_datadir}/ctdb/tests/etc-ctdb/events/legacy/00.test.script -%dir %{_datadir}/ctdb/tests/INTEGRATION -%dir %{_datadir}/ctdb/tests/INTEGRATION/database -%{_datadir}/ctdb/tests/INTEGRATION/database/basics.001.attach.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/basics.002.attach.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/basics.003.detach.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/basics.004.wipe.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/basics.010.backup_restore.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/fetch.001.ring.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/fetch.002.ring-hotkeys.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/readonly.001.basic.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.001.volatile.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.002.large.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.003.no_resurrect.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.010.persistent.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/recovery.011.continue.sh -%dir %{_datadir}/ctdb/tests/INTEGRATION/database/scripts -%{_datadir}/ctdb/tests/INTEGRATION/database/scripts/local.bash -%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.001.ptrans.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.002.loop.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.003.loop_recovery.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.004.update_record.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/transaction.010.loop_recovery.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/traverse.001.one.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/traverse.002.many.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.001.fast.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.002.full.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.003.recreate.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.030.locked.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.031.locked.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.032.locked.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.033.locked.sh -%{_datadir}/ctdb/tests/INTEGRATION/database/vacuum.034.locked.sh -%dir %{_datadir}/ctdb/tests/INTEGRATION/failover -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.001.list.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.010.addip.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.011.delip.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.012.reloadips.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.013.failover_noop.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.014.iface_gc.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.020.moveip.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.030.disable_enable.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.032.stop_continue.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.040.NoIPTakeover.sh -%{_datadir}/ctdb/tests/INTEGRATION/failover/pubips.050.missing_ip.sh -%dir %{_datadir}/ctdb/tests/INTEGRATION/simple -%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.000.onnode.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.001.listnodes.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.002.tunables.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.003.ping.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.004.getpid.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.005.process_exists.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.010.statistics.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/basics.011.statistics_reset.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.001.stop_leader_yield.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.002.ban_leader_yield.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.003.capability_leader_yield.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.006.stop_leader_yield_no_lock.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.007.ban_leader_yield_no_lock.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.008.capability_leader_yield_no_lock.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.010.getrelock.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.012.reclock_command.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.015.reclock_remove_lock.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.016.reclock_move_lock_dir.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.020.message_ring.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.021.tunnel_ring.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.030.node_stall_leader_timeout.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.090.unreachable.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.091.version_check.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/debug.001.getdebug.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/debug.002.setdebug.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/debug.003.dumpmemory.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/eventscripts.001.zero_scripts.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/eventscripts.090.debug_hung.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/README -%dir %{_datadir}/ctdb/tests/scripts -%{_datadir}/ctdb/tests/scripts/cluster.bash -%{_datadir}/ctdb/tests/scripts/common.sh -%{_datadir}/ctdb/tests/scripts/integration.bash -%{_datadir}/ctdb/tests/scripts/integration_local_daemons.bash -%{_datadir}/ctdb/tests/scripts/integration_real_cluster.bash -%{_datadir}/ctdb/tests/scripts/script_install_paths.sh -%{_datadir}/ctdb/tests/scripts/test_wrap -%{_datadir}/ctdb/tests/scripts/unit.sh -%dir %{_datadir}/ctdb/tests/UNIT -%dir %{_datadir}/ctdb/tests/UNIT/cunit -%{_datadir}/ctdb/tests/UNIT/cunit/cluster_mutex_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/cluster_mutex_002.sh -%{_datadir}/ctdb/tests/UNIT/cunit/cluster_mutex_003.sh -%{_datadir}/ctdb/tests/UNIT/cunit/cmdline_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/comm_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/comm_test_002.sh -%{_datadir}/ctdb/tests/UNIT/cunit/conf_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/config_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/config_test_002.sh -%{_datadir}/ctdb/tests/UNIT/cunit/config_test_003.sh -%{_datadir}/ctdb/tests/UNIT/cunit/config_test_004.sh -%{_datadir}/ctdb/tests/UNIT/cunit/config_test_005.sh -%{_datadir}/ctdb/tests/UNIT/cunit/config_test_006.sh -%{_datadir}/ctdb/tests/UNIT/cunit/config_test_007.sh -%{_datadir}/ctdb/tests/UNIT/cunit/ctdb_io_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/db_hash_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/event_protocol_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/event_script_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/hash_count_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/line_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/path_tests_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/pidfile_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/pkt_read_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/pkt_write_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/porting_tests_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_002.sh -%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_012.sh -%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_101.sh -%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_111.sh -%{_datadir}/ctdb/tests/UNIT/cunit/protocol_test_201.sh -%{_datadir}/ctdb/tests/UNIT/cunit/rb_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/reqid_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/run_event_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/run_proc_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/sock_daemon_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/sock_io_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/srvid_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_002.sh -%{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_003.sh -%{_datadir}/ctdb/tests/UNIT/cunit/tmon_test_001.sh -%{_datadir}/ctdb/tests/UNIT/cunit/tmon_test_002.sh -%{_datadir}/ctdb/tests/UNIT/cunit/tunable_test_001.sh -%dir %{_datadir}/ctdb/tests/UNIT/eventd -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/ctdb.conf -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/debug-script.sh -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/data -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/data/03.notalink.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/data/README -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/empty -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/empty/README -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/multi -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/multi/01.test.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/multi/02.test.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/multi/03.test.script -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random/01.disabled.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random/02.enabled.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random/a.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/events/random/README.script -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data/01.dummy.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/data/02.disabled.script -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/empty -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/empty/README -%dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random/01.disabled.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random/02.enabled.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random/a.script -%{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/share/events/random/README.script -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_001.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_002.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_003.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_004.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_005.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_006.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_007.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_008.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_009.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_011.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_012.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_013.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_014.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_021.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_022.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_023.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_024.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_031.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_032.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_033.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_041.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_042.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_043.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_044.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_051.sh -%{_datadir}/ctdb/tests/UNIT/eventd/eventd_052.sh -%{_datadir}/ctdb/tests/UNIT/eventd/README -%dir %{_datadir}/ctdb/tests/UNIT/eventd/scripts -%{_datadir}/ctdb/tests/UNIT/eventd/scripts/local.sh -%dir %{_datadir}/ctdb/tests/UNIT/eventscripts -%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.004.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.005.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.006.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.007.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.008.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/00.ctdb.init.009.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/01.reclock.init.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/01.reclock.init.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/01.reclock.init.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.004.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.005.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.006.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.007.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.012.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.014.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.015.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.017.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/05.system.monitor.018.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/06.nfs.releaseip.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/06.nfs.releaseip.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/06.nfs.takeip.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/06.nfs.takeip.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.010.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.012.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.013.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.021.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.022.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.init.023.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.004.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.005.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.006.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.009.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.010.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.012.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.013.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.014.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.015.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.016.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.017.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.monitor.018.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.multi.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.releaseip.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.releaseip.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.startup.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.startup.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.takeip.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.takeip.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/10.interface.takeip.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.004.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.012.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.013.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.014.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.015.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.021.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.022.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.023.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.024.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.025.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.031.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.041.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.042.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.051.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.052.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.053.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/11.natgw.054.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.004.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.005.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.006.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.007.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.008.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.009.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.010.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.012.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.013.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.014.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.015.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.016.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.017.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.018.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.019.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.021.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.022.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.023.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/13.per_ip_routing.024.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/20.multipathd.monitor.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/20.multipathd.monitor.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/20.multipathd.monitor.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/20.multipathd.monitor.004.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/31.clamd.monitor.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/31.clamd.monitor.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/40.vsftpd.monitor.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/40.vsftpd.shutdown.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/40.vsftpd.startup.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/41.httpd.monitor.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/41.httpd.shutdown.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/41.httpd.startup.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/48.netbios.shutdown.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/48.netbios.startup.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.monitor.101.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.monitor.102.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.shutdown.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.startup.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.101.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.103.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.104.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.105.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.106.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.110.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.111.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.112.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.monitor.113.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.shutdown.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.shutdown.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.shutdown.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/50.samba.startup.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.101.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.102.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.103.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.104.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.105.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.106.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.107.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.108.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.109.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.111.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.112.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.113.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.114.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.121.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.122.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.131.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.132.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.141.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.142.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.143.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.144.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.151.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.152.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.153.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.161.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.monitor.162.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.multi.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.multi.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.releaseip.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.releaseip.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.shutdown.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.shutdown.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.startup.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.startup.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.takeip.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/60.nfs.takeip.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.ipreallocated.011.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.ipreallocated.012.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.ipreallocated.013.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.ipreallocated.014.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.monitor.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.monitor.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.monitor.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.shutdown.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.shutdown.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.startup.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/91.lvs.startup.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.004.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.005.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.006.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.007.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.008.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.021.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.022.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.023.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.024.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.025.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.026.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.027.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/debug_locks.sh.028.sh -%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc -%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc-ctdb -%{_datadir}/ctdb/tests/UNIT/eventscripts/etc-ctdb/public_addresses -%{_datadir}/ctdb/tests/UNIT/eventscripts/etc-ctdb/rc.local -%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc/init.d -%{_datadir}/ctdb/tests/UNIT/eventscripts/etc/init.d/nfs -%{_datadir}/ctdb/tests/UNIT/eventscripts/etc/init.d/nfslock -%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc/samba -%{_datadir}/ctdb/tests/UNIT/eventscripts/etc/samba/smb.conf -%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/etc/sysconfig -%{_datadir}/ctdb/tests/UNIT/eventscripts/etc/sysconfig/nfs -%{_datadir}/ctdb/tests/UNIT/eventscripts/README -%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/00.ctdb.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/01.reclock.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/05.system.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/06.nfs.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/10.interface.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/11.natgw.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/13.per_ip_routing.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/20.multipathd.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/31.clamd.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/40.vsftpd.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/41.httpd.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/48.netbios.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/49.winbind.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/50.samba.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/60.nfs.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/91.lvs.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/debug_locks.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/local.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/statd-callout.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.001.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.002.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.003.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.004.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.005.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.006.sh -%{_datadir}/ctdb/tests/UNIT/eventscripts/statd-callout.007.sh -%dir %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb-config -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb_killtcp -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb_lvs -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ctdb_natgw -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/date -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/df -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ethtool -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/exportfs -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/gstack -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/id -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ip -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ip6tables -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/iptables -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ipvsadm -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/kill -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/killall -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/multipath -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/net -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/nfs-fake-callout -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/nfsconf -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pidof -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pkill -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ps -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rm -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.lockd -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.mountd -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.rquotad -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpc.statd -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/rpcinfo -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/service -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/sleep -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/smnotify -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/ss -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/stat -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/tdb_mutex_check -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/tdbdump -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/tdbtool -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/testparm -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/timeout -%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/wbinfo -%dir %{_datadir}/ctdb/tests/UNIT/onnode -%{_datadir}/ctdb/tests/UNIT/onnode/0001.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0002.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0003.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0004.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0005.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0006.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0010.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0011.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0070.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0071.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0072.sh -%{_datadir}/ctdb/tests/UNIT/onnode/0075.sh -%dir %{_datadir}/ctdb/tests/UNIT/onnode/etc-ctdb -%{_datadir}/ctdb/tests/UNIT/onnode/etc-ctdb/nodes -%dir %{_datadir}/ctdb/tests/UNIT/onnode/scripts -%{_datadir}/ctdb/tests/UNIT/onnode/scripts/local.sh -%dir %{_datadir}/ctdb/tests/UNIT/onnode/stubs -%{_datadir}/ctdb/tests/UNIT/onnode/stubs/ctdb -%{_datadir}/ctdb/tests/UNIT/onnode/stubs/ssh -%dir %{_datadir}/ctdb/tests/UNIT/shellcheck -%{_datadir}/ctdb/tests/UNIT/shellcheck/base_scripts.sh -%{_datadir}/ctdb/tests/UNIT/shellcheck/ctdb_helpers.sh -%{_datadir}/ctdb/tests/UNIT/shellcheck/event_scripts.sh -%{_datadir}/ctdb/tests/UNIT/shellcheck/functions.sh -%{_datadir}/ctdb/tests/UNIT/shellcheck/init_script.sh -%dir %{_datadir}/ctdb/tests/UNIT/shellcheck/scripts -%{_datadir}/ctdb/tests/UNIT/shellcheck/scripts/local.sh -%{_datadir}/ctdb/tests/UNIT/shellcheck/tests.sh -%{_datadir}/ctdb/tests/UNIT/shellcheck/tools.sh -%dir %{_datadir}/ctdb/tests/UNIT/takeover -%{_datadir}/ctdb/tests/UNIT/takeover/det.001.sh -%{_datadir}/ctdb/tests/UNIT/takeover/det.002.sh -%{_datadir}/ctdb/tests/UNIT/takeover/det.003.sh -%dir %{_datadir}/ctdb/tests/UNIT/takeover_helper -%{_datadir}/ctdb/tests/UNIT/takeover_helper/000.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/010.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/011.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/012.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/013.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/014.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/016.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/017.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/018.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/019.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/021.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/022.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/023.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/024.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/025.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/026.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/027.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/028.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/030.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/031.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/110.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/111.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/120.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/121.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/122.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/130.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/131.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/132.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/140.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/150.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/160.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/210.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/211.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/220.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/230.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/240.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/250.sh -%{_datadir}/ctdb/tests/UNIT/takeover_helper/260.sh -%dir %{_datadir}/ctdb/tests/UNIT/takeover_helper/scripts -%{_datadir}/ctdb/tests/UNIT/takeover_helper/scripts/local.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.001.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.002.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.003.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.004.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.005.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.006.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.007.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.008.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.009.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.010.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.011.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.012.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.013.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.014.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.015.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.016.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.024.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.025.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.027.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.028.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.029.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.030.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.031.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.032.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.033.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.034.sh -%{_datadir}/ctdb/tests/UNIT/takeover/lcp2.035.sh -%{_datadir}/ctdb/tests/UNIT/takeover/nondet.001.sh -%{_datadir}/ctdb/tests/UNIT/takeover/nondet.002.sh -%{_datadir}/ctdb/tests/UNIT/takeover/nondet.003.sh -%{_datadir}/ctdb/tests/UNIT/takeover/README -%dir %{_datadir}/ctdb/tests/UNIT/takeover/scripts -%{_datadir}/ctdb/tests/UNIT/takeover/scripts/local.sh -%dir %{_datadir}/ctdb/tests/UNIT/tool -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.attach.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.attach.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.attach.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ban.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ban.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ban.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.catdb.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.catdb.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.cattdb.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.cattdb.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.continue.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.continue.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.continue.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.deletekey.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.disable.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.disable.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.disable.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.disable.004.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.enable.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.enable.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.enable.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getcapabilities.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getcapabilities.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getcapabilities.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getcapabilities.004.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbmap.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbseqnum.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbseqnum.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbstatus.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbstatus.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getpid.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getpid.010.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getreclock.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getreclock.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getvar.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getvar.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ifaces.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.004.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.005.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.006.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ip.007.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ipinfo.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ipinfo.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ipinfo.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.leader.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.leader.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.listnodes.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.listnodes.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.listvars.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.004.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.005.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.006.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.007.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.008.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.010.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.004.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.005.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.006.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.007.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.008.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.010.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.004.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.005.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.006.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.007.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.pdelete.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ping.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.pnn.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.process-exists.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.process-exists.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.process-exists.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.pstore.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.ptrans.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.readkey.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.recover.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.011.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.012.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.013.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.014.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.015.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.016.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.017.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.018.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.019.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.020.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.021.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.023.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.reloadnodes.024.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.004.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.runstate.005.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.004.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbreadonly.005.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.004.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdbsticky.005.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdebug.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdebug.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setdebug.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setifacelink.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setifacelink.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setvar.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.setvar.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.status.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.status.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.status.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.stop.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.stop.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.stop.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.unban.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.unban.002.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.unban.003.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.uptime.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/ctdb.writekey.001.sh -%{_datadir}/ctdb/tests/UNIT/tool/README -%dir %{_datadir}/ctdb/tests/UNIT/tool/scripts -%{_datadir}/ctdb/tests/UNIT/tool/scripts/local.sh -#endif with selftest -%endif +%dir %{_datadir}/ctdb/scripts +%{_datadir}/ctdb/scripts/winbind_ctdb_updatekeytab.sh %if %{with pcp_pmda} %files -n ctdb-pcp-pmda @@ -4478,445 +3949,1009 @@ fi %{_mandir}/man1/winexe.1.gz %endif +%files -n libldb +%{_libdir}/libldb.so.* +%dir %{_libdir}/samba +%{_libdir}/samba/libldb-key-value-private-samba.so +%{_libdir}/samba/libldb-tdb-err-map-private-samba.so +%{_libdir}/samba/libldb-tdb-int-private-samba.so +%if %{with lmdb} +%{_libdir}/samba/libldb-mdb-int-private-samba.so +%endif + +%dir %{_libdir}/samba/ldb +%{_libdir}/samba/ldb/asq.so +%{_libdir}/samba/ldb/ldb.so +%if %{with lmdb} +%{_libdir}/samba/ldb/mdb.so +%endif +%{_libdir}/samba/ldb/paged_searches.so +%{_libdir}/samba/ldb/rdn_name.so +%{_libdir}/samba/ldb/sample.so +%{_libdir}/samba/ldb/server_sort.so +%{_libdir}/samba/ldb/skel.so +%{_libdir}/samba/ldb/tdb.so + +%files -n libldb-devel +%{_includedir}/samba-4.0/ldb_module.h +%{_includedir}/samba-4.0/ldb_handlers.h +%{_includedir}/samba-4.0/ldb_errors.h +%{_includedir}/samba-4.0/ldb_version.h +%{_includedir}/samba-4.0/ldb.h +%{_libdir}/libldb.so + +%{_libdir}/pkgconfig/ldb.pc +%{_mandir}/man3/ldb*.gz +%{_mandir}/man3/ldif*.gz + +%files -n ldb-tools +%{_bindir}/ldbadd +%{_bindir}/ldbdel +%{_bindir}/ldbedit +%{_bindir}/ldbmodify +%{_bindir}/ldbrename +%{_bindir}/ldbsearch +%{_libdir}/samba/libldb-cmdline-private-samba.so +%{_mandir}/man1/ldbadd.1.* +%{_mandir}/man1/ldbdel.1.* +%{_mandir}/man1/ldbedit.1.* +%{_mandir}/man1/ldbmodify.1.* +%{_mandir}/man1/ldbrename.1.* +%{_mandir}/man1/ldbsearch.1.* + +%files -n python3-ldb +%{python3_sitearch}/ldb.cpython-*.so +%{_libdir}/samba/libpyldb-util.cpython-*-private-samba.so +%{python3_sitearch}/_ldb_text.py +%{python3_sitearch}/__pycache__/_ldb_text.cpython-*.py* +#endif !with testsuite +%endif + %changelog -* Thu Mar 20 2025 Diaa Sami - 4.19.4-7 -- resolves: RHEL-84117 - fd_handle_destructor() can panic within an smbd_smb2_close() +## START: Generated by rpmautospec +* Mon Feb 17 2025 Pavel Filipenský - 0:4.21.3-102 +- resolves: RHEL-73183 - Fix keytab generation -* Tue Oct 22 2024 Andreas Schneider - 4.19.4-6 -- resolves: RHEL-63770 - Fix notifyd performance issue +* Tue Jan 07 2025 Pavel Filipenský - 0:4.21.3-101 +- resolves: RHEL-2223 - Fix vfs_crossrename -* Fri Aug 02 2024 Pavel Filipenský - 4.19.4-5 -- resolves: RHEL-45842 - Fix idmap_ad with trusted domains +* Tue Jan 07 2025 Pavel Filipenský - 0:4.21.3-100 +- Update to version 4.21.3 +- related: RHEL-59777 -* Thu May 02 2024 Pavel Filipenský - 4.19.4-4 -- related: RHEL-33813 - Undo wrong changes in rpminspect.yaml +* Tue Nov 26 2024 Pavel Filipenský - 0:4.21.2-102 +- resolves: RHEL-68945 - Fix libsmbclient for mounting CIFS share from + gnome -* Thu May 02 2024 Pavel Filipenský - 4.19.4-4 -- resolves: RHEL-33813 - Add option to request only POSIX groups from AD in idmap_ad +* Mon Nov 25 2024 Pavel Filipenský - 0:4.21.2-101 +- resolves: RHEL-65730 - Fix winexe -* Thu Jan 18 2024 Pavel Filipenský - 4.19.4-3 -- resolves: RHEL-19753 - Fix smbget interactive authentication +* Mon Nov 25 2024 Pavel Filipenský - 0:4.21.2-100 +- Update to version 4.21.2 +- related: RHEL-59777 -* Wed Jan 10 2024 Pavel Filipenský - 4.19.4-2 -- Fix error in PREIN scriptlet in rpm package samba-common -- related: RHEL-16483 - Update to version 4.19.4 +* Wed Oct 23 2024 Pavel Filipenský - 0:4.21.1-104 +- Add always do samba-devel: Requires: %%{name}-dc-libs -* Tue Jan 09 2024 Pavel Filipenský - 4.19.4-1 -- resolves: RHEL-16483 - Update to version 4.19.4 +* Tue Oct 22 2024 Pavel Filipenský - 0:4.21.1-103 +- Add Requires: libwbclient -* Thu Dec 14 2023 Pavel Filipenský - 4.19.3-2 -- resolves: RHEL-17283 - Fix smbget password interactive authentication +* Tue Oct 22 2024 Pavel Filipenský - 0:4.21.1-102 +- Fix samba 4.20 -> 4.21 upgrade for the removed python3-samba-devel -* Mon Dec 04 2023 Pavel Filipenský - 4.19.3-1 -- resolves: RHEL-16483 - Update to version 4.19.3 -- resolves: RHEL-11361 - - Fix CVE-2023-3961 CVE-2023-4091 CVE-2023-42669 -- resolves: RHEL-2228 - Logging Format Enhancement -- resolves: RHEL-1965 - Fix smbget issues with DFS shares -- resolves: RHEL-2108 - Fix force user/group issues with 'allow trusted domains = yes' -- resolves: RHEL-17122 - Fix memory corruption in libnss_winbind +* Tue Oct 15 2024 Pavel Filipenský - 0:4.21.1-101 +- Fix several rpminspect warnings -* Sat Nov 18 2023 Pavel Filipenský - 4.19.2-0 -- resolves: RHEL-16483 - Update to version 4.19.2 +* Mon Oct 14 2024 Pavel Filipenský - 0:4.21.1-100 +- Update to version 4.21.1 +- related: RHEL-59777 -* Thu Aug 17 2023 Andreas Schneider - 4.18.6-1 -- related: rhbz#2190417 - Update to version 4.18.6 -- resolves: rhbz#2232564 - Fix the rpc dsgetinfo command +* Thu Oct 03 2024 Pavel Filipenský - 0:4.21.0-106 +- resolves: RHEL-41041 - Fix smbd-notifyd O(n*n) performance issue -* Thu Jul 20 2023 Pavel Filipenský - 4.18.5-0 -- resolves: rhbz#2222894 - Fix CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968 +* Thu Oct 03 2024 Pavel Filipenský - 0:4.21.0-105 +- resolves: RHEL-61401 - Package certs directories in samba-common for + gpupdate [rhel-10.0] -* Mon Jul 17 2023 Pavel Filipenský - 4.18.4-2 -- resolves: rhbz#2222884 - Fix trust relationship between workstation and DC +* Wed Oct 02 2024 Pavel Filipenský - 0:4.21.0-104 +- resolves: RHEL-53006 - [RFE] update keytab entries when renewing the + machine account password -* Mon Jul 10 2023 Pavel Filipenský - 4.18.4-1 -- resolves: rhbz#2221594 - Fix broken symlink for libwbclient -- resolves: rhbz#2221600 - Fix segfault of winbind child when listing users with `winbind scan trusted domains = yes` -- resolves: rhbz#2175385 - Fix access of Samba share with veto files = /.*/ -- resolves: rhbz#2218237 - Fix Python tarfile extraction to avoid a warning +* Wed Oct 02 2024 Pavel Filipenský - 0:4.21.0-103 +- resolves: RHEL-34922 - Address SAST findings detected by static analyzers + (libldb) -* Thu Jul 06 2023 Pavel Filipenský - 4.18.4-0 -- resolves: rhbz#2190417 - Update to version 4.18.4 +* Wed Oct 02 2024 Pavel Filipenský - 0:4.21.0-102 +- resolves: RHEL-59377 - Address SAST findings detected by static analyzers + (samba) -* Tue Jun 13 2023 Pavel Filipenský - 4.18.3-0 -- resolves: rhbz#2190417 - Update to version 4.18.3 +* Wed Oct 02 2024 Pavel Filipenský - 0:4.21.0-101 +- related: RHEL-59777 - Build with ceph again for ppc64le -* Tue Jun 06 2023 Pavel Filipenský - 4.18.2-2 -- resolves: rhbz#2190417 - Rebuild to trigger distrobaker sync +* Fri Sep 27 2024 Pavel Filipenský - 0:4.21.0-100 +- Update to version 4.21.0 +- resolves: RHEL-59777 -* Wed May 24 2023 Pavel Filipenský - 4.18.2-1 -- resolves: rhbz#2190417 - Add missing tests to fix osci.brew-build.tier0.functional +* Thu Aug 01 2024 Pavel Filipenský - 0:4.20.2-104 +- resolves: RHEL-47308 Allow to run samba-bgqd as a standalone systemd + service -* Mon May 22 2023 Pavel Filipenský - 4.18.2-0 -- resolves: rhbz#2190417 - Update to version 4.18.2 +* Thu Jul 04 2024 Andreas Schneider - 0:4.20.2-103 +- related: RHEL-33591 - Rebuild package to run tests -* Wed Feb 15 2023 Pavel Filipenský - 4.17.5-2 -- resolves: rhbz#2169339 - Fix winbind memory leak -- resolves: rhbz#2152899 - Fix Samba shares not accessible issue +* Wed Jul 03 2024 Andreas Schneider - 0:4.20.2-102 +- resolves: RHEL-45838 - Fix idmap_ad with trusted domains -* Mon Feb 13 2023 Pavel Filipenský - 4.17.5-1 -- resolves: rhbz#2167691 - Create package samba-tools +* Mon Jul 01 2024 Andreas Schneider - 0:4.20.2-100 +- related: RHEL-33591 - Update to version 4.20.2 -* Fri Jan 27 2023 Pavel Filipenský - 4.17.5-0 -- related: rhbz#2132051 - Update to version 4.17.5 +* Mon Jun 24 2024 Troy Dawson - 0:4.20.1-103 +- Bump release for June 2024 mass rebuild -* Thu Dec 22 2022 Pavel Filipenský - 4.17.4-1 -- related: rhbz#2132051 - Create package dc-libs also for 'non-dc build' +* Mon Jun 03 2024 Andreas Schneider - 4.20.1-102 +- Update to version 4.20.1 +- resolves: RHEL-33591 -* Tue Dec 20 2022 Pavel Filipenský - 4.17.4-0 -- related: rhbz#2132051 - Update to version 4.17.4 -- resolves: rhbz#2154370 - Fix CVE-2022-38023 -- resolves: rhbz#2142331 - Fix %U include directive for share listing (netshareenum) -- resolves: rhbz#2148943 - Fix Winbind to retrieve user groups from Active Directory +* Mon Feb 12 2024 Guenther Deschner - 4.20.0rc2-3 +- resolves: #2263874 - Update to version 4.20.0rc2 -* Wed Nov 02 2022 Pavel Filipenský - 4.17.2-2 +* Thu Feb 01 2024 Pete Walter - 2:4.20.0-0.2.rc1 +- Rebuild for ICU 74 + +* Mon Jan 29 2024 Guenther Deschner - 4.20.0rc1-1 +- resolves: #2260895 - Update to version 4.20.0rc1 + +* Sat Jan 27 2024 Fedora Release Engineering - 2:4.19.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Tue Jan 16 2024 Andreas Schneider - 4.29.4-3 +- Fix samba-gpupdate on Fedora/RHEL + +* Tue Jan 09 2024 Andreas Schneider - 4.19.4-2 +- resolves: rhbz#2256326 - Create all groups using systemd + +* Mon Jan 08 2024 Guenther Deschner - 4.19.4-1 +- resolves: #2257287 - Update to version 4.19.4 + +* Tue Nov 28 2023 Guenther Deschner - 4.19.3-2 +- Disable performance co-pilot support for i686 + +* Mon Nov 27 2023 Guenther Deschner - 4.19.3-1 +- resolves: #2251766 - Update to version 4.19.3 + +* Wed Nov 15 2023 Andreas Schneider - 4.19.2-2 +- Package samba-gpupdate also for RHEL9 + +* Mon Oct 16 2023 Guenther Deschner - 4.19.2-1 +- resolves: #2244496 - Update to version 4.19.2 + +* Tue Oct 10 2023 Guenther Deschner - 4.19.1-1 +- resolves: #2243073 - Update to version 4.19.1 +- resolves: #2241881, #2243228: Security fix for CVE-2023-3961 +- resolves: #2241882, #2243231: Security fix for CVE-2023-4091 +- resolves: #2241883, #2243230: Security fix for CVE-2023-4154 +- resolves: #2241884, #2243229: Security fix for CVE-2023-42669 +- resolves: #2241885, #2243232: Security fix for CVE-2023-42670 + +* Mon Sep 04 2023 Guenther Deschner - 4.19.0-1 +- resolves: #2237259 - Update to version 4.19.0 + +* Mon Aug 28 2023 Guenther Deschner - 4.19.0-0.5.rc4 +- resolves: #2232744 - Update to version 4.19.0rc4 + +* Fri Aug 18 2023 Guenther Deschner - 4.19.0-0.4.rc3 +- resolves: #2232744 - Update to version 4.19.0rc3 + +* Wed Aug 16 2023 Yaakov Selkowitz - 2:4.19.0-0.3.rc2 +- Move ad-claims and authn-policy-util to dc-libs + +* Tue Aug 15 2023 Adam Williamson - 4.19.0-0.2.rc2 +- python3-samba-dc requires python3-markdown now + +* Tue Aug 08 2023 Guenther Deschner - 4.19.0-0.1.rc2 +- resolves: #2227246 - Update to version 4.19.0rc2 + +* Mon Aug 07 2023 Guenther Deschner - 4.19.0-0.0.rc1 +- resolves: #2227246 - Update to version 4.19.0rc1 + +* Thu Jul 20 2023 Guenther Deschner - 4.18.5-0 +- resolves: #2224040 - Update to version 4.18.5 +- resolves: #2222791, #2224254 - Security fix for CVE-2022-2127 +- resolves: #2222792, #2224255 - Security fix for CVE-2023-3347 +- resolves: #2222793, #2224253 - Security fix for CVE-2023-34966 +- resolves: #2222794, #2224252 - Security fix for CVE-2023-34967 +- resolves: #2222795, #2224250 - Security fix for CVE-2023-34968 + +* Sat Jul 15 2023 Guenther Deschner - 4.18.4-3 +- resolves: #2223091 - Fix netlogon LogonGetCapabilities level 2 error handling + +* Tue Jul 11 2023 František Zatloukal - 2:4.18.4-2 +- Rebuilt for ICU 73.2 + +* Wed Jul 05 2023 Python Maint - 2:4.18.4-1 +- Rebuilt for Python 3.12 + +* Wed Jul 05 2023 Guenther Deschner - 4.18.4-0 +- resolves: #2219799 - Update to version 4.18.4 + +* Mon Jun 26 2023 Python Maint - 2:4.18.3-5 +- Rebuilt for Python 3.12 + +* Mon Jun 26 2023 Adam Williamson - 4.18.3-4 +- Only run libwbclient %pre on upgrade, not fresh install + +* Fri Jun 23 2023 Andreas Schneider - 4.18.3-3 +- resolves: rhbz#2211577 - Fix libwbclient package upgrades + +* Thu Jun 15 2023 Python Maint - 2:4.18.3-2 +- Rebuilt for Python 3.12 + +* Thu Jun 15 2023 Andreas Schneider - 4.18.3-1 +- resolves: #2203539 - Also cover mit_kdc.log by logrotate + +* Thu Jun 01 2023 Guenther Deschner - 4.18.3-0 +- resolves: #2211453 - Update to version 4.18.3 + +* Wed Apr 19 2023 Guenther Deschner - 4.18.2-0 +- resolves: #2187991 - Update to version 4.18.2 + +* Wed Mar 29 2023 Guenther Deschner - 4.18.1-0 +- resolves: #2182787 - Update to version 4.18.1 +- resolves: #2182772, #2182773 - Security fixes for CVE-2023-0225 +- resolves: #2182774, #2182775 - Security fixes for CVE-2023-0922 +- resolves: #2182776, #2182777 - Security fixes for CVE-2023-0614 + +* Tue Mar 21 2023 Andreas Schneider - 4.18.0-12 +- Fix ctdb file lists when built with test suite enabled + +* Fri Mar 17 2023 Kalev Lember - 4.18.0-10 +- Move libstable-sort-samba4.so to samba-client-libs subpackage + +* Wed Mar 08 2023 Guenther Deschner - 4.18.0-9 +- resolves: #2176469 - Update to version 4.18.0 + +* Wed Mar 01 2023 Guenther Deschner - 4.18.0rc4-8 +- resolves: #2174415 - Update to version 4.18.0rc4 + +* Tue Feb 28 2023 Andreas Schneider - 4.18.0-0.7.rc3 +- resolves: #2173619 - Add missing Requires for glibc-gconv-extra + +* Thu Feb 23 2023 Pavel Filipenský - 4.18.0-0.6.rc3 +- SPDX migration + +* Wed Feb 15 2023 Guenther Deschner - 4.18.0rc3-6 +- resolves: #2166416 - Update to version 4.18.0rc3 + +* Mon Feb 13 2023 Pavel Filipenský - 4.18.0rc2-5 +- Create package samba-tools, move there samba-tool binary + +* Thu Feb 02 2023 Guenther Deschner - 4.18.0rc2-3 +- resolves: #2166416 - Update to version 4.18.0rc2 + +* Sat Jan 21 2023 Fedora Release Engineering - 2:4.18.0-0.2.rc1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jan 19 2023 Guenther Deschner - 4.18.0rc1-0 +- resolves: #2162097 - Update to version 4.18.0rc1 + +* Sat Dec 31 2022 Pete Walter - 2:4.17.4-4 +- Rebuild for ICU 72 + +* Thu Dec 22 2022 Pavel Filipenský - 4.17.4-3 +- Create package dc-libs also for 'non-dc build' + +* Tue Dec 20 2022 Pavel Filipenský - 4.17.4-2 +- Fix '--without dc' build: delete libauth4-samba4.so + +* Mon Dec 19 2022 Pavel Filipenský - 4.17.4-1 +- Create a samba-dcerpc sub-package +- Fix package installation without samba and samba-dc package + +* Fri Dec 16 2022 Guenther Deschner - 4.17.4-0 +- resolves: #2153906 - Update to version 4.17.4 +- resolves: #2154362, #2154363 - Security fixes for CVE-2022-38023 +- resolves: #2154303, #2154304 - Security fixes for CVE-2022-37966 +- resolves: #2154320, #2154322 - Security fixes for CVE-2022-37967 + +* Thu Dec 1 2022 Alexander Bokovoy - 2:4.17.3-2 +- Rebuild against krb5 1.20.1, new KDB interface + +* Mon Nov 21 2022 Florian Weimer - 2:4.17.3-1 +- Remove C89-specific language constructs from configure checks +- Fix feature detection for major/minor macros + +* Tue Nov 15 2022 Guenther Deschner - 4.17.3-0 +- resolves: #2142959 - Update to version 4.17.3 +- resolves: #2140960, #2143117 - Security fixes for CVE-2022-42898 + +* Wed Nov 02 2022 Pavel Filipenský - 4.17.2-1 - Always add epoch to samba_depver to fix osci.brew-build.rpmdeplint.functional -- related: rhbz#2132051 -* Wed Oct 26 2022 Andreas Schneider - 4.17.2-1 -- resolves: rhbz#2132051 - Update to version 4.17.2 -- resolves: rhbz#2126174 - Fix CVE-2022-1615 -- resolves: rhbz#2108487 - ctdb: Add dependency to samba-winbind-clients +* Tue Oct 25 2022 Andreas Schneider - 4.17.2-1 +- Update to version 4.17.2 +- Fix CVE-2022-3592: A malicious client can use a symlink to escape the + exported -* Thu Aug 25 2022 Andreas Schneider - 4.16.4-2 -- resolves: rhbz#2120956 - Do not require samba package in python3-samba +* Mon Oct 24 2022 Andreas Schneider - 4.17.1-2 +- Add missing dependency for wbinfo used by ctdb scripts -* Thu Jul 28 2022 Andreas Schneider - 4.16.4-1 -- Rebase to version 4.16.4 -- resolves: rhbz#2108331 - Fix CVE-2022-32742 +* Wed Oct 19 2022 Pavel Filipenský - 4.17.1-1 +- Update to version 4.17.1 +- resolves: rhbz#2127301 - Permission denied calling SMBC_getatr when file not exists +- resolves: rhbz#2133818 - rpcclient 4.17.0 unable to resolve server hostname -* Mon Jul 18 2022 Pavel Filipenský - 4.16.3-0 -- related: rhbz#2077468 - Rebase Samba to 4.16.3 -- resolves: rhbz#2106672 - The pcap background queue process should not be stopped -- resolves: rhbz#2106263 - Fix crash in rpcd_classic -- resolves: rhbz#2100093 - Fix net ads info returns LDAP server and LDAP server name +* Wed Oct 05 2022 Andreas Schneider - 4.17.0-2 +- Move group creation logic to sysusers.d fragment -* Tue Jun 14 2022 Pavel Filipenský - 4.16.2-1 -- resolves: rhbz#2084162 - Fix printer displays only after 300 seconds timeout +* Tue Sep 13 2022 Andreas Schneider - 4.17.0-1 +- resolves: rhbz#2118818 - Update to version 4.17.0 +- resolves: rhbz#2121138 - Fix CVE-2022-32743 +- resolves: rhbz#2122650 - Fix CVE-2022-1615 -* Mon Jun 13 2022 Pavel Filipenský - 4.16.2-0 +* Tue Sep 13 2022 Andreas Schneider - 4.17.0-0.11.rc5 +- resolves: rhbz#2093656 - Split out libnetapi(-devel) sub-packages +- resolves: rhbz#2096405 - Add samba-usershare package + +* Tue Sep 06 2022 Guenther Deschner - 4.17.0-0.10.rc5 +- resolves: #2118818 - Update to version 4.17.0rc5 + +* Wed Aug 31 2022 Guenther Deschner - 4.17.0-0.9.rc4 +- resolves: #2118818 - Update to version 4.17.0rc4 + +* Thu Aug 25 2022 Adam Williamson - 4.17.0-0.8.rc3 +- Rebuild with no changes to fix F37 update grouping + +* Thu Aug 25 2022 Andreas Schneider - 4.17.0-0.7.rc3 +- python3-samba package should not require the samba package + +* Tue Aug 23 2022 Pavel Filipenský - 4.17.0-0.6.rc3 +- resolves: #2118818 - Update to version 4.17.0rc3 + +* Fri Aug 19 2022 Andreas Schneider - 4.17.0-0.5.rc2 +- Create a samba-gpupdate sub-package for GPO client support + +* Fri Aug 19 2022 Andreas Schneider - 4.17.0-0.4.rc2 +- Split out a samba-ldb-ldap-modules subpackage + +* Thu Aug 18 2022 Kalev Lember - 2:4.17.0-0.3.rc2 +- Avoid requiring systemd as per updated packaging guidelines + +* Wed Aug 17 2022 Guenther Deschner - 4.17.0rc2-2 +- resolves: #2118818 - Update to version 4.17.0rc2 + +* Wed Aug 10 2022 Andreas Schneider - 4.17.0rc1-1 +- Make sure we detect if SO version numbers of public libraries change. + +* Mon Aug 08 2022 Guenther Deschner - 4.17.0rc1-0 +- resolves: #2116503 - Update to version 4.17.0rc1 + +* Mon Aug 01 2022 Frantisek Zatloukal - 2:4.16.4-1 +- Rebuilt for ICU 71.1 + +* Wed Jul 27 2022 Guenther Deschner - 4.16.4-0 +- resolves: #2111490 - Update to version 4.16.4 +- resolves: #2108196, #2111729 - Security fixes for CVE-2022-32742 +- resolves: #2108205, #2111731 - Security fixes for CVE-2022-32744 +- resolves: #2108211, #2111732 - Security fixes for CVE-2022-32745 +- resolves: #2108215, #2111734 - Security fixes for CVE-2022-32746 + +* Sat Jul 23 2022 Fedora Release Engineering - 2:4.16.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jul 18 2022 Andreas Schneider - 4.16.3-1 +- Update to version 4.16.3 + +* Wed Jun 15 2022 Python Maint - 2:4.16.2-1 +- Rebuilt for Python 3.11 + +* Mon Jun 13 2022 Guenther Deschner - 4.16.2-0 +- Update to Samba 4.16.2 +- resolves: #2096167 + +* Wed Jun 08 2022 Andreas Schneider - 4.16.1-7 +- resolves: rhbz#2093833 - Remove weak dependency for logrotate for CentOS/RHEL + +* Tue May 31 2022 Jitka Plesnikova - 2:4.16.1-6 +- Perl 5.36 rebuild + +* Fri May 13 2022 Pavel Filipenský - 4.16.1-5 - Fix rpminspect abidiff -- related: rhbz#2077468 - Rebase Samba to 4.16.2 + +* Fri May 06 2022 Pavel Filipenský - 4.16.1-2 +- Update requires for packages + +* Thu May 05 2022 Tomas Popela - 4.16.1-1 +- Don't require full systemd for tmp files handling in samba-common * Mon May 02 2022 Pavel Filipenský - 4.16.1-0 - Update to Samba 4.16.1 -- resolves: rhbz#2077468 Rebase Samba to the the latest 4.16.x release +- resolves: #2080915 -* Wed Apr 27 2022 Pavel Filipenský - 4.15.5-8 -- resolves: rhbz#2070522 - Fix UPNs handling in lookup_name*() calls +* Fri Mar 25 2022 Sandro Mani - 2:4.16.0-7 +- Rebuild with mingw-gcc-12 -* Wed Apr 20 2022 Pavel Filipenský - 4.15.5-7 -- resolves: rhbz#2076505 - PAM Kerberos authentication fails with a clock skew error +* Tue Mar 22 2022 Guenther Deschner - 4.16.0-6 +- Update to Samba 4.16.0 +- resolves: #2066290 -* Wed Apr 13 2022 Pavel Filipenský - 4.15.5-6 -- resolves: rhbz#2059151 - Fix username map for unix groups -- resolves: rhbz#2065212 - Fix 'create krb5 conf = yes` when a KDC has a single IP address. +* Wed Mar 09 2022 Guenther Deschner - 4.16.0-0.5.rc5 +- Update to Samba 4.16.0rc5 +- resolves: #2042518 -* Thu Feb 24 2022 Andreas Schneider - 4.15.5-4 -- resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh +* Tue Mar 01 2022 Pavel Filipenský - 4.16.0-0.4.rc4 +- Update to Samba 4.16.0rc4 +- resolves: #2042518 -* Mon Feb 21 2022 Andreas Schneider - 4.15.5-3 -- related: rhbz#1979959 - Fix typo in testparm output +* Wed Feb 23 2022 Andreas Schneider - 4.16.0-0.3.rc3 +- resolves: rhbz#2036443 - Fix samba-tool on builds with samba-dc -* Thu Feb 17 2022 Andreas Schneider - 4.15.5-2 -- resolves: rhbz#1979959 - Improve idmap autorid sanity checks and documentation +* Tue Feb 15 2022 Pavel Filipenský - 4.16.0rc3 +- Update to Samba 4.16.0rc3 +- resolves: #2042518 -* Mon Feb 14 2022 Pavel Filipenský - 4.15.5-1 -- resolves: #1995849 - [RFE] Change change password change prompt phrasing -- resolves: #2029417 - virusfilter_vfs_openat: Not scanned: Directory or special file +* Tue Feb 01 2022 Pavel Filipenský - 4.16.0rc2 +- Update to Samba 4.16.0rc2 +- resolves: #2046120, #2048566 - Security fixes for CVE-2021-44141 +- resolves: #2046146, #2048570 - Security fixes for CVE-2021-44142 +- resolves: #2046134, #2048568 - Security fixes for CVE-2022-0336 +- resolves: #2042518 -* Wed Feb 02 2022 Pavel Filipenský - 4.15.5-0 -- Update to Samba 4.15.5 -- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release -- resolves: rhbz#2046127 - Fix CVE-2021-44141 -- resolves: rhbz#2046153 - Fix CVE-2021-44142 -- resolves: rhbz#2044404 - Printing no longer works on Windows 7 -- resolves: rhbz#2043154 - Fix systemd notifications -- resolves: rhbz#2049602 - Disable NTLMSSP for ldap client connections (e.g. libads) +* Wed Jan 26 2022 Pavel Filipenský - 4.16.0rc1 +- Exclude temporarily ceph on ppc64le to fix failing build -* Fri Jan 21 2022 Pavel Filipenský - 4.15.4-0 +* Tue Jan 25 2022 Pavel Filipenský - 4.16.0rc1 +- Update to Samba 4.16.0rc1 +- resolves: #2042518 + +* Thu Jan 20 2022 Pavel Filipenský - 4.15.4-0 - Update to Samba 4.15.4 -- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release -- resolves: rhbz#2039153 - Fix CVE-2021-20316 -- resolves: rhbz#1912549 - Winexe: Kerberos flag not invoking Kerberos Auth -- resolves: rhbz#2039157 - Fix CVE-2021-43566 -- resolves: rhbz#2038148 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7 -- resolves: rhbz#2035528 - [smb] Segmentation fault when joining the domain -- resolves: rhbz#2038796 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED +- resolves: #2009673, #2039034 - Security fixes for CVE-2021-20316 +- resolves: #2042518 -* Thu Dec 16 2021 Pavel Filipenský - 4.15.3-1 -- related: rhbz#2013596 - Rebase to version 4.15.3 -- resolves: rhbz#2028029 - Fix possible null pointer dereference in winbind -- resolves: rhbz#1912549 - Winexe: Kerberos Auth is respected via --use-kerberos=desired +* Wed Dec 15 2021 Pavel Filipenský - 4.15.3-1 +- Fix resolv_wrapper with glibc 2.34 +- resolves: #2019669 -* Fri Dec 03 2021 Andreas Schneider - 4.15.2-2 -- related: rhbz#2013596 - Remove unneeded lmdb dependency +* Wed Dec 08 2021 Pavel Filipenský - 4.15.3-0 +- Update to Samba 4.15.3 +- resolves: #2030382 -* Thu Nov 25 2021 Pavel Filipenský - 4.15.2-1 -- resolves: rhbz#2013596 - Rebase to version 4.15.2 -- resolves: rhbz#1999294 - Remove noisy error message in winbindd -- resolves: rhbz#1958881 - Don't require winbind being online for krb5 auth - with one-way trusts -- resolves: rhbz#2019461 - Fix deleting directories with dangling symlinks +* Sat Nov 13 2021 Guenther Deschner - 4.15.2-3 +- Fix IPA DC schannel support -* Mon Nov 22 2021 Andreas Schneider - 4.14.5-14 -- related: rbhz#2019674 - Fix CVE-2020-25717 -- Fix running ktest (selftest) +* Thu Nov 11 2021 Guenther Deschner - 4.15.2-2 +- Fix winbind trusted domain regression +- related: #2021716 +- Fix logfile handling +- Fix smbclient -N failures in container setups -* Sat Nov 13 2021 Alexander Bokovoy - 4.14.5-13 -- related: rbhz#2019674 - Fix CVE-2020-25717 -- Add missing checks for IPA DC server role +* Tue Nov 09 2021 Guenther Deschner - 4.15.2-0 +- Update to Samba 4.15.2 +- resolves: #2019660, #2021711 - Security fixes for CVE-2016-2124 +- resolves: #2019672, #2021716 - Security fixes for CVE-2020-25717 +- resolves: #2019726, #2021718 - Security fixes for CVE-2020-25718 +- resolves: #2019732, #2021719 - Security fixes for CVE-2020-25719 +- resolves: #2021728, #2021729 - Security fixes for CVE-2020-25721 +- resolves: #2019764, #2021721 - Security fixes for CVE-2020-25722 +- resolves: #2021726, #2021727 - Security fixes for CVE-2021-3738 +- resolves: #2019666, #2021715 - Security fixes for CVE-2021-23192 +- resolves: #2021625 -* Wed Nov 10 2021 Andreas Schneider - 4.14.5-12 -- related: rbhz#2019674 - Fix regression with 'allow trusted domains = no' +* Fri Nov 05 2021 Guenther Deschner - 4.15.1-1 +- Fix winexe core dump +- resolves: #2020376 -* Tue Nov 09 2021 Andreas Schneider - 4.14.5-11 -- resolves: rhbz#2021425 - Add missing PAC buffer types to krb5pac.idl +* Wed Oct 27 2021 Guenther Deschner - 4.15.1-0 +- Update to Samba 4.15.1 +- resolves: #2017847 -* Fri Nov 05 2021 Andreas Schneider - 4.14.4-3 -- resolves: rhbz#2019662 - Fix CVE-2016-2124 -- resolves: rhbz#2019668 - Fix CVE-2021-23192 -- resolves: rbhz#2019674 - Fix CVE-2020-25717 +* Mon Sep 20 2021 Guenther Deschner - 4.15.0-13 +- Update to Samba 4.15.0 +- resolves: #2005817 -* Tue Jul 13 2021 Andreas Schneider - 4.14.4-2 -- related: rhbz#1980346 - Rebuild for libtalloc 0.11.0 +* Mon Sep 13 2021 Guenther Deschner - 4.15.0-0.12.rc7 +- Update to Samba 4.15.0rc7 +- resolves: #2003740 -* Thu Jun 24 2021 Andreas Schneider - 4.14.4-1 -- resolves: rhbz#1974792 - Create a subpackage for vfs-io-uring -- resolves: rhbz#1965397 - Raise log level for dfs ENOENT debug message +* Thu Sep 09 2021 Guenther Deschner - 4.15.0-0.11.rc6 +- Update to Samba 4.15.0rc6 +- resolves: #2002546 -* Thu Jun 10 2021 Andreas Schneider - 4.14.4-0 -- related: rhbz#1944657 - Update to version 4.14.5 -- resolves: rhbz#1969787 - Fix memory leak in RPC server -- resolves: rhbz#1954974 - Validate smb.conf option for domain members with testparm -- resolves: rhbz#1963298 - Fix smbd trying to delete files with wrong permissions -- resolves: rhbz#1890008 - Update rpcclient manpage to list all available commands -- resolves: rhbz#1857254 - Update smbcacls manpage to document inhertance flags +* Tue Sep 07 2021 Guenther Deschner - 4.15.0-0.10.rc5 +- Update to Samba 4.15.0rc5 +- resolves: #2001827 -* Wed May 12 2021 Andreas Schneider - 4.14.4-4 -- related: rhbz#1944657 - Fix possible upgrade issues +* Wed Sep 01 2021 Guenther Deschner - 4.15.0-0.9.rc4 +- Update to Samba 4.15.0rc4 +- resolves: #2000079 -* Tue May 11 2021 Andreas Schneider - 4.14.4-2 -- resolves: rhbz#1944657 - Update to version 4.14.4 -- resolves: rhbz#1949445 - Fix CVE-2021-20254 -- resolves: rhbz#1947945 - Fix libsmbldap.so.2 not being a symbolic link -- resolves: rhbz#1908506 - Fix creating the gencache user directory -- resolves: rhbz#1901029 - Build the vfs_io_uring module +* Thu Aug 26 2021 Guenther Deschner - 4.15.0-0.8.rc3 +- Update to Samba 4.15.0rc3 +- resolves: #1998024 -* Thu Feb 04 2021 Andreas Schneider - 4.13.3-3 -- resolves: #1924615 - Fix a memcache bug when cache is full -- resolves: #1924571 - Ensure that libwbclient has been updated before - restarting services +* Wed Aug 25 2021 Guenther Deschner - 4.15.0-0.7.rc2 +- Add ceph and etcd mutex helpers for CTDB -* Fri Jan 29 2021 Andreas Schneider - 4.13.3-2 -- resolves: #1909647 - Fix winbind in trust scenarios with connection issues +* Mon Aug 16 2021 Anoop C S - 4.15.0-0.6.rc2 +- Avoid removing PyDSDB library files from buildroot for non AD DC build -* Wed Dec 16 2020 Andreas Schneider - 4.13.3-1 -- related: #1878109 - Rebase Samba to version 4.13.3 +* Fri Aug 13 2021 Adam Williamson - 4.15.0-0.5.rc2 +- Fix samba-common-tools dependency -* Fri Dec 04 2020 Andreas Schneider - 4.13.2-5 -- resolves: #1904174 - Fix ldap timeout with 'net ads join' +* Thu Aug 12 2021 Andreas Schneider - 4.15.0-0.4.rc2 +- Package samba-tool correctly -* Fri Nov 27 2020 Andreas Schneider - 4.13.2-4 -- resolves: #1902198 - Document weak crypto output of testparm +* Mon Aug 09 2021 Guenther Deschner - 4.15.0-0.3.rc2 +- Update to Samba 4.15.0rc2 +- resolves: #1991634 -* Wed Nov 25 2020 Andreas Schneider - 4.13.2-3 -- resolves: #1899113 - Fix following dfs links with smb clients +* Fri Jul 23 2021 Fedora Release Engineering - 2:4.15.0-0.2.rc1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild -* Tue Nov 17 2020 Andreas Schneider - 4.13.2-2 -- related: #1869702 - Fix spoolss crash -- resolves: #1896736 - Fix name lookups of FreeIPA users -- resolves: #1899113 - Fix DFS links +* Mon Jul 19 2021 Guenther Deschner - 4.15.0rc1-1 +- Fix ctdb-pcp-pmda install +- resolves: #1983369 + +* Thu Jul 15 2021 Guenther Deschner - 4.15.0rc1-0 +- Update to Samba 4.15.0rc1 +- resolves: #1982623 + +* Wed Jul 14 2021 Guenther Deschner - 4.14.6-1 +- Build with pcp-pmda support by default on Fedora +- resolves: #1552276 + +* Tue Jul 13 2021 Guenther Deschner - 4.14.6-0 +- Update to Samba 4.14.6 +- resolves: #1981764 + +* Thu Jun 24 2021 Andreas Schneider - 4.14.5-3 +- Create a subpackage for vfs-io-uring + +* Fri Jun 04 2021 Python Maint - 2:4.14.5-1 +- Rebuilt for Python 3.10 + +* Tue Jun 01 2021 Guenther Deschner - 4.14.5-0 +- Update to Samba 4.14.5 +- resolves: #1966456 + +* Fri May 21 2021 Jitka Plesnikova - 2:4.14.4-3 +- Perl 5.34 rebuild + +* Wed May 19 2021 Pete Walter - 2:4.14.4-2 +- Rebuild for ICU 69 + +* Tue May 18 2021 Andreas Schneider - 4.14.4-1 +- Fixed building with gcc 11.x +- Fixed quota support + +* Thu Apr 29 2021 Guenther Deschner - 4.14.4-0 +- Update to Samba 4.14.4 +- resolves: #1949442, #1955027 - Security fixes for CVE-2021-20254 +- resolves: #1955011 + +* Wed Apr 28 2021 Anoop C S - 4.14.3-2 +- resolves: #1954263 - wrong conditional build check of AD DC + +* Tue Apr 20 2021 Andreas Schneider - 4.14.3-1 +- resolves: #1942378 - Drop NIS support + +* Tue Apr 20 2021 Guenther Deschner - 4.14.3-0 +- Update to Samba 4.14.3 +- resolves: #1951531 + +* Mon Apr 19 2021 Michal Ambroz - 4.14.2-4 + - Added python3-ldb to BR + +* Mon Apr 19 2021 Andreas Schneider - 4.12.2-3 +- resolves: #1949295 - Remove findsmb script + +* Wed Apr 14 2021 Richard W.M. Jones - 2:4.14.2-2 +- Rebuild for updated liburing. + +* Wed Apr 07 2021 Alexander Bokovoy - 4.14.2-1 +- Fix memory leaks in RPC server +- resolves: #1946950 + +* Thu Mar 25 2021 Guenther Deschner - 4.14.2-0 +- Update to Samba 4.14.2 +- related: #1941400, #1942496 - Security fixes for CVE-2020-27840 +- related: #1941402, #1942497 - Security fixes for CVE-2021-20277 + +* Wed Mar 24 2021 Guenther Deschner - 4.14.1-0 +- Update to Samba 4.14.1 +- resolves: #1941400, #1942496 - Security fixes for CVE-2020-27840 +- resolves: #1941402, #1942497 - Security fixes for CVE-2021-20277 + +* Tue Mar 09 2021 Guenther Deschner - 4.14.0-3 +- Update to Samba 4.14.0 + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 2:4.14.0-0.0.rc4.2 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Mon Mar 01 2021 Guenther Deschner - 4.14.0rc4-0 +- Update to Samba 4.14.0rc4 + +* Thu Feb 18 2021 Guenther Deschner - 4.14.0rc3-0 +- Update to Samba 4.14.0rc3 + +* Thu Feb 04 2021 Guenther Deschner - 4.14.0rc2-0 +- Update to Samba 4.14.0rc2 + +* Wed Jan 27 2021 Guenther Deschner - 4.14.0rc1-0 +- Update to Samba 4.14.0rc1 + +* Tue Jan 26 2021 Guenther Deschner - 4.13.4-0 +- Update to Samba 4.13.4 + +* Wed Dec 16 2020 Guenther Deschner - 4.13.3-1 +- Rebuild against krb5-1.19 +- Resolves: rhbz#1915928 + +* Tue Dec 15 2020 Guenther Deschner - 4.13.3-0 +- Update to Samba 4.13.3 + +* Wed Nov 25 2020 Alexander Bokovoy - 4.13.2-2 +- rhbz#1892745, rhbz#1900232: smbclient mget crashes (upstream bug 14517) +- Merge RHEL 8.4 patches: + - FIPS-related enhancements + - FreeIPA Global Catalog patches * Tue Nov 03 2020 Andreas Schneider - 4.13.2-1 -- resolves: #1878109 - Rebase Samba to version 4.13.2 -- resolves: #1872833 - Add samba-winexe subpackage -- resolves: #1891688 - Fix CVE-2020-14323 -- resolves: #1892633 - Fix CVE-2020-14318 -- resolves: #1892639 - Fix CVE-2020-14383 -- resolves: #1879835 - Fix CVE-2020-1472 -- resolves: #1888990 - Update smb.conf manpages to describe how to apply - config changes. -- resolves: #1869702 - Fix %U substitution for 'valid users' option -- resolves: #1818038 - Improve FIPS compliance +- Create a python3-samba-devel package to avoid unnessary dependencies -* Wed Aug 12 2020 Alexander Bokovoy - 4.12.3-12 -- resolves: #1868558 - cannot create a directory in home over SMB2, mkdirat returns EBADF +* Tue Nov 03 2020 Guenther Deschner - 4.13.2-0 +- Update to Samba 4.13.2 -* Wed Jul 22 2020 Andreas Schneider - 4.12.3-11 -- resolves: #1859277 - Allow a user to use gencache +* Thu Oct 29 2020 Guenther Deschner - 4.13.1-0 +- Update to Samba 4.13.1 +- resolves: #1892631, #1892634 - Security fixes for CVE-2020-14318 +- resolves: #1891685, #1892628 - Security fixes for CVE-2020-14323 +- resolves: #1892636, #1892640 - Security fixes for CVE-2020-14383 -* Wed Jul 15 2020 Isaac Boukris - 4.12.3-10 -- related: #1856315 - Fix net-ads-join with LDAP over TLS +* Mon Oct 26 2020 Andreas Schneider - 4.13.0-14 +- Fixed dbcheck running in a release tarball +- Updated internal resolv_wrapper copy to verison 1.1.7 -* Tue Jul 14 2020 Andreas Schneider - 4.12.3-9 -- related: #1817557 - Move DECRPC mdssvc data files to correct package -- resolves: #1856676 - Fix lookuprids in winbind +* Sun Oct 25 2020 Alexander Bokovoy - 4.13.0-13 +- Report 'samba' daemon status back to systemd +- Support dnspython 2.0.0 or later in samba_dnsupdate -* Mon Jul 13 2020 Isaac Boukris - 4.12.3-8 -- resolves: #1856315 - Fix net-ads-join with LDAP over TLS +* Thu Oct 22 2020 Alexander Bokovoy - 4.13.0-12 +- Add preliminary support for S4U operations in Samba AD DC + resolves: #1836630 - Samba DC: Remote Desktop cannot access files +- Fix lookup_unix_user_name to allow lookup of realm-qualified users and groups + required for upcoming FreeIPA Global Catalog support -* Fri Jul 10 2020 Andreas Schneider - 4.12.3-7 -- resolves: #1855711 - Fix 'require_membership_of' documentation in - pam_winbind manpage +* Tue Sep 22 2020 Guenther Deschner - 4.13.0-11 +- Update to Samba 4.13.0 -* Thu Jul 09 2020 Andreas Schneider - 4.12.3-6 -- related: #1842844 - Fix TLS connections with GnuTLS +* Fri Sep 18 2020 Guenther Deschner - 4.13.0rc6-10 +- Update to Samba 4.13.0rc6 +- resolves: #1879822, #1880703 - Security fixes for CVE-2020-1472 -* Wed Jul 01 2020 Andreas Schneider - 4.12.3-5 -- resolves: #1823612 - Fix segfault in 'net ads dns gethostbyname' -- resolves: #1792553 - Fix 'net ads join createcomputer=OU' +* Wed Sep 16 2020 Guenther Deschner - 4.13.0rc5-9 +- Update to Samba 4.13.0rc5 -* Fri Jun 26 2020 Isaac Boukris - 4.12.3-4 -- resolves: #1850980 - Add "additional dns hostname" to keytab -- resolves: #1850981 - Add net-ads-join dnshostname=fqdn option +* Mon Sep 07 2020 Guenther Deschner - 4.13.0rc4-8 +- Update to Samba 4.13.0rc4 -* Fri Jun 19 2020 Andreas Schneider - 4.12.3-1 -- resolves: #1666737 - Add a new smbc_readdirplus2() function to libsmbclient -- resolves: #1842844 - Fix GnuTLS priority list for TLS connections +* Fri Aug 28 2020 Neal Gompa - 4.13.0rc3-6 +- Enable winexe by default everywhere -* Tue Jun 02 2020 Andreas Schneider - 4.12.3-0 -- resolves: #1817557 - Rebase to version 4.12.3 -- resolves: #1813833 - Fix 'net ads join createupn=' +* Fri Aug 28 2020 Guenther Deschner - 4.13.0rc3-5 +- Update to Samba 4.13.0rc3 -* Fri May 29 2020 Alexander Bokovoy - 4.11.2-14 -- Rebuild with krb5 1.18 -- Resolves: #1817578 - support krb5 1.18 +* Fri Aug 14 2020 Guenther Deschner - 4.13.0rc2-4 +- Update to Samba 4.13.0rc2 -* Thu Feb 13 2020 Isaac Boukris - 4.11.2-13 -- resolves: #1802182 - Fix join using netbios name +* Wed Aug 12 2020 Andreas Schneider - 4.13.0rc1-3 +- resolves: #1865831 - Add missing /usr/lib64/samba/krb5 directory +- resolves: #1866989 - Remove obsolete python3-crypto dependency -* Wed Jan 29 2020 Andreas Schneider - 4.11.2-12 -- related: #1781232 - Improve debug output of smbclient -- resolves: #1794461 - Do not return bogus inode numbers in - cli_qpathinfo2()/cli_qpathinfo3() for SMB1 -- resolves: #1794442 - Fix segfault in smbd_do_qfilepathinfo() +* Wed Jul 29 2020 Fedora Release Engineering - 2:4.13.0-0.2.rc1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild -* Thu Jan 23 2020 Isaac Boukris - 4.11.2-11 -- resolves: #1778130 - Remove usage of DES encryption types in krb5 +* Tue Jul 14 2020 Tom Stellard - 2:4.13.0-0.2.rc1 +- Use make macros + https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro -* Fri Jan 17 2020 Alexander Bokovoy - 4.11.2-10 -- resolves: #1790353 - Fix access check in DsRGetForestTrustInformation -- resolves: #1791209 - Fix CVE-2019-14907 +* Tue Jul 14 2020 Andreas Schneider - 4.13.0rc1-1 +- Move mdssvc data files to correct package -* Fri Jan 10 2020 Andreas Schneider - 4.11.2-9 -- resolves: #1785134 - Fix libwbclient manual alternative settings +* Thu Jul 09 2020 Guenther Deschner - 4.13.0rc1-0 +- Update to Samba 4.13.0rc1 -* Fri Jan 10 2020 Andreas Schneider - 4.11.2-8 -- resolves: #1781232 - Fix smbclient debug message +* Wed Jul 08 2020 Merlin Mathesius - 4.12.5-1 +- Remove nonexistent --without-winexe option from configure -* Thu Dec 12 2019 Andreas Schneider - 4.11.2-7 -- related: #1637861 - Fix trust creation if weak crypto is disallowed +* Thu Jul 02 2020 Guenther Deschner - 4.12.5-0 +- Update to Samba 4.12.5 -* Tue Dec 10 2019 Andreas Schneider - 4.11.2-6 -- resolves: #1637861 - Use GnuTLS for crypto +* Thu Jul 02 2020 Guenther Deschner - 4.12.4-0 +- Update to Samba 4.12.4 +- resolves: #1849489, #1853255 - Security fixes for CVE-2020-10730 +- resolves: #1849491, #1853256 - Security fixes for CVE-2020-10745 +- resolves: #1849509, #1853276 - Security fixes for CVE-2020-10760 +- resolves: #1851298, #1853259 - Security fixes for CVE-2020-14303 -* Thu Dec 05 2019 Andreas Schneider - 4.11.2-4 -- related: #1754409 - Add patch to avoid overlinking with libnsl and libsocket -- related: #1754409 - Fix permissions for pidl -- related: #1754409 - Fix logrotate script -- related: #1754409 - Add missing README files +* Sat Jun 27 2020 Jitka Plesnikova - 2:4.12.3-1.1 +- Perl 5.32 re-rebuild updated packages -* Mon Dec 02 2019 Andreas Schneider - 4.11.2-3 -- related: #1754409 - Fix pidl packaging +* Thu Jun 25 2020 Guenther Deschner - 4.12.3-1 +- Add BuildRequires for python3-setuptools -* Fri Nov 29 2019 Andreas Schneider - 4.11.2-1 -- resolves: #1754409 - Rebase to Samba version 4.11.2 -- resolves: #1776312 - Winbind is not restarted on upgrade -- resolves: #1764469 - Fix CVE-2019-10218 -- resolves: #1746241 - Fix CVE-2019-10197 -- resolves: #1710980 - Add support for KCM ccache in pam_winbind +* Thu Jun 25 2020 Jitka Plesnikova - 2:4.12.3-0.4 +- Perl 5.32 rebuild -* Wed Oct 23 2019 Andreas Schneider - 4.10.4-101 -- related: #1760824 - Removed additional issues with overlinking +* Tue May 26 2020 Miro Hrončok - 2:4.12.3-0.3 +- Rebuilt for Python 3.9 -* Fri Oct 11 2019 Andreas Schneider - 4.10.4-100 -- resolves: #1754575 - Avoid overlinking with librt and libpthread -- resolves: #1755440 - Fix forest trusts enumeration -- resolves: #1755445 - Fix CUPS username/password authentication with smbspool +* Tue May 19 2020 Guenther Deschner - 4.12.3-0 +- Update to Samba 4.12.3 -* Wed Jun 19 2019 Andreas Schneider - 4.10.4-1 -- resolves: #1712378 - Fix smbspool CUPS backend -- resolves: #1696612 - Fix 'net ads join -U admin@parentdomain' +* Fri May 15 2020 Pete Walter - 2:4.12.2-1.2 +- Rebuild for ICU 67 -* Thu May 23 2019 Andreas Schneider - 4.10.4-0 -- related: #1638001 - Rebase to Samba version 4.10.4 -- resolves: #1597298 - Build Samba with python3 -- resolves: #1658558 - Add 'net ads leave --keep-account' option -- resolves: #1669004 - Fix systemd status notifications -- resolves: #1672167 - Fix printing cache timeout in debug output -- resolves: #1696525 - Fix CVE-2019-3880 +* Wed May 13 2020 Guenther Deschner - 4.12.2-1 +- Add support for building the new experimental io_uring VFS module -* Fri May 17 2019 Andreas Schneider - 4.10.3-0 -- related: #1638001 - Rebase to Samba version 4.10.3 +* Tue Apr 28 2020 Guenther Deschner - 4.12.2-0 +- Update to Samba 4.12.2 +- resolves: #1825731, #1828870 - Security fixes for CVE-2020-10700 +- resolves: #1825734, #1828872 - Security fixes for CVE-2020-10704 -* Fri May 10 2019 Andreas Schneider - 4.10.2-1 -- related: #1638001 - Fix package upgrades +* Sun Apr 12 2020 Alexander Bokovoy - 4.12.1-1 +- Revert POSIX stat tuning in libsmbclient +- Resolves: rhbz#1801442 -* Mon May 06 2019 Andreas Schneider - 4.10.2-0 -- resolves: #1638001 - Rebase Samba to version 4.10 +* Tue Apr 07 2020 Guenther Deschner - 4.12.1-0 +- Update to Samba 4.12.1 -* Thu Jan 03 2019 Andreas Schneider - 4.9.1-8 -- resolves: #1663421 - Fix perl interpreter dependencies +* Sat Mar 21 2020 Alexander Bokovoy - 4.12.0-6 +- Fix samba_requires_eq macro definition +- Resolves rhbz#1815739 -* Wed Dec 19 2018 Andreas Schneider - 4.9.1-7 -- resolves: #1658690 - Add smbc_setOptionProtocols() -- resolves: #1658678 - Fix spoolss client operations against Windows +* Tue Mar 10 2020 Guenther Deschner - 4.12.0-5 +- Add build requirement for perl-FindBin +- resolves: #1661213 - Add winexe subpackage for remote windows command execution -* Mon Dec 10 2018 Andreas Schneider - 4.9.1-6 -- resolves: #1642092 - Harden [homes] share export -- resolves: #1648846 - Fix out of bound array access in ctdb -- resolves: #1657266 - Fix tmp directory creation in /run +* Tue Mar 03 2020 Guenther Deschner - 4.12.0-3 +- Update to Samba 4.12.0 -* Fri Nov 09 2018 Andreas Schneider - 4.9.1-5 -- resolves: #1644327 - Segfault if wrong 'passdb backend' is configured -- resolves: #1647959 - Segfault in the debug system with hardended build +* Wed Feb 26 2020 Guenther Deschner - 4.12.0rc4-2 +- Update to Samba 4.12.0rc4 -* Fri Sep 28 2018 Andreas Schneider - 4.9.1-4 -- related: #1614232 - Fix some spec file issues detected by rpmdiff +* Wed Feb 19 2020 Guenther Deschner - 4.12.0rc3-2 +- Update to Samba 4.12.0rc3 -* Wed Sep 26 2018 Alexander Bokovoy - 4.9.1-3 -- Temporarily remove smbtorture from samba-test due to Python 2 linkage -- related: #1609661 - samba-test package cannot be installed due to unresolved dependencies +* Tue Feb 04 2020 Guenther Deschner - 4.12.0rc2-2 +- Update to Samba 4.12.0rc2 -* Wed Sep 26 2018 Andreas Schneider - 4.9.1-2 -- related: #1614232 - Add CTDB examples with a config migration script +* Thu Jan 30 2020 Fedora Release Engineering - 2:4.12.0-0.1.rc1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild -* Tue Sep 25 2018 Andreas Schneider - 4.9.1-1 -- resolves: #1614232 - Update to Samba 4.9.1 +* Fri Jan 24 2020 Alexander Bokovoy - 4.12.0.rc1-1 +- Allow building against krb5 1.18 beta and require it for Rawhide + +* Wed Jan 22 2020 Guenther Deschner - 4.12.0rc1-0 +- Update to Samba 4.12.0rc1 + +* Tue Jan 21 2020 Guenther Deschner - 4.11.5-0 +- Update to Samba 4.11.5 +- resolves: #1791201, #1793405 - Security fixes for CVE-2019-14902 +- resolves: #1791207, #1793407 - Security fixes for CVE-2019-14907 +- resolves: #1791204, #1793406 - Security fixes for CVE-2019-19344 + +* Mon Dec 16 2019 Guenther Deschner - 4.11.4-0 +- Update to Samba 4.11.4 + +* Tue Dec 10 2019 Guenther Deschner - 4.11.3-0 +- Update to Samba 4.11.3 +- resolves: #1778586, #1781542 - Security fixes for CVE-2019-14861 +- resolves: #1778589, #1781545 - Security fixes for CVE-2019-14870 + +* Thu Dec 05 2019 Andreas Schneider - 4.11.2-2 +- Restart winbindd on samba-winbind package upgrade + +* Wed Nov 06 2019 Alexander Bokovoy - 4.11.2-1 +- Update DES removal patch + +* Tue Oct 29 2019 Guenther Deschner - 4.11.2-0 +- Update to Samba 4.11.2 +- resolves: #1763137, #1766558 - Security fixes for CVE-2019-10218 +- resolves: #1764126, #1766559 - Security fixes for CVE-2019-14833 + +* Sun Oct 27 2019 Alexander Bokovoy - 4.11.1-1 +- resolves: #1757071 - Deploy new samba DC fails + +* Fri Oct 18 2019 Guenther Deschner - 4.11.1-0 +- Update to Samba 4.11.1 + +* Tue Sep 17 2019 Guenther Deschner - 4.11.0-3 +- Update to Samba 4.11.0 + +* Wed Sep 11 2019 Guenther Deschner - 4.11.0rc4-2 +- Update to Samba 4.11.0rc4 + +* Tue Sep 03 2019 Guenther Deschner - 4.11.0rc3-2 +- Update to Samba 4.11.0rc3 +- resolves: #1746225, #1748308 - Security fixes for CVE-2019-10197 + +* Tue Aug 27 2019 Guenther Deschner - 4.11.0rc2-2 +- resolves: #1746014 - re-add pidl + +* Mon Aug 26 2019 Lubomir Rintel - 2:4.11.0-0.1.rc2 +- Move the NetworkManager dispatcher script out of /etc + +* Wed Aug 21 2019 Guenther Deschner - 4.11.0rc2-0 +- Update to Samba 4.11.0rc2 + +* Tue Aug 20 2019 Guenther Deschner - 4.11.0rc1-0 +- Update to Samba 4.11.0rc1 + +* Mon Aug 19 2019 Miro Hrončok - 2:4.10.6-1.1 +- Rebuilt for Python 3.8 + +* Fri Aug 16 2019 Alexander Bokovoy - 2:4.10.6-1 +- Fix Samba bug https://bugzilla.samba.org/show_bug.cgi?id=14091 +- Fixes: Windows systems cannot resolve IPA users and groups over LSA RPC + +* Fri Jul 26 2019 Fedora Release Engineering - 2:4.10.6-0.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Jul 08 2019 Guenther Deschner - 4.10.6-0 +- Update to Samba 4.10.6 + +* Mon Jul 01 2019 Guenther Deschner - 4.10.5-2 +- resolves: #1718113 - Avoid deprecated time.clock in wafsamba +- resolves: #1711638 - Update to latest waf version 2.0.17 + +* Thu Jun 20 2019 Guenther Deschner - 4.10.5-1 +- resolves: #1602824 - Make vfs_fruit operable with other remote VFS modules +- resolves: #1716455 - Avoid pathconf() in get_real_filename() VFS calls +- resolves: #1706090, #1700791 - Fix smbspool + +* Wed Jun 19 2019 Guenther Deschner - 4.10.5-0 +- Update to Samba 4.10.5 +- resolves: #1711816, #1721872 - Security fixes for CVE-2019-12435 +- resolves: #1711837, #1721873 - Security fixes for CVE-2019-12436 + +* Fri May 31 2019 Jitka Plesnikova - 2:4.10.4-1.1 +- Perl 5.30 rebuild + +* Tue May 28 2019 Guenther Deschner - 4.10.4-1 +- Add missing ctdb directories +- resolves: #1656777 + +* Wed May 22 2019 Guenther Deschner - 4.10.4-0 +- Update to Samba 4.10.4 + +* Tue May 14 2019 Guenther Deschner - 4.10.3-0 +- Update to Samba 4.10.3 +- resolves: #1705877, #1709679 - Security fixes for CVE-2018-16860 + +* Mon Apr 15 2019 Andreas Schneider - 4.10.2-1 +- resolves: #1699230 - Rebuild for MIT Kerberos soname bump of libkadm5srv + +* Mon Apr 08 2019 Guenther Deschner - 4.10.2-0 +- Update to Samba 4.10.2 +- resolves: #1689010, #1697718 - Security fixes for CVE-2019-3870 +- resolves: #1691518, #1697717 - Security fixes for CVE-2019-3880 + +* Wed Apr 03 2019 Guenther Deschner - 4.10.1-0 +- Update to Samba 4.10.1 + +* Mon Mar 25 2019 Andreas Schneider - 4.10.0-6 +- resolves: #1692347 - Add missing DC requirement for its python3 tools + +* Wed Mar 20 2019 Guenther Deschner - 4.10.0-5 +- Fix build failure (duplication during install) + +* Tue Mar 19 2019 Guenther Deschner - 4.10.0-4 +- Update to Samba 4.10.0 + +* Wed Mar 06 2019 Guenther Deschner - 4.10.0rc4-2 +- Update to Samba 4.10.0rc4 + +* Fri Feb 22 2019 Guenther Deschner - 4.10.0rc3-2 +- Update to Samba 4.10.0rc3 + +* Sun Feb 17 2019 Igor Gnatenko - 2:4.10.0-0.2.rc2.1 +- Rebuild for readline 8.0 + +* Thu Feb 14 2019 Andreas Schneider - 4.10.0rc2-2 +- resolves: #1672231 - Fix public NDR API + +* Tue Feb 12 2019 Guenther Deschner - 4.10.0rc2-1 +- resolves: #1674547 - Move samba.xattr modules out of python3 test package + +* Wed Feb 06 2019 Guenther Deschner - 4.10.0rc2-0 +- Update to Samba 4.10.0rc2 + +* Tue Jan 15 2019 Guenther Deschner - 4.10.0rc1-0 +- Update to Samba 4.10.0rc1 + +* Mon Jan 14 2019 Björn Esser - 2:4.9.4-0.1 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Thu Dec 20 2018 Guenther Deschner - 4.9.4-0 +- Update to Samba 4.9.4 + +* Tue Nov 27 2018 Guenther Deschner - 4.9.3-0 +- Update to Samba 4.9.3 +- resolves: #1625449, #1654078 - Security fixes for CVE-2018-14629 +- resolves: #1642545, #1654082 - Security fixes for CVE-2018-16841 +- resolves: #1646377, #1654091 - Security fixes for CVE-2018-16851 +- resolves: #1646386, #1654092 - Security fixes for CVE-2018-16852 +- resolves: #1647246, #1654093 - Security fixes for CVE-2018-16853 +- resolves: #1649278, #1654095 - Security fixes for CVE-2018-16857 + +* Thu Nov 08 2018 Guenther Deschner - 4.9.2-0 +- Update to Samba 4.9.2 + +* Wed Sep 26 2018 Alexander Bokovoy - 4.9.1-2 +- Package ctdb/doc/examples + +* Mon Sep 24 2018 Andreas Schneider - 4.9.1-1 +- Update to Samba 4.9.1 + +* Thu Sep 13 2018 Guenther Deschner - 4.9.0-4 +- Update to Samba 4.9.0 * Thu Sep 06 2018 Andreas Schneider - 4.9.0rc5-3 -- related: #1614232 - Update to Samba 4.9.0rc5 -- resolves: #1610909 - Re-enable glubsterfs vfs module -- resolves: #1624170 - Build with -fstack-protectore-strong if available -- resolves: #1602685 - Fixed issues found by covscan +- Update to Samba 4.9.0rc5 -* Fri Aug 17 2018 Andreas Schneider - 4.9.0rc3-3 -- related: #1614232 - Update to Samba 4.9.0rc3 -- resolves: #1554753 - Fix CVE-2018-1050 -- resolves: #1617912 - Fix CVE-2018-10858 -- resolves: #1617913 - Fix CVE-2018-10918 -- resolves: #1617914 - Fix CVE-2018-10919 -- resolves: #1617915 - Fix CVE-2018-1139 -- resolves: #1612522 - Manpage fixes +* Wed Aug 29 2018 Guenther Deschner - 4.9.0rc4-3 +- Update to Samba 4.9.0rc4 + +* Thu Aug 16 2018 Andreas Schneider - 4.9.0rc3-3 +- Fix python3 packaging + +* Wed Aug 15 2018 Guenther Deschner - 4.9.0rc3-2 +- Update to Samba 4.9.0rc3 +- resolves: #1589651, #1617916 - Security fixes for CVE-2018-1139 +- resolves: #1580230, #1618613 - Security fixes for CVE-2018-1140 +- resolves: #1612805, #1618697 - Security fixes for CVE-2018-10858 +- resolves: #1610640, #1617910 - Security fixes for CVE-2018-10918 +- resolves: #1610645, #1617911 - Security fixes for CVE-2018-10919 * Wed Aug 01 2018 Andreas Schneider - 4.9.0rc2-2 +- Add some spec file cleanups + +* Wed Aug 01 2018 Guenther Deschner - 4.9.0rc2-0 - Update to Samba 4.9.0rc2 -* Fri Jul 27 2018 Alexander Bokovoy - 4.9.0rc1-2 -- Do not package Python 2 artefacts by default - -* Sat Jul 21 2018 Alexander Bokovoy - 4.9.0rc1-1 -- Don't build dns and dsdb-related modules without AD DC - -* Fri Jul 13 2018 Guenther Deschner - 4.9.0rc1-0 +* Thu Jul 12 2018 Guenther Deschner - 4.9.0rc1-0 - Update to Samba 4.9.0rc1 -* Mon Jul 02 2018 Petr Viktorin - 4.8.3-2 -- Use %%{__python2}, not "python", as the Python2 interpreter -- Add workaround to allow building with Python 2 -- Change unversioned python macros to python2 -- Disable gluster temporarily +* Thu Jul 12 2018 Alexander Bokovoy - 2:4.8.3-4.1 +- Scope to local __bss_start symbol (typo in a patch) +- Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1600035 + +* Thu Jul 12 2018 Alexander Bokovoy - 2:4.8.3-4 +- Change scope to local for symbols automatically added by upcoming binutils 2.31 +- Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1600035 + +* Wed Jul 11 2018 Alexander Bokovoy - 2:4.8.3-3 +- Rebuild Samba against binutils 2.30.90-2.fc29 +- Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1600035 +- Add explicit BuildRequires for gcc + +* Fri Jul 06 2018 Petr Pisar +- Perl 5.28 rebuild + +* Thu Jul 05 2018 Alexander Bokovoy - 2:4.8.3-2 +- Fix rawhide build by explicitly using /usr/bin/python2 + +* Tue Jul 03 2018 Petr Pisar +- Perl 5.28 rebuild + +* Mon Jul 02 2018 Miro Hrončok - 2:4.8.3-1.2 +- Rebuilt for Python 3.7 + +* Thu Jun 28 2018 Jitka Plesnikova - 2:4.8.3-1.1 +- Perl 5.28 rebuild * Tue Jun 26 2018 Andreas Schneider - 4.8.3-1 - Update to Samba 4.8.3 @@ -7082,3 +7117,4 @@ fi - Added smbadduser command (missed from all previous RPMs) - Doooh! - Added smbuser file and smb.conf file updates for username map +## END: Generated by rpmautospec diff --git a/SOURCES/smb.conf.example b/smb.conf.example similarity index 100% rename from SOURCES/smb.conf.example rename to smb.conf.example diff --git a/SOURCES/smb.conf.vendor b/smb.conf.vendor similarity index 100% rename from SOURCES/smb.conf.vendor rename to smb.conf.vendor diff --git a/sources b/sources new file mode 100644 index 0000000..414e829 --- /dev/null +++ b/sources @@ -0,0 +1,2 @@ +SHA512 (samba-4.21.3.tar.xz) = 62eb3bfe1aa1cc8aa68055d4caf21bdea6d6f5b0f767566bef1da210100b5dd17b7d60f5c47da01b0123d3a2c1c3689b1960ef2c2cbd4f804ff998ead994fc3f +SHA512 (samba-pubkey_AA99442FB680B620.gpg) = 4a13414888fae9776a8edfb629e7002689f01cc482df9686c91eaec793b5e2afa2e1afe6ffeb424093a12259594676d40b4343e844a00499888840f7fe96a199 diff --git a/SOURCES/usershares.conf.vendor b/usershares.conf.vendor similarity index 100% rename from SOURCES/usershares.conf.vendor rename to usershares.conf.vendor