libdnsserver-common-samba4.so is already getting packaged in samba-libs
sub-package (see 68140d413f) and
samba-dc-libs pulls in samba-libs. Therefore removing it from samba-dc-libs.

Commit cc8c80c04b removed the following
PyDSDB library files from buildroot:
* /usr/lib64/python3.9/site-packages/samba/dsdb.cpython-39-x86_64-linux-gnu.so
* /usr/lib64/python3.9/site-packages/samba/dsdb_dns.cpython-39-x86_64-linux-gnu.so
This was done under the impression that their dependency on
libdnsserver-common-samba4.so was not built in a non AD DC
environment. But in reality it was also conditionally removed
from the buildroot.
Apart from including PyDSDB back into python3-samba, we avoid removing
libdnsserver-common-samba4.so from buildroot and subsequently include it
in samba-libs to satisfy all dependencies. Additionally we remove PyDSDB
listing from %files section of python3-samba-dc sub-package.

The following library files are built without AD DC but have a dependency on
other components which are only available with DC:
/usr/lib64/python3.9/site-packages/samba/dsdb.cpython-39-x86_64-linux-gnu.so
/usr/lib64/python3.9/site-packages/samba/dsdb_dns.cpython-39-x86_64-linux-gnu.so
Therefore we remove those from buildroot.
resolves: #1991353

These patches are part of https://gitlab.com/samba-redhat/samba/-/tree/v4-13-redhat
[PATCH 001/105] libcli:smb2: Do not leak ptext on error
[PATCH 002/105] libcli:smb2: Use talloc NULL context if we don't have
[PATCH 003/105] auth:creds: Introduce CRED_SMB_CONF
[PATCH 004/105] param: Add 'server smb encrypt' parameter
[PATCH 005/105] param: Create and use enum_smb_encryption_vals
[PATCH 006/105] s3:smbd: Use 'enum smb_encryption_setting' values
[PATCH 007/105] docs-xml: Add 'client smb encrypt'
[PATCH 008/105] lib:param: Add lpcfg_parse_enum_vals()
[PATCH 009/105] libcli:smb: Add smb_signing_setting_translate()
[PATCH 010/105] libcli:smb: Add smb_encryption_setting_translate()
[PATCH 011/105] s3:lib: Use smb_signing_setting_translate for cmdline
[PATCH 012/105] auth:creds: Remove unused credentials autoproto
[PATCH 013/105] auth:creds: Add
[PATCH 014/105] auth:creds: Add python bindings for
[PATCH 015/105] auth:creds: Add
[PATCH 016/105] auth:creds: Add python bindings for
[PATCH 017/105] auth:creds: Add
[PATCH 018/105] auth:creds: Add python bindings for
[PATCH 019/105] auth:creds: Add python bindings for
[PATCH 020/105] auth:creds: Bump library version
[PATCH 021/105] s3:lib: Use cli_credential_(get|set)_smb_signing()
[PATCH 022/105] s3:lib: Set smb encryption also via cli creds API
[PATCH 023/105] python: Remove unused sign argument from
[PATCH 024/105] python: Set smb signing via the creds API
[PATCH 025/105] s3:libsmb: Introduce CLI_FULL_CONNECTION_IPC
[PATCH 026/105] s3:pylibsmb: Add ipc=True support for
[PATCH 027/105] python:tests: Mark libsmb connection as an IPC
[PATCH 028/105] python:tests: Set smb ipc signing via the creds API
[PATCH 029/105] s3:libsmb: Use 'enum smb_signing_setting' in
[PATCH 030/105] s3:client: Turn off smb signing for message op
[PATCH 031/105] s3:libsmb: Remove signing_state from
[PATCH 032/105] s3:libsmb: Remove signing_state from
[PATCH 033/105] s3:libsmb: Add encryption support to
[PATCH 034/105] python: Add a test for SMB encryption
[PATCH 035/105] s3:net: Use cli_credentials_set_smb_encryption()
[PATCH 036/105] s3:libsmb: Use cli_credentials_set_smb_encryption()
[PATCH 037/105] s3:client: Remove unused smb encryption code
[PATCH 038/105] s3:utils: Remove obsolete force encryption from
[PATCH 039/105] s3:utils: Remove obsolete force encryption from
[PATCH 040/105] s3:utils: Remove obsolete force encryption from
[PATCH 041/105] s3:rpcclient: Remove obsolete force encryption from
[PATCH 042/105] examples: Remove obsolete force encryption from
[PATCH 043/105] s3:libsmb: Make cli_cm_force_encryption_creds()
[PATCH 044/105] s4:libcli: Return NTSTATUS errors for
[PATCH 045/105] s4:libcli: Return if encryption is requested for SMB1
[PATCH 046/105] s3:libcli: Split out smb2_connect_tcon_start()
[PATCH 047/105] s4:libcli: Add smb2_connect_enc_start()
[PATCH 048/105] s4:libcli: Require signing for SMB encryption
[PATCH 049/105] python:tests: Add test for SMB encrypted DCERPC
[PATCH 050/105] auth:gensec: Add gensec_security_sasl_names()
[PATCH 051/105] s4:ldap_server: Use samba_server_gensec_start() in
[PATCH 052/105] auth:gensec: Make gensec_use_kerberos_mechs() a
[PATCH 053/105] auth:gensec: Pass use_kerberos and keep_schannel to
[PATCH 054/105] auth:gensec: If Kerberos is required, keep schannel
[PATCH 055/105] auth:creds: Add cli_credentials_init_server()
[PATCH 056/105] s4:rpc_server: Use cli_credentials_init_server()
[PATCH 057/105] s4:smb_server: Use cli_credentials_init_server() for
[PATCH 058/105] selftest: Rename 'smb encrypt' to 'server smb
[PATCH 059/105] selftest: Move enc_desired to provision to have it in
[PATCH 060/105] s3:tests: Add smbclient tests for 'client smb
[PATCH 061/105] s3:client: Remove global smb_encrypt
[PATCH 062/105] s3:libsmb: Remove force_encrypt from cli_cm_open()
[PATCH 063/105] s3:libsmb: Remove force_encrypt from cli_cm_connect()
[PATCH 064/105] s3:libsmb: Remove force_encrypt from clidfs
[PATCH 065/105] s3:libsmb: Remove force_encrypt from
[PATCH 066/105] s3:libsmb: Pass cli_credentials to clidfs
[PATCH 067/105] s3:libsmb: Pass cli_credentials to cli_cm_connect()
[PATCH 068/105] s3:libsmb: Pass cli_credentials to cli_cm_open()
[PATCH 069/105] s3:libsmb: Pass cli_credentials to
[PATCH 070/105] s3:client: Remove global max_protocol
[PATCH 071/105] s3:libsmb: Remove max_protocol from cli_cm_open()
[PATCH 072/105] s3:libcmb: Remove max_protocol from cli_cm_connect()
[PATCH 073/105] s3:libsmb: Remove max_protocol from clidfs
[PATCH 074/105] s3:include: Move loadparm prototypes to own header
[PATCH 075/105] s3:lib: Move interface prototypes to own header file
[PATCH 076/105] idl: Add SID_SAMBA_SMB3
[PATCH 077/105] s3:smbd: Add SMB3 connection information to session
[PATCH 078/105] librpc: Add dcerpc helper
[PATCH 079/105] s3:smbd: Use defines to set 'srv_smb_encrypt'
[PATCH 080/105] s3:rpc_server: Allow to use RC4 for setting passwords
[PATCH 081/105] s4:rpc_server: Allow to use RC4 for setting passwords
[PATCH 082/105] lib:crypto: Add py binding for set_relax/strict fips
[PATCH 083/105] s4:param: Add 'weak crypto' getter to pyparam
[PATCH 084/105] python:tests: Add SAMR password change tests for fips
[PATCH 085/105] python:tests: Add SAMR password change tests for fips
[PATCH 086/105] auth:creds: Rename CRED_USE_KERBEROS values
[PATCH 087/105] auth:creds:tests: Migrate test to a cmocka unit test
[PATCH 088/105] s3-vfs_glusterfs: always disable write-behind
[PATCH 089/105] Add smb2cli_session_get_encryption_cipher()
[PATCH 090/105] Add dcerpc_transport_encrypted()
[PATCH 091/105] Add py binding for dcerpc_transport_encrypted
[PATCH 092/105] selftest: add a test for py dce transport_encrypted
[PATCH 093/105] Add CreateTrustedDomainRelax wrapper for fips mode
[PATCH 094/105] Use the new CreateTrustedDomainRelax()
[PATCH 095/105] selftest: add a test for the CreateTrustedDomainRelax
[PATCH 096/105] Remove source4/scripting/devel/createtrust script
[PATCH 097/105] s3:rpc_server: Use gnutls_cipher_decrypt() in
[PATCH 098/105] s4:rpc_server: Use gnutls_cipher_decrypt() in
[PATCH 099/105] s3:rpc_server: Allow to use RC4 for creating trusts
[PATCH 100/105] s4:rpc_server: Allow to use RC4 for creating trusts
[PATCH 101/105] sefltest: Enable the dcerpc.createtrustrelax test
[PATCH 102/105] s3: spoolss: Make parameters in call to
[PATCH 103/105] s3:smbd: Fix possible null pointer dereference in
[PATCH 104/105] lookup_name: allow lookup names prefixed with DNS
[PATCH 105/105] auth_sam: use pdb_get_domain_info to look up DNS

When DES encryption is not supported in MIT Kerberos, deployment of
Samba AD DC fails with
"ERROR(ldb): uncaught exception - setup_kerberos_keys: generation of a
des-cbc-md5 key failed: Bad encryption type"
Fix it by not using DES encryption types in MIT build.
Resolves: #1757071

MIT Kerberos did remove support for DES. Without removing DES from the
default encryption types list we cannot proceed with Samba AD DC
creation.

Convert internal DES implementation to use GnuTLS instead.