11 changed files with 520 additions and 1476 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/samba-4.18.6.tar.xz
+SOURCES/samba-4.19.4.tar.xz
 SOURCES/samba-pubkey_AA99442FB680B620.gpg
--- a/.samba.metadata
+++ b/.samba.metadata
@ -1,2 +0,0 @@
-12b41f2a849cb6c40e9f5b174bb1cd823a060bd7 SOURCES/samba-4.18.6.tar.xz
-971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg
--- a/SOURCES/CVE-2023-3961.patch
+++ b/SOURCES/CVE-2023-3961.patch
@ -1,45 +0,0 @@
-From ae476e1c28b797fe221172ed1066bf8efa476d8d Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 25 Jul 2023 17:41:04 -0700
-Subject: [PATCH] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
- could exit socket_dir.
-
-For now, SMB_ASSERT() to exit the server. We will remove
-this once the test code is in place.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
---
- source3/rpc_client/local_np.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
-index 0e912d0e35a..dfed7e7beb6 100644
--- a/source3/rpc_client/local_np.c
-+++ b/source3/rpc_client/local_np.c
-@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
- 		return tevent_req_post(req, ev);
- 	}
- 
-+	/*
-+	 * Ensure we cannot process a path that exits
-+	 * the socket_dir.
-+	 */
-+	if (ISDOTDOT(lower_case_pipename) ||
-+	    (strchr(lower_case_pipename, '/')!=NULL))
-+	{
-+		DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
-+			lower_case_pipename);
-+		/*
-+		 * For now, panic the server until we have
-+		 * the test code in place.
-+		 */
-+		SMB_ASSERT(false);
-+		tevent_req_error(req, ENOENT);
-+		return tevent_req_post(req, ev);
-+	}
-+
- 	state->socketpath = talloc_asprintf(
- 		state, "%s/np/%s", socket_dir, lower_case_pipename);
- 	if (tevent_req_nomem(state->socketpath, req)) {
--- a/SOURCES/CVE-2023-4091.patch
+++ b/SOURCES/CVE-2023-4091.patch
@ -1,183 +0,0 @@
-From b1fd65694185c26f1e196d84ee8756300e631bd5 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 1 Aug 2023 12:30:00 +0200
-Subject: [PATCH] CVE-2023-4091: smbtorture: test overwrite dispositions on
- read-only file
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
- selftest/knownfail.d/samba3.smb2.acls |   1 +
- source4/torture/smb2/acls.c           | 143 ++++++++++++++++++++++++++
- 2 files changed, 144 insertions(+)
- create mode 100644 selftest/knownfail.d/samba3.smb2.acls
-
-diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
-new file mode 100644
-index 00000000000..18df260c0e5
--- /dev/null
-+++ b/selftest/knownfail.d/samba3.smb2.acls
-@@ -0,0 +1 @@
-+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
-diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
-index bbf201bcf4b..53f482c5541 100644
--- a/source4/torture/smb2/acls.c
-+++ b/source4/torture/smb2/acls.c
-@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
- 	return ret;
- }
- 
-+static bool test_overwrite_read_only_file(struct torture_context *tctx,
-+					  struct smb2_tree *tree)
-+{
-+	NTSTATUS status;
-+	struct smb2_create c;
-+	const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
-+	struct smb2_handle handle = {{0}};
-+	union smb_fileinfo q;
-+	union smb_setfileinfo set;
-+	struct security_descriptor *sd = NULL, *sd_orig = NULL;
-+	const char *owner_sid = NULL;
-+	int i;
-+	bool ret = true;
-+
-+	struct tcase {
-+		int disposition;
-+		const char *disposition_string;
-+		NTSTATUS expected_status;
-+	} tcases[] = {
-+#define TCASE(d, s) {				\
-+		.disposition = d,		\
-+		.disposition_string = #d,	\
-+		.expected_status = s,		\
-+	}
-+		TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
-+		TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
-+		TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
-+		TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
-+	};
-+#undef TCASE
-+
-+	ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
-+	torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
-+
-+	c = (struct smb2_create) {
-+		.in.desired_access = SEC_STD_READ_CONTROL |
-+			SEC_STD_WRITE_DAC |
-+			SEC_STD_WRITE_OWNER,
-+		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
-+		.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
-+			NTCREATEX_SHARE_ACCESS_WRITE,
-+		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
-+		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
-+		.in.fname = fname,
-+	};
-+
-+	status = smb2_create(tree, tctx, &c);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_create failed\n");
-+	handle = c.out.file.handle;
-+
-+	torture_comment(tctx, "get the original sd\n");
-+
-+	ZERO_STRUCT(q);
-+	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
-+	q.query_secdesc.in.file.handle = handle;
-+	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
-+
-+	status = smb2_getinfo_file(tree, tctx, &q);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_getinfo_file failed\n");
-+	sd_orig = q.query_secdesc.out.sd;
-+
-+	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
-+
-+	sd = security_descriptor_dacl_create(tctx,
-+					0, NULL, NULL,
-+					owner_sid,
-+					SEC_ACE_TYPE_ACCESS_ALLOWED,
-+					SEC_FILE_READ_DATA,
-+					0,
-+					NULL);
-+
-+	ZERO_STRUCT(set);
-+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
-+	set.set_secdesc.in.file.handle = handle;
-+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
-+	set.set_secdesc.in.sd = sd;
-+
-+	status = smb2_setinfo_file(tree, &set);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_setinfo_file failed\n");
-+
-+	smb2_util_close(tree, handle);
-+	ZERO_STRUCT(handle);
-+
-+	for (i = 0; i < ARRAY_SIZE(tcases); i++) {
-+		torture_comment(tctx, "Verify open with %s dispostion\n",
-+				tcases[i].disposition_string);
-+
-+		c = (struct smb2_create) {
-+			.in.create_disposition = tcases[i].disposition,
-+			.in.desired_access = SEC_FILE_READ_DATA,
-+			.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
-+			.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
-+			.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
-+			.in.fname = fname,
-+		};
-+
-+		status = smb2_create(tree, tctx, &c);
-+		smb2_util_close(tree, c.out.file.handle);
-+		torture_assert_ntstatus_equal_goto(
-+			tctx, status, tcases[i].expected_status, ret, done,
-+			"smb2_create failed\n");
-+	};
-+
-+	torture_comment(tctx, "put back original sd\n");
-+
-+	c = (struct smb2_create) {
-+		.in.desired_access = SEC_STD_WRITE_DAC,
-+		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
-+		.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
-+		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
-+		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
-+		.in.fname = fname,
-+	};
-+
-+	status = smb2_create(tree, tctx, &c);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_create failed\n");
-+	handle = c.out.file.handle;
-+
-+	ZERO_STRUCT(set);
-+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
-+	set.set_secdesc.in.file.handle = handle;
-+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
-+	set.set_secdesc.in.sd = sd_orig;
-+
-+	status = smb2_setinfo_file(tree, &set);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_setinfo_file failed\n");
-+
-+	smb2_util_close(tree, handle);
-+	ZERO_STRUCT(handle);
-+
-+done:
-+	smb2_util_close(tree, handle);
-+	smb2_util_unlink(tree, fname);
-+	smb2_deltree(tree, BASEDIR);
-+	return ret;
-+}
-+
- /*
-    basic testing of SMB2 ACLs
- */
-@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
- 			test_deny1);
- 	torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
- 			test_mxac_not_granted);
-+	torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
- 
- 	suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
- 
--- a/SOURCES/CVE-2023-42669.patch
+++ b/SOURCES/CVE-2023-42669.patch
@ -1,86 +0,0 @@
-From 3cf1beed5df7d8b5d854517de7de322c6a5bc7fa Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Tue, 12 Sep 2023 18:59:44 +1200
-Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
- default
-
-The rpcecho server is useful in development and testing, but should never
-have been allowed into production, as it includes the facility to
-do a blocking sleep() in the single-threaded rpc worker.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
- docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
- lib/param/loadparm.c                                   | 2 +-
- selftest/target/Samba4.pm                              | 2 +-
- source3/param/loadparm.c                               | 2 +-
- source4/rpc_server/wscript_build                       | 3 ++-
- 5 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
-index 8a217cc7f118..c6642b795fd6 100644
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
-+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
-@@ -6,6 +6,6 @@
- 	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
- </description>
- 
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
-+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
- <value type="example">rpcecho</value>
- </samba:parameter>
-diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
-index 9a7ae4f95fe8..673b913e6e5a 100644
--- a/lib/param/loadparm.c
-+++ b/lib/param/loadparm.c
-@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
- 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
- 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
- 
-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
-+	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
- 	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
- 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
- 	/* the winbind method for domain controllers is for both RODC
-diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
-index 49e3c174b07e..5f1f1bfffad6 100755
--- a/selftest/target/Samba4.pm
-+++ b/selftest/target/Samba4.pm
-@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
- 	wins support = yes
- 	server role = $ctx->{server_role}
- 	server services = +echo $services
-        dcerpc endpoint servers = +winreg +srvsvc
-+        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
- 	notify:inotify = false
- 	ldb:nosync = true
- 	ldap server require strong auth = yes
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 1c3644589126..e7f4bbe3995e 100644
--- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
- 
- 	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
- 
-	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
-+	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
- 
- 	Globals.tls_enabled = true;
- 	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
-diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
-index 0e44a3c2baed..31ec4f60c9a6 100644
--- a/source4/rpc_server/wscript_build
-+++ b/source4/rpc_server/wscript_build
-@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
-                  source='echo/rpc_echo.c',
-                  subsystem='dcerpc_server',
-                  init_function='dcerpc_server_rpcecho_init',
-                 deps='ndr-standard events'
-+                 deps='ndr-standard events',
-+                 enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
-                  )
- 
- 
--- a/SOURCES/nsswitch-add-test-for-pthread_key_delete-missuse.patch
+++ b/SOURCES/nsswitch-add-test-for-pthread_key_delete-missuse.patch
@ -1,613 +0,0 @@
-From ced40c5a805dcfb06d5f3d68aa45a0aaa44bfdca Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 8 Sep 2023 13:57:26 +0200
-Subject: [PATCH 1/5] nsswitch: add test for pthread_key_delete missuse (bug
- 15464)
-
-This is based on https://bugzilla.samba.org/attachment.cgi?id=18081
-written by Krzysztof Piotr Oledzki <ole@ans.pl>
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 62af25d44e542548d8cdecb061a6001e0071ee76)
---
- nsswitch/b15464-testcase.c            | 77 +++++++++++++++++++++++++++
- nsswitch/wscript_build                |  5 ++
- selftest/knownfail.d/b15464_testcase  |  1 +
- source3/selftest/tests.py             |  6 +++
- testprogs/blackbox/b15464-testcase.sh | 21 ++++++++
- 5 files changed, 110 insertions(+)
- create mode 100644 nsswitch/b15464-testcase.c
- create mode 100644 selftest/knownfail.d/b15464_testcase
- create mode 100755 testprogs/blackbox/b15464-testcase.sh
-
-diff --git a/nsswitch/b15464-testcase.c b/nsswitch/b15464-testcase.c
-new file mode 100644
-index 000000000000..decb474a81ee
--- /dev/null
-+++ b/nsswitch/b15464-testcase.c
-@@ -0,0 +1,77 @@
-+#include "replace.h"
-+#include "system/wait.h"
-+#include "system/threads.h"
-+#include <assert.h>
-+
-+int main(int argc, const char *argv[])
-+{
-+	pid_t pid;
-+	int wstatus;
-+	pthread_key_t k1;
-+	pthread_key_t k2;
-+	pthread_key_t k3;
-+	char *val = NULL;
-+	const char *nss_winbind = (argc >= 2 ? argv[1] : "bin/plugins/libnss_winbind.so.2");
-+	void *nss_winbind_handle = NULL;
-+	union {
-+		int (*fn)(void);
-+		void *symbol;
-+	} nss_winbind_endpwent = { .symbol = NULL, };
-+
-+	/*
-+	 * load and invoke something simple like
-+	 * _nss_winbind_endpwent in order to
-+	 * get the libnss_winbind internal going
-+	 */
-+	nss_winbind_handle = dlopen(nss_winbind, RTLD_NOW);
-+	printf("%d: nss_winbind[%s] nss_winbind_handle[%p]\n",
-+	       getpid(), nss_winbind, nss_winbind_handle);
-+	assert(nss_winbind_handle != NULL);
-+
-+	nss_winbind_endpwent.symbol = dlsym(nss_winbind_handle,
-+					    "_nss_winbind_endpwent");
-+	printf("%d: nss_winbind_handle[%p] _nss_winbind_endpwent[%p]\n",
-+	       getpid(), nss_winbind_handle, nss_winbind_endpwent.symbol);
-+	assert(nss_winbind_endpwent.symbol != NULL);
-+	(void)nss_winbind_endpwent.fn();
-+
-+	val = malloc(1);
-+	assert(val != NULL);
-+
-+	pthread_key_create(&k1, NULL);
-+	pthread_setspecific(k1, val);
-+	printf("%d: k1=%d\n", getpid(), k1);
-+
-+	pid = fork();
-+	if (pid) {
-+		free(val);
-+		wait(&wstatus);
-+		return WEXITSTATUS(wstatus);
-+	}
-+
-+	pthread_key_create(&k2, NULL);
-+	pthread_setspecific(k2, val);
-+
-+	printf("%d: Hello after fork, k1=%d, k2=%d\n", getpid(), k1, k2);
-+
-+	pid = fork();
-+
-+	if (pid) {
-+		free(val);
-+		wait(&wstatus);
-+		return WEXITSTATUS(wstatus);
-+	}
-+
-+	pthread_key_create(&k3, NULL);
-+	pthread_setspecific(k3, val);
-+
-+	printf("%d: Hello after fork2, k1=%d, k2=%d, k3=%d\n", getpid(), k1, k2, k3);
-+
-+	if (k1 == k2 || k2 == k3) {
-+		printf("%d: FAIL inconsistent keys\n", getpid());
-+		return 1;
-+	}
-+
-+	printf("%d: OK consistent keys\n", getpid());
-+	return 0;
-+}
-diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
-index 3247b6c2b7c3..4e62bb4c9461 100644
--- a/nsswitch/wscript_build
-+++ b/nsswitch/wscript_build
-@@ -15,6 +15,11 @@ if bld.CONFIG_SET('HAVE_PTHREAD'):
- 		     deps='wbclient pthread',
- 		     for_selftest=True
- 		     )
-+    bld.SAMBA_BINARY('b15464-testcase',
-+		     source='b15464-testcase.c',
-+		     deps='replace pthread dl',
-+		     for_selftest=True
-+		     )
- 
- # The nss_wrapper code relies strictly on the linux implementation and
- # name, so compile but do not install a copy under this name.
-diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase
-new file mode 100644
-index 000000000000..94dd7db7c2a5
--- /dev/null
-+++ b/selftest/knownfail.d/b15464_testcase
-@@ -0,0 +1 @@
-+^b15464_testcase.run.b15464-testcase
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index 0c834ed48b5e..ea17ead3eda7 100755
--- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -67,6 +67,8 @@ except KeyError:
-     samba4bindir = bindir()
-     config_h = os.path.join(samba4bindir, "default/include/config.h")
- 
-+bbdir = os.path.join(srcdir(), "testprogs/blackbox")
-+
- # check available features
- config_hash = dict()
- f = open(config_h, 'r')
-@@ -936,6 +938,10 @@ if with_pthreadpool:
-                   [os.path.join(samba3srcdir,
-                                 "script/tests/test_libwbclient_threads.sh"),
-                    "$DOMAIN", "$DC_USERNAME"])
-+    plantestsuite("b15464_testcase", "none",
-+                  [os.path.join(bbdir, "b15464-testcase.sh"),
-+                   binpath("b15464-testcase"),
-+                   binpath("plugins/libnss_winbind.so.2")])
- 
- plantestsuite("samba3.test_nfs4_acl", "none",
-               [os.path.join(bindir(), "test_nfs4_acls"),
-diff --git a/testprogs/blackbox/b15464-testcase.sh b/testprogs/blackbox/b15464-testcase.sh
-new file mode 100755
-index 000000000000..b0c88260d4cc
--- /dev/null
-+++ b/testprogs/blackbox/b15464-testcase.sh
-@@ -0,0 +1,21 @@
-+#!/bin/sh
-+# Blackbox wrapper for bug 15464
-+# Copyright (C) 2023 Stefan Metzmacher
-+
-+if [ $# -lt 2 ]; then
-+	cat <<EOF
-+Usage: b15464-testcase.sh B15464_TESTCASE LIBNSS_WINBIND
-+EOF
-+	exit 1
-+fi
-+
-+b15464_testcase=$1
-+libnss_winbind=$2
-+shift 2
-+failed=0
-+
-+. $(dirname $0)/subunit.sh
-+
-+testit "run b15464-testcase" $VALGRIND $b15464_testcase $libnss_winbind || failed=$(expr $failed + 1)
-+
-+testok $0 $failed
-- 
-2.34.1
-
-
-From 08728ee7847d7864d4c72a4ac1ddfeca78934326 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 7 Sep 2023 16:02:32 +0200
-Subject: [PATCH 2/5] nsswitch/wb_common.c: fix build without HAVE_PTHREAD
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 4faf806412c4408db25448b1f67c09359ec2f81f)
---
- nsswitch/wb_common.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
-index d569e761ebe4..c382a44c1209 100644
--- a/nsswitch/wb_common.c
-+++ b/nsswitch/wb_common.c
-@@ -104,7 +104,6 @@ static void wb_thread_ctx_initialize(void)
- 				 wb_thread_ctx_destructor);
- 	assert(ret == 0);
- }
-#endif
- 
- static struct winbindd_context *get_wb_thread_ctx(void)
- {
-@@ -139,6 +138,7 @@ static struct winbindd_context *get_wb_thread_ctx(void)
- 	}
- 	return ctx;
- }
-+#endif /* HAVE_PTHREAD */
- 
- static struct winbindd_context *get_wb_global_ctx(void)
- {
-- 
-2.34.1
-
-
-From d1f43cd4cc6aeb2ac9fcaee9aa512012ca92ecb3 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 8 Sep 2023 09:53:42 +0200
-Subject: [PATCH 3/5] nsswitch/wb_common.c: winbind_destructor can always use
- get_wb_global_ctx()
-
-The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all
-required magic.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 836823e5047d0eb18e66707386ba03b812adfaf8)
---
- nsswitch/wb_common.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
-index c382a44c1209..d56e48d9bdb8 100644
--- a/nsswitch/wb_common.c
-+++ b/nsswitch/wb_common.c
-@@ -246,14 +246,10 @@ static void winbind_destructor(void)
- 		return;
- 	}
- 
-#ifdef HAVE_PTHREAD_H
-	ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
-+	ctx = get_wb_global_ctx();
- 	if (ctx == NULL) {
- 		return;
- 	}
-#else
-	ctx = get_wb_global_ctx();
-#endif
- 
- 	winbind_close_sock(ctx);
- }
-- 
-2.34.1
-
-
-From 6e29ea5b9efe5cf166cc9d633c1dc4eb8f192736 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 8 Sep 2023 09:56:47 +0200
-Subject: [PATCH 4/5] nsswitch/wb_common.c: don't operate on a stale
- wb_global_ctx.key
-
-If nss_winbind is loaded into a process that uses fork multiple times
-without any further calls into nss_winbind, wb_atfork_child handler
-was using a wb_global_ctx.key that was no longer registered in the
-pthread library, so we operated on a slot that was potentially
-reused by other libraries or the main application. Which is likely
-to cause memory corruption.
-
-So we better don't call pthread_key_delete() in wb_atfork_child().
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
-
-Reported-by: Krzysztof Piotr Oledzki <ole@ans.pl>
-Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 91b30a7261e6455d3a4f31728c23e4849e3945b9)
---
- nsswitch/wb_common.c                 | 5 -----
- selftest/knownfail.d/b15464_testcase | 1 -
- 2 files changed, 6 deletions(-)
- delete mode 100644 selftest/knownfail.d/b15464_testcase
-
-diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
-index d56e48d9bdb8..38f9f334016b 100644
--- a/nsswitch/wb_common.c
-+++ b/nsswitch/wb_common.c
-@@ -76,11 +76,6 @@ static void wb_atfork_child(void)
- 
- 	winbind_close_sock(ctx);
- 	free(ctx);
-
-	ret = pthread_key_delete(wb_global_ctx.key);
-	assert(ret == 0);
-
-	wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
- }
- 
- static void wb_thread_ctx_destructor(void *p)
-diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase
-deleted file mode 100644
-index 94dd7db7c2a5..000000000000
--- a/selftest/knownfail.d/b15464_testcase
-+++ /dev/null
-@@ -1 +0,0 @@
-^b15464_testcase.run.b15464-testcase
-- 
-2.34.1
-
-
-From 61ca2c66e0a3c837f2c542b8d9321a8d8cd03382 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 7 Sep 2023 15:59:59 +0200
-Subject: [PATCH 5/5] nsswitch/wb_common.c: fix socket fd and memory leaks of
- global state
-
-When we are called in wb_atfork_child() or winbind_destructor(),
-wb_thread_ctx_destructor() is not called for the global state
-of the current nor any other thread, which means we would
-leak the related memory and socket fds.
-
-Now we maintain a global list protected by a global mutex.
-We traverse the list and close all socket fds, which are no
-longer used (winbind_destructor) or no longer valid in the
-current process (wb_atfork_child), in addition we 'autofree'
-the ones, which are only visible internally as global (per thread)
-context.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
-
-Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224
-
-(cherry picked from commit 4af3faace481d23869b64485b791bdd43d8972c5)
---
- nsswitch/wb_common.c | 143 ++++++++++++++++++++++++++++++++++---------
- 1 file changed, 113 insertions(+), 30 deletions(-)
-
-diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
-index 38f9f334016b..b7f84435a4ee 100644
--- a/nsswitch/wb_common.c
-+++ b/nsswitch/wb_common.c
-@@ -26,6 +26,7 @@
- #include "replace.h"
- #include "system/select.h"
- #include "winbind_client.h"
-+#include "lib/util/dlinklist.h"
- #include <assert.h>
- 
- #ifdef HAVE_PTHREAD_H
-@@ -37,67 +38,112 @@ static __thread char client_name[32];
- /* Global context */
- 
- struct winbindd_context {
-+	struct winbindd_context *prev, *next;
- 	int winbindd_fd;	/* winbind file descriptor */
- 	bool is_privileged;	/* using the privileged socket? */
- 	pid_t our_pid;		/* calling process pid */
-+	bool autofree;		/* this is a thread global context */
- };
- 
- static struct wb_global_ctx {
-	bool initialized;
- #ifdef HAVE_PTHREAD
- 	pthread_once_t control;
- 	pthread_key_t key;
-+	bool key_initialized;
-+#ifdef PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
-+#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
- #else
-	bool dummy;
-+#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
- #endif
-+#define WB_GLOBAL_LIST_LOCK do { \
-+	int __pret = pthread_mutex_lock(&wb_global_ctx.list_mutex); \
-+	assert(__pret == 0); \
-+} while(0)
-+#define WB_GLOBAL_LIST_UNLOCK do { \
-+	int __pret = pthread_mutex_unlock(&wb_global_ctx.list_mutex); \
-+	assert(__pret == 0); \
-+} while(0)
-+	pthread_mutex_t list_mutex;
-+#else /* => not HAVE_PTHREAD */
-+#define WB_GLOBAL_LIST_LOCK do { } while(0)
-+#define WB_GLOBAL_LIST_UNLOCK do { } while(0)
-+#endif /* not HAVE_PTHREAD */
-+	struct winbindd_context *list;
- } wb_global_ctx = {
- #ifdef HAVE_PTHREAD
- 	.control = PTHREAD_ONCE_INIT,
-+	.list_mutex = WB_GLOBAL_MUTEX_INITIALIZER,
- #endif
-+	.list = NULL,
- };
- 
- static void winbind_close_sock(struct winbindd_context *ctx);
-+static void winbind_ctx_free_locked(struct winbindd_context *ctx);
-+static void winbind_cleanup_list(void);
- 
- #ifdef HAVE_PTHREAD
- static void wb_thread_ctx_initialize(void);
- 
-+static void wb_atfork_prepare(void)
-+{
-+	WB_GLOBAL_LIST_LOCK;
-+}
-+
-+static void wb_atfork_parent(void)
-+{
-+	WB_GLOBAL_LIST_UNLOCK;
-+}
-+
- static void wb_atfork_child(void)
- {
-	struct winbindd_context *ctx = NULL;
-	int ret;
-+	wb_global_ctx.list_mutex = (pthread_mutex_t)WB_GLOBAL_MUTEX_INITIALIZER;
- 
-	ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
-	if (ctx == NULL) {
-		return;
-	}
-+	if (wb_global_ctx.key_initialized) {
-+		int ret;
- 
-	ret = pthread_setspecific(wb_global_ctx.key, NULL);
-	assert(ret == 0);
-+		/*
-+		 * After a fork the child still believes
-+		 * it is the same thread as in the parent.
-+		 * So pthread_getspecific() would return the
-+		 * value of the thread that called fork().
-+		 *
-+		 * But we don't want that behavior, so
-+		 * we just clear the reference and let
-+		 * winbind_cleanup_list() below 'autofree'
-+		 * the parent threads global context.
-+		 */
-+		ret = pthread_setspecific(wb_global_ctx.key, NULL);
-+		assert(ret == 0);
-+	}
- 
-	winbind_close_sock(ctx);
-	free(ctx);
-+	/*
-+	 * But we need to close/cleanup the global state
-+	 * of the parents threads.
-+	 */
-+	winbind_cleanup_list();
- }
- 
- static void wb_thread_ctx_destructor(void *p)
- {
- 	struct winbindd_context *ctx = (struct winbindd_context *)p;
- 
-	winbind_close_sock(ctx);
-	free(ctx);
-+	winbindd_ctx_free(ctx);
- }
- 
- static void wb_thread_ctx_initialize(void)
- {
- 	int ret;
- 
-	ret = pthread_atfork(NULL,
-			     NULL,
-+	ret = pthread_atfork(wb_atfork_prepare,
-+			     wb_atfork_parent,
- 			     wb_atfork_child);
- 	assert(ret == 0);
- 
- 	ret = pthread_key_create(&wb_global_ctx.key,
- 				 wb_thread_ctx_destructor);
- 	assert(ret == 0);
-+
-+	wb_global_ctx.key_initialized = true;
- }
- 
- static struct winbindd_context *get_wb_thread_ctx(void)
-@@ -123,9 +169,14 @@ static struct winbindd_context *get_wb_thread_ctx(void)
- 	*ctx = (struct winbindd_context) {
- 		.winbindd_fd = -1,
- 		.is_privileged = false,
-		.our_pid = 0
-+		.our_pid = 0,
-+		.autofree = true,
- 	};
- 
-+	WB_GLOBAL_LIST_LOCK;
-+	DLIST_ADD_END(wb_global_ctx.list, ctx);
-+	WB_GLOBAL_LIST_UNLOCK;
-+
- 	ret = pthread_setspecific(wb_global_ctx.key, ctx);
- 	if (ret != 0) {
- 		free(ctx);
-@@ -142,7 +193,8 @@ static struct winbindd_context *get_wb_global_ctx(void)
- 	static struct winbindd_context _ctx = {
- 		.winbindd_fd = -1,
- 		.is_privileged = false,
-		.our_pid = 0
-+		.our_pid = 0,
-+		.autofree = false,
- 	};
- #endif
- 
-@@ -150,9 +202,11 @@ static struct winbindd_context *get_wb_global_ctx(void)
- 	ctx = get_wb_thread_ctx();
- #else
- 	ctx = &_ctx;
-+	if (ctx->prev == NULL && ctx->next == NULL) {
-+		DLIST_ADD_END(wb_global_ctx.list, ctx);
-+	}
- #endif
- 
-	wb_global_ctx.initialized = true;
- 	return ctx;
- }
- 
-@@ -226,6 +280,30 @@ static void winbind_close_sock(struct winbindd_context *ctx)
- 	}
- }
- 
-+static void winbind_ctx_free_locked(struct winbindd_context *ctx)
-+{
-+	winbind_close_sock(ctx);
-+	DLIST_REMOVE(wb_global_ctx.list, ctx);
-+	free(ctx);
-+}
-+
-+static void winbind_cleanup_list(void)
-+{
-+	struct winbindd_context *ctx = NULL, *next = NULL;
-+
-+	WB_GLOBAL_LIST_LOCK;
-+	for (ctx = wb_global_ctx.list; ctx != NULL; ctx = next) {
-+		next = ctx->next;
-+
-+		if (ctx->autofree) {
-+			winbind_ctx_free_locked(ctx);
-+		} else {
-+			winbind_close_sock(ctx);
-+		}
-+	}
-+	WB_GLOBAL_LIST_UNLOCK;
-+}
-+
- /* Destructor for global context to ensure fd is closed */
- 
- #ifdef HAVE_DESTRUCTOR_ATTRIBUTE
-@@ -235,18 +313,18 @@ __attribute__((destructor))
- #endif
- static void winbind_destructor(void)
- {
-	struct winbindd_context *ctx;
-
-	if (!wb_global_ctx.initialized) {
-		return;
-+#ifdef HAVE_PTHREAD
-+	if (wb_global_ctx.key_initialized) {
-+		int ret;
-+		ret = pthread_key_delete(wb_global_ctx.key);
-+		assert(ret == 0);
-+		wb_global_ctx.key_initialized = false;
- 	}
- 
-	ctx = get_wb_global_ctx();
-	if (ctx == NULL) {
-		return;
-	}
-+	wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
-+#endif /* HAVE_PTHREAD */
- 
-	winbind_close_sock(ctx);
-+	winbind_cleanup_list();
- }
- 
- #define CONNECT_TIMEOUT 30
-@@ -928,11 +1006,16 @@ struct winbindd_context *winbindd_ctx_create(void)
- 
- 	ctx->winbindd_fd = -1;
- 
-+	WB_GLOBAL_LIST_LOCK;
-+	DLIST_ADD_END(wb_global_ctx.list, ctx);
-+	WB_GLOBAL_LIST_UNLOCK;
-+
- 	return ctx;
- }
- 
- void winbindd_ctx_free(struct winbindd_context *ctx)
- {
-	winbind_close_sock(ctx);
-	free(ctx);
-+	WB_GLOBAL_LIST_LOCK;
-+	winbind_ctx_free_locked(ctx);
-+	WB_GLOBAL_LIST_UNLOCK;
- }
-- 
-2.34.1
--- a/SOURCES/samba-4.18.6.tar.asc
+++ b/SOURCES/samba-4.18.6.tar.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmTc/5EACgkQqplEL7aA
-tiB+4RAAkcRhO1/ZC7sXgqAqTZY05On8g2GLeuBh2Q+u7QIyjcDLuJWzp0TkrbMn
-LBGtFAyCxM1JbW/K1UNafeQcf3UKzY1nIPtUpqVjN7qMxt0BDZ6MsXGbB/qhyGMZ
-YnsZ8of/8NOUKx5KbrSeN5TqjICWTVRKi7KPcBrD51sTSt5unXYrolyJpKoPjYYU
-lQS8cnh/shfvvFX4fYf9XtFS2OcQqCTFrLeajb6DU7Ep6ZBZa9r3m5Gk3ZvhBu9r
-qowmQDqbNfo++wIkOaehD6tQsWcY2XvfBCFLqtSnF1SraN0jpdYr08dbcRGyuhFd
-DS9+4BwCCML0mip7aaP6NHZpN+LvyYkAKPuKo8mW8pxe3i8ctxcTyN6SfmZA6RlE
-bcmRQSkBD/e0jjBX5nR0zsaT01bgE1bBvbro0ZKHpR7/k6WeV+k6jDmqqXnYj3uB
-61fCtf41w1b2pMhty70niga2gxaHrSqu9gqSl2wk/uMhwtdntqrJtaWIChWM0CRs
-b6pfbjEZM2NDhsLe3idvY9Hl1hlKrMtoLJTu7fksTDVJzWPfqOCyIOc1DkxbCqlG
-XB9fbre57DWIpRvNK4pu108LiGbavK2rLC6wlcjshP3/9BA3c3HO/JPQGtDAn1UE
-JVQlYT1Fzzp9RU8U5Khz9D7pB3k6K19ZIo3q5xTA/V5O6axB5WM=
-=GnJM
-----END PGP SIGNATURE-----
--- a/SOURCES/samba-4.19.4.tar.asc
+++ b/SOURCES/samba-4.19.4.tar.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
+tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
+Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
+2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
+XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
+iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
+svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
+JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
+ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
+vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
+NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
+1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
+=kOPP
+-----END PGP SIGNATURE-----
--- a/SOURCES/samba-winbind-systemd-sysusers.conf
+++ b/SOURCES/samba-winbind-systemd-sysusers.conf
@ -0,0 +1,2 @@
+#Type Name       ID
+g     wbpriv     88
--- a/SOURCES/smb.conf.vendor
+++ b/SOURCES/smb.conf.vendor
@ -18,6 +18,9 @@
 	load printers = yes
 	cups options = raw

+	# Install samba-usershares package for support
+	include = /etc/samba/usershares.conf
+
 [homes]
 	comment = Home Directories
 	valid users = %S, %D%w%S
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec