.gitignore

@@ -1,2 +1,2 @@
-SOURCES/samba-4.18.6.tar.xz
+SOURCES/samba-4.19.4.tar.xz
 SOURCES/samba-pubkey_AA99442FB680B620.gpg

.samba.metadata

@@ -1,2 +0,0 @@
-12b41f2a849cb6c40e9f5b174bb1cd823a060bd7 SOURCES/samba-4.18.6.tar.xz
-971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg

SOURCES/CVE-2023-3961.patch

@@ -1,45 +0,0 @@
-From ae476e1c28b797fe221172ed1066bf8efa476d8d Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 25 Jul 2023 17:41:04 -0700
-Subject: [PATCH] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
- could exit socket_dir.
-
-For now, SMB_ASSERT() to exit the server. We will remove
-this once the test code is in place.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/rpc_client/local_np.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
-index 0e912d0e35a..dfed7e7beb6 100644
---- a/source3/rpc_client/local_np.c
-+++ b/source3/rpc_client/local_np.c
-@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
- 		return tevent_req_post(req, ev);
- 	}
- 
-+	/*
-+	 * Ensure we cannot process a path that exits
-+	 * the socket_dir.
-+	 */
-+	if (ISDOTDOT(lower_case_pipename) ||
-+	    (strchr(lower_case_pipename, '/')!=NULL))
-+	{
-+		DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
-+			lower_case_pipename);
-+		/*
-+		 * For now, panic the server until we have
-+		 * the test code in place.
-+		 */
-+		SMB_ASSERT(false);
-+		tevent_req_error(req, ENOENT);
-+		return tevent_req_post(req, ev);
-+	}
-+
- 	state->socketpath = talloc_asprintf(
- 		state, "%s/np/%s", socket_dir, lower_case_pipename);
- 	if (tevent_req_nomem(state->socketpath, req)) {

SOURCES/CVE-2023-4091.patch

@@ -1,183 +0,0 @@
-From b1fd65694185c26f1e196d84ee8756300e631bd5 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 1 Aug 2023 12:30:00 +0200
-Subject: [PATCH] CVE-2023-4091: smbtorture: test overwrite dispositions on
- read-only file
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- selftest/knownfail.d/samba3.smb2.acls |   1 +
- source4/torture/smb2/acls.c           | 143 ++++++++++++++++++++++++++
- 2 files changed, 144 insertions(+)
- create mode 100644 selftest/knownfail.d/samba3.smb2.acls
-
-diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
-new file mode 100644
-index 00000000000..18df260c0e5
---- /dev/null
-+++ b/selftest/knownfail.d/samba3.smb2.acls
-@@ -0,0 +1 @@
-+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
-diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
-index bbf201bcf4b..53f482c5541 100644
---- a/source4/torture/smb2/acls.c
-+++ b/source4/torture/smb2/acls.c
-@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
- 	return ret;
- }
- 
-+static bool test_overwrite_read_only_file(struct torture_context *tctx,
-+					  struct smb2_tree *tree)
-+{
-+	NTSTATUS status;
-+	struct smb2_create c;
-+	const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
-+	struct smb2_handle handle = {{0}};
-+	union smb_fileinfo q;
-+	union smb_setfileinfo set;
-+	struct security_descriptor *sd = NULL, *sd_orig = NULL;
-+	const char *owner_sid = NULL;
-+	int i;
-+	bool ret = true;
-+
-+	struct tcase {
-+		int disposition;
-+		const char *disposition_string;
-+		NTSTATUS expected_status;
-+	} tcases[] = {
-+#define TCASE(d, s) {				\
-+		.disposition = d,		\
-+		.disposition_string = #d,	\
-+		.expected_status = s,		\
-+	}
-+		TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
-+		TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
-+		TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
-+		TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
-+	};
-+#undef TCASE
-+
-+	ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
-+	torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
-+
-+	c = (struct smb2_create) {
-+		.in.desired_access = SEC_STD_READ_CONTROL |
-+			SEC_STD_WRITE_DAC |
-+			SEC_STD_WRITE_OWNER,
-+		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
-+		.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
-+			NTCREATEX_SHARE_ACCESS_WRITE,
-+		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
-+		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
-+		.in.fname = fname,
-+	};
-+
-+	status = smb2_create(tree, tctx, &c);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_create failed\n");
-+	handle = c.out.file.handle;
-+
-+	torture_comment(tctx, "get the original sd\n");
-+
-+	ZERO_STRUCT(q);
-+	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
-+	q.query_secdesc.in.file.handle = handle;
-+	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
-+
-+	status = smb2_getinfo_file(tree, tctx, &q);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_getinfo_file failed\n");
-+	sd_orig = q.query_secdesc.out.sd;
-+
-+	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
-+
-+	sd = security_descriptor_dacl_create(tctx,
-+					0, NULL, NULL,
-+					owner_sid,
-+					SEC_ACE_TYPE_ACCESS_ALLOWED,
-+					SEC_FILE_READ_DATA,
-+					0,
-+					NULL);
-+
-+	ZERO_STRUCT(set);
-+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
-+	set.set_secdesc.in.file.handle = handle;
-+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
-+	set.set_secdesc.in.sd = sd;
-+
-+	status = smb2_setinfo_file(tree, &set);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_setinfo_file failed\n");
-+
-+	smb2_util_close(tree, handle);
-+	ZERO_STRUCT(handle);
-+
-+	for (i = 0; i < ARRAY_SIZE(tcases); i++) {
-+		torture_comment(tctx, "Verify open with %s dispostion\n",
-+				tcases[i].disposition_string);
-+
-+		c = (struct smb2_create) {
-+			.in.create_disposition = tcases[i].disposition,
-+			.in.desired_access = SEC_FILE_READ_DATA,
-+			.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
-+			.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
-+			.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
-+			.in.fname = fname,
-+		};
-+
-+		status = smb2_create(tree, tctx, &c);
-+		smb2_util_close(tree, c.out.file.handle);
-+		torture_assert_ntstatus_equal_goto(
-+			tctx, status, tcases[i].expected_status, ret, done,
-+			"smb2_create failed\n");
-+	};
-+
-+	torture_comment(tctx, "put back original sd\n");
-+
-+	c = (struct smb2_create) {
-+		.in.desired_access = SEC_STD_WRITE_DAC,
-+		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
-+		.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
-+		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
-+		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
-+		.in.fname = fname,
-+	};
-+
-+	status = smb2_create(tree, tctx, &c);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_create failed\n");
-+	handle = c.out.file.handle;
-+
-+	ZERO_STRUCT(set);
-+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
-+	set.set_secdesc.in.file.handle = handle;
-+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
-+	set.set_secdesc.in.sd = sd_orig;
-+
-+	status = smb2_setinfo_file(tree, &set);
-+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
-+					"smb2_setinfo_file failed\n");
-+
-+	smb2_util_close(tree, handle);
-+	ZERO_STRUCT(handle);
-+
-+done:
-+	smb2_util_close(tree, handle);
-+	smb2_util_unlink(tree, fname);
-+	smb2_deltree(tree, BASEDIR);
-+	return ret;
-+}
-+
- /*
-    basic testing of SMB2 ACLs
- */
-@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
- 			test_deny1);
- 	torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
- 			test_mxac_not_granted);
-+	torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
- 
- 	suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
- 

SOURCES/CVE-2023-42669.patch

@@ -1,86 +0,0 @@
-From 3cf1beed5df7d8b5d854517de7de322c6a5bc7fa Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Tue, 12 Sep 2023 18:59:44 +1200
-Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
- default
-
-The rpcecho server is useful in development and testing, but should never
-have been allowed into production, as it includes the facility to
-do a blocking sleep() in the single-threaded rpc worker.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
----
- docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
- lib/param/loadparm.c                                   | 2 +-
- selftest/target/Samba4.pm                              | 2 +-
- source3/param/loadparm.c                               | 2 +-
- source4/rpc_server/wscript_build                       | 3 ++-
- 5 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
-index 8a217cc7f118..c6642b795fd6 100644
---- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
-+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
-@@ -6,6 +6,6 @@
- 	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
- </description>
- 
--<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
-+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
- <value type="example">rpcecho</value>
- </samba:parameter>
-diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
-index 9a7ae4f95fe8..673b913e6e5a 100644
---- a/lib/param/loadparm.c
-+++ b/lib/param/loadparm.c
-@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
- 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
- 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
- 
--	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
-+	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
- 	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
- 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
- 	/* the winbind method for domain controllers is for both RODC
-diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
-index 49e3c174b07e..5f1f1bfffad6 100755
---- a/selftest/target/Samba4.pm
-+++ b/selftest/target/Samba4.pm
-@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
- 	wins support = yes
- 	server role = $ctx->{server_role}
- 	server services = +echo $services
--        dcerpc endpoint servers = +winreg +srvsvc
-+        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
- 	notify:inotify = false
- 	ldb:nosync = true
- 	ldap server require strong auth = yes
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 1c3644589126..e7f4bbe3995e 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
- 
- 	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
- 
--	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
-+	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
- 
- 	Globals.tls_enabled = true;
- 	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
-diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
-index 0e44a3c2baed..31ec4f60c9a6 100644
---- a/source4/rpc_server/wscript_build
-+++ b/source4/rpc_server/wscript_build
-@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
-                  source='echo/rpc_echo.c',
-                  subsystem='dcerpc_server',
-                  init_function='dcerpc_server_rpcecho_init',
--                 deps='ndr-standard events'
-+                 deps='ndr-standard events',
-+                 enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
-                  )
- 
- 

SOURCES/samba-4.18.6.tar.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmTc/5EACgkQqplEL7aA
-tiB+4RAAkcRhO1/ZC7sXgqAqTZY05On8g2GLeuBh2Q+u7QIyjcDLuJWzp0TkrbMn
-LBGtFAyCxM1JbW/K1UNafeQcf3UKzY1nIPtUpqVjN7qMxt0BDZ6MsXGbB/qhyGMZ
-YnsZ8of/8NOUKx5KbrSeN5TqjICWTVRKi7KPcBrD51sTSt5unXYrolyJpKoPjYYU
-lQS8cnh/shfvvFX4fYf9XtFS2OcQqCTFrLeajb6DU7Ep6ZBZa9r3m5Gk3ZvhBu9r
-qowmQDqbNfo++wIkOaehD6tQsWcY2XvfBCFLqtSnF1SraN0jpdYr08dbcRGyuhFd
-DS9+4BwCCML0mip7aaP6NHZpN+LvyYkAKPuKo8mW8pxe3i8ctxcTyN6SfmZA6RlE
-bcmRQSkBD/e0jjBX5nR0zsaT01bgE1bBvbro0ZKHpR7/k6WeV+k6jDmqqXnYj3uB
-61fCtf41w1b2pMhty70niga2gxaHrSqu9gqSl2wk/uMhwtdntqrJtaWIChWM0CRs
-b6pfbjEZM2NDhsLe3idvY9Hl1hlKrMtoLJTu7fksTDVJzWPfqOCyIOc1DkxbCqlG
-XB9fbre57DWIpRvNK4pu108LiGbavK2rLC6wlcjshP3/9BA3c3HO/JPQGtDAn1UE
-JVQlYT1Fzzp9RU8U5Khz9D7pB3k6K19ZIo3q5xTA/V5O6axB5WM=
-=GnJM
------END PGP SIGNATURE-----

SOURCES/samba-4.19.4.tar.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
+tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
+Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
+2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
+XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
+iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
+svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
+JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
+ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
+vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
++NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
+1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
+=kOPP
+-----END PGP SIGNATURE-----

SOURCES/samba-winbind-systemd-sysusers.conf

@@ -0,0 +1,2 @@
+#Type Name       ID
+g     wbpriv     88

SOURCES/smb.conf.vendor

@@ -18,6 +18,9 @@
 	load printers = yes
 	cups options = raw
 
+	# Install samba-usershares package for support
+	include = /etc/samba/usershares.conf
+
 [homes]
 	comment = Home Directories
 	valid users = %S, %D%w%S