.gitignore

@@ -1,2 +1,2 @@
-SOURCES/samba-4.16.2.tar.xz
+SOURCES/samba-4.19.4.tar.xz
 SOURCES/samba-pubkey_AA99442FB680B620.gpg

.samba.metadata

@@ -1,2 +1,2 @@
-7ee5776f92bbca2508da3d06d2d03a8e5ff5ed67 SOURCES/samba-4.16.2.tar.xz
+6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz
 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg

SOURCES/samba-4.16-waf-crypto.patch

@@ -1,77 +0,0 @@
-From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 4 Apr 2022 11:24:04 +0200
-Subject: [PATCH 1/2] waf: Check for GnuTLS earlier
-
-As GnuTLS is an essential part we need to check for it early so we can react on
-GnuTLS features in other wscripts.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- wscript | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/wscript b/wscript
-index d8220b35095..5b85d9a1682 100644
---- a/wscript
-+++ b/wscript
-@@ -189,6 +189,8 @@ def configure(conf):
-     conf.RECURSE('dynconfig')
-     conf.RECURSE('selftest')
- 
-+    conf.PROCESS_SEPARATE_RULE('system_gnutls')
-+
-     conf.CHECK_CFG(package='zlib', minversion='1.2.3',
-                    args='--cflags --libs',
-                    mandatory=True)
-@@ -297,8 +299,6 @@ def configure(conf):
-     if not conf.CONFIG_GET('KRB5_VENDOR'):
-         conf.PROCESS_SEPARATE_RULE('embedded_heimdal')
- 
--    conf.PROCESS_SEPARATE_RULE('system_gnutls')
--
-     conf.RECURSE('source4/dsdb/samdb/ldb_modules')
-     conf.RECURSE('source4/ntvfs/sysdep')
-     conf.RECURSE('lib/util')
--- 
-2.35.1
-
-
-From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 4 Apr 2022 11:25:31 +0200
-Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS
- provides the cipher
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- third_party/wscript | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/third_party/wscript b/third_party/wscript
-index 1f4bc1ce1d7..a17c15bcaa7 100644
---- a/third_party/wscript
-+++ b/third_party/wscript
-@@ -5,7 +5,8 @@ from waflib import Options
- def configure(conf):
-     conf.RECURSE('cmocka')
-     conf.RECURSE('popt')
--    conf.RECURSE('aesni-intel')
-+    if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
-+        conf.RECURSE('aesni-intel')
-     if conf.CONFIG_GET('ENABLE_SELFTEST'):
-         conf.RECURSE('socket_wrapper')
-         conf.RECURSE('nss_wrapper')
-@@ -18,7 +19,8 @@ def configure(conf):
- def build(bld):
-     bld.RECURSE('cmocka')
-     bld.RECURSE('popt')
--    bld.RECURSE('aesni-intel')
-+    if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
-+        bld.RECURSE('aesni-intel')
-     if bld.CONFIG_GET('SOCKET_WRAPPER'):
-         bld.RECURSE('socket_wrapper')
-     if bld.CONFIG_GET('NSS_WRAPPER'):
--- 
-2.35.1
-

SOURCES/samba-4.16.2.tar.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmKm3zUACgkQqplEL7aA
-tiC2LA/+LwNu8NfLoSSuq+OXTe6Ih0KhdT3RtIhknhe2s3ibBw7juNqUEmZupufH
-01M6p+sq1YyyRABW2k2M51tKF96wdjffDNFTNdpFOXYL5Hm1uL4Lzdf4ZiWY9MKp
-U04uZ1OwicIeFdqU3oUt9iLY5Z2KPz4pTfIOZL67OV8QDXxHdieHfseWVUmOaAjd
-YsZFQRl2c29OkOkAD5AYpNdquQAGvS34M5dPYItrJwgKs9RYMG6JX03oCpoFxXVn
-wjV74S1GB03Gec7tOI+BlAshUeAgUIcYjSrcxJ3MEDTXjJkoVcS9gOOezuWf6lei
-4uEmLYKaYKstF3qFriXJIWoGPAakzyumQOpjo84C0Z0mftSX0L3XbVGmsP48Ra58
-foz0iLka2/8AqxYa5QXkGwqg615icpLo2MmM2/wvMg0Mvx6D6zcb2yx5gIb+ITmh
-d1iN7Rzhk+V2fP7m7zua4IEs7jq8M3pXUF7+By2XdboaOuq80APwLfr37yMeQBPu
-NTVgOPCe+AQZliOWagxZ03yLSraCljIfMFLecDdl1W2Vi45IrtRxT2o2gqtnOgsL
-1+8OfmcvPYYSXNr3dreeH7UROVR6DEBWL1bUV2UFB5EFzUDB612EE6Z5IVbPoTWl
-GVAKedXrrQx+f2ucUFg5AvjCJkZ8wVlkMTBK/KJbENbdAe/680k=
-=fziY
------END PGP SIGNATURE-----

SOURCES/samba-4.19.4.tar.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
+tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
+Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
+2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
+XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
+iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
+svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
+JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
+ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
+vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
++NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
+1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
+=kOPP
+-----END PGP SIGNATURE-----

SOURCES/samba-s4u.patch

@@ -1,670 +0,0 @@
-From 17eb98d3f8ebd0fe48e218bb03a3c0165b9b6e95 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Fri, 27 Sep 2019 18:25:03 +0300
-Subject: [PATCH 1/4] mit-kdc: add basic loacl realm S4U support
-
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
----
- source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
- source4/kdc/mit_samba.c                  |  47 ++-------
- source4/kdc/mit_samba.h                  |   6 +-
- 3 files changed, 71 insertions(+), 106 deletions(-)
-
-diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
-index 793fe366c35..22534c09974 100644
---- a/source4/kdc/mit-kdb/kdb_samba_policies.c
-+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
-@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
- 				     krb5_keyblock *krbtgt_key,
- 				     krb5_timestamp authtime,
- 				     krb5_authdata **tgt_auth_data,
--				     krb5_pac *pac)
-+				     krb5_pac *out_pac)
- {
- 	struct mit_samba_context *mit_ctx;
- 	krb5_authdata **authdata = NULL;
--	krb5_pac ipac = NULL;
--	DATA_BLOB logon_data = { NULL, 0 };
-+	krb5_keyblock *header_server_key = NULL;
-+	krb5_key_data *impersonator_kd = NULL;
-+	krb5_keyblock impersonator_key = {0};
- 	krb5_error_code code;
-+	krb5_pac pac;
-+
-+	*out_pac = NULL;
- 
- 	mit_ctx = ks_get_context(context);
- 	if (mit_ctx == NULL) {
-@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
- 	code = krb5_pac_parse(context,
- 			      authdata[0]->contents,
- 			      authdata[0]->length,
--			      &ipac);
-+			      &pac);
- 	if (code != 0) {
- 		goto done;
- 	}
- 
--	/* TODO: verify this is correct
--	 *
--	 * In the constrained delegation case, the PAC is from a service
--	 * ticket rather than a TGT; we must verify the server and KDC
--	 * signatures to assert that the server did not forge the PAC.
-+	/*
-+	 * For constrained delegation in MIT version < 1.18 we aren't provided
-+	 * with the 2nd ticket server key to verify the PAC.
-+	 * We can workaround that by fetching the key from the client db entry,
-+	 * which is the impersonator account in that version.
-+	 * TODO: use the provided entry in the new 1.18 version.
- 	 */
- 	if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
--		code = krb5_pac_verify(context,
--				       ipac,
--				       authtime,
--				       client_princ,
--				       server_key,
--				       krbtgt_key);
-+		/* The impersonator must be local. */
-+		if (client == NULL) {
-+			code = KRB5KDC_ERR_BADOPTION;
-+			goto done;
-+		}
-+		/* Fetch and decrypt 2nd ticket server's current key. */
-+		code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
-+					     &impersonator_kd);
-+		if (code != 0) {
-+			goto done;
-+		}
-+		code = krb5_dbe_decrypt_key_data(context, NULL,
-+						 impersonator_kd,
-+						 &impersonator_key, NULL);
-+		if (code != 0) {
-+			goto done;
-+		}
-+		header_server_key = &impersonator_key;
- 	} else {
--		code = krb5_pac_verify(context,
--				       ipac,
--				       authtime,
--				       client_princ,
--				       krbtgt_key,
--				       NULL);
--	}
--	if (code != 0) {
--		goto done;
-+		header_server_key = krbtgt_key;
- 	}
- 
--	/* check and update PAC */
--	code = krb5_pac_parse(context,
--			      authdata[0]->contents,
--			      authdata[0]->length,
--			      pac);
-+	code = krb5_pac_verify(context, pac, authtime, client_princ,
-+			       header_server_key, NULL);
- 	if (code != 0) {
- 		goto done;
- 	}
-@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
- 	code = mit_samba_reget_pac(mit_ctx,
- 				   context,
- 				   flags,
--				   client_princ,
- 				   client,
- 				   server,
- 				   krbtgt,
- 				   krbtgt_key,
--				   pac);
-+				   &pac);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	*out_pac = pac;
-+	pac = NULL;
- 
- done:
-+	krb5_free_keyblock_contents(context, &impersonator_key);
- 	krb5_free_authdata(context, authdata);
--	krb5_pac_free(context, ipac);
--	free(logon_data.data);
-+	krb5_pac_free(context, pac);
- 
- 	return code;
- }
-@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 	krb5_authdata **pac_auth_data = NULL;
- 	krb5_authdata **authdata = NULL;
- 	krb5_boolean is_as_req;
-+	krb5_const_principal pac_client;
- 	krb5_error_code code;
- 	krb5_pac pac = NULL;
- 	krb5_data pac_data;
-@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
- 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
- 
--	/* FIXME: We don't support S4U yet */
--	if (flags & KRB5_KDB_FLAGS_S4U) {
--		return KRB5_KDB_DBTYPE_NOSUP;
--	}
--
- 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
- 
- 	/*
-@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 		ks_client_princ = client->princ;
- 	}
- 
-+	/* In protocol transition, we are currently not provided with the tgt
-+	 * client name to verify the PAC, we could probably skip the name
-+	 * verification and just verify the signatures, but since we don't
-+	 * support cross-realm nor aliases, we can just use server->princ */
-+	if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
-+		pac_client = server->princ;
-+	} else {
-+		pac_client = ks_client_princ;
-+	}
-+
- 	if (client_entry == NULL) {
- 		client_entry = client;
- 	}
-@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 
- 			code = ks_verify_pac(context,
- 					     flags,
--					     ks_client_princ,
-+					     pac_client,
- 					     client_entry,
- 					     server,
- 					     krbtgt,
-@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 		  is_as_req ? "AS-REQ" : "TGS-REQ",
- 		  client_name);
- 	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
--			server_key, krbtgt_key, &pac_data);
-+			     server_key, krbtgt_key, &pac_data);
- 	if (code != 0) {
- 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
- 		goto done;
-@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 					      KRB5_AUTHDATA_IF_RELEVANT,
- 					      authdata,
- 					      signed_auth_data);
--	if (code != 0) {
--		goto done;
--	}
--
--	code = 0;
--
- done:
- 	if (client_entry != NULL && client_entry != client) {
- 		ks_free_principal(context, client_entry);
-@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
- 	 * server; -> delegating service
- 	 * proxy; -> target principal
- 	 */
--	krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
--
--	char *target_name = NULL;
--	bool is_enterprise;
--	krb5_error_code code;
- 
- 	mit_ctx = ks_get_context(context);
- 	if (mit_ctx == NULL) {
- 		return KRB5_KDB_DBNOTINITED;
- 	}
- 
--	code = krb5_unparse_name(context, proxy, &target_name);
--	if (code) {
--		goto done;
--	}
--
--	is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
--
--	code = mit_samba_check_s4u2proxy(mit_ctx,
--					 delegating_service,
--					 target_name,
--					 is_enterprise);
--
--done:
--	free(target_name);
--	return code;
-+	return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
- }
- 
- 
-diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
-index 27b15828468..994dfed312b 100644
---- a/source4/kdc/mit_samba.c
-+++ b/source4/kdc/mit_samba.c
-@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
- krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- 				    krb5_context context,
- 				    int flags,
--				    krb5_const_principal client_principal,
- 				    krb5_db_entry *client,
- 				    krb5_db_entry *server,
- 				    krb5_db_entry *krbtgt,
-@@ -682,7 +681,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- 								  context,
- 								  *pac,
- 								  server->princ,
--								  discard_const(client_principal),
-+								  client->princ,
- 								  deleg_blob);
- 		if (!NT_STATUS_IS_OK(nt_status)) {
- 			DEBUG(0, ("Update delegation info failed: %s\n",
-@@ -1004,41 +1003,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
- }
- 
- int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
--			      krb5_db_entry *kentry,
--			      const char *target_name,
--			      bool is_nt_enterprise_name)
-+			      const krb5_db_entry *server,
-+			      krb5_const_principal target_principal)
- {
--#if 1
--	/*
--	 * This is disabled because mit_samba_update_pac_data() does not handle
--	 * S4U_DELEGATION_INFO
--	 */
--
--	return KRB5KDC_ERR_BADOPTION;
--#else
--	krb5_principal target_principal;
--	int flags = 0;
--	int ret;
--
--	if (is_nt_enterprise_name) {
--		flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
--	}
--
--	ret = krb5_parse_name_flags(ctx->context, target_name,
--				    flags, &target_principal);
--	if (ret) {
--		return ret;
--	}
--
--	ret = samba_kdc_check_s4u2proxy(ctx->context,
--					ctx->db_ctx,
--					skdc_entry,
--					target_principal);
--
--	krb5_free_principal(ctx->context, target_principal);
--
--	return ret;
--#endif
-+	struct samba_kdc_entry *server_skdc_entry =
-+		 talloc_get_type_abort(server->e_data,
-+				       struct samba_kdc_entry);
-+
-+	return samba_kdc_check_s4u2proxy(ctx->context,
-+					 ctx->db_ctx,
-+					 server_skdc_entry,
-+					 target_principal);
- }
- 
- static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
-diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
-index 4431e82a1b2..9370ab533af 100644
---- a/source4/kdc/mit_samba.h
-+++ b/source4/kdc/mit_samba.h
-@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
- krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- 				    krb5_context context,
- 				    int flags,
--				    krb5_const_principal client_principal,
- 				    krb5_db_entry *client,
- 				    krb5_db_entry *server,
- 				    krb5_db_entry *krbtgt,
-@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
- 				  DATA_BLOB *e_data);
- 
- int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
--			      krb5_db_entry *kentry,
--			      const char *target_name,
--			      bool is_nt_enterprise_name);
-+			      const krb5_db_entry *server,
-+			      krb5_const_principal target_principal);
- 
- int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
- 				      char *pwd,
--- 
-2.33.1
-
-
-From f4fc23103f47b712baf3b4b0ebcb42d0f3f3fd42 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Fri, 27 Sep 2019 18:35:30 +0300
-Subject: [PATCH 2/4] krb5-mit: enable S4U client support for MIT build
-
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
----
- lib/krb5_wrap/krb5_samba.c            | 185 ++++++++++++++++++++++++++
- lib/krb5_wrap/krb5_samba.h            |   2 -
- source4/auth/kerberos/kerberos_util.c |  11 --
- 3 files changed, 185 insertions(+), 13 deletions(-)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 61d651b4d5f..462acec90b6 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -2699,6 +2699,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
- 
- 	return 0;
- }
-+
-+#else /* MIT */
-+
-+static bool princ_compare_no_dollar(krb5_context ctx,
-+				    krb5_principal a,
-+				    krb5_principal b)
-+{
-+	bool cmp;
-+	krb5_principal mod = NULL;
-+
-+	if (a->length == 1 && b->length == 1 &&
-+	    a->data[0].length != 0 && b->data[0].length != 0 &&
-+	    a->data[0].data[a->data[0].length -1] !=
-+	    b->data[0].data[b->data[0].length -1]) {
-+		if (a->data[0].data[a->data[0].length -1] == '$') {
-+			mod = a;
-+			mod->data[0].length--;
-+		} else if (b->data[0].data[b->data[0].length -1] == '$') {
-+			mod = b;
-+			mod->data[0].length--;
-+		}
-+	}
-+
-+	cmp = krb5_principal_compare_flags(ctx, a, b,
-+					   KRB5_PRINCIPAL_COMPARE_CASEFOLD);
-+
-+	if (mod != NULL) {
-+		mod->data[0].length++;
-+	}
-+
-+	return cmp;
-+}
-+
-+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
-+					   krb5_ccache store_cc,
-+					   krb5_principal init_principal,
-+					   const char *init_password,
-+					   krb5_principal impersonate_principal,
-+					   const char *self_service,
-+					   const char *target_service,
-+					   krb5_get_init_creds_opt *krb_options,
-+					   time_t *expire_time,
-+					   time_t *kdc_time)
-+{
-+	krb5_error_code code;
-+	krb5_principal self_princ = NULL;
-+	krb5_principal target_princ = NULL;
-+	krb5_creds *store_creds;
-+	krb5_creds *s4u2self_creds = NULL;
-+	krb5_creds *s4u2proxy_creds = NULL;
-+	krb5_creds init_creds = {0};
-+	krb5_creds mcreds = {0};
-+	krb5_flags options = KRB5_GC_NO_STORE;
-+	krb5_ccache tmp_cc;
-+	bool s4u2proxy;
-+
-+	code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
-+	if (code != 0) {
-+		return code;
-+	}
-+
-+	code = krb5_get_init_creds_password(ctx, &init_creds,
-+					    init_principal,
-+					    init_password,
-+					    NULL, NULL,
-+					    0,
-+					    NULL,
-+					    krb_options);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	/*
-+	 * Check if we also need S4U2Proxy or if S4U2Self is
-+	 * enough in order to get a ticket for the target.
-+	 */
-+	if (target_service == NULL) {
-+		s4u2proxy = false;
-+	} else if (strcmp(target_service, self_service) == 0) {
-+		s4u2proxy = false;
-+	} else {
-+		s4u2proxy = true;
-+	}
-+
-+	code = krb5_parse_name(ctx, self_service, &self_princ);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	/* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
-+	 * client and the request server to be the same principal name. */
-+	if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
-+		code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
-+		goto done;
-+	}
-+
-+	mcreds.client = impersonate_principal;
-+	mcreds.server = init_creds.client;
-+
-+	code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
-+					     NULL, &s4u2self_creds);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	if (s4u2proxy) {
-+		code = krb5_parse_name(ctx, target_service, &target_princ);
-+		if (code != 0) {
-+			goto done;
-+		}
-+
-+		mcreds.client = init_creds.client;
-+		mcreds.server = target_princ;
-+		mcreds.second_ticket = s4u2self_creds->ticket;
-+
-+		code = krb5_get_credentials(ctx, options |
-+					    KRB5_GC_CONSTRAINED_DELEGATION,
-+					    tmp_cc, &mcreds, &s4u2proxy_creds);
-+		if (code != 0) {
-+			goto done;
-+		}
-+
-+		/* Check KDC support of S4U2Proxy extension */
-+		if (!krb5_principal_compare(ctx, s4u2self_creds->client,
-+					    s4u2proxy_creds->client)) {
-+			code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
-+			goto done;
-+		}
-+
-+		store_creds = s4u2proxy_creds;
-+	} else {
-+		store_creds = s4u2self_creds;;
-+
-+		/* We need to save the ticket with the requested server name
-+		 * or the caller won't be able to find it in cache. */
-+		if (!krb5_principal_compare(ctx, self_princ,
-+			store_creds->server)) {
-+			krb5_free_principal(ctx, store_creds->server);
-+			store_creds->server = NULL;
-+			code = krb5_copy_principal(ctx, self_princ,
-+						   &store_creds->server);
-+			if (code != 0) {
-+				goto done;
-+			}
-+		}
-+	}
-+
-+	code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	code = krb5_cc_store_cred(ctx, store_cc, store_creds);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	if (expire_time) {
-+		*expire_time = (time_t) store_creds->times.endtime;
-+	}
-+
-+	if (kdc_time) {
-+		*kdc_time = (time_t) store_creds->times.starttime;
-+	}
-+
-+done:
-+	krb5_cc_destroy(ctx, tmp_cc);
-+	krb5_free_cred_contents(ctx, &init_creds);
-+	krb5_free_creds(ctx, s4u2self_creds);
-+	krb5_free_creds(ctx, s4u2proxy_creds);
-+	krb5_free_principal(ctx, self_princ);
-+	krb5_free_principal(ctx, target_princ);
-+
-+	return code;
-+}
- #endif
- 
- #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
-diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
-index a66b7465530..c8573f52bd9 100644
---- a/lib/krb5_wrap/krb5_samba.h
-+++ b/lib/krb5_wrap/krb5_samba.h
-@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
- 					       krb5_get_init_creds_opt *krb_options,
- 					       time_t *expire_time,
- 					       time_t *kdc_time);
--#ifdef SAMBA4_USES_HEIMDAL
- krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
- 					   krb5_ccache store_cc,
- 					   krb5_principal init_principal,
-@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
- 					   krb5_get_init_creds_opt *krb_options,
- 					   time_t *expire_time,
- 					   time_t *kdc_time);
--#endif
- 
- #if defined(HAVE_KRB5_MAKE_PRINCIPAL)
- #define smb_krb5_make_principal krb5_make_principal
-diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
-index 544d9d853cc..c14d8c72d8c 100644
---- a/source4/auth/kerberos/kerberos_util.c
-+++ b/source4/auth/kerberos/kerberos_util.c
-@@ -234,9 +234,7 @@ done:
- {
- 	krb5_error_code ret;
- 	const char *password;
--#ifdef SAMBA4_USES_HEIMDAL
- 	const char *self_service;
--#endif
- 	const char *target_service;
- 	time_t kdc_time = 0;
- 	krb5_principal princ;
-@@ -268,9 +266,7 @@ done:
- 		return ret;
- 	}
- 
--#ifdef SAMBA4_USES_HEIMDAL
- 	self_service = cli_credentials_get_self_service(credentials);
--#endif
- 	target_service = cli_credentials_get_target_service(credentials);
- 
- 	password = cli_credentials_get_password(credentials);
-@@ -331,7 +327,6 @@ done:
- #endif
- 		if (password) {
- 			if (impersonate_principal) {
--#ifdef SAMBA4_USES_HEIMDAL
- 				ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
- 								 ccache,
- 								 princ,
-@@ -342,12 +337,6 @@ done:
- 								 krb_options,
- 								 NULL,
- 								 &kdc_time);
--#else
--				talloc_free(mem_ctx);
--				(*error_string) = "INTERNAL error: s4u2 ops "
--					"are not supported with MIT build yet";
--				return EINVAL;
--#endif
- 			} else {
- 				ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
- 								     ccache,
--- 
-2.33.1
-
-
-From 48d73d552f2fbbdb07bd9aff4d0294883b70417f Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Sat, 19 Sep 2020 14:16:20 +0200
-Subject: [PATCH 3/4] wip: for canonicalization with new MIT kdc code
-
----
- source4/kdc/mit_samba.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
-index 994dfed312b..9d039e5601b 100644
---- a/source4/kdc/mit_samba.c
-+++ b/source4/kdc/mit_samba.c
-@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
- 	if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
- 		sflags |= SDB_F_CANON;
- 	}
-+#if KRB5_KDB_API_VERSION >= 10
-+	sflags |= SDB_F_FORCE_CANON;
-+#endif
- 	if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
- 		      KRB5_KDB_FLAG_INCLUDE_PAC)) {
- 		/*
--- 
-2.33.1
-
-
-From f5f54026d151f6d899e8ff52d8829a2f9cf57f25 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 21 Dec 2021 12:17:11 +0100
-Subject: [PATCH 4/4] s4:kdc: Also cannoicalize krbtgt principals when
- enforcing canonicalization
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source4/kdc/db-glue.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
-index 8d17038cfe6..77c0c0e4746 100644
---- a/source4/kdc/db-glue.c
-+++ b/source4/kdc/db-glue.c
-@@ -946,7 +946,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- 	if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
- 		p->is_krbtgt = true;
- 
--		if (flags & (SDB_F_CANON)) {
-+		if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
- 			/*
- 			 * When requested to do so, ensure that the
- 			 * both realm values in the principal are set
--- 
-2.33.1
-

SOURCES/samba-systemd-sysusers.conf

@@ -0,0 +1,2 @@
+#Type Name       ID
+g     printadmin -

SOURCES/samba-usershares-systemd-sysusers.conf

@@ -0,0 +1,2 @@
+#Type Name       ID
+g     usershares -

SOURCES/samba-winbind-systemd-sysusers.conf

@@ -0,0 +1,2 @@
+#Type Name       ID
+g     wbpriv     88

SOURCES/smb.conf.example

@@ -281,7 +281,7 @@
 
 [printers]
 	comment = All Printers
-	path = /var/spool/samba
+	path = /var/tmp
 	browseable = no
 	guest ok = no
 	writable = no

SOURCES/smb.conf.vendor

@@ -2,6 +2,10 @@
 # read the smb.conf manpage.
 # Run 'testparm' to verify the config is correct after
 # you modified it.
+#
+# Note:
+# SMB1 is disabled by default. This means clients without support for SMB2 or
+# SMB3 are no longer able to connect to smbd (by default).
 
 [global]
 	workgroup = SAMBA
@@ -14,6 +18,9 @@
 	load printers = yes
 	cups options = raw
 
+	# Install samba-usershares package for support
+	include = /etc/samba/usershares.conf
+
 [homes]
 	comment = Home Directories
 	valid users = %S, %D%w%S

SOURCES/usershares.conf.vendor

@@ -0,0 +1,3 @@
+[global]
+	usershare max shares = 100
+	usershare allow guests = yes