- Update spec file to fix the optional Heimdal DC build
- Fix external trusts with MIT Kerberos 1.20
- Add missing samba-client requirement to samba-winbind package;
(bsc#1198255);
- Move pdb backends from package samba-libs to package
samba-client-libs and remove samba-libs requirement from
samba-winbind; (bsc#1200964); (bsc#1198255);
- Add sysuser-shadow requirement for packages using
systemd-sysusers
- Use the canonical realm name to refresh the Kerberos tickets;
(bsc#1196224); (bso#14979);
- Moved logrotate files from user specific directory /etc/logrotate.d
to vendor specific directory /usr/etc/logrotate.d.
OBS-URL: https://build.opensuse.org/request/show/988948
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=665
- Update to 4.16.2
* Use pathref fd instead of io fd in vfs_default_durable_cookie;
(bso#15042);
* vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
file had been deleted; (bso#15069);
* Reintroduce netgroups support; (bso#15087);
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
server; (bso#14674);
* Update from 4.15 to 4.16 breaks discovery of [homes] on
standalone server from Win and IOS; (bso#15062);
* waf produces incorrect names for python extensions with Python
3.11; (bso#15071);
* smbclient -E doesn't work as advertised; (bso#15075);
* The samba background daemon doesn't refresh the printcap cache
on startup; (bso#15081);
* Out-by-4 error in smbd read reply max_send clamp; (bso#14443);
- Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7
- Support building with MIT Kerberos 1.20
- Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC;
(CVE-2020-17049);
- Resource Based Constrained Delegation (RBCD) for Samba AD DC
- Support building with gcc 12.1
OBS-URL: https://build.opensuse.org/request/show/983456
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/samba?expand=0&rev=282
- Update to 4.16.1
* Share and server swapped in smbget password prompt; (bso#14831);
* Durable handles won't reconnect if the leased file is written to;
(bso#15022);
* rmdir silently fails if directory contains unreadable files and
hide unreadable is yes; (bso#15023);
* SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
on renamed file handle; (bso#15038);
* Need to describe --builtin-libraries= better (compare with
--bundled-libraries); (bso#8731);
* vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback;
(bso#14957);
* shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
(bso#15035);
* PAM Kerberos authentication incorrectly fails with a clock skew
error; (bso#15046);
* Username map - samba erroneously applies unix group memberships
to user account entries; (bso#15041);
* KVNO off by 100000; (bso#14951);
* Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
* vfs_gpfs recalls=no option prevents listing files; (bso#15055);
* smbd doesn't handle UPNs for looking up names; (bso#15054);
- Update update-apparmor-samba-profile script, replace
non-printable delimiter with more human readable separator as
sed can accept separators that can appear in the input data.
OBS-URL: https://build.opensuse.org/request/show/974674
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=662
- Update to 4.16.0
* New samba-dcerpcd binary to provide DCERPC in the member server
setup
* Certificate Auto Enrollment
* Ability to add ports to dns forwarder addresses in internal DNS
backend
* No longer using Linux mandatory locks for sharemodes
* SMB1 protocol has been deprecated, particularly older dialects
* SMB1 protocol SMBCopy command removed
* SMB1 server-side wildcard expansion removed
- Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101);
- Use systemd-sysusers to create system users; (bsc#1182847);
OBS-URL: https://build.opensuse.org/request/show/966947
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/samba?expand=0&rev=278
- Update to 4.15.5
* CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
outside target of a symlink exists; (bso#14911);
(bsc#1193690).
* CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
module; (bso#14914); (bsc#1194859).
* CVE-2022-0336: Re-adding an SPN skips subsequent SPN
conflict checks; bso#14950); (bsc#1195048).
- CVE-2021-44141: Information leak via symlinks of existance of
files or directories outside of the exported share; (bso#14911);
(bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
in VFS module vfs_fruit allows code execution; (bso#14914);
(bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
account can impersonate arbitrary services; (bso#14950);
(bsc#1195048);
OBS-URL: https://build.opensuse.org/request/show/950276
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=659
- Update to 4.15.4
* Duplicate SMB file_ids leading to Windows client cache
poisoning; (bso#14928);
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
* kill_tcp_connections does not work; (bso#14934);
* Can't connect to Windows shares not requiring authentication
using KDE/Gnome; (bso#14935);
* smbclient -L doesn't set "client max protocol" to NT1 before
calling the "Reconnecting with SMB1 for workgroup listing"
path; (bso#14939);
* Cross device copy of the crossrename module always fails;
(bso#14940);
* symlinkat function from VFS cap module always fails with an
error; (bso#14941);
* Fix possible fsp pointer deference; (bso#14942);
* Missing pop_sec_ctx() in error path inside close_directory();
(bso#14944);
* "smbd --build-options" no longer works without an smb.conf file;
(bso#14945);
OBS-URL: https://build.opensuse.org/request/show/948069
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=658
- Use pkgconfig(krb5) as dependency for the -devel package: allow
OBS to pick the right flavor of krb5-devel (full vs mini).
- Do not require the 'krb5' symbol by samba-client-libs: this
package has an automatic dependency due to linkage on
libgssapi_krb5.so.2. Automatic deps are always better.
- Do not require the 'krb5' symbol from samba-libs: samba-libs
requires samba-client-libs, which in turn requires krb5
libraries. Samba-libs itself has no need for krb5 (but get it
indirectly anyway).
OBS-URL: https://build.opensuse.org/request/show/947215
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=657
- Reorganize libs packages. Split samba-libs into samba-client-libs,
samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
public libraries depending on internal samba libraries into these
packages as there were dependency problems everytime one of these
public libraries changed its version (bsc#1192684). The devel
packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Add python-rpm-macros to build requirements
OBS-URL: https://build.opensuse.org/request/show/945635
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=655
- Update to 4.15.3
* Recursive directory delete with veto files is broken in 4.15.0;
(bso#14878);
* A directory containing dangling symlinks cannot be deleted by
SMB2 alone when they are the only entry in the directory;
(bso#14879);
* SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
uninitialized in rmdir_internals(); (bso#14892);
* MaxQueryDuration not honoured in Samba AD DC LDAP; (bso#14694);
* The CVE-2020-25717 username map [script] advice has undesired
side effects for the local nt token; (bso#14901); (bsc#1192849);
* User with multiple spaces (eg Fred<space><space>Nurk) become
un-deletable; (bso#14902);
* Avoid storing NTTIME_THAW (-2) as value on disk; (bso#14127);
* smbXsrv_client_global record validation leads to crash if existing
record points at non-existing process; (bso#14882);
* Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call;
(bso#14890);
* Samba process doesn't log to logfile; (bso#14897);
* set_ea_dos_attribute() fallback calling get_file_handle_for_metadata()
triggers locking.tdb assert; (bso#14907);
* Kerberos authentication on standalone server in MIT realm broken;
(bso#14922);
* Segmentation fault when joining the domain; (bso#14923);
* Support for ROLE_IPA_DC is incomplete; (bso#14903);
* rpcclient cannot connect to ncacn_ip_tcp services anymore;
(bso#14767);
* winexe crashes since 4.15.0 after popt parsing; (bso#14893);
* net ads status -P broken in a clustered environment; (bso#14908);
* Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
OBS-URL: https://build.opensuse.org/request/show/939491
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=654
- Fix regression introduced by CVE-2020-25717 patches, winbindd
does not start when 'allow trusted domains' is off; (bso#14899);
- Update to 4.15.2
* CVE-2016-2124: SMB1 client connections can be downgraded to
plaintext authentication; (bso#12444); (bsc#1014440);
* CVE-2020-25717: A user on the domain can become root on domain
members; (bso#14556); (bsc#1192284);
* CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos
tickets issued by an RODC; (bso#14558); (bsc#1192246);
* CVE-2020-25719: Samba AD DC did not always rely on the SID and
PAC in Kerberos tickets; (bso#14561); (bsc#1192247);
* CVE-2020-25721: Kerberos acceptors need easy access to stable
AD identifiers (eg objectSid); (bso#14557); (bsc#1192505);
* CVE-2020-25722: Samba AD DC did not do suffienct access and
conformance checking of data stored; (bso#14564);
(bsc#1192283);
* CVE-2021-3738: Use after free in Samba AD DC RPC server;
(bso#14468); (bsc#1192215);
* CVE-2021-23192: Subsequent DCE/RPC fragment injection
vulnerability; (bso#14875); (bsc#1192214);
- Update to 4.15.1
* vfs_shadow_copy2: core dump in make_relative_path; (bso#14682);
* Log clutter from filename_convert_internal; (bso#14685);
* MacOSX compilation fixes; (bso#14862);
* rodc_rwdc test flaps; (bso#14868);
* Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
bit' S4U2Proxy Constrained Delegation bypass in Samba with
embedded Heimdal; (bso#14642);
* Python ldb.msg_diff() memory handling failure; (bso#14836);
* "in" operator on ldb.Message is case sensitive; (bso#14845);
OBS-URL: https://build.opensuse.org/request/show/930730
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=651
- Update to 4.14.6
* s3: lib: Fix talloc heirarcy error in parent_smb_fname(); (bso#14722).
* smbd: Fix pathref unlinking in create_file_unixpath(); (bso#14732).
* s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown(); (bso#14734).
* s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
change_file_owner_to_parent() error path; (bso#14736).
* NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
glusterfs VFS module; (bso#14730).
* s3/modules: fchmod: Fallback to path based chmod if pathref; (bso#14734).
* Spotlight RPC service doesn't work with vfs_glusterfs; (bso#14740).
* gensec_krb5: Restore ipv6 support for kpasswd; (bso#14750).
* smbXsrv_{open,session,tcon}: protect
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records;
(bso#14752).
* samba-tool domain backup offline doesn't work against bind DLZ
backend; (bso#14027).
* netcmd: Use next_free_rid() function to calculate a SID for
restoring a backup; (bso#14669).
OBS-URL: https://build.opensuse.org/request/show/908919
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=646
- Update to 4.14.5
* s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success;
(bso#14696);
* s3: smbd: Ensure POSIX default ACL is mapped into returned Windows
ACL for directory handles; (bso#14708);
* s3: smbd: Fix uninitialized memory read in process_symlink_open()
when used with vfs_shadow_copy2(); (bso#14721);
* docs: Expand the "log level" docs on audit logging; (bso#14689);
* smbd: Correctly initialize close timestamp fields; (bso#14714);
* Fix gcc11 compiler issues; (bso#14699);
* docs-xml: Update smbcacls manpage; (bso#14718);
* docs: Update list of available commands in rpcclient; (bso#14719);
* ctdb: Fix a crash in run_proc_signal_handler(); (bso#14475);
* s3:winbind: For 'security = ADS' require realm/workgroup to be set;
(bso#14695);
* lib:replace: Do not build strndup test with gcc 11 or newer;
(bso#14699);
OBS-URL: https://build.opensuse.org/request/show/897431
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=645
- Update to 4.14.4
* CVE-2021-20254: Fix buffer overrun in sids_to_unixids();
(bso#14571); (bsc#1184677).
- Update to 4.14.3
* s3:modules:vfs_virusfilter: Recent New_VFS changes break
vfs_virusfilter_openat; (bso#14671).
* build: Notice if flex is missing at configure time; (bso#14586).
* Fix smbd panic when two clients open same file; (bso#14672).
* Fix memory leak in the RPC server; (bso#14675).
* s3: smbd: fix deferred renames; (bso#14679).
* s3-iremotewinspool: Set the per-request memory context;
(bso#14675)
* Fix memory leak in the RPC server; (bso#14675).
* third_party: Update socket_wrapper to version 1.3.2;
(bso#11899).
* third_party: Update socket_wrapper to version 1.3.3;
(bso#14640).
* samba-gpupdate: Test that sysvol paths download in
case-insensitive way; (bso#14665).
* smbd: Ensure errno is preserved across fsp destructor;
(bso#14662).
* idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
conflict; (bso#14663).
* build: Only add -Wl,--as-needed when supported; (bso#14288).
OBS-URL: https://build.opensuse.org/request/show/889509
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=644
- Update to 4.13.4
* Work around special SMB2 IOCTL response behavior of NetApp Ontap
7.3.7; (bso#14607);
* Temporary DFS share setup doesn't set case parameters in the same
way as a regular share definition does; (bso#14612);
* lib: Avoid declaring zero-length VLAs in various messaging functions;
(bso#14605);
* Do not create an empty DB when accessing a sam.ldb; (bso#14579);
* vfs_fruit may close wrong backend fd; (bso#14596);
* Temporary DFS share setup doesn't set case parameters in the same way
as a regular share definition does; (bso#14612);
* vfs_virusfilter: Allocate separate memory for config char*; (bso#14606);
* vfs_fruit may close wrong backend fd; (bso#14596);
* Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7;
(bso#14607);
* The cache directory for the user gencache should be created recursively;
(bso#14601);
* Be more flexible with repository names in CentOS 8 test environments;
(bso#14594);
- Uninstalling samba-client: Failed to disable unit, cifs.service
does not exists; (bsc#1180388);
OBS-URL: https://build.opensuse.org/request/show/872360
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=641
- Update to 4.13.3
+ libcli: smb2: Never print length if smb2_signing_key_valid() fails for
crypto blob; (bsc#14210);
+ s3: modules: gluster. Fix the error I made in preventing talloc leaks
from a function; (bsc#14486);
+ s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL
via TALLOC_FREE(); (bsc#14515);
+ s3: spoolss: Make parameters in call to user_ok_token() match all other
uses; (bsc#14568);
+ s3: smbd: Quiet log messages from usershares for an unknown share;
(bsc#14590);
+ samba process does not honor max log size; (bsc#14248);
+ vfs_zfsacl: Add missing inherited flag on hidden "magic" everyone@ ACE;
(bsc#14587);
+ s3-libads: Pass timeout to open_socket_out in ms; (bsc#13124);
+ s3-vfs_glusterfs: Always disable write-behind translator; (bsc#14486);
+ smbclient: Fix recursive mget; (bsc#14517);
+ clitar: Use do_list()'s recursion in clitar.c; (bsc#14581);
+ manpages/vfs_glusterfs: Mention silent skipping of write-behind
translator; (bsc#14486);
+ vfs_shadow_copy2: Preserve all open flags assuming ROFS; (bsc#14573);
+ interface: Fix if_index is not parsed correctly; (bsc#14514);
OBS-URL: https://build.opensuse.org/request/show/856728
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=639
- Update to 4.13.2
+ s3: modules: vfs_glusterfs: Fix leak of char **lines onto
mem_ctx on return; (bso#14486);
+ RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special;
(bso#14471);
+ smb.conf.5: Add clarification how configuration changes reflected
by Samba; (bso#14538);
+ daemons: Report status to systemd even when running in foreground;
(bso#14552);
+ DNS Resolver: Support both dnspython before and after 2.0.0;
(bso#14553);
+ s3-vfs_glusterfs: Refuse connection when write-behind xlator is
present; (bso#14486);
+ provision: Add support for BIND 9.16.x; (bso#14487);
+ ctdb-common: Avoid aliasing errors during code optimization;
(bso#14537);
+ libndr: Avoid assigning duplicate versions to symbols; (bso#14541);
+ docs: Fix default value of spoolss:architecture; (bso#14522);
+ winbind: Fix a memleak; (bso#14388);
+ s4:dsdb:acl_read: Implement "List Object" mode feature; (bso#14531);
+ docs-xml/manpages: Add warning about write-behind translator for
vfs_glusterfs; (bso#14486);
+ nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
+ vfs_shadow_copy2: Avoid closing snapsdir twice; (bso#14530);
+ third_party: Update resolv_wrapper to version 1.1.7; (bso#14547);
+ examples:auth: Do not install example plugin; (bso#14550);
+ ctdb-recoverd: Drop unnecessary and broken code; (bso#14513);
+ RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special;
(bso#14471);
OBS-URL: https://build.opensuse.org/request/show/849279
OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=638
