From 7c5ce0071c7b70ac5d84625fda321294452ca9e0fca2831dc15aaf9670f0e9f2 Mon Sep 17 00:00:00 2001 
From: Noel Power Date: Wed, 10 Nov 2021 21:17:55 +0000 Subject: [PATCH] Accepting request 930730 from home:scabrero:branches:network:samba:STABLE - Fix regression introduced by CVE-2020-25717 patches, winbindd does not start when 'allow trusted domains' is off; (bso#14899); - Update to 4.15.2 * CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication; (bso#12444); (bsc#1014440); * CVE-2020-25717: A user on the domain can become root on domain members; (bso#14556); (bsc#1192284); * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC; (bso#14558); (bsc#1192246); * CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets; (bso#14561); (bsc#1192247); * CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); * CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored; (bso#14564); (bsc#1192283); * CVE-2021-3738: Use after free in Samba AD DC RPC server; (bso#14468); (bsc#1192215); * CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability; (bso#14875); (bsc#1192214); - Update to 4.15.1 * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); * Log clutter from filename_convert_internal; (bso#14685); * MacOSX compilation fixes; (bso#14862); * rodc_rwdc test flaps; (bso#14868); * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal; (bso#14642); * Python ldb.msg_diff() memory handling failure; (bso#14836); * "in" operator on ldb.Message is case sensitive; (bso#14845); OBS-URL: https://build.opensuse.org/request/show/930730 OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/samba?expand=0&rev=651 --- samba-4.15.0+git.185.378416e547c.tar.bz2 | 3 -- samba-4.15.2+git.193.a4d6307f1fd.tar.bz2 | 3 ++ samba.changes | 56 ++++++++++++++++++++++++ samba.spec | 30 
+++++++++---- 4 files changed, 81 insertions(+), 11 deletions(-) delete mode 100644 samba-4.15.0+git.185.378416e547c.tar.bz2 create mode 100644 samba-4.15.2+git.193.a4d6307f1fd.tar.bz2
diff --git a/samba-4.15.0+git.185.378416e547c.tar.bz2 b/samba-4.15.0+git.185.378416e547c.tar.bz2
deleted file mode 100644
index a9ce8fe..0000000
--- a/samba-4.15.0+git.185.378416e547c.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4f37e85d0b7dd6ecd56f7c65b132dc473756edf2f27711900514f7e023496c74
-size 25317695
diff --git a/samba-4.15.2+git.193.a4d6307f1fd.tar.bz2 b/samba-4.15.2+git.193.a4d6307f1fd.tar.bz2
new file mode 100644
index 0000000..fe9d35a
--- /dev/null
+++ b/samba-4.15.2+git.193.a4d6307f1fd.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44f3c89fb4a81c393d559a355fc4395be8c37542aa085ab679682b1fcbf146ab
+size 25421589
diff --git a/samba.changes b/samba.changes
index 7a2c3e2..ad51555 100644
--- a/samba.changes
+++ b/samba.changes
@@ -1,3 +1,59 @@ +------------------------------------------------------------------- +Wed Nov 10 10:26:01 UTC 2021 - Samuel Cabrero + +- Fix regression introduced by CVE-2020-25717 patches, winbindd + does not start when 'allow trusted domains' is off; (bso#14899); + +- Update to 4.15.2 + * CVE-2016-2124: SMB1 client connections can be downgraded to + plaintext authentication; (bso#12444); (bsc#1014440); + * CVE-2020-25717: A user on the domain can become root on domain + members; (bso#14556); (bsc#1192284); + * CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos + tickets issued by an RODC; (bso#14558); (bsc#1192246); + * CVE-2020-25719: Samba AD DC did not always rely on the SID and + PAC in Kerberos tickets; (bso#14561); (bsc#1192247); + * CVE-2020-25721: Kerberos acceptors need easy access to stable + AD identifiers (eg objectSid); (bso#14557); (bsc#1192505); + * CVE-2020-25722: Samba AD DC did not do suffienct access and + conformance checking of data stored; (bso#14564); + (bsc#1192283); + * CVE-2021-3738: Use after free in Samba AD DC RPC server; + (bso#14468); (bsc#1192215); + * CVE-2021-23192: Subsequent DCE/RPC fragment injection + vulnerability; (bso#14875); (bsc#1192214); + +- Update to 4.15.1 + * vfs_shadow_copy2: core dump in make_relative_path; (bso#14682); + * Log clutter from filename_convert_internal; (bso#14685); + * MacOSX compilation fixes; (bso#14862); + * rodc_rwdc test flaps; (bso#14868); + * Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze + bit' S4U2Proxy Constrained Delegation bypass in Samba with + embedded Heimdal; (bso#14642); + * Python ldb.msg_diff() memory handling failure; (bso#14836); + * "in" operator on ldb.Message is case sensitive; (bso#14845); + * Release LDB 2.4.1 for Samba 4.15.1; (bso#14848); + * samldb_krbtgtnumber_available() looks for incorrect string; + (bso#14854); + * Fix Samba support for UF_NO_AUTH_DATA_REQUIRED; (bso#14871); + * Allow special chars like "@" in samAccountName when 
generating + the salt; (bso#14874); + * Correctly ignore comments in CTDB public addresses file; + (bso#14826); + * Fix transit path validation; (bso#12998); + * Fix that child winbindd logs to log.winbindd instead of + log.wb-; (bso#14852); + * SMB3 cancel requests should only include the MID together with + AsyncID when AES-128-GMAC is used; (bso#14855); + * Prepare to operate with MIT krb5 >= 1.20; (bso#14870); + * Heimdal prefers RC4 over AES for machine accounts; (bso#14864); + +------------------------------------------------------------------- +Wed Oct 13 17:07:47 UTC 2021 - David Mulder + +- Enable samba-tool without ad dc. + ------------------------------------------------------------------- Thu Sep 30 15:57:14 UTC 2021 - Noel Power diff --git a/samba.spec b/samba.spec index 594d0b3..58da2a6 100644 --- a/samba.spec +++ b/samba.spec @@ -53,7 +53,7 @@ %define talloc_version 2.3.3 %define tevent_version 0.11.0 %define tdb_version 1.4.4 -%define ldb_version 2.4.0 +%define ldb_version 2.4.1 # This table represents the possible combinations of build macros. # They are defined only if not already defined in the build service @@ -184,7 +184,7 @@ BuildRequires: liburing-devel %else %define build_make_smp_mflags %{?jobs:-j%jobs} %endif -Version: 4.15.0+git.185.378416e547c +Version: 4.15.2+git.193.a4d6307f1fd Release: 0 URL: https://www.samba.org/ Obsoletes: samba-32bit < %{version} 
@@ -873,6 +873,18 @@ The Ceph VFS module for Samba allows shares to be backed by the Ceph distributed file system. A Ceph CTDB lock helper binary is included so that RADOS locks can be used for CTDB split-brain avoidance. + +%package -n samba-tool +Summary: Main Samba administration tool +License: GPL-3.0-or-later +Group: Productivity/Networking/Samba +Requires: samba = %{version} +Requires: samba-python3 = %{version} +Requires: samba-ldb-ldap = %{version} + +%description -n samba-tool +The package contains samba-tool, the main tool for Samba Administration. + %package ad-dc Summary: Samba Active Directory-compatible Domain Controller License: GPL-3.0-or-later @@ -883,6 +895,7 @@ Requires: samba-dsdb-modules = %{version} Recommends: krb5-server >= 1.15.1 %endif Requires: samba-python3 = %{version} +Requires: samba-tool = %{version} Recommends: samba-winbind = %{version} Recommends: tdb-tools >= %{tdb_version} Provides: samba-kdc = %{version} @@ -1067,10 +1080,7 @@ make install \ # debug symbols are created and installed if the files are excluded only %if ! %{with_dc} rm \ - %{buildroot}/%{_libdir}/samba/ldb/ildap.so \ - %{buildroot}/%{_libdir}/samba/ldb/ldbsamba_extensions.so \ %{buildroot}/%{_mandir}/man8/samba.8* \ - %{buildroot}/%{_mandir}/man8/samba-tool.8* \ %{buildroot}/%{_mandir}/man8/samba_downgrade_db.8* \ %{buildroot}/%{_unitdir}/samba-ad-dc.service %endif @@ -1859,8 +1869,8 @@ exit 0 %if %{with_dc} %{_libdir}/samba/libdb-glue-samba4.so %{_libdir}/samba/libdfs-server-ad-samba4.so -%{_libdir}/samba/libdnsserver-common-samba4.so %endif +%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libdsdb-module-samba4.so %if %{with_dc} %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so 
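Review bot: `Requires: samba = %{version}` in the new `%package -n samba-tool` stanza ties the administration CLI to the whole server package, so a host that only needs `samba-tool` for remote administration also gets whatever daemons `samba` ships (the `samba` file list is not in this diff, so this is inferred). If the tool only needs shared libraries and the Python bindings, depending on those subpackages instead keeps the installed footprint, and the set of network services that can be started on that host, smaller. At minimum a comment above the line, e.g. `# samba-tool needs <component> from the main package`, would record why the hard dependency exists.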
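Review bot: Moving `%{_libdir}/samba/libdnsserver-common-samba4.so` below the `%endif` in the `@@ -1859` hunk makes it the only one of these three libraries packaged in builds without the AD DC, and nothing in the hunk says why. A one-line comment such as `# required by samba-tool, which is now built without the AD DC` (presumably the reason; confirm against the actual library dependencies) would stop a later cleanup from moving it back under `%if %{with_dc}`. The enclosing `%files` section starts and ends outside the hunk, so which package receives the library cannot be seen here.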
@@ -2403,11 +2413,14 @@ exit 0 %{_libdir}/ctdb/ctdb_mutex_ceph_rados_helper %endif +%files -n samba-tool +%{_bindir}/samba-tool +%{_mandir}/man8/samba-tool.8.* + %if %{with_dc} %files ad-dc %{_fillupdir}/sysconfig.samba-ad-dc %{_unitdir}/samba-ad-dc.service -%{_bindir}/samba-tool %{_sbindir}/samba %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_kcc @@ -2518,14 +2531,15 @@ exit 0 %{_datadir}/samba/admx/en-US %{_datadir}/samba/admx/en-US/samba.adml %{_mandir}/man8/samba.8.* -%{_mandir}/man8/samba-tool.8.* %{_mandir}/man8/samba_downgrade_db.8.* +%endif %files ldb-ldap %defattr(-,root,root) %{_libdir}/samba/ldb/ildap.so %{_libdir}/samba/ldb/ldbsamba_extensions.so +%if %{with_dc} %files dsdb-modules %defattr(-,root,root) %{_libdir}/samba/ldb/acl.so
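Review bot: The added `%endif` / `%if %{with_dc}` pair in the `@@ -2518` hunk makes `%files ldb-ldap` unconditional, but no hunk in this patch touches the matching `%package ldb-ldap` declaration. If that declaration still sits inside an `%if %{with_dc}` block, a build without the AD DC has a file list for an undeclared package, and the new `Requires: samba-ldb-ldap = %{version}` of samba-tool cannot be satisfied; check that the package is declared unconditionally. The new `%if %{with_dc}` also relies on an `%endif` further down that lies outside this hunk.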