From 63a09fdc7c4850a26e6de8acd3ddc19577c74ae8 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 13 Nov 2024 16:19:07 +0300 Subject: [PATCH] import samba-4.20.2-2.el9_5 --- .gitignore | 2 +- .samba.metadata | 2 +- SOURCES/redhat-4.20.2.patch | 618 ++++++++++++ SOURCES/samba-4.19-redhat.patch | 1632 ------------------------------- SOURCES/samba-4.19.4.tar.asc | 16 - SOURCES/samba-4.20.2.tar.asc | 16 + SPECS/samba.spec | 450 ++++++--- 7 files changed, 941 insertions(+), 1795 deletions(-) create mode 100644 SOURCES/redhat-4.20.2.patch delete mode 100644 SOURCES/samba-4.19-redhat.patch delete mode 100644 SOURCES/samba-4.19.4.tar.asc create mode 100644 SOURCES/samba-4.20.2.tar.asc diff --git a/.gitignore b/.gitignore index 775a82a..f5c29b0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.19.4.tar.xz +SOURCES/samba-4.20.2.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index 8a5c50b..4fab5e6 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz +607bea15c2306b165610ebe3f617f1b29ef7f133 SOURCES/samba-4.20.2.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/redhat-4.20.2.patch b/SOURCES/redhat-4.20.2.patch new file mode 100644 index 0000000..94a07a4 --- /dev/null +++ b/SOURCES/redhat-4.20.2.patch @@ -0,0 +1,618 @@ +From dddbbec2cb10b05a6ec3b4f1fcc877d60a44080a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 4 Jul 2024 11:08:03 +0200 +Subject: [PATCH 1/3] .gitlab-ci-main.yml: Add safe.directory '*' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is to fix the error when pushing to personal gitlab repo: + +2024-07-04 08:16:05,460 Running: 'git clone --recursive --shared /builds/pfilipen/samba /builds/samba-testbase/master' in '/builds/pfilipen/samba' +Cloning into '/builds/samba-testbase/master'... +fatal: detected dubious ownership in repository at '/builds/pfilipen/samba/.git' +To add an exception for this directory, call: + git config --global --add safe.directory /builds/pfilipen/samba/.git +fatal: Could not read from remote repository. + +Instead of adding more and more explicit repositories +we should just allow any, we're in an isolated environment... + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 + +Pair-Programmed-With: Stefan Metzmacher +Signed-off-by: Pavel Filipenský +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Wed Jul 10 10:35:00 UTC 2024 on atb-devel-224 + +(cherry picked from commit 3a21b7d9a4e7e9814d0be8c0ebf72b9821a5dc36) +--- + .gitlab-ci-main.yml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml +index face2103327..08865ca2c42 100644 +--- a/.gitlab-ci-main.yml ++++ b/.gitlab-ci-main.yml +@@ -146,8 +146,7 @@ include: + - ccache -z -M 500M + - ccache -s + # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI +- - git config --global --add safe.directory `pwd` +- - git config --global --add safe.directory /builds/samba-team/devel/samba/.git ++ - git config --global --add safe.directory '*' + after_script: + - mount + - df -h +-- +2.46.1 + + +From 1c69964d34d2cf66532b23ffde76a839a65b0db2 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 12 Jul 2024 14:18:26 +0200 +Subject: [PATCH 2/3] s3:printing: Allow to run samba-bgqd as a standalone + systemd service + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15683 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 0a532378322661b23b3393eb2ebde29402a16e62) + +Autobuild-User(v4-20-test): Jule Anger +Autobuild-Date(v4-20-test): Tue Jul 23 08:56:24 UTC 2024 on atb-devel-224 + +(cherry picked from commit 4cf9af9186d7829f11bd07c7d6e526a51dcf0d61) +--- + source3/printing/samba-bgqd.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c +index 59ed0cc40db..9560fcf9e35 100644 +--- a/source3/printing/samba-bgqd.c ++++ b/source3/printing/samba-bgqd.c +@@ -253,7 +253,9 @@ int main(int argc, const char *argv[]) + log_stdout = (debug_get_log_type() == DEBUG_STDOUT); + + /* main process will notify systemd */ +- daemon_sd_notifications(false); ++ if (ready_signal_fd != -1 || watch_fd != -1) { ++ daemon_sd_notifications(false); ++ } + + if (!cmdline_daemon_cfg->fork) { + daemon_status(progname, "Starting process ... "); +@@ -325,6 +327,10 @@ int main(int argc, const char *argv[]) + goto done; + } + ++ if (!cmdline_daemon_cfg->fork) { ++ daemon_ready(progname); ++ } ++ + if (ready_signal_fd != -1) { + pid_t pid = getpid(); + ssize_t written; +-- +2.46.1 + + +From 2e7ffc196aa9f241622a32ea002d96ad00799e4d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 22 Jul 2024 12:26:55 +0200 +Subject: [PATCH 3/3] s3:notifyd: Use a watcher per db record +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes a O(n²) performance regression in notifyd. The problem was +that we had a watcher per notify instance. This changes the code to have +a watcher per notify db entry. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14430 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue Oct 1 14:22:43 UTC 2024 on atb-devel-224 +--- + source3/smbd/notifyd/notifyd.c | 214 ++++++++++++++++++------- + source3/smbd/notifyd/notifyd_db.c | 5 +- + source3/smbd/notifyd/notifyd_entry.c | 51 ++++-- + source3/smbd/notifyd/notifyd_private.h | 46 ++++-- + 4 files changed, 228 insertions(+), 88 deletions(-) + +diff --git a/source3/smbd/notifyd/notifyd.c b/source3/smbd/notifyd/notifyd.c +index ca303bd4d51..b368b8390fa 100644 +--- a/source3/smbd/notifyd/notifyd.c ++++ b/source3/smbd/notifyd/notifyd.c +@@ -337,6 +337,7 @@ static bool notifyd_apply_rec_change( + struct messaging_context *msg_ctx) + { + struct db_record *rec = NULL; ++ struct notifyd_watcher watcher = {}; + struct notifyd_instance *instances = NULL; + size_t num_instances; + size_t i; +@@ -344,6 +345,7 @@ static bool notifyd_apply_rec_change( + TDB_DATA value; + NTSTATUS status; + bool ok = false; ++ bool new_watcher = false; + + if (pathlen == 0) { + DBG_WARNING("pathlen==0\n"); +@@ -374,8 +376,12 @@ static bool notifyd_apply_rec_change( + value = dbwrap_record_get_value(rec); + + if (value.dsize != 0) { +- if (!notifyd_parse_entry(value.dptr, value.dsize, NULL, +- &num_instances)) { ++ ok = notifyd_parse_entry(value.dptr, ++ value.dsize, ++ &watcher, ++ NULL, ++ &num_instances); ++ if (!ok) { + goto fail; + } + } +@@ -390,8 +396,22 @@ static bool notifyd_apply_rec_change( + goto fail; + } + +- if (value.dsize != 0) { +- memcpy(instances, value.dptr, value.dsize); ++ if (num_instances > 0) { ++ struct notifyd_instance *tmp = NULL; ++ size_t num_tmp = 0; ++ ++ ok = notifyd_parse_entry(value.dptr, ++ value.dsize, ++ NULL, ++ &tmp, ++ &num_tmp); ++ if (!ok) { ++ goto fail; ++ } ++ ++ memcpy(instances, ++ tmp, ++ sizeof(struct notifyd_instance) * num_tmp); + } + + for (i=0; ifilter, +- .internal_subdir_filter = chg->subdir_filter + }; + + num_instances += 1; + } + +- if ((instance->instance.filter != 0) || +- (instance->instance.subdir_filter != 0)) { +- int ret; ++ /* ++ * Calculate an intersection of the instances filters for the watcher. ++ */ ++ if (instance->instance.filter > 0) { ++ uint32_t filter = instance->instance.filter; ++ ++ if ((watcher.filter & filter) != filter) { ++ watcher.filter |= filter; ++ ++ new_watcher = true; ++ } ++ } ++ ++ /* ++ * Calculate an intersection of the instances subdir_filters for the ++ * watcher. ++ */ ++ if (instance->instance.subdir_filter > 0) { ++ uint32_t subdir_filter = instance->instance.subdir_filter; + +- TALLOC_FREE(instance->sys_watch); ++ if ((watcher.subdir_filter & subdir_filter) != subdir_filter) { ++ watcher.subdir_filter |= subdir_filter; + +- ret = sys_notify_watch(entries, sys_notify_ctx, path, +- &instance->internal_filter, +- &instance->internal_subdir_filter, +- notifyd_sys_callback, msg_ctx, +- &instance->sys_watch); +- if (ret != 0) { +- DBG_WARNING("sys_notify_watch for [%s] returned %s\n", +- path, strerror(errno)); ++ new_watcher = true; + } + } + + if ((instance->instance.filter == 0) && + (instance->instance.subdir_filter == 0)) { ++ uint32_t tmp_filter = 0; ++ uint32_t tmp_subdir_filter = 0; ++ + /* This is a delete request */ +- TALLOC_FREE(instance->sys_watch); + *instance = instances[num_instances-1]; + num_instances -= 1; ++ ++ for (i = 0; i < num_instances; i++) { ++ struct notifyd_instance *tmp = &instances[i]; ++ ++ tmp_filter |= tmp->instance.filter; ++ tmp_subdir_filter |= tmp->instance.subdir_filter; ++ } ++ ++ /* ++ * If the filter has changed, register a new watcher with the ++ * changed filter. ++ */ ++ if (watcher.filter != tmp_filter || ++ watcher.subdir_filter != tmp_subdir_filter) ++ { ++ watcher.filter = tmp_filter; ++ watcher.subdir_filter = tmp_subdir_filter; ++ ++ new_watcher = true; ++ } ++ } ++ ++ if (new_watcher) { ++ /* ++ * In case we removed all notify instances, we want to remove ++ * the watcher. We won't register a new one, if no filters are ++ * set anymore. ++ */ ++ ++ TALLOC_FREE(watcher.sys_watch); ++ ++ watcher.sys_filter = watcher.filter; ++ watcher.sys_subdir_filter = watcher.subdir_filter; ++ ++ /* ++ * Only register a watcher if we have filter. ++ */ ++ if (watcher.filter != 0 || watcher.subdir_filter != 0) { ++ int ret = sys_notify_watch(entries, ++ sys_notify_ctx, ++ path, ++ &watcher.sys_filter, ++ &watcher.sys_subdir_filter, ++ notifyd_sys_callback, ++ msg_ctx, ++ &watcher.sys_watch); ++ if (ret != 0) { ++ DBG_WARNING("sys_notify_watch for [%s] " ++ "returned %s\n", ++ path, ++ strerror(errno)); ++ } ++ } + } + + DBG_DEBUG("%s has %zu instances\n", path, num_instances); + + if (num_instances == 0) { ++ TALLOC_FREE(watcher.sys_watch); ++ + status = dbwrap_record_delete(rec); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("dbwrap_record_delete returned %s\n", +@@ -456,13 +541,21 @@ static bool notifyd_apply_rec_change( + goto fail; + } + } else { +- value = make_tdb_data( +- (uint8_t *)instances, +- sizeof(struct notifyd_instance) * num_instances); ++ struct TDB_DATA iov[2] = { ++ { ++ .dptr = (uint8_t *)&watcher, ++ .dsize = sizeof(struct notifyd_watcher), ++ }, ++ { ++ .dptr = (uint8_t *)instances, ++ .dsize = sizeof(struct notifyd_instance) * ++ num_instances, ++ }, ++ }; + +- status = dbwrap_record_store(rec, value, 0); ++ status = dbwrap_record_storev(rec, iov, ARRAY_SIZE(iov), 0); + if (!NT_STATUS_IS_OK(status)) { +- DBG_WARNING("dbwrap_record_store returned %s\n", ++ DBG_WARNING("dbwrap_record_storev returned %s\n", + nt_errstr(status)); + goto fail; + } +@@ -706,12 +799,18 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data, + .when = tstate->msg->when }; + struct iovec iov[2]; + size_t path_len = key.dsize; ++ struct notifyd_watcher watcher = {}; + struct notifyd_instance *instances = NULL; + size_t num_instances = 0; + size_t i; ++ bool ok; + +- if (!notifyd_parse_entry(data.dptr, data.dsize, &instances, +- &num_instances)) { ++ ok = notifyd_parse_entry(data.dptr, ++ data.dsize, ++ &watcher, ++ &instances, ++ &num_instances); ++ if (!ok) { + DBG_DEBUG("Could not parse notifyd_entry\n"); + return; + } +@@ -734,9 +833,11 @@ static void notifyd_trigger_parser(TDB_DATA key, TDB_DATA data, + + if (tstate->covered_by_sys_notify) { + if (tstate->recursive) { +- i_filter = instance->internal_subdir_filter; ++ i_filter = watcher.sys_subdir_filter & ++ instance->instance.subdir_filter; + } else { +- i_filter = instance->internal_filter; ++ i_filter = watcher.sys_filter & ++ instance->instance.filter; + } + } else { + if (tstate->recursive) { +@@ -1142,46 +1243,39 @@ static int notifyd_add_proxy_syswatches(struct db_record *rec, + struct db_context *db = dbwrap_record_get_db(rec); + TDB_DATA key = dbwrap_record_get_key(rec); + TDB_DATA value = dbwrap_record_get_value(rec); +- struct notifyd_instance *instances = NULL; +- size_t num_instances = 0; +- size_t i; ++ struct notifyd_watcher watcher = {}; + char path[key.dsize+1]; + bool ok; ++ int ret; + + memcpy(path, key.dptr, key.dsize); + path[key.dsize] = '\0'; + +- ok = notifyd_parse_entry(value.dptr, value.dsize, &instances, +- &num_instances); ++ /* This is a remote database, we just need the watcher. */ ++ ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL); + if (!ok) { + DBG_WARNING("Could not parse notifyd entry for %s\n", path); + return 0; + } + +- for (i=0; iinstance.filter; +- uint32_t subdir_filter = instance->instance.subdir_filter; +- int ret; ++ watcher.sys_watch = NULL; ++ watcher.sys_filter = watcher.filter; ++ watcher.sys_subdir_filter = watcher.subdir_filter; + +- /* +- * This is a remote database. Pointers that we were +- * given don't make sense locally. Initialize to NULL +- * in case sys_notify_watch fails. +- */ +- instances[i].sys_watch = NULL; +- +- ret = state->sys_notify_watch( +- db, state->sys_notify_ctx, path, +- &filter, &subdir_filter, +- notifyd_sys_callback, state->msg_ctx, +- &instance->sys_watch); +- if (ret != 0) { +- DBG_WARNING("inotify_watch returned %s\n", +- strerror(errno)); +- } ++ ret = state->sys_notify_watch(db, ++ state->sys_notify_ctx, ++ path, ++ &watcher.filter, ++ &watcher.subdir_filter, ++ notifyd_sys_callback, ++ state->msg_ctx, ++ &watcher.sys_watch); ++ if (ret != 0) { ++ DBG_WARNING("inotify_watch returned %s\n", strerror(errno)); + } + ++ memcpy(value.dptr, &watcher, sizeof(struct notifyd_watcher)); ++ + return 0; + } + +@@ -1189,21 +1283,17 @@ static int notifyd_db_del_syswatches(struct db_record *rec, void *private_data) + { + TDB_DATA key = dbwrap_record_get_key(rec); + TDB_DATA value = dbwrap_record_get_value(rec); +- struct notifyd_instance *instances = NULL; +- size_t num_instances = 0; +- size_t i; ++ struct notifyd_watcher watcher = {}; + bool ok; + +- ok = notifyd_parse_entry(value.dptr, value.dsize, &instances, +- &num_instances); ++ ok = notifyd_parse_entry(value.dptr, value.dsize, &watcher, NULL, NULL); + if (!ok) { + DBG_WARNING("Could not parse notifyd entry for %.*s\n", + (int)key.dsize, (char *)key.dptr); + return 0; + } +- for (i=0; ientries database + */ + +-bool notifyd_parse_entry( +- uint8_t *buf, +- size_t buflen, +- struct notifyd_instance **instances, +- size_t *num_instances) ++/** ++ * @brief Parse a notifyd database entry. ++ * ++ * The memory we pass down needs to be aligned. If it isn't aligned we can run ++ * into obscure errors as we just point into the data buffer. ++ * ++ * @param data The data to parse ++ * @param data_len The length of the data to parse ++ * @param watcher A pointer to store the watcher data or NULL. ++ * @param instances A pointer to store the array of notify instances or NULL. ++ * @param pnum_instances The number of elements in the array. If you just want ++ * the number of elements pass NULL for the watcher and instances pointers. ++ * ++ * @return true on success, false if an error occurred. ++ */ ++bool notifyd_parse_entry(uint8_t *data, ++ size_t data_len, ++ struct notifyd_watcher *watcher, ++ struct notifyd_instance **instances, ++ size_t *pnum_instances) + { +- if ((buflen % sizeof(struct notifyd_instance)) != 0) { +- DBG_WARNING("invalid buffer size: %zu\n", buflen); ++ size_t ilen; ++ ++ if (data_len < sizeof(struct notifyd_watcher)) { + return false; + } + +- if (instances != NULL) { +- *instances = (struct notifyd_instance *)buf; ++ if (watcher != NULL) { ++ *watcher = *((struct notifyd_watcher *)(uintptr_t)data); + } +- if (num_instances != NULL) { +- *num_instances = buflen / sizeof(struct notifyd_instance); ++ ++ ilen = data_len - sizeof(struct notifyd_watcher); ++ if ((ilen % sizeof(struct notifyd_instance)) != 0) { ++ return false; ++ } ++ ++ if (pnum_instances != NULL) { ++ *pnum_instances = ilen / sizeof(struct notifyd_instance); + } ++ if (instances != NULL) { ++ /* The (uintptr_t) cast removes a warning from -Wcast-align. */ ++ *instances = ++ (struct notifyd_instance *)(uintptr_t) ++ (data + sizeof(struct notifyd_watcher)); ++ } ++ + return true; + } +diff --git a/source3/smbd/notifyd/notifyd_private.h b/source3/smbd/notifyd/notifyd_private.h +index 36c08f47c54..db8e6e1c005 100644 +--- a/source3/smbd/notifyd/notifyd_private.h ++++ b/source3/smbd/notifyd/notifyd_private.h +@@ -20,30 +20,48 @@ + #include "lib/util/server_id.h" + #include "notifyd.h" + ++ + /* +- * notifyd's representation of a notify instance ++ * Representation of a watcher for a path ++ * ++ * This will be stored in the db. + */ +-struct notifyd_instance { +- struct server_id client; +- struct notify_instance instance; +- +- void *sys_watch; /* inotify/fam/etc handle */ ++struct notifyd_watcher { ++ /* ++ * This is an intersections of the filter the watcher is listening for. ++ */ ++ uint32_t filter; ++ uint32_t subdir_filter; + + /* +- * Filters after sys_watch took responsibility of some bits ++ * Those are inout variables passed to the sys_watcher. The sys_watcher ++ * will remove the bits it can't handle. + */ +- uint32_t internal_filter; +- uint32_t internal_subdir_filter; ++ uint32_t sys_filter; ++ uint32_t sys_subdir_filter; ++ ++ /* The handle for inotify/fam etc. */ ++ void *sys_watch; ++}; ++ ++/* ++ * Representation of a notifyd instance ++ * ++ * This will be stored in the db. ++ */ ++struct notifyd_instance { ++ struct server_id client; ++ struct notify_instance instance; + }; + + /* + * Parse an entry in the notifyd_context->entries database + */ + +-bool notifyd_parse_entry( +- uint8_t *buf, +- size_t buflen, +- struct notifyd_instance **instances, +- size_t *num_instances); ++bool notifyd_parse_entry(uint8_t *data, ++ size_t data_len, ++ struct notifyd_watcher *watcher, ++ struct notifyd_instance **instances, ++ size_t *num_instances); + + #endif +-- +2.46.1 + diff --git a/SOURCES/samba-4.19-redhat.patch b/SOURCES/samba-4.19-redhat.patch deleted file mode 100644 index 7ec74d1..0000000 --- a/SOURCES/samba-4.19-redhat.patch +++ /dev/null @@ -1,1632 +0,0 @@ -From 3c29fc78029e1274f931e171c9e04c19ad0182c1 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Thu, 17 Aug 2023 01:05:54 +0300 -Subject: [PATCH 01/25] gp: Support more global trust directories - -In addition to the SUSE global trust directory, add support for RHEL and -Debian-based distributions (including Ubuntu). - -To determine the correct directory to use, we iterate over the variants -and stop at the first which is a directory. - -In case none is found, fallback to the first option which will produce a -warning as it did previously. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 312c8ddf467..1b90ab46e90 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -45,10 +45,12 @@ cert_wrap = b""" - -----BEGIN CERTIFICATE----- - %s - -----END CERTIFICATE-----""" --global_trust_dir = '/etc/pki/trust/anchors' - endpoint_re = '(https|HTTPS)://(?P[a-zA-Z0-9.-]+)/ADPolicyProvider' + \ - '_CEP_(?P[a-zA-Z]+)/service.svc/CEP' - -+global_trust_dirs = ['/etc/pki/trust/anchors', # SUSE -+ '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora -+ '/usr/local/share/ca-certificates'] # Debian/Ubuntu - - def octet_string_to_objectGUID(data): - """Convert an octet string to an objectGUID.""" -@@ -249,12 +251,20 @@ def getca(ca, url, trust_dir): - return root_certs - - -+def find_global_trust_dir(): -+ """Return the global trust dir using known paths from various Linux distros.""" -+ for trust_dir in global_trust_dirs: -+ if os.path.isdir(trust_dir): -+ return trust_dir -+ return global_trust_dirs[0] -+ - def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - """Install the root certificate chain.""" - data = dict({'files': [], 'templates': []}, **ca) - url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] - root_certs = getca(ca, url, trust_dir) - data['files'].extend(root_certs) -+ global_trust_dir = find_global_trust_dir() - for src in root_certs: - # Symlink the certs to global trust dir - dst = os.path.join(global_trust_dir, os.path.basename(src)) --- -2.41.0 - - -From 063606e8ec83a58972df47eb561ab267f8937ba4 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Thu, 17 Aug 2023 01:09:28 +0300 -Subject: [PATCH 02/25] gp: Support update-ca-trust helper - -This is used on RHEL/Fedora instead of update-ca-certificates. They -behave similarly so it's enough to change the command name. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit fa80d1d86439749c44e60cf9075e84dc9ed3c268) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 1b90ab46e90..cefdafa21b2 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -258,6 +258,10 @@ def find_global_trust_dir(): - return trust_dir - return global_trust_dirs[0] - -+def update_ca_command(): -+ """Return the command to update the CA trust store.""" -+ return which('update-ca-certificates') or which('update-ca-trust') -+ - def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - """Install the root certificate chain.""" - data = dict({'files': [], 'templates': []}, **ca) -@@ -283,7 +287,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - # already exists. Ignore the FileExistsError. Preserve the - # existing symlink in the unapply data. - data['files'].append(dst) -- update = which('update-ca-certificates') -+ update = update_ca_command() - if update is not None: - Popen([update]).wait() - # Setup Certificate Auto Enrollment --- -2.41.0 - - -From 3b548bf280ca59ef12a7af10a9131813067a850a Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 11 Aug 2023 18:46:42 +0300 -Subject: [PATCH 03/25] gp: Change root cert extension suffix - -On Ubuntu, certificates must end in '.crt' in order to be considered by -the `update-ca-certificates` helper. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit bce3a89204545dcab5fb39a712590f6e166f997b) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index cefdafa21b2..c562722906b 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -241,7 +241,8 @@ def getca(ca, url, trust_dir): - certs = load_der_pkcs7_certificates(r.content) - for i in range(0, len(certs)): - cert = certs[i].public_bytes(Encoding.PEM) -- dest = '%s.%d' % (root_cert, i) -+ filename, extension = root_cert.rsplit('.', 1) -+ dest = '%s.%d.%s' % (filename, i, extension) - with open(dest, 'wb') as w: - w.write(cert) - root_certs.append(dest) --- -2.41.0 - - -From 7592ed5032836dc43f657f66607a0a4661edcdb4 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 18 Aug 2023 17:06:43 +0300 -Subject: [PATCH 04/25] gp: Test with binary content for certificate data - -This fails all GPO-related tests that call `gpupdate --rsop`. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70) ---- - python/samba/tests/gpo.py | 8 ++++---- - selftest/knownfail.d/gpo | 13 +++++++++++++ - 2 files changed, 17 insertions(+), 4 deletions(-) - create mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py -index e4b75cc62a4..963f873f755 100644 ---- a/python/samba/tests/gpo.py -+++ b/python/samba/tests/gpo.py -@@ -6783,14 +6783,14 @@ class GPOTests(tests.TestCase): - ldb.add({'dn': certa_dn, - 'objectClass': 'certificationAuthority', - 'authorityRevocationList': ['XXX'], -- 'cACertificate': 'XXX', -+ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', - 'certificateRevocationList': ['XXX'], - }) - # Write the dummy pKIEnrollmentService - enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) - ldb.add({'dn': enroll_dn, - 'objectClass': 'pKIEnrollmentService', -- 'cACertificate': 'XXXX', -+ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', - 'certificateTemplates': ['Machine'], - 'dNSHostName': hostname, - }) -@@ -7201,14 +7201,14 @@ class GPOTests(tests.TestCase): - ldb.add({'dn': certa_dn, - 'objectClass': 'certificationAuthority', - 'authorityRevocationList': ['XXX'], -- 'cACertificate': 'XXX', -+ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', - 'certificateRevocationList': ['XXX'], - }) - # Write the dummy pKIEnrollmentService - enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) - ldb.add({'dn': enroll_dn, - 'objectClass': 'pKIEnrollmentService', -- 'cACertificate': 'XXXX', -+ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', - 'certificateTemplates': ['Machine'], - 'dNSHostName': hostname, - }) -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -new file mode 100644 -index 00000000000..0aad59607c2 ---- /dev/null -+++ b/selftest/knownfail.d/gpo -@@ -0,0 +1,13 @@ -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.41.0 - - -From 7f7b235bda9e85c5ea330e52e734d1113a884571 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Wed, 16 Aug 2023 12:20:11 +0300 -Subject: [PATCH 05/25] gp: Convert CA certificates to base64 - -I don't know whether this applies universally, but in our case the -contents of `es['cACertificate'][0]` are binary, so cleanly converting -to a string fails with the following: - -'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte - -We found a fix to be encoding the certificate to base64 when -constructing the CA list. - -Section 4.4.5.2 of MS-CAESO also suggests that the content of -`cACertificate` is binary (OCTET string). - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit 157335ee93eb866f9b6a47486a5668d6e76aced5) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 5 ++--- - selftest/knownfail.d/gpo | 13 ------------- - 2 files changed, 2 insertions(+), 16 deletions(-) - delete mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index c562722906b..c8b5368c16a 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -158,7 +158,7 @@ def fetch_certification_authorities(ldb): - for es in res: - data = { 'name': get_string(es['cn'][0]), - 'hostname': get_string(es['dNSHostName'][0]), -- 'cACertificate': get_string(es['cACertificate'][0]) -+ 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0])) - } - result.append(data) - return result -@@ -176,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None): - return {'msPKI-Minimal-Key-Size': ['2048']} - - def format_root_cert(cert): -- cert = base64.b64encode(cert.encode()) -- return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL) -+ return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL) - - def find_cepces_submit(): - certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger', -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -deleted file mode 100644 -index 0aad59607c2..00000000000 ---- a/selftest/knownfail.d/gpo -+++ /dev/null -@@ -1,13 +0,0 @@ --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.41.0 - - -From 49cc74015a603e80048a38fe635cd1ac28938ee4 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 18 Aug 2023 17:16:23 +0300 -Subject: [PATCH 06/25] gp: Test adding new cert templates enforces changes - -Ensure that cepces-submit reporting additional templates and re-applying -will enforce the updated policy. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit 2d6943a864405f324c467e8c3464c31ac08457b0) ---- - python/samba/tests/bin/cepces-submit | 3 +- - python/samba/tests/gpo.py | 48 ++++++++++++++++++++++++++++ - selftest/knownfail.d/gpo | 2 ++ - 3 files changed, 52 insertions(+), 1 deletion(-) - create mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit -index 668682a9f58..de63164692b 100755 ---- a/python/samba/tests/bin/cepces-submit -+++ b/python/samba/tests/bin/cepces-submit -@@ -14,4 +14,5 @@ if __name__ == "__main__": - assert opts.auth == 'Kerberos' - if 'CERTMONGER_OPERATION' in os.environ and \ - os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES': -- print('Machine') # Report a Machine template -+ templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',') -+ print('\n'.join(templates)) # Report the requested templates -diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py -index 963f873f755..e75c411bde7 100644 ---- a/python/samba/tests/gpo.py -+++ b/python/samba/tests/gpo.py -@@ -6812,6 +6812,23 @@ class GPOTests(tests.TestCase): - self.assertTrue(os.path.exists(machine_crt), - 'Machine key was not generated') - -+ # Subsequent apply should react to new certificate templates -+ os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' -+ self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') -+ ext.process_group_policy([], gpos, dname, dname) -+ self.assertTrue(os.path.exists(ca_crt), -+ 'Root CA certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine key was not generated') -+ workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca_cn) -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation certificate was not requested') -+ workstation_key = os.path.join(dname, '%s.Workstation.key' % ca_cn) -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation key was not generated') -+ - # Verify RSOP does not fail - ext.rsop([g for g in gpos if g.name == guid][0]) - -@@ -6829,11 +6846,17 @@ class GPOTests(tests.TestCase): - 'Machine certificate was not removed') - self.assertFalse(os.path.exists(machine_crt), - 'Machine key was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation certificate was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation key was not removed') - out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() - self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed') - out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() - self.assertNotIn(b'Machine', out, - 'Machine certificate not removed') -+ self.assertNotIn(b'Workstation', out, -+ 'Workstation certificate not removed') - - # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate - ldb.delete(certa_dn) -@@ -7233,6 +7256,25 @@ class GPOTests(tests.TestCase): - self.assertTrue(os.path.exists(machine_crt), - 'Machine key was not generated') - -+ # Subsequent apply should react to new certificate templates -+ os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' -+ self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') -+ ext.process_group_policy([], gpos, dname, dname) -+ for ca in ca_list: -+ self.assertTrue(os.path.exists(ca_crt), -+ 'Root CA certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine key was not generated') -+ -+ workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca) -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation certificate was not requested') -+ workstation_key = os.path.join(dname, '%s.Workstation.key' % ca) -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation key was not generated') -+ - # Verify RSOP does not fail - ext.rsop([g for g in gpos if g.name == guid][0]) - -@@ -7250,12 +7292,18 @@ class GPOTests(tests.TestCase): - 'Machine certificate was not removed') - self.assertFalse(os.path.exists(machine_crt), - 'Machine key was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation certificate was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation key was not removed') - out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() - for ca in ca_list: - self.assertNotIn(get_bytes(ca), out, 'CA was not removed') - out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() - self.assertNotIn(b'Machine', out, - 'Machine certificate not removed') -+ self.assertNotIn(b'Workstation', out, -+ 'Workstation certificate not removed') - - # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate - ldb.delete(certa_dn) -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -new file mode 100644 -index 00000000000..4edc1dce730 ---- /dev/null -+++ b/selftest/knownfail.d/gpo -@@ -0,0 +1,2 @@ -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.41.0 - - -From 4c0906bd79f030e591701234bc54bc749a42d686 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Wed, 16 Aug 2023 12:37:17 +0300 -Subject: [PATCH 07/25] gp: Template changes should invalidate cache - -If certificate templates are added or removed, the autoenroll extension -should react to this and reapply the policy. Previously this wasn't -taken into account. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 15 ++++++++++----- - selftest/knownfail.d/gpo | 2 -- - 2 files changed, 10 insertions(+), 7 deletions(-) - delete mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index c8b5368c16a..8233713e8ad 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -262,6 +262,11 @@ def update_ca_command(): - """Return the command to update the CA trust store.""" - return which('update-ca-certificates') or which('update-ca-trust') - -+def changed(new_data, old_data): -+ """Return True if any key present in both dicts has changed.""" -+ return any((new_data[k] != old_data[k] if k in old_data else False) \ -+ for k in new_data.keys()) -+ - def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - """Install the root certificate chain.""" - data = dict({'files': [], 'templates': []}, **ca) -@@ -351,12 +356,12 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): - # If the policy has changed, unapply, then apply new policy - old_val = self.cache_get_attribute_value(guid, attribute) - old_data = json.loads(old_val) if old_val is not None else {} -- if all([(ca[k] == old_data[k] if k in old_data else False) \ -- for k in ca.keys()]) or \ -- self.cache_get_apply_state() == GPOSTATE.ENFORCE: -+ templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] -+ new_data = { 'templates': templates, **ca } -+ if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: - self.unapply(guid, attribute, old_val) -- # If policy is already applied, skip application -- if old_val is not None and \ -+ # If policy is already applied and unchanged, skip application -+ if old_val is not None and not changed(new_data, old_data) and \ - self.cache_get_apply_state() != GPOSTATE.ENFORCE: - return - -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -deleted file mode 100644 -index 4edc1dce730..00000000000 ---- a/selftest/knownfail.d/gpo -+++ /dev/null -@@ -1,2 +0,0 @@ --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.41.0 - - -From e61f30dc2518d5a1c239f090baea4a309307f3f8 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 18 Aug 2023 17:26:59 +0300 -Subject: [PATCH 08/25] gp: Test disabled enrollment unapplies policy - -For this we need to stage a Registry.pol file with certificate -autoenrollment enabled, but with checkboxes unticked. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder -(cherry picked from commit ee814f7707a8ddef2657212cd6d31799501b7bb3) ---- - python/samba/tests/gpo.py | 54 +++++++++++++++++++++++++++++++++++++++ - selftest/knownfail.d/gpo | 1 + - 2 files changed, 55 insertions(+) - create mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py -index e75c411bde7..580f3568de8 100644 ---- a/python/samba/tests/gpo.py -+++ b/python/samba/tests/gpo.py -@@ -281,6 +281,28 @@ b""" - - """ - -+auto_enroll_unchecked_reg_pol = \ -+b""" -+ -+ -+ -+ Software\Policies\Microsoft\Cryptography\AutoEnrollment -+ AEPolicy -+ 0 -+ -+ -+ Software\Policies\Microsoft\Cryptography\AutoEnrollment -+ OfflineExpirationPercent -+ 10 -+ -+ -+ Software\Policies\Microsoft\Cryptography\AutoEnrollment -+ OfflineExpirationStoreNames -+ MY -+ -+ -+""" -+ - advanced_enroll_reg_pol = \ - b""" - -@@ -6836,6 +6858,38 @@ class GPOTests(tests.TestCase): - ret = rsop(self.lp) - self.assertEqual(ret, 0, 'gpupdate --rsop failed!') - -+ # Remove policy by staging pol file with auto-enroll unchecked -+ parser.load_xml(etree.fromstring(auto_enroll_unchecked_reg_pol.strip())) -+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) -+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol) -+ ext.process_group_policy([], gpos, dname, dname) -+ self.assertFalse(os.path.exists(ca_crt), -+ 'Root CA certificate was not removed') -+ self.assertFalse(os.path.exists(machine_crt), -+ 'Machine certificate was not removed') -+ self.assertFalse(os.path.exists(machine_crt), -+ 'Machine key was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation certificate was not removed') -+ self.assertFalse(os.path.exists(workstation_crt), -+ 'Workstation key was not removed') -+ -+ # Reapply policy by staging the enabled pol file -+ parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip())) -+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) -+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol) -+ ext.process_group_policy([], gpos, dname, dname) -+ self.assertTrue(os.path.exists(ca_crt), -+ 'Root CA certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine certificate was not requested') -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine key was not generated') -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation certificate was not requested') -+ self.assertTrue(os.path.exists(workstation_crt), -+ 'Workstation key was not generated') -+ - # Remove policy - gp_db = store.get_gplog(machine_creds.get_username()) - del_gpos = get_deleted_gpos_list(gp_db, []) -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -new file mode 100644 -index 00000000000..83bc9f0ac1f ---- /dev/null -+++ b/selftest/knownfail.d/gpo -@@ -0,0 +1 @@ -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.41.0 - - -From 7757b9b48546d71e19798d1260da97780caa99c3 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Wed, 16 Aug 2023 12:33:59 +0300 -Subject: [PATCH 09/25] gp: Send list of keys instead of dict to remove - -`cache_get_all_attribute_values` returns a dict whereas we need to pass -a list of keys to `remove`. These will be interpolated in the gpdb search. - -Signed-off-by: Gabriel Nagy -Reviewed-by: Joseph Sutton -Reviewed-by: David Mulder - -Autobuild-User(master): Andrew Bartlett -Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224 - -(cherry picked from commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 2 +- - selftest/knownfail.d/gpo | 1 - - 2 files changed, 1 insertion(+), 2 deletions(-) - delete mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 8233713e8ad..64c35782ae8 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -415,7 +415,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): - # remove any existing policy - ca_attrs = \ - self.cache_get_all_attribute_values(gpo.name) -- self.clean(gpo.name, remove=ca_attrs) -+ self.clean(gpo.name, remove=list(ca_attrs.keys())) - - def __read_cep_data(self, guid, ldb, end_point_information, - trust_dir, private_dir): -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -deleted file mode 100644 -index 83bc9f0ac1f..00000000000 ---- a/selftest/knownfail.d/gpo -+++ /dev/null -@@ -1 +0,0 @@ --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext --- -2.41.0 - - -From 4e9b2e6409c5764ec0e66cc6c90b08e70f702e7c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 9 Jan 2024 08:50:01 +0100 -Subject: [PATCH 10/25] python:gp: Print a nice message if cepces-submit can't - be found - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -(cherry picked from commit 8eb42425a8eb1b30ca0e94dfc01d8175ae5cde4b) - -Autobuild-User(v4-19-test): Jule Anger -Autobuild-Date(v4-19-test): Mon Jan 15 11:11:31 UTC 2024 on atb-devel-224 ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 24 ++++++++++++---------- - 1 file changed, 13 insertions(+), 11 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 64c35782ae8..08d1a7348cd 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -185,17 +185,19 @@ def find_cepces_submit(): - - def get_supported_templates(server): - cepces_submit = find_cepces_submit() -- if os.path.exists(cepces_submit): -- env = os.environ -- env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES' -- p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'], -- env=env, stdout=PIPE, stderr=PIPE) -- out, err = p.communicate() -- if p.returncode != 0: -- data = { 'Error': err.decode() } -- log.error('Failed to fetch the list of supported templates.', data) -- return out.strip().split() -- return [] -+ if not cepces_submit or not os.path.exists(cepces_submit): -+ log.error('Failed to find cepces-submit') -+ return [] -+ -+ env = os.environ -+ env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES' -+ p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'], -+ env=env, stdout=PIPE, stderr=PIPE) -+ out, err = p.communicate() -+ if p.returncode != 0: -+ data = {'Error': err.decode()} -+ log.error('Failed to fetch the list of supported templates.', data) -+ return out.strip().split() - - - def getca(ca, url, trust_dir): --- -2.41.0 - - -From fb3aefff51c02cf8ba3f8dfeb7d3f971e8d4902a Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Mon, 8 Jan 2024 18:05:08 +0200 -Subject: [PATCH 11/25] gpo: Test certificate policy without NDES - -As of 8231eaf856b, the NDES feature is no longer required on Windows, as -cert auto-enroll can use the certificate from the LDAP request. - -However, 157335ee93e changed the implementation to convert the LDAP -certificate to base64 due to it failing to cleanly convert to a string. - -Because of insufficient test coverage I missed handling the part where -NDES is disabled or not reachable and the LDAP certificate was imported. -The call to load_der_x509_certificate now fails with an error because it -expects binary data, yet it receives a base64 encoded string. - -This adds a test to confirm the issue. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557 - -Signed-off-by: Gabriel Nagy -Reviewed-by: David Mulder -Reviewed-by: Andreas Schneider -(cherry picked from commit 0d1ff69936f18ea729fc11fbbb1569a833302572) ---- - python/samba/tests/gpo.py | 126 ++++++++++++++++++++++++++++++++++++-- - selftest/knownfail.d/gpo | 1 + - 2 files changed, 121 insertions(+), 6 deletions(-) - create mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py -index 580f3568de8..a78af17dba4 100644 ---- a/python/samba/tests/gpo.py -+++ b/python/samba/tests/gpo.py -@@ -102,17 +102,21 @@ def dummy_certificate(): - - # Dummy requests structure for Certificate Auto Enrollment - class dummy_requests(object): -- @staticmethod -- def get(url=None, params=None): -+ class exceptions(object): -+ ConnectionError = Exception -+ -+ def __init__(self, want_exception=False): -+ self.want_exception = want_exception -+ -+ def get(self, url=None, params=None): -+ if self.want_exception: -+ raise self.exceptions.ConnectionError -+ - dummy = requests.Response() - dummy._content = dummy_certificate() - dummy.headers = {'Content-Type': 'application/x-x509-ca-cert'} - return dummy - -- class exceptions(object): -- ConnectionError = Exception --cae.requests = dummy_requests -- - realm = os.environ.get('REALM') - policies = realm + '/POLICIES' - realm = realm.lower() -@@ -6764,6 +6768,114 @@ class GPOTests(tests.TestCase): - # Unstage the Registry.pol file - unstage_file(reg_pol) - -+ def test_gp_cert_auto_enroll_ext_without_ndes(self): -+ local_path = self.lp.cache_path('gpo_cache') -+ guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' -+ reg_pol = os.path.join(local_path, policies, guid, -+ 'MACHINE/REGISTRY.POL') -+ cache_dir = self.lp.get('cache directory') -+ store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) -+ -+ machine_creds = Credentials() -+ machine_creds.guess(self.lp) -+ machine_creds.set_machine_account() -+ -+ # Initialize the group policy extension -+ cae.requests = dummy_requests(want_exception=True) -+ ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds, -+ machine_creds.get_username(), store) -+ -+ gpos = get_gpo_list(self.server, machine_creds, self.lp, -+ machine_creds.get_username()) -+ -+ # Stage the Registry.pol file with test data -+ parser = GPPolParser() -+ parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip())) -+ ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) -+ self.assertTrue(ret, 'Could not create the target %s' % reg_pol) -+ -+ # Write the dummy CA entry, Enrollment Services, and Templates Entries -+ admin_creds = Credentials() -+ admin_creds.set_username(os.environ.get('DC_USERNAME')) -+ admin_creds.set_password(os.environ.get('DC_PASSWORD')) -+ admin_creds.set_realm(os.environ.get('REALM')) -+ hostname = get_dc_hostname(machine_creds, self.lp) -+ url = 'ldap://%s' % hostname -+ ldb = Ldb(url=url, session_info=system_session(), -+ lp=self.lp, credentials=admin_creds) -+ # Write the dummy CA -+ confdn = 'CN=Public Key Services,CN=Services,CN=Configuration,%s' % base_dn -+ ca_cn = '%s-CA' % hostname.replace('.', '-') -+ certa_dn = 'CN=%s,CN=Certification Authorities,%s' % (ca_cn, confdn) -+ ldb.add({'dn': certa_dn, -+ 'objectClass': 'certificationAuthority', -+ 'authorityRevocationList': ['XXX'], -+ 'cACertificate': dummy_certificate(), -+ 'certificateRevocationList': ['XXX'], -+ }) -+ # Write the dummy pKIEnrollmentService -+ enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) -+ ldb.add({'dn': enroll_dn, -+ 'objectClass': 'pKIEnrollmentService', -+ 'cACertificate': dummy_certificate(), -+ 'certificateTemplates': ['Machine'], -+ 'dNSHostName': hostname, -+ }) -+ # Write the dummy pKICertificateTemplate -+ template_dn = 'CN=Machine,CN=Certificate Templates,%s' % confdn -+ ldb.add({'dn': template_dn, -+ 'objectClass': 'pKICertificateTemplate', -+ }) -+ -+ with TemporaryDirectory() as dname: -+ try: -+ ext.process_group_policy([], gpos, dname, dname) -+ except Exception as e: -+ self.fail(str(e)) -+ -+ ca_crt = os.path.join(dname, '%s.crt' % ca_cn) -+ self.assertTrue(os.path.exists(ca_crt), -+ 'Root CA certificate was not requested') -+ machine_crt = os.path.join(dname, '%s.Machine.crt' % ca_cn) -+ self.assertTrue(os.path.exists(machine_crt), -+ 'Machine certificate was not requested') -+ machine_key = os.path.join(dname, '%s.Machine.key' % ca_cn) -+ self.assertTrue(os.path.exists(machine_key), -+ 'Machine key was not generated') -+ -+ # Verify RSOP does not fail -+ ext.rsop([g for g in gpos if g.name == guid][0]) -+ -+ # Check that a call to gpupdate --rsop also succeeds -+ ret = rsop(self.lp) -+ self.assertEqual(ret, 0, 'gpupdate --rsop failed!') -+ -+ # Remove policy -+ gp_db = store.get_gplog(machine_creds.get_username()) -+ del_gpos = get_deleted_gpos_list(gp_db, []) -+ ext.process_group_policy(del_gpos, [], dname) -+ self.assertFalse(os.path.exists(ca_crt), -+ 'Root CA certificate was not removed') -+ self.assertFalse(os.path.exists(machine_crt), -+ 'Machine certificate was not removed') -+ self.assertFalse(os.path.exists(machine_key), -+ 'Machine key was not removed') -+ out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() -+ self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed') -+ out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() -+ self.assertNotIn(b'Machine', out, -+ 'Machine certificate not removed') -+ self.assertNotIn(b'Workstation', out, -+ 'Workstation certificate not removed') -+ -+ # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate -+ ldb.delete(certa_dn) -+ ldb.delete(enroll_dn) -+ ldb.delete(template_dn) -+ -+ # Unstage the Registry.pol file -+ unstage_file(reg_pol) -+ - def test_gp_cert_auto_enroll_ext(self): - local_path = self.lp.cache_path('gpo_cache') - guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' -@@ -6777,6 +6889,7 @@ class GPOTests(tests.TestCase): - machine_creds.set_machine_account() - - # Initialize the group policy extension -+ cae.requests = dummy_requests() - ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds, - machine_creds.get_username(), store) - -@@ -7241,6 +7354,7 @@ class GPOTests(tests.TestCase): - machine_creds.set_machine_account() - - # Initialize the group policy extension -+ cae.requests = dummy_requests() - ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds, - machine_creds.get_username(), store) - -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -new file mode 100644 -index 00000000000..f1e590bc7d8 ---- /dev/null -+++ b/selftest/knownfail.d/gpo -@@ -0,0 +1 @@ -+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes --- -2.41.0 - - -From 1a9af36177c7491687c75df151474bb10285f00e Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Thu, 18 Jan 2024 20:23:24 +0200 -Subject: [PATCH 12/25] gpo: Decode base64 root cert before importing - -The reasoning behind this is described in the previous commit message, -but essentially this should either be wrapped in certificate blocks and -imported as PEM, or converted back to binary and imported as DER. - -I've opted for the latter since it's how it used to work before it -regressed in 157335ee93e. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557 - -Signed-off-by: Gabriel Nagy -Reviewed-by: David Mulder -Reviewed-by: Andreas Schneider -(cherry picked from commit 3f3ddfa699a33c2c8a59f7fb9ee044bb2a6e0e06) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 5 +++-- - selftest/knownfail.d/gpo | 1 - - 2 files changed, 3 insertions(+), 3 deletions(-) - delete mode 100644 selftest/knownfail.d/gpo - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 08d1a7348cd..cd5e54f1110 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -217,10 +217,11 @@ def getca(ca, url, trust_dir): - ' installed or not configured.') - if 'cACertificate' in ca: - log.warn('Installing the server certificate only.') -+ der_certificate = base64.b64decode(ca['cACertificate']) - try: -- cert = load_der_x509_certificate(ca['cACertificate']) -+ cert = load_der_x509_certificate(der_certificate) - except TypeError: -- cert = load_der_x509_certificate(ca['cACertificate'], -+ cert = load_der_x509_certificate(der_certificate, - default_backend()) - cert_data = cert.public_bytes(Encoding.PEM) - with open(root_cert, 'wb') as w: -diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo -deleted file mode 100644 -index f1e590bc7d8..00000000000 ---- a/selftest/knownfail.d/gpo -+++ /dev/null -@@ -1 +0,0 @@ --^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes --- -2.41.0 - - -From f5fc88f9ae255f4dc135580f0fa4a02f5addc390 Mon Sep 17 00:00:00 2001 -From: Gabriel Nagy -Date: Fri, 19 Jan 2024 11:36:19 +0200 -Subject: [PATCH 13/25] gpo: Do not get templates list on first run - -This is a visual fix and has no impact on functionality apart from -cleaner log messages. - -The point of this is to get the list of supported templates in order to -compute a diff between the current applied templates and the updated -list, so we are able to unapply and reapply the policy in case there are -differences. - -However this code path is executed on first applies as well, at which -point the root CA is not yet set up. This causes the -`get_supported_templates` call to fail, which is not a hard failure but -still pollutes the logs. In this case it's safe to avoid executing the -command as the policy will be applied regardless. - -Signed-off-by: Gabriel Nagy -Reviewed-by: David Mulder -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Mon Jan 22 16:48:57 UTC 2024 on atb-devel-224 - -(cherry picked from commit 8579340fc540633c13c017d896034904a8dbd55c) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index cd5e54f1110..559c903e1a2 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -359,7 +359,8 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): - # If the policy has changed, unapply, then apply new policy - old_val = self.cache_get_attribute_value(guid, attribute) - old_data = json.loads(old_val) if old_val is not None else {} -- templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] -+ templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] \ -+ if old_val is not None else [] - new_data = { 'templates': templates, **ca } - if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: - self.unapply(guid, attribute, old_val) --- -2.41.0 - - -From e8a6219181f2af87813b53fd09684650c1aa6f90 Mon Sep 17 00:00:00 2001 -From: David Mulder -Date: Fri, 5 Jan 2024 08:47:07 -0700 -Subject: [PATCH 14/25] gp: Skip site GP list if no site is found - -[MS-GPOL] 3.2.5.1.4 Site Search says if the site -search returns ERROR_NO_SITENAME, the GP site -search should be skipped. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15548 - -Signed-off-by: David Mulder -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Jan 23 11:20:35 UTC 2024 on atb-devel-224 - -(cherry picked from commit f05b61b4991e7f51bd184d76a79f8b50114a0ff3) ---- - python/samba/gp/gpclass.py | 30 ++++++++++++++++++------------ - 1 file changed, 18 insertions(+), 12 deletions(-) - -diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py -index 617ef79350c..babd8f90748 100644 ---- a/python/samba/gp/gpclass.py -+++ b/python/samba/gp/gpclass.py -@@ -866,19 +866,25 @@ def get_gpo_list(dc_hostname, creds, lp, username): - - # (S)ite - if gpo_list_machine: -- site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username) -- - try: -- log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn) -- gp_link = get_gpo_link(samdb, site_dn) -- except ldb.LdbError as e: -- (enum, estr) = e.args -- log.debug(estr) -- else: -- add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list, -- site_dn, gp_link, -- gpo.GP_LINK_SITE, -- add_only_forced_gpos, token) -+ site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username) -+ -+ try: -+ log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn) -+ gp_link = get_gpo_link(samdb, site_dn) -+ except ldb.LdbError as e: -+ (enum, estr) = e.args -+ log.debug(estr) -+ else: -+ add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list, -+ site_dn, gp_link, -+ gpo.GP_LINK_SITE, -+ add_only_forced_gpos, token) -+ except ldb.LdbError: -+ # [MS-GPOL] 3.2.5.1.4 Site Search: If the method returns -+ # ERROR_NO_SITENAME, the remainder of this message MUST be skipped -+ # and the protocol sequence MUST continue at GPO Search -+ pass - - # (L)ocal - gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy", --- -2.41.0 - - -From d0d1a890d6f2466691fa4ee663232ee0bd1c3776 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 14:14:30 +0100 -Subject: [PATCH 15/25] python:gp: Avoid path check for cepces-submit -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -find_cepces_submit() uses which(), which returns None if not found. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 6a9630eff624643fd725219775784e68d967d04c) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 559c903e1a2..7325d5132cf 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -185,7 +185,7 @@ def find_cepces_submit(): - - def get_supported_templates(server): - cepces_submit = find_cepces_submit() -- if not cepces_submit or not os.path.exists(cepces_submit): -+ if not cepces_submit: - log.error('Failed to find cepces-submit') - return [] - -@@ -301,7 +301,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - # Setup Certificate Auto Enrollment - getcert = which('getcert') - cepces_submit = find_cepces_submit() -- if getcert is not None and os.path.exists(cepces_submit): -+ if getcert is not None and cepces_submit is not None: - p = Popen([getcert, 'add-ca', '-c', ca['name'], '-e', - '%s --server=%s --auth=%s' % (cepces_submit, - ca['hostname'], auth)], --- -2.41.0 - - -From 7f6c9a4945635c6eb8ada2255bd0febbf0f4e540 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 14:07:47 +0100 -Subject: [PATCH 16/25] python:gp: Improve logging for certificate enrollment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 6d5507e05050690cd4c56f3f97f5fb7de0338b87) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 7325d5132cf..a25a9678587 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -274,6 +274,9 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - """Install the root certificate chain.""" - data = dict({'files': [], 'templates': []}, **ca) - url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] -+ -+ log.info("Try to get root or server certificates") -+ - root_certs = getca(ca, url, trust_dir) - data['files'].extend(root_certs) - global_trust_dir = find_global_trust_dir() -@@ -283,6 +286,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - try: - os.symlink(src, dst) - data['files'].append(dst) -+ log.info("Created symlink: %s -> %s" % (src, dst)) - except PermissionError: - log.warn('Failed to symlink root certificate to the' - ' admin trust anchors') -@@ -295,9 +299,14 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - # already exists. Ignore the FileExistsError. Preserve the - # existing symlink in the unapply data. - data['files'].append(dst) -+ - update = update_ca_command() -+ log.info("Running %s" % (update)) - if update is not None: -- Popen([update]).wait() -+ ret = Popen([update]).wait() -+ if ret != 0: -+ log.error('Failed to run %s' % (update)) -+ - # Setup Certificate Auto Enrollment - getcert = which('getcert') - cepces_submit = find_cepces_submit() --- -2.41.0 - - -From 5321d5b5bd24d7659743576f2e12a7dc0a93a828 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 15:04:36 +0100 -Subject: [PATCH 17/25] python:gp: Do not print an error, if CA already exists -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We will get an exit status for duplicate in future: -https://www.pagure.io/certmonger/issue/269 -We can't really fix that right now, as older version of certmonger -don't support the `-v` option. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 728757cd1ff0465967fcbda100254c9312e87c93) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index a25a9678587..0b23cd688db 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -318,8 +318,12 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - out, err = p.communicate() - log.debug(out.decode()) - if p.returncode != 0: -- data = { 'Error': err.decode(), 'CA': ca['name'] } -- log.error('Failed to add Certificate Authority', data) -+ if p.returncode == 2: -+ log.info('The CA [%s] already exists' % ca['name']) -+ else: -+ data = {'Error': err.decode(), 'CA': ca['name']} -+ log.error('Failed to add Certificate Authority', data) -+ - supported_templates = get_supported_templates(ca['hostname']) - for template in supported_templates: - attrs = fetch_template_attrs(ldb, template) --- -2.41.0 - - -From 6a7a8a4090b8cdb8e71f4ad590260ceeda253ce2 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 15:05:02 +0100 -Subject: [PATCH 18/25] python:gp: Do not print an error if template already - exists -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We will get an exit status for duplicate in future: -https://www.pagure.io/certmonger/issue/269 -We can't really fix that right now, as older version of certmonger -don't support the `-v` option. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 98dc44286ea102ef7701ccdea26bbde32b523a7e) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index 0b23cd688db..db681cb6f69 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -338,8 +338,12 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - out, err = p.communicate() - log.debug(out.decode()) - if p.returncode != 0: -- data = { 'Error': err.decode(), 'Certificate': nickname } -- log.error('Failed to request certificate', data) -+ if p.returncode == 2: -+ log.info('The template [%s] already exists' % (nickname)) -+ else: -+ data = {'Error': err.decode(), 'Certificate': nickname} -+ log.error('Failed to request certificate', data) -+ - data['files'].extend([keyfile, certfile]) - data['templates'].append(nickname) - if update is not None: --- -2.41.0 - - -From 43dc3d5d833bc1db885eb45402decd3225a7c946 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 15:05:24 +0100 -Subject: [PATCH 19/25] python:gp: Log an error if update fails -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský -(cherry picked from commit 367756b85a9ac8daaac2326392bcd1373feed3b7) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index db681cb6f69..c8ad2039dc6 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -347,7 +347,9 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): - data['files'].extend([keyfile, certfile]) - data['templates'].append(nickname) - if update is not None: -- Popen([update]).wait() -+ ret = Popen([update]).wait() -+ if ret != 0: -+ log.error('Failed to run %s' % (update)) - else: - log.warn('certmonger and cepces must be installed for ' + - 'certificate auto enrollment to work') --- -2.41.0 - - -From d8276d6a098d10f405b8f24c4dfb82af4496607c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 22 Jan 2024 15:46:24 +0100 -Subject: [PATCH 20/25] python:gp: Improve working of log messages to avoid - confusion -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We should not use the word "Failed". We are totally fine if we can't -connect to NDES in the meantime. This logs: - -Try to get root or server certificates. -Unable to install root certificates (requires NDES). -Installing the server certificate only. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 - -Signed-off-by: Andreas Schneider -Reviewed-by: David Mulder -Reviewed-by: Pavel Filipenský - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Mon Jan 29 10:37:29 UTC 2024 on atb-devel-224 - -(cherry picked from commit 1f823424418e814d9dc0785658e2a7d92643dab2) ---- - python/samba/gp/gp_cert_auto_enroll_ext.py | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py -index c8ad2039dc6..2b7f7d22c2b 100644 ---- a/python/samba/gp/gp_cert_auto_enroll_ext.py -+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py -@@ -209,12 +209,10 @@ def getca(ca, url, trust_dir): - r = requests.get(url=url, params={'operation': 'GetCACert', - 'message': 'CAIdentifier'}) - except requests.exceptions.ConnectionError: -- log.warn('Failed to establish a new connection') -+ log.warn('Could not connect to Network Device Enrollment Service.') - r = None - if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html': -- log.warn('Failed to fetch the root certificate chain.') -- log.warn('The Network Device Enrollment Service is either not' + -- ' installed or not configured.') -+ log.warn('Unable to fetch root certificates (requires NDES).') - if 'cACertificate' in ca: - log.warn('Installing the server certificate only.') - der_certificate = base64.b64decode(ca['cACertificate']) --- -2.41.0 - - -From 585357bf0d8889747a2769c2451ee34766087d95 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 29 Jan 2024 17:46:30 +0100 -Subject: [PATCH 21/25] python:gp: Fix logging with gp - -This allows enable INFO level logging with: `samba-gpupdate -d3` - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15558 - -Signed-off-by: Andreas Schneider -Reviewed-by: Joseph Sutton -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Jan 30 07:18:05 UTC 2024 on atb-devel-224 - -(cherry picked from commit 145194071b10c4c1857f28fe79c57fd63ffab889) ---- - python/samba/gp/util/logging.py | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/python/samba/gp/util/logging.py b/python/samba/gp/util/logging.py -index a74a8707d50..c3de32825db 100644 ---- a/python/samba/gp/util/logging.py -+++ b/python/samba/gp/util/logging.py -@@ -24,9 +24,10 @@ import gettext - import random - import sys - --logger = logging.getLogger() -+logger = logging.getLogger("gp") -+ -+ - def logger_init(name, log_level): -- logger = logging.getLogger(name) - logger.addHandler(logging.StreamHandler(sys.stdout)) - logger.setLevel(logging.CRITICAL) - if log_level == 1: --- -2.41.0 - - -From c188f44cf1037f751763db853ab3758d564c0bcd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Wed, 13 Mar 2024 13:55:41 +0100 -Subject: [PATCH 22/25] docs-xml: Add parameter all_groupmem to idmap_ad -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider -(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c) ---- - docs-xml/manpages/idmap_ad.8.xml | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml -index b364bbfa231..de6d36afe95 100644 ---- a/docs-xml/manpages/idmap_ad.8.xml -+++ b/docs-xml/manpages/idmap_ad.8.xml -@@ -100,6 +100,16 @@ - - - -+ all_groupmem = yes/no -+ -+ If set to yes winbind will retrieve all -+ group members for getgrnam(3), getgrgid(3) and getgrent(3) calls, -+ including those with missing uidNumber. -+ -+ Default: no -+ -+ -+ - deny ous - This parameter is a list of OUs from - which objects will not be mapped via the ad idmap --- -2.41.0 - - -From 270121c01a04e81704c33e1ce72fe3679dc55911 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 12 Mar 2024 13:20:24 +0100 -Subject: [PATCH 23/25] s3:winbindd: Improve performance of lookup_groupmem() - in idmap_ad -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The LDAP query of lookup_groupmem() returns all group members from AD -even those with missing uidNumber. Such group members are useless in -UNIX environment for idmap_ad backend since there is no uid mapping. - -'test_user' is member of group "Domanin Users" with 200K members, -only 20K members have set uidNumber. - -Without this fix: - -$ time id test_user - -real 1m5.946s -user 0m0.019s -sys 0m0.012s - -With this fix: - -$ time id test_user - -real 0m3.544s -user 0m0.004s -sys 0m0.007s - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider -(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf) ---- - source3/winbindd/winbindd_ads.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index d7a665abbc6..e625aa6473f 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -1037,7 +1037,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, - } - - static NTSTATUS add_primary_group_members( -- ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, -+ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname, - char ***all_members, size_t *num_all_members) - { - char *filter; -@@ -1049,10 +1049,13 @@ static NTSTATUS add_primary_group_members( - char **members; - size_t num_members; - ads_control args; -+ bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false); - - filter = talloc_asprintf( -- mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))", -- (unsigned)rid); -+ mem_ctx, -+ "(&(objectCategory=user)(primaryGroupID=%u)%s)", -+ (unsigned)rid, -+ all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))"); - if (filter == NULL) { - goto done; - } -@@ -1204,7 +1207,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - - DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); - -- status = add_primary_group_members(ads, mem_ctx, rid, -+ status = add_primary_group_members(ads, mem_ctx, rid, domain->name, - &members, &num_members); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("%s: add_primary_group_members failed: %s\n", --- -2.41.0 - - -From 4f9f3c9b8d5d229c0c1da17af3a457b1b49ae353 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 25 Mar 2024 22:38:18 +0100 -Subject: [PATCH 24/25] selftest: Add "winbind expand groups = 1" to - setup_ad_member_idmap_ad -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider -(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a) ---- - selftest/target/Samba3.pm | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 44ac4a5901a..606c65f8ab1 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1412,6 +1412,7 @@ sub setup_ad_member_idmap_ad - idmap config $dcvars->{TRUST_DOMAIN} : backend = ad - idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 - gensec_gssapi:requested_life_time = 5 -+ winbind expand groups = 1 - "; - - my $ret = $self->provision( --- -2.41.0 - - -From 569d942a39154bcf1267339bbb79253ac8c89416 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Thu, 14 Mar 2024 15:24:21 +0100 -Subject: [PATCH 25/25] tests: Add a test for "all_groups=no" to - test_idmap_ad.sh -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Pavel Filipensky -Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224 - -(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967) ---- - nsswitch/tests/test_idmap_ad.sh | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh -index 7ae112ada71..1d4bd395ba9 100755 ---- a/nsswitch/tests/test_idmap_ad.sh -+++ b/nsswitch/tests/test_idmap_ad.sh -@@ -94,6 +94,14 @@ gidNumber: 2000001 - unixHomeDirectory: /home/forbidden - loginShell: /bin/tcsh - gecos: User in forbidden OU -+ -+dn: CN=no_posix_id,CN=Users,$BASE_DN -+changetype: add -+objectClass: user -+samaccountName: no_posix_id -+unixHomeDirectory: /home/no_posix_id -+loginShell: /bin/sh -+gecos: User without uidNumber and gidNumber - EOF - - # -@@ -171,6 +179,17 @@ then - failed=$(($failed + 1)) - fi - -+# -+# Test 6: Make sure that with the default "all_groups=no" -+# the group "domain users" will not show user "no_posix_id" -+# but will show "SAMBA2008R2/administrator" -+# -+ -+dom_users="$DOMAIN/domain users" # Extra step to make sure that all is one word -+out="$($wbinfo --group-info "$dom_users")" -+testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr $failed + 1) -+testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || failed=$(expr $failed + 1) -+ - # - # Trusted domain test 1: Test uid of Administrator, should be 2500000 - # -@@ -241,6 +260,9 @@ gidNumber: 2000002 - dn: cn=forbidden,ou=sub,$BASE_DN - changetype: delete - -+dn: CN=no_posix_id,CN=Users,$BASE_DN -+changetype: delete -+ - dn: ou=sub,$BASE_DN - changetype: delete - EOF --- -2.41.0 - diff --git a/SOURCES/samba-4.19.4.tar.asc b/SOURCES/samba-4.19.4.tar.asc deleted file mode 100644 index c4690ac..0000000 --- a/SOURCES/samba-4.19.4.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA -tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub -Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ -2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq -XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln -iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x -svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar -JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8 -ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ -vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo -+NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++ -1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY= -=kOPP ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.20.2.tar.asc b/SOURCES/samba-4.20.2.tar.asc new file mode 100644 index 0000000..4f87006 --- /dev/null +++ b/SOURCES/samba-4.20.2.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmZy684ACgkQqplEL7aA +tiDXDw/+KleJ11LLq5ZlXMlj11niRCETErY8cuoZ9VX04lfRwRBnplpKKLSQuFit +5HeY5ED65DhbpGzPfLPx7xOw4wyFc/bXhHPTgF3Ybj8TKkEcaMmkpD3V8FPa4NAt +vNZ3alLQLP//kgRXnqeV9pfa4slx17G6WeBLbpd8b4SbgPMgokJt7hL3nWfBrFE9 +p6B+TKZcwfoCn9ufz1UxMpBFtpSK0yF0S7CQcdv3JrBNIYhULuXbnAnLCHcH1RqW +xreoxZPnMx+SrYb0iHyKbkMsDujCqBKm9CyS13Yt9DjI49lv0pBwQFnaqtR4Xm/D +BU2XIWLLInUecxtUOBtsa046h55fLQPgkb+WYob++iA9r91y4JAZIiAxdVrNLsxR +BiFUxkL7EPtyptT84xNjpQ3CTZuw8tlHu/sJ1/XHRUFMtRGjiMqJp7ULsVQDfwET +7T+HHrVHNstddb9A6WfM8qSItoMfGUlYyzTQ2d3OmrbGRnB0qf+zg9DI+vXv5Itx +M23we8ljSadCnc/kqz3Z6gefI538WWDnbXIljRqDxuzwaSXhMd4heG+xIAAO0Of5 +ziyCVQ/n8gnyXQmC82Xlebc3mYki8UoyYWdbVNJZAOEo/LuBql1OkjOhkhMcBDmr +qvD6f+0+MA4nydmVhI/q/pmo7nAUD3SAxmRKrVTwjpjcAnZ4IGw= +=CGiK +-----END PGP SIGNATURE----- diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 1304730..04f0f5a 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -57,7 +57,7 @@ # ppc64le excluded pending resolution of https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104172 #%%ifarch aarch64 ppc64le s390x x86_64 -%ifarch aarch64 s390x x86_64 +%ifarch aarch64 s390x x86_64 riscv64 %bcond_without vfs_cephfs %bcond_without ceph_mutex %else @@ -80,7 +80,7 @@ %if 0%{?fedora} -%ifarch aarch64 ppc64le s390x x86_64 +%ifarch aarch64 ppc64le s390x x86_64 riscv64 %bcond_without vfs_glusterfs %else %bcond_with vfs_glusterfs @@ -109,7 +109,7 @@ # Build vfs_io_uring module by default on 64bit Fedora %if 0%{?fedora} || 0%{?rhel} >= 8 -%ifarch aarch64 ppc64le s390x x86_64 +%ifarch aarch64 ppc64le s390x x86_64 riscv64 %bcond_without vfs_io_uring %else %bcond_with vfs_io_uring @@ -139,15 +139,15 @@ %endif %if 0%{?fedora} || 0%{?rhel} >= 9 -%bcond_with gpupdate +%bcond_without gpupdate %else %bcond_with gpupdate %endif %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global samba_version 4.19.4 -%global baserelease 105 +%global samba_version 4.20.2 +%global baserelease 2 # This should be rc1 or %%nil %global pre_release %nil @@ -164,7 +164,7 @@ %global libdcerpc_so_version 0 %global libndr_krb5pac_so_version 0 %global libndr_nbt_so_version 0 -%global libndr_so_version 3 +%global libndr_so_version 4 %global libndr_standard_so_version 0 %global libnetapi_so_version 1 %global libsamba_credentials_so_version 1 @@ -180,10 +180,10 @@ %global libsmbclient_so_version 0 %global libwbclient_so_version 0 -%global talloc_version 2.4.1 -%global tdb_version 1.4.9 -%global tevent_version 0.15.0 -%global ldb_version 2.8.0 +%global talloc_version 2.4.2 +%global tdb_version 1.4.10 +%global tevent_version 0.16.1 +%global ldb_version 2.9.1 %global required_mit_krb5 1.20.1 @@ -238,11 +238,15 @@ Source18: samba-winbind-systemd-sysusers.conf Source201: README.downgrade Source202: samba.abignore -# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-19-redhat -# This will give us CI and makes it easy to generate patchsets. +# Patch0 is created using: # -# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.19-redhat.patch -Patch0: samba-4.19-redhat.patch +# git clone git@gitlab.com:samba-redhat/samba.git +# cd samba +# git checkout v4-20-redhat +# git format-patch --stdout -l1 --no-renames -N > redhat-4.20.2.patch +# where N is number of commits + +Patch0: redhat-4.20.2.patch Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} @@ -338,7 +342,7 @@ BuildRequires: zlib-devel >= 1.2.3 BuildRequires: pkgconfig(libsystemd) -%ifnarch i686 +%ifnarch i686 riscv64 %if 0%{?fedora} >= 37 BuildRequires: mold %endif @@ -368,7 +372,7 @@ BuildRequires: python3-etcd %endif %if %{with gpupdate} -BuildRequires: cepces-certmonger +BuildRequires: cepces-certmonger >= 0.3.8 %endif # pidl requirements @@ -1227,10 +1231,8 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %endif %autosetup -n samba-%{version}%{pre_release} -p1 -# Ensure we rely on GnuTLS and do not build any other crypto code shipping with -# the sources. -rm -rf third_party/{aesni-intel,heimdal} -rm -f lib/crypto/{aes,rijndael}*.c +# Make sure we do not build with heimdal code +rm -rfv third_party/heimdal %build %if %{with includelibs} @@ -1280,7 +1282,7 @@ export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')" # Use the mold linker if possible export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')" -%ifnarch i686 +%ifnarch i686 riscv64 %if 0%{?fedora} >= 37 export LDFLAGS="%{__global_ldflags} -fuse-ld=mold" export python_LDFLAGS="$(echo ${LDFLAGS} | sed -e 's/-Wl,-z,defs//g')" @@ -1369,9 +1371,11 @@ popd install -d -m 0755 %{buildroot}/usr/{sbin,bin} install -d -m 0755 %{buildroot}%{_libdir}/security install -d -m 0755 %{buildroot}/var/lib/samba +install -d -m 0755 %{buildroot}/var/lib/samba/certs install -d -m 0755 %{buildroot}/var/lib/samba/drivers install -d -m 0755 %{buildroot}/var/lib/samba/lock install -d -m 0755 %{buildroot}/var/lib/samba/private +install -d -m 0755 %{buildroot}/var/lib/samba/private/certs install -d -m 0755 %{buildroot}/var/lib/samba/scripts install -d -m 0755 %{buildroot}/var/lib/samba/sysvol install -d -m 0755 %{buildroot}/var/lib/samba/usershares @@ -1520,14 +1524,17 @@ export WINBINDD_DONT_LOG_STDOUT=1 %endif %post +%systemd_post samba-bgqd.service %systemd_post smb.service %systemd_post nmb.service %preun +%systemd_preun samba-bgqd.service %systemd_preun smb.service %systemd_preun nmb.service %postun +%systemd_postun_with_restart samba-bgqd.service %systemd_postun_with_restart smb.service %systemd_postun_with_restart nmb.service @@ -1592,9 +1599,9 @@ fi %if %{with libwbclient} %pre -n libwbclient if [ $1 -gt 1 ] ; then - rm -rf %{_libdir}/samba/wbclient/ - rm -f /etc/alternatives/libwbclient.so* - rm -f /var/lib/alternatives/libwbclient.so* + rm -rf %{_libdir}/samba/wbclient/ 2>/dev/null + rm -f /etc/alternatives/libwbclient.so* 2>/dev/null + rm -f /var/lib/alternatives/libwbclient.so* 2>/dev/null fi %{?ldconfig} #endif {with libwbclient} @@ -1652,8 +1659,6 @@ fi ### SAMBA %files -%license COPYING -%doc README.md WHATSNEW.txt %doc examples/autofs examples/LDAP examples/misc %doc examples/printer-accounting examples/printing %doc packaging/README.downgrade @@ -1663,7 +1668,7 @@ fi %{_sbindir}/smbd %if %{with dc} || %{with testsuite} # This is only used by vfs_dfs_samba4 -%{_libdir}/samba/libdfs-server-ad-samba4.so +%{_libdir}/samba/libdfs-server-ad-private-samba.so %endif %dir %{_libdir}/samba/auth %{_libdir}/samba/auth/unix.so @@ -1725,6 +1730,7 @@ fi %{_unitdir}/nmb.service %{_unitdir}/smb.service +%{_unitdir}/samba-bgqd.service %dir %{_sysconfdir}/openldap/schema %config %{_sysconfdir}/openldap/schema/samba.schema %config(noreplace) %{_sysconfdir}/pam.d/samba @@ -1801,6 +1807,7 @@ fi %{_bindir}/smbspool %{_bindir}/smbtar %{_bindir}/smbtree +%{_bindir}/wspsearch %dir %{_libexecdir}/samba %ghost %{_libexecdir}/samba/cups_backend_smb %{_mandir}/man1/dbwrap_tool.1* @@ -1821,6 +1828,7 @@ fi %{_mandir}/man1/smbget.1* %{_mandir}/man1/smbtar.1* %{_mandir}/man1/smbtree.1* +%{_mandir}/man1/wspsearch.1* %{_mandir}/man7/traffic_learner.7.* %{_mandir}/man7/traffic_replay.7.* %{_mandir}/man8/cifsdd.8.* @@ -1872,86 +1880,86 @@ fi %{_libdir}/libtevent-util.so.%{libtevent_util_so_version}* %dir %{_libdir}/samba -%{_libdir}/samba/libCHARSET3-samba4.so -%{_libdir}/samba/libMESSAGING-SEND-samba4.so -%{_libdir}/samba/libMESSAGING-samba4.so -%{_libdir}/samba/libaddns-samba4.so -%{_libdir}/samba/libads-samba4.so -%{_libdir}/samba/libasn1util-samba4.so -%{_libdir}/samba/libauth-samba4.so -%{_libdir}/samba/libauthkrb5-samba4.so -%{_libdir}/samba/libcli-cldap-samba4.so -%{_libdir}/samba/libcli-ldap-common-samba4.so -%{_libdir}/samba/libcli-ldap-samba4.so -%{_libdir}/samba/libcli-nbt-samba4.so -%{_libdir}/samba/libcli-smb-common-samba4.so -%{_libdir}/samba/libcli-spoolss-samba4.so -%{_libdir}/samba/libcliauth-samba4.so -%{_libdir}/samba/libclidns-samba4.so -%{_libdir}/samba/libcluster-samba4.so -%{_libdir}/samba/libcmdline-contexts-samba4.so -%{_libdir}/samba/libcommon-auth-samba4.so -%{_libdir}/samba/libctdb-event-client-samba4.so -%{_libdir}/samba/libdbwrap-samba4.so -%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so -%{_libdir}/samba/libdcerpc-samba-samba4.so -%{_libdir}/samba/libevents-samba4.so -%{_libdir}/samba/libflag-mapping-samba4.so -%{_libdir}/samba/libgenrand-samba4.so -%{_libdir}/samba/libgensec-samba4.so -%{_libdir}/samba/libgpext-samba4.so -%{_libdir}/samba/libgpo-samba4.so -%{_libdir}/samba/libgse-samba4.so -%{_libdir}/samba/libhttp-samba4.so -%{_libdir}/samba/libinterfaces-samba4.so -%{_libdir}/samba/libiov-buf-samba4.so -%{_libdir}/samba/libkrb5samba-samba4.so -%{_libdir}/samba/libldbsamba-samba4.so -%{_libdir}/samba/liblibcli-lsa3-samba4.so -%{_libdir}/samba/liblibcli-netlogon3-samba4.so -%{_libdir}/samba/liblibsmb-samba4.so -%{_libdir}/samba/libmessages-dgm-samba4.so -%{_libdir}/samba/libmessages-util-samba4.so -%{_libdir}/samba/libmscat-samba4.so -%{_libdir}/samba/libmsghdr-samba4.so -%{_libdir}/samba/libmsrpc3-samba4.so -%{_libdir}/samba/libndr-samba-samba4.so -%{_libdir}/samba/libndr-samba4.so -%{_libdir}/samba/libnet-keytab-samba4.so -%{_libdir}/samba/libnetif-samba4.so -%{_libdir}/samba/libnpa-tstream-samba4.so -%{_libdir}/samba/libposix-eadb-samba4.so -%{_libdir}/samba/libprinter-driver-samba4.so -%{_libdir}/samba/libprinting-migrate-samba4.so -%{_libdir}/samba/libreplace-samba4.so -%{_libdir}/samba/libregistry-samba4.so -%{_libdir}/samba/libsamba-cluster-support-samba4.so -%{_libdir}/samba/libsamba-debug-samba4.so -%{_libdir}/samba/libsamba-modules-samba4.so -%{_libdir}/samba/libsamba-security-samba4.so -%{_libdir}/samba/libsamba-sockets-samba4.so -%{_libdir}/samba/libsamba3-util-samba4.so -%{_libdir}/samba/libsamdb-common-samba4.so -%{_libdir}/samba/libsecrets3-samba4.so -%{_libdir}/samba/libserver-id-db-samba4.so -%{_libdir}/samba/libserver-role-samba4.so -%{_libdir}/samba/libsmb-transport-samba4.so -%{_libdir}/samba/libsmbclient-raw-samba4.so -%{_libdir}/samba/libsmbd-base-samba4.so -%{_libdir}/samba/libsmbd-shim-samba4.so -%{_libdir}/samba/libsmbldaphelper-samba4.so -%{_libdir}/samba/libstable-sort-samba4.so -%{_libdir}/samba/libsys-rw-samba4.so -%{_libdir}/samba/libsocket-blocking-samba4.so -%{_libdir}/samba/libtalloc-report-printf-samba4.so -%{_libdir}/samba/libtalloc-report-samba4.so -%{_libdir}/samba/libtdb-wrap-samba4.so -%{_libdir}/samba/libtime-basic-samba4.so -%{_libdir}/samba/libtorture-samba4.so -%{_libdir}/samba/libtrusts-util-samba4.so -%{_libdir}/samba/libutil-reg-samba4.so -%{_libdir}/samba/libutil-setid-samba4.so -%{_libdir}/samba/libutil-tdb-samba4.so +%{_libdir}/samba/libCHARSET3-private-samba.so +%{_libdir}/samba/libMESSAGING-SEND-private-samba.so +%{_libdir}/samba/libMESSAGING-private-samba.so +%{_libdir}/samba/libaddns-private-samba.so +%{_libdir}/samba/libads-private-samba.so +%{_libdir}/samba/libasn1util-private-samba.so +%{_libdir}/samba/libauth-private-samba.so +%{_libdir}/samba/libauthkrb5-private-samba.so +%{_libdir}/samba/libcli-cldap-private-samba.so +%{_libdir}/samba/libcli-ldap-common-private-samba.so +%{_libdir}/samba/libcli-ldap-private-samba.so +%{_libdir}/samba/libcli-nbt-private-samba.so +%{_libdir}/samba/libcli-smb-common-private-samba.so +%{_libdir}/samba/libcli-spoolss-private-samba.so +%{_libdir}/samba/libcliauth-private-samba.so +%{_libdir}/samba/libclidns-private-samba.so +%{_libdir}/samba/libcluster-private-samba.so +%{_libdir}/samba/libcmdline-contexts-private-samba.so +%{_libdir}/samba/libcommon-auth-private-samba.so +%{_libdir}/samba/libctdb-event-client-private-samba.so +%{_libdir}/samba/libdbwrap-private-samba.so +%{_libdir}/samba/libdcerpc-pkt-auth-private-samba.so +%{_libdir}/samba/libdcerpc-samba-private-samba.so +%{_libdir}/samba/libevents-private-samba.so +%{_libdir}/samba/libflag-mapping-private-samba.so +%{_libdir}/samba/libgenrand-private-samba.so +%{_libdir}/samba/libgensec-private-samba.so +%{_libdir}/samba/libgpext-private-samba.so +%{_libdir}/samba/libgpo-private-samba.so +%{_libdir}/samba/libgse-private-samba.so +%{_libdir}/samba/libhttp-private-samba.so +%{_libdir}/samba/libinterfaces-private-samba.so +%{_libdir}/samba/libiov-buf-private-samba.so +%{_libdir}/samba/libkrb5samba-private-samba.so +%{_libdir}/samba/libldbsamba-private-samba.so +%{_libdir}/samba/liblibcli-lsa3-private-samba.so +%{_libdir}/samba/liblibcli-netlogon3-private-samba.so +%{_libdir}/samba/liblibsmb-private-samba.so +%{_libdir}/samba/libmessages-dgm-private-samba.so +%{_libdir}/samba/libmessages-util-private-samba.so +%{_libdir}/samba/libmscat-private-samba.so +%{_libdir}/samba/libmsghdr-private-samba.so +%{_libdir}/samba/libmsrpc3-private-samba.so +%{_libdir}/samba/libndr-samba-private-samba.so +%{_libdir}/samba/libndr-samba4-private-samba.so +%{_libdir}/samba/libnet-keytab-private-samba.so +%{_libdir}/samba/libnetif-private-samba.so +%{_libdir}/samba/libnpa-tstream-private-samba.so +%{_libdir}/samba/libposix-eadb-private-samba.so +%{_libdir}/samba/libprinter-driver-private-samba.so +%{_libdir}/samba/libprinting-migrate-private-samba.so +%{_libdir}/samba/libreplace-private-samba.so +%{_libdir}/samba/libregistry-private-samba.so +%{_libdir}/samba/libsamba-cluster-support-private-samba.so +%{_libdir}/samba/libsamba-debug-private-samba.so +%{_libdir}/samba/libsamba-modules-private-samba.so +%{_libdir}/samba/libsamba-security-private-samba.so +%{_libdir}/samba/libsamba-sockets-private-samba.so +%{_libdir}/samba/libsamba3-util-private-samba.so +%{_libdir}/samba/libsamdb-common-private-samba.so +%{_libdir}/samba/libsecrets3-private-samba.so +%{_libdir}/samba/libserver-id-db-private-samba.so +%{_libdir}/samba/libserver-role-private-samba.so +%{_libdir}/samba/libsmb-transport-private-samba.so +%{_libdir}/samba/libsmbclient-raw-private-samba.so +%{_libdir}/samba/libsmbd-base-private-samba.so +%{_libdir}/samba/libsmbd-shim-private-samba.so +%{_libdir}/samba/libsmbldaphelper-private-samba.so +%{_libdir}/samba/libstable-sort-private-samba.so +%{_libdir}/samba/libsys-rw-private-samba.so +%{_libdir}/samba/libsocket-blocking-private-samba.so +%{_libdir}/samba/libtalloc-report-printf-private-samba.so +%{_libdir}/samba/libtalloc-report-private-samba.so +%{_libdir}/samba/libtdb-wrap-private-samba.so +%{_libdir}/samba/libtime-basic-private-samba.so +%{_libdir}/samba/libtorture-private-samba.so +%{_libdir}/samba/libtrusts-util-private-samba.so +%{_libdir}/samba/libutil-reg-private-samba.so +%{_libdir}/samba/libutil-setid-private-samba.so +%{_libdir}/samba/libutil-tdb-private-samba.so %if %{without libwbclient} %{_libdir}/samba/libwbclient.so.* @@ -1966,9 +1974,9 @@ fi %if %{with includelibs} %{_libdir}/samba/libldb-*.so -%{_libdir}/samba/libtalloc-samba4.so -%{_libdir}/samba/libtdb-samba4.so -%{_libdir}/samba/libtevent-samba4.so +%{_libdir}/samba/libtalloc-private-samba.so +%{_libdir}/samba/libtdb-private-samba.so +%{_libdir}/samba/libtevent-private-samba.so %{_libdir}/samba/ldb/asq.so %{_libdir}/samba/ldb/ldb.so @@ -1987,6 +1995,8 @@ fi ### COMMON %files common +%doc README.md WHATSNEW.txt +%license COPYING %{_tmpfilesdir}/samba.conf %{_sysusersdir}/samba.conf %dir %{_sysconfdir}/logrotate.d/ @@ -1996,7 +2006,9 @@ fi %ghost %dir /run/samba %ghost %dir /run/winbindd %dir /var/lib/samba +%dir /var/lib/samba/certs %attr(700,root,root) %dir /var/lib/samba/private +%attr(700,root,root) %dir /var/lib/samba/private/certs %dir /var/lib/samba/lock %attr(755,root,root) %dir %{_sysconfdir}/samba %config(noreplace) %{_sysconfdir}/samba/smb.conf @@ -2011,7 +2023,7 @@ fi ### COMMON-LIBS %files common-libs # common libraries -%{_libdir}/samba/libcmdline-samba4.so +%{_libdir}/samba/libcmdline-private-samba.so %dir %{_libdir}/samba/ldb @@ -2056,6 +2068,7 @@ fi %endif %{_libexecdir}/samba/rpcd_spoolss %{_libexecdir}/samba/rpcd_winreg +%{_libexecdir}/samba/rpcd_witness %{_mandir}/man8/samba-dcerpcd.8* ### DC @@ -2141,16 +2154,16 @@ fi %endif ### DC-LIBS %files dc-libs -%{_libdir}/samba/libauth4-samba4.so +%{_libdir}/samba/libauth4-private-samba.so %if %{with dc} || %{with testsuite} -%{_libdir}/samba/libdb-glue-samba4.so -%{_libdir}/samba/libpac-samba4.so -%{_libdir}/samba/libprocess-model-samba4.so -%{_libdir}/samba/libservice-samba4.so +%{_libdir}/samba/libdb-glue-private-samba.so +%{_libdir}/samba/libpac-private-samba.so +%{_libdir}/samba/libprocess-model-private-samba.so +%{_libdir}/samba/libservice-private-samba.so %if %{with testsuite} -%{_libdir}/samba/libntvfs-samba4.so +%{_libdir}/samba/libntvfs-private-samba.so %endif %dir %{_libdir}/samba/process_model @@ -2176,11 +2189,11 @@ fi %endif %{_libdir}/libdcerpc-server.so.* -%{_libdir}/samba/libad-claims-samba4.so -%{_libdir}/samba/libauthn-policy-util-samba4.so -%{_libdir}/samba/libdsdb-module-samba4.so -%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so -%{_libdir}/samba/libscavenge-dns-records-samba4.so +%{_libdir}/samba/libad-claims-private-samba.so +%{_libdir}/samba/libauthn-policy-util-private-samba.so +%{_libdir}/samba/libdsdb-module-private-samba.so +%{_libdir}/samba/libdsdb-garbage-collect-tombstones-private-samba.so +%{_libdir}/samba/libscavenge-dns-records-private-samba.so ### DC-BIND %files dc-bind-dlz @@ -2254,6 +2267,7 @@ fi %{_includedir}/samba-4.0/samba/version.h %{_includedir}/samba-4.0/share.h %{_includedir}/samba-4.0/smb2_lease_struct.h +%{_includedir}/samba-4.0/smb3posix.h %{_includedir}/samba-4.0/smbconf.h %{_includedir}/samba-4.0/smb_ldap.h %{_includedir}/samba-4.0/smbldap.h @@ -2367,16 +2381,16 @@ fi %files libs %{_libdir}/libdcerpc-samr.so.* -%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so -%{_libdir}/samba/libauth-unix-token-samba4.so -%{_libdir}/samba/libdcerpc-samba4.so -%{_libdir}/samba/libdnsserver-common-samba4.so -%{_libdir}/samba/libshares-samba4.so -%{_libdir}/samba/libsmbpasswdparser-samba4.so -%{_libdir}/samba/libxattr-tdb-samba4.so -%{_libdir}/samba/libREG-FULL-samba4.so -%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so -%{_libdir}/samba/libRPC-WORKER-samba4.so +%{_libdir}/samba/libLIBWBCLIENT-OLD-private-samba.so +%{_libdir}/samba/libauth-unix-token-private-samba.so +%{_libdir}/samba/libdcerpc-samba4-private-samba.so +%{_libdir}/samba/libdnsserver-common-private-samba.so +%{_libdir}/samba/libshares-private-samba.so +%{_libdir}/samba/libsmbpasswdparser-private-samba.so +%{_libdir}/samba/libxattr-tdb-private-samba.so +%{_libdir}/samba/libREG-FULL-private-samba.so +%{_libdir}/samba/libRPC-SERVER-LOOP-private-samba.so +%{_libdir}/samba/libRPC-WORKER-private-samba.so ### LIBNETAPI %files -n libnetapi @@ -2476,6 +2490,7 @@ fi %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/functional_level.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc +%{python3_sitearch}/samba/__pycache__/gkdi.*.pyc %{python3_sitearch}/samba/__pycache__/graph.*.pyc %{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc %{python3_sitearch}/samba/__pycache__/idmap.*.pyc @@ -2486,6 +2501,7 @@ fi %{python3_sitearch}/samba/__pycache__/ms_schema.*.pyc %{python3_sitearch}/samba/__pycache__/ndr.*.pyc %{python3_sitearch}/samba/__pycache__/ntacls.*.pyc +%{python3_sitearch}/samba/__pycache__/nt_time.*.pyc %{python3_sitearch}/samba/__pycache__/policies.*.pyc %{python3_sitearch}/samba/__pycache__/safe_tarfile.*.pyc %{python3_sitearch}/samba/__pycache__/sd_utils.*.pyc @@ -2514,6 +2530,7 @@ fi %{python3_sitearch}/samba/dcerpc/auth.*.so %{python3_sitearch}/samba/dcerpc/base.*.so %{python3_sitearch}/samba/dcerpc/claims.*.so +%{python3_sitearch}/samba/dcerpc/conditional_ace.*.so %{python3_sitearch}/samba/dcerpc/dcerpc.*.so %{python3_sitearch}/samba/dcerpc/dfs.*.so %{python3_sitearch}/samba/dcerpc/dns.*.so @@ -2522,6 +2539,8 @@ fi %{python3_sitearch}/samba/dcerpc/drsuapi.*.so %{python3_sitearch}/samba/dcerpc/echo.*.so %{python3_sitearch}/samba/dcerpc/epmapper.*.so +%{python3_sitearch}/samba/dcerpc/gkdi.*.so +%{python3_sitearch}/samba/dcerpc/gmsa.*.so %{python3_sitearch}/samba/dcerpc/idmap.*.so %{python3_sitearch}/samba/dcerpc/initshutdown.*.so %{python3_sitearch}/samba/dcerpc/irpc.*.so @@ -2540,6 +2559,8 @@ fi %{python3_sitearch}/samba/dcerpc/security.*.so %{python3_sitearch}/samba/dcerpc/server_id.*.so %{python3_sitearch}/samba/dcerpc/smb_acl.*.so +%{python3_sitearch}/samba/dcerpc/smb3posix.*.so +%{python3_sitearch}/samba/dcerpc/smbXsrv.*.so %{python3_sitearch}/samba/dcerpc/spoolss.*.so %{python3_sitearch}/samba/dcerpc/srvsvc.*.so %{python3_sitearch}/samba/dcerpc/svcctl.*.so @@ -2559,6 +2580,7 @@ fi %{python3_sitearch}/samba/functional_level.py %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py +%{python3_sitearch}/samba/gkdi.py %{python3_sitearch}/samba/graph.py %{python3_sitearch}/samba/hostconfig.py %{python3_sitearch}/samba/idmap.py @@ -2585,6 +2607,7 @@ fi %{python3_sitearch}/samba/gp/__pycache__/gp_centrify_crontab_ext.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_centrify_sudoers_ext.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_cert_auto_enroll_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_drive_maps_ext.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_chromium_ext.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_ext_loader.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_firefox_ext.*.pyc @@ -2610,6 +2633,7 @@ fi %{python3_sitearch}/samba/gp/gp_centrify_crontab_ext.py %{python3_sitearch}/samba/gp/gp_centrify_sudoers_ext.py %{python3_sitearch}/samba/gp/gp_cert_auto_enroll_ext.py +%{python3_sitearch}/samba/gp/gp_drive_maps_ext.py %{python3_sitearch}/samba/gp/gp_chromium_ext.py %{python3_sitearch}/samba/gp/gp_ext_loader.py %{python3_sitearch}/samba/gp/gp_firefox_ext.py @@ -2644,6 +2668,7 @@ fi %{python3_sitearch}/samba/gp_parse/gp_inf.py %{python3_sitearch}/samba/gp_parse/gp_ini.py %{python3_sitearch}/samba/gp_parse/gp_pol.py +%{python3_sitearch}/samba/hresult.*.so %{python3_sitearch}/samba/logger.py %{python3_sitearch}/samba/mdb_util.py %{python3_sitearch}/samba/ms_display_specifiers.py @@ -2675,11 +2700,11 @@ fi %{python3_sitearch}/samba/netcmd/__pycache__/processes.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/pso.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/rodc.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/shell.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/schema.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/sites.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/spn.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/testparm.*.pyc -%{python3_sitearch}/samba/netcmd/__pycache__/user.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/validators.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/visualize.*.pyc %{python3_sitearch}/samba/netcmd/common.py @@ -2746,7 +2771,9 @@ fi %{python3_sitearch}/samba/netcmd/domain/models/__pycache__/claim_type.*.pyc %{python3_sitearch}/samba/netcmd/domain/models/__pycache__/exceptions.*.pyc %{python3_sitearch}/samba/netcmd/domain/models/__pycache__/fields.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/group.*.pyc %{python3_sitearch}/samba/netcmd/domain/models/__pycache__/model.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/query.*.pyc %{python3_sitearch}/samba/netcmd/domain/models/__pycache__/schema.*.pyc %{python3_sitearch}/samba/netcmd/domain/models/__pycache__/site.*.pyc %{python3_sitearch}/samba/netcmd/domain/models/__pycache__/subnet.*.pyc @@ -2757,7 +2784,9 @@ fi %{python3_sitearch}/samba/netcmd/domain/models/claim_type.py %{python3_sitearch}/samba/netcmd/domain/models/exceptions.py %{python3_sitearch}/samba/netcmd/domain/models/fields.py +%{python3_sitearch}/samba/netcmd/domain/models/group.py %{python3_sitearch}/samba/netcmd/domain/models/model.py +%{python3_sitearch}/samba/netcmd/domain/models/query.py %{python3_sitearch}/samba/netcmd/domain/models/schema.py %{python3_sitearch}/samba/netcmd/domain/models/site.py %{python3_sitearch}/samba/netcmd/domain/models/subnet.py @@ -2787,13 +2816,72 @@ fi %{python3_sitearch}/samba/netcmd/pso.py %{python3_sitearch}/samba/netcmd/rodc.py %{python3_sitearch}/samba/netcmd/schema.py +%{python3_sitearch}/samba/netcmd/shell.py %{python3_sitearch}/samba/netcmd/sites.py %{python3_sitearch}/samba/netcmd/spn.py %{python3_sitearch}/samba/netcmd/testparm.py -%{python3_sitearch}/samba/netcmd/user.py +%dir %{python3_sitearch}/samba/netcmd/user +%{python3_sitearch}/samba/netcmd/user/__init__.py +%{python3_sitearch}/samba/netcmd/user/add.py +%{python3_sitearch}/samba/netcmd/user/add_unix_attrs.py +%dir %{python3_sitearch}/samba/netcmd/user/auth +%{python3_sitearch}/samba/netcmd/user/auth/__init__.py +%{python3_sitearch}/samba/netcmd/user/auth/policy.py +%dir %{python3_sitearch}/samba/netcmd/user/auth/__pycache__ +%{python3_sitearch}/samba/netcmd/user/auth/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/user/auth/__pycache__/policy.*.pyc +%{python3_sitearch}/samba/netcmd/user/auth/__pycache__/silo.*.pyc +%{python3_sitearch}/samba/netcmd/user/auth/silo.py +%{python3_sitearch}/samba/netcmd/user/delete.py +%{python3_sitearch}/samba/netcmd/user/disable.py +%{python3_sitearch}/samba/netcmd/user/edit.py +%{python3_sitearch}/samba/netcmd/user/enable.py +%{python3_sitearch}/samba/netcmd/user/getgroups.py +%{python3_sitearch}/samba/netcmd/user/list.py +%{python3_sitearch}/samba/netcmd/user/move.py +%{python3_sitearch}/samba/netcmd/user/password.py +%dir %{python3_sitearch}/samba/netcmd/user/__pycache__ +%{python3_sitearch}/samba/netcmd/user/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/add.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/add_unix_attrs.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/delete.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/disable.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/edit.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/enable.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/getgroups.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/list.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/move.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/password.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/rename.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/sensitive.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/setexpiry.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/setpassword.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/setprimarygroup.*.pyc +%{python3_sitearch}/samba/netcmd/user/__pycache__/unlock.*.pyc +%dir %{python3_sitearch}/samba/netcmd/user/readpasswords +%{python3_sitearch}/samba/netcmd/user/readpasswords/common.py +%{python3_sitearch}/samba/netcmd/user/readpasswords/get_kerberos_ticket.py +%{python3_sitearch}/samba/netcmd/user/readpasswords/getpassword.py +%{python3_sitearch}/samba/netcmd/user/readpasswords/__init__.py +%dir %{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__ +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/common.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/get_kerberos_ticket.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/getpassword.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/show.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/__pycache__/syncpasswords.*.pyc +%{python3_sitearch}/samba/netcmd/user/readpasswords/show.py +%{python3_sitearch}/samba/netcmd/user/readpasswords/syncpasswords.py +%{python3_sitearch}/samba/netcmd/user/rename.py +%{python3_sitearch}/samba/netcmd/user/sensitive.py +%{python3_sitearch}/samba/netcmd/user/setexpiry.py +%{python3_sitearch}/samba/netcmd/user/setpassword.py +%{python3_sitearch}/samba/netcmd/user/setprimarygroup.py +%{python3_sitearch}/samba/netcmd/user/unlock.py %{python3_sitearch}/samba/netcmd/validators.py %{python3_sitearch}/samba/netcmd/visualize.py %{python3_sitearch}/samba/ntacls.py +%{python3_sitearch}/samba/nt_time.py %{python3_sitearch}/samba/param.*.so %{python3_sitearch}/samba/policies.py %{python3_sitearch}/samba/policy.*.so @@ -2935,6 +3023,9 @@ fi %{python3_sitearch}/samba/tests/__pycache__/common.*.pyc %{python3_sitearch}/samba/tests/__pycache__/complex_expressions.*.pyc %{python3_sitearch}/samba/tests/__pycache__/compression.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/conditional_ace_assembler.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/conditional_ace_bytes.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/conditional_ace_claims.*.pyc %{python3_sitearch}/samba/tests/__pycache__/core.*.pyc %{python3_sitearch}/samba/tests/__pycache__/credentials.*.pyc %{python3_sitearch}/samba/tests/__pycache__/cred_opt.*.pyc @@ -2959,6 +3050,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/gensec.*.pyc %{python3_sitearch}/samba/tests/__pycache__/get_opt.*.pyc %{python3_sitearch}/samba/tests/__pycache__/getdcname.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/gkdi.*.pyc %{python3_sitearch}/samba/tests/__pycache__/glue.*.pyc %{python3_sitearch}/samba/tests/__pycache__/gpo.*.pyc %{python3_sitearch}/samba/tests/__pycache__/gpo_member.*.pyc @@ -2979,7 +3071,6 @@ fi %{python3_sitearch}/samba/tests/__pycache__/libsmb-basic.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc -%{python3_sitearch}/samba/tests/__pycache__/ndr.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netbios.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netcmd.*.pyc %{python3_sitearch}/samba/tests/__pycache__/net_join_no_spnego.*.pyc @@ -3025,7 +3116,9 @@ fi %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc %{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sddl_conditional_ace.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/security_descriptors.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc %{python3_sitearch}/samba/tests/__pycache__/sid_strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc @@ -3041,6 +3134,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc %{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/token_factory.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgradeprovision.*.pyc %{python3_sitearch}/samba/tests/__pycache__/upgradeprovisionneeddc.*.pyc @@ -3064,16 +3158,22 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/__init__.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/claims.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/http_chunk.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/http_content.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/misc_dfs_widelink.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_dns.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/rpcd_witness_samba_only.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_basic.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_dfs_propagate_inherit.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_propagate_inhertance.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_save_restore.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol_process.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/traffic_learner.*.pyc @@ -3081,16 +3181,22 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/traffic_summary.*.pyc %{python3_sitearch}/samba/tests/blackbox/bug13653.py %{python3_sitearch}/samba/tests/blackbox/check_output.py +%{python3_sitearch}/samba/tests/blackbox/claims.py %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py +%{python3_sitearch}/samba/tests/blackbox/http_chunk.py +%{python3_sitearch}/samba/tests/blackbox/http_content.py %{python3_sitearch}/samba/tests/blackbox/mdsearch.py +%{python3_sitearch}/samba/tests/blackbox/misc_dfs_widelink.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py %{python3_sitearch}/samba/tests/blackbox/netads_dns.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py +%{python3_sitearch}/samba/tests/blackbox/rpcd_witness_samba_only.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py %{python3_sitearch}/samba/tests/blackbox/smbcacls.py %{python3_sitearch}/samba/tests/blackbox/smbcacls_basic.py %{python3_sitearch}/samba/tests/blackbox/smbcacls_dfs_propagate_inherit.py %{python3_sitearch}/samba/tests/blackbox/smbcacls_propagate_inhertance.py +%{python3_sitearch}/samba/tests/blackbox/smbcacls_save_restore.py %{python3_sitearch}/samba/tests/blackbox/smbcontrol.py %{python3_sitearch}/samba/tests/blackbox/smbcontrol_process.py %{python3_sitearch}/samba/tests/blackbox/traffic_learner.py @@ -3099,6 +3205,9 @@ fi %{python3_sitearch}/samba/tests/common.py %{python3_sitearch}/samba/tests/compression.py %{python3_sitearch}/samba/tests/complex_expressions.py +%{python3_sitearch}/samba/tests/conditional_ace_assembler.py +%{python3_sitearch}/samba/tests/conditional_ace_bytes.py +%{python3_sitearch}/samba/tests/conditional_ace_claims.py %{python3_sitearch}/samba/tests/core.py %{python3_sitearch}/samba/tests/credentials.py %{python3_sitearch}/samba/tests/cred_opt.py @@ -3178,6 +3287,7 @@ fi %{python3_sitearch}/samba/tests/gensec.py %{python3_sitearch}/samba/tests/getdcname.py %{python3_sitearch}/samba/tests/get_opt.py +%{python3_sitearch}/samba/tests/gkdi.py %{python3_sitearch}/samba/tests/glue.py %{python3_sitearch}/samba/tests/gpo.py %{python3_sitearch}/samba/tests/gpo_member.py @@ -3207,14 +3317,17 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/claims_in_pac.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/claims_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/conditional_ace_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/device_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/etype_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/gkdi_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/group_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgt_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/lockout_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc @@ -3225,6 +3338,7 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1_generated.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc @@ -3244,14 +3358,17 @@ fi %{python3_sitearch}/samba/tests/krb5/claims_in_pac.py %{python3_sitearch}/samba/tests/krb5/claims_tests.py %{python3_sitearch}/samba/tests/krb5/compatability_tests.py +%{python3_sitearch}/samba/tests/krb5/conditional_ace_tests.py %{python3_sitearch}/samba/tests/krb5/device_tests.py %{python3_sitearch}/samba/tests/krb5/etype_tests.py %{python3_sitearch}/samba/tests/krb5/fast_tests.py +%{python3_sitearch}/samba/tests/krb5/gkdi_tests.py %{python3_sitearch}/samba/tests/krb5/group_tests.py %{python3_sitearch}/samba/tests/krb5/kcrypto.py %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py +%{python3_sitearch}/samba/tests/krb5/kdc_tgt_tests.py %{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py %{python3_sitearch}/samba/tests/krb5/lockout_tests.py %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -3262,6 +3379,7 @@ fi %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py +%{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1_generated.py %{python3_sitearch}/samba/tests/krb5/rodc_tests.py %{python3_sitearch}/samba/tests/krb5/simple_tests.py %{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py @@ -3286,7 +3404,14 @@ fi %{python3_sitearch}/samba/tests/logfiles.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py -%{python3_sitearch}/samba/tests/ndr.py +%dir %{python3_sitearch}/samba/tests/ndr +%{python3_sitearch}/samba/tests/ndr/gkdi.py +%{python3_sitearch}/samba/tests/ndr/gmsa.py +%dir %{python3_sitearch}/samba/tests/ndr/__pycache__ +%{python3_sitearch}/samba/tests/ndr/__pycache__/gkdi.*.pyc +%{python3_sitearch}/samba/tests/ndr/__pycache__/gmsa.*.pyc +%{python3_sitearch}/samba/tests/ndr/__pycache__/wbint.*.pyc +%{python3_sitearch}/samba/tests/ndr/wbint.py %{python3_sitearch}/samba/tests/netbios.py %{python3_sitearch}/samba/tests/netcmd.py %{python3_sitearch}/samba/tests/net_join_no_spnego.py @@ -3338,7 +3463,6 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/contact.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/demote.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/dnscmd.*.pyc -%{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_auth_base.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_auth_policy.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_auth_silo.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_claim.*.pyc @@ -3364,10 +3488,15 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_userPassword_crypt.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/rodc.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/schema.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/silo_base.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/sites.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/timecmd.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_auth_policy.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_auth_silo.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_check_password_script.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_get_kerberos_ticket.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_getpassword_gmsa.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_base.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_gpg.*.pyc @@ -3380,7 +3509,6 @@ fi %{python3_sitearch}/samba/tests/samba_tool/contact.py %{python3_sitearch}/samba/tests/samba_tool/demote.py %{python3_sitearch}/samba/tests/samba_tool/dnscmd.py -%{python3_sitearch}/samba/tests/samba_tool/domain_auth_base.py %{python3_sitearch}/samba/tests/samba_tool/domain_auth_policy.py %{python3_sitearch}/samba/tests/samba_tool/domain_auth_silo.py %{python3_sitearch}/samba/tests/samba_tool/domain_claim.py @@ -3406,10 +3534,15 @@ fi %{python3_sitearch}/samba/tests/samba_tool/provision_userPassword_crypt.py %{python3_sitearch}/samba/tests/samba_tool/rodc.py %{python3_sitearch}/samba/tests/samba_tool/schema.py +%{python3_sitearch}/samba/tests/samba_tool/silo_base.py %{python3_sitearch}/samba/tests/samba_tool/sites.py %{python3_sitearch}/samba/tests/samba_tool/timecmd.py %{python3_sitearch}/samba/tests/samba_tool/user.py +%{python3_sitearch}/samba/tests/samba_tool/user_auth_policy.py +%{python3_sitearch}/samba/tests/samba_tool/user_auth_silo.py %{python3_sitearch}/samba/tests/samba_tool/user_check_password_script.py +%{python3_sitearch}/samba/tests/samba_tool/user_get_kerberos_ticket.py +%{python3_sitearch}/samba/tests/samba_tool/user_getpassword_gmsa.py %{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py %{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_base.py %{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py @@ -3420,7 +3553,9 @@ fi %{python3_sitearch}/samba/tests/samdb.py %{python3_sitearch}/samba/tests/samdb_api.py %{python3_sitearch}/samba/tests/sddl.py +%{python3_sitearch}/samba/tests/sddl_conditional_ace.py %{python3_sitearch}/samba/tests/security.py +%{python3_sitearch}/samba/tests/security_descriptors.py %{python3_sitearch}/samba/tests/segfault.py %{python3_sitearch}/samba/tests/sid_strings.py %{python3_sitearch}/samba/tests/smb.py @@ -3436,6 +3571,7 @@ fi %{python3_sitearch}/samba/tests/strings.py %{python3_sitearch}/samba/tests/subunitrun.py %{python3_sitearch}/samba/tests/tdb_util.py +%{python3_sitearch}/samba/tests/token_factory.py %{python3_sitearch}/samba/tests/upgrade.py %{python3_sitearch}/samba/tests/upgradeprovision.py %{python3_sitearch}/samba/tests/upgradeprovisionneeddc.py @@ -3466,9 +3602,9 @@ fi ### TEST-LIBS %files test-libs %if %{with dc} || %{with testsuite} -%{_libdir}/samba/libdlz-bind9-for-torture-samba4.so +%{_libdir}/samba/libdlz-bind9-for-torture-private-samba.so %else -%{_libdir}/samba/libdsdb-module-samba4.so +%{_libdir}/samba/libdsdb-module-private-samba.so %endif ### USERSHARES @@ -3481,8 +3617,8 @@ fi %files winbind %{_libdir}/samba/idmap %{_libdir}/samba/nss_info -%{_libdir}/samba/libnss-info-samba4.so -%{_libdir}/samba/libidmap-samba4.so +%{_libdir}/samba/libnss-info-private-samba.so +%{_libdir}/samba/libidmap-private-samba.so %{_sbindir}/winbindd %{_sysusersdir}/samba-winbind.conf %attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged @@ -3614,6 +3750,7 @@ fi %{_datadir}/ctdb/events/legacy/31.clamd.script %{_datadir}/ctdb/events/legacy/40.vsftpd.script %{_datadir}/ctdb/events/legacy/41.httpd.script +%{_datadir}/ctdb/events/legacy/47.samba-dcerpcd.script %{_datadir}/ctdb/events/legacy/48.netbios.script %{_datadir}/ctdb/events/legacy/49.winbind.script %{_datadir}/ctdb/events/legacy/50.samba.script @@ -4473,8 +4610,31 @@ fi %endif %changelog -* Wed Apr 24 2024 Pavel Filipenský - 4.19.4-105 -- resolves: RHEL-33783 - Add option to request only POSIX groups from AD in idmap_ad +* Thu Aug 01 2024 Pavel Filipenský - 4.20.2-2 +- resolves: RHEL-47757 - Allow to run samba-bgqd as a standalone systemd service + +* Tue Jul 02 2024 Pavel Filipenský - 4.20.2-1 +- related: RHEL-33645 - Update to version 4.20.2 +- resolves: RHEL-45841 - Fix KDC IP address lookup in case of trusted domain +- resolves: RHEL-23814 - Fix smbclient to enumerate the printers + +* Wed May 29 2024 Pavel Filipenský - 4.20.1-1 +- related: RHEL-33645 - Remove autorelease - rpmautospec is not available for rhel-9 yet + +* Tue May 28 2024 Pavel Filipenský - 4.20.1-1 +- related: RHEL-33645 - Update to version 4.20.1 +- resolves: RHEL-26337 - Fix site lookup for samba-gpupdate +- resolves: RHEL-5846 - Fix warning messages while upgrading libwbclient + +* Mon Apr 29 2024 Pavel Filipenský - 4.20.0-103 +- resolves: RHEL-20473 - Improve performance of winbind idmap_ad backend + +* Mon Apr 29 2024 Pavel Filipenský - 4.20.0-102 +- resolves: RHEL-2109 - Support Certificate Auto Enrollment in Samba +- resolves: RHEL-22157 - Fix root cert import for samba-gpupdate + +* Fri Apr 26 2024 Pavel Filipenský - 4.20.0-101 +- resolves: RHEL-33645 - Update to version 4.20.0 * Mon Feb 19 2024 Andreas Schneider - 4.19.4-104 - related: RHEL-2109 - Disable support for certificate auto enrollment