From 8380904ad81171eb3f8bd2841bd4070f1efc91a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Mon, 8 Aug 2022 22:32:54 +0200 Subject: [PATCH] Update to version 4.17.0rc1 resolves: #2116503 Guenther --- .gitignore | 2 + samba-4.16-waf-crypto.patch | 77 ----- samba-mount_h.patch | 36 -- samba-s4u.patch | 642 ------------------------------------ samba.spec | 140 ++++---- sources | 4 +- 6 files changed, 84 insertions(+), 817 deletions(-) delete mode 100644 samba-4.16-waf-crypto.patch delete mode 100644 samba-mount_h.patch delete mode 100644 samba-s4u.patch diff --git a/.gitignore b/.gitignore index 477e1dc..cb83d82 100644 --- a/.gitignore +++ b/.gitignore @@ -297,3 +297,5 @@ samba-3.6.0pre1.tar.gz /samba-4.16.3.tar.asc /samba-4.16.4.tar.xz /samba-4.16.4.tar.asc +/samba-4.17.0rc1.tar.xz +/samba-4.17.0rc1.tar.asc diff --git a/samba-4.16-waf-crypto.patch b/samba-4.16-waf-crypto.patch deleted file mode 100644 index 337be97..0000000 --- a/samba-4.16-waf-crypto.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:24:04 +0200 -Subject: [PATCH 1/2] waf: Check for GnuTLS earlier - -As GnuTLS is an essential part we need to check for it early so we can react on -GnuTLS features in other wscripts. - -Signed-off-by: Andreas Schneider ---- - wscript | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/wscript b/wscript -index d8220b35095..5b85d9a1682 100644 ---- a/wscript -+++ b/wscript -@@ -189,6 +189,8 @@ def configure(conf): - conf.RECURSE('dynconfig') - conf.RECURSE('selftest') - -+ conf.PROCESS_SEPARATE_RULE('system_gnutls') -+ - conf.CHECK_CFG(package='zlib', minversion='1.2.3', - args='--cflags --libs', - mandatory=True) -@@ -297,8 +299,6 @@ def configure(conf): - if not conf.CONFIG_GET('KRB5_VENDOR'): - conf.PROCESS_SEPARATE_RULE('embedded_heimdal') - -- conf.PROCESS_SEPARATE_RULE('system_gnutls') -- - conf.RECURSE('source4/dsdb/samdb/ldb_modules') - conf.RECURSE('source4/ntvfs/sysdep') - conf.RECURSE('lib/util') --- -2.35.1 - - -From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Apr 2022 11:25:31 +0200 -Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS - provides the cipher - -Signed-off-by: Andreas Schneider ---- - third_party/wscript | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/third_party/wscript b/third_party/wscript -index 1f4bc1ce1d7..a17c15bcaa7 100644 ---- a/third_party/wscript -+++ b/third_party/wscript -@@ -5,7 +5,8 @@ from waflib import Options - def configure(conf): - conf.RECURSE('cmocka') - conf.RECURSE('popt') -- conf.RECURSE('aesni-intel') -+ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ conf.RECURSE('aesni-intel') - if conf.CONFIG_GET('ENABLE_SELFTEST'): - conf.RECURSE('socket_wrapper') - conf.RECURSE('nss_wrapper') -@@ -18,7 +19,8 @@ def configure(conf): - def build(bld): - bld.RECURSE('cmocka') - bld.RECURSE('popt') -- bld.RECURSE('aesni-intel') -+ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): -+ bld.RECURSE('aesni-intel') - if bld.CONFIG_GET('SOCKET_WRAPPER'): - bld.RECURSE('socket_wrapper') - if bld.CONFIG_GET('NSS_WRAPPER'): --- -2.35.1 - diff --git a/samba-mount_h.patch b/samba-mount_h.patch deleted file mode 100644 index 9b3ead2..0000000 --- a/samba-mount_h.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 37b1f282d1b549063d2fca07caca812292be1d3b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 29 Jul 2022 10:08:24 +0200 -Subject: [PATCH] lib:replace: Remove from filesys.h - -You need to be careful if you include or -at least since glibc 2.36. - -Details at: -https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15132 - -Signed-off-by: Andreas Schneider ---- - lib/replace/system/filesys.h | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/lib/replace/system/filesys.h b/lib/replace/system/filesys.h -index 034e5d5886c..190c6b90f93 100644 ---- a/lib/replace/system/filesys.h -+++ b/lib/replace/system/filesys.h -@@ -36,10 +36,6 @@ - #include - #endif - --#ifdef HAVE_SYS_MOUNT_H --#include --#endif -- - #ifdef HAVE_MNTENT_H - #include - #endif --- -2.37.1 - diff --git a/samba-s4u.patch b/samba-s4u.patch deleted file mode 100644 index 5d3cb55..0000000 --- a/samba-s4u.patch +++ /dev/null @@ -1,642 +0,0 @@ -From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:25:03 +0300 -Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------ - source4/kdc/mit_samba.c | 47 ++------- - source4/kdc/mit_samba.h | 6 +- - 3 files changed, 71 insertions(+), 106 deletions(-) - -diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index 793fe366c35..22534c09974 100644 ---- a/source4/kdc/mit-kdb/kdb_samba_policies.c -+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, - krb5_keyblock *krbtgt_key, - krb5_timestamp authtime, - krb5_authdata **tgt_auth_data, -- krb5_pac *pac) -+ krb5_pac *out_pac) - { - struct mit_samba_context *mit_ctx; - krb5_authdata **authdata = NULL; -- krb5_pac ipac = NULL; -- DATA_BLOB logon_data = { NULL, 0 }; -+ krb5_keyblock *header_server_key = NULL; -+ krb5_key_data *impersonator_kd = NULL; -+ krb5_keyblock impersonator_key = {0}; - krb5_error_code code; -+ krb5_pac pac; -+ -+ *out_pac = NULL; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { -@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = krb5_pac_parse(context, - authdata[0]->contents, - authdata[0]->length, -- &ipac); -+ &pac); - if (code != 0) { - goto done; - } - -- /* TODO: verify this is correct -- * -- * In the constrained delegation case, the PAC is from a service -- * ticket rather than a TGT; we must verify the server and KDC -- * signatures to assert that the server did not forge the PAC. -+ /* -+ * For constrained delegation in MIT version < 1.18 we aren't provided -+ * with the 2nd ticket server key to verify the PAC. -+ * We can workaround that by fetching the key from the client db entry, -+ * which is the impersonator account in that version. -+ * TODO: use the provided entry in the new 1.18 version. - */ - if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- server_key, -- krbtgt_key); -+ /* The impersonator must be local. */ -+ if (client == NULL) { -+ code = KRB5KDC_ERR_BADOPTION; -+ goto done; -+ } -+ /* Fetch and decrypt 2nd ticket server's current key. */ -+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0, -+ &impersonator_kd); -+ if (code != 0) { -+ goto done; -+ } -+ code = krb5_dbe_decrypt_key_data(context, NULL, -+ impersonator_kd, -+ &impersonator_key, NULL); -+ if (code != 0) { -+ goto done; -+ } -+ header_server_key = &impersonator_key; - } else { -- code = krb5_pac_verify(context, -- ipac, -- authtime, -- client_princ, -- krbtgt_key, -- NULL); -- } -- if (code != 0) { -- goto done; -+ header_server_key = krbtgt_key; - } - -- /* check and update PAC */ -- code = krb5_pac_parse(context, -- authdata[0]->contents, -- authdata[0]->length, -- pac); -+ code = krb5_pac_verify(context, pac, authtime, client_princ, -+ header_server_key, NULL); - if (code != 0) { - goto done; - } -@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, - code = mit_samba_reget_pac(mit_ctx, - context, - flags, -- client_princ, - client, - server, - krbtgt, - krbtgt_key, -- pac); -+ &pac); -+ if (code != 0) { -+ goto done; -+ } -+ -+ *out_pac = pac; -+ pac = NULL; - - done: -+ krb5_free_keyblock_contents(context, &impersonator_key); - krb5_free_authdata(context, authdata); -- krb5_pac_free(context, ipac); -- free(logon_data.data); -+ krb5_pac_free(context, pac); - - return code; - } -@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krb5_authdata **pac_auth_data = NULL; - krb5_authdata **authdata = NULL; - krb5_boolean is_as_req; -+ krb5_const_principal pac_client; - krb5_error_code code; - krb5_pac pac = NULL; - krb5_data pac_data; -@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; - krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; - -- /* FIXME: We don't support S4U yet */ -- if (flags & KRB5_KDB_FLAGS_S4U) { -- return KRB5_KDB_DBTYPE_NOSUP; -- } -- - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); - - /* -@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - ks_client_princ = client->princ; - } - -+ /* In protocol transition, we are currently not provided with the tgt -+ * client name to verify the PAC, we could probably skip the name -+ * verification and just verify the signatures, but since we don't -+ * support cross-realm nor aliases, we can just use server->princ */ -+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { -+ pac_client = server->princ; -+ } else { -+ pac_client = ks_client_princ; -+ } -+ - if (client_entry == NULL) { - client_entry = client; - } -@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - - code = ks_verify_pac(context, - flags, -- ks_client_princ, -+ pac_client, - client_entry, - server, - krbtgt, -@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - is_as_req ? "AS-REQ" : "TGS-REQ", - client_name); - code = krb5_pac_sign(context, pac, authtime, ks_client_princ, -- server_key, krbtgt_key, &pac_data); -+ server_key, krbtgt_key, &pac_data); - if (code != 0) { - DBG_ERR("krb5_pac_sign failed: %d\n", code); - goto done; -@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - KRB5_AUTHDATA_IF_RELEVANT, - authdata, - signed_auth_data); -- if (code != 0) { -- goto done; -- } -- -- code = 0; -- - done: - if (client_entry != NULL && client_entry != client) { - ks_free_principal(context, client_entry); -@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, - * server; -> delegating service - * proxy; -> target principal - */ -- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server); -- -- char *target_name = NULL; -- bool is_enterprise; -- krb5_error_code code; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { - return KRB5_KDB_DBNOTINITED; - } - -- code = krb5_unparse_name(context, proxy, &target_name); -- if (code) { -- goto done; -- } -- -- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL); -- -- code = mit_samba_check_s4u2proxy(mit_ctx, -- delegating_service, -- target_name, -- is_enterprise); -- --done: -- free(target_name); -- return code; -+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy); - } - - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index cb72b5de294..03c2c2ea1de 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - context, - *pac, - server->princ, -- discard_const(client_principal), -+ client->princ, - deleg_blob); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Update delegation info failed: %s\n", -@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - } - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name) -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal) - { --#if 1 -- /* -- * This is disabled because mit_samba_update_pac_data() does not handle -- * S4U_DELEGATION_INFO -- */ -- -- return KRB5KDC_ERR_BADOPTION; --#else -- krb5_principal target_principal; -- int flags = 0; -- int ret; -- -- if (is_nt_enterprise_name) { -- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; -- } -- -- ret = krb5_parse_name_flags(ctx->context, target_name, -- flags, &target_principal); -- if (ret) { -- return ret; -- } -- -- ret = samba_kdc_check_s4u2proxy(ctx->context, -- ctx->db_ctx, -- skdc_entry, -- target_principal); -- -- krb5_free_principal(ctx->context, target_principal); -- -- return ret; --#endif -+ struct samba_kdc_entry *server_skdc_entry = -+ talloc_get_type_abort(server->e_data, -+ struct samba_kdc_entry); -+ -+ return samba_kdc_check_s4u2proxy(ctx->context, -+ ctx->db_ctx, -+ server_skdc_entry, -+ target_principal); - } - - static krb5_error_code mit_samba_change_pwd_error(krb5_context context, -diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h -index 4431e82a1b2..9370ab533af 100644 ---- a/source4/kdc/mit_samba.h -+++ b/source4/kdc/mit_samba.h -@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, - krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int flags, -- krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, -@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, - DATA_BLOB *e_data); - - int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, -- krb5_db_entry *kentry, -- const char *target_name, -- bool is_nt_enterprise_name); -+ const krb5_db_entry *server, -+ krb5_const_principal target_principal); - - int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, - char *pwd, --- -2.37.1 - - -From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 27 Sep 2019 18:35:30 +0300 -Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build - -Signed-off-by: Isaac Boukris -Pair-Programmed-With: Andreas Schneider ---- - lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++ - lib/krb5_wrap/krb5_samba.h | 2 - - source4/auth/kerberos/kerberos_util.c | 11 -- - 3 files changed, 185 insertions(+), 13 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 4321f07ca09..3fd95e47fca 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - - return 0; - } -+ -+#else /* MIT */ -+ -+static bool princ_compare_no_dollar(krb5_context ctx, -+ krb5_principal a, -+ krb5_principal b) -+{ -+ bool cmp; -+ krb5_principal mod = NULL; -+ -+ if (a->length == 1 && b->length == 1 && -+ a->data[0].length != 0 && b->data[0].length != 0 && -+ a->data[0].data[a->data[0].length -1] != -+ b->data[0].data[b->data[0].length -1]) { -+ if (a->data[0].data[a->data[0].length -1] == '$') { -+ mod = a; -+ mod->data[0].length--; -+ } else if (b->data[0].data[b->data[0].length -1] == '$') { -+ mod = b; -+ mod->data[0].length--; -+ } -+ } -+ -+ cmp = krb5_principal_compare_flags(ctx, a, b, -+ KRB5_PRINCIPAL_COMPARE_CASEFOLD); -+ -+ if (mod != NULL) { -+ mod->data[0].length++; -+ } -+ -+ return cmp; -+} -+ -+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, -+ krb5_ccache store_cc, -+ krb5_principal init_principal, -+ const char *init_password, -+ krb5_principal impersonate_principal, -+ const char *self_service, -+ const char *target_service, -+ krb5_get_init_creds_opt *krb_options, -+ time_t *expire_time, -+ time_t *kdc_time) -+{ -+ krb5_error_code code; -+ krb5_principal self_princ = NULL; -+ krb5_principal target_princ = NULL; -+ krb5_creds *store_creds; -+ krb5_creds *s4u2self_creds = NULL; -+ krb5_creds *s4u2proxy_creds = NULL; -+ krb5_creds init_creds = {0}; -+ krb5_creds mcreds = {0}; -+ krb5_flags options = KRB5_GC_NO_STORE; -+ krb5_ccache tmp_cc; -+ bool s4u2proxy; -+ -+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc); -+ if (code != 0) { -+ return code; -+ } -+ -+ code = krb5_get_init_creds_password(ctx, &init_creds, -+ init_principal, -+ init_password, -+ NULL, NULL, -+ 0, -+ NULL, -+ krb_options); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* -+ * Check if we also need S4U2Proxy or if S4U2Self is -+ * enough in order to get a ticket for the target. -+ */ -+ if (target_service == NULL) { -+ s4u2proxy = false; -+ } else if (strcmp(target_service, self_service) == 0) { -+ s4u2proxy = false; -+ } else { -+ s4u2proxy = true; -+ } -+ -+ code = krb5_parse_name(ctx, self_service, &self_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt -+ * client and the request server to be the same principal name. */ -+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ mcreds.client = impersonate_principal; -+ mcreds.server = init_creds.client; -+ -+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds, -+ NULL, &s4u2self_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (s4u2proxy) { -+ code = krb5_parse_name(ctx, target_service, &target_princ); -+ if (code != 0) { -+ goto done; -+ } -+ -+ mcreds.client = init_creds.client; -+ mcreds.server = target_princ; -+ mcreds.second_ticket = s4u2self_creds->ticket; -+ -+ code = krb5_get_credentials(ctx, options | -+ KRB5_GC_CONSTRAINED_DELEGATION, -+ tmp_cc, &mcreds, &s4u2proxy_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ /* Check KDC support of S4U2Proxy extension */ -+ if (!krb5_principal_compare(ctx, s4u2self_creds->client, -+ s4u2proxy_creds->client)) { -+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ goto done; -+ } -+ -+ store_creds = s4u2proxy_creds; -+ } else { -+ store_creds = s4u2self_creds;; -+ -+ /* We need to save the ticket with the requested server name -+ * or the caller won't be able to find it in cache. */ -+ if (!krb5_principal_compare(ctx, self_princ, -+ store_creds->server)) { -+ krb5_free_principal(ctx, store_creds->server); -+ store_creds->server = NULL; -+ code = krb5_copy_principal(ctx, self_princ, -+ &store_creds->server); -+ if (code != 0) { -+ goto done; -+ } -+ } -+ } -+ -+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client); -+ if (code != 0) { -+ goto done; -+ } -+ -+ code = krb5_cc_store_cred(ctx, store_cc, store_creds); -+ if (code != 0) { -+ goto done; -+ } -+ -+ if (expire_time) { -+ *expire_time = (time_t) store_creds->times.endtime; -+ } -+ -+ if (kdc_time) { -+ *kdc_time = (time_t) store_creds->times.starttime; -+ } -+ -+done: -+ krb5_cc_destroy(ctx, tmp_cc); -+ krb5_free_cred_contents(ctx, &init_creds); -+ krb5_free_creds(ctx, s4u2self_creds); -+ krb5_free_creds(ctx, s4u2proxy_creds); -+ krb5_free_principal(ctx, self_princ); -+ krb5_free_principal(ctx, target_princ); -+ -+ return code; -+} - #endif - - #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) -diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index a66b7465530..c8573f52bd9 100644 ---- a/lib/krb5_wrap/krb5_samba.h -+++ b/lib/krb5_wrap/krb5_samba.h -@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#ifdef SAMBA4_USES_HEIMDAL - krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_ccache store_cc, - krb5_principal init_principal, -@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, - krb5_get_init_creds_opt *krb_options, - time_t *expire_time, - time_t *kdc_time); --#endif - - #if defined(HAVE_KRB5_MAKE_PRINCIPAL) - #define smb_krb5_make_principal krb5_make_principal -diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c -index 544d9d853cc..c14d8c72d8c 100644 ---- a/source4/auth/kerberos/kerberos_util.c -+++ b/source4/auth/kerberos/kerberos_util.c -@@ -234,9 +234,7 @@ done: - { - krb5_error_code ret; - const char *password; --#ifdef SAMBA4_USES_HEIMDAL - const char *self_service; --#endif - const char *target_service; - time_t kdc_time = 0; - krb5_principal princ; -@@ -268,9 +266,7 @@ done: - return ret; - } - --#ifdef SAMBA4_USES_HEIMDAL - self_service = cli_credentials_get_self_service(credentials); --#endif - target_service = cli_credentials_get_target_service(credentials); - - password = cli_credentials_get_password(credentials); -@@ -331,7 +327,6 @@ done: - #endif - if (password) { - if (impersonate_principal) { --#ifdef SAMBA4_USES_HEIMDAL - ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context, - ccache, - princ, -@@ -342,12 +337,6 @@ done: - krb_options, - NULL, - &kdc_time); --#else -- talloc_free(mem_ctx); -- (*error_string) = "INTERNAL error: s4u2 ops " -- "are not supported with MIT build yet"; -- return EINVAL; --#endif - } else { - ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, - ccache, --- -2.37.1 - - -From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 19 Sep 2020 14:16:20 +0200 -Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code - ---- - source4/kdc/mit_samba.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 03c2c2ea1de..30fade56531 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, - if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { - sflags |= SDB_F_CANON; - } -+#if KRB5_KDB_API_VERSION >= 10 -+ sflags |= SDB_F_FORCE_CANON; -+#endif - if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | - KRB5_KDB_FLAG_INCLUDE_PAC)) { - /* --- -2.37.1 - diff --git a/samba.spec b/samba.spec index e915388..e4029cc 100644 --- a/samba.spec +++ b/samba.spec @@ -134,15 +134,15 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 1 +%global baserelease 0 -%global samba_version 4.16.4 -%global talloc_version 2.3.3 -%global tdb_version 1.4.6 -%global tevent_version 0.12.0 -%global ldb_version 2.5.2 +%global samba_version 4.17.0 +%global talloc_version 2.3.4 +%global tdb_version 1.4.7 +%global tevent_version 0.13.0 +%global ldb_version 2.6.1 # This should be rc1 or nil -%global pre_release %nil +%global pre_release rc1 %global samba_release %{baserelease} %if "x%{?pre_release}" != "x" @@ -204,12 +204,6 @@ Source15: samba.abignore Source201: README.downgrade -Patch0: samba-s4u.patch -# https://gitlab.com/samba-team/samba/-/merge_requests/2477 -Patch1: samba-4.16-waf-crypto.patch -# https://gitlab.com/samba-team/samba/-/merge_requests/2647 -Patch2: samba-mount_h.patch - Requires(pre): /usr/sbin/groupadd Requires(post): systemd Requires(preun): systemd @@ -1194,6 +1188,9 @@ export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')" --systemd-smb-extra=%{_systemd_extra} \ --systemd-nmb-extra=%{_systemd_extra} \ --systemd-winbind-extra=%{_systemd_extra} \ +%if %{with clustering} + --systemd-ctdb-extra=%{_systemd_extra} \ +%endif --systemd-samba-extra=%{_systemd_extra} # Do not use %%make_build, make is just a wrapper around waf in Samba! @@ -1279,10 +1276,6 @@ install -m 0644 ctdb/config/ctdb.conf %{buildroot}%{_sysconfdir}/ctdb/ctdb.conf install -m 0644 %{SOURCE201} packaging/README.downgrade -%if %{with clustering} -install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir} -%endif - # NetworkManager online/offline script install -d -m 0755 %{buildroot}%{_prefix}/lib/NetworkManager/dispatcher.d/ install -m 0755 packaging/NetworkManager/30-winbind-systemd \ @@ -2370,18 +2363,6 @@ fi %{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc -%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_cert_auto_enroll_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_chromium_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_firefox_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_firewalld_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_smb_conf_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/gp_sudoers_ext.*.pyc %{python3_sitearch}/samba/__pycache__/graph.*.pyc %{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc %{python3_sitearch}/samba/__pycache__/idmap.*.pyc @@ -2399,14 +2380,6 @@ fi %{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_access_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_files_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_issue_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_motd_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_openssh_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_startup_scripts_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_sudoers_ext.*.pyc -%{python3_sitearch}/samba/__pycache__/vgp_symlink_ext.*.pyc %{python3_sitearch}/samba/__pycache__/xattr.*.pyc %{python3_sitearch}/samba/_glue.*.so %{python3_sitearch}/samba/_ldb.*.so @@ -2468,11 +2441,6 @@ fi %{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py -%{python3_sitearch}/samba/gpclass.py -%{python3_sitearch}/samba/gp_gnome_settings_ext.py -%{python3_sitearch}/samba/gp_scripts_ext.py -%{python3_sitearch}/samba/gp_sec_ext.py -%{python3_sitearch}/samba/gpo.*.so %{python3_sitearch}/samba/graph.py %{python3_sitearch}/samba/hostconfig.py %{python3_sitearch}/samba/idmap.py @@ -2491,14 +2459,57 @@ fi %{python3_sitearch}/samba/emulate/__init__.py %{python3_sitearch}/samba/emulate/traffic.py %{python3_sitearch}/samba/emulate/traffic_packets.py -%{python3_sitearch}/samba/gp_cert_auto_enroll_ext.py -%{python3_sitearch}/samba/gp_chromium_ext.py -%{python3_sitearch}/samba/gp_ext_loader.py -%{python3_sitearch}/samba/gp_firefox_ext.py -%{python3_sitearch}/samba/gp_firewalld_ext.py -%{python3_sitearch}/samba/gp_msgs_ext.py -%{python3_sitearch}/samba/gp_smb_conf_ext.py -%{python3_sitearch}/samba/gp_sudoers_ext.py +%dir %{python3_sitearch}/samba/gp +%dir %{python3_sitearch}/samba/gp/__pycache__ +%{python3_sitearch}/samba/gp/__pycache__/gpclass.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_crontab_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_cert_auto_enroll_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_chromium_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_firefox_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_firewalld_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_gnome_settings_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_msgs_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_scripts_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_sec_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_smb_conf_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/gp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_access_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_files_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_issue_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_motd_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_openssh_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_startup_scripts_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/gp/__pycache__/vgp_symlink_ext.*.pyc +%{python3_sitearch}/samba/gp/gpclass.py +%{python3_sitearch}/samba/gp/gp_gnome_settings_ext.py +%{python3_sitearch}/samba/gp/gp_scripts_ext.py +%{python3_sitearch}/samba/gp/gp_sec_ext.py +%{python3_sitearch}/samba/gp/gp_centrify_crontab_ext.py +%{python3_sitearch}/samba/gp/gp_centrify_sudoers_ext.py +%{python3_sitearch}/samba/gp/gp_cert_auto_enroll_ext.py +%{python3_sitearch}/samba/gp/gp_chromium_ext.py +%{python3_sitearch}/samba/gp/gp_ext_loader.py +%{python3_sitearch}/samba/gp/gp_firefox_ext.py +%{python3_sitearch}/samba/gp/gp_firewalld_ext.py +%{python3_sitearch}/samba/gp/gp_msgs_ext.py +%{python3_sitearch}/samba/gp/gp_smb_conf_ext.py +%{python3_sitearch}/samba/gp/gp_sudoers_ext.py +%dir %{python3_sitearch}/samba/gp/util +%dir %{python3_sitearch}/samba/gp/util/__pycache__ +%{python3_sitearch}/samba/gp/util/__pycache__/logging.*.pyc +%{python3_sitearch}/samba/gp/util/logging.py +%{python3_sitearch}/samba/gp/vgp_access_ext.py +%{python3_sitearch}/samba/gp/vgp_files_ext.py +%{python3_sitearch}/samba/gp/vgp_issue_ext.py +%{python3_sitearch}/samba/gp/vgp_motd_ext.py +%{python3_sitearch}/samba/gp/vgp_openssh_ext.py +%{python3_sitearch}/samba/gp/vgp_startup_scripts_ext.py +%{python3_sitearch}/samba/gp/vgp_sudoers_ext.py +%{python3_sitearch}/samba/gp/vgp_symlink_ext.py +%{python3_sitearch}/samba/gpo.*.so %dir %{python3_sitearch}/samba/gp_parse %{python3_sitearch}/samba/gp_parse/__init__.py %dir %{python3_sitearch}/samba/gp_parse/__pycache__ @@ -2593,9 +2604,11 @@ fi %{python3_sitearch}/samba/samba3/mdscli.*.so %{python3_sitearch}/samba/samba3/param.*.so %{python3_sitearch}/samba/samba3/passdb.*.so +%{python3_sitearch}/samba/samba3/smbconf.*.so %{python3_sitearch}/samba/samba3/smbd.*.so %{python3_sitearch}/samba/sd_utils.py %{python3_sitearch}/samba/sites.py +%{python3_sitearch}/samba/smbconf.*.so %{python3_sitearch}/samba/subnets.py %dir %{python3_sitearch}/samba/subunit %{python3_sitearch}/samba/subunit/__init__.py @@ -2607,14 +2620,6 @@ fi %{python3_sitearch}/samba/trust_utils.py %{python3_sitearch}/samba/upgrade.py %{python3_sitearch}/samba/upgradehelpers.py -%{python3_sitearch}/samba/vgp_access_ext.py -%{python3_sitearch}/samba/vgp_files_ext.py -%{python3_sitearch}/samba/vgp_issue_ext.py -%{python3_sitearch}/samba/vgp_motd_ext.py -%{python3_sitearch}/samba/vgp_openssh_ext.py -%{python3_sitearch}/samba/vgp_startup_scripts_ext.py -%{python3_sitearch}/samba/vgp_sudoers_ext.py -%{python3_sitearch}/samba/vgp_symlink_ext.py %{python3_sitearch}/samba/werror.*.so %{python3_sitearch}/samba/xattr.py %{python3_sitearch}/samba/xattr_native.*.so @@ -2760,6 +2765,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/logfiles.*.pyc %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc @@ -2777,6 +2783,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/ntlm_auth_krb5.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_chauthtok.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/pam_winbind_setcred.*.pyc %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_warn_pwd_expire.*.pyc %{python3_sitearch}/samba/tests/__pycache__/param.*.pyc %{python3_sitearch}/samba/tests/__pycache__/password_hash.*.pyc @@ -2807,7 +2814,9 @@ fi %{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sid_strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/smbconf.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb-notify.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc @@ -2842,6 +2851,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_dns.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls.*.pyc @@ -2858,6 +2868,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py %{python3_sitearch}/samba/tests/blackbox/mdsearch.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py +%{python3_sitearch}/samba/tests/blackbox/netads_dns.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py %{python3_sitearch}/samba/tests/blackbox/smbcacls.py @@ -2983,7 +2994,9 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/nt_hash_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/protected_users_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc @@ -3010,7 +3023,9 @@ fi %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py %{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +%{python3_sitearch}/samba/tests/krb5/nt_hash_tests.py %{python3_sitearch}/samba/tests/krb5/pac_align_tests.py +%{python3_sitearch}/samba/tests/krb5/protected_users_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py @@ -3033,6 +3048,7 @@ fi %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py +%{python3_sitearch}/samba/tests/logfiles.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py %{python3_sitearch}/samba/tests/ndr.py @@ -3049,6 +3065,7 @@ fi %{python3_sitearch}/samba/tests/ntlm_auth_krb5.py %{python3_sitearch}/samba/tests/pam_winbind.py %{python3_sitearch}/samba/tests/pam_winbind_chauthtok.py +%{python3_sitearch}/samba/tests/pam_winbind_setcred.py %{python3_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py %{python3_sitearch}/samba/tests/param.py %{python3_sitearch}/samba/tests/password_hash.py @@ -3157,7 +3174,9 @@ fi %{python3_sitearch}/samba/tests/sddl.py %{python3_sitearch}/samba/tests/security.py %{python3_sitearch}/samba/tests/segfault.py +%{python3_sitearch}/samba/tests/sid_strings.py %{python3_sitearch}/samba/tests/smb.py +%{python3_sitearch}/samba/tests/smbconf.py %{python3_sitearch}/samba/tests/smb-notify.py %{python3_sitearch}/samba/tests/smbd_base.py %{python3_sitearch}/samba/tests/smbd_fuzztest.py @@ -3278,7 +3297,6 @@ fi %config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check %{_sbindir}/ctdbd -%{_sbindir}/ctdbd_wrapper %{_bindir}/ctdb %{_bindir}/ctdb_diagnostics %{_bindir}/ltdbtool @@ -3311,7 +3329,6 @@ fi %{_mandir}/man1/onnode.1.gz %{_mandir}/man1/ltdbtool.1.gz %{_mandir}/man1/ping_pong.1.gz -%{_mandir}/man1/ctdbd_wrapper.1.gz %{_mandir}/man5/ctdb.conf.5.gz %{_mandir}/man5/ctdb-script.options.5.gz %{_mandir}/man5/ctdb.sysconfig.5.gz @@ -4167,6 +4184,9 @@ fi %endif %changelog +* Mon Aug 08 2022 Guenther Deschner - 4.17.0rc1-0 +- resolves: #2116503 - Update to version 4.17.0rc1 + * Mon Aug 01 2022 Frantisek Zatloukal - 2:4.16.4-1 - Rebuilt for ICU 71.1 diff --git a/sources b/sources index 851386b..70773ab 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (samba-4.16.4.tar.xz) = 263c33f202462c50ba9205232cc59f17eef6526bbe97cc1c6be6606e5e2fa8e235f24693da5ef00106ed126c5e2e1d83e2cfc0d2a690303ac94a8737e6760e95 -SHA512 (samba-4.16.4.tar.asc) = aec1d0dc15169dfa0f68776cff083b8a9ecfeb348d20cde02e236eda3548e1df13f6df3e9275ede6e8fdc6193b2fd304d2f493507b49f5877dbb6b7181d90367 +SHA512 (samba-4.17.0rc1.tar.xz) = e3ba692d9f8dd7e8c4d853b69a1fed2bdc1946610f62ec789018320ad666022aa07f52b80e8f3012d8a6de9373c2fc31f5c5758859eabe7e48b4f9f1b6aa302b +SHA512 (samba-4.17.0rc1.tar.asc) = 2df0e15af5e60f7baa4415bf1f086dd266256a34ceb57e21cec5656b45d95bb801ad42c87f8910b1a97f3b0b9a90fd21519b78eaa5a1a842a1464d97ce9e283c