Update to samba 4.12.3

Guenther

.gitignore

@@ -203,3 +203,5 @@ samba-3.6.0pre1.tar.gz
 /samba-4.12.1.tar.asc
 /samba-4.12.2.tar.xz
 /samba-4.12.2.tar.asc
+/samba-4.12.3.tar.xz
+/samba-4.12.3.tar.asc

0001-libsmb-Don-t-try-to-find-posix-stat-info-in-SMBC_get.patch

@@ -1,91 +0,0 @@
-From 686ea46cbc9538355815fe800e441d67fee6a9db Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Thu, 19 Mar 2020 11:01:41 +0100
-Subject: [PATCH] libsmb: Don't try to find posix stat info in SMBC_getatr()
-
-This wrongly used "frame" instead of "fname", which can never have
-worked. A first attempt to fix in 51551e0d53fa6 caused a few followup
-patches in an attempt to clean up the test failures 51551e0d53fa6
-introduced. They were reverted after a few discussions. So rather than
-changing behaviour, just remove the code that introduced the valgrind
-error again.
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Fri Mar 20 05:06:07 UTC 2020 on sn-devel-184
-
-(cherry picked from commit 39c910fd9cba3caf7414274b678b9eee33d7e20b)
----
- source3/include/libsmb_internal.h |  1 -
- source3/libsmb/libsmb_file.c      | 20 --------------------
- source3/libsmb/libsmb_server.c    |  9 ---------
- 3 files changed, 30 deletions(-)
-
-diff --git a/source3/include/libsmb_internal.h b/source3/include/libsmb_internal.h
-index 21a11c1a024..feedddd0877 100644
---- a/source3/include/libsmb_internal.h
-+++ b/source3/include/libsmb_internal.h
-@@ -76,7 +76,6 @@ typedef struct DOS_ATTR_DESC {
- struct _SMBCSRV {
- 	struct cli_state *cli;
- 	dev_t dev;
--	bool try_posixinfo;
- 	bool no_pathinfo;
- 	bool no_pathinfo2;
- 	bool no_pathinfo3;
-diff --git a/source3/libsmb/libsmb_file.c b/source3/libsmb/libsmb_file.c
-index 1577010e490..f0a16c61a83 100644
---- a/source3/libsmb/libsmb_file.c
-+++ b/source3/libsmb/libsmb_file.c
-@@ -504,26 +504,6 @@ SMBC_getatr(SMBCCTX * context,
- 		return False;
- 	}
- 
--	if (srv->try_posixinfo) {
--		SMB_STRUCT_STAT sbuf;
--
--		status = cli_posix_stat(targetcli, frame, &sbuf);
--		if (NT_STATUS_IS_OK(status)) {
--			setup_stat_from_stat_ex(&sbuf, path, sb);
--
--			TALLOC_FREE(frame);
--			return true;
--		}
--		if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED) ||
--		    NT_STATUS_EQUAL(status, NT_STATUS_INVALID_LEVEL)) {
--			/*
--			 * Turn this off if the server doesn't
--			 * support it.
--			 */
--			srv->try_posixinfo = false;
--		}
--	}
--
- 	if (!srv->no_pathinfo2) {
- 		status = cli_qpathinfo2(targetcli,
- 					targetpath,
-diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
-index d4f71d8c8b7..0067df48cac 100644
---- a/source3/libsmb/libsmb_server.c
-+++ b/source3/libsmb/libsmb_server.c
-@@ -657,15 +657,6 @@ SMBC_server_internal(TALLOC_CTX *ctx,
- 	ZERO_STRUCTP(srv);
- 	DLIST_ADD(srv->cli, c);
- 	srv->dev = (dev_t)(str_checksum(server) ^ str_checksum(share));
--	srv->try_posixinfo = false;
--	/*
--	 * Until SMB2 POSIX is done, only
--	 * try POSIX stat on SMB1 with POSIX capabilities.
--	 */
--	if ((smbXcli_conn_protocol(c->conn) < PROTOCOL_SMB2_02) &&
--	    (smb1cli_conn_capabilities(c->conn) & CAP_UNIX)) {
--		srv->try_posixinfo = true;
--	}
-         srv->no_pathinfo = False;
-         srv->no_pathinfo2 = False;
- 	srv->no_pathinfo3 = False;
--- 
-2.26.0
-

new_mit_118.patch

@@ -1,174 +0,0 @@
-From 04b262f686b5b16ba659ade1e4b5778e2b219f0a Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Mon, 16 Sep 2019 16:40:12 +0300
-Subject: [PATCH 1/2] Adapt sign_authdata in our KDB module for krb5 v1.18
-
-Signed-off-by: Isaac Boukris <iboukris@samba.org>
----
- source4/kdc/mit-kdb/kdb_samba.c          |  2 +-
- source4/kdc/mit-kdb/kdb_samba.h          | 21 +++++++++++++++++++++
- source4/kdc/mit-kdb/kdb_samba_policies.c | 24 ++++++++++++++++++++++++
- 3 files changed, 46 insertions(+), 1 deletion(-)
-
-diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
-index c5157d6ed1b..02bbdca9f54 100644
---- a/source4/kdc/mit-kdb/kdb_samba.c
-+++ b/source4/kdc/mit-kdb/kdb_samba.c
-@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
- 
- kdb_vftabl kdb_function_table = {
- 	.maj_ver                   = KRB5_KDB_DAL_MAJOR_VERSION,
--	.min_ver                   = 1,
-+	.min_ver                   = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
- 
- 	.init_library              = kdb_samba_init_library,
- 	.fini_library              = kdb_samba_fini_library,
-diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
-index 22ef9085b6a..ad4f6e27573 100644
---- a/source4/kdc/mit-kdb/kdb_samba.h
-+++ b/source4/kdc/mit-kdb/kdb_samba.h
-@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
- 
- /* from kdb_samba_policies.c */
- 
-+#if KRB5_KDB_API_VERSION < 10
- krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 					    unsigned int flags,
- 					    krb5_const_principal client_princ,
-@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 					    krb5_timestamp authtime,
- 					    krb5_authdata **tgt_auth_data,
- 					    krb5_authdata ***signed_auth_data);
-+#else
-+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
-+					    unsigned int flags,
-+					    krb5_const_principal client_princ,
-+					    krb5_const_principal server_princ,
-+					    krb5_db_entry *client,
-+					    krb5_db_entry *server,
-+					    krb5_db_entry *krbtgt,
-+					    krb5_db_entry *local_krbtgt,
-+					    krb5_keyblock *client_key,
-+					    krb5_keyblock *server_key,
-+					    krb5_keyblock *krbtgt_key,
-+					    krb5_keyblock *local_krbtgt_key,
-+					    krb5_keyblock *session_key,
-+					    krb5_timestamp authtime,
-+					    krb5_authdata **tgt_auth_data,
-+					    void *authdata_info,
-+					    krb5_data ***auth_indicators,
-+					    krb5_authdata ***signed_auth_data);
-+#endif
- 
- krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
- 					     krb5_kdc_req *kdcreq,
-diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
-index fc80329f221..e2f7174b0c2 100644
---- a/source4/kdc/mit-kdb/kdb_samba_policies.c
-+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
-@@ -287,6 +287,7 @@ done:
- 	return code;
- }
- 
-+#if KRB5_KDB_API_VERSION < 10
- krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 					    unsigned int flags,
- 					    krb5_const_principal client_princ,
-@@ -301,6 +302,29 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 					    krb5_authdata **tgt_auth_data,
- 					    krb5_authdata ***signed_auth_data)
- {
-+#else
-+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
-+					    unsigned int flags,
-+					    krb5_const_principal client_princ,
-+					    krb5_const_principal server_princ,
-+					    krb5_db_entry *client,
-+					    krb5_db_entry *server,
-+					    krb5_db_entry *krbtgt,
-+					    krb5_db_entry *local_krbtgt,
-+					    krb5_keyblock *client_key,
-+					    krb5_keyblock *server_key,
-+					    krb5_keyblock *krbtgt_key,
-+					    krb5_keyblock *local_krbtgt_key,
-+					    krb5_keyblock *session_key,
-+					    krb5_timestamp authtime,
-+					    krb5_authdata **tgt_auth_data,
-+					    void *authdata_info,
-+					    krb5_data ***auth_indicators,
-+					    krb5_authdata ***signed_auth_data)
-+{
-+	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
-+	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
-+#endif
- 	krb5_const_principal ks_client_princ;
- 	krb5_authdata **authdata = NULL;
- 	krb5_boolean is_as_req;
--- 
-2.24.1
-
-
-From c968ec07fa403ed919dcda7b3087e0d10d1e7a32 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Thu, 16 Jan 2020 22:00:21 +0100
-Subject: [PATCH 2/2] Sign and verify PAC with ticket principal instead of
- canon principal
-
-With MIT library 1.18 the KDC no longer set
-KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
-us to not canonicalize them (like in Windwos / Heimdal).
-
-However, it now breaks the PAC signature verification as it was
-wrongly done using canonical client rather than ticket client name.
-
-Signed-off-by: Isaac Boukris <iboukris@samba.org>
----
- source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
- 1 file changed, 2 insertions(+), 10 deletions(-)
-
-diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
-index e2f7174b0c2..6a5f06a8a8c 100644
---- a/source4/kdc/mit-kdb/kdb_samba_policies.c
-+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
-@@ -325,20 +325,12 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
- 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
- #endif
--	krb5_const_principal ks_client_princ;
- 	krb5_authdata **authdata = NULL;
- 	krb5_boolean is_as_req;
- 	krb5_error_code code;
- 	krb5_pac pac = NULL;
- 	krb5_data pac_data;
- 
--	/* Prefer canonicalised name from client entry */
--	if (client != NULL) {
--		ks_client_princ = client->princ;
--	} else {
--		ks_client_princ = client_princ;
--	}
--
- 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
- 
- 	if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
-@@ -351,7 +343,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 	if (!is_as_req) {
- 		code = ks_verify_pac(context,
- 				     flags,
--				     ks_client_princ,
-+				     client_princ,
- 				     client,
- 				     server,
- 				     krbtgt,
-@@ -378,7 +370,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 		goto done;
- 	}
- 
--	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
-+	code = krb5_pac_sign(context, pac, authtime, client_princ,
- 			server_key, krbtgt_key, &pac_data);
- 	if (code != 0) {
- 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
--- 
-2.24.1
-

samba.spec

@@ -8,13 +8,13 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%define main_release 1
+%define main_release 0
 
-%define samba_version 4.12.2
+%define samba_version 4.12.3
 %define talloc_version 2.3.1
 %define tdb_version 1.4.3
 %define tevent_version 0.10.2
-%define ldb_version 2.1.2
+%define ldb_version 2.1.3
 # This should be rc1 or nil
 %define pre_release %nil
 
@@ -129,10 +129,6 @@ Source14:       samba.pamd
 
 Source201:      README.downgrade
 
-Patch100:       new_mit_118.patch
-Patch101:       0001-libsmb-Don-t-try-to-find-posix-stat-info-in-SMBC_get.patch
-Patch102:       samba-4.12.3-vfs_io_uring-bz14361.patch
-
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
 Requires(preun): systemd
@@ -3578,6 +3574,9 @@ fi
 %endif
 
 %changelog
+* Tue May 19 2020 Guenther Deschner <gdeschner@redhat.com> - 4.12.3-0
+- Update to Samba 4.12.3
+
 * Fri May 15 2020 Pete Walter <pwalter@fedoraproject.org> - 2:4.12.2-1.2
 - Rebuild for ICU 67
 

sources

@@ -1,2 +1,2 @@
-SHA512 (samba-4.12.2.tar.xz) = ab89b8f6f0c14b5e8712bf281f7f2cc8e3dae6a69147a826bb58538ed5a22457f4d9a1ec500cbd49da42a5918fe2dd1f2726bb9a7838d9ee5507424ecf75774b
-SHA512 (samba-4.12.2.tar.asc) = b585cc5e919405a0910f1aea303959e92e293645296654805c65f20b92bd58098fc08be82ae17a9a281e04339f6af5579658f1b5c768498c75127c9dc254cd3d
+SHA512 (samba-4.12.3.tar.xz) = 1810734a5f8645c3784f0341b5a75de240d8227aa9bc66b87b491a438b4623f6bfcf873049bf148ce73d22bfd97da9319c9d9468142063cd377d73503616b632
+SHA512 (samba-4.12.3.tar.asc) = d8911ad4b03cbeb0d35bb0dcaa83dca30dcbe1630cf888f56dc46a821b9e96c57bb3526573478cdb986e881c1577b03e30b6329166e87192fe51fdcabb415b53