11 changed files with 44 additions and 13562 deletions
--- a/.gitignore
+++ b/.gitignore
@ -211,43 +211,3 @@ samba-3.6.0pre1.tar.gz
 /samba-4.12.5.tar.asc
 /samba-4.13.0rc1.tar.xz
 /samba-4.13.0rc1.tar.asc
-/samba-4.13.0rc2.tar.xz
-/samba-4.13.0rc2.tar.asc
-/samba-4.13.0rc3.tar.xz
-/samba-4.13.0rc3.tar.asc
-/samba-4.13.0rc4.tar.xz
-/samba-4.13.0rc4.tar.asc
-/samba-4.13.0rc5.tar.xz
-/samba-4.13.0rc5.tar.asc
-/samba-4.13.0rc6.tar.xz
-/samba-4.13.0rc6.tar.asc
-/samba-4.13.0.tar.xz
-/samba-4.13.0.tar.asc
-/samba-4.13.1.tar.xz
-/samba-4.13.1.tar.asc
-/samba-4.13.2.tar.xz
-/samba-4.13.2.tar.asc
-/samba-4.13.3.tar.xz
-/samba-4.13.3.tar.asc
-/samba-4.13.4.tar.xz
-/samba-4.13.4.tar.asc
-/samba-4.13.5.tar.xz
-/samba-4.13.5.tar.asc
-/samba-4.13.6.tar.xz
-/samba-4.13.6.tar.asc
-/samba-4.13.7.tar.xz
-/samba-4.13.7.tar.asc
-/samba-4.13.8.tar.xz
-/samba-4.13.8.tar.asc
-/samba-4.13.9.tar.xz
-/samba-4.13.9.tar.asc
-/samba-4.13.10.tar.xz
-/samba-4.13.10.tar.asc
-/samba-4.13.11.tar.xz
-/samba-4.13.11.tar.asc
-/samba-4.13.12.tar.xz
-/samba-4.13.12.tar.asc
-/samba-4.13.13.tar.xz
-/samba-4.13.13.tar.asc
-/samba-4.13.14.tar.xz
-/samba-4.13.14.tar.asc
--- a/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+++ b/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
--- a/samba-4.13-fix-winbind-no-trusted-domain.patch
+++ b/samba-4.13-fix-winbind-no-trusted-domain.patch
@ -1,41 +0,0 @@
-From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 9 Nov 2021 20:50:20 +0100
-Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
-
-add_trusted_domain() should only reject domains
-based on is_allowed_domain(), which now also
-checks "allow trusted domains = no", if we don't
-have an explicit trust to the domain (SEC_CHAN_NULL).
-
-We use at least SEC_CHAN_LOCAL for local domains like
-BUILTIN.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
-
-(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
---
- source3/winbindd/winbindd_util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
-index 42ddbfd2f44..9d54e462c42 100644
--- a/source3/winbindd/winbindd_util.c
-+++ b/source3/winbindd/winbindd_util.c
-@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
- 		return NT_STATUS_INVALID_PARAMETER;
- 	}
- 
-	if (!is_allowed_domain(domain_name)) {
-+	if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
- 		return NT_STATUS_NO_SUCH_DOMAIN;
- 	}
- 
-- 
-2.33.1
-
--- a/samba-4.13-ipa-dc-schannel.patch
+++ b/samba-4.13-ipa-dc-schannel.patch
@ -1,45 +0,0 @@
-From 3fc4d1d3998f3956a84c855cb60a9dcb335e1f59 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Fri, 12 Nov 2021 19:06:01 +0200
-Subject: [PATCH] IPA DC: add missing checks
-
-When introducing FreeIPA support, two places were forgotten:
-
- - schannel gensec module needs to be aware of IPA DC
- - _lsa_QueryInfoPolicy should treat IPA DC as PDC
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
- auth/gensec/schannel.c              | 1 +
- source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
-index 0cdae141ead..6ebbe8f3179 100644
--- a/auth/gensec/schannel.c
-+++ b/auth/gensec/schannel.c
-@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
- 	case ROLE_DOMAIN_BDC:
- 	case ROLE_DOMAIN_PDC:
- 	case ROLE_ACTIVE_DIRECTORY_DC:
-+	case ROLE_IPA_DC:
- 		return NT_STATUS_OK;
- 	default:
- 		return NT_STATUS_NOT_IMPLEMENTED;
-diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
-index 8d71b5252ab..ea92a22cbc9 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
-+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
-@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
- 		switch (lp_server_role()) {
- 			case ROLE_DOMAIN_PDC:
- 			case ROLE_DOMAIN_BDC:
-+			case ROLE_IPA_DC:
- 				name = get_global_sam_name();
- 				sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
- 				if (!sid) {
-- 
-2.33.1
-
--- a/samba-4.13-redhat.patch
+++ b/samba-4.13-redhat.patch
--- a/samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch
+++ b/samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch
@ -1,210 +0,0 @@
-From 81d6949acdad70ecfb130d3286eeab1b3a51937f Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Wed, 7 Oct 2020 19:25:24 +0300
-Subject: [PATCH 1/2] cli_credentials_parse_string: fix parsing of principals
-
-When parsing a principal-like name, user name was left with full
-principal instead of taking only the left part before '@' sign.
-
->>> from samba import credentials
->>> t = credentials.Credentials()
->>> t.parse_string('admin@realm.test', credentials.SPECIFIED)
->>> t.get_username()
-'admin@realm.test'
-
-The issue is that cli_credentials_set_username() does a talloc_strdup()
-of the argument, so we need to change order of assignment to allow
-talloc_strdup() to copy the right part of the string.
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
- auth/credentials/credentials.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index 77c35dd104b..06ac79058f9 100644
--- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -840,11 +840,10 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
- 		 * in order to undo the effect of
- 		 * cli_credentials_guess().
- 		 */
-		cli_credentials_set_username(credentials, uname, obtained);
-		cli_credentials_set_domain(credentials, "", obtained);
-
- 		cli_credentials_set_principal(credentials, uname, obtained);
- 		*p = 0;
-+		cli_credentials_set_username(credentials, uname, obtained);
-+		cli_credentials_set_domain(credentials, "", obtained);
- 		cli_credentials_set_realm(credentials, p+1, obtained);
- 		return;
- 	} else if ((p = strchr_m(uname,'\\'))
-- 
-2.28.0
-
-
-From fa38bebb993011428612d51819530218d8358f5e Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Mon, 13 Jan 2020 16:04:20 +0200
-Subject: [PATCH 2/2] lookup_name: allow lookup for own realm
-
-When using security tab in Windows Explorer, a lookup over a trusted
-forest might come as realm\name instead of NetBIOS domain name:
-
--------------------------------------------------------------------
-[2020/01/13 11:12:39.859134,  1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
-       lsa_LookupNames3: struct lsa_LookupNames3
-          in: struct lsa_LookupNames3
-              handle                   : *
-                  handle: struct policy_handle
-                      handle_type              : 0x00000000 (0)
-                      uuid                     : 0000000e-0000-0000-1c5e-a750e5810000
-              num_names                : 0x00000001 (1)
-              names: ARRAY(1)
-                  names: struct lsa_String
-                      length                   : 0x001e (30)
-                      size                     : 0x0020 (32)
-                      string                   : *
-                          string                   : 'ipa.test\admins'
-              sids                     : *
-                  sids: struct lsa_TransSidArray3
-                      count                    : 0x00000000 (0)
-                      sids                     : NULL
-              level                    : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
-              count                    : *
-                  count                    : 0x00000000 (0)
-              lookup_options           : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
-              client_revision          : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
-
-Allow this lookup using realm to be done against primary domain.
-
-Refactor user name parsing code to reuse cli_credentials_* API to be
-consistent with other places. cli_credentials_parse_string() handles
-both domain and realm-based user name variants.
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
- source3/passdb/lookup_sid.c | 75 ++++++++++++++++++++++++++-----------
- 1 file changed, 53 insertions(+), 22 deletions(-)
-
-diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
-index 82c47b3145b..39d599fed27 100644
--- a/source3/passdb/lookup_sid.c
-+++ b/source3/passdb/lookup_sid.c
-@@ -29,6 +29,7 @@
- #include "../libcli/security/security.h"
- #include "lib/winbind_util.h"
- #include "../librpc/gen_ndr/idmap.h"
-+#include "auth/credentials/credentials.h"
- 
- static bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
- {
-@@ -78,52 +79,82 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
- 		 const char **ret_domain, const char **ret_name,
- 		 struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
- {
-	char *p;
- 	const char *tmp;
- 	const char *domain = NULL;
- 	const char *name = NULL;
-+	const char *realm = NULL;
- 	uint32_t rid;
- 	struct dom_sid sid;
- 	enum lsa_SidType type;
- 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-+	struct cli_credentials *creds = NULL;
- 
- 	if (tmp_ctx == NULL) {
- 		DEBUG(0, ("talloc_new failed\n"));
- 		return false;
- 	}
- 
-	p = strchr_m(full_name, '\\');
-
-	if (p != NULL) {
-		domain = talloc_strndup(tmp_ctx, full_name,
-					PTR_DIFF(p, full_name));
-		name = talloc_strdup(tmp_ctx, p+1);
-	} else {
-		domain = talloc_strdup(tmp_ctx, "");
-		name = talloc_strdup(tmp_ctx, full_name);
-+	creds = cli_credentials_init(tmp_ctx);
-+	if (creds == NULL) {
-+		DEBUG(0, ("cli_credentials_init failed\n"));
-+		return false;
- 	}
- 
-	if ((domain == NULL) || (name == NULL)) {
-		DEBUG(0, ("talloc failed\n"));
-		TALLOC_FREE(tmp_ctx);
-+	cli_credentials_parse_string(creds, full_name, CRED_SPECIFIED);
-+	name = cli_credentials_get_username(creds);
-+	domain = cli_credentials_get_domain(creds);
-+	realm = cli_credentials_get_realm(creds);
-+
-+	/* At this point we have:
-+	 * - name -- normal name or empty string
-+	 * - domain -- either NULL or domain name
-+	 * - realm -- either NULL or realm name
-+	 *
-+	 * domain and realm are exclusive to each other
-+	 * the code below in lookup_name assumes domain
-+	 * to be at least empty string, not NULL
-+	*/
-+
-+	if ((name == NULL) || (name[0] == '\0')) {
-+		DEBUG(0, ("lookup_name with empty name, exit\n"));
- 		return false;
- 	}
- 
-+	if ((domain == NULL) && (realm == NULL)) {
-+		domain = talloc_strdup(creds, "");
-+	}
-+
- 	DEBUG(10,("lookup_name: %s => domain=[%s], name=[%s]\n",
- 		full_name, domain, name));
- 	DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
- 
-	if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
-	    strequal(domain, get_global_sam_name()))
-	{
-+	/* Windows clients may send a LookupNames request with both NetBIOS
-+	 * domain name- and realm-qualified user names. Thus, we need to check
-+	 * both against both of the SAM domain name and realm, if set. Since
-+	 * domain name and realm in the request are exclusive, test the one
-+	 * that is specified.  cli_credentials_parse_string() will either set
-+	 * realm or wouldn't so we can use it to detect if realm was specified.
-+	 */
-+	if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
-+		const char *domain_name = realm ? realm : domain;
-+		bool check_global_sam = false;
-+
-+		if (domain_name[0] != '\0') {
-+			check_global_sam = strequal(domain_name, get_global_sam_name());
-+			if (!check_global_sam && lp_realm() != NULL) {
-+				check_global_sam = strequal(domain_name, lp_realm());
-+			}
-+		}
- 
-		/* It's our own domain, lookup the name in passdb */
-		if (lookup_global_sam_name(name, flags, &rid, &type)) {
-			sid_compose(&sid, get_global_sam_sid(), rid);
-			goto ok;
-+		if (check_global_sam) {
-+			/* It's our own domain, lookup the name in passdb */
-+			if (lookup_global_sam_name(name, flags, &rid, &type)) {
-+				sid_compose(&sid, get_global_sam_sid(), rid);
-+				goto ok;
-+			}
-+			TALLOC_FREE(tmp_ctx);
-+			return false;
- 		}
-		TALLOC_FREE(tmp_ctx);
-		return false;
- 	}
- 
- 	if ((flags & LOOKUP_NAME_BUILTIN) &&
-- 
-2.28.0
-
--- a/samba-pubkey_AA99442FB680B620.gpg
+++ b/samba-pubkey_AA99442FB680B620.gpg
--- a/samba-s4u.patch
+++ b/samba-s4u.patch
@ -1,697 +0,0 @@
-From e649f9aedfa8a0d5caa241743bb4191927430879 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Fri, 27 Sep 2019 18:25:03 +0300
-Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
-
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
- source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
- source4/kdc/mit_samba.c                  |  47 ++-------
- source4/kdc/mit_samba.h                  |   6 +-
- 3 files changed, 71 insertions(+), 106 deletions(-)
-
-diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
-index 7bc9a7b3347..fc20bfed2f4 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
-+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
-@@ -192,13 +192,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
- 				     krb5_keyblock *krbtgt_key,
- 				     krb5_timestamp authtime,
- 				     krb5_authdata **tgt_auth_data,
-				     krb5_pac *pac)
-+				     krb5_pac *out_pac)
- {
- 	struct mit_samba_context *mit_ctx;
- 	krb5_authdata **authdata = NULL;
-	krb5_pac ipac = NULL;
-	DATA_BLOB logon_data = { NULL, 0 };
-+	krb5_keyblock *header_server_key = NULL;
-+	krb5_key_data *impersonator_kd = NULL;
-+	krb5_keyblock impersonator_key = {0};
- 	krb5_error_code code;
-+	krb5_pac pac;
-+
-+	*out_pac = NULL;
- 
- 	mit_ctx = ks_get_context(context);
- 	if (mit_ctx == NULL) {
-@@ -230,41 +234,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
- 	code = krb5_pac_parse(context,
- 			      authdata[0]->contents,
- 			      authdata[0]->length,
-			      &ipac);
-+			      &pac);
- 	if (code != 0) {
- 		goto done;
- 	}
- 
-	/* TODO: verify this is correct
-	 *
-	 * In the constrained delegation case, the PAC is from a service
-	 * ticket rather than a TGT; we must verify the server and KDC
-	 * signatures to assert that the server did not forge the PAC.
-+	/*
-+	 * For constrained delegation in MIT version < 1.18 we aren't provided
-+	 * with the 2nd ticket server key to verify the PAC.
-+	 * We can workaround that by fetching the key from the client db entry,
-+	 * which is the impersonator account in that version.
-+	 * TODO: use the provided entry in the new 1.18 version.
- 	 */
- 	if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
-		code = krb5_pac_verify(context,
-				       ipac,
-				       authtime,
-				       client_princ,
-				       server_key,
-				       krbtgt_key);
-+		/* The impersonator must be local. */
-+		if (client == NULL) {
-+			code = KRB5KDC_ERR_BADOPTION;
-+			goto done;
-+		}
-+		/* Fetch and decrypt 2nd ticket server's current key. */
-+		code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
-+					     &impersonator_kd);
-+		if (code != 0) {
-+			goto done;
-+		}
-+		code = krb5_dbe_decrypt_key_data(context, NULL,
-+						 impersonator_kd,
-+						 &impersonator_key, NULL);
-+		if (code != 0) {
-+			goto done;
-+		}
-+		header_server_key = &impersonator_key;
- 	} else {
-		code = krb5_pac_verify(context,
-				       ipac,
-				       authtime,
-				       client_princ,
-				       krbtgt_key,
-				       NULL);
-	}
-	if (code != 0) {
-		goto done;
-+		header_server_key = krbtgt_key;
- 	}
- 
-	/* check and update PAC */
-	code = krb5_pac_parse(context,
-			      authdata[0]->contents,
-			      authdata[0]->length,
-			      pac);
-+	code = krb5_pac_verify(context, pac, authtime, client_princ,
-+			       header_server_key, NULL);
- 	if (code != 0) {
- 		goto done;
- 	}
-@@ -272,17 +278,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
- 	code = mit_samba_reget_pac(mit_ctx,
- 				   context,
- 				   flags,
-				   client_princ,
- 				   client,
- 				   server,
- 				   krbtgt,
- 				   krbtgt_key,
-				   pac);
-+				   &pac);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	*out_pac = pac;
-+	pac = NULL;
- 
- done:
-+	krb5_free_keyblock_contents(context, &impersonator_key);
- 	krb5_free_authdata(context, authdata);
-	krb5_pac_free(context, ipac);
-	free(logon_data.data);
-+	krb5_pac_free(context, pac);
- 
- 	return code;
- }
-@@ -328,6 +339,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 	krb5_authdata **pac_auth_data = NULL;
- 	krb5_authdata **authdata = NULL;
- 	krb5_boolean is_as_req;
-+	krb5_const_principal pac_client;
- 	krb5_error_code code;
- 	krb5_pac pac = NULL;
- 	krb5_data pac_data;
-@@ -341,11 +353,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
- #endif
- 
-	/* FIXME: We don't support S4U yet */
-	if (flags & KRB5_KDB_FLAGS_S4U) {
-		return KRB5_KDB_DBTYPE_NOSUP;
-	}
-
- 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
- 
- 	/*
-@@ -406,6 +413,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 		ks_client_princ = client->princ;
- 	}
- 
-+	/* In protocol transition, we are currently not provided with the tgt
-+	 * client name to verify the PAC, we could probably skip the name
-+	 * verification and just verify the signatures, but since we don't
-+	 * support cross-realm nor aliases, we can just use server->princ */
-+	if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
-+		pac_client = server->princ;
-+	} else {
-+		pac_client = ks_client_princ;
-+	}
-+
- 	if (client_entry == NULL) {
- 		client_entry = client;
- 	}
-@@ -470,7 +487,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 
- 			code = ks_verify_pac(context,
- 					     flags,
-					     ks_client_princ,
-+					     pac_client,
- 					     client_entry,
- 					     server,
- 					     krbtgt,
-@@ -510,7 +527,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 		  is_as_req ? "AS-REQ" : "TGS-REQ",
- 		  client_name);
- 	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
-			server_key, krbtgt_key, &pac_data);
-+			     server_key, krbtgt_key, &pac_data);
- 	if (code != 0) {
- 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
- 		goto done;
-@@ -536,12 +553,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- 					      KRB5_AUTHDATA_IF_RELEVANT,
- 					      authdata,
- 					      signed_auth_data);
-	if (code != 0) {
-		goto done;
-	}
-
-	code = 0;
-
- done:
- 	if (client_entry != NULL && client_entry != client) {
- 		ks_free_principal(context, client_entry);
-@@ -567,32 +578,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
- 	 * server; -> delegating service
- 	 * proxy; -> target principal
- 	 */
-	krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
-
-	char *target_name = NULL;
-	bool is_enterprise;
-	krb5_error_code code;
- 
- 	mit_ctx = ks_get_context(context);
- 	if (mit_ctx == NULL) {
- 		return KRB5_KDB_DBNOTINITED;
- 	}
- 
-	code = krb5_unparse_name(context, proxy, &target_name);
-	if (code) {
-		goto done;
-	}
-
-	is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
-
-	code = mit_samba_check_s4u2proxy(mit_ctx,
-					 delegating_service,
-					 target_name,
-					 is_enterprise);
-
-done:
-	free(target_name);
-	return code;
-+	return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
- }
- 
- 
-diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
-index e015c5a52db..2a48d731501 100644
--- a/source4/kdc/mit_samba.c
-+++ b/source4/kdc/mit_samba.c
-@@ -475,7 +475,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
- krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- 				    krb5_context context,
- 				    int flags,
-				    krb5_const_principal client_principal,
- 				    krb5_db_entry *client,
- 				    krb5_db_entry *server,
- 				    krb5_db_entry *krbtgt,
-@@ -639,7 +638,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- 								  context,
- 								  *pac,
- 								  server->princ,
-								  discard_const(client_principal),
-+								  client->princ,
- 								  deleg_blob);
- 		if (!NT_STATUS_IS_OK(nt_status)) {
- 			DEBUG(0, ("Update delegation info failed: %s\n",
-@@ -961,41 +960,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
- }
- 
- int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
-			      krb5_db_entry *kentry,
-			      const char *target_name,
-			      bool is_nt_enterprise_name)
-+			      const krb5_db_entry *server,
-+			      krb5_const_principal target_principal)
- {
-#if 1
-	/*
-	 * This is disabled because mit_samba_update_pac_data() does not handle
-	 * S4U_DELEGATION_INFO
-	 */
-
-	return KRB5KDC_ERR_BADOPTION;
-#else
-	krb5_principal target_principal;
-	int flags = 0;
-	int ret;
-
-	if (is_nt_enterprise_name) {
-		flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
-	}
-
-	ret = krb5_parse_name_flags(ctx->context, target_name,
-				    flags, &target_principal);
-	if (ret) {
-		return ret;
-	}
-
-	ret = samba_kdc_check_s4u2proxy(ctx->context,
-					ctx->db_ctx,
-					skdc_entry,
-					target_principal);
-
-	krb5_free_principal(ctx->context, target_principal);
-
-	return ret;
-#endif
-+	struct samba_kdc_entry *server_skdc_entry =
-+		 talloc_get_type_abort(server->e_data,
-+				       struct samba_kdc_entry);
-+
-+	return samba_kdc_check_s4u2proxy(ctx->context,
-+					 ctx->db_ctx,
-+					 server_skdc_entry,
-+					 target_principal);
- }
- 
- static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
-diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
-index 636c77ec97c..9cb00c9610e 100644
--- a/source4/kdc/mit_samba.h
-+++ b/source4/kdc/mit_samba.h
-@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
- krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- 				    krb5_context context,
- 				    int flags,
-				    krb5_const_principal client_principal,
- 				    krb5_db_entry *client,
- 				    krb5_db_entry *server,
- 				    krb5_db_entry *krbtgt,
-@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
- 				  DATA_BLOB *e_data);
- 
- int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
-			      krb5_db_entry *kentry,
-			      const char *target_name,
-			      bool is_nt_enterprise_name);
-+			      const krb5_db_entry *server,
-+			      krb5_const_principal target_principal);
- 
- int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
- 				      char *pwd,
-- 
-2.33.1
-
-
-From 9eca7b08a3987d6320d6584e146005bbc01720f6 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Fri, 27 Sep 2019 18:35:30 +0300
-Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
-
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
- lib/krb5_wrap/krb5_samba.c            | 185 ++++++++++++++++++++++++++
- lib/krb5_wrap/krb5_samba.h            |   2 -
- source4/auth/kerberos/kerberos_util.c |  11 --
- 3 files changed, 185 insertions(+), 13 deletions(-)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index fff5b4e2a22..791b417d5ba 100644
--- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
- 
- 	return 0;
- }
-+
-+#else /* MIT */
-+
-+static bool princ_compare_no_dollar(krb5_context ctx,
-+				    krb5_principal a,
-+				    krb5_principal b)
-+{
-+	bool cmp;
-+	krb5_principal mod = NULL;
-+
-+	if (a->length == 1 && b->length == 1 &&
-+	    a->data[0].length != 0 && b->data[0].length != 0 &&
-+	    a->data[0].data[a->data[0].length -1] !=
-+	    b->data[0].data[b->data[0].length -1]) {
-+		if (a->data[0].data[a->data[0].length -1] == '$') {
-+			mod = a;
-+			mod->data[0].length--;
-+		} else if (b->data[0].data[b->data[0].length -1] == '$') {
-+			mod = b;
-+			mod->data[0].length--;
-+		}
-+	}
-+
-+	cmp = krb5_principal_compare_flags(ctx, a, b,
-+					   KRB5_PRINCIPAL_COMPARE_CASEFOLD);
-+
-+	if (mod != NULL) {
-+		mod->data[0].length++;
-+	}
-+
-+	return cmp;
-+}
-+
-+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
-+					   krb5_ccache store_cc,
-+					   krb5_principal init_principal,
-+					   const char *init_password,
-+					   krb5_principal impersonate_principal,
-+					   const char *self_service,
-+					   const char *target_service,
-+					   krb5_get_init_creds_opt *krb_options,
-+					   time_t *expire_time,
-+					   time_t *kdc_time)
-+{
-+	krb5_error_code code;
-+	krb5_principal self_princ = NULL;
-+	krb5_principal target_princ = NULL;
-+	krb5_creds *store_creds;
-+	krb5_creds *s4u2self_creds = NULL;
-+	krb5_creds *s4u2proxy_creds = NULL;
-+	krb5_creds init_creds = {0};
-+	krb5_creds mcreds = {0};
-+	krb5_flags options = KRB5_GC_NO_STORE;
-+	krb5_ccache tmp_cc;
-+	bool s4u2proxy;
-+
-+	code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
-+	if (code != 0) {
-+		return code;
-+	}
-+
-+	code = krb5_get_init_creds_password(ctx, &init_creds,
-+					    init_principal,
-+					    init_password,
-+					    NULL, NULL,
-+					    0,
-+					    NULL,
-+					    krb_options);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	/*
-+	 * Check if we also need S4U2Proxy or if S4U2Self is
-+	 * enough in order to get a ticket for the target.
-+	 */
-+	if (target_service == NULL) {
-+		s4u2proxy = false;
-+	} else if (strcmp(target_service, self_service) == 0) {
-+		s4u2proxy = false;
-+	} else {
-+		s4u2proxy = true;
-+	}
-+
-+	code = krb5_parse_name(ctx, self_service, &self_princ);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	/* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
-+	 * client and the request server to be the same principal name. */
-+	if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
-+		code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
-+		goto done;
-+	}
-+
-+	mcreds.client = impersonate_principal;
-+	mcreds.server = init_creds.client;
-+
-+	code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
-+					     NULL, &s4u2self_creds);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	if (s4u2proxy) {
-+		code = krb5_parse_name(ctx, target_service, &target_princ);
-+		if (code != 0) {
-+			goto done;
-+		}
-+
-+		mcreds.client = init_creds.client;
-+		mcreds.server = target_princ;
-+		mcreds.second_ticket = s4u2self_creds->ticket;
-+
-+		code = krb5_get_credentials(ctx, options |
-+					    KRB5_GC_CONSTRAINED_DELEGATION,
-+					    tmp_cc, &mcreds, &s4u2proxy_creds);
-+		if (code != 0) {
-+			goto done;
-+		}
-+
-+		/* Check KDC support of S4U2Proxy extension */
-+		if (!krb5_principal_compare(ctx, s4u2self_creds->client,
-+					    s4u2proxy_creds->client)) {
-+			code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
-+			goto done;
-+		}
-+
-+		store_creds = s4u2proxy_creds;
-+	} else {
-+		store_creds = s4u2self_creds;;
-+
-+		/* We need to save the ticket with the requested server name
-+		 * or the caller won't be able to find it in cache. */
-+		if (!krb5_principal_compare(ctx, self_princ,
-+			store_creds->server)) {
-+			krb5_free_principal(ctx, store_creds->server);
-+			store_creds->server = NULL;
-+			code = krb5_copy_principal(ctx, self_princ,
-+						   &store_creds->server);
-+			if (code != 0) {
-+				goto done;
-+			}
-+		}
-+	}
-+
-+	code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	code = krb5_cc_store_cred(ctx, store_cc, store_creds);
-+	if (code != 0) {
-+		goto done;
-+	}
-+
-+	if (expire_time) {
-+		*expire_time = (time_t) store_creds->times.endtime;
-+	}
-+
-+	if (kdc_time) {
-+		*kdc_time = (time_t) store_creds->times.starttime;
-+	}
-+
-+done:
-+	krb5_cc_destroy(ctx, tmp_cc);
-+	krb5_free_cred_contents(ctx, &init_creds);
-+	krb5_free_creds(ctx, s4u2self_creds);
-+	krb5_free_creds(ctx, s4u2proxy_creds);
-+	krb5_free_principal(ctx, self_princ);
-+	krb5_free_principal(ctx, target_princ);
-+
-+	return code;
-+}
- #endif
- 
- #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
-diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
-index 56a2a975278..5af9c6d73c1 100644
--- a/lib/krb5_wrap/krb5_samba.h
-+++ b/lib/krb5_wrap/krb5_samba.h
-@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
- 					       krb5_get_init_creds_opt *krb_options,
- 					       time_t *expire_time,
- 					       time_t *kdc_time);
-#ifdef SAMBA4_USES_HEIMDAL
- krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
- 					   krb5_ccache store_cc,
- 					   krb5_principal init_principal,
-@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
- 					   krb5_get_init_creds_opt *krb_options,
- 					   time_t *expire_time,
- 					   time_t *kdc_time);
-#endif
- 
- #if defined(HAVE_KRB5_MAKE_PRINCIPAL)
- #define smb_krb5_make_principal krb5_make_principal
-diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
-index 544d9d853cc..c14d8c72d8c 100644
--- a/source4/auth/kerberos/kerberos_util.c
-+++ b/source4/auth/kerberos/kerberos_util.c
-@@ -234,9 +234,7 @@ done:
- {
- 	krb5_error_code ret;
- 	const char *password;
-#ifdef SAMBA4_USES_HEIMDAL
- 	const char *self_service;
-#endif
- 	const char *target_service;
- 	time_t kdc_time = 0;
- 	krb5_principal princ;
-@@ -268,9 +266,7 @@ done:
- 		return ret;
- 	}
- 
-#ifdef SAMBA4_USES_HEIMDAL
- 	self_service = cli_credentials_get_self_service(credentials);
-#endif
- 	target_service = cli_credentials_get_target_service(credentials);
- 
- 	password = cli_credentials_get_password(credentials);
-@@ -331,7 +327,6 @@ done:
- #endif
- 		if (password) {
- 			if (impersonate_principal) {
-#ifdef SAMBA4_USES_HEIMDAL
- 				ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
- 								 ccache,
- 								 princ,
-@@ -342,12 +337,6 @@ done:
- 								 krb_options,
- 								 NULL,
- 								 &kdc_time);
-#else
-				talloc_free(mem_ctx);
-				(*error_string) = "INTERNAL error: s4u2 ops "
-					"are not supported with MIT build yet";
-				return EINVAL;
-#endif
- 			} else {
- 				ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
- 								     ccache,
-- 
-2.33.1
-
-
-From 80289eca2bb614aacd0df86bcf7ad7027c080671 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Sat, 19 Sep 2020 14:16:20 +0200
-Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
-
---
- source4/heimdal/lib/hdb/hdb.h | 1 +
- source4/kdc/db-glue.c         | 8 ++++++--
- source4/kdc/mit_samba.c       | 3 +++
- source4/kdc/sdb.h             | 1 +
- 4 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
-index 5ef9d9565f3..dafaffc6c2d 100644
--- a/source4/heimdal/lib/hdb/hdb.h
-+++ b/source4/heimdal/lib/hdb/hdb.h
-@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
- #define HDB_F_ALL_KVNOS		2048	/* we want all the keys, live or not */
- #define HDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
- #define HDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
-+#define HDB_F_FORCE_CANON	16384	/* force canonicalition */
- 
- /* hdb_capability_flags */
- #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
-diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
-index aff74f2ee71..d16b4c3329a 100644
--- a/source4/kdc/db-glue.c
-+++ b/source4/kdc/db-glue.c
-@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- 			}
- 		}
- 
-	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
-+	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
- 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
- 		if (ret) {
- 			krb5_clear_error_message(context);
- 			goto out;
- 		}
-	} else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
-+	} else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
- 		/*
- 		 * SDB_F_CANON maps from the canonicalize flag in the
- 		 * packet, and has a different meaning between AS-REQ
- 		 * and TGS-REQ.  We only change the principal in the AS-REQ case
-+		 *
-+		 * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
-+		 * the canonical name in all lookups, and takes care to canonicalize
-+		 * only when appropriate.
- 		 */
- 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
- 		if (ret) {
-diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
-index 2a48d731501..a8d3e7ed493 100644
--- a/source4/kdc/mit_samba.c
-+++ b/source4/kdc/mit_samba.c
-@@ -198,6 +198,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
- 	if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
- 		sflags |= SDB_F_CANON;
- 	}
-+#if KRB5_KDB_API_VERSION >= 10
-+	sflags |= SDB_F_FORCE_CANON;
-+#endif
- 	if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
- 		      KRB5_KDB_FLAG_INCLUDE_PAC)) {
- 		/*
-diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
-index c929acccce6..a9115ec23d7 100644
--- a/source4/kdc/sdb.h
-+++ b/source4/kdc/sdb.h
-@@ -116,6 +116,7 @@ struct sdb_entry_ex {
- #define SDB_F_KVNO_SPECIFIED	128	/* we want a particular KVNO */
- #define SDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
- #define SDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
-+#define SDB_F_FORCE_CANON	16384	/* force canonicalition */
- 
- void sdb_free_entry(struct sdb_entry_ex *e);
- void free_sdb_entry(struct sdb_entry *s);
-- 
-2.33.1
-
--- a/samba.spec
+++ b/samba.spec
@ -8,15 +8,15 @@

 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")

-%define main_release 2
+%define main_release 1

-%define samba_version 4.13.14
+%define samba_version 4.13.0
 %define talloc_version 2.3.1
 %define tdb_version 1.4.3
 %define tevent_version 0.10.2
-%define ldb_version 2.2.3
+%define ldb_version 2.2.0
 # This should be rc1 or nil
-%define pre_release %nil
+%define pre_release rc1

 %if "x%{?pre_release}" != "x"
 %define samba_release 0.%{main_release}.%{pre_release}%{?dist}
@ -83,8 +83,10 @@
 %global with_clustering_support 1
 %endif

-# Enable winexe by default
-%bcond_without winexe
+%global with_winexe 1
+%if 0%{?rhel}
+%global with_winexe 0
+%endif

 %global with_vfs_io_uring 0
 # We need liburing >= 0.4 which is not available in RHEL yet
@ -120,7 +122,7 @@ URL:            https://www.samba.org
 # This is a xz recompressed file of https://ftp.samba.org/pub/samba/samba-%%{version}%%{pre_release}.tar.gz
 Source0:        https://ftp.samba.org/pub/samba/samba-%{version}%{pre_release}.tar.gz#/samba-%{version}%{pre_release}.tar.xz
 Source1:        https://ftp.samba.org/pub/samba/samba-%{version}%{pre_release}.tar.asc
-Source2:        samba-pubkey_AA99442FB680B620.gpg
+Source2:        gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg

 # Red Hat specific replacement-files
 Source10:       samba.logrotate
@ -130,14 +132,6 @@ Source13:       pam_winbind.conf
 Source14:       samba.pamd

 Source201:      README.downgrade
-Patch1:         samba-s4u.patch
-# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-13-redhat
-# This will give us CI and makes it easy to generate patchsets.
-#
-# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.13-redhat.patch
-Patch2:         samba-4.13-redhat.patch
-Patch3:         samba-4.13-fix-winbind-no-trusted-domain.patch
-Patch4:         samba-4.13-ipa-dc-schannel.patch

 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@ -200,7 +194,7 @@ BuildRequires: libtirpc-devel
 BuildRequires: libuuid-devel
 BuildRequires: libxslt
 BuildRequires: lmdb
-%if %{with winexe}
+%if %{with_winexe}
 BuildRequires: mingw32-gcc
 BuildRequires: mingw64-gcc
 %endif
@ -397,6 +391,7 @@ Requires: ldb-tools
 # See bug 1507420
 %samba_requires_eq libldb

+Requires: python3-crypto
 Requires: python3-%{name} = %{samba_depver}
 Requires: python3-%{name}-dc = %{samba_depver}
 Requires: krb5-server >= %{required_mit_krb5}
@ -592,13 +587,6 @@ Requires: libwbclient = %{samba_depver}
 The python3-%{name} package contains the Python 3 libraries needed by programs
 that use SMB, RPC and other Samba provided protocols in Python 3 programs.

-%package -n python3-%{name}-devel
-Summary: Samba python devel files
-Requires: python3-%{name} = %{samba_depver}
-
-%description -n python3-%{name}-devel
-The python3-%{name}-devel package contains the Python 3 defel files.
-
 %package -n python3-samba-test
 Summary: Samba Python libraries
 Requires: python3-%{name} = %{samba_depver}
@ -766,7 +754,7 @@ The samba-winbind-modules package provides the NSS library and a PAM module
 necessary to communicate to the Winbind Daemon

 ### WINEXE
-%if %{with winexe}
+%if %{with_winexe}
 %package winexe
 Summary: Samba Winexe Windows Binary
 License: GPLv3
@ -921,16 +909,16 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold"
        --systemd-winbind-extra=%{_systemd_extra} \
        --systemd-samba-extra=%{_systemd_extra}

-%make_build
+make %{?_smp_mflags}

 pushd pidl
 %__perl Makefile.PL PREFIX=%{_prefix}

-%make_build
+make %{?_smp_mflags}
 popd

 %install
-%make_install
+make %{?_smp_mflags} install DESTDIR=%{buildroot}

 install -d -m 0755 %{buildroot}/usr/{sbin,bin}
 install -d -m 0755 %{buildroot}%{_libdir}/security
@ -1095,6 +1083,16 @@ rm -f %{buildroot}%{_mandir}/man8/vfs_ceph_snapshots.8*
 # the ldconfig-created links be recorded in the RPM.
 /sbin/ldconfig -N -n %{buildroot}%{_libdir}

+%if ! %with_dc
+for f in samba/libsamba-net-samba4.so \
+         samba/libsamba-python-samba4.so \
+         libsamba-policy.so* \
+         pkgconfig/samba-policy.pc ; do
+    rm -f %{buildroot}%{_libdir}/$f
+done
+#endif ! with_dc
+%endif
+
 pushd pidl
 make DESTDIR=%{buildroot} install_vendor

@ -1107,7 +1105,7 @@ popd

 %if %{with testsuite}
 %check
-TDB_NO_FSYNC=1 %make_build test FAIL_IMMEDIATELY=1
+TDB_NO_FSYNC=1 make %{?_smp_mflags} test FAIL_IMMEDIATELY=1
 #endif with testsuite
 %endif

@ -1495,7 +1493,6 @@ fi
 %{_libdir}/samba/libcommon-auth-samba4.so
 %{_libdir}/samba/libctdb-event-client-samba4.so
 %{_libdir}/samba/libdbwrap-samba4.so
-%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so
 %{_libdir}/samba/libdcerpc-samba-samba4.so
 %{_libdir}/samba/libevents-samba4.so
 %{_libdir}/samba/libflag-mapping-samba4.so
@ -1540,6 +1537,7 @@ fi
 %{_libdir}/samba/libsmb-transport-samba4.so
 %{_libdir}/samba/libsmbclient-raw-samba4.so
 %{_libdir}/samba/libsmbd-base-samba4.so
+%{_libdir}/samba/libsmbd-conn-samba4.so
 %{_libdir}/samba/libsmbd-shim-samba4.so
 %{_libdir}/samba/libsmbldaphelper-samba4.so
 %{_libdir}/samba/libsys-rw-samba4.so
@ -1734,8 +1732,6 @@ fi
 %{_libdir}/samba/bind9/dlz_bind9_10.so
 %{_libdir}/samba/bind9/dlz_bind9_11.so
 %{_libdir}/samba/bind9/dlz_bind9_12.so
-%{_libdir}/samba/bind9/dlz_bind9_14.so
-%{_libdir}/samba/bind9/dlz_bind9_16.so
 #endif with_dc
 %endif

@ -1989,7 +1985,6 @@ fi
 %{python3_sitearch}/samba/__pycache__/compat.*.pyc
 %{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc
 %{python3_sitearch}/samba/__pycache__/descriptor.*.pyc
-%{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc
 %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc
 %{python3_sitearch}/samba/__pycache__/getopt.*.pyc
 %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc
@ -2010,7 +2005,6 @@ fi
 %{python3_sitearch}/samba/__pycache__/sites.*.pyc
 %{python3_sitearch}/samba/__pycache__/subnets.*.pyc
 %{python3_sitearch}/samba/__pycache__/tdb_util.*.pyc
-%{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc
 %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc
 %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc
 %{python3_sitearch}/samba/__pycache__/xattr.*.pyc
@ -2042,7 +2036,6 @@ fi
 %{python3_sitearch}/samba/dcerpc/idmap.*.so
 %{python3_sitearch}/samba/dcerpc/initshutdown.*.so
 %{python3_sitearch}/samba/dcerpc/irpc.*.so
-%{python3_sitearch}/samba/dcerpc/krb5ccache.*.so
 %{python3_sitearch}/samba/dcerpc/krb5pac.*.so
 %{python3_sitearch}/samba/dcerpc/lsa.*.so
 %{python3_sitearch}/samba/dcerpc/messaging.*.so
@ -2069,7 +2062,6 @@ fi
 %{python3_sitearch}/samba/dcerpc/wkssvc.*.so
 %{python3_sitearch}/samba/dcerpc/xattr.*.so
 %{python3_sitearch}/samba/descriptor.py
-%{python3_sitearch}/samba/dnsresolver.py
 %{python3_sitearch}/samba/drs_utils.py
 %{python3_sitearch}/samba/gensec.*.so
 %{python3_sitearch}/samba/getopt.py
@ -2202,20 +2194,25 @@ fi
 %{python3_sitearch}/samba/third_party/__init__.py
 %dir %{python3_sitearch}/samba/third_party/__pycache__
 %{python3_sitearch}/samba/third_party/__pycache__/__init__.*.pyc
-%{python3_sitearch}/samba/trust_utils.py
 %{python3_sitearch}/samba/upgrade.py
 %{python3_sitearch}/samba/upgradehelpers.py
 %{python3_sitearch}/samba/werror.*.so
 %{python3_sitearch}/samba/xattr.py
 %{python3_sitearch}/samba/xattr_native.*.so
 %{python3_sitearch}/samba/xattr_tdb.*.so
-%{_libdir}/libsamba-policy.cpython*.so.*
-%{_libdir}/samba/libsamba-net.cpython*.so
-%{_libdir}/samba/libsamba-python.cpython*.so
-
-%files -n python3-%{name}-devel
-%{_libdir}/libsamba-policy.cpython*.so
+# FIXME:
+# /usr/lib64/libsamba-policy.cpython-36m-x86-64-linux-gnu.so
+# /usr/lib64/libsamba-policy.cpython-36m-x86-64-linux-gnu.so.0
+# /usr/lib64/libsamba-policy.cpython-36m-x86-64-linux-gnu.so.0.0.1
+%{_libdir}/libsamba-policy.*.so*
+# FIXME:
+# /usr/lib64/pkgconfig/samba-policy.cpython-36m-x86_64-linux-gnu.pc
 %{_libdir}/pkgconfig/samba-policy.*.pc
+# FIXME:
+# /usr/lib64/samba/libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so
+# /usr/lib64/samba/libsamba-python.cpython-36m-x86-64-linux-gnu-samba4.so
+%{_libdir}/samba/libsamba-net.*-samba4.so
+%{_libdir}/samba/libsamba-python.*-samba4.so

 %if %{with_dc}
 %files -n python3-%{name}-dc
@ -2308,7 +2305,6 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/dns_tkey.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dns_wildcard.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dsdb.*.pyc
-%{python3_sitearch}/samba/tests/__pycache__/dsdb_api.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc
@ -2327,8 +2323,6 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc
-%{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc
-%{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc
@ -2440,11 +2434,8 @@ fi
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/__init__.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/array.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc
-%{python3_sitearch}/samba/tests/dcerpc/__pycache__/createtrustrelax.*.pyc
-%{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc
-%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc
@ -2453,18 +2444,14 @@ fi
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpc_talloc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpcecho.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/sam.*.pyc
-%{python3_sitearch}/samba/tests/dcerpc/__pycache__/samr_change_password.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/srvsvc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/string_tests.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/testrpc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/unix.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/array.py
 %{python3_sitearch}/samba/tests/dcerpc/bare.py
-%{python3_sitearch}/samba/tests/dcerpc/binding.py
-%{python3_sitearch}/samba/tests/dcerpc/createtrustrelax.py
 %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py
 %{python3_sitearch}/samba/tests/dcerpc/integer.py
-%{python3_sitearch}/samba/tests/dcerpc/lsa.py
 %{python3_sitearch}/samba/tests/dcerpc/mdssvc.py
 %{python3_sitearch}/samba/tests/dcerpc/misc.py
 %{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py
@ -2473,7 +2460,6 @@ fi
 %{python3_sitearch}/samba/tests/dcerpc/rpc_talloc.py
 %{python3_sitearch}/samba/tests/dcerpc/rpcecho.py
 %{python3_sitearch}/samba/tests/dcerpc/sam.py
-%{python3_sitearch}/samba/tests/dcerpc/samr_change_password.py
 %{python3_sitearch}/samba/tests/dcerpc/srvsvc.py
 %{python3_sitearch}/samba/tests/dcerpc/string_tests.py
 %{python3_sitearch}/samba/tests/dcerpc/testrpc.py
@ -2490,7 +2476,6 @@ fi
 %{python3_sitearch}/samba/tests/dns_tkey.py
 %{python3_sitearch}/samba/tests/dns_wildcard.py
 %{python3_sitearch}/samba/tests/dsdb.py
-%{python3_sitearch}/samba/tests/dsdb_api.py
 %{python3_sitearch}/samba/tests/dsdb_lock.py
 %{python3_sitearch}/samba/tests/dsdb_schema_attributes.py
 %{python3_sitearch}/samba/tests/docs.py
@ -2528,60 +2513,21 @@ fi
 %{python3_sitearch}/samba/tests/kcc/ldif_import_export.py
 %dir %{python3_sitearch}/samba/tests/krb5
 %dir %{python3_sitearch}/samba/tests/krb5/__pycache__
-%{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/test_min_domain_uid.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/test_rpc.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/test_smb.*.pyc
-%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/xrealm_tests.*.pyc
-%{python3_sitearch}/samba/tests/krb5/alias_tests.py
-%{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py
-%{python3_sitearch}/samba/tests/krb5/as_req_tests.py
-%{python3_sitearch}/samba/tests/krb5/compatability_tests.py
-%{python3_sitearch}/samba/tests/krb5/fast_tests.py
 %{python3_sitearch}/samba/tests/krb5/kcrypto.py
-%{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
-%{python3_sitearch}/samba/tests/krb5/kdc_tests.py
-%{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
-%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 %{python3_sitearch}/samba/tests/krb5/raw_testcase.py
-%{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py
 %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py
-%{python3_sitearch}/samba/tests/krb5/rodc_tests.py
-%{python3_sitearch}/samba/tests/krb5/s4u_tests.py
-%{python3_sitearch}/samba/tests/krb5/salt_tests.py
 %{python3_sitearch}/samba/tests/krb5/simple_tests.py
-%{python3_sitearch}/samba/tests/krb5/spn_tests.py
-%{python3_sitearch}/samba/tests/krb5/test_ccache.py
-%{python3_sitearch}/samba/tests/krb5/test_ldap.py
-%{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py
-%{python3_sitearch}/samba/tests/krb5/test_rpc.py
-%{python3_sitearch}/samba/tests/krb5/test_smb.py
+%{python3_sitearch}/samba/tests/krb5/s4u_tests.py
 %{python3_sitearch}/samba/tests/krb5/xrealm_tests.py
 %{python3_sitearch}/samba/tests/krb5_credentials.py
 %{python3_sitearch}/samba/tests/ldap_raw.py
 %{python3_sitearch}/samba/tests/ldap_referrals.py
-%{python3_sitearch}/samba/tests/ldap_spn.py
-%{python3_sitearch}/samba/tests/ldap_upn_sam_account.py
 %{python3_sitearch}/samba/tests/libsmb.py
 %{python3_sitearch}/samba/tests/loadparm.py
 %{python3_sitearch}/samba/tests/lsa_string.py
@ -2766,7 +2712,6 @@ fi
 ### WINBIND-KRB5-LOCATOR
 %files winbind-krb5-locator
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
-%dir %{_libdir}/samba/krb5
 %{_libdir}/samba/krb5/winbind_krb5_locator.so
 %{_mandir}/man8/winbind_krb5_locator.8*

@ -3397,7 +3342,6 @@ fi
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/kill
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/killall
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/multipath
-%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/nfsconf
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/net
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pidof
 %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pkill
@ -3668,135 +3612,13 @@ fi
 #endif with_clustering_support
 %endif

-%if %{with winexe}
+%if %{with_winexe}
 ### WINEXE
 %files winexe
 %{_bindir}/winexe
-%{_mandir}/man1/winexe.1.gz
 %endif

 %changelog
-* Sat Nov 13 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-2
- Fix IPA DC schannel support
-
-* Thu Nov 11 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-1
- Fix winbind trusted domain regression
- related: #2021716
-
-* Tue Nov 09 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-0
- Update to Samba 4.13.14
- resolves: #2019660, #2021711 - Security fixes for CVE-2016-2124
- resolves: #2019672, #2021716 - Security fixes for CVE-2020-25717
- resolves: #2019726, #2021718 - Security fixes for CVE-2020-25718
- resolves: #2019732, #2021719 - Security fixes for CVE-2020-25719
- resolves: #2021728, #2021729 - Security fixes for CVE-2020-25721
- resolves: #2019764, #2021721 - Security fixes for CVE-2020-25722
- resolves: #2021726, #2021727 - Security fixes for CVE-2021-3738
- resolves: #2019666, #2021715 - Security fixes for CVE-2021-23192
-
-* Fri Oct 29 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.13-0
- Update to Samba 4.13.13
-
-* Wed Sep 22 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.12-0
- Update to Samba 4.13.12
-
-* Tue Sep 07 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.11-0
- Update to Samba 4.13.11
-
-* Wed Jul 14 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.10-0
- Update to Samba 4.13.10
-
-* Tue May 11 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.9-0
- Update to Samba 4.13.9
-
-* Thu Apr 29 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.8-0
- Update to Samba 4.13.8
- resolves: #1949442, #1955027 - Security fixes for CVE-2021-20254
-
-* Wed Apr 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.7-1
- Fix memory leaks in RPC server
- resolves: #1946950
-
-* Thu Mar 25 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.7-0
- Update to Samba 4.13.7
- related: #1941400, #1942496 - Security fixes for CVE-2020-27840
- related: #1941402, #1942497 - Security fixes for CVE-2021-20277
-
-* Wed Mar 24 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.6-0
- Update to Samba 4.13.6
- resolves: #1941400, #1942496 - Security fixes for CVE-2020-27840
- resolves: #1941402, #1942497 - Security fixes for CVE-2021-20277
-
-* Tue Mar 09 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.5-0
- Update to Samba 4.13.5
-
-* Tue Jan 26 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.4-0
- Update to Samba 4.13.4
-
-* Tue Dec 15 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.3-0
- Update to Samba 4.13.3
-
-* Wed Nov 25 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.2-2
- rhbz#1892745, rhbz#1900232: smbclient mget crashes (upstream bug 14517)
- Merge RHEL 8.4 patches:
-  - FIPS-related enhancements
-  - FreeIPA Global Catalog patches
-
-* Tue Nov 03 2020 Andreas Schneider <asn@redhat.com> - 4.13.2-1
- Create a python3-samba-devel package to avoid unnessary dependencies
-
-* Tue Nov 03 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.2-0
- Update to Samba 4.13.2
-
-* Thu Oct 29 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.1-0
- Update to Samba 4.13.1
- resolves: #1892631, #1892634 - Security fixes for CVE-2020-14318
- resolves: #1891685, #1892628 - Security fixes for CVE-2020-14323
- resolves: #1892636, #1892640 - Security fixes for CVE-2020-14383
-
-* Sun Oct 25 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-13
- Report 'samba' daemon status back to systemd
- Support dnspython 2.0.0 or later in samba_dnsupdate
-
-* Thu Oct 22 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-12
- Add preliminary support for S4U operations in Samba AD DC
-  resolves: #1836630 - Samba DC: Remote Desktop cannot access files
- Fix lookup_unix_user_name to allow lookup of realm-qualified users and groups
-  required for upcoming FreeIPA Global Catalog support
-
-* Tue Sep 22 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0-11
- Update to Samba 4.13.0
-
-* Fri Sep 18 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc6-10
- Update to Samba 4.13.0rc6
- resolves: #1879822, #1880703 - Security fixes for CVE-2020-1472
-
-* Wed Sep 16 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc5-9
- Update to Samba 4.13.0rc5
-
-* Mon Sep 07 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc4-8
- Update to Samba 4.13.0rc4
-
-* Fri Aug 28 2020 Neal Gompa <ngompa13@gmail.com> - 4.13.0rc3-6
- Enable winexe by default everywhere
-
-* Fri Aug 28 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc3-5
- Update to Samba 4.13.0rc3
-
-* Fri Aug 14 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc2-4
- Update to Samba 4.13.0rc2
-
-* Wed Aug 12 2020 Andreas Schneider <asn@redhat.com> - 4.13.0rc1-3
- resolves: #1865831 - Add missing /usr/lib64/samba/krb5 directory
- resolves: #1866989 - Remove obsolete python3-crypto dependency
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13.0-0.2.rc1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 2:4.13.0-0.2.rc1
- Use make macros
-  https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
-
 * Tue Jul 14 2020 Andreas Schneider <asn@redhat.com> - 4.13.0rc1-1
 - Move mdssvc data files to correct package

--- a/smb.conf.vendor
+++ b/smb.conf.vendor
@ -2,10 +2,6 @@
 # read the smb.conf manpage.
 # Run 'testparm' to verify the config is correct after
 # you modified it.
-#
-# Note:
-# SMB1 is disabled by default. This means clients without support for SMB2 or
-# SMB3 are no longer able to connect to smbd (by default).

 [global]
 	workgroup = SAMBA
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (samba-4.13.14.tar.xz) = 9df1de1ef80010e83ac36239d4af7958fe4f44a0cad4c68cdde71d63d502372767dfe4e01f4743e3ab1d23fe3b65ac7571c14ef9614a3b6feba53c2295a7f28e
-SHA512 (samba-4.13.14.tar.asc) = 525f0d8087076e39db3205d878a2aba8242ef79927bca253963b2df7f181439dc825efd5ed457103a06251f2870fda68811ed1395a6cb7a995630e8f193153e7
+SHA512 (samba-4.13.0rc1.tar.xz) = 3e6d431998907ad8c81f488ddf78dcef5fd6a4cdf8ca684e5ad0ce9bf7217d82fcca7501155446c83d804f939bea7012f1d37c1f738d8ec7bc769a9148a6592a
+SHA512 (samba-4.13.0rc1.tar.asc) = 6dfe9467fd7fd28db91ae15fa3314a7707cfeb88c8ecd2af532d57614bec311119546a2fd4ced71063df9b7d6879a62f9ba512ae05d494323e0362a5492d33fa