Add missing Requires for python3-gpg to samba-tools

Guenther

.gitignore

@@ -311,3 +311,13 @@ samba-3.6.0pre1.tar.gz
 /samba-4.17.0.tar.asc
 /samba-4.17.1.tar.xz
 /samba-4.17.1.tar.asc
+/samba-4.17.2.tar.xz
+/samba-4.17.2.tar.asc
+/samba-4.17.3.tar.xz
+/samba-4.17.3.tar.asc
+/samba-4.17.4.tar.xz
+/samba-4.17.4.tar.asc
+/samba-4.17.5.tar.xz
+/samba-4.17.5.tar.asc
+/samba-4.17.6.tar.xz
+/samba-4.17.6.tar.asc

rpminspect.yaml

@@ -18,3 +18,7 @@ runpath:
 
 abidiff:
     suppression_file: samba.abignore
+
+debuginfo:
+    ignore:
+        - /usr/lib*/libdcerpc-samr.so.*

samba-4.17-fix-changeuserpassword4.patch

@@ -0,0 +1,540 @@
+From a3e3d05f35d6082ea48450060b39084e3d0e4056 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 10 Oct 2022 15:15:20 +0200
+Subject: [PATCH 1/5] s3:librpc: Improve GSE error message
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Noel Power <noel.power@suse.com>
+---
+ source3/librpc/crypto/gse.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index c50a8a036df..c2cac7abf82 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -546,11 +546,28 @@ init_sec_context_done:
+ 		goto done;
+ 	case GSS_S_FAILURE:
+ 		switch (gss_min) {
+-		case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+-			DBG_NOTICE("Server principal not found\n");
++		case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: {
++			gss_buffer_desc name_token = {
++				.length = 0,
++			};
++
++			gss_maj = gss_display_name(&gss_min,
++						   gse_ctx->server_name,
++						   &name_token,
++						   NULL);
++			if (gss_maj == GSS_S_COMPLETE) {
++				DBG_NOTICE("Server principal %.*s not found\n",
++					   (int)name_token.length,
++					   (char *)name_token.value);
++				gss_release_buffer(&gss_maj, &name_token);
++			} else {
++				DBG_NOTICE("Server principal not found\n");
++			}
++
+ 			/* Make SPNEGO ignore us, we can't go any further here */
+ 			status = NT_STATUS_INVALID_PARAMETER;
+ 			goto done;
++		}
+ 		case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED:
+ 			DBG_NOTICE("Ticket expired\n");
+ 			/* Make SPNEGO ignore us, we can't go any further here */
+-- 
+2.37.3
+
+
+From d2e2e9acd717e45806f1b19378e09f39c8fe3da8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 7 Oct 2022 14:35:15 +0200
+Subject: [PATCH 2/5] s3:rpcclient: Pass salt down to
+ init_samr_CryptPasswordAES()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Noel Power <noel.power@suse.com>
+---
+ source3/rpc_client/init_samr.c | 15 ++++-----------
+ source3/rpc_client/init_samr.h |  1 +
+ source3/rpcclient/cmd_samr.c   |  8 ++++++++
+ source4/libnet/libnet_passwd.c | 13 +++++++------
+ source4/torture/rpc/samr.c     | 27 +++++++++++++++++++++++++++
+ 5 files changed, 47 insertions(+), 17 deletions(-)
+
+diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
+index 68f42b602b3..52fa2f90d6e 100644
+--- a/source3/rpc_client/init_samr.c
++++ b/source3/rpc_client/init_samr.c
+@@ -79,6 +79,7 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
+ 
+ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+ 				    const char *password,
++				    DATA_BLOB *salt,
+ 				    DATA_BLOB *session_key,
+ 				    struct samr_EncryptedPasswordAES *ppwd_buf)
+ {
+@@ -87,12 +88,6 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+ 		.data = pw_data,
+ 		.length = sizeof(pw_data),
+ 	};
+-	size_t iv_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_256_CBC);
+-	uint8_t iv_data[iv_size];
+-	DATA_BLOB iv = {
+-		.data = iv_data,
+-		.length = iv_size,
+-	};
+ 	DATA_BLOB ciphertext = data_blob_null;
+ 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ 	bool ok;
+@@ -101,8 +96,6 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
+-	generate_nonce_buffer(iv.data, iv.length);
+-
+ 	ok = encode_pwd_buffer514_from_str(pw_data, password, STR_UNICODE);
+ 	if (!ok) {
+ 		return NT_STATUS_INTERNAL_ERROR;
+@@ -114,7 +107,7 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+ 			session_key,
+ 			&samr_aes256_enc_key_salt,
+ 			&samr_aes256_mac_key_salt,
+-			&iv,
++			salt,
+ 			&ciphertext,
+ 			ppwd_buf->auth_data);
+ 	BURN_DATA(pw_data);
+@@ -126,8 +119,8 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+ 	ppwd_buf->cipher = ciphertext.data;
+ 	ppwd_buf->PBKDF2Iterations = 0;
+ 
+-	SMB_ASSERT(iv.length == sizeof(ppwd_buf->salt));
+-	memcpy(ppwd_buf->salt, iv.data, iv.length);
++	SMB_ASSERT(salt->length == sizeof(ppwd_buf->salt));
++	memcpy(ppwd_buf->salt, salt->data, salt->length);
+ 
+ 	return NT_STATUS_OK;
+ }
+diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
+index 940534e7168..71b4c0e573d 100644
+--- a/source3/rpc_client/init_samr.h
++++ b/source3/rpc_client/init_samr.h
+@@ -47,6 +47,7 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
+  */
+ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
+ 				    const char *password,
++				    DATA_BLOB *salt,
+ 				    DATA_BLOB *session_key,
+ 				    struct samr_EncryptedPasswordAES *ppwd_buf);
+ 
+diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
+index 9ccd2f78a8d..8106ca90cf2 100644
+--- a/source3/rpcclient/cmd_samr.c
++++ b/source3/rpcclient/cmd_samr.c
+@@ -3172,6 +3172,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
+ 	uint8_t nt_hash[16];
+ 	uint8_t lm_hash[16];
+ 	DATA_BLOB session_key;
++	uint8_t salt_data[16];
++	DATA_BLOB salt = {
++		.data = salt_data,
++		.length = sizeof(salt_data),
++	};
+ 	uint8_t password_expired = 0;
+ 	struct dcerpc_binding_handle *b = cli->binding_handle;
+ 	TALLOC_CTX *frame = NULL;
+@@ -3198,6 +3203,8 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
+ 		goto done;
+ 	}
+ 
++	generate_nonce_buffer(salt.data, salt.length);
++
+ 	switch(level) {
+ 	case 18:
+ 	case 21:
+@@ -3220,6 +3227,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
+ 	case 31:
+ 		status = init_samr_CryptPasswordAES(frame,
+ 						    param,
++						    &salt,
+ 						    &session_key,
+ 						    &pwd_buf_aes);
+ 		if (!NT_STATUS_IS_OK(status)) {
+diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
+index 4f662110e55..a1672104824 100644
+--- a/source4/libnet/libnet_passwd.c
++++ b/source4/libnet/libnet_passwd.c
+@@ -57,13 +57,13 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
+ 	struct samr_EncryptedPasswordAES pwd_buf = {
+ 		.cipher_len = 0
+ 	};
+-	DATA_BLOB iv = {
++	DATA_BLOB salt = {
+ 		.data = pwd_buf.salt,
+ 		.length = sizeof(pwd_buf.salt),
+ 	};
+-	gnutls_datum_t iv_datum = {
+-		.data = iv.data,
+-		.size = iv.length,
++	gnutls_datum_t salt_datum = {
++		.data = pwd_buf.salt,
++		.size = sizeof(pwd_buf.salt),
+ 	};
+ 	uint64_t pbkdf2_iterations = generate_random_u64_range(5000, 1000000);
+ 	NTSTATUS status;
+@@ -71,11 +71,11 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
+ 
+ 	E_md4hash(old_password, old_nt_key_data);
+ 
+-	generate_nonce_buffer(iv.data, iv.length);
++	generate_nonce_buffer(salt.data, salt.length);
+ 
+ 	rc = gnutls_pbkdf2(GNUTLS_MAC_SHA512,
+ 			   &old_nt_key,
+-			   &iv_datum,
++			   &salt_datum,
+ 			   pbkdf2_iterations,
+ 			   cek.data,
+ 			   cek.length);
+@@ -86,6 +86,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
+ 
+ 	status = init_samr_CryptPasswordAES(mem_ctx,
+ 					    new_password,
++					    &salt,
+ 					    &cek,
+ 					    &pwd_buf);
+ 	data_blob_clear(&cek);
+diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
+index de354659067..0b1880efa18 100644
+--- a/source4/torture/rpc/samr.c
++++ b/source4/torture/rpc/samr.c
+@@ -783,6 +783,11 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t
+ 	struct samr_SetUserInfo s;
+ 	union samr_UserInfo u;
+ 	DATA_BLOB session_key;
++	uint8_t salt_data[16];
++	DATA_BLOB salt = {
++		.data = salt_data,
++		.length = sizeof(salt_data),
++	};
+ 	char *newpass = NULL;
+ 	struct dcerpc_binding_handle *b = p->binding_handle;
+ 	struct samr_GetUserPwInfo pwp;
+@@ -818,8 +823,11 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t
+ 		return false;
+ 	}
+ 
++	generate_nonce_buffer(salt.data, salt.length);
++
+ 	status = init_samr_CryptPasswordAES(tctx,
+ 					    newpass,
++					    &salt,
+ 					    &session_key,
+ 					    &u.info32.password);
+ 	torture_assert_ntstatus_ok(tctx,
+@@ -852,6 +860,7 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t
+ 
+ 	status = init_samr_CryptPasswordAES(tctx,
+ 					    newpass,
++					    &salt,
+ 					    &session_key,
+ 					    &u.info32.password);
+ 	torture_assert_ntstatus_ok(tctx,
+@@ -896,6 +905,11 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t
+ 	union samr_UserInfo u;
+ 	bool ret = true;
+ 	DATA_BLOB session_key;
++	uint8_t salt_data[16];
++	DATA_BLOB salt = {
++		.data = salt_data,
++		.length = sizeof(salt_data),
++	};
+ 	char *newpass;
+ 	struct dcerpc_binding_handle *b = p->binding_handle;
+ 	struct samr_GetUserPwInfo pwp;
+@@ -931,8 +945,11 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t
+ 		return false;
+ 	}
+ 
++	generate_nonce_buffer(salt.data, salt.length);
++
+ 	status = init_samr_CryptPasswordAES(tctx,
+ 					    newpass,
++					    &salt,
+ 					    &session_key,
+ 					    &u.info31.password);
+ 	torture_assert_ntstatus_ok(tctx,
+@@ -959,6 +976,7 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t
+ 
+ 	status = init_samr_CryptPasswordAES(tctx,
+ 					    newpass,
++					    &salt,
+ 					    &session_key,
+ 					    &u.info31.password);
+ 	torture_assert_ntstatus_ok(tctx,
+@@ -1381,6 +1399,11 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
+ 	union samr_UserInfo u;
+ 	bool ret = true;
+ 	DATA_BLOB session_key;
++	uint8_t salt_data[16];
++	DATA_BLOB salt = {
++		.data = salt_data,
++		.length = sizeof(salt_data),
++	};
+ 	char *newpass;
+ 	struct dcerpc_binding_handle *b = p->binding_handle;
+ 	struct samr_GetUserPwInfo pwp;
+@@ -1490,6 +1513,8 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
+ 		return false;
+ 	}
+ 
++	generate_nonce_buffer(salt.data, salt.length);
++
+ 	switch (level) {
+ 	case 18:
+ 		{
+@@ -1561,6 +1586,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
+ 	case 31:
+ 		status = init_samr_CryptPasswordAES(tctx,
+ 						    newpass,
++						    &salt,
+ 						    &session_key,
+ 						    &u.info31.password);
+ 
+@@ -1568,6 +1594,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
+ 	case 32:
+ 		status = init_samr_CryptPasswordAES(tctx,
+ 						    newpass,
++						    &salt,
+ 						    &session_key,
+ 						    &u.info32.password);
+ 
+-- 
+2.37.3
+
+
+From 1d630363c9b2497266e418aad89c55d5b51a63ad Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 17 Oct 2022 09:02:28 +0200
+Subject: [PATCH 3/5] s4:libnet: If we successfully changed the password we are
+ done
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Noel Power <noel.power@suse.com>
+---
+ source4/libnet/libnet_passwd.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
+index a1672104824..b17614bcd97 100644
+--- a/source4/libnet/libnet_passwd.c
++++ b/source4/libnet/libnet_passwd.c
+@@ -101,7 +101,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
+ 	r.in.password = &pwd_buf;
+ 
+ 	status = dcerpc_samr_ChangePasswordUser4_r(h, mem_ctx, &r);
+-	if (NT_STATUS_IS_OK(status)) {
++	if (!NT_STATUS_IS_OK(status)) {
+ 		goto done;
+ 	}
+ 	if (!NT_STATUS_IS_OK(r.out.result)) {
+@@ -112,6 +112,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
+ 						account->string,
+ 						nt_errstr(status));
+ 		status = r.out.result;
++		goto done;
+ 	}
+ 
+ done:
+@@ -424,20 +425,23 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
+ 		r->samr.in.oldpassword,
+ 		r->samr.in.newpassword,
+ 		&(r->samr.out.error_string));
+-	if (!NT_STATUS_IS_OK(status)) {
+-		if (NT_STATUS_EQUAL(status,
+-				     NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
+-		    NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
+-		    NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+-			/*
+-			* Don't fallback to RC4 based SAMR if weak crypto is not
+-			* allowed.
+-			*/
+-			if (lpcfg_weak_crypto(ctx->lp_ctx) ==
+-			SAMBA_WEAK_CRYPTO_DISALLOWED) {
+-				goto disconnect;
+-			}
++	if (NT_STATUS_IS_OK(status)) {
++		goto disconnect;
++	} else if (NT_STATUS_EQUAL(status,
++				   NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
++		   NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
++		   NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
++		/*
++		 * Don't fallback to RC4 based SAMR if weak crypto is not
++		 * allowed.
++		 */
++		if (lpcfg_weak_crypto(ctx->lp_ctx) ==
++		    SAMBA_WEAK_CRYPTO_DISALLOWED) {
++			goto disconnect;
+ 		}
++	} else {
++		/* libnet_ChangePassword_samr_aes is implemented and failed */
++		goto disconnect;
+ 	}
+ 
+ 	status = libnet_ChangePassword_samr_rc4(
+-- 
+2.37.3
+
+
+From 9a4a169ab34641afb87e7f81708c9a72b321879e Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Fri, 21 Oct 2022 17:40:36 +0100
+Subject: [PATCH 4/5] s4/rpc_server/sambr: don't mutate the return of
+ samdb_set_password_aes
+
+prior to this commit return of samdb_set_password_aes was set to
+NT_STATUS_WRONG_PASSWORD on failure. Useful status that should be
+returned such as NT_STATUS_PASSWORD_RESTRICTION are swallowed here
+otherwise (and in this case can be partially responsible for failures
+in test samba.tests.auth_log_pass_change (with later gnutls)
+
+Signed-off-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source4/rpc_server/samr/samr_password.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
+index 4691f9a47a9..b581be6361c 100644
+--- a/source4/rpc_server/samr/samr_password.c
++++ b/source4/rpc_server/samr/samr_password.c
+@@ -250,7 +250,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser4(struct dcesrv_call_state *dce_call,
+ 
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		ldb_transaction_cancel(sam_ctx);
+-		status = NT_STATUS_WRONG_PASSWORD;
+ 		goto done;
+ 	}
+ 
+-- 
+2.37.3
+
+
+From b8b36ecba0f22dbc203c12627ebd629c2437c635 Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Fri, 21 Oct 2022 17:14:44 +0100
+Subject: [PATCH 5/5] python/samba/tests: fix samba.tests.auth_log_pass_change
+ for later gnutls
+
+later gnutls that support GNUTLS_PBKDF2 currently fail,
+we need to conditionally switch test data to reflect use of
+'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
+depending on whether GNUTLS_PBKDF2 is supported or not
+
+Signed-off-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ python/samba/tests/auth_log_pass_change.py | 20 ++++++++++++++++----
+ source4/selftest/tests.py                  |  9 ++++++---
+ 2 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py
+index 972af2158dd..1ca46c586b3 100644
+--- a/python/samba/tests/auth_log_pass_change.py
++++ b/python/samba/tests/auth_log_pass_change.py
+@@ -72,6 +72,18 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
+ 
+         # discard any auth log messages for the password setup
+         self.discardMessages()
++        gnutls_pbkdf2_support = samba.tests.env_get_var_value(
++            'GNUTLS_PBKDF2_SUPPORT',
++            allow_missing=True)
++        if gnutls_pbkdf2_support is None:
++            gnutls_pbkdf2_support = '0'
++        self.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support))
++
++    def _authDescription(self):
++        if self.gnutls_pbkdf2_support:
++            return "samr_ChangePasswordUser4"
++        else:
++            return "samr_ChangePasswordUser3"
+ 
+     def tearDown(self):
+         super(AuthLogPassChangeTests, self).tearDown()
+@@ -83,7 +95,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
+                     (msg["Authentication"]["serviceDescription"] ==
+                         "SAMR Password Change") and
+                     (msg["Authentication"]["authDescription"] ==
+-                        "samr_ChangePasswordUser3") and
++                        self._authDescription()) and
+                     (msg["Authentication"]["eventId"] ==
+                         EVT_ID_SUCCESSFUL_LOGON) and
+                     (msg["Authentication"]["logonType"] ==
+@@ -109,7 +121,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
+                     (msg["Authentication"]["serviceDescription"] ==
+                         "SAMR Password Change") and
+                     (msg["Authentication"]["authDescription"] ==
+-                        "samr_ChangePasswordUser3") and
++                        self._authDescription()) and
+                     (msg["Authentication"]["eventId"] ==
+                         EVT_ID_UNSUCCESSFUL_LOGON) and
+                     (msg["Authentication"]["logonType"] ==
+@@ -141,7 +153,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
+                     (msg["Authentication"]["serviceDescription"] ==
+                         "SAMR Password Change") and
+                     (msg["Authentication"]["authDescription"] ==
+-                        "samr_ChangePasswordUser3") and
++                        self._authDescription()) and
+                     (msg["Authentication"]["eventId"] ==
+                         EVT_ID_UNSUCCESSFUL_LOGON) and
+                     (msg["Authentication"]["logonType"] ==
+@@ -174,7 +186,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
+                     (msg["Authentication"]["serviceDescription"] ==
+                         "SAMR Password Change") and
+                     (msg["Authentication"]["authDescription"] ==
+-                        "samr_ChangePasswordUser3") and
++                        self._authDescription()) and
+                     (msg["Authentication"]["eventId"] ==
+                         EVT_ID_UNSUCCESSFUL_LOGON) and
+                     (msg["Authentication"]["logonType"] ==
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index a803d4704ea..c92105586a7 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -1094,9 +1094,11 @@ if have_heimdal_support:
+                            environ={'CLIENT_IP': '10.53.57.11',
+                                     'SOCKET_WRAPPER_DEFAULT_IFACE': 11})
+     planoldpythontestsuite("ad_dc_smb1", "samba.tests.auth_log_pass_change",
+-                           extra_args=['-U"$USERNAME%$PASSWORD"'])
++                           extra_args=['-U"$USERNAME%$PASSWORD"'],
++                           environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
+     planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.auth_log_pass_change",
+-                           extra_args=['-U"$USERNAME%$PASSWORD"'])
++                           extra_args=['-U"$USERNAME%$PASSWORD"'],
++                           environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
+ 
+     # these tests use a NCA local RPC connection, so always run on the
+     # :local testenv, and so don't need to fake a client connection
+@@ -1113,7 +1115,8 @@ if have_heimdal_support:
+                            "samba.tests.auth_log_winbind",
+                            extra_args=['-U"$DC_USERNAME%$DC_PASSWORD"'])
+     planoldpythontestsuite("ad_dc", "samba.tests.audit_log_pass_change",
+-                           extra_args=['-U"$USERNAME%$PASSWORD"'])
++                           extra_args=['-U"$USERNAME%$PASSWORD"'],
++                           environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
+     planoldpythontestsuite("ad_dc", "samba.tests.audit_log_dsdb",
+                            extra_args=['-U"$USERNAME%$PASSWORD"'])
+     planoldpythontestsuite("ad_dc", "samba.tests.group_audit",
+-- 
+2.37.3
+

samba.spec

@@ -134,8 +134,8 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%global samba_version 4.17.1
-%global baserelease 1
+%global samba_version 4.17.6
+%global baserelease 0
 # This should be rc1 or %%nil
 %global pre_release %nil
 
@@ -193,24 +193,24 @@
 
 %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba"
 
+# Make a copy of this variable to prevent repeated evaluation of the
+# embedded shell command.  Avoid recursive macro definition if undefined.
+%{?python3_sitearch: %global python3_sitearch %{python3_sitearch}}
+
 Name:           samba
 Version:        %{samba_version}
 Release:        %{samba_release}%{?dist}
 
-%if 0%{?rhel}
-Epoch:          0
-%else
+%if 0%{?fedora}
 Epoch:          2
+%else
+Epoch:          0
 %endif
 
-%if 0%{?epoch} > 0
 %global samba_depver %{epoch}:%{version}-%{release}
-%else
-%global samba_depver %{version}-%{release}
-%endif
 
 Summary:        Server and Client software to interoperate with Windows machines
-License:        GPLv3+ and LGPLv3+
+License:        GPL-3.0-or-later AND LGPL-3.0-or-later
 URL:            https://www.samba.org
 
 # This is a xz recompressed file of https://ftp.samba.org/pub/samba/samba-%%{version}%%{pre_release}.tar.gz
@@ -239,6 +239,7 @@ Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-common-tools = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-dcerpc = %{samba_depver}
 Requires: libnetapi = %{samba_depver}
 %if %{with libwbclient}
 Requires(post): libwbclient = %{samba_depver}
@@ -269,6 +270,7 @@ Provides: bundled(libreplace)
 
 BuildRequires: make
 BuildRequires: gcc
+BuildRequires: glibc-gconv-extra
 BuildRequires: avahi-devel
 BuildRequires: bison
 BuildRequires: cups-devel
@@ -305,8 +307,10 @@ BuildRequires: perl-generators
 BuildRequires: perl(Archive::Tar)
 BuildRequires: perl(Test::More)
 BuildRequires: popt-devel
+BuildRequires: python3-cryptography
 BuildRequires: python3-devel
 BuildRequires: python3-dns
+BuildRequires: python3-requests
 BuildRequires: python3-setuptools
 BuildRequires: quota-devel
 BuildRequires: readline-devel
@@ -323,6 +327,10 @@ BuildRequires: zlib-devel >= 1.2.3
 
 BuildRequires: pkgconfig(libsystemd)
 
+%if 0%{?fedora} >= 37
+BuildRequires: mold
+%endif
+
 %if %{with vfs_glusterfs}
 BuildRequires: glusterfs-api-devel >= 3.4.0.16
 BuildRequires: glusterfs-devel >= 3.4.0.16
@@ -346,17 +354,6 @@ BuildRequires: librados-devel
 BuildRequires: python3-etcd
 %endif
 
-%if %{with dc} || %{with testsuite}
-# Add python3-iso8601 to avoid that the
-# version in Samba is being packaged
-BuildRequires: python3-iso8601
-BuildRequires: python3-pyasn1 >= 0.4.8
-
-BuildRequires: bind
-BuildRequires: krb5-server >= %{required_mit_krb5}
-#endif with dc
-%endif
-
 # pidl requirements
 BuildRequires: perl(ExtUtils::MakeMaker)
 BuildRequires: perl(FindBin)
@@ -387,10 +384,15 @@ BuildRequires: lmdb-devel
 %if %{with dc} || %{with testsuite}
 BuildRequires: bind
 BuildRequires: krb5-server >= %{required_mit_krb5}
+%if 0%{?fedora} || 0%{?rhel} >= 9
+BuildRequires: python3-dateutil
+%else
+BuildRequires: python3-iso8601
+%endif
 BuildRequires: python3-gpg
 BuildRequires: python3-markdown
+BuildRequires: python3-pyasn1 >= 0.4.8
 BuildRequires: python3-setproctitle
-BuildRequires: python3-cryptography
 
 %if %{without includelibs}
 BuildRequires: tdb-tools
@@ -447,6 +449,8 @@ Requires: %{name}-common-libs = %{samba_depver}
 Requires: libwbclient = %{samba_depver}
 %endif
 Requires: krb5-libs >= %{required_mit_krb5}
+# This is needed for charset conversion
+Requires: glibc-gconv-extra
 
 %description client-libs
 The samba-client-libs package contains internal libraries needed by the
@@ -510,7 +514,7 @@ SMB/CIFS clients.
 
 ### COMMON-TOOLS
 %package common-tools
-Summary: Tools for Samba servers and clients
+Summary: Tools for Samba clients
 Requires: samba-common-libs = %{samba_depver}
 Requires: samba-client-libs = %{samba_depver}
 Requires: samba-libs = %{samba_depver}
@@ -520,22 +524,42 @@ Requires: libnetapi = %{samba_depver}
 Requires: libwbclient = %{samba_depver}
 %endif
 
-# samba-tool needs python3-samba
-Requires: python3-%{name} = %{samba_depver}
-# samba-tool needs tdbbackup
-Requires: tdb-tools
-%if %{with dc}
-# samba-tool needs python3-samba-dc on a full build
-Requires: python3-%{name}-dc = %{samba_depver}
-# samba-tool needs mdb_copy for domain backup or upgrade provision
-Requires: lmdb
-%endif
-
 Provides: bundled(libreplace)
 
 %description common-tools
-The samba-common-tools package contains tools for Samba servers and
-SMB/CIFS clients.
+The samba-common-tools package contains tools for SMB/CIFS clients.
+
+### SAMBA-TOOLS
+%package tools
+Summary: Tools for Samba servers
+# samba-tool needs python3-samba
+Requires: python3-%{name} = %{samba_depver}
+# samba-tool needs python3-samba-dc also on non-dc build
+Requires: python3-%{name}-dc = %{samba_depver}
+%if %{with dc}
+# samba-tool needs mdb_copy and tdbackup for domain backup or upgrade provision
+Requires: lmdb
+Requires: tdb-tools
+Requires: python3-gpg
+%endif
+
+%description tools
+The samba-tools package contains tools for Samba servers
+and for GPO management on domain members.
+
+### RPC
+%package dcerpc
+Summary: DCE RPC binaries
+Requires: samba-common-libs = %{samba_depver}
+Requires: samba-client-libs = %{samba_depver}
+Requires: samba-libs = %{samba_depver}
+Requires: libnetapi = %{samba_depver}
+%if %{with libwbclient}
+Requires: libwbclient = %{samba_depver}
+%endif
+
+%description dcerpc
+The samba-dcerpc package contains binaries that serve DCERPC over named pipes.
 
 ### DC
 %if %{with dc} || %{with testsuite}
@@ -545,6 +569,7 @@ Requires: %{name} = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-common-tools = %{samba_depver}
+Requires: %{name}-tools = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-dc-provision = %{samba_depver}
 Requires: %{name}-dc-libs = %{samba_depver}
@@ -582,6 +607,9 @@ BuildArch: noarch
 %description dc-provision
 The samba-dc-provision package provides files to setup a domain controller
 
+#endif with dc || with testsuite
+%endif
+
 ### DC-LIBS
 %package dc-libs
 Summary: Samba AD Domain Controller Libraries
@@ -598,6 +626,7 @@ Provides: bundled(libreplace)
 The %{name}-dc-libs package contains the libraries needed by the DC to
 link against the SMB, RPC and other protocols.
 
+%if %{with dc} || %{with testsuite}
 ### DC-BIND
 %package dc-bind-dlz
 Summary: Bind DLZ module for Samba AD
@@ -722,6 +751,7 @@ the Kerberos credentials cache of the user issuing the print job.
 %package ldb-ldap-modules
 Summary: Samba ldap modules for ldb
 Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
 
 %description ldb-ldap-modules
 This package contains the ldb ldap modules required by samba-tool and
@@ -819,14 +849,14 @@ Summary: Samba Python3 libraries
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
-%if %{with dc}
 Requires: %{name}-dc-libs = %{samba_depver}
-%endif
-Requires: python3-talloc
-Requires: python3-tevent
-Requires: python3-tdb
-Requires: python3-ldb
+Requires: python3-cryptography
 Requires: python3-dns
+Requires: python3-ldb
+Requires: python3-requests
+Requires: python3-talloc
+Requires: python3-tdb
+Requires: python3-tevent
 %if %{with libsmbclient}
 Requires: libsmbclient = %{samba_depver}
 %endif
@@ -857,7 +887,6 @@ Requires: %{name}-libs = %{samba_depver}
 The python3-%{name}-test package contains the Python libraries used by the test suite of Samba.
 If you want to run full set of Samba tests, you need to install this package.
 
-%if %{with dc} || %{with testsuite}
 %package -n python3-samba-dc
 Summary: Samba Python libraries for Samba AD
 Requires: %{name}-client-libs = %{samba_depver}
@@ -867,7 +896,6 @@ Requires: python3-%{name} = %{samba_depver}
 %description -n python3-samba-dc
 The python3-%{name}-dc package contains the Python libraries needed by programs
 to manage Samba AD.
-%endif
 
 ### PIDL
 %package pidl
@@ -961,11 +989,13 @@ Requires(post): %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 Requires(post): %{name}-libs = %{samba_depver}
 Requires: %{name}-winbind-modules = %{samba_depver}
+Recommends: %{name}-tools = %{samba_depver}
 
 %if %{with libwbclient}
 Requires(post): libwbclient = %{samba_depver}
 Requires: libwbclient = %{samba_depver}
 %endif
+Requires: %{name}-dcerpc = %{samba_depver}
 
 Provides: samba4-winbind = %{samba_depver}
 Obsoletes: samba4-winbind < %{samba_depver}
@@ -1050,7 +1080,7 @@ necessary to communicate to the Winbind Daemon
 %if %{with winexe}
 %package winexe
 Summary: Samba Winexe Windows Binary
-License: GPLv3
+License: GPL-3.0-only
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 
@@ -1067,6 +1097,7 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB)
 
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
+Requires: %{name}-winbind-clients = %{samba_depver}
 
 Requires: coreutils
 # for ps and killall
@@ -1166,7 +1197,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB
 
 
 %prep
+%if 0%{?fedora} || 0%{?rhel} >= 9
+xzcat %{SOURCE0} | %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data=-
+%else
 xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
+%endif
 %autosetup -n samba-%{version}%{pre_release} -p1
 
 # Ensure we rely on GnuTLS and do not build any other crypto code shipping with
@@ -1219,9 +1254,13 @@ rm -f lib/crypto/{aes,rijndael}*.c
 # TODO: resolve underlinked python modules
 export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')"
 
-# Use the gold linker
-# See https://bugzilla.redhat.com/show_bug.cgi?id=2043178 ; For f36 do not use ld.gold till it is fixed
-#export LDFLAGS="%%{__global_ldflags} -fuse-ld=gold"
+# Use the mold linker
+%if 0%{?fedora} >= 37
+export LDFLAGS="%{__global_ldflags} -fuse-ld=mold"
+export python_LDFLAGS="$(echo ${LDFLAGS} | sed -e 's/-Wl,-z,defs//g')"
+%else
+export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')"
+%endif
 
 %configure \
         --enable-fhs \
@@ -1378,60 +1417,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 
 %if %{without dc} && %{without testsuite}
 for i in \
-    %{_libdir}/samba/libdfs-server-ad-samba4.so \
-    %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \
-    %{_libdir}/samba/libscavenge-dns-records-samba4.so \
     %{_mandir}/man8/samba.8 \
     %{_mandir}/man8/samba_downgrade_db.8 \
     %{_mandir}/man8/samba-gpupdate.8 \
     %{_unitdir}/samba.service \
-    %{python3_sitearch}/samba/dcerpc/dnsserver.*.so \
-    %{python3_sitearch}/samba/dnsserver.py \
-    %{python3_sitearch}/samba/domain_update.py \
-    %{python3_sitearch}/samba/forest_update.py \
-    %{python3_sitearch}/samba/kcc/__init__.py \
-    %{python3_sitearch}/samba/kcc/debug.py \
-    %{python3_sitearch}/samba/kcc/graph.py \
-    %{python3_sitearch}/samba/kcc/graph_utils.py \
-    %{python3_sitearch}/samba/kcc/kcc_utils.py \
-    %{python3_sitearch}/samba/kcc/ldif_import_export.py \
-    %{python3_sitearch}/samba/kcc/__pycache__/__init__.*.pyc \
-    %{python3_sitearch}/samba/kcc/__pycache__/debug.*.pyc \
-    %{python3_sitearch}/samba/kcc/__pycache__/graph.*.pyc \
-    %{python3_sitearch}/samba/kcc/__pycache__/graph_utils.*.pyc \
-    %{python3_sitearch}/samba/kcc/__pycache__/kcc_utils.*.pyc \
-    %{python3_sitearch}/samba/kcc/__pycache__/ldif_import_export.*.pyc \
-    %{python3_sitearch}/samba/ms_forest_updates_markdown.py \
-    %{python3_sitearch}/samba/ms_schema_markdown.py \
-    %{python3_sitearch}/samba/provision/__init__.py \
-    %{python3_sitearch}/samba/provision/backend.py \
-    %{python3_sitearch}/samba/provision/common.py \
-    %{python3_sitearch}/samba/provision/kerberos_implementation.py \
-    %{python3_sitearch}/samba/provision/kerberos.py \
-    %{python3_sitearch}/samba/provision/sambadns.py \
-    %{python3_sitearch}/samba/provision/__pycache__/__init__.*.pyc \
-    %{python3_sitearch}/samba/provision/__pycache__/backend.*.pyc \
-    %{python3_sitearch}/samba/provision/__pycache__/common.*.pyc \
-    %{python3_sitearch}/samba/provision/__pycache__/kerberos_implementation.*.pyc \
-    %{python3_sitearch}/samba/provision/__pycache__/kerberos.*.pyc \
-    %{python3_sitearch}/samba/provision/__pycache__/sambadns.*.pyc \
-    %{python3_sitearch}/samba/__pycache__/domain_update.*.pyc \
-    %{python3_sitearch}/samba/__pycache__/forest_update.*.pyc \
-    %{python3_sitearch}/samba/__pycache__/ms_forest_updates_markdown.*.pyc \
-    %{python3_sitearch}/samba/__pycache__/ms_schema_markdown.*.pyc \
-    %{python3_sitearch}/samba/__pycache__/remove_dc.*.pyc \
-    %{python3_sitearch}/samba/__pycache__/schema.*.pyc \
-    %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc \
-    %{python3_sitearch}/samba/remove_dc.py \
-    %{python3_sitearch}/samba/samdb.py \
-    %{python3_sitearch}/samba/schema.py \
-    %{python3_sitearch}/samba/third_party/iso8601/__init__.py \
-    %{python3_sitearch}/samba/third_party/iso8601/__pycache__/__init__.*.pyc \
-    %{python3_sitearch}/samba/third_party/iso8601/__pycache__/iso8601.*.pyc \
-    %{python3_sitearch}/samba/third_party/iso8601/__pycache__/test_iso8601.*.pyc \
-    %{python3_sitearch}/samba/third_party/iso8601/iso8601.py \
-    %{python3_sitearch}/samba/third_party/iso8601/test_iso8601.py \
-    %{python3_sitearch}/samba/uptodateness.py \
     %{_sbindir}/samba-gpupdate \
     ; do
     rm -f %{buildroot}$i
@@ -1744,15 +1733,6 @@ fi
 
 %dir %{_libexecdir}/samba
 %{_libexecdir}/samba/samba-bgqd
-%{_libexecdir}/samba/samba-dcerpcd
-%{_libexecdir}/samba/rpcd_classic
-%{_libexecdir}/samba/rpcd_epmapper
-%{_libexecdir}/samba/rpcd_fsrvp
-%{_libexecdir}/samba/rpcd_lsad
-%{_libexecdir}/samba/rpcd_mdssvc
-%{_libexecdir}/samba/rpcd_rpcecho
-%{_libexecdir}/samba/rpcd_spoolss
-%{_libexecdir}/samba/rpcd_winreg
 
 %dir %{_datadir}/samba
 %dir %{_datadir}/samba/mdssvc
@@ -1766,7 +1746,6 @@ fi
 %{_mandir}/man1/smbstatus.1*
 %{_mandir}/man8/eventlogadm.8*
 %{_mandir}/man8/samba-bgqd.8*
-%{_mandir}/man8/samba-dcerpcd.8*
 %{_mandir}/man8/smbd.8*
 %{_mandir}/man8/nmbd.8*
 %{_mandir}/man8/vfs_acl_tdb.8*
@@ -2057,11 +2036,11 @@ fi
 %{_libdir}/samba/pdb/smbpasswd.so
 %{_libdir}/samba/pdb/tdbsam.so
 
+### COMMON-TOOLS
 %files common-tools
 %{_bindir}/net
 %{_bindir}/pdbedit
 %{_bindir}/profiles
-%{_bindir}/samba-tool
 %{_bindir}/smbcontrol
 %{_bindir}/smbpasswd
 %{_bindir}/testparm
@@ -2070,9 +2049,27 @@ fi
 %{_mandir}/man1/testparm.1*
 %{_mandir}/man8/net.8*
 %{_mandir}/man8/pdbedit.8*
-%{_mandir}/man8/samba-tool.8*
 %{_mandir}/man8/smbpasswd.8*
 
+### TOOLS
+%files tools
+%{_bindir}/samba-tool
+%{_mandir}/man8/samba-tool.8*
+
+### RPC
+%files dcerpc
+%dir %{_libexecdir}/samba
+%{_libexecdir}/samba/samba-dcerpcd
+%{_libexecdir}/samba/rpcd_classic
+%{_libexecdir}/samba/rpcd_epmapper
+%{_libexecdir}/samba/rpcd_fsrvp
+%{_libexecdir}/samba/rpcd_lsad
+%{_libexecdir}/samba/rpcd_mdssvc
+%{_libexecdir}/samba/rpcd_rpcecho
+%{_libexecdir}/samba/rpcd_spoolss
+%{_libexecdir}/samba/rpcd_winreg
+%{_mandir}/man8/samba-dcerpcd.8*
+
 ### DC
 %if %{with dc} || %{with testsuite}
 %files dc
@@ -2087,7 +2084,6 @@ fi
 %{_libdir}/krb5/plugins/kdb/samba.so
 
 %{_libdir}/samba/auth/samba4.so
-%{_libdir}/samba/libpac-samba4.so
 %dir %{_libdir}/samba/gensec
 %{_libdir}/samba/gensec/krb5.so
 %{_libdir}/samba/ldb/acl.so
@@ -2149,9 +2145,15 @@ fi
 %license source4/setup/ad-schema/licence.txt
 %{_datadir}/samba/setup
 
+#endif with dc || with testsuite
+%endif
 ### DC-LIBS
 %files dc-libs
+%{_libdir}/samba/libauth4-samba4.so
+
+%if %{with dc} || %{with testsuite}
 %{_libdir}/samba/libdb-glue-samba4.so
+%{_libdir}/samba/libpac-samba4.so
 %{_libdir}/samba/libprocess-model-samba4.so
 %{_libdir}/samba/libservice-samba4.so
 
@@ -2370,7 +2372,6 @@ fi
 %{_libdir}/libdcerpc-samr.so.*
 
 %{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so
-%{_libdir}/samba/libauth4-samba4.so
 %{_libdir}/samba/libauth-unix-token-samba4.so
 %{_libdir}/samba/libdcerpc-samba4.so
 %{_libdir}/samba/libdnsserver-common-samba4.so
@@ -2764,7 +2765,6 @@ fi
 %{_libdir}/libsamba-policy.*.so
 %{_libdir}/pkgconfig/samba-policy.*.pc
 
-%if %{with dc} || %{with testsuite}
 %files -n python3-%{name}-dc
 %{python3_sitearch}/samba/samdb.py
 %{python3_sitearch}/samba/schema.py
@@ -2780,7 +2780,9 @@ fi
 %{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc
 
 %{python3_sitearch}/samba/dcerpc/dnsserver.*.so
+%if %{with dc} || %{with testsuite}
 %{python3_sitearch}/samba/dckeytab.*.so
+%endif
 %{python3_sitearch}/samba/domain_update.py
 %{python3_sitearch}/samba/forest_update.py
 %{python3_sitearch}/samba/ms_forest_updates_markdown.py
@@ -2821,7 +2823,6 @@ fi
 
 %{python3_sitearch}/samba/remove_dc.py
 %{python3_sitearch}/samba/uptodateness.py
-%endif
 
 %files -n python3-%{name}-test
 %dir %{python3_sitearch}/samba/tests
@@ -3102,6 +3103,7 @@ fi
 %{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/etype_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
@@ -3132,6 +3134,7 @@ fi
 %{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py
 %{python3_sitearch}/samba/tests/krb5/as_req_tests.py
 %{python3_sitearch}/samba/tests/krb5/compatability_tests.py
+%{python3_sitearch}/samba/tests/krb5/etype_tests.py
 %{python3_sitearch}/samba/tests/krb5/fast_tests.py
 %{python3_sitearch}/samba/tests/krb5/kcrypto.py
 %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
@@ -4307,6 +4310,48 @@ fi
 %endif
 
 %changelog
+* Thu Mar 09 2023 Guenther Deschner <gdeschner@redhat.com> - 4.17.6-0
+- Update to version 4.17.6
+
+* Thu Feb 23 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-2
+- resolves: #2173619 - Add missing Requires for glibc-gconv-extra
+- SPDX migration
+
+* Tue Feb 14 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.17.5-1
+- resolves: rhbz#2166124 - Create package samba-tools, move there samba-tool binary
+
+* Thu Jan 26 2023 Guenther Deschner <gdeschner@redhat.com> - 4.17.5-0
+- Update to version 4.17.5
+
+* Thu Dec 22 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.17.4-2
+- Always add epoch to samba_depver to fix osci.brew-build.rpmdeplint.functional
+- Create package dc-libs also for 'non-dc build'
+
+* Tue Dec 20 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.17.4-1
+- Fix '--without dc' build: delete libauth4-samba4.so
+
+* Mon Dec 19 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.17.4-1
+- Create a samba-dcerpc sub-package
+- Fix package installation without samba and samba-dc package
+
+* Fri Dec 16 2022 Guenther Deschner <gdeschner@redhat.com> - 4.17.4-0
+- resolves: #2153906 - Update to version 4.17.4
+- resolves: #2154362, #2154363 - Security fixes for CVE-2022-38023
+- resolves: #2154303, #2154304 - Security fixes for CVE-2022-37966
+- resolves: #2154320, #2154322 - Security fixes for CVE-2022-37967
+
+* Tue Nov 15 2022 Guenther Deschner <gdeschner@redhat.com> - 4.17.3-0
+- resolves: #2142959 - Update to version 4.17.3
+- resolves: #2140960, #2143117 - Security fixes for CVE-2022-42898
+
+* Tue Oct 25 2022 Andreas Schneider <asn@redhat.com> - 4.17.2-1
+- Update to version 4.17.2
+- Fix CVE-2022-3592: A malicious client can use a symlink to escape the
+  exported
+
+* Mon Oct 24 2022 Andreas Schneider <asn@redhat.com> - 4.17.1-2
+- Add missing dependency for wbinfo used by ctdb scripts
+
 * Wed Oct 19 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.17.1-1
 - Update to version 4.17.1
 - resolves: rhbz#2127301 - Permission denied calling SMBC_getatr when file not exists

sources

@@ -1,2 +1,2 @@
-SHA512 (samba-4.17.1.tar.xz) = fd1dd3059c484b550cfc694b14b32bb509c4e0b0e209e15b4ddc98ceba4bee8b4d94c5a488a98f75cafaf1d36dde912d738b6f79cba8bf14037c314ad9bfe4b9
-SHA512 (samba-4.17.1.tar.asc) = 921eec6894195d68922ef86c0c9d741cee17f98e7381f4e8ee99a8fe8168f569cb094b73a4e4094070f9b3ea677cf2db670dba55191fe8b417aa85b804f1fe03
+SHA512 (samba-4.17.6.tar.xz) = 5c9341fc27ed9912de8da190f6b3464a46e4ad95b1edc8e1a4556d5da5fd17005873b22a26da9890b1537bf61d70c5e2de0d8243c361c71518959d99bb0790aa
+SHA512 (samba-4.17.6.tar.asc) = f666ebef32865e4d347ea78c2274742c07222f6539a2a8ec5db5c509b115490c2456243beab27c9c9054ad21a2375f15969787f01c2c269db19da3f5316ac166