Remove executable permission bits from ctdb service file

Avoids the following warning message from /var/log/messages:

...
systemd: Configuration file /usr/lib/systemd/system/ctdb.service
is marked executable. Please remove executable permission bits.
Proceeding anyway.
...

Signed-off-by: Anoop C S <anoopcs@redhat.com>

.gitignore

@@ -52,3 +52,15 @@ samba-3.6.0pre1.tar.gz
 /samba-4.2.3.tar.xz
 /samba-4.3.0rc3.tar.xz
 /samba-4.3.0rc4.tar.xz
+/samba-4.3.0.tar.xz
+/samba-4.3.1.tar.xz
+/samba-4.3.2.tar.xz
+/samba-4.3.3.tar.xz
+/samba-4.3.4.tar.xz
+/samba-4.3.5.tar.xz
+/samba-4.3.6.tar.xz
+/samba-4.3.8.tar.xz
+/samba-4.3.9.tar.xz
+/samba-4.3.10.tar.xz
+/samba-4.3.11.tar.xz
+/samba-4.3.12.tar.xz

samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch

@@ -0,0 +1,60 @@
+From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 12 Apr 2016 09:36:12 +0300
+Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
+ domains DCs
+
+  Allow cm_connect_netlogon() to talk to trusted domains' DCs when
+  running in a domain member configuration.
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/winbindd/winbindd_cm.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 63175e5..1ef3d17 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+  anonymous:
+ 
+ 	/* Finally fall back to anonymous. */
+-	if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++	if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++	    (IS_DC || domain->primary)) {
+ 		status = NT_STATUS_DOWNGRADE_DETECTED;
+-		DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
++		DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ 			  "without connection level security, "
+ 			  "must set 'winbind sealed pipes = false' and "
+ 			  "'require strong key = false' to proceed: %s\n",
+@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ 
+  anonymous:
+ 
+-	if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++	if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++	    (IS_DC || domain->primary)) {
+ 		result = NT_STATUS_DOWNGRADE_DETECTED;
+-		DEBUG(1, ("Unwilling to make LSA connection to domain %s"
++		DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ 			  "without connection level security, "
+ 			  "must set 'winbind sealed pipes = false' and "
+ 			  "'require strong key = false' to proceed: %s\n",
+@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ 
+  no_schannel:
+ 	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+-		if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
++		if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
++		    (IS_DC || domain->primary)) {
+ 			result = NT_STATUS_DOWNGRADE_DETECTED;
+-			DEBUG(1, ("Unwilling to make connection to domain %s"
++			DEBUG(1, ("Unwilling to make connection to domain %s "
+ 				  "without connection level security, "
+ 				  "must set 'winbind sealed pipes = false' and "
+ 				  "'require strong key = false' to proceed: %s\n",
+-- 
+2.5.5
+

samba-4.3.12-vfs_gluster_realpath.patch

@@ -0,0 +1,49 @@
+From 730c0a2fab4b0c494122f29355068cc2bbf0f672 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Fri, 21 Oct 2016 00:15:06 +0200
+Subject: [PATCH] vfs:glusterfs: preallocate result for glfs_realpath
+
+https://bugzilla.samba.org/show_bug.cgi?id=12404
+
+This makes us independent of the allocation
+method used inside glfs_realpath.
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Ira Cooper <ira@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Sat Oct 22 00:28:41 CEST 2016 on sn-devel-144
+
+(cherry picked from commit 92a0a56c3852726e0812d260e043957c879aefa4)
+---
+ source3/modules/vfs_glusterfs.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
+index 732ca51..fc40a90 100644
+--- a/source3/modules/vfs_glusterfs.c
++++ b/source3/modules/vfs_glusterfs.c
+@@ -1036,7 +1036,20 @@ static int vfs_gluster_fallocate(struct vfs_handle_struct *handle,
+ static char *vfs_gluster_realpath(struct vfs_handle_struct *handle,
+ 				  const char *path)
+ {
+-	return glfs_realpath(handle->data, path, 0);
++	char *result = NULL;
++	char *resolved_path = SMB_MALLOC_ARRAY(char, PATH_MAX+1);
++
++	if (resolved_path == NULL) {
++		errno = ENOMEM;
++		return NULL;
++	}
++
++	result = glfs_realpath(handle->data, path, resolved_path);
++	if (result == NULL) {
++		SAFE_FREE(resolved_path);
++	}
++
++	return result;
+ }
+ 
+ static bool vfs_gluster_lock(struct vfs_handle_struct *handle,
+-- 
+2.7.4

samba.spec

@@ -6,15 +6,15 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 1
+%define main_release 2
 
-%define samba_version 4.3.0
+%define samba_version 4.3.12
 %define talloc_version 2.1.3
 %define tdb_version 1.3.7
-%define tevent_version 0.9.25
-%define ldb_version 1.1.21
+%define tevent_version 0.9.28
+%define ldb_version 1.1.24
 # This should be rc1 or nil
-%define pre_release rc4
+%define pre_release %nil
 
 %if "x%{?pre_release}" != "x"
 %define samba_release 0.%{main_release}.%{pre_release}%{?dist}
@@ -107,6 +107,9 @@ Source6: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
 
+Patch0:		samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+Patch1:		samba-4.3.12-vfs_gluster_realpath.patch
+
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 Requires(pre): /usr/sbin/groupadd
@@ -188,14 +191,14 @@ BuildRequires: pytalloc-devel >= %{libtalloc_version}
 %endif
 
 %if ! %with_internal_tevent
-%global libtevent_version 0.9.25
+%global libtevent_version 0.9.28
 
 BuildRequires: libtevent-devel >= %{libtevent_version}
 BuildRequires: python-tevent >= %{libtevent_version}
 %endif
 
 %if ! %with_internal_ldb
-%global libldb_version 1.1.21
+%global libldb_version 1.1.24
 
 BuildRequires: libldb-devel >= %{libldb_version}
 BuildRequires: pyldb-devel >= %{libldb_version}
@@ -238,7 +241,7 @@ Provides: samba4-client = %{samba_depver}
 Obsoletes: samba4-client < %{samba_depver}
 
 %description client
-The samba4-client package provides some SMB/CIFS clients to complement
+The %{name}-client package provides some SMB/CIFS clients to complement
 the built-in SMB/CIFS filesystem in Linux. These clients allow access
 of SMB/CIFS shares and printing to SMB/CIFS printers.
 
@@ -324,7 +327,7 @@ Provides: samba4-dc-libs = %{samba_depver}
 Obsoletes: samba4-dc-libs < %{samba_depver}
 
 %description dc-libs
-The samba4-dc-libs package contains the libraries needed by the DC to
+The %{name}-dc-libs package contains the libraries needed by the DC to
 link against the SMB, RPC and other protocols.
 
 ### DEVEL
@@ -338,7 +341,7 @@ Provides: samba4-devel = %{samba_depver}
 Obsoletes: samba4-devel < %{samba_depver}
 
 %description devel
-The samba4-devel package contains the header files for the libraries
+The %{name}-devel package contains the header files for the libraries
 needed to develop programs that link against the SMB, RPC and other
 libraries in the Samba suite.
 
@@ -373,6 +376,20 @@ Provides: samba-glusterfs
 Samba VFS module for GlusterFS integration.
 %endif
 
+### KRB5-PRINTING
+%package krb5-printing
+Summary: Samba CUPS backend for printing with Kerberos
+Group: Applications/System
+Requires(pre): %{name}-client
+
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+
+%description krb5-printing
+If you need Kerberos for print jobs to a printer connection to cups via the SMB
+backend, then you need to install that package. It will allow cups to access
+the Kerberos credentials cache of the user issuing the print job.
+
 ### LIBS
 %package libs
 Summary: Samba libraries
@@ -387,7 +404,7 @@ Provides: samba4-libs = %{samba_depver}
 Obsoletes: samba4-libs < %{samba_depver}
 
 %description libs
-The samba4-libs package contains the libraries needed by programs that
+The %{name}-libs package contains the libraries needed by programs that
 link against the SMB, RPC and other protocols provided by the Samba suite.
 
 ### LIBSMBCLIENT
@@ -448,7 +465,7 @@ Provides: samba4-python = %{samba_depver}
 Obsoletes: samba4-python < %{samba_depver}
 
 %description python
-The samba4-python package contains the Python libraries needed by programs
+The %{name}-python package contains the Python libraries needed by programs
 that use SMB, RPC and other Samba provided protocols in Python programs.
 
 ### PIDL
@@ -671,11 +688,14 @@ and use CTDB instead.
 %prep
 %setup -q -n samba-%{version}%{pre_release}
 
+%patch0 -p 1 -b .samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+%patch1 -p 1 -b .samba-4.3.12-vfs_gluster_realpath.patch
+
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
 %global _tevent_lib ,tevent,pytevent
 %global _tdb_lib ,tdb,pytdb
-%global _ldb_lib ,ldb,pyldb,!pyldb-util
+%global _ldb_lib ,ldb,pyldb,pyldb-util
 
 %if ! %{with_internal_talloc}
 %global _talloc_lib ,!talloc,!pytalloc,!pytalloc-util
@@ -720,7 +740,8 @@ and use CTDB instead.
         --with-sockets-dir=/run/samba \
         --with-modulesdir=%{_libdir}/samba \
         --with-pammodulesdir=%{_libdir}/security \
-        --with-lockdir=/var/lib/samba \
+        --with-lockdir=/var/lib/samba/lock \
+        --with-statedir=/var/lib/samba \
         --with-cachedir=/var/lib/samba \
         --disable-rpath-install \
         --with-shared-modules=%{_samba4_modules} \
@@ -785,6 +806,11 @@ then
     exit -1
 fi
 
+# Move smbspool_krb5_wrapper
+install -d -m 0755 %{buildroot}%{_libexecdir}/samba
+mv %{buildroot}%{_bindir}/smbspool_krb5_wrapper %{buildroot}%{_libexecdir}/samba
+touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb
+
 # Install other stuff
 install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
 install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/samba
@@ -832,7 +858,7 @@ for i in nmb smb winbind ; do
     install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
 done
 %if %with_clustering_support
-install -m 0755 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
+install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
 %endif
 
 # NetworkManager online/offline script
@@ -875,13 +901,39 @@ if [ -d /var/cache/samba ]; then
     ln -sf /var/cache/samba /var/lib/samba/
 fi
 
-%postun common -p /sbin/ldconfig
+%post client
+%{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \
+    cups_backend_smb \
+    %{_bindir}/smbspool 10
+
+%postun client
+if [ $1 -eq 0 ] ; then
+    %{_sbindir}/update-alternatives --remove cups_backend_smb %{_bindir}/smbspool
+fi
+
+%post client-libs -p /sbin/ldconfig
+
+%postun client-libs -p /sbin/ldconfig
+
+%post common-libs -p /sbin/ldconfig
+
+%postun common-libs -p /sbin/ldconfig
 
 %if %with_dc
 %post dc-libs -p /sbin/ldconfig
 
 %postun dc-libs -p /sbin/ldconfig
-%endif # with_dc
+%endif
+
+%post krb5-printing
+%{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \
+	cups_backend_smb \
+	%{_libexecdir}/samba/smbspool_krb5_wrapper 50
+
+%postun krb5-printing
+if [ $1 -eq 0 ] ; then
+	%{_sbindir}/update-alternatives --remove cups_backend_smb %{_libexecdir}/samba/smbspool_krb5_wrapper
+fi
 
 %post libs -p /sbin/ldconfig
 
@@ -1119,6 +1171,8 @@ rm -rf %{buildroot}
 %{_bindir}/smbta-util
 %{_bindir}/smbtar
 %{_bindir}/smbtree
+%dir %{_libexecdir}/samba
+%ghost %{_libexecdir}/samba/cups_backend_smb
 %{_mandir}/man1/dbwrap_tool.1*
 %{_mandir}/man1/nmblookup.1*
 %{_mandir}/man1/oLschema2ldif.1*
@@ -1240,6 +1294,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libnet-keytab-samba4.so
 %{_libdir}/samba/libnetif-samba4.so
 %{_libdir}/samba/libnpa-tstream-samba4.so
+%{_libdir}/samba/libposix-eadb-samba4.so
 %{_libdir}/samba/libprinting-migrate-samba4.so
 %{_libdir}/samba/libreplace-samba4.so
 %{_libdir}/samba/libsamba-cluster-support-samba4.so
@@ -1319,6 +1374,10 @@ rm -rf %{buildroot}
 %config(noreplace) %{_sysconfdir}/samba/smb.conf
 %config(noreplace) %{_sysconfdir}/samba/lmhosts
 %config(noreplace) %{_sysconfdir}/sysconfig/samba
+%{_mandir}/man5/lmhosts.5*
+%{_mandir}/man5/smb.conf.5*
+%{_mandir}/man5/smbpasswd.5*
+%{_mandir}/man7/samba.7*
 
 ### COMMON-libs
 %files common-libs
@@ -1347,10 +1406,6 @@ rm -rf %{buildroot}
 %{_mandir}/man1/profiles.1*
 %{_mandir}/man1/smbcontrol.1*
 %{_mandir}/man1/testparm.1*
-%{_mandir}/man5/lmhosts.5*
-%{_mandir}/man5/smb.conf.5*
-%{_mandir}/man5/smbpasswd.5*
-%{_mandir}/man7/samba.7*
 %{_mandir}/man8/net.8*
 %{_mandir}/man8/pdbedit.8*
 %{_mandir}/man8/smbpasswd.8*
@@ -1461,7 +1516,6 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libdnsserver-common-samba4.so
 %{_libdir}/samba/libdsdb-module-samba4.so
 %{_libdir}/samba/libntvfs-samba4.so
-%{_libdir}/samba/libposix-eadb-samba4.so
 %{_libdir}/samba/bind9/dlz_bind9_9.so
 %else
 %doc packaging/README.dc-libs
@@ -1658,6 +1712,12 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_glusterfs.8*
 %endif
 
+### KRB5-PRINTING
+%files krb5-printing
+%defattr(-,root,root)
+%attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper
+%{_mandir}/man8/smbspool_krb5_wrapper.8*
+
 ### LIBS
 %files libs
 %defattr(-,root,root)
@@ -1977,6 +2037,90 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
+* Mon Dec 05 2016 Rex Dieter <rdieter@fedoraproject.org> - -
+- rebuild (libldb)
+
+* Fri Nov 04 2016 Anoop C S <anoopcs@redhat.com> - 4.3.12-1
+- Fix glfs_realpath allocation in vfs_glusterfs
+
+* Thu Nov 03 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.12-0
+- Update to Samba 4.3.12
+
+* Wed Sep 14 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.11-2
+- Fix smbspool alternatives handling during samba-client uninstall
+
+* Thu Jul 07 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.11-1
+- Update to Samba 4.3.11
+- resolves: #1353504 - CVE-2016-2119
+
+* Wed Jun 22 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.10-1
+- resolves: #1348899 - Import of samba.ntacls fails
+
+* Thu Jun 16 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.10-0
+- Update to Samba 4.3.10
+
+* Mon May 02 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.9-0
+- Update to Samba 4.3.9
+
+* Tue Apr 12 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.8-0
+- Update to Samba 4.3.8, fix badlock security bug
+- resolves: #1326453 - CVE-2015-5370
+- resolves: #1326453 - CVE-2016-2110
+- resolves: #1326453 - CVE-2016-2111
+- resolves: #1326453 - CVE-2016-2112
+- resolves: #1326453 - CVE-2016-2113
+- resolves: #1326453 - CVE-2016-2114
+- resolves: #1326453 - CVE-2016-2115
+- resolves: #1326453 - CVE-2016-2118
+
+* Tue Mar 08 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.6-0
+- Update to Samba 4.3.6
+- resolves: #1315942 - CVE-2015-7560 Incorrect ACL get/set allowed on symlink path
+
+* Tue Feb 23 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.5-0
+- resolves: #1261230 - Update to Samba 4.3.5
+
+* Fri Jan 22 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.3.4-1
+- resolves: #1300038 - PANIC: Bad talloc magic value - wrong talloc version used/mixed
+
+* Tue Jan 12 2016 Guenther Deschner <gdeschner@redhat.com> - 4.3.4-0
+- resolves: #1261230 - Update to Samba 4.3.4
+
+* Wed Dec 16 2015 Guenther Deschner <gdeschner@redhat.com> - 4.3.3-0
+- Update to Samba 4.3.3
+- resolves: #1292069
+- CVE-2015-3223 Remote DoS in Samba (AD) LDAP server
+- CVE-2015-5252 Insufficient symlink verification in smbd
+- CVE-2015-5296 Samba client requesting encryption vulnerable to
+                downgrade attack
+- CVE-2015-5299 Missing access control check in shadow copy code
+- CVE-2015-7540 DoS to AD-DC due to insufficient checking of asn1
+                memory allocation
+
+* Tue Dec 15 2015 Guenther Deschner <gdeschner@redhat.com> - 4.3.2-2
+- revert dependencies to samba-common and -tools
+
+* Tue Dec 01 2015 Guenther Deschner <gdeschner@redhat.com> - 4.3.2-1
+- resolves: #1261230 - Update to Samba 4.3.2
+
+* Wed Nov 18 2015 Guenther Deschner <gdeschner@redhat.com> - 4.3.1-3
+- resolves: #1282931 - Fix DCE/RPC bind nak parsing
+
+* Fri Oct 23 2015 Guenther Deschner <gdeschner@redhat.com> - 4.3.1-2
+- Fix dependencies to samba-common
+
+* Tue Oct 20 2015 Guenther Deschner <gdeschner@redhat.com> - 4.3.1-1
+- resolves: #1261230 - Update to Samba 4.3.1
+
+* Mon Oct 12 2015 Guenther Deschner <gdeschner@redhat.com> - 4.3.0-3
+- Use separate lockdir
+
+* Mon Oct 12 2015 Guenther Deschner <gdeschner@redhat.com> - 4.3.0-2
+- resolves: #1270568 - Samba fails to start after update to 4.3.0
+
+* Tue Sep 08 2015 Guenther Deschner <gdeschner@redhat.com> - 4.3.0-1
+- resolves: #1088911 - Update to Samba 4.3.0
+
 * Tue Sep 01 2015 Andreas Schneider <asn@redhat.com> - 4.3.0-0.1rc4
 - Update to Samba 4.3.0rc4
 

sources

@@ -1 +1 @@
-7bdd10317a78c82d612e3ad4692301c9  samba-4.3.0rc4.tar.xz
+4b84415bea4b8a0d2085e51d1f9cc4c6  samba-4.3.12.tar.xz