Update to version 4.16.9

Guenther
Create package dc-libs also for 'non-dc' build
2023-02-16 23:00:07 +01:00 · 2022-12-22 18:23:09 +01:00 · 2022-12-22 18:21:36 +01:00 · 2022-12-22 18:17:32 +01:00 · 2022-12-22 18:17:28 +01:00 · 2022-12-20 17:52:41 +01:00
12 changed files with 2009 additions and 260 deletions
--- a/.gitignore
+++ b/.gitignore
@ -211,3 +211,99 @@ samba-3.6.0pre1.tar.gz
 /samba-4.12.5.tar.asc
 /samba-4.13.0rc1.tar.xz
 /samba-4.13.0rc1.tar.asc
+/samba-4.13.0rc2.tar.xz
+/samba-4.13.0rc2.tar.asc
+/samba-4.13.0rc3.tar.xz
+/samba-4.13.0rc3.tar.asc
+/samba-4.13.0rc4.tar.xz
+/samba-4.13.0rc4.tar.asc
+/samba-4.13.0rc5.tar.xz
+/samba-4.13.0rc5.tar.asc
+/samba-4.13.0rc6.tar.xz
+/samba-4.13.0rc6.tar.asc
+/samba-4.13.0.tar.xz
+/samba-4.13.0.tar.asc
+/samba-4.13.1.tar.xz
+/samba-4.13.1.tar.asc
+/samba-4.13.2.tar.xz
+/samba-4.13.2.tar.asc
+/samba-4.13.3.tar.xz
+/samba-4.13.3.tar.asc
+/samba-4.13.4.tar.xz
+/samba-4.13.4.tar.asc
+/samba-4.14.0rc1.tar.xz
+/samba-4.14.0rc1.tar.asc
+/samba-4.14.0rc2.tar.xz
+/samba-4.14.0rc2.tar.asc
+/samba-4.14.0rc3.tar.xz
+/samba-4.14.0rc3.tar.asc
+/samba-4.14.0rc4.tar.xz
+/samba-4.14.0rc4.tar.asc
+/samba-4.14.0.tar.xz
+/samba-4.14.0.tar.asc
+/samba-4.14.1.tar.xz
+/samba-4.14.1.tar.asc
+/samba-4.14.2.tar.xz
+/samba-4.14.2.tar.asc
+/samba-4.14.3.tar.xz
+/samba-4.14.3.tar.asc
+/samba-4.14.4.tar.xz
+/samba-4.14.4.tar.asc
+/samba-4.14.5.tar.xz
+/samba-4.14.5.tar.asc
+/samba-4.14.6.tar.xz
+/samba-4.14.6.tar.asc
+/samba-4.15.0rc1.tar.xz
+/samba-4.15.0rc1.tar.asc
+/samba-4.15.0rc2.tar.xz
+/samba-4.15.0rc2.tar.asc
+/samba-4.15.0rc3.tar.xz
+/samba-4.15.0rc3.tar.asc
+/samba-4.15.0rc4.tar.xz
+/samba-4.15.0rc4.tar.asc
+/samba-4.15.0rc5.tar.xz
+/samba-4.15.0rc5.tar.asc
+/samba-4.15.0rc6.tar.xz
+/samba-4.15.0rc6.tar.asc
+/samba-4.15.0rc7.tar.xz
+/samba-4.15.0rc7.tar.asc
+/samba-4.15.0.tar.xz
+/samba-4.15.0.tar.asc
+/samba-4.15.1.tar.xz
+/samba-4.15.1.tar.asc
+/samba-4.15.2.tar.xz
+/samba-4.15.2.tar.asc
+/samba-4.15.3.tar.xz
+/samba-4.15.3.tar.asc
+/samba-4.15.4.tar.xz
+/samba-4.15.4.tar.asc
+/samba-4.16.0rc1.tar.xz
+/samba-4.16.0rc1.tar.asc
+/samba-4.16.0rc2.tar.xz
+/samba-4.16.0rc2.tar.asc
+/samba-4.16.0rc3.tar.xz
+/samba-4.16.0rc3.tar.asc
+/samba-4.16.0rc4.tar.xz
+/samba-4.16.0rc4.tar.asc
+/samba-4.16.0rc5.tar.xz
+/samba-4.16.0rc5.tar.asc
+/samba-4.16.0.tar.xz
+/samba-4.16.0.tar.asc
+/samba-4.16.1.tar.xz
+/samba-4.16.1.tar.asc
+/samba-4.16.2.tar.xz
+/samba-4.16.2.tar.asc
+/samba-4.16.3.tar.xz
+/samba-4.16.3.tar.asc
+/samba-4.16.4.tar.xz
+/samba-4.16.4.tar.asc
+/samba-4.16.5.tar.xz
+/samba-4.16.5.tar.asc
+/samba-4.16.6.tar.xz
+/samba-4.16.6.tar.asc
+/samba-4.16.7.tar.xz
+/samba-4.16.7.tar.asc
+/samba-4.16.8.tar.xz
+/samba-4.16.8.tar.asc
+/samba-4.16.9.tar.xz
+/samba-4.16.9.tar.asc
--- a/filter-requires-samba.sh
+++ b/filter-requires-samba.sh
@ -1,3 +0,0 @@
-#!/bin/sh
-
-/usr/lib/rpm/perl.req $* | grep -E -v '(Net::LDAP|Crypt::SmbHash|CGI|Unicode::MapUTF8|smbldap_tools|Carp|Convert::ASN1|Getopt::Long|Getopt::Std|IO::Socket|POSIX|Time::Local|strict)'
--- a/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+++ b/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -0,0 +1,20 @@
+---
+badfuncs:
+    ignore:
+        - /usr/bin/nmblookup
+        - /usr/bin/smbtorture
+        - /usr/lib*/libndr.so.*
+        - /usr/lib*/libsmbconf.so.*
+        - /usr/lib*/samba/libgse-samba4.so
+        - /usr/lib*/samba/libsamba-sockets-samba4.so
+        - /usr/lib*/samba/service/nbtd.so
+        - /usr/libexec/ctdb/smnotify
+        - /usr/sbin/nmbd
+
+runpath:
+    allowed_paths:
+        - /usr/lib/samba
+        - /usr/lib64/samba
+
+abidiff:
+    suppression_file: samba.abignore
--- a/samba-4.16-waf-crypto.patch
+++ b/samba-4.16-waf-crypto.patch
@ -0,0 +1,77 @@
+From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Apr 2022 11:24:04 +0200
+Subject: [PATCH 1/2] waf: Check for GnuTLS earlier
+
+As GnuTLS is an essential part we need to check for it early so we can react on
+GnuTLS features in other wscripts.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ wscript | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wscript b/wscript
+index d8220b35095..5b85d9a1682 100644
+--- a/wscript
+++ b/wscript
+@@ -189,6 +189,8 @@ def configure(conf):
+     conf.RECURSE('dynconfig')
+     conf.RECURSE('selftest')
+ 
+    conf.PROCESS_SEPARATE_RULE('system_gnutls')
+
+     conf.CHECK_CFG(package='zlib', minversion='1.2.3',
+                    args='--cflags --libs',
+                    mandatory=True)
+@@ -297,8 +299,6 @@ def configure(conf):
+     if not conf.CONFIG_GET('KRB5_VENDOR'):
+         conf.PROCESS_SEPARATE_RULE('embedded_heimdal')
+ 
+-    conf.PROCESS_SEPARATE_RULE('system_gnutls')
+-
+     conf.RECURSE('source4/dsdb/samdb/ldb_modules')
+     conf.RECURSE('source4/ntvfs/sysdep')
+     conf.RECURSE('lib/util')
+-- 
+2.35.1
+
+
+From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Apr 2022 11:25:31 +0200
+Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS
+ provides the cipher
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ third_party/wscript | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/third_party/wscript b/third_party/wscript
+index 1f4bc1ce1d7..a17c15bcaa7 100644
+--- a/third_party/wscript
+++ b/third_party/wscript
+@@ -5,7 +5,8 @@ from waflib import Options
+ def configure(conf):
+     conf.RECURSE('cmocka')
+     conf.RECURSE('popt')
+-    conf.RECURSE('aesni-intel')
+    if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
+        conf.RECURSE('aesni-intel')
+     if conf.CONFIG_GET('ENABLE_SELFTEST'):
+         conf.RECURSE('socket_wrapper')
+         conf.RECURSE('nss_wrapper')
+@@ -18,7 +19,8 @@ def configure(conf):
+ def build(bld):
+     bld.RECURSE('cmocka')
+     bld.RECURSE('popt')
+-    bld.RECURSE('aesni-intel')
+    if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'):
+        bld.RECURSE('aesni-intel')
+     if bld.CONFIG_GET('SOCKET_WRAPPER'):
+         bld.RECURSE('socket_wrapper')
+     if bld.CONFIG_GET('NSS_WRAPPER'):
+-- 
+2.35.1
+
--- a/samba-pubkey_AA99442FB680B620.gpg
+++ b/samba-pubkey_AA99442FB680B620.gpg
--- a/samba-s4u.patch
+++ b/samba-s4u.patch
@ -0,0 +1,642 @@
+From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 27 Sep 2019 18:25:03 +0300
+Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
+
+Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+---
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
+ source4/kdc/mit_samba.c                  |  47 ++-------
+ source4/kdc/mit_samba.h                  |   6 +-
+ 3 files changed, 71 insertions(+), 106 deletions(-)
+
+diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
+index 793fe366c35..22534c09974 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
+@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
+ 				     krb5_keyblock *krbtgt_key,
+ 				     krb5_timestamp authtime,
+ 				     krb5_authdata **tgt_auth_data,
+-				     krb5_pac *pac)
+				     krb5_pac *out_pac)
+ {
+ 	struct mit_samba_context *mit_ctx;
+ 	krb5_authdata **authdata = NULL;
+-	krb5_pac ipac = NULL;
+-	DATA_BLOB logon_data = { NULL, 0 };
+	krb5_keyblock *header_server_key = NULL;
+	krb5_key_data *impersonator_kd = NULL;
+	krb5_keyblock impersonator_key = {0};
+ 	krb5_error_code code;
+	krb5_pac pac;
+
+	*out_pac = NULL;
+ 
+ 	mit_ctx = ks_get_context(context);
+ 	if (mit_ctx == NULL) {
+@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
+ 	code = krb5_pac_parse(context,
+ 			      authdata[0]->contents,
+ 			      authdata[0]->length,
+-			      &ipac);
+			      &pac);
+ 	if (code != 0) {
+ 		goto done;
+ 	}
+ 
+-	/* TODO: verify this is correct
+-	 *
+-	 * In the constrained delegation case, the PAC is from a service
+-	 * ticket rather than a TGT; we must verify the server and KDC
+-	 * signatures to assert that the server did not forge the PAC.
+	/*
+	 * For constrained delegation in MIT version < 1.18 we aren't provided
+	 * with the 2nd ticket server key to verify the PAC.
+	 * We can workaround that by fetching the key from the client db entry,
+	 * which is the impersonator account in that version.
+	 * TODO: use the provided entry in the new 1.18 version.
+ 	 */
+ 	if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+-		code = krb5_pac_verify(context,
+-				       ipac,
+-				       authtime,
+-				       client_princ,
+-				       server_key,
+-				       krbtgt_key);
+		/* The impersonator must be local. */
+		if (client == NULL) {
+			code = KRB5KDC_ERR_BADOPTION;
+			goto done;
+		}
+		/* Fetch and decrypt 2nd ticket server's current key. */
+		code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
+					     &impersonator_kd);
+		if (code != 0) {
+			goto done;
+		}
+		code = krb5_dbe_decrypt_key_data(context, NULL,
+						 impersonator_kd,
+						 &impersonator_key, NULL);
+		if (code != 0) {
+			goto done;
+		}
+		header_server_key = &impersonator_key;
+ 	} else {
+-		code = krb5_pac_verify(context,
+-				       ipac,
+-				       authtime,
+-				       client_princ,
+-				       krbtgt_key,
+-				       NULL);
+-	}
+-	if (code != 0) {
+-		goto done;
+		header_server_key = krbtgt_key;
+ 	}
+ 
+-	/* check and update PAC */
+-	code = krb5_pac_parse(context,
+-			      authdata[0]->contents,
+-			      authdata[0]->length,
+-			      pac);
+	code = krb5_pac_verify(context, pac, authtime, client_princ,
+			       header_server_key, NULL);
+ 	if (code != 0) {
+ 		goto done;
+ 	}
+@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
+ 	code = mit_samba_reget_pac(mit_ctx,
+ 				   context,
+ 				   flags,
+-				   client_princ,
+ 				   client,
+ 				   server,
+ 				   krbtgt,
+ 				   krbtgt_key,
+-				   pac);
+				   &pac);
+	if (code != 0) {
+		goto done;
+	}
+
+	*out_pac = pac;
+	pac = NULL;
+ 
+ done:
+	krb5_free_keyblock_contents(context, &impersonator_key);
+ 	krb5_free_authdata(context, authdata);
+-	krb5_pac_free(context, ipac);
+-	free(logon_data.data);
+	krb5_pac_free(context, pac);
+ 
+ 	return code;
+ }
+@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 	krb5_authdata **pac_auth_data = NULL;
+ 	krb5_authdata **authdata = NULL;
+ 	krb5_boolean is_as_req;
+	krb5_const_principal pac_client;
+ 	krb5_error_code code;
+ 	krb5_pac pac = NULL;
+ 	krb5_data pac_data;
+@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
+ 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+ 
+-	/* FIXME: We don't support S4U yet */
+-	if (flags & KRB5_KDB_FLAGS_S4U) {
+-		return KRB5_KDB_DBTYPE_NOSUP;
+-	}
+-
+ 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+ 
+ 	/*
+@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 		ks_client_princ = client->princ;
+ 	}
+ 
+	/* In protocol transition, we are currently not provided with the tgt
+	 * client name to verify the PAC, we could probably skip the name
+	 * verification and just verify the signatures, but since we don't
+	 * support cross-realm nor aliases, we can just use server->princ */
+	if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+		pac_client = server->princ;
+	} else {
+		pac_client = ks_client_princ;
+	}
+
+ 	if (client_entry == NULL) {
+ 		client_entry = client;
+ 	}
+@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 
+ 			code = ks_verify_pac(context,
+ 					     flags,
+-					     ks_client_princ,
+					     pac_client,
+ 					     client_entry,
+ 					     server,
+ 					     krbtgt,
+@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 		  is_as_req ? "AS-REQ" : "TGS-REQ",
+ 		  client_name);
+ 	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+-			server_key, krbtgt_key, &pac_data);
+			     server_key, krbtgt_key, &pac_data);
+ 	if (code != 0) {
+ 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
+ 		goto done;
+@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 					      KRB5_AUTHDATA_IF_RELEVANT,
+ 					      authdata,
+ 					      signed_auth_data);
+-	if (code != 0) {
+-		goto done;
+-	}
+-
+-	code = 0;
+-
+ done:
+ 	if (client_entry != NULL && client_entry != client) {
+ 		ks_free_principal(context, client_entry);
+@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
+ 	 * server; -> delegating service
+ 	 * proxy; -> target principal
+ 	 */
+-	krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
+-
+-	char *target_name = NULL;
+-	bool is_enterprise;
+-	krb5_error_code code;
+ 
+ 	mit_ctx = ks_get_context(context);
+ 	if (mit_ctx == NULL) {
+ 		return KRB5_KDB_DBNOTINITED;
+ 	}
+ 
+-	code = krb5_unparse_name(context, proxy, &target_name);
+-	if (code) {
+-		goto done;
+-	}
+-
+-	is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
+-
+-	code = mit_samba_check_s4u2proxy(mit_ctx,
+-					 delegating_service,
+-					 target_name,
+-					 is_enterprise);
+-
+-done:
+-	free(target_name);
+-	return code;
+	return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
+ }
+ 
+ 
+diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
+index cb72b5de294..03c2c2ea1de 100644
+--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
+@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
+ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
+ 				    krb5_context context,
+ 				    int flags,
+-				    krb5_const_principal client_principal,
+ 				    krb5_db_entry *client,
+ 				    krb5_db_entry *server,
+ 				    krb5_db_entry *krbtgt,
+@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
+ 								  context,
+ 								  *pac,
+ 								  server->princ,
+-								  discard_const(client_principal),
+								  client->princ,
+ 								  deleg_blob);
+ 		if (!NT_STATUS_IS_OK(nt_status)) {
+ 			DEBUG(0, ("Update delegation info failed: %s\n",
+@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
+ }
+ 
+ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
+-			      krb5_db_entry *kentry,
+-			      const char *target_name,
+-			      bool is_nt_enterprise_name)
+			      const krb5_db_entry *server,
+			      krb5_const_principal target_principal)
+ {
+-#if 1
+-	/*
+-	 * This is disabled because mit_samba_update_pac_data() does not handle
+-	 * S4U_DELEGATION_INFO
+-	 */
+-
+-	return KRB5KDC_ERR_BADOPTION;
+-#else
+-	krb5_principal target_principal;
+-	int flags = 0;
+-	int ret;
+-
+-	if (is_nt_enterprise_name) {
+-		flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+-	}
+-
+-	ret = krb5_parse_name_flags(ctx->context, target_name,
+-				    flags, &target_principal);
+-	if (ret) {
+-		return ret;
+-	}
+-
+-	ret = samba_kdc_check_s4u2proxy(ctx->context,
+-					ctx->db_ctx,
+-					skdc_entry,
+-					target_principal);
+-
+-	krb5_free_principal(ctx->context, target_principal);
+-
+-	return ret;
+-#endif
+	struct samba_kdc_entry *server_skdc_entry =
+		 talloc_get_type_abort(server->e_data,
+				       struct samba_kdc_entry);
+
+	return samba_kdc_check_s4u2proxy(ctx->context,
+					 ctx->db_ctx,
+					 server_skdc_entry,
+					 target_principal);
+ }
+ 
+ static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
+diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
+index 4431e82a1b2..9370ab533af 100644
+--- a/source4/kdc/mit_samba.h
+++ b/source4/kdc/mit_samba.h
+@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
+ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
+ 				    krb5_context context,
+ 				    int flags,
+-				    krb5_const_principal client_principal,
+ 				    krb5_db_entry *client,
+ 				    krb5_db_entry *server,
+ 				    krb5_db_entry *krbtgt,
+@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
+ 				  DATA_BLOB *e_data);
+ 
+ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
+-			      krb5_db_entry *kentry,
+-			      const char *target_name,
+-			      bool is_nt_enterprise_name);
+			      const krb5_db_entry *server,
+			      krb5_const_principal target_principal);
+ 
+ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
+ 				      char *pwd,
+-- 
+2.37.1
+
+
+From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 27 Sep 2019 18:35:30 +0300
+Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
+
+Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+---
+ lib/krb5_wrap/krb5_samba.c            | 185 ++++++++++++++++++++++++++
+ lib/krb5_wrap/krb5_samba.h            |   2 -
+ source4/auth/kerberos/kerberos_util.c |  11 --
+ 3 files changed, 185 insertions(+), 13 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 4321f07ca09..3fd95e47fca 100644
+--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ 
+ 	return 0;
+ }
+
+#else /* MIT */
+
+static bool princ_compare_no_dollar(krb5_context ctx,
+				    krb5_principal a,
+				    krb5_principal b)
+{
+	bool cmp;
+	krb5_principal mod = NULL;
+
+	if (a->length == 1 && b->length == 1 &&
+	    a->data[0].length != 0 && b->data[0].length != 0 &&
+	    a->data[0].data[a->data[0].length -1] !=
+	    b->data[0].data[b->data[0].length -1]) {
+		if (a->data[0].data[a->data[0].length -1] == '$') {
+			mod = a;
+			mod->data[0].length--;
+		} else if (b->data[0].data[b->data[0].length -1] == '$') {
+			mod = b;
+			mod->data[0].length--;
+		}
+	}
+
+	cmp = krb5_principal_compare_flags(ctx, a, b,
+					   KRB5_PRINCIPAL_COMPARE_CASEFOLD);
+
+	if (mod != NULL) {
+		mod->data[0].length++;
+	}
+
+	return cmp;
+}
+
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+					   krb5_ccache store_cc,
+					   krb5_principal init_principal,
+					   const char *init_password,
+					   krb5_principal impersonate_principal,
+					   const char *self_service,
+					   const char *target_service,
+					   krb5_get_init_creds_opt *krb_options,
+					   time_t *expire_time,
+					   time_t *kdc_time)
+{
+	krb5_error_code code;
+	krb5_principal self_princ = NULL;
+	krb5_principal target_princ = NULL;
+	krb5_creds *store_creds;
+	krb5_creds *s4u2self_creds = NULL;
+	krb5_creds *s4u2proxy_creds = NULL;
+	krb5_creds init_creds = {0};
+	krb5_creds mcreds = {0};
+	krb5_flags options = KRB5_GC_NO_STORE;
+	krb5_ccache tmp_cc;
+	bool s4u2proxy;
+
+	code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
+	if (code != 0) {
+		return code;
+	}
+
+	code = krb5_get_init_creds_password(ctx, &init_creds,
+					    init_principal,
+					    init_password,
+					    NULL, NULL,
+					    0,
+					    NULL,
+					    krb_options);
+	if (code != 0) {
+		goto done;
+	}
+
+	code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
+	if (code != 0) {
+		goto done;
+	}
+
+	code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
+	if (code != 0) {
+		goto done;
+	}
+
+	/*
+	 * Check if we also need S4U2Proxy or if S4U2Self is
+	 * enough in order to get a ticket for the target.
+	 */
+	if (target_service == NULL) {
+		s4u2proxy = false;
+	} else if (strcmp(target_service, self_service) == 0) {
+		s4u2proxy = false;
+	} else {
+		s4u2proxy = true;
+	}
+
+	code = krb5_parse_name(ctx, self_service, &self_princ);
+	if (code != 0) {
+		goto done;
+	}
+
+	/* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
+	 * client and the request server to be the same principal name. */
+	if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
+		code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+		goto done;
+	}
+
+	mcreds.client = impersonate_principal;
+	mcreds.server = init_creds.client;
+
+	code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
+					     NULL, &s4u2self_creds);
+	if (code != 0) {
+		goto done;
+	}
+
+	if (s4u2proxy) {
+		code = krb5_parse_name(ctx, target_service, &target_princ);
+		if (code != 0) {
+			goto done;
+		}
+
+		mcreds.client = init_creds.client;
+		mcreds.server = target_princ;
+		mcreds.second_ticket = s4u2self_creds->ticket;
+
+		code = krb5_get_credentials(ctx, options |
+					    KRB5_GC_CONSTRAINED_DELEGATION,
+					    tmp_cc, &mcreds, &s4u2proxy_creds);
+		if (code != 0) {
+			goto done;
+		}
+
+		/* Check KDC support of S4U2Proxy extension */
+		if (!krb5_principal_compare(ctx, s4u2self_creds->client,
+					    s4u2proxy_creds->client)) {
+			code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+			goto done;
+		}
+
+		store_creds = s4u2proxy_creds;
+	} else {
+		store_creds = s4u2self_creds;;
+
+		/* We need to save the ticket with the requested server name
+		 * or the caller won't be able to find it in cache. */
+		if (!krb5_principal_compare(ctx, self_princ,
+			store_creds->server)) {
+			krb5_free_principal(ctx, store_creds->server);
+			store_creds->server = NULL;
+			code = krb5_copy_principal(ctx, self_princ,
+						   &store_creds->server);
+			if (code != 0) {
+				goto done;
+			}
+		}
+	}
+
+	code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
+	if (code != 0) {
+		goto done;
+	}
+
+	code = krb5_cc_store_cred(ctx, store_cc, store_creds);
+	if (code != 0) {
+		goto done;
+	}
+
+	if (expire_time) {
+		*expire_time = (time_t) store_creds->times.endtime;
+	}
+
+	if (kdc_time) {
+		*kdc_time = (time_t) store_creds->times.starttime;
+	}
+
+done:
+	krb5_cc_destroy(ctx, tmp_cc);
+	krb5_free_cred_contents(ctx, &init_creds);
+	krb5_free_creds(ctx, s4u2self_creds);
+	krb5_free_creds(ctx, s4u2proxy_creds);
+	krb5_free_principal(ctx, self_princ);
+	krb5_free_principal(ctx, target_princ);
+
+	return code;
+}
+ #endif
+ 
+ #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
+diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
+index a66b7465530..c8573f52bd9 100644
+--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
+@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
+ 					       krb5_get_init_creds_opt *krb_options,
+ 					       time_t *expire_time,
+ 					       time_t *kdc_time);
+-#ifdef SAMBA4_USES_HEIMDAL
+ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ 					   krb5_ccache store_cc,
+ 					   krb5_principal init_principal,
+@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ 					   krb5_get_init_creds_opt *krb_options,
+ 					   time_t *expire_time,
+ 					   time_t *kdc_time);
+-#endif
+ 
+ #if defined(HAVE_KRB5_MAKE_PRINCIPAL)
+ #define smb_krb5_make_principal krb5_make_principal
+diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
+index 544d9d853cc..c14d8c72d8c 100644
+--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
+@@ -234,9 +234,7 @@ done:
+ {
+ 	krb5_error_code ret;
+ 	const char *password;
+-#ifdef SAMBA4_USES_HEIMDAL
+ 	const char *self_service;
+-#endif
+ 	const char *target_service;
+ 	time_t kdc_time = 0;
+ 	krb5_principal princ;
+@@ -268,9 +266,7 @@ done:
+ 		return ret;
+ 	}
+ 
+-#ifdef SAMBA4_USES_HEIMDAL
+ 	self_service = cli_credentials_get_self_service(credentials);
+-#endif
+ 	target_service = cli_credentials_get_target_service(credentials);
+ 
+ 	password = cli_credentials_get_password(credentials);
+@@ -331,7 +327,6 @@ done:
+ #endif
+ 		if (password) {
+ 			if (impersonate_principal) {
+-#ifdef SAMBA4_USES_HEIMDAL
+ 				ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
+ 								 ccache,
+ 								 princ,
+@@ -342,12 +337,6 @@ done:
+ 								 krb_options,
+ 								 NULL,
+ 								 &kdc_time);
+-#else
+-				talloc_free(mem_ctx);
+-				(*error_string) = "INTERNAL error: s4u2 ops "
+-					"are not supported with MIT build yet";
+-				return EINVAL;
+-#endif
+ 			} else {
+ 				ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
+ 								     ccache,
+-- 
+2.37.1
+
+
+From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 19 Sep 2020 14:16:20 +0200
+Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
+
+---
+ source4/kdc/mit_samba.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
+index 03c2c2ea1de..30fade56531 100644
+--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
+@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
+ 	if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
+ 		sflags |= SDB_F_CANON;
+ 	}
+#if KRB5_KDB_API_VERSION >= 10
+	sflags |= SDB_F_FORCE_CANON;
+#endif
+ 	if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
+ 		      KRB5_KDB_FLAG_INCLUDE_PAC)) {
+ 		/*
+-- 
+2.37.1
+
--- a/samba.abignore
+++ b/samba.abignore
@ -0,0 +1,5 @@
+#################################################
+# This is a grouping library without any code
+#################################################
+[suppress_file]
+file_name_regexp=.*libdcerpc-samr\\.so.*
--- a/samba.spec
+++ b/samba.spec
--- a/smb.conf.example
+++ b/smb.conf.example
@ -281,7 +281,7 @@

 [printers]
 	comment = All Printers
-	path = /var/spool/samba
+	path = /var/tmp
 	browseable = no
 	guest ok = no
 	writable = no
--- a/smb.conf.vendor
+++ b/smb.conf.vendor
@ -2,6 +2,10 @@
 # read the smb.conf manpage.
 # Run 'testparm' to verify the config is correct after
 # you modified it.
+#
+# Note:
+# SMB1 is disabled by default. This means clients without support for SMB2 or
+# SMB3 are no longer able to connect to smbd (by default).

 [global]
 	workgroup = SAMBA
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (samba-4.13.0rc1.tar.xz) = 3e6d431998907ad8c81f488ddf78dcef5fd6a4cdf8ca684e5ad0ce9bf7217d82fcca7501155446c83d804f939bea7012f1d37c1f738d8ec7bc769a9148a6592a
-SHA512 (samba-4.13.0rc1.tar.asc) = 6dfe9467fd7fd28db91ae15fa3314a7707cfeb88c8ecd2af532d57614bec311119546a2fd4ced71063df9b7d6879a62f9ba512ae05d494323e0362a5492d33fa
+SHA512 (samba-4.16.9.tar.xz) = 5ec51b7576b6171bc15653906ed3412ccb7ab383e93791723d5845b7181395473a88be51d19c28bf6b212ca903dea3c24cdd1449222e6f3643bc7cda10049d84
+SHA512 (samba-4.16.9.tar.asc) = 75409da7d935185f567c9342175ba967dd068067a727e2adb9cbfb333c1789a9d9f8d365abbade8f29de4eceadf0f3e9c349e5fab9384adc1750a9459a995174