* Mon Mar 08 2010 Simo Sorce <ssorce@redhat.com> - 3.4.7-58

- Security update to 3.4.7
- Fixes CVE-2010-0728

.cvsignore

@@ -1 +1 @@
-samba-3.4.1.tar.gz
+samba-3.4.7.tar.gz

Makefile

@@ -4,7 +4,7 @@ NAME := samba
 SPECFILE = $(firstword $(wildcard *.spec))
 
 define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
 endef
 
 MAKEFILE_COMMON := $(shell $(find-makefile-common))

branch

@@ -0,0 +1 @@
+F-12

samba-3.4.5-CVE-2009-3297-mount_cifs.patch

@@ -0,0 +1,628 @@
+From 40520b65fcfba963e90dfcffe87acd63a1760881 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:53 -0500
+Subject: [PATCH 1/5] mount.cifs: directly include sys/stat.h in mtab.c
+
+This file is mysteriously getting included when built via the makefile,
+but when you try to build mtab.o by hand it fails to build. Directly
+include it to remove any ambiguity.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mtab.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/source3/client/mtab.c b/source3/client/mtab.c
+index 93fbd11..70789bc 100644
+--- a/source3/client/mtab.c
++++ b/source3/client/mtab.c
+@@ -32,6 +32,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <sys/time.h>
++#include <sys/stat.h>
+ #include <time.h>
+ #include <fcntl.h>
+ #include <mntent.h>
+-- 
+1.6.6
+
+From 59dd0bb8c8b46c875bcc8b55a6c22fee5ea2113b Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:57 -0500
+Subject: [PATCH 2/5] mount.cifs: properly check for mount being in fstab when running setuid root (try#3)
+
+This is the third attempt to clean up the checks when a setuid
+mount.cifs is run by an unprivileged user. The main difference in this
+patch from the last one is that it fixes a bug where the mount might
+have failed if unnecessarily if CIFS_LEGACY_SETUID_CHECK was set.
+
+When mount.cifs is installed setuid root and run as an unprivileged
+user, it does some checks to limit how the mount is used. It checks that
+the mountpoint is owned by the user doing the mount.
+
+These checks however do not match those that /bin/mount does when it is
+called by an unprivileged user. When /bin/mount is called by an
+unprivileged user to do a mount, it checks that the mount in question is
+in /etc/fstab, that it has the "user" option set, etc.
+
+This means that it's currently not possible to set up user mounts the
+standard way (by the admin, in /etc/fstab) and simultaneously protect
+from an unprivileged user calling mount.cifs directly to mount a share
+on any directory that that user owns.
+
+Fix this by making the checks in mount.cifs match those of /bin/mount
+itself. This is a necessary step to make mount.cifs safe to be installed
+as a setuid binary, but not sufficient. For that, we'd need to give
+mount.cifs a proper security audit.
+
+Since some users may be depending on the legacy behavior, this patch
+also adds the ability to build mount.cifs with the older behavior.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mount.cifs.c |  202 ++++++++++++++++++++++++++++++++++---------
+ 1 files changed, 162 insertions(+), 40 deletions(-)
+
+diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
+index 43dc7f6..da2867c 100644
+--- a/source3/client/mount.cifs.c
++++ b/source3/client/mount.cifs.c
+@@ -39,10 +39,11 @@
+ #include <mntent.h>
+ #include <fcntl.h>
+ #include <limits.h>
++#include <fstab.h>
+ #include "mount.h"
+ 
+ #define MOUNT_CIFS_VERSION_MAJOR "1"
+-#define MOUNT_CIFS_VERSION_MINOR "12"
++#define MOUNT_CIFS_VERSION_MINOR "13"
+ 
+ #ifndef MOUNT_CIFS_VENDOR_SUFFIX
+  #ifdef _SAMBA_BUILD_
+@@ -69,6 +70,10 @@
+ #define MS_BIND 4096
+ #endif
+ 
++/* private flags - clear these before passing to kernel */
++#define MS_USERS	0x40000000
++#define MS_USER		0x80000000
++
+ #define MAX_UNC_LEN 1024
+ 
+ #define CONST_DISCARD(type, ptr)      ((type) ((void *) (ptr)))
+@@ -83,6 +88,27 @@
+ /* currently maximum length of IPv6 address string */
+ #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN
+ 
++/*
++ * By default, mount.cifs follows the conventions set forth by /bin/mount
++ * for user mounts. That is, it requires that the mount be listed in
++ * /etc/fstab with the "user" option when run as an unprivileged user and
++ * mount.cifs is setuid root.
++ *
++ * Older versions of mount.cifs however were "looser" in this regard. When
++ * made setuid root, a user could run mount.cifs directly and mount any share
++ * on a directory owned by that user.
++ *
++ * The legacy behavior is now disabled by default. To reenable it, set the
++ * following #define to true.
++ */
++#define CIFS_LEGACY_SETUID_CHECK 0
++
++/*
++ * When an unprivileged user runs a setuid mount.cifs, we set certain mount
++ * flags by default. These defaults can be changed here.
++ */
++#define CIFS_SETUID_FLAGS (MS_NOSUID|MS_NODEV)
++
+ const char *thisprogram;
+ int verboseflag = 0;
+ int fakemnt = 0;
+@@ -142,6 +168,99 @@ static size_t strlcat(char *d, const char *s, size_t bufsize)
+ }
+ #endif
+ 
++/*
++ * If an unprivileged user is doing the mounting then we need to ensure
++ * that the entry is in /etc/fstab.
++ */
++static int
++check_mountpoint(const char *progname, char *mountpoint)
++{
++	int err;
++	struct stat statbuf;
++
++	/* does mountpoint exist and is it a directory? */
++	err = stat(mountpoint, &statbuf);
++	if (err) {
++		fprintf(stderr, "%s: failed to stat %s: %s\n", progname,
++				mountpoint, strerror(errno));
++		return EX_USAGE;
++	}
++
++	if (!S_ISDIR(statbuf.st_mode)) {
++		fprintf(stderr, "%s: %s is not a directory!", progname,
++				mountpoint);
++		return EX_USAGE;
++	}
++
++#if CIFS_LEGACY_SETUID_CHECK
++	/* do extra checks on mountpoint for legacy setuid behavior */
++	if (!getuid() || geteuid())
++		return 0;
++
++	if (statbuf.st_uid != getuid()) {
++		fprintf(stderr, "%s: %s is not owned by user\n", progname,
++			mountpoint);
++		return EX_USAGE;
++	}
++
++	if ((statbuf.st_mode & S_IRWXU) != S_IRWXU) {
++		fprintf(stderr, "%s: invalid permissions on %s\n", progname,
++			mountpoint);
++		return EX_USAGE;
++	}
++#endif /* CIFS_LEGACY_SETUID_CHECK */
++
++	return 0;
++}
++
++#if CIFS_LEGACY_SETUID_CHECK
++static int
++check_fstab(const char *progname, char *mountpoint, char *devname,
++	    char **options)
++{
++	return 0;
++}
++#else /* CIFS_LEGACY_SETUID_CHECK */
++static int
++check_fstab(const char *progname, char *mountpoint, char *devname,
++	    char **options)
++{
++	FILE *fstab;
++	struct mntent *mnt;
++
++	/* make sure this mount is listed in /etc/fstab */
++	fstab = setmntent(_PATH_FSTAB, "r");
++	if (!fstab) {
++		fprintf(stderr, "Couldn't open %s for reading!\n",
++				_PATH_FSTAB);
++		return EX_FILEIO;
++	}
++
++	while((mnt = getmntent(fstab))) {
++		if (!strcmp(mountpoint, mnt->mnt_dir))
++			break;
++	}
++	endmntent(fstab);
++
++	if (mnt == NULL || strcmp(mnt->mnt_fsname, devname)) {
++		fprintf(stderr, "%s: permission denied: no match for "
++				"%s found in %s\n", progname, mountpoint,
++				_PATH_FSTAB);
++		return EX_USAGE;
++	}
++
++	/*
++	 * 'mount' munges the options from fstab before passing them
++	 * to us. It is non-trivial to test that we have the correct
++	 * set of options. We don't want to trust what the user
++	 * gave us, so just take whatever is in /etc/fstab.
++	 */
++	free(*options);
++	*options = strdup(mnt->mnt_opts);
++	return 0;
++}
++#endif /* CIFS_LEGACY_SETUID_CHECK */
++
+ /* BB finish BB
+ 
+         cifs_umount
+@@ -373,7 +492,7 @@ static int get_password_from_file(int file_descript, char * filename)
+ 	return rc;
+ }
+ 
+-static int parse_options(char ** optionsp, int * filesys_flags)
++static int parse_options(char ** optionsp, unsigned long * filesys_flags)
+ {
+ 	const char * data;
+ 	char * percent_char = NULL;
+@@ -423,6 +542,7 @@ static int parse_options(char ** optionsp, int * filesys_flags)
+ 
+ 		if (strncmp(data, "users",5) == 0) {
+ 			if(!value || !*value) {
++				*filesys_flags |= MS_USERS;
+ 				goto nocopy;
+ 			}
+ 		} else if (strncmp(data, "user_xattr",10) == 0) {
+@@ -431,10 +551,7 @@ static int parse_options(char ** optionsp, int * filesys_flags)
+ 
+ 			if (!value || !*value) {
+ 				if(data[4] == '\0') {
+-					if(verboseflag)
+-						printf("\nskipping empty user mount parameter\n");
+-					/* remove the parm since it would otherwise be confusing
+-					to the kernel code which would think it was a real username */
++					*filesys_flags |= MS_USER;
+ 					goto nocopy;
+ 				} else {
+ 					printf("username specified with no parameter\n");
+@@ -1046,7 +1163,7 @@ static void print_cifs_mount_version(void)
+ int main(int argc, char ** argv)
+ {
+ 	int c;
+-	int flags = MS_MANDLOCK; /* no need to set legacy MS_MGC_VAL */
++	unsigned long flags = MS_MANDLOCK;
+ 	char * orgoptions = NULL;
+ 	char * share_name = NULL;
+ 	const char * ipaddr = NULL;
+@@ -1069,7 +1186,6 @@ int main(int argc, char ** argv)
+ 	size_t current_len;
+ 	int retry = 0; /* set when we have to retry mount with uppercase */
+ 	struct addrinfo *addrhead = NULL, *addr;
+-	struct stat statbuf;
+ 	struct utsname sysinfo;
+ 	struct mntent mountent;
+ 	struct sockaddr_in *addr4;
+@@ -1127,8 +1243,8 @@ int main(int argc, char ** argv)
+ 		exit(EX_USAGE);
+ 	}
+ 
+-	/* add sharename in opts string as unc= parm */
+ 
++	/* add sharename in opts string as unc= parm */
+ 	while ((c = getopt_long (argc, argv, "afFhilL:no:O:rsSU:vVwt:",
+ 			 longopts, NULL)) != -1) {
+ 		switch (c) {
+@@ -1266,6 +1382,22 @@ int main(int argc, char ** argv)
+ 		exit(EX_USAGE);
+ 	}
+ 
++	/* make sure mountpoint is legit */
++	rc = check_mountpoint(thisprogram, mountpoint);
++	if (rc)
++		goto mount_exit;
++
++	/* sanity check for unprivileged mounts */
++	if (getuid()) {
++		rc = check_fstab(thisprogram, mountpoint, dev_name,
++				 &orgoptions);
++		if (rc)
++			goto mount_exit;
++
++		/* enable any default user mount flags */
++		flags |= CIFS_SETUID_FLAGS;
++	}
++
+ 	if (getenv("PASSWD")) {
+ 		if(mountpassword == NULL)
+ 			mountpassword = (char *)calloc(MOUNT_PASSWD_SIZE+1,1);
+@@ -1283,6 +1415,27 @@ int main(int argc, char ** argv)
+                 rc = EX_USAGE;
+ 		goto mount_exit;
+ 	}
++
++	if (getuid()) {
++#if !CIFS_LEGACY_SETUID_CHECK
++		if (!(flags & (MS_USERS|MS_USER))) {
++			fprintf(stderr, "%s: permission denied\n", thisprogram);
++			rc = EX_USAGE;
++			goto mount_exit;
++		}
++#endif /* !CIFS_LEGACY_SETUID_CHECK */
++		
++		if (geteuid()) {
++			fprintf(stderr, "%s: not installed setuid - \"user\" "
++					"CIFS mounts not supported.",
++					thisprogram);
++			rc = EX_FAIL;
++			goto mount_exit;
++		}
++	}
++
++	flags &= ~(MS_USERS|MS_USER);
++
+ 	addrhead = addr = parse_server(&share_name);
+ 	if((addrhead == NULL) && (got_ip == 0)) {
+ 		printf("No ip address specified and hostname not found\n");
+@@ -1299,37 +1452,6 @@ int main(int argc, char ** argv)
+ 			mountpoint = resolved_path; 
+ 		}
+ 	}
+-	if(chdir(mountpoint)) {
+-		printf("mount error: can not change directory into mount target %s\n",mountpoint);
+-		rc = EX_USAGE;
+-		goto mount_exit;
+-	}
+-
+-	if(stat (".", &statbuf)) {
+-		printf("mount error: mount point %s does not exist\n",mountpoint);
+-		rc = EX_USAGE;
+-		goto mount_exit;
+-	}
+-
+-	if (S_ISDIR(statbuf.st_mode) == 0) {
+-		printf("mount error: mount point %s is not a directory\n",mountpoint);
+-		rc = EX_USAGE;
+-		goto mount_exit;
+-	}
+-
+-	if((getuid() != 0) && (geteuid() == 0)) {
+-		if((statbuf.st_uid == getuid()) && (S_IRWXU == (statbuf.st_mode & S_IRWXU))) {
+-#ifndef CIFS_ALLOW_USR_SUID
+-			/* Do not allow user mounts to control suid flag
+-			for mount unless explicitly built that way */
+-			flags |= MS_NOSUID | MS_NODEV;
+-#endif						
+-		} else {
+-			printf("mount error: permission denied or not superuser and mount.cifs not installed SUID\n"); 
+-			exit(EX_USAGE);
+-		}
+-	}
+-
+ 	if(got_user == 0) {
+ 		/* Note that the password will not be retrieved from the
+ 		   USER env variable (ie user%password form) as there is
+-- 
+1.6.6
+
+From a92fa34e73b988ca84fe15df6f67ea4879a6aa2e Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:58 -0500
+Subject: [PATCH 3/5] mount.cifs: take extra care that mountpoint isn't changed during mount
+
+It's possible to trick mount.cifs into mounting onto the wrong directory
+by replacing the mountpoint with a symlink to a directory. mount.cifs
+attempts to check the validity of the mountpoint, but there's still a
+possible race between those checks and the mount(2) syscall.
+
+To guard against this, chdir to the mountpoint very early, and only deal
+with it as "." from then on out.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mount.cifs.c |   34 ++++++++++++++++++++++++++--------
+ 1 files changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
+index da2867c..53d1dad 100644
+--- a/source3/client/mount.cifs.c
++++ b/source3/client/mount.cifs.c
+@@ -179,7 +179,7 @@ check_mountpoint(const char *progname, char *mountpoint)
+ 	struct stat statbuf;
+ 
+ 	/* does mountpoint exist and is it a directory? */
+-	err = stat(mountpoint, &statbuf);
++	err = stat(".", &statbuf);
+ 	if (err) {
+ 		fprintf(stderr, "%s: failed to stat %s: %s\n", progname,
+ 				mountpoint, strerror(errno));
+@@ -1383,6 +1383,14 @@ int main(int argc, char ** argv)
+ 	}
+ 
+ 	/* make sure mountpoint is legit */
++	rc = chdir(mountpoint);
++	if (rc) {
++		fprintf(stderr, "Couldn't chdir to %s: %s\n", mountpoint,
++				strerror(errno));
++		rc = EX_USAGE;
++		goto mount_exit;
++	}
++
+ 	rc = check_mountpoint(thisprogram, mountpoint);
+ 	if (rc)
+ 		goto mount_exit;
+@@ -1445,13 +1453,23 @@ int main(int argc, char ** argv)
+ 	
+ 	/* BB save off path and pop after mount returns? */
+ 	resolved_path = (char *)malloc(PATH_MAX+1);
+-	if(resolved_path) {
+-		/* Note that if we can not canonicalize the name, we get
+-		another chance to see if it is valid when we chdir to it */
+-		if (realpath(mountpoint, resolved_path)) {
+-			mountpoint = resolved_path; 
+-		}
++	if (!resolved_path) {
++		fprintf(stderr, "Unable to allocate memory.\n");
++		rc = EX_SYSERR;
++		goto mount_exit;
+ 	}
++
++	/* Note that if we can not canonicalize the name, we get
++	   another chance to see if it is valid when we chdir to it */
++	if(!realpath(".", resolved_path)) {
++		fprintf(stderr, "Unable to resolve %s to canonical path: %s\n",
++				mountpoint, strerror(errno));
++		rc = EX_SYSERR;
++		goto mount_exit;
++	}
++
++	mountpoint = resolved_path; 
++
+ 	if(got_user == 0) {
+ 		/* Note that the password will not be retrieved from the
+ 		   USER env variable (ie user%password form) as there is
+@@ -1585,7 +1603,7 @@ mount_retry:
+ 	if (verboseflag)
+ 		fprintf(stderr, "\n");
+ 
+-	if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
++	if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {
+ 		switch (errno) {
+ 		case ECONNREFUSED:
+ 		case EHOSTUNREACH:
+-- 
+1.6.6
+
+From bcdb9dc5d7daef6e93b742462e6dd056c0d1ed91 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:58 -0500
+Subject: [PATCH 4/5] mount.cifs: check for invalid characters in device name and mountpoint
+
+It's apparently possible to corrupt the mtab if you pass embedded
+newlines to addmntent. Apparently tabs are also a problem with certain
+earlier glibc versions. Backslashes are also a minor issue apparently,
+but we can't reasonably filter those.
+
+Make sure that neither the devname or mountpoint contain any problematic
+characters before allowing the mount to proceed.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mount.cifs.c |   34 ++++++++++++++++++++++++++++++++++
+ 1 files changed, 34 insertions(+), 0 deletions(-)
+
+diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
+index 53d1dad..85be62b 100644
+--- a/source3/client/mount.cifs.c
++++ b/source3/client/mount.cifs.c
+@@ -1160,6 +1160,36 @@ static void print_cifs_mount_version(void)
+ 		MOUNT_CIFS_VENDOR_SUFFIX);
+ }
+ 
++/*
++ * This function borrowed from fuse-utils...
++ *
++ * glibc's addmntent (at least as of 2.10 or so) doesn't properly encode
++ * newlines embedded within the text fields. To make sure no one corrupts
++ * the mtab, fail the mount if there are embedded newlines.
++ */
++static int check_newline(const char *progname, const char *name)
++{
++    char *s;
++    for (s = "\n"; *s; s++) {
++        if (strchr(name, *s)) {
++            fprintf(stderr, "%s: illegal character 0x%02x in mount entry\n",
++                    progname, *s);
++            return EX_USAGE;
++        }
++    }
++    return 0;
++}
++
++static int check_mtab(const char *progname, const char *devname,
++			const char *dir)
++{
++	if (check_newline(progname, devname) == -1 ||
++	    check_newline(progname, dir) == -1)
++		return EX_USAGE;
++	return 0;
++}
++
++
+ int main(int argc, char ** argv)
+ {
+ 	int c;
+@@ -1603,6 +1633,10 @@ mount_retry:
+ 	if (verboseflag)
+ 		fprintf(stderr, "\n");
+ 
++	rc = check_mtab(thisprogram, dev_name, mountpoint);
++	if (rc)
++		goto mount_exit;
++
+ 	if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {
+ 		switch (errno) {
+ 		case ECONNREFUSED:
+-- 
+1.6.6
+
+From ea8a30a9d217127eb2e5a0e0cd27d943cae7d13a Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:58 -0500
+Subject: [PATCH 5/5] mount.cifs: don't allow it to be run as setuid root program
+
+mount.cifs has been the subject of several "security" fire drills due to
+distributions installing it as a setuid root program. This program has
+not been properly audited for security and the Samba team highly
+recommends that it not be installed as a setuid root program at this
+time.
+
+To make that abundantly clear, this patch forcibly disables the ability
+for mount.cifs to run as a setuid root program. People are welcome to
+trivially patch this out, but they do so at their own peril.
+
+A security audit and redesign of this program is in progress and we hope
+that we'll be able to remove this in the near future.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mount.cifs.c |   39 ++++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 38 insertions(+), 1 deletions(-)
+
+diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
+index 85be62b..f29e1e6 100644
+--- a/source3/client/mount.cifs.c
++++ b/source3/client/mount.cifs.c
+@@ -43,7 +43,7 @@
+ #include "mount.h"
+ 
+ #define MOUNT_CIFS_VERSION_MAJOR "1"
+-#define MOUNT_CIFS_VERSION_MINOR "13"
++#define MOUNT_CIFS_VERSION_MINOR "14"
+ 
+ #ifndef MOUNT_CIFS_VENDOR_SUFFIX
+  #ifdef _SAMBA_BUILD_
+@@ -89,6 +89,17 @@
+ #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN
+ 
+ /*
++ * mount.cifs has been the subject of many "security" bugs that have arisen
++ * because of users and distributions installing it as a setuid root program.
++ * mount.cifs has not been audited for security. Thus, we strongly recommend
++ * that it not be installed setuid root. To make that abundantly clear,
++ * mount.cifs now check whether it's running setuid root and exit with an
++ * error if it is. If you wish to disable this check, then set the following
++ * #define to 1, but please realize that you do so at your own peril.
++ */
++#define CIFS_DISABLE_SETUID_CHECK 0
++
++/*
+  * By default, mount.cifs follows the conventions set forth by /bin/mount
+  * for user mounts. That is, it requires that the mount be listed in
+  * /etc/fstab with the "user" option when run as an unprivileged user and
+@@ -213,6 +224,29 @@ check_mountpoint(const char *progname, char *mountpoint)
+ 	return 0;
+ }
+ 
++#if CIFS_DISABLE_SETUID_CHECK
++static int
++check_setuid(void)
++{
++	return 0;
++}
++#else /* CIFS_DISABLE_SETUID_CHECK */
++static int
++check_setuid(void)
++{
++	if (getuid() && !geteuid()) {
++		printf("This mount.cifs program has been built with the "
++			"ability to run as a setuid root program disabled.\n"
++			"mount.cifs has not been well audited for security "
++			"holes. Therefore the Samba team does not recommend "
++			"installing it as a setuid root program.\n");
++		return 1;
++	}
++
++	return 0;
++}
++#endif /* CIFS_DISABLE_SETUID_CHECK */
++
+ #if CIFS_LEGACY_SETUID_CHECK
+ static int
+ check_fstab(const char *progname, char *mountpoint, char *devname,
+@@ -1222,6 +1256,9 @@ int main(int argc, char ** argv)
+ 	struct sockaddr_in6 *addr6;
+ 	FILE * pmntfile;
+ 
++	if (check_setuid())
++		return EX_USAGE;
++
+ 	/* setlocale(LC_ALL, "");
+ 	bindtextdomain(PACKAGE, LOCALEDIR);
+ 	textdomain(PACKAGE); */
+-- 
+1.6.6
+

samba.spec

@@ -1,26 +1,23 @@
-%define main_release 45
-%define samba_version 3.4.1
+%define main_release 58
+%define samba_version 3.4.7
 %define tdb_version 1.1.3
 %define talloc_version 1.3.0
 #%define pre_release rc1
 %define pre_release %nil
 
-%define samba_release 0%{pre_release}.%{main_release}%{?dist}
-
-%define enable_talloc 0
-%define enable_tdb    0
+%define samba_release %{main_release}%{pre_release}%{?dist}
 
 %define samba_source source3
 Summary: Server and Client software to interoperate with Windows machines
 Name: samba
 Epoch: 0
 Version: %{samba_version}
-Release: %{samba_release}.1
+Release: %{samba_release}
 License: GPLv3+ and LGPLv3+
 Group: System Environment/Daemons
 URL: http://www.samba.org/
 
-Source: http://www.samba.org/samba/ftp/samba/%{name}-%{samba_version}%{pre_release}.tar.gz
+Source: http://www.samba.org/samba/ftp/%{name}-%{samba_version}%{pre_release}.tar.gz
 
 # Red Hat specific replacement-files
 Source1: samba.log
@@ -48,6 +45,7 @@ Patch104: samba-3.0.0rc3-nmbd-netbiosname.patch
 # The passwd part has been applied, but not the group part
 Patch107: samba-3.2.0pre1-grouppwd.patch
 Patch200: samba-3.2.5-inotify.patch
+Patch202: samba-3.4.5-CVE-2009-3297-mount_cifs.patch
 
 Requires(pre): samba-common = %{epoch}:%{samba_version}-%{release}
 Requires: pam >= 0:0.64
@@ -57,12 +55,7 @@ Requires(post): /sbin/chkconfig, /sbin/service
 Requires(preun): /sbin/chkconfig, /sbin/service
 BuildRequires: pam-devel, readline-devel, ncurses-devel, libacl-devel, krb5-devel, openldap-devel, openssl-devel, cups-devel, ctdb-devel
 BuildRequires: autoconf, gawk, popt-devel, gtk2-devel, libcap-devel, libuuid-devel
-%if ! %enable_talloc
-BuildRequires: libtalloc-devel >= %{talloc_version}
-%endif
-%if ! %enable_tdb
-BuildRequires: libtdb-devel >= %{tdb_version}
-%endif
+BuildRequires: libtalloc-devel, libtdb-devel
 
 # Working around perl dependency problem from docs
 %define __perl_requires %{SOURCE999}
@@ -85,7 +78,6 @@ need the NetBEUI (Microsoft Raw NetBIOS frame) protocol.
 Summary: Samba client programs
 Group: Applications/System
 Requires: samba-common = %{epoch}:%{samba_version}-%{release}
-Obsoletes: smbfs
 
 %description client
 The samba-client package provides some SMB/CIFS clients to complement
@@ -111,14 +103,24 @@ packages of Samba.
 Summary: Samba winbind
 Group: Applications/System
 Requires: samba-common = %{epoch}:%{samba_version}-%{release}
+Requires: samba-winbind-clients = %{epoch}:%{samba_version}-%{release}
 Requires(pre): /usr/sbin/groupadd
 Requires(post): /sbin/chkconfig, /sbin/service, coreutils
 Requires(preun): /sbin/chkconfig, /sbin/service
 
 %description winbind
-The samba-winbind package provides the winbind daemon, a NSS library, a PAM
-module and some client tools. Winbind enables Linux to be a full member in
-Windows domains and to use Windows user and group accounts on Linux.
+The samba-winbind package provides the winbind daemon and some client tools.
+Winbind enables Linux to be a full member in Windows domains and to use
+Windows user and group accounts on Linux.
+
+
+%package winbind-clients
+Summary: Samba winbind clients
+Group: Applications/System
+
+%description winbind-clients
+The samba-winbind-clients package provides the NSS library and a PAM
+module necessary to communicate to the Winbind Daemon
 
 
 %package winbind-devel
@@ -177,63 +179,6 @@ Requires: libsmbclient = %{epoch}:%{samba_version}-%{release}
 The libsmbclient-devel package contains the header files and libraries needed to
 develop programs that link against the SMB client library in the Samba suite.
 
-%if %enable_tdb
-%package -n libtdb
-Summary: The TDB library and tools
-Group: Applications/System
-Version: %{tdb_version}
-Release: %{main_release}%{?dist}
-
-%description -n libtdb
-The TDB library from the Samba suite.
-
-
-%package -n tdb-tools
-Summary: The TDB tools
-Group: Applications/System
-Version: %{tdb_version}
-Release: %{main_release}%{?dist}
-Requires: libtdb = %{epoch}:%{tdb_version}-%{main_release}%{?dist}
-
-%description -n tdb-tools
-Some TDB tools from the Samba suite.
-
-
-%package -n libtdb-devel
-Summary: Developer tools for the TDB library
-Group: Development
-Version: %{tdb_version}
-Release: %{main_release}%{?dist}
-Requires: libtdb = %{epoch}:%{tdb_version}-%{main_release}%{?dist}
-
-%description -n libtdb-devel
-The libtdb-devel package contains the header files and libraries needed to
-develop programs that link against the TDB library in the Samba suite.
-%endif
-
-%if %enable_talloc
-%package -n libtalloc
-Summary: The talloc library
-Group: Applications/System
-Version: %{talloc_version}
-Release: %{main_release}%{?dist}
-
-%description -n libtalloc
-The talloc library from the Samba suite.
-
-
-%package -n libtalloc-devel
-Summary: Developer tools for the talloc library
-Group: Development
-Version: %{talloc_version}
-Release: %{main_release}%{?dist}
-Requires: libtalloc = %{epoch}:%{talloc_version}-%{main_release}%{?dist}
-
-%description -n libtalloc-devel
-The libtalloc-devel package contains the header files and libraries needed to
-develop programs that link against the talloc library in the Samba suite.
-%endif
-
 %prep
 # TAG: change for non-pre
 %setup -q -n %{name}-%{samba_version}%{pre_release}
@@ -258,6 +203,7 @@ cp %{SOURCE11} packaging/Fedora/
 #%patch104 -p1 -b .nmbd-netbiosname # FIXME: does not apply
 %patch107 -p1 -b .grouppwd
 %patch200 -p0 -b .inotify
+%patch202 -p1 -b .CVE-2009-3297-mount_cifs
 
 mv %samba_source/VERSION %samba_source/VERSION.orig
 sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < %samba_source/VERSION.orig > %samba_source/VERSION
@@ -282,48 +228,52 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64"
 EXTRA="-D_LARGEFILE64_SOURCE"
 %endif
 CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -DLDAP_DEPRECATED" %configure \
-	--with-dnsupdate \
-	--with-ads \
-	--with-acl-support \
-	--with-automount \
-	--with-dnsupdate \
-	--with-libsmbclient \
-	--with-libsmbsharemodes \
-	--with-mmap \
-	--with-pam \
-	--with-pam_smbpass \
-	--with-quotas \
-	--with-sendfile-support \
-	--with-syslog \
-	--with-utmp \
-	--with-vfs \
-	--with-winbind \
-	--without-smbwrapper \
-	--with-lockdir=/var/lib/samba \
-	--with-piddir=/var/run \
-	--with-mandir=%{_mandir} \
-	--with-privatedir=/var/lib/samba/private \
-	--with-logfilebase=/var/log/samba \
-	--with-libdir=%{_libdir} \
-	--with-modulesdir=%{_libdir}/samba \
-	--with-configdir=%{_sysconfdir}/samba \
-	--with-pammodulesdir=%{_lib}/security \
-	--with-swatdir=%{_datadir}/swat \
-	--with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2 \
-	--with-cifsupcall \
-	--with-cluster-support
-#	--with-aio-support \
+    --with-dnsupdate \
+    --with-ads \
+    --with-acl-support \
+    --with-automount \
+    --with-dnsupdate \
+    --with-libsmbclient \
+    --with-libsmbsharemodes \
+    --with-mmap \
+    --with-pam \
+    --with-pam_smbpass \
+    --with-quotas \
+    --with-sendfile-support \
+    --with-syslog \
+    --with-utmp \
+    --with-vfs \
+    --with-winbind \
+    --without-smbwrapper \
+    --with-lockdir=/var/lib/samba \
+    --with-piddir=/var/run \
+    --with-mandir=%{_mandir} \
+    --with-privatedir=/var/lib/samba/private \
+    --with-logfilebase=/var/log/samba \
+    --with-libdir=%{_libdir} \
+    --with-modulesdir=%{_libdir}/samba \
+    --with-configdir=%{_sysconfdir}/samba \
+    --with-pammodulesdir=%{_lib}/security \
+    --with-swatdir=%{_datadir}/swat \
+    --with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2 \
+    --with-cifsupcall \
+    --with-cluster-support \
+    --with-libtalloc=no \
+    --enable-external-libtalloc=yes \
+    --with-libtdb=no \
+#    --enable-external-libtdb=yes \
+#    --with-aio-support \
 
 
 make  pch
 
 make  LD_LIBRARY_PATH=$RPM_BUILD_DIR/%{name}-%{samba_version}%{pre_release}/%samba_source/bin \
-	%{?_smp_mflags} \
-	all ../nsswitch/libnss_wins.so modules test_pam_modules test_nss_modules test_shlibs
+    %{?_smp_mflags} \
+    all ../nsswitch/libnss_wins.so modules test_pam_modules test_nss_modules test_shlibs
 
 make  LD_LIBRARY_PATH=$RPM_BUILD_DIR/%{name}-%{samba_version}%{pre_release}/%samba_source/bin \
-	%{?_smp_mflags} \
-	-C lib/netapi/examples
+    %{?_smp_mflags} \
+    -C lib/netapi/examples
 
 make  debug2html smbfilter bin/cifs.upcall
 
@@ -350,22 +300,22 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
 cd %samba_source
 
 %makeinstall \
-	BINDIR=$RPM_BUILD_ROOT%{_bindir} \
-	BASEDIR=$RPM_BUILD_ROOT%{_prefix} \
-	SBINDIR=$RPM_BUILD_ROOT%{_sbindir} \
-	DATADIR=$RPM_BUILD_ROOT%{_datadir} \
-	LOCKDIR=$RPM_BUILD_ROOT/var/lib/samba \
-	PRIVATEDIR=$RPM_BUILD_ROOT%{_sysconfdir}/samba \
-	LIBDIR=$RPM_BUILD_ROOT%{_libdir}/ \
-	MODULESDIR=$RPM_BUILD_ROOT%{_libdir}/samba \
-	CONFIGDIR=$RPM_BUILD_ROOT%{_sysconfdir}/samba \
-	PAMMODULESDIR=$RPM_BUILD_ROOT/%{_lib}/security \
-	MANDIR=$RPM_BUILD_ROOT%{_mandir} \
-	VARDIR=$RPM_BUILD_ROOT/var/log/samba \
-	CODEPAGEDIR=$RPM_BUILD_ROOT%{_libdir}/samba \
-	SWATDIR=$RPM_BUILD_ROOT%{_datadir}/swat \
-	SAMBABOOK=$RPM_BUILD_ROOT%{_datadir}/swat/using_samba \
-	PIDDIR=$RPM_BUILD_ROOT/var/run
+    BINDIR=$RPM_BUILD_ROOT%{_bindir} \
+    BASEDIR=$RPM_BUILD_ROOT%{_prefix} \
+    SBINDIR=$RPM_BUILD_ROOT%{_sbindir} \
+    DATADIR=$RPM_BUILD_ROOT%{_datadir} \
+    LOCKDIR=$RPM_BUILD_ROOT/var/lib/samba \
+    PRIVATEDIR=$RPM_BUILD_ROOT%{_sysconfdir}/samba \
+    LIBDIR=$RPM_BUILD_ROOT%{_libdir}/ \
+    MODULESDIR=$RPM_BUILD_ROOT%{_libdir}/samba \
+    CONFIGDIR=$RPM_BUILD_ROOT%{_sysconfdir}/samba \
+    PAMMODULESDIR=$RPM_BUILD_ROOT/%{_lib}/security \
+    MANDIR=$RPM_BUILD_ROOT%{_mandir} \
+    VARDIR=$RPM_BUILD_ROOT/var/log/samba \
+    CODEPAGEDIR=$RPM_BUILD_ROOT%{_libdir}/samba \
+    SWATDIR=$RPM_BUILD_ROOT%{_datadir}/swat \
+    SAMBABOOK=$RPM_BUILD_ROOT%{_datadir}/swat/using_samba \
+    PIDDIR=$RPM_BUILD_ROOT/var/run
 
 cd ..
 
@@ -396,30 +346,12 @@ ln -sf /%{_lib}/libnss_wins.so.2  $RPM_BUILD_ROOT%{_libdir}/libnss_wins.so
 mkdir -p $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_includedir}
 build_libdir="$RPM_BUILD_ROOT%{_libdir}"
 
-%if %enable_talloc
-# talloc
-cd lib/talloc
-# just to get the correct .pc file generated
-./autogen.sh && ./configure --prefix=%{_prefix} --libdir=%{_libdir}
-cd ../..
-install -m 644 lib/talloc/talloc.pc $build_libdir/pkgconfig/
-%endif
-
-%if %enable_tdb
-# tdb
-cd lib/tdb
-# just to get the correct .pc file generated
-./autogen.sh && ./configure --prefix=%{_prefix} --libdir=%{_libdir}
-cd ../..
-install -m 644 lib/tdb/tdb.pc $build_libdir/pkgconfig/
-%endif
-
 # make install puts libraries in the wrong place
 # (but at least gets the versioning right now)
 
 list="smbclient smbsharemodes netapi talloc tdb wbclient"
 for i in $list; do
-	install -m 644 %samba_source/pkgconfig/$i.pc $build_libdir/pkgconfig/ || true
+    install -m 644 %samba_source/pkgconfig/$i.pc $build_libdir/pkgconfig/ || true
 done
 
 
@@ -469,25 +401,21 @@ mv -f $RPM_BUILD_ROOT%{_mandir}/man1/ldbmodify.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 mv -f $RPM_BUILD_ROOT%{_mandir}/man1/ldbsearch.1 $RPM_BUILD_ROOT%{_mandir}/man1/ldb3search.1
 mv -f $RPM_BUILD_ROOT%{_mandir}/man1/ldbrename.1 $RPM_BUILD_ROOT%{_mandir}/man1/ldb3rename.1
 
-%if ! %enable_talloc
-rm -f $RPM_BUILD_ROOT%{_libdir}/libtalloc.so.*
-rm -f $RPM_BUILD_ROOT%{_includedir}/talloc.h
-rm -f $RPM_BUILD_ROOT%{_libdir}/libtalloc.so
-rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/talloc.pc
-%endif
+#rm -f $RPM_BUILD_ROOT%{_libdir}/libtalloc.so.*
+#rm -f $RPM_BUILD_ROOT%{_includedir}/talloc.h
+#rm -f $RPM_BUILD_ROOT%{_libdir}/libtalloc.so
+#rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/talloc.pc
 
-%if ! %enable_tdb
-rm -f $RPM_BUILD_ROOT%{_libdir}/libtdb.so.*
-rm -f $RPM_BUILD_ROOT%{_includedir}/tdb.h
-rm -f $RPM_BUILD_ROOT%{_libdir}/libtdb.so
-rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/tdb.pc
+#rm -f $RPM_BUILD_ROOT%{_libdir}/libtdb.so.*
+#rm -f $RPM_BUILD_ROOT%{_includedir}/tdb.h
+#rm -f $RPM_BUILD_ROOT%{_libdir}/libtdb.so
+#rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/tdb.pc
 rm -f $RPM_BUILD_ROOT%{_bindir}/tdbbackup
 rm -f $RPM_BUILD_ROOT%{_bindir}/tdbdump
 rm -f $RPM_BUILD_ROOT%{_bindir}/tdbtool
 rm -f $RPM_BUILD_ROOT%{_mandir}/man8/tdbbackup.8*
 rm -f $RPM_BUILD_ROOT%{_mandir}/man8/tdbdump.8*
 rm -f $RPM_BUILD_ROOT%{_mandir}/man8/tdbtool.8*
-%endif
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -498,8 +426,8 @@ rm -rf $RPM_BUILD_ROOT
 /sbin/chkconfig --add smb
 /sbin/chkconfig --add nmb
 if [ "$1" -ge "1" ]; then
-	/sbin/service smb condrestart >/dev/null 2>&1 || :
-	/sbin/service nmb condrestart >/dev/null 2>&1 || :
+    /sbin/service smb condrestart >/dev/null 2>&1 || :
+    /sbin/service nmb condrestart >/dev/null 2>&1 || :
 fi
 exit 0
 
@@ -522,132 +450,12 @@ exit 0
 /sbin/chkconfig --add winbind
 
 if [ "$1" -ge "1" ]; then
-	/sbin/service winbind condrestart >/dev/null 2>&1 || :
+    /sbin/service winbind condrestart >/dev/null 2>&1 || :
 fi
 
 %post common
 /sbin/ldconfig
 
-###############################################################################
-## We have new default since F-8, time to stop checking for old files are there
-## should be none in any support upgrade case
-## (keeping it commented just for reference for a while
-## 
-## # This script must be run always on installs or upgrades
-## # it checks if a previous installation have created files
-## # under /var/cache/samba and move them in that case as the
-## # new package wants them to be under /var/lib/samba for
-## # FHS compliance
-## #
-## # - we must stop the dameon if running and restart it
-## #   after the script if it was
-## # - we do not overwrite newer files
-## # - even if /etc/init.d/smb is in samba and not
-## #   samba-common we need to stop smbd/nmbd, if they
-## #   are running, here as well, or we will mess up
-## #   shared (between winbindd and smbd/nmbd) tdbs
-## 
-## OLDPATH="/var/cache/samba"
-## NEWPATH="/var/lib/samba"
-## 
-## eval ls $OLDPATH/*.tdb >/dev/null 2>&1
-## if [ $? = 0 ]; then
-##     eval testparm -s 2>/dev/null |grep "lock dir" >/dev/null
-##     if [ $? = 0 ]; then 
-## 	echo "Warning: lock dir explicitly set. Not moving tdb files to new default location"
-##     else
-## 
-## 	#Stop daemons before we move the files around
-## 
-## 	#this is what condrestart checks as well
-## 	if [ -f /var/lock/subsys/winbindd ]; then
-## 		/sbin/service winbind stop >/dev/null 2>&1 || :
-## 		# Use a dirty trick to fool condrestart later
-## 		touch /var/lock/subsys/winbindd
-## 	fi
-## 
-## 	if [ -f /var/lock/subsys/smb ]; then
-## 		/sbin/service smb stop >/dev/null 2>&1 || :
-## 		# We need to stop smbd here as we are moving also smbd owned files
-## 		# but we can't restart it until the new server is installed.
-## 		# Use a dirty trick to fool condrestart later
-## 		touch /var/lock/subsys/smb
-## 	fi
-## 
-## 	if [ -f /var/lock/subsys/nmb ]; then
-## 		/sbin/service nmb stop >/dev/null 2>&1 || :
-## 		# We need to stop smbd here as we are moving also smbd owned files
-## 		# but we can't restart it until the new server is installed.
-## 		# Use a dirty trick to fool condrestart later
-## 		touch /var/lock/subsys/nmb
-## 	fi
-## 
-## 	eval ls $NEWPATH/*.tdb >/dev/null 2>&1
-## 	if [ $? = 0 ]; then
-## 		#something strange here, lets backup this stuff and avoid just wiping it
-## 
-## 		mkdir $NEWPATH.pkgbkp
-## 		mv -f $NEWPATH/*.tdb $NEWPATH.pkgbkp/ >/dev/null 2>&1
-## 		mv -f $NEWPATH/*.dat $NEWPATH.pkgbkp/ >/dev/null 2>&1
-## 		mv -f $NEWPATH/perfmon $NEWPATH.pkgbkp/ >/dev/null 2>&1
-## 		mv -f $NEWPATH/printing $NEWPATH.pkgbkp/ >/dev/null 2>&1
-## 	fi
-## 
-## 	mv -f $OLDPATH/*.tdb $NEWPATH/ >/dev/null 2>&1
-## 	mv -f $OLDPATH/*.dat $NEWPATH/ >/dev/null 2>&1
-## 	mv -f $OLDPATH/perfmon $NEWPATH/ >/dev/null 2>&1
-## 	mv -f $OLDPATH/printing $NEWPATH/ >/dev/null 2>&1
-## 
-##     fi
-## fi
-## 
-## # We also moved private files from /etc/samba to
-## # /var/lib/samba/private so we need to migrate these as well
-## 
-## #secrets.tdb
-## if [ -f %{_sysconfdir}/samba/secrets.tdb ]; then
-## 	eval testparm -s 2>/dev/null |grep "private dir" >/dev/null
-## 	if [ $? = 0 ]; then
-## 		echo "Warning: private dir explicitly set. Not moving secrets.tdb to new default location"
-## 	else
-## 		if [ -f /var/lib/samba/private/secrets.tdb ]; then
-## 			mv -f /var/lib/samba/private/secrets.tdb /var/lib/samba/private/secrets.tdb.old
-## 		fi
-## 		mv -f %{_sysconfdir}/samba/secrets.tdb /var/lib/samba/private/secrets.tdb
-## 	fi
-## fi
-## 
-## #smbpasswd
-## if [ -f %{_sysconfdir}/samba/smbpasswd ]; then
-## 	eval testparm -s 2>/dev/null |grep "smb passwd file" >/dev/null
-## 	if [ $? = 0 ]; then
-## 		echo "Warning: smbpasswd file location explicitly set. Not moving smbpasswd to new default location"
-## 	else
-## 		if [ -f /var/lib/samba/private/smbpasswd ]; then
-## 			mv -f /var/lib/samba/private/smbpasswd /var/lib/samba/private/smbpasswd.old
-## 		fi
-## 		mv -f %{_sysconfdir}/samba/smbpasswd /var/lib/samba/private/smbpasswd
-## 	fi
-## fi
-## 
-## #passdb.tdb
-## if [ -f %{_sysconfdir}/samba/passdb.tdb ]; then
-## 	eval testparm -s 2>/dev/null |grep "private dir" >/dev/null || testparm -s 2>/dev/null |grep -P "^\s*passdb\s*backend\s*=.*tdbsam:/etc/samba/passdb.tdb.*"
-## 	if [ $? = 0 ]; then
-## 		echo "Warning: passdb.tdb location explicitly set. Not moving passdb.tdb to new default location"
-## 	else
-## 		if [ -f /var/lib/samba/private/passdb.tdb ]; then
-## 			mv -f /var/lib/samba/private/passdb.tdb /var/lib/samba/private/passdb.tdb.old
-## 		fi
-## 		mv -f %{_sysconfdir}/samba/passdb.tdb /var/lib/samba/private/passdb.tdb
-## 	fi
-## fi
-## 
-## #remove schannel_store if existing, it is not info we need to keep across restarts
-## if [ -f %{_sysconfdir}/samba/schannel_store.tdb ]; then
-## 	rm -f %{_sysconfdir}/samba/schannel_store.tdb
-## fi
-## 
 %preun winbind
 if [ $1 = 0 ] ; then
     /sbin/service winbind stop >/dev/null 2>&1 || :
@@ -665,22 +473,6 @@ exit 0
 %postun -n libsmbclient
 /sbin/ldconfig
 
-%if %enable_tdb
-%post -n libtdb
-/sbin/ldconfig
-
-%postun -n libtdb
-/sbin/ldconfig
-%endif
-
-%if %enable_talloc
-%post -n libtalloc
-/sbin/ldconfig
-
-%postun -n libtalloc
-/sbin/ldconfig
-%endif
-
 %files
 %defattr(-,root,root)
 %{_sbindir}/smbd
@@ -753,8 +545,6 @@ exit 0
 %{_libdir}/samba/lowcase.dat
 %{_libdir}/samba/upcase.dat
 %{_libdir}/samba/valid.dat
-%{_libdir}/libnss_wins.so
-/%{_lib}/libnss_wins.so.2
 %{_libdir}/libnetapi.so
 %attr(755,root,root) %{_libdir}/libnetapi.so.*
 %{_includedir}/netapi.h
@@ -800,18 +590,15 @@ exit 0
 %{_mandir}/man8/pdbedit.8*
 %{_mandir}/man8/net.8*
 
-%doc README COPYING Manifest 
+%doc README COPYING Manifest
 %doc WHATSNEW.txt Roadmap
 
 %files winbind
+%defattr(-,root,root)
 %{_bindir}/ntlm_auth
 %{_bindir}/wbinfo
-%{_libdir}/libnss_winbind.so
-%attr(755,root,root) %{_libdir}/libwbclient.so.*
 %{_libdir}/samba/idmap
 %{_libdir}/samba/nss_info
-/%{_lib}/libnss_winbind.so.2
-/%{_lib}/security/pam_winbind.so
 %{_sbindir}/winbindd
 %dir /var/run/winbindd
 %attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged
@@ -825,21 +612,34 @@ exit 0
 %{_mandir}/man8/idmap_*.8*
 %{_datadir}/locale/*/LC_MESSAGES/pam_winbind.mo
 
+%files winbind-clients
+%defattr(-,root,root)
+%{_libdir}/libnss_winbind.so
+/%{_lib}/libnss_winbind.so.2
+%{_libdir}/libnss_wins.so
+/%{_lib}/libnss_wins.so.2
+/%{_lib}/security/pam_winbind.so
+%attr(755,root,root) %{_libdir}/libwbclient.so.*
+
 %files winbind-devel
+%defattr(-,root,root)
 %{_includedir}/wbclient.h
 %{_libdir}/libwbclient.so
 %{_libdir}/pkgconfig/wbclient.pc
 
 %files doc
+%defattr(-,root,root)
 %doc docs/Samba3-Developers-Guide.pdf docs/Samba3-ByExample.pdf
 %doc docs/Samba3-HOWTO.pdf
 %doc docs/htmldocs
 
 %files -n libsmbclient
+%defattr(-,root,root)
 %attr(755,root,root) %{_libdir}/libsmbclient.so.*
 %attr(755,root,root) %{_libdir}/libsmbsharemodes.so.*
 
 %files -n libsmbclient-devel
+%defattr(-,root,root)
 %{_includedir}/libsmbclient.h
 %{_includedir}/smb_share_modes.h
 %{_libdir}/libsmbclient.so
@@ -848,34 +648,6 @@ exit 0
 %{_libdir}/pkgconfig/smbsharemodes.pc
 %{_mandir}/man7/libsmbclient.7*
 
-%if %enable_talloc
-%files -n libtalloc
-%attr(755,root,root) %{_libdir}/libtalloc.so.*
-
-%files -n libtalloc-devel
-%{_includedir}/talloc.h
-%{_libdir}/libtalloc.so
-%{_libdir}/pkgconfig/talloc.pc
-%endif
-
-%if %enable_tdb
-%files -n libtdb
-%attr(755,root,root) %{_libdir}/libtdb.so.*
-
-%files -n libtdb-devel
-%{_includedir}/tdb.h
-%{_libdir}/libtdb.so
-%{_libdir}/pkgconfig/tdb.pc
-
-%files -n tdb-tools
-%{_bindir}/tdbbackup
-%{_bindir}/tdbdump
-%{_bindir}/tdbtool
-%{_mandir}/man8/tdbbackup.8*
-%{_mandir}/man8/tdbdump.8*
-%{_mandir}/man8/tdbtool.8*
-%endif
-
 %files domainjoin-gui
 %{_sbindir}/netdomjoin-gui
 %dir %{_datadir}/pixmaps/samba
@@ -884,6 +656,61 @@ exit 0
 %{_datadir}/pixmaps/samba/logo-small.png
 
 %changelog
+* Mon Mar 08 2010 Simo Sorce <ssorce@redhat.com> - 3.4.7-58
+- Security update to 3.4.7
+- Fixes CVE-2010-0728
+
+* Wed Feb 24 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.6-57
+- Update to 3.4.6
+
+* Wed Feb 17 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-56
+- Fix crash in cifs.upcall
+- resolves: #565446
+
+* Wed Jan 26 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-55
+- Security Release, fixes CVE-2009-3297
+- resolves: #532940
+
+* Wed Jan 26 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-54
+- Fix crash in pdbedit
+- resolves: #541267
+
+* Tue Jan 19 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-53
+- Update to 3.4.5
+
+* Thu Jan 14 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.4-52
+- Fix crash bug in libsmbclient (SMBC_parse_path)
+- resolves: #552658
+
+* Thu Jan 07 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.4-51
+- Update to 3.4.4
+
+* Tue Dec 01 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.3-50
+- Fix uninitialized rpc client pipe, causing winbind to crash
+- resolves: #541328
+
+* Wed Nov 25 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.3-49
+- Various updates to inline documentation in default smb.conf file
+- resolves: #483703
+
+* Thu Oct 29 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.3-48
+- Update to 3.4.3
+
+* Fri Oct 09 2009 Simo Sorce <ssorce@redhat.com> - 3.4.2-47
+- Spec file cleanup
+- Fix sources upstream location
+- Remove conditionals to build talloc and tdb, now they are completely indepent
+  packages in Fedora
+- Add defattr() where missing
+- Turn all tabs into 4 spaces
+- Remove unused migration script
+- Split winbind-clients out of main winbind package to avoid multilib to include
+  huge packages for no good reason
+
+* Thu Oct 01 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.2-0.46
+- Update to 3.4.2
+- Security Release, fixes CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906
+
 * Wed Sep 16 2009 Tomas Mraz <tmraz@redhat.com> - 3.4.1-0.45
 - Use password-auth common PAM configuration instead of system-auth
 

smb.conf.default

@@ -1,102 +1,119 @@
-# This is the main Samba configuration file. You should read the
-# smb.conf(5) manual page in order to understand the options listed
-# here. Samba has a huge number of configurable options (perhaps too
-# many!) most of which are not shown in this example
+# This is the main Samba configuration file. For detailed information about the
+# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
+# number of configurable options, most of which are not shown in this example.
 #
-# For a step to step guide on installing, configuring and using samba, 
-# read the Samba-HOWTO-Collection. This may be obtained from:
-#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
+# The Official Samba 3.2.x HOWTO and Reference Guide contains step-by-step
+# guides for installing, configuring, and using Samba:
+# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
 #
-# Many working examples of smb.conf files can be found in the 
-# Samba-Guide which is generated daily and can be downloaded from: 
-#  http://www.samba.org/samba/docs/Samba-Guide.pdf
+# The Samba-3 by Example guide has working examples for smb.conf. This guide is
+# generated daily: http://www.samba.org/samba/docs/Samba-Guide.pdf
 #
-# Any line which starts with a ; (semi-colon) or a # (hash) 
-# is a comment and is ignored. In this example we will use a #
-# for commentry and a ; for parts of the config file that you
-# may wish to enable
+# In this file, lines starting with a semicolon (;) or a hash (#) are
+# comments and are ignored. This file uses hashes to denote commentary and
+# semicolons for parts of the file you may wish to configure.
 #
-# NOTE: Whenever you modify this file you should run the command "testparm"
-# to check that you have not made any basic syntactic errors. 
+# Note: Run the "testparm" command after modifying this file to check for basic
+# syntax errors.
 #
 #---------------
-# SELINUX NOTES:
+# Security-Enhanced Linux (SELinux) Notes:
 #
-# If you want to use the useradd/groupadd family of binaries please run:
+# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
+# and groupadd family of binaries. Run the following command as the root user to
+# turn this Boolean on:
 # setsebool -P samba_domain_controller on
 #
-# If you want to share home directories via samba please run:
+# Turn the samba_enable_home_dirs Boolean on if you want to share home
+# directories via Samba. Run the following command as the root user to turn this
+# Boolean on:
 # setsebool -P samba_enable_home_dirs on
 #
-# If you create a new directory you want to share you should mark it as
-# "samba-share_t" so that selinux will let you write into it.
-# Make sure not to do that on system directories as they may already have
-# been marked with othe SELinux labels.
+# If you create a new directory, such as a new top-level directory, label it
+# with samba_share_t so that SELinux allows Samba to read and write to it. Do
+# not label system directories, such as /etc/ and /home/, with samba_share_t, as
+# such directories should already have an SELinux label.
 #
-# Use ls -ldZ /path to see which context a directory has
+# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
+# label for a given directory.
 #
-# Set labels only on directories you created!
-# To set a label use the following: chcon -t samba_share_t /path
+# Set SELinux labels only on files and directories you have created. Use the
+# chcon command to temporarily change a label:
+# chcon -t samba_share_t /path/to/directory
 #
-# If you need to share a system created directory you can use one of the
-# following (read-only/read-write):
+# Changes made via chcon are lost when the file system is relabeled or commands
+# such as restorecon are run.
+#
+# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
+# directories. To share such directories and only allow read-only permissions:
 # setsebool -P samba_export_all_ro on
-# or
+# To share such directories and allow read and write permissions:
 # setsebool -P samba_export_all_rw on
 #
-# If you want to run scripts (preexec/root prexec/print command/...) please
-# put them into the /var/lib/samba/scripts directory so that smbd will be
-# allowed to run them.
-# Make sure you COPY them and not MOVE them so that the right SELinux context
-# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
+# To run scripts (preexec/root prexec/print command/...), copy them to the
+# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
+# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
+# their existing SELinux labels, which may be labels that SELinux does not allow
+# smbd to run. Copying the scripts will result in the correct SELinux labels.
+# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
+# apply the correct SELinux labels to these files.
 #
 #--------------
 #
 #======================= Global Settings =====================================
-	
+
 [global]
-	
-# ----------------------- Netwrok Related Options -------------------------
+
+# ----------------------- Network-Related Options -------------------------
 #
-# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
+# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
 #
-# server string is the equivalent of the NT Description field
+# server string = the equivalent of the Windows NT Description field.
 #
-# netbios name can be used to specify a server name not tied to the hostname
+# netbios name = used to specify a server name that is not tied to the hostname.
 #
-# Interfaces lets you configure Samba to use multiple interfaces
-# If you have multiple network interfaces then you can list the ones
-# you want to listen on (never omit localhost)
+# interfaces = used to configure Samba to listen on multiple network interfaces.
+# If you have multiple interfaces, you can use the "interfaces =" option to
+# configure which of those interfaces Samba listens on. Never omit the localhost
+# interface (lo).
 #
-# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
-# specifiy it as a per share option as well
+# hosts allow = the hosts allowed to connect. This option can also be used on a
+# per-share basis.
+
+# hosts deny = the hosts not allowed to connect. This option can also be used on
+# a per-share basis.
 #
 	workgroup = MYGROUP
 	server string = Samba Server Version %v
-	
+
 ;	netbios name = MYSERVER
-	
-;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 
+
+;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
 ;	hosts allow = 127. 192.168.12. 192.168.13.
-	
+
 # --------------------------- Logging Options -----------------------------
 #
-# Log File let you specify where to put logs and how to split them up.
+# log file = specify where log files are written to and how they are split.
 #
-# Max Log Size let you specify the max size log files should reach
-	
-	# logs split per machine
+# max log size = specify the maximum size log files are allowed to reach. Log
+# files are rotated when they reach the size specified with "max log size".
+#
+
+	# log files split per-machine:
 	log file = /var/log/samba/log.%m
-	# max 50KB per log file, then rotate
+	# maximum size of 50KB per log file, then rotate:
 	max log size = 50
-	
+
 # ----------------------- Standalone Server Options ------------------------
 #
-# Scurity can be set to user, share(deprecated) or server(deprecated)
+# security = the mode Samba runs in. This can be set to user, share
+# (deprecated), or server (deprecated).
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
 #
-# Backend to store user information in. New installations should 
-# use either tdbsam or ldapsam. smbpasswd is available for backwards 
-# compatibility. tdbsam requires no further configuration.
 
 	security = user
 	passdb backend = tdbsam
@@ -104,23 +121,24 @@
 
 # ----------------------- Domain Members Options ------------------------
 #
-# Security must be set to domain or ads
+# security = must be set to domain or ads.
 #
-# Use the realm option only with security = ads
-# Specifies the Active Directory realm the host is part of
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
 #
-# Backend to store user information in. New installations should 
-# use either tdbsam or ldapsam. smbpasswd is available for backwards 
-# compatibility. tdbsam requires no further configuration.
+# realm = only use the realm option when the "security = ads" option is set.
+# The realm option specifies the Active Directory realm the host is a part of.
 #
-# Use password server option only with security = server or if you can't
-# use the DNS to locate Domain Controllers
-# The argument list may include:
-#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
-# or to auto-locate the domain controller/s
-#   password server = *
-	
-	
+# password server = only use this option when the "security = server"
+# option is set, or if you cannot use DNS to locate a Domain Controller. The
+# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
+#
+# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
+#
+# Use "password server = *" to automatically locate Domain Controllers.
+
 ;	security = domain
 ;	passdb backend = tdbsam
 ;	realm = MY_REALM
@@ -129,112 +147,123 @@
 
 # ----------------------- Domain Controller Options ------------------------
 #
-# Security must be set to user for domain controllers
+# security = must be set to user for domain controllers.
 #
-# Backend to store user information in. New installations should 
-# use either tdbsam or ldapsam. smbpasswd is available for backwards 
-# compatibility. tdbsam requires no further configuration.
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
 #
-# Domain Master specifies Samba to be the Domain Master Browser. This
-# allows Samba to collate browse lists between subnets. Don't use this
-# if you already have a Windows NT domain controller doing this job
+# domain master = specifies Samba to be the Domain Master Browser, allowing
+# Samba to collate browse lists between subnets. Do not use the "domain master"
+# option if you already have a Windows NT domain controller performing this task.
 #
-# Domain Logons let Samba be a domain logon server for Windows workstations. 
+# domain logons = allows Samba to provide a network logon service for Windows
+# workstations.
 #
-# Logon Scrpit let yuou specify a script to be run at login time on the client
-# You need to provide it in a share called NETLOGON
+# logon script = specifies a script to run at login time on the client. These
+# scripts must be provided in a share named NETLOGON.
 #
-# Logon Path let you specify where user profiles are stored (UNC path)
+# logon path = specifies (with a UNC path) where user profiles are stored.
 #
-# Various scripts can be used on a domain controller or stand-alone
-# machine to add or delete corresponding unix accounts
 #
 ;	security = user
 ;	passdb backend = tdbsam
-	
-;	domain master = yes 
+
+;	domain master = yes
 ;	domain logons = yes
-	
-	# the login script name depends on the machine name
+
+	# the following login script name is determined by the machine name
+	# (%m):
 ;	logon script = %m.bat
-	# the login script name depends on the unix user used
+	# the following login script name is determined by the UNIX user used:
 ;	logon script = %u.bat
 ;	logon path = \\%L\Profiles\%u
-	# disables profiles support by specifing an empty path
-;	logon path =          
-	
+	# use an empty path to disable profile support:
+;	logon path =
+
+	# various scripts can be used on a domain controller or a stand-alone
+	# machine to add or delete corresponding UNIX accounts:
+
 ;	add user script = /usr/sbin/useradd "%u" -n -g users
 ;	add group script = /usr/sbin/groupadd "%g"
 ;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
 ;	delete user script = /usr/sbin/userdel "%u"
 ;	delete user from group script = /usr/sbin/userdel "%u" "%g"
 ;	delete group script = /usr/sbin/groupdel "%g"
-	
-	
+
+
 # ----------------------- Browser Control Options ----------------------------
 #
-# set local master to no if you don't want Samba to become a master
-# browser on your network. Otherwise the normal election rules apply
+# local master = when set to no, Samba does not become the master browser on
+# your network. When set to yes, normal election rules apply.
 #
-# OS Level determines the precedence of this server in master browser
-# elections. The default value should be reasonable
+# os level = determines the precedence the server has in master browser
+# elections. The default value should be reasonable.
+#
+# preferred master = when set to yes, Samba forces a local browser election at
+# start up (and gives itself a slightly higher chance of winning the election).
 #
-# Preferred Master causes Samba to force a local browser election on startup
-# and gives it a slightly higher chance of winning the election
 ;	local master = no
 ;	os level = 33
 ;	preferred master = yes
-	
+
 #----------------------------- Name Resolution -------------------------------
-# Windows Internet Name Serving Support Section:
-# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
 #
-# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
+# This section details the support for the Windows Internet Name Service (WINS).
 #
-# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
+# Note: Samba can be either a WINS server or a WINS client, but not both.
 #
-# - WINS Proxy: Tells Samba to answer name resolution queries on
-#   behalf of a non WINS capable client, for this to work there must be
-#   at least one	WINS Server on the network. The default is NO.
+# wins support = when set to yes, the NMBD component of Samba enables its WINS
+# server.
 #
-# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
-# via DNS nslookups.
-	
+# wins server = tells the NMBD component of Samba to be a WINS client.
+#
+# wins proxy = when set to yes, Samba answers name resolution queries on behalf
+# of a non WINS capable client. For this to work, there must be at least one
+# WINS server on the network. The default is no.
+#
+# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
+# nslookups.
+
 ;	wins support = yes
 ;	wins server = w.x.y.z
 ;	wins proxy = yes
-	
+
 ;	dns proxy = yes
-	
+
 # --------------------------- Printing Options -----------------------------
 #
-# Load Printers let you load automatically the list of printers rather
-# than setting them up individually
+# The options in this section allow you to configure a non-default printing
+# system.
 #
-# Cups Options let you pass the cups libs custom options, setting it to raw
-# for example will let you use drivers on your Windows clients
+# load printers = when set you yes, the list of printers is automatically
+# loaded, rather than setting them up individually.
 #
-# Printcap Name let you specify an alternative printcap file
+# cups options = allows you to pass options to the CUPS library. Setting this
+# option to raw, for example, allows you to use drivers on your Windows clients.
 #
-# You can choose a non default printing system using the Printing option
-	
+# printcap name = used to specify an alternative printcap file.
+#
+
 	load printers = yes
 	cups options = raw
 
 ;	printcap name = /etc/printcap
-	#obtain list of printers automatically on SystemV
+	# obtain a list of printers automatically on UNIX System V systems:
 ;	printcap name = lpstat
 ;	printing = cups
 
-# --------------------------- Filesystem Options ---------------------------
+# --------------------------- File System Options ---------------------------
 #
-# The following options can be uncommented if the filesystem supports
-# Extended Attributes and they are enabled (usually by the mount option
-# user_xattr). Thess options will let the admin store the DOS attributes
-# in an EA and make samba not mess with the permission bits.
+# The options in this section can be un-commented if the file system supports
+# extended attributes, and those attributes are enabled (usually via the
+# "user_xattr" mount option). These options allow the administrator to specify
+# that DOS attributes are stored in extended attributes and also make sure that
+# Samba does not change the permission bits.
 #
-# Note: these options can also be set just per share, setting them in global
-# makes them the default for all shares
+# Note: These options can be used on a per-share basis. Setting them globally
+# (in the [global] section) makes them the default for all shares.
 
 ;	map archive = no
 ;	map hidden = no
@@ -244,14 +273,14 @@
 
 
 #============================ Share Definitions ==============================
-	
+
 [homes]
 	comment = Home Directories
 	browseable = no
 	writable = yes
 ;	valid users = %S
 ;	valid users = MYDOMAIN\%S
-	
+
 [printers]
 	comment = All Printers
 	path = /var/spool/samba
@@ -259,26 +288,24 @@
 	guest ok = no
 	writable = no
 	printable = yes
-	
-# Un-comment the following and create the netlogon directory for Domain Logons
+
+# Un-comment the following and create the netlogon directory for Domain Logons:
 ;	[netlogon]
 ;	comment = Network Logon Service
 ;	path = /var/lib/samba/netlogon
 ;	guest ok = yes
 ;	writable = no
 ;	share modes = no
-	
-	
-# Un-comment the following to provide a specific roving profile share
-# the default is to use the user's home directory
+
+# Un-comment the following to provide a specific roving profile share.
+# The default is to use the user's home directory:
 ;	[Profiles]
 ;	path = /var/lib/samba/profiles
 ;	browseable = no
 ;	guest ok = yes
-	
-	
-# A publicly accessible directory, but read only, except for people in
-# the "staff" group
+
+# A publicly accessible directory that is read only, except for users in the
+# "staff" group (which have write permissions):
 ;	[public]
 ;	comment = Public Stuff
 ;	path = /home/samba

sources

@@ -1 +1 @@
-f857c534148e28b686996d232da76cec  samba-3.4.1.tar.gz
+f5e11690d54466c143f4598bcce2a8bb  samba-3.4.7.tar.gz