--- rpms/samba/sme10/samba.spec 2016/09/29 08:22:00 1.1
+++ rpms/samba/sme10/samba.spec 2016/10/05 16:45:27 1.2
@@ -6,9 +6,9 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
-%define main_release 10.2
+%define main_release 7.1
-%define samba_version 4.2.3
+%define samba_version 4.2.10
 %define talloc_version 2.1.2
 %define ntdb_version 1.0
 %define tdb_version 1.3.4
@@ -109,14 +109,19 @@ Source6: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
-Patch0: samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch
-Patch1: samba-4.2.3-fix_smbX_segfault.patch
-Patch2: samba-4.2.3-fix_dfree_command.patch
-Patch3: samba-4.2.3-document_netbios_length.patch
-Patch4: samba-4.2.3-fix_net_ads_keytab_segfault.patch
-Patch5: samba-4.2.3-fix_force_group.patch
-Patch6: samba-4.2.3-fix_map_to_guest_bad_uid.patch
-Patch7: samba-4.2.3-fix_nss_wins.patch
+Patch1: samba-4.2.10-ldap-sasl-win2003.patch
+Patch3: samba-4.2.3-document_netbios_length.patch
+Patch4: samba-4.2.3-fix_net_ads_keytab_segfault.patch
+Patch5: samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch
+Patch6: samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+Patch7: samba-4.2.10-badlock-bugfixes.patch
+Patch8: samba-4.2.10-fix_rpcclient_ipc_signing.patch
+Patch9: samba-4.2.10-fix_ntlm_auth_issues.patch
+Patch10: samba-4.2.10-fix_msrpc_parse.patch
+Patch11: samba-4.2.10-fix_anon_with_singing_mandatory.patch
+Patch12: samba-4.2.99-fix_idmap_hash_with_other_modules.path
+Patch13: samba-4.2.99-net_ads_join_fix_keytab_generation.patch
+Patch14: CVE-2016-2119-v4-2.patch
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
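Review bot: The rewritten patch list in the `@@ -109,14 +109,19 @@` hunk drops `Patch0`, `Patch1` (fix_smbX_segfault), `Patch2`, `Patch5`, `Patch6` and `Patch7` (fix_nss_wins) without recording that their fixes are contained in the 4.2.10 tarball; the matching `%patch` lines in the `%prep` hunk are removed the same way. That is presumably the case after the rebase, but the changelog context still describes the nss_wins change as a use-after-free fix, so it is worth confirming and stating in a comment above the list, e.g. `# 4.2.3 fixes for smbX segfault, dfree, force group, map to guest and nss_wins are part of 4.2.10`. `Patch12` also ends in `.path` rather than `.patch`; the `-b` suffix on `%patch12` repeats the spelling, so the build only resolves if the source file carries exactly that name.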
@@ -394,7 +399,7 @@ Samba VFS module for GlusterFS integrati
 Summary: Samba libraries
 Group: Applications/System
 Requires: krb5-libs >= 1.10
-Requires: libldb = %{ldb_version}
+Requires: libldb
 Requires: %{name}-client-libs = %{samba_depver}
 %if %with_libwbclient
 Requires: libwbclient = %{samba_depver}
@@ -690,14 +695,19 @@ and use CTDB instead.
 %prep
 %setup -q -n samba-%{version}%{pre_release}
-%patch0 -p1 -b .samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch
-%patch1 -p1 -b .samba-4.2.3-fix_smbX_segfault.patch
-%patch2 -p1 -b .samba-4.2.3-fix_dfree_command.patch
+%patch1 -p1 -b .samba-4.2.10-ldap-sasl-win2003.patch
 %patch3 -p1 -b .samba-4.2.3-document_netbios_length.patch
 %patch4 -p1 -b .samba-4.2.3-fix_net_ads_keytab_segfault.patch
-%patch5 -p1 -b .samba-4.2.3-fix_force_group.patch
-%patch6 -p1 -b .samba-4.2.3-fix_map_to_guest_bad_uid.patch
-%patch7 -p1 -b .samba-4.2.3-fix_nss_wins.patch
+%patch5 -p1 -b .samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch
+%patch6 -p1 -b .samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+%patch7 -p1 -b .samba-4.2.10-badlock-bugfixes.patch
+%patch8 -p1 -b .samba-4.2.10-fix_rpcclient_ipc_signing.patch
+%patch9 -p1 -b .samba-4.2.10-fix_ntlm_auth_issues.patch
+%patch10 -p1 -b .samba-4.2.10-fix_msrpc_parse.patch
+%patch11 -p1 -b .samba-4.2.10-fix_anon_with_singing_mandatory.patch
+%patch12 -p1 -b .samba-4.2.99-fix_idmap_hash_with_other_modules.path
+%patch13 -p1 -b .samba-4.2.99-net_ads_join_fix_keytab_generation.patch
+%patch14 -p1 -b .CVE-2016-2119-v4-2.patch
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
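Review bot: The unversioned `Requires: libldb` in the `@@ -394,7 +399,7 @@` hunk lets the libraries subpackage install against any libldb build, including one older than the release this Samba was compiled and tested with. If the exact pin was dropped because the target distribution ships a different libldb release, a floor keeps the guarantee without the hard equality: `Requires: libldb >= %{ldb_version}`. This assumes `%{ldb_version}` is still defined next to the other `*_version` macros, which sit outside the hunk.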
@@ -855,7 +865,7 @@ install -m 0644 %{SOURCE200} packaging/R
 %endif
 install -d -m 0755 %{buildroot}%{_unitdir}
-for i in nmb smb winbind samba; do
+for i in nmb smb winbind samba ; do
 cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=/run/samba/krb5cc_samba@g' >tmp$i.service
 install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
 done
@@ -872,6 +882,17 @@ install -m 0755 packaging/NetworkManager
 install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+%if ! %with_dc
+for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \
+ %{_libdir}/samba/libdnsserver-common-samba4.so \
+ %{_mandir}/man8/samba.8 \
+ %{_mandir}/man8/samba-tool.8 \
+ %{_libdir}/samba/ldb/ildap.so \
+ %{_libdir}/samba/ldb/ldbsamba_extensions.so ; do
+ rm -f %{buildroot}$i
+done
+%endif
+
 # This makes the right links, as rpmlint requires that
 # the ldconfig-created links be recorded in the RPM.
 /sbin/ldconfig -N -n %{buildroot}%{_libdir}
@@ -1348,6 +1369,7 @@ rm -rf %{buildroot}
 %config(noreplace) %{_sysconfdir}/logrotate.d/samba
 %attr(0700,root,root) %dir /var/log/samba
 %attr(0700,root,root) %dir /var/log/samba/old
+%attr(0755,root,root) %dir /var/lib/samba
 %ghost %dir /var/run/samba
 %ghost %dir /var/run/winbindd
 %attr(700,root,root) %dir /var/lib/samba/private
@@ -1461,11 +1483,6 @@ rm -rf %{buildroot}
 %{_unitdir}/samba.service
 %else # with_dc
 %doc packaging/README.dc
-%exclude %{_mandir}/man8/samba.8*
-%exclude %{_mandir}/man8/samba-tool.8*
-%exclude %{_libdir}/samba/ldb/ildap.so
-%exclude %{_libdir}/samba/ldb/ldbsamba_extensions.so
-
 %endif # with_dc
 ### DC-LIBS
@@ -1504,8 +1521,6 @@ rm -rf %{buildroot}
 %{_libdir}/samba/bind9/dlz_bind9_9.so
 %else
 %doc packaging/README.dc-libs
-%exclude %{_libdir}/samba/libdfs-server-ad-samba4.so
-%exclude %{_libdir}/samba/libdnsserver-common-samba4.so
 %endif # with_dc
 ### DEVEL
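Review bot: `rm -f %{buildroot}$i` in the new `%if ! %with_dc` loop (hunk `@@ -872,6 +882,17 @@`) succeeds even when a listed path no longer exists, so after a rebase that renames one of these DC libraries or ldb modules the loop silently stops removing it. Whether such a file would then end up in a non-DC package depends on the `%files` globs, which are outside this hunk. Dropping `-f` and quoting the path turns a stale entry into a build failure: `rm "%{buildroot}$i"`.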
@@ -1725,7 +1740,6 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libHDB-SAMBA4-samba4.so
 %{_libdir}/samba/libasn1-samba4.so.8
 %{_libdir}/samba/libasn1-samba4.so.8.0.0
-#%{_libdir}/samba/libdfs_server_ad.so
 %{_libdir}/samba/libgssapi-samba4.so.2
 %{_libdir}/samba/libgssapi-samba4.so.2.0.0
 %{_libdir}/samba/libhcrypto-samba4.so.5
@@ -1996,11 +2010,64 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 %changelog
-* Wed Sep 28 2016 Greg Zartman - 4.2.3-11.sme
-- Build for SME 10 [SME: 9751]
+* Wed Oct 5 2016 Daniel Berteaud - 4.2.10-7.1.sme
+- Rebuild with DC support (work from Greg Zartman) [SME: 9817]
+
+* Mon Jul 04 2016 Andreas Schneider - 4.2.10-7
+- resolves: #1351960 - Fix CVE-2016-2119
-* Wed Dec 02 2015 - ClearFoundation - 4.2.3-10.clear
-- enable DC support for integration work
+* Tue Jun 28 2016 Andreas Schneider - 4.2.10-6.3
+- resolves: #1350759 - Fix idmap_hash when used with other modules
+- resolves: #1351260 - Fix krb5 encryption type setup during join
+
+* Wed Jun 01 2016 Andreas Schneider - 4.2.10-6.2
+- related: #1333794 - Fix issues caused by security tightening for Badlock
+ o ntlm_auth issues and segfault
+ o rpcclient doesn't respect "client ipc *" options
+ o fix anonymous authentication if signing is mandatory
+
+* Fri May 06 2016 Alexander Bokovoy - 4.2.10-6.1
+- Fix issues caused by security tightening for Badlock:
+ - Only validate MIC when "map to guest" is set
+ - NetApp SMB servers don't negotiate NTLMSSP_SIGN
+ - Anonymous connections don't work anymore
+ - wbinfo -u or 'net ads search' don't work anymore
+ - Handle empty session in client code
+- resolves: #1333794
+
+* Tue Apr 12 2016 Alexander Bokovoy - 4.2.10-6
+- Fix domain member winbind not being able to talk to trusted domains' DCs
+- relates: #1322690
+
+* Mon Apr 11 2016 Alexander Bokovoy - 4.2.10-5
+- Fix crash in smb.conf processing
+- relates: #1322690
+
+* Fri Apr 08 2016 Alexander Bokovoy - 4.2.10-4
+- Fix LDAP SASL bind with arcfour-hmac-md5
+- resolves: #1322690
+
+* Thu Apr 07 2016 Alexander Bokovoy - 4.2.10-3
+- Make sure the package owns /var/lib/samba and uses it for cache purposes
+- resolves: #1322690
+
+* Wed Apr 06 2016 Alexander Bokovoy - 4.2.10-2
+- Remove ldb modules and internal libraries for DC when not packaging DC build
+- resolves: #1322690
+
+* Mon Apr 04 2016 Alexander Bokovoy - 4.2.10-1
+- resolves: #1322690
+
+* Fri Mar 04 2016 Andreas Schneider - 4.2.3-12
+- resolves: #1314672 - Fix CVE-2015-7560
+
+* Fri Dec 11 2015 Guenther Deschner - 4.2.3-11
+- resolves: #1290710
+- CVE-2015-3223 Remote DoS in Samba (AD) LDAP server
+- CVE-2015-5299 Missing access control check in shadow copy code
+- CVE-2015-5252 Insufficient symlink verification in smbd
+- CVE-2015-5296 Samba client requesting encryption vulnerable to
+ downgrade attack
 * Tue Oct 27 2015 Andreas Schneider - 4.2.3-10
 - related: #1273393 - Fix use after free with nss_wins module loaded