Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • lts-team/packages/samba
  • thctlo/samba-lintianfix
  • arnaudr/samba
  • jrwren/samba
  • paride/samba
  • athos/samba
  • henrich/samba
  • cnotin/samba
  • mimi89999/samba
  • samba-team/samba
  • ahasenack/samba
  • jrtc27/samba
  • noel/samba
13 results
Show changes
Commits on Source (69)
Showing
with 377 additions and 53 deletions
......@@ -146,8 +146,7 @@ include:
- ccache -z -M 500M
- ccache -s
# We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI
- git config --global --add safe.directory `pwd`
- git config --global --add safe.directory /builds/samba-team/devel/samba/.git
- git config --global --add safe.directory '*'
after_script:
- mount
- df -h
......
......@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=20
SAMBA_VERSION_RELEASE=2
SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
......
==============================
Release Notes for Samba 4.20.3
August 02, 2024
==============================
This is the latest stable release of the Samba 4.20 release series.
LDAP TLS/SASL channel binding support
-------------------------------------
The ldap server supports SASL binds with
kerberos or NTLMSSP over TLS connections
now (either ldaps or starttls).
Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before, can now most likely move to the
default of 'ldap server require strong auth = yes'.
If SASL binds without correct tls channel bindings are required
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning in every start of 'samba', as well as '[samba-tool ]testparm'.
This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.
All client tools using ldaps also include the correct
channel bindings now.
smb.conf changes
================
Parameter Name Description Default
-------------- ----------- -------
ldap server require strong auth new values
Changes since 4.20.2
--------------------
o Andreas Schneider <asn@samba.org>
* BUG 15683: Running samba-bgqd a a standalone systemd service does not work.
o Andrew Bartlett <abartlet@samba.org>
* BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
Windows computer when user account need to change their own password.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15671: Invalid client warning about command line passwords.
* BUG 15672: Version string is truncated in manpages.
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15674: cmdline_burn does not always burn secrets.
* BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in
AD_DS_Classes_Windows_Server_v1903.ldf.
o Jo Sutton <josutton@catalyst.net.nz>
* BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
Windows computer when user account need to change their own password.
o Pavel Filipenský <pfilipensky@samba.org>
* BUG 15660: The images don\'t build after the git security release and
CentOS 8 Stream is EOL.
o Ralph Boehme <slow@samba.org>
* BUG 15676: Fix clock skew error message and memory cache clock skew
recovery.
o Stefan Metzmacher <metze@samba.org>
* BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in
init_sec_context/repl_mutual.
* BUG 15621: s4:ldap_server: does not support tls channel bindings
for sasl binds.
o Xavi Hernandez <xhernandez@redhat.com>
* BUG 15678: CTDB socket output queues may suffer unbounded delays under some
special conditions.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
==============================
Release Notes for Samba 4.20.2
June 19, 2024
......@@ -79,8 +182,7 @@ database (https://bugzilla.samba.org/).
======================================================================
Release notes for older releases follow:
----------------------------------------
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.20.1
May 08, 2024
......@@ -404,6 +506,7 @@ smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
ldap server require strong auth new values (4.20.3)
acl claims evaluation new AD DC only
smb3 unix extensions Per share -
smb3 share cap:ASYMMETRIC new no
......
......@@ -854,3 +854,66 @@ _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_
return NULL;
}
static int gensec_channel_bindings_destructor(struct gensec_channel_bindings *cb)
{
data_blob_clear_free(&cb->initiator_address);
data_blob_clear_free(&cb->acceptor_address);
data_blob_clear_free(&cb->application_data);
*cb = (struct gensec_channel_bindings) { .initiator_addrtype = 0, };
return 0;
}
_PUBLIC_ NTSTATUS gensec_set_channel_bindings(struct gensec_security *gensec_security,
uint32_t initiator_addrtype,
const DATA_BLOB *initiator_address,
uint32_t acceptor_addrtype,
const DATA_BLOB *acceptor_address,
const DATA_BLOB *application_data)
{
struct gensec_channel_bindings *cb = NULL;
if (gensec_security->subcontext) {
return NT_STATUS_INTERNAL_ERROR;
}
if (gensec_security->channel_bindings != NULL) {
return NT_STATUS_ALREADY_REGISTERED;
}
cb = talloc_zero(gensec_security, struct gensec_channel_bindings);
if (cb == NULL) {
return NT_STATUS_NO_MEMORY;
}
talloc_set_destructor(cb, gensec_channel_bindings_destructor);
cb->initiator_addrtype = initiator_addrtype;
if (initiator_address != NULL) {
cb->initiator_address = data_blob_dup_talloc(cb,
*initiator_address);
if (cb->initiator_address.length != initiator_address->length) {
TALLOC_FREE(cb);
return NT_STATUS_NO_MEMORY;
}
}
cb->acceptor_addrtype = acceptor_addrtype;
if (acceptor_address != NULL) {
cb->acceptor_address = data_blob_dup_talloc(cb,
*acceptor_address);
if (cb->acceptor_address.length != acceptor_address->length) {
TALLOC_FREE(cb);
return NT_STATUS_NO_MEMORY;
}
}
if (application_data != NULL) {
cb->application_data = data_blob_dup_talloc(cb,
*application_data);
if (cb->application_data.length != application_data->length) {
TALLOC_FREE(cb);
return NT_STATUS_NO_MEMORY;
}
}
gensec_security->channel_bindings = cb;
return NT_STATUS_OK;
}
......@@ -70,6 +70,7 @@ struct gensec_target {
#define GENSEC_FEATURE_NO_AUTHZ_LOG 0x00000800
#define GENSEC_FEATURE_SMB_TRANSPORT 0x00001000
#define GENSEC_FEATURE_LDAPS_TRANSPORT 0x00002000
#define GENSEC_FEATURE_CB_OPTIONAL 0x00004000
#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
......@@ -313,6 +314,13 @@ bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism
NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal);
const char *gensec_get_target_principal(struct gensec_security *gensec_security);
NTSTATUS gensec_set_channel_bindings(struct gensec_security *gensec_security,
uint32_t initiator_addrtype,
const DATA_BLOB *initiator_address,
uint32_t acceptor_addrtype,
const DATA_BLOB *acceptor_address,
const DATA_BLOB *application_data);
NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
struct smb_krb5_context *smb_krb5_context,
......
......@@ -95,6 +95,23 @@ struct gensec_security_ops_wrapper {
const char *oid;
};
/*
* typedef struct gss_channel_bindings_struct {
* OM_uint32 initiator_addrtype;
* gss_buffer_desc initiator_address;
* OM_uint32 acceptor_addrtype;
* gss_buffer_desc acceptor_address;
* gss_buffer_desc application_data;
* } *gss_channel_bindings_t;
*/
struct gensec_channel_bindings {
uint32_t initiator_addrtype;
DATA_BLOB initiator_address;
uint32_t acceptor_addrtype;
DATA_BLOB acceptor_address;
DATA_BLOB application_data;
};
struct gensec_security {
const struct gensec_security_ops *ops;
void *private_data;
......@@ -106,6 +123,7 @@ struct gensec_security {
uint32_t max_update_size;
uint8_t dcerpc_auth_level;
struct tsocket_address *local_addr, *remote_addr;
struct gensec_channel_bindings *channel_bindings;
struct gensec_settings *settings;
/* When we are a server, this may be filled in to provide an
......
......@@ -732,6 +732,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
(*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
(*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
(*gensec_security)->channel_bindings = talloc_reference(*gensec_security, parent->channel_bindings);
talloc_set_destructor((*gensec_security), gensec_security_destructor);
return NT_STATUS_OK;
......
......@@ -599,6 +599,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
SingleHost->Value.AvSingleHost.remaining = data_blob_null;
}
if (!(gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL)
|| gensec_security->channel_bindings != NULL)
{
struct AV_PAIR *ChannelBindings = NULL;
......@@ -607,13 +609,12 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
count++;
*eol = *ChannelBindings;
/*
* gensec doesn't support channel bindings yet,
* but we want to match Windows on the wire
*/
ChannelBindings->AvId = MsvChannelBindings;
memset(ChannelBindings->Value.ChannelBindings, 0,
sizeof(ChannelBindings->Value.ChannelBindings));
nt_status = ntlmssp_hash_channel_bindings(gensec_security,
ChannelBindings->Value.ChannelBindings);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
}
service = gensec_get_target_service(gensec_security);
......
......@@ -56,6 +56,8 @@ void debug_ntlmssp_flags(uint32_t neg_flags);
NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
uint32_t neg_flags, const char *name);
const DATA_BLOB ntlmssp_version_blob(void);
NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
uint8_t cb_hash[16]);
/* The following definitions come from auth/ntlmssp_server.c */
......
......@@ -386,6 +386,9 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
DATA_BLOB version_blob = data_blob_null;
const unsigned int mic_len = NTLMSSP_MIC_SIZE;
DATA_BLOB mic_blob = data_blob_null;
const uint8_t zero_channel_bindings[16] = { 0, };
const uint8_t *client_channel_bindings = zero_channel_bindings;
uint8_t server_channel_bindings[16] = { 0, };
const char *parse_string;
bool ok;
struct timeval endtime;
......@@ -523,6 +526,7 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
uint32_t i = 0;
uint32_t count = 0;
const struct AV_PAIR *flags = NULL;
const struct AV_PAIR *cb = NULL;
const struct AV_PAIR *eol = NULL;
uint32_t av_flags = 0;
......@@ -598,6 +602,12 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
ntlmssp_state->new_spnego = true;
}
cb = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
MsvChannelBindings);
if (cb != NULL) {
client_channel_bindings = cb->Value.ChannelBindings;
}
count = ntlmssp_state->server.av_pair_list.count;
if (v2_resp.Challenge.AvPairs.count < count) {
return NT_STATUS_INVALID_PARAMETER;
......@@ -700,6 +710,43 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
}
}
if (gensec_security->channel_bindings != NULL) {
nt_status = ntlmssp_hash_channel_bindings(gensec_security,
server_channel_bindings);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
ok = mem_equal_const_time(client_channel_bindings,
server_channel_bindings,
16);
if (!ok && gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL) {
/*
* Unlike kerberos, explicit 16 zeros in
* MsvChannelBindings are not enough to
* pass the optional check.
*
* So we only let it through without explicit
* MsvChannelBindings.
*/
ok = (client_channel_bindings == zero_channel_bindings);
}
if (!ok) {
DBG_WARNING("Invalid channel bindings for "
"user=[%s] domain=[%s] workstation=[%s]\n",
ntlmssp_state->user,
ntlmssp_state->domain,
ntlmssp_state->client.netbios_name);
dump_data(DBGLVL_WARNING,
client_channel_bindings,
16);
dump_data(DBGLVL_WARNING,
server_channel_bindings,
16);
return NT_STATUS_BAD_BINDINGS;
}
}
nttime_to_timeval(&endtime, ntlmssp_state->server.challenge_endtime);
expired = timeval_expired(&endtime);
if (expired) {
......
......@@ -22,9 +22,15 @@
*/
#include "includes.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "../auth/ntlmssp/ntlmssp.h"
#include "../auth/ntlmssp/ntlmssp_private.h"
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
......@@ -218,3 +224,95 @@ const DATA_BLOB ntlmssp_version_blob(void)
return data_blob_const(version_buffer, ARRAY_SIZE(version_buffer));
}
NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
uint8_t cb_hash[16])
{
const struct gensec_channel_bindings *cb =
gensec_security->channel_bindings;
gnutls_hash_hd_t hash_hnd = NULL;
uint8_t uint32buf[4];
int rc;
if (cb == NULL) {
memset(cb_hash, 0, 16);
return NT_STATUS_OK;
}
GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
if (rc < 0) {
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
SIVAL(uint32buf, 0, cb->initiator_addrtype);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
SIVAL(uint32buf, 0, cb->initiator_address.length);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (cb->initiator_address.length > 0) {
rc = gnutls_hash(hash_hnd,
cb->initiator_address.data,
cb->initiator_address.length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
}
SIVAL(uint32buf, 0, cb->acceptor_addrtype);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
SIVAL(uint32buf, 0, cb->acceptor_address.length);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (cb->acceptor_address.length > 0) {
rc = gnutls_hash(hash_hnd,
cb->acceptor_address.data,
cb->acceptor_address.length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
}
SIVAL(uint32buf, 0, cb->application_data.length);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (cb->application_data.length > 0) {
rc = gnutls_hash(hash_hnd,
cb->application_data.data,
cb->application_data.length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
}
gnutls_hash_deinit(hash_hnd, cb_hash);
GNUTLS_FIPS140_SET_STRICT_MODE();
return NT_STATUS_OK;
}
......@@ -286,7 +286,7 @@ def abi_build_vscript(task):
f.close()
def VSCRIPT_MAP_PRIVATE(bld, libname, orig_vscript, version, private_vscript):
version = version.replace("-", "_").replace("+","_").upper()
version = re.sub(r'\W', '_', version).upper()
t = bld.SAMBA_GENERATOR(private_vscript,
rule=abi_build_vscript,
source=orig_vscript,
......@@ -314,8 +314,8 @@ def ABI_VSCRIPT(bld, libname, abi_directory, version, vscript, abi_match=None, p
libname = os.path.basename(libname)
version = os.path.basename(version)
libname = libname.replace("-", "_").replace("+","_").upper()
version = version.replace("-", "_").replace("+","_").upper()
libname = re.sub(r'\W', '_', libname).upper()
version = re.sub(r'\W', '_', version).upper()
t = bld.SAMBA_GENERATOR(vscript,
rule=abi_build_vscript,
......
......@@ -272,7 +272,7 @@ static void queue_dead(struct tevent_context *ev, struct tevent_immediate *im,
/*
called when an incoming connection is writeable
*/
static void queue_io_write(struct ctdb_queue *queue)
static bool queue_io_write(struct ctdb_queue *queue)
{
while (queue->out_queue) {
struct ctdb_queue_pkt *pkt = queue->out_queue;
......@@ -294,14 +294,14 @@ static void queue_io_write(struct ctdb_queue *queue)
queue->fd = -1;
tevent_schedule_immediate(queue->im, queue->ctdb->ev,
queue_dead, queue);
return;
return false;
}
if (n <= 0) return;
if (n <= 0) return true;
if (n != pkt->length) {
pkt->length -= n;
pkt->data += n;
return;
return true;
}
DLIST_REMOVE(queue->out_queue, pkt);
......@@ -310,6 +310,8 @@ static void queue_io_write(struct ctdb_queue *queue)
}
TEVENT_FD_NOT_WRITEABLE(queue->fde);
return true;
}
/*
......@@ -320,10 +322,13 @@ static void queue_io_handler(struct tevent_context *ev, struct tevent_fd *fde,
{
struct ctdb_queue *queue = talloc_get_type(private_data, struct ctdb_queue);
if (flags & TEVENT_FD_WRITE) {
if (!queue_io_write(queue)) {
return;
}
}
if (flags & TEVENT_FD_READ) {
queue_io_read(queue);
} else {
queue_io_write(queue);
}
}
......
samba (3:4.20.2+dfsg-12) unstable; urgency=medium
samba (2:4.20.3+dfsg-1) unstable; urgency=medium
* bump the epoch to work around mistakenly uploaded 4.21.0-rc1
to unstable instead of experimental and a mess resulting from that.
Use the same epoch number for libldb.
Closes: #1077749
* update to the new upstream stable/bugfix release (4.20.3).
See WHATSNEW.txt for details.
* tilde-in-version.diff: remove, an equivalent is applied upstream
* d/rules: s/vendor-name/vendor-suffix/ as per new upstream option
* d/samba-ad-dc.lintian-overrides: add systemd-diversion override too
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 02 Aug 2024 12:13:59 +0300
-- Michael Tokarev <mjt@tls.msk.ru> Fri, 02 Aug 2024 18:33:51 +0300
samba (2:4.20.2+dfsg-11) unstable; urgency=medium
......
......@@ -81,6 +81,7 @@ libldb.so.2 #PACKAGE# #MINVER#
LDB_2.8.0@LDB_2.8.0 2:2.8.0
LDB_2.9.0@LDB_2.9.0 2:2.9.0
LDB_2.9.1@LDB_2.9.1 2:2.9.1
LDB_2_9_1@LDB_2_9_1 2:2.9.1
ldb_check_critical_controls@LDB_0.9.22 0.9.22
ldb_controls_except_specified@LDB_0.9.22 0.9.22
ldb_control_to_string@LDB_1.0.2 1.0.2~git20110403
......
......@@ -14,6 +14,7 @@ libsmbclient.so.0 #PACKAGE# #MINVER#
SMBCLIENT_0.6.0@SMBCLIENT_0.6.0 2:4.12.0+dfsg
SMBCLIENT_0.7.0@SMBCLIENT_0.7.0 2:4.16.0+dfsg
SMBCLIENT_0.8.0@SMBCLIENT_0.8.0 2:4.20.0~rc1
SMBCLIENT_0_8_0@SMBCLIENT_0_8_0 2:4.20.3
smbc_chmod@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
smbc_close@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
smbc_closedir@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
......
......@@ -8,6 +8,7 @@ libwbclient.so.0 #PACKAGE# #MINVER#
WBCLIENT_0.14@WBCLIENT_0.14 2:4.7.0+dfsg
WBCLIENT_0.15@WBCLIENT_0.15 2:4.10.0+dfsg
WBCLIENT_0.16@WBCLIENT_0.16 2:4.18.0~rc1+dfsg
WBCLIENT_0_16@WBCLIENT_0_16 2:4.20.3
wbcAddNamedBlob@WBCLIENT_0.9 2:4.0.3+dfsg1
wbcAllocateGid@WBCLIENT_0.9 2:4.0.3+dfsg1
wbcAllocateMemory@WBCLIENT_0.9 2:4.0.3+dfsg1
......
......@@ -25,4 +25,3 @@ silence-can-not-convert-group-sid.diff
edns0.patch
passchange-error-message.patch
lower-dns-lookup-mismatch-messages.patch
tilde-in-version.diff
From: Michael Tokarev <mjt@tls.msk.ru>
Subject: handle tilde in version string
Date: Thu, 20 Jun 2024 09:47:47 +0300
Forwarded: yes
wafsamba dislikes when version string contains "special" chars.
For some of them, upstream already has code to deal with.
Add handling of tilde (~) to the same places too.
diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py
index 2d9505d255c..cf7153f25f0 100644
--- a/buildtools/wafsamba/samba_abi.py
+++ b/buildtools/wafsamba/samba_abi.py
@@ -288,3 +288,3 @@ def abi_build_vscript(task):
def VSCRIPT_MAP_PRIVATE(bld, libname, orig_vscript, version, private_vscript):
- version = version.replace("-", "_").replace("+","_").upper()
+ version = version.replace("-", "_").replace("+","_").replace("~","_").upper()
t = bld.SAMBA_GENERATOR(private_vscript,
@@ -317,3 +317,3 @@ def ABI_VSCRIPT(bld, libname, abi_directory, version, vscript, abi_match=None, p
libname = libname.replace("-", "_").replace("+","_").upper()
- version = version.replace("-", "_").replace("+","_").upper()
+ version = version.replace("-", "_").replace("+","_").replace("~","_").upper()
......@@ -55,10 +55,9 @@ DESTDIR = ${CURDIR}/debian/tmp
# used to be dpkg_late_eval
late-eval = $(or $(value cache-$1),$(eval cache-$1 := $(shell $2))$(value cache-$1))
DEB_VERSION_EPOCH = $(firstword $(subst :, ,${DEB_VERSION})):
LDB_VERSION = $(call late-eval,LDB_VERSION,grep ^VERSION lib/ldb/wscript | cut -d\' -f2)
LDB_DEB_VERSION = ${DEB_VERSION_EPOCH}${LDB_VERSION}+samba${DEB_VERSION_UPSTREAM_REVISION}
LDB_DEB_VERSION = 2:${LDB_VERSION}+samba${DEB_VERSION_UPSTREAM_REVISION}
LDB_PACKAGES = libldb2 libldb-dev ldb-tools python3-ldb
before-trixie := $(filter pkg.samba.before-trixie, ${DEB_BUILD_PROFILES})
......@@ -66,7 +65,7 @@ before-trixie := $(filter pkg.samba.before-trixie, ${DEB_BUILD_PROFILES})
omit-pkgs =
config-args = \
--vendor-name=${DEB_VENDOR}-${DEB_VERSION_UPSTREAM_REVISION} \
--vendor-suffix=${DEB_VENDOR}-${DEB_VERSION_UPSTREAM_REVISION} \
--prefix=/usr \
--enable-fhs \
--sysconfdir=/etc \
......