diff --git a/net/samba416/Makefile b/net/samba416/Makefile
index a65c319d59fd..ee739448679f 100644
--- a/net/samba416/Makefile
+++ b/net/samba416/Makefile
@@ -1,701 +1,701 @@ PORTNAME= ${SAMBA4_BASENAME}416 PORTVERSION= ${SAMBA4_VERSION} PORTREVISION= 0 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} MAINTAINER= timur@FreeBSD.org COMMENT= Free SMB/CIFS and AD/DC server and client for Unix WWW= https://gitlab.com/samba-freebsd/ LICENSE= GPLv3+ LICENSE_FILE= ${WRKSRC}/COPYING USES= cpe CONFLICTS_INSTALL?= samba4* EXTRA_PATCHES= \ ${PATCHDIR}/0001-Compact-and-simplify-modules-build-and-config-genera.patch:-p1 \ ${PATCHDIR}/0002-Adjust-abi_gen.sh-script-to-run-under-FreeBSD-with-i.patch:-p1 \ ${PATCHDIR}/0003-Mask-CLang-prototype-warnings-in-kadm5-admin.h.patch:-p1 \ ${PATCHDIR}/0004-On-FreeBSD-date-1-has-different-semantics-than-on-Li.patch:-p1 \ ${PATCHDIR}/0005-Include-jemalloc-jemalloc.h-if-ENABLE_JEMALLOC-is-se.patch:-p1 \ ${PATCHDIR}/0006-Install-nss_-modules-into-PAMMODULESDIR-path.patch:-p1 \ ${PATCHDIR}/0007-Use-macro-value-as-a-default-backlog-size-for-the-li.patch:-p1 \ ${PATCHDIR}/0008-Brute-force-work-around-usage-of-Linux-specific-m-fl.patch:-p1 \ ${PATCHDIR}/0009-Make-sure-that-config-checks-fail-if-the-warning-is-.patch:-p1 \ ${PATCHDIR}/0010-Add-option-with-pkgconfigdir-to-specify-alternative-.patch:-p1 \ ${PATCHDIR}/0011-Use-provided-by-port-location-of-the-XML-catalog.patch:-p1 \ ${PATCHDIR}/0012-Create-shared-libraries-according-to-the-FreeBSD-spe.patch:-p1 \ ${PATCHDIR}/0013-Pass-additional-msg-parameter-to-CHECK_LIB-so-it-can.patch:-p1 \ ${PATCHDIR}/0014-Add-option-to-disable-CTDB-tests-failing-on-FreeBSD-.patch:-p1 \ ${PATCHDIR}/0015-Add-extra-debug-class-to-trck-down-DB-locking-code.patch:-p1 \ ${PATCHDIR}/0016-Make-ldb_schema_attribute_compare-a-stable-comparisi.patch:-p1 \ ${PATCHDIR}/0017-Use-arc4random-when-available-to-generate-random-tal.patch:-p1 \ ${PATCHDIR}/0018-Add-configuration-option-that-allows-to-choose-alter.patch:-p1 \ ${PATCHDIR}/0019-From-923bc7a1afeb0b920e60e14846987ae1d2d7dca4-Mon-Se.patch:-p1 \ 
${PATCHDIR}/0020-FreeBSD-12-between-r336017-and-r342928-wrongfuly-ret.patch:-p1 \ ${PATCHDIR}/0021-Fix-casting-warnings-in-the-nfs_quota-debug-message.patch:-p1 \ ${PATCHDIR}/0022-Clean-up-UTMP-handling-code-and-add-FreeBSD-support..patch:-p1 \ ${PATCHDIR}/0023-Add-cmd_get_quota-test-function-into-vfstest-to-test.patch:-p1 \ ${PATCHDIR}/0024-Cherry-pick-ZFS-provisioning-code-by-iXsystems-Inc.patch:-p1 \ ${PATCHDIR}/0025-From-d9b748869a8f4018ebee302aae8246bf29f60309-Mon-Se.patch:-p1 \ ${PATCHDIR}/0026-vfs-add-a-compatibility-option-to-the-vfs_streams_xa.patch:-p1 \ ${PATCHDIR}/0027-Add-VFS-module-vfs_freebsd-that-implements-FreeBSD-s.patch:-p1 \ ${PATCHDIR}/0028-s3-lib-system-add-FreeBSD-proc_fd_pattern.patch:-p1 \ ${PATCHDIR}/0099-s3-modules-zfsacl-fix-get-set-ACL-on-FreeBSD-13.patch:-p1 \ ${PATCHDIR}/0099-s4-mitkdc-Add-support-for-MIT-Kerberos-1.20.patch:-p1 SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 -SAMBA4_VERSION= 4.16.7 +SAMBA4_VERSION= 4.16.8 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} PLIST?= ${PKGDIR}/pkg-plist CPE_VENDOR= samba CPE_PRODUCT= samba # Directories VARDIR= ${DESTDIR}/var SAMBA4_RUNDIR= ${VARDIR}/run/${SAMBA4_PORTNAME} SAMBA4_LOGDIR= ${VARDIR}/log/${SAMBA4_PORTNAME} SAMBA4_LOCKDIR= ${VARDIR}/db/${SAMBA4_PORTNAME} SAMBA4_BINDDNSDIR= ${SAMBA4_LOCKDIR}/bind-dns SAMBA4_PRIVATEDIR= ${SAMBA4_LOCKDIR}/private SAMBA4_PAMDIR= ${PREFIX}/lib SAMBA4_LIBDIR= ${PREFIX}/lib/${SAMBA4_PORTNAME} SAMBA4_INCLUDEDIR= ${PREFIX}/include/${SAMBA4_PORTNAME} SAMBA4_CONFDIR= ${PREFIX}/etc SAMBA4_CONFIG= smb4.conf SAMBA4_MODULES_CLASS= auth bind9 gensec gpext idmap ldb nss_info \ pdb perfcount process_model service vfs CONFIGURE_ARGS= --mandir="${MANPREFIX}/man" \ --sysconfdir="${SAMBA4_CONFDIR}" \ --includedir="${SAMBA4_INCLUDEDIR}" \ --datadir="${DATADIR}" \ --libdir="${SAMBA4_LIBDIR}" \ --with-privatelibdir="${SAMBA4_LIBDIR}/private" \ 
--with-pammodulesdir="${SAMBA4_PAMDIR}" \ --with-modulesdir="${SAMBA4_MODULEDIR}" \ --with-pkgconfigdir="${PKGCONFIGDIR}" \ --localstatedir="${VARDIR}" \ --with-piddir="${SAMBA4_RUNDIR}" \ --with-sockets-dir="${SAMBA4_RUNDIR}" \ --with-privileged-socket-dir="${SAMBA4_RUNDIR}" \ --with-lockdir="${SAMBA4_LOCKDIR}" \ --with-statedir="${SAMBA4_LOCKDIR}" \ --with-cachedir="${SAMBA4_LOCKDIR}" \ --with-bind-dns-dir=${SAMBA4_BINDDNSDIR} \ --with-privatedir="${SAMBA4_PRIVATEDIR}" \ --with-logfilebase="${SAMBA4_LOGDIR}" # XXX: Flags CONFIGURE_ENV= PTHREAD_LDFLAGS="-lpthread" MAKE_ENV= PYTHONHASHSEED=1 USES= compiler:c++11-lang iconv localbase:ldflags \ perl5 pkgconfig shebangfix waf gettext-runtime USE_PERL5= build USE_LDCONFIG= ${SAMBA4_LIBDIR} WAF_CMD= buildtools/bin/waf CONFIGURE_LOG= bin/config.log PKGCONFIGDIR?= ${PREFIX}/libdata/pkgconfig PKGCONFIGDIR_REL?= ${PKGCONFIGDIR:S,^${PREFIX}/,,} PLIST_SUB= PKGCONFIGDIR=${PKGCONFIGDIR_REL} SUB_LIST= PKGCONFIGDIR=${PKGCONFIGDIR_REL} ############################################################################## OPTIONS_SUB= yes OPTIONS_DEFINE= AD_DC ADS CLUSTER CUPS DOCS FAM GPGME \ LDAP MANDOC PROFILE PYTHON3 QUOTAS \ SPOTLIGHT SYSLOG UTMP #OPTIONS_DEFINE+= DEVELOPER MEMORY_DEBUG OPTIONS_GROUP= VFS OPTIONS_GROUP_VFS= FRUIT GLUSTERFS OPTIONS_SINGLE= GSSAPI ZEROCONF OPTIONS_SINGLE_GSSAPI= GSSAPI_BUILTIN GSSAPI_MIT #GSSAPI_HEIMDAL OPTIONS_SINGLE_ZEROCONF= ZEROCONF_NONE AVAHI MDNSRESPONDER # Make those default options OPTIONS_DEFAULT= AD_DC ADS DOCS FAM LDAP \ PROFILE PYTHON3 QUOTAS SYSLOG UTMP \ FRUIT GSSAPI_BUILTIN AVAHI ############################################################################## ADS_DESC= Active Directory client(implies LDAP) AD_DC_DESC= Active Directory Domain Controller(implies PYTHON3) CLUSTER_DESC= Clustering support DEVELOPER_DESC= With developer framework FAM_DESC= File Alteration Monitor GPGME_DESC= GpgME support LDAP_DESC= LDAP client LIBZFS_DESC= LibZFS SPOTLIGHT_DESC= Spotlight server-side search 
support MANDOC_DESC= Build manpages from DOCBOOK templates MEMORY_DEBUG_DESC= Debug memory allocator PICKY_DEVELOPER_DESC= Treat compiler warnings as errors(implies DEVELOPER) PROFILE_DESC= Profiling data QUOTAS_DESC= Disk quota support UTMP_DESC= UTMP accounting VFS_DESC= VFS modules FRUIT_DESC= MacOSX and TimeMachine support GLUSTERFS_DESC= GlusterFS support GSSAPI_BUILTIN_DESC= GSSAPI support via bundled Heimdal ZEROCONF_DESC= Zero configuration networking ZEROCONF_NONE_DESC= Zeroconf support is absent ############################################################################## # XXX: Unconditional dependencies which can't be switched off(if present in # the system) # Iconv(picked up unconditionaly) LIB_DEPENDS= libiconv.so:converters/libiconv # unwind LIB_DEPENDS+= libunwind.so:devel/libunwind # Readline(sponsored by Python) # XXX: USES=readline pollutes CPPFLAGS, so we explicitly put dependency LIB_DEPENDS+= libreadline.so:devel/readline # popt LIB_DEPENDS+= libpopt.so:devel/popt # inotify LIB_DEPENDS+= libinotify.so:devel/libinotify # GNUTLS LIB_DEPENDS+= libgnutls.so:security/gnutls LIB_DEPENDS+= libgcrypt.so:security/libgcrypt # NFSv4 ACL glue LIB_DEPENDS+= libsunacl.so:sysutils/libsunacl # Jansson BUILD_DEPENDS+= jansson>=2.10:devel/jansson RUN_DEPENDS+= jansson>=2.10:devel/jansson # tasn1 BUILD_DEPENDS+= libtasn1>=3.8:security/libtasn1 RUN_DEPENDS+= libtasn1>=3.8:security/libtasn1 # External Samba dependencies # Needed for IDL compiler BUILD_DEPENDS+= p5-Parse-Yapp>=0:devel/p5-Parse-Yapp # Libarchive SAMBA4_BUNDLED_LIBS= !libarchive BUILD_DEPENDS+= libarchive>=3.1.2:archivers/libarchive RUN_DEPENDS+= libarchive>=3.1.2:archivers/libarchive ### Bundled libraries SAMBA4_BUNDLED_CMOCKA?= no SAMBA4_BUNDLED_TALLOC?= no SAMBA4_BUNDLED_TEVENT?= no SAMBA4_BUNDLED_TDB?= no SAMBA4_BUNDLED_LDB?= yes # cmocka .if defined(SAMBA4_BUNDLED_CMOCKA) && ${SAMBA4_BUNDLED_CMOCKA} == yes SAMBA4_BUNDLED_LIBS+= cmocka CONFLICTS_INSTALL+= cmocka-1.* PLIST_SUB+= 
SAMBA4_BUNDLED_CMOCKA="" SUB_LIST+= SAMBA4_BUNDLED_CMOCKA="" .else SAMBA4_BUNDLED_LIBS+= !cmocka BUILD_DEPENDS+= cmocka>=1.1.3:sysutils/cmocka TEST_DEPENDS+= cmocka>=1.1.3:sysutils/cmocka PLIST_SUB+= SAMBA4_BUNDLED_CMOCKA="@comment " SUB_LIST+= SAMBA4_BUNDLED_CMOCKA="@comment " .endif # talloc .if defined(SAMBA4_BUNDLED_TALLOC) && ${SAMBA4_BUNDLED_TALLOC} == yes SAMBA4_BUNDLED_LIBS+= talloc CONFLICTS_INSTALL+= talloc-* talloc1-* PLIST_SUB+= SAMBA4_BUNDLED_TALLOC="" SUB_LIST+= SAMBA4_BUNDLED_TALLOC="" .else SAMBA4_BUNDLED_LIBS+= !talloc BUILD_DEPENDS+= talloc>=2.3.3:devel/talloc RUN_DEPENDS+= talloc>=2.3.3:devel/talloc PLIST_SUB+= SAMBA4_BUNDLED_TALLOC="@comment " SUB_LIST+= SAMBA4_BUNDLED_TALLOC="@comment " .endif # tevent .if defined(SAMBA4_BUNDLED_TEVENT) && ${SAMBA4_BUNDLED_TEVENT} == yes SAMBA4_BUNDLED_LIBS+= tevent CONFLICTS_INSTALL+= tevent-* tevent1-* PLIST_SUB+= SAMBA4_BUNDLED_TEVENT="" SUB_LIST+= SAMBA4_BUNDLED_TEVENT="" .else SAMBA4_BUNDLED_LIBS+= !tevent BUILD_DEPENDS+= tevent>=0.11.0:devel/tevent RUN_DEPENDS+= tevent>=0.11.0:devel/tevent PLIST_SUB+= SAMBA4_BUNDLED_TEVENT="@comment " SUB_LIST+= SAMBA4_BUNDLED_TEVENT="@comment " .endif # tdb .if defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes SAMBA4_BUNDLED_LIBS+= tdb CONFLICTS_INSTALL+= tdb-* tdb1-* PLIST_SUB+= SAMBA4_BUNDLED_TDB="" SUB_LIST+= SAMBA4_BUNDLED_TDB="" .else SAMBA4_BUNDLED_LIBS+= !tdb BUILD_DEPENDS+= tdb>=1.4.6:databases/tdb RUN_DEPENDS+= tdb>=1.4.6:databases/tdb PLIST_SUB+= SAMBA4_BUNDLED_TDB="@comment " SUB_LIST+= SAMBA4_BUNDLED_TDB="@comment " .endif # ldb .if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes SAMBA4_BUNDLED_LDB= yes SAMBA4_BUNDLED_LIBS+= ldb PLIST_SUB+= SAMBA4_BUNDLED_LDB="" SUB_LIST+= SAMBA4_BUNDLED_LDB="" SAMBA4_MODULEDIR= ${SAMBA4_LIBDIR}/modules .else SAMBA4_BUNDLED_LIBS+= !ldb BUILD_DEPENDS+= ldb25>=2.5.2:databases/ldb25 RUN_DEPENDS+= ldb25>=2.5.2:databases/ldb25 PLIST_SUB+= SAMBA4_BUNDLED_LDB="@comment " SUB_LIST+= SAMBA4_BUNDLED_LDB="@comment 
" SAMBA4_MODULEDIR= ${PREFIX}/lib/shared-modules .endif .if (defined(SAMBA4_BUNDLED_TALLOC) && ${SAMBA4_BUNDLED_TALLOC} == yes) \ || (defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes) \ || (defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes) \ || (defined(SAMBA4_BUNDLED_TEVENT) && ${SAMBA4_BUNDLED_TEVENT} == yes) SAMBA4_BUNDLED_LIBS+= replace .endif # Don't use external libcom_err SAMBA4_BUNDLED_LIBS+= com_err # Set the test environment variables TEST_USES= python TEST_ENV= PYTHON="${PYTHON_CMD}" \ SHA1SUM=/sbin/sha1 \ SHA256SUM=/sbin/sha256 \ MD5SUM=/sbin/md5 \ PYTHONDONTWRITEBYTECODE=1 TEST_DEPENDS= bash:shells/bash \ tshark:net/tshark # External Python modules TEST_BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}iso8601>=0.1.11:devel/py-iso8601@${PY_FLAVOR} TEST_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}iso8601>=0.1.11:devel/py-iso8601@${PY_FLAVOR} ############################################################################## CONFIGURE_ARGS+= \ --with-pam \ --with-iconv \ --with-winbind \ --with-regedit \ --disable-rpath \ --without-lttng \ --without-gettext \ --enable-pthreadpool \ --without-fake-kaserver \ --without-systemd \ --with-libarchive \ --with-acl-support \ --with-sendfile-support \ --disable-ctdb-tests # ${ICONV_CONFIGURE_BASE} ############################################################################## FRUIT_PREVENTS= ZEROCONF_NONE FRUIT_PREVENTS_MSG= MacOSX support requires Zeroconf(AVAHI or MDNSRESPONDER) FRUIT_VARS= SAMBA4_MODULES+=vfs_fruit FRUIT_PLIST_FILES= man/man8/vfs_fruit.8.gz GLUSTERFS_CONFIGURE_ENABLE= glusterfs GLUSTERFS_LIB_DEPENDS= libglusterfs.so:net/glusterfs GLUSTERFS_VARS= SAMBA4_MODULES+=vfs_glusterfs GLUSTERFS_PLIST_FILES= man/man8/vfs_glusterfs.8.gz ZEROCONF_NONE_MAKE_ENV= ZEROCONF=none ############################################################################## AVAHI_CONFIGURE_ENABLE= avahi AVAHI_LIB_DEPENDS= libavahi-client.so:net/avahi-app AVAHI_VARS= SAMBA4_SERVICES+=avahi_daemon MDNSRESPONDER_CONFIGURE_ENABLE= 
dnssd MDNSRESPONDER_LIB_DEPENDS= libdns_sd.so:net/mDNSResponder MDNSRESPONDER_VARS= SAMBA4_SERVICES+=mdnsd ############################################################################## MEMORY_DEBUG_IMPLIES= DEBUG MEMORY_DEBUG_CONFIGURE_ENV= ADDITIONAL_CFLAGS="-DENABLE_JEMALLOC `pkg-config --cflags jemalloc`" ADDITIONAL_LDFLAGS="`pkg-config --libs jemalloc`" MEMORY_DEBUG_LIB_DEPENDS= libjemalloc.so.2:devel/jemalloc # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194046 GDB_CMD?= ${LOCALBASE}/bin/gdb # https://bugzilla.samba.org/show_bug.cgi?id=8969 PICKY_DEVELOPER_IMPLIES= DEVELOPER PICKY_DEVELOPER_CONFIGURE_ON= --picky-developer DEVELOPER_CONFIGURE_ON= --enable-developer --enable-selftest --abi-check-disable DEVELOPER_CONFIGURE_ENV= WAF_CMD_FORMAT=string DEVELOPER_BUILD_DEPENDS= ${SAMBA4_LMDB_DEPENDS} \ ${GDB_CMD}:devel/gdb DEVELOPER_RUN_DEPENDS= ${SAMBA4_LMDB_DEPENDS} DEVELOPER_TEST_DEPENDS= ${GDB_CMD}:devel/gdb DEVELOPER_VARS_OFF= GDB_CMD=true ############################################################################## AD_DC_IMPLIES= PYTHON3 AD_DC_CONFIGURE_OFF= --without-ad-dc AD_DC_BUILD_DEPENDS= ${SAMBA4_LMDB_DEPENDS} AD_DC_RUN_DEPENDS= ${SAMBA4_LMDB_DEPENDS} AD_DC_VARS= PLIST+=${PKGDIR}/pkg-plist.ad_dc # samba-tool requires those for *upgrade AD_DC_BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}markdown>=3.3.7:textproc/py-markdown@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}dnspython>=2.2.1:dns/py-dnspython@${PY_FLAVOR} AD_DC_RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}markdown>=3.3.7:textproc/py-markdown@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}dnspython>=2.2.1:dns/py-dnspython@${PY_FLAVOR} ADS_IMPLIES= LDAP ADS_CONFIGURE_WITH= ads CLUSTER_CONFIGURE_WITH= cluster-support CLUSTER_VARS= PLIST+=${PKGDIR}/pkg-plist.cluster CUPS_CONFIGURE_ENABLE= cups iprint CUPS_LIB_DEPENDS= libcups.so:print/cups # https://bugzilla.samba.org/show_bug.cgi?id=9545 FAM_USES= fam FAM_CONFIGURE_WITH= fam GPGME_CONFIGURE_WITH= gpgme GPGME_LIB_DEPENDS= libgpgme.so:security/gpgme GPGME_RUN_DEPENDS= 
${PYTHON_PKGNAMEPREFIX}gpgme>=1.14.0:security/py-gpgme@${PY_FLAVOR} GSSAPI_BUILTIN_USES= bison GSSAPI_BUILTIN_BUILD_DEPENDS= p5-JSON>=4.0:converters/p5-JSON GSSAPI_MIT_CONFIGURE_ON= --with-system-mitkrb5 ${GSSAPIBASEDIR} \ --with-system-mitkdc=${GSSAPIBASEDIR}/sbin/krb5kdc \ --with-experimental-mit-ad-dc GSSAPI_MIT_USES= gssapi:mit GSSAPI_HEIMDAL_CONFIGURE_ON= --with-system-heimdalkrb5 ${GSSAPIBASEDIR} GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_HEIMDAL_PREVENTS= AD_DC GSSAPI_HEIMDAL_PREVENTS_MSG= GSSAPI_HEIMDAL and AD_DC enable conflicting options LDAP_CONFIGURE_WITH= ldap LDAP_CONFIGURE_ON= --with-openldap=${LOCALBASE} LDAP_USE= OPENLDAP=yes LDAP_VARS= SAMBA4_MODULES+=idmap_ldap LIBZFS_CONFIGURE_WITH= libzfs LIBZFS_VARS= SAMBA4_MODULES+=vfs_zfs_space MANDOC_BUILD_DEPENDS= ${LOCALBASE}/share/xsl/docbook/manpages/docbook.xsl:textproc/docbook-xsl \ xsltproc:textproc/libxslt MANDOC_CONFIGURE_ENV_OFF= XSLTPROC="true" PROFILE_CONFIGURE_WITH= profiling-data QUOTAS_CONFIGURE_WITH= quotas SPOTLIGHT_CONFIGURE_ENABLE= spotlight SPOTLIGHT_BUILD_DEPENDS= tracker>=1.4.1:sysutils/tracker SPOTLIGHT_RUN_DEPENDS= tracker>=1.4.1:sysutils/tracker # ICU SPOTLIGHT_LIB_DEPENDS= libicuuc.so:devel/icu SPOTLIGHT_USES= bison gnome SPOTLIGHT_USE= gnome=glib20 SYSLOG_CONFIGURE_WITH= syslog UTMP_CONFIGURE_WITH= utmp ############################################################################## .include ############################################################################## .if ${OPSYS} == FreeBSD && ${OSVERSION} < 1300076 IGNORE=runs only on FreeBSD 13.1 and above due use of O_EMPTY_PATH .endif .if !defined(WANT_EXP_MODULES) || empty(WANT_EXP_MODULES) WANT_EXP_MODULES= vfs_cacheprime .endif .if ${WANT_EXP_MODULES:Mvfs_snapper} # snapper needs dbus LIB_DEPENDS+= libdbus-1.so:devel/dbus LIB_DEPENDS+= libdbus-glib-1.so:devel/dbus-glib .endif SAMBA4_MODULES+= krb5_async_dns_krb5_locator krb5_winbind_krb5_locator idmap_nss idmap_autorid \ idmap_rid idmap_hash idmap_tdb idmap_tdb2 
idmap_script \ nss-info_hash # List of extra modules taken from RHEL build # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197320 .if ${PORT_OPTIONS:MADS} SAMBA4_MODULES+= idmap_ad idmap_rfc2307 nss-info_template \ nss-info_rfc2307 nss-info_sfu nss-info_sfu20 .endif # This kind of special for this distribution SAMBA4_MODULES+= vfs_freebsd SAMBA4_MODULES+= vfs_acl_tdb vfs_acl_xattr vfs_aio_fork vfs_aio_pthread \ vfs_audit vfs_cap vfs_catia vfs_commit vfs_crossrename \ vfs_default_quota vfs_dirsort vfs_expand_msdfs \ vfs_extd_audit vfs_fake_perms vfs_full_audit \ vfs_linux_xfs_sgid vfs_media_harmony vfs_offline \ vfs_preopen vfs_readahead vfs_readonly vfs_recycle \ vfs_shadow_copy vfs_shadow_copy2 vfs_shell_snap \ vfs_streams_depot vfs_streams_xattr vfs_syncops \ vfs_time_audit vfs_unityed_media vfs_virusfilter \ vfs_widelinks vfs_worm vfs_xattr_tdb vfs_zfsacl .if ${PORT_OPTIONS:MDEVELOPER} SAMBA4_MODULES+= auth_skel pdb_test gpext_security gpext_registry \ gpext_scripts perfcount_test vfs_fake_dfq \ vfs_skel_opaque vfs_skel_transparent \ vfs_shadow_copy_test vfs_fake_acls \ vfs_nfs4acl_xattr vfs_error_inject vfs_delay_inject .endif # Python bindings .if ! ${PORT_OPTIONS:MPYTHON3} || defined(NO_PYTHON) USES+= python:build,test CONFIGURE_ARGS+= --disable-python .else USES+= python:3.6+ PLIST+= ${PKGDIR}/pkg-plist.python # Don't cache Python modules CONFIGURE_ARGS+= --nopycache MAKE_ENV+= PYTHONDONTWRITEBYTECODE=1 . if defined(SAMBA4_BUNDLED_TALLOC) && ${SAMBA4_BUNDLED_TALLOC} == yes SAMBA4_BUNDLED_LIBS+= pytalloc-util . else SAMBA4_BUNDLED_LIBS+= !pytalloc-util . endif . if defined(SAMBA4_BUNDLED_TEVENT) && ${SAMBA4_BUNDLED_TEVENT} == yes SAMBA4_BUNDLED_LIBS+= pytevent . else SAMBA4_BUNDLED_LIBS+= !pytevent . endif . if defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes SAMBA4_BUNDLED_LIBS+= pytdb . else SAMBA4_BUNDLED_LIBS+= !pytdb . endif . if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes SAMBA4_BUNDLED_LIBS+= pyldb pyldb-util . 
else SAMBA4_BUNDLED_LIBS+= !pyldb !pyldb-util . endif .endif .if defined(WANT_EXP_MODULES) && !empty(WANT_EXP_MODULES) SAMBA4_MODULES+= ${WANT_EXP_MODULES} .endif .if defined(SAMBA4_BUNDLED_LIBS) && !empty(SAMBA4_BUNDLED_LIBS) CONFIGURE_ARGS+= --bundled-libraries="${SAMBA4_BUNDLED_LIBS:Q:C|(\\\\ )+|,|g:S|\\||g}" .endif .if defined(SAMBA4_MODULES) && !empty(SAMBA4_MODULES) CONFIGURE_ARGS+= --with-shared-modules="${SAMBA4_MODULES:C|-|_|:Q:C|(\\\\ )+|,|g:S|\\||g}" .endif # XXX: Hack for nss-info_* -> nss_info/* modules # Add selected modules to the plist .for module in ${SAMBA4_MODULES} PLIST_FILES+= ${SAMBA4_MODULEDIR}/${module:C|_|/|:C|-|_|}.so .endfor .for module_class in ${SAMBA4_MODULES_CLASS} PLIST_DIRS+= ${SAMBA4_MODULEDIR}/${module_class} .endfor PLIST_DIRS+= ${SAMBA4_MODULEDIR} .if defined(WITH_DEBUG) CONFIGURE_ARGS+= --verbose --enable-debug MAKE_ARGS+= --verbose DEBUG_FLAGS?= -g -ggdb3 -O0 .endif ############################################################################## .include ############################################################################## # Implemented in the gcrypt on AMD64 .if ${ARCH} == "amd64" CONFIGURE_ARGS+= --accel-aes=intelaesni .else CONFIGURE_ARGS+= --accel-aes=none .endif # Only for 64-bit architectures .if ${ARCH} != armv6 && ${ARCH} != armv7 && ${ARCH} != i386 && ${ARCH} != mips && ${ARCH} != powerpc && ${ARCH} != powerpcspe . if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes && (${PORT_OPTIONS:MAD_DC} || ${PORT_OPTIONS:MDEVELOPER}) # LMDB SAMBA4_LMDB_DEPENDS= lmdb>=0.9.16:databases/lmdb PLIST_FILES+= ${SAMBA4_LIBDIR}/private/libldb-mdb-int-samba4.so \ ${SAMBA4_MODULEDIR}/ldb/mdb.so . endif .endif .if ${PORT_OPTIONS:MGSSAPI_MIT} PLIST_FILES+= ${SAMBA4_MODULEDIR}/krb5/winbind_krb5_localauth.so \ man/man8/winbind_krb5_localauth.8.gz . if ${PORT_OPTIONS:MAD_DC} PLIST_FILES+= ${SAMBA4_LIBDIR}/krb5/plugins/kdb/samba.so . 
endif .endif # for libexecinfo: (so that __builtin_frame_address() finds the top of the stack) CFLAGS_amd64+= -fno-omit-frame-pointer # No fancy color error messages CFLAGS+= ${CFLAGS_${CHOSEN_COMPILER_TYPE}} CFLAGS_clang= -fno-color-diagnostics CONFIGURE_ENV+= NOCOLOR=yes WAF_LOG_FORMAT='%(c1)s%(zone)s%(c2)s %(message)s' MAKE_ENV+= NOCOLOR=yes WAF_LOG_FORMAT='%(c1)s%(zone)s%(c2)s %(message)s' # Allow rpcgen to find proper CPP MAKE_ENV+= RPCGEN_CPP="${CPP}" #.if ${readline_ARGS} == port #CFLAGS+= -D_FUNCTION_DEF #.endif # Make sure that the right version of Python is used by the tools # https://bugzilla.samba.org/show_bug.cgi?id=7305 SHEBANG_FILES= ${PATCH_WRKSRC}/source4/scripting/bin/* ${PATCH_WRKSRC}/selftest/* SAMBA4_SUB= SAMBA4_LOGDIR="${SAMBA4_LOGDIR}" \ SAMBA4_RUNDIR="${SAMBA4_RUNDIR}" \ SAMBA4_LOCKDIR="${SAMBA4_LOCKDIR}" \ SAMBA4_LIBDIR="${SAMBA4_LIBDIR}" \ SAMBA4_MODULEDIR="${SAMBA4_MODULEDIR}" \ SAMBA4_BINDDNSDIR="${SAMBA4_BINDDNSDIR}" \ SAMBA4_PRIVATEDIR="${SAMBA4_PRIVATEDIR}" \ SAMBA4_CONFDIR="${SAMBA4_CONFDIR}" \ SAMBA4_CONFIG="${SAMBA4_CONFIG}" \ SAMBA4_SERVICES="${SAMBA4_SERVICES}" PLIST_SUB+= ${SAMBA4_SUB} SUB_LIST+= ${SAMBA4_SUB} USE_RC_SUBR= samba_server SUB_FILES= pkg-message README.FreeBSD PORTDOCS= README.FreeBSD post-extract: @${RM} -r ${WRKSRC}/pidl/lib/Parse/Yapp post-patch: @${REINPLACE_CMD} -e 's|$${PKGCONFIGDIR}|${PKGCONFIGDIR}|g' \ ${PATCH_WRKSRC}/buildtools/wafsamba/pkgconfig.py @${REINPLACE_CMD} -e 's|%%LOCALBASE%%|${LOCALBASE}|g' \ ${PATCH_WRKSRC}/buildtools/wafsamba/wafsamba.py @${REINPLACE_CMD} -e 's|%%GDB_CMD%%|${GDB_CMD}|g' \ ${PATCH_WRKSRC}/buildtools/scripts/abi_gen.sh @${REINPLACE_CMD} -e 's|%%SAMBA4_CONFIG%%|${SAMBA4_CONFIG}|g' \ ${PATCH_WRKSRC}/dynconfig/wscript # Use threading (or multiprocessing) but not thread (renamed in python 3+). 
pre-configure: .if (!${PORT_OPTIONS:MPYTHON3} || defined(NO_PYTHON)) && ${PORT_OPTIONS:MAD_DC} @${ECHO_CMD}; \ ${ECHO_MSG} "===> AD_DC option requires PYTHON3 to be set"; \ ${ECHO_CMD}; \ ${FALSE} .endif pre-build-MANDOC-off: ${MKDIR} ${BUILD_WRKSRC}/bin/default/docs-xml/ ${CP} -rp ${BUILD_WRKSRC}/docs/manpages ${BUILD_WRKSRC}/bin/default/docs-xml/ .for man in libcli/nbt/man/nmblookup4.1 \ librpc/tools/ndrdump.1 \ source4/lib/registry/man/regdiff.1 \ source4/lib/registry/man/regpatch.1 \ source4/lib/registry/man/regshell.1 \ source4/lib/registry/man/regtree.1 \ source4/scripting/man/samba-gpupdate.8 \ source4/torture/man/gentest.1 \ source4/torture/man/locktest.1 \ source4/torture/man/masktest.1 \ source4/torture/man/smbtorture.1 \ source4/utils/man/ntlm_auth4.1 \ source4/utils/oLschema2ldif/oLschema2ldif.1 \ lib/tdb/man/tdbdump.8 \ lib/tdb/man/tdbbackup.8 \ lib/tdb/man/tdbtool.8 \ lib/talloc/man/talloc.3 \ lib/tdb/man/tdbrestore.8 \ lib/ldb/man/ldb.3 \ lib/ldb/man/ldbadd.1 \ lib/ldb/man/ldbdel.1 \ lib/ldb/man/ldbedit.1 \ lib/ldb/man/ldbmodify.1 \ lib/ldb/man/ldbrename.1 \ lib/ldb/man/ldbsearch.1 \ docs-xml/manpages/vfs_freebsd.8 ${MKDIR} `dirname ${BUILD_WRKSRC}/bin/default/${man}` ${INSTALL_MAN} ${FILESDIR}/man/`basename ${man}` ${BUILD_WRKSRC}/bin/default/${man} .endfor .if ${PORT_OPTIONS:MCLUSTER} ${MKDIR} ${BUILD_WRKSRC}/bin/default/ctdb/ . for man in ctdb_diagnostics.1 ctdb.1 ctdbd_wrapper.1 ctdbd.1 ltdbtool.1 onnode.1 ping_pong.1 \ ctdb.conf.5 ctdb.sysconfig.5 ctdb-script.options.5 \ ctdb.7 ctdb-statistics.7 ctdb-tunables.7 ${INSTALL_MAN} ${FILESDIR}/man/${man} ${BUILD_WRKSRC}/bin/default/ctdb/ . 
endfor .endif post-install-rm-junk: ${RM} -r ${STAGEDIR}${PYTHON_SITELIBDIR}/samba/third_party ${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -name __pycache__ \ -type d -print0 | ${XARGS} -0 -n 1 -t ${RM} -r ${FIND} ${STAGEDIR} -type f -empty -delete post-install-fix-manpages: .for f in vfs_aio_linux.8 vfs_btrfs.8 vfs_ceph.8 vfs_gpfs.8 ${RM} ${STAGEDIR}${PREFIX}/man/man8/${f} .endfor .if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes . for f in ldbadd.1 ldbdel.1 ldbedit.1 ldbmodify.1 ldbrename.1 ldbsearch.1 ${MV} ${STAGEDIR}${PREFIX}/man/man1/${f} ${STAGEDIR}${PREFIX}/man/man1/samba-${f} . endfor .endif .if defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes . for f in tdbbackup.8 tdbdump.8 tdbrestore.8 tdbtool.8 ${MV} ${STAGEDIR}${PREFIX}/man/man8/${f} ${STAGEDIR}${PREFIX}/man/man8/samba-${f} . endfor .endif post-install: post-install-rm-junk post-install-fix-manpages ${LN} -sf smb.conf.5.gz ${STAGEDIR}${PREFIX}/man/man5/smb4.conf.5.gz # Run post-install script .for dir in ${SAMBA4_LOGDIR} ${SAMBA4_RUNDIR} ${SAMBA4_LOCKDIR} ${SAMBA4_MODULEDIR} ${INSTALL} -d -m 0755 "${STAGEDIR}${dir}" .endfor ${INSTALL} -d -m 0750 "${STAGEDIR}${SAMBA4_BINDDNSDIR}" ${INSTALL} -d -m 0750 "${STAGEDIR}${SAMBA4_PRIVATEDIR}" .for module_class in ${SAMBA4_MODULES_CLASS} ${INSTALL} -d -m 0755 "${STAGEDIR}${SAMBA4_MODULEDIR}/${module_class}" .endfor .if !defined(WITH_DEBUG) -${FIND} ${STAGEDIR}${PREFIX}/bin ${STAGEDIR}${PREFIX}/sbin ${STAGEDIR}${PREFIX}/libexec \ -type f -print0 | ${XARGS} -0 -n 1 -t ${STRIP_CMD} -${FIND} ${STAGEDIR}${PREFIX}/lib -name '*.so*' \ -type f -print0 | ${XARGS} -0 -n 1 -t ${STRIP_CMD} .endif post-install-FRUIT-off: ${RM} ${STAGEDIR}${SAMBA4_MODULEDIR}/vfs/fruit.so ${RM} ${STAGEDIR}${PREFIX}/man/man8/vfs_fruit.8 post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR} .for doc in ${PORTDOCS} ${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR} .endfor post-install-CLUSTER-on: ${LN} -nfs ../../../../share/ctdb/events/legacy/00.ctdb.script 
${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/00.ctdb.script ${LN} -nfs ../../../../share/ctdb/events/legacy/10.interface.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/10.interface.script ${LN} -nfs ../../../../share/ctdb/events/legacy/05.system.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/05.system.script ${LN} -nfs ../../../../share/ctdb/events/legacy/01.reclock.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/01.reclock.script .include diff --git a/net/samba416/distinfo b/net/samba416/distinfo index 861116a873b6..ce567ea5e5e4 100644 --- a/net/samba416/distinfo +++ b/net/samba416/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1668648463 -SHA256 (samba-4.16.7.tar.gz) = 02d38d5f9edcc776be3a7d60ad470b43980af2ba13c244fb78a57a41792734a6 -SIZE (samba-4.16.7.tar.gz) = 30622700 +TIMESTAMP = 1671402791 +SHA256 (samba-4.16.8.tar.gz) = bbb2959c86b3f220f59be8a3cecd26a8bf22ec8e0526f2343b58c9b866dc4185 +SIZE (samba-4.16.8.tar.gz) = 30682100 diff --git a/net/samba416/files/0099-s4-mitkdc-Add-support-for-MIT-Kerberos-1.20.patch b/net/samba416/files/0099-s4-mitkdc-Add-support-for-MIT-Kerberos-1.20.patch index e38cf5214696..4507dc599075 100644 --- a/net/samba416/files/0099-s4-mitkdc-Add-support-for-MIT-Kerberos-1.20.patch +++ b/net/samba416/files/0099-s4-mitkdc-Add-support-for-MIT-Kerberos-1.20.patch @@ -1,947 +1,942 @@ From 74f71d2e97bc15350b05967e6cff590a6b287a21 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 4 Oct 2021 11:53:55 +0200 Subject: [PATCH] s4:mitkdc: Add support for MIT Kerberos 1.20 This also addresses CVE-2020-17049. MIT Kerberos 1.20 is in pre-release state at the time writing this commit. It will be released in autumn 2022. We need to support MIT Kerberos 1.19 till enough distributions have been released with MIT Kerberos 1.20. Pair-Programmed-With: Robbie Harwood Signed-off-by: Andreas Schneider 
Signed-off-by: Robbie Harwood Reviewed-by: Stefan Metzmacher --- .../samba/tests/krb5/compatability_tests.py | 9 +- selftest/knownfail_mit_kdc | 25 +- selftest/knownfail_mit_kdc_1_20 | 9 + selftest/wscript | 6 + source4/kdc/mit-kdb/kdb_samba.c | 7 +- source4/kdc/mit-kdb/kdb_samba.h | 10 + source4/kdc/mit-kdb/kdb_samba_policies.c | 125 ++++- source4/kdc/mit_samba.c | 481 +++++++++++++++++- source4/kdc/mit_samba.h | 11 +- source4/selftest/tests.py | 7 +- wscript_configure_system_mitkrb5 | 4 + 11 files changed, 661 insertions(+), 33 deletions(-) create mode 100644 selftest/knownfail_mit_kdc_1_20 diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index 44c2afd41dc..b862f381bc5 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -120,7 +120,12 @@ class SimpleKerberosTests(KDCBaseTest): self.fail( "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption") - def test_heimdal_ticket_signature(self): + # This tests also passes again Samba AD built with MIT Kerberos 1.20 which + # is not released yet. + # + # FIXME: Should be moved to to a new kdc_tgt_tests.py once MIT KRB5 1.20 + # is released. + def test_ticket_signature(self): # Ensure that a DC correctly issues tickets signed with its krbtgt key. user_creds = self.get_client_creds() target_creds = self.get_service_creds() @@ -141,7 +146,7 @@ class SimpleKerberosTests(KDCBaseTest): self.verify_ticket(service_ticket, key, service_ticket=True, expect_ticket_checksum=True) - def test_mit_ticket_signature(self): + def test_mit_pre_1_20_ticket_signature(self): # Ensure that a DC does not issue tickets signed with its krbtgt key. user_creds = self.get_client_creds() target_creds = self.get_service_creds() diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 6d07ca4efb6..f9d5c4b0b46 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc 
@@ -294,8 +294,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # # KDC TGS PAC tests # -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_client_no_auth_data_required\(ad_dc\) -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_no_pac_client_no_auth_data_required\(ad_dc\) ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_no_pac_service_no_auth_data_required\(ad_dc\) ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac\(ad_dc\) ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required\(ad_dc\) @@ -321,7 +319,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn(?!_) ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn_realm - +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_aes128_rc4.*fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_mac_aes128_rc4.*fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth.*aes.*rc4.*fl2003dc +^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth.*rc4.*aes.*fl2003dc # Differences in our KDC compared to windows # ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally 
@@ -373,30 +374,14 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc_ntvfs:local ^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local ^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc_ntvfs:local -^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2000dc -^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2003dc -^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008dc -^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008r2dc -^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2000dc -^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2003dc -^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008dc -^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008r2dc ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008r2dc -^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2000dc -^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2003dc -^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008dc -^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008r2dc ^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc ^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc ^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008dc ^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008r2dc -^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2000dc -^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2003dc -^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc -^samba4.rpc.pac on 
ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc # # Alias tests # @@ -444,8 +429,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_false ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid) ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_allowed_denied ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_denied diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20 new file mode 100644 index 00000000000..4a47ab974ae --- /dev/null +++ b/selftest/knownfail_mit_kdc_1_20 @@ -0,0 +1,9 @@ +^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_pre_1_20_ticket_signature +# +# FAST tests +# https://github.com/krb5/krb5/pull/1225#issuecomment-996418770 +# +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_as_req_self\( +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self\( +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_none\( +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_true\( diff --git a/selftest/wscript b/selftest/wscript index e207b87eeb8..c92b37bd5e1 100644 --- a/selftest/wscript 
+++ b/selftest/wscript @@ -260,6 +260,12 @@ def cmd_testonly(opt): env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc" env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\ "knownfail_mit_kdc" + + if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_20'): + env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_kdc_pre_1_20' + + if CONFIG_GET(opt, 'HAVE_MIT_KRB5_1_20'): + env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_kdc_1_20' else: env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\ "knownfail_heimdal_kdc" diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c index 02bbdca9f54..f5092f75873 100644 --- a/source4/kdc/mit-kdb/kdb_samba.c +++ b/source4/kdc/mit-kdb/kdb_samba.c @@ -166,10 +166,15 @@ kdb_vftabl kdb_function_table = { .decrypt_key_data = kdb_samba_dbekd_decrypt_key_data, .encrypt_key_data = kdb_samba_dbekd_encrypt_key_data, - .sign_authdata = kdb_samba_db_sign_auth_data, .check_policy_as = kdb_samba_db_check_policy_as, .audit_as_req = kdb_samba_db_audit_as_req, .check_allowed_to_delegate = kdb_samba_db_check_allowed_to_delegate, .free_principal_e_data = kdb_samba_db_free_principal_e_data, + +#if KRB5_KDB_DAL_MAJOR_VERSION >= 9 + .issue_pac = kdb_samba_db_issue_pac, +#else + .sign_authdata = kdb_samba_db_sign_auth_data, +#endif }; diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h index e9613e2fc7e..dd97061130c 100644 --- a/source4/kdc/mit-kdb/kdb_samba.h +++ b/source4/kdc/mit-kdb/kdb_samba.h 
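Review bot: In the selftest/wscript hunk, the `HAVE_MIT_KRB5_PRE_1_20` branch adds `--expected-failures=${srcdir}/selftest/knownfail_mit_kdc_pre_1_20`, but the diffstat of this patch creates only `selftest/knownfail_mit_kdc_1_20`. Unless the pre-1.20 list comes from another patch in the series, selftest against MIT Kerberos older than 1.20 is pointed at a file that does not exist. Either ship an initially empty `knownfail_mit_kdc_pre_1_20` with this change or drop the branch until the list exists. cmd_testonly starts and ends outside the hunk.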
@@ -113,6 +113,16 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context, krb5_key_data *key_data); /* from kdb_samba_policies.c */ +krb5_error_code kdb_samba_db_issue_pac(krb5_context context, + unsigned int flags, + krb5_db_entry *client, + krb5_keyblock *replaced_reply_key, + krb5_db_entry *server, + krb5_db_entry *signing_krbtgt, + krb5_timestamp authtime, + krb5_pac old_pac, + krb5_pac new_pac, + krb5_data ***auth_indicators); krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, unsigned int flags, diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index 793fe366c35..cbc9bbb9dae 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -190,6 +190,7 @@ static krb5_error_code ks_get_pac(krb5_context context, return code; } +#if KRB5_KDB_DAL_MAJOR_VERSION < 9 static krb5_error_code ks_verify_pac(krb5_context context, unsigned int flags, krb5_const_principal client_princ, 
@@ -557,6 +558,128 @@ done: return code; } +#else /* KRB5_KDB_DAL_MAJOR_VERSION >= 9 */ +static krb5_error_code ks_update_pac(krb5_context context, + int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *signing_krbtgt, + krb5_pac old_pac, + krb5_pac new_pac) +{ + struct mit_samba_context *mit_ctx = NULL; + krb5_error_code code; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { + return KRB5_KDB_DBNOTINITED; + } + + code = mit_samba_update_pac(mit_ctx, + context, + flags, + client, + server, + signing_krbtgt, + old_pac, + new_pac); + if (code != 0) { + return code; + } + + return code; +} + +krb5_error_code kdb_samba_db_issue_pac(krb5_context context, + unsigned int flags, + krb5_db_entry *client, + krb5_keyblock *replaced_reply_key, + krb5_db_entry *server, + krb5_db_entry *signing_krbtgt, + krb5_timestamp authtime, + krb5_pac old_pac, + krb5_pac new_pac, + krb5_data ***auth_indicators) +{ + char *client_name = NULL; + char *server_name = NULL; + krb5_error_code code = EINVAL; + + /* The KDC handles both signing and verification for us. */ + + if (client != NULL) { + code = krb5_unparse_name(context, + client->princ, + &client_name); + if (code != 0) { + return code; + } + } + + if (server != NULL) { + code = krb5_unparse_name(context, + server->princ, + &server_name); + if (code != 0) { + SAFE_FREE(client_name); + return code; + } + } + + /* + * Get a new PAC for AS-REQ or S4U2Self for our realm. + * + * For a simple cross-realm S4U2Proxy there will be the following TGS + * requests after the client realm is identified: + * + * 1. server@SREALM to SREALM for krbtgt/CREALM@SREALM -- a regular TGS + * request with server's normal TGT and no S4U2Self padata. + * 2. server@SREALM to CREALM for server@SREALM (expressed as an + * enterprise principal), with the TGT from #1 as header ticket and + * S4U2Self padata identifying the client. + * 3. 
server@SREALM to SREALM for server@SREALM with S4U2Self padata, + * with the referral TGT from #2 as header ticket + * + * In request 2 the PROTOCOL_TRANSITION and CROSS_REALM flags are set, + * and the request is for a local client (so client != NULL) and we + * want to make a new PAC. + * + * In request 3 the PROTOCOL_TRANSITION and CROSS_REALM flags are also + * set, but the request is for a non-local client (so client == NULL) + * and we want to copy the subject PAC contained in the referral TGT. + */ + if (old_pac == NULL || + (client != NULL && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION))) { + DBG_NOTICE("Generate PAC for AS-REQ [client=%s, flags=%#08x]\n", + client_name != NULL ? client_name : "", + flags); + + code = ks_get_pac(context, + client, + server, + replaced_reply_key, + &new_pac); + } else { + DBG_NOTICE("Update PAC for TGS-REQ [client=%s, server=%s, " + "flags=%#08x]\n", + client_name != NULL ? client_name : "", + server_name != NULL ? server_name : "", + flags); + + code = ks_update_pac(context, + flags, + client, + server, + signing_krbtgt, + old_pac, + new_pac); + } + SAFE_FREE(client_name); + SAFE_FREE(server_name); + + return code; +} +#endif /* KRB5_KDB_DAL_MAJOR_VERSION */ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, krb5_const_principal client, @@ -635,4 +758,4 @@ void kdb_samba_db_audit_as_req(krb5_context context, samba_bad_password_count(client, error_code); /* TODO: perform proper audit logging for addresses */ -} +} \ No newline at end of file diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index cb72b5de294..d58bbea4a5d 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c 
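Review bot: In kdb_samba_db_issue_pac (kdb_samba_policies.c, hunk at -557) the "Generate PAC" branch calls `ks_get_pac(context, client, server, replaced_reply_key, &new_pac)`, which passes the address of the by-value parameter rather than the PAC handle the KDC supplied. That is correct only if ks_get_pac adds buffers to the existing `*pac`. If it stores a freshly initialised PAC there, the KDC's `new_pac` stays empty and the new object is never released. ks_get_pac's body is outside this hunk, so please confirm which it is and record it above the call, e.g. `/* new_pac is owned by the KDC; ks_get_pac must fill it in place */`. Separately, `client_name` and `server_name` come from `krb5_unparse_name` and would conventionally be released with `krb5_free_unparsed_name(context, ...)` rather than `SAFE_FREE`.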
@@ -229,6 +229,27 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, sflags |= SDB_F_FORCE_CANON; #endif +#if KRB5_KDB_DAL_MAJOR_VERSION >= 9 + if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) { + sflags |= SDB_F_CANON; + } + + if (kflags & KRB5_KDB_FLAG_CLIENT) { + sflags |= SDB_F_GET_CLIENT; + + if (!(kflags & KRB5_KDB_FLAG_REFERRAL_OK)) { + sflags |= SDB_F_FOR_AS_REQ; + } + } else if (ks_is_tgs_principal(ctx, principal)) { + sflags |= SDB_F_GET_KRBTGT; + } else { + sflags |= SDB_F_GET_SERVER; + + if (!(kflags & KRB5_KDB_FLAG_REFERRAL_OK)) { + sflags |= SDB_F_FOR_TGS_REQ; + } + } +#else /* KRB5_KDB_DAL_MAJOR_VERSION < 9 */ if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { sflags |= SDB_F_CANON; } @@ -247,6 +268,7 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, } else { sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ; } +#endif /* KRB5_KDB_DAL_MAJOR_VERSION */ /* always set this or the created_by data will not be populated by samba's * backend and we will fail to parse the entry later */ @@ -434,7 +456,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_context context, krb5_db_entry *client, krb5_db_entry *server, - krb5_keyblock *client_key, + krb5_keyblock *replaced_reply_key, krb5_pac *pac) { TALLOC_CTX *tmp_ctx; @@ -461,12 +483,10 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, return ENOMEM; } -#if 0 /* TODO Find out if this is a pkinit_reply key */ /* Check if we have a PREAUTH key */ - if (client_key != NULL) { + if (replaced_reply_key != NULL) { cred_ndr_ptr = &cred_ndr; } -#endif is_krbtgt = ks_is_tgs_principal(smb_ctx, server->princ); @@ -488,9 +508,9 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, return EINVAL; } - if (cred_ndr != NULL) { + if (replaced_reply_key != NULL && cred_ndr != NULL) { code = samba_kdc_encrypt_pac_credentials(context, - client_key, + replaced_reply_key, cred_ndr, tmp_ctx, &cred_blob); 
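Review bot: In mit_samba_get_pac (hunks at -461 and -488), removing the `#if 0` makes the credential path live for every build, not only `KRB5_KDB_DAL_MAJOR_VERSION >= 9`. Any non-NULL `replaced_reply_key` now reaches `samba_kdc_encrypt_pac_credentials`, presumably producing the credential blob for the PAC. The removed TODO asked whether the key really is a PKINIT reply key, and that still applies to the pre-9 callers, which are outside these hunks. If one of them passes the client's long-term key, credential data would be issued on ordinary AS requests. I would keep the block under `#if KRB5_KDB_DAL_MAJOR_VERSION >= 9`, or state the contract in a comment: `/* replaced_reply_key is non-NULL only when pre-authentication replaced the reply key (e.g. PKINIT) */`.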
@@ -514,6 +534,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, return code; } +#if KRB5_KDB_DAL_MAJOR_VERSION < 9 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_context context, int flags, 
@@ -999,6 +1020,454 @@ done: talloc_free(tmp_ctx); return code; } +#else +krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_pac old_pac, + krb5_pac new_pac) +{ + TALLOC_CTX *tmp_ctx = NULL; + krb5_error_code code; + NTSTATUS nt_status; + DATA_BLOB *pac_blob = NULL; + DATA_BLOB *upn_blob = NULL; + DATA_BLOB *requester_sid_blob = NULL; + struct samba_kdc_entry *client_skdc_entry = NULL; + struct samba_kdc_entry *server_skdc_entry = NULL; + struct samba_kdc_entry *krbtgt_skdc_entry = NULL; + bool is_in_db = false; + bool is_untrusted = false; + bool is_krbtgt = false; + size_t num_types = 0; + uint32_t *types = NULL; + size_t i = 0; + ssize_t logon_info_idx = -1; + ssize_t delegation_idx = -1; + ssize_t logon_name_idx = -1; + ssize_t upn_dns_info_idx = -1; + ssize_t srv_checksum_idx = -1; + ssize_t kdc_checksum_idx = -1; + ssize_t tkt_checksum_idx = -1; + ssize_t attrs_info_idx = -1; + ssize_t requester_sid_idx = -1; + + /* Create a memory context early so code can use talloc_stackframe() */ + tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac context"); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + if (client != NULL) { + client_skdc_entry = + talloc_get_type_abort(client->e_data, + struct samba_kdc_entry); + + /* + * Check the objectSID of the client and pac data are the same. + * Does a parse and SID check, but no crypto. 
+ */ + code = samba_kdc_validate_pac_blob(context, + client_skdc_entry, + old_pac); + if (code != 0) { + goto done; + } + } + + if (krbtgt == NULL) { + code = EINVAL; + goto done; + } + krbtgt_skdc_entry = + talloc_get_type_abort(krbtgt->e_data, + struct samba_kdc_entry); + + /* + * If the krbtgt was generated by an RODC, and we are not that + * RODC, then we need to regenerate the PAC - we can't trust + * it, and confirm that the RODC was permitted to print this ticket + * + * Because of the samba_kdc_validate_pac_blob() step we can be + * sure that the record in 'client' or 'server' matches the SID in the + * original PAC. + */ + code = samba_krbtgt_is_in_db(krbtgt_skdc_entry, + &is_in_db, + &is_untrusted); + if (code != 0) { + goto done; + } + + if (is_untrusted) { + struct auth_user_info_dc *user_info_dc = NULL; + WERROR werr; + + if (client == NULL) { + code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + goto done; + } + + nt_status = samba_kdc_get_pac_blobs(tmp_ctx, + client_skdc_entry, + &pac_blob, + NULL, + &upn_blob, + NULL, + PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY, + &requester_sid_blob, + &user_info_dc); + if (!NT_STATUS_IS_OK(nt_status)) { + code = EINVAL; + goto done; + } + + /* + * Check if the SID list in the user_info_dc intersects + * correctly with the RODC allow/deny lists. 
+ */ + werr = samba_rodc_confirm_user_is_allowed(user_info_dc->num_sids, + user_info_dc->sids, + krbtgt_skdc_entry, + client_skdc_entry); + if (!W_ERROR_IS_OK(werr)) { + code = KRB5KDC_ERR_TGT_REVOKED; + if (W_ERROR_EQUAL(werr, + WERR_DOMAIN_CONTROLLER_NOT_FOUND)) { + code = KRB5KDC_ERR_POLICY; + } + goto done; + } + } else { + pac_blob = talloc_zero(tmp_ctx, DATA_BLOB); + if (pac_blob == NULL) { + code = ENOMEM; + goto done; + } + + nt_status = samba_kdc_update_pac_blob(tmp_ctx, + context, + krbtgt_skdc_entry->kdc_db_ctx->samdb, + old_pac, + pac_blob, + NULL, + NULL); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("Update PAC blob failed: %s\n", + nt_errstr(nt_status))); + code = EINVAL; + goto done; + } + } + + /* Check the types of the given PAC */ + code = krb5_pac_get_types(context, old_pac, &num_types, &types); + if (code != 0) { + goto done; + } + + for (i = 0; i < num_types; i++) { + switch (types[i]) { + case PAC_TYPE_LOGON_INFO: + if (logon_info_idx != -1) { + DBG_WARNING("logon info type[%u] twice [%zd] and " + "[%zu]: \n", + types[i], + logon_info_idx, + i); + code = EINVAL; + goto done; + } + logon_info_idx = i; + break; + case PAC_TYPE_CONSTRAINED_DELEGATION: + if (delegation_idx != -1) { + DBG_WARNING("constrained delegation type[%u] " + "twice [%zd] and [%zu]: \n", + types[i], + delegation_idx, + i); + code = EINVAL; + goto done; + } + delegation_idx = i; + break; + case PAC_TYPE_LOGON_NAME: + if (logon_name_idx != -1) { + DBG_WARNING("logon name type[%u] twice [%zd] " + "and [%zu]: \n", + types[i], + logon_name_idx, + i); + code = EINVAL; + goto done; + } + logon_name_idx = i; + break; + case PAC_TYPE_UPN_DNS_INFO: + if (upn_dns_info_idx != -1) { + DBG_WARNING("upn dns info type[%u] twice [%zd] " + "and [%zu]: \n", + types[i], + upn_dns_info_idx, + i); + code = EINVAL; + goto done; + } + upn_dns_info_idx = i; + break; + case PAC_TYPE_SRV_CHECKSUM: + if (srv_checksum_idx != -1) { + DBG_WARNING("srv checksum type[%u] twice [%zd] " + "and [%zu]: 
\n", + types[i], + srv_checksum_idx, + i); + code = EINVAL; + goto done; + } + srv_checksum_idx = i; + break; + case PAC_TYPE_KDC_CHECKSUM: + if (kdc_checksum_idx != -1) { + DBG_WARNING("kdc checksum type[%u] twice [%zd] " + "and [%zu]: \n", + types[i], + kdc_checksum_idx, + i); + code = EINVAL; + goto done; + } + kdc_checksum_idx = i; + break; + case PAC_TYPE_TICKET_CHECKSUM: + if (tkt_checksum_idx != -1) { + DBG_WARNING("ticket checksum type[%u] twice " + "[%zd] and [%zu]: \n", + types[i], + tkt_checksum_idx, + i); + code = EINVAL; + goto done; + } + tkt_checksum_idx = i; + break; + case PAC_TYPE_ATTRIBUTES_INFO: + if (attrs_info_idx != -1) { + DBG_WARNING("attributes info type[%u] twice " + "[%zd] and [%zu]: \n", + types[i], + attrs_info_idx, + i); + code = EINVAL; + goto done; + } + attrs_info_idx = i; + break; + case PAC_TYPE_REQUESTER_SID: + if (requester_sid_idx != -1) { + DBG_WARNING("requester sid type[%u] twice" + "[%zd] and [%zu]: \n", + types[i], + requester_sid_idx, + i); + code = EINVAL; + goto done; + } + requester_sid_idx = i; + break; + default: + continue; + } + } + + if (logon_info_idx == -1) { + DBG_WARNING("PAC_TYPE_LOGON_INFO missing\n"); + code = EINVAL; + goto done; + } + if (logon_name_idx == -1) { + DBG_WARNING("PAC_TYPE_LOGON_NAME missing\n"); + code = EINVAL; + goto done; + } + if (srv_checksum_idx == -1) { + DBG_WARNING("PAC_TYPE_SRV_CHECKSUM missing\n"); + code = EINVAL; + goto done; + } + if (kdc_checksum_idx == -1) { + DBG_WARNING("PAC_TYPE_KDC_CHECKSUM missing\n"); + code = EINVAL; + goto done; + } + if (!(flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) && + requester_sid_idx == -1) { + DBG_WARNING("PAC_TYPE_REQUESTER_SID missing\n"); + code = KRB5KDC_ERR_TGT_REVOKED; + goto done; + } + + server_skdc_entry = talloc_get_type_abort(server->e_data, + struct samba_kdc_entry); + + /* + * The server account may be set not to want the PAC. 
+ * + * While this is wasteful if the above cacluations were done + * and now thrown away, this is cleaner as we do any ticket + * signature checking etc always. + * + * UF_NO_AUTH_DATA_REQUIRED is the rare case and most of the + * time (eg not accepting a ticket from the RODC) we do not + * need to re-generate anything anyway. + */ + if (!samba_princ_needs_pac(server_skdc_entry)) { + code = 0; + goto done; + } + + is_krbtgt = ks_is_tgs_principal(ctx, server->princ); + + if (!is_untrusted && !is_krbtgt) { + /* + * The client may have requested no PAC when obtaining the + * TGT. + */ + bool requested_pac = false; + + code = samba_client_requested_pac(context, + &old_pac, + tmp_ctx, + &requested_pac); + if (code != 0 || !requested_pac) { + goto done; + } + } + +#define MAX_PAC_BUFFERS 64 /* Avoid infinite loops */ + + for (i = 0; i < MAX_PAC_BUFFERS;) { + krb5_data type_data; + DATA_BLOB type_blob = data_blob_null; + uint32_t type; + + if (i < num_types) { + type = types[i]; + i++; + } else { + break; + } + + switch (type) { + case PAC_TYPE_LOGON_INFO: + type_blob = *pac_blob; + break; + case PAC_TYPE_CREDENTIAL_INFO: + /* + * Note that we copy the credential blob, + * as it's only usable with the PKINIT based + * AS-REP reply key, it's only available on the + * host which did the AS-REQ/AS-REP exchange. + * + * This matches Windows 2008R2... + */ + break; + case PAC_TYPE_LOGON_NAME: + /* + * This is generated in the main KDC code + */ + continue; + case PAC_TYPE_UPN_DNS_INFO: + /* + * Replace in the RODC case, otherwise + * upn_blob is NULL and we just copy. 
+ */ + if (upn_blob != NULL) { + type_blob = *upn_blob; + } + break; + case PAC_TYPE_SRV_CHECKSUM: + /* + * This is generated in the main KDC code + */ + continue; + case PAC_TYPE_KDC_CHECKSUM: + /* + * This is generated in the main KDC code + */ + continue; + case PAC_TYPE_TICKET_CHECKSUM: + /* + * This is generated in the main KDC code + */ + continue; + case PAC_TYPE_CONSTRAINED_DELEGATION: + /* + * This is generated in the main KDC code + */ + continue; + case PAC_TYPE_ATTRIBUTES_INFO: + if (!is_untrusted && is_krbtgt) { + /* just copy... */ + break; + } else { + continue; + } + case PAC_TYPE_REQUESTER_SID: + if (is_krbtgt) { + /* + * Replace in the RODC case, otherwise + * requester_sid_blob is NULL and we just copy. + */ + if (requester_sid_blob != NULL) { + type_blob = *requester_sid_blob; + } + break; + } else { + continue; + } + default: + /* just copy... */ + break; + } + + if (type_blob.length != 0) { + code = smb_krb5_copy_data_contents(&type_data, + type_blob.data, + type_blob.length); + if (code != 0) { + goto done; + } + } else { + code = krb5_pac_get_buffer(context, + old_pac, + type, + &type_data); + if (code != 0) { + goto done; + } + } + + code = krb5_pac_add_buffer(context, + new_pac, + type, + &type_data); + smb_krb5_free_data_contents(context, &type_data); + if (code != 0) { + goto done; + } + } + +done: + SAFE_FREE(types); + talloc_free(tmp_ctx); + return code; +} +#endif /* provide header, function is exported but there are no public headers */ diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h index 4431e82a1b2..f34fb1bbfd5 100644 --- a/source4/kdc/mit_samba.h +++ b/source4/kdc/mit_samba.h @@ -51,7 +51,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_context context, krb5_db_entry *client, krb5_db_entry *server, - krb5_keyblock *client_key, + krb5_keyblock *replaced_reply_key, krb5_pac *pac); krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, 
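Review bot: mit_samba_update_pac dereferences `server` without a NULL check, at `talloc_get_type_abort(server->e_data, struct samba_kdc_entry)` and again at `ks_is_tgs_principal(ctx, server->princ)`. Both `client` and `krbtgt` are checked, and the caller kdb_samba_db_issue_pac treats `server` as possibly NULL. A NULL entry here would crash the KDC process instead of failing the request, so I would add `if (server == NULL) { code = EINVAL; goto done; }` next to the existing `krbtgt == NULL` check. The copy loop also stops silently at `MAX_PAC_BUFFERS`, so a PAC with more buffer types than that is truncated rather than rejected. That case deserves a `DBG_WARNING` and an error return.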
@@ -64,6 +64,15 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_keyblock *krbtgt_keyblock, krb5_pac *pac); +krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *signing_krbtgt, + krb5_pac old_pac, + krb5_pac new_pac); + int mit_samba_check_client_access(struct mit_samba_context *ctx, krb5_db_entry *client, const char *client_name, diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 3af8e92d7f2..f451ad1cec2 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py -@@ -963,7 +963,12 @@ for env in ['fileserver_smb1', 'nt4_member', 'clusteredmember', 'ktest', 'nt4_dc +@@ -964,7 +964,7 @@ for env in ['fileserver_smb1', 'nt4_member', 'clustere have_fast_support = 1 claims_support = 0 compound_id_support = 0 -tkt_sig_support = int('SAMBA4_USES_HEIMDAL' in config_hash) -+if ('SAMBA4_USES_HEIMDAL' in config_hash or -+ 'HAVE_MIT_KRB5_1_20' in config_hash): -+ tkt_sig_support = 1 -+else: -+ tkt_sig_support = 0 -+ ++tkt_sig_support = 1 if('SAMBA4_USES_HEIMDAL' in config_hash or 'HAVE_MIT_KRB5_1_20' in config_hash) else 0 + full_sig_support = int('SAMBA4_USES_HEIMDAL' in config_hash) expect_pac = int('SAMBA4_USES_HEIMDAL' in config_hash) extra_pac_buffers = int('SAMBA4_USES_HEIMDAL' in config_hash) - check_cname = int('SAMBA4_USES_HEIMDAL' in config_hash) diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 index efdbced6e78..b0640654260 100644 --- a/wscript_configure_system_mitkrb5 +++ b/wscript_configure_system_mitkrb5 
@@ -98,6 +98,10 @@ if conf.env.KRB5_CONFIG: else: Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version)) + if parse_version(krb5_version) < parse_version('1.20'): + conf.DEFINE('HAVE_MIT_KRB5_PRE_1_20', 1) + if parse_version(krb5_version) >= parse_version('1.20'): + conf.DEFINE('HAVE_MIT_KRB5_1_20', 1) conf.define('USING_SYSTEM_MITKRB5', '"%s"' % krb5_version) conf.CHECK_HEADERS('krb5.h krb5/locate_plugin.h', lib='krb5') -- 2.37.1 diff --git a/net/samba416/pkg-plist.python b/net/samba416/pkg-plist.python index 9b475e5d2dc0..7d86c1cb2e48 100644 --- a/net/samba416/pkg-plist.python +++ b/net/samba416/pkg-plist.python 
@@ -1,426 +1,428 @@ bin/smbtorture sbin/samba-gpupdate man/man1/smbtorture.1.gz man/man8/samba-gpupdate.8.gz include/samba4/policy.h lib/samba4/libsamba-policy%%PYTHON_EXT_SUFFIX%%.so lib/samba4/libsamba-policy%%PYTHON_EXT_SUFFIX%%.so.0 lib/samba4/private/libsamba-net%%PYTHON_EXT_SUFFIX%%-samba4.so lib/samba4/private/libsamba-python%%PYTHON_EXT_SUFFIX%%-samba4.so %%PKGCONFIGDIR%%/samba-policy%%PYTHON_EXT_SUFFIX%%.pc @comment Python block %%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/dckeytab%%PYTHON_EXT_SUFFIX%%.so %%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/posix_eadb%%PYTHON_EXT_SUFFIX%%.so %%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/xattr_native%%PYTHON_EXT_SUFFIX%%.so %%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/xattr_tdb%%PYTHON_EXT_SUFFIX%%.so %%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/dsdb_dns%%PYTHON_EXT_SUFFIX%%.so %%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/dsdb%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/__init__.py %%PYTHON_SITELIBDIR%%/samba/_glue%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/_ldb%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/auth_util.py %%PYTHON_SITELIBDIR%%/samba/auth%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/colour.py %%PYTHON_SITELIBDIR%%/samba/common.py %%PYTHON_SITELIBDIR%%/samba/credentials%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/crypto%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dbchecker.py %%PYTHON_SITELIBDIR%%/samba/dcerpc/__init__.py %%PYTHON_SITELIBDIR%%/samba/dcerpc/atsvc%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/auth%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/base%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/dcerpc%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/dfs%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/dns%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/dnsp%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/dnsserver%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/drsblobs%%PYTHON_EXT_SUFFIX%%.so 
%%PYTHON_SITELIBDIR%%/samba/dcerpc/drsuapi%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/echo%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/epmapper%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/idmap%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/initshutdown%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/irpc%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/krb5ccache%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/krb5pac%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/lsa%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/mdssvc%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/messaging%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/mgmt%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/misc%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/nbt%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/netlogon%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/ntlmssp%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/preg%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/samr%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/security%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/server_id%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/smb_acl%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/spoolss%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/srvsvc%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/svcctl%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/unixinfo%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/winbind%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/windows_event_ids%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/winreg%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/winspool%%PYTHON_EXT_SUFFIX%%.so 
%%PYTHON_SITELIBDIR%%/samba/dcerpc/witness%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/wkssvc%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/dcerpc/xattr%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/descriptor.py %%PYTHON_SITELIBDIR%%/samba/dnsresolver.py %%PYTHON_SITELIBDIR%%/samba/dnsserver.py %%PYTHON_SITELIBDIR%%/samba/domain_update.py %%PYTHON_SITELIBDIR%%/samba/drs_utils.py %%PYTHON_SITELIBDIR%%/samba/emulate/__init__.py %%PYTHON_SITELIBDIR%%/samba/emulate/traffic_packets.py %%PYTHON_SITELIBDIR%%/samba/emulate/traffic.py %%PYTHON_SITELIBDIR%%/samba/forest_update.py %%PYTHON_SITELIBDIR%%/samba/gensec%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/getopt.py %%PYTHON_SITELIBDIR%%/samba/gp_cert_auto_enroll_ext.py %%PYTHON_SITELIBDIR%%/samba/gp_chromium_ext.py %%PYTHON_SITELIBDIR%%/samba/gp_ext_loader.py %%PYTHON_SITELIBDIR%%/samba/gp_firefox_ext.py %%PYTHON_SITELIBDIR%%/samba/gp_firewalld_ext.py %%PYTHON_SITELIBDIR%%/samba/gp_gnome_settings_ext.py %%PYTHON_SITELIBDIR%%/samba/gp_msgs_ext.py %%PYTHON_SITELIBDIR%%/samba/gp_parse/__init__.py %%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_aas.py %%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_csv.py %%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_inf.py %%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_ini.py %%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_pol.py %%PYTHON_SITELIBDIR%%/samba/gp_scripts_ext.py %%PYTHON_SITELIBDIR%%/samba/gp_sec_ext.py %%PYTHON_SITELIBDIR%%/samba/gp_smb_conf_ext.py %%PYTHON_SITELIBDIR%%/samba/gp_sudoers_ext.py %%PYTHON_SITELIBDIR%%/samba/gpclass.py %%PYTHON_SITELIBDIR%%/samba/gpo%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/graph.py %%PYTHON_SITELIBDIR%%/samba/hostconfig.py %%PYTHON_SITELIBDIR%%/samba/idmap.py %%PYTHON_SITELIBDIR%%/samba/join.py %%PYTHON_SITELIBDIR%%/samba/kcc/__init__.py %%PYTHON_SITELIBDIR%%/samba/kcc/debug.py %%PYTHON_SITELIBDIR%%/samba/kcc/graph_utils.py %%PYTHON_SITELIBDIR%%/samba/kcc/graph.py %%PYTHON_SITELIBDIR%%/samba/kcc/kcc_utils.py 
%%PYTHON_SITELIBDIR%%/samba/kcc/ldif_import_export.py %%PYTHON_SITELIBDIR%%/samba/logger.py %%PYTHON_SITELIBDIR%%/samba/mdb_util.py %%PYTHON_SITELIBDIR%%/samba/messaging%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/ms_display_specifiers.py %%PYTHON_SITELIBDIR%%/samba/ms_forest_updates_markdown.py %%PYTHON_SITELIBDIR%%/samba/ms_schema_markdown.py %%PYTHON_SITELIBDIR%%/samba/ms_schema.py %%PYTHON_SITELIBDIR%%/samba/ndr.py %%PYTHON_SITELIBDIR%%/samba/net_s3%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/net%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/netbios%%PYTHON_EXT_SUFFIX%%.so %%PYTHON_SITELIBDIR%%/samba/netcmd/__init__.py %%PYTHON_SITELIBDIR%%/samba/netcmd/common.py %%PYTHON_SITELIBDIR%%/samba/netcmd/computer.py %%PYTHON_SITELIBDIR%%/samba/netcmd/contact.py %%PYTHON_SITELIBDIR%%/samba/netcmd/dbcheck.py %%PYTHON_SITELIBDIR%%/samba/netcmd/delegation.py %%PYTHON_SITELIBDIR%%/samba/netcmd/dns.py %%PYTHON_SITELIBDIR%%/samba/netcmd/domain_backup.py %%PYTHON_SITELIBDIR%%/samba/netcmd/domain.py %%PYTHON_SITELIBDIR%%/samba/netcmd/drs.py %%PYTHON_SITELIBDIR%%/samba/netcmd/dsacl.py %%PYTHON_SITELIBDIR%%/samba/netcmd/forest.py %%PYTHON_SITELIBDIR%%/samba/netcmd/fsmo.py %%PYTHON_SITELIBDIR%%/samba/netcmd/gpo.py %%PYTHON_SITELIBDIR%%/samba/netcmd/group.py %%PYTHON_SITELIBDIR%%/samba/netcmd/ldapcmp.py %%PYTHON_SITELIBDIR%%/samba/netcmd/main.py %%PYTHON_SITELIBDIR%%/samba/netcmd/nettime.py %%PYTHON_SITELIBDIR%%/samba/netcmd/ntacl.py %%PYTHON_SITELIBDIR%%/samba/netcmd/ou.py %%PYTHON_SITELIBDIR%%/samba/netcmd/processes.py %%PYTHON_SITELIBDIR%%/samba/netcmd/pso.py %%PYTHON_SITELIBDIR%%/samba/netcmd/rodc.py %%PYTHON_SITELIBDIR%%/samba/netcmd/schema.py %%PYTHON_SITELIBDIR%%/samba/netcmd/sites.py %%PYTHON_SITELIBDIR%%/samba/netcmd/spn.py %%PYTHON_SITELIBDIR%%/samba/netcmd/testparm.py %%PYTHON_SITELIBDIR%%/samba/netcmd/user.py %%PYTHON_SITELIBDIR%%/samba/netcmd/visualize.py %%PYTHON_SITELIBDIR%%/samba/ntacls.py 
 %%PYTHON_SITELIBDIR%%/samba/ntstatus%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/param%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/policy%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/provision/__init__.py
 %%PYTHON_SITELIBDIR%%/samba/provision/backend.py
 %%PYTHON_SITELIBDIR%%/samba/provision/common.py
 %%PYTHON_SITELIBDIR%%/samba/provision/kerberos_implementation.py
 %%PYTHON_SITELIBDIR%%/samba/provision/kerberos.py
 %%PYTHON_SITELIBDIR%%/samba/provision/sambadns.py
 %%PYTHON_SITELIBDIR%%/samba/registry%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/remove_dc.py
 %%PYTHON_SITELIBDIR%%/samba/samba3/__init__.py
 %%PYTHON_SITELIBDIR%%/samba/samba3/libsmb_samba_cwrapper%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/samba3/libsmb_samba_internal.py
 %%PYTHON_SITELIBDIR%%/samba/samba3/mdscli%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/samba3/param%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/samba3/passdb%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/samba3/smbd%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/samdb.py
 %%PYTHON_SITELIBDIR%%/samba/schema.py
 %%PYTHON_SITELIBDIR%%/samba/sd_utils.py
 %%PYTHON_SITELIBDIR%%/samba/security%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/sites.py
 %%PYTHON_SITELIBDIR%%/samba/subnets.py
 %%PYTHON_SITELIBDIR%%/samba/subunit/__init__.py
 %%PYTHON_SITELIBDIR%%/samba/subunit/run.py
 %%PYTHON_SITELIBDIR%%/samba/tdb_util.py
 %%PYTHON_SITELIBDIR%%/samba/tests/__init__.py
 %%PYTHON_SITELIBDIR%%/samba/tests/audit_log_base.py
 %%PYTHON_SITELIBDIR%%/samba/tests/audit_log_dsdb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/audit_log_pass_change.py
 %%PYTHON_SITELIBDIR%%/samba/tests/auth_log_base.py
 %%PYTHON_SITELIBDIR%%/samba/tests/auth_log_ncalrpc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/auth_log_netlogon_bad_creds.py
 %%PYTHON_SITELIBDIR%%/samba/tests/auth_log_netlogon.py
 %%PYTHON_SITELIBDIR%%/samba/tests/auth_log_pass_change.py
 %%PYTHON_SITELIBDIR%%/samba/tests/auth_log_samlogon.py
 %%PYTHON_SITELIBDIR%%/samba/tests/auth_log_winbind.py
 %%PYTHON_SITELIBDIR%%/samba/tests/auth_log.py
 %%PYTHON_SITELIBDIR%%/samba/tests/auth.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/__init__.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/bug13653.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/check_output.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/downgradedatabase.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/mdsearch.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/ndrdump.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/netads_json.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/samba_dnsupdate.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcacls_basic.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcacls_dfs_propagate_inherit.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcacls_propagate_inhertance.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcacls.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcontrol_process.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcontrol.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/traffic_learner.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/traffic_replay.py
 %%PYTHON_SITELIBDIR%%/samba/tests/blackbox/traffic_summary.py
 %%PYTHON_SITELIBDIR%%/samba/tests/common.py
 %%PYTHON_SITELIBDIR%%/samba/tests/complex_expressions.py
 %%PYTHON_SITELIBDIR%%/samba/tests/core.py
 %%PYTHON_SITELIBDIR%%/samba/tests/cred_opt.py
 %%PYTHON_SITELIBDIR%%/samba/tests/credentials.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/__init__.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/array.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/bare.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/binding.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/createtrustrelax.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/dnsserver.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/integer.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/lsa.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/mdssvc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/misc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/raw_protocol.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/raw_testcase.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/registry.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/rpc_talloc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/rpcecho.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/sam.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/samr_change_password.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/srvsvc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/string_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/testrpc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/unix.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dckeytab.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dns_aging.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dns_base.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dns_forwarder_helpers/server.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dns_forwarder.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dns_invalid.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dns_packet.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dns_tkey.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dns_wildcard.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dns.py
 %%PYTHON_SITELIBDIR%%/samba/tests/docs.py
 %%PYTHON_SITELIBDIR%%/samba/tests/domain_backup_offline.py
 %%PYTHON_SITELIBDIR%%/samba/tests/domain_backup.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dsdb_api.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dsdb_dns.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dsdb_lock.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dsdb_schema_attributes.py
 %%PYTHON_SITELIBDIR%%/samba/tests/dsdb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/emulate/__init__.py
 %%PYTHON_SITELIBDIR%%/samba/tests/emulate/traffic_packet.py
 %%PYTHON_SITELIBDIR%%/samba/tests/emulate/traffic.py
 %%PYTHON_SITELIBDIR%%/samba/tests/encrypted_secrets.py
 %%PYTHON_SITELIBDIR%%/samba/tests/gensec.py
 %%PYTHON_SITELIBDIR%%/samba/tests/get_opt.py
 %%PYTHON_SITELIBDIR%%/samba/tests/getdcname.py
 %%PYTHON_SITELIBDIR%%/samba/tests/glue.py
 %%PYTHON_SITELIBDIR%%/samba/tests/gpo_member.py
 %%PYTHON_SITELIBDIR%%/samba/tests/gpo.py
 %%PYTHON_SITELIBDIR%%/samba/tests/graph.py
 %%PYTHON_SITELIBDIR%%/samba/tests/group_audit.py
 %%PYTHON_SITELIBDIR%%/samba/tests/hostconfig.py
 %%PYTHON_SITELIBDIR%%/samba/tests/imports.py
 %%PYTHON_SITELIBDIR%%/samba/tests/join.py
 %%PYTHON_SITELIBDIR%%/samba/tests/kcc/__init__.py
 %%PYTHON_SITELIBDIR%%/samba/tests/kcc/graph_utils.py
 %%PYTHON_SITELIBDIR%%/samba/tests/kcc/graph.py
 %%PYTHON_SITELIBDIR%%/samba/tests/kcc/kcc_utils.py
 %%PYTHON_SITELIBDIR%%/samba/tests/kcc/ldif_import_export.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5_credentials.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/alias_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/as_canonicalization_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/as_req_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/compatability_tests.py
+%%PYTHON_SITELIBDIR%%/samba/tests/krb5/etype_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/fast_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/kcrypto.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/kdc_base_test.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/kdc_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/kdc_tgs_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/kpasswd_tests.py
+%%PYTHON_SITELIBDIR%%/samba/tests/krb5/lockout_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/pac_align_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/raw_testcase.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/rfc4120_constants.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/rfc4120_pyasn1.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/rodc_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/s4u_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/salt_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/simple_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/spn_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_ccache.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_idmap_nss.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_ldap.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_min_domain_uid.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_rpc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_smb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/krb5/xrealm_tests.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ldap_raw.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ldap_referrals.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ldap_spn.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ldap_upn_sam_account.py
 %%PYTHON_SITELIBDIR%%/samba/tests/libsmb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/loadparm.py
 %%PYTHON_SITELIBDIR%%/samba/tests/lsa_string.py
 %%PYTHON_SITELIBDIR%%/samba/tests/messaging.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ndr.py
 %%PYTHON_SITELIBDIR%%/samba/tests/net_join_no_spnego.py
 %%PYTHON_SITELIBDIR%%/samba/tests/net_join.py
 %%PYTHON_SITELIBDIR%%/samba/tests/netbios.py
 %%PYTHON_SITELIBDIR%%/samba/tests/netcmd.py
 %%PYTHON_SITELIBDIR%%/samba/tests/netlogonsvc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ntacls_backup.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ntacls.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ntlm_auth_base.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ntlm_auth_krb5.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ntlm_auth.py
 %%PYTHON_SITELIBDIR%%/samba/tests/ntlmdisabled.py
 %%PYTHON_SITELIBDIR%%/samba/tests/pam_winbind_chauthtok.py
 %%PYTHON_SITELIBDIR%%/samba/tests/pam_winbind_warn_pwd_expire.py
 %%PYTHON_SITELIBDIR%%/samba/tests/pam_winbind.py
 %%PYTHON_SITELIBDIR%%/samba/tests/param.py
 %%PYTHON_SITELIBDIR%%/samba/tests/password_hash_fl2003.py
 %%PYTHON_SITELIBDIR%%/samba/tests/password_hash_fl2008.py
 %%PYTHON_SITELIBDIR%%/samba/tests/password_hash_gpgme.py
 %%PYTHON_SITELIBDIR%%/samba/tests/password_hash_ldap.py
 %%PYTHON_SITELIBDIR%%/samba/tests/password_hash.py
 %%PYTHON_SITELIBDIR%%/samba/tests/password_quality.py
 %%PYTHON_SITELIBDIR%%/samba/tests/password_test.py
 %%PYTHON_SITELIBDIR%%/samba/tests/policy.py
 %%PYTHON_SITELIBDIR%%/samba/tests/posixacl.py
 %%PYTHON_SITELIBDIR%%/samba/tests/prefork_restart.py
 %%PYTHON_SITELIBDIR%%/samba/tests/process_limits.py
 %%PYTHON_SITELIBDIR%%/samba/tests/provision.py
 %%PYTHON_SITELIBDIR%%/samba/tests/pso.py
 %%PYTHON_SITELIBDIR%%/samba/tests/py_credentials.py
 %%PYTHON_SITELIBDIR%%/samba/tests/registry.py
 %%PYTHON_SITELIBDIR%%/samba/tests/s3_net_join.py
 %%PYTHON_SITELIBDIR%%/samba/tests/s3idmapdb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/s3param.py
 %%PYTHON_SITELIBDIR%%/samba/tests/s3passdb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/s3registry.py
 %%PYTHON_SITELIBDIR%%/samba/tests/s3windb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/__init__.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/base.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/computer.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/contact.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/demote.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/dnscmd.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/drs_clone_dc_data_lmdb_size.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/dsacl.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/forest.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/fsmo.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/gpo_exts.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/gpo.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/group.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/help.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/join_lmdb_size.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/join_member.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/join.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/ntacl.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/ou.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/passwordsettings.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/processes.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/promote_dc_lmdb_size.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/provision_lmdb_size.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/provision_password_check.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/provision_userPassword_crypt.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/rodc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/schema.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/sites.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/timecmd.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_check_password_script.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_virtualCryptSHA_base.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_virtualCryptSHA.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_wdigest.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/visualize_drs.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/visualize.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba_upgradedns_lmdb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samba3sam.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samdb_api.py
 %%PYTHON_SITELIBDIR%%/samba/tests/samdb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/sddl.py
 %%PYTHON_SITELIBDIR%%/samba/tests/security.py
 %%PYTHON_SITELIBDIR%%/samba/tests/segfault.py
 %%PYTHON_SITELIBDIR%%/samba/tests/smb-notify.py
 %%PYTHON_SITELIBDIR%%/samba/tests/smb.py
 %%PYTHON_SITELIBDIR%%/samba/tests/smbd_base.py
 %%PYTHON_SITELIBDIR%%/samba/tests/smbd_fuzztest.py
 %%PYTHON_SITELIBDIR%%/samba/tests/source_chars.py
 %%PYTHON_SITELIBDIR%%/samba/tests/source.py
 %%PYTHON_SITELIBDIR%%/samba/tests/strings.py
 %%PYTHON_SITELIBDIR%%/samba/tests/subunitrun.py
 %%PYTHON_SITELIBDIR%%/samba/tests/tdb_util.py
 %%PYTHON_SITELIBDIR%%/samba/tests/upgrade.py
 %%PYTHON_SITELIBDIR%%/samba/tests/upgradeprovision.py
 %%PYTHON_SITELIBDIR%%/samba/tests/upgradeprovisionneeddc.py
 %%PYTHON_SITELIBDIR%%/samba/tests/usage.py
 %%PYTHON_SITELIBDIR%%/samba/tests/xattr.py
 %%PYTHON_SITELIBDIR%%/samba/trust_utils.py
 %%PYTHON_SITELIBDIR%%/samba/upgrade.py
 %%PYTHON_SITELIBDIR%%/samba/upgradehelpers.py
 %%PYTHON_SITELIBDIR%%/samba/uptodateness.py
 %%PYTHON_SITELIBDIR%%/samba/vgp_access_ext.py
 %%PYTHON_SITELIBDIR%%/samba/vgp_files_ext.py
 %%PYTHON_SITELIBDIR%%/samba/vgp_issue_ext.py
 %%PYTHON_SITELIBDIR%%/samba/vgp_motd_ext.py
 %%PYTHON_SITELIBDIR%%/samba/vgp_openssh_ext.py
 %%PYTHON_SITELIBDIR%%/samba/vgp_startup_scripts_ext.py
 %%PYTHON_SITELIBDIR%%/samba/vgp_sudoers_ext.py
 %%PYTHON_SITELIBDIR%%/samba/vgp_symlink_ext.py
 %%PYTHON_SITELIBDIR%%/samba/werror%%PYTHON_EXT_SUFFIX%%.so
 %%PYTHON_SITELIBDIR%%/samba/xattr.py
 @dir %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool
 @dir %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc
 @dir %%PYTHON_SITELIBDIR%%/samba/tests/blackbox
 @dir %%PYTHON_SITELIBDIR%%/samba/tests
 @dir %%PYTHON_SITELIBDIR%%/samba/samba3
 @dir %%PYTHON_SITELIBDIR%%/samba/provision
 @dir %%PYTHON_SITELIBDIR%%/samba/netcmd
 @dir %%PYTHON_SITELIBDIR%%/samba/dcerpc
 @dir %%PYTHON_SITELIBDIR%%/samba