Sisyphus repository
Last update: 1 october 2023 | SRPMs: 18631 | Visits: 37039426
en ru br
ALT Linux repos
S:4.17.11-alt1
5.0: 3.0.33-alt4
4.1: 3.0.30-alt3
4.0: 3.0.33-alt1.M40.1
+updates:3.0.33-alt1.M40.1
3.0: 3.0.14a-alt2
+backports:3.0.28-alt1

Group :: System/Servers
RPM: samba

 Main   Changelog   Spec   Patches   Sources   Download   Gear   Bugs and FR  Repocop 

23 september 2023 Evgeny Sinelnikov <sin at altlinux.org> 4.17.11-alt1

  • Update to security release of Samba 4.17
  • smbd fileserver fixes (Samba#15419, Samba#15420, Samba#15430, Samba#15432,
                            Samba#15417, Samba#15346, Samba#15453, Samba#15435):
     + Weird filename can cause assert to fail in openat_pathref_fsp_nosymlink().
     + reply_sesssetup_and_X() can dereference uninitialized tmp pointer.
     + Missing return in reply_exit_done().
     + TREE_CONNECT without SETUP causes smbd to use uninitialized pointer.
     + Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted
       to remove the destination.
     + 2-3min delays at reconnect with smb2_validate_sequence_number:
       bad message_id 2.
     + File doesn't show when user doesn't have permission if
       aio_pthread is loaded.
     + Regression DFS not working with widelinks = true.
  • replication fixes (Samba#15401, Samba#15407)
     + Improve GetNChanges to address some (but not all "Azure AD Connect")
       syncronisation tool looping during the initial user sync phase.
     + Samba replication logs show (null) DN.
  • tools fixes (Samba#15384, Samba#15441, Samba#15451):
     + net ads lookup (with unspecified realm) fails
     + samba-tool ntacl get segfault if aio_pthread appended.
     + ctdb_killtcp fails to work with --enable-pcap and libpcap >= 1.9.1.
  • other protocol fixes (Samba#15446, Samba#9959, Samba#15463
                           Samba#15449, Samba#15342, Samba#15427):
     + DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
     + Windows client join fails if a second container CN=System exists somewhere.
     + macOS mdfind returns only 50 results.
     + mdssvc: Do an early talloc_free() in _mdssvc_open().
     + Spotlight sometimes returns no results on latest macOS.
     + Spotlight results return wrong date in result list.
  • Compatibility fixes of spec (thx asheplyakov@):
     + added missing BR: alternatives.
     + added rpm-macros-alterinatives as a pre-requirement.
     + added missing build-requirements: flex, liblmdb-devel.
     + dropped obsolete build dependency on gtk+2.
     + samba-client: libldb-cmdline-samba4.so.
  • Disabled tracker backend in spotlight (obsolete with version less than 3.x).
  • Disabled glusterfs on armh due it not supported on this architecture.

23 july 2023 Evgeny Sinelnikov <sin at altlinux.org> 4.17.10-alt1

  • Update to maintenance release of Samba 4.17:
     + Secure channel faulty since Windows 10/11 update 07/2023 (KB5028166).
  • Security fixes (Samba#15418):
     + CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                       crafted request can trigger an out-of-bounds read in winbind
                       and possibly crash it.
                       https://www.samba.org/samba/security/CVE-2022-2127.html

     + CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
                       "server signing = required" or for SMB2 connections to Domain
                       Controllers where SMB2 packet signing is mandatory.
                       https://www.samba.org/samba/security/CVE-2023-3347.html

     + CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                       Spotlight can be triggered by an unauthenticated attacker by
                       issuing a malformed RPC request.
                       https://www.samba.org/samba/security/CVE-2023-34966.html

     + CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                       Spotlight can be used by an unauthenticated attacker to
                       trigger a process crash in a shared RPC mdssvc worker process.
                       https://www.samba.org/samba/security/CVE-2023-34967.html

     + CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
                       side absolute path of shares and files and directories in
                       search results.
                       https://www.samba.org/samba/security/CVE-2023-34968.html

10 july 2023 Evgeny Sinelnikov <sin at altlinux.org> 4.17.9-alt1

  • Update to maintenance release of Samba 4.17:
     + smbd_scavenger crashes when service smbd is stopped (Samba#15275).
     + vfs_fruit might cause a failing open for delete (Samba#15378).
     + named crashes on DLZ zone update (Samba#14030).
     + winbind recurses into itself via rpcd_lsad (Samba#15361).
     + cli_list loops 100% CPU against pre-lanman2 servers (Samba#15382).
     + smbclient leaks fds with showacls (Samba#15391).
     + aes256 smb3 encryption algorithms are not allowed in
       smb3_sid_parse() (Samba#15374).
     + winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR (Samba#15413).
     + smbget memory leak if failed to download files recursively (Samba#15403).
  • Add check with admx-lint for group policy templates validation.

21 may 2023 Evgeny Sinelnikov <sin at altlinux.org> 4.17.8-alt1

  • Update to maintenance release of Samba 4.17:
     + log flood: smbd_calculate_access_mask_fsp: Access denied: message level
       should be lower (Samba#15302).
     + Floating point exception (FPE) via cli_pull_send at
       source3/libsmb/clireadwrite.c (Samba#15306).
     + Reduce flapping of ridalloc test (Samba#15329).
     + large_ldap test is unreliable (Samba#15351).
     + New filename parser doesn't check veto files smb.conf parameter (Samba#15143).
     + mdssvc may crash when initializing (Samba#15354).
     + Large directory optimization broken for non-lcomp path elements (Samba#15313).
     + streams_depot fails to create streams (Samba#15357).
     + shadow_copy2 and streams_depot don't play well together (Samba#15358).
     + wbinfo -u fails on ad dc with >1000 users (Samba#15366).
     + winbindd idmap child contacts the domain controller without a
       need (Samba#15317).
     + idmap_autorid may fail to map sids of trusted domains for the first
       time (Samba#15318).
     + idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings (Samba#15319).
     + net ads search -P doesn't work against servers in other domains (Samba#15323).
     + DS ACEs might be inherited to unrelated object classes (Samba#15338).
     + Temporary smbXsrv_tcon_global.tdb can't be parsed (Samba#15353).
     + Setting veto files = /.*/ break listing directories (Samba#15360).
     + CVE-2020-25720 [SECURITY] Create Child permission should not
       allow full write to all attributes (additional changes) (Samba#14810).
     + Reduce flapping of ridalloc test (Samba#15329).
     + dsgetdcname: assumes local system uses IPv4 (Samba#15325).

29 march 2023 Evgeny Sinelnikov <sin at altlinux.org> 4.17.7-alt1

  • Update to maintenance release of Samba 4.17 with update libldb to 2.6.2:
     + ldb wildcard matching makes excessive allocations (Samba#15331).
  • Security fixes (Samba#15276, Samba#15270, Samba#15315, Samba#14810):
     + CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
                      but otherwise unprivileged users to delete this attribute from
                      any object in the directory.
                      https://www.samba.org/samba/security/CVE-2023-0225.html

     + CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                      remote LDAP server, will by default send new or reset
                      passwords over a signed-only connection.
                      https://www.samba.org/samba/security/CVE-2023-0922.html

     + CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                      Confidential attribute disclosure via LDAP filters was
                      insufficient and an attacker may be able to obtain
                      confidential BitLocker recovery keys from a Samba AD DC.
                      Installations with such secrets in their Samba AD should
                      assume they have been obtained and need replacing.
                      https://www.samba.org/samba/security/CVE-2023-0614.html

     + CVE-2020-25720 Create Child permission should not allow full write to all
                      attributes (additional changes).

15 march 2023 Evgeny Sinelnikov <sin at altlinux.org> 4.17.6-alt1

  • Update to maintenance release of Samba 4.17:
     + streams_xattr is creating unexpected locks on folders (Samba#15314).
     + Use of the Azure AD Connect cloud sync tool is now supported for password
       hash synchronisation, allowing Samba AD Domains to synchronise passwords
       with this popular cloud environment (Samba#10635).
     + New samba-dcerpc architecture does not scale gracefully (Samba#15310).
     + vfs_ceph incorrectly uses fsp_get_io_fd() instead of fsp_get_pathref_fd()
       in close and fstat (Samba#15307).
     + fd_load() function implicitly closes the fd where it should not (Samba#15311).
  • Revert not treat of missing include file as an error in handle_include().
     This behavior differs between the source3 and source4 parts of Samba.
     So, it should be the same and just not an error (Closes #44214).

11 march 2023 Michael Shigorin <mike at altlinux.org> 4.17.5-alt2

  • Fix doc knob

28 february 2023 Evgeny Sinelnikov <sin at altlinux.org> 4.17.5-alt1

  • Update to stable release of Samba 4.17 with latest bugfixes and new features:
     + Support Protected Users security group introduced in Windows Server 2012 R2.
     + Resource Based Constrained Delegation (RBCD) support with samba-dc-mitkrb5.
     + Customizable DNS listening port to use another DNS server as a front and
       forward to Samba.
     + Operation without the (unsalted) NT password hash security support.
     + Suppport for modern Python API for smbconf.
     + JSON support for smbstatus.
     + LanMan Authentication and password storage removed from the AD DC.
  • Configure without the SMB1 Server not enabled yet.

20 february 2023 Evgeny Sinelnikov <sin at altlinux.org> 4.16.9-alt1

  • Update to maintenance release of Samba 4.16
  • Security fixes:
     + CVE-2022-38023: Samba should refuse RC4 (aka md5) based SChannel on
       NETLOGON (Samba#15240).
  • Major fixes:
     + smbc_getxattr() return value is incorrect (Samba#14808).
     + samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when
       there is only an AAAA record for the DC in DNS (Samba#15226).
     + smbd crashes if an FSCTL request is done on a stream handle (Samba#15236).
     + auth3_generate_session_info_pac leaks wbcAuthUserInfo (Samba#15286).
     + Leak in wbcCtxPingDc2 (Samba#15164).
     + irpc_destructor may crash during shutdown (Samba#15280).
  • Share enumeration (netshareenum) fixes:
     + %U for include directive doesn't work for share listing (Samba#15243).
     + Shares missing from netshareenum response in samba 4.17.4 (Samba#15266).
     + Access based share enum does not work in Samba 4.16+ (Samba#15265).
     + Crash during share enumeration (Samba#15267).

15 december 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.8-alt1

  • Update to maintenance release of Samba 4.16 with fixes of the Samba CVE for
     the Windows Kerberos Elevation of Privilege Vulnerability disclosed by
     Microsoft on Nov 8 2022 (CVE-2022-37967, CVE-2022-37966).
  • Security fixes:
     + CVE-2022-37966: A Samba Active Directory DC will issue weak rc4-hmac
                       session keys for use between modern clients and servers
                       despite all modern Kerberos implementations supporting
                       the aes256-cts-hmac-sha1-96 cipher.
                       On Samba Active Directory DCs and members
                       'kerberos encryption types = legacy' would force
                       rc4-hmac as a client even if the server supports
                       aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96
                       (Samba#13135, Samba#15219, Samba#15237).
                        https://www.samba.org/samba/security/CVE-2022-37966.html

     + CVE-2022-37967: A service account with the special constrained
                       delegation permission could forge a more powerful
                       ticket than the one it was presented with (Samba#15231).
                        https://www.samba.org/samba/security/CVE-2022-37967.html

     + CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
                       same algorithms as rc4-hmac cryptography in Kerberos,
                       and so must also be assumed to be weak (Samba#15240).
                        https://www.samba.org/samba/security/CVE-2022-38023.html

12 december 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.7-alt5

  • Update text of summary for role-usershares and smb-conf-usershares.
  • Update default usershare prefix allow and deny lists:
     + usershare prefix deny list = /etc /dev /sys /proc
     + usershare prefix allow list = /home /srv /mnt /media /var
  • Add new controls for samba-usershares:
     + smb-conf-usershare-allow-list
     + smb-conf-usershare-deny-list
     + smb-conf-usershare-owner-only
     + smb-conf-usershare-allow-guests

8 december 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.7-alt4

  • Add role-sambashare control for compatibility during upgrade from previous
     manual managed settings of usershares.
  • Trigger sambashare as role with privilege usershares (Closes: #44379).

3 december 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.7-alt3

  • Avoid cycle dependencies on common service files.
  • Fix cycle dependencies on libRPC and libREG samba4 libraries.

29 november 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.7-alt2

  • Add role-usershares control allow or disallow for group users using of
     samba usershares as privilege.
  • Add compatibility support for sambashare group as common privilege assigned
     to usershares group (Closes: #44379).

22 november 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.7-alt1

  • Update to maintenance release of Samba 4.16 (Samba#15203)
  • Security fixes:
     + CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
                       integer overflows when parsing a PAC on a 32-bit system, which
                       allowed an attacker with a forged PAC to corrupt the heap.
                       https://www.samba.org/samba/security/CVE-2022-42898.html
       Workaround and mitigations:
       * No workaround on 32-bit systems as an AD DC
       * file servers are only impacted if in a non-AD domain
       * 64-bit systems are not exploitable

7 november 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.6-alt2

  • Don't treat a missing include file as an error in handle_include().
     This behavior differs between the source3 and source4 parts of Samba.
     So, it should be the same and just not an error (Closes #44214).

27 october 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.6-alt1

  • Update to maintenance release of Samba 4.16 (Samba#15134)
  • Security fixes:
     + CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
                      unwrap_des() and unwrap_des3() routines of Heimdal (included
                      in Samba).
                      https://www.samba.org/samba/security/CVE-2022-3437.html
  • Add samba-usershares package for support for non-root user shares.
  • Default smb.conf simplified - homes, printers and print$ shares enabled by
     default. Original large default example smb.conf replaced to smb.conf.example.

12 september 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.5-alt1

  • Update to latest stable release of Samba 4.16
  • Major fixes:
     + Possible use after free of connection_struct when iterating
       smbd_server_connection->connections (Samba#15128).
     + Spotlight RPC service returns wrong response when Spotlight is
       disabled on a share (Samba#15086).
     + acl_xattr VFS module may unintentionally use filesystem
       permissions instead of ACL from xattr (Samba#15126).
     + Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
       assert failed: !is_named_stream(smb_fname)") at
       ../../lib/util/fault.c:197 (Samba#15153).
     + Missing READ_LEASE break could cause data corruption (Samba#15148).
     + rpcclient can crash using setuserinfo(2) (Samba#15124).
     + Samba fails to build with glibc 2.36 caused by including
       <sys/mount.h> in libreplace (Samba#15132).
     + SMB1 negotiation can fail to handle connection errors (Samba#15152).
     + samba-tool domain join segfault when joining a samba ad domain (Samba#15078).

8 september 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.4-alt2

  • Add support (Heimdal only) of "ignore requester sid" global option for the
     correct operation of trust relationships with oldest versions of MS AD without
     KB5008380 Authentication updates (CVE-2021-42287).

31 july 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.16.4-alt1

  • Update to latest stable release of Samba 4.16
  • Major fixes:
     + New samba-dcerpcd binary to provide DCERPC in the member server setup.
     + Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support.
     + Certificate Auto Enrollment support with internal group policy mechanism.
     + Ability to add ports to dns forwarder addresses in internal DNS backend.
     + Older SMB1 protocol SMBCopy command removed.
     + SMB1 server-side wildcard expansion removed.
     + SMB1 protocol has been deprecated, particularly older dialects.
     + No longer using Linux mandatory locks for sharemodes.

31 july 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.15.9-alt1

  • Update to security release of Samba 4.15
  • Security fixes:
     + CVE-2022-2031:  Samba AD users can bypass certain restrictions associated
                       with changing passwords (Samba#15047).
     + CVE-2022-32744: Samba AD users can forge password change requests for any
                       user (Samba#15074).
     + CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
                       or modify request (Samba#15008).
     + CVE-2022-32746: Samba AD users can induce a use-after-free in the server
                       process with an LDAP add or modify request (Samba#15009).
     + CVE-2022-32742: Server memory information leak via SMB1 (Samba#15085).

27 june 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.15.8-alt1

  • Update to maintenance release of Samba 4.15 with latest bugfixes:
     + Setting fruit:resource = stream in vfs_fruit causes a panic (Samba#15099).
     + Fix logging dsdb audit to specific files (Samba#15076).
     + Fix vfs_gpfs with vfs_shadowcopy2 fail to restore file if original file had
       been deleted (Samba#15069).
     + Remove netgroups support (Samba#15087).
     + Fix smbclient commands del & deltree fail with
       NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS (Samba#15100).
     + Fix out-by-4 error in smbd read reply max_send clamp (Samba#14443).
     + s3:libads: Check if we have a valid sockaddr (Samba#15106).
     + smbd: Make non_widelink_open() robust for non-cwd dirfsp (Samba#15105).

27 june 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.15.7-alt4

  • Add samba-krb5-printing with CUPS backend for printing with Kerberos support.
  • Fix samba-tool domain backup DC with forced local samdb.

20 june 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.15.7-alt3

  • samba-dc: Replace internal helper program performing asynchronous
     printing-related jobs (samba-bgqd) to internal package directory.

19 june 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.15.7-alt2

  • Revert get_naming_master() for dc replica join, which requires due only domain
     naming master can create application directory partitions.
  • Fix smbd doesn't handle UPNs for looking up names (Samba#15054).
  • Fix net ads info shows LDAP Server: 0.0.0.0 (Samba#14674).
  • Fix logging dsdb audit to specific files does not work (Samba#15076).
  • Fix use pathref fd instead of io fd in vfs_default_durable_cookie (Samba#15042).
  • Fix vfs_gpfs recalls=no option prevents listing files (Samba#15055).
  • Fix smbget manpage (no &stdarg.encrypt anymore).

6 june 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.15.7-alt1

  • Update to release of Samba 4.15 with SMB multi-channel, Offline Domain Join,
     samba-tool dns zoneoptions for aging control, samba-tool domain backup offline
     with the LMDB backend and always use enterprise principals for Kerberos (so
     that the DC will be able to redirect ticket requests to the right DC) support.

5 april 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.14.13-alt1

  • Update to latest bugfix release of Samba 4.14
  • Fixes:
     + Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND.
     + Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with
       same lease key.
     + NT error code is not set when overwriting a file during rename in libsmbclient.
     + net ads info shows LDAP Server: 0.0.0.0 depending on contacted server.
     + wbinfo -a doesn't work reliable with upn names.
     + Problem when winbind renews Kerberos.
     + NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in
       SMBC_server_internal.
     + Multpile RODC fixes:
  • Simple bind doesn't work against an RODC (with non-preloaded users).
  • Crash of winbind on RODC.
  • Uncached logon on RODC always fails once.
  • Changing the machine password against an RODC likely destroys the domain join.
  • Simple bind doesn't work against an RODC (with non-preloaded users).
     + Avoid mixing the main krbtgt account keys with an RODC if the
       msDS-KeyVersionNumber is larger than 65535 (set 16 upper bits to zero).
     + Use Heimdal 8.0 (pre) rather than an earlier snapshot.
     + LDAP simple binds should honour "old password allowed period".
     + Fix ldap simple bind with TLS auditing.
     + "password hash userPassword schemes = CryptSHA256" does not seem to work
       with samba-tool.

3 march 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.14.12-alt2

  • Fix linking of some libraries (libsmbldap.so.2.1.0, libpopt-samba3-samba4.so,
     libsamba-modules-samba4.so, winbind_krb5_locator.so and smbpasswd.so):
     + find-requires: ERROR: /usr/lib/rpm/lib.req failed.

9 february 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.14.12-alt1

  • Update to latest security release of Samba 4.14
  • Security fixes:
     + CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
     + CVE-2022-0336:  Re-adding an SPN skips subsequent SPN conflict checks.

27 january 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.14.11-alt3

  • Update for the latest fixes release of Samba 4.14
     + Fix resolv_wrapper with glibc 2.34
     + kill_tcp_connections does not work
     + Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
       NT_STATUS_BUFFER_TOO_SMALL
     + Can't connect to Windows shares not requiring authentication using KDE/Gnome
     + Duplicate SMB file_ids leading to Windows client cache poisoning
     + Missing pop_sec_ctx() in error path inside close_directory()
     + rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack

16 january 2022 Evgeny Sinelnikov <sin at altlinux.org> 4.14.11-alt2

  • Apply s4u support patch for samba-4.15 (due already updated kdb code base):
     + basic local realm S4U support
     + enable S4U client support for MIT build
     + wip: for canonicalization with new MIT kdc code

15 december 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.11-alt1

  • Update to latest maintenance release of Samba 4.14.
  • Fix broken of recursive directory delete with veto files.
  • Fix directory containing dangling symlinks cannot be deleted by
     SMB2 alone when they are the only entry in the directory.

13 december 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.10-alt3

  • Update for the latest fixes release of Samba 4.14
     + CVE-2020-25727 idmap_nss, krb5 and s3-auth regressions
     + CVE-2021-3670 ldap_server, dsdb/anr and ldb (libldb-2.3.2-alt2) regressions
     + smbd: s3-dsgetdcname: handle num_ips == 0
     + dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
     + lib: handle NTTIME_THAW in nt_time_to_full_timespec()
     + IPA DC: add missing checks
     + s3:winbindd: fix "allow trusted domains = no" regression
  • Update tob more compatible with ALT distributions:
     + loadparm: Set parameter "min domain uid" deafult value to 500.

13 november 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.10-alt2

  • Add support samba-tool-plus alternative for samba-dc build with heimdal.

7 november 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.9-alt2

  • Rebuild with updated ldb-2.3.2 with backported all C code changes from
     ldb-2.4.1 to be available for Samba 4.14.x.

7 november 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.10-alt1

  • Update to latest security release of Samba 4.14
  • Security fixes:
     + CVE-2016-2124:  SMB1 client connections can be downgraded to plaintext
                       authentication.
                       https://www.samba.org/samba/security/CVE-2016-2124.html
     + CVE-2020-25717: A user on the domain can become root on domain members.
                       https://www.samba.org/samba/security/CVE-2020-25717.html
     + CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets
                       issued by an RODC.
                       https://www.samba.org/samba/security/CVE-2020-25718.html
     + CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in
                       Kerberos tickets.
                       https://www.samba.org/samba/security/CVE-2020-25719.html
     + CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
                       (eg objectSid).
                       https://www.samba.org/samba/security/CVE-2020-25721.html
     + CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
                       checking of data stored.
                       https://www.samba.org/samba/security/CVE-2020-25722.html
     + CVE-2021-3738:  Use after free in Samba AD DC RPC server.
                       https://www.samba.org/samba/security/CVE-2021-3738.html
     + CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
                       https://www.samba.org/samba/security/CVE-2021-23192.html

1 november 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.9-alt1

  • Update to latest security release of Samba 4.14
  • Backport bronze bit fixes, tests, and selftest improvements. Provide a fix
     for MS in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation
     bypass in Samba with embedded Heimdal (Fixes: CVE-2020-17049).

6 october 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.8-alt1

  • Update to latest security release of Samba 4.14
  • Fix performance regressions in lsa_LookupSids3/LookupNames4 since Samba 4.9 by
     using an explicit database handle cache and address a signifcant in database
     access in the AD DC since Samba 4.12.
  • Fix an unuthenticated user can crash the AD DC KDC by omitting the server name
     in a TGS-REQ (Fixes: CVE-2021-3671).

5 october 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.7-alt5

  • Add pythonarchdir repplacement due compatibility with alt security
     python trust mode (enabled if /etc/alt/security/python-trust exists).

20 september 2021 Ivan A. Melnikov <iv at altlinux.org> 4.14.7-alt4

  • Use parallel make install.
  • Make building and installing more verbose.
  • Explicitly list architectures where ceph is enabled
     (fixes build on riscv64).

1 september 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.7-alt3

  • Fix net ads join segmentation fault problem if ldap SRV host record not found.

31 august 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.7-alt2

  • Add dependency lmdb-utils to samba-dc-common due it is necessary
     for mdb store backend permits database sizes greater than 4Gb

24 august 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.7-alt1

  • Update to latest release of Samba 4.14 with smbd fixes

19 july 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.6-alt1

  • Update to latest release of Samba 4.14 with smbd and samba-tool fixes

4 june 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.5-alt1

  • Update to latest release of Samba 4.14 with ensure POSIX default ACL
     is mapped into returned Windows ACL for directory handles and fix
     uninitialized memory read in process_symlink_open() when used with
     vfs_shadow_copy2() for smbd.

17 may 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.4-alt4

  • winbindd: Fix a startup race with allocate_gid (Samba#14678)

14 may 2021 Michael Shigorin <mike at altlinux.org> 4.14.4-alt2.1

  • Fix doc knob

14 may 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.4-alt3

  • Update with latest fixes (Samba#14695, Samba#14696)

6 may 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.4-alt2

  • Fix backward compatibility to fixed version of libldb with CVE-2021-20254.
  • Replace auth and vfs libraries from samba-libs to samba-dc-libs and samba packages.
  • Build without separated libnetapi private library.

30 april 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.4-alt1

  • Fix buffer overrun in sids_to_unixids() (Fixes: CVE-2021-20254)
  • Final migration to /run directory (Closes: 35891, 36652, 39992)
  • Avoid build problems on e2k

12 april 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.2-alt3

  • Multiple build fixes:
     + Revert to use macros for e2k (due ALT#36315 was fixed).
     + Add samba-common-client subpackage with smb.conf and its staff only.
     + Add dumpmscat utility with libtasn1-devel and libtasn1-utils buildrequires.
     + Replace mdfind and mvxattr to samba-client from samba-common-tools.
     + Support pdbedit in separate heimdal server build.
     + Add /usr/include/samba-4.0 directory to devel packages.
     + Shift shared libraries between samba-libs and samba-common-libs to avoid
       cyclical dependencies.

11 april 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.2-alt2

  • Add separate admx-samba subpackage with Samba ADMX policy templates.
  • Replace ADMX policy templates to common PolicyDefinitions directory.
  • Set buildarch of samba-common and samba-dc-common to noarch.

25 march 2021 Evgeny Sinelnikov <sin at altlinux.org> 4.14.2-alt1

  • Update to latest stable security release of the Samba 4.14
  • Security fixes:
     + CVE-2020-27840: Heap corruption via crafted DN strings
     + CVE-2021-20277: Out of bounds read in AD DC LDAP server

22 march 2021 Evgeny Sinelikov <sin at altlinux.org> 4.14.0-alt1

  • Update to release of Samba 4.14 with client Group Policy support

13 march 2021 Evgeny Sinelikov <sin at altlinux.org> 4.13.5-alt1

  • Update to latest release of Samba 4.13

8 february 2021 Evgeny Sinelikov <sin at altlinux.org> 4.13.4-alt1

  • Update to latest release of Samba 4.13:
     + Insecure wide links functionality has been moved into a separate VFS module;
     + NT4-like 'classic' Samba domain controller mode and SMBv1 only protocol
       options has been deprecated.
  • Add snapper VFS module in separate samba-vfs-snapper package due it requires DBus.
  • Add samba group policy ADMX files to samba-dc-common package.
  • Add elasticsearch backend mappings json file for Metadata Search Service (mdssvc)
     to samba-common package.

18 january 2021 Evgeny Sinelikov <sin at altlinux.org> 4.12.11-alt1

  • Update to latest release of Samba 4.12

19 november 2020 Evgeny Sinelikov <sin at altlinux.org> 4.12.10-alt2

  • Spotlight searches against an SMB server mdfind utility in samba-common-tools
     conflicts with gnustep-gworkspace due it also includes mdfind (closes: 39295)

12 november 2020 Evgeny Sinelikov <sin at altlinux.org> 4.12.10-alt1

  • Update to latest release of Samba 4.12

29 october 2020 Evgeny Sinelikov <sin at altlinux.org> 4.12.9-alt1

  • Update to latest stable security release of the Samba 4.12
  • Security fixes:
     + CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify
     + CVE-2020-14323: Unprivileged user can crash winbind
     + CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records

8 october 2020 Evgeny Sinelikov <sin at altlinux.org> 4.12.8-alt1

  • Update to newest release of Samba 4.12

8 october 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.14-alt1

  • Update to latest stable security release of the Samba 4.11

19 september 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.13-alt1

  • Update to latest stable security release of the Samba 4.11
  • Security fixes:
     + CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon")
       https://www.samba.org/samba/security/CVE-2020-1472.html

26 august 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.12-alt1

  • Update to latest stable security release of the Samba 4.11

2 august 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.11-alt2

  • Update to latest fixes from testing
  • Remove derecated libwbclient install as alternative with libwbclient-sssd
  • Fix pygpo double memory free stackframe in py_ads_get_gpo_list()

7 july 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.11-alt1

  • Update to latest stable security release of the Samba 4.11
  • Security fixes:
     + CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
                       LDAP Server with ASQ, VLV and paged_results
     + CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU
     + CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV
     + CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd

30 june 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.10-alt1

  • Update to latest stable bugfix release of the Samba 4.11
  • Build with ldb 2.0.11, LMDB databases can grow without bounds.
  • Fix glusterfs build requires (Closes: 38038)

27 may 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.9-alt2

  • Apply patches from fedora:
     + Add use the new des_crypt56_gnutls() and remove builtin DES crypto
     + Remove DES support if MIT Kerberos version does not support it
     + Create working private krb5.conf due it used by DNS update tool and should
       have enough details to authenticate with GSS-TSIG when running nsupdate

27 may 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.9-alt1

  • Update to latest stable bugfix release of the Samba 4.11

28 april 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.8-alt1

  • Update to latest stable security release of the Samba 4.11
  • Security fixes:
     + CVE-2020-10700: Fix use-after-free in AD DC LDAP server when ASQ and paged_results combined
     + CVE-2020-10704: Fix LDAP Denial of Service (stack overflow) in Samba AD DC

10 march 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.7-alt1

  • Update to latest spring release of Samba 4.11
  • Fix search with scope ONE and small result sets with ldb-2.0.9

6 february 2020 Evgeny Sinelikov <sin at altlinux.org> 4.11.6-alt1

  • Update to newest release of Samba 4.11

24 january 2020 Evgeny Sinelikov <sin at altlinux.org> 4.10.13-alt1

  • Update to latest stable release of the Samba 4.10
  • Security fixes:
     + CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic
     + CVE-2019-14907: Crash after failed character conversion at log level 3 or above
     + CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC

23 january 2020 Grigory Ustinov <grenka at altlinux.org> 4.10.11-alt2

  • Build without python2 support
  • Get rid of ubt macros

13 december 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.11-alt1

  • Update to last security winter release
  • Security fixes:
     + CVE-2019-14861: Samba AD DC zone-named record Denial of Service in DNS management server
     + CVE-2019-14870: DelegationNotAllowed not being enforced in protocol transition on Samba AD DC

29 october 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.10-alt1

  • Update to second security autumn release
  • Security fixes:
     + CVE-2019-10218 Client code can return filenames containing path separators
     + CVE-2019-14833 Samba AD DC check password script does not receive the full password
     + CVE-2019-14847 User with "get changes" permission can crash AD DC LDAP server via dirsync

19 october 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.9-alt1

  • Update to latest autumn release

11 september 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.8-alt2

  • Add requires samba-dc-mitkrb5 for samba
  • Use krb5.conf from the Samba private directory in MIT KDC service

3 september 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.8-alt1

  • Update to first security autumn release
  • Fix samba-gpupdate check sysvol path with ignore case for compatibility
  • Security fixes:
     + CVE-2019-10197 Permissions check deny can allow user to escape from the share

22 august 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.7-alt1

  • Update to final summer release with fixed joining a Windows pre-2008R2 DC
  • Fix lookup requests from AD DCs over LSA RPC to FreeIPA domain controller

14 august 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.6-alt2

  • Change lstat to stat check in directory_create_or_exist for compatibility
     with oldstyle /var/run due it symlink in modern linux installations

12 august 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.6-alt1

  • Update to latest summer release

31 july 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.5-alt1

  • Update to latest security release
  • Security fixes:
     + CVE-2019-12435 Samba AD DC Denial of Service in DNS management server (dnsserver)
     + CVE-2019-12436 Samba AD DC LDAP server crash (paged searches)

19 july 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.3-alt5

  • Partial fixes for SMBLoris vulnerability on smbd
     + Add smbd read timeout parameter
     + Set max smbd processes to 768

4 july 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.3-alt4

  • Remove conflict to libwbclient-sssd due problem that apt install
     it for with gssntlmssp-debuginfo (Closes: 36750)
  • New metapackage task-samba-dc-mitkrb5 to install complete Domain Controller
     with MIT Kerberos server and libraries

14 june 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.3-alt3

  • Add requires samba-common-tools for samba-common

27 may 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.3-alt2

  • Build with MIT and Heimdal separately
  • Fix upgrade of latest samba-4.9 builds from branches

27 may 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.3-alt1

  • Update to latest security release
  • Security fixes:
     + CVE-2018-16860 Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum

27 may 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.2-alt2

  • Initial support build with MIT and Heimdal separately:
     + Replace common DC and Winbind common files to separate subpackages
     + Add samba-vfs-cephfs and samba-vfs-glusterfs subpackages

11 april 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.2-alt1

  • Update to spring security release
  • Security fixes:
     + CVE-2019-3870 World writable files in Samba AD DC private/ dir
     + CVE-2019-3880 Save registry file outside share as unprivileged user

9 april 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.1-alt1

  • Update to second release of Samba 4.10

20 march 2019 Evgeny Sinelikov <sin at altlinux.org> 4.10.0-alt1

  • Update to first release of Samba 4.10

19 march 2019 Evgeny Sinelikov <sin at altlinux.org> 4.9.5-alt2

  • Fix build compatibility for newest architectures with not exists
     macroses on stable branches

15 march 2019 Evgeny Sinelikov <sin at altlinux.org> 4.9.5-alt1

  • Update to latest release with security ldb fixes (CVE-2019-3824)
  • Prepare to replace runtime files from /var/run to /run directory

23 february 2019 Alexey Shabalin <shaba at altlinux.org> 4.9.4-alt4

  • disable support ceph on 32-bit arch

28 january 2019 Evgeny Sinelikov <sin at altlinux.org> 4.9.4-alt3

  • Merge samba and samba-DC packages into single package
  • Rename samba-DC to samba-dc for compatibilty

2 january 2019 Evgeny Sinelikov <sin at altlinux.org> 4.9.4-alt2

  • Merge and rebuild for e2k
  • Change group access for private directory due effective mask with acl

20 december 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.9.4-alt1

  • Update to first winter security release
  • Security fixes regressions:
     + CVE-2018-16853 Do not segfault if client is not set
     + CVE-2018-14629 Fix CNAME loop prevention using counter regression

28 november 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.9.3-alt1

  • Update to autumn security release
  • Revert Samba DC to build with internal Heimdal Kerberos implementation
  • Clean test module of third_party/iso8601 and subunit modules
  • Security fixes:
     + CVE-2018-14629 Unprivileged adding of CNAME record causing loop in AD Internal DNS server
     + CVE-2018-16841 Double-free in Samba AD DC KDC with PKINIT
     + CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server
     + CVE-2018-16852 NULL pointer de-reference in Samba AD DC DNS servers
     + CVE-2018-16853 Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)
     + CVE-2018-16857 Bad password count in AD DC not always effective

13 october 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.9.1-alt1

  • Rebuild latest release of Samba 4.9 without ubt macros

11 october 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.8.6-alt1

  • Update to latest autumn release
  • Disable ubt macros due binary package identity change

25 september 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.9.1-alt1.S1

  • Update to second release of Samba 4.9

18 september 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.9.0-alt1.S1

  • Update to first release of Samba 4.9

14 september 2018 Alexey Sheplyakov <asheplyakov at altlinux.org> 4.8.5-alt2.S1

  • Fixed the patch which allows joining to Windows based domain controllers

24 august 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.8.5-alt1.S1

  • Update to latest summer release

14 august 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.8.4-alt1.S1

  • Update to summer security release
  • Security fixes:
     + CVE-2018-1139 Weak authentication protocol allowed
     + CVE-2018-1140 Denial of Service Attack on DNS and LDAP server
     + CVE-2018-10858 Insufficient input validation on client directory
       listing in libsmbclient
     + CVE-2018-10918 Denial of Service Attack on AD DC DRSUAPI server
     + CVE-2018-10919 Confidential attribute disclosure from the AD LDAP server
    + Build with subpackage for Python3

7 july 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.8.3-alt2.S1

  • Rebuild Samba DC with MIT Kerberos
  • Fix join.py with automatically connect to domain naming master

4 july 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.8.3-alt1.S1

  • Update to new summer release of Samba 4.8

21 june 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.7.8-alt1.S1

  • Update to first summer release of Samba 4.7
  • Fix doc knob: task-samba-dc should conditionally R: samba-DC-doc
  • Rebuild for e2k with missing SYS_setgroups32
  • Disable glusterfs and cephfs for e2k
  • Disable cephfs support for mipsel

8 june 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.7.7-alt2.S1

  • Split samba-DC-common to separate samba-DC-common-tools
  • Fix build against new python Sisyphus release with libnsl2

27 april 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.8.1-alt1.S1

  • Update to latest release of Samba 4.8

19 april 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.7.7-alt1.S1

  • Update to first spring release of Samba 4.7

23 march 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.7.6-alt1.S1

  • Update to latest winter release of Samba 4.7

15 march 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.6.14-alt1.S1.1

  • Rebuild security release (Fixes: CVE-2018-1050, CVE-2018-1057) with old
     ceph version without libceph-common for c7/c8

12 march 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.6.14-alt1.S1

  • Update to spring security release
  • Security fixes:
     + CVE-2018-1050 Codenomicon crashes in spoolss server code
     + CVE-2018-1057 Unprivileged user can change any user (and admin) password

20 february 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.6.13-alt1.S1

  • Update to second winter release with common bugfixes

23 january 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.6.12-alt2.S1

  • Fix trouble with joined machine account moving when it already exists.
     Move it only if the admin specified an explicit OU (Samba bug #12696)

5 january 2018 Evgeny Sinelnikov <sin at altlinux.org> 4.7.4-alt1.S1

  • Update to first winter release of Samba 4.7

21 december 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.6.12-alt1.S1

  • Update to first winter release with common bugfixes (closes: 33210)

23 november 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.6.11-alt2.S1

  • Backport from Heimdal upstream include/includedir directives for krb5.conf

21 november 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.7.3-alt1.S1

  • Update for second autumn security release of Samba 4.7

21 november 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.6.11-alt1.S1

  • Second autumn security release (Fixes: CVE-2017-14746, CVE-2017-15275)

17 november 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.7.2-alt1.S1

  • Update to third autumn release of Samba 4.7

16 november 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.6.10-alt1.S1

  • Update for third autumn release with common bugfixes

14 november 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.7.1-alt1.S1

  • Update for second autumn release with common bugfixes of Samba 4.7

25 october 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.7.0-alt2.S1

  • Fix KDC not works in configuration with trusted domain (samba bug #13078)

25 october 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.6.9-alt1.S1

  • Update for second autumn release with common bugfixes

12 october 2017 Evgeny Sinelnikov <sin at altlinux.org> 4.6.8-alt3.S1

  • Fix KDC not works in configuration with trusted domain (samba bug #13078)

27 september 2017 Alexey Shabalin <shaba at altlinux.ru> 4.6.8-alt2.S1

  • rebuild with new  libcephfs

22 september 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.7.0-alt1.S1

  • Update to new autumn release of Samba 4.7
  • Revert removed lpcfg_register_defaults_hook() for openchange

20 september 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.8-alt1.S1

  • Update for autumn security release:
     + CVE-2017-12150 (SMB1/2/3 connections may not require signing where they
      should)
     + CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects)
     + CVE-2017-12163 (Server memory information leak over SMB1)

20 september 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.7-alt3.S1

  • Avoid build trouble with ubt macros id on branch c8

18 august 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.7-alt2.S1

  • Clean code from old merged chunks

9 august 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.7-alt1.S1

  • Update to second summer release

15 july 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.6-alt2.S1

  • Rebuild with universal build tag (aka ubt macros) for p7 and c7

12 july 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.6-alt1.S1

  • Update to summer security release
  • Security fixes:
     + CVE-2017-11103 Orpheus' Lyre KDC-REP service name validation

20 june 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.5-alt2.S1

  • Remove conflict samba-DC-libs with samba-libs
  • Adjust python module requirement to samba-DC-common-libs
  • Add conflict python-module-samba-DC with python-module-samba

6 june 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.5-alt1.S1

  • Udpate to first summer release

5 june 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.4-alt2.S1

  • Add libldb-modules-DC package with domain controller ldb modules for ldb-tools
  • Add samba-DC-common-libs with libraries for common modules
  • Append list of libraries consists in libwbclient-DC to not require
     samba-DC-common-libs

24 may 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.4-alt1.S1

  • Update to second spring security release
  • Fix longtime initialization bug in ldb proxy
  • Security fixes:
     + CVE-2017-7494 Remote code execution from a writable share

25 april 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.3-alt1.S1

  • Udpate to second spring release
  • Remove conflict winbind with libwbclient-sssd due upgrade problems

12 april 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.2-alt2.S1

  • Fix problem with failed to create kerberos keytab during join to domain

31 march 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.2-alt1.S1

  • Update with regression fix of spring security release
  • Revert winbind problem fixes with access user to keytab due troubles in 4.6.x

23 march 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.1-alt1.S1

  • Update to spring security release
  • Fixed build --without docs (closes: 33118)
  • Security fixes:
     + CVE-2017-2619 Symlink race allows access outside share definition

7 march 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.6.0-alt1.S1

  • Udpate to first spring release
  • Revert removed unused DCERPC_FAULT_UNK_IF for openchange

1 february 2017 Evgeny Sinelnikov <sin at altlinux.ru> 4.5.5-alt1.S1

  • Update to winter release
  • Fix PAM winbind problem with access user to keytab

28 december 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.5.3-alt2.S1

  • Do not delete an existing valid credential cache for KEYRING type
  • Set FQDN to lower at fill_mem_keytab_from_system_keytab()

19 december 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.5.3-alt1.S1

  • Update for release with security fixes:
  • CVE-2016-2123 (ndr_pull_dnsp_name contains an integer wrap problem)
  • CVE-2016-2125 (client code always requests a forwardable ticket)
  • CVE-2016-2126 (crash winbindd using a legitimate Kerberos ticket)

19 december 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.5.2-alt1.S1

  • Udpate to first winter release

3 december 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.5.1-alt2

  • Add conflict winbind with libwbclient-sssd due compatibility
  • Update build dependencies versions for external samba libraries
  • Build with separate libwbclient-DC

28 october 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.5.1-alt1

  • Update with variety of fixes for autumn release

8 september 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.5.0-alt1

  • Update to new autumn release

8 july 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.4.5-alt1

  • Update for security release with CVE-2016-2119

30 june 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.4.4-alt3

  • Apply fixes for DRSUAPI limits of too strict for some workloads,
     e.g. DRSUAPI replication with large objects.
      https://bugzilla.samba.org/show_bug.cgi?id=11948
    + Set DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
    + Allow a total reassembled response payload of 240 MBytes

29 june 2016 Andrey Cherepanov <cas at altlinux.org> 4.4.4-alt2

  • Package libsamba_util private headers to package
     samba-DC-util-private-headers

10 june 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.4.4-alt1

  • Update to new version

24 may 2016 Alexey Shabalin <shaba at altlinux.ru> 4.4.3-alt3

  • build with libsystemd without compat libs
  • add patches from fedora
  • add again samba-grouppwd.patch

23 may 2016 Evgeny Sinelnikov <sin at altlinux.ru> 4.4.3-alt2

  • Fix rpc_server/drsuapi: Set msDS_IntId as attid for linked attributes if exists

4 may 2016 Andrey Cherepanov <cas at altlinux.org> 4.4.3-alt1

  • New version

28 april 2016 Andrey Cherepanov <cas at altlinux.org> 4.4.2-alt2

  • Fix CVE-2016-2110/NTLMSSP regression (https://bugzilla.samba.org/show_bug.cgi?id=11849)

12 april 2016 Andrey Cherepanov <cas at altlinux.org> 4.4.2-alt1

  • New version
  • Security fixes:
  • CVE-2015-5370 (Multiple errors in DCE-RPC code)
  • CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
  • CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
  • CVE-2016-2112 (LDAP client and server don't enforce integrity)
  • CVE-2016-2113 (Missing TLS certificate validation)
  • CVE-2016-2114 ("server signing = mandatory" not enforced)
  • CVE-2016-2115 (SMB IPC traffic is not integrity protected)
  • CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)

22 march 2016 Andrey Cherepanov <cas at altlinux.org> 4.4.0-alt1

  • New version (https://www.samba.org/samba/history/samba-4.4.0.html)
  • Remove samba-DC-test-build and samba-DC-ctdb-devel

13 march 2016 Andrey Cherepanov <cas at altlinux.org> 4.3.6-alt2

  • Rebuild with new libtalloc

9 march 2016 Andrey Cherepanov <cas at altlinux.org> 4.3.6-alt1

  • New version (https://www.samba.org/samba/history/samba-4.3.6.html)
  • Security fixes:
  • CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
  • CVE-2016-0771 (Out-of-bounds read in internal DNS server)
  • Do not use specified GID for wbpriv group

3 march 2016 Andrey Cherepanov <cas at altlinux.org> 4.3.5-alt1

  • New version (https://www.samba.org/samba/history/samba-4.3.5.html)

12 january 2016 Andrey Cherepanov <cas at altlinux.org> 4.3.4-alt1

  • New version (https://www.samba.org/samba/history/samba-4.3.4.html)

24 december 2015 Andrey Cherepanov <cas at altlinux.org> 4.3.3-alt2

  • Change services type from notify to forking

16 december 2015 Andrey Cherepanov <cas at altlinux.org> 4.3.3-alt1

  • New version (https://www.samba.org/samba/history/samba-4.3.3.html)
  • Security fixes:
  • CVE-2015-3223 (Denial of service in Samba Active Directory
     server)
  • CVE-2015-5252 (Insufficient symlink verification in smbd)
  • CVE-2015-5299 (Missing access control check in shadow copy
     code)
  • CVE-2015-5296 (Samba client requesting encryption vulnerable
     to downgrade attack)
  • CVE-2015-8467 (Denial of service attack against Windows
     Active Directory server)
  • CVE-2015-5330 (Remote memory read in Samba LDAP server)

8 december 2015 Igor Vlasenko <viy at altlinux.ru> 4.3.2-alt1.1

  • NMU: dropped unused prehistoric BR: perl-Perl4-CoreLibs

1 december 2015 Andrey Cherepanov <cas at altlinux.org> 4.3.2-alt1

  • New version (https://www.samba.org/samba/history/samba-4.3.2.html)
  • Enable RPATH in installed files to correct link using .pc files

26 november 2015 Andrey Cherepanov <cas at altlinux.org> 4.3.1-alt3

  • Remove libxfs-qa-devel from build requirements
  • Package samba-DC-ctdb, samba-DC-ctdb-devel and samba-DC-ctdb-tests

16 november 2015 Andrey Cherepanov <cas at altlinux.org> 4.3.1-alt2

  • Enable clustering support

20 october 2015 Andrey Cherepanov <cas at altlinux.org> 4.3.1-alt1

  • New version (https://www.samba.org/samba/history/samba-4.3.1.html)
  • New metapackage task-samba-dc to install complete Domain Controller

22 september 2015 Andrey Cherepanov <cas at altlinux.org> 4.3.0-alt2

  • Exclude libnss_win* from debuginfo
  • Make libnss_win* symlinks to /lib*
  • Package unit samba.service for systemd
  • Add conditional build of winbind part
  • Move all libraries to samba-DC-libs
  • Remove duplicated requirements

10 september 2015 Andrey Cherepanov <cas at altlinux.org> 4.3.0-alt1

  • New version (https://www.samba.org/samba/history/samba-4.3.0.html)
  • Requires /proc for doc generation

24 august 2015 Andrey Cherepanov <cas at altlinux.org> 4.2.3-alt2

  • Build in dc mode in /usr/lib64/samba-dc to prevent link conflict
     with ordinary samba in repository
  • Build without libsmbclient, libwbclient and libnetapi
  • Move documentation to /usr/share/doc/samba

14 july 2015 Andrey Cherepanov <cas at altlinux.org> 4.2.3-alt1

  • New version of Samba AD DC

1 june 2015 Andrey Cherepanov <cas at altlinux.org> 4.2.2-alt1

  • New version of Samba AD DC

29 april 2015 Andrey Cherepanov <cas at altlinux.org> 4.2.1-alt1

  • New version of Samba AD DC
  • Fix post/postun hooks for samba init script

10 april 2015 Andrey Cherepanov <cas at altlinux.org> 4.2.0-alt1

  • New version of Samba AD DC
  • Enable documentation build

23 february 2015 Andrey Cherepanov <cas at altlinux.org> 4.1.17-alt1

  • New version
  • Security fixes:
     + fixes CVE-2015-0240 (security flaw in the smbd file server daemon)

15 january 2015 Andrey Cherepanov <cas at altlinux.org> 4.1.16-alt1

  • New version
  • Security fixes:
     + CVE-2014-8143: Samba's AD DC allows the administrator to delegate
       creation of user or computer accounts to specific users or groups.
       However, all released versions of Samba's AD DC did not implement the
       additional required check on the UF_SERVER_TRUST_ACCOUNT bit in the
       userAccountControl attributes.

14 january 2015 Andrey Cherepanov <cas at altlinux.org> 4.1.15-alt1

  • New version

25 december 2014 Andrey Cherepanov <cas at altlinux.org> 4.1.14-alt0.M70P.1

  • New version
  • Disable build documentation because it cannot built

20 october 2014 Andrey Cherepanov <cas at altlinux.org> 4.1.13-alt0.M70P.1

  • New version
  • Do not use pidfile to stop service samba

14 october 2014 Andrey Cherepanov <cas at altlinux.org> 4.1.12-alt0.M70P.1

  • New version

13 october 2014 Andrey Cherepanov <cas at altlinux.org> 4.1.11-alt1.M70P.1

  • Build in DC mode
  • Fix mitkrb5 support with and without DC mode
  • Build on all available cores. Increase build and install verbosity
  • Add setproctitle support
  • Set verbosity level of make by VERBOSE option (-v, -vv or -vvv)
  • Remove missing upgradeprovision programm
  • Add initscript for samba
  • Add dlz_bind9_9.so
  • Rename to samba-DC conflicted by ordinary samba
  • Add tdb-utils for samba_upgradedns program
  • Use %force_with to really set flag for tests

27 august 2014 Alexey Shabalin <shaba at altlinux.ru> 4.1.11-alt2

  • update init scripts for ALTLinux

5 august 2014 Alexey Shabalin <shaba at altlinux.ru> 4.1.11-alt1

  • 4.1.11
  • fixed unstrcpy macro length is invalid(CVE-2014-3560)

28 july 2014 Alexey Shabalin <shaba at altlinux.ru> 4.1.10-alt1

  • 4.1.10

24 june 2014 Alexey Shabalin <shaba at altlinux.ru> 4.1.9-alt1

  • 4.1.9
  • fixed nmbd denial of service(CVE-2014-0244)
  • fixed Segmentation fault in smbd_marshall_dir_entry(CVE-2014-3493)

4 june 2014 Alexey Shabalin <shaba at altlinux.ru> 4.1.8-alt1

  • 4.1.8
  • fixed CVE-2014-0239, CVE-2014-0178

7 may 2014 Alexey Shabalin <shaba at altlinux.ru> 4.1.7-alt2

  • add winbind-krb5-locator package

5 may 2014 Alexey Shabalin <shaba at altlinux.ru> 4.1.7-alt1

  • 4.1.7

17 march 2014 Alexey Shabalin <shaba at altlinux.ru> 4.1.6-alt1

  • 4.1.6
  • fixed CVE-2013-4496, CVE-2013-6442

15 january 2014 Alexey Shabalin <shaba at altlinux.ru> 4.1.4-alt1

  • 4.1.4

9 december 2013 Alexey Shabalin <shaba at altlinux.ru> 4.1.3-alt1

  • 4.1.3
  • fixed CVE-2013-4408, CVE-2012-6150

4 december 2013 Alexey Shabalin <shaba at altlinux.ru> 4.1.2-alt1

  • 4.1.2
  • drop swat package
  • change build options:
     + --with-profiling-data
     + drop --disable-ntdb
     + --without-fam
     + drop --builtin-libraries=ccan
  • build with avahi support
  • build with external libntdb

27 november 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.12-alt1

  • 4.0.12

12 november 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.11-alt1

  • 4.0.11
  • fixed CVE-2013-4475, CVE-2013-4476

8 october 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.10-alt1

  • 4.0.10

26 august 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.9-alt1

  • 4.0.9
  • add -D options for default forking type start of services to sysV init and systemd

7 august 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.8-alt1

  • 4.0.8
  • fixed CVE-2013-4124

3 july 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.7-alt1

  • 4.0.7

23 may 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.6-alt1

  • 4.0.6

9 april 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.5-alt1

  • 4.0.5

19 march 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.4-alt1

  • 4.0.4 (fixed CVE-2013-186)
  • add /var/cache/samba to samba-common package (ALT#28601)

25 february 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.3-alt2

  • make systemctl reference indirect in packaging/NetworkManager/30-winbind-systemd (ALT#28585)

15 february 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.3-alt1

  • 4.0.3
  • build as default samba, replaced samba4 packages
  • rename pdb_ldap to pdb_ldapsam

4 february 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.2-alt2

  • obsoletes libnetapi4,libwbclient4,libsmbclient4 by samba4-libs if build without them

4 february 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.2-alt1

  • 4.0.2
  • fixed gensec: Allow login without a PAC by default (samba bug #9581)

1 february 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.1-alt3

  • build without libnetapi
  • add symlink ldapsam.so to ldap.so

31 january 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.1-alt2

  • build without libsmbclient and libwbclient

28 january 2013 Alexey Shabalin <shaba at altlinux.ru> 4.0.1-alt1

  • 4.0.1

21 december 2012 Alexey Shabalin <shaba at altlinux.ru> 4.0.0-alt2

  • 4.0.0 release

28 march 2012 Alexey Shabalin <shaba at altlinux.ru> 4.0.0-alt1.alpha18

  • alpha18

22 october 2011 Vitaly Kuznetsov <vitty at altlinux.ru> 4.0.0-alt1.alpha16.1

  • Rebuild with Python-2.7

8 august 2011 Alexey Shabalin <shaba at altlinux.ru> 4.0.0-alt1.alpha16

  • alpha16

11 may 2011 Alexey Shabalin <shaba at altlinux.ru> 4.0.0-alt1.alpha15

  • alpha15

14 april 2011 Alexey Shabalin <shaba at altlinux.ru> 4.0.0-alt0.alpha15

  • pre alpha15 snapshot

23 september 2010 Alexey Shabalin <shaba at altlinux.ru> 4.0.0-alt1.alpha13

  • Upgrade to alpha13

13 august 2010 Alexey Shabalin <shaba at altlinux.ru> 4.0.0-alt1.alpha11

  • initial build for ALT Linux Sisyphus

28 june 2010 Ralf Corsépius <corsepiu at fedoraproject.org> - 4.0.0-24.alpha11

  • Revert changes to %Release, use %main_release instead.
  • Rebuild for perl-5.12.x.

28 june 2010 Ralf Corsépius <corsepiu at fedoraproject.org> - 4.0.0-23.alpha11.2

  • Once again rebuild for perl-5.12.x.

2 june 2010 Marcela Maslanova <mmaslano at redhat.com> - 4.0.0-23.alpha11.1

  • Mass rebuild with perl-5.12.0

24 february 2010 Stephen Gallagher <sgallagh at redhat.com> - 4.0.0-23.alpha11

  • Rebuild against newer libtevent

24 january 2010 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-22.alpha11

  • Upgrade to alpha11

8 january 2010 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-21.alpha10

  • Bump ldb_version to 0.9.10.

8 january 2010 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-20.alpha10

  • Only install new command-line utilities if enable_samba4 is non-zero.

6 january 2010 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-19.alpha10

  • Upgrade to alpha10

17 september 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-18.alpha8_git20090916

  • Fix broken dependencies

17 september 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-18.1.alpha8_git20090916

  • Need docbook stuff to build man pages

16 september 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-17.alpha8_git20090916

  • Upgrade to alpha8-git20090916

16 september 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-16.alpha7

  • Stop building libtevent, it is now an external package

26 july 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.0.0-15.2alpha7.1

  • Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

22 may 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-15.2alpha7

  • Fix dependency

9 may 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-15.1alpha7

  • Don't build talloc and tdb, they are now separate packages

6 april 2009 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-14alpha7

  • Fix a build issue in samba4-common (RH bug #494243).

25 march 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-13alpha7

  • rebuild with correct CFLAGS (also fixes debuginfo)

10 march 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-12alpha7

  • Second part of fix for the ldb segfault problem from upstream

9 march 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-11alpha7

  • Add upstream patch to fix a problem within ldb

8 march 2009 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-10alpha7

  • Remove ldb.pc from samba4-devel (RH bug #489186).

4 march 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-9alpha7

  • Make talloc,tdb,tevent,ldb easy to exclude using defines
  • Fix package for non-mock "dirty" systems by deleting additional
     files we are not interested in atm

4 march 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-8alpha7

  • Fix typo in Requires

2 march 2009 Simo Sorce <ssorce at redhat.com> - 4.0.0-7alpha7

  • Compile and have separate packages for additional samba libraries
     Package in their own packages: talloc, tdb, tevent, ldb

27 february 2009 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-4.alpha7

  • Update to 4.0.0alpha7

25 february 2009 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-3.alpha6

  • Formal package review cleanups.

23 february 2009 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-2.alpha6

  • Disable subpackages not needed by OpenChange.
  • Incorporate package review feedback.

19 january 2009 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-1.alpha6

  • Update to 4.0.0alpha6

17 december 2008 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-0.8.alpha6.GIT.3508a66

  • Fix another file conflict: smbstatus

12 december 2008 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-0.7.alpha6.GIT.3508a66

  • Disable the winbind subpackage because it conflicts with samba-winbind
     and isn't needed to support OpenChange.

12 december 2008 Matthew Barnes <mbarnes at redhat.com> - 4.0.0-0.6.alpha6.GIT.3508a66

  • Update to the GIT revision OpenChange is now requiring.

29 august 2008 Andrew Bartlett <abartlet at samba.org> - 0:4.0.0-0.5.alpha5.fc10

  • Fix licence tag (the binaries are built into a GPLv3 whole, so the BSD licence need not be mentioned)

25 july 2008 Andrew Bartlett <abartlet at samba.org> - 0:4.0.0-0.4.alpha5.fc10

  • Remove talloc and tdb dependency (per https://bugzilla.redhat.com/show_bug.cgi?id=453083)
  • Fix deps on chkconfig and service to main pkg (not -common)
     (per https://bugzilla.redhat.com/show_bug.cgi?id=453083)

21 july 2008 Brad Hards <bradh at frogmouth.ent> - 0:4.0.0-0.3.alpha5.fc10

  • Use --sysconfdir instead of --with-configdir
  • Add patch for C++ header compatibility

30 june 2008 Andrew Bartlett <abartlet at samba.org> - 0:4.0.0-0.2.alpha5.fc9

  • Update per review feedback
  • Update for alpha5

26 june 2008 Andrew Bartlett <abartlet at samba.org> - 0:4.0.0-0.1.alpha4.fc9

  • Rework Fedora's Samba 3.2.0-1.rc2.16 spec file for Samba4
 
design & coding: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin