| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search | 
| Name: samba-winbind-libs | Distribution: openSUSE Tumbleweed | 
| Version: 4.22.5+git.431.dc5a539f124 | Vendor: openSUSE | 
| Release: 1.1 | Build date: Wed Oct 15 14:55:57 2025 | 
| Group: Development/Libraries/C and C++ | Build host: reproducible | 
| Size: 1313294 | Source RPM: samba-4.22.5+git.431.dc5a539f124-1.1.src.rpm | 
| Packager: http://bugs.opensuse.org | |
| Url: https://www.samba.org/ | |
| Summary: Winbind Daemon libraries | |
This package contains the libraries required by the Winbind daemon.
GPL-3.0-or-later
* Wed Oct 15 2025 Noel Power <noel.power@suse.com>
  - Update to 4.22.5
    * CVE-2025-10230: Command injection via WINS server hook
      script (bso#15903); (bsc#1251280).
    * CVE-2025-9640: uninitialized memory disclosure via
      vfs_streams_xattr; (bso#15885); (bsc#1251279).
* Wed Oct 01 2025 Samuel Cabrero <scabrero@suse.de>
  - Relax samba-gpupdate requirement for cepces, certmonger, and sscep
    to a recommends. They are only required if utilizing certificate
    auto enrollment (bsc#1249087).
* Thu Sep 25 2025 Noel Power <noel.power@suse.com>
  - Disable timeouts for smb.service so that possibly slow running
    ExecStartPre script 'update-samba-security-profile' doesn't
    cause service start to fail due to timeouts;(bsc#1249181).
* Thu Sep 25 2025 Noel Power <noel.power@suse.com>
  - Ensure semanage is pulled in as a requirement when samba in
    installed when selinux security access mechanism that is used;
    (bsc#1249180).
* Thu Sep 25 2025 Noel Power <noel.power@suse.com>
  - don't attempt to label paths that don't exist, also remove
    unecessary evaluation of semange & restorecon cmds;(bsc#1249179).
* Thu Sep 25 2025 Noel Power <noel.power@suse.com>
  - Update to 4.22.4
    * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
      SysvolReady=0; (bso#14981).
    * getpwuid does not shift to new DC when current DC is down;
      (bso#15844).
    * Windows security hardening locks out schannel'ed netlogon dc
      calls like netr_DsRGetDCName-; (bso#15876).
    * Unresponsive second DC can cause idmapping failure when using
      idmap_ad-; (bso#15881).
    * kinit command is failing with Missing cache Error;
      (bso#15840).
    * Figuring out the DC name from IP address fails and breaks
      fork_domain_child(); (bso#15891).
    * vfs_streams_depot fstatat broken; (bso#15816).
    * Delayed leader broadcast can block ctdb forever; (bso#15892).
    * Apparently there is a conflict between shadow_copy2 module
      and virusfilter (action quarantine); (bso#15663).
    * Fix handling of empty GPO link; (bso#15877).
    * SMB ACL inheritance doesn't work for files created;
      (bso#15880).
* Fri Jul 25 2025 Andreas Stieger <andreas.stieger@gmx.de>
  - adjust gpgme build dependency for future-proofing
* Tue Jul 08 2025 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.22.3
    * samba-tool cannot add user to group whose name is exactly 16
      characters long; (bso#15854);
    * Windows security hardening locks out schannel'ed netlogon dc
      calls like netr_DsRGetDCName; (bsc#1246431); (bso#15876);
    * Startup messages of rpc deamons fills /var/log/messages;
      (bso#15869);
* Fri Jun 06 2025 Noel Power <nopower@suse.com>
  - Update to 4.22.2
    * (CVE-2025-0620) [SECURITY] CVE-2025-0620: smbd doesn't pick
      up group membership changes when re-authenticating an expired
      SMB session; (bso#15707); (bsc#1244136).
    * Profile sync fails due to Directory Leases; (bso#15861).
    * net ad join fails with "Failed to join domain: failed to
      create kerberos keytab"; (bso#15727).
    * dcerpcd not able to bind to listening port; (bso#15851).
    * vfs_ceph_snapshots fails to list snapshots for entries at any
      level beyond share root; (bso#15819).
    * CTDB does not put nodes running NFS into grace on graceful
      shutdown; (bso#15858).
* Fri May 09 2025 Noel Power <nopower@suse.com>
  - Update and rename update-apparmor-samba-profile script to
    update-samba-security-profile. It additionally now caters
    for selinux (if selinux is used); (bsc#1241391);
* Wed Apr 30 2025 Samuel Cabrero <scabrero@suse.de>
  - Update smb.conf to enable SMB3 unix extensions
* Tue Apr 22 2025 Noel Power <nopower@suse.com>
  - Update to 4.22.1
    * Running "gpo manage motd set" twice fails with backtrace;
      (bso#15774).
    * samba-tool gpo backup creates entity backups it can't read;
      (bso#15829).
    * gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with
      prepended 0's; (bso#15839).
    * Deadlock between two smbd processes; (bso#15767).
    * Subnet based interfaces definition not listening on all
      covered IP addresses; (bso#15823).
    * PANIC: assert failed at source3/smbd/smb2_oplock.c(156):
      sconn->oplocks.exclusive_open>=0; (bso#15836).
    * net ad join fails with "Failed to join domain: failed to
      create kerberos keytab"; (bso#15727).
    * Enable support for cephfs case insensitive behavior;
      (bso#15822).
    * Remove of file or directory not possible with vfs_acl_tdb;
      (bso#15791).
    * Wide link issue in samba 4.22; (bso#15841).
    * NT_STATUS_INVALID_PARAMETER: Can't create folders on share of
      an exfat file system; (bso#15845).
    * Lease code is not endian-safe; (bso#15849).
    * vfs_ceph_new module does not work with other modules for
      snapshot management; (bso#15818).
    * vfs_ceph_new: Add path based fallback for SMB_VFS_FCHOWN,
      SMB_VFS_FCHMOD and SMB_VFS_FNTIMES; (bso#15834).
    * Add async io API from libcephfs to ceph_new VFS module;
      (bso#15810).
* Wed Mar 12 2025 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.22.0
    * SMB3 Directory Leases are supported. By default, SMB3 Directory
      Leases are enabled on non-clustered Samba and disabled on
      clustered Samba, based on the "clustering" option.
    * Netlogon Ping over LDAP and LDAPS
    * Experimental Himmelblaud Authentication in Samba
    * The "nmbd proxy logon" feature was removed.
    * fruit:posix_rename option of the vfs_fruit VFS module that
      could be used to enable POSIX directory rename behaviour for
      OS X clients has been removed as it could result in severe
      problems for Windows clients.
* Wed Feb 19 2025 Samuel Cabrero <scabrero@suse.de>
  - Remove nscd build dependency and usage in RPM scriptlets;
    (bsc#1237296);
* Wed Feb 19 2025 Noel Power <nopower@suse.com>
  - Update to 4.21.4
    * Increasing slowness of sharesec performance with high number
      of registry shares; (bso#15780).
    * winbindd shows memleak in kerberos_decode_pac; (bso#15782).
    * Creation of GPOs applicable to more than one group is
      impossible with Samba 4.20.0 and later; (bso#15738).
    * Replace `crypt` module in
      python/samba/netcmd/user/readpasswords/common.py;
      (bso#15756).
    * vfs_gpfs silently garbles timestamps > year 2106;
      (bso#15151).
    * Spotlight search results don't show file size and creation
      date; (bso#15796).
    * General improvements for vfs_ceph_new module; (bso#15703).
    * net offlinejoin not working correctly; (bso#15777).
    * net ads create/join/winbind producing unix dysfunctional
      keytabs; (bso#15759).
    * Windows Explorer crashes on S-1-22-* Unix-SIDs when accessing
      security tab; (bso#14213).
    * The values from hresult_errstr_const and hresult_errstr are
      reversed in 4.20 and 4.21; (bso#15769).
    * Kerberos referral tickets are generated for principals in our
      domain if we have a trust to a top level domain; (bso#15778).
    * NETLOGON_NTLMV2_ENABLED is missing in the SamLogon*
      user_flags field; (bso#15783).
    * Regression: stack-use-after-return in crypt_as_best_we_can();
      (bso#15784).
    * libreplace:readline: gcc 15 complains about incompatible
      pointer types; (bso#15788).
* Tue Jan 07 2025 Noel Power <nopower@suse.com>
  - Update to 4.21.3
    * More possible replication loops against Azure AD;
      (bso#15701).
    * Compound rename from Mac clients can fail with
      NT_STATUS_INTERNAL_ERROR if the file has a lease;
      (bso#15697).
    * vfs crossrename seems not work correctly; (bso#15724).
    * After 'machine password timeout' /etc/krb5.keytab is not
      updated; (bso#6750).
    * Memory leak wbcCtxLookupSid; (bso#15771).
    * Fix heap-user-after-free with association groups;
      (bso#15765).
    * Segfault in vfs_btrfs; (bso#15758).
    * Avoid event failure race when disabling an event script;
      (bso#15755).
* Fri Dec 06 2024 Noel Power <nopower@suse.com>
  - Update shipped /etc/samba/smb.conf to point to smb.conf
    man page;(bsc#1233880).
* Mon Nov 25 2024 Noel Power <nopower@suse.com>
  - Update to 4.21.2
    * smbd fails to correctly check sharemode against OVERWRITE
      dispositions; (bso#15732).
    * Panic in close_directory; (bso#15754).
    * winexe no longer works with samba 4.21; (bso#15752).
    * protocol error - Unclear debug message "pad length mismatch"
      for invalid bind packet; (bso#14356).
    * NetrGetLogonCapabilities QueryLevel 2 needs to be
      implemented; (bso#15425).
    * gss_accept_sec_context() from Heimdal does not imply
      GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE; (bso#15740).
    * winbindd should call process_set_title() for locator child;
      (bso#15749).
    * Update CTDB to track all TCP connections to public IP
      addresses; (bso#15320).
* Thu Oct 31 2024 Noel Power <nopower@suse.com>
  - Add placeholder changelog for sle15-sp7; (jsc#PED-11210).
* Wed Oct 16 2024 Noel Power <nopower@suse.com>
  -  Adjust spec to split out rpcd_* binaries into a separate
    sub package; (bsc#1231414).
* Tue Oct 15 2024 Noel Power <nopower@suse.com>
  - Update to 4.21.1
    * DH reconnect error handling can lead to stale sharemode
      entries; (bso#15624).
    * "inherit permissions = yes" triggers assert() in vfs_default
      when creating a stream; (bso#15695).
    * Samba 4.21.0 broke FreeIPA domain member integration;
      (bso#15715).
    * Missing conversion for msDS-UserTGTLifetime, msDS-
      ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-
      tool domain auth policy modify"; (bso#15692).
    * irpc_destructor may crash during shutdown; (bso#15280).
    * Durable handle is not granted when a previous OPEN exists
      with NoOplock; (bso#15649).
    * Durable handle is granted but reconnect fails; (bso#15651).
    * Disconnected durable handles with RH lease should not be
      purged by a new non conflicting open; (bso#15708).
    * net ads testjoin and other commands use the wrong secrets.tdb
      in a cluster; (bso#15714).
    * 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as
      rfc 8009 etypes are used; (bso#15726).
    * VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2;
      (bso#15730).
    * Samba 4.20.0 DLZ module crashes BIND on startup; (bso#15643).
    * Cannot build libldb lmdb backend on a build without AD DC;
      (bso#15721).
    * Consistent log level for sighup handler; (bso#15706).
* Wed Sep 25 2024 Noel Power <nopower@suse.com>
  - Support needed packaging changes required update to samba-4.21.0
    Update samba.spec, baselibs.conf to deliver libldb packages.
* Thu Sep 05 2024 David Disseldorp <ddiss@suse.com>
  - Package ceph_new VFS module.
* Thu Sep 05 2024 David Disseldorp <ddiss@suse.com>
  - Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated;
    (bso#15699); (bsc#1229684).
* Wed Aug 28 2024 Noel Power <nopower@suse.com>
  -  Bad variable definition for ParseTuple causing test failure for
    Smb3UnixTests.test_create_context_reparse; (bso#15702).
* Wed Aug 28 2024 Noel Power <nopower@suse.com>
  - Update to 4.21.0
    * Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when
      truncated; (bso#15699).
    * Bad variable definition for ParseTuple causing test failure
      for Smb3UnixTests.test_create_context_reparse; (bso#15702).
    * Add new vfs_ceph module (based on low level API);
      (bso#15686).
    * samba-tool can not load the default configuration file;
      (bso#15698).
    * Crash when readlinkat fails; (bso#15700).
    * Can't add/delete special keys to keytab for nfs, cifs, http
      etc; (bso#15689).
    * Compound SMB2 requests don't return
      NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
      MacOSX clients; (bso#15696).
    * --version-* options are still not ergonomic, and they reject
      tilde characters; (bso#15673).
    * ldb_version.h is missing from ldb public library;
      (bso#15690).
    * Can not add/delete special keys to keytab for nfs, cifs, http
      etc; (bso#15689).
    * undefined reference to winbind_lookup_name_ex; (bso#15687).
    * per user veto and hide file syntax is to complex;
      (bso#15688).
* Wed Aug 07 2024 Noel Power <nopower@suse.com>
  - Fix a crash when joining offline and 'kerberos method' includes
    keytab; (bsc#1228732).
* Tue Aug 06 2024 Noel Power <noel.power@suse.com>
  - Update to 4.20.4
    * --version-* options are still not ergonomic, and they reject
      tilde characters; (bso#15673).
  - Update to 4.20.3
    * Running samba-bgqd a a standalone systemd service does not
      work; (bso#15683).
    * When claims enabled with heimdal kerberos, unable to log on
      to a Windows computer when user account need to change their
      own password; (bso#15655).
    * Invalid client warning about command line passwords;
      (bso#15671).
    * Version string is truncated in manpages; (bso#15672).
    * cmdline_burn does not always burn secrets; (bso#15674).
    * Samba does not parse SDDL found in defaultSecurityDescriptor
      in AD_DS_Classes_Windows_Server_v1903.ldf; (bso#15685).
    * The images don\'t build after the git security release and
      CentOS 8 Stream is EOL; (bso#15660).
    * Fix clock skew error message and memory cache clock skew
      recovery; (bso#15676).
    * Heimdal ignores _gsskrb5_decapsulate errors in
      init_sec_context/repl_mutual; (bso#15603).
    * s4:ldap_server: does not support tls channel bindings for
      sasl binds; (bso#15621).
    * CTDB socket output queues may suffer unbounded delays under
      some special conditions; (bso#15678).
* Wed Jul 17 2024 Samuel Cabrero <scabrero@suse.de>
  - Update samba-tool package to require python3-Markdown also in
    the Heimdal ADDC build.
* Thu Jul 04 2024 Samuel Cabrero <scabrero@suse.de>
  - Fix named crash when using samba's DLZ plugin; (bsc#1224003);
    (bso#15643);
* Thu Jul 04 2024 pgajdos@suse.com
  - remove dependency on /usr/bin/python3 using
    %python3_fix_shebang macro, [bsc#1212476]
* Wed Jun 19 2024 Noel Power <nopower@suse.com>
  - Update to 4.20.2
    * vfs_widelinks with DFS shares breaks case insensitivity;
      (bso#15662); (bsc#1213607).
    * Samba build is not reproducible; (bso#13213).
    * ldb qsort might r/w out of bounds with an intransitive
      compare function; (bso#15569).
    * Many qsort() comparison functions are non-transitive, which
      can lead to out-of-bounds access in some circumstances;
      (bso#15625).
    * Need to change gitlab-ci.yml tags in all branches to avoid CI
      bill; (bso#15638).
    * We have added new options --vendor-name and --vendor-patch-
      revision arguments to ./configure to allow distributions and
      packagers to put their name in the Samba version string so
      that when debugging Samba the source of the binary is
      obvious; (bso#15654).
    * CTDB RADOS mutex helper misses namespace support;
      (bso#15665).
    * Dynamic DNS updates with the internal DNS are not working;
      (bso#13019).
    * netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
      SysvolReady=0; (bso#14981).
    * Anonymous smb3 signing/encryption should be allowed (similar
      to Windows Server 2022); (bso#15412).
    * Panic in dreplsrv_op_pull_source_apply_changes_trigger;
      (bso#15573).
    * s4:nbt_server: does not provide unexpected handling, so
      winbindd can't use nmb requests instead cldap; (bso#15620).
    * winbindd, net ads join and other things don't work on an ipv6
      only host; (bso#15642).
    * Segmentation fault when deleting files in vfs_recycle;
      (bso#15659).
    * Panic in vfs_offload_token_db_fetch_fsp(); (bso#15664).
    * "client use kerberos" and --use-kerberos is ignored for the
      machine account; (bso#15666).
    * Regression DFS not working with widelinks = true;
      (bso#15435).
    * samba-gpupdate - Invalid NtVer in netlogon_samlogon_response;
      (bso#15633).
    * idmap_ad creates an incorrect local krb5.conf in case of
      trusted domain lookups; (bso#15653).
    * The images don't build after the git security release and
      CentOS 8 Stream is EOL; (bso#15660).
* Mon Jun 03 2024 Samuel Cabrero <scabrero@suse.de>
  - Fix non deterministic builds; (bsc#1225754); (bso#13213);
* Thu May 16 2024 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.20.1
    * dns update debug message is too noisy; (bso#15630);
    * Do not fail PAC validation for RFC8009 checksums types; (bso#15635);
    * Improve performance of lookup_groupmem() in idmap_ad; (bso#15605);
    * Smbcacls incorrectly propagates inheritance with Inherit-Only flag; (bso#15636);
    * http library doesn't support 'chunked transfer encoding'; (bso#15611);
    * Provide a systemd service file for the background queue daemon; (bso#15600);
  - Update to 4.20.0
    New features:
    * samba-tool user getpassword / syncpasswords ;rounds= change
    * Group Managed service account client-side features
    * New Windows Search Protocol Client
    * Allow 'smbcacls' to save/restore DACLs to file
    * Samba-tool extensions for AD Claims, Authentication Policies and Silos
    * AD DC support for Authentication Silos and Authentication Policies
    * Conditional ACEs and Resource Attribute ACEs
    * Service Witness Protocol [MS-SWN]
    Removed features:
    * Get locally logged on users from utmp
    Fixed bugs:
    * Avoid null-dereference with bad claims; (bso#15606);
    * ndr_pull_security_ace can leave resource attribute ACE coda
      claim struct undefined; (bso#15613);
    * fd_handle_destructor() panics within an smbd_smb2_close() if
      vfs_stat_fsp() fails in fd_close(); (bso#15527);
    * set_nt_acl sometimes fails with NT_STATUS_INVALID_PARAMETER -
      openat() EACCES; (bso#15583);
    * libgpo: Segfault in python bindings; (bso#15599);
    * Samba AD is missing some authentication policy tests;
      (bso#15607);
    * samba-gpupdate: Correctly implement site support; (bso#15588);
    * Remove unsupported "Final" keyword missing from Python 3.6;
      (bso#15575);
    * Additional witness backports for 4.20.0; (bso#15577);
    * Error output with wspsearch; (bso#15579);
    * Packet marshalling push support missing for
      CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
      CTDB_CONTROL_TCP_CLIENT_PASSED; (bso#15580);
    * Performance regression for NDR parsing of security
      descriptors; (bso#15574);
    * Build and install man page for wspsearch client utility;
      (bso#15565);
* Tue Feb 20 2024 Noel Power <nopower@suse.com>
  - Update to 4.19.5
    * Windows 2016 fails to restore previous version of a file from
      a shadow_copy2 snapshot; (bso#13688).
    * Symlinks on AIX are broken in 4.19 (and a few version before
      that); (bso#15549).
    * Fake directory create times has no effect; (bso#12421).
    * ctime mixed up with mtime by smbd; (bso#15550).
    * samba-gpupdate --rsop fails if machine is not in a site;
      (bso#15548).
    * gpupdate: The root cert import when NDES is not available is
      broken; (bso#15557).
    * samba-gpupdate should print a useful message if cepces-submit
      can't be found; (bso#15552).
    * samba-gpupdate logging doesn't work; (bso#15558).
    * smbpasswd reset permissions only if not 0600; (bso#15555).
* Wed Jan 10 2024 Noel Power <nopower@suse.com>
  - Remove -x from bash shebang update-apparmor-samba-profile;
    (bsc#1218431).
* Tue Jan 09 2024 Noel Power <nopower@suse.com>
  - Update to 4.19.4
    * net changesecretpw cannot set the machine account password if
      secrets.tdb is empty; (bso#13577).
    * For generating doc, take, if defined, env XML_CATALOG_FILES;
      (bso#15540).
    * Trivial C typo in nsswitch/winbind_nss_netbsd.c; (bso#15541).
    * vfs_linux_xfs is incorrectly named; (bso#15542).
    * systemd stumbled over copyright-message at smbd startup;
      (bso#15377).
    * Following intermediate abolute share-local symlinks is
      broken; (bso#15505).
    * ctdb RELEASE_IP causes a crash in release_ip if a connection
      to a non-public address disconnects first; (bso#15523).
    * shadow_copy2 broken when current fileset's directories are
      removed; (bso#15544).
    * smbd does not detect ctdb public ipv6 addresses for
      multichannel exclusion; (bso#15534).
    * 'force user = localunixuser' doesn't work if 'allow trusted
      domains = no' is set; (bso#15469).
    * smbget debug logging doesn't work; (bso#15525).
    * smget: username in the smburl and interactive password entry
      doesn't work; (bso#15532).
    * smbget auth function doesn't set values for password prompt
      correctly; (bso#15538).
    * Unable to copy and write files from clients to Ceph cluster
      via SMB Linux gateway with Ceph VFS module; (bso#15440).
    * Multichannel refresh network information; (bso#15547).
* Mon Nov 27 2023 Noel Power <nopower@suse.com>
  - Update to 4.19.3
    * sid_strings test broken by unix epoch > 1700000000;
      (bso#15520).
    * smbd crashes if asked to return full information on close of
      a stream handle with delete on close disposition set;
      (bso#15487).
    * smbd: fix close order of base_fsp and stream_fsp in
      smb_fname_fsp_destructor(); (bso#15521).
    * Improve logging for failover scenarios; (bso#15499).
    * Files without "read attributes" NFS4 ACL permission are not
      listed in directories; (bso#15093).
    * CVE-2018-14628 [SECURITY] Deleted Object tombstones visible
      in AD LDAP to normal users; (bso#13595).
    * Kerberos TGS-REQ with User2User does not work for normal
      accounts; (bso#15492).
    * vfs_gpfs stat calls fail due to file system permissions;
      (bso#15507).
    * Samba doesn't build with Python 3.12; (bso#15513).
* Mon Oct 23 2023 David Mulder <dmulder@suse.com>
  - packaging: samba-tool domain provision requires python3-Markdown;
    (bsc#1216519).
* Mon Oct 16 2023 Noel Power <nopower@suse.com>
  - Update to 4.19.2
    * Use-after-free in aio_del_req_from_fsp during smbd shutdown
      after failed IPC FSCTL_PIPE_TRANSCEIVE; (bso#15423).
    * clidfs.c do_connect() missing a "return" after a
      cli_shutdown() call; (bso#15426).
    * macOS mdfind returns only 50 results; (bso#15463).
    * GETREALFILENAME_CACHE can modify incoming new filename with
      previous cache entry value; (bso#15481).
    * libnss_winbind causes memory corruption since samba-4.18,
      impacts sendmail, zabbix, potentially more; (bso#15464).
    * ctdbd: setproctitle not initialized messages flooding logs;
      (bso#15479).
    * CVE-2023-5568 Heap buffer overflow with freshness tokens in
      the Heimdal KDC in Samba 4.19; (bso#15491).
    * The heimdal KDC doesn't detect s4u2self correctly when fast
      is in use; (bso#15477).
* Thu Oct 12 2023 Noel Power <nopower@suse.com>
  - packaging: Remove /etc/slp.reg.d from samba spec file;
    (bsc#1216160)
* Thu Oct 12 2023 Noel Power <nopower@suse.com>
  - use systemd-logind rather than utmp for y2038 safety;
    (bsc#1216159).
* Tue Oct 10 2023 Noel Power <nopower@suse.com>
  - CVE-2023-4091: samba: Client can truncate file with read-only
    permissions; (bsc#1215904); (bso#15439).
  - CVE-2023-42669: samba: rpcecho, enabled and running in AD DC,
    allows blocking sleep on request; (bso#1215905); (bso#15474).
  - CVE-2023-42670: samba:  The procedure number is out of range
    when starting Active Directory Users and Computers;
    (bsc#1215906); (bso#15473).
  - CVE-2023-3961: samba: Unsanitized client pipe name passed to
    local_np_connect(); (bsc#1215907); (bso#15422).
  - CVE-2023-4154: samba: dirsync allows SYSTEM access with only
    "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES;
    (bsc#1215908); (bso#15424).
* Tue Sep 26 2023 Noel Power <nopower@suse.com>
  - Update to 4.19.0
    * File doesn't show when user doesn't have permission if
      aio_pthread is loaded; (bso#15453).
    * ctdb_killtcp fails to work with --enable-pcap and libpcap ≥
      1.9.1; (bso#15451).
    * Logging to stdout/stderr with DEBUG_SYSLOG_FORMAT_ALWAYS can
      log to syslog; (bso#15460).
    * ‘samba-tool domain level raise’ fails unless given a URL;
      (bso#15458).
    * reply_sesssetup_and_X() can dereference uninitialized tmp
      pointer; (bso#15420).
    * missing return in reply_exit_done(); (bso#15430).
    * TREE_CONNECT without SETUP causes smbd to use uninitialized
      pointer; (bso#15432).
    * Avoid infinite loop in initial user sync with Azure AD
      Connect when synchronising a large Samba AD domain;
      (bso#15401).
    * Samba replication logs show (null) DN; (bso#15407).
    * 2-3min delays at reconnect with
      smb2_validate_sequence_number: bad message_id 2; (bso#15346).
    * DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed;
      (bso#15446).
    * CID 1539212 causes real issue when output contains only
      newlines; (bso#15438).
    * KDC encodes INT64 claims incorrectly; (bso#15452).
    * mdssvc: Do an early talloc_free() in _mdssvc_open();
      (bso#15449).
    * Windows client join fails if a second container CN=System
      exists somewhere; (bso#9959).
    * regression DFS not working with widelinks = true;
      (bso#15435).
    * Heimdal fails to build on 32-bit FreeBSD; (bso#15443).
    * samba-tool ntacl get segfault if aio_pthread appended;
      (bso#15441).
* Mon Aug 21 2023 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.18.6
    * reply_sesssetup_and_X() can dereference uninitialized tmp pointer;
      (bso#15420);
    * Missing return in reply_exit_done(); (bso#15430);
    * post-exec password redaction for samba-tool is more reliable for fully
      random passwords as it no longer uses regular expressions containing the
      password value itself; (bso#15289);
    * Windows client join fails if a second container CN=System exists somewhere;
      (bso#9959);
    * Spotlight sometimes returns no results on latest macOS; (bso#15342);
    * Renaming results in NT_STATUS_SHARING_VIOLATION if previously attempted to
      remove the destination; (bso#15417);
    * Spotlight results return wrong date in result list; (bso#15427);
    * "net offlinejoin provision" does not work as non-root user; (bso#15414);
    * rpcserver no longer accepts double backslash in dfs pathname; (bso#15400);
    * cm_prepare_connection() calls close(fd) for the second time; (bso#15433);
    * 2-3min delays at reconnect with smb2_validate_sequence_number: bad
      message_id 2; (bso#15346);
    * samba-tool ntacl get segfault if aio_pthread appended; (bso#15441);
    * DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed; (bso#15446);
    * Python tarfile extraction needs change to avoid a warning (CVE-2007-4559
      mitigation); (bso#15390);
    * Regression DFS not working with widelinks = true; (bso#15435);
    * mdssvc: Do an early talloc_free() in _mdssvc_open(); (bso#15449);
* Tue Aug 08 2023 Samuel Cabrero <scabrero@suse.de>
  - Move libcluster-samba4.so from samba-libs to samba-client-libs;
    (bsc#1213940);
* Wed Jul 19 2023 Noel Power <nopower@suse.com>
  - Update to 4.18.5
    * CVE-2022-2127: lm_resp_len not checked properly in
      winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
    * CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite
      Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173).
    * CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type
      Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172).
    * CVE-2023-34968: Spotlight server-side Share Path Disclosure;
      (bso#15388); (bsc#1213171).
    * CVE-2023-3347: Samba doesn't require SMB2+ signing if
      `server signing = mandatory` is set; (bso#15397); (bsc#1213170).
    * secure channel faulty since Windows 10/11 update 07/2023;
      (bso#15418); (bsc#1213384).
* Thu Jul 06 2023 Noel Power <nopower@suse.com>
  - Update to 4.18.4
    * Backport --pidl-developer fixes; (bso#15404).
    * Named crashes on DLZ zone update; (bso#14030).
    * smbcacls and smbcquotas do not check // before the server;
      (bso#2312).
    * cli_list loops 100% CPU against pre-lanman2 servers;
      (bso#15382).
    * smbclient leaks fds with showacls; (bso#15391).
    * smbd returns NOT_FOUND when creating files on a r/o
      filesystem; (bso#15402).
    * NSS_WRAPPER_HOSTNAME doesn't match NSS_WRAPPER_HOSTS entry
      and causes test timeouts; (bso#15355).
    * net ads lookup (with unspecified realm) fails; (bso#15384).
    * Register Samba processes with GPFS; (bso#15381).
    * Python tarfile extraction needs change to avoid a warning
      (CVE-2007-4559 mitigation); (bso#15390).
    * The winbind child segfaults when listing users with `winbind
      scan trusted domains = yes`; (bso#15398).
    * Remove comments about deprecated 'write cache size';
      (bso#15383).
    * smbget memory leak if failed to download files recursively;
      (bso#15403).
* Thu Jun 01 2023 Noel Power <nopower@suse.com>
  - Update to 4.18.3
    * Symlinks to files can have random DOS mode information in a
      directory listing; (bso#15375).
    * vfs_fruit might cause a failing open for delete; (bso#15378).
    * winbind recurses into itself via rpcd_lsad; (bso#15361).
    * wbinfo -u fails on ad dc with >1000 users; (bso#15366).
    * DS ACEs might be inherited to unrelated object classes;
      (bso#15338).
    * a lot of messages: get_static_share_mode_data:
      get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND;
      (bso#15362).
    * aes256 smb3 encryption algorithms are not allowed in
      smb3_sid_parse(); (bso#15374).
    * Setting veto files = /.*/ break listing directories;
      (bso#15360).
    * "samba-tool domain provision" does not run interactive mode
      if no arguments are given; (bso#15363).
    * dsgetdcname: assumes local system uses IPv4; (bso#15325).
  - Update to 4.18.2
    * Log flood: smbd_calculate_access_mask_fsp: Access denied:
      message level should be lower; (bso#15302).
    * Floating point exception (FPE) via cli_pull_send at
      source3/libsmb/clireadwrite.c; (bso#15306).
    * test_tstream_more_tcp_user_timeout_spin fails intermittently
      on Rackspace GitLab runners; (bso#15328).
    * Reduce flapping of ridalloc test; (bso#15329).
    * large_ldap test is unreliable; (bso#15351).
    * New filename parser doesn't check veto files smb.conf
      parameter; (bso#15143).
    * mdssvc may crash when initializing; (bso#15354).
    * large directory optimization broken for non-lcomp path
      elements; (bso#15313).
    * streams_depot fails to create streams; (bso#15357).
    * shadow_copy2 and streams_depot don't play well together;
      (bso#15358).
    * Flapping tests in samba_tool_drs_show_repl.py; (bso#15316).
    * winbindd idmap child contacts the domain controller without a
      need; (bso#15317).
    * idmap_autorid may fail to map sids of trusted domains for the
      first time; (bso#15318).
    * idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings;
      (bso#15319).
    * net ads search -P doesn't work against servers in other
      domains; (bso#15323).
    * Temporary smbXsrv_tcon_global.tdb can't be parsed;
      (bso#15353).
    * Tests use depricated and removed methods like
      assertRegexpMatches; (bso#15343).
* Wed Mar 29 2023 Noel Power <nopower@suse.com>
  - Update to 4.18.1
    * CVE-2023-0225: AD DC "dnsHostname" attribute can be
      deleted by unprivileged authenticated users.
      (bso#15276);(bsc#1209483).
    * CVE-2023-0614: Access controlled AD LDAP attributes can be
      discovered  (bso#15270); (bsc#1209485).
    * CVE-2023-0922: Samba AD DC admin tool samba-tool sends
      passwords in cleartext(bso#15315);(bsc#1209481).
    * ldb wildcard matching makes excessive allocations;
      (bso#15331).
    * large_ldap test is inefficient; (bso#15332).
* Fri Mar 17 2023 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.18.0
    * SMB server performance improvements
    * More succinct samba-tool error messages
    * Color output with samba-tool --color
      The NO_COLOR environment variable will disable colour output
    * New samba-tool dsacl subcommand for deleting ACEs
    * New wbinfo option --change-secret-at
    * Net option to change the NT ACL default location
    * Azure AD / Office365 synchronization improvements
* Tue Feb 14 2023 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.17.5
    * smbc_getxattr() return value is incorrect; (bso#14808);
    * Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
      correctly; (bso#15172);
    * synthetic_pathref AFP_AfpInfo failed errors; (bso#15210);
    * samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC
      when there is only an AAAA record for the DC in DNS; (bso#15226);
    * smbd crashes if an FSCTL request is done on a stream handle; (bso#15236);
    * DFS links don't work anymore on Mac clients since 4.17; (bso#15277);
    * vfs_virusfilter segfault on access, directory edgecase
      (accessing NULL value); (bso#15283);
    * CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based
      SChannel on NETLOGON (additional changes); (bso#15240);
    * %U for include directive doesn't work for share listing
      (netshareenum); (bso#15243);
    * Shares missing from netshareenum response in samba 4.17.4;
      (bso#15266);
    * ctdb: use-after-free in run_proc; (bso#15269);
    * irpc_destructor may crash during shutdown; (bso#15280);
    * auth3_generate_session_info_pac leaks wbcAuthUserInfo; (bso#15286);
    * smbclient segfaults with use after free on an optimized build;
      (bso#15268);
    * smbstatus leaking files in msg.sock and msg.lock; (bso#15282);
    * Leak in wbcCtxPingDc2; (bso#15164);
    * Access based share enum does not work in Samba 4.16+; (bso#15265);
    * Crash during share enumeration; (bso#15267);
    * rep_listxattr on FreeBSD does not properly check for reads off
      end of returned buffer; (bso#15271);
    * Avoid relying on C89 features in a few places; (bso#15281);
  - named crashes on DLZ zone update; (bso#14030); (bsc#1206996);
  - Drop libnsl build requirement; (bsc#1208220);
* Mon Jan 23 2023 Noel Power <nopower@suse.com>
  - libdsdb-module-samba4 should be packaged as part of samba-libs and
    not samba-ad-dc-libs. Additionally no need for it to be
    removed conditionally.
* Thu Jan 12 2023 Noel Power <nopower@suse.com>
  - Clean up logic for PAM migration settings in spec file.
* Wed Jan 04 2023 Stefan Schubert <schubi@suse.com>
  - Migration of PAM settings to /usr/lib/pam.d.
* Wed Dec 21 2022 Noel Power <nopower@suse.com>
  - Change with_dc default to 0 (for non TW builds).
* Thu Dec 15 2022 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.17.4
    * CVE-2022-44640 Upstream Heimdal free of user-controlled
      pointer in FAST; (bsc#14929);
    * CVE-2021-20251 Bad password count not incremented atomically;
      (bsc#14611);
    * CVE-2022-42898 krb5_pac_parse() buffer parsing vulnerability;
      (bsc#15203);
    * CVE-2022-37966 rc4-hmac Kerberos session keys issued to
      modern servers; (bso#15237);
    * CVE-2022-37967 Kerberos constrained delegation ticket forgery
      possible against Samba AD DC; (bso#15231);
    * CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak
      and should be avoided; (bso#15240);
    * pam_winbind uses time_t and pointers assuming they are of the
      same size; (bso#15224);
    * Heimdal session key selection in AS-REQ examines wrong entry;
      (bso#15219);
    * filter-subunit is inefficient with large numbers of
      knownfails; (bso#15258);
    * smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories;
      (bso#15252);
    * The KDC logic arround msDs-supportedEncryptionTypes differs
      from Windows; (bso#13135);
    * libnet: change_password() doesn't work with
      dcerpc_samr_ChangePasswordUser4(); (bso#15206);
    * Heimdal session key selection in AS-REQ examines wrong entry;
      (bso#15219);
    * Memory leak in snprintf replacement functions; (bso#15230);
    * RODC doesn't reset badPwdCount reliable via an RWDC
      (CVE-2021-20251 regression); (bso#15253);
    * Prevent EBADF errors with vfs_glusterfs; (bso#15198);
    * %U for include directive doesn't work for share listing
      (netshareenum); (bso#15243);
    * Stack smashing in net offlinejoin requestodj; (bso#15257);
    * Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue;
      (bso#15197);
    * Heimdal session key selection in AS-REQ examines wrong entry;
      (bso#15219);
  - Remove deprecated if-{down,up} scripts; (bsc#1206444);
  - Adjust the systemd drop-in file for named service; (bsc#1201689);
    * Paths are additive so do not repeat paths from named.service
    * Prefix the samba DLZ directory with "-" to ignore this path
      if it does not exists
* Mon Dec 12 2022 Stefan Schubert <schubi@suse.com>
  - Migration PAM settings to /usr/etc: Saving user changed
    configuration files in /etc and restoring them while an RPM
    update.
* Thu Dec 01 2022 David Mulder <dmulder@suse.com>
  - Introduce without-smb1-server spec flag; (bsc#1205104);
* Tue Nov 15 2022 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.17.3
    * CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit
      systems; (bsc#1205126); (bso#15203);
* Tue Nov 08 2022 Ben Greiner <code@bnavigator.de>
  - Replace obsolete python-gpgme with python-gpg
    * Upstream replaced it in v4.9.5 -- bso#13728
* Tue Oct 25 2022 Noel Power <nopower@suse.com>
  - Update to 4.17.2
    * CVE-2022-3592 [SECURITY] samba: Wide links protection broken;
      (bso#15207); (bsc#1204499).
    * CVE-2022-3437 [SECURITY] samba: Buffer overflow in Heimdal
      unwrap_des3();(bso#15134); (bsc#1204254).
* Wed Oct 19 2022 Noel Power <nopower@suse.com>
  - Update to 4.17.1
    * CVE-2021-20251 [SECURITY] Bad password count not incremented
      atomically; (bso#14611).
    * smbXsrv_connection_shutdown_send result leaked; (bso#15174).
    * Flush on a named stream never completes; (bso#15182).
    * Permission denied calling SMBC_getatr when file not exists;
      (bso#15195).
    * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
      over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
      (bso#15189).
    * pytest: add file removal helpers for TestCaseInTempDir;
      (bso#15191).
    * CVE-2021-20251 [SECURITY] Bad password count not incremented
      atomically; (bso#14611).
    * Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
      over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC;
      (bso#15189).
    * Flush on a named stream never completes; (bso#15182).
    * vfs_gpfs silently garbles timestamps > year 2106;
      (bso#15151).
    * CVE-2021-20251 [SECURITY] Bad password count not incremented
      atomically; (bso#14611).
    * multi-channel socket passing may hit a race if one of the
      involved processes already existed; (bso#15200).
    * memory leak on temporary of struct imessaging_post_state and
      struct tevent_immediate on struct imessaging_context (in
      rpcd_spoolss and maybe others); (bso#15201).
    * Since popt1.19 various use after free errors using result of
      poptGetArg are now exposed; (bso#15205); (boo#1204279).
    * Remove special case for O_CREAT in SMB_VFS_OPENAT from
      vfs_glusterfs; (bso#15192).
    * GETPWSID in memory cache grows indefinetly with each NTLM
      auth; (bso#15169).
    * CVE-2021-20251 [SECURITY] Bad password count not incremented
      atomically; (bso#14611).
  - Install a systemd drop-in file for named service to allow
    read/write access to the DLZ directory; (bsc#1201689);
* Fri Oct 14 2022 Noel Power <nopower@suse.com>
  - Fix use after free errors resulting from using return of
    poptGetArg exposed since popt-1.19; (boo#1204279); (bso#15205).
* Mon Sep 26 2022 Noel Power <nopower@suse.com>
  - s3: smbd: Fix memory leak in
    smbd_server_connection_terminate_done(); (bso#15174).
* Mon Sep 26 2022 Noel Power <nopower@suse.com>
  - Disable SMB1 for tumbleweed builds.
* Fri Sep 23 2022 Noel Power <nopower@suse.com>
  - Update to 4.17.0
    * acl_xattr VFS module may unintentionally use filesystem
      permissions instead of ACL from xattr; (bso#15126).
    * Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1;
      (bso#15153).
    * assert failed: !is_named_stream(smb_fname)") at
      ../../lib/util/fault.c:197; (bso#15161).
    * acl_xattr VFS module may unintentionally use filesystem
      permissions instead of ACL from xattr; (bso#15126).
    * assert failed: !is_named_stream(smb_fname)") at
      ../../lib/util/fault.c:197; (bso#15161).
    * Cross-node multi-channel reconnects result in SMB2 Negotiate
      returning NT_STATUS_NOT_SUPPORTED; (bso#15159).
    * winbind at info level debug can coredump when processing
      wb_lookupusergroups; (bso#15160).
    * Make use of glfs_*at() API calls in vfs_glusterfs;
      (bso#15157).
    * Possible use after free of connection_struct when iterating
      smbd_server_connection->connections; (bso#15128).
    * `net usershare add` fails with flag works with --long but
      fails with -l; (bso#15145).
    * acl_xattr VFS module may unintentionally use filesystem
      permissions instead of ACL from xattr; (bso#15126).
    * Performance regression on contended path based operations;
      (bso#15125).
    * Missing READ_LEASE break could cause data corruption;
      (bso#15148).
    * libsamba-errors uses a wrong version number; (bso#15141).
    * SMB1 negotiation can fail to handle connection errors;
      (bso#15152).
    * New filename parser doesn't check veto files smb.conf
      parameter; (bso#15143).
    * 4.17.rc1 still uses symlink-race prone unix_convert();
      (bso#15144).
    * Backport fileserver related changed to 4.17.0rc2;
      (bso#15146).
    * Manpage for smbstatus json is missing; (bso#15147).
    * Backport fileserver related changed to 4.17.0rc2;
      (bso#15146).
    * Performance regression on contended path based operations;
      (bso#15125).
    * Backport fileserver related changed to 4.17.0rc2;
      (bso#15146).
    * Fix issues found by coverity in smbstatus json code;
      (bso#15140).
    * Backport fileserver related changed to 4.17.0rc2;
      (bso#15146).
* Thu Sep 01 2022 Stefan Schubert <schubi@suse.com>
  - Migration to /usr/etc: Saving user changed configuration files
    in /etc and restoring them while an RPM update.
* Thu Jul 28 2022 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.16.4
    * CVE-2022-2031: Samba AD users can bypass certain restrictions
      associated with changing passwords; (bsc#1201495); (bso#15047);
    * CVE-2022-32744: Samba AD users can forge password change
      requests for any user; (bsc#1201493); (bso#15074);
    * CVE-2022-32745: Samba AD users can crash the server process
      with an LDAP add or modify request; (bsc#1201492); (bso#15008);
    * CVE-2022-32746: Samba AD users can induce a use-after-free in
      the server process with an LDAP add or modify request;
      (bsc#1201490); (bso#15009);
    * CVE-2022-32742: Server memory information leak via SMB1;
      (bsc#1201496); (bso#15085);
* Tue Jul 19 2022 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.16.3
    * Using vfs_streams_xattr and deleting a file causes a panic;
      (bso#15099);
    * Add support for bind 9.18; (bso#14986);
    * logging dsdb audit to specific files does not work;
      (bso#15076);
    * Problem when winbind renews Kerberos; (bso#14979);
      (bsc#1196224);
    * Samba with new lorikeet-heimdal fails to build on gcc 12.1 in
      developer mode; (bso#15095);
    * Crash in streams_xattr because fsp->base_fsp->fsp_name is
      NULL; (bso#15105);
    * Crash in rpcd_classic - NULL pointer deference in
      mangle_is_mangled(); (bso#15118);
    * smbclient commands del & deltree fail with
      NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100);
      (bsc#1200556);
    * Fix check for chown when processing NFSv4 ACL; (bso#15120);
    * The pcap background queue process should not be stopped;
      (bso#15082);
    * testparm: Fix typo in idmap rangesize check; (bso#15097);
    * net ads info returns LDAP server and LDAP server name as
      null; (bso#15106);
    * ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link;
      (bso#15108);
    * CTDB child process logging does not work as expected;
      (bso#15090);
* Tue Jul 12 2022 Samuel Cabrero <scabrero@suse.de>
  - Update spec file to fix the optional Heimdal DC build
  - Fix external trusts with MIT Kerberos 1.20
  - Add missing samba-client requirement to samba-winbind package;
    (bsc#1198255);
  - Move pdb backends from package samba-libs to package
    samba-client-libs and remove samba-libs requirement from
    samba-winbind; (bsc#1200964); (bsc#1198255);
  - Add sysuser-shadow requirement for packages using
    systemd-sysusers
  - Use the canonical realm name to refresh the Kerberos tickets;
    (bsc#1196224); (bso#14979);
* Tue Jun 21 2022 Stefan Schubert <schubi@suse.de>
  - Moved logrotate files from user specific directory /etc/logrotate.d
    to vendor specific directory /usr/etc/logrotate.d.
* Mon Jun 13 2022 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.16.2
    * Use pathref fd instead of io fd in vfs_default_durable_cookie;
      (bso#15042);
    * vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
      file had been deleted; (bso#15069);
    * Reintroduce netgroups support; (bso#15087);
    * net ads info shows LDAP Server: 0.0.0.0 depending on contacted
      server; (bso#14674);
    * Update from 4.15  to 4.16 breaks discovery of [homes] on
      standalone server from Win and IOS; (bso#15062);
    * waf produces incorrect names for python extensions with Python
      3.11; (bso#15071);
    * smbclient -E doesn't work as advertised; (bso#15075);
    * The samba background daemon doesn't refresh the printcap cache
      on startup; (bso#15081);
    * Out-by-4 error in smbd read reply max_send clamp; (bso#14443);
  - Fix samba4.blackbox.net_ads_dns_async test with bind9 >= 9.17.7
  - Support building with MIT Kerberos 1.20
  - Bronze bit and S4U support with MIT Kerberos 1.20 for Samba AD DC;
    (CVE-2020-17049);
  - Resource Based Constrained Delegation (RBCD) for Samba AD DC
  - Support building with gcc 12.1
* Wed May 11 2022 Samuel Cabrero <scabrero@suse.de>
  - Use requires_eq macro to require the libldb2 version available at
    samba-dsdb-modules build time; (bsc#1199362);
* Tue May 03 2022 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.16.1
    * Share and server swapped in smbget password prompt; (bso#14831);
    * Durable handles won't reconnect if the leased file is written to;
      (bso#15022);
    * rmdir silently fails if directory contains unreadable files and
      hide unreadable is yes; (bso#15023);
    * SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
      on renamed file handle; (bso#15038);
    * Need to describe --builtin-libraries= better (compare with
    - -bundled-libraries); (bso#8731);
    * vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback;
      (bso#14957);
    * shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
      (bso#15035);
    * PAM Kerberos authentication incorrectly fails with a clock skew
      error; (bso#15046);
    * Username map - samba erroneously applies unix group memberships
      to user account entries; (bso#15041);
    * KVNO off by 100000; (bso#14951);
    * Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
    * vfs_gpfs recalls=no option prevents listing files; (bso#15055);
    * smbd doesn't handle UPNs for looking up names; (bso#15054);
* Wed Apr 20 2022 Noel Power <nopower@suse.com>
  - Update update-apparmor-samba-profile script, replace
    non-printable delimiter with more human readable separator as
    sed can accept separators that can appear in the input data.
* Wed Apr 13 2022 Noel Power <nopower@suse.com>
  - Fix update-apparmor-samba-profile script, sed doesn't like
    multibyte separators; (bsc#1198309).
* Thu Mar 24 2022 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.16.0
    * New samba-dcerpcd binary to provide DCERPC in the member server
      setup
    * Certificate Auto Enrollment
    * Ability to add ports to dns forwarder addresses in internal DNS
      backend
    * No longer using Linux mandatory locks for sharemodes
    * SMB1 protocol has been deprecated, particularly older dialects
    * SMB1 protocol SMBCopy command removed
    * SMB1 server-side wildcard expansion removed
  - Add python3-dnspython to samba-ad-dc recommens; (bsc#1187101);
  - Use systemd-sysusers to create system users; (bsc#1182847);
* Tue Mar 15 2022 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.15.6
    * Renaming file on DFS root fails with
      NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169);
    * Samba does not response STATUS_INVALID_PARAMETER when opening 2
      objects with same lease key; (bso#14737);
    * NT error code is not set when overwriting a file during rename
      in libsmbclient; (bso#14938);
    * Fix ldap simple bind with TLS auditing; (bso#14996);
    * net ads info shows LDAP Server: 0.0.0.0 depending on contacted
      server; (bso#14674);
    * Problem when winbind renews Kerberos; (bso#14979);
      (bsc#1196224);
    * pam_winbind will not allow gdm login if password about to
      expire; (bso#8691);
    * virusfilter_vfs_openat: Not scanned: Directory or special file;
      (bso#14971);
    * DFS fix for AIX broken; (bso#13631);
    * Solaris and AIX acl modules: wrong function arguments;
      (bso#14974);
    * Function aixacl_sys_acl_get_file not declared / coredump;
      (bso#7239);
    * Regression: Samba 4.15.2 on macOS segfaults intermittently
      during strcpy in tdbsam_getsampwnam; (bso#14900);
    * Fix a use-after-free in SMB1 server; (bso#14989);
    * smb2_signing_decrypt_pdu() may not decrypt with
      gnutls_aead_cipher_decrypt() from gnutls before 3.5.2;
      (bso#14968);
    * Changing the machine password against an RODC likely destroys
      the domain join; (bso#14984);
    * authsam_make_user_info_dc() steals memory from its struct
      ldb_message *msg argument; (bso#14993);
    * Use Heimdal 8.0 (pre) rather than an earlier snapshot;
      (bso#14995);
    * Samba autorid fails to map AD users if id rangesize fits in the
      id range only once; (bso#14967);
* Mon Mar 07 2022 David Mulder <dmulder@suse.com>
  - Fix mismatched version of libldb2; (bsc#1196788).
  - Drop obsolete SuSEfirewall2 service files.
* Fri Mar 04 2022 David Disseldorp <ddiss@suse.com>
  - Drop obsolete Samba fsrvp v0->v1 state upgrade functionality;
    (bsc#1080338).
* Wed Feb 23 2022 Noel Power <nopower@suse.com>
  - Fix ntlm authentications with "winbind use default domain = yes";
    (bso#13126); (bsc#1173429); (bsc#1196308).
* Mon Feb 14 2022 David Mulder <dmulder@suse.com>
  - Fix samba-ad-dc status warning notification message by disabling
    systemd notifications in bgqd; (bsc#1195896); (bso#14947).
* Mon Feb 07 2022 David Mulder <dmulder@suse.com>
  - libldb version mismatch in Samba dsdb component; (bsc#1118508);
* Mon Jan 31 2022 Noel Power <nopower@suse.com>
  - Update to 4.15.5
    * CVE-2021-44141: UNIX extensions in SMB1 disclose whether the
      outside target of a symlink exists; (bso#14911);
      (bsc#1193690).
    * CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
      module; (bso#14914); (bsc#1194859).
    * CVE-2022-0336:  Re-adding an SPN skips subsequent SPN
      conflict checks; bso#14950); (bsc#1195048).
* Wed Jan 26 2022 Samuel Cabrero <scabrero@suse.de>
  - CVE-2021-44141: Information leak via symlinks of existance of
    files or directories outside of the exported share; (bso#14911);
    (bsc#1193690);
  - CVE-2021-44142: Out-of-bounds heap read/write vulnerability
    in VFS module vfs_fruit allows code execution; (bso#14914);
    (bsc#1194859);
  - CVE-2022-0336: Samba AD users with permission to write to an
    account can impersonate arbitrary services; (bso#14950);
    (bsc#1195048);
* Fri Jan 21 2022 Samuel Cabrero <scabrero@suse.de>
  - Update to 4.15.4
    * Duplicate SMB file_ids leading to Windows client cache
      poisoning; (bso#14928);
    * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
      NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
    * kill_tcp_connections does not work; (bso#14934);
    * Can't connect to Windows shares not requiring authentication
      using KDE/Gnome; (bso#14935);
    * smbclient -L doesn't set "client max protocol" to NT1 before
      calling the "Reconnecting with SMB1 for workgroup listing"
      path; (bso#14939);
    * Cross device copy of the crossrename module always fails;
      (bso#14940);
    * symlinkat function from VFS cap module always fails with an
      error; (bso#14941);
    * Fix possible fsp pointer deference; (bso#14942);
    * Missing pop_sec_ctx() in error path inside close_directory();
      (bso#14944);
    * "smbd --build-options" no longer works without an smb.conf file;
      (bso#14945);
* Tue Jan 18 2022 Dominique Leuenberger <dimstar@opensuse.org>
  - Use pkgconfig(krb5) as dependency for the -devel package: allow
    OBS to pick the right flavor of krb5-devel (full vs mini).
  - Do not require the 'krb5' symbol by samba-client-libs: this
    package has an automatic dependency due to linkage on
    libgssapi_krb5.so.2. Automatic deps are always better.
  - Do not require the 'krb5' symbol from samba-libs: samba-libs
    requires samba-client-libs, which in turn requires krb5
    libraries. Samba-libs itself has no need for krb5 (but get it
    indirectly anyway).
* Thu Jan 13 2022 Samuel Cabrero <scabrero@suse.de>
  - Reorganize libs packages. Split samba-libs into samba-client-libs,
    samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
    public libraries depending on internal samba libraries into these
    packages as there were dependency problems everytime one of these
    public libraries changed its version (bsc#1192684). The devel
    packages are merged into samba-devel.
  - Rename package samba-core-devel to samba-devel
  - Add python-rpm-macros to build requirements
  - Update the symlink create by samba-dsdb-modules to private samba
    ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
    /usr/lib64/ldb2/modules/ldb/samba
/usr/lib64/libnss_winbind.so.2 /usr/lib64/samba/idmap /usr/lib64/samba/idmap/ad.so /usr/lib64/samba/idmap/autorid.so /usr/lib64/samba/idmap/hash.so /usr/lib64/samba/idmap/ldap.so /usr/lib64/samba/idmap/rfc2307.so /usr/lib64/samba/idmap/rid.so /usr/lib64/samba/idmap/script.so /usr/lib64/samba/idmap/tdb2.so /usr/lib64/samba/krb5 /usr/lib64/samba/krb5/async_dns_krb5_locator.so /usr/lib64/samba/krb5/winbind_krb5_localauth.so /usr/lib64/samba/krb5/winbind_krb5_locator.so /usr/lib64/samba/libidmap-private-samba.so /usr/lib64/samba/libnss-info-private-samba.so /usr/lib64/samba/nss_info /usr/lib64/samba/nss_info/hash.so /usr/lib64/samba/nss_info/rfc2307.so /usr/lib64/samba/nss_info/sfu.so /usr/lib64/samba/nss_info/sfu20.so /usr/lib64/security/pam_winbind.so /usr/share/man/man5/pam_winbind.conf.5.gz /usr/share/man/man8/idmap_ad.8.gz /usr/share/man/man8/idmap_autorid.8.gz /usr/share/man/man8/idmap_hash.8.gz /usr/share/man/man8/idmap_ldap.8.gz /usr/share/man/man8/idmap_nss.8.gz /usr/share/man/man8/idmap_rfc2307.8.gz /usr/share/man/man8/idmap_rid.8.gz /usr/share/man/man8/idmap_script.8.gz /usr/share/man/man8/idmap_tdb.8.gz /usr/share/man/man8/idmap_tdb2.8.gz /usr/share/man/man8/pam_winbind.8.gz /usr/share/man/man8/winbind_krb5_localauth.8.gz /usr/share/man/man8/winbind_krb5_locator.8.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Fri Oct 24 23:41:00 2025