Merge ~ahasenack/ubuntu/+source/samba:mantic-samba-merge-2 into ubuntu/+source/samba:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: git-ubuntu bot
Merged at revision: 9a1d39619ca7a41885e75aa447f77ea0d06889c6
Proposed branch: ~ahasenack/ubuntu/+source/samba:mantic-samba-merge-2
Merge into: ubuntu/+source/samba:debian/sid
Diff against target: 3405 lines (+3029/-6)
5 files modified
debian/changelog (+2510/-0)
debian/control (+6/-5)
debian/tests/control (+4/-0)
debian/tests/samba-ad-dc-provisioning-internal-dns (+398/-0)
debian/tests/util (+111/-1)
Reviewer                      Review Type   Date Requested   Status
git-ubuntu bot                                               Approve
Lucas Kanashiro (community)                                  Approve
Canonical Server Reporter                                    Pending
Review via email: mp+447094@code.launchpad.net

Description of the change

Merge latest from debian, which also fixes https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2027716

So far the extra patch has been tested by some community members from my ppa, but for other ubuntu releases, not yet mantic.

The DEP8 tests are green.

These tests include a domain join test, but that's linux<->linux, and won't exercise the fix for bug #2027716, but at least it serves to show there is no regression in that part.

range-diff is clean:

  git range-diff old/debian..logical/2%4.18.3+dfsg-3ubuntu1 new/debian..mantic-samba-merge-2

The fix for #2027716 will be SRUed all the way back to focal, maybe even bionic and earlier.

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for this MP Andreas! The merge looks good, I have only one question: did you already try to forward commit 5deddd6 to Debian? This is simply changing the service restart to reload, and it is mentioned that it makes the test quicker, which should be interesting to Debian as well.

I see this salsa MR from you:

https://salsa.debian.org/samba-team/samba/-/merge_requests/61

but it seems to not include the change I mentioned above.

Other than that everything looks good to me, +1.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved

review: Approve
Andreas Hasenack (ahasenack) wrote :

> did you already try to forward commit 5deddd6 to Debian?

No, that draft MP is in draft because it requires a bit of work to run these tests in debian. There are many ubuntu assumptions in it, like lxd as a snap, and launching a container from an "ubuntu-daily:", and also assuming it's going to be an ubuntu container.

Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded with rich history:

Uploading samba_4.18.5+dfsg-1ubuntu1.dsc
Uploading samba_4.18.5+dfsg.orig.tar.xz
Uploading samba_4.18.5+dfsg-1ubuntu1.debian.tar.xz
Uploading samba_4.18.5+dfsg-1ubuntu1_source.buildinfo
Uploading samba_4.18.5+dfsg-1ubuntu1_source.changes

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index cff98f9..b12c0c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
1samba (2:4.18.5+dfsg-1ubuntu1) mantic; urgency=medium
2
3 * Merge with Debian unstable (LP: #2028265, LP: #2027716). Remaining
4 changes:
5 - debian/control: Ubuntu i386 binary compatibility:
6 + drop ceph support
7 + enable the liburing vfs module, except on i386 where liburing is
8 not available
9 + build-depend on libglusterfs-dev only on !i386 arches
10 - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
11 samba AD DC provisioning and domain join tests with internal DNS
12 (LP #1977746, LP #2011745)
13 - d/t/util: reload instead of restarting samba, as it's quicker and
14 has the same effect we want in this test
15
16 -- Andreas Hasenack <andreas@canonical.com> Thu, 20 Jul 2023 10:15:22 -0300
17
1samba (2:4.18.5+dfsg-1) unstable; urgency=medium18samba (2:4.18.5+dfsg-1) unstable; urgency=medium
219
3 * new upstream stable/security release 4.18.5, including:20 * new upstream stable/security release 4.18.5, including:
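Review bot: The new 2:4.18.5+dfsg-1ubuntu1 entry closes LP: #2027716 from the merge line alone, and none of the items under "Remaining changes" says which change addresses that bug. The description says the fix arrives with the Debian merge and will be SRUed back to focal, so a sub-item naming the patch or upstream commit would give SRU reviewers something to trace. A nit in the carried item: "d/t/util,d/t/samba-ad-dc-provisioning-internal-dns" is missing the space after the comma.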
@@ -75,6 +92,23 @@ samba (2:4.18.4+dfsg-1) unstable; urgency=medium
7592
76 -- Michael Tokarev <mjt@tls.msk.ru> Wed, 05 Jul 2023 18:14:20 +030093 -- Michael Tokarev <mjt@tls.msk.ru> Wed, 05 Jul 2023 18:14:20 +0300
7794
95samba (2:4.18.3+dfsg-3ubuntu1) mantic; urgency=medium
96
97 * Merge with Debian unstable (LP: #2018054). Remaining changes:
98 - debian/control: Ubuntu i386 binary compatibility:
99 + drop ceph support
100 + enable the liburing vfs module, except on i386 where liburing is
101 not available
102 + build-depend on libglusterfs-dev only on !i386 arches
103 - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
104 samba AD DC provisioning and domain join tests with internal DNS
105 (LP #1977746, LP #2011745)
106 * Added changes:
107 - d/t/util: reload instead of restarting samba, as it's quicker and
108 has the same effect we want in this test
109
110 -- Andreas Hasenack <andreas@canonical.com> Thu, 22 Jun 2023 11:59:19 -0300
111
78samba (2:4.18.3+dfsg-3) unstable; urgency=medium112samba (2:4.18.3+dfsg-3) unstable; urgency=medium
79113
80 * d/rules: query for DEB_HOST_ARCH, not DEB_HOST_ARCH_CPU,114 * d/rules: query for DEB_HOST_ARCH, not DEB_HOST_ARCH_CPU,
@@ -233,6 +267,20 @@ samba (2:4.18.0+dfsg-1~exp1) experimental; urgency=medium
233267
234 -- Michael Tokarev <mjt@tls.msk.ru> Thu, 09 Mar 2023 14:47:05 +0300268 -- Michael Tokarev <mjt@tls.msk.ru> Thu, 09 Mar 2023 14:47:05 +0300
235269
270samba (2:4.17.7+dfsg-1ubuntu1) lunar; urgency=medium
271
272 * Merge with Debian unstable (LP: #2014052). Remaining changes:
273 - debian/control: Ubuntu i386 binary compatibility:
274 + drop ceph support
275 + enable the liburing vfs module, except on i386 where liburing is
276 not available
277 + build-depend on libglusterfs-dev only on !i386 arches
278 - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
279 samba AD DC provisioning and domain join tests with internal DNS
280 (LP #1977746, LP #2011745)
281
282 -- Andreas Hasenack <andreas@canonical.com> Fri, 31 Mar 2023 15:26:11 -0300
283
236samba (2:4.17.6+dfsg-1) unstable; urgency=medium284samba (2:4.17.6+dfsg-1) unstable; urgency=medium
237285
238 * new upstream stable/bugfix release 4.17.6:286 * new upstream stable/bugfix release 4.17.6:
@@ -260,6 +308,38 @@ samba (2:4.17.6+dfsg-1) unstable; urgency=medium
260308
261 -- Michael Tokarev <mjt@tls.msk.ru> Thu, 09 Mar 2023 12:52:14 +0300309 -- Michael Tokarev <mjt@tls.msk.ru> Thu, 09 Mar 2023 12:52:14 +0300
262310
311samba (2:4.17.5+dfsg-2ubuntu3) lunar; urgency=medium
312
313 * Add domain join tests (LP: #2011745):
314 - d/t/control: update dependencies for samba AD provisioning test,
315 which now also includes a member server join test
316 - d/t/util, d/t/samba-ad-dc-*: add member server join tests
317
318 -- Andreas Hasenack <andreas@canonical.com> Wed, 15 Mar 2023 20:49:56 -0300
319
320samba (2:4.17.5+dfsg-2ubuntu2) lunar; urgency=medium
321
322 * d/t/samba-ad-dc-provisioning-internal-dns: test improvements
323 (LP: #2009485):
324 - increase kinit timeout, as it also does DNS lookups
325 - add a trap on exit to show logs in the case of some failure
326
327 -- Andreas Hasenack <andreas@canonical.com> Mon, 06 Mar 2023 11:49:34 -0300
328
329samba (2:4.17.5+dfsg-2ubuntu1) lunar; urgency=medium
330
331 * Merge with Debian unstable (LP: #2002181). Remaining changes:
332 - debian/control: Ubuntu i386 binary compatibility:
333 + drop ceph support
334 + enable the liburing vfs module, except on i386 where liburing is
335 not available
336 + build-depend on libglusterfs-dev only on !i386 arches
337 * Added:
338 - d/t/control, d/t/samba-ad-dc-provisioning-internal-dns: samba AD
339 DC provisioning test with internal DNS (LP: #1977746)
340
341 -- Andreas Hasenack <andreas@canonical.com> Sun, 05 Feb 2023 13:47:57 -0300
342
263samba (2:4.17.5+dfsg-2) unstable; urgency=medium343samba (2:4.17.5+dfsg-2) unstable; urgency=medium
264344
265 * d/control: samba: depends on exact version of python3-samba345 * d/control: samba: depends on exact version of python3-samba
@@ -412,6 +492,43 @@ samba (2:4.17.3+dfsg-4) unstable; urgency=medium
412492
413 -- Michael Tokarev <mjt@tls.msk.ru> Mon, 05 Dec 2022 14:39:43 +0300493 -- Michael Tokarev <mjt@tls.msk.ru> Mon, 05 Dec 2022 14:39:43 +0300
414494
495samba (2:4.17.3+dfsg-3ubuntu2) lunar; urgency=medium
496
497 * No-change rebuild with Python 3.11 as default
498
499 -- Graham Inggs <ginggs@ubuntu.com> Mon, 26 Dec 2022 18:01:11 +0000
500
501samba (2:4.17.3+dfsg-3ubuntu1) lunar; urgency=medium
502
503 * Merge with Debian unstable (LP: #1993380). Remaining changes:
504 - debian/control: Ubuntu i386 binary compatibility:
505 + drop ceph support
506 - d/control: enable the liburing vfs module, except on i386 where
507 liburing is not available
508 - d/control: build-depend on libglusterfs-dev only on !i386 arches
509 * Dropped:
510 - debian/smb.conf;
511 + Add "(Samba, Ubuntu)" to server string.
512 [In 2:4.16.6+dfsg-1]
513 + Comment out the default [homes] share, and add a comment about
514 "valid users = %s" to show users how to restrict access to
515 \\server\username to only username.
516 [In 2:4.16.6+dfsg-1]
517 - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
518 Skip running the tests if on i386 platform, because the uring
519 package is not available there.
520 [In 2:4.16.6+dfsg-1, improved]
521 - d/t/util: fix setting the password of the smb test user
522 (LP #1955851)
523 [In 2:4.16.5+dfsg-2]
524 - d/p/VERSION.patch: Update vendor string to "Ubuntu".
525 [Implemented dynamically in d/rules in 2:4.16.6+dfsg-6]
526 - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
527 enable the samba glusterfs vfs mofule in that case
528 [In 2:4.16.6+dfsg-1]
529
530 -- Andreas Hasenack <andreas@canonical.com> Tue, 13 Dec 2022 18:36:23 -0300
531
415samba (2:4.17.3+dfsg-3) unstable; urgency=medium532samba (2:4.17.3+dfsg-3) unstable; urgency=medium
416533
417 * d/control: winbind should depend on the same binary:Version534 * d/control: winbind should depend on the same binary:Version
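Review bot: In the Dropped list of 2:4.17.3+dfsg-3ubuntu1, the [homes] item quotes the restriction as "valid users = %s", but the smb.conf substitution for the current share name is %S, so the changelog misquotes the setting it describes. The same wording recurs in the older entries further down. Two smaller points in this hunk: "debian/smb.conf;" ends in a semicolon where the neighbouring items use a colon, and "vfs mofule" should read "vfs module". These entries are already published, so the place to correct them is any future entry that reuses the wording.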
@@ -708,6 +825,30 @@ samba (2:4.16.5+dfsg-1) unstable; urgency=medium
708825
709 -- Michael Tokarev <mjt@tls.msk.ru> Thu, 08 Sep 2022 12:44:38 +0300826 -- Michael Tokarev <mjt@tls.msk.ru> Thu, 08 Sep 2022 12:44:38 +0300
710827
828samba (2:4.16.4+dfsg-2ubuntu1) kinetic; urgency=medium
829
830 * Merge with Debian unstable. Remaining changes:
831 - d/p/VERSION.patch: Update vendor string to "Ubuntu".
832 - debian/smb.conf;
833 + Add "(Samba, Ubuntu)" to server string.
834 + Comment out the default [homes] share, and add a comment about
835 "valid users = %s" to show users how to restrict access to
836 \\server\username to only username.
837 - debian/control: Ubuntu i386 binary compatibility:
838 + drop ceph support
839 - d/control: enable the liburing vfs module, except on i386 where
840 liburing is not available
841 - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
842 Skip running the tests if on i386 platform, because the uring
843 package is not available there.
844 - d/t/util: fix setting the password of the smb test user
845 (LP #1955851)
846 - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
847 enable the samba glusterfs vfs mofule in that case
848 - d/control: build-depend on libglusterfs-dev only on !i386 arches
849
850 -- Andreas Hasenack <andreas@canonical.com> Tue, 02 Aug 2022 09:30:05 -0300
851
711samba (2:4.16.4+dfsg-2) unstable; urgency=medium852samba (2:4.16.4+dfsg-2) unstable; urgency=medium
712853
713 * d/libldb2.symbols: include newly added symbols854 * d/libldb2.symbols: include newly added symbols
@@ -736,6 +877,62 @@ samba (2:4.16.4+dfsg-1) unstable; urgency=high
736877
737 -- Michael Tokarev <mjt@tls.msk.ru> Wed, 27 Jul 2022 18:35:53 +0300878 -- Michael Tokarev <mjt@tls.msk.ru> Wed, 27 Jul 2022 18:35:53 +0300
738879
880samba (2:4.16.3+dfsg-1ubuntu1) kinetic; urgency=medium
881
882 * Merge with Debian unstable (LP: #1982116). Remaining changes:
883 - d/p/VERSION.patch: Update vendor string to "Ubuntu".
884 - debian/smb.conf;
885 + Add "(Samba, Ubuntu)" to server string.
886 + Comment out the default [homes] share, and add a comment about
887 "valid users = %s" to show users how to restrict access to
888 \\server\username to only username.
889 - debian/control: Ubuntu i386 binary compatibility:
890 + drop ceph support
891 - d/control: enable the liburing vfs module, except on i386 where
892 liburing is not available
893 - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
894 Skip running the tests if on i386 platform, because the uring
895 package is not available there.
896 - d/t/util: fix setting the password of the smb test user
897 (LP #1955851)
898 - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
899 enable the samba glusterfs vfs mofule in that case
900 - d/control: build-depend on libglusterfs-dev only on !i386 arches
901 * Dropped:
902 - Update nfs scripts for new nfs.conf config (LP: #1961840):
903 + d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: updated to use
904 nfsconf(8) if it's available, instead of parsing the old config
905 files in /etc/default/nfs-*
906 [In 2:4.16.3+dfsg-1]
907 + d/ctdb.example/nfs-kernel-server/nfs.conf: /etc/nfs.conf to be
908 used by the example enable-nfs.sh example script
909 [In 2:4.16.3+dfsg-1]
910 + d/ctdb.example/nfs-kernel-server/quota: quota config file to be
911 used by the example enable-nfs.sh script
912 [In 2:4.16.3+dfsg-1]
913 + d/ctdb.example/nfs-kernel-server/nfs-{common,kernel-server}:
914 obsolete, replaced by nfs.conf
915 [In 2:4.16.3+dfsg-1]
916 + d/ctdb.example/nfs-kernel-server/enable-nfs.sh: handle new
917 nfs.conf and other changes in the new nfs server packages
918 [In 2:4.16.3+dfsg-1]
919 - Fix abort when deleting a file and "fruit:resource = stream" is
920 used. (LP #1977491)
921 + d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-01.patch:
922 Add test that shows smbd crashing when deleting a file while using
923 vfs_fruit with "fruit:resource = stream".
924 + d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-02.patch:
925 Handle file deleting when "fruit:resource = stream" is used.
926 [Fixed upstream]
927 - Build dlz module for bind 9.18.x (LP #1964032)
928 + d/p/add-support-for-bind-918.patch: build a dlz module for
929 bind 9.18.x
930 + d/p/add-support-for-bind-918-2.patch: also update the
931 provisioning tool and template config file
932 [Fixed upstream]
933
934 -- Andreas Hasenack <andreas@canonical.com> Fri, 29 Jul 2022 17:09:27 -0300
935
739samba (2:4.16.3+dfsg-1) unstable; urgency=medium936samba (2:4.16.3+dfsg-1) unstable; urgency=medium
740937
741 [ Michael Tokarev ]938 [ Michael Tokarev ]
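Review bot: In the Dropped list of 2:4.16.3+dfsg-1ubuntu1, the vfs_fruit crash fix (LP #1977491) and the bind 9.18 dlz patches (LP #1964032) are both closed out with a bare "[Fixed upstream]", with no version. The nfs items directly above cite "[In 2:4.16.3+dfsg-1]"; giving the upstream release in the same way would let someone backporting the smbd abort fix see which versions still need the patch.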
@@ -747,6 +944,54 @@ samba (2:4.16.3+dfsg-1) unstable; urgency=medium
747944
748 -- Michael Tokarev <mjt@tls.msk.ru> Mon, 18 Jul 2022 17:15:07 +0300945 -- Michael Tokarev <mjt@tls.msk.ru> Mon, 18 Jul 2022 17:15:07 +0300
749946
947samba (2:4.16.2+dfsg-1ubuntu1) kinetic; urgency=medium
948
949 * Merge with Debian unstable. Remaining changes:
950 - d/p/VERSION.patch: Update vendor string to "Ubuntu".
951 - debian/smb.conf;
952 + Add "(Samba, Ubuntu)" to server string.
953 + Comment out the default [homes] share, and add a comment about
954 "valid users = %s" to show users how to restrict access to
955 \\server\username to only username.
956 - debian/control: Ubuntu i386 binary compatibility:
957 + drop ceph support
958 - d/control: enable the liburing vfs module, except on i386 where
959 liburing is not available
960 - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
961 Skip running the tests if on i386 platform, because the uring
962 package is not available there.
963 - d/t/util: fix setting the password of the smb test user
964 (LP #1955851)
965 - Update nfs scripts for new nfs.conf config (LP #1961840):
966 + d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: updated to use
967 nfsconf(8) if it's available, instead of parsing the old config
968 files in /etc/default/nfs-*
969 + d/ctdb.example/nfs-kernel-server/nfs.conf: /etc/nfs.conf to be
970 used by the example enable-nfs.sh example script
971 + d/ctdb.example/nfs-kernel-server/quota: quota config file to be
972 used by the example enable-nfs.sh script
973 + d/ctdb.example/nfs-kernel-server/nfs-{common,kernel-server}:
974 obsolete, replaced by nfs.conf
975 + d/ctdb.example/nfs-kernel-server/enable-nfs.sh: handle new
976 nfs.conf and other changes in the new nfs server packages
977 - Build dlz module for bind 9.18.x (LP #1964032)
978 + d/p/add-support-for-bind-918.patch: build a dlz module for
979 bind 9.18.x
980 + d/p/add-support-for-bind-918-2.patch: also update the
981 provisioning tool and template config file
982 - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
983 enable the samba glusterfs vfs mofule in that case
984 - d/control: build-depend on libglusterfs-dev only on !i386 arches
985 - Fix abort when deleting a file and "fruit:resource = stream" is
986 used. (LP #1977491)
987 + d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-01.patch:
988 Add test that shows smbd crashing when deleting a file while using
989 vfs_fruit with "fruit:resource = stream".
990 + d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-02.patch:
991 Handle file deleting when "fruit:resource = stream" is used.
992
993 -- Andreas Hasenack <andreas@canonical.com> Mon, 27 Jun 2022 18:32:00 -0300
994
750samba (2:4.16.2+dfsg-1) unstable; urgency=medium995samba (2:4.16.2+dfsg-1) unstable; urgency=medium
751996
752 * new upstream minor/bugfix release.997 * new upstream minor/bugfix release.
@@ -768,6 +1013,111 @@ samba (2:4.16.2+dfsg-1) unstable; urgency=medium
7681013
769 -- Michael Tokarev <mjt@tls.msk.ru> Mon, 13 Jun 2022 19:08:44 +03001014 -- Michael Tokarev <mjt@tls.msk.ru> Mon, 13 Jun 2022 19:08:44 +0300
7701015
1016samba (2:4.16.1+dfsg-8ubuntu2) kinetic; urgency=medium
1017
1018 * Fix abort when deleting a file and "fruit:resource = stream" is
1019 used. (LP: #1977491)
1020 - d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-01.patch:
1021 Add test that shows smbd crashing when deleting a file while using
1022 vfs_fruit with "fruit:resource = stream".
1023 - d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-02.patch:
1024 Handle file deleting when "fruit:resource = stream" is used.
1025
1026 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 20 Jun 2022 19:09:25 -0400
1027
1028samba (2:4.16.1+dfsg-8ubuntu1) kinetic; urgency=medium
1029
1030 * Merge with Debian unstable (LP: #1971256, LP: #1846947). Remaining
1031 changes:
1032 - d/p/VERSION.patch: Update vendor string to "Ubuntu".
1033 - debian/smb.conf;
1034 + Add "(Samba, Ubuntu)" to server string.
1035 + Comment out the default [homes] share, and add a comment about
1036 "valid users = %s" to show users how to restrict access to
1037 \\server\username to only username.
1038 - debian/control: Ubuntu i386 binary compatibility:
1039 + drop ceph support
1040 - d/control: enable the liburing vfs module, except on i386 where
1041 liburing is not available
1042 - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
1043 Skip running the tests if on i386 platform, because the uring
1044 package is not available there.
1045 - d/t/util: fix setting the password of the smb test user
1046 (LP #1955851)
1047 - Update nfs scripts for new nfs.conf config (LP #1961840):
1048 + d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: updated to use
1049 nfsconf(8) if it's available, instead of parsing the old config
1050 files in /etc/default/nfs-*
1051 + d/ctdb.example/nfs-kernel-server/nfs.conf: /etc/nfs.conf to be
1052 used by the example enable-nfs.sh example script
1053 + d/ctdb.example/nfs-kernel-server/ctdb.example.quota: quota
1054 config file to be used by the example enable-nfs.sh script
1055 + d/ctdb.example/nfs-kernel-server/nfs-{common,kernel-server}:
1056 obsolete, replaced by nfs.conf
1057 + d/ctdb.example/nfs-kernel-server/enable-nfs.sh: handle new
1058 nfs.conf and other changes in the new nfs server packages
1059 - Build dlz module for bind 9.18.x (LP #1964032)
1060 + d/p/add-support-for-bind-918.patch: build a dlz module for
1061 bind 9.18.x
1062 + d/p/add-support-for-bind-918-2.patch: also update the
1063 provisioning tool and template config file
1064 - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
1065 enable the samba glusterfs vfs mofule in that case
1066 - d/control: build-depend on libglusterfs-dev only on !i386 arches
1067 * Dropped:
1068 - d/control: add a versioned libgnutls28-dev build-depends to reduce
1069 the amount of in-tree crypto code that is built
1070 [superfluous, the version in the archive is recent enough]
1071 - d/samba.postinst: do not populate sambashare from the Ubuntu admin group (LP 1942195)
1072 [Included in 2:4.13.13+dfsg-1]
1073 - d/control: bump required build-depends
1074 [Included in Debian]
1075 - d/samba-libs.install: update list of installed libraries and
1076 modules/plugins
1077 [Done in Debian]
1078 - debian/patches/CVE-2021-20254.patch: removed, applied upstream
1079 [Applied upstream, Debian didn't have this patch]
1080 - d/p/Rename-mdfind-to-mdsearch.patch: removed, applied usptream
1081 [Applied usptream, Debian did not have it]
1082 - d/{gpb.conf,watch,README.source}: update for 4.15
1083 [Debian updated it for 4.16]
1084 - d/rules: remove --with-dnsupdate, it was merged with
1085 --with-ads in samba 4.15.0
1086 [Included in 2:4.16.0+dfsg-1]
1087 - d/rules: drop removal of ctdb tests, they are no longer installed
1088 [Included in 2:4.16.0+dfsg-1]
1089 - Remove findsmb, no longer installed:
1090 + d/smbclient.install: remove findsmb
1091 + d/rules: drop fixing of findsmb shebang
1092 [Included in 2:4.16.0+dfsg-1]
1093 - d/ctdb.install: remove ctdb_local_daemons, part of ctdb tests,
1094 no longer installed
1095 [Included in 2:4.16.0+dfsg-1]
1096 - d/ctdb.install: add tdb_mutex_check
1097 [Included in 2:4.16.0+dfsg-1]
1098 - d/winbind.install: add async_dns_krb5_locator
1099 [Included in 2:4.16.0+dfsg-1]
1100 - d/samba.install: install samba-bgqd and its manpage
1101 [Included in 2:4.16.0+dfsg-1]
1102 - d/{libsmbclient,libwbclient0}.symbols: symbols updates
1103 [Obsolete, these were for 4.15.5]
1104 - d/rules: drop dh_perl override, unneeded
1105 [Included in 2:4.16.0+dfsg-1]
1106 - d/p/lp-1951490-fix-printing-KB5006743.patch: Fix printing after
1107 Windows 2021-10 Monthly Rollup patch (LP #1951490)
1108 [Included upstream in 4.16.0rc2]
1109 - d/rules: install the new/changed ctdb example nfs files
1110 [Installed via ctdb.examples]
1111 * Added:
1112 - rename ctdb example files nfs.conf and quota, to match what the
1113 enable-nfs.sh script expects
1114 - enable-nfs.sh ctdb example: use debian's filename for the
1115 static port sysctl configuration
1116 - enable-nfs.sh: in ctdb 4.16, the "recovery lock" config option was
1117 renamed to "cluster lock"
1118
1119 -- Andreas Hasenack <andreas@canonical.com> Wed, 08 Jun 2022 11:02:29 -0300
1120
771samba (2:4.16.1+dfsg-8) unstable; urgency=medium1121samba (2:4.16.1+dfsg-8) unstable; urgency=medium
7721122
773 * fix the Breaks/Replaces versions in the previous upload for moving1123 * fix the Breaks/Replaces versions in the previous upload for moving
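Review bot: In the Dropped list of 2:4.16.1+dfsg-8ubuntu1, the rationale for debian/patches/CVE-2021-20254.patch reads "[Applied upstream, Debian didn't have this patch]", while the 2:4.13.5+dfsg-2ubuntu1 entry further down records the same CVE as "[Included in 2:4.13.5+dfsg-2]" and 2:4.13.14+dfsg-0ubuntu1 lists the patch as "removed, included in new version". With three entries accounting for one security patch it is hard to audit when the fix stopped being carried as delta; the rationale should name the upstream version that contains it. Nits in the same list: "usptream" appears twice, "(LP 1942195)" lacks the "#", and the d/samba.postinst line runs well past 80 columns.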
@@ -1064,6 +1414,95 @@ samba (2:4.16.0+dfsg-1) experimental; urgency=medium
10641414
1065 -- Michael Tokarev <mjt@tls.msk.ru> Tue, 05 Apr 2022 16:01:25 +03001415 -- Michael Tokarev <mjt@tls.msk.ru> Tue, 05 Apr 2022 16:01:25 +0300
10661416
1417samba (2:4.15.5~dfsg-0ubuntu6) kinetic; urgency=medium
1418
1419 * No-change rebuild against libicu71
1420
1421 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 30 Apr 2022 02:14:39 +0000
1422
1423samba (2:4.15.5~dfsg-0ubuntu5) jammy; urgency=medium
1424
1425 * Enable glusterfs support (LP: #1894618):
1426 - d/control: revert disabling of glusterfs, since it's in main now
1427 - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
1428 enable the samba glusterfs vfs mofule in that case
1429 - d/control: build-depend on libglusterfs-dev only on !i386 arches
1430
1431 -- Andreas Hasenack <andreas@canonical.com> Wed, 09 Mar 2022 17:31:25 -0300
1432
1433samba (2:4.15.5~dfsg-0ubuntu4) jammy; urgency=medium
1434
1435 * Build dlz module for bind 9.18.x (LP: #1964032)
1436 - d/p/add-support-for-bind-918.patch: build a dlz module for
1437 bind 9.18.x
1438 - d/samba-libs.install: remove fixme comment
1439 - d/p/add-support-for-bind-918-2.patch: also update the provisioning
1440 tool and template config file
1441
1442 -- Andreas Hasenack <andreas@canonical.com> Fri, 25 Mar 2022 14:53:19 -0300
1443
1444samba (2:4.15.5~dfsg-0ubuntu3) jammy; urgency=medium
1445
1446 * Update nfs scripts for new nfs.conf config (LP: #1961840):
1447 - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: updated to use
1448 nfsconf(8) if it's available, instead of parsing the old config
1449 files in /etc/default/nfs-*
1450 - d/ctdb.example.nfs.conf: /etc/nfs.conf to be used by the example
1451 enable-nfs.sh example script
1452 - d/ctdb.example.quota: quota config file to be used by the example
1453 enable-nfs.sh script
1454 - d/ctdb.example.nfs-{common,kernel-server}: obsolete, replaced by
1455 nfs.conf
1456 - d/ctdb.example.enable.nfs.sh: handle new nfs.conf and other
1457 changes in the new nfs server packages
1458 - d/rules: install the new/changed ctdb example nfs files
1459
1460 -- Andreas Hasenack <andreas@canonical.com> Mon, 21 Mar 2022 11:55:54 -0300
1461
1462samba (2:4.15.5~dfsg-0ubuntu2) jammy; urgency=medium
1463
1464 * d/p/lp-1951490-fix-printing-KB5006743.patch: Fix printing after
1465 Windows 2021-10 Monthly Rollup patch (LP: #1951490)
1466
1467 -- Andreas Hasenack <andreas@canonical.com> Thu, 10 Mar 2022 10:32:59 -0300
1468
1469samba (2:4.15.5~dfsg-0ubuntu1) jammy; urgency=medium
1470
1471 * d/{gpb.conf,watch,README.source}: update for 4.15
1472 * New upstream release: 4.15.5 (LP: #1946839)
1473 * d/p/Rename-mdfind-to-mdsearch.patch: removed, applied usptream
1474 * d/rules: remove --with-dnsupdate, it was merged with
1475 --with-ads in samba 4.15.0
1476 * d/control: bump required build-depends
1477 * d/rules: drop removal of ctdb tests, they are no longer installed
1478 * Remove findsmb, no longer installed:
1479 - d/smbclient.install: remove findsmb
1480 - d/rules: drop fixing of findsmb shebang
1481 * d/ctdb.install: remove ctdb_local_daemons, part of ctdb tests,
1482 no longer installed
1483 * d/samba-libs.install: update list of installed libraries and
1484 modules/plugins
1485 * d/ctdb.install: add tdb_mutex_check
1486 * d/winbind.install: add async_dns_krb5_locator
1487 * d/samba.install: install samba-bgqd and its manpage
1488 * d/{libsmbclient,libwbclient0}.symbols: symbols updates
1489 * d/control: add python3-markdown to build-depends
1490 * d/watch: updated to handle ~dfsg versioning, thanks to
1491 Sergio Durigan Junior <sergio.durigan@canonical.com>
1492
1493 -- Andreas Hasenack <andreas@canonical.com> Tue, 22 Feb 2022 17:59:22 -0300
1494
1495samba (2:4.13.17~dfsg-0ubuntu1) jammy; urgency=medium
1496
1497 * Update to 4.13.17 as a security update
1498 - CVE-2021-43566, CVE-2021-44142, CVE-2022-0336
1499 * Removed patches included in new version:
1500 - debian/patches/trusted_domain_regression_fix.patch
1501 - debian/patches/bug14901-*.patch
1502 - debian/patches/bug14922.patch
1503
1504 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Feb 2022 10:19:08 -0500
1505
1067samba (2:4.13.14+dfsg-1) unstable; urgency=high1506samba (2:4.13.14+dfsg-1) unstable; urgency=high
10681507
1069 * New upstream security release in order to address the following defects:1508 * New upstream security release in order to address the following defects:
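Review bot: The trailer date on 2:4.15.5~dfsg-0ubuntu5 (Wed, 09 Mar 2022) is earlier than the dates on ubuntu2 (10 Mar), ubuntu3 (21 Mar) and ubuntu4 (25 Mar) below it, so the timestamps in this block do not increase with the version. Refreshing the trailer when an entry is finalised (dch -r) keeps them in order, which matters to anyone reconstructing when a fix such as the KB5006743 printing patch actually shipped.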
@@ -1090,6 +1529,52 @@ samba (2:4.13.14+dfsg-1) unstable; urgency=high
10901529
1091 -- Mathieu Parent <sathieu@debian.org> Tue, 09 Nov 2021 20:53:03 +01001530 -- Mathieu Parent <sathieu@debian.org> Tue, 09 Nov 2021 20:53:03 +0100
10921531
1532samba (2:4.13.14+dfsg-0ubuntu5) jammy; urgency=medium
1533
1534 * No-change rebuild for icu soname change
1535
1536 -- William 'jawn-smith' Wilson <jawn-smith@ubuntu.com> Fri, 11 Feb 2022 11:36:14 -0600
1537
1538samba (2:4.13.14+dfsg-0ubuntu4) jammy; urgency=medium
1539
1540 * d/t/util: fix setting the password of the smb test user
1541 (LP: #1955851)
1542
1543 -- Andreas Hasenack <andreas@canonical.com> Thu, 20 Jan 2022 17:06:13 -0300
1544
1545samba (2:4.13.14+dfsg-0ubuntu3) jammy; urgency=medium
1546
1547 * No-change rebuild with Python 3.10 as default version
1548
1549 -- Graham Inggs <ginggs@ubuntu.com> Sun, 16 Jan 2022 07:01:34 +0000
1550
1551samba (2:4.13.14+dfsg-0ubuntu2) jammy; urgency=medium
1552
1553 * SECURITY REGRESSION: Kerberos authentication on standalone server in
1554 MIT realm broken
1555 - debian/patches/bug14922.patch: fix MIT Realm regression in
1556 source3/auth/user_krb5.c.
1557
1558 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 13 Dec 2021 07:09:36 -0500
1559
1560samba (2:4.13.14+dfsg-0ubuntu1) jammy; urgency=medium
1561
1562 * Update to 4.13.14 as a security update (LP: #1950363)
1563 - debian/patches/CVE-2021-20254.patch: removed, included in new
1564 version.
1565 - debian/control: bump ldb Build-Depends to 2.2.3.
1566 - debian/samba-libs.install: added libdcerpc-pkt-auth.so.0.
1567 - debian/patches/trusted_domain_regression_fix.patch: fix regression
1568 introduced in 4.13.14.
1569 - debian/patches/bug14901-*.patch: upstream patches to fix some
1570 mapping issues.
1571 - debian/patches/bug14918-*.patch: upstream patches to properly handle
1572 dangling symlinks.
1573 - CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719,
1574 CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192
1575
1576 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 09 Nov 2021 14:52:07 -0500
1577
1093samba (2:4.13.13+dfsg-1) unstable; urgency=high1578samba (2:4.13.13+dfsg-1) unstable; urgency=high
10941579
1095 [ Athos Ribeiro ]1580 [ Athos Ribeiro ]
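Review bot: 2:4.13.14+dfsg-0ubuntu1 adds debian/patches/bug14918-*.patch (dangling symlink handling), but none of the later entries in this diff records dropping it: the "Removed patches" list in 2:4.13.17~dfsg-0ubuntu1 names only trusted_domain_regression_fix.patch, bug14901-*.patch and bug14922.patch, and the Dropped list in 2:4.16.1+dfsg-8ubuntu1 does not mention it either. Since these patches came in with a security update, the entry that stops carrying them should say so and state where they were absorbed.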
@@ -1111,6 +1596,83 @@ samba (2:4.13.13+dfsg-1) unstable; urgency=high
11111596
1112 -- Mathieu Parent <sathieu@debian.org> Mon, 01 Nov 2021 08:59:20 +01001597 -- Mathieu Parent <sathieu@debian.org> Mon, 01 Nov 2021 08:59:20 +0100
11131598
1599samba (2:4.13.5+dfsg-2ubuntu4) jammy; urgency=medium
1600
1601 * No-change rebuild against liburing2
1602
1603 -- Paride Legovini <paride@ubuntu.com> Mon, 22 Nov 2021 18:08:34 +0100
1604
1605samba (2:4.13.5+dfsg-2ubuntu3) impish; urgency=medium
1606
1607 * d/samba.postinst: do not populate sambashare from the admin group
1608 (Debian packaging cherry-pick. LP: #1942195)
1609
1610 -- Paride Legovini <paride@ubuntu.com> Wed, 06 Oct 2021 10:31:14 +0200
1611
1612samba (2:4.13.5+dfsg-2ubuntu2) impish; urgency=medium
1613
1614 * No-change rebuild due to OpenLDAP soname bump.
1615
1616 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:08:36 -0400
1617
1618samba (2:4.13.5+dfsg-2ubuntu1) impish; urgency=medium
1619
1620 * Merge with Debian unstable. Remaining changes:
1621 - d/p/VERSION.patch: Update vendor string to "Ubuntu".
1622 - debian/smb.conf;
1623 + Add "(Samba, Ubuntu)" to server string.
1624 + Comment out the default [homes] share, and add a comment about
1625 "valid users = %s" to show users how to restrict access to
1626 \\server\username to only username.
1627 - d/control: Disable glusterfs support because it's not in main.
1628 MIR bug is https://launchpad.net/bugs/1274247
1629 - debian/control: Ubuntu i386 binary compatibility:
1630 + drop ceph support
1631 - d/control: add a versioned libgnutls28-dev build-depends to reduce
1632 the amount of in-tree crypto code that is built
1633 - d/control: enable the liburing vfs module, except on i386 where
1634 liburing is not available
1635 - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
1636 Skip running the tests if on i386 platform, because the uring
1637 package is not available there.
1638 * Dropped changes:
1639 - debian/samba-common.config:
1640 + Do not change priority to high if dhclient3 is installed.
1641 [Included in 2:4.13.4+dfsg-1]
1642 - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
1643 change nfs service name from nfs to nfs-kernel-server
1644 (LP #722201)
1645 [Included in 2:4.13.4+dfsg-1]
1646 - d/p/ctdb-config-enable-syslog-by-default.patch:
1647 enable syslog and systemd journal by default
1648 [Included in 2:4.13.4+dfsg-1]
1649 - debian/rules: Ubuntu i386 binary compatibility:
1650 + drop ceph support
1651 + disable the following binary packages:
1652 - ctdb
1653 - libnss-winbind
1654 - libpam-winbind
1655 - python3-samba
1656 - samba
1657 - samba-common-bin
1658 - samba-testsuite
1659 - winbind
1660 [Included in 2:4.13.4+dfsg-1]
1661 - debian/rules: Ubuntu i386 binary compatibility:
1662 + re-enable the following binary packages:
1663 - libnss-winbind
1664 - samba-common-bin
1665 - python3-samba
1666 - winbind
1667 [Included in 2:4.13.4+dfsg-1]
1668 - SECURITY UPDATE: wrong group entries via negative idmap cache entries
1669 + debian/patches/CVE-2021-20254.patch: Simplify sids_to_unixids() in
1670 source3/passdb/lookup_sid.c.
1671 + CVE-2021-20254
1672 [Included in 2:4.13.5+dfsg-2]
1673
1674 -- Athos Ribeiro <athos.ribeiro@canonical.com> Mon, 17 May 2021 11:51:54 -0300
1675
1114samba (2:4.13.5+dfsg-2) unstable; urgency=high1676samba (2:4.13.5+dfsg-2) unstable; urgency=high
11151677
1116 * CVE-2021-20254: Negative idmap cache entries can cause incorrect group1678 * CVE-2021-20254: Negative idmap cache entries can cause incorrect group
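Review bot: in the 2:4.13.5+dfsg-2ubuntu1 entry, the "Dropped changes" list (new lines 1649-1667) carries two separate debian/rules i386 items, one disabling eight binary packages and one re-enabling four of the same ones, both tagged [Included in 2:4.13.4+dfsg-1]. A reader cannot tell the net i386 package set from the changelog alone; consider collapsing them into one item that states the final set. The dropped CVE-2021-20254 item at 1668-1672 is tagged with 2:4.13.5+dfsg-2, which matches the Debian entry in the trailing context, so that security delta is traceable. Minor: "debian/smb.conf;" at 1622 ends in a semicolon where its sibling items use a colon.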
@@ -1142,6 +1704,86 @@ samba (2:4.13.4+dfsg-1) unstable; urgency=medium
11421704
1143 -- Mathieu Parent <sathieu@debian.org> Tue, 09 Feb 2021 22:26:43 +01001705 -- Mathieu Parent <sathieu@debian.org> Tue, 09 Feb 2021 22:26:43 +0100
11441706
1707samba (2:4.13.3+dfsg-1ubuntu2.1) hirsute-security; urgency=medium
1708
1709 * SECURITY UPDATE: wrong group entries via negative idmap cache entries
1710 - debian/patches/CVE-2021-20254.patch: Simplify sids_to_unixids() in
1711 source3/passdb/lookup_sid.c.
1712 - CVE-2021-20254
1713
1714 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 29 Apr 2021 06:48:54 -0400
1715
1716samba (2:4.13.3+dfsg-1ubuntu2) hirsute; urgency=medium
1717
1718 * No change rebuild to pick up liburing, and also
1719 fix d/t/cifs-share-access-uring. (LP: #1914145)
1720
1721 -- Mauricio Faria de Oliveira <mfo@canonical.com> Wed, 03 Feb 2021 09:14:25 -0300
1722
1723samba (2:4.13.3+dfsg-1ubuntu1) hirsute; urgency=medium
1724
1725 * Merge with Debian unstable. Remaining changes:
1726 - d/p/VERSION.patch: Update vendor string to "Ubuntu".
1727 - debian/smb.conf;
1728 + Add "(Samba, Ubuntu)" to server string.
1729 + Comment out the default [homes] share, and add a comment about
1730 "valid users = %s" to show users how to restrict access to
1731 \\server\username to only username.
1732 - debian/samba-common.config:
1733 + Do not change priority to high if dhclient3 is installed.
1734 - d/control, d/rules: Disable glusterfs support because it's not in main.
1735 MIR bug is https://launchpad.net/bugs/1274247
1736 - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
1737 change nfs service name from nfs to nfs-kernel-server
1738 (LP #722201)
1739 - d/p/ctdb-config-enable-syslog-by-default.patch:
1740 enable syslog and systemd journal by default
1741 - debian/rules: Ubuntu i386 binary compatibility:
1742 + drop ceph support
1743 + disable the following binary packages:
1744 - ctdb
1745 - libnss-winbind
1746 - libpam-winbind
1747 - python3-samba
1748 - samba
1749 - samba-common-bin
1750 - samba-testsuite
1751 - winbind
1752 - debian/control: Ubuntu i386 binary compatibility:
1753 + drop ceph support
1754 - debian/rules: Ubuntu i386 binary compatibility:
1755 + re-enable the following binary packages:
1756 - libnss-winbind
1757 - samba-common-bin
1758 - python3-samba
1759 - winbind
1760 - d/control: add a versioned libgnutls28-dev build-depends to reduce
1761 the amount of in-tree crypto code that is built
1762 - d/control: enable the liburing vfs module, except on i386 where
1763 liburing is not available
1764 * Dropped changes, incorporated by Debian:
1765 - d/t/smbclient-anonymous-share-list: add set -x and set -e
1766 - Factor out common DEP8 test code into d/t/util and change the tests
1767 to source from it:
1768 + d/t/util: added
1769 + d/t/cifs-share-access, d/t/smbclient-share-access: source from
1770 util, use random share name and add set -x and set -u
1771 + d/t/smbclient-authenticated-share-list: source from util and add
1772 set -x and set -u
1773 - Add new DEP8 tests for the uring vfs module:
1774 + d/t/control: add smbclient-share-access-uring and
1775 cifs-share-access-uring tests
1776 + d/t/smbclient-share-access-uring: new test
1777 + d/t/cifs-share-access-uring: new test
1778 - d/t/{util, smbclient-share-access-uring, cifs-share-access-uring}:
1779 guard uring tests with a kernel version check and skip if it's too old
1780 * Added changes:
1781 - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
1782 Skip running the tests if on i386 platform, because the uring
1783 package is not available there.
1784
1785 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 13 Jan 2021 15:44:04 -0500
1786
1145samba (2:4.13.3+dfsg-1) unstable; urgency=medium1787samba (2:4.13.3+dfsg-1) unstable; urgency=medium
11461788
1147 [ Andreas Hasenack ]1789 [ Andreas Hasenack ]
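Review bot: the 2:4.13.3+dfsg-1ubuntu2 entry at new lines 1718-1719 calls itself a "No change rebuild" and in the same sentence says it will "also fix d/t/cifs-share-access-uring". An upload that modifies a DEP8 test is not a no-change rebuild, and the entry does not say what was wrong with the test; it would read better as two items, one for the liburing rebuild and one describing the test fix. Separately, "Dropped changes, incorporated by Debian" at 1764 gives no Debian version for any of its items, unlike the [Included in ...] tags used in the 2:4.13.5+dfsg-2ubuntu1 entry.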
@@ -1157,6 +1799,93 @@ samba (2:4.13.3+dfsg-1) unstable; urgency=medium
11571799
1158 -- Mathieu Parent <sathieu@debian.org> Wed, 16 Dec 2020 18:23:09 +01001800 -- Mathieu Parent <sathieu@debian.org> Wed, 16 Dec 2020 18:23:09 +0100
11591801
1802samba (2:4.13.2+dfsg-3ubuntu1) hirsute; urgency=medium
1803
1804 * Merge with Debian unstable (LP: #1905048). Remaining changes:
1805 - d/p/VERSION.patch: Update vendor string to "Ubuntu".
1806 - debian/smb.conf;
1807 + Add "(Samba, Ubuntu)" to server string.
1808 + Comment out the default [homes] share, and add a comment about
1809 "valid users = %s" to show users how to restrict access to
1810 \\server\username to only username.
1811 - debian/samba-common.config:
1812 + Do not change priority to high if dhclient3 is installed.
1813 - d/control, d/rules: Disable glusterfs support because it's not in main.
1814 MIR bug is https://launchpad.net/bugs/1274247
1815 - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
1816 change nfs service name from nfs to nfs-kernel-server
1817 (LP #722201)
1818 - d/p/ctdb-config-enable-syslog-by-default.patch:
1819 enable syslog and systemd journal by default
1820 - debian/rules: Ubuntu i386 binary compatibility:
1821 + drop ceph support
1822 + disable the following binary packages:
1823 - ctdb
1824 - libnss-winbind
1825 - libpam-winbind
1826 - python3-samba
1827 - samba
1828 - samba-common-bin
1829 - samba-testsuite
1830 - winbind
1831 - debian/control: Ubuntu i386 binary compatibility:
1832 + drop ceph support
1833 - debian/rules: Ubuntu i386 binary compatibility:
1834 + re-enable the following binary packages:
1835 - libnss-winbind
1836 - samba-common-bin
1837 - python3-samba
1838 - winbind
1839 - d/control: add a versioned libgnutls28-dev build-depends to reduce
1840 the amount of in-tree crypto code that is built
1841 * d/t/smbclient-anonymous-share-list: add set -x and set -e
1842 * Factor out common DEP8 test code into d/t/util and change the tests
1843 to source from it:
1844 - d/t/util: added
1845 - d/t/cifs-share-access, d/t/smbclient-share-access: source from
1846 util, use random share name and add set -x and set -u
1847 - d/t/smbclient-authenticated-share-list: source from util and add
1848 set -x and set -u
1849 * d/control: enable the liburing vfs module, except on i386 where
1850 liburing is not available
1851 * Add new DEP8 tests for the uring vfs module:
1852 - d/t/control: add smbclient-share-access-uring and
1853 cifs-share-access-uring tests
1854 - d/t/smbclient-share-access-uring: new test
1855 - d/t/cifs-share-access-uring: new test
1856 * d/t/{util, smbclient-share-access-uring, cifs-share-access-uring}:
1857 guard uring tests with a kernel version check and skip if it's too old
1858 * Dropped changes:
1859 - SECURITY UPDATE: Unauthenticated domain controller compromise by
1860 subverting Netlogon cryptography (ZeroLogon)
1861 + debian/patches/zerologon-*.patch: backport upstream patches:
1862 + For compatibility reasons, allow specifying an insecure netlogon
1863 configuration per machine. See the following link for examples:
1864 https://www.samba.org/samba/security/CVE-2020-1472.html
1865 + Add additional server checks for the protocol attack in the
1866 client-specified challenge to provide some protection when
1867 'server schannel = no/auto' and avoid the false-positive results
1868 when running the proof-of-concept exploit.
1869 [ Incorporated by upstream. ]
1870 - SECURITY UPDATE: Missing handle permissions check in ChangeNotify
1871 + debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
1872 get set unless the directory handle is open for SEC_DIR_LIST in
1873 source4/torture/smb2/notify.c, source3/smbd/notify.c.
1874 + CVE-2020-14318
1875 - SECURITY UPDATE: Unprivileged user can crash winbind
1876 + debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
1877 source3/winbindd/winbindd_lookupsids.c,
1878 source4/torture/winbind/struct_based.c.
1879 + CVE-2020-14323
1880 - SECURITY UPDATE: DNS server crash via invalid records
1881 - debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
1882 with NULL and do not crash when additional data not found in
1883 source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
1884 + CVE-2020-14383
1885 [ Incorporated by upstream. ]
1886
1887 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 24 Nov 2020 22:12:00 -0500
1888
1160samba (2:4.13.2+dfsg-3) unstable; urgency=medium1889samba (2:4.13.2+dfsg-3) unstable; urgency=medium
11611890
1162 * Ensure systemd-tmpfiles is called before testparm (Closes: #975422)1891 * Ensure systemd-tmpfiles is called before testparm (Closes: #975422)
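Review bot: in the "Dropped changes" list of 2:4.13.2+dfsg-3ubuntu1, the CVE-2020-14318 and CVE-2020-14323 items (new lines 1870-1879) have no "[ Incorporated by upstream. ]" tag, while the ZeroLogon and CVE-2020-14383 items do. For dropped security patches the changelog should state where each fix now comes from, so an auditor can confirm nothing regressed. Two smaller points in the same list: the dropped ZeroLogon item omits the CVE-2020-1472 identifier that the original groovy entry carries, and the patch line at 1881 uses "-" where its sibling sub-items use "+".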
@@ -1202,6 +1931,138 @@ samba (2:4.13.2+dfsg-1) experimental; urgency=medium
12021931
1203 -- Mathieu Parent <sathieu@debian.org> Thu, 12 Nov 2020 11:23:01 +01001932 -- Mathieu Parent <sathieu@debian.org> Thu, 12 Nov 2020 11:23:01 +0100
12041933
1934samba (2:4.12.5+dfsg-3ubuntu4.1) groovy-security; urgency=medium
1935
1936 * SECURITY UPDATE: Missing handle permissions check in ChangeNotify
1937 - debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
1938 get set unless the directory handle is open for SEC_DIR_LIST in
1939 source4/torture/smb2/notify.c, source3/smbd/notify.c.
1940 - CVE-2020-14318
1941 * SECURITY UPDATE: Unprivileged user can crash winbind
1942 - debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
1943 source3/winbindd/winbindd_lookupsids.c,
1944 source4/torture/winbind/struct_based.c.
1945 - CVE-2020-14323
1946 * SECURITY UPDATE: DNS server crash via invalid records
1947 - debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
1948 with NULL and do not crash when additional data not found in
1949 source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
1950 - CVE-2020-14383
1951
1952 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 16 Oct 2020 06:53:44 -0400
1953
1954samba (2:4.12.5+dfsg-3ubuntu4) groovy; urgency=medium
1955
1956 * SECURITY UPDATE: Unauthenticated domain controller compromise by
1957 subverting Netlogon cryptography (ZeroLogon)
1958 - debian/patches/zerologon-*.patch: backport upstream patches:
1959 + For compatibility reasons, allow specifying an insecure netlogon
1960 configuration per machine. See the following link for examples:
1961 https://www.samba.org/samba/security/CVE-2020-1472.html
1962 + Add additional server checks for the protocol attack in the
1963 client-specified challenge to provide some protection when
1964 'server schannel = no/auto' and avoid the false-positive results
1965 when running the proof-of-concept exploit.
1966 - CVE-2020-1472
1967
1968 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 28 Sep 2020 09:46:49 -0400
1969
1970samba (2:4.12.5+dfsg-3ubuntu3) groovy; urgency=medium
1971
1972 * d/t/{util, smbclient-share-access-uring, cifs-share-access-uring}:
1973 guard uring tests with a kernel version check and skip if it's too old
1974
1975 -- Andreas Hasenack <andreas@canonical.com> Tue, 11 Aug 2020 11:00:35 -0300
1976
1977samba (2:4.12.5+dfsg-3ubuntu2) groovy; urgency=medium
1978
1979 * d/t/smbclient-anonymous-share-list: add set -x and set -e
1980 * Factor out common DEP8 test code into d/t/util and change the tests
1981 to source from it:
1982 - d/t/util: added
1983 - d/t/cifs-share-access, d/t/smbclient-share-access: source from
1984 util, use random share name and add set -x and set -u
1985 - d/t/smbclient-authenticated-share-list: source from util and add
1986 set -x and set -u
1987 * d/control: enable the liburing vfs module, except on i386 where
1988 liburing is not available
1989 * Add new DEP8 tests for the uring vfs module:
1990 - d/t/control: add smbclient-share-access-uring and
1991 cifs-share-access-uring tests
1992 - d/t/smbclient-share-access-uring: new test
1993 - d/t/cifs-share-access-uring: new test
1994
1995 -- Andreas Hasenack <andreas@canonical.com> Tue, 04 Aug 2020 17:20:30 -0300
1996
1997samba (2:4.12.5+dfsg-3ubuntu1) groovy; urgency=medium
1998
1999 * Merge with Debian unstable. Remaining changes:
2000 - d/p/VERSION.patch: Update vendor string to "Ubuntu".
2001 - debian/smb.conf;
2002 + Add "(Samba, Ubuntu)" to server string.
2003 + Comment out the default [homes] share, and add a comment about
2004 "valid users = %s" to show users how to restrict access to
2005 \\server\username to only username.
2006 - debian/samba-common.config:
2007 + Do not change priority to high if dhclient3 is installed.
2008 - d/control, d/rules: Disable glusterfs support because it's not in main.
2009 MIR bug is https://launchpad.net/bugs/1274247
2010 - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
2011 change nfs service name from nfs to nfs-kernel-server
2012 (LP #722201)
2013 - d/p/ctdb-config-enable-syslog-by-default.patch:
2014 enable syslog and systemd journal by default
2015 - debian/rules: Ubuntu i386 binary compatibility:
2016 + drop ceph support
2017 + disable the following binary packages:
2018 - ctdb
2019 - libnss-winbind
2020 - libpam-winbind
2021 - python3-samba
2022 - samba
2023 - samba-common-bin
2024 - samba-testsuite
2025 - winbind
2026 - debian/control: Ubuntu i386 binary compatibility:
2027 + drop ceph support
2028 - debian/rules: Ubuntu i386 binary compatibility:
2029 + re-enable the following binary packages:
2030 - libnss-winbind
2031 - samba-common-bin
2032 - python3-samba
2033 - winbind
2034 - d/control: add a versioned libgnutls28-dev build-depends to reduce
2035 the amount of in-tree crypto code that is built
2036 * Dropped:
2037 - d/gbp.conf, d/watch, d/README.source: update for 4.12
2038 [In 2:4.12.3+dfsg-1]
2039 - d/control: bump build-depends:
2040 + ldb: 2.1.2
2041 + tevent: 0.10.2
2042 + tdb: 1.4.3
2043 + talloc: 2.3.1
2044 [In 2:4.12.3+dfsg-1]
2045 - d/smbclient.install: add new binary mdfind and its manpage
2046 [In 2:4.12.3+dfsg-1]
2047 - d/samba-dev.install, d/samba-libs.install: new lib
2048 libdcerpc-server-core
2049 [In 2:4.12.3+dfsg-1]
2050 - d/samba-libs.install: new library libtalloc-report-printf
2051 [In 2:4.12.3+dfsg-1]
2052 - d/libwbclient0.install: remove libaesni, no longer built when
2053 gnutls provides AES CMAC
2054 [In 2:4.12.3+dfsg-1]
2055 - d/libsmbclient.symbols, d/libwbclient0.symbols: update symbols
2056 [In 2:4.12.3+dfsg-1]
2057 - d/p/build-Remove-tests-for-getdents-and-getdirentries.patch
2058 [Dropped in 2:4.12.3+dfsg-1]
2059 - d/p/wscript-remove-all-checks-for-_FUNC-and-__FUNC.patch
2060 [Dropped in 2:4.12.3+dfsg-1]
2061 - d/p/wscript-split-function-check-to-one-per-line-and-sor.patch
2062 [Dropped in 2:4.12.3+dfsg-1]
2063
2064 -- Andreas Hasenack <andreas@canonical.com> Fri, 31 Jul 2020 11:07:47 -0300
2065
1205samba (2:4.12.5+dfsg-3) unstable; urgency=high2066samba (2:4.12.5+dfsg-3) unstable; urgency=high
12062067
1207 * Add Breaks: sssd-ad-common (<< 2.3.0), due to libndr so bump2068 * Add Breaks: sssd-ad-common (<< 2.3.0), due to libndr so bump
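Review bot: the security entries at new lines 1936-1966 name their patches only by glob (CVE-2020-14318-*.patch, CVE-2020-14323-*.patch, CVE-2020-14383-*.patch, zerologon-*.patch), so the changelog does not record how many patches each series contains. Listing the individual files, as the focal-security CVE-2020-10700 and CVE-2020-10704 entries do, makes it possible to check the series against debian/patches/series. In the ZeroLogon item (1959-1965) the text mentions a per-machine insecure netlogon override and 'server schannel = no/auto' but does not say which setting is the safe one; a short pointer such as "see the advisory for the recommended setting" next to the URL already cited would help administrators reading only the changelog.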
@@ -1266,6 +2127,131 @@ samba (2:4.12.3+dfsg-1) experimental; urgency=medium
12662127
1267 -- Mathieu Parent <sathieu@debian.org> Wed, 24 Jun 2020 23:12:11 +02002128 -- Mathieu Parent <sathieu@debian.org> Wed, 24 Jun 2020 23:12:11 +0200
12682129
2130samba (2:4.12.2+dfsg-0ubuntu1) groovy; urgency=medium
2131
2132 * New upstream version: 4.12.2
2133 * d/gbp.conf, d/watch, d/README.source: update for 4.12
2134 * d/control: bump build-depends:
2135 - ldb: 2.1.2
2136 - tevent: 0.10.2
2137 - tdb: 1.4.3
2138 - talloc: 2.3.1
2139 * d/smbclient.install: add new binary mdfind and its manpage
2140 * d/samba-dev.install, d/samba-libs.install: new lib libdcerpc-server-core
2141 * d/samba-libs.install: new library libtalloc-report-printf
2142 * d/libwbclient0.install: remove libaesni, no longer built when
2143 gnutls provides AES CMAC
2144 * d/libsmbclient.symbols, d/libwbclient0.symbols: update symbols
2145 * d/control: add a versioned libgnutls28-dev build-depends to reduce
2146 the amount of in-tree crypto code that is built
2147 * Dropped (applied upstream):
2148 - d/p/build-Remove-tests-for-getdents-and-getdirentries.patch
2149 - d/p/wscript-remove-all-checks-for-_FUNC-and-__FUNC.patch
2150 - d/p/wscript-split-function-check-to-one-per-line-and-sor.patch
2151 - d/p/CVE-2020-10700*.patch, d/p/CVE-2020-10704*.patch
2152
2153 -- Andreas Hasenack <andreas@canonical.com> Tue, 12 May 2020 10:42:17 -0300
2154
2155samba (2:4.11.6+dfsg-0ubuntu1.1) focal-security; urgency=medium
2156
2157 * SECURITY UPDATE: Use-after-free in AD DC LDAP server
2158 - debian/patches/CVE-2020-10700-1.patch: add test for ASQ and ASQ in
2159 combination with paged_results in selftest/knownfail.d/asq,
2160 source4/dsdb/tests/python/asq.py, source4/selftest/tests.py.
2161 - debian/patches/CVE-2020-10700-3.patch: do not permit the ASQ control
2162 for the GUID search in paged_results in selftest/knownfail.d/asq,
2163 source4/dsdb/samdb/ldb_modules/paged_results.c.
2164 - debian/control: bump libldb-dev, python3-ldb, and python3-ldb-dev
2165 Build-Depends to 2.0.10.
2166 - CVE-2020-10700
2167 * SECURITY UPDATE: Stack overflow in AD DC LDAP server
2168 - debian/patches/CVE-2020-10704-1.patch: add ASN.1 max tree depth in
2169 auth/gensec/gensec_util.c, lib/util/asn1.c, lib/util/asn1.h,
2170 lib/util/tests/asn1_tests.c, libcli/auth/spnego_parse.c,
2171 libcli/cldap/cldap.c, libcli/ldap/ldap_message.c,
2172 source3/lib/tldap.c, source3/lib/tldap_util.c,
2173 source3/libsmb/clispnego.c, source3/torture/torture.c,
2174 source4/auth/gensec/gensec_krb5.c, source4/ldap_server/ldap_server.c,
2175 source4/libcli/ldap/ldap_client.c,
2176 source4/libcli/ldap/ldap_controls.c.
2177 - debian/patches/CVE-2020-10704-3.patch: check parse tree depth in
2178 lib/util/asn1.c.
2179 - debian/patches/CVE-2020-10704-5.patch: add max ldap request sizes in
2180 docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml,
2181 docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml,
2182 lib/param/loadparm.c, source3/param/loadparm.c.
2183 - debian/patches/CVE-2020-10704-6.patch: limit request sizes in
2184 source4/ldap_server/ldap_server.c.
2185 - debian/patches/CVE-2020-10704-7.patch: add search size limits to
2186 ldap_decode in docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml,
2187 lib/param/loadparm.c, libcli/cldap/cldap.c,
2188 libcli/ldap/ldap_message.c, libcli/ldap/ldap_message.h,
2189 source3/param/loadparm.c, source4/ldap_server/ldap_server.c,
2190 source4/libcli/ldap/ldap_client.c.
2191 - debian/patches/CVE-2020-10704-8.patch: check search request lengths
2192 in lib/util/asn1.c, lib/util/asn1.h, libcli/ldap/ldap_message.c.
2193 - CVE-2020-10704
2194
2195 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 24 Apr 2020 08:08:38 -0400
2196
2197samba (2:4.11.6+dfsg-0ubuntu1) focal; urgency=medium
2198
2199 * New upstream release: 4.11.6
2200 * d/p/samba-tool-py38-*.patch: dropped, fixed upstream
2201
2202 -- Andreas Hasenack <andreas@canonical.com> Wed, 26 Feb 2020 11:55:16 -0300
2203
2204samba (2:4.11.5+dfsg-1ubuntu2) focal; urgency=medium
2205
2206 * d/p/samba-tool-py38-*.patch: use correct method flags (LP: #1864324)
2207
2208 -- Andreas Hasenack <andreas@canonical.com> Sat, 22 Feb 2020 17:22:21 -0300
2209
2210samba (2:4.11.5+dfsg-1ubuntu1) focal; urgency=medium
2211
2212 * Merge with Debian unstable. Remaining changes:
2213 - debian/VERSION.patch: Update vendor string to "Ubuntu".
2214 - debian/smb.conf;
2215 + Add "(Samba, Ubuntu)" to server string.
2216 + Comment out the default [homes] share, and add a comment about
2217 "valid users = %s" to show users how to restrict access to
2218 \\server\username to only username.
2219 - debian/samba-common.config:
2220 + Do not change priority to high if dhclient3 is installed.
2221 - d/control, d/rules: Disable glusterfs support because it's not in main.
2222 MIR bug is https://launchpad.net/bugs/1274247
2223 - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
2224 change nfs service name from nfs to nfs-kernel-server
2225 (LP #722201)
2226 - d/p/ctdb-config-enable-syslog-by-default.patch:
2227 enable syslog and systemd journal by default
2228 - debian/rules: Ubuntu i386 binary compatibility:
2229 + drop ceph support
2230 + disable the following binary packages:
2231 - ctdb
2232 - libnss-winbind
2233 - libpam-winbind
2234 - python3-samba
2235 - samba
2236 - samba-common-bin
2237 - samba-testsuite
2238 - winbind
2239 - debian/control: Ubuntu i386 binary compatibility:
2240 + drop ceph support
2241 - debian/rules: Ubuntu i386 binary compatibility:
2242 + re-enable the following binary packages:
2243 - libnss-winbind
2244 - samba-common-bin
2245 - python3-samba
2246 - winbind
2247 * Dropped:
2248 - d/control: drop python3-matplotlib. It's only used in
2249 script/attr_count_read which is not installed with the
2250 samba packages.
2251 [In 2:4.11.3+dfsg-1]
2252
2253 -- Andreas Hasenack <andreas@canonical.com> Mon, 17 Feb 2020 15:29:35 -0300
2254
1269samba (2:4.11.5+dfsg-1) unstable; urgency=medium2255samba (2:4.11.5+dfsg-1) unstable; urgency=medium
12702256
1271 * New upstream security release2257 * New upstream security release
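Review bot: the focal-security entry at new lines 2157-2193 lists CVE-2020-10700-1 and -3 but no -2, and CVE-2020-10704-1, -3, -5, -6, -7 and -8 but no -2 or -4. If those numbered patches exist in debian/patches, they should be listed with a one-line description like the others; if they were intentionally left out, a short note saying so would stop a reviewer from assuming part of the fix is missing. The 2:4.12.2+dfsg-0ubuntu1 entry then drops both series by glob at 2151, so the full set cannot be reconstructed from the changelog either way.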
@@ -1293,6 +2279,161 @@ samba (2:4.11.3+dfsg-1) unstable; urgency=high
12932279
1294 -- Mathieu Parent <sathieu@debian.org> Mon, 16 Dec 2019 09:47:45 +01002280 -- Mathieu Parent <sathieu@debian.org> Mon, 16 Dec 2019 09:47:45 +0100
12952281
2282samba (2:4.11.1+dfsg-3ubuntu4) focal; urgency=medium
2283
2284 * Ubuntu i386 binary compatibility effort: (LP: #1861316)
2285 - debian/rules:
2286 + re-enable the following binary packages generation:
2287 - libnss-winbind
2288 - samba-common-bin
2289 - python3-samba
2290 - winbind
2291
2292 -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Thu, 06 Feb 2020 14:42:38 +0000
2293
2294samba (2:4.11.1+dfsg-3ubuntu3) focal; urgency=medium
2295
2296 * No-change rebuild to build with python3.8.
2297
2298 -- Matthias Klose <doko@ubuntu.com> Sat, 25 Jan 2020 06:06:11 +0000
2299
2300samba (2:4.11.1+dfsg-3ubuntu2) focal; urgency=medium
2301
2302 * Ubuntu i386 binary compatibility effort: (LP: #1858479)
2303 - debian/control:
2304 + drop ceph support
2305 - debian/rules:
2306 + drop ceph support
2307 + disable the following binary packages generation:
2308 - ctdb
2309 - libnss-winbind
2310 - libpam-winbind
2311 - python3-samba
2312 - samba
2313 - samba-common-bin
2314 - samba-testsuite
2315 - winbind
2316
2317 -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Thu, 09 Jan 2020 00:40:31 +0000
2318
2319samba (2:4.11.1+dfsg-3ubuntu1) focal; urgency=medium
2320
2321 * Merge with Debian unstable. Remaining changes:
2322 - debian/VERSION.patch: Update vendor string to "Ubuntu".
2323 - debian/smb.conf;
2324 + Add "(Samba, Ubuntu)" to server string.
2325 + Comment out the default [homes] share, and add a comment about
2326 "valid users = %s" to show users how to restrict access to
2327 \\server\username to only username.
2328 - debian/samba-common.config:
2329 + Do not change priority to high if dhclient3 is installed.
2330 - d/control, d/rules: Disable glusterfs support because it's not in main.
2331 MIR bug is https://launchpad.net/bugs/1274247
2332 - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
2333 change nfs service name from nfs to nfs-kernel-server
2334 (LP #722201)
2335 [Adopted the Debian version and added a couple of extra hunks
2336 we had]
2337 - d/p/ctdb-config-enable-syslog-by-default.patch:
2338 enable syslog and systemd journal by default
2339 * Dropped:
2340 - Add apport hook:
2341 + Created debian/source_samba.py.
2342 + debian/rules, debian/samba-common-bin.install: install hook.
2343 [In 2:4.9.4+dfsg-2]
2344 - Removed patches already applied upstream:
2345 + d/p/nsswitch-Add-try_authtok-option-to-pam_winbind.patch
2346 [Removed in 2:4.10.7+dfsg-1]
2347 + d/p/s3-auth-ignore-create_builtin_guests-failing-without.patch
2348 [Removed in 4.9.5+dfsg-1]
2349 - d/p/add-so-version-to-private-libraries: refreshed to remove fuzz
2350 [Refreshed in 2:4.1.17+dfsg-1]
2351 - d/control: Updated build dependencies (already updated in Debian):
2352 + tdb >= 1.3.17
2353 + talloc >= 2.1.15
2354 + tevent >= 0.9.38
2355 + ldb >= 1.5.3
2356 - d/samba-common.docs: README is now README.md
2357 [In 2:4.10.7+dfsg-1]
2358 - d/libsmbclient.symbols: update symbols for this version
2359 - d/libwbclient0.symbols: update symbols for this version
2360 - d/ctdb.install: new binary ctdb_local_daemons
2361 [In 2:4.10.7+dfsg-1]
2362 - d/samba-dev.install: use globbing for the header files with
2363 exceptions for wbclient.h and libsmbclient.h, which belong in
2364 other packages.
2365 [In 2:4.10.7+dfsg-1]
2366 - d/rules: fix globbing used to move the dckeytab python module to the
2367 samba package, and add a comment explaining why this is being done.
2368 [In 2:4.10.7+dfsg-1]
2369 - Switch to python3 (in 2:4.10.7+dfsg-1):
2370 + d/rules: calculate the ldb version using python3, and drop the
2371 "really" bit since the real 1.5.x series is being used now.
2372 + d/rules: make sure python3 is used for the build
2373 + d/rules: adjust globbing to remove the python3 version of tevent.so
2374 + d/rules: drop PYVERS, unused
2375 + d/control: adjust dependencies (build and runtime) for python3
2376 + d/python3-samba.install, d/control: new python3-samba package
2377 (LP #1440381)
2378 + d/control, d/python-samba.install: get rid of python-samba, which is py2
2379 + d/python3-samba.lintian-overrides: use the same overrides we had for
2380 python-samba, now deleted.
2381 + d/samba-dev.install, d/samba-libs.install: update file list
2382 + d/t/control, d/t/python-smoke: use python3
2383 + d/control: use ${python3:Depends} now instead of the python 2
2384 counterpart for samba and samba-common-bin.
2385 - d/control: drop suggests for python-gpgme, it's no longer available.
2386 [In 2:4.10.7+dfsg-1]
2387 - d/gbp.conf, d/watch, r/README.source: updated for 4.10
2388 [In 2:4.10.7+dfsg-1]
2389 - d/control: update cmocka build-depends to >= 1.1.3
2390 [In 2:4.10.7+dfsg-1]
2391 - d/samba-libs.install: bump passdb minor to 0.27.2
2392 [In 2:4.10.7+dfsg-1]
2393 - d/ctdb.install, d/rules: create ctdb run directory into tmpfiles.d
2394 to allow pid file to exist (LP #1821775)
2395 [In 2:4.10.7+dfsg-1]
2396 - Allow proper ctdb initalization (LP #1828799):
2397 + d/ctdb.dirs: added /var/lib/ctdb/* directories
2398 + d/ctdb.postrm: remove leftovers from:
2399 /var/lib/ctdb/{state,persistent,volatile,scripts}
2400 [In 2:4.10.7+dfsg-1]
2401 - d/rules: installing provided config examples and helper scripts
2402 - Examples of NFS HA CTDB config files + helper script:
2403 + d/ctdb.example.enable.nfs.sh
2404 + d/ctdb.example.nfs-common
2405 + d/ctdb.example.nfs-kernel-server
2406 + d/ctdb.example.services
2407 + d/ctdb.example.sysctl-nfs-static-ports.conf
2408 [In 2:4.10.7+dfsg-1]
2409 - debian/rules: Make DEB_HOST_ARCH_CPU initialized through
2410 dpkg-architecture (Closes: #931138)
2411 [In 2:4.10.7+dfsg-1]
2412 - d/control: update ldb build-deps to 1.5.5
2413 [In 2:4.10.7+dfsg-1]
2414 - SECURITY UPDATE: restricted share escape by user (LP #1842533)
2415 [fixed upstream in 4.11.0rc2]
2416 + debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
2417 out impersonation debug info into a new function.
2418 + debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
2419 change_to_user_internal() always resets current_user.done_chdir
2420 + debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
2421 reset current_user.{need,done}_chdir in become_root()
2422 + debian/patches/CVE-2019-10197-04-v4-10.patch: selftest: make
2423 fsrvp_share its own independent subdirectory
2424 + debian/patches/CVE-2019-10197-05-v4-10.patch:
2425 test_smbclient_s3.sh: add regression test for the no permission
2426 on share root problem
2427 + debian/patches/CVE-2019-10197-06-v4-10.patch: smbd: split
2428 change_to_user_impersonate() out of change_to_user_internal()
2429 + CVE-2019-10197
2430 * Added:
2431 - d/control: drop python3-matplotlib. It's only used in
2432 script/attr_count_read which is not installed with the
2433 samba packages.
2434
2435 -- Andreas Hasenack <andreas@canonical.com> Fri, 29 Nov 2019 18:00:22 -0300
2436
1296samba (2:4.11.1+dfsg-3) unstable; urgency=medium2437samba (2:4.11.1+dfsg-3) unstable; urgency=medium
12972438
1298 * Add some python dependencies:2439 * Add some python dependencies:
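Review bot: the "Dropped" list in 2:4.11.1+dfsg-3ubuntu1 (new lines 2339-2429) is inconsistent about where each change went. Several items have no version tag at all (the build-dependency bumps at 2351-2355, the two symbols updates at 2358-2359, the d/rules example install at 2401), "[Removed in 4.9.5+dfsg-1]" at 2348 lacks the 2: epoch used everywhere else, and "[Refreshed in 2:4.1.17+dfsg-1]" at 2350 names a version far older than its neighbours and is worth double-checking. There are also two typos: "r/README.source" at 2387 should presumably be d/README.source, and "initalization" at 2396. If these lines are carried verbatim from the already published Ubuntu changelog they should stay as they are; otherwise fix them before upload.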
@@ -1501,6 +2642,209 @@ samba (2:4.10.7+dfsg-1) experimental; urgency=medium
15012642
1502 -- Mathieu Parent <sathieu@debian.org> Thu, 29 Aug 2019 14:32:52 +02002643 -- Mathieu Parent <sathieu@debian.org> Thu, 29 Aug 2019 14:32:52 +0200
15032644
2645samba (2:4.10.7+dfsg-0ubuntu3) focal; urgency=medium
2646
2647 * No-change rebuild to build with python3.8.
2648
2649 -- Matthias Klose <doko@ubuntu.com> Fri, 18 Oct 2019 18:53:34 +0000
2650
2651samba (2:4.10.7+dfsg-0ubuntu2) eoan; urgency=medium
2652
2653 * SECURITY UPDATE: restricted share escape by user (LP: #1842533)
2654 - debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
2655 out impersonation debug info into a new function.
2656 - debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
2657 change_to_user_internal() always resets current_user.done_chdir
2658 - debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
2659 reset current_user.{need,done}_chdir in become_root()
2660 - debian/patches/CVE-2019-10197-04-v4-10.patch: selftest: make
2661 fsrvp_share its own independent subdirectory
2662 - debian/patches/CVE-2019-10197-05-v4-10.patch:
2663 test_smbclient_s3.sh: add regression test for the no permission
2664 on share root problem
2665 - debian/patches/CVE-2019-10197-06-v4-10.patch: smbd: split
2666 change_to_user_impersonate() out of change_to_user_internal()
2667 - CVE-2019-10197
2668
2669 -- Steve Beattie <sbeattie@ubuntu.com> Fri, 30 Aug 2019 11:07:19 -0700
2670
2671samba (2:4.10.7+dfsg-0ubuntu1) eoan; urgency=medium
2672
2673 * New upstream version: 4.10.7
2674 - d/p/ctdb-config-depend-on-etc-default-nodes-file.patch: dropped,
2675 included upstream in 4.10.7
2676
2677 -- Andreas Hasenack <andreas@canonical.com> Thu, 22 Aug 2019 15:03:23 -0300
2678
2679samba (2:4.10.6+dfsg-0ubuntu1) eoan; urgency=medium
2680
2681 * New upstream version: 4.10.6
2682 - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: changed to update
2683 the Debian config and use it.
2684 - d/control: update ldb build-deps to 1.5.5
2685 * Dropped:
2686 - d/p/CVE-2019-12436.patch: fixed upstream in 4.10.5
2687 - d/p/CVE-2019-12435-*.patch: fixed upstream in 4.10.5
2688 - d/p/CVE-2018-16860-*.patch: fixed upstream in 4.10.3
2689 - d/p/CVE-2019-3880.patch: fixed upstream in 4.10.2
2690 - d/p/CVE-2019-3870-*.patch: fixed upstream in 4.10.2
2691 - d/p/dlz_bind_zone_update.patch: fixed upstream in 4.10.1
2692 - d/p/ctdb-scripts-fix-tcp_tw_recycle-existence-check.patch: fixed
2693 upstream in 4.10.5
2694
2695 -- Andreas Hasenack <andreas@canonical.com> Wed, 07 Aug 2019 17:20:48 -0300
2696
2697samba (2:4.10.0+dfsg-0ubuntu6) eoan; urgency=medium
2698
2699 * d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
2700 change service name from nfs to nfs-kernel-server in
2701 legacy script 06.nfs.script also (LP: #722201)
2702
2703 -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Thu, 11 Jul 2019 21:44:49 +0000
2704
2705samba (2:4.10.0+dfsg-0ubuntu5) eoan; urgency=medium
2706
2707 * debian/rules: Make DEB_HOST_ARCH_CPU initialized through
2708 dpkg-architecture (Closes: #931138)
2709 * d/p/ctdb-scripts-fix-tcp_tw_recycle-existence-check.patch:
2710 fix tcp_tw_recycle existence check. (LP: #722201)
2711 * d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
2712 change nfs service name from nfs to nfs-kernel-server
2713 (LP: #722201)
2714 * d/ctdb.install, d/rules: create ctdb run directory into tmpfiles.d
2715 to allow pid file to exist (LP: #1821775)
2716 * Allow proper ctdb initialization (LP: #1828799):
2717 - d/ctdb.dirs: added /var/lib/ctdb/* directories
2718 - d/ctdb.postrm: remove leftovers from:
2719 /var/lib/ctdb/{state,persistent,volatile,scripts}
2720 * d/rules: installing provided config examples and helper scripts
2721 * Examples of NFS HA CTDB config files + helper script:
2722 - d/ctdb.example.enable.nfs.sh
2723 - d/ctdb.example.nfs-common
2724 - d/ctdb.example.nfs-kernel-server
2725 - d/ctdb.example.services
2726 - d/ctdb.example.sysctl-nfs-static-ports.conf
2727 * d/p/ctdb-config-depend-on-etc-default-nodes-file.patch:
2728 do not try to start daemon if /etc/ctdb/nodes does not exist
2729 * d/p/ctdb-config-enable-syslog-by-default.patch:
2730 enable syslog and systemd journal by default
2731
2732 -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Fri, 28 Jun 2019 00:14:27 +0000
2733
2734samba (2:4.10.0+dfsg-0ubuntu4) eoan; urgency=medium
2735
2736 * SECURITY UPDATE: zone operations can crash rpc server
2737 - debian/patches/CVE-2019-12435-1.patch: avoid NULL deference if zone
2738 not found in DnssrvOperation in
2739 python/samba/tests/dcerpc/dnsserver.py,
2740 source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
2741 - debian/patches/CVE-2019-12435-2.patch: avoid NULL deference if zone
2742 not found in DnssrvOperation2 in
2743 python/samba/tests/dcerpc/dnsserver.py,
2744 source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
2745 - CVE-2019-12435
2746 * SECURITY UPDATE: paged_searches crash on LDAP and homes access
2747 - debian/patches/CVE-2019-12436.patch: ignore successful results
2748 without messages in source4/dsdb/samdb/ldb_modules/paged_results.c,
2749 source4/dsdb/tests/python/vlv.py.
2750 - CVE-2019-12436
2751
2752 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 12 Jun 2019 10:08:44 -0400
2753
2754samba (2:4.10.0+dfsg-0ubuntu3) eoan; urgency=medium
2755
2756 * SECURITY UPDATE: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
2757 - debian/patches/CVE-2018-16860-1.patch: add test for S4U2Self with
2758 unkeyed checksum in selftest/knownfail.d/mitm-s4u2self,
2759 source4/torture/krb5/kdc-canon-heimdal.c.
2760 - debian/patches/CVE-2018-16860-2.patch: reject PA-S4U2Self with
2761 unkeyed checksum in selftest/knownfail.d/mitm-s4u2self,
2762 source4/heimdal/kdc/krb5tgs.c.
2763 - CVE-2018-16860
2764
2765 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 14 May 2019 09:10:24 -0400
2766
2767samba (2:4.10.0+dfsg-0ubuntu2) disco; urgency=medium
2768
2769 * SECURITY UPDATE: world writable files in Samba AD DC private/ dir
2770 - debian/patches/CVE-2019-3870-1.patch: extend smbd tests to check for
2771 umask being overwritten in python/samba/tests/ntacls_backup.py,
2772 python/samba/tests/posixacl.py, python/samba/tests/smbd_base.py,
2773 selftest/knownfail.d/umask-leak.
2774 - debian/patches/CVE-2019-3870-2.patch: add test to check
2775 file-permissions are correct after provision in
2776 selftest/knownfail.d/provision_fileperms, source4/selftest/tests.py,
2777 source4/setup/tests/provision_fileperms.sh.
2778 - debian/patches/CVE-2019-3870-3.patch: include tests to show the
2779 outside umask has no impact in python/samba/tests/ntacls_backup.py,
2780 python/samba/tests/smbd_base.py, selftest/knownfail.d/pymkdir-umask.
2781 - debian/patches/CVE-2019-3870-4.patch: move umask manipuations as
2782 close as possible to users in source3/smbd/pysmbd.c,
2783 selftest/knownfail.d/provision_fileperms,
2784 selftest/knownfail.d/umask-leak.
2785 - debian/patches/CVE-2019-3870-5.patch: ensure a zero umask is set for
2786 smbd.mkdir() in selftest/knownfail.d/pymkdir-umask,
2787 source3/smbd/pysmbd.c.
2788 - CVE-2019-3870
2789 * SECURITY UPDATE: save registry file outside share as unprivileged user
2790 - debian/patches/CVE-2019-3880.patch: remove implementations of
2791 SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
2792 - CVE-2019-3880
2793
2794 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Apr 2019 10:32:30 -0400
2795
2796samba (2:4.10.0+dfsg-0ubuntu1) disco; urgency=medium
2797
2798 * New upstream version: 4.10.0
2799 - d/gbp.conf, d/watch, r/README.source: updated for 4.10
2800 - d/control: update cmocka build-depends to >= 1.1.3
2801 - d/samba-libs.install: bump passdb minor to 0.27.2
2802 * d/p/dlz_bind_zone_update.patch: make b9_has_soa check dc=@ node. Thanks to
2803 Michael Saxl <mike@mwsys.mine.bz>. (LP: #1820846)
2804
2805 -- Andreas Hasenack <andreas@canonical.com> Thu, 21 Mar 2019 14:40:32 -0300
2806
2807samba (2:4.10.0~rc4+dfsg-0ubuntu1) disco; urgency=medium
2808
2809 * New upstream version 4.10.0rc4 (LP: #1818518):
2810 - Removed patches already applied upstream:
2811 + d/p/nsswitch-Add-try_authtok-option-to-pam_winbind.patch
2812 + d/p/s3-auth-ignore-create_builtin_guests-failing-without.patch
2813 - d/p/add-so-version-to-private-libraries: refreshed to remove fuzz
2814 - d/control: Updated build dependencies:
2815 + tdb >= 1.3.17
2816 + talloc >= 2.1.15
2817 + tevent >= 0.9.38
2818 + ldb >= 1.5.3
2819 - d/samba-common.docs: README is now README.md
2820 - d/libsmbclient.symbols: update symbols for this version
2821 - d/libwbclient0.symbols: update symbols for this version
2822 - d/ctdb.install: new binary ctdb_local_daemons
2823 - d/samba-dev.install: use globbing for the header files with
2824 exceptions for wbclient.h and libsmbclient.h, which belong in
2825 other packages.
2826 - d/rules: fix globbing used to move the dckeytab python module to the
2827 samba package, and add a comment explaining why this is being done.
2828 * Switch to python3:
2829 - d/rules: calculate the ldb version using python3, and drop the
2830 "really" bit since the real 1.5.x series is being used now.
2831 - d/rules: make sure python3 is used for the build
2832 - d/rules: adjust globbing to remove the python3 version of tevent.so
2833 - d/rules: drop PYVERS, unused
2834 - d/control: adjust dependencies (build and runtime) for python3
2835 - d/python3-samba.install, d/control: new python3-samba package
2836 (LP: #1440381)
2837 - d/control, d/python-samba.install: get rid of python-samba, which is py2
2838 - d/python3-samba.lintian-overrides: use the same overrides we had for
2839 python-samba, now deleted.
2840 - d/samba-dev.install, d/samba-libs.install: update file list
2841 - d/t/control, d/t/python-smoke: use python3
2842 - d/control: use ${python3:Depends} now instead of the python 2
2843 counterpart for samba and samba-common-bin.
2844 * d/control: drop suggests for python-gpgme, it's no longer available.
2845
2846 -- Andreas Hasenack <andreas@canonical.com> Sat, 09 Mar 2019 12:45:25 +0000
2847
1504samba (2:4.9.5+dfsg-1) experimental; urgency=medium2848samba (2:4.9.5+dfsg-1) experimental; urgency=medium
15052849
1506 * New upstream release2850 * New upstream release
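Review bot: Three spelling slips come in with the re-added Ubuntu entries in this hunk: "avoid NULL deference" at new lines 2737 and 2741 (should read "dereference"), "umask manipuations" at 2781, and "r/README.source" at 2799, where the neighbouring items all use the d/ prefix. If the history has to stay identical to what was uploaded, leave them as they are; otherwise fix them in one pass so that a search for "dereference" or d/README.source finds these entries.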
@@ -1545,6 +2889,31 @@ samba (2:4.9.4+dfsg-2) unstable; urgency=medium
15452889
1546 -- Mathieu Parent <sathieu@debian.org> Wed, 23 Jan 2019 20:59:08 +01002890 -- Mathieu Parent <sathieu@debian.org> Wed, 23 Jan 2019 20:59:08 +0100
15472891
2892samba (2:4.9.4+dfsg-1ubuntu1) disco; urgency=medium
2893
2894 * Merge with Debian unstable. Remaining changes:
2895 - debian/VERSION.patch: Update vendor string to "Ubuntu".
2896 - debian/smb.conf;
2897 + Add "(Samba, Ubuntu)" to server string.
2898 + Comment out the default [homes] share, and add a comment about
2899 "valid users = %s" to show users how to restrict access to
2900 \\server\username to only username.
2901 - debian/samba-common.config:
2902 + Do not change priority to high if dhclient3 is installed.
2903 - Add apport hook:
2904 + Created debian/source_samba.py.
2905 + debian/rules, debian/samba-common-bin.install: install hook.
2906 - d/control, d/rules: Disable glusterfs support because it's not in main.
2907 MIR bug is https://launchpad.net/bugs/1274247
2908 * Dropped:
2909 - d/p/smbd-startup-with-winbind.patch: ignore create_builtin_guests()
2910 failing without a valid idmap configuration. This fixes the smbd startup
2911 on a standalone server where winbind is available and running. Thanks to
2912 Stefan Metzmacher <metze@samba.org>. (LP #1806035)
2913 [Fixed in 2:4.9.4+dfsg-1]
2914
2915 -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:23:52 -0200
2916
1548samba (2:4.9.4+dfsg-1) unstable; urgency=medium2917samba (2:4.9.4+dfsg-1) unstable; urgency=medium
15492918
1550 * New upstream release2919 * New upstream release
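Review bot: "debian/smb.conf;" at new line 2896 ends in a semicolon, while its sibling items in the same list ("debian/samba-common.config:", "Add apport hook:") introduce their sub-items with a colon. The same semicolon recurs in the other merge entries of this diff, so it is carried history; switching to a colon when the remaining-changes list is next regenerated would make the list read consistently.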
@@ -1555,6 +2924,44 @@ samba (2:4.9.4+dfsg-1) unstable; urgency=medium
15552924
1556 -- Mathieu Parent <sathieu@debian.org> Sat, 22 Dec 2018 18:32:00 +01002925 -- Mathieu Parent <sathieu@debian.org> Sat, 22 Dec 2018 18:32:00 +0100
15572926
2927samba (2:4.9.2+dfsg-2ubuntu3) disco; urgency=medium
2928
2929 * No-change rebuild for readline soname change.
2930
2931 -- Matthias Klose <doko@ubuntu.com> Mon, 14 Jan 2019 20:03:58 +0000
2932
2933samba (2:4.9.2+dfsg-2ubuntu2) disco; urgency=medium
2934
2935 * d/p/smbd-startup-with-winbind.patch: ignore create_builtin_guests()
2936 failing without a valid idmap configuration. This fixes the smbd startup
2937 on a standalone server where winbind is available and running. Thanks to
2938 Stefan Metzmacher <metze@samba.org>. (LP: #1806035)
2939
2940 -- Andreas Hasenack <andreas@canonical.com> Fri, 21 Dec 2018 10:39:23 -0200
2941
2942samba (2:4.9.2+dfsg-2ubuntu1) disco; urgency=medium
2943
2944 * Merge with Debian unstable. Remaining changes:
2945 - debian/VERSION.patch: Update vendor string to "Ubuntu".
2946 - debian/smb.conf;
2947 + Add "(Samba, Ubuntu)" to server string.
2948 + Comment out the default [homes] share, and add a comment about
2949 "valid users = %s" to show users how to restrict access to
2950 \\server\username to only username.
2951 - debian/samba-common.config:
2952 + Do not change priority to high if dhclient3 is installed.
2953 - Add apport hook:
2954 + Created debian/source_samba.py.
2955 + debian/rules, debian/samba-common-bin.install: install hook.
2956 - d/control, d/rules: Disable glusterfs support because it's not in main.
2957 MIR bug is https://launchpad.net/bugs/1274247
2958 * Dropped:
2959 - d/p/fix-rmdir.patch: Fix to make smbclient report directory-not-empty
2960 errors (LP: 1795772)
2961 [Fixed upstream]
2962
2963 -- Andreas Hasenack <andreas@canonical.com> Wed, 28 Nov 2018 20:06:47 -0200
2964
1558samba (2:4.9.2+dfsg-2) unstable; urgency=high2965samba (2:4.9.2+dfsg-2) unstable; urgency=high
15592966
1560 * New upstream security release2967 * New upstream security release
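Review bot: The bug reference "(LP: 1795772)" at new line 2960 has no "#", so it matches neither form used elsewhere in this diff. The other dropped items write "LP #NNNNNN" without the colon (for example "(LP #1806035)" in the 2:4.9.4+dfsg-1ubuntu1 entry), which keeps the reference readable without matching the bug-closing "LP: #NNNNNN" pattern. "LP #1795772" would be the consistent spelling for a Dropped item.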
@@ -1664,6 +3071,58 @@ samba (2:4.8.5+dfsg-1) unstable; urgency=medium
16643071
1665 -- Mathieu Parent <sathieu@debian.org> Thu, 30 Aug 2018 19:32:24 +02003072 -- Mathieu Parent <sathieu@debian.org> Thu, 30 Aug 2018 19:32:24 +0200
16663073
3074samba (2:4.8.4+dfsg-2ubuntu3) disco; urgency=medium
3075
3076 * No-change rebuild against libldb1 1.4.2
3077
3078 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 14 Nov 2018 22:46:24 +0000
3079
3080samba (2:4.8.4+dfsg-2ubuntu2) cosmic; urgency=high
3081
3082 [ Karl Stenerud ]
3083 * d/p/fix-rmdir.patch: Fix to make the samba client library report
3084 directory-not-empty errors (LP: #1795772)
3085
3086 -- Andreas Hasenack <andreas@canonical.com> Tue, 09 Oct 2018 14:32:16 -0300
3087
3088samba (2:4.8.4+dfsg-2ubuntu1) cosmic; urgency=medium
3089
3090 * Merge with Debian unstable (LP: #1778125). Remaining changes:
3091 - debian/VERSION.patch: Update vendor string to "Ubuntu".
3092 - debian/smb.conf;
3093 + Add "(Samba, Ubuntu)" to server string.
3094 + Comment out the default [homes] share, and add a comment about
3095 "valid users = %s" to show users how to restrict access to
3096 \\server\username to only username.
3097 - debian/samba-common.config:
3098 + Do not change priority to high if dhclient3 is installed.
3099 - Add apport hook:
3100 + Created debian/source_samba.py.
3101 + debian/rules, debian/samba-common-bin.install: install hook.
3102 - d/control, d/rules: Disable glusterfs support because it's not in main.
3103 MIR bug is https://launchpad.net/bugs/1274247
3104 * Drop:
3105 - Add extra DEP8 tests to samba (LP #1696823):
3106 + d/t/control, d/t/cifs-share-access: access a file in a share using cifs
3107 + d/t/control, d/t/smbclient-anonymous-share-list: list available shares
3108 anonymously
3109 + d/t/control, d/t/smbclient-authenticated-share-list: list available
3110 shares using an authenticated connection
3111 + d/t/control, d/t/smbclient-share-access: create a share and download a
3112 file from it
3113 [Accepted by Debian in 2:4.7.4+dfsg-2]
3114 - d/samba-common.dhcp: If systemctl is available, use it to query the
3115 status of the smbd service before trying to reload it. Otherwise,
3116 keep the same check as before and reload the service based on the
3117 existence of the initscript. (LP #1579597)
3118 [In Debian since 2:4.7.4+dfsg-2]
3119 - debian/patches/passdb_dont_return_ok_if_pinfo_not_filled.patch:
3120 [PATCH] s3:passdb: Do not return OK if we don't have pinfo filled.
3121 Thanks to Andreas Schneider <asn@samba.org>. (LP #1761737)
3122 [Fixed upstream]
3123
3124 -- Andreas Hasenack <andreas@canonical.com> Tue, 21 Aug 2018 09:57:57 -0300
3125
1667samba (2:4.8.4+dfsg-2) unstable; urgency=high3126samba (2:4.8.4+dfsg-2) unstable; urgency=high
16683127
1669 * Fix typo in previous release: s/usefull/useful/3128 * Fix typo in previous release: s/usefull/useful/
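Review bot: The dropped passdb_dont_return_ok_if_pinfo_not_filled.patch at new lines 3119-3122 is closed out with "[Fixed upstream]" and no version, whereas the two items above it name the exact release ("[Accepted by Debian in 2:4.7.4+dfsg-2]", "[In Debian since 2:4.7.4+dfsg-2]"). Naming the upstream release that carries the fix would let someone auditing LP #1761737 confirm that the package version contains it. The list heading here is also "Drop:" where the other merge entries use "Dropped:".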
@@ -1821,6 +3280,55 @@ samba (2:4.8.0+dfsg-1) experimental; urgency=medium
18213280
1822 -- Mathieu Parent <sathieu@debian.org> Mon, 19 Mar 2018 13:02:51 +01003281 -- Mathieu Parent <sathieu@debian.org> Mon, 19 Mar 2018 13:02:51 +0100
18233282
3283samba (2:4.7.6+dfsg~ubuntu-0ubuntu3) cosmic; urgency=medium
3284
3285 * No change rebuild to link with new ldb 1.3.3
3286
3287 -- Andreas Hasenack <andreas@canonical.com> Tue, 03 Jul 2018 09:57:24 -0300
3288
3289samba (2:4.7.6+dfsg~ubuntu-0ubuntu2) bionic; urgency=medium
3290
3291 * debian/patches/passdb_dont_return_ok_if_pinfo_not_filled.patch:
3292 [PATCH] s3:passdb: Do not return OK if we don't have pinfo filled.
3293 Thanks to Andreas Schneider <asn@samba.org>. (LP: #1761737)
3294
3295 -- Andreas Hasenack <andreas@canonical.com> Wed, 18 Apr 2018 11:49:55 -0300
3296
3297samba (2:4.7.6+dfsg~ubuntu-0ubuntu1) bionic; urgency=medium
3298
3299 * New upstream version:
3300 - Fix database corruption bug when upgrading from samba 4.6 or lower
3301 AD controllers (LP: #1755057)
3302 - Fix security issues: CVE-2018-1050 and CVE-2018-1057 (LP: #1755059)
3303 * Remaining changes:
3304 - debian/VERSION.patch: Update vendor string to "Ubuntu".
3305 - debian/smb.conf;
3306 + Add "(Samba, Ubuntu)" to server string.
3307 + Comment out the default [homes] share, and add a comment about
3308 "valid users = %s" to show users how to restrict access to
3309 \\server\username to only username.
3310 - debian/samba-common.config:
3311 + Do not change priority to high if dhclient3 is installed.
3312 - Add apport hook:
3313 + Created debian/source_samba.py.
3314 + debian/rules, debian/samba-common-bin.install: install hook.
3315 - Add extra DEP8 tests to samba (LP #1696823):
3316 + d/t/control, d/t/cifs-share-access: access a file in a share using cifs
3317 + d/t/control, d/t/smbclient-anonymous-share-list: list available shares
3318 anonymously
3319 + d/t/control, d/t/smbclient-authenticated-share-list: list available
3320 shares using an authenticated connection
3321 + d/t/control, d/t/smbclient-share-access: create a share and download a
3322 file from it
3323 - d/samba-common.dhcp: If systemctl is available, use it to query the
3324 status of the smbd service before trying to reload it. Otherwise,
3325 keep the same check as before and reload the service based on the
3326 existence of the initscript. (LP #1579597)
3327 - d/control, d/rules: Disable glusterfs support because it's not in main.
3328 MIR bug is https://launchpad.net/bugs/1274247
3329
3330 -- Andreas Hasenack <andreas@canonical.com> Tue, 13 Mar 2018 16:58:49 -0300
3331
1824samba (2:4.7.4+dfsg-2) unstable; urgency=high3332samba (2:4.7.4+dfsg-2) unstable; urgency=high
18253333
1826 [ Mathieu Parent ]3334 [ Mathieu Parent ]
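Review bot: "New upstream version:" at new line 3299 does not say which version, and the security fixes at 3302 are folded into one sub-bullet ("CVE-2018-1050 and CVE-2018-1057") with no description of either issue. The SECURITY UPDATE entries elsewhere in this changelog give one bullet per issue, a one-line summary and the CVE id on its own line. Following that form here, and naming the upstream version in the first bullet, would make this entry as easy to audit as the others.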
@@ -1851,6 +3359,37 @@ samba (2:4.7.4+dfsg-2) unstable; urgency=high
18513359
1852 -- Mathieu Parent <sathieu@debian.org> Fri, 02 Mar 2018 20:55:06 +01003360 -- Mathieu Parent <sathieu@debian.org> Fri, 02 Mar 2018 20:55:06 +0100
18533361
3362samba (2:4.7.4+dfsg-1ubuntu1) bionic; urgency=medium
3363
3364 * Merge with Debian unstable (LP: #1744779). Remaining changes:
3365 - debian/VERSION.patch: Update vendor string to "Ubuntu".
3366 - debian/smb.conf;
3367 + Add "(Samba, Ubuntu)" to server string.
3368 + Comment out the default [homes] share, and add a comment about
3369 "valid users = %s" to show users how to restrict access to
3370 \\server\username to only username.
3371 - debian/samba-common.config:
3372 + Do not change priority to high if dhclient3 is installed.
3373 - Add apport hook:
3374 + Created debian/source_samba.py.
3375 + debian/rules, debian/samba-common-bin.install: install hook.
3376 - Add extra DEP8 tests to samba (LP #1696823):
3377 + d/t/control, d/t/cifs-share-access: access a file in a share using cifs
3378 + d/t/control, d/t/smbclient-anonymous-share-list: list available shares
3379 anonymously
3380 + d/t/control, d/t/smbclient-authenticated-share-list: list available
3381 shares using an authenticated connection
3382 + d/t/control, d/t/smbclient-share-access: create a share and download a
3383 file from it
3384 - d/samba-common.dhcp: If systemctl is available, use it to query the
3385 status of the smbd service before trying to reload it. Otherwise,
3386 keep the same check as before and reload the service based on the
3387 existence of the initscript. (LP #1579597)
3388 - d/control, d/rules: Disable glusterfs support because it's not in main.
3389 MIR bug is https://launchpad.net/bugs/1274247
3390
3391 -- Andreas Hasenack <andreas@canonical.com> Mon, 22 Jan 2018 16:31:41 -0200
3392
1854samba (2:4.7.4+dfsg-1) unstable; urgency=medium3393samba (2:4.7.4+dfsg-1) unstable; urgency=medium
18553394
1856 * New upstream version3395 * New upstream version
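Review bot: The 2:4.7.4+dfsg-1ubuntu1 entry (new lines 3362-3391) has no Dropped section, yet three items listed as remaining changes in 2:4.7.3+dfsg-1ubuntu1 further down are absent from its list: the testparm prompt in the apport hook (LP #1694334), "d/rules: Compile winbindd/winbindd statically", and the findmnt(8) change in d/source_samba.py. The entry gives no way to tell whether they were adopted by Debian, folded into another item or lost in the merge. It is worth confirming against the packaging history and, if they were dropped on purpose, saying so in the merge description.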
@@ -1867,6 +3406,42 @@ samba (2:4.7.4+dfsg-1) unstable; urgency=medium
18673406
1868 -- Mathieu Parent <sathieu@debian.org> Thu, 11 Jan 2018 20:49:28 +01003407 -- Mathieu Parent <sathieu@debian.org> Thu, 11 Jan 2018 20:49:28 +0100
18693408
3409samba (2:4.7.3+dfsg-1ubuntu1) bionic; urgency=medium
3410
3411 * Merge with Debian; remaining changes:
3412 - debian/VERSION.patch: Update vendor string to "Ubuntu".
3413 - debian/smb.conf;
3414 + Add "(Samba, Ubuntu)" to server string.
3415 + Comment out the default [homes] share, and add a comment about
3416 "valid users = %s" to show users how to restrict access to
3417 \\server\username to only username.
3418 - debian/samba-common.config:
3419 + Do not change priority to high if dhclient3 is installed.
3420 - Add apport hook:
3421 + Created debian/source_samba.py.
3422 + debian/rules, debian/samba-common-bin.install: install hook.
3423 - Add extra DEP8 tests to samba (LP #1696823):
3424 + d/t/control: enable the new DEP8 tests
3425 + d/t/smbclient-anonymous-share-list: list available shares anonymously
3426 + d/t/smbclient-authenticated-share-list: list available shares using
3427 an authenticated connection
3428 + d/t/smbclient-share-access: create a share and download a file from it
3429 + d/t/cifs-share-access: access a file in a share using cifs
3430 - Ask the user if we can run testparm against the config file. If yes,
3431 include its stderr and exit status in the bug report. Otherwise, only
3432 include the exit status. (LP #1694334)
3433 - If systemctl is available, use it to query the status of the smbd
3434 service before trying to reload it. Otherwise, keep the same check
3435 as before and reload the service based on the existence of the
3436 initscript. (LP #1579597)
3437 - d/rules: Compile winbindd/winbindd statically.
3438 - Disable glusterfs support because it's not in main.
3439 MIR bug is https://launchpad.net/bugs/1274247
3440 - d/source_samba.py: use the new recommended findmnt(8) tool to list
3441 mountpoints and correctly filter by the cifs filesystem type.
3442
3443 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 05 Dec 2017 12:49:20 -0500
3444
1870samba (2:4.7.3+dfsg-1) unstable; urgency=high3445samba (2:4.7.3+dfsg-1) unstable; urgency=high
18713446
1872 * New upstream version3447 * New upstream version
@@ -1890,6 +3465,42 @@ samba (2:4.7.1+dfsg-2) unstable; urgency=high
18903465
1891 -- Mathieu Parent <sathieu@debian.org> Sun, 12 Nov 2017 10:02:19 +01003466 -- Mathieu Parent <sathieu@debian.org> Sun, 12 Nov 2017 10:02:19 +0100
18923467
3468samba (2:4.7.1+dfsg-1ubuntu1) bionic; urgency=medium
3469
3470 * Merge with Debian; remaining changes:
3471 - debian/VERSION.patch: Update vendor string to "Ubuntu".
3472 - debian/smb.conf;
3473 + Add "(Samba, Ubuntu)" to server string.
3474 + Comment out the default [homes] share, and add a comment about
3475 "valid users = %s" to show users how to restrict access to
3476 \\server\username to only username.
3477 - debian/samba-common.config:
3478 + Do not change priority to high if dhclient3 is installed.
3479 - Add apport hook:
3480 + Created debian/source_samba.py.
3481 + debian/rules, debian/samba-common-bin.install: install hook.
3482 - Add extra DEP8 tests to samba (LP #1696823):
3483 + d/t/control: enable the new DEP8 tests
3484 + d/t/smbclient-anonymous-share-list: list available shares anonymously
3485 + d/t/smbclient-authenticated-share-list: list available shares using
3486 an authenticated connection
3487 + d/t/smbclient-share-access: create a share and download a file from it
3488 + d/t/cifs-share-access: access a file in a share using cifs
3489 - Ask the user if we can run testparm against the config file. If yes,
3490 include its stderr and exit status in the bug report. Otherwise, only
3491 include the exit status. (LP #1694334)
3492 - If systemctl is available, use it to query the status of the smbd
3493 service before trying to reload it. Otherwise, keep the same check
3494 as before and reload the service based on the existence of the
3495 initscript. (LP #1579597)
3496 - d/rules: Compile winbindd/winbindd statically.
3497 - Disable glusterfs support because it's not in main.
3498 MIR bug is https://launchpad.net/bugs/1274247
3499 - d/source_samba.py: use the new recommended findmnt(8) tool to list
3500 mountpoints and correctly filter by the cifs filesystem type.
3501
3502 -- Matthias Klose <doko@ubuntu.com> Fri, 10 Nov 2017 10:03:57 +0100
3503
1893samba (2:4.7.1+dfsg-1) unstable; urgency=medium3504samba (2:4.7.1+dfsg-1) unstable; urgency=medium
18943505
1895 * New upstream version3506 * New upstream version
@@ -1938,6 +3549,87 @@ samba (2:4.6.7+dfsg-2) unstable; urgency=high
19383549
1939 -- Mathieu Parent <sathieu@debian.org> Tue, 19 Sep 2017 22:00:13 +02003550 -- Mathieu Parent <sathieu@debian.org> Tue, 19 Sep 2017 22:00:13 +0200
19403551
3552samba (2:4.6.7+dfsg-1ubuntu3) artful; urgency=medium
3553
3554 * SECURITY UPDATE: SMB1/2/3 connections may not require signing where
3555 they should
3556 - debian/patches/CVE-2017-12150-1.patch: don't turn a guessed username
3557 into a specified one in source3/include/auth_info.h,
3558 source3/lib/popt_common.c, source3/lib/util_cmdline.c.
3559 - debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
3560 source3/lib/util_cmdline.c.
3561 - debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
3562 source3/libsmb/pylibsmb.c.
3563 - debian/patches/CVE-2017-12150-4.patch: add SMB_SIGNING_REQUIRED to
3564 libgpo/gpo_fetch.c.
3565 - debian/patches/CVE-2017-12150-5.patch: add check for
3566 NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
3567 - debian/patches/CVE-2017-12150-6.patch: add
3568 smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
3569 - debian/patches/CVE-2017-12150-7.patch: only fallback to anonymous if
3570 authentication was not requested in source3/libsmb/clidfs.c.
3571 - CVE-2017-12150
3572 * SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
3573 redirects
3574 - debian/patches/CVE-2017-12151-1.patch: add
3575 cli_state_is_encryption_on() helper function to
3576 source3/libsmb/clientgen.c, source3/libsmb/proto.h.
3577 - debian/patches/CVE-2017-12151-2.patch: make use of
3578 cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
3579 source3/libsmb/libsmb_context.c.
3580 - CVE-2017-12151
3581 * SECURITY UPDATE: Server memory information leak over SMB1
3582 - debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
3583 from writing server memory to file in source3/smbd/reply.c.
3584 - CVE-2017-12163
3585
3586 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 21 Sep 2017 08:10:03 -0400
3587
3588samba (2:4.6.7+dfsg-1ubuntu2) artful; urgency=medium
3589
3590 * d/source_samba.py: use the new recommended findmnt(8) tool to list
3591 mountpoints and correctly filter by the cifs filesystem type.
3592 (LP: #1703604)
3593
3594 -- Andreas Hasenack <andreas@canonical.com> Fri, 01 Sep 2017 09:47:58 -0300
3595
3596samba (2:4.6.7+dfsg-1ubuntu1) artful; urgency=medium
3597
3598 * Merge with Debian unstable (LP: #1710281).
3599 - Upstream version 4.6.7 fixes the CVE-2017-2619 regression with non-wide
3600 symlinks to directories (LP: #1701073)
3601 * Remaining changes:
3602 - debian/VERSION.patch: Update vendor string to "Ubuntu".
3603 - debian/smb.conf;
3604 + Add "(Samba, Ubuntu)" to server string.
3605 + Comment out the default [homes] share, and add a comment about
3606 "valid users = %s" to show users how to restrict access to
3607 \\server\username to only username.
3608 - debian/samba-common.config:
3609 + Do not change priority to high if dhclient3 is installed.
3610 - Add apport hook:
3611 + Created debian/source_samba.py.
3612 + debian/rules, debian/samba-common-bin.install: install hook.
3613 - Add extra DEP8 tests to samba (LP #1696823):
3614 + d/t/control: enable the new DEP8 tests
3615 + d/t/smbclient-anonymous-share-list: list available shares anonymously
3616 + d/t/smbclient-authenticated-share-list: list available shares using
3617 an authenticated connection
3618 + d/t/smbclient-share-access: create a share and download a file from it
3619 + d/t/cifs-share-access: access a file in a share using cifs
3620 - Ask the user if we can run testparm against the config file. If yes,
3621 include its stderr and exit status in the bug report. Otherwise, only
3622 include the exit status. (LP #1694334)
3623 - If systemctl is available, use it to query the status of the smbd
3624 service before trying to reload it. Otherwise, keep the same check
3625 as before and reload the service based on the existence of the
3626 initscript. (LP #1579597)
3627 - d/rules: Compile winbindd/winbindd statically.
3628 - Disable glusterfs support because it's not in main.
3629 MIR bug is https://launchpad.net/bugs/1274247
3630
3631 -- Andreas Hasenack <andreas@canonical.com> Mon, 21 Aug 2017 17:27:08 -0300
3632
1941samba (2:4.6.7+dfsg-1) unstable; urgency=medium3633samba (2:4.6.7+dfsg-1) unstable; urgency=medium
19423634
1943 * New upstream version3635 * New upstream version
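Review bot: "d/rules: Compile winbindd/winbindd statically." is listed under Remaining changes at new line 3627, but the previous Ubuntu merge, 2:4.6.5+dfsg-8ubuntu1 further down, records that same item under "Drop:" with LP: #1700527 and a note that the hunk had been missed earlier. Either the static build was reintroduced in 4.6.7+dfsg-1ubuntu1 without a line saying why, or the remaining-changes list was copied from an older entry and no longer reflects debian/rules. The same line is repeated in the 4.7.1 and 4.7.3 merge entries, so it is worth checking d/rules at those revisions before relying on these lists as a record of the delta.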
@@ -1949,6 +3641,60 @@ samba (2:4.6.7+dfsg-1) unstable; urgency=medium
19493641
1950 -- Mathieu Parent <sathieu@debian.org> Tue, 15 Aug 2017 23:06:36 +02003642 -- Mathieu Parent <sathieu@debian.org> Tue, 15 Aug 2017 23:06:36 +0200
19513643
3644samba (2:4.6.5+dfsg-8ubuntu1) artful; urgency=medium
3645
3646 * Merge with Debian unstable (LP: #1700644). Remaining changes:
3647 - debian/VERSION.patch: Update vendor string to "Ubuntu".
3648 - debian/smb.conf;
3649 + Add "(Samba, Ubuntu)" to server string.
3650 + Comment out the default [homes] share, and add a comment about
3651 "valid users = %s" to show users how to restrict access to
3652 \\server\username to only username.
3653 - debian/samba-common.config:
3654 + Do not change priority to high if dhclient3 is installed.
3655 - Add apport hook:
3656 + Created debian/source_samba.py.
3657 + debian/rules, debian/samba-common-bin.install: install hook.
3658 - Add extra DEP8 tests to samba (LP #1696823):
3659 + d/t/control: enable the new DEP8 tests
3660 + d/t/smbclient-anonymous-share-list: list available shares anonymously
3661 + d/t/smbclient-authenticated-share-list: list available shares using
3662 an authenticated connection
3663 + d/t/smbclient-share-access: create a share and download a file from it
3664 + d/t/cifs-share-access: access a file in a share using cifs
3665 - Ask the user if we can run testparm against the config file. If yes,
3666 include its stderr and exit status in the bug report. Otherwise, only
3667 include the exit status. (LP #1694334)
3668 - If systemctl is available, use it to query the status of the smbd
3669 service before trying to reload it. Otherwise, keep the same check
3670 as before and reload the service based on the existence of the
3671 initscript. (LP #1579597)
3672 * Drop:
3673 - d/rules: Compile winbindd/winbindd statically. (LP: #1700527)
3674 [This hunk was missed in 2:4.5.8+dfsg-2ubuntu2 when patch
3675 fix-1584485.patch was dropped there.]
3676 - d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
3677 pam_winbind krb5_ccache_type=FILE failure
3678 [Replaced by d/p/s3-gse_krb5-fix-a-possible-crash-in-fill_mem_keytab.patch
3679 in 2:4.6.5+dfsg-3 that closed Debian's bug #739768]
3680 - debian/patches/winbind_trusted_domains.patch: make sure domain
3681 members can talk to trusted domains DCs.
3682 [Upstream committed a different fix, see updated patch attached to
3683 https://bugzilla.samba.org/show_bug.cgi?id=11830]
3684 - d/control: add libcephfs-dev as b-d to build vfs_ceph
3685 [Adopted by Debian in 2:4.6.5+dfsg-1]
3686 - debian/patches/CVE-2017-11103.patch: use encrypted service
3687 name rather than unencrypted (and therefore spoofable) version
3688 in heimdal
3689 [Adopted by Debian as
3690 d/p/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch]
3691 - Cherrypick upstream patch to fix FTBFS with new ceph lib.
3692 [Merged upstream in 4.6.0rc1]
3693 * Disable glusterfs support because it's not in main.
3694 MIR bug is https://launchpad.net/bugs/1274247
3695
3696 -- Andreas Hasenack <andreas@canonical.com> Thu, 10 Aug 2017 22:20:22 -0300
3697
1952samba (2:4.6.5+dfsg-8) unstable; urgency=medium3698samba (2:4.6.5+dfsg-8) unstable; urgency=medium
19533699
1954 * Remove dependency on update-inetd, not used anymore3700 * Remove dependency on update-inetd, not used anymore
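Review bot: "Disable glusterfs support because it's not in main." at new line 3693 is a top-level bullet placed after the "Drop:" list, so it reads as a change made in this upload rather than as carried delta. In the later merge entries the same item sits inside the remaining-changes list and names the files touched ("d/control, d/rules: Disable glusterfs support ..."). Moving it under "Remaining changes" with the file prefixes would match them and keep the Drop list as the last section of the entry.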
@@ -2068,6 +3814,77 @@ samba (2:4.6.5+dfsg-1) experimental; urgency=medium
20683814
2069 -- Mathieu Parent <sathieu@debian.org> Mon, 12 Jun 2017 08:09:43 +02003815 -- Mathieu Parent <sathieu@debian.org> Mon, 12 Jun 2017 08:09:43 +0200
20703816
3817samba (2:4.5.8+dfsg-2ubuntu5) artful; urgency=medium
3818
3819 * Cherrypick upstream patch to fix FTBFS with new ceph lib.
3820
3821 -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 26 Jul 2017 08:34:24 +0100
3822
3823samba (2:4.5.8+dfsg-2ubuntu4) artful; urgency=medium
3824
3825 * SECURITY UPDATE: KDC-REP service name impersonation
3826 - debian/patches/CVE-2017-11103.patch: use encrypted service
3827 name rather than unencrypted (and therefore spoofable) version
3828 in heimdal
3829 - CVE-2017-11103
3830
3831 -- Steve Beattie <sbeattie@ubuntu.com> Mon, 17 Jul 2017 16:22:28 -0700
3832
3833samba (2:4.5.8+dfsg-2ubuntu3) artful; urgency=medium
3834
3835 * No-change rebuild against libldb 1.1.29
3836
3837 -- Steve Langasek <steve.langasek@ubuntu.com> Sun, 25 Jun 2017 16:09:33 -0700
3838
3839samba (2:4.5.8+dfsg-2ubuntu2) artful; urgency=medium
3840
3841 * Add extra DEP8 tests to samba (LP: #1696823):
3842 - d/t/control: enable the new DEP8 tests
3843 - d/t/smbclient-anonymous-share-list: list available shares anonymously
3844 - d/t/smbclient-authenticated-share-list: list available shares using
3845 an authenticated connection
3846 - d/t/smbclient-share-access: create a share and download a file from it
3847 - d/t/cifs-share-access: access a file in a share using cifs
3848 * Ask the user if we can run testparm against the config file. If yes,
3849 include its stderr and exit status in the bug report. Otherwise, only
3850 include the exit status. (LP: #1694334)
3851 * If systemctl is available, use it to query the status of the smbd
3852 service before trying to reload it. Otherwise, keep the same check
3853 as before and reload the service based on the existence of the
3854 initscript. (LP: #1579597)
3855 * Remove d/p/fix-1584485.patch as it builds a broken pam_winbind
3856 module. There is a fixed version of that patch attached to
3857 #1677329 but it has not been vetted yet, so for now it's best
3858 to revert (again) so that pam_winbind can be used.
3859 (LP: #1677329, LP: #1644428)
3860
3861 -- Andreas Hasenack <andreas@canonical.com> Mon, 19 Jun 2017 10:49:29 -0700
3862
3863samba (2:4.5.8+dfsg-2ubuntu1) artful; urgency=medium
3864
3865 * Merge from Debian unstable. Remaining changes:
3866 - debian/VERSION.patch: Update vendor string to "Ubuntu".
3867 - debian/smb.conf;
3868 + Add "(Samba, Ubuntu)" to server string.
3869 + Comment out the default [homes] share, and add a comment about
3870 "valid users = %s" to show users how to restrict access to
3871 \\server\username to only username.
3872 - debian/samba-common.config:
3873 + Do not change priority to high if dhclient3 is installed.
3874 - Add apport hook:
3875 + Created debian/source_samba.py.
3876 + debian/rules, debian/samba-common-bin.install: install hook.
3877 - d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
3878 pam_winbind krb5_ccache_type=FILE failure
3879 - debian/patches/winbind_trusted_domains.patch: make sure domain
3880 members can talk to trusted domains DCs.
3881 - d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
3882 to be statically linked
3883 - d/rules: Compile winbindd/winbindd statically.
3884 - d/control: add libcephfs-dev as b-d to build vfs_ceph
3885
3886 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 15 Jun 2017 14:17:43 -0400
3887
2071samba (2:4.5.8+dfsg-2) unstable; urgency=high3888samba (2:4.5.8+dfsg-2) unstable; urgency=high
20723889
2073 * CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside3890 * CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside
@@ -2082,6 +3899,23 @@ samba (2:4.5.8+dfsg-1) unstable; urgency=high
20823899
2083 -- Mathieu Parent <sathieu@debian.org> Sat, 01 Apr 2017 20:39:17 +02003900 -- Mathieu Parent <sathieu@debian.org> Sat, 01 Apr 2017 20:39:17 +0200
20843901
3902samba (2:4.5.8+dfsg-0ubuntu1) artful; urgency=medium
3903
3904 * SECURITY UPDATE: remote code execution from a writable share
3905 - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
3906 slash inside in source3/rpc_server/srv_pipe.c.
3907 - CVE-2017-7494
3908
3909 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 May 2017 07:39:13 -0400
3910
3911samba (2:4.5.8+dfsg-0ubuntu0.17.04.1) zesty-security; urgency=medium
3912
3913 * SECURITY UPDATE: Symlink race allows access outside share definition
3914 - Updated to new upstream release 4.5.8.
3915 - CVE-2017-2619
3916
3917 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 21 Apr 2017 07:33:25 -0400
3918
2085samba (2:4.5.6+dfsg-2) unstable; urgency=high3919samba (2:4.5.6+dfsg-2) unstable; urgency=high
20863920
2087 * This is a security release in order to address the following defects:3921 * This is a security release in order to address the following defects:
@@ -2111,6 +3945,61 @@ samba (2:4.5.5+dfsg-1) unstable; urgency=medium
21113945
2112 -- Mathieu Parent <sathieu@debian.org> Sun, 05 Mar 2017 23:21:09 +01003946 -- Mathieu Parent <sathieu@debian.org> Sun, 05 Mar 2017 23:21:09 +0100
21133947
3948samba (2:4.5.4+dfsg-1ubuntu2) zesty; urgency=medium
3949
3950 * d/control: add libcephfs-dev as b-d to build vfs_ceph
3951 (LP: #1668940).
3952
3953 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Mon, 06 Mar 2017 11:13:41 -0800
3954
3955samba (2:4.5.4+dfsg-1ubuntu1) zesty; urgency=medium
3956
3957 * Merge from Debian unstable (LP: #1659707, LP: #1639962). Remaining
3958 changes:
3959 + debian/VERSION.patch: Update vendor string to "Ubuntu".
3960 + debian/smb.conf;
3961 - Add "(Samba, Ubuntu)" to server string.
3962 - Comment out the default [homes] share, and add a comment about "valid users = %s"
3963 to show users how to restrict access to \\server\username to only username.
3964 + debian/samba-common.config:
3965 - Do not change prioritiy to high if dhclient3 is installed.
3966 + Add apport hook:
3967 - Created debian/source_samba.py.
3968 - debian/rules, debia/samb-common-bin.install: install hook.
3969 + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
3970 pam_winbind krb5_ccache_type=FILE failure (LP #1310919)
3971 + debian/patches/winbind_trusted_domains.patch: make sure domain members
3972 can talk to trusted domains DCs.
3973 [ update patch based upon upstream discussion ]
3974 + d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
3975 to be statically linked fixes LP #1584485.
3976 + d/rules: Compile winbindd/winbindd statically.
3977 * Drop:
3978 - Delete debian/.gitignore
3979 [ Previously undocumented ]
3980 - debian/patches/git_smbclient_cpu.patch:
3981 + backport upstream patch to fix smbclient users hanging/eating cpu on
3982 trying to contact a machine which is not there (lp #1572260)
3983 [ Fixed upstream ]
3984 - SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
3985 + debian/patches/CVE-2016-2123.patch: check lengths in
3986 librpc/ndr/ndr_dnsp.c.
3987 + CVE-2016-2123
3988 [ Fixed in Debian ]
3989 - SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
3990 + debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
3991 source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
3992 source4/auth/gensec/gensec_gssapi.c.
3993 + CVE-2016-2125
3994 [ Fixed in Debian ]
3995 - SECURITY UPDATE: privilege elevation in Kerberos PAC validation
3996 + debian/patches/CVE-2016-2126.patch: only allow known checksum types
3997 in auth/kerberos/kerberos_pac.c.
3998 + CVE-2016-2126
3999 [ Fixed in Debian ]
4000
4001 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Thu, 26 Jan 2017 17:20:15 -0800
4002
2114samba (2:4.5.4+dfsg-1) unstable; urgency=medium4003samba (2:4.5.4+dfsg-1) unstable; urgency=medium
21154004
2116 [ Mathieu Parent ]4005 [ Mathieu Parent ]
@@ -2238,6 +4127,77 @@ samba (2:4.4.5+dfsg-3) unstable; urgency=medium
22384127
2239 -- Mathieu Parent <sathieu@debian.org> Fri, 09 Sep 2016 13:00:54 +02004128 -- Mathieu Parent <sathieu@debian.org> Fri, 09 Sep 2016 13:00:54 +0200
22404129
4130samba (2:4.4.5+dfsg-2ubuntu7) zesty; urgency=medium
4131
4132 * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
4133 - debian/patches/CVE-2016-2123.patch: check lengths in
4134 librpc/ndr/ndr_dnsp.c.
4135 - CVE-2016-2123
4136 * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
4137 - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
4138 source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
4139 source4/auth/gensec/gensec_gssapi.c.
4140 - CVE-2016-2125
4141 * SECURITY UPDATE: privilege elevation in Kerberos PAC validation
4142 - debian/patches/CVE-2016-2126.patch: only allow known checksum types
4143 in auth/kerberos/kerberos_pac.c.
4144 - CVE-2016-2126
4145
4146 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 20 Jan 2017 12:32:25 -0500
4147
4148samba (2:4.4.5+dfsg-2ubuntu6) zesty; urgency=high
4149
4150 * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
4151 to be statically linked fixes LP: #1584485.
4152
4153 * d/rules: Compile winbindd/winbindd statically.
4154
4155 -- Jorge Niedbalski <jorge.niedbalski@canonical.com> Wed, 02 Nov 2016 13:59:10 +0100
4156
4157samba (2:4.4.5+dfsg-2ubuntu5) yakkety; urgency=medium
4158
4159 * No-change rebuild for readline soname change.
4160
4161 -- Matthias Klose <doko@ubuntu.com> Sun, 18 Sep 2016 10:26:52 +0000
4162
4163samba (2:4.4.5+dfsg-2ubuntu4) yakkety; urgency=medium
4164
4165 * No-change rebuild for readline soname change.
4166
4167 -- Matthias Klose <doko@ubuntu.com> Sat, 17 Sep 2016 12:09:21 +0000
4168
4169samba (2:4.4.5+dfsg-2ubuntu3) yakkety; urgency=medium
4170
4171 * debian/patches/git_smbclient_cpu.patch:
4172 - backport upstream patch to fix smbclient users hanging/eating cpu on
4173 trying to contact a machine which is not there (lp: #1572260)
4174
4175 -- Sebastien Bacher <seb128@ubuntu.com> Fri, 05 Aug 2016 17:32:43 +0200
4176
4177samba (2:4.4.5+dfsg-2ubuntu1) yakkety; urgency=low
4178
4179 * Merge from Debian unstable. Remaining changes:
4180 + debian/VERSION.patch: Update vendor string to "Ubuntu".
4181 + debian/smb.conf;
4182 - Add "(Samba, Ubuntu)" to server string.
4183 - Comment out the default [homes] share, and add a comment about "valid users = %s"
4184 to show users how to restrict access to \\server\username to only username.
4185 + debian/samba-common.config:
4186 - Do not change prioritiy to high if dhclient3 is installed.
4187 + Add apport hook:
4188 - Created debian/source_samba.py.
4189 - debian/rules, debia/samb-common-bin.install: install hook.
4190 + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
4191 pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
4192 + debian/patches/winbind_trusted_domains.patch: make sure domain members
4193 can talk to trusted domains DCs.
4194 * Dropped changes:
4195 - build-depends on libgnutls-dev instead of libgnutsl28-dev: rename was
4196 never done in Debian, revert.
4197 - ufw integration: included in Debian.
4198
4199 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 14 Jul 2016 17:45:46 -0700
4200
2241samba (2:4.4.5+dfsg-2) unstable; urgency=medium4201samba (2:4.4.5+dfsg-2) unstable; urgency=medium
22424202
2243 * Disable running of 'make quicktest' during build, as it takes very4203 * Disable running of 'make quicktest' during build, as it takes very
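Review bot: The 2:4.4.5+dfsg-2ubuntu series in this hunk goes from 2ubuntu1 straight to 2ubuntu3, with no 2:4.4.5+dfsg-2ubuntu2 entry between them. Please confirm against the changelog of the previous Ubuntu upload that the gap is part of the published history and was not introduced while rebuilding the changelog for this merge. The 2ubuntu1 merge entry also lists only the libgnutls-dev and ufw items under "Dropped changes"; samba-bug11912.patch and samba-bug11914.patch from 2:4.3.9+dfsg-0ubuntu1 appear in neither list, so the file does not record what happened to them.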
@@ -2365,6 +4325,20 @@ samba (2:4.4.0+dfsg-1) experimental; urgency=medium
23654325
2366 -- Andrew Bartlett <abartlet+debian@catalyst.net.nz> Wed, 06 Apr 2016 17:08:20 +12004326 -- Andrew Bartlett <abartlet+debian@catalyst.net.nz> Wed, 06 Apr 2016 17:08:20 +1200
23674327
4328samba (2:4.3.9+dfsg-0ubuntu1) yakkety; urgency=medium
4329
4330 * SECURITY REGRESSION: Updated to 4.3.9 to fix multiple regressions in
4331 the previous security updates. (LP: #1577739)
4332 - debian/control: bump tevent Build-Depends to 0.9.28.
4333 * SECURITY REGRESSION: NTLM authentication issues (LP: #1578576)
4334 - debian/patches/samba-bug11912.patch: let msrpc_parse() return
4335 talloc'ed empty strings in libcli/auth/msrpc_parse.c.
4336 - debian/patches/samba-bug11914.patch: make
4337 ntlm_auth_generate_session_info() more complete in
4338 source3/utils/ntlm_auth.c.
4339
4340 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 May 2016 09:29:15 -0400
4341
2368samba (2:4.3.8+dfsg-1) unstable; urgency=low4342samba (2:4.3.8+dfsg-1) unstable; urgency=low
23694343
2370 [ Jelmer Vernooij ]4344 [ Jelmer Vernooij ]
@@ -2379,6 +4353,25 @@ samba (2:4.3.8+dfsg-1) unstable; urgency=low
23794353
2380 -- Jelmer Vernooij <jelmer@debian.org> Sat, 16 Apr 2016 01:18:36 +00004354 -- Jelmer Vernooij <jelmer@debian.org> Sat, 16 Apr 2016 01:18:36 +0000
23814355
4356samba (2:4.3.8+dfsg-0ubuntu1) xenial; urgency=medium
4357
4358 * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
4359 - CVE-2015-5370: Multiple errors in DCE-RPC code
4360 - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
4361 - CVE-2016-2111: NETLOGON Spoofing Vulnerability
4362 - CVE-2016-2112: The LDAP client and server don't enforce integrity
4363 protection
4364 - CVE-2016-2113: Missing TLS certificate validation allows man in the
4365 middle attacks
4366 - CVE-2016-2114: "server signing = mandatory" not enforced
4367 - CVE-2016-2115: SMB client connections for IPC traffic are not
4368 integrity protected
4369 - CVE-2016-2118: SAMR and LSA man in the middle attacks possible
4370 * debian/patches/winbind_trusted_domains.patch: make sure domain members
4371 can talk to trusted domains DCs.
4372
4373 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 12 Apr 2016 07:26:29 -0400
4374
2382samba (2:4.3.7+dfsg-1) unstable; urgency=high4375samba (2:4.3.7+dfsg-1) unstable; urgency=high
23834376
2384 * New upstream release.4377 * New upstream release.
@@ -2421,6 +4414,29 @@ samba (2:4.3.6+dfsg-2) unstable; urgency=low
24214414
2422 -- Mathieu Parent <sathieu@debian.org> Thu, 31 Mar 2016 22:26:11 +02004415 -- Mathieu Parent <sathieu@debian.org> Thu, 31 Mar 2016 22:26:11 +0200
24234416
4417samba (2:4.3.6+dfsg-1ubuntu1) xenial; urgency=medium
4418
4419 * Merge with Debian; remaining changes:
4420 + debian/VERSION.patch: Update vendor string to "Ubuntu".
4421 + debian/smb.conf;
4422 - Add "(Samba, Ubuntu)" to server string.
4423 - Comment out the default [homes] share, and add a comment about "valid users = %s"
4424 to show users how to restrict access to \\server\username to only username.
4425 + debian/samba-common.config:
4426 - Do not change prioritiy to high if dhclient3 is installed.
4427 + debian/control:
4428 - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
4429 + Add ufw integration:
4430 - Created debian/samba.ufw.profile:
4431 - debian/rules, debian/samba.install: install profile
4432 + Add apport hook:
4433 - Created debian/source_samba.py.
4434 - debian/rules, debia/samb-common-bin.install: install hook.
4435 + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
4436 pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
4437
4438 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 09 Mar 2016 08:49:12 -0500
4439
2424samba (2:4.3.6+dfsg-1) unstable; urgency=medium4440samba (2:4.3.6+dfsg-1) unstable; urgency=medium
24254441
2426 * New upstream release.4442 * New upstream release.
@@ -2466,6 +4482,42 @@ samba (2:4.3.3+dfsg-2) unstable; urgency=medium
24664482
2467 -- Mathieu Parent <sathieu@debian.org> Thu, 04 Feb 2016 13:25:01 +01004483 -- Mathieu Parent <sathieu@debian.org> Thu, 04 Feb 2016 13:25:01 +0100
24684484
4485samba (2:4.3.3+dfsg-1ubuntu3) xenial; urgency=medium
4486
4487 * No-change rebuild for gnutls transition.
4488
4489 -- Matthias Klose <doko@ubuntu.com> Wed, 17 Feb 2016 22:41:43 +0000
4490
4491samba (2:4.3.3+dfsg-1ubuntu2) xenial; urgency=medium
4492
4493 * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
4494 (LP: #1545750)
4495
4496 -- Dariusz Gadomski <dariusz.gadomski@canonical.com> Mon, 15 Feb 2016 16:05:12 +0100
4497
4498samba (2:4.3.3+dfsg-1ubuntu1) xenial; urgency=medium
4499
4500 * Merge with Debian; remaining changes:
4501 + debian/VERSION.patch: Update vendor string to "Ubuntu".
4502 + debian/smb.conf;
4503 - Add "(Samba, Ubuntu)" to server string.
4504 - Comment out the default [homes] share, and add a comment about "valid users = %s"
4505 to show users how to restrict access to \\server\username to only username.
4506 + debian/samba-common.config:
4507 - Do not change prioritiy to high if dhclient3 is installed.
4508 + debian/control:
4509 - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
4510 + Add ufw integration:
4511 - Created debian/samba.ufw.profile:
4512 - debian/rules, debian/samba.install: install profile
4513 + Add apport hook:
4514 - Created debian/source_samba.py.
4515 - debian/rules, debia/samb-common-bin.install: install hook.
4516 + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
4517 pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
4518
4519 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 06 Jan 2016 07:41:39 -0500
4520
2469samba (2:4.3.3+dfsg-1) unstable; urgency=medium4521samba (2:4.3.3+dfsg-1) unstable; urgency=medium
24704522
2471 * New upstream release. Closes: #808133.4523 * New upstream release. Closes: #808133.
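Review bot: The 2:4.3.3+dfsg-1ubuntu2 entry ("Fixes regression introduced by debian/patches/CVE-2015-5252.patch") names neither the patch or file that carries the fix nor what was wrong with the CVE patch, so LP: #1545750 is the only pointer for anyone auditing how that security fix was amended. The next merge entry, 2:4.3.6+dfsg-1ubuntu1, lists this change neither as remaining nor as dropped. The published text should stay as uploaded, but it is worth confirming from the package history that the regression fix was superseded rather than lost.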
@@ -2550,6 +4602,63 @@ samba (2:4.2.1+dfsg-1) experimental; urgency=medium
25504602
2551 -- Jelmer Vernooij <jelmer@debian.org> Sun, 07 Dec 2014 15:34:36 +00004603 -- Jelmer Vernooij <jelmer@debian.org> Sun, 07 Dec 2014 15:34:36 +0000
25524604
4605samba (2:4.1.20+dfsg-1ubuntu5) xenial; urgency=medium
4606
4607 * Resolve small merge error in the rules
4608
4609 -- Sebastien Bacher <seb128@ubuntu.com> Wed, 16 Dec 2015 12:02:12 +0100
4610
4611samba (2:4.1.20+dfsg-1ubuntu4) xenial; urgency=medium
4612
4613 * Backport Debian change to remove libpam-smbpasswd, it segfaults
4614 leading to non working session (lp: #1515207)
4615
4616 -- Sebastien Bacher <seb128@ubuntu.com> Wed, 16 Dec 2015 11:47:44 +0100
4617
4618samba (2:4.1.20+dfsg-1ubuntu3) xenial; urgency=medium
4619
4620 * Build with the new ldb
4621
4622 -- Sebastien Bacher <seb128@ubuntu.com> Wed, 18 Nov 2015 11:45:32 +0100
4623
4624samba (2:4.1.20+dfsg-1ubuntu2) xenial; urgency=medium
4625
4626 * debian/samba.logrotate:
4627 - revert to Debian version of the logrotate reload command, fix an
4628 invalid syntax introduced in the upstart->systemd transition
4629 (lp: #1385868)
4630
4631 -- Sebastien Bacher <seb128@ubuntu.com> Tue, 10 Nov 2015 19:01:06 +0100
4632
4633samba (2:4.1.20+dfsg-1ubuntu1) xenial; urgency=medium
4634
4635 * Merge with Debian; remaining changes:
4636 + debian/VERSION.patch: Update vendor string to "Ubuntu".
4637 + debian/smb.conf;
4638 - Add "(Samba, Ubuntu)" to server string.
4639 - Comment out the default [homes] share, and add a comment about "valid users = %s"
4640 to show users how to restrict access to \\server\username to only username.
4641 + debian/samba-common.config:
4642 - Do not change prioritiy to high if dhclient3 is installed.
4643 + debian/control:
4644 - Don't build against or suggest ctdb and tdb.
4645 - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
4646 + debian/rules:
4647 - Drop explicit configuration options for ctdb and tdb.
4648 + Add ufw integration:
4649 - Created debian/samba.ufw.profile:
4650 - debian/rules, debian/samba.install: install profile
4651 + Add apport hook:
4652 - Created debian/source_samba.py.
4653 - debian/rules, debia/samb-common-bin.install: install hook.
4654 + debian/samba.logrotate: use service command to reload (send SIGHUP) the main
4655 processes such that it works under both upstart and systemd.
4656 + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
4657 + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
4658 pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
4659
4660 -- Matthias Klose <doko@ubuntu.com> Sat, 24 Oct 2015 14:57:47 +0200
4661
2553samba (2:4.1.20+dfsg-1) unstable; urgency=medium4662samba (2:4.1.20+dfsg-1) unstable; urgency=medium
25544663
2555 * New upstream release (last compatible with current OpenChange).4664 * New upstream release (last compatible with current OpenChange).
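Review bot: The 2:4.1.20+dfsg-1ubuntu1 merge entry has no dropped-changes section, yet debian/patches/git_timeout_client_error.patch, listed as a remaining change in 2:4.1.17+dfsg-4ubuntu1 (lp: #310932), is absent from its remaining-changes list. The changelog therefore does not say whether that patch was dropped on purpose or fell out during the merge. No edit to the published entry is wanted, but confirm this from the package history before treating the list as the record of the Ubuntu delta.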
@@ -2563,6 +4672,44 @@ samba (2:4.1.17+dfsg-5) unstable; urgency=medium
25634672
2564 -- Jelmer Vernooij <jelmer@debian.org> Sun, 20 Sep 2015 13:20:53 +00004673 -- Jelmer Vernooij <jelmer@debian.org> Sun, 20 Sep 2015 13:20:53 +0000
25654674
4675samba (2:4.1.17+dfsg-4ubuntu2) wily; urgency=medium
4676
4677 * debian/control:
4678 - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
4679
4680 -- Robert Ancell <robert.ancell@canonical.com> Tue, 11 Aug 2015 11:34:50 +1200
4681
4682samba (2:4.1.17+dfsg-4ubuntu1) wily; urgency=medium
4683
4684 * Merge from Debian unstable. Remaining changes:
4685 + debian/VERSION.patch: Update vendor string to "Ubuntu".
4686 + debian/smb.conf;
4687 - Add "(Samba, Ubuntu)" to server string.
4688 - Comment out the default [homes] share, and add a comment about "valid users = %s"
4689 to show users how to restrict access to \\server\username to only username.
4690 + debian/samba-common.config:
4691 - Do not change prioritiy to high if dhclient3 is installed.
4692 + debian/control:
4693 - Don't build against or suggest ctdb and tdb.
4694 + debian/rules:
4695 - Drop explicit configuration options for ctdb and tdb.
4696 + Add ufw integration:
4697 - Created debian/samba.ufw.profile:
4698 - debian/rules, debian/samba.install: install profile
4699 + Add apport hook:
4700 - Created debian/source_samba.py.
4701 - debian/rules, debia/samb-common-bin.install: install hook.
4702 + debian/samba.logrotate: use service command to reload (send SIGHUP) the main
4703 processes such that it works under both upstart and systemd.
4704 + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
4705 + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
4706 pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
4707 + debian/patches/git_timeout_client_error.patch:
4708 - don't let smb mounts timeout that leads to errors when trying to
4709 reuse a mount after idling for a while in e.g nautilus (lp: #310932)
4710
4711 -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 08 May 2015 10:49:12 +0200
4712
2566samba (2:4.1.17+dfsg-4) unstable; urgency=medium4713samba (2:4.1.17+dfsg-4) unstable; urgency=medium
25674714
2568 * Add pidl_reproducible.patch: Make pidl output reproducible.4715 * Add pidl_reproducible.patch: Make pidl output reproducible.
@@ -2599,6 +4746,53 @@ samba (2:4.1.17+dfsg-1) unstable; urgency=high
25994746
2600 -- Ivo De Decker <ivodd@debian.org> Mon, 23 Feb 2015 20:20:21 +01004747 -- Ivo De Decker <ivodd@debian.org> Mon, 23 Feb 2015 20:20:21 +0100
26014748
4749samba (2:4.1.13+dfsg-4ubuntu3) vivid; urgency=medium
4750
4751 * debian/patches/git_timeout_client_error.patch:
4752 - don't let smb mounts timeout that leads to errors when trying to
4753 reuse a mount after idling for a while in e.g nautilus (lp: #310932)
4754
4755 -- Sebastien Bacher <seb128@ubuntu.com> Fri, 03 Apr 2015 17:20:06 +0200
4756
4757samba (2:4.1.13+dfsg-4ubuntu2) vivid; urgency=medium
4758
4759 * SECURITY UPDATE: code execution vulnerability in smbd daemon
4760 - debian/patches/CVE-2015-0240.patch: don't call talloc_free on an
4761 uninitialized pointer and don't dereference a NULL pointer in
4762 source3/rpc_server/netlogon/srv_netlog_nt.c.
4763 - CVE-2015-0240
4764
4765 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 23 Feb 2015 08:36:51 -0500
4766
4767samba (2:4.1.13+dfsg-4ubuntu1) vivid; urgency=low
4768
4769 * Merge from Debian unstable. Remaining changes:
4770 + debian/VERSION.patch: Update vendor string to "Ubuntu".
4771 + debian/smb.conf;
4772 - Add "(Samba, Ubuntu)" to server string.
4773 - Comment out the default [homes] share, and add a comment about "valid users = %s"
4774 to show users how to restrict access to \\server\username to only username.
4775 + debian/samba-common.config:
4776 - Do not change prioritiy to high if dhclient3 is installed.
4777 + debian/control:
4778 - Don't build against or suggest ctdb and tdb.
4779 + debian/rules:
4780 - Drop explicit configuration options for ctdb and tdb.
4781 + Add ufw integration:
4782 - Created debian/samba.ufw.profile:
4783 - debian/rules, debian/samba.install: install profile
4784 + Add apport hook:
4785 - Created debian/source_samba.py.
4786 - debian/rules, debia/samb-common-bin.install: install hook.
4787 + debian/samba.logrotate: use service command to reload (send SIGHUP) the main
4788 processes such that it works under both upstart and systemd.
4789 + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
4790 + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
4791 pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
4792 + debian/patches/CVE-2014-8143.patch fix CVE-2014-8143.
4793
4794 -- Gianfranco Costamagna <costamagnagianfranco@yahoo.it> Wed, 21 Jan 2015 15:48:05 +0100
4795
2602samba (2:4.1.13+dfsg-4) unstable; urgency=medium4796samba (2:4.1.13+dfsg-4) unstable; urgency=medium
26034797
2604 * Revert previous patch, since ldb has an active module version check.4798 * Revert previous patch, since ldb has an active module version check.
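Review bot: In 2:4.1.13+dfsg-4ubuntu1 the line "debian/patches/CVE-2014-8143.patch fix CVE-2014-8143." carries a security fix as one item of the merge's remaining changes, with no SECURITY UPDATE heading and no description, unlike the CVE-2015-0240 entry directly above it. A search of this file for "SECURITY UPDATE" will not show that this version contains the fix; the affected files are described only in 2:4.1.11+dfsg-1ubuntu4. When auditing CVE coverage from this changelog, search by CVE id or patch name rather than by heading.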
@@ -2641,6 +4835,69 @@ samba (2:4.1.11+dfsg-2) unstable; urgency=medium
26414835
2642 -- Jelmer Vernooij <jelmer@debian.org> Sun, 07 Sep 2014 20:52:27 +02004836 -- Jelmer Vernooij <jelmer@debian.org> Sun, 07 Sep 2014 20:52:27 +0200
26434837
4838samba (2:4.1.11+dfsg-1ubuntu4) vivid; urgency=medium
4839
4840 * SECURITY UPDATE: elevation of privilege to AD Domain Controller
4841 - debian/patches/CVE-2014-8143.patch: check for extended access rights
4842 before allowing changes to userAccountControl in
4843 librpc/idl/security.idl, source4/auth/session.c,
4844 source4/dsdb/common/util.c, source4/dsdb/pydsdb.c,
4845 source4/dsdb/samdb/ldb_modules/samldb.c, source4/dsdb/samdb/samdb.h,
4846 source4/rpc_server/lsa/dcesrv_lsa.c,
4847 source4/setup/schema_samba4.ldif.
4848 - CVE-2014-8143
4849
4850 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 21 Jan 2015 09:19:12 -0500
4851
4852samba (2:4.1.11+dfsg-1ubuntu3) vivid; urgency=medium
4853
4854 * No-change rebuild against current ldb. Note that I'm not claiming the
4855 merging for this package.
4856
4857 -- Martin Pitt <martin.pitt@ubuntu.com> Thu, 04 Dec 2014 07:50:22 +0100
4858
4859samba (2:4.1.11+dfsg-1ubuntu2) utopic; urgency=medium
4860
4861 * d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
4862 pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
4863
4864 -- Serge Hallyn <serge.hallyn@ubuntu.com> Thu, 11 Sep 2014 11:53:36 -0500
4865
4866samba (2:4.1.11+dfsg-1ubuntu1) utopic; urgency=medium
4867
4868 * Merge from Debian unstable. Remaining changes:
4869 + debian/VERSION.patch: Update vendor string to "Ubuntu".
4870 + debian/smb.conf;
4871 - Add "(Samba, Ubuntu)" to server string.
4872 - Comment out the default [homes] share, and add a comment about "valid users = %s"
4873 to show users how to restrict access to \\server\username to only username.
4874 + debian/samba-common.config:
4875 - Do not change prioritiy to high if dhclient3 is installed.
4876 + debian/control:
4877 - Don't build against or suggest ctdb and tdb.
4878 + debian/rules:
4879 - Drop explicit configuration options for ctdb and tdb.
4880 + Add ufw integration:
4881 - Created debian/samba.ufw.profile:
4882 - debian/rules, debian/samba.install: install profile
4883 + Add apport hook:
4884 - Created debian/source_samba.py.
4885 - debian/rules, debia/samb-common-bin.install: install hook.
4886 + debian/samba.logrotate: call upstart interfaces unconditionally instead
4887 of hacking arround with pid files.
4888 + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
4889 first dummy transitional package version.
4890 + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
4891
4892 * In logrotate, use service command to reload (send SIGHUP) the main
4893 processes such that it works under both upstart and systemd.
4894 * Drop CVE patches, applied upstream.
4895 * Drop patches absent from series: readline-ftbfs.patch,
4896 krb5_kt_start_seq.diff, config-bind99.patch
4897 * Drop debian/source/include-binaries, pyc files are correctly cleaned up
4898
4899 -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 09 Aug 2014 21:26:23 +0100
4900
2644samba (2:4.1.11+dfsg-1) unstable; urgency=high4901samba (2:4.1.11+dfsg-1) unstable; urgency=high
26454902
2646 * New upstream release. Fixes:4903 * New upstream release. Fixes:
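Review bot: "Drop CVE patches, applied upstream." in 2:4.1.11+dfsg-1ubuntu1 does not name the patches it drops. Going by the entries further down, the candidates are CVE-2014-3560.patch, CVE-2014-0244.patch and CVE-2014-3493.patch from 2:4.1.8+dfsg-1ubuntu3 and 1ubuntu2, but the entry gives no way to confirm that each fix is present in 4.1.11. The same entry lists "debian/samba.logrotate: call upstart interfaces unconditionally" as a remaining change and then states that logrotate now uses the service command, so the remaining-changes list is stale on that item. Both are published history; keep the text as uploaded and check the drops against the upstream release notes if this list is used for an audit.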
@@ -2676,6 +4933,62 @@ samba (2:4.1.9+dfsg-1) unstable; urgency=high
26764933
2677 -- Ivo De Decker <ivo.dedecker@ugent.be> Mon, 23 Jun 2014 18:33:27 +02004934 -- Ivo De Decker <ivo.dedecker@ugent.be> Mon, 23 Jun 2014 18:33:27 +0200
26784935
4936samba (2:4.1.8+dfsg-1ubuntu3) utopic; urgency=medium
4937
4938 * SECURITY UPDATE: remote code execution on unauthenticated nmbd
4939 - debian/patches/CVE-2014-3560.patch: fix unstrcpy in
4940 lib/util/string_wrappers.h.
4941 - CVE-2014-3560
4942
4943 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 01 Aug 2014 17:54:54 -0400
4944
4945samba (2:4.1.8+dfsg-1ubuntu2) utopic; urgency=medium
4946
4947 * SECURITY UPDATE: denial of service on nmbd malformed packet
4948 - debian/patches/CVE-2014-0244.patch: return on EWOULDBLOCK/EAGAIN in
4949 source3/lib/system.c.
4950 - CVE-2014-0244
4951 * SECURITY UPDATE: denial of service via bad unicode conversion
4952 - debian/patches/CVE-2014-3493.patch: refactor code in
4953 source3/lib/charcnv.c, change return code checks in
4954 source3/libsmb/clirap.c, source3/smbd/lanman.c.
4955 - CVE-2014-3493
4956
4957 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 23 Jun 2014 14:10:12 -0400
4958
4959samba (2:4.1.8+dfsg-1ubuntu1) utopic; urgency=low
4960
4961 * Merge from Debian unstable. Remaining changes:
4962 + debian/VERSION.patch: Update vendor string to "Ubuntu".
4963 + debian/smb.conf;
4964 - Add "(Samba, Ubuntu)" to server string.
4965 - Comment out the default [homes] share, and add a comment about "valid users = %s"
4966 to show users how to restrict access to \\server\username to only username.
4967 + debian/samba-common.config:
4968 - Do not change prioritiy to high if dhclient3 is installed.
4969 + debian/control:
4970 - Don't build against or suggest ctdb and tdb.
4971 + debian/rules:
4972 - Drop explicit configuration options for ctdb and tdb.
4973 + Add ufw integration:
4974 - Created debian/samba.ufw.profile:
4975 - debian/rules, debian/samba.install: install profile
4976 + Add apport hook:
4977 - Created debian/source_samba.py.
4978 - debian/rules, debia/samb-common-bin.install: install hook.
4979 + debian/samba.logrotate: call upstart interfaces unconditionally instead
4980 of hacking arround with pid files.
4981 + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
4982 first dummy transitional package version.
4983 + Dropped patches:
4984 - debian/patches/CVE-2013-4496.patch: Dropped no longer needed
4985 - debian/patches/CVE-2013-6442.patch: Dropped no longer needed.
4986 - debian/patches/readline-ftbfs.patch: Use the debian version.
4987 + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
4988 (LP: #1268180)
4989
4990 -- Chuck Short <zulcss@ubuntu.com> Wed, 18 Jun 2014 10:50:25 -0400
4991
2679samba (2:4.1.8+dfsg-1) unstable; urgency=medium4992samba (2:4.1.8+dfsg-1) unstable; urgency=medium
26804993
2681 [ Jelmer Vernooij ]4994 [ Jelmer Vernooij ]
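Review bot: The "Dropped patches" block in 2:4.1.8+dfsg-1ubuntu1 sits under "Remaining changes" and drops CVE-2013-4496.patch and CVE-2013-6442.patch with only "no longer needed" as the reason. It does not say whether the fixes are in upstream 4.1.8 or came in through Debian, which is what a reader needs in order to trust that both CVEs stay fixed. Later entries in this file use a separate "Drop:" section with a bracketed reason such as "[ Fixed in Debian ]"; that form is the one to keep using for new merge entries.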
@@ -2713,6 +5026,74 @@ samba (2:4.1.7+dfsg-1) unstable; urgency=medium
27135026
2714 -- Ivo De Decker <ivo.dedecker@ugent.be> Sat, 19 Apr 2014 13:39:09 +02005027 -- Ivo De Decker <ivo.dedecker@ugent.be> Sat, 19 Apr 2014 13:39:09 +0200
27155028
5029samba (2:4.1.6+dfsg-1ubuntu6) utopic; urgency=medium
5030
5031 * Set the stack size to unlimited during the build to avoid a SIGBUS in
5032 xsltproc on some architectures.
5033
5034 -- Colin Watson <cjwatson@ubuntu.com> Mon, 02 Jun 2014 23:18:40 +0100
5035
5036samba (2:4.1.6+dfsg-1ubuntu5) utopic; urgency=medium
5037
5038 * Backport from unstable (Ivo De Decker):
5039 - Build-depend on heimdal-dev.
5040
5041 -- Colin Watson <cjwatson@ubuntu.com> Mon, 02 Jun 2014 15:39:54 +0100
5042
5043samba (2:4.1.6+dfsg-1ubuntu4) utopic; urgency=high
5044
5045 * No change rebuild against new dh_installinit, to call update-rc.d at
5046 postinst.
5047
5048 -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 28 May 2014 10:41:32 +0100
5049
5050samba (2:4.1.6+dfsg-1ubuntu3) utopic; urgency=medium
5051
5052 * cherrypick upstream patch 1310919 to fix pam_winbind regression
5053 (LP: #1310919)
5054
5055 -- Serge Hallyn <serge.hallyn@ubuntu.com> Tue, 29 Apr 2014 16:05:44 -0500
5056
5057samba (2:4.1.6+dfsg-1ubuntu2) trusty; urgency=medium
5058
5059 * Fix a grammatical error in smb.conf that showed up in a ucf prompt on
5060 upgrade.
5061
5062 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 03 Apr 2014 19:08:03 -0700
5063
5064samba (2:4.1.6+dfsg-1ubuntu1) trusty; urgency=low
5065
5066 * Merge from Debian unstable. Remaining changes:
5067 + debian/VERSION.patch: Update vendor string to "Ubuntu".
5068 + debian/smb.conf;
5069 - Add "(Samba, Ubuntu)" to server string.
5070 - Comment out the default [homes] share, and add a comment about "valid users = %s"
5071 to show users how to restrict access to \\server\username to only username.
5072 + debian/samba-common.config:
5073 - Do not change prioritiy to high if dhclient3 is installed.
5074 + debian/control:
5075 - Don't build against or suggest ctdb and tdb.
5076 + debian/rules:
5077 - Drop explicit configuration options for ctdb and tdb.
5078 + Add ufw integration:
5079 - Created debian/samba.ufw.profile:
5080 - debian/rules, debian/samba.install: install profile
5081 + Add apport hook:
5082 - Created debian/source_samba.py.
5083 - debian/rules, debia/samb-common-bin.install: install hook.
5084 + debian/samba.logrotate: call upstart interfaces unconditionally instead
5085 of hacking arround with pid files.
5086 + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
5087 first dummy transitional package version.
5088 + Dropped patches:
5089 - debian/patches/CVE-2013-4496.patch: Dropped no longer needed
5090 - debian/patches/CVE-2013-6442.patch: Dropped no longer needed.
5091 - debian/patches/readline-ftbfs.patch: Use the debian version.
5092 + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
5093 (LP: #1268180)
5094
5095 -- Chuck Short <zulcss@ubuntu.com> Wed, 02 Apr 2014 13:40:30 -0400
5096
2716samba (2:4.1.6+dfsg-1) unstable; urgency=high5097samba (2:4.1.6+dfsg-1) unstable; urgency=high
27175098
2718 * New upstream security release. Fixes:5099 * New upstream security release. Fixes:
@@ -2772,6 +5153,77 @@ samba (2:4.1.4+dfsg-1) unstable; urgency=medium
27725153
2773 -- Ivo De Decker <ivo.dedecker@ugent.be> Sat, 18 Jan 2014 14:07:15 +01005154 -- Ivo De Decker <ivo.dedecker@ugent.be> Sat, 18 Jan 2014 14:07:15 +0100
27745155
5156samba (2:4.1.3+dfsg-2ubuntu5) trusty; urgency=medium
5157
5158 * debian/smb.conf: comment back some of the "share definitions"
5159 options (including "valid users"). That was an Ubuntu diff and seems to
5160 have been dropped in the trusty merge. Those changes seem needed to
5161 get the usershare feature working (used by nautilus-share) (lp: #1261873)
5162
5163 -- Sebastien Bacher <seb128@ubuntu.com> Tue, 01 Apr 2014 16:01:04 +0200
5164
5165samba (2:4.1.3+dfsg-2ubuntu4) trusty; urgency=medium
5166
5167 * SECURITY UPDATE: Password lockout not enforced for SAMR password
5168 changes
5169 - debian/patches/CVE-2013-4496.patch: refactor password lockout code in
5170 source3/auth/check_samsec.c,
5171 source3/rpc_server/samr/srv_samr_chgpasswd.c,
5172 source3/rpc_server/samr/srv_samr_nt.c,
5173 source3/smbd/lanman.c,
5174 source4/rpc_server/samr/samr_password.c,
5175 source4/torture/rpc/samr.c.
5176 - CVE-2013-4496
5177 * SECURITY UPDATE: smbcacls can remove a file or directory ACL by
5178 mistake
5179 - debian/patches/CVE-2013-6442.patch: handle existing ACL in
5180 source3/utils/smbcacls.c.
5181 - CVE-2013-6442
5182 * debian/patches/readline-ftbfs.patch: fix ftbfs with newer readline6.
5183
5184 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 17 Mar 2014 08:32:30 -0400
5185
5186samba (2:4.1.3+dfsg-2ubuntu3) trusty; urgency=medium
5187
5188 * Depend on tdb-tools (LP: #1279593)
5189 * Updated generated config for Bind9.9.
5190
5191 -- Stéphane Graber <stgraber@ubuntu.com> Wed, 12 Feb 2014 21:26:00 -0500
5192
5193samba (2:4.1.3+dfsg-2ubuntu2) trusty; urgency=medium
5194
5195 * Add missing python-ntdb dependency to python-samba (spotted by
5196 autopkgtest).
5197
5198 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 10 Feb 2014 09:53:01 +0100
5199
5200samba (2:4.1.3+dfsg-2ubuntu1) trusty; urgency=low
5201
5202 * Merge from Debian Unstable:
5203 - debian/VERSION.patch: Update vendor string to "Ubuntu".
5204 * debian/smb.conf;
5205 - Add "(Samba, Ubuntu)" to server string.
5206 - Comment out the default [homes] share, and add a comment about "valid users = %s"
5207 to show users how to restrict access to \\server\username to only username.
5208 + debian/samba-common.config:
5209 - Do not change prioritiy to high if dhclient3 is installed.
5210 + debian/control:
5211 - Don't build against or suggest ctdb and tdb.
5212 + debian/rules:
5213 - Drop explicit configuration options for ctdb and tdb.
5214 + Add ufw integration:
5215 - Created debian/samba.ufw.profile:
5216 - debian/rules, debian/samba.install: install profile
5217 + Add apport hook:
5218 - Created debian/source_samba.py.
5219 - debian/rules, debia/samb-common-bin.install: install hook.
5220 + debian/samba.logrotate: call upstart interfaces unconditionally instead
5221 of hacking arround with pid files.
5222 + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
5223 first dummy transitional package version.
5224
5225 -- Chuck Short <zulcss@ubuntu.com> Mon, 13 Jan 2014 08:52:31 -0500
5226
2775samba (2:4.1.3+dfsg-2) unstable; urgency=medium5227samba (2:4.1.3+dfsg-2) unstable; urgency=medium
27765228
2777 * Add debug symbols for all binaries to samba-dbg. Closes: #7324935229 * Add debug symbols for all binaries to samba-dbg. Closes: #732493
@@ -2814,6 +5266,33 @@ samba (2:4.0.13+dfsg-2) UNRELEASED; urgency=low
28145266
2815 -- Steve Langasek <vorlon@debian.org> Mon, 09 Dec 2013 11:13:59 -08005267 -- Steve Langasek <vorlon@debian.org> Mon, 09 Dec 2013 11:13:59 -0800
28165268
5269samba (2:4.0.13+dfsg-1ubuntu1) trusty; urgency=low
5270
5271 * Merge from Debian Unstable:
5272 - debian/VERSION.patch: Update vendor string to "Ubuntu".
5273 * debian/smb.conf;
5274 - Add "(Samba, Ubuntu)" to server string.
5275 - Comment out the default [homes] share, and add a comment about "valid users = %s"
5276 to show users how to restrict access to \\server\username to only username.
5277 + debian/samba-common.config:
5278 - Do not change prioritiy to high if dhclient3 is installed.
5279 + debian/control:
5280 - Don't build against or suggest ctdb and tdb.
5281 + debian/rules:
5282 - Drop explicit configuration options for ctdb and tdb.
5283 + Add ufw integration:
5284 - Created debian/samba.ufw.profile:
5285 - debian/rules, debian/samba.install: install profile
5286 + Add apport hook:
5287 - Created debian/source_samba.py.
5288 - debian/rules, debia/samb-common-bin.install: install hook.
5289 + debian/samba.logrotate: call upstart interfaces unconditionally instead
5290 of hacking arround with pid files.
5291 + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
5292 first dummy transitional package version.
5293
5294 -- Chuck Short <zulcss@ubuntu.com> Wed, 11 Dec 2013 19:55:47 -0500
5295
2817samba (2:4.0.13+dfsg-1) unstable; urgency=high5296samba (2:4.0.13+dfsg-1) unstable; urgency=high
28185297
2819 [ Steve Langasek ]5298 [ Steve Langasek ]
@@ -2868,6 +5347,37 @@ samba (2:4.0.11+dfsg-1) unstable; urgency=high
28685347
2869 -- Ivo De Decker <ivo.dedecker@ugent.be> Mon, 11 Nov 2013 15:42:40 +01005348 -- Ivo De Decker <ivo.dedecker@ugent.be> Mon, 11 Nov 2013 15:42:40 +0100
28705349
5350samba (2:4.0.10+dfsg-4ubuntu2) trusty; urgency=low
5351
5352 * Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4, first dummy transitional package version.
5353
5354 -- Dmitrijs Ledkovs <xnox@ubuntu.com> Wed, 27 Nov 2013 21:50:43 +0000
5355
5356samba (2:4.0.10+dfsg-4ubuntu1) trusty; urgency=low
5357
5358 * Merge from Debian Unstable:
5359 - debian/VERSION.patch: Update vendor string to "Ubuntu".
5360 * debian/smb.conf;
5361 - Add "(Samba, Ubuntu)" to server string.
5362 - Comment out the default [homes] share, and add a comment about "valid users = %s"
5363 to show users how to restrict access to \\server\username to only username.
5364 + debian/samba-common.config:
5365 - Do not change prioritiy to high if dhclient3 is installed.
5366 + debian/control:
5367 - Don't build against or suggest ctdb and tdb.
5368 + debian/rules:
5369 - Drop explicit configuration options for ctdb and tdb.
5370 + Add ufw integration:
5371 - Created debian/samba.ufw.profile:
5372 - debian/rules, debian/samba.install: install profile
5373 + Add apport hook:
5374 - Created debian/source_samba.py.
5375 - debian/rules, debia/samb-common-bin.install: install hook.
5376 + debian/samba.logrotate: call upstart interfaces unconditionally instead
5377 of hacking arround with pid files.
5378
5379 -- Chuck Short <zulcss@ubuntu.com> Fri, 08 Nov 2013 13:47:46 +0800
5380
2871samba (2:4.0.10+dfsg-4) unstable; urgency=low5381samba (2:4.0.10+dfsg-4) unstable; urgency=low
28725382
2873 [ Christian Perrier ]5383 [ Christian Perrier ]
diff --git a/debian/control b/debian/control
index f6d3e96..ea59fa3 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: samba1Source: samba
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
5Uploaders: Steve Langasek <vorlon@debian.org>,6Uploaders: Steve Langasek <vorlon@debian.org>,
6 Jelmer Vernooij <jelmer@debian.org>,7 Jelmer Vernooij <jelmer@debian.org>,
7 Mathieu Parent <sathieu@debian.org>,8 Mathieu Parent <sathieu@debian.org>,
@@ -35,11 +36,11 @@ Build-Depends-Arch:
35 libblkid-dev,36 libblkid-dev,
36 libbsd-dev,37 libbsd-dev,
37 libcap-dev [linux-any],38 libcap-dev [linux-any],
38 libcephfs-dev [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x],39 libcephfs-dev [amd64 arm64 armel armhf mips64el mipsel ppc64el s390x],
39 libcmocka-dev (>= 1.1.3),40 libcmocka-dev (>= 1.1.3),
40 libcups2-dev,41 libcups2-dev,
41 libdbus-1-dev,42 libdbus-1-dev,
42 libglusterfs-dev [linux-any],43 libglusterfs-dev [!i386],
43 libgnutls28-dev,44 libgnutls28-dev,
44 libgpgme11-dev,45 libgpgme11-dev,
45 libicu-dev,46 libicu-dev,
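Review bot: libglusterfs-dev moves from [linux-any] to [!i386], which is wider than "linux-any without i386": the negated form also matches the non-Linux architectures that the old qualifier excluded. That makes no practical difference on Ubuntu's architecture set, but it does widen the delta against Debian beyond the i386 exclusion itself, so please make sure the reason for dropping i386 is recorded next to this delta. The same applies to liburing-dev in the next hunk.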
@@ -53,12 +54,12 @@ Build-Depends-Arch:
53 libparse-yapp-perl,54 libparse-yapp-perl,
54 libpcap-dev [hurd-i386 kfreebsd-any],55 libpcap-dev [hurd-i386 kfreebsd-any],
55 libpopt-dev,56 libpopt-dev,
56 librados-dev [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x],57 librados-dev [amd64 arm64 armel armhf mips64el mipsel ppc64el s390x],
57 libreadline-dev,58 libreadline-dev,
58 libsystemd-dev [linux-any],59 libsystemd-dev [linux-any],
59 libtasn1-6-dev (>= 3.8),60 libtasn1-6-dev (>= 3.8),
60 libtasn1-bin,61 libtasn1-bin,
61 liburing-dev [linux-any] <!pkg.samba.nouring>,62 liburing-dev [!i386] <!pkg.samba.nouring>,
62 xfslibs-dev [linux-any],63 xfslibs-dev [linux-any],
63 zlib1g-dev (>= 1:1.2.3),64 zlib1g-dev (>= 1:1.2.3),
64# python (+#904999):65# python (+#904999):
diff --git a/debian/tests/control b/debian/tests/control
index d27e025..b37632e 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -28,3 +28,7 @@ Restrictions: needs-root, allow-stderr, isolation-container, skippable
28Tests: reinstall-samba-common-bin28Tests: reinstall-samba-common-bin
29Depends: samba-common, samba-common-bin29Depends: samba-common, samba-common-bin
30Restrictions: needs-root, needs-reboot, isolation-machine, allow-stderr30Restrictions: needs-root, needs-reboot, isolation-machine, allow-stderr
31
32Tests: samba-ad-dc-provisioning-internal-dns
33Depends: samba-ad-dc, samba-ad-provision, smbclient, krb5-user, bind9-dnsutils, lxd | snapd, lsb-release, dctrl-tools
34Restrictions: needs-root, isolation-machine, allow-stderr, breaks-testbed
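Review bot: The Restrictions line for samba-ad-dc-provisioning-internal-dns has no needs-internet, although the test launches an image from the ubuntu-daily: remote and install_lxd in debian/tests/util may run snap install lxd. On a testbed without outbound access this shows up as a test failure rather than a declared requirement. Consider adding needs-internet so the dependency on network access is explicit.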
diff --git a/debian/tests/samba-ad-dc-provisioning-internal-dns b/debian/tests/samba-ad-dc-provisioning-internal-dns
31new file mode 10075535new file mode 100755
index 0000000..f61fa5e
--- /dev/null
+++ b/debian/tests/samba-ad-dc-provisioning-internal-dns
@@ -0,0 +1,398 @@
1#!/bin/bash
2
3set -e
4set -o pipefail
5
6source debian/tests/util
7
8declare -r domain="EXAMPLE"
9declare -r realm="EXAMPLE.FAKE"
10declare -r adminpass="Passw0rd"
11declare -r test_user="test_user_${RANDOM}"
12declare -r test_pw="test_user_secret_${RANDOM}"
13declare -A user_pass
14user_pass[Administrator]="${adminpass}"
15user_pass[${test_user}]="${test_pw}"
16declare -A join_method_deps
17# Minimum set of deps: let realmd install the extra dependencies
18# as needed, depending on the join method.
19join_method_deps[realmd_sssd]="realmd krb5-user smbclient"
20join_method_deps[realmd_winbind]="realmd krb5-user smbclient"
21
22
23cleanup() {
24 rc=$?
25 set +e # so we don't exit midcleanup
26 if [ ${rc} -ne 0 ]; then
27 echo "## Something failed, gathering logs"
28 echo
29 echo "## smb.conf"
30 cat /etc/samba/smb.conf
31 echo
32 echo "## resolv.conf"
33 cat /etc/resolv.conf
34 echo
35 echo "## resolvectl status"
36 resolvectl status
37 echo "## journal for samba-ad-dc.service"
38 journalctl -u samba-ad-dc.service --lines 500
39 echo
40 for log in /var/log/samba/log.*; do
41 # skip compressed logrotated files
42 if [ "${log%.gz}" != "${log}" ]; then
43 continue
44 fi
45 [ -s "${log}" ] || continue
46 echo "## $(basename ${log}):"
47 tail -n 500 "${log}"
48 echo
49 done
50 echo "## syslog"
51 tail -n 500 /var/log/syslog
52 fi
53}
54
55trap cleanup EXIT
56
57assert_testparm() {
58 local parameter="${1}"
59 local expected_value="${2}"
60 local current_value=""
61 local -i retval=0
62
63 echo -n "Asserting ${parameter} is ${expected_value}: "
64 current_value=$(testparm -s --parameter-name "${parameter}" 2>/dev/null) || {
65 retval=$?
66 echo "FAIL"
67 return ${retval}
68 }
69 if [ "${current_value}" = "${expected_value}" ]; then
70 echo "OK"
71 return 0
72 else
73 echo "FAIL"
74 return 1
75 fi
76}
77
78basic_config_tests() {
79 echo "## Basic config tests"
80 testparm -s > /dev/null
81 assert_testparm "realm" "${realm}"
82 assert_testparm "workgroup" "${domain}"
83 assert_testparm "server role" "active directory domain controller"
84 echo
85}
86
87dns_tests() {
88 echo "## DNS tests"
89 echo "Obtaining administrator kerberos ticket"
90 echo "${adminpass}" | timeout --verbose 30 kinit Administrator
91 echo
92 echo "Querying server info"
93 samba-tool dns serverinfo "$(hostname)"
94 echo
95 echo "Checking we got a service ticket of type host/"
96 klist | grep "host/$(hostname)"
97 echo
98 echo "Checking specific DNS records"
99 for srv in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp; do
100 echo -n "${srv}.${realm,,}: "
101 dig @localhost +short -t SRV ${srv}.${realm,,}
102 echo
103 done
104 echo
105 echo -n "Checking that our hostname \"$(hostname)\" is in DNS: "
106 myip=$(dig @localhost +short -t A "$(hostname).${realm,,}")
107 echo "${myip}"
108 echo
109}
110
111user_creation_tests() {
112 echo "## User creation tests"
113 samba-tool domain passwordsettings set --complexity=off
114 echo "Creating user \"${test_user}\" with password ${test_pw}"
115 samba-tool user add "${test_user}" "${test_pw}"
116 echo
117 echo "Attempting to obtain kerberos ticket for user \"${test_user}\""
118 # just in case it ends up waiting at a prompt, we use "timeout"
119 echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}"
120 echo "Ticket obtained"
121 klist
122 echo
123}
124
125smbclient_tests() {
126 echo "## smbclient tests"
127 kdestroy || :
128 echo
129 echo "Obtaining a TGT for ${test_user}"
130 echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}"
131 klist | grep krbtgt
132 echo
133 echo "Attempting password-less authentication with smbclient"
134 echo
135 echo "Listing shares"
136 smbclient -L "$(hostname)" --use-kerberos=required -k
137 echo
138 echo "Listing the sysvol share"
139 smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls"
140 echo
141 echo "Listing policies"
142 # lowercase the ${realm}
143 smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls ${realm,,}/Policies/*"
144 echo
145 echo "Checking that we have a ticket for the cifs service after all these commands"
146 klist | grep cifs/
147 echo
148}
149
150server_join_tests() {
151 local member_server
152 # the join methods are the keys of the join_method_deps dict
153 local -a methods=("${!join_method_deps[@]}")
154 local member_server="member-server"
155
156 echo "## Server join tests"
157 echo "## Initializing lxd"
158 setup_lxd "${realm,,}"
159
160 for method in "${methods[@]}"; do
161 echo "## Setting up member server to join a domain using method ${method}"
162 setup_member_server "${member_server}" "${method}"
163 echo "## Joining domain with method ${method}"
164 join_domain "${member_server}" "${method}"
165 echo
166 echo "## Verifying join with method ${method}"
167 verify_join "${member_server}" "${method}"
168 echo
169 echo "## Leaving domain with method ${method}"
170 leave_domain "${member_server}" "${method}"
171 echo
172 echo "## Destroying member server"
173 lxc delete --force "${member_server}"
174 done
175}
176
177setup_member_server() {
178 local container_name="${1}"
179 local method="${2}"
180 local release
181
182 release="$(lsb_release -cs)"
183 if [ -z "${join_method_deps[${method}]}" ]; then
184 echo "## INTERNAL ERROR, invalid join method: ${method}"
185 return 1
186 fi
187 echo "## Got test dependencies: ${join_method_deps[${method}]}"
188 # can't use cloud-init here to install packages, because we first need to
189 # sync the apt config from the host to the container
190 echo "## Launching ${release} container"
191 lxc launch "ubuntu-daily:${release}" "${container_name}" -q
192 wait_container_ready "${container_name}"
193 send_apt_config "${container_name}"
194 copy_local_apt_files "${container_name}"
195 echo "## Installing dependencies in test container"
196 install_packages_in_container "${container_name}" ${join_method_deps[${method}]}
197}
198
199join_domain_realmd_winbind() {
200 local server="${1}"
201 local discover_cmd="realm discover -v --membership-software=samba --client-software=winbind ${realm,,}"
202 local join_cmd="realm join -v --membership-software=samba --client-software=winbind ${realm,,}"
203
204 echo "## Domain information"
205 lxc exec "${server}" -- ${discover_cmd}
206 echo
207 echo "## Running join command: ${join_cmd}"
208 echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd}
209}
210
211verify_join_realmd_winbind() {
212 local server="${1}"
213 local member_domain
214
215 echo -n "## Verifying member server joined domain name: "
216 member_domain=$(lxc exec "${server}" -- wbinfo --own-domain)
217 echo "${member_domain}"
218 if [ "${member_domain}" != "${domain}" ]; then
219 echo "ERROR: expected member server domain to match the joined domain:"
220 echo "member server domain: ${member_domain}"
221 echo "AD domain: ${domain}"
222 return 1
223 fi
224 echo
225 # we just want to see the output, not parse it
226 echo "## Domain status in member server"
227 lxc exec "${server}" -- wbinfo --domain-info "${member_domain}"
228 echo
229 echo "## User status in member server"
230 for u in "${!user_pass[@]}"; do
231 echo "## User \"${u}@${realm}\" information:"
232 lxc exec "${server}" -- wbinfo --user-info "${u}@${realm}"
233 echo
234 echo "## id ${u}@${realm}"
235 lxc exec "${server}" -- id ${u}@${realm}
236 echo
237 echo "## kinit authentication check for user \"${u}@${realm}\" inside member server"
238 echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}"
239 lxc exec "${server}" -- klist
240 echo
241 echo "## Listing shares with the obtained kerberos ticket"
242 lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
243 lxc exec "${server}" -- kdestroy
244 echo
245 echo "## wbinfo authentication check for user \"${u}@${realm}\" inside member server"
246 # non-interactive format for username is user%password
247 lxc exec "${server}" -- wbinfo --authenticate="${u}@${realm}%${user_pass[${u}]}"
248 echo
249 echo "## wbinfo kerberos authentication check for user \"${u}@${realm}\" inside member server"
250 lxc exec "${server}" -- wbinfo --krb5auth="${u}@${realm}%${user_pass[${u}]}"
251 echo
252 echo "## Listing shares with the obtained kerberos ticket"
253 lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
254 lxc exec "${server}" -- kdestroy
255 done
256}
257
258leave_domain_realmd_winbind() {
259 local server="${1}"
260 local leave_cmd="realm leave -v --remove --client-software=winbind"
261
262 echo "## Running leave command: ${leave_cmd}"
263 echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd}
264}
265
266join_domain_realmd_sssd() {
267 local server="${1}"
268 local discover_cmd="realm discover -v --membership-software=adcli --client-software=sssd ${realm,,}"
269 local join_cmd="realm join -v --membership-software=adcli --client-software=sssd ${realm,,}"
270
271 echo "## Domain information"
272 lxc exec "${server}" -- ${discover_cmd}
273 echo
274 echo "## Running join command: ${join_cmd}"
275 echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd}
276 echo
277}
278
279verify_join_realmd_sssd() {
280 local server="${1}"
281 local samba_domain
282
283 echo -n "## Verifying member server joined domain name: "
284 samba_domain=$(lxc exec "${server}" -- sssctl domain-list)
285 echo "${samba_domain}"
286 if [ "${samba_domain}" != "${realm,,}" ]; then
287 echo "ERROR: expected member server domain to match the joined domain:"
288 echo "member server domain: ${samba_domain}"
289 echo "AD domain: ${realm,,}"
290 return 1
291 fi
292 echo
293 # we just want to see the output, not parse it
294 echo "## Domain status in member server"
295 lxc exec "${server}" -- sssctl domain-status "${realm}"
296 echo
297 echo "## User status in member server"
298 for u in "${!user_pass[@]}"; do
299 echo "## User \"${u}@${realm}\" information:"
300 lxc exec "${server}" -- sssctl user-checks "${u}@${realm}"
301 echo
302 echo "## id ${u}@${realm}"
303 lxc exec "${server}" -- id "${u}@${realm}"
304 echo
305 echo "## kinit authentication check for user \"${u}@${realm}\" inside member server"
306 echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}"
307 lxc exec "${server}" -- klist
308 echo
309 echo "## Listing shares with the obtained kerberos ticket"
310 lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
311 lxc exec "${server}" -- kdestroy
312 done
313}
314
315leave_domain_realmd_sssd() {
316 local server="${1}"
317 local leave_cmd="realm leave -v --remove --client-software=sssd"
318
319 echo "## Running leave command: ${leave_cmd}"
320 echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd}
321}
322
323join_domain() {
324 local server="${1}"
325 local m="${2}"
326
327 join_domain_${m} "${server}"
328}
329
330verify_join() {
331 local server="${1}"
332 local m="${2}"
333
334 verify_join_${m} "${server}"
335}
336
337leave_domain() {
338 local server="${1}"
339 local m="${2}"
340
341 leave_domain_${m} "${server}"
342}
343
344systemctl stop smbd nmbd winbind
345systemctl disable smbd nmbd winbind
346systemctl mask smbd nmbd winbind
347
348systemctl unmask samba-ad-dc
349systemctl enable samba-ad-dc
350
351if [ -f /etc/samba/smb.conf ]; then
352 mv /etc/samba/smb.conf{,.orig}
353fi
354
355# make sure we are starting fresh, as previous tests might left things around
356
357rm -rf /var/lib/samba/* /var/cache/samba/* /run/samba/*
358kdestroy || :
359
360samba-tool domain provision \
361 --domain="${domain}" \
362 --realm="${realm}" \
363 --adminpass="${adminpass}" \
364 --server-role=dc \
365 --use-rfc2307 \
366 --dns-backend=SAMBA_INTERNAL
367
368current_dns=$(resolvectl status | grep "^Current DNS Server:" | awk '{print $4}')
369
370if [ -n "${current_dns}" ]; then
371 echo "## Setting dns forwarder to ${current_dns} in smb.conf"
372 sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
373 /etc/samba/smb.conf
374 unlink /etc/resolv.conf
375 echo "nameserver 127.0.0.1" > /etc/resolv.conf
376 # lowercase substitution
377 echo "search ${realm,,}" >> /etc/resolv.conf
378 systemctl stop systemd-resolved
379 systemctl disable systemd-resolved
380else
381 echo "## Warning, couldn't detect the current DNS server to use as forwarder in smb.conf"
382 echo "## resolvectl status:"
383 resolvectl status
384 echo "## Continuing, and hoping for the best"
385fi
386
387cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf
388
389systemctl start samba-ad-dc
390
391# give it some time, it's a lot of services to start
392sleep 5s
393
394basic_config_tests
395dns_tests
396user_creation_tests
397smbclient_tests
398server_join_tests
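Review bot: dns_tests does not assert on the records it claims to check. In the SRV loop, dig @localhost +short -t SRV exits 0 even when the answer is empty, and myip is echoed without being tested, so a DC that serves no _ldap._tcp or _kerberos SRV records still passes under set -e. Capture each answer and fail when it is empty, for example [ -n "${myip}" ] || return 1, with the same check inside the loop. Smaller points: the fixed sleep 5s after systemctl start samba-ad-dc is a race on slow testbeds and would be more robust as a bounded poll; server_join_tests declares local member_server twice; verify_join_realmd_winbind runs id ${u}@${realm} unquoted while the sssd variant quotes it; and user_creation_tests echoes ${test_pw} into the test log, which is acceptable only because the realm is throwaway.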
diff --git a/debian/tests/util b/debian/tests/util
index 4278ee7..298b321 100644
--- a/debian/tests/util
+++ b/debian/tests/util
@@ -16,7 +16,7 @@ EOFEOF
16 if [ -n "${vfs}" ]; then16 if [ -n "${vfs}" ]; then
17 echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf17 echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf
18 fi18 fi
19 systemctl restart smbd.service19 systemctl reload smbd.service
20 else20 else
21 echo "Share [${share}] already exists, continuing"21 echo "Share [${share}] already exists, continuing"
22 fi22 fi
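Review bot: systemctl reload smbd.service fails when the unit is not active, where the previous restart would have started it, so this helper now depends on smbd already running whenever a share is added. If every caller guarantees that, fine; otherwise systemctl reload-or-restart smbd.service keeps the speed-up without introducing the new failure mode.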
@@ -66,3 +66,113 @@ ensure_uring_available() {
66 exit 7766 exit 77
67 fi67 fi
68}68}
69
70wait_container_ready() {
71 local container="${1}"
72 local -i limit=120 # seconds
73 local -i i=0
74 local -i result=0
75 local ip
76 local output
77
78 while /bin/true; do
79 ip=$(lxc list "${container}" -c 4 --format=compact | tail -1 | awk '{print $1}')
80 if [ -n "${ip}" ]; then
81 break
82 fi
83 i=$((i+1))
84 if [ ${i} -ge ${limit} ]; then
85 return 1
86 fi
87 sleep 1s
88 echo -n "."
89 done
90 while ! nc -z "${ip}" 22; do
91 echo -n "."
92 i=$((i+1))
93 if [ ${i} -ge ${limit} ]; then
94 return 1
95 fi
96 sleep 1s
97 done
98 # cloud-init might still be doing things...
99 # this call blocks, so wrap it in its own little timeout
100 output=$(lxc exec "${container}" -- timeout --verbose $((limit-i)) cloud-init status --wait) || {
101 result=$?
102 echo "cloud-init status --wait failed on container ${container}"
103 echo "${output}"
104 return ${result}
105 }
106 echo
107}
108
109install_lxd() {
110 if ! command -v lxd > /dev/null 2>&1; then
111 # the test depends has "lxd | snapd", so if we don't have lxd, we must
112 # install the snap
113 snap list lxd > /dev/null 2>&1 || {
114 echo "Installing the LXD snap..."
115 snap install lxd
116 }
117 fi
118}
119
120setup_lxd() {
121 local dns_domain="${1}"
122 local network
123 local nic
124 local dns_ip
125
126 install_lxd
127 # Stop samba while lxd is setup, to avoid conflicts on lxdbr0:53
128 systemctl stop samba-ad-dc
129 lxd init --auto
130 lxd waitready --timeout 600
131 network=$(lxc network list --format=compact | grep -E "bridge.*YES.*CREATED")
132 nic=$(echo "${network}" | awk '{print $1}')
133 dns_ip=$(echo "${network}" | awk '{print $4}' | cut -d / -f 1) # strip the cidr
134 # port=0 effectively disables dnsmasq's DNS, so it doesn't conflict with samba's DNS
135 lxc network set "${nic:-lxdbr0}" ipv6.address=none dns.domain="${dns_domain}" raw.dnsmasq="$(echo -e port=0\\ndhcp-option=option:dns-server,${dns_ip})"
136 if [ -n "${http_proxy}" ]; then
137 lxc config set core.proxy_http "${http_proxy}"
138 fi
139 if [ -n "${https_proxy}" ]; then
140 lxc config set core.proxy_https "${https_proxy}"
141 fi
142 if [ -n "${noproxy}" ]; then
143 lxc config set core.proxy_ignore_hosts "${noproxy}"
144 fi
145 systemctl start samba-ad-dc
146 # give it some time, it's a lot of services to start
147 sleep 5s
148}
149
150# Copy the local apt package archive over to the lxd container.
151copy_local_apt_files() {
152 local container_name="${1:-docker}"
153
154 for local_source in $(apt-get indextargets | grep-dctrl -F URI -e '^file:/' -sURI | awk '{print $2}'); do
155 local_source=${local_source#file:}
156 local_dir=$(dirname "${local_source}")
157 lxc exec "${container_name}" -- mkdir -p "${local_dir}"
158 tar -cC "${local_dir}" . | lxc exec "${container_name}" -- tar -xC "${local_dir}"
159 done
160}
161
162send_apt_config() {
163 echo "Copying over /etc/apt to container ${1}"
164 lxc exec "${1}" -- rm -rf /etc/apt
165 lxc exec "${1}" -- mkdir -p /etc/apt
166 tar -cC /etc/apt . | lxc exec "${1}" -- tar -xC /etc/apt
167}
168
169install_packages_in_container() {
170 local container="${1}"
171 shift
172 local packages="${*}"
173
174 echo "### Installing dependencies in member server container: ${packages}"
175 lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get update -q
176 lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y
177 lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y ${packages}
178}
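Review bot: setup_lxd reads the proxy exclusion list from ${noproxy}, while the variables beside it are http_proxy and https_proxy and the conventional name is no_proxy; unless the harness really exports noproxy, core.proxy_ignore_hosts is never set, so this should probably be ${no_proxy}. Also, wait_container_ready probes nc -z "${ip}" 22, but the Depends line added for this test lists no netcat package and nothing afterwards uses SSH (everything goes through lxc exec), so either add the dependency or drop the port probe and rely on cloud-init status --wait. Finally, copy_local_apt_files defaults its container name to docker (${1:-docker}), which looks like a leftover; failing on a missing argument would be safer than silently targeting a container that does not exist.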
