Ubuntu
samba package

debian/changelog (+2622/-0)
debian/control (+30/-4)
debian/rules (+11/-3)
debian/samba-vfs-modules-extra.install (+4/-0)
debian/tests/control (+4/-0)
debian/tests/samba-ad-dc-provisioning-internal-dns (+398/-0)
debian/tests/util (+111/-1)

Related bugs:

Bug #2040363: Merge samba from Debian unstable for noble	Undecided	Fix Released
Bug #2045063: Demote glusterfs for noble	High	Fix Released

Link a bug report

Reviewer	Date Requested	Status
Sergio Durigan Junior (community)		Approve on 2024-01-17
Canonical Server Reporter	2024-01-16	Pending
Review via email: mp+458713@code.launchpad.net

Description of the change

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-merge

Samba merge from debian. Dropped some i386 compatbility changes that debian incorporated by their decision to not ship/build ceph and gluster in 32bit architectures.

The extra dep on python3-markdown was submitted to debian via [3].

Noteworthy in this branch is the split of samba-vfs-modules into samba-vfs-modules and samba-vfs-modules-extra, due to the gluster upcoming demotion to universe.

The gluster fuse module doesn't strictly need to go into universe, and thus samba-vfs-modules-extra, but I felt it would be more confusing if it didn't. I can revert that and move only the actual gluster module that pulls in the gluster dependencies.

Also noteworthy is that the gluster libraries are not available in 32bit architectures (i386 and armhf in ubuntu's case), which means that right now samba-vfs-modules-extra won't exist in 32bit architectures, otherwise it would be an empty package. I *think* the *fuse* gluster module can also not be used in 32bit architectures, because it still requires a gluster mount. But debian still ships[1] it in armhf, for example.

This packaging change will require a change to do-release-upgrade to install samba-vfs-modules-extra in release upgrades to noble, if samba-vfs-modules is installed. That is upcoming, and is a task of the glusterfs demotion bug[2].

1. https://packages.debian.org/sid/armhf/samba-vfs-modules/filelist
2. https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/2045063
3. https://salsa.debian.org/samba-team/samba/-/merge_requests/62

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2024-01-17:

Thanks, Andreas.

Package builds fine and dep8 tests are OK (although not all architectures have been tested). range-diff seems OK.

I'm impressed by the amount of changes under the debian/ directory. There have been quite a few changes to the maintainer scripts, which makes me a bit anxious. The fact that we have comprehensive tests for the package helps a lot.

I spent some time going through the changes under debian/ and couldn't find anything else to comment. Therefore: LGTM, +1.

review: Approve

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2024-01-17:

Thanks, uploaded:

Uploading samba_4.19.4+dfsg-2ubuntu1.dsc
Uploading samba_4.19.4+dfsg-2ubuntu1.debian.tar.xz
Uploading samba_4.19.4+dfsg-2ubuntu1_source.buildinfo
Uploading samba_4.19.4+dfsg-2ubuntu1_source.changes

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andreas Hasenack

Paul Smedley

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index 1af5f13..bb64924 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,35 @@
++samba (2:4.19.4+dfsg-2ubuntu1) noble; urgency=medium
++
++  * Merge with Debian unstable (LP: #2040363). Remaining changes:
++    - debian/control: Ubuntu i386 binary compatibility:
++      + enable the liburing vfs module, except on i386 where liburing is
++        not available
++    - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
++      samba AD DC provisioning and domain join tests with internal DNS
++      (LP #1977746, LP #2011745)
++    - d/control: adjust breaks/replaces for file move that Debian did in
++      4.16.6+dfsg-5, and Ubuntu only did in 4.17.7+dfsg-1ubuntu1, to avoid
++      file conflict in a dist-upgrade from earlier Ubuntu releases, like
++      Kinetic (LP #2024663)
++  * Dropped:
++    - d/rules: ceph is not available in Ubuntu i386, disable it
++      [In 2:4.19.1+dfsg-1]
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      [In 2:4.19.1+dfsg-1]
++  * Added:
++    - d/control: python3-samba has a runtime dep on python3-markdown
++    - glusterfs is no longer in main, create new binary package in
++      universe to ship the samba glusterfs vfs modules and manpages
++      (LP: #2045063):
++      + d/control: new samba-vfs-modules-glusterfs package
++      + d/rules: glusterfs vfs modules and manpages are now in the
++        samba-vfs-modules-extra package
++      + d/samba-vfs-modules-extra.install: add glusterfs vfs modules and
++        manpage
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 15 Jan 2024 12:21:28 -0300
++
  samba (2:4.19.4+dfsg-2) unstable; urgency=medium
    * d/samba.smbd.service, d/samba.nmbd.service: expand forgotten @BINDIR@
@@ -182,6 +214,71 @@ samba (2:4.19.0+dfsg-1) unstable; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Mon, 04 Sep 2023 22:57:48 +0300
++samba (2:4.18.6+dfsg-1ubuntu2.2) noble; urgency=medium
++
++  * No-change rebuild for ICU soname change.
++
++ -- Matthias Klose <doko@ubuntu.com>  Tue, 19 Dec 2023 18:41:25 +0100
++
++samba (2:4.18.6+dfsg-1ubuntu2.1) mantic-security; urgency=medium
++
++  * SECURITY UPDATE: SMB clients can truncate files with read-only
++    permissions
++    - debian/patches/CVE-2023-4091-*.patch
++    - CVE-2023-4091
++  * SECURITY UPDATE: Samba AD DC password exposure to privileged users and
++    RODCs
++    - debian/patches/CVE-2023-4154-*.patch
++    - CVE-2023-4154
++  * SECURITY UPDATE: rpcecho development server allows Denial of Service
++    via sleep() call on AD DC
++    - debian/patches/CVE-2023-42669-*.patch
++    - CVE-2023-42669
++  * SECURITY UPDATE: Samba AD DC Busy RPC multiple listener DoS
++    - debian/patches/CVE-2023-42670-*.patch
++    - CVE-2023-42670
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 10 Oct 2023 12:25:20 -0400
++
++samba (2:4.18.6+dfsg-1ubuntu2) mantic; urgency=medium
++
++  * No-change rebuild with glusterfs 10.3 (LP: #2035127)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 13 Sep 2023 09:57:01 -0300
++
++samba (2:4.18.6+dfsg-1ubuntu1) mantic; urgency=medium
++
++  * Merge with Debian unstable (LP: #2031655, LP: #2031619). Remaining changes:
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + enable the liburing vfs module, except on i386 where liburing is
++        not available
++    - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
++      samba AD DC provisioning and domain join tests with internal DNS
++      (LP #1977746, LP #2011745)
++  * Dropped:
++    - build-depend on libglusterfs-dev only on !i386 arches
++      [In 2:4.18.5+dfsg-2]
++    - Add changes to fix uncaught exception when updating old password
++      containing regex metacharacters by simplifying samba-tool password
++      redaction (LP #2002949).
++      + d/p/lib-cmdline-Return-if-the-commandline-was-redacted-i.patch
++      + d/p/lib-cmdline-Also-redact-newpassword-in-samba_cmdline.patch
++      + d/p/lib-cmdline-Also-burn-the-password2-parameter-if-giv.patch
++      + d/p/samba-tool-Use-samba.glue.get_burnt_cmdline-rather-t.patch
++      + d/p/python-Add-glue.burn_commandline-method.patch
++      + d/p/python-Move-PyList_AsStringList-to-common-code-so-we.patch
++      + d/p/python-Remove-const-from-PyList_AsStringList.patch
++        [Fixed upstream in 4.18.6]
++  * Added:
++    - d/control: adjust breaks/replaces for file move that Debian did in
++      4.16.6+dfsg-5, and Ubuntu only did in 4.17.7+dfsg-1ubuntu1, to avoid
++      file conflict in a dist-upgrade from earlier Ubuntu releases, like
++      Kinetic (LP: #2024663)
++    - d/rules: ceph is not available in Ubuntu i386, disable it
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 Aug 2023 09:52:00 -0300
++
  samba (2:4.18.6+dfsg-1) unstable; urgency=medium
    * new upstream stable/bugfix release:
@@ -242,6 +339,38 @@ samba (2:4.18.5+dfsg-2) unstable; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Fri, 04 Aug 2023 17:29:06 +0300
++samba (2:4.18.5+dfsg-1ubuntu2) mantic; urgency=medium
++
++  * Add changes to fix uncaught exception when updating old password
++    containing regex metacharacters by simplifying samba-tool password
++    redaction (LP: #2002949).
++    - d/p/lib-cmdline-Return-if-the-commandline-was-redacted-i.patch
++    - d/p/lib-cmdline-Also-redact-newpassword-in-samba_cmdline.patch
++    - d/p/lib-cmdline-Also-burn-the-password2-parameter-if-giv.patch
++    - d/p/samba-tool-Use-samba.glue.get_burnt_cmdline-rather-t.patch
++    - d/p/python-Add-glue.burn_commandline-method.patch
++    - d/p/python-Move-PyList_AsStringList-to-common-code-so-we.patch
++    - d/p/python-Remove-const-from-PyList_AsStringList.patch
++
++ -- Michal Maloszewski <michal.maloszewski@canonical.com>  Fri, 28 Jul 2023 00:55:03 +0200
++
++samba (2:4.18.5+dfsg-1ubuntu1) mantic; urgency=medium
++
++  * Merge with Debian unstable (LP: #2028265, LP: #2027716). Remaining
++    changes:
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + enable the liburing vfs module, except on i386 where liburing is
++        not available
++      + build-depend on libglusterfs-dev only on !i386 arches
++    - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
++      samba AD DC provisioning and domain join tests with internal DNS
++      (LP #1977746, LP #2011745)
++    - d/t/util: reload instead of restarting samba, as it's quicker and
++      has the same effect we want in this test
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 20 Jul 2023 10:15:22 -0300
++
  samba (2:4.18.5+dfsg-1) unstable; urgency=medium
    * new upstream stable/security release 4.18.5, including:
@@ -319,6 +448,23 @@ samba (2:4.18.4+dfsg-1) unstable; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 05 Jul 2023 18:14:20 +0300
++samba (2:4.18.3+dfsg-3ubuntu1) mantic; urgency=medium
++
++  * Merge with Debian unstable (LP: #2018054). Remaining changes:
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + enable the liburing vfs module, except on i386 where liburing is
++        not available
++      + build-depend on libglusterfs-dev only on !i386 arches
++    - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
++      samba AD DC provisioning and domain join tests with internal DNS
++      (LP #1977746, LP #2011745)
++  * Added changes:
++    - d/t/util: reload instead of restarting samba, as it's quicker and
++      has the same effect we want in this test
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 22 Jun 2023 11:59:19 -0300
++
  samba (2:4.18.3+dfsg-3) unstable; urgency=medium
    * d/rules: query for DEB_HOST_ARCH, not DEB_HOST_ARCH_CPU,
@@ -477,6 +623,20 @@ samba (2:4.18.0+dfsg-1~exp1) experimental; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Thu, 09 Mar 2023 14:47:05 +0300
++samba (2:4.17.7+dfsg-1ubuntu1) lunar; urgency=medium
++
++  * Merge with Debian unstable (LP: #2014052). Remaining changes:
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + enable the liburing vfs module, except on i386 where liburing is
++        not available
++      + build-depend on libglusterfs-dev only on !i386 arches
++    - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
++      samba AD DC provisioning and domain join tests with internal DNS
++      (LP #1977746, LP #2011745)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 31 Mar 2023 15:26:11 -0300
++
  samba (2:4.17.6+dfsg-1) unstable; urgency=medium
    * new upstream stable/bugfix release 4.17.6:
@@ -504,6 +664,38 @@ samba (2:4.17.6+dfsg-1) unstable; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Thu, 09 Mar 2023 12:52:14 +0300
++samba (2:4.17.5+dfsg-2ubuntu3) lunar; urgency=medium
++
++  * Add domain join tests (LP: #2011745):
++    - d/t/control: update dependencies for samba AD provisioning test,
++      which now also includes a member server join test
++    - d/t/util, d/t/samba-ad-dc-*: add member server join tests
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 15 Mar 2023 20:49:56 -0300
++
++samba (2:4.17.5+dfsg-2ubuntu2) lunar; urgency=medium
++
++  * d/t/samba-ad-dc-provisioning-internal-dns: test improvements
++    (LP: #2009485):
++    - increase kinit timeout, as it also does DNS lookups
++    - add a trap on exit to show logs in the case of some failure
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 06 Mar 2023 11:49:34 -0300
++
++samba (2:4.17.5+dfsg-2ubuntu1) lunar; urgency=medium
++
++  * Merge with Debian unstable (LP: #2002181). Remaining changes:
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + enable the liburing vfs module, except on i386 where liburing is
++        not available
++      + build-depend on libglusterfs-dev only on !i386 arches
++  * Added:
++    - d/t/control, d/t/samba-ad-dc-provisioning-internal-dns: samba AD
++      DC provisioning test with internal DNS (LP: #1977746)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Sun, 05 Feb 2023 13:47:57 -0300
++
  samba (2:4.17.5+dfsg-2) unstable; urgency=medium
    * d/control: samba: depends on exact version of python3-samba
@@ -656,6 +848,43 @@ samba (2:4.17.3+dfsg-4) unstable; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Mon, 05 Dec 2022 14:39:43 +0300
++samba (2:4.17.3+dfsg-3ubuntu2) lunar; urgency=medium
++
++  * No-change rebuild with Python 3.11 as default
++
++ -- Graham Inggs <ginggs@ubuntu.com>  Mon, 26 Dec 2022 18:01:11 +0000
++
++samba (2:4.17.3+dfsg-3ubuntu1) lunar; urgency=medium
++
++  * Merge with Debian unstable (LP: #1993380). Remaining changes:
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - d/control: enable the liburing vfs module, except on i386 where
++      liburing is not available
++    - d/control: build-depend on libglusterfs-dev only on !i386 arches
++  * Dropped:
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++        [In 2:4.16.6+dfsg-1]
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++        [In 2:4.16.6+dfsg-1]
++    - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
++      Skip running the tests if on i386 platform, because the uring
++      package is not available there.
++      [In 2:4.16.6+dfsg-1, improved]
++    - d/t/util: fix setting the password of the smb test user
++      (LP #1955851)
++      [In 2:4.16.5+dfsg-2]
++    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
++      [Implemented dynamically in d/rules in 2:4.16.6+dfsg-6]
++    - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
++      enable the samba glusterfs vfs mofule in that case
++      [In 2:4.16.6+dfsg-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 13 Dec 2022 18:36:23 -0300
++
  samba (2:4.17.3+dfsg-3) unstable; urgency=medium
    * d/control: winbind should depend on the same binary:Version
@@ -952,6 +1181,30 @@ samba (2:4.16.5+dfsg-1) unstable; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Thu, 08 Sep 2022 12:44:38 +0300
++samba (2:4.16.4+dfsg-2ubuntu1) kinetic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - d/control: enable the liburing vfs module, except on i386 where
++      liburing is not available
++    - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
++      Skip running the tests if on i386 platform, because the uring
++      package is not available there.
++    - d/t/util: fix setting the password of the smb test user
++      (LP #1955851)
++    - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
++      enable the samba glusterfs vfs mofule in that case
++    - d/control: build-depend on libglusterfs-dev only on !i386 arches
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 02 Aug 2022 09:30:05 -0300
++
  samba (2:4.16.4+dfsg-2) unstable; urgency=medium
    * d/libldb2.symbols: include newly added symbols
@@ -980,6 +1233,62 @@ samba (2:4.16.4+dfsg-1) unstable; urgency=high
   -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 27 Jul 2022 18:35:53 +0300
++samba (2:4.16.3+dfsg-1ubuntu1) kinetic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1982116). Remaining changes:
++    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - d/control: enable the liburing vfs module, except on i386 where
++      liburing is not available
++    - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
++      Skip running the tests if on i386 platform, because the uring
++      package is not available there.
++    - d/t/util: fix setting the password of the smb test user
++      (LP #1955851)
++    - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
++      enable the samba glusterfs vfs mofule in that case
++    - d/control: build-depend on libglusterfs-dev only on !i386 arches
++  * Dropped:
++    - Update nfs scripts for new nfs.conf config (LP: #1961840):
++      + d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: updated to use
++        nfsconf(8) if it's available, instead of parsing the old config
++        files in /etc/default/nfs-*
++        [In 2:4.16.3+dfsg-1]
++      + d/ctdb.example/nfs-kernel-server/nfs.conf: /etc/nfs.conf to be
++        used by the example enable-nfs.sh example script
++        [In 2:4.16.3+dfsg-1]
++      + d/ctdb.example/nfs-kernel-server/quota: quota config file to be
++        used by the example enable-nfs.sh script
++        [In 2:4.16.3+dfsg-1]
++      + d/ctdb.example/nfs-kernel-server/nfs-{common,kernel-server}:
++        obsolete, replaced by nfs.conf
++        [In 2:4.16.3+dfsg-1]
++      + d/ctdb.example/nfs-kernel-server/enable-nfs.sh: handle new
++        nfs.conf and other changes in the new nfs server packages
++        [In 2:4.16.3+dfsg-1]
++    - Fix abort when deleting a file and "fruit:resource = stream" is
++      used.  (LP #1977491)
++      + d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-01.patch:
++        Add test that shows smbd crashing when deleting a file while using
++        vfs_fruit with "fruit:resource = stream".
++      + d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-02.patch:
++        Handle file deleting when "fruit:resource = stream" is used.
++        [Fixed upstream]
++    - Build dlz module for bind 9.18.x (LP #1964032)
++      + d/p/add-support-for-bind-918.patch: build a dlz module for
++        bind 9.18.x
++      + d/p/add-support-for-bind-918-2.patch: also update the
++        provisioning tool and template config file
++        [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 29 Jul 2022 17:09:27 -0300
++
  samba (2:4.16.3+dfsg-1) unstable; urgency=medium
    [ Michael Tokarev ]
@@ -991,6 +1300,54 @@ samba (2:4.16.3+dfsg-1) unstable; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Mon, 18 Jul 2022 17:15:07 +0300
++samba (2:4.16.2+dfsg-1ubuntu1) kinetic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - d/control: enable the liburing vfs module, except on i386 where
++      liburing is not available
++    - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
++      Skip running the tests if on i386 platform, because the uring
++      package is not available there.
++    - d/t/util: fix setting the password of the smb test user
++      (LP #1955851)
++    - Update nfs scripts for new nfs.conf config (LP #1961840):
++      + d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: updated to use
++        nfsconf(8) if it's available, instead of parsing the old config
++        files in /etc/default/nfs-*
++      + d/ctdb.example/nfs-kernel-server/nfs.conf: /etc/nfs.conf to be
++        used by the example enable-nfs.sh example script
++      + d/ctdb.example/nfs-kernel-server/quota: quota config file to be
++        used by the example enable-nfs.sh script
++      + d/ctdb.example/nfs-kernel-server/nfs-{common,kernel-server}:
++        obsolete, replaced by nfs.conf
++      + d/ctdb.example/nfs-kernel-server/enable-nfs.sh: handle new
++        nfs.conf and other changes in the new nfs server packages
++    - Build dlz module for bind 9.18.x (LP #1964032)
++      + d/p/add-support-for-bind-918.patch: build a dlz module for
++        bind 9.18.x
++      + d/p/add-support-for-bind-918-2.patch: also update the
++        provisioning tool and template config file
++    - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
++      enable the samba glusterfs vfs mofule in that case
++    - d/control: build-depend on libglusterfs-dev only on !i386 arches
++    - Fix abort when deleting a file and "fruit:resource = stream" is
++      used.  (LP #1977491)
++      + d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-01.patch:
++        Add test that shows smbd crashing when deleting a file while using
++        vfs_fruit with "fruit:resource = stream".
++      + d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-02.patch:
++        Handle file deleting when "fruit:resource = stream" is used.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 27 Jun 2022 18:32:00 -0300
++
  samba (2:4.16.2+dfsg-1) unstable; urgency=medium
    * new upstream minor/bugfix release.
@@ -1012,6 +1369,111 @@ samba (2:4.16.2+dfsg-1) unstable; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Mon, 13 Jun 2022 19:08:44 +0300
++samba (2:4.16.1+dfsg-8ubuntu2) kinetic; urgency=medium
++
++  * Fix abort when deleting a file and "fruit:resource = stream" is
++    used.  (LP: #1977491)
++    - d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-01.patch:
++      Add test that shows smbd crashing when deleting a file while using
++      vfs_fruit with "fruit:resource = stream".
++    - d/p/lp1977491-dont-crash-on-vfs_fruit-resource-stream-02.patch:
++      Handle file deleting when "fruit:resource = stream" is used.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 20 Jun 2022 19:09:25 -0400
++
++samba (2:4.16.1+dfsg-8ubuntu1) kinetic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1971256, LP: #1846947). Remaining
++    changes:
++    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - d/control: enable the liburing vfs module, except on i386 where
++      liburing is not available
++    - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
++      Skip running the tests if on i386 platform, because the uring
++      package is not available there.
++    - d/t/util: fix setting the password of the smb test user
++      (LP #1955851)
++    - Update nfs scripts for new nfs.conf config (LP #1961840):
++      + d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: updated to use
++        nfsconf(8) if it's available, instead of parsing the old config
++        files in /etc/default/nfs-*
++      + d/ctdb.example/nfs-kernel-server/nfs.conf: /etc/nfs.conf to be
++        used by the example enable-nfs.sh example script
++      + d/ctdb.example/nfs-kernel-server/ctdb.example.quota: quota
++        config file to be used by the example enable-nfs.sh script
++      + d/ctdb.example/nfs-kernel-server/nfs-{common,kernel-server}:
++        obsolete, replaced by nfs.conf
++      + d/ctdb.example/nfs-kernel-server/enable-nfs.sh: handle new
++        nfs.conf and other changes in the new nfs server packages
++    - Build dlz module for bind 9.18.x (LP #1964032)
++      + d/p/add-support-for-bind-918.patch: build a dlz module for
++        bind 9.18.x
++      + d/p/add-support-for-bind-918-2.patch: also update the
++        provisioning tool and template config file
++    - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
++      enable the samba glusterfs vfs mofule in that case
++    - d/control: build-depend on libglusterfs-dev only on !i386 arches
++  * Dropped:
++    - d/control: add a versioned libgnutls28-dev build-depends to reduce
++      the amount of in-tree crypto code that is built
++      [superfluous, the version in the archive is recent enough]
++    - d/samba.postinst: do not populate sambashare from the Ubuntu admin group (LP 1942195)
++      [Included in 2:4.13.13+dfsg-1]
++    - d/control: bump required build-depends
++      [Included in Debian]
++    - d/samba-libs.install: update list of installed libraries and
++      modules/plugins
++      [Done in Debian]
++    - debian/patches/CVE-2021-20254.patch: removed, applied upstream
++      [Applied upstream, Debian didn't have this patch]
++    - d/p/Rename-mdfind-to-mdsearch.patch: removed, applied usptream
++      [Applied usptream, Debian did not have it]
++    - d/{gpb.conf,watch,README.source}: update for 4.15
++      [Debian updated it for 4.16]
++    - d/rules: remove --with-dnsupdate, it was merged with
++      --with-ads in samba 4.15.0
++      [Included in 2:4.16.0+dfsg-1]
++    - d/rules: drop removal of ctdb tests, they are no longer installed
++      [Included in 2:4.16.0+dfsg-1]
++    - Remove findsmb, no longer installed:
++      + d/smbclient.install: remove findsmb
++      + d/rules: drop fixing of findsmb shebang
++      [Included in 2:4.16.0+dfsg-1]
++    - d/ctdb.install: remove ctdb_local_daemons, part of ctdb tests,
++      no longer installed
++      [Included in 2:4.16.0+dfsg-1]
++    - d/ctdb.install: add tdb_mutex_check
++      [Included in 2:4.16.0+dfsg-1]
++    - d/winbind.install: add async_dns_krb5_locator
++      [Included in 2:4.16.0+dfsg-1]
++    - d/samba.install: install samba-bgqd and its manpage
++      [Included in 2:4.16.0+dfsg-1]
++    - d/{libsmbclient,libwbclient0}.symbols: symbols updates
++      [Obsolete, these were for 4.15.5]
++    - d/rules: drop dh_perl override, unneeded
++      [Included in 2:4.16.0+dfsg-1]
++    - d/p/lp-1951490-fix-printing-KB5006743.patch: Fix printing after
++      Windows 2021-10 Monthly Rollup patch (LP #1951490)
++      [Included upstream in 4.16.0rc2]
++    - d/rules: install the new/changed ctdb example nfs files
++      [Installed via ctdb.examples]
++  * Added:
++    - rename ctdb example files nfs.conf and quota, to match what the
++      enable-nfs.sh script expects
++    - enable-nfs.sh ctdb example: use debian's filename for the
++      static port sysctl configuration
++    - enable-nfs.sh: in ctdb 4.16, the "recovery lock" config option was
++      renamed to "cluster lock"
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 08 Jun 2022 11:02:29 -0300
++
  samba (2:4.16.1+dfsg-8) unstable; urgency=medium
    * fix the Breaks/Replaces versions in the previous upload for moving
@@ -1308,6 +1770,95 @@ samba (2:4.16.0+dfsg-1) experimental; urgency=medium
   -- Michael Tokarev <mjt@tls.msk.ru>  Tue, 05 Apr 2022 16:01:25 +0300
++samba (2:4.15.5~dfsg-0ubuntu6) kinetic; urgency=medium
++
++  * No-change rebuild against libicu71
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sat, 30 Apr 2022 02:14:39 +0000
++
++samba (2:4.15.5~dfsg-0ubuntu5) jammy; urgency=medium
++
++  * Enable glusterfs support (LP: #1894618):
++    - d/control: revert disabling of glusterfs, since it's in main now
++    - d/rules: in Ubuntu, glusterfs is not built for i386, so don't
++      enable the samba glusterfs vfs mofule in that case
++    - d/control: build-depend on libglusterfs-dev only on !i386 arches
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 09 Mar 2022 17:31:25 -0300
++
++samba (2:4.15.5~dfsg-0ubuntu4) jammy; urgency=medium
++
++  * Build dlz module for bind 9.18.x (LP: #1964032)
++    - d/p/add-support-for-bind-918.patch: build a dlz module for
++      bind 9.18.x
++    - d/samba-libs.install: remove fixme comment
++    - d/p/add-support-for-bind-918-2.patch: also update the provisioning
++      tool and template config file
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 25 Mar 2022 14:53:19 -0300
++
++samba (2:4.15.5~dfsg-0ubuntu3) jammy; urgency=medium
++
++  * Update nfs scripts for new nfs.conf config (LP: #1961840):
++    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: updated to use
++      nfsconf(8) if it's available, instead of parsing the old config
++      files in /etc/default/nfs-*
++    - d/ctdb.example.nfs.conf: /etc/nfs.conf to be used by the example
++      enable-nfs.sh example script
++    - d/ctdb.example.quota: quota config file to be used by the example
++      enable-nfs.sh script
++    - d/ctdb.example.nfs-{common,kernel-server}: obsolete, replaced by
++      nfs.conf
++    - d/ctdb.example.enable.nfs.sh: handle new nfs.conf and other
++      changes in the new nfs server packages
++    - d/rules: install the new/changed ctdb example nfs files
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 21 Mar 2022 11:55:54 -0300
++
++samba (2:4.15.5~dfsg-0ubuntu2) jammy; urgency=medium
++
++  * d/p/lp-1951490-fix-printing-KB5006743.patch: Fix printing after
++    Windows 2021-10 Monthly Rollup patch (LP: #1951490)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 10 Mar 2022 10:32:59 -0300
++
++samba (2:4.15.5~dfsg-0ubuntu1) jammy; urgency=medium
++
++  * d/{gpb.conf,watch,README.source}: update for 4.15
++  * New upstream release: 4.15.5 (LP: #1946839)
++  * d/p/Rename-mdfind-to-mdsearch.patch: removed, applied usptream
++  * d/rules: remove --with-dnsupdate, it was merged with
++    --with-ads in samba 4.15.0
++  * d/control: bump required build-depends
++  * d/rules: drop removal of ctdb tests, they are no longer installed
++  * Remove findsmb, no longer installed:
++    - d/smbclient.install: remove findsmb
++    - d/rules: drop fixing of findsmb shebang
++  * d/ctdb.install: remove ctdb_local_daemons, part of ctdb tests,
++    no longer installed
++  * d/samba-libs.install: update list of installed libraries and
++    modules/plugins
++  * d/ctdb.install: add tdb_mutex_check
++  * d/winbind.install: add async_dns_krb5_locator
++  * d/samba.install: install samba-bgqd and its manpage
++  * d/{libsmbclient,libwbclient0}.symbols: symbols updates
++  * d/control: add python3-markdown to build-depends
++  * d/watch: updated to handle ~dfsg versioning, thanks to
++    Sergio Durigan Junior <sergio.durigan@canonical.com>
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 22 Feb 2022 17:59:22 -0300
++
++samba (2:4.13.17~dfsg-0ubuntu1) jammy; urgency=medium
++
++  * Update to 4.13.17 as a security update
++    - CVE-2021-43566, CVE-2021-44142, CVE-2022-0336
++  * Removed patches included in new version:
++    - debian/patches/trusted_domain_regression_fix.patch
++    - debian/patches/bug14901-*.patch
++    - debian/patches/bug14922.patch
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 14 Feb 2022 10:19:08 -0500
++
  samba (2:4.13.14+dfsg-1) unstable; urgency=high
    * New upstream security release in order to address the following defects:
@@ -1334,6 +1885,52 @@ samba (2:4.13.14+dfsg-1) unstable; urgency=high
   -- Mathieu Parent <sathieu@debian.org>  Tue, 09 Nov 2021 20:53:03 +0100
++samba (2:4.13.14+dfsg-0ubuntu5) jammy; urgency=medium
++
++  * No-change rebuild for icu soname change
++
++ -- William 'jawn-smith' Wilson <jawn-smith@ubuntu.com>  Fri, 11 Feb 2022 11:36:14 -0600
++
++samba (2:4.13.14+dfsg-0ubuntu4) jammy; urgency=medium
++
++  * d/t/util: fix setting the password of the smb test user
++    (LP: #1955851)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 20 Jan 2022 17:06:13 -0300
++
++samba (2:4.13.14+dfsg-0ubuntu3) jammy; urgency=medium
++
++  * No-change rebuild with Python 3.10 as default version
++
++ -- Graham Inggs <ginggs@ubuntu.com>  Sun, 16 Jan 2022 07:01:34 +0000
++
++samba (2:4.13.14+dfsg-0ubuntu2) jammy; urgency=medium
++
++  * SECURITY REGRESSION: Kerberos authentication on standalone server in
++    MIT realm broken
++    - debian/patches/bug14922.patch: fix MIT Realm regression in
++      source3/auth/user_krb5.c.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 13 Dec 2021 07:09:36 -0500
++
++samba (2:4.13.14+dfsg-0ubuntu1) jammy; urgency=medium
++
++  * Update to 4.13.14 as a security update (LP: #1950363)
++    - debian/patches/CVE-2021-20254.patch: removed, included in new
++      version.
++    - debian/control: bump ldb Build-Depends to 2.2.3.
++    - debian/samba-libs.install: added libdcerpc-pkt-auth.so.0.
++    - debian/patches/trusted_domain_regression_fix.patch: fix regression
++      introduced in 4.13.14.
++    - debian/patches/bug14901-*.patch: upstream patches to fix some
++      mapping issues.
++    - debian/patches/bug14918-*.patch: upstream patches to properly handle
++      dangling symlinks.
++    - CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719,
++      CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 09 Nov 2021 14:52:07 -0500
++
  samba (2:4.13.13+dfsg-1) unstable; urgency=high
    [ Athos Ribeiro ]
@@ -1355,6 +1952,83 @@ samba (2:4.13.13+dfsg-1) unstable; urgency=high
   -- Mathieu Parent <sathieu@debian.org>  Mon, 01 Nov 2021 08:59:20 +0100
++samba (2:4.13.5+dfsg-2ubuntu4) jammy; urgency=medium
++
++  * No-change rebuild against liburing2
++
++ -- Paride Legovini <paride@ubuntu.com>  Mon, 22 Nov 2021 18:08:34 +0100
++
++samba (2:4.13.5+dfsg-2ubuntu3) impish; urgency=medium
++
++  * d/samba.postinst: do not populate sambashare from the admin group
++    (Debian packaging cherry-pick. LP: #1942195)
++
++ -- Paride Legovini <paride@ubuntu.com>  Wed, 06 Oct 2021 10:31:14 +0200
++
++samba (2:4.13.5+dfsg-2ubuntu2) impish; urgency=medium
++
++  * No-change rebuild due to OpenLDAP soname bump.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 21 Jun 2021 18:08:36 -0400
++
++samba (2:4.13.5+dfsg-2ubuntu1) impish; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - d/control: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - d/control: add a versioned libgnutls28-dev build-depends to reduce
++      the amount of in-tree crypto code that is built
++    - d/control: enable the liburing vfs module, except on i386 where
++      liburing is not available
++    - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
++      Skip running the tests if on i386 platform, because the uring
++      package is not available there.
++  * Dropped changes:
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++      [Included in 2:4.13.4+dfsg-1]
++    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
++      change nfs service name from nfs to nfs-kernel-server
++      (LP #722201)
++      [Included in 2:4.13.4+dfsg-1]
++    - d/p/ctdb-config-enable-syslog-by-default.patch:
++      enable syslog and systemd journal by default
++      [Included in 2:4.13.4+dfsg-1]
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + disable the following binary packages:
++        - ctdb
++        - libnss-winbind
++        - libpam-winbind
++        - python3-samba
++        - samba
++        - samba-common-bin
++        - samba-testsuite
++        - winbind
++      [Included in 2:4.13.4+dfsg-1]
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + re-enable the following binary packages:
++        - libnss-winbind
++        - samba-common-bin
++        - python3-samba
++        - winbind
++      [Included in 2:4.13.4+dfsg-1]
++    - SECURITY UPDATE: wrong group entries via negative idmap cache entries
++      + debian/patches/CVE-2021-20254.patch: Simplify sids_to_unixids() in
++        source3/passdb/lookup_sid.c.
++      + CVE-2021-20254
++      [Included in 2:4.13.5+dfsg-2]
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Mon, 17 May 2021 11:51:54 -0300
++
  samba (2:4.13.5+dfsg-2) unstable; urgency=high
    * CVE-2021-20254: Negative idmap cache entries can cause incorrect group
@@ -1386,6 +2060,86 @@ samba (2:4.13.4+dfsg-1) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Tue, 09 Feb 2021 22:26:43 +0100
++samba (2:4.13.3+dfsg-1ubuntu2.1) hirsute-security; urgency=medium
++
++  * SECURITY UPDATE: wrong group entries via negative idmap cache entries
++    - debian/patches/CVE-2021-20254.patch: Simplify sids_to_unixids() in
++      source3/passdb/lookup_sid.c.
++    - CVE-2021-20254
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 29 Apr 2021 06:48:54 -0400
++
++samba (2:4.13.3+dfsg-1ubuntu2) hirsute; urgency=medium
++
++  * No change rebuild to pick up liburing, and also
++    fix d/t/cifs-share-access-uring. (LP: #1914145)
++
++ -- Mauricio Faria de Oliveira <mfo@canonical.com>  Wed, 03 Feb 2021 09:14:25 -0300
++
++samba (2:4.13.3+dfsg-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
++      change nfs service name from nfs to nfs-kernel-server
++      (LP #722201)
++    - d/p/ctdb-config-enable-syslog-by-default.patch:
++      enable syslog and systemd journal by default
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + disable the following binary packages:
++        - ctdb
++        - libnss-winbind
++        - libpam-winbind
++        - python3-samba
++        - samba
++        - samba-common-bin
++        - samba-testsuite
++        - winbind
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + re-enable the following binary packages:
++        - libnss-winbind
++        - samba-common-bin
++        - python3-samba
++        - winbind
++    - d/control: add a versioned libgnutls28-dev build-depends to reduce
++      the amount of in-tree crypto code that is built
++    - d/control: enable the liburing vfs module, except on i386 where
++      liburing is not available
++  * Dropped changes, incorporated by Debian:
++    - d/t/smbclient-anonymous-share-list: add set -x and set -e
++    - Factor out common DEP8 test code into d/t/util and change the tests
++      to source from it:
++      + d/t/util: added
++      + d/t/cifs-share-access, d/t/smbclient-share-access: source from
++        util, use random share name and add set -x and set -u
++      + d/t/smbclient-authenticated-share-list: source from util and add
++        set -x and set -u
++    - Add new DEP8 tests for the uring vfs module:
++      + d/t/control: add smbclient-share-access-uring and
++        cifs-share-access-uring tests
++      + d/t/smbclient-share-access-uring: new test
++      + d/t/cifs-share-access-uring: new test
++    - d/t/{util, smbclient-share-access-uring, cifs-share-access-uring}:
++      guard uring tests with a kernel version check and skip if it's too old
++  * Added changes:
++    - d/t/{cifs-share-access-uring,smbclient-share-access-uring}:
++      Skip running the tests if on i386 platform, because the uring
++      package is not available there.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Wed, 13 Jan 2021 15:44:04 -0500
++
  samba (2:4.13.3+dfsg-1) unstable; urgency=medium
    [ Andreas Hasenack ]
@@ -1401,6 +2155,93 @@ samba (2:4.13.3+dfsg-1) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Wed, 16 Dec 2020 18:23:09 +0100
++samba (2:4.13.2+dfsg-3ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable (LP: #1905048). Remaining changes:
++    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
++      change nfs service name from nfs to nfs-kernel-server
++      (LP #722201)
++    - d/p/ctdb-config-enable-syslog-by-default.patch:
++      enable syslog and systemd journal by default
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + disable the following binary packages:
++        - ctdb
++        - libnss-winbind
++        - libpam-winbind
++        - python3-samba
++        - samba
++        - samba-common-bin
++        - samba-testsuite
++        - winbind
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + re-enable the following binary packages:
++        - libnss-winbind
++        - samba-common-bin
++        - python3-samba
++        - winbind
++    - d/control: add a versioned libgnutls28-dev build-depends to reduce
++      the amount of in-tree crypto code that is built
++  * d/t/smbclient-anonymous-share-list: add set -x and set -e
++  * Factor out common DEP8 test code into d/t/util and change the tests
++    to source from it:
++    - d/t/util: added
++    - d/t/cifs-share-access, d/t/smbclient-share-access: source from
++      util, use random share name and add set -x and set -u
++    - d/t/smbclient-authenticated-share-list: source from util and add
++      set -x and set -u
++  * d/control: enable the liburing vfs module, except on i386 where
++    liburing is not available
++  * Add new DEP8 tests for the uring vfs module:
++    - d/t/control: add smbclient-share-access-uring and
++      cifs-share-access-uring tests
++    - d/t/smbclient-share-access-uring: new test
++    - d/t/cifs-share-access-uring: new test
++  * d/t/{util, smbclient-share-access-uring, cifs-share-access-uring}:
++    guard uring tests with a kernel version check and skip if it's too old
++  * Dropped changes:
++    - SECURITY UPDATE: Unauthenticated domain controller compromise by
++      subverting Netlogon cryptography (ZeroLogon)
++      + debian/patches/zerologon-*.patch: backport upstream patches:
++        + For compatibility reasons, allow specifying an insecure netlogon
++          configuration per machine. See the following link for examples:
++          https://www.samba.org/samba/security/CVE-2020-1472.html
++        + Add additional server checks for the protocol attack in the
++          client-specified challenge to provide some protection when
++          'server schannel = no/auto' and avoid the false-positive results
++          when running the proof-of-concept exploit.
++    [ Incorporated by upstream. ]
++    - SECURITY UPDATE: Missing handle permissions check in ChangeNotify
++      + debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
++        get set unless the directory handle is open for SEC_DIR_LIST in
++        source4/torture/smb2/notify.c, source3/smbd/notify.c.
++      + CVE-2020-14318
++    - SECURITY UPDATE: Unprivileged user can crash winbind
++      + debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
++        source3/winbindd/winbindd_lookupsids.c,
++        source4/torture/winbind/struct_based.c.
++      + CVE-2020-14323
++    - SECURITY UPDATE: DNS server crash via invalid records
++      - debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
++        with NULL  and do not crash when additional data not found in
++        source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
++      + CVE-2020-14383
++    [ Incorporated by upstream. ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Tue, 24 Nov 2020 22:12:00 -0500
++
  samba (2:4.13.2+dfsg-3) unstable; urgency=medium
    * Ensure systemd-tmpfiles is called before testparm (Closes: #975422)
@@ -1446,6 +2287,138 @@ samba (2:4.13.2+dfsg-1) experimental; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Thu, 12 Nov 2020 11:23:01 +0100
++samba (2:4.12.5+dfsg-3ubuntu4.1) groovy-security; urgency=medium
++
++  * SECURITY UPDATE: Missing handle permissions check in ChangeNotify
++    - debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
++      get set unless the directory handle is open for SEC_DIR_LIST in
++      source4/torture/smb2/notify.c, source3/smbd/notify.c.
++    - CVE-2020-14318
++  * SECURITY UPDATE: Unprivileged user can crash winbind
++    - debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
++      source3/winbindd/winbindd_lookupsids.c,
++      source4/torture/winbind/struct_based.c.
++    - CVE-2020-14323
++  * SECURITY UPDATE: DNS server crash via invalid records
++    - debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
++      with NULL  and do not crash when additional data not found in
++      source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
++    - CVE-2020-14383
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 16 Oct 2020 06:53:44 -0400
++
++samba (2:4.12.5+dfsg-3ubuntu4) groovy; urgency=medium
++
++  * SECURITY UPDATE: Unauthenticated domain controller compromise by
++    subverting Netlogon cryptography (ZeroLogon)
++    - debian/patches/zerologon-*.patch: backport upstream patches:
++      + For compatibility reasons, allow specifying an insecure netlogon
++        configuration per machine. See the following link for examples:
++        https://www.samba.org/samba/security/CVE-2020-1472.html
++      + Add additional server checks for the protocol attack in the
++        client-specified challenge to provide some protection when
++        'server schannel = no/auto' and avoid the false-positive results
++        when running the proof-of-concept exploit.
++    - CVE-2020-1472
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 28 Sep 2020 09:46:49 -0400
++
++samba (2:4.12.5+dfsg-3ubuntu3) groovy; urgency=medium
++
++  * d/t/{util, smbclient-share-access-uring, cifs-share-access-uring}:
++    guard uring tests with a kernel version check and skip if it's too old
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 11 Aug 2020 11:00:35 -0300
++
++samba (2:4.12.5+dfsg-3ubuntu2) groovy; urgency=medium
++
++  * d/t/smbclient-anonymous-share-list: add set -x and set -e
++  * Factor out common DEP8 test code into d/t/util and change the tests
++    to source from it:
++    - d/t/util: added
++    - d/t/cifs-share-access, d/t/smbclient-share-access: source from
++      util, use random share name and add set -x and set -u
++    - d/t/smbclient-authenticated-share-list: source from util and add
++      set -x and set -u
++  * d/control: enable the liburing vfs module, except on i386 where
++    liburing is not available
++  * Add new DEP8 tests for the uring vfs module:
++    - d/t/control: add smbclient-share-access-uring and
++      cifs-share-access-uring tests
++    - d/t/smbclient-share-access-uring: new test
++    - d/t/cifs-share-access-uring: new test
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 04 Aug 2020 17:20:30 -0300
++
++samba (2:4.12.5+dfsg-3ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/p/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
++      change nfs service name from nfs to nfs-kernel-server
++      (LP #722201)
++    - d/p/ctdb-config-enable-syslog-by-default.patch:
++      enable syslog and systemd journal by default
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + disable the following binary packages:
++        - ctdb
++        - libnss-winbind
++        - libpam-winbind
++        - python3-samba
++        - samba
++        - samba-common-bin
++        - samba-testsuite
++        - winbind
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + re-enable the following binary packages:
++        - libnss-winbind
++        - samba-common-bin
++        - python3-samba
++        - winbind
++    - d/control: add a versioned libgnutls28-dev build-depends to reduce
++      the amount of in-tree crypto code that is built
++  * Dropped:
++    - d/gbp.conf, d/watch, d/README.source: update for 4.12
++      [In 2:4.12.3+dfsg-1]
++    - d/control: bump build-depends:
++      + ldb: 2.1.2
++      + tevent: 0.10.2
++      + tdb: 1.4.3
++      + talloc: 2.3.1
++      [In 2:4.12.3+dfsg-1]
++    - d/smbclient.install: add new binary mdfind and its manpage
++      [In 2:4.12.3+dfsg-1]
++    - d/samba-dev.install, d/samba-libs.install: new lib
++      libdcerpc-server-core
++      [In 2:4.12.3+dfsg-1]
++    - d/samba-libs.install: new library libtalloc-report-printf
++      [In 2:4.12.3+dfsg-1]
++    - d/libwbclient0.install: remove libaesni, no longer built when
++      gnutls provides AES CMAC
++      [In 2:4.12.3+dfsg-1]
++    - d/libsmbclient.symbols, d/libwbclient0.symbols: update symbols
++      [In 2:4.12.3+dfsg-1]
++    - d/p/build-Remove-tests-for-getdents-and-getdirentries.patch
++      [Dropped in 2:4.12.3+dfsg-1]
++    - d/p/wscript-remove-all-checks-for-_FUNC-and-__FUNC.patch
++      [Dropped in 2:4.12.3+dfsg-1]
++    - d/p/wscript-split-function-check-to-one-per-line-and-sor.patch
++      [Dropped in 2:4.12.3+dfsg-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 31 Jul 2020 11:07:47 -0300
++
  samba (2:4.12.5+dfsg-3) unstable; urgency=high
    * Add Breaks: sssd-ad-common (<< 2.3.0), due to libndr so bump
@@ -1510,6 +2483,131 @@ samba (2:4.12.3+dfsg-1) experimental; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Wed, 24 Jun 2020 23:12:11 +0200
++samba (2:4.12.2+dfsg-0ubuntu1) groovy; urgency=medium
++
++  * New upstream version: 4.12.2
++  * d/gbp.conf, d/watch, d/README.source: update for 4.12
++  * d/control: bump build-depends:
++    - ldb: 2.1.2
++    - tevent: 0.10.2
++    - tdb: 1.4.3
++    - talloc: 2.3.1
++  * d/smbclient.install: add new binary mdfind and its manpage
++  * d/samba-dev.install, d/samba-libs.install: new lib libdcerpc-server-core
++  * d/samba-libs.install: new library libtalloc-report-printf
++  * d/libwbclient0.install: remove libaesni, no longer built when
++    gnutls provides AES CMAC
++  * d/libsmbclient.symbols, d/libwbclient0.symbols: update symbols
++  * d/control: add a versioned libgnutls28-dev build-depends to reduce
++    the amount of in-tree crypto code that is built
++  * Dropped (applied upstream):
++    - d/p/build-Remove-tests-for-getdents-and-getdirentries.patch
++    - d/p/wscript-remove-all-checks-for-_FUNC-and-__FUNC.patch
++    - d/p/wscript-split-function-check-to-one-per-line-and-sor.patch
++    - d/p/CVE-2020-10700*.patch, d/p/CVE-2020-10704*.patch
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 12 May 2020 10:42:17 -0300
++
++samba (2:4.11.6+dfsg-0ubuntu1.1) focal-security; urgency=medium
++
++  * SECURITY UPDATE: Use-after-free in AD DC LDAP server
++    - debian/patches/CVE-2020-10700-1.patch: add test for ASQ and ASQ in
++      combination with paged_results in selftest/knownfail.d/asq,
++      source4/dsdb/tests/python/asq.py, source4/selftest/tests.py.
++    - debian/patches/CVE-2020-10700-3.patch: do not permit the ASQ control
++      for the GUID search in paged_results in selftest/knownfail.d/asq,
++      source4/dsdb/samdb/ldb_modules/paged_results.c.
++    - debian/control: bump libldb-dev, python3-ldb, and python3-ldb-dev
++      Build-Depends to 2.0.10.
++    - CVE-2020-10700
++  * SECURITY UPDATE: Stack overflow in AD DC LDAP server
++    - debian/patches/CVE-2020-10704-1.patch: add ASN.1 max tree depth in
++      auth/gensec/gensec_util.c, lib/util/asn1.c, lib/util/asn1.h,
++      lib/util/tests/asn1_tests.c, libcli/auth/spnego_parse.c,
++      libcli/cldap/cldap.c, libcli/ldap/ldap_message.c,
++      source3/lib/tldap.c, source3/lib/tldap_util.c,
++      source3/libsmb/clispnego.c, source3/torture/torture.c,
++      source4/auth/gensec/gensec_krb5.c, source4/ldap_server/ldap_server.c,
++      source4/libcli/ldap/ldap_client.c,
++      source4/libcli/ldap/ldap_controls.c.
++    - debian/patches/CVE-2020-10704-3.patch: check parse tree depth in
++      lib/util/asn1.c.
++    - debian/patches/CVE-2020-10704-5.patch: add max ldap request sizes in
++      docs-xml/smbdotconf/ldap/ldapmaxanonrequest.xml,
++      docs-xml/smbdotconf/ldap/ldapmaxauthrequest.xml,
++      lib/param/loadparm.c, source3/param/loadparm.c.
++    - debian/patches/CVE-2020-10704-6.patch: limit request sizes in
++      source4/ldap_server/ldap_server.c.
++    - debian/patches/CVE-2020-10704-7.patch: add search size limits to
++      ldap_decode in docs-xml/smbdotconf/ldap/ldapmaxsearchrequest.xml,
++      lib/param/loadparm.c, libcli/cldap/cldap.c,
++      libcli/ldap/ldap_message.c, libcli/ldap/ldap_message.h,
++      source3/param/loadparm.c, source4/ldap_server/ldap_server.c,
++      source4/libcli/ldap/ldap_client.c.
++    - debian/patches/CVE-2020-10704-8.patch: check search request lengths
++      in lib/util/asn1.c, lib/util/asn1.h, libcli/ldap/ldap_message.c.
++    - CVE-2020-10704
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 24 Apr 2020 08:08:38 -0400
++
++samba (2:4.11.6+dfsg-0ubuntu1) focal; urgency=medium
++
++  * New upstream release: 4.11.6
++  * d/p/samba-tool-py38-*.patch: dropped, fixed upstream
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 26 Feb 2020 11:55:16 -0300
++
++samba (2:4.11.5+dfsg-1ubuntu2) focal; urgency=medium
++
++  * d/p/samba-tool-py38-*.patch: use correct method flags (LP: #1864324)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Sat, 22 Feb 2020 17:22:21 -0300
++
++samba (2:4.11.5+dfsg-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
++      change nfs service name from nfs to nfs-kernel-server
++      (LP #722201)
++    - d/p/ctdb-config-enable-syslog-by-default.patch:
++      enable syslog and systemd journal by default
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + drop ceph support
++      + disable the following binary packages:
++        - ctdb
++        - libnss-winbind
++        - libpam-winbind
++        - python3-samba
++        - samba
++        - samba-common-bin
++        - samba-testsuite
++        - winbind
++    - debian/control: Ubuntu i386 binary compatibility:
++      + drop ceph support
++    - debian/rules: Ubuntu i386 binary compatibility:
++      + re-enable the following binary packages:
++        - libnss-winbind
++        - samba-common-bin
++        - python3-samba
++        - winbind
++  * Dropped:
++    - d/control: drop python3-matplotlib. It's only used in
++      script/attr_count_read which is not installed with the
++      samba packages.
++      [In 2:4.11.3+dfsg-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 17 Feb 2020 15:29:35 -0300
++
  samba (2:4.11.5+dfsg-1) unstable; urgency=medium
    * New upstream security release
@@ -1537,6 +2635,161 @@ samba (2:4.11.3+dfsg-1) unstable; urgency=high
   -- Mathieu Parent <sathieu@debian.org>  Mon, 16 Dec 2019 09:47:45 +0100
++samba (2:4.11.1+dfsg-3ubuntu4) focal; urgency=medium
++
++   * Ubuntu i386 binary compatibility effort: (LP: #1861316)
++    - debian/rules:
++        + re-enable the following binary packages generation:
++          - libnss-winbind
++          - samba-common-bin
++          - python3-samba
++          - winbind
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Thu, 06 Feb 2020 14:42:38 +0000
++
++samba (2:4.11.1+dfsg-3ubuntu3) focal; urgency=medium
++
++  * No-change rebuild to build with python3.8.
++
++ -- Matthias Klose <doko@ubuntu.com>  Sat, 25 Jan 2020 06:06:11 +0000
++
++samba (2:4.11.1+dfsg-3ubuntu2) focal; urgency=medium
++
++  * Ubuntu i386 binary compatibility effort: (LP: #1858479)
++    - debian/control:
++        + drop ceph support
++    - debian/rules:
++        + drop ceph support
++        + disable the following binary packages generation:
++          - ctdb
++          - libnss-winbind
++          - libpam-winbind
++          - python3-samba
++          - samba
++          - samba-common-bin
++          - samba-testsuite
++          - winbind
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Thu, 09 Jan 2020 00:40:31 +0000
++
++samba (2:4.11.1+dfsg-3ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
++      change nfs service name from nfs to nfs-kernel-server
++      (LP #722201)
++      [Adopted the Debian version and added a couple of extra hunks
++      we had]
++    - d/p/ctdb-config-enable-syslog-by-default.patch:
++      enable syslog and systemd journal by default
++  * Dropped:
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++      [In 2:4.9.4+dfsg-2]
++    - Removed patches already applied upstream:
++      + d/p/nsswitch-Add-try_authtok-option-to-pam_winbind.patch
++        [Removed in 2:4.10.7+dfsg-1]
++      + d/p/s3-auth-ignore-create_builtin_guests-failing-without.patch
++        [Removed in 4.9.5+dfsg-1]
++    - d/p/add-so-version-to-private-libraries: refreshed to remove fuzz
++      [Refreshed in 2:4.1.17+dfsg-1]
++    - d/control: Updated build dependencies (already updated in Debian):
++      + tdb >= 1.3.17
++      + talloc >= 2.1.15
++      + tevent >= 0.9.38
++      + ldb >= 1.5.3
++    - d/samba-common.docs: README is now README.md
++      [In 2:4.10.7+dfsg-1]
++    - d/libsmbclient.symbols: update symbols for this version
++    - d/libwbclient0.symbols: update symbols for this version
++    - d/ctdb.install: new binary ctdb_local_daemons
++      [In 2:4.10.7+dfsg-1]
++    - d/samba-dev.install: use globbing for the header files with
++      exceptions for wbclient.h and libsmbclient.h, which belong in
++      other packages.
++      [In 2:4.10.7+dfsg-1]
++    - d/rules: fix globbing used to move the dckeytab python module to the
++      samba package, and add a comment explaining why this is being done.
++      [In 2:4.10.7+dfsg-1]
++    - Switch to python3 (in 2:4.10.7+dfsg-1):
++      + d/rules: calculate the ldb version using python3, and drop the
++        "really" bit since the real 1.5.x series is being used now.
++      + d/rules: make sure python3 is used for the build
++      + d/rules: adjust globbing to remove the python3 version of tevent.so
++      + d/rules: drop PYVERS, unused
++      + d/control: adjust dependencies (build and runtime) for python3
++      + d/python3-samba.install, d/control: new python3-samba package
++        (LP #1440381)
++      + d/control, d/python-samba.install: get rid of python-samba, which is py2
++      + d/python3-samba.lintian-overrides: use the same overrides we had for
++        python-samba, now deleted.
++      + d/samba-dev.install, d/samba-libs.install: update file list
++      + d/t/control, d/t/python-smoke: use python3
++      + d/control: use ${python3:Depends} now instead of the python 2
++        counterpart for samba and samba-common-bin.
++    - d/control: drop suggests for python-gpgme, it's no longer available.
++      [In 2:4.10.7+dfsg-1]
++    - d/gbp.conf, d/watch, r/README.source: updated for 4.10
++      [In 2:4.10.7+dfsg-1]
++    - d/control: update cmocka build-depends to >= 1.1.3
++      [In 2:4.10.7+dfsg-1]
++    - d/samba-libs.install: bump passdb minor to 0.27.2
++      [In 2:4.10.7+dfsg-1]
++    - d/ctdb.install, d/rules: create ctdb run directory into tmpfiles.d
++      to allow pid file to exist (LP #1821775)
++      [In 2:4.10.7+dfsg-1]
++    - Allow proper ctdb initalization (LP #1828799):
++      + d/ctdb.dirs: added /var/lib/ctdb/* directories
++      + d/ctdb.postrm: remove leftovers from:
++        /var/lib/ctdb/{state,persistent,volatile,scripts}
++      [In 2:4.10.7+dfsg-1]
++    - d/rules: installing provided config examples and helper scripts
++    - Examples of NFS HA CTDB config files + helper script:
++      + d/ctdb.example.enable.nfs.sh
++      + d/ctdb.example.nfs-common
++      + d/ctdb.example.nfs-kernel-server
++      + d/ctdb.example.services
++      + d/ctdb.example.sysctl-nfs-static-ports.conf
++      [In 2:4.10.7+dfsg-1]
++    - debian/rules: Make DEB_HOST_ARCH_CPU initialized through
++      dpkg-architecture (Closes: #931138)
++      [In 2:4.10.7+dfsg-1]
++    - d/control: update ldb build-deps to 1.5.5
++      [In 2:4.10.7+dfsg-1]
++    - SECURITY UPDATE: restricted share escape by user (LP #1842533)
++      [fixed upstream in 4.11.0rc2]
++      + debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
++        out impersonation debug info into a new function.
++      + debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
++        change_to_user_internal() always resets current_user.done_chdir
++      + debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
++        reset current_user.{need,done}_chdir in become_root()
++      + debian/patches/CVE-2019-10197-04-v4-10.patch: selftest: make
++        fsrvp_share its own independent subdirectory
++      + debian/patches/CVE-2019-10197-05-v4-10.patch:
++        test_smbclient_s3.sh: add regression test for the no permission
++        on share root problem
++      + debian/patches/CVE-2019-10197-06-v4-10.patch: smbd: split
++        change_to_user_impersonate() out of change_to_user_internal()
++      + CVE-2019-10197
++  * Added:
++    - d/control: drop python3-matplotlib. It's only used in
++      script/attr_count_read which is not installed with the
++      samba packages.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 29 Nov 2019 18:00:22 -0300
++
  samba (2:4.11.1+dfsg-3) unstable; urgency=medium
    * Add some python dependencies:
@@ -1745,6 +2998,209 @@ samba (2:4.10.7+dfsg-1) experimental; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Thu, 29 Aug 2019 14:32:52 +0200
++samba (2:4.10.7+dfsg-0ubuntu3) focal; urgency=medium
++
++  * No-change rebuild to build with python3.8.
++
++ -- Matthias Klose <doko@ubuntu.com>  Fri, 18 Oct 2019 18:53:34 +0000
++
++samba (2:4.10.7+dfsg-0ubuntu2) eoan; urgency=medium
++
++  * SECURITY UPDATE: restricted share escape by user (LP: #1842533)
++    - debian/patches/CVE-2019-10197-01-v4-10.patch: smbd: separate
++      out impersonation debug info into a new function.
++    - debian/patches/CVE-2019-10197-02-v4-10.patch: smbd: make sure that
++      change_to_user_internal() always resets current_user.done_chdir
++    - debian/patches/CVE-2019-10197-03-v4-10.patch: smbd: make sure we
++      reset current_user.{need,done}_chdir in become_root()
++    - debian/patches/CVE-2019-10197-04-v4-10.patch: selftest: make
++      fsrvp_share its own independent subdirectory
++    - debian/patches/CVE-2019-10197-05-v4-10.patch:
++      test_smbclient_s3.sh: add regression test for the no permission
++      on share root problem
++    - debian/patches/CVE-2019-10197-06-v4-10.patch: smbd: split
++      change_to_user_impersonate() out of change_to_user_internal()
++    - CVE-2019-10197
++
++ -- Steve Beattie <sbeattie@ubuntu.com>  Fri, 30 Aug 2019 11:07:19 -0700
++
++samba (2:4.10.7+dfsg-0ubuntu1) eoan; urgency=medium
++
++  * New upstream version: 4.10.7
++    - d/p/ctdb-config-depend-on-etc-default-nodes-file.patch: dropped,
++      included upstream in 4.10.7
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 22 Aug 2019 15:03:23 -0300
++
++samba (2:4.10.6+dfsg-0ubuntu1) eoan; urgency=medium
++
++  * New upstream version: 4.10.6
++    - d/p/fix-nfs-service-name-to-nfs-kernel-server.patch: changed to update
++      the Debian config and use it.
++    - d/control: update ldb build-deps to 1.5.5
++  * Dropped:
++    - d/p/CVE-2019-12436.patch: fixed upstream in 4.10.5
++    - d/p/CVE-2019-12435-*.patch: fixed upstream in 4.10.5
++    - d/p/CVE-2018-16860-*.patch: fixed upstream in 4.10.3
++    - d/p/CVE-2019-3880.patch: fixed upstream in 4.10.2
++    - d/p/CVE-2019-3870-*.patch: fixed upstream in 4.10.2
++    - d/p/dlz_bind_zone_update.patch: fixed upstream in 4.10.1
++    - d/p/ctdb-scripts-fix-tcp_tw_recycle-existence-check.patch: fixed
++      upstream in 4.10.5
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 07 Aug 2019 17:20:48 -0300
++
++samba (2:4.10.0+dfsg-0ubuntu6) eoan; urgency=medium
++
++  * d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
++    change service name from nfs to nfs-kernel-server in
++    legacy script 06.nfs.script also (LP: #722201)
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Thu, 11 Jul 2019 21:44:49 +0000
++
++samba (2:4.10.0+dfsg-0ubuntu5) eoan; urgency=medium
++
++  * debian/rules: Make DEB_HOST_ARCH_CPU initialized through
++    dpkg-architecture (Closes: #931138)
++  * d/p/ctdb-scripts-fix-tcp_tw_recycle-existence-check.patch:
++    fix tcp_tw_recycle existence check. (LP: #722201)
++  * d/p/fix-nfs-service-name-to-nfs-kernel-server.patch:
++    change nfs service name from nfs to nfs-kernel-server
++    (LP: #722201)
++  * d/ctdb.install, d/rules: create ctdb run directory into tmpfiles.d
++    to allow pid file to exist (LP: #1821775)
++  * Allow proper ctdb initialization (LP: #1828799):
++    - d/ctdb.dirs: added /var/lib/ctdb/* directories
++    - d/ctdb.postrm: remove leftovers from:
++      /var/lib/ctdb/{state,persistent,volatile,scripts}
++  * d/rules: installing provided config examples and helper scripts
++  * Examples of NFS HA CTDB config files + helper script:
++    - d/ctdb.example.enable.nfs.sh
++    - d/ctdb.example.nfs-common
++    - d/ctdb.example.nfs-kernel-server
++    - d/ctdb.example.services
++    - d/ctdb.example.sysctl-nfs-static-ports.conf
++  * d/p/ctdb-config-depend-on-etc-default-nodes-file.patch:
++    do not try to start daemon if /etc/ctdb/nodes does not exist
++  * d/p/ctdb-config-enable-syslog-by-default.patch:
++    enable syslog and systemd journal by default
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Fri, 28 Jun 2019 00:14:27 +0000
++
++samba (2:4.10.0+dfsg-0ubuntu4) eoan; urgency=medium
++
++  * SECURITY UPDATE: zone operations can crash rpc server
++    - debian/patches/CVE-2019-12435-1.patch: avoid NULL deference if zone
++      not found in DnssrvOperation in
++      python/samba/tests/dcerpc/dnsserver.py,
++      source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
++    - debian/patches/CVE-2019-12435-2.patch: avoid NULL deference if zone
++      not found in DnssrvOperation2 in
++      python/samba/tests/dcerpc/dnsserver.py,
++      source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
++    - CVE-2019-12435
++  * SECURITY UPDATE: paged_searches crash on LDAP and homes access
++    - debian/patches/CVE-2019-12436.patch: ignore successful results
++      without messages in source4/dsdb/samdb/ldb_modules/paged_results.c,
++      source4/dsdb/tests/python/vlv.py.
++    - CVE-2019-12436
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 12 Jun 2019 10:08:44 -0400
++
++samba (2:4.10.0+dfsg-0ubuntu3) eoan; urgency=medium
++
++  * SECURITY UPDATE: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
++    - debian/patches/CVE-2018-16860-1.patch: add test for S4U2Self with
++      unkeyed checksum in selftest/knownfail.d/mitm-s4u2self,
++      source4/torture/krb5/kdc-canon-heimdal.c.
++    - debian/patches/CVE-2018-16860-2.patch: reject PA-S4U2Self with
++      unkeyed checksum in selftest/knownfail.d/mitm-s4u2self,
++      source4/heimdal/kdc/krb5tgs.c.
++    - CVE-2018-16860
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 14 May 2019 09:10:24 -0400
++
++samba (2:4.10.0+dfsg-0ubuntu2) disco; urgency=medium
++
++  * SECURITY UPDATE: world writable files in Samba AD DC private/ dir
++    - debian/patches/CVE-2019-3870-1.patch: extend smbd tests to check for
++      umask being overwritten in python/samba/tests/ntacls_backup.py,
++      python/samba/tests/posixacl.py, python/samba/tests/smbd_base.py,
++      selftest/knownfail.d/umask-leak.
++    - debian/patches/CVE-2019-3870-2.patch: add test to check
++      file-permissions are correct after provision in
++      selftest/knownfail.d/provision_fileperms, source4/selftest/tests.py,
++      source4/setup/tests/provision_fileperms.sh.
++    - debian/patches/CVE-2019-3870-3.patch: include tests to show the
++      outside umask has no impact in python/samba/tests/ntacls_backup.py,
++      python/samba/tests/smbd_base.py, selftest/knownfail.d/pymkdir-umask.
++    - debian/patches/CVE-2019-3870-4.patch: move umask manipuations as
++      close as possible to users in source3/smbd/pysmbd.c,
++      selftest/knownfail.d/provision_fileperms,
++      selftest/knownfail.d/umask-leak.
++    - debian/patches/CVE-2019-3870-5.patch: ensure a zero umask is set for
++      smbd.mkdir() in selftest/knownfail.d/pymkdir-umask,
++      source3/smbd/pysmbd.c.
++    - CVE-2019-3870
++  * SECURITY UPDATE: save registry file outside share as unprivileged user
++    - debian/patches/CVE-2019-3880.patch: remove implementations of
++      SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
++    - CVE-2019-3880
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 08 Apr 2019 10:32:30 -0400
++
++samba (2:4.10.0+dfsg-0ubuntu1) disco; urgency=medium
++
++  * New upstream version: 4.10.0
++    - d/gbp.conf, d/watch, r/README.source: updated for 4.10
++    - d/control: update cmocka build-depends to >= 1.1.3
++    - d/samba-libs.install: bump passdb minor to 0.27.2
++  * d/p/dlz_bind_zone_update.patch: make b9_has_soa check dc=@ node. Thanks to
++    Michael Saxl <mike@mwsys.mine.bz>. (LP: #1820846)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 21 Mar 2019 14:40:32 -0300
++
++samba (2:4.10.0~rc4+dfsg-0ubuntu1) disco; urgency=medium
++
++  * New upstream version 4.10.0rc4 (LP: #1818518):
++    - Removed patches already applied upstream:
++      + d/p/nsswitch-Add-try_authtok-option-to-pam_winbind.patch
++      + d/p/s3-auth-ignore-create_builtin_guests-failing-without.patch
++    - d/p/add-so-version-to-private-libraries: refreshed to remove fuzz
++    - d/control: Updated build dependencies:
++      + tdb >= 1.3.17
++      + talloc >= 2.1.15
++      + tevent >= 0.9.38
++      + ldb >= 1.5.3
++    - d/samba-common.docs: README is now README.md
++    - d/libsmbclient.symbols: update symbols for this version
++    - d/libwbclient0.symbols: update symbols for this version
++    - d/ctdb.install: new binary ctdb_local_daemons
++    - d/samba-dev.install: use globbing for the header files with
++      exceptions for wbclient.h and libsmbclient.h, which belong in
++     other packages.
++    - d/rules: fix globbing used to move the dckeytab python module to the
++      samba package, and add a comment explaining why this is being done.
++  * Switch to python3:
++    - d/rules: calculate the ldb version using python3, and drop the
++      "really" bit since the real 1.5.x series is being used now.
++    - d/rules: make sure python3 is used for the build
++    - d/rules: adjust globbing to remove the python3 version of tevent.so
++    - d/rules: drop PYVERS, unused
++    - d/control: adjust dependencies (build and runtime) for python3
++    - d/python3-samba.install, d/control: new python3-samba package
++      (LP: #1440381)
++    - d/control, d/python-samba.install: get rid of python-samba, which is py2
++    - d/python3-samba.lintian-overrides: use the same overrides we had for
++      python-samba, now deleted.
++    - d/samba-dev.install, d/samba-libs.install: update file list
++    - d/t/control, d/t/python-smoke: use python3
++    - d/control: use ${python3:Depends} now instead of the python 2
++      counterpart for samba and samba-common-bin.
++  * d/control: drop suggests for python-gpgme, it's no longer available.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Sat, 09 Mar 2019 12:45:25 +0000
++
  samba (2:4.9.5+dfsg-1) experimental; urgency=medium
    * New upstream release
@@ -1789,6 +3245,31 @@ samba (2:4.9.4+dfsg-2) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Wed, 23 Jan 2019 20:59:08 +0100
++samba (2:4.9.4+dfsg-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++  * Dropped:
++    - d/p/smbd-startup-with-winbind.patch: ignore create_builtin_guests()
++      failing without a valid idmap configuration. This fixes the smbd startup
++      on a standalone server where winbind is available and running. Thanks to
++      Stefan Metzmacher <metze@samba.org>. (LP #1806035)
++      [Fixed in 2:4.9.4+dfsg-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 17 Jan 2019 18:23:52 -0200
++
  samba (2:4.9.4+dfsg-1) unstable; urgency=medium
    * New upstream release
@@ -1799,6 +3280,44 @@ samba (2:4.9.4+dfsg-1) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Sat, 22 Dec 2018 18:32:00 +0100
++samba (2:4.9.2+dfsg-2ubuntu3) disco; urgency=medium
++
++  * No-change rebuild for readline soname change.
++
++ -- Matthias Klose <doko@ubuntu.com>  Mon, 14 Jan 2019 20:03:58 +0000
++
++samba (2:4.9.2+dfsg-2ubuntu2) disco; urgency=medium
++
++  * d/p/smbd-startup-with-winbind.patch: ignore create_builtin_guests()
++    failing without a valid idmap configuration. This fixes the smbd startup
++    on a standalone server where winbind is available and running. Thanks to
++    Stefan Metzmacher <metze@samba.org>. (LP: #1806035)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 21 Dec 2018 10:39:23 -0200
++
++samba (2:4.9.2+dfsg-2ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++  * Dropped:
++    - d/p/fix-rmdir.patch: Fix to make smbclient report directory-not-empty
++      errors (LP: 1795772)
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 28 Nov 2018 20:06:47 -0200
++
  samba (2:4.9.2+dfsg-2) unstable; urgency=high
    * New upstream security release
@@ -1908,6 +3427,58 @@ samba (2:4.8.5+dfsg-1) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Thu, 30 Aug 2018 19:32:24 +0200
++samba (2:4.8.4+dfsg-2ubuntu3) disco; urgency=medium
++
++  * No-change rebuild against libldb1 1.4.2
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 14 Nov 2018 22:46:24 +0000
++
++samba (2:4.8.4+dfsg-2ubuntu2) cosmic; urgency=high
++
++  [ Karl Stenerud ]
++  * d/p/fix-rmdir.patch: Fix to make the samba client library report
++    directory-not-empty errors (LP: #1795772)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 09 Oct 2018 14:32:16 -0300
++
++samba (2:4.8.4+dfsg-2ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1778125). Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++  * Drop:
++    - Add extra DEP8 tests to samba (LP #1696823):
++      + d/t/control, d/t/cifs-share-access: access a file in a share using cifs
++      + d/t/control, d/t/smbclient-anonymous-share-list: list available shares
++        anonymously
++      + d/t/control, d/t/smbclient-authenticated-share-list: list available
++        shares using an authenticated connection
++      + d/t/control, d/t/smbclient-share-access: create a share and download a
++        file from it
++      [Accepted by Debian in 2:4.7.4+dfsg-2]
++    - d/samba-common.dhcp: If systemctl is available, use it to query the
++      status of the smbd service before trying to reload it. Otherwise,
++      keep the same check as before and reload the service based on the
++      existence of the initscript. (LP #1579597)
++      [In Debian since 2:4.7.4+dfsg-2]
++    - debian/patches/passdb_dont_return_ok_if_pinfo_not_filled.patch:
++      [PATCH] s3:passdb: Do not return OK if we don't have pinfo filled.
++      Thanks to Andreas Schneider <asn@samba.org>. (LP #1761737)
++      [Fixed upstream]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 21 Aug 2018 09:57:57 -0300
++
  samba (2:4.8.4+dfsg-2) unstable; urgency=high
    * Fix typo in previous release: s/usefull/useful/
@@ -2065,6 +3636,55 @@ samba (2:4.8.0+dfsg-1) experimental; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Mon, 19 Mar 2018 13:02:51 +0100
++samba (2:4.7.6+dfsg~ubuntu-0ubuntu3) cosmic; urgency=medium
++
++  * No change rebuild to link with new ldb 1.3.3
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 03 Jul 2018 09:57:24 -0300
++
++samba (2:4.7.6+dfsg~ubuntu-0ubuntu2) bionic; urgency=medium
++
++  * debian/patches/passdb_dont_return_ok_if_pinfo_not_filled.patch:
++    [PATCH] s3:passdb: Do not return OK if we don't have pinfo filled.
++    Thanks to Andreas Schneider <asn@samba.org>. (LP: #1761737)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 18 Apr 2018 11:49:55 -0300
++
++samba (2:4.7.6+dfsg~ubuntu-0ubuntu1) bionic; urgency=medium
++
++  * New upstream version:
++    - Fix database corruption bug when upgrading from samba 4.6 or lower
++      AD controllers (LP: #1755057)
++    - Fix security issues: CVE-2018-1050 and CVE-2018-1057 (LP: #1755059)
++  * Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - Add extra DEP8 tests to samba (LP #1696823):
++      + d/t/control, d/t/cifs-share-access: access a file in a share using cifs
++      + d/t/control, d/t/smbclient-anonymous-share-list: list available shares
++        anonymously
++      + d/t/control, d/t/smbclient-authenticated-share-list: list available
++        shares using an authenticated connection
++      + d/t/control, d/t/smbclient-share-access: create a share and download a
++        file from it
++    - d/samba-common.dhcp: If systemctl is available, use it to query the
++      status of the smbd service before trying to reload it. Otherwise,
++      keep the same check as before and reload the service based on the
++      existence of the initscript. (LP #1579597)
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 13 Mar 2018 16:58:49 -0300
++
  samba (2:4.7.4+dfsg-2) unstable; urgency=high
    [ Mathieu Parent ]
@@ -2095,6 +3715,37 @@ samba (2:4.7.4+dfsg-2) unstable; urgency=high
   -- Mathieu Parent <sathieu@debian.org>  Fri, 02 Mar 2018 20:55:06 +0100
++samba (2:4.7.4+dfsg-1ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1744779). Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - Add extra DEP8 tests to samba (LP #1696823):
++      + d/t/control, d/t/cifs-share-access: access a file in a share using cifs
++      + d/t/control, d/t/smbclient-anonymous-share-list: list available shares
++        anonymously
++      + d/t/control, d/t/smbclient-authenticated-share-list: list available
++        shares using an authenticated connection
++      + d/t/control, d/t/smbclient-share-access: create a share and download a
++        file from it
++    - d/samba-common.dhcp: If systemctl is available, use it to query the
++      status of the smbd service before trying to reload it. Otherwise,
++      keep the same check as before and reload the service based on the
++      existence of the initscript. (LP #1579597)
++    - d/control, d/rules: Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 22 Jan 2018 16:31:41 -0200
++
  samba (2:4.7.4+dfsg-1) unstable; urgency=medium
    * New upstream version
@@ -2111,6 +3762,42 @@ samba (2:4.7.4+dfsg-1) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Thu, 11 Jan 2018 20:49:28 +0100
++samba (2:4.7.3+dfsg-1ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian; remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - Add extra DEP8 tests to samba (LP #1696823):
++      + d/t/control: enable the new DEP8 tests
++      + d/t/smbclient-anonymous-share-list: list available shares anonymously
++      + d/t/smbclient-authenticated-share-list: list available shares using
++        an authenticated connection
++      + d/t/smbclient-share-access: create a share and download a file from it
++      + d/t/cifs-share-access: access a file in a share using cifs
++    - Ask the user if we can run testparm against the config file. If yes,
++      include its stderr and exit status in the bug report. Otherwise, only
++      include the exit status. (LP #1694334)
++    - If systemctl is available, use it to query the status of the smbd
++      service before trying to reload it. Otherwise, keep the same check
++      as before and reload the service based on the existence of the
++      initscript. (LP #1579597)
++    - d/rules: Compile winbindd/winbindd statically.
++    - Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++    - d/source_samba.py: use the new recommended findmnt(8) tool to list
++      mountpoints and correctly filter by the cifs filesystem type.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 05 Dec 2017 12:49:20 -0500
++
  samba (2:4.7.3+dfsg-1) unstable; urgency=high
    * New upstream version
@@ -2134,6 +3821,42 @@ samba (2:4.7.1+dfsg-2) unstable; urgency=high
   -- Mathieu Parent <sathieu@debian.org>  Sun, 12 Nov 2017 10:02:19 +0100
++samba (2:4.7.1+dfsg-1ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian; remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - Add extra DEP8 tests to samba (LP #1696823):
++      + d/t/control: enable the new DEP8 tests
++      + d/t/smbclient-anonymous-share-list: list available shares anonymously
++      + d/t/smbclient-authenticated-share-list: list available shares using
++        an authenticated connection
++      + d/t/smbclient-share-access: create a share and download a file from it
++      + d/t/cifs-share-access: access a file in a share using cifs
++    - Ask the user if we can run testparm against the config file. If yes,
++      include its stderr and exit status in the bug report. Otherwise, only
++      include the exit status. (LP #1694334)
++    - If systemctl is available, use it to query the status of the smbd
++      service before trying to reload it. Otherwise, keep the same check
++      as before and reload the service based on the existence of the
++      initscript. (LP #1579597)
++    - d/rules: Compile winbindd/winbindd statically.
++    - Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++    - d/source_samba.py: use the new recommended findmnt(8) tool to list
++      mountpoints and correctly filter by the cifs filesystem type.
++
++ -- Matthias Klose <doko@ubuntu.com>  Fri, 10 Nov 2017 10:03:57 +0100
++
  samba (2:4.7.1+dfsg-1) unstable; urgency=medium
    * New upstream version
@@ -2182,6 +3905,87 @@ samba (2:4.6.7+dfsg-2) unstable; urgency=high
   -- Mathieu Parent <sathieu@debian.org>  Tue, 19 Sep 2017 22:00:13 +0200
++samba (2:4.6.7+dfsg-1ubuntu3) artful; urgency=medium
++
++  * SECURITY UPDATE: SMB1/2/3 connections may not require signing where
++    they should
++    - debian/patches/CVE-2017-12150-1.patch: don't turn a guessed username
++      into a specified one in source3/include/auth_info.h,
++      source3/lib/popt_common.c, source3/lib/util_cmdline.c.
++    - debian/patches/CVE-2017-12150-2.patch: add SMB_SIGNING_REQUIRED to
++      source3/lib/util_cmdline.c.
++    - debian/patches/CVE-2017-12150-3.patch: add SMB_SIGNING_REQUIRED to
++      source3/libsmb/pylibsmb.c.
++    - debian/patches/CVE-2017-12150-4.patch: add SMB_SIGNING_REQUIRED to
++      libgpo/gpo_fetch.c.
++    - debian/patches/CVE-2017-12150-5.patch: add check for
++      NTLM_CCACHE/SIGN/SEAL to auth/credentials/credentials.c.
++    - debian/patches/CVE-2017-12150-6.patch: add
++      smbXcli_conn_signing_mandatory() to libcli/smb/smbXcli_base.*.
++    - debian/patches/CVE-2017-12150-7.patch: only fallback to anonymous if
++      authentication was not requested in source3/libsmb/clidfs.c.
++    - CVE-2017-12150
++  * SECURITY UPDATE: SMB3 connections don't keep encryption across DFS
++    redirects
++    - debian/patches/CVE-2017-12151-1.patch: add
++      cli_state_is_encryption_on() helper function to
++      source3/libsmb/clientgen.c, source3/libsmb/proto.h.
++    - debian/patches/CVE-2017-12151-2.patch: make use of
++      cli_state_is_encryption_on() in source3/libsmb/clidfs.c,
++      source3/libsmb/libsmb_context.c.
++    - CVE-2017-12151
++  * SECURITY UPDATE: Server memory information leak over SMB1
++    - debian/patches/CVE-2017-12163.patch: prevent client short SMB1 write
++      from writing server memory to file in source3/smbd/reply.c.
++    - CVE-2017-12163
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 21 Sep 2017 08:10:03 -0400
++
++samba (2:4.6.7+dfsg-1ubuntu2) artful; urgency=medium
++
++  * d/source_samba.py: use the new recommended findmnt(8) tool to list
++    mountpoints and correctly filter by the cifs filesystem type.
++    (LP: #1703604)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 01 Sep 2017 09:47:58 -0300
++
++samba (2:4.6.7+dfsg-1ubuntu1) artful; urgency=medium
++
++  * Merge with Debian unstable (LP: #1710281).
++    - Upstream version 4.6.7 fixes the CVE-2017-2619 regression with non-wide
++      symlinks to directories (LP: #1701073)
++  * Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - Add extra DEP8 tests to samba (LP #1696823):
++      + d/t/control: enable the new DEP8 tests
++      + d/t/smbclient-anonymous-share-list: list available shares anonymously
++      + d/t/smbclient-authenticated-share-list: list available shares using
++        an authenticated connection
++      + d/t/smbclient-share-access: create a share and download a file from it
++      + d/t/cifs-share-access: access a file in a share using cifs
++    - Ask the user if we can run testparm against the config file. If yes,
++      include its stderr and exit status in the bug report. Otherwise, only
++      include the exit status. (LP #1694334)
++    - If systemctl is available, use it to query the status of the smbd
++      service before trying to reload it. Otherwise, keep the same check
++      as before and reload the service based on the existence of the
++      initscript. (LP #1579597)
++    - d/rules: Compile winbindd/winbindd statically.
++    - Disable glusterfs support because it's not in main.
++      MIR bug is https://launchpad.net/bugs/1274247
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 21 Aug 2017 17:27:08 -0300
++
  samba (2:4.6.7+dfsg-1) unstable; urgency=medium
    * New upstream version
@@ -2193,6 +3997,60 @@ samba (2:4.6.7+dfsg-1) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Tue, 15 Aug 2017 23:06:36 +0200
++samba (2:4.6.5+dfsg-8ubuntu1) artful; urgency=medium
++
++  * Merge with Debian unstable (LP: #1700644). Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - Add extra DEP8 tests to samba (LP #1696823):
++      + d/t/control: enable the new DEP8 tests
++      + d/t/smbclient-anonymous-share-list: list available shares anonymously
++      + d/t/smbclient-authenticated-share-list: list available shares using
++        an authenticated connection
++      + d/t/smbclient-share-access: create a share and download a file from it
++      + d/t/cifs-share-access: access a file in a share using cifs
++    - Ask the user if we can run testparm against the config file. If yes,
++      include its stderr and exit status in the bug report. Otherwise, only
++      include the exit status. (LP #1694334)
++    - If systemctl is available, use it to query the status of the smbd
++      service before trying to reload it. Otherwise, keep the same check
++      as before and reload the service based on the existence of the
++      initscript. (LP #1579597)
++  * Drop:
++    - d/rules: Compile winbindd/winbindd statically. (LP: #1700527)
++      [This hunk was missed in 2:4.5.8+dfsg-2ubuntu2 when patch
++      fix-1584485.patch was dropped there.]
++    - d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++      pam_winbind krb5_ccache_type=FILE failure
++      [Replaced by d/p/s3-gse_krb5-fix-a-possible-crash-in-fill_mem_keytab.patch
++      in 2:4.6.5+dfsg-3 that closed Debian's bug #739768]
++    - debian/patches/winbind_trusted_domains.patch: make sure domain
++      members can talk to trusted domains DCs.
++      [Upstream committed a different fix, see updated patch attached to
++      https://bugzilla.samba.org/show_bug.cgi?id=11830]
++    - d/control: add libcephfs-dev as b-d to build vfs_ceph
++      [Adopted by Debian in 2:4.6.5+dfsg-1]
++    - debian/patches/CVE-2017-11103.patch: use encrypted service
++      name rather than unencrypted (and therefore spoofable) version
++      in heimdal
++      [Adopted by Debian as
++      d/p/CVE-2017-11103-Orpheus-Lyre-KDC-REP-service-name-val.patch]
++    - Cherrypick upstream patch to fix FTBFS with new ceph lib.
++      [Merged upstream in 4.6.0rc1]
++  * Disable glusterfs support because it's not in main.
++    MIR bug is https://launchpad.net/bugs/1274247
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 10 Aug 2017 22:20:22 -0300
++
  samba (2:4.6.5+dfsg-8) unstable; urgency=medium
    * Remove dependency on update-inetd, not used anymore
@@ -2312,6 +4170,77 @@ samba (2:4.6.5+dfsg-1) experimental; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Mon, 12 Jun 2017 08:09:43 +0200
++samba (2:4.5.8+dfsg-2ubuntu5) artful; urgency=medium
++
++  * Cherrypick upstream patch to fix FTBFS with new ceph lib.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 26 Jul 2017 08:34:24 +0100
++
++samba (2:4.5.8+dfsg-2ubuntu4) artful; urgency=medium
++
++  * SECURITY UPDATE: KDC-REP service name impersonation
++    - debian/patches/CVE-2017-11103.patch: use encrypted service
++      name rather than unencrypted (and therefore spoofable) version
++      in heimdal
++    - CVE-2017-11103
++
++ -- Steve Beattie <sbeattie@ubuntu.com>  Mon, 17 Jul 2017 16:22:28 -0700
++
++samba (2:4.5.8+dfsg-2ubuntu3) artful; urgency=medium
++
++  * No-change rebuild against libldb 1.1.29
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 25 Jun 2017 16:09:33 -0700
++
++samba (2:4.5.8+dfsg-2ubuntu2) artful; urgency=medium
++
++  * Add extra DEP8 tests to samba (LP: #1696823):
++    - d/t/control: enable the new DEP8 tests
++    - d/t/smbclient-anonymous-share-list: list available shares anonymously
++    - d/t/smbclient-authenticated-share-list: list available shares using
++      an authenticated connection
++    - d/t/smbclient-share-access: create a share and download a file from it
++    - d/t/cifs-share-access: access a file in a share using cifs
++  * Ask the user if we can run testparm against the config file. If yes,
++    include its stderr and exit status in the bug report. Otherwise, only
++    include the exit status. (LP: #1694334)
++  * If systemctl is available, use it to query the status of the smbd
++    service before trying to reload it. Otherwise, keep the same check
++    as before and reload the service based on the existence of the
++    initscript. (LP: #1579597)
++  * Remove d/p/fix-1584485.patch as it builds a broken pam_winbind
++    module. There is a fixed version of that patch attached to
++    #1677329 but it has not been vetted yet, so for now it's best
++    to revert (again) so that pam_winbind can be used.
++    (LP: #1677329, LP: #1644428)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 19 Jun 2017 10:49:29 -0700
++
++samba (2:4.5.8+dfsg-2ubuntu1) artful; urgency=medium
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++    - debian/smb.conf;
++      + Add "(Samba, Ubuntu)" to server string.
++      + Comment out the default [homes] share, and add a comment about
++        "valid users = %s" to show users how to restrict access to
++        \\server\username to only username.
++    - debian/samba-common.config:
++      + Do not change priority to high if dhclient3 is installed.
++    - Add apport hook:
++      + Created debian/source_samba.py.
++      + debian/rules, debian/samba-common-bin.install: install hook.
++    - d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++      pam_winbind krb5_ccache_type=FILE failure
++    - debian/patches/winbind_trusted_domains.patch: make sure domain
++      members can talk to trusted domains DCs.
++    - d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
++      to be statically linked
++    - d/rules: Compile winbindd/winbindd statically.
++    - d/control: add libcephfs-dev as b-d to build vfs_ceph
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 15 Jun 2017 14:17:43 -0400
++
  samba (2:4.5.8+dfsg-2) unstable; urgency=high
    * CVE-2017-7494: rpc_server3: Refuse to open pipe names with / inside
@@ -2326,6 +4255,23 @@ samba (2:4.5.8+dfsg-1) unstable; urgency=high
   -- Mathieu Parent <sathieu@debian.org>  Sat, 01 Apr 2017 20:39:17 +0200
++samba (2:4.5.8+dfsg-0ubuntu1) artful; urgency=medium
++
++  * SECURITY UPDATE: remote code execution from a writable share
++    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
++      slash inside in source3/rpc_server/srv_pipe.c.
++    - CVE-2017-7494
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 24 May 2017 07:39:13 -0400
++
++samba (2:4.5.8+dfsg-0ubuntu0.17.04.1) zesty-security; urgency=medium
++
++  * SECURITY UPDATE: Symlink race allows access outside share definition
++    - Updated to new upstream release 4.5.8.
++    - CVE-2017-2619
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 21 Apr 2017 07:33:25 -0400
++
  samba (2:4.5.6+dfsg-2) unstable; urgency=high
    * This is a security release in order to address the following defects:
@@ -2355,6 +4301,61 @@ samba (2:4.5.5+dfsg-1) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Sun, 05 Mar 2017 23:21:09 +0100
++samba (2:4.5.4+dfsg-1ubuntu2) zesty; urgency=medium
++
++  * d/control: add libcephfs-dev as b-d to build vfs_ceph
++    (LP: #1668940).
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Mon, 06 Mar 2017 11:13:41 -0800
++
++samba (2:4.5.4+dfsg-1ubuntu1) zesty; urgency=medium
++
++  * Merge from Debian unstable (LP: #1659707, LP: #1639962). Remaining
++    changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    + debian/smb.conf;
++      - Add "(Samba, Ubuntu)" to server string.
++      - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++      pam_winbind krb5_ccache_type=FILE failure (LP #1310919)
++    + debian/patches/winbind_trusted_domains.patch: make sure domain members
++      can talk to trusted domains DCs.
++      [ update patch based upon upstream discussion ]
++    + d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
++      to be statically linked fixes LP #1584485.
++    + d/rules: Compile winbindd/winbindd statically.
++  * Drop:
++    - Delete debian/.gitignore
++    [ Previously undocumented ]
++    - debian/patches/git_smbclient_cpu.patch:
++      + backport upstream patch to fix smbclient users hanging/eating cpu on
++        trying to contact a machine which is not there (lp #1572260)
++    [ Fixed upstream ]
++    - SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
++      + debian/patches/CVE-2016-2123.patch: check lengths in
++        librpc/ndr/ndr_dnsp.c.
++      + CVE-2016-2123
++    [ Fixed in Debian ]
++    - SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
++      + debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
++        source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
++        source4/auth/gensec/gensec_gssapi.c.
++      + CVE-2016-2125
++    [ Fixed in Debian ]
++    - SECURITY UPDATE: privilege elevation in Kerberos PAC validation
++      + debian/patches/CVE-2016-2126.patch: only allow known checksum types
++        in auth/kerberos/kerberos_pac.c.
++      + CVE-2016-2126
++    [ Fixed in Debian ]
++
++ -- Nishanth Aravamudan <nish.aravamudan@canonical.com>  Thu, 26 Jan 2017 17:20:15 -0800
++
  samba (2:4.5.4+dfsg-1) unstable; urgency=medium
    [ Mathieu Parent ]
@@ -2482,6 +4483,77 @@ samba (2:4.4.5+dfsg-3) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Fri, 09 Sep 2016 13:00:54 +0200
++samba (2:4.4.5+dfsg-2ubuntu7) zesty; urgency=medium
++
++  * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
++    - debian/patches/CVE-2016-2123.patch: check lengths in
++      librpc/ndr/ndr_dnsp.c.
++    - CVE-2016-2123
++  * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
++    - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
++      source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
++      source4/auth/gensec/gensec_gssapi.c.
++    - CVE-2016-2125
++  * SECURITY UPDATE: privilege elevation in Kerberos PAC validation
++    - debian/patches/CVE-2016-2126.patch: only allow known checksum types
++      in auth/kerberos/kerberos_pac.c.
++    - CVE-2016-2126
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 20 Jan 2017 12:32:25 -0500
++
++samba (2:4.4.5+dfsg-2ubuntu6) zesty; urgency=high
++
++  * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
++    to be statically linked fixes LP: #1584485.
++
++  * d/rules: Compile winbindd/winbindd statically.
++
++ -- Jorge Niedbalski <jorge.niedbalski@canonical.com>  Wed, 02 Nov 2016 13:59:10 +0100
++
++samba (2:4.4.5+dfsg-2ubuntu5) yakkety; urgency=medium
++
++  * No-change rebuild for readline soname change.
++
++ -- Matthias Klose <doko@ubuntu.com>  Sun, 18 Sep 2016 10:26:52 +0000
++
++samba (2:4.4.5+dfsg-2ubuntu4) yakkety; urgency=medium
++
++  * No-change rebuild for readline soname change.
++
++ -- Matthias Klose <doko@ubuntu.com>  Sat, 17 Sep 2016 12:09:21 +0000
++
++samba (2:4.4.5+dfsg-2ubuntu3) yakkety; urgency=medium
++
++  * debian/patches/git_smbclient_cpu.patch:
++    - backport upstream patch to fix smbclient users hanging/eating cpu on
++      trying to contact a machine which is not there (lp: #1572260)
++
++ -- Sebastien Bacher <seb128@ubuntu.com>  Fri, 05 Aug 2016 17:32:43 +0200
++
++samba (2:4.4.5+dfsg-2ubuntu1) yakkety; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    + debian/smb.conf;
++      - Add "(Samba, Ubuntu)" to server string.
++      - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++      pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
++    + debian/patches/winbind_trusted_domains.patch: make sure domain members
++      can talk to trusted domains DCs.
++  * Dropped changes:
++    - build-depends on libgnutls-dev instead of libgnutsl28-dev: rename was
++      never done in Debian, revert.
++    - ufw integration: included in Debian.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 14 Jul 2016 17:45:46 -0700
++
  samba (2:4.4.5+dfsg-2) unstable; urgency=medium
    * Disable running of 'make quicktest' during build, as it takes very
@@ -2609,6 +4681,20 @@ samba (2:4.4.0+dfsg-1) experimental; urgency=medium
   -- Andrew Bartlett <abartlet+debian@catalyst.net.nz>  Wed, 06 Apr 2016 17:08:20 +1200
++samba (2:4.3.9+dfsg-0ubuntu1) yakkety; urgency=medium
++
++  * SECURITY REGRESSION: Updated to 4.3.9 to fix multiple regressions in
++    the previous security updates. (LP: #1577739)
++    - debian/control: bump tevent Build-Depends to 0.9.28.
++  * SECURITY REGRESSION: NTLM authentication issues (LP: #1578576)
++    - debian/patches/samba-bug11912.patch: let msrpc_parse() return
++      talloc'ed empty strings in libcli/auth/msrpc_parse.c.
++    - debian/patches/samba-bug11914.patch: make
++      ntlm_auth_generate_session_info() more complete in
++      source3/utils/ntlm_auth.c.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 25 May 2016 09:29:15 -0400
++
  samba (2:4.3.8+dfsg-1) unstable; urgency=low
    [ Jelmer Vernooĳ ]
@@ -2623,6 +4709,25 @@ samba (2:4.3.8+dfsg-1) unstable; urgency=low
   -- Jelmer Vernooĳ <jelmer@debian.org>  Sat, 16 Apr 2016 01:18:36 +0000
++samba (2:4.3.8+dfsg-0ubuntu1) xenial; urgency=medium
++
++  * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
++    - CVE-2015-5370: Multiple errors in DCE-RPC code
++    - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
++    - CVE-2016-2111: NETLOGON Spoofing Vulnerability
++    - CVE-2016-2112: The LDAP client and server don't enforce integrity
++      protection
++    - CVE-2016-2113: Missing TLS certificate validation allows man in the
++      middle attacks
++    - CVE-2016-2114: "server signing = mandatory" not enforced
++    - CVE-2016-2115: SMB client connections for IPC traffic are not
++      integrity protected
++    - CVE-2016-2118: SAMR and LSA man in the middle attacks possible
++  * debian/patches/winbind_trusted_domains.patch: make sure domain members
++    can talk to trusted domains DCs.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 12 Apr 2016 07:26:29 -0400
++
  samba (2:4.3.7+dfsg-1) unstable; urgency=high
    * New upstream release.
@@ -2665,6 +4770,29 @@ samba (2:4.3.6+dfsg-2) unstable; urgency=low
   -- Mathieu Parent <sathieu@debian.org>  Thu, 31 Mar 2016 22:26:11 +0200
++samba (2:4.3.6+dfsg-1ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian; remaining changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    + debian/smb.conf;
++      - Add "(Samba, Ubuntu)" to server string.
++      - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + debian/control:
++      - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
++    + Add ufw integration:
++      - Created debian/samba.ufw.profile:
++      - debian/rules, debian/samba.install: install profile
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++      pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 09 Mar 2016 08:49:12 -0500
++
  samba (2:4.3.6+dfsg-1) unstable; urgency=medium
    * New upstream release.
@@ -2710,6 +4838,42 @@ samba (2:4.3.3+dfsg-2) unstable; urgency=medium
   -- Mathieu Parent <sathieu@debian.org>  Thu, 04 Feb 2016 13:25:01 +0100
++samba (2:4.3.3+dfsg-1ubuntu3) xenial; urgency=medium
++
++  * No-change rebuild for gnutls transition.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed, 17 Feb 2016 22:41:43 +0000
++
++samba (2:4.3.3+dfsg-1ubuntu2) xenial; urgency=medium
++
++  * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
++    (LP: #1545750)
++
++ -- Dariusz Gadomski <dariusz.gadomski@canonical.com>  Mon, 15 Feb 2016 16:05:12 +0100
++
++samba (2:4.3.3+dfsg-1ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian; remaining changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    + debian/smb.conf;
++      - Add "(Samba, Ubuntu)" to server string.
++      - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + debian/control:
++      - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
++    + Add ufw integration:
++      - Created debian/samba.ufw.profile:
++      - debian/rules, debian/samba.install: install profile
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++      pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 06 Jan 2016 07:41:39 -0500
++
  samba (2:4.3.3+dfsg-1) unstable; urgency=medium
    * New upstream release. Closes: #808133.
@@ -2794,6 +4958,63 @@ samba (2:4.2.1+dfsg-1) experimental; urgency=medium
   -- Jelmer Vernooij <jelmer@debian.org>  Sun, 07 Dec 2014 15:34:36 +0000
++samba (2:4.1.20+dfsg-1ubuntu5) xenial; urgency=medium
++
++  * Resolve small merge error in the rules
++
++ -- Sebastien Bacher <seb128@ubuntu.com>  Wed, 16 Dec 2015 12:02:12 +0100
++
++samba (2:4.1.20+dfsg-1ubuntu4) xenial; urgency=medium
++
++  * Backport Debian change to remove libpam-smbpasswd, it segfaults
++    leading to non working session (lp: #1515207)
++
++ -- Sebastien Bacher <seb128@ubuntu.com>  Wed, 16 Dec 2015 11:47:44 +0100
++
++samba (2:4.1.20+dfsg-1ubuntu3) xenial; urgency=medium
++
++  * Build with the new ldb
++
++ -- Sebastien Bacher <seb128@ubuntu.com>  Wed, 18 Nov 2015 11:45:32 +0100
++
++samba (2:4.1.20+dfsg-1ubuntu2) xenial; urgency=medium
++
++  * debian/samba.logrotate:
++    - revert to Debian version of the logrotate reload command, fix an
++      invalid syntax introduced in the upstart->systemd transition
++      (lp: #1385868)
++
++ -- Sebastien Bacher <seb128@ubuntu.com>  Tue, 10 Nov 2015 19:01:06 +0100
++
++samba (2:4.1.20+dfsg-1ubuntu1) xenial; urgency=medium
++
++  * Merge with Debian; remaining changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    + debian/smb.conf;
++      - Add "(Samba, Ubuntu)" to server string.
++      - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + debian/control:
++      - Don't build against or suggest ctdb and tdb.
++      - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
++    + debian/rules:
++      - Drop explicit configuration options for ctdb and tdb.
++    + Add ufw integration:
++      - Created debian/samba.ufw.profile:
++      - debian/rules, debian/samba.install: install profile
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + debian/samba.logrotate: use service command to reload (send SIGHUP) the main
++      processes such that it works under both upstart and systemd.
++    + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
++    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++      pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
++
++ -- Matthias Klose <doko@ubuntu.com>  Sat, 24 Oct 2015 14:57:47 +0200
++
  samba (2:4.1.20+dfsg-1) unstable; urgency=medium
    * New upstream release (last compatible with current OpenChange).
@@ -2807,6 +5028,44 @@ samba (2:4.1.17+dfsg-5) unstable; urgency=medium
   -- Jelmer Vernooij <jelmer@debian.org>  Sun, 20 Sep 2015 13:20:53 +0000
++samba (2:4.1.17+dfsg-4ubuntu2) wily; urgency=medium
++
++  * debian/control:
++    - Switch build depends from transitional libgnutsl28-dev to libgnutls-dev
++
++ -- Robert Ancell <robert.ancell@canonical.com>  Tue, 11 Aug 2015 11:34:50 +1200
++
++samba (2:4.1.17+dfsg-4ubuntu1) wily; urgency=medium
++
++  * Merge from Debian unstable.  Remaining changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    + debian/smb.conf;
++      - Add "(Samba, Ubuntu)" to server string.
++      - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + debian/control:
++      - Don't build against or suggest ctdb and tdb.
++    + debian/rules:
++      - Drop explicit configuration options for ctdb and tdb.
++    + Add ufw integration:
++      - Created debian/samba.ufw.profile:
++      - debian/rules, debian/samba.install: install profile
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + debian/samba.logrotate: use service command to reload (send SIGHUP) the main
++      processes such that it works under both upstart and systemd.
++    + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
++    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++      pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
++    + debian/patches/git_timeout_client_error.patch:
++    - don't let smb mounts timeout that leads to errors when trying to
++      reuse a mount after idling for a while in e.g nautilus (lp: #310932)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 08 May 2015 10:49:12 +0200
++
  samba (2:4.1.17+dfsg-4) unstable; urgency=medium
    * Add pidl_reproducible.patch: Make pidl output reproducible.
@@ -2843,6 +5102,53 @@ samba (2:4.1.17+dfsg-1) unstable; urgency=high
   -- Ivo De Decker <ivodd@debian.org>  Mon, 23 Feb 2015 20:20:21 +0100
++samba (2:4.1.13+dfsg-4ubuntu3) vivid; urgency=medium
++
++  * debian/patches/git_timeout_client_error.patch:
++    - don't let smb mounts timeout that leads to errors when trying to
++      reuse a mount after idling for a while in e.g nautilus (lp: #310932)
++
++ -- Sebastien Bacher <seb128@ubuntu.com>  Fri, 03 Apr 2015 17:20:06 +0200
++
++samba (2:4.1.13+dfsg-4ubuntu2) vivid; urgency=medium
++
++  * SECURITY UPDATE: code execution vulnerability in smbd daemon
++    - debian/patches/CVE-2015-0240.patch: don't call talloc_free on an
++      uninitialized pointer and don't dereference a NULL pointer in
++      source3/rpc_server/netlogon/srv_netlog_nt.c.
++    - CVE-2015-0240
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 23 Feb 2015 08:36:51 -0500
++
++samba (2:4.1.13+dfsg-4ubuntu1) vivid; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    + debian/smb.conf;
++      - Add "(Samba, Ubuntu)" to server string.
++      - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + debian/control:
++      - Don't build against or suggest ctdb and tdb.
++    + debian/rules:
++      - Drop explicit configuration options for ctdb and tdb.
++    + Add ufw integration:
++      - Created debian/samba.ufw.profile:
++      - debian/rules, debian/samba.install: install profile
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + debian/samba.logrotate: use service command to reload (send SIGHUP) the main
++      processes such that it works under both upstart and systemd.
++    + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
++    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++      pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
++    + debian/patches/CVE-2014-8143.patch fix CVE-2014-8143.
++
++ -- Gianfranco Costamagna <costamagnagianfranco@yahoo.it>  Wed, 21 Jan 2015 15:48:05 +0100
++
  samba (2:4.1.13+dfsg-4) unstable; urgency=medium
    * Revert previous patch, since ldb has an active module version check.
@@ -2885,6 +5191,69 @@ samba (2:4.1.11+dfsg-2) unstable; urgency=medium
   -- Jelmer Vernooij <jelmer@debian.org>  Sun, 07 Sep 2014 20:52:27 +0200
++samba (2:4.1.11+dfsg-1ubuntu4) vivid; urgency=medium
++
++  * SECURITY UPDATE: elevation of privilege to AD Domain Controller
++    - debian/patches/CVE-2014-8143.patch: check for extended access rights
++      before allowing changes to userAccountControl in
++      librpc/idl/security.idl, source4/auth/session.c,
++      source4/dsdb/common/util.c, source4/dsdb/pydsdb.c,
++      source4/dsdb/samdb/ldb_modules/samldb.c, source4/dsdb/samdb/samdb.h,
++      source4/rpc_server/lsa/dcesrv_lsa.c,
++      source4/setup/schema_samba4.ldif.
++    - CVE-2014-8143
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 21 Jan 2015 09:19:12 -0500
++
++samba (2:4.1.11+dfsg-1ubuntu3) vivid; urgency=medium
++
++  * No-change rebuild against current ldb. Note that I'm not claiming the
++    merging for this package.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 04 Dec 2014 07:50:22 +0100
++
++samba (2:4.1.11+dfsg-1ubuntu2) utopic; urgency=medium
++
++  * d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
++    pam_winbind krb5_ccache_type=FILE failure (LP: #1310919)
++
++ -- Serge Hallyn <serge.hallyn@ubuntu.com>  Thu, 11 Sep 2014 11:53:36 -0500
++
++samba (2:4.1.11+dfsg-1ubuntu1) utopic; urgency=medium
++
++  * Merge from Debian unstable.  Remaining changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    +  debian/smb.conf;
++       - Add "(Samba, Ubuntu)" to server string.
++       - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + debian/control:
++      - Don't build against or suggest ctdb and tdb.
++    + debian/rules:
++      - Drop explicit configuration options for ctdb and tdb.
++    + Add ufw integration:
++      - Created debian/samba.ufw.profile:
++      - debian/rules, debian/samba.install: install profile
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + debian/samba.logrotate: call upstart interfaces unconditionally instead
++      of hacking arround with pid files.
++    + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
++      first dummy transitional package version.
++    + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
++
++  * In logrotate, use service command to reload (send SIGHUP) the main
++    processes such that it works under both upstart and systemd.
++  * Drop CVE patches, applied upstream.
++  * Drop patches absent from series: readline-ftbfs.patch,
++    krb5_kt_start_seq.diff, config-bind99.patch
++  * Drop debian/source/include-binaries, pyc files are correctly cleaned up
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 09 Aug 2014 21:26:23 +0100
++
  samba (2:4.1.11+dfsg-1) unstable; urgency=high
    * New upstream release. Fixes:
@@ -2920,6 +5289,62 @@ samba (2:4.1.9+dfsg-1) unstable; urgency=high
   -- Ivo De Decker <ivo.dedecker@ugent.be>  Mon, 23 Jun 2014 18:33:27 +0200
++samba (2:4.1.8+dfsg-1ubuntu3) utopic; urgency=medium
++
++  * SECURITY UPDATE: remote code execution on unauthenticated nmbd
++    - debian/patches/CVE-2014-3560.patch: fix unstrcpy in
++      lib/util/string_wrappers.h.
++    - CVE-2014-3560
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 01 Aug 2014 17:54:54 -0400
++
++samba (2:4.1.8+dfsg-1ubuntu2) utopic; urgency=medium
++
++  * SECURITY UPDATE: denial of service on nmbd malformed packet
++    - debian/patches/CVE-2014-0244.patch: return on EWOULDBLOCK/EAGAIN in
++      source3/lib/system.c.
++    - CVE-2014-0244
++  * SECURITY UPDATE: denial of service via bad unicode conversion
++    - debian/patches/CVE-2014-3493.patch: refactor code in
++      source3/lib/charcnv.c, change return code checks in
++      source3/libsmb/clirap.c, source3/smbd/lanman.c.
++    - CVE-2014-3493
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 23 Jun 2014 14:10:12 -0400
++
++samba (2:4.1.8+dfsg-1ubuntu1) utopic; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    +  debian/smb.conf;
++       - Add "(Samba, Ubuntu)" to server string.
++       - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + debian/control:
++      - Don't build against or suggest ctdb and tdb.
++    + debian/rules:
++      - Drop explicit configuration options for ctdb and tdb.
++    + Add ufw integration:
++      - Created debian/samba.ufw.profile:
++      - debian/rules, debian/samba.install: install profile
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + debian/samba.logrotate: call upstart interfaces unconditionally instead
++      of hacking arround with pid files.
++    + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
++      first dummy transitional package version.
++    + Dropped patches:
++      - debian/patches/CVE-2013-4496.patch: Dropped no longer needed
++      - debian/patches/CVE-2013-6442.patch: Dropped no longer needed.
++      - debian/patches/readline-ftbfs.patch: Use the debian version.
++    + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
++      (LP: #1268180)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 18 Jun 2014 10:50:25 -0400
++
  samba (2:4.1.8+dfsg-1) unstable; urgency=medium
    [ Jelmer Vernooij ]
@@ -2957,6 +5382,74 @@ samba (2:4.1.7+dfsg-1) unstable; urgency=medium
   -- Ivo De Decker <ivo.dedecker@ugent.be>  Sat, 19 Apr 2014 13:39:09 +0200
++samba (2:4.1.6+dfsg-1ubuntu6) utopic; urgency=medium
++
++  * Set the stack size to unlimited during the build to avoid a SIGBUS in
++    xsltproc on some architectures.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 02 Jun 2014 23:18:40 +0100
++
++samba (2:4.1.6+dfsg-1ubuntu5) utopic; urgency=medium
++
++  * Backport from unstable (Ivo De Decker):
++    - Build-depend on heimdal-dev.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 02 Jun 2014 15:39:54 +0100
++
++samba (2:4.1.6+dfsg-1ubuntu4) utopic; urgency=high
++
++  * No change rebuild against new dh_installinit, to call update-rc.d at
++    postinst.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 28 May 2014 10:41:32 +0100
++
++samba (2:4.1.6+dfsg-1ubuntu3) utopic; urgency=medium
++
++  * cherrypick upstream patch 1310919 to fix pam_winbind regression
++    (LP: #1310919)
++
++ -- Serge Hallyn <serge.hallyn@ubuntu.com>  Tue, 29 Apr 2014 16:05:44 -0500
++
++samba (2:4.1.6+dfsg-1ubuntu2) trusty; urgency=medium
++
++  * Fix a grammatical error in smb.conf that showed up in a ucf prompt on
++    upgrade.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 03 Apr 2014 19:08:03 -0700
++
++samba (2:4.1.6+dfsg-1ubuntu1) trusty; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    + debian/VERSION.patch: Update vendor string to "Ubuntu".
++    +  debian/smb.conf;
++       - Add "(Samba, Ubuntu)" to server string.
++       - Comment out the default [homes] share, and add a comment about "valid users = %s"
++         to show users how to restrict access to \\server\username to only username.
++    + debian/samba-common.config:
++      - Do not change prioritiy to high if dhclient3 is installed.
++    + debian/control:
++      - Don't build against or suggest ctdb and tdb.
++    + debian/rules:
++      - Drop explicit configuration options for ctdb and tdb.
++    + Add ufw integration:
++      - Created debian/samba.ufw.profile:
++      - debian/rules, debian/samba.install: install profile
++    + Add apport hook:
++      - Created debian/source_samba.py.
++      - debian/rules, debia/samb-common-bin.install: install hook.
++    + debian/samba.logrotate: call upstart interfaces unconditionally instead
++      of hacking arround with pid files.
++    + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
++      first dummy transitional package version.
++    + Dropped patches:
++      - debian/patches/CVE-2013-4496.patch: Dropped no longer needed
++      - debian/patches/CVE-2013-6442.patch: Dropped no longer needed.
++      - debian/patches/readline-ftbfs.patch: Use the debian version.
++    + debian/samba-common.dirs: Move /var/lib/samba/private from samba.dirs.
++      (LP: #1268180)
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 02 Apr 2014 13:40:30 -0400
++
  samba (2:4.1.6+dfsg-1) unstable; urgency=high
    * New upstream security release. Fixes:
@@ -3016,6 +5509,77 @@ samba (2:4.1.4+dfsg-1) unstable; urgency=medium
   -- Ivo De Decker <ivo.dedecker@ugent.be>  Sat, 18 Jan 2014 14:07:15 +0100
++samba (2:4.1.3+dfsg-2ubuntu5) trusty; urgency=medium
++
++  * debian/smb.conf: comment back some of the "share definitions"
++    options (including "valid users"). That was an Ubuntu diff and seems to
++    have been dropped in the trusty merge. Those changes seem needed to
++    get the usershare feature working (used by nautilus-share) (lp: #1261873)
++
++ -- Sebastien Bacher <seb128@ubuntu.com>  Tue, 01 Apr 2014 16:01:04 +0200
++
++samba (2:4.1.3+dfsg-2ubuntu4) trusty; urgency=medium
++
++  * SECURITY UPDATE: Password lockout not enforced for SAMR password
++    changes
++    - debian/patches/CVE-2013-4496.patch: refactor password lockout code in
++      source3/auth/check_samsec.c,
++      source3/rpc_server/samr/srv_samr_chgpasswd.c,
++      source3/rpc_server/samr/srv_samr_nt.c,
++      source3/smbd/lanman.c,
++      source4/rpc_server/samr/samr_password.c,
++      source4/torture/rpc/samr.c.
++    - CVE-2013-4496
++  * SECURITY UPDATE: smbcacls can remove a file or directory ACL by
++    mistake
++    - debian/patches/CVE-2013-6442.patch: handle existing ACL in
++      source3/utils/smbcacls.c.
++    - CVE-2013-6442
++  * debian/patches/readline-ftbfs.patch: fix ftbfs with newer readline6.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 17 Mar 2014 08:32:30 -0400
++
++samba (2:4.1.3+dfsg-2ubuntu3) trusty; urgency=medium
++
++  * Depend on tdb-tools (LP: #1279593)
++  * Updated generated config for Bind9.9.
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Wed, 12 Feb 2014 21:26:00 -0500
++
++samba (2:4.1.3+dfsg-2ubuntu2) trusty; urgency=medium
++
++  * Add missing python-ntdb dependency to python-samba (spotted by
++    autopkgtest).
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 10 Feb 2014 09:53:01 +0100
++
++samba (2:4.1.3+dfsg-2ubuntu1) trusty; urgency=low
++
++  * Merge from Debian Unstable:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++  * debian/smb.conf;
++    - Add "(Samba, Ubuntu)" to server string.
++    - Comment out the default [homes] share, and add a comment about "valid users = %s"
++      to show users how to restrict access to \\server\username to only username.
++  + debian/samba-common.config:
++    - Do not change prioritiy to high if dhclient3 is installed.
++  + debian/control:
++    - Don't build against or suggest ctdb and tdb.
++  + debian/rules:
++    - Drop explicit configuration options for ctdb and tdb.
++  + Add ufw integration:
++    - Created debian/samba.ufw.profile:
++    - debian/rules, debian/samba.install: install profile
++  + Add apport hook:
++   - Created debian/source_samba.py.
++   - debian/rules, debia/samb-common-bin.install: install hook.
++  + debian/samba.logrotate: call upstart interfaces unconditionally instead
++    of hacking arround with pid files.
++  + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
++    first dummy transitional package version.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Mon, 13 Jan 2014 08:52:31 -0500
++
  samba (2:4.1.3+dfsg-2) unstable; urgency=medium
    * Add debug symbols for all binaries to samba-dbg. Closes: #732493
@@ -3058,6 +5622,33 @@ samba (2:4.0.13+dfsg-2) UNRELEASED; urgency=low
   -- Steve Langasek <vorlon@debian.org>  Mon, 09 Dec 2013 11:13:59 -0800
++samba (2:4.0.13+dfsg-1ubuntu1) trusty; urgency=low
++
++  * Merge from Debian Unstable:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++  * debian/smb.conf;
++    - Add "(Samba, Ubuntu)" to server string.
++    - Comment out the default [homes] share, and add a comment about "valid users = %s"
++      to show users how to restrict access to \\server\username to only username.
++  + debian/samba-common.config:
++    - Do not change prioritiy to high if dhclient3 is installed.
++  + debian/control:
++    - Don't build against or suggest ctdb and tdb.
++  + debian/rules:
++    - Drop explicit configuration options for ctdb and tdb.
++  + Add ufw integration:
++    - Created debian/samba.ufw.profile:
++    - debian/rules, debian/samba.install: install profile
++  + Add apport hook:
++   - Created debian/source_samba.py.
++   - debian/rules, debia/samb-common-bin.install: install hook.
++  + debian/samba.logrotate: call upstart interfaces unconditionally instead
++    of hacking arround with pid files.
++  + Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4,
++    first dummy transitional package version.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Wed, 11 Dec 2013 19:55:47 -0500
++
  samba (2:4.0.13+dfsg-1) unstable; urgency=high
    [ Steve Langasek ]
@@ -3112,6 +5703,37 @@ samba (2:4.0.11+dfsg-1) unstable; urgency=high
   -- Ivo De Decker <ivo.dedecker@ugent.be>  Mon, 11 Nov 2013 15:42:40 +0100
++samba (2:4.0.10+dfsg-4ubuntu2) trusty; urgency=low
++
++  * Set sbmclients conflicts with samba4-clients less than 4.0.3+dfsg1-0.1ubuntu4, first dummy transitional package version.
++
++ -- Dmitrijs Ledkovs <xnox@ubuntu.com>  Wed, 27 Nov 2013 21:50:43 +0000
++
++samba (2:4.0.10+dfsg-4ubuntu1) trusty; urgency=low
++
++  * Merge from Debian Unstable:
++    - debian/VERSION.patch: Update vendor string to "Ubuntu".
++  * debian/smb.conf;
++    - Add "(Samba, Ubuntu)" to server string.
++    - Comment out the default [homes] share, and add a comment about "valid users = %s"
++      to show users how to restrict access to \\server\username to only username.
++  + debian/samba-common.config:
++    - Do not change prioritiy to high if dhclient3 is installed.
++  + debian/control:
++    - Don't build against or suggest ctdb and tdb.
++  + debian/rules:
++    - Drop explicit configuration options for ctdb and tdb.
++  + Add ufw integration:
++    - Created debian/samba.ufw.profile:
++    - debian/rules, debian/samba.install: install profile
++  + Add apport hook:
++   - Created debian/source_samba.py.
++   - debian/rules, debia/samb-common-bin.install: install hook.
++  + debian/samba.logrotate: call upstart interfaces unconditionally instead
++    of hacking arround with pid files.
++
++ -- Chuck Short <zulcss@ubuntu.com>  Fri, 08 Nov 2013 13:47:46 +0800
++
  samba (2:4.0.10+dfsg-4) unstable; urgency=low
    [ Christian Perrier ]
 diff --git a/debian/control b/debian/control
 index 8f1176a..e46b7e4 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: samba
  Section: net
  Priority: optional
--Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
  Uploaders: Steve Langasek <vorlon@debian.org>,
             Jelmer Vernooĳ <jelmer@debian.org>,
             Mathieu Parent <sathieu@debian.org>,
@@ -59,7 +60,7 @@ Build-Depends-Arch:
  	libsystemd-dev [linux-any],
  	libtasn1-6-dev (>= 3.8),
  	libtasn1-bin,
--	liburing-dev [linux-any],
++	liburing-dev [!i386],
  	xfslibs-dev [linux-any],
  	zlib1g-dev (>= 1:1.2.3),
  # python (+#904999):
@@ -308,6 +309,7 @@ Architecture: any
  Section: python
  Depends: python3-ldb,
           python3-tdb,
++         python3-markdown,
           samba-libs (= ${binary:Version}),
           ${misc:Depends},
           ${python3:Depends},
@@ -370,6 +372,29 @@ Description: Samba Virtual FileSystem plugins
   Note: The runtime dependencies of vfs_ceph, vfs_glusterfs and vfs_snapper are
   moved to Recommends.
++Package: samba-vfs-modules-extra
++# Since we only ship the glusterfs module so far, exclude 32bit architectures,
++# which glusterfs does not support
++Architecture: amd64 arm64 ppc64el riscv64 s390x
++Multi-Arch: same
++Depends: samba-libs (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
++# glusterfs vfs modules and manpages were moved from samba-vfs-modules to
++# samba-vfs-modules-glusterfs in 2:4.19.4+dfsg-2ubuntu1
++Replaces: samba-vfs-modules (<< 2:4.19.4+dfsg-2ubuntu1~)
++Breaks:   samba-vfs-modules (<< 2:4.19.4+dfsg-2ubuntu1~)
++Enhances: samba
++Description: Samba Virtual FileSystem extra modules
++ Samba is an implementation of the SMB/CIFS protocol for Unix systems,
++ providing support for cross-platform file sharing with Microsoft Windows, OS X,
++ and other Unix systems.  Samba can also function as a domain controller
++ or member server in Active Directory or NT4-style domains.
++ .
++ Virtual FileSystem modules are stacked shared libraries extending the
++ functionality of Samba. This package ships some extra VFS modules which
++ were previously shipped in samba-vfs-modules:
++  * vfs_gluterfs
++  * vfs_glusterfs_fuse
++
  Package: libsmbclient
  Section: libs
  Architecture: any
@@ -407,8 +432,9 @@ Depends: samba-common (= ${source:Version}),
  Enhances: libkrb5-26-heimdal <!pkg.samba.mitkrb5>
  Suggests: libnss-winbind, libpam-winbind
  # 4.16.6+dfsg-5 idmap_{script,rfc2307}.8 moved samba{,-libs} => winbind
--Breaks:   samba (<< 2:4.16.6+dfsg-5~), samba-libs (<< 2:4.16.6+dfsg-5~),
--Replaces: samba (<< 2:4.16.6+dfsg-5~), samba-libs (<< 2:4.16.6+dfsg-5~),
++# In Ubuntu, this was first done in 2:4.17.7+dfsg-1ubuntu1. See LP: #2024663
++Breaks:   samba (<< 2:4.17.7+dfsg-1ubuntu1~), samba-libs (<< 2:4.17.7+dfsg-1ubuntu1~),
++Replaces: samba (<< 2:4.17.7+dfsg-1ubuntu1~), samba-libs (<< 2:4.17.7+dfsg-1ubuntu1~),
  Description: service to resolve user and group information from Windows NT servers
   Samba is an implementation of the SMB/CIFS protocol for Unix systems,
   providing support for cross-platform file sharing with Microsoft Windows, OS X,
 diff --git a/debian/rules b/debian/rules
 index 8ee78b3..d5af1a4 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -268,6 +268,15 @@ endif
  	dh_link -plibldb2 /usr/lib/${DEB_HOST_MULTIARCH}/ldb/modules/ldb \
  	                  /usr/lib/${DEB_HOST_MULTIARCH}/samba/ldb/compat
++execute_after_dh_install:
++# gluster vfs modules are in a separate package. Moving the modules here
++# avoids having to list all but the gluster modules in
++# d/samba-vfs-modules.install
++ifeq ($(with-glusterfs), yes)
++	rm debian/samba-vfs-modules/usr/lib/${DEB_HOST_MULTIARCH}/samba/vfs/glusterfs*.so
++	rm debian/samba-vfs-modules/usr/share/man/man8/vfs_glusterfs*.8
++endif
++
  provision-dest := debian/samba-ad-provision/usr/share/samba/setup
  override_dh_auto_install-indep:
@@ -349,7 +358,7 @@ override_dh_shlibdeps:
  # for specific executables/modules, put dependencies in separate variables
  # to change Depends to Recommends for them in d/control
  	dh_shlibdeps -l/usr/lib/${DEB_HOST_MULTIARCH}/samba \
--	    -Xceph.so -Xglusterfs.so -Xsnapper.so -Xctdb_mutex_ceph_rados_helper
++	    -Xceph.so -Xsnapper.so -Xctdb_mutex_ceph_rados_helper
  ifneq (,$(filter ctdb, ${build-pkgs}))
  	echo "rados:Depends=" >> debian/ctdb.substvars
  ifneq (${with-ceph},)
@@ -362,8 +371,7 @@ ifneq (,$(filter samba-vfs-modules,${build-pkgs}))
  ifneq (${with-snapper}${with-ceph}${with-glusterfs},)
  	dpkg-shlibdeps -Tdebian/samba-vfs-modules.substvars -pvfsmods \
  	    $(if ${with-snapper}, debian/samba-vfs-modules/usr/lib/*/samba/vfs/snapper.so) \
--	    $(if ${with-ceph}, debian/samba-vfs-modules/usr/lib/*/samba/vfs/ceph.so) \
--	    $(if ${with-glusterfs}, debian/samba-vfs-modules/usr/lib/*/samba/vfs/glusterfs.so)
++	    $(if ${with-ceph}, debian/samba-vfs-modules/usr/lib/*/samba/vfs/ceph.so)
  endif
  endif
  # after shlibdeps run, check that we don't have wrong depdendencies
 diff --git a/debian/samba-vfs-modules-extra.install b/debian/samba-vfs-modules-extra.install
 new file mode 100644
 index 0000000..c360548
 --- /dev/null
 +++ b/debian/samba-vfs-modules-extra.install
@@ -0,0 +1,4 @@
++usr/lib/${DEB_HOST_MULTIARCH}/samba/vfs/glusterfs.so
++usr/lib/${DEB_HOST_MULTIARCH}/samba/vfs/glusterfs_fuse.so
++usr/share/man/man8/vfs_glusterfs.8
++usr/share/man/man8/vfs_glusterfs_fuse.8
 diff --git a/debian/tests/control b/debian/tests/control
 index d27e025..b37632e 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -28,3 +28,7 @@ Restrictions: needs-root, allow-stderr, isolation-container, skippable
  Tests: reinstall-samba-common-bin
  Depends: samba-common, samba-common-bin
  Restrictions: needs-root, needs-reboot, isolation-machine, allow-stderr
++
++Tests: samba-ad-dc-provisioning-internal-dns
++Depends: samba-ad-dc, samba-ad-provision, smbclient, krb5-user, bind9-dnsutils, lxd | snapd, lsb-release, dctrl-tools
++Restrictions: needs-root, isolation-machine, allow-stderr, breaks-testbed
 diff --git a/debian/tests/samba-ad-dc-provisioning-internal-dns b/debian/tests/samba-ad-dc-provisioning-internal-dns
 new file mode 100755
 index 0000000..f61fa5e
 --- /dev/null
 +++ b/debian/tests/samba-ad-dc-provisioning-internal-dns
@@ -0,0 +1,398 @@
++#!/bin/bash
++
++set -e
++set -o pipefail
++
++source debian/tests/util
++
++declare -r domain="EXAMPLE"
++declare -r realm="EXAMPLE.FAKE"
++declare -r adminpass="Passw0rd"
++declare -r test_user="test_user_${RANDOM}"
++declare -r test_pw="test_user_secret_${RANDOM}"
++declare -A user_pass
++user_pass[Administrator]="${adminpass}"
++user_pass[${test_user}]="${test_pw}"
++declare -A join_method_deps
++# Minimum set of deps: let realmd install the extra dependencies
++# as needed, depending on the join method.
++join_method_deps[realmd_sssd]="realmd krb5-user smbclient"
++join_method_deps[realmd_winbind]="realmd krb5-user smbclient"
++
++
++cleanup() {
++    rc=$?
++    set +e # so we don't exit midcleanup
++    if [ ${rc} -ne 0 ]; then
++        echo "## Something failed, gathering logs"
++        echo
++        echo "## smb.conf"
++        cat /etc/samba/smb.conf
++        echo
++        echo "## resolv.conf"
++        cat /etc/resolv.conf
++        echo
++        echo "## resolvectl status"
++        resolvectl status
++        echo "## journal for samba-ad-dc.service"
++        journalctl -u samba-ad-dc.service --lines 500
++        echo
++        for log in /var/log/samba/log.*; do
++            # skip compressed logrotated files
++            if [ "${log%.gz}" != "${log}" ]; then
++                continue
++            fi
++            [ -s "${log}" ] || continue
++            echo "## $(basename ${log}):"
++            tail -n 500 "${log}"
++            echo
++        done
++        echo "## syslog"
++        tail -n 500 /var/log/syslog
++    fi
++}
++
++trap cleanup EXIT
++
++assert_testparm() {
++    local parameter="${1}"
++    local expected_value="${2}"
++    local current_value=""
++    local -i retval=0
++
++    echo -n "Asserting ${parameter} is ${expected_value}: "
++    current_value=$(testparm -s --parameter-name "${parameter}" 2>/dev/null) || {
++        retval=$?
++        echo "FAIL"
++        return ${retval}
++    }
++    if [ "${current_value}" = "${expected_value}" ]; then
++        echo "OK"
++        return 0
++    else
++        echo "FAIL"
++        return 1
++    fi
++}
++
++basic_config_tests() {
++    echo "## Basic config tests"
++    testparm -s > /dev/null
++    assert_testparm "realm" "${realm}"
++    assert_testparm "workgroup" "${domain}"
++    assert_testparm "server role" "active directory domain controller"
++    echo
++}
++
++dns_tests() {
++    echo "## DNS tests"
++    echo "Obtaining administrator kerberos ticket"
++    echo "${adminpass}" | timeout --verbose 30 kinit Administrator
++    echo
++    echo "Querying server info"
++    samba-tool dns serverinfo "$(hostname)"
++    echo
++    echo "Checking we got a service ticket of type host/"
++    klist | grep "host/$(hostname)"
++    echo
++    echo "Checking specific DNS records"
++    for srv in _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._udp; do
++        echo -n "${srv}.${realm,,}: "
++        dig @localhost +short -t SRV ${srv}.${realm,,}
++        echo
++    done
++    echo
++    echo -n "Checking that our hostname \"$(hostname)\" is in DNS: "
++    myip=$(dig @localhost +short -t A "$(hostname).${realm,,}")
++    echo "${myip}"
++    echo
++}
++
++user_creation_tests() {
++    echo "## User creation tests"
++    samba-tool domain passwordsettings set --complexity=off
++    echo "Creating user \"${test_user}\" with password ${test_pw}"
++    samba-tool user add "${test_user}" "${test_pw}"
++    echo
++    echo "Attempting to obtain kerberos ticket for user \"${test_user}\""
++    # just in case it ends up waiting at a prompt, we use "timeout"
++    echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}"
++    echo "Ticket obtained"
++    klist
++    echo
++}
++
++smbclient_tests() {
++    echo "## smbclient tests"
++    kdestroy || :
++    echo
++    echo "Obtaining a TGT for ${test_user}"
++    echo "${test_pw}" | timeout --verbose 30 kinit "${test_user}"
++    klist | grep krbtgt
++    echo
++    echo "Attempting password-less authentication with smbclient"
++    echo
++    echo "Listing shares"
++    smbclient -L "$(hostname)" --use-kerberos=required -k
++    echo
++    echo "Listing the sysvol share"
++    smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls"
++    echo
++    echo "Listing policies"
++    # lowercase the ${realm}
++    smbclient "//$(hostname)/sysvol" --use-kerberos=required -k -c "ls ${realm,,}/Policies/*"
++    echo
++    echo "Checking that we have a ticket for the cifs service after all these commands"
++    klist | grep cifs/
++    echo
++}
++
++server_join_tests() {
++    local member_server
++    # the join methods are the keys of the join_method_deps dict
++    local -a methods=("${!join_method_deps[@]}")
++    local member_server="member-server"
++
++    echo "## Server join tests"
++    echo "## Initializing lxd"
++    setup_lxd "${realm,,}"
++
++    for method in "${methods[@]}"; do
++        echo "## Setting up member server to join a domain using method ${method}"
++        setup_member_server "${member_server}" "${method}"
++        echo "## Joining domain with method ${method}"
++        join_domain "${member_server}" "${method}"
++        echo
++        echo "## Verifying join with method ${method}"
++        verify_join "${member_server}" "${method}"
++        echo
++        echo "## Leaving domain with method ${method}"
++        leave_domain "${member_server}" "${method}"
++        echo
++        echo "## Destroying member server"
++        lxc delete --force "${member_server}"
++    done
++}
++
++setup_member_server() {
++    local container_name="${1}"
++    local method="${2}"
++    local release
++
++    release="$(lsb_release -cs)"
++    if [ -z "${join_method_deps[${method}]}" ]; then
++        echo "## INTERNAL ERROR, invalid join method: ${method}"
++        return 1
++    fi
++    echo "## Got test dependencies: ${join_method_deps[${method}]}"
++    # can't use cloud-init here to install packages, because we first need to
++    # sync the apt config from the host to the container
++    echo "## Launching ${release} container"
++    lxc launch "ubuntu-daily:${release}" "${container_name}" -q
++    wait_container_ready "${container_name}"
++    send_apt_config "${container_name}"
++    copy_local_apt_files "${container_name}"
++    echo "## Installing dependencies in test container"
++    install_packages_in_container "${container_name}" ${join_method_deps[${method}]}
++}
++
++join_domain_realmd_winbind() {
++    local server="${1}"
++    local discover_cmd="realm discover -v --membership-software=samba --client-software=winbind ${realm,,}"
++    local join_cmd="realm join -v --membership-software=samba --client-software=winbind ${realm,,}"
++
++    echo "## Domain information"
++    lxc exec "${server}" -- ${discover_cmd}
++    echo
++    echo "## Running join command: ${join_cmd}"
++    echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd}
++}
++
++verify_join_realmd_winbind() {
++    local server="${1}"
++    local member_domain
++
++    echo -n "## Verifying member server joined domain name: "
++    member_domain=$(lxc exec "${server}" -- wbinfo --own-domain)
++    echo "${member_domain}"
++    if [ "${member_domain}" != "${domain}" ]; then
++        echo "ERROR: expected member server domain to match the joined domain:"
++        echo "member server domain: ${member_domain}"
++        echo "AD domain: ${domain}"
++        return 1
++    fi
++    echo
++    # we just want to see the output, not parse it
++    echo "## Domain status in member server"
++    lxc exec "${server}" -- wbinfo --domain-info "${member_domain}"
++    echo
++    echo "## User status in member server"
++    for u in "${!user_pass[@]}"; do
++        echo "## User \"${u}@${realm}\" information:"
++        lxc exec "${server}" -- wbinfo --user-info "${u}@${realm}"
++        echo
++        echo "## id ${u}@${realm}"
++        lxc exec "${server}" -- id ${u}@${realm}
++        echo
++        echo "## kinit authentication check for user \"${u}@${realm}\" inside member server"
++        echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}"
++        lxc exec "${server}" -- klist
++        echo
++        echo "## Listing shares with the obtained kerberos ticket"
++        lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
++        lxc exec "${server}" -- kdestroy
++        echo
++        echo "## wbinfo authentication check for user \"${u}@${realm}\" inside member server"
++        # non-interactive format for username is user%password
++        lxc exec "${server}" -- wbinfo --authenticate="${u}@${realm}%${user_pass[${u}]}"
++        echo
++        echo "## wbinfo kerberos authentication check for user \"${u}@${realm}\" inside member server"
++        lxc exec "${server}" -- wbinfo --krb5auth="${u}@${realm}%${user_pass[${u}]}"
++        echo
++        echo "## Listing shares with the obtained kerberos ticket"
++        lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
++        lxc exec "${server}" -- kdestroy
++    done
++}
++
++leave_domain_realmd_winbind() {
++    local server="${1}"
++    local leave_cmd="realm leave -v --remove --client-software=winbind"
++
++    echo "## Running leave command: ${leave_cmd}"
++    echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd}
++}
++
++join_domain_realmd_sssd() {
++    local server="${1}"
++    local discover_cmd="realm discover -v --membership-software=adcli --client-software=sssd ${realm,,}"
++    local join_cmd="realm join -v --membership-software=adcli --client-software=sssd ${realm,,}"
++
++    echo "## Domain information"
++    lxc exec "${server}" -- ${discover_cmd}
++    echo
++    echo "## Running join command: ${join_cmd}"
++    echo "${adminpass}" | lxc exec "${server}" -- ${join_cmd}
++    echo
++}
++
++verify_join_realmd_sssd() {
++    local server="${1}"
++    local samba_domain
++
++    echo -n "## Verifying member server joined domain name: "
++    samba_domain=$(lxc exec "${server}" -- sssctl domain-list)
++    echo "${samba_domain}"
++    if [ "${samba_domain}" != "${realm,,}" ]; then
++        echo "ERROR: expected member server domain to match the joined domain:"
++        echo "member server domain: ${samba_domain}"
++        echo "AD domain: ${realm,,}"
++        return 1
++    fi
++    echo
++    # we just want to see the output, not parse it
++    echo "## Domain status in member server"
++    lxc exec "${server}" -- sssctl domain-status "${realm}"
++    echo
++    echo "## User status in member server"
++    for u in "${!user_pass[@]}"; do
++        echo "## User \"${u}@${realm}\" information:"
++        lxc exec "${server}" -- sssctl user-checks "${u}@${realm}"
++        echo
++        echo "## id ${u}@${realm}"
++        lxc exec "${server}" -- id "${u}@${realm}"
++        echo
++        echo "## kinit authentication check for user \"${u}@${realm}\" inside member server"
++        echo "${user_pass[${u}]}" | lxc exec "${server}" -- timeout --verbose 30 kinit "${u}@${realm}"
++        lxc exec "${server}" -- klist
++        echo
++        echo "## Listing shares with the obtained kerberos ticket"
++        lxc exec "${server}" -- smbclient -L "$(hostname)" --use-kerberos=required -k
++        lxc exec "${server}" -- kdestroy
++    done
++}
++
++leave_domain_realmd_sssd() {
++    local server="${1}"
++    local leave_cmd="realm leave -v --remove --client-software=sssd"
++
++    echo "## Running leave command: ${leave_cmd}"
++    echo "${adminpass}" | lxc exec "${server}" -- ${leave_cmd}
++}
++
++join_domain() {
++    local server="${1}"
++    local m="${2}"
++
++    join_domain_${m} "${server}"
++}
++
++verify_join() {
++    local server="${1}"
++    local m="${2}"
++
++    verify_join_${m} "${server}"
++}
++
++leave_domain() {
++    local server="${1}"
++    local m="${2}"
++
++    leave_domain_${m} "${server}"
++}
++
++systemctl stop smbd nmbd winbind
++systemctl disable smbd nmbd winbind
++systemctl mask smbd nmbd winbind
++
++systemctl unmask samba-ad-dc
++systemctl enable samba-ad-dc
++
++if [ -f /etc/samba/smb.conf ]; then
++    mv /etc/samba/smb.conf{,.orig}
++fi
++
++# make sure we are starting fresh, as previous tests might left things around
++
++rm -rf /var/lib/samba/* /var/cache/samba/* /run/samba/*
++kdestroy || :
++
++samba-tool domain provision \
++    --domain="${domain}" \
++    --realm="${realm}" \
++    --adminpass="${adminpass}" \
++    --server-role=dc \
++    --use-rfc2307 \
++    --dns-backend=SAMBA_INTERNAL
++
++current_dns=$(resolvectl status | grep "^Current DNS Server:" | awk '{print $4}')
++
++if [ -n "${current_dns}" ]; then
++    echo "## Setting dns forwarder to ${current_dns} in smb.conf"
++    sed -r -i "s,dns forwarder = .*,dns forwarder = ${current_dns}," \
++        /etc/samba/smb.conf
++    unlink /etc/resolv.conf
++    echo "nameserver 127.0.0.1" > /etc/resolv.conf
++    # lowercase substitution
++    echo "search ${realm,,}" >> /etc/resolv.conf
++    systemctl stop systemd-resolved
++    systemctl disable systemd-resolved
++else
++    echo "## Warning, couldn't detect the current DNS server to use as forwarder in smb.conf"
++    echo "## resolvectl status:"
++    resolvectl status
++    echo "## Continuing, and hoping for the best"
++fi
++
++cp -f /var/lib/samba/private/krb5.conf /etc/krb5.conf
++
++systemctl start samba-ad-dc
++
++# give it some time, it's a lot of services to start
++sleep 5s
++
++basic_config_tests
++dns_tests
++user_creation_tests
++smbclient_tests
++server_join_tests
 diff --git a/debian/tests/util b/debian/tests/util
 index 4278ee7..298b321 100644
 --- a/debian/tests/util
 +++ b/debian/tests/util
@@ -16,7 +16,7 @@ EOFEOF
          if [ -n "${vfs}" ]; then
              echo "vfs objects = ${vfs}" >> /etc/samba/smb.conf
          fi
--        systemctl restart smbd.service
++        systemctl reload smbd.service
      else
          echo "Share [${share}] already exists, continuing"
      fi
@@ -66,3 +66,113 @@ ensure_uring_available() {
          exit 77
      fi
+ }
++
++wait_container_ready() {
++    local container="${1}"
++    local -i limit=120 # seconds
++    local -i i=0
++    local -i result=0
++    local ip
++    local output
++
++    while /bin/true; do
++        ip=$(lxc list "${container}" -c 4 --format=compact | tail -1 | awk '{print $1}')
++        if [ -n "${ip}" ]; then
++            break
++        fi
++        i=$((i+1))
++        if [ ${i} -ge ${limit} ]; then
++            return 1
++        fi
++        sleep 1s
++        echo -n "."
++    done
++    while ! nc -z "${ip}" 22; do
++        echo -n "."
++        i=$((i+1))
++        if [ ${i} -ge ${limit} ]; then
++            return 1
++        fi
++        sleep 1s
++    done
++    # cloud-init might still be doing things...
++    # this call blocks, so wrap it in its own little timeout
++    output=$(lxc exec "${container}" -- timeout --verbose $((limit-i)) cloud-init status --wait) || {
++        result=$?
++        echo "cloud-init status --wait failed on container ${container}"
++        echo "${output}"
++        return ${result}
++    }
++    echo
++}
++
++install_lxd() {
++    if ! command -v lxd > /dev/null 2>&1; then
++        # the test depends has "lxd | snapd", so if we don't have lxd, we must
++        # install the snap
++        snap list lxd > /dev/null 2>&1 || {
++            echo "Installing the LXD snap..."
++            snap install lxd
++        }
++    fi
++}
++
++setup_lxd() {
++    local dns_domain="${1}"
++    local network
++    local nic
++    local dns_ip
++
++    install_lxd
++    # Stop samba while lxd is setup, to avoid conflicts on lxdbr0:53
++    systemctl stop samba-ad-dc
++    lxd init --auto
++    lxd waitready --timeout 600
++    network=$(lxc network list --format=compact | grep -E "bridge.*YES.*CREATED")
++    nic=$(echo "${network}" | awk '{print $1}')
++    dns_ip=$(echo "${network}" | awk '{print $4}' | cut -d / -f 1) # strip the cidr
++    # port=0 effectively disables dnsmasq's DNS, so it doesn't conflict with samba's DNS
++    lxc network set "${nic:-lxdbr0}" ipv6.address=none dns.domain="${dns_domain}" raw.dnsmasq="$(echo -e port=0\\ndhcp-option=option:dns-server,${dns_ip})"
++    if [ -n "${http_proxy}" ]; then
++        lxc config set core.proxy_http "${http_proxy}"
++    fi
++    if [ -n "${https_proxy}" ]; then
++        lxc config set core.proxy_https "${https_proxy}"
++    fi
++    if [ -n "${noproxy}" ]; then
++        lxc config set core.proxy_ignore_hosts "${noproxy}"
++    fi
++    systemctl start samba-ad-dc
++    # give it some time, it's a lot of services to start
++    sleep 5s
++}
++
++# Copy the local apt package archive over to the lxd container.
++copy_local_apt_files() {
++    local container_name="${1:-docker}"
++
++    for local_source in $(apt-get indextargets | grep-dctrl -F URI -e '^file:/' -sURI | awk '{print $2}'); do
++        local_source=${local_source#file:}
++        local_dir=$(dirname "${local_source}")
++        lxc exec "${container_name}" -- mkdir -p "${local_dir}"
++        tar -cC "${local_dir}" . | lxc exec "${container_name}" -- tar -xC "${local_dir}"
++    done
++}
++
++send_apt_config() {
++    echo "Copying over /etc/apt to container ${1}"
++    lxc exec "${1}" -- rm -rf /etc/apt
++    lxc exec "${1}" -- mkdir -p /etc/apt
++    tar -cC /etc/apt . | lxc exec "${1}" -- tar -xC /etc/apt
++}
++
++install_packages_in_container() {
++    local container="${1}"
++    shift
++    local packages="${*}"
++
++    echo "### Installing dependencies in member server container: ${packages}"
++    lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get update -q
++    lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y
++    lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y ${packages}
++}

Ubuntusamba package

Merge ~ahasenack/ubuntu/+source/samba:noble-samba-merge-1 into ubuntu/+source/samba:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
samba package