commit:     f73defc3dbc6d0bab31d9efc368002465b872e2f
Author:     Ben Kohler <bkohler <AT> gentoo <DOT> org>
AuthorDate: Fri Jul 11 11:58:50 2025 +0000
Commit:     Ben Kohler <bkohler <AT> gentoo <DOT> org>
CommitDate: Fri Jul 11 12:11:35 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f73defc3

net-fs/samba: backport 2 fixes to 4.20 series

Bug: https://bugs.gentoo.org/959760
Bug: https://bugs.gentoo.org/959125
Signed-off-by: Ben Kohler <bkohler <AT> gentoo.org>

 .../samba/files/samba-4.20.8-CVE-2025-0620.patch   | 532 +++++++++++++++++++++
 ...-use-deprecated-readline-CPPFunction-cast.patch |  74 +++
 net-fs/samba/samba-4.20.8-r1.ebuild                | 387 +++++++++++++++
 3 files changed, 993 insertions(+)

diff --git a/net-fs/samba/files/samba-4.20.8-CVE-2025-0620.patch 
b/net-fs/samba/files/samba-4.20.8-CVE-2025-0620.patch
new file mode 100644
index 000000000000..6b15a2258411
--- /dev/null
+++ b/net-fs/samba/files/samba-4.20.8-CVE-2025-0620.patch
@@ -0,0 +1,532 @@
+From 9fd05848d4a59db3977ae74f1a7a89f63f22b9ca Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <me...@samba.org>
+Date: Fri, 11 Oct 2024 13:32:22 +0000
+Subject: [PATCH 1/3] s3:libsmb: let discover_dc_netbios() return
+ DOMAIN_CONTROLLER_NOT_FOUND
+
+We may get NT_STATUS_NOT_FOUND when the name can't be resolved
+and NT_STATUS_INVALID_ADDRESS if the system doesn't have ipv4
+addresses...
+
+Signed-off-by: Stefan Metzmacher <me...@samba.org>
+Reviewed-by: Andreas Schneider <a...@samba.org>
+(cherry picked from commit e47ce1d10b13d8ef165c70984e6e490f4c2a64c2)
+---
+ source3/libsmb/dsgetdcname.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
+index 654893c172c..00e1fac6b93 100644
+--- a/source3/libsmb/dsgetdcname.c
++++ b/source3/libsmb/dsgetdcname.c
+@@ -483,7 +483,19 @@ static NTSTATUS discover_dc_netbios(TALLOC_CTX *mem_ctx,
+                                       &count,
+                                       resolve_order);
+       if (!NT_STATUS_IS_OK(status)) {
+-              DEBUG(10,("discover_dc_netbios: failed to find DC\n"));
++              NTSTATUS raw_status = status;
++
++              if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
++                      status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
++              }
++              if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ADDRESS)) {
++                      status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
++              }
++
++              DBG_DEBUG("failed to find DC for %s: %s => %s\n",
++                        domain_name,
++                        nt_errstr(raw_status),
++                        nt_errstr(status));
+               return status;
+       }
+ 
+-- 
+2.47.2
+
+
+From 4108b021383ccad766a571c93bd6d5fafc4e7b80 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <me...@samba.org>
+Date: Fri, 9 May 2025 09:38:41 +0200
+Subject: [PATCH 2/3] s3:winbindd: avoid using any netlogon call to get a dc
+ name
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876
+
+Signed-off-by: Stefan Metzmacher <me...@samba.org>
+Reviewed-by: Guenther Deschner <g...@samba.org>
+Reviewed-by: Andreas Schneider <a...@samba.org>
+Reviewed-by: Ralph Boehme <s...@samba.org>
+(backported from commit f86a4bf6848ade2db7229d182576db3320c3ece7)
+---
+ source3/winbindd/winbindd_cm.c       | 145 ---------------------------
+ source3/winbindd/winbindd_dual_srv.c | 105 +------------------
+ 2 files changed, 5 insertions(+), 245 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 1685edbabaa..28ebc15ddf9 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -475,135 +475,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials 
*creds)
+       return ret;
+ }
+ 
+-static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
+-                                   fstring dcname,
+-                                   struct sockaddr_storage *dc_ss,
+-                                   uint32_t request_flags)
+-{
+-      struct winbindd_domain *our_domain = NULL;
+-      struct rpc_pipe_client *netlogon_pipe = NULL;
+-      NTSTATUS result;
+-      WERROR werr;
+-      TALLOC_CTX *mem_ctx;
+-      unsigned int orig_timeout;
+-      const char *tmp = NULL;
+-      const char *p;
+-      struct dcerpc_binding_handle *b;
+-
+-      /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
+-       * moment.... */
+-
+-      if (IS_DC) {
+-              return False;
+-      }
+-
+-      if (domain->primary) {
+-              return False;
+-      }
+-
+-      our_domain = find_our_domain();
+-
+-      if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
+-              return False;
+-      }
+-
+-      result = cm_connect_netlogon(our_domain, &netlogon_pipe);
+-      if (!NT_STATUS_IS_OK(result)) {
+-              talloc_destroy(mem_ctx);
+-              return False;
+-      }
+-
+-      b = netlogon_pipe->binding_handle;
+-
+-      /* This call can take a long time - allow the server to time out.
+-         35 seconds should do it. */
+-
+-      orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
+-
+-      if (our_domain->active_directory) {
+-              struct netr_DsRGetDCNameInfo *domain_info = NULL;
+-
+-              /*
+-               * TODO request flags are not respected in the server
+-               * (and in some cases, like REQUIRE_PDC, causes an error)
+-               */
+-              result = dcerpc_netr_DsRGetDCName(b,
+-                                                mem_ctx,
+-                                                our_domain->dcname,
+-                                                domain->name,
+-                                                NULL,
+-                                                NULL,
+-                                                
request_flags|DS_RETURN_DNS_NAME,
+-                                                &domain_info,
+-                                                &werr);
+-              if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
+-                      tmp = talloc_strdup(
+-                              mem_ctx, domain_info->dc_unc);
+-                      if (tmp == NULL) {
+-                              DEBUG(0, ("talloc_strdup failed\n"));
+-                              talloc_destroy(mem_ctx);
+-                              return false;
+-                      }
+-                      if (domain->alt_name == NULL) {
+-                              domain->alt_name = talloc_strdup(domain,
+-                                                               
domain_info->domain_name);
+-                              if (domain->alt_name == NULL) {
+-                                      DEBUG(0, ("talloc_strdup failed\n"));
+-                                      talloc_destroy(mem_ctx);
+-                                      return false;
+-                              }
+-                      }
+-                      if (domain->forest_name == NULL) {
+-                              domain->forest_name = talloc_strdup(domain,
+-                                                                  
domain_info->forest_name);
+-                              if (domain->forest_name == NULL) {
+-                                      DEBUG(0, ("talloc_strdup failed\n"));
+-                                      talloc_destroy(mem_ctx);
+-                                      return false;
+-                              }
+-                      }
+-              }
+-      } else {
+-              result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
+-                                                our_domain->dcname,
+-                                                domain->name,
+-                                                &tmp,
+-                                                &werr);
+-      }
+-
+-      /* And restore our original timeout. */
+-      rpccli_set_timeout(netlogon_pipe, orig_timeout);
+-
+-      if (!NT_STATUS_IS_OK(result)) {
+-              DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
+-                      nt_errstr(result)));
+-              talloc_destroy(mem_ctx);
+-              return false;
+-      }
+-
+-      if (!W_ERROR_IS_OK(werr)) {
+-              DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
+-                         win_errstr(werr)));
+-              talloc_destroy(mem_ctx);
+-              return false;
+-      }
+-
+-      /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
+-      p = strip_hostname(tmp);
+-
+-      fstrcpy(dcname, p);
+-
+-      talloc_destroy(mem_ctx);
+-
+-      DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
+-
+-      if (!resolve_name(dcname, dc_ss, 0x20, true)) {
+-              return False;
+-      }
+-
+-      return True;
+-}
+-
+ /**
+  * Helper function to assemble trust password and account name
+  */
+@@ -1283,24 +1154,8 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct 
winbindd_domain *domain,
+       struct  samba_sockaddr *sa_list = NULL;
+       size_t     salist_size = 0;
+       size_t     i;
+-      bool    is_our_domain;
+       enum security_types sec = (enum security_types)lp_security();
+ 
+-      is_our_domain = strequal(domain->name, lp_workgroup());
+-
+-      /* If not our domain, get the preferred DC, by asking our primary DC */
+-      if ( !is_our_domain
+-              && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags)
+-              && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
+-                     num_dcs) )
+-      {
+-              char addr[INET6_ADDRSTRLEN];
+-              print_sockaddr(addr, sizeof(addr), &ss);
+-              DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
+-                         dcname, addr));
+-              return True;
+-      }
+-
+       if ((sec == SEC_ADS) && (domain->alt_name != NULL)) {
+               char *sitename = NULL;
+ 
+diff --git a/source3/winbindd/winbindd_dual_srv.c 
b/source3/winbindd/winbindd_dual_srv.c
+index bbdaf6e5807..0d9d88733da 100644
+--- a/source3/winbindd/winbindd_dual_srv.c
++++ b/source3/winbindd/winbindd_dual_srv.c
+@@ -662,106 +662,11 @@ NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p,
+ 
+ NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName 
*r)
+ {
+-      struct winbindd_domain *domain = wb_child_domain();
+-      struct rpc_pipe_client *netlogon_pipe;
+-      struct netr_DsRGetDCNameInfo *dc_info;
+-      NTSTATUS status;
+-      WERROR werr;
+-      unsigned int orig_timeout;
+-      struct dcerpc_binding_handle *b;
+-      bool retry = false;
+-      bool try_dsrgetdcname = false;
+-
+-      if (domain == NULL) {
+-              return dsgetdcname(p->mem_ctx, global_messaging_context(),
+-                                 r->in.domain_name, r->in.domain_guid,
+-                                 r->in.site_name ? r->in.site_name : "",
+-                                 r->in.flags,
+-                                 r->out.dc_info);
+-      }
+-
+-      if (domain->active_directory) {
+-              try_dsrgetdcname = true;
+-      }
+-
+-reconnect:
+-      status = cm_connect_netlogon(domain, &netlogon_pipe);
+-
+-      reset_cm_connection_on_error(domain, NULL, status);
+-      if (!NT_STATUS_IS_OK(status)) {
+-              DEBUG(10, ("Can't contact the NETLOGON pipe\n"));
+-              return status;
+-      }
+-
+-      b = netlogon_pipe->binding_handle;
+-
+-      /* This call can take a long time - allow the server to time out.
+-         35 seconds should do it. */
+-
+-      orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
+-
+-      if (try_dsrgetdcname) {
+-              status = dcerpc_netr_DsRGetDCName(b,
+-                      p->mem_ctx, domain->dcname,
+-                      r->in.domain_name, NULL, r->in.domain_guid,
+-                      r->in.flags, r->out.dc_info, &werr);
+-              if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) {
+-                      goto done;
+-              }
+-              if (!retry &&
+-                  reset_cm_connection_on_error(domain, NULL, status))
+-              {
+-                      retry = true;
+-                      goto reconnect;
+-              }
+-              try_dsrgetdcname = false;
+-              retry = false;
+-      }
+-
+-      /*
+-       * Fallback to less capable methods
+-       */
+-
+-      dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo);
+-      if (dc_info == NULL) {
+-              status = NT_STATUS_NO_MEMORY;
+-              goto done;
+-      }
+-
+-      if (r->in.flags & DS_PDC_REQUIRED) {
+-              status = dcerpc_netr_GetDcName(b,
+-                      p->mem_ctx, domain->dcname,
+-                      r->in.domain_name, &dc_info->dc_unc, &werr);
+-      } else {
+-              status = dcerpc_netr_GetAnyDCName(b,
+-                      p->mem_ctx, domain->dcname,
+-                      r->in.domain_name, &dc_info->dc_unc, &werr);
+-      }
+-
+-      if (!retry && reset_cm_connection_on_error(domain, b, status)) {
+-              retry = true;
+-              goto reconnect;
+-      }
+-      if (!NT_STATUS_IS_OK(status)) {
+-              DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n",
+-                         nt_errstr(status)));
+-              goto done;
+-      }
+-      if (!W_ERROR_IS_OK(werr)) {
+-              DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n",
+-                         win_errstr(werr)));
+-              status = werror_to_ntstatus(werr);
+-              goto done;
+-      }
+-
+-      *r->out.dc_info = dc_info;
+-      status = NT_STATUS_OK;
+-
+-done:
+-      /* And restore our original timeout. */
+-      rpccli_set_timeout(netlogon_pipe, orig_timeout);
+-
+-      return status;
++      return dsgetdcname(p->mem_ctx, global_messaging_context(),
++                         r->in.domain_name, r->in.domain_guid,
++                         r->in.site_name ? r->in.site_name : "",
++                         r->in.flags,
++                         r->out.dc_info);
+ }
+ 
+ NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r)
+-- 
+2.47.2
+
+
+From 41191db034ea7825acd01a0166cd2a8b425878ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <g...@samba.org>
+Date: Wed, 2 Jul 2025 21:59:48 +0200
+Subject: [PATCH 3/3] s3-winbindd: Fix internal winbind dsgetdcname calls
+ w.r.t. domain name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+when winbind calls to dsgetdcname internally, make sure to
+prefer the DNS domain name if we have it. Makes DNS lookups much more
+likely to succeed.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876
+
+Guenther
+
+Signed-off-by: Guenther Deschner <g...@samba.org>
+Reviewed-by: Andreas Schneider <a...@samba.org>
+Reviewed-by: Ralph Boehme <s...@samba.org>
+
+Autobuild-User(master): Ralph Böhme <s...@samba.org>
+Autobuild-Date(master): Mon Jul  7 10:44:37 UTC 2025 on atb-devel-224
+
+(cherry picked from commit 2560c9b3224816ffd371a62103f65b3aca301ad5)
+---
+ source3/winbindd/wb_queryuser.c   | 17 +++++++++++++----
+ source3/winbindd/wb_sids2xids.c   | 17 +++++++++++++----
+ source3/winbindd/wb_xids2sids.c   | 12 +++++++++---
+ source3/winbindd/winbindd_dual.c  |  6 +++++-
+ source3/winbindd/winbindd_proto.h |  1 +
+ source3/winbindd/winbindd_util.c  | 19 +++++++++++++++++++
+ 6 files changed, 60 insertions(+), 12 deletions(-)
+
+diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
+index c2758f1b76a..db8e946ba71 100644
+--- a/source3/winbindd/wb_queryuser.c
++++ b/source3/winbindd/wb_queryuser.c
+@@ -289,10 +289,19 @@ static void wb_queryuser_done(struct tevent_req *subreq)
+ 
+       if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
+           !state->tried_dclookup) {
+-              D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling 
wb_dsgetdcname_send()\n");
+-              subreq = wb_dsgetdcname_send(
+-                      state, state->ev, state->info->domain_name, NULL, NULL,
+-                      DS_RETURN_DNS_NAME);
++              const char *domain_name = find_dns_domain_name(
++                      state->info->domain_name);
++
++              D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling "
++                      "wb_dsgetdcname_send(%s)\n",
++                      domain_name);
++
++              subreq = wb_dsgetdcname_send(state,
++                                           state->ev,
++                                           domain_name,
++                                           NULL,
++                                           NULL,
++                                           DS_RETURN_DNS_NAME);
+               if (tevent_req_nomem(subreq, req)) {
+                       return;
+               }
+diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c
+index f0f6c23fc20..03e5e7e0258 100644
+--- a/source3/winbindd/wb_sids2xids.c
++++ b/source3/winbindd/wb_sids2xids.c
+@@ -612,13 +612,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq)
+           !state->tried_dclookup) {
+ 
+               struct lsa_DomainInfo *d;
++              const char *domain_name = NULL;
+ 
+-              D_DEBUG("Domain controller not found. Calling 
wb_dsgetdcname_send() to get it.\n");
+               d = &state->idmap_doms.domains[state->dom_index];
+ 
+-              subreq = wb_dsgetdcname_send(
+-                      state, state->ev, d->name.string, NULL, NULL,
+-                      DS_RETURN_DNS_NAME);
++              domain_name = find_dns_domain_name(d->name.string);
++
++              D_DEBUG("Domain controller not found. Calling "
++                      "wb_dsgetdcname_send(%s) to get it.\n",
++                      domain_name);
++
++              subreq = wb_dsgetdcname_send(state,
++                                           state->ev,
++                                           domain_name,
++                                           NULL,
++                                           NULL,
++                                           DS_RETURN_DNS_NAME);
+               if (tevent_req_nomem(subreq, req)) {
+                       return;
+               }
+diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c
+index 86bd7f9deab..6fcf524d94f 100644
+--- a/source3/winbindd/wb_xids2sids.c
++++ b/source3/winbindd/wb_xids2sids.c
+@@ -143,9 +143,15 @@ static void wb_xids2sids_dom_done(struct tevent_req 
*subreq)
+       if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
+           !state->tried_dclookup) {
+ 
+-              subreq = wb_dsgetdcname_send(
+-                      state, state->ev, state->dom_map->name, NULL, NULL,
+-                      DS_RETURN_DNS_NAME);
++              const char *domain_name = find_dns_domain_name(
++                      state->dom_map->name);
++
++              subreq = wb_dsgetdcname_send(state,
++                                           state->ev,
++                                           domain_name,
++                                           NULL,
++                                           NULL,
++                                           DS_RETURN_DNS_NAME);
+               if (tevent_req_nomem(subreq, req)) {
+                       return;
+               }
+diff --git a/source3/winbindd/winbindd_dual.c 
b/source3/winbindd/winbindd_dual.c
+index b8e1ceddecc..ee80a4725fa 100644
+--- a/source3/winbindd/winbindd_dual.c
++++ b/source3/winbindd/winbindd_dual.c
+@@ -532,6 +532,7 @@ static void wb_domain_request_trigger(struct tevent_req 
*req,
+       struct wb_domain_request_state *state = tevent_req_data(
+               req, struct wb_domain_request_state);
+       struct winbindd_domain *domain = state->domain;
++      const char *domain_name = NULL;
+       struct tevent_req *subreq = NULL;
+       size_t shortest_queue_length;
+ 
+@@ -604,8 +605,11 @@ static void wb_domain_request_trigger(struct tevent_req 
*req,
+        * which is indicated by DS_RETURN_DNS_NAME.
+        * For NT4 domains we still get the netbios name.
+        */
++
++      domain_name = find_dns_domain_name(state->domain->name);
++
+       subreq = wb_dsgetdcname_send(state, state->ev,
+-                                   state->domain->name,
++                                   domain_name,
+                                    NULL, /* domain_guid */
+                                    NULL, /* site_name */
+                                    DS_RETURN_DNS_NAME); /* flags */
+diff --git a/source3/winbindd/winbindd_proto.h 
b/source3/winbindd/winbindd_proto.h
+index 4dee9b046cf..292b96ee5fa 100644
+--- a/source3/winbindd/winbindd_proto.h
++++ b/source3/winbindd/winbindd_proto.h
+@@ -603,6 +603,7 @@ bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr,
+                  struct dom_sid **sids, uint32_t *num_sids);
+ bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
+                  struct unixid **pxids, uint32_t *pnum_xids);
++const char *find_dns_domain_name(const char *domain_name);
+ 
+ /* The following definitions come from winbindd/winbindd_wins.c  */
+ 
+diff --git a/source3/winbindd/winbindd_util.c 
b/source3/winbindd/winbindd_util.c
+index 7527a78b30e..5c832fc22b5 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -2241,3 +2241,22 @@ fail:
+       TALLOC_FREE(xids);
+       return false;
+ }
++
++/**
++ * Helper to extract the DNS Domain Name from a struct winbindd_domain
++ */
++const char *find_dns_domain_name(const char *domain_name)
++{
++      struct winbindd_domain *wbdom = NULL;
++
++      wbdom = find_domain_from_name(domain_name);
++      if (wbdom == NULL) {
++              return domain_name;
++      }
++
++      if (wbdom->active_directory && wbdom->alt_name != NULL) {
++              return wbdom->alt_name;
++      }
++
++      return wbdom->name;
++}
+-- 
+2.47.2
+
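Review bot: The file name ties this backport to CVE-2025-0620, but none of the three embedded commits mentions that identifier: patches 2/3 and 3/3 cite only Samba bug 15876, and patch 1/3 cites no bug at all. Anyone auditing which advisories 4.20.8-r1 covers has only the file name to go on, so a short header before the first `From` line naming the upstream bug and the advisory this series is meant to address (or a rename, if the CVE label turns out not to match) would make that checkable. Separately, in patch 3/3 the comment on `find_dns_domain_name()` says it extracts the name from a `struct winbindd_domain`, while the function takes a name string and returns either the caller's own pointer or a string held by the looked-up domain entry; `/* Map a domain name to its DNS name (alt_name) for AD domains; the result is borrowed, not allocated. */` would describe it more accurately.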

diff --git 
a/net-fs/samba/files/samba-4.20.8-dont-use-deprecated-readline-CPPFunction-cast.patch
 
b/net-fs/samba/files/samba-4.20.8-dont-use-deprecated-readline-CPPFunction-cast.patch
new file mode 100644
index 000000000000..21048bb8c7a0
--- /dev/null
+++ 
b/net-fs/samba/files/samba-4.20.8-dont-use-deprecated-readline-CPPFunction-cast.patch
@@ -0,0 +1,74 @@
+From 81fc67cce2a076236a82ab5336ed3a9260f12af1 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <a...@samba.org>
+Date: Tue, 21 Jan 2025 17:59:27 +0100
+Subject: [PATCH] lib:replace: Don't use deprecated readline CPPFunction cast
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+HAVE_RL_COMPLETION_FUNC_T was unused and not checking for the right
+function.
+
+libcli/smbreadline/smbreadline.c: In function ‘smb_readline’:
+libcli/smbreadline/smbreadline.c:139:17: warning: ‘CPPFunction’ is deprecated 
[-Wdeprecated-declarations]
+  139 |                 rl_attempted_completion_function = RL_COMPLETION_CAST 
completion_fn;
+      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+libcli/smbreadline/smbreadline.c:139:50: error: assignment to ‘char ** 
(*)(const char *, int,  int)’ from incompatible pointer type ‘char ** 
(*)(void)’ [-Wincompatible-pointer-types]
+  139 |                 rl_attempted_completion_function = RL_COMPLETION_CAST 
completion_fn;
+      |                                                  ^
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15788
+
+Signed-off-by: Andreas Schneider <a...@samba.org>
+Reviewed-by: Alexander Bokovoy <a...@samba.org>
+
+Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
+Autobuild-Date(master): Tue Jan 21 19:38:37 UTC 2025 on atb-devel-224
+
+(cherry picked from commit 9aa5c43315d83c19514251a11c4fba5a137f2821)
+
+Autobuild-User(v4-21-test): Jule Anger <jan...@samba.org>
+Autobuild-Date(v4-21-test): Thu Jan 23 15:15:06 UTC 2025 on atb-devel-224
+---
+ lib/replace/system/readline.h        | 4 +++-
+ libcli/smbreadline/wscript_configure | 8 +++++---
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/replace/system/readline.h b/lib/replace/system/readline.h
+index 9a9af266ca6d..ac3604fc12e0 100644
+--- a/lib/replace/system/readline.h
++++ b/lib/replace/system/readline.h
+@@ -46,7 +46,9 @@
+ #endif
+ 
+ #ifdef HAVE_NEW_LIBREADLINE
+-#ifdef HAVE_CPPFUNCTION
++#if defined(HAVE_RL_COMPLETION_FUNC_T)
++#  define RL_COMPLETION_CAST (rl_completion_func_t *)
++#elif defined(HAVE_CPPFUNCTION)
+ #  define RL_COMPLETION_CAST (CPPFunction *)
+ #elif defined(HAVE_RL_COMPLETION_T)
+ #  define RL_COMPLETION_CAST (rl_completion_t *)
+diff --git a/libcli/smbreadline/wscript_configure 
b/libcli/smbreadline/wscript_configure
+index 912ff53a150d..f5a401ebae00 100644
+--- a/libcli/smbreadline/wscript_configure
++++ b/libcli/smbreadline/wscript_configure
+@@ -51,10 +51,12 @@ conf.CHECK_CODE('''
+ #    endif
+ #  endif
+ #endif
+-int main(void) {rl_completion_t f; return 0;}
++int main(void) {rl_completion_func_t f; return 0;}
+ ''',
+-'HAVE_RL_COMPLETION_FUNC_T', execute=False, addmain=False,
+-msg='Checking for rl_completion_t')
++                'HAVE_RL_COMPLETION_FUNC_T',
++                execute=False,
++                addmain=False,
++                msg='Checking for rl_completion_func_t')
+ 
+ conf.CHECK_CODE('''
+ #ifdef HAVE_READLINE_READLINE_H
+-- 
+GitLab
+

diff --git a/net-fs/samba/samba-4.20.8-r1.ebuild 
b/net-fs/samba/samba-4.20.8-r1.ebuild
new file mode 100644
index 000000000000..a54114e219a7
--- /dev/null
+++ b/net-fs/samba/samba-4.20.8-r1.ebuild
@@ -0,0 +1,387 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{11..13} )
+PYTHON_REQ_USE="threads(+),xml(+)"
+inherit python-single-r1 flag-o-matic waf-utils multilib-minimal linux-info 
systemd pam tmpfiles
+
+DESCRIPTION="Samba Suite Version 4"
+HOMEPAGE="https://samba.org/";
+
+MY_PV="${PV/_rc/rc}"
+MY_P="${PN}-${MY_PV}"
+if [[ ${PV} == *_rc* ]]; then
+       SRC_URI="https://download.samba.org/pub/samba/rc/${MY_P}.tar.gz";
+else
+       SRC_URI="https://download.samba.org/pub/samba/stable/${MY_P}.tar.gz";
+       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 
~riscv ~sparc ~x86"
+fi
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="acl addc ads ceph client cluster cups debug fam glusterfs gpg"
+IUSE+=" iprint json ldap llvm-libunwind pam profiling-data python quota 
+regedit selinux"
+IUSE+=" snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test 
unwind winbind"
+IUSE+=" zeroconf"
+
+REQUIRED_USE="${PYTHON_REQUIRED_USE}
+       addc? ( json python !system-mitkrb5 winbind )
+       ads? ( acl ldap python winbind )
+       cluster? ( ads )
+       gpg? ( addc )
+       spotlight? ( json )
+       test? ( python )
+       !ads? ( !addc )
+       ?? ( system-heimdal system-mitkrb5 )
+"
+
+# the test suite is messed, it uses system-installed samba
+# bits instead of what was built, tests things disabled via use
+# flags, and generally just fails to work in a way ebuilds could
+# rely on in its current state
+RESTRICT="test"
+
+MULTILIB_WRAPPED_HEADERS=(
+       /usr/include/samba-4.0/policy.h
+       /usr/include/samba-4.0/dcerpc_server.h
+       /usr/include/samba-4.0/ctdb.h
+       /usr/include/samba-4.0/ctdb_client.h
+       /usr/include/samba-4.0/ctdb_protocol.h
+       /usr/include/samba-4.0/ctdb_private.h
+       /usr/include/samba-4.0/ctdb_typesafe_cb.h
+       /usr/include/samba-4.0/ctdb_version.h
+)
+
+TALLOC_VERSION="2.4.2"
+TDB_VERSION="1.4.10"
+TEVENT_VERSION="0.16.1"
+
+COMMON_DEPEND="
+       >=app-arch/libarchive-3.1.2:=[${MULTILIB_USEDEP}]
+       dev-lang/perl:=
+       dev-libs/icu:=[${MULTILIB_USEDEP}]
+       dev-libs/libbsd[${MULTILIB_USEDEP}]
+       dev-libs/libtasn1:=[${MULTILIB_USEDEP}]
+       dev-libs/popt[${MULTILIB_USEDEP}]
+       dev-perl/Parse-Yapp
+       >=net-libs/gnutls-3.4.7:=[${MULTILIB_USEDEP}]
+       >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
+       >=sys-libs/ldb-2.9.2:=[ldap(+)?,${MULTILIB_USEDEP}]
+       <sys-libs/ldb-2.10.0:=[ldap(+)?,${MULTILIB_USEDEP}]
+       sys-libs/libcap[${MULTILIB_USEDEP}]
+       sys-libs/liburing:=[${MULTILIB_USEDEP}]
+       sys-libs/ncurses:=
+       sys-libs/readline:=
+       >=sys-libs/talloc-${TALLOC_VERSION}[${MULTILIB_USEDEP}]
+       >=sys-libs/tdb-${TDB_VERSION}[${MULTILIB_USEDEP}]
+       >=sys-libs/tevent-${TEVENT_VERSION}[${MULTILIB_USEDEP}]
+       sys-libs/zlib[${MULTILIB_USEDEP}]
+       virtual/libcrypt:=[${MULTILIB_USEDEP}]
+       virtual/libiconv
+       $(python_gen_cond_dep '
+               addc? (
+                       dev-python/dnspython:=[${PYTHON_USEDEP}]
+                       dev-python/markdown[${PYTHON_USEDEP}]
+               )
+               ads? (
+                       dev-python/dnspython:=[${PYTHON_USEDEP}]
+                       net-dns/bind[gssapi]
+               )
+       ')
+       acl? ( virtual/acl )
+       ceph? ( sys-cluster/ceph )
+       cluster? ( net-libs/rpcsvc-proto )
+       cups? ( net-print/cups )
+       debug? ( dev-util/lttng-ust )
+       fam? ( virtual/fam )
+       gpg? ( app-crypt/gpgme:= )
+       json? ( dev-libs/jansson:= )
+       ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] )
+       pam? ( sys-libs/pam )
+       python? (
+               sys-libs/ldb[python,${PYTHON_SINGLE_USEDEP}]
+               sys-libs/talloc[python,${PYTHON_SINGLE_USEDEP}]
+               sys-libs/tdb[python,${PYTHON_SINGLE_USEDEP}]
+               sys-libs/tevent[python,${PYTHON_SINGLE_USEDEP}]
+       )
+       snapper? ( sys-apps/dbus )
+       system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl(-),${MULTILIB_USEDEP}] )
+       system-mitkrb5? ( >=app-crypt/mit-krb5-1.19[${MULTILIB_USEDEP}] )
+       !system-heimdal? ( !system-mitkrb5? ( 
sys-apps/keyutils[${MULTILIB_USEDEP}] ) )
+       systemd? ( sys-apps/systemd:= )
+       unwind? (
+               llvm-libunwind? ( llvm-runtimes/libunwind:= )
+               !llvm-libunwind? ( sys-libs/libunwind:= )
+       )
+       zeroconf? ( net-dns/avahi[dbus] )
+"
+DEPEND="${COMMON_DEPEND}
+       dev-perl/JSON
+       net-libs/libtirpc[${MULTILIB_USEDEP}]
+       net-libs/rpcsvc-proto
+       spotlight? ( dev-libs/glib )
+       test? (
+               >=dev-util/cmocka-1.1.3[${MULTILIB_USEDEP}]
+               $(python_gen_cond_dep 
"dev-python/python-subunit[\${PYTHON_USEDEP},${MULTILIB_USEDEP}]" )
+               !system-mitkrb5? (
+                       >=net-dns/resolv_wrapper-1.1.4
+                       >=net-libs/socket_wrapper-1.1.9
+                       >=sys-libs/nss_wrapper-1.1.3
+                       >=sys-libs/uid_wrapper-1.2.1
+               )
+       )"
+RDEPEND="${COMMON_DEPEND}
+       client? ( net-fs/cifs-utils[ads?] )
+       python? ( ${PYTHON_DEPS} )
+       selinux? ( sec-policy/selinux-samba )
+"
+BDEPEND="${PYTHON_DEPS}
+       app-text/docbook-xsl-stylesheets
+       dev-libs/libxslt
+       virtual/pkgconfig
+"
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-4.18.4-pam.patch
+       "${FILESDIR}"/ldb-2.5.2-skip-wav-tevent-check.patch
+       "${FILESDIR}"/${P}-dont-use-deprecated-readline-CPPFunction-cast.patch
+       "${FILESDIR}"/${P}-CVE-2025-0620.patch
+)
+
+CONFDIR="${FILESDIR}/4.4"
+WAF_BINARY="${S}/buildtools/bin/waf"
+SHAREDMODS=""
+
+pkg_setup() {
+       # Package fails to build with distcc
+       export DISTCC_DISABLE=1
+       export PYTHONHASHSEED=1
+
+       python-single-r1_pkg_setup
+
+       SHAREDMODS="$(usev !snapper '!')vfs_snapper"
+       if use cluster ; then
+               SHAREDMODS+=",idmap_rid,idmap_tdb2,idmap_ad"
+       elif use ads ; then
+               SHAREDMODS+=",idmap_ad"
+       fi
+}
+
+check_samba_dep_versions() {
+       actual_talloc_version=$(sed -En '/^VERSION =/{s/[^0-9.]//gp}' 
lib/talloc/wscript || die)
+       if [[ ${actual_talloc_version} != ${TALLOC_VERSION} ]] ; then
+               eerror "Source talloc version: ${TALLOC_VERSION}"
+               eerror "Ebuild talloc version: ${actual_talloc_version}"
+               die "Ebuild needs to fix TALLOC_VERSION!"
+       fi
+
+       actual_tdb_version=$(sed -En '/^VERSION =/{s/[^0-9.]//gp}' 
lib/tdb/wscript || die)
+       if [[ ${actual_tdb_version} != ${TDB_VERSION} ]] ; then
+               eerror "Source tdb version: ${TDB_VERSION}"
+               eerror "Ebuild tdb version: ${actual_tdb_version}"
+               die "Ebuild needs to fix TDB_VERSION!"
+       fi
+
+       actual_tevent_version=$(sed -En '/^VERSION =/{s/[^0-9.]//gp}' 
lib/tevent/wscript || die)
+       if [[ ${actual_tevent_version} != ${TEVENT_VERSION} ]] ; then
+               eerror "Source tevent version: ${TEVENT_VERSION}"
+               eerror "Ebuild tevent version: ${actual_tevent_version}"
+               die "Ebuild needs to fix TEVENT_VERSION!"
+       fi
+}
+
+src_prepare() {
+       default
+
+       check_samba_dep_versions
+
+       # Unbundle dnspython
+       sed -i -e '/"dns.resolver":/d' "${S}"/third_party/wscript || die
+
+       # Unbundle iso8601 unless tests are enabled
+       if ! use test ; then
+               sed -i -e '/"iso8601":/d' "${S}"/third_party/wscript || die
+       fi
+
+       # Ugly hackaround for bug #592502
+       #cp /usr/include/tevent_internal.h "${S}"/lib/tevent/ || die
+
+       sed -e 's:<gpgme\.h>:<gpgme/gpgme.h>:' \
+               -i source4/dsdb/samdb/ldb_modules/password_hash.c \
+               || die
+
+       # WAF
+       multilib_copy_sources
+}
+
+multilib_src_configure() {
+       # When specifying libs for samba build you must append NONE to the end 
to
+       # stop it automatically including things
+       local bundled_libs="NONE"
+       if ! use system-heimdal && ! use system-mitkrb5 ; then
+               
bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE"
+       fi
+
+       # We "use" bundled cmocka when we're not running tests as we're
+       # not using it anyway. Means we avoid making users install it for
+       # no reason. bug #802531
+       if ! use test ; then
+               bundled_libs="cmocka,${bundled_libs}"
+       fi
+
+       # bug #874633
+       if use llvm-libunwind ; then
+               mkdir -p "${T}"/${ABI}/pkgconfig || die
+
+               local -x 
PKG_CONFIG_PATH="${T}/${ABI}/pkgconfig:${PKG_CONFIG_PATH}"
+
+               cat <<-EOF > "${T}"/${ABI}/pkgconfig/libunwind-generic.pc || die
+               exec_prefix=\${prefix}
+               libdir=/usr/$(get_libdir)
+               includedir=\${prefix}/include
+
+               Name: libunwind-generic
+               Description: libunwind generic library
+               Version: 1.70
+               Libs: -L\${libdir} -lunwind
+               Cflags: -I\${includedir}
+               EOF
+       fi
+
+       local myconf=(
+               --enable-fhs
+               --sysconfdir="${EPREFIX}/etc"
+               --localstatedir="${EPREFIX}/var"
+               --with-modulesdir="${EPREFIX}/usr/$(get_libdir)/samba"
+               --with-piddir="${EPREFIX}/run/${PN}"
+               --bundled-libraries="${bundled_libs}"
+               --builtin-libraries=NONE
+               --disable-rpath
+               --disable-rpath-install
+               --nopyc
+               --nopyo
+               --without-winexe
+               $(multilib_native_use_with acl acl-support)
+               $(multilib_native_usex addc '' '--without-ad-dc')
+               $(multilib_native_use_with ads)
+               $(multilib_native_use_enable ceph cephfs)
+               $(multilib_native_use_with cluster cluster-support)
+               $(multilib_native_use_enable cups)
+               --without-dmapi
+               $(multilib_native_use_with fam)
+               $(multilib_native_use_enable glusterfs)
+               $(multilib_native_use_with gpg gpgme)
+               $(multilib_native_use_with json)
+               $(multilib_native_use_enable iprint)
+               $(multilib_native_use_with pam)
+               $(multilib_native_usex pam 
"--with-pammodulesdir=${EPREFIX}/$(get_libdir)/security" '')
+               $(multilib_native_use_with quota quotas)
+               $(multilib_native_use_with regedit)
+               $(multilib_native_use_enable spotlight)
+               $(multilib_native_use_with syslog)
+               $(multilib_native_use_with systemd)
+               --systemd-install-services
+               --with-systemddir="$(systemd_get_systemunitdir)"
+               $(multilib_native_use_with unwind libunwind)
+               $(multilib_native_use_with winbind)
+               $(multilib_native_usex python '' '--disable-python')
+               $(multilib_native_use_enable zeroconf avahi)
+               $(multilib_native_usex test '--enable-selftest' '')
+               $(usev system-mitkrb5 "--with-system-mitkrb5 ${ESYSROOT}/usr 
$(multilib_native_usex addc --with-experimental-mit-ad-dc '')")
+               $(use_with debug lttng)
+               $(use_with ldap)
+               $(use_with profiling-data)
+               # bug #683148
+               --jobs 1
+       )
+
+       if multilib_is_native_abi ; then
+               myconf+=( --with-shared-modules=${SHAREDMODS} )
+       else
+               myconf+=( --with-shared-modules=DEFAULT,!vfs_snapper )
+       fi
+
+       append-cppflags "-I${ESYSROOT}/usr/include/et"
+
+       waf-utils_src_configure ${myconf[@]}
+}
+
+multilib_src_compile() {
+       waf-utils_src_compile
+}
+
+multilib_src_test() {
+       if multilib_is_native_abi ; then
+               "${WAF_BINARY}" test || die "Test failed"
+       fi
+}
+
+multilib_src_install() {
+       waf-utils_src_install
+
+       # Make all .so files executable
+       find "${ED}" -type f -name "*.so" -exec chmod +x {} + || die
+       # smbspool_krb5_wrapper must only be accessible to root, bug #880739
+       find "${ED}" -type f -name "smbspool_krb5_wrapper" -exec chmod go-rwx 
{} + || die
+
+       # Remove empty runtime dirs created by build system (bug #892341)
+       find "${ED}"/{run,var} -type d -empty -delete || die
+
+       if multilib_is_native_abi ; then
+               # Install ldap schema for server (bug #491002)
+               if use ldap ; then
+                       insinto /etc/openldap/schema
+                       doins examples/LDAP/samba.schema
+               fi
+
+               # Create symlink for cups (bug #552310)
+               if use cups ; then
+                       dosym ../../../bin/smbspool \
+                               /usr/libexec/cups/backend/smb
+               fi
+
+               # Install example config file
+               insinto /etc/samba
+               doins examples/smb.conf.default
+
+               # Fix paths in example file (bug #603964)
+               sed \
+                       -e '/log file 
=/s@/usr/local/samba/var/@/var/log/samba/@' \
+                       -e '/include =/s@/usr/local/samba/lib/@/etc/samba/@' \
+                       -e '/path =/s@/usr/local/samba/lib/@/var/lib/samba/@' \
+                       -e '/path =/s@/usr/local/samba/@/var/lib/samba/@' \
+                       -e '/path =/s@/usr/spool/samba@/var/spool/samba@' \
+                       -i "${ED}"/etc/samba/smb.conf.default || die
+
+               # Install init script and conf.d file
+               newinitd "${CONFDIR}/samba4.initd-r1" samba
+               newconfd "${CONFDIR}/samba4.confd" samba
+
+               dotmpfiles "${FILESDIR}"/samba.conf
+               if ! use addc ; then
+                       rm "${D}/$(systemd_get_systemunitdir)/samba.service" \
+                               || die
+               fi
+
+               # Preserve functionality for old gentoo-specific unit names
+               dosym nmb.service "$(systemd_get_systemunitdir)/nmbd.service"
+               dosym smb.service "$(systemd_get_systemunitdir)/smbd.service"
+               dosym winbind.service 
"$(systemd_get_systemunitdir)/winbindd.service"
+
+               use python && python_optimize
+       fi
+
+       if use pam && use winbind ; then
+               newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind
+               # bugs #376853 and #590374
+               insinto /etc/security
+               doins examples/pam_winbind/pam_winbind.conf
+       fi
+}
+
+pkg_postinst() {
+       tmpfiles_process samba.conf
+}
