The branch, v4-19-stable has been updated
via fcd094b208f VERSION: Disable GIT_SNAPSHOT for the 4.19.3 release.
via e4a8049f7d9 WHATSNEW: Add release notes for Samba 4.19.3.
via 5897f213e11 vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions
via f4d8a3393e7 vfs_aixacl2: Call stat DAC_CAP_OVERRIDE functions
via ada585b6c52 nfs4_acls: Make fstat_with_cap_dac_override static
via 5f157b23b9f nfs4_acls: Make stat_with_cap_dac_override static
via 482e205dfd6 nfs4_acls: Make fstatat_with_cap_dac_override static
via 5998e68d3e4 vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and
rename function
via 119586b1926 vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename
function
via ac17e86baf0 vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename
function
via af89e07cb65 vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename
function
via dd266ff243a vfs_gpfs: Move stat_with_capability to nfs4_acls.c and
rename function
via 18373c5d395 vfs_gpfs: Move fstatat_with_cap_dac_override to
nfs4_acls.c
via cc0416f19b2 nfs4_acls: Implement fstat with DAC_CAP_OVERRIDE
via 26d47c66354 vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat
via 14bb93a4460 vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstat
via 9043b07bd2d vfs_gpfs: Move fstatat with DAC_CAP_OVERRIDE to helper
function
via 98249085895 vfs_gpfs: Use O_PATH for opening dirfd for stat with
CAP_DAC_OVERRIDE
via b6c13c49153 python:tests: SHA1 is no longer supported by
cryptography module
via 2f5a1ac1c96 python:tests: Fix assertEquals which doesn't exist in
Python 3.12
via ec4893eea9c third_party: Build pypamtest with
-Wno-error=declaration-after-statement
via ec5885982af Use python.h from libreplace
via 2feaa755e25 lib:replace: Add python.h
via 95af9424ccc smbd: fix close order of base_fsp and stream_fsp in
smb_fname_fsp_destructor()
via a5b61b469a2 pytests: sid_strings: do not fail if epoch ending has
zeros
via af4fe00f264 system.c: fall back to become_root if CAP_DAC_OVERRIDE
isn't usable
via adb1da16e39 s3: smbd: Ignore fstat() error on deleted stream in
fd_close().
via 3b649ba044c s4:kdc: fix user2user tgs-requests for normal user
accounts
via 94fa2897906 third_party/heimdal kdc: introduce
HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit
a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))
via 166035b7c55 tests/krb5/kdc_tgs_tests: add user2user tests using a
normal user account
via ba252e247c5 s3:winbindd: Improve logging for failover scenarios in
winbindd_cm.c
via 8c0f1206560 s3:libads: Improve logging for failover scenarios
via 0bb520822c9 s3:libsmb: Improve logging for failover scenarios
via 7038794ec85 s3:winbindd: Improve logging for failover scenarios in
winbindd_pam.c
via a72c7228730 CVE-2018-14628: python:descriptor: let samba-tool
dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
via 98d0fa6c37d CVE-2018-14628: dbchecker: use
get_deletedobjects_descriptor for missing deleted objects container
via 0e657c31ac9 CVE-2018-14628: s4:dsdb: remove unused code in
dirsync_filter_entry()
via 31e4015b78e CVE-2018-14628: s4:setup: set the correct
nTSecurityDescriptor on the CN=Deleted Objects container
via 10673100a1b CVE-2018-14628: python:provision: make
DELETEDOBJECTS_DESCRIPTOR available in the ldif files
via 427054ab1ba CVE-2018-14628: python:descriptor: add
get_deletedobjects_descriptor()
via 2917289991e VERSION: Bump version up to Samba 4.19.3...
from 5b54d9e2be8 VERSION: Disable GIT_SNAPSHOT for the 4.19.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 126 ++++++++++++-
auth/credentials/pycredentials.c | 2 +-
buildtools/wafsamba/samba_autoconf.py | 3 +
lib/compression/pycompression.c | 2 +-
lib/crypto/py_crypto.c | 2 +-
lib/ldb-samba/pyldb.c | 2 +-
lib/ldb/pyldb.c | 2 +-
lib/ldb/pyldb_util.c | 2 +-
.../hash_inode.h => lib/replace/system/python.h | 19 +-
lib/smbconf/pysmbconf.c | 2 +-
lib/smbconf/pysmbconf.h | 2 +-
lib/talloc/pytalloc.c | 2 +-
lib/talloc/pytalloc_util.c | 2 +-
lib/talloc/test_pytalloc.c | 2 +-
lib/tdb/pytdb.c | 2 +-
lib/tevent/pytevent.c | 2 +-
libcli/nbt/pynbt.c | 2 +-
libcli/security/pysecurity.c | 2 +-
libcli/smb/py_reparse_symlink.c | 2 +-
libgpo/pygpo.c | 2 +-
pidl/lib/Parse/Pidl/Samba4/Python.pm | 2 +-
python/modules.c | 2 +-
python/py3compat.h | 2 +-
python/pyglue.c | 2 +-
python/samba/dbchecker.py | 27 ++-
python/samba/descriptor.py | 25 ++-
python/samba/provision/__init__.py | 5 +
python/samba/provision/sambadns.py | 4 +
python/samba/tests/gpo.py | 204 ++++++++++-----------
python/samba/tests/krb5/pkinit_tests.py | 24 +--
python/samba/tests/sid_strings.py | 2 +-
selftest/knownfail.d/samba4.ldap.confidential_attr | 1 +
source3/lib/smbconf/pys3smbconf.c | 2 +-
source3/lib/system.c | 31 +++-
source3/libads/ldap.c | 10 +
source3/libsmb/clientgen.c | 5 +
source3/libsmb/pylibsmb.c | 2 +-
source3/modules/nfs4_acls.c | 149 +++++++++++++++
source3/modules/nfs4_acls.h | 16 ++
source3/modules/vfs_aixacl2.c | 4 +
source3/modules/vfs_gpfs.c | 76 +-------
source3/modules/vfs_zfsacl.c | 4 +
source3/param/pyparam.c | 2 +-
source3/param/pyparam_util.c | 2 +-
source3/passdb/py_passdb.c | 2 +-
source3/rpc_client/py_mdscli.c | 2 +-
source3/smbd/files.c | 24 +--
source3/smbd/open.c | 15 +-
source3/smbd/pysmbd.c | 2 +-
source3/utils/py_net.c | 2 +-
source3/winbindd/winbindd_cm.c | 31 +++-
source3/winbindd/winbindd_pam.c | 4 +
source4/auth/gensec/pygensec.c | 2 +-
source4/auth/pyauth.c | 2 +-
source4/dns_server/pydns.c | 2 +-
source4/dsdb/pydsdb.c | 2 +-
source4/dsdb/samdb/ldb_modules/dirsync.c | 53 +-----
source4/kdc/db-glue.c | 30 ++-
source4/kdc/sdb.h | 4 +-
source4/lib/messaging/pymessaging.c | 2 +-
source4/lib/policy/pypolicy.c | 2 +-
source4/lib/registry/pyregistry.c | 2 +-
source4/libnet/py_net.c | 2 +-
source4/libnet/py_net_dckeytab.c | 2 +-
source4/librpc/ndr/py_auth.c | 2 +-
source4/librpc/ndr/py_lsa.c | 2 +-
source4/librpc/ndr/py_misc.c | 2 +-
source4/librpc/ndr/py_security.c | 26 +--
source4/librpc/ndr/py_xattr.c | 2 +-
source4/librpc/rpc/pyrpc.c | 2 +-
source4/librpc/rpc/pyrpc_util.c | 2 +-
source4/ntvfs/posix/python/pyposix_eadb.c | 2 +-
source4/ntvfs/posix/python/pyxattr_native.c | 2 +-
source4/ntvfs/posix/python/pyxattr_tdb.c | 2 +-
source4/param/provision.c | 2 +-
source4/param/pyparam.c | 2 +-
source4/param/pyparam_util.c | 2 +-
source4/scripting/bin/gen_ntstatus.py | 2 +-
source4/scripting/bin/gen_werror.py | 2 +-
...eck-link-output-missing-link-sid-corruption.txt | 8 +-
.../expected-links-after-dbcheck.ldif | 2 +-
.../release-4-5-0-pre1/rootdse-version.final.txt | 2 +-
source4/setup/provision.ldif | 1 +
source4/setup/provision_configuration.ldif | 1 +
source4/setup/provision_dnszones_add.ldif | 1 +
testprogs/blackbox/dbcheck-links.sh | 12 ++
third_party/heimdal/kdc/krb5tgs.c | 7 +-
third_party/heimdal/lib/hdb/hdb.h | 1 +
third_party/pam_wrapper/wscript | 5 +
90 files changed, 714 insertions(+), 354 deletions(-)
copy source3/modules/hash_inode.h => lib/replace/system/python.h (60%)
create mode 100644 selftest/knownfail.d/samba4.ldap.confidential_attr
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 5ac084390fd..7da956b9a0f 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b9b3205212c..2d098c61f18 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,126 @@
+ ==============================
+ Release Notes for Samba 4.19.3
+ November 27, 2023
+ ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+It contains the security-relevant bugfix CVE-2018-14628:
+
+ Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
+ allow read of object tombstones over LDAP
+ (Administrator action required!)
+ https://www.samba.org/samba/security/CVE-2018-14628.html
+
+
+Description of CVE-2018-14628
+-----------------------------
+
+All versions of Samba from 4.0.0 onwards are vulnerable to an
+information leak (compared with the established behaviour of
+Microsoft's Active Directory) when Samba is an Active Directory Domain
+Controller.
+
+When a domain was provisioned with an unpatched Samba version,
+the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
+instead of being very strict (as on a Windows provisioned domain).
+
+This means also non privileged users can use the
+LDAP_SERVER_SHOW_DELETED_OID control in order to view,
+the names and preserved attributes of deleted objects.
+
+No information that was hidden before the deletion is visible, but in
+with the correct ntSecurityDescriptor value in place the whole object
+is also not visible without administrative rights.
+
+There is no further vulnerability associated with this error, merely an
+information disclosure.
+
+Action required in order to resolve CVE-2018-14628!
+---------------------------------------------------
+
+The patched Samba does NOT protect existing domains!
+
+The administrator needs to run the following command
+(on only one domain controller)
+in order to apply the protection to an existing domain:
+
+ samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
+
+The above requires manual interaction in order to review the
+changes before they are applied. Typicall question look like this:
+
+ Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to
provision default?
+ Owner mismatch: SY (in ref) DA(in current)
+ Group mismatch: SY (in ref) DA(in current)
+ Part dacl is different between reference and current here is the
detail:
+ (A;;LCRPLORC;;;AU) ACE is not present in the reference
+ (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the
reference
+ (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the
reference
+ (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the
current
+ (A;;LCRP;;;BA) ACE is not present in the current
+ [y/N/all/none] y
+ Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted
Objects,DC=samba,DC=org'
+
+The change should be confirmed with 'y' for all objects starting with
+'CN=Deleted Objects'.
+
+
+Changes since 4.19.2
+--------------------
+
+o Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
+ * BUG 15520: sid_strings test broken by unix epoch > 1700000000.
+
+o Ralph Boehme <s...@samba.org>
+ * BUG 15487: smbd crashes if asked to return full information on close of a
+ stream handle with delete on close disposition set.
+ * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
+ smb_fname_fsp_destructor().
+
+o Pavel Filipenský <pfilipen...@samba.org>
+ * BUG 15499: Improve logging for failover scenarios.
+
+o Björn Jacke <b...@sernet.de>
+ * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
+ listed in directories.
+
+o Stefan Metzmacher <me...@samba.org>
+ * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
+ AD LDAP to normal users.
+ * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
+ accounts.
+
+o Christof Schmitt <c...@samba.org>
+ * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
+
+o Andreas Schneider <a...@samba.org>
+ * BUG 15513: Samba doesn't build with Python 3.12.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.19.2
October 16, 2023
@@ -58,8 +181,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.19.1
October 10, 2023
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index bd877941a9a..3687050bde9 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -16,7 +16,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "python/py3compat.h"
#include "includes.h"
#include "python/modules.h"
diff --git a/buildtools/wafsamba/samba_autoconf.py
b/buildtools/wafsamba/samba_autoconf.py
index 8541d003e2a..34fd5fab2c0 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -817,6 +817,9 @@ int main(void) {
if CHECK_CFLAGS(conf, ["-Wno-error=array-bounds"]):
conf.define('HAVE_WNO_ERROR_ARRAY_BOUNDS', 1)
+ if CHECK_CFLAGS(conf, ["-Wno-error=declaration-after-statement"]):
+ conf.define('HAVE_WNO_ERROR_DECLARATION_AFTER_STATEMENT', 1)
+
if not Options.options.disable_warnings_as_errors:
conf.ADD_NAMED_CFLAGS('PICKY_CFLAGS', '-Werror
-Wno-error=deprecated-declarations', testflags=True)
conf.ADD_NAMED_CFLAGS('PICKY_CFLAGS',
'-Wno-error=tautological-compare', testflags=True)
diff --git a/lib/compression/pycompression.c b/lib/compression/pycompression.c
index 3be3620b1cf..5c3fd82a00a 100644
--- a/lib/compression/pycompression.c
+++ b/lib/compression/pycompression.c
@@ -26,7 +26,7 @@
#include "includes.h"
#include <talloc.h>
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "lzxpress.h"
#include "lzxpress_huffman.h"
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
index 5b3c307057a..4d89e12376f 100644
--- a/lib/crypto/py_crypto.c
+++ b/lib/crypto/py_crypto.c
@@ -18,7 +18,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "includes.h"
#include "python/py3compat.h"
diff --git a/lib/ldb-samba/pyldb.c b/lib/ldb-samba/pyldb.c
index 01ed065947a..2241abc01df 100644
--- a/lib/ldb-samba/pyldb.c
+++ b/lib/ldb-samba/pyldb.c
@@ -19,7 +19,7 @@
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "python/py3compat.h"
#include "includes.h"
#include <ldb.h>
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 8981e5ea45c..a0383ab8166 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -28,7 +28,7 @@
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "ldb_private.h"
#include "ldb_handlers.h"
#include "pyldb.h"
diff --git a/lib/ldb/pyldb_util.c b/lib/ldb/pyldb_util.c
index 665e34426bc..1256b16ddad 100644
--- a/lib/ldb/pyldb_util.c
+++ b/lib/ldb/pyldb_util.c
@@ -23,7 +23,7 @@
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "ldb.h"
#include "pyldb.h"
diff --git a/source3/modules/hash_inode.h b/lib/replace/system/python.h
similarity index 60%
copy from source3/modules/hash_inode.h
copy to lib/replace/system/python.h
index e08fc48aa15..b242baecb1c 100644
--- a/source3/modules/hash_inode.h
+++ b/lib/replace/system/python.h
@@ -1,7 +1,5 @@
/*
- * Unix SMB/Netbios implementation.
- *
- * Copyright (c) 2019 Andreas Schneider <a...@samba.org>
+ * Copyright (c) 2023 Andreas Schneider <a...@samba.org>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -17,9 +15,16 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#ifndef _HASH_INODE_H
-#define _HASH_INODE_H
+#ifndef _SAMBA_PYTHON_H
+#define _SAMBA_PYTHON_H
-SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname);
+/*
+ * With Python 3.6 Cpython started to require C99. With Python 3.12 they
+ * started to mix code and variable declarations so disable the warnings.
+ */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeclaration-after-statement"
+#include <Python.h>
+#pragma GCC diagnostic pop
-#endif /* _HASH_INODE_H */
+#endif /* _SAMBA_PYTHON_H */
diff --git a/lib/smbconf/pysmbconf.c b/lib/smbconf/pysmbconf.c
index 20041d3a580..2538127b1ba 100644
--- a/lib/smbconf/pysmbconf.c
+++ b/lib/smbconf/pysmbconf.c
@@ -18,7 +18,7 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "includes.h"
#include "python/py3compat.h"
diff --git a/lib/smbconf/pysmbconf.h b/lib/smbconf/pysmbconf.h
index e8c6c9998e3..1e57bfb19dd 100644
--- a/lib/smbconf/pysmbconf.h
+++ b/lib/smbconf/pysmbconf.h
@@ -21,7 +21,7 @@
#ifndef _PYSMBCONF_H_
#define _PYSMBCONF_H_
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "lib/smbconf/smbconf.h"
typedef struct {
diff --git a/lib/talloc/pytalloc.c b/lib/talloc/pytalloc.c
index 9d62eed455e..f6f068108d6 100644
--- a/lib/talloc/pytalloc.c
+++ b/lib/talloc/pytalloc.c
@@ -21,7 +21,7 @@
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include <talloc.h>
#include <pytalloc.h>
#include "pytalloc_private.h"
diff --git a/lib/talloc/pytalloc_util.c b/lib/talloc/pytalloc_util.c
index 064957ffd6f..766938a82c8 100644
--- a/lib/talloc/pytalloc_util.c
+++ b/lib/talloc/pytalloc_util.c
@@ -21,7 +21,7 @@
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "replace.h"
#include <talloc.h>
#include "pytalloc.h"
diff --git a/lib/talloc/test_pytalloc.c b/lib/talloc/test_pytalloc.c
index aa05d8c342b..fb385852a39 100644
--- a/lib/talloc/test_pytalloc.c
+++ b/lib/talloc/test_pytalloc.c
@@ -26,7 +26,7 @@
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include <talloc.h>
#include <pytalloc.h>
diff --git a/lib/tdb/pytdb.c b/lib/tdb/pytdb.c
index ed22803328c..4d75d7a9041 100644
--- a/lib/tdb/pytdb.c
+++ b/lib/tdb/pytdb.c
@@ -24,7 +24,7 @@
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "replace.h"
#include "system/filesys.h"
diff --git a/lib/tevent/pytevent.c b/lib/tevent/pytevent.c
index aa2331c1d6c..bbe29f6c693 100644
--- a/lib/tevent/pytevent.c
+++ b/lib/tevent/pytevent.c
@@ -22,7 +22,7 @@
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "replace.h"
#include <tevent.h>
diff --git a/libcli/nbt/pynbt.c b/libcli/nbt/pynbt.c
index 0908a6bce3c..e0a72fa8451 100644
--- a/libcli/nbt/pynbt.c
+++ b/libcli/nbt/pynbt.c
@@ -17,7 +17,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "includes.h"
#include "python/py3compat.h"
#include "libcli/util/pyerrors.h"
diff --git a/libcli/security/pysecurity.c b/libcli/security/pysecurity.c
index 80730485242..c7eaa91a71b 100644
--- a/libcli/security/pysecurity.c
+++ b/libcli/security/pysecurity.c
@@ -17,7 +17,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "python/py3compat.h"
#include "includes.h"
#include "python/modules.h"
diff --git a/libcli/smb/py_reparse_symlink.c b/libcli/smb/py_reparse_symlink.c
index 57dc6032f99..470aab8d679 100644
--- a/libcli/smb/py_reparse_symlink.c
+++ b/libcli/smb/py_reparse_symlink.c
@@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "replace.h"
#include "python/modules.h"
#include "python/py3compat.h"
diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
index bf63a60522f..adbd5b4688d 100644
--- a/libgpo/pygpo.c
+++ b/libgpo/pygpo.c
@@ -16,7 +16,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "includes.h"
#include "version.h"
#include "param/pyparam.h"
diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm
b/pidl/lib/Parse/Pidl/Samba4/Python.pm
index 6eb59a0557e..7867eabad92 100644
--- a/pidl/lib/Parse/Pidl/Samba4/Python.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm
@@ -2293,7 +2293,7 @@ sub Parse($$$$$)
$self->pidl_hdr("
/* Python wrapper functions auto-generated by pidl */
#define PY_SSIZE_T_CLEAN 1 /* We use Py_ssize_t for
PyArg_ParseTupleAndKeywords */
-#include <Python.h>
+#include \"lib/replace/system/python.h\"
#include \"python/py3compat.h\"
#include \"includes.h\"
#include \"python/modules.h\"
diff --git a/python/modules.c b/python/modules.c
index ca563ff07d2..577eb552750 100644
--- a/python/modules.c
+++ b/python/modules.c
@@ -17,7 +17,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "py3compat.h"
#include "includes.h"
#include "python/modules.h"
diff --git a/python/py3compat.h b/python/py3compat.h
index 01108214783..bfee82f92b3 100644
--- a/python/py3compat.h
+++ b/python/py3compat.h
@@ -19,7 +19,7 @@
#ifndef _SAMBA_PY3COMPAT_H_
#define _SAMBA_PY3COMPAT_H_
-#include <Python.h>
+#include "lib/replace/system/python.h"
/* Quick docs:
* Syntax for module initialization is as in Python 3, except the entrypoint
diff --git a/python/pyglue.c b/python/pyglue.c
index 901a9a37be5..b35b2d21104 100644
--- a/python/pyglue.c
+++ b/python/pyglue.c
@@ -17,7 +17,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <Python.h>
+#include "lib/replace/system/python.h"
#include "python/py3compat.h"
#include "includes.h"
#include "python/modules.h"
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 84513694fab..48669b5c521 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -20,7 +20,7 @@
import ldb
import samba
import time
-from base64 import b64decode
+from base64 import b64decode, b64encode
from samba import dsdb
from samba import common
from samba.dcerpc import misc
@@ -29,7 +29,11 @@ from samba.ndr import ndr_unpack, ndr_pack
from samba.dcerpc import drsblobs
from samba.samdb import dsdb_Dn
from samba.dcerpc import security
-from samba.descriptor import get_wellknown_sds, get_diff_sds
+from samba.descriptor import (
+ get_wellknown_sds,
+ get_deletedobjects_descriptor,
+ get_diff_sds
--
Samba Shared Repository
