- Update to the 2.5.3 for samba-4.16.10 release

- Update to security release of Samba 4.16 with update libldb to 2.5.3:
  + ldb wildcard matching makes excessive allocations (Samba#15331).

- Security fixes (Samba#15270, Samba#15315):
  + CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                   remote LDAP server, will by default send new or reset
                   passwords over a signed-only connection.
                   https://www.samba.org/samba/security/CVE-2023-0922.html

  + CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                   Confidential attribute disclosure via LDAP filters was
                   insufficient and an attacker may be able to obtain
                   confidential BitLocker recovery keys from a Samba AD DC.
                   Installations with such secrets in their Samba AD should
                   assume they have been obtained and need replacing.
                   https://www.samba.org/samba/security/CVE-2023-0614.html

- Indents at selected OU's widget with policies list are minimized.
- Ellipsis for too long names in description bar is added. Label is located to
  the right of the tree with chosen object. Tool tip for that label is added.
  Tool tip contains full object name.
- Attribute groupType display and edit are changed from decimal to hexadecimal.
  Attribute value also contains flag names that were set.
- Error dialog after critical policy selection is removed. Error is displayed
  in log now. Dialog error messages after critical policy deletion attempt are
  clarified.
- Russian language is removed from english logs and vice versa.
- Block inheritance indicator is added to OU's icon from group policy objects.
- Enforced link indicator is added to policy icon from group policy objects.
- Disabled policies appearence changing is added to policies from group policy
  objects. Policy item icon changes appearance (fades) after group policy link
  disabling.
- Policy link indicator is added to policy icon from group policy objects.
  Indicator is located in left bottom policy icon corner.
- Policies that are linked to domain is visible in group policy objects now.
- Group policy objects order is changed. Policies is placed higher than OUs now.

- Support for pam_winbind (aka NT password) (Closes: #45513)
- Update russian translation, reconvert it to UTF-8

- Add conflicts to another postgresql versions subpackages with same
  major version (closes: 45507).

- Update to latest stable release.
- Fix run_time message validation in logsrvd.
- Fixed a potential double-free bug when matching a sudoers rule
  that contains a per-command chroot directive (CHROOT=dir).

- Update to maintenance release of Samba 4.16
- Security fixes:
  + CVE-2022-38023: Samba should refuse RC4 (aka md5) based SChannel on
    NETLOGON (Samba#15240).
- Major fixes:
  + smbc_getxattr() return value is incorrect (Samba#14808).
  + samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when
    there is only an AAAA record for the DC in DNS (Samba#15226).
  + smbd crashes if an FSCTL request is done on a stream handle (Samba#15236).
  + auth3_generate_session_info_pac leaks wbcAuthUserInfo (Samba#15286).
  + Leak in wbcCtxPingDc2 (Samba#15164).
  + irpc_destructor may crash during shutdown (Samba#15280).
- Share enumeration (netshareenum) fixes:
  + %U for include directive doesn't work for share listing (Samba#15243).
  + Shares missing from netshareenum response in samba 4.17.4 (Samba#15266).
  + Access based share enum does not work in Samba 4.16+ (Samba#15265).
  + Crash during share enumeration (Samba#15267).

- Update to latest stable bugfix and security release (closes: 44965).
- Fixed a compilation error on Linux/aarch64 (GitHub#197).
- Fixed a potential crash introduced in the fix for (GitHub#134):
 + If a user's sudoers entry did not have any RunAs user's set, running
   "sudo -U otheruser -l" would dereference a NULL pointer.
- Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating
  a I/O files when the "iolog_file" sudoers setting contains six or more Xs.
- Fixed security issue (fixes: CVE-2023-22809), a flaw in sudo's -e option (aka
  sudoedit) that could allow a malicious user with sudoedit privileges to edit
  arbitrary files.

- Fix race condition problems with AdInterface.

- Fixed a typo in cifs_applier.py

- Add user policies for drive maps symlinks in home directory.
- Add warning when disabling network manager.
- Fix correction of option name open ldap tls connections in russian.
- Fix typo in cups.service

- Update installation process for release 104.0.5112.114

- Update to latest release 106.0-5249.119

- Update Policy templates for Firefox 106 and Firefox ESR 102.4
- This release contains some typo fixes and new Russian translations
  thanks to lepata@

- Add control for Yandex Browser group policies mechanism.
- Improve group policies mechanisms display names and help descriptions.

- Action menu: Block inheritance feature is added to organizational
  unit context menu. Also limited group policy tab is returned.
- Console: Bug with empty group policy object crushing is fixed.
- Console: Non-deletable group policy containers dont dissapear
  from GUI after deletion attempt now. Warning message popups instead
  of error log dialog.
- Misc: "Order" column is added to policy organizational unit results.
  Sort is performed with this column by default.
- Console: Fix crash in policy tree after changing properties
  for organizational units.
- Misc: Fix description bar squishing scope pane, when selected
  item's name is too long and description bar needs to display it.
- Toolbar: Fix icons for "create" actions for organizational units,
  users and groups in toolbar.
- Misc: Add trimming to full name autofill.
- Misc: Add trimming to attribute sAMAccountName edit in create
  dialog for computers.
- Misc: Add "find gpo" action to policy tree. It implements group
  policy objects search functional.
- Misc: Improve "Import Query" action. So it's possible to
  import multiple queries at the same time.

- Update text of summary for role-usershares and smb-conf-usershares.
- Update default usershare prefix allow and deny lists:
  + usershare prefix deny list = /etc /dev /sys /proc
  + usershare prefix allow list = /home /srv /mnt /media /var
- Add new controls for samba-usershares:
  + smb-conf-usershare-allow-list
  + smb-conf-usershare-deny-list
  + smb-conf-usershare-owner-only
  + smb-conf-usershare-allow-guests

- Add role-usershares control allow or disallow for group users using of
  samba usershares as privilege.
- Add compatibility support for sambashare group as common privilege assigned
  to usershares group (Closes: #44379).

- Update samba defaults from samba-4.16.6-alt1 release.
- Update restore script with default configuration files actually placed in
  default directory as in the user's system.

- Update to latest 2.8 major release.
- Important fixes:
  + A regression when running sss_cache when no SSSD domain is enabled would
    produce a syslog critical message was fixed.
  + Several fixes in D-Bus infopipe functions:
    ListByName(), Groups.ListByName() and Groups.ListByDomainAndName().

- Don't treat a missing include file as an error in handle_include().
  This behavior differs between the source3 and source4 parts of Samba.
  So, it should be the same and just not an error (Closes #44214).

- Redesign become_user patch to should assign supplementary groups for server
  part of code only (due race condition in krb5_child, for example).

- AD GPO: Fix support processing referrals for hostname
- New features
  + Introduced the dbus function
    org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, limit)
    listing upto limit users matching the filter attr=value.
  + sssctl is now able to create, list and delete indexes on the local caches.
    Indexes are useful for the new D-Bus ListByAttr() function.
  + sssctl is now able to read and set each component's debug level
    independently.
- Important fixes
  + domains option in [sssd] section can now be completely omitted if domains
    are enabled via domains/enabled option.
- New options:
  + core_dumpable, ldap_enumeration_refresh_offset,
    subdomain_refresh_interval_offset, dyndns_refresh_interval_offset
    refresh_expired_interval_offset, ldap_purge_cache_offset.
- Configuration changes:
  + Option 'ad_machine_account_password_renewal_opts' now accepts an optional
    third part as the maximum deviation in the provided period (first part) and
    initial delay (second part). If the period and initial delay are provided
    but not the offset, the offset is assumed to be 0. If no part is provided,
    the default is 86400:750:300.
  + override_homedir now recognizes the %h template which is replaced by the
    original home directory retrieved from the identity provider, but in lower
    case.

- Add support LDAP add/mod operation to set/change password:
 + fix unable to join to active directory after KB5008380/CVE-2021-42287 with
   option '--ldap-passwd';
 + https://gitlab.freedesktop.org/realmd/adcli/-/issues/27
- Add support fall back to LDAPS if CLDAP ping was not successful
 + If the --use-ldaps option is used and there is no reply on the CLDAP 389/udp
   port adcli will try to send the request to the LDAPS port 636/tcp.
- Fix write SID before secret to Samba's db looks like 'net changesecretpw'
- Add passwd-user sub-command for (re)set a user password.
- Add dont-expire-password option for computer.

- New directory /etc/local-policy-system with Local Group Policy Template (GPT)
- Add control local-policy-system-access

- Fix machine part of file-copy group policy engine.

- Update Policy templates for Firefox 103 and Firefox ESR 102.1
- While these templates will work for Firefox ESR 91, they contain
  new policies that are not in Firefox ESR 91:
  + ExemptDomainFileTypePairsFromFileTypeDownloadWarnings
  + StartDownloadsInTempDirectory
  + UseSystemPrintDialog

- Update to latest release 105.0-5195.127

- Fixed formation of the correct path for creating a user directory

- Fixes:
  + #84127 Fix invalid types for list enums.
  + #76835 Fix message on policy state change.

- Update to release for samba-4.16

- New version for samba-4.16

- Update to the 2.5.2 for samba-4.16.4 release

- Update to latest stable release of Samba 4.16
- Major fixes:
  + Possible use after free of connection_struct when iterating
    smbd_server_connection->connections (Samba#15128).
  + Spotlight RPC service returns wrong response when Spotlight is
    disabled on a share (Samba#15086).
  + acl_xattr VFS module may unintentionally use filesystem
    permissions instead of ACL from xattr (Samba#15126).
  + Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
    assert failed: !is_named_stream(smb_fname)") at
    ../../lib/util/fault.c:197 (Samba#15153).
  + Missing READ_LEASE break could cause data corruption (Samba#15148).
  + rpcclient can crash using setuserinfo(2) (Samba#15124).
  + Samba fails to build with glibc 2.36 caused by including
    <sys/mount.h> in libreplace (Samba#15132).
  + SMB1 negotiation can fail to handle connection errors (Samba#15152).
  + samba-tool domain join segfault when joining a samba ad domain (Samba#15078).

- Update to latest 2.7 major release.
- Lock-free client support will be only built if libc provides
  pthread_key_create() and pthread_once().
  For glibc this means version 2.34+
- Add requirement of adcli to sssd-ad.

- Cleanup Requires and BuidRequires.

- Update to stable release 6.15 (Samba#15025, Samba#15026)
- mount.cifs: fix length check for ip option parsing (fixes: CVE-2022-27239)
- mount.cifs: fix verbose messages on option parsing (fixes: CVE-2022-29869)

- Apply patch libtdb-revert-breaking-tdb.h.patch from fedora
  (resolved sssd#5793 on github, rhbz#1983011)

- Update to latest release for samba-4.15

- New version for samba-4.15.0

- Update to the 2.4.4 for samba-4.15.9 release

- Update to security release of Samba 4.15
- Security fixes:
  + CVE-2022-2031:  Samba AD users can bypass certain restrictions associated
                    with changing passwords (Samba#15047).
  + CVE-2022-32744: Samba AD users can forge password change requests for any
                    user (Samba#15074).
  + CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
                    or modify request (Samba#15008).
  + CVE-2022-32746: Samba AD users can induce a use-after-free in the server
                    process with an LDAP add or modify request (Samba#15009).
  + CVE-2022-32742: Server memory information leak via SMB1 (Samba#15085).

- Updated to 11 version

- Update to latest 2.7 major release:
  + CLIENT: use thread local storage for socket to a.void the need for a lock.
  + SSS_CLIENT: got rid of code duplication.
  + SSS_CLIENT: mem-cache: fixed missing error code.
  + PAM P11: fixed minor mem-leak.

- update to new version
- add JAVA_HOME to run script (closed: 43326)

- task-auth-ad-sssd: add requires for sssd-tools and adcli for machine password

- build with stable wxGTK3.0

- Fix samba-tool domain backup DC with forced local samdb.

- Updated to 11 version

- Update russian translations (by Elena Mishina <lepata@basealt.ru>)

- Update to the 2.3.3 for latest samba-4.14.13 bugfix release

- Update to latest bugfix release of Samba 4.14
- Fixes:
  + Renaming file on DFS root fails with NT_STATUS_OBJECT_PATH_NOT_FOUND.
  + Samba does not response STATUS_INVALID_PARAMETER when opening 2 objects with
    same lease key.
  + NT error code is not set when overwriting a file during rename in libsmbclient.
  + net ads info shows LDAP Server: 0.0.0.0 depending on contacted server.
  + wbinfo -a doesn't work reliable with upn names.
  + Problem when winbind renews Kerberos.
  + NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES in
    SMBC_server_internal.
  + Multpile RODC fixes:
    - Simple bind doesn't work against an RODC (with non-preloaded users).
    - Crash of winbind on RODC.
    - Uncached logon on RODC always fails once.
    - Changing the machine password against an RODC likely destroys the domain join.
    - Simple bind doesn't work against an RODC (with non-preloaded users).
  + Avoid mixing the main krbtgt account keys with an RODC if the
    msDS-KeyVersionNumber is larger than 65535 (set 16 upper bits to zero).
  + Use Heimdal 8.0 (pre) rather than an earlier snapshot.
  + LDAP simple binds should honour "old password allowed period".
  + Fix ldap simple bind with TLS auditing.
  + "password hash userPassword schemes = CryptSHA256" does not seem to work
    with samba-tool.

- AD Domain in the AD Forest Missing after sssd latest update
- sdap_idmap.c/sssd_idmap.c incorrectly calculates rangesize from upper/lower
- Regression on rawhide with ssh auth using password
- sssd-ad broken in 2.6.2, 389 used as kerberos port
- sssd error triggers backtrace: write_krb5info_file_from_fo_server

- Update to latest 1.48 bugfix release (thanks to Ondrej Holy):
  + smb: Rework anonymous handling to avoid EINVAL
  + smb: Ignore EINVAL for kerberos/ccache login
  + sftp: Adapt on new OpenSSH password prompts
  + Translation updates

- new version 27.2.4
- build with rtmps support

- 1.26.1

- Update to latest regression fixes for samba-4.14.10:
  + CVE-2021-3670 ldb: Confirm the request has not yet timed out

- Fix linking of some libraries (libsmbldap.so.2.1.0, libpopt-samba3-samba4.so,
  libsamba-modules-samba4.so, winbind_krb5_locator.so and smbpasswd.so):
  + find-requires: ERROR: /usr/lib/rpm/lib.req failed.

- AD Domain in the AD Forest Missing after sssd latest update
- sdap_idmap.c/sssd_idmap.c incorrectly calculates rangesize from upper/lower
- Regression on rawhide with ssh auth using password
- sssd-ad broken in 2.6.2, 389 used as kerberos port
- sssd error triggers backtrace: write_krb5info_file_from_fo_server

- AD Domain in the AD Forest Missing after sssd latest update
- sdap_idmap.c/sssd_idmap.c incorrectly calculates rangesize from upper/lower
- Regression on rawhide with ssh auth using password
- sssd-ad broken in 2.6.2, 389 used as kerberos port
- sssd error triggers backtrace: write_krb5info_file_from_fo_server

- new version 1.1.4

- Update to the 2.3.2 with backported all C code changes from ldb-2.4.1
- Fix overflow timestring test for 32 bits platforms

- Add support samba-tool-plus alternative for samba-dc build with heimdal.

- Revert reverted patch with change owner/permissions of user deskprofile path
  due it still needed.

- Add support samba-tool-plus alternatives for various samba-dc and
  samba-dc-mitkrb5 builds with Heimdal and MIT Kerberos respectively.

- Add support systemd-networkd iface control functions

- Add systemd-networkd control mode

- Added support for Kerberos authentication via use_kerberos.patch

- Fixed typo in screensaver setting in Russian translations
- Improve English translation of gsettings strings
- Fix authetication method bug for gsetting oprtion:
  org.gnome.Vino.authentication-methods

- Adjust local policy templates
- Add control system-policy for gpupdate

- Added exception for org.gnome.Vino authentication-methods
- Fixed bug for alternative-port in org.gnome.Vino

- Add mutual exclusion for show system role (-S or --system) and
  show role in additional file option (-f or --file) options.

- Update to latest security release of Samba 4.14
- Fix performance regressions in lsa_LookupSids3/LookupNames4 since Samba 4.9 by
  using an explicit database handle cache and address a signifcant in database
  access in the AD DC since Samba 4.12.
- Fix an unuthenticated user can crash the AD DC KDC by omitting the server name
  in a TGS-REQ (Fixes: CVE-2021-3671).

- Fix the ability to add user_of_subject to user_identities
- Refactoring the addition_to_user_identities_user_of_subject function

- Update to latest stable release with bugfixes and improvements:
 + Sudo now can handle the getgroups() function returning a different
   number of groups for subsequent invocations.

- Fix kerberos mount regression in commit e461afd (Arch).
  This is the fix for CVE-2021-20208 (Closes: 40887)

- Fix net ads join segmentation fault problem if ldap SRV host record not found.

- Rebuild with explicitly enabled man pages and other build options
- Added rst2man.py3 to configure search list for compatibility with branch p9

- Update to latest release with support for fd-passing via unix sockets
- Add public libsocket_wrapper_noop library

- Update to 2.5.2:
  + auto_private_groups option can be set centrally through ID range setting
    in IPA (see ipa idrange commands family).
  + Default value of ldap_sudo_random_offset changed to 0 (disabled).
  + originalADgidNumber attribute in the SSSD cache is now indexed.
  + Add new config option fallback_to_nss.

- Fix Shortcuts applier double running in user context
- Add LogonUser variable to expand_windows_var() function
- Add support of path variable expansion to Shortcuts applier

- Fix using obsoleted in samba-4.14 cmd_user_create class with renamed
  cmd_user_add class (closes: 40557)
- Add conflicts with old samba package provided python3(samba.netcmd.user)