- Added new features from upstream (compatibility with SIEM systems):
  + ldap_server: Add a ldapsrv debug class to log LDAP queries

- Backport latest 2.9 LTM release for p10.
- Disable Kerberos localauth an2ln plugin for AD/IPA (fixes: CVE-2025-11561).

- Backport security fixes from Samba 4.21 (Fixes: CVE-2025-9640, CVE-2025-10230).
- smbclient, dns: fix new options default values (backport fixes).

- Multiple memory leaks in KDC (fixes: OVE-20250912-0001):
  + s4:kdc: Fix memory leak of padata_value (thx Ivan Korytov)
  + s4:kdc: Fix ticket encryption types memory leak (thx Ivan Korytov)
  + s4:kdc: Fix leaks of sdb_entry's members (thx Joseph Sutton)
  + s4:kdc: Fix memory leak for unused keys in TGT (thx Ivan Korytov)
  + auth: Cleanup exit code paths in kerberos_decode_pac() (thx Jeremy Allison)
  + auth: Add missing talloc_free() in error code path (thx Jeremy Allison)
- Added new features:
  + smbclient: support domain-based dfs (thx Petr Usoltsev)
  + dns: resolve srv records as in windows (thx Petr Usoltsev)
- New options:
  + 'client resolve dfs names' - If yes (by default) client library tries to
                                 resolve dfs name to hostname.
  + 'dns resolve srv records' -  If yes (by default) internal dns server fill
                                 in the srv entries with ip addresses in the
                                 additional section.
- Backported from upstream:
  + rpc registry: add ProductType for AD DC (thx Michael Saxl)
  + winbind: Fix running in interactive mode (thx Samuel Cabrero)

- Security release (fixes: CVE-2025-32462, CVE-2025-32463) (closes: 55007):
 + Sudo's -h (--host) option could be specified when running a command or
   editing a file. This could enable a local privilege escalation attack if the
   sudoers file allows the user to run commands on a different host.
   For more information, see Local Privilege Escalation via host option:
   https://www.sudo.ws/security/advisories/host_any/
 + An attacker can leverage sudo's -R (--chroot) option to run arbitrary
   commands as root, even if they are not listed in the sudoers file. The chroot
   support has been deprecated an will be removed entirely in a future release.
   For more information, see Local Privilege Escalation via chroot option:
   https://www.sudo.ws/security/advisories/chroot_bug/

- collect_tombstones: Doing a full scan for deleted objects in
  corresponding dn only (thx Ivan Volchenko).
- fix: mdb_util: enable compact while copying due it deadlock in offline backup.

- s3:locale:pam_winbind: Update Russian translation (thx Alevtina Karashokova).
- s3-waf: Enable build of MO files for localization (thx Ivan Korytov).
- s4:kdc: Free target principal string to avoid memory leak
  (CID 1596760) (thx Jo Sutton).
- s4:kdc: Allow referral policy for cross-realm krb-tgt tickets (thx Ivan Volchenko).
- mdb_util: enable compact while copying due it deadlock in offline backup.

- gse_krb5: gain root privilege during get server keytab (thx Ivan Volchenko).
  Fix PAM Winbind kerberos auth requires user access to keytab (Samba#12491).

- Fix typo in sss_ec_get_key() for OpenSSL older than 3.0.

- auth: Don't fallback to NTLMv1 in anonymous connections (thx Ivan Volchenko).
  Disable "not doing NTLM2 without a password" in function
  cli_credentials_get_ntlm_response().

- Update to latest stable release supported latest kernel 6.11.
- Major fixes from upstream:
  + LDAP Ping capability (to find the closest site);
  + smbinfo adds gettconinfo command (allowed dumping session and tcon id);
  + Various improvements to man pages.
- Backport bash completion support for smbinfo (with filestreaminfo, keys,
  gettconinfo) from Fedora.

- Added pam_canonicalize_user.so to system-auth-common (closes: #47426).
- Added pam_canonicalize_user control (closes: #47713).
- Disabled legacy pam_propperpwnam.so in system-auth-common during upgrade.

- Fix control support with various role module using.
- Fix not standart setup of libnss-role during upgrade (closes #50704).

- Updated to new version 1.3.1 (released 2024-06-12)
- Fixes from upstream:
  + Added support to find libc via LIBC_SO define
  + Fixed uid_wrapper running with jemalloc compiled binaries
  + Fixed socket_wrapper interaction test
  + Fixed thread sanitizer on modern Linux Kernels

- Updates to new version 1.4.3 (released 2024-06-12)
- Fixes from upstream:
  + Fixed socket_wrapper running with jemalloc compiled binaries
  + Fixed thread sanitizer on modern Linux Kernels
  + Fixed swrap_fake_uid_wrapper test

- Update to the 2.8.2 for samba-4.19.9 and later releases

- Update to security release of Samba 4.19
- Major fixes from upstream (Samba#15590, Samba#15624, Samba#15699, Samba#15280,
                             Samba#15696, Samba#15700):
  + libldb: performance issue with indexes (ldb 2.8.2 is already released).
  + DH reconnect error handling can lead to stale sharemode entries.
  + Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated.
  + irpc_destructor may crash during shutdown.
  + Compound SMB2 requests don't return NT_STATUS_NETWORK_SESSION_EXPIRED for
    all requests, confuses MacOSX clients.
  + Crash when readlinkat fails.

- Add password settings object's creation/deletion/edition. Password
  Settings Container contains these objects and located in the System
  container (objects tree).
- Fix empty parentheses display in the domain info widget for undefined domain
  controller's version.
- Add the ability to view which groups a group is a member of.

- Backport from stable release of Samba 4.20
  + Samba does not parse SDDL found in defaultSecurityDescriptor in
    AD_DS_Classes_Windows_Server_v1903.ldf

- Update to the 2.8.1 for samba-4.19.7 and later releases

- Update to maintenance release of Samba 4.19
- Fixes from upstream (Samba#15569, Samba#15625, Samba#14981, Samba#15412,
                       Samba#14981, Samba#15642, Samba#15636, Samba#15611):
  + ldb qsort might r/w out of bounds with an intransitive compare
     function (ldb 2.8.1 is already released).
  + Many qsort() comparison functions are non-transitive, which can
    lead to out-of-bounds access in some circumstances (ldb 2.8.1 released).
  + netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0.
  + Anonymous smb3 signing/encryption should be allowed (similar to
    Windows Server 2022).
  + Panic in dreplsrv_op_pull_source_apply_changes_trigger.
  + winbindd, net ads join and other things don't work on an ipv6 only host.
  + Smbcacls incorrectly propagates inheritance with Inherit-Only flag.
  + http library doesn't support 'chunked transfer encoding'.

- Fix clean memory for force dns canonicalize destination hostname option.

- Add support separate builds generated with samba-pidl.
- Backport latest fixes to maintenance release of Samba 4.19
  + Smbcacls incorrectly propagates inheritance with Inherit-Only
    flag (Samba#15636).
  + http library doesn't support 'chunked transfer encoding' (Samba#15611).

- Update to maintenance release of Samba 4.19
- Fixes from upstream (Samba#15580):
  + Packet marshalling push support missing for
     CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
     CTDB_CONTROL_TCP_CLIENT_PASSED.

- Update to latest release for samba-4.19

- Update to release for samba-4.19

- New version for samba-4.19

- Fixed LFS issues on 32bit platforms
- Fixed issue with fnctl() on 32bit
- Added openat64() to detect stale fds

- Fix cmocka >= 1.1.6 find_package()

- Fix cmocka >= 1.1.6 find_package()

- Fix cmocka >= 1.1.6 find_package()

- Update to the 2.8.0 for samba-4.19.x releases

- Update to stable release of Samba 4.19
- Fixes from upstream:
  + net changesecretpw cannot set the machine account password if secrets.tdb
    is empty (Samba#13577).
  + Following intermediate abolute share-local symlinks is broken (Samba#15505).
    ctdb RELEASE_IP causes a crash in release_ip if a connection to a non-public
    address disconnects first (Samba#15523).
  + shadow_copy2 broken when current fileset's directories are removed (Samba#15544).
  + 'force user = localunixuser' doesn't work if 'allow trusted domains = no'
    is set (Samba#15469).
  + smbget: debug logging doesn't work (Samba#15525), username in the smburl and
    interactive password entry doesn't work (Samba#15532), auth function doesn't
    set values for password prompt correctly (Samba#15538).
  + Unable to copy and write files from clients to Ceph cluster via SMB Linux
    gateway with Ceph VFS module (Samba#15440).
  + Multichannel refresh network information (Samba#15547).

- Update to latest 2.9 major release in long-term maintenance (LTM) phase.
- Fixes from upstream:
  + A crash when PAM passkey processing incorrectly handles non-passkey data.
  + A workaround was implemented to handle gracefully misbehaving applications
    that destroy internal state of SSSD client librarires.
  + An error when rotating KCM's logs was fixed.
  + Group membership handling when members are coming from different forest
    domains and using ldap token groups is prohibited.
  + Files provider was erroneously taking into consideration local_auth_policy
    config option, thus breaking smartcard authentication of local user in
    setups that didn't explicitly specify this option.

- Add compatibility with stable releases of samba-4.18 and later (closes: 49404).
- Replace python3 build to new pyproject_build process.

- Replace samba service pam config to samba-common due regression with password
  authentication in security = user mode with obey pam restrictions = yes.

- Update to latest 2.9 major release.
  + KCM: provide mechanism to purge expired credentials.
  + Default hardening - id_provider channel defaults unencrypted with starttls.
  + sssd-sudo missing debug statement in its .service file.
  + SSSD goes offline during initgroups of trusted user if a group is
    missing SID.
  + Incorrect handling of reverse IPv6 update results in update failure.
  + sssd-2.9.2 breaks smart card authentication (on el8).
- The proxy provider is now able to handle certificate mapping and matching
  rules and users handled by the proxy provider can be configured for local
  Smartcard authentication.
- Passkey doesn't fail when using FreeIPA server-side authentication and
  require-user-verification=false.
- When adding a new credential to KCM and the user has already reached their
  limit, the oldest expired credential will be removed to free some space.

- Update to release for samba-4.17

- Update to latest release for samba-4.17

- New version for samba-4.17

- Split and place libsocket_wrapper_noop library and it's development files
  to separate subpackages.

- Fixed possible crash in getaddrinfo()
- Fixed issues with processes closing all fds when forking
- Fixed issues with setgrent() and endpwent() nss module support

- Update to the 2.6.2 for samba-4.17.7 release

- Security update of Samba 4.17 with fixes of the Samba CVE for Deleted Object
  tombstones visible in AD LDAP to normal users (CVE-2018-14628).
- Security fixes:
  + CVE-2018-14628: Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
                    allow read of object tombstones over LDAP
                    (Administrator action required!)
                    https://www.samba.org/samba/security/CVE-2018-14628.html

- Update to latest 2.9 major release.
- sss_simpleifp library removed due it deprecated.
- "Files provider" removed due it deprecated, using "Proxy provider" with
  proxy_lib_name = files instead.
- New passkey functionality, which will allow the use of FIDO2 compliant devices
  to authenticate a centrally managed user locally.
- Default value of cache_first option was changed to true.
- sssctl cert-show and cert-show cert-eval-rule can now be run as non-root user.
- certmap: Handle type change of x400Address (due to CVE-2023-0286).
- New option local_auth_policy is added to control which offline authentication
  methods will be enabled by SSSD.
- SSSD can be configured not to perform a DNS search during DNS name resolution.
  This behavior is governed by the new dns_resolver_use_search_list in the
  domain section. Default value is true (follows the system settings).

- 1.2.1 -> 1.2.3.

- Add support the openssl security level

- Update to latest stable bugfix and security release (fixes: CVE-2023-42465):
 + The sudoers plugin has been modified to make it more resilient to ROWHAMMER
   attacks on authentication and policy matching.
 + The sudoers plugin now constructs the user time stamp file path name using
   the user-ID instead of the user name. This avoids a potential problem with
   user names that contain a path separator ('/') being interpreted as part of
   the path name. A similar issue in sudo-rs has been assigned CVE-2023-42456.
- Fixes in behavior:
 + The visudo utility will no longer create an empty file when the specified
   sudoers file does not exist and the user exits the editor without making any
   changes (GitHub#294).
 + Fixed a bug where output could go to the wrong terminal if "use_pty" is
   enabled (the default) and the standard input, output or error is redirected
   to a different terminal. Bug #1056.
 + A path separator ('/') in a user, group or host name is now replaced with an
   underbar character ('_') when expanding escapes in @include and @includedir
   directives as well as the "iolog_file" and "iolog_dir" sudoers Default
   settings.
- Fixes in user output:
 + Running "sudo -ll command" now produces verbose output that includes matching
   rule as well as the path to the sudoers file the matching rule came from.
 + Changes to terminal settings are now performed atomically, where possible.
   If the command is being run in a pseudo-terminal and the user's terminal is
   already in raw mode, sudo will not change the user's terminal settings. This
   prevents concurrent sudo processes from restoring the terminal settings to
   the wrong values (GitHub#312).
 + Better log message when rejecting a command if the "intercept" option is
   enabled and the "intercept_allow_setid" option is disabled. Previously,
   "command not allowed" would be logged and the user had no way of knowing
   what the actual problem was.
- Fixes in logging:
 + The sudoers source is now logged in the JSON event log. This makes it
   possible to tell which rule resulted in a match.
 + Sudo will now log the invoking user's environment as "submitenv" in the JSON
   logs. The command's environment ("runenv") is no longer logged for commands
   rejected by the sudoers file or an approval plugin.
 + The sudo_logsrvd server will now raise its open file descriptor limit to the
   maximum allowed value when it starts up. Each connection can require up to
   nine open file descriptors so the default soft limit may be too low.
- Fixed regressions:
 + Fixed the warning message for "sudo -l command" when the command is not
   permitted. There was a missing space between "list" and the actual command
   due to changes in sudo 1.9.14.
 + The "intercept_verify" sudoers option is now only applied when the
   "intercept" option is set in sudoers. Previously, it was also applied when
   "log_subcmds" was enabled. Sudo 1.9.14 contained an incorrect fix for this.
 + Reverted a change from sudo 1.9.4 that resulted in PAM session modules being
   called with the environment of the command to be run instead of the
   environment of the invoking user (GitHub#318).

- Update Policy templates for Firefox 114 and Firefox ESR 102.12

- Fix systemd-networkd cache initialization

- ALT_Regular_License: clean STATUS, adjust variables to be clear,
  add p10 branch

- Add check with admx-lint for group policy templates validation.

- Disable build of shared libutil.
- Enable build with static sudoers.

- Initial build for Sisyphus.

- Update to latest stable release with regressions.
- Fixed a bug that could cause sudo to hang when running a command
  in a pseudo-terminal when there is still input buffered after a
  command has exited.
- Fixed regressions in sudo 1.9.13:
 + Fixed a bug introduced in sudo 1.9.13 that caused a syntax error
   when "list" was used as a user or host name (GitHub #246).
 + Fixed "sudo -U otheruser -l command" (GitHub #248).
 + Fixed "sudo -l command args" when matching a command in sudoers
   with command line arguments (GitHub #249).

- Update to the 2.5.3 for samba-4.16.10 release

- Update to security release of Samba 4.16 with update libldb to 2.5.3:
  + ldb wildcard matching makes excessive allocations (Samba#15331).

- Security fixes (Samba#15270, Samba#15315):
  + CVE-2023-0922: The Samba AD DC administration tool, when operating against a
                   remote LDAP server, will by default send new or reset
                   passwords over a signed-only connection.
                   https://www.samba.org/samba/security/CVE-2023-0922.html

  + CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
                   Confidential attribute disclosure via LDAP filters was
                   insufficient and an attacker may be able to obtain
                   confidential BitLocker recovery keys from a Samba AD DC.
                   Installations with such secrets in their Samba AD should
                   assume they have been obtained and need replacing.
                   https://www.samba.org/samba/security/CVE-2023-0614.html

- Indents at selected OU's widget with policies list are minimized.
- Ellipsis for too long names in description bar is added. Label is located to
  the right of the tree with chosen object. Tool tip for that label is added.
  Tool tip contains full object name.
- Attribute groupType display and edit are changed from decimal to hexadecimal.
  Attribute value also contains flag names that were set.
- Error dialog after critical policy selection is removed. Error is displayed
  in log now. Dialog error messages after critical policy deletion attempt are
  clarified.
- Russian language is removed from english logs and vice versa.
- Block inheritance indicator is added to OU's icon from group policy objects.
- Enforced link indicator is added to policy icon from group policy objects.
- Disabled policies appearence changing is added to policies from group policy
  objects. Policy item icon changes appearance (fades) after group policy link
  disabling.
- Policy link indicator is added to policy icon from group policy objects.
  Indicator is located in left bottom policy icon corner.
- Policies that are linked to domain is visible in group policy objects now.
- Group policy objects order is changed. Policies is placed higher than OUs now.

- Support for pam_winbind (aka NT password) (Closes: #45513)
- Update russian translation, reconvert it to UTF-8

- Add conflicts to another postgresql versions subpackages with same
  major version (closes: 45507).

- Update to latest stable release.
- Fix run_time message validation in logsrvd.
- Fixed a potential double-free bug when matching a sudoers rule
  that contains a per-command chroot directive (CHROOT=dir).

- Update to maintenance release of Samba 4.16
- Security fixes:
  + CVE-2022-38023: Samba should refuse RC4 (aka md5) based SChannel on
    NETLOGON (Samba#15240).
- Major fixes:
  + smbc_getxattr() return value is incorrect (Samba#14808).
  + samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when
    there is only an AAAA record for the DC in DNS (Samba#15226).
  + smbd crashes if an FSCTL request is done on a stream handle (Samba#15236).
  + auth3_generate_session_info_pac leaks wbcAuthUserInfo (Samba#15286).
  + Leak in wbcCtxPingDc2 (Samba#15164).
  + irpc_destructor may crash during shutdown (Samba#15280).
- Share enumeration (netshareenum) fixes:
  + %U for include directive doesn't work for share listing (Samba#15243).
  + Shares missing from netshareenum response in samba 4.17.4 (Samba#15266).
  + Access based share enum does not work in Samba 4.16+ (Samba#15265).
  + Crash during share enumeration (Samba#15267).

- Update to latest stable bugfix and security release (closes: 44965).
- Fixed a compilation error on Linux/aarch64 (GitHub#197).
- Fixed a potential crash introduced in the fix for (GitHub#134):
 + If a user's sudoers entry did not have any RunAs user's set, running
   "sudo -U otheruser -l" would dereference a NULL pointer.
- Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating
  a I/O files when the "iolog_file" sudoers setting contains six or more Xs.
- Fixed security issue (fixes: CVE-2023-22809), a flaw in sudo's -e option (aka
  sudoedit) that could allow a malicious user with sudoedit privileges to edit
  arbitrary files.

- Fix race condition problems with AdInterface.

- Fixed a typo in cifs_applier.py

- Add user policies for drive maps symlinks in home directory.
- Add warning when disabling network manager.
- Fix correction of option name open ldap tls connections in russian.
- Fix typo in cups.service

- Update installation process for release 104.0.5112.114

- Update to latest release 106.0-5249.119

- Update Policy templates for Firefox 106 and Firefox ESR 102.4
- This release contains some typo fixes and new Russian translations
  thanks to lepata@

- Add control for Yandex Browser group policies mechanism.
- Improve group policies mechanisms display names and help descriptions.

- Action menu: Block inheritance feature is added to organizational
  unit context menu. Also limited group policy tab is returned.
- Console: Bug with empty group policy object crushing is fixed.
- Console: Non-deletable group policy containers dont dissapear
  from GUI after deletion attempt now. Warning message popups instead
  of error log dialog.
- Misc: "Order" column is added to policy organizational unit results.
  Sort is performed with this column by default.
- Console: Fix crash in policy tree after changing properties
  for organizational units.
- Misc: Fix description bar squishing scope pane, when selected
  item's name is too long and description bar needs to display it.
- Toolbar: Fix icons for "create" actions for organizational units,
  users and groups in toolbar.
- Misc: Add trimming to full name autofill.
- Misc: Add trimming to attribute sAMAccountName edit in create
  dialog for computers.
- Misc: Add "find gpo" action to policy tree. It implements group
  policy objects search functional.
- Misc: Improve "Import Query" action. So it's possible to
  import multiple queries at the same time.

- Update text of summary for role-usershares and smb-conf-usershares.
- Update default usershare prefix allow and deny lists:
  + usershare prefix deny list = /etc /dev /sys /proc
  + usershare prefix allow list = /home /srv /mnt /media /var
- Add new controls for samba-usershares:
  + smb-conf-usershare-allow-list
  + smb-conf-usershare-deny-list
  + smb-conf-usershare-owner-only
  + smb-conf-usershare-allow-guests

- Add role-usershares control allow or disallow for group users using of
  samba usershares as privilege.
- Add compatibility support for sambashare group as common privilege assigned
  to usershares group (Closes: #44379).

- Update samba defaults from samba-4.16.6-alt1 release.
- Update restore script with default configuration files actually placed in
  default directory as in the user's system.

- Update to latest 2.8 major release.
- Important fixes:
  + A regression when running sss_cache when no SSSD domain is enabled would
    produce a syslog critical message was fixed.
  + Several fixes in D-Bus infopipe functions:
    ListByName(), Groups.ListByName() and Groups.ListByDomainAndName().

- Don't treat a missing include file as an error in handle_include().
  This behavior differs between the source3 and source4 parts of Samba.
  So, it should be the same and just not an error (Closes #44214).

- Redesign become_user patch to should assign supplementary groups for server
  part of code only (due race condition in krb5_child, for example).

- AD GPO: Fix support processing referrals for hostname
- New features
  + Introduced the dbus function
    org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, limit)
    listing upto limit users matching the filter attr=value.
  + sssctl is now able to create, list and delete indexes on the local caches.
    Indexes are useful for the new D-Bus ListByAttr() function.
  + sssctl is now able to read and set each component's debug level
    independently.
- Important fixes
  + domains option in [sssd] section can now be completely omitted if domains
    are enabled via domains/enabled option.
- New options:
  + core_dumpable, ldap_enumeration_refresh_offset,
    subdomain_refresh_interval_offset, dyndns_refresh_interval_offset
    refresh_expired_interval_offset, ldap_purge_cache_offset.
- Configuration changes:
  + Option 'ad_machine_account_password_renewal_opts' now accepts an optional
    third part as the maximum deviation in the provided period (first part) and
    initial delay (second part). If the period and initial delay are provided
    but not the offset, the offset is assumed to be 0. If no part is provided,
    the default is 86400:750:300.
  + override_homedir now recognizes the %h template which is replaced by the
    original home directory retrieved from the identity provider, but in lower
    case.

- Add support LDAP add/mod operation to set/change password:
 + fix unable to join to active directory after KB5008380/CVE-2021-42287 with
   option '--ldap-passwd';
 + https://gitlab.freedesktop.org/realmd/adcli/-/issues/27
- Add support fall back to LDAPS if CLDAP ping was not successful
 + If the --use-ldaps option is used and there is no reply on the CLDAP 389/udp
   port adcli will try to send the request to the LDAPS port 636/tcp.
- Fix write SID before secret to Samba's db looks like 'net changesecretpw'
- Add passwd-user sub-command for (re)set a user password.
- Add dont-expire-password option for computer.

- Update to release for samba-4.16

- New version for samba-4.16

- Update to the 2.5.2 for samba-4.16.4 release

- Update to latest stable release of Samba 4.16
- Major fixes:
  + Possible use after free of connection_struct when iterating
    smbd_server_connection->connections (Samba#15128).
  + Spotlight RPC service returns wrong response when Spotlight is
    disabled on a share (Samba#15086).
  + acl_xattr VFS module may unintentionally use filesystem
    permissions instead of ACL from xattr (Samba#15126).
  + Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
    assert failed: !is_named_stream(smb_fname)") at
    ../../lib/util/fault.c:197 (Samba#15153).
  + Missing READ_LEASE break could cause data corruption (Samba#15148).
  + rpcclient can crash using setuserinfo(2) (Samba#15124).
  + Samba fails to build with glibc 2.36 caused by including
    <sys/mount.h> in libreplace (Samba#15132).
  + SMB1 negotiation can fail to handle connection errors (Samba#15152).
  + samba-tool domain join segfault when joining a samba ad domain (Samba#15078).

- Update to latest 2.7 major release.
- Lock-free client support will be only built if libc provides
  pthread_key_create() and pthread_once().
  For glibc this means version 2.34+
- Add requirement of adcli to sssd-ad.

- Cleanup Requires and BuidRequires.