2020-12-04 21:45:51 by Nia Alarie | Files touched by this commit (456) |
Log message:
Revbump packages with a runtime Python dep but no version prefix.
For the Python 3.8 default switch.
|
2020-12-04 05:56:20 by Taylor R Campbell | Files touched by this commit (391) |
Log message:
Revbump for openpam cppflags change months ago, belatedly.
|
2020-12-02 11:54:15 by Jonathan Perkin | Files touched by this commit (1) |
Log message:
samba4: Add winbind SMF instance and tidy.
|
2020-11-12 07:37:18 by Adam Ciarcinski | Files touched by this commit (8) | |
Log message:
samba4: updated to 4.13.2
Changes since 4.13.1
--------------------
* BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char **lines onto
mem_ctx on return.
* BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
* BUG 14538: smb.conf.5: Add clarification how configuration changes
reflected by Samba.
* BUG 14552: daemons: Report status to systemd even when running in
foreground.
* BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0.
* BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
present.
* BUG 14487: provision: Add support for BIND 9.16.x.
* BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
* BUG 14541: libndr: Avoid assigning duplicate versions to symbols.
* BUG 14522: docs: Fix default value of spoolss:architecture.
* BUG 14388: winbind: Fix a memleak.
* BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
* BUG 14486: docs-xml/manpages: Add warning about write-behind translator for
vfs_glusterfs.
* nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
* BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
* BUG 14547: third_party: Update resolv_wrapper to version 1.1.7.
* BUG 14550: examples:auth: Do not install example plugin.
* BUG 14513: ctdb-recoverd: Drop unnecessary and broken code.
* BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
Changes since 4.13.0
--------------------
* BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
unless the directory handle is open for SEC_DIR_LIST.
* BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
'samba-tool'.
* BUG 14472: CVE-2020-14383: Remote crash after adding MX records.
* BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.
4.31.0:
NEW FEATURES/CHANGES
====================
Python 3.6 or later required
----------------------------
Samba's minimum runtime requirement for python was raised to Python
3.5 with samba 4.12. Samba 4.13 raises this minimum version to Python
3.6 both to access new features and because this is the oldest version
we test with in our CI infrastructure.
This is also the last release where it will be possible to build Samba
(just the file server) with Python versions 2.6 and 2.7.
As Python 2.7 has been End Of Life upstream since April 2020, Samba
is dropping ALL Python 2.x support in the NEXT release.
Samba 4.14 to be released in March 2021 will require Python 3.6 or
later to build.
wide links functionality
------------------------
For this release, the code implementing the insecure "wide links = yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links = yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality without
having to make a change to existing working smb.conf files.
Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.
A future release to be determined will remove this implicit linkage,
causing administrators who need this functionality to have to explicitly
add the vfs_widelinks module into the "vfs objects =" parameter lists.
The release notes will be updated to note this change when it occurs.
NT4-like 'classic' Samba domain controllers
-------------------------------------------
Samba 4.13 deprecates Samba's original domain controller mode.
Sites using Samba as a Domain Controller should upgrade from the
NT4-like 'classic' Domain Controller to a Samba Active Directory DC
to ensure full operation with modern Windows clients.
SMBv1 only protocol options deprecated
--------------------------------------
A number of smb.conf parameters for less-secure authentication methods
which are only possible over SMBv1 are deprecated in this release.
|
2020-09-19 16:00:54 by Takahiro Kambe | Files touched by this commit (2) | |
Log message:
net/samba4: update to 4.12.7
Update samba4 package to 4.12.7.
==============================
Release Notes for Samba 4.12.7
September 18, 2020
==============================
This is a security release in order to address the following defect:
o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").
The following applies to Samba used as domain controller only (most
seriously the Active Directory DC, but also the classic/NT4-style DC).
Installations running Samba as a file server only are not directly
affected by this flaw, though they may need configuration changes to
continue to talk to domain controllers (see "file servers and domain
members" below).
The netlogon protocol contains a flaw that allows an authentication
bypass. This was reported and patched by Microsoft as CVE-2020-1472.
Since the bug is a protocol level flaw, and Samba implements the
protocol, Samba is also vulnerable.
However, since version 4.8 (released in March 2018), the default
behaviour of Samba has been to insist on a secure netlogon channel,
which is a sufficient fix against the known exploits. This default is
equivalent to having 'server schannel = yes' in the smb.conf.
Therefore versions 4.8 and above are not vulnerable unless they have
the smb.conf lines 'server schannel = no' or 'server schannel = auto'.
Samba versions 4.7 and below are vulnerable unless they have 'server
schannel = yes' in the smb.conf.
Note each domain controller needs the correct settings in its smb.conf.
Vendors supporting Samba 4.7 and below are advised to patch their
installations and packages to add this line to the [global] section of
their smb.conf file.
The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
'FullSecureChannelProtection=1' registry key, the introduction of
which we understand forms the core of Microsoft's fix.
Some domains employ third-party software that will not work with a
'server schannel = yes'. For these cases patches are available that
allow specific machines to use insecure netlogon. For example, the
following smb.conf:
    server schannel = yes
    server require schannel:triceratops$ = no
    server require schannel:greywacke$ = no
will allow only "triceratops$" and "greywacke$" to avoid schannel.
More details can be found here:
https://www.samba.org/samba/security/CVE-2020-1472.html
|
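Added example (not part of the pkgsrc commit log or of Samba's release notes): a Python check that applies the 4.12.7 notes' 'server schannel' rule to one domain controller's smb.conf and lists machines exempted through 'server require schannel:NAME'. The function name audit_schannel, the returned dict keys and the sample configuration are constructed for illustration; it assumes that parameters before the first section header count as [global] and that any value other than a "yes" form means schannel is not enforced.

```python
import re

# Values treated as "enforced"; anything else (no, auto, typos) is flagged.
YES = {"yes", "true", "1", "on"}

def audit_schannel(conf_text, samba_version):
    """Evaluate the CVE-2020-1472 mitigation state of one DC's smb.conf."""
    major, minor = (int(p) for p in samba_version.split(".")[:2])
    section, setting, exempt = "global", None, []
    # smb.conf allows a trailing backslash to continue a line.
    for raw in re.sub(r"\\\n", "", conf_text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Parameter names ignore case and internal whitespace.
        key = re.sub(r"\s+", "", name).lower()
        value = value.strip().lower()
        if key == "serverschannel":
            setting = value
        elif key.startswith("serverrequireschannel:") and value not in YES:
            exempt.append(key.split(":", 1)[1])
    if setting is None:
        # Unset: per the release notes, 4.8 and later default to enforcing.
        enforced = (major, minor) >= (4, 8)
    else:
        enforced = setting in YES
    return {"enforced": enforced, "setting": setting, "exempt": sorted(exempt)}

# Constructed sample input mirroring the smb.conf lines in the release notes.
SAMPLE = """[global]
    server schannel = yes
    server require schannel:triceratops$ = no
    server require schannel:greywacke$ = no
[share]
    path = /srv/share
"""

if __name__ == "__main__":
    print(audit_schannel(SAMPLE, "4.12.7"))
    print(audit_schannel("[global]\n workgroup = EXAMPLE\n", "4.7.12"))
```

Run it against every domain controller, since each one needs the correct settings in its own smb.conf; a non-empty "exempt" list is the set of machine accounts still allowed to use insecure netlogon.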
2020-09-11 19:18:09 by Jonathan Perkin | Files touched by this commit (1) |
Log message:
samba4: Limit iconv hack to NetBSD.
Resolves issue on Linux reported by sobukus on IRC.
|
2020-08-31 20:13:29 by Thomas Klausner | Files touched by this commit (3631) |
Log message:
*: bump PKGREVISION for perl-5.32.
|
2020-08-18 09:39:31 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
samba4: updated to 4.12.6
Changes since 4.12.5
* BUG 14403: s3: libsmb: Fix SMB2 client rename bug to a Windows server.
* BUG 14424: dsdb: Allow "password hash userPassword schemes = CryptSHA256"
to work on RHEL7.
* BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
* BUG 14426: lib/debug: Set the correct default backend loglevel to
MAX_DEBUG_LEVEL.
* BUG 14428: PANIC: Assert failed in get_lease_type().
* BUG 14422: util: Fix build on AIX by fixing the order of replace.h include.
* BUG 14355: srvsvc_NetFileEnum asserts with open files.
* BUG 14354: KDC breaks with DES keys still in the database and
msDS-SupportedEncryptionTypes 31 indicating support for it.
* BUG 14427: s3:smbd: Make sure vfs_ChDir() always sets
conn->cwd_fsp->fh->fd = AT_FDCWD.
* BUG 14428: PANIC: Assert failed in get_lease_type().
* BUG 14358: docs: Fix documentation for require_membership_of of
pam_winbind.conf.
* BUG 14444: ctdb-scripts: Use nfsconf utility for variable values in CTDB
NFS scripts.
* BUG 14425: s3:winbind:idmap_ad: Make failure to get attrnames for schema
mode fatal.
|
2020-08-17 22:20:41 by Leonardo Taccari | Files touched by this commit (2202) |
Log message:
*: revbump after fontconfig bl3 changes (libuuid removal)
|
2020-07-28 03:11:10 by Christos Zoulas | Files touched by this commit (2) |
Log message:
Move sysvol from /var/run/sysvol to /var/db/samba4/sysvol as FreeBSD does,
so that the provisioning data gets preserved across reboots.
From Matthias Perelmann
|