Log message:
samba4: updated to 4.12.2

Samba 4.12.2
This is a security release in order to address the following defects:
o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC

Log message:
samba4: updated to 4.12.1

Samba 4.12.1
* BUG 14295: nmblib: Avoid undefined behaviour in handle_name_ptrs().
* BUG 14296: samba-tool group: Handle group names with special chars
  correctly.
* BUG 14293: Add missing check for DMAPI offline status in async DOS
  attributes.
* BUG 14295: Starting ctdb node that was powered off hard before results in
  recovery loop.
* BUG 14307: smbd: Ignore set NTACL requests which contain S-1-5-88 NFS ACEs.
* BUG 14316: vfs_recycle: Prevent flooding the log if we're called on
  non-existant paths.
* BUG 14313: librpc: Fix IDL for svcctl_ChangeServiceConfigW.
* BUG 14327: nsswitch: Fix use-after-free causing segfault in
  _pam_delete_cred.
* BUG 13622: fruit:time machine max size is broken on arm.
* BUG 14294: CTDB recovery corner cases can cause record resurrection and
  node banning.
* BUG 14332: s3/utils: Fix double free error with smbtree.
* BUG 14294: CTDB recovery corner cases can cause record resurrection and
  node banning.
* BUG 14295: Starting ctdb node that was powered off hard before results in
  recovery loop.
* BUG 14324: CTDB recovery daemon can crash due to dereference of NULL
  pointer.

Log message:
samba4: updated to 4.12.0

samba 4.12.0:

NEW FEATURES/CHANGES
====================

Python 3.5 Required
-------------------

Samba's minimum runtime requirement for python was raised to Python
3.4 with samba 4.11.  Samba 4.12 raises this minimum version to Python
3.5 both to access new features and because this is the oldest version
we test with in our CI infrastructure.

(Build time support for the file server with Python 2.6 has not
changed)

Removing in-tree cryptography: GnuTLS 3.4.7 required
----------------------------------------------------

Samba is making efforts to remove in-tree cryptographic functionality,
and to instead rely on externally maintained libraries.  To this end,
Samba has chosen GnuTLS as our standard cryptographic provider.

Samba now requires GnuTLS 3.4.7 to be installed (including development
headers at build time) for all configurations, not just the Samba AD
DC.

Thanks to this work Samba no longer ships an in-tree DES
implementation and on GnuTLS 3.6.5 or later Samba will include no
in-tree cryptography other than the MD4 hash and that
implemented in our copy of Heimdal.

Using GnuTLS for SMB3 encryption you will notice huge performance and copy
speed improvements. Tests with the CIFS Kernel client from Linux Kernel 5.3
show a 3x speed improvement for writing and a 2.5x speed improvement for reads!

NOTE WELL: The use of GnuTLS means that Samba will honour the
system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
standard) and so will not operate in many still common situations if
this system-wide parameter is in effect, as many of our protocols rely
on outdated cryptography.

A future Samba version will mitigate this to some extent where good
cryptography effectively wraps bad cryptography, but for now that above
applies.

zlib library is now required to build Samba
-------------------------------------------

Samba no longer includes a local copy of zlib in our source tarball.
By removing this we do not need to ship (even where we did not
build) the old, broken zip encryption code found there.

New Spotlight backend for Elasticsearch
---------------------------------------

Support for the macOS specific Spotlight search protocol has been enhanced
significantly. Starting with 4.12 Samba supports using Elasticsearch as search
backend. Various new parameters have been added to configure this:

  spotlight backend = noindex | elasticsearch | tracker
  elasticsearch:address = ADDRESS
  elasticsearch:port = PORT
  elasticsearch:use tls = BOOLEAN
  elasticsearch:index = INDEXNAME
  elasticsearch:mappings = PATH
  elasticsearch:max results = NUMBER

Samba also ships a Spotlight client command "mdfind" which can be used \ 
to search
any SMB server that runs the Spotlight RPC service. See the manpage of mdfind
for details.

Note that when upgrading existing installations that are using the previous
default Spotlight backend Gnome Tracker must explicitly set "spotlight backend =
tracker" as the new default is "noindex".

'net ads kerberos pac save' and 'net eventlog export'
-----------------------------------------------------

The 'net ads kerberos pac save' and 'net eventlog export' tools will
no longer silently overwrite an existing file during data export.  If
the filename given exits, an error will be shown.

Fuzzing
-------

A large number of fuzz targets have been added to Samba, and Samba has
been registered in Google's oss-fuzz cloud fuzzing service.  In
particular, we now have good fuzzing coverage of our generated NDR
parsing code.

A large number of issues have been found and fixed thanks to this
effort.

'samba-tool' improvements add contacts as member to groups
----------------------------------------------------------

Previously 'samba-tool group addmemers' can just add users, groups and
computers as members to groups. But also contacts can be members of
groups. Samba 4.12 adds the functionality to add contacts to
groups. Since contacts have no sAMAccountName, it's possible that
there are more than one contact with the same name in different
organizational units. Therefore it's necessary to have an option to
handle group members by their DN.

To get the DN of an object there is now the "--full-dn" option available
for all necessary commands.

The MS Windows UI allows to search for specific types of group members
when searching for new members for a group. This feature is included
here with the new samba-tool group addmembers "--object-type=OBJECTYPE"
option. The different types are selected accordingly to the Windows
UI. The default samba-toole behaviour shouldn't be changed.

Allow filtering by OU or subtree in samba-tool
----------------------------------------------

A new "--base-dn" and "--member-base-dn" option is added to \ 
relevant
samba-tool user, group and ou management commands to allow operation
on just one part of the AD tree, such as a single OU.

VFS
===

SMB_VFS_NTIMES
--------------

Samba now uses a sentinel value based on utimensat(2) UTIME_OMIT to denote
to-be-ignored timestamp variables passed to the SMB_VFS_NTIMES() VFS function.

VFS modules can check whether any of the time values inside a struct
smb_file_time is to be ignored by calling is_omit_timespec() on the value.

'io_uring' vfs module
---------------------

The module makes use of the new io_uring infrastructure
(intruduced in Linux 5.1), see https://lwn.net/Articles/776703/

Currently this implements SMB_VFS_{PREAD,PWRITE,FSYNC}_SEND/RECV
and avoids the overhead of the userspace threadpool in the default
vfs backend. See also vfs_io_uring(8).

In order to build the module you need the liburing userspace library
and its developement headers installed, see
https://git.kernel.dk/cgit/liburing/

At runtime you'll need a Linux kernel with version 5.1 or higher.
Note that 5.4.14 and 5.4.15 have a regression that breaks the Samba
module! The regression was fixed in Linux 5.4.16 again.

MS-DFS changes in the VFS
-------------------------

This release changes set getting and setting of MS-DFS redirects
on the filesystem to go through two new VFS functions:

SMB_VFS_CREATE_DFS_PATHAT()
SMB_VFS_READ_DFS_PATHAT()

instead of smbd explicitly storing MS-DFS redirects inside
symbolic links on the filesystem. The underlying default
implementations of this has not changed, the redirects are
still stored inside symbolic links on the filesystem, but
moving the creation and reading of these links into the VFS
as first-class functions now allows alternate methods of
storing them (maybe in extended attributes) for OEMs who
don't want to mis-use filesystem symbolic links in this
way.

CTDB changes
============

* The ctdb_mutex_fcntl_helper periodically re-checks the lock file

  The re-check period is specified using a 2nd argument to this
  helper.  The default re-check period is 5s.

  If the file no longer exists or the inode number changes then the
  helper exits.  This triggers an election.

REMOVED FEATURES
================

The smb.conf parameter "write cache size" has been removed.

Since the in-memory write caching code was written, our write path has
changed significantly. In particular we have gained very flexible
support for async I/O, with the new linux io_uring interface in
development.  The old write cache concept which cached data in main
memory followed by a blocking pwrite no longer gives any improvement
on modern systems, and may make performance worse on memory-contrained
systems, so this functionality should not be enabled in core smbd
code.

In addition, it complicated the write code, which is a performance
critical code path.

If required for specialist purposes, it can be recreated as a VFS
module.

Retiring DES encryption types in Kerberos.
------------------------------------------
With this release, support for DES encryption types has been removed from
Samba, and setting DES_ONLY flag for an account will cause Kerberos
authentication to fail for that account (see RFC-6649).

Samba-DC: DES keys no longer saved in DB.
-----------------------------------------
When a new password is set for an account, Samba DC will store random keys
in DB instead of DES keys derived from the password.  If the account is being
migrated to Windbows or to an older version of Samba in order to use DES keys,
the password must be reset to make it work.

Heimdal-DC: removal of weak-crypto.
-----------------------------------
Following removal of DES encryption types from Samba, the embedded Heimdal
build has been updated to not compile weak crypto code (HEIM_WEAK_CRYPTO).

vfs_netatalk: The netatalk VFS module has been removed.
-------------------------------------------------------

The netatalk VFS module has been removed. It was unmaintained and is not needed
any more.

BIND9_FLATFILE deprecated
-------------------------

The BIND9_FLATFILE DNS backend is deprecated in this release and will
be removed in the future.  This was only practically useful on a single
domain controller or under expert care and supervision.

This release removes the 'rndc command' smb.conf parameter, which
supported this configuration by writing out a list of DCs permitted to
make changes to the DNS Zone and nudging the 'named' server if a new
DC was added to the domain.  Administrators using BIND9_FLATFILE will
need to maintain this manually from now on.

Log message:
samba4: Update PLIST.Linux

From @mmoll on GitHub. Closes NetBSD/pkgsrc#55

Log message:
net/samba*: Update DESCR

Based on input from Mike Pumford.

(It is acknowledged that samba4 is 4.11 and should be 4.12, but that's
normal being behind, not intended, as I see it.)

Log message:
librsvg: update bl3.mk to remove libcroco in rust case

recursive bump for the dependency change

Log message:
*: recursive bump for libffi

Log message:
samba4: make avahi optional

Avahi by default pulls in X11 via gtk2 and dbus, so you might want to
disable it on a small server if your clients don't need ZeroConf capability.

Log message:
samba4: updated to 4.11.6

Changes since 4.11.5:
* BUG 14209: pygpo: Use correct method flags.
* BUG 14216: vfs_ceph_snapshots: Fix root relative path handling.
* BUG 14209: Avoiding bad call flags with python 3.8, using METH_NOARGS
  instead of zero.
* BUG 14218: source4/utils/oLschema2ldif: Include stdint.h before cmocka.h.
* BUG 14122: docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc.
* BUG 14251: smbd: Fix the build with clang.
* BUG 14199: upgradedns: Ensure lmdb lock files linked.
* BUG 14182: s3: VFS: glusterfs: Reset nlinks for symlink entries during
  readdir.
* BUG 14101: smbc_stat() doesn't return the correct st_mode and also the
  uid/gid is not filled (SMBv1) file.
* BUG 14219: librpc: Fix string length checking in
  ndr_pull_charset_to_null().
* BUG 14227: ctdb-scripts: Strip square brackets when gathering connection
  info.

Log message:
net/samba4: update depdendency

Update dependency for daabases/ldb and devel/talloc.

Bump PKGREVISION.