samba: 4.20.8 -> 4.22.3

https://www.samba.org/samba/history/samba-4.21.0.html
https://www.samba.org/samba/history/samba-4.21.1.html
https://www.samba.org/samba/history/samba-4.21.2.html
https://www.samba.org/samba/history/samba-4.21.3.html
https://www.samba.org/samba/history/samba-4.21.4.html
https://www.samba.org/samba/history/samba-4.21.5.html

https://www.samba.org/samba/history/samba-4.22.0.html
https://www.samba.org/samba/history/samba-4.22.1.html
https://www.samba.org/samba/history/samba-4.22.2.html
https://www.samba.org/samba/history/samba-4.22.3.html

Fixes: CVE-2025-0620

pkgs/servers/samba/4.x-no-persistent-install.patch

@@ -1,6 +1,8 @@
---- a/ctdb/wscript	2019-01-15 02:07:00.000000000 -0800
+diff --git a/ctdb/wscript b/ctdb/wscript
-+++ b/ctdb/wscript	2019-01-20 20:21:08.800187459 -0800
+index e9cd89436a3..893b9a4c59e 100644
-@@ -814,7 +814,7 @@
+--- a/ctdb/wscript
++++ b/ctdb/wscript
+@@ -862,7 +862,7 @@ def build(bld):
      for t in etc_subdirs:
          files = SUBDIR_MODE('%s/%s' % (configdir, t), trim_path=configdir)
          for fmode in files:
@@ -9,7 +11,7 @@
                                destname=fmode[0], chmod=fmode[1])
  
      # If this is a direct install and there are no event scripts
-@@ -852,24 +852,20 @@
+@@ -901,17 +901,13 @@ def build(bld):
      ]
  
      for t in etc_scripts:
@@ -17,16 +19,8 @@
 +        bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}', 'config/%s' % t,
                            destname=t, chmod=MODE_755)
  
-     bld.SAMBA_GENERATOR('ctdb-sudoers',
-                         source='config/ctdb.sudoers',
-                         target='ctdb.sudoers',
-                         rule='sed %s ${SRC} > ${TGT}' % (sed_cmdline))
--    bld.INSTALL_FILES('${SYSCONFDIR}/sudoers.d', 'ctdb.sudoers',
-+    bld.INSTALL_FILES('${EXEC_PREFIX}${SYSCONFDIR}/sudoers.d', 'ctdb.sudoers',
-                       destname='ctdb')
- 
 -    bld.INSTALL_FILES('${CTDB_ETCDIR}/events/notification',
-+    bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}/events/notification',
++    bld.INSTALL_FILES('${EXEC_PREFIX}$${CTDB_ETCDIR}/events/notification',
                        'config/notification.README',
                        destname='README')
  

pkgs/servers/samba/4.x.nix

@@ -26,11 +26,11 @@
   talloc,
   jansson,
   ldb,
+  lmdb,
   libtasn1,
   tdb,
   tevent,
   libxcrypt,
-  libxcrypt-legacy,
   cmocka,
   rpcsvc-proto,
   bash,
@@ -49,7 +49,6 @@
   avahi,
   enableDomainController ? false,
   gpgme,
-  lmdb,
   enableRegedit ? true,
   ncurses,
   enableCephFS ? false,
@@ -66,15 +65,6 @@
 }:
 
 let
-  # samba-tool requires libxcrypt-legacy algorithms
-  python = python3Packages.python.override {
-    self = python;
-    libxcrypt = libxcrypt-legacy;
-  };
-  wrapPython = python3Packages.wrapPython.override {
-    inherit python;
-  };
-
   inherit (lib) optional optionals;
 
   needsAnswers =
@@ -89,11 +79,11 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "samba";
-  version = "4.20.8";
+  version = "4.22.3";
 
   src = fetchurl {
     url = "https://download.samba.org/pub/samba/stable/samba-${finalAttrs.version}.tar.gz";
-    hash = "sha256-db4OjTH0UBPpsmD+fPMEo20tgSg5GRR3JXchXsFzqAc=";
+    hash = "sha256-j9cJJimjWW2TXNdWfZNJeflCcpGOw6/9DMgHk07PIro=";
   };
 
   outputs = [
@@ -104,7 +94,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   patches = [
     ./4.x-no-persistent-install.patch
-    ./patch-source3__libads__kerberos_keytab.c.patch
     ./4.x-no-persistent-install-dynconfig.patch
     ./4.x-fix-makeflags-parsing.patch
     ./build-find-pre-built-heimdal-build-tools-in-case-of-.patch
@@ -123,6 +112,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   nativeBuildInputs = [
     python3Packages.python
+    python3Packages.wrapPython
     wafHook
     pkg-config
     bison
@@ -148,8 +138,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   buildInputs = [
     bash
-    wrapPython
+    python3Packages.python
-    python
     readline
     popt
     dbus
@@ -158,6 +147,7 @@ stdenv.mkDerivation (finalAttrs: {
     zlib
     gnutls
     libtasn1
+    lmdb
     tdb
     libxcrypt
   ]
@@ -182,7 +172,6 @@ stdenv.mkDerivation (finalAttrs: {
   ++ optional enableMDNS avahi
   ++ optionals enableDomainController [
     gpgme
-    lmdb
     python3Packages.dnspython
   ]
   ++ optional enableRegedit ncurses
@@ -230,7 +219,7 @@ stdenv.mkDerivation (finalAttrs: {
     "--disable-rpath"
     # otherwise third_party/waf/waflib/Tools/python.py would
     # get the wrong pythondir from build platform python
-    "--pythondir=${placeholder "out"}/${python.sitePackages}"
+    "--pythondir=${placeholder "out"}/${python3Packages.python.sitePackages}"
     (lib.enableFeature enablePrinting "cups")
   ]
   ++ optional (!enableDomainController) "--without-ad-dc"
@@ -245,7 +234,7 @@ stdenv.mkDerivation (finalAttrs: {
   ++ optional enableProfiling "--with-profiling-data"
   ++ optional (!enableAcl) "--without-acl-support"
   ++ optional (!enablePam) "--without-pam"
-  ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) ([
+  ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
     "--bundled-libraries=!asn1_compile,!compile_et"
     "--cross-compile"
     (
@@ -254,7 +243,7 @@ stdenv.mkDerivation (finalAttrs: {
       else
         "--cross-answers=answers"
     )
-  ])
+  ]
   ++ optionals stdenv.buildPlatform.is32bit [
     # By default `waf configure` spawns as many as available CPUs. On
     # 32-bit systems with many CPUs (like `i686` chroot on `x86_64`
@@ -321,7 +310,7 @@ stdenv.mkDerivation (finalAttrs: {
     # Samba does its own shebang patching, but uses build Python
     find $out/bin -type f -executable | while read file; do
       isScript "$file" || continue
-      sed -i 's^${lib.getBin buildPackages.python3Packages.python}^${lib.getBin python}^' "$file"
+      sed -i 's^${lib.getBin buildPackages.python3Packages.python}^${lib.getBin python3Packages.python}^' "$file"
     done
   '';
 
@@ -349,17 +338,12 @@ stdenv.mkDerivation (finalAttrs: {
     broken = enableGlusterFS;
     maintainers = with maintainers; [ aneeshusa ];
     pkgConfigModules = [
-      "dcerpc_samr"
-      "dcerpc"
       "ndr_krb5pac"
       "ndr_nbt"
       "ndr_standard"
       "ndr"
       "netapi"
-      "samba-credentials"
-      "samba-hostconfig"
       "samba-util"
-      "samdb"
       "smbclient"
       "wbclient"
     ];

pkgs/servers/samba/build-find-pre-built-heimdal-build-tools-in-case-of-.patch

@@ -1,4 +1,4 @@
-From 48f7e6d66e2850088b8922024641173776222242 Mon Sep 17 00:00:00 2001
+From 475ec75a34002aafabc92659f693cf705c96aff4 Mon Sep 17 00:00:00 2001
 From: Nick Cao <nickcao@nichi.co>
 Date: Thu, 21 Nov 2024 15:30:00 -0500
 Subject: [PATCH] build: find pre-built heimdal build tools in case of embedded
@@ -35,18 +35,19 @@ Signed-off-by: Uri Simchoni <uri@samba.org>
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 [Bachp: rebased for version 4.15.0]
 [Mats: rebased for version 4.18.5]
+[hexa: rebased for version 4.22.3]
 ---
  wscript_configure_embedded_heimdal | 11 +++++++++++
  1 file changed, 11 insertions(+)
 
 diff --git a/wscript_configure_embedded_heimdal b/wscript_configure_embedded_heimdal
-index 45f47721de..6c5a4bcf01 100644
+index c1488e5506e..ede28ba7fc3 100644
 --- a/wscript_configure_embedded_heimdal
 +++ b/wscript_configure_embedded_heimdal
-@@ -13,3 +13,14 @@ conf.RECURSE('third_party/heimdal_build')
+@@ -15,3 +15,14 @@ conf.RECURSE('third_party/heimdal_build')
- # when this will be available also in
- # system libraries...
  conf.define('HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG', 1)
+ 
+ conf.define('HAVE_KRB5_INIT_CREDS_STEP', 1)
 +
 +def check_system_heimdal_binary(name):
 +    if conf.LIB_MAY_BE_BUNDLED(name):
@@ -59,5 +60,4 @@ index 45f47721de..6c5a4bcf01 100644
 +check_system_heimdal_binary("compile_et")
 +check_system_heimdal_binary("asn1_compile")
 -- 
-2.47.0
+2.50.1
-

pkgs/servers/samba/patch-source3__libads__kerberos_keytab.c.patch

@@ -1,20 +0,0 @@
---- old/source3/libads/kerberos_keytab.c	2017-12-23 14:23:53.247467000 +0100
-+++ new/source3/libads/kerberos_keytab.c	2017-12-23 18:57:07.135340000 +0100
-@@ -32,8 +32,6 @@
- 
- #ifdef HAVE_KRB5
- 
--#ifdef HAVE_ADS
--
- /* This MAX_NAME_LEN is a constant defined in krb5.h */
- #ifndef MAX_KEYTAB_NAME_LEN
- #define MAX_KEYTAB_NAME_LEN 1100
-@@ -85,6 +83,8 @@
- 	return ret;
- }
- 
-+#ifdef HAVE_ADS
-+
- /**********************************************************************
-  Adds a single service principal, i.e. 'host' to the system keytab
- ***********************************************************************/