net-fs/samba: update to 4.11.13, sync with Gentoo

Update net-fs/samba to 4.11.13-r1, by syncing with upstream Gentoo. It is mainly to resolve CVE-2019-10197, CVE-2020-10704, CVE-2020-10745, and CVE-2019-10218. See also https://security.gentoo.org/glsa/202003-52 and https://security.gentoo.org/glsa/202007-15 .
2025-10-23 21:31:03 +02:00 · 2020-11-06 13:51:53 +01:00 · 2020-11-06 13:51:53 +01:00 · 28783b1e69
commit 28783b1e69
parent c4322159bd
19 changed files with 505 additions and 404 deletions
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
@ -1 +1 @@
-DIST samba-4.8.6.tar.gz 17723841 BLAKE2B 38da52e14b4417f26462eef2226c4498e54d2c276b4056e8c6d6c66079f33bcda24c1eab30b29bc7413280ec89a74a55e043e8274ac50f9a25bae7563717ff34 SHA512 f6afab5ca466bd8653a56c205b71ce94ecf0ad0c6e4c9d64cbba7b1e56f1987bc2022e6b629d87eb6078e3f6ba53833c19cfb41e40b6d589e4317ea9d85de273
+DIST samba-4.11.13.tar.gz 18598813 BLAKE2B 5671498058e61c1afbdb0976b6931dc4e13087792612d4fdc3073e8e40a60be82f578836e3baa48f111a600da5c6e0e08aa7ba638fbc1285bbb57644ae7e8b1d SHA512 396ab636db6f9583b772935d58a3cf1860109bb9e1ef841a38c08d7be9f3839d6e198d5cdc80ef0803fcbfa6c06f1173585f3b582937e8834857fc47d90f7181
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.confd
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.confd
@ -6,6 +6,8 @@
 # accordingly.
 daemon_list="smbd nmbd"

+piddir="/run/samba"
+
 #----------------------------------------------------------------------------
 # Daemons calls: <daemon_name>_<command_option>
 #----------------------------------------------------------------------------
@ -17,22 +19,27 @@ my_service_POST=""
 # Daemons calls: <daemon_name>_<command_option>
 #----------------------------------------------------------------------------
 smbd_start_options="-D"
-smbd_start="start-stop-daemon --start --exec /usr/sbin/smbd -- ${smbd_start_options}"
-smbd_stop="start-stop-daemon --stop --exec /usr/sbin/smbd"
+smbd_command="/usr/sbin/smbd"
+smbd_start="start-stop-daemon --start --exec ${smbd_command} -- ${smbd_start_options}"
+smbd_stop="start-stop-daemon --stop --exec ${smbd_command}"
 smbd_reload="killall -HUP smbd"

 nmbd_start_options="-D"
-nmbd_start="start-stop-daemon --start --exec /usr/sbin/nmbd -- ${nmbd_start_options}"
-nmbd_stop="start-stop-daemon --stop --exec /usr/sbin/nmbd"
+nmbd_command="/usr/sbin/nmbd"
+nmbd_start="start-stop-daemon --start --exec ${nmbd_command} -- ${nmbd_start_options}"
+nmbd_stop="start-stop-daemon --stop --exec ${nmbd_command}"
 nmbd_reload="killall -HUP nmbd"

 samba4_start_options=""
-samba4_start="start-stop-daemon --start --exec /usr/sbin/samba -- ${samba4_start_options}"
-samba4_stop="start-stop-daemon --stop --exec /usr/sbin/samba"
+samba4_command="/usr/sbin/samba"
+samba4_pidfile="${piddir}/samba.pid"
+samba4_start="start-stop-daemon --start --exec ${samba4_command} --pidfile ${samba4_pidfile} -- ${samba4_start_options}"
+samba4_stop="start-stop-daemon --stop --exec ${samba4_command} --pidfile ${samba4_pidfile}"
 samba4_reload="killall -HUP samba"

 winbind_start_options=""
-winbind_start="start-stop-daemon --start --exec /usr/sbin/winbindd -- ${winbind_start_options}"
-winbind_stop="start-stop-daemon --stop --exec /usr/sbin/winbindd"
+winbind_command="/usr/sbin/winbindd"
+winbind_start="start-stop-daemon --start --exec ${winbind_command} -- ${winbind_start_options}"
+winbind_stop="start-stop-daemon --stop --exec ${winbind_command}"
 winbind_reload="killall -HUP winbindd"

--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.initd-r1
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/samba4.initd-r1
@ -1,9 +1,9 @@
 #!/sbin/openrc-run
-# Copyright 1999-2016 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License, v2 or later

 extra_started_commands="reload"
-piddir="/run/samba"
+[ -z "${piddir}" ] && piddir="/run/samba"

 depend() {
 	after slapd
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/system-auth-winbind.pam
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/4.4/system-auth-winbind.pam
@ -0,0 +1,18 @@
+#%PAM-1.0
+# $Id$
+
+auth        required      pam_env.so
+auth        sufficient    pam_winbind.so
+auth        sufficient    pam_unix.so likeauth nullok use_first_pass
+auth        required      pam_deny.so
+
+account     sufficient    pam_winbind.so
+account     required      pam_unix.so
+
+password    required      pam_cracklib.so retry=3
+password    sufficient    pam_unix.so nullok use_authtok md5 shadow
+password    required      pam_deny.so
+
+session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022 
+session     required      pam_limits.so
+session     required      pam_unix.so
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/nmbd.service
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/nmbd.service
@ -1,12 +0,0 @@
-[Unit]
-Description=Samba NetBIOS name server
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/var/run/samba/nmbd.pid
-ExecStart=/usr/sbin/nmbd -D 
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-vfs_snapper_configure_option.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-vfs_snapper_configure_option.patch
@ -0,0 +1,56 @@
+From 7ae03a19b3ca895ba5f97a6bd4f9539d8daa6e0a Mon Sep 17 00:00:00 2001
+From: Matt Taylor <liverbugg@rinux.org>
+Date: Mon, 11 May 2020 15:26:41 -0400
+Subject: [PATCH] build: add configure option to control vfs_snapper build
+
+vfs_snapper is currently built if dbus development headers / libraries
+are detected during configure. This commit adds new --disable-snapper
+and --enable-snapper (default) configure parameters. When enabled,
+configure will fail if the dbus development headers / libraries are
+missing.
+
+Signed-off-by: Matt Taylor <liverbugg@rinux.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
+Autobuild-Date(master): Mon May 25 01:16:46 UTC 2020 on sn-devel-184
+---
+ source3/wscript | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/source3/wscript b/source3/wscript
+index 07991806c63..24ade3b0a2b 100644
+--- a/source3/wscript
+++ b/source3/wscript
+@@ -74,6 +74,7 @@ def options(opt):
+ 
+     opt.samba_add_onoff_option('glusterfs', with_name="enable", without_name="disable", default=True)
+     opt.samba_add_onoff_option('cephfs', with_name="enable", without_name="disable", default=True)
+    opt.samba_add_onoff_option('snapper', with_name="enable", without_name="disable", default=True)
+ 
+     opt.add_option('--enable-vxfs',
+                   help=("enable support for VxFS (default=no)"),
+@@ -1752,11 +1753,16 @@ main() {
+     if Options.options.enable_vxfs:
+         conf.DEFINE('HAVE_VXFS', '1')
+ 
+-    if conf.CHECK_CFG(package='dbus-1', args='--cflags --libs',
+    if Options.options.with_snapper:
+        if conf.CHECK_CFG(package='dbus-1', args='--cflags --libs',
+                       msg='Checking for dbus', uselib_store="DBUS-1"):
+-        if (conf.CHECK_HEADERS('dbus/dbus.h', lib='dbus-1')
+            if (conf.CHECK_HEADERS('dbus/dbus.h', lib='dbus-1')
+                                       and conf.CHECK_LIB('dbus-1', shlib=True)):
+-            conf.DEFINE('HAVE_DBUS', '1')
+                conf.DEFINE('HAVE_DBUS', '1')
+        else:
+            conf.fatal("vfs_snapper is enabled but prerequisite DBUS libraries "
+                       "or headers not found. Use --disable-snapper to disable "
+                       "vfs_snapper support.");
+ 
+     if conf.CHECK_CFG(package='liburing', args='--cflags --libs',
+                       msg='Checking for liburing package', uselib_store="URING"):
+-- 
+2.26.2
+
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-winexe_option.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.13-winexe_option.patch
@ -0,0 +1,67 @@
+From 54c21a99e6ca54bdb963c70d322f6778b57a384f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 4 Mar 2020 18:51:01 +0100
+Subject: [PATCH] winexe: add configure option to control whether to build it
+ (default: auto)
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Mon Mar  9 16:27:21 UTC 2020 on sn-devel-184
+---
+ examples/winexe/wscript_build |  3 ++-
+ source3/wscript               | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/examples/winexe/wscript_build b/examples/winexe/wscript_build
+index 43c09717e3d..559ed3fc706 100644
+--- a/examples/winexe/wscript_build
+++ b/examples/winexe/wscript_build
+@@ -106,4 +106,5 @@ if winexesvc_binaries != '':
+                           LOADPARM_CTX
+                           libsmb
+                           msrpc3
+-                      ''')
+                      ''',
+                      enabled=bld.env.build_winexe)
+diff --git a/source3/wscript b/source3/wscript
+index 85466b493fa..6d5bd22ca49 100644
+--- a/source3/wscript
+++ b/source3/wscript
+@@ -63,6 +63,7 @@ def options(opt):
+     opt.samba_add_onoff_option('cluster-support', default=False)
+ 
+     opt.samba_add_onoff_option('regedit', default=None)
+    opt.samba_add_onoff_option('winexe', default=None)
+ 
+     opt.samba_add_onoff_option('fake-kaserver',
+                           help=("Include AFS fake-kaserver support"), default=False)
+@@ -1782,6 +1783,22 @@ main() {
+     if conf.CHECK_HEADERS('ftw.h') and conf.CHECK_FUNCS('nftw'):
+         conf.env.build_mvxattr = True
+ 
+    conf.env.build_winexe = False
+    if not Options.options.with_winexe == False:
+        if conf.CONFIG_SET('HAVE_WINEXE_CC_WIN32') or conf.CONFIG_SET('HAVE_WINEXE_CC_WIN64'):
+            conf.env.build_winexe = True
+
+    if conf.env.build_winexe:
+        Logs.info("building winexe")
+    else:
+        if Options.options.with_winexe == False:
+            Logs.info("not building winexe (--without-winexe)")
+        elif Options.options.with_winexe == True:
+            Logs.error("mingw not available, cannot build winexe")
+            conf.fatal("mingw not available, but --with-winexe was specified")
+        else:
+            Logs.info("mingw not available, not building winexe")
+
+     conf.CHECK_FUNCS_IN('DES_pcbc_encrypt', 'crypto')
+     if Options.options.with_fake_kaserver == True:
+         conf.CHECK_HEADERS('afs/param.h afs/stds.h', together=True)
+-- 
+2.26.2
+
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.5.1-compile_et_fix.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.5.1-compile_et_fix.patch
@ -1,16 +0,0 @@
--- samba-4.5.1/source4/heimdal_build/wscript_configure
-+++ samba-4.5.1/source4/heimdal_build/wscript_configure
-@@ -258,7 +258,11 @@
- 
- # With the proper checks in place we should be able to build against the system libtommath.
- #if conf.CHECK_BUNDLED_SYSTEM('tommath', checkfunctions='mp_init', headers='tommath.h'):
- #    conf.define('USING_SYSTEM_TOMMATH', 1)
- 
-check_system_heimdal_binary("compile_et")
-check_system_heimdal_binary("asn1_compile")
-+# comment out next line to stop Gentoo Samba build from using the compile_et in e2fsprogs-libs
-+# to compile the error tables. This produces a compile error later on.
-+#check_system_heimdal_binary("compile_et")
-+#
-+# As a precaution do the same for asn1_compile
-+#check_system_heimdal_binary("asn1_compile")
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.9.2-timespec.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.9.2-timespec.patch
@ -0,0 +1,21 @@
+From 11e8c14b78e2423041f3846882f74cd6490a3e44 Mon Sep 17 00:00:00 2001
+From: Joan Karadimov <joan@profuzdigital.com>
+Date: Thu, 18 Oct 2018 18:16:17 +0300
+Subject: [PATCH] Fix compatibility issues with the timespec struct
+
+---
+ source3/include/libsmbclient.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
+index 5e4a1715402..6487ea7a8aa 100644
+--- a/source3/include/libsmbclient.h
+++ b/source3/include/libsmbclient.h
+@@ -78,6 +78,7 @@ extern "C" {
+ #include <sys/statvfs.h>
+ #include <stdint.h>
+ #include <fcntl.h>
+#include <time.h>
+ #include <utime.h>
+ 
+ #define SMBC_BASE_FD        10000 /* smallest file descriptor returned */
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-glibc-2.26-no_rpc.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-glibc-2.26-no_rpc.patch
@ -1,14 +0,0 @@
-https://attachments.samba.org/attachment.cgi?id=13172
-https://bugs.gentoo.org/637320
-
--- a/lib/replace/wscript
-+++ b/lib/replace/wscript
-@@ -71,7 +71,7 @@
-     conf.CHECK_HEADERS('sys/fileio.h sys/filesys.h sys/dustat.h sys/sysmacros.h')
-     conf.CHECK_HEADERS('xfs/libxfs.h netgroup.h')
- 
-    conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H')
-+    conf.CHECK_CODE('ypstat s;', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H')
- 
-     conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h')
-     conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h')
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf
@ -1,2 +1,3 @@
 D /run/samba 0755 root root
+D /run/ctdb 0755 root root
 D /run/lock/samba 0755 root root
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.service
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.service
@ -1,10 +0,0 @@
-[Unit]
-Description=Samba AD server
-After=network.target winbindd.service
-Conflicts=nmbd.service smbd.service
-
-[Service]
-ExecStart=/usr/sbin/samba --interactive 
-
-[Install]
-WantedBy=multi-user.target
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.service
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.service
@ -1,12 +0,0 @@
-[Unit]
-Description=Samba SMB/CIFS server
-After=network.target nmbd.service winbindd.service
-
-[Service]
-Type=forking
-PIDFile=/var/run/samba/smbd.pid
-ExecStart=/usr/sbin/smbd -D 
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.socket
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd.socket
@ -1,9 +0,0 @@
-[Unit]
-Description=Samba SMB/CIFS server socket
-
-[Socket]
-ListenStream=445
-Accept=yes
-
-[Install]
-WantedBy=sockets.target
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd_at.service
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/smbd_at.service
@ -1,7 +0,0 @@
-[Unit]
-Description=Samba SMB/CIFS server instance
-
-[Service]
-ExecStart=/usr/sbin/smbd -F
-ExecReload=/bin/kill -HUP $MAINPID
-StandardInput=socket
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/winbindd.service
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/winbindd.service
@ -1,12 +0,0 @@
-[Unit]
-Description=Samba Winbind daemon
-After=network.target nmbd.service
-
-[Service]
-Type=forking
-PIDFile=/var/run/samba/winbindd.pid
-ExecStart=/usr/sbin/winbindd -D 
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
@ -12,14 +12,16 @@
 		<flag name="addc">Enable Active Directory Domain Controller support</flag>
 		<flag name="addns">Enable AD DNS integration</flag>
 		<flag name="ads">Enable Active Directory support</flag>
-		<flag name="aio">Enable asynchronous IO support</flag>
 		<flag name="ceph">Enable support for Ceph distributed filesystem via <pkg>sys-cluster/ceph</pkg></flag>
 		<flag name="client">Enables the client part</flag>
 		<flag name="cluster">Enable support for clustering</flag>
 		<flag name="dmapi">Enable support for DMAPI. This currently works only in combination with XFS.</flag>
 		<flag name="gpg">Use <pkg>app-crypt/gpgme</pkg> for AD DC</flag>
+		<flag name="json">Enable json audit support through <pkg>dev-libs/jansson</pkg></flag>
 		<flag name="iprint">Enabling iPrint technology by Novell</flag>
+		<flag name="profiling-data">Enables support for collecting profiling data</flag>
 		<flag name="quota">Enables support for user quotas</flag>
+		<flag name="snapper">Enable vfs_snapper module (requires <pkg>sys-apps/dbus</pkg>)</flag>
 		<flag name="system-heimdal">Use <pkg>app-crypt/heimdal</pkg> instead of
 			bundled heimdal.</flag>
 		<flag name="system-mitkrb5">Use <pkg>app-crypt/mit-krb5</pkg> instead of
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.11.13-r1.ebuild
@ -0,0 +1,321 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python3_{6,7} )
+PYTHON_REQ_USE='threads(+),xml(+)'
+inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam
+
+MY_PV="${PV/_rc/rc}"
+MY_P="${PN}-${MY_PV}"
+
+SRC_PATH="stable"
+[[ ${PV} = *_rc* ]] && SRC_PATH="rc"
+
+SRC_URI="mirror://samba/${SRC_PATH}/${MY_P}.tar.gz"
+[[ ${PV} = *_rc* ]] || \
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ppc ppc64 sparc x86"
+
+DESCRIPTION="Samba Suite Version 4"
+HOMEPAGE="https://www.samba.org/"
+LICENSE="GPL-3"
+
+SLOT="0"
+
+IUSE="acl addc addns ads ceph client cluster cups debug dmapi fam gpg iprint
+json ldap pam profiling-data python quota selinux snapper syslog
+system-heimdal +system-mitkrb5 systemd test winbind zeroconf"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/samba-4.0/policy.h
+	/usr/include/samba-4.0/dcerpc_server.h
+	/usr/include/samba-4.0/ctdb.h
+	/usr/include/samba-4.0/ctdb_client.h
+	/usr/include/samba-4.0/ctdb_protocol.h
+	/usr/include/samba-4.0/ctdb_private.h
+	/usr/include/samba-4.0/ctdb_typesafe_cb.h
+	/usr/include/samba-4.0/ctdb_version.h
+)
+
+CDEPEND="
+	>=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}]
+	dev-lang/perl:=
+	dev-libs/libbsd[${MULTILIB_USEDEP}]
+	dev-libs/libtasn1[${MULTILIB_USEDEP}]
+	dev-libs/popt[${MULTILIB_USEDEP}]
+	>=net-libs/gnutls-3.2.0[${MULTILIB_USEDEP}]
+	net-libs/libnsl:=[${MULTILIB_USEDEP}]
+	sys-libs/e2fsprogs-libs[${MULTILIB_USEDEP}]
+	>=sys-libs/ldb-2.0.12[ldap(+)?,python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
+	<sys-libs/ldb-2.1.0[ldap(+)?,python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
+	sys-libs/libcap
+	sys-libs/ncurses:0=
+	sys-libs/readline:0=
+	>=sys-libs/talloc-2.2.0[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
+	>=sys-libs/tdb-1.4.2[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
+	>=sys-libs/tevent-0.10.0[python?,${PYTHON_SINGLE_USEDEP},${MULTILIB_USEDEP}]
+	sys-libs/zlib[${MULTILIB_USEDEP}]
+	virtual/libiconv
+	pam? ( sys-libs/pam )
+	acl? ( virtual/acl )
+	$(python_gen_cond_dep "
+		dev-python/subunit[\${PYTHON_MULTI_USEDEP},${MULTILIB_USEDEP}]
+		addns? (
+			net-dns/bind-tools[gssapi]
+			dev-python/dnspython:=[\${PYTHON_MULTI_USEDEP}]
+		)
+	")
+	ceph? ( sys-cluster/ceph )
+	cluster? (
+		net-libs/rpcsvc-proto
+		!dev-db/ctdb
+	)
+	cups? ( net-print/cups )
+	debug? ( dev-util/lttng-ust )
+	dmapi? ( sys-apps/dmapi )
+	fam? ( virtual/fam )
+	gpg? ( app-crypt/gpgme )
+	json? ( dev-libs/jansson )
+	ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] )
+	snapper? ( sys-apps/dbus )
+	system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] )
+	system-mitkrb5? ( >=app-crypt/mit-krb5-1.15.1[${MULTILIB_USEDEP}] )
+	systemd? ( sys-apps/systemd:0= )
+	zeroconf? ( net-dns/avahi[dbus] )
+"
+DEPEND="${CDEPEND}
+	${PYTHON_DEPS}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	>=dev-util/cmocka-1.1.1[${MULTILIB_USEDEP}]
+	net-libs/libtirpc[${MULTILIB_USEDEP}]
+	virtual/pkgconfig
+	|| (
+		net-libs/rpcsvc-proto
+		<sys-libs/glibc-2.26[rpc(+)]
+	)
+	test? (
+		!system-mitkrb5? (
+			>=sys-libs/nss_wrapper-1.1.3
+			>=net-dns/resolv_wrapper-1.1.4
+			>=net-libs/socket_wrapper-1.1.9
+			>=sys-libs/uid_wrapper-1.2.1
+		)
+	)"
+RDEPEND="${CDEPEND}
+	python? ( ${PYTHON_DEPS} )
+	client? ( net-fs/cifs-utils[ads?] )
+	selinux? ( sec-policy/selinux-samba )
+	!dev-perl/Parse-Yapp
+"
+
+REQUIRED_USE="
+	addc? ( python json winbind )
+	addns? ( python )
+	ads? ( acl ldap winbind )
+	cluster? ( ads )
+	gpg? ( addc )
+	test? ( python )
+	?? ( system-heimdal system-mitkrb5 )
+	${PYTHON_REQUIRED_USE}
+"
+
+# the test suite is messed, it uses system-installed samba
+# bits instead of what was built, tests things disabled via use
+# flags, and generally just fails to work in a way ebuilds could
+# rely on in its current state
+RESTRICT="test"
+
+S="${WORKDIR}/${MY_P}"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-4.4.0-pam.patch"
+	"${FILESDIR}/${PN}-4.9.2-timespec.patch"
+	"${FILESDIR}/${PN}-4.13-winexe_option.patch"
+	"${FILESDIR}/${PN}-4.13-vfs_snapper_configure_option.patch"
+)
+
+#CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)"
+CONFDIR="${FILESDIR}/4.4"
+
+WAF_BINARY="${S}/buildtools/bin/waf"
+
+SHAREDMODS=""
+
+pkg_setup() {
+	# Package fails to build with distcc
+	export DISTCC_DISABLE=1
+
+	python-single-r1_pkg_setup
+	if use cluster ; then
+		SHAREDMODS="idmap_rid,idmap_tdb2,idmap_ad"
+	elif use ads ; then
+		SHAREDMODS="idmap_ad"
+	fi
+}
+
+src_prepare() {
+	default
+
+	# un-bundle dnspython
+	sed -i -e '/"dns.resolver":/d' "${S}"/third_party/wscript || die
+
+	# unbundle iso8601 unless tests are enabled
+	if ! use test ; then
+		sed -i -e '/"iso8601":/d' "${S}"/third_party/wscript || die
+	fi
+
+	## ugly hackaround for bug #592502
+	#cp /usr/include/tevent_internal.h "${S}"/lib/tevent/ || die
+
+	sed -e 's:<gpgme\.h>:<gpgme/gpgme.h>:' \
+		-i source4/dsdb/samdb/ldb_modules/password_hash.c \
+		|| die
+
+	# Friggin' WAF shit
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	# when specifying libs for samba build you must append NONE to the end to
+	# stop it automatically including things
+	local bundled_libs="NONE"
+	if ! use system-heimdal && ! use system-mitkrb5 ; then
+		bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE"
+	fi
+
+	local myconf=(
+		--enable-fhs
+		--sysconfdir="${EPREFIX}/etc"
+		--localstatedir="${EPREFIX}/var"
+		--with-modulesdir="${EPREFIX}/usr/$(get_libdir)/samba"
+		--with-piddir="${EPREFIX}/run/${PN}"
+		--bundled-libraries="${bundled_libs}"
+		--builtin-libraries=NONE
+		--disable-rpath
+		--disable-rpath-install
+		--nopyc
+		--nopyo
+		--without-winexe
+		$(multilib_native_use_with acl acl-support)
+		$(multilib_native_usex addc '' '--without-ad-dc')
+		$(multilib_native_use_with addns dnsupdate)
+		$(multilib_native_use_with ads)
+		$(multilib_native_use_enable ceph cephfs)
+		$(multilib_native_use_with cluster cluster-support)
+		$(multilib_native_use_enable cups)
+		$(multilib_native_use_with dmapi)
+		$(multilib_native_use_with fam)
+		$(multilib_native_use_with gpg gpgme)
+		$(multilib_native_use_with json)
+		$(multilib_native_use_enable iprint)
+		$(multilib_native_use_with pam)
+		$(multilib_native_usex pam "--with-pammodulesdir=${EPREFIX}/$(get_libdir)/security" '')
+		$(multilib_native_use_with quota quotas)
+		$(multilib_native_use_enable snapper)
+		$(multilib_native_use_with syslog)
+		$(multilib_native_use_with systemd)
+		--systemd-install-services
+		--with-systemddir="$(systemd_get_systemunitdir)"
+		$(multilib_native_use_with winbind)
+		$(multilib_native_usex python '' '--disable-python')
+		$(multilib_native_use_enable zeroconf avahi)
+		$(multilib_native_usex test '--enable-selftest' '')
+		$(usex system-mitkrb5 "--with-system-mitkrb5 $(multilib_native_usex addc --with-experimental-mit-ad-dc '')" '')
+		$(use_with debug lttng)
+		$(use_with ldap)
+		$(use_with profiling-data)
+		# bug #683148
+		--jobs 1
+	)
+
+	multilib_is_native_abi && myconf+=( --with-shared-modules=${SHAREDMODS} )
+
+	CPPFLAGS="-I${SYSROOT}${EPREFIX}/usr/include/et ${CPPFLAGS}" \
+		waf-utils_src_configure ${myconf[@]}
+}
+
+multilib_src_compile() {
+	waf-utils_src_compile
+}
+
+multilib_src_install() {
+	waf-utils_src_install
+
+	# Make all .so files executable
+	find "${ED}" -type f -name "*.so" -exec chmod +x {} + || die
+
+	if multilib_is_native_abi ; then
+		# install ldap schema for server (bug #491002)
+		if use ldap ; then
+			insinto /etc/openldap/schema
+			doins examples/LDAP/samba.schema
+		fi
+
+		# create symlink for cups (bug #552310)
+		if use cups ; then
+			dosym ../../../bin/smbspool /usr/libexec/cups/backend/smb
+		fi
+
+		# install example config file
+		insinto /etc/samba
+		doins examples/smb.conf.default
+
+		# Fix paths in example file (#603964)
+		sed \
+			-e '/log file =/s@/usr/local/samba/var/@/var/log/samba/@' \
+			-e '/include =/s@/usr/local/samba/lib/@/etc/samba/@' \
+			-e '/path =/s@/usr/local/samba/lib/@/var/lib/samba/@' \
+			-e '/path =/s@/usr/local/samba/@/var/lib/samba/@' \
+			-e '/path =/s@/usr/spool/samba@/var/spool/samba@' \
+			-i "${ED%/}"/etc/samba/smb.conf.default || die
+
+		# Install init script and conf.d file
+		newinitd "${CONFDIR}/samba4.initd-r1" samba
+		newconfd "${CONFDIR}/samba4.confd" samba
+
+		systemd_dotmpfilesd "${FILESDIR}"/samba.conf
+		use addc || rm "${D}/$(systemd_get_systemunitdir)/samba.service" || die
+
+		# Preserve functionality for old gentoo-specific unit names
+		dosym nmb.service "$(systemd_get_systemunitdir)/nmbd.service"
+		dosym smb.service "$(systemd_get_systemunitdir)/smbd.service"
+		dosym winbind.service "$(systemd_get_systemunitdir)/winbindd.service"
+	fi
+
+	if use pam && use winbind ; then
+		newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind
+		# bugs #376853 and #590374
+		insinto /etc/security
+		doins examples/pam_winbind/pam_winbind.conf
+	fi
+
+	keepdir /var/cache/samba
+	keepdir /var/lib/ctdb
+	keepdir /var/lib/samba/{bind-dns,private}
+	keepdir /var/log/samba
+}
+
+multilib_src_install_all() {
+	# Attempt to fix bug #673168
+	find "${ED}" -type d -name "Yapp" -print0 \
+		| xargs -0 --no-run-if-empty rm -r || die
+}
+
+multilib_src_test() {
+	if multilib_is_native_abi ; then
+		"${WAF_BINARY}" test || die "test failed"
+	fi
+}
+
+pkg_postinst() {
+	ewarn "Be aware that this release contains the best of all of Samba's"
+	ewarn "technology parts, both a file server (that you can reasonably expect"
+	ewarn "to upgrade existing Samba 3.x releases to) and the AD domain"
+	ewarn "controller work previously known as 'samba4'."
+
+	elog "For further information and migration steps make sure to read "
+	elog "https://samba.org/samba/history/${P}.html "
+	elog "https://wiki.samba.org/index.php/Samba4/HOWTO "
+}
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.8.6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.8.6.ebuild
@ -1,300 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-PYTHON_COMPAT=( python2_7 )
-PYTHON_REQ_USE='threads(+),xml(+)'
-
-inherit python-single-r1 waf-utils multilib-minimal linux-info systemd eutils
-
-MY_PV="${PV/_rc/rc}"
-MY_P="${PN}-${MY_PV}"
-
-SRC_PATH="stable"
-[[ ${PV} = *_rc* ]] && SRC_PATH="rc"
-
-SRC_URI="mirror://samba/${SRC_PATH}/${MY_P}.tar.gz"
-[[ ${PV} = *_rc* ]] || \
-KEYWORDS="alpha amd64 arm arm64 ~hppa ia64 ppc ppc64 sparc x86"
-
-DESCRIPTION="Samba Suite Version 4"
-HOMEPAGE="http://www.samba.org/"
-LICENSE="GPL-3"
-
-SLOT="0"
-
-IUSE="acl addc addns ads client cluster cups dmapi fam gnutls gpg iprint ldap pam
-quota selinux syslog system-heimdal +system-mitkrb5 systemd test winbind zeroconf"
-IUSE+=" +minimal"  # COREOS: Only install libraries, not executables.
-
-# the test suite is messed, it uses system-installed samba
-# bits instead of what was built, tests things disabled via use
-# flags, and generally just fails to work in a way ebuilds could
-# rely on in its current state
-RESTRICT="test"
-
-MULTILIB_WRAPPED_HEADERS=(
-	/usr/include/samba-4.0/policy.h
-	/usr/include/samba-4.0/dcerpc_server.h
-	/usr/include/samba-4.0/ctdb.h
-	/usr/include/samba-4.0/ctdb_client.h
-	/usr/include/samba-4.0/ctdb_protocol.h
-	/usr/include/samba-4.0/ctdb_private.h
-	/usr/include/samba-4.0/ctdb_typesafe_cb.h
-	/usr/include/samba-4.0/ctdb_version.h
-)
-
-# sys-apps/attr is an automagic dependency (see bug #489748)
-CDEPEND="
-	>=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}]
-	dev-libs/libaio[${MULTILIB_USEDEP}]
-	dev-libs/libbsd[${MULTILIB_USEDEP}]
-	dev-libs/iniparser:0
-	dev-libs/popt[${MULTILIB_USEDEP}]
-	sys-apps/attr[${MULTILIB_USEDEP}]
-	sys-libs/libcap
-	sys-libs/ncurses:0=[${MULTILIB_USEDEP}]
-	sys-libs/readline:0=
-	sys-libs/zlib[${MULTILIB_USEDEP}]
-	virtual/libiconv
-	pam? ( virtual/pam )
-	acl? ( virtual/acl )
-	addns? ( net-dns/bind-tools[gssapi] )
-	cluster? (
-		net-libs/rpcsvc-proto
-		!dev-db/ctdb
-	)
-	cups? ( net-print/cups )
-	dmapi? ( sys-apps/dmapi )
-	fam? ( virtual/fam )
-	gnutls? (
-		dev-libs/libgcrypt:0
-		>=net-libs/gnutls-1.4.0
-	)
-	gpg? ( app-crypt/gpgme )
-	ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] )
-	system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] )
-	system-mitkrb5? ( app-crypt/mit-krb5[${MULTILIB_USEDEP}] )
-	systemd? ( sys-apps/systemd:0= )"
-DEPEND="${CDEPEND}
-	${PYTHON_DEPS}
-	app-text/docbook-xsl-stylesheets
-	dev-lang/perl:=
-	dev-libs/libxslt
-	virtual/pkgconfig
-	test? (
-		>=sys-libs/nss_wrapper-1.1.3
-		>=net-dns/resolv_wrapper-1.1.4
-		>=net-libs/socket_wrapper-1.1.7
-		>=sys-libs/uid_wrapper-1.2.1
-	)"
-RDEPEND="${CDEPEND}
-	client? ( net-fs/cifs-utils[ads?] )
-	selinux? ( sec-policy/selinux-samba )
-	!dev-perl/Parse-Yapp
-"
-
-REQUIRED_USE="
-	addc? ( gnutls !system-mitkrb5 )
-	ads? ( acl gnutls ldap )
-	cluster? ( ads )
-	gpg? ( addc )
-	?? ( system-heimdal system-mitkrb5 )
-	${PYTHON_REQUIRED_USE}"
-
-S="${WORKDIR}/${MY_P}"
-
-PATCHES=(
-	"${FILESDIR}/${PN}-4.4.0-pam.patch"
-	"${FILESDIR}/${PN}-4.5.1-compile_et_fix.patch"
-)
-
-#CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)"
-CONFDIR="${FILESDIR}/4.4"
-
-WAF_BINARY="${S}/buildtools/bin/waf"
-
-SHAREDMODS=""
-
-pkg_setup() {
-	python-single-r1_pkg_setup
-	if use cluster ; then
-		SHAREDMODS="idmap_rid,idmap_tdb2,idmap_ad"
-	elif use ads ; then
-		SHAREDMODS="idmap_ad"
-	fi
-}
-
-src_prepare() {
-	default
-
-	sed -e 's:<gpgme\.h>:<gpgme/gpgme.h>:' \
-		-i source4/dsdb/samdb/ldb_modules/password_hash.c \
-		|| die
-
-	# Friggin' WAF shit
-	multilib_copy_sources
-}
-
-multilib_src_configure() {
-	# when specifying libs for samba build you must append NONE to the end to
-	# stop it automatically including things
-	local bundled_libs="NONE"
-	if ! use system-heimdal && ! use system-mitkrb5 ; then
-		bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE"
-	fi
-
-	# COREOS: Don't depend on tons of new packages with broken cross-compilation support.
-	bundled_libs=ALL
-
-	local myconf=()
-	myconf=(
-		--enable-fhs
-		--sysconfdir="${EPREFIX}/etc"
-		--localstatedir="${EPREFIX}/var"
-		--with-modulesdir="${EPREFIX}/usr/$(get_libdir)/samba"
-		--with-piddir="${EPREFIX}/run/${PN}"
-		--without-lttng
-		--bundled-libraries="${bundled_libs}"
-		--builtin-libraries=NONE
-		--disable-rpath
-		--disable-rpath-install
-		--nopyc
-		--nopyo
-		--disable-cephfs
-		--disable-python  # COREOS: Don't build libraries requiring Python.
-	)
-	if multilib_is_native_abi ; then
-		myconf+=(
-			$(use_with acl acl-support)
-			$(usex addc '' '--without-ad-dc')
-			$(use_with addns dnsupdate)
-			$(use_with ads)
-			$(use_with cluster cluster-support)
-			$(use_enable cups)
-			$(use_with dmapi)
-			$(use_with fam)
-			$(use_enable gnutls)
-			$(use_with gpg gpgme)
-			$(use_enable iprint)
-			$(use_with ldap)
-			$(use_with pam)
-			$(usex pam "--with-pammodulesdir=${EPREFIX}/$(get_libdir)/security" '')
-			$(use_with quota quotas)
-			$(use_with syslog)
-			$(use_with systemd)
-			$(usex system-mitkrb5 '--with-system-mitkrb5' '')
-			$(use_with winbind)
-			$(usex test '--enable-selftest' '')
-			$(use_enable zeroconf avahi)
-			--with-shared-modules=${SHAREDMODS}
-		)
-	else
-		myconf+=(
-			--without-acl-support
-			--without-ad-dc
-			--without-dnsupdate
-			--without-ads
-			--disable-avahi
-			--without-cluster-support
-			--disable-cups
-			--without-dmapi
-			--without-fam
-			--disable-gnutls
-			--without-gpgme
-			--disable-iprint
-			$(use_with ldap)
-			--without-pam
-			--without-quotas
-			--without-syslog
-			--without-systemd
-			$(usex system-mitkrb5 '--with-system-mitkrb5' '')
-			--without-winbind
-			--disable-python
-		)
-	fi
-
-	CPPFLAGS="-I${SYSROOT}${EPREFIX}/usr/include/et ${CPPFLAGS}" \
-		waf-utils_src_configure ${myconf[@]}
-}
-
-multilib_src_compile() {
-	waf-utils_src_compile
-}
-
-multilib_src_install() {
-	waf-utils_src_install
-
-	# Make all .so files executable
-	find "${D}" -type f -name "*.so" -exec chmod +x {} +
-
-	if multilib_is_native_abi; then
-		# install ldap schema for server (bug #491002)
-		if use ldap ; then
-			insinto /etc/openldap/schema
-			doins examples/LDAP/samba.schema
-		fi
-
-		# create symlink for cups (bug #552310)
-		if use cups ; then
-			dosym ../../../bin/smbspool /usr/libexec/cups/backend/smb
-		fi
-
-		# install example config file
-		insinto /etc/samba
-		doins examples/smb.conf.default
-
-		# Fix paths in example file (#603964)
-		sed \
-			-e '/log file =/s@/usr/local/samba/var/@/var/log/samba/@' \
-			-e '/include =/s@/usr/local/samba/lib/@/etc/samba/@' \
-			-e '/path =/s@/usr/local/samba/lib/@/var/lib/samba/@' \
-			-e '/path =/s@/usr/local/samba/@/var/lib/samba/@' \
-			-e '/path =/s@/usr/spool/samba@/var/spool/samba@' \
-			-i "${ED%/}"/etc/samba/smb.conf.default || die
-
-		# Install init script and conf.d file
-		newinitd "${CONFDIR}/samba4.initd-r1" samba
-		newconfd "${CONFDIR}/samba4.confd" samba
-
-		if ! use minimal ; then
-			systemd_dotmpfilesd "${FILESDIR}"/samba.conf
-		fi
-		systemd_dounit "${FILESDIR}"/nmbd.service
-		systemd_dounit "${FILESDIR}"/smbd.{service,socket}
-		systemd_newunit "${FILESDIR}"/smbd_at.service 'smbd@.service'
-		systemd_dounit "${FILESDIR}"/winbindd.service
-		systemd_dounit "${FILESDIR}"/samba.service
-	fi
-
-	rm -f "${ED%/}"/etc/samba/*
-	rm -f "${ED%/}"/usr/lib*/samba/ldb/*
-	if use minimal ; then
-		mv "${ED%/}"/usr/bin/net "${T}"/
-		rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/*
-		mv "${T}"/net "${ED%/}"/usr/bin/net
-		rm -rf ${ED%/}/lib*/security
-		rm -rf ${ED%/}/usr/lib/systemd
-		rm -rf ${ED%/}/usr/lib*/perl*
-		rm -rf ${ED%/}/usr/lib*/python*
-		rm -rf ${ED%/}/var
-	fi
-}
-
-multilib_src_test() {
-	if multilib_is_native_abi ; then
-		"${WAF_BINARY}" test || die "test failed"
-	fi
-}
-
-pkg_postinst() {
-	ewarn "Be aware the this release contains the best of all of Samba's"
-	ewarn "technology parts, both a file server (that you can reasonably expect"
-	ewarn "to upgrade existing Samba 3.x releases to) and the AD domain"
-	ewarn "controller work previously known as 'samba4'."
-
-	elog "For further information and migration steps make sure to read "
-	elog "http://samba.org/samba/history/${P}.html "
-	elog "http://samba.org/samba/history/${PN}-4.5.0.html and"
-	elog "http://wiki.samba.org/index.php/Samba4/HOWTO "
-}