overlay net-fs/samba: sync with Gentoo

Update net-fs/samba to 4.18.4, mainly to address CVE-2021-44142, CVE-2022-1615. Gentoo ref: 2cecc32967dd95e8c66ded510b89c8aeaf267f90
2026-02-15 20:52:34 +01:00 · 2023-09-25 15:34:06 +02:00 · 2023-09-25 15:34:06 +02:00 · b2f8324050
commit b2f8324050
parent db2b27d2b3
7 changed files with 210 additions and 110 deletions
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
@ -1 +1 @@
-DIST samba-4.15.4.tar.gz 19280813 BLAKE2B 3106f2f265263e871fe3f82d3eecaac2e5f642925ff5dd2a9d163092fd13e9348a3910e40431d51cb94a1abeb3b9c32c487ce1f8caebe59a8d6d90641b4d9201 SHA512 e55473dd4971816a01880870309ca44f022625cd529511bcf386c865a2e7e79118577ee4866559f607952de47dc0d310d6426bd08dd4293db95ddbbe3982383d
+DIST samba-4.18.4.tar.gz 41311410 BLAKE2B 1f1aab7eb933111b9b1c72af8c3dd379fe34014085129e9d5cc400b4e434742e1c08ad4fdf2a98291d6063ce9b2ddc811e9ab5dbb133a85e97f2158f83dd7c96 SHA512 bc8d792b510061556c07b6844a825801a4271eed45e01133a4718c1839d123e2908fa0e31e67af43098500e98a9082eb104052e711a8a034fac23d86e15c29ee
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/ldb-2.5.2-skip-wav-tevent-check.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/ldb-2.5.2-skip-wav-tevent-check.patch
@ -0,0 +1,12 @@
+--- ldb-1.3.6/lib/tevent/wscript
+++ ldb-1.3.6/lib/tevent/wscript
+@@ -34,8 +34,7 @@
+         if conf.CHECK_BUNDLED_SYSTEM_PKG('tevent', minversion=VERSION,
+                                      onlyif='talloc', implied_deps='replace talloc'):
+             conf.define('USING_SYSTEM_TEVENT', 1)
+-            if not conf.env.disable_python and \
+-                conf.CHECK_BUNDLED_SYSTEM_PYTHON('pytevent', 'tevent', minversion=VERSION):
+            if not conf.env.disable_python:
+                 conf.define('USING_SYSTEM_PYTEVENT', 1)
+ 
+     if conf.CHECK_FUNCS('epoll_create', headers='sys/epoll.h'):
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch
@ -0,0 +1,56 @@
+https://bugs.gentoo.org/910306
+https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+ source3/rpc_server/netlogon/srv_netlog_nt.c   | 9 +++++----
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++----
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2284,6 +2284,11 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ 	struct netlogon_creds_CredentialState *creds;
+ 	NTSTATUS status;
+ 
+	if (r->in.query_level != 1) {
+		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
+ 	become_root();
+ 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
+ 						p->mem_ctx,
+@@ -2296,10 +2301,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ 		return status;
+ 	}
+ 
+-	if (r->in.query_level != 1) {
+-		return NT_STATUS_NOT_SUPPORTED;
+-	}
+-
+ 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
+ 
+ 	return NT_STATUS_OK;
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -2364,6 +2364,10 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ 	struct netlogon_creds_CredentialState *creds;
+ 	NTSTATUS status;
+ 
+	if (r->in.query_level != 1) {
+		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
+	}
+
+ 	status = dcesrv_netr_creds_server_step_check(dce_call,
+ 						     mem_ctx,
+ 						     r->in.computer_name,
+@@ -2375,10 +2379,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ 	}
+ 	NT_STATUS_NOT_OK_RETURN(status);
+ 
+-	if (r->in.query_level != 1) {
+-		return NT_STATUS_NOT_SUPPORTED;
+-	}
+-
+ 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
+ 
+ 	return NT_STATUS_OK;
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-pam.patch
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-pam.patch
@ -1,6 +1,6 @@
--- samba-4.4.0rc2/source3/wscript
-+++ samba-4.4.0rc2/source3/wscript
-@@ -870,7 +870,7 @@
+--- a/source3/wscript
+++ b/source3/wscript
+@@ -863,7 +863,7 @@
         if conf.env.with_iconv:
             conf.DEFINE('HAVE_ICONV', 1)
 
@ -9,9 +9,9 @@
         use_pam=True
         conf.CHECK_HEADERS('security/pam_appl.h pam/pam_appl.h')
         if not conf.CONFIG_SET('HAVE_SECURITY_PAM_APPL_H') and not conf.CONFIG_SET('HAVE_PAM_PAM_APPL_H'):
-@@ -943,6 +943,17 @@
-             conf.DEFINE('WITH_PAM', 1)
-             conf.DEFINE('WITH_PAM_MODULES', 1)
+@@ -940,6 +940,17 @@
+                        "or headers not found. Use --without-pam to disable "
+                        "PAM support.");
 
 +    else:
 +        Logs.warn("PAM disabled")
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf
@ -1,3 +1,8 @@
-D /run/samba 0755 root root
-D /run/ctdb 0755 root root
-D /run/lock/samba 0755 root root
+d /run/samba
+d /run/ctdb
+d /run/lock/samba
+d /var/cache/samba
+d /var/lib/ctdb
+d /var/lib/samba/bind-dns
+d /var/lib/samba/private
+d /var/log/samba
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
@ -10,7 +10,6 @@
 	</longdescription>
 	<use>
 		<flag name="addc">Enable Active Directory Domain Controller support</flag>
-		<flag name="addns">Enable AD DNS integration</flag>
 		<flag name="ads">Enable Active Directory support</flag>
 		<flag name="ceph">Enable support for Ceph distributed filesystem via <pkg>sys-cluster/ceph</pkg></flag>
 		<flag name="client">Enables the client part</flag>
@ -19,7 +18,6 @@
 		<flag name="gpg">Use <pkg>app-crypt/gpgme</pkg> for AD DC</flag>
 		<flag name="json">Enable json audit support through <pkg>dev-libs/jansson</pkg></flag>
 		<flag name="iprint">Enabling iPrint technology by Novell</flag>
-		<flag name="ntvfs">Enable support for NTVFS fileserver</flag>
 		<flag name="profiling-data">Enables support for collecting profiling data</flag>
 		<flag name="quota">Enables support for user quotas</flag>
 		<flag name="regedit">Enable support for regedit command-line tool</flag>
@ -29,9 +27,11 @@
 			bundled heimdal.</flag>
 		<flag name="system-mitkrb5">Use <pkg>app-crypt/mit-krb5</pkg> instead of
 			<pkg>app-crypt/heimdal</pkg>.</flag>
+		<flag name="unwind">Enable libunwind usage for backtraces</flag>
 		<flag name="winbind">Enables support for the winbind auth daemon</flag>
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:samba:samba</remote-id>
+		<remote-id type="gitlab">samba-team/samba</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.15.4-r4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.15.4-r4.ebuild
@ -1,36 +1,34 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

-EAPI=7
+EAPI=8

-PYTHON_COMPAT=( python3_{8..11} )
+PYTHON_COMPAT=( python3_{10..11} )
 PYTHON_REQ_USE="threads(+),xml(+)"
-TMPFILES_OPTIONAL=1
-inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam tmpfiles
+inherit python-single-r1 flag-o-matic waf-utils multilib-minimal linux-info systemd pam tmpfiles

 DESCRIPTION="Samba Suite Version 4"
 HOMEPAGE="https://samba.org/"

 MY_PV="${PV/_rc/rc}"
 MY_P="${PN}-${MY_PV}"
-if [[ ${PV} = *_rc* ]]; then
+if [[ ${PV} == *_rc* ]]; then
 	SRC_URI="mirror://samba/rc/${MY_P}.tar.gz"
 else
 	SRC_URI="mirror://samba/stable/${MY_P}.tar.gz"
-	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ppc ppc64 ~riscv sparc x86"
+	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ppc ppc64 ~riscv sparc x86"
 fi
 S="${WORKDIR}/${MY_P}"

 LICENSE="GPL-3"
 SLOT="0"
-IUSE="acl addc ads ceph client cluster cpu_flags_x86_aes cups debug fam
-glusterfs gpg iprint json ldap pam profiling-data python quota +regedit selinux
-snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test winbind
-zeroconf"
-IUSE+=" +minimal"  # Flatcar: Only install libraries, not executables.
+IUSE="acl addc ads ceph client cluster cpu_flags_x86_aes cups debug fam glusterfs gpg"
+IUSE+=" iprint json ldap llvm-libunwind pam profiling-data python quota +regedit selinux"
+IUSE+=" snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test unwind winbind"
+IUSE+=" zeroconf"

 REQUIRED_USE="${PYTHON_REQUIRED_USE}
-	addc? ( python json winbind )
+	addc? ( json python !system-mitkrb5 winbind )
 	ads? ( acl ldap python winbind )
 	cluster? ( ads )
 	gpg? ( addc )
@ -57,37 +55,42 @@ MULTILIB_WRAPPED_HEADERS=(
 	/usr/include/samba-4.0/ctdb_version.h
 )

+TALLOC_VERSION="2.4.0"
+TDB_VERSION="1.4.8"
+TEVENT_VERSION="0.14.1"
+
 COMMON_DEPEND="
-	>=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}]
-	spotlight? ( dev-libs/icu:=[${MULTILIB_USEDEP}] )
+	>=app-arch/libarchive-3.1.2:=[${MULTILIB_USEDEP}]
+	dev-lang/perl:=
+	dev-libs/icu:=[${MULTILIB_USEDEP}]
 	dev-libs/libbsd[${MULTILIB_USEDEP}]
-	!minimal? ( dev-libs/libtasn1[${MULTILIB_USEDEP}] )
+	dev-libs/libtasn1:=[${MULTILIB_USEDEP}]
 	dev-libs/popt[${MULTILIB_USEDEP}]
-	>=net-libs/gnutls-3.4.7[${MULTILIB_USEDEP}]
+	dev-perl/Parse-Yapp
+	>=net-libs/gnutls-3.4.7:=[${MULTILIB_USEDEP}]
 	>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
-	>=sys-libs/ldb-2.4.1[ldap(+)?,${MULTILIB_USEDEP}]
-	<sys-libs/ldb-2.5.0[ldap(+)?,${MULTILIB_USEDEP}]
+	>=sys-libs/ldb-2.7.2:=[ldap(+)?,${MULTILIB_USEDEP}]
+	<sys-libs/ldb-2.8.0:=[ldap(+)?,${MULTILIB_USEDEP}]
 	sys-libs/libcap[${MULTILIB_USEDEP}]
 	sys-libs/liburing:=[${MULTILIB_USEDEP}]
-	sys-libs/ncurses:0=
-	sys-libs/readline:0=
-	>=sys-libs/talloc-2.3.3[${MULTILIB_USEDEP}]
-	>=sys-libs/tdb-1.4.4[${MULTILIB_USEDEP}]
-	>=sys-libs/tevent-0.11.0[${MULTILIB_USEDEP}]
+	sys-libs/ncurses:=
+	sys-libs/readline:=
+	>=sys-libs/talloc-${TALLOC_VERSION}[${MULTILIB_USEDEP}]
+	>=sys-libs/tdb-${TDB_VERSION}[${MULTILIB_USEDEP}]
+	>=sys-libs/tevent-${TEVENT_VERSION}[${MULTILIB_USEDEP}]
 	sys-libs/zlib[${MULTILIB_USEDEP}]
 	virtual/libcrypt:=[${MULTILIB_USEDEP}]
 	virtual/libiconv
-	$(python_gen_cond_dep "
+	$(python_gen_cond_dep '
 		addc? (
-			dev-python/dnspython:=[\${PYTHON_USEDEP}]
-			dev-python/markdown[\${PYTHON_USEDEP}]
+			dev-python/dnspython:=[${PYTHON_USEDEP}]
+			dev-python/markdown[${PYTHON_USEDEP}]
 		)
 		ads? (
-			dev-python/dnspython:=[\${PYTHON_USEDEP}]
+			dev-python/dnspython:=[${PYTHON_USEDEP}]
 			net-dns/bind-tools[gssapi]
 		)
-	")
-	!alpha? ( !sparc? ( sys-libs/libunwind:= ) )
+	')
 	acl? ( virtual/acl )
 	ceph? ( sys-cluster/ceph )
 	cluster? ( net-libs/rpcsvc-proto )
@ -107,18 +110,20 @@ COMMON_DEPEND="
 	snapper? ( sys-apps/dbus )
 	system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] )
 	system-mitkrb5? ( >=app-crypt/mit-krb5-1.19[${MULTILIB_USEDEP}] )
-	systemd? ( sys-apps/systemd:0= )
+	systemd? ( sys-apps/systemd:= )
+	unwind? (
+		llvm-libunwind? ( sys-libs/llvm-libunwind:= )
+		!llvm-libunwind? ( sys-libs/libunwind:= )
+	)
 	zeroconf? ( net-dns/avahi[dbus] )
 "
 DEPEND="${COMMON_DEPEND}
-	>=dev-util/cmocka-1.1.3[${MULTILIB_USEDEP}]
+	dev-perl/JSON
 	net-libs/libtirpc[${MULTILIB_USEDEP}]
-	|| (
-		net-libs/rpcsvc-proto
-		<sys-libs/glibc-2.26[rpc(+)]
-	)
+	net-libs/rpcsvc-proto
 	spotlight? ( dev-libs/glib )
 	test? (
+		>=dev-util/cmocka-1.1.3[${MULTILIB_USEDEP}]
 		$(python_gen_cond_dep "dev-python/subunit[\${PYTHON_USEDEP},${MULTILIB_USEDEP}]" )
 		!system-mitkrb5? (
 			>=net-dns/resolv_wrapper-1.1.4
@ -133,31 +138,29 @@ RDEPEND="${COMMON_DEPEND}
 	selinux? ( sec-policy/selinux-samba )
 "
 BDEPEND="${PYTHON_DEPS}
-	dev-lang/perl:=
-	dev-perl/Parse-Yapp
 	app-text/docbook-xsl-stylesheets
 	dev-libs/libxslt
 	virtual/pkgconfig
 "

 PATCHES=(
-	"${FILESDIR}/${PN}-4.4.0-pam.patch"
+	"${FILESDIR}"/${PN}-4.18.4-pam.patch
+	"${FILESDIR}"/${PN}-4.18.4-bug-15418-windows-update-secure-channel.patch
+	"${FILESDIR}"/ldb-2.5.2-skip-wav-tevent-check.patch
 )

-#CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)"
 CONFDIR="${FILESDIR}/4.4"
-
 WAF_BINARY="${S}/buildtools/bin/waf"
-
 SHAREDMODS=""

 pkg_setup() {
 	# Package fails to build with distcc
 	export DISTCC_DISABLE=1
+	export PYTHONHASHSEED=1

 	python-single-r1_pkg_setup

-	SHAREDMODS="$(usex snapper '' '!')vfs_snapper"
+	SHAREDMODS="$(usev !snapper '!')vfs_snapper"
 	if use cluster ; then
 		SHAREDMODS+=",idmap_rid,idmap_tdb2,idmap_ad"
 	elif use ads ; then
@ -165,36 +168,86 @@ pkg_setup() {
 	fi
 }

+check_samba_dep_versions() {
+	actual_talloc_version=$(sed -En '/^VERSION =/{s/[^0-9.]//gp}' lib/talloc/wscript || die)
+	if [[ ${actual_talloc_version} != ${TALLOC_VERSION} ]] ; then
+		eerror "Source talloc version: ${TALLOC_VERSION}"
+		eerror "Ebuild talloc version: ${actual_talloc_version}"
+		die "Ebuild needs to fix TALLOC_VERSION!"
+	fi
+
+	actual_tdb_version=$(sed -En '/^VERSION =/{s/[^0-9.]//gp}' lib/tdb/wscript || die)
+	if [[ ${actual_tdb_version} != ${TDB_VERSION} ]] ; then
+		eerror "Source tdb version: ${TDB_VERSION}"
+		eerror "Ebuild tdb version: ${actual_tdb_version}"
+		die "Ebuild needs to fix TDB_VERSION!"
+	fi
+
+	actual_tevent_version=$(sed -En '/^VERSION =/{s/[^0-9.]//gp}' lib/tevent/wscript || die)
+	if [[ ${actual_tevent_version} != ${TEVENT_VERSION} ]] ; then
+		eerror "Source tevent version: ${TEVENT_VERSION}"
+		eerror "Ebuild tevent version: ${actual_tevent_version}"
+		die "Ebuild needs to fix TEVENT_VERSION!"
+	fi
+}
+
 src_prepare() {
 	default

-	# un-bundle dnspython
+	check_samba_dep_versions
+
+	# Unbundle dnspython
 	sed -i -e '/"dns.resolver":/d' "${S}"/third_party/wscript || die

-	# unbundle iso8601 unless tests are enabled
+	# Unbundle iso8601 unless tests are enabled
 	if ! use test ; then
 		sed -i -e '/"iso8601":/d' "${S}"/third_party/wscript || die
 	fi

+	# Ugly hackaround for bug #592502
+	#cp /usr/include/tevent_internal.h "${S}"/lib/tevent/ || die
+
 	sed -e 's:<gpgme\.h>:<gpgme/gpgme.h>:' \
 		-i source4/dsdb/samdb/ldb_modules/password_hash.c \
 		|| die

-	# Friggin' WAF shit
+	# WAF
 	multilib_copy_sources
 }

 multilib_src_configure() {
-	# when specifying libs for samba build you must append NONE to the end to
+	# When specifying libs for samba build you must append NONE to the end to
 	# stop it automatically including things
 	local bundled_libs="NONE"
 	if ! use system-heimdal && ! use system-mitkrb5 ; then
 		bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE"
 	fi

-	# Flatcar: we need only the mandatory bundled library, ldb by default.
-	# Without that, configure will fail because of a missing bundled library.
-	bundled_libs="ldb"
+	# We "use" bundled cmocka when we're not running tests as we're
+	# not using it anyway. Means we avoid making users install it for
+	# no reason. bug #802531
+	if ! use test ; then
+		bundled_libs="cmocka,${bundled_libs}"
+	fi
+
+	# bug #874633
+	if use llvm-libunwind ; then
+		mkdir -p "${T}"/${ABI}/pkgconfig || die
+
+		local -x PKG_CONFIG_PATH="${T}/${ABI}/pkgconfig:${PKG_CONFIG_PATH}"
+
+		cat <<-EOF > "${T}"/${ABI}/pkgconfig/libunwind-generic.pc || die
+		exec_prefix=\${prefix}
+		libdir=/usr/$(get_libdir)
+		includedir=\${prefix}/include
+
+		Name: libunwind-generic
+		Description: libunwind generic library
+		Version: 1.70
+		Libs: -L\${libdir} -lunwind
+		Cflags: -I\${includedir}
+		EOF
+	fi

 	local myconf=(
 		--enable-fhs
@ -231,11 +284,12 @@ multilib_src_configure() {
 		$(multilib_native_use_with systemd)
 		--systemd-install-services
 		--with-systemddir="$(systemd_get_systemunitdir)"
+		$(multilib_native_use_with unwind libunwind)
 		$(multilib_native_use_with winbind)
 		$(multilib_native_usex python '' '--disable-python')
 		$(multilib_native_use_enable zeroconf avahi)
 		$(multilib_native_usex test '--enable-selftest' '')
-		$(usex system-mitkrb5 "--with-system-mitkrb5 $(multilib_native_usex addc --with-experimental-mit-ad-dc '')" '')
+		$(usev system-mitkrb5 "--with-system-mitkrb5 $(multilib_native_usex addc --with-experimental-mit-ad-dc '')")
 		$(use_with debug lttng)
 		$(use_with ldap)
 		$(use_with profiling-data)
@ -249,38 +303,50 @@ multilib_src_configure() {
 		myconf+=( --with-shared-modules=DEFAULT,!vfs_snapper )
 	fi

-	CPPFLAGS="-I${SYSROOT}${EPREFIX}/usr/include/et ${CPPFLAGS}" \
-		waf-utils_src_configure ${myconf[@]}
+	append-cppflags "-I${ESYSROOT}/usr/include/et"
+
+	waf-utils_src_configure ${myconf[@]}
 }

 multilib_src_compile() {
 	waf-utils_src_compile
 }

+multilib_src_test() {
+	if multilib_is_native_abi ; then
+		"${WAF_BINARY}" test || die "Test failed"
+	fi
+}
+
 multilib_src_install() {
 	waf-utils_src_install

 	# Make all .so files executable
 	find "${ED}" -type f -name "*.so" -exec chmod +x {} + || die
+	# smbspool_krb5_wrapper must only be accessible to root, bug #880739
+	find "${ED}" -type f -name "smbspool_krb5_wrapper" -exec chmod go-rwx {} + || die
+
+	# Remove empty runtime dirs created by build system (bug #892341)
+	find "${ED}"/{run,var} -type d -empty -delete || die

 	if multilib_is_native_abi ; then
-		# install ldap schema for server (bug #491002)
+		# Install ldap schema for server (bug #491002)
 		if use ldap ; then
 			insinto /etc/openldap/schema
 			doins examples/LDAP/samba.schema
 		fi

-		# create symlink for cups (bug #552310)
+		# Create symlink for cups (bug #552310)
 		if use cups ; then
 			dosym ../../../bin/smbspool \
 				/usr/libexec/cups/backend/smb
 		fi

-		# install example config file
+		# Install example config file
 		insinto /etc/samba
 		doins examples/smb.conf.default

-		# Fix paths in example file (#603964)
+		# Fix paths in example file (bug #603964)
 		sed \
 			-e '/log file =/s@/usr/local/samba/var/@/var/log/samba/@' \
 			-e '/include =/s@/usr/local/samba/lib/@/etc/samba/@' \
@ -293,7 +359,7 @@ multilib_src_install() {
 		newinitd "${CONFDIR}/samba4.initd-r1" samba
 		newconfd "${CONFDIR}/samba4.confd" samba

-		use minimal || dotmpfiles "${FILESDIR}"/samba.conf
+		dotmpfiles "${FILESDIR}"/samba.conf
 		if ! use addc ; then
 			rm "${D}/$(systemd_get_systemunitdir)/samba.service" \
 				|| die
@ -311,47 +377,8 @@ multilib_src_install() {
 		insinto /etc/security
 		doins examples/pam_winbind/pam_winbind.conf
 	fi
-
-	keepdir /var/cache/samba
-	keepdir /var/lib/ctdb
-	keepdir /var/lib/samba/{bind-dns,private}
-	keepdir /var/lock/samba
-	keepdir /var/log/samba
-
-
-	rm -f "${ED%/}"/etc/samba/*
-	rm -f "${ED%/}"/usr/lib*/samba/ldb/*
-	if use minimal ; then
-		mv "${ED%/}"/usr/bin/net "${T}"/
-		rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/*
-		mv "${T}"/net "${ED%/}"/usr/bin/net
-		rm -rf ${ED%/}/lib*/security
-		rm -rf ${ED%/}/usr/lib/systemd
-		rm -rf ${ED%/}/usr/lib*/perl*
-		rm -rf ${ED%/}/usr/lib*/python*
-		rm -rf ${ED%/}/var
-	fi
-}
-
-multilib_src_test() {
-	if multilib_is_native_abi ; then
-		"${WAF_BINARY}" test || die "test failed"
-	fi
 }

 pkg_postinst() {
-	use minimal || tmpfiles_process samba.conf
-
-	if [[ -z ${REPLACING_VERSIONS} ]] ; then
-		elog "Be aware that this release contains the best of all of Samba's"
-		elog "technology parts, both a file server (that you can reasonably expect"
-		elog "to upgrade existing Samba 3.x releases to) and the AD domain"
-		elog "controller work previously known as 'samba4'."
-		elog
-	fi
-	if [[ "${PV}" != *_rc* ]] ; then
-		elog "For further information and migration steps make sure to read "
-		elog "https://samba.org/samba/history/${P}.html "
-		elog "https://wiki.samba.org/index.php/Samba4/HOWTO "
-	fi
+	tmpfiles_process samba.conf
 }