[1/2] samba: Update to version 4.16.0

Message ID 20220421075146.3076-1-adolf.belka@ipfire.org
State Accepted
Commit e8e8b6ae29176e605143c8927ba402078cdc4f54
Series [1/2] samba: Update to version 4.16.0

Commit Message

Adolf Belka April 21, 2022, 7:51 a.m. UTC
- Update from version 4.15.5 to 4.16.0
- Update of rootfile
- perl-JSON now added to samba requirements. Additional patch combined with this one for
   install of perl-JSON
- Changelog
   Release Notes for Samba 4.16.0
     NEW FEATURES/CHANGES
	New samba-dcerpcd binary to provide DCERPC in the member server setup
		In order to make it much easier to break out the DCERPC services
		from smbd, a new samba-dcerpcd binary has been created.
		samba-dcerpcd can be used in two ways. In the normal case without
		startup script modification it is invoked on demand from smbd or
		winbind --np-helper to serve DCERPC over named pipes. Note that
		in order to run in this mode the smb.conf [global] section has
		a new parameter "rpc start on demand helpers = [true|false]".
		This parameter is set to "true" by default, meaning no changes to
		smb.conf files are needed to run samba-dcerpcd on demand as a named
		pipe helper.
		It can also be used in a standalone mode where it is started
		separately from smbd or winbind but this requires changes to system
		startup scripts, and in addition a change to smb.conf, setting the new
		[global] parameter "rpc start on demand helpers = false". If "rpc
		start on demand helpers" is not set to false, samba-dcerpcd will
		refuse to start in standalone mode.
		Note that when Samba is run in the Active Directory Domain Controller
		mode the samba binary that provides the AD code will still provide its
		normal DCERPC services whilst allowing samba-dcerpcd to provide
		services like SRVSVC in the same way that smbd used to in this
		configuration.
		The parameters that allowed some smbd-hosted services to be started
		externally are now gone (detailed below) as this is now the default
		setting.
		samba-dcerpcd can also be useful for use outside of the Samba
		framework, for example, use with the Linux kernel SMB2 server ksmbd or
		possibly other SMB2 server implementations.
	Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
		Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
		implementation.  This snapshot has now been updated and will closely
		match what will be released as Heimdal 8.0 shortly.
		This is a major update, previously we used a snapshot of Heimdal from
		2011, and brings important new Kerberos security features such as
		Kerberos request armoring, known as FAST.  This tunnels ticket
		requests and replies that might be encrypted with a weak password
		inside a wrapper built with a stronger password, say from a machine
		account.
		In Heimdal and MIT modes Samba's KDC now supports FAST, for the
		support of non-Windows clients.
		Windows clients will not use this feature however, as they do not
		attempt to do so against a server not advertising domain Functional
		Level 2012.  Samba users are of course free to modify how Samba
		advertises itself, but use with Windows clients is not supported "out
		of the box".
		Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
		the FAST protocol.  A future version will align this more closely with
		Microsoft AD behaviour.
		If FAST needs to be disabled on your Samba KDC, set
		 kdc enable fast = no
		in the smb.conf.
	Certificate Auto Enrollment
		Certificate Auto Enrollment allows devices to enroll for certificates from
		Active Directory Certificate Services. It is enabled by Group Policy.
		To enable Certificate Auto Enrollment, Samba's group policy will need to be
		enabled by setting the smb.conf option `apply group policies` to Yes. Samba
		Certificate Auto Enrollment depends on certmonger, the cepces certmonger
		plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
		certmonger paired with cepces to monitor the host certificate templates.
		Certificates are installed in /var/lib/samba/certs and private keys are
		installed in /var/lib/samba/private/certs.
	Ability to add ports to dns forwarder addresses in internal DNS backend
		The internal DNS server of Samba forwards queries for non-AD zones to one or more
		configured forwarders. Up until now it has been assumed that these forwarders
		listen on port 53. Starting with this version it is possible to configure the
		port using host:port notation. See smb.conf for more details. Existing setups
		are not affected, as the default port is 53.
	CTDB changes
		* The "recovery master" role has been renamed "leader"
		  Documentation and logs now refer to "leader".
		  The following ctdb tool command names have changed:
		    recmaster -> leader
		    setrecmasterrole -> setleaderrole
		  Command output has changed for the following commands:
		    status
		    getcapabilities
		  The "[legacy] -> recmaster capability" configuration option has been
		  renamed and moved to the cluster section, so this is now:
		    [cluster] -> leader capability
		* The "recovery lock" has been renamed "cluster lock"
		  Documentation and logs now refer to "cluster lock".
		  The "[cluster] -> recovery lock" configuration option has been
		  deprecated and will be removed in a future version.  Please use
		  "[cluster] -> cluster lock" instead.
		  If the cluster lock is enabled then traditional elections are not
		  done and leader elections use a race for the cluster lock.  This
		  avoids various conditions where a node is elected leader but can not
		  take the cluster lock.  Such conditions included:
		  - At startup, a node elects itself leader of its own cluster before
		    connecting to other nodes
		  - Cluster filesystem failover is slow
		  The abbreviation "reclock" is still used in many places, because a
		  better abbreviation eludes us (i.e. "clock" is obviously bad) and
		  changing all instances would require a lot of churn.  If the
		  abbreviation "reclock" for "cluster lock" is confusing, please
		  consider mentally prefixing it with "really excellent".
		* CTDB now uses leader broadcasts and an associated timeout to
		  determine if an election is required
		  The leader broadcast timeout can be configured via new configuration
		  option
		    [cluster] -> leader timeout
		  This specifies the number of seconds without leader broadcasts
		  before a node calls an election.  The default is 5.
     REMOVED FEATURES
	  Older SMB1 protocol SMBCopy command removed
		SMB is a nearly 30-year old protocol, and some protocol commands that
		while supported in all versions, have not seen widespread use.
		One of those is SMBCopy, a feature for a server-side copy of a file.
		This feature has been so unmaintained that Samba has no testsuite for
		it.
		The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
		introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
		in the NT LAN Manager dialect.
		Therefore it has been removed from the Samba smbd server.
		We do note that a fully supported and tested server-side copy is
		present in SMB2, and can be accessed with the "scopy" subcommand in
		smbclient.
	  SMB1 server-side wildcard expansion removed
		Server-side wildcard expansion is another feature that sounds useful,
		but is also rarely used and has become problematic - imposing extra
		work on the server (both in terms of code and CPU time).
		In actual OS design, wildcard expansion is handled in the local shell,
		not at the remote server using SMB wildcard syntax (which is not shell
		syntax).
		In Samba 4.16 the ability to process file name wildcards in requests
		using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
		SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
		command number 0x6) has been removed.
	  SMB1 protocol has been deprecated, particularly older dialects
		We take this opportunity to remind that we have deprecated and
		disabled by default, but not removed, the whole SMB1 protocol since
		Samba 4.11.  If needed for security purposes or code maintenance we
		will continue to remove older protocol commands and dialects that are
		unused or have been replaced in more modern SMB1 versions.
		We specifically deprecate the older dialects older than "NT LM 0.12"
		(also known as "NT LANMAN 1.0" and "NT1").
		Please note that "NT LM 0.12" is the dialect used by software as old
		as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
		to DOS and similar era clients.
		We do reassure that 'simple' operation of older clients than
		these (eg DOS) will, while untested, continue for the near future; our
		purpose is not to cripple use of Samba in unique situations, but to
		reduce the maintenance burden.
		Eventually SMB1 as a whole will be removed, but no broader change is
		announced for 4.16.
		In the rare case where the above changes cause incompatibilities,
		users requiring support for these features will need to use older
		versions of Samba.
	  No longer using Linux mandatory locks for sharemodes
		smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel
		was broken for a long time, and is planned to be removed with Linux 5.15. This
		Samba release removes the usage of mandatory locks for sharemodes and the
		"kernel share modes" config parameter is changed to default to "no". The Samba
		VFS interface is kept, so that file-system specific VFS modules can still use
		private calls for enforcing sharemodes.
	  smb.conf changes
		  Parameter Name                          Description     Default
		  --------------                          -----------     -------
		  kernel share modes                      New default     No
		  dns forwarder                           Changed
		  rpc_daemon                              Removed
		  rpc_server                              Removed
		  rpc start on demand helpers             Added           true

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/packages/x86_64/samba | 77 +++++++++++++-------------
 lfs/samba                              |  8 +--
 2 files changed, 42 insertions(+), 43 deletions(-)
  

Patch

diff --git a/config/rootfiles/packages/x86_64/samba b/config/rootfiles/packages/x86_64/samba
index fdbc3c283..8e355e873 100644
--- a/config/rootfiles/packages/x86_64/samba
+++ b/config/rootfiles/packages/x86_64/samba
@@ -159,9 +159,7 @@  usr/lib/libndr.so.2.0.0
 usr/lib/libnetapi.so
 usr/lib/libnetapi.so.1
 usr/lib/libnetapi.so.1.0.0
-usr/lib/libnss_winbind.so
 usr/lib/libnss_winbind.so.2
-usr/lib/libnss_wins.so
 usr/lib/libnss_wins.so.2
 usr/lib/libsamba-credentials.so
 usr/lib/libsamba-credentials.so.1
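Review bot: the unversioned usr/lib/libnss_winbind.so and usr/lib/libnss_wins.so entries are dropped here while the .so.2 files stay, and the commit message only says "Update of rootfile". Please state whether 4.16.0 simply no longer installs these names or whether they were removed by hand, so the next rootfile regeneration does not quietly reintroduce or lose them.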
@@ -283,7 +281,11 @@  usr/lib/python3.10/site-packages/samba/emulate/traffic_packets.py
 usr/lib/python3.10/site-packages/samba/forest_update.py
 usr/lib/python3.10/site-packages/samba/gensec.cpython-310-x86_64-linux-gnu.so
 usr/lib/python3.10/site-packages/samba/getopt.py
+usr/lib/python3.10/site-packages/samba/gp_cert_auto_enroll_ext.py
+usr/lib/python3.10/site-packages/samba/gp_chromium_ext.py
 usr/lib/python3.10/site-packages/samba/gp_ext_loader.py
+usr/lib/python3.10/site-packages/samba/gp_firefox_ext.py
+usr/lib/python3.10/site-packages/samba/gp_firewalld_ext.py
 usr/lib/python3.10/site-packages/samba/gp_gnome_settings_ext.py
 usr/lib/python3.10/site-packages/samba/gp_msgs_ext.py
 #usr/lib/python3.10/site-packages/samba/gp_parse
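Review bot: gp_cert_auto_enroll_ext.py is shipped uncommented, but the release notes quoted in the commit message say Certificate Auto Enrollment depends on certmonger, the cepces certmonger plugin and sscep, and the DEPS line in lfs/samba gains only perl-JSON. Either say in the commit message that this extension is not expected to work on IPFire, or comment the entry out as is done for the test files. The same question applies to gp_firewalld_ext.py, gp_chromium_ext.py and gp_firefox_ext.py: if the tools they configure are not part of the distribution, shipping the extensions only adds code that runs when "apply group policies" is enabled.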
@@ -494,6 +496,7 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/kdc_tgs_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
+#usr/lib/python3.10/site-packages/samba/tests/krb5/pac_align_tests.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/raw_testcase.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/rfc4120_constants.py
 #usr/lib/python3.10/site-packages/samba/tests/krb5/rfc4120_pyasn1.py
@@ -573,6 +576,7 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/help.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/join.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/join_lmdb_size.py
+#usr/lib/python3.10/site-packages/samba/tests/samba_tool/join_member.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/ntacl.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/ou.py
 #usr/lib/python3.10/site-packages/samba/tests/samba_tool/passwordsettings.py
@@ -605,6 +609,7 @@  usr/lib/python3.10/site-packages/samba/tdb_util.py
 #usr/lib/python3.10/site-packages/samba/tests/smbd_base.py
 #usr/lib/python3.10/site-packages/samba/tests/smbd_fuzztest.py
 #usr/lib/python3.10/site-packages/samba/tests/source.py
+#usr/lib/python3.10/site-packages/samba/tests/source_chars.py
 #usr/lib/python3.10/site-packages/samba/tests/strings.py
 #usr/lib/python3.10/site-packages/samba/tests/subunitrun.py
 #usr/lib/python3.10/site-packages/samba/tests/tdb_util.py
@@ -659,10 +664,12 @@  usr/lib/samba/libCHARSET3-samba4.so
 usr/lib/samba/libLIBWBCLIENT-OLD-samba4.so
 usr/lib/samba/libMESSAGING-SEND-samba4.so
 usr/lib/samba/libMESSAGING-samba4.so
+usr/lib/samba/libREG-FULL-samba4.so
+usr/lib/samba/libRPC-SERVER-LOOP-samba4.so
+usr/lib/samba/libRPC-WORKER-samba4.so
 usr/lib/samba/libaddns-samba4.so
 usr/lib/samba/libads-samba4.so
-usr/lib/samba/libasn1-samba4.so.8
-usr/lib/samba/libasn1-samba4.so.8.0.0
+usr/lib/samba/libasn1-samba4.so
 usr/lib/samba/libasn1util-samba4.so
 usr/lib/samba/libauth-samba4.so
 usr/lib/samba/libauth-unix-token-samba4.so
@@ -680,8 +687,7 @@  usr/lib/samba/libcluster-samba4.so
 usr/lib/samba/libcmdline-contexts-samba4.so
 usr/lib/samba/libcmdline-samba4.so
 usr/lib/samba/libcmocka-samba4.so
-usr/lib/samba/libcom_err-samba4.so.0
-usr/lib/samba/libcom_err-samba4.so.0.25
+usr/lib/samba/libcom-err-samba4.so
 usr/lib/samba/libcommon-auth-samba4.so
 usr/lib/samba/libdbwrap-samba4.so
 usr/lib/samba/libdcerpc-pkt-auth-samba4.so
@@ -696,33 +702,25 @@  usr/lib/samba/libgensec-samba4.so
 usr/lib/samba/libgpext-samba4.so
 usr/lib/samba/libgpo-samba4.so
 usr/lib/samba/libgse-samba4.so
-usr/lib/samba/libgssapi-samba4.so.2
-usr/lib/samba/libgssapi-samba4.so.2.0.0
-usr/lib/samba/libhcrypto-samba4.so.5
-usr/lib/samba/libhcrypto-samba4.so.5.0.1
-usr/lib/samba/libhdb-samba4.so.11
-usr/lib/samba/libhdb-samba4.so.11.0.2
-usr/lib/samba/libheimbase-samba4.so.1
-usr/lib/samba/libheimbase-samba4.so.1.0.0
-usr/lib/samba/libheimntlm-samba4.so.1
-usr/lib/samba/libheimntlm-samba4.so.1.0.1
+usr/lib/samba/libgss-preauth-samba4.so
+usr/lib/samba/libgssapi-samba4.so
+usr/lib/samba/libhcrypto-samba4.so
+usr/lib/samba/libhdb-samba4.so
+usr/lib/samba/libheimbase-samba4.so
+usr/lib/samba/libheimntlm-samba4.so
 usr/lib/samba/libhttp-samba4.so
-usr/lib/samba/libhx509-samba4.so.5
-usr/lib/samba/libhx509-samba4.so.5.0.0
+usr/lib/samba/libhx509-samba4.so
 usr/lib/samba/libidmap-samba4.so
 usr/lib/samba/libinterfaces-samba4.so
 usr/lib/samba/libiov-buf-samba4.so
-usr/lib/samba/libkdc-samba4.so.2
-usr/lib/samba/libkdc-samba4.so.2.0.0
-usr/lib/samba/libkrb5-samba4.so.26
-usr/lib/samba/libkrb5-samba4.so.26.0.0
+usr/lib/samba/libkdc-samba4.so
+usr/lib/samba/libkrb5-samba4.so
 usr/lib/samba/libkrb5samba-samba4.so
 usr/lib/samba/libldb-cmdline-samba4.so
 usr/lib/samba/libldb-key-value-samba4.so
+usr/lib/samba/libldb-samba4.so
 usr/lib/samba/libldb-tdb-err-map-samba4.so
 usr/lib/samba/libldb-tdb-int-samba4.so
-usr/lib/samba/libldb.so.2
-usr/lib/samba/libldb.so.2.4.1
 usr/lib/samba/libldbsamba-samba4.so
 usr/lib/samba/liblibcli-lsa3-samba4.so
 usr/lib/samba/liblibcli-netlogon3-samba4.so
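Review bot: the libldb.so.2 and libldb.so.2.4.1 removals near the end of this hunk, replaced by libldb-samba4.so, change the file name of the bundled ldb library, and the Heimdal libraries above it (libgssapi, libhcrypto, libhdb, libheimbase, libheimntlm, libhx509, libkdc, libkrb5) lose their version suffixes in the same way. Anything outside this package that was linked against the old names under usr/lib/samba will fail to load after the update, so please confirm nothing else is. Please also confirm that the old versioned files are deleted on upgrade rather than left next to the new ones, since the commit message describes them as a Heimdal snapshot from 2011 and stale copies of that code should not stay on disk.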
@@ -741,14 +739,11 @@  usr/lib/samba/libnss-info-samba4.so
 usr/lib/samba/libposix-eadb-samba4.so
 usr/lib/samba/libprinter-driver-samba4.so
 usr/lib/samba/libprinting-migrate-samba4.so
-usr/lib/samba/libpyldb-util.cpython-310-x86-64-linux-gnu.so.2
-usr/lib/samba/libpyldb-util.cpython-310-x86-64-linux-gnu.so.2.4.1
-usr/lib/samba/libpytalloc-util.cpython-310-x86-64-linux-gnu.so.2
-usr/lib/samba/libpytalloc-util.cpython-310-x86-64-linux-gnu.so.2.3.3
+usr/lib/samba/libpyldb-util.cpython-310-x86-64-linux-gnu-samba4.so
+usr/lib/samba/libpytalloc-util.cpython-310-x86-64-linux-gnu-samba4.so
 usr/lib/samba/libregistry-samba4.so
 usr/lib/samba/libreplace-samba4.so
-usr/lib/samba/libroken-samba4.so.19
-usr/lib/samba/libroken-samba4.so.19.0.1
+usr/lib/samba/libroken-samba4.so
 usr/lib/samba/libsamba-cluster-support-samba4.so
 usr/lib/samba/libsamba-debug-samba4.so
 usr/lib/samba/libsamba-modules-samba4.so
@@ -772,22 +767,17 @@  usr/lib/samba/libsocket-blocking-samba4.so
 usr/lib/samba/libsys-rw-samba4.so
 usr/lib/samba/libtalloc-report-printf-samba4.so
 usr/lib/samba/libtalloc-report-samba4.so
-usr/lib/samba/libtalloc.so.2
-usr/lib/samba/libtalloc.so.2.3.3
+usr/lib/samba/libtalloc-samba4.so
+usr/lib/samba/libtdb-samba4.so
 usr/lib/samba/libtdb-wrap-samba4.so
-usr/lib/samba/libtdb.so.1
-usr/lib/samba/libtdb.so.1.4.4
-usr/lib/samba/libtevent.so.0
-usr/lib/samba/libtevent.so.0.11.0
+usr/lib/samba/libtevent-samba4.so
 usr/lib/samba/libtime-basic-samba4.so
 usr/lib/samba/libtorture-samba4.so
 usr/lib/samba/libtrusts-util-samba4.so
 usr/lib/samba/libutil-reg-samba4.so
 usr/lib/samba/libutil-setid-samba4.so
 usr/lib/samba/libutil-tdb-samba4.so
-usr/lib/samba/libwinbind-client-samba4.so
-usr/lib/samba/libwind-samba4.so.0
-usr/lib/samba/libwind-samba4.so.0.0.0
+usr/lib/samba/libwind-samba4.so
 usr/lib/samba/libxattr-tdb-samba4.so
 usr/lib/samba/nss_info
 usr/lib/samba/nss_info/hash.so
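Review bot: usr/lib/samba/libwinbind-client-samba4.so is removed in this hunk with no replacement entry, while usr/lib/libnss_winbind.so.2 and usr/lib/security/pam_winbind.so are still in the rootfile. Please check with ldd on the built 4.16.0 files that neither of them, nor any other shipped binary, still references libwinbind-client-samba4.so, and mention the result in the commit message. The talloc, tdb and tevent renames to the -samba4.so names in the same hunk deserve the same check.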
@@ -838,7 +828,16 @@  usr/lib/samba/vfs/xattr_tdb.so
 usr/lib/security
 usr/lib/security/pam_winbind.so
 #usr/libexec/samba
+usr/libexec/samba/rpcd_classic
+usr/libexec/samba/rpcd_epmapper
+usr/libexec/samba/rpcd_fsrvp
+usr/libexec/samba/rpcd_lsad
+usr/libexec/samba/rpcd_mdssvc
+usr/libexec/samba/rpcd_rpcecho
+usr/libexec/samba/rpcd_spoolss
+usr/libexec/samba/rpcd_winreg
 usr/libexec/samba/samba-bgqd
+usr/libexec/samba/samba-dcerpcd
 usr/libexec/samba/smbspool_krb5_wrapper
 usr/sbin/eventlogadm
 usr/sbin/nmbd
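Review bot: the new rpcd_* helpers and samba-dcerpcd are added here, but the series diffstat shows only the rootfile and lfs/samba changing, so no smb.conf shipped by the distribution is touched. The release notes in the commit message list rpc_daemon and rpc_server as removed and "rpc start on demand helpers" as added with default true. Please confirm that the configuration IPFire generates does not set either removed parameter (a testparm run against it on 4.16.0 would show this) and that the on-demand default is what is wanted. If it is, say so in the commit message, because these helpers are started by smbd or winbind without any change to the init script.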
diff --git a/lfs/samba b/lfs/samba
index 84800c4dd..97fe96918 100644
--- a/lfs/samba
+++ b/lfs/samba
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 4.15.5
+VER        = 4.16.0
 SUMMARY    = A SMB/CIFS File, Print, and Authentication Server
 
 THISAPP    = samba-$(VER)
@@ -33,9 +33,9 @@  DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 83
+PAK_VER    = 84
 
-DEPS       = avahi cups libtirpc krb5 perl-Parse-Yapp
+DEPS       = avahi cups libtirpc krb5 perl-Parse-Yapp perl-JSON
 
 SERVICES   = samba
 
@@ -47,7 +47,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 355970b9918e95f925636cdea919e123b072f8710134fe6310637c29b2b5e1bc55d7b66d9674a68408ce5f14545a2cb9a94f596f90204935addb2f8f6a503873
+$(DL_FILE)_BLAKE2 = 6ea27634690d00779ec7f671e48b17246285c9576221d9b9b3f9238cd72310e8aaaeb646031212e65c239d2e959deef7bd9739932db0c716b7ea79cc11f2f7b8
 
 install : $(TARGET)
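Review bot: the $(DL_FILE)_BLAKE2 line is replaced with a new digest, but nothing in the commit message says how the 4.16.0 tarball was authenticated before that digest was computed. A BLAKE2 value in the tree only pins whatever file the submitter downloaded. Please note in the commit message that the tarball was checked against the upstream release signature, so that the pinned hash can be traced back to a verified source.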