* Wed Oct 15 2025 noel.power@suse.com
- Update to 4.22.5
* CVE-2025-10230: Command injection via WINS server hook
script (bso#15903); (bsc#1251280).
* CVE-2025-9640: uninitialized memory disclosure via
vfs_streams_xattr; (bso#15885); (bsc#1251279).
* Wed Oct 01 2025 scabrero@suse.de
- Relax samba-gpupdate requirement for cepces, certmonger, and sscep
to a recommends. They are only required if utilizing certificate
auto enrollment (bsc#1249087).
* Thu Sep 25 2025 noel.power@suse.com
- Disable timeouts for smb.service so that possibly slow running
ExecStartPre script 'update-samba-security-profile' doesn't
cause service start to fail due to timeouts; (bsc#1249181).
* Thu Sep 25 2025 noel.power@suse.com
- Ensure semanage is pulled in as a requirement when samba is
installed and selinux is the security access mechanism in use;
(bsc#1249180).
* Thu Sep 25 2025 noel.power@suse.com
- don't attempt to label paths that don't exist, also remove
unnecessary evaluation of semanage & restorecon cmds; (bsc#1249179).
* Thu Sep 25 2025 noel.power@suse.com
- Update to 4.22.4
* netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0; (bso#14981).
* getpwuid does not shift to new DC when current DC is down;
(bso#15844).
* Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName; (bso#15876).
* Unresponsive second DC can cause idmapping failure when using
idmap_ad; (bso#15881).
* kinit command is failing with Missing cache Error;
(bso#15840).
* Figuring out the DC name from IP address fails and breaks
fork_domain_child(); (bso#15891).
* vfs_streams_depot fstatat broken; (bso#15816).
* Delayed leader broadcast can block ctdb forever; (bso#15892).
* Apparently there is a conflict between shadow_copy2 module
and virusfilter (action quarantine); (bso#15663).
* Fix handling of empty GPO link; (bso#15877).
* SMB ACL inheritance doesn't work for files created;
(bso#15880).
* Fri Jul 25 2025 andreas.stieger@gmx.de
- adjust gpgme build dependency for future-proofing
Version: 4.22.3+git.401.c70158430cc-160000.2.2
* Tue Jul 08 2025 scabrero@suse.de
- Update to 4.22.3
* samba-tool cannot add user to group whose name is exactly 16
characters long; (bso#15854);
* Windows security hardening locks out schannel'ed netlogon dc
calls like netr_DsRGetDCName; (bsc#1246431); (bso#15876);
* Startup messages of rpc daemons fill /var/log/messages;
(bso#15869);
* Fri Jun 06 2025 nopower@suse.com
- Update to 4.22.2
* (CVE-2025-0620) [SECURITY] CVE-2025-0620: smbd doesn't pick
up group membership changes when re-authenticating an expired
SMB session; (bso#15707); (bsc#1244136).
* Profile sync fails due to Directory Leases; (bso#15861).
* net ad join fails with "Failed to join domain: failed to
create kerberos keytab"; (bso#15727).
* dcerpcd not able to bind to listening port; (bso#15851).
* vfs_ceph_snapshots fails to list snapshots for entries at any
level beyond share root; (bso#15819).
* CTDB does not put nodes running NFS into grace on graceful
shutdown; (bso#15858).
* Fri May 09 2025 nopower@suse.com
- Update and rename update-apparmor-samba-profile script to
update-samba-security-profile. It additionally now caters
for selinux (if selinux is used); (bsc#1241391);
* Wed Apr 30 2025 scabrero@suse.de
- Update smb.conf to enable SMB3 unix extensions
* Tue Apr 22 2025 nopower@suse.com
- Update to 4.22.1
* Running "gpo manage motd set" twice fails with backtrace;
(bso#15774).
* samba-tool gpo backup creates entity backups it can't read;
(bso#15829).
* gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with
prepended 0's; (bso#15839).
* Deadlock between two smbd processes; (bso#15767).
* Subnet based interfaces definition not listening on all
covered IP addresses; (bso#15823).
* PANIC: assert failed at source3/smbd/smb2_oplock.c(156):
sconn->oplocks.exclusive_open>=0; (bso#15836).
* net ad join fails with "Failed to join domain: failed to
create kerberos keytab"; (bso#15727).
* Enable support for cephfs case insensitive behavior;
(bso#15822).
* Remove of file or directory not possible with vfs_acl_tdb;
(bso#15791).
* Wide link issue in samba 4.22; (bso#15841).
* NT_STATUS_INVALID_PARAMETER: Can't create folders on share of
an exfat file system; (bso#15845).
* Lease code is not endian-safe; (bso#15849).
* vfs_ceph_new module does not work with other modules for
snapshot management; (bso#15818).
* vfs_ceph_new: Add path based fallback for SMB_VFS_FCHOWN,
SMB_VFS_FCHMOD and SMB_VFS_FNTIMES; (bso#15834).
* Add async io API from libcephfs to ceph_new VFS module;
(bso#15810).
* Wed Mar 12 2025 scabrero@suse.de
- Update to 4.22.0
* SMB3 Directory Leases are supported. By default, SMB3 Directory
Leases are enabled on non-clustered Samba and disabled on
clustered Samba, based on the "clustering" option.
* Netlogon Ping over LDAP and LDAPS
* Experimental Himmelblaud Authentication in Samba
* The "nmbd proxy logon" feature was removed.
* fruit:posix_rename option of the vfs_fruit VFS module that
could be used to enable POSIX directory rename behaviour for
OS X clients has been removed as it could result in severe
problems for Windows clients.
* Wed Feb 19 2025 scabrero@suse.de
- Remove nscd build dependency and usage in RPM scriptlets;
(bsc#1237296);
* Wed Feb 19 2025 nopower@suse.com
- Update to 4.21.4
* Increasing slowness of sharesec performance with high number
of registry shares; (bso#15780).
* winbindd shows memleak in kerberos_decode_pac; (bso#15782).
* Creation of GPOs applicable to more than one group is
impossible with Samba 4.20.0 and later; (bso#15738).
* Replace `crypt` module in
python/samba/netcmd/user/readpasswords/common.py;
(bso#15756).
* vfs_gpfs silently garbles timestamps > year 2106;
(bso#15151).
* Spotlight search results don't show file size and creation
date; (bso#15796).
* General improvements for vfs_ceph_new module; (bso#15703).
* net offlinejoin not working correctly; (bso#15777).
* net ads create/join/winbind producing unix dysfunctional
keytabs; (bso#15759).
* Windows Explorer crashes on S-1-22-* Unix-SIDs when accessing
security tab; (bso#14213).
* The values from hresult_errstr_const and hresult_errstr are
reversed in 4.20 and 4.21; (bso#15769).
* Kerberos referral tickets are generated for principals in our
domain if we have a trust to a top level domain; (bso#15778).
* NETLOGON_NTLMV2_ENABLED is missing in the SamLogon*
user_flags field; (bso#15783).
* Regression: stack-use-after-return in crypt_as_best_we_can();
(bso#15784).
* libreplace:readline: gcc 15 complains about incompatible
pointer types; (bso#15788).
* Tue Jan 07 2025 nopower@suse.com
- Update to 4.21.3
* More possible replication loops against Azure AD;
(bso#15701).
* Compound rename from Mac clients can fail with
NT_STATUS_INTERNAL_ERROR if the file has a lease;
(bso#15697).
* vfs crossrename seems not to work correctly; (bso#15724).
* After 'machine password timeout' /etc/krb5.keytab is not
updated; (bso#6750).
* Memory leak wbcCtxLookupSid; (bso#15771).
* Fix heap-use-after-free with association groups;
(bso#15765).
* Segfault in vfs_btrfs; (bso#15758).
* Avoid event failure race when disabling an event script;
(bso#15755).
* Fri Dec 06 2024 nopower@suse.com
- Update shipped /etc/samba/smb.conf to point to smb.conf
man page; (bsc#1233880).