Index: Makefile
===================================================================
RCS file: /cvs/ports/net/samba/Makefile,v
retrieving revision 1.227.2.1
diff -u -p -u -p -r1.227.2.1 Makefile
--- Makefile	23 Dec 2016 22:35:36 -0000	1.227.2.1
+++ Makefile	10 Feb 2017 01:34:44 -0000
@@ -1,6 +1,6 @@
 # $OpenBSD: Makefile,v 1.227.2.1 2016/12/23 22:35:36 jca Exp $
 
-VERSION =		4.4.5
+VERSION =		4.4.9
 DISTNAME =		samba-${VERSION}
 
 COMMENT-main =		SMB and CIFS client and server for UNIX
@@ -160,6 +160,7 @@ CONFIGURE_ARGS =	--enable-fhs \
 			--without-regedit \
 			--without-acl-support \
 			--without-libarchive \
+			--with-ntvfs-fileserver \
 			--disable-rpath
 
 # XXX Remember to remove --enable-developer, it prints passwords in logs.
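Review bot: The added `--with-ntvfs-fileserver \` line in CONFIGURE_ARGS has no comment explaining why a 4.4.5 to 4.4.9 update, on what looks like a stable branch (revision 1.227.2.1), also turns on the NTVFS file server build. The flag compiles in an additional file-server implementation, so the package ships more network-facing code than before, while the rest of the diff reads as a security roll-up that drops local CVE backports. I would put a line above the flag such as `# ntvfs file server needed for <reason, to be filled in by the committer>`, or move the flag into a separate commit so the security update can be reviewed on its own. The CONFIGURE_ARGS assignment starts outside this hunk, so the full option list is not visible here.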
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/samba/distinfo,v
retrieving revision 1.53
diff -u -p -u -p -r1.53 distinfo
--- distinfo	8 Jul 2016 18:39:50 -0000	1.53
+++ distinfo	10 Feb 2017 01:34:44 -0000
@@ -1,2 +1,2 @@
-SHA256 (samba-4.4.5.tar.gz) = uHbvLmP2YmVJDoChIuZu8tdhYRK4Od9o9WrC4c4Xp70=
-SIZE (samba-4.4.5.tar.gz) = 20715838
+SHA256 (samba-4.4.9.tar.gz) = EPdvoRMhOuUS20pIIzUReMk/tryV2Y0OvHLjp01DOG8=
+SIZE (samba-4.4.9.tar.gz) = 20750010
Index: patches/patch-auth_kerberos_kerberos_pac_c
===================================================================
RCS file: patches/patch-auth_kerberos_kerberos_pac_c
diff -N patches/patch-auth_kerberos_kerberos_pac_c
--- patches/patch-auth_kerberos_kerberos_pac_c	23 Dec 2016 22:35:36 -0000	1.1.2.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,50 +0,0 @@
-$OpenBSD: patch-auth_kerberos_kerberos_pac_c,v 1.1.2.1 2016/12/23 22:35:36 jca Exp $
-
-commit ce31a69a32d2bd6975006e428afe4584f6b7bc43
-Author: Stefan Metzmacher <metze@samba.org>
-Date:   Tue Nov 22 17:08:46 2016 +0100
-
-    CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
-
-    aes based checksums can only be checked with the
-    corresponding aes based keytype.
-
-    Otherwise we may trigger an undefined code path
-    deep in the kerberos libraries, which can leed to
-    segmentation faults.
-
-    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
-
-    Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
---- auth/kerberos/kerberos_pac.c.orig	Wed Dec 21 12:14:39 2016
-+++ auth/kerberos/kerberos_pac.c	Wed Dec 21 14:20:55 2016
-@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
- 	krb5_boolean checksum_valid = false;
- 	krb5_data input;
- 
-+	switch (sig->type) {
-+	case CKSUMTYPE_HMAC_MD5:
-+		/* ignores the key type */
-+		break;
-+	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
-+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
-+			return EINVAL;
-+		}
-+		/* ok */
-+		break;
-+	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
-+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
-+			return EINVAL;
-+		}
-+		/* ok */
-+		break;
-+	default:
-+		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
-+			(int)sig->type));
-+		return EINVAL;
-+	}
-+
- #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
- 	cksum.cksumtype	= (krb5_cksumtype)sig->type;
- 	cksum.checksum.length	= sig->signature.length;
Index: patches/patch-python_samba_netcmd_domain_py
===================================================================
RCS file: patches/patch-python_samba_netcmd_domain_py
diff -N patches/patch-python_samba_netcmd_domain_py
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-python_samba_netcmd_domain_py	10 Feb 2017 01:34:44 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- python/samba/netcmd/domain.py.orig	Fri Feb 10 12:21:49 2017
++++ python/samba/netcmd/domain.py	Fri Feb 10 12:22:10 2017
+@@ -455,7 +455,7 @@ class cmd_domain_provision(Command):
+                   backend_type=ldap_backend_type,
+                   ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls, slapd_path=slapd_path,
+                   useeadb=eadb, next_rid=next_rid, lp=lp, use_ntvfs=use_ntvfs,
+-                  use_rfc2307=use_rfc2307, skip_sysvolacl=False,
++                  use_rfc2307=use_rfc2307, skip_sysvolacl=True,
+                   ldap_backend_extra_port=ldap_backend_extra_port,
+                   ldap_backend_forced_uri=ldap_backend_forced_uri,
+                   nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
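Review bot: The new patch hard-codes `skip_sysvolacl=True` in the call inside `cmd_domain_provision`, and its only header is `$OpenBSD$`, so nothing records why the sysvol ACL step is skipped. With this value every provision presumably leaves sysvol without the ACLs Samba would otherwise set, so access to the files there depends on the directory's plain POSIX permissions. That is a security-relevant default an administrator should be told about. I would add a line under `$OpenBSD$` such as `Skip sysvol ACL setup at provision time; the port is configured --without-acl-support.` (if that is indeed the reason) and mention the consequence in the port's documentation. The call begins and the enclosing method ends outside the hunk, so how `use_ntvfs` is set cannot be checked from here.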
Index: patches/patch-source3_librpc_crypto_gse_c
===================================================================
RCS file: patches/patch-source3_librpc_crypto_gse_c
diff -N patches/patch-source3_librpc_crypto_gse_c
--- patches/patch-source3_librpc_crypto_gse_c	23 Dec 2016 22:35:36 -0000	1.1.2.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,28 +0,0 @@
-$OpenBSD: patch-source3_librpc_crypto_gse_c,v 1.1.2.1 2016/12/23 22:35:36 jca Exp $
-
-commit 07ef0f6ce0fb9d9735710ab79c2ee91d7a72a974
-Author: Stefan Metzmacher <metze@samba.org>
-Date:   Wed Nov 23 11:42:59 2016 +0100
-
-    CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
-
-    We should only use GSS_C_DELEG_POLICY_FLAG in order to let
-    the KDC decide if we should send delegated credentials to
-    a remote server.
-
-    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-    Signed-off-by: Stefan Metzmacher <metze@samba.org>
-    Reviewed-by: Alexander Bokovoy <ab@samba.org>
-    Reviewed-by: Simo Sorce <idra@samba.org>
-
---- source3/librpc/crypto/gse.c.orig	Wed Dec 21 12:14:43 2016
-+++ source3/librpc/crypto/gse.c	Wed Dec 21 14:20:55 2016
-@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
- 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
- 
- 	gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
--				GSS_C_DELEG_FLAG |
- 				GSS_C_DELEG_POLICY_FLAG |
- 				GSS_C_REPLAY_FLAG |
- 				GSS_C_SEQUENCE_FLAG;
Index: patches/patch-source4_auth_gensec_gensec_gssapi_c
===================================================================
RCS file: patches/patch-source4_auth_gensec_gensec_gssapi_c
diff -N patches/patch-source4_auth_gensec_gensec_gssapi_c
--- patches/patch-source4_auth_gensec_gensec_gssapi_c	23 Dec 2016 22:35:36 -0000	1.1.2.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,29 +0,0 @@
-$OpenBSD: patch-source4_auth_gensec_gensec_gssapi_c,v 1.1.2.1 2016/12/23 22:35:36 jca Exp $
-
-commit 58586ceae7fe628453e6bffdc463d4309ced15fb
-Author: Stefan Metzmacher <metze@samba.org>
-Date:   Wed Nov 23 11:44:22 2016 +0100
-
-    CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
-
-    This disabled the usage of GSS_C_DELEG_FLAG by default, as
-    GSS_C_DELEG_POLICY_FLAG is still used by default we let the
-    KDC decide if we should send delegated credentials to a remote server.
-
-    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-    Signed-off-by: Stefan Metzmacher <metze@samba.org>
-    Reviewed-by: Alexander Bokovoy <ab@samba.org>
-    Reviewed-by: Simo Sorce <idra@samba.org>
-
---- source4/auth/gensec/gensec_gssapi.c.orig	Wed Dec 21 12:14:45 2016
-+++ source4/auth/gensec/gensec_gssapi.c	Wed Dec 21 14:20:55 2016
-@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_secu
- 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
- 		gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
- 	}
--	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
-+	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
- 		gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
- 	}
- 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
Index: patches/patch-source4_scripting_bin_nsupdate-gss
===================================================================
RCS file: patches/patch-source4_scripting_bin_nsupdate-gss
diff -N patches/patch-source4_scripting_bin_nsupdate-gss
--- patches/patch-source4_scripting_bin_nsupdate-gss	23 Dec 2016 22:35:36 -0000	1.1.2.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,28 +0,0 @@
-$OpenBSD: patch-source4_scripting_bin_nsupdate-gss,v 1.1.2.1 2016/12/23 22:35:36 jca Exp $
-
-commit 0f1b36b7d5514f8d16c60ebcd5c59753113b4334
-Author: Stefan Metzmacher <metze@samba.org>
-Date:   Wed Nov 23 11:41:10 2016 +0100
-
-    CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
-
-    This is just an example script that's not directly used by samba,
-    but we should avoid sending delegated credentials to dns servers.
-
-    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-    Signed-off-by: Stefan Metzmacher <metze@samba.org>
-    Reviewed-by: Alexander Bokovoy <ab@samba.org>
-    Reviewed-by: Simo Sorce <idra@samba.org>
-
---- source4/scripting/bin/nsupdate-gss.orig	Wed Dec 21 12:14:47 2016
-+++ source4/scripting/bin/nsupdate-gss	Wed Dec 21 14:20:55 2016
-@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
-     my $flags = 
- 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
- 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
--	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
-+	GSS_C_INTEG_FLAG;
- 
- 
-     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
