initial package creation

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>

SOURCES/README.downgrade

@@ -0,0 +1,29 @@
+Downgrading Samba
+=================
+
+Short version: data-preserving downgrades between Samba versions are not supported
+
+Long version:
+With Samba development there are cases when on-disk database format evolves.
+In general, Samba Team attempts to maintain forward compatibility and
+automatically upgrade databases during runtime when requires.
+However, when downgrade is required Samba will not perform downgrade to
+existing databases. It may be impossible if new features that caused database
+upgrade are in use. Thus, one needs to consider a downgrade procedure before
+actually downgrading Samba setup.
+
+Please always perform back up prior both upgrading and downgrading across major
+version changes. Restoring database files is easiest and simplest way to get to
+previously working setup.
+
+Easiest way to downgrade is to remove all created databases and start from scratch.
+This means losing all authentication and domain relationship data, as well as
+user databases (in case of tdb storage), printers, registry settings, and winbindd
+caches.
+
+Remove databases in following locations:
+/var/lib/samba/*.tdb
+/var/lib/samba/private/*.tdb
+
+In particular, registry settings are known to prevent running downgraded versions
+(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.

SOURCES/pam_winbind.conf

@@ -0,0 +1,38 @@
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+
+[global]
+
+# turn on debugging
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+;cached_login = no
+
+# authenticate using kerberos
+;krb5_auth = no
+
+# when using kerberos, request a "FILE" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+;krb5_ccache_type =
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+
+# omit pam conversations
+;silent = no
+
+# create homedirectory on the fly
+;mkhomedir = no

SOURCES/samba-4-15-fix-autorid.patch

@@ -0,0 +1,231 @@
+From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 1 Feb 2022 10:06:30 +0100
+Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range
+
+What we want to avoid:
+
+$ ./bin/testparm -s | grep "idmap config"
+        idmap config * : rangesize = 10000
+        idmap config * : range = 10000-19999
+        idmap config * : backend = autorid
+
+$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
+S-1-5-32-544 SID_ALIAS (4)
+
+$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
+10000
+
+$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
+S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
+
+$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
+failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
+Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
+
+If only one range is configured we are either not able to map users/groups
+from our primary *and* the BUILTIN domain. We need at least two ranges to also
+cover the BUILTIN domain!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f)
+---
+ source3/winbindd/idmap_autorid.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
+index ad53b5810ee..c7d56a37684 100644
+--- a/source3/winbindd/idmap_autorid.c
++++ b/source3/winbindd/idmap_autorid.c
+@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
+ 	config->maxranges = (dom->high_id - dom->low_id + 1) /
+ 	    config->rangesize;
+ 
+-	if (config->maxranges == 0) {
+-		DEBUG(1, ("Allowed uid range is smaller than rangesize. "
+-			  "Increase uid range or decrease rangesize.\n"));
++	if (config->maxranges < 2) {
++		DBG_WARNING("Allowed idmap range is not a least double the "
++			    "size of the rangesize. Please increase idmap "
++			    "range.\n");
+ 		status = NT_STATUS_INVALID_PARAMETER;
+ 		goto error;
+ 	}
+-- 
+2.35.1
+
+
+From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 1 Feb 2022 10:07:50 +0100
+Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid
+
+What we want to avoid:
+
+$ ./bin/testparm -s | grep "idmap config"
+        idmap config * : rangesize = 10000
+        idmap config * : range = 10000-19999
+        idmap config * : backend = autorid
+
+$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
+S-1-5-32-544 SID_ALIAS (4)
+
+$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
+10000
+
+$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
+S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
+
+$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
+failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
+Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
+
+If only one range is configured we are either not able to map users/groups
+from our primary *and* the BUILTIN domain. We need at least two ranges to also
+cover the BUILTIN domain!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4)
+---
+ source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
+index 98bcc219b1e..58ba46bc15f 100644
+--- a/source3/utils/testparm.c
++++ b/source3/utils/testparm.c
+@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string,
+ 	return false; /* Keep scanning */
+ }
+ 
++static int idmap_config_int(const char *domname, const char *option, int def)
++{
++	int len = snprintf(NULL, 0, "idmap config %s", domname);
++
++	if (len == -1) {
++		return def;
++	}
++	{
++		char config_option[len+1];
++		snprintf(config_option, sizeof(config_option),
++			 "idmap config %s", domname);
++		return lp_parm_int(-1, config_option, option, def);
++	}
++}
++
+ static bool do_idmap_check(void)
+ {
+ 	struct idmap_domains *d;
+@@ -157,6 +172,42 @@ static bool do_idmap_check(void)
+ 			rc);
+ 	}
+ 
++	/* Check autorid backend */
++	if (strequal(lp_idmap_default_backend(), "autorid")) {
++		struct idmap_config *c = NULL;
++		bool found = false;
++
++		for (i = 0; i < d->count; i++) {
++			c = &d->c[i];
++
++			if (strequal(c->backend, "autorid")) {
++				found = true;
++				break;
++			}
++		}
++
++		if (found) {
++			uint32_t rangesize =
++				idmap_config_int("*", "rangesize", 100000);
++			uint32_t maxranges =
++				(c->high - c->low  + 1) / rangesize;
++
++			if (maxranges < 2) {
++				fprintf(stderr,
++					"ERROR: The idmap autorid range "
++					"[%u-%u] needs to be at least twice as "
++					"big as the rangesize [%u]!"
++					"\n\n",
++					c->low,
++					c->high,
++					rangesize);
++				ok = false;
++				goto done;
++			}
++		}
++	}
++
++	/* Check for overlapping idmap ranges */
+ 	for (i = 0; i < d->count; i++) {
+ 		struct idmap_config *c = &d->c[i];
+ 		uint32_t j;
+-- 
+2.35.1
+
+
+From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 1 Feb 2022 10:05:19 +0100
+Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation
+
+What we want to avoid:
+
+$ ./bin/testparm -s | grep "idmap config"
+        idmap config * : rangesize = 10000
+        idmap config * : range = 10000-19999
+        idmap config * : backend = autorid
+
+$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
+S-1-5-32-544 SID_ALIAS (4)
+
+$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
+10000
+
+$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
+S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
+
+$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
+failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
+Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
+
+If only one range is configured we are either not able to map users/groups
+from our primary *and* the BUILTIN domain. We need at least two ranges to also
+cover the BUILTIN domain!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de)
+---
+ docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml
+index 6c4da1cad8a..980718f0bd4 100644
+--- a/docs-xml/manpages/idmap_autorid.8.xml
++++ b/docs-xml/manpages/idmap_autorid.8.xml
+@@ -48,7 +48,13 @@
+ 			and the corresponding map is discarded.  It is
+ 			intended as a way to avoid accidental UID/GID
+ 			overlaps between local and remotely defined
+-			IDs.
++			IDs. Note that the range should be a multiple
++			of the rangesize and needs to be at least twice
++			as large in order to have sufficient id range
++			space for the mandatory BUILTIN domain.
++			With a default rangesize of 100000 the range
++			needs to span at least 200000.
++			This would be: range = 100000 - 299999.
+ 		</para></listitem>
+ 		</varlistentry>
+ 
+-- 
+2.35.1
+

SOURCES/samba-4-15-fix-create-local-krb5-conf.patch

@@ -0,0 +1,477 @@
+From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 15 Mar 2022 16:53:02 +0100
+Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ testprogs/blackbox/test_net_ads.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 76b394b10a9..cfafb945b62 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -51,6 +51,12 @@ fi
+ 
+ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
++workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf")
++testit "local krb5.conf created" \
++	test -r \
++	"${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" ||
++	failed=$((failed + 1))
++
+ testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+ 
+ netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+-- 
+2.35.1
+
+
+From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 15 Mar 2022 12:03:40 +0100
+Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/kerberos.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 75beeef4a44..60fe03fd5d7 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -1,4 +1,4 @@
+-/* 
++/*
+    Unix SMB/CIFS implementation.
+    kerberos utility library
+    Copyright (C) Andrew Tridgell 2001
+@@ -37,11 +37,11 @@
+ #define LIBADS_CCACHE_NAME "MEMORY:libads"
+ 
+ /*
+-  we use a prompter to avoid a crash bug in the kerberos libs when 
++  we use a prompter to avoid a crash bug in the kerberos libs when
+   dealing with empty passwords
+   this prompter is just a string copy ...
+ */
+-static krb5_error_code 
++static krb5_error_code
+ kerb_prompter(krb5_context ctx, void *data,
+ 	       const char *name,
+ 	       const char *banner,
+@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
+ 		krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
+ 	}
+ 
+-	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), 
++	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
+ 						 kerb_prompter, discard_const_p(char, password),
+ 						 0, NULL, opt))) {
+ 		goto out;
+@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name)
+ 	}
+ 
+ 	if ((code = krb5_cc_destroy (ctx, cc))) {
+-		DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", 
++		DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
+ 			error_message(code)));
+ 	}
+ 
+@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal,
+ 			    int time_offset,
+ 			    const char *cache_name)
+ {
+-	return kerberos_kinit_password_ext(principal, 
+-					   password, 
+-					   time_offset, 
+-					   0, 
++	return kerberos_kinit_password_ext(principal,
++					   password,
++					   time_offset,
++					   0,
+ 					   0,
+ 					   cache_name,
+ 					   False,
+-- 
+2.35.1
+
+
+From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 15 Mar 2022 12:04:34 +0100
+Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string()
+
+This avoids useless allocations.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/kerberos.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 60fe03fd5d7..1bf149ef09b 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 	struct netlogon_samlogon_response **responses = NULL;
+ 	NTSTATUS status;
+ 	bool ok;
+-	char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "",
+-					print_canonical_sockaddr_with_port(mem_ctx, pss));
++	char *kdc_str = NULL;
+ 
++	SMB_ASSERT(pss != NULL);
++
++	kdc_str = talloc_asprintf(mem_ctx,
++				  "\t\tkdc = %s\n",
++				  print_canonical_sockaddr_with_port(mem_ctx,
++								     pss));
+ 	if (kdc_str == NULL) {
+ 		TALLOC_FREE(frame);
+ 		return NULL;
+@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 		}
+ 	}
+ 
+-	dc_addrs2 = talloc_zero_array(talloc_tos(),
+-				      struct tsocket_address *,
+-				      num_dcs);
+-
+ 	DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
+ 	if (num_dcs == 0) {
+ 		TALLOC_FREE(kdc_str);
+ 		goto out;
+ 	}
++
++	dc_addrs2 = talloc_zero_array(talloc_tos(),
++				      struct tsocket_address *,
++				      num_dcs);
+ 	if (dc_addrs2 == NULL) {
+ 		TALLOC_FREE(kdc_str);
+ 		goto out;
+-- 
+2.35.1
+
+
+From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 15 Mar 2022 12:10:47 +0100
+Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/kerberos.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 1bf149ef09b..6a46d72a156 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 
+ 	result = kdc_str;
+ out:
+-	DBG_DEBUG("Returning\n%s\n", kdc_str);
++	if (result != NULL) {
++		DBG_DEBUG("Returning\n%s\n", kdc_str);
++	} else {
++		DBG_NOTICE("Failed to get KDC ip address\n");
++	}
+ 
+ 	TALLOC_FREE(ip_sa_site);
+ 	TALLOC_FREE(ip_sa_nonsite);
+-- 
+2.35.1
+
+
+From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 15 Mar 2022 12:48:23 +0100
+Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in
+ get_kdc_ip_string()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/kerberos.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 6a46d72a156..d1c410ffa4b 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 		}
+ 
+ 		/* Append to the string - inefficient but not done often. */
+-		new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n",
+-					      kdc_str,
+-					      print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
+-		TALLOC_FREE(kdc_str);
++		new_kdc_str = talloc_asprintf_append(
++				kdc_str,
++				"\t\tkdc = %s\n",
++				print_canonical_sockaddr_with_port(
++					mem_ctx, &dc_addrs[i]));
+ 		if (new_kdc_str == NULL) {
+ 			goto out;
+ 		}
+-- 
+2.35.1
+
+
+From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 15 Mar 2022 12:56:58 +0100
+Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/kerberos.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index d1c410ffa4b..aadc65a3edc 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -438,7 +438,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 
+ 	SMB_ASSERT(pss != NULL);
+ 
+-	kdc_str = talloc_asprintf(mem_ctx,
++	kdc_str = talloc_asprintf(frame,
+ 				  "\t\tkdc = %s\n",
+ 				  print_canonical_sockaddr_with_port(mem_ctx,
+ 								     pss));
+@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 	 */
+ 
+ 	if (sitename) {
+-		status = get_kdc_list(talloc_tos(),
++		status = get_kdc_list(frame,
+ 					realm,
+ 					sitename,
+ 					&ip_sa_site,
+@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 
+ 	/* Get all KDC's. */
+ 
+-	status = get_kdc_list(talloc_tos(),
++	status = get_kdc_list(frame,
+ 					realm,
+ 					NULL,
+ 					&ip_sa_nonsite,
+@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 		kdc_str = new_kdc_str;
+ 	}
+ 
+-	result = kdc_str;
++	result = talloc_move(mem_ctx, &kdc_str);
+ out:
+ 	if (result != NULL) {
+ 		DBG_DEBUG("Returning\n%s\n", kdc_str);
+@@ -597,8 +597,6 @@ out:
+ 		DBG_NOTICE("Failed to get KDC ip address\n");
+ 	}
+ 
+-	TALLOC_FREE(ip_sa_site);
+-	TALLOC_FREE(ip_sa_nonsite);
+ 	TALLOC_FREE(frame);
+ 	return result;
+ }
+-- 
+2.35.1
+
+
+From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 15 Mar 2022 12:57:18 +0100
+Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str
+
+This is allocated on the stackframe now!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/kerberos.c | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index aadc65a3edc..2087dc1e6f9 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 				  print_canonical_sockaddr_with_port(mem_ctx,
+ 								     pss));
+ 	if (kdc_str == NULL) {
+-		TALLOC_FREE(frame);
+-		return NULL;
++		goto out;
+ 	}
+ 
+ 	ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
+ 	if (!ok) {
+-		TALLOC_FREE(kdc_str);
+ 		goto out;
+ 	}
+ 
+@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 		if (!NT_STATUS_IS_OK(status)) {
+ 			DBG_ERR("get_kdc_list fail %s\n",
+ 				nt_errstr(status));
+-			TALLOC_FREE(kdc_str);
+ 			goto out;
+ 		}
+ 		DBG_DEBUG("got %zu addresses from site %s search\n",
+@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DBG_ERR("get_kdc_list (site-less) fail %s\n",
+ 			nt_errstr(status));
+-		TALLOC_FREE(kdc_str);
+ 		goto out;
+ 	}
+ 	DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite);
+@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 	if (count_site + count_nonsite < count_site) {
+ 		/* Wrap check. */
+ 		DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n");
+-		TALLOC_FREE(kdc_str);
+ 		goto out;
+ 	}
+ 
+@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 	dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage,
+ 				count_site + count_nonsite);
+ 	if (dc_addrs == NULL) {
+-		TALLOC_FREE(kdc_str);
+ 		goto out;
+ 	}
+ 
+@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 
+ 	DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
+ 	if (num_dcs == 0) {
+-		TALLOC_FREE(kdc_str);
+ 		goto out;
+ 	}
+ 
+@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 				      struct tsocket_address *,
+ 				      num_dcs);
+ 	if (dc_addrs2 == NULL) {
+-		TALLOC_FREE(kdc_str);
+ 		goto out;
+ 	}
+ 
+@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 			status = map_nt_error_from_unix(errno);
+ 			DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
+ 				 addr, nt_errstr(status)));
+-			TALLOC_FREE(kdc_str);
+ 			goto out;
+ 		}
+ 	}
+@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
+ 			  "%s\n", nt_errstr(status)));
+-		TALLOC_FREE(kdc_str);
+ 		goto out;
+ 	}
+ 
+-- 
+2.35.1
+
+
+From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 15 Mar 2022 13:02:05 +0100
+Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for
+ NULL in get_kdc_ip_string()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/kerberos.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 2087dc1e6f9..20dceeefb22 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 	NTSTATUS status;
+ 	bool ok;
+ 	char *kdc_str = NULL;
++	char *canon_sockaddr = NULL;
+ 
+ 	SMB_ASSERT(pss != NULL);
+ 
++	canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
++	if (canon_sockaddr == NULL) {
++		goto out;
++	}
++
+ 	kdc_str = talloc_asprintf(frame,
+ 				  "\t\tkdc = %s\n",
+-				  print_canonical_sockaddr_with_port(mem_ctx,
+-								     pss));
++				  canon_sockaddr);
+ 	if (kdc_str == NULL) {
+ 		goto out;
+ 	}
+-- 
+2.35.1
+
+
+From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 15 Mar 2022 13:10:06 +0100
+Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf
+
+We create an KDC ip string entry directly at the beginning, use it if we
+don't have any additional DCs.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/kerberos.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 20dceeefb22..3fd86e87064 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
+ 
+ 	DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
+ 	if (num_dcs == 0) {
++		/*
++		 * We do not have additional KDCs, but we have the one passed
++		 * in via `pss`. So just use that one and leave.
++		 */
++		result = talloc_move(mem_ctx, &kdc_str);
+ 		goto out;
+ 	}
+ 
+-- 
+2.35.1
+

SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch

@@ -0,0 +1,411 @@
+From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 12:59:44 +0100
+Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error
+ path
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)
+---
+ source3/libads/authdata.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
+index dd21d895fc2..c048510d480 100644
+--- a/source3/libads/authdata.c
++++ b/source3/libads/authdata.c
+@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ {
+ 	krb5_error_code ret;
+ 	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
+-	DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
++	DATA_BLOB tkt = data_blob_null;
++	DATA_BLOB tkt_wrapped = data_blob_null;
++	DATA_BLOB ap_rep = data_blob_null;
++	DATA_BLOB sesskey1 = data_blob_null;
+ 	const char *auth_princ = NULL;
+ 	const char *cc = "MEMORY:kerberos_return_pac";
+ 	struct auth_session_info *session_info;
+@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ 	ZERO_STRUCT(sesskey1);
+ 
+ 	if (!name || !pass) {
+-		return NT_STATUS_INVALID_PARAMETER;
++		status = NT_STATUS_INVALID_PARAMETER;
++		goto out;
+ 	}
+ 
+ 	if (cache_name) {
+@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ 
+ 	if (expire_time && renew_till_time &&
+ 	    (*expire_time == 0) && (*renew_till_time == 0)) {
+-		return NT_STATUS_INVALID_LOGON_TYPE;
++		status = NT_STATUS_INVALID_LOGON_TYPE;
++		goto out;
+ 	}
+ 
+ 	ret = ads_krb5_cli_get_ticket(mem_ctx,
+-- 
+2.35.1
+
+
+From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 13:00:05 +0100
+Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug
+ macro
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)
+---
+ lib/krb5_wrap/krb5_samba.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index fff5b4e2a22..42d4b950f80 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
+ 		goto done;
+ 	}
+ 
+-	DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
++	DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
+ 
+ 	/* FIXME: we should not fall back to defaults */
+ 	ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
+-- 
+2.35.1
+
+
+From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 14:28:28 +0100
+Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer
+ debug macro
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)
+---
+ lib/krb5_wrap/krb5_samba.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 42d4b950f80..76c2dcd2126 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
+ 
+ 	ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
+ 	if (ret) {
+-		DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
++		DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
++			  "for client '%s' and service '%s' failed: %s\n",
++			  ccache_string, client_string, service_string,
++			  error_message(ret));
+ 		goto done;
+ 	}
+ 
+-- 
+2.35.1
+
+
+From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 13:08:56 +0100
+Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from
+ kerberos_return_pac()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
+---
+ source3/libads/authdata.c       | 22 +++++++++++++++++++++-
+ source3/libads/kerberos_proto.h |  2 ++
+ source3/utils/net_ads.c         |  2 ++
+ source3/winbindd/winbindd_pam.c |  2 ++
+ 4 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
+index c048510d480..bf9a2335445 100644
+--- a/source3/libads/authdata.c
++++ b/source3/libads/authdata.c
+@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ 			     time_t renewable_time,
+ 			     const char *impersonate_princ_s,
+ 			     const char *local_service,
++			     char **_canon_principal,
++			     char **_canon_realm,
+ 			     struct PAC_DATA_CTR **_pac_data_ctr)
+ {
+ 	krb5_error_code ret;
+@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ 	struct auth4_context *auth_context;
+ 	struct loadparm_context *lp_ctx;
+ 	struct PAC_DATA_CTR *pac_data_ctr = NULL;
++	char *canon_principal = NULL;
++	char *canon_realm = NULL;
+ 
+ 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
+@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ 		goto out;
+ 	}
+ 
++	if (_canon_principal != NULL) {
++		*_canon_principal = NULL;
++	}
++
++	if (_canon_realm != NULL) {
++		*_canon_realm = NULL;
++	}
++
+ 	if (cache_name) {
+ 		cc = cache_name;
+ 	}
+@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ 					  request_pac,
+ 					  add_netbios_addr,
+ 					  renewable_time,
+-					  NULL, NULL, NULL,
++					  tmp_ctx,
++					  &canon_principal,
++					  &canon_realm,
+ 					  &status);
+ 	if (ret) {
+ 		DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
+@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ 	}
+ 
+ 	*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
++	if (_canon_principal != NULL) {
++		*_canon_principal = talloc_move(mem_ctx, &canon_principal);
++	}
++	if (_canon_realm != NULL) {
++		*_canon_realm = talloc_move(mem_ctx, &canon_realm);
++	}
+ 
+ out:
+ 	talloc_free(tmp_ctx);
+diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
+index 3d7b5bc074b..807381248c8 100644
+--- a/source3/libads/kerberos_proto.h
++++ b/source3/libads/kerberos_proto.h
+@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ 			     time_t renewable_time,
+ 			     const char *impersonate_princ_s,
+ 			     const char *local_service,
++			     char **_canon_principal,
++			     char **_canon_realm,
+ 			     struct PAC_DATA_CTR **pac_data_ctr);
+ 
+ /* The following definitions come from libads/krb5_setpw.c  */
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index 8f993f9ba4c..c41fb0afe9c 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
+ 				     2592000, /* one month */
+ 				     impersonate_princ_s,
+ 				     local_service,
++				     NULL,
++				     NULL,
+ 				     pac_data_ctr);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		d_printf(_("failed to query kerberos PAC: %s\n"),
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 7606bfb4ecd..025a5cbc111 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ 				     NULL,
+ 				     local_service,
++				     NULL,
++				     NULL,
+ 				     &pac_data_ctr);
+ 	if (user_ccache_file != NULL) {
+ 		gain_root_privilege();
+-- 
+2.35.1
+
+
+From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 13:19:02 +0100
+Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache
+ entry
+
+They will be used later to refresh the tickets.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
+---
+ source3/winbindd/winbindd.h            |  2 ++
+ source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++-
+ source3/winbindd/winbindd_pam.c        | 14 ++++++++++----
+ source3/winbindd/winbindd_proto.h      |  4 +++-
+ 4 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
+index a6b2238cec1..dac4a1fa927 100644
+--- a/source3/winbindd/winbindd.h
++++ b/source3/winbindd/winbindd.h
+@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
+ 	const char *service;
+ 	const char *username;
+ 	const char *realm;
++	const char *canon_principal;
++	const char *canon_realm;
+ 	struct WINBINDD_MEMORY_CREDS *cred_ptr;
+ 	int ref_count;
+ 	uid_t uid;
+diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
+index c3077e21989..88847b1ab97 100644
+--- a/source3/winbindd/winbindd_cred_cache.c
++++ b/source3/winbindd/winbindd_cred_cache.c
+@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
+ 			    time_t create_time,
+ 			    time_t ticket_end,
+ 			    time_t renew_until,
+-			    bool postponed_request)
++			    bool postponed_request,
++			    const char *canon_principal,
++			    const char *canon_realm)
+ {
+ 	struct WINBINDD_CCACHE_ENTRY *entry = NULL;
+ 	struct timeval t;
+@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
+ 			goto no_mem;
+ 		}
+ 	}
++	if (canon_principal != NULL) {
++		entry->canon_principal = talloc_strdup(entry, canon_principal);
++		if (entry->canon_principal == NULL) {
++			goto no_mem;
++		}
++	}
++	if (canon_realm != NULL) {
++		entry->canon_realm = talloc_strdup(entry, canon_realm);
++		if (entry->canon_realm == NULL) {
++			goto no_mem;
++		}
++	}
+ 
+ 	entry->ccname = talloc_strdup(entry, ccname);
+ 	if (!entry->ccname) {
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 025a5cbc111..a24cef78440 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ 	const char *local_service;
+ 	uint32_t i;
+ 	struct netr_SamInfo6 *info6_copy = NULL;
++	char *canon_principal = NULL;
++	char *canon_realm = NULL;
+ 	bool ok;
+ 
+ 	*info6 = NULL;
+@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ 				     NULL,
+ 				     local_service,
+-				     NULL,
+-				     NULL,
++				     &canon_principal,
++				     &canon_realm,
+ 				     &pac_data_ctr);
+ 	if (user_ccache_file != NULL) {
+ 		gain_root_privilege();
+@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ 					    time(NULL),
+ 					    ticket_lifetime,
+ 					    renewal_until,
+-					    false);
++					    false,
++					    canon_principal,
++					    canon_realm);
+ 
+ 		if (!NT_STATUS_IS_OK(result)) {
+ 			DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
+@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
+ 							    time(NULL),
+ 							    time(NULL) + lp_winbind_cache_time(),
+ 							    time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+-							    true);
++							    true,
++							    principal_s,
++							    realm);
+ 
+ 				if (!NT_STATUS_IS_OK(result)) {
+ 					DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
+diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
+index c0d653a6d77..16c23f3de40 100644
+--- a/source3/winbindd/winbindd_proto.h
++++ b/source3/winbindd/winbindd_proto.h
+@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
+ 			    time_t create_time,
+ 			    time_t ticket_end,
+ 			    time_t renew_until,
+-			    bool postponed_request);
++			    bool postponed_request,
++			    const char *canon_principal,
++			    const char *canon_realm);
+ NTSTATUS remove_ccache(const char *username);
+ struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
+ NTSTATUS winbindd_add_memory_creds(const char *username,
+-- 
+2.35.1
+
+
+From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 14:28:44 +0100
+Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the
+ credentials
+
+The principal name stored in the winbindd ccache entry might be an
+enterprise principal name if enterprise principals are enabled. Use
+the canonical name to renew the credentials.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
+---
+ source3/winbindd/winbindd_cred_cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
+index 88847b1ab97..6c65db6a73f 100644
+--- a/source3/winbindd/winbindd_cred_cache.c
++++ b/source3/winbindd/winbindd_cred_cache.c
+@@ -209,7 +209,7 @@ rekinit:
+ 	set_effective_uid(entry->uid);
+ 
+ 	ret = smb_krb5_renew_ticket(entry->ccname,
+-				    entry->principal_name,
++				    entry->canon_principal,
+ 				    entry->service,
+ 				    &new_start);
+ #if defined(DEBUG_KRB5_TKT_RENEWAL)
+-- 
+2.35.1
+

SOURCES/samba-ctdb-etcd-reclock.patch

@@ -0,0 +1,30 @@
+From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
+From: Martin Schwenke <martin@meltin.net>
+Date: Tue, 27 Apr 2021 15:46:14 +1000
+Subject: [PATCH] utils: Use Python 3
+
+Due to the number of flake8 and pylint warnings it is unclear if the
+source has Python 3 incompatibilities.  These will be cleaned up in
+subsequent commits.
+
+Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
+Reviewed-by: Martin Schwenke <martin@meltin.net>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
+---
+ ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
+index 000c6bb7208..7f5194eff0a 100755
+--- a/ctdb/utils/etcd/ctdb_etcd_lock
++++ b/ctdb/utils/etcd/ctdb_etcd_lock
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python
++#!/usr/bin/env python3
+ #
+ #    This program is free software: you can redistribute it and/or modify
+ #    it under the terms of the GNU General Public License as published by
+-- 
+2.31.1
+

SOURCES/samba-disable-ntlmssp.patch

@@ -0,0 +1,764 @@
+From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 10 Dec 2021 16:08:04 +0100
+Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
+---
+ source3/utils/net_ads.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index 6ab4a0096b1..8f993f9ba4c 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
+ 	char *cp;
+ 	const char *realm = NULL;
+ 	bool tried_closest_dc = false;
++	enum credentials_use_kerberos krb5_state =
++		CRED_USE_KERBEROS_DISABLED;
+ 
+ 	/* lp_realm() should be handled by a command line param,
+ 	   However, the join requires that realm be set in smb.conf
+@@ -650,10 +652,28 @@ retry:
+ 		ads->auth.password = smb_xstrdup(c->opt_password);
+ 	}
+ 
+-	ads->auth.flags |= auth_flags;
+ 	SAFE_FREE(ads->auth.user_name);
+ 	ads->auth.user_name = smb_xstrdup(c->opt_user_name);
+ 
++	ads->auth.flags |= auth_flags;
++
++	/* The ADS code will handle FIPS mode */
++	krb5_state = cli_credentials_get_kerberos_state(c->creds);
++	switch (krb5_state) {
++	case CRED_USE_KERBEROS_REQUIRED:
++		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DESIRED:
++		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DISABLED:
++		ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	}
++
+        /*
+         * If the username is of the form "name@realm",
+         * extract the realm and convert to upper case.
+-- 
+2.33.1
+
+
+From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Wed, 8 Dec 2021 16:05:17 +0100
+Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
+---
+ source3/libads/sasl.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 60fa2bf80cb..b91e2d15bcf 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -1,18 +1,18 @@
+-/* 
++/*
+    Unix SMB/CIFS implementation.
+    ads sasl code
+    Copyright (C) Andrew Tridgell 2001
+-   
++
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+-   
++
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+-   
++
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
+ 	.disconnect	= ads_sasl_gensec_disconnect
+ };
+ 
+-/* 
++/*
+    perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
+    we fit on one socket??)
+ */
+@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
+ 
+ #endif /* HAVE_KRB5 */
+ 
+-/* 
++/*
+    this performs a SASL/SPNEGO bind
+ */
+ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 	file_save("sasl_spnego.dat", blob.data, blob.length);
+ #endif
+ 
+-	/* the server sent us the first part of the SPNEGO exchange in the negprot 
++	/* the server sent us the first part of the SPNEGO exchange in the negprot
+ 	   reply */
+ 	if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
+ 			OIDs[0] == NULL) {
+@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 
+ #ifdef HAVE_KRB5
+ 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
+-	    got_kerberos_mechanism) 
++	    got_kerberos_mechanism)
+ 	{
+ 		mech = "KRB5";
+ 
+@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 				  "calling kinit\n", ads_errstr(status)));
+ 		}
+ 
+-		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
++		status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+ 
+ 		if (ADS_ERR_OK(status)) {
+ 			status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 		}
+ 
+ 		/* only fallback to NTLMSSP if allowed */
+-		if (ADS_ERR_OK(status) || 
++		if (ADS_ERR_OK(status) ||
+ 		    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ 			goto done;
+ 		}
+@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ #endif
+ 
+ 	/* lets do NTLMSSP ... this has the big advantage that we don't need
+-	   to sync clocks, and we don't rely on special versions of the krb5 
++	   to sync clocks, and we don't rely on special versions of the krb5
+ 	   library for HMAC_MD4 encryption */
+ 	mech = "NTLMSSP";
+ 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+-- 
+2.33.1
+
+
+From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Thu, 9 Dec 2021 13:43:08 +0100
+Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
+---
+ source3/libads/sasl.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index b91e2d15bcf..992f7022a69 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 
+ 		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
+ 			 "for %s/%s with user[%s] realm[%s]: %s, "
+-			 "fallback to NTLMSSP\n",
++			 "try to fallback to NTLMSSP\n",
+ 			 p.service, p.hostname,
+ 			 ads->auth.user_name,
+ 			 ads->auth.realm,
+@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 	   to sync clocks, and we don't rely on special versions of the krb5
+ 	   library for HMAC_MD4 encryption */
+ 	mech = "NTLMSSP";
++
++	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
++		DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
++			    " disallowed.\n");
++		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++		goto done;
++	}
++
+ 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+ 					     CRED_USE_KERBEROS_DISABLED,
+ 					     p.service, p.hostname,
+-- 
+2.33.1
+
+
+From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 7 Jan 2022 10:31:19 +0100
+Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
+---
+ source3/libads/sasl.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 992f7022a69..ea98aa47ecd 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 							p.service, p.hostname,
+ 							blob);
+ 			if (!ADS_ERR_OK(status)) {
+-				DEBUG(0,("kinit succeeded but "
+-					"ads_sasl_spnego_gensec_bind(KRB5) failed "
+-					"for %s/%s with user[%s] realm[%s]: %s\n",
++				DBG_ERR("kinit succeeded but "
++					"SPNEGO bind with Kerberos failed "
++					"for %s/%s - user[%s], realm[%s]: %s\n",
+ 					p.service, p.hostname,
+ 					ads->auth.user_name,
+ 					ads->auth.realm,
+-					ads_errstr(status)));
++					ads_errstr(status));
+ 			}
+ 		}
+ 
+@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 			goto done;
+ 		}
+ 
+-		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
+-			 "for %s/%s with user[%s] realm[%s]: %s, "
+-			 "try to fallback to NTLMSSP\n",
+-			 p.service, p.hostname,
+-			 ads->auth.user_name,
+-			 ads->auth.realm,
+-			 ads_errstr(status)));
++		DBG_WARNING("SASL bind with Kerberos failed "
++			    "for %s/%s - user[%s], realm[%s]: %s, "
++			    "try to fallback to NTLMSSP\n",
++			    p.service, p.hostname,
++			    ads->auth.user_name,
++			    ads->auth.realm,
++			    ads_errstr(status));
+ 	}
+ #endif
+ 
+-- 
+2.33.1
+
+
+From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Mon, 3 Jan 2022 11:13:06 +0100
+Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
+ without kerberos)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
+---
+ source3/libads/sasl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index ea98aa47ecd..1bcfe0490a8 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 	   library for HMAC_MD4 encryption */
+ 	mech = "NTLMSSP";
+ 
++	if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
++		DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
++		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++		goto done;
++	}
++
+ 	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ 		DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ 			    " disallowed.\n");
+-- 
+2.33.1
+
+
+From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Mon, 3 Jan 2022 15:33:46 +0100
+Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
+---
+ .../test_weak_disable_ntlmssp_ldap.sh         | 41 +++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+ create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
+
+diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
+new file mode 100755
+index 00000000000..2822ab29d14
+--- /dev/null
++++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
+@@ -0,0 +1,41 @@
++#!/bin/sh
++# Blackbox tests for diabing NTLMSSP for ldap clinet connections
++# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
++
++if [ $# -lt 2 ]; then
++cat <<EOF
++Usage: $0 USERNAME PASSWORD
++EOF
++exit 1;
++fi
++
++USERNAME=$1
++PASSWORD=$2
++shift 2
++
++failed=0
++. `dirname $0`/subunit.sh
++
++samba_testparm="$BINDIR/testparm"
++samba_net="$BINDIR/net"
++
++unset GNUTLS_FORCE_FIPS_MODE
++
++# Checks that testparm reports: Weak crypto is allowed
++testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
++
++# We should be allowed to use NTLM for connecting
++testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
++
++GNUTLS_FORCE_FIPS_MODE=1
++export GNUTLS_FORCE_FIPS_MODE
++
++# Checks that testparm reports: Weak crypto is disallowed
++testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
++
++# We should not be allowed to use NTLM for connecting
++testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
++
++unset GNUTLS_FORCE_FIPS_MODE
++
++exit $failed
+-- 
+2.33.1
+
+
+From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 4 Jan 2022 12:00:20 +0100
+Subject: [PATCH 07/10] s4:selftest: plan test suite
+ samba4.blackbox.test_weak_disable_ntlmssp_ldap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
+---
+ source4/selftest/tests.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index 1e4b2ae6dd3..3a6a716f061 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
+ 
+ if have_gnutls_fips_mode_support:
+     plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
++    plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
+ 
+     for env in ["ad_dc_fips", "ad_member_fips"]:
+         plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
+-- 
+2.33.1
+
+
+From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 18 Jan 2022 19:47:38 +0100
+Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
+---
+ source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 948c903f165..e415df347e6 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ 
+ 	if ( !winbindd_can_contact_domain( domain ) ) {
+ 		DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
+-			  domain->name));		
++			  domain->name));
+ 		return NT_STATUS_OK;
+ 	}
+ 
+@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ 
+ 	if ( !winbindd_can_contact_domain( domain ) ) {
+ 		DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
+-			  domain->name));		
++			  domain->name));
+ 		return NT_STATUS_OK;
+ 	}
+ 
+@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ 	 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
+ 	 * default value, it MUST be absent. In case of extensible matching the
+ 	 * "dnattr" boolean defaults to FALSE and so it must be only be present
+-	 * when set to TRUE. 
++	 * when set to TRUE.
+ 	 *
+ 	 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
+ 	 * filter using bitwise matching rule then the buggy AD fails to decode
+@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ 	 *
+ 	 * Thanks to Ralf Haferkamp for input and testing - Guenther */
+ 
+-	filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", 
++	filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
+ 				 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
+-				 ADS_LDAP_MATCHING_RULE_BIT_AND, 
++				 ADS_LDAP_MATCHING_RULE_BIT_AND,
+ 				 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
+ 
+ 	if (filter == NULL) {
+@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ 	DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
+ 
+ done:
+-	if (res) 
++	if (res)
+ 		ads_msgfree(ads, res);
+ 
+ 	return status;
+@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ 				struct wb_acct_info **info)
+ {
+ 	/*
+-	 * This is a stub function only as we returned the domain 
++	 * This is a stub function only as we returned the domain
+ 	 * local groups in enum_dom_groups() if the domain->native field
+ 	 * was true.  This is a simple performance optimization when
+ 	 * using LDAP.
+ 	 *
+-	 * if we ever need to enumerate domain local groups separately, 
++	 * if we ever need to enumerate domain local groups separately,
+ 	 * then this optimization in enum_dom_groups() will need
+ 	 * to be split out
+ 	 */
+@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
+    tokenGroups are not available. */
+ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+ 					 TALLOC_CTX *mem_ctx,
+-					 const char *user_dn, 
++					 const char *user_dn,
+ 					 struct dom_sid *primary_group,
+ 					 uint32_t *p_num_groups, struct dom_sid **user_sids)
+ {
+@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+ 
+ 	if ( !winbindd_can_contact_domain( domain ) ) {
+ 		DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
+-			  domain->name));		
++			  domain->name));
+ 		return NT_STATUS_OK;
+ 	}
+ 
+@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+ 
+ 	DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
+ done:
+-	if (res) 
++	if (res)
+ 		ads_msgfree(ads, res);
+ 
+ 	return status;
+@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ 	if (count != 1) {
+ 		status = NT_STATUS_UNSUCCESSFUL;
+ 		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
+-			 "invalid number of results (count=%d)\n", 
++			 "invalid number of results (count=%d)\n",
+ 			 dom_sid_str_buf(sid, &buf),
+ 			 count));
+ 		goto done;
+ 	}
+ 
+ 	if (!msg) {
+-		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", 
++		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
+ 			 dom_sid_str_buf(sid, &buf)));
+ 		status = NT_STATUS_UNSUCCESSFUL;
+ 		goto done;
+@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ 	}
+ 
+ 	if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
+-		DEBUG(1,("%s: No primary group for sid=%s !?\n", 
++		DEBUG(1,("%s: No primary group for sid=%s !?\n",
+ 			 domain->name,
+ 			 dom_sid_str_buf(sid, &buf)));
+ 		goto done;
+@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ 
+ 	count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
+ 
+-	/* there must always be at least one group in the token, 
++	/* there must always be at least one group in the token,
+ 	   unless we are talking to a buggy Win2k server */
+ 
+ 	/* actually this only happens when the machine account has no read
+@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ 		/* lookup what groups this user is a member of by DN search on
+ 		 * "member" */
+ 
+-		status = lookup_usergroups_member(domain, mem_ctx, user_dn, 
++		status = lookup_usergroups_member(domain, mem_ctx, user_dn,
+ 						  &primary_group,
+ 						  &num_groups, user_sids);
+ 		*p_num_groups = num_groups;
+@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ 			DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
+ 				   "not map any SIDs at all.\n"));
+ 			/* Don't handle this as an error here.
+-			 * There is nothing left to do with respect to the 
++			 * There is nothing left to do with respect to the
+ 			 * overall result... */
+ 		}
+ 		else if (!NT_STATUS_IS_OK(status)) {
+@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ 			NETR_TRUST_FLAG_IN_FOREST;
+ 	} else {
+ 		flags = NETR_TRUST_FLAG_IN_FOREST;
+-	}	
++	}
+ 
+ 	result = cm_connect_netlogon(domain, &cli);
+ 
+ 	if (!NT_STATUS_IS_OK(result)) {
+ 		DEBUG(5, ("trusted_domains: Could not open a connection to %s "
+-			  "for PIPE_NETLOGON (%s)\n", 
++			  "for PIPE_NETLOGON (%s)\n",
+ 			  domain->name, nt_errstr(result)));
+ 		return NT_STATUS_UNSUCCESSFUL;
+ 	}
+-- 
+2.33.1
+
+
+From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 18 Jan 2022 19:44:54 +0100
+Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
+---
+ source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index e415df347e6..6f01ef6e334 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -34,6 +34,7 @@
+ #include "../libds/common/flag_mapping.h"
+ #include "libsmb/samlogon_cache.h"
+ #include "passdb.h"
++#include "auth/credentials/credentials.h"
+ 
+ #ifdef HAVE_ADS
+ 
+@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ 	ADS_STATUS status;
+ 	struct sockaddr_storage dc_ss;
+ 	fstring dc_name;
++	enum credentials_use_kerberos krb5_state;
+ 
+ 	if (auth_realm == NULL) {
+ 		return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ 	ads->auth.renewable = renewable;
+ 	ads->auth.password = password;
+ 
+-	ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++	/* In FIPS mode, client use kerberos is forced to required. */
++	krb5_state = lp_client_use_kerberos();
++	switch (krb5_state) {
++	case CRED_USE_KERBEROS_REQUIRED:
++		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DESIRED:
++		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DISABLED:
++		ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	}
+ 
+ 	ads->auth.realm = SMB_STRDUP(auth_realm);
+ 	if (!strupper_m(ads->auth.realm)) {
+-- 
+2.33.1
+
+
+From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 21 Jan 2022 12:01:33 +0100
+Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
+
+(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
+---
+ source3/libnet/libnet_join.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 02705f1c70c..4c67e9af5c4 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ 	ADS_STATUS status;
+ 	ADS_STRUCT *my_ads = NULL;
+ 	char *cp;
++	enum credentials_use_kerberos krb5_state;
+ 
+ 	my_ads = ads_init(dns_domain_name,
+ 			  netbios_domain_name,
+@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 	}
+ 
+-	my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++	/* In FIPS mode, client use kerberos is forced to required. */
++	krb5_state = lp_client_use_kerberos();
++	switch (krb5_state) {
++	case CRED_USE_KERBEROS_REQUIRED:
++		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DESIRED:
++		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DISABLED:
++		my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
++		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	}
+ 
+ 	if (user_name) {
+ 		SAFE_FREE(my_ads->auth.user_name);
+-- 
+2.33.1
+

SOURCES/samba-disable-systemd-notifications.patch

@@ -0,0 +1,36 @@
+From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
+From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
+Date: Mon, 24 Jan 2022 22:14:31 -0500
+Subject: [PATCH] printing/bgqd: Disable systemd notifications
+
+samba-bgqd daemon is started by existing Samba daemons. When running
+under systemd, those daemons control systemd notifications and
+samba-bgqd messages need to be silenced.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
+
+Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
+---
+ source3/printing/samba-bgqd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
+index f21327fc622..59ed0cc40db 100644
+--- a/source3/printing/samba-bgqd.c
++++ b/source3/printing/samba-bgqd.c
+@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
+ 
+ 	log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
+ 
++	/* main process will notify systemd */
++	daemon_sd_notifications(false);
++
+ 	if (!cmdline_daemon_cfg->fork) {
+ 		daemon_status(progname, "Starting process ... ");
+ 	} else {
+-- 
+2.34.1
+

SOURCES/samba-glibc-dns.patch

@@ -0,0 +1,64 @@
+From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 7 Oct 2021 15:55:37 +0200
+Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34
+
+With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
+anymore. The res_* symbols have been moved from libresolv to libc. We are not
+able to intercept any traffic inside of libc.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ selftest/wscript                   |  2 +-
+ third_party/resolv_wrapper/wscript | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/wscript b/selftest/wscript
+index a6be06c2ae9..85d9338489a 100644
+--- a/selftest/wscript
++++ b/selftest/wscript
+@@ -252,7 +252,7 @@ def cmd_testonly(opt):
+     if os.environ.get('USE_NAMESPACES') is None:
+         env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
+ 
+-    if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'):
++    if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
+         env.OPTIONS += " --use-dns-faking"
+ 
+     if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
+diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
+index a7f18389b0f..7e369bd90b5 100644
+--- a/third_party/resolv_wrapper/wscript
++++ b/third_party/resolv_wrapper/wscript
+@@ -1,6 +1,7 @@
+ #!/usr/bin/env python
+ 
+ import os
++from waflib import Logs
+ 
+ VERSION="1.1.7"
+ 
+@@ -49,6 +50,18 @@ def configure(conf):
+         if conf.CONFIG_SET('HAVE_RES_NCLOSE'):
+             conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1)
+ 
++        # If we find res_nquery in libc, we can't do resolv.conf redirect
++        conf.CHECK_FUNCS('res_nquery __res_nquery')
++        if (conf.CONFIG_SET('HAVE_RES_NQUERY')
++                or conf.CONFIG_SET('HAVE___RES_NQUERY')):
++            Logs.warn("Detection for resolv_wrapper: "
++                      "Only dns faking will be available")
++        else:
++            if conf.CHECK_FUNCS('res_nquery', lib='resolv'):
++                conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
++            if conf.CHECK_FUNCS('__res_nquery', lib='resolv'):
++                conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
++
+         conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True)
+         conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True)
+         conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True)
+-- 
+2.33.1
+

SOURCES/samba-password-change-prompt.patch

@@ -0,0 +1,100 @@
+From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 17 Nov 2021 09:56:09 +0100
+Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
+ off).
+
+This change disables the prompt for the change of an expired password by
+default (using the PAM_RADIO_TYPE mechanism if present).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
+---
+ docs-xml/manpages/pam_winbind.conf.5.xml |  7 +++++++
+ nsswitch/pam_winbind.c                   | 12 ++++++++++--
+ nsswitch/pam_winbind.h                   |  1 +
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
+index 0bc288f91a1..bae9298fc32 100644
+--- a/docs-xml/manpages/pam_winbind.conf.5.xml
++++ b/docs-xml/manpages/pam_winbind.conf.5.xml
+@@ -194,6 +194,13 @@
+ 		</para></listitem>
+ 		</varlistentry>
+ 
++		<varlistentry>
++		<term>pwd_change_prompt = yes|no</term>
++		<listitem><para>
++			Generate prompt for changing an expired password. Defaults to "no".
++		</para></listitem>
++		</varlistentry>
++
+ 		</variablelist>
+ 
+ 	</para>
+diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
+index 720a4b90d85..06098dd07d8 100644
+--- a/nsswitch/pam_winbind.c
++++ b/nsswitch/pam_winbind.c
+@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
+ 		ctrl |= WINBIND_MKHOMEDIR;
+ 	}
+ 
++	if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
++		ctrl |= WINBIND_PWD_CHANGE_PROMPT;
++	}
++
+ config_from_pam:
+ 	/* step through arguments */
+ 	for (i=argc,v=argv; i-- > 0; ++v) {
+@@ -522,6 +526,8 @@ config_from_pam:
+ 		else if (!strncasecmp(*v, "warn_pwd_expire",
+ 			strlen("warn_pwd_expire")))
+ 			ctrl |= WINBIND_WARN_PWD_EXPIRE;
++		else if (!strcasecmp(*v, "pwd_change_prompt"))
++			ctrl |= WINBIND_PWD_CHANGE_PROMPT;
+ 		else if (type != PAM_WINBIND_CLEANUP) {
+ 			__pam_log(pamh, ctrl, LOG_ERR,
+ 				 "pam_parse: unknown option: %s", *v);
+@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
+ 		 * successfully sent the warning message.
+ 		 * Give the user a chance to change pwd.
+ 		 */
+-		if (ret == PAM_SUCCESS) {
++		if (ret == PAM_SUCCESS &&
++		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
+ 			if (change_pwd) {
+ 				retval = _pam_winbind_change_pwd(ctx);
+ 				if (retval) {
+@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
+ 		 * successfully sent the warning message.
+ 		 * Give the user a chance to change pwd.
+ 		 */
+-		if (ret == PAM_SUCCESS) {
++		if (ret == PAM_SUCCESS &&
++		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
+ 			if (change_pwd) {
+ 				retval = _pam_winbind_change_pwd(ctx);
+ 				if (retval) {
+diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
+index c6786d65a4d..2f4a25729bd 100644
+--- a/nsswitch/pam_winbind.h
++++ b/nsswitch/pam_winbind.h
+@@ -157,6 +157,7 @@ do {                             \
+ #define WINBIND_WARN_PWD_EXPIRE		0x00002000
+ #define WINBIND_MKHOMEDIR		0x00004000
+ #define WINBIND_TRY_AUTHTOK_ARG		0x00008000
++#define WINBIND_PWD_CHANGE_PROMPT	0x00010000
+ 
+ #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
+ #define _(string) dgettext(MODULE_NAME, string)
+-- 
+2.35.1
+

SOURCES/samba-printing-win7.patch

@@ -0,0 +1,229 @@
+From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 22 Jan 2022 01:08:26 +0100
+Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
+
+This is important for the source3/rpc_server code as it might
+be called embedded in smbd and may not run as root with access
+to our private tdb/ldb files.
+
+Note this is only really needed for 4.15 and older, as
+we no longer run the rpc_server embedded in smbd,
+but we better be consistent for now.
+
+This should be able to fix the problem the printing no longer works
+on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
+
+Windows uses NTLMSSP with privacy at the DCERPC layer on top
+of NCACN_NP (smb).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
+---
+ librpc/rpc/dcesrv_auth.c         |  5 +++++
+ librpc/rpc/dcesrv_core.c         | 18 ++++++++++++++++++
+ librpc/rpc/dcesrv_core.h         |  2 ++
+ source3/rpc_server/rpc_config.c  |  2 ++
+ source4/rpc_server/service_rpc.c | 10 ++++++++++
+ 5 files changed, 37 insertions(+)
+
+diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
+index fec8df513a83..99d8e0162160 100644
+--- a/librpc/rpc/dcesrv_auth.c
++++ b/librpc/rpc/dcesrv_auth.c
+@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
+ 	auth->auth_level = call->in_auth_info.auth_level;
+ 	auth->auth_context_id = call->in_auth_info.auth_context_id;
+ 
++	cb->auth.become_root();
+ 	status = cb->auth.gensec_prepare(
+ 		auth,
+ 		call,
+ 		&auth->gensec_security,
+ 		cb->auth.private_data);
++	cb->auth.unbecome_root();
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
+ 			  nt_errstr(status)));
+@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
+ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
+ {
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	const char *pdu = "<unknown>";
+ 
+ 	switch (call->pkt.ptype) {
+@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
+ 		return status;
+ 	}
+ 
++	cb->auth.become_root();
+ 	status = gensec_session_info(auth->gensec_security,
+ 				     auth,
+ 				     &auth->session_info);
++	cb->auth.unbecome_root();
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(1, ("Failed to establish session_info: %s\n",
+ 			  nt_errstr(status)));
+diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
+index d16159b0b6cd..ea91fc689b4a 100644
+--- a/librpc/rpc/dcesrv_core.c
++++ b/librpc/rpc/dcesrv_core.c
+@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
+ 	struct dcerpc_binding *ep_2nd_description = NULL;
+ 	const char *endpoint = NULL;
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	struct dcerpc_ack_ctx *ack_ctx_list = NULL;
+ 	struct dcerpc_ack_ctx *ack_features = NULL;
+ 	struct tevent_req *subreq = NULL;
+@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
+ 		return dcesrv_auth_reply(call);
+ 	}
+ 
++	cb->auth.become_root();
+ 	subreq = gensec_update_send(call, call->event_ctx,
+ 				    auth->gensec_security,
+ 				    call->in_auth_info.credentials);
++	cb->auth.unbecome_root();
+ 	if (subreq == NULL) {
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
+ 		tevent_req_callback_data(subreq,
+ 		struct dcesrv_call_state);
+ 	struct dcesrv_connection *conn = call->conn;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	NTSTATUS status;
+ 
++	cb->auth.become_root();
+ 	status = gensec_update_recv(subreq, call,
+ 				    &call->out_auth_info->credentials);
++	cb->auth.unbecome_root();
+ 	TALLOC_FREE(subreq);
+ 
+ 	status = dcesrv_auth_complete(call, status);
+@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
+ {
+ 	struct dcesrv_connection *conn = call->conn;
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	struct tevent_req *subreq = NULL;
+ 	NTSTATUS status;
+ 
+@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
+ 		return NT_STATUS_OK;
+ 	}
+ 
++	cb->auth.become_root();
+ 	subreq = gensec_update_send(call, call->event_ctx,
+ 				    auth->gensec_security,
+ 				    call->in_auth_info.credentials);
++	cb->auth.unbecome_root();
+ 	if (subreq == NULL) {
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
+ 		struct dcesrv_call_state);
+ 	struct dcesrv_connection *conn = call->conn;
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	NTSTATUS status;
+ 
++	cb->auth.become_root();
+ 	status = gensec_update_recv(subreq, call,
+ 				    &call->out_auth_info->credentials);
++	cb->auth.unbecome_root();
+ 	TALLOC_FREE(subreq);
+ 
+ 	status = dcesrv_auth_complete(call, status);
+@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
+ 	struct ncacn_packet *pkt = &call->ack_pkt;
+ 	uint32_t extra_flags = 0;
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	struct dcerpc_ack_ctx *ack_ctx_list = NULL;
+ 	struct tevent_req *subreq = NULL;
+ 	size_t i;
+@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
+ 		return dcesrv_auth_reply(call);
+ 	}
+ 
++	cb->auth.become_root();
+ 	subreq = gensec_update_send(call, call->event_ctx,
+ 				    auth->gensec_security,
+ 				    call->in_auth_info.credentials);
++	cb->auth.unbecome_root();
+ 	if (subreq == NULL) {
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
+ 		tevent_req_callback_data(subreq,
+ 		struct dcesrv_call_state);
+ 	struct dcesrv_connection *conn = call->conn;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	NTSTATUS status;
+ 
++	cb->auth.become_root();
+ 	status = gensec_update_recv(subreq, call,
+ 				    &call->out_auth_info->credentials);
++	cb->auth.unbecome_root();
+ 	TALLOC_FREE(subreq);
+ 
+ 	status = dcesrv_auth_complete(call, status);
+diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
+index d8d5f9030959..0538442e0ce6 100644
+--- a/librpc/rpc/dcesrv_core.h
++++ b/librpc/rpc/dcesrv_core.h
+@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
+ 			struct gensec_security **out,
+ 			void *private_data);
+ 		void *private_data;
++		void (*become_root)(void);
++		void (*unbecome_root)(void);
+ 	} auth;
+ 	struct {
+ 		NTSTATUS (*find)(
+diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
+index 2f1a01da1c0b..289c4f398409 100644
+--- a/source3/rpc_server/rpc_config.c
++++ b/source3/rpc_server/rpc_config.c
+@@ -31,6 +31,8 @@
+ static struct dcesrv_context_callbacks srv_callbacks = {
+ 	.log.successful_authz = dcesrv_log_successful_authz,
+ 	.auth.gensec_prepare = dcesrv_auth_gensec_prepare,
++	.auth.become_root = become_root,
++	.auth.unbecome_root = unbecome_root,
+ 	.assoc_group.find = dcesrv_assoc_group_find,
+ };
+ 
+diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
+index d8c6746d7815..ebb50f8a7ef3 100644
+--- a/source4/rpc_server/service_rpc.c
++++ b/source4/rpc_server/service_rpc.c
+@@ -40,9 +40,19 @@
+ #include "../libcli/named_pipe_auth/npa_tstream.h"
+ #include "samba/process_model.h"
+ 
++static void skip_become_root(void)
++{
++}
++
++static void skip_unbecome_root(void)
++{
++}
++
+ static struct dcesrv_context_callbacks srv_callbacks = {
+ 	.log.successful_authz = log_successful_dcesrv_authz_event,
+ 	.auth.gensec_prepare = dcesrv_gensec_prepare,
++	.auth.become_root = skip_become_root,
++	.auth.unbecome_root = skip_unbecome_root,
+ 	.assoc_group.find = dcesrv_assoc_group_find,
+ };
+ 
+-- 
+2.25.1
+

SOURCES/samba-s4u.patch

@@ -0,0 +1,697 @@
+From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 27 Sep 2019 18:25:03 +0300
+Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
+
+Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+---
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
+ source4/kdc/mit_samba.c                  |  47 ++-------
+ source4/kdc/mit_samba.h                  |   6 +-
+ 3 files changed, 71 insertions(+), 106 deletions(-)
+
+diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
+index f35210669c2..b1c7c5dcc5e 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
+@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
+ 				     krb5_keyblock *krbtgt_key,
+ 				     krb5_timestamp authtime,
+ 				     krb5_authdata **tgt_auth_data,
+-				     krb5_pac *pac)
++				     krb5_pac *out_pac)
+ {
+ 	struct mit_samba_context *mit_ctx;
+ 	krb5_authdata **authdata = NULL;
+-	krb5_pac ipac = NULL;
+-	DATA_BLOB logon_data = { NULL, 0 };
++	krb5_keyblock *header_server_key = NULL;
++	krb5_key_data *impersonator_kd = NULL;
++	krb5_keyblock impersonator_key = {0};
+ 	krb5_error_code code;
++	krb5_pac pac;
++
++	*out_pac = NULL;
+ 
+ 	mit_ctx = ks_get_context(context);
+ 	if (mit_ctx == NULL) {
+@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
+ 	code = krb5_pac_parse(context,
+ 			      authdata[0]->contents,
+ 			      authdata[0]->length,
+-			      &ipac);
++			      &pac);
+ 	if (code != 0) {
+ 		goto done;
+ 	}
+ 
+-	/* TODO: verify this is correct
+-	 *
+-	 * In the constrained delegation case, the PAC is from a service
+-	 * ticket rather than a TGT; we must verify the server and KDC
+-	 * signatures to assert that the server did not forge the PAC.
++	/*
++	 * For constrained delegation in MIT version < 1.18 we aren't provided
++	 * with the 2nd ticket server key to verify the PAC.
++	 * We can workaround that by fetching the key from the client db entry,
++	 * which is the impersonator account in that version.
++	 * TODO: use the provided entry in the new 1.18 version.
+ 	 */
+ 	if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+-		code = krb5_pac_verify(context,
+-				       ipac,
+-				       authtime,
+-				       client_princ,
+-				       server_key,
+-				       krbtgt_key);
++		/* The impersonator must be local. */
++		if (client == NULL) {
++			code = KRB5KDC_ERR_BADOPTION;
++			goto done;
++		}
++		/* Fetch and decrypt 2nd ticket server's current key. */
++		code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
++					     &impersonator_kd);
++		if (code != 0) {
++			goto done;
++		}
++		code = krb5_dbe_decrypt_key_data(context, NULL,
++						 impersonator_kd,
++						 &impersonator_key, NULL);
++		if (code != 0) {
++			goto done;
++		}
++		header_server_key = &impersonator_key;
+ 	} else {
+-		code = krb5_pac_verify(context,
+-				       ipac,
+-				       authtime,
+-				       client_princ,
+-				       krbtgt_key,
+-				       NULL);
+-	}
+-	if (code != 0) {
+-		goto done;
++		header_server_key = krbtgt_key;
+ 	}
+ 
+-	/* check and update PAC */
+-	code = krb5_pac_parse(context,
+-			      authdata[0]->contents,
+-			      authdata[0]->length,
+-			      pac);
++	code = krb5_pac_verify(context, pac, authtime, client_princ,
++			       header_server_key, NULL);
+ 	if (code != 0) {
+ 		goto done;
+ 	}
+@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
+ 	code = mit_samba_reget_pac(mit_ctx,
+ 				   context,
+ 				   flags,
+-				   client_princ,
+ 				   client,
+ 				   server,
+ 				   krbtgt,
+ 				   krbtgt_key,
+-				   pac);
++				   &pac);
++	if (code != 0) {
++		goto done;
++	}
++
++	*out_pac = pac;
++	pac = NULL;
+ 
+ done:
++	krb5_free_keyblock_contents(context, &impersonator_key);
+ 	krb5_free_authdata(context, authdata);
+-	krb5_pac_free(context, ipac);
+-	free(logon_data.data);
++	krb5_pac_free(context, pac);
+ 
+ 	return code;
+ }
+@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 	krb5_authdata **pac_auth_data = NULL;
+ 	krb5_authdata **authdata = NULL;
+ 	krb5_boolean is_as_req;
++	krb5_const_principal pac_client;
+ 	krb5_error_code code;
+ 	krb5_pac pac = NULL;
+ 	krb5_data pac_data;
+@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
+ 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+ 
+-	/* FIXME: We don't support S4U yet */
+-	if (flags & KRB5_KDB_FLAGS_S4U) {
+-		return KRB5_KDB_DBTYPE_NOSUP;
+-	}
+-
+ 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+ 
+ 	/*
+@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 		ks_client_princ = client->princ;
+ 	}
+ 
++	/* In protocol transition, we are currently not provided with the tgt
++	 * client name to verify the PAC, we could probably skip the name
++	 * verification and just verify the signatures, but since we don't
++	 * support cross-realm nor aliases, we can just use server->princ */
++	if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
++		pac_client = server->princ;
++	} else {
++		pac_client = ks_client_princ;
++	}
++
+ 	if (client_entry == NULL) {
+ 		client_entry = client;
+ 	}
+@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 
+ 			code = ks_verify_pac(context,
+ 					     flags,
+-					     ks_client_princ,
++					     pac_client,
+ 					     client_entry,
+ 					     server,
+ 					     krbtgt,
+@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 		  is_as_req ? "AS-REQ" : "TGS-REQ",
+ 		  client_name);
+ 	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+-			server_key, krbtgt_key, &pac_data);
++			     server_key, krbtgt_key, &pac_data);
+ 	if (code != 0) {
+ 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
+ 		goto done;
+@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ 					      KRB5_AUTHDATA_IF_RELEVANT,
+ 					      authdata,
+ 					      signed_auth_data);
+-	if (code != 0) {
+-		goto done;
+-	}
+-
+-	code = 0;
+-
+ done:
+ 	if (client_entry != NULL && client_entry != client) {
+ 		ks_free_principal(context, client_entry);
+@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
+ 	 * server; -> delegating service
+ 	 * proxy; -> target principal
+ 	 */
+-	krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
+-
+-	char *target_name = NULL;
+-	bool is_enterprise;
+-	krb5_error_code code;
+ 
+ 	mit_ctx = ks_get_context(context);
+ 	if (mit_ctx == NULL) {
+ 		return KRB5_KDB_DBNOTINITED;
+ 	}
+ 
+-	code = krb5_unparse_name(context, proxy, &target_name);
+-	if (code) {
+-		goto done;
+-	}
+-
+-	is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
+-
+-	code = mit_samba_check_s4u2proxy(mit_ctx,
+-					 delegating_service,
+-					 target_name,
+-					 is_enterprise);
+-
+-done:
+-	free(target_name);
+-	return code;
++	return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
+ }
+ 
+ 
+diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
+index 4239332f0d9..acc3cba6254 100644
+--- a/source4/kdc/mit_samba.c
++++ b/source4/kdc/mit_samba.c
+@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
+ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
+ 				    krb5_context context,
+ 				    int flags,
+-				    krb5_const_principal client_principal,
+ 				    krb5_db_entry *client,
+ 				    krb5_db_entry *server,
+ 				    krb5_db_entry *krbtgt,
+@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
+ 								  context,
+ 								  *pac,
+ 								  server->princ,
+-								  discard_const(client_principal),
++								  client->princ,
+ 								  deleg_blob);
+ 		if (!NT_STATUS_IS_OK(nt_status)) {
+ 			DEBUG(0, ("Update delegation info failed: %s\n",
+@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
+ }
+ 
+ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
+-			      krb5_db_entry *kentry,
+-			      const char *target_name,
+-			      bool is_nt_enterprise_name)
++			      const krb5_db_entry *server,
++			      krb5_const_principal target_principal)
+ {
+-#if 1
+-	/*
+-	 * This is disabled because mit_samba_update_pac_data() does not handle
+-	 * S4U_DELEGATION_INFO
+-	 */
+-
+-	return KRB5KDC_ERR_BADOPTION;
+-#else
+-	krb5_principal target_principal;
+-	int flags = 0;
+-	int ret;
+-
+-	if (is_nt_enterprise_name) {
+-		flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+-	}
+-
+-	ret = krb5_parse_name_flags(ctx->context, target_name,
+-				    flags, &target_principal);
+-	if (ret) {
+-		return ret;
+-	}
+-
+-	ret = samba_kdc_check_s4u2proxy(ctx->context,
+-					ctx->db_ctx,
+-					skdc_entry,
+-					target_principal);
+-
+-	krb5_free_principal(ctx->context, target_principal);
+-
+-	return ret;
+-#endif
++	struct samba_kdc_entry *server_skdc_entry =
++		 talloc_get_type_abort(server->e_data,
++				       struct samba_kdc_entry);
++
++	return samba_kdc_check_s4u2proxy(ctx->context,
++					 ctx->db_ctx,
++					 server_skdc_entry,
++					 target_principal);
+ }
+ 
+ static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
+diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
+index 636c77ec97c..9cb00c9610e 100644
+--- a/source4/kdc/mit_samba.h
++++ b/source4/kdc/mit_samba.h
+@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
+ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
+ 				    krb5_context context,
+ 				    int flags,
+-				    krb5_const_principal client_principal,
+ 				    krb5_db_entry *client,
+ 				    krb5_db_entry *server,
+ 				    krb5_db_entry *krbtgt,
+@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
+ 				  DATA_BLOB *e_data);
+ 
+ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
+-			      krb5_db_entry *kentry,
+-			      const char *target_name,
+-			      bool is_nt_enterprise_name);
++			      const krb5_db_entry *server,
++			      krb5_const_principal target_principal);
+ 
+ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
+ 				      char *pwd,
+-- 
+2.33.1
+
+
+From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 27 Sep 2019 18:35:30 +0300
+Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
+
+Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+---
+ lib/krb5_wrap/krb5_samba.c            | 185 ++++++++++++++++++++++++++
+ lib/krb5_wrap/krb5_samba.h            |   2 -
+ source4/auth/kerberos/kerberos_util.c |  11 --
+ 3 files changed, 185 insertions(+), 13 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index fff5b4e2a22..791b417d5ba 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ 
+ 	return 0;
+ }
++
++#else /* MIT */
++
++static bool princ_compare_no_dollar(krb5_context ctx,
++				    krb5_principal a,
++				    krb5_principal b)
++{
++	bool cmp;
++	krb5_principal mod = NULL;
++
++	if (a->length == 1 && b->length == 1 &&
++	    a->data[0].length != 0 && b->data[0].length != 0 &&
++	    a->data[0].data[a->data[0].length -1] !=
++	    b->data[0].data[b->data[0].length -1]) {
++		if (a->data[0].data[a->data[0].length -1] == '$') {
++			mod = a;
++			mod->data[0].length--;
++		} else if (b->data[0].data[b->data[0].length -1] == '$') {
++			mod = b;
++			mod->data[0].length--;
++		}
++	}
++
++	cmp = krb5_principal_compare_flags(ctx, a, b,
++					   KRB5_PRINCIPAL_COMPARE_CASEFOLD);
++
++	if (mod != NULL) {
++		mod->data[0].length++;
++	}
++
++	return cmp;
++}
++
++krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
++					   krb5_ccache store_cc,
++					   krb5_principal init_principal,
++					   const char *init_password,
++					   krb5_principal impersonate_principal,
++					   const char *self_service,
++					   const char *target_service,
++					   krb5_get_init_creds_opt *krb_options,
++					   time_t *expire_time,
++					   time_t *kdc_time)
++{
++	krb5_error_code code;
++	krb5_principal self_princ = NULL;
++	krb5_principal target_princ = NULL;
++	krb5_creds *store_creds;
++	krb5_creds *s4u2self_creds = NULL;
++	krb5_creds *s4u2proxy_creds = NULL;
++	krb5_creds init_creds = {0};
++	krb5_creds mcreds = {0};
++	krb5_flags options = KRB5_GC_NO_STORE;
++	krb5_ccache tmp_cc;
++	bool s4u2proxy;
++
++	code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
++	if (code != 0) {
++		return code;
++	}
++
++	code = krb5_get_init_creds_password(ctx, &init_creds,
++					    init_principal,
++					    init_password,
++					    NULL, NULL,
++					    0,
++					    NULL,
++					    krb_options);
++	if (code != 0) {
++		goto done;
++	}
++
++	code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
++	if (code != 0) {
++		goto done;
++	}
++
++	code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
++	if (code != 0) {
++		goto done;
++	}
++
++	/*
++	 * Check if we also need S4U2Proxy or if S4U2Self is
++	 * enough in order to get a ticket for the target.
++	 */
++	if (target_service == NULL) {
++		s4u2proxy = false;
++	} else if (strcmp(target_service, self_service) == 0) {
++		s4u2proxy = false;
++	} else {
++		s4u2proxy = true;
++	}
++
++	code = krb5_parse_name(ctx, self_service, &self_princ);
++	if (code != 0) {
++		goto done;
++	}
++
++	/* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
++	 * client and the request server to be the same principal name. */
++	if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
++		code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
++		goto done;
++	}
++
++	mcreds.client = impersonate_principal;
++	mcreds.server = init_creds.client;
++
++	code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
++					     NULL, &s4u2self_creds);
++	if (code != 0) {
++		goto done;
++	}
++
++	if (s4u2proxy) {
++		code = krb5_parse_name(ctx, target_service, &target_princ);
++		if (code != 0) {
++			goto done;
++		}
++
++		mcreds.client = init_creds.client;
++		mcreds.server = target_princ;
++		mcreds.second_ticket = s4u2self_creds->ticket;
++
++		code = krb5_get_credentials(ctx, options |
++					    KRB5_GC_CONSTRAINED_DELEGATION,
++					    tmp_cc, &mcreds, &s4u2proxy_creds);
++		if (code != 0) {
++			goto done;
++		}
++
++		/* Check KDC support of S4U2Proxy extension */
++		if (!krb5_principal_compare(ctx, s4u2self_creds->client,
++					    s4u2proxy_creds->client)) {
++			code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
++			goto done;
++		}
++
++		store_creds = s4u2proxy_creds;
++	} else {
++		store_creds = s4u2self_creds;;
++
++		/* We need to save the ticket with the requested server name
++		 * or the caller won't be able to find it in cache. */
++		if (!krb5_principal_compare(ctx, self_princ,
++			store_creds->server)) {
++			krb5_free_principal(ctx, store_creds->server);
++			store_creds->server = NULL;
++			code = krb5_copy_principal(ctx, self_princ,
++						   &store_creds->server);
++			if (code != 0) {
++				goto done;
++			}
++		}
++	}
++
++	code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
++	if (code != 0) {
++		goto done;
++	}
++
++	code = krb5_cc_store_cred(ctx, store_cc, store_creds);
++	if (code != 0) {
++		goto done;
++	}
++
++	if (expire_time) {
++		*expire_time = (time_t) store_creds->times.endtime;
++	}
++
++	if (kdc_time) {
++		*kdc_time = (time_t) store_creds->times.starttime;
++	}
++
++done:
++	krb5_cc_destroy(ctx, tmp_cc);
++	krb5_free_cred_contents(ctx, &init_creds);
++	krb5_free_creds(ctx, s4u2self_creds);
++	krb5_free_creds(ctx, s4u2proxy_creds);
++	krb5_free_principal(ctx, self_princ);
++	krb5_free_principal(ctx, target_princ);
++
++	return code;
++}
+ #endif
+ 
+ #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
+diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
+index eab67f6d969..b5385c69a33 100644
+--- a/lib/krb5_wrap/krb5_samba.h
++++ b/lib/krb5_wrap/krb5_samba.h
+@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
+ 					       krb5_get_init_creds_opt *krb_options,
+ 					       time_t *expire_time,
+ 					       time_t *kdc_time);
+-#ifdef SAMBA4_USES_HEIMDAL
+ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ 					   krb5_ccache store_cc,
+ 					   krb5_principal init_principal,
+@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ 					   krb5_get_init_creds_opt *krb_options,
+ 					   time_t *expire_time,
+ 					   time_t *kdc_time);
+-#endif
+ 
+ #if defined(HAVE_KRB5_MAKE_PRINCIPAL)
+ #define smb_krb5_make_principal krb5_make_principal
+diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
+index 544d9d853cc..c14d8c72d8c 100644
+--- a/source4/auth/kerberos/kerberos_util.c
++++ b/source4/auth/kerberos/kerberos_util.c
+@@ -234,9 +234,7 @@ done:
+ {
+ 	krb5_error_code ret;
+ 	const char *password;
+-#ifdef SAMBA4_USES_HEIMDAL
+ 	const char *self_service;
+-#endif
+ 	const char *target_service;
+ 	time_t kdc_time = 0;
+ 	krb5_principal princ;
+@@ -268,9 +266,7 @@ done:
+ 		return ret;
+ 	}
+ 
+-#ifdef SAMBA4_USES_HEIMDAL
+ 	self_service = cli_credentials_get_self_service(credentials);
+-#endif
+ 	target_service = cli_credentials_get_target_service(credentials);
+ 
+ 	password = cli_credentials_get_password(credentials);
+@@ -331,7 +327,6 @@ done:
+ #endif
+ 		if (password) {
+ 			if (impersonate_principal) {
+-#ifdef SAMBA4_USES_HEIMDAL
+ 				ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
+ 								 ccache,
+ 								 princ,
+@@ -342,12 +337,6 @@ done:
+ 								 krb_options,
+ 								 NULL,
+ 								 &kdc_time);
+-#else
+-				talloc_free(mem_ctx);
+-				(*error_string) = "INTERNAL error: s4u2 ops "
+-					"are not supported with MIT build yet";
+-				return EINVAL;
+-#endif
+ 			} else {
+ 				ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
+ 								     ccache,
+-- 
+2.33.1
+
+
+From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 19 Sep 2020 14:16:20 +0200
+Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
+
+---
+ source4/heimdal/lib/hdb/hdb.h | 1 +
+ source4/kdc/db-glue.c         | 8 ++++++--
+ source4/kdc/mit_samba.c       | 3 +++
+ source4/kdc/sdb.h             | 1 +
+ 4 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
+index 5ef9d9565f3..dafaffc6c2d 100644
+--- a/source4/heimdal/lib/hdb/hdb.h
++++ b/source4/heimdal/lib/hdb/hdb.h
+@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
+ #define HDB_F_ALL_KVNOS		2048	/* we want all the keys, live or not */
+ #define HDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
+ #define HDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
++#define HDB_F_FORCE_CANON	16384	/* force canonicalition */
+ 
+ /* hdb_capability_flags */
+ #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
+diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
+index aff74f2ee71..d16b4c3329a 100644
+--- a/source4/kdc/db-glue.c
++++ b/source4/kdc/db-glue.c
+@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
+ 			}
+ 		}
+ 
+-	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
++	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
+ 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
+ 		if (ret) {
+ 			krb5_clear_error_message(context);
+ 			goto out;
+ 		}
+-	} else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
++	} else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
+ 		/*
+ 		 * SDB_F_CANON maps from the canonicalize flag in the
+ 		 * packet, and has a different meaning between AS-REQ
+ 		 * and TGS-REQ.  We only change the principal in the AS-REQ case
++		 *
++		 * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
++		 * the canonical name in all lookups, and takes care to canonicalize
++		 * only when appropriate.
+ 		 */
+ 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
+ 		if (ret) {
+diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
+index acc3cba6254..f0b9df8b613 100644
+--- a/source4/kdc/mit_samba.c
++++ b/source4/kdc/mit_samba.c
+@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
+ 	if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
+ 		sflags |= SDB_F_CANON;
+ 	}
++#if KRB5_KDB_API_VERSION >= 10
++	sflags |= SDB_F_FORCE_CANON;
++#endif
+ 	if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
+ 		      KRB5_KDB_FLAG_INCLUDE_PAC)) {
+ 		/*
+diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
+index c929acccce6..a9115ec23d7 100644
+--- a/source4/kdc/sdb.h
++++ b/source4/kdc/sdb.h
+@@ -116,6 +116,7 @@ struct sdb_entry_ex {
+ #define SDB_F_KVNO_SPECIFIED	128	/* we want a particular KVNO */
+ #define SDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
+ #define SDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
++#define SDB_F_FORCE_CANON	16384	/* force canonicalition */
+ 
+ void sdb_free_entry(struct sdb_entry_ex *e);
+ void free_sdb_entry(struct sdb_entry *s);
+-- 
+2.33.1
+

SOURCES/samba-virus_scanner.patch

@@ -0,0 +1,597 @@
+From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 9 Feb 2022 16:33:10 +0100
+Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd
+
+We have the env variable SERVER_LOG_LEVEL which allows you to change
+the log level on the command line. If we force -d0 this will not work.
+
+make test TESTS="samba" SERVER_LOG_LEVEL=10
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b)
+---
+ selftest/target/Samba3.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index b901fd2677a..64a9a791a61 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -2153,7 +2153,7 @@ sub make_bin_cmd
+ {
+ 	my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
+ 
+-	my @optargs = ("-d0");
++	my @optargs = ();
+ 	if (defined($options)) {
+ 		@optargs = split(/ /, $options);
+ 	}
+-- 
+2.34.1
+
+
+From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 8 Feb 2022 12:07:03 +0100
+Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses
+ filename matching
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1)
+---
+ source3/modules/vfs_virusfilter.c        | 12 +++++
+ source3/modules/vfs_virusfilter_common.h |  4 ++
+ source3/modules/vfs_virusfilter_dummy.c  | 58 ++++++++++++++++++++++++
+ source3/modules/wscript_build            |  1 +
+ 4 files changed, 75 insertions(+)
+ create mode 100644 source3/modules/vfs_virusfilter_dummy.c
+
+diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
+index 9fafe4e5d41..e6cbee7cd45 100644
+--- a/source3/modules/vfs_virusfilter.c
++++ b/source3/modules/vfs_virusfilter.c
+@@ -35,12 +35,14 @@
+ 
+ enum virusfilter_scanner_enum {
+ 	VIRUSFILTER_SCANNER_CLAMAV,
++	VIRUSFILTER_SCANNER_DUMMY,
+ 	VIRUSFILTER_SCANNER_FSAV,
+ 	VIRUSFILTER_SCANNER_SOPHOS
+ };
+ 
+ static const struct enum_list scanner_list[] = {
+ 	{ VIRUSFILTER_SCANNER_CLAMAV,	"clamav" },
++	{ VIRUSFILTER_SCANNER_DUMMY,	"dummy" },
+ 	{ VIRUSFILTER_SCANNER_FSAV,	"fsav" },
+ 	{ VIRUSFILTER_SCANNER_SOPHOS,	"sophos" },
+ 	{ -1,				NULL }
+@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect(
+ 	int snum = SNUM(handle->conn);
+ 	struct virusfilter_config *config = NULL;
+ 	const char *exclude_files = NULL;
++	const char *infected_files = NULL;
+ 	const char *temp_quarantine_dir_mode = NULL;
+ 	const char *infected_file_command = NULL;
+ 	const char *scan_error_command = NULL;
+@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect(
+ 		set_namearray(&config->exclude_files, exclude_files);
+ 	}
+ 
++	infected_files = lp_parm_const_string(
++		snum, "virusfilter", "infected files", NULL);
++	if (infected_files != NULL) {
++		set_namearray(&config->infected_files, infected_files);
++	}
++
+ 	config->cache_entry_limit = lp_parm_int(
+ 		snum, "virusfilter", "cache entry limit", 100);
+ 
+@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect(
+ 	case VIRUSFILTER_SCANNER_CLAMAV:
+ 		ret = virusfilter_clamav_init(config);
+ 		break;
++	case VIRUSFILTER_SCANNER_DUMMY:
++		ret = virusfilter_dummy_init(config);
++		break;
+ 	default:
+ 		DBG_ERR("Unhandled scanner %d\n", backend);
+ 		return -1;
+diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h
+index f71b0b949a7..463a9d74e9c 100644
+--- a/source3/modules/vfs_virusfilter_common.h
++++ b/source3/modules/vfs_virusfilter_common.h
+@@ -83,6 +83,9 @@ struct virusfilter_config {
+ 	/* Exclude files */
+ 	name_compare_entry		*exclude_files;
+ 
++	/* Infected files */
++	name_compare_entry		*infected_files;
++
+ 	/* Scan result cache */
+ 	struct virusfilter_cache	*cache;
+ 	int				cache_entry_limit;
+@@ -149,5 +152,6 @@ struct virusfilter_backend {
+ int virusfilter_sophos_init(struct virusfilter_config *config);
+ int virusfilter_fsav_init(struct virusfilter_config *config);
+ int virusfilter_clamav_init(struct virusfilter_config *config);
++int virusfilter_dummy_init(struct virusfilter_config *config);
+ 
+ #endif /* _VIRUSFILTER_COMMON_H */
+diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c
+new file mode 100644
+index 00000000000..03405cd6629
+--- /dev/null
++++ b/source3/modules/vfs_virusfilter_dummy.c
+@@ -0,0 +1,58 @@
++/*
++   Samba-VirusFilter VFS modules
++   Dummy scanner with infected files support.
++   Copyright (C) 2022 Pavel Filipenský <pfilipen@redhat.com>
++
++   This program is free software; you can redistribute it and/or modify
++   it under the terms of the GNU General Public License as published by
++   the Free Software Foundation; either version 3 of the License, or
++   (at your option) any later version.
++
++   This program is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++   GNU General Public License for more details.
++
++   You should have received a copy of the GNU General Public License
++   along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "modules/vfs_virusfilter_utils.h"
++
++static virusfilter_result virusfilter_dummy_scan(
++	struct vfs_handle_struct *handle,
++	struct virusfilter_config *config,
++	const struct files_struct *fsp,
++	char **reportp)
++{
++	bool ok;
++
++	DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp));
++	ok = is_in_path(fsp->fsp_name->base_name,
++			config->infected_files,
++			false);
++	return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN;
++}
++
++static struct virusfilter_backend_fns virusfilter_backend_dummy = {
++	.connect = NULL,
++	.disconnect = NULL,
++	.scan_init = NULL,
++	.scan = virusfilter_dummy_scan,
++	.scan_end = NULL,
++};
++
++int virusfilter_dummy_init(struct virusfilter_config *config)
++{
++	struct virusfilter_backend *backend = NULL;
++
++	backend = talloc_zero(config, struct virusfilter_backend);
++	if (backend == NULL) {
++		return -1;
++	}
++
++	backend->fns = &virusfilter_backend_dummy;
++	backend->name = "dummy";
++	config->backend = backend;
++	return 0;
++}
+diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
+index 40df4539392..ff318c3fa06 100644
+--- a/source3/modules/wscript_build
++++ b/source3/modules/wscript_build
+@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter',
+                  vfs_virusfilter_sophos.c
+                  vfs_virusfilter_fsav.c
+                  vfs_virusfilter_clamav.c
++                 vfs_virusfilter_dummy.c
+                  ''',
+                  deps='samba-util VFS_VIRUSFILTER_UTILS',
+                  init_function='',
+-- 
+2.34.1
+
+
+From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 8 Feb 2022 22:35:29 +0100
+Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and
+ 'virusfilter:infected files'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969)
+---
+ docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
+index 329a35af68a..88f91d73a42 100644
+--- a/docs-xml/manpages/vfs_virusfilter.8.xml
++++ b/docs-xml/manpages/vfs_virusfilter.8.xml
+@@ -48,6 +48,10 @@
+ 		  scanner</para></listitem>
+ 		  <listitem><para><emphasis>clamav</emphasis>, the ClamAV
+ 		  scanner</para></listitem>
++		  <listitem><para><emphasis>dummy</emphasis>, dummy scanner used in
++		  tests. Checks against the <emphasis>infected files</emphasis>
++		  parameter and flags any name that matches as infected.
++		  </para></listitem>
+ 		</itemizedlist>
+ 		</listitem>
+ 		</varlistentry>
+@@ -264,6 +268,14 @@
+ 		</listitem>
+ 		</varlistentry>
+ 
++		<varlistentry>
++		<term>virusfilter:infected files = empty</term>
++		<listitem>
++		<para>Files that virusfilter <emphasis>dummy</emphasis> flags as infected.</para>
++		<para>If this option is not set, the default is empty.</para>
++		</listitem>
++		</varlistentry>
++
+ 		<varlistentry>
+ 		<term>virusfilter:block access on error = false</term>
+ 		<listitem>
+-- 
+2.34.1
+
+
+From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 8 Feb 2022 15:34:56 +0100
+Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a)
+---
+ selftest/target/Samba3.pm | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 64a9a791a61..7584a0e7ba9 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -188,7 +188,7 @@ sub getlog_env_app($$$)
+ 	close(LOG);
+ 
+ 	return "" if $out eq $title;
+- 
++
+ 	return $out;
+ }
+ 
+@@ -2426,7 +2426,7 @@ sub provision($$)
+ 	my $nmbdsockdir="$prefix_abs/nmbd";
+ 	unlink($nmbdsockdir);
+ 
+-	## 
++	##
+ 	## create the test directory layout
+ 	##
+ 	die ("prefix_abs = ''") if $prefix_abs eq "";
+@@ -3290,7 +3290,7 @@ sub provision($$)
+ 	unless (open(PASSWD, ">$nss_wrapper_passwd")) {
+            warn("Unable to open $nss_wrapper_passwd");
+            return undef;
+-        } 
++        }
+ 	print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
+ $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
+ pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
+-- 
+2.34.1
+
+
+From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 8 Feb 2022 15:35:48 +0100
+Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
+---
+ selftest/knownfail.d/virus_scanner         |   2 +
+ selftest/target/Samba3.pm                  |  12 ++
+ source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++
+ source3/selftest/tests.py                  |   9 ++
+ 4 files changed, 147 insertions(+)
+ create mode 100644 selftest/knownfail.d/virus_scanner
+ create mode 100755 source3/script/tests/test_virus_scanner.sh
+
+diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
+new file mode 100644
+index 00000000000..6df3fd20627
+--- /dev/null
++++ b/selftest/knownfail.d/virus_scanner
+@@ -0,0 +1,2 @@
++^samba3.blackbox.virus_scanner.check_infected_read  # test download infected file ('vfs objects = virusfilter')
++^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 7584a0e7ba9..c1d0c60d96a 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1688,6 +1688,9 @@ sub setup_fileserver
+ 	my $veto_sharedir="$share_dir/veto";
+ 	push(@dirs,$veto_sharedir);
+ 
++	my $virusfilter_sharedir="$share_dir/virusfilter";
++	push(@dirs,$virusfilter_sharedir);
++
+ 	my $ip4 = Samba::get_ipv4_addr("FILESERVER");
+ 	my $fileserver_options = "
+ 	kernel change notify = yes
+@@ -1813,6 +1816,15 @@ sub setup_fileserver
+ 	path = $veto_sharedir
+ 	delete veto files = yes
+ 
++[virusfilter]
++	path = $virusfilter_sharedir
++	vfs objects = acl_xattr virusfilter
++	virusfilter:scanner = dummy
++	virusfilter:min file size = 0
++	virusfilter:infected files = *infected*
++	virusfilter:infected file action = rename
++	virusfilter:scan on close = yes
++
+ [homes]
+ 	comment = Home directories
+ 	browseable = No
+diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh
+new file mode 100755
+index 00000000000..2234ea6ca89
+--- /dev/null
++++ b/source3/script/tests/test_virus_scanner.sh
+@@ -0,0 +1,124 @@
++#!/bin/sh
++# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
++# shellcheck disable=1091
++
++if [ $# -lt 4 ]; then
++cat <<EOF
++Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
++EOF
++exit 1;
++fi
++
++SERVER_IP=${1}
++SHARE=${2}
++LOCAL_PATH=${3}
++SMBCLIENT=${4}
++
++SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
++
++failed=0
++sharedir="${LOCAL_PATH}/${SHARE}"
++
++incdir="$(dirname "$0")/../../../testprogs/blackbox"
++. "${incdir}/subunit.sh"
++
++check_infected_read()
++{
++    rm -rf "${sharedir:?}"/*
++
++    if ! touch "${sharedir}/infected.txt"; then
++        echo "ERROR: Cannot create ${sharedir}/infected.txt"
++        return 1
++    fi
++
++    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
++
++    # check that virusfilter:rename prefix/suffix was added
++    if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
++        echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
++        return 1
++    fi
++
++    # check that file was not downloaded
++    if [ -f "${sharedir}/infected.download.txt" ]; then
++        echo "ERROR: {sharedir}/infected.download.txt should not exist."
++        return 1
++    fi
++
++    return 0
++}
++
++check_infected_write()
++{
++    rm -rf "${sharedir:?}"/*
++    smbfile=infected.upload.txt
++    smbfilerenamed="virusfilter.${smbfile}.infected"
++
++    # non empty file is needed
++    # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
++    if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
++        echo "ERROR: Cannot create ${sharedir}/infected.txt"
++        return 1
++    fi
++
++    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
++
++    # check that virusfilter:rename prefix/suffix was added
++    if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
++        echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
++        return 1
++    fi
++
++    # check that file was not uploaded
++    if [ -f "${sharedir}/infected.upload.txt" ]; then
++        echo "ERROR: {sharedir}/${smbfile} should not exist."
++        return 1
++    fi
++
++    return 0
++}
++
++check_healthy_read()
++{
++    rm -rf "${sharedir:?}"/*
++
++    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
++        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
++        return 1
++    fi
++
++    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
++
++    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
++        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
++        return 1
++    fi
++
++    return 0
++}
++
++check_healthy_write()
++{
++    rm -rf "${sharedir:?}"/*
++
++    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
++        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
++        return 1
++    fi
++
++    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
++
++    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
++        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
++        return 1
++    fi
++
++    return 0
++}
++
++testit "check_infected_read"  check_infected_read  || failed=$((failed + 1))
++testit "check_infected_write" check_infected_write || failed=$((failed + 1))
++testit "check_healthy_read"   check_healthy_read   || failed=$((failed + 1))
++testit "check_healthy_write"  check_healthy_write  || failed=$((failed + 1))
++
++testok "$0" "$failed"
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 701be011f70..6b146c76381 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
+                '$SERVER_IP',
+                "tmp"])
+ 
++env = 'fileserver'
++plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
++              [os.path.join(samba3srcdir,
++                            "script/tests/test_virus_scanner.sh"),
++               '$SERVER_IP',
++               "virusfilter",
++               '$LOCAL_PATH',
++               smbclient3])
++
+ for env in ['fileserver', 'simpleserver']:
+     plantestsuite("samba3.blackbox.smbclient.encryption", env,
+                   [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),
+-- 
+2.34.1
+
+
+From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Mon, 7 Feb 2022 23:06:10 +0100
+Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184
+
+(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c)
+---
+ selftest/knownfail.d/virus_scanner | 2 --
+ source3/modules/vfs_virusfilter.c  | 6 +++---
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+ delete mode 100644 selftest/knownfail.d/virus_scanner
+
+diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
+deleted file mode 100644
+index 6df3fd20627..00000000000
+--- a/selftest/knownfail.d/virus_scanner
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba3.blackbox.virus_scanner.check_infected_read  # test download infected file ('vfs objects = virusfilter')
+-^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
+diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
+index e6cbee7cd45..d1554967ad1 100644
+--- a/source3/modules/vfs_virusfilter.c
++++ b/source3/modules/vfs_virusfilter.c
+@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle,
+ 		 */
+ 		goto virusfilter_vfs_open_next;
+ 	}
+-	ret = S_ISREG(smb_fname->st.st_ex_mode);
++	ret = S_ISREG(sbuf.st_ex_mode);
+ 	if (ret == 0) {
+ 		DBG_INFO("Not scanned: Directory or special file: %s/%s\n",
+ 			 cwd_fname, fname);
+ 		goto virusfilter_vfs_open_next;
+ 	}
+ 	if (config->max_file_size > 0 &&
+-	    smb_fname->st.st_ex_size > config->max_file_size)
++	    sbuf.st_ex_size > config->max_file_size)
+ 	{
+ 		DBG_INFO("Not scanned: file size > max file size: %s/%s\n",
+ 			 cwd_fname, fname);
+ 		goto virusfilter_vfs_open_next;
+ 	}
+ 	if (config->min_file_size > 0 &&
+-	    smb_fname->st.st_ex_size < config->min_file_size)
++	    sbuf.st_ex_size < config->min_file_size)
+ 	{
+ 		DBG_INFO("Not scanned: file size < min file size: %s/%s\n",
+ 		      cwd_fname, fname);
+-- 
+2.34.1
+

SOURCES/samba.logrotate

@@ -0,0 +1,10 @@
+/var/log/samba/log.* {
+    compress
+    dateext
+    maxage 365
+    rotate 99
+    notifempty
+    olddir /var/log/samba/old
+    missingok
+    copytruncate
+}

SOURCES/samba.pamd

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       required	pam_nologin.so
+auth       include	password-auth
+account    include	password-auth
+session    include	password-auth
+password   include	password-auth

SOURCES/smb.conf.example

@@ -0,0 +1,313 @@
+# This is the main Samba configuration file. For detailed information about the
+# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
+# number of configurable options, most of which are not shown in this example.
+#
+# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
+# and using Samba:
+# https://wiki.samba.org/index.php/User_Documentation
+#
+# In this file, lines starting with a semicolon (;) or a hash (#) are
+# comments and are ignored. This file uses hashes to denote commentary and
+# semicolons for parts of the file you may wish to configure.
+#
+# NOTE: Run the "testparm" command after modifying this file to check for basic
+# syntax errors.
+#
+#---------------
+# Security-Enhanced Linux (SELinux) Notes:
+#
+# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
+# useradd and groupadd family of binaries. Run the following command as the
+# root user to turn this Boolean on:
+# setsebool -P samba_domain_controller on
+#
+# Turn the samba_enable_home_dirs Boolean on if you want to share home
+# directories via Samba. Run the following command as the root user to turn this
+# Boolean on:
+# setsebool -P samba_enable_home_dirs on
+#
+# If you create a new directory, such as a new top-level directory, label it
+# with samba_share_t so that SELinux allows Samba to read and write to it. Do
+# not label system directories, such as /etc/ and /home/, with samba_share_t, as
+# such directories should already have an SELinux label.
+#
+# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
+# label for a given directory.
+#
+# Set SELinux labels only on files and directories you have created. Use the
+# chcon command to temporarily change a label:
+# chcon -t samba_share_t /path/to/directory
+#
+# Changes made via chcon are lost when the file system is relabeled or commands
+# such as restorecon are run.
+#
+# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
+# directories. To share such directories and only allow read-only permissions:
+# setsebool -P samba_export_all_ro on
+# To share such directories and allow read and write permissions:
+# setsebool -P samba_export_all_rw on
+#
+# To run scripts (preexec/root prexec/print command/...), copy them to the
+# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
+# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
+# their existing SELinux labels, which may be labels that SELinux does not allow
+# smbd to run. Copying the scripts will result in the correct SELinux labels.
+# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
+# apply the correct SELinux labels to these files.
+#
+#--------------
+#
+#======================= Global Settings =====================================
+
+[global]
+
+# ----------------------- Network-Related Options -------------------------
+#
+# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
+#
+# server string = the equivalent of the Windows NT Description field.
+#
+# netbios name = used to specify a server name that is not tied to the hostname,
+#                maximum is 15 characters.
+#
+# interfaces = used to configure Samba to listen on multiple network interfaces.
+# If you have multiple interfaces, you can use the "interfaces =" option to
+# configure which of those interfaces Samba listens on. Never omit the localhost
+# interface (lo).
+#
+# hosts allow = the hosts allowed to connect. This option can also be used on a
+# per-share basis.
+#
+# hosts deny = the hosts not allowed to connect. This option can also be used on
+# a per-share basis.
+#
+	workgroup = MYGROUP
+	server string = Samba Server Version %v
+
+;	netbios name = MYSERVER
+
+;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
+;	hosts allow = 127. 192.168.12. 192.168.13.
+
+# --------------------------- Logging Options -----------------------------
+#
+# log file = specify where log files are written to and how they are split.
+#
+# max log size = specify the maximum size log files are allowed to reach. Log
+# files are rotated when they reach the size specified with "max log size".
+#
+
+	# log files split per-machine:
+	log file = /var/log/samba/log.%m
+	# maximum size of 50KB per log file, then rotate:
+	max log size = 50
+
+# ----------------------- Standalone Server Options ------------------------
+#
+# security = the mode Samba runs in. This can be set to user, share
+# (deprecated), or server (deprecated).
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+
+	security = user
+	passdb backend = tdbsam
+
+
+# ----------------------- Domain Members Options ------------------------
+#
+# security = must be set to domain or ads.
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+# realm = only use the realm option when the "security = ads" option is set.
+# The realm option specifies the Active Directory realm the host is a part of.
+#
+# password server = only use this option when the "security = server"
+# option is set, or if you cannot use DNS to locate a Domain Controller. The
+# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
+#
+# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
+#
+# Use "password server = *" to automatically locate Domain Controllers.
+
+;	security = domain
+;	passdb backend = tdbsam
+;	realm = MY_REALM
+
+;	password server = <NT-Server-Name>
+
+# ----------------------- Domain Controller Options ------------------------
+#
+# security = must be set to user for domain controllers.
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+# domain master = specifies Samba to be the Domain Master Browser, allowing
+# Samba to collate browse lists between subnets. Do not use the "domain master"
+# option if you already have a Windows NT domain controller performing this task.
+#
+# domain logons = allows Samba to provide a network logon service for Windows
+# workstations.
+#
+# logon script = specifies a script to run at login time on the client. These
+# scripts must be provided in a share named NETLOGON.
+#
+# logon path = specifies (with a UNC path) where user profiles are stored.
+#
+#
+;	security = user
+;	passdb backend = tdbsam
+
+;	domain master = yes
+;	domain logons = yes
+
+	# the following login script name is determined by the machine name
+	# (%m):
+;	logon script = %m.bat
+	# the following login script name is determined by the UNIX user used:
+;	logon script = %u.bat
+;	logon path = \\%L\Profiles\%u
+	# use an empty path to disable profile support:
+;	logon path =
+
+	# various scripts can be used on a domain controller or a stand-alone
+	# machine to add or delete corresponding UNIX accounts:
+
+;	add user script = /usr/sbin/useradd "%u" -n -g users
+;	add group script = /usr/sbin/groupadd "%g"
+;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
+;	delete user script = /usr/sbin/userdel "%u"
+;	delete user from group script = /usr/sbin/userdel "%u" "%g"
+;	delete group script = /usr/sbin/groupdel "%g"
+
+
+# ----------------------- Browser Control Options ----------------------------
+#
+# local master = when set to no, Samba does not become the master browser on
+# your network. When set to yes, normal election rules apply.
+#
+# os level = determines the precedence the server has in master browser
+# elections. The default value should be reasonable.
+#
+# preferred master = when set to yes, Samba forces a local browser election at
+# start up (and gives itself a slightly higher chance of winning the election).
+#
+;	local master = no
+;	os level = 33
+;	preferred master = yes
+
+#----------------------------- Name Resolution -------------------------------
+#
+# This section details the support for the Windows Internet Name Service (WINS).
+#
+# Note: Samba can be either a WINS server or a WINS client, but not both.
+#
+# wins support = when set to yes, the NMBD component of Samba enables its WINS
+# server.
+#
+# wins server = tells the NMBD component of Samba to be a WINS client.
+#
+# wins proxy = when set to yes, Samba answers name resolution queries on behalf
+# of a non WINS capable client. For this to work, there must be at least one
+# WINS server on the network. The default is no.
+#
+# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
+# nslookups.
+
+;	wins support = yes
+;	wins server = w.x.y.z
+;	wins proxy = yes
+
+;	dns proxy = yes
+
+# --------------------------- Printing Options -----------------------------
+#
+# The options in this section allow you to configure a non-default printing
+# system.
+#
+# load printers = when set you yes, the list of printers is automatically
+# loaded, rather than setting them up individually.
+#
+# cups options = allows you to pass options to the CUPS library. Setting this
+# option to raw, for example, allows you to use drivers on your Windows clients.
+#
+# printcap name = used to specify an alternative printcap file.
+#
+
+	load printers = yes
+	cups options = raw
+
+;	printcap name = /etc/printcap
+	# obtain a list of printers automatically on UNIX System V systems:
+;	printcap name = lpstat
+;	printing = cups
+
+# --------------------------- File System Options ---------------------------
+#
+# The options in this section can be un-commented if the file system supports
+# extended attributes, and those attributes are enabled (usually via the
+# "user_xattr" mount option). These options allow the administrator to specify
+# that DOS attributes are stored in extended attributes and also make sure that
+# Samba does not change the permission bits.
+#
+# Note: These options can be used on a per-share basis. Setting them globally
+# (in the [global] section) makes them the default for all shares.
+
+;	map archive = no
+;	map hidden = no
+;	map read only = no
+;	map system = no
+;	store dos attributes = yes
+
+
+#============================ Share Definitions ==============================
+
+[homes]
+	comment = Home Directories
+	browseable = no
+	writable = yes
+;	valid users = %S
+;	valid users = MYDOMAIN\%S
+
+[printers]
+	comment = All Printers
+	path = /var/tmp
+	browseable = no
+	guest ok = no
+	writable = no
+	printable = yes
+
+# Un-comment the following and create the netlogon directory for Domain Logons:
+;	[netlogon]
+;	comment = Network Logon Service
+;	path = /var/lib/samba/netlogon
+;	guest ok = yes
+;	writable = no
+;	share modes = no
+
+# Un-comment the following to provide a specific roaming profile share.
+# The default is to use the user's home directory:
+;	[Profiles]
+;	path = /var/lib/samba/profiles
+;	browseable = no
+;	guest ok = yes
+
+# A publicly accessible directory that is read only, except for users in the
+# "staff" group (which have write permissions):
+;	[public]
+;	comment = Public Stuff
+;	path = /home/samba
+;	public = yes
+;	writable = no
+;	printable = no
+;	write list = +staff

SOURCES/smb.conf.vendor

@@ -0,0 +1,41 @@
+# See smb.conf.example for a more detailed config file or
+# read the smb.conf manpage.
+# Run 'testparm' to verify the config is correct after
+# you modified it.
+#
+# Note:
+# SMB1 is disabled by default. This means clients without support for SMB2 or
+# SMB3 are no longer able to connect to smbd (by default).
+
+[global]
+	workgroup = SAMBA
+	security = user
+
+	passdb backend = tdbsam
+
+	printing = cups
+	printcap name = cups
+	load printers = yes
+	cups options = raw
+
+[homes]
+	comment = Home Directories
+	valid users = %S, %D%w%S
+	browseable = No
+	read only = No
+	inherit acls = Yes
+
+[printers]
+	comment = All Printers
+	path = /var/tmp
+	printable = Yes
+	create mask = 0600
+	browseable = No
+
+[print$]
+	comment = Printer Drivers
+	path = /var/lib/samba/drivers
+	write list = @printadmin root
+	force group = @printadmin
+	create mask = 0664
+	directory mask = 0775