ipa-4.12.2-23

- Related: RHEL-114548 Rebase Samba to the latest 4.23.x release

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>

0109-dcerpc-make-sure-forest-trust-info-structure-version.patch

@@ -0,0 +1,108 @@
+From 7d4b5541b2de30a91cd1f14b790bfa33dca8ea5f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 8 Sep 2025 18:57:09 +0300
+Subject: [PATCH] dcerpc: make sure forest trust info structure version is 1
+
+[MS-DRSR] 5.64 FOREST_TRUST_INFORMATION defines version of the
+ForestTrustInfo structure as 1. We didn't set it so it was defaulting to
+zero. Samba validates the version number and rejects ForestTrustInfo
+structures from FreeIPA.
+
+Make sure new structures are always set to version 1 and old strutures
+fixed up to have version 1.
+
+Fixes: https://pagure.io/freeipa/issue/9852
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Julien Rische <jrische@redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 38 +++++++++++++++++++++++++++++++++++++-
+ ipaserver/dcerpc.py       |  1 +
+ 2 files changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 26f8e89ecc0107c4ab66dc1321f8afb5e1ce7b2f..3b8fc90fbfc6b8ed1afcc753dde1d5bb25d76aba 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -30,6 +30,8 @@ char *smb_xstrdup(const char *s);
+ #include <smbldap.h>
+ 
+ #include <gen_ndr/samr.h>
++#include <gen_ndr/drsblobs.h>
++#include <gen_ndr/ndr_drsblobs.h>
+ 
+ #include <passdb.h>
+ 
+@@ -101,7 +103,6 @@ struct unixid {
+ 	enum id_type type;
+ }/* [public] */;
+ 
+-enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flags, struct trustAuthInOutBlob *r); /*available in libndr-samba.so */
+ bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
+ /* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
+ bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
+@@ -2422,6 +2423,36 @@ static bool get_uint32_t_from_ldap_msg(struct ipasam_private *ipasam_state,
+ 	return true;
+ }
+ 
++static bool repack_pdb_forest_trust_info(struct pdb_trusted_domain *td)
++{
++	struct ForestTrustInfo *fti = NULL;
++	enum ndr_err_code ndr_err = 0;
++	/*
++	 * Fix-up the version field as Samba expects it.
++	 * We need to unpack the blob, change, and pack it again
++	 */
++	fti = talloc(td, struct ForestTrustInfo);
++	if (fti == NULL) {
++	    return false;
++	}
++	ndr_err = ndr_pull_struct_blob_all(&td->trust_forest_trust_info, td, fti,
++					   (ndr_pull_flags_fn_t)ndr_pull_ForestTrustInfo);
++	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++	    TALLOC_FREE(fti);
++	    return false;
++	}
++
++	fti->version = 1;
++
++	talloc_free(td->trust_forest_trust_info.data);
++	td->trust_forest_trust_info = data_blob_null;
++
++	ndr_err = ndr_push_struct_blob(&td->trust_forest_trust_info, td, fti,
++				       (ndr_push_flags_fn_t)ndr_push_ForestTrustInfo);
++	TALLOC_FREE(fti);
++	return NDR_ERR_CODE_IS_SUCCESS(ndr_err);
++}
++
+ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 				    struct ipasam_private *ipasam_state,
+ 				    LDAPMessage *entry,
+@@ -2614,6 +2645,11 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 					LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
+ 					&td->trust_forest_trust_info)) {
+ 		DEBUG(9, ("Failed to set forest trust info.\n"));
++	} else {
++		res = repack_pdb_forest_trust_info(td);
++		if (!res) {
++			return false;
++		}
+ 	}
+ 
+ 	*_td = td;
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 3344ea226e3cba61912e717f9c375612bb4707e0..b75c4fccfb3693d1fc5c2db2bb11837e312400ae 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1658,6 +1658,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):
+ 
+     ftinfo.count = len(ftinfo_records)
+     ftinfo.records = ftinfo_records
++    ftinfo.version = 1
+     result['ftinfo_data'] = ndr_pack(ftinfo)
+     return result
+ 
+-- 
+2.51.0
+

0110-dcerpc-Support-Samba-4.23.patch

@@ -0,0 +1,64 @@
+From 486558c63e4b0db6673e863a6bd89e885f8106dd Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 8 Sep 2025 18:59:50 +0300
+Subject: [PATCH] dcerpc: Support Samba 4.23
+
+Samba 4.23 ignores trust to PIM and 'within the forest' domains. It
+didn't know what to do with them in past as well but starting with 4.23
+the domain trust entries which have trust attributes with
+LSA_TRUST_ATTRIBUTE_PIM_TRUST and LSA_TRUST_ATTRIBUTE_WITHIN_FOREST bits
+set will be ignored.
+
+FreeIPA did default to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST for domains
+stored with trusted attributes set to 0 or missing. This was behavior in
+past for Samba as well. Since FreeIPA only supports forest trust and an
+external trust, in both cases we should set explicit LSA trust attribute
+bits:
+ - LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE for the forest trust
+ - LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE for the external trust
+
+Fixes: https://pagure.io/freeipa/issue/9852
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Julien Rische <jrische@redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 8 ++++----
+ ipaserver/dcerpc.py       | 2 ++
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 3b8fc90fbfc6b8ed1afcc753dde1d5bb25d76aba..9fb4db4c5231de1fdf9b6550beea776142590cc8 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -2594,10 +2594,10 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 		TALLOC_FREE(td);
+ 		return false;
+ 	}
+-	if (td->trust_attributes == 0) {
+-		/* attribute wasn't present, this is a subdomain within the
+-		 * parent forest */
+-		td->trust_attributes = LSA_TRUST_ATTRIBUTE_WITHIN_FOREST;
++	if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) {
++                /* attribute wasn't present and this is not a subdomain within
++                 * the parent forest */
++		td->trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
+ 	}
+ 
+ 	res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index b75c4fccfb3693d1fc5c2db2bb11837e312400ae..1182f128b4988bc699fe7a40d4834f1bead82cf5 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1362,6 +1362,8 @@ class TrustDomainInstance:
+         info.trust_attributes = 0
+         if trust_external:
+             info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
++        else:
++            info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
+ 
+         try:
+             dname = lsa.String()
+-- 
+2.51.0
+

0111-ipasam-simplify-error-handling-in-fill_pdb_trusted_d.patch

@@ -0,0 +1,136 @@
+From fcd0f0c6e07200e90628f108c7566b0ede7879b8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 11 Sep 2025 13:52:41 +0300
+Subject: [PATCH] ipasam: simplify error handling in fill_pdb_trusted_domain
+
+Related: https://pagure.io/freeipa/issue/9852
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Julien Rische <jrische@redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 44 ++++++++++++++++++---------------------
+ 1 file changed, 20 insertions(+), 24 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 9fb4db4c5231de1fdf9b6550beea776142590cc8..ea85a7f430e67750059182b191497f4d2a2b73dc 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -2507,7 +2507,8 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 	rc = ldap_str2dn(strdn, &dn, LDAP_DN_FORMAT_LDAPV3);
+ 	if (rc) {
+ 		free(strdn);
+-		return false;
++		res = false;
++		goto done;
+ 	}
+ 
+ 	for (count = 0; dn[count] != NULL; count++);
+@@ -2519,8 +2520,8 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 			  strdn, ipasam_state->trust_dn));
+ 		ldap_dnfree(dn);
+ 		free(strdn);
+-		TALLOC_FREE(td);
+-		return false;
++		res = false;
++		goto done;
+ 
+ 	}
+ 
+@@ -2543,7 +2544,8 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 					       dummy, &sid);
+ 		TALLOC_FREE(dummy);
+ 		if (err != IDMAP_SUCCESS) {
+-			return false;
++			res = false;
++			goto done;
+ 		}
+ 		sid_copy(&td->security_identifier, sid);
+ 		talloc_free(sid);
+@@ -2583,16 +2585,14 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 					 LDAP_ATTRIBUTE_TRUST_DIRECTION,
+ 					 &td->trust_direction);
+ 	if (!res) {
+-		TALLOC_FREE(td);
+-		return false;
++		goto done;
+ 	}
+ 
+ 	res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
+ 					 LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
+ 					 &td->trust_attributes);
+ 	if (!res) {
+-		TALLOC_FREE(td);
+-		return false;
++		goto done;
+ 	}
+ 	if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) {
+                 /* attribute wasn't present and this is not a subdomain within
+@@ -2604,8 +2604,7 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 					 LDAP_ATTRIBUTE_TRUST_TYPE,
+ 					 &td->trust_type);
+ 	if (!res) {
+-		TALLOC_FREE(td);
+-		return false;
++		goto done;
+ 	}
+ 	if (td->trust_type == 0) {
+ 		/* attribute wasn't present, set default value */
+@@ -2614,28 +2613,24 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 
+ 	td->trust_posix_offset = talloc_zero(td, uint32_t);
+ 	if (td->trust_posix_offset == NULL) {
+-		TALLOC_FREE(td);
+-		return false;
++		goto done;
+ 	}
+ 	res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
+ 					 LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
+ 					 td->trust_posix_offset);
+ 	if (!res) {
+-		TALLOC_FREE(td);
+-		return false;
++		goto done;
+ 	}
+ 
+ 	td->supported_enc_type = talloc_zero(td, uint32_t);
+ 	if (td->supported_enc_type == NULL) {
+-		TALLOC_FREE(td);
+-		return false;
++		goto done;
+ 	}
+ 	res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
+ 					 LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
+ 					 td->supported_enc_type);
+ 	if (!res) {
+-		TALLOC_FREE(td);
+-		return false;
++		goto done;
+ 	}
+ 	if (*td->supported_enc_type == 0) {
+ 		*td->supported_enc_type = ipasam_state->supported_enctypes;
+@@ -2647,14 +2642,15 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ 		DEBUG(9, ("Failed to set forest trust info.\n"));
+ 	} else {
+ 		res = repack_pdb_forest_trust_info(td);
+-		if (!res) {
+-			return false;
+-		}
+ 	}
+ 
+-	*_td = td;
+-
+-	return true;
++done:
++	if (res) {
++		*_td = td;
++	} else {
++		TALLOC_FREE(td);
++	}
++	return res;
+ }
+ 
+ static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
+-- 
+2.51.0
+

0112-ipasam-address-signedness-warnings.patch

@@ -0,0 +1,53 @@
+From cb36c3d9969ce0c0beacb43c7d4ea29da652c499 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 11 Sep 2025 13:57:46 +0300
+Subject: [PATCH] ipasam: address signedness warnings
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Julien Rische <jrische@redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index ea85a7f430e67750059182b191497f4d2a2b73dc..55a3a03a57f18856140a62d32fde744876c5e635 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -236,15 +236,13 @@ static void idmap_talloc_free(void *ptr, void *pvt)
+ 
+ static void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
+ {
+-	size_t c;
+-
+ 	memset(dst, 0, sizeof(*dst));
+ 
+ 	dst->sid_rev_num = src->sid_rev_num;
+ 	dst->num_auths = src->num_auths;
+ 	memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
+ 
+-	for (c = 0; c < src->num_auths; c++) {
++	for (int8_t c = 0; c < src->num_auths; c++) {
+ 		dst->sub_auths[c] = src->sub_auths[c];
+ 	}
+ }
+@@ -3249,7 +3247,6 @@ static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
+ {
+ 	NTSTATUS status;
+ 	struct pdb_trusted_domain **td;
+-	int i;
+ 
+ 	status = ipasam_enum_trusted_domains(methods, mem_ctx,
+ 					     num_domains, &td);
+@@ -3267,7 +3264,7 @@ static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
+ 		goto fail;
+ 	}
+ 
+-	for (i = 0; i < *num_domains; i++) {
++	for (uint32_t i = 0; i < *num_domains; i++) {
+ 		struct trustdom_info *dom_info;
+ 
+ 		dom_info = talloc(*domains, struct trustdom_info);
+-- 
+2.51.0
+

0113-ipasam-define-prototypes.patch

@@ -0,0 +1,34 @@
+From fc40c7cdcfa3e59d5122248f3ed9faa135de22a6 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 11 Sep 2025 13:58:03 +0300
+Subject: [PATCH] ipasam: define prototypes
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Julien Rische <jrische@redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 55a3a03a57f18856140a62d32fde744876c5e635..839a621ef9a185c5c07c4c2c24f627e1ef8ab43a 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -5380,12 +5380,14 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ 	return NT_STATUS_OK;
+ }
+ 
++NTSTATUS samba_module_init(void);
+ NTSTATUS samba_module_init(void)
+ {
+ 	return smb_register_passdb(PASSDB_INTERFACE_VERSION, "ipasam",
+ 				   pdb_init_ipasam);
+ }
+ 
++NTSTATUS samba_init_module(void);
+ NTSTATUS samba_init_module(void)
+ {
+ 	return smb_register_passdb(PASSDB_INTERFACE_VERSION, "ipasam",
+-- 
+2.51.0
+

0114-ipasam-remove-definitions-which-included-from-ndr_dr.patch

@@ -0,0 +1,74 @@
+From 4645f5f00b476e6e3030d1a1cc3c73f3f9614ee7 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 18 Sep 2025 18:20:11 +0300
+Subject: [PATCH] ipasam: remove definitions which included from ndr_drsblobs.h
+
+Do not need to have duplicates as we include them. They used to be not
+exported by Samba but not anymore.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 47 ---------------------------------------
+ 1 file changed, 47 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 839a621ef9a185c5c07c4c2c24f627e1ef8ab43a..c43ffddbbdd69123b5d568a937fbc12d138243d1 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -43,53 +43,6 @@ char *smb_xstrdup(const char *s);
+ #include "ipa_pwd.h"
+ #include "ipa_mspac.h"
+ 
+-/* from drsblobs.h */
+-struct AuthInfoNone {
+-	uint32_t size;/* [value(0)] */
+-};
+-
+-struct AuthInfoNT4Owf {
+-	uint32_t size;/* [value(16)] */
+-	struct samr_Password password;
+-};
+-
+-struct AuthInfoClear {
+-	uint32_t size;
+-	uint8_t *password;
+-};
+-
+-struct AuthInfoVersion {
+-	uint32_t size;/* [value(4)] */
+-	uint32_t version;
+-};
+-
+-union AuthInfo {
+-	struct AuthInfoNone none;/* [case(TRUST_AUTH_TYPE_NONE)] */
+-	struct AuthInfoNT4Owf nt4owf;/* [case(TRUST_AUTH_TYPE_NT4OWF)] */
+-	struct AuthInfoClear clear;/* [case(TRUST_AUTH_TYPE_CLEAR)] */
+-	struct AuthInfoVersion version;/* [case(TRUST_AUTH_TYPE_VERSION)] */
+-}/* [nodiscriminant] */;
+-
+-struct AuthenticationInformation {
+-	NTTIME LastUpdateTime;
+-	enum lsa_TrustAuthType AuthType;
+-	union AuthInfo AuthInfo;/* [switch_is(AuthType)] */
+-	DATA_BLOB _pad;/* [flag(LIBNDR_FLAG_ALIGN4)] */
+-}/* [public] */;
+-
+-struct AuthenticationInformationArray {
+-	uint32_t count;
+-	struct AuthenticationInformation *array;
+-}/* [gensize,nopush,public,nopull] */;
+-
+-struct trustAuthInOutBlob {
+-	uint32_t count;
+-	uint32_t current_offset;/* [value((count>0)?12:0)] */
+-	uint32_t previous_offset;/* [value((count>0)?12+ndr_size_AuthenticationInformationArray(&current,ndr->flags):0)] */
+-	struct AuthenticationInformationArray current;/* [subcontext_size((previous_offset)-(current_offset)),subcontext(0)] */
+-	struct AuthenticationInformationArray previous;/* [subcontext(0),flag(LIBNDR_FLAG_REMAINING)] */
+-}/* [gensize,public,nopush] */;
+-
+ /* from generated idmap.h - hopefully OK */
+ enum id_type {
+ 	ID_TYPE_NOT_SPECIFIED,
+-- 
+2.51.0
+

freeipa.spec

@@ -69,7 +69,7 @@
 %global krb5_kdb_version 9.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
-%global samba_version 4.22.2
+%global samba_version 4.23.0
 %global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
 %if 0%{?rhel} < 9
@@ -231,7 +231,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        22%{?rc_version:.%rc_version}%{?dist}
+Release:        23%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPL-3.0-or-later
@@ -363,6 +363,12 @@ Patch0105:      0105-kdb-prevent-double-crash-in-RBCD-ACL-free.patch
 Patch0106:      0106-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch
 Patch0107:      0107-dns-disable-all-previous-Unbound-configuration-befor.patch
 Patch0108:      0108-ipatests-add-extensions-to-server-certificates-for-C.patch
+Patch0109:      0109-dcerpc-make-sure-forest-trust-info-structure-version.patch
+Patch0110:      0110-dcerpc-Support-Samba-4.23.patch
+Patch0111:      0111-ipasam-simplify-error-handling-in-fill_pdb_trusted_d.patch
+Patch0112:      0112-ipasam-address-signedness-warnings.patch
+Patch0113:      0113-ipasam-define-prototypes.patch
+Patch0114:      0114-ipasam-remove-definitions-which-included-from-ndr_dr.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -2016,6 +2022,9 @@ fi
 %endif
 
 %changelog
+* Thu Sep 18 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-23
+- Related: RHEL-114548 Rebase Samba to the latest 4.23.x release
+
 * Mon Aug 25 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-22
 - Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate