import samba-4.15.5-0.el8

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/samba-4.15.4.tar.xz
+SOURCES/samba-4.15.5.tar.xz
 SOURCES/samba-pubkey_AA99442FB680B620.gpg

.samba.metadata

@@ -1,2 +1,2 @@
-3fbb516599cecb226726fc4d286be4923ed69e21 SOURCES/samba-4.15.4.tar.xz
+f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz
 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg

SOURCES/samba-4.15.4.tar.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmHoKSwACgkQqplEL7aA
-tiC0HhAAl/r2uVwDX5ftNqX9zmUtJr4wJl9o7cWgMchQpEYCGL8Fvk/tvJFpyJnU
-tLEEqgCItraJEk28cu4sAxM3TSziaCJ1KBWH/Pmltk6wSNoCGXxwZ0VhvGPmHx7D
-eBWyva0JtBjXAiTQe1mTv9URLgFMopUD0XPv2GJD6dkwL3cgmcjv7A/sYc9A6LpF
-sihJqWNjYgTxr8TpJb5uGoRE+Ko6pYKm4cUvBqZcOiyoZT+WGfPbaxqSissthkkw
-y2e/WXCINUMPZfhP6ZgjqszAUjvYPkOElhOUK2+rc2MuUixDrfv5I/IO+4zrh0l4
-J91SL4w6TkpfLYx0ryv+gAcXMoNE+lE5oYc/b3WrvQ23iw/w3hlQ/ajc8gtRgzHU
-EKt9Auebo/P/rPlqK511dAEajPNxBm0qE13s8hM/3lNUS9UvPW/k6DGkwOs2QUYU
-XcK97oNZFDBijG3b2bCgn686IJdpXwkOhEc24tGDzr2KrRU9dNRhXDs+1x7Rk7z7
-riJUU3taPTNjd9MH/1JADH13FusmlxNp5jllBzJFYuVNmHUCi8FXWBcthhf39TnT
-VMghhrsOvFAK7KXdMEtu+JuDNgHErQ12KLt+VO/3jf+V917LWNPmFFEoao9esGsD
-d8B9W7vzMEiaInBdw+fbvrcLu8ySAPHjK4i1/Ox1tXL+mK6A4/c=
-=UQ4l
------END PGP SIGNATURE-----

SOURCES/samba-4.15.5.tar.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA
+tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX
+KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9
+j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt
+b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY
+0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v
+/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj
++rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9
+g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y
+5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ
+f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB
+OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo=
+=oc6g
+-----END PGP SIGNATURE-----

SOURCES/samba-disable-ntlmssp.patch

@@ -0,0 +1,764 @@
+From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 10 Dec 2021 16:08:04 +0100
+Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
+---
+ source3/utils/net_ads.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index 6ab4a0096b1..8f993f9ba4c 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
+ 	char *cp;
+ 	const char *realm = NULL;
+ 	bool tried_closest_dc = false;
++	enum credentials_use_kerberos krb5_state =
++		CRED_USE_KERBEROS_DISABLED;
+ 
+ 	/* lp_realm() should be handled by a command line param,
+ 	   However, the join requires that realm be set in smb.conf
+@@ -650,10 +652,28 @@ retry:
+ 		ads->auth.password = smb_xstrdup(c->opt_password);
+ 	}
+ 
+-	ads->auth.flags |= auth_flags;
+ 	SAFE_FREE(ads->auth.user_name);
+ 	ads->auth.user_name = smb_xstrdup(c->opt_user_name);
+ 
++	ads->auth.flags |= auth_flags;
++
++	/* The ADS code will handle FIPS mode */
++	krb5_state = cli_credentials_get_kerberos_state(c->creds);
++	switch (krb5_state) {
++	case CRED_USE_KERBEROS_REQUIRED:
++		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DESIRED:
++		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DISABLED:
++		ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	}
++
+        /*
+         * If the username is of the form "name@realm",
+         * extract the realm and convert to upper case.
+-- 
+2.33.1
+
+
+From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Wed, 8 Dec 2021 16:05:17 +0100
+Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
+---
+ source3/libads/sasl.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 60fa2bf80cb..b91e2d15bcf 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -1,18 +1,18 @@
+-/* 
++/*
+    Unix SMB/CIFS implementation.
+    ads sasl code
+    Copyright (C) Andrew Tridgell 2001
+-   
++
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+-   
++
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+-   
++
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
+ 	.disconnect	= ads_sasl_gensec_disconnect
+ };
+ 
+-/* 
++/*
+    perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
+    we fit on one socket??)
+ */
+@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
+ 
+ #endif /* HAVE_KRB5 */
+ 
+-/* 
++/*
+    this performs a SASL/SPNEGO bind
+ */
+ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 	file_save("sasl_spnego.dat", blob.data, blob.length);
+ #endif
+ 
+-	/* the server sent us the first part of the SPNEGO exchange in the negprot 
++	/* the server sent us the first part of the SPNEGO exchange in the negprot
+ 	   reply */
+ 	if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
+ 			OIDs[0] == NULL) {
+@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 
+ #ifdef HAVE_KRB5
+ 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
+-	    got_kerberos_mechanism) 
++	    got_kerberos_mechanism)
+ 	{
+ 		mech = "KRB5";
+ 
+@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 				  "calling kinit\n", ads_errstr(status)));
+ 		}
+ 
+-		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
++		status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+ 
+ 		if (ADS_ERR_OK(status)) {
+ 			status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 		}
+ 
+ 		/* only fallback to NTLMSSP if allowed */
+-		if (ADS_ERR_OK(status) || 
++		if (ADS_ERR_OK(status) ||
+ 		    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ 			goto done;
+ 		}
+@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ #endif
+ 
+ 	/* lets do NTLMSSP ... this has the big advantage that we don't need
+-	   to sync clocks, and we don't rely on special versions of the krb5 
++	   to sync clocks, and we don't rely on special versions of the krb5
+ 	   library for HMAC_MD4 encryption */
+ 	mech = "NTLMSSP";
+ 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+-- 
+2.33.1
+
+
+From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Thu, 9 Dec 2021 13:43:08 +0100
+Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
+---
+ source3/libads/sasl.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index b91e2d15bcf..992f7022a69 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 
+ 		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
+ 			 "for %s/%s with user[%s] realm[%s]: %s, "
+-			 "fallback to NTLMSSP\n",
++			 "try to fallback to NTLMSSP\n",
+ 			 p.service, p.hostname,
+ 			 ads->auth.user_name,
+ 			 ads->auth.realm,
+@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 	   to sync clocks, and we don't rely on special versions of the krb5
+ 	   library for HMAC_MD4 encryption */
+ 	mech = "NTLMSSP";
++
++	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
++		DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
++			    " disallowed.\n");
++		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++		goto done;
++	}
++
+ 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+ 					     CRED_USE_KERBEROS_DISABLED,
+ 					     p.service, p.hostname,
+-- 
+2.33.1
+
+
+From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 7 Jan 2022 10:31:19 +0100
+Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
+---
+ source3/libads/sasl.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 992f7022a69..ea98aa47ecd 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 							p.service, p.hostname,
+ 							blob);
+ 			if (!ADS_ERR_OK(status)) {
+-				DEBUG(0,("kinit succeeded but "
+-					"ads_sasl_spnego_gensec_bind(KRB5) failed "
+-					"for %s/%s with user[%s] realm[%s]: %s\n",
++				DBG_ERR("kinit succeeded but "
++					"SPNEGO bind with Kerberos failed "
++					"for %s/%s - user[%s], realm[%s]: %s\n",
+ 					p.service, p.hostname,
+ 					ads->auth.user_name,
+ 					ads->auth.realm,
+-					ads_errstr(status)));
++					ads_errstr(status));
+ 			}
+ 		}
+ 
+@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 			goto done;
+ 		}
+ 
+-		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
+-			 "for %s/%s with user[%s] realm[%s]: %s, "
+-			 "try to fallback to NTLMSSP\n",
+-			 p.service, p.hostname,
+-			 ads->auth.user_name,
+-			 ads->auth.realm,
+-			 ads_errstr(status)));
++		DBG_WARNING("SASL bind with Kerberos failed "
++			    "for %s/%s - user[%s], realm[%s]: %s, "
++			    "try to fallback to NTLMSSP\n",
++			    p.service, p.hostname,
++			    ads->auth.user_name,
++			    ads->auth.realm,
++			    ads_errstr(status));
+ 	}
+ #endif
+ 
+-- 
+2.33.1
+
+
+From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Mon, 3 Jan 2022 11:13:06 +0100
+Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
+ without kerberos)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
+---
+ source3/libads/sasl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index ea98aa47ecd..1bcfe0490a8 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 	   library for HMAC_MD4 encryption */
+ 	mech = "NTLMSSP";
+ 
++	if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
++		DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
++		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++		goto done;
++	}
++
+ 	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ 		DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ 			    " disallowed.\n");
+-- 
+2.33.1
+
+
+From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Mon, 3 Jan 2022 15:33:46 +0100
+Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
+---
+ .../test_weak_disable_ntlmssp_ldap.sh         | 41 +++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+ create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
+
+diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
+new file mode 100755
+index 00000000000..2822ab29d14
+--- /dev/null
++++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
+@@ -0,0 +1,41 @@
++#!/bin/sh
++# Blackbox tests for diabing NTLMSSP for ldap clinet connections
++# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
++
++if [ $# -lt 2 ]; then
++cat <<EOF
++Usage: $0 USERNAME PASSWORD
++EOF
++exit 1;
++fi
++
++USERNAME=$1
++PASSWORD=$2
++shift 2
++
++failed=0
++. `dirname $0`/subunit.sh
++
++samba_testparm="$BINDIR/testparm"
++samba_net="$BINDIR/net"
++
++unset GNUTLS_FORCE_FIPS_MODE
++
++# Checks that testparm reports: Weak crypto is allowed
++testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
++
++# We should be allowed to use NTLM for connecting
++testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
++
++GNUTLS_FORCE_FIPS_MODE=1
++export GNUTLS_FORCE_FIPS_MODE
++
++# Checks that testparm reports: Weak crypto is disallowed
++testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
++
++# We should not be allowed to use NTLM for connecting
++testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
++
++unset GNUTLS_FORCE_FIPS_MODE
++
++exit $failed
+-- 
+2.33.1
+
+
+From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 4 Jan 2022 12:00:20 +0100
+Subject: [PATCH 07/10] s4:selftest: plan test suite
+ samba4.blackbox.test_weak_disable_ntlmssp_ldap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
+---
+ source4/selftest/tests.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index 1e4b2ae6dd3..3a6a716f061 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
+ 
+ if have_gnutls_fips_mode_support:
+     plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
++    plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
+ 
+     for env in ["ad_dc_fips", "ad_member_fips"]:
+         plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
+-- 
+2.33.1
+
+
+From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 18 Jan 2022 19:47:38 +0100
+Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
+---
+ source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 948c903f165..e415df347e6 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ 
+ 	if ( !winbindd_can_contact_domain( domain ) ) {
+ 		DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
+-			  domain->name));		
++			  domain->name));
+ 		return NT_STATUS_OK;
+ 	}
+ 
+@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ 
+ 	if ( !winbindd_can_contact_domain( domain ) ) {
+ 		DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
+-			  domain->name));		
++			  domain->name));
+ 		return NT_STATUS_OK;
+ 	}
+ 
+@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ 	 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
+ 	 * default value, it MUST be absent. In case of extensible matching the
+ 	 * "dnattr" boolean defaults to FALSE and so it must be only be present
+-	 * when set to TRUE. 
++	 * when set to TRUE.
+ 	 *
+ 	 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
+ 	 * filter using bitwise matching rule then the buggy AD fails to decode
+@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ 	 *
+ 	 * Thanks to Ralf Haferkamp for input and testing - Guenther */
+ 
+-	filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", 
++	filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
+ 				 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
+-				 ADS_LDAP_MATCHING_RULE_BIT_AND, 
++				 ADS_LDAP_MATCHING_RULE_BIT_AND,
+ 				 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
+ 
+ 	if (filter == NULL) {
+@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ 	DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
+ 
+ done:
+-	if (res) 
++	if (res)
+ 		ads_msgfree(ads, res);
+ 
+ 	return status;
+@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ 				struct wb_acct_info **info)
+ {
+ 	/*
+-	 * This is a stub function only as we returned the domain 
++	 * This is a stub function only as we returned the domain
+ 	 * local groups in enum_dom_groups() if the domain->native field
+ 	 * was true.  This is a simple performance optimization when
+ 	 * using LDAP.
+ 	 *
+-	 * if we ever need to enumerate domain local groups separately, 
++	 * if we ever need to enumerate domain local groups separately,
+ 	 * then this optimization in enum_dom_groups() will need
+ 	 * to be split out
+ 	 */
+@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
+    tokenGroups are not available. */
+ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+ 					 TALLOC_CTX *mem_ctx,
+-					 const char *user_dn, 
++					 const char *user_dn,
+ 					 struct dom_sid *primary_group,
+ 					 uint32_t *p_num_groups, struct dom_sid **user_sids)
+ {
+@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+ 
+ 	if ( !winbindd_can_contact_domain( domain ) ) {
+ 		DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
+-			  domain->name));		
++			  domain->name));
+ 		return NT_STATUS_OK;
+ 	}
+ 
+@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+ 
+ 	DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
+ done:
+-	if (res) 
++	if (res)
+ 		ads_msgfree(ads, res);
+ 
+ 	return status;
+@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ 	if (count != 1) {
+ 		status = NT_STATUS_UNSUCCESSFUL;
+ 		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
+-			 "invalid number of results (count=%d)\n", 
++			 "invalid number of results (count=%d)\n",
+ 			 dom_sid_str_buf(sid, &buf),
+ 			 count));
+ 		goto done;
+ 	}
+ 
+ 	if (!msg) {
+-		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", 
++		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
+ 			 dom_sid_str_buf(sid, &buf)));
+ 		status = NT_STATUS_UNSUCCESSFUL;
+ 		goto done;
+@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ 	}
+ 
+ 	if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
+-		DEBUG(1,("%s: No primary group for sid=%s !?\n", 
++		DEBUG(1,("%s: No primary group for sid=%s !?\n",
+ 			 domain->name,
+ 			 dom_sid_str_buf(sid, &buf)));
+ 		goto done;
+@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ 
+ 	count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
+ 
+-	/* there must always be at least one group in the token, 
++	/* there must always be at least one group in the token,
+ 	   unless we are talking to a buggy Win2k server */
+ 
+ 	/* actually this only happens when the machine account has no read
+@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ 		/* lookup what groups this user is a member of by DN search on
+ 		 * "member" */
+ 
+-		status = lookup_usergroups_member(domain, mem_ctx, user_dn, 
++		status = lookup_usergroups_member(domain, mem_ctx, user_dn,
+ 						  &primary_group,
+ 						  &num_groups, user_sids);
+ 		*p_num_groups = num_groups;
+@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ 			DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
+ 				   "not map any SIDs at all.\n"));
+ 			/* Don't handle this as an error here.
+-			 * There is nothing left to do with respect to the 
++			 * There is nothing left to do with respect to the
+ 			 * overall result... */
+ 		}
+ 		else if (!NT_STATUS_IS_OK(status)) {
+@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ 			NETR_TRUST_FLAG_IN_FOREST;
+ 	} else {
+ 		flags = NETR_TRUST_FLAG_IN_FOREST;
+-	}	
++	}
+ 
+ 	result = cm_connect_netlogon(domain, &cli);
+ 
+ 	if (!NT_STATUS_IS_OK(result)) {
+ 		DEBUG(5, ("trusted_domains: Could not open a connection to %s "
+-			  "for PIPE_NETLOGON (%s)\n", 
++			  "for PIPE_NETLOGON (%s)\n",
+ 			  domain->name, nt_errstr(result)));
+ 		return NT_STATUS_UNSUCCESSFUL;
+ 	}
+-- 
+2.33.1
+
+
+From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 18 Jan 2022 19:44:54 +0100
+Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
+---
+ source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index e415df347e6..6f01ef6e334 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -34,6 +34,7 @@
+ #include "../libds/common/flag_mapping.h"
+ #include "libsmb/samlogon_cache.h"
+ #include "passdb.h"
++#include "auth/credentials/credentials.h"
+ 
+ #ifdef HAVE_ADS
+ 
+@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ 	ADS_STATUS status;
+ 	struct sockaddr_storage dc_ss;
+ 	fstring dc_name;
++	enum credentials_use_kerberos krb5_state;
+ 
+ 	if (auth_realm == NULL) {
+ 		return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ 	ads->auth.renewable = renewable;
+ 	ads->auth.password = password;
+ 
+-	ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++	/* In FIPS mode, client use kerberos is forced to required. */
++	krb5_state = lp_client_use_kerberos();
++	switch (krb5_state) {
++	case CRED_USE_KERBEROS_REQUIRED:
++		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DESIRED:
++		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DISABLED:
++		ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
++		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	}
+ 
+ 	ads->auth.realm = SMB_STRDUP(auth_realm);
+ 	if (!strupper_m(ads->auth.realm)) {
+-- 
+2.33.1
+
+
+From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 21 Jan 2022 12:01:33 +0100
+Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
+
+(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
+---
+ source3/libnet/libnet_join.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 02705f1c70c..4c67e9af5c4 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ 	ADS_STATUS status;
+ 	ADS_STRUCT *my_ads = NULL;
+ 	char *cp;
++	enum credentials_use_kerberos krb5_state;
+ 
+ 	my_ads = ads_init(dns_domain_name,
+ 			  netbios_domain_name,
+@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 	}
+ 
+-	my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++	/* In FIPS mode, client use kerberos is forced to required. */
++	krb5_state = lp_client_use_kerberos();
++	switch (krb5_state) {
++	case CRED_USE_KERBEROS_REQUIRED:
++		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DESIRED:
++		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	case CRED_USE_KERBEROS_DISABLED:
++		my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
++		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++		break;
++	}
+ 
+ 	if (user_name) {
+ 		SAFE_FREE(my_ads->auth.user_name);
+-- 
+2.33.1
+

SOURCES/samba-disable-systemd-notifications.patch

@@ -0,0 +1,36 @@
+From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
+From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
+Date: Mon, 24 Jan 2022 22:14:31 -0500
+Subject: [PATCH] printing/bgqd: Disable systemd notifications
+
+samba-bgqd daemon is started by existing Samba daemons. When running
+under systemd, those daemons control systemd notifications and
+samba-bgqd messages need to be silenced.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
+
+Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
+---
+ source3/printing/samba-bgqd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
+index f21327fc622..59ed0cc40db 100644
+--- a/source3/printing/samba-bgqd.c
++++ b/source3/printing/samba-bgqd.c
+@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
+ 
+ 	log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
+ 
++	/* main process will notify systemd */
++	daemon_sd_notifications(false);
++
+ 	if (!cmdline_daemon_cfg->fork) {
+ 		daemon_status(progname, "Starting process ... ");
+ 	} else {
+-- 
+2.34.1
+

SOURCES/samba-printing-win7.patch

@@ -0,0 +1,229 @@
+From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 22 Jan 2022 01:08:26 +0100
+Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
+
+This is important for the source3/rpc_server code as it might
+be called embedded in smbd and may not run as root with access
+to our private tdb/ldb files.
+
+Note this is only really needed for 4.15 and older, as
+we no longer run the rpc_server embedded in smbd,
+but we better be consistent for now.
+
+This should be able to fix the problem the printing no longer works
+on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
+
+Windows uses NTLMSSP with privacy at the DCERPC layer on top
+of NCACN_NP (smb).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
+---
+ librpc/rpc/dcesrv_auth.c         |  5 +++++
+ librpc/rpc/dcesrv_core.c         | 18 ++++++++++++++++++
+ librpc/rpc/dcesrv_core.h         |  2 ++
+ source3/rpc_server/rpc_config.c  |  2 ++
+ source4/rpc_server/service_rpc.c | 10 ++++++++++
+ 5 files changed, 37 insertions(+)
+
+diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
+index fec8df513a83..99d8e0162160 100644
+--- a/librpc/rpc/dcesrv_auth.c
++++ b/librpc/rpc/dcesrv_auth.c
+@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
+ 	auth->auth_level = call->in_auth_info.auth_level;
+ 	auth->auth_context_id = call->in_auth_info.auth_context_id;
+ 
++	cb->auth.become_root();
+ 	status = cb->auth.gensec_prepare(
+ 		auth,
+ 		call,
+ 		&auth->gensec_security,
+ 		cb->auth.private_data);
++	cb->auth.unbecome_root();
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
+ 			  nt_errstr(status)));
+@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
+ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
+ {
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	const char *pdu = "<unknown>";
+ 
+ 	switch (call->pkt.ptype) {
+@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
+ 		return status;
+ 	}
+ 
++	cb->auth.become_root();
+ 	status = gensec_session_info(auth->gensec_security,
+ 				     auth,
+ 				     &auth->session_info);
++	cb->auth.unbecome_root();
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(1, ("Failed to establish session_info: %s\n",
+ 			  nt_errstr(status)));
+diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
+index d16159b0b6cd..ea91fc689b4a 100644
+--- a/librpc/rpc/dcesrv_core.c
++++ b/librpc/rpc/dcesrv_core.c
+@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
+ 	struct dcerpc_binding *ep_2nd_description = NULL;
+ 	const char *endpoint = NULL;
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	struct dcerpc_ack_ctx *ack_ctx_list = NULL;
+ 	struct dcerpc_ack_ctx *ack_features = NULL;
+ 	struct tevent_req *subreq = NULL;
+@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
+ 		return dcesrv_auth_reply(call);
+ 	}
+ 
++	cb->auth.become_root();
+ 	subreq = gensec_update_send(call, call->event_ctx,
+ 				    auth->gensec_security,
+ 				    call->in_auth_info.credentials);
++	cb->auth.unbecome_root();
+ 	if (subreq == NULL) {
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
+ 		tevent_req_callback_data(subreq,
+ 		struct dcesrv_call_state);
+ 	struct dcesrv_connection *conn = call->conn;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	NTSTATUS status;
+ 
++	cb->auth.become_root();
+ 	status = gensec_update_recv(subreq, call,
+ 				    &call->out_auth_info->credentials);
++	cb->auth.unbecome_root();
+ 	TALLOC_FREE(subreq);
+ 
+ 	status = dcesrv_auth_complete(call, status);
+@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
+ {
+ 	struct dcesrv_connection *conn = call->conn;
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	struct tevent_req *subreq = NULL;
+ 	NTSTATUS status;
+ 
+@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
+ 		return NT_STATUS_OK;
+ 	}
+ 
++	cb->auth.become_root();
+ 	subreq = gensec_update_send(call, call->event_ctx,
+ 				    auth->gensec_security,
+ 				    call->in_auth_info.credentials);
++	cb->auth.unbecome_root();
+ 	if (subreq == NULL) {
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
+ 		struct dcesrv_call_state);
+ 	struct dcesrv_connection *conn = call->conn;
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	NTSTATUS status;
+ 
++	cb->auth.become_root();
+ 	status = gensec_update_recv(subreq, call,
+ 				    &call->out_auth_info->credentials);
++	cb->auth.unbecome_root();
+ 	TALLOC_FREE(subreq);
+ 
+ 	status = dcesrv_auth_complete(call, status);
+@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
+ 	struct ncacn_packet *pkt = &call->ack_pkt;
+ 	uint32_t extra_flags = 0;
+ 	struct dcesrv_auth *auth = call->auth_state;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	struct dcerpc_ack_ctx *ack_ctx_list = NULL;
+ 	struct tevent_req *subreq = NULL;
+ 	size_t i;
+@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
+ 		return dcesrv_auth_reply(call);
+ 	}
+ 
++	cb->auth.become_root();
+ 	subreq = gensec_update_send(call, call->event_ctx,
+ 				    auth->gensec_security,
+ 				    call->in_auth_info.credentials);
++	cb->auth.unbecome_root();
+ 	if (subreq == NULL) {
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
+ 		tevent_req_callback_data(subreq,
+ 		struct dcesrv_call_state);
+ 	struct dcesrv_connection *conn = call->conn;
++	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ 	NTSTATUS status;
+ 
++	cb->auth.become_root();
+ 	status = gensec_update_recv(subreq, call,
+ 				    &call->out_auth_info->credentials);
++	cb->auth.unbecome_root();
+ 	TALLOC_FREE(subreq);
+ 
+ 	status = dcesrv_auth_complete(call, status);
+diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
+index d8d5f9030959..0538442e0ce6 100644
+--- a/librpc/rpc/dcesrv_core.h
++++ b/librpc/rpc/dcesrv_core.h
+@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
+ 			struct gensec_security **out,
+ 			void *private_data);
+ 		void *private_data;
++		void (*become_root)(void);
++		void (*unbecome_root)(void);
+ 	} auth;
+ 	struct {
+ 		NTSTATUS (*find)(
+diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
+index 2f1a01da1c0b..289c4f398409 100644
+--- a/source3/rpc_server/rpc_config.c
++++ b/source3/rpc_server/rpc_config.c
+@@ -31,6 +31,8 @@
+ static struct dcesrv_context_callbacks srv_callbacks = {
+ 	.log.successful_authz = dcesrv_log_successful_authz,
+ 	.auth.gensec_prepare = dcesrv_auth_gensec_prepare,
++	.auth.become_root = become_root,
++	.auth.unbecome_root = unbecome_root,
+ 	.assoc_group.find = dcesrv_assoc_group_find,
+ };
+ 
+diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
+index d8c6746d7815..ebb50f8a7ef3 100644
+--- a/source4/rpc_server/service_rpc.c
++++ b/source4/rpc_server/service_rpc.c
+@@ -40,9 +40,19 @@
+ #include "../libcli/named_pipe_auth/npa_tstream.h"
+ #include "samba/process_model.h"
+ 
++static void skip_become_root(void)
++{
++}
++
++static void skip_unbecome_root(void)
++{
++}
++
+ static struct dcesrv_context_callbacks srv_callbacks = {
+ 	.log.successful_authz = log_successful_dcesrv_authz_event,
+ 	.auth.gensec_prepare = dcesrv_gensec_prepare,
++	.auth.become_root = skip_become_root,
++	.auth.unbecome_root = skip_unbecome_root,
+ 	.assoc_group.find = dcesrv_assoc_group_find,
+ };
+ 
+-- 
+2.25.1
+

SPECS/samba.spec

@@ -134,7 +134,7 @@
 
 %global baserelease 0
 
-%global samba_version 4.15.4
+%global samba_version 4.15.5
 %global talloc_version 2.3.3
 %global tdb_version 1.4.4
 %global tevent_version 0.11.0
@@ -204,6 +204,9 @@ Source201:      README.downgrade
 Patch0:         samba-s4u.patch
 Patch1:         samba-ctdb-etcd-reclock.patch
 Patch2:         samba-glibc-dns.patch
+Patch3:         samba-printing-win7.patch
+Patch4:         samba-disable-systemd-notifications.patch
+Patch5:         samba-disable-ntlmssp.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -4102,6 +4105,15 @@ fi
 %endif
 
 %changelog
+* Wed Feb 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-0
+- Update to Samba 4.15.5
+- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
+- resolves: rhbz#2046127 - Fix CVE-2021-44141
+- resolves: rhbz#2046153 - Fix CVE-2021-44142
+- resolves: rhbz#2044404 - Printing no longer works on Windows 7
+- resolves: rhbz#2043154 - Fix systemd notifications
+- resolves: rhbz#2049602 - Disable NTLMSSP for ldap client connections (e.g. libads)
+
 * Fri Jan 21 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.4-0
 - Update to Samba 4.15.4
 - related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release