import samba-4.14.5-7.el8_5

SOURCES/CVE-2016-2124.patch

@@ -0,0 +1,108 @@
+From 2a961e883b624219a72f212c554d34a18f22d4d1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 24 Nov 2016 09:12:59 +0100
+Subject: [PATCH 1/2] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non
+ spnego authentication if we require kerberos
+
+We should not send NTLM[v2] data on the wire if the user asked for kerberos
+only.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
+index 51e121bdce6b..391ee081fe62 100644
+--- a/source4/libcli/smb_composite/sesssetup.c
++++ b/source4/libcli/smb_composite/sesssetup.c
+@@ -622,6 +622,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
+ 	NTSTATUS status;
+ 	enum smb_encryption_setting encryption_state =
+ 		cli_credentials_get_smb_encryption(io->in.credentials);
++	enum credentials_use_kerberos krb5_state =
++		cli_credentials_get_kerberos_state(io->in.credentials);
+ 
+ 	c = composite_create(session, session->transport->ev);
+ 	if (c == NULL) return NULL;
+@@ -642,6 +644,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
+ 
+ 	/* no session setup at all in earliest protocol varients */
+ 	if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
++		if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
++			composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++			return c;
++		}
+ 		ZERO_STRUCT(io->out);
+ 		composite_done(c);
+ 		return c;
+@@ -649,9 +655,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
+ 
+ 	/* see what session setup interface we will use */
+ 	if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
++		if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
++			composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++			return c;
++		}
+ 		status = session_setup_old(c, session, io, &state->req);
+ 	} else if (!session->transport->options.use_spnego ||
+ 		   !(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
++		if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
++			composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++			return c;
++		}
+ 		status = session_setup_nt1(c, session, io, &state->req);
+ 	} else {
+ 		struct tevent_req *subreq = NULL;
+-- 
+2.25.1
+
+
+From 31a67554cf6c3d9368bef58d1249844f8eeb0059 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 27 Oct 2016 10:40:28 +0200
+Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego
+ authentication if we require kerberos
+
+We should not send NTLM[v2] nor plaintext data on the wire if the user
+asked for kerberos only.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/cliconnect.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 853fb344bcd6..c01846ac8119 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -1442,6 +1442,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
+ 	uint32_t in_sess_key = 0;
+ 	const char *in_native_os = NULL;
+ 	const char *in_native_lm = NULL;
++	enum credentials_use_kerberos krb5_state =
++		cli_credentials_get_kerberos_state(creds);
+ 	NTSTATUS status;
+ 
+ 	req = tevent_req_create(mem_ctx, &state,
+@@ -1483,6 +1485,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
+ 		return req;
+ 	}
+ 
++	if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
++		DBG_WARNING("Kerberos authentication requested, but "
++			    "the server does not support SPNEGO authentication\n");
++		tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++		return tevent_req_post(req, ev);
++	}
++
+ 	if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
+ 		/*
+ 		 * SessionSetupAndX was introduced by LANMAN 1.0. So we skip
+-- 
+2.25.1
+

SOURCES/samba-4.14-IPA-DC-add-missing-checks.patch

@@ -0,0 +1,51 @@
+From c11dab13dd30af3e0beb69e8d47c3bfd85e18a91 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 12 Nov 2021 19:06:01 +0200
+Subject: [PATCH] IPA DC: add missing checks
+
+When introducing FreeIPA support, two places were forgotten:
+
+ - schannel gensec module needs to be aware of IPA DC
+ - _lsa_QueryInfoPolicy should treat IPA DC as PDC
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
+Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
+
+(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)
+---
+ auth/gensec/schannel.c              | 1 +
+ source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
+index 0cdae141ead..6ebbe8f3179 100644
+--- a/auth/gensec/schannel.c
++++ b/auth/gensec/schannel.c
+@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_ACTIVE_DIRECTORY_DC:
++	case ROLE_IPA_DC:
+ 		return NT_STATUS_OK;
+ 	default:
+ 		return NT_STATUS_NOT_IMPLEMENTED;
+diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
+index d6d606ddeca..36774be3e32 100644
+--- a/source3/rpc_server/lsa/srv_lsa_nt.c
++++ b/source3/rpc_server/lsa/srv_lsa_nt.c
+@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
+ 		switch (lp_server_role()) {
+ 			case ROLE_DOMAIN_PDC:
+ 			case ROLE_DOMAIN_BDC:
++			case ROLE_IPA_DC:
+ 				name = get_global_sam_name();
+ 				sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
+ 				if (!sid) {
+-- 
+2.33.1
+

SOURCES/samba-4.14-fix-winbind-no-trusted-domain.patch

@@ -0,0 +1,41 @@
+From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 9 Nov 2021 20:50:20 +0100
+Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
+
+add_trusted_domain() should only reject domains
+based on is_allowed_domain(), which now also
+checks "allow trusted domains = no", if we don't
+have an explicit trust to the domain (SEC_CHAN_NULL).
+
+We use at least SEC_CHAN_LOCAL for local domains like
+BUILTIN.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
+
+(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
+---
+ source3/winbindd/winbindd_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index 42ddbfd2f44..9d54e462c42 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
+-	if (!is_allowed_domain(domain_name)) {
++	if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
+ 		return NT_STATUS_NO_SUCH_DOMAIN;
+ 	}
+ 
+-- 
+2.33.1
+

SOURCES/samba-4.14-krb5pac.patch

@@ -0,0 +1,298 @@
+From 97829843013e2f0d81b6ed61d155a04217e40205 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 1 Sep 2021 15:39:19 +1200
+Subject: [PATCH 1/6] krb5pac.idl: Add ticket checksum PAC buffer type
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Isaac Boukris <iboukris@samba.org>
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
+(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
+---
+ librpc/idl/krb5pac.idl | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index fb360c1257f..3239d7656b6 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -112,7 +112,8 @@ interface krb5pac
+ 		PAC_TYPE_KDC_CHECKSUM = 7,
+ 		PAC_TYPE_LOGON_NAME = 10,
+ 		PAC_TYPE_CONSTRAINED_DELEGATION = 11,
+-		PAC_TYPE_UPN_DNS_INFO = 12
++		PAC_TYPE_UPN_DNS_INFO = 12,
++		PAC_TYPE_TICKET_CHECKSUM = 16
+ 	} PAC_TYPE;
+ 
+ 	typedef struct {
+@@ -128,6 +129,7 @@ interface krb5pac
+ 		[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
+ 			PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
+ 		[case(PAC_TYPE_UPN_DNS_INFO)]	PAC_UPN_DNS_INFO upn_dns_info;
++		[case(PAC_TYPE_TICKET_CHECKSUM)]	PAC_SIGNATURE_DATA ticket_checksum;
+ 		/* when new PAC info types are added they are supposed to be done
+ 		   in such a way that they are backwards compatible with existing
+ 		   servers. This makes it safe to just use a [default] for
+-- 
+2.33.1
+
+
+From 99cc0e06e5fe2776371b808432af39de00f76cdf Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 1 Sep 2021 15:40:59 +1200
+Subject: [PATCH 2/6] security.idl: Add well-known SIDs for FAST
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Isaac Boukris <iboukris@samba.org>
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
+(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
+---
+ librpc/idl/security.idl | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
+index 06bf7449a70..3df96dedbdd 100644
+--- a/librpc/idl/security.idl
++++ b/librpc/idl/security.idl
+@@ -295,6 +295,9 @@ interface security
+ 	const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
+ 	const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
+ 
++	const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
++	const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
++
+ 	/*
+ 	 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
+ 	 */
+-- 
+2.33.1
+
+
+From 693bcdb2f9b64af390d619c9b39293c581900151 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 29 Sep 2021 16:15:26 +1300
+Subject: [PATCH 3/6] krb5pac.idl: Add missing buffer type values
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Backported-by: Andreas Schneider <asn@samba.org>
+---
+ librpc/idl/krb5pac.idl | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index 3239d7656b6..515150ab9cd 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -113,6 +113,9 @@ interface krb5pac
+ 		PAC_TYPE_LOGON_NAME = 10,
+ 		PAC_TYPE_CONSTRAINED_DELEGATION = 11,
+ 		PAC_TYPE_UPN_DNS_INFO = 12,
++		PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
++		PAC_TYPE_DEVICE_INFO = 14,
++		PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
+ 		PAC_TYPE_TICKET_CHECKSUM = 16
+ 	} PAC_TYPE;
+ 
+-- 
+2.33.1
+
+
+From 97323751c1b6b97e72eb80b8b99485d94696b30b Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Tue, 26 Oct 2021 20:33:38 +1300
+Subject: [PATCH 4/6] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC
+ buffer type
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ librpc/idl/krb5pac.idl | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index 515150ab9cd..7a8d16464eb 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -97,6 +97,16 @@ interface krb5pac
+ 		PAC_UPN_DNS_FLAGS flags;
+ 	} PAC_UPN_DNS_INFO;
+ 
++	typedef [bitmap32bit] bitmap {
++		PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
++		PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
++	} PAC_ATTRIBUTE_INFO_FLAGS;
++
++	typedef struct {
++		uint32 flags_length; /* length in bits */
++		PAC_ATTRIBUTE_INFO_FLAGS flags;
++	} PAC_ATTRIBUTES_INFO;
++
+ 	typedef [public] struct {
+ 		PAC_LOGON_INFO *info;
+ 	} PAC_LOGON_INFO_CTR;
+@@ -116,7 +126,8 @@ interface krb5pac
+ 		PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
+ 		PAC_TYPE_DEVICE_INFO = 14,
+ 		PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
+-		PAC_TYPE_TICKET_CHECKSUM = 16
++		PAC_TYPE_TICKET_CHECKSUM = 16,
++		PAC_TYPE_ATTRIBUTES_INFO = 17
+ 	} PAC_TYPE;
+ 
+ 	typedef struct {
+@@ -133,6 +144,7 @@ interface krb5pac
+ 			PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
+ 		[case(PAC_TYPE_UPN_DNS_INFO)]	PAC_UPN_DNS_INFO upn_dns_info;
+ 		[case(PAC_TYPE_TICKET_CHECKSUM)]	PAC_SIGNATURE_DATA ticket_checksum;
++		[case(PAC_TYPE_ATTRIBUTES_INFO)]	PAC_ATTRIBUTES_INFO attributes_info;
+ 		/* when new PAC info types are added they are supposed to be done
+ 		   in such a way that they are backwards compatible with existing
+ 		   servers. This makes it safe to just use a [default] for
+-- 
+2.33.1
+
+
+From 9867beabf3b0be026d900e26ac91af655fb50cfe Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Tue, 26 Oct 2021 20:33:49 +1300
+Subject: [PATCH 5/6] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
+ buffer type
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ librpc/idl/krb5pac.idl | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index 7a8d16464eb..52fb40c4bbb 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -107,6 +107,10 @@ interface krb5pac
+ 		PAC_ATTRIBUTE_INFO_FLAGS flags;
+ 	} PAC_ATTRIBUTES_INFO;
+ 
++	typedef struct {
++		dom_sid sid;
++	} PAC_REQUESTER_SID;
++
+ 	typedef [public] struct {
+ 		PAC_LOGON_INFO *info;
+ 	} PAC_LOGON_INFO_CTR;
+@@ -127,7 +131,8 @@ interface krb5pac
+ 		PAC_TYPE_DEVICE_INFO = 14,
+ 		PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
+ 		PAC_TYPE_TICKET_CHECKSUM = 16,
+-		PAC_TYPE_ATTRIBUTES_INFO = 17
++		PAC_TYPE_ATTRIBUTES_INFO = 17,
++		PAC_TYPE_REQUESTER_SID = 18
+ 	} PAC_TYPE;
+ 
+ 	typedef struct {
+@@ -145,6 +150,7 @@ interface krb5pac
+ 		[case(PAC_TYPE_UPN_DNS_INFO)]	PAC_UPN_DNS_INFO upn_dns_info;
+ 		[case(PAC_TYPE_TICKET_CHECKSUM)]	PAC_SIGNATURE_DATA ticket_checksum;
+ 		[case(PAC_TYPE_ATTRIBUTES_INFO)]	PAC_ATTRIBUTES_INFO attributes_info;
++		[case(PAC_TYPE_REQUESTER_SID)]	PAC_REQUESTER_SID requester_sid;
+ 		/* when new PAC info types are added they are supposed to be done
+ 		   in such a way that they are backwards compatible with existing
+ 		   servers. This makes it safe to just use a [default] for
+-- 
+2.33.1
+
+
+From fb92457cfd11745be73660eb90519b625f6a5d97 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 27 Sep 2021 11:20:19 +1300
+Subject: [PATCH 6/6] CVE-2020-25721 krb5pac: Add new buffers for
+ samAccountName and objectSID
+
+These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ librpc/idl/krb5pac.idl   | 18 ++++++++++++++++--
+ librpc/ndr/ndr_krb5pac.c |  4 ++--
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index 52fb40c4bbb..bbe4a253e3a 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -86,15 +86,29 @@ interface krb5pac
+ 	} PAC_CONSTRAINED_DELEGATION;
+ 
+ 	typedef [bitmap32bit] bitmap {
+-		PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001
++		PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001,
++		PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002
+ 	} PAC_UPN_DNS_FLAGS;
+ 
++	typedef struct {
++		[value(2*strlen_m(samaccountname))] uint16 samaccountname_size;
++		[relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname;
++		[value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size;
++		[relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid;
++	} PAC_UPN_DNS_INFO_SAM_NAME_AND_SID;
++
++	typedef [nodiscriminant] union {
++		[case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid;
++		[default];
++	} PAC_UPN_DNS_INFO_EX;
++
+ 	typedef struct {
+ 		[value(2*strlen_m(upn_name))] uint16 upn_name_size;
+ 		[relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
+ 		[value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
+ 		[relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
+ 		PAC_UPN_DNS_FLAGS flags;
++		[switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex;
+ 	} PAC_UPN_DNS_INFO;
+ 
+ 	typedef [bitmap32bit] bitmap {
+@@ -160,7 +174,7 @@ interface krb5pac
+ 
+ 	typedef [public,nopush,nopull] struct {
+ 		PAC_TYPE type;
+-		[value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
++		[value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size;
+ 		/*
+ 		 * We need to have two subcontexts to get the padding right,
+ 		 * the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
+diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c
+index a9ae2c4a789..57b28df9e52 100644
+--- a/librpc/ndr/ndr_krb5pac.c
++++ b/librpc/ndr/ndr_krb5pac.c
+@@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
+ 	if (ndr_flags & NDR_SCALARS) {
+ 		NDR_CHECK(ndr_push_align(ndr, 4));
+ 		NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type));
+-		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0)));
++		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8)));
+ 		{
+ 			uint32_t _flags_save_PAC_INFO = ndr->flags;
+ 			ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8);
+@@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
+ 				{
+ 					struct ndr_push *_ndr_info_pad;
+ 					struct ndr_push *_ndr_info;
+-					size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0);
++					size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8);
+ 					NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8)));
+ 					NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
+ 					NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
+-- 
+2.33.1
+

SPECS/samba.spec

@@ -108,7 +108,7 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%global baserelease 2
+%global baserelease 7
 
 %global samba_version 4.14.5
 %global talloc_version 2.3.2
@@ -178,6 +178,12 @@ Source14:       samba.pamd
 Source201:      README.downgrade
 
 Patch0:         samba-4.14-raise-dfs-enoent-debug-level.patch
+Patch1:         CVE-2016-2124.patch
+Patch2:         CVE-2021-23192.patch
+Patch3:         CVE-2020-25717.patch
+Patch4:         samba-4.14-krb5pac.patch
+Patch5:         samba-4.14-fix-winbind-no-trusted-domain.patch
+Patch6:         samba-4.14-IPA-DC-add-missing-checks.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -1692,6 +1698,7 @@ fi
 %{_libdir}/samba/libctdb-event-client-samba4.so
 %{_libdir}/samba/libdbwrap-samba4.so
 %{_libdir}/samba/libdcerpc-samba-samba4.so
+%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so
 %{_libdir}/samba/libevents-samba4.so
 %{_libdir}/samba/libflag-mapping-samba4.so
 %{_libdir}/samba/libgenrand-samba4.so
@@ -3908,6 +3915,26 @@ fi
 %endif
 
 %changelog
+* Mon Nov 22 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-7
+- related: rhbz#2021171 - Fix CVE-2020-25717
+- Fix running ktest (selftest)
+
+* Sat Nov 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.14.5-6
+- related: rhbz#2021171 - Fix CVE-2020-25717
+- Add missing checks for IPA DC server role
+
+* Tue Nov 09 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-5
+- resolves: rhbz#2021493 - Add missing PAC buffer types to krb5pac.idl
+- related: rbhz#2021171 - Fix regression with 'allow trusted domains = no'
+
+* Fri Nov 05 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-4
+- resolves: rhbz#2021163
+  Fix CVE-2016-2124
+- resolves: rhbz#2021167
+  Fix CVE-2021-23192
+- resolves: rhbz#2021171
+  Fix CVE-2020-25717
+
 * Tue Jul 13 2021 Andreas Schneider <asn@redhat.com> -  4.14.4-2
 - related: rhbz#1980346 - Rebuild for libtalloc 0.11.0