diff --git a/ad_lookup_groupmem.patch b/ad_lookup_groupmem.patch
new file mode 100644
index 0000000..2480f92
--- /dev/null
+++ b/ad_lookup_groupmem.patch
@@ -0,0 +1,230 @@ +From 2b478bafd808218d3471fd5b1c9dc7d8e528cdb0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Wed, 13 Mar 2024 13:55:41 +0100 +Subject: [PATCH 1/4] docs-xml: Add parameter all_groupmem to idmap_ad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c) +--- + docs-xml/manpages/idmap_ad.8.xml | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml +index 32df8d066c2..c7fcc65d763 100644 +--- a/docs-xml/manpages/idmap_ad.8.xml ++++ b/docs-xml/manpages/idmap_ad.8.xml +@@ -105,6 +105,16 @@ + + + ++ all_groupmem = yes/no ++ ++ If set to yes winbind will retrieve all ++ group members for getgrnam(3), getgrgid(3) and getgrent(3) calls, ++ including those with missing uidNumber. ++ ++ Default: no ++ ++ ++ + deny ous + This parameter is a list of OUs from + which objects will not be mapped via the ad idmap +-- +2.41.0 + + +From 2259b59220b625cd682a3d22024ab442a56ecc3a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 12 Mar 2024 13:20:24 +0100 +Subject: [PATCH 2/4] s3:winbindd: Improve performance of lookup_groupmem() in + idmap_ad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The LDAP query of lookup_groupmem() returns all group members from AD +even those with missing uidNumber. Such group members are useless in +UNIX environment for idmap_ad backend since there is no uid mapping. + +'test_user' is member of group "Domanin Users" with 200K members, +only 20K members have set uidNumber. 
+ +Without this fix: + +$ time id test_user + +real 1m5.946s +user 0m0.019s +sys 0m0.012s + +With this fix: + +$ time id test_user + +real 0m3.544s +user 0m0.004s +sys 0m0.007s + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf) +--- + source3/winbindd/winbindd_ads.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index 7e572e5d41f..7d6324033ea 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -1039,7 +1039,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, + } + + static NTSTATUS add_primary_group_members( +- ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, ++ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname, + char ***all_members, size_t *num_all_members) + { + char *filter; +@@ -1051,10 +1051,13 @@ static NTSTATUS add_primary_group_members( + char **members; + size_t num_members; + ads_control args; ++ bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false); + + filter = talloc_asprintf( +- mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))", +- (unsigned)rid); ++ mem_ctx, ++ "(&(objectCategory=user)(primaryGroupID=%u)%s)", ++ (unsigned)rid, ++ all_groupmem ? 
"" : "(uidNumber=*)(!(uidNumber=0))"); + if (filter == NULL) { + goto done; + } +@@ -1206,7 +1209,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, + + DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); + +- status = add_primary_group_members(ads, mem_ctx, rid, ++ status = add_primary_group_members(ads, mem_ctx, rid, domain->name, + &members, &num_members); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("%s: add_primary_group_members failed: %s\n", +-- +2.41.0 + + +From 84b6ef6a95d821e44462105250ce50d124a62150 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 25 Mar 2024 22:38:18 +0100 +Subject: [PATCH 3/4] selftest: Add "winbind expand groups = 1" to + setup_ad_member_idmap_ad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a) +--- + selftest/target/Samba3.pm | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index bbce55ea508..cf40633d127 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1420,6 +1420,7 @@ sub setup_ad_member_idmap_ad + idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 + gensec_gssapi:requested_life_time = 5 + winbind scan trusted domains = yes ++ winbind expand groups = 1 + "; + + my $ret = $self->provision( +-- +2.41.0 + + +From 550c6218e83468874a6a11295a7b08b148d1295a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 14 Mar 2024 15:24:21 +0100 +Subject: [PATCH 4/4] tests: Add a test for "all_groups=no" to test_idmap_ad.sh +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel 
Filipenský +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Pavel Filipensky +Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224 + +(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967) +--- + nsswitch/tests/test_idmap_ad.sh | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh +index 7ae112ada71..1d4bd395ba9 100755 +--- a/nsswitch/tests/test_idmap_ad.sh ++++ b/nsswitch/tests/test_idmap_ad.sh +@@ -94,6 +94,14 @@ gidNumber: 2000001 + unixHomeDirectory: /home/forbidden + loginShell: /bin/tcsh + gecos: User in forbidden OU ++ ++dn: CN=no_posix_id,CN=Users,$BASE_DN ++changetype: add ++objectClass: user ++samaccountName: no_posix_id ++unixHomeDirectory: /home/no_posix_id ++loginShell: /bin/sh ++gecos: User without uidNumber and gidNumber + EOF + + # +@@ -171,6 +179,17 @@ then + failed=$(($failed + 1)) + fi + ++# ++# Test 6: Make sure that with the default "all_groups=no" ++# the group "domain users" will not show user "no_posix_id" ++# but will show "SAMBA2008R2/administrator" ++# ++ ++dom_users="$DOMAIN/domain users" # Extra step to make sure that all is one word ++out="$($wbinfo --group-info "$dom_users")" ++testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr $failed + 1) ++testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || failed=$(expr $failed + 1) ++ + # + # Trusted domain test 1: Test uid of Administrator, should be 2500000 + # +@@ -241,6 +260,9 @@ gidNumber: 2000002 + dn: cn=forbidden,ou=sub,$BASE_DN + changetype: delete + ++dn: CN=no_posix_id,CN=Users,$BASE_DN ++changetype: delete ++ + dn: ou=sub,$BASE_DN + changetype: delete + EOF +-- +2.41.0 + diff --git a/samba.spec b/samba.spec index 8b96715..df39c93 100644 --- a/samba.spec +++ b/samba.spec 
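Review bot: The LDAP filter introduced in add_primary_group_members() (patch 2/4, winbindd_ads.c) drops members that have no uidNumber *and* members whose uidNumber is 0, via `(uidNumber=*)(!(uidNumber=0))`, but the idmap_ad.8.xml text added in patch 1/4 only tells the administrator that members "with missing uidNumber" are omitted when all_groupmem is left at no; the man page should state both conditions, e.g. `including those with a missing uidNumber or with uidNumber set to 0.` The filter is applied only to primaryGroupID-based membership in this function; the extended-dn member lookup in lookup_groupmem() that runs before this call is not touched by the hunk, so whether those members receive the same uidNumber filtering cannot be confirmed from what is shown. Patch 4/4's subject line and the "Test 6" comment in test_idmap_ad.sh refer to `all_groups=no` while the parameter is named `all_groupmem`, which will mislead anyone searching the tests for the option. Both add_primary_group_members() and lookup_groupmem() extend beyond the lines shown in their hunks.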
@@ -147,7 +147,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %global samba_version 4.20.0 -%global baserelease 102 +%global baserelease 103 # This should be rc1 or %%nil %global pre_release %nil @@ -238,10 +238,7 @@ Source18: samba-winbind-systemd-sysusers.conf Source201: README.downgrade Source202: samba.abignore -# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-20-redhat -# This will give us CI and makes it easy to generate patchsets. -# -# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.20-redhat.patch +Patch0: ad_lookup_groupmem.patch Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} @@ -4591,9 +4588,11 @@ fi %endif %changelog +* Mon Apr 29 2024 Pavel Filipenský - 4.20.0-103 +- resolves: RHEL-20473 - Improve performance of winbind idmap_ad backend + * Mon Apr 29 2024 Pavel Filipenský - 4.20.0-102 - resolves: RHEL-2109 - Support Certificate Auto Enrollment in Samba -- resolves: RHEL-20473 - Improve performance of winbind idmap_ad backend - resolves: RHEL-22157 - Fix root cert import for samba-gpupdate * Fri Apr 26 2024 Pavel Filipenský - 4.20.0-101
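Review bot: `Patch0: ad_lookup_groupmem.patch` is added with no comment on its provenance, while the same hunk removes the comment that explained where backports come from and how the patchset is generated; a one-line comment above it would keep that trail, e.g. `# Backport for https://bugzilla.samba.org/show_bug.cgi?id=15605 (upstream a485d9de, 5d475d26, 2dab3a33, f8b72aa1)`. Nothing in the shown hunks applies the patch; if %prep uses %autosetup it is picked up automatically, otherwise a %patch directive is needed — the %prep section lies outside this diff, so this is only a check to make. The changelog hunk moving the RHEL-20473 entry from 4.20.0-102 to 4.20.0-103 is consistent with the baserelease bump in the first hunk.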