.gitignore

@@ -1,2 +1,18 @@
-SOURCES/samba-4.19.4.tar.xz
+SOURCES/samba-4.17.5.tar.xz
-SOURCES/samba-pubkey_AA99442FB680B620.gpg
+/samba-4.17.5.tar.xz
+/samba-4.18.2.tar.asc
+/samba-4.18.2.tar.xz
+/samba-4.18.3.tar.asc
+/samba-4.18.3.tar.xz
+/samba-4.18.4.tar.asc
+/samba-4.18.4.tar.xz
+/samba-4.18.5.tar.asc
+/samba-4.18.5.tar.xz
+/samba-4.18.6.tar.xz
+/samba-4.18.6.tar.asc
+/samba-4.19.2.tar.asc
+/samba-4.19.2.tar.xz
+/samba-4.19.3.tar.asc
+/samba-4.19.3.tar.xz
+/samba-4.19.4.tar.asc
+/samba-4.19.4.tar.xz

README.md

@@ -0,0 +1,186 @@
+Samba is a free SMB and CIFS client and server and Domain Controller for UNIX
+and other operating systems. It is maintained by the Samba Team, who support the
+original author, Andrew Tridgell.
+
+This software is freely distributable under the GNU public license, a copy of
+which you should have received with this software (in a file called COPYING).
+
+# WHAT IS SMB/CIFS?
+This is a big question.
+
+The very short answer is that it is the protocol by which a lot of PC-related
+machines share files and printers and other information such as lists of
+available files and printers. Operating systems that support this natively
+include Windows 9x, Windows NT (and derivatives), OS/2, Mac OS X and Linux. Add
+on packages that achieve the same thing are available for DOS, Windows 3.1, VMS,
+Unix of all kinds, MVS, and more.  Some Web Browsers can speak this protocol as
+well (smb://).  Alternatives to SMB include Netware, NFS, Appletalk, Banyan
+Vines, Decnet etc; many of these have advantages but none are both public
+specifications and widely implemented in desktop machines by default.
+
+The Common Internet File system (CIFS) is what the new SMB initiative is called.
+For details watch [here](https://samba.org/cifs)
+
+# WHY DO PEOPLE WANT TO USE SMB?
+* Many people want to integrate their Microsoft desktop clients with their Unix
+servers.
+
+* Others want to integrate their Microsoft (etc) servers with Unix servers. This
+is a different problem to integrating desktop clients.
+
+* Others want to replace protocols like NFS, DecNet and Novell NCP, especially
+when used with PCs.
+
+# WHAT CAN SAMBA DO?
+Please refer to the WHATSNEW.txt included with this README for a list of
+features in the latest Samba release.
+
+Here is a very short list of what samba includes, and what it does. For many
+networks this can be simply summarized by "Samba provides a complete replacement
+for Windows NT, Warp, NFS or Netware servers."
+* a SMB server, to provide Windows NT and LAN Manager-style file and print
+services to SMB clients such as Windows 95, Warp Server, smbfs and others.
+
+* a Windows Domain Controller (NT4 and AD) replacement.
+
+* a file/print server that can act as a member of a Windows NT 4.0 or Active
+Directory domain.
+
+* a NetBIOS (rfc1001/1002) nameserver, which amongst other things gives browsing
+support. Samba can be the master browser on your LAN if you wish.
+
+* a ftp-like SMB client so you can access PC resources (disks and printers) from
+UNIX, Netware, and other operating systems
+
+* a tar extension to the client for backing up PCs
+
+* limited command-line tool that supports some of the NT administrative
+functionality, which can be used on Samba, NT workstation and NT server.
+
+For a much better overview have a look at the [web site](http://samba.org/samba)
+and browse the user survey.
+
+#### Related packages include:
+* cifsvfs, an advanced Linux-only filesystem allowing you to mount remote SMB
+filesystems from PCs on your Linux box. This is included as standard with Linux
+2.5 and later.
+
+* smbfs, the previous Linux-only filesystem allowing you to mount remote SMB
+filesystems from PCs on your Linux box. This is included as standard with Linux
+2.0 and later.
+
+# CONTRIBUTIONS
+
+### To contribute via GitHub
+  * fork the official Samba team repository on GitHub
+    -- see [GitHub](https://github.com/samba-team/samba)
+
+  * become familiar with the coding standards as described in README.Coding
+
+  * make sure you read the Samba copyright policy
+    -- see [Copyright Policy](https://www.samba.org/samba/devel/copyright-policy.html)
+
+  * create a feature branch
+
+  * make changes
+
+  * when committing, be sure to add signed-off-by tags
+    -- see [Commit message tags](https://wiki.samba.org/index.php/CodeReview#commit_message_tags)
+
+  * send a pull request for your branch through GitHub
+
+  * this will trigger an email to the samba-technical mailing list
+
+  * discussion happens on the samba-technical mailing list as described below
+
+  * more info on using Git for Samba development can be found on Samba Wiki
+    -- see [Using Git for Samba](https://wiki.samba.org/index.php/Using_Git_for_Samba_Development)
+
+### To contribute via mailing lists
+Join the mailing list. The Samba team accepts patches (preferably in "diff -u"
+format, see [here](https://samba.org/samba/devel) for more details) and are
+always glad to receive feedback or suggestions to the address
+samba@lists.samba.org. More information on the various Samba mailing lists can
+be found at [mailman](http://lists.samba.org).
+
+You can also get the Samba sourcecode straight from the [git repository](http://wiki.samba.org/index.php/Using_Git_for_Samba_Development).
+
+If you like a particular feature then look through the git change-log on the
+[web](https://git.samba.org/?p=samba.git;a=summary) and see who added it, then
+send them an email.
+
+Remember that free software of this kind lives or dies by the response we get.
+If no one tells us they like it then we'll probably move onto something else.
+
+
+# MORE INFO
+
+### DOCUMENTATION
+There is quite a bit of documentation included with the package, including man
+pages, and lots of .html files with hints and useful info. This is also
+available from the web page. There is a growing collection of information under
+docs/.
+
+A list of Samba documentation in languages other than English is available on
+the web page.
+
+If you would like to help with the documentation, please coordinate on the
+samba@lists.samba.org mailing list. See the next section for details on
+subscribing to samba mailing lists.
+
+### MAILING LIST
+Please do NOT send subscription/unsubscription requests to the lists!
+
+There is a mailing list for discussion of Samba.  For details go to [mailman](https://lists.samba.org)
+or send mail to <samba-subscribe@lists.samba.org>.
+
+There is also an announcement mailing list where new versions are announced. To
+subscribe go to [mailman](http://lists.samba.org) or send mail to
+<samba-announce-subscribe@lists.samba.org>. All announcements also go to the
+samba list, so you only need to be on one.
+
+For details of other Samba mailing lists and for access to archives, see
+[mailman](http://lists.samba.org)
+
+### MAILING LIST ETIQUETTE
+
+A few tips when submitting to this or any mailing list.
+ - Make your subject short and descriptive. Avoid the words "help" or "Samba" in
+the subject. The readers of this list already know that a) you need help, and b)
+you are writing about samba (of course, you may need to distinguish between
+Samba PDC and other file sharing software). Avoid phrases such as "what is" and
+"how do i". Some good subject lines might look like "Slow response with Excel
+files" or "Migrating from Samba PDC to NT PDC".
+
+- If you include the original message in your reply, trim it so that only the
+relevant lines, enough to establish context, are included. Chances are (since
+this is a mailing list) we've already read the original message.
+
+- Trim irrelevant headers from the original message in your reply. All we need
+to see is a) From, b) Date, and c) Subject. We don't even really need the
+Subject, if you haven't changed it. Better yet is to just preface the original
+message with "On [date] [someone] wrote:".
+
+- Please don't reply to or argue about spam, spam filters or viruses on any
+Samba lists. We do have a spam filtering system that is working quite well thank
+you very much but occasionally unwanted messages slip through. Deal with it.
+
+- Never say "Me too." It doesn't help anyone solve the problem. Instead, if you
+ARE having the same problem, give more information. Have you seen something that
+the other writer hasn't mentioned, which may be helpful?
+
+- If you ask about a problem, then come up with the solution on your own or
+through another source, by all means post it. Someone else may have the same
+problem and is waiting for an answer, but never hears of it.
+
+- Give as much *relevant* information as possible such as Samba release number,
+OS, kernel version, etc...
+
+- RTFM. Google.
+
+### WEB SITE
+A Samba WWW [site](https://samba.org) has been setup with lots of useful info.
+
+As well as general information and documentation, this also has searchable
+archives of the mailing list and a user survey that shows who else is using this
+package.

SOURCES/samba-4.19.4.tar.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
-tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
-Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
-2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
-XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
-iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
-svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
-JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
-ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
-vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
-+NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
-1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
-=kOPP
------END PGP SIGNATURE-----

gating.yaml

@@ -0,0 +1,8 @@
+# recipients: sssd-qe, asn, pfilipen, ftrivino
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

rpminspect.yaml

@@ -0,0 +1,24 @@
+---
+badfuncs:
+    ignore:
+        - /usr/bin/nmblookup
+        - /usr/bin/smbtorture
+        - /usr/lib*/libndr.so.*
+        - /usr/lib*/libsmbconf.so.*
+        - /usr/lib*/samba/libgse-samba4.so
+        - /usr/lib*/samba/libsamba-sockets-samba4.so
+        - /usr/lib*/samba/service/nbtd.so
+        - /usr/libexec/ctdb/smnotify
+        - /usr/sbin/nmbd
+
+runpath:
+    allowed_paths:
+        - /usr/lib/samba
+        - /usr/lib64/samba
+
+abidiff:
+    suppression_file: samba.abignore
+
+debuginfo:
+    ignore:
+        - /usr/lib*/libdcerpc-samr.so.*

samba-4.19-fix-smbget-debug.patch

@@ -0,0 +1,106 @@
+From 21d8c1b2dabf8dd5a65de14816c6701e9c81de44 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 5 Dec 2023 15:46:48 +0100
+Subject: [PATCH 1/2] s3:tests: Add smbget test for
+ smb://DOAMIN;user%password@server/share/file
+
+This is supported according to the smbget manpage!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit e5fe856e76eba26e3b85a391bcea02dfe045c26e)
+---
+ source3/script/tests/test_smbget.sh | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
+index 46c1f4a68a5..bdc62a71eff 100755
+--- a/source3/script/tests/test_smbget.sh
++++ b/source3/script/tests/test_smbget.sh
+@@ -145,6 +145,22 @@ test_singlefile_smburl()
+ 	return 0
+ }
+ 
++test_singlefile_smburl2()
++{
++	clear_download_area
++	$SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile"
++	if [ $? -ne 0 ]; then
++		echo 'ERROR: RC does not match, expected: 0'
++		return 1
++	fi
++	cmp --silent $WORKDIR/testfile ./testfile
++	if [ $? -ne 0 ]; then
++		echo 'ERROR: file content does not match'
++		return 1
++	fi
++	return 0
++}
++
+ test_singlefile_authfile()
+ {
+ 	clear_download_area
+@@ -499,6 +515,10 @@ testit "download single file with --update and UPN" test_singlefile_U_UPN ||
+ testit "download single file with smb URL" test_singlefile_smburl ||
+ 	failed=$(expr $failed + 1)
+ 
++testit "download single file with smb URL including domain" \
++	test_singlefile_smburl2 ||
++	failed=$(expr $failed + 1)
++
+ testit "download single file with authfile" test_singlefile_authfile ||
+ 	failed=$(expr $failed + 1)
+ 
+-- 
+2.43.0
+
+
+From e19fa9d75ee70ec23e70f166ee70241c116f7bf5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 6 Dec 2023 08:48:34 +0100
+Subject: [PATCH 2/2] s3:utils: Fix setting the debug level
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 763b2efe69dc74e1c0cd954607031012f832486d)
+---
+ source3/utils/smbget.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
+index 5c99dcf918a..8d98ba24602 100644
+--- a/source3/utils/smbget.c
++++ b/source3/utils/smbget.c
+@@ -849,6 +849,7 @@ int main(int argc, char **argv)
+ 	uint32_t gensec_features;
+ 	bool use_wbccache = false;
+ 	SMBCCTX *smb_ctx = NULL;
++	int dbg_lvl = -1;
+ 	int rc;
+ 
+ 	smb_init_locale();
+@@ -922,13 +923,16 @@ int main(int argc, char **argv)
+ 
+ 	samba_cmdline_burn(argc, argv);
+ 
++	/* smbc_new_context() will set the log level to 0 */
++	dbg_lvl = debuglevel_get();
++
+ 	smb_ctx = smbc_new_context();
+ 	if (smb_ctx == NULL) {
+ 		fprintf(stderr, "Unable to initialize libsmbclient\n");
+ 		ok = false;
+ 		goto done;
+ 	}
+-	smbc_setDebug(smb_ctx, debuglevel_get());
++	smbc_setDebug(smb_ctx, dbg_lvl);
+ 
+ 	rc = smbc_setConfiguration(smb_ctx, lp_default_path());
+ 	if (rc < 0) {
+-- 
+2.43.0
+

samba.spec

@@ -147,7 +147,7 @@
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
 %global samba_version 4.19.4
-%global baserelease 3
+%global baserelease 4
 # This should be rc1 or %%nil
 %global pre_release %nil
 
@@ -244,6 +244,12 @@ Source18:       samba-winbind-systemd-sysusers.conf
 Source201:      README.downgrade
 Source202:      samba.abignore
 
+# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-19-redhat
+# This will give us CI and makes it easy to generate patchsets.
+#
+# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.19-redhat.patch
+Patch0:        samba-4.19-redhat.patch
+
 Requires(pre): /usr/sbin/groupadd
 
 Requires(pre): %{name}-common = %{samba_depver}
@@ -4473,6 +4479,12 @@ fi
 %endif
 
 %changelog
+* Thu May 02 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-4
+- related: RHEL-33813 - Undo wrong changes in rpminspect.yaml
+
+* Thu May 02 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-4
+- resolves: RHEL-33813 - Add option to request only POSIX groups from AD in idmap_ad
+
 * Thu Jan 18 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-3
 - resolves: RHEL-19753 - Fix smbget interactive authentication
 

sources

@@ -0,0 +1,2 @@
+SHA512 (samba-4.19.4.tar.asc) = 11bc51407d1464339817d7568f5d5bb059c19a05b49c6a1307d7425d289acb617ecd3e633e3736bdaa94947a7b3630d6cdb7ed6fe59d52556234c549eca8172a
+SHA512 (samba-4.19.4.tar.xz) = 3d2899e4a3b8bcb77befc29c4af66d3ac858b7f7a0dbbb66a8bc210cd88d9cde3e11361334a5cce650318473134ec8b134148bfa4af4d51f555de33eff395029

tests/testparm/Makefile

@@ -0,0 +1,62 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of gating test "testparm"
+#   Description: Basic config check for samba
+#   Author: Andrej Dzilsky <adzilsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2019 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=testparm
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Andrej Dzilsky <adzilsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Basic samba config check" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          samba" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Bug:             1653890" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/testparm/runtest.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of gating test "testparm"
+#   Description: Basic samba config check
+#   Author: Andrej Dzilsky <adzilsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2019 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+# From Andreas Schneider <asn@redhat.com>:
+# This is a basic test which makes sure the samba is installed and the default
+# smb.conf is available.
+
+rlJournalStart
+
+    rlPhaseStartTest
+        rlRun "testparm -v -s" 0 "testparm ends with expected output"
+    rlPhaseEnd
+
+rlJournalPrintText
+rlJournalEnd

tests/tests.yml

@@ -0,0 +1,13 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+      - role: standard-test-beakerlib
+        tags:
+            - classic
+        tests:
+            - testparm
+        required_packages:
+            - samba
+            - samba-client
+            - samba-common

v4-19-fix-force-user.patch

@@ -0,0 +1,325 @@
+From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 4 Sep 2023 16:29:46 +0200
+Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no'
+ firewalls Unix User|Group
+
+UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
+REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4)
+---
+ selftest/knownfail.d/forceuser_trusteddomains | 2 ++
+ selftest/target/Samba3.pm                     | 1 +
+ 2 files changed, 3 insertions(+)
+ create mode 100644 selftest/knownfail.d/forceuser_trusteddomains
+
+diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
+new file mode 100644
+index 00000000000..b515400cd90
+--- /dev/null
++++ b/selftest/knownfail.d/forceuser_trusteddomains
+@@ -0,0 +1,2 @@
++samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
++samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 39831afc599..85e69e4b72d 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1689,6 +1689,7 @@ sub setup_simpleserver
+ 	vfs objects = xattr_tdb streams_depot
+ 	change notify = no
+ 	server smb encrypt = off
++        allow trusted domains = no
+ 
+ [vfs_aio_pthread]
+ 	path = $prefix_abs/share
+-- 
+2.43.0
+
+
+From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 8 Sep 2023 12:50:32 +0200
+Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd)
+---
+ source3/auth/auth_util.c | 64 ++++++++++++++++++++--------------------
+ 1 file changed, 32 insertions(+), 32 deletions(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index 293523f4272..e5863d2272b 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
+ }
+ 
+ /****************************************************************************
+- Create an auth_usersupplied_data, making the DATA_BLOBs here. 
++ Create an auth_usersupplied_data, making the DATA_BLOBs here.
+  Decrypt and encrypt the passwords.
+ ****************************************************************************/
+ 
+ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
+ 				     struct auth_usersupplied_info **user_info,
+-				     const char *smb_name, 
+-				     const char *client_domain, 
++				     const char *smb_name,
++				     const char *client_domain,
+ 				     const char *workstation_name,
+ 				     const struct tsocket_address *remote_address,
+ 				     const struct tsocket_address *local_address,
+@@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
+ 	DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
+ 
+ 	status = make_user_info_map(mem_ctx, user_info,
+-				    smb_name, client_domain, 
++				    smb_name, client_domain,
+ 				    workstation_name,
+ 				    remote_address,
+ 				    local_address,
+ 				    "SamLogon",
+-				    lm_pwd_len ? &lm_blob : NULL, 
++				    lm_pwd_len ? &lm_blob : NULL,
+ 				    nt_pwd_len ? &nt_blob : NULL,
+ 				    NULL, NULL, NULL,
+ 				    AUTH_PASSWORD_RESPONSE);
+@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
+ }
+ 
+ /****************************************************************************
+- Create an auth_usersupplied_data, making the DATA_BLOBs here. 
++ Create an auth_usersupplied_data, making the DATA_BLOBs here.
+  Decrypt and encrypt the passwords.
+ ****************************************************************************/
+ 
+ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
+ 					 struct auth_usersupplied_info **user_info,
+-					 const char *smb_name, 
+-					 const char *client_domain, 
++					 const char *smb_name,
++					 const char *client_domain,
+ 					 const char *workstation_name,
+ 					 const struct tsocket_address *remote_address,
+ 					 const struct tsocket_address *local_address,
+ 					 uint32_t logon_parameters,
+-					 const uchar chal[8], 
+-					 const uchar lm_interactive_pwd[16], 
++					 const uchar chal[8],
++					 const uchar lm_interactive_pwd[16],
+ 					 const uchar nt_interactive_pwd[16])
+ {
+ 	struct samr_Password lm_pwd;
+@@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
+ 
+ 		nt_status = make_user_info_map(
+ 			mem_ctx,
+-			user_info, 
++			user_info,
+ 			smb_name, client_domain, workstation_name,
+ 			remote_address,
+ 			local_address,
+@@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
+ 
+ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
+ 			      struct auth_usersupplied_info **user_info,
+-			      const char *smb_name, 
++			      const char *smb_name,
+ 			      const char *client_domain,
+ 			      const struct tsocket_address *remote_address,
+ 			      const struct tsocket_address *local_address,
+@@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
+ 
+ 		/* We can't do an NT hash here, as the password needs to be
+ 		   case insensitive */
+-		local_nt_blob = data_blob_null; 
++		local_nt_blob = data_blob_null;
+ 	} else {
+-		local_lm_blob = data_blob_null; 
+-		local_nt_blob = data_blob_null; 
++		local_lm_blob = data_blob_null;
++		local_nt_blob = data_blob_null;
+ 	}
+ 
+ 	plaintext_password_string = talloc_strndup(talloc_tos(),
+@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
+ 	}
+ 
+ 	ret = make_user_info(mem_ctx,
+-		user_info, smb_name, smb_name, client_domain, client_domain, 
++		user_info, smb_name, smb_name, client_domain, client_domain,
+ 		get_remote_machine_name(),
+ 		remote_address,
+ 		local_address,
+@@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx,
+ 
+ 	nt_status = make_user_info(mem_ctx,
+ 				   user_info,
+-				   "","", 
+-				   "","", 
+-				   "", 
++				   "","",
++				   "","",
++				   "",
+ 				   remote_address,
+ 				   local_address,
+ 				   service_description,
+-				   NULL, NULL, 
+-				   NULL, NULL, 
++				   NULL, NULL,
++				   NULL, NULL,
+ 				   NULL,
+ 				   AUTH_PASSWORD_RESPONSE);
+ 
+@@ -1258,7 +1258,7 @@ done:
+ 	}
+ 
+ 	session_info->unique_session_token = GUID_random();
+-	
++
+ 	*session_info_out = talloc_move(mem_ctx, &session_info);
+ 	TALLOC_FREE(frame);
+ 	return NT_STATUS_OK;
+@@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+ 	*pwd = passwd;
+ 
+ 	/* This is pointless -- there is no support for differing
+-	   unix and windows names.  Make sure to always store the 
++	   unix and windows names.  Make sure to always store the
+ 	   one we actually looked up and succeeded. Have I mentioned
+-	   why I hate the 'winbind use default domain' parameter?   
++	   why I hate the 'winbind use default domain' parameter?
+ 	                                 --jerry              */
+ 
+ 	*found_username = talloc_strdup( mem_ctx, real_username );
+@@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+ }
+ 
+ /****************************************************************************
+- Wrapper to allow the getpwnam() call to strip the domain name and 
+- try again in case a local UNIX user is already there.  Also run through 
++ Wrapper to allow the getpwnam() call to strip the domain name and
++ try again in case a local UNIX user is already there.  Also run through
+  the username if we fallback to the username only.
+  ****************************************************************************/
+ 
+@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
+ 	char *p = NULL;
+ 	const char *username = NULL;
+ 
+-	/* we only save a copy of the username it has been mangled 
++	/* we only save a copy of the username it has been mangled
+ 	   by winbindd use default domain */
+ 	*p_save_username = NULL;
+ 
+-	/* don't call map_username() here since it has to be done higher 
++	/* don't call map_username() here since it has to be done higher
+ 	   up the stack so we don't call it multiple times */
+ 
+ 	username = talloc_strdup(mem_ctx, domuser);
+@@ -2068,10 +2068,10 @@ username_only:
+ }
+ 
+ /***************************************************************************
+- Make a server_info struct from the info3 returned by a domain logon 
++ Make a server_info struct from the info3 returned by a domain logon
+ ***************************************************************************/
+ 
+-NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, 
++NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ 				const char *sent_nt_username,
+ 				const char *domain,
+ 				struct auth_serversupplied_info **server_info,
+@@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ 	struct dom_sid sid;
+ 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ 
+-	/* 
++	/*
+ 	   Here is where we should check the list of
+-	   trusted domains, and verify that the SID 
++	   trusted domains, and verify that the SID
+ 	   matches.
+ 	*/
+ 
+-- 
+2.43.0
+
+
+From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 30 Nov 2023 10:54:07 +0100
+Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a
+ local token
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce)
+---
+ selftest/knownfail.d/forceuser_trusteddomains |  2 --
+ source3/auth/auth_util.c                      | 17 ++++++++++++++++-
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+ delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains
+
+diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
+deleted file mode 100644
+index b515400cd90..00000000000
+--- a/selftest/knownfail.d/forceuser_trusteddomains
++++ /dev/null
+@@ -1,2 +0,0 @@
+-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
+-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index e5863d2272b..2a35fea5061 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -21,6 +21,7 @@
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+ 
++#include "dom_sid.h"
+ #include "includes.h"
+ #include "auth.h"
+ #include "lib/util_unixsids.h"
+@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+ 	struct dom_sid tmp_sid;
+ 	struct auth_session_info *session_info = NULL;
+ 	struct unixid *ids;
++	bool is_allowed = false;
+ 
+ 	/* Ensure we can't possible take a code path leading to a
+ 	 * null deref. */
+@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+ 		return NT_STATUS_LOGON_FAILURE;
+ 	}
+ 
+-	if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
++	if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
++		is_allowed = true;
++	}
++
++	/* Check if we have extra info about the user. */
++	if (dom_sid_in_domain(&global_sid_Unix_Users,
++			      &server_info->extra.user_sid) ||
++	    dom_sid_in_domain(&global_sid_Unix_Groups,
++			      &server_info->extra.pgid_sid))
++	{
++		is_allowed = true;
++	}
++
++	if (!is_allowed) {
+ 		DBG_NOTICE("Authentication failed for user [%s] "
+ 			   "from firewalled domain [%s]\n",
+ 			   server_info->info3->base.account_name.string,
+-- 
+2.43.0
+