.gitignore

@@ -1,2 +1,2 @@
-SOURCES/samba-4.19.4.tar.xz
+SOURCES/samba-4.23.5.tar.xz
 SOURCES/samba-pubkey_AA99442FB680B620.gpg

.samba.metadata

@@ -1,2 +1,2 @@
-6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz
+19e3789510e8306f9584f56e198559f5c1c5bbc2 SOURCES/samba-4.23.5.tar.xz
 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg

SOURCES/redhat-4.23.patch

@@ -0,0 +1,957 @@
+From e8384b6daea3b8091ad1bcfce84efc9e2c6a746d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
+Date: Thu, 22 Jan 2026 14:27:09 +0100
+Subject: [PATCH 01/13] s3:libads: Allocate cli_credentials on a stackframe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes:
+ERROR: talloc_free with references at ../../source3/libads/ldap_utils.c:158
+
+What happens:
+
+* `struct cli_credentials *creds` is allocated on `ads` talloc context
+* gensec_set_credentials() creates a talloc_reference to `creds`
+* TALLOC_FREE(creds) sees two parents and complains
+
+All other code is using temporary talloc_stackframe() for `creds`.
+Do it here as well.
+
+Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Fri Jan 23 11:20:28 UTC 2026 on atb-devel-224
+---
+ source3/libads/ldap_utils.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c
+index 9d6d962a2bc..d01afa69697 100644
+--- a/source3/libads/ldap_utils.c
++++ b/source3/libads/ldap_utils.c
+@@ -99,6 +99,7 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
+ 		struct cli_credentials *creds = NULL;
+ 		char *cred_name = NULL;
+ 		NTSTATUS ntstatus;
++		TALLOC_CTX *frame = talloc_stackframe();
+ 
+ 		if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) &&
+ 		    ads->config.ldap_page_size >= (lp_ldap_page_size() / 4) &&
+@@ -119,18 +120,20 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
+ 			DBG_NOTICE("Search for %s in <%s> failed: %s\n",
+ 				   expr, bp, ads_errstr(status));
+ 			SAFE_FREE(bp);
++			TALLOC_FREE(frame);
+ 			return status;
+ 		}
+ 
+ 		ntstatus = ads->auth.reconnect_state->fn(ads,
+ 				ads->auth.reconnect_state->private_data,
+-				ads, &creds);
++				frame, &creds);
+ 		if (!NT_STATUS_IS_OK(ntstatus)) {
+ 			DBG_WARNING("Failed to get creds for realm(%s): %s\n",
+ 				    ads->server.realm, nt_errstr(ntstatus));
+ 			DBG_WARNING("Search for %s in <%s> failed: %s\n",
+ 				   expr, bp, ads_errstr(status));
+ 			SAFE_FREE(bp);
++			TALLOC_FREE(frame);
+ 			return status;
+ 		}
+ 
+@@ -151,11 +154,11 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
+ 			 * callers depend on it being around.
+ 			 */
+ 			ads_disconnect(ads);
+-			TALLOC_FREE(creds);
++			TALLOC_FREE(frame);
+ 			SAFE_FREE(bp);
+ 			return status;
+ 		}
+-		TALLOC_FREE(creds);
++		TALLOC_FREE(frame);
+ 
+ 		*res = NULL;
+ 
+-- 
+2.53.0
+
+
+From 7af95c7cb142aeb5f422a69d3b7a0ea3c0d2c2c2 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Mon, 26 Jan 2026 13:36:02 +0100
+Subject: [PATCH 02/13] s3:rpc_client: Fix memory leak opening local named pipe
+
+If no local server name was passed to rpc_pipe_open_local_np() then
+get_myname() was called with NULL talloc context instead of the
+current stackframe.
+
+This was causing an increase of memory usage on busy servers with long-living
+rpcd_* workers.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+
+Autobuild-User(master): Volker Lendecke <vl@samba.org>
+Autobuild-Date(master): Tue Jan 27 10:13:40 UTC 2026 on atb-devel-224
+
+(cherry picked from commit 24dc455362fb49ef81c99d95880e106a234ce29a)
+---
+ source3/rpc_client/cli_pipe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index e3f48526492..c61b8eb16cf 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -3625,7 +3625,7 @@ NTSTATUS rpc_pipe_open_local_np(
+ 	}
+ 
+ 	if (local_server_name == NULL) {
+-		local_server_name = get_myname(result);
++		local_server_name = get_myname(frame);
+ 	}
+ 
+ 	if (local_server_addr != NULL) {
+-- 
+2.53.0
+
+
+From ab1287f78bd9d2397c8eb26fbedafa028e2aaa16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 2 Dec 2025 17:17:33 +0100
+Subject: [PATCH 03/13] s3-selftest: mention in-memory ccache usage when
+ nothing is provided
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/script/tests/test_net_ads_kerberos.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
+index 8a3c9ef2bc7..92d3996d078 100755
+--- a/source3/script/tests/test_net_ads_kerberos.sh
++++ b/source3/script/tests/test_net_ads_kerberos.sh
+@@ -30,6 +30,7 @@ KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+ ## Test "net ads kerberos kinit" variants
+ #################################################
+ 
++#simply uses in memory ccache
+ testit "net_ads_kerberos_kinit" \
+ 	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ 	-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+@@ -50,6 +51,7 @@ rm -f "$KRB5CCNAME_PATH"
+ #	--use-krb5-ccache=${KRB5CCNAME} \
+ #	|| failed=$((failed + 1))
+ 
++#simply uses in memory ccache
+ testit "net_ads_kerberos_kinit (-P)" \
+ 	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ 	-P "$ADDARGS" \
+-- 
+2.53.0
+
+
+From 0aa0d39e9a5deb77114f40930b599f11fd7cf3b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 2 Dec 2025 17:18:41 +0100
+Subject: [PATCH 04/13] s3-selftest: verify KRB5CCNAME presence after kinit
+ using klist
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/script/tests/test_net_ads_kerberos.sh | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
+index 92d3996d078..c53520cf733 100755
+--- a/source3/script/tests/test_net_ads_kerberos.sh
++++ b/source3/script/tests/test_net_ads_kerberos.sh
+@@ -14,6 +14,12 @@ PREFIX="$4"
+ shift 4
+ ADDARGS="$*"
+ 
++if [ -x $(which klist) ]; then
++	KLIST=$(which klist);
++else
++	KLIST="test -e";
++fi
++
+ incdir=$(dirname "$0")/../../../testprogs/blackbox
+ . "$incdir"/subunit.sh
+ 
+@@ -41,6 +47,9 @@ testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+ 	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ 	-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ 	|| failed=$((failed + 1))
++testit "klist env $KRB5CCNAME" \
++	"$KLIST" "$KRB5CCNAME" \
++	|| failed=$((failed +1))
+ unset KRB5CCNAME
+ rm -f "$KRB5CCNAME_PATH"
+ 
+@@ -62,6 +71,9 @@ testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \
+ 	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ 	-P "$ADDARGS" \
+ 	|| failed=$((failed + 1))
++testit "klist env $KRB5CCNAME" \
++	"$KLIST" "$KRB5CCNAME" \
++	|| failed=$((failed +1))
+ unset KRB5CCNAME
+ rm -f "$KRB5CCNAME_PATH"
+ 
+-- 
+2.53.0
+
+
+From b9c07d59c6a20931b80fa104629477ab8f78b4ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 2 Dec 2025 17:01:31 +0100
+Subject: [PATCH 05/13] s3-selftest: Activate "net ads kerberos kinit" tests
+ with --use-krb5-ccache
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ selftest/knownfail                            |  2 ++
+ source3/script/tests/test_net_ads_kerberos.sh | 30 +++++++++++--------
+ 2 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/selftest/knownfail b/selftest/knownfail
+index ab2d79d7114..76f1dae605d 100644
+--- a/selftest/knownfail
++++ b/selftest/knownfail
+@@ -338,3 +338,5 @@
+ 
+ # We currently don't send referrals for LDAP modify of non-replicated attrs
+ ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
++
++^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.*
+diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
+index c53520cf733..b7933bab6a6 100755
+--- a/source3/script/tests/test_net_ads_kerberos.sh
++++ b/source3/script/tests/test_net_ads_kerberos.sh
+@@ -53,12 +53,15 @@ testit "klist env $KRB5CCNAME" \
+ unset KRB5CCNAME
+ rm -f "$KRB5CCNAME_PATH"
+ 
+-# --use-krb5-ccache is not working
+-#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
+-#	$VALGRIND $BINDIR/net ads kerberos kinit \
+-#	-U$USERNAME%$PASSWORD $ADDARGS \
+-#	--use-krb5-ccache=${KRB5CCNAME} \
+-#	|| failed=$((failed + 1))
++testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
++	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
++	-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
++	--use-krb5-ccache="${KRB5CCNAME_PATH}" \
++	|| failed=$((failed + 1))
++testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \
++	"$KLIST" "$KRB5CCNAME_PATH" \
++	|| failed=$((failed +1))
++rm -f "$KRB5CCNAME_PATH"
+ 
+ #simply uses in memory ccache
+ testit "net_ads_kerberos_kinit (-P)" \
+@@ -77,12 +80,15 @@ testit "klist env $KRB5CCNAME" \
+ unset KRB5CCNAME
+ rm -f "$KRB5CCNAME_PATH"
+ 
+-# --use-krb5-ccache is not working
+-#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
+-#	$VALGRIND $BINDIR/net ads kerberos kinit \
+-#	-P $ADDARGS \
+-#	--use-krb5-ccache=${KRB5CCNAME} \
+-#	|| failed=$((failed + 1))
++testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
++	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
++	-P "$ADDARGS" \
++	--use-krb5-ccache="${KRB5CCNAME_PATH}" \
++	|| failed=$((failed + 1))
++testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \
++	"$KLIST" "$KRB5CCNAME_PATH" \
++	|| failed=$((failed +1))
++rm -f "$KRB5CCNAME_PATH"
+ 
+ 
+ #################################################
+-- 
+2.53.0
+
+
+From c82b7636b633575621e8e5964a93332956c238ff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 2 Dec 2025 16:56:44 +0100
+Subject: [PATCH 06/13] s3-net: properly setup krb5 ccache name via
+ --use-krb5-ccache
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ selftest/knownfail      |  2 --
+ source3/utils/net.c     | 19 ++++++++++++-------
+ source3/utils/net_ads.c |  4 ++++
+ 3 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/selftest/knownfail b/selftest/knownfail
+index 76f1dae605d..ab2d79d7114 100644
+--- a/selftest/knownfail
++++ b/selftest/knownfail
+@@ -338,5 +338,3 @@
+ 
+ # We currently don't send referrals for LDAP modify of non-replicated attrs
+ ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
+-
+-^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.*
+diff --git a/source3/utils/net.c b/source3/utils/net.c
+index ecabd980d0c..271c96cf804 100644
+--- a/source3/utils/net.c
++++ b/source3/utils/net.c
+@@ -1396,7 +1396,7 @@ static struct functable net_func[] = {
+ 			cli_credentials_get_principal_obtained(c->creds);
+ 		enum credentials_obtained password_obtained =
+ 			cli_credentials_get_password_obtained(c->creds);
+-		char *krb5ccname = NULL;
++		const char *krb5ccname = NULL;
+ 
+ 		if (principal_obtained == CRED_SPECIFIED) {
+ 			c->explicit_credentials = true;
+@@ -1415,15 +1415,20 @@ static struct functable net_func[] = {
+ 		}
+ 
+ 		/* cli_credentials_get_ccache_name_obtained() would not work
+-		 * here, we also cannot get the content of --use-krb5-ccache= so
+-		 * for now at least honour the KRB5CCNAME environment variable
+-		 * to get 'net ads kerberos' functions to work at all - gd */
+-
+-		krb5ccname = getenv("KRB5CCNAME");
+-		if (krb5ccname == NULL) {
++		 * here but we can now access the content of the
++		 * --use-krb5-ccache option via cli credentials. Fallback to
++		 * KRB5CCNAME environment variable to get 'net ads kerberos'
++		 * functions to work at all - gd */
++
++		krb5ccname = cli_credentials_get_out_ccache_name(c->creds);
++		if (krb5ccname == NULL || krb5ccname[0] == '\0') {
++			krb5ccname = getenv("KRB5CCNAME");
++		}
++		if (krb5ccname == NULL || krb5ccname[0] == '\0') {
+ 			krb5ccname = talloc_strdup(c, "MEMORY:net");
+ 		}
+ 		if (krb5ccname == NULL) {
++			DBG_ERR("Not able to setup krb5 ccache");
+ 			exit(1);
+ 		}
+ 		c->opt_krb5_ccache = krb5ccname;
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index d49b7537e71..5c57a0b290e 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -3245,7 +3245,11 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
+ 	if (ret) {
+ 		d_printf(_("failed to kinit password: %s\n"),
+ 			nt_errstr(status));
++		return ret;
+ 	}
++
++	d_printf("Stored Kerberos TGT in: %s\n", c->opt_krb5_ccache);
++
+ 	return ret;
+ }
+ 
+-- 
+2.53.0
+
+
+From 4f5ffea631d805564f7e92cc5f0f2f7ad55ba493 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Sat, 13 Dec 2025 13:49:37 +0100
+Subject: [PATCH 07/13] doc-xml: Document "net ads kerberos" commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Mon Jan  5 15:49:04 UTC 2026 on atb-devel-224
+---
+ docs-xml/manpages/net.8.xml | 139 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 139 insertions(+)
+
+diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
+index d9293d0bb34..737415b3722 100644
+--- a/docs-xml/manpages/net.8.xml
++++ b/docs-xml/manpages/net.8.xml
+@@ -1810,7 +1810,146 @@ the following entry types;
+ 
+ </refsect2>
+ 
++<refsect2>
++	<title>ADS KERBEROS</title>
++
++<para>
++	Issue Kerberos operations against an Active Directory KDC.
++</para>
++
++</refsect2>
++
++<refsect2>
++	<title>ADS KERBEROS KINIT</title>
++
++<para>
++	Issue a kinit request for a given user. When no other options are
++	defined the ticket granting ticket (TGT) will be stored in a memory cache.
++</para>
++
++<para>
++	To store the TGT in a different location either use the
++	<option>--krb5-ccache</option> option or set the
++	<replaceable>KRB5CCNAME</replaceable> environment variable.
++</para>
++
++<para>Example: <userinput>net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache</userinput></para>
++
++</refsect2>
++
++<refsect2>
++	<title>ADS KERBEROS RENEW</title>
++
++<para>
++	Renew an already acquired ticket granting ticket (TGT).
++</para>
++
++<para>Example: <userinput>net ads kerberos renew</userinput></para>
++
++</refsect2>
++
++<refsect2>
++	<title>ADS KERBEROS PAC</title>
++
++<para>
++	Request a Kerberos PAC while authenticating to an Active Directory KDC.
++</para>
++
++<para>
++	The following commands are provided:
++</para>
++
++<simplelist>
++<member>net ads kerberos pac dump - Dump a PAC to stdout.</member>
++<member>net ads kerneros pac save - Save a PAC to a file.</member>
++</simplelist>
++
++<para>
++	All commands allow to define an impersonation principal to do a Kerberos
++	Service for User (S4U2SELF) operation via
++	the <replaceable>impersonate=STRING</replaceable> option.
++	The impersonation principal can have multiple different formats:
++</para>
++
++<itemizedlist>
++	<listitem>
++		<para><replaceable>user@MY.REALM</replaceable></para>
++		<para>This is the default format.</para>
++	</listitem>
++	<listitem>
++		<para><replaceable>user@MY.REALM@MY.REALM</replaceable></para>
++		<para>The Kerberos Service for User (S4U2SELF) also supports
++		Enterprise Principals.</para>
++	</listitem>
++	<listitem>
++		<para><replaceable>user@UPN.SUFFIX@MY.REALM</replaceable></para>
++		<para>Enterprise Principal using a defined upn suffix.</para>
++	</listitem>
++	<listitem>
++		<para><replaceable>user@WORKGROUP@MY.REALM</replaceable></para>
++		<para>Enterprise Principal with netbios domain name.
++		This format is currently not supported by Samba AD.</para>
++	</listitem>
++</itemizedlist>
+ 
++<para>
++	By default net will request a service ticket for the local service
++	of the joined machine. A different service can be defined via
++        <replaceable>local_service=STRING</replaceable>.
++</para>
++
++</refsect2>
++<refsect2>
++	<title>ADS KERBEROS PAC DUMP [impersonate=string] [local_service=string] [pac_buffer_type=int]</title>
++
++<para>
++	Request a Kerberos PAC while authenticating to an Active Directory KDC.
++	The PAC will be printed on stdout.
++</para>
++
++<para>
++	When no specific pac_buffer is selected, all buffers will be printed.
++	It is possible to select a specific one via
++	<replaceable>pac_buffer_type=INT</replaceable> from this list:
++</para>
++
++<simplelist>
++<member>1 PAC_TYPE_LOGON_INFO</member>
++<member>2 PAC_TYPE_CREDENTIAL_INFO</member>
++<member>6 PAC_TYPE_SRV_CHECKSUM</member>
++<member>7 PAC_TYPE_KDC_CHECKSUM</member>
++<member>10 PAC_TYPE_LOGON_NAME</member>
++<member>11 PAC_TYPE_CONSTRAINED_DELEGATION</member>
++<member>12 PAC_TYPE_UPN_DNS_INFO</member>
++<member>13 PAC_TYPE_CLIENT_CLAIMS_INFO</member>
++<member>14 PAC_TYPE_DEVICE_INFO</member>
++<member>15 PAC_TYPE_DEVICE_CLAIMS_INFO</member>
++<member>16 PAC_TYPE_TICKET_CHECKSUM</member>
++<member>17 PAC_TYPE_ATTRIBUTES_INFO</member>
++<member>18 PAC_TYPE_REQUESTER_SID</member>
++<member>19 PAC_TYPE_FULL_CHECKSUM</member>
++</simplelist>
++
++<para>Example: <userinput>net ads kerberos pac dump -P impersonate=anyuser@MY.REALM.COM</userinput></para>
++
++</refsect2>
++
++<refsect2>
++	<title>ADS KERBEROS PAC SAVE [impersonate=string] [local_service=string] [filename=string]</title>
++
++<para>
++	Request a Kerberos PAC while authenticating to an Active Directory KDC.
++	The PAC will be saved in a file.
++</para>
++
++<para>
++	The filename to store the PAC can be set via the
++	<replaceable>filename=STRING</replaceable> option.
++</para>
++
++<para>Example: <userinput>net ads kerberos pac save -U user%password filename=/tmp/pacstore</userinput></para>
++
++</refsect2>
+ <refsect2>
+ <title>SAM CREATEBUILTINGROUP &lt;NAME&gt;</title>
+ 
+-- 
+2.53.0
+
+
+From f634526bd95b8396ea7f5f1c8ed059eb01a5286b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
+Date: Tue, 3 Feb 2026 12:53:10 +0100
+Subject: [PATCH 08/13] s3:utils: 'net ads kerberos kinit' should use also
+ default ccache name from krb5.conf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is re-introducing the behavior from samba-4.20 where both these
+commands operated on the same ccache (default_ccache_name in
+[libdefaults] section of krb5.conf)
+
+ 'net ads kerberos kinit -P'
+ 'klist'
+
+ With samba-4.21 it no longer works, 'net ads kerberos kinit -P'
+ fallbacks to 'MEMORY:net' (which is of a very limited use, ticket
+ cannot be used by other process) and klist finds no ticket.
+
+ The order is changed from:
+
+    --use-krb5-ccache
+    env "KRB5CCNAME"
+    "MEMORY:net"
+
+to ("MEMORY:net" is removed):
+
+    --use-krb5-ccache
+    env "KRB5CCNAME"
+    default_ccache_name
+
+'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials.
+
+Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name()
+because of commit:
+1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
+
+Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 4cc6a13590434f6a3aa1add663728188970d727e)
+---
+ source3/utils/net.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/source3/utils/net.c b/source3/utils/net.c
+index 271c96cf804..0ce03f8213d 100644
+--- a/source3/utils/net.c
++++ b/source3/utils/net.c
+@@ -54,6 +54,7 @@
+ #include "source3/utils/passwd_proto.h"
+ #include "auth/gensec/gensec.h"
+ #include "lib/param/param.h"
++#include "lib/krb5_wrap/krb5_samba.h"
+ 
+ #ifdef WITH_FAKE_KASERVER
+ #include "utils/net_afs.h"
+@@ -1414,18 +1415,33 @@ static struct functable net_func[] = {
+ 				CRED_SPECIFIED);
+ 		}
+ 
+-		/* cli_credentials_get_ccache_name_obtained() would not work
+-		 * here but we can now access the content of the
+-		 * --use-krb5-ccache option via cli credentials. Fallback to
+-		 * KRB5CCNAME environment variable to get 'net ads kerberos'
+-		 * functions to work at all - gd */
+-
++		/*
++		 * Priority order for krb5 credential cache name
++		 *
++		 *    via cli_credentials_get_out_ccache_name() :
++		 *
++		 * 1. '--use-krb5-ccache' option
++		 *
++		 *    via krb5_cc_default_name() :
++		 *
++		 * 2. KRB5CCNAME environment variable
++		 * 3. default_ccache_name in [libdefaults] section of krb5.conf
++		 * 4. ...more - krb5_cc_default_name() always returns something
++		 *    - see documentation
++		 */
+ 		krb5ccname = cli_credentials_get_out_ccache_name(c->creds);
+ 		if (krb5ccname == NULL || krb5ccname[0] == '\0') {
+-			krb5ccname = getenv("KRB5CCNAME");
+-		}
+-		if (krb5ccname == NULL || krb5ccname[0] == '\0') {
+-			krb5ccname = talloc_strdup(c, "MEMORY:net");
++			krb5_context ct = NULL;
++			krb5_error_code ret = smb_krb5_init_context_common(&ct);
++
++			if (ret == 0) {
++				krb5ccname = smb_force_krb5_cc_default_name(ct);
++				if (krb5ccname != NULL) {
++					krb5ccname = talloc_strdup(c,
++								   krb5ccname);
++				}
++				krb5_free_context(ct);
++			}
+ 		}
+ 		if (krb5ccname == NULL) {
+ 			DBG_ERR("Not able to setup krb5 ccache");
+-- 
+2.53.0
+
+
+From 0ca830d6ddded29b2b5d1969ebcbc4df1156656e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
+Date: Thu, 5 Feb 2026 16:04:25 +0100
+Subject: [PATCH 09/13] manpages: Update NET ADS KERBEROS KINIT manpage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
+
+Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
+Autobuild-Date(master): Thu Feb  5 21:11:13 UTC 2026 on atb-devel-224
+
+(cherry picked from commit 9d083a28fe45afd8f82441c6e24255e4c64c113b)
+---
+ docs-xml/manpages/net.8.xml | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
+index 737415b3722..b793361a27f 100644
+--- a/docs-xml/manpages/net.8.xml
++++ b/docs-xml/manpages/net.8.xml
+@@ -1823,17 +1823,37 @@ the following entry types;
+ 	<title>ADS KERBEROS KINIT</title>
+ 
+ <para>
+-	Issue a kinit request for a given user. When no other options are
+-	defined the ticket granting ticket (TGT) will be stored in a memory cache.
++	Issue a kinit request for a given user.  The following methods can be used
++	to specify where to store the ticket granting ticket (TGT) (in order of
++	precedence):
+ </para>
+ 
+-<para>
+-	To store the TGT in a different location either use the
+-	<option>--krb5-ccache</option> option or set the
+-	<replaceable>KRB5CCNAME</replaceable> environment variable.
+-</para>
++<itemizedlist>
++	<listitem>
++		<para>option <option>--use-krb5-ccache</option></para>
++	</listitem>
++	<listitem>
++		<para><replaceable>KRB5CCNAME</replaceable> environment variable</para>
++	</listitem>
++	<listitem>
++		<para><parameter>default_ccache_name</parameter> setting in <filename>krb5.conf</filename></para>
++	</listitem>
++</itemizedlist>
+ 
+-<para>Example: <userinput>net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache</userinput></para>
++<variablelist><title>Examples:</title>
++<varlistentry>
++<term>Use file based cache (FILE:/tmp/krb5cache)</term>
++<listitem><literallayout>
++net ads kerberos kinit -P --use-krb5-ccache=/tmp/krb5cache
++</literallayout></listitem>
++</varlistentry>
++<varlistentry>
++<term>Use memory cache (MEMORY:net) to verify the authentication</term>
++<listitem><literallayout>
++net ads kerberos kinit -P --use-krb5-ccache=MEMORY:net
++</literallayout></listitem>
++</varlistentry>
++</variablelist>
+ 
+ </refsect2>
+ 
+-- 
+2.53.0
+
+
+From 44b613d80c6a3818cc6ca593d57d51cd1bc00aa5 Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Fri, 13 Feb 2026 11:54:46 +0000
+Subject: [PATCH 10/13] selftest: Update tests to use
+ --use-kereros=desired|required no creds
+
+Add tests to call smbclient without passing credentials to
+demonstrate failure with --use-kereros=desired
+
+Also add knownfail
+
+Signed-off-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit a22af9420965083b99b956477d1833000b7f2414)
+---
+ selftest/knownfail                              |  2 ++
+ source3/script/tests/test_smbclient_kerberos.sh | 12 ++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/selftest/knownfail b/selftest/knownfail
+index ab2d79d7114..f0a5f7bb935 100644
+--- a/selftest/knownfail
++++ b/selftest/knownfail
+@@ -315,6 +315,8 @@
+ # ad_member don't support ntlmv1 (not even over SMB1)
+ ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member
+ ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member
++# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789
++samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).*
+ #nt-vfs server blocks read with execute access
+ ^samba4.smb2.read.access
+ #ntvfs server blocks copychunk with execute access on read handle
+diff --git a/source3/script/tests/test_smbclient_kerberos.sh b/source3/script/tests/test_smbclient_kerberos.sh
+index 31678d17e28..1139efd70d7 100755
+--- a/source3/script/tests/test_smbclient_kerberos.sh
++++ b/source3/script/tests/test_smbclient_kerberos.sh
+@@ -73,6 +73,18 @@ test_smbclient "smbclient.smb3.kerberos.desired[//${SERVER}/tmp]" \
+ 	--use-kerberos=desired -U${USERNAME}%${PASSWORD} -mSMB3 ||
+ 	failed=$(expr $failed + 1)
+ 
++test_smbclient "smbclient.smb3.kerberos.desired (no user/pass) [//${SERVER}/tmp]" \
++	"ls; quit" //${SERVER}/tmp \
++	--use-kerberos=desired -mSMB3 ||
++	failed=$(expr $failed + 1)
++
++test_smbclient "smbclient.smb3.kerberos.required (no user/pass) [//${SERVER}/tmp]" \
++	"ls; quit" //${SERVER}/tmp \
++	--use-kerberos=required -mSMB3 ||
++	failed=$(expr $failed + 1)
++
++
++
+ $samba_kdestroy
+ 
+ rm -rf $KRB5CCNAME_PATH
+-- 
+2.53.0
+
+
+From 65f70c0505759489a8b219e1297f8cdee2cc260a Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Mon, 19 Jan 2026 15:46:59 +0000
+Subject: [PATCH 11/13] auth/credentials: Fix regression with
+ --use-kerberos=desired for smbclient
+
+As part of the gse_krb5 processing the following call chain
+
+gensec_gse_client_start()
+  ---> gensec_kerberos_possible()
+         ---> cli_credentials_authentication_requested()
+
+gensec_kerberos_possible()  will always fail when
+cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
+
+It seems since use kerberos == desired is the default that it isn't
+necessary to see if credentials were modified to indicated authentication
+was requested. gensec_kerberos_possible() should afaics return true
+if kerberos is desired OR required (regardless of whether credentials
+were requested)
+
+This commit removes the knownfail associated with this bug.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
+Signed-off-by: <noel.power@suse.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 88f42eb222f299189d5f5f8204ae353e63a50970)
+---
+ auth/gensec/gensec_util.c | 5 -----
+ selftest/knownfail        | 2 --
+ 2 files changed, 7 deletions(-)
+
+diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
+index 0c7688d33d2..af6d198d48f 100644
+--- a/auth/gensec/gensec_util.c
++++ b/auth/gensec/gensec_util.c
+@@ -362,7 +362,6 @@ char *gensec_get_unparsed_target_principal(struct gensec_security *gensec_securi
+ NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
+ {
+ 	struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+-	bool auth_requested = cli_credentials_authentication_requested(creds);
+ 	enum credentials_use_kerberos krb5_state =
+ 		cli_credentials_get_kerberos_state(creds);
+ 	char *user_principal = NULL;
+@@ -370,10 +369,6 @@ NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
+ 	const char *target_principal = gensec_get_target_principal(gensec_security);
+ 	const char *hostname = gensec_get_target_hostname(gensec_security);
+ 
+-	if (!auth_requested) {
+-		return NT_STATUS_INVALID_PARAMETER;
+-	}
+-
+ 	if (krb5_state == CRED_USE_KERBEROS_DISABLED) {
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+diff --git a/selftest/knownfail b/selftest/knownfail
+index f0a5f7bb935..ab2d79d7114 100644
+--- a/selftest/knownfail
++++ b/selftest/knownfail
+@@ -315,8 +315,6 @@
+ # ad_member don't support ntlmv1 (not even over SMB1)
+ ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*ad_member
+ ^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*ad_member
+-# regression smbclient using --use-kerberos=desired https://bugzilla.samba.org/show_bug.cgi?id=15789
+-samba3.blackbox.smbclient.kerberos.smbclient.smb3.kerberos.desired \(no user/pass\).*
+ #nt-vfs server blocks read with execute access
+ ^samba4.smb2.read.access
+ #ntvfs server blocks copychunk with execute access on read handle
+-- 
+2.53.0
+
+
+From 8c955cad98b197936fceaf98306047e1f929ddfe Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Mon, 19 Jan 2026 16:10:10 +0000
+Subject: [PATCH 12/13] s3/libsmb: cli_session_creds_init fails when kerberos
+ is desired
+
+There is a regression with code using cli_session_creds_init when
+cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
+
+Authentication succeeds when boolean fallback_after_kerberos is false
+and fails when true.
+There doesn't seem to be a good reason why the value of
+fallback_after_kerberos should initialise the krb5 ccache or not.
+It would seems that krb5 cache should be setup for creds
+for *any* kerberos auth (whether fallback is enabled or not)
+
+Partial patch from <will69@gmx.de> (see bug referenced below)
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
+Signed-off-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 1c48599105736499d18aa1f647bce9e1f8dbdcca)
+---
+ source3/libsmb/cliconnect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 116f746d37e..3fd423d8e5f 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -218,7 +218,7 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
+ 				goto fail;
+ 			}
+ 		}
+-	} else if (use_kerberos && !fallback_after_kerberos) {
++	} else if (use_kerberos) {
+ 		const char *error_string = NULL;
+ 		int rc;
+ 
+-- 
+2.53.0
+
+
+From 015167aea7ece2bb683f86aa4b8c688d7a83267d Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Mon, 19 Jan 2026 16:18:02 +0000
+Subject: [PATCH 13/13] s3/libsmb: block anon authentication fallback is
+ use-kerberos = desired
+
+When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED
+libsmbclient method SMBC_server_internal will still try to fallback to
+anon NTLM. This patch prevents that.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
+Signed-off-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Noel Power <npower@samba.org>
+Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224
+
+(cherry picked from commit bc868800276fe09cbcb206ebe4cb4da32af7599f)
+---
+ source3/libsmb/libsmb_server.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
+index f9b52e1f05a..8c7208aaee0 100644
+--- a/source3/libsmb/libsmb_server.c
++++ b/source3/libsmb/libsmb_server.c
+@@ -632,6 +632,8 @@ SMBC_server_internal(TALLOC_CTX *ctx,
+ 		password_used = "";
+ 
+                 if (smbc_getOptionNoAutoAnonymousLogin(context) ||
++		    cli_credentials_get_kerberos_state(creds) ==
++			    CRED_USE_KERBEROS_REQUIRED ||
+ 		    !NT_STATUS_IS_OK(cli_session_setup_anon(c))) {
+ 
+                         cli_shutdown(c);
+-- 
+2.53.0
+

SOURCES/samba-4.19.4.tar.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
-tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
-Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
-2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
-XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
-iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
-svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
-JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
-ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
-vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
-+NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
-1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
-=kOPP
------END PGP SIGNATURE-----

SOURCES/samba-4.23.5.tar.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmlzV8sACgkQqplEL7aA
+tiCrUxAAkEcyHkI48DZpwRd+0rP2IJC+6vpGj/RSGHdlyztw3R+49EOW9HURNqsl
+8FHHUairod5CzyXc2UfoZNHuo5s3YE2WOuxSur2W8/FYPVllX9sOvNilaQsplvDX
+8zMsQ4Ky5z57EeScDFaGl/NPypLcJ5i2hrBHRrn4Gsa5koKs9M+BlO1/xH8TBFPG
+hAAXaLFw8pkMFDEIIrRMdOGAUeNaBq3dVkfzPAgd6FYAAUjuP/3O2gM87zLPgbf1
+5Deg+HYNLhKaAUNJPs3OuiLZTN3FpRAif/DKJCL16kbNxygN71OXI1vf20BooNpj
+qTx3xseHraHkTy3HElru5CTlW+jYPLd7UqHcH0g+wRp/xlwH5vR7vc+wZpyFmOfm
+OThXsVzZKzwQo9Ce+N9vs0FgSR0BLXvHHIs77XV0BdC3G/tE+iOPsp1GFbmhC5Dn
+F/hqFmbKBBNiqv2v1s3mT1rX8DNeUaHA44coJJnr8vc9fMtrqkDuBiAOtzknm+j+
+IW3NLWsvl2y94anc9Aq6Ffanc1qSwVvdFNb/d1dZjR7sLP19UdJAFZTiJ/V2yQET
+++AX9DKBtIO0KguJowEROrRu+inOT/Rs4PLwxxbtEVxqmqH7An+nO0FzV+xSjI/1
+l+zLG3njDFDSDS/cXvrnzvFAWqs/5pKmlhcDzAicnuUgIzsKd08=
+=qxcw
+-----END PGP SIGNATURE-----

SOURCES/samba.logrotate

@@ -1,4 +1,4 @@
-/var/log/samba/log.* {
+/var/log/samba/*log* {
     compress
     dateext
     maxage 365

SOURCES/smb.conf.vendor

@@ -38,7 +38,8 @@
 [print$]
 	comment = Printer Drivers
 	path = /var/lib/samba/drivers
-	write list = @printadmin root
-	force group = @printadmin
+	# printadmin is a local group
+	write list = printadmin root
+	force group = printadmin
 	create mask = 0664
 	directory mask = 0775