5 changed files with 690 additions and 554 deletions
--- a/SOURCES/101-orabug36371906-s3-passdb-fix-memleak-in-pdb_tdb.patch
+++ b/SOURCES/101-orabug36371906-s3-passdb-fix-memleak-in-pdb_tdb.patch
@ -0,0 +1,42 @@
 From 18913d384edb8c49c69501fd6db5511312614594 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Fri, 27 Oct 2023 12:09:53 +0200
 Subject: [PATCH] s3:passdb: Do not leak memory in pdb_tdb
 ==19938==ERROR: LeakSanitizer: detected memory leaks
 Direct leak of 77 byte(s) in 1 object(s) allocated from:
    #0 0x7f7d482841f8 in strdup (/lib64/libasan.so.8+0x841f8) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0)
    #1 0x7f7d47204846  (bin/shared/libsamba-util.so.0+0x4c846) (BuildId: 43b084eb9013442ac68eb1fc17649f142cbb0f94)
    #2 0x7f7d40b1d97a in pdb_init_tdbsam ../../source3/passdb/pdb_tdb.c:1361
    #3 0x7f7d4715f266  (bin/shared/libsamba-passdb.so.0+0x76266) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733)
    #4 0x7f7d4715f57a  (bin/shared/libsamba-passdb.so.0+0x7657a) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733)
    #5 0x7f7d47163700  (bin/shared/libsamba-passdb.so.0+0x7a700) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733)
    #6 0x55a9177d3853 in main ../../source3/smbd/server.c:1928
    #7 0x7f7d434281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Volker Lendecke <vl@samba.org>
 Orabug: 36371906
 Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
 Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
 ---
 source3/passdb/pdb_tdb.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
 index 4c578f8069d..f9ba193df3b 100644
 --- a/source3/passdb/pdb_tdb.c
 +++ b/source3/passdb/pdb_tdb.c
@@ -1346,6 +1346,9 @@ static NTSTATUS pdb_init_tdbsam(struct pdb_methods **pdb_method, const char *loc
 		}
 		pfile = tdbfile;
 	}
 +
 +	/* Do not leak memory if the init function is called more than once */
 +	SAFE_FREE(tdbsam_filename);
 	tdbsam_filename = SMB_STRDUP(pfile);
 	if (!tdbsam_filename) {
 		return NT_STATUS_NO_MEMORY;
 --
--- a/SOURCES/102-orabug36566309-s3-winbindd-winbindd_pam-fix-leak-in-extract_pac_vrfy_sigs.patch
+++ b/SOURCES/102-orabug36566309-s3-winbindd-winbindd_pam-fix-leak-in-extract_pac_vrfy_sigs.patch
@ -0,0 +1,80 @@
 From 48493735e2d2091740fe784cf07a4258dfc0b512 Mon Sep 17 00:00:00 2001
 From: Shaleen Bathla <shaleen.bathla@oracle.com>
 Date: Wed, 10 Apr 2024 18:31:39 +0530
 Subject: [PATCH] s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs
 Add missing free for entry variable and its members : key and principal
 Found definite memory leaks via valgrind as shown below.
 Leak 1 :
 ==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433
 ==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
 ==1686==    by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101)
 ==1686==    by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500)
 ==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
 ==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
 ==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
 ==1686==    by 0x127F45: process_request_send (winbindd.c:502)
 ==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
 ==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
 ==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
 ==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
 ==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
 ==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
 ==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
 ==1686==    by 0x1232F3: main (winbindd.c:1718)
 Leak 2 :
 ==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
 ==1686==    by 0x62255E4: krb5_copy_principal (copy_princ.c:38)
 ==1686==    by 0x621D003: krb5_mkt_get_next (kt_memory.c:503)
 ==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
 ==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
 ==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
 ==1686==    by 0x127F45: process_request_send (winbindd.c:502)
 ==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
 ==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
 ==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
 ==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
 ==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
 ==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
 ==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
 ==1686==    by 0x1232F3: main (winbindd.c:1718)
 Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
 Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
 Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224
 Orabug: 36566309
 Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
 Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
 ---
 source3/winbindd/winbindd_pam.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
 index 6c890c8acd5..e7d64189b7e 100644
 --- a/source3/winbindd/winbindd_pam.c
 +++ b/source3/winbindd/winbindd_pam.c
@@ -3433,12 +3433,17 @@ static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
 					     NULL, /* client_principal */
 					     0, /* tgs_authtime */
 					     p_pac_data);
 +		(void)smb_krb5_kt_free_entry(krbctx, &entry);
 		if (NT_STATUS_IS_OK(status)) {
 			break;
 		}
 -		k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
 		k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
 	}
 +	if (k5ret != 0 && k5ret != KRB5_KT_END) {
 +		DEBUG(1, ("Failed to get next entry: %s\n",
 +			  error_message(k5ret)));
 +		(void)smb_krb5_kt_free_entry(krbctx, &entry);
 +	}
 	k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
 	if (k5ret) {
--- a/SOURCES/samba-4.19-redhat.patch
+++ b/SOURCES/samba-4.19-redhat.patch
@ -1,7 +1,7 @@
 From 3c29fc78029e1274f931e171c9e04c19ad0182c1 Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Thu, 17 Aug 2023 01:05:54 +0300
-Subject: [PATCH 01/28] gp: Support more global trust directories
+Subject: [PATCH 01/25] gp: Support more global trust directories
 In addition to the SUSE global trust directory, add support for RHEL and
 Debian-based distributions (including Ubuntu).
@ -60,13 +60,13 @@ index 312c8ddf467..1b90ab46e90 100644
         # Symlink the certs to global trust dir
         dst = os.path.join(global_trust_dir, os.path.basename(src))
 -- 
-2.45.2
+2.41.0
 From 063606e8ec83a58972df47eb561ab267f8937ba4 Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Thu, 17 Aug 2023 01:09:28 +0300
-Subject: [PATCH 02/28] gp: Support update-ca-trust helper
+Subject: [PATCH 02/25] gp: Support update-ca-trust helper
 This is used on RHEL/Fedora instead of update-ca-certificates. They
 behave similarly so it's enough to change the command name.
@ -104,13 +104,13 @@ index 1b90ab46e90..cefdafa21b2 100644
         Popen([update]).wait()
     # Setup Certificate Auto Enrollment
 -- 
-2.45.2
+2.41.0
 From 3b548bf280ca59ef12a7af10a9131813067a850a Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Fri, 11 Aug 2023 18:46:42 +0300
-Subject: [PATCH 03/28] gp: Change root cert extension suffix
+Subject: [PATCH 03/25] gp: Change root cert extension suffix
 On Ubuntu, certificates must end in '.crt' in order to be considered by
 the `update-ca-certificates` helper.
@ -138,13 +138,13 @@ index cefdafa21b2..c562722906b 100644
                 w.write(cert)
             root_certs.append(dest)
 -- 
-2.45.2
+2.41.0
 From 7592ed5032836dc43f657f66607a0a4661edcdb4 Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Fri, 18 Aug 2023 17:06:43 +0300
-Subject: [PATCH 04/28] gp: Test with binary content for certificate data
+Subject: [PATCH 04/25] gp: Test with binary content for certificate data
 This fails all GPO-related tests that call `gpupdate --rsop`.
@ -216,13 +216,13 @@ index 00000000000..0aad59607c2
 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
 -- 
-2.45.2
+2.41.0
 From 7f7b235bda9e85c5ea330e52e734d1113a884571 Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Wed, 16 Aug 2023 12:20:11 +0300
-Subject: [PATCH 05/28] gp: Convert CA certificates to base64
+Subject: [PATCH 05/25] gp: Convert CA certificates to base64
 I don't know whether this applies universally, but in our case the
 contents of `es['cACertificate'][0]` are binary, so cleanly converting
@ -289,13 +289,13 @@ index 0aad59607c2..00000000000
 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
 -- 
-2.45.2
+2.41.0
 From 49cc74015a603e80048a38fe635cd1ac28938ee4 Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Fri, 18 Aug 2023 17:16:23 +0300
-Subject: [PATCH 06/28] gp: Test adding new cert templates enforces changes
+Subject: [PATCH 06/25] gp: Test adding new cert templates enforces changes
 Ensure that cepces-submit reporting additional templates and re-applying
 will enforce the updated policy.
@ -422,13 +422,13 @@ index 00000000000..4edc1dce730
 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
 -- 
-2.45.2
+2.41.0
 From 4c0906bd79f030e591701234bc54bc749a42d686 Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Wed, 16 Aug 2023 12:37:17 +0300
-Subject: [PATCH 07/28] gp: Template changes should invalidate cache
+Subject: [PATCH 07/25] gp: Template changes should invalidate cache
 If certificate templates are added or removed, the autoenroll extension
 should react to this and reapply the policy. Previously this wasn't
@ -487,13 +487,13 @@ index 4edc1dce730..00000000000
 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
 -- 
-2.45.2
+2.41.0
 From e61f30dc2518d5a1c239f090baea4a309307f3f8 Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Fri, 18 Aug 2023 17:26:59 +0300
-Subject: [PATCH 08/28] gp: Test disabled enrollment unapplies policy
+Subject: [PATCH 08/25] gp: Test disabled enrollment unapplies policy
 For this we need to stage a Registry.pol file with certificate
 autoenrollment enabled, but with checkboxes unticked.
@ -588,13 +588,13 @@ index 00000000000..83bc9f0ac1f
@@ -0,0 +1 @@
 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
 -- 
-2.45.2
+2.41.0
 From 7757b9b48546d71e19798d1260da97780caa99c3 Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Wed, 16 Aug 2023 12:33:59 +0300
-Subject: [PATCH 09/28] gp: Send list of keys instead of dict to remove
+Subject: [PATCH 09/25] gp: Send list of keys instead of dict to remove
 `cache_get_all_attribute_values` returns a dict whereas we need to pass
 a list of keys to `remove`. These will be interpolated in the gpdb search.
@ -634,13 +634,13 @@ index 83bc9f0ac1f..00000000000
@@ -1 +0,0 @@
 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
 -- 
-2.45.2
+2.41.0
 From 4e9b2e6409c5764ec0e66cc6c90b08e70f702e7c Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Tue, 9 Jan 2024 08:50:01 +0100
-Subject: [PATCH 10/28] python:gp: Print a nice message if cepces-submit can't
+Subject: [PATCH 10/25] python:gp: Print a nice message if cepces-submit can't
 be found
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552
@ -691,13 +691,13 @@ index 64c35782ae8..08d1a7348cd 100644
 def getca(ca, url, trust_dir):
 -- 
-2.45.2
+2.41.0
 From fb3aefff51c02cf8ba3f8dfeb7d3f971e8d4902a Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Mon, 8 Jan 2024 18:05:08 +0200
-Subject: [PATCH 11/28] gpo: Test certificate policy without NDES
+Subject: [PATCH 11/25] gpo: Test certificate policy without NDES
 As of 8231eaf856b, the NDES feature is no longer required on Windows, as
 cert auto-enroll can use the certificate from the LDAP request.
@ -895,13 +895,13 @@ index 00000000000..f1e590bc7d8
@@ -0,0 +1 @@
 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes
 -- 
-2.45.2
+2.41.0
 From 1a9af36177c7491687c75df151474bb10285f00e Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Thu, 18 Jan 2024 20:23:24 +0200
-Subject: [PATCH 12/28] gpo: Decode base64 root cert before importing
+Subject: [PATCH 12/25] gpo: Decode base64 root cert before importing
 The reasoning behind this is described in the previous commit message,
 but essentially this should either be wrapped in certificate blocks and
@ -948,13 +948,13 @@ index f1e590bc7d8..00000000000
@@ -1 +0,0 @@
 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes
 -- 
-2.45.2
+2.41.0
 From f5fc88f9ae255f4dc135580f0fa4a02f5addc390 Mon Sep 17 00:00:00 2001
 From: Gabriel Nagy <gabriel.nagy@canonical.com>
 Date: Fri, 19 Jan 2024 11:36:19 +0200
-Subject: [PATCH 13/28] gpo: Do not get templates list on first run
+Subject: [PATCH 13/25] gpo: Do not get templates list on first run
 This is a visual fix and has no impact on functionality apart from
 cleaner log messages.
@ -997,13 +997,13 @@ index cd5e54f1110..559c903e1a2 100644
         if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE:
             self.unapply(guid, attribute, old_val)
 -- 
-2.45.2
+2.41.0
 From e8a6219181f2af87813b53fd09684650c1aa6f90 Mon Sep 17 00:00:00 2001
 From: David Mulder <dmulder@samba.org>
 Date: Fri, 5 Jan 2024 08:47:07 -0700
-Subject: [PATCH 14/28] gp: Skip site GP list if no site is found
+Subject: [PATCH 14/25] gp: Skip site GP list if no site is found
 [MS-GPOL] 3.2.5.1.4 Site Search says if the site
 search returns ERROR_NO_SITENAME, the GP site
@ -1065,13 +1065,13 @@ index 617ef79350c..babd8f90748 100644
     # (L)ocal
     gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy",
 -- 
-2.45.2
+2.41.0
 From d0d1a890d6f2466691fa4ee663232ee0bd1c3776 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 22 Jan 2024 14:14:30 +0100
-Subject: [PATCH 15/28] python:gp: Avoid path check for cepces-submit
+Subject: [PATCH 15/25] python:gp: Avoid path check for cepces-submit
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -1111,13 +1111,13 @@ index 559c903e1a2..7325d5132cf 100644
                   '%s --server=%s --auth=%s' % (cepces_submit,
                   ca['hostname'], auth)],
 -- 
-2.45.2
+2.41.0
 From 7f6c9a4945635c6eb8ada2255bd0febbf0f4e540 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 22 Jan 2024 14:07:47 +0100
-Subject: [PATCH 16/28] python:gp: Improve logging for certificate enrollment
+Subject: [PATCH 16/25] python:gp: Improve logging for certificate enrollment
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -1171,13 +1171,13 @@ index 7325d5132cf..a25a9678587 100644
     getcert = which('getcert')
     cepces_submit = find_cepces_submit()
 -- 
-2.45.2
+2.41.0
 From 5321d5b5bd24d7659743576f2e12a7dc0a93a828 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 22 Jan 2024 15:04:36 +0100
-Subject: [PATCH 17/28] python:gp: Do not print an error, if CA already exists
+Subject: [PATCH 17/25] python:gp: Do not print an error, if CA already exists
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -1217,13 +1217,13 @@ index a25a9678587..0b23cd688db 100644
         for template in supported_templates:
             attrs = fetch_template_attrs(ldb, template)
 -- 
-2.45.2
+2.41.0
 From 6a7a8a4090b8cdb8e71f4ad590260ceeda253ce2 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 22 Jan 2024 15:05:02 +0100
-Subject: [PATCH 18/28] python:gp: Do not print an error if template already
+Subject: [PATCH 18/25] python:gp: Do not print an error if template already
 exists
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -1264,13 +1264,13 @@ index 0b23cd688db..db681cb6f69 100644
             data['templates'].append(nickname)
         if update is not None:
 -- 
-2.45.2
+2.41.0
 From 43dc3d5d833bc1db885eb45402decd3225a7c946 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 22 Jan 2024 15:05:24 +0100
-Subject: [PATCH 19/28] python:gp: Log an error if update fails
+Subject: [PATCH 19/25] python:gp: Log an error if update fails
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -1301,13 +1301,13 @@ index db681cb6f69..c8ad2039dc6 100644
         log.warn('certmonger and cepces must be installed for ' +
                  'certificate auto enrollment to work')
 -- 
-2.45.2
+2.41.0
 From d8276d6a098d10f405b8f24c4dfb82af4496607c Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 22 Jan 2024 15:46:24 +0100
-Subject: [PATCH 20/28] python:gp: Improve working of log messages to avoid
+Subject: [PATCH 20/25] python:gp: Improve working of log messages to avoid
 confusion
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -1354,13 +1354,13 @@ index c8ad2039dc6..2b7f7d22c2b 100644
             log.warn('Installing the server certificate only.')
             der_certificate = base64.b64decode(ca['cACertificate'])
 -- 
-2.45.2
+2.41.0
 From 585357bf0d8889747a2769c2451ee34766087d95 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 29 Jan 2024 17:46:30 +0100
-Subject: [PATCH 21/28] python:gp: Fix logging with gp
+Subject: [PATCH 21/25] python:gp: Fix logging with gp
 This allows enable INFO level logging with: `samba-gpupdate -d3`
@ -1396,13 +1396,13 @@ index a74a8707d50..c3de32825db 100644
     logger.setLevel(logging.CRITICAL)
     if log_level == 1:
 -- 
-2.45.2
+2.41.0
-From 14ceb0b5f2f954bbabdaf78b8185fc515e3c8294 Mon Sep 17 00:00:00 2001
+From c188f44cf1037f751763db853ab3758d564c0bcd Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
 Date: Wed, 13 Mar 2024 13:55:41 +0100
-Subject: [PATCH 22/28] docs-xml: Add parameter all_groupmem to idmap_ad
+Subject: [PATCH 22/25] docs-xml: Add parameter all_groupmem to idmap_ad
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -1438,13 +1438,13 @@ index b364bbfa231..de6d36afe95 100644
 		<listitem><para>This parameter is a list of OUs from
 		which objects will not be mapped via the ad idmap
 -- 
-2.45.2
+2.41.0
-From ac4184c8c3220263cb6f1a46a012533ed1c4e047 Mon Sep 17 00:00:00 2001
+From 270121c01a04e81704c33e1ce72fe3679dc55911 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
 Date: Tue, 12 Mar 2024 13:20:24 +0100
-Subject: [PATCH 23/28] s3:winbindd: Improve performance of lookup_groupmem()
+Subject: [PATCH 23/25] s3:winbindd: Improve performance of lookup_groupmem()
 in idmap_ad
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -1521,13 +1521,13 @@ index d7a665abbc6..e625aa6473f 100644
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
 -- 
-2.45.2
+2.41.0
-From d0e2002efcc37055b35c351a6b936e6ab89fad32 Mon Sep 17 00:00:00 2001
+From 4f9f3c9b8d5d229c0c1da17af3a457b1b49ae353 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
 Date: Mon, 25 Mar 2024 22:38:18 +0100
-Subject: [PATCH 24/28] selftest: Add "winbind expand groups = 1" to
+Subject: [PATCH 24/25] selftest: Add "winbind expand groups = 1" to
 setup_ad_member_idmap_ad
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -1537,7 +1537,7 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
 Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
-(backported from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a)
+(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a)
 ---
 selftest/target/Samba3.pm | 1 +
 1 file changed, 1 insertion(+)
@ -1555,13 +1555,13 @@ index 44ac4a5901a..606c65f8ab1 100755
 	my $ret = $self->provision(
 -- 
-2.45.2
+2.41.0
-From 9625b6aed981aa4e70fe11d9d1acdb54db7591a3 Mon Sep 17 00:00:00 2001
+From 569d942a39154bcf1267339bbb79253ac8c89416 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
 Date: Thu, 14 Mar 2024 15:24:21 +0100
-Subject: [PATCH 25/28] tests: Add a test for "all_groups=no" to
+Subject: [PATCH 25/25] tests: Add a test for "all_groups=no" to
 test_idmap_ad.sh
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@ -1628,160 +1628,5 @@ index 7ae112ada71..1d4bd395ba9 100755
 changetype: delete
 EOF
 -- 
-2.45.2
+2.41.0
 From e5890e63c35a4a5af29ae16e6dd734c4a3a304cc Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Tue, 28 May 2024 13:51:53 +0200
 Subject: [PATCH 26/28] s3:libads: Allow get_kdc_ip_string() to lookup the KDCs
 IP
 Remove the requirement to provide an IP address. We should look up the
 IP of the KDC and use it for the specified realm/workgroup.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 (cherry picked from commit 28aa0b815baf4668e3df01d52597c40fd430e2fb)
 ---
 source3/libads/kerberos.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
 diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
 index 50f4a6de3c6..ddf97c11973 100644
 --- a/source3/libads/kerberos.c
 +++ b/source3/libads/kerberos.c
@@ -437,23 +437,23 @@ static char *get_kdc_ip_string(char *mem_ctx,
 	char *kdc_str = NULL;
 	char *canon_sockaddr = NULL;
 -	SMB_ASSERT(pss != NULL);
 -
 -	canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
 -	if (canon_sockaddr == NULL) {
 -		goto out;
 -	}
 +	if (pss != NULL) {
 +		canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
 +		if (canon_sockaddr == NULL) {
 +			goto out;
 +		}
 -	kdc_str = talloc_asprintf(frame,
 -				  "\t\tkdc = %s\n",
 -				  canon_sockaddr);
 -	if (kdc_str == NULL) {
 -		goto out;
 -	}
 +		kdc_str = talloc_asprintf(frame,
 +					  "\t\tkdc = %s\n",
 +					  canon_sockaddr);
 +		if (kdc_str == NULL) {
 +			goto out;
 +		}
 -	ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
 -	if (!ok) {
 -		goto out;
 +		ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
 +		if (!ok) {
 +			goto out;
 +		}
 	}
 	/*
 -- 
 2.45.2
 From 96a1ecd8db249fa03db60259cf76fdef9c1bd749 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Tue, 28 May 2024 13:53:51 +0200
 Subject: [PATCH 27/28] s3:libads: Do not fail if we don't get an IP passed
 down
 The IP should be optional and we should look it up if not provided.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 (cherry picked from commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2)
 ---
 source3/libads/kerberos.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
 index ddf97c11973..f74d8eb567c 100644
 --- a/source3/libads/kerberos.c
 +++ b/source3/libads/kerberos.c
@@ -704,7 +704,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 		return false;
 	}
 -	if (domain == NULL || pss == NULL) {
 +	if (domain == NULL) {
 		return false;
 	}
 -- 
 2.45.2
 From 4934642b7a7d92c6d81ba25ef6e4b66e3805f708 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Tue, 28 May 2024 13:54:24 +0200
 Subject: [PATCH 28/28] s3:winbind: Fix idmap_ad creating an invalid local
 krb5.conf
 In case of a trusted domain, we are providing the realm of the primary
 trust but specify the KDC IP of the trusted domain. This leads to
 Kerberos ticket requests to the trusted domain KDC which doesn't know
 about the machine account. However we need a ticket from our primary
 trust KDC.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 (backported from commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee)
 ---
 source3/winbindd/idmap_ad.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
 diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
 index 5c9fe07db95..b8002825161 100644
 --- a/source3/winbindd/idmap_ad.c
 +++ b/source3/winbindd/idmap_ad.c
@@ -320,7 +320,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 				       struct tldap_context **pld)
 {
 	struct netr_DsRGetDCNameInfo *dcinfo;
 -	struct sockaddr_storage dcaddr;
 +	struct sockaddr_storage dcaddr = {
 +		.ss_family = AF_UNSPEC,
 +	};
 +	struct sockaddr_storage *pdcaddr = NULL;
 	struct cli_credentials *creds;
 	struct loadparm_context *lp_ctx;
 	struct tldap_context *ld;
@@ -362,9 +365,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 	 * create_local_private_krb5_conf_for_domain() can deal with
 	 * sitename==NULL
 	 */
 +	if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup()))
 +	{
 +		pdcaddr = &dcaddr;
 +	}
 	ok = create_local_private_krb5_conf_for_domain(
 -		lp_realm(), lp_workgroup(), sitename, &dcaddr);
 +		lp_realm(), lp_workgroup(), sitename, pdcaddr);
 	TALLOC_FREE(sitename);
 	if (!ok) {
 		DBG_DEBUG("Could not create private krb5.conf\n");
 -- 
 2.45.2
--- a/SOURCES/smb.conf.vendor
+++ b/SOURCES/smb.conf.vendor
@ -18,9 +18,6 @@
 	load printers = yes
 	cups options = raw
 	# Install samba-usershares package for support
 	include = /etc/samba/usershares.conf
 [homes]
 	comment = Home Directories
 	valid users = %S, %D%w%S
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec