20 changed files with 2840 additions and 3223 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/samba-4.15.5.tar.xz
+SOURCES/samba-4.19.4.tar.xz
 SOURCES/samba-pubkey_AA99442FB680B620.gpg
--- a/.samba.metadata
+++ b/.samba.metadata
@ -1,2 +1,2 @@
-f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz
+6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz
 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg
--- a/SOURCES/samba-4.15.5.tar.asc
+++ b/SOURCES/samba-4.15.5.tar.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA
 tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX
 KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9
 j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt
 b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY
 0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v
 /2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj
 +rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9
 g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y
 5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ
 f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB
 OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo=
 =oc6g
 -----END PGP SIGNATURE-----
--- a/SOURCES/samba-4.19-redhat.patch
+++ b/SOURCES/samba-4.19-redhat.patch
--- a/SOURCES/samba-4.19.4.tar.asc
+++ b/SOURCES/samba-4.19.4.tar.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
 tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
 Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
 2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
 XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
 iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
 svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
 JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
 ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
 vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
 +NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
 1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
 =kOPP
 -----END PGP SIGNATURE-----
--- a/SOURCES/samba-ctdb-etcd-reclock.patch
+++ b/SOURCES/samba-ctdb-etcd-reclock.patch
@ -1,30 +0,0 @@
 From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
 From: Martin Schwenke <martin@meltin.net>
 Date: Tue, 27 Apr 2021 15:46:14 +1000
 Subject: [PATCH] utils: Use Python 3
 Due to the number of flake8 and pylint warnings it is unclear if the
 source has Python 3 incompatibilities.  These will be cleaned up in
 subsequent commits.
 Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
 Reviewed-by: Martin Schwenke <martin@meltin.net>
 Reviewed-by: David Disseldorp <ddiss@samba.org>
 Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
 ---
 ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
 index 000c6bb7208..7f5194eff0a 100755
 --- a/ctdb/utils/etcd/ctdb_etcd_lock
 +++ b/ctdb/utils/etcd/ctdb_etcd_lock
@@ -1,4 +1,4 @@
 -#!/usr/bin/python
 +#!/usr/bin/env python3
 #
 #    This program is free software: you can redistribute it and/or modify
 #    it under the terms of the GNU General Public License as published by
 -- 
 2.31.1
--- a/SOURCES/samba-disable-ntlmssp.patch
+++ b/SOURCES/samba-disable-ntlmssp.patch
@ -1,764 +0,0 @@
 From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Fri, 10 Dec 2021 16:08:04 +0100
 Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 (cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
 ---
 source3/utils/net_ads.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
 diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
 index 6ab4a0096b1..8f993f9ba4c 100644
 --- a/source3/utils/net_ads.c
 +++ b/source3/utils/net_ads.c
@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
 	char *cp;
 	const char *realm = NULL;
 	bool tried_closest_dc = false;
 +	enum credentials_use_kerberos krb5_state =
 +		CRED_USE_KERBEROS_DISABLED;
 	/* lp_realm() should be handled by a command line param,
 	   However, the join requires that realm be set in smb.conf
@@ -650,10 +652,28 @@ retry:
 		ads->auth.password = smb_xstrdup(c->opt_password);
 	}
 -	ads->auth.flags |= auth_flags;
 	SAFE_FREE(ads->auth.user_name);
 	ads->auth.user_name = smb_xstrdup(c->opt_user_name);
 +	ads->auth.flags |= auth_flags;
 +
 +	/* The ADS code will handle FIPS mode */
 +	krb5_state = cli_credentials_get_kerberos_state(c->creds);
 +	switch (krb5_state) {
 +	case CRED_USE_KERBEROS_REQUIRED:
 +		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
 +		ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
 +		break;
 +	case CRED_USE_KERBEROS_DESIRED:
 +		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
 +		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
 +		break;
 +	case CRED_USE_KERBEROS_DISABLED:
 +		ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
 +		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
 +		break;
 +	}
 +
        /*
         * If the username is of the form "name@realm",
         * extract the realm and convert to upper case.
 -- 
 2.33.1
 From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Wed, 8 Dec 2021 16:05:17 +0100
 Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 (cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
 ---
 source3/libads/sasl.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
 diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
 index 60fa2bf80cb..b91e2d15bcf 100644
 --- a/source3/libads/sasl.c
 +++ b/source3/libads/sasl.c
@@ -1,18 +1,18 @@
 -/* 
 +/*
    Unix SMB/CIFS implementation.
    ads sasl code
    Copyright (C) Andrew Tridgell 2001
 -   
 +
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
 -   
 +
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 -   
 +
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
 	.disconnect	= ads_sasl_gensec_disconnect
 };
 -/* 
 +/*
    perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
    we fit on one socket??)
 */
@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
 #endif /* HAVE_KRB5 */
 -/* 
 +/*
    this performs a SASL/SPNEGO bind
 */
 static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	file_save("sasl_spnego.dat", blob.data, blob.length);
 #endif
 -	/* the server sent us the first part of the SPNEGO exchange in the negprot 
 +	/* the server sent us the first part of the SPNEGO exchange in the negprot
 	   reply */
 	if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
 			OIDs[0] == NULL) {
@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 #ifdef HAVE_KRB5
 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
 -	    got_kerberos_mechanism) 
 +	    got_kerberos_mechanism)
 	{
 		mech = "KRB5";
@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 				  "calling kinit\n", ads_errstr(status)));
 		}
 -		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
 +		status = ADS_ERROR_KRB5(ads_kinit_password(ads));
 		if (ADS_ERR_OK(status)) {
 			status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 		}
 		/* only fallback to NTLMSSP if allowed */
 -		if (ADS_ERR_OK(status) || 
 +		if (ADS_ERR_OK(status) ||
 		    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
 			goto done;
 		}
@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 #endif
 	/* lets do NTLMSSP ... this has the big advantage that we don't need
 -	   to sync clocks, and we don't rely on special versions of the krb5 
 +	   to sync clocks, and we don't rely on special versions of the krb5
 	   library for HMAC_MD4 encryption */
 	mech = "NTLMSSP";
 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
 -- 
 2.33.1
 From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Thu, 9 Dec 2021 13:43:08 +0100
 Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 (cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
 ---
 source3/libads/sasl.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
 index b91e2d15bcf..992f7022a69 100644
 --- a/source3/libads/sasl.c
 +++ b/source3/libads/sasl.c
@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
 			 "for %s/%s with user[%s] realm[%s]: %s, "
 -			 "fallback to NTLMSSP\n",
 +			 "try to fallback to NTLMSSP\n",
 			 p.service, p.hostname,
 			 ads->auth.user_name,
 			 ads->auth.realm,
@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	   to sync clocks, and we don't rely on special versions of the krb5
 	   library for HMAC_MD4 encryption */
 	mech = "NTLMSSP";
 +
 +	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
 +		DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
 +			    " disallowed.\n");
 +		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
 +		goto done;
 +	}
 +
 	status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
 					     CRED_USE_KERBEROS_DISABLED,
 					     p.service, p.hostname,
 -- 
 2.33.1
 From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Fri, 7 Jan 2022 10:31:19 +0100
 Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 (cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
 ---
 source3/libads/sasl.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
 diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
 index 992f7022a69..ea98aa47ecd 100644
 --- a/source3/libads/sasl.c
 +++ b/source3/libads/sasl.c
@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 							p.service, p.hostname,
 							blob);
 			if (!ADS_ERR_OK(status)) {
 -				DEBUG(0,("kinit succeeded but "
 -					"ads_sasl_spnego_gensec_bind(KRB5) failed "
 -					"for %s/%s with user[%s] realm[%s]: %s\n",
 +				DBG_ERR("kinit succeeded but "
 +					"SPNEGO bind with Kerberos failed "
 +					"for %s/%s - user[%s], realm[%s]: %s\n",
 					p.service, p.hostname,
 					ads->auth.user_name,
 					ads->auth.realm,
 -					ads_errstr(status)));
 +					ads_errstr(status));
 			}
 		}
@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 			goto done;
 		}
 -		DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
 -			 "for %s/%s with user[%s] realm[%s]: %s, "
 -			 "try to fallback to NTLMSSP\n",
 -			 p.service, p.hostname,
 -			 ads->auth.user_name,
 -			 ads->auth.realm,
 -			 ads_errstr(status)));
 +		DBG_WARNING("SASL bind with Kerberos failed "
 +			    "for %s/%s - user[%s], realm[%s]: %s, "
 +			    "try to fallback to NTLMSSP\n",
 +			    p.service, p.hostname,
 +			    ads->auth.user_name,
 +			    ads->auth.realm,
 +			    ads_errstr(status));
 	}
 #endif
 -- 
 2.33.1
 From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Mon, 3 Jan 2022 11:13:06 +0100
 Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
 without kerberos)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 (cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
 ---
 source3/libads/sasl.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
 index ea98aa47ecd..1bcfe0490a8 100644
 --- a/source3/libads/sasl.c
 +++ b/source3/libads/sasl.c
@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	   library for HMAC_MD4 encryption */
 	mech = "NTLMSSP";
 +	if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
 +		DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
 +		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
 +		goto done;
 +	}
 +
 	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
 		DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
 			    " disallowed.\n");
 -- 
 2.33.1
 From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Mon, 3 Jan 2022 15:33:46 +0100
 Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
 connections
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 (cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
 ---
 .../test_weak_disable_ntlmssp_ldap.sh         | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
 diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
 new file mode 100755
 index 00000000000..2822ab29d14
 --- /dev/null
 +++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
@@ -0,0 +1,41 @@
 +#!/bin/sh
 +# Blackbox tests for diabing NTLMSSP for ldap clinet connections
 +# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
 +
 +if [ $# -lt 2 ]; then
 +cat <<EOF
 +Usage: $0 USERNAME PASSWORD
 +EOF
 +exit 1;
 +fi
 +
 +USERNAME=$1
 +PASSWORD=$2
 +shift 2
 +
 +failed=0
 +. `dirname $0`/subunit.sh
 +
 +samba_testparm="$BINDIR/testparm"
 +samba_net="$BINDIR/net"
 +
 +unset GNUTLS_FORCE_FIPS_MODE
 +
 +# Checks that testparm reports: Weak crypto is allowed
 +testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
 +
 +# We should be allowed to use NTLM for connecting
 +testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
 +
 +GNUTLS_FORCE_FIPS_MODE=1
 +export GNUTLS_FORCE_FIPS_MODE
 +
 +# Checks that testparm reports: Weak crypto is disallowed
 +testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
 +
 +# We should not be allowed to use NTLM for connecting
 +testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
 +
 +unset GNUTLS_FORCE_FIPS_MODE
 +
 +exit $failed
 -- 
 2.33.1
 From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Tue, 4 Jan 2022 12:00:20 +0100
 Subject: [PATCH 07/10] s4:selftest: plan test suite
 samba4.blackbox.test_weak_disable_ntlmssp_ldap
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 (cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
 ---
 source4/selftest/tests.py | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
 index 1e4b2ae6dd3..3a6a716f061 100755
 --- a/source4/selftest/tests.py
 +++ b/source4/selftest/tests.py
@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
 if have_gnutls_fips_mode_support:
     plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
 +    plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
     for env in ["ad_dc_fips", "ad_member_fips"]:
         plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
 -- 
 2.33.1
 From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Tue, 18 Jan 2022 19:47:38 +0100
 Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 (cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
 ---
 source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 19 deletions(-)
 diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
 index 948c903f165..e415df347e6 100644
 --- a/source3/winbindd/winbindd_ads.c
 +++ b/source3/winbindd/winbindd_ads.c
@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
 	if ( !winbindd_can_contact_domain( domain ) ) {
 		DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
 -			  domain->name));		
 +			  domain->name));
 		return NT_STATUS_OK;
 	}
@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
 	if ( !winbindd_can_contact_domain( domain ) ) {
 		DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
 -			  domain->name));		
 +			  domain->name));
 		return NT_STATUS_OK;
 	}
@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
 	 * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
 	 * default value, it MUST be absent. In case of extensible matching the
 	 * "dnattr" boolean defaults to FALSE and so it must be only be present
 -	 * when set to TRUE. 
 +	 * when set to TRUE.
 	 *
 	 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
 	 * filter using bitwise matching rule then the buggy AD fails to decode
@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
 	 *
 	 * Thanks to Ralf Haferkamp for input and testing - Guenther */
 -	filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", 
 +	filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
 				 ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
 -				 ADS_LDAP_MATCHING_RULE_BIT_AND, 
 +				 ADS_LDAP_MATCHING_RULE_BIT_AND,
 				 enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
 	if (filter == NULL) {
@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
 	DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
 done:
 -	if (res) 
 +	if (res)
 		ads_msgfree(ads, res);
 	return status;
@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
 				struct wb_acct_info **info)
 {
 	/*
 -	 * This is a stub function only as we returned the domain 
 +	 * This is a stub function only as we returned the domain
 	 * local groups in enum_dom_groups() if the domain->native field
 	 * was true.  This is a simple performance optimization when
 	 * using LDAP.
 	 *
 -	 * if we ever need to enumerate domain local groups separately, 
 +	 * if we ever need to enumerate domain local groups separately,
 	 * then this optimization in enum_dom_groups() will need
 	 * to be split out
 	 */
@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
    tokenGroups are not available. */
 static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
 					 TALLOC_CTX *mem_ctx,
 -					 const char *user_dn, 
 +					 const char *user_dn,
 					 struct dom_sid *primary_group,
 					 uint32_t *p_num_groups, struct dom_sid **user_sids)
 {
@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
 	if ( !winbindd_can_contact_domain( domain ) ) {
 		DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
 -			  domain->name));		
 +			  domain->name));
 		return NT_STATUS_OK;
 	}
@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
 	DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
 done:
 -	if (res) 
 +	if (res)
 		ads_msgfree(ads, res);
 	return status;
@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 	if (count != 1) {
 		status = NT_STATUS_UNSUCCESSFUL;
 		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
 -			 "invalid number of results (count=%d)\n", 
 +			 "invalid number of results (count=%d)\n",
 			 dom_sid_str_buf(sid, &buf),
 			 count));
 		goto done;
 	}
 	if (!msg) {
 -		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", 
 +		DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
 			 dom_sid_str_buf(sid, &buf)));
 		status = NT_STATUS_UNSUCCESSFUL;
 		goto done;
@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 	}
 	if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
 -		DEBUG(1,("%s: No primary group for sid=%s !?\n", 
 +		DEBUG(1,("%s: No primary group for sid=%s !?\n",
 			 domain->name,
 			 dom_sid_str_buf(sid, &buf)));
 		goto done;
@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 	count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
 -	/* there must always be at least one group in the token, 
 +	/* there must always be at least one group in the token,
 	   unless we are talking to a buggy Win2k server */
 	/* actually this only happens when the machine account has no read
@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 		/* lookup what groups this user is a member of by DN search on
 		 * "member" */
 -		status = lookup_usergroups_member(domain, mem_ctx, user_dn, 
 +		status = lookup_usergroups_member(domain, mem_ctx, user_dn,
 						  &primary_group,
 						  &num_groups, user_sids);
 		*p_num_groups = num_groups;
@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 			DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
 				   "not map any SIDs at all.\n"));
 			/* Don't handle this as an error here.
 -			 * There is nothing left to do with respect to the 
 +			 * There is nothing left to do with respect to the
 			 * overall result... */
 		}
 		else if (!NT_STATUS_IS_OK(status)) {
@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
 			NETR_TRUST_FLAG_IN_FOREST;
 	} else {
 		flags = NETR_TRUST_FLAG_IN_FOREST;
 -	}	
 +	}
 	result = cm_connect_netlogon(domain, &cli);
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(5, ("trusted_domains: Could not open a connection to %s "
 -			  "for PIPE_NETLOGON (%s)\n", 
 +			  "for PIPE_NETLOGON (%s)\n",
 			  domain->name, nt_errstr(result)));
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 -- 
 2.33.1
 From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Tue, 18 Jan 2022 19:44:54 +0100
 Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
 mode
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 (cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
 ---
 source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
 diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
 index e415df347e6..6f01ef6e334 100644
 --- a/source3/winbindd/winbindd_ads.c
 +++ b/source3/winbindd/winbindd_ads.c
@@ -34,6 +34,7 @@
 #include "../libds/common/flag_mapping.h"
 #include "libsmb/samlogon_cache.h"
 #include "passdb.h"
 +#include "auth/credentials/credentials.h"
 #ifdef HAVE_ADS
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 	ADS_STATUS status;
 	struct sockaddr_storage dc_ss;
 	fstring dc_name;
 +	enum credentials_use_kerberos krb5_state;
 	if (auth_realm == NULL) {
 		return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 	ads->auth.renewable = renewable;
 	ads->auth.password = password;
 -	ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
 +	/* In FIPS mode, client use kerberos is forced to required. */
 +	krb5_state = lp_client_use_kerberos();
 +	switch (krb5_state) {
 +	case CRED_USE_KERBEROS_REQUIRED:
 +		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
 +		ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
 +		break;
 +	case CRED_USE_KERBEROS_DESIRED:
 +		ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
 +		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
 +		break;
 +	case CRED_USE_KERBEROS_DISABLED:
 +		ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
 +		ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
 +		break;
 +	}
 	ads->auth.realm = SMB_STRDUP(auth_realm);
 	if (!strupper_m(ads->auth.realm)) {
 -- 
 2.33.1
 From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Fri, 21 Jan 2022 12:01:33 +0100
 Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
 mode
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Stefan Metzmacher <metze@samba.org>
 Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
 Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
 (cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
 ---
 source3/libnet/libnet_join.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
 index 02705f1c70c..4c67e9af5c4 100644
 --- a/source3/libnet/libnet_join.c
 +++ b/source3/libnet/libnet_join.c
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
 	ADS_STATUS status;
 	ADS_STRUCT *my_ads = NULL;
 	char *cp;
 +	enum credentials_use_kerberos krb5_state;
 	my_ads = ads_init(dns_domain_name,
 			  netbios_domain_name,
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 	}
 -	my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
 +	/* In FIPS mode, client use kerberos is forced to required. */
 +	krb5_state = lp_client_use_kerberos();
 +	switch (krb5_state) {
 +	case CRED_USE_KERBEROS_REQUIRED:
 +		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
 +		my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
 +		break;
 +	case CRED_USE_KERBEROS_DESIRED:
 +		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
 +		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
 +		break;
 +	case CRED_USE_KERBEROS_DISABLED:
 +		my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
 +		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
 +		break;
 +	}
 	if (user_name) {
 		SAFE_FREE(my_ads->auth.user_name);
 -- 
 2.33.1
--- a/SOURCES/samba-disable-systemd-notifications.patch
+++ b/SOURCES/samba-disable-systemd-notifications.patch
@ -1,36 +0,0 @@
 From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
 From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
 Date: Mon, 24 Jan 2022 22:14:31 -0500
 Subject: [PATCH] printing/bgqd: Disable systemd notifications
 samba-bgqd daemon is started by existing Samba daemons. When running
 under systemd, those daemons control systemd notifications and
 samba-bgqd messages need to be silenced.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
 Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
 Reviewed-by: Alexander Bokovoy <ab@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
 (cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
 ---
 source3/printing/samba-bgqd.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
 index f21327fc622..59ed0cc40db 100644
 --- a/source3/printing/samba-bgqd.c
 +++ b/source3/printing/samba-bgqd.c
@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
 	log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
 +	/* main process will notify systemd */
 +	daemon_sd_notifications(false);
 +
 	if (!cmdline_daemon_cfg->fork) {
 		daemon_status(progname, "Starting process ... ");
 	} else {
 -- 
 2.34.1
--- a/SOURCES/samba-glibc-dns.patch
+++ b/SOURCES/samba-glibc-dns.patch
@ -1,64 +0,0 @@
 From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Thu, 7 Oct 2021 15:55:37 +0200
 Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34
 With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
 anymore. The res_* symbols have been moved from libresolv to libc. We are not
 able to intercept any traffic inside of libc.
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
 Reviewed-by: Alexander Bokovoy <ab@samba.org>
 ---
 selftest/wscript                   |  2 +-
 third_party/resolv_wrapper/wscript | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 diff --git a/selftest/wscript b/selftest/wscript
 index a6be06c2ae9..85d9338489a 100644
 --- a/selftest/wscript
 +++ b/selftest/wscript
@@ -252,7 +252,7 @@ def cmd_testonly(opt):
     if os.environ.get('USE_NAMESPACES') is None:
         env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
 -    if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'):
 +    if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
         env.OPTIONS += " --use-dns-faking"
     if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
 diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
 index a7f18389b0f..7e369bd90b5 100644
 --- a/third_party/resolv_wrapper/wscript
 +++ b/third_party/resolv_wrapper/wscript
@@ -1,6 +1,7 @@
 #!/usr/bin/env python
 import os
 +from waflib import Logs
 VERSION="1.1.7"
@@ -49,6 +50,18 @@ def configure(conf):
         if conf.CONFIG_SET('HAVE_RES_NCLOSE'):
             conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1)
 +        # If we find res_nquery in libc, we can't do resolv.conf redirect
 +        conf.CHECK_FUNCS('res_nquery __res_nquery')
 +        if (conf.CONFIG_SET('HAVE_RES_NQUERY')
 +                or conf.CONFIG_SET('HAVE___RES_NQUERY')):
 +            Logs.warn("Detection for resolv_wrapper: "
 +                      "Only dns faking will be available")
 +        else:
 +            if conf.CHECK_FUNCS('res_nquery', lib='resolv'):
 +                conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
 +            if conf.CHECK_FUNCS('__res_nquery', lib='resolv'):
 +                conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
 +
         conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True)
         conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True)
         conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True)
 -- 
 2.33.1
--- a/SOURCES/samba-password-change-prompt.patch
+++ b/SOURCES/samba-password-change-prompt.patch
@ -1,100 +0,0 @@
 From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Wed, 17 Nov 2021 09:56:09 +0100
 Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
 off).
 This change disables the prompt for the change of an expired password by
 default (using the PAM_RADIO_TYPE mechanism if present).
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
 Guenther
 Signed-off-by: Guenther Deschner <gd@samba.org>
 Reviewed-by: Alexander Bokovoy <ab@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
 (cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
 ---
 docs-xml/manpages/pam_winbind.conf.5.xml |  7 +++++++
 nsswitch/pam_winbind.c                   | 12 ++++++++++--
 nsswitch/pam_winbind.h                   |  1 +
 3 files changed, 18 insertions(+), 2 deletions(-)
 diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
 index 0bc288f91a1..bae9298fc32 100644
 --- a/docs-xml/manpages/pam_winbind.conf.5.xml
 +++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -194,6 +194,13 @@
 		</para></listitem>
 		</varlistentry>
 +		<varlistentry>
 +		<term>pwd_change_prompt = yes|no</term>
 +		<listitem><para>
 +			Generate prompt for changing an expired password. Defaults to "no".
 +		</para></listitem>
 +		</varlistentry>
 +
 		</variablelist>
 	</para>
 diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
 index 720a4b90d85..06098dd07d8 100644
 --- a/nsswitch/pam_winbind.c
 +++ b/nsswitch/pam_winbind.c
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
 		ctrl |= WINBIND_MKHOMEDIR;
 	}
 +	if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
 +		ctrl |= WINBIND_PWD_CHANGE_PROMPT;
 +	}
 +
 config_from_pam:
 	/* step through arguments */
 	for (i=argc,v=argv; i-- > 0; ++v) {
@@ -522,6 +526,8 @@ config_from_pam:
 		else if (!strncasecmp(*v, "warn_pwd_expire",
 			strlen("warn_pwd_expire")))
 			ctrl |= WINBIND_WARN_PWD_EXPIRE;
 +		else if (!strcasecmp(*v, "pwd_change_prompt"))
 +			ctrl |= WINBIND_PWD_CHANGE_PROMPT;
 		else if (type != PAM_WINBIND_CLEANUP) {
 			__pam_log(pamh, ctrl, LOG_ERR,
 				 "pam_parse: unknown option: %s", *v);
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
 		 * successfully sent the warning message.
 		 * Give the user a chance to change pwd.
 		 */
 -		if (ret == PAM_SUCCESS) {
 +		if (ret == PAM_SUCCESS &&
 +		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
 			if (change_pwd) {
 				retval = _pam_winbind_change_pwd(ctx);
 				if (retval) {
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
 		 * successfully sent the warning message.
 		 * Give the user a chance to change pwd.
 		 */
 -		if (ret == PAM_SUCCESS) {
 +		if (ret == PAM_SUCCESS &&
 +		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
 			if (change_pwd) {
 				retval = _pam_winbind_change_pwd(ctx);
 				if (retval) {
 diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
 index c6786d65a4d..2f4a25729bd 100644
 --- a/nsswitch/pam_winbind.h
 +++ b/nsswitch/pam_winbind.h
@@ -157,6 +157,7 @@ do {                             \
 #define WINBIND_WARN_PWD_EXPIRE		0x00002000
 #define WINBIND_MKHOMEDIR		0x00004000
 #define WINBIND_TRY_AUTHTOK_ARG		0x00008000
 +#define WINBIND_PWD_CHANGE_PROMPT	0x00010000
 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
 #define _(string) dgettext(MODULE_NAME, string)
 -- 
 2.35.1
--- a/SOURCES/samba-printing-win7.patch
+++ b/SOURCES/samba-printing-win7.patch
@ -1,229 +0,0 @@
 From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Sat, 22 Jan 2022 01:08:26 +0100
 Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
 This is important for the source3/rpc_server code as it might
 be called embedded in smbd and may not run as root with access
 to our private tdb/ldb files.
 Note this is only really needed for 4.15 and older, as
 we no longer run the rpc_server embedded in smbd,
 but we better be consistent for now.
 This should be able to fix the problem the printing no longer works
 on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
 Windows uses NTLMSSP with privacy at the DCERPC layer on top
 of NCACN_NP (smb).
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
 Signed-off-by: Stefan Metzmacher <metze@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
 (cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
 ---
 librpc/rpc/dcesrv_auth.c         |  5 +++++
 librpc/rpc/dcesrv_core.c         | 18 ++++++++++++++++++
 librpc/rpc/dcesrv_core.h         |  2 ++
 source3/rpc_server/rpc_config.c  |  2 ++
 source4/rpc_server/service_rpc.c | 10 ++++++++++
 5 files changed, 37 insertions(+)
 diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
 index fec8df513a83..99d8e0162160 100644
 --- a/librpc/rpc/dcesrv_auth.c
 +++ b/librpc/rpc/dcesrv_auth.c
@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
 	auth->auth_level = call->in_auth_info.auth_level;
 	auth->auth_context_id = call->in_auth_info.auth_context_id;
 +	cb->auth.become_root();
 	status = cb->auth.gensec_prepare(
 		auth,
 		call,
 		&auth->gensec_security,
 		cb->auth.private_data);
 +	cb->auth.unbecome_root();
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
 			  nt_errstr(status)));
@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
 {
 	struct dcesrv_auth *auth = call->auth_state;
 +	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
 	const char *pdu = "<unknown>";
 	switch (call->pkt.ptype) {
@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
 		return status;
 	}
 +	cb->auth.become_root();
 	status = gensec_session_info(auth->gensec_security,
 				     auth,
 				     &auth->session_info);
 +	cb->auth.unbecome_root();
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to establish session_info: %s\n",
 			  nt_errstr(status)));
 diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
 index d16159b0b6cd..ea91fc689b4a 100644
 --- a/librpc/rpc/dcesrv_core.c
 +++ b/librpc/rpc/dcesrv_core.c
@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 	struct dcerpc_binding *ep_2nd_description = NULL;
 	const char *endpoint = NULL;
 	struct dcesrv_auth *auth = call->auth_state;
 +	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
 	struct dcerpc_ack_ctx *ack_ctx_list = NULL;
 	struct dcerpc_ack_ctx *ack_features = NULL;
 	struct tevent_req *subreq = NULL;
@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 		return dcesrv_auth_reply(call);
 	}
 +	cb->auth.become_root();
 	subreq = gensec_update_send(call, call->event_ctx,
 				    auth->gensec_security,
 				    call->in_auth_info.credentials);
 +	cb->auth.unbecome_root();
 	if (subreq == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
 		tevent_req_callback_data(subreq,
 		struct dcesrv_call_state);
 	struct dcesrv_connection *conn = call->conn;
 +	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
 	NTSTATUS status;
 +	cb->auth.become_root();
 	status = gensec_update_recv(subreq, call,
 				    &call->out_auth_info->credentials);
 +	cb->auth.unbecome_root();
 	TALLOC_FREE(subreq);
 	status = dcesrv_auth_complete(call, status);
@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
 {
 	struct dcesrv_connection *conn = call->conn;
 	struct dcesrv_auth *auth = call->auth_state;
 +	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
 	struct tevent_req *subreq = NULL;
 	NTSTATUS status;
@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
 		return NT_STATUS_OK;
 	}
 +	cb->auth.become_root();
 	subreq = gensec_update_send(call, call->event_ctx,
 				    auth->gensec_security,
 				    call->in_auth_info.credentials);
 +	cb->auth.unbecome_root();
 	if (subreq == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
 		struct dcesrv_call_state);
 	struct dcesrv_connection *conn = call->conn;
 	struct dcesrv_auth *auth = call->auth_state;
 +	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
 	NTSTATUS status;
 +	cb->auth.become_root();
 	status = gensec_update_recv(subreq, call,
 				    &call->out_auth_info->credentials);
 +	cb->auth.unbecome_root();
 	TALLOC_FREE(subreq);
 	status = dcesrv_auth_complete(call, status);
@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 	struct ncacn_packet *pkt = &call->ack_pkt;
 	uint32_t extra_flags = 0;
 	struct dcesrv_auth *auth = call->auth_state;
 +	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
 	struct dcerpc_ack_ctx *ack_ctx_list = NULL;
 	struct tevent_req *subreq = NULL;
 	size_t i;
@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 		return dcesrv_auth_reply(call);
 	}
 +	cb->auth.become_root();
 	subreq = gensec_update_send(call, call->event_ctx,
 				    auth->gensec_security,
 				    call->in_auth_info.credentials);
 +	cb->auth.unbecome_root();
 	if (subreq == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
 		tevent_req_callback_data(subreq,
 		struct dcesrv_call_state);
 	struct dcesrv_connection *conn = call->conn;
 +	struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
 	NTSTATUS status;
 +	cb->auth.become_root();
 	status = gensec_update_recv(subreq, call,
 				    &call->out_auth_info->credentials);
 +	cb->auth.unbecome_root();
 	TALLOC_FREE(subreq);
 	status = dcesrv_auth_complete(call, status);
 diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
 index d8d5f9030959..0538442e0ce6 100644
 --- a/librpc/rpc/dcesrv_core.h
 +++ b/librpc/rpc/dcesrv_core.h
@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
 			struct gensec_security **out,
 			void *private_data);
 		void *private_data;
 +		void (*become_root)(void);
 +		void (*unbecome_root)(void);
 	} auth;
 	struct {
 		NTSTATUS (*find)(
 diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
 index 2f1a01da1c0b..289c4f398409 100644
 --- a/source3/rpc_server/rpc_config.c
 +++ b/source3/rpc_server/rpc_config.c
@@ -31,6 +31,8 @@
 static struct dcesrv_context_callbacks srv_callbacks = {
 	.log.successful_authz = dcesrv_log_successful_authz,
 	.auth.gensec_prepare = dcesrv_auth_gensec_prepare,
 +	.auth.become_root = become_root,
 +	.auth.unbecome_root = unbecome_root,
 	.assoc_group.find = dcesrv_assoc_group_find,
 };
 diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
 index d8c6746d7815..ebb50f8a7ef3 100644
 --- a/source4/rpc_server/service_rpc.c
 +++ b/source4/rpc_server/service_rpc.c
@@ -40,9 +40,19 @@
 #include "../libcli/named_pipe_auth/npa_tstream.h"
 #include "samba/process_model.h"
 +static void skip_become_root(void)
 +{
 +}
 +
 +static void skip_unbecome_root(void)
 +{
 +}
 +
 static struct dcesrv_context_callbacks srv_callbacks = {
 	.log.successful_authz = log_successful_dcesrv_authz_event,
 	.auth.gensec_prepare = dcesrv_gensec_prepare,
 +	.auth.become_root = skip_become_root,
 +	.auth.unbecome_root = skip_unbecome_root,
 	.assoc_group.find = dcesrv_assoc_group_find,
 };
 -- 
 2.25.1
--- a/SOURCES/samba-s4u.patch
+++ b/SOURCES/samba-s4u.patch
@ -1,697 +0,0 @@
 From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Fri, 27 Sep 2019 18:25:03 +0300
 Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
 Signed-off-by: Isaac Boukris <iboukris@gmail.com>
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 ---
 source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
 source4/kdc/mit_samba.c                  |  47 ++-------
 source4/kdc/mit_samba.h                  |   6 +-
 3 files changed, 71 insertions(+), 106 deletions(-)
 diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
 index f35210669c2..b1c7c5dcc5e 100644
 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c
 +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
 				     krb5_keyblock *krbtgt_key,
 				     krb5_timestamp authtime,
 				     krb5_authdata **tgt_auth_data,
 -				     krb5_pac *pac)
 +				     krb5_pac *out_pac)
 {
 	struct mit_samba_context *mit_ctx;
 	krb5_authdata **authdata = NULL;
 -	krb5_pac ipac = NULL;
 -	DATA_BLOB logon_data = { NULL, 0 };
 +	krb5_keyblock *header_server_key = NULL;
 +	krb5_key_data *impersonator_kd = NULL;
 +	krb5_keyblock impersonator_key = {0};
 	krb5_error_code code;
 +	krb5_pac pac;
 +
 +	*out_pac = NULL;
 	mit_ctx = ks_get_context(context);
 	if (mit_ctx == NULL) {
@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
 	code = krb5_pac_parse(context,
 			      authdata[0]->contents,
 			      authdata[0]->length,
 -			      &ipac);
 +			      &pac);
 	if (code != 0) {
 		goto done;
 	}
 -	/* TODO: verify this is correct
 -	 *
 -	 * In the constrained delegation case, the PAC is from a service
 -	 * ticket rather than a TGT; we must verify the server and KDC
 -	 * signatures to assert that the server did not forge the PAC.
 +	/*
 +	 * For constrained delegation in MIT version < 1.18 we aren't provided
 +	 * with the 2nd ticket server key to verify the PAC.
 +	 * We can workaround that by fetching the key from the client db entry,
 +	 * which is the impersonator account in that version.
 +	 * TODO: use the provided entry in the new 1.18 version.
 	 */
 	if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
 -		code = krb5_pac_verify(context,
 -				       ipac,
 -				       authtime,
 -				       client_princ,
 -				       server_key,
 -				       krbtgt_key);
 +		/* The impersonator must be local. */
 +		if (client == NULL) {
 +			code = KRB5KDC_ERR_BADOPTION;
 +			goto done;
 +		}
 +		/* Fetch and decrypt 2nd ticket server's current key. */
 +		code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
 +					     &impersonator_kd);
 +		if (code != 0) {
 +			goto done;
 +		}
 +		code = krb5_dbe_decrypt_key_data(context, NULL,
 +						 impersonator_kd,
 +						 &impersonator_key, NULL);
 +		if (code != 0) {
 +			goto done;
 +		}
 +		header_server_key = &impersonator_key;
 	} else {
 -		code = krb5_pac_verify(context,
 -				       ipac,
 -				       authtime,
 -				       client_princ,
 -				       krbtgt_key,
 -				       NULL);
 -	}
 -	if (code != 0) {
 -		goto done;
 +		header_server_key = krbtgt_key;
 	}
 -	/* check and update PAC */
 -	code = krb5_pac_parse(context,
 -			      authdata[0]->contents,
 -			      authdata[0]->length,
 -			      pac);
 +	code = krb5_pac_verify(context, pac, authtime, client_princ,
 +			       header_server_key, NULL);
 	if (code != 0) {
 		goto done;
 	}
@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
 	code = mit_samba_reget_pac(mit_ctx,
 				   context,
 				   flags,
 -				   client_princ,
 				   client,
 				   server,
 				   krbtgt,
 				   krbtgt_key,
 -				   pac);
 +				   &pac);
 +	if (code != 0) {
 +		goto done;
 +	}
 +
 +	*out_pac = pac;
 +	pac = NULL;
 done:
 +	krb5_free_keyblock_contents(context, &impersonator_key);
 	krb5_free_authdata(context, authdata);
 -	krb5_pac_free(context, ipac);
 -	free(logon_data.data);
 +	krb5_pac_free(context, pac);
 	return code;
 }
@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 	krb5_authdata **pac_auth_data = NULL;
 	krb5_authdata **authdata = NULL;
 	krb5_boolean is_as_req;
 +	krb5_const_principal pac_client;
 	krb5_error_code code;
 	krb5_pac pac = NULL;
 	krb5_data pac_data;
@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
 -	/* FIXME: We don't support S4U yet */
 -	if (flags & KRB5_KDB_FLAGS_S4U) {
 -		return KRB5_KDB_DBTYPE_NOSUP;
 -	}
 -
 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
 	/*
@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 		ks_client_princ = client->princ;
 	}
 +	/* In protocol transition, we are currently not provided with the tgt
 +	 * client name to verify the PAC, we could probably skip the name
 +	 * verification and just verify the signatures, but since we don't
 +	 * support cross-realm nor aliases, we can just use server->princ */
 +	if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
 +		pac_client = server->princ;
 +	} else {
 +		pac_client = ks_client_princ;
 +	}
 +
 	if (client_entry == NULL) {
 		client_entry = client;
 	}
@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 			code = ks_verify_pac(context,
 					     flags,
 -					     ks_client_princ,
 +					     pac_client,
 					     client_entry,
 					     server,
 					     krbtgt,
@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 		  is_as_req ? "AS-REQ" : "TGS-REQ",
 		  client_name);
 	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
 -			server_key, krbtgt_key, &pac_data);
 +			     server_key, krbtgt_key, &pac_data);
 	if (code != 0) {
 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
 		goto done;
@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 					      KRB5_AUTHDATA_IF_RELEVANT,
 					      authdata,
 					      signed_auth_data);
 -	if (code != 0) {
 -		goto done;
 -	}
 -
 -	code = 0;
 -
 done:
 	if (client_entry != NULL && client_entry != client) {
 		ks_free_principal(context, client_entry);
@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
 	 * server; -> delegating service
 	 * proxy; -> target principal
 	 */
 -	krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
 -
 -	char *target_name = NULL;
 -	bool is_enterprise;
 -	krb5_error_code code;
 	mit_ctx = ks_get_context(context);
 	if (mit_ctx == NULL) {
 		return KRB5_KDB_DBNOTINITED;
 	}
 -	code = krb5_unparse_name(context, proxy, &target_name);
 -	if (code) {
 -		goto done;
 -	}
 -
 -	is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
 -
 -	code = mit_samba_check_s4u2proxy(mit_ctx,
 -					 delegating_service,
 -					 target_name,
 -					 is_enterprise);
 -
 -done:
 -	free(target_name);
 -	return code;
 +	return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
 }
 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
 index 4239332f0d9..acc3cba6254 100644
 --- a/source4/kdc/mit_samba.c
 +++ b/source4/kdc/mit_samba.c
@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 				    krb5_context context,
 				    int flags,
 -				    krb5_const_principal client_principal,
 				    krb5_db_entry *client,
 				    krb5_db_entry *server,
 				    krb5_db_entry *krbtgt,
@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 								  context,
 								  *pac,
 								  server->princ,
 -								  discard_const(client_principal),
 +								  client->princ,
 								  deleg_blob);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			DEBUG(0, ("Update delegation info failed: %s\n",
@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
 }
 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
 -			      krb5_db_entry *kentry,
 -			      const char *target_name,
 -			      bool is_nt_enterprise_name)
 +			      const krb5_db_entry *server,
 +			      krb5_const_principal target_principal)
 {
 -#if 1
 -	/*
 -	 * This is disabled because mit_samba_update_pac_data() does not handle
 -	 * S4U_DELEGATION_INFO
 -	 */
 -
 -	return KRB5KDC_ERR_BADOPTION;
 -#else
 -	krb5_principal target_principal;
 -	int flags = 0;
 -	int ret;
 -
 -	if (is_nt_enterprise_name) {
 -		flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
 -	}
 -
 -	ret = krb5_parse_name_flags(ctx->context, target_name,
 -				    flags, &target_principal);
 -	if (ret) {
 -		return ret;
 -	}
 -
 -	ret = samba_kdc_check_s4u2proxy(ctx->context,
 -					ctx->db_ctx,
 -					skdc_entry,
 -					target_principal);
 -
 -	krb5_free_principal(ctx->context, target_principal);
 -
 -	return ret;
 -#endif
 +	struct samba_kdc_entry *server_skdc_entry =
 +		 talloc_get_type_abort(server->e_data,
 +				       struct samba_kdc_entry);
 +
 +	return samba_kdc_check_s4u2proxy(ctx->context,
 +					 ctx->db_ctx,
 +					 server_skdc_entry,
 +					 target_principal);
 }
 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
 diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
 index 636c77ec97c..9cb00c9610e 100644
 --- a/source4/kdc/mit_samba.h
 +++ b/source4/kdc/mit_samba.h
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 				    krb5_context context,
 				    int flags,
 -				    krb5_const_principal client_principal,
 				    krb5_db_entry *client,
 				    krb5_db_entry *server,
 				    krb5_db_entry *krbtgt,
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
 				  DATA_BLOB *e_data);
 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
 -			      krb5_db_entry *kentry,
 -			      const char *target_name,
 -			      bool is_nt_enterprise_name);
 +			      const krb5_db_entry *server,
 +			      krb5_const_principal target_principal);
 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
 				      char *pwd,
 -- 
 2.33.1
 From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Fri, 27 Sep 2019 18:35:30 +0300
 Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
 Signed-off-by: Isaac Boukris <iboukris@gmail.com>
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 ---
 lib/krb5_wrap/krb5_samba.c            | 185 ++++++++++++++++++++++++++
 lib/krb5_wrap/krb5_samba.h            |   2 -
 source4/auth/kerberos/kerberos_util.c |  11 --
 3 files changed, 185 insertions(+), 13 deletions(-)
 diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
 index fff5b4e2a22..791b417d5ba 100644
 --- a/lib/krb5_wrap/krb5_samba.c
 +++ b/lib/krb5_wrap/krb5_samba.c
@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
 	return 0;
 }
 +
 +#else /* MIT */
 +
 +static bool princ_compare_no_dollar(krb5_context ctx,
 +				    krb5_principal a,
 +				    krb5_principal b)
 +{
 +	bool cmp;
 +	krb5_principal mod = NULL;
 +
 +	if (a->length == 1 && b->length == 1 &&
 +	    a->data[0].length != 0 && b->data[0].length != 0 &&
 +	    a->data[0].data[a->data[0].length -1] !=
 +	    b->data[0].data[b->data[0].length -1]) {
 +		if (a->data[0].data[a->data[0].length -1] == '$') {
 +			mod = a;
 +			mod->data[0].length--;
 +		} else if (b->data[0].data[b->data[0].length -1] == '$') {
 +			mod = b;
 +			mod->data[0].length--;
 +		}
 +	}
 +
 +	cmp = krb5_principal_compare_flags(ctx, a, b,
 +					   KRB5_PRINCIPAL_COMPARE_CASEFOLD);
 +
 +	if (mod != NULL) {
 +		mod->data[0].length++;
 +	}
 +
 +	return cmp;
 +}
 +
 +krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
 +					   krb5_ccache store_cc,
 +					   krb5_principal init_principal,
 +					   const char *init_password,
 +					   krb5_principal impersonate_principal,
 +					   const char *self_service,
 +					   const char *target_service,
 +					   krb5_get_init_creds_opt *krb_options,
 +					   time_t *expire_time,
 +					   time_t *kdc_time)
 +{
 +	krb5_error_code code;
 +	krb5_principal self_princ = NULL;
 +	krb5_principal target_princ = NULL;
 +	krb5_creds *store_creds;
 +	krb5_creds *s4u2self_creds = NULL;
 +	krb5_creds *s4u2proxy_creds = NULL;
 +	krb5_creds init_creds = {0};
 +	krb5_creds mcreds = {0};
 +	krb5_flags options = KRB5_GC_NO_STORE;
 +	krb5_ccache tmp_cc;
 +	bool s4u2proxy;
 +
 +	code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
 +	if (code != 0) {
 +		return code;
 +	}
 +
 +	code = krb5_get_init_creds_password(ctx, &init_creds,
 +					    init_principal,
 +					    init_password,
 +					    NULL, NULL,
 +					    0,
 +					    NULL,
 +					    krb_options);
 +	if (code != 0) {
 +		goto done;
 +	}
 +
 +	code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
 +	if (code != 0) {
 +		goto done;
 +	}
 +
 +	code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
 +	if (code != 0) {
 +		goto done;
 +	}
 +
 +	/*
 +	 * Check if we also need S4U2Proxy or if S4U2Self is
 +	 * enough in order to get a ticket for the target.
 +	 */
 +	if (target_service == NULL) {
 +		s4u2proxy = false;
 +	} else if (strcmp(target_service, self_service) == 0) {
 +		s4u2proxy = false;
 +	} else {
 +		s4u2proxy = true;
 +	}
 +
 +	code = krb5_parse_name(ctx, self_service, &self_princ);
 +	if (code != 0) {
 +		goto done;
 +	}
 +
 +	/* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
 +	 * client and the request server to be the same principal name. */
 +	if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
 +		code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
 +		goto done;
 +	}
 +
 +	mcreds.client = impersonate_principal;
 +	mcreds.server = init_creds.client;
 +
 +	code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
 +					     NULL, &s4u2self_creds);
 +	if (code != 0) {
 +		goto done;
 +	}
 +
 +	if (s4u2proxy) {
 +		code = krb5_parse_name(ctx, target_service, &target_princ);
 +		if (code != 0) {
 +			goto done;
 +		}
 +
 +		mcreds.client = init_creds.client;
 +		mcreds.server = target_princ;
 +		mcreds.second_ticket = s4u2self_creds->ticket;
 +
 +		code = krb5_get_credentials(ctx, options |
 +					    KRB5_GC_CONSTRAINED_DELEGATION,
 +					    tmp_cc, &mcreds, &s4u2proxy_creds);
 +		if (code != 0) {
 +			goto done;
 +		}
 +
 +		/* Check KDC support of S4U2Proxy extension */
 +		if (!krb5_principal_compare(ctx, s4u2self_creds->client,
 +					    s4u2proxy_creds->client)) {
 +			code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
 +			goto done;
 +		}
 +
 +		store_creds = s4u2proxy_creds;
 +	} else {
 +		store_creds = s4u2self_creds;;
 +
 +		/* We need to save the ticket with the requested server name
 +		 * or the caller won't be able to find it in cache. */
 +		if (!krb5_principal_compare(ctx, self_princ,
 +			store_creds->server)) {
 +			krb5_free_principal(ctx, store_creds->server);
 +			store_creds->server = NULL;
 +			code = krb5_copy_principal(ctx, self_princ,
 +						   &store_creds->server);
 +			if (code != 0) {
 +				goto done;
 +			}
 +		}
 +	}
 +
 +	code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
 +	if (code != 0) {
 +		goto done;
 +	}
 +
 +	code = krb5_cc_store_cred(ctx, store_cc, store_creds);
 +	if (code != 0) {
 +		goto done;
 +	}
 +
 +	if (expire_time) {
 +		*expire_time = (time_t) store_creds->times.endtime;
 +	}
 +
 +	if (kdc_time) {
 +		*kdc_time = (time_t) store_creds->times.starttime;
 +	}
 +
 +done:
 +	krb5_cc_destroy(ctx, tmp_cc);
 +	krb5_free_cred_contents(ctx, &init_creds);
 +	krb5_free_creds(ctx, s4u2self_creds);
 +	krb5_free_creds(ctx, s4u2proxy_creds);
 +	krb5_free_principal(ctx, self_princ);
 +	krb5_free_principal(ctx, target_princ);
 +
 +	return code;
 +}
 #endif
 #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
 diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
 index eab67f6d969..b5385c69a33 100644
 --- a/lib/krb5_wrap/krb5_samba.h
 +++ b/lib/krb5_wrap/krb5_samba.h
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
 					       krb5_get_init_creds_opt *krb_options,
 					       time_t *expire_time,
 					       time_t *kdc_time);
 -#ifdef SAMBA4_USES_HEIMDAL
 krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
 					   krb5_ccache store_cc,
 					   krb5_principal init_principal,
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
 					   krb5_get_init_creds_opt *krb_options,
 					   time_t *expire_time,
 					   time_t *kdc_time);
 -#endif
 #if defined(HAVE_KRB5_MAKE_PRINCIPAL)
 #define smb_krb5_make_principal krb5_make_principal
 diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
 index 544d9d853cc..c14d8c72d8c 100644
 --- a/source4/auth/kerberos/kerberos_util.c
 +++ b/source4/auth/kerberos/kerberos_util.c
@@ -234,9 +234,7 @@ done:
 {
 	krb5_error_code ret;
 	const char *password;
 -#ifdef SAMBA4_USES_HEIMDAL
 	const char *self_service;
 -#endif
 	const char *target_service;
 	time_t kdc_time = 0;
 	krb5_principal princ;
@@ -268,9 +266,7 @@ done:
 		return ret;
 	}
 -#ifdef SAMBA4_USES_HEIMDAL
 	self_service = cli_credentials_get_self_service(credentials);
 -#endif
 	target_service = cli_credentials_get_target_service(credentials);
 	password = cli_credentials_get_password(credentials);
@@ -331,7 +327,6 @@ done:
 #endif
 		if (password) {
 			if (impersonate_principal) {
 -#ifdef SAMBA4_USES_HEIMDAL
 				ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
 								 ccache,
 								 princ,
@@ -342,12 +337,6 @@ done:
 								 krb_options,
 								 NULL,
 								 &kdc_time);
 -#else
 -				talloc_free(mem_ctx);
 -				(*error_string) = "INTERNAL error: s4u2 ops "
 -					"are not supported with MIT build yet";
 -				return EINVAL;
 -#endif
 			} else {
 				ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
 								     ccache,
 -- 
 2.33.1
 From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Sat, 19 Sep 2020 14:16:20 +0200
 Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
 ---
 source4/heimdal/lib/hdb/hdb.h | 1 +
 source4/kdc/db-glue.c         | 8 ++++++--
 source4/kdc/mit_samba.c       | 3 +++
 source4/kdc/sdb.h             | 1 +
 4 files changed, 11 insertions(+), 2 deletions(-)
 diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
 index 5ef9d9565f3..dafaffc6c2d 100644
 --- a/source4/heimdal/lib/hdb/hdb.h
 +++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_ALL_KVNOS		2048	/* we want all the keys, live or not */
 #define HDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
 #define HDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
 +#define HDB_F_FORCE_CANON	16384	/* force canonicalition */
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
 diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
 index aff74f2ee71..d16b4c3329a 100644
 --- a/source4/kdc/db-glue.c
 +++ b/source4/kdc/db-glue.c
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 			}
 		}
 -	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
 +	} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
 		if (ret) {
 			krb5_clear_error_message(context);
 			goto out;
 		}
 -	} else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
 +	} else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
 		/*
 		 * SDB_F_CANON maps from the canonicalize flag in the
 		 * packet, and has a different meaning between AS-REQ
 		 * and TGS-REQ.  We only change the principal in the AS-REQ case
 +		 *
 +		 * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
 +		 * the canonical name in all lookups, and takes care to canonicalize
 +		 * only when appropriate.
 		 */
 		ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
 		if (ret) {
 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
 index acc3cba6254..f0b9df8b613 100644
 --- a/source4/kdc/mit_samba.c
 +++ b/source4/kdc/mit_samba.c
@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
 	if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
 		sflags |= SDB_F_CANON;
 	}
 +#if KRB5_KDB_API_VERSION >= 10
 +	sflags |= SDB_F_FORCE_CANON;
 +#endif
 	if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
 		      KRB5_KDB_FLAG_INCLUDE_PAC)) {
 		/*
 diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
 index c929acccce6..a9115ec23d7 100644
 --- a/source4/kdc/sdb.h
 +++ b/source4/kdc/sdb.h
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
 #define SDB_F_KVNO_SPECIFIED	128	/* we want a particular KVNO */
 #define SDB_F_FOR_AS_REQ	4096	/* fetch is for a AS REQ */
 #define SDB_F_FOR_TGS_REQ	8192	/* fetch is for a TGS REQ */
 +#define SDB_F_FORCE_CANON	16384	/* force canonicalition */
 void sdb_free_entry(struct sdb_entry_ex *e);
 void free_sdb_entry(struct sdb_entry *s);
 -- 
 2.33.1
--- a/SOURCES/samba-systemd-sysusers.conf
+++ b/SOURCES/samba-systemd-sysusers.conf
@ -0,0 +1,2 @@
 #Type Name       ID
 g     printadmin -
--- a/SOURCES/samba-usershares-systemd-sysusers.conf
+++ b/SOURCES/samba-usershares-systemd-sysusers.conf
@ -0,0 +1,2 @@
 #Type Name       ID
 g     usershares -
--- a/SOURCES/samba-virus_scanner.patch
+++ b/SOURCES/samba-virus_scanner.patch
@ -1,597 +0,0 @@
 From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 9 Feb 2022 16:33:10 +0100
 Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd
 We have the env variable SERVER_LOG_LEVEL which allows you to change
 the log level on the command line. If we force -d0 this will not work.
 make test TESTS="samba" SERVER_LOG_LEVEL=10
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Jeremy Allison <jra@samba.org>
 (cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b)
 ---
 selftest/target/Samba3.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
 index b901fd2677a..64a9a791a61 100755
 --- a/selftest/target/Samba3.pm
 +++ b/selftest/target/Samba3.pm
@@ -2153,7 +2153,7 @@ sub make_bin_cmd
 {
 	my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
 -	my @optargs = ("-d0");
 +	my @optargs = ();
 	if (defined($options)) {
 		@optargs = split(/ /, $options);
 	}
 -- 
 2.34.1
 From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Tue, 8 Feb 2022 12:07:03 +0100
 Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses
 filename matching
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Reviewed-by: Jeremy Allison <jra@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
 (cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1)
 ---
 source3/modules/vfs_virusfilter.c        | 12 +++++
 source3/modules/vfs_virusfilter_common.h |  4 ++
 source3/modules/vfs_virusfilter_dummy.c  | 58 ++++++++++++++++++++++++
 source3/modules/wscript_build            |  1 +
 4 files changed, 75 insertions(+)
 create mode 100644 source3/modules/vfs_virusfilter_dummy.c
 diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
 index 9fafe4e5d41..e6cbee7cd45 100644
 --- a/source3/modules/vfs_virusfilter.c
 +++ b/source3/modules/vfs_virusfilter.c
@@ -35,12 +35,14 @@
 enum virusfilter_scanner_enum {
 	VIRUSFILTER_SCANNER_CLAMAV,
 +	VIRUSFILTER_SCANNER_DUMMY,
 	VIRUSFILTER_SCANNER_FSAV,
 	VIRUSFILTER_SCANNER_SOPHOS
 };
 static const struct enum_list scanner_list[] = {
 	{ VIRUSFILTER_SCANNER_CLAMAV,	"clamav" },
 +	{ VIRUSFILTER_SCANNER_DUMMY,	"dummy" },
 	{ VIRUSFILTER_SCANNER_FSAV,	"fsav" },
 	{ VIRUSFILTER_SCANNER_SOPHOS,	"sophos" },
 	{ -1,				NULL }
@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect(
 	int snum = SNUM(handle->conn);
 	struct virusfilter_config *config = NULL;
 	const char *exclude_files = NULL;
 +	const char *infected_files = NULL;
 	const char *temp_quarantine_dir_mode = NULL;
 	const char *infected_file_command = NULL;
 	const char *scan_error_command = NULL;
@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect(
 		set_namearray(&config->exclude_files, exclude_files);
 	}
 +	infected_files = lp_parm_const_string(
 +		snum, "virusfilter", "infected files", NULL);
 +	if (infected_files != NULL) {
 +		set_namearray(&config->infected_files, infected_files);
 +	}
 +
 	config->cache_entry_limit = lp_parm_int(
 		snum, "virusfilter", "cache entry limit", 100);
@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect(
 	case VIRUSFILTER_SCANNER_CLAMAV:
 		ret = virusfilter_clamav_init(config);
 		break;
 +	case VIRUSFILTER_SCANNER_DUMMY:
 +		ret = virusfilter_dummy_init(config);
 +		break;
 	default:
 		DBG_ERR("Unhandled scanner %d\n", backend);
 		return -1;
 diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h
 index f71b0b949a7..463a9d74e9c 100644
 --- a/source3/modules/vfs_virusfilter_common.h
 +++ b/source3/modules/vfs_virusfilter_common.h
@@ -83,6 +83,9 @@ struct virusfilter_config {
 	/* Exclude files */
 	name_compare_entry		*exclude_files;
 +	/* Infected files */
 +	name_compare_entry		*infected_files;
 +
 	/* Scan result cache */
 	struct virusfilter_cache	*cache;
 	int				cache_entry_limit;
@@ -149,5 +152,6 @@ struct virusfilter_backend {
 int virusfilter_sophos_init(struct virusfilter_config *config);
 int virusfilter_fsav_init(struct virusfilter_config *config);
 int virusfilter_clamav_init(struct virusfilter_config *config);
 +int virusfilter_dummy_init(struct virusfilter_config *config);
 #endif /* _VIRUSFILTER_COMMON_H */
 diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c
 new file mode 100644
 index 00000000000..03405cd6629
 --- /dev/null
 +++ b/source3/modules/vfs_virusfilter_dummy.c
@@ -0,0 +1,58 @@
 +/*
 +   Samba-VirusFilter VFS modules
 +   Dummy scanner with infected files support.
 +   Copyright (C) 2022 Pavel Filipenský <pfilipen@redhat.com>
 +
 +   This program is free software; you can redistribute it and/or modify
 +   it under the terms of the GNU General Public License as published by
 +   the Free Software Foundation; either version 3 of the License, or
 +   (at your option) any later version.
 +
 +   This program is distributed in the hope that it will be useful,
 +   but WITHOUT ANY WARRANTY; without even the implied warranty of
 +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 +   GNU General Public License for more details.
 +
 +   You should have received a copy of the GNU General Public License
 +   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 +*/
 +
 +#include "modules/vfs_virusfilter_utils.h"
 +
 +static virusfilter_result virusfilter_dummy_scan(
 +	struct vfs_handle_struct *handle,
 +	struct virusfilter_config *config,
 +	const struct files_struct *fsp,
 +	char **reportp)
 +{
 +	bool ok;
 +
 +	DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp));
 +	ok = is_in_path(fsp->fsp_name->base_name,
 +			config->infected_files,
 +			false);
 +	return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN;
 +}
 +
 +static struct virusfilter_backend_fns virusfilter_backend_dummy = {
 +	.connect = NULL,
 +	.disconnect = NULL,
 +	.scan_init = NULL,
 +	.scan = virusfilter_dummy_scan,
 +	.scan_end = NULL,
 +};
 +
 +int virusfilter_dummy_init(struct virusfilter_config *config)
 +{
 +	struct virusfilter_backend *backend = NULL;
 +
 +	backend = talloc_zero(config, struct virusfilter_backend);
 +	if (backend == NULL) {
 +		return -1;
 +	}
 +
 +	backend->fns = &virusfilter_backend_dummy;
 +	backend->name = "dummy";
 +	config->backend = backend;
 +	return 0;
 +}
 diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
 index 40df4539392..ff318c3fa06 100644
 --- a/source3/modules/wscript_build
 +++ b/source3/modules/wscript_build
@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter',
                  vfs_virusfilter_sophos.c
                  vfs_virusfilter_fsav.c
                  vfs_virusfilter_clamav.c
 +                 vfs_virusfilter_dummy.c
                  ''',
                  deps='samba-util VFS_VIRUSFILTER_UTILS',
                  init_function='',
 -- 
 2.34.1
 From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Tue, 8 Feb 2022 22:35:29 +0100
 Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and
 'virusfilter:infected files'
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Reviewed-by: Jeremy Allison <jra@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
 (cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969)
 ---
 docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
 index 329a35af68a..88f91d73a42 100644
 --- a/docs-xml/manpages/vfs_virusfilter.8.xml
 +++ b/docs-xml/manpages/vfs_virusfilter.8.xml
@@ -48,6 +48,10 @@
 		  scanner</para></listitem>
 		  <listitem><para><emphasis>clamav</emphasis>, the ClamAV
 		  scanner</para></listitem>
 +		  <listitem><para><emphasis>dummy</emphasis>, dummy scanner used in
 +		  tests. Checks against the <emphasis>infected files</emphasis>
 +		  parameter and flags any name that matches as infected.
 +		  </para></listitem>
 		</itemizedlist>
 		</listitem>
 		</varlistentry>
@@ -264,6 +268,14 @@
 		</listitem>
 		</varlistentry>
 +		<varlistentry>
 +		<term>virusfilter:infected files = empty</term>
 +		<listitem>
 +		<para>Files that virusfilter <emphasis>dummy</emphasis> flags as infected.</para>
 +		<para>If this option is not set, the default is empty.</para>
 +		</listitem>
 +		</varlistentry>
 +
 		<varlistentry>
 		<term>virusfilter:block access on error = false</term>
 		<listitem>
 -- 
 2.34.1
 From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Tue, 8 Feb 2022 15:34:56 +0100
 Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Reviewed-by: Jeremy Allison <jra@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
 (cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a)
 ---
 selftest/target/Samba3.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
 index 64a9a791a61..7584a0e7ba9 100755
 --- a/selftest/target/Samba3.pm
 +++ b/selftest/target/Samba3.pm
@@ -188,7 +188,7 @@ sub getlog_env_app($$$)
 	close(LOG);
 	return "" if $out eq $title;
 - 
 +
 	return $out;
 }
@@ -2426,7 +2426,7 @@ sub provision($$)
 	my $nmbdsockdir="$prefix_abs/nmbd";
 	unlink($nmbdsockdir);
 -	## 
 +	##
 	## create the test directory layout
 	##
 	die ("prefix_abs = ''") if $prefix_abs eq "";
@@ -3290,7 +3290,7 @@ sub provision($$)
 	unless (open(PASSWD, ">$nss_wrapper_passwd")) {
            warn("Unable to open $nss_wrapper_passwd");
            return undef;
 -        } 
 +        }
 	print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
 $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
 pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
 -- 
 2.34.1
 From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Tue, 8 Feb 2022 15:35:48 +0100
 Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 Reviewed-by: Jeremy Allison <jra@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
 (cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
 ---
 selftest/knownfail.d/virus_scanner         |   2 +
 selftest/target/Samba3.pm                  |  12 ++
 source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++
 source3/selftest/tests.py                  |   9 ++
 4 files changed, 147 insertions(+)
 create mode 100644 selftest/knownfail.d/virus_scanner
 create mode 100755 source3/script/tests/test_virus_scanner.sh
 diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
 new file mode 100644
 index 00000000000..6df3fd20627
 --- /dev/null
 +++ b/selftest/knownfail.d/virus_scanner
@@ -0,0 +1,2 @@
 +^samba3.blackbox.virus_scanner.check_infected_read  # test download infected file ('vfs objects = virusfilter')
 +^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
 diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
 index 7584a0e7ba9..c1d0c60d96a 100755
 --- a/selftest/target/Samba3.pm
 +++ b/selftest/target/Samba3.pm
@@ -1688,6 +1688,9 @@ sub setup_fileserver
 	my $veto_sharedir="$share_dir/veto";
 	push(@dirs,$veto_sharedir);
 +	my $virusfilter_sharedir="$share_dir/virusfilter";
 +	push(@dirs,$virusfilter_sharedir);
 +
 	my $ip4 = Samba::get_ipv4_addr("FILESERVER");
 	my $fileserver_options = "
 	kernel change notify = yes
@@ -1813,6 +1816,15 @@ sub setup_fileserver
 	path = $veto_sharedir
 	delete veto files = yes
 +[virusfilter]
 +	path = $virusfilter_sharedir
 +	vfs objects = acl_xattr virusfilter
 +	virusfilter:scanner = dummy
 +	virusfilter:min file size = 0
 +	virusfilter:infected files = *infected*
 +	virusfilter:infected file action = rename
 +	virusfilter:scan on close = yes
 +
 [homes]
 	comment = Home directories
 	browseable = No
 diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh
 new file mode 100755
 index 00000000000..2234ea6ca89
 --- /dev/null
 +++ b/source3/script/tests/test_virus_scanner.sh
@@ -0,0 +1,124 @@
 +#!/bin/sh
 +# Copyright (c) 2022      Pavel Filipenský <pfilipen@redhat.com>
 +# shellcheck disable=1091
 +
 +if [ $# -lt 4 ]; then
 +cat <<EOF
 +Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
 +EOF
 +exit 1;
 +fi
 +
 +SERVER_IP=${1}
 +SHARE=${2}
 +LOCAL_PATH=${3}
 +SMBCLIENT=${4}
 +
 +SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
 +
 +failed=0
 +sharedir="${LOCAL_PATH}/${SHARE}"
 +
 +incdir="$(dirname "$0")/../../../testprogs/blackbox"
 +. "${incdir}/subunit.sh"
 +
 +check_infected_read()
 +{
 +    rm -rf "${sharedir:?}"/*
 +
 +    if ! touch "${sharedir}/infected.txt"; then
 +        echo "ERROR: Cannot create ${sharedir}/infected.txt"
 +        return 1
 +    fi
 +
 +    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
 +
 +    # check that virusfilter:rename prefix/suffix was added
 +    if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
 +        echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
 +        return 1
 +    fi
 +
 +    # check that file was not downloaded
 +    if [ -f "${sharedir}/infected.download.txt" ]; then
 +        echo "ERROR: {sharedir}/infected.download.txt should not exist."
 +        return 1
 +    fi
 +
 +    return 0
 +}
 +
 +check_infected_write()
 +{
 +    rm -rf "${sharedir:?}"/*
 +    smbfile=infected.upload.txt
 +    smbfilerenamed="virusfilter.${smbfile}.infected"
 +
 +    # non empty file is needed
 +    # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
 +    if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
 +        echo "ERROR: Cannot create ${sharedir}/infected.txt"
 +        return 1
 +    fi
 +
 +    ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
 +
 +    # check that virusfilter:rename prefix/suffix was added
 +    if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
 +        echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
 +        return 1
 +    fi
 +
 +    # check that file was not uploaded
 +    if [ -f "${sharedir}/infected.upload.txt" ]; then
 +        echo "ERROR: {sharedir}/${smbfile} should not exist."
 +        return 1
 +    fi
 +
 +    return 0
 +}
 +
 +check_healthy_read()
 +{
 +    rm -rf "${sharedir:?}"/*
 +
 +    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
 +        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
 +        return 1
 +    fi
 +
 +    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
 +
 +    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
 +        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
 +        return 1
 +    fi
 +
 +    return 0
 +}
 +
 +check_healthy_write()
 +{
 +    rm -rf "${sharedir:?}"/*
 +
 +    if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
 +        echo "ERROR: Cannot create ${sharedir}/healthy.txt"
 +        return 1
 +    fi
 +
 +    ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
 +
 +    if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
 +        echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
 +        return 1
 +    fi
 +
 +    return 0
 +}
 +
 +testit "check_infected_read"  check_infected_read  || failed=$((failed + 1))
 +testit "check_infected_write" check_infected_write || failed=$((failed + 1))
 +testit "check_healthy_read"   check_healthy_read   || failed=$((failed + 1))
 +testit "check_healthy_write"  check_healthy_write  || failed=$((failed + 1))
 +
 +testok "$0" "$failed"
 diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
 index 701be011f70..6b146c76381 100755
 --- a/source3/selftest/tests.py
 +++ b/source3/selftest/tests.py
@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
                '$SERVER_IP',
                "tmp"])
 +env = 'fileserver'
 +plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
 +              [os.path.join(samba3srcdir,
 +                            "script/tests/test_virus_scanner.sh"),
 +               '$SERVER_IP',
 +               "virusfilter",
 +               '$LOCAL_PATH',
 +               smbclient3])
 +
 for env in ['fileserver', 'simpleserver']:
     plantestsuite("samba3.blackbox.smbclient.encryption", env,
                   [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),
 -- 
 2.34.1
 From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
 Date: Mon, 7 Feb 2022 23:06:10 +0100
 Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
 Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
 Reviewed-by: Jeremy Allison <jra@samba.org>
 Reviewed-by: Andreas Schneider <asn@samba.org>
 Autobuild-User(master): Jeremy Allison <jra@samba.org>
 Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184
 (cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c)
 ---
 selftest/knownfail.d/virus_scanner | 2 --
 source3/modules/vfs_virusfilter.c  | 6 +++---
 2 files changed, 3 insertions(+), 5 deletions(-)
 delete mode 100644 selftest/knownfail.d/virus_scanner
 diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
 deleted file mode 100644
 index 6df3fd20627..00000000000
 --- a/selftest/knownfail.d/virus_scanner
 +++ /dev/null
@@ -1,2 +0,0 @@
 -^samba3.blackbox.virus_scanner.check_infected_read  # test download infected file ('vfs objects = virusfilter')
 -^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
 diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
 index e6cbee7cd45..d1554967ad1 100644
 --- a/source3/modules/vfs_virusfilter.c
 +++ b/source3/modules/vfs_virusfilter.c
@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle,
 		 */
 		goto virusfilter_vfs_open_next;
 	}
 -	ret = S_ISREG(smb_fname->st.st_ex_mode);
 +	ret = S_ISREG(sbuf.st_ex_mode);
 	if (ret == 0) {
 		DBG_INFO("Not scanned: Directory or special file: %s/%s\n",
 			 cwd_fname, fname);
 		goto virusfilter_vfs_open_next;
 	}
 	if (config->max_file_size > 0 &&
 -	    smb_fname->st.st_ex_size > config->max_file_size)
 +	    sbuf.st_ex_size > config->max_file_size)
 	{
 		DBG_INFO("Not scanned: file size > max file size: %s/%s\n",
 			 cwd_fname, fname);
 		goto virusfilter_vfs_open_next;
 	}
 	if (config->min_file_size > 0 &&
 -	    smb_fname->st.st_ex_size < config->min_file_size)
 +	    sbuf.st_ex_size < config->min_file_size)
 	{
 		DBG_INFO("Not scanned: file size < min file size: %s/%s\n",
 		      cwd_fname, fname);
 -- 
 2.34.1
--- a/SOURCES/samba-winbind-systemd-sysusers.conf
+++ b/SOURCES/samba-winbind-systemd-sysusers.conf
@ -0,0 +1,2 @@
 #Type Name       ID
 g     wbpriv     88
--- a/SOURCES/samba.abignore
+++ b/SOURCES/samba.abignore
@ -0,0 +1,5 @@
 #################################################
 # This is a grouping library without any code
 #################################################
 [suppress_file]
 file_name_regexp=.*libdcerpc-samr\\.so.*
--- a/SOURCES/smb.conf.vendor
+++ b/SOURCES/smb.conf.vendor
@ -18,6 +18,9 @@
 	load printers = yes
 	cups options = raw
 	# Install samba-usershares package for support
 	include = /etc/samba/usershares.conf
 [homes]
 	comment = Home Directories
 	valid users = %S, %D%w%S
--- a/SOURCES/usershares.conf.vendor
+++ b/SOURCES/usershares.conf.vendor
@ -0,0 +1,3 @@
 [global]
 	usershare max shares = 100
 	usershare allow guests = yes
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
`@ -1,2 +1,2 @@`
	`SOURCES/samba-4.15.5.tar.xz`	`SOURCES/samba-4.19.4.tar.xz`
	`SOURCES/samba-pubkey_AA99442FB680B620.gpg`	`SOURCES/samba-pubkey_AA99442FB680B620.gpg`
`@ -1,2 +1,2 @@`
	`f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz`	`6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz`
	`971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg`	`971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg`