diff --git a/SOURCES/samba-4.10-fix_client_log_spam_for_messaging.patch b/SOURCES/samba-4.10-fix_client_log_spam_for_messaging.patch
new file mode 100644
index 0000000..a935971
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_client_log_spam_for_messaging.patch
@@ -0,0 +1,205 @@
+From 6947e4141016bb140dfae62cd71be9d9ba5d7060 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sat, 4 May 2019 12:12:04 +0200
+Subject: [PATCH 1/2] s3:dbwrap: initialize messaging before getting the ctdb
+ connection
+
+This is a better fix for bug #13465.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13925
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit ca95d7f41b683b4d7ac59ed6ee709d44abfe2019)
+---
+ source3/lib/dbwrap/dbwrap_open.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
+index c8dfd9103a8..20084bca471 100644
+--- a/source3/lib/dbwrap/dbwrap_open.c
++++ b/source3/lib/dbwrap/dbwrap_open.c
+@@ -141,13 +141,19 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
+ 			struct messaging_context *msg_ctx;
+ 			struct ctdbd_connection *conn;
+ 
++			/*
++			 * Initialize messaging before getting the ctdb
++			 * connection, as the ctdb connection requires messaging
++			 * to be initialized.
++			 */
++			msg_ctx = global_messaging_context();
++
+ 			conn = messaging_ctdb_connection();
+ 			if (conn == NULL) {
+ 				DBG_WARNING("No ctdb connection\n");
+ 				errno = EIO;
+ 				return NULL;
+ 			}
+-			msg_ctx = global_messaging_context();
+ 
+ 			result = db_open_ctdb(mem_ctx, msg_ctx, base,
+ 					      hash_size,
+-- 
+2.21.0
+
+
+From ca5652c7ee22955fb1690534fe33759ccb008ee5 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sat, 4 May 2019 12:12:48 +0200
+Subject: [PATCH 2/2] s3: remove now unneeded call to
+ cmdline_messaging_context()
+
+This was only needed as dbwrap_open() had a bug where it asked for the ctdb
+connection before initializing messaging. The previous commit fixed that so we
+can now safely remove the calls to cmdline_messaging_context() from all tools
+that don't use messaging.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13925
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Thu Oct 24 09:33:47 UTC 2019 on sn-devel-184
+
+(cherry picked from commit 9471508391fd3bcf199b1e94f8d9ee2b956e8f8e)
+---
+ source3/lib/popt_common_cmdline.c | 7 -------
+ source3/utils/dbwrap_tool.c       | 2 --
+ source3/utils/eventlogadm.c       | 3 ---
+ source3/utils/ntlm_auth.c         | 2 --
+ source3/utils/pdbedit.c           | 2 --
+ source3/utils/sharesec.c          | 1 -
+ source3/utils/smbget.c            | 2 --
+ source3/utils/smbpasswd.c         | 2 --
+ source3/utils/testparm.c          | 2 --
+ 9 files changed, 23 deletions(-)
+
+diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c
+index 79e34847f48..39a787510a3 100644
+--- a/source3/lib/popt_common_cmdline.c
++++ b/source3/lib/popt_common_cmdline.c
+@@ -102,15 +102,8 @@ static void popt_common_credentials_callback(poptContext con,
+ 	}
+ 
+ 	if (reason == POPT_CALLBACK_REASON_POST) {
+-		struct messaging_context *msg_ctx = NULL;
+ 		bool ok;
+ 
+-		msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
+-		if (msg_ctx == NULL) {
+-			fprintf(stderr, "Unable to initialize "
+-				"messaging context\n");
+-		}
+-
+ 		ok = lp_load_client(get_dyn_CONFIGFILE());
+ 		if (!ok) {
+ 			const char *pname = poptGetInvocationName(con);
+diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
+index 2808a5d68bf..153a4459ee0 100644
+--- a/source3/utils/dbwrap_tool.c
++++ b/source3/utils/dbwrap_tool.c
+@@ -422,8 +422,6 @@ int main(int argc, const char **argv)
+ 		while (extra_argv[extra_argc]) extra_argc++;
+ 	}
+ 
+-	cmdline_messaging_context(get_dyn_CONFIGFILE());
+-
+ 	lp_load_global(get_dyn_CONFIGFILE());
+ 
+ 	if ((extra_argc < 2) || (extra_argc > 5)) {
+diff --git a/source3/utils/eventlogadm.c b/source3/utils/eventlogadm.c
+index db874dfae8a..2770fffa48c 100644
+--- a/source3/utils/eventlogadm.c
++++ b/source3/utils/eventlogadm.c
+@@ -473,9 +473,6 @@ int main( int argc, char *argv[] )
+ 		exit( 1 );
+ 	}
+ 
+-	cmdline_messaging_context(configfile == NULL ?
+-				  get_dyn_CONFIGFILE() : configfile);
+-
+ 	if ( configfile == NULL ) {
+ 		lp_load_global(get_dyn_CONFIGFILE());
+ 	} else if (!lp_load_global(configfile)) {
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 2be641c891c..87f6554ae4f 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -2504,8 +2504,6 @@ enum {
+ 
+ 	poptFreeContext(pc);
+ 
+-	cmdline_messaging_context(get_dyn_CONFIGFILE());
+-
+ 	if (!lp_load_global(get_dyn_CONFIGFILE())) {
+ 		d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n",
+ 			get_dyn_CONFIGFILE(), strerror(errno));
+diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
+index 74f8c3b0b2f..14edbaeceea 100644
+--- a/source3/utils/pdbedit.c
++++ b/source3/utils/pdbedit.c
+@@ -1128,8 +1128,6 @@ int main(int argc, const char **argv)
+ 	if (user_name == NULL)
+ 		user_name = poptGetArg(pc);
+ 
+-	cmdline_messaging_context(get_dyn_CONFIGFILE());
+-
+ 	if (!lp_load_global(get_dyn_CONFIGFILE())) {
+ 		fprintf(stderr, "Can't load %s - run testparm to debug it\n", get_dyn_CONFIGFILE());
+ 		exit(1);
+diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
+index 2ea81b9adfa..10c347eaac3 100644
+--- a/source3/utils/sharesec.c
++++ b/source3/utils/sharesec.c
+@@ -501,7 +501,6 @@ int main(int argc, const char *argv[])
+ 
+ 	setlinebuf(stdout);
+ 
+-	cmdline_messaging_context(get_dyn_CONFIGFILE());
+ 	lp_load_with_registry_shares(get_dyn_CONFIGFILE());
+ 
+ 	/* check for initializing secrets.tdb first */
+diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
+index 58690be56e3..a948a336445 100644
+--- a/source3/utils/smbget.c
++++ b/source3/utils/smbget.c
+@@ -1003,8 +1003,6 @@ int main(int argc, char **argv)
+ 
+ 	popt_burn_cmdline_password(argc, argv);
+ 
+-	cmdline_messaging_context(get_dyn_CONFIGFILE());
+-
+ 	if (smbc_init(get_auth_data, opt.debuglevel) < 0) {
+ 		fprintf(stderr, "Unable to initialize libsmbclient\n");
+ 		return 1;
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 8e2b9d7f80f..a6509abe5cb 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -197,8 +197,6 @@ static int process_options(int argc, char **argv, int local_flags)
+ 		usage();
+ 	}
+ 
+-	cmdline_messaging_context(configfile);
+-
+ 	if (!lp_load_global(configfile)) {
+ 		fprintf(stderr, "Can't load %s - run testparm to debug it\n", 
+ 			configfile);
+diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
+index efa58a6a417..9ba625da4bf 100644
+--- a/source3/utils/testparm.c
++++ b/source3/utils/testparm.c
+@@ -742,8 +742,6 @@ static void do_per_share_checks(int s)
+ 		goto done;
+ 	}
+ 
+-	cmdline_messaging_context(config_file);
+-
+ 	fprintf(stderr,"Load smb config files from %s\n",config_file);
+ 
+ 	if (!lp_load_with_registry_shares(config_file)) {
+-- 
+2.21.0
+
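Review bot: In the first embedded patch's dbwrap_open.c hunk, the `msg_ctx` returned by the moved `global_messaging_context()` call is still handed to `db_open_ctdb()` without a NULL check, so if messaging setup fails the only diagnostic is the later `No ctdb connection` warning, which misattributes the failure. The second embedded patch removes from popt_common_cmdline.c a check that treated a NULL messaging context as a reportable error, which suggests the initialization can fail; if that also holds for `global_messaging_context()` (its contract is not visible here), the reordering is the right place to report it: `if (msg_ctx == NULL) { DBG_WARNING("No messaging context\n"); errno = EIO; return NULL; }` placed before the ctdb connection lookup. db_open() starts and ends outside the hunk.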
diff --git a/SOURCES/samba-4.10-fix_smblcient_mkdir_debug_message.patch b/SOURCES/samba-4.10-fix_smblcient_mkdir_debug_message.patch
new file mode 100644
index 0000000..ff175fe
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_smblcient_mkdir_debug_message.patch
@@ -0,0 +1,48 @@
+From c50d91d16292a13d29b1125c0aa85c7a7963de5f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 27 Jan 2020 14:58:10 +0100
+Subject: [PATCH] lib:util: Log mkdir error on correct debug levels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For smbd we want an error and for smbclient we only want it in NOTICE
+debug level.
+The default log level of smbclient is log level 1 so we need notice to
+not spam the user.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14253
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Mon Jan 27 15:55:24 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 0ad6a243b259d284064c0c5abcc7d430d55be7e1)
+---
+ lib/util/util.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/util/util.c b/lib/util/util.c
+index 3bdeded5c1b..0d9ffe5cb7b 100644
+--- a/lib/util/util.c
++++ b/lib/util/util.c
+@@ -353,9 +353,12 @@ _PUBLIC_ bool directory_create_or_exist(const char *dname,
+ 	old_umask = umask(0);
+ 	ret = mkdir(dname, dir_perms);
+ 	if (ret == -1 && errno != EEXIST) {
+-		DBG_WARNING("mkdir failed on directory %s: %s\n",
++		int dbg_level = geteuid() == 0 ? DBGLVL_ERR : DBGLVL_NOTICE;
++
++		DBG_PREFIX(dbg_level,
++			   ("mkdir failed on directory %s: %s\n",
+ 			    dname,
+-			    strerror(errno));
++			    strerror(errno)));
+ 		umask(old_umask);
+ 		return false;
+ 	}
+-- 
+2.25.0
+
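Review bot: `int dbg_level = geteuid() == 0 ? DBGLVL_ERR : DBGLVL_NOTICE;` in the lib/util/util.c hunk uses the effective uid as a proxy for "this is smbd rather than smbclient", but the commit message states the intent in terms of the program, not the privilege level: a root-run smbclient will still log at ERR and an unprivileged smbd at NOTICE. A comment should record that this is a heuristic so the next reader does not mistake the uid test for a privilege decision, e.g. `/* Heuristic: daemons normally run as root and log this at ERR; client tools run as a user and get NOTICE (BUG 14253). */`. `strerror(errno)` is still read after the `geteuid()` call; geteuid() cannot fail and does not set errno, so the value from mkdir() survives, but copying errno into a local before the `DBG_PREFIX` call would keep that robust against future edits to the block. directory_create_or_exist() starts and ends outside the hunk.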
diff --git a/SOURCES/samba-4.10-winbind_krb5_enterprise_princ.patch b/SOURCES/samba-4.10-winbind_krb5_enterprise_princ.patch
new file mode 100644
index 0000000..baa9d48
--- /dev/null
+++ b/SOURCES/samba-4.10-winbind_krb5_enterprise_princ.patch
@@ -0,0 +1,1540 @@
+From 815da6970c8b973c514cc148b2caeca84f604f5c Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Thu, 8 Aug 2019 15:06:28 +0100
+Subject: [PATCH 01/22] s3/libads: clang: Fix Value stored to 'canon_princ' is
+ never read
+
+Fixes:
+
+source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
+        canon_princ = me;
+        ^             ~~
+1 warning generated.
+
+Signed-off-by: Noel Power <noel.power@suse.com>
+Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
+(cherry picked from commit 52d20087f620704549f5a5cdcbec79cb08a36290)
+---
+ source3/libads/kerberos.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 721c3c2a929..9fbe7dd0f07 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -189,9 +189,10 @@ int kerberos_kinit_password_ext(const char *principal,
+ 		goto out;
+ 	}
+ 
+-	canon_princ = me;
+ #ifndef SAMBA4_USES_HEIMDAL /* MIT */
+ 	canon_princ = my_creds.client;
++#else
++	canon_princ = me;
+ #endif /* MIT */
+ 
+ 	if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
+-- 
+2.24.1
+
+
+From 9db218df645bd15232b5bda98f51f0ecc05425c9 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Sep 2019 08:05:09 +0200
+Subject: [PATCH 02/22] s4:auth: use the correct client realm in
+ gensec_gssapi_update_internal()
+
+The function gensec_gssapi_client_creds() may call kinit and gets
+a TGT for the user. The principal provided by the user may not
+be canonicalized. The user may use 'given.last@example.com'
+but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background.
+
+It means we should use client_realm = AD.EXAMPLE.PRIVATE
+instead of client_realm = EXAMPLE.COM
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38)
+---
+ source4/auth/gensec/gensec_gssapi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 4577c91c93a..045a0225741 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -437,8 +437,6 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
+ 	const char *target_principal = gensec_get_target_principal(gensec_security);
+ 	const char *hostname = gensec_get_target_hostname(gensec_security);
+ 	const char *service = gensec_get_target_service(gensec_security);
+-	const char *client_realm = cli_credentials_get_realm(cli_creds);
+-	const char *server_realm = NULL;
+ 	gss_OID gss_oid_p = NULL;
+ 	OM_uint32 time_req = 0;
+ 	OM_uint32 time_rec = 0;
+@@ -457,6 +455,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
+ 		switch (gensec_security->gensec_role) {
+ 		case GENSEC_CLIENT:
+ 		{
++			const char *client_realm = NULL;
+ #ifdef SAMBA4_USES_HEIMDAL
+ 			struct gsskrb5_send_to_kdc send_to_kdc;
+ 			krb5_error_code ret;
+@@ -532,6 +531,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
+ 			 * transitive forest trusts, would have to do the
+ 			 * fallback ourself.
+ 			 */
++			client_realm = cli_credentials_get_realm(cli_creds);
+ #ifndef SAMBA4_USES_HEIMDAL
+ 			if (gensec_gssapi_state->server_name == NULL) {
+ 				nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+@@ -575,6 +575,8 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec
+ 			}
+ #endif /* !SAMBA4_USES_HEIMDAL */
+ 			if (gensec_gssapi_state->server_name == NULL) {
++				const char *server_realm = NULL;
++
+ 				server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
+ 										hostname,
+ 										client_realm);
+-- 
+2.24.1
+
+
+From 7e70ce1c6a6bb4041dbad54628d4f93caff771d4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2019 17:14:11 +0200
+Subject: [PATCH 03/22] s3:libads: let kerberos_kinit_password_ext() return the
+ canonicalized principal/realm
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit bc473e5cf088a137395842540ed8eb748373a236)
+---
+ source3/libads/authdata.c              |  1 +
+ source3/libads/kerberos.c              | 46 ++++++++++++++++++++++----
+ source3/libads/kerberos_proto.h        |  5 ++-
+ source3/libads/kerberos_util.c         |  3 +-
+ source3/utils/net_ads.c                |  3 ++
+ source3/winbindd/winbindd_cred_cache.c |  6 ++++
+ 6 files changed, 56 insertions(+), 8 deletions(-)
+
+diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
+index 86a1be71bf9..6e6d5b397ff 100644
+--- a/source3/libads/authdata.c
++++ b/source3/libads/authdata.c
+@@ -170,6 +170,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ 					  request_pac,
+ 					  add_netbios_addr,
+ 					  renewable_time,
++					  NULL, NULL, NULL,
+ 					  &status);
+ 	if (ret) {
+ 		DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 9fbe7dd0f07..3e09d70268f 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -106,7 +106,7 @@ kerb_prompter(krb5_context ctx, void *data,
+   place in default cache location.
+   remus@snapserver.com
+ */
+-int kerberos_kinit_password_ext(const char *principal,
++int kerberos_kinit_password_ext(const char *given_principal,
+ 				const char *password,
+ 				int time_offset,
+ 				time_t *expire_time,
+@@ -115,8 +115,12 @@ int kerberos_kinit_password_ext(const char *principal,
+ 				bool request_pac,
+ 				bool add_netbios_addr,
+ 				time_t renewable_time,
++				TALLOC_CTX *mem_ctx,
++				char **_canon_principal,
++				char **_canon_realm,
+ 				NTSTATUS *ntstatus)
+ {
++	TALLOC_CTX *frame = talloc_stackframe();
+ 	krb5_context ctx = NULL;
+ 	krb5_error_code code = 0;
+ 	krb5_ccache cc = NULL;
+@@ -125,6 +129,8 @@ int kerberos_kinit_password_ext(const char *principal,
+ 	krb5_creds my_creds;
+ 	krb5_get_init_creds_opt *opt = NULL;
+ 	smb_krb5_addresses *addr = NULL;
++	char *canon_principal = NULL;
++	char *canon_realm = NULL;
+ 
+ 	ZERO_STRUCT(my_creds);
+ 
+@@ -132,6 +138,7 @@ int kerberos_kinit_password_ext(const char *principal,
+ 	if (code != 0) {
+ 		DBG_ERR("kerberos init context failed (%s)\n",
+ 			error_message(code));
++		TALLOC_FREE(frame);
+ 		return code;
+ 	}
+ 
+@@ -139,16 +146,16 @@ int kerberos_kinit_password_ext(const char *principal,
+ 		krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
+ 	}
+ 
+-	DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
+-			principal,
+-			cache_name ? cache_name: krb5_cc_default_name(ctx),
+-			getenv("KRB5_CONFIG")));
++	DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
++		  given_principal,
++		  cache_name ? cache_name: krb5_cc_default_name(ctx),
++		  getenv("KRB5_CONFIG"));
+ 
+ 	if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
+ 		goto out;
+ 	}
+ 
+-	if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
++	if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) {
+ 		goto out;
+ 	}
+ 
+@@ -195,6 +202,22 @@ int kerberos_kinit_password_ext(const char *principal,
+ 	canon_princ = me;
+ #endif /* MIT */
+ 
++	code = smb_krb5_unparse_name(frame,
++				     ctx,
++				     canon_princ,
++				     &canon_principal);
++	if (code != 0) {
++		goto out;
++	}
++
++	DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal);
++
++	canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ);
++	if (canon_realm == NULL) {
++		code = ENOMEM;
++		goto out;
++	}
++
+ 	if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
+ 		goto out;
+ 	}
+@@ -210,6 +233,13 @@ int kerberos_kinit_password_ext(const char *principal,
+ 	if (renew_till_time) {
+ 		*renew_till_time = (time_t) my_creds.times.renew_till;
+ 	}
++
++	if (_canon_principal != NULL) {
++		*_canon_principal = talloc_move(mem_ctx, &canon_principal);
++	}
++	if (_canon_realm != NULL) {
++		*_canon_realm = talloc_move(mem_ctx, &canon_realm);
++	}
+  out:
+ 	if (ntstatus) {
+ 		/* fast path */
+@@ -239,6 +269,7 @@ int kerberos_kinit_password_ext(const char *principal,
+ 	if (ctx) {
+ 		krb5_free_context(ctx);
+ 	}
++	TALLOC_FREE(frame);
+ 	return code;
+ }
+ 
+@@ -328,6 +359,9 @@ int kerberos_kinit_password(const char *principal,
+ 					   False,
+ 					   False,
+ 					   0,
++					   NULL,
++					   NULL,
++					   NULL,
+ 					   NULL);
+ }
+ 
+diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
+index f92cabd757e..433bce9e0ec 100644
+--- a/source3/libads/kerberos_proto.h
++++ b/source3/libads/kerberos_proto.h
+@@ -45,7 +45,7 @@ struct PAC_DATA_CTR {
+ 
+ /* The following definitions come from libads/kerberos.c  */
+ 
+-int kerberos_kinit_password_ext(const char *principal,
++int kerberos_kinit_password_ext(const char *given_principal,
+ 				const char *password,
+ 				int time_offset,
+ 				time_t *expire_time,
+@@ -54,6 +54,9 @@ int kerberos_kinit_password_ext(const char *principal,
+ 				bool request_pac,
+ 				bool add_netbios_addr,
+ 				time_t renewable_time,
++				TALLOC_CTX *mem_ctx,
++				char **_canon_principal,
++				char **_canon_realm,
+ 				NTSTATUS *ntstatus);
+ int ads_kdestroy(const char *cc_name);
+ 
+diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c
+index 68c0f302239..bfe53820aff 100644
+--- a/source3/libads/kerberos_util.c
++++ b/source3/libads/kerberos_util.c
+@@ -66,7 +66,8 @@ int ads_kinit_password(ADS_STRUCT *ads)
+ 					  ads->auth.time_offset,
+ 					  &ads->auth.tgt_expire, NULL,
+ 					  ads->auth.ccache_name, false, false,
+-					  ads->auth.renewable, NULL);
++					  ads->auth.renewable,
++					  NULL, NULL, NULL, NULL);
+ 
+ 	if (ret) {
+ 		DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index 1f055507ad7..d33031a0dbd 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -3352,6 +3352,9 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
+ 					  true,
+ 					  true,
+ 					  2592000, /* one month */
++					  NULL,
++					  NULL,
++					  NULL,
+ 					  &status);
+ 	if (ret) {
+ 		d_printf(_("failed to kinit password: %s\n"),
+diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
+index 85ad426446a..5baecf906b9 100644
+--- a/source3/winbindd/winbindd_cred_cache.c
++++ b/source3/winbindd/winbindd_cred_cache.c
+@@ -146,6 +146,9 @@ rekinit:
+ 							  False, /* no PAC required anymore */
+ 							  True,
+ 							  WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
++							  NULL,
++							  NULL,
++							  NULL,
+ 							  NULL);
+ 			gain_root_privilege();
+ 
+@@ -343,6 +346,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx,
+ 					  False, /* no PAC required anymore */
+ 					  True,
+ 					  WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
++					  NULL,
++					  NULL,
++					  NULL,
+ 					  NULL);
+ 	gain_root_privilege();
+ 
+-- 
+2.24.1
+
+
+From 0455607124f93b72c1233d451efefbc0c445017e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Sep 2019 10:08:10 +0200
+Subject: [PATCH 04/22] s3:libsmb: avoid wrong debug message in
+ cli_session_creds_prepare_krb5()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 361fb0efabfb189526c851107eee49161da2293c)
+---
+ source3/libsmb/cliconnect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index c416d10fa24..28f5fde0757 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -375,6 +375,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 		/*
+ 		 * Ignore the error and hope that NTLM will work
+ 		 */
++		TALLOC_FREE(frame);
++		return NT_STATUS_OK;
+ 	}
+ 
+ 	DBG_DEBUG("Successfully authenticated as %s to access %s using "
+-- 
+2.24.1
+
+
+From 68c4e372ef66fda975c4db7eb4fd283bfe4218a7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Sep 2019 08:49:13 +0200
+Subject: [PATCH 05/22] s3:libsmb: let cli_session_creds_prepare_krb5() update
+ the canonicalized principal to cli_credentials
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9)
+---
+ source3/libsmb/cliconnect.c | 39 ++++++++++++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 28f5fde0757..ca6882c225e 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -229,6 +229,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 	const char *user_account = NULL;
+ 	const char *user_domain = NULL;
+ 	const char *pass = NULL;
++	char *canon_principal = NULL;
++	char *canon_realm = NULL;
+ 	const char *target_hostname = NULL;
+ 	const DATA_BLOB *server_blob = NULL;
+ 	bool got_kerberos_mechanism = false;
+@@ -237,6 +239,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 	bool need_kinit = false;
+ 	bool auth_requested = true;
+ 	int ret;
++	bool ok;
+ 
+ 	target_hostname = smbXcli_conn_remote_name(cli->conn);
+ 	server_blob = smbXcli_conn_server_gss_blob(cli->conn);
+@@ -245,7 +248,6 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 	if (server_blob != NULL && server_blob->length != 0) {
+ 		char *OIDs[ASN1_MAX_OIDS] = { NULL, };
+ 		size_t i;
+-		bool ok;
+ 
+ 		/*
+ 		 * The server sent us the first part of the SPNEGO exchange in the
+@@ -354,9 +356,19 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 	 * only if required!
+ 	 */
+ 	setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1);
+-	ret = kerberos_kinit_password(user_principal, pass,
+-				0 /* no time correction for now */,
+-				NULL);
++	ret = kerberos_kinit_password_ext(user_principal,
++					  pass,
++					  0,
++					  0,
++					  0,
++					  NULL,
++					  false,
++					  false,
++					  0,
++					  frame,
++					  &canon_principal,
++					  &canon_realm,
++					  NULL);
+ 	if (ret != 0) {
+ 		int dbglvl = DBGLVL_NOTICE;
+ 
+@@ -379,9 +391,26 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 		return NT_STATUS_OK;
+ 	}
+ 
+-	DBG_DEBUG("Successfully authenticated as %s to access %s using "
++	ok = cli_credentials_set_principal(creds,
++					   canon_principal,
++					   CRED_SPECIFIED);
++	if (!ok) {
++		TALLOC_FREE(frame);
++		return NT_STATUS_NO_MEMORY;
++	}
++
++	ok = cli_credentials_set_realm(creds,
++				       canon_realm,
++				       CRED_SPECIFIED);
++	if (!ok) {
++		TALLOC_FREE(frame);
++		return NT_STATUS_NO_MEMORY;
++	}
++
++	DBG_DEBUG("Successfully authenticated as %s (%s) to access %s using "
+ 		  "Kerberos\n",
+ 		  user_principal,
++		  canon_principal,
+ 		  target_hostname);
+ 
+ 	TALLOC_FREE(frame);
+-- 
+2.24.1
+
+
+From 38fd2f1fe94b63242296b2b1ce0a49065969a820 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 13 Sep 2019 16:04:30 +0200
+Subject: [PATCH 06/22] s3:libads/kerberos: always use the canonicalized
+ principal after kinit
+
+We should always use krb5_get_init_creds_opt_set_canonicalize()
+and krb5_get_init_creds_opt_set_win2k() for heimdal
+and expect the client principal to be changed.
+
+There's no reason to have a different logic between MIT and Heimdal.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 0bced73bed481a8846a6b3e68be85941914390ba)
+---
+ source3/libads/kerberos.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 3e09d70268f..559ec3b7f53 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -167,7 +167,10 @@ int kerberos_kinit_password_ext(const char *given_principal,
+ 	krb5_get_init_creds_opt_set_forwardable(opt, True);
+ 
+ 	/* Turn on canonicalization for lower case realm support */
+-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
++#ifdef SAMBA4_USES_HEIMDAL
++	krb5_get_init_creds_opt_set_win2k(ctx, opt, true);
++	krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true);
++#else /* MIT */
+ 	krb5_get_init_creds_opt_set_canonicalize(opt, true);
+ #endif /* MIT */
+ #if 0
+@@ -196,11 +199,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
+ 		goto out;
+ 	}
+ 
+-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
+ 	canon_princ = my_creds.client;
+-#else
+-	canon_princ = me;
+-#endif /* MIT */
+ 
+ 	code = smb_krb5_unparse_name(frame,
+ 				     ctx,
+-- 
+2.24.1
+
+
+From 6e1a52f6f48ca6624c8988a03ecfe5a3327c537e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 13 Sep 2019 16:04:30 +0200
+Subject: [PATCH 07/22] krb5_wrap: smb_krb5_kinit_password_ccache() should
+ always use the canonicalized principal
+
+We should always use krb5_get_init_creds_opt_set_canonicalize()
+and krb5_get_init_creds_opt_set_win2k() for heimdal
+and expect the client principal to be changed.
+
+There's no reason to have a different logic between MIT and Heimdal.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614)
+---
+ lib/krb5_wrap/krb5_samba.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index f0dc86b1859..a63159812e1 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2111,14 +2111,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
+ 		return code;
+ 	}
+ 
+-#ifndef SAMBA4_USES_HEIMDAL /* MIT */
+ 	/*
+ 	 * We need to store the principal as returned from the KDC to the
+ 	 * credentials cache. If we don't do that the KRB5 library is not
+ 	 * able to find the tickets it is looking for
+ 	 */
+ 	principal = my_creds.client;
+-#endif
+ 	code = krb5_cc_initialize(ctx, cc, principal);
+ 	if (code) {
+ 		goto done;
+-- 
+2.24.1
+
+
+From b19c14b730b470f969ccb2e2a64f57dc3ece46de Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 13 Sep 2019 16:04:30 +0200
+Subject: [PATCH 08/22] s4:auth: kinit_to_ccache() should always use the
+ canonicalized principal
+
+We should always use krb5_get_init_creds_opt_set_canonicalize()
+and krb5_get_init_creds_opt_set_win2k() for heimdal
+and expect the client principal to be changed.
+
+There's no reason to have a different logic between MIT and Heimdal.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 162b4199493c1f179e775a325a19ae7a136c418b)
+---
+ source4/auth/kerberos/kerberos_util.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
+index 50bf8feec96..950d91f1737 100644
+--- a/source4/auth/kerberos/kerberos_util.c
++++ b/source4/auth/kerberos/kerberos_util.c
+@@ -313,6 +313,8 @@ done:
+ 	 */
+ 	krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context,
+ 					  krb_options, true);
++	krb5_get_init_creds_opt_set_canonicalize(smb_krb5_context->krb5_context,
++						 krb_options, true);
+ #else /* MIT */
+ 	krb5_get_init_creds_opt_set_canonicalize(krb_options, true);
+ #endif
+-- 
+2.24.1
+
+
+From 1cf9d944d7dd15d8c3c796f071f82d8ffff7095e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 13 Sep 2019 16:04:30 +0200
+Subject: [PATCH 09/22] s3:libads: ads_krb5_chg_password() should always use
+ the canonicalized principal
+
+We should always use krb5_get_init_creds_opt_set_canonicalize()
+and krb5_get_init_creds_opt_set_win2k() for heimdal
+and expect the client principal to be changed.
+
+There's no reason to have a different logic between MIT and Heimdal.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 303b7e59a286896888ee2473995fc50bb2b5ce5e)
+---
+ source3/libads/krb5_setpw.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
+index c3c9477c4cf..67bc2f4640d 100644
+--- a/source3/libads/krb5_setpw.c
++++ b/source3/libads/krb5_setpw.c
+@@ -203,6 +203,12 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
+ 	krb5_get_init_creds_opt_set_renew_life(opts, 0);
+ 	krb5_get_init_creds_opt_set_forwardable(opts, 0);
+ 	krb5_get_init_creds_opt_set_proxiable(opts, 0);
++#ifdef SAMBA4_USES_HEIMDAL
++	krb5_get_init_creds_opt_set_win2k(context, opts, true);
++	krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
++#else /* MIT */
++	krb5_get_init_creds_opt_set_canonicalize(opts, true);
++#endif /* MIT */
+ 
+     /* note that heimdal will fill in the local addresses if the addresses
+      * in the creds_init_opt are all empty and then later fail with invalid
+-- 
+2.24.1
+
+
+From dc23b10c5c82f4587062fea5d68eb5d373d37bcb Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 13 Sep 2019 15:52:25 +0200
+Subject: [PATCH 10/22] krb5_wrap: let smb_krb5_parse_name() accept enterprise
+ principals
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 3bdf023956e861485be70430112ed38d0a5424f7)
+---
+ lib/krb5_wrap/krb5_samba.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index a63159812e1..abdcb308728 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
+ 	}
+ 
+ 	ret = krb5_parse_name(context, utf8_name, principal);
++	if (ret == KRB5_PARSE_MALFORMED) {
++		ret = krb5_parse_name_flags(context, utf8_name,
++					    KRB5_PRINCIPAL_PARSE_ENTERPRISE,
++					    principal);
++	}
+ 	TALLOC_FREE(frame);
+ 	return ret;
+ }
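Review bot: The retry at the `KRB5_PARSE_MALFORMED` check re-parses any string the plain parser rejects as an enterprise principal, so a caller that passed a merely malformed name now gets an enterprise-type principal back instead of an error, and the original error code is replaced by whatever the second parse returns. If the intent is only to accept `user@suffix@REALM` names, limiting the retry to inputs containing more than one '@' would keep the previous rejection for everything else; at minimum the branch deserves a comment, e.g. `/* Plain parsing rejects user@suffix@REALM; retry as an enterprise principal so the KDC can resolve the suffix via referrals. */`. The head of smb_krb5_parse_name is outside the hunk, so I cannot tell whether utf8_name is validated before the first parse.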
+-- 
+2.24.1
+
+
+From 056fe4807255578204e56d247cd6ba003213e558 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 11 Sep 2019 16:44:43 +0200
+Subject: [PATCH 11/22] docs-xml: add "winbind use krb5 enterprise principals"
+ option
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 9520652399696010c333a3ce7247809ce5337a91)
+---
+ .../winbindusekrb5enterpriseprincipals.xml    | 34 +++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
+
+diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
+new file mode 100644
+index 00000000000..bfc11c8636c
+--- /dev/null
++++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
+@@ -0,0 +1,34 @@
++<samba:parameter name="winbind use krb5 enterprise principals"
++                 context="G"
++                 type="boolean"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++	<para>winbindd is able to get kerberos tickets for
++	pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
++	</para>
++
++	<para>winbindd (at least on a domain member) is never be able
++	to have a complete picture of the trust topology (which is managed by the DCs).
++	There might be uPNSuffixes and msDS-SPNSuffixes values,
++	which don't belong to any AD domain at all.
++	</para>
++
++	<para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption>
++	winbindd don't even get an incomplete picture of the topology.
++	</para>
++
++	<para>It is not really required to know about the trust topology.
++	We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM)
++	and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM
++	and follow the WRONG_REALM referrals in order to find the correct DC.
++	The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE.
++	</para>
++
++	<para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption>
++	winbindd enterprise principals will be used.
++	</para>
++</description>
++
++<value type="default">no</value>
++<value type="example">yes</value>
++</samba:parameter>
+-- 
+2.24.1
+
+
+From f2c43932e14173574177c9e36894a25e7d8a6609 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 19 Jul 2019 15:10:09 +0000
+Subject: [PATCH 12/22] s3:winbindd: implement the "winbind use krb5 enterprise
+ principals" logic
+
+We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM)
+and delegate the routing decisions to the KDCs.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit a77be15d28390c5d12202278adbe6b50200a2c1b)
+---
+ source3/winbindd/winbindd_pam.c | 57 +++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 24 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index b81f2722c42..35018fbe284 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -418,6 +418,15 @@ struct winbindd_domain *find_auth_domain(uint8_t flags,
+ 		return find_domain_from_name_noinit(domain_name);
+ 	}
+ 
++	if (lp_winbind_use_krb5_enterprise_principals()) {
++		/*
++		 * If we use enterprise principals
++		 * we always go trough our primary domain
++		 * and follow the WRONG_REALM replies.
++		 */
++		flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
++	}
++
+ 	/* we can auth against trusted domains */
+ 	if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
+ 		domain = find_domain_from_name_noinit(domain_name);
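Review bot: The comment above the `flags &=` line has a typo, `trough` for `through`, and could say what clearing the bit means in practice: `/* With enterprise principals we always go through our primary domain and follow the WRONG_REALM replies, so never contact a trusted domain directly. */`. Since flags is a by-value `uint8_t` parameter (per the hunk header), the clear affects only this lookup, which is worth stating so nobody expects the caller's flags to change.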
+@@ -717,7 +726,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
+-	principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
++	if (lp_winbind_use_krb5_enterprise_principals() &&
++	    name_namespace[0] != '\0')
++	{
++		principal_s = talloc_asprintf(mem_ctx,
++					      "%s@%s@%s",
++					      name_user,
++					      name_namespace,
++					      realm);
++	} else {
++		principal_s = talloc_asprintf(mem_ctx,
++					      "%s@%s",
++					      name_user,
++					      realm);
++	}
+ 	if (principal_s == NULL) {
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
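Review bot: The enterprise branch builds `user@namespace@REALM` by concatenation without saying that this is the enterprise-principal form; a short comment above the `if`, such as `/* Enterprise principal: user@upnsuffix@REALM, routed by the KDCs of our primary domain. */`, would make the two formats self-explanatory. The `name_namespace[0] != '\0'` test dereferences name_namespace unconditionally; if any caller can pass NULL that needs a check, though the parameter validation at the top of winbindd_raw_kerberos_login is outside the hunk. For the enterprise form to work as the commit message describes, `realm` here has to be the primary domain's realm; where it is set is not visible in this hunk.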
+@@ -1284,30 +1306,16 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
+ 
+ 	/* what domain should we contact? */
+ 
+-	if ( IS_DC ) {
+-		contact_domain = find_domain_from_name(name_namespace);
+-		if (contact_domain == NULL) {
+-			DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
+-				  state->request->data.auth.user, name_domain, name_user, name_domain));
+-			result = NT_STATUS_NO_SUCH_USER;
+-			goto done;
+-		}
+-
++	if (lp_winbind_use_krb5_enterprise_principals()) {
++		contact_domain = find_auth_domain(0, name_namespace);
+ 	} else {
+-		if (is_myname(name_domain)) {
+-			DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
+-			result =  NT_STATUS_NO_SUCH_USER;
+-			goto done;
+-		}
+-
+ 		contact_domain = find_domain_from_name(name_namespace);
+-		if (contact_domain == NULL) {
+-			DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
+-				  state->request->data.auth.user, name_domain, name_user, name_domain));
+-
+-			result =  NT_STATUS_NO_SUCH_USER;
+-			goto done;
+-		}
++	}
++	if (contact_domain == NULL) {
++		DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
++			  state->request->data.auth.user, name_domain, name_user, name_namespace));
++		result = NT_STATUS_NO_SUCH_USER;
++		goto done;
+ 	}
+ 
+ 	if (contact_domain->initialized &&
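Review bot: The rewrite drops the `is_myname(name_domain)` rejection for the non-DC case and the `IS_DC` split entirely, so in the non-enterprise `else` branch a request naming this server's own local domain now proceeds to `find_domain_from_name(name_namespace)` instead of failing with NT_STATUS_NO_SUCH_USER; the commit message does not say this is intended, and if it is, a comment at the `else` would help. In the enterprise branch `find_auth_domain(0, name_namespace)` passes no WBFLAG_PAM_CONTACT_TRUSTDOM bit, so name_namespace presumably only matters for find_auth_domain's early returns and the primary domain is used otherwise; a comment saying so would spare the reader wondering why the name is passed at all. The unified NULL check now reports name_namespace rather than name_domain in the message, which matches what was actually looked up.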
+@@ -1320,7 +1328,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
+ 	}
+ 
+ 	if (!contact_domain->active_directory) {
+-		DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
++		DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
++		      contact_domain->name));
+ 		return NT_STATUS_INVALID_LOGON_TYPE;
+ 	}
+ try_login:
+-- 
+2.24.1
+
+
+From eb1bdb032fe5f63cd53cb5a40702b8bcfac673ff Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 18 Sep 2019 08:04:42 +0200
+Subject: [PATCH 13/22] tests/pam_winbind.py: turn pypamtest.PamTestError into
+ a failure
+
+A failure generated by the AssertionError() checks can be added
+to selftest/knownfail.d/*.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit cd3ffaabb568db26e0de5e83178487e5947c4f09)
+---
+ python/samba/tests/pam_winbind.py                 | 15 ++++++++++++---
+ python/samba/tests/pam_winbind_chauthtok.py       |  5 ++++-
+ python/samba/tests/pam_winbind_warn_pwd_expire.py |  5 ++++-
+ 3 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py
+index 68b05b30d7d..b05e8af6ffb 100644
+--- a/python/samba/tests/pam_winbind.py
++++ b/python/samba/tests/pam_winbind.py
+@@ -30,7 +30,10 @@ class SimplePamTests(samba.tests.TestCase):
+         expected_rc = 0  # PAM_SUCCESS
+ 
+         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
+-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
++        try:
++            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
++        except pypamtest.PamTestError as e:
++            raise AssertionError(str(e))
+ 
+         self.assertTrue(res is not None)
+ 
+@@ -42,7 +45,10 @@ class SimplePamTests(samba.tests.TestCase):
+         expected_rc = 7  # PAM_AUTH_ERR
+ 
+         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
+-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
++        try:
++            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
++        except pypamtest.PamTestError as e:
++            raise AssertionError(str(e))
+ 
+         self.assertTrue(res is not None)
+ 
+@@ -52,6 +58,9 @@ class SimplePamTests(samba.tests.TestCase):
+         expected_rc = 0  # PAM_SUCCESS
+ 
+         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
+-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
++        try:
++            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
++        except pypamtest.PamTestError as e:
++            raise AssertionError(str(e))
+ 
+         self.assertTrue(res is not None)
+diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py
+index e5be3a83ce7..18c2705127a 100644
+--- a/python/samba/tests/pam_winbind_chauthtok.py
++++ b/python/samba/tests/pam_winbind_chauthtok.py
+@@ -31,6 +31,9 @@ class PamChauthtokTests(samba.tests.TestCase):
+         expected_rc = 0 # PAM_SUCCESS
+ 
+         tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
+-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
++        try:
++            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword])
++        except pypamtest.PamTestError as e:
++            raise AssertionError(str(e))
+ 
+         self.assertTrue(res is not None)
+diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py
+index df60bc5ace6..1af2f9befe1 100644
+--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
++++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
+@@ -31,7 +31,10 @@ class PasswordExpirePamTests(samba.tests.TestCase):
+         expected_rc = 0  # PAM_SUCCESS
+ 
+         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
+-        res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
++        try:
++            res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password])
++        except pypamtest.PamTestError as e:
++            raise AssertionError(str(e))
+ 
+         self.assertTrue(res is not None)
+         if warn_pwd_expire == 0:
+-- 
+2.24.1
+
+
+From 54999a5fccc1777c1ee766c552cf32bb489634c9 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 20 Sep 2019 08:13:28 +0200
+Subject: [PATCH 14/22] tests/pam_winbind.py: allow upn names to be used in
+ USERNAME with an empty DOMAIN value
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 653e90485854d978dc522e689cd78c19dcc22a70)
+---
+ python/samba/tests/pam_winbind.py                 | 10 ++++++++--
+ python/samba/tests/pam_winbind_chauthtok.py       |  5 ++++-
+ python/samba/tests/pam_winbind_warn_pwd_expire.py |  5 ++++-
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py
+index b05e8af6ffb..708f408f768 100644
+--- a/python/samba/tests/pam_winbind.py
++++ b/python/samba/tests/pam_winbind.py
+@@ -26,7 +26,10 @@ class SimplePamTests(samba.tests.TestCase):
+         domain = os.environ["DOMAIN"]
+         username = os.environ["USERNAME"]
+         password = os.environ["PASSWORD"]
+-        unix_username = "%s/%s" % (domain, username)
++        if domain != "":
++            unix_username = "%s/%s" % (domain, username)
++        else:
++            unix_username = "%s" % username
+         expected_rc = 0  # PAM_SUCCESS
+ 
+         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
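Review bot: `unix_username = "%s" % username` is just `unix_username = username`, since username already comes from os.environ as a str; the format call adds nothing. The same construct is repeated in the next hunk and in pam_winbind_chauthtok.py and pam_winbind_warn_pwd_expire.py; a conditional expression `unix_username = "%s/%s" % (domain, username) if domain else username` would fit on one line in all four places.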
+@@ -41,7 +44,10 @@ class SimplePamTests(samba.tests.TestCase):
+         domain = os.environ["DOMAIN"]
+         username = os.environ["USERNAME"]
+         password = "WrongPassword"
+-        unix_username = "%s/%s" % (domain, username)
++        if domain != "":
++            unix_username = "%s/%s" % (domain, username)
++        else:
++            unix_username = "%s" % username
+         expected_rc = 7  # PAM_AUTH_ERR
+ 
+         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
+diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py
+index 18c2705127a..c1d569b3cd0 100644
+--- a/python/samba/tests/pam_winbind_chauthtok.py
++++ b/python/samba/tests/pam_winbind_chauthtok.py
+@@ -27,7 +27,10 @@ class PamChauthtokTests(samba.tests.TestCase):
+         username = os.environ["USERNAME"]
+         password = os.environ["PASSWORD"]
+         newpassword = os.environ["NEWPASSWORD"]
+-        unix_username = "%s/%s" % (domain, username)
++        if domain != "":
++            unix_username = "%s/%s" % (domain, username)
++        else:
++            unix_username = "%s" % username
+         expected_rc = 0 # PAM_SUCCESS
+ 
+         tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc)
+diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py
+index 1af2f9befe1..56f5da94f98 100644
+--- a/python/samba/tests/pam_winbind_warn_pwd_expire.py
++++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py
+@@ -27,7 +27,10 @@ class PasswordExpirePamTests(samba.tests.TestCase):
+         username = os.environ["USERNAME"]
+         password = os.environ["PASSWORD"]
+         warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"])
+-        unix_username = "%s/%s" % (domain, username)
++        if domain != "":
++            unix_username = "%s/%s" % (domain, username)
++        else:
++            unix_username = "%s" % username
+         expected_rc = 0  # PAM_SUCCESS
+ 
+         tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc)
+-- 
+2.24.1
+
+
+From a36c24e3553477c52864db8b4796cbe63ed6462a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 18 Sep 2019 01:25:58 +0200
+Subject: [PATCH 15/22] test_pam_winbind.sh: allow different pam_winbindd
+ config options to be specified
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1)
+---
+ python/samba/tests/test_pam_winbind.sh        | 12 +++++++----
+ .../samba/tests/test_pam_winbind_chauthtok.sh |  4 ++--
+ .../tests/test_pam_winbind_warn_pwd_expire.sh | 20 +++++++++++--------
+ selftest/tests.py                             |  6 +++---
+ 4 files changed, 25 insertions(+), 17 deletions(-)
+
+diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh
+index 0406b108b31..755e67280fa 100755
+--- a/python/samba/tests/test_pam_winbind.sh
++++ b/python/samba/tests/test_pam_winbind.sh
+@@ -12,6 +12,10 @@ PASSWORD="$3"
+ export PASSWORD
+ shift 3
+ 
++PAM_OPTIONS="$1"
++export PAM_OPTIONS
++shift 1
++
+ PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
+ 
+ pam_winbind="$BINDIR/shared/pam_winbind.so"
+@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services"
+ service_file="$service_dir/samba"
+ 
+ mkdir $service_dir
+-echo "auth        required    $pam_winbind debug debug_state" > $service_file
+-echo "account     required    $pam_winbind debug debug_state" >> $service_file
+-echo "password    required    $pam_winbind debug debug_state" >> $service_file
+-echo "session     required    $pam_winbind debug debug_state" >> $service_file
++echo "auth        required    $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file
++echo "account     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
++echo "password    required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
++echo "session     required    $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file
+ 
+ PAM_WRAPPER="1"
+ export PAM_WRAPPER
+diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh b/python/samba/tests/test_pam_winbind_chauthtok.sh
+index 5887699300a..48adc81859d 100755
+--- a/python/samba/tests/test_pam_winbind_chauthtok.sh
++++ b/python/samba/tests/test_pam_winbind_chauthtok.sh
+@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}
+ export PAM_WRAPPER_DEBUGLEVEL
+ 
+ case $PAM_OPTIONS in
+-    use_authtok)
++    *use_authtok*)
+         PAM_AUTHTOK="$NEWPASSWORD"
+         export PAM_AUTHTOK
+     ;;
+-    try_authtok)
++    *try_authtok*)
+         PAM_AUTHTOK="$NEWPASSWORD"
+         export PAM_AUTHTOK
+     ;;
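Review bot: The two case arms `*use_authtok*)` and `*try_authtok*)` have identical bodies; folding them into `*use_authtok*|*try_authtok*)` removes the duplication. With the new glob patterns any PAM_OPTIONS value containing the substring matches, which is fine for the values tests.py passes but worth a comment if further options are added to the string later.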
+diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
+index 16dede44227..348d2ae8387 100755
+--- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
++++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh
+@@ -12,6 +12,10 @@ PASSWORD="$3"
+ export PASSWORD
+ shift 3
+ 
++PAM_OPTIONS="$1"
++export PAM_OPTIONS
++shift 1
++
+ PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"
+ 
+ pam_winbind="$BINDIR/shared/pam_winbind.so"
+@@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL
+ WARN_PWD_EXPIRE="50"
+ export WARN_PWD_EXPIRE
+ 
+-echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
+-echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+-echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+-echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
++echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
++echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
++echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
++echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+ 
+ PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
+ exit_code=$?
+@@ -54,10 +58,10 @@ fi
+ WARN_PWD_EXPIRE="0"
+ export WARN_PWD_EXPIRE
+ 
+-echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file
+-echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+-echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
+-echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file
++echo "auth        required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file
++echo "account     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
++echo "password    required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
++echo "session     required    $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file
+ 
+ PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire
+ exit_code=$?
+diff --git a/selftest/tests.py b/selftest/tests.py
+index 7dbc0a9871f..507f7c3ea55 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -168,11 +168,11 @@ if with_pam:
+     plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
+                   [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                    valgrindify(python), pam_wrapper_so_path,
+-                   "$SERVER", "$USERNAME", "$PASSWORD"])
++                   "$SERVER", "$USERNAME", "$PASSWORD", "''"])
+     plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
+                   [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                    valgrindify(python), pam_wrapper_so_path,
+-                   "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"])
++                   "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"])
+ 
+     for pam_options in ["''", "use_authtok", "try_authtok"]:
+         plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member",
+@@ -185,7 +185,7 @@ if with_pam:
+     plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member",
+                   [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
+                    valgrindify(python), pam_wrapper_so_path,
+-                   "$DOMAIN", "alice", "Secret007"])
++                   "$DOMAIN", "alice", "Secret007", "''"])
+ 
+ 
+ plantestsuite("samba.unittests.krb5samba", "none",
+-- 
+2.24.1
+
+
+From a1a34241a96e2dc2bb5a1157c51f8d7b85973b32 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 18 Sep 2019 01:25:23 +0200
+Subject: [PATCH 16/22] selftest/tests.py: prepare looping over pam_winbindd
+ tests
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc)
+---
+ selftest/tests.py | 58 ++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 21 deletions(-)
+
+diff --git a/selftest/tests.py b/selftest/tests.py
+index 507f7c3ea55..3224de493f9 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -165,27 +165,43 @@ planpythontestsuite("none", "samba.tests.tdb_util", py3_compatible=True)
+ planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True)
+ 
+ if with_pam:
+-    plantestsuite("samba.tests.pam_winbind(local)", "ad_member",
+-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+-                   valgrindify(python), pam_wrapper_so_path,
+-                   "$SERVER", "$USERNAME", "$PASSWORD", "''"])
+-    plantestsuite("samba.tests.pam_winbind(domain)", "ad_member",
+-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+-                   valgrindify(python), pam_wrapper_so_path,
+-                   "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"])
+-
+-    for pam_options in ["''", "use_authtok", "try_authtok"]:
+-        plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member",
+-                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
+-                       valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
+-                       "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0",
+-                       pam_options, 'yes',
+-                       "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
+-
+-    plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member",
+-                  [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
+-                   valgrindify(python), pam_wrapper_so_path,
+-                   "$DOMAIN", "alice", "Secret007", "''"])
++    env = "ad_member"
++    options = [
++        {
++            "description": "default",
++            "pam_options": "",
++        },
++    ]
++    for o in options:
++        description = o["description"]
++        pam_options = "'%s'" % o["pam_options"]
++
++        plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env,
++                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
++                       valgrindify(python), pam_wrapper_so_path,
++                       "$SERVER", "$USERNAME", "$PASSWORD",
++                       pam_options])
++        plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env,
++                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
++                       valgrindify(python), pam_wrapper_so_path,
++                       "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
++                       pam_options])
++
++        for authtok_options in ["", "use_authtok", "try_authtok"]:
++            _pam_options = "'%s %s'" % (o["pam_options"], authtok_options)
++            _description = "%s %s" % (description, authtok_options)
++            plantestsuite("samba.tests.pam_winbind_chauthtok(domain+%s)" % _description, env,
++                          [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
++                           valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
++                           "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0",
++                           _pam_options, 'yes',
++                           "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
++
++        plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain+%s)" % description, env,
++                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
++                       valgrindify(python), pam_wrapper_so_path,
++                       "$DOMAIN", "alice", "Secret007",
++                       pam_options])
+ 
+ 
+ plantestsuite("samba.unittests.krb5samba", "none",
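Review bot: `_pam_options = "'%s %s'" % (o["pam_options"], authtok_options)` and the matching `_description` line leave a stray space whenever either part is empty, so the default case yields the test name `pam_winbind_chauthtok(domain+default )` and the options string `' '`; `" ".join(filter(None, [o["pam_options"], authtok_options]))` gives a clean value for both. The single quotes wrapped into `pam_options = "'%s'" % o["pam_options"]` only do the right thing if plantestsuite's argument list is later evaluated by a shell, which the `$DOMAIN`-style arguments suggest but the hunk does not show; a comment on that line stating the assumption would help the next person who adds an option containing a quote.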
+-- 
+2.24.1
+
+
+From 71047f27e44dd9b3c7aaf421990199de408ee67b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 18 Sep 2019 08:08:57 +0200
+Subject: [PATCH 17/22] selftest/tests.py: test pam_winbind with krb5_auth
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6)
+---
+ selftest/tests.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/selftest/tests.py b/selftest/tests.py
+index 3224de493f9..c2d94262c3c 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -167,6 +167,10 @@ planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True)
+ if with_pam:
+     env = "ad_member"
+     options = [
++        {
++            "description": "krb5",
++            "pam_options": "krb5_auth krb5_ccache_type=FILE",
++        },
+         {
+             "description": "default",
+             "pam_options": "",
+-- 
+2.24.1
+
+
+From 2262c07316a247aa20b306767af172c22e47d438 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 18 Sep 2019 14:03:34 +0200
+Subject: [PATCH 18/22] selftest/tests.py: test pam_winbind with a lot of
+ username variations
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit f07b542c61f84a97c097208e10bf9375ddfa9a15)
+---
+ selftest/tests.py | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/tests.py b/selftest/tests.py
+index c2d94262c3c..c9529328359 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -185,11 +185,36 @@ if with_pam:
+                        valgrindify(python), pam_wrapper_so_path,
+                        "$SERVER", "$USERNAME", "$PASSWORD",
+                        pam_options])
+-        plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env,
++        plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env,
+                       [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+                        valgrindify(python), pam_wrapper_so_path,
+                        "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
+                        pam_options])
++        plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env,
++                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
++                       valgrindify(python), pam_wrapper_so_path,
++                       "$REALM", "$DC_USERNAME", "$DC_PASSWORD",
++                       pam_options])
++        plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env,
++                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
++                       valgrindify(python), pam_wrapper_so_path,
++                       "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
++                       pam_options])
++        plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env,
++                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
++                       valgrindify(python), pam_wrapper_so_path,
++                       "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
++                       pam_options])
++        plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env,
++                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
++                       valgrindify(python), pam_wrapper_so_path,
++                       "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
++                       pam_options])
++        plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env,
++                      [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
++                       valgrindify(python), pam_wrapper_so_path,
++                       "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
++                       pam_options])
+ 
+         for authtok_options in ["", "use_authtok", "try_authtok"]:
+             _pam_options = "'%s %s'" % (o["pam_options"], authtok_options)
+-- 
+2.24.1
+
+
+From 2ed154a74c10d77a1db4543e9c1b498875777a4c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 18 Sep 2019 08:02:38 +0200
+Subject: [PATCH 19/22] selftest/Samba3.pm: use "winbind scan trusted domains =
+ no" for ad_member
+
+This demonstrates that we rely on knowning about trusted domains before
+we can do krb5_auth in winbindd.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(similar to commit e2737a74d4453a3d65e5466ddc4405d68444df27)
+---
+ selftest/target/Samba3.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 892a6a15e2d..751304d9166 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -412,6 +412,7 @@ sub setup_ad_member
+         realm = $dcvars->{REALM}
+         netbios aliases = foo bar
+ 	template homedir = /home/%D/%G/%U
++	winbind scan trusted domains = no
+ 
+ [sub_dug]
+ 	path = $share_dir/D_%D/U_%U/G_%G
+-- 
+2.24.1
+
+
+From 27a48944cfbfb2932558a799d5b9c057e0d4ea42 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 18 Sep 2019 08:10:26 +0200
+Subject: [PATCH 20/22] selftest/Samba3.pm: use "winbind use krb5 enterprise
+ principals = yes" for ad_member
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This demonstrates that can do krb5_auth in winbindd without knowning about trusted domains.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184
+
+(similar to commit 0ee085b594878f5e0e83839f465303754f015459)
+---
+ selftest/target/Samba3.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 751304d9166..89e75e54a91 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -413,6 +413,7 @@ sub setup_ad_member
+         netbios aliases = foo bar
+ 	template homedir = /home/%D/%G/%U
+ 	winbind scan trusted domains = no
++	winbind use krb5 enterprise principals = yes
+ 
+ [sub_dug]
+ 	path = $share_dir/D_%D/U_%U/G_%G
+-- 
+2.24.1
+
+
+From f70c0339b7e0f22351bdb2604504bf4f2c794544 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 9 Oct 2019 20:11:03 +0200
+Subject: [PATCH 21/22] lib:krb5_wrap: Do not create a temporary file for
+ MEMORY keytabs
+
+The autobuild cleanup script fails with:
+
+The tree has 3 new uncommitted files!!!
+git clean -n
+Would remove MEMORY:tmp_smb_creds_SK98Lv
+Would remove MEMORY:tmp_smb_creds_kornU6
+Would remove MEMORY:tmp_smb_creds_ljR828
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de)
+(cherry picked from commit d533a588b62829688824824da681cb360a399651)
+---
+ lib/krb5_wrap/krb5_samba.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index abdcb308728..6ce1d09952e 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -2002,21 +2002,21 @@ krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx,
+ 					    krb_options);
+ #elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB)
+ {
+-#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX"
+-	char tmp_name[sizeof(SMB_CREDS_KEYTAB)];
++#define SMB_CREDS_KEYTAB "MEMORY:tmp_kinit_keyblock_ccache"
++	char tmp_name[64] = {0};
+ 	krb5_keytab_entry entry;
+ 	krb5_keytab keytab;
+-	mode_t mask;
++	int rc;
+ 
+ 	memset(&entry, 0, sizeof(entry));
+ 	entry.principal = principal;
+ 	*(KRB5_KT_KEY(&entry)) = *keyblock;
+ 
+-	memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB));
+-	mask = umask(S_IRWXO | S_IRWXG);
+-	mktemp(tmp_name);
+-	umask(mask);
+-	if (tmp_name[0] == 0) {
++	rc = snprintf(tmp_name, sizeof(tmp_name),
++		      "%s-%p",
++		      SMB_CREDS_KEYTAB,
++		      &my_creds);
++	if (rc < 0) {
+ 		return KRB5_KT_BADNAME;
+ 	}
+ 	code = krb5_kt_resolve(ctx, tmp_name, &keytab);
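Review bot: The `if (rc < 0)` test after the new snprintf() catches only an encoding error, not truncation, so the usual guard is `if (rc < 0 || (size_t)rc >= sizeof(tmp_name)) { return KRB5_KT_BADNAME; }`; the 32-byte prefix plus "-" and a `%p` rendering fits in 64 bytes on common platforms, but the bound is silent if SMB_CREDS_KEYTAB is ever lengthened. Separately, uniqueness of the keytab name now rests on the stack address of `my_creds`, which repeats for calls made at the same stack depth, whereas the replaced mktemp() name was randomized per call. MEMORY keytabs are, as far as I know, process-wide and looked up by name, so a later call could resolve to a keytab that still holds an entry from an earlier call if the cleanup path does not remove it; a comment such as `/* name is per call site, not per call: the entry must be removed before close */` would record that assumption, to be confirmed against the cleanup code. smb_krb5_kinit_keyblock_ccache's body continues outside the hunk.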
+-- 
+2.24.1
+
+
+From 496c7702401cdce4603bdb143742fdf59e614fdd Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 9 Oct 2019 16:32:47 +0200
+Subject: [PATCH 22/22] s3:libads: Do not turn on canonicalization flag for MIT
+ Kerberos
+
+This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155
+
+Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25)
+
+Autobuild-User(v4-10-test): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(v4-10-test): Wed Oct 16 16:43:59 UTC 2019 on sn-devel-144
+
+(cherry picked from commit 3ad42536f873f21cc2db774ca3ea694ca7142253)
+---
+ source3/libads/krb5_setpw.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
+index 67bc2f4640d..028b0dcfa65 100644
+--- a/source3/libads/krb5_setpw.c
++++ b/source3/libads/krb5_setpw.c
+@@ -207,7 +207,22 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
+ 	krb5_get_init_creds_opt_set_win2k(context, opts, true);
+ 	krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
+ #else /* MIT */
++#if 0
++	/*
++	 * FIXME
++	 *
++	 * Due to an upstream MIT Kerberos bug, this feature is not
++	 * not working. Affection versions (2019-10-09): <= 1.17
++	 *
++	 * Reproducer:
++	 * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM
++	 *
++	 * This is NOT a problem if the service is a krbtgt.
++	 *
++	 * https://bugzilla.samba.org/show_bug.cgi?id=14155
++	 */
+ 	krb5_get_init_creds_opt_set_canonicalize(opts, true);
++#endif
+ #endif /* MIT */
+ 
+     /* note that heimdal will fill in the local addresses if the addresses
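Review bot: The new FIXME comment has two wording slips that will outlive the `#if 0`: `this feature is not not working` should read `this feature is not working`, and `Affection versions (2019-10-09): <= 1.17` should read `Affected versions (2019-10-09): <= 1.17`. An `#if 0` never re-enables itself once the MIT fix ships; a guard on the MIT library version would be preferable if one is available, but the applicable macro is not visible from this hunk, so the FIXME is at least worth a reference to what should be checked when it is revisited. ads_krb5_chg_password's body continues outside the hunk.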
+-- 
+2.24.1
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 90d65b7..10ee2c5 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 10
+%define main_release 11
 
 %define samba_version 4.10.4
 %define talloc_version 2.1.16
@@ -138,6 +138,9 @@ Patch7:         samba-4.10-fix_net_ads_join_hardened_env.patch
 Patch8:         samba-4.10-fix-netbios-join.patch
 Patch9:         CVE-2019-10218-4.11.patch
 Patch10:        samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
+Patch11:        samba-4.10-winbind_krb5_enterprise_princ.patch
+Patch12:        samba-4.10-fix_smblcient_mkdir_debug_message.patch
+Patch13:        samba-4.10-fix_client_log_spam_for_messaging.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -3268,6 +3271,11 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
+* Mon Feb 03 2020 Andreas Schneider <asn@redhat.com> - 4.10.4-11
+- resolves: #1797560 - Fix Kerberos authentication with trusted domains
+- resolves: #1797561 - Fix smbclient mkdir log spam
+- resolves: #1797562 - Fix client tools log spam about messaging
+
 * Wed Jan 08 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.10.4-10
 - resolves: #1786324 - fix security level check for DsRGetForestTrustInformation