diff --git a/SOURCES/samba-4-15-kerberos-clock-skew.patch b/SOURCES/samba-4-15-kerberos-clock-skew.patch
new file mode 100644
index 0000000..1e87049
--- /dev/null
+++ b/SOURCES/samba-4-15-kerberos-clock-skew.patch
@@ -0,0 +1,347 @@
+From 01205e1ff2a16ecdeb99fd4153f40f917decacee Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Wed, 13 Apr 2022 11:01:00 +0200
+Subject: [PATCH 1/4] s3:winbind: Do not use domain's private data to store the
+ SAMR pipes
+
+The domain's private_data pointer is also used to store a ADS_STRUCT,
+which is not allocated using talloc and there are many places casting
+this pointer directly.
+
+The recently added samba.tests.pam_winbind_setcred was randomly failing
+and after debugging it the problem was that kerberos authentication was
+failing because the time_offset passed to kerberos_return_pac() was
+wrong. This time_offset was retrieved from ads->auth.time_offset, where
+the ads pointer was directly casted from domain->private_data but
+private_data was pointing to a winbind_internal_pipes struct.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e1f29b0970f4cac52a9cd517be6862cf69a1433a)
+---
+ source3/winbindd/winbindd.h      |  6 ++++++
+ source3/winbindd/winbindd_ndr.c  |  3 +++
+ source3/winbindd/winbindd_samr.c | 18 ++++++------------
+ 3 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
+index dac4a1fa927..762844502e5 100644
+--- a/source3/winbindd/winbindd.h
++++ b/source3/winbindd/winbindd.h
+@@ -43,6 +43,8 @@
+ 
+ #define WB_REPLACE_CHAR		'_'
+ 
++struct winbind_internal_pipes;
++
+ struct winbindd_cli_state {
+ 	struct winbindd_cli_state *prev, *next;   /* Linked list pointers */
+ 	int sock;                                 /* Open socket from client */
+@@ -157,6 +159,10 @@ struct winbindd_domain {
+ 
+ 	void *private_data;
+ 
++	struct {
++		struct winbind_internal_pipes *samr_pipes;
++	} backend_data;
++
+ 	/* A working DC */
+ 	char *dcname;
+ 	const char *ping_dcname;
+diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c
+index 157ce1bff27..36901776b98 100644
+--- a/source3/winbindd/winbindd_ndr.c
++++ b/source3/winbindd/winbindd_ndr.c
+@@ -144,6 +144,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
+ 	ndr_print_bool(ndr, "startup", r->startup);
+ 	ndr_print_winbindd_methods(ndr, "backend", r->backend);
+ 	ndr_print_ptr(ndr, "private_data", r->private_data);
++	ndr_print_ptr(ndr,
++		      "backend_data.samr_pipes",
++		      r->backend_data.samr_pipes);
+ 	ndr_print_string(ndr, "dcname", r->dcname);
+ 	ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr);
+ 	ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check);
+diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
+index 5e23ff8217b..ce66adcc0c7 100644
+--- a/source3/winbindd/winbindd_samr.c
++++ b/source3/winbindd/winbindd_samr.c
+@@ -130,7 +130,7 @@ static NTSTATUS open_cached_internal_pipe_conn(
+ {
+ 	struct winbind_internal_pipes *internal_pipes = NULL;
+ 
+-	if (domain->private_data == NULL) {
++	if (domain->backend_data.samr_pipes == NULL) {
+ 		TALLOC_CTX *frame = talloc_stackframe();
+ 		NTSTATUS status;
+ 
+@@ -156,14 +156,14 @@ static NTSTATUS open_cached_internal_pipe_conn(
+ 			return status;
+ 		}
+ 
+-		domain->private_data = talloc_move(domain, &internal_pipes);
++		domain->backend_data.samr_pipes =
++			talloc_move(domain, &internal_pipes);
+ 
+ 		TALLOC_FREE(frame);
+ 
+ 	}
+ 
+-	internal_pipes = talloc_get_type_abort(
+-		domain->private_data, struct winbind_internal_pipes);
++	internal_pipes = domain->backend_data.samr_pipes;
+ 
+ 	if (samr_domain_hnd) {
+ 		*samr_domain_hnd = internal_pipes->samr_domain_hnd;
+@@ -188,23 +188,17 @@ static bool reset_connection_on_error(struct winbindd_domain *domain,
+ 				      struct rpc_pipe_client *p,
+ 				      NTSTATUS status)
+ {
+-	struct winbind_internal_pipes *internal_pipes = NULL;
+ 	struct dcerpc_binding_handle *b = p->binding_handle;
+ 
+-	internal_pipes = talloc_get_type_abort(
+-		domain->private_data, struct winbind_internal_pipes);
+-
+ 	if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
+ 	    NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR))
+ 	{
+-		TALLOC_FREE(internal_pipes);
+-		domain->private_data = NULL;
++		TALLOC_FREE(domain->backend_data.samr_pipes);
+ 		return true;
+ 	}
+ 
+ 	if (!dcerpc_binding_handle_is_connected(b)) {
+-		TALLOC_FREE(internal_pipes);
+-		domain->private_data = NULL;
++		TALLOC_FREE(domain->backend_data.samr_pipes);
+ 		return true;
+ 	}
+ 
+-- 
+2.35.1
+
+
+From 79ab2a5669a1e21e96f29cecc651dccacd7ace71 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Wed, 13 Apr 2022 11:15:35 +0200
+Subject: [PATCH 2/4] s3:winbind: Simplify open_cached_internal_pipe_conn()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 91395e660a2b1b69bf74ca0b77aee416e2ac1db3)
+---
+ source3/winbindd/winbindd_samr.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
+index ce66adcc0c7..20b5d758d1a 100644
+--- a/source3/winbindd/winbindd_samr.c
++++ b/source3/winbindd/winbindd_samr.c
+@@ -128,9 +128,10 @@ static NTSTATUS open_cached_internal_pipe_conn(
+ 	struct rpc_pipe_client **lsa_pipe,
+ 	struct policy_handle *lsa_hnd)
+ {
+-	struct winbind_internal_pipes *internal_pipes = NULL;
++	struct winbind_internal_pipes *internal_pipes =
++		domain->backend_data.samr_pipes;
+ 
+-	if (domain->backend_data.samr_pipes == NULL) {
++	if (internal_pipes == NULL) {
+ 		TALLOC_CTX *frame = talloc_stackframe();
+ 		NTSTATUS status;
+ 
+@@ -157,14 +158,11 @@ static NTSTATUS open_cached_internal_pipe_conn(
+ 		}
+ 
+ 		domain->backend_data.samr_pipes =
+-			talloc_move(domain, &internal_pipes);
++			talloc_steal(domain, internal_pipes);
+ 
+ 		TALLOC_FREE(frame);
+-
+ 	}
+ 
+-	internal_pipes = domain->backend_data.samr_pipes;
+-
+ 	if (samr_domain_hnd) {
+ 		*samr_domain_hnd = internal_pipes->samr_domain_hnd;
+ 	}
+-- 
+2.35.1
+
+
+From d57f54deef45c638093717378adc1a0743699ae8 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Wed, 13 Apr 2022 11:31:45 +0200
+Subject: [PATCH 3/4] s3:winbind: Do not use domain's private data to store the
+ ADS_STRUCT
+
+The ADS_STRUCT is not allocated using talloc and there are many places
+casting this pointer directly so use a typed pointer.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 3cb256439e9ceece26c2de82293c43486543e0cb)
+---
+ source3/winbindd/winbindd.h     |  2 ++
+ source3/winbindd/winbindd_ads.c | 10 +++++-----
+ source3/winbindd/winbindd_ndr.c |  3 +++
+ source3/winbindd/winbindd_pam.c |  6 ++----
+ 4 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
+index 762844502e5..3cc88367b90 100644
+--- a/source3/winbindd/winbindd.h
++++ b/source3/winbindd/winbindd.h
+@@ -44,6 +44,7 @@
+ #define WB_REPLACE_CHAR		'_'
+ 
+ struct winbind_internal_pipes;
++struct ads_struct;
+ 
+ struct winbindd_cli_state {
+ 	struct winbindd_cli_state *prev, *next;   /* Linked list pointers */
+@@ -161,6 +162,7 @@ struct winbindd_domain {
+ 
+ 	struct {
+ 		struct winbind_internal_pipes *samr_pipes;
++		struct ads_struct *ads_conn;
+ 	} backend_data;
+ 
+ 	/* A working DC */
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 6f01ef6e334..d350f160223 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -269,10 +269,10 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
+ 	}
+ 
+ 	DEBUG(10,("ads_cached_connection\n"));
+-	ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data);
++	ads_cached_connection_reuse(&domain->backend_data.ads_conn);
+ 
+-	if (domain->private_data) {
+-		return (ADS_STRUCT *)domain->private_data;
++	if (domain->backend_data.ads_conn != NULL) {
++		return domain->backend_data.ads_conn;
+ 	}
+ 
+ 	/* the machine acct password might have change - fetch it every time */
+@@ -303,7 +303,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
+ 	}
+ 
+ 	status = ads_cached_connection_connect(
+-					(ADS_STRUCT **)&domain->private_data,
++					&domain->backend_data.ads_conn,
+ 					domain->alt_name,
+ 					domain->name, NULL,
+ 					password, realm,
+@@ -322,7 +322,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
+ 		return NULL;
+ 	}
+ 
+-	return (ADS_STRUCT *)domain->private_data;
++	return domain->backend_data.ads_conn;
+ }
+ 
+ /* Query display info for a realm. This is the basic user list fn */
+diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c
+index 36901776b98..94ce9d73747 100644
+--- a/source3/winbindd/winbindd_ndr.c
++++ b/source3/winbindd/winbindd_ndr.c
+@@ -147,6 +147,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
+ 	ndr_print_ptr(ndr,
+ 		      "backend_data.samr_pipes",
+ 		      r->backend_data.samr_pipes);
++	ndr_print_ptr(ndr,
++		      "backend_data.ads_conn",
++		      r->backend_data.ads_conn);
+ 	ndr_print_string(ndr, "dcname", r->dcname);
+ 	ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr);
+ 	ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check);
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 1a2628b50ba..5505220335f 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -677,7 +677,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ 	fstring name_namespace, name_domain, name_user;
+ 	time_t ticket_lifetime = 0;
+ 	time_t renewal_until = 0;
+-	ADS_STRUCT *ads;
+ 	time_t time_offset = 0;
+ 	const char *user_ccache_file;
+ 	struct PAC_LOGON_INFO *logon_info = NULL;
+@@ -716,9 +715,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ 	/* 2nd step:
+ 	 * get kerberos properties */
+ 
+-	if (domain->private_data) {
+-		ads = (ADS_STRUCT *)domain->private_data;
+-		time_offset = ads->auth.time_offset;
++	if (domain->backend_data.ads_conn != NULL) {
++		time_offset = domain->backend_data.ads_conn->auth.time_offset;
+ 	}
+ 
+ 
+-- 
+2.35.1
+
+
+From e32528fd5abbace15b3aad2c7cec8d9c6ade7bf7 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Wed, 13 Apr 2022 11:34:18 +0200
+Subject: [PATCH 4/4] s3:winbind: Remove no longer used domain's private_data
+ pointer
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit a6d6ae3cfcd64a85f82ec5b12253ca0e237d95bb)
+---
+ source3/winbindd/winbindd.h     | 4 ----
+ source3/winbindd/winbindd_ndr.c | 1 -
+ 2 files changed, 5 deletions(-)
+
+diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
+index 3cc88367b90..fe286a9a686 100644
+--- a/source3/winbindd/winbindd.h
++++ b/source3/winbindd/winbindd.h
+@@ -156,10 +156,6 @@ struct winbindd_domain {
+ 	 */
+ 	struct winbindd_methods *backend;
+ 
+-        /* Private data for the backends (used for connection cache) */
+-
+-	void *private_data;
+-
+ 	struct {
+ 		struct winbind_internal_pipes *samr_pipes;
+ 		struct ads_struct *ads_conn;
+diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c
+index 94ce9d73747..b393586a692 100644
+--- a/source3/winbindd/winbindd_ndr.c
++++ b/source3/winbindd/winbindd_ndr.c
+@@ -143,7 +143,6 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
+ 	ndr_print_time_t(ndr, "startup_time", r->startup_time);
+ 	ndr_print_bool(ndr, "startup", r->startup);
+ 	ndr_print_winbindd_methods(ndr, "backend", r->backend);
+-	ndr_print_ptr(ndr, "private_data", r->private_data);
+ 	ndr_print_ptr(ndr,
+ 		      "backend_data.samr_pipes",
+ 		      r->backend_data.samr_pipes);
+-- 
+2.35.1
+
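Review bot: The `backend_data` struct added to `struct winbindd_domain` in winbindd.h (patches 1/4 and 3/4) has no comment, and patch 4/4 removes the only one that described the connection cache, so the header no longer records that the two members use different allocators. `samr_pipes` is reparented onto `domain` with `talloc_steal()` and released with `TALLOC_FREE()`, while the message of patch 3/4 states that ADS_STRUCT is not allocated with talloc. Confusing the two is the same class of mistake as the pointer mix-up this series fixes, which led to a wrong `time_offset` in Kerberos authentication. I would add above the struct `/* Backend connection caches. samr_pipes is talloc-owned by the domain; ads_conn is not talloc memory and must not be handed to talloc functions. */`. The struct definition starts and ends outside the hunks shown.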
diff --git a/SOURCES/samba-4-15-smbd-upn.patch b/SOURCES/samba-4-15-smbd-upn.patch
new file mode 100644
index 0000000..703a7d6
--- /dev/null
+++ b/SOURCES/samba-4-15-smbd-upn.patch
@@ -0,0 +1,273 @@
+From 25465d0bc77dd712b3d94e488f2cf0583fd7ac04 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 07:10:56 +0200
+Subject: [PATCH 1/5] s3:passdb: Remove trailing spaces in lookup_sid.c
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 756cd0eed30322ae6dbd5402ec11441387475884)
+---
+ source3/passdb/lookup_sid.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index a551bcfd24a..3a28cdc68a6 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -1,4 +1,4 @@
+-/* 
++/*
+    Unix SMB/CIFS implementation.
+    uid/user handling
+    Copyright (C) Andrew Tridgell         1992-1998
+@@ -72,7 +72,7 @@ static bool lookup_unix_group_name(const char *name, struct dom_sid *sid)
+  If an explicit domain name was given in the form domain\user, it
+  has to try that. If no explicit domain name was given, we have
+  to do guesswork.
+-*****************************************************************/  
++*****************************************************************/
+ 
+ bool lookup_name(TALLOC_CTX *mem_ctx,
+ 		 const char *full_name, int flags,
+@@ -300,7 +300,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
+ 		goto ok;
+ 	}
+ 
+-	/* 6. Builtin aliases */	
++	/* 6. Builtin aliases */
+ 
+ 	if ((flags & LOOKUP_NAME_BUILTIN) &&
+ 	    lookup_builtin_name(name, &rid))
+@@ -882,7 +882,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
+ 	}
+ 
+ 	/* First build up the data structures:
+-	 * 
++	 *
+ 	 * dom_infos is a list of domains referenced in the list of
+ 	 * SIDs. Later we will walk the list of domains and look up the RIDs
+ 	 * in bulk.
+@@ -1070,7 +1070,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
+ 
+ /*****************************************************************
+  *THE CANONICAL* convert SID to name function.
+-*****************************************************************/  
++*****************************************************************/
+ 
+ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ 		const char **ret_domain, const char **ret_name,
+@@ -1104,7 +1104,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ 		goto done;
+ 	}
+ 
+-	if ((ret_name != NULL) && 
++	if ((ret_name != NULL) &&
+ 	    !(*ret_name = talloc_strdup(mem_ctx, name->name))) {
+ 		goto done;
+ 	}
+@@ -1130,7 +1130,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ 
+ /*****************************************************************
+  *THE LEGACY* convert SID to id function.
+-*****************************************************************/  
++*****************************************************************/
+ 
+ static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id)
+ {
+@@ -1465,7 +1465,7 @@ fail:
+ 
+ /*****************************************************************
+  *THE CANONICAL* convert SID to uid function.
+-*****************************************************************/  
++*****************************************************************/
+ 
+ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
+ {
+@@ -1527,7 +1527,7 @@ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
+ /*****************************************************************
+  *THE CANONICAL* convert SID to gid function.
+  Group mapping is used for gids that maps to Wellknown SIDs
+-*****************************************************************/  
++*****************************************************************/
+ 
+ bool sid_to_gid(const struct dom_sid *psid, gid_t *pgid)
+ {
+-- 
+2.36.0
+
+
+From e884efce61290ad6f4125ab4e3adb08bcc1a800d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 07:12:02 +0200
+Subject: [PATCH 2/5] s3:passdb: Add support to handle UPNs in lookup_name()
+
+This address an issue if sssd is running and handling nsswitch. If we look up
+a user with getpwnam("DOMAIN\user") it will return user@REALM in the passwd
+structure. We need to be able to deal with that.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 2a03fb91c1120718ada9d4b8421044cb7eae7b83)
+---
+ source3/passdb/lookup_sid.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index 3a28cdc68a6..c14d7a7b123 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -100,8 +100,18 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
+ 					PTR_DIFF(p, full_name));
+ 		name = talloc_strdup(tmp_ctx, p+1);
+ 	} else {
+-		domain = talloc_strdup(tmp_ctx, "");
+-		name = talloc_strdup(tmp_ctx, full_name);
++		char *q = strchr_m(full_name, '@');
++
++		/* Set the domain for UPNs */
++		if (q != NULL) {
++			name = talloc_strndup(tmp_ctx,
++					      full_name,
++					      PTR_DIFF(q, full_name));
++			domain = talloc_strdup(tmp_ctx, q + 1);
++		} else {
++			domain = talloc_strdup(tmp_ctx, "");
++			name = talloc_strdup(tmp_ctx, full_name);
++		}
+ 	}
+ 
+ 	if ((domain == NULL) || (name == NULL)) {
+-- 
+2.36.0
+
+
+From cc548efd5fa1783e8412e7ac695c8d6be3323d67 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 12:26:25 +0200
+Subject: [PATCH 3/5] s3:passdb: Use already defined pointer in
+ lookup_name_smbconf()
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit ed8e466854d6d8d6120388716a7b604df7a4db27)
+---
+ source3/passdb/lookup_sid.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index c14d7a7b123..dbea5578f92 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -464,7 +464,7 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ 		 const char **ret_domain, const char **ret_name,
+ 		 struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
+ {
+-	char *qualified_name;
++	char *qualified_name = NULL;
+ 	const char *p;
+ 
+ 	if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
+@@ -472,16 +472,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ 		/* The name is already qualified with a domain. */
+ 
+ 		if (*lp_winbind_separator() != '\\') {
+-			char *tmp;
+-
+ 			/* lookup_name() needs '\\' as a separator */
+ 
+-			tmp = talloc_strdup(mem_ctx, full_name);
+-			if (!tmp) {
++			qualified_name = talloc_strdup(mem_ctx, full_name);
++			if (qualified_name == NULL) {
+ 				return false;
+ 			}
+-			tmp[p - full_name] = '\\';
+-			full_name = tmp;
++			qualified_name[p - full_name] = '\\';
++			full_name = qualified_name;
+ 		}
+ 
+ 		return lookup_name(mem_ctx, full_name, flags,
+-- 
+2.36.0
+
+
+From 3ee3336f4a3fbb80ccabe6c1494a68286af55437 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 07:24:10 +0200
+Subject: [PATCH 4/5] s3:passdb: Refactor lookup_name_smbconf()
+
+This will be changed to support UPNs too in the next patch.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 2690310743920dfe20ac235c1e3617e0f421eddc)
+---
+ source3/passdb/lookup_sid.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index dbea5578f92..de9dd123239 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -465,13 +465,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ 		 struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
+ {
+ 	char *qualified_name = NULL;
+-	const char *p;
++	const char *p = strchr_m(full_name, *lp_winbind_separator());
++	bool is_qualified = p != NULL;
+ 
+-	if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
++	if (is_qualified) {
+ 
+ 		/* The name is already qualified with a domain. */
+ 
+-		if (*lp_winbind_separator() != '\\') {
++		if (p != NULL && *lp_winbind_separator() != '\\') {
+ 			/* lookup_name() needs '\\' as a separator */
+ 
+ 			qualified_name = talloc_strdup(mem_ctx, full_name);
+-- 
+2.36.0
+
+
+From 1baa5b170c36854eaa0a5f2c9aba29d50194f750 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 26 Apr 2022 07:39:12 +0200
+Subject: [PATCH 5/5] s3:passdb: Also allow to handle UPNs in
+ lookup_name_smbconf()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 28fc44f2852046d03cada161ed1001d04d9e1554)
+---
+ source3/passdb/lookup_sid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index de9dd123239..426ea3f81bd 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -466,8 +466,9 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ {
+ 	char *qualified_name = NULL;
+ 	const char *p = strchr_m(full_name, *lp_winbind_separator());
+-	bool is_qualified = p != NULL;
++	bool is_qualified = p != NULL || strchr_m(full_name, '@') != NULL;
+ 
++	/* For DOMAIN\user or user@REALM directly call lookup_name(). */
+ 	if (is_qualified) {
+ 
+ 		/* The name is already qualified with a domain. */
+-- 
+2.36.0
+
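Review bot: The UPN branch added to lookup_name() in patch 2/5 splits at the first `@` without checking that both sides are non-empty, so `@REALM` yields an empty `name` and `user@` an empty `domain`. Requiring both parts, `if (q != NULL && q != full_name && q[1] != '\0') {`, would keep such strings on the existing unqualified path. The same `strchr_m(full_name, '@')` test in patch 5/5 marks them as qualified in lookup_name_smbconf(), so it would need the matching condition. A leading `@` is also used as a group prefix in smb.conf lists; whether every caller strips it before reaching these functions is not visible here and should be confirmed. Both function bodies continue outside the hunks.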
diff --git a/SOURCES/samba-4-15-username-map.patch b/SOURCES/samba-4-15-username-map.patch
new file mode 100644
index 0000000..0687115
--- /dev/null
+++ b/SOURCES/samba-4-15-username-map.patch
@@ -0,0 +1,321 @@
+From 438284e1025a96dfa2eb0928de99226f580f356f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 1 Apr 2022 15:56:30 +0200
+Subject: [PATCH 1/5] selftest: Create users "jackthemapper" and "jacknomapper"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Noel Power <npower@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 1b0146182224fe01ed70815364656a626038685a)
+---
+ selftest/target/Samba3.pm | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 62fb3d1e39e..b0ea9804c50 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1466,8 +1466,10 @@ sub setup_ad_member_idmap_nss
+ 	my $extra_member_options = "
+ 	# bob:x:65521:65531:localbob gecos:/:/bin/false
+ 	# jane:x:65520:65531:localjane gecos:/:/bin/false
++	# jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false
++	# jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false
+ 	idmap config $dcvars->{DOMAIN} : backend = nss
+-	idmap config $dcvars->{DOMAIN} : range = 65520-65521
++	idmap config $dcvars->{DOMAIN} : range = 65518-65521
+ 
+ 	# Support SMB1 so that we can use posix_whoami().
+ 	client min protocol = CORE
+@@ -2532,6 +2534,8 @@ sub provision($$)
+ 	my ($uid_slashuser);
+ 	my ($uid_localbob);
+ 	my ($uid_localjane);
++	my ($uid_localjackthemapper);
++	my ($uid_localjacknomapper);
+ 
+ 	if ($unix_uid < 0xffff - 13) {
+ 		$max_uid = 0xffff;
+@@ -2554,6 +2558,8 @@ sub provision($$)
+ 	$uid_slashuser = $max_uid - 13;
+ 	$uid_localbob = $max_uid - 14;
+ 	$uid_localjane = $max_uid - 15;
++	$uid_localjackthemapper = $max_uid - 16;
++	$uid_localjacknomapper = $max_uid - 17;
+ 
+ 	if ($unix_gids[0] < 0xffff - 8) {
+ 		$max_gid = 0xffff;
+@@ -3298,6 +3304,8 @@ eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
+ slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
+ bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false
+ jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false
++jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false
++jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false
+ ";
+ 	if ($unix_uid != 0) {
+ 		print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
+@@ -3362,6 +3370,8 @@ force_user:x:$gid_force_user:
+ 	createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
+ 	createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
+ 	createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
++	createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper");
++	createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper");
+ 
+ 	open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
+ 	print DNS_UPDATE_LIST "A $server. $server_ip\n";
+-- 
+2.34.1
+
+
+From 28bf2f4c52105fc11515c58e13b935ae046399b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 5 Apr 2022 08:30:23 +0200
+Subject: [PATCH 2/5] selftest: Create groups "jackthemappergroup" and
+ "jacknomappergroup"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Noel Power <npower@samba.org>
+(cherry picked from commit 26e4268d6e3bde74520e36f3ca3cc9d979292d1d)
+---
+ selftest/target/Samba3.pm | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index b0ea9804c50..131034a0e07 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -2527,6 +2527,8 @@ sub provision($$)
+ 	my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins);
+ 	my ($gid_userdup, $gid_everyone);
+ 	my ($gid_force_user);
++	my ($gid_jackthemapper);
++	my ($gid_jacknomapper);
+ 	my ($uid_user1);
+ 	my ($uid_user2);
+ 	my ($uid_gooduser);
+@@ -2575,6 +2577,8 @@ sub provision($$)
+ 	$gid_userdup = $max_gid - 6;
+ 	$gid_everyone = $max_gid - 7;
+ 	$gid_force_user = $max_gid - 8;
++	$gid_jackthemapper = $max_gid - 9;
++	$gid_jacknomapper = $max_gid - 10;
+ 
+ 	##
+ 	## create conffile
+@@ -3325,6 +3329,8 @@ domadmins:X:$gid_domadmins:
+ userdup:x:$gid_userdup:$unix_name
+ everyone:x:$gid_everyone:
+ force_user:x:$gid_force_user:
++jackthemappergroup:x:$gid_jackthemapper:jackthemapper
++jacknomappergroup:x:$gid_jacknomapper:jacknomapper
+ ";
+ 	if ($unix_gids[0] != 0) {
+ 		print GROUP "root:x:$gid_root:
+-- 
+2.34.1
+
+
+From deadcd6a919188a75157e54b2fd772e4bf18d4fc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 5 Apr 2022 08:31:41 +0200
+Subject: [PATCH 3/5] selftest: Add to "username.map" mapping for
+ jackthemappergroup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
+
+Only for environment ad_member_idmap_nss.
+
+* !jacknompapper = \@jackthemappergroup
+  jackthemaper from group jackthemappergroup is mapped to jacknompapper
+
+* !root = jacknomappergroup
+  since there is no '@' or '+' prefix, it is not an UNIX group mapping
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Noel Power <npower@samba.org>
+(cherry picked from commit 0feeb6d58a6d6b1949faa842473053af4562c979)
+---
+ selftest/target/Samba3.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 131034a0e07..8d309f9c99a 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1490,6 +1490,8 @@ sub setup_ad_member_idmap_nss
+ 
+ 	open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+ 	print USERMAP "
++!jacknomapper = \@jackthemappergroup
++!root = jacknomappergroup
+ root = $dcvars->{DOMAIN}/root
+ bob = $dcvars->{DOMAIN}/bob
+ ";
+-- 
+2.34.1
+
+
+From edf5d5641de92665c30804be6825040d7b0862af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 5 Apr 2022 14:04:52 +0200
+Subject: [PATCH 4/5] s3:tests Test "username map" for UNIX groups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Noel Power <npower@samba.org>
+(cherry picked from commit af8747a28bd62937a01fa4648f404bd0b09a44c0)
+---
+ selftest/knownfail.d/usernamemap         |  1 +
+ source3/script/tests/test_usernamemap.sh | 28 ++++++++++++++++++++++++
+ source3/selftest/tests.py                |  2 ++
+ 3 files changed, 31 insertions(+)
+ create mode 100644 selftest/knownfail.d/usernamemap
+ create mode 100755 source3/script/tests/test_usernamemap.sh
+
+diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap
+new file mode 100644
+index 00000000000..1c720fe892d
+--- /dev/null
++++ b/selftest/knownfail.d/usernamemap
+@@ -0,0 +1 @@
++samba3.blackbox.smbclient_usernamemap.jacknomapper
+diff --git a/source3/script/tests/test_usernamemap.sh b/source3/script/tests/test_usernamemap.sh
+new file mode 100755
+index 00000000000..3a3344a8781
+--- /dev/null
++++ b/source3/script/tests/test_usernamemap.sh
+@@ -0,0 +1,28 @@
++#!/bin/sh
++#
++# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
++#
++# Tests for "username map" smb.conf parameter for UNIX groups
++
++if [ $# -lt 2 ]; then
++cat <<EOF
++Usage: test_usernamemap.sh SERVER SMBCLIENT
++EOF
++exit 1;
++fi
++
++SERVER="$1"
++SMBCLIENT="$2"
++SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
++
++incdir=$(dirname "$0")/../../../testprogs/blackbox
++. "${incdir}"/subunit.sh
++
++failed=0
++
++# jackthemapper is mapped to jacknomapper, so we need jacknomapper password
++testit "jackthemapper" "${SMBCLIENT}" //"${SERVER}"/tmp -U"${SERVER}/jackthemapper%nOmApsEcrEt" -c ls || failed=$((failed + 1))
++# jacknomapper is not mapped, so we need jacknomapper password
++testit "jacknomapper"  "${SMBCLIENT}" //"${SERVER}"/tmp -U"${SERVER}/jacknomapper%nOmApsEcrEt"  -c ls || failed=$((failed + 1))
++
++testok "$0" "${failed}"
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 06c71363d5b..390e77ad41d 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -393,6 +393,8 @@ plantestsuite("samba3.blackbox.smbclient_basic.SMB2_10", "nt4_dc_schannel", [os.
+ plantestsuite("samba3.blackbox.smbclient_basic.SMB3_02", "nt4_dc_schannel", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mSMB3_02"])
+ plantestsuite("samba3.blackbox.smbclient_basic.SMB3_11", "nt4_dc_schannel", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mSMB3_11"])
+ 
++plantestsuite("samba3.blackbox.smbclient_usernamemap", "ad_member_idmap_nss:local", [os.path.join(samba3srcdir, "script/tests/test_usernamemap.sh"), '$SERVER', smbclient3])
++
+ plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
+ for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
+     if "NT1" in options or "LANMAN2" in options:
+-- 
+2.34.1
+
+
+From e1bb74a5fe7f0b4f5f16da5c355973e94f7a07ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 25 Mar 2022 11:11:50 +0100
+Subject: [PATCH 5/5] s3:auth: Fix user_in_list() for UNIX groups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Noel Power <npower@samba.org>
+
+Autobuild-User(master): Noel Power <npower@samba.org>
+Autobuild-Date(master): Thu Apr  7 09:49:44 UTC 2022 on sn-devel-184
+
+(cherry picked from commit 6dc463d3e2eb229df1c4f620cfcaf22ac71738d4)
+---
+ selftest/knownfail.d/usernamemap |  1 -
+ source3/auth/user_util.c         | 12 +++++++-----
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+ delete mode 100644 selftest/knownfail.d/usernamemap
+
+diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap
+deleted file mode 100644
+index 1c720fe892d..00000000000
+--- a/selftest/knownfail.d/usernamemap
++++ /dev/null
+@@ -1 +0,0 @@
+-samba3.blackbox.smbclient_usernamemap.jacknomapper
+diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c
+index 70b4f320c5e..aa765c2a692 100644
+--- a/source3/auth/user_util.c
++++ b/source3/auth/user_util.c
+@@ -143,11 +143,11 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
+ 		return false;
+ 	}
+ 
+-	DBG_DEBUG("Checking user %s in list\n", user);
+-
+ 	while (*list) {
+ 		const char *p = *list;
+-		bool ok;
++		bool check_unix_group = false;
++
++		DBG_DEBUG("Checking user '%s' in list '%s'.\n", user, *list);
+ 
+ 		/* Check raw username */
+ 		if (strequal(user, p)) {
+@@ -155,11 +155,13 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list)
+ 		}
+ 
+ 		while (*p == '@' || *p == '&' || *p == '+') {
++			if (*p == '@' || *p == '+') {
++				check_unix_group = true;
++			}
+ 			p++;
+ 		}
+ 
+-		ok = user_in_group(user, p);
+-		if (ok) {
++		if (check_unix_group && user_in_group(user, p)) {
+ 			return true;
+ 		}
+ 
+-- 
+2.34.1
+
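Review bot: In the user_in_list() hunk of patch 5/5 the prefix loop still skips `&`, but only `@` and `+` set `check_unix_group`, so within the visible lines an entry prefixed with `&` alone gets no group lookup. The new rule that an unprefixed entry is never treated as a group is also stated only in the commit message of patch 3/5. Since this function decides username-map and list membership, the rule belongs in the code, above the `while (*p == '@' || ...)` loop: `/* Only '@' and '+' request a UNIX group lookup; an unprefixed entry must equal the user name, and '&' alone is skipped without a group check. */`. If ignoring `&`-only entries is not intended, that case needs its own handling rather than a comment. The loop body continues outside the hunk, so any later handling of `&` is not visible here.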
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index c6c58a6..7a41d67 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -132,7 +132,7 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%global baserelease 5
+%global baserelease 8
 
 %global samba_version 4.15.5
 %global talloc_version 2.3.3
@@ -212,6 +212,9 @@ Patch7:         samba-virus_scanner.patch
 Patch8:         samba-4-15-fix-autorid.patch
 Patch9:         samba-4-15-fix-winbind-refresh-tickets.patch
 Patch10:        samba-4-15-fix-create-local-krb5-conf.patch
+Patch11:        samba-4-15-username-map.patch
+Patch12:        samba-4-15-kerberos-clock-skew.patch
+Patch13:        samba-4-15-smbd-upn.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -4110,9 +4113,15 @@ fi
 %endif
 
 %changelog
-* Wed Mar 16 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-5
-- resolves: rhbz#2064325 - Fix 'create krb5 conf = yes` when a KDC has a
-                           single IP address.
+* Wed Apr 27 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-8
+- resolves: rhbz#2070522 - Fix UPNs handling in lookup_name*() calls
+
+* Wed Apr 20 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-7
+- resolves: rhbz#2076505 - PAM Kerberos authentication fails with a clock skew error
+
+* Wed Apr 13 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-6
+- resolves: rhbz#2059151 - Fix username map for unix groups
+- resolves: rhbz#2065212 - Fix 'create krb5 conf = yes` when a KDC has a single IP address.
 
 * Thu Feb 24 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-4
 - resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh