diff --git a/SOURCES/ldapsslads-v4-12.patch b/SOURCES/ldapsslads-v4-12.patch
new file mode 100644
index 0000000..b8bb84d
--- /dev/null
+++ b/SOURCES/ldapsslads-v4-12.patch
@@ -0,0 +1,609 @@
+From 9691c65234f2833792977d6e25a314baca724c64 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
+Date: Mon, 10 Feb 2020 19:19:44 +0100
+Subject: [PATCH 1/7] s3-libads: use dns name to open a ldap session
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Required for working certificate verification.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
+Signed-off-by: Björn Baumbach <bb@sernet.de>
+Reviewed-by: Bjoern Jacke <bjacke@samba.org>
+
+Autobuild-User(master): Björn Baumbach <bb@sernet.de>
+Autobuild-Date(master): Thu Mar  5 12:29:26 UTC 2020 on sn-devel-184
+
+(cherry picked from commit e45e0912d99335f4feec7f937180ea21f7f62a72)
+---
+ source3/libads/ldap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 7ef7e7e8420..b7f819d876b 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -669,7 +669,7 @@ got_connection:
+ 
+ 	/* Otherwise setup the TCP LDAP session */
+ 
+-	ads->ldap.ld = ldap_open_with_timeout(addr,
++	ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
+ 					      &ads->ldap.ss,
+ 					      ads->ldap.port, lp_ldap_timeout());
+ 	if (ads->ldap.ld == NULL) {
+-- 
+2.25.4
+
+
+From b0cdea726ef5d90c531a49d2bf8b343cdb788719 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
+Date: Wed, 3 Jun 2020 19:40:59 +0200
+Subject: [PATCH 2/7] s3-libads: use ldap_init_fd() to initialize a ldap
+ session if possible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use the known ip address of the ldap server to open the connection and
+initialize the ldap session with ldap_init_fd().
+
+This avoid unnecessary DNS lookups which might block or prevent the
+successful connection.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
+
+Signed-off-by: Björn Baumbach <bb@sernet.de>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit c8080bbd708eaa3212fa516861ac9e3b267989a0)
+---
+ source3/libads/ldap.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index b7f819d876b..36e73440495 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum)
+ 		return NULL;
+ 	}
+ 
+-#ifdef HAVE_LDAP_INITIALIZE
++#ifdef HAVE_LDAP_INIT_FD
++	{
++		int fd = -1;
++		NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
++
++		status = open_socket_out(ss, port, to, &fd);
++		if (!NT_STATUS_IS_OK(status)) {
++			return NULL;
++		}
++
++/* define LDAP_PROTO_TCP from openldap.h if required */
++#ifndef LDAP_PROTO_TCP
++#define LDAP_PROTO_TCP 1
++#endif
++		ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
++	}
++#elif defined(HAVE_LDAP_INITIALIZE)
+ 	ldap_err = ldap_initialize(&ldp, uri);
+ #else
+ 	ldp = ldap_open(server, port);
+-- 
+2.25.4
+
+
+From 6c5b4317b150d3d2aed77c207dd3cb0039392bd6 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Mon, 29 Jun 2020 16:55:33 +0300
+Subject: [PATCH 3/7] selftest: add tests for net-ads over TLS
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++
+ selftest/knownfail.d/net_ads_tls           |  1 +
+ source4/selftest/tests.py                  |  7 ++
+ testprogs/blackbox/test_net_ads_base.sh    | 76 ++++++++++++++++++++++
+ 4 files changed, 94 insertions(+)
+ create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback
+ create mode 100644 selftest/knownfail.d/net_ads_tls
+ create mode 100755 testprogs/blackbox/test_net_ads_base.sh
+
+diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback
+new file mode 100644
+index 00000000000..b16a39d134d
+--- /dev/null
++++ b/selftest/knownfail.d/net_ads_ntlm_fallback
+@@ -0,0 +1,10 @@
++# net-ads commands that fail with: --option=gensec:gse_krb5=no
++^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin
++^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName
++^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN
++^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list
+diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
+new file mode 100644
+index 00000000000..251c948b6a9
+--- /dev/null
++++ b/selftest/knownfail.d/net_ads_tls
+@@ -0,0 +1 @@
++^samba4.blackbox.net_ads_tls
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index 1d965c751a4..a394afa177f 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -511,6 +511,13 @@ plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:clien
+ plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18'])
+ plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
+ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
++
++for nomech in ["none", "gse_krb5", "ntlmssp"]:
++    # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS
++    plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
++    plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS'])
++    plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS'])
++
+ plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
+ # json tests hook into ``chgdcpass'' to make them run in contributor CI on
+ # gitlab
+diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh
+new file mode 100755
+index 00000000000..59e3da67a7f
+--- /dev/null
++++ b/testprogs/blackbox/test_net_ads_base.sh
+@@ -0,0 +1,76 @@
++#!/bin/sh
++
++if [ $# -lt 5 ]; then
++cat <<EOF
++Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS
++EOF
++exit 1;
++fi
++
++DC_SERVER=$1
++DC_USERNAME=$2
++DC_PASSWORD=$3
++TLS_MODE=$4
++NO_MECH=$5
++BASEDIR=$6
++shift 6
++
++HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
++HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'`
++LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'`
++
++RUNDIR=`pwd`
++cd $BASEDIR
++WORKDIR=`mktemp -d -p .`
++WORKDIR=`basename $WORKDIR`
++cp -a client/* $WORKDIR/
++sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
++sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
++sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf
++sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf
++rm -f $WORKDIR/private/secrets.tdb
++cd $RUNDIR
++
++failed=0
++
++export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
++
++xoptions=""
++if [ $TLS_MODE != "no" ]; then
++	xoptions="--option=ldapsslads=yes"
++fi
++
++if [ $NO_MECH != "none" ]; then
++	xoptions="$xoptions --option=gensec:$NO_MECH=no"
++fi
++
++if [ $TLS_MODE = "noverify" ]; then
++	export LDAPTLS_REQCERT=allow
++fi
++
++net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions"
++
++# Load test functions
++. `dirname $0`/subunit.sh
++
++testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1`
++
++testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1`
++
++testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1`
++
++tls_log="StartTLS issued: using a TLS connection"
++opt="-d3 --option=ldapssl=off"
++if [ $TLS_MODE != "no" ]; then
++	testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1`
++fi
++
++testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1`
++
++testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1`
++
++testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
++rm -rf $BASEDIR/$WORKDIR
++
++exit $failed
+-- 
+2.25.4
+
+
+From 94d20b09d565c0f4b0809e1cd778f7082e4733f8 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 24 Jun 2020 15:28:45 +0300
+Subject: [PATCH 4/7] Decouple ldap-ssl-ads from ldap-ssl option
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ WHATSNEW.txt                            |  6 +++++
+ docs-xml/smbdotconf/ldap/ldapsslads.xml |  7 ++----
+ source3/include/smbldap.h               |  1 +
+ source3/lib/ABI/smbldap-2.1.0.sigs      | 33 +++++++++++++++++++++++++
+ source3/lib/smbldap.c                   | 19 +++++++++-----
+ source3/libads/ldap.c                   |  2 +-
+ source3/wscript_build                   |  2 +-
+ 7 files changed, 57 insertions(+), 13 deletions(-)
+ create mode 100644 source3/lib/ABI/smbldap-2.1.0.sigs
+
+diff --git a/WHATSNEW.txt b/WHATSNEW.txt
+index a5b554fe11f..8935876d247 100644
+--- a/WHATSNEW.txt
++++ b/WHATSNEW.txt
+@@ -557,6 +557,12 @@ CTDB changes
+   helper exits.  This triggers an election.
+ 
+ 
++The "ldap ssl ads" option no longer depends on "ldap ssl" option:
++-----------------------------------------------------------------
++With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
++is off.
++
++
+ REMOVED FEATURES
+ ================
+ 
+diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
+index 98c39651f1e..f99afe5bbad 100644
+--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
++++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
+@@ -7,13 +7,10 @@
+ 	<para>This option is used to define whether or not Samba should
+ 	use SSL when connecting to the ldap server using
+ 	<emphasis>ads</emphasis> methods.
+-	Rpc methods are not affected by this parameter. Please note, that
+-	this parameter won't have any effect if <smbconfoption name="ldap ssl"/>
+-	is set to <parameter>no</parameter>.
++	Rpc methods are not affected by this parameter.
+ 	</para>
+ 
+-	<para>See <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
+-	for more information on <smbconfoption name="ldap ssl"/>.
++	<para>See also <smbconfoption name="ldap ssl"/>.
+ 	</para>
+ 
+ </description>
+diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
+index 878268aebd6..d063f44afbc 100644
+--- a/source3/include/smbldap.h
++++ b/source3/include/smbldap.h
+@@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state,
+                    const char *dn,
+                    LDAPMod *attrs[]);
+ int smbldap_start_tls(LDAP *ldap_struct, int version);
++int smbldap_start_tls_start(LDAP *ldap_struct, int version);
+ int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri);
+ int smbldap_search(struct smbldap_state *ldap_state,
+ 		   const char *base, int scope, const char *filter,
+diff --git a/source3/lib/ABI/smbldap-2.1.0.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs
+new file mode 100644
+index 00000000000..67dcc9a8a78
+--- /dev/null
++++ b/source3/lib/ABI/smbldap-2.1.0.sigs
+@@ -0,0 +1,33 @@
++smbldap_add: int (struct smbldap_state *, const char *, LDAPMod **)
++smbldap_delete: int (struct smbldap_state *, const char *)
++smbldap_extended_operation: int (struct smbldap_state *, const char *, struct berval *, LDAPControl **, LDAPControl **, char **, struct berval **)
++smbldap_free_struct: void (struct smbldap_state **)
++smbldap_get_ldap: LDAP *(struct smbldap_state *)
++smbldap_get_paged_results: bool (struct smbldap_state *)
++smbldap_get_single_attribute: bool (LDAP *, LDAPMessage *, const char *, char *, int)
++smbldap_has_control: bool (LDAP *, const char *)
++smbldap_has_extension: bool (LDAP *, const char *)
++smbldap_has_naming_context: bool (LDAP *, const char *)
++smbldap_init: NTSTATUS (TALLOC_CTX *, struct tevent_context *, const char *, bool, const char *, const char *, struct smbldap_state **)
++smbldap_make_mod: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const char *)
++smbldap_make_mod_blob: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const DATA_BLOB *)
++smbldap_modify: int (struct smbldap_state *, const char *, LDAPMod **)
++smbldap_pull_sid: bool (LDAP *, LDAPMessage *, const char *, struct dom_sid *)
++smbldap_search: int (struct smbldap_state *, const char *, int, const char *, const char **, int, LDAPMessage **)
++smbldap_search_paged: int (struct smbldap_state *, const char *, int, const char *, const char **, int, int, LDAPMessage **, void **)
++smbldap_search_suffix: int (struct smbldap_state *, const char *, const char **, LDAPMessage **)
++smbldap_set_bind_callback: void (struct smbldap_state *, smbldap_bind_callback_fn, void *)
++smbldap_set_creds: bool (struct smbldap_state *, bool, const char *, const char *)
++smbldap_set_mod: void (LDAPMod ***, int, const char *, const char *)
++smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *)
++smbldap_set_paged_results: void (struct smbldap_state *, bool)
++smbldap_setup_full_conn: int (LDAP **, const char *)
++smbldap_start_tls: int (LDAP *, int)
++smbldap_start_tls_start: int (LDAP *, int)
++smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **)
++smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *)
++smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *)
++smbldap_talloc_first_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
++smbldap_talloc_single_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
++smbldap_talloc_single_blob: bool (TALLOC_CTX *, LDAP *, LDAPMessage *, const char *, DATA_BLOB *)
++smbldap_talloc_smallest_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
+diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
+index 34c841f9243..4815dd81fc3 100644
+--- a/source3/lib/smbldap.c
++++ b/source3/lib/smbldap.c
+@@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
+ }
+ 
+ /********************************************************************
+- start TLS on an existing LDAP connection
++ start TLS on an existing LDAP connection per config
+ *******************************************************************/
+ 
+ int smbldap_start_tls(LDAP *ldap_struct, int version)
+-{ 
+-#ifdef LDAP_OPT_X_TLS
+-	int rc,tls;
+-#endif
+-
++{
+ 	if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
+ 		return LDAP_SUCCESS;
+ 	}
+ 
++	return smbldap_start_tls_start(ldap_struct, version);
++}
++
++/********************************************************************
++ start TLS on an existing LDAP connection unconditionally
++*******************************************************************/
++
++int smbldap_start_tls_start(LDAP *ldap_struct, int version)
++{
+ #ifdef LDAP_OPT_X_TLS
++	int rc,tls;
++
+ 	/* check if we use ldaps already */
+ 	ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls);
+ 	if (tls == LDAP_OPT_X_TLS_HARD) {
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 36e73440495..16c32b2d5a7 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -703,7 +703,7 @@ got_connection:
+ 	ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+ 
+ 	if ( lp_ldap_ssl_ads() ) {
+-		status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
++		status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version));
+ 		if (!ADS_ERR_OK(status)) {
+ 			goto out;
+ 		}
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 10d9f71ae76..76d01a78f64 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -520,7 +520,7 @@ bld.SAMBA3_LIBRARY('smbldap',
+                     abi_directory='lib/ABI',
+                     abi_match='smbldap_*',
+                     pc_files=[],
+-                    vnum='2',
++                    vnum='2.1.0',
+                     public_headers='include/smbldap.h include/smb_ldap.h')
+ 
+ bld.SAMBA3_LIBRARY('ads',
+-- 
+2.25.4
+
+
+From a7d674b519b363c6e20fa5784ab998fc622c9859 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 2 Jul 2020 10:59:18 +0200
+Subject: [PATCH 5/7] Fix ads_set_sasl_wrap_flags to only change sasl flags
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/ads_proto.h  | 2 +-
+ source3/libads/ads_struct.c | 8 ++++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
+index cd9c1082681..6cdde0cf6eb 100644
+--- a/source3/libads/ads_proto.h
++++ b/source3/libads/ads_proto.h
+@@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm,
+ 		     const char *workgroup,
+ 		     const char *ldap_server,
+ 		     enum ads_sasl_state_e sasl_state);
+-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
++bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags);
+ void ads_destroy(ADS_STRUCT **ads);
+ 
+ /* The following definitions come from libads/disp_sec.c  */
+diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
+index 043a1b21247..67a9a7cf75e 100644
+--- a/source3/libads/ads_struct.c
++++ b/source3/libads/ads_struct.c
+@@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm,
+ /****************************************************************
+ ****************************************************************/
+ 
+-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags)
++bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags)
+ {
++	unsigned other_flags;
++
+ 	if (!ads) {
+ 		return false;
+ 	}
+ 
+-	ads->auth.flags = flags;
++	other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL);
++
++	ads->auth.flags = flags | other_flags;
+ 
+ 	return true;
+ }
+-- 
+2.25.4
+
+
+From e75511bf6b6b516db3336cd5f1d8f27307805801 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 2 Jul 2020 09:33:12 +0200
+Subject: [PATCH 6/7] ads: set sasl-wrapping to plain when over TLS
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ WHATSNEW.txt                     | 5 +++++
+ selftest/knownfail.d/net_ads_tls | 1 -
+ source3/libads/ldap.c            | 4 ++++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+ delete mode 100644 selftest/knownfail.d/net_ads_tls
+
+diff --git a/WHATSNEW.txt b/WHATSNEW.txt
+index 8935876d247..927b9a0fa59 100644
+--- a/WHATSNEW.txt
++++ b/WHATSNEW.txt
+@@ -562,6 +562,11 @@ The "ldap ssl ads" option no longer depends on "ldap ssl" option:
+ With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
+ is off.
+ 
++The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain:
++-----------------------------------------------------------------------
++This is now done implicitly when over TLS, so "client ldap sasl wrapping"
++does not need to be set to "plain" in order for it to work.
++
+ 
+ REMOVED FEATURES
+ ================
+diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
+deleted file mode 100644
+index 251c948b6a9..00000000000
+--- a/selftest/knownfail.d/net_ads_tls
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba4.blackbox.net_ads_tls
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 16c32b2d5a7..3f41e990085 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -707,6 +707,10 @@ got_connection:
+ 		if (!ADS_ERR_OK(status)) {
+ 			goto out;
+ 		}
++		if (!ads_set_sasl_wrap_flags(ads, 0)) {
++			status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
++			goto out;
++		}
+ 	}
+ 
+ 	/* fill in the current time and offsets */
+-- 
+2.25.4
+
+
+From 43694fbfa79b255a27a4becaf8743d2b110495e9 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 11 Jul 2020 05:04:59 +0200
+Subject: [PATCH 7/7] net: ignore possible SIGPIPE upon ldap_unbind when over
+ TLS
+
+From local tests with strace:
+
+socket(AF_UNIX, SOCK_STREAM, 0) = 12
+write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38
+...
+write(2, "ads_domain_func_level: 3\n", 25) = 25
+write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36
+write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe)
+--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} ---
++++ killed by SIGPIPE +++
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
+Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184
+---
+ source3/utils/net.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/utils/net.c b/source3/utils/net.c
+index 683b46794e4..e289b2814bc 100644
+--- a/source3/utils/net.c
++++ b/source3/utils/net.c
+@@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c,
+ 		POPT_TABLEEND
+ 	};
+ 
++	/* Ignore possible SIGPIPE upon ldap_unbind when over TLS */
++	BlockSignals(True, SIGPIPE);
++
+ 	zero_sockaddr(&c->opt_dest_ip);
+ 
+ 	setup_logging(argv[0], DEBUG_STDERR);
+-- 
+2.25.4
+
+From 0a58060cb223a1ee6629f4ba706834369dd42a3d Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 Jul 2020 22:38:06 +0200
+Subject: [PATCH] s3-libads: pass timeout to open_socket_out in ms
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+---
+ source3/libads/ldap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 1ffe96d32c9..d431156912f 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -96,9 +96,11 @@ static void gotalarm_sig(int signum)
+ 	{
+ 		int fd = -1;
+ 		NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
++		unsigned timeout_ms = 1000 * to;
+ 
+-		status = open_socket_out(ss, port, to, &fd);
++		status = open_socket_out(ss, port, timeout_ms, &fd);
+ 		if (!NT_STATUS_IS_OK(status)) {
++			DEBUG(3, ("open_socket_out: failed to open socket\n"));
+ 			return NULL;
+ 		}
+ 
+-- 
+2.25.4
+
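Review bot: In the ldap_init_fd() path added by patch 2/7 (source3/libads/ldap.c, hunk at @@ -92,7), the descriptor obtained from open_socket_out() is handed to ldap_init_fd() but nothing in the block closes it when that call fails; the code that tests ldap_err, and the enclosing function's start and end, lie outside the hunk, so if it just returns NULL the socket leaks on every failed session setup — presumably once per retry. Keeping ownership inside the block, `if (ldap_err != LDAP_SUCCESS) { close(fd); return NULL; }`, makes the fd's lifetime explicit (confirm ldap_init_fd does not already close it on failure before adding this). The diagnostic added by the final patch, `DEBUG(3, ("open_socket_out: failed to open socket\n"))`, drops the NTSTATUS that explains the failure; `DEBUG(3, ("open_socket_out: failed to open socket: %s\n", nt_errstr(status)));` lets timeouts and refused connections be told apart in the log. The `ads_set_sasl_wrap_flags(ads, 0)` call in patch 6/7 also deserves a why-comment, since a reader sees sign/seal flags being cleared right after StartTLS, e.g. `/* TLS already protects this connection; drop SASL sign/seal so wrapping is not layered on top of it */`.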
diff --git a/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch b/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch
new file mode 100644
index 0000000..3b488f8
--- /dev/null
+++ b/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch
@@ -0,0 +1,41 @@
+From 069ba5774a5ccc72dcc3567bc6d17141d68ddff5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Jul 2020 11:48:26 +0200
+Subject: [PATCH] docs: Fix documentation for require_membership_of of
+ pam_winbind
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Fri Jul 10 09:40:37 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)
+---
+ docs-xml/manpages/pam_winbind.8.xml | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
+index a9a227f1647..a61fb2d58e5 100644
+--- a/docs-xml/manpages/pam_winbind.8.xml
++++ b/docs-xml/manpages/pam_winbind.8.xml
+@@ -84,9 +84,11 @@
+ 		If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
+ 		can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
+ 		SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
+-		<parameter>MYDOMAIN\myuser</parameter>.  pam_winbind will, in that case, lookup the SID internally. Note that
+-		NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
+-		user is a member of with <command>wbinfo --user-sids=SID</command>.
++		<parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
++		<parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
++		<parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
++		the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
++		verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
+ 		</para>
+ 
+ 		<para>
+-- 
+2.27.0
+
diff --git a/SOURCES/samba-4.12-fix_winbind_lookuprids.patch b/SOURCES/samba-4.12-fix_winbind_lookuprids.patch
new file mode 100644
index 0000000..43cda48
--- /dev/null
+++ b/SOURCES/samba-4.12-fix_winbind_lookuprids.patch
@@ -0,0 +1,130 @@
+From 3b8312df417b1a1fbd712b9494d5dad495e33f6d Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 8 Jul 2020 15:00:49 +0200
+Subject: [PATCH 1/2] winbind: Add test for lookuprids cache problem
+
+When reading entries from gencache, wb_cache_rids_to_names() can
+return STATUS_SOME_UNMAPPED, which _wbint_LookupRids() does not handle
+correctly.
+
+This test enforces this situation by filling gencache with one wbinfo
+-R and then erasing the winbindd_cache.tdb. This forces winbind to
+enter the domain helper process, which will then read from gencache
+filled with the previous wbinfo -R.
+
+Without having the entries cached this does not happen because
+wb_cache_rids_to_names() via the do_query: path calls deep inside
+calls dcerpc_lsa_lookup_sids_noalloc(), which hides the
+STATUS_SOME_UNMAPPED that came in as lsa_LookupSids result value.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 04eafce653afcff517317d2b190acc4f0cbf4c61)
+---
+ selftest/knownfail.d/lookuprids_cache         |  1 +
+ .../tests/test_wbinfo_lookuprids_cache.sh     | 21 +++++++++++++++++++
+ source3/selftest/tests.py                     |  5 +++++
+ 3 files changed, 27 insertions(+)
+ create mode 100644 selftest/knownfail.d/lookuprids_cache
+ create mode 100755 source3/script/tests/test_wbinfo_lookuprids_cache.sh
+
+diff --git a/selftest/knownfail.d/lookuprids_cache b/selftest/knownfail.d/lookuprids_cache
+new file mode 100644
+index 00000000000..d3c40a62b45
+--- /dev/null
++++ b/selftest/knownfail.d/lookuprids_cache
+@@ -0,0 +1 @@
++^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\)
+\ No newline at end of file
+diff --git a/source3/script/tests/test_wbinfo_lookuprids_cache.sh b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
+new file mode 100755
+index 00000000000..0b21ffcd7c9
+--- /dev/null
++++ b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
+@@ -0,0 +1,21 @@
++#!/bin/sh
++
++WBINFO="$VALGRIND ${WBINFO:-$BINDIR/wbinfo}"
++TDBTOOL="${TDBTOOL:-$BINDIR/tdbtool}"
++TDBDUMP="${TDBDUMP:-$BINDIR/tdbdump}"
++NET="$VALGRIND ${NET:-$BINDIR/net}"
++
++cache="$LOCK_DIR"/winbindd_cache.tdb
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++
++testit "flush" "$NET" "cache" "flush" || failed=`expr $failed + 1`
++testit "lookuprids1" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
++
++key=$("$TDBDUMP" "$cache" | grep ^key.*NDR.*/16/ | cut -d\" -f2)
++
++testit "delete" "$TDBTOOL" "$cache" delete "$key"
++testit "lookuprids2" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
++
++testok $0 $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index dc44160e50d..b01a3c1aad1 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -332,6 +332,11 @@ env = "nt4_member:local"
+ plantestsuite("samba3.wbinfo_sids_to_xids", env,
+               [os.path.join(srcdir(),
+                             "nsswitch/tests/test_wbinfo_sids_to_xids.sh")])
++plantestsuite(
++    "samba.wbinfo_lookuprids_cache",
++    env,
++    [os.path.join(samba3srcdir,
++                  "script/tests/test_wbinfo_lookuprids_cache.sh")])
+ 
+ env = "ad_member"
+ t = "WBCLIENT-MULTI-PING"
+-- 
+2.20.1
+
+
+From 7389996f5e04acb79a760cb72b9d5c5a617262b8 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 8 Jul 2020 15:09:45 +0200
+Subject: [PATCH 2/2] winbind: Fix lookuprids cache problem
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Volker Lendecke <vl@samba.org>
+Autobuild-Date(master): Thu Jul  9 21:40:52 UTC 2020 on sn-devel-184
+
+(cherry picked from commit cd4122d91e942ca465c03505d5e148117f505ba4)
+---
+ selftest/knownfail.d/lookuprids_cache | 1 -
+ source3/winbindd/winbindd_dual_srv.c  | 3 ++-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ delete mode 100644 selftest/knownfail.d/lookuprids_cache
+
+diff --git a/selftest/knownfail.d/lookuprids_cache b/selftest/knownfail.d/lookuprids_cache
+deleted file mode 100644
+index d3c40a62b45..00000000000
+--- a/selftest/knownfail.d/lookuprids_cache
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\)
+\ No newline at end of file
+diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
+index 13345caa41b..63bb614a0ca 100644
+--- a/source3/winbindd/winbindd_dual_srv.c
++++ b/source3/winbindd/winbindd_dual_srv.c
+@@ -672,7 +672,8 @@ NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r)
+ 					r->in.rids->rids, r->in.rids->num_rids,
+ 					&domain_name, &names, &types);
+ 	reset_cm_connection_on_error(domain, NULL, status);
+-	if (!NT_STATUS_IS_OK(status)) {
++	if (!NT_STATUS_IS_OK(status) &&
++	    !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ 		return status;
+ 	}
+ 
+-- 
+2.20.1
+
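Review bot: In test_wbinfo_lookuprids_cache.sh the `testit "delete" "$TDBTOOL" "$cache" delete "$key"` step is the only one without the `|| failed=` increment its neighbours use, so if the cache record is not removed (empty $key because the grep matched nothing, or tdbtool failing) the script still runs lookuprids2 against a warm cache and passes without exercising the STATUS_SOME_UNMAPPED path the test was written for. `failed` is also never initialised before the first `expr $failed + 1`; the sibling script test_net_ads_base.sh in this same series starts with `failed=0`, and the sourced subunit.sh is outside the hunk so it cannot be confirmed to set it. Suggest adding `failed=0` after the variable block and appending the same `|| failed=` increment to the delete line, and quoting the grep pattern `"^key.*NDR.*/16/"` so the shell cannot glob-expand it. In patch 2/2, _wbint_LookupRids now continues on STATUS_SOME_UNMAPPED, but the function's tail is outside the hunk; verify the partial-mapping status is propagated to the caller, or that the unmapped entries' types are checked downstream, rather than being replaced by NT_STATUS_OK.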
diff --git a/SOURCES/samba-4.12-gnutls-priority-list.patch b/SOURCES/samba-4.12-gnutls-priority-list.patch
index f41e8dc..4b143d9 100644
--- a/SOURCES/samba-4.12-gnutls-priority-list.patch
+++ b/SOURCES/samba-4.12-gnutls-priority-list.patch
@@ -1,7 +1,7 @@
-From 6981475bbe11029d88de8294734d7cb29f1d0799 Mon Sep 17 00:00:00 2001
+From 2840bd0becee307f4ee896b26e9f29baac03c347 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 15 Jun 2020 11:50:16 +0200
-Subject: [PATCH] s3:lib:tls: Use better priority lists for modern GnuTLS
+Subject: [PATCH 1/2] s3:lib:tls: Use better priority lists for modern GnuTLS
 
 We should use the default priority list. That is a good practice,
 because TLS protocol hardening and phasing out of legacy algorithms,
@@ -12,7 +12,9 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408
 
 Signed-off-by: Andreas Schneider <asn@samba.org>
 Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit 53e3a959b958a3b099df6ecc5f6e294e96bd948e)
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184
 ---
  docs-xml/smbdotconf/security/tlspriority.xml | 10 ++---
  lib/param/loadparm.c                         | 10 ++++-
@@ -211,5 +213,130 @@ index b2b955f3c90..631405fa34c 100644
  #
  # This is available since version 3.6.10, but 3.6.10 has a bug which got fixed
 -- 
-2.27.0
+2.26.2
+
+
+From fdcf9f23f659025f174b32109a273e80b2ad289e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 30 Jun 2020 17:12:17 +0200
+Subject: [PATCH 2/2] tls: Use NORMAL:-VERS-SSL3.0 as the default configuration
+
+This seems to be really broken in GnuTLS and the documentation is also
+not correct.
+
+This partially reverts 53e3a959b958a3b099df6ecc5f6e294e96bd948e
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
+Autobuild-Date(master): Wed Jul  1 14:56:33 UTC 2020 on sn-devel-184
+---
+ docs-xml/smbdotconf/security/tlspriority.xml |  6 ++----
+ lib/param/loadparm.c                         |  6 ------
+ python/samba/tests/docs.py                   | 21 --------------------
+ source3/param/loadparm.c                     |  8 +-------
+ 4 files changed, 3 insertions(+), 38 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml
+index 6d1f0dcb912..471dc25ba3b 100644
+--- a/docs-xml/smbdotconf/security/tlspriority.xml
++++ b/docs-xml/smbdotconf/security/tlspriority.xml
+@@ -12,10 +12,8 @@
+    <ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
+    Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
+    </para>
+-   <para>By default it will try to find a config file matching "SAMBA", but if
+-   that does not exist will use the entry for "SYSTEM" and last fallback to
+-   NORMAL. In all cases the SSL3.0 protocol will be disabled.</para>
++   <para>The SSL3.0 protocol will be disabled.</para>
+  </description>
+ 
+- <value type="default">@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0</value>
++ <value type="default">NORMAL:-VERS-SSL3.0</value>
+ </samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 8fdd844fbaa..4e7e3f599dd 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -2803,15 +2803,9 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 	lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
+ 	lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
+ 	lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
+-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
+-	lpcfg_do_global_parameter(lp_ctx,
+-				  "tls priority",
+-				  "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
+-#else
+ 	lpcfg_do_global_parameter(lp_ctx,
+ 				  "tls priority",
+ 				  "NORMAL:-VERS-SSL3.0");
+-#endif
+ 
+ 	lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
+ 
+diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
+index 789865221cb..654a192b510 100644
+--- a/python/samba/tests/docs.py
++++ b/python/samba/tests/docs.py
+@@ -26,22 +26,6 @@ import os
+ import subprocess
+ import xml.etree.ElementTree as ET
+ 
+-config_h = os.path.join("bin/default/include/config.h")
+-config_hash = dict()
+-
+-if os.path.exists(config_h):
+-    config_hash = dict()
+-    f = open(config_h, 'r')
+-    try:
+-        lines = f.readlines()
+-        config_hash = dict((x[0], ' '.join(x[1:]))
+-                           for x in map(lambda line: line.strip().split(' ')[1:],
+-                                        list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines))))
+-    finally:
+-        f.close()
+-
+-have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash)
+-
+ class TestCase(samba.tests.TestCaseInTempDir):
+ 
+     def _format_message(self, parameters, message):
+@@ -142,11 +126,6 @@ class SmbDotConfTests(TestCase):
+         'smbd max async dosmode',
+     ])
+ 
+-    # 'tls priority' has a legacy default value if we don't link against a
+-    # modern GnuTLS version.
+-    if not have_gnutls_system_config_support:
+-        special_cases.add('tls priority')
+-
+     def setUp(self):
+         super(SmbDotConfTests, self).setUp()
+         # create a minimal smb.conf file for testparm
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 2b1a63998d6..901f01b1c6a 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -885,15 +885,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+ 	lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
+ 	lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
+ 	lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
+-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
+ 	lpcfg_string_set(Globals.ctx,
+ 			 &Globals.tls_priority,
+-			 "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
+-#else
+-	lpcfg_string_set(Globals.ctx,
+-			 &Globals.tls_priority,
+-			 "NORMAL!-VERS-SSL3.0");
+-#endif
++			 "NORMAL:-VERS-SSL3.0");
+ 
+ 	lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");
+ 
+-- 
+2.26.2
 
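Review bot: The added PATCH 2/2 changes the compiled-in `tls priority` default from `@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0` to `NORMAL:-VERS-SSL3.0` in both loadparm.c hunks, so a deployment that relied on the system-wide GnuTLS configuration being consulted by default no longer gets that policy, and the docs paragraph now says only that SSL3.0 is disabled. If this package previously depended on that lookup for the distribution crypto policy, the behaviour change deserves a line in the spec %changelog, and the tlspriority.xml text could state it, e.g. `<para>The system-wide GnuTLS configuration is not consulted unless the priority string references it explicitly.</para>`. The same nested patch also replaces the malformed legacy fallback `NORMAL!-VERS-SSL3.0` (missing colon) in source3/param/loadparm.c; that is presumably a fix in its own right and is worth mentioning in the changelog so operators understand why the effective default changed.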
diff --git a/SOURCES/samba-4.12-user-gencache.patch b/SOURCES/samba-4.12-user-gencache.patch
new file mode 100644
index 0000000..7836c91
--- /dev/null
+++ b/SOURCES/samba-4.12-user-gencache.patch
@@ -0,0 +1,478 @@
+From 3dbdb8c3d8cd0498e1afb47758fea700f5061435 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 7 May 2020 12:25:24 +0200
+Subject: [PATCH 1/4] lib:util: Add path_expand_tilde()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 15457254be0ab1235c327bd305dfeee19b2ea7a1)
+---
+ lib/util/util_paths.c | 72 +++++++++++++++++++++++++++++++++++++++++++
+ lib/util/util_paths.h |  9 ++++++
+ 2 files changed, 81 insertions(+)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index 0473557dfc6..c05246a7407 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -6,6 +6,7 @@
+    Copyright (C) Simo Sorce 2001
+    Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+    Copyright (C) James Peach 2006
++   Copyright (c) 2020      Andreas Schneider <asn@samba.org>
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+@@ -24,6 +25,7 @@
+ #include "includes.h"
+ #include "dynconfig/dynconfig.h"
+ #include "lib/util/util_paths.h"
++#include "system/passwd.h"
+ 
+ /**
+  * @brief Returns an absolute path to a file in the Samba modules directory.
+@@ -62,3 +64,73 @@ const char *shlib_ext(void)
+ 	return get_dyn_SHLIBEXT();
+ }
+ 
++static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
++{
++	struct passwd pwd = {0};
++	struct passwd *pwdbuf = NULL;
++	char buf[NSS_BUFLEN_PASSWD] = {0};
++	int rc;
++
++	rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
++	if (rc != 0 || pwdbuf == NULL ) {
++		const char *szPath = getenv("HOME");
++		if (szPath == NULL) {
++			return NULL;
++		}
++		snprintf(buf, sizeof(buf), "%s", szPath);
++
++		return talloc_strdup(mem_ctx, buf);
++	}
++
++	return talloc_strdup(mem_ctx, pwd.pw_dir);
++}
++
++char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d)
++{
++	char *h = NULL, *r = NULL;
++	const char *p = NULL;
++	struct stat sb = {0};
++	int rc;
++
++	if (d[0] != '~') {
++		return talloc_strdup(mem_ctx, d);
++	}
++	d++;
++
++	/* handle ~user/path */
++	p = strchr(d, '/');
++	if (p != NULL && p > d) {
++		struct passwd *pw;
++		size_t s = p - d;
++		char u[128];
++
++		if (s >= sizeof(u)) {
++			return NULL;
++		}
++		memcpy(u, d, s);
++		u[s] = '\0';
++
++		pw = getpwnam(u);
++		if (pw == NULL) {
++			return NULL;
++		}
++		h = talloc_strdup(mem_ctx, pw->pw_dir);
++	} else {
++		p = d;
++		h = get_user_home_dir(mem_ctx);
++	}
++	if (h == NULL) {
++		return NULL;
++	}
++
++	rc = stat(h, &sb);
++	if (rc != 0) {
++		TALLOC_FREE(h);
++		return NULL;
++	}
++
++	r = talloc_asprintf(mem_ctx, "%s%s", h, p);
++	TALLOC_FREE(h);
++
++	return r;
++}
+diff --git a/lib/util/util_paths.h b/lib/util/util_paths.h
+index 80e8aaac6e9..cf34f691e5f 100644
+--- a/lib/util/util_paths.h
++++ b/lib/util/util_paths.h
+@@ -51,4 +51,13 @@ char *data_path(TALLOC_CTX *mem_ctx, const char *name);
+  **/
+ const char *shlib_ext(void);
+ 
++/**
++ * @brief Expand a directory starting with a tilde '~'
++ *
++ * @param[in]  d        The directory to expand.
++ *
++ * @return              The expanded directory, NULL on error.
++ */
++char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d);
++
+ #endif
+-- 
+2.26.2
+
+
+From d43c586576353cba5082ba396c521dde1cde4929 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 11 May 2020 12:50:11 +0200
+Subject: [PATCH 2/4] lib:util: Add test for path_expand_tilde()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(backported from commit a15bd5493b696c66c6803d8ca65bc13f1cfcdf0a)
+---
+ lib/util/tests/test_util_paths.c | 127 +++++++++++++++++++++++++++++++
+ lib/util/wscript_build           |   6 ++
+ selftest/tests.py                |   2 +
+ 3 files changed, 135 insertions(+)
+ create mode 100644 lib/util/tests/test_util_paths.c
+
+diff --git a/lib/util/tests/test_util_paths.c b/lib/util/tests/test_util_paths.c
+new file mode 100644
+index 00000000000..b89abf0aea1
+--- /dev/null
++++ b/lib/util/tests/test_util_paths.c
+@@ -0,0 +1,127 @@
++/*
++ * Unix SMB/CIFS implementation.
++ *
++ * Copyright (C) 2020      Andreas Schneider <asn@samba.org>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <stdarg.h>
++#include <stddef.h>
++#include <stdint.h>
++#include <setjmp.h>
++#include <cmocka.h>
++
++#include <talloc.h>
++
++#include "lib/replace/replace.h"
++#include "lib/util/util_paths.c"
++
++static int setup(void **state)
++{
++	TALLOC_CTX *mem_ctx = talloc_new(NULL);
++
++	assert_non_null(mem_ctx);
++	*state = mem_ctx;
++
++	return 0;
++}
++
++static int teardown(void **state)
++{
++	TALLOC_CTX *mem_ctx = *state;
++	TALLOC_FREE(mem_ctx);
++
++    return 0;
++}
++
++static void test_get_user_home_dir(void **state)
++{
++	TALLOC_CTX *mem_ctx = *state;
++	struct passwd *pwd = getpwuid(getuid());
++	char *user;
++
++	user = get_user_home_dir(mem_ctx);
++	assert_non_null(user);
++	assert_string_equal(user, pwd->pw_dir);
++
++	TALLOC_FREE(user);
++}
++
++static void test_path_expand_tilde(void **state)
++{
++	TALLOC_CTX *mem_ctx = *state;
++	char h[256] = {0};
++	char *d = NULL;
++	const char *user = NULL;
++	char *home = NULL;
++
++	user = getenv("USER");
++	if (user == NULL){
++		user = getenv("LOGNAME");
++	}
++
++	/* In certain CIs there no such variables */
++	if (user == NULL) {
++		struct passwd *pw = getpwuid(getuid());
++		if (pw){
++			user = pw->pw_name;
++		}
++	}
++
++	home = getenv("HOME");
++	assert_non_null(home);
++	snprintf(h, sizeof(h), "%s/.cache", home);
++
++	d = path_expand_tilde(mem_ctx, "~/.cache");
++	assert_non_null(d);
++	assert_string_equal(d, h);
++	TALLOC_FREE(d);
++
++	snprintf(h, sizeof(h), "%s/.cache/X~", home);
++	d = path_expand_tilde(mem_ctx, "~/.cache/X~");
++	assert_string_equal(d, h);
++	TALLOC_FREE(d);
++
++	d = path_expand_tilde(mem_ctx, "/guru/meditation");
++	assert_non_null(d);
++	assert_string_equal(d, "/guru/meditation");
++	TALLOC_FREE(d);
++
++	snprintf(h, sizeof(h), "~%s/.cache", user);
++	d = path_expand_tilde(mem_ctx, h);
++	assert_non_null(d);
++
++	snprintf(h, sizeof(h), "%s/.cache", home);
++	assert_string_equal(d, h);
++	TALLOC_FREE(d);
++}
++
++int main(int argc, char *argv[])
++{
++	int rc;
++	const struct CMUnitTest tests[] = {
++		cmocka_unit_test(test_get_user_home_dir),
++		cmocka_unit_test(test_path_expand_tilde),
++	};
++
++	if (argc == 2) {
++		cmocka_set_test_filter(argv[1]);
++	}
++	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
++
++	rc = cmocka_run_group_tests(tests, setup, teardown);
++
++	return rc;
++}
+diff --git a/lib/util/wscript_build b/lib/util/wscript_build
+index a827eea3ed9..608f7b3dd73 100644
+--- a/lib/util/wscript_build
++++ b/lib/util/wscript_build
+@@ -288,3 +288,9 @@ else:
+                      deps='cmocka replace samba-util',
+                      local_include=False,
+                      for_selftest=True)
++
++    bld.SAMBA_BINARY('test_util_paths',
++                     source='tests/test_util_paths.c',
++                     deps='cmocka replace talloc samba-util',
++                     local_include=False,
++                     for_selftest=True)
+diff --git a/selftest/tests.py b/selftest/tests.py
+index 96d3f8d6317..b72a6fb65eb 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -389,6 +389,8 @@ plantestsuite("samba.unittests.ms_fnmatch", "none",
+               [os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")])
+ plantestsuite("samba.unittests.byteorder", "none",
+               [os.path.join(bindir(), "default/lib/util/test_byteorder")])
++plantestsuite("samba.unittests.util_paths", "none",
++              [os.path.join(bindir(), "default/lib/util/test_util_paths")])
+ plantestsuite("samba.unittests.ntlm_check", "none",
+               [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
+ plantestsuite("samba.unittests.gnutls", "none",
+-- 
+2.26.2
+
+
+From 133edb95814adc43072fd33876caf9d720eaac1f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 6 May 2020 17:10:51 +0200
+Subject: [PATCH 3/4] s3:gencache: Allow to open gencache as read-only
+
+This allows client tools to access the cache for ready-only operations
+as a normal user.
+
+Example:
+    net ads status
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Fri May 15 14:40:32 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 04f0c45475de383a0be4ca355ab9aa7784e61c27)
+---
+ source3/lib/gencache.c | 63 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 60 insertions(+), 3 deletions(-)
+
+diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
+index 9ad85bbf55f..896bf50cbd7 100644
+--- a/source3/lib/gencache.c
++++ b/source3/lib/gencache.c
+@@ -29,10 +29,13 @@
+ #include "tdb_wrap/tdb_wrap.h"
+ #include "zlib.h"
+ #include "lib/util/strv.h"
++#include "lib/util/util_paths.h"
+ 
+ #undef  DBGC_CLASS
+ #define DBGC_CLASS DBGC_TDB
+ 
++#define GENCACHE_USER_PATH "~/.cache/samba/gencache.tdb"
++
+ static struct tdb_wrap *cache;
+ 
+ /**
+@@ -68,6 +71,7 @@ static bool gencache_init(void)
+ {
+ 	char* cache_fname = NULL;
+ 	int open_flags = O_RDWR|O_CREAT;
++	int tdb_flags = TDB_INCOMPATIBLE_HASH|TDB_NOSYNC|TDB_MUTEX_LOCKING;
+ 	int hash_size;
+ 
+ 	/* skip file open if it's already opened */
+@@ -85,10 +89,63 @@ static bool gencache_init(void)
+ 	DEBUG(5, ("Opening cache file at %s\n", cache_fname));
+ 
+ 	cache = tdb_wrap_open(NULL, cache_fname, hash_size,
+-			      TDB_INCOMPATIBLE_HASH|
+-			      TDB_NOSYNC|
+-			      TDB_MUTEX_LOCKING,
++			      tdb_flags,
+ 			      open_flags, 0644);
++	/*
++	 * Allow client tools to create a gencache in the home directory
++	 * as a normal user.
++	 */
++	if (cache == NULL && errno == EACCES && geteuid() != 0) {
++		char *cache_dname = NULL, *tmp = NULL;
++		bool ok;
++
++		TALLOC_FREE(cache_fname);
++
++		cache_fname = path_expand_tilde(talloc_tos(),
++						GENCACHE_USER_PATH);
++		if (cache_fname == NULL) {
++			DBG_ERR("Failed to expand path: %s\n",
++				GENCACHE_USER_PATH);
++			return false;
++		}
++
++		tmp = talloc_strdup(talloc_tos(), cache_fname);
++		if (tmp == NULL) {
++			DBG_ERR("No memory!\n");
++			TALLOC_FREE(cache_fname);
++			return false;
++		}
++
++		cache_dname = dirname(tmp);
++		if (cache_dname == NULL) {
++			DBG_ERR("Invalid path: %s\n", cache_fname);
++			TALLOC_FREE(tmp);
++			TALLOC_FREE(cache_fname);
++			return false;
++		}
++
++		ok = directory_create_or_exist(cache_dname, 0700);
++		if (!ok) {
++			DBG_ERR("Failed to create directory: %s - %s\n",
++				cache_dname, strerror(errno));
++			TALLOC_FREE(tmp);
++			TALLOC_FREE(cache_fname);
++			return false;
++		}
++		TALLOC_FREE(tmp);
++
++		cache = tdb_wrap_open(NULL,
++				      cache_fname,
++				      hash_size,
++				      tdb_flags,
++				      open_flags,
++				      0644);
++		if (cache != NULL) {
++			DBG_INFO("Opening user cache file %s.\n",
++				 cache_fname);
++		}
++	}
++
+ 	if (cache == NULL) {
+ 		DEBUG(5, ("Opening %s failed: %s\n", cache_fname,
+ 			  strerror(errno)));
+-- 
+2.26.2
+
+
+From de71248d86e29ca7d1d2df0f197b930ae8472d5b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 15 May 2020 12:18:02 -0700
+Subject: [PATCH 4/4] s3: lib: Paranoia around use of snprintf copying into a
+ fixed-size buffer from a getenv() pointer.
+
+Post checks for overflow/error.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Mon May 18 23:42:57 UTC 2020 on sn-devel-184
+
+(cherry picked from commit dd1f750293ef4361455a5d5b63fc7a89495715b7)
+---
+ lib/util/util_paths.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index c05246a7407..c0ee5c32c30 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -73,12 +73,16 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
+ 
+ 	rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
+ 	if (rc != 0 || pwdbuf == NULL ) {
++		int len_written;
+ 		const char *szPath = getenv("HOME");
+ 		if (szPath == NULL) {
+ 			return NULL;
+ 		}
+-		snprintf(buf, sizeof(buf), "%s", szPath);
+-
++		len_written = snprintf(buf, sizeof(buf), "%s", szPath);
++		if (len_written >= sizeof(buf) || len_written < 0) {
++			/* Output was truncated or an error. */
++			return NULL;
++		}
+ 		return talloc_strdup(mem_ctx, buf);
+ 	}
+ 
+-- 
+2.26.2
+
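Review bot: `path_expand_tilde()` in the lib/util/util_paths.c hunk mishandles a bare `~user` with no trailing slash: `strchr(d, '/')` returns NULL, the else branch sets `p = d`, and the result is the caller's own home directory with the user name appended (`~bob` becomes `<own home>bob`) instead of an error or the other user's home. Since the function is exported in util_paths.h, a small guard before the `p != NULL && p > d` test fixes it: `if (p == NULL) { p = d + strlen(d); }` (the remainder is then the user name and the NULL check becomes redundant). Separately, the gencache.c fallback creates the cache directory with mode 0700 but opens the per-user tdb with `0644`; `0600` would match the intent of a private per-user cache rather than relying on the parent directory's permissions. It is also worth confirming that `directory_create_or_exist()` creates missing intermediate directories, since `~/.cache` may not exist on a fresh account and the error path would then report a confusing failure.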
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 095620c..68b5726 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -8,7 +8,7 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%define main_release 5
+%define main_release 11
 
 %define samba_version 4.12.3
 %define talloc_version 2.3.1
@@ -135,6 +135,10 @@ Source201:      README.downgrade
 
 Patch0:         samba-4.12-gnutls-priority-list.patch
 Patch1:         dnshostname_all.patch
+Patch2:         samba-4.12-fix_pam_winbind_manpage.patch
+Patch3:	        ldapsslads-v4-12.patch
+Patch4:         samba-4.12-fix_winbind_lookuprids.patch
+Patch5:         samba-4.12-user-gencache.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
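Review bot: The new `Patch3:` line uses a tab after the colon while the neighbouring Patch lines use spaces; `Patch3:         ldapsslads-v4-12.patch` keeps the column alignment and avoids a mixed-whitespace line. If the %prep section applies patches with explicit `%patchN -p1` lines rather than `%autosetup` (not visible in this diff), matching entries for Patch2 through Patch5 are needed, otherwise the new patches are declared but never applied.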
@@ -1339,6 +1343,10 @@ fi
 %{_libdir}/samba/vfs/worm.so
 %{_libdir}/samba/vfs/xattr_tdb.so
 
+%dir %{_datadir}/samba
+%dir %{_datadir}/samba/mdssvc
+%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
+
 %{_unitdir}/nmb.service
 %{_unitdir}/smb.service
 %attr(1777,root,root) %dir /var/spool/samba
@@ -1446,9 +1454,6 @@ fi
 %{_mandir}/man8/cifsdd.8.*
 %{_mandir}/man8/samba-regedit.8*
 %{_mandir}/man8/smbspool.8*
-%dir %{_datadir}/samba
-%dir %{_datadir}/samba/mdssvc
-%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
 
 ### CLIENT-LIBS
 %files client-libs
@@ -3576,6 +3581,26 @@ fi
 %endif
 
 %changelog
+* Wed Jul 22 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-11
+- resolves: #1859277 - Allow a user to use gencache
+
+* Wed Jul 15 2020 Isaac Boukris <iboukris@redhat.com> - 4.12.3-10
+- related: #1856315 - Fix net-ads-join with LDAP over TLS
+
+* Tue Jul 14 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-9
+- related: #1817557 - Move DECRPC mdssvc data files to correct package
+- resolves: #1856676 - Fix lookuprids in winbind
+
+* Mon Jul 13 2020 Isaac Boukris <iboukris@redhat.com> - 4.12.3-8
+- resolves: #1856315 - Fix net-ads-join with LDAP over TLS
+
+* Fri Jul 10 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-7
+- resolves: #1855711 - Fix 'require_membership_of' documentation in
+                       pam_winbind manpage
+
+* Thu Jul 09 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-6
+- related: #1842844 - Fix TLS connections with GnuTLS
+
 * Wed Jul 01 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-5
 - resolves: #1823612 - Fix segfault in 'net ads dns gethostbyname'
 - resolves: #1792553 - Fix 'net ads join createcomputer=OU'