diff --git a/SOURCES/ldapsslads-v4-12.patch b/SOURCES/ldapsslads-v4-12.patch
new file mode 100644
index 0000000..b8bb84d
--- /dev/null
+++ b/SOURCES/ldapsslads-v4-12.patch
@@ -0,0 +1,609 @@
+From 9691c65234f2833792977d6e25a314baca724c64 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
+Date: Mon, 10 Feb 2020 19:19:44 +0100
+Subject: [PATCH 1/7] s3-libads: use dns name to open a ldap session
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Required for working certificate verification.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
+Signed-off-by: Björn Baumbach <bb@sernet.de>
+Reviewed-by: Bjoern Jacke <bjacke@samba.org>
+
+Autobuild-User(master): Björn Baumbach <bb@sernet.de>
+Autobuild-Date(master): Thu Mar 5 12:29:26 UTC 2020 on sn-devel-184
+
+(cherry picked from commit e45e0912d99335f4feec7f937180ea21f7f62a72)
+---
+ source3/libads/ldap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 7ef7e7e8420..b7f819d876b 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -669,7 +669,7 @@ got_connection:
+
+ /* Otherwise setup the TCP LDAP session */
+
+- ads->ldap.ld = ldap_open_with_timeout(addr,
++ ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
+ &ads->ldap.ss,
+ ads->ldap.port, lp_ldap_timeout());
+ if (ads->ldap.ld == NULL) {
+--
+2.25.4
+
+
+From b0cdea726ef5d90c531a49d2bf8b343cdb788719 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
+Date: Wed, 3 Jun 2020 19:40:59 +0200
+Subject: [PATCH 2/7] s3-libads: use ldap_init_fd() to initialize a ldap
+ session if possible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use the known ip address of the ldap server to open the connection and
+initialize the ldap session with ldap_init_fd().
+
+This avoid unnecessary DNS lookups which might block or prevent the
+successful connection.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
+
+Signed-off-by: Björn Baumbach <bb@sernet.de>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit c8080bbd708eaa3212fa516861ac9e3b267989a0)
+---
+ source3/libads/ldap.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index b7f819d876b..36e73440495 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum)
+ return NULL;
+ }
+
+-#ifdef HAVE_LDAP_INITIALIZE
++#ifdef HAVE_LDAP_INIT_FD
++ {
++ int fd = -1;
++ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
++
++ status = open_socket_out(ss, port, to, &fd);
++ if (!NT_STATUS_IS_OK(status)) {
++ return NULL;
++ }
++
++/* define LDAP_PROTO_TCP from openldap.h if required */
++#ifndef LDAP_PROTO_TCP
++#define LDAP_PROTO_TCP 1
++#endif
++ ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
++ }
++#elif defined(HAVE_LDAP_INITIALIZE)
+ ldap_err = ldap_initialize(&ldp, uri);
+ #else
+ ldp = ldap_open(server, port);
+--
+2.25.4
+
+
+From 6c5b4317b150d3d2aed77c207dd3cb0039392bd6 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Mon, 29 Jun 2020 16:55:33 +0300
+Subject: [PATCH 3/7] selftest: add tests for net-ads over TLS
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++
+ selftest/knownfail.d/net_ads_tls | 1 +
+ source4/selftest/tests.py | 7 ++
+ testprogs/blackbox/test_net_ads_base.sh | 76 ++++++++++++++++++++++
+ 4 files changed, 94 insertions(+)
+ create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback
+ create mode 100644 selftest/knownfail.d/net_ads_tls
+ create mode 100755 testprogs/blackbox/test_net_ads_base.sh
+
+diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback
+new file mode 100644
+index 00000000000..b16a39d134d
+--- /dev/null
++++ b/selftest/knownfail.d/net_ads_ntlm_fallback
+@@ -0,0 +1,10 @@
++# net-ads commands that fail with: --option=gensec:gse_krb5=no
++^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin
++^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName
++^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN
++^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN
++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list
+diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
+new file mode 100644
+index 00000000000..251c948b6a9
+--- /dev/null
++++ b/selftest/knownfail.d/net_ads_tls
+@@ -0,0 +1 @@
++^samba4.blackbox.net_ads_tls
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index 1d965c751a4..a394afa177f 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -511,6 +511,13 @@ plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:clien
+ plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18'])
+ plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
+ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
++
++for nomech in ["none", "gse_krb5", "ntlmssp"]:
++ # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS
++ plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
++ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS'])
++ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS'])
++
+ plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
+ # json tests hook into ``chgdcpass'' to make them run in contributor CI on
+ # gitlab
+diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh
+new file mode 100755
+index 00000000000..59e3da67a7f
+--- /dev/null
++++ b/testprogs/blackbox/test_net_ads_base.sh
+@@ -0,0 +1,76 @@
++#!/bin/sh
++
++if [ $# -lt 5 ]; then
++cat <<EOF
++Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS
++EOF
++exit 1;
++fi
++
++DC_SERVER=$1
++DC_USERNAME=$2
++DC_PASSWORD=$3
++TLS_MODE=$4
++NO_MECH=$5
++BASEDIR=$6
++shift 6
++
++HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
++HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'`
++LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'`
++
++RUNDIR=`pwd`
++cd $BASEDIR
++WORKDIR=`mktemp -d -p .`
++WORKDIR=`basename $WORKDIR`
++cp -a client/* $WORKDIR/
++sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
++sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
++sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf
++sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf
++rm -f $WORKDIR/private/secrets.tdb
++cd $RUNDIR
++
++failed=0
++
++export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
++
++xoptions=""
++if [ $TLS_MODE != "no" ]; then
++ xoptions="--option=ldapsslads=yes"
++fi
++
++if [ $NO_MECH != "none" ]; then
++ xoptions="$xoptions --option=gensec:$NO_MECH=no"
++fi
++
++if [ $TLS_MODE = "noverify" ]; then
++ export LDAPTLS_REQCERT=allow
++fi
++
++net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions"
++
++# Load test functions
++. `dirname $0`/subunit.sh
++
++testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1`
++
++testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1`
++
++testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1`
++
++tls_log="StartTLS issued: using a TLS connection"
++opt="-d3 --option=ldapssl=off"
++if [ $TLS_MODE != "no" ]; then
++ testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1`
++fi
++
++testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1`
++
++testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1`
++
++testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
++rm -rf $BASEDIR/$WORKDIR
++
++exit $failed
+--
+2.25.4
+
+
+From 94d20b09d565c0f4b0809e1cd778f7082e4733f8 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 24 Jun 2020 15:28:45 +0300
+Subject: [PATCH 4/7] Decouple ldap-ssl-ads from ldap-ssl option
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ WHATSNEW.txt | 6 +++++
+ docs-xml/smbdotconf/ldap/ldapsslads.xml | 7 ++----
+ source3/include/smbldap.h | 1 +
+ source3/lib/ABI/smbldap-2.1.0.sigs | 33 +++++++++++++++++++++++++
+ source3/lib/smbldap.c | 19 +++++++++-----
+ source3/libads/ldap.c | 2 +-
+ source3/wscript_build | 2 +-
+ 7 files changed, 57 insertions(+), 13 deletions(-)
+ create mode 100644 source3/lib/ABI/smbldap-2.1.0.sigs
+
+diff --git a/WHATSNEW.txt b/WHATSNEW.txt
+index a5b554fe11f..8935876d247 100644
+--- a/WHATSNEW.txt
++++ b/WHATSNEW.txt
+@@ -557,6 +557,12 @@ CTDB changes
+ helper exits. This triggers an election.
+
+
++The "ldap ssl ads" option no longer depends on "ldap ssl" option:
++-----------------------------------------------------------------
++With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
++is off.
++
++
+ REMOVED FEATURES
+ ================
+
+diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
+index 98c39651f1e..f99afe5bbad 100644
+--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
++++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
+@@ -7,13 +7,10 @@
+ <para>This option is used to define whether or not Samba should
+ use SSL when connecting to the ldap server using
+ <emphasis>ads</emphasis> methods.
+- Rpc methods are not affected by this parameter. Please note, that
+- this parameter won't have any effect if <smbconfoption name="ldap ssl"/>
+- is set to <parameter>no</parameter>.
++ Rpc methods are not affected by this parameter.
+ </para>
+
+- <para>See <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
+- for more information on <smbconfoption name="ldap ssl"/>.
++ <para>See also <smbconfoption name="ldap ssl"/>.
+ </para>
+
+ </description>
+diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
+index 878268aebd6..d063f44afbc 100644
+--- a/source3/include/smbldap.h
++++ b/source3/include/smbldap.h
+@@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state,
+ const char *dn,
+ LDAPMod *attrs[]);
+ int smbldap_start_tls(LDAP *ldap_struct, int version);
++int smbldap_start_tls_start(LDAP *ldap_struct, int version);
+ int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri);
+ int smbldap_search(struct smbldap_state *ldap_state,
+ const char *base, int scope, const char *filter,
+diff --git a/source3/lib/ABI/smbldap-2.1.0.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs
+new file mode 100644
+index 00000000000..67dcc9a8a78
+--- /dev/null
++++ b/source3/lib/ABI/smbldap-2.1.0.sigs
+@@ -0,0 +1,33 @@
++smbldap_add: int (struct smbldap_state *, const char *, LDAPMod **)
++smbldap_delete: int (struct smbldap_state *, const char *)
++smbldap_extended_operation: int (struct smbldap_state *, const char *, struct berval *, LDAPControl **, LDAPControl **, char **, struct berval **)
++smbldap_free_struct: void (struct smbldap_state **)
++smbldap_get_ldap: LDAP *(struct smbldap_state *)
++smbldap_get_paged_results: bool (struct smbldap_state *)
++smbldap_get_single_attribute: bool (LDAP *, LDAPMessage *, const char *, char *, int)
++smbldap_has_control: bool (LDAP *, const char *)
++smbldap_has_extension: bool (LDAP *, const char *)
++smbldap_has_naming_context: bool (LDAP *, const char *)
++smbldap_init: NTSTATUS (TALLOC_CTX *, struct tevent_context *, const char *, bool, const char *, const char *, struct smbldap_state **)
++smbldap_make_mod: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const char *)
++smbldap_make_mod_blob: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const DATA_BLOB *)
++smbldap_modify: int (struct smbldap_state *, const char *, LDAPMod **)
++smbldap_pull_sid: bool (LDAP *, LDAPMessage *, const char *, struct dom_sid *)
++smbldap_search: int (struct smbldap_state *, const char *, int, const char *, const char **, int, LDAPMessage **)
++smbldap_search_paged: int (struct smbldap_state *, const char *, int, const char *, const char **, int, int, LDAPMessage **, void **)
++smbldap_search_suffix: int (struct smbldap_state *, const char *, const char **, LDAPMessage **)
++smbldap_set_bind_callback: void (struct smbldap_state *, smbldap_bind_callback_fn, void *)
++smbldap_set_creds: bool (struct smbldap_state *, bool, const char *, const char *)
++smbldap_set_mod: void (LDAPMod ***, int, const char *, const char *)
++smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *)
++smbldap_set_paged_results: void (struct smbldap_state *, bool)
++smbldap_setup_full_conn: int (LDAP **, const char *)
++smbldap_start_tls: int (LDAP *, int)
++smbldap_start_tls_start: int (LDAP *, int)
++smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **)
++smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *)
++smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *)
++smbldap_talloc_first_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
++smbldap_talloc_single_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
++smbldap_talloc_single_blob: bool (TALLOC_CTX *, LDAP *, LDAPMessage *, const char *, DATA_BLOB *)
++smbldap_talloc_smallest_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
+diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
+index 34c841f9243..4815dd81fc3 100644
+--- a/source3/lib/smbldap.c
++++ b/source3/lib/smbldap.c
+@@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
+ }
+
+ /********************************************************************
+- start TLS on an existing LDAP connection
++ start TLS on an existing LDAP connection per config
+ *******************************************************************/
+
+ int smbldap_start_tls(LDAP *ldap_struct, int version)
+-{
+-#ifdef LDAP_OPT_X_TLS
+- int rc,tls;
+-#endif
+-
++{
+ if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
+ return LDAP_SUCCESS;
+ }
+
++ return smbldap_start_tls_start(ldap_struct, version);
++}
++
++/********************************************************************
++ start TLS on an existing LDAP connection unconditionally
++*******************************************************************/
++
++int smbldap_start_tls_start(LDAP *ldap_struct, int version)
++{
+ #ifdef LDAP_OPT_X_TLS
++ int rc,tls;
++
+ /* check if we use ldaps already */
+ ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls);
+ if (tls == LDAP_OPT_X_TLS_HARD) {
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 36e73440495..16c32b2d5a7 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -703,7 +703,7 @@ got_connection:
+ ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+
+ if ( lp_ldap_ssl_ads() ) {
+- status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
++ status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version));
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 10d9f71ae76..76d01a78f64 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -520,7 +520,7 @@ bld.SAMBA3_LIBRARY('smbldap',
+ abi_directory='lib/ABI',
+ abi_match='smbldap_*',
+ pc_files=[],
+- vnum='2',
++ vnum='2.1.0',
+ public_headers='include/smbldap.h include/smb_ldap.h')
+
+ bld.SAMBA3_LIBRARY('ads',
+--
+2.25.4
+
+
+From a7d674b519b363c6e20fa5784ab998fc622c9859 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 2 Jul 2020 10:59:18 +0200
+Subject: [PATCH 5/7] Fix ads_set_sasl_wrap_flags to only change sasl flags
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libads/ads_proto.h | 2 +-
+ source3/libads/ads_struct.c | 8 ++++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
+index cd9c1082681..6cdde0cf6eb 100644
+--- a/source3/libads/ads_proto.h
++++ b/source3/libads/ads_proto.h
+@@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm,
+ const char *workgroup,
+ const char *ldap_server,
+ enum ads_sasl_state_e sasl_state);
+-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
++bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags);
+ void ads_destroy(ADS_STRUCT **ads);
+
+ /* The following definitions come from libads/disp_sec.c */
+diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
+index 043a1b21247..67a9a7cf75e 100644
+--- a/source3/libads/ads_struct.c
++++ b/source3/libads/ads_struct.c
+@@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm,
+ /****************************************************************
+ ****************************************************************/
+
+-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags)
++bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags)
+ {
++ unsigned other_flags;
++
+ if (!ads) {
+ return false;
+ }
+
+- ads->auth.flags = flags;
++ other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL);
++
++ ads->auth.flags = flags | other_flags;
+
+ return true;
+ }
+--
+2.25.4
+
+
+From e75511bf6b6b516db3336cd5f1d8f27307805801 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 2 Jul 2020 09:33:12 +0200
+Subject: [PATCH 6/7] ads: set sasl-wrapping to plain when over TLS
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ WHATSNEW.txt | 5 +++++
+ selftest/knownfail.d/net_ads_tls | 1 -
+ source3/libads/ldap.c | 4 ++++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+ delete mode 100644 selftest/knownfail.d/net_ads_tls
+
+diff --git a/WHATSNEW.txt b/WHATSNEW.txt
+index 8935876d247..927b9a0fa59 100644
+--- a/WHATSNEW.txt
++++ b/WHATSNEW.txt
+@@ -562,6 +562,11 @@ The "ldap ssl ads" option no longer depends on "ldap ssl" option:
+ With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
+ is off.
+
++The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain:
++-----------------------------------------------------------------------
++This is now done implicitly when over TLS, so "client ldap sasl wrapping"
++does not need to be set to "plain" in order for it to work.
++
+
+ REMOVED FEATURES
+ ================
+diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
+deleted file mode 100644
+index 251c948b6a9..00000000000
+--- a/selftest/knownfail.d/net_ads_tls
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba4.blackbox.net_ads_tls
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 16c32b2d5a7..3f41e990085 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -707,6 +707,10 @@ got_connection:
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
++ if (!ads_set_sasl_wrap_flags(ads, 0)) {
++ status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
++ goto out;
++ }
+ }
+
+ /* fill in the current time and offsets */
+--
+2.25.4
+
+
+From 43694fbfa79b255a27a4becaf8743d2b110495e9 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 11 Jul 2020 05:04:59 +0200
+Subject: [PATCH 7/7] net: ignore possible SIGPIPE upon ldap_unbind when over
+ TLS
+
+From local tests with strace:
+
+socket(AF_UNIX, SOCK_STREAM, 0) = 12
+write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38
+...
+write(2, "ads_domain_func_level: 3\n", 25) = 25
+write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36
+write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe)
+--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} ---
++++ killed by SIGPIPE +++
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
+Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184
+---
+ source3/utils/net.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/utils/net.c b/source3/utils/net.c
+index 683b46794e4..e289b2814bc 100644
+--- a/source3/utils/net.c
++++ b/source3/utils/net.c
+@@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c,
+ POPT_TABLEEND
+ };
+
++ /* Ignore possible SIGPIPE upon ldap_unbind when over TLS */
++ BlockSignals(True, SIGPIPE);
++
+ zero_sockaddr(&c->opt_dest_ip);
+
+ setup_logging(argv[0], DEBUG_STDERR);
+--
+2.25.4
+
+From 0a58060cb223a1ee6629f4ba706834369dd42a3d Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 Jul 2020 22:38:06 +0200
+Subject: [PATCH] s3-libads: pass timeout to open_socket_out in ms
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+---
+ source3/libads/ldap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 1ffe96d32c9..d431156912f 100755
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -96,9 +96,11 @@ static void gotalarm_sig(int signum)
+ {
+ int fd = -1;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
++ unsigned timeout_ms = 1000 * to;
+
+- status = open_socket_out(ss, port, to, &fd);
++ status = open_socket_out(ss, port, timeout_ms, &fd);
+ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(3, ("open_socket_out: failed to open socket\n"));
+ return NULL;
+ }
+
+--
+2.25.4
+
diff --git a/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch b/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch
new file mode 100644
index 0000000..3b488f8
--- /dev/null
+++ b/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch
@@ -0,0 +1,41 @@
+From 069ba5774a5ccc72dcc3567bc6d17141d68ddff5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 9 Jul 2020 11:48:26 +0200
+Subject: [PATCH] docs: Fix documentation for require_membership_of of
+ pam_winbind
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Fri Jul 10 09:40:37 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)
+---
+ docs-xml/manpages/pam_winbind.8.xml | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
+index a9a227f1647..a61fb2d58e5 100644
+--- a/docs-xml/manpages/pam_winbind.8.xml
++++ b/docs-xml/manpages/pam_winbind.8.xml
+@@ -84,9 +84,11 @@
+ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
+ can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
+ SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
+- <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
+- NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
+- user is a member of with <command>wbinfo --user-sids=SID</command>.
++ <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
++ <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
++ <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
++ the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
++ verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
+ </para>
+
+ <para>
+--
+2.27.0
+
diff --git a/SOURCES/samba-4.12-fix_winbind_lookuprids.patch b/SOURCES/samba-4.12-fix_winbind_lookuprids.patch
new file mode 100644
index 0000000..43cda48
--- /dev/null
+++ b/SOURCES/samba-4.12-fix_winbind_lookuprids.patch
@@ -0,0 +1,130 @@
+From 3b8312df417b1a1fbd712b9494d5dad495e33f6d Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 8 Jul 2020 15:00:49 +0200
+Subject: [PATCH 1/2] winbind: Add test for lookuprids cache problem
+
+When reading entries from gencache, wb_cache_rids_to_names() can
+return STATUS_SOME_UNMAPPED, which _wbint_LookupRids() does not handle
+correctly.
+
+This test enforces this situation by filling gencache with one wbinfo
+-R and then erasing the winbindd_cache.tdb. This forces winbind to
+enter the domain helper process, which will then read from gencache
+filled with the previous wbinfo -R.
+
+Without having the entries cached this does not happen because
+wb_cache_rids_to_names() via the do_query: path calls deep inside
+calls dcerpc_lsa_lookup_sids_noalloc(), which hides the
+STATUS_SOME_UNMAPPED that came in as lsa_LookupSids result value.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 04eafce653afcff517317d2b190acc4f0cbf4c61)
+---
+ selftest/knownfail.d/lookuprids_cache | 1 +
+ .../tests/test_wbinfo_lookuprids_cache.sh | 21 +++++++++++++++++++
+ source3/selftest/tests.py | 5 +++++
+ 3 files changed, 27 insertions(+)
+ create mode 100644 selftest/knownfail.d/lookuprids_cache
+ create mode 100755 source3/script/tests/test_wbinfo_lookuprids_cache.sh
+
+diff --git a/selftest/knownfail.d/lookuprids_cache b/selftest/knownfail.d/lookuprids_cache
+new file mode 100644
+index 00000000000..d3c40a62b45
+--- /dev/null
++++ b/selftest/knownfail.d/lookuprids_cache
+@@ -0,0 +1 @@
++^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\)
+\ No newline at end of file
+diff --git a/source3/script/tests/test_wbinfo_lookuprids_cache.sh b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
+new file mode 100755
+index 00000000000..0b21ffcd7c9
+--- /dev/null
++++ b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
+@@ -0,0 +1,21 @@
++#!/bin/sh
++
++WBINFO="$VALGRIND ${WBINFO:-$BINDIR/wbinfo}"
++TDBTOOL="${TDBTOOL:-$BINDIR/tdbtool}"
++TDBDUMP="${TDBDUMP:-$BINDIR/tdbdump}"
++NET="$VALGRIND ${NET:-$BINDIR/net}"
++
++cache="$LOCK_DIR"/winbindd_cache.tdb
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++
++testit "flush" "$NET" "cache" "flush" || failed=`expr $failed + 1`
++testit "lookuprids1" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
++
++key=$("$TDBDUMP" "$cache" | grep ^key.*NDR.*/16/ | cut -d\" -f2)
++
++testit "delete" "$TDBTOOL" "$cache" delete "$key"
++testit "lookuprids2" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
++
++testok $0 $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index dc44160e50d..b01a3c1aad1 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -332,6 +332,11 @@ env = "nt4_member:local"
+ plantestsuite("samba3.wbinfo_sids_to_xids", env,
+ [os.path.join(srcdir(),
+ "nsswitch/tests/test_wbinfo_sids_to_xids.sh")])
++plantestsuite(
++ "samba.wbinfo_lookuprids_cache",
++ env,
++ [os.path.join(samba3srcdir,
++ "script/tests/test_wbinfo_lookuprids_cache.sh")])
+
+ env = "ad_member"
+ t = "WBCLIENT-MULTI-PING"
+--
+2.20.1
+
+
+From 7389996f5e04acb79a760cb72b9d5c5a617262b8 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 8 Jul 2020 15:09:45 +0200
+Subject: [PATCH 2/2] winbind: Fix lookuprids cache problem
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Volker Lendecke <vl@samba.org>
+Autobuild-Date(master): Thu Jul 9 21:40:52 UTC 2020 on sn-devel-184
+
+(cherry picked from commit cd4122d91e942ca465c03505d5e148117f505ba4)
+---
+ selftest/knownfail.d/lookuprids_cache | 1 -
+ source3/winbindd/winbindd_dual_srv.c | 3 ++-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ delete mode 100644 selftest/knownfail.d/lookuprids_cache
+
+diff --git a/selftest/knownfail.d/lookuprids_cache b/selftest/knownfail.d/lookuprids_cache
+deleted file mode 100644
+index d3c40a62b45..00000000000
+--- a/selftest/knownfail.d/lookuprids_cache
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\)
+\ No newline at end of file
+diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
+index 13345caa41b..63bb614a0ca 100644
+--- a/source3/winbindd/winbindd_dual_srv.c
++++ b/source3/winbindd/winbindd_dual_srv.c
+@@ -672,7 +672,8 @@ NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r)
+ r->in.rids->rids, r->in.rids->num_rids,
+ &domain_name, &names, &types);
+ reset_cm_connection_on_error(domain, NULL, status);
+- if (!NT_STATUS_IS_OK(status)) {
++ if (!NT_STATUS_IS_OK(status) &&
++ !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+ return status;
+ }
+
+--
+2.20.1
+
diff --git a/SOURCES/samba-4.12-gnutls-priority-list.patch b/SOURCES/samba-4.12-gnutls-priority-list.patch
index f41e8dc..4b143d9 100644
--- a/SOURCES/samba-4.12-gnutls-priority-list.patch
+++ b/SOURCES/samba-4.12-gnutls-priority-list.patch
@@ -1,7 +1,7 @@
-From 6981475bbe11029d88de8294734d7cb29f1d0799 Mon Sep 17 00:00:00 2001
+From 2840bd0becee307f4ee896b26e9f29baac03c347 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 15 Jun 2020 11:50:16 +0200
-Subject: [PATCH] s3:lib:tls: Use better priority lists for modern GnuTLS
+Subject: [PATCH 1/2] s3:lib:tls: Use better priority lists for modern GnuTLS
We should use the default priority list. That is a good practice,
because TLS protocol hardening and phasing out of legacy algorithms,
@@ -12,7 +12,9 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit 53e3a959b958a3b099df6ecc5f6e294e96bd948e)
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184
---
docs-xml/smbdotconf/security/tlspriority.xml | 10 ++---
lib/param/loadparm.c | 10 ++++-
@@ -211,5 +213,130 @@ index b2b955f3c90..631405fa34c 100644
#
# This is available since version 3.6.10, but 3.6.10 has a bug which got fixed
--
-2.27.0
+2.26.2
+
+
+From fdcf9f23f659025f174b32109a273e80b2ad289e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 30 Jun 2020 17:12:17 +0200
+Subject: [PATCH 2/2] tls: Use NORMAL:-VERS-SSL3.0 as the default configuration
+
+This seems to be really broken in GnuTLS and the documentation is also
+not correct.
+
+This partially reverts 53e3a959b958a3b099df6ecc5f6e294e96bd948e
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
+Autobuild-Date(master): Wed Jul 1 14:56:33 UTC 2020 on sn-devel-184
+---
+ docs-xml/smbdotconf/security/tlspriority.xml | 6 ++----
+ lib/param/loadparm.c | 6 ------
+ python/samba/tests/docs.py | 21 --------------------
+ source3/param/loadparm.c | 8 +-------
+ 4 files changed, 3 insertions(+), 38 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml
+index 6d1f0dcb912..471dc25ba3b 100644
+--- a/docs-xml/smbdotconf/security/tlspriority.xml
++++ b/docs-xml/smbdotconf/security/tlspriority.xml
+@@ -12,10 +12,8 @@
+ <ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
+ Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
+ </para>
+- <para>By default it will try to find a config file matching "SAMBA", but if
+- that does not exist will use the entry for "SYSTEM" and last fallback to
+- NORMAL. In all cases the SSL3.0 protocol will be disabled.</para>
++ <para>The SSL3.0 protocol will be disabled.</para>
+ </description>
+
+- <value type="default">@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0</value>
++ <value type="default">NORMAL:-VERS-SSL3.0</value>
+ </samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 8fdd844fbaa..4e7e3f599dd 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -2803,15 +2803,9 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
+ lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
+ lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
+-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
+- lpcfg_do_global_parameter(lp_ctx,
+- "tls priority",
+- "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
+-#else
+ lpcfg_do_global_parameter(lp_ctx,
+ "tls priority",
+ "NORMAL:-VERS-SSL3.0");
+-#endif
+
+ lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
+
+diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
+index 789865221cb..654a192b510 100644
+--- a/python/samba/tests/docs.py
++++ b/python/samba/tests/docs.py
+@@ -26,22 +26,6 @@ import os
+ import subprocess
+ import xml.etree.ElementTree as ET
+
+-config_h = os.path.join("bin/default/include/config.h")
+-config_hash = dict()
+-
+-if os.path.exists(config_h):
+- config_hash = dict()
+- f = open(config_h, 'r')
+- try:
+- lines = f.readlines()
+- config_hash = dict((x[0], ' '.join(x[1:]))
+- for x in map(lambda line: line.strip().split(' ')[1:],
+- list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines))))
+- finally:
+- f.close()
+-
+-have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash)
+-
+ class TestCase(samba.tests.TestCaseInTempDir):
+
+ def _format_message(self, parameters, message):
+@@ -142,11 +126,6 @@ class SmbDotConfTests(TestCase):
+ 'smbd max async dosmode',
+ ])
+
+- # 'tls priority' has a legacy default value if we don't link against a
+- # modern GnuTLS version.
+- if not have_gnutls_system_config_support:
+- special_cases.add('tls priority')
+-
+ def setUp(self):
+ super(SmbDotConfTests, self).setUp()
+ # create a minimal smb.conf file for testparm
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 2b1a63998d6..901f01b1c6a 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -885,15 +885,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+ lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
+ lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
+ lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
+-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
+ lpcfg_string_set(Globals.ctx,
+ &Globals.tls_priority,
+- "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
+-#else
+- lpcfg_string_set(Globals.ctx,
+- &Globals.tls_priority,
+- "NORMAL!-VERS-SSL3.0");
+-#endif
++ "NORMAL:-VERS-SSL3.0");
+
+ lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");
+
+--
+2.26.2
diff --git a/SOURCES/samba-4.12-user-gencache.patch b/SOURCES/samba-4.12-user-gencache.patch
new file mode 100644
index 0000000..7836c91
--- /dev/null
+++ b/SOURCES/samba-4.12-user-gencache.patch
@@ -0,0 +1,478 @@
+From 3dbdb8c3d8cd0498e1afb47758fea700f5061435 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 7 May 2020 12:25:24 +0200
+Subject: [PATCH 1/4] lib:util: Add path_expand_tilde()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 15457254be0ab1235c327bd305dfeee19b2ea7a1)
+---
+ lib/util/util_paths.c | 72 +++++++++++++++++++++++++++++++++++++++++++
+ lib/util/util_paths.h | 9 ++++++
+ 2 files changed, 81 insertions(+)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index 0473557dfc6..c05246a7407 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -6,6 +6,7 @@
+ Copyright (C) Simo Sorce 2001
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) James Peach 2006
++ Copyright (c) 2020 Andreas Schneider <asn@samba.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -24,6 +25,7 @@
+ #include "includes.h"
+ #include "dynconfig/dynconfig.h"
+ #include "lib/util/util_paths.h"
++#include "system/passwd.h"
+
+ /**
+ * @brief Returns an absolute path to a file in the Samba modules directory.
+@@ -62,3 +64,73 @@ const char *shlib_ext(void)
+ return get_dyn_SHLIBEXT();
+ }
+
++static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
++{
++ struct passwd pwd = {0};
++ struct passwd *pwdbuf = NULL;
++ char buf[NSS_BUFLEN_PASSWD] = {0};
++ int rc;
++
++ rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
++ if (rc != 0 || pwdbuf == NULL ) {
++ const char *szPath = getenv("HOME");
++ if (szPath == NULL) {
++ return NULL;
++ }
++ snprintf(buf, sizeof(buf), "%s", szPath);
++
++ return talloc_strdup(mem_ctx, buf);
++ }
++
++ return talloc_strdup(mem_ctx, pwd.pw_dir);
++}
++
++char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d)
++{
++ char *h = NULL, *r = NULL;
++ const char *p = NULL;
++ struct stat sb = {0};
++ int rc;
++
++ if (d[0] != '~') {
++ return talloc_strdup(mem_ctx, d);
++ }
++ d++;
++
++ /* handle ~user/path */
++ p = strchr(d, '/');
++ if (p != NULL && p > d) {
++ struct passwd *pw;
++ size_t s = p - d;
++ char u[128];
++
++ if (s >= sizeof(u)) {
++ return NULL;
++ }
++ memcpy(u, d, s);
++ u[s] = '\0';
++
++ pw = getpwnam(u);
++ if (pw == NULL) {
++ return NULL;
++ }
++ h = talloc_strdup(mem_ctx, pw->pw_dir);
++ } else {
++ p = d;
++ h = get_user_home_dir(mem_ctx);
++ }
++ if (h == NULL) {
++ return NULL;
++ }
++
++ rc = stat(h, &sb);
++ if (rc != 0) {
++ TALLOC_FREE(h);
++ return NULL;
++ }
++
++ r = talloc_asprintf(mem_ctx, "%s%s", h, p);
++ TALLOC_FREE(h);
++
++ return r;
++}
+diff --git a/lib/util/util_paths.h b/lib/util/util_paths.h
+index 80e8aaac6e9..cf34f691e5f 100644
+--- a/lib/util/util_paths.h
++++ b/lib/util/util_paths.h
+@@ -51,4 +51,13 @@ char *data_path(TALLOC_CTX *mem_ctx, const char *name);
+ **/
+ const char *shlib_ext(void);
+
++/**
++ * @brief Expand a directory starting with a tilde '~'
++ *
++ * @param[in] d The directory to expand.
++ *
++ * @return The expanded directory, NULL on error.
++ */
++char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d);
++
+ #endif
+--
+2.26.2
+
+
+From d43c586576353cba5082ba396c521dde1cde4929 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 11 May 2020 12:50:11 +0200
+Subject: [PATCH 2/4] lib:util: Add test for path_expand_tilde()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(backported from commit a15bd5493b696c66c6803d8ca65bc13f1cfcdf0a)
+---
+ lib/util/tests/test_util_paths.c | 127 +++++++++++++++++++++++++++++++
+ lib/util/wscript_build | 6 ++
+ selftest/tests.py | 2 +
+ 3 files changed, 135 insertions(+)
+ create mode 100644 lib/util/tests/test_util_paths.c
+
+diff --git a/lib/util/tests/test_util_paths.c b/lib/util/tests/test_util_paths.c
+new file mode 100644
+index 00000000000..b89abf0aea1
+--- /dev/null
++++ b/lib/util/tests/test_util_paths.c
+@@ -0,0 +1,127 @@
++/*
++ * Unix SMB/CIFS implementation.
++ *
++ * Copyright (C) 2020 Andreas Schneider <asn@samba.org>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <stdarg.h>
++#include <stddef.h>
++#include <stdint.h>
++#include <setjmp.h>
++#include <cmocka.h>
++
++#include <talloc.h>
++
++#include "lib/replace/replace.h"
++#include "lib/util/util_paths.c"
++
++static int setup(void **state)
++{
++ TALLOC_CTX *mem_ctx = talloc_new(NULL);
++
++ assert_non_null(mem_ctx);
++ *state = mem_ctx;
++
++ return 0;
++}
++
++static int teardown(void **state)
++{
++ TALLOC_CTX *mem_ctx = *state;
++ TALLOC_FREE(mem_ctx);
++
++ return 0;
++}
++
++static void test_get_user_home_dir(void **state)
++{
++ TALLOC_CTX *mem_ctx = *state;
++ struct passwd *pwd = getpwuid(getuid());
++ char *user;
++
++ user = get_user_home_dir(mem_ctx);
++ assert_non_null(user);
++ assert_string_equal(user, pwd->pw_dir);
++
++ TALLOC_FREE(user);
++}
++
++static void test_path_expand_tilde(void **state)
++{
++ TALLOC_CTX *mem_ctx = *state;
++ char h[256] = {0};
++ char *d = NULL;
++ const char *user = NULL;
++ char *home = NULL;
++
++ user = getenv("USER");
++ if (user == NULL){
++ user = getenv("LOGNAME");
++ }
++
++ /* In certain CIs there no such variables */
++ if (user == NULL) {
++ struct passwd *pw = getpwuid(getuid());
++ if (pw){
++ user = pw->pw_name;
++ }
++ }
++
++ home = getenv("HOME");
++ assert_non_null(home);
++ snprintf(h, sizeof(h), "%s/.cache", home);
++
++ d = path_expand_tilde(mem_ctx, "~/.cache");
++ assert_non_null(d);
++ assert_string_equal(d, h);
++ TALLOC_FREE(d);
++
++ snprintf(h, sizeof(h), "%s/.cache/X~", home);
++ d = path_expand_tilde(mem_ctx, "~/.cache/X~");
++ assert_string_equal(d, h);
++ TALLOC_FREE(d);
++
++ d = path_expand_tilde(mem_ctx, "/guru/meditation");
++ assert_non_null(d);
++ assert_string_equal(d, "/guru/meditation");
++ TALLOC_FREE(d);
++
++ snprintf(h, sizeof(h), "~%s/.cache", user);
++ d = path_expand_tilde(mem_ctx, h);
++ assert_non_null(d);
++
++ snprintf(h, sizeof(h), "%s/.cache", home);
++ assert_string_equal(d, h);
++ TALLOC_FREE(d);
++}
++
++int main(int argc, char *argv[])
++{
++ int rc;
++ const struct CMUnitTest tests[] = {
++ cmocka_unit_test(test_get_user_home_dir),
++ cmocka_unit_test(test_path_expand_tilde),
++ };
++
++ if (argc == 2) {
++ cmocka_set_test_filter(argv[1]);
++ }
++ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
++
++ rc = cmocka_run_group_tests(tests, setup, teardown);
++
++ return rc;
++}
+diff --git a/lib/util/wscript_build b/lib/util/wscript_build
+index a827eea3ed9..608f7b3dd73 100644
+--- a/lib/util/wscript_build
++++ b/lib/util/wscript_build
+@@ -288,3 +288,9 @@ else:
+ deps='cmocka replace samba-util',
+ local_include=False,
+ for_selftest=True)
++
++ bld.SAMBA_BINARY('test_util_paths',
++ source='tests/test_util_paths.c',
++ deps='cmocka replace talloc samba-util',
++ local_include=False,
++ for_selftest=True)
+diff --git a/selftest/tests.py b/selftest/tests.py
+index 96d3f8d6317..b72a6fb65eb 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -389,6 +389,8 @@ plantestsuite("samba.unittests.ms_fnmatch", "none",
+ [os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")])
+ plantestsuite("samba.unittests.byteorder", "none",
+ [os.path.join(bindir(), "default/lib/util/test_byteorder")])
++plantestsuite("samba.unittests.util_paths", "none",
++ [os.path.join(bindir(), "default/lib/util/test_util_paths")])
+ plantestsuite("samba.unittests.ntlm_check", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
+ plantestsuite("samba.unittests.gnutls", "none",
+--
+2.26.2
+
+
+From 133edb95814adc43072fd33876caf9d720eaac1f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 6 May 2020 17:10:51 +0200
+Subject: [PATCH 3/4] s3:gencache: Allow to open gencache as read-only
+
+This allows client tools to access the cache for ready-only operations
+as a normal user.
+
+Example:
+ net ads status
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Fri May 15 14:40:32 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 04f0c45475de383a0be4ca355ab9aa7784e61c27)
+---
+ source3/lib/gencache.c | 63 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 60 insertions(+), 3 deletions(-)
+
+diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
+index 9ad85bbf55f..896bf50cbd7 100644
+--- a/source3/lib/gencache.c
++++ b/source3/lib/gencache.c
+@@ -29,10 +29,13 @@
+ #include "tdb_wrap/tdb_wrap.h"
+ #include "zlib.h"
+ #include "lib/util/strv.h"
++#include "lib/util/util_paths.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_TDB
+
++#define GENCACHE_USER_PATH "~/.cache/samba/gencache.tdb"
++
+ static struct tdb_wrap *cache;
+
+ /**
+@@ -68,6 +71,7 @@ static bool gencache_init(void)
+ {
+ char* cache_fname = NULL;
+ int open_flags = O_RDWR|O_CREAT;
++ int tdb_flags = TDB_INCOMPATIBLE_HASH|TDB_NOSYNC|TDB_MUTEX_LOCKING;
+ int hash_size;
+
+ /* skip file open if it's already opened */
+@@ -85,10 +89,63 @@ static bool gencache_init(void)
+ DEBUG(5, ("Opening cache file at %s\n", cache_fname));
+
+ cache = tdb_wrap_open(NULL, cache_fname, hash_size,
+- TDB_INCOMPATIBLE_HASH|
+- TDB_NOSYNC|
+- TDB_MUTEX_LOCKING,
++ tdb_flags,
+ open_flags, 0644);
++ /*
++ * Allow client tools to create a gencache in the home directory
++ * as a normal user.
++ */
++ if (cache == NULL && errno == EACCES && geteuid() != 0) {
++ char *cache_dname = NULL, *tmp = NULL;
++ bool ok;
++
++ TALLOC_FREE(cache_fname);
++
++ cache_fname = path_expand_tilde(talloc_tos(),
++ GENCACHE_USER_PATH);
++ if (cache_fname == NULL) {
++ DBG_ERR("Failed to expand path: %s\n",
++ GENCACHE_USER_PATH);
++ return false;
++ }
++
++ tmp = talloc_strdup(talloc_tos(), cache_fname);
++ if (tmp == NULL) {
++ DBG_ERR("No memory!\n");
++ TALLOC_FREE(cache_fname);
++ return false;
++ }
++
++ cache_dname = dirname(tmp);
++ if (cache_dname == NULL) {
++ DBG_ERR("Invalid path: %s\n", cache_fname);
++ TALLOC_FREE(tmp);
++ TALLOC_FREE(cache_fname);
++ return false;
++ }
++
++ ok = directory_create_or_exist(cache_dname, 0700);
++ if (!ok) {
++ DBG_ERR("Failed to create directory: %s - %s\n",
++ cache_dname, strerror(errno));
++ TALLOC_FREE(tmp);
++ TALLOC_FREE(cache_fname);
++ return false;
++ }
++ TALLOC_FREE(tmp);
++
++ cache = tdb_wrap_open(NULL,
++ cache_fname,
++ hash_size,
++ tdb_flags,
++ open_flags,
++ 0644);
++ if (cache != NULL) {
++ DBG_INFO("Opening user cache file %s.\n",
++ cache_fname);
++ }
++ }
++
+ if (cache == NULL) {
+ DEBUG(5, ("Opening %s failed: %s\n", cache_fname,
+ strerror(errno)));
+--
+2.26.2
+
+
+From de71248d86e29ca7d1d2df0f197b930ae8472d5b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 15 May 2020 12:18:02 -0700
+Subject: [PATCH 4/4] s3: lib: Paranoia around use of snprintf copying into a
+ fixed-size buffer from a getenv() pointer.
+
+Post checks for overflow/error.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Mon May 18 23:42:57 UTC 2020 on sn-devel-184
+
+(cherry picked from commit dd1f750293ef4361455a5d5b63fc7a89495715b7)
+---
+ lib/util/util_paths.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index c05246a7407..c0ee5c32c30 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -73,12 +73,16 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
+
+ rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
+ if (rc != 0 || pwdbuf == NULL ) {
++ int len_written;
+ const char *szPath = getenv("HOME");
+ if (szPath == NULL) {
+ return NULL;
+ }
+- snprintf(buf, sizeof(buf), "%s", szPath);
+-
++ len_written = snprintf(buf, sizeof(buf), "%s", szPath);
++ if (len_written >= sizeof(buf) || len_written < 0) {
++ /* Output was truncated or an error. */
++ return NULL;
++ }
+ return talloc_strdup(mem_ctx, buf);
+ }
+
+--
+2.26.2
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 095620c..68b5726 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -8,7 +8,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
-%define main_release 5
+%define main_release 11
%define samba_version 4.12.3
%define talloc_version 2.3.1
@@ -135,6 +135,10 @@ Source201: README.downgrade
Patch0: samba-4.12-gnutls-priority-list.patch
Patch1: dnshostname_all.patch
+Patch2: samba-4.12-fix_pam_winbind_manpage.patch
+Patch3: ldapsslads-v4-12.patch
+Patch4: samba-4.12-fix_winbind_lookuprids.patch
+Patch5: samba-4.12-user-gencache.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@@ -1339,6 +1343,10 @@ fi
%{_libdir}/samba/vfs/worm.so
%{_libdir}/samba/vfs/xattr_tdb.so
+%dir %{_datadir}/samba
+%dir %{_datadir}/samba/mdssvc
+%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
+
%{_unitdir}/nmb.service
%{_unitdir}/smb.service
%attr(1777,root,root) %dir /var/spool/samba
@@ -1446,9 +1454,6 @@ fi
%{_mandir}/man8/cifsdd.8.*
%{_mandir}/man8/samba-regedit.8*
%{_mandir}/man8/smbspool.8*
-%dir %{_datadir}/samba
-%dir %{_datadir}/samba/mdssvc
-%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
### CLIENT-LIBS
%files client-libs
@@ -3576,6 +3581,26 @@ fi
%endif
%changelog
+* Wed Jul 22 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-11
+- resolves: #1859277 - Allow a user to use gencache
+
+* Wed Jul 15 2020 Isaac Boukris <iboukris@redhat.com> - 4.12.3-10
+- related: #1856315 - Fix net-ads-join with LDAP over TLS
+
+* Tue Jul 14 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-9
+- related: #1817557 - Move DECRPC mdssvc data files to correct package
+- resolves: #1856676 - Fix lookuprids in winbind
+
+* Mon Jul 13 2020 Isaac Boukris <iboukris@redhat.com> - 4.12.3-8
+- resolves: #1856315 - Fix net-ads-join with LDAP over TLS
+
+* Fri Jul 10 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-7
+- resolves: #1855711 - Fix 'require_membership_of' documentation in
+ pam_winbind manpage
+
+* Thu Jul 09 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-6
+- related: #1842844 - Fix TLS connections with GnuTLS
+
* Wed Jul 01 2020 Andreas Schneider <asn@redhat.com> - 4.12.3-5
- resolves: #1823612 - Fix segfault in 'net ads dns gethostbyname'
- resolves: #1792553 - Fix 'net ads join createcomputer=OU'