diff --git a/SOURCES/samba-4.10-redhat.patch b/SOURCES/samba-4.10-redhat.patch
index 81724cd..a248091 100644
--- a/SOURCES/samba-4.10-redhat.patch
+++ b/SOURCES/samba-4.10-redhat.patch
@@ -1,7 +1,7 @@
 From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <ab@samba.org>
 Date: Tue, 7 Jan 2020 19:25:53 +0200
-Subject: [PATCH 01/48] s3-rpcserver: fix security level check for
+Subject: [PATCH 01/88] s3-rpcserver: fix security level check for
  DsRGetForestTrustInformation
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -80,13 +80,13 @@ index d799ba4feef..87613b99fde 100644
  	}
  
 -- 
-2.30.2
+2.33.1
 
 
 From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 16:50:45 +0200
-Subject: [PATCH 02/48] Add a test to check dNSHostName with netbios aliases
+Subject: [PATCH 02/88] Add a test to check dNSHostName with netbios aliases
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
 
@@ -132,13 +132,13 @@ index 95c0cf76f90..6073ea972f9 100755
  # Test createcomputer option of 'net ads join'
  #
 -- 
-2.30.2
+2.33.1
 
 
 From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 15:52:46 +0200
-Subject: [PATCH 03/48] Fix accidental overwrite of dnsHostName by the last
+Subject: [PATCH 03/88] Fix accidental overwrite of dnsHostName by the last
  netbios alias
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -186,13 +186,13 @@ index 9d4f656ffec..a31011b0ff8 100644
  			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
  			goto done;
 -- 
-2.30.2
+2.33.1
 
 
 From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Thu, 24 Oct 2019 19:04:51 +0300
-Subject: [PATCH 04/48] Refactor ads_keytab_add_entry() to make it iterable
+Subject: [PATCH 04/88] Refactor ads_keytab_add_entry() to make it iterable
 
 so we can more easily add msDS-AdditionalDnsHostName entries.
 
@@ -453,13 +453,13 @@ index 97d5535041c..0f450a09df5 100644
  out:
  	SAFE_FREE(salt_princ_s);
 -- 
-2.30.2
+2.33.1
 
 
 From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 17:55:12 +0200
-Subject: [PATCH 05/48] Add a test for msDS-AdditionalDnsHostName entries in
+Subject: [PATCH 05/88] Add a test for msDS-AdditionalDnsHostName entries in
  keytab
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -501,13 +501,13 @@ index 6073ea972f9..a40b477a173 100755
  testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
  
 -- 
-2.30.2
+2.33.1
 
 
 From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 15:36:28 +0200
-Subject: [PATCH 06/48] Add msDS-AdditionalDnsHostName entries to the keytab
+Subject: [PATCH 06/88] Add msDS-AdditionalDnsHostName entries to the keytab
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
 
@@ -648,13 +648,13 @@ index db2b72ab1b5..02a628ee0e6 100644
  {
  	LDAPMessage *res = NULL;
 -- 
-2.30.2
+2.33.1
 
 
 From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 15:54:12 +0200
-Subject: [PATCH 07/48] Add net-ads-join dnshostname=fqdn option
+Subject: [PATCH 07/88] Add net-ads-join dnshostname=fqdn option
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
 
@@ -794,13 +794,13 @@ index a40b477a173..85257f445d8 100755
  
  exit $failed
 -- 
-2.30.2
+2.33.1
 
 
 From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:04:57 +0200
-Subject: [PATCH 08/48] CVE-2020-1472(ZeroLogon): libcli/auth: add
+Subject: [PATCH 08/88] CVE-2020-1472(ZeroLogon): libcli/auth: add
  netlogon_creds_random_challenge()
 
 It's good to have just a single isolated function that will generate
@@ -851,13 +851,13 @@ index 82febe74440..82797d453ed 100644
  void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
  void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
 -- 
-2.30.2
+2.33.1
 
 
 From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:07:30 +0200
-Subject: [PATCH 09/48] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
+Subject: [PATCH 09/88] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
  netlogon_creds_random_challenge()
 
 This will avoid getting flakey tests once our server starts to
@@ -1007,13 +1007,13 @@ index 026d86d50e4..e11014922f8 100644
  	torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
  		"ServerReqChallenge");
 -- 
-2.30.2
+2.33.1
 
 
 From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:08:38 +0200
-Subject: [PATCH 10/48] CVE-2020-1472(ZeroLogon): libcli/auth: make use of
+Subject: [PATCH 10/88] CVE-2020-1472(ZeroLogon): libcli/auth: make use of
  netlogon_creds_random_challenge() in netlogon_creds_cli.c
 
 This will avoid getting rejected by the server if we generate
@@ -1041,13 +1041,13 @@ index 817d2cd041a..0f6ca11ff96 100644
  	subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
  						state->binding_handle,
 -- 
-2.30.2
+2.33.1
 
 
 From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:10:53 +0200
-Subject: [PATCH 11/48] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make
+Subject: [PATCH 11/88] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make
  use of netlogon_creds_random_challenge()
 
 This is not strictly needed, but makes things more clear.
@@ -1074,13 +1074,13 @@ index 87613b99fde..86b2f343e82 100644
  	*r->out.return_credentials = pipe_state->server_challenge;
  
 -- 
-2.30.2
+2.33.1
 
 
 From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:10:53 +0200
-Subject: [PATCH 12/48] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make
+Subject: [PATCH 12/88] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make
  use of netlogon_creds_random_challenge()
 
 This is not strictly needed, but makes things more clear.
@@ -1107,13 +1107,13 @@ index 023adfd99e9..de260d8051d 100644
  	*r->out.return_credentials = pipe_state->server_challenge;
  
 -- 
-2.30.2
+2.33.1
 
 
 From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:15:26 +0200
-Subject: [PATCH 13/48] CVE-2020-1472(ZeroLogon): libcli/auth: add
+Subject: [PATCH 13/88] CVE-2020-1472(ZeroLogon): libcli/auth: add
  netlogon_creds_is_random_challenge() to avoid weak values
 
 This is the check Windows is using, so we won't generate challenges,
@@ -1177,13 +1177,13 @@ index 82797d453ed..ad768682b9f 100644
  
  void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
 -- 
-2.30.2
+2.33.1
 
 
 From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:17:29 +0200
-Subject: [PATCH 14/48] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
+Subject: [PATCH 14/88] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
  client challenges in netlogon_creds_server_init()
 
 This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
@@ -1262,13 +1262,13 @@ index d319d9b879e..394505d166d 100644
  	)
  
 -- 
-2.30.2
+2.33.1
 
 
 From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 19:20:25 +0200
-Subject: [PATCH 15/48] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+Subject: [PATCH 15/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
  protect netr_ServerPasswordSet2 against unencrypted passwords
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
@@ -1357,13 +1357,13 @@ index de260d8051d..acbf077c6c7 100644
  
  	ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
 -- 
-2.30.2
+2.33.1
 
 
 From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra@samba.org>
 Date: Wed, 16 Sep 2020 12:53:50 -0700
-Subject: [PATCH 16/48] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+Subject: [PATCH 16/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
  protect netr_ServerPasswordSet2 against unencrypted passwords
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
@@ -1502,13 +1502,13 @@ index 86b2f343e82..fd9127b386f 100644
  						   p->session_info,
  						   p->msg_ctx,
 -- 
-2.30.2
+2.33.1
 
 
 From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 10:18:45 +0200
-Subject: [PATCH 17/48] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+Subject: [PATCH 17/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
  refactor dcesrv_netr_creds_server_step_check()
 
 We should debug more details about the failing request.
@@ -1585,13 +1585,13 @@ index acbf077c6c7..b4326a4ecaa 100644
  
  /*
 -- 
-2.30.2
+2.33.1
 
 
 From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 10:56:53 +0200
-Subject: [PATCH 18/48] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+Subject: [PATCH 18/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
  support "server require schannel:WORKSTATION$ = no"
 
 This allows to add expections for individual workstations, when using "server schannel = yes".
@@ -1632,13 +1632,13 @@ index b4326a4ecaa..e7bafb31e83 100644
  			*creds_out = creds;
  			return NT_STATUS_OK;
 -- 
-2.30.2
+2.33.1
 
 
 From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Thu, 17 Sep 2020 13:37:26 +0200
-Subject: [PATCH 19/48] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
+Subject: [PATCH 19/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
  warnings about unsecure configurations
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -1759,13 +1759,13 @@ index e7bafb31e83..7668a9eb923 100644
  	return NT_STATUS_OK;
  }
 -- 
-2.30.2
+2.33.1
 
 
 From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Thu, 17 Sep 2020 14:57:22 +0200
-Subject: [PATCH 20/48] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+Subject: [PATCH 20/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
  refactor dcesrv_netr_creds_server_step_check()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -1860,13 +1860,13 @@ index fd9127b386f..8541571b459 100644
  
  
 -- 
-2.30.2
+2.33.1
 
 
 From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Thu, 17 Sep 2020 14:23:16 +0200
-Subject: [PATCH 21/48] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+Subject: [PATCH 21/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
  support "server require schannel:WORKSTATION$ = no"
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -1911,13 +1911,13 @@ index 8541571b459..f9b10103bd5 100644
  			*creds_out = creds;
  			return NT_STATUS_OK;
 -- 
-2.30.2
+2.33.1
 
 
 From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Thu, 17 Sep 2020 14:42:52 +0200
-Subject: [PATCH 22/48] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
+Subject: [PATCH 22/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
  warnings about unsecure configurations
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -2039,13 +2039,13 @@ index f9b10103bd5..7f6704adbda 100644
  	return NT_STATUS_OK;
  }
 -- 
-2.30.2
+2.33.1
 
 
 From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Thu, 17 Sep 2020 17:27:54 +0200
-Subject: [PATCH 23/48] CVE-2020-1472(ZeroLogon): docs-xml: document 'server
+Subject: [PATCH 23/88] CVE-2020-1472(ZeroLogon): docs-xml: document 'server
  require schannel:COMPUTERACCOUNT'
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
@@ -2141,13 +2141,13 @@ index 489492d79b1..b682d086f76 100644
 +
  </samba:parameter>
 -- 
-2.30.2
+2.33.1
 
 
 From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001
 From: Gary Lockyer <gary@catalyst.net.nz>
 Date: Fri, 18 Sep 2020 12:39:54 +1200
-Subject: [PATCH 24/48] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
+Subject: [PATCH 24/88] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
  machine acct pwd
 
 Ensure that an empty machine account password can't be set by
@@ -2240,13 +2240,13 @@ index e11014922f8..0ba45f0c1da 100644
  	/* now try a random password */
  	password = generate_random_password(tctx, 8, 255);
 -- 
-2.30.2
+2.33.1
 
 
 From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001
 From: Gary Lockyer <gary@catalyst.net.nz>
 Date: Fri, 18 Sep 2020 15:57:34 +1200
-Subject: [PATCH 25/48] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
+Subject: [PATCH 25/88] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
  bytes in client challenge
 
 Ensure that client challenges with the first 5 bytes identical are
@@ -2615,13 +2615,13 @@ index 0ba45f0c1da..97c16688bc9 100644
  }
  
 -- 
-2.30.2
+2.33.1
 
 
 From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra@samba.org>
 Date: Fri, 10 Jul 2020 15:09:33 -0700
-Subject: [PATCH 26/48] s4: torture: Add smb2.notify.handle-permissions test.
+Subject: [PATCH 26/88] s4: torture: Add smb2.notify.handle-permissions test.
 
 Add knownfail entry.
 
@@ -2744,13 +2744,13 @@ index ebb4f8a4f8e..b017491c8fb 100644
  	suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
  
 -- 
-2.30.2
+2.33.1
 
 
 From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra@samba.org>
 Date: Tue, 7 Jul 2020 18:25:23 -0700
-Subject: [PATCH 27/48] s3: smbd: Ensure change notifies can't get set unless
+Subject: [PATCH 27/88] s3: smbd: Ensure change notifies can't get set unless
  the directory handle is open for SEC_DIR_LIST.
 
 Remove knownfail entry.
@@ -2795,13 +2795,13 @@ index 44c0b09432e..d23c03bce41 100644
  		DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
  			  "fname = %s\n", fsp->fsp_name->base_name));
 -- 
-2.30.2
+2.33.1
 
 
 From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001
 From: Volker Lendecke <vl@samba.org>
 Date: Thu, 9 Jul 2020 21:49:25 +0200
-Subject: [PATCH 28/48] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
+Subject: [PATCH 28/88] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
 
 A lookupsids request without extra_data will lead to "state->domain==NULL",
 which makes winbindd_lookupsids_recv trying to dereference it.
@@ -2829,13 +2829,13 @@ index d28b5fa9f01..a289fd86f0f 100644
  	}
  	if (request->extra_data.data[request->extra_len-1] != '\0') {
 -- 
-2.30.2
+2.33.1
 
 
 From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001
 From: Volker Lendecke <vl@samba.org>
 Date: Thu, 9 Jul 2020 21:48:57 +0200
-Subject: [PATCH 29/48] CVE-2020-14323 torture4: Add a simple test for invalid
+Subject: [PATCH 29/88] CVE-2020-14323 torture4: Add a simple test for invalid
  lookup_sids winbind call
 
 We can't add this test before the fix, add it to knownfail and have the fix
@@ -2897,13 +2897,13 @@ index 9745b621ca9..71f248c0d61 100644
  	suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests");
  
 -- 
-2.30.2
+2.33.1
 
 
 From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001
 From: Laurent Menase <laurent.menase@hpe.com>
 Date: Wed, 20 May 2020 12:31:53 +0200
-Subject: [PATCH 30/48] winbind: Fix a memleak
+Subject: [PATCH 30/88] winbind: Fix a memleak
 
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388
 Signed-off-by: Laurent Menase <laurent.menase@hpe.com>
@@ -2931,13 +2931,13 @@ index 556b4523866..325ba1abd82 100644
  }
  
 -- 
-2.30.2
+2.33.1
 
 
 From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 17 Aug 2020 13:39:58 +0200
-Subject: [PATCH 31/48] s3:tests: Add test for 'valid users = DOMAIN\%U'
+Subject: [PATCH 31/88] s3:tests: Add test for 'valid users = DOMAIN\%U'
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
 
@@ -2989,13 +2989,13 @@ index 1a46f11c85d..c813a8f9def 100755
 +
  exit $failed
 -- 
-2.30.2
+2.33.1
 
 
 From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 17 Aug 2020 14:12:48 +0200
-Subject: [PATCH 32/48] s3:smbd: Fix %U substitutions if it contains a domain
+Subject: [PATCH 32/88] s3:smbd: Fix %U substitutions if it contains a domain
  name
 
 'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer
@@ -3050,13 +3050,13 @@ index 3cbf7f318a2..0705e197975 100644
  	if (sharename != NULL) {
  		name = talloc_string_sub(mem_ctx, name, "%S", sharename);
 -- 
-2.30.2
+2.33.1
 
 
 From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Thu, 9 Jul 2020 11:48:26 +0200
-Subject: [PATCH 33/48] docs: Fix documentation for require_membership_of of
+Subject: [PATCH 33/88] docs: Fix documentation for require_membership_of of
  pam_winbind
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
@@ -3088,13 +3088,13 @@ index a9a227f1647..a61fb2d58e5 100644
  
  		<para>
 -- 
-2.30.2
+2.33.1
 
 
 From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Fri, 17 Jul 2020 12:14:16 +0200
-Subject: [PATCH 34/48] docs: Fix documentation for require_membership_of of
+Subject: [PATCH 34/88] docs: Fix documentation for require_membership_of of
  pam_winbind.conf
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
@@ -3127,13 +3127,13 @@ index fcac1ee7036..d81a0bd6eba 100644
  		<para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
  		</listitem>
 -- 
-2.30.2
+2.33.1
 
 
 From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Thu, 11 Jun 2020 21:05:07 +0300
-Subject: [PATCH 35/48] Fix a typo in recent net man page changes
+Subject: [PATCH 35/88] Fix a typo in recent net man page changes
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
 
@@ -3158,13 +3158,13 @@ index 69e18df8b6c..9b1d4458acc 100644
  </para>
  
 -- 
-2.30.2
+2.33.1
 
 
 From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Tue, 16 Jun 2020 22:01:49 +0300
-Subject: [PATCH 36/48] selftest: add tests for binary
+Subject: [PATCH 36/88] selftest: add tests for binary
  msDS-AdditionalDnsHostName
 
 Like the short names added implicitly by Windows DC.
@@ -3236,13 +3236,13 @@ index 85257f445d8..eef4a31a6a7 100755
  rm -f $dedicated_keytab_file
  
 -- 
-2.30.2
+2.33.1
 
 
 From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Thu, 11 Jun 2020 16:51:27 +0300
-Subject: [PATCH 37/48] Properly handle msDS-AdditionalDnsHostName returned
+Subject: [PATCH 37/88] Properly handle msDS-AdditionalDnsHostName returned
  from Windows DC
 
 Windows DC adds short names for each specified msDS-AdditionalDnsHostName
@@ -3330,13 +3330,13 @@ index 02a628ee0e6..2684bba63ec 100644
  		DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
  			  machine_name));
 -- 
-2.30.2
+2.33.1
 
 
 From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Sat, 20 Jun 2020 17:17:33 +0200
-Subject: [PATCH 38/48] Fix usage of ldap_get_values_len for
+Subject: [PATCH 38/88] Fix usage of ldap_get_values_len for
  msDS-AdditionalDnsHostName
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
@@ -3372,13 +3372,13 @@ index 2684bba63ec..d1ce9cee2f0 100644
  			return NULL;
  		}
 -- 
-2.30.2
+2.33.1
 
 
 From ec4cfe786d8c3cb67bb0e9224ae1822902c672d3 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Tue, 15 Dec 2020 15:17:04 +0100
-Subject: [PATCH 39/48] HACK:s3:winbind: Rely on the domain child for online
+Subject: [PATCH 39/88] HACK:s3:winbind: Rely on the domain child for online
  check
 
 ---
@@ -3435,13 +3435,13 @@ index 6e3277e5529..35b76a367aa 100644
  
  	/* Handle online/offline messages. */
 -- 
-2.30.2
+2.33.1
 
 
 From 958bed1a1e5c9f334a1859bef14f4fe1657c3e49 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 9 Sep 2020 16:00:52 +0200
-Subject: [PATCH 40/48] s3:smbd: Use fsp al the talloc memory context
+Subject: [PATCH 40/88] s3:smbd: Use fsp al the talloc memory context
 
 Somehow the lck pointer gets freed before we call TALLOC_FREE().
 
@@ -3466,13 +3466,13 @@ index de557f53a20..9a24e331ab1 100644
  				  &mtimespec);
  
 -- 
-2.30.2
+2.33.1
 
 
 From 2591ae5d6a1dbd71391801b7bdf20bd37c8e8375 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 3 Feb 2021 12:58:31 +0100
-Subject: [PATCH 41/48] Revert "s3:smbd: Use fsp al the talloc memory context"
+Subject: [PATCH 41/88] Revert "s3:smbd: Use fsp al the talloc memory context"
 
 This reverts commit 958bed1a1e5c9f334a1859bef14f4fe1657c3e49.
 ---
@@ -3493,13 +3493,13 @@ index 9a24e331ab1..de557f53a20 100644
  				  &mtimespec);
  
 -- 
-2.30.2
+2.33.1
 
 
 From 2438619ec7ef18816f6b92c87a094851223d2bb1 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 22 Jul 2020 22:42:09 -0700
-Subject: [PATCH 42/48] nsswitch/nsstest.c: Avoid nss function conflicts with
+Subject: [PATCH 42/88] nsswitch/nsstest.c: Avoid nss function conflicts with
  glibc nss.h
 
 glibc 2.32 will define these varibles [1] which results in conflicts
@@ -3596,13 +3596,13 @@ index 6d92806cffc..46f96795f39 100644
  
  static void nss_test_errors(void)
 -- 
-2.30.2
+2.33.1
 
 
 From d5410b038bb3b1d31783c0d825dc933497f6eeaa Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 3 Feb 2021 10:30:08 +0100
-Subject: [PATCH 43/48] lib:util: Add basic memcache unit test
+Subject: [PATCH 43/88] lib:util: Add basic memcache unit test
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
 
@@ -3772,13 +3772,13 @@ index e7639c4da27..e3f7d9acb4a 100644
                [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
  plantestsuite("samba.unittests.test_registry_regfio", "none",
 -- 
-2.30.2
+2.33.1
 
 
 From 7f6661b3c60319073d7fd58906b9a3728f421fed Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 3 Feb 2021 10:37:12 +0100
-Subject: [PATCH 44/48] lib:util: Add cache oversize test for memcache
+Subject: [PATCH 44/88] lib:util: Add cache oversize test for memcache
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
 
@@ -3856,13 +3856,13 @@ index 00000000000..0a74ace3003
 @@ -0,0 +1 @@
 +^samba.unittests.memcache.torture_memcache_add_oversize
 -- 
-2.30.2
+2.33.1
 
 
 From 53c7f00510556aea15b640254934e514c1d88c25 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Tue, 2 Feb 2021 18:10:38 +0100
-Subject: [PATCH 45/48] lib:util: Avoid free'ing our own pointer
+Subject: [PATCH 45/88] lib:util: Avoid free'ing our own pointer
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -3932,13 +3932,13 @@ index 0a74ace3003..00000000000
 @@ -1 +0,0 @@
 -^samba.unittests.memcache.torture_memcache_add_oversize
 -- 
-2.30.2
+2.33.1
 
 
 From 138662453fb421609b4fa30487a53a50c085895f Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra@samba.org>
 Date: Thu, 5 Nov 2020 15:48:08 -0800
-Subject: [PATCH 46/48] s3: spoolss: Make parameters in call to user_ok_token()
+Subject: [PATCH 46/88] s3: spoolss: Make parameters in call to user_ok_token()
  match all other uses.
 
 We already have p->session_info->unix_info->unix_name, we don't
@@ -3972,13 +3972,13 @@ index f32b465afb6..c0f1803c2fa 100644
  		    !W_ERROR_IS_OK(print_access_check(p->session_info,
  						      p->msg_ctx,
 -- 
-2.30.2
+2.33.1
 
 
 From 9550eb620ff23fb9f9414c9de596789aae64aef1 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 11 Nov 2020 13:42:06 +0100
-Subject: [PATCH 47/48] s3:smbd: Fix possible null pointer dereference in
+Subject: [PATCH 47/88] s3:smbd: Fix possible null pointer dereference in
  token_contains_name()
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572
@@ -4008,13 +4008,13 @@ index 0705e197975..64276c79fbe 100644
  		/* Check if username starts with domain name */
  		if (domain_len > 0) {
 -- 
-2.30.2
+2.33.1
 
 
 From 49a19805c6837df04dce449841d011fc67e0a7df Mon Sep 17 00:00:00 2001
 From: Volker Lendecke <vl@samba.org>
 Date: Sat, 20 Feb 2021 15:50:12 +0100
-Subject: [PATCH 48/48] passdb: Simplify sids_to_unixids()
+Subject: [PATCH 48/88] passdb: Simplify sids_to_unixids()
 
 Best reviewed with "git show -b", there's a "continue" statement that
 changes subsequent indentation.
@@ -4238,5 +4238,3232 @@ index 1bb15ccb8b4..186ba17fda6 100644
  			}
  			break;
 -- 
-2.30.2
+2.33.1
+
+
+From 8b39b14dcaf104a2f3172917ef926a3fec5db891 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 24 Nov 2016 09:12:59 +0100
+Subject: [PATCH 49/88] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to
+ non spnego authentication if we require kerberos
+
+We should not send NTLM[v2] data on the wire if the user asked for kerberos
+only.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
+index 6ee4929e8d7..a0a1f4baa56 100644
+--- a/source4/libcli/smb_composite/sesssetup.c
++++ b/source4/libcli/smb_composite/sesssetup.c
+@@ -620,6 +620,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
+ 	struct composite_context *c;
+ 	struct sesssetup_state *state;
+ 	NTSTATUS status;
++	enum credentials_use_kerberos krb5_state =
++		cli_credentials_get_kerberos_state(io->in.credentials);
+ 
+ 	c = composite_create(session, session->transport->ev);
+ 	if (c == NULL) return NULL;
+@@ -635,6 +637,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
+ 
+ 	/* no session setup at all in earliest protocol varients */
+ 	if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
++		if (krb5_state == CRED_MUST_USE_KERBEROS) {
++			composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++			return c;
++		}
+ 		ZERO_STRUCT(io->out);
+ 		composite_done(c);
+ 		return c;
+@@ -642,9 +648,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
+ 
+ 	/* see what session setup interface we will use */
+ 	if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
++		if (krb5_state == CRED_MUST_USE_KERBEROS) {
++			composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++			return c;
++		}
+ 		status = session_setup_old(c, session, io, &state->req);
+ 	} else if (!session->transport->options.use_spnego ||
+ 		   !(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
++		if (krb5_state == CRED_MUST_USE_KERBEROS) {
++			composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++			return c;
++		}
+ 		status = session_setup_nt1(c, session, io, &state->req);
+ 	} else {
+ 		struct tevent_req *subreq = NULL;
+-- 
+2.33.1
+
+
+From 41cc796909aeade44c4f1e88923936ba4444278e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 27 Oct 2016 10:40:28 +0200
+Subject: [PATCH 50/88] CVE-2016-2124: s3:libsmb: don't fallback to non spnego
+ authentication if we require kerberos
+
+We should not send NTLM[v2] nor plaintext data on the wire if the user
+asked for kerberos only.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/cliconnect.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 9bba2665663..9a69d4b7217 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -1455,6 +1455,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
+ 		return req;
+ 	}
+ 
++	if (krb5_state == CRED_MUST_USE_KERBEROS) {
++		DBG_WARNING("Kerberos authentication requested, but "
++			    "the server does not support SPNEGO authentication\n");
++		tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++		return tevent_req_post(req, ev);
++	}
++
+ 	if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
+ 		/*
+ 		 * SessionSetupAndX was introduced by LANMAN 1.0. So we skip
+-- 
+2.33.1
+
+
+From 3c1688714ea93cdb7c3088b8a5e5da3025e43b42 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sat, 18 Jan 2020 08:06:45 +0100
+Subject: [PATCH 51/88] s3/auth: use set_current_user_info() in
+ auth3_generate_session_info_pac()
+
+This delays reloading config slightly, but I don't see how could affect
+observable behaviour other then log messages coming from the functions in
+between the different locations for lp_load_with_shares() like
+make_session_info_krb5() are sent to a different logfile if "log file" uses %U.
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit dc4b1e39ce1f2201a2d6ae2d4cffef2448f69a62)
+
+[scabrero@samba.org Prerequisite for CVE-2020-25717 backport]
+---
+ source3/auth/auth_generic.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index 167d4e00367..0e9c423efef 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -159,12 +159,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 		}
+ 	}
+ 
+-	/* setup the string used by %U */
+-	sub_set_smb_name(username);
+-
+-	/* reload services so that the new %U is taken into account */
+-	lp_load_with_shares(get_dyn_CONFIGFILE());
+-
+ 	status = make_session_info_krb5(mem_ctx,
+ 					ntuser, ntdomain, username, pw,
+ 					info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+@@ -176,6 +170,14 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 		goto done;
+ 	}
+ 
++	/* setup the string used by %U */
++	set_current_user_info((*session_info)->unix_info->sanitized_username,
++			      (*session_info)->unix_info->unix_name,
++			      (*session_info)->info->domain_name);
++
++	/* reload services so that the new %U is taken into account */
++	lp_load_with_shares(get_dyn_CONFIGFILE());
++
+ 	DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
+ 		  ntuser, ntdomain, rhost));
+ 
+-- 
+2.33.1
+
+
+From cf43f0a90b3025077479d37ad905fe730695e739 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Thu, 4 Nov 2021 11:51:08 +0100
+Subject: [PATCH 52/88] selftest: Fix ktest usermap file
+
+The user was not mapped:
+
+user_in_list: checking user |KTEST/administrator| against |KTEST\Administrator|
+The user 'KTEST/administrator' has no mapping. Skip it next time.
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+
+[scabrero@samba.org Once smb_getpswnam() fallbacks are removed the user
+ has to be mapped]
+---
+ selftest/target/Samba3.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 9e4da0e6a08..2eb5003112e 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1124,7 +1124,7 @@ sub setup_ktest
+ 
+ 	open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+ 	print USERMAP "
+-$ret->{USERNAME} = KTEST\\Administrator
++$ret->{USERNAME} = KTEST/Administrator
+ ";
+ 	close(USERMAP);
+ 
+-- 
+2.33.1
+
+
+From 703f43ea7817fa0ab423134a4c40bf9c37f90274 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 5 Oct 2021 16:42:00 +0200
+Subject: [PATCH 53/88] selftest/Samba3: replace (winbindd => "yes", skip_wait
+ => 1) with (winbindd => "offline")
+
+This is much more flexible and concentrates the logic in a single place.
+
+We'll use winbindd => "offline" in other places soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
+(cherry picked from commit 89b9cb8b786c3e4eb8691b5363390b68d8228a2d)
+
+[scabrero@samba.org Backported to 4.10]
+---
+ selftest/target/Samba3.pm | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 2eb5003112e..bbbefea44b7 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1333,7 +1333,7 @@ sub check_or_start($$$$$) {
+ 
+ 		$ENV{ENVNAME} = "$ENV{ENVNAME}.winbindd";
+ 
+-		if ($winbindd ne "yes") {
++		if ($winbindd ne "yes" and $winbindd ne "offline") {
+ 			$SIG{USR1} = $SIG{ALRM} = $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub {
+ 				my $signame = shift;
+ 				print("Skip winbindd received signal $signame");
+@@ -2564,13 +2564,17 @@ sub wait_for_start($$$$$)
+ 		}
+ 	}
+ 
+-	if ($winbindd eq "yes") {
++	if ($winbindd eq "yes" or $winbindd eq "offline") {
+ 	    print "checking for winbindd\n";
+ 	    my $count = 0;
+ 	    $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ 	    $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ 	    $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+-	    $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
++	    if ($winbindd eq "yes") {
++		$cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
++	    } elsif ($winbindd eq "offline") {
++		$cmd .= Samba::bindir_path($self, "wbinfo") . " --ping";
++	    }
+ 
+ 	    do {
+ 		if ($ret != 0) {
+-- 
+2.33.1
+
+
+From eadbcf608a98c8ff90b2d5d91b61fc8100d2cc71 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 22 Oct 2021 16:20:36 +0200
+Subject: [PATCH 54/88] CVE-2020-25719 CVE-2020-25717: selftest: remove
+ "gensec:require_pac" settings
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/selftest.pl      | 2 --
+ selftest/target/Samba4.pm | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/selftest/selftest.pl b/selftest/selftest.pl
+index f2968139cfd..8c273951ab3 100755
+--- a/selftest/selftest.pl
++++ b/selftest/selftest.pl
+@@ -637,8 +637,6 @@ sub write_clientconf($$$)
+ 	client lanman auth = Yes
+ 	log level = 1
+ 	torture:basedir = $clientdir
+-#We don't want to pass our self-tests if the PAC code is wrong
+-	gensec:require_pac = true
+ #We don't want to run 'speed' tests for very long
+         torture:timelimit = 1
+         winbind separator = /
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index a7a6c4c9587..0f644661176 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -777,8 +777,6 @@ sub provision_raw_step1($$)
+ 	notify:inotify = false
+ 	ldb:nosync = true
+ 	ldap server require strong auth = yes
+-#We don't want to pass our self-tests if the PAC code is wrong
+-	gensec:require_pac = true
+ 	log file = $ctx->{logdir}/log.\%m
+ 	log level = $ctx->{server_loglevel}
+ 	lanman auth = Yes
+-- 
+2.33.1
+
+
+From 628493ea5f0cda3851ab13a41b8018daa228132b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 4 Oct 2021 17:29:34 +0200
+Subject: [PATCH 55/88] CVE-2020-25717: s3:winbindd: make sure we default to
+ r->out.authoritative = true
+
+We need to make sure that temporary failures don't trigger a fallback
+to the local SAM that silently ignores the domain name part for users.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[scabrero@samba.org Backported for 4.10 due to no logon_id for
+log_authentication() neither is_allowed_domain()]
+---
+ source3/winbindd/winbindd_dual_srv.c      |  7 +++++++
+ source3/winbindd/winbindd_irpc.c          |  7 +++++++
+ source3/winbindd/winbindd_pam.c           | 13 ++++++++++---
+ source3/winbindd/winbindd_pam_auth_crap.c |  9 ++++++++-
+ source3/winbindd/winbindd_util.c          |  7 +++++++
+ 5 files changed, 39 insertions(+), 4 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
+index ab14f5d51a0..0842241e02e 100644
+--- a/source3/winbindd/winbindd_dual_srv.c
++++ b/source3/winbindd/winbindd_dual_srv.c
+@@ -928,6 +928,13 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
+ 	union netr_Validation *validation = NULL;
+ 	bool interactive = false;
+ 
++	/*
++	 * Make sure we start with authoritative=true,
++	 * it will only set to false if we don't know the
++	 * domain.
++	 */
++	r->out.authoritative = true;
++
+ 	domain = wb_child_domain();
+ 	if (domain == NULL) {
+ 		return NT_STATUS_REQUEST_NOT_ACCEPTED;
+diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c
+index 8cbb0b93086..45615c2dc47 100644
+--- a/source3/winbindd/winbindd_irpc.c
++++ b/source3/winbindd/winbindd_irpc.c
+@@ -143,6 +143,13 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg,
+ 	const char *target_domain_name = NULL;
+ 	const char *account_name = NULL;
+ 
++	/*
++	 * Make sure we start with authoritative=true,
++	 * it will only set to false if we don't know the
++	 * domain.
++	 */
++	req->out.authoritative = true;
++
+ 	switch (req->in.logon_level) {
+ 	case NetlogonInteractiveInformation:
+ 	case NetlogonServiceInformation:
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 35018fbe284..deed81d0a79 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -1703,7 +1703,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(
+ 	unsigned char local_nt_response[24];
+ 	fstring name_namespace, name_domain, name_user;
+ 	NTSTATUS result;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uint32_t flags = 0;
+ 	uint16_t validation_level;
+ 	union netr_Validation *validation = NULL;
+@@ -2238,6 +2238,13 @@ done:
+ 		result = NT_STATUS_NO_LOGON_SERVERS;
+ 	}
+ 
++	/*
++	 * Here we don't alter
++	 * state->response->data.auth.authoritative based
++	 * on the servers response
++	 * as we don't want a fallback to the local sam
++	 * for interactive PAM logons
++	 */
+ 	set_auth_errors(state->response, result);
+ 
+ 	DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
+@@ -2420,7 +2427,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
+ 	const char *name_user = NULL;
+ 	const char *name_domain = NULL;
+ 	const char *workstation;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uint32_t flags = 0;
+ 	uint16_t validation_level;
+ 	union netr_Validation *validation = NULL;
+@@ -2482,7 +2489,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
+ 				       &validation_level,
+ 				       &validation);
+ 	if (!NT_STATUS_IS_OK(result)) {
+-		state->response->data.auth.authoritative = authoritative;
+ 		goto done;
+ 	}
+ 
+@@ -2526,6 +2532,7 @@ done:
+ 	}
+ 
+ 	set_auth_errors(state->response, result);
++	state->response->data.auth.authoritative = authoritative;
+ 
+ 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
+ }
+diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
+index b7912db43df..40cab81b5ea 100644
+--- a/source3/winbindd/winbindd_pam_auth_crap.c
++++ b/source3/winbindd/winbindd_pam_auth_crap.c
+@@ -24,6 +24,7 @@
+ 
+ struct winbindd_pam_auth_crap_state {
+ 	struct winbindd_response *response;
++	bool authoritative;
+ 	uint32_t flags;
+ };
+ 
+@@ -45,7 +46,7 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ 	if (req == NULL) {
+ 		return NULL;
+ 	}
+-
++	state->authoritative = true;
+ 	state->flags = request->flags;
+ 
+ 	if (state->flags & WBFLAG_PAM_AUTH_PAC) {
+@@ -124,6 +125,11 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ 
+ 	domain = find_auth_domain(request->flags, auth_domain);
+ 	if (domain == NULL) {
++		/*
++		 * We don't know the domain so
++		 * we're not authoritative
++		 */
++		state->authoritative = false;
+ 		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ 		return tevent_req_post(req, ev);
+ 	}
+@@ -184,6 +190,7 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
+ 
+ 	if (tevent_req_is_nterror(req, &status)) {
+ 		set_auth_errors(response, status);
++		response->data.auth.authoritative = state->authoritative;
+ 		return status;
+ 	}
+ 
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index 3245c70bb8e..315eb366a52 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -2062,6 +2062,13 @@ void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain)
+ 
+ void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
+ {
++	/*
++	 * Make sure we start with authoritative=true,
++	 * it will only set to false if we don't know the
++	 * domain.
++	 */
++	resp->data.auth.authoritative = true;
++
+ 	resp->data.auth.nt_status = NT_STATUS_V(result);
+ 	fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
+ 
+-- 
+2.33.1
+
+
+From fc3b3940208c2f03ea3aeb4b6f7e609fa9f90648 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 4 Oct 2021 17:29:34 +0200
+Subject: [PATCH 56/88] CVE-2020-25717: s4:auth/ntlm: make sure
+ auth_check_password() defaults to r->out.authoritative = true
+
+We need to make sure that temporary failures don't trigger a fallback
+to the local SAM that silently ignores the domain name part for users.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/auth/ntlm/auth.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
+index 3a3fa7eaa59..f754bd5cd44 100644
+--- a/source4/auth/ntlm/auth.c
++++ b/source4/auth/ntlm/auth.c
+@@ -169,6 +169,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
+ 	/*TODO: create a new event context here! */
+ 	ev = auth_ctx->event_ctx;
+ 
++	/*
++	 * We are authoritative by default
++	 */
++	*pauthoritative = 1;
++
+ 	subreq = auth_check_password_send(mem_ctx,
+ 					  ev,
+ 					  auth_ctx,
+-- 
+2.33.1
+
+
+From ecd3a8af56dcd1aad43999a253175aa04b298eef Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 57/88] CVE-2020-25717: s4:torture: start with authoritative =
+ 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/torture/rpc/samlogon.c | 4 ++--
+ source4/torture/rpc/schannel.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
+index e689dfd5e98..957cb410712 100644
+--- a/source4/torture/rpc/samlogon.c
++++ b/source4/torture/rpc/samlogon.c
+@@ -1385,7 +1385,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
+ 
+ 	union netr_LogonLevel logon;
+ 	union netr_Validation validation;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uint32_t flags = 0;
+ 
+ 	ZERO_STRUCT(logon);
+@@ -1498,7 +1498,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
+ 
+ 	union netr_LogonLevel logon;
+ 	union netr_Validation validation;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	struct dcerpc_binding_handle *b = p->binding_handle;
+ 
+ 	ZERO_STRUCT(a);
+diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
+index c237c82bbe7..72d0bf28fdd 100644
+--- a/source4/torture/rpc/schannel.c
++++ b/source4/torture/rpc/schannel.c
+@@ -50,7 +50,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
+ 	struct netr_NetworkInfo ninfo;
+ 	union netr_LogonLevel logon;
+ 	union netr_Validation validation;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uint32_t _flags = 0;
+ 	DATA_BLOB names_blob, chal, lm_resp, nt_resp;
+ 	int i;
+-- 
+2.33.1
+
+
+From 3feb493c3dd5383712a41729ed6f770695acb8b7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 58/88] CVE-2020-25717: s4:smb_server: start with authoritative
+ = 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/smb_server/smb/sesssetup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
+index 13f13934412..5e817eecd4b 100644
+--- a/source4/smb_server/smb/sesssetup.c
++++ b/source4/smb_server/smb/sesssetup.c
+@@ -102,7 +102,7 @@ static void sesssetup_old_send(struct tevent_req *subreq)
+ 	struct auth_session_info *session_info;
+ 	struct smbsrv_session *smb_sess;
+ 	NTSTATUS status;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uint32_t flags;
+ 
+ 	status = auth_check_password_recv(subreq, req, &user_info_dc,
+@@ -243,7 +243,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq)
+ 	struct auth_user_info_dc *user_info_dc = NULL;
+ 	struct auth_session_info *session_info;
+ 	struct smbsrv_session *smb_sess;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uint32_t flags;
+ 	NTSTATUS status;
+ 
+-- 
+2.33.1
+
+
+From e1a1787d1d3b64adc743eab4f626068b438d0e5c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 59/88] CVE-2020-25717: s4:auth_simple: start with
+ authoritative = 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/auth/ntlm/auth_simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
+index fcd9050979d..da8f094a838 100644
+--- a/source4/auth/ntlm/auth_simple.c
++++ b/source4/auth/ntlm/auth_simple.c
+@@ -150,7 +150,7 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
+ 	const struct tsocket_address *local_address = user_info->local_host;
+ 	const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ 	struct auth_user_info_dc *user_info_dc = NULL;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uint32_t flags = 0;
+ 	NTSTATUS nt_status;
+ 
+-- 
+2.33.1
+
+
+From e09409714301455ba7bbed1d80a9c90c05257aaf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 60/88] CVE-2020-25717: s3:ntlm_auth: start with authoritative
+ = 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/utils/ntlm_auth.c             |  4 ++--
+ source3/utils/ntlm_auth_diagnostics.c | 10 +++++-----
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 36c32e4a3dc..3f70732a837 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -1766,7 +1766,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
+ 				TALLOC_FREE(mem_ctx);
+ 
+ 			} else {
+-				uint8_t authoritative = 0;
++				uint8_t authoritative = 1;
+ 
+ 				if (!domain) {
+ 					domain = smb_xstrdup(get_winbind_domain());
+@@ -2235,7 +2235,7 @@ static bool check_auth_crap(void)
+ 	char *hex_lm_key;
+ 	char *hex_user_session_key;
+ 	char *error_string;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 
+ 	setbuf(stdout, NULL);
+ 
+diff --git a/source3/utils/ntlm_auth_diagnostics.c b/source3/utils/ntlm_auth_diagnostics.c
+index 41591a8de33..fc0fc19bacb 100644
+--- a/source3/utils/ntlm_auth_diagnostics.c
++++ b/source3/utils/ntlm_auth_diagnostics.c
+@@ -54,7 +54,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which)
+ 	DATA_BLOB lm_response = data_blob(NULL, 24);
+ 	DATA_BLOB nt_response = data_blob(NULL, 24);
+ 	DATA_BLOB session_key = data_blob(NULL, 16);
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uchar lm_key[8];
+ 	uchar user_session_key[16];
+ 	uchar lm_hash[16];
+@@ -177,7 +177,7 @@ static bool test_ntlm_in_lm(void)
+ 	NTSTATUS nt_status;
+ 	uint32_t flags = 0;
+ 	DATA_BLOB nt_response = data_blob(NULL, 24);
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uchar lm_key[8];
+ 	uchar lm_hash[16];
+ 	uchar user_session_key[16];
+@@ -245,7 +245,7 @@ static bool test_ntlm_in_both(void)
+ 	uint32_t flags = 0;
+ 	DATA_BLOB nt_response = data_blob(NULL, 24);
+ 	DATA_BLOB session_key = data_blob(NULL, 16);
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uint8_t lm_key[8];
+ 	uint8_t lm_hash[16];
+ 	uint8_t user_session_key[16];
+@@ -322,7 +322,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which)
+ 	DATA_BLOB lmv2_response = data_blob_null;
+ 	DATA_BLOB ntlmv2_session_key = data_blob_null;
+ 	DATA_BLOB names_blob = NTLMv2_generate_names_blob(NULL, get_winbind_netbios_name(), get_winbind_domain());
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uchar user_session_key[16];
+ 	DATA_BLOB chall = get_challenge();
+ 	char *error_string;
+@@ -452,7 +452,7 @@ static bool test_plaintext(enum ntlm_break break_which)
+ 	char *password;
+ 	smb_ucs2_t *nt_response_ucs2;
+ 	size_t converted_size;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uchar user_session_key[16];
+ 	uchar lm_key[16];
+ 	static const uchar zeros[8] = { 0, };
+-- 
+2.33.1
+
+
+From 26570ee2e981cc5d44eeeed020a051a4771470fe Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 61/88] CVE-2020-25717: s3:torture: start with authoritative =
+ 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[scabrero@samba.org Backported to 4.10 due to missing commit
+a5548af018643f2e78c482e33ef0e6073db149e4 to check return value
+of SMBOWFencrypt()]
+---
+ source3/torture/pdbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
+index 64bc45e6a7c..48190e78bf8 100644
+--- a/source3/torture/pdbtest.c
++++ b/source3/torture/pdbtest.c
+@@ -277,7 +277,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
+ 	struct netr_SamInfo6 *info6_wbc = NULL;
+ 	NTSTATUS status;
+ 	bool ok;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 
+ 	SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
+ 		      local_nt_response);
+-- 
+2.33.1
+
+
+From 36af26aac042ce48ae912d0ab7ce398280d81c93 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 62/88] CVE-2020-25717: s3:rpcclient: start with authoritative
+ = 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpcclient/cmd_netlogon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index 631740562c6..30fa1ed7816 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -496,7 +496,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ 	uint32_t logon_param = 0;
+ 	const char *workstation = NULL;
+ 	struct netr_SamInfo3 *info3 = NULL;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	uint32_t flags = 0;
+ 	uint16_t validation_level;
+ 	union netr_Validation *validation = NULL;
+-- 
+2.33.1
+
+
+From 8eec50d65a10baa4e282c4a833c3cb202cd33255 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 63/88] CVE-2020-25717: s3:auth: start with authoritative = 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[scabrero@samba.org Backported to 4.10 due to missing commits
+7f75dec865256049e99f7fcf46317cd2d53e95d1 and
+434030ba711e677fdd167a255d05c1cd4db943b7]
+---
+ source3/auth/auth_generic.c | 2 +-
+ source3/auth/auth_samba4.c  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index 0e9c423efef..4ef2270cb34 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -415,7 +415,7 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
+ {
+ 	NTSTATUS nt_status;
+ 	void *server_info;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 
+ 	if (auth_context->check_ntlm_password_send != NULL) {
+ 		struct tevent_context *ev = NULL;
+diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
+index a71c75631d7..bf7ccb4348c 100644
+--- a/source3/auth/auth_samba4.c
++++ b/source3/auth/auth_samba4.c
+@@ -118,7 +118,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
+ 	NTSTATUS nt_status;
+ 	struct auth_user_info_dc *user_info_dc;
+ 	struct auth4_context *auth4_context;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 
+ 	nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context);
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+-- 
+2.33.1
+
+
+From 46bc67c24c83940ef56cfa5dbbdb8544c290f200 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 64/88] CVE-2020-25717: auth/ntlmssp: start with authoritative
+ = 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/ntlmssp/ntlmssp_server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
+index 140e89daeb1..eebada670be 100644
+--- a/auth/ntlmssp/ntlmssp_server.c
++++ b/auth/ntlmssp/ntlmssp_server.c
+@@ -830,7 +830,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq)
+ 	struct gensec_security *gensec_security = state->gensec_security;
+ 	struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp;
+ 	struct auth4_context *auth_context = gensec_security->auth_context;
+-	uint8_t authoritative = 0;
++	uint8_t authoritative = 1;
+ 	NTSTATUS status;
+ 
+ 	status = auth_context->check_ntlm_password_recv(subreq,
+-- 
+2.33.1
+
+
+From 986642f066c3fdf187a8799898196a23cb9d532c Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Tue, 28 Sep 2021 10:43:40 +0200
+Subject: [PATCH 65/88] CVE-2020-25717: loadparm: Add new parameter "min domain
+ uid"
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[abartlet@samba.org Backported from master/4.15 due to
+ conflicts with other new parameters]
+---
+ docs-xml/smbdotconf/security/mindomainuid.xml | 17 +++++++++++++++++
+ docs-xml/smbdotconf/winbind/idmapconfig.xml   |  4 ++++
+ lib/param/loadparm.c                          |  4 ++++
+ source3/param/loadparm.c                      |  2 ++
+ 4 files changed, 27 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
+
+diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
+new file mode 100644
+index 00000000000..46ae795d730
+--- /dev/null
++++ b/docs-xml/smbdotconf/security/mindomainuid.xml
+@@ -0,0 +1,17 @@
++<samba:parameter name="min domain uid"
++                 type="integer"
++                 context="G"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++  <para>
++    The integer parameter specifies the minimum uid allowed when mapping a
++    local account to a domain account.
++  </para>
++
++  <para>
++    Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
++  </para>
++</description>
++
++<value type="default">1000</value>
++</samba:parameter>
+diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
+index 1374040fb29..f70f11df757 100644
+--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
++++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
+@@ -80,6 +80,9 @@
+ 		authoritative for a unix ID to SID mapping, so it must be set
+ 		for each individually configured domain and for the default
+ 		configuration. The configured ranges must be mutually disjoint.
++		</para>
++		<para>
++		Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
+ 		</para></listitem>
+ 		</varlistentry>
+ 
+@@ -115,4 +118,5 @@
+ 	</programlisting>
+ 	
+ </description>
++<related>min domain uid</related>
+ </samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 4c3dfff24f3..4aa91f4d404 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -3015,6 +3015,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 	lpcfg_do_global_parameter(
+ 		lp_ctx, "ldap max search request size", "256000");
+ 
++	lpcfg_do_global_parameter(lp_ctx,
++				  "min domain uid",
++				  "1000");
++
+ 	for (i = 0; parm_table[i].label; i++) {
+ 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
+ 			lp_ctx->flags[i] |= FLAG_DEFAULT;
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 0db44e92d19..57d1d909099 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -963,6 +963,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+ 	Globals.ldap_max_authenticated_request_size = 16777216;
+ 	Globals.ldap_max_search_request_size = 256000;
+ 
++	Globals.min_domain_uid = 1000;
++
+ 	/* Now put back the settings that were set with lp_set_cmdline() */
+ 	apply_lp_set_cmdline();
+ }
+-- 
+2.33.1
+
+
+From 16fa6601a3517c723e90dfb8b1a086df2616e668 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Oct 2021 19:57:18 +0200
+Subject: [PATCH 66/88] CVE-2020-25717: s3:auth: let
+ auth3_generate_session_info_pac() forward the low level errors
+
+Mapping everything to ACCESS_DENIED makes it hard to debug problems,
+which may happen because of our more restrictive behaviour in future.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/auth/auth_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index 4ef2270cb34..26a38f92b30 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -166,7 +166,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
+ 			  nt_errstr(status)));
+-		status = NT_STATUS_ACCESS_DENIED;
++		status = nt_status_squash(status);
+ 		goto done;
+ 	}
+ 
+-- 
+2.33.1
+
+
+From 10a4bdbe4a16fec1bd9b212736a9d26500e0981e Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Tue, 28 Sep 2021 10:45:11 +0200
+Subject: [PATCH 67/88] CVE-2020-25717: s3:auth: Check minimum domain uid
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/auth/auth_util.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index 8ff20c33759..8801d3f0f0b 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -2078,6 +2078,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ 			}
+ 		}
+ 		goto out;
++	} else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
++		   !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) {
++		/*
++		 * !is_myname(domain) because when smbd starts tries to setup
++		 * the guest user info, calling this function with nobody
++		 * username. Nobody is usually uid 65535 but it can be changed
++		 * to a regular user with 'guest account' parameter
++		 */
++		nt_status = NT_STATUS_INVALID_TOKEN;
++		DBG_NOTICE("Username '%s%s%s' is invalid on this system, "
++			   "it does not meet 'min domain uid' "
++			   "restriction (%u < %u): %s\n",
++			   nt_domain, lp_winbind_separator(), nt_username,
++			   pwd->pw_uid, lp_min_domain_uid(),
++			   nt_errstr(nt_status));
++		goto out;
+ 	}
+ 
+ 	result = make_server_info(tmp_ctx);
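Review bot: The `%u` conversion on the third format line is fed `lp_min_domain_uid()`, which for an `integer` smb.conf parameter is presumably an `int`, so `-Wformat` would flag it against the `uid_t` of `pwd->pw_uid`; the comparison in the new `else if` also mixes `uid_t` with that `int`, so a negative configured value converts to a very large unsigned number and rejects every domain user — fail-closed, but worth stating rather than leaving implicit. A comment such as `/* lp_min_domain_uid() is an int; a negative value converts to a huge uid_t and rejects everyone, which is the safe direction */` plus `%d` (or a cast to `unsigned`) for that argument would make the intent and the types agree. The explanatory comment also reads awkwardly: `when smbd starts tries to setup` should be `when smbd starts it tries to set up`. make_server_info_info3() starts before and ends after this hunk, and `nt_domain`, `nt_username` and `domain` are declared outside it.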
+-- 
+2.33.1
+
+
+From 58bea3837cfbeba5cd5c56060a42117fffedbda4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Oct 2021 17:40:30 +0200
+Subject: [PATCH 68/88] CVE-2020-25717: s3:auth: we should not try to
+ autocreate the guest account
+
+We should avoid autocreation of users as much as possible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/auth/user_krb5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
+index 8998f9c8f8a..074e8c7eb71 100644
+--- a/source3/auth/user_krb5.c
++++ b/source3/auth/user_krb5.c
+@@ -155,7 +155,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 			if (!fuser) {
+ 				return NT_STATUS_NO_MEMORY;
+ 			}
+-			pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
++			pw = smb_getpwnam(mem_ctx, fuser, &unixuser, false);
+ 		}
+ 
+ 		/* extra sanity check that the guest account is valid */
+-- 
+2.33.1
+
+
+From e78afbcff415d78cb29b65204fefeb0355d6651e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Oct 2021 18:08:20 +0200
+Subject: [PATCH 69/88] CVE-2020-25717: s3:auth: no longer let check_account()
+ autocreate local users
+
+So far we autocreated local user accounts based on just the
+account_name (just ignoring any domain part).
+
+This only happens via a possible 'add user script',
+which is not typically defined on domain members
+and on NT4 DCs local users already exist in the
+local passdb anyway.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/auth/auth_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index 8801d3f0f0b..6ee500493e6 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -1873,7 +1873,7 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+ 
+-	passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true );
++	passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
+ 	if (!passwd) {
+ 		DEBUG(3, ("Failed to find authenticated user %s via "
+ 			  "getpwnam(), denying access.\n", dom_user));
+-- 
+2.33.1
+
+
+From a3ffab81c235aae479262cca73cf4361f76f7f9d Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 8 Oct 2021 12:33:16 +0200
+Subject: [PATCH 70/88] CVE-2020-25717: s3:auth: remove fallbacks in
+ smb_getpwnam()
+
+So far we tried getpwnam("DOMAIN\account") first and
+always did a fallback to getpwnam("account") completely
+ignoring the domain part, this just causes problems
+as we mix "DOMAIN1\account", "DOMAIN2\account",
+and "account"!
+
+As we require a running winbindd for domain member setups
+we should no longer do a fallback to just "account" for
+users served by winbindd!
+
+For users of the local SAM don't use this code path,
+as check_sam_security() doesn't call check_account().
+
+The only case where smb_getpwnam("account") happens is
+when map_username() via ("username map [script]")  mapped
+"DOMAIN\account" to something without '\', but that is
+explicitly desired by the admin.
+
+Note: use 'git show -w'
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/auth/auth_util.c | 77 ++++++++++++++++++++++------------------
+ 1 file changed, 42 insertions(+), 35 deletions(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index 6ee500493e6..161e05c2106 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -1908,7 +1908,7 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
+ {
+ 	struct passwd *pw = NULL;
+ 	char *p = NULL;
+-	char *username = NULL;
++	const char *username = NULL;
+ 
+ 	/* we only save a copy of the username it has been mangled 
+ 	   by winbindd use default domain */
+@@ -1927,48 +1927,55 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
+ 	/* code for a DOMAIN\user string */
+ 
+ 	if ( p ) {
+-		pw = Get_Pwnam_alloc( mem_ctx, domuser );
+-		if ( pw ) {
+-			/* make sure we get the case of the username correct */
+-			/* work around 'winbind use default domain = yes' */
+-
+-			if ( lp_winbind_use_default_domain() &&
+-			     !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
+-				char *domain;
+-
+-				/* split the domain and username into 2 strings */
+-				*p = '\0';
+-				domain = username;
+-
+-				*p_save_username = talloc_asprintf(mem_ctx,
+-								"%s%c%s",
+-								domain,
+-								*lp_winbind_separator(),
+-								pw->pw_name);
+-				if (!*p_save_username) {
+-					TALLOC_FREE(pw);
+-					return NULL;
+-				}
+-			} else {
+-				*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
+-			}
++		const char *domain = NULL;
+ 
+-			/* whew -- done! */
+-			return pw;
++		/* split the domain and username into 2 strings */
++		*p = '\0';
++		domain = username;
++		p++;
++		username = p;
++
++		if (strequal(domain, get_global_sam_name())) {
++			/*
++			 * This typically don't happen
++			 * as check_sam_Security()
++			 * don't call make_server_info_info3()
++			 * and thus check_account().
++			 *
++			 * But we better keep this.
++			 */
++			goto username_only;
+ 		}
+ 
+-		/* setup for lookup of just the username */
+-		/* remember that p and username are overlapping memory */
+-
+-		p++;
+-		username = talloc_strdup(mem_ctx, p);
+-		if (!username) {
++		pw = Get_Pwnam_alloc( mem_ctx, domuser );
++		if (pw == NULL) {
+ 			return NULL;
+ 		}
++		/* make sure we get the case of the username correct */
++		/* work around 'winbind use default domain = yes' */
++
++		if ( lp_winbind_use_default_domain() &&
++		     !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
++			*p_save_username = talloc_asprintf(mem_ctx,
++							"%s%c%s",
++							domain,
++							*lp_winbind_separator(),
++							pw->pw_name);
++			if (!*p_save_username) {
++				TALLOC_FREE(pw);
++				return NULL;
++			}
++		} else {
++			*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
++		}
++
++		/* whew -- done! */
++		return pw;
++
+ 	}
+ 
+ 	/* just lookup a plain username */
+-
++username_only:
+ 	pw = Get_Pwnam_alloc(mem_ctx, username);
+ 
+ 	/* Create local user if requested but only if winbindd
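Review bot: The comment above the new `goto username_only` misspells the function it refers to and has grammar slips: `check_sam_Security()` should be `check_sam_security()` (as the commit message spells it), and `This typically don't happen ... don't call` should read `This typically doesn't happen, as check_sam_security() doesn't call make_server_info_info3() and thus check_account().` The two `Get_Pwnam_alloc` calls in the hunk also use different spacing (`Get_Pwnam_alloc( mem_ctx, domuser )` vs `Get_Pwnam_alloc(mem_ctx, username)`); the latter matches the rest of the new code. Note that after `*p = '\0'` the `username` copy holds only the domain part, so the lookup of the full `DOMAIN\user` form correctly uses the untouched `domuser` parameter — a one-line comment saying so would spare the next reader the trace. smb_getpwnam() starts before this hunk and continues past it.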
+-- 
+2.33.1
+
+
+From 9a1bb168388205f5a2bfa459a5da63c5046eaa7a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 4 Oct 2021 18:03:55 +0200
+Subject: [PATCH 71/88] CVE-2020-25717: s3:auth: don't let create_local_token
+ depend on !winbind_ping()
+
+We always require a running winbindd on a domain member, so
+we should better fail a request instead of silently alter
+the behaviour, which results in a different unix token, just
+because winbindd might be restarted.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/auth/auth_util.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index 161e05c2106..c0e5cfd7fa8 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -551,13 +551,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+ 	}
+ 
+ 	/*
+-	 * If winbind is not around, we can not make much use of the SIDs the
+-	 * domain controller provided us with. Likewise if the user name was
+-	 * mapped to some local unix user.
++	 * If the user name was mapped to some local unix user,
++	 * we can not make much use of the SIDs the
++	 * domain controller provided us with.
+ 	 */
+-
+-	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
+-	    (server_info->nss_token)) {
++	if (server_info->nss_token) {
+ 		char *found_username = NULL;
+ 		status = create_token_from_username(session_info,
+ 						    server_info->unix_name,
+-- 
+2.33.1
+
+
+From bbe5c6693ba6954dab5bfef9f8c3778164cd879e Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Wed, 11 Nov 2020 18:50:45 +0200
+Subject: [PATCH 72/88] CVE-2020-25717: Add FreeIPA domain controller role
+
+As we want to reduce use of 'classic domain controller' role but FreeIPA
+relies on it internally, add a separate role to mark FreeIPA domain
+controller role.
+
+It means that role won't result in ROLE_STANDALONE.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[abartlet@samba.org Backported due to conflict with DEBUG
+ statements and IPA branding changes in comments]
+---
+ docs-xml/smbdotconf/security/serverrole.xml |  7 ++++
+ lib/param/loadparm_server_role.c            |  2 ++
+ lib/param/param_table.c                     |  1 +
+ lib/param/util.c                            |  1 +
+ libcli/netlogon/netlogon.c                  |  2 +-
+ libds/common/roles.h                        |  1 +
+ source3/auth/auth.c                         |  3 ++
+ source3/auth/auth_sam.c                     |  2 ++
+ source3/include/smb_macros.h                |  2 +-
+ source3/lib/netapi/joindomain.c             |  1 +
+ source3/param/loadparm.c                    |  4 ++-
+ source3/passdb/lookup_sid.c                 |  1 -
+ source3/passdb/machine_account_secrets.c    |  7 ++--
+ source3/registry/reg_backend_prod_options.c |  1 +
+ source3/rpc_server/dssetup/srv_dssetup_nt.c |  1 +
+ source3/smbd/server.c                       |  2 +-
+ source3/winbindd/winbindd_misc.c            |  2 +-
+ source3/winbindd/winbindd_util.c            | 40 ++++++++++++++++-----
+ source4/auth/ntlm/auth.c                    |  1 +
+ source4/kdc/kdc-heimdal.c                   |  1 +
+ source4/rpc_server/samr/dcesrv_samr.c       |  2 ++
+ 21 files changed, 65 insertions(+), 19 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
+index 9511c61c96d..b8b83a127b5 100644
+--- a/docs-xml/smbdotconf/security/serverrole.xml
++++ b/docs-xml/smbdotconf/security/serverrole.xml
+@@ -78,6 +78,13 @@
+     url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
+     HOWTO</ulink></para>
+ 
++    <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para>
++
++    <para>This mode of operation runs Samba in a hybrid mode for IPA
++    domain controller, providing forest trust to Active Directory.
++    This role requires special configuration performed by IPA installers
++    and should not be used manually by any administrator.
++    </para>
+ </description>
+ 
+ <related>security</related>
+diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
+index 7a6bc770723..a78d1ab9cf3 100644
+--- a/lib/param/loadparm_server_role.c
++++ b/lib/param/loadparm_server_role.c
+@@ -42,6 +42,7 @@ static const struct srv_role_tab {
+ 	{ ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
+ 	{ ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
+ 	{ ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
++	{ ROLE_IPA_DC, "ROLE_IPA_DC"},
+ 	{ 0, NULL }
+ };
+ 
+@@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_ACTIVE_DIRECTORY_DC:
++	case ROLE_IPA_DC:
+ 		if (security == SEC_USER) {
+ 			valid = true;
+ 		}
+diff --git a/lib/param/param_table.c b/lib/param/param_table.c
+index f9d3b55adf2..aed205d1944 100644
+--- a/lib/param/param_table.c
++++ b/lib/param/param_table.c
+@@ -100,6 +100,7 @@ static const struct enum_list enum_server_role[] = {
+ 	{ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
+ 	{ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
+ 	{ROLE_ACTIVE_DIRECTORY_DC, "dc"},
++	{ROLE_IPA_DC, "IPA primary domain controller"},
+ 	{-1, NULL}
+ };
+ 
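Review bot: The value string added to `enum_server_role`, `"IPA primary domain controller"`, does not match what the serverrole.xml hunk earlier in this patch documents as `SERVER ROLE = IPA DOMAIN CONTROLLER`, so an administrator or installer following the documentation would presumably not match any table entry. The table already carries aliases for the AD role (`"domain controller"`, `"dc"`), so either add `{ROLE_IPA_DC, "IPA domain controller"},` here or change the documented heading to the accepted spelling. Whichever is kept should be the single spelling the IPA installers mentioned in the documentation use.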
+diff --git a/lib/param/util.c b/lib/param/util.c
+index cd8e74b9d8f..9a0fc102de8 100644
+--- a/lib/param/util.c
++++ b/lib/param/util.c
+@@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_ACTIVE_DIRECTORY_DC:
++	case ROLE_IPA_DC:
+ 		return lpcfg_workgroup(lp_ctx);
+ 	default:
+ 		return lpcfg_netbios_name(lp_ctx);
+diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c
+index 58a331d70ad..838bdf84c87 100644
+--- a/libcli/netlogon/netlogon.c
++++ b/libcli/netlogon/netlogon.c
+@@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx,
+ 		if (ndr->offset < ndr->data_size) {
+ 			TALLOC_FREE(ndr);
+ 			/*
+-			 * We need to handle a bug in FreeIPA (at least <= 4.1.2).
++			 * We need to handle a bug in IPA (at least <= 4.1.2).
+ 			 *
+ 			 * They include the ip address information without setting
+ 			 * NETLOGON_NT_VERSION_5EX_WITH_IP, while using
+diff --git a/libds/common/roles.h b/libds/common/roles.h
+index 4772c8d7d3f..03ba1915b21 100644
+--- a/libds/common/roles.h
++++ b/libds/common/roles.h
+@@ -33,6 +33,7 @@ enum server_role {
+ 	
+ 	/* not in samr.idl */
+ 	ROLE_ACTIVE_DIRECTORY_DC = 4,
++	ROLE_IPA_DC = 5,
+ 
+ 	/* To determine the role automatically, this is not a valid role */
+ 	ROLE_AUTO          = 100
+diff --git a/source3/auth/auth.c b/source3/auth/auth.c
+index 0a96d591808..c5bfe9ac626 100644
+--- a/source3/auth/auth.c
++++ b/source3/auth/auth.c
+@@ -529,6 +529,7 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
+ 		break;
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_DOMAIN_PDC:
++	case ROLE_IPA_DC:
+ 		DEBUG(5,("Making default auth method list for DC\n"));
+ 		methods = "anonymous sam winbind sam_ignoredomain";
+ 		break;
+@@ -557,6 +558,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
+ 	switch (lp_server_role()) {
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_DOMAIN_PDC:
++	case ROLE_IPA_DC:
+ 		methods = "sam_netlogon3 winbind";
+ 		break;
+ 
+@@ -578,6 +580,7 @@ NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
+ 	case ROLE_DOMAIN_MEMBER:
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_DOMAIN_PDC:
++	case ROLE_IPA_DC:
+ 		methods = "sam";
+ 		break;
+ 	case ROLE_ACTIVE_DIRECTORY_DC:
+diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
+index f9764d87e3c..d0b29083d46 100644
+--- a/source3/auth/auth_sam.c
++++ b/source3/auth/auth_sam.c
+@@ -139,6 +139,7 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
+ 			break;
+ 		case ROLE_DOMAIN_PDC:
+ 		case ROLE_DOMAIN_BDC:
++		case ROLE_IPA_DC:
+ 			if ( !is_local_name && !is_my_domain ) {
+ 				DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
+ 					effective_domain));
+@@ -209,6 +210,7 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
+ 	switch (lp_server_role()) {
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_DOMAIN_BDC:
++	case ROLE_IPA_DC:
+ 		break;
+ 	default:
+ 		DBG_ERR("Invalid server role\n");
+diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
+index 06d24744960..346401510c2 100644
+--- a/source3/include/smb_macros.h
++++ b/source3/include/smb_macros.h
+@@ -213,7 +213,7 @@ copy an IP address from one buffer to another
+  Check to see if we are a DC for this domain
+ *****************************************************************************/
+ 
+-#define IS_DC  (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) 
++#define IS_DC  (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_server_role() == ROLE_IPA_DC)
+ #define IS_AD_DC  (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)
+ 
+ /*
+diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
+index 8d0752f4531..0344c0e0416 100644
+--- a/source3/lib/netapi/joindomain.c
++++ b/source3/lib/netapi/joindomain.c
+@@ -369,6 +369,7 @@ WERROR NetGetJoinInformation_l(struct libnetapi_ctx *ctx,
+ 		case ROLE_DOMAIN_MEMBER:
+ 		case ROLE_DOMAIN_PDC:
+ 		case ROLE_DOMAIN_BDC:
++		case ROLE_IPA_DC:
+ 			*r->out.name_type = NetSetupDomainName;
+ 			break;
+ 		case ROLE_STANDALONE:
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 57d1d909099..98e05d13d59 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -4321,6 +4321,7 @@ int lp_default_server_announce(void)
+ 			default_server_announce |= SV_TYPE_DOMAIN_MEMBER;
+ 			break;
+ 		case ROLE_DOMAIN_PDC:
++		case ROLE_IPA_DC:
+ 			default_server_announce |= SV_TYPE_DOMAIN_CTRL;
+ 			break;
+ 		case ROLE_DOMAIN_BDC:
+@@ -4346,7 +4347,8 @@ int lp_default_server_announce(void)
+ bool lp_domain_master(void)
+ {
+ 	if (Globals._domain_master == Auto)
+-		return (lp_server_role() == ROLE_DOMAIN_PDC);
++		return (lp_server_role() == ROLE_DOMAIN_PDC ||
++			lp_server_role() == ROLE_IPA_DC);
+ 
+ 	return (bool)Globals._domain_master;
+ }
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index 186ba17fda6..839da5cfbf4 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -117,7 +117,6 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
+ 	if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
+ 	    strequal(domain, get_global_sam_name()))
+ 	{
+-
+ 		/* It's our own domain, lookup the name in passdb */
+ 		if (lookup_global_sam_name(name, flags, &rid, &type)) {
+ 			sid_compose(&sid, get_global_sam_sid(), rid);
+diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
+index dfc21f295a1..b60cf56c490 100644
+--- a/source3/passdb/machine_account_secrets.c
++++ b/source3/passdb/machine_account_secrets.c
+@@ -198,7 +198,8 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
+ 	dyn_guid = (struct GUID *)secrets_fetch(key, &size);
+ 
+ 	if (!dyn_guid) {
+-		if (lp_server_role() == ROLE_DOMAIN_PDC) {
++		if (lp_server_role() == ROLE_DOMAIN_PDC ||
++		    lp_server_role() == ROLE_IPA_DC) {
+ 			new_guid = GUID_random();
+ 			if (!secrets_store_domain_guid(domain, &new_guid))
+ 				return False;
+@@ -314,9 +315,7 @@ static const char *trust_keystr(const char *domain)
+ 
+ enum netr_SchannelType get_default_sec_channel(void)
+ {
+-	if (lp_server_role() == ROLE_DOMAIN_BDC ||
+-	    lp_server_role() == ROLE_DOMAIN_PDC ||
+-	    lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
++	if (IS_DC) {
+ 		return SEC_CHAN_BDC;
+ 	} else {
+ 		return SEC_CHAN_WKSTA;
+diff --git a/source3/registry/reg_backend_prod_options.c b/source3/registry/reg_backend_prod_options.c
+index 655c587ac40..7bd3f324c37 100644
+--- a/source3/registry/reg_backend_prod_options.c
++++ b/source3/registry/reg_backend_prod_options.c
+@@ -40,6 +40,7 @@ static int prod_options_fetch_values(const char *key, struct regval_ctr *regvals
+ 	switch (lp_server_role()) {
+ 		case ROLE_DOMAIN_PDC:
+ 		case ROLE_DOMAIN_BDC:
++		case ROLE_IPA_DC:
+ 			value_ascii = "LanmanNT";
+ 			break;
+ 		case ROLE_STANDALONE:
+diff --git a/source3/rpc_server/dssetup/srv_dssetup_nt.c b/source3/rpc_server/dssetup/srv_dssetup_nt.c
+index 7e3efa8504e..aa896e15ac4 100644
+--- a/source3/rpc_server/dssetup/srv_dssetup_nt.c
++++ b/source3/rpc_server/dssetup/srv_dssetup_nt.c
+@@ -62,6 +62,7 @@ static WERROR fill_dsrole_dominfo_basic(TALLOC_CTX *ctx,
+ 			basic->domain = get_global_sam_name();
+ 			break;
+ 		case ROLE_DOMAIN_PDC:
++		case ROLE_IPA_DC:
+ 			basic->role = DS_ROLE_PRIMARY_DC;
+ 			basic->domain = get_global_sam_name();
+ 			break;
+diff --git a/source3/smbd/server.c b/source3/smbd/server.c
+index 7d96a5762ec..d263507b22f 100644
+--- a/source3/smbd/server.c
++++ b/source3/smbd/server.c
+@@ -1969,7 +1969,7 @@ extern void build_options(bool screen);
+ 		exit_daemon("smbd can not open secrets.tdb", EACCES);
+ 	}
+ 
+-	if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
++	if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC || lp_server_role() == ROLE_IPA_DC) {
+ 		struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers());
+ 		if (!open_schannel_session_store(NULL, lp_ctx)) {
+ 			exit_daemon("ERROR: Samba cannot open schannel store for secured NETLOGON operations.", EACCES);
+diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
+index cc0701e597a..f09b029fd13 100644
+--- a/source3/winbindd/winbindd_misc.c
++++ b/source3/winbindd/winbindd_misc.c
+@@ -75,7 +75,7 @@ static char *get_trust_type_string(TALLOC_CTX *mem_ctx,
+ 	case SEC_CHAN_BDC: {
+ 		int role = lp_server_role();
+ 
+-		if (role == ROLE_DOMAIN_PDC) {
++		if (role == ROLE_DOMAIN_PDC || role == ROLE_IPA_DC) {
+ 			s = talloc_strdup(mem_ctx, "PDC");
+ 			if (s == NULL) {
+ 				return NULL;
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index 315eb366a52..04e79e70f6b 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -1225,15 +1225,37 @@ bool init_domain_list(void)
+ 			secure_channel_type = SEC_CHAN_LOCAL;
+ 		}
+ 
+-		status = add_trusted_domain(get_global_sam_name(),
+-					    NULL,
+-					    get_global_sam_sid(),
+-					    LSA_TRUST_TYPE_DOWNLEVEL,
+-					    trust_flags,
+-					    0, /* trust_attribs */
+-					    secure_channel_type,
+-					    NULL,
+-					    &domain);
++		if ((pdb_domain_info != NULL) && (role == ROLE_IPA_DC)) {
++			/* This is IPA DC that presents itself as
++			 * an Active Directory domain controller to trusted AD
++			 * forests but in fact is a classic domain controller.
++			 */
++			trust_flags = NETR_TRUST_FLAG_PRIMARY;
++			trust_flags |= NETR_TRUST_FLAG_IN_FOREST;
++			trust_flags |= NETR_TRUST_FLAG_NATIVE;
++			trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
++			trust_flags |= NETR_TRUST_FLAG_TREEROOT;
++			status = add_trusted_domain(pdb_domain_info->name,
++						    pdb_domain_info->dns_domain,
++						    &pdb_domain_info->sid,
++						    LSA_TRUST_TYPE_UPLEVEL,
++						    trust_flags,
++						    LSA_TRUST_ATTRIBUTE_WITHIN_FOREST,
++						    secure_channel_type,
++						    NULL,
++						    &domain);
++			TALLOC_FREE(pdb_domain_info);
++		} else {
++			status = add_trusted_domain(get_global_sam_name(),
++						    NULL,
++						    get_global_sam_sid(),
++						    LSA_TRUST_TYPE_DOWNLEVEL,
++						    trust_flags,
++						    0, /* trust_attribs */
++						    secure_channel_type,
++						    NULL,
++						    &domain);
++		}
+ 		if (!NT_STATUS_IS_OK(status)) {
+ 			DBG_ERR("Failed to add local SAM to "
+ 				"domain to winbindd's internal list\n");
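Review bot: `TALLOC_FREE(pdb_domain_info)` is only reached in the IPA branch; if `pdb_domain_info` can be non-NULL while `role` is not ROLE_IPA_DC, the `else` branch leaves it allocated, and whether that is a leak depends on where it is allocated above this hunk (init_domain_list() starts before and ends after it). Moving the free after the `if`/`else` — `TALLOC_FREE(pdb_domain_info);` immediately before the `if (!NT_STATUS_IS_OK(status))` check — releases it on both paths and is a no-op when it is already NULL. The IPA branch also overwrites `trust_flags` wholesale with `=`, discarding whatever was computed for it before the hunk; a comment such as `/* IPA DC: replace the classic-DC trust flags computed above */` would make clear that this is intentional.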
+diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
+index f754bd5cd44..7dab02b5c4d 100644
+--- a/source4/auth/ntlm/auth.c
++++ b/source4/auth/ntlm/auth.c
+@@ -773,6 +773,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_ACTIVE_DIRECTORY_DC:
++	case ROLE_IPA_DC:
+ 		auth_methods = str_list_make(mem_ctx, "anonymous sam winbind sam_ignoredomain", NULL);
+ 		break;
+ 	}
+diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
+index b5de5a790d4..49aa560470c 100644
+--- a/source4/kdc/kdc-heimdal.c
++++ b/source4/kdc/kdc-heimdal.c
+@@ -276,6 +276,7 @@ static NTSTATUS kdc_task_init(struct task_server *task)
+ 		return NT_STATUS_INVALID_DOMAIN_ROLE;
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_DOMAIN_BDC:
++	case ROLE_IPA_DC:
+ 		task_server_terminate(
+ 		    task, "Cannot start KDC as a 'classic Samba' DC", false);
+ 		return NT_STATUS_INVALID_DOMAIN_ROLE;
+diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
+index 51fed4da62b..1f09b721408 100644
+--- a/source4/rpc_server/samr/dcesrv_samr.c
++++ b/source4/rpc_server/samr/dcesrv_samr.c
+@@ -568,6 +568,7 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state
+ 		break;
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_DOMAIN_BDC:
++	case ROLE_IPA_DC:
+ 	case ROLE_AUTO:
+ 		return NT_STATUS_INTERNAL_ERROR;
+ 	case ROLE_DOMAIN_MEMBER:
+@@ -675,6 +676,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state,
+ 		break;
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_DOMAIN_BDC:
++	case ROLE_IPA_DC:
+ 	case ROLE_AUTO:
+ 		return NT_STATUS_INTERNAL_ERROR;
+ 	case ROLE_DOMAIN_MEMBER:
+-- 
+2.33.1
+
+
+From 3a8b4d3b410508dfb0538376046a5b38c53f9568 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 5 Oct 2021 18:11:57 +0200
+Subject: [PATCH 73/88] CVE-2020-25717: auth/gensec: always require a PAC in
+ domain mode (DC or member)
+
+AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
+on the service account, which can only be explicitly configured,
+but that's an invalid configuration!
+
+We still try to support standalone servers in an MIT realm,
+as legacy setup.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/gensec/gensec_util.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
+index e185acc0c20..694661b53b5 100644
+--- a/auth/gensec/gensec_util.c
++++ b/auth/gensec/gensec_util.c
+@@ -25,6 +25,8 @@
+ #include "auth/gensec/gensec_internal.h"
+ #include "auth/common_auth.h"
+ #include "../lib/util/asn1.h"
++#include "param/param.h"
++#include "libds/common/roles.h"
+ 
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_AUTH
+@@ -46,10 +48,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
+ 	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ 
+ 	if (!pac_blob) {
+-		if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+-			DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
+-				  principal_string));
+-			return NT_STATUS_ACCESS_DENIED;
++		enum server_role server_role =
++			lpcfg_server_role(gensec_security->settings->lp_ctx);
++
++		/*
++		 * For any domain setup (DC or member) we require having
++		 * a PAC, as the service ticket comes from an AD DC,
++		 * which will always provide a PAC, unless
++		 * UF_NO_AUTH_DATA_REQUIRED is configured for our
++		 * account, but that's just an invalid configuration,
++		 * the admin configured for us!
++		 *
++		 * As a legacy case, we still allow kerberos tickets from an MIT
++		 * realm, but only in standalone mode. In that mode we'll only
++		 * ever accept a kerberos authentication with a keytab file
++		 * being explicitly configured via the 'keytab method' option.
++		 */
++		if (server_role != ROLE_STANDALONE) {
++			DBG_WARNING("Unable to find PAC in ticket from %s, "
++				    "failing to allow access\n",
++				    principal_string);
++			return NT_STATUS_NO_IMPERSONATION_TOKEN;
+ 		}
+ 		DBG_NOTICE("Unable to find PAC for %s, resorting to local "
+ 			   "user lookup\n", principal_string);
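Review bot: The removed `gensec:require_pac` check at the top of the hunk is not replaced by anything in the standalone branch, so an administrator who had explicitly set `gensec:require_pac = yes` on a standalone server now silently gets a PAC-less ticket accepted and falls through to the local user lookup. Domain mode is rightly unconditional, but the standalone path could keep honouring the opt-in: `if (server_role != ROLE_STANDALONE || gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {`. I cannot see from this hunk whether the option is still read elsewhere; if it is intentionally retired, a comment saying so next to the block would save the next reader the search. gensec_generate_session_info_pac() starts and ends outside the hunk.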
+-- 
+2.33.1
+
+
+From 15cca0f7ee6f4b8d96b6b650b2d009b030a2bc5f Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 11 Oct 2021 23:17:19 +0200
+Subject: [PATCH 74/88] CVE-2020-25717: s4:auth: remove unused
+ auth_generate_session_info_principal()
+
+We'll require a PAC at the main gensec layer already.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[abartlet@samba.org Backported from master/4.15 as
+ check_password is sync in 4.14]
+---
+ source4/auth/auth.h          |  8 ------
+ source4/auth/ntlm/auth.c     | 49 ++++--------------------------------
+ source4/auth/ntlm/auth_sam.c | 12 ---------
+ 3 files changed, 5 insertions(+), 64 deletions(-)
+
+diff --git a/source4/auth/auth.h b/source4/auth/auth.h
+index 51895c9259f..f16d0649de2 100644
+--- a/source4/auth/auth.h
++++ b/source4/auth/auth.h
+@@ -73,14 +73,6 @@ struct auth_operations {
+ 				TALLOC_CTX *mem_ctx,
+ 				struct auth_user_info_dc **interim_info,
+ 				bool *authoritative);
+-
+-	/* Lookup a 'session info interim' return based only on the principal or DN */
+-	NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
+-						       struct auth4_context *auth_context,
+-						       const char *principal,
+-						       struct ldb_dn *user_dn,
+-						       struct auth_user_info_dc **interim_info);
+-	uint32_t flags;
+ };
+ 
+ struct auth_method_context {
+diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
+index 7dab02b5c4d..2765fd1b13c 100644
+--- a/source4/auth/ntlm/auth.c
++++ b/source4/auth/ntlm/auth.c
+@@ -86,48 +86,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha
+ 	return NT_STATUS_OK;
+ }
+ 
+-/****************************************************************************
+-Used in the gensec_gssapi and gensec_krb5 server-side code, where the
+-PAC isn't available, and for tokenGroups in the DSDB stack.
+-
+- Supply either a principal or a DN
+-****************************************************************************/
+-static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
+-						  TALLOC_CTX *mem_ctx,
+-						  const char *principal,
+-						  struct ldb_dn *user_dn,
+-                                                  uint32_t session_info_flags,
+-                                                  struct auth_session_info **session_info)
+-{
+-	NTSTATUS nt_status;
+-	struct auth_method_context *method;
+-	struct auth_user_info_dc *user_info_dc;
+-
+-	for (method = auth_ctx->methods; method; method = method->next) {
+-		if (!method->ops->get_user_info_dc_principal) {
+-			continue;
+-		}
+-
+-		nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc);
+-		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+-			continue;
+-		}
+-		if (!NT_STATUS_IS_OK(nt_status)) {
+-			return nt_status;
+-		}
+-
+-		nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx, 
+-							       user_info_dc,
+-							       user_info_dc->info->account_name,
+-							       session_info_flags, session_info);
+-		talloc_free(user_info_dc);
+-
+-		return nt_status;
+-	}
+-
+-	return NT_STATUS_NOT_IMPLEMENTED;
+-}
+-
+ /**
+  * Check a user's Plaintext, LM or NTLM password.
+  * (sync version)
+@@ -663,8 +621,11 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 	TALLOC_CTX *tmp_ctx;
+ 
+ 	if (!pac_blob) {
+-		return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name,
+-						       NULL, session_info_flags, session_info);
++		/*
++		 * This should already be catched at the main
++		 * gensec layer, but better check twice
++		 */
++		return NT_STATUS_INTERNAL_ERROR;
+ 	}
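Review bot: The new comment reads `This should already be catched at the main gensec layer`; the word is `caught`, and the same text is repeated in the auth_generic.c hunk of patch 77 (the `if (pac_blob == NULL)` block). Suggested wording for both places: `/* The gensec layer already rejects a missing PAC in domain mode; reject again here as a defensive check. */`. auth_generate_session_info_pac() starts and ends outside the hunk.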
+ 
+ 	tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
+diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
+index fb88cb87f66..a8c7d8b4b85 100644
+--- a/source4/auth/ntlm/auth_sam.c
++++ b/source4/auth/ntlm/auth_sam.c
+@@ -854,28 +854,16 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
+ 	return NT_STATUS_OK;
+ }
+ 
+-/* Wrapper for the auth subsystem pointer */
+-static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
+-							  struct auth4_context *auth_context,
+-							  const char *principal,
+-							  struct ldb_dn *user_dn,
+-							  struct auth_user_info_dc **user_info_dc)
+-{
+-	return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
+-						 principal, user_dn, user_info_dc);
+-}
+ static const struct auth_operations sam_ignoredomain_ops = {
+ 	.name		           = "sam_ignoredomain",
+ 	.want_check	           = authsam_ignoredomain_want_check,
+ 	.check_password	           = authsam_check_password_internals,
+-	.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
+ };
+ 
+ static const struct auth_operations sam_ops = {
+ 	.name		           = "sam",
+ 	.want_check	           = authsam_want_check,
+ 	.check_password	           = authsam_check_password_internals,
+-	.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
+ };
+ 
+ _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
+-- 
+2.33.1
+
+
+From ec14a33f17e638870c997b56d4b5ce9096cbb27a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 21 Sep 2021 12:27:28 +0200
+Subject: [PATCH 75/88] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
+ ntlm_auth_generate_session_info_pac()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/utils/ntlm_auth.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 3f70732a837..fefdd32bf11 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -827,23 +827,27 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
+ 	if (!p) {
+ 		DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
+ 			  princ_name));
+-		return NT_STATUS_LOGON_FAILURE;
++		status = NT_STATUS_LOGON_FAILURE;
++		goto done;
+ 	}
+ 
+ 	user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
+ 	if (!user) {
+-		return NT_STATUS_NO_MEMORY;
++		status = NT_STATUS_NO_MEMORY;
++		goto done;
+ 	}
+ 
+ 	realm = talloc_strdup(talloc_tos(), p + 1);
+ 	if (!realm) {
+-		return NT_STATUS_NO_MEMORY;
++		status = NT_STATUS_NO_MEMORY;
++		goto done;
+ 	}
+ 
+ 	if (!strequal(realm, lp_realm())) {
+ 		DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
+ 		if (!lp_allow_trusted_domains()) {
+-			return NT_STATUS_LOGON_FAILURE;
++			status = NT_STATUS_LOGON_FAILURE;
++			goto done;
+ 		}
+ 	}
+ 
+@@ -851,7 +855,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
+ 		domain = talloc_strdup(mem_ctx,
+ 					logon_info->info3.base.logon_domain.string);
+ 		if (!domain) {
+-			return NT_STATUS_NO_MEMORY;
++			status = NT_STATUS_NO_MEMORY;
++			goto done;
+ 		}
+ 		DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
+ 	} else {
+@@ -881,7 +886,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
+ 			domain = talloc_strdup(mem_ctx, realm);
+ 		}
+ 		if (!domain) {
+-			return NT_STATUS_NO_MEMORY;
++			status = NT_STATUS_NO_MEMORY;
++			goto done;
+ 		}
+ 		DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
+ 	}
+-- 
+2.33.1
+
+
+From 9e036a77eca721c4ea23c3f629d9e504d5780f79 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 21 Sep 2021 12:44:01 +0200
+Subject: [PATCH 76/88] CVE-2020-25717: s3:ntlm_auth: let
+ ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO
+ only
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/utils/ntlm_auth.c | 91 ++++++++++++---------------------------
+ 1 file changed, 28 insertions(+), 63 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index fefdd32bf11..ff2fd30a9ae 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -799,10 +799,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
+ 	struct PAC_LOGON_INFO *logon_info = NULL;
+ 	char *unixuser;
+ 	NTSTATUS status;
+-	char *domain = NULL;
+-	char *realm = NULL;
+-	char *user = NULL;
+-	char *p;
++	const char *domain = "";
++	const char *user = "";
+ 
+ 	tmp_ctx = talloc_new(mem_ctx);
+ 	if (!tmp_ctx) {
+@@ -819,79 +817,46 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c
+ 		if (!NT_STATUS_IS_OK(status)) {
+ 			goto done;
+ 		}
+-	}
+-
+-	DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
+-
+-	p = strchr_m(princ_name, '@');
+-	if (!p) {
+-		DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
+-			  princ_name));
+-		status = NT_STATUS_LOGON_FAILURE;
++	} else {
++		status = NT_STATUS_ACCESS_DENIED;
++		DBG_WARNING("Kerberos ticket for[%s] has no PAC: %s\n",
++			    princ_name, nt_errstr(status));
+ 		goto done;
+ 	}
+ 
+-	user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
+-	if (!user) {
+-		status = NT_STATUS_NO_MEMORY;
+-		goto done;
++	if (logon_info->info3.base.account_name.string != NULL) {
++		user = logon_info->info3.base.account_name.string;
++	} else {
++		user = "";
++	}
++	if (logon_info->info3.base.logon_domain.string != NULL) {
++		domain = logon_info->info3.base.logon_domain.string;
++	} else {
++		domain = "";
+ 	}
+ 
+-	realm = talloc_strdup(talloc_tos(), p + 1);
+-	if (!realm) {
+-		status = NT_STATUS_NO_MEMORY;
++	if (strlen(user) == 0 || strlen(domain) == 0) {
++		status = NT_STATUS_ACCESS_DENIED;
++		DBG_WARNING("Kerberos ticket for[%s] has invalid "
++			    "account_name[%s]/logon_domain[%s]: %s\n",
++			    princ_name,
++			    logon_info->info3.base.account_name.string,
++			    logon_info->info3.base.logon_domain.string,
++			    nt_errstr(status));
+ 		goto done;
+ 	}
+ 
+-	if (!strequal(realm, lp_realm())) {
+-		DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
++	DBG_NOTICE("Kerberos ticket principal name is [%s] "
++		   "account_name[%s]/logon_domain[%s]\n",
++		   princ_name, user, domain);
++
++	if (!strequal(domain, lp_workgroup())) {
+ 		if (!lp_allow_trusted_domains()) {
+ 			status = NT_STATUS_LOGON_FAILURE;
+ 			goto done;
+ 		}
+ 	}
+ 
+-	if (logon_info && logon_info->info3.base.logon_domain.string) {
+-		domain = talloc_strdup(mem_ctx,
+-					logon_info->info3.base.logon_domain.string);
+-		if (!domain) {
+-			status = NT_STATUS_NO_MEMORY;
+-			goto done;
+-		}
+-		DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
+-	} else {
+-
+-		/* If we have winbind running, we can (and must) shorten the
+-		   username by using the short netbios name. Otherwise we will
+-		   have inconsistent user names. With Kerberos, we get the
+-		   fully qualified realm, with ntlmssp we get the short
+-		   name. And even w2k3 does use ntlmssp if you for example
+-		   connect to an ip address. */
+-
+-		wbcErr wbc_status;
+-		struct wbcDomainInfo *info = NULL;
+-
+-		DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
+-			   realm));
+-
+-		wbc_status = wbcDomainInfo(realm, &info);
+-
+-		if (WBC_ERROR_IS_OK(wbc_status)) {
+-			domain = talloc_strdup(mem_ctx,
+-						info->short_name);
+-			wbcFreeMemory(info);
+-		} else {
+-			DEBUG(3, ("Could not find short name: %s\n",
+-				  wbcErrorString(wbc_status)));
+-			domain = talloc_strdup(mem_ctx, realm);
+-		}
+-		if (!domain) {
+-			status = NT_STATUS_NO_MEMORY;
+-			goto done;
+-		}
+-		DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
+-	}
+-
+ 	unixuser = talloc_asprintf(tmp_ctx, "%s%c%s", domain, winbind_separator(), user);
+ 	if (!unixuser) {
+ 		status = NT_STATUS_NO_MEMORY;
+-- 
+2.33.1
+
+
+From 4c01fd62e30b8e1137e7de01ecb41c94550dac24 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 4 Oct 2021 19:42:20 +0200
+Subject: [PATCH 77/88] CVE-2020-25717: s3:auth: let
+ auth3_generate_session_info_pac() delegate everything to
+ make_server_info_wbcAuthUserInfo()
+
+This consolidates the code paths used for NTLMSSP and Kerberos!
+
+I checked what we were already doing for NTLMSSP, which is this:
+
+a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
+b) as a domain member we require a valid response from winbindd,
+   otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
+c) we call make_server_info_wbcAuthUserInfo(), which internally
+   calls make_server_info_info3()
+d) auth_check_ntlm_password() calls
+   smb_pam_accountcheck(unix_username, rhost), where rhost
+   is only an ipv4 or ipv6 address (without reverse dns lookup)
+e) from auth3_check_password_send/auth3_check_password_recv()
+   server_returned_info will be passed to auth3_generate_session_info(),
+   triggered by gensec_session_info(), which means we'll call into
+   create_local_token() in order to transform auth_serversupplied_info
+   into auth_session_info.
+
+For Kerberos gensec_session_info() will call
+auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
+helper function. The current logic is this:
+
+a) gensec_generate_session_info_pac() is the function that
+   evaluates the 'gensec:require_pac', which defaulted to 'no'
+   before.
+b) auth3_generate_session_info_pac() called
+   wbcAuthenticateUserEx() in order to pass the PAC blob
+   to winbindd, but only to prime its cache, e.g. netsamlogon cache
+   and others. Most failures were just ignored.
+c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
+   from it.
+d) Then we called the horrible get_user_from_kerberos_info() function:
+   - It uses a first part of the tickets principal name (before the @)
+     as username and combines that with the 'logon_info->base.logon_domain'
+     if the logon_info (PAC) is present.
+   - As a fallback without a PAC it's tries to ask winbindd for a mapping
+     from realm to netbios domain name.
+   - Finally is falls back to using the realm as netbios domain name
+   With this information is builds 'userdomain+winbind_separator+useraccount'
+   and calls map_username() followed by smb_getpwnam() with create=true,
+   Note this is similar to the make_server_info_info3() => check_account()
+   => smb_getpwnam() logic under 3.
+   - It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
+     instead of the ip address as rhost.
+   - It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
+     guest account.
+e) We called create_info3_from_pac_logon_info()
+f) make_session_info_krb5() calls gets called and triggers this:
+   - If get_user_from_kerberos_info() mapped to guest, it calls
+     make_server_info_guest()
+   - If create_info3_from_pac_logon_info() created a info3 from logon_info,
+     it calls make_server_info_info3()
+   - Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
+     a fallback to make_server_info_pw()
+   From there it calls create_local_token()
+
+I tried to change auth3_generate_session_info_pac() to behave similar
+to auth_winbind.c together with auth3_generate_session_info() as
+a domain member, as we now rely on a PAC:
+
+a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
+   and require a valid response!
+b) we call make_server_info_wbcAuthUserInfo(), which internally
+   calls make_server_info_info3(). Note make_server_info_info3()
+   handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
+   internally.
+c) Similar to auth_check_ntlm_password() we now call
+   smb_pam_accountcheck(unix_username, rhost), where rhost
+   is only an ipv4 or ipv6 address (without reverse dns lookup)
+d) From there it calls create_local_token()
+
+As standalone server (in an MIT realm) we continue
+with the already existing code logic, which works without a PAC:
+a) we keep smb_getpwnam() with create=true logic as it
+   also requires an explicit 'add user script' option.
+b) In the following commits we assert that there's
+   actually no PAC in this mode, which means we can
+   remove unused and confusing code.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[abartlet@samba.org Backported due to change in structure
+ initialization with { 0 } to zero ]
+[abartlet@samba.org backported to 4.12 due to conflict
+ with code not present to reload shared on krb5 login]
+---
+ source3/auth/auth_generic.c | 139 ++++++++++++++++++++++++++++--------
+ 1 file changed, 110 insertions(+), 29 deletions(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index 26a38f92b30..3099e8f9057 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -46,6 +46,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 						uint32_t session_info_flags,
+ 						struct auth_session_info **session_info)
+ {
++	enum server_role server_role = lp_server_role();
+ 	TALLOC_CTX *tmp_ctx;
+ 	struct PAC_LOGON_INFO *logon_info = NULL;
+ 	struct netr_SamInfo3 *info3_copy = NULL;
+@@ -54,39 +55,59 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 	char *ntuser;
+ 	char *ntdomain;
+ 	char *username;
+-	char *rhost;
++	const char *rhost;
+ 	struct passwd *pw;
+ 	NTSTATUS status;
+-	int rc;
+ 
+ 	tmp_ctx = talloc_new(mem_ctx);
+ 	if (!tmp_ctx) {
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+ 
+-	if (pac_blob) {
+-#ifdef HAVE_KRB5
+-		struct wbcAuthUserParams params = {};
++	if (tsocket_address_is_inet(remote_address, "ip")) {
++		rhost = tsocket_address_inet_addr_string(
++			remote_address, tmp_ctx);
++		if (rhost == NULL) {
++			status = NT_STATUS_NO_MEMORY;
++			goto done;
++		}
++	} else {
++		rhost = "127.0.0.1";
++	}
++
++	if (server_role != ROLE_STANDALONE) {
++		struct wbcAuthUserParams params = { 0 };
+ 		struct wbcAuthUserInfo *info = NULL;
+ 		struct wbcAuthErrorInfo *err = NULL;
++		struct auth_serversupplied_info *server_info = NULL;
++		char *original_user_name = NULL;
++		char *p = NULL;
+ 		wbcErr wbc_err;
+ 
++		if (pac_blob == NULL) {
++			/*
++			 * This should already be catched at the main
++			 * gensec layer, but better check twice
++			 */
++			status = NT_STATUS_INTERNAL_ERROR;
++			goto done;
++		}
++
+ 		/*
+ 		 * Let winbind decode the PAC.
+ 		 * This will also store the user
+ 		 * data in the netsamlogon cache.
+ 		 *
+-		 * We need to do this *before* we
+-		 * call get_user_from_kerberos_info()
+-		 * as that does a user lookup that
+-		 * expects info in the netsamlogon cache.
+-		 *
+-		 * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
++		 * This used to be a cache prime
++		 * optimization, but now we delegate
++		 * all logic to winbindd, as we require
++		 * winbindd as domain member anyway.
+ 		 */
+ 		params.level = WBC_AUTH_USER_LEVEL_PAC;
+ 		params.password.pac.data = pac_blob->data;
+ 		params.password.pac.length = pac_blob->length;
+ 
++		/* we are contacting the privileged pipe */
+ 		become_root();
+ 		wbc_err = wbcAuthenticateUserEx(&params, &info, &err);
+ 		unbecome_root();
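Review bot: The `rhost = "127.0.0.1";` fallback for a non-IP remote_address deserves a comment, because this string is later handed to smb_pam_accountcheck() as the PAM rhost (next hunk), so any PAM rule keyed on the client host will see loopback for such connections. Suggested: `/* Non-IP transports carry no client address; present loopback to PAM rhost checks. */`. Whether a non-IP transport here can be anything other than a local socket is not visible from the hunk. auth3_generate_session_info_pac() continues outside the hunk.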
+@@ -99,18 +120,90 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 		 */
+ 
+ 		switch (wbc_err) {
+-			case WBC_ERR_WINBIND_NOT_AVAILABLE:
+ 			case WBC_ERR_SUCCESS:
+ 				break;
++			case WBC_ERR_WINBIND_NOT_AVAILABLE:
++				status = NT_STATUS_NO_LOGON_SERVERS;
++				DBG_ERR("winbindd not running - "
++					"but required as domain member: %s\n",
++					nt_errstr(status));
++				goto done;
+ 			case WBC_ERR_AUTH_ERROR:
+ 				status = NT_STATUS(err->nt_status);
+ 				wbcFreeMemory(err);
+ 				goto done;
++			case WBC_ERR_NO_MEMORY:
++				status = NT_STATUS_NO_MEMORY;
++				goto done;
+ 			default:
+ 				status = NT_STATUS_LOGON_FAILURE;
+ 				goto done;
+ 		}
+ 
++		status = make_server_info_wbcAuthUserInfo(tmp_ctx,
++							  info->account_name,
++							  info->domain_name,
++							  info, &server_info);
++		if (!NT_STATUS_IS_OK(status)) {
++			DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n",
++				   nt_errstr(status)));
++			goto done;
++		}
++
++		/* We skip doing this step if the caller asked us not to */
++		if (!(server_info->guest)) {
++			const char *unix_username = server_info->unix_name;
++
++			/* We might not be root if we are an RPC call */
++			become_root();
++			status = smb_pam_accountcheck(unix_username, rhost);
++			unbecome_root();
++
++			if (!NT_STATUS_IS_OK(status)) {
++				DEBUG(3, ("check_ntlm_password:  PAM Account for user [%s] "
++					  "FAILED with error %s\n",
++					  unix_username, nt_errstr(status)));
++				goto done;
++			}
++
++			DEBUG(5, ("check_ntlm_password:  PAM Account for user [%s] "
++				  "succeeded\n", unix_username));
++		}
++
++		DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
++
++		p = strchr_m(princ_name, '@');
++		if (!p) {
++			DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
++				  princ_name));
++			status = NT_STATUS_LOGON_FAILURE;
++			goto done;
++		}
++
++		original_user_name = talloc_strndup(tmp_ctx, princ_name, p - princ_name);
++		if (original_user_name == NULL) {
++			status = NT_STATUS_NO_MEMORY;
++			goto done;
++		}
++
++		status = create_local_token(mem_ctx,
++					    server_info,
++					    NULL,
++					    original_user_name,
++					    session_info);
++		if (!NT_STATUS_IS_OK(status)) {
++			DEBUG(10, ("create_local_token failed: %s\n",
++				   nt_errstr(status)));
++			goto done;
++		}
++
++		goto session_info_ready;
++	}
++
++	/* This is the standalone legacy code path */
++
++	if (pac_blob != NULL) {
++#ifdef HAVE_KRB5
+ 		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+ 						 NULL, NULL, 0, &logon_info);
+ #else
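Review bot: The `info` returned by wbcAuthenticateUserEx() on the WBC_ERR_SUCCESS path is read by make_server_info_wbcAuthUserInfo() but no `wbcFreeMemory(info)` appears anywhere in the hunk, and the success path then jumps to `session_info_ready`, so unless make_server_info_wbcAuthUserInfo() takes ownership (not visible here) the structure leaks on every Kerberos logon; add `wbcFreeMemory(info);` directly after that call, before the status check. Two smaller points in the same block: the comment `We skip doing this step if the caller asked us not to` does not describe the `!(server_info->guest)` condition it sits above (`/* Guest mappings have no PAM account to check */` would), and the DEBUG strings are prefixed `check_ntlm_password:` although this is the Kerberos PAC path. The function body continues past the hunk (the `done:` label is not visible).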
+@@ -121,22 +214,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 		}
+ 	}
+ 
+-	rc = get_remote_hostname(remote_address,
+-				 &rhost,
+-				 tmp_ctx);
+-	if (rc < 0) {
+-		status = NT_STATUS_NO_MEMORY;
+-		goto done;
+-	}
+-	if (strequal(rhost, "UNKNOWN")) {
+-		rhost = tsocket_address_inet_addr_string(remote_address,
+-							 tmp_ctx);
+-		if (rhost == NULL) {
+-			status = NT_STATUS_NO_MEMORY;
+-			goto done;
+-		}
+-	}
+-
+ 	status = get_user_from_kerberos_info(tmp_ctx, rhost,
+ 					     princ_name, logon_info,
+ 					     &is_mapped, &is_guest,
+@@ -170,6 +247,8 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 		goto done;
+ 	}
+ 
++session_info_ready:
++
+ 	/* setup the string used by %U */
+ 	set_current_user_info((*session_info)->unix_info->sanitized_username,
+ 			      (*session_info)->unix_info->unix_name,
+@@ -179,7 +258,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 	lp_load_with_shares(get_dyn_CONFIGFILE());
+ 
+ 	DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
+-		  ntuser, ntdomain, rhost));
++		  (*session_info)->info->account_name,
++		  (*session_info)->info->domain_name,
++		  rhost));
+ 
+ 	status = NT_STATUS_OK;
+ 
+-- 
+2.33.1
+
+
+From 2d7cd152d95e091447731b3699be9654ca13cffc Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 5 Oct 2021 17:14:01 +0200
+Subject: [PATCH 78/88] CVE-2020-25717: selftest: configure 'ktest' env with
+ winbindd and idmap_autorid
+
+The 'ktest' environment was/is designed to test kerberos in an active
+directory member setup. It was created at a time we wanted to test
+smbd/winbindd with kerberos without having the source4 ad dc available.
+
+This still applies to testing the build with system krb5 libraries
+but without relying on a running ad dc.
+
+As a domain member setup requires a running winbindd, we should test it
+that way, in order to reflect a valid setup.
+
+As a side effect it provides a way to demonstrate that we can accept
+smb connections authenticated via kerberos, but no connection to
+a domain controller! In order get this working offline, we need an
+idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
+should be the default choice.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[scabrero@samba.org Backported to 4.11 Run winbindd in offline mode
+ but keep the user name mapping to avoid having to backport fixes
+ for bso#14539]
+---
+ selftest/target/Samba3.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index bbbefea44b7..7034127ef0b 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1176,7 +1176,7 @@ $ret->{USERNAME} = KTEST/Administrator
+ 	# access the share for tests.
+ 	chmod 0777, "$prefix/share";
+ 
+-	if (not $self->check_or_start($ret, "yes", "no", "yes")) {
++	if (not $self->check_or_start($ret, "yes", "offline", "yes")) {
+ 	       return undef;
+ 	}
+ 	return $ret;
+-- 
+2.33.1
+
+
+From 6b4c3693d4ae3c54fd4c890b71829ac582436dee Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 5 Oct 2021 18:12:49 +0200
+Subject: [PATCH 79/88] CVE-2020-25717: s3:auth: let
+ auth3_generate_session_info_pac() reject a PAC in standalone mode
+
+We should be strict in standalone mode, that we only support MIT realms
+without a PAC in order to keep the code sane.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[abartlet@samba.org Backported to Samba 4.12 has conflcits
+ as the share reload code is in a different spot]
+---
+ source3/auth/auth_generic.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index 3099e8f9057..23f746c078e 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -48,8 +48,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ {
+ 	enum server_role server_role = lp_server_role();
+ 	TALLOC_CTX *tmp_ctx;
+-	struct PAC_LOGON_INFO *logon_info = NULL;
+-	struct netr_SamInfo3 *info3_copy = NULL;
+ 	bool is_mapped;
+ 	bool is_guest;
+ 	char *ntuser;
+@@ -203,19 +201,20 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 	/* This is the standalone legacy code path */
+ 
+ 	if (pac_blob != NULL) {
+-#ifdef HAVE_KRB5
+-		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+-						 NULL, NULL, 0, &logon_info);
+-#else
+-		status = NT_STATUS_ACCESS_DENIED;
+-#endif
++		/*
++		 * In standalone mode we don't expect a PAC!
++		 * we only support MIT realms
++		 */
++		status = NT_STATUS_BAD_TOKEN_TYPE;
++		DBG_WARNING("Unexpected PAC for [%s] in standalone mode - %s\n",
++			    princ_name, nt_errstr(status));
+ 		if (!NT_STATUS_IS_OK(status)) {
+ 			goto done;
+ 		}
+ 	}
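Review bot: In the `if (pac_blob != NULL)` block `status` is set unconditionally to NT_STATUS_BAD_TOKEN_TYPE two lines earlier, so the following `if (!NT_STATUS_IS_OK(status))` is always true and the conditional is dead code; replace those three lines with a bare `goto done;`. auth3_generate_session_info_pac() continues outside the hunk.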
+ 
+ 	status = get_user_from_kerberos_info(tmp_ctx, rhost,
+-					     princ_name, logon_info,
++					     princ_name, NULL,
+ 					     &is_mapped, &is_guest,
+ 					     &ntuser, &ntdomain,
+ 					     &username, &pw);
+@@ -226,19 +225,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 		goto done;
+ 	}
+ 
+-	/* Get the info3 from the PAC data if we have it */
+-	if (logon_info) {
+-		status = create_info3_from_pac_logon_info(tmp_ctx,
+-					logon_info,
+-					&info3_copy);
+-		if (!NT_STATUS_IS_OK(status)) {
+-			goto done;
+-		}
+-	}
+-
+ 	status = make_session_info_krb5(mem_ctx,
+ 					ntuser, ntdomain, username, pw,
+-					info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
++					NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+ 					session_info);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
+-- 
+2.33.1
+
+
+From 6f6a1fedb97d119a7f15831f7295b1774e806ba8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Oct 2021 17:59:59 +0200
+Subject: [PATCH 80/88] CVE-2020-25717: s3:auth: simplify
+ get_user_from_kerberos_info() by removing the unused logon_info argument
+
+This code is only every called in standalone mode on a MIT realm,
+it means we never have a PAC and we also don't have winbindd arround.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/auth/auth_generic.c |  2 +-
+ source3/auth/proto.h        |  1 -
+ source3/auth/user_krb5.c    | 57 +++++++------------------------------
+ 3 files changed, 11 insertions(+), 49 deletions(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index 23f746c078e..a11aae713f5 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -214,7 +214,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 	}
+ 
+ 	status = get_user_from_kerberos_info(tmp_ctx, rhost,
+-					     princ_name, NULL,
++					     princ_name,
+ 					     &is_mapped, &is_guest,
+ 					     &ntuser, &ntdomain,
+ 					     &username, &pw);
+diff --git a/source3/auth/proto.h b/source3/auth/proto.h
+index fcfd1f36ca2..1ed3f4a2f77 100644
+--- a/source3/auth/proto.h
++++ b/source3/auth/proto.h
+@@ -416,7 +416,6 @@ struct PAC_LOGON_INFO;
+ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 				     const char *cli_name,
+ 				     const char *princ_name,
+-				     struct PAC_LOGON_INFO *logon_info,
+ 				     bool *is_mapped,
+ 				     bool *mapped_to_guest,
+ 				     char **ntuser,
+diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
+index 074e8c7eb71..7b69ca6c222 100644
+--- a/source3/auth/user_krb5.c
++++ b/source3/auth/user_krb5.c
+@@ -31,7 +31,6 @@
+ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 				     const char *cli_name,
+ 				     const char *princ_name,
+-				     struct PAC_LOGON_INFO *logon_info,
+ 				     bool *is_mapped,
+ 				     bool *mapped_to_guest,
+ 				     char **ntuser,
+@@ -40,8 +39,8 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 				     struct passwd **_pw)
+ {
+ 	NTSTATUS status;
+-	char *domain = NULL;
+-	char *realm = NULL;
++	const char *domain = NULL;
++	const char *realm = NULL;
+ 	char *user = NULL;
+ 	char *p;
+ 	char *fuser = NULL;
+@@ -62,55 +61,16 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+ 
+-	realm = talloc_strdup(talloc_tos(), p + 1);
+-	if (!realm) {
+-		return NT_STATUS_NO_MEMORY;
+-	}
++	realm = p + 1;
+ 
+ 	if (!strequal(realm, lp_realm())) {
+ 		DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
+ 		if (!lp_allow_trusted_domains()) {
+ 			return NT_STATUS_LOGON_FAILURE;
+ 		}
+-	}
+-
+-	if (logon_info && logon_info->info3.base.logon_domain.string) {
+-		domain = talloc_strdup(mem_ctx,
+-					logon_info->info3.base.logon_domain.string);
+-		if (!domain) {
+-			return NT_STATUS_NO_MEMORY;
+-		}
+-		DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
++		domain = realm;
+ 	} else {
+-
+-		/* If we have winbind running, we can (and must) shorten the
+-		   username by using the short netbios name. Otherwise we will
+-		   have inconsistent user names. With Kerberos, we get the
+-		   fully qualified realm, with ntlmssp we get the short
+-		   name. And even w2k3 does use ntlmssp if you for example
+-		   connect to an ip address. */
+-
+-		wbcErr wbc_status;
+-		struct wbcDomainInfo *info = NULL;
+-
+-		DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
+-			   realm));
+-
+-		wbc_status = wbcDomainInfo(realm, &info);
+-
+-		if (WBC_ERROR_IS_OK(wbc_status)) {
+-			domain = talloc_strdup(mem_ctx,
+-						info->short_name);
+-			wbcFreeMemory(info);
+-		} else {
+-			DEBUG(3, ("Could not find short name: %s\n",
+-				  wbcErrorString(wbc_status)));
+-			domain = talloc_strdup(mem_ctx, realm);
+-		}
+-		if (!domain) {
+-			return NT_STATUS_NO_MEMORY;
+-		}
+-		DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
++		domain = lp_workgroup();
+ 	}
+ 
+ 	fuser = talloc_asprintf(mem_ctx,
+@@ -175,7 +135,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+ 	*ntuser = user;
+-	*ntdomain = domain;
++	*ntdomain = talloc_strdup(mem_ctx, domain);
++	if (*ntdomain == NULL) {
++		return NT_STATUS_NO_MEMORY;
++	}
++
+ 	*_pw = pw;
+ 
+ 	return NT_STATUS_OK;
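Review bot: `*ntuser = user;` is stored before the `talloc_strdup()` for `*ntdomain` can fail, so on NT_STATUS_NO_MEMORY the caller is left with a populated `*ntuser` next to an untouched `*ntdomain`. Moving `*ntuser = user;` to just below the `if (*ntdomain == NULL)` check keeps the out-parameters all-or-nothing, matching the early returns higher up in the function that bail before assigning anything. Harmless under talloc ownership, but cheap to get right. get_user_from_kerberos_info() begins outside this hunk.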
+@@ -282,7 +246,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 				     const char *cli_name,
+ 				     const char *princ_name,
+-				     struct PAC_LOGON_INFO *logon_info,
+ 				     bool *is_mapped,
+ 				     bool *mapped_to_guest,
+ 				     char **ntuser,
+-- 
+2.33.1
+
+
+From 8fd8d952c4396484f822c51f71667baaf49402b4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Oct 2021 18:03:04 +0200
+Subject: [PATCH 81/88] CVE-2020-25717: s3:auth: simplify
+ make_session_info_krb5() by removing unused arguments
+
+This is only ever be called in standalone mode with an MIT realm,
+so we don't have a PAC/info3 structure.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/auth/auth_generic.c |  2 +-
+ source3/auth/proto.h        |  2 --
+ source3/auth/user_krb5.c    | 20 +-------------------
+ 3 files changed, 2 insertions(+), 22 deletions(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index a11aae713f5..4dd1af784bf 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -227,7 +227,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ 
+ 	status = make_session_info_krb5(mem_ctx,
+ 					ntuser, ntdomain, username, pw,
+-					NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
++					is_guest, is_mapped,
+ 					session_info);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
+diff --git a/source3/auth/proto.h b/source3/auth/proto.h
+index 1ed3f4a2f77..c00ac70fd3f 100644
+--- a/source3/auth/proto.h
++++ b/source3/auth/proto.h
+@@ -427,9 +427,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ 				char *ntdomain,
+ 				char *username,
+ 				struct passwd *pw,
+-				const struct netr_SamInfo3 *info3,
+ 				bool mapped_to_guest, bool username_was_mapped,
+-				DATA_BLOB *session_key,
+ 				struct auth_session_info **session_info);
+ 
+ /* The following definitions come from auth/auth_samba4.c  */
+diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
+index 7b69ca6c222..b8f37cbeee0 100644
+--- a/source3/auth/user_krb5.c
++++ b/source3/auth/user_krb5.c
+@@ -150,9 +150,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ 				char *ntdomain,
+ 				char *username,
+ 				struct passwd *pw,
+-				const struct netr_SamInfo3 *info3,
+ 				bool mapped_to_guest, bool username_was_mapped,
+-				DATA_BLOB *session_key,
+ 				struct auth_session_info **session_info)
+ {
+ 	NTSTATUS status;
+@@ -166,20 +164,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ 			return status;
+ 		}
+ 
+-	} else if (info3) {
+-		/* pass the unmapped username here since map_username()
+-		   will be called again in make_server_info_info3() */
+-
+-		status = make_server_info_info3(mem_ctx,
+-						ntuser, ntdomain,
+-						&server_info,
+-						info3);
+-		if (!NT_STATUS_IS_OK(status)) {
+-			DEBUG(1, ("make_server_info_info3 failed: %s!\n",
+-				  nt_errstr(status)));
+-			return status;
+-		}
+-
+ 	} else {
+ 		/*
+ 		 * We didn't get a PAC, we have to make up the user
+@@ -231,7 +215,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ 
+ 	server_info->nss_token |= username_was_mapped;
+ 
+-	status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info);
++	status = create_local_token(mem_ctx, server_info, NULL, ntuser, session_info);
+ 	talloc_free(server_info);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(10,("failed to create local token: %s\n",
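Review bot: `create_local_token(mem_ctx, server_info, NULL, ntuser, session_info)` now hard-codes a NULL session key, and the remark that used to explain it at the auth_generic.c call site (`No session key for now, caller will sort it out`) is removed in the same commit, so the NULL is unexplained here. Keep the rationale next to the argument: `status = create_local_token(mem_ctx, server_info, NULL /* session key: caller sets it */, ntuser, session_info);`. make_session_info_krb5() begins outside this hunk.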
+@@ -261,9 +245,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ 				char *ntdomain,
+ 				char *username,
+ 				struct passwd *pw,
+-				const struct netr_SamInfo3 *info3,
+ 				bool mapped_to_guest, bool username_was_mapped,
+-				DATA_BLOB *session_key,
+ 				struct auth_session_info **session_info)
+ {
+ 	return NT_STATUS_NOT_IMPLEMENTED;
+-- 
+2.33.1
+
+
+From bf0696ec4f3080ebd0b61cac5a05a9284ccabda8 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 1 Sep 2021 15:39:19 +1200
+Subject: [PATCH 82/88] krb5pac.idl: Add ticket checksum PAC buffer type
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Isaac Boukris <iboukris@samba.org>
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
+(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
+---
+ librpc/idl/krb5pac.idl | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index f27e7243ee4..711b7f94b6c 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -112,7 +112,8 @@ interface krb5pac
+ 		PAC_TYPE_KDC_CHECKSUM = 7,
+ 		PAC_TYPE_LOGON_NAME = 10,
+ 		PAC_TYPE_CONSTRAINED_DELEGATION = 11,
+-		PAC_TYPE_UPN_DNS_INFO = 12
++		PAC_TYPE_UPN_DNS_INFO = 12,
++		PAC_TYPE_TICKET_CHECKSUM = 16
+ 	} PAC_TYPE;
+ 
+ 	typedef struct {
+@@ -128,6 +129,7 @@ interface krb5pac
+ 		[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
+ 			PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
+ 		[case(PAC_TYPE_UPN_DNS_INFO)]	PAC_UPN_DNS_INFO upn_dns_info;
++		[case(PAC_TYPE_TICKET_CHECKSUM)]	PAC_SIGNATURE_DATA ticket_checksum;
+ 		/* when new PAC info types are added they are supposed to be done
+ 		   in such a way that they are backwards compatible with existing
+ 		   servers. This makes it safe to just use a [default] for
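Review bot: The new `[case(PAC_TYPE_TICKET_CHECKSUM)]` arm only makes the buffer decodable; nothing in this patch verifies the checksum, and the `[default]` comment directly below still describes unknown buffer types as safely ignorable, which is the wrong mental model for a signature buffer. A one-line comment on the arm would stop a reader from assuming it is checked at decode time: `/* Signature over the enclosing ticket. Decoding it here does not validate it; the PAC verification path must. */`. Since this series is a backport of IDL-only commits, please confirm the commits that actually consume and verify this buffer are included as well, or note explicitly that they are not.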
+-- 
+2.33.1
+
+
+From 7a9f618fdbf32872594f47dd4bc83ce087af4bbc Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 1 Sep 2021 15:40:59 +1200
+Subject: [PATCH 83/88] security.idl: Add well-known SIDs for FAST
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Isaac Boukris <iboukris@samba.org>
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
+(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
+---
+ librpc/idl/security.idl | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
+index 5930f448955..e6065a35691 100644
+--- a/librpc/idl/security.idl
++++ b/librpc/idl/security.idl
+@@ -292,6 +292,9 @@ interface security
+ 	const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
+ 	const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
+ 
++	const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
++	const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
++
+ 	/*
+ 	 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
+ 	 */
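Review bot: `SID_COMPOUNDED_AUTHENTICATION` and `SID_CLAIMS_VALID` are added without a comment, and unlike the S-1-18-x entries above them they are not self-evidently well-known: they sit under the all-zero domain `S-1-5-21-0-0-0` with RIDs 496/497, which a reader could easily mistake for a placeholder or typo. Suggest a comment above the pair, e.g. `/* [MS-DTYP] well-known SIDs under the zero domain: 496 marks a compound (FAST) authentication, 497 that claims were evaluated for the account. */`, so the FAST context from the subject line lives in the code rather than only in the commit message; please check the wording against [MS-DTYP] before committing it.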
+-- 
+2.33.1
+
+
+From 7713b56a8a8b26e05aa9a517348e3f95da1144a7 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 29 Sep 2021 16:15:26 +1300
+Subject: [PATCH 84/88] krb5pac.idl: Add missing buffer type values
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Backported-by: Andreas Schneider <asn@samba.org>
+---
+ librpc/idl/krb5pac.idl | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index 711b7f94b6c..141894ec5f1 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -113,6 +113,9 @@ interface krb5pac
+ 		PAC_TYPE_LOGON_NAME = 10,
+ 		PAC_TYPE_CONSTRAINED_DELEGATION = 11,
+ 		PAC_TYPE_UPN_DNS_INFO = 12,
++		PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
++		PAC_TYPE_DEVICE_INFO = 14,
++		PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
+ 		PAC_TYPE_TICKET_CHECKSUM = 16
+ 	} PAC_TYPE;
+ 
+-- 
+2.33.1
+
+
+From a85bf1d86d6e081c781cc93a8e7aaa049c3818d0 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Tue, 26 Oct 2021 20:33:38 +1300
+Subject: [PATCH 85/88] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC
+ buffer type
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ librpc/idl/krb5pac.idl | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index 141894ec5f1..4bfec2de5e6 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -97,6 +97,16 @@ interface krb5pac
+ 		PAC_UPN_DNS_FLAGS flags;
+ 	} PAC_UPN_DNS_INFO;
+ 
++	typedef [bitmap32bit] bitmap {
++		PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
++		PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
++	} PAC_ATTRIBUTE_INFO_FLAGS;
++
++	typedef struct {
++		uint32 flags_length; /* length in bits */
++		PAC_ATTRIBUTE_INFO_FLAGS flags;
++	} PAC_ATTRIBUTES_INFO;
++
+ 	typedef [public] struct {
+ 		PAC_LOGON_INFO *info;
+ 	} PAC_LOGON_INFO_CTR;
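Review bot: `uint32 flags_length; /* length in bits */` sits next to a `flags` field fixed at 32 bits, so the IDL only models the case flags_length <= 32; if I read [MS-PAC] correctly, Flags is a variable-width bit field whose byte length follows from FlagsLength, so a PAC advertising a larger value would be decoded with the trailing bits left unconsumed and nothing visible here rejects it. Whether that matters depends on the consumer, but the assumption deserves to be stated at the field: `uint32 flags_length; /* MS-PAC FlagsLength in bits; only the first 32 bits are modelled, treat flags_length > 32 as unsupported */`.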
+@@ -116,7 +126,8 @@ interface krb5pac
+ 		PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
+ 		PAC_TYPE_DEVICE_INFO = 14,
+ 		PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
+-		PAC_TYPE_TICKET_CHECKSUM = 16
++		PAC_TYPE_TICKET_CHECKSUM = 16,
++		PAC_TYPE_ATTRIBUTES_INFO = 17
+ 	} PAC_TYPE;
+ 
+ 	typedef struct {
+@@ -133,6 +144,7 @@ interface krb5pac
+ 			PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
+ 		[case(PAC_TYPE_UPN_DNS_INFO)]	PAC_UPN_DNS_INFO upn_dns_info;
+ 		[case(PAC_TYPE_TICKET_CHECKSUM)]	PAC_SIGNATURE_DATA ticket_checksum;
++		[case(PAC_TYPE_ATTRIBUTES_INFO)]	PAC_ATTRIBUTES_INFO attributes_info;
+ 		/* when new PAC info types are added they are supposed to be done
+ 		   in such a way that they are backwards compatible with existing
+ 		   servers. This makes it safe to just use a [default] for
+-- 
+2.33.1
+
+
+From 57e4c415ecae66ee984a30eb66d5d248e0e8587d Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Tue, 26 Oct 2021 20:33:49 +1300
+Subject: [PATCH 86/88] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
+ buffer type
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ librpc/idl/krb5pac.idl | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index 4bfec2de5e6..f750359a069 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -107,6 +107,10 @@ interface krb5pac
+ 		PAC_ATTRIBUTE_INFO_FLAGS flags;
+ 	} PAC_ATTRIBUTES_INFO;
+ 
++	typedef struct {
++		dom_sid sid;
++	} PAC_REQUESTER_SID;
++
+ 	typedef [public] struct {
+ 		PAC_LOGON_INFO *info;
+ 	} PAC_LOGON_INFO_CTR;
+@@ -127,7 +131,8 @@ interface krb5pac
+ 		PAC_TYPE_DEVICE_INFO = 14,
+ 		PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
+ 		PAC_TYPE_TICKET_CHECKSUM = 16,
+-		PAC_TYPE_ATTRIBUTES_INFO = 17
++		PAC_TYPE_ATTRIBUTES_INFO = 17,
++		PAC_TYPE_REQUESTER_SID = 18
+ 	} PAC_TYPE;
+ 
+ 	typedef struct {
+@@ -145,6 +150,7 @@ interface krb5pac
+ 		[case(PAC_TYPE_UPN_DNS_INFO)]	PAC_UPN_DNS_INFO upn_dns_info;
+ 		[case(PAC_TYPE_TICKET_CHECKSUM)]	PAC_SIGNATURE_DATA ticket_checksum;
+ 		[case(PAC_TYPE_ATTRIBUTES_INFO)]	PAC_ATTRIBUTES_INFO attributes_info;
++		[case(PAC_TYPE_REQUESTER_SID)]	PAC_REQUESTER_SID requester_sid;
+ 		/* when new PAC info types are added they are supposed to be done
+ 		   in such a way that they are backwards compatible with existing
+ 		   servers. This makes it safe to just use a [default] for
+-- 
+2.33.1
+
+
+From 7782a97868ead29b6e87fa98dcef8dbc2706b67d Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 27 Sep 2021 11:20:19 +1300
+Subject: [PATCH 87/88] CVE-2020-25721 krb5pac: Add new buffers for
+ samAccountName and objectSID
+
+These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ librpc/idl/krb5pac.idl   | 18 ++++++++++++++++--
+ librpc/ndr/ndr_krb5pac.c |  4 ++--
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
+index f750359a069..94b9160d6eb 100644
+--- a/librpc/idl/krb5pac.idl
++++ b/librpc/idl/krb5pac.idl
+@@ -86,15 +86,29 @@ interface krb5pac
+ 	} PAC_CONSTRAINED_DELEGATION;
+ 
+ 	typedef [bitmap32bit] bitmap {
+-		PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001
++		PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001,
++		PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002
+ 	} PAC_UPN_DNS_FLAGS;
+ 
++	typedef struct {
++		[value(2*strlen_m(samaccountname))] uint16 samaccountname_size;
++		[relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname;
++		[value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size;
++		[relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid;
++	} PAC_UPN_DNS_INFO_SAM_NAME_AND_SID;
++
++	typedef [nodiscriminant] union {
++		[case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid;
++		[default];
++	} PAC_UPN_DNS_INFO_EX;
++
+ 	typedef struct {
+ 		[value(2*strlen_m(upn_name))] uint16 upn_name_size;
+ 		[relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
+ 		[value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
+ 		[relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
+ 		PAC_UPN_DNS_FLAGS flags;
++		[switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex;
+ 	} PAC_UPN_DNS_INFO;
+ 
+ 	typedef [bitmap32bit] bitmap {
+@@ -160,7 +174,7 @@ interface krb5pac
+ 
+ 	typedef [public,nopush,nopull] struct {
+ 		PAC_TYPE type;
+-		[value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
++		[value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size;
+ 		/*
+ 		 * We need to have two subcontexts to get the padding right,
+ 		 * the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
+diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c
+index a9ae2c4a789..57b28df9e52 100644
+--- a/librpc/ndr/ndr_krb5pac.c
++++ b/librpc/ndr/ndr_krb5pac.c
+@@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
+ 	if (ndr_flags & NDR_SCALARS) {
+ 		NDR_CHECK(ndr_push_align(ndr, 4));
+ 		NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type));
+-		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0)));
++		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8)));
+ 		{
+ 			uint32_t _flags_save_PAC_INFO = ndr->flags;
+ 			ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8);
+@@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
+ 				{
+ 					struct ndr_push *_ndr_info_pad;
+ 					struct ndr_push *_ndr_info;
+-					size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0);
++					size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8);
+ 					NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8)));
+ 					NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
+ 					NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
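Review bot: The switch from `0` to `LIBNDR_FLAG_ALIGN8` in both `_ndr_size_PAC_INFO()` calls changes the `_ndr_size` written for every PAC buffer type, not only the new PAC_UPN_DNS_INFO extension, and nothing says why the flag has to be passed. The reason appears to be that the inner subcontext is pushed under `ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8)` (first hunk of this file), so a size computed without that flag would disagree with the bytes actually emitted once a buffer carries alignment-sensitive relative pointers; a comment such as `/* must use the same ALIGN8 flags the subcontext below is pushed with, or _ndr_size disagrees with the encoded bytes */` would make that explicit. Because the declared sizes are part of what the PAC signatures cover, I would want an interop run against a Windows client and KDC for the pre-existing buffer types, not just the new one. ndr_push_PAC_BUFFER() continues outside this hunk.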
+-- 
+2.33.1
+
+
+From 44e8dd1a9a3c02dee31497fe20411758fce1acf9 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 12 Nov 2021 19:06:01 +0200
+Subject: [PATCH 88/88] IPA DC: add missing checks
+
+When introducing FreeIPA support, two places were forgotten:
+
+ - schannel gensec module needs to be aware of IPA DC
+ - _lsa_QueryInfoPolicy should treat IPA DC as PDC
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
+Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
+
+(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)
+---
+ auth/gensec/schannel.c              | 1 +
+ source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
+index 71e9afdf48e..f23c1effb23 100644
+--- a/auth/gensec/schannel.c
++++ b/auth/gensec/schannel.c
+@@ -740,6 +740,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_ACTIVE_DIRECTORY_DC:
++	case ROLE_IPA_DC:
+ 		return NT_STATUS_OK;
+ 	default:
+ 		return NT_STATUS_NOT_IMPLEMENTED;
+diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
+index 57bfc596005..3f77856457e 100644
+--- a/source3/rpc_server/lsa/srv_lsa_nt.c
++++ b/source3/rpc_server/lsa/srv_lsa_nt.c
+@@ -672,6 +672,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
+ 		switch (lp_server_role()) {
+ 			case ROLE_DOMAIN_PDC:
+ 			case ROLE_DOMAIN_BDC:
++			case ROLE_IPA_DC:
+ 				name = get_global_sam_name();
+ 				sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
+ 				if (!sid) {
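Review bot: `case ROLE_IPA_DC:` is slotted in next to PDC/BDC without a comment, so a reader has to consult the commit message to learn that an IPA DC is deliberately answered with the global SAM name and SID rather than whatever the later cases or `default` (not visible here) return. A short comment on the new line, `case ROLE_IPA_DC: /* an IPA DC answers as a PDC */`, would carry that intent into the code. The commit message says these were two forgotten sites; a grep for other `switch (lp_server_role())` blocks that enumerate ROLE_DOMAIN_PDC/BDC would confirm none remain. _lsa_QueryInfoPolicy() begins and ends outside this hunk.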
+-- 
+2.33.1
 
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index fa9727a..7062f94 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 15
+%define main_release 17
 
 %define samba_version 4.10.16
 %define talloc_version 2.1.16
@@ -3305,6 +3305,14 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
+* Mon Nov 15 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-17
+- related: #2019673 - Add missing checks for IPA DC server role
+
+* Mon Nov 08 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-16
+- resolves: #2019661 - Fix CVE-2016-2124
+- resolves: #2019673 - Fix CVE-2020-25717
+- resolves: #2021428 - Add missing PAC buffer types to krb5pac.idl
+
 * Mon Apr 26 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-15
 - resolves: #1949444 - Fix CVE-2021-20254