diff --git a/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch b/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch
new file mode 100644
index 0000000..d72091e
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch
@@ -0,0 +1,52 @@
+From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001
+From: Bryan Mason <bmason@redhat.com>
+Date: Mon, 16 Sep 2019 12:35:06 -0700
+Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI
+
+CUPS sanitizes argv[0] by removing username/password, so use
+DEVICE_URI environment variable first.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128
+
+Signed-off-by: Bryan Mason <bmason@redhat.com>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184
+
+(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931)
+---
+ source3/client/smbspool.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index ad988eb0df9..36f7f67ca94 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -256,13 +256,15 @@ main(int argc, /* I - Number of command-line arguments */
+
+ /*
+ * Find the URI ...
+- */
+- if (dev_uri == NULL) {
+- env = getenv("DEVICE_URI");
+- if (env != NULL && env[0] != '\0') {
+- dev_uri = env;
+- }
+- }
++ *
++ * The URI in argv[0] is sanitized to remove username/password, so
++ * use DEVICE_URI if available. Otherwise keep the URI already
++ * discovered in argv.
++ */
++ env = getenv("DEVICE_URI");
++ if (env != NULL && env[0] != '\0') {
++ dev_uri = env;
++ }
+
+ if (dev_uri == NULL) {
+ fprintf(stderr,
+--
+2.23.0
+
diff --git a/SOURCES/samba-4.10-fix_spnego_downgrade.patch b/SOURCES/samba-4.10-fix_spnego_downgrade.patch
new file mode 100644
index 0000000..e762571
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_spnego_downgrade.patch
@@ -0,0 +1,160 @@
+From a8021d9515ecf75d52d038fe78f72da2c79731af Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 4 Sep 2019 16:31:21 +0300
+Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic
+ token
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/gensec/spnego.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index dc73e324d99..97472c26837 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -136,6 +136,7 @@ struct spnego_state {
+ bool done_mic_check;
+
+ bool simulate_w2k;
++ bool no_optimistic;
+
+ /*
+ * The following is used to implement
+@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
+
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
++ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
++ "spnego",
++ "client_no_optimistic",
++ false);
+
+ gensec_security->private_data = spnego_state;
+ return NT_STATUS_OK;
+@@ -1944,6 +1949,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ * blob and NT_STATUS_OK.
+ */
+ state->sub.status = NT_STATUS_OK;
++ } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
++ spnego_state->no_optimistic) {
++ /*
++ * Skip optimistic token per conf.
++ */
++ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED =>
+--
+2.21.0
+
+
+From aa379f36ac5feb718c924b030308a29769657f7b Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 4 Sep 2019 16:39:43 +0300
+Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/knownfail.d/spnego_no_optimistic | 1 +
+ source4/selftest/tests.py | 4 ++++
+ 2 files changed, 5 insertions(+)
+ create mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+new file mode 100644
+index 00000000000..54f51446be0
+--- /dev/null
++++ b/selftest/knownfail.d/spnego_no_optimistic
+@@ -0,0 +1 @@
++^samba4.smb.spnego.*.no_optimistic
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index 34ebe10cd79..d73d426ee3c 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -542,6 +542,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha
+ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon")
+ plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon")
+
++# Test SPNEGO without issuing an optimistic token
++opt='--option=spnego:client_no_optimistic=yes'
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic")
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic")
+
+ wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""]
+
+--
+2.21.0
+
+
+From 0119cf5a2888cd3d97927cb77872fbad82362020 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 4 Sep 2019 17:04:12 +0300
+Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
+---
+ auth/gensec/spnego.c | 13 +++++++++++++
+ selftest/knownfail.d/spnego_no_optimistic | 1 -
+ 4 files changed, 13 insertions(+), 4 deletions(-)
+ delete mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 97472c26837..ddbe03c5d6b 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -1321,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
+ spnego_state->mic_requested = true;
+ }
+
++ if (sub_in.length == 0) {
++ spnego_state->no_optimistic = true;
++ }
++
+ /*
+ * Note that 'cur_sec' is temporary memory, but
+ * cur_sec->oid points to a const string in the
+@@ -1955,6 +1959,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ * Skip optimistic token per conf.
+ */
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
++ state->sub.in.length == 0 && spnego_state->no_optimistic) {
++ /*
++ * If we didn't like the mechanism for which the client sent us
++ * an optimistic token, or if he didn't send any, don't call
++ * the sub mechanism just yet.
++ */
++ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++ spnego_state->no_optimistic = false;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED =>
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+deleted file mode 100644
+index 54f51446be0..00000000000
+--- a/selftest/knownfail.d/spnego_no_optimistic
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba4.smb.spnego.*.no_optimistic
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch b/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch
new file mode 100644
index 0000000..6f7ca74
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch
@@ -0,0 +1,48 @@
+From 2d783791856be182d420555d8df5e31768b0d7d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 12 Sep 2019 16:39:10 +0200
+Subject: [PATCH] s3-winbindd: fix forest trusts with additional trust
+ attributes.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14130
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit d78c87e665e23e6470a19a69383ede7137172c26)
+---
+ source3/winbindd/winbindd_ads.c | 2 +-
+ source3/winbindd/winbindd_util.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 5f20cfb7f76..485ca831be9 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -1457,7 +1457,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ */
+
+ if ((trust->trust_attributes
+- == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
++ & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
+ !domain->primary )
+ {
+ DEBUG(10,("trusted_domains: Skipping external trusted "
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index cc4c3f7391a..ee7651c9639 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -723,7 +723,7 @@ static void rescan_forest_trusts( void )
+
+ if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
+ (type == LSA_TRUST_TYPE_UPLEVEL) &&
+- (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
++ (attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
+ {
+ /* add the trusted domain if we don't know
+ about it */
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.9-fix_builtin_groups_creation.patch b/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
new file mode 100644
index 0000000..18aad34
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
@@ -0,0 +1,52 @@
+From 1e8931dfc24a2576a3b1fe9115c4ccbfefbbd298 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 19 Dec 2018 09:38:33 +0100
+Subject: [PATCH] s3:auth: ignore create_builtin_guests() failing without a
+ valid idmap configuration
+
+This happens on standalone servers, where winbindd is automatically
+started by init scripts if it's installed. But it's not really
+used and may not have a valid idmap configuration (
+"idmap config * : range" has no default!)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 865538fabaea33741f5fa542dbc3f2e08308c2c1)
+---
+ source3/auth/token_util.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
+index f5b0e6944335..ee38d6c9645b 100644
+--- a/source3/auth/token_util.c
++++ b/source3/auth/token_util.c
+@@ -745,7 +745,23 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
+ status = create_builtin_guests(domain_sid);
+ unbecome_root();
+
+- if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
++ /*
++ * NT_STATUS_PROTOCOL_UNREACHABLE:
++ * => winbindd is not running.
++ *
++ * NT_STATUS_ACCESS_DENIED:
++ * => no idmap config at all
++ * and wbint_AllocateGid()/winbind_allocate_gid()
++ * failed.
++ *
++ * NT_STATUS_NO_SUCH_GROUP:
++ * => no idmap config at all and
++ * "tdbsam:map builtin = no" means
++ * wbint_Sids2UnixIDs() fails.
++ */
++ if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
++ NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
++ NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
+ /*
+ * Add BUILTIN\Guests directly to token.
+ * But only if the token already indicates
+--
+2.17.1
+
diff --git a/SOURCES/samba-4.9-net_ads_join_createcomputer.patch b/SOURCES/samba-4.9-net_ads_join_createcomputer.patch
new file mode 100644
index 0000000..c196b55
--- /dev/null
+++ b/SOURCES/samba-4.9-net_ads_join_createcomputer.patch
@@ -0,0 +1,48 @@
+From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001
+From: Evgeny Sinelnikov <sin@altlinux.org>
+Date: Wed, 31 Jul 2019 23:17:20 +0400
+Subject: [PATCH] s3:ldap: Fix join with don't exists machine account
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add check for requested replies of existing machine object during join
+machine to domain. This solves regression fail during join with error:
+"None of the information to be translated has been translated."
+
+https://bugzilla.samba.org/show_bug.cgi?id=14007
+
+Reviewed-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Wed Sep 4 17:02:37 UTC 2019 on sn-devel-184
+---
+ source3/libads/ldap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 4f3d43b02b1..2110390b65f 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ }
+
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+- ads_msgfree(ads, res);
+- if (ADS_ERR_OK(ret)) {
++ if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
+ DBG_DEBUG("Host account for %s already exists.\n",
+ machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
++ ads_msgfree(ads, res);
+ goto done;
+ }
++ ads_msgfree(ads, res);
+
+ new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+--
+2.21.0
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 50ebc80..0543006 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
# ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering
-%define main_release 6
+%define main_release 10
%define samba_version 4.9.1
%define talloc_version 2.1.14
@@ -145,6 +145,11 @@ Patch14: samba-4.9-fix_net_ads_join_admin_otherdomain.patch
Patch15: samba-4.9-CVE-2019-3880.patch
Patch16: samba-4.9-fix_smbspool_krb5_auth.patch
Patch17: samba-4.9-fix_cups_printing.patch
+Patch18: samba-4.9-net_ads_join_createcomputer.patch
+Patch19: samba-4.10-fix_smbspool_username_passwd.patch
+Patch20: samba-4.9-fix_builtin_groups_creation.patch
+Patch21: samba-4.10-fix_winbind_trustdom_enum.patch
+Patch22: samba-4.10-fix_spnego_downgrade.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@@ -3240,6 +3245,21 @@ rm -rf %{buildroot}
%endif # with_clustering_support
%changelog
+* Mon Oct 21 2019 Isaac Boukris <iboukris@redhat.com> - 4.9.1.10
+- resolves: #1763650 - Fix spnego downgrade
+
+* Tue Oct 08 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-9
+- resolves: #1759445 - Fix trusted domain enumeration in windind caused
+ a Active Directory update
+
+* Tue Sep 24 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-8
+- resolves: #1754838 - Fix username/password auth with smbspool
+- resolves: #1754835 - Fix builtin groups creation.
+
+
+* Fri Sep 06 2019 Guenther Deschner <gdeschner@redhat.com> - 4.9.1-7
+- resolves: #1749300 - Fix 'net ads join createcomputer=<accountou>'
+
* Fri May 24 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-6
- related: #1703204 - Fix printing with smbspool as CUPS backend