diff --git a/SOURCES/CVE-2016-2119-v4-2.patch b/SOURCES/CVE-2016-2119-v4-2.patch
new file mode 100644
index 0000000..abf9c0d
--- /dev/null
+++ b/SOURCES/CVE-2016-2119-v4-2.patch
@@ -0,0 +1,124 @@
+From ec42fe46d4c126d9c2ebc20c1cb168ad5e06a21e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 20 Apr 2016 11:26:57 +0200
+Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if
+ we require signing
+
+Note real anonymous sessions (with "" as username) don't hit this
+as we don't even call smb2cli_session_set_session_key() in that case.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libcli/smb/smbXcli_base.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
+index b07fdad..6797207 100644
+--- a/libcli/smb/smbXcli_base.c
++++ b/libcli/smb/smbXcli_base.c
+@@ -4952,6 +4952,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
+ 		return false;
+ 	}
+ 
++	if (session->conn->mandatory_signing) {
++		return false;
++	}
++
+ 	if (session->conn->protocol >= PROTOCOL_SMB2_02) {
+ 		if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
+ 			return true;
+@@ -5177,7 +5181,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
+ 					 const struct iovec *recv_iov)
+ {
+ 	struct smbXcli_conn *conn = session->conn;
+-	uint16_t no_sign_flags;
++	uint16_t no_sign_flags = 0;
+ 	uint8_t session_key[16];
+ 	bool check_signature = true;
+ 	uint32_t hdr_flags;
+@@ -5191,7 +5195,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
+ 		return NT_STATUS_INVALID_PARAMETER_MIX;
+ 	}
+ 
+-	no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
++	if (!conn->mandatory_signing) {
++		/*
++		 * only allow guest sessions without
++		 * mandatory signing.
++		 *
++		 * If we try an authentication with username != ""
++		 * and the server let us in without verifying the
++		 * password we don't have a negotiated session key
++		 * for signing.
++		 */
++		no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
++	}
+ 
+ 	if (session->smb2->session_flags & no_sign_flags) {
+ 		session->smb2->should_sign = false;
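Review bot: `SMB2_SESSION_FLAG_IS_NULL` is removed from `no_sign_flags` on both paths here, not only when `conn->mandatory_signing` is set, and the new comment explains the guest case alone. The commit message says anonymous sessions never reach `smb2cli_session_set_session_key()`, so this looks deliberate, but the comment should record it, for example `* SMB2_SESSION_FLAG_IS_NULL is not exempted any more: anonymous sessions do not call this function.` The Subject lines of all three patches read CVE-2016-2019 while the file is named CVE-2016-2119, so a search of the history by CVE id will miss one or the other. The function body continues outside the hunk.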
+-- 
+1.9.1
+
+
+From c303bd4bdf6e3f89e6821abb13e3ef40164944f5 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 28 Apr 2016 02:36:35 +0200
+Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding
+ smbXcli_session_is_guest() with mandatory signing
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/cliconnect.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 420fe3c..3de3796 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -1606,6 +1606,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
+ 			 * have a negotiated session key.
+ 			 *
+ 			 * So just pretend we are completely done.
++			 *
++			 * Note that smbXcli_session_is_guest()
++			 * always returns false if we require signing.
+ 			 */
+ 			state->blob_in = data_blob_null;
+ 			state->local_ready = true;
+-- 
+1.9.1
+
+
+From fd0750e860b18b1182126dcf7ccc1f7dd38560ce Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 28 Apr 2016 02:24:52 +0200
+Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for
+ guest logins and mandatory signing
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/script/tests/test_smbclient_ntlm.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh
+index b8fc564..33a927f 100755
+--- a/source3/script/tests/test_smbclient_ntlm.sh
++++ b/source3/script/tests/test_smbclient_ntlm.sh
+@@ -37,4 +37,8 @@ else
+ 
+ 	testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
+ 	testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
++
++	testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
++	testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
++	testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
+ fi
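Review bot: The three `signfail` cases only assert a non-zero exit (as far as the name `testit_expect_failure` suggests), so they would also pass if smbclient failed for an unrelated reason such as an unreachable server. Checking the output for the expected status would tie them to the signing check. The commit message of patch 1/3 relies on anonymous sessions not being affected; a case with an empty username and `--signing=required` next to these would pin that behaviour, whichever outcome is intended. The `else` branch this hunk extends starts outside the hunk.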
+-- 
+1.9.1
+
diff --git a/SOURCES/samba-4.2.99-fix_idmap_hash_with_other_modules.path b/SOURCES/samba-4.2.99-fix_idmap_hash_with_other_modules.path
new file mode 100644
index 0000000..2bea56c
--- /dev/null
+++ b/SOURCES/samba-4.2.99-fix_idmap_hash_with_other_modules.path
@@ -0,0 +1,1130 @@
+From 8672b486a2c847361e0e157be19eb2143ac550ab Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Tue, 18 Aug 2015 13:18:33 +0200
+Subject: [PATCH 01/14] loadparm3: Add lp_wi_scan_global_parametrics()
+
+This routine takes a regex and goes through all parametric parameters
+in [global], matching the regex. It can easily be extended to also
+look at shares, but right now it will only be used to list all idmap
+config domain names.
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
+(cherry picked from commit 443dd9bbbc641ede10a2a3708465f61ea3dfbde3)
+---
+ source3/include/proto.h  |  9 ++++++
+ source3/param/loadparm.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 82 insertions(+)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index be90024..df7eecc 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -23,6 +23,9 @@
+ #ifndef _PROTO_H_
+ #define _PROTO_H_
+ 
++#include <sys/types.h>
++#include <regex.h>
++
+ /* The following definitions come from lib/access.c  */
+ 
+ bool client_match(const char *tok, const void *item);
+@@ -951,6 +954,12 @@ int lp_smb2_max_credits(void);
+ int lp_cups_encrypt(void);
+ bool lp_widelinks(int );
+ 
++int lp_wi_scan_global_parametrics(
++	const char *regex, size_t max_matches,
++	bool (*cb)(const char *string, regmatch_t matches[],
++		   void *private_data),
++	void *private_data);
++
+ char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def);
+ const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
+ struct loadparm_service;
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index e805fa4..9e56aca 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -1074,6 +1074,79 @@ static struct parmlist_entry *get_parametrics(int snum, const char *type,
+ 	}
+ }
+ 
++static void discard_whitespace(char *str)
++{
++	size_t len = strlen(str);
++	size_t i = 0;
++
++	while (i < len) {
++		if (isspace(str[i])) {
++			memmove(&str[i], &str[i+1], len-i);
++			len -= 1;
++			continue;
++		}
++		i += 1;
++	}
++}
++
++/**
++ * @brief Go through all global parametric parameters
++ *
++ * @param regex_str	A regular expression to scan param for
++ * @param max_matches   Max number of submatches the regexp expects
++ * @param cb		Function to call on match. Should return true
++ *                      when it wants wi_scan_global_parametrics to stop
++ *                      scanning
++ * @param private_data  Anonymous pointer passed to cb
++ *
++ * @return              0: success, regcomp/regexec return value on error.
++ *                      See "man regexec" for possible errors
++ */
++
++int lp_wi_scan_global_parametrics(
++	const char *regex_str, size_t max_matches,
++	bool (*cb)(const char *string, regmatch_t matches[],
++		   void *private_data),
++	void *private_data)
++{
++	struct parmlist_entry *data;
++	regex_t regex;
++	int ret;
++
++	ret = regcomp(&regex, regex_str, REG_ICASE);
++	if (ret != 0) {
++		return ret;
++	}
++
++	for (data = Globals.param_opt; data != NULL; data = data->next) {
++		size_t keylen = strlen(data->key);
++		char key[keylen+1];
++		regmatch_t matches[max_matches];
++		bool stop;
++
++		memcpy(key, data->key, sizeof(key));
++		discard_whitespace(key);
++
++		ret = regexec(&regex, key, max_matches, matches, 0);
++		if (ret == REG_NOMATCH) {
++			continue;
++		}
++		if (ret != 0) {
++			goto fail;
++		}
++
++		stop = cb(key, matches, private_data);
++		if (stop) {
++			break;
++		}
++	}
++
++	ret = 0;
++fail:
++	regfree(&regex);
++	return ret;
++}
++
+ 
+ #define MISSING_PARAMETER(name) \
+     DEBUG(0, ("%s(): value is NULL or empty!\n", #name))
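Review bot: `discard_whitespace()` passes a plain `char` to `isspace()`, which is undefined for negative values, so a configuration key with a byte above 0x7f can misbehave on platforms where `char` is signed; the call should be `if (isspace((unsigned char)str[i])) {`. In `lp_wi_scan_global_parametrics()` both `key[keylen+1]` and `matches[max_matches]` are variable-length arrays sized by the configuration and by the caller, and `max_matches == 0` makes the second one a zero-length VLA. A short comment on the function stating that `max_matches` must be at least 1 and that keys are assumed short would document the constraint; heap allocation would remove it.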
+-- 
+2.9.0
+
+
+From ef3701654107528530141bb9a66ee1209060f21c Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Thu, 22 Jan 2015 12:08:52 +0000
+Subject: [PATCH 02/14] winbind: Fix idmap initialization
+
+The fix is in the sscanf line: %u in the sscanf format mandates the use of
+a pointer to an "unsigned". idmap_domain->[low|high]_id are uint32_t. On
+little endian 64-bit this might at least put the correct values into
+low_id and high_id, but might overwrite the read_only bit set earlier,
+depending on structure alignment and packing. On big endian 64-bit,
+this will just fail.
+
+Automatic conversion to uint32_t will happen only at assignment, not
+when you take a pointer of such a thing.
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Thu Jan 22 17:58:16 CET 2015 on sn-devel-104
+
+(cherry picked from commit 63552f1c4c05a710143f12c2269754d0e547d945)
+---
+ source3/winbindd/idmap.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index a8beab7..841f710 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -172,6 +172,7 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
+ 	NTSTATUS status;
+ 	char *config_option = NULL;
+ 	const char *range;
++	unsigned low_id, high_id;
+ 
+ 	result = talloc_zero(mem_ctx, struct idmap_domain);
+ 	if (result == NULL) {
+@@ -230,23 +231,24 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
+ 				  result->name));
+ 			goto fail;
+ 		}
+-	} else if (sscanf(range, "%u - %u", &result->low_id,
+-			  &result->high_id) != 2)
++	} else if (sscanf(range, "%u - %u", &low_id, &high_id) != 2)
+ 	{
+ 		DEBUG(1, ("invalid range '%s' specified for domain "
+ 			  "'%s'\n", range, result->name));
+ 		if (check_range) {
+ 			goto fail;
+ 		}
+-	} else if (result->low_id > result->high_id) {
+-		DEBUG(1, ("Error: invalid idmap range detected: %lu - %lu\n",
+-			  (unsigned long)result->low_id,
+-			  (unsigned long)result->high_id));
++	} else if (low_id > high_id) {
++		DEBUG(1, ("Error: invalid idmap range detected: %u - %u\n",
++			  low_id, high_id));
+ 		if (check_range) {
+ 			goto fail;
+ 		}
+ 	}
+ 
++	result->low_id = low_id;
++	result->high_id = high_id;
++
+ 	status = result->methods->init(result);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(1, ("idmap initialization returned %s\n",
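Review bot: The new assignments `result->low_id = low_id; result->high_id = high_id;` run on every path that does not `goto fail`, including the `sscanf(...) != 2` branch when `check_range` is false. At this point in the series the locals are uninitialised there (patches 03/14 and 04/14 zero them), and even afterwards a partial parse leaves `low_id` set and `high_id` at 0, so an inverted range is stored without reaching the `low_id > high_id` check. Resetting both in the failure branch, `low_id = high_id = 0;`, keeps the stored range consistent. `%u` also accepts a leading minus sign, so a range check after parsing may be worth adding. The function body starts and ends outside the hunk.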
+-- 
+2.9.0
+
+
+From ad0688f0b2ed0e060fa2c5a612d10bf4daa2e9cf Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 4 Mar 2015 10:22:48 +0100
+Subject: [PATCH 03/14] winbind: Fix CID 1273295 Uninitialized scalar variable
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+(cherry picked from commit 25928b1bcc031469c5321ab283a8d0c32dde2f4f)
+---
+ source3/winbindd/idmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index 841f710..70f4e02 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -172,7 +172,8 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
+ 	NTSTATUS status;
+ 	char *config_option = NULL;
+ 	const char *range;
+-	unsigned low_id, high_id;
++	unsigned low_id = 0;
++	unsigned high_id;
+ 
+ 	result = talloc_zero(mem_ctx, struct idmap_domain);
+ 	if (result == NULL) {
+-- 
+2.9.0
+
+
+From 940b73398d1e8847504db4d989ee548966f1e9c5 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 4 Mar 2015 10:28:20 +0100
+Subject: [PATCH 04/14] winbind: Fix CID 1273294 Uninitialized scalar variable
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+(cherry picked from commit 8e195fb52ecfa3c263f68b74f989fb48a3c9116f)
+---
+ source3/winbindd/idmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index 70f4e02..1e2feb9 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -173,7 +173,7 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
+ 	char *config_option = NULL;
+ 	const char *range;
+ 	unsigned low_id = 0;
+-	unsigned high_id;
++	unsigned high_id = 0;
+ 
+ 	result = talloc_zero(mem_ctx, struct idmap_domain);
+ 	if (result == NULL) {
+-- 
+2.9.0
+
+
+From 461e69a3cb81247f0d514de865981ad56517d901 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Tue, 18 Aug 2015 16:58:02 +0200
+Subject: [PATCH 05/14] idmap: Move idmap_init() under the static vars
+
+Just moving code, idmap_init will need to reference the variables
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
+(cherry picked from commit d36de86639b7782e1e959d61917d8f19fdfc902c)
+---
+ source3/winbindd/idmap.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index 1e2feb9..0ba8fda 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -32,21 +32,6 @@
+ 
+ static_decl_idmap;
+ 
+-static void idmap_init(void)
+-{
+-	static bool initialized;
+-
+-	if (initialized) {
+-		return;
+-	}
+-
+-	DEBUG(10, ("idmap_init(): calling static_init_idmap\n"));
+-
+-	static_init_idmap;
+-
+-	initialized = true;
+-}
+-
+ /**
+  * Pointer to the backend methods. Modules register themselves here via
+  * smb_register_idmap.
+@@ -79,6 +64,21 @@ static struct idmap_domain *passdb_idmap_domain;
+ static struct idmap_domain **idmap_domains = NULL;
+ static int num_domains = 0;
+ 
++static void idmap_init(void)
++{
++	static bool initialized;
++
++	if (initialized) {
++		return;
++	}
++
++	DEBUG(10, ("idmap_init(): calling static_init_idmap\n"));
++
++	static_init_idmap;
++
++	initialized = true;
++}
++
+ static struct idmap_methods *get_methods(const char *name)
+ {
+ 	struct idmap_backend *b;
+-- 
+2.9.0
+
+
+From 5b3f88a29d5e9d6133f6a1e43e3db69dc6fdd1f2 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 19 Aug 2015 17:00:46 +0200
+Subject: [PATCH 06/14] idmap: Initialize all idmap domains at startup
+
+So far we have initialized idmap domains on demand indexed by name.
+For sid2xid this works okay, because we could do lookupsids before
+and thus get the name. For xid2sid this is more problematic. We
+have to rely on enumtrustdoms to work completely, and we have to
+look at the list of winbind domains in the parent to get the domain
+name. Relying on domain->have_idmap_config is not particularly nice.
+
+This patch re-works initialization of idmap domains by scanning all
+parametric parameters, scanning for :backend configuration settings.
+This way we get a complete list of :range definitions. This means
+we can rely on the idmap domain array to be complete. This in turn
+means we can live without the domain name to find a domain, we can
+do a range search by uid or gid.
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
+(cherry picked from commit ef0c91195533d95ba4fb7947ff5f69c20aa677b8)
+---
+ source3/winbindd/idmap.c | 199 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 109 insertions(+), 90 deletions(-)
+
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index 0ba8fda..40d87a7 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -64,12 +64,22 @@ static struct idmap_domain *passdb_idmap_domain;
+ static struct idmap_domain **idmap_domains = NULL;
+ static int num_domains = 0;
+ 
+-static void idmap_init(void)
++static struct idmap_domain *idmap_init_named_domain(TALLOC_CTX *mem_ctx,
++						    const char *domname);
++static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
++					      const char *domainname,
++					      const char *modulename,
++					      bool check_range);
++static bool idmap_found_domain_backend(
++	const char *string, regmatch_t matches[], void *private_data);
++
++static bool idmap_init(void)
+ {
+ 	static bool initialized;
++	int ret;
+ 
+ 	if (initialized) {
+-		return;
++		return true;
+ 	}
+ 
+ 	DEBUG(10, ("idmap_init(): calling static_init_idmap\n"));
+@@ -77,6 +87,80 @@ static void idmap_init(void)
+ 	static_init_idmap;
+ 
+ 	initialized = true;
++
++	if (!pdb_is_responsible_for_everything_else()) {
++		default_idmap_domain = idmap_init_named_domain(NULL, "*");
++		if (default_idmap_domain == NULL) {
++			return false;
++		}
++	}
++
++	passdb_idmap_domain = idmap_init_domain(
++		NULL, get_global_sam_name(), "passdb", false);
++	if (passdb_idmap_domain == NULL) {
++		TALLOC_FREE(default_idmap_domain);
++		return false;
++	}
++
++	idmap_domains = talloc_array(NULL, struct idmap_domain *, 0);
++	if (idmap_domains == NULL) {
++		TALLOC_FREE(passdb_idmap_domain);
++		TALLOC_FREE(default_idmap_domain);
++		return false;
++	}
++
++	ret = lp_wi_scan_global_parametrics(
++		"idmapconfig\\(.*\\):backend", 2,
++		idmap_found_domain_backend, NULL);
++	if (ret != 0) {
++		DEBUG(5, ("wi_scan_global_parametrics returned %d\n", ret));
++		return false;
++	}
++
++	return true;
++}
++
++static bool idmap_found_domain_backend(
++	const char *string, regmatch_t matches[], void *private_data)
++{
++	if (matches[1].rm_so == -1) {
++		DEBUG(5, ("Found match, but no name??\n"));
++		return false;
++	}
++
++	{
++		struct idmap_domain *dom, **tmp;
++		regoff_t len = matches[1].rm_eo - matches[1].rm_so;
++		char domname[len+1];
++
++		memcpy(domname, string + matches[1].rm_so, len);
++		domname[len] = '\0';
++
++		DEBUG(7, ("Found idmap domain \"%s\"\n", domname));
++
++		if (strcmp(domname, "*") == 0) {
++			return false;
++		}
++
++		dom = idmap_init_named_domain(idmap_domains, domname);
++		if (dom == NULL) {
++			DEBUG(3, ("Could not init idmap domain %s\n",
++				  domname));
++		}
++
++		tmp = talloc_realloc(idmap_domains, idmap_domains,
++				     struct idmap_domain *, num_domains + 1);
++		if (tmp == NULL) {
++			DEBUG(1, ("talloc_realloc failed\n"));
++			TALLOC_FREE(dom);
++			return false;
++		}
++		idmap_domains = tmp;
++		idmap_domains[num_domains] = dom;
++		num_domains += 1;
++	}
++
++	return false;
+ }
+ 
+ static struct idmap_methods *get_methods(const char *name)
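Review bot: `idmap_init()` reports success on every call after a failed first call, because `initialized` is set before the fallible steps and the early exit returns `true` unconditionally. The flag has to be set early, since `idmap_init_named_domain()` re-enters `idmap_init()`, so the fix is to record the outcome separately and return it from the early exit. Within the visible part of the series the callers then continue with `default_idmap_domain`, `passdb_idmap_domain` and `idmap_domains` possibly NULL. The `lp_wi_scan_global_parametrics()` failure path also leaves the already allocated domains in place, which is harmless only if the result is remembered as failed.

```c
static bool idmap_init(void)
{
	static bool initialized;
	/* stays true while initialisation runs, so re-entrant calls proceed */
	static bool init_ok = true;
	/* … unchanged: int ret … */

	if (initialized) {
		return init_ok;
	}
	/* … unchanged: static_init_idmap, initialized = true … */

		if (default_idmap_domain == NULL) {
			init_ok = false;
			return false;
		}
	/* … unchanged apart from the same `init_ok = false;` before each remaining `return false;` … */
```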
+@@ -280,8 +364,12 @@ static struct idmap_domain *idmap_init_named_domain(TALLOC_CTX *mem_ctx,
+ 	struct idmap_domain *result = NULL;
+ 	char *config_option;
+ 	const char *backend;
++	bool ok;
+ 
+-	idmap_init();
++	ok = idmap_init();
++	if (!ok) {
++		return NULL;
++	}
+ 
+ 	config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
+ 					domname);
+@@ -312,57 +400,6 @@ fail:
+ }
+ 
+ /**
+- * Initialize the default domain structure
+- * @param[in] mem_ctx		memory context for the result
+- * @result The default domain structure
+- *
+- * This routine takes the module name from the "idmap backend" parameter,
+- * passing a possible parameter like ldap:ldap://ldap-url/ to the module.
+- */
+-
+-static struct idmap_domain *idmap_init_default_domain(TALLOC_CTX *mem_ctx)
+-{
+-	return idmap_init_named_domain(mem_ctx, "*");
+-}
+-
+-/**
+- * Initialize the passdb domain structure
+- * @param[in] mem_ctx		memory context for the result
+- * @result The default domain structure
+- *
+- * No config, passdb has its own configuration.
+- */
+-
+-static struct idmap_domain *idmap_passdb_domain(TALLOC_CTX *mem_ctx)
+-{
+-	idmap_init();
+-
+-	if (!pdb_is_responsible_for_everything_else()) {
+-		/*
+-		 * Always init the default domain, we can't go without one
+-		 */
+-		if (default_idmap_domain == NULL) {
+-			default_idmap_domain = idmap_init_default_domain(NULL);
+-		}
+-		if (default_idmap_domain == NULL) {
+-			return NULL;
+-		}
+-	}
+-
+-	if (passdb_idmap_domain != NULL) {
+-		return passdb_idmap_domain;
+-	}
+-
+-	passdb_idmap_domain = idmap_init_domain(mem_ctx, get_global_sam_name(),
+-						"passdb", false);
+-	if (passdb_idmap_domain == NULL) {
+-		DEBUG(1, ("Could not init passdb idmap domain\n"));
+-	}
+-
+-	return passdb_idmap_domain;
+-}
+-
+-/**
+  * Find a domain struct according to a domain name
+  * @param[in] domname		Domain name to get the config for
+  * @result The default domain structure that fits
+@@ -379,21 +416,14 @@ static struct idmap_domain *idmap_passdb_domain(TALLOC_CTX *mem_ctx)
+ 
+ static struct idmap_domain *idmap_find_domain(const char *domname)
+ {
+-	struct idmap_domain *result;
++	bool ok;
+ 	int i;
+ 
+ 	DEBUG(10, ("idmap_find_domain called for domain '%s'\n",
+ 		   domname?domname:"NULL"));
+ 
+-	idmap_init();
+-
+-	/*
+-	 * Always init the default domain, we can't go without one
+-	 */
+-	if (default_idmap_domain == NULL) {
+-		default_idmap_domain = idmap_init_default_domain(NULL);
+-	}
+-	if (default_idmap_domain == NULL) {
++	ok = idmap_init();
++	if (!ok) {
+ 		return NULL;
+ 	}
+ 
+@@ -407,38 +437,21 @@ static struct idmap_domain *idmap_find_domain(const char *domname)
+ 		}
+ 	}
+ 
+-	if (idmap_domains == NULL) {
+-		/*
+-		 * talloc context for all idmap domains
+-		 */
+-		idmap_domains = talloc_array(NULL, struct idmap_domain *, 1);
+-	}
+-
+-	if (idmap_domains == NULL) {
+-		DEBUG(0, ("talloc failed\n"));
+-		return NULL;
+-	}
+-
+-	result = idmap_init_named_domain(idmap_domains, domname);
+-	if (result == NULL) {
+-		/*
+-		 * Could not init that domain -- try the default one
+-		 */
+-		return default_idmap_domain;
+-	}
+-
+-	ADD_TO_ARRAY(idmap_domains, struct idmap_domain *, result,
+-		     &idmap_domains, &num_domains);
+-	return result;
++	return default_idmap_domain;
+ }
+ 
+ struct idmap_domain *idmap_find_domain_with_sid(const char *domname,
+ 						const struct dom_sid *sid)
+ {
+-	idmap_init();
++	bool ok;
++
++	ok = idmap_init();
++	if (!ok) {
++		return NULL;
++	}
+ 
+ 	if (sid_check_is_for_passdb(sid)) {
+-		return idmap_passdb_domain(NULL);
++		return passdb_idmap_domain;
+ 	}
+ 
+ 	return idmap_find_domain(domname);
+@@ -493,6 +506,12 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id)
+ {
+ 	struct idmap_domain *dom;
+ 	struct id_map *maps[2];
++	bool ok;
++
++	ok = idmap_init();
++	if (!ok) {
++		return NT_STATUS_NONE_MAPPED;
++	}
+ 
+ 	 DEBUG(10, ("idmap_backend_unixid_to_sid: domain = '%s', xid = %d "
+ 		    "(type %d)\n",
+@@ -505,7 +524,7 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id)
+ 	 * Always give passdb a chance first
+ 	 */
+ 
+-	dom = idmap_passdb_domain(NULL);
++	dom = passdb_idmap_domain;
+ 	if ((dom != NULL)
+ 	    && NT_STATUS_IS_OK(dom->methods->unixids_to_sids(dom, maps))
+ 	    && id->status == ID_MAPPED) {
+-- 
+2.9.0
+
+
+From 808cde4e8490af596ec2c6d1df3a24c4e2b719cb Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Tue, 18 Aug 2015 17:30:27 +0200
+Subject: [PATCH 07/14] idmap: Use a range search in
+ idmap_backends_unixid_to_sid
+
+This obsoletes the domain name in the xid2sid calls
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
+(cherry picked from commit ad626b9e6b3c200c70b0d840c956f7b6fff20660)
+---
+ source3/winbindd/idmap.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index 40d87a7..aff5792 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -507,6 +507,7 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id)
+ 	struct idmap_domain *dom;
+ 	struct id_map *maps[2];
+ 	bool ok;
++	int i;
+ 
+ 	ok = idmap_init();
+ 	if (!ok) {
+@@ -531,7 +532,16 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id)
+ 		return NT_STATUS_OK;
+ 	}
+ 
+-	dom = idmap_find_domain(domname);
++	dom = default_idmap_domain;
++
++	for (i=0; i<num_domains; i++) {
++		if ((id->xid.id >= idmap_domains[i]->low_id) &&
++		    (id->xid.id <= idmap_domains[i]->high_id)) {
++			dom = idmap_domains[i];
++			break;
++		}
++	}
++
+ 	if (dom == NULL) {
+ 		return NT_STATUS_NONE_MAPPED;
+ 	}
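Review bot: The range search takes the first entry of `idmap_domains` whose `low_id`–`high_id` contains the id, so with overlapping ranges the owning domain depends on the order in which the configuration was scanned, and nothing in the visible hunks rejects overlapping ranges at start-up. Since the chosen domain decides which SID a uid or gid maps to, that assumption deserves a comment above the loop, for example `/* first match wins; ranges of different domains are assumed not to overlap */`, or a check when the domains are registered. At this point in the series `idmap_domains[i]` can still be NULL when a domain failed to initialise; patch 08/14 closes that by returning early in `idmap_found_domain_backend()`. The function body starts and ends outside the hunk.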
+-- 
+2.9.0
+
+
+From ebc02665c40d38fca33df001a4f660a18719e33b Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Tue, 18 Aug 2015 17:34:29 +0200
+Subject: [PATCH 08/14] idmap: Remove "domname" from
+ idmap_backends_unixid_to_sid
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464
+(cherry picked from commit ac4cc243771fc3273872547087679db21c9bb1cb)
+---
+ source3/torture/test_idmap_tdb_common.c | 2 +-
+ source3/winbindd/idmap.c                | 8 ++++----
+ source3/winbindd/idmap_proto.h          | 3 +--
+ source3/winbindd/idmap_util.c           | 4 ++--
+ 4 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
+index f7262a2..dd736ad 100644
+--- a/source3/torture/test_idmap_tdb_common.c
++++ b/source3/torture/test_idmap_tdb_common.c
+@@ -62,7 +62,7 @@ bool idmap_is_online(void)
+ 	return true;
+ }
+ 
+-NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id)
++NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id)
+ {
+ 	return NT_STATUS_OK;
+ }
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index aff5792..56ebf21 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -146,6 +146,7 @@ static bool idmap_found_domain_backend(
+ 		if (dom == NULL) {
+ 			DEBUG(3, ("Could not init idmap domain %s\n",
+ 				  domname));
++			return false;
+ 		}
+ 
+ 		tmp = talloc_realloc(idmap_domains, idmap_domains,
+@@ -502,7 +503,7 @@ NTSTATUS idmap_allocate_gid(struct unixid *id)
+ 	return idmap_allocate_unixid(id);
+ }
+ 
+-NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id)
++NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id)
+ {
+ 	struct idmap_domain *dom;
+ 	struct id_map *maps[2];
+@@ -514,9 +515,8 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id)
+ 		return NT_STATUS_NONE_MAPPED;
+ 	}
+ 
+-	 DEBUG(10, ("idmap_backend_unixid_to_sid: domain = '%s', xid = %d "
+-		    "(type %d)\n",
+-		    domname?domname:"NULL", id->xid.id, id->xid.type));
++	DEBUG(10, ("idmap_backend_unixid_to_sid: xid = %d (type %d)\n",
++		   id->xid.id, id->xid.type));
+ 
+ 	maps[0] = id;
+ 	maps[1] = NULL;
+diff --git a/source3/winbindd/idmap_proto.h b/source3/winbindd/idmap_proto.h
+index f7af8ed..159aac6 100644
+--- a/source3/winbindd/idmap_proto.h
++++ b/source3/winbindd/idmap_proto.h
+@@ -34,8 +34,7 @@ NTSTATUS smb_register_idmap(int version, const char *name,
+ void idmap_close(void);
+ NTSTATUS idmap_allocate_uid(struct unixid *id);
+ NTSTATUS idmap_allocate_gid(struct unixid *id);
+-NTSTATUS idmap_backends_unixid_to_sid(const char *domname,
+-				      struct id_map *id);
++NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id);
+ 
+ /* The following definitions come from winbindd/idmap_nss.c  */
+ 
+diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c
+index e671acf..08857ab 100644
+--- a/source3/winbindd/idmap_util.c
++++ b/source3/winbindd/idmap_util.c
+@@ -66,7 +66,7 @@ backend:
+ 	map.xid.type = ID_TYPE_UID;
+ 	map.xid.id = uid;
+ 
+-	ret = idmap_backends_unixid_to_sid(domname, &map);
++	ret = idmap_backends_unixid_to_sid(&map);
+ 	if ( ! NT_STATUS_IS_OK(ret)) {
+ 		DEBUG(10, ("error mapping uid [%lu]: %s\n", (unsigned long)uid,
+ 			   nt_errstr(ret)));
+@@ -130,7 +130,7 @@ backend:
+ 	map.xid.type = ID_TYPE_GID;
+ 	map.xid.id = gid;
+ 
+-	ret = idmap_backends_unixid_to_sid(domname, &map);
++	ret = idmap_backends_unixid_to_sid(&map);
+ 	if ( ! NT_STATUS_IS_OK(ret)) {
+ 		DEBUG(10, ("error mapping gid [%lu]: %s\n", (unsigned long)gid,
+ 			   nt_errstr(ret)));
+-- 
+2.9.0
+
+
+From e7ca0730e3b3ba4eaa447b1ff487377978c70e64 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Thu, 10 Mar 2016 10:38:29 +0100
+Subject: [PATCH 09/14] s3:winbindd:idmap: add domain_has_idmap_config() helper
+ function.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit fb80e1158bb1a14f2602e65464909a213296cde1)
+---
+ source3/winbindd/idmap.c          | 15 +++++++++++++++
+ source3/winbindd/winbindd_proto.h |  1 +
+ 2 files changed, 16 insertions(+)
+
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index 56ebf21..7a96b92 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -120,6 +120,21 @@ static bool idmap_init(void)
+ 	return true;
+ }
+ 
++bool domain_has_idmap_config(const char *domname)
++{
++	int i;
++
++	idmap_init();
++
++	for (i=0; i<num_domains; i++) {
++		if (strequal(idmap_domains[i]->name, domname)) {
++			return true;
++		}
++	}
++
++	return false;
++}
++
+ static bool idmap_found_domain_backend(
+ 	const char *string, regmatch_t matches[], void *private_data)
+ {
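Review bot: `domain_has_idmap_config()` ignores the result of `idmap_init()`, so when initialisation fails the domain list can be empty or incomplete and the function answers `false`, meaning "no configuration", for domains that do have one. Patch 10/14 uses that answer to decide whether idmap_hash may map a domain, so the failure case falls back to the behaviour that patch calls dangerous. Logging the failure and answering conservatively, e.g. `if (!idmap_init()) { return true; }`, would fail closed; whether that is acceptable for other callers cannot be judged from this page. Patch 11/14 extends this function with a loadparm lookup whose body is cut off here and may already cover the case.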
+diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
+index 42fffc0..85aee5b 100644
+--- a/source3/winbindd/winbindd_proto.h
++++ b/source3/winbindd/winbindd_proto.h
+@@ -339,6 +339,7 @@ void init_idmap_child(void);
+ struct winbindd_child *idmap_child(void);
+ struct idmap_domain *idmap_find_domain_with_sid(const char *domname,
+ 						const struct dom_sid *sid);
++bool domain_has_idmap_config(const char *domname);
+ 
+ /* The following definitions come from winbindd/winbindd_locator.c  */
+ 
+-- 
+2.9.0
+
+
+From d58905a6113fc0dc1e5cccb91568a550ee953999 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 10 Mar 2016 10:39:15 +0100
+Subject: [PATCH 10/14] s3:winbindd:idmap_hash: skip domains that already have
+ their own idmap configuration.
+
+Check if the domain from the list is not already configured to use another idmap
+backend. Not checking this makes the idmap_hash module map IDs for *all* domains
+implicitly. This is quite dangeorous in multi-idmap-config setups.
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
+
+Pair-Programmed-With: Michael Adam <obnox@samba.org>
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 55be1ee69743c94d33f4244ade848517fc98e264)
+---
+ source3/winbindd/idmap_hash/idmap_hash.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c
+index 1dbd300..f77ee3b 100644
+--- a/source3/winbindd/idmap_hash/idmap_hash.c
++++ b/source3/winbindd/idmap_hash/idmap_hash.c
+@@ -137,6 +137,19 @@ static NTSTATUS be_init(struct idmap_domain *dom)
+ 
+ 		if (is_null_sid(&dom_list[i].sid))
+ 			continue;
++
++		/*
++		 * Check if the domain from the list is not already configured
++		 * to use another idmap backend. Not checking this makes the
++		 * idmap_hash module map IDs for *all* domains implicitly.  This
++		 * is quite dangerous in setups that use multiple idmap
++		 * configurations.
++		 */
++
++		if (domain_has_idmap_config(dom_list[i].domain_name)) {
++			continue;
++		}
++
+ 		if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0)
+ 			continue;
+ 
+-- 
+2.9.0
+
+
+From 87079a86d35e298a7ec8a4476c5ff15c4c12d7ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 10 Mar 2016 12:21:52 +0100
+Subject: [PATCH 11/14] s3:winbindd:idmap: check loadparm in
+ domain_has_idmap_config() helper as well.
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
+
+Pair-Programmed-With: Michael Adam <obnox@samba.org>
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 4632ad98c4af5a4e0a2723c0cf716439e376e61f)
+---
+ source3/winbindd/idmap.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index 7a96b92..f716b6d 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -123,6 +123,9 @@ static bool idmap_init(void)
+ bool domain_has_idmap_config(const char *domname)
+ {
+ 	int i;
++	char *config_option;
++	const char *range = NULL;
++	const char *backend = NULL;
+ 
+ 	idmap_init();
+ 
+@@ -132,6 +135,25 @@ bool domain_has_idmap_config(const char *domname)
+ 		}
+ 	}
+ 
++	/* fallback: also check loadparm */
++
++	config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
++					domname);
++	if (config_option == NULL) {
++		DEBUG(0, ("out of memory\n"));
++		return false;
++	}
++
++	range = lp_parm_const_string(-1, config_option, "range", NULL);
++	backend = lp_parm_const_string(-1, config_option, "backend", NULL);
++	if (range != NULL && backend != NULL) {
++		DEBUG(5, ("idmap configuration specified for domain '%s'\n",
++			domname));
++		TALLOC_FREE(config_option);
++		return true;
++	}
++
++	TALLOC_FREE(config_option);
+ 	return false;
+ }
+ 
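Review bot: The loadparm fallback reports "no idmap config" when `talloc_asprintf()` fails, which is the same answer it gives for a domain that really has none. The caller added in PATCH 10/14 treats `false` as the signal to let idmap_hash map the domain, so a failed check falls through to the implicit mapping this series is meant to prevent. The `if (!ok) return false;` path added in PATCH 14/14 (hunk `@@ -126,8 +126,12 @@`) has the same shape. Because the `bool` return cannot carry an error, either document this above the function, e.g. `/* Returns false both when no config exists and when the check itself failed. */`, or return `true` on those error paths if skipping the domain is the safer outcome for callers. The function starts outside this hunk.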
+-- 
+2.9.0
+
+
+From d80f66cf98e47a7a8dfc8dd27c8c36529e36d235 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Mon, 14 Mar 2016 17:06:34 +0100
+Subject: [PATCH 12/14] idmap_hash: rename be_init() -->
+ idmap_hash_initialize()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 4172491cbe7bb8ad2a7089efe15fbe46fcc123fb)
+---
+ source3/winbindd/idmap_hash/idmap_hash.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c
+index f77ee3b..773d5a9 100644
+--- a/source3/winbindd/idmap_hash/idmap_hash.c
++++ b/source3/winbindd/idmap_hash/idmap_hash.c
+@@ -104,7 +104,7 @@ static void separate_hashes(uint32_t id,
+ /*********************************************************************
+  ********************************************************************/
+ 
+-static NTSTATUS be_init(struct idmap_domain *dom)
++static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom)
+ {
+ 	struct sid_hash_table *hashed_domains;
+ 	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+@@ -153,10 +153,10 @@ static NTSTATUS be_init(struct idmap_domain *dom)
+ 		if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0)
+ 			continue;
+ 
+-		DEBUG(5,("hash:be_init() Adding %s (%s) -> %d\n",
+-			 dom_list[i].domain_name,
+-			 sid_string_dbg(&dom_list[i].sid),
+-			 hash));
++		DEBUG(3, ("Adding %s (%s) -> %d\n",
++			  dom_list[i].domain_name,
++			  sid_string_dbg(&dom_list[i].sid),
++			  hash));
+ 
+ 		hashed_domains[hash].sid = talloc(hashed_domains, struct dom_sid);
+ 		sid_copy(hashed_domains[hash].sid, &dom_list[i].sid);
+@@ -189,7 +189,7 @@ static NTSTATUS unixids_to_sids(struct idmap_domain *dom,
+ 		ids[i]->status = ID_UNKNOWN;
+ 	}
+ 
+-	nt_status = be_init(dom);
++	nt_status = idmap_hash_initialize(dom);
+ 	BAIL_ON_NTSTATUS_ERROR(nt_status);
+ 
+ 	for (i=0; ids[i]; i++) {
+@@ -239,7 +239,7 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom,
+ 		ids[i]->status = ID_UNKNOWN;
+ 	}
+ 
+-	nt_status = be_init(dom);
++	nt_status = idmap_hash_initialize(dom);
+ 	BAIL_ON_NTSTATUS_ERROR(nt_status);
+ 
+ 	for (i=0; ids[i]; i++) {
+@@ -360,7 +360,7 @@ static NTSTATUS nss_hash_close(void)
+ ********************************************************************/
+ 
+ static struct idmap_methods hash_idmap_methods = {
+-	.init            = be_init,
++	.init            = idmap_hash_initialize,
+ 	.unixids_to_sids = unixids_to_sids,
+ 	.sids_to_unixids = sids_to_unixids,
+ };
+-- 
+2.9.0
+
+
+From e4216d31e54d9936b021bf57fbaeddfcd8731995 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Mon, 14 Mar 2016 17:07:34 +0100
+Subject: [PATCH 13/14] idmap_hash: only allow the hash module for default
+ idmap config.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786
+
+This module only makes sense as the default idmap config
+("idmap config * : backend = hash" ...)
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit a16379c585a6f6e9470a8745b6043be8171eb615)
+---
+ source3/winbindd/idmap_hash/idmap_hash.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c
+index 773d5a9..b3aab86 100644
+--- a/source3/winbindd/idmap_hash/idmap_hash.c
++++ b/source3/winbindd/idmap_hash/idmap_hash.c
+@@ -112,6 +112,13 @@ static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom)
+ 	size_t num_domains = 0;
+ 	int i;
+ 
++	if (!strequal(dom->name, "*")) {
++		DEBUG(0, ("Error: idmap_hash configured for domain '%s'. "
++			  "But the hash module can only be used for the default "
++			  "idmap configuration.\n", dom->name));
++		return NT_STATUS_INVALID_PARAMETER;
++	}
++
+ 	/* If the domain SID hash table has been initialized, assume
+ 	   that we completed this function previously */
+ 
+-- 
+2.9.0
+
+
+From 11a3354fcd7ff4bf6cd2cdb18e05b12c1ebc6cfd Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Tue, 22 Mar 2016 11:24:23 +0100
+Subject: [PATCH 14/14] winbind: Fix CID 1357100 Unchecked return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Tue Mar 22 15:49:14 CET 2016 on sn-devel-144
+
+(cherry picked from commit 5291462bd8a683b2d21b5f21ad73f84939aa2d67)
+---
+ source3/winbindd/idmap.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
+index f716b6d..158fa81 100644
+--- a/source3/winbindd/idmap.c
++++ b/source3/winbindd/idmap.c
+@@ -126,8 +126,12 @@ bool domain_has_idmap_config(const char *domname)
+ 	char *config_option;
+ 	const char *range = NULL;
+ 	const char *backend = NULL;
++	bool ok;
+ 
+-	idmap_init();
++	ok = idmap_init();
++	if (!ok) {
++		return false;
++	}
+ 
+ 	for (i=0; i<num_domains; i++) {
+ 		if (strequal(idmap_domains[i]->name, domname)) {
+-- 
+2.9.0
+
diff --git a/SOURCES/samba-4.2.99-net_ads_join_fix_keytab_generation.patch b/SOURCES/samba-4.2.99-net_ads_join_fix_keytab_generation.patch
new file mode 100644
index 0000000..1115cee
--- /dev/null
+++ b/SOURCES/samba-4.2.99-net_ads_join_fix_keytab_generation.patch
@@ -0,0 +1,1009 @@
+From 203193d5b167b5d24911d0438eda65f05eec2b31 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 22 Jan 2016 09:57:04 +0100
+Subject: [PATCH 01/11] s3:libads: setup the msDS-SupportedEncryptionTypes
+ attribute on ldap_add
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We may not have the permission to modify the object after creation.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Björn Jacke <bj@sernet.de>
+Reviewed-by: Günther Deschner <gd@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Fri Feb 26 11:30:03 CET 2016 on sn-devel-144
+---
+ source3/libads/ldap.c        | 26 ++++++++++++++++++
+ source3/libnet/libnet_join.c | 65 --------------------------------------------
+ 2 files changed, 26 insertions(+), 65 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 121ba08..125c9d7 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -29,6 +29,7 @@
+ #include "../libds/common/flags.h"
+ #include "smbldap.h"
+ #include "../libcli/security/security.h"
++#include "../librpc/gen_ndr/netlogon.h"
+ #include "lib/param/loadparm.h"
+ 
+ #ifdef HAVE_LDAP
+@@ -2006,6 +2007,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+ 	uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
+ 	                        UF_DONT_EXPIRE_PASSWD |\
+ 			        UF_ACCOUNTDISABLE );
++	uint32_t func_level = 0;
++
++	ret = ads_domain_func_level(ads, &func_level);
++	if (!ADS_ERR_OK(ret)) {
++		return ret;
++	}
+ 
+ 	if (!(ctx = talloc_init("ads_add_machine_acct")))
+ 		return ADS_ERROR(LDAP_NO_MEMORY);
+@@ -2041,6 +2048,25 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+ 	ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+ 	ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+ 
++	if (func_level >= DS_DOMAIN_FUNCTION_2008) {
++		uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
++		const char *etype_list_str;
++
++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
++		etype_list |= ENC_HMAC_SHA1_96_AES128;
++#endif
++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
++		etype_list |= ENC_HMAC_SHA1_96_AES256;
++#endif
++
++		etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
++		if (etype_list_str == NULL) {
++			goto done;
++		}
++		ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
++			    etype_list_str);
++	}
++
+ 	ret = ads_gen_add(ads, new_dn, mods);
+ 
+ done:
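Review bot: `etype_list` starts from `ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5`, so the DES and RC4 bits are always written to `msDS-SupportedEncryptionTypes`, while the AES bits are added only when the `HAVE_ENCTYPE_*` macros are defined at build time. The mask is carried over from the removed `libnet_join_set_etypes()`, but it is now fixed at account creation, and on a build without the AES macros the account would advertise only the legacy types. A comment at the declaration would make that visible, e.g. `/* NOTE: DES (CRC32, RSA_MD5) and RC4 are always advertised; AES only if the build has it */`. The return value of the new `ads_mod_str()` call is ignored, which matches the two calls above it but means a failed attribute add goes unnoticed. `ads_create_machine_acct()` starts and ends outside this hunk.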
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index d7c7679..5564bd2 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -605,52 +605,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
+ /****************************************************************
+ ****************************************************************/
+ 
+-static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+-					 struct libnet_JoinCtx *r)
+-{
+-	ADS_STATUS status;
+-	ADS_MODLIST mods;
+-	uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+-	const char *etype_list_str;
+-
+-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+-	etype_list |= ENC_HMAC_SHA1_96_AES128;
+-#endif
+-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+-	etype_list |= ENC_HMAC_SHA1_96_AES256;
+-#endif
+-
+-	etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
+-	if (!etype_list_str) {
+-		return ADS_ERROR(LDAP_NO_MEMORY);
+-	}
+-
+-	/* Find our DN */
+-
+-	status = libnet_join_find_machine_acct(mem_ctx, r);
+-	if (!ADS_ERR_OK(status)) {
+-		return status;
+-	}
+-
+-	/* now do the mods */
+-
+-	mods = ads_init_mods(mem_ctx);
+-	if (!mods) {
+-		return ADS_ERROR(LDAP_NO_MEMORY);
+-	}
+-
+-	status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
+-			     etype_list_str);
+-	if (!ADS_ERR_OK(status)) {
+-		return status;
+-	}
+-
+-	return ads_gen_mod(r->in.ads, r->out.dn, mods);
+-}
+-
+-/****************************************************************
+-****************************************************************/
+-
+ static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
+ 				      struct libnet_JoinCtx *r)
+ {
+@@ -725,7 +679,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
+ 						  struct libnet_JoinCtx *r)
+ {
+ 	ADS_STATUS status;
+-	uint32_t func_level = 0;
+ 
+ 	if (!r->in.ads) {
+ 		status = libnet_join_connect_ads(mem_ctx, r);
+@@ -760,24 +713,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
+ 		return status;
+ 	}
+ 
+-	status = ads_domain_func_level(r->in.ads, &func_level);
+-	if (!ADS_ERR_OK(status)) {
+-		libnet_join_set_error_string(mem_ctx, r,
+-			"failed to query domain controller functional level: %s",
+-			ads_errstr(status));
+-		return status;
+-	}
+-
+-	if (func_level >= DS_DOMAIN_FUNCTION_2008) {
+-		status = libnet_join_set_etypes(mem_ctx, r);
+-		if (!ADS_ERR_OK(status)) {
+-			libnet_join_set_error_string(mem_ctx, r,
+-				"failed to set machine kerberos encryption types: %s",
+-				ads_errstr(status));
+-			return status;
+-		}
+-	}
+-
+ 	if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
+ 		return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ 	}
+-- 
+2.9.0
+
+
+From 3b269e29a5b91723749d16685782c5c590fda424 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 11 Mar 2016 23:14:13 +0100
+Subject: [PATCH 02/11] Partly revert "s3:libads: setup the
+ msDS-SupportedEncryptionTypes attribute on ldap_add"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This partly reverts commit 0c74d62524db376b6a3fac00c688be0cdffcaa80.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 6686f67d2a91146c8bb2fb2a8104fcaa5710b855)
+---
+ source3/libnet/libnet_join.c | 46 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 5564bd2..343e5f1 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -604,6 +604,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
+ 
+ /****************************************************************
+ ****************************************************************/
++#if 0
++static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
++					 struct libnet_JoinCtx *r)
++{
++	ADS_STATUS status;
++	ADS_MODLIST mods;
++	uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
++	const char *etype_list_str;
++
++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
++	etype_list |= ENC_HMAC_SHA1_96_AES128;
++#endif
++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
++	etype_list |= ENC_HMAC_SHA1_96_AES256;
++#endif
++
++	etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
++	if (!etype_list_str) {
++		return ADS_ERROR(LDAP_NO_MEMORY);
++	}
++
++	/* Find our DN */
++
++	status = libnet_join_find_machine_acct(mem_ctx, r);
++	if (!ADS_ERR_OK(status)) {
++		return status;
++	}
++
++	/* now do the mods */
++
++	mods = ads_init_mods(mem_ctx);
++	if (!mods) {
++		return ADS_ERROR(LDAP_NO_MEMORY);
++	}
++
++	status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
++			     etype_list_str);
++	if (!ADS_ERR_OK(status)) {
++		return status;
++	}
++
++	return ads_gen_mod(r->in.ads, r->out.dn, mods);
++}
++#endif
++/****************************************************************
++****************************************************************/
+ 
+ static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
+ 				      struct libnet_JoinCtx *r)
+-- 
+2.9.0
+
+
+From 452f99fdd08f9c5e5dcc660dc8900115f0abb093 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 2 Mar 2016 18:07:53 +0100
+Subject: [PATCH 03/11] s3:libnet:libnet_join: prepare to allow connecting with
+ machine creds.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 71d5634ab58f0ca21db633990231bd01a22c956c)
+---
+ source3/libnet/libnet_join.c | 73 +++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 68 insertions(+), 5 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 343e5f1..cc93a85 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -42,6 +42,7 @@
+ #include "lib/param/loadparm.h"
+ #include "libcli/auth/netlogon_creds_cli.h"
+ #include "auth/credentials/credentials.h"
++#include "krb5_env.h"
+ 
+ /****************************************************************
+ ****************************************************************/
+@@ -118,6 +119,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ 				     const char *dc_name,
+ 				     const char *user_name,
+ 				     const char *password,
++				     const char *ccname,
+ 				     ADS_STRUCT **ads)
+ {
+ 	ADS_STATUS status;
+@@ -150,6 +152,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ 		my_ads->auth.password = SMB_STRDUP(password);
+ 	}
+ 
++	if (ccname != NULL) {
++		SAFE_FREE(my_ads->auth.ccache_name);
++		my_ads->auth.ccache_name = SMB_STRDUP(ccname);
++		setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1);
++	}
++
+ 	status = ads_connect_user_creds(my_ads);
+ 	if (!ADS_ERR_OK(status)) {
+ 		ads_destroy(&my_ads);
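Review bot: The added `setenv(KRB5_ENV_CCNAME, ...)` changes the credential cache for the whole process, its return value is ignored, and nothing in this hunk restores the previous value after `ads_connect_user_creds()` returns. Any later Kerberos use in the same process would then pick up this cache, which may be intended but is not stated. I would check the call, `if (setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1) != 0) { ads_destroy(&my_ads); return ADS_ERROR_SYSTEM(errno); }`, and add a comment saying the override is deliberate and process-wide. `libnet_connect_ads()` continues outside the hunk.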
+@@ -164,15 +172,51 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ ****************************************************************/
+ 
+ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
+-					  struct libnet_JoinCtx *r)
++					  struct libnet_JoinCtx *r,
++					  bool use_machine_creds)
+ {
+ 	ADS_STATUS status;
++	const char *username;
++	const char *password;
++	const char *ccname = NULL;
++
++	if (use_machine_creds) {
++		if (r->in.machine_name == NULL ||
++		    r->in.machine_password == NULL) {
++			return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
++		}
++		username = talloc_strdup(mem_ctx, r->in.machine_name);
++		if (username == NULL) {
++			return ADS_ERROR(LDAP_NO_MEMORY);
++		}
++		if (username[strlen(username)] != '$') {
++			username = talloc_asprintf(username, "%s$", username);
++			if (username == NULL) {
++				return ADS_ERROR(LDAP_NO_MEMORY);
++			}
++		}
++		password = r->in.machine_password;
++		ccname = "MEMORY:libnet_join_machine_creds";
++	} else {
++		username = r->in.admin_account;
++		password = r->in.admin_password;
++
++		/*
++		 * when r->in.use_kerberos is set to allow "net ads join -k" we
++		 * may not override the provided credential cache - gd
++		 */
++
++		if (!r->in.use_kerberos) {
++			ccname = "MEMORY:libnet_join_user_creds";
++		}
++	}
+ 
+ 	status = libnet_connect_ads(r->out.dns_domain_name,
+ 				    r->out.netbios_domain_name,
+ 				    r->in.dc_name,
+-				    r->in.admin_account,
+-				    r->in.admin_password,
++				    username,
++				    password,
++				    ccname,
+ 				    &r->in.ads);
+ 	if (!ADS_ERR_OK(status)) {
+ 		libnet_join_set_error_string(mem_ctx, r,
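Review bot: `username[strlen(username)]` is always the terminating NUL, so the `!= '$'` test in the `use_machine_creds` branch is always true and a `$` is appended even when `machine_name` already ends in one. Index the last character and guard the empty string: `size_t len = strlen(username);` followed by `if (len == 0 || username[len - 1] != '$') {`. The `talloc_asprintf(username, "%s$", username)` call also makes the old string the talloc parent of the new one; passing `mem_ctx` would be clearer. The only caller that passes `true` is still under `#if 0` in this patch, so the branch looks unreachable for now, and the function continues outside the hunk.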
+@@ -201,6 +245,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
+ /****************************************************************
+ ****************************************************************/
+ 
++static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx,
++					       struct libnet_JoinCtx *r)
++{
++	return libnet_join_connect_ads(mem_ctx, r, false);
++}
++
++/****************************************************************
++****************************************************************/
++#if 0
++static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx,
++						  struct libnet_JoinCtx *r)
++{
++	return libnet_join_connect_ads(mem_ctx, r, true);
++}
++#endif
++/****************************************************************
++****************************************************************/
++
+ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
+ 					    struct libnet_UnjoinCtx *r)
+ {
+@@ -211,6 +273,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
+ 				    r->in.dc_name,
+ 				    r->in.admin_account,
+ 				    r->in.admin_password,
++				    NULL,
+ 				    &r->in.ads);
+ 	if (!ADS_ERR_OK(status)) {
+ 		libnet_unjoin_set_error_string(mem_ctx, r,
+@@ -727,7 +790,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
+ 	ADS_STATUS status;
+ 
+ 	if (!r->in.ads) {
+-		status = libnet_join_connect_ads(mem_ctx, r);
++		status = libnet_join_connect_ads_user(mem_ctx, r);
+ 		if (!ADS_ERR_OK(status)) {
+ 			return status;
+ 		}
+@@ -2258,7 +2321,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+ 	if (r->out.domain_is_ad && r->in.account_ou &&
+ 	    !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
+ 
+-		ads_status = libnet_join_connect_ads(mem_ctx, r);
++		ads_status = libnet_join_connect_ads_user(mem_ctx, r);
+ 		if (!ADS_ERR_OK(ads_status)) {
+ 			return WERR_DEFAULT_JOIN_REQUIRED;
+ 		}
+-- 
+2.9.0
+
+
+From 3f6d9131abd68620bb35ef3bafbde586a1b751c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 4 Mar 2016 17:42:05 +0100
+Subject: [PATCH 04/11] s3:libads:ldap: print LDAP error message with log level
+ 10.
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 34030b025b9e4cd5e7321d6e242f6c03da2a60c0)
+---
+ source3/libads/ldap.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 125c9d7..91753d2 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1416,6 +1416,17 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ }
+ #endif
+ 
++static void ads_print_error(int ret, LDAP *ld)
++{
++	if (ret != 0) {
++		char *ld_error = NULL;
++		ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
++		DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
++			ldap_err2string(ret), ld_error));
++		SAFE_FREE(ld_error);
++	}
++}
++
+ /**
+  * Perform an ldap modify
+  * @param ads connection to ads server
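Review bot: In `ads_print_error()`, `ld_error` is passed to `%s` even if `ldap_get_option()` fails or leaves it NULL, and the result of `ldap_get_option()` is not checked. The string is allocated by the LDAP library, so releasing it with `SAFE_FREE` instead of `ldap_memfree()` only works if both use the same allocator. Suggested: pass `ld_error ? ld_error : "(none)"` to `DEBUG` and release with `ldap_memfree(ld_error);`. A one-line comment that the helper only logs and never alters `ret` would also help readers of the three call sites.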
+@@ -1451,6 +1462,7 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
+ 	mods[i] = NULL;
+ 	ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn,
+ 				(LDAPMod **) mods, controls, NULL);
++	ads_print_error(ret, ads->ldap.ld);
+ 	TALLOC_FREE(utf8_dn);
+ 	return ADS_ERROR(ret);
+ }
+@@ -1479,6 +1491,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
+ 	mods[i] = NULL;
+ 
+ 	ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
++	ads_print_error(ret, ads->ldap.ld);
+ 	TALLOC_FREE(utf8_dn);
+ 	return ADS_ERROR(ret);
+ }
+@@ -1500,6 +1513,7 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
+ 	}
+ 
+ 	ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
++	ads_print_error(ret, ads->ldap.ld);
+ 	TALLOC_FREE(utf8_dn);
+ 	return ADS_ERROR(ret);
+ }
+-- 
+2.9.0
+
+
+From 6a2647247ab0abddc38c2abade36116e3a2e5788 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 11 Mar 2016 12:13:24 +0100
+Subject: [PATCH 05/11] s3:libads:ndr: add ADS_AUTH_USER_CREDS to
+ ndr_print_ads_auth_flags()
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit e8f6acdeece990dc8953d494113dee856d80da45)
+---
+ source3/libads/ndr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c
+index fd0b63e..ac0b9e6 100644
+--- a/source3/libads/ndr.c
++++ b/source3/libads/ndr.c
+@@ -37,6 +37,7 @@ static void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, ui
+ 	ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SIGN", ADS_AUTH_SASL_SIGN, r);
+ 	ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SEAL", ADS_AUTH_SASL_SEAL, r);
+ 	ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_FORCE", ADS_AUTH_SASL_FORCE, r);
++	ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_USER_CREDS", ADS_AUTH_USER_CREDS, r);
+ 	ndr->depth--;
+ }
+ 
+-- 
+2.9.0
+
+
+From 51657c35d3455226f697bef24a7d967944a2c67d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 11 Mar 2016 12:15:14 +0100
+Subject: [PATCH 06/11] s3:libads:ldap: fix ads_check_ou_dn to deal with
+ account_ou not being initialized
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit c61b111e6fa3e138d4d9cf5038b69644248e834a)
+---
+ source3/libads/ldap.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 91753d2..8eac5c8 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -3870,10 +3870,16 @@ ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx,
+ 	const char *name;
+ 	char *ou_string;
+ 
+-	exploded_dn = ldap_explode_dn(*account_ou, 0);
+-	if (exploded_dn) {
+-		ldap_value_free(exploded_dn);
+-		return ADS_SUCCESS;
++	if (account_ou == NULL) {
++		return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
++	}
++
++	if (*account_ou != NULL) {
++		exploded_dn = ldap_explode_dn(*account_ou, 0);
++		if (exploded_dn) {
++			ldap_value_free(exploded_dn);
++			return ADS_SUCCESS;
++		}
+ 	}
+ 
+ 	ou_string = ads_ou_string(ads, *account_ou);
+-- 
+2.9.0
+
+
+From 7a1303f27904fafb8245b9ad9a26e7f846d9968d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 10 Mar 2016 18:03:47 +0100
+Subject: [PATCH 07/11] s3:libnet:libnet_join: always try to create
+ machineaccount via LDAP first.
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit df8f79cc9d44ad7b2caa6b86b7ebde7bb1fd4c8c)
+---
+ source3/libnet/libnet_join.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index cc93a85..b10080d 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -2318,16 +2318,36 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+ 		r->out.dns_domain_name, r->out.netbios_domain_name,
+ 		NULL, smbXcli_conn_remote_sockaddr(cli->conn));
+ 
+-	if (r->out.domain_is_ad && r->in.account_ou &&
++	if (r->out.domain_is_ad &&
+ 	    !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
+ 
++		const char *initial_account_ou = r->in.account_ou;
++
++		/*
++		 * we want to create the msDS-SupportedEncryptionTypes attribute
++		 * as early as possible so always try an LDAP create as the user
++		 * first. We copy r->in.account_ou because it may be changed
++		 * during the machine pre-creation.
++		 */
++
+ 		ads_status = libnet_join_connect_ads_user(mem_ctx, r);
+ 		if (!ADS_ERR_OK(ads_status)) {
+ 			return WERR_DEFAULT_JOIN_REQUIRED;
+ 		}
+ 
+ 		ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
+-		if (!ADS_ERR_OK(ads_status)) {
++		if (ADS_ERR_OK(ads_status)) {
++
++			/*
++			 * LDAP object create succeeded, now go to the rpc
++			 * password set routines
++			 */
++
++			r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
++			goto rpc_join;
++		}
++
++		if (initial_account_ou != NULL) {
+ 			libnet_join_set_error_string(mem_ctx, r,
+ 				"failed to precreate account in ou %s: %s",
+ 				r->in.account_ou,
+@@ -2335,10 +2355,12 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+ 			return WERR_DEFAULT_JOIN_REQUIRED;
+ 		}
+ 
+-		r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
++		DEBUG(5, ("failed to precreate account in ou %s: %s",
++			r->in.account_ou, ads_errstr(ads_status)));
+ 	}
+ #endif /* HAVE_ADS */
+ 
++ rpc_join:
+ 	if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
+ 	    (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) {
+ 		status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli);
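Review bot: The new `DEBUG(5, ...)` message has no trailing `\n`, and it is reached only when `initial_account_ou` was NULL, so `r->in.account_ou` may still be NULL when it is formatted with `%s`. That holds unless the pre-create step filled it in, which the comment in the previous hunk suggests can happen. Suggested: `DEBUG(5, ("failed to precreate account in ou %s: %s\n", r->in.account_ou ? r->in.account_ou : "(default)", ads_errstr(ads_status)));`. The `rpc_join:` label sits after `#endif /* HAVE_ADS */` while its only `goto` is inside the conditional block, so a build without ADS would presumably warn about an unused label. `libnet_DomainJoin()` starts and ends outside these hunks.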
+-- 
+2.9.0
+
+
+From d4cf8358ce96964443cae441f0808d744a1fd95d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 11 Mar 2016 16:02:27 +0100
+Subject: [PATCH 08/11] s3:librpc:idl:libnet_join: add encryption types to
+ libnet_JoinCtx.
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 4a49f6fac9d6c77d1eedf914308e67eb6e2baa8d)
+---
+ source3/librpc/idl/libnet_join.idl | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
+index ac0a350..0718739 100644
+--- a/source3/librpc/idl/libnet_join.idl
++++ b/source3/librpc/idl/libnet_join.idl
+@@ -35,6 +35,7 @@ interface libnetjoin
+ 		[in] boolean8 use_kerberos,
+ 		[in] netr_SchannelType secure_channel_type,
+ 		[in,noprint] messaging_context *msg_ctx,
++		[in] uint32 desired_encryption_types,
+ 		[out] string account_name,
+ 		[out] string netbios_domain_name,
+ 		[out] string dns_domain_name,
+@@ -43,7 +44,8 @@ interface libnetjoin
+ 		[out] dom_sid *domain_sid,
+ 		[out] boolean8 modified_config,
+ 		[out] string error_string,
+-		[out] boolean8 domain_is_ad
++		[out] boolean8 domain_is_ad,
++		[out] uint32 set_encryption_types
+ 		);
+ 
+ 	[nopush,nopull,noopnum] WERROR libnet_UnjoinCtx(
+-- 
+2.9.0
+
+
+From b6dae5b223f379dbdbd3b4ccca9492753f7f5286 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 11 Mar 2016 16:04:52 +0100
+Subject: [PATCH 09/11] s3:libnet:libnet_join: define list of desired
+ encryption types only once.
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit e0da059b39f9dd5ccb74f32f965e1ced384c77eb)
+---
+ source3/libads/ads_proto.h   |  6 ++++--
+ source3/libads/ldap.c        | 14 ++++----------
+ source3/libnet/libnet_join.c | 24 ++++++++++++++----------
+ 3 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
+index 1399f41..425c352 100644
+--- a/source3/libads/ads_proto.h
++++ b/source3/libads/ads_proto.h
+@@ -97,8 +97,10 @@ ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
+ ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
+                                           const char *my_fqdn, const char *spn);
+-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+-                                   const char *org_unit);
++ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
++				   const char *machine_name,
++				   const char *org_unit,
++				   uint32_t etype_list);
+ ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+                                  const char *org_unit, bool *moved);
+ int ads_count_replies(ADS_STRUCT *ads, void *res);
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 8eac5c8..72bf4d9 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2006,8 +2006,10 @@ ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_n
+  * @return 0 upon success, or non-zero otherwise
+ **/
+ 
+-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, 
+-                                   const char *org_unit)
++ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
++				   const char *machine_name,
++				   const char *org_unit,
++				   uint32_t etype_list)
+ {
+ 	ADS_STATUS ret;
+ 	char *samAccountName, *controlstr;
+@@ -2063,16 +2065,8 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+ 	ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+ 
+ 	if (func_level >= DS_DOMAIN_FUNCTION_2008) {
+-		uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+ 		const char *etype_list_str;
+ 
+-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+-		etype_list |= ENC_HMAC_SHA1_96_AES128;
+-#endif
+-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+-		etype_list |= ENC_HMAC_SHA1_96_AES256;
+-#endif
+-
+ 		etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
+ 		if (etype_list_str == NULL) {
+ 			goto done;
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index b10080d..876a453 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -318,7 +318,8 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
+ 
+ 	status = ads_create_machine_acct(r->in.ads,
+ 					 r->in.machine_name,
+-					 r->in.account_ou);
++					 r->in.account_ou,
++					 r->in.desired_encryption_types);
+ 
+ 	if (ADS_ERR_OK(status)) {
+ 		DEBUG(1,("machine account creation created\n"));
+@@ -673,17 +674,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+ {
+ 	ADS_STATUS status;
+ 	ADS_MODLIST mods;
+-	uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+ 	const char *etype_list_str;
+ 
+-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+-	etype_list |= ENC_HMAC_SHA1_96_AES128;
+-#endif
+-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+-	etype_list |= ENC_HMAC_SHA1_96_AES256;
+-#endif
+-
+-	etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
++	etype_list_str = talloc_asprintf(mem_ctx, "%d",
++					 r->in.desired_encryption_types);
+ 	if (!etype_list_str) {
+ 		return ADS_ERROR(LDAP_NO_MEMORY);
+ 	}
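Review bot: The new `talloc_asprintf(mem_ctx, "%d", r->in.desired_encryption_types)` call in `libnet_join_set_etypes` passes a `uint32` field to `%d` without a cast, while the matching call in the `ads_create_machine_acct` hunk of this same patch writes `(int)etype_list`. Both sites format the same value for the same attribute and should agree: either `"%d", (int)r->in.desired_encryption_types` or `"%u", (unsigned int)r->in.desired_encryption_types`. The function continues outside the hunk.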
+@@ -2143,6 +2137,16 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
+ 
+ 	ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
+ 
++	ctx->in.desired_encryption_types = ENC_CRC32 |
++					   ENC_RSA_MD5 |
++					   ENC_RC4_HMAC_MD5;
++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
++	ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
++#endif
++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
++	ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
++#endif
++
+ 	*r = ctx;
+ 
+ 	return WERR_OK;
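Review bot: The new default for `ctx->in.desired_encryption_types` in `libnet_init_JoinCtx` has no comment, although after this patch it is the single place that decides what the join writes to msDS-SupportedEncryptionTypes. It always sets `ENC_CRC32`, `ENC_RSA_MD5` and `ENC_RC4_HMAC_MD5`, and adds the AES bits only when the build defines the `HAVE_ENCTYPE_AES*` macros. A comment such as `/* Default enctypes advertised for the machine account: DES and RC4 always, AES only if the krb5 library has it. */` would make that policy visible to anyone auditing which Kerberos encryption types a joined host offers. Whether the DES and RC4 bits are still needed for compatibility cannot be told from this hunk; if they are not, this is the line to tighten. The function starts outside the hunk.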
+-- 
+2.9.0
+
+
+From 51a68159e119149b9527cac8a8a119f34bb6879a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 11 Mar 2016 16:05:53 +0100
+Subject: [PATCH 10/11] s3:libnet:libnet_join: fill in output enctypes and only
+ modify when necessary.
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 5d498d1b4d9b83f179fb7b2841a19ad984eec5f8)
+---
+ source3/libads/ldap.c        |  2 +-
+ source3/libnet/libnet_join.c | 18 +++++++++++++++++-
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 72bf4d9..f611da2 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1268,7 +1268,7 @@ char *ads_parent_dn(const char *dn)
+ {
+ 	ADS_STATUS status;
+ 	char *expr;
+-	const char *attrs[] = {"*", "nTSecurityDescriptor", NULL};
++	const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL};
+ 
+ 	*res = NULL;
+ 
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 876a453..9f3d830 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -417,6 +417,11 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
+ 		goto done;
+ 	}
+ 
++	if (!ads_pull_uint32(r->in.ads, res, "msDS-SupportedEncryptionTypes",
++			     &r->out.set_encryption_types)) {
++		r->out.set_encryption_types = 0;
++	}
++
+  done:
+ 	ads_msgfree(r->in.ads, res);
+ 	TALLOC_FREE(dn);
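Review bot: The added block in `libnet_join_find_machine_acct` maps a failed `ads_pull_uint32` to `r->out.set_encryption_types = 0` without saying what that zero stands for. A one-line comment, `/* attribute missing or unreadable: report 0 so it compares unequal to a non-empty desired set */`, would record that the later comparison against `desired_encryption_types` is expected to differ in that case. The block sits just before the `done:` label, so on the earlier `goto done` paths the field keeps whatever value it had. The function starts outside the hunk, so whether the field is initialised there is not visible.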
+@@ -689,6 +694,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+ 		return status;
+ 	}
+ 
++	if (r->in.desired_encryption_types == r->out.set_encryption_types) {
++		return ADS_SUCCESS;
++	}
++
+ 	/* now do the mods */
+ 
+ 	mods = ads_init_mods(mem_ctx);
+@@ -702,7 +711,14 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+ 		return status;
+ 	}
+ 
+-	return ads_gen_mod(r->in.ads, r->out.dn, mods);
++	status = ads_gen_mod(r->in.ads, r->out.dn, mods);
++	if (!ADS_ERR_OK(status)) {
++		return status;
++	}
++
++	r->out.set_encryption_types = r->in.desired_encryption_types;
++
++	return ADS_SUCCESS;
+ }
+ #endif
+ /****************************************************************
+-- 
+2.9.0
+
+
+From a489ac90045212decebbadf46a51fff42c224d3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 11 Mar 2016 23:15:06 +0100
+Subject: [PATCH 11/11] s3:libnet:libnet_join: update
+ msDS-SupportedEncryptionTypes (if required) with machine creds.
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144
+
+(cherry picked from commit 06aefe4b956ae8748e20ae4c730aa344e81808b6)
+---
+ source3/libnet/libnet_join.c | 59 +++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 55 insertions(+), 4 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 9f3d830..84f0e40 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -253,13 +253,13 @@ static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx,
+ 
+ /****************************************************************
+ ****************************************************************/
+-#if 0
++
+ static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx,
+ 						  struct libnet_JoinCtx *r)
+ {
+ 	return libnet_join_connect_ads(mem_ctx, r, true);
+ }
+-#endif
++
+ /****************************************************************
+ ****************************************************************/
+ 
+@@ -673,7 +673,7 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
+ 
+ /****************************************************************
+ ****************************************************************/
+-#if 0
++
+ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+ 					 struct libnet_JoinCtx *r)
+ {
+@@ -720,7 +720,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+ 
+ 	return ADS_SUCCESS;
+ }
+-#endif
++
+ /****************************************************************
+ ****************************************************************/
+ 
+@@ -798,6 +798,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
+ 						  struct libnet_JoinCtx *r)
+ {
+ 	ADS_STATUS status;
++	bool need_etype_update = false;
+ 
+ 	if (!r->in.ads) {
+ 		status = libnet_join_connect_ads_user(mem_ctx, r);
+@@ -832,6 +833,56 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
+ 		return status;
+ 	}
+ 
++	status = libnet_join_find_machine_acct(mem_ctx, r);
++	if (!ADS_ERR_OK(status)) {
++		return status;
++	}
++
++	if (r->in.desired_encryption_types != r->out.set_encryption_types) {
++		uint32_t func_level = 0;
++
++		status = ads_domain_func_level(r->in.ads, &func_level);
++		if (!ADS_ERR_OK(status)) {
++			libnet_join_set_error_string(mem_ctx, r,
++				"failed to query domain controller functional level: %s",
++				ads_errstr(status));
++			return status;
++		}
++
++		if (func_level >= DS_DOMAIN_FUNCTION_2008) {
++			need_etype_update = true;
++		}
++	}
++
++	if (need_etype_update) {
++		/*
++		 * We need to reconnect as machine account in order
++		 * to update msDS-SupportedEncryptionTypes reliable
++		 */
++
++		if (r->in.ads->auth.ccache_name != NULL) {
++			ads_kdestroy(r->in.ads->auth.ccache_name);
++		}
++
++		ads_destroy(&r->in.ads);
++
++		status = libnet_join_connect_ads_machine(mem_ctx, r);
++		if (!ADS_ERR_OK(status)) {
++			libnet_join_set_error_string(mem_ctx, r,
++				"Failed to connect as machine account: %s",
++				ads_errstr(status));
++			return status;
++		}
++
++		status = libnet_join_set_etypes(mem_ctx, r);
++		if (!ADS_ERR_OK(status)) {
++			libnet_join_set_error_string(mem_ctx, r,
++				"failed to set machine kerberos encryption types: %s",
++				ads_errstr(status));
++			return status;
++		}
++	}
++
+ 	if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
+ 		return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ 	}
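Review bot: The comment above the reconnect in `libnet_join_post_processing_ads` says "update msDS-SupportedEncryptionTypes reliable" and does not explain why the joining user's connection is not sufficient. I would reword it to say "reliably" and state the reason, presumably that the joining user may lack the right to modify that attribute. When `libnet_join_connect_ads_machine` fails, the function returns after `ads_kdestroy` and `ads_destroy(&r->in.ads)` have already torn down the user connection, so any caller that still uses `r->in.ads` on error would need a check; callers are outside the hunk. The new error strings also differ in case (`"Failed to connect as machine account: %s"` against the two `"failed to ..."` messages) and should be made uniform. The function starts and ends outside the hunk.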
+-- 
+2.9.0
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 9e1173b..9f2c0a0 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 6.2
+%define main_release 7
 
 %define samba_version 4.2.10
 %define talloc_version 2.1.2
@@ -119,6 +119,9 @@ Patch8:     samba-4.2.10-fix_rpcclient_ipc_signing.patch
 Patch9:     samba-4.2.10-fix_ntlm_auth_issues.patch
 Patch10:    samba-4.2.10-fix_msrpc_parse.patch
 Patch11:    samba-4.2.10-fix_anon_with_singing_mandatory.patch
+Patch12:    samba-4.2.99-fix_idmap_hash_with_other_modules.path
+Patch13:    samba-4.2.99-net_ads_join_fix_keytab_generation.patch
+Patch14:    CVE-2016-2119-v4-2.patch
 
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
@@ -701,6 +704,9 @@ and use CTDB instead.
 %patch9 -p1 -b .samba-4.2.10-fix_ntlm_auth_issues.patch
 %patch10 -p1 -b .samba-4.2.10-fix_msrpc_parse.patch
 %patch11 -p1 -b .samba-4.2.10-fix_anon_with_singing_mandatory.patch
+%patch12 -p1 -b .samba-4.2.99-fix_idmap_hash_with_other_modules.path
+%patch13 -p1 -b .samba-4.2.99-net_ads_join_fix_keytab_generation.patch
+%patch14 -p1 -b .CVE-2016-2119-v4-2.patch
 
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -2002,6 +2008,13 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
+* Mon Jul 04 2016 Andreas Schneider <asn@redhat.com> - 4.2.10-7
+- resolves: #1351960 - Fix CVE-2016-2119
+
+* Tue Jun 28 2016 Andreas Schneider <asn@redhat.com> - 4.2.10-6.3
+- resolves: #1350759 - Fix idmap_hash when used with other modules
+- resolves: #1351260 - Fix krb5 encryption type setup during join
+
 * Wed Jun 01 2016 Andreas Schneider <asn@redhat.com> - 4.2.10-6.2
 - related: #1333794 - Fix issues caused by security tightening for Badlock
   o ntlm_auth issues and segfault