diff --git a/.gitignore b/.gitignore
index 1b087cf..99161ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.9.1.tar.xz
+SOURCES/samba-4.10.4.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 638f3b8..1e4e8c9 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
 6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-81b7c9a13d48fa25c58c90ae85e7d256e9952227 SOURCES/samba-4.9.1.tar.xz
+c24e15add96d79950552f0ffbb44234e4142342c SOURCES/samba-4.10.4.tar.xz
diff --git a/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt b/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
new file mode 100644
index 0000000..eec8124
--- /dev/null
+++ b/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
@@ -0,0 +1,393 @@
+From 5e94fe726e9af81374c697ce603b3728ccaaebf3 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 12 Jul 2019 12:10:35 -0700
+Subject: [PATCH 1/6] CVE-2019-10197: smbd: separate out impersonation debug
+ info into a new function.
+
+Will be called on elsewhere on successful impersonation.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/smbd/uid.c | 37 +++++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index a4bcb747d37e..ce8e8d92131c 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -279,6 +279,28 @@ static bool check_user_ok(connection_struct *conn,
+ 	return(True);
+ }
+ 
++static void print_impersonation_info(connection_struct *conn)
++{
++	struct smb_filename *cwdfname = NULL;
++
++	if (!CHECK_DEBUGLVL(DBGLVL_INFO)) {
++		return;
++	}
++
++	cwdfname = vfs_GetWd(talloc_tos(), conn);
++	if (cwdfname == NULL) {
++		return;
++	}
++
++	DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
++		 (int)getuid(),
++		 (int)geteuid(),
++		 (int)getgid(),
++		 (int)getegid(),
++		 cwdfname->base_name);
++	TALLOC_FREE(cwdfname);
++}
++
+ /****************************************************************************
+  Become the user of a connection number without changing the security context
+  stack, but modify the current_user entries.
+@@ -415,20 +437,7 @@ static bool change_to_user_internal(connection_struct *conn,
+ 		current_user.done_chdir = true;
+ 	}
+ 
+-	if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
+-		struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn);
+-		if (cwdfname == NULL) {
+-			return false;
+-		}
+-		DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
+-			 (int)getuid(),
+-			 (int)geteuid(),
+-			 (int)getgid(),
+-			 (int)getegid(),
+-			 cwdfname->base_name);
+-		TALLOC_FREE(cwdfname);
+-	}
+-
++	print_impersonation_info(conn);
+ 	return true;
+ }
+ 
+-- 
+2.17.1
+
+
+From b4cd0dcbc38ae61cfb075e5f659384df889e99f7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 11 Jul 2019 17:01:29 +0200
+Subject: [PATCH 2/6] CVE-2019-10197: smbd: make sure that
+ change_to_user_internal() always resets current_user.done_chdir
+
+We should not leave current_user.done_chdir as true if we didn't call
+chdir_current_service() with success.
+
+This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when
+chdir_current_service() worked once on one share but later failed on another
+share.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ source3/smbd/uid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index ce8e8d92131c..77a81f602988 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -427,6 +427,7 @@ static bool change_to_user_internal(connection_struct *conn,
+ 	current_user.conn = conn;
+ 	current_user.vuid = vuid;
+ 	current_user.need_chdir = conn->tcon_done;
++	current_user.done_chdir = false;
+ 
+ 	if (current_user.need_chdir) {
+ 		ok = chdir_current_service(conn);
+-- 
+2.17.1
+
+
+From b1496ce793129302c9959ebc6330219c6a3143f0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 18 Jun 2019 14:04:08 +0200
+Subject: [PATCH 3/6] CVE-2019-10197: smbd: make sure we reset
+ current_user.{need,done}_chdir in become_root()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/smbd/uid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index 77a81f602988..50868ba8572a 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -624,6 +624,9 @@ void smbd_become_root(void)
+ 	}
+ 	push_conn_ctx();
+ 	set_root_sec_ctx();
++
++	current_user.need_chdir = false;
++	current_user.done_chdir = false;
+ }
+ 
+ /* Unbecome the root user */
+-- 
+2.17.1
+
+
+From 03a0719d6d5c1a81b44bc3cedc76563a1eb04491 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 30 Jul 2019 17:16:59 +0200
+Subject: [PATCH 4/6] CVE-2019-10197: selftest: make fsrvp_share its own
+ independent subdirectory
+
+The next patch will otherwise break the fsrvp related tests.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/target/Samba3.pm | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 9d88253c9fe7..f7eb314138a0 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1540,6 +1540,9 @@ sub provision($$$$$$$$$)
+ 	my $widelinks_linkdir="$shrdir/widelinks_foo";
+ 	push(@dirs,$widelinks_linkdir);
+ 
++	my $fsrvp_shrdir="$shrdir/fsrvp";
++	push(@dirs,$fsrvp_shrdir);
++
+ 	my $shadow_tstdir="$shrdir/shadow";
+ 	push(@dirs,$shadow_tstdir);
+ 	my $shadow_mntdir="$shadow_tstdir/mount";
+@@ -2083,14 +2086,14 @@ sub provision($$$$$$$$$)
+ 	guest ok = yes
+ 
+ [fsrvp_share]
+-	path = $shrdir
++	path = $fsrvp_shrdir
+ 	comment = fake shapshots using rsync
+ 	vfs objects = shell_snap shadow_copy2
+ 	shell_snap:check path command = $fake_snap_pl --check
+ 	shell_snap:create command = $fake_snap_pl --create
+ 	shell_snap:delete command = $fake_snap_pl --delete
+ 	# a relative path here fails, the snapshot dir is no longer found
+-	shadow:snapdir = $shrdir/.snapshots
++	shadow:snapdir = $fsrvp_shrdir/.snapshots
+ 
+ [shadow1]
+ 	path = $shadow_shrdir
+-- 
+2.17.1
+
+
+From 409447f3258b87745a2248570278b1c6da8991f4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 16 Jul 2019 15:40:38 +0200
+Subject: [PATCH 5/6] CVE-2019-10197: test_smbclient_s3.sh: add regression test
+ for the no permission on share root problem
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/knownfail.d/CVE-2019-10197       |  1 +
+ selftest/target/Samba3.pm                 | 12 +++++++++
+ source3/script/tests/test_smbclient_s3.sh | 30 +++++++++++++++++++++++
+ 3 files changed, 43 insertions(+)
+ create mode 100644 selftest/knownfail.d/CVE-2019-10197
+
+diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197
+new file mode 100644
+index 000000000000..f7056bbf3ad4
+--- /dev/null
++++ b/selftest/knownfail.d/CVE-2019-10197
+@@ -0,0 +1 @@
++^samba3.blackbox.smbclient_s3.*.noperm.share.regression
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index f7eb314138a0..2f491441815f 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1516,6 +1516,9 @@ sub provision($$$$$$$$$)
+ 	my $ro_shrdir="$shrdir/root-tmp";
+ 	push(@dirs,$ro_shrdir);
+ 
++	my $noperm_shrdir="$shrdir/noperm-tmp";
++	push(@dirs,$noperm_shrdir);
++
+ 	my $msdfs_shrdir="$shrdir/msdfsshare";
+ 	push(@dirs,$msdfs_shrdir);
+ 
+@@ -1586,6 +1589,11 @@ sub provision($$$$$$$$$)
+ 	chmod 0755, $piddir;
+ 
+ 
++	##
++	## Create a directory without permissions to enter
++	##
++	chmod 0000, $noperm_shrdir;
++
+ 	##
+ 	## create ro and msdfs share layout
+ 	##
+@@ -1902,6 +1910,10 @@ sub provision($$$$$$$$$)
+ [ro-tmp]
+ 	path = $ro_shrdir
+ 	guest ok = yes
++[noperm]
++	path = $noperm_shrdir
++	wide links = yes
++	guest ok = yes
+ [write-list-tmp]
+ 	path = $shrdir
+         read only = yes
+diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
+index bf033ccd2fbf..0bae1d78fac9 100755
+--- a/source3/script/tests/test_smbclient_s3.sh
++++ b/source3/script/tests/test_smbclient_s3.sh
+@@ -1329,6 +1329,32 @@ EOF
+     fi
+ }
+ 
++#
++# Regression test for CVE-2019-10197
++# we should always get ACCESS_DENIED
++#
++test_noperm_share_regression()
++{
++    cmd='$SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/noperm -I $SERVER_IP $LOCAL_ADDARGS -c "ls;ls"  2>&1'
++    eval echo "$cmd"
++    out=`eval $cmd`
++    ret=$?
++    if [ $ret -eq 0 ] ; then
++       echo "$out"
++       echo "failed accessing no perm share should not work"
++       return 1
++    fi
++
++    num=`echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' | wc -l`
++    if [ "$num" -ne "2" ] ; then
++       echo "$out"
++       echo "failed num[$num] - two NT_STATUS_ACCESS_DENIED lines expected"
++       return 1
++    fi
++
++    return 0
++}
++
+ # Test smbclient deltree command
+ test_deltree()
+ {
+@@ -1857,6 +1883,10 @@ testit "follow local symlinks" \
+     test_local_symlinks || \
+     failed=`expr $failed + 1`
+ 
++testit "noperm share regression" \
++    test_noperm_share_regression || \
++    failed=`expr $failed + 1`
++
+ testit "smbclient deltree command" \
+     test_deltree || \
+     failed=`expr $failed + 1`
+-- 
+2.17.1
+
+
+From 501e034aa5b6ba50bf14e41c59674fbbc28a2e9c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 11 Jul 2019 17:02:15 +0200
+Subject: [PATCH 6/6] CVE-2019-10197: smbd: split change_to_user_impersonate()
+ out of change_to_user_internal()
+
+This makes sure we always call chdir_current_service() even
+when we still impersonated the user. Which is important
+in order to run the SMB* request within the correct working directory
+and only if the user has permissions to enter that directory.
+
+It makes sure we always update conn->lastused_count
+in chdir_current_service() for each request.
+
+Note that vfs_ChDir() (called from chdir_current_service())
+maintains its own cache and avoids calling SMB_VFS_CHDIR()
+if possible.
+
+It means we still avoid syscalls if we get a multiple requests
+for the same session/tcon tuple.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ selftest/knownfail.d/CVE-2019-10197 |  1 -
+ source3/smbd/uid.c                  | 21 +++++++++++++++++----
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+ delete mode 100644 selftest/knownfail.d/CVE-2019-10197
+
+diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197
+deleted file mode 100644
+index f7056bbf3ad4..000000000000
+--- a/selftest/knownfail.d/CVE-2019-10197
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba3.blackbox.smbclient_s3.*.noperm.share.regression
+diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
+index 50868ba8572a..5c39baade5cf 100644
+--- a/source3/smbd/uid.c
++++ b/source3/smbd/uid.c
+@@ -306,9 +306,9 @@ static void print_impersonation_info(connection_struct *conn)
+  stack, but modify the current_user entries.
+ ****************************************************************************/
+ 
+-static bool change_to_user_internal(connection_struct *conn,
+-				    const struct auth_session_info *session_info,
+-				    uint64_t vuid)
++static bool change_to_user_impersonate(connection_struct *conn,
++				       const struct auth_session_info *session_info,
++				       uint64_t vuid)
+ {
+ 	int snum;
+ 	gid_t gid;
+@@ -321,7 +321,6 @@ static bool change_to_user_internal(connection_struct *conn,
+ 
+ 	if ((current_user.conn == conn) &&
+ 	    (current_user.vuid == vuid) &&
+-	    (current_user.need_chdir == conn->tcon_done) &&
+ 	    (current_user.ut.uid == session_info->unix_token->uid))
+ 	{
+ 		DBG_INFO("Skipping user change - already user\n");
+@@ -426,6 +425,20 @@ static bool change_to_user_internal(connection_struct *conn,
+ 
+ 	current_user.conn = conn;
+ 	current_user.vuid = vuid;
++	return true;
++}
++
++static bool change_to_user_internal(connection_struct *conn,
++				    const struct auth_session_info *session_info,
++				    uint64_t vuid)
++{
++	bool ok;
++
++	ok = change_to_user_impersonate(conn, session_info, vuid);
++	if (!ok) {
++		return false;
++	}
++
+ 	current_user.need_chdir = conn->tcon_done;
+ 	current_user.done_chdir = false;
+ 
+-- 
+2.17.1
+
diff --git a/SOURCES/CVE-2019-10218-4.11.patch b/SOURCES/CVE-2019-10218-4.11.patch
new file mode 100644
index 0000000..49bec9e
--- /dev/null
+++ b/SOURCES/CVE-2019-10218-4.11.patch
@@ -0,0 +1,170 @@
+From d429b48596c63140696ba600bddb0908f2350f70 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 5 Aug 2019 13:39:53 -0700
+Subject: [PATCH 1/2] CVE-2019-10218 - s3: libsmb: Protect SMB1 client code
+ from evil server returned names.
+
+Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/clilist.c | 75 ++++++++++++++++++++++++++++++++++++++++
+ source3/libsmb/proto.h   |  3 ++
+ 2 files changed, 78 insertions(+)
+
+diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
+index 5cb1fce4338..4f518339e2b 100644
+--- a/source3/libsmb/clilist.c
++++ b/source3/libsmb/clilist.c
+@@ -24,6 +24,66 @@
+ #include "trans2.h"
+ #include "../libcli/smb/smbXcli_base.h"
+ 
++/****************************************************************************
++ Check if a returned directory name is safe.
++****************************************************************************/
++
++static NTSTATUS is_bad_name(bool windows_names, const char *name)
++{
++	const char *bad_name_p = NULL;
++
++	bad_name_p = strchr(name, '/');
++	if (bad_name_p != NULL) {
++		/*
++		 * Windows and POSIX names can't have '/'.
++		 * Server is attacking us.
++		 */
++		return NT_STATUS_INVALID_NETWORK_RESPONSE;
++	}
++	if (windows_names) {
++		bad_name_p = strchr(name, '\\');
++		if (bad_name_p != NULL) {
++			/*
++			 * Windows names can't have '\\'.
++			 * Server is attacking us.
++			 */
++			return NT_STATUS_INVALID_NETWORK_RESPONSE;
++		}
++	}
++	return NT_STATUS_OK;
++}
++
++/****************************************************************************
++ Check if a returned directory name is safe. Disconnect if server is
++ sending bad names.
++****************************************************************************/
++
++NTSTATUS is_bad_finfo_name(const struct cli_state *cli,
++			const struct file_info *finfo)
++{
++	NTSTATUS status = NT_STATUS_OK;
++	bool windows_names = true;
++
++	if (cli->requested_posix_capabilities & CIFS_UNIX_POSIX_PATHNAMES_CAP) {
++		windows_names = false;
++	}
++	if (finfo->name != NULL) {
++		status = is_bad_name(windows_names, finfo->name);
++		if (!NT_STATUS_IS_OK(status)) {
++			DBG_ERR("bad finfo->name\n");
++			return status;
++		}
++	}
++	if (finfo->short_name != NULL) {
++		status = is_bad_name(windows_names, finfo->short_name);
++		if (!NT_STATUS_IS_OK(status)) {
++			DBG_ERR("bad finfo->short_name\n");
++			return status;
++		}
++	}
++	return NT_STATUS_OK;
++}
++
+ /****************************************************************************
+  Calculate a safe next_entry_offset.
+ ****************************************************************************/
+@@ -492,6 +552,13 @@ static NTSTATUS cli_list_old_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ 			TALLOC_FREE(finfo);
+ 			return NT_STATUS_NO_MEMORY;
+ 		}
++
++		status = is_bad_finfo_name(state->cli, finfo);
++		if (!NT_STATUS_IS_OK(status)) {
++			smbXcli_conn_disconnect(state->cli->conn, status);
++			TALLOC_FREE(finfo);
++			return status;
++		}
+ 	}
+ 	*pfinfo = finfo;
+ 	return NT_STATUS_OK;
+@@ -727,6 +794,14 @@ static void cli_list_trans_done(struct tevent_req *subreq)
+ 			ff_eos = true;
+ 			break;
+ 		}
++
++		status = is_bad_finfo_name(state->cli, finfo);
++		if (!NT_STATUS_IS_OK(status)) {
++			smbXcli_conn_disconnect(state->cli->conn, status);
++			tevent_req_nterror(req, status);
++			return;
++		}
++
+ 		if (!state->first && (state->mask[0] != '\0') &&
+ 		    strcsequal(finfo->name, state->mask)) {
+ 			DEBUG(1, ("Error: Looping in FIND_NEXT as name %s has "
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index 6a647da58c8..48855d7112c 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -760,6 +760,9 @@ NTSTATUS cli_posix_whoami(struct cli_state *cli,
+ 
+ /* The following definitions come from libsmb/clilist.c  */
+ 
++NTSTATUS is_bad_finfo_name(const struct cli_state *cli,
++			const struct file_info *finfo);
++
+ NTSTATUS cli_list_old(struct cli_state *cli,const char *Mask,uint16_t attribute,
+ 		      NTSTATUS (*fn)(const char *, struct file_info *,
+ 				 const char *, void *), void *state);
+-- 
+2.23.0.866.gb869b98d4c-goog
+
+
+From c61e75b5755efab938c1b2045eb4d539a0724c47 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 6 Aug 2019 12:08:09 -0700
+Subject: [PATCH 2/2] CVE-2019-10218 - s3: libsmb: Protect SMB2 client code
+ from evil server returned names.
+
+Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/cli_smb2_fnum.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index 535beaab841..3fa322c243b 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -1442,6 +1442,13 @@ NTSTATUS cli_smb2_list(struct cli_state *cli,
+ 				goto fail;
+ 			}
+ 
++			/* Protect against server attack. */
++			status = is_bad_finfo_name(cli, finfo);
++			if (!NT_STATUS_IS_OK(status)) {
++				smbXcli_conn_disconnect(cli->conn, status);
++				goto fail;
++			}
++
+ 			if (dir_check_ftype((uint32_t)finfo->mode,
+ 					(uint32_t)attribute)) {
+ 				/*
+-- 
+2.23.0.866.gb869b98d4c-goog
+
diff --git a/SOURCES/samba-4.10-fix-netbios-join.patch b/SOURCES/samba-4.10-fix-netbios-join.patch
new file mode 100644
index 0000000..9dd2eec
--- /dev/null
+++ b/SOURCES/samba-4.10-fix-netbios-join.patch
@@ -0,0 +1,723 @@
+From 05f7e9a72a1769af9d41b1ca40fe6a14b3f069d1 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 30 Aug 2019 00:22:15 +0300
+Subject: [PATCH 1/6] libnet_join: build dnsHostName from netbios name and
+ lp_dnsdomain()
+
+This make the join process much more reliable, and avoids "Constraint
+violation" error when the fqdn returned from getaddrinfo has already
+got assigned an SPN.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c       | 31 +++++++++++-------------------
+ testprogs/blackbox/test_net_ads.sh |  7 +++++--
+ 2 files changed, 16 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 7943bef2cf6..818b3039cb9 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -533,29 +533,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		}
+ 	}
+ 
+-	if (!name_to_fqdn(my_fqdn, r->in.machine_name)
+-	    || (strchr(my_fqdn, '.') == NULL)) {
+-		fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
+-			     r->out.dns_domain_name);
+-	}
++	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+ 
+ 	if (!strlower_m(my_fqdn)) {
+ 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 	}
+ 
+-	if (!strequal(my_fqdn, r->in.machine_name)) {
+-		spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
+-		if (!spn) {
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-		}
++	spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++	if (spn == NULL) {
++		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++	}
+ 
+-		ok = ads_element_in_array(spn_array, num_spns, spn);
++	ok = ads_element_in_array(spn_array, num_spns, spn);
++	if (!ok) {
++		ok = add_string_to_array(spn_array, spn,
++					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			ok = add_string_to_array(spn_array, spn,
+-						 &spn_array, &num_spns);
+-			if (!ok) {
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 		}
+ 	}
+ 
+@@ -591,12 +585,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 			/*
+ 			 * Add HOST/netbiosname.domainname
+ 			 */
+-			if (r->out.dns_domain_name == NULL) {
+-				continue;
+-			}
+ 			fstr_sprintf(my_fqdn, "%s.%s",
+ 				     *netbios_aliases,
+-				     r->out.dns_domain_name);
++				     lp_dnsdomain());
+ 
+ 			spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
+ 			if (spn == NULL) {
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index cc8345c4624..ef6f99ddea4 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -81,7 +81,7 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai
+ netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+ uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]')
+ lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]')
+-fqdns="$netbios.$lc_realm"
++fqdn="$netbios.$lc_realm"
+ 
+ krb_princ="primary/instance@$REALM"
+ testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+@@ -99,7 +99,7 @@ testit "test (dedicated keytab) at least one krb5 principal created from $machin
+ service="nfs"
+ testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+ 
+-search_str="$service/$fqdns@$REALM"
++search_str="$service/$fqdn@$REALM"
+ found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+ testit "test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
+ 
+@@ -206,6 +206,9 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed
+ 
+ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+ 
++testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
++testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++
+ ##Goodbye...
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
+-- 
+2.21.0
+
+
+From 4cbad1eb46896bbd74c5b19dbb0a8937ffde90c2 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 18 Sep 2019 20:00:34 +0300
+Subject: [PATCH 2/6] libnet_join_set_machine_spn: improve style and make a bit
+ room for indentation
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 95 ++++++++++++++++++------------------
+ 1 file changed, 47 insertions(+), 48 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 818b3039cb9..67ab50c68a8 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -517,7 +517,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 	/* Windows only creates HOST/shortname & HOST/fqdn. */
+ 
+ 	spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
+-	if (!spn) {
++	if (spn == NULL) {
+ 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 	}
+ 	if (!strupper_m(spn)) {
+@@ -553,60 +553,59 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		}
+ 	}
+ 
+-	netbios_aliases = lp_netbios_aliases();
+-	if (netbios_aliases != NULL) {
+-		for (; *netbios_aliases != NULL; netbios_aliases++) {
+-			/*
+-			 * Add HOST/NETBIOSNAME
+-			 */
+-			spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
+-			if (spn == NULL) {
+-				TALLOC_FREE(spn);
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
+-			if (!strupper_m(spn)) {
+-				TALLOC_FREE(spn);
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++	for (netbios_aliases = lp_netbios_aliases();
++	     netbios_aliases != NULL && *netbios_aliases != NULL;
++	     netbios_aliases++) {
++		/*
++		 * Add HOST/NETBIOSNAME
++		 */
++		spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
++		if (spn == NULL) {
++			TALLOC_FREE(spn);
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
++		if (!strupper_m(spn)) {
++			TALLOC_FREE(spn);
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
+ 
+-			ok = ads_element_in_array(spn_array, num_spns, spn);
+-			if (ok) {
+-				TALLOC_FREE(spn);
+-				continue;
+-			}
+-			ok = add_string_to_array(spn_array, spn,
+-						 &spn_array, &num_spns);
+-			if (!ok) {
+-				TALLOC_FREE(spn);
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++		ok = ads_element_in_array(spn_array, num_spns, spn);
++		if (ok) {
++			TALLOC_FREE(spn);
++			continue;
++		}
++		ok = add_string_to_array(spn_array, spn,
++					 &spn_array, &num_spns);
++		if (!ok) {
+ 			TALLOC_FREE(spn);
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
++		TALLOC_FREE(spn);
+ 
+-			/*
+-			 * Add HOST/netbiosname.domainname
+-			 */
+-			fstr_sprintf(my_fqdn, "%s.%s",
+-				     *netbios_aliases,
+-				     lp_dnsdomain());
++		/*
++		 * Add HOST/netbiosname.domainname
++		 */
++		fstr_sprintf(my_fqdn, "%s.%s",
++			     *netbios_aliases,
++			     lp_dnsdomain());
+ 
+-			spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
+-			if (spn == NULL) {
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++		spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++		if (spn == NULL) {
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
+ 
+-			ok = ads_element_in_array(spn_array, num_spns, spn);
+-			if (ok) {
+-				TALLOC_FREE(spn);
+-				continue;
+-			}
+-			ok = add_string_to_array(spn_array, spn,
+-						 &spn_array, &num_spns);
+-			if (!ok) {
+-				TALLOC_FREE(spn);
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++		ok = ads_element_in_array(spn_array, num_spns, spn);
++		if (ok) {
++			TALLOC_FREE(spn);
++			continue;
++		}
++		ok = add_string_to_array(spn_array, spn,
++					 &spn_array, &num_spns);
++		if (!ok) {
+ 			TALLOC_FREE(spn);
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 		}
++		TALLOC_FREE(spn);
+ 	}
+ 
+ 	/* make sure to NULL terminate the array */
+-- 
+2.21.0
+
+
+From b8e1264ececf38681ca9a519a51e8336044673f0 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 18 Sep 2019 21:29:47 +0300
+Subject: [PATCH 3/6] libnet_join_set_machine_spn: simplify memory handling
+
+and avoid a possible memory leak when passing null to
+add_string_to_array() as mem_ctx.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 74 ++++++++++++++++++++----------------
+ 1 file changed, 42 insertions(+), 32 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 67ab50c68a8..43035370526 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -490,6 +490,7 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
+ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 					      struct libnet_JoinCtx *r)
+ {
++	TALLOC_CTX *frame = talloc_stackframe();
+ 	ADS_STATUS status;
+ 	ADS_MODLIST mods;
+ 	fstring my_fqdn;
+@@ -506,7 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		return status;
+ 	}
+ 
+-	status = libnet_join_get_machine_spns(mem_ctx,
++	status = libnet_join_get_machine_spns(frame,
+ 					      r,
+ 					      discard_const_p(char **, &spn_array),
+ 					      &num_spns);
+@@ -516,40 +517,46 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 
+ 	/* Windows only creates HOST/shortname & HOST/fqdn. */
+ 
+-	spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
++	spn = talloc_asprintf(frame, "HOST/%s", r->in.machine_name);
+ 	if (spn == NULL) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 	if (!strupper_m(spn)) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+ 	ok = ads_element_in_array(spn_array, num_spns, spn);
+ 	if (!ok) {
+-		ok = add_string_to_array(spn_array, spn,
++		ok = add_string_to_array(frame, spn,
+ 					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 	}
+ 
+ 	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+ 
+ 	if (!strlower_m(my_fqdn)) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+-	spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++	spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
+ 	if (spn == NULL) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+ 	ok = ads_element_in_array(spn_array, num_spns, spn);
+ 	if (!ok) {
+-		ok = add_string_to_array(spn_array, spn,
++		ok = add_string_to_array(frame, spn,
+ 					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 	}
+ 
+@@ -559,28 +566,26 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		/*
+ 		 * Add HOST/NETBIOSNAME
+ 		 */
+-		spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
++		spn = talloc_asprintf(frame, "HOST/%s", *netbios_aliases);
+ 		if (spn == NULL) {
+-			TALLOC_FREE(spn);
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 		if (!strupper_m(spn)) {
+-			TALLOC_FREE(spn);
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 
+ 		ok = ads_element_in_array(spn_array, num_spns, spn);
+ 		if (ok) {
+-			TALLOC_FREE(spn);
+ 			continue;
+ 		}
+ 		ok = add_string_to_array(spn_array, spn,
+ 					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			TALLOC_FREE(spn);
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+-		TALLOC_FREE(spn);
+ 
+ 		/*
+ 		 * Add HOST/netbiosname.domainname
+@@ -589,51 +594,56 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 			     *netbios_aliases,
+ 			     lp_dnsdomain());
+ 
+-		spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++		spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
+ 		if (spn == NULL) {
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 
+ 		ok = ads_element_in_array(spn_array, num_spns, spn);
+ 		if (ok) {
+-			TALLOC_FREE(spn);
+ 			continue;
+ 		}
+ 		ok = add_string_to_array(spn_array, spn,
+ 					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			TALLOC_FREE(spn);
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+-		TALLOC_FREE(spn);
+ 	}
+ 
+ 	/* make sure to NULL terminate the array */
+-	spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
++	spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1);
+ 	if (spn_array == NULL) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 	spn_array[num_spns] = NULL;
+ 
+ 	mods = ads_init_mods(mem_ctx);
+ 	if (!mods) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+ 	/* fields of primary importance */
+ 
+ 	status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
+ 	if (!ADS_ERR_OK(status)) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+ 	status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
+ 				 spn_array);
+ 	if (!ADS_ERR_OK(status)) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+-	return ads_gen_mod(r->in.ads, r->out.dn, mods);
++	status = ads_gen_mod(r->in.ads, r->out.dn, mods);
++
++done:
++	TALLOC_FREE(frame);
++	return status;
+ }
+ 
+ /****************************************************************
+-- 
+2.21.0
+
+
+From 3e65f72b141a7ee256ae581e5f48f1d930aed76a Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 18 Sep 2019 23:15:57 +0300
+Subject: [PATCH 4/6] libnet_join_set_machine_spn: simplify adding uniq spn to
+ array
+
+and do not skip adding a fully qualified spn to netbios-aliases
+in case a short spn already existed.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 56 +++++++++++++++---------------------
+ 1 file changed, 23 insertions(+), 33 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 43035370526..a1d8a25bbc2 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -483,6 +483,19 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
+ 	return status;
+ }
+ 
++static ADS_STATUS add_uniq_spn(TALLOC_CTX *mem_ctx, const  char *spn,
++			       const char ***array, size_t *num)
++{
++	bool ok = ads_element_in_array(*array, *num, spn);
++	if (!ok) {
++		ok = add_string_to_array(mem_ctx, spn, array, num);
++		if (!ok) {
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
++	}
++	return ADS_SUCCESS;
++}
++
+ /****************************************************************
+  Set a machines dNSHostName and servicePrincipalName attributes
+ ****************************************************************/
+@@ -497,7 +510,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 	const char **spn_array = NULL;
+ 	size_t num_spns = 0;
+ 	char *spn = NULL;
+-	bool ok;
+ 	const char **netbios_aliases = NULL;
+ 
+ 	/* Find our DN */
+@@ -527,14 +539,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		goto done;
+ 	}
+ 
+-	ok = ads_element_in_array(spn_array, num_spns, spn);
+-	if (!ok) {
+-		ok = add_string_to_array(frame, spn,
+-					 &spn_array, &num_spns);
+-		if (!ok) {
+-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			goto done;
+-		}
++	status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++	if (!ADS_ERR_OK(status)) {
++		goto done;
+ 	}
+ 
+ 	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+@@ -550,14 +557,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		goto done;
+ 	}
+ 
+-	ok = ads_element_in_array(spn_array, num_spns, spn);
+-	if (!ok) {
+-		ok = add_string_to_array(frame, spn,
+-					 &spn_array, &num_spns);
+-		if (!ok) {
+-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			goto done;
+-		}
++	status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++	if (!ADS_ERR_OK(status)) {
++		goto done;
+ 	}
+ 
+ 	for (netbios_aliases = lp_netbios_aliases();
+@@ -576,14 +578,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 			goto done;
+ 		}
+ 
+-		ok = ads_element_in_array(spn_array, num_spns, spn);
+-		if (ok) {
+-			continue;
+-		}
+-		ok = add_string_to_array(spn_array, spn,
+-					 &spn_array, &num_spns);
+-		if (!ok) {
+-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++		if (!ADS_ERR_OK(status)) {
+ 			goto done;
+ 		}
+ 
+@@ -600,14 +596,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 			goto done;
+ 		}
+ 
+-		ok = ads_element_in_array(spn_array, num_spns, spn);
+-		if (ok) {
+-			continue;
+-		}
+-		ok = add_string_to_array(spn_array, spn,
+-					 &spn_array, &num_spns);
+-		if (!ok) {
+-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++		if (!ADS_ERR_OK(status)) {
+ 			goto done;
+ 		}
+ 	}
+-- 
+2.21.0
+
+
+From db7560ff0fb861552406bb4c422cff55c82f58bf Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 17 Sep 2019 21:38:07 +0300
+Subject: [PATCH 5/6] docs-xml: add "additional dns hostnames" smb.conf option
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ docs-xml/smbdotconf/base/additionaldnshostnames.xml | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/base/additionaldnshostnames.xml
+
+diff --git a/docs-xml/smbdotconf/base/additionaldnshostnames.xml b/docs-xml/smbdotconf/base/additionaldnshostnames.xml
+new file mode 100644
+index 00000000000..ddc04ee9f81
+--- /dev/null
++++ b/docs-xml/smbdotconf/base/additionaldnshostnames.xml
+@@ -0,0 +1,11 @@
++<samba:parameter name="additional dns hostnames"
++                 context="G"
++                 type="cmdlist"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++ <description>
++        <para> A list of additional DNS names by which this host can be identified
++        </para>
++</description>
++<value type="default"><comment>empty string (no additional dns names)</comment></value>
++<value type="example"> host2.example.com host3.other.com </value>
++</samba:parameter>
+-- 
+2.21.0
+
+
+From 2669cecc51f8f7d6675b4dac9b345b3c5a7fc879 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 13 Sep 2019 10:56:10 +0300
+Subject: [PATCH 6/6] libnet_join: add SPNs for additional-dns-hostnames
+ entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+and set msDS-AdditionalDnsHostName to the specified list.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184
+---
+ source3/libnet/libnet_join.c       | 27 +++++++++++++++++++++++++++
+ testprogs/blackbox/test_net_ads.sh | 10 +++++++++-
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index a1d8a25bbc2..eb8e0ea17f7 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -511,6 +511,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 	size_t num_spns = 0;
+ 	char *spn = NULL;
+ 	const char **netbios_aliases = NULL;
++	const char **addl_hostnames = NULL;
+ 
+ 	/* Find our DN */
+ 
+@@ -602,6 +603,22 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		}
+ 	}
+ 
++	for (addl_hostnames = lp_additional_dns_hostnames();
++	     addl_hostnames != NULL && *addl_hostnames != NULL;
++	     addl_hostnames++) {
++
++		spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames);
++		if (spn == NULL) {
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
++		}
++
++		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++		if (!ADS_ERR_OK(status)) {
++			goto done;
++		}
++	}
++
+ 	/* make sure to NULL terminate the array */
+ 	spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1);
+ 	if (spn_array == NULL) {
+@@ -629,6 +646,16 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		goto done;
+ 	}
+ 
++	addl_hostnames = lp_additional_dns_hostnames();
++	if (addl_hostnames != NULL && *addl_hostnames != NULL) {
++		status = ads_mod_strlist(mem_ctx, &mods,
++					 "msDS-AdditionalDnsHostName",
++					 addl_hostnames);
++		if (!ADS_ERR_OK(status)) {
++			goto done;
++		}
++	}
++
+ 	status = ads_gen_mod(r->in.ads, r->out.dn, mods);
+ 
+ done:
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index ef6f99ddea4..8bcff006b8e 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -202,13 +202,21 @@ base_dn="DC=addom,DC=samba,DC=example,DC=com"
+ computers_dn="CN=Computers,$base_dn"
+ testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1`
+ 
+-testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++dns_alias1="${netbios}_alias1.other.${lc_realm}"
++dns_alias2="${netbios}_alias2.other2.${lc_realm}"
++testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
+ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+ 
+ testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
+ testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+ 
++testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++
++testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
++testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
++
+ ##Goodbye...
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
+-- 
+2.21.0
+
diff --git a/SOURCES/samba-4.10-fix-spnego-downgrade.patch b/SOURCES/samba-4.10-fix-spnego-downgrade.patch
new file mode 100644
index 0000000..0f3c786
--- /dev/null
+++ b/SOURCES/samba-4.10-fix-spnego-downgrade.patch
@@ -0,0 +1,160 @@
+From 55d19011faa99fae6ddcd778e433a0b253e0c7b4 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 4 Sep 2019 16:31:21 +0300
+Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic
+ token
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/gensec/spnego.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 0b3fbdce7ac..6bb5c8b6417 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -136,6 +136,7 @@ struct spnego_state {
+ 	bool done_mic_check;
+ 
+ 	bool simulate_w2k;
++	bool no_optimistic;
+ 
+ 	/*
+ 	 * The following is used to implement
+@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
+ 
+ 	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ 						"spnego", "simulate_w2k", false);
++	spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
++							  "spnego",
++							  "client_no_optimistic",
++							  false);
+ 
+ 	gensec_security->private_data = spnego_state;
+ 	return NT_STATUS_OK;
+@@ -1923,6 +1928,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ 		 * blob and NT_STATUS_OK.
+ 		 */
+ 		state->sub.status = NT_STATUS_OK;
++	} else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
++		   spnego_state->no_optimistic) {
++		/*
++		 * Skip optimistic token per conf.
++		 */
++		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ 	} else {
+ 		/*
+ 		 * MORE_PROCESSING_REQUIRED =>
+-- 
+2.21.0
+
+
+From e03ce41c911d5fead3f11c2eedce6baf7164e232 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 4 Sep 2019 16:39:43 +0300
+Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/knownfail.d/spnego_no_optimistic | 1 +
+ source4/selftest/tests.py                 | 4 ++++
+ 2 files changed, 5 insertions(+)
+ create mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+new file mode 100644
+index 00000000000..54f51446be0
+--- /dev/null
++++ b/selftest/knownfail.d/spnego_no_optimistic
+@@ -0,0 +1 @@
++^samba4.smb.spnego.*.no_optimistic
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index aa54308c524..9c3c77f1c56 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -513,6 +513,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha
+ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon")
+ plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon")
+ 
++# Test SPNEGO without issuing an optimistic token
++opt='--option=spnego:client_no_optimistic=yes'
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic")
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic")
+ 
+ wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""]
+ 
+-- 
+2.21.0
+
+
+From 7e1be4ab8ff1ab8869b79f42828489dfa5450f2b Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 4 Sep 2019 17:04:12 +0300
+Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
+---
+ auth/gensec/spnego.c                      | 13 +++++++++++++
+ selftest/knownfail.d/spnego_no_optimistic |  1 -
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+ delete mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 6bb5c8b6417..5f78267281d 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -1300,6 +1300,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
+ 			spnego_state->mic_requested = true;
+ 		}
+ 
++		if (sub_in.length == 0) {
++			spnego_state->no_optimistic = true;
++		}
++
+ 		/*
+ 		 * Note that 'cur_sec' is temporary memory, but
+ 		 * cur_sec->oid points to a const string in the
+@@ -1934,6 +1938,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ 		 * Skip optimistic token per conf.
+ 		 */
+ 		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++	} else if (spnego_state->state_position == SPNEGO_SERVER_START &&
++		   state->sub.in.length == 0 && spnego_state->no_optimistic) {
++		/*
++		 * If we didn't like the mechanism for which the client sent us
++		 * an optimistic token, or if he didn't send any, don't call
++		 * the sub mechanism just yet.
++		 */
++		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++		spnego_state->no_optimistic = false;
+ 	} else {
+ 		/*
+ 		 * MORE_PROCESSING_REQUIRED =>
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+deleted file mode 100644
+index 54f51446be0..00000000000
+--- a/selftest/knownfail.d/spnego_no_optimistic
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba4.smb.spnego.*.no_optimistic
+-- 
+2.21.0
+
diff --git a/SOURCES/samba-4.10-fix_gencache_debug_message.patch b/SOURCES/samba-4.10-fix_gencache_debug_message.patch
deleted file mode 100644
index 2440c97..0000000
--- a/SOURCES/samba-4.10-fix_gencache_debug_message.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 17 Jan 2019 13:58:14 +0100
-Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries.
-
-To get correct values, we need to cast 'timeout' to 'long int' first in
-order to do calculation in that integer space! Calculations are don in
-the space of the lvalue!
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
----
- source3/lib/gencache.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
-index ab12fc1c531..9f4e1cfcaa3 100644
---- a/source3/lib/gencache.c
-+++ b/source3/lib/gencache.c
-@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob,
- 	dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len };
- 	dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length };
- 
--	DEBUG(10, ("Adding cache entry with key=[%s] and timeout="
--	           "[%s] (%d seconds %s)\n", keystr,
-+	DBG_DEBUG("Adding cache entry with key=[%s] and timeout="
-+	           "[%s] (%ld seconds %s)\n", keystr,
- 		   timestring(talloc_tos(), timeout),
--		   (int)(timeout - time(NULL)), 
--		   timeout > time(NULL) ? "ahead" : "in the past"));
-+		   ((long int)timeout) - time(NULL),
-+		   timeout > time(NULL) ? "ahead" : "in the past");
- 
- 	ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr),
- 			 dbufs, 2, 0);
--- 
-2.20.1
-
diff --git a/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch b/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch
new file mode 100644
index 0000000..b3e0247
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch
@@ -0,0 +1,1276 @@
+From 0d1179d5c3585678e6b4097425a4137b8666d333 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 8 Aug 2019 14:35:38 +0200
+Subject: [PATCH 01/11] testprogs: Fix failure count in test_net_ads.sh
+
+There are missing ` at the end of the line.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37)
+---
+ testprogs/blackbox/test_net_ads.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index d3c4de5b741..512aa9d2952 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -141,10 +141,10 @@ testit "test spn service doensn't exist in AD but is present in keytab file afte
+ # SPN parser is very basic but does detect some illegal combination
+ 
+ windows_spn="$spn_service/$spn_host:"
+-testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1
++testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+ 
+ windows_spn="$spn_service/$spn_host/"
+-testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1
++testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+ 
+ testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+ 
+-- 
+2.23.0
+
+
+From 5acc6ededece33202fe3aa26cb9de9c052e32ba2 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 13 Aug 2019 17:06:58 +0200
+Subject: [PATCH 02/11] s3:libads: Use ldap_add_ext_s() in ads_gen_add()
+
+ldap_add_s() is marked as deprecated.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64)
+---
+ source3/libads/ldap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 8d13a7cf18c..d409d4ab78e 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1596,7 +1596,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
+ 	/* make sure the end of the list is NULL */
+ 	mods[i] = NULL;
+ 
+-	ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods);
++	ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL);
+ 	ads_print_error(ret, ads->ldap.ld);
+ 	TALLOC_FREE(utf8_dn);
+ 	return ADS_ERROR(ret);
+-- 
+2.23.0
+
+
+From 17d370a97ee2c7e6359aafc0248efae90c654857 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 13 Aug 2019 17:41:40 +0200
+Subject: [PATCH 03/11] s3:libnet: Require sealed LDAP SASL connections for
+ joining
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f)
+---
+ libgpo/pygpo.c                     |  2 +-
+ source3/lib/netapi/joindomain.c    |  5 ++++-
+ source3/libads/ads_proto.h         |  9 ++++++++-
+ source3/libads/ads_struct.c        | 14 +++++++++++++-
+ source3/libads/ldap.c              |  4 ++--
+ source3/libnet/libnet_join.c       |  3 ++-
+ source3/libsmb/namequery_dc.c      |  2 +-
+ source3/printing/nt_printing_ads.c |  6 +++---
+ source3/utils/net_ads.c            | 13 +++++++++----
+ source3/winbindd/winbindd_ads.c    |  5 ++++-
+ source3/winbindd/winbindd_cm.c     |  5 ++++-
+ 11 files changed, 51 insertions(+), 17 deletions(-)
+
+diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
+index cd107318860..4db8cad7ca4 100644
+--- a/libgpo/pygpo.c
++++ b/libgpo/pygpo.c
+@@ -212,7 +212,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds)
+ 		return -1;
+ 	}
+ 
+-	self->ads_ptr = ads_init(realm, workgroup, ldap_server);
++	self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN);
+ 	if (self->ads_ptr == NULL) {
+ 		return -1;
+ 	}
+diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
+index ff2154ba803..8d0752f4531 100644
+--- a/source3/lib/netapi/joindomain.c
++++ b/source3/lib/netapi/joindomain.c
+@@ -411,7 +411,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
+ 
+ 	dc = strip_hostname(info->dc_unc);
+ 
+-	ads = ads_init(info->domain_name, info->domain_name, dc);
++	ads = ads_init(info->domain_name,
++		       info->domain_name,
++		       dc,
++		       ADS_SASL_PLAIN);
+ 	if (!ads) {
+ 		return WERR_GEN_FAILURE;
+ 	}
+diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
+index 154bf67f964..92bb3a22cdb 100644
+--- a/source3/libads/ads_proto.h
++++ b/source3/libads/ads_proto.h
+@@ -32,6 +32,12 @@
+ #ifndef _LIBADS_ADS_PROTO_H_
+ #define _LIBADS_ADS_PROTO_H_
+ 
++enum ads_sasl_state_e {
++	ADS_SASL_PLAIN = 0,
++	ADS_SASL_SIGN,
++	ADS_SASL_SEAL,
++};
++
+ /* The following definitions come from libads/ads_struct.c  */
+ 
+ char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse);
+@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm);
+ char *ads_build_domain(const char *dn);
+ ADS_STRUCT *ads_init(const char *realm,
+ 		     const char *workgroup,
+-		     const char *ldap_server);
++		     const char *ldap_server,
++		     enum ads_sasl_state_e sasl_state);
+ bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
+ void ads_destroy(ADS_STRUCT **ads);
+ 
+diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
+index 3ab682c0e38..043a1b21247 100644
+--- a/source3/libads/ads_struct.c
++++ b/source3/libads/ads_struct.c
+@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn)
+ */
+ ADS_STRUCT *ads_init(const char *realm, 
+ 		     const char *workgroup,
+-		     const char *ldap_server)
++		     const char *ldap_server,
++		     enum ads_sasl_state_e sasl_state)
+ {
+ 	ADS_STRUCT *ads;
+ 	int wrap_flags;
+@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm,
+ 		wrap_flags = 0;
+ 	}
+ 
++	switch (sasl_state) {
++	case ADS_SASL_PLAIN:
++		break;
++	case ADS_SASL_SIGN:
++		wrap_flags |= ADS_AUTH_SASL_SIGN;
++		break;
++	case ADS_SASL_SEAL:
++		wrap_flags |= ADS_AUTH_SASL_SEAL;
++		break;
++	}
++
+ 	ads->auth.flags = wrap_flags;
+ 
+ 	/* Start with the configured page size when the connection is new,
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index d409d4ab78e..7bdda4b1768 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2964,7 +2964,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
+ 
+ 	if ( !ads->ldap.ld ) {
+ 		if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, 
+-			ads->server.ldap_server )) == NULL )
++			ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
+ 		{
+ 			status = ADS_ERROR(LDAP_NO_MEMORY);
+ 			goto done;
+@@ -3026,7 +3026,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val)
+ 
+ 	if ( !ads->ldap.ld ) {
+ 		if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, 
+-			ads->server.ldap_server )) == NULL )
++			ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL )
+ 		{
+ 			status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ 			goto done;
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index b876d7ea89f..a512afc238a 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ 
+ 	my_ads = ads_init(dns_domain_name,
+ 			  netbios_domain_name,
+-			  dc_name);
++			  dc_name,
++			  ADS_SASL_SEAL);
+ 	if (!my_ads) {
+ 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 	}
+diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
+index 4ee5b5278e4..f63dde61603 100644
+--- a/source3/libsmb/namequery_dc.c
++++ b/source3/libsmb/namequery_dc.c
+@@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain,
+ 
+ 	/* Try this 3 times then give up. */
+ 	for( i =0 ; i < 3; i++) {
+-		ads = ads_init(realm, domain, NULL);
++		ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN);
+ 		if (!ads) {
+ 			TALLOC_FREE(sitename);
+ 			return False;
+diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c
+index 2588e1de7e7..a82f1361fc8 100644
+--- a/source3/printing/nt_printing_ads.c
++++ b/source3/printing/nt_printing_ads.c
+@@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer,
+ 		return WERR_NOT_ENOUGH_MEMORY;
+ 	}
+ 
+-	ads = ads_init(lp_realm(), lp_workgroup(), NULL);
++	ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
+ 	if (ads == NULL) {
+ 		result = WERR_RPC_S_SERVER_UNAVAILABLE;
+ 		goto out;
+@@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx,
+ 
+ 	TALLOC_FREE(sinfo2);
+ 
+-	ads = ads_init(lp_realm(), lp_workgroup(), NULL);
++	ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
+ 	if (!ads) {
+ 		DEBUG(3, ("ads_init() failed\n"));
+ 		win_rc = WERR_RPC_S_SERVER_UNAVAILABLE;
+@@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx)
+ 	tmp_ctx = talloc_new(NULL);
+ 	if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY;
+ 
+-	ads = ads_init(lp_realm(), lp_workgroup(), NULL);
++	ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN);
+ 	if (!ads) {
+ 		DEBUG(3, ("ads_init() failed\n"));
+ 		return WERR_RPC_S_SERVER_UNAVAILABLE;
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index d33031a0dbd..07a22098fb1 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -620,7 +620,10 @@ retry_connect:
+ 		realm = assume_own_realm(c);
+ 	}
+ 
+-	ads = ads_init(realm, c->opt_target_workgroup, c->opt_host);
++	ads = ads_init(realm,
++			c->opt_target_workgroup,
++			c->opt_host,
++			ADS_SASL_PLAIN);
+ 
+ 	if (!c->opt_user_name) {
+ 		c->opt_user_name = "administrator";
+@@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha
+ 	ADS_STRUCT *ads;
+ 	ADS_STATUS status;
+ 
+-	if ( (ads = ads_init( realm, workgroup, host )) == NULL ) {
++	ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN);
++	if (ads == NULL ) {
+ 		return -1;
+ 	}
+ 
+@@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st
+ 	 * kinit with the machine password to do dns update.
+ 	 */
+ 
+-	ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name);
++	ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN);
+ 
+ 	if (ads_dns == NULL) {
+ 		d_fprintf(stderr, _("DNS update failed: out of memory!\n"));
+@@ -2654,7 +2658,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
+ 
+ 	/* use the realm so we can eventually change passwords for users
+ 	in realms other than default */
+-	if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) {
++	ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN);
++	if (ads == NULL) {
+ 		return -1;
+ 	}
+ 
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 922ca43764b..556b4523866 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ 	/* we don't want this to affect the users ccache */
+ 	setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
+ 
+-	ads = ads_init(target_realm, target_dom_name, ldap_server);
++	ads = ads_init(target_realm,
++		       target_dom_name,
++		       ldap_server,
++		       ADS_SASL_SEAL);
+ 	if (!ads) {
+ 		DEBUG(1,("ads_init for domain %s failed\n", target_dom_name));
+ 		return ADS_ERROR(LDAP_NO_MEMORY);
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 22d3dcaa92b..4bd03ed8b7a 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
+ 
+ 		print_sockaddr(addr, sizeof(addr), pss);
+ 
+-		ads = ads_init(domain->alt_name, domain->name, addr);
++		ads = ads_init(domain->alt_name,
++			       domain->name,
++			       addr,
++			       ADS_SASL_PLAIN);
+ 		ads->auth.flags |= ADS_AUTH_NO_BIND;
+ 		ads->config.flags |= request_flags;
+ 		ads->server.no_fallback = true;
+-- 
+2.23.0
+
+
+From 244ecd7d839340858e96d75118548942b44bbd5c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 13 Aug 2019 16:30:07 +0200
+Subject: [PATCH 04/11] s3:libads: Cleanup error code paths in
+ ads_create_machine_acct()
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a)
+---
+ source3/libads/ldap.c | 34 +++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 11 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 7bdda4b1768..e492d0688a5 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2092,11 +2092,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 				   uint32_t etype_list)
+ {
+ 	ADS_STATUS ret;
+-	char *samAccountName, *controlstr;
+-	TALLOC_CTX *ctx;
++	char *samAccountName = NULL;
++	char *controlstr = NULL;
++	TALLOC_CTX *ctx = NULL;
+ 	ADS_MODLIST mods;
+ 	char *machine_escaped = NULL;
+-	char *new_dn;
++	char *new_dn = NULL;
+ 	const char *objectClass[] = {"top", "person", "organizationalPerson",
+ 				     "user", "computer", NULL};
+ 	LDAPMessage *res = NULL;
+@@ -2110,13 +2111,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 		return ret;
+ 	}
+ 
+-	if (!(ctx = talloc_init("ads_add_machine_acct")))
++	ctx = talloc_init("ads_add_machine_acct");
++	if (ctx == NULL) {
+ 		return ADS_ERROR(LDAP_NO_MEMORY);
+-
+-	ret = ADS_ERROR(LDAP_NO_MEMORY);
++	}
+ 
+ 	machine_escaped = escape_rdn_val_string_alloc(machine_name);
+-	if (!machine_escaped) {
++	if (machine_escaped == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
+ 		goto done;
+ 	}
+ 
+@@ -2131,17 +2133,26 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 	ads_msgfree(ads, res);
+ 
+ 	new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
+-	samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
++	if (new_dn == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
++		goto done;
++	}
+ 
+-	if ( !new_dn || !samAccountName ) {
++	samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
++	if (samAccountName == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
+ 		goto done;
+ 	}
+ 
+-	if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) {
++	controlstr = talloc_asprintf(ctx, "%u", acct_control);
++	if (controlstr == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
+ 		goto done;
+ 	}
+ 
+-	if (!(mods = ads_init_mods(ctx))) {
++	mods = ads_init_mods(ctx);
++	if (mods == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
+ 		goto done;
+ 	}
+ 
+@@ -2155,6 +2166,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 
+ 		etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
+ 		if (etype_list_str == NULL) {
++			ret = ADS_ERROR(LDAP_NO_MEMORY);
+ 			goto done;
+ 		}
+ 		ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
+-- 
+2.23.0
+
+
+From 8d0e49716b7039fee4785186c67de774b34bd85b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 21 Aug 2019 12:22:32 +0200
+Subject: [PATCH 05/11] s3:libads: Use a talloc_asprintf in
+ ads_find_machine_acct()
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357)
+---
+ source3/libads/ldap.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index e492d0688a5..3bc9a2a06aa 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1367,18 +1367,22 @@ char *ads_parent_dn(const char *dn)
+ 	ADS_STATUS status;
+ 	char *expr;
+ 	const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL};
++	TALLOC_CTX *frame = talloc_stackframe();
+ 
+ 	*res = NULL;
+ 
+ 	/* the easiest way to find a machine account anywhere in the tree
+ 	   is to look for hostname$ */
+-	if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) {
+-		DEBUG(1, ("asprintf failed!\n"));
+-		return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
++	expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine);
++	if (expr == NULL) {
++		status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
++		goto done;
+ 	}
+ 
+ 	status = ads_search(ads, res, expr, attrs);
+-	SAFE_FREE(expr);
++
++done:
++	TALLOC_FREE(frame);
+ 	return status;
+ }
+ 
+-- 
+2.23.0
+
+
+From be247641382d1cc730ab5cd1e8bebe92e1d3a6fc Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 14 Aug 2019 13:01:19 +0200
+Subject: [PATCH 06/11] s3:libads: Fix detection if acount already exists in
+ ads_find_machine_count()
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d)
+---
+ source3/libads/ldap.c | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 3bc9a2a06aa..ec6ad61a55c 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1366,7 +1366,21 @@ char *ads_parent_dn(const char *dn)
+ {
+ 	ADS_STATUS status;
+ 	char *expr;
+-	const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL};
++	const char *attrs[] = {
++		/* This is how Windows checks for machine accounts */
++		"objectClass",
++		"SamAccountName",
++		"userAccountControl",
++		"DnsHostName",
++		"ServicePrincipalName",
++		"unicodePwd",
++
++		/* Additional attributes Samba checks */
++		"msDS-SupportedEncryptionTypes",
++		"nTSecurityDescriptor",
++
++		NULL
++	};
+ 	TALLOC_CTX *frame = talloc_stackframe();
+ 
+ 	*res = NULL;
+@@ -1380,6 +1394,11 @@ char *ads_parent_dn(const char *dn)
+ 	}
+ 
+ 	status = ads_search(ads, res, expr, attrs);
++	if (ADS_ERR_OK(status)) {
++		if (ads_count_replies(ads, *res) != 1) {
++			status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
++		}
++	}
+ 
+ done:
+ 	TALLOC_FREE(frame);
+@@ -1867,11 +1886,11 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
+ 	char *dn_string = NULL;
+ 
+ 	ret = ads_find_machine_acct(ads, &res, machine_name);
+-	if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
++	if (!ADS_ERR_OK(ret)) {
+ 		DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name));
+ 		DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name));
+ 		ads_msgfree(ads, res);
+-		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
++		return ret;
+ 	}
+ 
+ 	DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name));
+@@ -2027,12 +2046,12 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads,
+ 	const char **servicePrincipalName = spns;
+ 
+ 	ret = ads_find_machine_acct(ads, &res, machine_name);
+-	if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) {
++	if (!ADS_ERR_OK(ret)) {
+ 		DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n",
+ 			machine_name));
+ 		DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n"));
+ 		ads_msgfree(ads, res);
+-		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
++		return ret;
+ 	}
+ 
+ 	DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name));
+@@ -2127,7 +2146,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 	}
+ 
+ 	ret = ads_find_machine_acct(ads, &res, machine_escaped);
+-	if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
++	if (ADS_ERR_OK(ret)) {
+ 		DBG_DEBUG("Host account for %s already exists.\n",
+ 				machine_escaped);
+ 		ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+@@ -3684,14 +3703,15 @@ ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname)
+ 	TALLOC_FREE(hostnameDN);
+ 
+ 	status = ads_find_machine_acct(ads, &res, host);
+-	if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
++	if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
++	    (status.err.rc != LDAP_NO_SUCH_OBJECT)) {
+ 		DEBUG(3, ("Failed to remove host account.\n"));
+ 		SAFE_FREE(host);
+ 		return status;
+ 	}
+ 
+ 	SAFE_FREE(host);
+-	return status;
++	return ADS_SUCCESS;
+ }
+ 
+ /**
+-- 
+2.23.0
+
+
+From d7485cee3652a91ac199f912d656713cf1ddafa9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 14 Aug 2019 12:17:20 +0200
+Subject: [PATCH 07/11] s3:libads: Don't set supported encryption types during
+ account creation
+
+This is already handled by libnet_join_post_processing_ads_modify()
+which calls libnet_join_set_etypes() if encrytion types should be set.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38)
+---
+ source3/libads/ldap.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index ec6ad61a55c..8fbd97e25e2 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2127,12 +2127,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 	uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
+ 	                        UF_DONT_EXPIRE_PASSWD |\
+ 			        UF_ACCOUNTDISABLE );
+-	uint32_t func_level = 0;
+-
+-	ret = ads_domain_func_level(ads, &func_level);
+-	if (!ADS_ERR_OK(ret)) {
+-		return ret;
+-	}
+ 
+ 	ctx = talloc_init("ads_add_machine_acct");
+ 	if (ctx == NULL) {
+@@ -2184,18 +2178,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 	ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
+ 	ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
+ 
+-	if (func_level >= DS_DOMAIN_FUNCTION_2008) {
+-		const char *etype_list_str;
+-
+-		etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list);
+-		if (etype_list_str == NULL) {
+-			ret = ADS_ERROR(LDAP_NO_MEMORY);
+-			goto done;
+-		}
+-		ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes",
+-			    etype_list_str);
+-	}
+-
+ 	ret = ads_gen_add(ads, new_dn, mods);
+ 
+ done:
+-- 
+2.23.0
+
+
+From f8f7158ac639c516e6dcdeca9d41b94ba6d06134 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 13 Aug 2019 16:34:34 +0200
+Subject: [PATCH 08/11] s3:libads: Fix creating machine account using LDAP
+
+This implements the same behaviour as Windows.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit ce7762935051c862ecdd3e82d93096aac61dd292)
+---
+ source3/libads/ads_proto.h   |   4 +-
+ source3/libads/ldap.c        | 118 +++++++++++++++++++++++++++++++----
+ source3/libnet/libnet_join.c |  23 ++++---
+ 3 files changed, 124 insertions(+), 21 deletions(-)
+
+diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
+index 92bb3a22cdb..495ef5d3325 100644
+--- a/source3/libads/ads_proto.h
++++ b/source3/libads/ads_proto.h
+@@ -114,8 +114,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_
+                                           const char **spns);
+ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 				   const char *machine_name,
++				   const char *machine_password,
+ 				   const char *org_unit,
+-				   uint32_t etype_list);
++				   uint32_t etype_list,
++				   const char *dns_domain_name);
+ ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name,
+                                  const char *org_unit, bool *moved);
+ int ads_count_replies(ADS_STRUCT *ads, void *res);
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 8fbd97e25e2..81efda0cf30 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1516,7 +1516,6 @@ ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ 			       name, (const void **) vals);
+ }
+ 
+-#if 0
+ /**
+  * Add a single ber-encoded value to a mod list
+  * @param ctx An initialized TALLOC_CTX
+@@ -1537,7 +1536,6 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ 	return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES,
+ 			       name, (const void **) values);
+ }
+-#endif
+ 
+ static void ads_print_error(int ret, LDAP *ld)
+ {
+@@ -2111,8 +2109,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads,
+ 
+ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 				   const char *machine_name,
++				   const char *machine_password,
+ 				   const char *org_unit,
+-				   uint32_t etype_list)
++				   uint32_t etype_list,
++				   const char *dns_domain_name)
+ {
+ 	ADS_STATUS ret;
+ 	char *samAccountName = NULL;
+@@ -2120,13 +2120,23 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 	TALLOC_CTX *ctx = NULL;
+ 	ADS_MODLIST mods;
+ 	char *machine_escaped = NULL;
++	char *dns_hostname = NULL;
+ 	char *new_dn = NULL;
+-	const char *objectClass[] = {"top", "person", "organizationalPerson",
+-				     "user", "computer", NULL};
++	char *utf8_pw = NULL;
++	size_t utf8_pw_len = 0;
++	char *utf16_pw = NULL;
++	size_t utf16_pw_len = 0;
++	struct berval machine_pw_val;
++	bool ok;
++	const char **spn_array = NULL;
++	size_t num_spns = 0;
++	const char *spn_prefix[] = {
++		"HOST",
++		"RestrictedKrbHost",
++	};
++	size_t i;
+ 	LDAPMessage *res = NULL;
+-	uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\
+-	                        UF_DONT_EXPIRE_PASSWD |\
+-			        UF_ACCOUNTDISABLE );
++	uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT;
+ 
+ 	ctx = talloc_init("ads_add_machine_acct");
+ 	if (ctx == NULL) {
+@@ -2139,10 +2149,9 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 		goto done;
+ 	}
+ 
++	/* Check if the machine account already exists. */
+ 	ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ 	if (ADS_ERR_OK(ret)) {
+-		DBG_DEBUG("Host account for %s already exists.\n",
+-				machine_escaped);
+ 		ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+ 		ads_msgfree(ads, res);
+ 		goto done;
+@@ -2155,28 +2164,111 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 		goto done;
+ 	}
+ 
++	/* Create machine account */
++
+ 	samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+ 	if (samAccountName == NULL) {
+ 		ret = ADS_ERROR(LDAP_NO_MEMORY);
+ 		goto done;
+ 	}
+ 
++	dns_hostname = talloc_asprintf(ctx,
++				       "%s.%s",
++				       machine_name,
++				       dns_domain_name);
++	if (dns_hostname == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
++		goto done;
++	}
++
++	/* Add dns_hostname SPNs */
++	for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
++		char *spn = talloc_asprintf(ctx,
++					    "%s/%s",
++					    spn_prefix[i],
++					    dns_hostname);
++		if (spn == NULL) {
++			ret = ADS_ERROR(LDAP_NO_MEMORY);
++			goto done;
++		}
++
++		ok = add_string_to_array(spn_array,
++					 spn,
++					 &spn_array,
++					 &num_spns);
++		if (!ok) {
++			ret = ADS_ERROR(LDAP_NO_MEMORY);
++			goto done;
++		}
++	}
++
++	/* Add machine_name SPNs */
++	for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) {
++		char *spn = talloc_asprintf(ctx,
++					    "%s/%s",
++					    spn_prefix[i],
++					    machine_name);
++		if (spn == NULL) {
++			ret = ADS_ERROR(LDAP_NO_MEMORY);
++			goto done;
++		}
++
++		ok = add_string_to_array(spn_array,
++					 spn,
++					 &spn_array,
++					 &num_spns);
++		if (!ok) {
++			ret = ADS_ERROR(LDAP_NO_MEMORY);
++			goto done;
++		}
++	}
++
++	/* Make sure to NULL terminate the array */
++	spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1);
++	if (spn_array == NULL) {
++		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++	}
++	spn_array[num_spns] = NULL;
++
+ 	controlstr = talloc_asprintf(ctx, "%u", acct_control);
+ 	if (controlstr == NULL) {
+ 		ret = ADS_ERROR(LDAP_NO_MEMORY);
+ 		goto done;
+ 	}
+ 
++	utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
++	if (utf8_pw == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
++		goto done;
++	}
++	utf8_pw_len = strlen(utf8_pw);
++
++	ok = convert_string_talloc(ctx,
++				   CH_UTF8, CH_UTF16MUNGED,
++				   utf8_pw, utf8_pw_len,
++				   (void *)&utf16_pw, &utf16_pw_len);
++	if (!ok) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
++		goto done;
++	}
++
++	machine_pw_val = (struct berval) {
++		.bv_val = utf16_pw,
++		.bv_len = utf16_pw_len,
++	};
++
+ 	mods = ads_init_mods(ctx);
+ 	if (mods == NULL) {
+ 		ret = ADS_ERROR(LDAP_NO_MEMORY);
+ 		goto done;
+ 	}
+ 
+-	ads_mod_str(ctx, &mods, "cn", machine_name);
+-	ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName);
+-	ads_mod_strlist(ctx, &mods, "objectClass", objectClass);
++	ads_mod_str(ctx, &mods, "objectClass", "Computer");
++	ads_mod_str(ctx, &mods, "SamAccountName", samAccountName);
+ 	ads_mod_str(ctx, &mods, "userAccountControl", controlstr);
++	ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname);
++	ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array);
++	ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val);
+ 
+ 	ret = ads_gen_add(ads, new_dn, mods);
+ 
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index a512afc238a..d5c8599beee 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -338,10 +338,22 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
+ 	/* Attempt to create the machine account and bail if this fails.
+ 	   Assume that the admin wants exactly what they requested */
+ 
++	if (r->in.machine_password == NULL) {
++		r->in.machine_password =
++			trust_pw_new_value(mem_ctx,
++					   r->in.secure_channel_type,
++					   SEC_ADS);
++		if (r->in.machine_password == NULL) {
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
++	}
++
+ 	status = ads_create_machine_acct(r->in.ads,
+ 					 r->in.machine_name,
++					 r->in.machine_password,
+ 					 r->in.account_ou,
+-					 r->in.desired_encryption_types);
++					 r->in.desired_encryption_types,
++					 r->out.dns_domain_name);
+ 
+ 	if (ADS_ERR_OK(status)) {
+ 		DEBUG(1,("machine account creation created\n"));
+@@ -2668,12 +2680,11 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+ 		if (ADS_ERR_OK(ads_status)) {
+ 
+ 			/*
+-			 * LDAP object create succeeded, now go to the rpc
+-			 * password set routines
++			 * LDAP object creation succeeded.
+ 			 */
+-
+ 			r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
+-			goto rpc_join;
++
++			return WERR_OK;
+ 		}
+ 
+ 		if (initial_account_ou != NULL) {
+@@ -2687,8 +2698,6 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+ 		DBG_INFO("Failed to pre-create account in OU %s: %s\n",
+ 			 r->in.account_ou, ads_errstr(ads_status));
+ 	}
+- rpc_join:
+-
+ #endif /* HAVE_ADS */
+ 
+ 	if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
+-- 
+2.23.0
+
+
+From f37eaa71dbd1cb206e8f3bcf251fc42308aa561d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 14 Aug 2019 10:15:19 +0200
+Subject: [PATCH 09/11] s3:libnet: Improve debug messages
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94)
+---
+ source3/libnet/libnet_join.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index d5c8599beee..31d1d221ed3 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -356,7 +356,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
+ 					 r->out.dns_domain_name);
+ 
+ 	if (ADS_ERR_OK(status)) {
+-		DEBUG(1,("machine account creation created\n"));
++		DBG_WARNING("Machine account successfully created\n");
+ 		return status;
+ 	} else  if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
+ 		    (status.err.rc == LDAP_ALREADY_EXISTS)) {
+@@ -364,7 +364,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
+ 	}
+ 
+ 	if (!ADS_ERR_OK(status)) {
+-		DEBUG(1,("machine account creation failed\n"));
++		DBG_WARNING("Failed to create machine account\n");
+ 		return status;
+ 	}
+ 
+-- 
+2.23.0
+
+
+From d590cf9739393e15aa4d9cc86ca56f93db6f1a2b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 8 Aug 2019 14:40:04 +0200
+Subject: [PATCH 10/11] s3:libads: Just change the machine password if account
+ already exists
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884
+
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 14f320fa1e40ecc3a43dabb0cecd57430270a521)
+---
+ source3/libads/ldap.c        | 167 ++++++++++++++++++++++++++++++-----
+ source3/libnet/libnet_join.c |   1 +
+ 2 files changed, 146 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 81efda0cf30..afae46d2e79 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2098,6 +2098,127 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads,
+ 	return ret;
+ }
+ 
++static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads,
++				  LDAPMessage *msg)
++{
++	uint32_t acct_ctrl = 0;
++	bool ok;
++
++	ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl);
++	if (!ok) {
++		return 0;
++	}
++
++	return acct_ctrl;
++}
++
++static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads,
++					  LDAPMessage *msg,
++					  const struct berval *machine_pw_val)
++{
++	ADS_MODLIST mods;
++	ADS_STATUS ret;
++	TALLOC_CTX *frame = talloc_stackframe();
++	uint32_t acct_control;
++	char *control_str = NULL;
++	const char *attrs[] = {
++		"objectSid",
++		NULL
++	};
++	LDAPMessage *res = NULL;
++	char *dn = NULL;
++
++	dn = ads_get_dn(ads, frame, msg);
++	if (dn == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
++		goto done;
++	}
++
++	acct_control = ads_get_acct_ctrl(ads, msg);
++	if (acct_control == 0) {
++		ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
++		goto done;
++	}
++
++	/*
++	 * Changing the password, disables the account. So we need to change the
++	 * userAccountControl flags to enable it again.
++	 */
++	mods = ads_init_mods(frame);
++	if (mods == NULL) {
++		ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
++	}
++
++	ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val);
++
++	ret = ads_gen_mod(ads, dn, mods);
++	if (!ADS_ERR_OK(ret)) {
++		goto done;
++	}
++	TALLOC_FREE(mods);
++
++	/*
++	 * To activate the account, we need to disable and enable it.
++	 */
++	acct_control |= UF_ACCOUNTDISABLE;
++
++	control_str = talloc_asprintf(frame, "%u", acct_control);
++	if (control_str == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
++		goto done;
++	}
++
++	mods = ads_init_mods(frame);
++	if (mods == NULL) {
++		ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
++	}
++
++	ads_mod_str(frame, &mods, "userAccountControl", control_str);
++
++	ret = ads_gen_mod(ads, dn, mods);
++	if (!ADS_ERR_OK(ret)) {
++		goto done;
++	}
++	TALLOC_FREE(mods);
++	TALLOC_FREE(control_str);
++
++	/*
++	 * Enable the account again.
++	 */
++	acct_control &= ~UF_ACCOUNTDISABLE;
++
++	control_str = talloc_asprintf(frame, "%u", acct_control);
++	if (control_str == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
++		goto done;
++	}
++
++	mods = ads_init_mods(frame);
++	if (mods == NULL) {
++		ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
++	}
++
++	ads_mod_str(frame, &mods, "userAccountControl", control_str);
++
++	ret = ads_gen_mod(ads, dn, mods);
++	if (!ADS_ERR_OK(ret)) {
++		goto done;
++	}
++	TALLOC_FREE(mods);
++	TALLOC_FREE(control_str);
++
++	ret = ads_search_dn(ads, &res, dn, attrs);
++	ads_msgfree(ads, res);
++
++done:
++	talloc_free(frame);
++
++	return ret;
++}
++
+ /**
+  * adds a machine account to the ADS server
+  * @param ads An intialized ADS_STRUCT
+@@ -2149,11 +2270,34 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 		goto done;
+ 	}
+ 
++	utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
++	if (utf8_pw == NULL) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
++		goto done;
++	}
++	utf8_pw_len = strlen(utf8_pw);
++
++	ok = convert_string_talloc(ctx,
++				   CH_UTF8, CH_UTF16MUNGED,
++				   utf8_pw, utf8_pw_len,
++				   (void *)&utf16_pw, &utf16_pw_len);
++	if (!ok) {
++		ret = ADS_ERROR(LDAP_NO_MEMORY);
++		goto done;
++	}
++
++	machine_pw_val = (struct berval) {
++		.bv_val = utf16_pw,
++		.bv_len = utf16_pw_len,
++	};
++
+ 	/* Check if the machine account already exists. */
+ 	ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ 	if (ADS_ERR_OK(ret)) {
+-		ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
++		/* Change the machine account password */
++		ret = ads_change_machine_acct(ads, res, &machine_pw_val);
+ 		ads_msgfree(ads, res);
++
+ 		goto done;
+ 	}
+ 	ads_msgfree(ads, res);
+@@ -2236,27 +2380,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 		goto done;
+ 	}
+ 
+-	utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password);
+-	if (utf8_pw == NULL) {
+-		ret = ADS_ERROR(LDAP_NO_MEMORY);
+-		goto done;
+-	}
+-	utf8_pw_len = strlen(utf8_pw);
+-
+-	ok = convert_string_talloc(ctx,
+-				   CH_UTF8, CH_UTF16MUNGED,
+-				   utf8_pw, utf8_pw_len,
+-				   (void *)&utf16_pw, &utf16_pw_len);
+-	if (!ok) {
+-		ret = ADS_ERROR(LDAP_NO_MEMORY);
+-		goto done;
+-	}
+-
+-	machine_pw_val = (struct berval) {
+-		.bv_val = utf16_pw,
+-		.bv_len = utf16_pw_len,
+-	};
+-
+ 	mods = ads_init_mods(ctx);
+ 	if (mods == NULL) {
+ 		ret = ADS_ERROR(LDAP_NO_MEMORY);
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 31d1d221ed3..1052afde641 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -968,6 +968,7 @@ static ADS_STATUS libnet_join_post_processing_ads_modify(TALLOC_CTX *mem_ctx,
+ 
+ 		if (r->in.ads->auth.ccache_name != NULL) {
+ 			ads_kdestroy(r->in.ads->auth.ccache_name);
++			r->in.ads->auth.ccache_name = NULL;
+ 		}
+ 
+ 		ads_destroy(&r->in.ads);
+-- 
+2.23.0
+
+
+From 2209c01f8069d47b47c8fc5df376cc9c41c552e1 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 22 Aug 2019 16:31:30 +0200
+Subject: [PATCH 11/11] testprogs: Add test for 'net ads join createcomputer='
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Oct  9 08:26:17 UTC 2019 on sn-devel-184
+
+(cherry picked from commit 459b43e5776180dc1540cd845b72ff78747ecd6f)
+---
+ testprogs/blackbox/test_net_ads.sh | 32 ++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 512aa9d2952..cc8345c4624 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -31,6 +31,16 @@ if [ -x "$BINDIR/ldbsearch" ]; then
+ 	ldbsearch="$BINDIR/ldbsearch"
+ fi
+ 
++ldbadd="ldbadd"
++if [ -x "$BINDIR/ldbadd" ]; then
++	ldbadd="$BINDIR/ldbadd"
++fi
++
++ldbdel="ldbdel"
++if [ -x "$BINDIR/ldbdel" ]; then
++	ldbdel="$BINDIR/ldbdel"
++fi
++
+ # Load test functions
+ . `dirname $0`/subunit.sh
+ 
+@@ -188,8 +198,9 @@ testit "testjoin user+password" $VALGRIND $net_tool ads testjoin -U$DC_USERNAME%
+ 
+ testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=`expr $failed + 1`
+ 
+-computers_ldb_ou="CN=Computers,DC=addom,DC=samba,DC=example,DC=com"
+-testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_ldb_ou" || failed=`expr $failed + 1`
++base_dn="DC=addom,DC=samba,DC=example,DC=com"
++computers_dn="CN=Computers,$base_dn"
++testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1`
+ 
+ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
+@@ -198,6 +209,23 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+ ##Goodbye...
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
++#
++# Test createcomputer option of 'net ads join'
++#
++testit "Create OU=Servers,$base_dn" $VALGRIND $ldbadd -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER <<EOF
++dn: OU=Servers,$base_dn
++objectClass: organizationalUnit
++EOF
++
++testit "join+createcomputer" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createcomputer=Servers || failed=`expr $failed + 1`
++
++testit "ldb check for existence of machine account in OU=Servers" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,OU=Servers,$base_dn" || failed=`expr $failed + 1`
++
++## Goodbye...
++testit "leave+createcomputer" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
++testit "Remove OU=Servers" $VALGRIND $ldbdel -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER "OU=Servers,$base_dn"
++
+ rm -rf $BASEDIR/$WORKDIR
+ 
+ exit $failed
+-- 
+2.23.0
+
diff --git a/SOURCES/samba-4.10-fix_smbspool.patch b/SOURCES/samba-4.10-fix_smbspool.patch
new file mode 100644
index 0000000..fa12f06
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_smbspool.patch
@@ -0,0 +1,1127 @@
+From 16056895403f3c673dc5adc531b7e739d46292fb Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 May 2019 16:55:49 +0200
+Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups
+
+This is required to access files in /var/spool/cups which have been
+temporarily created in there by CUPS.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b)
+---
+ source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index 5c4da33238b..e6684fc0d0c 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -82,6 +82,7 @@ int main(int argc, char *argv[])
+ {
+ 	char smbspool_cmd[PATH_MAX] = {0};
+ 	struct passwd *pwd;
++	struct group *g = NULL;
+ 	char gen_cc[PATH_MAX] = {0};
+ 	struct stat sb;
+ 	char *env = NULL;
+@@ -89,6 +90,7 @@ int main(int argc, char *argv[])
+ 	char device_uri[4096] = {0};
+ 	uid_t uid = (uid_t)-1;
+ 	gid_t gid = (gid_t)-1;
++	gid_t groups[1] = { (gid_t)-1 };
+ 	unsigned long tmp;
+ 	int cmp;
+ 	int rc;
+@@ -176,6 +178,26 @@ int main(int argc, char *argv[])
+ 		return CUPS_BACKEND_FAILED;
+ 	}
+ 
++	/*
++	 * We need the primary group of the 'lp' user. This is needed to access
++	 * temporary files in /var/spool/cups/.
++	 */
++	g = getgrnam("lp");
++	if (g == NULL) {
++		CUPS_SMB_ERROR("Failed to find user 'lp' - %s",
++			       strerror(errno));
++		return CUPS_BACKEND_FAILED;
++	}
++
++	CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid);
++	groups[0] = g->gr_gid;
++	rc = setgroups(sizeof(groups), groups);
++	if (rc != 0) {
++		CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s",
++			       strerror(errno));
++		return CUPS_BACKEND_FAILED;
++	}
++
+ 	CUPS_SMB_DEBUG("Switching to gid=%d", gid);
+ 	rc = setgid(gid);
+ 	if (rc != 0) {
+-- 
+2.21.0
+
+
+From a6b29458e833db85057ef1b7c0403e90f76adfa4 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 13:41:02 +0200
+Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate
+ with
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5)
+---
+ source3/client/smbspool.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 22071613677..efbdd418fdb 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -616,6 +616,7 @@ static bool kerberos_ccache_is_valid(void) {
+ 		return false;
+ 	} else {
+ 		krb5_principal default_princ = NULL;
++		char *princ_name = NULL;
+ 
+ 		code = krb5_cc_get_principal(ctx,
+ 					     ccache,
+@@ -625,6 +626,16 @@ static bool kerberos_ccache_is_valid(void) {
+ 			krb5_free_context(ctx);
+ 			return false;
+ 		}
++
++		code = krb5_unparse_name(ctx,
++					 default_princ,
++					 &princ_name);
++		if (code == 0) {
++			fprintf(stderr,
++				"DEBUG: Try to authenticate as %s\n",
++				princ_name);
++			krb5_free_unparsed_name(ctx, princ_name);
++		}
+ 		krb5_free_principal(ctx, default_princ);
+ 	}
+ 	krb5_cc_close(ctx, ccache);
+-- 
+2.21.0
+
+
+From b64ed8bb51c7c78d757881fc3944f7bc812f5457 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 14:25:00 +0200
+Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba)
+---
+ source3/client/smbspool_krb5_wrapper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index e6684fc0d0c..2cdcd372ec6 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -219,10 +219,14 @@ int main(int argc, char *argv[])
+ 	env = getenv("KRB5CCNAME");
+ 	if (env != NULL && env[0] != 0) {
+ 		snprintf(gen_cc, sizeof(gen_cc), "%s", env);
++		CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache",
++			       gen_cc);
+ 
+ 		goto create_env;
+ 	}
+ 
++	CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
++
+ 	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
+ 
+ 	rc = lstat(gen_cc, &sb);
+-- 
+2.21.0
+
+
+From 3b7be905d256955e7e8c056f14626547e08fea2d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 17:10:57 +0200
+Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858)
+---
+ source3/client/smbspool_krb5_wrapper.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index 2cdcd372ec6..3266b90ec1a 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -227,13 +227,13 @@ int main(int argc, char *argv[])
+ 
+ 	CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
+ 
+-	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
++	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
+ 
+ 	rc = lstat(gen_cc, &sb);
+ 	if (rc == 0) {
+-		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid);
++		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
+ 	} else {
+-		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid);
++		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
+ 
+ 		rc = lstat(gen_cc, &sb);
+ 		if (rc == 0 && S_ISDIR(sb.st_mode)) {
+-- 
+2.21.0
+
+
+From 6e2069b014358b6f7e04121fa39c5f2750506d78 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 17:40:43 +0200
+Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is
+ not set
+
+This could also support the new KCM credential cache storage.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3)
+---
+ source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++--------
+ source3/wscript_build                  |  1 +
+ 2 files changed, 55 insertions(+), 25 deletions(-)
+
+diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
+index 3266b90ec1a..bff1df417e8 100644
+--- a/source3/client/smbspool_krb5_wrapper.c
++++ b/source3/client/smbspool_krb5_wrapper.c
+@@ -21,6 +21,7 @@
+ 
+ #include "includes.h"
+ #include "system/filesys.h"
++#include "system/kerberos.h"
+ #include "system/passwd.h"
+ 
+ #include <errno.h>
+@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...)
+ 		buffer);
+ }
+ 
++static bool kerberos_get_default_ccache(char *ccache_buf, size_t len)
++{
++	krb5_context ctx;
++	const char *ccache_name = NULL;
++	char *full_ccache_name = NULL;
++	krb5_ccache ccache = NULL;
++	krb5_error_code code;
++
++	code = krb5_init_context(&ctx);
++	if (code != 0) {
++		return false;
++	}
++
++	ccache_name = krb5_cc_default_name(ctx);
++	if (ccache_name == NULL) {
++		krb5_free_context(ctx);
++		return false;
++	}
++
++	code = krb5_cc_resolve(ctx, ccache_name, &ccache);
++	if (code != 0) {
++		krb5_free_context(ctx);
++		return false;
++	}
++
++	code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name);
++	krb5_cc_close(ctx, ccache);
++	if (code != 0) {
++		krb5_free_context(ctx);
++		return false;
++	}
++
++	snprintf(ccache_buf, len, "%s", full_ccache_name);
++
++#ifdef SAMBA4_USES_HEIMDAL
++	free(full_ccache_name);
++#else
++	krb5_free_string(ctx, full_ccache_name);
++#endif
++	krb5_free_context(ctx);
++
++	return true;
++}
++
+ /*
+  * This is a helper binary to execute smbspool.
+  *
+@@ -84,7 +129,6 @@ int main(int argc, char *argv[])
+ 	struct passwd *pwd;
+ 	struct group *g = NULL;
+ 	char gen_cc[PATH_MAX] = {0};
+-	struct stat sb;
+ 	char *env = NULL;
+ 	char auth_info_required[256] = {0};
+ 	char device_uri[4096] = {0};
+@@ -92,6 +136,7 @@ int main(int argc, char *argv[])
+ 	gid_t gid = (gid_t)-1;
+ 	gid_t groups[1] = { (gid_t)-1 };
+ 	unsigned long tmp;
++	bool ok;
+ 	int cmp;
+ 	int rc;
+ 
+@@ -225,32 +270,16 @@ int main(int argc, char *argv[])
+ 		goto create_env;
+ 	}
+ 
+-	CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
+-
+-	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
+-
+-	rc = lstat(gen_cc, &sb);
+-	if (rc == 0) {
+-		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
+-	} else {
+-		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
+-
+-		rc = lstat(gen_cc, &sb);
+-		if (rc == 0 && S_ISDIR(sb.st_mode)) {
+-			snprintf(gen_cc,
+-				 sizeof(gen_cc),
+-				 "DIR:/run/user/%d/krb5cc",
+-				 uid);
+-		} else {
+-#if defined(__linux__)
+-			snprintf(gen_cc,
+-				 sizeof(gen_cc),
+-				 "KEYRING:persistent:%d",
+-				 uid);
+-#endif
+-		}
++	ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc));
++	if (ok) {
++		CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]",
++			       gen_cc);
++		goto create_env;
+ 	}
+ 
++	/* Fallback to a FILE ccache */
++	snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
++
+ create_env:
+ 	/*
+ 	 * Make sure we do not have LD_PRELOAD or other security relevant
+diff --git a/source3/wscript_build b/source3/wscript_build
+index f67ce59fe52..8e34b7d0261 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -1134,6 +1134,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
+                  deps='''
+                       DYNCONFIG
+                       cups
++                      krb5
+                       ''',
+                  install_path='${LIBEXECDIR}/samba',
+                  enabled=bld.CONFIG_SET('HAVE_CUPS'))
+-- 
+2.21.0
+
+
+From d6673500b639ad1402014aa35113bd395e35d4f5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 May 2019 16:48:31 +0200
+Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd)
+---
+ source3/client/smbspool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index efbdd418fdb..ef16c2bed42 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -224,7 +224,9 @@ main(int argc,			/* I - Number of command-line arguments */
+ 
+ 		fp = fopen(print_file, "rb");
+ 		if (fp == NULL) {
+-			perror("ERROR: Unable to open print file");
++			fprintf(stderr,
++				"ERROR: Unable to open print file: %s",
++				print_file);
+ 			goto done;
+ 		}
+ 
+-- 
+2.21.0
+
+
+From ea931f33d92506cdab17a7b746e43831d6bf2112 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 May 2019 18:54:02 +0200
+Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos
+
+If username and password is given, then fallback to NTLM. However try
+kinit first. Also we correctly handle NULL passwords in the meantime and
+this makes it easier to deal with issues.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d)
+---
+ source3/client/smbspool.c | 90 ++++++++++++++++++++++-----------------
+ 1 file changed, 51 insertions(+), 39 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index ef16c2bed42..f21aac2ac58 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -88,8 +88,8 @@ main(int argc,			/* I - Number of command-line arguments */
+ 	int             port;	/* Port number */
+ 	char            uri[1024],	/* URI */
+ 	               *sep,	/* Pointer to separator */
+-	               *tmp, *tmp2,	/* Temp pointers to do escaping */
+-	               *password;	/* Password */
++	               *tmp, *tmp2;	/* Temp pointers to do escaping */
++	const char     *password = NULL;	/* Password */
+ 	char           *username,	/* Username */
+ 	               *server,	/* Server name */
+ 	               *printer;/* Printer name */
+@@ -293,8 +293,6 @@ main(int argc,			/* I - Number of command-line arguments */
+ 		if ((tmp2 = strchr_m(tmp, ':')) != NULL) {
+ 			*tmp2++ = '\0';
+ 			password = uri_unescape_alloc(tmp2);
+-		} else {
+-			password = empty_str;
+ 		}
+ 		username = uri_unescape_alloc(tmp);
+ 	} else {
+@@ -302,14 +300,15 @@ main(int argc,			/* I - Number of command-line arguments */
+ 			username = empty_str;
+ 		}
+ 
+-		if ((password = getenv("AUTH_PASSWORD")) == NULL) {
+-			password = empty_str;
++		env = getenv("AUTH_PASSWORD");
++		if (env != NULL && strlen(env) > 0) {
++			password = env;
+ 		}
+ 
+ 		server = uri + 6;
+ 	}
+ 
+-	if (password != empty_str) {
++	if (password != NULL) {
+ 		auth_info_required = "username,password";
+ 	}
+ 
+@@ -514,6 +513,7 @@ smb_complete_connection(const char *myname,
+ 	NTSTATUS        nt_status;
+ 	struct cli_credentials *creds = NULL;
+ 	bool use_kerberos = false;
++	bool fallback_after_kerberos = false;
+ 
+ 	/* Start the SMB connection */
+ 	*need_auth = false;
+@@ -524,27 +524,21 @@ smb_complete_connection(const char *myname,
+ 		return NULL;
+ 	}
+ 
+-	/*
+-	 * We pretty much guarantee password must be valid or a pointer to a
+-	 * 0 char.
+-	 */
+-	if (!password) {
+-		*need_auth = true;
+-		return NULL;
+-	}
+-
+ 	if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+-		auth_info_required = "negotiate";
+ 		use_kerberos = true;
+ 	}
+ 
++	if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) {
++		fallback_after_kerberos = true;
++	}
++
+ 	creds = cli_session_creds_init(cli,
+ 				       username,
+ 				       workgroup,
+ 				       NULL, /* realm */
+ 				       password,
+ 				       use_kerberos,
+-				       false, /* fallback_after_kerberos */
++				       fallback_after_kerberos,
+ 				       false, /* use_ccache */
+ 				       false); /* password_is_nt_hash */
+ 	if (creds == NULL) {
+@@ -663,6 +657,10 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
+ 	struct cli_state *cli;	/* New connection */
+ 	char           *myname = NULL;	/* Client name */
+ 	struct passwd  *pwd;
++	int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
++	bool use_kerberos = false;
++	const char *user = username;
++	int cmp;
+ 
+ 	/*
+          * Get the names and addresses of the client and server...
+@@ -672,42 +670,56 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
+ 		return NULL;
+ 	}
+ 
+-	/*
+-	 * See if we have a username first.  This is for backwards compatible
+-	 * behavior with 3.0.14a
+-	 */
+ 
+-	if (username == NULL || username[0] == '\0') {
+-		if (kerberos_ccache_is_valid()) {
+-			goto kerberos_auth;
++	cmp = strcmp(auth_info_required, "negotiate");
++	if (cmp == 0) {
++		if (!kerberos_ccache_is_valid()) {
++			return NULL;
+ 		}
++		user = jobusername;
++
++		use_kerberos = true;
++		fprintf(stderr,
++			"DEBUG: Try to connect using Kerberos ...\n");
++	}
++
++	cmp = strcmp(auth_info_required, "username,password");
++	if (cmp == 0) {
++		if (username == NULL || username[0] == '\0') {
++			return NULL;
++		}
++
++		/* Fallback to NTLM */
++		flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
++
++		fprintf(stderr,
++			"DEBUG: Try to connect using username/password ...\n");
++	}
++
++	cmp = strcmp(auth_info_required, "none");
++	if (cmp == 0) {
++		fprintf(stderr,
++			"DEBUG: This backend doesn't support none auth ...\n");
++		return NULL;
+ 	}
+ 
+ 	cli = smb_complete_connection(myname,
+ 				      server,
+ 				      port,
+-				      username,
++				      user,
+ 				      password,
+ 				      workgroup,
+ 				      share,
+-				      0,
++				      flags,
+ 				      need_auth);
+ 	if (cli != NULL) {
+-		fputs("DEBUG: Connected with username/password...\n", stderr);
++		fprintf(stderr, "DEBUG: SMB connection established.\n");
+ 		return (cli);
+ 	}
+ 
+-kerberos_auth:
+-	/*
+-	 * Try to use the user kerberos credentials (if any) to authenticate
+-	 */
+-	cli = smb_complete_connection(myname, server, port, jobusername, "",
+-				      workgroup, share,
+-				 CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
+-
+-	if (cli) {
+-		fputs("DEBUG: Connected using Kerberos...\n", stderr);
+-		return (cli);
++	if (!use_kerberos) {
++		fprintf(stderr, "ERROR: SMB connection failed!\n");
++		return NULL;
+ 	}
+ 
+ 	/* give a chance for a passwordless NTLMSSP session setup */
+-- 
+2.21.0
+
+
+From 8689e83030160fbdbe9b72ff0c86826b49f707a1 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 16 May 2019 18:24:32 +0200
+Subject: [PATCH 8/9] s3:smbspool: Add debug messages to
+ kerberos_ccache_is_valid()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3)
+---
+ source3/client/smbspool.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index f21aac2ac58..79e210dd12e 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -602,12 +602,15 @@ static bool kerberos_ccache_is_valid(void) {
+ 
+ 	ccache_name = krb5_cc_default_name(ctx);
+ 	if (ccache_name == NULL) {
++		DBG_ERR("Failed to get default ccache name\n");
+ 		krb5_free_context(ctx);
+ 		return false;
+ 	}
+ 
+ 	code = krb5_cc_resolve(ctx, ccache_name, &ccache);
+ 	if (code != 0) {
++		DBG_ERR("Failed to resolve ccache name: %s\n",
++			ccache_name);
+ 		krb5_free_context(ctx);
+ 		return false;
+ 	} else {
+@@ -618,6 +621,9 @@ static bool kerberos_ccache_is_valid(void) {
+ 					     ccache,
+ 					     &default_princ);
+ 		if (code != 0) {
++			DBG_ERR("Failed to get default principal from "
++				"ccache: %s\n",
++				ccache_name);
+ 			krb5_cc_close(ctx, ccache);
+ 			krb5_free_context(ctx);
+ 			return false;
+-- 
+2.21.0
+
+
+From d1cee66a5e66d83b2aee3a803351c51d4f5a8118 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 14 May 2019 11:35:46 +0200
+Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes
+
+This allows us to simplify some code and return better errors.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea)
+---
+ source3/client/smbspool.c | 250 ++++++++++++++++++++++----------------
+ 1 file changed, 145 insertions(+), 105 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index 79e210dd12e..ad988eb0df9 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -61,12 +61,27 @@
+  * Local functions...
+  */
+ 
+-static int      get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
++static int      get_exit_code(NTSTATUS nt_status);
+ static void     list_devices(void);
+-static struct cli_state *smb_complete_connection(const char *, const char *,
+-	int, const char *, const char *, const char *, const char *, int, bool *need_auth);
+-static struct cli_state *smb_connect(const char *, const char *, int, const
+-	char *, const char *, const char *, const char *, bool *need_auth);
++static NTSTATUS
++smb_complete_connection(struct cli_state **output_cli,
++			const char *myname,
++			const char *server,
++			int port,
++			const char *username,
++			const char *password,
++			const char *workgroup,
++			const char *share,
++			int flags);
++static NTSTATUS
++smb_connect(struct cli_state **output_cli,
++	    const char *workgroup,
++	    const char *server,
++	    const int port,
++	    const char *share,
++	    const char *username,
++	    const char *password,
++	    const char *jobusername);
+ static int      smb_print(struct cli_state *, const char *, FILE *);
+ static char    *uri_unescape_alloc(const char *);
+ #if 0
+@@ -90,16 +105,15 @@ main(int argc,			/* I - Number of command-line arguments */
+ 	               *sep,	/* Pointer to separator */
+ 	               *tmp, *tmp2;	/* Temp pointers to do escaping */
+ 	const char     *password = NULL;	/* Password */
+-	char           *username,	/* Username */
+-	               *server,	/* Server name */
++	const char     *username = NULL;	/* Username */
++	char           *server,	/* Server name */
+ 	               *printer;/* Printer name */
+ 	const char     *workgroup;	/* Workgroup */
+ 	FILE           *fp;	/* File to print */
+ 	int             status = 1;	/* Status of LPD job */
+-	struct cli_state *cli;	/* SMB interface */
+-	char            empty_str[] = "";
++	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
++	struct cli_state *cli = NULL;	/* SMB interface */
+ 	int             tries = 0;
+-	bool		need_auth = true;
+ 	const char     *dev_uri = NULL;
+ 	const char     *env = NULL;
+ 	const char     *config_file = NULL;
+@@ -296,8 +310,9 @@ main(int argc,			/* I - Number of command-line arguments */
+ 		}
+ 		username = uri_unescape_alloc(tmp);
+ 	} else {
+-		if ((username = getenv("AUTH_USERNAME")) == NULL) {
+-			username = empty_str;
++		env = getenv("AUTH_USERNAME");
++		if (env != NULL && strlen(env) > 0) {
++			username = env;
+ 		}
+ 
+ 		env = getenv("AUTH_PASSWORD");
+@@ -369,27 +384,39 @@ main(int argc,			/* I - Number of command-line arguments */
+ 	load_interfaces();
+ 
+ 	do {
+-		cli = smb_connect(workgroup,
+-				  server,
+-				  port,
+-				  printer,
+-				  username,
+-				  password,
+-				  print_user,
+-				  &need_auth);
+-		if (cli == NULL) {
+-			if (need_auth) {
+-				exit(2);
++		nt_status = smb_connect(&cli,
++					workgroup,
++					server,
++					port,
++					printer,
++					username,
++					password,
++					print_user);
++		if (!NT_STATUS_IS_OK(nt_status)) {
++			status = get_exit_code(nt_status);
++			if (status == 2) {
++				fprintf(stderr,
++					"DEBUG: Unable to connect to CIFS "
++					"host: %s",
++					nt_errstr(nt_status));
++				goto done;
+ 			} else if (getenv("CLASS") == NULL) {
+-				fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
++				fprintf(stderr,
++					"ERROR: Unable to connect to CIFS "
++					"host: %s. Will retry in 60 "
++					"seconds...\n",
++					nt_errstr(nt_status));
+ 				sleep(60);
+ 				tries++;
+ 			} else {
+-				fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
++				fprintf(stderr,
++					"ERROR: Unable to connect to CIFS "
++					"host: %s. Trying next printer...\n",
++					nt_errstr(nt_status));
+ 				goto done;
+ 			}
+ 		}
+-	} while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
++	} while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT));
+ 
+ 	if (cli == NULL) {
+ 		fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
+@@ -436,10 +463,9 @@ done:
+  */
+ 
+ static int
+-get_exit_code(struct cli_state * cli,
+-	      NTSTATUS nt_status)
++get_exit_code(NTSTATUS nt_status)
+ {
+-	int i;
++	size_t i;
+ 
+ 	/* List of NTSTATUS errors that are considered
+ 	 * authentication errors
+@@ -455,17 +481,16 @@ get_exit_code(struct cli_state * cli,
+ 	};
+ 
+ 
+-	fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n",
+-		cli, nt_errstr(nt_status), NT_STATUS_V(nt_status));
++	fprintf(stderr,
++		"DEBUG: get_exit_code(nt_status=%s [%x])\n",
++		nt_errstr(nt_status), NT_STATUS_V(nt_status));
+ 
+ 	for (i = 0; i < ARRAY_SIZE(auth_errors); i++) {
+ 		if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) {
+ 			continue;
+ 		}
+ 
+-		if (cli) {
+-			fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
+-		}
++		fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
+ 
+ 		/*
+ 		 * 2 = authentication required...
+@@ -498,16 +523,16 @@ list_devices(void)
+ }
+ 
+ 
+-static struct cli_state *
+-smb_complete_connection(const char *myname,
++static NTSTATUS
++smb_complete_connection(struct cli_state **output_cli,
++			const char *myname,
+ 			const char *server,
+ 			int port,
+ 			const char *username,
+ 			const char *password,
+ 			const char *workgroup,
+ 			const char *share,
+-			int flags,
+-			bool *need_auth)
++			int flags)
+ {
+ 	struct cli_state *cli;	/* New connection */
+ 	NTSTATUS        nt_status;
+@@ -516,12 +541,11 @@ smb_complete_connection(const char *myname,
+ 	bool fallback_after_kerberos = false;
+ 
+ 	/* Start the SMB connection */
+-	*need_auth = false;
+ 	nt_status = cli_start_connection(&cli, myname, server, NULL, port,
+ 					 SMB_SIGNING_DEFAULT, flags);
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+ 		fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status));
+-		return NULL;
++		return nt_status;
+ 	}
+ 
+ 	if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+@@ -544,20 +568,16 @@ smb_complete_connection(const char *myname,
+ 	if (creds == NULL) {
+ 		fprintf(stderr, "ERROR: cli_session_creds_init failed\n");
+ 		cli_shutdown(cli);
+-		return NULL;
++		return NT_STATUS_NO_MEMORY;
+ 	}
+ 
+ 	nt_status = cli_session_setup_creds(cli, creds);
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+ 		fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
+ 
+-		if (get_exit_code(cli, nt_status) == 2) {
+-			*need_auth = true;
+-		}
+-
+ 		cli_shutdown(cli);
+ 
+-		return NULL;
++		return nt_status;
+ 	}
+ 
+ 	nt_status = cli_tree_connect_creds(cli, share, "?????", creds);
+@@ -565,13 +585,9 @@ smb_complete_connection(const char *myname,
+ 		fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
+ 			nt_errstr(nt_status));
+ 
+-		if (get_exit_code(cli, nt_status) == 2) {
+-			*need_auth = true;
+-		}
+-
+ 		cli_shutdown(cli);
+ 
+-		return NULL;
++		return nt_status;
+ 	}
+ #if 0
+ 	/* Need to work out how to specify this on the URL. */
+@@ -584,7 +600,8 @@ smb_complete_connection(const char *myname,
+ 	}
+ #endif
+ 
+-	return cli;
++	*output_cli = cli;
++	return NT_STATUS_OK;
+ }
+ 
+ static bool kerberos_ccache_is_valid(void) {
+@@ -650,49 +667,48 @@ static bool kerberos_ccache_is_valid(void) {
+  * 'smb_connect()' - Return a connection to a server.
+  */
+ 
+-static struct cli_state *	/* O - SMB connection */
+-smb_connect(const char *workgroup,	/* I - Workgroup */
++static NTSTATUS
++smb_connect(struct cli_state **output_cli,
++	    const char *workgroup,	/* I - Workgroup */
+ 	    const char *server,	/* I - Server */
+ 	    const int port,	/* I - Port */
+ 	    const char *share,	/* I - Printer */
+ 	    const char *username,	/* I - Username */
+ 	    const char *password,	/* I - Password */
+-	    const char *jobusername,	/* I - User who issued the print job */
+-	    bool *need_auth)
+-{				/* O - Need authentication? */
+-	struct cli_state *cli;	/* New connection */
++	    const char *jobusername)	/* I - User who issued the print job */
++{
++	struct cli_state *cli = NULL;	/* New connection */
+ 	char           *myname = NULL;	/* Client name */
+ 	struct passwd  *pwd;
+ 	int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
+ 	bool use_kerberos = false;
+ 	const char *user = username;
+-	int cmp;
++	NTSTATUS nt_status;
+ 
+ 	/*
+          * Get the names and addresses of the client and server...
+          */
+ 	myname = get_myname(talloc_tos());
+ 	if (!myname) {
+-		return NULL;
++		return NT_STATUS_NO_MEMORY;
+ 	}
+ 
+ 
+-	cmp = strcmp(auth_info_required, "negotiate");
+-	if (cmp == 0) {
++	if (strcmp(auth_info_required, "negotiate") == 0) {
+ 		if (!kerberos_ccache_is_valid()) {
+-			return NULL;
++			fprintf(stderr,
++				"ERROR: No valid Kerberos credential cache "
++				"found!\n");
++			return NT_STATUS_LOGON_FAILURE;
+ 		}
+ 		user = jobusername;
+ 
+ 		use_kerberos = true;
+ 		fprintf(stderr,
+ 			"DEBUG: Try to connect using Kerberos ...\n");
+-	}
+-
+-	cmp = strcmp(auth_info_required, "username,password");
+-	if (cmp == 0) {
+-		if (username == NULL || username[0] == '\0') {
+-			return NULL;
++	} else if (strcmp(auth_info_required, "username,password") == 0) {
++		if (username == NULL) {
++			return NT_STATUS_INVALID_ACCOUNT_NAME;
+ 		}
+ 
+ 		/* Fallback to NTLM */
+@@ -700,59 +716,83 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
+ 
+ 		fprintf(stderr,
+ 			"DEBUG: Try to connect using username/password ...\n");
+-	}
++	} else {
++		if (username != NULL) {
++			flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
++		} else if (kerberos_ccache_is_valid()) {
++			auth_info_required = "negotiate";
+ 
+-	cmp = strcmp(auth_info_required, "none");
+-	if (cmp == 0) {
+-		fprintf(stderr,
+-			"DEBUG: This backend doesn't support none auth ...\n");
+-		return NULL;
++			user = jobusername;
++			use_kerberos = true;
++		} else {
++			fprintf(stderr,
++				"DEBUG: This backend requires credentials!\n");
++			return NT_STATUS_ACCESS_DENIED;
++		}
+ 	}
+ 
+-	cli = smb_complete_connection(myname,
+-				      server,
+-				      port,
+-				      user,
+-				      password,
+-				      workgroup,
+-				      share,
+-				      flags,
+-				      need_auth);
+-	if (cli != NULL) {
++	nt_status = smb_complete_connection(&cli,
++					    myname,
++					    server,
++					    port,
++					    user,
++					    password,
++					    workgroup,
++					    share,
++					    flags);
++	if (NT_STATUS_IS_OK(nt_status)) {
+ 		fprintf(stderr, "DEBUG: SMB connection established.\n");
+-		return (cli);
++
++		*output_cli = cli;
++		return NT_STATUS_OK;
+ 	}
+ 
+ 	if (!use_kerberos) {
+ 		fprintf(stderr, "ERROR: SMB connection failed!\n");
+-		return NULL;
++		return nt_status;
+ 	}
+ 
+ 	/* give a chance for a passwordless NTLMSSP session setup */
+ 	pwd = getpwuid(geteuid());
+ 	if (pwd == NULL) {
+-		return NULL;
+-	}
+-
+-	cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
+-				      workgroup, share, 0, need_auth);
+-
+-	if (cli) {
++		return NT_STATUS_ACCESS_DENIED;
++	}
++
++	nt_status = smb_complete_connection(&cli,
++					    myname,
++					    server,
++					    port,
++					    pwd->pw_name,
++					    "",
++					    workgroup,
++					    share,
++					    0);
++	if (NT_STATUS_IS_OK(nt_status)) {
+ 		fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
+-		return (cli);
++
++		*output_cli = cli;
++		return NT_STATUS_OK;
+ 	}
+ 
+ 	/*
+          * last try. Use anonymous authentication
+          */
+ 
+-	cli = smb_complete_connection(myname, server, port, "", "",
+-				      workgroup, share, 0, need_auth);
+-	/*
+-         * Return the new connection...
+-         */
+-
+-	return (cli);
++	nt_status = smb_complete_connection(&cli,
++					    myname,
++					    server,
++					    port,
++					    "",
++					    "",
++					    workgroup,
++					    share,
++					    0);
++	if (NT_STATUS_IS_OK(nt_status)) {
++		*output_cli = cli;
++		return NT_STATUS_OK;
++	}
++
++	return nt_status;
+ }
+ 
+ 
+@@ -798,7 +838,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+ 		fprintf(stderr, "ERROR: %s opening remote spool %s\n",
+ 			nt_errstr(nt_status), title);
+-		return get_exit_code(cli, nt_status);
++		return get_exit_code(nt_status);
+ 	}
+ 
+ 	/*
+@@ -816,7 +856,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
+ 		status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
+ 				      tbytes, nbytes, NULL);
+ 		if (!NT_STATUS_IS_OK(status)) {
+-			int ret = get_exit_code(cli, status);
++			int ret = get_exit_code(status);
+ 			fprintf(stderr, "ERROR: Error writing spool: %s\n",
+ 				nt_errstr(status));
+ 			fprintf(stderr, "DEBUG: Returning status %d...\n",
+@@ -832,7 +872,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+ 		fprintf(stderr, "ERROR: %s closing remote spool %s\n",
+ 			nt_errstr(nt_status), title);
+-		return get_exit_code(cli, nt_status);
++		return get_exit_code(nt_status);
+ 	} else {
+ 		return (0);
+ 	}
+-- 
+2.21.0
+
+From ffa5f8b65c662130c2d23e47df6d00fef3b73cc3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 18 Jun 2019 14:43:50 +0200
+Subject: [PATCH] s3:client: Link smbspool_krb5_wrapper against krb5samba
+
+Heimdal doesn't provide krb5_free_unparsed_name(), so we need to use the
+function we provide in krb5samba.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 9268919e046190c7b423133de3f9d0edada3f1b8)
+---
+ source3/wscript_build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 1ebb006781a..26e251f442a 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -1133,7 +1133,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
+                  deps='''
+                       DYNCONFIG
+                       cups
+-                      krb5
++                      krb5samba
+                       ''',
+                  install_path='${LIBEXECDIR}/samba',
+                  enabled=bld.CONFIG_SET('HAVE_CUPS'))
+-- 
+2.21.0
+
diff --git a/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch b/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch
deleted file mode 100644
index d72091e..0000000
--- a/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001
-From: Bryan Mason <bmason@redhat.com>
-Date: Mon, 16 Sep 2019 12:35:06 -0700
-Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI
-
-CUPS sanitizes argv[0] by removing username/password, so use
-DEVICE_URI environment variable first.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128
-
-Signed-off-by: Bryan Mason <bmason@redhat.com>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184
-
-(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931)
----
- source3/client/smbspool.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index ad988eb0df9..36f7f67ca94 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -256,13 +256,15 @@ main(int argc,			/* I - Number of command-line arguments */
- 
- 	/*
- 	 * Find the URI ...
--	 */
--	if (dev_uri == NULL) {
--		env = getenv("DEVICE_URI");
--		if (env != NULL && env[0] != '\0') {
--			dev_uri = env;
--		}
--	}
-+         *
-+         * The URI in argv[0] is sanitized to remove username/password, so
-+         * use DEVICE_URI if available. Otherwise keep the URI already
-+         * discovered in argv.
-+         */
-+        env = getenv("DEVICE_URI");
-+        if (env != NULL && env[0] != '\0') {
-+          dev_uri = env;
-+        }
- 
- 	if (dev_uri == NULL) {
- 		fprintf(stderr,
--- 
-2.23.0
-
diff --git a/SOURCES/samba-4.10-fix_smbspool_username_password.patch b/SOURCES/samba-4.10-fix_smbspool_username_password.patch
new file mode 100644
index 0000000..d72091e
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_smbspool_username_password.patch
@@ -0,0 +1,52 @@
+From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001
+From: Bryan Mason <bmason@redhat.com>
+Date: Mon, 16 Sep 2019 12:35:06 -0700
+Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI
+
+CUPS sanitizes argv[0] by removing username/password, so use
+DEVICE_URI environment variable first.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128
+
+Signed-off-by: Bryan Mason <bmason@redhat.com>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184
+
+(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931)
+---
+ source3/client/smbspool.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index ad988eb0df9..36f7f67ca94 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -256,13 +256,15 @@ main(int argc,			/* I - Number of command-line arguments */
+ 
+ 	/*
+ 	 * Find the URI ...
+-	 */
+-	if (dev_uri == NULL) {
+-		env = getenv("DEVICE_URI");
+-		if (env != NULL && env[0] != '\0') {
+-			dev_uri = env;
+-		}
+-	}
++         *
++         * The URI in argv[0] is sanitized to remove username/password, so
++         * use DEVICE_URI if available. Otherwise keep the URI already
++         * discovered in argv.
++         */
++        env = getenv("DEVICE_URI");
++        if (env != NULL && env[0] != '\0') {
++          dev_uri = env;
++        }
+ 
+ 	if (dev_uri == NULL) {
+ 		fprintf(stderr,
+-- 
+2.23.0
+
diff --git a/SOURCES/samba-4.10-fix_spnego_downgrade.patch b/SOURCES/samba-4.10-fix_spnego_downgrade.patch
deleted file mode 100644
index e762571..0000000
--- a/SOURCES/samba-4.10-fix_spnego_downgrade.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From a8021d9515ecf75d52d038fe78f72da2c79731af Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Wed, 4 Sep 2019 16:31:21 +0300
-Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic
- token
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
-
-Signed-off-by: Isaac Boukris <iboukris@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- auth/gensec/spnego.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
-index dc73e324d99..97472c26837 100644
---- a/auth/gensec/spnego.c
-+++ b/auth/gensec/spnego.c
-@@ -136,6 +136,7 @@ struct spnego_state {
- 	bool done_mic_check;
- 
- 	bool simulate_w2k;
-+	bool no_optimistic;
- 
- 	/*
- 	 * The following is used to implement
-@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
- 
- 	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
- 						"spnego", "simulate_w2k", false);
-+	spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
-+							  "spnego",
-+							  "client_no_optimistic",
-+							  false);
- 
- 	gensec_security->private_data = spnego_state;
- 	return NT_STATUS_OK;
-@@ -1944,6 +1949,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
- 		 * blob and NT_STATUS_OK.
- 		 */
- 		state->sub.status = NT_STATUS_OK;
-+	} else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
-+		   spnego_state->no_optimistic) {
-+		/*
-+		 * Skip optimistic token per conf.
-+		 */
-+		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- 	} else {
- 		/*
- 		 * MORE_PROCESSING_REQUIRED =>
--- 
-2.21.0
-
-
-From aa379f36ac5feb718c924b030308a29769657f7b Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Wed, 4 Sep 2019 16:39:43 +0300
-Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
-
-Signed-off-by: Isaac Boukris <iboukris@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- selftest/knownfail.d/spnego_no_optimistic | 1 +
- source4/selftest/tests.py                 | 4 ++++
- 2 files changed, 5 insertions(+)
- create mode 100644 selftest/knownfail.d/spnego_no_optimistic
-
-diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
-new file mode 100644
-index 00000000000..54f51446be0
---- /dev/null
-+++ b/selftest/knownfail.d/spnego_no_optimistic
-@@ -0,0 +1 @@
-+^samba4.smb.spnego.*.no_optimistic
-diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
-index 34ebe10cd79..d73d426ee3c 100755
---- a/source4/selftest/tests.py
-+++ b/source4/selftest/tests.py
-@@ -542,6 +542,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha
- plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon")
- plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon")
- 
-+# Test SPNEGO without issuing an optimistic token
-+opt='--option=spnego:client_no_optimistic=yes'
-+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic")
-+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic")
- 
- wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""]
- 
--- 
-2.21.0
-
-
-From 0119cf5a2888cd3d97927cb77872fbad82362020 Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Wed, 4 Sep 2019 17:04:12 +0300
-Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
-
-Signed-off-by: Isaac Boukris <iboukris@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
----
- auth/gensec/spnego.c                      | 13 +++++++++++++
- selftest/knownfail.d/spnego_no_optimistic |  1 -
- 4 files changed, 13 insertions(+), 4 deletions(-)
- delete mode 100644 selftest/knownfail.d/spnego_no_optimistic
-
-diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
-index 97472c26837..ddbe03c5d6b 100644
---- a/auth/gensec/spnego.c
-+++ b/auth/gensec/spnego.c
-@@ -1321,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
- 			spnego_state->mic_requested = true;
- 		}
- 
-+		if (sub_in.length == 0) {
-+			spnego_state->no_optimistic = true;
-+		}
-+
- 		/*
- 		 * Note that 'cur_sec' is temporary memory, but
- 		 * cur_sec->oid points to a const string in the
-@@ -1955,6 +1959,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
- 		 * Skip optimistic token per conf.
- 		 */
- 		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
-+	} else if (spnego_state->state_position == SPNEGO_SERVER_START &&
-+		   state->sub.in.length == 0 && spnego_state->no_optimistic) {
-+		/*
-+		 * If we didn't like the mechanism for which the client sent us
-+		 * an optimistic token, or if he didn't send any, don't call
-+		 * the sub mechanism just yet.
-+		 */
-+		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
-+		spnego_state->no_optimistic = false;
- 	} else {
- 		/*
- 		 * MORE_PROCESSING_REQUIRED =>
-diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
-deleted file mode 100644
-index 54f51446be0..00000000000
---- a/selftest/knownfail.d/spnego_no_optimistic
-+++ /dev/null
-@@ -1 +0,0 @@
--^samba4.smb.spnego.*.no_optimistic
--- 
-2.21.0
-
diff --git a/SOURCES/samba-4.10-net_ads_join_createcomputer.patch b/SOURCES/samba-4.10-net_ads_join_createcomputer.patch
new file mode 100644
index 0000000..c196b55
--- /dev/null
+++ b/SOURCES/samba-4.10-net_ads_join_createcomputer.patch
@@ -0,0 +1,48 @@
+From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001
+From: Evgeny Sinelnikov <sin@altlinux.org>
+Date: Wed, 31 Jul 2019 23:17:20 +0400
+Subject: [PATCH] s3:ldap: Fix join with don't exists machine account
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add check for requested replies of existing machine object during join
+machine to domain. This solves regression fail during join with error:
+"None of the information to be translated has been translated."
+
+https://bugzilla.samba.org/show_bug.cgi?id=14007
+
+Reviewed-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Wed Sep  4 17:02:37 UTC 2019 on sn-devel-184
+---
+ source3/libads/ldap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 4f3d43b02b1..2110390b65f 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ 	}
+ 
+ 	ret = ads_find_machine_acct(ads, &res, machine_escaped);
+-	ads_msgfree(ads, res);
+-	if (ADS_ERR_OK(ret)) {
++	if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
+ 		DBG_DEBUG("Host account for %s already exists.\n",
+ 				machine_escaped);
+ 		ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
++		ads_msgfree(ads, res);
+ 		goto done;
+ 	}
++	ads_msgfree(ads, res);
+ 
+ 	new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
+ 	samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+-- 
+2.21.0
+
diff --git a/SOURCES/samba-4.10.4.tar.asc b/SOURCES/samba-4.10.4.tar.asc
new file mode 100644
index 0000000..29f805c
--- /dev/null
+++ b/SOURCES/samba-4.10.4.tar.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXOUjjhUcc2FtYmEtYnVn
+c0BzYW1iYS5vcmcACgkQbzORW2Vot+oeXQCgkgjBBjMDA7WRd7pl8akT65XmGaAA
+n3v79/BJYEuD3vw98M5nW4GBN6C9
+=/Xfk
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch b/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch
new file mode 100644
index 0000000..61635f8
--- /dev/null
+++ b/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch
@@ -0,0 +1,124 @@
+From 41794e74876f3cba648b18b3f4bdedac9717061e Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 23 May 2019 13:33:21 -0700
+Subject: [PATCH] s3: winbind: Fix crash when invoking winbind idmap scripts.
+
+Previously the private context was caching a pointer to
+a string returned from lp_XXX(). This string can change
+on config file reload. Ensure the string is talloc_strup'ed
+onto the owning context instead.
+
+Reported by Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13956
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit a1f95ba5db6fc017fad35377fbf76c048f2dd8ab)
+---
+ source3/winbindd/idmap_script.c | 20 ++++++++++++++++----
+ source3/winbindd/idmap_tdb2.c   | 22 +++++++++++++++++-----
+ 2 files changed, 33 insertions(+), 9 deletions(-)
+
+diff --git a/source3/winbindd/idmap_script.c b/source3/winbindd/idmap_script.c
+index 7ad6b806fb8..f382f896b35 100644
+--- a/source3/winbindd/idmap_script.c
++++ b/source3/winbindd/idmap_script.c
+@@ -615,6 +615,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+ 	NTSTATUS ret;
+ 	struct idmap_script_context *ctx;
+ 	const char * idmap_script = NULL;
++	const char *ctx_script = NULL;
+ 
+ 	DEBUG(10, ("%s called ...\n", __func__));
+ 
+@@ -625,7 +626,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+ 		goto failed;
+ 	}
+ 
+-	ctx->script = idmap_config_const_string(dom->name, "script", NULL);
++	ctx_script = idmap_config_const_string(dom->name, "script", NULL);
+ 
+ 	/* Do we even need to handle this? */
+ 	idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
+@@ -634,13 +635,24 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+ 			  " Please use 'idmap config * : script' instead!\n"));
+ 	}
+ 
+-	if (strequal(dom->name, "*") && ctx->script == NULL) {
++	if (strequal(dom->name, "*") && ctx_script == NULL) {
+ 		/* fall back to idmap:script for backwards compatibility */
+-		ctx->script = idmap_script;
++		ctx_script = idmap_script;
+ 	}
+ 
+-	if (ctx->script) {
++	if (ctx_script) {
+ 		DEBUG(1, ("using idmap script '%s'\n", ctx->script));
++		/*
++		 * We must ensure this memory is owned by ctx.
++		 * The ctx_script const pointer is a pointer into
++		 * the config file data and may become invalid
++		 * on config file reload. BUG: 13956
++		 */
++		ctx->script = talloc_strdup(ctx, ctx_script);
++		if (ctx->script == NULL) {
++			ret = NT_STATUS_NO_MEMORY;
++			goto failed;
++		}
+ 	}
+ 
+ 	dom->private_data = ctx;
+diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
+index b784546bb33..eceab9c0784 100644
+--- a/source3/winbindd/idmap_tdb2.c
++++ b/source3/winbindd/idmap_tdb2.c
+@@ -522,6 +522,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+ 	struct idmap_tdb_common_context *commonctx;
+ 	struct idmap_tdb2_context *ctx;
+ 	const char * idmap_script = NULL;
++	const char *ctx_script = NULL;
+ 
+ 	commonctx = talloc_zero(dom, struct idmap_tdb_common_context);
+ 	if(!commonctx) {
+@@ -543,7 +544,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+ 		goto failed;
+ 	}
+ 
+-	ctx->script = idmap_config_const_string(dom->name, "script", NULL);
++	ctx_script = idmap_config_const_string(dom->name, "script", NULL);
+ 
+ 	idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
+ 	if (idmap_script != NULL) {
+@@ -551,13 +552,24 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+ 			  " Please use 'idmap config * : script' instead!\n"));
+ 	}
+ 
+-	if (strequal(dom->name, "*") && ctx->script == NULL) {
++	if (strequal(dom->name, "*") && ctx_script == NULL) {
+ 		/* fall back to idmap:script for backwards compatibility */
+-		ctx->script = idmap_script;
++		ctx_script = idmap_script;
+ 	}
+ 
+-	if (ctx->script) {
+-		DEBUG(1, ("using idmap script '%s'\n", ctx->script));
++	if (ctx_script) {
++		DEBUG(1, ("using idmap script '%s'\n", ctx_script));
++		/*
++		 * We must ensure this memory is owned by ctx.
++		 * The ctx_script const pointer is a pointer into
++		 * the config file data and may become invalid
++		 * on config file reload. BUG: 13956
++		 */
++		ctx->script = talloc_strdup(ctx, ctx_script);
++		if (ctx->script == NULL) {
++			ret = NT_STATUS_NO_MEMORY;
++			goto failed;
++		}
+ 	}
+ 
+ 	commonctx->max_id = dom->high_id;
+-- 
+2.22.0.rc1.257.g3120a18244-goog
+
diff --git a/SOURCES/samba-4.9-CVE-2019-3880.patch b/SOURCES/samba-4.9-CVE-2019-3880.patch
deleted file mode 100644
index eded5d9..0000000
--- a/SOURCES/samba-4.9-CVE-2019-3880.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 21 Mar 2019 14:51:30 -0700
-Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
- SaveKey/RestoreKey.
-
-The were not using VFS backend calls and could only work
-locally, and were unsafe against symlink races and other
-security issues.
-
-If the incoming handle is valid, return WERR_BAD_PATHNAME.
-
-[MS-RRP] states "The format of the file name is implementation-specific"
-so ensure we don't allow this.
-
-As reported by Michael Hanselmann.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
- 1 file changed, 4 insertions(+), 88 deletions(-)
-
-diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
-index d9ee8d0602d..816c6bb2a12 100644
---- a/source3/rpc_server/winreg/srv_winreg_nt.c
-+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
-@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
- }
- 
- /*******************************************************************
-- ********************************************************************/
--
--static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
--{
--	char *p = NULL;
--	int num_services = lp_numservices();
--	int snum = -1;
--	const char *share_path = NULL;
--	char *fname = *pp_fname;
--
--	/* convert to a unix path, stripping the C:\ along the way */
--
--	if (!(p = valid_share_pathname(ctx, fname))) {
--		return -1;
--	}
--
--	/* has to exist within a valid file share */
--
--	for (snum=0; snum<num_services; snum++) {
--		if (!lp_snum_ok(snum) || lp_printable(snum)) {
--			continue;
--		}
--
--		share_path = lp_path(talloc_tos(), snum);
--
--		/* make sure we have a path (e.g. [homes] ) */
--		if (strlen(share_path) == 0) {
--			continue;
--		}
--
--		if (strncmp(share_path, p, strlen(share_path)) == 0) {
--			break;
--		}
--	}
--
--	*pp_fname = p;
--	return (snum < num_services) ? snum : -1;
--}
--
--/*******************************************************************
-  _winreg_RestoreKey
-  ********************************************************************/
- 
-@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p,
- 			  struct winreg_RestoreKey *r)
- {
- 	struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
--	char *fname = NULL;
--	int snum = -1;
- 
--	if ( !regkey )
-+	if ( !regkey ) {
- 		return WERR_INVALID_HANDLE;
--
--	if ( !r->in.filename || !r->in.filename->name )
--		return WERR_INVALID_PARAMETER;
--
--	fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
--	if (!fname) {
--		return WERR_NOT_ENOUGH_MEMORY;
- 	}
--
--	DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
--		 "\"%s\"\n", regkey->key->name, fname));
--
--	if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
--		return WERR_BAD_PATHNAME;
--
--	/* user must posses SeRestorePrivilege for this this proceed */
--
--	if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
--		return WERR_ACCESS_DENIED;
--	}
--
--	DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
--		 regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
--
--	return reg_restorekey(regkey, fname);
-+	return WERR_BAD_PATHNAME;
- }
- 
- /*******************************************************************
-@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p,
- 		       struct winreg_SaveKey *r)
- {
- 	struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
--	char *fname = NULL;
--	int snum = -1;
- 
--	if ( !regkey )
-+	if ( !regkey ) {
- 		return WERR_INVALID_HANDLE;
--
--	if ( !r->in.filename || !r->in.filename->name )
--		return WERR_INVALID_PARAMETER;
--
--	fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
--	if (!fname) {
--		return WERR_NOT_ENOUGH_MEMORY;
- 	}
--
--	DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
--		 regkey->key->name, fname));
--
--	if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
--		return WERR_BAD_PATHNAME;
--
--	DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
--		 regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
--
--	return reg_savekey(regkey, fname);
-+	return WERR_BAD_PATHNAME;
- }
- 
- /*******************************************************************
--- 
-2.11.0
-
diff --git a/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch b/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch
deleted file mode 100644
index 08c88a1..0000000
--- a/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch
+++ /dev/null
@@ -1,280 +0,0 @@
-From 5192b35d5e8644f000277c2f075b2ae90c514cbd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 4 Sep 2018 15:48:03 +0200
-Subject: [PATCH] s3:libsmbclient: Add function to set protocol levels
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 0dae4e2f5c65167fdb2405e232436921a0bb17e6)
----
- source3/include/libsmbclient.h          |  19 ++-
- source3/libsmb/ABI/smbclient-0.5.0.sigs | 185 ++++++++++++++++++++++++
- source3/libsmb/libsmb_setget.c          |  18 +++
- source3/libsmb/wscript                  |   2 +-
- 4 files changed, 222 insertions(+), 2 deletions(-)
- create mode 100644 source3/libsmb/ABI/smbclient-0.5.0.sigs
-
-diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
-index ca5c7f87f71..5e4a1715402 100644
---- a/source3/include/libsmbclient.h
-+++ b/source3/include/libsmbclient.h
-@@ -831,7 +831,24 @@ smbc_getOptionUseNTHash(SMBCCTX *c);
- void
- smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b);
- 
--
-+/**
-+ * @brief Set the 'client min protocol' and the 'client max protocol'.
-+ *
-+ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max
-+ * protocol' set in the smb.conf file!
-+ *
-+ * @param[in]  c  The smbc context to use.
-+ *
-+ * @param[in]  min_proto  The minimal protocol to use or NULL for leaving it
-+ *                        untouched.
-+ *
-+ * @param[in]  max_proto  The maximum protocol to use or NULL for leaving it
-+ *                        untouched.
-+ *
-+ * @returns true for success, false otherwise
-+ */
-+smbc_bool
-+smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto);
- 
- /*************************************
-  * Getters and setters for FUNCTIONS *
-diff --git a/source3/libsmb/ABI/smbclient-0.5.0.sigs b/source3/libsmb/ABI/smbclient-0.5.0.sigs
-new file mode 100644
-index 00000000000..b4245979c24
---- /dev/null
-+++ b/source3/libsmb/ABI/smbclient-0.5.0.sigs
-@@ -0,0 +1,185 @@
-+smbc_chmod: int (const char *, mode_t)
-+smbc_close: int (int)
-+smbc_closedir: int (int)
-+smbc_creat: int (const char *, mode_t)
-+smbc_fgetxattr: int (int, const char *, const void *, size_t)
-+smbc_flistxattr: int (int, char *, size_t)
-+smbc_free_context: int (SMBCCTX *, int)
-+smbc_fremovexattr: int (int, const char *)
-+smbc_fsetxattr: int (int, const char *, const void *, size_t, int)
-+smbc_fstat: int (int, struct stat *)
-+smbc_fstatvfs: int (int, struct statvfs *)
-+smbc_ftruncate: int (int, off_t)
-+smbc_getDebug: int (SMBCCTX *)
-+smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *)
-+smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *)
-+smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *)
-+smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *)
-+smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *)
-+smbc_getFunctionClose: smbc_close_fn (SMBCCTX *)
-+smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *)
-+smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *)
-+smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *)
-+smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *)
-+smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *)
-+smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *)
-+smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *)
-+smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *)
-+smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *)
-+smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *)
-+smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *)
-+smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *)
-+smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *)
-+smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *)
-+smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *)
-+smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *)
-+smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *)
-+smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *)
-+smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *)
-+smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *)
-+smbc_getFunctionRead: smbc_read_fn (SMBCCTX *)
-+smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *)
-+smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *)
-+smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *)
-+smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *)
-+smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *)
-+smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *)
-+smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *)
-+smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *)
-+smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *)
-+smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *)
-+smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *)
-+smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *)
-+smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *)
-+smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *)
-+smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *)
-+smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *)
-+smbc_getNetbiosName: const char *(SMBCCTX *)
-+smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *)
-+smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *)
-+smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *)
-+smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *)
-+smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *)
-+smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *)
-+smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *)
-+smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *)
-+smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *)
-+smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *)
-+smbc_getOptionUseCCache: smbc_bool (SMBCCTX *)
-+smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *)
-+smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *)
-+smbc_getOptionUserData: void *(SMBCCTX *)
-+smbc_getPort: uint16_t (SMBCCTX *)
-+smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *)
-+smbc_getTimeout: int (SMBCCTX *)
-+smbc_getUser: const char *(SMBCCTX *)
-+smbc_getWorkgroup: const char *(SMBCCTX *)
-+smbc_getdents: int (unsigned int, struct smbc_dirent *, int)
-+smbc_getxattr: int (const char *, const char *, const void *, size_t)
-+smbc_init: int (smbc_get_auth_data_fn, int)
-+smbc_init_context: SMBCCTX *(SMBCCTX *)
-+smbc_lgetxattr: int (const char *, const char *, const void *, size_t)
-+smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn)
-+smbc_listxattr: int (const char *, char *, size_t)
-+smbc_llistxattr: int (const char *, char *, size_t)
-+smbc_lremovexattr: int (const char *, const char *)
-+smbc_lseek: off_t (int, off_t, int)
-+smbc_lseekdir: int (int, off_t)
-+smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int)
-+smbc_mkdir: int (const char *, mode_t)
-+smbc_new_context: SMBCCTX *(void)
-+smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *)
-+smbc_open: int (const char *, int, mode_t)
-+smbc_open_print_job: int (const char *)
-+smbc_opendir: int (const char *)
-+smbc_option_get: void *(SMBCCTX *, char *)
-+smbc_option_set: void (SMBCCTX *, char *, ...)
-+smbc_print_file: int (const char *, const char *)
-+smbc_read: ssize_t (int, void *, size_t)
-+smbc_readdir: struct smbc_dirent *(unsigned int)
-+smbc_readdirplus: const struct libsmb_file_info *(unsigned int)
-+smbc_removexattr: int (const char *, const char *)
-+smbc_rename: int (const char *, const char *)
-+smbc_rmdir: int (const char *)
-+smbc_setConfiguration: int (SMBCCTX *, const char *)
-+smbc_setDebug: void (SMBCCTX *, int)
-+smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn)
-+smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn)
-+smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn)
-+smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn)
-+smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn)
-+smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn)
-+smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn)
-+smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn)
-+smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn)
-+smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn)
-+smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn)
-+smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn)
-+smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn)
-+smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn)
-+smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn)
-+smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn)
-+smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn)
-+smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn)
-+smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn)
-+smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn)
-+smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn)
-+smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn)
-+smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn)
-+smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn)
-+smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn)
-+smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn)
-+smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn)
-+smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn)
-+smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn)
-+smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn)
-+smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn)
-+smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn)
-+smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn)
-+smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn)
-+smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn)
-+smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn)
-+smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn)
-+smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn)
-+smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn)
-+smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn)
-+smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn)
-+smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn)
-+smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn)
-+smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn)
-+smbc_setNetbiosName: void (SMBCCTX *, const char *)
-+smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int)
-+smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode)
-+smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *)
-+smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, smbc_smb_encrypt_level)
-+smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool)
-+smbc_setOptionUserData: void (SMBCCTX *, void *)
-+smbc_setPort: void (SMBCCTX *, uint16_t)
-+smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *)
-+smbc_setTimeout: void (SMBCCTX *, int)
-+smbc_setUser: void (SMBCCTX *, const char *)
-+smbc_setWorkgroup: void (SMBCCTX *, const char *)
-+smbc_set_context: SMBCCTX *(SMBCCTX *)
-+smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *)
-+smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *)
-+smbc_setxattr: int (const char *, const char *, const void *, size_t, int)
-+smbc_stat: int (const char *, struct stat *)
-+smbc_statvfs: int (char *, struct statvfs *)
-+smbc_telldir: off_t (int)
-+smbc_unlink: int (const char *)
-+smbc_unlink_print_job: int (const char *, int)
-+smbc_urldecode: int (char *, char *, size_t)
-+smbc_urlencode: int (char *, char *, int)
-+smbc_utime: int (const char *, struct utimbuf *)
-+smbc_utimes: int (const char *, struct timeval *)
-+smbc_version: const char *(void)
-+smbc_write: ssize_t (int, const void *, size_t)
-diff --git a/source3/libsmb/libsmb_setget.c b/source3/libsmb/libsmb_setget.c
-index 60b822a395c..b1c4ff3b557 100644
---- a/source3/libsmb/libsmb_setget.c
-+++ b/source3/libsmb/libsmb_setget.c
-@@ -526,6 +526,24 @@ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b)
-         }
- }
- 
-+smbc_bool
-+smbc_setOptionProtocols(SMBCCTX *c,
-+			const char *min_proto,
-+			const char *max_proto)
-+{
-+	bool ok = true;
-+
-+	if (min_proto != NULL) {
-+		ok = lp_set_cmdline("client min protocol", min_proto);
-+	}
-+
-+	if (max_proto != NULL) {
-+		ok &= lp_set_cmdline("client min protocol", max_proto);
-+	}
-+
-+	return ok;
-+}
-+
- /** Get the function for obtaining authentication data */
- smbc_get_auth_data_fn
- smbc_getFunctionAuthData(SMBCCTX *c)
-diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript
-index 5482aea7d9c..298afc3c0e3 100644
---- a/source3/libsmb/wscript
-+++ b/source3/libsmb/wscript
-@@ -27,5 +27,5 @@ def build(bld):
-                        public_headers='../include/libsmbclient.h',
-                        abi_directory='ABI',
-                        abi_match='smbc_*',
--                       vnum='0.4.0',
-+                       vnum='0.5.0',
-                        pc_files='smbclient.pc')
--- 
-2.19.2
-
diff --git a/SOURCES/samba-4.9-disable_netbios.patch b/SOURCES/samba-4.9-disable_netbios.patch
deleted file mode 100644
index 4191502..0000000
--- a/SOURCES/samba-4.9-disable_netbios.patch
+++ /dev/null
@@ -1,252 +0,0 @@
-From 14d3e54fa87dc204223eba2c7e18b6e1bf0e4564 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Thu, 3 Jan 2019 12:07:01 -0500
-Subject: [PATCH 1/5] s3:libsmb: Check disable_netbios in socket connect
-
-If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED
-for a port 139 connection in the low level socket connection code.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Noel Power <nopower@suse.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9)
----
- source3/libsmb/smbsock_connect.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
-index 9f915e1bb42..bb3cb07646c 100644
---- a/source3/libsmb/smbsock_connect.c
-+++ b/source3/libsmb/smbsock_connect.c
-@@ -376,6 +376,11 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
- 	tevent_req_set_cleanup_fn(req, smbsock_connect_cleanup);
- 
- 	if (port == NBT_SMB_PORT) {
-+		if (lp_disable_netbios()) {
-+			tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
-+			return tevent_req_post(req, ev);
-+		}
-+
- 		state->req_139 = nb_connect_send(state, state->ev, state->addr,
- 						 state->called_name,
- 						 state->called_type,
--- 
-2.20.1
-
-
-From 94491362b882e49757f8ecd8e133149457e2f2e5 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 17 Dec 2018 14:40:33 -0500
-Subject: [PATCH 2/5] s3:libsmb: Print debug message about Netbios
-
-With a preceding patch, cli_connect_nb() will return
-NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
-
-Print an informative error message to indicate Netbios is disabled
-if this occurs.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Noel Power <nopower@suse.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b)
----
- source3/libsmb/clidfs.c        | 10 +++++++---
- source3/libsmb/libsmb_server.c |  4 ++++
- 2 files changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
-index 0dfb8b33606..4342a3b1d1b 100644
---- a/source3/libsmb/clidfs.c
-+++ b/source3/libsmb/clidfs.c
-@@ -196,9 +196,13 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
- 		flags, &c);
- 
- 	if (!NT_STATUS_IS_OK(status)) {
--		d_printf("Connection to %s failed (Error %s)\n",
--				server,
--				nt_errstr(status));
-+		if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-+			DBG_ERR("NetBIOS support disabled, unable to connect");
-+		}
-+
-+		DBG_WARNING("Connection to %s failed (Error %s)\n",
-+			    server,
-+			    nt_errstr(status));
- 		return status;
- 	}
- 
-diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
-index 67dfcf72327..0067df48cac 100644
---- a/source3/libsmb/libsmb_server.c
-+++ b/source3/libsmb/libsmb_server.c
-@@ -489,6 +489,10 @@ SMBC_server_internal(TALLOC_CTX *ctx,
- 	}
- 
- 	if (!NT_STATUS_IS_OK(status)) {
-+		if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-+			DBG_ERR("NetBIOS support disabled, unable to connect");
-+		}
-+
- 		errno = map_errno_from_nt_status(status);
- 		return NULL;
- 	}
--- 
-2.20.1
-
-
-From a0e7b2e45efe680971ded1b66ea919f3fa4a9ad4 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 17 Dec 2018 14:57:59 -0500
-Subject: [PATCH 3/5] s3:smbpasswd: Print debug message about Netbios
-
-With a preceding patch, cli_connect_nb() will return
-NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
-
-Print an informative error message to indicate Netbios is disabled
-if this occurs.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Noel Power <nopower@suse.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098)
----
- source3/libsmb/passchange.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
-index 48ffba8036f..f60e3079975 100644
---- a/source3/libsmb/passchange.c
-+++ b/source3/libsmb/passchange.c
-@@ -46,10 +46,18 @@ NTSTATUS remote_password_change(const char *remote_machine,
- 	result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL,
- 				SMB_SIGNING_IPC_DEFAULT, 0, &cli);
- 	if (!NT_STATUS_IS_OK(result)) {
--		if (asprintf(err_str, "Unable to connect to SMB server on "
--			 "machine %s. Error was : %s.\n",
--			 remote_machine, nt_errstr(result))==-1) {
--			*err_str = NULL;
-+		if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
-+			if (asprintf(err_str, "Unable to connect to SMB server on "
-+				"machine %s. NetBIOS support disabled\n",
-+				remote_machine) == -1) {
-+				*err_str = NULL;
-+			}
-+		} else {
-+			if (asprintf(err_str, "Unable to connect to SMB server on "
-+				 "machine %s. Error was : %s.\n",
-+				 remote_machine, nt_errstr(result))==-1) {
-+				*err_str = NULL;
-+			}
- 		}
- 		return result;
- 	}
--- 
-2.20.1
-
-
-From 5f5420b85b0467c0cb3237c82bd4c151bbb0133b Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 17 Dec 2018 15:17:24 -0500
-Subject: [PATCH 4/5] s3:utils:net: Print debug message about Netbios
-
-With a preceding patch, cli_connect_nb() will return
-NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
-
-Print an informative error message to indicate Netbios is disabled
-if this occurs.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Noel Power <nopower@suse.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397)
----
- source3/utils/net_rpc.c  | 3 +++
- source3/utils/net_time.c | 9 +++++++--
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 67fff2f4d1b..91ad90f9594 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -7431,6 +7431,9 @@ bool net_rpc_check(struct net_context *c, unsigned flags)
- 				lp_netbios_name(), SMB_SIGNING_IPC_DEFAULT,
- 				0, &cli);
- 	if (!NT_STATUS_IS_OK(status)) {
-+		if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-+			DBG_ERR("NetBIOS support disabled, unable to connect\n");
-+		}
- 		return false;
- 	}
- 	status = smbXcli_negprot(cli->conn, cli->timeout, PROTOCOL_CORE,
-diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c
-index 0091fc86333..5e6cf2ea15d 100644
---- a/source3/utils/net_time.c
-+++ b/source3/utils/net_time.c
-@@ -37,8 +37,13 @@ static time_t cli_servertime(const char *host,
- 	status = cli_connect_nb(host, dest_ss, 0, 0x20, lp_netbios_name(),
- 				SMB_SIGNING_DEFAULT, 0, &cli);
- 	if (!NT_STATUS_IS_OK(status)) {
--		fprintf(stderr, _("Can't contact server %s. Error %s\n"),
--			host, nt_errstr(status));
-+		if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
-+			fprintf(stderr, "Can't contact server %s. NetBIOS support disabled,"
-+				" Error %s\n", host, nt_errstr(status));
-+		} else {
-+			fprintf(stderr, "Can't contact server %s. Error %s\n",
-+				host, nt_errstr(status));
-+		}
- 		goto done;
- 	}
- 
--- 
-2.20.1
-
-
-From c948bd0660c1ddba0205ccdbd156baefa1c27971 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 14 Jan 2019 10:36:47 -0500
-Subject: [PATCH 5/5] s3:libsmb: Honor disable_netbios option in
- smbsock_connect_send
-
-If disable_netbios is set, return before the tevent timer is triggered
-to prevent outgoing netbios connections.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8)
----
- source3/libsmb/smbsock_connect.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
-index bb3cb07646c..be52b9a4f79 100644
---- a/source3/libsmb/smbsock_connect.c
-+++ b/source3/libsmb/smbsock_connect.c
-@@ -415,6 +415,13 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
- 	tevent_req_set_callback(state->req_445, smbsock_connect_connected,
- 				req);
- 
-+	/*
-+	 * Check for disable_netbios
-+	 */
-+	if (lp_disable_netbios()) {
-+		return req;
-+	}
-+
- 	/*
- 	 * After 5 msecs, fire the 139 (NBT) request
- 	 */
--- 
-2.20.1
-
diff --git a/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch b/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch
deleted file mode 100644
index 748a515..0000000
--- a/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From fac7c0a0357fc0c9fc472a0ee022a8db7571f054 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 22 Mar 2019 14:39:11 +0100
-Subject: [PATCH] docs: Update smbclient manpage for --max-protocol
-
-We default to SMB3 now.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
----
- docs-xml/manpages/smbclient.1.xml | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
-index e71a21a95e3..e25f7d3517b 100644
---- a/docs-xml/manpages/smbclient.1.xml
-+++ b/docs-xml/manpages/smbclient.1.xml
-@@ -261,9 +261,9 @@
- 		<listitem><para>This allows the user to select the
- 		highest SMB protocol level that smbclient will use to
- 		connect to the server. By default this is set to
--		NT1, which is the highest available SMB1 protocol.
--		To connect using SMB2 or SMB3 protocol, use the
--		strings SMB2 or SMB3 respectively. Note that to connect
-+		highest available SMB3 protocol version.
-+		To connect using SMB2 or SMB1 protocol, use the
-+		strings SMB2 or NT1 respectively. Note that to connect
- 		to a Windows 2012 server with encrypted transport selecting
- 		a max-protocol of SMB3 is required.
- 		</para></listitem>
--- 
-2.21.0
-
diff --git a/SOURCES/samba-4.9-fix_builtin_groups_creation.patch b/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
deleted file mode 100644
index 18aad34..0000000
--- a/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 1e8931dfc24a2576a3b1fe9115c4ccbfefbbd298 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 19 Dec 2018 09:38:33 +0100
-Subject: [PATCH] s3:auth: ignore create_builtin_guests() failing without a
- valid idmap configuration
-
-This happens on standalone servers, where winbindd is automatically
-started by init scripts if it's installed. But it's not really
-used and may not have a valid idmap configuration (
-"idmap config * : range" has no default!)
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit 865538fabaea33741f5fa542dbc3f2e08308c2c1)
----
- source3/auth/token_util.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
-index f5b0e6944335..ee38d6c9645b 100644
---- a/source3/auth/token_util.c
-+++ b/source3/auth/token_util.c
-@@ -745,7 +745,23 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
- 		status = create_builtin_guests(domain_sid);
- 		unbecome_root();
- 
--		if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
-+		/*
-+		 * NT_STATUS_PROTOCOL_UNREACHABLE:
-+		 * => winbindd is not running.
-+		 *
-+		 * NT_STATUS_ACCESS_DENIED:
-+		 * => no idmap config at all
-+		 * and wbint_AllocateGid()/winbind_allocate_gid()
-+		 * failed.
-+		 *
-+		 * NT_STATUS_NO_SUCH_GROUP:
-+		 * => no idmap config at all and
-+		 * "tdbsam:map builtin = no" means
-+		 * wbint_Sids2UnixIDs() fails.
-+		 */
-+		if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
-+		    NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
-+		    NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
- 			/*
- 			 * Add BUILTIN\Guests directly to token.
- 			 * But only if the token already indicates
--- 
-2.17.1
-
diff --git a/SOURCES/samba-4.9-fix_cups_printing.patch b/SOURCES/samba-4.9-fix_cups_printing.patch
deleted file mode 100644
index 80da965..0000000
--- a/SOURCES/samba-4.9-fix_cups_printing.patch
+++ /dev/null
@@ -1,1094 +0,0 @@
-From 1f64c74fec614bde510411b339e731f53b4707dd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 16:55:49 +0200
-Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups
-
-This is required to access files in /var/spool/cups which have been
-temporarily created in there by CUPS.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b)
----
- source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 5c4da33238b..e6684fc0d0c 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -82,6 +82,7 @@ int main(int argc, char *argv[])
- {
- 	char smbspool_cmd[PATH_MAX] = {0};
- 	struct passwd *pwd;
-+	struct group *g = NULL;
- 	char gen_cc[PATH_MAX] = {0};
- 	struct stat sb;
- 	char *env = NULL;
-@@ -89,6 +90,7 @@ int main(int argc, char *argv[])
- 	char device_uri[4096] = {0};
- 	uid_t uid = (uid_t)-1;
- 	gid_t gid = (gid_t)-1;
-+	gid_t groups[1] = { (gid_t)-1 };
- 	unsigned long tmp;
- 	int cmp;
- 	int rc;
-@@ -176,6 +178,26 @@ int main(int argc, char *argv[])
- 		return CUPS_BACKEND_FAILED;
- 	}
- 
-+	/*
-+	 * We need the primary group of the 'lp' user. This is needed to access
-+	 * temporary files in /var/spool/cups/.
-+	 */
-+	g = getgrnam("lp");
-+	if (g == NULL) {
-+		CUPS_SMB_ERROR("Failed to find user 'lp' - %s",
-+			       strerror(errno));
-+		return CUPS_BACKEND_FAILED;
-+	}
-+
-+	CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid);
-+	groups[0] = g->gr_gid;
-+	rc = setgroups(sizeof(groups), groups);
-+	if (rc != 0) {
-+		CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s",
-+			       strerror(errno));
-+		return CUPS_BACKEND_FAILED;
-+	}
-+
- 	CUPS_SMB_DEBUG("Switching to gid=%d", gid);
- 	rc = setgid(gid);
- 	if (rc != 0) {
--- 
-2.21.0
-
-
-From e634ee57d57cf4e5e2c8922f27576d402c6f06af Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 13:41:02 +0200
-Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate
- with
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5)
----
- source3/client/smbspool.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index c404b3a3f69..78c13b9ebdb 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -612,6 +612,7 @@ static bool kerberos_ccache_is_valid(void) {
- 		return false;
- 	} else {
- 		krb5_principal default_princ = NULL;
-+		char *princ_name = NULL;
- 
- 		code = krb5_cc_get_principal(ctx,
- 					     ccache,
-@@ -621,6 +622,16 @@ static bool kerberos_ccache_is_valid(void) {
- 			krb5_free_context(ctx);
- 			return false;
- 		}
-+
-+		code = krb5_unparse_name(ctx,
-+					 default_princ,
-+					 &princ_name);
-+		if (code == 0) {
-+			fprintf(stderr,
-+				"DEBUG: Try to authenticate as %s\n",
-+				princ_name);
-+			krb5_free_unparsed_name(ctx, princ_name);
-+		}
- 		krb5_free_principal(ctx, default_princ);
- 	}
- 	krb5_cc_close(ctx, ccache);
--- 
-2.21.0
-
-
-From 997a9c4e9eed11d5c9e1635db3fe402c3c686989 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 14:25:00 +0200
-Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba)
----
- source3/client/smbspool_krb5_wrapper.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index e6684fc0d0c..2cdcd372ec6 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -219,10 +219,14 @@ int main(int argc, char *argv[])
- 	env = getenv("KRB5CCNAME");
- 	if (env != NULL && env[0] != 0) {
- 		snprintf(gen_cc, sizeof(gen_cc), "%s", env);
-+		CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache",
-+			       gen_cc);
- 
- 		goto create_env;
- 	}
- 
-+	CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
-+
- 	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
- 
- 	rc = lstat(gen_cc, &sb);
--- 
-2.21.0
-
-
-From 793b16c22b0732a48de9bc927aab012bab87e8e4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 17:10:57 +0200
-Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858)
----
- source3/client/smbspool_krb5_wrapper.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 2cdcd372ec6..3266b90ec1a 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -227,13 +227,13 @@ int main(int argc, char *argv[])
- 
- 	CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
- 
--	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
-+	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
- 
- 	rc = lstat(gen_cc, &sb);
- 	if (rc == 0) {
--		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid);
-+		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
- 	} else {
--		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid);
-+		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
- 
- 		rc = lstat(gen_cc, &sb);
- 		if (rc == 0 && S_ISDIR(sb.st_mode)) {
--- 
-2.21.0
-
-
-From a2eb883469617688bef4f5c5dbbb1fc916299923 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 17:40:43 +0200
-Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is
- not set
-
-This could also support the new KCM credential cache storage.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3)
----
- source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++--------
- source3/wscript_build                  |  1 +
- 2 files changed, 55 insertions(+), 25 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 3266b90ec1a..bff1df417e8 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -21,6 +21,7 @@
- 
- #include "includes.h"
- #include "system/filesys.h"
-+#include "system/kerberos.h"
- #include "system/passwd.h"
- 
- #include <errno.h>
-@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...)
- 		buffer);
- }
- 
-+static bool kerberos_get_default_ccache(char *ccache_buf, size_t len)
-+{
-+	krb5_context ctx;
-+	const char *ccache_name = NULL;
-+	char *full_ccache_name = NULL;
-+	krb5_ccache ccache = NULL;
-+	krb5_error_code code;
-+
-+	code = krb5_init_context(&ctx);
-+	if (code != 0) {
-+		return false;
-+	}
-+
-+	ccache_name = krb5_cc_default_name(ctx);
-+	if (ccache_name == NULL) {
-+		krb5_free_context(ctx);
-+		return false;
-+	}
-+
-+	code = krb5_cc_resolve(ctx, ccache_name, &ccache);
-+	if (code != 0) {
-+		krb5_free_context(ctx);
-+		return false;
-+	}
-+
-+	code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name);
-+	krb5_cc_close(ctx, ccache);
-+	if (code != 0) {
-+		krb5_free_context(ctx);
-+		return false;
-+	}
-+
-+	snprintf(ccache_buf, len, "%s", full_ccache_name);
-+
-+#ifdef SAMBA4_USES_HEIMDAL
-+	free(full_ccache_name);
-+#else
-+	krb5_free_string(ctx, full_ccache_name);
-+#endif
-+	krb5_free_context(ctx);
-+
-+	return true;
-+}
-+
- /*
-  * This is a helper binary to execute smbspool.
-  *
-@@ -84,7 +129,6 @@ int main(int argc, char *argv[])
- 	struct passwd *pwd;
- 	struct group *g = NULL;
- 	char gen_cc[PATH_MAX] = {0};
--	struct stat sb;
- 	char *env = NULL;
- 	char auth_info_required[256] = {0};
- 	char device_uri[4096] = {0};
-@@ -92,6 +136,7 @@ int main(int argc, char *argv[])
- 	gid_t gid = (gid_t)-1;
- 	gid_t groups[1] = { (gid_t)-1 };
- 	unsigned long tmp;
-+	bool ok;
- 	int cmp;
- 	int rc;
- 
-@@ -225,32 +270,16 @@ int main(int argc, char *argv[])
- 		goto create_env;
- 	}
- 
--	CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
--
--	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
--
--	rc = lstat(gen_cc, &sb);
--	if (rc == 0) {
--		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
--	} else {
--		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
--
--		rc = lstat(gen_cc, &sb);
--		if (rc == 0 && S_ISDIR(sb.st_mode)) {
--			snprintf(gen_cc,
--				 sizeof(gen_cc),
--				 "DIR:/run/user/%d/krb5cc",
--				 uid);
--		} else {
--#if defined(__linux__)
--			snprintf(gen_cc,
--				 sizeof(gen_cc),
--				 "KEYRING:persistent:%d",
--				 uid);
--#endif
--		}
-+	ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc));
-+	if (ok) {
-+		CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]",
-+			       gen_cc);
-+		goto create_env;
- 	}
- 
-+	/* Fallback to a FILE ccache */
-+	snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
-+
- create_env:
- 	/*
- 	 * Make sure we do not have LD_PRELOAD or other security relevant
-diff --git a/source3/wscript_build b/source3/wscript_build
-index bbcfc72a714..a601ab4e9b1 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -1137,6 +1137,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
-                  deps='''
-                       DYNCONFIG
-                       cups
-+                      krb5
-                       ''',
-                  install_path='${LIBEXECDIR}/samba',
-                  enabled=bld.CONFIG_SET('HAVE_CUPS'))
--- 
-2.21.0
-
-
-From ec526ef97fc6edf0342dea9ee82ecc14433cc063 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 16:48:31 +0200
-Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd)
----
- source3/client/smbspool.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 78c13b9ebdb..805ad88b88d 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -223,7 +223,9 @@ main(int argc,			/* I - Number of command-line arguments */
- 
- 		fp = fopen(print_file, "rb");
- 		if (fp == NULL) {
--			perror("ERROR: Unable to open print file");
-+			fprintf(stderr,
-+				"ERROR: Unable to open print file: %s",
-+				print_file);
- 			goto done;
- 		}
- 
--- 
-2.21.0
-
-
-From cd9e3a2a7666dfe545a8d0e9a68def6aa536641b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 18:54:02 +0200
-Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos
-
-If username and password is given, then fallback to NTLM. However try
-kinit first. Also we correctly handle NULL passwords in the meantime and
-this makes it easier to deal with issues.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d)
----
- source3/client/smbspool.c | 90 ++++++++++++++++++++++-----------------
- 1 file changed, 51 insertions(+), 39 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 805ad88b88d..d336cd08209 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -87,8 +87,8 @@ main(int argc,			/* I - Number of command-line arguments */
- 	int             port;	/* Port number */
- 	char            uri[1024],	/* URI */
- 	               *sep,	/* Pointer to separator */
--	               *tmp, *tmp2,	/* Temp pointers to do escaping */
--	               *password;	/* Password */
-+	               *tmp, *tmp2;	/* Temp pointers to do escaping */
-+	const char     *password = NULL;	/* Password */
- 	char           *username,	/* Username */
- 	               *server,	/* Server name */
- 	               *printer;/* Printer name */
-@@ -292,8 +292,6 @@ main(int argc,			/* I - Number of command-line arguments */
- 		if ((tmp2 = strchr_m(tmp, ':')) != NULL) {
- 			*tmp2++ = '\0';
- 			password = uri_unescape_alloc(tmp2);
--		} else {
--			password = empty_str;
- 		}
- 		username = uri_unescape_alloc(tmp);
- 	} else {
-@@ -301,14 +299,15 @@ main(int argc,			/* I - Number of command-line arguments */
- 			username = empty_str;
- 		}
- 
--		if ((password = getenv("AUTH_PASSWORD")) == NULL) {
--			password = empty_str;
-+		env = getenv("AUTH_PASSWORD");
-+		if (env != NULL && strlen(env) > 0) {
-+			password = env;
- 		}
- 
- 		server = uri + 6;
- 	}
- 
--	if (password != empty_str) {
-+	if (password != NULL) {
- 		auth_info_required = "username,password";
- 	}
- 
-@@ -513,6 +512,7 @@ smb_complete_connection(const char *myname,
- 	NTSTATUS        nt_status;
- 	struct cli_credentials *creds = NULL;
- 	bool use_kerberos = false;
-+	bool fallback_after_kerberos = false;
- 
- 	/* Start the SMB connection */
- 	*need_auth = false;
-@@ -523,27 +523,21 @@ smb_complete_connection(const char *myname,
- 		return NULL;
- 	}
- 
--	/*
--	 * We pretty much guarantee password must be valid or a pointer to a
--	 * 0 char.
--	 */
--	if (!password) {
--		*need_auth = true;
--		return NULL;
--	}
--
- 	if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
--		auth_info_required = "negotiate";
- 		use_kerberos = true;
- 	}
- 
-+	if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) {
-+		fallback_after_kerberos = true;
-+	}
-+
- 	creds = cli_session_creds_init(cli,
- 				       username,
- 				       workgroup,
- 				       NULL, /* realm */
- 				       password,
- 				       use_kerberos,
--				       false, /* fallback_after_kerberos */
-+				       fallback_after_kerberos,
- 				       false, /* use_ccache */
- 				       false); /* password_is_nt_hash */
- 	if (creds == NULL) {
-@@ -659,6 +653,10 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
- 	struct cli_state *cli;	/* New connection */
- 	char           *myname = NULL;	/* Client name */
- 	struct passwd  *pwd;
-+	int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
-+	bool use_kerberos = false;
-+	const char *user = username;
-+	int cmp;
- 
- 	/*
-          * Get the names and addresses of the client and server...
-@@ -668,42 +666,56 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
- 		return NULL;
- 	}
- 
--	/*
--	 * See if we have a username first.  This is for backwards compatible
--	 * behavior with 3.0.14a
--	 */
- 
--	if (username == NULL || username[0] == '\0') {
--		if (kerberos_ccache_is_valid()) {
--			goto kerberos_auth;
-+	cmp = strcmp(auth_info_required, "negotiate");
-+	if (cmp == 0) {
-+		if (!kerberos_ccache_is_valid()) {
-+			return NULL;
- 		}
-+		user = jobusername;
-+
-+		use_kerberos = true;
-+		fprintf(stderr,
-+			"DEBUG: Try to connect using Kerberos ...\n");
-+	}
-+
-+	cmp = strcmp(auth_info_required, "username,password");
-+	if (cmp == 0) {
-+		if (username == NULL || username[0] == '\0') {
-+			return NULL;
-+		}
-+
-+		/* Fallback to NTLM */
-+		flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
-+
-+		fprintf(stderr,
-+			"DEBUG: Try to connect using username/password ...\n");
-+	}
-+
-+	cmp = strcmp(auth_info_required, "none");
-+	if (cmp == 0) {
-+		fprintf(stderr,
-+			"DEBUG: This backend doesn't support none auth ...\n");
-+		return NULL;
- 	}
- 
- 	cli = smb_complete_connection(myname,
- 				      server,
- 				      port,
--				      username,
-+				      user,
- 				      password,
- 				      workgroup,
- 				      share,
--				      0,
-+				      flags,
- 				      need_auth);
- 	if (cli != NULL) {
--		fputs("DEBUG: Connected with username/password...\n", stderr);
-+		fprintf(stderr, "DEBUG: SMB connection established.\n");
- 		return (cli);
- 	}
- 
--kerberos_auth:
--	/*
--	 * Try to use the user kerberos credentials (if any) to authenticate
--	 */
--	cli = smb_complete_connection(myname, server, port, jobusername, "",
--				      workgroup, share,
--				 CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
--
--	if (cli) {
--		fputs("DEBUG: Connected using Kerberos...\n", stderr);
--		return (cli);
-+	if (!use_kerberos) {
-+		fprintf(stderr, "ERROR: SMB connection failed!\n");
-+		return NULL;
- 	}
- 
- 	/* give a chance for a passwordless NTLMSSP session setup */
--- 
-2.21.0
-
-
-From f470477d71214b00a4b33f6934d7dbef3b3fce1d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 18:24:32 +0200
-Subject: [PATCH 8/9] s3:smbspool: Add debug messages to
- kerberos_ccache_is_valid()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3)
----
- source3/client/smbspool.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index d336cd08209..221c50af196 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -599,11 +599,15 @@ static bool kerberos_ccache_is_valid(void) {
- 
- 	ccache_name = krb5_cc_default_name(ctx);
- 	if (ccache_name == NULL) {
-+		DBG_ERR("Failed to get default ccache name\n");
-+		krb5_free_context(ctx);
- 		return false;
- 	}
- 
- 	code = krb5_cc_resolve(ctx, ccache_name, &ccache);
- 	if (code != 0) {
-+		DBG_ERR("Failed to resolve ccache name: %s\n",
-+			ccache_name);
- 		krb5_free_context(ctx);
- 		return false;
- 	} else {
-@@ -614,6 +618,9 @@ static bool kerberos_ccache_is_valid(void) {
- 					     ccache,
- 					     &default_princ);
- 		if (code != 0) {
-+			DBG_ERR("Failed to get default principal from "
-+				"ccache: %s\n",
-+				ccache_name);
- 			krb5_cc_close(ctx, ccache);
- 			krb5_free_context(ctx);
- 			return false;
--- 
-2.21.0
-
-
-From 27511ca2bbb05134681714475c634473b5125503 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 14 May 2019 11:35:46 +0200
-Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes
-
-This allows us to simplify some code and return better errors.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea)
----
- source3/client/smbspool.c | 250 ++++++++++++++++++++++----------------
- 1 file changed, 145 insertions(+), 105 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 221c50af196..5ab286cd3e9 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -60,12 +60,27 @@
-  * Local functions...
-  */
- 
--static int      get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
-+static int      get_exit_code(NTSTATUS nt_status);
- static void     list_devices(void);
--static struct cli_state *smb_complete_connection(const char *, const char *,
--	int, const char *, const char *, const char *, const char *, int, bool *need_auth);
--static struct cli_state *smb_connect(const char *, const char *, int, const
--	char *, const char *, const char *, const char *, bool *need_auth);
-+static NTSTATUS
-+smb_complete_connection(struct cli_state **output_cli,
-+			const char *myname,
-+			const char *server,
-+			int port,
-+			const char *username,
-+			const char *password,
-+			const char *workgroup,
-+			const char *share,
-+			int flags);
-+static NTSTATUS
-+smb_connect(struct cli_state **output_cli,
-+	    const char *workgroup,
-+	    const char *server,
-+	    const int port,
-+	    const char *share,
-+	    const char *username,
-+	    const char *password,
-+	    const char *jobusername);
- static int      smb_print(struct cli_state *, const char *, FILE *);
- static char    *uri_unescape_alloc(const char *);
- #if 0
-@@ -89,16 +104,15 @@ main(int argc,			/* I - Number of command-line arguments */
- 	               *sep,	/* Pointer to separator */
- 	               *tmp, *tmp2;	/* Temp pointers to do escaping */
- 	const char     *password = NULL;	/* Password */
--	char           *username,	/* Username */
--	               *server,	/* Server name */
-+	const char     *username = NULL;	/* Username */
-+	char           *server,	/* Server name */
- 	               *printer;/* Printer name */
- 	const char     *workgroup;	/* Workgroup */
- 	FILE           *fp;	/* File to print */
- 	int             status = 1;	/* Status of LPD job */
--	struct cli_state *cli;	/* SMB interface */
--	char            empty_str[] = "";
-+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
-+	struct cli_state *cli = NULL;	/* SMB interface */
- 	int             tries = 0;
--	bool		need_auth = true;
- 	const char     *dev_uri = NULL;
- 	const char     *env = NULL;
- 	const char     *config_file = NULL;
-@@ -295,8 +309,9 @@ main(int argc,			/* I - Number of command-line arguments */
- 		}
- 		username = uri_unescape_alloc(tmp);
- 	} else {
--		if ((username = getenv("AUTH_USERNAME")) == NULL) {
--			username = empty_str;
-+		env = getenv("AUTH_USERNAME");
-+		if (env != NULL && strlen(env) > 0) {
-+			username = env;
- 		}
- 
- 		env = getenv("AUTH_PASSWORD");
-@@ -368,27 +383,39 @@ main(int argc,			/* I - Number of command-line arguments */
- 	load_interfaces();
- 
- 	do {
--		cli = smb_connect(workgroup,
--				  server,
--				  port,
--				  printer,
--				  username,
--				  password,
--				  print_user,
--				  &need_auth);
--		if (cli == NULL) {
--			if (need_auth) {
--				exit(2);
-+		nt_status = smb_connect(&cli,
-+					workgroup,
-+					server,
-+					port,
-+					printer,
-+					username,
-+					password,
-+					print_user);
-+		if (!NT_STATUS_IS_OK(nt_status)) {
-+			status = get_exit_code(nt_status);
-+			if (status == 2) {
-+				fprintf(stderr,
-+					"DEBUG: Unable to connect to CIFS "
-+					"host: %s",
-+					nt_errstr(nt_status));
-+				goto done;
- 			} else if (getenv("CLASS") == NULL) {
--				fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
-+				fprintf(stderr,
-+					"ERROR: Unable to connect to CIFS "
-+					"host: %s. Will retry in 60 "
-+					"seconds...\n",
-+					nt_errstr(nt_status));
- 				sleep(60);
- 				tries++;
- 			} else {
--				fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
-+				fprintf(stderr,
-+					"ERROR: Unable to connect to CIFS "
-+					"host: %s. Trying next printer...\n",
-+					nt_errstr(nt_status));
- 				goto done;
- 			}
- 		}
--	} while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
-+	} while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT));
- 
- 	if (cli == NULL) {
- 		fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
-@@ -435,10 +462,9 @@ done:
-  */
- 
- static int
--get_exit_code(struct cli_state * cli,
--	      NTSTATUS nt_status)
-+get_exit_code(NTSTATUS nt_status)
- {
--	int i;
-+	size_t i;
- 
- 	/* List of NTSTATUS errors that are considered
- 	 * authentication errors
-@@ -454,17 +480,16 @@ get_exit_code(struct cli_state * cli,
- 	};
- 
- 
--	fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n",
--		cli, nt_errstr(nt_status), NT_STATUS_V(nt_status));
-+	fprintf(stderr,
-+		"DEBUG: get_exit_code(nt_status=%s [%x])\n",
-+		nt_errstr(nt_status), NT_STATUS_V(nt_status));
- 
- 	for (i = 0; i < ARRAY_SIZE(auth_errors); i++) {
- 		if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) {
- 			continue;
- 		}
- 
--		if (cli) {
--			fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
--		}
-+		fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
- 
- 		/*
- 		 * 2 = authentication required...
-@@ -497,16 +522,16 @@ list_devices(void)
- }
- 
- 
--static struct cli_state *
--smb_complete_connection(const char *myname,
-+static NTSTATUS
-+smb_complete_connection(struct cli_state **output_cli,
-+			const char *myname,
- 			const char *server,
- 			int port,
- 			const char *username,
- 			const char *password,
- 			const char *workgroup,
- 			const char *share,
--			int flags,
--			bool *need_auth)
-+			int flags)
- {
- 	struct cli_state *cli;	/* New connection */
- 	NTSTATUS        nt_status;
-@@ -515,12 +540,11 @@ smb_complete_connection(const char *myname,
- 	bool fallback_after_kerberos = false;
- 
- 	/* Start the SMB connection */
--	*need_auth = false;
- 	nt_status = cli_start_connection(&cli, myname, server, NULL, port,
- 					 SMB_SIGNING_DEFAULT, flags);
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status));
--		return NULL;
-+		return nt_status;
- 	}
- 
- 	if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
-@@ -543,20 +567,16 @@ smb_complete_connection(const char *myname,
- 	if (creds == NULL) {
- 		fprintf(stderr, "ERROR: cli_session_creds_init failed\n");
- 		cli_shutdown(cli);
--		return NULL;
-+		return NT_STATUS_NO_MEMORY;
- 	}
- 
- 	nt_status = cli_session_setup_creds(cli, creds);
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
- 
--		if (get_exit_code(cli, nt_status) == 2) {
--			*need_auth = true;
--		}
--
- 		cli_shutdown(cli);
- 
--		return NULL;
-+		return nt_status;
- 	}
- 
- 	nt_status = cli_tree_connect_creds(cli, share, "?????", creds);
-@@ -564,13 +584,9 @@ smb_complete_connection(const char *myname,
- 		fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
- 			nt_errstr(nt_status));
- 
--		if (get_exit_code(cli, nt_status) == 2) {
--			*need_auth = true;
--		}
--
- 		cli_shutdown(cli);
- 
--		return NULL;
-+		return nt_status;
- 	}
- #if 0
- 	/* Need to work out how to specify this on the URL. */
-@@ -583,7 +599,8 @@ smb_complete_connection(const char *myname,
- 	}
- #endif
- 
--	return cli;
-+	*output_cli = cli;
-+	return NT_STATUS_OK;
- }
- 
- static bool kerberos_ccache_is_valid(void) {
-@@ -647,49 +664,48 @@ static bool kerberos_ccache_is_valid(void) {
-  * 'smb_connect()' - Return a connection to a server.
-  */
- 
--static struct cli_state *	/* O - SMB connection */
--smb_connect(const char *workgroup,	/* I - Workgroup */
-+static NTSTATUS
-+smb_connect(struct cli_state **output_cli,
-+	    const char *workgroup,	/* I - Workgroup */
- 	    const char *server,	/* I - Server */
- 	    const int port,	/* I - Port */
- 	    const char *share,	/* I - Printer */
- 	    const char *username,	/* I - Username */
- 	    const char *password,	/* I - Password */
--	    const char *jobusername,	/* I - User who issued the print job */
--	    bool *need_auth)
--{				/* O - Need authentication? */
--	struct cli_state *cli;	/* New connection */
-+	    const char *jobusername)	/* I - User who issued the print job */
-+{
-+	struct cli_state *cli = NULL;	/* New connection */
- 	char           *myname = NULL;	/* Client name */
- 	struct passwd  *pwd;
- 	int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
- 	bool use_kerberos = false;
- 	const char *user = username;
--	int cmp;
-+	NTSTATUS nt_status;
- 
- 	/*
-          * Get the names and addresses of the client and server...
-          */
- 	myname = get_myname(talloc_tos());
- 	if (!myname) {
--		return NULL;
-+		return NT_STATUS_NO_MEMORY;
- 	}
- 
- 
--	cmp = strcmp(auth_info_required, "negotiate");
--	if (cmp == 0) {
-+	if (strcmp(auth_info_required, "negotiate") == 0) {
- 		if (!kerberos_ccache_is_valid()) {
--			return NULL;
-+			fprintf(stderr,
-+				"ERROR: No valid Kerberos credential cache "
-+				"found!\n");
-+			return NT_STATUS_LOGON_FAILURE;
- 		}
- 		user = jobusername;
- 
- 		use_kerberos = true;
- 		fprintf(stderr,
- 			"DEBUG: Try to connect using Kerberos ...\n");
--	}
--
--	cmp = strcmp(auth_info_required, "username,password");
--	if (cmp == 0) {
--		if (username == NULL || username[0] == '\0') {
--			return NULL;
-+	} else if (strcmp(auth_info_required, "username,password") == 0) {
-+		if (username == NULL) {
-+			return NT_STATUS_INVALID_ACCOUNT_NAME;
- 		}
- 
- 		/* Fallback to NTLM */
-@@ -697,59 +713,83 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
- 
- 		fprintf(stderr,
- 			"DEBUG: Try to connect using username/password ...\n");
--	}
-+	} else {
-+		if (username != NULL) {
-+			flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
-+		} else if (kerberos_ccache_is_valid()) {
-+			auth_info_required = "negotiate";
- 
--	cmp = strcmp(auth_info_required, "none");
--	if (cmp == 0) {
--		fprintf(stderr,
--			"DEBUG: This backend doesn't support none auth ...\n");
--		return NULL;
-+			user = jobusername;
-+			use_kerberos = true;
-+		} else {
-+			fprintf(stderr,
-+				"DEBUG: This backend requires credentials!\n");
-+			return NT_STATUS_ACCESS_DENIED;
-+		}
- 	}
- 
--	cli = smb_complete_connection(myname,
--				      server,
--				      port,
--				      user,
--				      password,
--				      workgroup,
--				      share,
--				      flags,
--				      need_auth);
--	if (cli != NULL) {
-+	nt_status = smb_complete_connection(&cli,
-+					    myname,
-+					    server,
-+					    port,
-+					    user,
-+					    password,
-+					    workgroup,
-+					    share,
-+					    flags);
-+	if (NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "DEBUG: SMB connection established.\n");
--		return (cli);
-+
-+		*output_cli = cli;
-+		return NT_STATUS_OK;
- 	}
- 
- 	if (!use_kerberos) {
- 		fprintf(stderr, "ERROR: SMB connection failed!\n");
--		return NULL;
-+		return nt_status;
- 	}
- 
- 	/* give a chance for a passwordless NTLMSSP session setup */
- 	pwd = getpwuid(geteuid());
- 	if (pwd == NULL) {
--		return NULL;
--	}
--
--	cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
--				      workgroup, share, 0, need_auth);
--
--	if (cli) {
-+		return NT_STATUS_ACCESS_DENIED;
-+	}
-+
-+	nt_status = smb_complete_connection(&cli,
-+					    myname,
-+					    server,
-+					    port,
-+					    pwd->pw_name,
-+					    "",
-+					    workgroup,
-+					    share,
-+					    0);
-+	if (NT_STATUS_IS_OK(nt_status)) {
- 		fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
--		return (cli);
-+
-+		*output_cli = cli;
-+		return NT_STATUS_OK;
- 	}
- 
- 	/*
-          * last try. Use anonymous authentication
-          */
- 
--	cli = smb_complete_connection(myname, server, port, "", "",
--				      workgroup, share, 0, need_auth);
--	/*
--         * Return the new connection...
--         */
--
--	return (cli);
-+	nt_status = smb_complete_connection(&cli,
-+					    myname,
-+					    server,
-+					    port,
-+					    "",
-+					    "",
-+					    workgroup,
-+					    share,
-+					    0);
-+	if (NT_STATUS_IS_OK(nt_status)) {
-+		*output_cli = cli;
-+		return NT_STATUS_OK;
-+	}
-+
-+	return nt_status;
- }
- 
- 
-@@ -795,7 +835,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: %s opening remote spool %s\n",
- 			nt_errstr(nt_status), title);
--		return get_exit_code(cli, nt_status);
-+		return get_exit_code(nt_status);
- 	}
- 
- 	/*
-@@ -813,7 +853,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 		status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
- 				      tbytes, nbytes, NULL);
- 		if (!NT_STATUS_IS_OK(status)) {
--			int ret = get_exit_code(cli, status);
-+			int ret = get_exit_code(status);
- 			fprintf(stderr, "ERROR: Error writing spool: %s\n",
- 				nt_errstr(status));
- 			fprintf(stderr, "DEBUG: Returning status %d...\n",
-@@ -829,7 +869,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: %s closing remote spool %s\n",
- 			nt_errstr(nt_status), title);
--		return get_exit_code(cli, nt_status);
-+		return get_exit_code(nt_status);
- 	} else {
- 		return (0);
- 	}
--- 
-2.21.0
-
diff --git a/SOURCES/samba-4.9-fix_debug_segfault.patch b/SOURCES/samba-4.9-fix_debug_segfault.patch
deleted file mode 100644
index edbbd33..0000000
--- a/SOURCES/samba-4.9-fix_debug_segfault.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 99c354431703a4408f0208e3f2b06a9da81937f2 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 7 Nov 2018 14:32:29 +0100
-Subject: [PATCH] lib:util: Fix DEBUGCLASS pointer initializiation
-
-This fixes a segfault in pyglue:
-
-==10142== Process terminating with default action of signal 11 (SIGSEGV)
-==10142==  Bad permissions for mapped region at address 0x6F00A20
-==10142==    at 0x6F1074B: py_set_debug_level (pyglue.c:165)
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 71ef09c1afdbf967b829cb66b33c3a5cb1c18ba0)
----
- lib/util/debug.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/lib/util/debug.c b/lib/util/debug.c
-index d41e0f99c77..847ec1f0a0c 100644
---- a/lib/util/debug.c
-+++ b/lib/util/debug.c
-@@ -557,10 +557,10 @@ static const char *default_classname_table[] = {
-  * This is to allow reading of DEBUGLEVEL_CLASS before the debug
-  * system has been initialized.
-  */
--static const int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
-+static int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
- 
- static size_t debug_num_classes = 0;
--int     *DEBUGLEVEL_CLASS = discard_const_p(int, debug_class_list_initial);
-+int     *DEBUGLEVEL_CLASS = debug_class_list_initial;
- 
- 
- /* -------------------------------------------------------------------------- **
--- 
-2.19.1
-
diff --git a/SOURCES/samba-4.9-fix_force_group_panic.patch b/SOURCES/samba-4.9-fix_force_group_panic.patch
deleted file mode 100644
index e228ccf..0000000
--- a/SOURCES/samba-4.9-fix_force_group_panic.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From fdc98f74d016bcfd9673f4bc011ba7ede59bdf48 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 18 Jan 2019 14:24:30 -0800
-Subject: [PATCH 2/2] smbd: uid: Don't crash if 'force group' is added to an
- existing share connection.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-smbd could crash if "force group" is added to a
-share definition whilst an existing connection
-to that share exists. In that case, don't change
-the existing credentials for force group, only
-do so for new connections.
-
-Remove knownfail from regression test.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-
-Autobuild-User(master): Ralph Böhme <slow@samba.org>
-Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144
-
-(cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a)
----
- source3/smbd/uid.c | 35 +++++++++++++++++++++++++++++++++--
- 2 files changed, 33 insertions(+), 4 deletions(-)
-
-diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
-index 9d5321cf4cc..ced2d450f8e 100644
---- a/source3/smbd/uid.c
-+++ b/source3/smbd/uid.c
-@@ -296,6 +296,7 @@ static bool change_to_user_internal(connection_struct *conn,
- 	int snum;
- 	gid_t gid;
- 	uid_t uid;
-+	const char *force_group_name;
- 	char group_c;
- 	int num_groups = 0;
- 	gid_t *group_list = NULL;
-@@ -335,9 +336,39 @@ static bool change_to_user_internal(connection_struct *conn,
- 	 * See if we should force group for this service. If so this overrides
- 	 * any group set in the force user code.
- 	 */
--	if((group_c = *lp_force_group(talloc_tos(), snum))) {
-+	force_group_name = lp_force_group(talloc_tos(), snum);
-+	group_c = *force_group_name;
- 
--		SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
-+	if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {
-+		/*
-+		 * This can happen if "force group" is added to a
-+		 * share definition whilst an existing connection
-+		 * to that share exists. In that case, don't change
-+		 * the existing credentials for force group, only
-+		 * do so for new connections.
-+		 *
-+		 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
-+		 */
-+		DBG_INFO("Not forcing group %s on existing connection to "
-+			"share %s for SMB user %s (unix user %s)\n",
-+			force_group_name,
-+			lp_const_servicename(snum),
-+			session_info->unix_info->sanitized_username,
-+			session_info->unix_info->unix_name);
-+	}
-+
-+	if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) {
-+		/*
-+		 * Only force group for connections where
-+		 * conn->force_group_gid has already been set
-+		 * to the correct value (i.e. the connection
-+		 * happened after the 'force group' definition
-+		 * was added to the share definition. Connections
-+		 * that were made before force group was added
-+		 * should stay with their existing credentials.
-+		 *
-+		 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
-+		 */
- 
- 		if (group_c == '+') {
- 			int i;
--- 
-2.20.1.495.gaa96b0ce6b-goog
-
diff --git a/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch b/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch
deleted file mode 100644
index 8cd6b4e..0000000
--- a/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch
+++ /dev/null
@@ -1,544 +0,0 @@
-From 996850e7c3bae8fa2f3fcb3f2e3a811c1e6c162f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 29 Mar 2019 11:34:53 +0100
-Subject: [PATCH 01/11] s3:libads: Print more information when LDAP fails
-
-Currently we just get an error but don't know what exactly we tried to
-do in 'net ads join -d10'.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
----
- source3/libads/ldap.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index 13846695bd4..110f74a2dbb 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld)
- 	if (ret != 0) {
- 		char *ld_error = NULL;
- 		ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
--		DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
--			ldap_err2string(ret), ld_error));
-+		DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
-+			ret,
-+			ldap_err2string(ret),
-+			ld_error);
- 		SAFE_FREE(ld_error);
- 	}
- }
-@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
- 		(char) 1};
- 	LDAPControl *controls[2];
- 
-+	DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
-+
- 	controls[0] = &PermitModify;
- 	controls[1] = NULL;
- 
-@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
- 	char *utf8_dn = NULL;
- 	size_t converted_size;
- 
-+	DBG_INFO("AD LDAP: Adding %s\n", new_dn);
-+
- 	if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
- 		DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
- 		return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
-@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
- 		return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
- 	}
- 
-+	DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
-+
- 	ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
- 	ads_print_error(ret, ads->ldap.ld);
- 	TALLOC_FREE(utf8_dn);
--- 
-2.21.0
-
-
-From 5fe5419bd6617fb33c7aafce20e1eeb3edd2f35f Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 27 Mar 2019 16:45:39 +0100
-Subject: [PATCH 02/11] s3:libsmb: Add some useful debug output to cliconnect
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
----
- source3/libsmb/cliconnect.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index 837299d9220..9a3d3c769f9 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -345,6 +345,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
- 		return NT_STATUS_OK;
- 	}
- 
-+	DBG_INFO("Doing kinit for %s to access %s\n",
-+		 user_principal, target_hostname);
- 
- 	/*
- 	 * TODO: This should be done within the gensec layer
-@@ -374,6 +376,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
- 		 */
- 	}
- 
-+	DBG_DEBUG("Successfully authenticated as %s to access %s using "
-+		  "Kerberos\n",
-+		  user_principal,
-+		  target_hostname);
-+
- 	TALLOC_FREE(frame);
- 	return NT_STATUS_OK;
- }
-@@ -1293,6 +1300,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
- 		return tevent_req_post(req, ev);
- 	}
- 
-+	DBG_INFO("Connect to %s as %s using SPNEGO\n",
-+		 target_hostname,
-+		 cli_credentials_get_principal(creds, talloc_tos()));
-+
- 	subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
- 					       target_service, target_hostname);
- 	if (tevent_req_nomem(subreq, req)) {
-@@ -1496,6 +1507,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
- 		return tevent_req_post(req, ev);
- 	}
- 
-+	DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
-+
- 	if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
- 		bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
- 		uint8_t *bytes = NULL;
--- 
-2.21.0
-
-
-From 0ad85d0c8d5f1c0a8a2fc9bed2e685e3421195bc Mon Sep 17 00:00:00 2001
-From: Guenther Deschner <gd@samba.org>
-Date: Mon, 1 Apr 2019 17:46:39 +0200
-Subject: [PATCH 03/11] s3:libnet: Fix debug message in libnet_DomainJoin()
-
-A newline is missing but also use DBG_INFO macro and cleanup spelling.
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
----
- source3/libnet/libnet_join.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 27fc5135442..ddc00f7ad7c 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
- 			return WERR_NERR_DEFAULTJOINREQUIRED;
- 		}
- 
--		DEBUG(5, ("failed to precreate account in ou %s: %s",
--			r->in.account_ou, ads_errstr(ads_status)));
-+		DBG_INFO("Failed to pre-create account in OU %s: %s\n",
-+			 r->in.account_ou, ads_errstr(ads_status));
- 	}
-  rpc_join:
- 
--- 
-2.21.0
-
-
-From d6802828cc9a0dbdd667966faea7cc331479179b Mon Sep 17 00:00:00 2001
-From: Guenther Deschner <gd@samba.org>
-Date: Wed, 27 Mar 2019 17:51:04 +0100
-Subject: [PATCH 04/11] auth:ntlmssp: Add back CRAP ndr debug output
-
-This got lost somehow during refactoring. This is still viable
-information when trying to figure out what is going wrong when
-authenticating a user over NTLMSSP.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
----
- auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
- 1 file changed, 32 insertions(+)
-
-diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
-index ab406a2c5be..8e49dcee5ea 100644
---- a/auth/ntlmssp/ntlmssp_client.c
-+++ b/auth/ntlmssp/ntlmssp_client.c
-@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
- 		}
- 	}
- 
-+	if (DEBUGLEVEL >= 10) {
-+		struct CHALLENGE_MESSAGE *challenge =
-+			talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
-+		if (challenge != NULL) {
-+			NTSTATUS status;
-+			challenge->NegotiateFlags = chal_flags;
-+			status = ntlmssp_pull_CHALLENGE_MESSAGE(
-+					&in, challenge, challenge);
-+			if (NT_STATUS_IS_OK(status)) {
-+				NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
-+						challenge);
-+			}
-+			TALLOC_FREE(challenge);
-+		}
-+	}
-+
- 	if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
- 		ntlmssp_state->server.is_standalone = true;
- 	} else {
-@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
- 		return nt_status;
- 	}
- 
-+	if (DEBUGLEVEL >= 10) {
-+		struct AUTHENTICATE_MESSAGE *authenticate =
-+			talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
-+		if (authenticate != NULL) {
-+			NTSTATUS status;
-+			authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
-+			status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
-+				out, authenticate, authenticate);
-+			if (NT_STATUS_IS_OK(status)) {
-+				NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
-+						authenticate);
-+			}
-+			TALLOC_FREE(authenticate);
-+		}
-+	}
-+
- 	/*
- 	 * We always include the MIC, even without:
- 	 * av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
--- 
-2.21.0
-
-
-From 9a4a76ad58a96903129d1aef0c5ac05a9beeda4b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 1 Apr 2019 15:59:10 +0200
-Subject: [PATCH 05/11] auth:creds: Prefer the principal over DOMAIN/username
- when using NTLM
-
-If we want to authenticate using -Wadmin@otherdomain the DC should do
-take care of the authentication with the right DC for us.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Pair-Programmed-With: Guenther Deschner <gd@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
----
- auth/credentials/credentials.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
-index 4663185c979..7ef58d0752c 100644
---- a/auth/credentials/credentials.c
-+++ b/auth/credentials/credentials.c
-@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
- 					      const char **username, 
- 					      const char **domain) 
- {
--	if (cred->principal_obtained > cred->username_obtained) {
-+	if (cred->principal_obtained >= cred->username_obtained) {
- 		*domain = talloc_strdup(mem_ctx, "");
- 		*username = cli_credentials_get_principal(cred, mem_ctx);
- 	} else {
--- 
-2.21.0
-
-
-From 40267b96b2d596bf92139bbc794337fa828e63d5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 1 Apr 2019 16:39:45 +0200
-Subject: [PATCH 06/11] s3:libnet: Use more secure name for the JOIN krb5.conf
-
-Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
----
- source3/libnet/libnet_join.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index ddc00f7ad7c..e052306523d 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
- 		}
- 
- 		/* The domain parameter is only used as modifier
--		 * to krb5.conf file name. .JOIN is is not a valid
-+		 * to krb5.conf file name. _JOIN_ is is not a valid
- 		 * NetBIOS name so it cannot clash with another domain
- 		 * -- Uri.
- 		 */
--		create_local_private_krb5_conf_for_domain(
--		    pre_connect_realm, ".JOIN", sitename, &ss);
-+		create_local_private_krb5_conf_for_domain(pre_connect_realm,
-+							  "_JOIN_",
-+							  sitename,
-+							  &ss);
- 	}
- 
- 	status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
--- 
-2.21.0
-
-
-From cdc7199588e89eec42f30d0ea00f406911739763 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 1 Apr 2019 16:47:26 +0200
-Subject: [PATCH 07/11] s3:libads: Make sure we can lookup KDCs which are not
- configured
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Pair-Programmed-With: Guenther Deschner <gd@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
----
- source3/libads/kerberos.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index e623f2456a8..360cdd741da 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -673,11 +673,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
- 	}
- #endif
- 
-+	/*
-+	 * We are setting 'dns_lookup_kdc' to true, because we want to lookup
-+	 * KDCs which are not configured via DNS SRV records, eg. if we do:
-+	 *
-+	 *     net ads join -Uadmin@otherdomain
-+	 */
- 	file_contents =
- 	    talloc_asprintf(fname,
--			    "[libdefaults]\n\tdefault_realm = %s\n"
-+			    "[libdefaults]\n"
-+			    "\tdefault_realm = %s\n"
- 			    "%s"
--			    "\tdns_lookup_realm = false\n\n"
-+			    "\tdns_lookup_realm = false\n"
-+			    "\tdns_lookup_kdc = true\n\n"
- 			    "[realms]\n\t%s = {\n"
- 			    "%s\t}\n"
- 			    "%s\n",
--- 
-2.21.0
-
-
-From 85d85aa3f79ab0a4c3f3f3aad94d7ed545992a45 Mon Sep 17 00:00:00 2001
-From: Guenther Deschner <gd@samba.org>
-Date: Mon, 1 Apr 2019 17:40:03 +0200
-Subject: [PATCH 08/11] s3:ldap: Leave add machine code early for pre-existing
- accounts
-
-This avoids numerous LDAP constraint violation errors when we try to
-re-precreate an already existing machine account.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
----
- source3/libads/ldap.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index 110f74a2dbb..e191ea792a8 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
- 		goto done;
- 	}
- 
-+	ret = ads_find_machine_acct(ads, &res, machine_escaped);
-+	ads_msgfree(ads, res);
-+	if (ADS_ERR_OK(ret)) {
-+		DBG_DEBUG("Host account for %s already exists.\n",
-+				machine_escaped);
-+		ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
-+		goto done;
-+	}
-+
- 	new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
- 	samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
- 
-@@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
- 
- done:
- 	SAFE_FREE(machine_escaped);
--	ads_msgfree(ads, res);
- 	talloc_destroy(ctx);
- 
- 	return ret;
--- 
-2.21.0
-
-
-From ff8c3e197107621f9398515120a33239940a507b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 2 Apr 2019 13:14:06 +0200
-Subject: [PATCH 09/11] s3-libnet_join: always pass down admin domain to ads
- layer
-
-Otherwise we could loose the information that a non-default domain name
-has been used for admin creds.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)
----
- source3/libnet/libnet_join.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index e052306523d..fc7429e6a23 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -205,7 +205,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
- 		password = r->in.machine_password;
- 		ccname = "MEMORY:libnet_join_machine_creds";
- 	} else {
-+		char *p = NULL;
-+
- 		username = r->in.admin_account;
-+
-+		p = strchr(r->in.admin_account, '@');
-+		if (p == NULL) {
-+			username = talloc_asprintf(mem_ctx, "%s@%s",
-+						   r->in.admin_account,
-+						   r->in.admin_domain);
-+		}
-+		if (username == NULL) {
-+			return ADS_ERROR(LDAP_NO_MEMORY);
-+		}
- 		password = r->in.admin_password;
- 
- 		/*
--- 
-2.21.0
-
-
-From a3939fb583bb21abb34ec4179ffeb65e9a621279 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 2 Apr 2019 13:16:11 +0200
-Subject: [PATCH 10/11] s3-libnet_join: setup libnet join error string when AD
- connect fails
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)
----
- source3/libnet/libnet_join.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index fc7429e6a23..6d3fc1fe01f 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2655,6 +2655,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
- 
- 		ads_status = libnet_join_connect_ads_user(mem_ctx, r);
- 		if (!ADS_ERR_OK(ads_status)) {
-+			libnet_join_set_error_string(mem_ctx, r,
-+				"failed to connect to AD: %s",
-+				ads_errstr(ads_status));
- 			return WERR_NERR_DEFAULTJOINREQUIRED;
- 		}
- 
--- 
-2.21.0
-
-
-From d91788b9f257a3e87d9ad460bc4a3e8b8f1d49c3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 2 Apr 2019 13:16:55 +0200
-Subject: [PATCH 11/11] s3-libnet_join: allow fallback to NTLMSSP auth in
- libnet_join
-
-When a non-DNS and non-default admin domain is provided during the join
-sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME'
-(e.g. when the winbind krb5 locator is not installed). In that case lets
-fallback to NTLMSSP, like we do in winbind.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Wed Apr  3 18:57:31 UTC 2019 on sn-devel-144
-
-(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)
----
- source3/libnet/libnet_join.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 6d3fc1fe01f..b876d7ea89f 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
- 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
- 	}
- 
-+	my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
-+
- 	if (user_name) {
- 		SAFE_FREE(my_ads->auth.user_name);
- 		my_ads->auth.user_name = SMB_STRDUP(user_name);
--- 
-2.21.0
-
diff --git a/SOURCES/samba-4.9-fix_net_ads_krb5.patch b/SOURCES/samba-4.9-fix_net_ads_krb5.patch
deleted file mode 100644
index a8aedde..0000000
--- a/SOURCES/samba-4.9-fix_net_ads_krb5.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 01b912069337c8dd2eab6be006813dc7fbc2f882 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 17 Dec 2018 11:26:11 -0500
-Subject: [PATCH] s3: net: Do not set NET_FLAGS_ANONYMOUS with -k
-
-This affects net rpc getsid and net rpc changetrustpw commands.
-This avoids an anonymous IPC connection being made when -k is used,
-this only affects net rpc getsid and net rpc changetrustpw commands.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Noel Power <npower@samba.org>
----
- source3/utils/net_rpc.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index b99a036fca1..67fff2f4d1b 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -316,6 +316,12 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
- 
- int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
- {
-+	int conn_flags = NET_FLAGS_PDC;
-+
-+	if (!c->opt_user_specified && !c->opt_kerberos) {
-+		conn_flags |= NET_FLAGS_ANONYMOUS;
-+	}
-+
- 	if (c->display_usage) {
- 		d_printf(  "%s\n"
- 			   "net rpc changetrustpw\n"
-@@ -326,7 +332,7 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
- 	}
- 
- 	return run_rpc_command(c, NULL, &ndr_table_netlogon,
--			       NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
-+			       conn_flags,
- 			       rpc_changetrustpw_internals,
- 			       argc, argv);
- }
-@@ -863,7 +869,7 @@ int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
- {
- 	int conn_flags = NET_FLAGS_PDC;
- 
--	if (!c->opt_user_specified) {
-+	if (!c->opt_user_specified && !c->opt_kerberos) {
- 		conn_flags |= NET_FLAGS_ANONYMOUS;
- 	}
- 
--- 
-2.20.1
-
diff --git a/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch b/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch
deleted file mode 100644
index 013eebc..0000000
--- a/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch
+++ /dev/null
@@ -1,521 +0,0 @@
-From 7c0a36d527800cd9d148c64b24371c76ac73db63 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 10:15:05 +0100
-Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit fad5e4eaeb9202c1b63c42ea09254c17c473e33a)
----
- source3/script/tests/test_smbspool.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
-index d95ed064634..f28c0909334 100755
---- a/source3/script/tests/test_smbspool.sh
-+++ b/source3/script/tests/test_smbspool.sh
-@@ -99,8 +99,8 @@ test_vlp_verify()
- 	fi
- 
- 	jobid=$(echo "$out" | awk '/[0-9]+/ { print $1 };')
--	if [ $jobid -lt 1000 || $jobid -gt 2000 ]; then
--		echo "failed to get jobid"
-+	if [ -z "$jobid" ] || [ $jobid -lt 100 || [ $jobid -gt 2000 ]; then
-+		echo "Invalid jobid: $jobid"
- 		echo "$out"
- 		return 1
- 	fi
--- 
-2.20.1
-
-
-From 3cce23b5b863abf2c2352f5a066dc005d9728b18 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 09:40:58 +0100
-Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to
- smbspool
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 43160184d254a57f87bb2adeba47f48d8539533a)
----
- source3/client/smbspool_krb5_wrapper.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index dee3b4c54be..5c4da33238b 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -84,24 +84,36 @@ int main(int argc, char *argv[])
- 	struct passwd *pwd;
- 	char gen_cc[PATH_MAX] = {0};
- 	struct stat sb;
--	char *env;
-+	char *env = NULL;
-+	char auth_info_required[256] = {0};
-+	char device_uri[4096] = {0};
- 	uid_t uid = (uid_t)-1;
- 	gid_t gid = (gid_t)-1;
- 	unsigned long tmp;
- 	int cmp;
- 	int rc;
- 
-+	env = getenv("DEVICE_URI");
-+	if (env != NULL && strlen(env) > 2) {
-+		snprintf(device_uri, sizeof(device_uri), "%s", env);
-+	}
-+
- 	/* Check if AuthInfoRequired is set to negotiate */
- 	env = getenv("AUTH_INFO_REQUIRED");
- 
-         /* If not set, then just call smbspool. */
--	if (env == NULL) {
-+	if (env == NULL || env[0] == 0) {
- 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
- 			       "execute smbspool");
- 		goto smbspool;
- 	} else {
- 		CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
- 
-+		snprintf(auth_info_required,
-+			 sizeof(auth_info_required),
-+			 "%s",
-+			 env);
-+
- 		cmp = strcmp(env, "username,password");
- 		if (cmp == 0) {
- 			CUPS_SMB_DEBUG("Authenticate using username/password - "
-@@ -223,12 +235,18 @@ create_env:
- #else
- 	{
- 		extern char **environ;
--		environ = calloc(1, sizeof(*environ));
-+		environ = calloc(3, sizeof(*environ));
- 	}
- #endif
- 
- 	CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc);
- 	setenv("KRB5CCNAME", gen_cc, 1);
-+	if (device_uri[0] != '\0') {
-+		setenv("DEVICE_URI", device_uri, 1);
-+	}
-+	if (auth_info_required[0] != '\0') {
-+		setenv("AUTH_INFO_REQUIRED", auth_info_required, 1);
-+	}
- 
- smbspool:
- 	snprintf(smbspool_cmd,
--- 
-2.20.1
-
-
-From 0c03a0baf57ef4503e98b9e2ddd5695e6c8dd3fd Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 4 Jan 2019 09:21:24 +0100
-Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set
- by cups
-
-This should not switch to username,password if cups has been configured
-to use negotiate (Kerberos authentication).
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845)
----
- source3/client/smbspool.c | 32 ++++++++++++++++++++------------
- 1 file changed, 20 insertions(+), 12 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 389e4ea553f..3dbf6be014b 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -60,7 +60,7 @@
-  * Local functions...
-  */
- 
--static int      get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
-+static int      get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
- static void     list_devices(void);
- static struct cli_state *smb_complete_connection(const char *, const char *,
- 	int, const char *, const char *, const char *, const char *, int, bool *need_auth);
-@@ -72,6 +72,8 @@ static char    *uri_unescape_alloc(const char *);
- static bool     smb_encrypt;
- #endif
- 
-+static const char *auth_info_required;
-+
- /*
-  * 'main()' - Main entry for SMB backend.
-  */
-@@ -185,6 +187,11 @@ main(int argc,			/* I - Number of command-line arguments */
- 		}
- 	}
- 
-+	auth_info_required = getenv("AUTH_INFO_REQUIRED");
-+	if (auth_info_required == NULL) {
-+		auth_info_required = "none";
-+	}
-+
- 	cmp = strncmp(dev_uri, "smb://", 6);
- 	if (cmp != 0) {
- 		fprintf(stderr,
-@@ -233,6 +240,10 @@ main(int argc,			/* I - Number of command-line arguments */
- 		server = uri + 6;
- 	}
- 
-+	if (password != empty_str) {
-+		auth_info_required = "username,password";
-+	}
-+
- 	tmp = server;
- 
- 	if ((sep = strchr_m(tmp, '/')) == NULL) {
-@@ -352,8 +363,7 @@ done:
- 
- static int
- get_exit_code(struct cli_state * cli,
--	      NTSTATUS nt_status,
--	      bool use_kerberos)
-+	      NTSTATUS nt_status)
- {
- 	int i;
- 
-@@ -380,10 +390,7 @@ get_exit_code(struct cli_state * cli,
- 		}
- 
- 		if (cli) {
--			if (use_kerberos)
--				fputs("ATTR: auth-info-required=negotiate\n", stderr);
--			else
--				fputs("ATTR: auth-info-required=username,password\n", stderr);
-+			fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
- 		}
- 
- 		/*
-@@ -452,6 +459,7 @@ smb_complete_connection(const char *myname,
- 	}
- 
- 	if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
-+		auth_info_required = "negotiate";
- 		use_kerberos = true;
- 	}
- 
-@@ -474,7 +482,7 @@ smb_complete_connection(const char *myname,
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
- 
--		if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
-+		if (get_exit_code(cli, nt_status) == 2) {
- 			*need_auth = true;
- 		}
- 
-@@ -488,7 +496,7 @@ smb_complete_connection(const char *myname,
- 		fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
- 			nt_errstr(nt_status));
- 
--		if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
-+		if (get_exit_code(cli, nt_status) == 2) {
- 			*need_auth = true;
- 		}
- 
-@@ -677,7 +685,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: %s opening remote spool %s\n",
- 			nt_errstr(nt_status), title);
--		return get_exit_code(cli, nt_status, false);
-+		return get_exit_code(cli, nt_status);
- 	}
- 
- 	/*
-@@ -695,7 +703,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 		status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
- 				      tbytes, nbytes, NULL);
- 		if (!NT_STATUS_IS_OK(status)) {
--			int ret = get_exit_code(cli, status, false);
-+			int ret = get_exit_code(cli, status);
- 			fprintf(stderr, "ERROR: Error writing spool: %s\n",
- 				nt_errstr(status));
- 			fprintf(stderr, "DEBUG: Returning status %d...\n",
-@@ -711,7 +719,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: %s closing remote spool %s\n",
- 			nt_errstr(nt_status), title);
--		return get_exit_code(cli, nt_status, false);
-+		return get_exit_code(cli, nt_status);
- 	} else {
- 		return (0);
- 	}
--- 
-2.20.1
-
-
-From 59c5b1c6bad46ac523504120833080836cdc19a1 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 10:09:14 +0100
-Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title
-
-We can't be sure we can write to the input buffer.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 129ae27946318a075e99c9e6d1bacf8963f72282)
----
- source3/client/smbspool.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 3dbf6be014b..94c7ea368a2 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *,
- 	int, const char *, const char *, const char *, const char *, int, bool *need_auth);
- static struct cli_state *smb_connect(const char *, const char *, int, const
- 	char *, const char *, const char *, const char *, bool *need_auth);
--static int      smb_print(struct cli_state *, char *, FILE *);
-+static int      smb_print(struct cli_state *, const char *, FILE *);
- static char    *uri_unescape_alloc(const char *);
- #if 0
- static bool     smb_encrypt;
-@@ -655,7 +655,7 @@ kerberos_auth:
- 
- static int			/* O - 0 = success, non-0 = failure */
- smb_print(struct cli_state * cli,	/* I - SMB connection */
--	  char *title,		/* I - Title/job name */
-+	  const char *print_title,		/* I - Title/job name */
- 	  FILE * fp)
- {				/* I - File to print */
- 	uint16_t             fnum;	/* File number */
-@@ -663,12 +663,18 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 	                tbytes;	/* Total bytes read */
- 	char            buffer[8192],	/* Buffer for copy */
- 	               *ptr;	/* Pointer into title */
-+	char title[1024] = {0};
-+	int len;
- 	NTSTATUS nt_status;
- 
- 
- 	/*
--         * Sanitize the title...
--         */
-+	 * Sanitize the title...
-+	 */
-+	len = snprintf(title, sizeof(title), "%s", print_title);
-+	if (len != strlen(print_title)) {
-+		return 2;
-+	}
- 
- 	for (ptr = title; *ptr; ptr++) {
- 		if (!isalnum((int) *ptr) && !isspace((int) *ptr)) {
--- 
-2.20.1
-
-
-From 912e8b22b3b35c17bce35d10d543cc1505a15c46 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 12 Mar 2019 11:40:30 +0100
-Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling
-
-If we are executed as a CUPS backend, argv[0] is set to the device uri.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Bryan Mason <bmason@redhat.com>
-Signed-off-by: Guenther Deschner <gd@samba.org>
-
-(cherry picked from commit 69d7a496d3bf52eaa10e81132bb61430863fdd8a)
----
- source3/client/smbspool.c | 120 ++++++++++++++++++++++++++++++--------
- 1 file changed, 96 insertions(+), 24 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 94c7ea368a2..97d00bdd011 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -99,10 +99,12 @@ main(int argc,			/* I - Number of command-line arguments */
- 	char            empty_str[] = "";
- 	int             tries = 0;
- 	bool		need_auth = true;
--	const char     *dev_uri;
-+	const char     *dev_uri = NULL;
-+	const char     *env = NULL;
- 	const char     *config_file = NULL;
- 	TALLOC_CTX     *frame = talloc_stackframe();
--	bool device_uri_cmdline = false;
-+	const char *print_user = NULL;
-+	const char *print_title = NULL;
- 	const char *print_file = NULL;
- 	const char *print_copies = NULL;
- 	int cmp;
-@@ -139,21 +141,81 @@ main(int argc,			/* I - Number of command-line arguments */
- 	}
- 
- 	/*
--	 * If we have 6 arguments find out if we have the device_uri from the
--	 * command line or the print data
-+	 * Find out if we have the device_uri in the command line.
-+	 *
-+	 * If we are started as a CUPS backend argv[0] is normally the
-+	 * device_uri!
- 	 */
--	if (argc == 7) {
--		cmp = strncmp(argv[1], "smb://", 6);
--		if (cmp == 0) {
--			device_uri_cmdline = true;
-+	if (argc == 8) {
-+		/*
-+		 * smbspool <uri> <job> <user> <title> <copies> <options> <file>
-+		 * 0        1     2     3      4       5        6         7
-+		 */
-+
-+		dev_uri = argv[1];
-+
-+		print_user = argv[3];
-+		print_title = argv[4];
-+		print_copies = argv[5];
-+		print_file = argv[7];
-+	} else if (argc == 7) {
-+		int cmp1;
-+		int cmp2;
-+
-+		/*
-+		 * <uri>    <job> <user> <title> <copies> <options> <file>
-+		 * smbspool <uri> <job>  <user>  <title>  <copies>  <options>
-+		 * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
-+		 */
-+		cmp1 = strncmp(argv[0], "smb://", 6);
-+		cmp2 = strncmp(argv[1], "smb://", 6);
-+
-+		if (cmp1 == 0) {
-+			/*
-+			 * <uri>    <job> <user> <title> <copies> <options> <file>
-+			 * 0        1     2      3       4        5         6
-+			 */
-+			dev_uri = argv[0];
-+
-+			print_user = argv[2];
-+			print_title = argv[3];
-+			print_copies = argv[4];
-+			print_file = argv[6];
-+		} else if (cmp2 == 0) {
-+			/*
-+			 * smbspool <uri> <job>  <user>  <title>  <copies>  <options>
-+			 * 0        1     2      3       4        5         6
-+			 */
-+			dev_uri = argv[1];
-+
-+			print_user = argv[3];
-+			print_title = argv[4];
-+			print_copies = argv[5];
-+			print_file = NULL;
- 		} else {
-+			/*
-+			 * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
-+			 * 0        1     2      3       4        5         6
-+			 */
-+			print_user = argv[2];
-+			print_title = argv[3];
- 			print_copies = argv[4];
- 			print_file = argv[6];
- 		}
--	} else if (argc == 8) {
--		device_uri_cmdline = true;
--		print_copies = argv[5];
--		print_file = argv[7];
-+	} else if (argc == 6) {
-+		/*
-+		 * <uri>    <job> <user> <title> <copies> <options>
-+		 * smbspool <job> <user> <title> <copies> <options> | DEVICE_URI
-+		 * 0        1     2      3       4        5
-+		 */
-+		cmp = strncmp(argv[0], "smb://", 6);
-+		if (cmp == 0) {
-+			dev_uri = argv[0];
-+		}
-+
-+		print_user = argv[2];
-+		print_title = argv[3];
-+		print_copies = argv[4];
- 	}
- 
- 	if (print_file != NULL) {
-@@ -178,18 +240,17 @@ main(int argc,			/* I - Number of command-line arguments */
- 	/*
- 	 * Find the URI ...
- 	 */
--	if (device_uri_cmdline) {
--		dev_uri = argv[1];
--	} else {
--		dev_uri = getenv("DEVICE_URI");
--		if (dev_uri == NULL || strlen(dev_uri) == 0) {
--			dev_uri = "";
-+	if (dev_uri == NULL) {
-+		env = getenv("DEVICE_URI");
-+		if (env != NULL && env[0] != '\0') {
-+			dev_uri = env;
- 		}
- 	}
- 
--	auth_info_required = getenv("AUTH_INFO_REQUIRED");
--	if (auth_info_required == NULL) {
--		auth_info_required = "none";
-+	if (dev_uri == NULL) {
-+		fprintf(stderr,
-+			"ERROR: No valid device URI has been specified\n");
-+		goto done;
- 	}
- 
- 	cmp = strncmp(dev_uri, "smb://", 6);
-@@ -205,6 +266,11 @@ main(int argc,			/* I - Number of command-line arguments */
- 		goto done;
- 	}
- 
-+	auth_info_required = getenv("AUTH_INFO_REQUIRED");
-+	if (auth_info_required == NULL) {
-+		auth_info_required = "none";
-+	}
-+
- 	/*
-          * Extract the destination from the URI...
-          */
-@@ -301,8 +367,14 @@ main(int argc,			/* I - Number of command-line arguments */
- 	load_interfaces();
- 
- 	do {
--		cli = smb_connect(workgroup, server, port, printer,
--			username, password, argv[3], &need_auth);
-+		cli = smb_connect(workgroup,
-+				  server,
-+				  port,
-+				  printer,
-+				  username,
-+				  password,
-+				  print_user,
-+				  &need_auth);
- 		if (cli == NULL) {
- 			if (need_auth) {
- 				exit(2);
-@@ -338,7 +410,7 @@ main(int argc,			/* I - Number of command-line arguments */
-          */
- 
- 	for (i = 0; i < copies; i++) {
--		status = smb_print(cli, argv[4] /* title */ , fp);
-+		status = smb_print(cli, print_title, fp);
- 		if (status != 0) {
- 			break;
- 		}
--- 
-2.20.1
-
diff --git a/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch b/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch
deleted file mode 100644
index b04c8cc..0000000
--- a/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From be97b5934ca163259676be27d5c254da30080fbe Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 May 2019 16:18:51 +0200
-Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos
- credentials
-
-This is a regression which has been introduced with Samba 4.8.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit fd4b1f4f16aee3e3c9a2cb449655edfed171963a)
----
- source3/client/smbspool.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 97d00bdd011..c404b3a3f69 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -660,7 +660,7 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
- 	 * behavior with 3.0.14a
- 	 */
- 
--	if (username != NULL && username[0] != '\0') {
-+	if (username == NULL || username[0] == '\0') {
- 		if (kerberos_ccache_is_valid()) {
- 			goto kerberos_auth;
- 		}
--- 
-2.21.0
-
diff --git a/SOURCES/samba-4.9-fix_testparm_crash.patch b/SOURCES/samba-4.9-fix_testparm_crash.patch
deleted file mode 100644
index 74a8a52..0000000
--- a/SOURCES/samba-4.9-fix_testparm_crash.patch
+++ /dev/null
@@ -1,2126 +0,0 @@
-From 425bed0731a02b2e310b8835e9b75bff73582d99 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Mon, 9 Jul 2018 17:11:57 +0200
-Subject: [PATCH 01/22] s3:lib/server_contexts: make server_event_ctx and
- server_msg_ctx static
-
-server_event_ctx and server_msg_ctx static shouldn't be accessible from
-outside this compilation unit.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit d920a725ee19215190bbccaefd5b426bedc98860)
----
- source3/lib/server_contexts.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/lib/server_contexts.c b/source3/lib/server_contexts.c
-index 50072e680b6..b21cf0a4c81 100644
---- a/source3/lib/server_contexts.c
-+++ b/source3/lib/server_contexts.c
-@@ -21,7 +21,7 @@
- #include "includes.h"
- #include "messages.h"
- 
--struct tevent_context *server_event_ctx = NULL;
-+static struct tevent_context *server_event_ctx = NULL;
- 
- struct tevent_context *server_event_context(void)
- {
-@@ -44,7 +44,7 @@ void server_event_context_free(void)
- 	TALLOC_FREE(server_event_ctx);
- }
- 
--struct messaging_context *server_msg_ctx = NULL;
-+static struct messaging_context *server_msg_ctx = NULL;
- 
- struct messaging_context *server_messaging_context(void)
- {
--- 
-2.13.6
-
-
-From 1e8feaa20bfba475d6e2cbe69b5e1447586a7411 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 13 Aug 2018 15:07:20 -0700
-Subject: [PATCH 02/22] s3/lib:popt_common: Move setup_logging to common
- callback
-
-The flag is set in the common callback, so be consistent
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit dff1028e8ba4c70e726283c12531853681034014)
----
- source3/lib/popt_common.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
-index cc93a756c3b..454884fbb5c 100644
---- a/source3/lib/popt_common.c
-+++ b/source3/lib/popt_common.c
-@@ -93,6 +93,10 @@ static void popt_common_callback(poptContext con,
- 			}
- 		}
- 
-+		if (override_logfile) {
-+			setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE );
-+		}
-+
- 		/* Further 'every Samba program must do this' hooks here. */
- 		return;
- 	}
-@@ -288,10 +292,6 @@ static void popt_common_credentials_callback(poptContext con,
- 	if (reason == POPT_CALLBACK_REASON_POST) {
- 		bool ok;
- 
--		if (override_logfile) {
--			setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE );
--		}
--
- 		ok = lp_load_client(get_dyn_CONFIGFILE());
- 		if (!ok) {
- 			const char *pname = poptGetInvocationName(con);
--- 
-2.13.6
-
-
-From a1954bee751b35c3888be7c3c36ce59bb857e3f3 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 13 Aug 2018 15:39:08 -0700
-Subject: [PATCH 03/22] s3:lib: Move popt_common_credentials to separate file
-
-This is only used by command line utilities and has additional
-dependencies. Move to a separate file to contain the dependencies to the
-command line tools.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit b7464fd89bc22b71c82bbaa424bcbfcf947db651)
----
- source3/client/client.c               |   2 +-
- source3/include/popt_common.h         |  10 --
- source3/include/popt_common_cmdline.h |  47 +++++++
- source3/lib/popt_common.c             | 208 -----------------------------
- source3/lib/popt_common_cmdline.c     | 241 ++++++++++++++++++++++++++++++++++
- source3/rpcclient/cmd_spoolss.c       |   2 +-
- source3/rpcclient/rpcclient.c         |   2 +-
- source3/rpcclient/wscript_build       |   2 +-
- source3/utils/net.c                   |   2 +-
- source3/utils/regedit.c               |   2 +-
- source3/utils/smbcacls.c              |   2 +-
- source3/utils/smbcquotas.c            |   2 +-
- source3/utils/smbget.c                |   2 +-
- source3/utils/smbtree.c               |   2 +-
- source3/utils/wscript_build           |  14 +-
- source3/wscript_build                 |   9 +-
- 16 files changed, 313 insertions(+), 236 deletions(-)
- create mode 100644 source3/include/popt_common_cmdline.h
- create mode 100644 source3/lib/popt_common_cmdline.c
-
-diff --git a/source3/client/client.c b/source3/client/client.c
-index 25ba01d6216..2f193459d5d 100644
---- a/source3/client/client.c
-+++ b/source3/client/client.c
-@@ -23,7 +23,7 @@
- 
- #include "includes.h"
- #include "system/filesys.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpc_client/cli_pipe.h"
- #include "client/client_proto.h"
- #include "client/clitar_proto.h"
-diff --git a/source3/include/popt_common.h b/source3/include/popt_common.h
-index a8c778473e9..e001a5369b7 100644
---- a/source3/include/popt_common.h
-+++ b/source3/include/popt_common.h
-@@ -21,7 +21,6 @@
- #define _POPT_COMMON_H
- 
- #include <popt.h>
--#include "auth_info.h"
- 
- /* Common popt structures */
- extern struct poptOption popt_common_samba[];
-@@ -41,19 +40,10 @@ extern const struct poptOption popt_common_dynconfig[];
- #define POPT_COMMON_CONNECTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_connection, 0, "Connection options:", NULL },
- #define POPT_COMMON_VERSION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_version, 0, "Common samba options:", NULL },
- #define POPT_COMMON_CONFIGFILE { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_configfile, 0, "Common samba config:", NULL },
--#define POPT_COMMON_CREDENTIALS { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_credentials, 0, "Authentication options:", NULL },
- #define POPT_COMMON_DYNCONFIG { NULL, 0, POPT_ARG_INCLUDE_TABLE, \
-     discard_const_p(poptOption, popt_common_dynconfig), 0, \
-     "Build-time configuration overrides:", NULL },
- #define POPT_COMMON_DEBUGLEVEL { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_debuglevel, 0, "Common samba debugging:", NULL },
- #define POPT_COMMON_OPTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_option, 0, "Common samba commandline config:", NULL },
- 
--struct user_auth_info *popt_get_cmdline_auth_info(void);
--void popt_free_cmdline_auth_info(void);
--
--void popt_common_credentials_set_ignore_missing_conf(void);
--void popt_common_credentials_set_delay_post(void);
--void popt_common_credentials_post(void);
--void popt_burn_cmdline_password(int argc, char *argv[]);
--
- #endif /* _POPT_COMMON_H */
-diff --git a/source3/include/popt_common_cmdline.h b/source3/include/popt_common_cmdline.h
-new file mode 100644
-index 00000000000..21130cff071
---- /dev/null
-+++ b/source3/include/popt_common_cmdline.h
-@@ -0,0 +1,47 @@
-+/*
-+   Unix SMB/CIFS implementation.
-+   Common popt arguments
-+   Copyright (C) Jelmer Vernooij	2003
-+   Copyright (C) Christof Schmitt	2018
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; either version 3 of the License, or
-+   (at your option) any later version.
-+
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+
-+#ifndef _POPT_COMMON_CREDENTIALS_H
-+#define _POPT_COMMON_CREDENTIALS_H
-+
-+#include "popt_common.h"
-+
-+extern struct poptOption popt_common_credentials[];
-+#define POPT_COMMON_CREDENTIALS \
-+	{ \
-+		NULL,						\
-+		0,						\
-+		POPT_ARG_INCLUDE_TABLE,			\
-+		popt_common_credentials,			\
-+		0,						\
-+		"Authentication options:",			\
-+		NULL						\
-+	},
-+
-+struct user_auth_info *popt_get_cmdline_auth_info(void);
-+void popt_free_cmdline_auth_info(void);
-+
-+void popt_common_credentials_set_ignore_missing_conf(void);
-+void popt_common_credentials_set_delay_post(void);
-+void popt_common_credentials_post(void);
-+void popt_burn_cmdline_password(int argc, char *argv[]);
-+
-+#endif
-diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
-index 454884fbb5c..11db080c82d 100644
---- a/source3/lib/popt_common.c
-+++ b/source3/lib/popt_common.c
-@@ -213,211 +213,3 @@ struct poptOption popt_common_option[] = {
- 	{ "option",         0, POPT_ARG_STRING, NULL, OPT_OPTION, "Set smb.conf option from command line", "name=value" },
- 	POPT_TABLEEND
- };
--
--/* Handle command line options:
-- *		-U,--user
-- *		-A,--authentication-file
-- *		-k,--use-kerberos
-- *		-N,--no-pass
-- *		-S,--signing
-- *              -P --machine-pass
-- * 		-e --encrypt
-- * 		-C --use-ccache
-- */
--
--static struct user_auth_info *cmdline_auth_info;
--
--struct user_auth_info *popt_get_cmdline_auth_info(void)
--{
--	return cmdline_auth_info;
--}
--void popt_free_cmdline_auth_info(void)
--{
--	TALLOC_FREE(cmdline_auth_info);
--}
--
--static bool popt_common_credentials_ignore_missing_conf;
--static bool popt_common_credentials_delay_post;
--
--void popt_common_credentials_set_ignore_missing_conf(void)
--{
--	popt_common_credentials_delay_post = true;
--}
--
--void popt_common_credentials_set_delay_post(void)
--{
--	popt_common_credentials_delay_post = true;
--}
--
--void popt_common_credentials_post(void)
--{
--	if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) &&
--	    !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info))
--	{
--		fprintf(stderr,
--			"Failed to use machine account credentials\n");
--		exit(1);
--	}
--
--	set_cmdline_auth_info_getpass(cmdline_auth_info);
--
--	/*
--	 * When we set the username during the handling of the options passed to
--	 * the binary we haven't loaded the config yet. This means that we
--	 * didnn't take the 'winbind separator' into account.
--	 *
--	 * The username might contain the domain name and thus it hasn't been
--	 * correctly parsed yet. If we have a username we need to set it again
--	 * to run the string parser for the username correctly.
--	 */
--	reset_cmdline_auth_info_username(cmdline_auth_info);
--}
--
--static void popt_common_credentials_callback(poptContext con,
--					enum poptCallbackReason reason,
--					const struct poptOption *opt,
--					const char *arg, const void *data)
--{
--	if (reason == POPT_CALLBACK_REASON_PRE) {
--		struct user_auth_info *auth_info =
--				user_auth_info_init(NULL);
--		if (auth_info == NULL) {
--			fprintf(stderr, "user_auth_info_init() failed\n");
--			exit(1);
--		}
--		cmdline_auth_info = auth_info;
--		return;
--	}
--
--	if (reason == POPT_CALLBACK_REASON_POST) {
--		bool ok;
--
--		ok = lp_load_client(get_dyn_CONFIGFILE());
--		if (!ok) {
--			const char *pname = poptGetInvocationName(con);
--
--			fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n",
--				pname, get_dyn_CONFIGFILE());
--			if (!popt_common_credentials_ignore_missing_conf) {
--				exit(1);
--			}
--		}
--
--		load_interfaces();
--
--		set_cmdline_auth_info_guess(cmdline_auth_info);
--
--		if (popt_common_credentials_delay_post) {
--			return;
--		}
--
--		popt_common_credentials_post();
--		return;
--	}
--
--	switch(opt->val) {
--	case 'U':
--		set_cmdline_auth_info_username(cmdline_auth_info, arg);
--		break;
--
--	case 'A':
--		set_cmdline_auth_info_from_file(cmdline_auth_info, arg);
--		break;
--
--	case 'k':
--#ifndef HAVE_KRB5
--		d_printf("No kerberos support compiled in\n");
--		exit(1);
--#else
--		set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info);
--#endif
--		break;
--
--	case 'S':
--		if (!set_cmdline_auth_info_signing_state(cmdline_auth_info,
--				arg)) {
--			fprintf(stderr, "Unknown signing option %s\n", arg );
--			exit(1);
--		}
--		break;
--	case 'P':
--		set_cmdline_auth_info_use_machine_account(cmdline_auth_info);
--		break;
--	case 'N':
--		set_cmdline_auth_info_password(cmdline_auth_info, "");
--		break;
--	case 'e':
--		set_cmdline_auth_info_smb_encrypt(cmdline_auth_info);
--		break;
--	case 'C':
--		set_cmdline_auth_info_use_ccache(cmdline_auth_info, true);
--		break;
--	case 'H':
--		set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true);
--		break;
--	}
--}
--
--/**
-- * @brief Burn the commandline password.
-- *
-- * This function removes the password from the command line so we
-- * don't leak the password e.g. in 'ps aux'.
-- *
-- * It should be called after processing the options and you should pass down
-- * argv from main().
-- *
-- * @param[in]  argc     The number of arguments.
-- *
-- * @param[in]  argv[]   The argument array we will find the array.
-- */
--void popt_burn_cmdline_password(int argc, char *argv[])
--{
--	bool found = false;
--	char *p = NULL;
--	int i, ulen = 0;
--
--	for (i = 0; i < argc; i++) {
--		p = argv[i];
--		if (strncmp(p, "-U", 2) == 0) {
--			ulen = 2;
--			found = true;
--		} else if (strncmp(p, "--user", 6) == 0) {
--			ulen = 6;
--			found = true;
--		}
--
--		if (found) {
--			if (p == NULL) {
--				return;
--			}
--
--			if (strlen(p) == ulen) {
--				continue;
--			}
--
--			p = strchr_m(p, '%');
--			if (p != NULL) {
--				memset(p, '\0', strlen(p));
--			}
--			found = false;
--		}
--	}
--}
--
--struct poptOption popt_common_credentials[] = {
--	{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
--	  (void *)popt_common_credentials_callback, 0, NULL },
--	{ "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "USERNAME" },
--	{ "no-pass", 'N', POPT_ARG_NONE, NULL, 'N', "Don't ask for a password" },
--	{ "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" },
--	{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
--	{ "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
--	{"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password" },
--	{"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport" },
--	{"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C',
--	 "Use the winbind ccache for authentication" },
--	{"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H',
--	 "The supplied password is the NT hash" },
--	POPT_TABLEEND
--};
-diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c
-new file mode 100644
-index 00000000000..57f77e0868a
---- /dev/null
-+++ b/source3/lib/popt_common_cmdline.c
-@@ -0,0 +1,241 @@
-+/*
-+   Unix SMB/CIFS implementation.
-+   Common popt routines only used by cmdline utils
-+
-+   Copyright (C) Tim Potter 2001,2002
-+   Copyright (C) Jelmer Vernooij 2002,2003
-+   Copyright (C) James Peach 2006
-+   Copyright (C) Christof Schmitt 2018
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; either version 3 of the License, or
-+   (at your option) any later version.
-+
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+/* Handle command line options:
-+ *		-U,--user
-+ *		-A,--authentication-file
-+ *		-k,--use-kerberos
-+ *		-N,--no-pass
-+ *		-S,--signing
-+ *		-P --machine-pass
-+ *		-e --encrypt
-+ *		-C --use-ccache
-+ */
-+
-+#include "popt_common_cmdline.h"
-+#include "includes.h"
-+#include "auth_info.h"
-+
-+static struct user_auth_info *cmdline_auth_info;
-+
-+struct user_auth_info *popt_get_cmdline_auth_info(void)
-+{
-+	return cmdline_auth_info;
-+}
-+void popt_free_cmdline_auth_info(void)
-+{
-+	TALLOC_FREE(cmdline_auth_info);
-+}
-+
-+static bool popt_common_credentials_ignore_missing_conf;
-+static bool popt_common_credentials_delay_post;
-+
-+void popt_common_credentials_set_ignore_missing_conf(void)
-+{
-+	popt_common_credentials_delay_post = true;
-+}
-+
-+void popt_common_credentials_set_delay_post(void)
-+{
-+	popt_common_credentials_delay_post = true;
-+}
-+
-+void popt_common_credentials_post(void)
-+{
-+	if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) &&
-+	    !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info))
-+	{
-+		fprintf(stderr,
-+			"Failed to use machine account credentials\n");
-+		exit(1);
-+	}
-+
-+	set_cmdline_auth_info_getpass(cmdline_auth_info);
-+
-+	/*
-+	 * When we set the username during the handling of the options passed to
-+	 * the binary we haven't loaded the config yet. This means that we
-+	 * didn't take the 'winbind separator' into account.
-+	 *
-+	 * The username might contain the domain name and thus it hasn't been
-+	 * correctly parsed yet. If we have a username we need to set it again
-+	 * to run the string parser for the username correctly.
-+	 */
-+	reset_cmdline_auth_info_username(cmdline_auth_info);
-+}
-+
-+static void popt_common_credentials_callback(poptContext con,
-+					enum poptCallbackReason reason,
-+					const struct poptOption *opt,
-+					const char *arg, const void *data)
-+{
-+	if (reason == POPT_CALLBACK_REASON_PRE) {
-+		struct user_auth_info *auth_info =
-+				user_auth_info_init(NULL);
-+		if (auth_info == NULL) {
-+			fprintf(stderr, "user_auth_info_init() failed\n");
-+			exit(1);
-+		}
-+		cmdline_auth_info = auth_info;
-+		return;
-+	}
-+
-+	if (reason == POPT_CALLBACK_REASON_POST) {
-+		bool ok;
-+
-+		ok = lp_load_client(get_dyn_CONFIGFILE());
-+		if (!ok) {
-+			const char *pname = poptGetInvocationName(con);
-+
-+			fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n",
-+				pname, get_dyn_CONFIGFILE());
-+			if (!popt_common_credentials_ignore_missing_conf) {
-+				exit(1);
-+			}
-+		}
-+
-+		load_interfaces();
-+
-+		set_cmdline_auth_info_guess(cmdline_auth_info);
-+
-+		if (popt_common_credentials_delay_post) {
-+			return;
-+		}
-+
-+		popt_common_credentials_post();
-+		return;
-+	}
-+
-+	switch(opt->val) {
-+	case 'U':
-+		set_cmdline_auth_info_username(cmdline_auth_info, arg);
-+		break;
-+
-+	case 'A':
-+		set_cmdline_auth_info_from_file(cmdline_auth_info, arg);
-+		break;
-+
-+	case 'k':
-+#ifndef HAVE_KRB5
-+		d_printf("No kerberos support compiled in\n");
-+		exit(1);
-+#else
-+		set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info);
-+#endif
-+		break;
-+
-+	case 'S':
-+		if (!set_cmdline_auth_info_signing_state(cmdline_auth_info,
-+				arg)) {
-+			fprintf(stderr, "Unknown signing option %s\n", arg );
-+			exit(1);
-+		}
-+		break;
-+	case 'P':
-+		set_cmdline_auth_info_use_machine_account(cmdline_auth_info);
-+		break;
-+	case 'N':
-+		set_cmdline_auth_info_password(cmdline_auth_info, "");
-+		break;
-+	case 'e':
-+		set_cmdline_auth_info_smb_encrypt(cmdline_auth_info);
-+		break;
-+	case 'C':
-+		set_cmdline_auth_info_use_ccache(cmdline_auth_info, true);
-+		break;
-+	case 'H':
-+		set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true);
-+		break;
-+	}
-+}
-+
-+/**
-+ * @brief Burn the commandline password.
-+ *
-+ * This function removes the password from the command line so we
-+ * don't leak the password e.g. in 'ps aux'.
-+ *
-+ * It should be called after processing the options and you should pass down
-+ * argv from main().
-+ *
-+ * @param[in]  argc     The number of arguments.
-+ *
-+ * @param[in]  argv[]   The argument array we will find the array.
-+ */
-+void popt_burn_cmdline_password(int argc, char *argv[])
-+{
-+	bool found = false;
-+	char *p = NULL;
-+	int i, ulen = 0;
-+
-+	for (i = 0; i < argc; i++) {
-+		p = argv[i];
-+		if (strncmp(p, "-U", 2) == 0) {
-+			ulen = 2;
-+			found = true;
-+		} else if (strncmp(p, "--user", 6) == 0) {
-+			ulen = 6;
-+			found = true;
-+		}
-+
-+		if (found) {
-+			if (p == NULL) {
-+				return;
-+			}
-+
-+			if (strlen(p) == ulen) {
-+				continue;
-+			}
-+
-+			p = strchr_m(p, '%');
-+			if (p != NULL) {
-+				memset(p, '\0', strlen(p));
-+			}
-+			found = false;
-+		}
-+	}
-+}
-+
-+struct poptOption popt_common_credentials[] = {
-+	{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST,
-+	  (void *)popt_common_credentials_callback, 0, NULL },
-+	{ "user", 'U', POPT_ARG_STRING, NULL, 'U',
-+	  "Set the network username", "USERNAME" },
-+	{ "no-pass", 'N', POPT_ARG_NONE, NULL, 'N',
-+	  "Don't ask for a password" },
-+	{ "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',
-+	  "Use kerberos (active directory) authentication" },
-+	{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A',
-+	  "Get the credentials from a file", "FILE" },
-+	{ "signing", 'S', POPT_ARG_STRING, NULL, 'S',
-+	  "Set the client signing state", "on|off|required" },
-+	{"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P',
-+	 "Use stored machine account password" },
-+	{"encrypt", 'e', POPT_ARG_NONE, NULL, 'e',
-+	 "Encrypt SMB transport" },
-+	{"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C',
-+	 "Use the winbind ccache for authentication" },
-+	{"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H',
-+	 "The supplied password is the NT hash" },
-+	POPT_TABLEEND
-+};
-diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
-index 1d24476e9a5..8d330afdeb0 100644
---- a/source3/rpcclient/cmd_spoolss.c
-+++ b/source3/rpcclient/cmd_spoolss.c
-@@ -33,7 +33,7 @@
- #include "../libcli/security/security_descriptor.h"
- #include "../libcli/registry/util_reg.h"
- #include "libsmb/libsmb.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- 
- #define RPCCLIENT_PRINTERNAME(_printername, _cli, _arg) \
- { \
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index b4e25e6e479..f7e196226cf 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -21,7 +21,7 @@
- 
- #include "includes.h"
- #include "../libcli/auth/netlogon_creds_cli.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpcclient.h"
- #include "../libcli/auth/libcli_auth.h"
- #include "../librpc/gen_ndr/ndr_lsa_c.h"
-diff --git a/source3/rpcclient/wscript_build b/source3/rpcclient/wscript_build
-index c24a5670db9..11a64f3248a 100644
---- a/source3/rpcclient/wscript_build
-+++ b/source3/rpcclient/wscript_build
-@@ -25,7 +25,7 @@ bld.SAMBA3_BINARY('rpcclient',
- 		 ''',
-                  deps='''
-                  talloc
--                 popt_samba3
-+                 popt_samba3_cmdline
-                  pdb
-                  libsmb
-                  smbconf
-diff --git a/source3/utils/net.c b/source3/utils/net.c
-index 44daa6088ca..76b8677bf78 100644
---- a/source3/utils/net.c
-+++ b/source3/utils/net.c
-@@ -41,7 +41,7 @@
- /*****************************************************/
- 
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "utils/net.h"
- #include "secrets.h"
- #include "lib/netapi/netapi.h"
-diff --git a/source3/utils/regedit.c b/source3/utils/regedit.c
-index 27bd6f8f2c2..20115ae1624 100644
---- a/source3/utils/regedit.c
-+++ b/source3/utils/regedit.c
-@@ -18,7 +18,7 @@
-  */
- 
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "lib/util/data_blob.h"
- #include "lib/registry/registry.h"
- #include "regedit.h"
-diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
-index 0a5eeb31d0b..33eb78c41ec 100644
---- a/source3/utils/smbcacls.c
-+++ b/source3/utils/smbcacls.c
-@@ -22,7 +22,7 @@
- */
- 
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpc_client/cli_pipe.h"
- #include "../librpc/gen_ndr/ndr_lsa.h"
- #include "rpc_client/cli_lsarpc.h"
-diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
-index 798b8b6f177..a4b1b8111a5 100644
---- a/source3/utils/smbcquotas.c
-+++ b/source3/utils/smbcquotas.c
-@@ -22,7 +22,7 @@
- */
- 
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpc_client/cli_pipe.h"
- #include "../librpc/gen_ndr/ndr_lsa.h"
- #include "rpc_client/cli_lsarpc.h"
-diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
-index e1be42917fb..37462fa131f 100644
---- a/source3/utils/smbget.c
-+++ b/source3/utils/smbget.c
-@@ -18,7 +18,7 @@
- 
- #include "includes.h"
- #include "system/filesys.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "libsmbclient.h"
- 
- static int columns = 0;
-diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
-index 3b539ef1045..fb0f165a18d 100644
---- a/source3/utils/smbtree.c
-+++ b/source3/utils/smbtree.c
-@@ -20,7 +20,7 @@
- */
- 
- #include "includes.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "rpc_client/cli_pipe.h"
- #include "../librpc/gen_ndr/ndr_srvsvc_c.h"
- #include "libsmb/libsmb.h"
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 93e6abaac0d..67bb87e7a74 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -27,7 +27,7 @@ bld.SAMBA3_BINARY('smbtree',
-                  smbconf
-                  libsmb
-                  msrpc3
--                 popt_samba3
-+                 popt_samba3_cmdline
-                  RPC_NDR_SRVSVC''')
- 
- bld.SAMBA3_BINARY('smbpasswd',
-@@ -52,7 +52,7 @@ bld.SAMBA3_BINARY('smbget',
-                  source='smbget.c',
-                  deps='''
-                  talloc
--                 popt_samba3
-+                 popt_samba3_cmdline
-                  smbclient''')
- 
- bld.SAMBA3_BINARY('nmblookup',
-@@ -67,7 +67,7 @@ bld.SAMBA3_BINARY('smbcacls',
-                  source='smbcacls.c ../lib/util_sd.c',
-                  deps='''
-                  talloc
--                 popt_samba3
-+                 popt_samba3_cmdline
-                  msrpc3
-                  libcli_lsa3
-                  krb5samba''')
-@@ -76,7 +76,7 @@ bld.SAMBA3_BINARY('smbcquotas',
-                  source='smbcquotas.c',
-                  deps='''
-                  talloc
--                 popt_samba3
-+                 popt_samba3_cmdline
-                  libsmb
-                  msrpc3
-                  libcli_lsa3''')
-@@ -150,7 +150,9 @@ bld.SAMBA3_BINARY('samba-regedit',
-                             regedit_wrap.c regedit_treeview.c
-                             regedit_valuelist.c regedit_dialog.c
-                             regedit_hexedit.c regedit_list.c""",
--                  deps='ncurses menu panel form registry smbconf popt_samba3',
-+                  deps='''
-+                  ncurses menu panel form registry smbconf popt_samba3_cmdline
-+                  ''',
-                   enabled=bld.env.build_regedit)
- 
- bld.SAMBA3_BINARY('testparm',
-@@ -217,7 +219,7 @@ bld.SAMBA3_BINARY('net',
-                  netapi
-                  addns
-                  samba_intl
--                 popt_samba3
-+                 popt_samba3_cmdline
-                  pdb
-                  libsmb
-                  smbconf
-diff --git a/source3/wscript_build b/source3/wscript_build
-index c7c69a9bee1..5ecf23d531d 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -268,7 +268,12 @@ bld.SAMBA3_SUBSYSTEM('REG_FULL',
- 
- bld.SAMBA3_LIBRARY('popt_samba3',
-                    source='lib/popt_common.c',
--                   deps='popt samba-util util_cmdline',
-+                   deps='popt samba-util smbconf',
-+                   private_library=True)
-+
-+bld.SAMBA3_LIBRARY('popt_samba3_cmdline',
-+                   source='lib/popt_common_cmdline.c',
-+                   deps='popt_samba3 util_cmdline',
-                    private_library=True)
- 
- bld.SAMBA3_LIBRARY('util_cmdline',
-@@ -1094,7 +1099,7 @@ bld.SAMBA3_BINARY('client/smbclient',
-                         ''',
-                  deps='''
-                       talloc
--                      popt_samba3
-+                      popt_samba3_cmdline
-                       smbconf
-                       ndr-standard
-                       SMBREADLINE
--- 
-2.13.6
-
-
-From a98b2df2121c129326c64e35ba63e780aeb44a19 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 14:44:28 -0700
-Subject: [PATCH 04/22] s3:lib: Introduce cmdline context wrapper
-
-Command line tools need acccess to the same messaging context provided
-by server_messaging_context, as common code for db_open uses that
-context. We want to have additional checking for command line tools
-without having that code part of the servers. Introduce a wrapper
-library to use for command line tools with the additional checks, that
-then acquires the server_messaging_context.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 8c3b62e6231e62feafacf2a7ee4c9d41cd27a4a1)
----
- source3/lib/cmdline_contexts.c | 70 ++++++++++++++++++++++++++++++++++++++++++
- source3/lib/cmdline_contexts.h | 27 ++++++++++++++++
- source3/wscript_build          |  5 +++
- 3 files changed, 102 insertions(+)
- create mode 100644 source3/lib/cmdline_contexts.c
- create mode 100644 source3/lib/cmdline_contexts.h
-
-diff --git a/source3/lib/cmdline_contexts.c b/source3/lib/cmdline_contexts.c
-new file mode 100644
-index 00000000000..5713f7f7956
---- /dev/null
-+++ b/source3/lib/cmdline_contexts.c
-@@ -0,0 +1,70 @@
-+/*
-+   Unix SMB/CIFS implementation.
-+   cmdline context wrapper.
-+
-+   Copyright (C) Christof Schmitt <cs@samba.org> 2018
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; either version 3 of the License, or
-+   (at your option) any later version.
-+
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "cmdline_contexts.h"
-+#include "includes.h"
-+#include "messages.h"
-+
-+struct messaging_context *cmdline_messaging_context(const char *config_file)
-+{
-+	struct messaging_context *msg_ctx = NULL;
-+
-+	/*
-+	 * Ensure that a config is loaded, in case the underlying
-+	 * messaging_init needs to create directories or sockets.
-+	 */
-+	if (!lp_loaded()) {
-+		if (!lp_load_initial_only(config_file)) {
-+			return NULL;
-+		}
-+	}
-+
-+	/*
-+	 * Clustered Samba can only work as root due to required
-+	 * access to the registry and ctdb, which in turn requires
-+	 * messaging access as root.
-+	 */
-+	if (lp_clustering() && geteuid() != 0) {
-+		fprintf(stderr, "Cluster mode requires running as root.\n");
-+		exit(1);
-+	}
-+
-+	msg_ctx = server_messaging_context();
-+	if (msg_ctx == NULL) {
-+		if (geteuid() == 0) {
-+			fprintf(stderr,
-+				"Unable to initialize messaging context!\n");
-+			exit(1);
-+		} else {
-+			/*
-+			 * Non-cluster, non-root: Log error, but leave
-+			 * it up to the caller how to proceed.
-+			 */
-+			DBG_NOTICE("Unable to initialize messaging context.\n");
-+		}
-+	}
-+
-+	return msg_ctx;
-+}
-+
-+void cmdline_messaging_context_free(void)
-+{
-+	server_messaging_context_free();
-+}
-diff --git a/source3/lib/cmdline_contexts.h b/source3/lib/cmdline_contexts.h
-new file mode 100644
-index 00000000000..21f81f0f1cd
---- /dev/null
-+++ b/source3/lib/cmdline_contexts.h
-@@ -0,0 +1,27 @@
-+/*
-+   Unix SMB/CIFS implementation.
-+   cmdline context wrapper.
-+
-+   Copyright (C) Christof Schmitt <cs@samba.org> 2018
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; either version 3 of the License, or
-+   (at your option) any later version.
-+
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#ifndef _LIB_CMDLINE_CONTEXTS_H
-+#define _LIB_CMDLINE_CONTEXTS_H
-+
-+struct messaging_context *cmdline_messaging_context(const char *config_file);
-+void cmdline_messaging_context_free(void);
-+
-+#endif
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 5ecf23d531d..6fb09f7fbeb 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -281,6 +281,11 @@ bld.SAMBA3_LIBRARY('util_cmdline',
-                    deps='secrets3',
-                    private_library=True)
- 
-+bld.SAMBA3_LIBRARY('cmdline_contexts',
-+                   source='lib/cmdline_contexts.c',
-+                   deps='samba3core',
-+                   private_library=True)
-+
- bld.SAMBA3_SUBSYSTEM('KRBCLIENT',
-                      source='libads/kerberos.c libads/ads_status.c',
-                      public_deps='krb5samba asn1util k5crypto gssapi LIBTSOCKET CLDAP LIBNMB')
--- 
-2.13.6
-
-
-From d5d7a587f7476835bc48aae0dda5e064c2fd573c Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 10 Jul 2018 08:11:31 +0200
-Subject: [PATCH 05/22] s3:loadparm: reinit_globals in
- lp_load_with_registry_shares()
-
-This was set to false in 0e0d77519c27038b30fec92d542198e97be767d9 based
-on the assumption that callers would have no need to call
-lp_load_initial_only() with a later call to lp_load_something().
-
-This is not quite correct, since for accessing registry config on a
-cluster with include=registry, we need messaging up and running which
-*itself* requires loadparm to be initialized to get the statedir,
-lockdir asf. directories.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit 3aca3f24d4bdacc11278388934b0b411d518d7b0)
----
- source3/param/loadparm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 291ba57e0bb..322934c55f0 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -4120,7 +4120,7 @@ bool lp_load_with_registry_shares(const char *pszFname)
- 			  false, /* global_only */
- 			  true,  /* save_defaults */
- 			  false, /* add_ipc */
--			  false, /* reinit_globals */
-+			  true, /* reinit_globals */
- 			  true,  /* allow_include_registry */
- 			  true); /* load_all_shares*/
- }
--- 
-2.13.6
-
-
-From 88291681f03bb928d31e89717d2a19292f433024 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 10 Jul 2018 10:38:10 +0200
-Subject: [PATCH 06/22] selftest: pass configfile to pdbedit
-
-This is needed otherwise pdbedit fails to initialize messaging in
-autobuild.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit 10e1a6ebb3d95b8a1584a9b90c2584536aa9c96d)
----
- testprogs/blackbox/test_pdbtest.sh | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/testprogs/blackbox/test_pdbtest.sh b/testprogs/blackbox/test_pdbtest.sh
-index 2ffded9af4e..02615094451 100755
---- a/testprogs/blackbox/test_pdbtest.sh
-+++ b/testprogs/blackbox/test_pdbtest.sh
-@@ -44,12 +44,12 @@ send ${NEWUSERPASS}\n
- send ${NEWUSERPASS}\n
- EOF
- 
--testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1`
-+testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -s $SMB_CONF -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1`
- USERPASS=$NEWUSERPASS
- 
- test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@ || failed=`expr $failed + 1`
- 
--testit "modify user"  $VALGRIND $pdbedit --modify $USER --drive="D:" $@ || failed=`expr $failed + 1`
-+testit "modify user"  $VALGRIND $pdbedit -s $SMB_CONF --modify $USER --drive="D:" $@ || failed=`expr $failed + 1`
- 
- test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1`
- 
-@@ -87,11 +87,11 @@ test_smbclient "Test login with no expiry (ntlm)" 'ls' "$unc" -k no -U$USER%$NEW
- NEWUSERPASS=testPaSS@03%
- NEWUSERHASH=062519096c45739c1938800f80906731
- 
--testit "Set user password with password hash" $VALGRIND $pdbedit -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1`
-+testit "Set user password with password hash" $VALGRIND $pdbedit -s $SMB_CONF -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1`
- 
- test_smbclient "Test login with new password (from hash)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS || failed=`expr $failed + 1`
- 
--testit "del user"  $VALGRIND $pdbedit -x $USER $@ || failed=`expr $failed + 1`
-+testit "del user"  $VALGRIND $pdbedit -s $SMB_CONF -x $USER $@ || failed=`expr $failed + 1`
- 
- rm ./tmpsmbpasswdscript
- 
--- 
-2.13.6
-
-
-From 31a50b15bfbe2c97ca19313e2536332979bfcef2 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 10 Jul 2018 15:26:40 +0200
-Subject: [PATCH 07/22] s3:popt_common: use cmdline_messaging_context() in
- popt_common_credentials_callback()
-
-This adds a call to cmdline_messaging_context() to the popt
-popt_common_credentials_callback() hook and ensures that any client tool
-that uses POPT_COMMON_CREDENTIALS gets an implicit messaging context,
-ensuring it doesn't crash in the subsequent lp_load_client() with
-include=registry in a cluster.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit 2c63ce94ef3a55ab0aa1aae4f6fee88e29ac2efe)
----
- source3/lib/popt_common_cmdline.c | 8 ++++++++
- source3/wscript_build             | 2 +-
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c
-index 57f77e0868a..d1ba90dd43e 100644
---- a/source3/lib/popt_common_cmdline.c
-+++ b/source3/lib/popt_common_cmdline.c
-@@ -35,6 +35,7 @@
- #include "popt_common_cmdline.h"
- #include "includes.h"
- #include "auth_info.h"
-+#include "cmdline_contexts.h"
- 
- static struct user_auth_info *cmdline_auth_info;
- 
-@@ -101,8 +102,15 @@ static void popt_common_credentials_callback(poptContext con,
- 	}
- 
- 	if (reason == POPT_CALLBACK_REASON_POST) {
-+		struct messaging_context *msg_ctx = NULL;
- 		bool ok;
- 
-+		msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
-+		if (msg_ctx == NULL) {
-+			fprintf(stderr, "Unable to initialize "
-+				"messaging context\n");
-+		}
-+
- 		ok = lp_load_client(get_dyn_CONFIGFILE());
- 		if (!ok) {
- 			const char *pname = poptGetInvocationName(con);
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 6fb09f7fbeb..250b7f1ff52 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -273,7 +273,7 @@ bld.SAMBA3_LIBRARY('popt_samba3',
- 
- bld.SAMBA3_LIBRARY('popt_samba3_cmdline',
-                    source='lib/popt_common_cmdline.c',
--                   deps='popt_samba3 util_cmdline',
-+                   deps='popt_samba3 util_cmdline cmdline_contexts',
-                    private_library=True)
- 
- bld.SAMBA3_LIBRARY('util_cmdline',
--- 
-2.13.6
-
-
-From db6cce7786809a96f81c575a3cbbbf87bdec3047 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Tue, 21 Aug 2018 14:58:01 -0700
-Subject: [PATCH 08/22] test:doc: Skip 'clustering=yes'
-
-As testparm will error out when running clustering=yes as non-root, skip
-this step to avoid a test failure.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(backported from commit 3ecb9ed7b079fc1bf74c311cf5f1684086b36883)
----
- python/samba/tests/docs.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
-index 0f029ae02d2..620383caebd 100644
---- a/python/samba/tests/docs.py
-+++ b/python/samba/tests/docs.py
-@@ -163,7 +163,8 @@ import xml.etree.ElementTree as ET
-                           'registry shares',
-                           'smb ports',
-                           'rpc server dynamic port range',
--                          'name resolve order'])
-+                          'name resolve order',
-+                          'clustering'])
-         self._test_empty(['bin/testparm'])
- 
-     def test_default_s4(self):
--- 
-2.13.6
-
-
-From 7608714a4a0796c8ef747c0cbce160fc3d0fa325 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 15:38:33 -0700
-Subject: [PATCH 09/22] s3:smbpasswd: Use cmdline_messaging_context
-
-smbpasswd does not use POPT_CREDENTIALS. Call cmdline_messaging_context
-to initialize a messaging_context with proper error checking before
-calling lp_load_global.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 29fd2c2e5ad3c2d44f3629c6b7b4139772fe350c)
----
- source3/utils/smbpasswd.c   | 17 +++--------------
- source3/utils/wscript_build |  4 +++-
- 2 files changed, 6 insertions(+), 15 deletions(-)
-
-diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
-index 04f34aa9b69..8e2b9d7f80f 100644
---- a/source3/utils/smbpasswd.c
-+++ b/source3/utils/smbpasswd.c
-@@ -23,6 +23,7 @@
- #include "../lib/util/util_pw.h"
- #include "libsmb/proto.h"
- #include "passdb.h"
-+#include "cmdline_contexts.h"
- 
- /*
-  * Next two lines needed for SunOS and don't
-@@ -196,6 +197,8 @@ static int process_options(int argc, char **argv, int local_flags)
- 		usage();
- 	}
- 
-+	cmdline_messaging_context(configfile);
-+
- 	if (!lp_load_global(configfile)) {
- 		fprintf(stderr, "Can't load %s - run testparm to debug it\n", 
- 			configfile);
-@@ -614,7 +617,6 @@ static int process_nonroot(int local_flags)
- int main(int argc, char **argv)
- {	
- 	TALLOC_CTX *frame = talloc_stackframe();
--	struct messaging_context *msg_ctx = NULL;
- 	int local_flags = 0;
- 	int ret;
- 
-@@ -632,19 +634,6 @@ int main(int argc, char **argv)
- 
- 	setup_logging("smbpasswd", DEBUG_STDERR);
- 
--	msg_ctx = server_messaging_context();
--	if (msg_ctx == NULL) {
--		if (geteuid() != 0) {
--			DBG_NOTICE("Unable to initialize messaging context. "
--				   "Must be root to do that.\n");
--		} else {
--			fprintf(stderr,
--				"smbpasswd is not able to initialize the "
--				"messaging context!\n");
--			return 1;
--		}
--	}
--
- 	/*
- 	 * Set the machine NETBIOS name if not already
- 	 * set from the config file. 
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 67bb87e7a74..06a986cada4 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -37,7 +37,9 @@ bld.SAMBA3_BINARY('smbpasswd',
-                  smbconf
-                  pdb
-                  PASSWD_UTIL
--                 PASSCHANGE''')
-+                 PASSCHANGE
-+                 cmdline_contexts
-+                 ''')
- 
- bld.SAMBA3_BINARY('pdbedit',
-                  source='pdbedit.c',
--- 
-2.13.6
-
-
-From 305cf6a251e395c895f04b2590125dec430a08e6 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 15:46:27 -0700
-Subject: [PATCH 10/22] s3:smbstatus: Use cmdline_messaging_context
-
-Use cmdline_messaging_context to initialize a messaging context instead
-of open coding the same steps.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit d7fa3815a83a50fd9e3d78cac0d5ef3eb79235e5)
----
- source3/utils/status.c | 25 +++----------------------
- source3/wscript_build  |  1 +
- 2 files changed, 4 insertions(+), 22 deletions(-)
-
-diff --git a/source3/utils/status.c b/source3/utils/status.c
-index d04efedee3f..1d68219a5ac 100644
---- a/source3/utils/status.c
-+++ b/source3/utils/status.c
-@@ -48,6 +48,7 @@
- #include "serverid.h"
- #include "status_profile.h"
- #include "smbd/notifyd/notifyd.h"
-+#include "cmdline_contexts.h"
- 
- #define SMB_MAXPIDS		2048
- static uid_t 		Ucrit_uid = 0;               /* added by OH */
-@@ -528,7 +529,6 @@ int main(int argc, const char *argv[])
- 	};
- 	TALLOC_CTX *frame = talloc_stackframe();
- 	int ret = 0;
--	struct tevent_context *ev;
- 	struct messaging_context *msg_ctx = NULL;
- 	char *db_path;
- 	bool ok;
-@@ -607,28 +607,9 @@ int main(int argc, const char *argv[])
- 		d_printf("using configfile = %s\n", get_dyn_CONFIGFILE());
- 	}
- 
--	if (!lp_load_initial_only(get_dyn_CONFIGFILE())) {
--		fprintf(stderr, "Can't load %s - run testparm to debug it\n",
--			get_dyn_CONFIGFILE());
--		ret = -1;
--		goto done;
--	}
--
--
--	/*
--	 * This implicitly initializes the global ctdbd connection,
--	 * usable by the db_open() calls further down.
--	 */
--	ev = samba_tevent_context_init(NULL);
--	if (ev == NULL) {
--		fprintf(stderr, "samba_tevent_context_init failed\n");
--		ret = -1;
--		goto done;
--	}
--
--	msg_ctx = messaging_init(NULL, ev);
-+	msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
- 	if (msg_ctx == NULL) {
--		fprintf(stderr, "messaging_init failed\n");
-+		fprintf(stderr, "Could not initialize messaging, not root?\n");
- 		ret = -1;
- 		goto done;
- 	}
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 250b7f1ff52..36cfd5dada7 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -1157,6 +1157,7 @@ bld.SAMBA3_BINARY('smbstatus',
-                       talloc
-                       smbconf
-                       popt_samba3
-+                      cmdline_contexts
-                       smbd_base
-                       LOCKING
-                       PROFILE
--- 
-2.13.6
-
-
-From 27e80482d1d37aaacbca7ca6eff6000c78349da7 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 15:54:11 -0700
-Subject: [PATCH 11/22] rpcclient: Use cmdline_messaging_context
-
-Use cmdline_messaging_context with its error checking instead of open
-coding the same steps.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit dd3ae2ffdc66be4707471bfccf27ef446b5599cb)
----
- source3/rpcclient/rpcclient.c | 28 ++--------------------------
- 1 file changed, 2 insertions(+), 26 deletions(-)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index f7e196226cf..9f95f1a7a8c 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -35,6 +35,7 @@
- #include "auth/gensec/gensec.h"
- #include "../libcli/smb/smbXcli_base.h"
- #include "messages.h"
-+#include "cmdline_contexts.h"
- 
- enum pipe_auth_type_spnego {
- 	PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
-@@ -950,7 +951,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info,
- 	const char *binding_string = NULL;
- 	const char *host;
- 	int signing_state = SMB_SIGNING_IPC_DEFAULT;
--	struct tevent_context *ev_ctx = NULL;
- 
- 	/* make sure the vars that get altered (4th field) are in
- 	   a fixed location or certain compilers complain */
-@@ -1016,30 +1016,7 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info,
- 	poptFreeContext(pc);
- 	popt_burn_cmdline_password(argc, argv);
- 
--	ev_ctx = samba_tevent_context_init(frame);
--	if (ev_ctx == NULL) {
--		fprintf(stderr, "Could not init event context\n");
--		result = 1;
--		goto done;
--	}
--
--	nt_status = messaging_init_client(ev_ctx,
--					  ev_ctx,
--					  &rpcclient_msg_ctx);
--	if (geteuid() != 0 &&
--			NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
--		/*
--		 * Normal to fail to initialize messaging context
--		 * if we're not root as we don't have ability to
--		 * read lock directory.
--		 */
--		DBG_NOTICE("Unable to initialize messaging context. "
--			"Must be root to do that.\n");
--	} else if (!NT_STATUS_IS_OK(nt_status)) {
--		fprintf(stderr, "Could not init messaging context\n");
--		result = 1;
--		goto done;
--	}
-+	rpcclient_msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
- 
- 	if (!init_names()) {
- 		result = 1;
-@@ -1258,7 +1235,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info,
- 	popt_free_cmdline_auth_info();
- 	netlogon_creds_cli_close_global_db();
- 	TALLOC_FREE(rpcclient_msg_ctx);
--	TALLOC_FREE(ev_ctx);
- 	TALLOC_FREE(frame);
- 	return result;
- }
--- 
-2.13.6
-
-
-From eaa0cb2c039c9c8ef838f259efcaffc59033bbbf Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:01:00 -0700
-Subject: [PATCH 12/22] s3:net: Use cmdline_messaging_context
-
-Use cmdline_messaging_context with its error checking instead of open
-coding the same steps.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit f2b659e4f518ccb06f221dd028f99883ca1a1847)
----
- source3/utils/net.c | 29 ++---------------------------
- 1 file changed, 2 insertions(+), 27 deletions(-)
-
-diff --git a/source3/utils/net.c b/source3/utils/net.c
-index 76b8677bf78..759d8cd442b 100644
---- a/source3/utils/net.c
-+++ b/source3/utils/net.c
-@@ -48,6 +48,7 @@
- #include "../libcli/security/security.h"
- #include "passdb.h"
- #include "messages.h"
-+#include "cmdline_contexts.h"
- 
- #ifdef WITH_FAKE_KASERVER
- #include "utils/net_afs.h"
-@@ -915,9 +916,7 @@ static struct functable net_func[] = {
- 	const char **argv_const = discard_const_p(const char *, argv);
- 	poptContext pc;
- 	TALLOC_CTX *frame = talloc_stackframe();
--	struct tevent_context *ev;
- 	struct net_context *c = talloc_zero(frame, struct net_context);
--	NTSTATUS status;
- 
- 	struct poptOption long_options[] = {
- 		{"help",	'h', POPT_ARG_NONE,   0, 'h'},
-@@ -1031,31 +1030,7 @@ static struct functable net_func[] = {
- 		}
- 	}
- 
--	if (!lp_load_initial_only(get_dyn_CONFIGFILE())) {
--		d_fprintf(stderr, "Can't load %s - run testparm to debug it\n",
--			  get_dyn_CONFIGFILE());
--		exit(1);
--	}
--
--	ev = samba_tevent_context_init(c);
--	if (ev == NULL) {
--		d_fprintf(stderr, "samba_tevent_context_init failed\n");
--		exit(1);
--	}
--	status = messaging_init_client(c, ev, &c->msg_ctx);
--	if (geteuid() != 0 &&
--			NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
--		/*
--		 * Normal to fail to initialize messaging context
--		 * if we're not root as we don't have ability to
--		 * read lock directory.
--		 */
--		DBG_NOTICE("Unable to initialize messaging context. "
--			"Must be root to do that.\n");
--	} else if (!NT_STATUS_IS_OK(status)) {
--		d_fprintf(stderr, "Failed to init messaging context\n");
--		exit(1);
--	}
-+	c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
- 
- 	if (!lp_load_global(get_dyn_CONFIGFILE())) {
- 		d_fprintf(stderr, "Can't load %s - run testparm to debug it\n",
--- 
-2.13.6
-
-
-From 8cb95d9ad621db6adf627b439745691c8ff09d66 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 10 Jul 2018 16:29:46 +0200
-Subject: [PATCH 13/22] s3:messaging: remove unused messaging_init_client()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Christof Schmitt <cs@samba.org>
-(cherry picked from commit f56496b11469f0e9af9ba81cefb796ca1febabb1)
----
- source3/include/messages.h | 3 ---
- source3/lib/messages.c     | 9 ---------
- 2 files changed, 12 deletions(-)
-
-diff --git a/source3/include/messages.h b/source3/include/messages.h
-index 29c394af317..f7b40664b0b 100644
---- a/source3/include/messages.h
-+++ b/source3/include/messages.h
-@@ -46,9 +46,6 @@ struct messaging_rec;
- 
- struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx, 
- 					 struct tevent_context *ev);
--NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx,
--			       struct tevent_context *ev,
--			       struct messaging_context **pmsg_ctx);
- 
- struct server_id messaging_server_id(const struct messaging_context *msg_ctx);
- struct tevent_context *messaging_tevent_context(
-diff --git a/source3/lib/messages.c b/source3/lib/messages.c
-index dab53f1c48e..90fffa2c872 100644
---- a/source3/lib/messages.c
-+++ b/source3/lib/messages.c
-@@ -635,15 +635,6 @@ struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx,
- 	return ctx;
- }
- 
--NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx,
--			       struct tevent_context *ev,
--			       struct messaging_context **pmsg_ctx)
--{
--	return messaging_init_internal(mem_ctx,
--					ev,
--					pmsg_ctx);
--}
--
- struct server_id messaging_server_id(const struct messaging_context *msg_ctx)
- {
- 	return msg_ctx->id;
--- 
-2.13.6
-
-
-From 37ad220effcfea97929483e84477fae2e48d0be8 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:08:21 -0700
-Subject: [PATCH 14/22] s3:pdbedit: Use cmdline_messaging_context
-
-Initialize the messaging context through cmdline_messaging_context to
-allow access to config in clustered Samba.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 4661537c201acebee991d219d151cb481f56265c)
----
- source3/utils/pdbedit.c     | 3 +++
- source3/utils/wscript_build | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
-index 5c947e2fbde..a2394880c65 100644
---- a/source3/utils/pdbedit.c
-+++ b/source3/utils/pdbedit.c
-@@ -25,6 +25,7 @@
- #include "../librpc/gen_ndr/samr.h"
- #include "../libcli/security/security.h"
- #include "passdb.h"
-+#include "cmdline_contexts.h"
- 
- #define BIT_BACKEND	0x00000004
- #define BIT_VERBOSE	0x00000008
-@@ -1121,6 +1122,8 @@ int main(int argc, const char **argv)
- 	if (user_name == NULL)
- 		user_name = poptGetArg(pc);
- 
-+	cmdline_messaging_context(get_dyn_CONFIGFILE());
-+
- 	if (!lp_load_global(get_dyn_CONFIGFILE())) {
- 		fprintf(stderr, "Can't load %s - run testparm to debug it\n", get_dyn_CONFIGFILE());
- 		exit(1);
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 06a986cada4..570c4506bee 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -47,6 +47,7 @@ bld.SAMBA3_BINARY('pdbedit',
-                  talloc
-                  smbconf
-                  popt_samba3
-+                 cmdline_contexts
-                  pdb
-                  PASSWD_UTIL''')
- 
--- 
-2.13.6
-
-
-From 375f013eaeb9d4c2592f68cd10374f61e2d12533 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:11:11 -0700
-Subject: [PATCH 15/22] s3:testparm: Use cmdline_messaging_context
-
-Call cmdline_messaging_context to initialize a messaging config before
-accessing clustered Samba config.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit ea7a4ff7ae5ef2b22fb7ef5640d6b946c064cfc3)
----
- source3/utils/testparm.c    | 3 +++
- source3/utils/wscript_build | 4 +++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
-index 8113eea0020..88dfc42d492 100644
---- a/source3/utils/testparm.c
-+++ b/source3/utils/testparm.c
-@@ -35,6 +35,7 @@
- #include "system/filesys.h"
- #include "popt_common.h"
- #include "lib/param/loadparm.h"
-+#include "cmdline_contexts.h"
- 
- #include <regex.h>
- 
-@@ -698,6 +699,8 @@ static void do_per_share_checks(int s)
- 		goto done;
- 	}
- 
-+	cmdline_messaging_context(config_file);
-+
- 	fprintf(stderr,"Load smb config files from %s\n",config_file);
- 
- 	if (!lp_load_with_registry_shares(config_file)) {
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 570c4506bee..ffa0762d828 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -163,7 +163,9 @@ bld.SAMBA3_BINARY('testparm',
-                  deps='''
-                  talloc
-                  smbconf
--                 popt_samba3''')
-+                 popt_samba3
-+                 cmdline_contexts
-+                 ''')
- 
- bld.SAMBA3_BINARY('net',
-                  source='''net.c
--- 
-2.13.6
-
-
-From 96d91b1d4c60552b1ed7058a4d9ed2b06a929c57 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:15:02 -0700
-Subject: [PATCH 16/22] s3:sharesec: Use cmdline_messaging_context
-
-Call cmdline_messasging_context to initialize messaging context before
-accessing clustered Samba config.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit cab8f27bbc927e48c52bac6350325e8ec38092b2)
----
- source3/utils/sharesec.c    | 2 ++
- source3/utils/wscript_build | 4 +++-
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
-index d9f81587f0e..375ae582ae5 100644
---- a/source3/utils/sharesec.c
-+++ b/source3/utils/sharesec.c
-@@ -28,6 +28,7 @@ struct cli_state;
- #include "../libcli/security/security.h"
- #include "passdb/machine_sid.h"
- #include "util_sd.h"
-+#include "cmdline_contexts.h"
- 
- static TALLOC_CTX *ctx;
- 
-@@ -420,6 +421,7 @@ int main(int argc, const char *argv[])
- 
- 	setlinebuf(stdout);
- 
-+	cmdline_messaging_context(get_dyn_CONFIGFILE());
- 	lp_load_with_registry_shares(get_dyn_CONFIGFILE());
- 
- 	/* check for initializing secrets.tdb first */
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index ffa0762d828..7e586dc268d 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -98,7 +98,9 @@ bld.SAMBA3_BINARY('sharesec',
-                  talloc
-                  msrpc3
-                  libcli_lsa3
--                 popt_samba3''')
-+                 popt_samba3
-+                 cmdline_contexts
-+                 ''')
- 
- bld.SAMBA3_BINARY('log2pcap',
-                  source='log2pcaphex.c',
--- 
-2.13.6
-
-
-From 389d7e32dc9f02b037ab9c2d0db1095f88f64145 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:18:20 -0700
-Subject: [PATCH 17/22] s3: ntlm_auth: Use cmdline_messaging_context
-
-Call cmdline_messaging_context to initialize the messaging context
-before accessing clustered Samba config.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 9ed617474f588ceb42c8929ee8a51071a408c219)
----
- source3/utils/ntlm_auth.c   | 3 +++
- source3/utils/wscript_build | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
-index 7d27712980b..b8014ec1034 100644
---- a/source3/utils/ntlm_auth.c
-+++ b/source3/utils/ntlm_auth.c
-@@ -47,6 +47,7 @@
- #include "nsswitch/libwbclient/wbclient.h"
- #include "lib/param/loadparm.h"
- #include "lib/util/base64.h"
-+#include "cmdline_contexts.h"
- 
- #if HAVE_KRB5
- #include "auth/kerberos/pac_utils.h"
-@@ -2380,6 +2381,8 @@ enum {
- 
- 	poptFreeContext(pc);
- 
-+	cmdline_messaging_context(get_dyn_CONFIGFILE());
-+
- 	if (!lp_load_global(get_dyn_CONFIGFILE())) {
- 		d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n",
- 			get_dyn_CONFIGFILE(), strerror(errno));
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 7e586dc268d..92404a61c2d 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -128,6 +128,7 @@ bld.SAMBA3_BINARY('ntlm_auth',
-                  tiniparser
-                  libsmb
-                  popt_samba3
-+                 cmdline_contexts
-                  gse gensec''')
- 
- bld.SAMBA3_BINARY('dbwrap_tool',
--- 
-2.13.6
-
-
-From 6a08003f378ddc270597465509cf4b34837d8dc8 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Mon, 20 Aug 2018 16:21:51 -0700
-Subject: [PATCH 18/22] s3:eventlogadm: Use cmdline_messaging_context
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 095123df945270bc51635a19125a7abdfcd4ab80)
----
- source3/utils/eventlogadm.c | 4 ++++
- source3/utils/wscript_build | 1 +
- 2 files changed, 5 insertions(+)
-
-diff --git a/source3/utils/eventlogadm.c b/source3/utils/eventlogadm.c
-index 5ef091a9ae3..db874dfae8a 100644
---- a/source3/utils/eventlogadm.c
-+++ b/source3/utils/eventlogadm.c
-@@ -30,6 +30,7 @@
- #include "registry/reg_util_token.h"
- #include "registry/reg_backend_db.h"
- #include "../libcli/registry/util_reg.h"
-+#include "cmdline_contexts.h"
- 
- extern int optind;
- extern char *optarg;
-@@ -472,6 +473,9 @@ int main( int argc, char *argv[] )
- 		exit( 1 );
- 	}
- 
-+	cmdline_messaging_context(configfile == NULL ?
-+				  get_dyn_CONFIGFILE() : configfile);
-+
- 	if ( configfile == NULL ) {
- 		lp_load_global(get_dyn_CONFIGFILE());
- 	} else if (!lp_load_global(configfile)) {
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 92404a61c2d..eabebcf3d52 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -89,6 +89,7 @@ bld.SAMBA3_BINARY('eventlogadm',
-                  deps='''
-                  talloc
-                  smbconf
-+                 cmdline_contexts
-                  LIBEVENTLOG''',
-                  install_path='${SBINDIR}')
- 
--- 
-2.13.6
-
-
-From 6f32f75ad43b4e49de5af794beb134252267b768 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Tue, 21 Aug 2018 12:34:34 -0700
-Subject: [PATCH 19/22] s3:dbwrap_tool: Use cmdline_messaging_context
-
-Initialize the messaging context through cmdline_messaging_context to
-allow access to config in clustered Samba.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 7eeff96b826711b5a8d44ab24603dafcc0343d84)
----
- source3/utils/dbwrap_tool.c | 3 +++
- source3/utils/wscript_build | 4 +++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
-index 94aacd8ba26..b182e9cbfab 100644
---- a/source3/utils/dbwrap_tool.c
-+++ b/source3/utils/dbwrap_tool.c
-@@ -28,6 +28,7 @@
- #include "dbwrap/dbwrap_watch.h"
- #include "messages.h"
- #include "util_tdb.h"
-+#include "cmdline_contexts.h"
- 
- enum dbwrap_op { OP_FETCH, OP_STORE, OP_DELETE, OP_ERASE, OP_LISTKEYS,
- 		 OP_EXISTS };
-@@ -428,6 +429,8 @@ int main(int argc, const char **argv)
- 		while (extra_argv[extra_argc]) extra_argc++;
- 	}
- 
-+	cmdline_messaging_context(get_dyn_CONFIGFILE());
-+
- 	lp_load_global(get_dyn_CONFIGFILE());
- 
- 	if ((extra_argc < 2) || (extra_argc > 5)) {
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index eabebcf3d52..11bd2015c3a 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -136,7 +136,9 @@ bld.SAMBA3_BINARY('dbwrap_tool',
-                  source='dbwrap_tool.c',
-                  deps='''
-                  talloc
--                 popt_samba3''')
-+                 popt_samba3
-+                 cmdline_contexts
-+                 ''')
- 
- bld.SAMBA3_BINARY('dbwrap_torture',
-                  source='dbwrap_torture.c',
--- 
-2.13.6
-
-
-From f23f129047edd4b6fd6163a7795e48be3e59b49c Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Tue, 21 Aug 2018 12:35:11 -0700
-Subject: [PATCH 20/22] s3:smbcontrol: Use cmdline_messaging_context
-
-Initialize the messaging context through cmdline_messaging_context to
-allow access to config in clustered Samba.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit de040eafbd7d729316d757c14c44df163a4b36ad)
----
- source3/utils/smbcontrol.c  | 19 +++++++++++--------
- source3/utils/wscript_build |  1 +
- 2 files changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/source3/utils/smbcontrol.c b/source3/utils/smbcontrol.c
-index bd89b9ebf0a..ecf27801f8a 100644
---- a/source3/utils/smbcontrol.c
-+++ b/source3/utils/smbcontrol.c
-@@ -35,6 +35,7 @@
- #include "util_tdb.h"
- #include "../lib/util/pidfile.h"
- #include "serverid.h"
-+#include "cmdline_contexts.h"
- 
- #if HAVE_LIBUNWIND_H
- #include <libunwind.h>
-@@ -1609,21 +1610,23 @@ int main(int argc, const char **argv)
- 	if (argc <= 1)
- 		usage(pc);
- 
-+	msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
-+	if (msg_ctx == NULL) {
-+		fprintf(stderr,
-+			"Could not init messaging context, not root?\n");
-+		TALLOC_FREE(frame);
-+		exit(1);
-+	}
-+
-+	evt_ctx = server_event_context();
-+
- 	lp_load_global(get_dyn_CONFIGFILE());
- 
- 	/* Need to invert sense of return code -- samba
-          * routines mostly return True==1 for success, but
-          * shell needs 0. */ 
- 
--	if (!(evt_ctx = samba_tevent_context_init(NULL)) ||
--	    !(msg_ctx = messaging_init(NULL, evt_ctx))) {
--		fprintf(stderr, "could not init messaging context\n");
--		TALLOC_FREE(frame);
--		exit(1);
--	}
--
- 	ret = !do_command(evt_ctx, msg_ctx, argc, argv);
--	TALLOC_FREE(msg_ctx);
- 	TALLOC_FREE(frame);
- 	return ret;
- }
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
-index 11bd2015c3a..6793c6d5c8a 100644
---- a/source3/utils/wscript_build
-+++ b/source3/utils/wscript_build
-@@ -18,6 +18,7 @@ bld.SAMBA3_BINARY('smbcontrol',
-                  talloc
-                  smbconf
-                  popt_samba3
-+                 cmdline_contexts
-                  PRINTBASE''')
- 
- bld.SAMBA3_BINARY('smbtree',
--- 
-2.13.6
-
-
-From 4f57a7b28cc1b705f34444f795724e3d3a06d99c Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <cs@samba.org>
-Date: Tue, 21 Aug 2018 16:11:02 -0700
-Subject: [PATCH 21/22] s3:smbget: Use cmdline_messaging_context
-
-Initialize the messaging context through cmdline_messaging_context to
-allow access to config in clustered Samba.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Christof Schmitt <cs@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 20ed13923ed3c55e1b293e5440028d29384e9d3a)
----
- source3/utils/smbget.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
-index 37462fa131f..4653c6894e0 100644
---- a/source3/utils/smbget.c
-+++ b/source3/utils/smbget.c
-@@ -20,6 +20,7 @@
- #include "system/filesys.h"
- #include "popt_common_cmdline.h"
- #include "libsmbclient.h"
-+#include "cmdline_contexts.h"
- 
- static int columns = 0;
- 
-@@ -879,6 +880,8 @@ int main(int argc, char **argv)
- 
- 	popt_burn_cmdline_password(argc, argv);
- 
-+	cmdline_messaging_context(get_dyn_CONFIGFILE());
-+
- 	if (smbc_init(get_auth_data, opt.debuglevel) < 0) {
- 		fprintf(stderr, "Unable to initialize libsmbclient\n");
- 		return 1;
--- 
-2.13.6
-
-
-From 8fb42e4a751af55e6e56cd4e64029228f1cc36c3 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Fri, 7 Sep 2018 07:27:46 +0200
-Subject: [PATCH 22/22] examples: Fix the smb2mount build
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 94852e3544bf2cace3ddba8b9c89d986d77fdab5)
----
- examples/fuse/smb2mount.c   | 2 +-
- examples/fuse/wscript_build | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/examples/fuse/smb2mount.c b/examples/fuse/smb2mount.c
-index 816b0b597ad..ec4be809f6d 100644
---- a/examples/fuse/smb2mount.c
-+++ b/examples/fuse/smb2mount.c
-@@ -20,7 +20,7 @@
- 
- #include "source3/include/includes.h"
- #include "popt.h"
--#include "popt_common.h"
-+#include "popt_common_cmdline.h"
- #include "client.h"
- #include "libsmb/proto.h"
- #include "clifuse.h"
-diff --git a/examples/fuse/wscript_build b/examples/fuse/wscript_build
-index 9ec5fc0a0f2..31341e4357d 100644
---- a/examples/fuse/wscript_build
-+++ b/examples/fuse/wscript_build
-@@ -3,5 +3,5 @@
- if bld.env.HAVE_FUSE:
-     bld.SAMBA_BINARY('smb2mount',
-                      source='smb2mount.c clifuse.c',
--                     deps='smbconf popt_samba3 libsmb fuse',
-+                     deps='smbconf popt_samba3_cmdline libsmb fuse',
-                      install=False)
--- 
-2.13.6
-
diff --git a/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch b/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch
deleted file mode 100644
index 3d678a2..0000000
--- a/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 38e6908f259b2bdbdba38a856b9d67585453af9a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 29 Oct 2018 19:45:58 +0100
-Subject: [PATCH] s3:winbind: Check return code of initialize_password_db()
-
-See https://retrace.fedoraproject.org/faf/reports/1577174/
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-(cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac)
----
- source3/winbindd/winbindd.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
-index 254d93b344d..a8ffc31778c 100644
---- a/source3/winbindd/winbindd.c
-+++ b/source3/winbindd/winbindd.c
-@@ -1845,7 +1845,13 @@ int main(int argc, const char **argv)
- 	if (!NT_STATUS_IS_OK(status)) {
- 		exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status));
- 	}
--	initialize_password_db(true, server_event_context());
-+
-+	ok = initialize_password_db(true, server_event_context());
-+	if (!ok) {
-+		exit_daemon("Failed to initialize passdb backend! "
-+			    "Check the 'passdb backend' variable in your "
-+			    "smb.conf file.", EINVAL);
-+	}
- 
- 	/*
- 	 * Do not initialize the parent-child-pipe before becoming
--- 
-2.19.1
-
diff --git a/SOURCES/samba-4.9-harden_homes_share.patch b/SOURCES/samba-4.9-harden_homes_share.patch
deleted file mode 100644
index 60ca5c6..0000000
--- a/SOURCES/samba-4.9-harden_homes_share.patch
+++ /dev/null
@@ -1,402 +0,0 @@
-From b67bc28be3e0ab40e14f698951c9ba057ea8321d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 15 Nov 2018 16:06:49 +0100
-Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0)
----
- selftest/target/Samba3.pm | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 438cb3409bb..373f8152ca3 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1610,8 +1610,10 @@ sub provision($$$$$$$$$)
-	my ($gid_force_user);
-	my ($uid_user1);
-	my ($uid_user2);
-+	my ($uid_gooduser);
-+	my ($uid_eviluser);
-
--	if ($unix_uid < 0xffff - 10) {
-+	if ($unix_uid < 0xffff - 12) {
-		$max_uid = 0xffff;
-	} else {
-		$max_uid = $unix_uid;
-@@ -1627,6 +1629,8 @@ sub provision($$$$$$$$$)
-	$uid_smbget = $max_uid - 8;
-	$uid_user1 = $max_uid - 9;
-	$uid_user2 = $max_uid - 10;
-+	$uid_gooduser = $max_uid - 11;
-+	$uid_eviluser = $max_uid - 12;
-
-	if ($unix_gids[0] < 0xffff - 8) {
-		$max_gid = 0xffff;
-@@ -2248,6 +2252,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f
- smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false
- user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
- user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
-+gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
-+eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
- ";
-	if ($unix_uid != 0) {
-		print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
-@@ -2324,6 +2330,8 @@ force_user:x:$gid_force_user:
-	createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user");
-	createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1");
-	createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
-+	createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
-+	createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
-
-	open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
-	print DNS_UPDATE_LIST "A $server. $server_ip\n";
---
-2.19.2
-
-
-From ca57b6e4f02c725a3f47b8dde01d4b70dce42784 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 16 Nov 2018 15:40:59 +0100
-Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes'
- share
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This adds a test for CVE-2009-2813.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6)
----
- selftest/target/Samba3.pm          |  4 ++
- source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++
- source3/selftest/tests.py          |  1 +
- 3 files changed, 104 insertions(+)
- create mode 100755 source3/script/tests/test_homes.sh
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 373f8152ca3..2031003210c 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -921,6 +921,10 @@ sub setup_fileserver
-	comment = inherit only unix owner
-	inherit owner = unix only
-	acl_xattr:ignore system acls = yes
-+[homes]
-+	comment = Home directories
-+	browseable = No
-+	read only = No
- ";
-
-	my $vars = $self->provision($path, "WORKGROUP",
-diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
-new file mode 100755
-index 00000000000..06de0a0c301
---- /dev/null
-+++ b/source3/script/tests/test_homes.sh
-@@ -0,0 +1,99 @@
-+#!/bin/sh
-+
-+# Copyright (c) Andreas Schneider <asn@samba.org>
-+# License: GPLv3
-+
-+if [ $# -lt 7 ]; then
-+	echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION"
-+	exit 1
-+fi
-+
-+SERVER="${1}"
-+USERNAME="${2}"
-+PASSWORD="${3}"
-+LOCAL_PATH="${4}"
-+PREFIX="${5}"
-+SMBCLIENT="${6}"
-+CONFIGURATION="${7}"
-+shift 7
-+
-+incdir=`dirname $0`/../../../testprogs/blackbox
-+. $incdir/subunit.sh
-+
-+failed=0
-+
-+test_gooduser_home()
-+{
-+    tmpfile=$PREFIX/smbclient_homes_gooduser_commands
-+    cat > $tmpfile <<EOF
-+ls
-+quit
-+EOF
-+
-+    USERNAME=gooduser
-+
-+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
-+    eval echo "$cmd"
-+    out=$(eval $cmd)
-+    ret=$?
-+    rm -f $tmpfile
-+
-+    if [ $ret -ne 0 ] ; then
-+       echo "$out"
-+       echo "failed to connect error $ret"
-+       return 1
-+    fi
-+
-+    echo "$out" | grep 'Try "help" to get a list of possible commands.'
-+    ret=$?
-+    if [ $ret -ne 0 ] ; then
-+       echo "$out"
-+       echo 'failed - should get: Try "help" to get a list of possible commands.'
-+       return 1
-+    fi
-+
-+    return 0
-+}
-+
-+test_eviluser_home()
-+{
-+    tmpfile=$PREFIX/smbclient_homes_eviluser_commands
-+    cat > $tmpfile <<EOF
-+ls
-+quit
-+EOF
-+
-+    USERNAME=eviluser
-+
-+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
-+    eval echo "$cmd"
-+    out=$(eval $cmd)
-+    ret=$?
-+    rm -f $tmpfile
-+
-+    if [ $ret -ne 1 ] ; then
-+       echo "$out"
-+       echo "The server should reject connecting ret=$ret"
-+       return 1
-+    fi
-+
-+    echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
-+    ret=$?
-+    if [ $ret -ne 0 ] ; then
-+       echo "$out"
-+       echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
-+       return 1
-+    fi
-+
-+    return 0
-+}
-+
-+testit "test gooduser home" \
-+    test_gooduser_home || \
-+    failed=`expr $failed + 1`
-+
-+testit "test eviluser home reject" \
-+    test_eviluser_home || \
-+    failed=`expr $failed + 1`
-+
-+testok $0 $failed
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index 09cd5159a0d..4aef7a4d596 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -290,6 +290,7 @@ for env in ["fileserver"]:
-     plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1'])
-     plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3'])
-     plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp'])
-+    plantestsuite("samba3.blackbox.homes", env, [os.path.join(samba3srcdir, "script/tests/test_homes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', '$PREFIX', smbclient3, configuration])
-
-     #
-     # tar command tests
---
-2.19.2
-
-
-From 274e960fde8e680a487fd7f3af57c824f9a5151b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 22 Nov 2018 18:23:24 +0100
-Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home
- dir
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If "/" (root) is returned as the home directory, prevent exporting it.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af)
----
- source3/param/service.c | 6 +++++-
- source3/smbd/password.c | 7 +++++++
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/source3/param/service.c b/source3/param/service.c
-index b21be6093d4..22f46f08894 100644
---- a/source3/param/service.c
-+++ b/source3/param/service.c
-@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out)
-		DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out,
-			phome_dir?phome_dir:"(NULL)"));
-
--		iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir);
-+		if (!strequal(phome_dir, "/")) {
-+			iService = add_home_service(*p_service_out,
-+						    *p_service_out, /* username */
-+						    phome_dir);
-+		}
-	}
-
-	/* If we still don't have a service, attempt to add it as a printer. */
-diff --git a/source3/smbd/password.c b/source3/smbd/password.c
-index f472bda2c70..0576d2563eb 100644
---- a/source3/smbd/password.c
-+++ b/source3/smbd/password.c
-@@ -129,6 +129,13 @@ int register_homes_share(const char *username)
-		return -1;
-	}
-
-+	if (strequal(pwd->pw_dir, "/")) {
-+		DBG_NOTICE("Invalid home directory defined for user '%s'\n",
-+			   username);
-+		TALLOC_FREE(pwd);
-+		return -1;
-+	}
-+
-	DEBUG(3, ("Adding homes service for user '%s' using home directory: "
-		  "'%s'\n", username, pwd->pw_dir));
-
---
-2.19.2
-
-
-From e26c6aa97e57432d2f2fee2eba870ba76c9b8d41 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 3 Dec 2018 11:05:46 +0100
-Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed
- as home dir
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Wed Dec  5 05:22:43 CET 2018 on sn-devel-144
-
-(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87)
----
- selftest/target/Samba3.pm          |  6 ++++-
- source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++
- 2 files changed, 42 insertions(+), 1 deletion(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 2031003210c..583396b3818 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1616,8 +1616,9 @@ sub provision($$$$$$$$$)
-	my ($uid_user2);
-	my ($uid_gooduser);
-	my ($uid_eviluser);
-+	my ($uid_slashuser);
-
--	if ($unix_uid < 0xffff - 12) {
-+	if ($unix_uid < 0xffff - 13) {
-		$max_uid = 0xffff;
-	} else {
-		$max_uid = $unix_uid;
-@@ -1635,6 +1636,7 @@ sub provision($$$$$$$$$)
-	$uid_user2 = $max_uid - 10;
-	$uid_gooduser = $max_uid - 11;
-	$uid_eviluser = $max_uid - 12;
-+	$uid_slashuser = $max_uid - 13;
-
-	if ($unix_gids[0] < 0xffff - 8) {
-		$max_gid = 0xffff;
-@@ -2258,6 +2260,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
- user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
- gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
- eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
-+slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
- ";
-	if ($unix_uid != 0) {
-		print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
-@@ -2336,6 +2339,7 @@ force_user:x:$gid_force_user:
-	createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
-	createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
-	createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
-+	createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
-
-	open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
-	print DNS_UPDATE_LIST "A $server. $server_ip\n";
-diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
-index 06de0a0c301..90e84550dbc 100755
---- a/source3/script/tests/test_homes.sh
-+++ b/source3/script/tests/test_homes.sh
-@@ -88,6 +88,39 @@ EOF
-     return 0
- }
-
-+test_slashuser_home()
-+{
-+    tmpfile=$PREFIX/smbclient_homes_slashuser_commands
-+    cat > $tmpfile <<EOF
-+ls
-+quit
-+EOF
-+
-+    USERNAME=slashuser
-+
-+    cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
-+    eval echo "$cmd"
-+    out=$(eval $cmd)
-+    ret=$?
-+    rm -f $tmpfile
-+
-+    if [ $ret -ne 1 ] ; then
-+       echo "$out"
-+       echo "The server should reject connecting ret=$ret"
-+       return 1
-+    fi
-+
-+    echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
-+    ret=$?
-+    if [ $ret -ne 0 ] ; then
-+       echo "$out"
-+       echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
-+       return 1
-+    fi
-+
-+    return 0
-+}
-+
- testit "test gooduser home" \
-     test_gooduser_home || \
-     failed=`expr $failed + 1`
-@@ -96,4 +129,8 @@ testit "test eviluser home reject" \
-     test_eviluser_home || \
-     failed=`expr $failed + 1`
-
-+testit "test slashuser home reject" \
-+    test_slashuser_home || \
-+    failed=`expr $failed + 1`
-+
- testok $0 $failed
---
-2.19.2
diff --git a/SOURCES/samba-4.9-net_ads_join_createcomputer.patch b/SOURCES/samba-4.9-net_ads_join_createcomputer.patch
deleted file mode 100644
index c196b55..0000000
--- a/SOURCES/samba-4.9-net_ads_join_createcomputer.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001
-From: Evgeny Sinelnikov <sin@altlinux.org>
-Date: Wed, 31 Jul 2019 23:17:20 +0400
-Subject: [PATCH] s3:ldap: Fix join with don't exists machine account
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add check for requested replies of existing machine object during join
-machine to domain. This solves regression fail during join with error:
-"None of the information to be translated has been translated."
-
-https://bugzilla.samba.org/show_bug.cgi?id=14007
-
-Reviewed-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Wed Sep  4 17:02:37 UTC 2019 on sn-devel-184
----
- source3/libads/ldap.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index 4f3d43b02b1..2110390b65f 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
- 	}
- 
- 	ret = ads_find_machine_acct(ads, &res, machine_escaped);
--	ads_msgfree(ads, res);
--	if (ADS_ERR_OK(ret)) {
-+	if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
- 		DBG_DEBUG("Host account for %s already exists.\n",
- 				machine_escaped);
- 		ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
-+		ads_msgfree(ads, res);
- 		goto done;
- 	}
-+	ads_msgfree(ads, res);
- 
- 	new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
- 	samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
--- 
-2.21.0
-
diff --git a/SOURCES/samba-4.9-net_ads_leave_keep_account.patch b/SOURCES/samba-4.9-net_ads_leave_keep_account.patch
deleted file mode 100644
index 4590081..0000000
--- a/SOURCES/samba-4.9-net_ads_leave_keep_account.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 1038892f651cbc1a924cd7e74b393eb356dd5266 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Wed, 27 Jun 2018 11:32:31 -0400
-Subject: [PATCH] s3:libads: Add net ads leave keep-account option
-
-Add the ability to leave the domain with --keep-account argument to avoid
-removal of the host machine account.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498
-
-Signed-off-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit d881f0c8a0ce2fc7cabf1966c5724e72c70d6694)
----
- docs-xml/manpages/net.8.xml  | 9 ++++++++-
- source3/libnet/libnet_join.c | 2 ++
- source3/utils/net.c          | 3 ++-
- source3/utils/net.h          | 1 +
- source3/utils/net_ads.c      | 9 +++++++--
- 5 files changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index 3154ee5ff85..d2bcd24c502 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -377,6 +377,13 @@
- 		</para></listitem>
- 		</varlistentry>
- 
-+		<varlistentry>
-+		<term>--keep-account</term>
-+		<listitem><para>Prevent the machine account removal as
-+		part of "net ads leave".
-+		</para></listitem>
-+		</varlistentry>
-+
- 		&stdarg.encrypt;
- 		&popt.common.samba.client;
- 
-@@ -1276,7 +1283,7 @@ against an NT4 Domain Controller.
- </refsect2>
- 
- <refsect2>
--<title>ADS LEAVE</title>
-+<title>ADS LEAVE [--keep-account]</title>
- 
- <para>Make the remote host leave the domain it is part of. </para>
- 
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index a9405e8d288..27fc5135442 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -2868,6 +2868,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
- 			return ntstatus_to_werror(status);
- 		}
- 
-+		r->out.dns_domain_name = talloc_strdup(mem_ctx,
-+				                      r->in.domain_name);
- 		r->out.disabled_machine_account = true;
- 	}
- 
-diff --git a/source3/utils/net.c b/source3/utils/net.c
-index 759d8cd442b..b3bd4b67118 100644
---- a/source3/utils/net.c
-+++ b/source3/utils/net.c
-@@ -970,8 +970,9 @@ static struct functable net_func[] = {
- 		{"wipe", 0, POPT_ARG_NONE, &c->opt_wipe},
- 		/* Options for 'net registry import' */
- 		{"precheck", 0, POPT_ARG_STRING, &c->opt_precheck},
--		/* Options for 'net ads join' */
-+		/* Options for 'net ads join or leave' */
- 		{"no-dns-updates", 0, POPT_ARG_NONE, &c->opt_no_dns_updates},
-+		{"keep-account", 0, POPT_ARG_NONE, &c->opt_keep_account},
- 		POPT_COMMON_SAMBA
- 		{ 0, 0, 0, 0}
- 	};
-diff --git a/source3/utils/net.h b/source3/utils/net.h
-index d6dfeb6208f..5e70fd3aafa 100644
---- a/source3/utils/net.h
-+++ b/source3/utils/net.h
-@@ -85,6 +85,7 @@ struct net_context {
- 	int opt_wipe;
- 	const char *opt_precheck;
- 	int opt_no_dns_updates;
-+	int opt_keep_account;
- 
- 	int opt_have_ip;
- 	struct sockaddr_storage opt_dest_ip;
-diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
-index ffa67d8f525..afe47dad839 100644
---- a/source3/utils/net_ads.c
-+++ b/source3/utils/net_ads.c
-@@ -964,7 +964,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
- 
- 	if (c->display_usage) {
- 		d_printf(  "%s\n"
--			   "net ads leave\n"
-+			   "net ads leave [--keep-account]\n"
- 			   "    %s\n",
- 			 _("Usage:"),
- 			 _("Leave an AD domain"));
-@@ -1009,7 +1009,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
- 	   WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
- 	r->in.unjoin_flags	= WKSSVC_JOIN_FLAGS_JOIN_TYPE |
- 				  WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
--	r->in.delete_machine_account = true;
-+	if (c->opt_keep_account) {
-+		r->in.delete_machine_account = false;
-+	} else {
-+		r->in.delete_machine_account = true;
-+	}
-+
- 	r->in.msg_ctx		= c->msg_ctx;
- 
- 	werr = libnet_Unjoin(ctx, r);
--- 
-2.17.1
-
diff --git a/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
new file mode 100644
index 0000000..5bf463b
--- /dev/null
+++ b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
@@ -0,0 +1,75 @@
+From 54db478fccac0ac3b0cc63f5eacfeae23bc26d4a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Tue, 7 Jan 2020 19:25:53 +0200
+Subject: [PATCH 1/2] s3-rpcserver: fix security level check for
+ DsRGetForestTrustInformation
+
+Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
+didn't change since DCE RPC channel refactoring.
+
+With the current code we return RPC faul as can be seen in the logs:
+
+2019/12/11 17:12:55.463081,  1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
+       netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
+          in: struct netr_DsRGetForestTrustInformation
+              server_name              : *
+                  server_name              : '\\some-dc.example.com'
+              trusted_domain_name      : NULL
+              flags                    : 0x00000000 (0)
+[2019/12/11 17:12:55.463122,  4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
+  api_rpcTNP: fault(5) return.
+
+This is due to this check in processing a request:
+        if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+                       && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+                p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+                return WERR_ACCESS_DENIED;
+        }
+
+and since we get AuthZ response,
+
+  Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
+  Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
+[2019/12/11 17:12:55.461584,  4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
+  JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
+   "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
+   "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
+   "serviceDescription": "netlogon", "authType": "ncacn_np",
+   "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
+   "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
+   "transportProtection": "SMB", "accountFlags": "0x00000010"}}
+
+this means we are actually getting anonymous DCE/RPC access to netlogon
+on top of authenticated SMB connection. In such case we have exactly
+auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
+DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
+
+Update the code to follow the same security level check as in s4 variant
+of the call.
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index cbbf9feedc7..52b17c10e61 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2451,10 +2451,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
+ {
+ 	NTSTATUS status;
+ 	struct lsa_ForestTrustInformation *info, **info_ptr;
++	enum security_user_level security_level;
+ 
+-	if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+-		       && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+-		p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
++	security_level = security_session_user_level(p->session_info, NULL);
++	if (security_level < SECURITY_USER) {
+ 		return WERR_ACCESS_DENIED;
+ 	}
+ 
+-- 
+2.24.1
+
diff --git a/SOURCES/samba-4.9-static_analysis_fixes.patch b/SOURCES/samba-4.9-static_analysis_fixes.patch
deleted file mode 100644
index 06b10cf..0000000
--- a/SOURCES/samba-4.9-static_analysis_fixes.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From 0bd36d040129f511762b89555d98851a9dcaf3f6 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:09:23 +0100
-Subject: [PATCH 1/5] s3:rpcclient: Initialize domain_name
-
-This could be passed uninitialized to dcerpc_netr_DsRGetDCName()
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 56ac8944eb58f234422b4bd4dd9a64b8e51e874d)
----
- source3/rpcclient/cmd_netlogon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index 8d62ef7e095..631740562c6 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -216,7 +216,7 @@ static WERROR cmd_netlogon_dsr_getdcname(struct rpc_pipe_client *cli,
-	WERROR werr = WERR_OK;
-	uint32_t flags = DS_RETURN_DNS_NAME;
-	const char *server_name = cli->desthost;
--	const char *domain_name;
-+	const char *domain_name = NULL;
-	struct GUID domain_guid = GUID_zero();
-	struct GUID site_guid = GUID_zero();
-	struct netr_DsRGetDCNameInfo *info = NULL;
---
-2.19.2
-
-
-From f14942265b08710d4e9bf6b17219f65b5ea79e01 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:13:51 +0100
-Subject: [PATCH 2/5] librpc:ndr: Initialize inblob
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 9c37ed26f0a814f77c934ae190f48d0a1e673f83)
----
- librpc/ndr/ndr_backupkey.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c
-index 827bc694230..adb6e393287 100644
---- a/librpc/ndr/ndr_backupkey.c
-+++ b/librpc/ndr/ndr_backupkey.c
-@@ -58,7 +58,9 @@ _PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name,
-		ndr->flags |= LIBNDR_PRINT_SET_VALUES;
-	}
-	if (flags & NDR_IN) {
--		union bkrp_data_in_blob inblob;
-+		union bkrp_data_in_blob inblob = {
-+			.empty._empty_ = '\0',
-+		};
-		DATA_BLOB blob;
-		uint32_t level;
-		enum ndr_err_code ndr_err;
---
-2.19.2
-
-
-From 865ad3bb69c487589f24c755b2082fe51e5a261a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:16:06 +0100
-Subject: [PATCH 3/5] libgpo: Make sure status is intialized
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 159f753732cdc1e4491f93617779861fb9d73bc7)
----
- libgpo/gpo_ldap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
-index fec00053b49..f087203f28a 100644
---- a/libgpo/gpo_ldap.c
-+++ b/libgpo/gpo_ldap.c
-@@ -474,7 +474,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
-		       const char *guid_name,
-		       struct GROUP_POLICY_OBJECT *gpo)
- {
--	ADS_STATUS status;
-+	ADS_STATUS status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
-	LDAPMessage *res = NULL;
-	char *dn;
-	const char *filter;
---
-2.19.2
-
-
-From b40b21c5b2f6ed6e4e123cb55d9279f88b3e5c3b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:17:37 +0100
-Subject: [PATCH 4/5] lib:util Always initialize start and space
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 050d1e7d53c068efac109ec4ff7a686d152e6a45)
----
- lib/util/talloc_report.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/lib/util/talloc_report.c b/lib/util/talloc_report.c
-index 63213a014b6..bed0fd91e43 100644
---- a/lib/util/talloc_report.c
-+++ b/lib/util/talloc_report.c
-@@ -33,8 +33,8 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
-					      const char *fmt, va_list ap)
- {
-	ssize_t str_len = *pstr_len;
--	size_t buflen, needed, space;
--	char *start, *tmpbuf;
-+	size_t buflen, needed, space = 0;
-+	char *start = NULL, *tmpbuf = NULL;
-	va_list ap2;
-	int printlen;
-
-@@ -52,9 +52,6 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
-	if (buflen > str_len) {
-		start = buf + str_len;
-		space = buflen - str_len;
--	} else {
--		start = NULL;
--		space = 0;
-	}
-
-	va_copy(ap2, ap);
---
-2.19.2
-
-
-From 01c2b8c1920744b9b46e3b2010f0487f23aa865b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 12 Nov 2018 10:21:15 +0100
-Subject: [PATCH 5/5] ctdb: Fix an out of bound array access
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 008b9652cacdfd99e68db9d88f4e0c33eefa87e9)
----
- ctdb/common/logging.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
-index dc8c4f75058..55e5d541735 100644
---- a/ctdb/common/logging.c
-+++ b/ctdb/common/logging.c
-@@ -85,7 +85,7 @@ const char *debug_level_to_string(int log_level)
- {
-	int i;
-
--	for (i=0; ARRAY_SIZE(log_string_map); i++) {
-+	for (i=0; i < ARRAY_SIZE(log_string_map); i++) {
-		if (log_string_map[i].log_level == log_level) {
-			return log_string_map[i].log_string;
-		}
---
-2.19.2
diff --git a/SOURCES/samba-4.9.0rc5-stack-protector.patch b/SOURCES/samba-4.9.0rc5-stack-protector.patch
deleted file mode 100644
index 51bc83a..0000000
--- a/SOURCES/samba-4.9.0rc5-stack-protector.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 3 Sep 2018 10:35:08 +0200
-Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support
-
-The -fstack-protector* flags are compiler only flags, don't pass them to
-the linker.
-
-https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371)
----
- buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++-------------
- 1 file changed, 19 insertions(+), 17 deletions(-)
-
-diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
-index c4391d0c4dc..bfd6f9710db 100644
---- a/buildtools/wafsamba/samba_autoconf.py
-+++ b/buildtools/wafsamba/samba_autoconf.py
-@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None):
-         return
- 
-     # we need to build real code that can't be optimized away to test
--    if conf.check(fragment='''
--        #include <stdio.h>
--
--        int main(void)
--        {
--            char t[100000];
--            while (fgets(t, sizeof(t), stdin));
--            return 0;
--        }
--        ''',
--        execute=0,
--        ccflags='-fstack-protector',
--        ldflags='-fstack-protector',
--        mandatory=False,
--        msg='Checking if toolchain accepts -fstack-protector'):
--            conf.ADD_CFLAGS('-fstack-protector')
--            conf.ADD_LDFLAGS('-fstack-protector')
-+    stack_protect_list = ['-fstack-protector-strong', '-fstack-protector']
-+    for stack_protect_flag in stack_protect_list:
-+        flag_supported = conf.check(fragment='''
-+                                    #include <stdio.h>
-+
-+                                    int main(void)
-+                                    {
-+                                        char t[100000];
-+                                        while (fgets(t, sizeof(t), stdin));
-+                                        return 0;
-+                                    }
-+                                    ''',
-+                                    execute=0,
-+                                    ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag],
-+                                    mandatory=False,
-+                                    msg='Checking if compiler accepts %s' % (stack_protect_flag))
-+        if flag_supported:
-+            conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
-+            break
- 
-     if Options.options.debug:
-         conf.ADD_CFLAGS('-g', testflags=True)
--- 
-2.18.0
-
-
-From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 3 Sep 2018 10:49:52 +0200
-Subject: [PATCH 2/2] waf: Add -fstack-clash-protection
-
-https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0)
----
- buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
-index bfd6f9710db..f2b3ec8db8d 100644
---- a/buildtools/wafsamba/samba_autoconf.py
-+++ b/buildtools/wafsamba/samba_autoconf.py
-@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None):
-             conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
-             break
- 
-+    flag_supported = conf.check(fragment='''
-+                                #include <stdio.h>
-+
-+                                int main(void)
-+                                {
-+                                    char t[100000];
-+                                    while (fgets(t, sizeof(t), stdin));
-+                                    return 0;
-+                                }
-+                                ''',
-+                                execute=0,
-+                                ccflags=[ '-Werror', '-fstack-clash-protection'],
-+                                mandatory=False,
-+                                msg='Checking if compiler accepts -fstack-clash-protection')
-+    if flag_supported:
-+        conf.ADD_CFLAGS('-fstack-clash-protection')
-+
-     if Options.options.debug:
-         conf.ADD_CFLAGS('-g', testflags=True)
- 
--- 
-2.18.0
-
diff --git a/SOURCES/samba-4.9.1.tar.asc b/SOURCES/samba-4.9.1.tar.asc
deleted file mode 100644
index 3a95975..0000000
--- a/SOURCES/samba-4.9.1.tar.asc
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iFwEABECABwFAluomosVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
-Ef0AoLUiZNu1bqD0YjbzI8KCisfwPF/2AKDGrFuyL4ds6Ege/OiUbg7krCXrOg==
-=2NTz
------END PGP SIGNATURE-----
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 0543006..90d65b7 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -8,11 +8,11 @@
 
 %define main_release 10
 
-%define samba_version 4.9.1
-%define talloc_version 2.1.14
-%define tdb_version 1.3.16
-%define tevent_version 0.9.37
-%define ldb_version 1.4.2
+%define samba_version 4.10.4
+%define talloc_version 2.1.16
+%define tdb_version 1.3.18
+%define tevent_version 0.9.39
+%define ldb_version 1.5.4
 # This should be rc1 or nil
 %define pre_release %nil
 
@@ -63,7 +63,7 @@
 %global with_intel_aes_accel 1
 %endif
 
-%global libwbc_alternatives_version 0.14
+%global libwbc_alternatives_version 0.15
 %global libwbc_alternatives_suffix %nil
 %if 0%{?__isa_bits} == 64
 %global libwbc_alternatives_suffix -64
@@ -127,29 +127,17 @@ Source14: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
 
-Patch0:         samba-4.9.0rc5-stack-protector.patch
-Patch1:         samba-4.9-harden_homes_share.patch
-Patch2:         samba-4.9-static_analysis_fixes.patch
-Patch3:         samba-4.9-fix_debug_segfault.patch
-Patch4:         samba-4.9-fix_winbind_passdb_segfault.patch
-Patch5:         samba-4.9-fix_testparm_crash.patch
-Patch6:         samba-4.9-disable_netbios.patch
-Patch7:         samba-4.9-net_ads_leave_keep_account.patch
-Patch8:         samba-4.9-fix_force_group_panic.patch
-Patch9:         samba-4.10-fix_gencache_debug_message.patch
-Patch10:        samba-4.9-fix_net_ads_krb5.patch
-Patch11:        samba-4.9-add_smbc_setOptionProtocols.patch
-Patch12:        samba-4.9-fix_smbspool_as_cups_backend.patch
-Patch13:        samba-4.9-doc_smbclient_max_protocol.patch
-Patch14:        samba-4.9-fix_net_ads_join_admin_otherdomain.patch
-Patch15:        samba-4.9-CVE-2019-3880.patch
-Patch16:        samba-4.9-fix_smbspool_krb5_auth.patch
-Patch17:        samba-4.9-fix_cups_printing.patch
-Patch18:        samba-4.9-net_ads_join_createcomputer.patch
-Patch19:        samba-4.10-fix_smbspool_username_passwd.patch
-Patch20:        samba-4.9-fix_builtin_groups_creation.patch
-Patch21:        samba-4.10-fix_winbind_trustdom_enum.patch
-Patch22:        samba-4.10-fix_spnego_downgrade.patch
+Patch0:         samba-4.10-fix_smbspool.patch
+Patch1:         samba-4.10.6-fix_idmap_tdb2.patch
+Patch2:         samba-4.10-net_ads_join_createcomputer.patch
+Patch3:         CVE-2019-10197-v4-10-metze03.patches.txt
+Patch4:         samba-4.10-fix_smbspool_username_password.patch
+Patch5:         samba-4.10-fix_winbind_trustdom_enum.patch
+Patch6:         samba-4.10-fix-spnego-downgrade.patch
+Patch7:         samba-4.10-fix_net_ads_join_hardened_env.patch
+Patch8:         samba-4.10-fix-netbios-join.patch
+Patch9:         CVE-2019-10218-4.11.patch
+Patch10:        samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -223,6 +211,8 @@ BuildRequires: python2-markdown
 BuildRequires: quota-devel
 BuildRequires: readline-devel
 BuildRequires: sed
+BuildRequires: libtasn1-devel
+BuildRequires: libtasn1-tools
 BuildRequires: xfsprogs-devel
 BuildRequires: xz
 BuildRequires: zlib-devel >= 1.2.3
@@ -240,6 +230,8 @@ BuildRequires: libcephfs-devel
 BuildRequires: gnutls-devel >= 3.4.7
 # Required by samba-tool to run tests
 BuildRequires: python2-crypto
+%else
+BuildRequires: gnutls-devel >= 3.2.0
 %endif
 
 # pidl requirements
@@ -814,6 +806,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 
 %global _samba_private_libraries %{_libsmbclient}%{_libwbclient}
 
+export PYTHON=/usr/bin/python2
 %configure \
         --enable-fhs \
         --with-piddir=/run \
@@ -865,7 +858,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 make %{?_smp_mflags}
 
 %install
-rm -rf %{buildroot}
+PYTHON=/usr/bin/python2 \
 make %{?_smp_mflags} install DESTDIR=%{buildroot}
 
 export PYTHON=%{__python2}
@@ -1061,7 +1054,7 @@ find %{buildroot}%{python2_sitearch} -name "*.pyc" -print -delete
 
 %if %{with testsuite}
 %check
-TDB_NO_FSYNC=1 make %{?_smp_mflags} test
+PYTHON=/usr/bin/python2 TDB_NO_FSYNC=1 make %{?_smp_mflags} test
 %endif
 
 %post
@@ -1239,7 +1232,7 @@ rm -rf %{buildroot}
 %files
 %defattr(-,root,root,-)
 %license COPYING
-%doc README WHATSNEW.txt
+%doc README.md WHATSNEW.txt
 %doc examples/autofs examples/LDAP examples/misc
 %doc examples/printer-accounting examples/printing
 %doc packaging/README.downgrade
@@ -1276,6 +1269,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/vfs/fileid.so
 %{_libdir}/samba/vfs/fruit.so
 %{_libdir}/samba/vfs/full_audit.so
+%{_libdir}/samba/vfs/glusterfs_fuse.so
 %{_libdir}/samba/vfs/linux_xfs_sgid.so
 %{_libdir}/samba/vfs/media_harmony.so
 %{_libdir}/samba/vfs/netatalk.so
@@ -1313,7 +1307,6 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_aio_pthread.8*
 %{_mandir}/man8/vfs_audit.8*
 %{_mandir}/man8/vfs_btrfs.8*
-%{_mandir}/man8/vfs_cacheprime.8*
 %{_mandir}/man8/vfs_cap.8*
 %{_mandir}/man8/vfs_catia.8*
 %{_mandir}/man8/vfs_commit.8*
@@ -1325,13 +1318,11 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_fileid.8*
 %{_mandir}/man8/vfs_fruit.8*
 %{_mandir}/man8/vfs_full_audit.8*
-%{_mandir}/man8/vfs_gpfs.8*
+%{_mandir}/man8/vfs_glusterfs_fuse.8*
 %{_mandir}/man8/vfs_linux_xfs_sgid.8*
 %{_mandir}/man8/vfs_media_harmony.8*
 %{_mandir}/man8/vfs_netatalk.8*
-%{_mandir}/man8/vfs_nfs4acl_xattr.8*
 %{_mandir}/man8/vfs_offline.8*
-%{_mandir}/man8/vfs_prealloc.8*
 %{_mandir}/man8/vfs_preopen.8*
 %{_mandir}/man8/vfs_readahead.8*
 %{_mandir}/man8/vfs_readonly.8*
@@ -1344,7 +1335,6 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_streams_xattr.8*
 %{_mandir}/man8/vfs_syncops.8*
 %{_mandir}/man8/vfs_time_audit.8*
-%{_mandir}/man8/vfs_tsmsm.8*
 %{_mandir}/man8/vfs_unityed_media.8*
 %{_mandir}/man8/vfs_virusfilter.8*
 %{_mandir}/man8/vfs_worm.8*
@@ -1354,10 +1344,6 @@ rm -rf %{buildroot}
 %exclude %{_mandir}/man8/vfs_glusterfs.8*
 %endif
 
-%if ! %{with_vfs_cephfs}
-%exclude %{_mandir}/man8/vfs_ceph.8*
-%endif
-
 %attr(775,root,printadmin) %dir /var/lib/samba/drivers
 
 ### CLIENT
@@ -1430,8 +1416,11 @@ rm -rf %{buildroot}
 %{_bindir}/ldbrename
 %{_bindir}/ldbsearch
 %{_libdir}/samba/libldb-cmdline-samba4.so
+%{_libdir}/samba/libldb-key-value-samba4.so
+%{_libdir}/samba/libldb-tdb-err-map-samba4.so
+%{_libdir}/samba/libldb-tdb-int-samba4.so
 %{_libdir}/samba/ldb/asq.so
-%{_libdir}/samba/ldb/paged_results.so
+%{_libdir}/samba/ldb/ldb.so
 %{_libdir}/samba/ldb/paged_searches.so
 %{_libdir}/samba/ldb/rdn_name.so
 %{_libdir}/samba/ldb/sample.so
@@ -1481,6 +1470,8 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libcli-smb-common-samba4.so
 %{_libdir}/samba/libcli-spoolss-samba4.so
 %{_libdir}/samba/libcliauth-samba4.so
+%{_libdir}/samba/libclidns-samba4.so
+%{_libdir}/samba/libcmdline-contexts-samba4.so
 %{_libdir}/samba/libcmdline-credentials-samba4.so
 %{_libdir}/samba/libcommon-auth-samba4.so
 %{_libdir}/samba/libctdb-event-client-samba4.so
@@ -1827,16 +1818,14 @@ rm -rf %{buildroot}
 %{_includedir}/samba-4.0/util/byteorder.h
 %{_includedir}/samba-4.0/util/data_blob.h
 %{_includedir}/samba-4.0/util/debug.h
+%{_includedir}/samba-4.0/util/discard.h
 %{_includedir}/samba-4.0/util/fault.h
 %{_includedir}/samba-4.0/util/genrand.h
 %{_includedir}/samba-4.0/util/idtree.h
 %{_includedir}/samba-4.0/util/idtree_random.h
-%{_includedir}/samba-4.0/util/memory.h
-%{_includedir}/samba-4.0/util/safe_string.h
 %{_includedir}/samba-4.0/util/signal.h
 %{_includedir}/samba-4.0/util/string_wrappers.h
 %{_includedir}/samba-4.0/util/substitute.h
-%{_includedir}/samba-4.0/util/talloc_stack.h
 %{_includedir}/samba-4.0/util/tevent_ntstatus.h
 %{_includedir}/samba-4.0/util/tevent_unix.h
 %{_includedir}/samba-4.0/util/tevent_werror.h
@@ -2015,9 +2004,11 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/descriptor.py*
 %{python_sitearch}/samba/gensec.so
 %{python_sitearch}/samba/getopt.py*
+%{python_sitearch}/samba/gp_ext_loader.py*
 %{python_sitearch}/samba/hostconfig.py*
 %{python_sitearch}/samba/idmap.py*
 %{python_sitearch}/samba/join.py*
+%{python_sitearch}/samba/logger.py*
 %{python_sitearch}/samba/messaging.so
 %{python_sitearch}/samba/ms_display_specifiers.py*
 %{python_sitearch}/samba/ms_schema.py*
@@ -2036,8 +2027,10 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/sites.py*
 %{python_sitearch}/samba/smb.so
 %{python_sitearch}/samba/subnets.py*
+
 %{python_sitearch}/samba/upgrade.py*
 %{python_sitearch}/samba/upgradehelpers.py*
+%{python_sitearch}/samba/uptodateness.py*
 %{python_sitearch}/samba/werror.so
 %{python_sitearch}/samba/xattr.py*
 %{python_sitearch}/samba/xattr_native.so
@@ -2056,6 +2049,7 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/dcerpc/drsuapi.so
 %{python_sitearch}/samba/dcerpc/echo.so
 %{python_sitearch}/samba/dcerpc/epmapper.so
+%{python_sitearch}/samba/dcerpc/preg.so
 %{python_sitearch}/samba/dcerpc/idmap.so
 %{python_sitearch}/samba/dcerpc/initshutdown.so
 %{python_sitearch}/samba/dcerpc/irpc.so
@@ -2071,11 +2065,15 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/dcerpc/security.so
 %{python_sitearch}/samba/dcerpc/server_id.so
 %{python_sitearch}/samba/dcerpc/smb_acl.so
+%{python_sitearch}/samba/dcerpc/spoolss.so
 %{python_sitearch}/samba/dcerpc/srvsvc.so
 %{python_sitearch}/samba/dcerpc/svcctl.so
 %{python_sitearch}/samba/dcerpc/unixinfo.so
 %{python_sitearch}/samba/dcerpc/winbind.so
+%{python_sitearch}/samba/dcerpc/windows_event_ids.so
 %{python_sitearch}/samba/dcerpc/winreg.so
+%{python_sitearch}/samba/dcerpc/winspool.so
+%{python_sitearch}/samba/dcerpc/witness.so
 %{python_sitearch}/samba/dcerpc/wkssvc.so
 %{python_sitearch}/samba/dcerpc/xattr.so
 
@@ -2084,6 +2082,14 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/emulate/traffic.py*
 %{python_sitearch}/samba/emulate/traffic_packets.py*
 
+%dir %{python_sitearch}/samba/gp_parse
+%{python_sitearch}/samba/gp_parse/__init__.py*
+%{python_sitearch}/samba/gp_parse/gp_aas.py*
+%{python_sitearch}/samba/gp_parse/gp_csv.py*
+%{python_sitearch}/samba/gp_parse/gp_inf.py*
+%{python_sitearch}/samba/gp_parse/gp_ini.py*
+%{python_sitearch}/samba/gp_parse/gp_pol.py*
+
 %dir %{python_sitearch}/samba/netcmd
 %{python_sitearch}/samba/netcmd/__init__.py*
 %{python_sitearch}/samba/netcmd/common.py*
@@ -2178,64 +2184,28 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/auth_log_netlogon_bad_creds.py*
 %{python_sitearch}/samba/tests/auth_log_pass_change.py*
 %{python_sitearch}/samba/tests/auth_log_samlogon.py*
-%dir %{python_sitearch}/samba/tests/blackbox
-%{python_sitearch}/samba/tests/blackbox/__init__.py*
-%{python_sitearch}/samba/tests/blackbox/check_output.py*
-%{python_sitearch}/samba/tests/blackbox/ndrdump.py*
-%{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
-%{python_sitearch}/samba/tests/blackbox/smbcontrol.py*
-%{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
-%{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
-%{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
+%{python_sitearch}/samba/tests/complex_expressions.py*
 %{python_sitearch}/samba/tests/common.py*
 %{python_sitearch}/samba/tests/core.py*
 %{python_sitearch}/samba/tests/credentials.py*
-%dir %{python_sitearch}/samba/tests/dcerpc
-%{python_sitearch}/samba/tests/dcerpc/__init__.py*
-%{python_sitearch}/samba/tests/dcerpc/array.py*
-%{python_sitearch}/samba/tests/dcerpc/bare.py*
-%{python_sitearch}/samba/tests/dcerpc/dnsserver.py*
-%{python_sitearch}/samba/tests/dcerpc/integer.py*
-%{python_sitearch}/samba/tests/dcerpc/misc.py*
-%{python_sitearch}/samba/tests/dcerpc/raw_protocol.py*
-%{python_sitearch}/samba/tests/dcerpc/raw_testcase.py*
-%{python_sitearch}/samba/tests/dcerpc/registry.py*
-%{python_sitearch}/samba/tests/dcerpc/rpc_talloc.py*
-%{python_sitearch}/samba/tests/dcerpc/rpcecho.py*
-%{python_sitearch}/samba/tests/dcerpc/sam.py*
-%{python_sitearch}/samba/tests/dcerpc/srvsvc.py*
-%{python_sitearch}/samba/tests/dcerpc/string.py*
-%{python_sitearch}/samba/tests/dcerpc/testrpc.py*
-%{python_sitearch}/samba/tests/dcerpc/unix.py*
 %{python_sitearch}/samba/tests/dns.py*
 %{python_sitearch}/samba/tests/dns_base.py*
 %{python_sitearch}/samba/tests/dns_forwarder.py*
-%dir %{python_sitearch}/samba/tests/dns_forwarder_helpers
-%{python_sitearch}/samba/tests/dns_forwarder_helpers/server.py*
 %{python_sitearch}/samba/tests/dns_tkey.py*
 %{python_sitearch}/samba/tests/dns_wildcard.py*
 %{python_sitearch}/samba/tests/docs.py*
 %{python_sitearch}/samba/tests/dsdb.py*
 %{python_sitearch}/samba/tests/dsdb_lock.py*
 %{python_sitearch}/samba/tests/dsdb_schema_attributes.py*
-%dir %{python_sitearch}/samba/tests/emulate
-%{python_sitearch}/samba/tests/emulate/__init__.py*
-%{python_sitearch}/samba/tests/emulate/traffic.py*
-%{python_sitearch}/samba/tests/emulate/traffic_packet.py*
+%{python_sitearch}/samba/tests/domain_backup_offline.py*
 %{python_sitearch}/samba/tests/encrypted_secrets.py*
 %{python_sitearch}/samba/tests/gensec.py*
 %{python_sitearch}/samba/tests/get_opt.py*
 %{python_sitearch}/samba/tests/glue.py*
 %{python_sitearch}/samba/tests/graph.py*
 %{python_sitearch}/samba/tests/hostconfig.py*
+%{python_sitearch}/samba/tests/libsmb.py*
 %{python_sitearch}/samba/tests/join.py*
-%dir %{python_sitearch}/samba/tests/kcc
-%{python_sitearch}/samba/tests/kcc/__init__.py*
-%{python_sitearch}/samba/tests/kcc/graph.py*
-%{python_sitearch}/samba/tests/kcc/graph_utils.py*
-%{python_sitearch}/samba/tests/kcc/kcc_utils.py*
-%{python_sitearch}/samba/tests/kcc/ldif_import_export.py*
-%{python_sitearch}/samba/tests/libsmb_samba_internal.py*
 %{python_sitearch}/samba/tests/lsa_string.py*
 %{python_sitearch}/samba/tests/messaging.py*
 %{python_sitearch}/samba/tests/net_join.py*
@@ -2243,8 +2213,12 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/netcmd.py*
 %{python_sitearch}/samba/tests/netlogonsvc.py*
 %{python_sitearch}/samba/tests/ntacls.py*
+%{python_sitearch}/samba/tests/ntlm_auth.py*
+%{python_sitearch}/samba/tests/ntlm_auth_base.py*
+%{python_sitearch}/samba/tests/ntlm_auth_krb5.py*
 %{python_sitearch}/samba/tests/ntlmdisabled.py*
 %{python_sitearch}/samba/tests/pam_winbind.py*
+%{python_sitearch}/samba/tests/pam_winbind_chauthtok.py*
 %{python_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py*
 %{python_sitearch}/samba/tests/param.py*
 %{python_sitearch}/samba/tests/password_hash.py*
@@ -2254,10 +2228,71 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/password_hash_ldap.py*
 %{python_sitearch}/samba/tests/policy.py*
 %{python_sitearch}/samba/tests/posixacl.py*
+%{python_sitearch}/samba/tests/prefork_restart.py*
+%{python_sitearch}/samba/tests/process_limits.py*
 %{python_sitearch}/samba/tests/provision.py*
 %{python_sitearch}/samba/tests/py_credentials.py*
 %{python_sitearch}/samba/tests/registry.py*
 %{python_sitearch}/samba/tests/samba3sam.py*
+%{python_sitearch}/samba/tests/samdb.py*
+%{python_sitearch}/samba/tests/smbd_base.py*
+%{python_sitearch}/samba/tests/security.py*
+%{python_sitearch}/samba/tests/source.py*
+%{python_sitearch}/samba/tests/strings.py*
+%{python_sitearch}/samba/tests/subunitrun.py*
+%{python_sitearch}/samba/tests/tdb_util.py*
+%{python_sitearch}/samba/tests/upgrade.py*
+%{python_sitearch}/samba/tests/upgradeprovision.py*
+%{python_sitearch}/samba/tests/upgradeprovisionneeddc.py*
+%{python_sitearch}/samba/tests/xattr.py*
+
+%dir %{python_sitearch}/samba/tests/blackbox
+%{python_sitearch}/samba/tests/blackbox/__init__.py*
+%{python_sitearch}/samba/tests/blackbox/bug13653.py*
+%{python_sitearch}/samba/tests/blackbox/check_output.py*
+%{python_sitearch}/samba/tests/blackbox/netads_json.py*
+%{python_sitearch}/samba/tests/blackbox/ndrdump.py*
+%{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
+%{python_sitearch}/samba/tests/blackbox/smbcontrol.py*
+%{python_sitearch}/samba/tests/blackbox/smbcontrol_process.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
+
+%dir %{python_sitearch}/samba/tests/dcerpc
+%{python_sitearch}/samba/tests/dcerpc/__init__.py*
+%{python_sitearch}/samba/tests/dcerpc/array.py*
+%{python_sitearch}/samba/tests/dcerpc/bare.py*
+%{python_sitearch}/samba/tests/dcerpc/dnsserver.py*
+%{python_sitearch}/samba/tests/dcerpc/integer.py*
+%{python_sitearch}/samba/tests/dcerpc/misc.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_protocol.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_testcase.py*
+%{python_sitearch}/samba/tests/dcerpc/registry.py*
+%{python_sitearch}/samba/tests/dcerpc/rpc_talloc.py*
+%{python_sitearch}/samba/tests/dcerpc/rpcecho.py*
+%{python_sitearch}/samba/tests/dcerpc/sam.py*
+%{python_sitearch}/samba/tests/dcerpc/srvsvc.py*
+%{python_sitearch}/samba/tests/dcerpc/string_tests.py*
+%{python_sitearch}/samba/tests/dcerpc/testrpc.py*
+%{python_sitearch}/samba/tests/dcerpc/unix.py*
+
+%dir %{python_sitearch}/samba/tests/dns_forwarder_helpers
+%{python_sitearch}/samba/tests/dns_forwarder_helpers/server.py*
+%{python_sitearch}/samba/tests/dns_forwarder_helpers/dns_hub.py*
+
+%dir %{python_sitearch}/samba/tests/emulate
+%{python_sitearch}/samba/tests/emulate/__init__.py*
+%{python_sitearch}/samba/tests/emulate/traffic.py*
+%{python_sitearch}/samba/tests/emulate/traffic_packet.py*
+
+%dir %{python_sitearch}/samba/tests/kcc
+%{python_sitearch}/samba/tests/kcc/__init__.py*
+%{python_sitearch}/samba/tests/kcc/graph.py*
+%{python_sitearch}/samba/tests/kcc/graph_utils.py*
+%{python_sitearch}/samba/tests/kcc/kcc_utils.py*
+%{python_sitearch}/samba/tests/kcc/ldif_import_export.py*
+
 %dir %{python_sitearch}/samba/tests/samba_tool
 %{python_sitearch}/samba/tests/samba_tool/__init__.py*
 %{python_sitearch}/samba/tests/samba_tool/base.py*
@@ -2279,17 +2314,6 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/samba_tool/user_wdigest.py*
 %{python_sitearch}/samba/tests/samba_tool/visualize.py*
 %{python_sitearch}/samba/tests/samba_tool/visualize_drs.py*
-%{python_sitearch}/samba/tests/samdb.py*
-%{python_sitearch}/samba/tests/security.py*
-%{python_sitearch}/samba/tests/source.py*
-%{python_sitearch}/samba/tests/strings.py*
-%{python_sitearch}/samba/tests/subunitrun.py*
-%{python_sitearch}/samba/tests/tdb_util.py*
-%{python_sitearch}/samba/tests/unicodenames.py*
-%{python_sitearch}/samba/tests/upgrade.py*
-%{python_sitearch}/samba/tests/upgradeprovision.py*
-%{python_sitearch}/samba/tests/upgradeprovisionneeddc.py*
-%{python_sitearch}/samba/tests/xattr.py*
 
 ### TEST
 %files test
@@ -2321,6 +2345,7 @@ rm -rf %{buildroot}
 %else
 %{_libdir}/samba/libdsdb-module-samba4.so
 %endif
+%{_libdir}/samba/libcmocka-samba4.so
 
 ### WINBIND
 %files winbind
@@ -2403,6 +2428,7 @@ rm -rf %{buildroot}
 %{_sbindir}/ctdbd
 %{_sbindir}/ctdbd_wrapper
 %{_bindir}/ctdb
+%{_bindir}/ctdb_local_daemons
 %{_bindir}/ping_pong
 %{_bindir}/ltdbtool
 %{_bindir}/ctdb_diagnostics
@@ -2478,6 +2504,7 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/conf_test
 %{_libexecdir}/ctdb/tests/ctdb_packet_parse
 %{_libexecdir}/ctdb/tests/ctdb_takeover_tests
+%{_libexecdir}/ctdb/tests/ctdb_io_test
 %{_libexecdir}/ctdb/tests/db_hash_test
 %{_libexecdir}/ctdb/tests/dummy_client
 %{_libexecdir}/ctdb/tests/errcode
@@ -2512,6 +2539,7 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/sock_daemon_test
 %{_libexecdir}/ctdb/tests/sock_io_test
 %{_libexecdir}/ctdb/tests/srvid_test
+%{_libexecdir}/ctdb/tests/system_socket_test
 %{_libexecdir}/ctdb/tests/test_mutex_raw
 %{_libexecdir}/ctdb/tests/transaction_loop
 %{_libexecdir}/ctdb/tests/tunnel_cmd
@@ -2523,7 +2551,6 @@ rm -rf %{buildroot}
 
 %dir %{_datadir}/ctdb/tests/complex
 %{_datadir}/ctdb/tests/complex/README
-%{_datadir}/ctdb/tests/complex/00_ctdb_init.sh
 %{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh
 %{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh
 %{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh
@@ -2556,6 +2583,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/cunit/config_test_005.sh
 %{_datadir}/ctdb/tests/cunit/config_test_006.sh
 %{_datadir}/ctdb/tests/cunit/config_test_007.sh
+%{_datadir}/ctdb/tests/cunit/ctdb_io_test_001.sh
 %{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
 %{_datadir}/ctdb/tests/cunit/event_protocol_test_001.sh
 %{_datadir}/ctdb/tests/cunit/event_script_test_001.sh
@@ -2579,7 +2607,11 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh
 %{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh
 %{_datadir}/ctdb/tests/cunit/srvid_test_001.sh
-
+%{_datadir}/ctdb/tests/cunit/system_socket_test_001.sh
+%dir %{_datadir}/ctdb/tests/etc-ctdb
+%dir %{_datadir}/ctdb/tests/etc-ctdb/events
+%dir %{_datadir}/ctdb/tests/etc-ctdb/events/legacy
+%{_datadir}/ctdb/tests/etc-ctdb/events/legacy/00.test.script
 %dir %{_datadir}/ctdb/tests/eventd
 %{_datadir}/ctdb/tests/eventd/README
 %dir %{_datadir}/ctdb/tests/eventd/etc-ctdb
@@ -2921,6 +2953,8 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/onnode/0004.sh
 %{_datadir}/ctdb/tests/onnode/0005.sh
 %{_datadir}/ctdb/tests/onnode/0006.sh
+%{_datadir}/ctdb/tests/onnode/0010.sh
+%{_datadir}/ctdb/tests/onnode/0011.sh
 %{_datadir}/ctdb/tests/onnode/0070.sh
 %{_datadir}/ctdb/tests/onnode/0071.sh
 %{_datadir}/ctdb/tests/onnode/0072.sh
@@ -2957,12 +2991,9 @@ rm -rf %{buildroot}
 
 %dir %{_datadir}/ctdb/tests/simple
 %{_datadir}/ctdb/tests/simple/README
-%{_datadir}/ctdb/tests/simple/00_ctdb_init.sh
 %{_datadir}/ctdb/tests/simple/00_ctdb_onnode.sh
-%{_datadir}/ctdb/tests/simple/01_ctdb_version.sh
-%{_datadir}/ctdb/tests/simple/02_ctdb_listvars.sh
-%{_datadir}/ctdb/tests/simple/03_ctdb_getvar.sh
-%{_datadir}/ctdb/tests/simple/04_ctdb_setvar.sh
+%{_datadir}/ctdb/tests/simple/01_ctdb_reclock_command.sh
+%{_datadir}/ctdb/tests/simple/02_ctdb_tunables.sh
 %{_datadir}/ctdb/tests/simple/05_ctdb_listnodes.sh
 %{_datadir}/ctdb/tests/simple/06_ctdb_getpid.sh
 %{_datadir}/ctdb/tests/simple/07_ctdb_process_exists.sh
@@ -2985,11 +3016,9 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/26_ctdb_config_check_error_on_unreachable_ctdb.sh
 %{_datadir}/ctdb/tests/simple/27_ctdb_detach.sh
 %{_datadir}/ctdb/tests/simple/28_zero_eventscripts.sh
-%{_datadir}/ctdb/tests/simple/31_ctdb_disable.sh
-%{_datadir}/ctdb/tests/simple/32_ctdb_enable.sh
+%{_datadir}/ctdb/tests/simple/32_ctdb_disable_enable.sh
 %{_datadir}/ctdb/tests/simple/35_ctdb_getreclock.sh
-%{_datadir}/ctdb/tests/simple/41_ctdb_stop.sh
-%{_datadir}/ctdb/tests/simple/42_ctdb_continue.sh
+%{_datadir}/ctdb/tests/simple/42_ctdb_stop_continue.sh
 %{_datadir}/ctdb/tests/simple/43_stop_recmaster_yield.sh
 %{_datadir}/ctdb/tests/simple/51_message_ring.sh
 %{_datadir}/ctdb/tests/simple/52_fetch_ring.sh
@@ -2999,6 +3028,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/56_replicated_transaction_recovery.sh
 %{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh
 %{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh
+%{_datadir}/ctdb/tests/simple/69_recovery_resurrect_deleted.sh
 %{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh
 %{_datadir}/ctdb/tests/simple/71_ctdb_wipedb.sh
 %{_datadir}/ctdb/tests/simple/72_update_record_persistent.sh
@@ -3011,17 +3041,10 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
 %{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh
 %{_datadir}/ctdb/tests/simple/90_debug_hung_script.sh
-%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
-
-%dir %{_datadir}/ctdb/tests/simple/etc-ctdb
-%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events
-%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy
-%{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy/00.test.script
 
 %dir %{_datadir}/ctdb/tests/simple/scripts
 %{_datadir}/ctdb/tests/simple/scripts/local.bash
 %{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash
-%{_datadir}/ctdb/tests/simple/scripts/ssh_local_daemons.sh
 
 %dir %{_datadir}/ctdb/tests/takeover
 %{_datadir}/ctdb/tests/takeover/README
@@ -3245,20 +3268,42 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
-* Mon Oct 21 2019 Isaac Boukris <iboukris@redhat.com> - 4.9.1.10
-- resolves: #1763650 - Fix spnego downgrade
+* Wed Jan 08 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.10.4-10
+- resolves: #1786324 - fix security level check for DsRGetForestTrustInformation
+
+* Thu Oct 31 2019 Isaac Boukris <iboukris@redhat.com> - 4.10.4-9
+- resolves: #1764468 - Fix CVE-2019-10218
+
+* Wed Oct 30 2019 Isaac Boukris <iboukris@redhat.com> - 4.10.4-8
+- resolves: #1656541 - Fix join using netbios name
+
+* Mon Oct 14 2019 Isaac Boukris <iboukris@redhat.com> - 4.10.4-7
+- resolves: #1657428 - Fix spnego downgrade
+- resolves: #1663064 - Fix net ads join in hardened environments
 
-* Tue Oct 08 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-9
-- resolves: #1759445 - Fix trusted domain enumeration in windind caused
+* Fri Oct 04 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-6
+- resolves: #1753254 - Fix trusted domain enumeration in windind caused
                        a Active Directory update
 
-* Tue Sep 24 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-8
-- resolves: #1754838 - Fix username/password auth with smbspool
-- resolves: #1754835 - Fix builtin groups creation.
+* Thu Sep 19 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-5
+- resolves: #1751335 - Fix username/passwd auth with smbspool
+
+* Mon Sep 16 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-4
+- resolves: #1740986 - Fix issues creating BUILTIN\Guests
+
+* Thu Sep 05 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.4-3
+- resolves: #1746240 - Security fix for CVE-2019-10197
+
+* Wed Sep 04 2019 Guenther Deschner <gdeschner@redhat.com> - 4.10.4-2
+- resolves: #1740000 - Fix 'net ads join createcomputer=<accountou>'
 
+* Wed Aug 14 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-1
+- resolves: #1497809 - Add --resolve-uids for 'smbstatus -L'
+- resolves: #1714947 - Fix idmap_tdb2 scripts
 
-* Fri Sep 06 2019 Guenther Deschner <gdeschner@redhat.com> - 4.9.1-7
-- resolves: #1749300 - Fix 'net ads join createcomputer=<accountou>'
+* Wed Aug 14 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-0
+- resolves: #1724991 - Update to version 4.10.4
+- resolves: #1595277 - Update manpage for 'net ads lookup'
 
 * Fri May 24 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-6
 - related: #1703204 - Fix printing with smbspool as CUPS backend