diff --git a/SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch b/SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
new file mode 100644
index 0000000..90ec59d
--- /dev/null
+++ b/SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
@@ -0,0 +1,84 @@
+From 2a7249a43c82d720191e29510db5633f3a92a08c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Tue, 7 Jan 2020 19:25:53 +0200
+Subject: [PATCH 209/209] s3-rpcserver: fix security level check for
+ DsRGetForestTrustInformation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
+didn't change since DCE RPC channel refactoring.
+
+With the current code we return RPC faul as can be seen in the logs:
+
+2019/12/11 17:12:55.463081,  1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
+       netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
+          in: struct netr_DsRGetForestTrustInformation
+              server_name              : *
+                  server_name              : '\\some-dc.example.com'
+              trusted_domain_name      : NULL
+              flags                    : 0x00000000 (0)
+[2019/12/11 17:12:55.463122,  4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
+  api_rpcTNP: fault(5) return.
+
+This is due to this check in processing a request:
+        if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+                       && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+                p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+                return WERR_ACCESS_DENIED;
+        }
+
+and since we get AuthZ response,
+
+  Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
+  Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
+[2019/12/11 17:12:55.461584,  4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
+  JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
+   "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
+   "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
+   "serviceDescription": "netlogon", "authType": "ncacn_np",
+   "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
+   "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
+   "transportProtection": "SMB", "accountFlags": "0x00000010"}}
+
+this means we are actually getting anonymous DCE/RPC access to netlogon
+on top of authenticated SMB connection. In such case we have exactly
+auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
+DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
+
+Update the code to follow the same security level check as in s4 variant
+of the call.
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184
+
+(cherry picked from commit c6d880a115095c336b8b74f45854a99abb1bbb87)
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 3dd8ecf5ca8..3fb62d3f82e 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2454,10 +2454,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
+ {
+ 	NTSTATUS status;
+ 	struct lsa_ForestTrustInformation *info, **info_ptr;
++	enum security_user_level security_level;
+ 
+-	if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+-		       && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+-		p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
++	security_level = security_session_user_level(p->session_info, NULL);
++	if (security_level < SECURITY_USER) {
+ 		return WERR_ACCESS_DENIED;
+ 	}
+ 
+-- 
+2.24.1
+
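Review bot: The new gate in `_netr_DsRGetForestTrustInformation` carries no comment explaining why the session's user level, rather than the DCE/RPC auth type and level, now decides access, and without one a later reader may "harden" it back to the old check. I would add above the call: `/* netlogon over an authenticated SMB pipe arrives with DCERPC_AUTH_TYPE_NONE; authorize on the transport session instead */`. The rewrite also drops the `p->pipe_bound` test and the `p->fault_state = DCERPC_FAULT_ACCESS_DENIED;` assignment, so a denied caller presumably now receives `WERR_ACCESS_DENIED` in the reply instead of an RPC fault. The commit message does not say whether that is intended, so it is worth confirming against the s4 variant it refers to. The function body continues outside the hunk.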
diff --git a/SOURCES/CVE-2019-14907-4.11.patch b/SOURCES/CVE-2019-14907-4.11.patch
new file mode 100644
index 0000000..1465ec8
--- /dev/null
+++ b/SOURCES/CVE-2019-14907-4.11.patch
@@ -0,0 +1,100 @@
+From 588b74189958630b39cb393c47495d39dead83a1 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 29 Nov 2019 20:58:47 +1300
+Subject: [PATCH] CVE-2019-14907 lib/util: Do not print the failed to convert
+ string into the logs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The string may be in another charset, or may be sensitive and
+certainly may not be terminated.  It is not safe to just print.
+
+Found by Robert Święcki using a fuzzer he wrote for smbd.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ lib/util/charset/convert_string.c | 38 ++++++++++++++++---------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
+index d274e305a0c..b725b53cb5a 100644
+--- a/lib/util/charset/convert_string.c
++++ b/lib/util/charset/convert_string.c
+@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic,
+ 		switch(errno) {
+ 			case EINVAL:
+ 				reason="Incomplete multibyte sequence";
+-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
+-					 reason, (const char *)src));
++				DBG_NOTICE("Conversion error: %s\n",
++					 reason);
+ 				break;
+ 			case E2BIG:
+ 			{
+ 				reason="No more room";
+ 				if (from == CH_UNIX) {
+-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n",
+-						 charset_name(ic, from), charset_name(ic, to),
+-						 (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason));
++					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
++						   charset_name(ic, from), charset_name(ic, to),
++						   (unsigned int)srclen, (unsigned int)destlen, reason);
+ 				} else {
+-					DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+-						 charset_name(ic, from), charset_name(ic, to),
+-						 (unsigned int)srclen, (unsigned int)destlen, reason));
++					DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
++						   charset_name(ic, from), charset_name(ic, to),
++						   (unsigned int)srclen, (unsigned int)destlen, reason);
+ 				}
+ 				break;
+ 			}
+ 			case EILSEQ:
+ 				reason="Illegal multibyte sequence";
+-				DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
+-					 reason, (const char *)src));
++				DBG_NOTICE("convert_string_internal: Conversion error: %s\n",
++					   reason);
+ 				break;
+ 			default:
+-				DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n",
+-					 reason, (const char *)src));
++				DBG_ERR("convert_string_internal: Conversion error: %s\n",
++					reason);
+ 				break;
+ 		}
+ 		/* smb_panic(reason); */
+@@ -427,20 +427,22 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic,
+ 		switch(errno) {
+ 			case EINVAL:
+ 				reason="Incomplete multibyte sequence";
+-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
++				DBG_NOTICE("Conversion error: %s\n",
++					   reason);
+ 				break;
+ 			case E2BIG:
+ 				reason = "output buffer is too small";
+-				DBG_NOTICE("convert_string_talloc: "
+-					   "Conversion error: %s(%s)\n",
+-					   reason, inbuf);
++				DBG_NOTICE("Conversion error: %s\n",
++					   reason);
+ 				break;
+ 			case EILSEQ:
+ 				reason="Illegal multibyte sequence";
+-				DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
++				DBG_NOTICE("Conversion error: %s\n",
++					   reason);
+ 				break;
+ 			default:
+-				DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));
++				DBG_ERR("Conversion error: %s\n",
++					reason);
+ 				break;
+ 		}
+ 		/* smb_panic(reason); */
+-- 
+2.17.1
+
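Review bot: In the `E2BIG` case of `convert_string_handle` the two arms of `if (from == CH_UNIX)` are now the same `DBG_NOTICE` call, because the only difference was the `'%s'` of `src` that this fix removes; the branch can be collapsed into a single call. The messages are also inconsistent after the change: the `EINVAL` case drops the `convert_string_internal:` prefix while `EILSEQ` and `default` keep it, and that name does not match the function named in the hunk header. As far as I know the `DBG_*` macros already prepend the calling function, so dropping the prefix everywhere, as the `convert_string_talloc_handle` hunk does, would make the lines uniform. Both switch statements sit in functions that start and end outside the hunks.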
diff --git a/SOURCES/krb5_no_des_411.patch b/SOURCES/krb5_no_des_411.patch
new file mode 100644
index 0000000..0fd1286
--- /dev/null
+++ b/SOURCES/krb5_no_des_411.patch
@@ -0,0 +1,613 @@
+From d8c48f3773d72a5e36bb46a1c09ba11fc64ae38d Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 6 Nov 2019 09:17:52 +0100
+Subject: [PATCH 01/10] selftest/remote_pac: remove
+ test_PACVerify_workstation_des
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/torture/rpc/remote_pac.c | 37 --------------------------------
+ 1 file changed, 37 deletions(-)
+
+diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
+index 7a5cda74b74..f12060e3c8f 100644
+--- a/source4/torture/rpc/remote_pac.c
++++ b/source4/torture/rpc/remote_pac.c
+@@ -38,7 +38,6 @@
+ 
+ #define TEST_MACHINE_NAME_BDC "torturepacbdc"
+ #define TEST_MACHINE_NAME_WKSTA "torturepacwksta"
+-#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes"
+ #define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc"
+ #define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk"
+ 
+@@ -581,39 +580,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx,
+ 			      NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
+ }
+ 
+-static bool test_PACVerify_workstation_des(struct torture_context *tctx,
+-					   struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx)
+-{
+-	struct samr_SetUserInfo r;
+-	union samr_UserInfo user_info;
+-	struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx);
+-	struct smb_krb5_context *smb_krb5_context;
+-	krb5_error_code ret;
+-
+-	ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(),
+-			tctx->lp_ctx, &smb_krb5_context);
+-	torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed");
+-
+-	if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) {
+-		torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes");
+-	}
+-
+-	/* Mark this workstation with DES-only */
+-	user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST;
+-	r.in.user_handle = torture_join_samr_user_policy(join_ctx);
+-	r.in.level = 16;
+-	r.in.info = &user_info;
+-
+-	torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r),
+-		"failed to set DES info account flags");
+-	torture_assert_ntstatus_ok(tctx, r.out.result,
+-		"failed to set DES into account flags");
+-
+-	return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
+-			      TEST_MACHINE_NAME_WKSTA_DES,
+-			      NETLOGON_NEG_AUTH2_ADS_FLAGS);
+-}
+-
+ #ifdef SAMBA4_USES_HEIMDAL
+ static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
+ 						  uint16_t validation_level,
+@@ -1000,9 +966,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
+ 								      &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
+ 	torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes);
+ 
+-	tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des",
+-								      &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES);
+-	torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des);
+ #ifdef SAMBA4_USES_HEIMDAL
+ 	tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
+ 							      &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC);
+-- 
+2.24.1
+
+
+From c19bef15eba2f8436d3ffafae5e640c6581fdb81 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 31 Oct 2019 19:41:46 +0100
+Subject: [PATCH 02/10] selftest: exclude msDS-SupportedEncryptionType in
+ ldapcmp
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Pair-Programmed-With: Alexander Bokovoy <ab@samba.org>
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ testprogs/blackbox/dbcheck-oldrelease.sh          | 2 +-
+ testprogs/blackbox/functionalprep.sh              | 2 +-
+ testprogs/blackbox/upgradeprovision-oldrelease.sh | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
+index 3d0ee2c165a..41c55178d4e 100755
+--- a/testprogs/blackbox/dbcheck-oldrelease.sh
++++ b/testprogs/blackbox/dbcheck-oldrelease.sh
+@@ -388,7 +388,7 @@ referenceprovision() {
+ 
+ ldapcmp() {
+     if [ x$RELEASE = x"release-4-0-0" ]; then
+-         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
++         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
+     fi
+ }
+ 
+diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh
+index 80e82252d45..1d37611ef7a 100755
+--- a/testprogs/blackbox/functionalprep.sh
++++ b/testprogs/blackbox/functionalprep.sh
+@@ -61,7 +61,7 @@ provision_2012r2() {
+ ldapcmp_ignore() {
+     # At some point we will need to ignore, but right now, it should be perfect
+     IGNORE_ATTRS=$1
+-    $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn
++    $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes
+ }
+ 
+ ldapcmp() {
+diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh
+index 76276168011..208baa54a02 100755
+--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh
++++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
+@@ -106,7 +106,7 @@ referenceprovision() {
+ 
+ ldapcmp() {
+     if [ x$RELEASE != x"alpha13" ]; then
+-         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
++         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
+     fi
+ }
+ 
+-- 
+2.24.1
+
+
+From afb8e18c42122841111b6077bb26bd5dd95e5c55 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 24 Oct 2019 12:20:05 +0300
+Subject: [PATCH 03/10] kerberos: remove single DES enctypes from ENC_ALL_TYPES
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/auth/kerberos/kerberos.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
+index 2ff9e3868af..1dd63acc838 100644
+--- a/source4/auth/kerberos/kerberos.h
++++ b/source4/auth/kerberos/kerberos.h
+@@ -50,7 +50,7 @@ struct keytab_container {
+ #define TOK_ID_GSS_GETMIC	((const uint8_t *)"\x01\x01")
+ #define TOK_ID_GSS_WRAP		((const uint8_t *)"\x02\x01")
+ 
+-#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 |	\
++#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 |	\
+ 		       ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
+ 
+ #ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
+-- 
+2.24.1
+
+
+From 4747d04bd8c9d694b613cdec92640312208aee9d Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 24 Oct 2019 18:53:34 +0300
+Subject: [PATCH 04/10] kdc/db-glue: do not fetch single DES keys from db
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/kdc/db-glue.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
+index f62a633c6c7..023ae7b580d 100644
+--- a/source4/kdc/db-glue.c
++++ b/source4/kdc/db-glue.c
+@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
+ 
+ 	/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
+ 	if (userAccountControl & UF_USE_DES_KEY_ONLY) {
+-		supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
++		supported_enctypes = 0;
+ 	} else {
+ 		/* Otherwise, add in the default enc types */
+-		supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
++		supported_enctypes |= ENC_RC4_HMAC_MD5;
+ 	}
+ 
+ 	/* Is this the krbtgt or a RODC krbtgt */
+-- 
+2.24.1
+
+
+From 5c460fe678eb5db9f0f2eed67a6be8c07ca8d53c Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 24 Oct 2019 18:32:37 +0300
+Subject: [PATCH 05/10] password_hash: do not generate single DES keys
+
+Per RFC-6649 single DES enctypes should not be used.
+
+MIT has retired single DES encryption types, see:
+https://web.mit.edu/kerberos/krb5-1.12/doc/admin/advanced/retiring-des.html
+
+As a workaround, store random keys instead, making the usage of signle DES
+encryption types virtually impossible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ .../dsdb/samdb/ldb_modules/password_hash.c    | 49 +++----------------
+ 1 file changed, 7 insertions(+), 42 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
+index 006e35c46d5..ffd48da616e 100644
+--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
+@@ -783,56 +783,21 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
+ 	}
+ 
+ 	/*
+-	 * create ENCTYPE_DES_CBC_MD5 key out of
+-	 * the salt and the cleartext password
++	 * As per RFC-6649 single DES encryption types are no longer considered
++	 * secure to be used in Kerberos, we store random keys instead of the
++	 * ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC keys.
+ 	 */
+-	krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+-						   NULL,
+-						   &salt,
+-						   &cleartext_data,
+-						   ENCTYPE_DES_CBC_MD5,
+-						   &key);
+-	if (krb5_ret) {
+-		ldb_asprintf_errstring(ldb,
+-				       "setup_kerberos_keys: "
+-				       "generation of a des-cbc-md5 key failed: %s",
+-				       smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
+-								  krb5_ret, io->ac));
+-		return LDB_ERR_OPERATIONS_ERROR;
+-	}
+-	io->g.des_md5 = data_blob_talloc(io->ac,
+-					 KRB5_KEY_DATA(&key),
+-					 KRB5_KEY_LENGTH(&key));
+-	krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
++	io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8);
+ 	if (!io->g.des_md5.data) {
+ 		return ldb_oom(ldb);
+ 	}
++	generate_secret_buffer(io->g.des_md5.data, 8);
+ 
+-	/*
+-	 * create ENCTYPE_DES_CBC_CRC key out of
+-	 * the salt and the cleartext password
+-	 */
+-	krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+-						   NULL,
+-						   &salt,
+-						   &cleartext_data,
+-						   ENCTYPE_DES_CBC_CRC,
+-						   &key);
+-	if (krb5_ret) {
+-		ldb_asprintf_errstring(ldb,
+-				       "setup_kerberos_keys: "
+-				       "generation of a des-cbc-crc key failed: %s",
+-				       smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
+-								  krb5_ret, io->ac));
+-		return LDB_ERR_OPERATIONS_ERROR;
+-	}
+-	io->g.des_crc = data_blob_talloc(io->ac,
+-					 KRB5_KEY_DATA(&key),
+-					 KRB5_KEY_LENGTH(&key));
+-	krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
++	io->g.des_crc = data_blob_talloc(io->ac, NULL, 8);
+ 	if (!io->g.des_crc.data) {
+ 		return ldb_oom(ldb);
+ 	}
++	generate_secret_buffer(io->g.des_crc.data, 8);
+ 
+ 	return LDB_SUCCESS;
+ }
+-- 
+2.24.1
+
+
+From 000abe4e405ce5fa4eae6235335bfca2a8152e3c Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 24 Oct 2019 19:04:51 +0300
+Subject: [PATCH 06/10] kerberos_keytab: do not add single DES keys to keytab
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source3/libads/kerberos_keytab.c                 |  2 --
+ testprogs/blackbox/test_export_keytab_heimdal.sh | 16 ++++++++--------
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index 97d5535041c..7d193e1a600 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
+ 	krb5_data password;
+ 	krb5_kvno kvno;
+         krb5_enctype enctypes[6] = {
+-		ENCTYPE_DES_CBC_CRC,
+-		ENCTYPE_DES_CBC_MD5,
+ #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ 		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ #endif
+diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
+index cfa245fd4de..6a2595cd684 100755
+--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
++++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
+@@ -43,7 +43,7 @@ test_keytab() {
+ 
+ 	echo "test: $testname"
+ 
+-	NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour")
++	NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour")
+ 	status=$?
+ 	if [ x$status != x0 ]; then
+ 		echo "failure: $testname"
+@@ -64,22 +64,22 @@ unc="//$SERVER/tmp"
+ testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1`
+ 
+ testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
+-test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
++test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
+ testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
+-test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
++test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
+ 
+ testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
+-test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
++test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
+ testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
+-test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
++test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
+ 
+ testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
+-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
++test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
+ testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
+-test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
++test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
+ 
+ testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1`
+-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5
++test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3
+ 
+ KRB5CCNAME="$PREFIX/tmpuserccache"
+ export KRB5CCNAME
+-- 
+2.24.1
+
+
+From 4e96a263c2c038bc4c835b78161623cc4d050c61 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Mon, 16 Sep 2019 15:17:08 +0300
+Subject: [PATCH 07/10] machine_account_secrets: do not generate single DES
+ keys
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source3/passdb/machine_account_secrets.c | 36 ------------------------
+ 1 file changed, 36 deletions(-)
+
+diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
+index dfc21f295a1..efba80f1474 100644
+--- a/source3/passdb/machine_account_secrets.c
++++ b/source3/passdb/machine_account_secrets.c
+@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
+ 	krb5_keyblock key;
+ 	DATA_BLOB aes_256_b = data_blob_null;
+ 	DATA_BLOB aes_128_b = data_blob_null;
+-	DATA_BLOB des_md5_b = data_blob_null;
+ 	bool ok;
+ #endif /* HAVE_ADS */
+ 	DATA_BLOB arc4_b = data_blob_null;
+@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
+ 		return ENOMEM;
+ 	}
+ 
+-	krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
+-						   NULL,
+-						   &salt,
+-						   &cleartext_utf8,
+-						   ENCTYPE_DES_CBC_MD5,
+-						   &key);
+-	if (krb5_ret != 0) {
+-		DBG_ERR("generation of a des-cbc-md5 key failed: %s\n",
+-			smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
+-		krb5_free_context(krb5_ctx);
+-		TALLOC_FREE(keys);
+-		TALLOC_FREE(salt_data);
+-		return krb5_ret;
+-	}
+-	des_md5_b = data_blob_talloc(keys,
+-				     KRB5_KEY_DATA(&key),
+-				     KRB5_KEY_LENGTH(&key));
+-	krb5_free_keyblock_contents(krb5_ctx, &key);
+-	if (des_md5_b.data == NULL) {
+-		DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n");
+-		krb5_free_context(krb5_ctx);
+-		TALLOC_FREE(keys);
+-		TALLOC_FREE(salt_data);
+-		return ENOMEM;
+-	}
+-
+ 	krb5_free_context(krb5_ctx);
+ no_kerberos:
+ 
+@@ -1227,15 +1200,6 @@ no_kerberos:
+ 	keys[idx].value			= arc4_b;
+ 	idx += 1;
+ 
+-#ifdef HAVE_ADS
+-	if (des_md5_b.length != 0) {
+-		keys[idx].keytype		= ENCTYPE_DES_CBC_MD5;
+-		keys[idx].iteration_count	= 4096;
+-		keys[idx].value			= des_md5_b;
+-		idx += 1;
+-	}
+-#endif /* HAVE_ADS */
+-
+ 	p->salt_data = salt_data;
+ 	p->default_iteration_count = 4096;
+ 	p->num_keys = idx;
+-- 
+2.24.1
+
+
+From 79fce8cfb906ca8b5bfa5f1954bf81ff950c3d23 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 12 Nov 2019 12:00:34 +0100
+Subject: [PATCH 08/10] selftest: mitm-s4u2self: use zlib for CRC32_checksum
+ calc
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/torture/krb5/kdc-canon-heimdal.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
+index ee3045181dc..7dec67bc49b 100644
+--- a/source4/torture/krb5/kdc-canon-heimdal.c
++++ b/source4/torture/krb5/kdc-canon-heimdal.c
+@@ -33,6 +33,7 @@
+ #include "auth/auth_sam_reply.h"
+ #include "auth/gensec/gensec.h"
+ #include "param/param.h"
++#include "zlib.h"
+ 
+ #define TEST_CANONICALIZE     0x0000001
+ #define TEST_ENTERPRISE       0x0000002
+@@ -214,6 +215,17 @@ static bool test_accept_ticket(struct torture_context *tctx,
+ 	return true;
+ }
+ 
++static void
++zCRC32_checksum(const void *data,
++		size_t len,
++		Checksum *C)
++{
++	uint32_t *crc = C->checksum.data;
++	*crc = ~(crc32(0xffffffff, data, len));
++	C->checksum.length = 4;
++	C->cksumtype = 1;
++}
++
+ krb5_error_code
+ _krb5_s4u2self_to_checksumdata(krb5_context context,
+ 			       const PA_S4U2Self *self,
+@@ -252,11 +264,7 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context,
+ 	torture_assert_int_equal(test_context->tctx,
+ 				 _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data),
+ 				 0, "_krb5_s4u2self_to_checksumdata() failed");
+-	torture_assert_int_equal(test_context->tctx,
+-				 krb5_create_checksum(k5_ctx, NULL, KRB5_KU_OTHER_CKSUM,
+-						      CKSUMTYPE_CRC32, cksum_data.data,
+-						      cksum_data.length, &mod_self.cksum),
+-				 0, "krb5_create_checksum() failed");
++	zCRC32_checksum(cksum_data.data, cksum_data.length, &mod_self.cksum);
+ 
+ 	ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length,
+ 			   &mod_self, &used, ret);
+@@ -270,7 +278,6 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context,
+ 
+ 	free_PA_S4U2Self(&self);
+ 	krb5_data_free(&cksum_data);
+-	free_Checksum(&mod_self.cksum);
+ 
+ 	return true;
+ }
+-- 
+2.24.1
+
+
+From 1a658936884a9a18616fcb1d13b8f9b6be587322 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 16 Nov 2019 22:46:19 +0100
+Subject: [PATCH 09/10] selftest: allow any kdc error in mitm-s4u2self test
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/torture/krb5/kdc-canon-heimdal.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
+index 7dec67bc49b..5315afa9252 100644
+--- a/source4/torture/krb5/kdc-canon-heimdal.c
++++ b/source4/torture/krb5/kdc-canon-heimdal.c
+@@ -737,13 +737,12 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex
+ 					 error.pvno, 5,
+ 					 "Got wrong error.pvno");
+ 		expected_error = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE;
+-		if (error.error_code != expected_error && test_context->test_data->mitm_s4u2self) {
+-			expected_error = KRB5KRB_AP_ERR_INAPP_CKSUM - KRB5KDC_ERR_NONE;
++		if (!test_context->test_data->mitm_s4u2self) {
++			torture_assert_int_equal(test_context->tctx,
++						 error.error_code,
++						 expected_error,
++						 "Got wrong error.error_code");
+ 		}
+-		torture_assert_int_equal(test_context->tctx,
+-					 error.error_code,
+-					 expected_error,
+-					 "Got wrong error.error_code");
+ 	} else {
+ 		torture_assert_int_equal(test_context->tctx,
+ 					 decode_TGS_REP(recv_buf->data, recv_buf->length,
+@@ -2090,8 +2089,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
+ 			|| test_data->upn == false)) {
+ 
+ 			if (test_data->mitm_s4u2self) {
+-				torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_INAPP_CKSUM,
+-							 assertion_message);
++				torture_assert_int_not_equal(tctx, k5ret, 0, assertion_message);
+ 				/* Done testing mitm-s4u2self */
+ 				return true;
+ 			}
+-- 
+2.24.1
+
+
+From 80ebb75804312a848df4cf5ab883291eaf816130 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 16 Nov 2019 23:03:34 +0100
+Subject: [PATCH 10/10] heimdal: do not compile weak crypto
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ selftest/target/Samba.pm      | 1 -
+ source4/heimdal_build/roken.h | 3 ---
+ 2 files changed, 4 deletions(-)
+
+diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
+index c30f6fe33ce..3f5ac64c8c2 100644
+--- a/selftest/target/Samba.pm
++++ b/selftest/target/Samba.pm
+@@ -261,7 +261,6 @@ sub mk_krb5_conf($$)
+  dns_lookup_kdc = true
+  ticket_lifetime = 24h
+  forwardable = yes
+- allow_weak_crypto = yes
+ 
+  # We are running on the same machine, do not correct
+  # system clock differences
+diff --git a/source4/heimdal_build/roken.h b/source4/heimdal_build/roken.h
+index 9752c04a741..559021c0a0e 100644
+--- a/source4/heimdal_build/roken.h
++++ b/source4/heimdal_build/roken.h
+@@ -6,9 +6,6 @@
+ 
+ #include "config.h"
+ 
+-/* Support 'weak' keys for now, it can't be worse than NTLM and we don't want to hard-code the behaviour at this point */
+-#define HEIM_WEAK_CRYPTO 1
+-
+ /* path to sysconf - should we force this to samba LIBDIR ? */
+ #define SYSCONFDIR "/etc"
+ 
+-- 
+2.24.1
+
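Review bot: In the `db-glue.c` hunk of patch 04/10 the comment `If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types` no longer describes the code beneath it: with `supported_enctypes = 0;` such an account is left with no enctype at all, so it presumably cannot obtain Kerberos tickets until the flag is cleared. Failing closed is the right outcome, but it should be stated, for example `/* UF_USE_DES_KEY_ONLY: single DES is gone, so the account gets no usable enctypes */`. Whether later code in `samba_kdc_message2entry_keys` adds enctypes back cannot be seen here, because the function continues outside the hunk. A release-note line telling administrators to check for accounts carrying this flag before upgrading would also help.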
diff --git a/SOURCES/samba-4.10-fix-netbios-join.patch b/SOURCES/samba-4.10-fix-netbios-join.patch
new file mode 100644
index 0000000..9dd2eec
--- /dev/null
+++ b/SOURCES/samba-4.10-fix-netbios-join.patch
@@ -0,0 +1,723 @@
+From 05f7e9a72a1769af9d41b1ca40fe6a14b3f069d1 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 30 Aug 2019 00:22:15 +0300
+Subject: [PATCH 1/6] libnet_join: build dnsHostName from netbios name and
+ lp_dnsdomain()
+
+This make the join process much more reliable, and avoids "Constraint
+violation" error when the fqdn returned from getaddrinfo has already
+got assigned an SPN.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c       | 31 +++++++++++-------------------
+ testprogs/blackbox/test_net_ads.sh |  7 +++++--
+ 2 files changed, 16 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 7943bef2cf6..818b3039cb9 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -533,29 +533,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		}
+ 	}
+ 
+-	if (!name_to_fqdn(my_fqdn, r->in.machine_name)
+-	    || (strchr(my_fqdn, '.') == NULL)) {
+-		fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
+-			     r->out.dns_domain_name);
+-	}
++	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+ 
+ 	if (!strlower_m(my_fqdn)) {
+ 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 	}
+ 
+-	if (!strequal(my_fqdn, r->in.machine_name)) {
+-		spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
+-		if (!spn) {
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-		}
++	spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++	if (spn == NULL) {
++		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++	}
+ 
+-		ok = ads_element_in_array(spn_array, num_spns, spn);
++	ok = ads_element_in_array(spn_array, num_spns, spn);
++	if (!ok) {
++		ok = add_string_to_array(spn_array, spn,
++					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			ok = add_string_to_array(spn_array, spn,
+-						 &spn_array, &num_spns);
+-			if (!ok) {
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 		}
+ 	}
+ 
+@@ -591,12 +585,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 			/*
+ 			 * Add HOST/netbiosname.domainname
+ 			 */
+-			if (r->out.dns_domain_name == NULL) {
+-				continue;
+-			}
+ 			fstr_sprintf(my_fqdn, "%s.%s",
+ 				     *netbios_aliases,
+-				     r->out.dns_domain_name);
++				     lp_dnsdomain());
+ 
+ 			spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
+ 			if (spn == NULL) {
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index cc8345c4624..ef6f99ddea4 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -81,7 +81,7 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai
+ netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+ uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]')
+ lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]')
+-fqdns="$netbios.$lc_realm"
++fqdn="$netbios.$lc_realm"
+ 
+ krb_princ="primary/instance@$REALM"
+ testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+@@ -99,7 +99,7 @@ testit "test (dedicated keytab) at least one krb5 principal created from $machin
+ service="nfs"
+ testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+ 
+-search_str="$service/$fqdns@$REALM"
++search_str="$service/$fqdn@$REALM"
+ found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+ testit "test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
+ 
+@@ -206,6 +206,9 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed
+ 
+ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+ 
++testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
++testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++
+ ##Goodbye...
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
+-- 
+2.21.0
+
+
+From 4cbad1eb46896bbd74c5b19dbb0a8937ffde90c2 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 18 Sep 2019 20:00:34 +0300
+Subject: [PATCH 2/6] libnet_join_set_machine_spn: improve style and make a bit
+ room for indentation
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 95 ++++++++++++++++++------------------
+ 1 file changed, 47 insertions(+), 48 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 818b3039cb9..67ab50c68a8 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -517,7 +517,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 	/* Windows only creates HOST/shortname & HOST/fqdn. */
+ 
+ 	spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
+-	if (!spn) {
++	if (spn == NULL) {
+ 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 	}
+ 	if (!strupper_m(spn)) {
+@@ -553,60 +553,59 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		}
+ 	}
+ 
+-	netbios_aliases = lp_netbios_aliases();
+-	if (netbios_aliases != NULL) {
+-		for (; *netbios_aliases != NULL; netbios_aliases++) {
+-			/*
+-			 * Add HOST/NETBIOSNAME
+-			 */
+-			spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
+-			if (spn == NULL) {
+-				TALLOC_FREE(spn);
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
+-			if (!strupper_m(spn)) {
+-				TALLOC_FREE(spn);
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++	for (netbios_aliases = lp_netbios_aliases();
++	     netbios_aliases != NULL && *netbios_aliases != NULL;
++	     netbios_aliases++) {
++		/*
++		 * Add HOST/NETBIOSNAME
++		 */
++		spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
++		if (spn == NULL) {
++			TALLOC_FREE(spn);
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
++		if (!strupper_m(spn)) {
++			TALLOC_FREE(spn);
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
+ 
+-			ok = ads_element_in_array(spn_array, num_spns, spn);
+-			if (ok) {
+-				TALLOC_FREE(spn);
+-				continue;
+-			}
+-			ok = add_string_to_array(spn_array, spn,
+-						 &spn_array, &num_spns);
+-			if (!ok) {
+-				TALLOC_FREE(spn);
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++		ok = ads_element_in_array(spn_array, num_spns, spn);
++		if (ok) {
++			TALLOC_FREE(spn);
++			continue;
++		}
++		ok = add_string_to_array(spn_array, spn,
++					 &spn_array, &num_spns);
++		if (!ok) {
+ 			TALLOC_FREE(spn);
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
++		TALLOC_FREE(spn);
+ 
+-			/*
+-			 * Add HOST/netbiosname.domainname
+-			 */
+-			fstr_sprintf(my_fqdn, "%s.%s",
+-				     *netbios_aliases,
+-				     lp_dnsdomain());
++		/*
++		 * Add HOST/netbiosname.domainname
++		 */
++		fstr_sprintf(my_fqdn, "%s.%s",
++			     *netbios_aliases,
++			     lp_dnsdomain());
+ 
+-			spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
+-			if (spn == NULL) {
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++		spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++		if (spn == NULL) {
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
+ 
+-			ok = ads_element_in_array(spn_array, num_spns, spn);
+-			if (ok) {
+-				TALLOC_FREE(spn);
+-				continue;
+-			}
+-			ok = add_string_to_array(spn_array, spn,
+-						 &spn_array, &num_spns);
+-			if (!ok) {
+-				TALLOC_FREE(spn);
+-				return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			}
++		ok = ads_element_in_array(spn_array, num_spns, spn);
++		if (ok) {
++			TALLOC_FREE(spn);
++			continue;
++		}
++		ok = add_string_to_array(spn_array, spn,
++					 &spn_array, &num_spns);
++		if (!ok) {
+ 			TALLOC_FREE(spn);
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ 		}
++		TALLOC_FREE(spn);
+ 	}
+ 
+ 	/* make sure to NULL terminate the array */
+-- 
+2.21.0
+
+
+From b8e1264ececf38681ca9a519a51e8336044673f0 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 18 Sep 2019 21:29:47 +0300
+Subject: [PATCH 3/6] libnet_join_set_machine_spn: simplify memory handling
+
+and avoid a possible memory leak when passing null to
+add_string_to_array() as mem_ctx.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 74 ++++++++++++++++++++----------------
+ 1 file changed, 42 insertions(+), 32 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 67ab50c68a8..43035370526 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -490,6 +490,7 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
+ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 					      struct libnet_JoinCtx *r)
+ {
++	TALLOC_CTX *frame = talloc_stackframe();
+ 	ADS_STATUS status;
+ 	ADS_MODLIST mods;
+ 	fstring my_fqdn;
+@@ -506,7 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		return status;
+ 	}
+ 
+-	status = libnet_join_get_machine_spns(mem_ctx,
++	status = libnet_join_get_machine_spns(frame,
+ 					      r,
+ 					      discard_const_p(char **, &spn_array),
+ 					      &num_spns);
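Review bot: The `return status;` kept as context at the top of this hunk now runs after `talloc_stackframe()` was called in the declaration added by the previous hunk, so that early exit leaves the stack frame unfreed while the other error paths were converted to `goto done`. It should become `goto done;`, or `TALLOC_FREE(frame); return status;` if the label is not wanted there. The `if` guarding this return starts above the hunk, so this assumes it belongs to libnet_join_set_machine_spn, as the hunk header indicates.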
+@@ -516,40 +517,46 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 
+ 	/* Windows only creates HOST/shortname & HOST/fqdn. */
+ 
+-	spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
++	spn = talloc_asprintf(frame, "HOST/%s", r->in.machine_name);
+ 	if (spn == NULL) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 	if (!strupper_m(spn)) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+ 	ok = ads_element_in_array(spn_array, num_spns, spn);
+ 	if (!ok) {
+-		ok = add_string_to_array(spn_array, spn,
++		ok = add_string_to_array(frame, spn,
+ 					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 	}
+ 
+ 	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+ 
+ 	if (!strlower_m(my_fqdn)) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+-	spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++	spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
+ 	if (spn == NULL) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+ 	ok = ads_element_in_array(spn_array, num_spns, spn);
+ 	if (!ok) {
+-		ok = add_string_to_array(spn_array, spn,
++		ok = add_string_to_array(frame, spn,
+ 					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 	}
+ 
+@@ -559,28 +566,26 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		/*
+ 		 * Add HOST/NETBIOSNAME
+ 		 */
+-		spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
++		spn = talloc_asprintf(frame, "HOST/%s", *netbios_aliases);
+ 		if (spn == NULL) {
+-			TALLOC_FREE(spn);
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 		if (!strupper_m(spn)) {
+-			TALLOC_FREE(spn);
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 
+ 		ok = ads_element_in_array(spn_array, num_spns, spn);
+ 		if (ok) {
+-			TALLOC_FREE(spn);
+ 			continue;
+ 		}
+ 		ok = add_string_to_array(spn_array, spn,
+ 					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			TALLOC_FREE(spn);
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+-		TALLOC_FREE(spn);
+ 
+ 		/*
+ 		 * Add HOST/netbiosname.domainname
+@@ -589,51 +594,56 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 			     *netbios_aliases,
+ 			     lp_dnsdomain());
+ 
+-		spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
++		spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
+ 		if (spn == NULL) {
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+ 
+ 		ok = ads_element_in_array(spn_array, num_spns, spn);
+ 		if (ok) {
+-			TALLOC_FREE(spn);
+ 			continue;
+ 		}
+ 		ok = add_string_to_array(spn_array, spn,
+ 					 &spn_array, &num_spns);
+ 		if (!ok) {
+-			TALLOC_FREE(spn);
+-			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
+ 		}
+-		TALLOC_FREE(spn);
+ 	}
+ 
+ 	/* make sure to NULL terminate the array */
+-	spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
++	spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1);
+ 	if (spn_array == NULL) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 	spn_array[num_spns] = NULL;
+ 
+ 	mods = ads_init_mods(mem_ctx);
+ 	if (!mods) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+ 	/* fields of primary importance */
+ 
+ 	status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
+ 	if (!ADS_ERR_OK(status)) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+ 	status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
+ 				 spn_array);
+ 	if (!ADS_ERR_OK(status)) {
+-		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		goto done;
+ 	}
+ 
+-	return ads_gen_mod(r->in.ads, r->out.dn, mods);
++	status = ads_gen_mod(r->in.ads, r->out.dn, mods);
++
++done:
++	TALLOC_FREE(frame);
++	return status;
+ }
+ 
+ /****************************************************************
+-- 
+2.21.0
+
+
+From 3e65f72b141a7ee256ae581e5f48f1d930aed76a Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Wed, 18 Sep 2019 23:15:57 +0300
+Subject: [PATCH 4/6] libnet_join_set_machine_spn: simplify adding uniq spn to
+ array
+
+and do not skip adding a fully qualified spn to netbios-aliases
+in case a short spn already existed.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/libnet/libnet_join.c | 56 +++++++++++++++---------------------
+ 1 file changed, 23 insertions(+), 33 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 43035370526..a1d8a25bbc2 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -483,6 +483,19 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
+ 	return status;
+ }
+ 
++static ADS_STATUS add_uniq_spn(TALLOC_CTX *mem_ctx, const  char *spn,
++			       const char ***array, size_t *num)
++{
++	bool ok = ads_element_in_array(*array, *num, spn);
++	if (!ok) {
++		ok = add_string_to_array(mem_ctx, spn, array, num);
++		if (!ok) {
++			return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		}
++	}
++	return ADS_SUCCESS;
++}
++
+ /****************************************************************
+  Set a machines dNSHostName and servicePrincipalName attributes
+ ****************************************************************/
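Review bot: `add_uniq_spn` is added without a header comment, although the function right below it carries a banner, and its signature has a doubled space in `const  char *spn`. A banner in the file's style would do, saying that the SPN is appended only when it is not already in the array and that `*array` and `*num` are updated in place. The body would also read more directly with an early return, `if (ads_element_in_array(*array, *num, spn)) { return ADS_SUCCESS; }`, instead of reusing `ok` for two different results.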
+@@ -497,7 +510,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 	const char **spn_array = NULL;
+ 	size_t num_spns = 0;
+ 	char *spn = NULL;
+-	bool ok;
+ 	const char **netbios_aliases = NULL;
+ 
+ 	/* Find our DN */
+@@ -527,14 +539,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		goto done;
+ 	}
+ 
+-	ok = ads_element_in_array(spn_array, num_spns, spn);
+-	if (!ok) {
+-		ok = add_string_to_array(frame, spn,
+-					 &spn_array, &num_spns);
+-		if (!ok) {
+-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			goto done;
+-		}
++	status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++	if (!ADS_ERR_OK(status)) {
++		goto done;
+ 	}
+ 
+ 	fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+@@ -550,14 +557,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		goto done;
+ 	}
+ 
+-	ok = ads_element_in_array(spn_array, num_spns, spn);
+-	if (!ok) {
+-		ok = add_string_to_array(frame, spn,
+-					 &spn_array, &num_spns);
+-		if (!ok) {
+-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+-			goto done;
+-		}
++	status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++	if (!ADS_ERR_OK(status)) {
++		goto done;
+ 	}
+ 
+ 	for (netbios_aliases = lp_netbios_aliases();
+@@ -576,14 +578,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 			goto done;
+ 		}
+ 
+-		ok = ads_element_in_array(spn_array, num_spns, spn);
+-		if (ok) {
+-			continue;
+-		}
+-		ok = add_string_to_array(spn_array, spn,
+-					 &spn_array, &num_spns);
+-		if (!ok) {
+-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++		if (!ADS_ERR_OK(status)) {
+ 			goto done;
+ 		}
+ 
+@@ -600,14 +596,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 			goto done;
+ 		}
+ 
+-		ok = ads_element_in_array(spn_array, num_spns, spn);
+-		if (ok) {
+-			continue;
+-		}
+-		ok = add_string_to_array(spn_array, spn,
+-					 &spn_array, &num_spns);
+-		if (!ok) {
+-			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++		if (!ADS_ERR_OK(status)) {
+ 			goto done;
+ 		}
+ 	}
+-- 
+2.21.0
+
+
+From db7560ff0fb861552406bb4c422cff55c82f58bf Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 17 Sep 2019 21:38:07 +0300
+Subject: [PATCH 5/6] docs-xml: add "additional dns hostnames" smb.conf option
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ docs-xml/smbdotconf/base/additionaldnshostnames.xml | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/base/additionaldnshostnames.xml
+
+diff --git a/docs-xml/smbdotconf/base/additionaldnshostnames.xml b/docs-xml/smbdotconf/base/additionaldnshostnames.xml
+new file mode 100644
+index 00000000000..ddc04ee9f81
+--- /dev/null
++++ b/docs-xml/smbdotconf/base/additionaldnshostnames.xml
+@@ -0,0 +1,11 @@
++<samba:parameter name="additional dns hostnames"
++                 context="G"
++                 type="cmdlist"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++ <description>
++        <para> A list of additional DNS names by which this host can be identified
++        </para>
++</description>
++<value type="default"><comment>empty string (no additional dns names)</comment></value>
++<value type="example"> host2.example.com host3.other.com </value>
++</samba:parameter>
+-- 
+2.21.0
+
+
+From 2669cecc51f8f7d6675b4dac9b345b3c5a7fc879 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Fri, 13 Sep 2019 10:56:10 +0300
+Subject: [PATCH 6/6] libnet_join: add SPNs for additional-dns-hostnames
+ entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+and set msDS-AdditionalDnsHostName to the specified list.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116
+
+Signed-off-by: Isaac Boukris <iboukris@redhat.com>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184
+---
+ source3/libnet/libnet_join.c       | 27 +++++++++++++++++++++++++++
+ testprogs/blackbox/test_net_ads.sh | 10 +++++++++-
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index a1d8a25bbc2..eb8e0ea17f7 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -511,6 +511,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 	size_t num_spns = 0;
+ 	char *spn = NULL;
+ 	const char **netbios_aliases = NULL;
++	const char **addl_hostnames = NULL;
+ 
+ 	/* Find our DN */
+ 
+@@ -602,6 +603,22 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		}
+ 	}
+ 
++	for (addl_hostnames = lp_additional_dns_hostnames();
++	     addl_hostnames != NULL && *addl_hostnames != NULL;
++	     addl_hostnames++) {
++
++		spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames);
++		if (spn == NULL) {
++			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++			goto done;
++		}
++
++		status = add_uniq_spn(frame, spn, &spn_array, &num_spns);
++		if (!ADS_ERR_OK(status)) {
++			goto done;
++		}
++	}
++
+ 	/* make sure to NULL terminate the array */
+ 	spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1);
+ 	if (spn_array == NULL) {
+@@ -629,6 +646,16 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ 		goto done;
+ 	}
+ 
++	addl_hostnames = lp_additional_dns_hostnames();
++	if (addl_hostnames != NULL && *addl_hostnames != NULL) {
++		status = ads_mod_strlist(mem_ctx, &mods,
++					 "msDS-AdditionalDnsHostName",
++					 addl_hostnames);
++		if (!ADS_ERR_OK(status)) {
++			goto done;
++		}
++	}
++
+ 	status = ads_gen_mod(r->in.ads, r->out.dn, mods);
+ 
+ done:
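Review bot: `msDS-AdditionalDnsHostName` is only written when `lp_additional_dns_hostnames()` returns a non-empty list, so removing the option and joining again would leave the previous names on the machine account, assuming the account object is reused. The SPN array appears to be seeded from the SPNs already on the account via `libnet_join_get_machine_spns()`, so the matching `HOST/` entries would persist as well. Consider clearing the attribute in the empty case, or state the behaviour in a comment such as `/* an empty list leaves any existing msDS-AdditionalDnsHostName untouched */`. The function body starts outside the hunk.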
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index ef6f99ddea4..8bcff006b8e 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -202,13 +202,21 @@ base_dn="DC=addom,DC=samba,DC=example,DC=com"
+ computers_dn="CN=Computers,$base_dn"
+ testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1`
+ 
+-testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++dns_alias1="${netbios}_alias1.other.${lc_realm}"
++dns_alias2="${netbios}_alias2.other2.${lc_realm}"
++testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
+ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+ 
+ testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
+ testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+ 
++testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++
++testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
++testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
++
+ ##Goodbye...
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
+-- 
+2.21.0
+
diff --git a/SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch b/SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch
new file mode 100644
index 0000000..b8afd92
--- /dev/null
+++ b/SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch
@@ -0,0 +1,172 @@
+From f38cf794fe16e5b160db1a3f4f17d5e5c7601d5c Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 17 Oct 2019 11:39:02 -0700
+Subject: [PATCH 1/2] s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return
+ an inode number.
+
+The info level it uses doesn't return that, previously we
+were using the field that is returned as the EA size as
+the inode number (which is usually zero, so the code in
+libsmbclient would then synthesize an inode number from
+a hash of the pathname, which is all it can do for SMB1).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14161
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit d495074ee27a5f528d5156a69800ee58d799b1eb)
+---
+ source3/libsmb/clirap.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
+index e80dfc92a77..b4b40ebdab4 100644
+--- a/source3/libsmb/clirap.c
++++ b/source3/libsmb/clirap.c
+@@ -855,7 +855,15 @@ NTSTATUS cli_qpathinfo2_recv(struct tevent_req *req,
+                 *size = IVAL2_TO_SMB_BIG_UINT(state->data,48);
+ 	}
+ 	if (ino) {
+-		*ino = IVAL(state->data, 64);
++		/*
++		 * SMB1 qpathinfo2 uses SMB_QUERY_FILE_ALL_INFO
++		 * which doesn't return an inode number (fileid).
++		 * We can't change this to one of the FILE_ID
++		 * info levels as only Win2003 and above support
++		 * these [MS-SMB: 2.2.2.3.1] and the SMB1 code
++		 * needs to support older servers.
++		 */
++		*ino = 0;
+ 	}
+ 	return NT_STATUS_OK;
+ }
+-- 
+2.23.0.866.gb869b98d4c-goog
+
+
+From 9c1abe9348c83a2ecd63563f2b47ddf22fd814be Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 17 Oct 2019 12:41:08 -0700
+Subject: [PATCH 2/2] s3: torture: Ensure SMB1 cli_qpathinfo2() doesn't return
+ an inode number.
+
+Piggyback on existing tests, ensure we don't regress on:
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14161
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 8e55a8562951924e4b1aad5a6d67fc8b309590c1)
+---
+ source3/torture/torture.c | 49 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 47 insertions(+), 2 deletions(-)
+
+diff --git a/source3/torture/torture.c b/source3/torture/torture.c
+index 66dc0cf4d1c..a795e61125f 100644
+--- a/source3/torture/torture.c
++++ b/source3/torture/torture.c
+@@ -4211,6 +4211,7 @@ static bool run_trans2test(int dummy)
+ 	bool correct = True;
+ 	NTSTATUS status;
+ 	uint32_t fs_attr;
++	uint64_t ino;
+ 
+ 	printf("starting trans2 test\n");
+ 
+@@ -4218,6 +4219,14 @@ static bool run_trans2test(int dummy)
+ 		return False;
+ 	}
+ 
++	if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
++		/* Ensure ino is zero, SMB2 gets a real one. */
++		ino = 0;
++	} else {
++		/* Ensure ino is -1, SMB1 never gets a real one. */
++		ino = (uint64_t)-1;
++	}
++
+ 	status = cli_get_fs_attr_info(cli, &fs_attr);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		printf("ERROR: cli_get_fs_attr_info returned %s\n",
+@@ -4289,7 +4298,7 @@ static bool run_trans2test(int dummy)
+ 			O_RDWR | O_CREAT | O_TRUNC, DENY_NONE, &fnum);
+ 	cli_close(cli, fnum);
+ 	status = cli_qpathinfo2(cli, fname, &c_time_ts, &a_time_ts, &w_time_ts,
+-				&m_time_ts, &size, NULL, NULL);
++				&m_time_ts, &size, NULL, &ino);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		printf("ERROR: qpathinfo2 failed (%s)\n", nt_errstr(status));
+ 		correct = False;
+@@ -4299,6 +4308,19 @@ static bool run_trans2test(int dummy)
+ 			printf("This system appears to set a initial 0 write time\n");
+ 			correct = False;
+ 		}
++		if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
++			/* SMB2 should always return an inode. */
++			if (ino == 0) {
++				printf("SMB2 bad inode (0)\n");
++				correct = false;
++			}
++		} else {
++			/* SMB1 must always return zero here. */
++			if (ino != 0) {
++				printf("SMB1 bad inode (!0)\n");
++				correct = false;
++			}
++		}
+ 	}
+ 
+ 	cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
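Review bot: The added inode checks write `correct = false;` while the surrounding lines of run_trans2test use `correct = False;`, so the function now mixes two spellings; `correct = False;` would match the rest. The same protocol test and expected-value check is repeated in run_dir_createtime later in this patch and could move into a small static helper taking `cli` and `ino`. run_trans2test starts and ends outside the hunk.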
+@@ -11593,11 +11615,20 @@ static bool run_dir_createtime(int dummy)
+ 	struct timespec create_time1;
+ 	uint16_t fnum;
+ 	bool ret = false;
++	uint64_t ino;
+ 
+ 	if (!torture_open_connection(&cli, 0)) {
+ 		return false;
+ 	}
+ 
++	if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
++		/* Ensure ino is zero, SMB2 gets a real one. */
++		ino = 0;
++	} else {
++		/* Ensure ino is -1, SMB1 never gets a real one. */
++		ino = (uint64_t)-1;
++	}
++
+ 	cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
+ 	cli_rmdir(cli, dname);
+ 
+@@ -11608,13 +11639,27 @@ static bool run_dir_createtime(int dummy)
+ 	}
+ 
+ 	status = cli_qpathinfo2(cli, dname, &create_time, NULL, NULL, NULL,
+-				NULL, NULL, NULL);
++				NULL, NULL, &ino);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		printf("cli_qpathinfo2 returned %s\n",
+ 		       nt_errstr(status));
+ 		goto out;
+ 	}
+ 
++	if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
++		/* SMB2 should always return an inode. */
++		if (ino == 0) {
++			printf("SMB2 bad inode (0)\n");
++			goto out;
++		}
++	} else {
++		/* SMB1 must always return zero here. */
++		if (ino != 0) {
++			printf("SMB1 bad inode (!0)\n");
++			goto out;
++		}
++	}
++
+ 	/* Sleep 3 seconds, then create a file. */
+ 	sleep(3);
+ 
+-- 
+2.23.0.866.gb869b98d4c-goog
+
diff --git a/SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch b/SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch
new file mode 100644
index 0000000..d079d31
--- /dev/null
+++ b/SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch
@@ -0,0 +1,33 @@
+From 7de67a994e84c2fadccb48c2448f2cba529a57fd Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 31 Jul 2019 10:42:24 +0200
+Subject: [PATCH] smbd: Fix the build with clang
+
+clang correctly complains that "close_fsp" is used uninitialized if
+"get_posix_fsp" fails and we end up in "goto out;".
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14251
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit a8a1ca3f83dce6d725392989cbc97271cbf52f4a)
+---
+ source3/smbd/trans2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index b0616f15ade..8164c8fd213 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -4848,7 +4848,7 @@ static NTSTATUS smb_query_posix_acl(connection_struct *conn,
+ 	unsigned int size_needed = 0;
+ 	NTSTATUS status;
+ 	bool ok;
+-	bool close_fsp;
++	bool close_fsp = false;
+ 
+ 	/*
+ 	 * Ensure we always operate on a file descriptor, not just
+-- 
+2.24.1
+
diff --git a/SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch b/SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch
new file mode 100644
index 0000000..ff175fe
--- /dev/null
+++ b/SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch
@@ -0,0 +1,48 @@
+From c50d91d16292a13d29b1125c0aa85c7a7963de5f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 27 Jan 2020 14:58:10 +0100
+Subject: [PATCH] lib:util: Log mkdir error on correct debug levels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For smbd we want an error and for smbclient we only want it in NOTICE
+debug level.
+The default log level of smbclient is log level 1 so we need notice to
+not spam the user.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14253
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Mon Jan 27 15:55:24 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 0ad6a243b259d284064c0c5abcc7d430d55be7e1)
+---
+ lib/util/util.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/util/util.c b/lib/util/util.c
+index 3bdeded5c1b..0d9ffe5cb7b 100644
+--- a/lib/util/util.c
++++ b/lib/util/util.c
+@@ -353,9 +353,12 @@ _PUBLIC_ bool directory_create_or_exist(const char *dname,
+ 	old_umask = umask(0);
+ 	ret = mkdir(dname, dir_perms);
+ 	if (ret == -1 && errno != EEXIST) {
+-		DBG_WARNING("mkdir failed on directory %s: %s\n",
++		int dbg_level = geteuid() == 0 ? DBGLVL_ERR : DBGLVL_NOTICE;
++
++		DBG_PREFIX(dbg_level,
++			   ("mkdir failed on directory %s: %s\n",
+ 			    dname,
+-			    strerror(errno));
++			    strerror(errno)));
+ 		umask(old_umask);
+ 		return false;
+ 	}
+-- 
+2.25.0
+
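Review bot: In `directory_create_or_exist()` the added `geteuid() == 0` test picks the log level by privilege rather than by program, so every unprivileged caller of this public helper now reports a failed mkdir only at NOTICE. The commit message gives smbclient's default log level as 1, so such failures are presumably no longer shown there. A comment should state that this is intended, e.g. `/* root (smbd) logs at ERR; unprivileged callers (smbclient) at NOTICE */`. The message is also built from `errno` after the new `geteuid()` call and inside the debug macro. Capturing it first with `int saved_errno = errno;` and passing `strerror(saved_errno)` would keep the reported cause tied to the mkdir() failure whatever the intervening calls do. The function starts and ends outside the hunk.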
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index ad1bc72..51f3b9c 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 7
+%define main_release 13
 
 %define samba_version 4.11.2
 %define talloc_version 2.2.0
@@ -325,8 +325,15 @@ Patch0205:      0205-param-Do-not-use-weak-crypto-for-kerberos-if-disallo.patch
 Patch0206:      0206-param-Do-not-use-weak-crypto-in-ldap-server-if-disal.patch
 Patch0207:      0207-libcli-auth-If-weak-crypto-is-disallowed-reject-md5-.patch
 Patch0208:      0208-s3-librpc-Only-use-RC4-if-our-systems-supports-it.patch
+Patch0209:      0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
 
 Patch1000:      samba-4.11.3-only_link_libnsl_libsocket_if_needed.patch
+Patch1001:      CVE-2019-14907-4.11.patch
+Patch1002:      krb5_no_des_411.patch
+Patch1003:      samba-4.11.7-fix_smbclient_debug_spam.patch
+Patch1004:      samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch
+Patch1005:      samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch
+Patch1006:      samba-4.10-fix-netbios-join.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -422,9 +429,6 @@ BuildRequires: libcephfs-devel
 # Add python3-iso8601 to avoid that the
 # version in Samba is being packaged
 BuildRequires: python3-iso8601
-BuildRequires: python3-subunit-test
-# Required by samba-tool to run tests
-BuildRequires: python3-crypto
 
 BuildRequires: bind
 BuildRequires: krb5-server >= %{required_mit_krb5}
@@ -1272,7 +1276,7 @@ popd
 
 %if %{with testsuite}
 %check
-TDB_NO_FSYNC=1 make %{?_smp_mflags} test
+TDB_NO_FSYNC=1 make %{?_smp_mflags} test FAIL_IMMEDIATELY=1
 #endif with testsuite
 %endif
 
@@ -1358,10 +1362,12 @@ fi
 %{?ldconfig}
 
 %preun -n libwbclient
-%{_sbindir}/update-alternatives \
-        --remove \
-        libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
-        %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version}
+if [ $1 -eq 0 ]; then
+    %{_sbindir}/update-alternatives \
+            --remove \
+            libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
+            %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version}
+fi
 /sbin/ldconfig
 
 %posttrans -n libwbclient-devel
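Review bot: The `if [ $1 -eq 0 ]; then` guard added to `%preun -n libwbclient` has no comment saying what the argument means. In a %preun scriptlet rpm passes 0 in `$1` on final removal and a higher count on upgrade. A line such as `# $1 == 0: package is being erased, not upgraded` above the test would make the intent readable. The same guard is added in the hunk at `@@ -1377,10 +1383,16 @@`, whose scriptlet header lies outside that hunk, and it would benefit from the same comment.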
@@ -1377,10 +1383,16 @@ fi
 # When downgrading to a version where alternatives is not used and
 # libwbclient.so is a link and not a file it will be removed. The following
 # check removes the alternatives files manually if that is the case.
-if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
-    /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
-else
-    %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so
+if [ $1 -eq 0 ]; then
+    if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
+        /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} \
+            /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
+    else
+        %{_sbindir}/update-alternatives \
+            --remove \
+            libwbclient.so%{libwbc_alternatives_suffix} \
+            %{_libdir}/samba/wbclient/libwbclient.so
+    fi
 fi
 
 #endif with_libwbclient
@@ -3713,6 +3725,28 @@ fi
 %endif
 
 %changelog
+* Thu Feb 13 2020 Isaac Boukris <iboukris@redhat.com> - 4.11.2-13
+- resolves: #1802182 - Fix join using netbios name
+
+* Wed Jan 29 2020 Andreas Schneider <asn@redhat.com> - 4.11.2-12
+- related: #1781232 - Improve debug output of smbclient
+- resolves: #1794461 - Do not return bogus inode numbers in
+                       cli_qpathinfo2()/cli_qpathinfo3() for SMB1
+- resolves: #1794442 - Fix segfault in smbd_do_qfilepathinfo()
+
+* Thu Jan 23 2020 Isaac Boukris <iboukris@redhat.com> - 4.11.2-11
+- resolves: #1778130 - Remove usage of DES encryption types in krb5
+
+* Fri Jan 17 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.2-10
+- resolves: #1790353 - Fix access check in DsRGetForestTrustInformation
+- resolves: #1791209 - Fix CVE-2019-14907
+
+* Fri Jan 10 2020 Andreas Schneider <asn@redhat.com> - 4.11.2-9
+- resolves: #1785134 - Fix libwbclient manual alternative settings
+
+* Fri Jan 10 2020 Andreas Schneider <asn@redhat.com> - 4.11.2-8
+- resolves: #1781232 - Fix smbclient debug message
+
 * Thu Dec 12 2019 Andreas Schneider <asn@redhat.com> - 4.11.2-7
 - related: #1637861 - Fix trust creation if weak crypto is disallowed