diff --git a/SOURCES/samba-4.10-redhat.patch b/SOURCES/samba-4.10-redhat.patch
index a248091..e7a075d 100644
--- a/SOURCES/samba-4.10-redhat.patch
+++ b/SOURCES/samba-4.10-redhat.patch
@@ -1,7 +1,7 @@
 From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <ab@samba.org>
 Date: Tue, 7 Jan 2020 19:25:53 +0200
-Subject: [PATCH 01/88] s3-rpcserver: fix security level check for
+Subject: [PATCH 01/97] s3-rpcserver: fix security level check for
  DsRGetForestTrustInformation
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -80,13 +80,13 @@ index d799ba4feef..87613b99fde 100644
  	}
  
 -- 
-2.33.1
+2.34.1
 
 
 From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 16:50:45 +0200
-Subject: [PATCH 02/88] Add a test to check dNSHostName with netbios aliases
+Subject: [PATCH 02/97] Add a test to check dNSHostName with netbios aliases
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
 
@@ -132,13 +132,13 @@ index 95c0cf76f90..6073ea972f9 100755
  # Test createcomputer option of 'net ads join'
  #
 -- 
-2.33.1
+2.34.1
 
 
 From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 15:52:46 +0200
-Subject: [PATCH 03/88] Fix accidental overwrite of dnsHostName by the last
+Subject: [PATCH 03/97] Fix accidental overwrite of dnsHostName by the last
  netbios alias
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -186,13 +186,13 @@ index 9d4f656ffec..a31011b0ff8 100644
  			status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
  			goto done;
 -- 
-2.33.1
+2.34.1
 
 
 From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Thu, 24 Oct 2019 19:04:51 +0300
-Subject: [PATCH 04/88] Refactor ads_keytab_add_entry() to make it iterable
+Subject: [PATCH 04/97] Refactor ads_keytab_add_entry() to make it iterable
 
 so we can more easily add msDS-AdditionalDnsHostName entries.
 
@@ -453,13 +453,13 @@ index 97d5535041c..0f450a09df5 100644
  out:
  	SAFE_FREE(salt_princ_s);
 -- 
-2.33.1
+2.34.1
 
 
 From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 17:55:12 +0200
-Subject: [PATCH 05/88] Add a test for msDS-AdditionalDnsHostName entries in
+Subject: [PATCH 05/97] Add a test for msDS-AdditionalDnsHostName entries in
  keytab
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -501,13 +501,13 @@ index 6073ea972f9..a40b477a173 100755
  testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
  
 -- 
-2.33.1
+2.34.1
 
 
 From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 15:36:28 +0200
-Subject: [PATCH 06/88] Add msDS-AdditionalDnsHostName entries to the keytab
+Subject: [PATCH 06/97] Add msDS-AdditionalDnsHostName entries to the keytab
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
 
@@ -648,13 +648,13 @@ index db2b72ab1b5..02a628ee0e6 100644
  {
  	LDAPMessage *res = NULL;
 -- 
-2.33.1
+2.34.1
 
 
 From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Wed, 27 May 2020 15:54:12 +0200
-Subject: [PATCH 07/88] Add net-ads-join dnshostname=fqdn option
+Subject: [PATCH 07/97] Add net-ads-join dnshostname=fqdn option
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
 
@@ -794,13 +794,13 @@ index a40b477a173..85257f445d8 100755
  
  exit $failed
 -- 
-2.33.1
+2.34.1
 
 
 From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:04:57 +0200
-Subject: [PATCH 08/88] CVE-2020-1472(ZeroLogon): libcli/auth: add
+Subject: [PATCH 08/97] CVE-2020-1472(ZeroLogon): libcli/auth: add
  netlogon_creds_random_challenge()
 
 It's good to have just a single isolated function that will generate
@@ -851,13 +851,13 @@ index 82febe74440..82797d453ed 100644
  void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
  void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
 -- 
-2.33.1
+2.34.1
 
 
 From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:07:30 +0200
-Subject: [PATCH 09/88] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
+Subject: [PATCH 09/97] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
  netlogon_creds_random_challenge()
 
 This will avoid getting flakey tests once our server starts to
@@ -1007,13 +1007,13 @@ index 026d86d50e4..e11014922f8 100644
  	torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
  		"ServerReqChallenge");
 -- 
-2.33.1
+2.34.1
 
 
 From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:08:38 +0200
-Subject: [PATCH 10/88] CVE-2020-1472(ZeroLogon): libcli/auth: make use of
+Subject: [PATCH 10/97] CVE-2020-1472(ZeroLogon): libcli/auth: make use of
  netlogon_creds_random_challenge() in netlogon_creds_cli.c
 
 This will avoid getting rejected by the server if we generate
@@ -1041,13 +1041,13 @@ index 817d2cd041a..0f6ca11ff96 100644
  	subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
  						state->binding_handle,
 -- 
-2.33.1
+2.34.1
 
 
 From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:10:53 +0200
-Subject: [PATCH 11/88] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make
+Subject: [PATCH 11/97] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make
  use of netlogon_creds_random_challenge()
 
 This is not strictly needed, but makes things more clear.
@@ -1074,13 +1074,13 @@ index 87613b99fde..86b2f343e82 100644
  	*r->out.return_credentials = pipe_state->server_challenge;
  
 -- 
-2.33.1
+2.34.1
 
 
 From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:10:53 +0200
-Subject: [PATCH 12/88] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make
+Subject: [PATCH 12/97] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make
  use of netlogon_creds_random_challenge()
 
 This is not strictly needed, but makes things more clear.
@@ -1107,13 +1107,13 @@ index 023adfd99e9..de260d8051d 100644
  	*r->out.return_credentials = pipe_state->server_challenge;
  
 -- 
-2.33.1
+2.34.1
 
 
 From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:15:26 +0200
-Subject: [PATCH 13/88] CVE-2020-1472(ZeroLogon): libcli/auth: add
+Subject: [PATCH 13/97] CVE-2020-1472(ZeroLogon): libcli/auth: add
  netlogon_creds_is_random_challenge() to avoid weak values
 
 This is the check Windows is using, so we won't generate challenges,
@@ -1177,13 +1177,13 @@ index 82797d453ed..ad768682b9f 100644
  
  void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
 -- 
-2.33.1
+2.34.1
 
 
 From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 16:17:29 +0200
-Subject: [PATCH 14/88] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
+Subject: [PATCH 14/97] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
  client challenges in netlogon_creds_server_init()
 
 This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
@@ -1262,13 +1262,13 @@ index d319d9b879e..394505d166d 100644
  	)
  
 -- 
-2.33.1
+2.34.1
 
 
 From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 19:20:25 +0200
-Subject: [PATCH 15/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+Subject: [PATCH 15/97] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
  protect netr_ServerPasswordSet2 against unencrypted passwords
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
@@ -1357,13 +1357,13 @@ index de260d8051d..acbf077c6c7 100644
  
  	ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
 -- 
-2.33.1
+2.34.1
 
 
 From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra@samba.org>
 Date: Wed, 16 Sep 2020 12:53:50 -0700
-Subject: [PATCH 16/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+Subject: [PATCH 16/97] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
  protect netr_ServerPasswordSet2 against unencrypted passwords
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
@@ -1502,13 +1502,13 @@ index 86b2f343e82..fd9127b386f 100644
  						   p->session_info,
  						   p->msg_ctx,
 -- 
-2.33.1
+2.34.1
 
 
 From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 10:18:45 +0200
-Subject: [PATCH 17/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+Subject: [PATCH 17/97] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
  refactor dcesrv_netr_creds_server_step_check()
 
 We should debug more details about the failing request.
@@ -1585,13 +1585,13 @@ index acbf077c6c7..b4326a4ecaa 100644
  
  /*
 -- 
-2.33.1
+2.34.1
 
 
 From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Wed, 16 Sep 2020 10:56:53 +0200
-Subject: [PATCH 18/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+Subject: [PATCH 18/97] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
  support "server require schannel:WORKSTATION$ = no"
 
 This allows to add expections for individual workstations, when using "server schannel = yes".
@@ -1632,13 +1632,13 @@ index b4326a4ecaa..e7bafb31e83 100644
  			*creds_out = creds;
  			return NT_STATUS_OK;
 -- 
-2.33.1
+2.34.1
 
 
 From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Thu, 17 Sep 2020 13:37:26 +0200
-Subject: [PATCH 19/88] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
+Subject: [PATCH 19/97] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
  warnings about unsecure configurations
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -1759,13 +1759,13 @@ index e7bafb31e83..7668a9eb923 100644
  	return NT_STATUS_OK;
  }
 -- 
-2.33.1
+2.34.1
 
 
 From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Thu, 17 Sep 2020 14:57:22 +0200
-Subject: [PATCH 20/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+Subject: [PATCH 20/97] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
  refactor dcesrv_netr_creds_server_step_check()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -1860,13 +1860,13 @@ index fd9127b386f..8541571b459 100644
  
  
 -- 
-2.33.1
+2.34.1
 
 
 From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Thu, 17 Sep 2020 14:23:16 +0200
-Subject: [PATCH 21/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+Subject: [PATCH 21/97] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
  support "server require schannel:WORKSTATION$ = no"
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -1911,13 +1911,13 @@ index 8541571b459..f9b10103bd5 100644
  			*creds_out = creds;
  			return NT_STATUS_OK;
 -- 
-2.33.1
+2.34.1
 
 
 From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Thu, 17 Sep 2020 14:42:52 +0200
-Subject: [PATCH 22/88] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
+Subject: [PATCH 22/97] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
  warnings about unsecure configurations
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -2039,13 +2039,13 @@ index f9b10103bd5..7f6704adbda 100644
  	return NT_STATUS_OK;
  }
 -- 
-2.33.1
+2.34.1
 
 
 From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Thu, 17 Sep 2020 17:27:54 +0200
-Subject: [PATCH 23/88] CVE-2020-1472(ZeroLogon): docs-xml: document 'server
+Subject: [PATCH 23/97] CVE-2020-1472(ZeroLogon): docs-xml: document 'server
  require schannel:COMPUTERACCOUNT'
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
@@ -2141,13 +2141,13 @@ index 489492d79b1..b682d086f76 100644
 +
  </samba:parameter>
 -- 
-2.33.1
+2.34.1
 
 
 From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001
 From: Gary Lockyer <gary@catalyst.net.nz>
 Date: Fri, 18 Sep 2020 12:39:54 +1200
-Subject: [PATCH 24/88] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
+Subject: [PATCH 24/97] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
  machine acct pwd
 
 Ensure that an empty machine account password can't be set by
@@ -2240,13 +2240,13 @@ index e11014922f8..0ba45f0c1da 100644
  	/* now try a random password */
  	password = generate_random_password(tctx, 8, 255);
 -- 
-2.33.1
+2.34.1
 
 
 From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001
 From: Gary Lockyer <gary@catalyst.net.nz>
 Date: Fri, 18 Sep 2020 15:57:34 +1200
-Subject: [PATCH 25/88] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
+Subject: [PATCH 25/97] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
  bytes in client challenge
 
 Ensure that client challenges with the first 5 bytes identical are
@@ -2615,13 +2615,13 @@ index 0ba45f0c1da..97c16688bc9 100644
  }
  
 -- 
-2.33.1
+2.34.1
 
 
 From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra@samba.org>
 Date: Fri, 10 Jul 2020 15:09:33 -0700
-Subject: [PATCH 26/88] s4: torture: Add smb2.notify.handle-permissions test.
+Subject: [PATCH 26/97] s4: torture: Add smb2.notify.handle-permissions test.
 
 Add knownfail entry.
 
@@ -2744,13 +2744,13 @@ index ebb4f8a4f8e..b017491c8fb 100644
  	suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
  
 -- 
-2.33.1
+2.34.1
 
 
 From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra@samba.org>
 Date: Tue, 7 Jul 2020 18:25:23 -0700
-Subject: [PATCH 27/88] s3: smbd: Ensure change notifies can't get set unless
+Subject: [PATCH 27/97] s3: smbd: Ensure change notifies can't get set unless
  the directory handle is open for SEC_DIR_LIST.
 
 Remove knownfail entry.
@@ -2795,13 +2795,13 @@ index 44c0b09432e..d23c03bce41 100644
  		DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
  			  "fname = %s\n", fsp->fsp_name->base_name));
 -- 
-2.33.1
+2.34.1
 
 
 From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001
 From: Volker Lendecke <vl@samba.org>
 Date: Thu, 9 Jul 2020 21:49:25 +0200
-Subject: [PATCH 28/88] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
+Subject: [PATCH 28/97] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
 
 A lookupsids request without extra_data will lead to "state->domain==NULL",
 which makes winbindd_lookupsids_recv trying to dereference it.
@@ -2829,13 +2829,13 @@ index d28b5fa9f01..a289fd86f0f 100644
  	}
  	if (request->extra_data.data[request->extra_len-1] != '\0') {
 -- 
-2.33.1
+2.34.1
 
 
 From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001
 From: Volker Lendecke <vl@samba.org>
 Date: Thu, 9 Jul 2020 21:48:57 +0200
-Subject: [PATCH 29/88] CVE-2020-14323 torture4: Add a simple test for invalid
+Subject: [PATCH 29/97] CVE-2020-14323 torture4: Add a simple test for invalid
  lookup_sids winbind call
 
 We can't add this test before the fix, add it to knownfail and have the fix
@@ -2897,13 +2897,13 @@ index 9745b621ca9..71f248c0d61 100644
  	suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests");
  
 -- 
-2.33.1
+2.34.1
 
 
 From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001
 From: Laurent Menase <laurent.menase@hpe.com>
 Date: Wed, 20 May 2020 12:31:53 +0200
-Subject: [PATCH 30/88] winbind: Fix a memleak
+Subject: [PATCH 30/97] winbind: Fix a memleak
 
 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388
 Signed-off-by: Laurent Menase <laurent.menase@hpe.com>
@@ -2931,13 +2931,13 @@ index 556b4523866..325ba1abd82 100644
  }
  
 -- 
-2.33.1
+2.34.1
 
 
 From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 17 Aug 2020 13:39:58 +0200
-Subject: [PATCH 31/88] s3:tests: Add test for 'valid users = DOMAIN\%U'
+Subject: [PATCH 31/97] s3:tests: Add test for 'valid users = DOMAIN\%U'
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
 
@@ -2989,13 +2989,13 @@ index 1a46f11c85d..c813a8f9def 100755
 +
  exit $failed
 -- 
-2.33.1
+2.34.1
 
 
 From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 17 Aug 2020 14:12:48 +0200
-Subject: [PATCH 32/88] s3:smbd: Fix %U substitutions if it contains a domain
+Subject: [PATCH 32/97] s3:smbd: Fix %U substitutions if it contains a domain
  name
 
 'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer
@@ -3050,13 +3050,13 @@ index 3cbf7f318a2..0705e197975 100644
  	if (sharename != NULL) {
  		name = talloc_string_sub(mem_ctx, name, "%S", sharename);
 -- 
-2.33.1
+2.34.1
 
 
 From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Thu, 9 Jul 2020 11:48:26 +0200
-Subject: [PATCH 33/88] docs: Fix documentation for require_membership_of of
+Subject: [PATCH 33/97] docs: Fix documentation for require_membership_of of
  pam_winbind
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
@@ -3088,13 +3088,13 @@ index a9a227f1647..a61fb2d58e5 100644
  
  		<para>
 -- 
-2.33.1
+2.34.1
 
 
 From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Fri, 17 Jul 2020 12:14:16 +0200
-Subject: [PATCH 34/88] docs: Fix documentation for require_membership_of of
+Subject: [PATCH 34/97] docs: Fix documentation for require_membership_of of
  pam_winbind.conf
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
@@ -3127,13 +3127,13 @@ index fcac1ee7036..d81a0bd6eba 100644
  		<para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
  		</listitem>
 -- 
-2.33.1
+2.34.1
 
 
 From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Thu, 11 Jun 2020 21:05:07 +0300
-Subject: [PATCH 35/88] Fix a typo in recent net man page changes
+Subject: [PATCH 35/97] Fix a typo in recent net man page changes
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
 
@@ -3158,13 +3158,13 @@ index 69e18df8b6c..9b1d4458acc 100644
  </para>
  
 -- 
-2.33.1
+2.34.1
 
 
 From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Tue, 16 Jun 2020 22:01:49 +0300
-Subject: [PATCH 36/88] selftest: add tests for binary
+Subject: [PATCH 36/97] selftest: add tests for binary
  msDS-AdditionalDnsHostName
 
 Like the short names added implicitly by Windows DC.
@@ -3236,13 +3236,13 @@ index 85257f445d8..eef4a31a6a7 100755
  rm -f $dedicated_keytab_file
  
 -- 
-2.33.1
+2.34.1
 
 
 From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Thu, 11 Jun 2020 16:51:27 +0300
-Subject: [PATCH 37/88] Properly handle msDS-AdditionalDnsHostName returned
+Subject: [PATCH 37/97] Properly handle msDS-AdditionalDnsHostName returned
  from Windows DC
 
 Windows DC adds short names for each specified msDS-AdditionalDnsHostName
@@ -3330,13 +3330,13 @@ index 02a628ee0e6..2684bba63ec 100644
  		DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
  			  machine_name));
 -- 
-2.33.1
+2.34.1
 
 
 From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Sat, 20 Jun 2020 17:17:33 +0200
-Subject: [PATCH 38/88] Fix usage of ldap_get_values_len for
+Subject: [PATCH 38/97] Fix usage of ldap_get_values_len for
  msDS-AdditionalDnsHostName
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
@@ -3372,13 +3372,13 @@ index 2684bba63ec..d1ce9cee2f0 100644
  			return NULL;
  		}
 -- 
-2.33.1
+2.34.1
 
 
 From ec4cfe786d8c3cb67bb0e9224ae1822902c672d3 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Tue, 15 Dec 2020 15:17:04 +0100
-Subject: [PATCH 39/88] HACK:s3:winbind: Rely on the domain child for online
+Subject: [PATCH 39/97] HACK:s3:winbind: Rely on the domain child for online
  check
 
 ---
@@ -3435,13 +3435,13 @@ index 6e3277e5529..35b76a367aa 100644
  
  	/* Handle online/offline messages. */
 -- 
-2.33.1
+2.34.1
 
 
 From 958bed1a1e5c9f334a1859bef14f4fe1657c3e49 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 9 Sep 2020 16:00:52 +0200
-Subject: [PATCH 40/88] s3:smbd: Use fsp al the talloc memory context
+Subject: [PATCH 40/97] s3:smbd: Use fsp al the talloc memory context
 
 Somehow the lck pointer gets freed before we call TALLOC_FREE().
 
@@ -3466,13 +3466,13 @@ index de557f53a20..9a24e331ab1 100644
  				  &mtimespec);
  
 -- 
-2.33.1
+2.34.1
 
 
 From 2591ae5d6a1dbd71391801b7bdf20bd37c8e8375 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 3 Feb 2021 12:58:31 +0100
-Subject: [PATCH 41/88] Revert "s3:smbd: Use fsp al the talloc memory context"
+Subject: [PATCH 41/97] Revert "s3:smbd: Use fsp al the talloc memory context"
 
 This reverts commit 958bed1a1e5c9f334a1859bef14f4fe1657c3e49.
 ---
@@ -3493,13 +3493,13 @@ index 9a24e331ab1..de557f53a20 100644
  				  &mtimespec);
  
 -- 
-2.33.1
+2.34.1
 
 
 From 2438619ec7ef18816f6b92c87a094851223d2bb1 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 22 Jul 2020 22:42:09 -0700
-Subject: [PATCH 42/88] nsswitch/nsstest.c: Avoid nss function conflicts with
+Subject: [PATCH 42/97] nsswitch/nsstest.c: Avoid nss function conflicts with
  glibc nss.h
 
 glibc 2.32 will define these varibles [1] which results in conflicts
@@ -3596,13 +3596,13 @@ index 6d92806cffc..46f96795f39 100644
  
  static void nss_test_errors(void)
 -- 
-2.33.1
+2.34.1
 
 
 From d5410b038bb3b1d31783c0d825dc933497f6eeaa Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 3 Feb 2021 10:30:08 +0100
-Subject: [PATCH 43/88] lib:util: Add basic memcache unit test
+Subject: [PATCH 43/97] lib:util: Add basic memcache unit test
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
 
@@ -3772,13 +3772,13 @@ index e7639c4da27..e3f7d9acb4a 100644
                [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
  plantestsuite("samba.unittests.test_registry_regfio", "none",
 -- 
-2.33.1
+2.34.1
 
 
 From 7f6661b3c60319073d7fd58906b9a3728f421fed Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 3 Feb 2021 10:37:12 +0100
-Subject: [PATCH 44/88] lib:util: Add cache oversize test for memcache
+Subject: [PATCH 44/97] lib:util: Add cache oversize test for memcache
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
 
@@ -3856,13 +3856,13 @@ index 00000000000..0a74ace3003
 @@ -0,0 +1 @@
 +^samba.unittests.memcache.torture_memcache_add_oversize
 -- 
-2.33.1
+2.34.1
 
 
 From 53c7f00510556aea15b640254934e514c1d88c25 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Tue, 2 Feb 2021 18:10:38 +0100
-Subject: [PATCH 45/88] lib:util: Avoid free'ing our own pointer
+Subject: [PATCH 45/97] lib:util: Avoid free'ing our own pointer
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -3932,13 +3932,13 @@ index 0a74ace3003..00000000000
 @@ -1 +0,0 @@
 -^samba.unittests.memcache.torture_memcache_add_oversize
 -- 
-2.33.1
+2.34.1
 
 
 From 138662453fb421609b4fa30487a53a50c085895f Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra@samba.org>
 Date: Thu, 5 Nov 2020 15:48:08 -0800
-Subject: [PATCH 46/88] s3: spoolss: Make parameters in call to user_ok_token()
+Subject: [PATCH 46/97] s3: spoolss: Make parameters in call to user_ok_token()
  match all other uses.
 
 We already have p->session_info->unix_info->unix_name, we don't
@@ -3972,13 +3972,13 @@ index f32b465afb6..c0f1803c2fa 100644
  		    !W_ERROR_IS_OK(print_access_check(p->session_info,
  						      p->msg_ctx,
 -- 
-2.33.1
+2.34.1
 
 
 From 9550eb620ff23fb9f9414c9de596789aae64aef1 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Wed, 11 Nov 2020 13:42:06 +0100
-Subject: [PATCH 47/88] s3:smbd: Fix possible null pointer dereference in
+Subject: [PATCH 47/97] s3:smbd: Fix possible null pointer dereference in
  token_contains_name()
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572
@@ -4008,13 +4008,13 @@ index 0705e197975..64276c79fbe 100644
  		/* Check if username starts with domain name */
  		if (domain_len > 0) {
 -- 
-2.33.1
+2.34.1
 
 
 From 49a19805c6837df04dce449841d011fc67e0a7df Mon Sep 17 00:00:00 2001
 From: Volker Lendecke <vl@samba.org>
 Date: Sat, 20 Feb 2021 15:50:12 +0100
-Subject: [PATCH 48/88] passdb: Simplify sids_to_unixids()
+Subject: [PATCH 48/97] passdb: Simplify sids_to_unixids()
 
 Best reviewed with "git show -b", there's a "continue" statement that
 changes subsequent indentation.
@@ -4238,13 +4238,13 @@ index 1bb15ccb8b4..186ba17fda6 100644
  			}
  			break;
 -- 
-2.33.1
+2.34.1
 
 
 From 8b39b14dcaf104a2f3172917ef926a3fec5db891 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Thu, 24 Nov 2016 09:12:59 +0100
-Subject: [PATCH 49/88] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to
+Subject: [PATCH 49/97] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to
  non spnego authentication if we require kerberos
 
 We should not send NTLM[v2] data on the wire if the user asked for kerberos
@@ -4300,13 +4300,13 @@ index 6ee4929e8d7..a0a1f4baa56 100644
  	} else {
  		struct tevent_req *subreq = NULL;
 -- 
-2.33.1
+2.34.1
 
 
 From 41cc796909aeade44c4f1e88923936ba4444278e Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Thu, 27 Oct 2016 10:40:28 +0200
-Subject: [PATCH 50/88] CVE-2016-2124: s3:libsmb: don't fallback to non spnego
+Subject: [PATCH 50/97] CVE-2016-2124: s3:libsmb: don't fallback to non spnego
  authentication if we require kerberos
 
 We should not send NTLM[v2] nor plaintext data on the wire if the user
@@ -4338,13 +4338,13 @@ index 9bba2665663..9a69d4b7217 100644
  		/*
  		 * SessionSetupAndX was introduced by LANMAN 1.0. So we skip
 -- 
-2.33.1
+2.34.1
 
 
 From 3c1688714ea93cdb7c3088b8a5e5da3025e43b42 Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow@samba.org>
 Date: Sat, 18 Jan 2020 08:06:45 +0100
-Subject: [PATCH 51/88] s3/auth: use set_current_user_info() in
+Subject: [PATCH 51/97] s3/auth: use set_current_user_info() in
  auth3_generate_session_info_pac()
 
 This delays reloading config slightly, but I don't see how could affect
@@ -4394,13 +4394,13 @@ index 167d4e00367..0e9c423efef 100644
  		  ntuser, ntdomain, rhost));
  
 -- 
-2.33.1
+2.34.1
 
 
 From cf43f0a90b3025077479d37ad905fe730695e739 Mon Sep 17 00:00:00 2001
 From: Samuel Cabrero <scabrero@suse.de>
 Date: Thu, 4 Nov 2021 11:51:08 +0100
-Subject: [PATCH 52/88] selftest: Fix ktest usermap file
+Subject: [PATCH 52/97] selftest: Fix ktest usermap file
 
 The user was not mapped:
 
@@ -4429,13 +4429,13 @@ index 9e4da0e6a08..2eb5003112e 100755
  	close(USERMAP);
  
 -- 
-2.33.1
+2.34.1
 
 
 From 703f43ea7817fa0ab423134a4c40bf9c37f90274 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 5 Oct 2021 16:42:00 +0200
-Subject: [PATCH 53/88] selftest/Samba3: replace (winbindd => "yes", skip_wait
+Subject: [PATCH 53/97] selftest/Samba3: replace (winbindd => "yes", skip_wait
  => 1) with (winbindd => "offline")
 
 This is much more flexible and concentrates the logic in a single place.
@@ -4489,13 +4489,13 @@ index 2eb5003112e..bbbefea44b7 100755
  	    do {
  		if ($ret != 0) {
 -- 
-2.33.1
+2.34.1
 
 
 From eadbcf608a98c8ff90b2d5d91b61fc8100d2cc71 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Fri, 22 Oct 2021 16:20:36 +0200
-Subject: [PATCH 54/88] CVE-2020-25719 CVE-2020-25717: selftest: remove
+Subject: [PATCH 54/97] CVE-2020-25719 CVE-2020-25717: selftest: remove
  "gensec:require_pac" settings
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
@@ -4534,13 +4534,13 @@ index a7a6c4c9587..0f644661176 100755
  	log level = $ctx->{server_loglevel}
  	lanman auth = Yes
 -- 
-2.33.1
+2.34.1
 
 
 From 628493ea5f0cda3851ab13a41b8018daa228132b Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Mon, 4 Oct 2021 17:29:34 +0200
-Subject: [PATCH 55/88] CVE-2020-25717: s3:winbindd: make sure we default to
+Subject: [PATCH 55/97] CVE-2020-25717: s3:winbindd: make sure we default to
  r->out.authoritative = true
 
 We need to make sure that temporary failures don't trigger a fallback
@@ -4708,13 +4708,13 @@ index 3245c70bb8e..315eb366a52 100644
  	fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
  
 -- 
-2.33.1
+2.34.1
 
 
 From fc3b3940208c2f03ea3aeb4b6f7e609fa9f90648 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Mon, 4 Oct 2021 17:29:34 +0200
-Subject: [PATCH 56/88] CVE-2020-25717: s4:auth/ntlm: make sure
+Subject: [PATCH 56/97] CVE-2020-25717: s4:auth/ntlm: make sure
  auth_check_password() defaults to r->out.authoritative = true
 
 We need to make sure that temporary failures don't trigger a fallback
@@ -4744,13 +4744,13 @@ index 3a3fa7eaa59..f754bd5cd44 100644
  					  ev,
  					  auth_ctx,
 -- 
-2.33.1
+2.34.1
 
 
 From ecd3a8af56dcd1aad43999a253175aa04b298eef Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 57/88] CVE-2020-25717: s4:torture: start with authoritative =
+Subject: [PATCH 57/97] CVE-2020-25717: s4:torture: start with authoritative =
  1
 
 This is not strictly needed, but makes it easier to audit
@@ -4800,13 +4800,13 @@ index c237c82bbe7..72d0bf28fdd 100644
  	DATA_BLOB names_blob, chal, lm_resp, nt_resp;
  	int i;
 -- 
-2.33.1
+2.34.1
 
 
 From 3feb493c3dd5383712a41729ed6f770695acb8b7 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 58/88] CVE-2020-25717: s4:smb_server: start with authoritative
+Subject: [PATCH 58/97] CVE-2020-25717: s4:smb_server: start with authoritative
  = 1
 
 This is not strictly needed, but makes it easier to audit
@@ -4842,13 +4842,13 @@ index 13f13934412..5e817eecd4b 100644
  	NTSTATUS status;
  
 -- 
-2.33.1
+2.34.1
 
 
 From e1a1787d1d3b64adc743eab4f626068b438d0e5c Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 59/88] CVE-2020-25717: s4:auth_simple: start with
+Subject: [PATCH 59/97] CVE-2020-25717: s4:auth_simple: start with
  authoritative = 1
 
 This is not strictly needed, but makes it easier to audit
@@ -4875,13 +4875,13 @@ index fcd9050979d..da8f094a838 100644
  	NTSTATUS nt_status;
  
 -- 
-2.33.1
+2.34.1
 
 
 From e09409714301455ba7bbed1d80a9c90c05257aaf Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 60/88] CVE-2020-25717: s3:ntlm_auth: start with authoritative
+Subject: [PATCH 60/97] CVE-2020-25717: s3:ntlm_auth: start with authoritative
  = 1
 
 This is not strictly needed, but makes it easier to audit
@@ -4967,13 +4967,13 @@ index 41591a8de33..fc0fc19bacb 100644
  	uchar lm_key[16];
  	static const uchar zeros[8] = { 0, };
 -- 
-2.33.1
+2.34.1
 
 
 From 26570ee2e981cc5d44eeeed020a051a4771470fe Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 61/88] CVE-2020-25717: s3:torture: start with authoritative =
+Subject: [PATCH 61/97] CVE-2020-25717: s3:torture: start with authoritative =
  1
 
 This is not strictly needed, but makes it easier to audit
@@ -5004,13 +5004,13 @@ index 64bc45e6a7c..48190e78bf8 100644
  	SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
  		      local_nt_response);
 -- 
-2.33.1
+2.34.1
 
 
 From 36af26aac042ce48ae912d0ab7ce398280d81c93 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 62/88] CVE-2020-25717: s3:rpcclient: start with authoritative
+Subject: [PATCH 62/97] CVE-2020-25717: s3:rpcclient: start with authoritative
  = 1
 
 This is not strictly needed, but makes it easier to audit
@@ -5037,13 +5037,13 @@ index 631740562c6..30fa1ed7816 100644
  	uint16_t validation_level;
  	union netr_Validation *validation = NULL;
 -- 
-2.33.1
+2.34.1
 
 
 From 8eec50d65a10baa4e282c4a833c3cb202cd33255 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 63/88] CVE-2020-25717: s3:auth: start with authoritative = 1
+Subject: [PATCH 63/97] CVE-2020-25717: s3:auth: start with authoritative = 1
 
 This is not strictly needed, but makes it easier to audit
 that we don't miss important places.
@@ -5087,13 +5087,13 @@ index a71c75631d7..bf7ccb4348c 100644
  	nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context);
  	if (!NT_STATUS_IS_OK(nt_status)) {
 -- 
-2.33.1
+2.34.1
 
 
 From 46bc67c24c83940ef56cfa5dbbdb8544c290f200 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 64/88] CVE-2020-25717: auth/ntlmssp: start with authoritative
+Subject: [PATCH 64/97] CVE-2020-25717: auth/ntlmssp: start with authoritative
  = 1
 
 This is not strictly needed, but makes it easier to audit
@@ -5120,13 +5120,13 @@ index 140e89daeb1..eebada670be 100644
  
  	status = auth_context->check_ntlm_password_recv(subreq,
 -- 
-2.33.1
+2.34.1
 
 
 From 986642f066c3fdf187a8799898196a23cb9d532c Mon Sep 17 00:00:00 2001
 From: Samuel Cabrero <scabrero@samba.org>
 Date: Tue, 28 Sep 2021 10:43:40 +0200
-Subject: [PATCH 65/88] CVE-2020-25717: loadparm: Add new parameter "min domain
+Subject: [PATCH 65/97] CVE-2020-25717: loadparm: Add new parameter "min domain
  uid"
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
@@ -5219,13 +5219,13 @@ index 0db44e92d19..57d1d909099 100644
  	apply_lp_set_cmdline();
  }
 -- 
-2.33.1
+2.34.1
 
 
 From 16fa6601a3517c723e90dfb8b1a086df2616e668 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Fri, 8 Oct 2021 19:57:18 +0200
-Subject: [PATCH 66/88] CVE-2020-25717: s3:auth: let
+Subject: [PATCH 66/97] CVE-2020-25717: s3:auth: let
  auth3_generate_session_info_pac() forward the low level errors
 
 Mapping everything to ACCESS_DENIED makes it hard to debug problems,
@@ -5253,13 +5253,13 @@ index 4ef2270cb34..26a38f92b30 100644
  	}
  
 -- 
-2.33.1
+2.34.1
 
 
 From 10a4bdbe4a16fec1bd9b212736a9d26500e0981e Mon Sep 17 00:00:00 2001
 From: Samuel Cabrero <scabrero@samba.org>
 Date: Tue, 28 Sep 2021 10:45:11 +0200
-Subject: [PATCH 67/88] CVE-2020-25717: s3:auth: Check minimum domain uid
+Subject: [PATCH 67/97] CVE-2020-25717: s3:auth: Check minimum domain uid
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
@@ -5300,13 +5300,13 @@ index 8ff20c33759..8801d3f0f0b 100644
  
  	result = make_server_info(tmp_ctx);
 -- 
-2.33.1
+2.34.1
 
 
 From 58bea3837cfbeba5cd5c56060a42117fffedbda4 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Fri, 8 Oct 2021 17:40:30 +0200
-Subject: [PATCH 68/88] CVE-2020-25717: s3:auth: we should not try to
+Subject: [PATCH 68/97] CVE-2020-25717: s3:auth: we should not try to
  autocreate the guest account
 
 We should avoid autocreation of users as much as possible.
@@ -5333,13 +5333,13 @@ index 8998f9c8f8a..074e8c7eb71 100644
  
  		/* extra sanity check that the guest account is valid */
 -- 
-2.33.1
+2.34.1
 
 
 From e78afbcff415d78cb29b65204fefeb0355d6651e Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Fri, 8 Oct 2021 18:08:20 +0200
-Subject: [PATCH 69/88] CVE-2020-25717: s3:auth: no longer let check_account()
+Subject: [PATCH 69/97] CVE-2020-25717: s3:auth: no longer let check_account()
  autocreate local users
 
 So far we autocreated local user accounts based on just the
@@ -5372,13 +5372,13 @@ index 8801d3f0f0b..6ee500493e6 100644
  		DEBUG(3, ("Failed to find authenticated user %s via "
  			  "getpwnam(), denying access.\n", dom_user));
 -- 
-2.33.1
+2.34.1
 
 
 From a3ffab81c235aae479262cca73cf4361f76f7f9d Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow@samba.org>
 Date: Fri, 8 Oct 2021 12:33:16 +0200
-Subject: [PATCH 70/88] CVE-2020-25717: s3:auth: remove fallbacks in
+Subject: [PATCH 70/97] CVE-2020-25717: s3:auth: remove fallbacks in
  smb_getpwnam()
 
 So far we tried getpwnam("DOMAIN\account") first and
@@ -5516,13 +5516,13 @@ index 6ee500493e6..161e05c2106 100644
  
  	/* Create local user if requested but only if winbindd
 -- 
-2.33.1
+2.34.1
 
 
 From 9a1bb168388205f5a2bfa459a5da63c5046eaa7a Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Mon, 4 Oct 2021 18:03:55 +0200
-Subject: [PATCH 71/88] CVE-2020-25717: s3:auth: don't let create_local_token
+Subject: [PATCH 71/97] CVE-2020-25717: s3:auth: don't let create_local_token
  depend on !winbind_ping()
 
 We always require a running winbindd on a domain member, so
@@ -5561,13 +5561,13 @@ index 161e05c2106..c0e5cfd7fa8 100644
  		status = create_token_from_username(session_info,
  						    server_info->unix_name,
 -- 
-2.33.1
+2.34.1
 
 
 From bbe5c6693ba6954dab5bfef9f8c3778164cd879e Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <ab@samba.org>
 Date: Wed, 11 Nov 2020 18:50:45 +0200
-Subject: [PATCH 72/88] CVE-2020-25717: Add FreeIPA domain controller role
+Subject: [PATCH 72/97] CVE-2020-25717: Add FreeIPA domain controller role
 
 As we want to reduce use of 'classic domain controller' role but FreeIPA
 relies on it internally, add a separate role to mark FreeIPA domain
@@ -5974,13 +5974,13 @@ index 51fed4da62b..1f09b721408 100644
  		return NT_STATUS_INTERNAL_ERROR;
  	case ROLE_DOMAIN_MEMBER:
 -- 
-2.33.1
+2.34.1
 
 
 From 3a8b4d3b410508dfb0538376046a5b38c53f9568 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 5 Oct 2021 18:11:57 +0200
-Subject: [PATCH 73/88] CVE-2020-25717: auth/gensec: always require a PAC in
+Subject: [PATCH 73/97] CVE-2020-25717: auth/gensec: always require a PAC in
  domain mode (DC or member)
 
 AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
@@ -6044,13 +6044,13 @@ index e185acc0c20..694661b53b5 100644
  		DBG_NOTICE("Unable to find PAC for %s, resorting to local "
  			   "user lookup\n", principal_string);
 -- 
-2.33.1
+2.34.1
 
 
 From 15cca0f7ee6f4b8d96b6b650b2d009b030a2bc5f Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Mon, 11 Oct 2021 23:17:19 +0200
-Subject: [PATCH 74/88] CVE-2020-25717: s4:auth: remove unused
+Subject: [PATCH 74/97] CVE-2020-25717: s4:auth: remove unused
  auth_generate_session_info_principal()
 
 We'll require a PAC at the main gensec layer already.
@@ -6188,13 +6188,13 @@ index fb88cb87f66..a8c7d8b4b85 100644
  
  _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
 -- 
-2.33.1
+2.34.1
 
 
 From ec14a33f17e638870c997b56d4b5ce9096cbb27a Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 21 Sep 2021 12:27:28 +0200
-Subject: [PATCH 75/88] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
+Subject: [PATCH 75/97] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
  ntlm_auth_generate_session_info_pac()
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
@@ -6262,13 +6262,13 @@ index 3f70732a837..fefdd32bf11 100644
  		DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
  	}
 -- 
-2.33.1
+2.34.1
 
 
 From 9e036a77eca721c4ea23c3f629d9e504d5780f79 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 21 Sep 2021 12:44:01 +0200
-Subject: [PATCH 76/88] CVE-2020-25717: s3:ntlm_auth: let
+Subject: [PATCH 76/97] CVE-2020-25717: s3:ntlm_auth: let
  ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO
  only
 
@@ -6404,13 +6404,13 @@ index fefdd32bf11..ff2fd30a9ae 100644
  	if (!unixuser) {
  		status = NT_STATUS_NO_MEMORY;
 -- 
-2.33.1
+2.34.1
 
 
 From 4c01fd62e30b8e1137e7de01ecb41c94550dac24 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Mon, 4 Oct 2021 19:42:20 +0200
-Subject: [PATCH 77/88] CVE-2020-25717: s3:auth: let
+Subject: [PATCH 77/97] CVE-2020-25717: s3:auth: let
  auth3_generate_session_info_pac() delegate everything to
  make_server_info_wbcAuthUserInfo()
 
@@ -6725,13 +6725,13 @@ index 26a38f92b30..3099e8f9057 100644
  	status = NT_STATUS_OK;
  
 -- 
-2.33.1
+2.34.1
 
 
 From 2d7cd152d95e091447731b3699be9654ca13cffc Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 5 Oct 2021 17:14:01 +0200
-Subject: [PATCH 78/88] CVE-2020-25717: selftest: configure 'ktest' env with
+Subject: [PATCH 78/97] CVE-2020-25717: selftest: configure 'ktest' env with
  winbindd and idmap_autorid
 
 The 'ktest' environment was/is designed to test kerberos in an active
@@ -6776,13 +6776,13 @@ index bbbefea44b7..7034127ef0b 100755
  	}
  	return $ret;
 -- 
-2.33.1
+2.34.1
 
 
 From 6b4c3693d4ae3c54fd4c890b71829ac582436dee Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Tue, 5 Oct 2021 18:12:49 +0200
-Subject: [PATCH 79/88] CVE-2020-25717: s3:auth: let
+Subject: [PATCH 79/97] CVE-2020-25717: s3:auth: let
  auth3_generate_session_info_pac() reject a PAC in standalone mode
 
 We should be strict in standalone mode, that we only support MIT realms
@@ -6861,13 +6861,13 @@ index 3099e8f9057..23f746c078e 100644
  	if (!NT_STATUS_IS_OK(status)) {
  		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
 -- 
-2.33.1
+2.34.1
 
 
 From 6f6a1fedb97d119a7f15831f7295b1774e806ba8 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Fri, 8 Oct 2021 17:59:59 +0200
-Subject: [PATCH 80/88] CVE-2020-25717: s3:auth: simplify
+Subject: [PATCH 80/97] CVE-2020-25717: s3:auth: simplify
  get_user_from_kerberos_info() by removing the unused logon_info argument
 
 This code is only every called in standalone mode on a MIT realm,
@@ -7011,13 +7011,13 @@ index 074e8c7eb71..7b69ca6c222 100644
  				     bool *mapped_to_guest,
  				     char **ntuser,
 -- 
-2.33.1
+2.34.1
 
 
 From 8fd8d952c4396484f822c51f71667baaf49402b4 Mon Sep 17 00:00:00 2001
 From: Stefan Metzmacher <metze@samba.org>
 Date: Fri, 8 Oct 2021 18:03:04 +0200
-Subject: [PATCH 81/88] CVE-2020-25717: s3:auth: simplify
+Subject: [PATCH 81/97] CVE-2020-25717: s3:auth: simplify
  make_session_info_krb5() by removing unused arguments
 
 This is only ever be called in standalone mode with an MIT realm,
@@ -7114,13 +7114,13 @@ index 7b69ca6c222..b8f37cbeee0 100644
  {
  	return NT_STATUS_NOT_IMPLEMENTED;
 -- 
-2.33.1
+2.34.1
 
 
 From bf0696ec4f3080ebd0b61cac5a05a9284ccabda8 Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Wed, 1 Sep 2021 15:39:19 +1200
-Subject: [PATCH 82/88] krb5pac.idl: Add ticket checksum PAC buffer type
+Subject: [PATCH 82/97] krb5pac.idl: Add ticket checksum PAC buffer type
 
 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
@@ -7154,13 +7154,13 @@ index f27e7243ee4..711b7f94b6c 100644
  		   in such a way that they are backwards compatible with existing
  		   servers. This makes it safe to just use a [default] for
 -- 
-2.33.1
+2.34.1
 
 
 From 7a9f618fdbf32872594f47dd4bc83ce087af4bbc Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Wed, 1 Sep 2021 15:40:59 +1200
-Subject: [PATCH 83/88] security.idl: Add well-known SIDs for FAST
+Subject: [PATCH 83/97] security.idl: Add well-known SIDs for FAST
 
 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
 Reviewed-by: Andrew Bartlett <abartlet@samba.org>
@@ -7186,13 +7186,13 @@ index 5930f448955..e6065a35691 100644
  	 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
  	 */
 -- 
-2.33.1
+2.34.1
 
 
 From 7713b56a8a8b26e05aa9a517348e3f95da1144a7 Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Wed, 29 Sep 2021 16:15:26 +1300
-Subject: [PATCH 84/88] krb5pac.idl: Add missing buffer type values
+Subject: [PATCH 84/97] krb5pac.idl: Add missing buffer type values
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
 
@@ -7218,13 +7218,13 @@ index 711b7f94b6c..141894ec5f1 100644
  	} PAC_TYPE;
  
 -- 
-2.33.1
+2.34.1
 
 
 From a85bf1d86d6e081c781cc93a8e7aaa049c3818d0 Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Tue, 26 Oct 2021 20:33:38 +1300
-Subject: [PATCH 85/88] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC
+Subject: [PATCH 85/97] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC
  buffer type
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
@@ -7275,13 +7275,13 @@ index 141894ec5f1..4bfec2de5e6 100644
  		   in such a way that they are backwards compatible with existing
  		   servers. This makes it safe to just use a [default] for
 -- 
-2.33.1
+2.34.1
 
 
 From 57e4c415ecae66ee984a30eb66d5d248e0e8587d Mon Sep 17 00:00:00 2001
 From: Joseph Sutton <josephsutton@catalyst.net.nz>
 Date: Tue, 26 Oct 2021 20:33:49 +1300
-Subject: [PATCH 86/88] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
+Subject: [PATCH 86/97] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
  buffer type
 
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
@@ -7326,13 +7326,13 @@ index 4bfec2de5e6..f750359a069 100644
  		   in such a way that they are backwards compatible with existing
  		   servers. This makes it safe to just use a [default] for
 -- 
-2.33.1
+2.34.1
 
 
 From 7782a97868ead29b6e87fa98dcef8dbc2706b67d Mon Sep 17 00:00:00 2001
 From: Andrew Bartlett <abartlet@samba.org>
 Date: Mon, 27 Sep 2021 11:20:19 +1300
-Subject: [PATCH 87/88] CVE-2020-25721 krb5pac: Add new buffers for
+Subject: [PATCH 87/97] CVE-2020-25721 krb5pac: Add new buffers for
  samAccountName and objectSID
 
 These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
@@ -7413,13 +7413,13 @@ index a9ae2c4a789..57b28df9e52 100644
  					NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
  					NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
 -- 
-2.33.1
+2.34.1
 
 
 From 44e8dd1a9a3c02dee31497fe20411758fce1acf9 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <ab@samba.org>
 Date: Fri, 12 Nov 2021 19:06:01 +0200
-Subject: [PATCH 88/88] IPA DC: add missing checks
+Subject: [PATCH 88/97] IPA DC: add missing checks
 
 When introducing FreeIPA support, two places were forgotten:
 
@@ -7465,5 +7465,1084 @@ index 57bfc596005..3f77856457e 100644
  				sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
  				if (!sid) {
 -- 
-2.33.1
+2.34.1
+
+
+From c64bcd68614871cdddc9fe37c860729f490b4da1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 12 Nov 2021 15:27:58 +0100
+Subject: [PATCH 89/97] CVE-2020-25717: idmap_nss: verify that the name of the
+ sid belongs to the configured domain
+
+We already check the sid belongs to the domain, but checking the name
+too feels better and make it easier to understand.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+[abartlet@samba.org backorted from commit bfd093648b4af51d104096c0cb3535e8706671e5
+ as header libcli/security/dom_sid.h was not present for struct dom_sid_buf]
+
+[abartlet@samba.org fix CVE marker]
+---
+ source3/winbindd/idmap_nss.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
+index 3fe98cbc729..243b67ccafd 100644
+--- a/source3/winbindd/idmap_nss.c
++++ b/source3/winbindd/idmap_nss.c
+@@ -25,6 +25,7 @@
+ #include "nsswitch/winbind_client.h"
+ #include "idmap.h"
+ #include "lib/winbind_util.h"
++#include "libcli/security/dom_sid.h"
+ 
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_IDMAP
+@@ -135,18 +136,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
+ 	for (i = 0; ids[i]; i++) {
+ 		struct group *gr;
+ 		enum lsa_SidType type;
+-		const char *p = NULL;
++		const char *_domain = NULL;
++		const char *_name = NULL;
++		char *domain = NULL;
+ 		char *name = NULL;
+ 		bool ret;
+ 
+ 		/* by default calls to winbindd are disabled
+ 		   the following call will not recurse so this is safe */
+ 		(void)winbind_on();
+-		ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL,
+-					 &p, &type);
++		ret = winbind_lookup_sid(talloc_tos(),
++					 ids[i]->sid,
++					 &_domain,
++					 &_name,
++					 &type);
+ 		(void)winbind_off();
+-		name = discard_const_p(char, p);
+-
+ 		if (!ret) {
+ 			/* TODO: how do we know if the name is really not mapped,
+ 			 * or something just failed ? */
+@@ -154,6 +158,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
+ 			continue;
+ 		}
+ 
++		domain = discard_const_p(char, _domain);
++		name = discard_const_p(char, _name);
++
++		if (!strequal(domain, dom->name)) {
++			struct dom_sid_buf buf;
++			DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n",
++			        dom->name, dom_sid_str_buf(ids[i]->sid, &buf),
++				sid_type_lookup(type), domain, name);
++			ids[i]->status = ID_UNMAPPED;
++			continue;
++		}
++
+ 		switch (type) {
+ 		case SID_NAME_USER: {
+ 			struct passwd *pw;
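Review bot: The new `continue` in the `!strequal(domain, dom->name)` branch skips the `TALLOC_FREE(domain)` / `TALLOC_FREE(name)` pair that the last hunk of this patch puts at the bottom of the loop body. Every SID rejected for belonging to another domain therefore leaves both strings on `talloc_tos()` until the caller's stackframe is released, and the loop runs once per entry in `ids[]`. Freeing them right after the `DBG_ERR` call, `TALLOC_FREE(domain); TALLOC_FREE(name);` before `ids[i]->status = ID_UNMAPPED;`, keeps the reject path and the normal path symmetric. `idmap_nss_sids_to_unixids()` starts and ends outside this hunk, so the lifetime of the surrounding frame is not visible here.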
+@@ -186,6 +202,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
+ 			ids[i]->status = ID_UNKNOWN;
+ 			break;
+ 		}
++		TALLOC_FREE(domain);
+ 		TALLOC_FREE(name);
+ 	}
+ 	return NT_STATUS_OK;
+-- 
+2.34.1
+
+
+From c7d277ef2c902482eca00fc981bf340a088fbfe1 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Fri, 12 Nov 2021 20:53:30 +1300
+Subject: [PATCH 90/97] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent
+ uid' to make room for new accounts
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a)
+---
+ nsswitch/nsstest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
+index 46f96795f39..8ce7493d1b6 100644
+--- a/nsswitch/nsstest.c
++++ b/nsswitch/nsstest.c
+@@ -460,7 +460,7 @@ static void nss_test_errors(void)
+ 		printf("ERROR Non existent user gave error %d\n", last_error);
+ 	}
+ 
+-	pwd = getpwuid(0xFFF0);
++	pwd = getpwuid(0xFF00);
+ 	if (pwd || last_error != NSS_STATUS_NOTFOUND) {
+ 		total_errors++;
+ 		printf("ERROR Non existent uid gave error %d\n", last_error);
+-- 
+2.34.1
+
+
+From 0ff9bba35a043267a2781c294f5832378cd6da54 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 12 Nov 2021 16:10:31 +1300
+Subject: [PATCH 91/97] CVE-2020-25717: s3:auth: Fallback to a SID/UID based
+ mapping if the named based lookup fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before the CVE-2020-25717 fixes we had a fallback from
+getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
+unpredictable.
+
+Now we do the fallback based on sid_to_uid() followed by
+getpwuid() on the returned uid.
+
+This obsoletes 'username map [script]' based workaround adviced
+for CVE-2020-25717, when nss_winbindd is not used or
+idmap_nss is actually used.
+
+In future we may decide to prefer or only do the SID/UID based
+lookup, but for now we want to keep this unchanged as much as possible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[metze@samba.org moved the new logic into the fallback codepath only
+ in order to avoid behavior changes as much as possible]
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
+
+[abartlet@samba.org backported from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
+ as usage.py is not present in Samba 4.10]
+---
+ source3/auth/auth_util.c | 34 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index c0e5cfd7fa8..b463059f259 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -1837,7 +1837,9 @@ const struct auth_session_info *get_session_info_system(void)
+ ***************************************************************************/
+ 
+ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+-			      const char *username, char **found_username,
++			      const char *username,
++			      const struct dom_sid *sid,
++			      char **found_username,
+ 			      struct passwd **pwd,
+ 			      bool *username_was_mapped)
+ {
+@@ -1872,6 +1874,31 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+ 	}
+ 
+ 	passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
++	if (!passwd && !*username_was_mapped) {
++		struct dom_sid_buf buf;
++		uid_t uid;
++		bool ok;
++
++		DBG_DEBUG("Failed to find authenticated user %s via "
++			  "getpwnam(), fallback to sid_to_uid(%s).\n",
++			  dom_user, dom_sid_str_buf(sid, &buf));
++
++		ok = sid_to_uid(sid, &uid);
++		if (!ok) {
++			DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n",
++				dom_sid_str_buf(sid, &buf), dom_user);
++			return NT_STATUS_NO_SUCH_USER;
++		}
++		passwd = getpwuid_alloc(mem_ctx, uid);
++		if (!passwd) {
++			DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n",
++				(long long)uid,
++				dom_sid_str_buf(sid, &buf),
++				dom_user);
++			return NT_STATUS_NO_SUCH_USER;
++		}
++		real_username = talloc_strdup(mem_ctx, passwd->pw_name);
++	}
+ 	if (!passwd) {
+ 		DEBUG(3, ("Failed to find authenticated user %s via "
+ 			  "getpwnam(), denying access.\n", dom_user));
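Review bot: A successful SID-based fallback leaves no record of which local account was chosen. The only message on that path is the `DBG_DEBUG` emitted before `sid_to_uid()`, and nothing logs `passwd->pw_name` once `getpwuid_alloc()` succeeds. The resolved account name can differ from `dom_user`, so a line after the `talloc_strdup()` would let an operator reconstruct the mapping, e.g. `DBG_NOTICE("Mapped %s (SID %s) to local account %s via sid_to_uid()\n", dom_user, dom_sid_str_buf(sid, &buf), passwd->pw_name);`. A one-line comment above the `if` stating why the fallback is skipped when `*username_was_mapped` is set would also help the next audit. `check_account()` starts and ends outside this hunk, so whether `real_username` is NULL-checked after the block cannot be confirmed from here.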
+@@ -2017,6 +2044,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ 	bool username_was_mapped;
+ 	struct passwd *pwd;
+ 	struct auth_serversupplied_info *result;
++	struct dom_sid sid;
+ 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ 
+ 	/* 
+@@ -2063,9 +2091,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ 
+ 	/* this call will try to create the user if necessary */
+ 
++	sid_copy(&sid, info3->base.domain_sid);
++	sid_append_rid(&sid, info3->base.rid);
++
+ 	nt_status = check_account(tmp_ctx,
+ 				  nt_domain,
+ 				  nt_username,
++				  &sid,
+ 				  &found_username,
+ 				  &pwd,
+ 				  &username_was_mapped);
+-- 
+2.34.1
+
+
+From f035c041e42594bacfe7c3f4e5ea5d05399e1c5a Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 Nov 2021 10:57:17 +0100
+Subject: [PATCH 92/97] CVE-2020-25717: s3-auth: fix MIT Realm regression
+
+This looks like a regression introduced by the recent security fixes. This
+commit should hopefully fixes it.
+
+As a quick solution it might be possible to use the username map script based on
+the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
+sure this behaves identical, but it might work in the standalone server case.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
+
+Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)
+---
+ source3/auth/user_krb5.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
+index b8f37cbeee0..169bf563368 100644
+--- a/source3/auth/user_krb5.c
++++ b/source3/auth/user_krb5.c
+@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 	char *fuser = NULL;
+ 	char *unixuser = NULL;
+ 	struct passwd *pw = NULL;
++	bool may_retry = false;
+ 
+ 	DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
+ 
+@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 		domain = realm;
+ 	} else {
+ 		domain = lp_workgroup();
++		may_retry = true;
+ 	}
+ 
+ 	fuser = talloc_asprintf(mem_ctx,
+@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 	*mapped_to_guest = false;
+ 
+ 	pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
++	if (may_retry && pw == NULL && !*is_mapped) {
++		fuser = talloc_strdup(mem_ctx, user);
++		if (!fuser) {
++			return NT_STATUS_NO_MEMORY;
++		}
++		pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
++	}
+ 	if (pw) {
+ 		if (!unixuser) {
+ 			return NT_STATUS_NO_MEMORY;
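Review bot: The retry with the bare `user` name carries no comment explaining why an unqualified lookup is acceptable here, although patch 91 of this series calls the old `getpwnam('DOMAIN\user')` to `getpwnam('user')` fallback dangerous. The guard is `may_retry`, set only in the `lp_workgroup()` branch, and an earlier commit message in the series says this function is only called in standalone mode on an MIT realm. Stating that in the code would make the restriction auditable, e.g. `/* standalone + MIT realm only: retry without the workgroup prefix (bug 14922) */`. A `DBG_DEBUG` naming both the failed `fuser` and the retried name would make the second lookup visible in logs. The function body starts and ends outside the hunk.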
+-- 
+2.34.1
+
+
+From 8b8d1b20b16381c305c23ce03a559b8c7de67f5d Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 13 Jan 2022 16:48:01 +0100
+Subject: [PATCH 93/97] CVE-2021-44142: libadouble: add defines for icon
+ lengths
+
+From https://www.ietf.org/rfc/rfc1740.txt
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/modules/vfs_fruit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
+index afad70ce180..3a35620bfe4 100644
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -283,6 +283,8 @@ typedef enum {ADOUBLE_META, ADOUBLE_RSRC} adouble_type_t;
+ #define ADEDLEN_MACFILEI        4
+ #define ADEDLEN_PRODOSFILEI     8
+ #define ADEDLEN_MSDOSFILEI      2
++#define ADEDLEN_ICONBW          128
++#define ADEDLEN_ICONCOL         1024
+ #define ADEDLEN_DID             4
+ #define ADEDLEN_PRIVDEV         8
+ #define ADEDLEN_PRIVINO         8
+-- 
+2.34.1
+
+
+From 3f2e9a6de36c086cff0bb3296f00c85a37a2653c Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sat, 20 Nov 2021 16:36:42 +0100
+Subject: [PATCH 94/97] CVE-2021-44142: smbd: add Netatalk xattr used by
+ vfs_fruit to the list of private Samba xattrs
+
+This is an internal xattr that should not be user visible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
+---
+ source3/smbd/trans2.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index f8d987bbe63..406087c0419 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -176,6 +176,16 @@ void aapl_force_zero_file_id(struct smbd_server_connection *sconn)
+  Refuse to allow clients to overwrite our private xattrs.
+ ****************************************************************************/
+ 
++/*
++ * Taken from vfs_fruit.c
++ */
++#define NETATALK_META_XATTR "org.netatalk.Metadata"
++#if defined(HAVE_ATTROPEN)
++#define AFPINFO_EA_NETATALK NETATALK_META_XATTR
++#else
++#define AFPINFO_EA_NETATALK "user." NETATALK_META_XATTR
++#endif
++
+ bool samba_private_attr_name(const char *unix_ea_name)
+ {
+ 	static const char * const prohibited_ea_names[] = {
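Review bot: `NETATALK_META_XATTR` and `AFPINFO_EA_NETATALK` are copied from vfs_fruit.c rather than shared. The name that `samba_private_attr_name()` refuses and the name the module actually stores under can therefore drift apart if only one copy is edited, including the `HAVE_ATTROPEN` prefix logic. Moving both defines into a header included by both files would tie the deny-list entry to the module. If that is out of scope for a backport, the comment should at least say `/* Must stay identical to the definitions in source3/modules/vfs_fruit.c */`. How the list is matched against `unix_ea_name` (exact or prefix, case handling) lies outside this hunk.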
+@@ -183,6 +193,7 @@ bool samba_private_attr_name(const char *unix_ea_name)
+ 		SAMBA_XATTR_DOS_ATTRIB,
+ 		SAMBA_XATTR_MARKER,
+ 		XATTR_NTACL_NAME,
++		AFPINFO_EA_NETATALK,
+ 		NULL
+ 	};
+ 
+-- 
+2.34.1
+
+
+From 00287584703e9e91e804e0f182bd844b7c436716 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 Nov 2021 07:19:32 +0100
+Subject: [PATCH 95/97] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
+
+This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
+which is used for parsing ._ AppleDouble sidecar files, and the buffer
+ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
+buffer out-of-bounds access checks in ad_unpack_xattrs().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/modules/vfs_fruit.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
+index 3a35620bfe4..76139e51047 100644
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -728,14 +728,27 @@ static bool ad_pack(struct adouble *ad)
+ static bool ad_unpack_xattrs(struct adouble *ad)
+ {
+ 	struct ad_xattr_header *h = &ad->adx_header;
++	size_t bufsize = talloc_get_size(ad->ad_data);
+ 	const char *p = ad->ad_data;
+ 	uint32_t hoff;
+ 	uint32_t i;
+ 
++	if (ad->ad_type != ADOUBLE_RSRC) {
++		return false;
++	}
++
+ 	if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
+ 		return true;
+ 	}
+ 
++	/*
++	 * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
++	 * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
++	 */
++	if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
++		return false;
++	}
++
+ 	/* 2 bytes padding */
+ 	hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
+ 
+@@ -985,11 +998,12 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
+ 		ad->ad_eid[eid].ade_len = len;
+ 	}
+ 
+-	ok = ad_unpack_xattrs(ad);
+-	if (!ok) {
+-		return false;
++	if (ad->ad_type == ADOUBLE_RSRC) {
++		ok = ad_unpack_xattrs(ad);
++		if (!ok) {
++			return false;
++		}
+ 	}
+-
+ 	return true;
+ }
+ 
+-- 
+2.34.1
+
+
+From 94141fa38e082e4ab50be6c2f79c8506e72bc274 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 25 Nov 2021 15:04:03 +0100
+Subject: [PATCH 96/97] CVE-2021-44142: libadouble: add basic cmocka tests
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+[slow@samba.org: conflict due to missing test in selftest/tests.py]
+---
+ selftest/knownfail.d/samba.unittests.adouble |   3 +
+ selftest/tests.py                            |   2 +
+ source3/lib/test_adouble.c                   | 393 +++++++++++++++++++
+ source3/wscript_build                        |   5 +
+ 4 files changed, 403 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba.unittests.adouble
+ create mode 100644 source3/lib/test_adouble.c
+
+diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
+new file mode 100644
+index 00000000000..8b0314f2fae
+--- /dev/null
++++ b/selftest/knownfail.d/samba.unittests.adouble
+@@ -0,0 +1,3 @@
++^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
++^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
++^samba.unittests.adouble.parse_abouble_date2\(none\)
+diff --git a/selftest/tests.py b/selftest/tests.py
+index e3f7d9acb4a..4bc4d301c4c 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -260,3 +260,5 @@ plantestsuite("samba.unittests.ntlm_check", "none",
+               [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
+ plantestsuite("samba.unittests.test_registry_regfio", "none",
+               [os.path.join(bindir(), "default/source3/test_registry_regfio")])
++plantestsuite("samba.unittests.adouble", "none",
++              [os.path.join(bindir(), "test_adouble")])
+diff --git a/source3/lib/test_adouble.c b/source3/lib/test_adouble.c
+new file mode 100644
+index 00000000000..667d2a7542e
+--- /dev/null
++++ b/source3/lib/test_adouble.c
+@@ -0,0 +1,393 @@
++/*
++ * Unix SMB/CIFS implementation.
++ *
++ * Copyright (C) 2021 Ralph Boehme <slow@samba.org>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include "includes.h"
++extern NTSTATUS vfs_fruit_init(TALLOC_CTX *mem_ctx);
++
++#include "vfs_fruit.c"
++#include <cmocka.h>
++
++
++static int setup_talloc_context(void **state)
++{
++	TALLOC_CTX *frame = talloc_stackframe();
++
++	*state = frame;
++	return 0;
++}
++
++static int teardown_talloc_context(void **state)
++{
++	TALLOC_CTX *frame = *state;
++
++	TALLOC_FREE(frame);
++	return 0;
++}
++
++/*
++ * Basic and sane buffer.
++ */
++static uint8_t ad_basic[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x32,	/* offset */
++	0x00, 0x00, 0x00, 0x20,	/* length */
++	/* adentry 2: Resourcefork */
++	0x00, 0x00, 0x00, 0x02,	/* eid: Resourcefork */
++	0x00, 0x00, 0x00, 0x52,	/* offset */
++	0xff, 0xff, 0xff, 0x00,	/* length */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * An empty FinderInfo entry.
++ */
++static uint8_t ad_finderinfo1[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x52,	/* off: points at end of buffer */
++	0x00, 0x00, 0x00, 0x00,	/* len: 0, so off+len don't exceed bufferlen */
++	/* adentry 2: Resourcefork */
++	0x00, 0x00, 0x00, 0x02,	/* eid: Resourcefork */
++	0x00, 0x00, 0x00, 0x52,	/* offset */
++	0xff, 0xff, 0xff, 0x00,	/* length */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * A dangerous FinderInfo with correct length exceeding buffer by one byte.
++ */
++static uint8_t ad_finderinfo2[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x33,	/* off: points at beginng of data + 1 */
++	0x00, 0x00, 0x00, 0x20,	/* len: 32, so off+len exceeds bufferlen by 1 */
++	/* adentry 2: Resourcefork */
++	0x00, 0x00, 0x00, 0x02,	/* eid: Resourcefork */
++	0x00, 0x00, 0x00, 0x52,	/* offset */
++	0xff, 0xff, 0xff, 0x00,	/* length */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++static uint8_t ad_finderinfo3[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x33,	/* off: points at beginng of data + 1 */
++	0x00, 0x00, 0x00, 0x1f,	/* len: 31, so off+len don't exceed buf */
++	/* adentry 2: Resourcefork */
++	0x00, 0x00, 0x00, 0x02,	/* eid: Resourcefork */
++	0x00, 0x00, 0x00, 0x52,	/* offset */
++	0xff, 0xff, 0xff, 0x00,	/* length */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * A dangerous name entry.
++ */
++static uint8_t ad_name[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x32,	/* offset */
++	0x00, 0x00, 0x00, 0x20,	/* length */
++	/* adentry 2: Name */
++	0x00, 0x00, 0x00, 0x03,	/* eid: Name */
++	0x00, 0x00, 0x00, 0x52,	/* off: points at end of buffer */
++	0x00, 0x00, 0x00, 0x01,	/* len: 1, so off+len exceeds bufferlen */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * A empty ADEID_FILEDATESI entry.
++ */
++static uint8_t ad_date1[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x32,	/* offset */
++	0x00, 0x00, 0x00, 0x20,	/* length */
++	/* adentry 2: Dates */
++	0x00, 0x00, 0x00, 0x08,	/* eid: dates */
++	0x00, 0x00, 0x00, 0x52,	/* off: end of buffer */
++	0x00, 0x00, 0x00, 0x00,	/* len: 0, empty entry, valid */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * A dangerous ADEID_FILEDATESI entry, invalid length.
++ */
++static uint8_t ad_date2[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x32,	/* offset */
++	0x00, 0x00, 0x00, 0x20,	/* length */
++	/* adentry 2: Dates */
++	0x00, 0x00, 0x00, 0x08,	/* eid: dates */
++	0x00, 0x00, 0x00, 0x43,	/* off: FinderInfo buf but one byte short */
++	0x00, 0x00, 0x00, 0x0f,	/* len: 15, so off+len don't exceed bufferlen */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++static struct adouble *parse_adouble(TALLOC_CTX *mem_ctx,
++				     uint8_t *adbuf,
++				     size_t adsize,
++				     off_t filesize)
++{
++	struct adouble *ad = NULL;
++	bool ok;
++
++	ad = talloc_zero(mem_ctx, struct adouble);
++	ad->ad_data = talloc_zero_size(ad, adsize);
++	assert_non_null(ad);
++
++	memcpy(ad->ad_data, adbuf, adsize);
++
++	ok = ad_unpack(ad, 2, filesize);
++	if (!ok) {
++		return NULL;
++	}
++
++	return ad;
++}
++
++static void parse_abouble_basic(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++	char *p = NULL;
++
++	ad = parse_adouble(frame, ad_basic, sizeof(ad_basic), 0xffffff52);
++	assert_non_null(ad);
++
++	p = ad_get_entry(ad, ADEID_FINDERI);
++	assert_non_null(p);
++
++	return;
++}
++
++static void parse_abouble_finderinfo1(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++	char *p = NULL;
++
++	ad = parse_adouble(frame,
++			   ad_finderinfo1,
++			   sizeof(ad_finderinfo1),
++			   0xffffff52);
++	assert_non_null(ad);
++
++	p = ad_get_entry(ad, ADEID_FINDERI);
++	assert_null(p);
++
++	return;
++}
++
++static void parse_abouble_finderinfo2(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++
++	ad = parse_adouble(frame,
++			   ad_finderinfo2,
++			   sizeof(ad_finderinfo2),
++			   0xffffff52);
++	assert_null(ad);
++
++	return;
++}
++
++static void parse_abouble_finderinfo3(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++
++	ad = parse_adouble(frame,
++			   ad_finderinfo3,
++			   sizeof(ad_finderinfo3),
++			   0xffffff52);
++	assert_null(ad);
++
++	return;
++}
++
++static void parse_abouble_name(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++
++	ad = parse_adouble(frame, ad_name, sizeof(ad_name), 0x52);
++	assert_null(ad);
++
++	return;
++}
++
++static void parse_abouble_date1(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++	char *p = NULL;
++
++	ad = parse_adouble(frame, ad_date1, sizeof(ad_date1), 0x52);
++	assert_non_null(ad);
++
++	p = ad_get_entry(ad, ADEID_FILEDATESI);
++	assert_null(p);
++
++	return;
++}
++
++static void parse_abouble_date2(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++
++	ad = parse_adouble(frame, ad_date2, sizeof(ad_date2), 0x52);
++	assert_null(ad);
++
++	return;
++}
++
++int main(int argc, char *argv[])
++{
++	int rc;
++	const struct CMUnitTest tests[] = {
++		cmocka_unit_test(parse_abouble_basic),
++		cmocka_unit_test(parse_abouble_finderinfo1),
++		cmocka_unit_test(parse_abouble_finderinfo2),
++		cmocka_unit_test(parse_abouble_finderinfo3),
++		cmocka_unit_test(parse_abouble_name),
++		cmocka_unit_test(parse_abouble_date1),
++		cmocka_unit_test(parse_abouble_date2),
++	};
++
++	if (argc == 2) {
++		cmocka_set_test_filter(argv[1]);
++	}
++	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
++
++	rc = cmocka_run_group_tests(tests,
++				    setup_talloc_context,
++				    teardown_talloc_context);
++
++	return rc;
++}
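Review bot: In parse_adouble() the `assert_non_null(ad)` runs only after `ad->ad_data = talloc_zero_size(ad, adsize)` has already dereferenced `ad`, and `ad->ad_data` is never checked before the `memcpy()`. An allocation failure would crash the test binary instead of being reported as a failed test. Put `assert_non_null(ad);` directly after the `talloc_zero()` call and add `assert_non_null(ad->ad_data);` before the `memcpy()`. `ad_finderinfo3` is also the only fixture without a header comment; something like `/* FinderInfo that fits in the buffer but is shorter than the 32-byte minimum. */` would say what it exercises. The `parse_abouble_*` names look like a typo for `parse_adouble_*`, and the knownfail entries would need the same rename.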
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 26e251f442a..5230ae32934 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -1080,6 +1080,11 @@ bld.SAMBA3_SUBSYSTEM('SPOOLSSD',
+ 
+ ########################## BINARIES #################################
+ 
++bld.SAMBA3_BINARY('test_adouble',
++                 source='lib/test_adouble.c',
++                 deps='smbd_base STRING_REPLACE cmocka OFFLOAD_TOKEN',
++                 install=False)
++
+ bld.SAMBA3_BINARY('smbd/smbd',
+                  source='smbd/server.c smbd/smbd_cleanupd.c',
+                  deps='''
+-- 
+2.34.1
+
+
+From 5c1c2ea3dbe554f621014bb2b3133c0859dce2da Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 13 Jan 2022 17:03:02 +0100
+Subject: [PATCH 97/97] CVE-2021-44142: libadouble: harden parsing code
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ selftest/knownfail.d/samba.unittests.adouble |   3 -
+ source3/modules/vfs_fruit.c                  | 114 ++++++++++++++++---
+ 2 files changed, 100 insertions(+), 17 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba.unittests.adouble
+
+diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
+deleted file mode 100644
+index 8b0314f2fae..00000000000
+--- a/selftest/knownfail.d/samba.unittests.adouble
++++ /dev/null
+@@ -1,3 +0,0 @@
+-^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
+-^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
+-^samba.unittests.adouble.parse_abouble_date2\(none\)
+diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c
+index 76139e51047..17e97d15bdb 100644
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -540,6 +540,94 @@ static AfpInfo *afpinfo_new(TALLOC_CTX *ctx);
+ static ssize_t afpinfo_pack(const AfpInfo *ai, char *buf);
+ static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
+ 
++/*
++ * All entries besides FinderInfo and resource fork must fit into the
++ * buffer. FinderInfo is special as it may be larger then the default 32 bytes
++ * if it contains marshalled xattrs, which we will fixup that in
++ * ad_convert(). The first 32 bytes however must also be part of the buffer.
++ *
++ * The resource fork is never accessed directly by the ad_data buf.
++ */
++static bool ad_entry_check_size(uint32_t eid,
++				size_t bufsize,
++				uint32_t off,
++				uint32_t got_len)
++{
++	struct {
++		off_t expected_len;
++		bool fixed_size;
++		bool minimum_size;
++	} ad_checks[] = {
++		[ADEID_DFORK] = {-1, false, false}, /* not applicable */
++		[ADEID_RFORK] = {-1, false, false}, /* no limit */
++		[ADEID_NAME] = {ADEDLEN_NAME, false, false},
++		[ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
++		[ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
++		[ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
++		[ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
++		[ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
++		[ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
++		[ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
++		[ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
++		[ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
++		[ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
++		[ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
++		[ADEID_DID] = {ADEDLEN_DID, true, false},
++		[ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
++		[ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
++		[ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
++		[ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
++	};
++
++	if (eid >= ADEID_MAX) {
++		return false;
++	}
++	if (got_len == 0) {
++		/* Entry present, but empty, allow */
++		return true;
++	}
++	if (ad_checks[eid].expected_len == 0) {
++		/*
++		 * Shouldn't happen: implicitly initialized to zero because
++		 * explicit initializer missing.
++		 */
++		return false;
++	}
++	if (ad_checks[eid].expected_len == -1) {
++		/* Unused or no limit */
++		return true;
++	}
++	if (ad_checks[eid].fixed_size) {
++		if (ad_checks[eid].expected_len != got_len) {
++			/* Wrong size fo fixed size entry. */
++			return false;
++		}
++	} else {
++		if (ad_checks[eid].minimum_size) {
++			if (got_len < ad_checks[eid].expected_len) {
++				/*
++				 * Too small for variable sized entry with
++				 * minimum size.
++				 */
++				return false;
++			}
++		} else {
++			if (got_len > ad_checks[eid].expected_len) {
++				/* Too big for variable sized entry. */
++				return false;
++			}
++		}
++	}
++	if (off + got_len < off) {
++		/* wrap around */
++		return false;
++	}
++	if (off + got_len > bufsize) {
++		/* overflow */
++		return false;
++	}
++	return true;
++}
+ 
+ /**
+  * Return a pointer to an AppleDouble entry
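Review bot: The `eid >= ADEID_MAX` guard in ad_entry_check_size() only protects the `ad_checks[eid]` lookups if the table has at least ADEID_MAX elements, but the table's size is implied by its highest designated initializer (`[ADEID_PRIVID]`) rather than stated. Declaring it as `static const struct { ... } ad_checks[ADEID_MAX] = {` would tie the bound to the guard and leave any unlisted id zero-filled, so it hits the existing `expected_len == 0` rejection. It would also avoid rebuilding the table on every call. The header comment reads looser than the code: it says only the first 32 bytes of FinderInfo must be in the buffer, while the final `off + got_len > bufsize` test applies to the whole FinderInfo entry, so the comment should state which is intended. The `off + got_len < off` test relies on both operands being `uint32_t`, which deserves a short comment such as `/* uint32_t arithmetic: detects wrap-around */`.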
+@@ -548,8 +636,15 @@ static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
+  **/
+ static char *ad_get_entry(const struct adouble *ad, int eid)
+ {
++	size_t bufsize = talloc_get_size(ad->ad_data);
+ 	off_t off = ad_getentryoff(ad, eid);
+ 	size_t len = ad_getentrylen(ad, eid);
++	bool valid;
++
++	valid = ad_entry_check_size(eid, bufsize, off, len);
++	if (!valid) {
++		return NULL;
++	}
+ 
+ 	if (off == 0 || len == 0) {
+ 		return NULL;
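Review bot: `off` is an `off_t` and `len` a `size_t` in ad_get_entry(), but ad_entry_check_size() takes both as `uint32_t`, so the call narrows them implicitly. The check can then pass on truncated values while the rest of the function, which continues outside this hunk, keeps using the full-width ones. Entries filled in by ad_unpack() appear to come from 32-bit fields, so this may not be reachable today, but an explicit guard before the call makes the assumption visible: `if (off < 0 || off > UINT32_MAX || len > UINT32_MAX) { return NULL; }`. Also, `ad_getentryoff(ad, eid)` and `ad_getentrylen(ad, eid)` run before the helper range-checks `eid`; if they index by `eid`, validating it first would be safer.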
+@@ -935,20 +1030,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
+ 			return false;
+ 		}
+ 
+-		/*
+-		 * All entries besides FinderInfo and resource fork
+-		 * must fit into the buffer. FinderInfo is special as
+-		 * it may be larger then the default 32 bytes (if it
+-		 * contains marshalled xattrs), but we will fixup that
+-		 * in ad_convert(). And the resource fork is never
+-		 * accessed directly by the ad_data buf (also see
+-		 * comment above) anyway.
+-		 */
+-		if ((eid != ADEID_RFORK) &&
+-		    (eid != ADEID_FINDERI) &&
+-		    ((off + len) > bufsize)) {
+-			DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
+-				  eid, off, len));
++		ok = ad_entry_check_size(eid, bufsize, off, len);
++		if (!ok) {
++			DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
++				"off [%"PRIu32"] len [%"PRIu32"]\n",
++				eid, bufsize, off, len);
+ 			return false;
+ 		}
+ 
+-- 
+2.34.1
 
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 7062f94..6c1b77e 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 17
+%define main_release 18
 
 %define samba_version 4.10.16
 %define talloc_version 2.1.16
@@ -3305,6 +3305,11 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
+* Tue Jan 25 2022 Andreas Schneider <asn@redhat.com> - 4.10.16-18
+- resolves: #2034800 - Fix usermap script regression caused by CVE-2020-25717
+- resolves: #2036595 - Fix MIT realm regression caused by CVE-2020-25717
+- resolves: #2046148 - Fix CVE-2021-44142
+
 * Mon Nov 15 2021 Andreas Schneider <asn@redhat.com> - 4.10.16-17
 - related: #2019673 - Add missing checks for IPA DC server role