diff --git a/SOURCES/0210-support-krb5-1.18.patch b/SOURCES/0210-support-krb5-1.18.patch
new file mode 100644
index 0000000..7cfa02e
--- /dev/null
+++ b/SOURCES/0210-support-krb5-1.18.patch
@@ -0,0 +1,191 @@
+From 6e3fd37ab243858e6494a37b3c805bff855ff5a7 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Mon, 16 Sep 2019 16:40:12 +0300
+Subject: [PATCH] Adapt sign_authdata in our KDB module for krb5 v1.18
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source4/kdc/mit-kdb/kdb_samba.c | 2 +-
+ source4/kdc/mit-kdb/kdb_samba.h | 21 ++++++++++++++++++
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 27 ++++++++++++++++++++++++
+ 3 files changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
+index c5157d6ed1b..02bbdca9f54 100644
+--- a/source4/kdc/mit-kdb/kdb_samba.c
++++ b/source4/kdc/mit-kdb/kdb_samba.c
+@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
+
+ kdb_vftabl kdb_function_table = {
+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+- .min_ver = 1,
++ .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
+
+ .init_library = kdb_samba_init_library,
+ .fini_library = kdb_samba_fini_library,
+diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
+index 22ef9085b6a..ad4f6e27573 100644
+--- a/source4/kdc/mit-kdb/kdb_samba.h
++++ b/source4/kdc/mit-kdb/kdb_samba.h
+@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
+
+ /* from kdb_samba_policies.c */
+
++#if KRB5_KDB_API_VERSION < 10
+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data);
++#else
++krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
++ unsigned int flags,
++ krb5_const_principal client_princ,
++ krb5_const_principal server_princ,
++ krb5_db_entry *client,
++ krb5_db_entry *server,
++ krb5_db_entry *krbtgt,
++ krb5_db_entry *local_krbtgt,
++ krb5_keyblock *client_key,
++ krb5_keyblock *server_key,
++ krb5_keyblock *krbtgt_key,
++ krb5_keyblock *local_krbtgt_key,
++ krb5_keyblock *session_key,
++ krb5_timestamp authtime,
++ krb5_authdata **tgt_auth_data,
++ void *authdata_info,
++ krb5_data ***auth_indicators,
++ krb5_authdata ***signed_auth_data);
++#endif
+
+ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
+ krb5_kdc_req *kdcreq,
+diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
+index fc80329f221..586cf81451d 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
+@@ -287,6 +287,7 @@ done:
+ return code;
+ }
+
++#if KRB5_KDB_API_VERSION < 10
+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+@@ -301,6 +302,27 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data)
+ {
++#else
++krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
++ unsigned int flags,
++ krb5_const_principal client_princ,
++ krb5_const_principal server_princ,
++ krb5_db_entry *client,
++ krb5_db_entry *server,
++ krb5_db_entry *krbtgt,
++ krb5_db_entry *local_krbtgt,
++ krb5_keyblock *client_key,
++ krb5_keyblock *server_key,
++ krb5_keyblock *krbtgt_key,
++ krb5_keyblock *local_krbtgt_key,
++ krb5_keyblock *session_key,
++ krb5_timestamp authtime,
++ krb5_authdata **tgt_auth_data,
++ void *authdata_info,
++ krb5_data ***auth_indicators,
++ krb5_authdata ***signed_auth_data)
++{
++#endif
+ krb5_const_principal ks_client_princ;
+ krb5_authdata **authdata = NULL;
+ krb5_boolean is_as_req;
+@@ -308,6 +330,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krb5_pac pac = NULL;
+ krb5_data pac_data;
+
++#if KRB5_KDB_API_VERSION >= 10
++ krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
++ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
++#endif
++
+ /* Prefer canonicalised name from client entry */
+ if (client != NULL) {
+ ks_client_princ = client->princ;
+--
+2.25.4
+
+From 958807109845313c35a0c6949b33ffbc09eeba59 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 16 Jan 2020 22:00:21 +0100
+Subject: [PATCH] Sign and verify PAC with ticket principal instead of canon
+ principal
+
+With MIT library 1.18 the KDC no longer set
+KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
+us to not canonicalize them (like in Windows / Heimdal).
+
+However, it now breaks the PAC signature verification as it was
+wrongly done using canonical client rather than ticket client name.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
+
+Signed-off-by: Isaac Boukris <iboukris@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+---
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
+index 586cf81451d..2eec496fa92 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
+@@ -323,7 +323,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krb5_authdata ***signed_auth_data)
+ {
+ #endif
+- krb5_const_principal ks_client_princ;
+ krb5_authdata **authdata = NULL;
+ krb5_boolean is_as_req;
+ krb5_error_code code;
+@@ -335,13 +334,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+ #endif
+
+- /* Prefer canonicalised name from client entry */
+- if (client != NULL) {
+- ks_client_princ = client->princ;
+- } else {
+- ks_client_princ = client_princ;
+- }
+-
+ is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+
+ if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+@@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ if (!is_as_req) {
+ code = ks_verify_pac(context,
+ flags,
+- ks_client_princ,
++ client_princ,
+ client,
+ server,
+ krbtgt,
+@@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ goto done;
+ }
+
+- code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
++ code = krb5_pac_sign(context, pac, authtime, client_princ,
+ server_key, krbtgt_key, &pac_data);
+ if (code != 0) {
+ DBG_ERR("krb5_pac_sign failed: %d\n", code);
+--
+2.25.4
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 51f3b9c..7a46d52 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
# ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering
-%define main_release 13
+%define main_release 14
%define samba_version 4.11.2
%define talloc_version 2.2.0
@@ -73,7 +73,7 @@
%global with_dc 1
%endif
-%global required_mit_krb5 1.15.1
+%global required_mit_krb5 1.18
%global with_clustering_support 0
@@ -326,6 +326,7 @@ Patch0206: 0206-param-Do-not-use-weak-crypto-in-ldap-server-if-disal.patch
Patch0207: 0207-libcli-auth-If-weak-crypto-is-disallowed-reject-md5-.patch
Patch0208: 0208-s3-librpc-Only-use-RC4-if-our-systems-supports-it.patch
Patch0209: 0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
+Patch0210: 0210-support-krb5-1.18.patch
Patch1000: samba-4.11.3-only_link_libnsl_libsocket_if_needed.patch
Patch1001: CVE-2019-14907-4.11.patch
@@ -3725,6 +3726,10 @@ fi
%endif
%changelog
+* Fri May 29 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.2-14
+- Rebuild with krb5 1.18
+- Resolves: #1817578 - support krb5 1.18
+
* Thu Feb 13 2020 Isaac Boukris <iboukris@redhat.com> - 4.11.2-13
- resolves: #1802182 - Fix join using netbios name