diff --git a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch
new file mode 100644
index 0000000..93c2caa
--- /dev/null
+++ b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch
@@ -0,0 +1,411 @@
+From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 12:59:44 +0100
+Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error
+ path
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)
+---
+ source3/libads/authdata.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
+index dd21d895fc2..c048510d480 100644
+--- a/source3/libads/authdata.c
++++ b/source3/libads/authdata.c
+@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ {
+ krb5_error_code ret;
+ NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
+- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
++ DATA_BLOB tkt = data_blob_null;
++ DATA_BLOB tkt_wrapped = data_blob_null;
++ DATA_BLOB ap_rep = data_blob_null;
++ DATA_BLOB sesskey1 = data_blob_null;
+ const char *auth_princ = NULL;
+ const char *cc = "MEMORY:kerberos_return_pac";
+ struct auth_session_info *session_info;
+@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ ZERO_STRUCT(sesskey1);
+
+ if (!name || !pass) {
+- return NT_STATUS_INVALID_PARAMETER;
++ status = NT_STATUS_INVALID_PARAMETER;
++ goto out;
+ }
+
+ if (cache_name) {
+@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+
+ if (expire_time && renew_till_time &&
+ (*expire_time == 0) && (*renew_till_time == 0)) {
+- return NT_STATUS_INVALID_LOGON_TYPE;
++ status = NT_STATUS_INVALID_LOGON_TYPE;
++ goto out;
+ }
+
+ ret = ads_krb5_cli_get_ticket(mem_ctx,
+--
+2.35.1
+
+
+From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 13:00:05 +0100
+Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug
+ macro
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)
+---
+ lib/krb5_wrap/krb5_samba.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index fff5b4e2a22..42d4b950f80 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
+ goto done;
+ }
+
+- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
++ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
+
+ /* FIXME: we should not fall back to defaults */
+ ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
+--
+2.35.1
+
+
+From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 14:28:28 +0100
+Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer
+ debug macro
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)
+---
+ lib/krb5_wrap/krb5_samba.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 42d4b950f80..76c2dcd2126 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
+
+ ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
+ if (ret) {
+- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
++ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
++ "for client '%s' and service '%s' failed: %s\n",
++ ccache_string, client_string, service_string,
++ error_message(ret));
+ goto done;
+ }
+
+--
+2.35.1
+
+
+From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 13:08:56 +0100
+Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from
+ kerberos_return_pac()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
+---
+ source3/libads/authdata.c | 22 +++++++++++++++++++++-
+ source3/libads/kerberos_proto.h | 2 ++
+ source3/utils/net_ads.c | 2 ++
+ source3/winbindd/winbindd_pam.c | 2 ++
+ 4 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
+index c048510d480..bf9a2335445 100644
+--- a/source3/libads/authdata.c
++++ b/source3/libads/authdata.c
+@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ time_t renewable_time,
+ const char *impersonate_princ_s,
+ const char *local_service,
++ char **_canon_principal,
++ char **_canon_realm,
+ struct PAC_DATA_CTR **_pac_data_ctr)
+ {
+ krb5_error_code ret;
+@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ struct auth4_context *auth_context;
+ struct loadparm_context *lp_ctx;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
++ char *canon_principal = NULL;
++ char *canon_realm = NULL;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
+@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ goto out;
+ }
+
++ if (_canon_principal != NULL) {
++ *_canon_principal = NULL;
++ }
++
++ if (_canon_realm != NULL) {
++ *_canon_realm = NULL;
++ }
++
+ if (cache_name) {
+ cc = cache_name;
+ }
+@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ request_pac,
+ add_netbios_addr,
+ renewable_time,
+- NULL, NULL, NULL,
++ tmp_ctx,
++ &canon_principal,
++ &canon_realm,
+ &status);
+ if (ret) {
+ DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
+@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ }
+
+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
++ if (_canon_principal != NULL) {
++ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
++ }
++ if (_canon_realm != NULL) {
++ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
++ }
+
+ out:
+ talloc_free(tmp_ctx);
+diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
+index 3d7b5bc074b..807381248c8 100644
+--- a/source3/libads/kerberos_proto.h
++++ b/source3/libads/kerberos_proto.h
+@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ time_t renewable_time,
+ const char *impersonate_princ_s,
+ const char *local_service,
++ char **_canon_principal,
++ char **_canon_realm,
+ struct PAC_DATA_CTR **pac_data_ctr);
+
+ /* The following definitions come from libads/krb5_setpw.c */
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index 8f993f9ba4c..c41fb0afe9c 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
+ 2592000, /* one month */
+ impersonate_princ_s,
+ local_service,
++ NULL,
++ NULL,
+ pac_data_ctr);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf(_("failed to query kerberos PAC: %s\n"),
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 7606bfb4ecd..025a5cbc111 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL,
+ local_service,
++ NULL,
++ NULL,
+ &pac_data_ctr);
+ if (user_ccache_file != NULL) {
+ gain_root_privilege();
+--
+2.35.1
+
+
+From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 13:19:02 +0100
+Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache
+ entry
+
+They will be used later to refresh the tickets.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
+---
+ source3/winbindd/winbindd.h | 2 ++
+ source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++-
+ source3/winbindd/winbindd_pam.c | 14 ++++++++++----
+ source3/winbindd/winbindd_proto.h | 4 +++-
+ 4 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
+index a6b2238cec1..dac4a1fa927 100644
+--- a/source3/winbindd/winbindd.h
++++ b/source3/winbindd/winbindd.h
+@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
+ const char *service;
+ const char *username;
+ const char *realm;
++ const char *canon_principal;
++ const char *canon_realm;
+ struct WINBINDD_MEMORY_CREDS *cred_ptr;
+ int ref_count;
+ uid_t uid;
+diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
+index c3077e21989..88847b1ab97 100644
+--- a/source3/winbindd/winbindd_cred_cache.c
++++ b/source3/winbindd/winbindd_cred_cache.c
+@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
+ time_t create_time,
+ time_t ticket_end,
+ time_t renew_until,
+- bool postponed_request)
++ bool postponed_request,
++ const char *canon_principal,
++ const char *canon_realm)
+ {
+ struct WINBINDD_CCACHE_ENTRY *entry = NULL;
+ struct timeval t;
+@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
+ goto no_mem;
+ }
+ }
++ if (canon_principal != NULL) {
++ entry->canon_principal = talloc_strdup(entry, canon_principal);
++ if (entry->canon_principal == NULL) {
++ goto no_mem;
++ }
++ }
++ if (canon_realm != NULL) {
++ entry->canon_realm = talloc_strdup(entry, canon_realm);
++ if (entry->canon_realm == NULL) {
++ goto no_mem;
++ }
++ }
+
+ entry->ccname = talloc_strdup(entry, ccname);
+ if (!entry->ccname) {
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 025a5cbc111..a24cef78440 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ const char *local_service;
+ uint32_t i;
+ struct netr_SamInfo6 *info6_copy = NULL;
++ char *canon_principal = NULL;
++ char *canon_realm = NULL;
+ bool ok;
+
+ *info6 = NULL;
+@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL,
+ local_service,
+- NULL,
+- NULL,
++ &canon_principal,
++ &canon_realm,
+ &pac_data_ctr);
+ if (user_ccache_file != NULL) {
+ gain_root_privilege();
+@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ time(NULL),
+ ticket_lifetime,
+ renewal_until,
+- false);
++ false,
++ canon_principal,
++ canon_realm);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
+@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
+ time(NULL),
+ time(NULL) + lp_winbind_cache_time(),
+ time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+- true);
++ true,
++ principal_s,
++ realm);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
+diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
+index c0d653a6d77..16c23f3de40 100644
+--- a/source3/winbindd/winbindd_proto.h
++++ b/source3/winbindd/winbindd_proto.h
+@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
+ time_t create_time,
+ time_t ticket_end,
+ time_t renew_until,
+- bool postponed_request);
++ bool postponed_request,
++ const char *canon_principal,
++ const char *canon_realm);
+ NTSTATUS remove_ccache(const char *username);
+ struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
+ NTSTATUS winbindd_add_memory_creds(const char *username,
+--
+2.35.1
+
+
+From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 22 Feb 2022 14:28:44 +0100
+Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the
+ credentials
+
+The principal name stored in the winbindd ccache entry might be an
+enterprise principal name if enterprise principals are enabled. Use
+the canonical name to renew the credentials.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
+---
+ source3/winbindd/winbindd_cred_cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
+index 88847b1ab97..6c65db6a73f 100644
+--- a/source3/winbindd/winbindd_cred_cache.c
++++ b/source3/winbindd/winbindd_cred_cache.c
+@@ -209,7 +209,7 @@ rekinit:
+ set_effective_uid(entry->uid);
+
+ ret = smb_krb5_renew_ticket(entry->ccname,
+- entry->principal_name,
++ entry->canon_principal,
+ entry->service,
+ &new_start);
+ #if defined(DEBUG_KRB5_TKT_RENEWAL)
+--
+2.35.1
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index e7d6298..47b704e 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -132,7 +132,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
-%global baserelease 3
+%global baserelease 4
%global samba_version 4.15.5
%global talloc_version 2.3.3
@@ -210,6 +210,7 @@ Patch5: samba-disable-ntlmssp.patch
Patch6: samba-password-change-prompt.patch
Patch7: samba-virus_scanner.patch
Patch8: samba-4-15-fix-autorid.patch
+Patch9: samba-4-15-fix-winbind-refresh-tickets.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@@ -4108,10 +4109,13 @@ fi
%endif
%changelog
-* Mon Feb 21 2022 Andreas Schneider <asn@redhat.com> - 4.15.2-3
+* Thu Feb 24 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-4
+- resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh
+
+* Mon Feb 21 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-3
- related: rhbz#1979959 - Fix typo in testparm output
-* Thu Feb 17 2022 Andreas Schneider <asn@redhat.com> - 4.15.2-2
+* Thu Feb 17 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-2
- resolves: rhbz#1979959 - Improve idmap autorid sanity checks and documentation
* Mon Feb 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-1