diff --git a/.gitignore b/.gitignore
index 9b3845c..41cd890 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/samba-4.15.3.tar.xz
+SOURCES/samba-4.15.5.tar.xz
SOURCES/samba-pubkey_AA99442FB680B620.gpg
diff --git a/.samba.metadata b/.samba.metadata
index 3011278..b1ff8f6 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
-e778708ce1f39566d91d74dce8e9940b324d1ef1 SOURCES/samba-4.15.3.tar.xz
+f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg
diff --git a/SOURCES/samba-4.15.3.tar.asc b/SOURCES/samba-4.15.3.tar.asc
deleted file mode 100644
index dbc01c2..0000000
--- a/SOURCES/samba-4.15.3.tar.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmGww0kACgkQqplEL7aA
-tiCzMg/+IzBD53oeYFSSt6V9o1ZhD/7bL425n/7Ea2iLaHkOEQWN3AgKV7h1rdSb
-tS/Ys3xUf9LB1ZVkXbu17oWj5pG8aWcp6Ky80uXHycZ5X0/fcHegSU5SIyUfLs0F
-d3BXvFWkPIy8H9a55wFTpJte2ofRoFqWUG4MAlOq83ummnmrz0W5j6QcufVIRjWq
-hGMbg8Vjk+UEtKNO7fl8iSQ0ZRyXCkBR3biDBtMbvtoluaVkixxwwSPqgDoNXgju
-ox2EbVfHLSHc+7Tb30uKQq/mf3uhf6ASIrajNVrXotK1fgpCCKnMLb9qRHEftttY
-DwYKQvsrHCw9vYg/xyO2NOBr82mxjE6NBLsV1Kp8pdc4vInmAqOCsQpOuZ0SgO6u
-sZk4c5AkfH7pZtHeNtlefiGe8/7ApU6UC6kkXT3mnLBtWKMBte9/NR6ZgCLle7tV
-aAx6Io9j/rAeueRRgIK98bzxXSufjtFyNmM+Qr7IXnFHtJNM919ib4pr5DzpGwAc
-+FMG0LfmU0XiUXcbw/IZ3AOD2DBwZC58ZezO3alUS8eRqNTP13v3Uhg9F78+eyah
-Wbohx05Y4MA1ywtMd8z/dZn97nw3bw+z6fLNC//1Sq1qo1fXipaoSQW1LK9IHeVO
-cV7cvd2c16p7NN3Op+34QY7Nc7b1uhtTV3v3tiEQYR/uQx+tyz8=
-=fu6B
------END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.15.5.tar.asc b/SOURCES/samba-4.15.5.tar.asc
new file mode 100644
index 0000000..4e31e62
--- /dev/null
+++ b/SOURCES/samba-4.15.5.tar.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA
+tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX
+KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9
+j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt
+b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY
+0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v
+/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj
++rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9
+g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y
+5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ
+f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB
+OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo=
+=oc6g
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/samba-disable-ntlmssp.patch b/SOURCES/samba-disable-ntlmssp.patch
new file mode 100644
index 0000000..d80e85b
--- /dev/null
+++ b/SOURCES/samba-disable-ntlmssp.patch
@@ -0,0 +1,764 @@
+From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 10 Dec 2021 16:08:04 +0100
+Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
+---
+ source3/utils/net_ads.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index 6ab4a0096b1..8f993f9ba4c 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
+ char *cp;
+ const char *realm = NULL;
+ bool tried_closest_dc = false;
++ enum credentials_use_kerberos krb5_state =
++ CRED_USE_KERBEROS_DISABLED;
+
+ /* lp_realm() should be handled by a command line param,
+ However, the join requires that realm be set in smb.conf
+@@ -650,10 +652,28 @@ retry:
+ ads->auth.password = smb_xstrdup(c->opt_password);
+ }
+
+- ads->auth.flags |= auth_flags;
+ SAFE_FREE(ads->auth.user_name);
+ ads->auth.user_name = smb_xstrdup(c->opt_user_name);
+
++ ads->auth.flags |= auth_flags;
++
++ /* The ADS code will handle FIPS mode */
++ krb5_state = cli_credentials_get_kerberos_state(c->creds);
++ switch (krb5_state) {
++ case CRED_USE_KERBEROS_REQUIRED:
++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
++ break;
++ case CRED_USE_KERBEROS_DESIRED:
++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++ break;
++ case CRED_USE_KERBEROS_DISABLED:
++ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++ break;
++ }
++
+ /*
+ * If the username is of the form "name@realm",
+ * extract the realm and convert to upper case.
+--
+2.33.1
+
+
+From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Wed, 8 Dec 2021 16:05:17 +0100
+Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
+---
+ source3/libads/sasl.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 60fa2bf80cb..b91e2d15bcf 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -1,18 +1,18 @@
+-/*
++/*
+ Unix SMB/CIFS implementation.
+ ads sasl code
+ Copyright (C) Andrew Tridgell 2001
+-
++
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+-
++
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+-
++
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
+ .disconnect = ads_sasl_gensec_disconnect
+ };
+
+-/*
++/*
+ perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
+ we fit on one socket??)
+ */
+@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
+
+ #endif /* HAVE_KRB5 */
+
+-/*
++/*
+ this performs a SASL/SPNEGO bind
+ */
+ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ file_save("sasl_spnego.dat", blob.data, blob.length);
+ #endif
+
+- /* the server sent us the first part of the SPNEGO exchange in the negprot
++ /* the server sent us the first part of the SPNEGO exchange in the negprot
+ reply */
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
+ OIDs[0] == NULL) {
+@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+
+ #ifdef HAVE_KRB5
+ if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
+- got_kerberos_mechanism)
++ got_kerberos_mechanism)
+ {
+ mech = "KRB5";
+
+@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ "calling kinit\n", ads_errstr(status)));
+ }
+
+- status = ADS_ERROR_KRB5(ads_kinit_password(ads));
++ status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+
+ if (ADS_ERR_OK(status)) {
+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ }
+
+ /* only fallback to NTLMSSP if allowed */
+- if (ADS_ERR_OK(status) ||
++ if (ADS_ERR_OK(status) ||
+ !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ goto done;
+ }
+@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ #endif
+
+ /* lets do NTLMSSP ... this has the big advantage that we don't need
+- to sync clocks, and we don't rely on special versions of the krb5
++ to sync clocks, and we don't rely on special versions of the krb5
+ library for HMAC_MD4 encryption */
+ mech = "NTLMSSP";
+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+--
+2.33.1
+
+
+From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Thu, 9 Dec 2021 13:43:08 +0100
+Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
+---
+ source3/libads/sasl.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index b91e2d15bcf..992f7022a69 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+
+ DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
+ "for %s/%s with user[%s] realm[%s]: %s, "
+- "fallback to NTLMSSP\n",
++ "try to fallback to NTLMSSP\n",
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ to sync clocks, and we don't rely on special versions of the krb5
+ library for HMAC_MD4 encryption */
+ mech = "NTLMSSP";
++
++ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
++ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
++ " disallowed.\n");
++ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++ goto done;
++ }
++
+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+ CRED_USE_KERBEROS_DISABLED,
+ p.service, p.hostname,
+--
+2.33.1
+
+
+From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 7 Jan 2022 10:31:19 +0100
+Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
+---
+ source3/libads/sasl.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 992f7022a69..ea98aa47ecd 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ p.service, p.hostname,
+ blob);
+ if (!ADS_ERR_OK(status)) {
+- DEBUG(0,("kinit succeeded but "
+- "ads_sasl_spnego_gensec_bind(KRB5) failed "
+- "for %s/%s with user[%s] realm[%s]: %s\n",
++ DBG_ERR("kinit succeeded but "
++ "SPNEGO bind with Kerberos failed "
++ "for %s/%s - user[%s], realm[%s]: %s\n",
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+- ads_errstr(status)));
++ ads_errstr(status));
+ }
+ }
+
+@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ goto done;
+ }
+
+- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
+- "for %s/%s with user[%s] realm[%s]: %s, "
+- "try to fallback to NTLMSSP\n",
+- p.service, p.hostname,
+- ads->auth.user_name,
+- ads->auth.realm,
+- ads_errstr(status)));
++ DBG_WARNING("SASL bind with Kerberos failed "
++ "for %s/%s - user[%s], realm[%s]: %s, "
++ "try to fallback to NTLMSSP\n",
++ p.service, p.hostname,
++ ads->auth.user_name,
++ ads->auth.realm,
++ ads_errstr(status));
+ }
+ #endif
+
+--
+2.33.1
+
+
+From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Mon, 3 Jan 2022 11:13:06 +0100
+Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
+ without kerberos)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
+---
+ source3/libads/sasl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index ea98aa47ecd..1bcfe0490a8 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ library for HMAC_MD4 encryption */
+ mech = "NTLMSSP";
+
++ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
++ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
++ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
++ goto done;
++ }
++
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ " disallowed.\n");
+--
+2.33.1
+
+
+From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Mon, 3 Jan 2022 15:33:46 +0100
+Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
+---
+ .../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+ create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
+
+diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
+new file mode 100755
+index 00000000000..2822ab29d14
+--- /dev/null
++++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
+@@ -0,0 +1,41 @@
++#!/bin/sh
++# Blackbox tests for diabing NTLMSSP for ldap clinet connections
++# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
++
++if [ $# -lt 2 ]; then
++cat <<EOF
++Usage: $0 USERNAME PASSWORD
++EOF
++exit 1;
++fi
++
++USERNAME=$1
++PASSWORD=$2
++shift 2
++
++failed=0
++. `dirname $0`/subunit.sh
++
++samba_testparm="$BINDIR/testparm"
++samba_net="$BINDIR/net"
++
++unset GNUTLS_FORCE_FIPS_MODE
++
++# Checks that testparm reports: Weak crypto is allowed
++testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
++
++# We should be allowed to use NTLM for connecting
++testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
++
++GNUTLS_FORCE_FIPS_MODE=1
++export GNUTLS_FORCE_FIPS_MODE
++
++# Checks that testparm reports: Weak crypto is disallowed
++testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
++
++# We should not be allowed to use NTLM for connecting
++testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
++
++unset GNUTLS_FORCE_FIPS_MODE
++
++exit $failed
+--
+2.33.1
+
+
+From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 4 Jan 2022 12:00:20 +0100
+Subject: [PATCH 07/10] s4:selftest: plan test suite
+ samba4.blackbox.test_weak_disable_ntlmssp_ldap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
+---
+ source4/selftest/tests.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index 1e4b2ae6dd3..3a6a716f061 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
+
+ if have_gnutls_fips_mode_support:
+ plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
++ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
+
+ for env in ["ad_dc_fips", "ad_member_fips"]:
+ plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
+--
+2.33.1
+
+
+From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 18 Jan 2022 19:47:38 +0100
+Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
+---
+ source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 948c903f165..e415df347e6 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
+- domain->name));
++ domain->name));
+ return NT_STATUS_OK;
+ }
+
+@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
+- domain->name));
++ domain->name));
+ return NT_STATUS_OK;
+ }
+
+@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ * According to Section 5.1(4) of RFC 2251 if a value of a type is it's
+ * default value, it MUST be absent. In case of extensible matching the
+ * "dnattr" boolean defaults to FALSE and so it must be only be present
+- * when set to TRUE.
++ * when set to TRUE.
+ *
+ * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
+ * filter using bitwise matching rule then the buggy AD fails to decode
+@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ *
+ * Thanks to Ralf Haferkamp for input and testing - Guenther */
+
+- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
++ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
+ ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
+- ADS_LDAP_MATCHING_RULE_BIT_AND,
++ ADS_LDAP_MATCHING_RULE_BIT_AND,
+ enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
+
+ if (filter == NULL) {
+@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
+
+ done:
+- if (res)
++ if (res)
+ ads_msgfree(ads, res);
+
+ return status;
+@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ struct wb_acct_info **info)
+ {
+ /*
+- * This is a stub function only as we returned the domain
++ * This is a stub function only as we returned the domain
+ * local groups in enum_dom_groups() if the domain->native field
+ * was true. This is a simple performance optimization when
+ * using LDAP.
+ *
+- * if we ever need to enumerate domain local groups separately,
++ * if we ever need to enumerate domain local groups separately,
+ * then this optimization in enum_dom_groups() will need
+ * to be split out
+ */
+@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
+ tokenGroups are not available. */
+ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+- const char *user_dn,
++ const char *user_dn,
+ struct dom_sid *primary_group,
+ uint32_t *p_num_groups, struct dom_sid **user_sids)
+ {
+@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+
+ if ( !winbindd_can_contact_domain( domain ) ) {
+ DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
+- domain->name));
++ domain->name));
+ return NT_STATUS_OK;
+ }
+
+@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
+
+ DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
+ done:
+- if (res)
++ if (res)
+ ads_msgfree(ads, res);
+
+ return status;
+@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ if (count != 1) {
+ status = NT_STATUS_UNSUCCESSFUL;
+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
+- "invalid number of results (count=%d)\n",
++ "invalid number of results (count=%d)\n",
+ dom_sid_str_buf(sid, &buf),
+ count));
+ goto done;
+ }
+
+ if (!msg) {
+- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
++ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
+ dom_sid_str_buf(sid, &buf)));
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ }
+
+ if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
+- DEBUG(1,("%s: No primary group for sid=%s !?\n",
++ DEBUG(1,("%s: No primary group for sid=%s !?\n",
+ domain->name,
+ dom_sid_str_buf(sid, &buf)));
+ goto done;
+@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+
+ count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
+
+- /* there must always be at least one group in the token,
++ /* there must always be at least one group in the token,
+ unless we are talking to a buggy Win2k server */
+
+ /* actually this only happens when the machine account has no read
+@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ /* lookup what groups this user is a member of by DN search on
+ * "member" */
+
+- status = lookup_usergroups_member(domain, mem_ctx, user_dn,
++ status = lookup_usergroups_member(domain, mem_ctx, user_dn,
+ &primary_group,
+ &num_groups, user_sids);
+ *p_num_groups = num_groups;
+@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
+ "not map any SIDs at all.\n"));
+ /* Don't handle this as an error here.
+- * There is nothing left to do with respect to the
++ * There is nothing left to do with respect to the
+ * overall result... */
+ }
+ else if (!NT_STATUS_IS_OK(status)) {
+@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ NETR_TRUST_FLAG_IN_FOREST;
+ } else {
+ flags = NETR_TRUST_FLAG_IN_FOREST;
+- }
++ }
+
+ result = cm_connect_netlogon(domain, &cli);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(5, ("trusted_domains: Could not open a connection to %s "
+- "for PIPE_NETLOGON (%s)\n",
++ "for PIPE_NETLOGON (%s)\n",
+ domain->name, nt_errstr(result)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+--
+2.33.1
+
+
+From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 18 Jan 2022 19:44:54 +0100
+Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
+---
+ source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index e415df347e6..6f01ef6e334 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -34,6 +34,7 @@
+ #include "../libds/common/flag_mapping.h"
+ #include "libsmb/samlogon_cache.h"
+ #include "passdb.h"
++#include "auth/credentials/credentials.h"
+
+ #ifdef HAVE_ADS
+
+@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ ADS_STATUS status;
+ struct sockaddr_storage dc_ss;
+ fstring dc_name;
++ enum credentials_use_kerberos krb5_state;
+
+ if (auth_realm == NULL) {
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ ads->auth.renewable = renewable;
+ ads->auth.password = password;
+
+- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++ /* In FIPS mode, client use kerberos is forced to required. */
++ krb5_state = lp_client_use_kerberos();
++ switch (krb5_state) {
++ case CRED_USE_KERBEROS_REQUIRED:
++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
++ break;
++ case CRED_USE_KERBEROS_DESIRED:
++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++ break;
++ case CRED_USE_KERBEROS_DISABLED:
++ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++ break;
++ }
+
+ ads->auth.realm = SMB_STRDUP(auth_realm);
+ if (!strupper_m(ads->auth.realm)) {
+--
+2.33.1
+
+
+From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Fri, 21 Jan 2022 12:01:33 +0100
+Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
+
+(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
+---
+ source3/libnet/libnet_join.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 02705f1c70c..4c67e9af5c4 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ ADS_STATUS status;
+ ADS_STRUCT *my_ads = NULL;
+ char *cp;
++ enum credentials_use_kerberos krb5_state;
+
+ my_ads = ads_init(dns_domain_name,
+ netbios_domain_name,
+@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+
+- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++ /* In FIPS mode, client use kerberos is forced to required. */
++ krb5_state = lp_client_use_kerberos();
++ switch (krb5_state) {
++ case CRED_USE_KERBEROS_REQUIRED:
++ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
++ break;
++ case CRED_USE_KERBEROS_DESIRED:
++ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++ break;
++ case CRED_USE_KERBEROS_DISABLED:
++ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
++ break;
++ }
+
+ if (user_name) {
+ SAFE_FREE(my_ads->auth.user_name);
+--
+2.33.1
+
diff --git a/SOURCES/samba-disable-systemd-notifications.patch b/SOURCES/samba-disable-systemd-notifications.patch
new file mode 100644
index 0000000..9e57630
--- /dev/null
+++ b/SOURCES/samba-disable-systemd-notifications.patch
@@ -0,0 +1,36 @@
+From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
+From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
+Date: Mon, 24 Jan 2022 22:14:31 -0500
+Subject: [PATCH] printing/bgqd: Disable systemd notifications
+
+samba-bgqd daemon is started by existing Samba daemons. When running
+under systemd, those daemons control systemd notifications and
+samba-bgqd messages need to be silenced.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
+
+Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
+---
+ source3/printing/samba-bgqd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
+index f21327fc622..59ed0cc40db 100644
+--- a/source3/printing/samba-bgqd.c
++++ b/source3/printing/samba-bgqd.c
+@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
+
+ log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
+
++ /* main process will notify systemd */
++ daemon_sd_notifications(false);
++
+ if (!cmdline_daemon_cfg->fork) {
+ daemon_status(progname, "Starting process ... ");
+ } else {
+--
+2.34.1
+
diff --git a/SOURCES/samba-password-change-prompt.patch b/SOURCES/samba-password-change-prompt.patch
new file mode 100644
index 0000000..5dee86c
--- /dev/null
+++ b/SOURCES/samba-password-change-prompt.patch
@@ -0,0 +1,100 @@
+From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 17 Nov 2021 09:56:09 +0100
+Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
+ off).
+
+This change disables the prompt for the change of an expired password by
+default (using the PAM_RADIO_TYPE mechanism if present).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
+---
+ docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++
+ nsswitch/pam_winbind.c | 12 ++++++++++--
+ nsswitch/pam_winbind.h | 1 +
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
+index 0bc288f91a1..bae9298fc32 100644
+--- a/docs-xml/manpages/pam_winbind.conf.5.xml
++++ b/docs-xml/manpages/pam_winbind.conf.5.xml
+@@ -194,6 +194,13 @@
+ </para></listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term>pwd_change_prompt = yes|no</term>
++ <listitem><para>
++ Generate prompt for changing an expired password. Defaults to "no".
++ </para></listitem>
++ </varlistentry>
++
+ </variablelist>
+
+ </para>
+diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
+index 720a4b90d85..06098dd07d8 100644
+--- a/nsswitch/pam_winbind.c
++++ b/nsswitch/pam_winbind.c
+@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
+ ctrl |= WINBIND_MKHOMEDIR;
+ }
+
++ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
++ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
++ }
++
+ config_from_pam:
+ /* step through arguments */
+ for (i=argc,v=argv; i-- > 0; ++v) {
+@@ -522,6 +526,8 @@ config_from_pam:
+ else if (!strncasecmp(*v, "warn_pwd_expire",
+ strlen("warn_pwd_expire")))
+ ctrl |= WINBIND_WARN_PWD_EXPIRE;
++ else if (!strcasecmp(*v, "pwd_change_prompt"))
++ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
+ else if (type != PAM_WINBIND_CLEANUP) {
+ __pam_log(pamh, ctrl, LOG_ERR,
+ "pam_parse: unknown option: %s", *v);
+@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
+ * successfully sent the warning message.
+ * Give the user a chance to change pwd.
+ */
+- if (ret == PAM_SUCCESS) {
++ if (ret == PAM_SUCCESS &&
++ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
+ if (change_pwd) {
+ retval = _pam_winbind_change_pwd(ctx);
+ if (retval) {
+@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
+ * successfully sent the warning message.
+ * Give the user a chance to change pwd.
+ */
+- if (ret == PAM_SUCCESS) {
++ if (ret == PAM_SUCCESS &&
++ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
+ if (change_pwd) {
+ retval = _pam_winbind_change_pwd(ctx);
+ if (retval) {
+diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
+index c6786d65a4d..2f4a25729bd 100644
+--- a/nsswitch/pam_winbind.h
++++ b/nsswitch/pam_winbind.h
+@@ -157,6 +157,7 @@ do { \
+ #define WINBIND_WARN_PWD_EXPIRE 0x00002000
+ #define WINBIND_MKHOMEDIR 0x00004000
+ #define WINBIND_TRY_AUTHTOK_ARG 0x00008000
++#define WINBIND_PWD_CHANGE_PROMPT 0x00010000
+
+ #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
+ #define _(string) dgettext(MODULE_NAME, string)
+--
+2.35.1
+
diff --git a/SOURCES/samba-printing-win7.patch b/SOURCES/samba-printing-win7.patch
new file mode 100644
index 0000000..d1a6b6a
--- /dev/null
+++ b/SOURCES/samba-printing-win7.patch
@@ -0,0 +1,229 @@
+From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 22 Jan 2022 01:08:26 +0100
+Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
+
+This is important for the source3/rpc_server code as it might
+be called embedded in smbd and may not run as root with access
+to our private tdb/ldb files.
+
+Note this is only really needed for 4.15 and older, as
+we no longer run the rpc_server embedded in smbd,
+but we better be consistent for now.
+
+This should be able to fix the problem the printing no longer works
+on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
+
+Windows uses NTLMSSP with privacy at the DCERPC layer on top
+of NCACN_NP (smb).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
+---
+ librpc/rpc/dcesrv_auth.c | 5 +++++
+ librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++
+ librpc/rpc/dcesrv_core.h | 2 ++
+ source3/rpc_server/rpc_config.c | 2 ++
+ source4/rpc_server/service_rpc.c | 10 ++++++++++
+ 5 files changed, 37 insertions(+)
+
+diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
+index fec8df513a83..99d8e0162160 100644
+--- a/librpc/rpc/dcesrv_auth.c
++++ b/librpc/rpc/dcesrv_auth.c
+@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
+ auth->auth_level = call->in_auth_info.auth_level;
+ auth->auth_context_id = call->in_auth_info.auth_context_id;
+
++ cb->auth.become_root();
+ status = cb->auth.gensec_prepare(
+ auth,
+ call,
+ &auth->gensec_security,
+ cb->auth.private_data);
++ cb->auth.unbecome_root();
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
+ nt_errstr(status)));
+@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
+ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
+ {
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ const char *pdu = "<unknown>";
+
+ switch (call->pkt.ptype) {
+@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
+ return status;
+ }
+
++ cb->auth.become_root();
+ status = gensec_session_info(auth->gensec_security,
+ auth,
+ &auth->session_info);
++ cb->auth.unbecome_root();
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to establish session_info: %s\n",
+ nt_errstr(status)));
+diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
+index d16159b0b6cd..ea91fc689b4a 100644
+--- a/librpc/rpc/dcesrv_core.c
++++ b/librpc/rpc/dcesrv_core.c
+@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
+ struct dcerpc_binding *ep_2nd_description = NULL;
+ const char *endpoint = NULL;
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ struct dcerpc_ack_ctx *ack_ctx_list = NULL;
+ struct dcerpc_ack_ctx *ack_features = NULL;
+ struct tevent_req *subreq = NULL;
+@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
+ return dcesrv_auth_reply(call);
+ }
+
++ cb->auth.become_root();
+ subreq = gensec_update_send(call, call->event_ctx,
+ auth->gensec_security,
+ call->in_auth_info.credentials);
++ cb->auth.unbecome_root();
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
+ tevent_req_callback_data(subreq,
+ struct dcesrv_call_state);
+ struct dcesrv_connection *conn = call->conn;
++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ NTSTATUS status;
+
++ cb->auth.become_root();
+ status = gensec_update_recv(subreq, call,
+ &call->out_auth_info->credentials);
++ cb->auth.unbecome_root();
+ TALLOC_FREE(subreq);
+
+ status = dcesrv_auth_complete(call, status);
+@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
+ {
+ struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ struct tevent_req *subreq = NULL;
+ NTSTATUS status;
+
+@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
+ return NT_STATUS_OK;
+ }
+
++ cb->auth.become_root();
+ subreq = gensec_update_send(call, call->event_ctx,
+ auth->gensec_security,
+ call->in_auth_info.credentials);
++ cb->auth.unbecome_root();
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
+ struct dcesrv_call_state);
+ struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ NTSTATUS status;
+
++ cb->auth.become_root();
+ status = gensec_update_recv(subreq, call,
+ &call->out_auth_info->credentials);
++ cb->auth.unbecome_root();
+ TALLOC_FREE(subreq);
+
+ status = dcesrv_auth_complete(call, status);
+@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
+ struct ncacn_packet *pkt = &call->ack_pkt;
+ uint32_t extra_flags = 0;
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ struct dcerpc_ack_ctx *ack_ctx_list = NULL;
+ struct tevent_req *subreq = NULL;
+ size_t i;
+@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
+ return dcesrv_auth_reply(call);
+ }
+
++ cb->auth.become_root();
+ subreq = gensec_update_send(call, call->event_ctx,
+ auth->gensec_security,
+ call->in_auth_info.credentials);
++ cb->auth.unbecome_root();
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
+ tevent_req_callback_data(subreq,
+ struct dcesrv_call_state);
+ struct dcesrv_connection *conn = call->conn;
++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
+ NTSTATUS status;
+
++ cb->auth.become_root();
+ status = gensec_update_recv(subreq, call,
+ &call->out_auth_info->credentials);
++ cb->auth.unbecome_root();
+ TALLOC_FREE(subreq);
+
+ status = dcesrv_auth_complete(call, status);
+diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
+index d8d5f9030959..0538442e0ce6 100644
+--- a/librpc/rpc/dcesrv_core.h
++++ b/librpc/rpc/dcesrv_core.h
+@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
+ struct gensec_security **out,
+ void *private_data);
+ void *private_data;
++ void (*become_root)(void);
++ void (*unbecome_root)(void);
+ } auth;
+ struct {
+ NTSTATUS (*find)(
+diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
+index 2f1a01da1c0b..289c4f398409 100644
+--- a/source3/rpc_server/rpc_config.c
++++ b/source3/rpc_server/rpc_config.c
+@@ -31,6 +31,8 @@
+ static struct dcesrv_context_callbacks srv_callbacks = {
+ .log.successful_authz = dcesrv_log_successful_authz,
+ .auth.gensec_prepare = dcesrv_auth_gensec_prepare,
++ .auth.become_root = become_root,
++ .auth.unbecome_root = unbecome_root,
+ .assoc_group.find = dcesrv_assoc_group_find,
+ };
+
+diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
+index d8c6746d7815..ebb50f8a7ef3 100644
+--- a/source4/rpc_server/service_rpc.c
++++ b/source4/rpc_server/service_rpc.c
+@@ -40,9 +40,19 @@
+ #include "../libcli/named_pipe_auth/npa_tstream.h"
+ #include "samba/process_model.h"
+
++static void skip_become_root(void)
++{
++}
++
++static void skip_unbecome_root(void)
++{
++}
++
+ static struct dcesrv_context_callbacks srv_callbacks = {
+ .log.successful_authz = log_successful_dcesrv_authz_event,
+ .auth.gensec_prepare = dcesrv_gensec_prepare,
++ .auth.become_root = skip_become_root,
++ .auth.unbecome_root = skip_unbecome_root,
+ .assoc_group.find = dcesrv_assoc_group_find,
+ };
+
+--
+2.25.1
+
diff --git a/SOURCES/samba-virus_scanner.patch b/SOURCES/samba-virus_scanner.patch
new file mode 100644
index 0000000..6e243da
--- /dev/null
+++ b/SOURCES/samba-virus_scanner.patch
@@ -0,0 +1,597 @@
+From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 9 Feb 2022 16:33:10 +0100
+Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd
+
+We have the env variable SERVER_LOG_LEVEL which allows you to change
+the log level on the command line. If we force -d0 this will not work.
+
+make test TESTS="samba" SERVER_LOG_LEVEL=10
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b)
+---
+ selftest/target/Samba3.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index b901fd2677a..64a9a791a61 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -2153,7 +2153,7 @@ sub make_bin_cmd
+ {
+ my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
+
+- my @optargs = ("-d0");
++ my @optargs = ();
+ if (defined($options)) {
+ @optargs = split(/ /, $options);
+ }
+--
+2.34.1
+
+
+From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 8 Feb 2022 12:07:03 +0100
+Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses
+ filename matching
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1)
+---
+ source3/modules/vfs_virusfilter.c | 12 +++++
+ source3/modules/vfs_virusfilter_common.h | 4 ++
+ source3/modules/vfs_virusfilter_dummy.c | 58 ++++++++++++++++++++++++
+ source3/modules/wscript_build | 1 +
+ 4 files changed, 75 insertions(+)
+ create mode 100644 source3/modules/vfs_virusfilter_dummy.c
+
+diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
+index 9fafe4e5d41..e6cbee7cd45 100644
+--- a/source3/modules/vfs_virusfilter.c
++++ b/source3/modules/vfs_virusfilter.c
+@@ -35,12 +35,14 @@
+
+ enum virusfilter_scanner_enum {
+ VIRUSFILTER_SCANNER_CLAMAV,
++ VIRUSFILTER_SCANNER_DUMMY,
+ VIRUSFILTER_SCANNER_FSAV,
+ VIRUSFILTER_SCANNER_SOPHOS
+ };
+
+ static const struct enum_list scanner_list[] = {
+ { VIRUSFILTER_SCANNER_CLAMAV, "clamav" },
++ { VIRUSFILTER_SCANNER_DUMMY, "dummy" },
+ { VIRUSFILTER_SCANNER_FSAV, "fsav" },
+ { VIRUSFILTER_SCANNER_SOPHOS, "sophos" },
+ { -1, NULL }
+@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect(
+ int snum = SNUM(handle->conn);
+ struct virusfilter_config *config = NULL;
+ const char *exclude_files = NULL;
++ const char *infected_files = NULL;
+ const char *temp_quarantine_dir_mode = NULL;
+ const char *infected_file_command = NULL;
+ const char *scan_error_command = NULL;
+@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect(
+ set_namearray(&config->exclude_files, exclude_files);
+ }
+
++ infected_files = lp_parm_const_string(
++ snum, "virusfilter", "infected files", NULL);
++ if (infected_files != NULL) {
++ set_namearray(&config->infected_files, infected_files);
++ }
++
+ config->cache_entry_limit = lp_parm_int(
+ snum, "virusfilter", "cache entry limit", 100);
+
+@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect(
+ case VIRUSFILTER_SCANNER_CLAMAV:
+ ret = virusfilter_clamav_init(config);
+ break;
++ case VIRUSFILTER_SCANNER_DUMMY:
++ ret = virusfilter_dummy_init(config);
++ break;
+ default:
+ DBG_ERR("Unhandled scanner %d\n", backend);
+ return -1;
+diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h
+index f71b0b949a7..463a9d74e9c 100644
+--- a/source3/modules/vfs_virusfilter_common.h
++++ b/source3/modules/vfs_virusfilter_common.h
+@@ -83,6 +83,9 @@ struct virusfilter_config {
+ /* Exclude files */
+ name_compare_entry *exclude_files;
+
++ /* Infected files */
++ name_compare_entry *infected_files;
++
+ /* Scan result cache */
+ struct virusfilter_cache *cache;
+ int cache_entry_limit;
+@@ -149,5 +152,6 @@ struct virusfilter_backend {
+ int virusfilter_sophos_init(struct virusfilter_config *config);
+ int virusfilter_fsav_init(struct virusfilter_config *config);
+ int virusfilter_clamav_init(struct virusfilter_config *config);
++int virusfilter_dummy_init(struct virusfilter_config *config);
+
+ #endif /* _VIRUSFILTER_COMMON_H */
+diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c
+new file mode 100644
+index 00000000000..03405cd6629
+--- /dev/null
++++ b/source3/modules/vfs_virusfilter_dummy.c
+@@ -0,0 +1,58 @@
++/*
++ Samba-VirusFilter VFS modules
++ Dummy scanner with infected files support.
++ Copyright (C) 2022 Pavel Filipenský <pfilipen@redhat.com>
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "modules/vfs_virusfilter_utils.h"
++
++static virusfilter_result virusfilter_dummy_scan(
++ struct vfs_handle_struct *handle,
++ struct virusfilter_config *config,
++ const struct files_struct *fsp,
++ char **reportp)
++{
++ bool ok;
++
++ DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp));
++ ok = is_in_path(fsp->fsp_name->base_name,
++ config->infected_files,
++ false);
++ return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN;
++}
++
++static struct virusfilter_backend_fns virusfilter_backend_dummy = {
++ .connect = NULL,
++ .disconnect = NULL,
++ .scan_init = NULL,
++ .scan = virusfilter_dummy_scan,
++ .scan_end = NULL,
++};
++
++int virusfilter_dummy_init(struct virusfilter_config *config)
++{
++ struct virusfilter_backend *backend = NULL;
++
++ backend = talloc_zero(config, struct virusfilter_backend);
++ if (backend == NULL) {
++ return -1;
++ }
++
++ backend->fns = &virusfilter_backend_dummy;
++ backend->name = "dummy";
++ config->backend = backend;
++ return 0;
++}
+diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
+index 40df4539392..ff318c3fa06 100644
+--- a/source3/modules/wscript_build
++++ b/source3/modules/wscript_build
+@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter',
+ vfs_virusfilter_sophos.c
+ vfs_virusfilter_fsav.c
+ vfs_virusfilter_clamav.c
++ vfs_virusfilter_dummy.c
+ ''',
+ deps='samba-util VFS_VIRUSFILTER_UTILS',
+ init_function='',
+--
+2.34.1
+
+
+From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 8 Feb 2022 22:35:29 +0100
+Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and
+ 'virusfilter:infected files'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969)
+---
+ docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
+index 329a35af68a..88f91d73a42 100644
+--- a/docs-xml/manpages/vfs_virusfilter.8.xml
++++ b/docs-xml/manpages/vfs_virusfilter.8.xml
+@@ -48,6 +48,10 @@
+ scanner</para></listitem>
+ <listitem><para><emphasis>clamav</emphasis>, the ClamAV
+ scanner</para></listitem>
++ <listitem><para><emphasis>dummy</emphasis>, dummy scanner used in
++ tests. Checks against the <emphasis>infected files</emphasis>
++ parameter and flags any name that matches as infected.
++ </para></listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+@@ -264,6 +268,14 @@
+ </listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term>virusfilter:infected files = empty</term>
++ <listitem>
++ <para>Files that virusfilter <emphasis>dummy</emphasis> flags as infected.</para>
++ <para>If this option is not set, the default is empty.</para>
++ </listitem>
++ </varlistentry>
++
+ <varlistentry>
+ <term>virusfilter:block access on error = false</term>
+ <listitem>
+--
+2.34.1
+
+
+From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 8 Feb 2022 15:34:56 +0100
+Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a)
+---
+ selftest/target/Samba3.pm | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 64a9a791a61..7584a0e7ba9 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -188,7 +188,7 @@ sub getlog_env_app($$$)
+ close(LOG);
+
+ return "" if $out eq $title;
+-
++
+ return $out;
+ }
+
+@@ -2426,7 +2426,7 @@ sub provision($$)
+ my $nmbdsockdir="$prefix_abs/nmbd";
+ unlink($nmbdsockdir);
+
+- ##
++ ##
+ ## create the test directory layout
+ ##
+ die ("prefix_abs = ''") if $prefix_abs eq "";
+@@ -3290,7 +3290,7 @@ sub provision($$)
+ unless (open(PASSWD, ">$nss_wrapper_passwd")) {
+ warn("Unable to open $nss_wrapper_passwd");
+ return undef;
+- }
++ }
+ print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
+ $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
+ pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
+--
+2.34.1
+
+
+From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Tue, 8 Feb 2022 15:35:48 +0100
+Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
+---
+ selftest/knownfail.d/virus_scanner | 2 +
+ selftest/target/Samba3.pm | 12 ++
+ source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++
+ source3/selftest/tests.py | 9 ++
+ 4 files changed, 147 insertions(+)
+ create mode 100644 selftest/knownfail.d/virus_scanner
+ create mode 100755 source3/script/tests/test_virus_scanner.sh
+
+diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
+new file mode 100644
+index 00000000000..6df3fd20627
+--- /dev/null
++++ b/selftest/knownfail.d/virus_scanner
+@@ -0,0 +1,2 @@
++^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
++^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 7584a0e7ba9..c1d0c60d96a 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1688,6 +1688,9 @@ sub setup_fileserver
+ my $veto_sharedir="$share_dir/veto";
+ push(@dirs,$veto_sharedir);
+
++ my $virusfilter_sharedir="$share_dir/virusfilter";
++ push(@dirs,$virusfilter_sharedir);
++
+ my $ip4 = Samba::get_ipv4_addr("FILESERVER");
+ my $fileserver_options = "
+ kernel change notify = yes
+@@ -1813,6 +1816,15 @@ sub setup_fileserver
+ path = $veto_sharedir
+ delete veto files = yes
+
++[virusfilter]
++ path = $virusfilter_sharedir
++ vfs objects = acl_xattr virusfilter
++ virusfilter:scanner = dummy
++ virusfilter:min file size = 0
++ virusfilter:infected files = *infected*
++ virusfilter:infected file action = rename
++ virusfilter:scan on close = yes
++
+ [homes]
+ comment = Home directories
+ browseable = No
+diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh
+new file mode 100755
+index 00000000000..2234ea6ca89
+--- /dev/null
++++ b/source3/script/tests/test_virus_scanner.sh
+@@ -0,0 +1,124 @@
++#!/bin/sh
++# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
++# shellcheck disable=1091
++
++if [ $# -lt 4 ]; then
++cat <<EOF
++Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
++EOF
++exit 1;
++fi
++
++SERVER_IP=${1}
++SHARE=${2}
++LOCAL_PATH=${3}
++SMBCLIENT=${4}
++
++SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
++
++failed=0
++sharedir="${LOCAL_PATH}/${SHARE}"
++
++incdir="$(dirname "$0")/../../../testprogs/blackbox"
++. "${incdir}/subunit.sh"
++
++check_infected_read()
++{
++ rm -rf "${sharedir:?}"/*
++
++ if ! touch "${sharedir}/infected.txt"; then
++ echo "ERROR: Cannot create ${sharedir}/infected.txt"
++ return 1
++ fi
++
++ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
++
++ # check that virusfilter:rename prefix/suffix was added
++ if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
++ echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
++ return 1
++ fi
++
++ # check that file was not downloaded
++ if [ -f "${sharedir}/infected.download.txt" ]; then
++ echo "ERROR: {sharedir}/infected.download.txt should not exist."
++ return 1
++ fi
++
++ return 0
++}
++
++check_infected_write()
++{
++ rm -rf "${sharedir:?}"/*
++ smbfile=infected.upload.txt
++ smbfilerenamed="virusfilter.${smbfile}.infected"
++
++ # non empty file is needed
++ # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
++ if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
++ echo "ERROR: Cannot create ${sharedir}/infected.txt"
++ return 1
++ fi
++
++ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
++
++ # check that virusfilter:rename prefix/suffix was added
++ if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
++ echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
++ return 1
++ fi
++
++ # check that file was not uploaded
++ if [ -f "${sharedir}/infected.upload.txt" ]; then
++ echo "ERROR: {sharedir}/${smbfile} should not exist."
++ return 1
++ fi
++
++ return 0
++}
++
++check_healthy_read()
++{
++ rm -rf "${sharedir:?}"/*
++
++ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
++ echo "ERROR: Cannot create ${sharedir}/healthy.txt"
++ return 1
++ fi
++
++ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
++
++ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
++ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
++ return 1
++ fi
++
++ return 0
++}
++
++check_healthy_write()
++{
++ rm -rf "${sharedir:?}"/*
++
++ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
++ echo "ERROR: Cannot create ${sharedir}/healthy.txt"
++ return 1
++ fi
++
++ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
++
++ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
++ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
++ return 1
++ fi
++
++ return 0
++}
++
++testit "check_infected_read" check_infected_read || failed=$((failed + 1))
++testit "check_infected_write" check_infected_write || failed=$((failed + 1))
++testit "check_healthy_read" check_healthy_read || failed=$((failed + 1))
++testit "check_healthy_write" check_healthy_write || failed=$((failed + 1))
++
++testok "$0" "$failed"
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 701be011f70..6b146c76381 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
+ '$SERVER_IP',
+ "tmp"])
+
++env = 'fileserver'
++plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
++ [os.path.join(samba3srcdir,
++ "script/tests/test_virus_scanner.sh"),
++ '$SERVER_IP',
++ "virusfilter",
++ '$LOCAL_PATH',
++ smbclient3])
++
+ for env in ['fileserver', 'simpleserver']:
+ plantestsuite("samba3.blackbox.smbclient.encryption", env,
+ [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),
+--
+2.34.1
+
+
+From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
+Date: Mon, 7 Feb 2022 23:06:10 +0100
+Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
+
+Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184
+
+(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c)
+---
+ selftest/knownfail.d/virus_scanner | 2 --
+ source3/modules/vfs_virusfilter.c | 6 +++---
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+ delete mode 100644 selftest/knownfail.d/virus_scanner
+
+diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
+deleted file mode 100644
+index 6df3fd20627..00000000000
+--- a/selftest/knownfail.d/virus_scanner
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
+-^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
+diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
+index e6cbee7cd45..d1554967ad1 100644
+--- a/source3/modules/vfs_virusfilter.c
++++ b/source3/modules/vfs_virusfilter.c
+@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle,
+ */
+ goto virusfilter_vfs_open_next;
+ }
+- ret = S_ISREG(smb_fname->st.st_ex_mode);
++ ret = S_ISREG(sbuf.st_ex_mode);
+ if (ret == 0) {
+ DBG_INFO("Not scanned: Directory or special file: %s/%s\n",
+ cwd_fname, fname);
+ goto virusfilter_vfs_open_next;
+ }
+ if (config->max_file_size > 0 &&
+- smb_fname->st.st_ex_size > config->max_file_size)
++ sbuf.st_ex_size > config->max_file_size)
+ {
+ DBG_INFO("Not scanned: file size > max file size: %s/%s\n",
+ cwd_fname, fname);
+ goto virusfilter_vfs_open_next;
+ }
+ if (config->min_file_size > 0 &&
+- smb_fname->st.st_ex_size < config->min_file_size)
++ sbuf.st_ex_size < config->min_file_size)
+ {
+ DBG_INFO("Not scanned: file size < min file size: %s/%s\n",
+ cwd_fname, fname);
+--
+2.34.1
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 0db9947..8d088f3 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -132,9 +132,9 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
-%global baserelease 1
+%global baserelease 101
-%global samba_version 4.15.3
+%global samba_version 4.15.5
%global talloc_version 2.3.3
%global tdb_version 1.4.4
%global tevent_version 0.11.0
@@ -204,6 +204,11 @@ Source201: README.downgrade
Patch0: samba-s4u.patch
Patch1: samba-ctdb-etcd-reclock.patch
Patch2: samba-glibc-dns.patch
+Patch3: samba-printing-win7.patch
+Patch4: samba-disable-systemd-notifications.patch
+Patch5: samba-disable-ntlmssp.patch
+Patch6: samba-password-change-prompt.patch
+Patch7: samba-virus_scanner.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@@ -325,7 +330,7 @@ BuildRequires: python3-etcd
# Add python3-iso8601 to avoid that the
# version in Samba is being packaged
BuildRequires: python3-iso8601
-BuildRequires: python3-pyasn1
+BuildRequires: python3-pyasn1 >= 0.4.8
BuildRequires: bind
BuildRequires: krb5-server >= %{required_mit_krb5}
@@ -4102,6 +4107,26 @@ fi
%endif
%changelog
+* Mon Feb 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-101
+- resolves: #2050111 - [RFE] Change change password change prompt phrasing
+- resolves: #2054110 - virusfilter_vfs_openat: Not scanned: Directory or special file
+
+* Wed Feb 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-100
+- related: rhbz#2013578 - Rebase Samba to the the latest 4.15.x release
+- resolves: #2046129 - Fix CVE-2021-44141
+- resolves: #2046154 - Fix CVE-2021-44142
+- resolves: #2044405 - Fix printing no longer works on Windows 7
+- resolves: #2049485 - Fix systemd notifications
+- resolves: #2049604 - Disable NTLMSSP for ldap client connections
+
+* Mon Jan 24 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.4-100
+- related: rhbz#2013578 - Rebase Samba to the the latest 4.15.x release
+- resolves: #2039154 - Fix CVE-2021-20316
+- resolves: #2044238 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7x
+- resolves: #2044239 - [smb] Segmentation fault when joining the domain
+- resolves: #2044241 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED
+- resolves: #2044255 - Fix CVE-2021-43566
+
* Wed Dec 15 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.3-1
- related: rhbz#2013578 - Rebase to Samba 4.15.3
- resolves: rhbz#2028026 - Fix possible null pointer dereference in winbind