Initial import

CVE-2017-12150.patch

@@ -0,0 +1,381 @@
+From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 29 Aug 2017 17:06:21 +0200
+Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed
+ username into a specified one
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/include/auth_info.h |  1 +
+ source3/lib/popt_common.c   |  6 +-----
+ source3/lib/util_cmdline.c  | 29 +++++++++++++++++++++++++++++
+ 3 files changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
+index c6f71ad..8212c27 100644
+--- a/source3/include/auth_info.h
++++ b/source3/include/auth_info.h
+@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
+ const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
+ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
+ 				    const char *username);
++void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);
+ const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);
+ void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
+ 				  const char *domain);
+diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
+index 9928c70..36b5e92 100644
+--- a/source3/lib/popt_common.c
++++ b/source3/lib/popt_common.c
+@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)
+ void popt_common_credentials_post(void)
+ {
+ 	struct user_auth_info *auth_info = cmdline_auth_info;
+-	const char *username = NULL;
+ 
+ 	if (get_cmdline_auth_info_use_machine_account(auth_info) &&
+ 	    !set_cmdline_auth_info_machine_account_creds(auth_info))
+@@ -259,10 +258,7 @@ void popt_common_credentials_post(void)
+ 	 * correctly parsed yet. If we have a username we need to set it again
+ 	 * to run the string parser for the username correctly.
+ 	 */
+-	username = get_cmdline_auth_info_username(auth_info);
+-	if (username != NULL && username[0] != '\0') {
+-		set_cmdline_auth_info_username(auth_info, username);
+-	}
++	reset_cmdline_auth_info_username(auth_info);
+ }
+ 
+ static void popt_common_credentials_callback(poptContext con,
+diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
+index ad51a4f..80142e2 100644
+--- a/source3/lib/util_cmdline.c
++++ b/source3/lib/util_cmdline.c
+@@ -37,6 +37,7 @@
+ struct user_auth_info {
+ 	struct cli_credentials *creds;
+ 	struct loadparm_context *lp_ctx;
++	bool got_username;
+ 	bool got_pass;
+ 	int signing_state;
+ 	bool smb_encrypt;
+@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
+ 	if (!ok) {
+ 		exit(EIO);
+ 	}
++	auth_info->got_username = true;
+ }
+ 
+ const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
+@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
+ 		exit(ENOMEM);
+ 	}
+ 
++	auth_info->got_username = true;
+ 	if (strchr_m(username, '%') != NULL) {
+ 		auth_info->got_pass = true;
+ 	}
+ }
+ 
++void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
++{
++	const char *username = NULL;
++	const char *new_val = NULL;
++
++	if (!auth_info->got_username) {
++		return;
++	}
++
++	username = cli_credentials_get_username(auth_info->creds);
++	if (username == NULL) {
++		return;
++	}
++	if (username[0] == '\0') {
++		return;
++	}
++
++	cli_credentials_parse_string(auth_info->creds,
++				     username,
++				     CRED_SPECIFIED);
++	new_val = cli_credentials_get_username(auth_info->creds);
++	if (new_val == NULL) {
++		exit(ENOMEM);
++	}
++}
++
+ const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
+ {
+ 	const char *domain = NULL;
+-- 
+1.9.1
+
+
+From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 3 Nov 2016 17:16:43 +0100
+Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:
+ get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
+
+This is an addition to the fixes for CVE-2015-5296.
+
+It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/lib/util_cmdline.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
+index 80142e2..90ee67c 100644
+--- a/source3/lib/util_cmdline.c
++++ b/source3/lib/util_cmdline.c
+@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
+ 
+ int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
+ {
++	if (auth_info->smb_encrypt) {
++		return SMB_SIGNING_REQUIRED;
++	}
+ 	return auth_info->signing_state;
+ }
+ 
+-- 
+1.9.1
+
+
+From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 9 Dec 2016 09:26:32 +0100
+Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of
+ SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/pylibsmb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
+index 59c0998..350c6d4 100644
+--- a/source3/libsmb/pylibsmb.c
++++ b/source3/libsmb/pylibsmb.c
+@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
+ 
+ 	req = cli_full_connection_creds_send(
+ 		NULL, self->ev, "myname", host, NULL, 0, share, "?????",
+-		cli_creds, 0, 0);
++		cli_creds, 0, SMB_SIGNING_DEFAULT);
+ 	if (!py_tevent_req_wait_exc(self->ev, req)) {
+ 		return -1;
+ 	}
+-- 
+1.9.1
+
+
+From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Dec 2016 05:49:46 +0100
+Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
+ in gpo_connect_server()
+
+It's important that we use a signed connection to get the GPOs!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libgpo/gpo_fetch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
+index 836bc23..3740d4e 100644
+--- a/libgpo/gpo_fetch.c
++++ b/libgpo/gpo_fetch.c
+@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
+ 			ads->auth.password,
+ 			CLI_FULL_CONNECTION_USE_KERBEROS |
+ 			CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
+-			Undefined);
++			SMB_SIGNING_REQUIRED);
+ 	if (!NT_STATUS_IS_OK(result)) {
+ 		DEBUG(10,("check_refresh_gpo: "
+ 				"failed to connect: %s\n",
+-- 
+1.9.1
+
+
+From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 29 Aug 2017 15:24:14 +0200
+Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:
+ cli_credentials_authentication_requested() should check for
+ NTLM_CCACHE/SIGN/SEAL
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/credentials/credentials.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index 06648c7..5e3b5e8 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -25,6 +25,7 @@
+ #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
+ #include "auth/credentials/credentials.h"
+ #include "auth/credentials/credentials_internal.h"
++#include "auth/gensec/gensec.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "tevent.h"
+ #include "param/param.h"
+@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
+ 
+ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred) 
+ {
++	uint32_t gensec_features = 0;
++
+ 	if (cred->bind_dn) {
+ 		return true;
+ 	}
+@@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
+ 		return true;
+ 	}
+ 
++	gensec_features = cli_credentials_get_gensec_features(cred);
++	if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
++		return true;
++	}
++
++	if (gensec_features & GENSEC_FEATURE_SIGN) {
++		return true;
++	}
++
++	if (gensec_features & GENSEC_FEATURE_SEAL) {
++		return true;
++	}
++
+ 	return false;
+ }
+ 
+-- 
+1.9.1
+
+
+From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 29 Aug 2017 15:35:49 +0200
+Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add
+ smbXcli_conn_signing_mandatory()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libcli/smb/smbXcli_base.c | 5 +++++
+ libcli/smb/smbXcli_base.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
+index b21d796..239e5eb 100644
+--- a/libcli/smb/smbXcli_base.c
++++ b/libcli/smb/smbXcli_base.c
+@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
+ 	return false;
+ }
+ 
++bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
++{
++	return conn->mandatory_signing;
++}
++
+ void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
+ {
+ 	set_socket_options(conn->sock_fd, options);
+diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
+index e48fc35..2594f07 100644
+--- a/libcli/smb/smbXcli_base.h
++++ b/libcli/smb/smbXcli_base.h
+@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
+ 
+ enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
+ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
++bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
+ 
+ void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
+ const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
+-- 
+1.9.1
+
+
+From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Dec 2016 06:07:56 +0100
+Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
+ authentication was not requested
+
+With forced encryption or required signing we should also don't fallback.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/clidfs.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index 75012b2..fdcd665 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -26,6 +26,7 @@
+ #include "trans2.h"
+ #include "libsmb/nmblib.h"
+ #include "../libcli/smb/smbXcli_base.h"
++#include "auth/credentials/credentials.h"
+ 
+ /********************************************************************
+  Important point.
+@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ 	char *servicename;
+ 	char *sharename;
+ 	char *newserver, *newshare;
+-	const char *username;
+-	const char *password;
+-	const char *domain;
+ 	NTSTATUS status;
+ 	int flags = 0;
+ 	int signing_state = get_cmdline_auth_info_signing_state(auth_info);
+@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ 		smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
+ 	}
+ 
+-	username = get_cmdline_auth_info_username(auth_info);
+-	password = get_cmdline_auth_info_password(auth_info);
+-	domain = get_cmdline_auth_info_domain(auth_info);
+-	if ((domain == NULL) || (domain[0] == '\0')) {
+-		domain = lp_workgroup();
+-	}
+-
+ 	creds = get_cmdline_auth_info_creds(auth_info);
+ 
+ 	status = cli_session_setup_creds(c, creds);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		/* If a password was not supplied then
+ 		 * try again with a null username. */
+-		if (password[0] || !username[0] ||
+-			get_cmdline_auth_info_use_kerberos(auth_info) ||
++		if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
++			cli_credentials_authentication_requested(creds) ||
++			cli_credentials_is_anonymous(creds) ||
+ 			!NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
+ 		{
+ 			d_printf("session setup failed: %s\n",
+-- 
+1.9.1
+

CVE-2017-12151.patch

@@ -0,0 +1,111 @@
+From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 14 Aug 2017 12:13:18 +0200
+Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add
+ cli_state_is_encryption_on() helper function
+
+This allows to check if the current cli_state uses encryption
+(either via unix extentions or via SMB3).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/clientgen.c | 13 +++++++++++++
+ source3/libsmb/proto.h     |  1 +
+ 2 files changed, 14 insertions(+)
+
+diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
+index bc5c1b1ce3c..3e8523e5ce8 100644
+--- a/source3/libsmb/clientgen.c
++++ b/source3/libsmb/clientgen.c
+@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)
+ 	return cli->smb1.pid;
+ }
+ 
++bool cli_state_is_encryption_on(struct cli_state *cli)
++{
++	if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
++		return smb1cli_conn_encryption_on(cli->conn);
++	}
++
++	if (cli->smb2.tcon == NULL) {
++		return false;
++	}
++
++	return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
++}
++
+ bool cli_state_has_tcon(struct cli_state *cli)
+ {
+ 	uint16_t tid = cli_state_get_tid(cli);
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index 764f3fc1b12..67fa43e4e4a 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
+ uint16_t cli_state_get_vc_num(struct cli_state *cli);
+ uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
+ uint32_t cli_getpid(struct cli_state *cli);
++bool cli_state_is_encryption_on(struct cli_state *cli);
+ bool cli_state_has_tcon(struct cli_state *cli);
+ uint16_t cli_state_get_tid(struct cli_state *cli);
+ uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);
+-- 
+2.13.5
+
+
+From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 17 Dec 2016 10:36:49 +0100
+Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of
+ cli_state_is_encryption_on()
+
+This will keep enforced encryption across dfs referrals.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/clidfs.c         | 4 ++--
+ source3/libsmb/libsmb_context.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index c477d7c6a46..99818a681e3 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
+ 			     "IPC$",
+ 			     dfs_auth_info,
+ 			     false,
+-			     smb1cli_conn_encryption_on(rootcli->conn),
++			     cli_state_is_encryption_on(rootcli),
+ 			     smbXcli_conn_protocol(rootcli->conn),
+ 			     0,
+ 			     0x20,
+@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
+ 				dfs_refs[count].share,
+ 				dfs_auth_info,
+ 				false,
+-				smb1cli_conn_encryption_on(rootcli->conn),
++				cli_state_is_encryption_on(rootcli),
+ 				smbXcli_conn_protocol(rootcli->conn),
+ 				0,
+ 				0x20,
+diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
+index ed6ca2b1b9f..b55cf1e2d15 100644
+--- a/source3/libsmb/libsmb_context.c
++++ b/source3/libsmb/libsmb_context.c
+@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
+ 
+                 for (s = context->internal->servers; s; s = s->next) {
+                         num_servers++;
+-                        if (!smb1cli_conn_encryption_on(s->cli->conn)) {
++                        if (!cli_state_is_encryption_on(s->cli)) {
+                                 return (void *)false;
+                         }
+                 }
+-- 
+2.13.5
+

CVE-2017-12163.patch

@@ -0,0 +1,141 @@
+From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 8 Sep 2017 10:13:14 -0700
+Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
+ writing server memory to file.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 317143f..7b07078 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
+ 	}
+ 
+ 	/* Ensure we don't write bytes past the end of this packet. */
++	/*
++	 * This already protects us against CVE-2017-12163.
++	 */
+ 	if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
+ 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ 		error_to_writebrawerr(req);
+@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
+ 			exit_server_cleanly("secondary writebraw failed");
+ 		}
+ 
++		/*
++		 * We are not vulnerable to CVE-2017-12163
++		 * here as we are guarenteed to have numtowrite
++		 * bytes available - we just read from the client.
++		 */
+ 		nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
+ 		if (nwritten == -1) {
+ 			TALLOC_FREE(buf);
+@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
+ 	connection_struct *conn = req->conn;
+ 	ssize_t nwritten = -1;
+ 	size_t numtowrite;
++	size_t remaining;
+ 	off_t startpos;
+ 	const char *data;
+ 	NTSTATUS status = NT_STATUS_OK;
+@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
+ 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ 	data = (const char *)req->buf + 3;
+ 
++	/*
++	 * Ensure client isn't asking us to write more than
++	 * they sent. CVE-2017-12163.
++	 */
++	remaining = smbreq_bufrem(req, data);
++	if (numtowrite > remaining) {
++		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		END_PROFILE(SMBwriteunlock);
++		return;
++	}
++
+ 	if (!fsp->print_file && numtowrite > 0) {
+ 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
+ {
+ 	connection_struct *conn = req->conn;
+ 	size_t numtowrite;
++	size_t remaining;
+ 	ssize_t nwritten = -1;
+ 	off_t startpos;
+ 	const char *data;
+@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
+ 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ 	data = (const char *)req->buf + 3;
+ 
++	/*
++	 * Ensure client isn't asking us to write more than
++	 * they sent. CVE-2017-12163.
++	 */
++	remaining = smbreq_bufrem(req, data);
++	if (numtowrite > remaining) {
++		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		END_PROFILE(SMBwrite);
++		return;
++	}
++
+ 	if (!fsp->print_file) {
+ 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ 			(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
+ 			goto out;
+ 		}
+ 	} else {
++		/*
++		 * This already protects us against CVE-2017-12163.
++		 */
+ 		if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
+ 				smb_doff + numtowrite > smblen) {
+ 			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
+ {
+ 	connection_struct *conn = req->conn;
+ 	size_t numtowrite;
++	size_t remaining;
+ 	ssize_t nwritten = -1;
+ 	NTSTATUS close_status = NT_STATUS_OK;
+ 	off_t startpos;
+@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
+ 	mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
+ 	data = (const char *)req->buf + 1;
+ 
++	/*
++	 * Ensure client isn't asking us to write more than
++	 * they sent. CVE-2017-12163.
++	 */
++	remaining = smbreq_bufrem(req, data);
++	if (numtowrite > remaining) {
++		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		END_PROFILE(SMBwriteclose);
++		return;
++	}
++
+ 	if (fsp->print_file == NULL) {
+ 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
+ 
+ 	numtowrite = SVAL(req->buf, 1);
+ 
++	/*
++	 * This already protects us against CVE-2017-12163.
++	 */
+ 	if (req->buflen < numtowrite + 3) {
+ 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ 		END_PROFILE(SMBsplwr);
+-- 
+1.9.1
+

CVE-2017-14746.patch

@@ -0,0 +1,63 @@
+From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 19 Sep 2017 16:11:33 -0700
+Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When setting up the chain, always use 'next->' variables
+not the 'req->' one.
+
+Bug discovered by 连一汉 <lianyihan@360.cn>
+
+CVE-2017-14746
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/process.c | 7 ++++---
+ source3/smbd/reply.c   | 5 +++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/source3/smbd/process.c b/source3/smbd/process.c
+index b65ae2c1b1c..9b2b0a669a2 100644
+--- a/source3/smbd/process.c
++++ b/source3/smbd/process.c
+@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
+ 
+ 		next->vuid = SVAL(req->outbuf, smb_uid);
+ 		next->tid  = SVAL(req->outbuf, smb_tid);
+-		status = smb1srv_tcon_lookup(req->xconn, req->tid,
++		status = smb1srv_tcon_lookup(req->xconn, next->tid,
+ 					     now, &tcon);
++
+ 		if (NT_STATUS_IS_OK(status)) {
+-			req->conn = tcon->compat;
++			next->conn = tcon->compat;
+ 		} else {
+-			req->conn = NULL;
++			next->conn = NULL;
+ 		}
+ 		next->chain_fsp = req->chain_fsp;
+ 		next->inbuf = req->inbuf;
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 7b07078249b..81acedf0413 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
+ 		}
+ 
+ 		TALLOC_FREE(tcon);
++		/*
++		 * This tree id is gone. Make sure we can't re-use it
++		 * by accident.
++		 */
++		req->tid = 0;
+ 	}
+ 
+ 	if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
+-- 
+2.14.2.920.gcf0c67979c-goog
+

CVE-2017-15275.patch

@@ -0,0 +1,45 @@
+From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 20 Sep 2017 11:04:50 -0700
+Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
+ talloc buffer is grown.
+
+Ensure we zero out unused grown area.
+
+CVE-2017-15275
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/srvstr.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
+index 56dceba8c6c..c2d70b32c32 100644
+--- a/source3/smbd/srvstr.c
++++ b/source3/smbd/srvstr.c
+@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
+ 		DEBUG(0, ("srvstr_push failed\n"));
+ 		return -1;
+ 	}
++
++	/*
++	 * Ensure we clear out the extra data we have
++	 * grown the buffer by, but not written to.
++	 */
++	if (buf_size + result < buf_size) {
++		return -1;
++	}
++	if (grow_size < result) {
++		return -1;
++	}
++
++	memset(tmp + buf_size + result, '\0', grow_size - result);
++
+ 	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
+ 
+ 	*outbuf = tmp;
+-- 
+2.14.2.920.gcf0c67979c-goog
+

CVE-2017-7494.patch

@@ -0,0 +1,34 @@
+From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Mon, 8 May 2017 21:40:40 +0200
+Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
+ inside
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_server/srv_pipe.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index 0633b5f..c3f0cd8 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -475,6 +475,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
+ {
+ 	NTSTATUS status;
+ 
++	if (strchr(pipename, '/')) {
++		DEBUG(1, ("Refusing open on pipe %s\n", pipename));
++		return false;
++	}
++
+ 	if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
+ 		DEBUG(10, ("refusing spoolss access\n"));
+ 		return false;
+-- 
+1.9.1
+

README.dc

@@ -0,0 +1,20 @@
+MIT Kerberos 5 Support
+=======================
+
+Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of
+choice. The Samba build in Fedora is using MIT Kerberos implementation in order
+to allow system-wide interoperability between both desktop and server
+applications running on the same machine.
+
+At the moment the Samba Active Directory Domain Controller implementation is
+not available with MIT Kereberos. FreeIPA and Samba Team members are currently
+working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux
+distribution integration of Samba AD DC features.
+
+We have just finished migrating the file server and all client utilities to MIT
+Kerberos.  The result of this work is available in samba-* packages in Fedora.
+We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos
+KDC will be ready.
+
+In case of further questions do not hesitate to send your inquiries to
+samba-owner@fedoraproject.org

README.downgrade

@@ -0,0 +1,29 @@
+Downgrading Samba
+=================
+
+Short version: data-preserving downgrades between Samba versions are not supported
+
+Long version:
+With Samba development there are cases when on-disk database format evolves.
+In general, Samba Team attempts to maintain forward compatibility and
+automatically upgrade databases during runtime when requires.
+However, when downgrade is required Samba will not perform downgrade to
+existing databases. It may be impossible if new features that caused database
+upgrade are in use. Thus, one needs to consider a downgrade procedure before
+actually downgrading Samba setup.
+
+Please always perform back up prior both upgrading and downgrading across major
+version changes. Restoring database files is easiest and simplest way to get to
+previously working setup.
+
+Easiest way to downgrade is to remove all created databases and start from scratch.
+This means losing all authentication and domain relationship data, as well as
+user databases (in case of tdb storage), printers, registry settings, and winbindd
+caches.
+
+Remove databases in following locations:
+/var/lib/samba/*.tdb
+/var/lib/samba/private/*.tdb
+
+In particular, registry settings are known to prevent running downgraded versions
+(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.

pam_winbind.conf

@@ -0,0 +1,38 @@
+#
+# pam_winbind configuration file
+#
+# /etc/security/pam_winbind.conf
+#
+
+[global]
+
+# turn on debugging
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
+
+# request a cached login if possible
+# (needs "winbind offline logon = yes" in smb.conf)
+;cached_login = no
+
+# authenticate using kerberos
+;krb5_auth = no
+
+# when using kerberos, request a "FILE" krb5 credential cache type
+# (leave empty to just do krb5 authentication but not have a ticket
+# afterwards)
+;krb5_ccache_type =
+
+# make successful authentication dependend on membership of one SID
+# (can also take a name)
+;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+
+# omit pam conversations
+;silent = no
+
+# create homedirectory on the fly
+;mkhomedir = no

samba-4.6.2.tar.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz
+DQw3KuAbWCKIgkHcy1zZr2o=
+=bIg5
+-----END PGP SIGNATURE-----

samba-v4-6-fix-building-with-new-glibc.patch

@@ -0,0 +1,37 @@
+From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 5 Jan 2017 09:34:36 +0100
+Subject: [PATCH] replace: Include sysmacros.h
+
+In the GNU C Library, "makedev" is defined by <sys/sysmacros.h>. For
+historical compatibility, it is currently defined by <sys/types.h> as
+well, but it is planned to remove this soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+
+(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
+---
+ lib/replace/replace.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/replace/replace.h b/lib/replace/replace.h
+index c69a069e4b3..1dbeacfff66 100644
+--- a/lib/replace/replace.h
++++ b/lib/replace/replace.h
+@@ -171,6 +171,10 @@
+ #include <sys/types.h>
+ #endif
+ 
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
++
+ #ifdef HAVE_SETPROCTITLE_H
+ #include <setproctitle.h>
+ #endif
+-- 
+2.12.0
+

samba-v4-6-fix-kerberos-debug-message.patch

@@ -0,0 +1,39 @@
+From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 20 Mar 2017 16:08:20 +0100
+Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libsmb/cliconnect.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 029c3d4760e..93f873079db 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 				0 /* no time correction for now */,
+ 				NULL);
+ 	if (ret != 0) {
+-		DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
+-			  user_principal, target_hostname,
+-			  error_message(ret)));
++		int dbglvl = DBGLVL_WARNING;
++
++		if (krb5_state == CRED_MUST_USE_KERBEROS) {
++			dbglvl = DBGLVL_ERR;
++		}
++
++		DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
++			       user_principal, target_hostname,
++			       error_message(ret)));
+ 		if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ 			TALLOC_FREE(frame);
+ 			return krb5_to_nt_status(ret);
+-- 
+2.12.0
+

samba-v4-6-fix-net-ads-keytab-handling.patch

@@ -0,0 +1,293 @@
+From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 17:30:37 +0100
+Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters
+
+The old behaviour is:
+
+  for var in $*
+  do
+    echo "$var"
+  done
+
+And you get this:
+
+$ sh test.sh 1 2 '3 4'
+1
+2
+3
+4
+
+Changing it to:
+
+  for var in "$@"
+  do
+    echo "$var"
+  done
+
+will correctly expand to:
+
+$ sh test.sh 1 2 '3 4'
+1
+2
+3 4
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
+
+(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71)
+---
+ testprogs/blackbox/subunit.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh
+index 0791d775d27..5c81ce20a11 100755
+--- a/testprogs/blackbox/subunit.sh
++++ b/testprogs/blackbox/subunit.sh
+@@ -78,7 +78,7 @@ subunit_skip_test () {
+ testit () {
+ 	name="$1"
+ 	shift
+-	cmdline="$*"
++	cmdline="$@"
+ 	subunit_start_test "$name"
+ 	output=`$cmdline 2>&1`
+ 	status=$?
+@@ -93,7 +93,7 @@ testit () {
+ testit_expect_failure () {
+ 	name="$1"
+ 	shift
+-	cmdline="$*"
++	cmdline="$@"
+ 	subunit_start_test "$name"
+ 	output=`$cmdline 2>&1`
+ 	status=$?
+-- 
+2.12.0
+
+
+From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 16:11:39 +0100
+Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)
+---
+ lib/krb5_wrap/krb5_samba.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 10b42dec53f..fd8e4a96071 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
+ 		goto open_keytab;
+ 	}
+ 
++	DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
++
+ 	return KRB5_KT_BADNAME;
+ 
+ open_keytab:
+-- 
+2.12.0
+
+
+From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 16:24:52 +0100
+Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
+---
+ source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 57 insertions(+), 12 deletions(-)
+
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index 3c73b089bbb..96df10fcf65 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -34,6 +34,57 @@
+ 
+ #ifdef HAVE_ADS
+ 
++/* This MAX_NAME_LEN is a constant defined in krb5.h */
++#ifndef MAX_KEYTAB_NAME_LEN
++#define MAX_KEYTAB_NAME_LEN 1100
++#endif
++
++static krb5_error_code ads_keytab_open(krb5_context context,
++				       krb5_keytab *keytab)
++{
++	char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
++	const char *keytab_name = NULL;
++	krb5_error_code ret = 0;
++
++	switch (lp_kerberos_method()) {
++	case KERBEROS_VERIFY_SYSTEM_KEYTAB:
++	case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
++		ret = krb5_kt_default_name(context,
++					   keytab_str,
++					   sizeof(keytab_str) - 2);
++		if (ret != 0) {
++			DBG_WARNING("Failed to get default keytab name");
++			goto out;
++		}
++		keytab_name = keytab_str;
++		break;
++	case KERBEROS_VERIFY_DEDICATED_KEYTAB:
++		keytab_name = lp_dedicated_keytab_file();
++		break;
++	default:
++		DBG_ERR("Invalid kerberos method set (%d)\n",
++			lp_kerberos_method());
++		ret = KRB5_KT_BADNAME;
++		goto out;
++	}
++
++	if (keytab_name == NULL || keytab_name[0] == '\0') {
++		DBG_ERR("Invalid keytab name\n");
++		ret = KRB5_KT_BADNAME;
++		goto out;
++	}
++
++	ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
++	if (ret != 0) {
++		DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
++			    error_message(ret));
++		goto out;
++	}
++
++out:
++	return ret;
++}
++
+ /**********************************************************************
+  Adds a single service principal, i.e. 'host' to the system keytab
+ ***********************************************************************/
+@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
+ 		return -1;
+ 	}
+ 
+-	ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+-	if (ret) {
+-		DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+-			  error_message(ret)));
++	ret = ads_keytab_open(context, &keytab);
++	if (ret != 0) {
+ 		goto out;
+ 	}
+ 
+@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
+ 		return ret;
+ 	}
+ 
+-	ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+-	if (ret) {
+-		DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+-			  error_message(ret)));
++	ret = ads_keytab_open(context, &keytab);
++	if (ret != 0) {
+ 		goto out;
+ 	}
+ 
+@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+ 	DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
+ 		  "and update.\n"));
+ 
+-	ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+-	if (ret) {
+-		DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+-			  error_message(ret)));
++	ret = ads_keytab_open(context, &keytab);
++	if (ret != 0) {
+ 		goto done;
+ 	}
+ 
+-- 
+2.12.0
+
+
+From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 17:28:58 +0100
+Subject: [PATCH 4/5] param: Allow to specify kerberos method on the
+ commandline
+
+We support --option for our tools but you cannot set an option where the
+value of the option includes a space.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0)
+---
+ lib/param/param_table.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/param/param_table.c b/lib/param/param_table.c
+index 4b5234a7c9e..9a944ef19b3 100644
+--- a/lib/param/param_table.c
++++ b/lib/param/param_table.c
+@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
+ static const struct enum_list enum_kerberos_method[] = {
+ 	{KERBEROS_VERIFY_SECRETS, "default"},
+ 	{KERBEROS_VERIFY_SECRETS, "secrets only"},
++	{KERBEROS_VERIFY_SECRETS, "secretsonly"},
+ 	{KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
++	{KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
+ 	{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
++	{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
+ 	{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
++	{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
+ 	{-1, NULL}
+ };
+ 
+-- 
+2.12.0
+
+
+From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 13 Mar 2017 16:34:05 +0100
+Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab
+
+This checks that a 'net ads join' can create the keytab and make sure we
+will not regress in future.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3)
+---
+ testprogs/blackbox/test_net_ads.sh | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 8e915cdcf1f..99b886f53eb 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed +
+ 
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
++# Test with kerberos method = secrets and keytab
++dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
++testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++
++testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
++
++testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++rm -f $dedicated_keytab_file
++
+ testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+ 
+ testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+-- 
+2.12.0
+

samba-v4-6-fix-spoolss-32bit-driver-upload.patch

@@ -0,0 +1,245 @@
+From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 4 May 2017 17:48:42 +0200
+Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with
+ COPY_FROM_DIRECTORY
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05)
+---
+ source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 35 insertions(+), 16 deletions(-)
+
+diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
+index 394a3e5..49be5d9 100644
+--- a/source3/printing/nt_printing.c
++++ b/source3/printing/nt_printing.c
+@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver
+ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ 				   const char *architecture,
+ 				   const char *driverpath_in,
++				   const char *driver_directory,
+ 				   WERROR *perr)
+ {
+ 	int cversion = -1;
+ 	NTSTATUS          nt_status;
+ 	struct smb_filename *smb_fname = NULL;
+-	char *driverpath = NULL;
+ 	files_struct      *fsp = NULL;
+ 	connection_struct *conn = NULL;
+ 	char *oldcwd;
+ 	char *printdollar = NULL;
++	char *printdollar_path = NULL;
++	char *working_dir = NULL;
+ 	int printdollar_snum;
+ 
+ 	*perr = WERR_INVALID_PARAMETER;
+@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ 		return -1;
+ 	}
+ 
++	printdollar_path = lp_path(talloc_tos(), printdollar_snum);
++	if (printdollar_path == NULL) {
++		*perr = WERR_NOT_ENOUGH_MEMORY;
++		return -1;
++	}
++
++	working_dir = talloc_asprintf(talloc_tos(),
++				      "%s/%s",
++				      printdollar_path,
++				      architecture);
++	/*
++	 * If the driver has been uploaded into a temorpary driver
++	 * directory, switch to the driver directory.
++	 */
++	if (driver_directory != NULL) {
++		working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
++					      printdollar_path,
++					      architecture,
++					      driver_directory);
++	}
++
+ 	nt_status = create_conn_struct_cwd(talloc_tos(),
+ 					   server_event_context(),
+ 					   server_messaging_context(),
+ 					   &conn,
+ 					   printdollar_snum,
+-					   lp_path(talloc_tos(), printdollar_snum),
++					   working_dir,
+ 					   session_info, &oldcwd);
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+ 		DEBUG(0,("get_correct_cversion: create_conn_struct "
+@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
+ 		goto error_free_conn;
+ 	}
+ 
+-	/* Open the driver file (Portable Executable format) and determine the
+-	 * deriver the cversion. */
+-	driverpath = talloc_asprintf(talloc_tos(),
+-					"%s/%s",
+-					architecture,
+-					driverpath_in);
+-	if (!driverpath) {
+-		*perr = WERR_NOT_ENOUGH_MEMORY;
+-		goto error_exit;
+-	}
+-
+-	nt_status = driver_unix_convert(conn, driverpath, &smb_fname);
++	/*
++	 * We switch to the directory where the driver files are located,
++	 * so only work on the file names
++	 */
++	nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname);
+ 	if (!NT_STATUS_IS_OK(nt_status)) {
+ 		*perr = ntstatus_to_werror(nt_status);
+ 		goto error_exit;
+@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx,
+ 	 *	NT2K: cversion=3
+ 	 */
+ 
+-	*version = get_correct_cversion(session_info, short_architecture,
+-					*driver_path, &err);
++	*version = get_correct_cversion(session_info,
++					short_architecture,
++					*driver_path,
++					*driver_directory,
++					&err);
+ 	if (*version == -1) {
+ 		return err;
+ 	}
+-- 
+2.9.3
+
+
+From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 5 May 2017 11:11:25 +0200
+Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test
+ for 64bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e)
+---
+ source4/torture/rpc/spoolss.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
+index 409ba57..c4b7bf1 100644
+--- a/source4/torture/rpc/spoolss.c
++++ b/source4/torture/rpc/spoolss.c
+@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx,
+ }
+ 
+ static bool test_driver_copy_from_directory(struct torture_context *tctx,
+-					    struct dcerpc_pipe *p)
++					    struct dcerpc_pipe *p,
++					    const char *architecture)
+ {
+ 	struct torture_driver_context *d;
+ 	struct spoolss_StringArray *a;
+@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
+ 	d = talloc_zero(tctx, struct torture_driver_context);
+ 	torture_assert_not_null(tctx, d, "ENOMEM");
+ 
+-	d->local.environment		=
+-		talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64);
++	d->local.environment		= talloc_strdup(d, architecture);
+ 	torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
+ 
+ 	d->local.driver_directory	=
+@@ -11208,6 +11208,12 @@ done:
+ 	return ok;
+ }
+ 
++static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
++					       struct dcerpc_pipe *p)
++{
++	return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
++}
++
+ static bool test_del_driver_all_files(struct torture_context *tctx,
+ 				      struct dcerpc_pipe *p)
+ {
+@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
+ 	torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers);
+ 
+ 	torture_rpc_tcase_add_test(tcase,
+-				   "test_driver_copy_from_directory",
+-				   test_driver_copy_from_directory);
++				   "test_driver_copy_from_directory_64",
++				   test_driver_copy_from_directory_64);
+ 
+ 	torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
+ 
+-- 
+2.9.3
+
+
+From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 5 May 2017 11:12:02 +0200
+Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for
+ copy_from_directory
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0)
+---
+ source4/torture/rpc/spoolss.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
+index c4b7bf1..e17ac6f 100644
+--- a/source4/torture/rpc/spoolss.c
++++ b/source4/torture/rpc/spoolss.c
+@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
+ 	d->local.environment		= talloc_strdup(d, architecture);
+ 	torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
+ 
+-	d->local.driver_directory	=
+-		talloc_asprintf(d, "/usr/share/cups/drivers/x64");
++	if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) {
++		d->local.driver_directory =
++			talloc_strdup(d, "/usr/share/cups/drivers/x64");
++	} else {
++		d->local.driver_directory =
++			talloc_strdup(d, "/usr/share/cups/drivers/i386");
++	}
+ 	torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM");
+ 
+ 	d->remote.driver_upload_directory = GUID_string2(d, &guid);
+@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
+ 	return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
+ }
+ 
++static bool test_driver_copy_from_directory_32(struct torture_context *tctx,
++					       struct dcerpc_pipe *p)
++{
++	return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86);
++}
++
+ static bool test_del_driver_all_files(struct torture_context *tctx,
+ 				      struct dcerpc_pipe *p)
+ {
+@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
+ 				   "test_driver_copy_from_directory_64",
+ 				   test_driver_copy_from_directory_64);
+ 
++	torture_rpc_tcase_add_test(tcase,
++				   "test_driver_copy_from_directory_32",
++				   test_driver_copy_from_directory_32);
++
+ 	torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
+ 
+ 	torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files);
+-- 
+2.9.3
+

samba-v4-6-fix-vfs-expand-msdfs.patch

@@ -0,0 +1,211 @@
+From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 14 Mar 2017 16:12:20 +0100
+Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file
+
+The arguments get passed in the wrong order to read_target_host().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0)
+---
+ source3/modules/vfs_expand_msdfs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c
+index ffbfa333bad..e42d0098b32 100644
+--- a/source3/modules/vfs_expand_msdfs.c
++++ b/source3/modules/vfs_expand_msdfs.c
+@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
+ 		return NULL;
+ 	}
+ 
+-	targethost = read_target_host(
+-		ctx, raddr, mapfilename);
++	targethost = read_target_host(ctx, mapfilename, raddr);
+ 	if (targethost == NULL) {
+ 		DEBUG(1, ("Could not expand target host from file %s\n",
+ 			  mapfilename));
+-- 
+2.12.0
+
+From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 21 Mar 2017 15:32:37 +0100
+Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to
+ get_referred_path()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e)
+---
+ source3/modules/vfs_default.c       |  2 ++
+ source3/rpc_server/dfs/srv_dfs_nt.c |  6 ++++++
+ source3/smbd/msdfs.c                | 12 +++++++-----
+ source3/smbd/proto.h                | 12 +++++++-----
+ 4 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
+index e0b6125f7d8..dcae861103d 100644
+--- a/source3/modules/vfs_default.c
++++ b/source3/modules/vfs_default.c
+@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle,
+ 
+ 	/* The following call can change cwd. */
+ 	status = get_referred_path(r, pathnamep,
++				   handle->conn->sconn->remote_address,
++				   handle->conn->sconn->local_address,
+ 				   !handle->conn->sconn->using_smb2,
+ 				   junction, &consumedcnt, &self_referral);
+ 	if (!NT_STATUS_IS_OK(status)) {
+diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c
+index ab2af53c0ba..0a4d6d31b7c 100644
+--- a/source3/rpc_server/dfs/srv_dfs_nt.c
++++ b/source3/rpc_server/dfs/srv_dfs_nt.c
+@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r)
+ 
+ 	/* The following call can change the cwd. */
+ 	status = get_referred_path(ctx, r->in.path,
++				   p->remote_address,
++				   p->local_address,
+ 				   true, /*allow_broken_path */
+ 				   jn, &consumedcnt, &self_ref);
+ 	if(!NT_STATUS_IS_OK(status)) {
+@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r)
+ 	}
+ 
+ 	status = get_referred_path(ctx, r->in.dfs_entry_path,
++				   p->remote_address,
++				   p->local_address,
+ 				   true, /*allow_broken_path */
+ 				   jn, &consumedcnt, &self_ref);
+ 	if(!NT_STATUS_IS_OK(status)) {
+@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r)
+ 
+ 	/* The following call can change the cwd. */
+ 	status = get_referred_path(ctx, r->in.dfs_entry_path,
++				   p->remote_address,
++				   p->local_address,
+ 				   true, /*allow_broken_path */
+ 				   jn, &consumedcnt, &self_ref);
+ 	if(!NT_STATUS_IS_OK(status) ||
+diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
+index 61538cec832..3cf82d3b430 100644
+--- a/source3/smbd/msdfs.c
++++ b/source3/smbd/msdfs.c
+@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx,
+ **********************************************************************/
+ 
+ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+-			const char *dfs_path,
+-			bool allow_broken_path,
+-			struct junction_map *jucn,
+-			int *consumedcntp,
+-			bool *self_referralp)
++			   const char *dfs_path,
++			   const struct tsocket_address *remote_address,
++			   const struct tsocket_address *local_address,
++			   bool allow_broken_path,
++			   struct junction_map *jucn,
++			   int *consumedcntp,
++			   bool *self_referralp)
+ {
+ 	struct connection_struct *conn;
+ 	char *targetpath = NULL;
+diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
+index c1b8201b472..e64457cf9e0 100644
+--- a/source3/smbd/proto.h
++++ b/source3/smbd/proto.h
+@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn,
+ 		SMB_STRUCT_STAT *sbufp);
+ struct junction_map;
+ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+-			const char *dfs_path,
+-			bool allow_broken_path,
+-			struct junction_map *jucn,
+-			int *consumedcntp,
+-			bool *self_referralp);
++			   const char *dfs_path,
++			   const struct tsocket_address *remote_address,
++			   const struct tsocket_address *local_address,
++			   bool allow_broken_path,
++			   struct junction_map *jucn,
++			   int *consumedcntp,
++			   bool *self_referralp);
+ int setup_dfs_referral(connection_struct *orig_conn,
+ 			const char *dfs_path,
+ 			int max_referral_level,
+-- 
+2.13.0
+
+
+From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 21 Mar 2017 15:45:34 +0100
+Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake
+ connection
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9)
+---
+ source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
+index 3cf82d3b430..c25fb17cee8 100644
+--- a/source3/smbd/msdfs.c
++++ b/source3/smbd/msdfs.c
+@@ -31,6 +31,7 @@
+ #include "lib/param/loadparm.h"
+ #include "libcli/security/security.h"
+ #include "librpc/gen_ndr/ndr_dfsblobs.h"
++#include "lib/tsocket/tsocket.h"
+ 
+ /**********************************************************************
+  Parse a DFS pathname of the form \hostname\service\reqpath
+@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
+ 		return status;
+ 	}
+ 
++	/*
++	 * TODO
++	 *
++	 * The remote and local address should be passed down to
++	 * create_conn_struct_cwd.
++	 */
++	if (conn->sconn->remote_address == NULL) {
++		conn->sconn->remote_address =
++			tsocket_address_copy(remote_address, conn->sconn);
++		if (conn->sconn->remote_address == NULL) {
++			TALLOC_FREE(pdp);
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++	if (conn->sconn->local_address == NULL) {
++		conn->sconn->local_address =
++			tsocket_address_copy(local_address, conn->sconn);
++		if (conn->sconn->local_address == NULL) {
++			TALLOC_FREE(pdp);
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++
+ 	/* If this is a DFS path dfs_lookup should return
+ 	 * NT_STATUS_PATH_NOT_COVERED. */
+ 
+-- 
+2.13.0
+

samba-v4-6-fix_net_ads_changetrustpw.patch

@@ -0,0 +1,74 @@
+From 646b3c4b920f4ae4d1289eeb10018cd9d069382a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 9 Aug 2017 18:14:23 +0200
+Subject: [PATCH 1/2] s3:libads: Fix changing passwords with Kerberos
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+(cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d)
+---
+ source3/libads/krb5_setpw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
+index 630c2e46631..bc96ac603b1 100644
+--- a/source3/libads/krb5_setpw.c
++++ b/source3/libads/krb5_setpw.c
+@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
+ 	ret = krb5_set_password(context,
+ 				&creds,
+ 				discard_const_p(char, newpw),
+-				princ,
++				NULL,
+ 				&result_code,
+ 				&result_code_string,
+ 				&result_string);
+-- 
+2.14.0
+
+
+From be45f32ffb1504f36b860195b480b661699de049 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 9 Aug 2017 12:14:34 +0200
+Subject: [PATCH 2/2] blackbox: Add test for 'net ads changetrustpw'
+
+BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144
+
+(cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f)
+---
+ testprogs/blackbox/test_net_ads.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 99b886f53eb..bbd99b676bd 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -33,6 +33,8 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed
+ 
+ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+ 
++testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
++
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ 
+ # Test with kerberos method = secrets and keytab
+@@ -41,6 +43,8 @@ testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC
+ 
+ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+ 
++testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
++
+ testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+ rm -f $dedicated_keytab_file
+ 
+-- 
+2.14.0
+

samba-v4-6-fix_path_substitutions.patch

@@ -0,0 +1,194 @@
+From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Fri, 17 Mar 2017 13:52:57 +0100
+Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user
+ information
+
+This fixes the substitution for 'template homedir'.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Volker Lendecke <vl@samba.org>
+Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
+
+(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5)
+---
+ source3/winbindd/wb_queryuser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
+index be4d3d3e665..69b4c8dad5a 100644
+--- a/source3/winbindd/wb_queryuser.c
++++ b/source3/winbindd/wb_queryuser.c
+@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq)
+ 	NTSTATUS status;
+ 	const char *domain_name;
+ 
+-	status = wb_lookupsid_recv(subreq, state, &type, &domain_name,
++	status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name,
+ 				   &state->info->primary_group_name);
+ 	TALLOC_FREE(subreq);
+ 	if (tevent_req_nterror(req, status)) {
+-- 
+2.12.0
+
+
+From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 15 Mar 2017 12:37:08 +0100
+Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660)
+---
+ selftest/target/Samba3.pm                  | 19 ++++++++++++++++++-
+ source3/script/tests/test_substitutions.sh |  9 +++++++--
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index f5b2c510224..1e053f12297 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -394,16 +394,33 @@ sub setup_admember($$$$)
+ 	$substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users";
+ 	push(@dirs, $substitution_path);
+ 
++	# Using '/' as the winbind separator is a bad idea ...
++	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN";
++	push(@dirs, $substitution_path);
++
++	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice";
++	push(@dirs, $substitution_path);
++
++	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN";
++	push(@dirs, $substitution_path);
++
++	$substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users";
++	push(@dirs, $substitution_path);
++
+ 	my $member_options = "
+ 	security = ads
+         workgroup = $dcvars->{DOMAIN}
+         realm = $dcvars->{REALM}
+         netbios aliases = foo bar
+ 
+-[subDUG]
++[sub_dug]
+ 	path = $share_dir/D_%D/U_%U/G_%G
+ 	writeable = yes
+ 
++[sub_dug2]
++	path = $share_dir/D_%D/u_%u/g_%g
++	writeable = yes
++
+ ";
+ 
+ 	my $ret = $self->provision($prefix,
+diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
+index 0852ad969f0..1a46f11c85d 100755
+--- a/source3/script/tests/test_substitutions.sh
++++ b/source3/script/tests/test_substitutions.sh
+@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient"
+ . $samba_srcdir/testprogs/blackbox/subunit.sh
+ . $samba_srcdir/testprogs/blackbox/common_test_fns.inc
+ 
+-SMB_UNC="//$SERVER/subDUG"
++SMB_UNC="//$SERVER/sub_dug"
+ 
+-test_smbclient "Test login to share with substitution" \
++test_smbclient "Test login to share with substitution (DUG)" \
++	"ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
++
++SMB_UNC="//$SERVER/sub_dug2"
++
++test_smbclient "Test login to share with substitution (Dug)" \
+ 	"ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
+ 
+ exit $failed
+-- 
+2.12.0
+
+
+From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 17 Mar 2017 10:04:19 +0100
+Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
+
+With this set, the samba3.local.nss test for ad_member will ensure that
+we correctly substitute those smb.conf options.
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
+
+(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03)
+---
+ nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------
+ selftest/target/Samba3.pm     |  1 +
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
+index cfe582df068..f9c040e5f43 100755
+--- a/nsswitch/tests/test_wbinfo.sh
++++ b/nsswitch/tests/test_wbinfo.sh
+@@ -205,13 +205,18 @@ subunit_start_test "$test_name"
+ # The full name (GECOS) is based on name (the RDN, in this case CN)
+ # and displayName in winbindd_ads, and is based only on displayName in
+ # winbindd_msrpc and winbindd_rpc.  Allow both versions.
+-expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
+-expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
++if test "$TARGET" = "ad_member"; then
++	expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false"
++	expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false"
++else
++	expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
++	expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
++fi
+ 
+-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
+ 	subunit_pass_test "$test_name"
+ else
+-	echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
++	echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ 	failed=`expr $failed + 1`
+ fi
+ 
+@@ -227,10 +232,10 @@ fi
+ 
+ test_name="confirm output of wbinfo --uid-info against $TARGET"
+ subunit_start_test "$test_name"
+-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
+ 	subunit_pass_test "$test_name"
+ else
+-	echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
++	echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ 	failed=`expr $failed + 1`
+ fi
+ 
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 1e053f12297..cb4970828a5 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -412,6 +412,7 @@ sub setup_admember($$$$)
+         workgroup = $dcvars->{DOMAIN}
+         realm = $dcvars->{REALM}
+         netbios aliases = foo bar
++	template homedir = /home/%D/%G/%U
+ 
+ [sub_dug]
+ 	path = $share_dir/D_%D/U_%U/G_%G
+-- 
+2.12.0
+

samba-v4-6-fix_smbclient_session_setup_info.patch

@@ -0,0 +1,339 @@
+From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 15 Mar 2017 17:04:30 +0000
+Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of
+ smb_bytes_pull_str()
+
+This function needs to get the whole smb buffer in order to get
+the alignment for unicode correct.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24)
+---
+ libcli/smb/smb1cli_session.c | 28 +++++++++++++-------------
+ libcli/smb/smb_util.h        |  3 ++-
+ libcli/smb/util.c            | 47 +++++++++++++++++++++++++++++---------------
+ 3 files changed, 47 insertions(+), 31 deletions(-)
+
+diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c
+index 9d92aa6aed4..11614df0ae4 100644
+--- a/libcli/smb/smb1cli_session.c
++++ b/libcli/smb/smb1cli_session.c
+@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq)
+ 	p = bytes;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_os,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+ 	p += ret;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_lm,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq)
+ 	p = bytes;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_os,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+ 	p += ret;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_lm,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+ 	p += ret;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_primary_domain,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq)
+ 	p += out_security_blob_length;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_os,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+ 	p += ret;
+ 
+ 	status = smb_bytes_pull_str(state, &state->out_native_lm,
+-				    use_unicode, p,
+-				    bytes+num_bytes-p, &ret);
++				    use_unicode, bytes, num_bytes,
++				    p, &ret);
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
+index 7e6f0a4ebc4..2884786339d 100644
+--- a/libcli/smb/smb_util.h
++++ b/libcli/smb/smb_util.h
+@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
+ 				 const uint8_t *bytes, size_t num_bytes);
+ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
+ 			    const uint8_t *buf, size_t buf_len,
+-			    size_t *pbuf_consumed);
++			    const uint8_t *position,
++			    size_t *_consumed);
+diff --git a/libcli/smb/util.c b/libcli/smb/util.c
+index ef8c9fafa35..7ef909c6077 100644
+--- a/libcli/smb/util.c
++++ b/libcli/smb/util.c
+@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
+ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
+ 					bool ucs2, bool align_odd,
+ 					const uint8_t *buf, size_t buf_len,
+-					size_t *pbuf_consumed)
++					const uint8_t *position,
++					size_t *p_consumed)
+ {
+ 	size_t pad = 0;
++	size_t offset;
+ 	char *str = NULL;
+ 	size_t str_len = 0;
+ 	bool ok;
+ 
+ 	*_str = NULL;
+-	if (pbuf_consumed != NULL) {
+-		*pbuf_consumed = 0;
++	if (p_consumed != NULL) {
++		*p_consumed = 0;
++	}
++
++	if (position < buf) {
++		return NT_STATUS_INTERNAL_ERROR;
++	}
++
++	offset = PTR_DIFF(position, buf);
++	if (offset > buf_len) {
++		return NT_STATUS_BUFFER_TOO_SMALL;
+ 	}
+ 
+ 	if (ucs2 &&
+-	    ((align_odd && (buf_len % 2 == 0)) ||
+-	     (!align_odd && (buf_len % 2 == 1)))) {
+-		if (buf_len < 1) {
+-			return NT_STATUS_BUFFER_TOO_SMALL;
+-		}
+-		pad = 1;
+-		buf_len -= pad;
+-		buf += pad;
++	    ((align_odd && (offset % 2 == 0)) ||
++	     (!align_odd && (offset % 2 == 1)))) {
++		pad += 1;
++		offset += 1;
++	}
++
++	if (offset > buf_len) {
++		return NT_STATUS_BUFFER_TOO_SMALL;
+ 	}
+ 
++	buf_len -= offset;
++	buf += offset;
++
+ 	if (ucs2) {
+ 		buf_len = utf16_len_n(buf, buf_len);
+ 	} else {
+@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
+ 		return map_nt_error_from_unix_common(errno);
+ 	}
+ 
+-	if (pbuf_consumed != NULL) {
+-		*pbuf_consumed = buf_len + pad;
++	if (p_consumed != NULL) {
++		*p_consumed = buf_len + pad;
+ 	}
+ 	*_str = str;
+-	return NT_STATUS_OK;;
++	return NT_STATUS_OK;
+ }
+ 
+ NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
+ 			    const uint8_t *buf, size_t buf_len,
+-			    size_t *_buf_consumed)
++			    const uint8_t *position,
++			    size_t *_consumed)
+ {
+ 	return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
+-				       buf, buf_len, _buf_consumed);
++				       buf, buf_len, position, _consumed);
+ }
+-- 
+2.13.1
+
+
+From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 15 Mar 2017 17:04:44 +0000
+Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper
+ function
+
+This function updates cli->server_{os,type,domain} to valid values
+after a session setup.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3)
+---
+ source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++--------------
+ 1 file changed, 52 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index a2362ceb863..ef03da17eec 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 	return NT_STATUS_OK;
+ }
+ 
++static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli,
++						 const char *native_os,
++						 const char *native_lm,
++						 const char *primary_domain)
++{
++#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0')
++
++	if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) {
++		cli->server_os = talloc_strdup(cli, native_os);
++		if (cli->server_os == NULL) {
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++
++	if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) {
++		cli->server_type = talloc_strdup(cli, native_lm);
++		if (cli->server_type == NULL) {
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++
++	if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) {
++		cli->server_domain = talloc_strdup(cli, primary_domain);
++		if (cli->server_domain == NULL) {
++			return NT_STATUS_NO_MEMORY;
++		}
++	}
++
++#undef _VALID_STRING
++	return NT_STATUS_OK;
++}
++
+ /********************************************************
+  Utility function to ensure we always return at least
+  a valid char * pointer to an empty string for the
+@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
+ 		subreq, struct tevent_req);
+ 	struct cli_sesssetup_blob_state *state = tevent_req_data(
+ 		req, struct cli_sesssetup_blob_state);
+-	struct cli_state *cli = state->cli;
+ 	NTSTATUS status;
+ 
+ 	if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
+@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
+ 		return;
+ 	}
+ 
+-	if (cli->server_os == NULL) {
+-		cli->server_os = talloc_move(cli, &state->out_native_os);
+-	}
+-	if (cli->server_type == NULL) {
+-		cli->server_type = talloc_move(cli, &state->out_native_lm);
+-	}
+-
+ 	state->status = status;
+ 
++	status = cli_state_update_after_sesssetup(state->cli,
++						  state->out_native_os,
++						  state->out_native_lm,
++						  NULL);
++	if (tevent_req_nterror(req, status)) {
++		return;
++	}
++
+ 	if (state->blob.length != 0) {
+ 		/*
+ 		 * More to send
+@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq)
+ 		return;
+ 	}
+ 
+-	if (cli->server_os == NULL) {
+-		cli->server_os = talloc_move(cli, &state->out_native_os);
+-	}
+-	if (cli->server_type == NULL) {
+-		cli->server_type = talloc_move(cli, &state->out_native_lm);
+-	}
+-	if (cli->server_domain == NULL) {
+-		cli->server_domain = talloc_move(cli, &state->out_primary_domain);
++	status = cli_state_update_after_sesssetup(state->cli,
++						  state->out_native_os,
++						  state->out_native_lm,
++						  state->out_primary_domain);
++	if (tevent_req_nterror(req, status)) {
++		return;
+ 	}
+ 
+ 	ok = smb1cli_conn_activate_signing(cli->conn,
+@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
+ 		subreq, struct tevent_req);
+ 	struct cli_session_setup_creds_state *state = tevent_req_data(
+ 		req, struct cli_session_setup_creds_state);
+-	struct cli_state *cli = state->cli;
+ 	NTSTATUS status;
+ 
+ 	status = smb1cli_session_setup_lm21_recv(subreq, state,
+@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
+ 		return;
+ 	}
+ 
+-	if (cli->server_os == NULL) {
+-		cli->server_os = talloc_move(cli, &state->out_native_os);
+-	}
+-	if (cli->server_type == NULL) {
+-		cli->server_type = talloc_move(cli, &state->out_native_lm);
++	status = cli_state_update_after_sesssetup(state->cli,
++						  state->out_native_os,
++						  state->out_native_lm,
++						  NULL);
++	if (tevent_req_nterror(req, status)) {
++		return;
+ 	}
+ 
+ 	tevent_req_done(req);
+-- 
+2.13.1
+

samba-v4-6-fix_smbclient_username_parsing.patch

@@ -0,0 +1,162 @@
+From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 19 Jun 2017 14:50:33 +0200
+Subject: [PATCH 1/2] s3:popt_common: Reparse the username in
+ popt_common_credentials_post()
+
+When we parse the username in the options handling, the smb.conf file
+has not been loaded yet. So we are not aware of a 'winbind separator'
+set in the config file.
+
+We need to read and set the username again in the post-processing of the
+credentials.
+
+https://bugzilla.samba.org/show_bug.cgi?id=12849
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b)
+---
+ source3/lib/popt_common.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
+index 3589a4fbd2b..9928c708e89 100644
+--- a/source3/lib/popt_common.c
++++ b/source3/lib/popt_common.c
+@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void)
+ void popt_common_credentials_post(void)
+ {
+ 	struct user_auth_info *auth_info = cmdline_auth_info;
++	const char *username = NULL;
+ 
+ 	if (get_cmdline_auth_info_use_machine_account(auth_info) &&
+ 	    !set_cmdline_auth_info_machine_account_creds(auth_info))
+@@ -248,6 +249,20 @@ void popt_common_credentials_post(void)
+ 	}
+ 
+ 	set_cmdline_auth_info_getpass(auth_info);
++
++	/*
++	 * When we set the username during the handling of the options passed to
++	 * the binary we haven't loaded the config yet. This means that we
++	 * didnn't take the 'winbind separator' into account.
++	 *
++	 * The username might contain the domain name and thus it hasn't been
++	 * correctly parsed yet. If we have a username we need to set it again
++	 * to run the string parser for the username correctly.
++	 */
++	username = get_cmdline_auth_info_username(auth_info);
++	if (username != NULL && username[0] != '\0') {
++		set_cmdline_auth_info_username(auth_info, username);
++	}
+ }
+ 
+ static void popt_common_credentials_callback(poptContext con,
+-- 
+2.13.1
+
+
+From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 19 Jun 2017 15:52:23 +0200
+Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144
+
+(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af)
+---
+ source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++
+ source3/selftest/tests.py                    |  1 +
+ 2 files changed, 63 insertions(+)
+ create mode 100755 source3/script/tests/test_smbclient_basic.sh
+
+diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh
+new file mode 100755
+index 00000000000..90e579b68e9
+--- /dev/null
++++ b/source3/script/tests/test_smbclient_basic.sh
+@@ -0,0 +1,62 @@
++#!/bin/sh
++
++# this runs the file serving tests that are expected to pass with samba3 against shares with various options
++
++if [ $# -lt 5 ]; then
++cat <<EOF
++Usage: test_smbclient_basic.sh SERVER SERVER_IP DOMAIN USERNAME PASSWORD SMBCLIENT <smbclient arguments>
++EOF
++exit 1;
++fi
++
++SERVER="$1"
++SERVER_IP="$2"
++USERNAME="$3"
++PASSWORD="$4"
++smbclient="$5"
++CONFIGURATION="$6"
++shift 6
++ADDARGS="$@"
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++
++test_smbclient() {
++	name="$1"
++	cmd="$2"
++	shift
++	shift
++	echo "test: $name"
++	$VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@
++	status=$?
++	if [ x$status = x0 ]; then
++		echo "success: $name"
++	else
++		echo "failure: $name"
++	fi
++	return $status
++}
++
++# TEST using \ as the separator (default)
++test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
++# TEST using / as the separator (default)
++test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
++
++# TEST using 'winbind separator = +'
++test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1`
++
++# TEST using 'winbind separator = +' set in a config file
++smbclient_config="$PREFIX/tmpsmbconf"
++cat > $smbclient_config <<EOF
++[global]
++    include = $(echo $CONFIGURATION | cut -d= -f2)
++    winbind separator = +
++EOF
++
++SAVE_CONFIGURATION="$CONFIGURATION"
++CONFIGURATION="--configfile=$smbclient_config"
++test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD || failed=`expr $failed + 1`
++CONFIGURATION="$SAVE_CONFIGURATION"
++rm -rf $smbclient_config
++
++exit $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index dfe7866b283..d3cb071b903 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -152,6 +152,7 @@ plantestsuite("samba.vfstest.xattr-tdb-1", "nt4_dc:local", [os.path.join(samba3s
+ plantestsuite("samba.vfstest.acl", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-acl/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
+ plantestsuite("samba.vfstest.catia", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-catia/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
+ 
++plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
+ for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
+     env = "nt4_dc"
+     plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
+-- 
+2.13.1
+

samba-v4-6-fix_winbind_child_crash.patch

@@ -0,0 +1,227 @@
+From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 21 Mar 2017 09:57:30 +0100
+Subject: [PATCH 1/2] s3:libads: Remove obsolete
+ smb_krb5_get_ntstatus_from_init_creds()
+
+There is no way we can get a better error code out of this. The original
+function called was krb5_get_init_creds_opt_get_error() which has been
+deprecated in 2008.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e)
+---
+ source3/libads/kerberos.c | 169 ----------------------------------------------
+ 1 file changed, 169 deletions(-)
+
+Index: samba-4.6.2/source3/libads/kerberos.c
+===================================================================
+--- samba-4.6.2.orig/source3/libads/kerberos.c
++++ samba-4.6.2/source3/libads/kerberos.c
+@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da
+ 	return 0;
+ }
+ 
+-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
+-				  DATA_BLOB *edata,
+-				  DATA_BLOB *edata_out)
+-{
+-	DATA_BLOB edata_contents;
+-	ASN1_DATA *data;
+-	int edata_type;
+-
+-	if (!edata->length) {
+-		return false;
+-	}
+-
+-	data = asn1_init(mem_ctx);
+-	if (data == NULL) {
+-		return false;
+-	}
+-
+-	if (!asn1_load(data, *edata)) goto err;
+-	if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
+-	if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
+-	if (!asn1_read_Integer(data, &edata_type)) goto err;
+-
+-	if (edata_type != KRB5_PADATA_PW_SALT) {
+-		DEBUG(0,("edata is not of required type %d but of type %d\n",
+-			KRB5_PADATA_PW_SALT, edata_type));
+-		goto err;
+-	}
+-
+-	if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
+-	if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
+-	if (!asn1_end_tag(data)) goto err;
+-	if (!asn1_end_tag(data)) goto err;
+-	if (!asn1_end_tag(data)) goto err;
+-	asn1_free(data);
+-
+-	*edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
+-
+-	data_blob_free(&edata_contents);
+-
+-	return true;
+-
+-  err:
+-
+-	asn1_free(data);
+-	return false;
+-}
+-
+- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
+-						   NTSTATUS *nt_status)
+-{
+-	DATA_BLOB edata;
+-	DATA_BLOB unwrapped_edata;
+-	TALLOC_CTX *mem_ctx;
+-	struct KRB5_EDATA_NTSTATUS parsed_edata;
+-	enum ndr_err_code ndr_err;
+-
+-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+-	edata = data_blob(error->e_data->data, error->e_data->length);
+-#else
+-	edata = data_blob(error->e_data.data, error->e_data.length);
+-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+-
+-#ifdef DEVELOPER
+-	dump_data(10, edata.data, edata.length);
+-#endif /* DEVELOPER */
+-
+-	mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
+-	if (mem_ctx == NULL) {
+-		data_blob_free(&edata);
+-		return False;
+-	}
+-
+-	if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
+-		data_blob_free(&edata);
+-		TALLOC_FREE(mem_ctx);
+-		return False;
+-	}
+-
+-	data_blob_free(&edata);
+-
+-	ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, 
+-		&parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
+-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+-		data_blob_free(&unwrapped_edata);
+-		TALLOC_FREE(mem_ctx);
+-		return False;
+-	}
+-
+-	data_blob_free(&unwrapped_edata);
+-
+-	if (nt_status) {
+-		*nt_status = parsed_edata.ntstatus;
+-	}
+-
+-	TALLOC_FREE(mem_ctx);
+-
+-	return True;
+-}
+-
+-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
+-						  krb5_principal client,
+-						  krb5_get_init_creds_opt *opt,
+-						  NTSTATUS *nt_status)
+-{
+-	krb5_init_creds_context icc;
+-	krb5_error_code code;
+-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+-	/* HEIMDAL */
+-	krb5_error error;
+-#else
+-	krb5_error *error = NULL;
+-#endif
+-	bool ok;
+-
+-	code = krb5_init_creds_init(ctx,
+-				    client,
+-				    NULL,
+-				    NULL,
+-				    0,
+-				    opt,
+-				    &icc);
+-	if (code != 0) {
+-		DBG_WARNING("krb5_init_creds_init failed with: %s\n",
+-			    error_message(code));
+-		return false;
+-	}
+-
+-	code = krb5_init_creds_get_error(ctx,
+-					 icc,
+-					 &error);
+-	if (code != 0) {
+-		DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
+-			    error_message(code));
+-		return false;
+-	}
+-	krb5_init_creds_free(ctx, icc);
+-
+-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+-	ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
+-
+-	krb5_free_error_contents(ctx, &error);
+-#else
+-	ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
+-
+-	krb5_free_error(ctx, error);
+-#endif
+-
+-	return ok;
+-}
+-
+ /*
+   simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
+   place in default cache location.
+@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch
+ 	}
+  out:
+ 	if (ntstatus) {
+-
+-		NTSTATUS status;
+-
+ 		/* fast path */
+ 		if (code == 0) {
+ 			*ntstatus = NT_STATUS_OK;
+ 			goto cleanup;
+ 		}
+ 
+-		/* try to get ntstatus code out of krb5_error when we have it
+-		 * inside the krb5_get_init_creds_opt - gd */
+-
+-		if (opt != NULL) {
+-			bool ok;
+-
+-			ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
+-								   me,
+-								   opt,
+-								   &status);
+-			if (ok) {
+-				*ntstatus = status;
+-				goto cleanup;
+-			}
+-		}
+-
+ 		/* fall back to self-made-mapping */
+ 		*ntstatus = krb5_to_nt_status(code);
+ 	}
+Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh
+===================================================================
+--- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh
++++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh
+@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d
+ 
+ testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
+ 
++testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
++
++testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
++
+ rm -f $KRB5CCNAME_PATH
+ 
+ exit $failed

samba-v4-6-fix_winbind_normalize_names.patch

@@ -0,0 +1,76 @@
+From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 20 Jun 2017 10:27:07 +0200
+Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
+index 8c764f77b08..b0bf6784ba6 100644
+--- a/source3/winbindd/wb_getpwsid.c
++++ b/source3/winbindd/wb_getpwsid.c
+@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+ 		req, struct wb_getpwsid_state);
+ 	struct winbindd_pw *pw = state->pw;
+ 	struct wbint_userinfo *info;
++	struct winbindd_domain *domain = NULL;
+ 	fstring acct_name, output_username;
++	char *mapped_name = NULL;
+ 	char *tmp;
+ 	NTSTATUS status;
+ 
+@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+ 		return;
+ 	}
+ 
+-	fill_domain_username(output_username, info->domain_name,
+-			     acct_name, true);
++	domain = find_domain_from_name_noinit(info->domain_name);
++	if (tevent_req_nomem(domain, req)) {
++		return;
++	}
++
++	/*
++	 * TODO:
++	 * This function should be called in 'idmap winbind child'. It shouldn't
++	 * be a blocking call, but for this we need to add a new function for
++	 * winbind.idl. This is a fix which can be backported for now.
++	 */
++	status = normalize_name_map(state,
++				    domain,
++				    acct_name,
++				    &mapped_name);
++	if (NT_STATUS_IS_OK(status)) {
++		fill_domain_username(output_username,
++				     info->domain_name,
++				     mapped_name, true);
++		fstrcpy(acct_name, mapped_name);
++	} else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
++		fstrcpy(acct_name, mapped_name);
++	} else {
++		fill_domain_username(output_username,
++				     info->domain_name,
++				     acct_name, true);
++	}
++
+ 	strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));
+ 
+ 	strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "",
+@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
+ 	TALLOC_FREE(tmp);
+ 
+ 	tmp = talloc_sub_specified(
+-		state, info->shell, info->acct_name,
++		state, info->shell, acct_name,
+ 		info->primary_group_name, info->domain_name,
+ 		pw->pw_uid, pw->pw_gid);
+ 	if (tevent_req_nomem(tmp, req)) {
+-- 
+2.13.1
+

samba-v4.6-credentials-fix-realm.patch

@@ -0,0 +1,54 @@
+commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
+Author: Andreas Schneider <asn@samba.org>
+Date:   Wed Dec 21 22:17:22 2016 +0100
+
+    auth/credentials: Always set the the realm if we set the principal from the ccache
+    
+    This fixes a bug in gensec_gssapi_client_start() where an invalid realm
+    is used to get a Kerberos ticket.
+    
+    Signed-off-by: Andreas Schneider <asn@samba.org>
+    Reviewed-by: Stefan Metzmacher <metze@samba.org>
+    (cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
+
+diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
+index 0e68012..1912c48 100644
+--- a/auth/credentials/credentials_krb5.c
++++ b/auth/credentials/credentials_krb5.c
+@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
+ 					   enum credentials_obtained obtained,
+ 					   const char **error_string)
+ {
+-	
++	bool ok;
++	char *realm;
+ 	krb5_principal princ;
+ 	krb5_error_code ret;
+ 	char *name;
+@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
+ 		return ret;
+ 	}
+ 
+-	cli_credentials_set_principal(cred, name, obtained);
+-
++	ok = cli_credentials_set_principal(cred, name, obtained);
++	if (!ok) {
++		krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
++		return ENOMEM;
++	}
+ 	free(name);
+ 
++	realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
++					     princ);
+ 	krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
++	if (realm == NULL) {
++		return ENOMEM;
++	}
++	ok = cli_credentials_set_realm(cred, realm, obtained);
++	SAFE_FREE(realm);
++	if (!ok) {
++		return ENOMEM;
++	}
+ 
+ 	/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
+ 	cred->ccache_obtained = obtained;

samba-v4.6-fix_smbpasswd_user_pwd_change.patch

@@ -0,0 +1,391 @@
+From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:08:46 +0200
+Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29)
+---
+ source3/include/proto.h     | 3 ++-
+ source3/libsmb/passchange.c | 5 +++--
+ source3/utils/smbpasswd.c   | 3 ++-
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index baa579995a5..9deb27b416b 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain,
+ 
+ /* The following definitions come from libsmb/passchange.c  */
+ 
+-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, 
++NTSTATUS remote_password_change(const char *remote_machine,
++				const char *domain, const char *user_name,
+ 				const char *old_passwd, const char *new_passwd,
+ 				char **err_str);
+ 
+diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
+index c89b7ca85d1..48ffba8036f 100644
+--- a/source3/libsmb/passchange.c
++++ b/source3/libsmb/passchange.c
+@@ -30,7 +30,8 @@
+  Change a password on a remote machine using IPC calls.
+ *************************************************************/
+ 
+-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, 
++NTSTATUS remote_password_change(const char *remote_machine,
++				const char *domain, const char *user_name,
+ 				const char *old_passwd, const char *new_passwd,
+ 				char **err_str)
+ {
+@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
+ 
+ 	creds = cli_session_creds_init(cli,
+ 				       user_name,
+-				       NULL, /* domain */
++				       domain,
+ 				       NULL, /* realm */
+ 				       old_passwd,
+ 				       false, /* use_kerberos */
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 437a5e551bb..4d7a3c739bc 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username,
+ 			fprintf(stderr, "Invalid remote operation!\n");
+ 			return NT_STATUS_UNSUCCESSFUL;
+ 		}
+-		ret = remote_password_change(remote_mach, username,
++		ret = remote_password_change(remote_mach,
++					     NULL, username,
+ 					     old_passwd, new_pw, &err_str);
+ 	} else {
+ 		ret = local_password_change(username, local_flags, new_pw,
+-- 
+2.14.1
+
+
+From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:10:06 +0200
+Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950)
+---
+ source3/include/proto.h   |  7 -------
+ source3/libsmb/proto.h    | 10 ++++++++++
+ source3/utils/smbpasswd.c |  1 +
+ 3 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 9deb27b416b..67e1a9d750e 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain,
+ 		fstring srv_name,
+ 		struct sockaddr_storage *ss_out);
+ 
+-/* The following definitions come from libsmb/passchange.c  */
+-
+-NTSTATUS remote_password_change(const char *remote_machine,
+-				const char *domain, const char *user_name,
+-				const char *old_passwd, const char *new_passwd,
+-				char **err_str);
+-
+ /* The following definitions come from libsmb/smberr.c  */
+ 
+ const char *smb_dos_err_name(uint8_t e_class, uint16_t num);
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index a583a8ee159..44f4d04cff5 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -31,6 +31,9 @@
+ 
+ struct smb_trans_enc_state;
+ struct cli_credentials;
++struct cli_state;
++struct file_info;
++struct print_job_info;
+ 
+ /* The following definitions come from libsmb/cliconnect.c  */
+ 
+@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname,
+ 		       TALLOC_CTX *mem_ctx, char **psubstitute_name,
+ 		      char **pprint_name, uint32_t *pflags);
+ 
++/* The following definitions come from libsmb/passchange.c  */
++
++NTSTATUS remote_password_change(const char *remote_machine,
++				const char *domain, const char *user_name,
++				const char *old_passwd, const char *new_passwd,
++				char **err_str);
++
+ #endif /* _LIBSMB_PROTO_H_ */
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 4d7a3c739bc..6eb2deb7a3b 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -21,6 +21,7 @@
+ #include "secrets.h"
+ #include "../librpc/gen_ndr/samr.h"
+ #include "../lib/util/util_pw.h"
++#include "libsmb/proto.h"
+ #include "passdb.h"
+ 
+ /*
+-- 
+2.14.1
+
+
+From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:13:15 +0200
+Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change()
+ in smbpasswd
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373)
+---
+ source3/utils/smbpasswd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 6eb2deb7a3b..b0e08cc0e58 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get)
+  Change a password either locally or remotely.
+ *************************************************************/
+ 
+-static NTSTATUS password_change(const char *remote_mach, char *username, 
+-				char *old_passwd, char *new_pw,
++static NTSTATUS password_change(const char *remote_mach,
++				const char *username,
++				const char *old_passwd, const char *new_pw,
+ 				int local_flags)
+ {
+ 	NTSTATUS ret;
+-- 
+2.14.1
+
+
+From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:14:57 +0200
+Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit b483340639157fe95777672f5723455c48c3c616)
+---
+ source3/utils/smbpasswd.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index b0e08cc0e58..92712e38f6b 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get)
+ *************************************************************/
+ 
+ static NTSTATUS password_change(const char *remote_mach,
+-				const char *username,
++				const char *domain, const char *username,
+ 				const char *old_passwd, const char *new_pw,
+ 				int local_flags)
+ {
+@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach,
+ 			return NT_STATUS_UNSUCCESSFUL;
+ 		}
+ 		ret = remote_password_change(remote_mach,
+-					     NULL, username,
++					     domain, username,
+ 					     old_passwd, new_pw, &err_str);
+ 	} else {
+ 		ret = local_password_change(username, local_flags, new_pw,
+@@ -466,7 +466,8 @@ static int process_root(int local_flags)
+ 		}
+ 	}
+ 
+-	if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name,
++	if (!NT_STATUS_IS_OK(password_change(remote_machine,
++					     NULL, user_name,
+ 					     old_passwd, new_passwd,
+ 					     local_flags))) {
+ 		result = 1;
+@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags)
+ 		exit(1);
+ 	}
+ 
+-	if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw,
+-					     new_pw, 0))) {
++	if (!NT_STATUS_IS_OK(password_change(remote_machine,
++					     NULL, user_name,
++					     old_pw, new_pw, 0))) {
+ 		result = 1;
+ 		goto done;
+ 	}
+-- 
+2.14.1
+
+
+From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 18 Aug 2017 16:17:08 +0200
+Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name
+ in smbpasswd
+
+If a local user wants to change his password using smbpasswd and the
+machine is a domain member, we need to make sure we authenticate against
+our SAM and not ask winbind.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02)
+---
+ source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++-----
+ 1 file changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 92712e38f6b..556e6869da7 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -58,7 +58,7 @@ static void usage(void)
+ 	printf("  -c smb.conf file     Use the given path to the smb.conf file\n");
+ 	printf("  -D LEVEL             debug level\n");
+ 	printf("  -r MACHINE           remote machine\n");
+-	printf("  -U USER              remote username\n");
++	printf("  -U USER              remote username (e.g. SAM/user)\n");
+ 
+ 	printf("extra options when run by root or in local mode:\n");
+ 	printf("  -a                   add user\n");
+@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags)
+ 
+ 	user_name[0] = '\0';
+ 
+-	while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
++	while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) {
+ 		switch(ch) {
+ 		case 'L':
+ 			if (getuid() != 0) {
+@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags)
+ 	int result = 0;
+ 	char *old_pw = NULL;
+ 	char *new_pw = NULL;
++	const char *username = user_name;
++	const char *domain = NULL;
++	char *p = NULL;
+ 
+ 	if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) {
+ 		/* Extra flags that we can't honor non-root */
+@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags)
+ 		}
+ 	}
+ 
++	/* Allow domain as part of the username */
++	if ((p = strchr_m(user_name, '\\')) ||
++	    (p = strchr_m(user_name, '/')) ||
++	    (p = strchr_m(user_name, *lp_winbind_separator()))) {
++		*p = '\0';
++		username = p + 1;
++		domain = user_name;
++	}
++
+ 	/*
+ 	 * A non-root user is always setting a password
+ 	 * via a remote machine (even if that machine is
+@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags)
+ 
+ 	load_interfaces(); /* Delayed from main() */
+ 
+-	if (remote_machine == NULL) {
++	if (remote_machine != NULL) {
++		if (!is_ipaddress(remote_machine)) {
++			domain = remote_machine;
++		}
++	} else {
+ 		remote_machine = "127.0.0.1";
++
++		/*
++		 * If we deal with a local user, change the password for the
++		 * user in our SAM.
++		 */
++		domain = get_global_sam_name();
+ 	}
+ 
+ 	if (remote_machine != NULL) {
+@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags)
+ 	}
+ 
+ 	if (!NT_STATUS_IS_OK(password_change(remote_machine,
+-					     NULL, user_name,
++					     domain, username,
+ 					     old_pw, new_pw, 0))) {
+ 		result = 1;
+ 		goto done;
+ 	}
+ 
+-	printf("Password changed for user %s\n", user_name);
++	printf("Password changed for user %s\n", username);
+ 
+  done:
+ 	SAFE_FREE(old_pw);
+-- 
+2.14.1
+
+
+From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 22 Aug 2017 15:46:07 +0200
+Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
+
+Review with: git show -U20
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andrew Bartlet <abartlet@samba.org>
+(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e)
+---
+ source3/utils/smbpasswd.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
+index 556e6869da7..fb7ad283995 100644
+--- a/source3/utils/smbpasswd.c
++++ b/source3/utils/smbpasswd.c
+@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags)
+ 		domain = get_global_sam_name();
+ 	}
+ 
+-	if (remote_machine != NULL) {
+-		old_pw = get_pass("Old SMB password:",stdin_passwd_get);
+-		if (old_pw == NULL) {
+-			fprintf(stderr, "Unable to get old password.\n");
+-			exit(1);
+-		}
++	old_pw = get_pass("Old SMB password:",stdin_passwd_get);
++	if (old_pw == NULL) {
++		fprintf(stderr, "Unable to get old password.\n");
++		exit(1);
+ 	}
+ 
+ 	if (!new_passwd) {
+-- 
+2.14.1
+

samba-v4.6-graceful_fsctl_validate_negotiate_info.patch

@@ -0,0 +1,53 @@
+From fbef6bd05629e3f5939317bd073a2281fcc3b636 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 30 May 2017 16:30:33 +0200
+Subject: [PATCH] libcli:smb2: Gracefully handle not supported for
+ FSCTL_VALIDATE_NEGOTIATE_INFO
+
+If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only
+server then gracefully handle NT_STATUS_NOT_SUPPORTED too.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Pair-Programmed-With: Guenther Deschner <gd@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Volker Lendecke <vl@samba.org>
+Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
+
+(cherry picked from commit a4d9438ecf92614a0915b9cf61f905ea8170043a)
+---
+ libcli/smb/smbXcli_base.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
+index a7b24f01497..593edf9ce78 100644
+--- a/libcli/smb/smbXcli_base.c
++++ b/libcli/smb/smbXcli_base.c
+@@ -5321,6 +5321,21 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
+ 		tevent_req_done(req);
+ 		return;
+ 	}
++	if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
++		/*
++		 * The response was signed, but not supported
++		 *
++		 * This might be returned by older Windows versions or by
++		 * NetApp SMB server implementations.
++		 *
++		 * See
++		 *
++		 * https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/
++		 *
++		 */
++		tevent_req_done(req);
++		return;
++	}
+ 	if (tevent_req_nterror(req, status)) {
+ 		return;
+ 	}
+-- 
+2.13.1.518.g3df882009-goog
+

samba-v4.6-gss_krb5_import_cred.patch

@@ -0,0 +1,543 @@
+From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 17:08:09 +0200
+Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108)
+---
+ wscript_configure_system_mitkrb5 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
+index 06a9821..d3e8ebf 100644
+--- a/wscript_configure_system_mitkrb5
++++ b/wscript_configure_system_mitkrb5
+@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN('''
+        gsskrb5_extract_authz_data_from_sec_context
+        gss_krb5_export_lucid_sec_context
+        gss_import_cred gss_export_cred
++       gss_acquire_cred_from
+        ''', 'gssapi gssapi_krb5')
+ conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers)
+ conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
+-- 
+2.9.3
+
+
+From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:14:57 +0200
+Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
+
+Wrap gss_krb5_import_cred() to allow re-implementing it with
+gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
+works fine with GSSAPI interposer (GSS-proxy) while
+gss_krb5_import_cred() is not interposed yet.
+
+The wrapper has additional parameter, krb5_context handle, to facilitate
+with credentials cache name discovery. All our callers to
+gss_krb5_import_cred() already have krb5 context handy.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)
+---
+ lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++
+ lib/krb5_wrap/gss_samba.h |  13 +++++
+ 2 files changed, 134 insertions(+)
+
+diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
+index b444633..757ffc5 100644
+--- a/lib/krb5_wrap/gss_samba.c
++++ b/lib/krb5_wrap/gss_samba.c
+@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
+ }
+ #endif /* !HAVE_GSS_OID_EQUAL */
+ 
++
++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
++ * interposed by GSSPROXY while gss_krb5_import_cred() is not.
++ *
++ * This wrapper requires a proper krb5_context to resolve ccache name.
++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
++uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
++				  krb5_ccache id, krb5_principal keytab_principal,
++				  krb5_keytab keytab, gss_cred_id_t *cred)
++{
++	uint32_t major_status = 0;
++
++#if HAVE_GSS_ACQUIRE_CRED_FROM
++	uint32_t minor = 0;
++	gss_key_value_element_desc ccache_element = {
++		.key = "ccache",
++		.value = NULL,
++	};
++
++	gss_key_value_element_desc keytab_element = {
++		.key = "keytab",
++		.value = NULL,
++	};
++
++	gss_key_value_element_desc elements[2];
++
++	gss_key_value_set_desc cred_store = {
++		.elements = &ccache_element,
++		.count = 1,
++	};
++
++	gss_OID_set mech_set = GSS_C_NO_OID_SET;
++	gss_cred_usage_t cred_usage = GSS_C_INITIATE;
++	gss_name_t name = NULL;
++	gss_buffer_desc pr_name = {
++		.value = NULL,
++		.length = 0,
++	};
++
++	if (id != NULL) {
++		major_status = krb5_cc_get_full_name(ctx,
++						     id,
++						     discard_const(&ccache_element.value));
++		if (major_status != 0) {
++			return major_status;
++		}
++	}
++
++	if (keytab != NULL) {
++		keytab_element.value = malloc(4096);
++		if (!keytab_element.value) {
++			return ENOMEM;
++		}
++		major_status = krb5_kt_get_name(ctx,
++						keytab,
++						discard_const(keytab_element.value), 4096);
++		if (major_status != 0) {
++			free(discard_const(keytab_element.value));
++			return major_status;
++		}
++		cred_usage = GSS_C_ACCEPT;
++		cred_store.elements = &keytab_element;
++
++		if (keytab_principal != NULL) {
++			major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
++			if (major_status != 0) {
++				free(discard_const(keytab_element.value));
++				return major_status;
++			}
++			pr_name.length = strlen(pr_name.value);
++
++			major_status = gss_import_name(minor_status,
++						       &pr_name,
++						       discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
++						       &name);
++			if (major_status != 0) {
++				krb5_free_unparsed_name(ctx, pr_name.value);
++				free(discard_const(keytab_element.value));
++				return major_status;
++			}
++		}
++	}
++
++	if (id != NULL && keytab != NULL) {
++		elements[0] = ccache_element;
++		elements[1] = keytab_element;
++
++		cred_store.elements = elements;
++		cred_store.count = 2;
++		cred_usage = GSS_C_BOTH;
++	}
++
++	major_status = gss_acquire_cred_from(minor_status,
++					     name,
++					     0,
++					     mech_set,
++					     cred_usage,
++					     &cred_store,
++					     cred,
++					     NULL,
++					     NULL);
++
++	if (pr_name.value != NULL) {
++		(void)gss_release_name(&minor, &name);
++		krb5_free_unparsed_name(ctx, pr_name.value);
++	}
++	if (keytab_element.value != NULL) {
++		free(discard_const(keytab_element.value));
++	}
++	krb5_free_string(ctx, discard_const(ccache_element.value));
++#else
++	major_status = gss_krb5_import_cred(minor_status,
++					id,
++					keytab_principal,
++					keytab, cred);
++#endif
++	return major_status;
++}
++
++
+ #endif /* HAVE_GSSAPI */
+diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
+index 5319932..89aee34 100644
+--- a/lib/krb5_wrap/gss_samba.h
++++ b/lib/krb5_wrap/gss_samba.h
+@@ -25,6 +25,7 @@
+ #ifdef HAVE_GSSAPI
+ 
+ #include "system/gssapi.h"
++#include "krb5_samba.h"
+ 
+ #if defined(HAVE_GSS_OID_EQUAL)
+ #define smb_gss_oid_equal gss_oid_equal
+@@ -32,5 +33,17 @@
+ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid);
+ #endif /* HAVE_GSS_OID_EQUAL */
+ 
++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
++ * interposed by GSS-proxy while gss_krb5_import_cred() is not.
++ *
++ * This wrapper requires a proper krb5_context to resolve the ccache name for
++ * gss_acquire_cred_from().
++ *
++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
++uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
++				  krb5_ccache id, krb5_principal keytab_principal,
++				  krb5_keytab keytab, gss_cred_id_t *cred);
++
+ #endif /* HAVE_GSSAPI */
+ #endif /* _GSS_SAMBA_H */
+-- 
+2.9.3
+
+
+From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:57:13 +0200
+Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1)
+---
+ auth/credentials/credentials_krb5.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
+index e974df9..0e68012 100644
+--- a/auth/credentials/credentials_krb5.c
++++ b/auth/credentials/credentials_krb5.c
+@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ 		return ENOMEM;
+ 	}
+ 
+-	maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, 
+-					&gcc->creds);
++	maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
++					    ccache->ccache, NULL, NULL,
++					    &gcc->creds);
+ 	if ((maj_stat == GSS_S_FAILURE) &&
+ 	    (min_stat == (OM_uint32)KRB5_CC_END ||
+ 	     min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
+@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ 			return ret;
+ 		}
+ 
+-		maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
+-						&gcc->creds);
++		maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
++						    ccache->ccache, NULL, NULL,
++						    &gcc->creds);
+ 
+ 	}
+ 
+@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ 		} else {
+ 			ret = EINVAL;
+ 		}
+-		(*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
++		(*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret));
+ 		return ret;
+ 	}
+ 
+@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
+ 
+ 	if (ktc->password_based || obtained < CRED_SPECIFIED) {
+ 		/* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
+-		maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
+-						&gcc->creds);
++		maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
++						    NULL, NULL, ktc->keytab,
++						    &gcc->creds);
+ 	} else {
+ 		/* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
+-		maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
+-						&gcc->creds);
++		maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
++						    NULL, princ, ktc->keytab,
++						    &gcc->creds);
+ 	}
+ 	if (maj_stat) {
+ 		if (min_stat) {
+-- 
+2.9.3
+
+
+From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:57:50 +0200
+Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9)
+---
+ source3/libads/sasl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 8570788..30127fa 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
+ 		goto done;
+ 	}
+ 
+-	maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
++	maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred);
+ 	if (maj != GSS_S_COMPLETE) {
+ 		status = ADS_ERROR_GSS(maj, min);
+ 		goto done;
+-- 
+2.9.3
+
+
+From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 3 Mar 2017 16:58:14 +0200
+Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7)
+---
+ source3/librpc/crypto/gse.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index abf20bc..f4238f3 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ 	/* TODO: get krb5 ticket using username/password, if no valid
+ 	 * one already available in ccache */
+ 
+-	gss_maj = gss_krb5_import_cred(&gss_min,
+-				       gse_ctx->ccache,
+-				       NULL, /* keytab_principal */
+-				       NULL, /* keytab */
+-				       &gse_ctx->creds);
++	gss_maj = smb_gss_krb5_import_cred(&gss_min,
++					   gse_ctx->k5ctx,
++					   gse_ctx->ccache,
++					   NULL, /* keytab_principal */
++					   NULL, /* keytab */
++					   &gse_ctx->creds);
+ 	if (gss_maj) {
+ 		char *ccache = NULL;
+ 		int kret;
+@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ 			ccache = NULL;
+ 		}
+ 
+-		DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
++		DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -"
+ 			  "the caller may retry after a kinit.\n",
+ 			  ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
+ 		SAFE_FREE(ccache);
+@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
+ 	}
+ 
+ 	/* This creates a GSSAPI cred_id_t with the keytab set */
+-	gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, 
+-				       &gse_ctx->creds);
++	gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx,
++					   NULL, NULL, gse_ctx->keytab,
++					   &gse_ctx->creds);
+ 
+ 	if (gss_maj != 0
+ 	    && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
+-		DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
++		DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
+ 			  gse_errstr(gse_ctx, gss_maj, gss_min)));
+ 		status = NT_STATUS_INTERNAL_ERROR;
+ 		goto done;
+-- 
+2.9.3
+
+
+From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Wed, 8 Mar 2017 12:38:49 +0200
+Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred
+ wrapper
+
+MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
+credentials from a keytab without specifying actual principal.
+This was fixed in MIT krb5 1.9.2 (see commit
+71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
+master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
+
+Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
+expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
+code use of krb5 mech when calling to gss_acquire_cred.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
+Autobuild-Date(master): Wed Mar  8 22:00:24 CET 2017 on sn-devel-144
+
+(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32)
+---
+ lib/krb5_wrap/gss_samba.c   | 46 +++++++++++++++++++++++++++++++++++++++---
+ source3/librpc/crypto/gse.c | 49 +--------------------------------------------
+ 2 files changed, 44 insertions(+), 51 deletions(-)
+
+diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
+index 757ffc5..9e5ad4a 100644
+--- a/lib/krb5_wrap/gss_samba.c
++++ b/lib/krb5_wrap/gss_samba.c
+@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
+ 	krb5_free_string(ctx, discard_const(ccache_element.value));
+ #else
+ 	major_status = gss_krb5_import_cred(minor_status,
+-					id,
+-					keytab_principal,
+-					keytab, cred);
++					    id,
++					    keytab_principal,
++					    keytab, cred);
++
++	if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
++		if ((keytab_principal == NULL) && (keytab != NULL)) {
++			/* No principal was specified and MIT krb5 1.9 version failed.
++			 * We have to fall back to set global acceptor identity */
++			gss_OID_set_desc mech_set;
++			char *kt_name = NULL;
++
++			kt_name = malloc(4096);
++			if (!kt_name) {
++				return ENOMEM;
++			}
++
++			major_status = krb5_kt_get_name(ctx,
++							keytab,
++							kt_name, 4096);
++			if (major_status != 0) {
++				free(kt_name);
++				return major_status;
++			}
++
++			major_status = gsskrb5_register_acceptor_identity(kt_name);
++			if (major_status) {
++				free(kt_name);
++				return major_status;
++			}
++
++			/* We are dealing with krb5 GSSAPI mech in this fallback */
++			mech_set.count = 1;
++			mech_set.elements = gss_mech_krb5;
++			major_status = gss_acquire_cred(minor_status,
++							GSS_C_NO_NAME,
++							GSS_C_INDEFINITE,
++							&mech_set,
++							GSS_C_ACCEPT,
++							cred,
++							NULL, NULL);
++			free(kt_name);
++		}
++	}
+ #endif
+ 	return major_status;
+ }
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index f4238f3..a111320 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
+ 					   NULL, NULL, gse_ctx->keytab,
+ 					   &gse_ctx->creds);
+ 
+-	if (gss_maj != 0
+-	    && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
++	if (gss_maj != 0) {
+ 		DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
+ 			  gse_errstr(gse_ctx, gss_maj, gss_min)));
+ 		status = NT_STATUS_INTERNAL_ERROR;
+ 		goto done;
+-
+-		/* This is the error the MIT krb5 1.9 gives when it
+-		 * implements the function, but we do not specify the
+-		 * principal.  However, when we specify the principal
+-		 * as host$@REALM the GSS acceptor fails with 'wrong
+-		 * principal in request'.  Work around the issue by
+-		 * falling back to the alternate approach below. */
+-	} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
+-	/* FIXME!!!
+-	 * This call sets the default keytab for the whole server, not
+-	 * just for this context. Need to find a way that does not alter
+-	 * the state of the whole server ... */
+-	{
+-		const char *ktname;
+-		gss_OID_set_desc mech_set;
+-
+-		ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx,
+-				   gse_ctx->keytab, &ktname);
+-		if (ret) {
+-			status = NT_STATUS_INTERNAL_ERROR;
+-			goto done;
+-		}
+-
+-		ret = gsskrb5_register_acceptor_identity(ktname);
+-		if (ret) {
+-			status = NT_STATUS_INTERNAL_ERROR;
+-			goto done;
+-		}
+-
+-		mech_set.count = 1;
+-		mech_set.elements = &gse_ctx->gss_mech;
+-
+-		gss_maj = gss_acquire_cred(&gss_min,
+-				   GSS_C_NO_NAME,
+-				   GSS_C_INDEFINITE,
+-				   &mech_set,
+-				   GSS_C_ACCEPT,
+-				   &gse_ctx->creds,
+-				   NULL, NULL);
+-
+-		if (gss_maj) {
+-			DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
+-				  gse_errstr(gse_ctx, gss_maj, gss_min)));
+-			status = NT_STATUS_INTERNAL_ERROR;
+-			goto done;
+-		}
+ 	}
+ 
+ 	status = NT_STATUS_OK;
+-- 
+2.9.3
+

samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch

@@ -0,0 +1,179 @@
+From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Fri, 10 Mar 2017 16:20:06 +0200
+Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Implement a small Python module that exposes arcfour_crypt_blob()
+function widely used in Samba C code.
+
+When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
+there is a need to encrypt trusted credentials with RC4 cipher.
+
+Current Samba Python code relies on Python runtime to provide RC4
+cipher. However, in FIPS 140-2 mode system crypto libraries do not
+provide access RC4 cipher at all. According to Microsoft dochelp team,
+Windows is treating AuthenticationInformation blob encryption as 'plain
+text' in terms of FIPS 140-2, thus doing application-level encryption.
+
+Replace samba.arcfour_encrypt() implementation with a call to
+samba.crypto.arcfour_crypt_blob().
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
+
+(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)
+---
+ lib/crypto/py_crypto.c   | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/crypto/wscript_build |  7 ++++
+ python/samba/__init__.py | 16 ++-------
+ 3 files changed, 99 insertions(+), 14 deletions(-)
+ create mode 100644 lib/crypto/py_crypto.c
+
+diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
+new file mode 100644
+index 0000000..bf7f9f4
+--- /dev/null
++++ b/lib/crypto/py_crypto.c
+@@ -0,0 +1,90 @@
++/*
++   Unix SMB/CIFS implementation.
++   Samba crypto functions
++
++   Copyright (C) Alexander Bokovoy <ab@samba.org> 2017
++
++   This program is free software; you can redistribute it and/or modify
++   it under the terms of the GNU General Public License as published by
++   the Free Software Foundation; either version 3 of the License, or
++   (at your option) any later version.
++
++   This program is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++   GNU General Public License for more details.
++
++   You should have received a copy of the GNU General Public License
++   along with this program.  If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include <Python.h>
++#include "includes.h"
++#include "python/py3compat.h"
++#include "lib/crypto/arcfour.h"
++
++static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
++{
++	DATA_BLOB data, key;
++	PyObject *py_data, *py_key, *result;
++	TALLOC_CTX *ctx;
++
++	if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
++		return NULL;
++
++	if (!PyBytes_Check(py_data)) {
++		PyErr_Format(PyExc_TypeError, "bytes expected");
++		return NULL;
++	}
++
++	if (!PyBytes_Check(py_key)) {
++		PyErr_Format(PyExc_TypeError, "bytes expected");
++		return NULL;
++	}
++
++	ctx = talloc_new(NULL);
++
++	data.length = PyBytes_Size(py_data);
++	data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
++	if (!data.data) {
++		talloc_free(ctx);
++		return PyErr_NoMemory();
++	}
++
++	key.data = (uint8_t *)PyBytes_AsString(py_key);
++	key.length = PyBytes_Size(py_key);
++
++	arcfour_crypt_blob(data.data, data.length, &key);
++
++	result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
++	talloc_free(ctx);
++	return result;
++}
++
++
++static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
++					 "Encrypt the data with RC4 algorithm using the key";
++
++static PyMethodDef py_crypto_methods[] = {
++	{ "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
++	{ NULL },
++};
++
++static struct PyModuleDef moduledef = {
++	PyModuleDef_HEAD_INIT,
++	.m_name = "crypto",
++	.m_doc = "Crypto functions required for SMB",
++	.m_size = -1,
++	.m_methods = py_crypto_methods,
++};
++
++MODULE_INIT_FUNC(crypto)
++{
++	PyObject *m;
++
++	m = PyModule_Create(&moduledef);
++	if (m == NULL)
++		return NULL;
++
++	return m;
++}
+diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
+index 7f94532..d1f152e 100644
+--- a/lib/crypto/wscript_build
++++ b/lib/crypto/wscript_build
+@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
+         autoproto='test_proto.h',
+         deps='LIBCRYPTO'
+         )
++
++for env in bld.gen_python_environments():
++	bld.SAMBA_PYTHON('python_crypto',
++		source='py_crypto.c',
++		deps='LIBCRYPTO',
++		realname='samba/crypto.so'
++		)
+diff --git a/python/samba/__init__.py b/python/samba/__init__.py
+index 19d5e38..fa4244a 100644
+--- a/python/samba/__init__.py
++++ b/python/samba/__init__.py
+@@ -371,20 +371,8 @@ def string_to_byte_array(string):
+     return blob
+ 
+ def arcfour_encrypt(key, data):
+-    try:
+-        from Crypto.Cipher import ARC4
+-        c = ARC4.new(key)
+-        return c.encrypt(data)
+-    except ImportError as e:
+-        pass
+-    try:
+-        from M2Crypto.RC4 import RC4
+-        c = RC4(key)
+-        return c.update(data)
+-    except ImportError as e:
+-        pass
+-    raise Exception("arcfour_encrypt() requires " +
+-                    "python*-crypto or python*-m2crypto or m2crypto")
++    from samba.crypto import arcfour_crypt_blob
++    return arcfour_crypt_blob(data, key)
+ 
+ import _glue
+ version = _glue.version
+-- 
+2.9.3
+

samba-v4.7-config-dynamic-rpc-port-range.patch

@@ -0,0 +1,405 @@
+From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 16 Jan 2017 11:43:12 +0100
+Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows
+
+Since Windows Server 2008 Microsoft uses a different port range for RPC
+services. Before it was 1024-65535 and they changed it to 49152-65535.
+
+We should use the same range as these are the ports the firewall in AD
+networks normally allow.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3)
+---
+ source3/rpc_server/rpc_server.c | 4 ++--
+ source4/smbd/service_stream.c   | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
+index 5effe66d9bb..37fe68fc36d 100644
+--- a/source3/rpc_server/rpc_server.c
++++ b/source3/rpc_server/rpc_server.c
+@@ -34,8 +34,8 @@
+ #include "rpc_server/srv_pipe_hnd.h"
+ #include "rpc_server/srv_pipe.h"
+ 
+-#define SERVER_TCP_LOW_PORT  1024
+-#define SERVER_TCP_HIGH_PORT 1300
++#define SERVER_TCP_LOW_PORT  49152
++#define SERVER_TCP_HIGH_PORT 65535
+ 
+ /* Creates a pipes_struct and initializes it with the information
+  * sent from the client */
+diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
+index f0a379acf6a..96a303fc6a9 100644
+--- a/source4/smbd/service_stream.c
++++ b/source4/smbd/service_stream.c
+@@ -30,8 +30,8 @@
+ #include "lib/util/util_net.h"
+ 
+ /* the range of ports to try for dcerpc over tcp endpoints */
+-#define SERVER_TCP_LOW_PORT  1024
+-#define SERVER_TCP_HIGH_PORT 1300
++#define SERVER_TCP_LOW_PORT  49152
++#define SERVER_TCP_HIGH_PORT 65535
+ 
+ /* size of listen() backlog in smbd */
+ #define SERVER_LISTEN_BACKLOG 10
+-- 
+2.11.0
+
+
+From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 16 Jan 2017 12:05:09 +0100
+Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC
+ services
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d)
+---
+ docs-xml/smbdotconf/protocol/rpcserverport.xml     | 14 +++++--
+ .../smbdotconf/rpc/rpcserverdynamicportrange.xml   | 22 ++++++++++
+ lib/param/loadparm.c                               | 47 ++++++++++++++++++++++
+ lib/param/loadparm.h                               |  9 ++++-
+ lib/param/param.h                                  |  3 ++
+ python/samba/tests/docs.py                         | 11 +++--
+ source3/include/proto.h                            |  2 +
+ source3/param/loadparm.c                           | 16 ++++++++
+ source3/rpc_server/rpc_server.c                    |  5 +--
+ source4/smbd/service_stream.c                      |  8 ++--
+ 10 files changed, 120 insertions(+), 17 deletions(-)
+ create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
+
+diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml
+index 8a70835612f..0fd87d69212 100644
+--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml
++++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml
+@@ -4,11 +4,19 @@
+                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+ 	<para>Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.</para>
+-	<para>This controls default port for all protocols, except for NETLOGON.  If unset, the first available port after 1024 is used.</para>
+-	<para>The NETLOGON server will use the next available port, eg 1025.  To change this port use (eg) rpc server port:netlogon = 4000.</para>
++	<para>This controls the default port for all protocols, except for NETLOGON.</para>
++	<para>If unset, the first available port from <smbconfoption name="rpc server dynamic port range"/> is used, e.g. 49152.</para>
++	<para>The NETLOGON server will use the next available port, e.g. 49153.  To change this port use (eg) rpc server port:netlogon = 4000.</para>
+ 	<para>Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000.</para>
+ 
++	<para>This option applies currently only when
++	<citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
++	runs as an active directory domain controller.</para>
++
++	<para>The default value 0 causes Samba to select the first available port from <smbconfoption name="rpc server dynamic port range"/>.</para>
+ </description>
+-<para>The default value 0 causes Samba to select the first available port after 1024.</para>
++
++<related>rpc server dynamic port range</related>
++
+ <value type="default">0</value>
+ </samba:parameter>
+diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
+new file mode 100644
+index 00000000000..a9c51d2fe41
+--- /dev/null
++++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
+@@ -0,0 +1,22 @@
++<samba:parameter name="rpc server dynamic port range"
++                 context="G"
++                 type="string"
++                 handler="handle_rpc_server_dynamic_port_range"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++	<para>
++		This parameter tells the RPC server which port range it is
++		allowed to use to create a listening socket for LSA, SAM,
++		Netlogon and others without wellknown tcp ports.
++		The first value is the lowest number of the port
++		range and the second the hightest.
++	</para>
++	<para>
++		This applies to RPC servers in all server roles.
++	</para>
++</description>
++
++<related>rpc server port</related>
++
++<value type="default">49152-65535</value>
++</samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 6aa757f7c6b..3b54ff232aa 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx)
+ 	return lp_ctx->sDefault;
+ }
+ 
++int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
++{
++	return lp_ctx->globals->rpc_low_port;
++}
++
++int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
++{
++	return lp_ctx->globals->rpc_high_port;
++}
++
+ /**
+  * Convenience routine to grab string parameters into temporary memory
+  * and run standard_sub_basic on them.
+@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
+ 	return true;
+ }
+ 
++bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
++					  struct loadparm_service *service,
++					  const char *pszParmValue,
++					  char **ptr)
++{
++	int low_port = -1, high_port = -1;
++	int rc;
++
++	if (pszParmValue == NULL || pszParmValue[0] == '\0') {
++		return false;
++	}
++
++	rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
++	if (rc != 2) {
++		return false;
++	}
++
++	if (low_port > high_port) {
++		return false;
++	}
++
++	if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
++		return false;
++	}
++
++	lp_ctx->globals->rpc_low_port = low_port;
++	lp_ctx->globals->rpc_high_port = high_port;
++
++	return true;
++}
++
+ bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
+ 			     struct loadparm_service *service,
+ 			     const char *pszParmValue, char **ptr)
+@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 	lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
+ 	/* This appears odd, but globals in s3 isn't a pointer */
+ 	lp_ctx->globals->ctx = lp_ctx->globals;
++	lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
++	lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
+ 	lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
+ 	lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
+ 
+@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 
+ 	lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
+ 
++	lpcfg_do_global_parameter(lp_ctx,
++				  "rpc server dynamic port range",
++				  "49152-65535");
++
+ 	/* Allow modules to adjust defaults */
+ 	for (defaults_hook = defaults_hooks; defaults_hook;
+ 		 defaults_hook = defaults_hook->next) {
+diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
+index f9fb7d8d804..c63683d6b66 100644
+--- a/lib/param/loadparm.h
++++ b/lib/param/loadparm.h
+@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
+ #endif /* DEVELOPER */
+ };
+ 
++#define SERVER_TCP_LOW_PORT  49152
++#define SERVER_TCP_HIGH_PORT 65535
++
++#define SERVER_TCP_PORT_MIN 1024
++#define SERVER_TCP_PORT_MAX 65535
+ 
+ 
+ 
+@@ -272,7 +277,9 @@ enum inheritowner_options {
+ #define LOADPARM_EXTRA_GLOBALS \
+ 	struct parmlist_entry *param_opt;				\
+ 	char *dnsdomain;						\
+-	char *realm_original;
++	char *realm_original;						\
++	int rpc_low_port;						\
++	int rpc_high_port;
+ 
+ const char* server_role_str(uint32_t role);
+ int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
+diff --git a/lib/param/param.h b/lib/param/param.h
+index 66037e2ef1b..e123e67a990 100644
+--- a/lib/param/param.h
++++ b/lib/param/param.h
+@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
+ 				time_t *usr_tkt_lifetime,
+ 				time_t *renewal_lifetime);
+ 
++int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);
++int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);
++
+ /* The following definitions come from lib/version.c  */
+ 
+ const char *samba_version_string(void);
+diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
+index 22e022583f6..65df573a350 100644
+--- a/python/samba/tests/docs.py
++++ b/python/samba/tests/docs.py
+@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase):
+                          'lprm command', 'lpq command', 'print command', 'template homedir',
+                          'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
+                          'max open files', 'fss: prune stale', 'fss: sequence timeout',
+-                         'include system krb5 conf'])
++                         'include system krb5 conf', 'rpc server dynamic port range'])
+ 
+     def setUp(self):
+         super(SmbDotConfTests, self).setUp()
+@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase):
+             exceptions = ['client lanman auth',
+                           'client plaintext auth',
+                           'registry shares',
+-                          'smb ports'])
++                          'smb ports',
++                          'rpc server dynamic port range'])
+         self._test_empty(['bin/testparm'])
+ 
+     def test_default_s4(self):
+         self._test_default(['bin/samba-tool', 'testparm'])
+         self._set_defaults(['bin/samba-tool', 'testparm'])
+         self._set_arbitrary(['bin/samba-tool', 'testparm'],
+-            exceptions = ['smb ports'])
++            exceptions = ['smb ports',
++                          'rpc server dynamic port range'])
+         self._test_empty(['bin/samba-tool', 'testparm'])
+ 
+     def _test_default(self, program):
+@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
+ 
+         for tuples in self.defaults:
+             param, default, context, param_type = tuples
++
+             if param in self.special_cases:
+                 continue
+             section = None
+@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
+         for tuples in self.defaults:
+             param, default, context, param_type = tuples
+ 
+-            if param in ['printing']:
++            if param in ['printing', 'rpc server dynamic port range']:
+                 continue
+ 
+             section = None
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 642900ed67c..b3d3ca0e5d1 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
+ int lp_smb2_max_credits(void);
+ int lp_cups_encrypt(void);
+ bool lp_widelinks(int );
++int lp_rpc_low_port(void);
++int lp_rpc_high_port(void);
+ 
+ int lp_wi_scan_global_parametrics(
+ 	const char *regex, size_t max_matches,
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index d8da749ccba..2c8380067f6 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+ 
+ 	Globals.aio_max_threads = 100;
+ 
++	lpcfg_string_set(Globals.ctx,
++			 &Globals.rpc_server_dynamic_port_range,
++			 "49152-65535");
++	Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
++	Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
++
+ 	/* Now put back the settings that were set with lp_set_cmdline() */
+ 	apply_lp_set_cmdline();
+ }
+@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void)
+ 	return client_ipc_signing;
+ }
+ 
++int lp_rpc_low_port(void)
++{
++	return Globals.rpc_low_port;
++}
++
++int lp_rpc_high_port(void)
++{
++	return Globals.rpc_high_port;
++}
++
+ struct loadparm_global * get_globals(void)
+ {
+ 	return &Globals;
+diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
+index 37fe68fc36d..f7fb8ef5207 100644
+--- a/source3/rpc_server/rpc_server.c
++++ b/source3/rpc_server/rpc_server.c
+@@ -34,9 +34,6 @@
+ #include "rpc_server/srv_pipe_hnd.h"
+ #include "rpc_server/srv_pipe.h"
+ 
+-#define SERVER_TCP_LOW_PORT  49152
+-#define SERVER_TCP_HIGH_PORT 65535
+-
+ /* Creates a pipes_struct and initializes it with the information
+  * sent from the client */
+ int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
+@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
+ 	if (*port == 0) {
+ 		uint16_t i;
+ 
+-		for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
++		for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
+ 			fd = open_socket_in(SOCK_STREAM,
+ 					    i,
+ 					    0,
+diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
+index 96a303fc6a9..deb96d8d69d 100644
+--- a/source4/smbd/service_stream.c
++++ b/source4/smbd/service_stream.c
+@@ -29,10 +29,6 @@
+ #include "../lib/tsocket/tsocket.h"
+ #include "lib/util/util_net.h"
+ 
+-/* the range of ports to try for dcerpc over tcp endpoints */
+-#define SERVER_TCP_LOW_PORT  49152
+-#define SERVER_TCP_HIGH_PORT 65535
+-
+ /* size of listen() backlog in smbd */
+ #define SERVER_LISTEN_BACKLOG 10
+ 
+@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
+ 	if (!port) {
+ 		status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
+ 	} else if (*port == 0) {
+-		for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
++		for (i = lpcfg_rpc_low_port(lp_ctx);
++		     i <= lpcfg_rpc_high_port(lp_ctx);
++		     i++) {
+ 			socket_address->port = i;
+ 			status = socket_listen(stream_socket->sock, socket_address, 
+ 					       SERVER_LISTEN_BACKLOG, 0);
+-- 
+2.11.0
+

samba.log

@@ -0,0 +1,7 @@
+/var/log/samba/* {
+    notifempty
+    olddir /var/log/samba/old
+    missingok
+    sharedscripts
+    copytruncate
+}

samba.pamd

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       required	pam_nologin.so
+auth       include	password-auth
+account    include	password-auth
+session    include	password-auth
+password   include	password-auth

smb.conf.example

@@ -0,0 +1,313 @@
+# This is the main Samba configuration file. For detailed information about the
+# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
+# number of configurable options, most of which are not shown in this example.
+#
+# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
+# and using Samba:
+# https://wiki.samba.org/index.php/User_Documentation
+#
+# In this file, lines starting with a semicolon (;) or a hash (#) are
+# comments and are ignored. This file uses hashes to denote commentary and
+# semicolons for parts of the file you may wish to configure.
+#
+# NOTE: Run the "testparm" command after modifying this file to check for basic
+# syntax errors.
+#
+#---------------
+# Security-Enhanced Linux (SELinux) Notes:
+#
+# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
+# useradd and groupadd family of binaries. Run the following command as the
+# root user to turn this Boolean on:
+# setsebool -P samba_domain_controller on
+#
+# Turn the samba_enable_home_dirs Boolean on if you want to share home
+# directories via Samba. Run the following command as the root user to turn this
+# Boolean on:
+# setsebool -P samba_enable_home_dirs on
+#
+# If you create a new directory, such as a new top-level directory, label it
+# with samba_share_t so that SELinux allows Samba to read and write to it. Do
+# not label system directories, such as /etc/ and /home/, with samba_share_t, as
+# such directories should already have an SELinux label.
+#
+# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
+# label for a given directory.
+#
+# Set SELinux labels only on files and directories you have created. Use the
+# chcon command to temporarily change a label:
+# chcon -t samba_share_t /path/to/directory
+#
+# Changes made via chcon are lost when the file system is relabeled or commands
+# such as restorecon are run.
+#
+# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
+# directories. To share such directories and only allow read-only permissions:
+# setsebool -P samba_export_all_ro on
+# To share such directories and allow read and write permissions:
+# setsebool -P samba_export_all_rw on
+#
+# To run scripts (preexec/root prexec/print command/...), copy them to the
+# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
+# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
+# their existing SELinux labels, which may be labels that SELinux does not allow
+# smbd to run. Copying the scripts will result in the correct SELinux labels.
+# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
+# apply the correct SELinux labels to these files.
+#
+#--------------
+#
+#======================= Global Settings =====================================
+
+[global]
+
+# ----------------------- Network-Related Options -------------------------
+#
+# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
+#
+# server string = the equivalent of the Windows NT Description field.
+#
+# netbios name = used to specify a server name that is not tied to the hostname,
+#                maximum is 15 characters.
+#
+# interfaces = used to configure Samba to listen on multiple network interfaces.
+# If you have multiple interfaces, you can use the "interfaces =" option to
+# configure which of those interfaces Samba listens on. Never omit the localhost
+# interface (lo).
+#
+# hosts allow = the hosts allowed to connect. This option can also be used on a
+# per-share basis.
+#
+# hosts deny = the hosts not allowed to connect. This option can also be used on
+# a per-share basis.
+#
+	workgroup = MYGROUP
+	server string = Samba Server Version %v
+
+;	netbios name = MYSERVER
+
+;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
+;	hosts allow = 127. 192.168.12. 192.168.13.
+
+# --------------------------- Logging Options -----------------------------
+#
+# log file = specify where log files are written to and how they are split.
+#
+# max log size = specify the maximum size log files are allowed to reach. Log
+# files are rotated when they reach the size specified with "max log size".
+#
+
+	# log files split per-machine:
+	log file = /var/log/samba/log.%m
+	# maximum size of 50KB per log file, then rotate:
+	max log size = 50
+
+# ----------------------- Standalone Server Options ------------------------
+#
+# security = the mode Samba runs in. This can be set to user, share
+# (deprecated), or server (deprecated).
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+
+	security = user
+	passdb backend = tdbsam
+
+
+# ----------------------- Domain Members Options ------------------------
+#
+# security = must be set to domain or ads.
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+# realm = only use the realm option when the "security = ads" option is set.
+# The realm option specifies the Active Directory realm the host is a part of.
+#
+# password server = only use this option when the "security = server"
+# option is set, or if you cannot use DNS to locate a Domain Controller. The
+# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
+#
+# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
+#
+# Use "password server = *" to automatically locate Domain Controllers.
+
+;	security = domain
+;	passdb backend = tdbsam
+;	realm = MY_REALM
+
+;	password server = <NT-Server-Name>
+
+# ----------------------- Domain Controller Options ------------------------
+#
+# security = must be set to user for domain controllers.
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+# domain master = specifies Samba to be the Domain Master Browser, allowing
+# Samba to collate browse lists between subnets. Do not use the "domain master"
+# option if you already have a Windows NT domain controller performing this task.
+#
+# domain logons = allows Samba to provide a network logon service for Windows
+# workstations.
+#
+# logon script = specifies a script to run at login time on the client. These
+# scripts must be provided in a share named NETLOGON.
+#
+# logon path = specifies (with a UNC path) where user profiles are stored.
+#
+#
+;	security = user
+;	passdb backend = tdbsam
+
+;	domain master = yes
+;	domain logons = yes
+
+	# the following login script name is determined by the machine name
+	# (%m):
+;	logon script = %m.bat
+	# the following login script name is determined by the UNIX user used:
+;	logon script = %u.bat
+;	logon path = \\%L\Profiles\%u
+	# use an empty path to disable profile support:
+;	logon path =
+
+	# various scripts can be used on a domain controller or a stand-alone
+	# machine to add or delete corresponding UNIX accounts:
+
+;	add user script = /usr/sbin/useradd "%u" -n -g users
+;	add group script = /usr/sbin/groupadd "%g"
+;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
+;	delete user script = /usr/sbin/userdel "%u"
+;	delete user from group script = /usr/sbin/userdel "%u" "%g"
+;	delete group script = /usr/sbin/groupdel "%g"
+
+
+# ----------------------- Browser Control Options ----------------------------
+#
+# local master = when set to no, Samba does not become the master browser on
+# your network. When set to yes, normal election rules apply.
+#
+# os level = determines the precedence the server has in master browser
+# elections. The default value should be reasonable.
+#
+# preferred master = when set to yes, Samba forces a local browser election at
+# start up (and gives itself a slightly higher chance of winning the election).
+#
+;	local master = no
+;	os level = 33
+;	preferred master = yes
+
+#----------------------------- Name Resolution -------------------------------
+#
+# This section details the support for the Windows Internet Name Service (WINS).
+#
+# Note: Samba can be either a WINS server or a WINS client, but not both.
+#
+# wins support = when set to yes, the NMBD component of Samba enables its WINS
+# server.
+#
+# wins server = tells the NMBD component of Samba to be a WINS client.
+#
+# wins proxy = when set to yes, Samba answers name resolution queries on behalf
+# of a non WINS capable client. For this to work, there must be at least one
+# WINS server on the network. The default is no.
+#
+# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
+# nslookups.
+
+;	wins support = yes
+;	wins server = w.x.y.z
+;	wins proxy = yes
+
+;	dns proxy = yes
+
+# --------------------------- Printing Options -----------------------------
+#
+# The options in this section allow you to configure a non-default printing
+# system.
+#
+# load printers = when set you yes, the list of printers is automatically
+# loaded, rather than setting them up individually.
+#
+# cups options = allows you to pass options to the CUPS library. Setting this
+# option to raw, for example, allows you to use drivers on your Windows clients.
+#
+# printcap name = used to specify an alternative printcap file.
+#
+
+	load printers = yes
+	cups options = raw
+
+;	printcap name = /etc/printcap
+	# obtain a list of printers automatically on UNIX System V systems:
+;	printcap name = lpstat
+;	printing = cups
+
+# --------------------------- File System Options ---------------------------
+#
+# The options in this section can be un-commented if the file system supports
+# extended attributes, and those attributes are enabled (usually via the
+# "user_xattr" mount option). These options allow the administrator to specify
+# that DOS attributes are stored in extended attributes and also make sure that
+# Samba does not change the permission bits.
+#
+# Note: These options can be used on a per-share basis. Setting them globally
+# (in the [global] section) makes them the default for all shares.
+
+;	map archive = no
+;	map hidden = no
+;	map read only = no
+;	map system = no
+;	store dos attributes = yes
+
+
+#============================ Share Definitions ==============================
+
+[homes]
+	comment = Home Directories
+	browseable = no
+	writable = yes
+;	valid users = %S
+;	valid users = MYDOMAIN\%S
+
+[printers]
+	comment = All Printers
+	path = /var/spool/samba
+	browseable = no
+	guest ok = no
+	writable = no
+	printable = yes
+
+# Un-comment the following and create the netlogon directory for Domain Logons:
+;	[netlogon]
+;	comment = Network Logon Service
+;	path = /var/lib/samba/netlogon
+;	guest ok = yes
+;	writable = no
+;	share modes = no
+
+# Un-comment the following to provide a specific roaming profile share.
+# The default is to use the user's home directory:
+;	[Profiles]
+;	path = /var/lib/samba/profiles
+;	browseable = no
+;	guest ok = yes
+
+# A publicly accessible directory that is read only, except for users in the
+# "staff" group (which have write permissions):
+;	[public]
+;	comment = Public Stuff
+;	path = /home/samba
+;	public = yes
+;	writable = no
+;	printable = no
+;	write list = +staff

smb.conf.vendor

@@ -0,0 +1,36 @@
+# See smb.conf.example for a more detailed config file or
+# read the smb.conf manpage.
+# Run 'testparm' to verify the config is correct after
+# you modified it.
+
+[global]
+	workgroup = SAMBA
+	security = user
+
+	passdb backend = tdbsam
+
+	printing = cups
+	printcap name = cups
+	load printers = yes
+	cups options = raw
+
+[homes]
+	comment = Home Directories
+	valid users = %S, %D%w%S
+	browseable = No
+	read only = No
+	inherit acls = Yes
+
+[printers]
+	comment = All Printers
+	path = /var/tmp
+	printable = Yes
+	create mask = 0600
+	browseable = No
+
+[print$]
+	comment = Printer Drivers
+	path = /var/lib/samba/drivers
+	write list = root
+	create mask = 0664
+	directory mask = 0775