Trying out these patches here: https://gitlab.com/samba-team/devel/samba/-/pipelines/394086676

This is a big backport, but as the diffstat will show it is mostly tests and test infrastructure, CI etc.  

The production code changes are to fix:

RN: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal.

RN: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED

RN: Allow special chars like "@" in samAccountName when generating the salt

Created attachment 16864 [details]
patch from master backported to 4.15 (only)

The CI passed on a branch with the same final result, just with a patch and it's revert included (one of the ldb changes was reduced to a pointless knownfail and knownfail removal by the cherry-pick merge logic).

Created attachment 16865 [details]
diffstat from master cherry-picked to 4.15 (only)

This diffstat shows despite 166 patches, the 
95 files changed, 6071 insertions(+), 2343 deletions(-)
are mostly in the testsuite or CI systems.

Created attachment 16868 [details]
patch backported to 4.14 (only) (v3)

Attached is the patch from 4.15 backported to 4.14 to bring the bronze bit and associated Kerberos tests up to the same level as master.

Created attachment 16869 [details]
diffstat of patch for Samba 4.14

This diffstat, and a diff between the 4.15 and 4.14 patches should assure that these patches are reasonable.

The main difference is it misses some gitlab-ci changes and a thankfully small number of conflicts due to changes in tests.

CI: https://gitlab.com/samba-team/devel/samba/-/pipelines/395310961

Comment on attachment 16868 [details]
patch backported to 4.14 (only) (v3)

Patch is on top of ldb 2.3.1 patch in bug 14848

Created attachment 16870 [details]
patch backported to 4.13 (only)

Samba 4.13 is in security support only, and MS CVE-2020-17049 'bronze bit' is not being handled as a security thing in Samba, but here is a patch for those who might disagree and need it.

Comment on attachment 16870 [details]
patch backported to 4.13 (only)

CI: https://gitlab.com/samba-team/devel/samba/-/pipelines/395320714

Created attachment 16871 [details]
diffstat of patch for Samba 4.13

Using the diffstat and a diff between the patches may allow some to come to a conclusion as to the relative safety of the backport to 4.13.

Created attachment 16873 [details]
patch from master backported to 4.14 (v4)

CI passed: https://gitlab.com/samba-team/devel/samba/-/pipelines/395405420

Created attachment 16874 [details]
diffstat of the changes for 4.14 (v4)

The patches in bug 14848 must land first.

Created attachment 16875 [details]
patch from master backported to 4.13 (v3)

CI: https://gitlab.com/samba-team/devel/samba/-/pipelines/395523723

Created attachment 16876 [details]
diffstat of the changes for 4.13 (v3)

Created attachment 16877 [details]
patch from master backported to 4.14 (v5)

This is the same as the v4 patch bug has BUG tags pointing at this bug.

Comment on attachment 16877 [details]
patch from master backported to 4.14 (v5)

Pushed to autobuild

This bug was referenced in samba v4-14-test:

6acbb94daddb94a795e0b506bb7637ed15578cc5
fb63bdd828330274452436da2f8fd02e40866e82
67d713b9362aab401585610b4f662aac7e9fda6e
ba22aee1d8c32a4e2de4e7d31822c658918312ff
22aa29993e01f3c7bc68eb8e2f1cc4224b5715d5
a87fdc6629f1ff2f0534c54fedd76243f2342769
231d508a4724487c7a8cbf31557a43822b451ec9
e1fa2fff9304bcbf828b1b6c50bd127ced9f71bf
dadedd0d55089bbd9ced65a774f03b8a1d71abbf
ee2a85aba9f6daeb94a38299ad852d98b5af5a82
c8c0af0b20f4339628172867ea85b0d3df16d780
7b6848c73b0cb9451eb033ef93772f168b9bfad7
f63461ffd80426830abd24b667de1356509a1aad
7d955391e290aeec931f95d16ac96c289ae71942
d94233f1e0c9a16ba2e5bf003bf7d10b71d3329f
3edaa318df912f92ac4a7d4f7f4aeaf2e0193bbb
d5b1b59cde48c0695bafc0e8d7309d1277d28208
39a7676c8688703e96254df54417404b848ccd4c
0e80a7ef9c41c89ca126a813ca36cc4398de5ab5
1984c30ce37453c5a5597bfb9a9bd7e70670962d
95c7eba3951abe029b32f11271f0ac320ebd48ab
fc91b526f7daec574b9ebd2a00f5b54eae4ca04e
23eaf0160adde30986811b7591ac46758c0427c2
dcd13ba166e8385b6e60f206acd34912a5eb09c7
0e1d6fda2067caf37415332de8da6e3712bf8620
7594ba47c19e0a288a03eb76fc7cec137c1f4024
18c892942ee450e776b19f8f212ef8aa8f1b7f6e
58f68bf357f10b3e42609b0166a56cfa292413a5
811714e4f6b32d667659810c422096fc992da11a
61739d1a33a57d54a184fd09e89f349f4e7eb385
fadecadfe2f42bc43eea50be0a479eef494d5c0a
10e46b9b74bc581ade5fde1d3936f652448b03ef
82a19ce548eac76f9ce4ca60f2b6b4c98aa87cbb
6614fee6e8b47ec8052306281fb3e5642dfbddcc
0dcab6505c62475f0d30012c748322e0f8d76ced
bf06918b44d2737f3b696430e6db2d03878158f8
5812a13ec5febc96d718377178727327160c132f
61cc6767c32cb131e24c1f303c9d312e4d3d395c
76f1deb3cd85333bf469128d6e56996db8dde182
c2a61c2c911ca5bb928b6bd68c3eb72c7d98e0fb
8c7d78a2e1aefb9d3f4dcfd07c4bcdd95c1096d4
aff414e2a7586384d36502a8e825ac20f4a88f14
eb103f6337a6a433b204ce8640324fe0f6a1a744
71c46e032a9d0a0f9809b237c1fa09cbc4619efa
7ad68c8cc59be645b9e6506c5253eca027900ec9
690d90ba615ccbf0094fb1a93d29be1e651cc879
1e6c77a03afa9595d06141060a7a9ed58f5793a0
65a269f1e31dd402fa048d99a3676d9a6df0f87d
b14183e7f35ee1536594a66664465956066723ae
459e3bd695b98f8efff4b4bc5c98ba1e2270d25f
5db1b57b20d1c8fc6f7ecf6204427a6e4e851775
10db9a0bfb05924c1e9721f5def2425abac5cd57
912bac3ba71ef07a8d5c90810e08551938f1b89f
4fc5d67f601ee02a968d69a504653fc794d12380
1301ed37c447682a32356e470ec9cf85d2416f87
bee8264f1bc9360c5bbe15e60e7b5161358efecf
02c17fe22bed720814610418cc7fedf54a49a777
f274497789601bfa62db3e6e8f5248c1b68bc00c
efc3d6edd69439a72ab7b75934387f65c7c1d86e
84973c79a7926b16d47a084ee88a6e3e8ace81b5
4ace77d830bce86e29380ce7dd4568f581e35960
15c7c561f7bb29c2b436d5c34b8ce84a2579743b
39941358333cd1c9acbbcdca851f538bf41b1c91
c08defb5a7df10f2598c2ae844f6f3fe22e481b5
e71cfc36ad7b4748806c58e425672b5df9eebf5d
0fbff441fc71c167ee5ab38db6405044a421564c
ac378a754bd3f7ac37005ba11040076f77a5dc0a
5cd321086ba7e87fcb8949de9769ef45880ecde8
1c1154d81ad9ad32fd2c43902073a63c7063ead4
6868628eab75e155305ac711b4b6b8ff4fbbd92d
4cf6614a16a89f74045e1eb5db288dd1cf91ea15
bb6eb577c0530540d145f3b7ec7c5e0d39c80d3a
85053e6eb2ec716046e502f304614ef8d863d3c2
91df69559c5b09f2a9d32e577e09bcefce85f303
2af40a2ddf23d843aac7637ae094ae439d14fcfb
505eb4e71f7d31549f6038312fcbbde7050038b9
b5432f5203fc16d5cc6ebe00cf659c9a0a94580f
22477380e69e92953f74ac35f61da442e77dc834
ce2da506c772af4a28a45939f4ba25a22500848e
d5566cbb6815cd0f0dcb10195edf99cc255b2b3e
bd1aa18c52bb2ad6f857c9bf30bd988556fb9fe9
08608d9f50e4240fdcd4beef57eabeed825a8563
f2c1535f8b68e618f90f7cfa320c7fc61af60bbc
a4e9eb693a92ed8ca5bcafb1ae2aaf02cc8e6e36
0547b4ebcdd5f25d09b47a0691e6d6b7435fd346
ca549882cf62299935a5416ab8bb9e0a0a643827
191a0e9dbb3a8b4b04168bf11c54c13482cff4e2
316df8064dea1d1b6d318231f18e8a7ae2b65bca
0bdeb9cebf0309f50ddae7e7c2f38ca740993c95
68275cdd1911c4e587f2cffd43d282b3abdbb13d
bbaa1159d2dbfc0d8bcab153c9e10137507fd315
fbfdfb979f3277e6504c15faa1a8212cb657889f
2c77e1d8771e8206e699d3df687dd017c0f46e1c
0e16f882d02a5173862056e50490e8d60853cb15
d9135f31e33058d444f89bb7c54d8daf80c1f388
a608f75910526816da7d63fa7635a2ddd2884f5f
d5e7162ae37f3eb7d31a211e9b49cf62509b27ba
cb0b486f483ff5554fc1f7adf125698750854ce7
8537439913a93c2471abb7b1591f31493ee12c6f
72c05a708d11699b7a474e2bf2fae8304ac4b9d7
a26133b9f0a4da4f376ded0f30bb0477b772eb81
e7150fe29689df9d2df5d08fb8dc06248ba80889
1eb3f880c703f43730446236b0b4d2f88704e934
dafb8efd7f586afd18413b40b949298913c9402b
5620fbd2a3d4dbb4cac1fe5883b7d022e5c29896
2dc3b7d9a4cbea44fc59f6ec2748eba8314d7e4d
fd40fbe9a39908d5a27ec2dad0c8ead4963faef4
2c65205c2387549a19318b0d50811ce87bbc0c85
1ddb8111ed540841b075749e13678c7c6ad98f9e
ec438f0b6eefb83b0d09357a67d2cc6be27a90fc
a5f3863aec192fbf1a7366da516475c066e5f942
271b8cebf14be3f99944b984dd96919af16c63f2
f8ac3ccdb7cf9c67b8a842e0c51faaae8aa6bee4
fbf52f34082a4ce970042d1cbfb56f9d72e3630d
0c828728e0d2c6a3f76247d12aeafa1eee991a10
761ae6dba6720bea48fdcc8bc695d5724fc00c1a
8048b6fe8cfd2887090a5aec682060b396794f6b
a3864293e828dade0ff63412517530a5267d0716
77f46ab1a4a70de542fc035b20c829d4cab51082
4e4fa68e1b5fbad23d87ba2b9c85e8f8f89d917a
2d2da2af26e621e20bdb13f7a85fdb98569f9724
5c5ca93aab796dbfc1c2e428890aa6c5fa6f0b81
bf8ad7c0d292b44556c9e8b8c6118134e461a5fa
15789d27dd9ec30d4d313849cc2689c54929b13b
81e1564e3eeddb4e6f2b63af87d14302e4ad2fc7
4de575650ee1d809e9e242b4a7ea802071f0da89
a1d8f275d10cb7e311609d915132aa6f87c872fa
c8bbd3d659bbe42436cf43e8e32ca8da30adce39
a2c7a5a94e68ce19ffb877d4d68ce1ceb44c622d
eadd3b8844d1e4162558f443e5cd4905f12667e6
4ecd119b7c1aff7db9fc1f475121debe464391c2
c3df114577d5a535b0e0c0dc1ec4beed0907e25c
4e98f5d9d4609e88783580b6a4d752b4d54f505e
1a1f72c2e2297a39b9743b13ebb94adf027a30a1
d09fa6b47b30165769041143f210816a447f5c9f
bb3fbf53ad1bd665d0a02e5459a9eef631802f4c
8034d387a8fcdd455be24a1fcb48a488bfde0f03
5cdec75f8bceee0e4996682d09104ff076e241b3
2149108966f4159a218a901c19bea3921d68fa1e
d8b9907d2a78fa06a0fd944eeee4a6bdd0e02614
716b2825791f64040ad69f88c5324ae045d108f7
45cd642a45669619b23ecec7f0735dfe9804bb99
30b9be9601b19ef492b6170a74c917bd0cd9eaa7
0d100830605dd95e2ff308a2deb43bd8c31f1dc1
11a5c413da5e690e2aafde5aaff5417619c9ef94
93ea095a260f45d27b69b08a323d093c0dea1cde
e4e9f671d0349540e80c197e7e4a0e49ffcac0d3
1918feb3e9fcba21df55a48e28786243fe9c58a7
523b18be4b1304cbfe0fb25ebd13245278fe33c8
64880dc2ad2ac44b0a133248d56c6ac2169a4140
7fbdc4f0bc4783eac09be6adcda8db986712501f
3a813c6d70e0a6b390f550ec208599ad4f79a661
cf03277b663796a22d9fffbfdb6db270169a0385
68f9cc0b9f299f8690036b19570826b1798b1523
b2157fd16de68853c98422cfcaea6bd35faa3a42
46ef1ac3f37118aa6c4a67c98a6fbd3829905153
d79ddfb027a47a5cf81f14d77ebced2b38844442
51324ea4a6507d550f08b7166701f72f7752a100
6b5aba80e648a2b1c67c802c44ea7060540ac262

This bug was referenced in samba v4-14-stable (Release samba-4.14.9):

6acbb94daddb94a795e0b506bb7637ed15578cc5
fb63bdd828330274452436da2f8fd02e40866e82
67d713b9362aab401585610b4f662aac7e9fda6e
ba22aee1d8c32a4e2de4e7d31822c658918312ff
22aa29993e01f3c7bc68eb8e2f1cc4224b5715d5
a87fdc6629f1ff2f0534c54fedd76243f2342769
231d508a4724487c7a8cbf31557a43822b451ec9
e1fa2fff9304bcbf828b1b6c50bd127ced9f71bf
dadedd0d55089bbd9ced65a774f03b8a1d71abbf
ee2a85aba9f6daeb94a38299ad852d98b5af5a82
c8c0af0b20f4339628172867ea85b0d3df16d780
7b6848c73b0cb9451eb033ef93772f168b9bfad7
f63461ffd80426830abd24b667de1356509a1aad
7d955391e290aeec931f95d16ac96c289ae71942
d94233f1e0c9a16ba2e5bf003bf7d10b71d3329f
3edaa318df912f92ac4a7d4f7f4aeaf2e0193bbb
d5b1b59cde48c0695bafc0e8d7309d1277d28208
39a7676c8688703e96254df54417404b848ccd4c
0e80a7ef9c41c89ca126a813ca36cc4398de5ab5
1984c30ce37453c5a5597bfb9a9bd7e70670962d
95c7eba3951abe029b32f11271f0ac320ebd48ab
fc91b526f7daec574b9ebd2a00f5b54eae4ca04e
23eaf0160adde30986811b7591ac46758c0427c2
dcd13ba166e8385b6e60f206acd34912a5eb09c7
0e1d6fda2067caf37415332de8da6e3712bf8620
7594ba47c19e0a288a03eb76fc7cec137c1f4024
18c892942ee450e776b19f8f212ef8aa8f1b7f6e
58f68bf357f10b3e42609b0166a56cfa292413a5
811714e4f6b32d667659810c422096fc992da11a
61739d1a33a57d54a184fd09e89f349f4e7eb385
fadecadfe2f42bc43eea50be0a479eef494d5c0a
10e46b9b74bc581ade5fde1d3936f652448b03ef
82a19ce548eac76f9ce4ca60f2b6b4c98aa87cbb
6614fee6e8b47ec8052306281fb3e5642dfbddcc
0dcab6505c62475f0d30012c748322e0f8d76ced
bf06918b44d2737f3b696430e6db2d03878158f8
5812a13ec5febc96d718377178727327160c132f
61cc6767c32cb131e24c1f303c9d312e4d3d395c
76f1deb3cd85333bf469128d6e56996db8dde182
c2a61c2c911ca5bb928b6bd68c3eb72c7d98e0fb
8c7d78a2e1aefb9d3f4dcfd07c4bcdd95c1096d4
aff414e2a7586384d36502a8e825ac20f4a88f14
eb103f6337a6a433b204ce8640324fe0f6a1a744
71c46e032a9d0a0f9809b237c1fa09cbc4619efa
7ad68c8cc59be645b9e6506c5253eca027900ec9
690d90ba615ccbf0094fb1a93d29be1e651cc879
1e6c77a03afa9595d06141060a7a9ed58f5793a0
65a269f1e31dd402fa048d99a3676d9a6df0f87d
b14183e7f35ee1536594a66664465956066723ae
459e3bd695b98f8efff4b4bc5c98ba1e2270d25f
5db1b57b20d1c8fc6f7ecf6204427a6e4e851775
10db9a0bfb05924c1e9721f5def2425abac5cd57
912bac3ba71ef07a8d5c90810e08551938f1b89f
4fc5d67f601ee02a968d69a504653fc794d12380
1301ed37c447682a32356e470ec9cf85d2416f87
bee8264f1bc9360c5bbe15e60e7b5161358efecf
02c17fe22bed720814610418cc7fedf54a49a777
f274497789601bfa62db3e6e8f5248c1b68bc00c
efc3d6edd69439a72ab7b75934387f65c7c1d86e
84973c79a7926b16d47a084ee88a6e3e8ace81b5
4ace77d830bce86e29380ce7dd4568f581e35960
15c7c561f7bb29c2b436d5c34b8ce84a2579743b
39941358333cd1c9acbbcdca851f538bf41b1c91
c08defb5a7df10f2598c2ae844f6f3fe22e481b5
e71cfc36ad7b4748806c58e425672b5df9eebf5d
0fbff441fc71c167ee5ab38db6405044a421564c
ac378a754bd3f7ac37005ba11040076f77a5dc0a
5cd321086ba7e87fcb8949de9769ef45880ecde8
1c1154d81ad9ad32fd2c43902073a63c7063ead4
6868628eab75e155305ac711b4b6b8ff4fbbd92d
4cf6614a16a89f74045e1eb5db288dd1cf91ea15
bb6eb577c0530540d145f3b7ec7c5e0d39c80d3a
85053e6eb2ec716046e502f304614ef8d863d3c2
91df69559c5b09f2a9d32e577e09bcefce85f303
2af40a2ddf23d843aac7637ae094ae439d14fcfb
505eb4e71f7d31549f6038312fcbbde7050038b9
b5432f5203fc16d5cc6ebe00cf659c9a0a94580f
22477380e69e92953f74ac35f61da442e77dc834
ce2da506c772af4a28a45939f4ba25a22500848e
d5566cbb6815cd0f0dcb10195edf99cc255b2b3e
bd1aa18c52bb2ad6f857c9bf30bd988556fb9fe9
08608d9f50e4240fdcd4beef57eabeed825a8563
f2c1535f8b68e618f90f7cfa320c7fc61af60bbc
a4e9eb693a92ed8ca5bcafb1ae2aaf02cc8e6e36
0547b4ebcdd5f25d09b47a0691e6d6b7435fd346
ca549882cf62299935a5416ab8bb9e0a0a643827
191a0e9dbb3a8b4b04168bf11c54c13482cff4e2
316df8064dea1d1b6d318231f18e8a7ae2b65bca
0bdeb9cebf0309f50ddae7e7c2f38ca740993c95
68275cdd1911c4e587f2cffd43d282b3abdbb13d
bbaa1159d2dbfc0d8bcab153c9e10137507fd315
fbfdfb979f3277e6504c15faa1a8212cb657889f
2c77e1d8771e8206e699d3df687dd017c0f46e1c
0e16f882d02a5173862056e50490e8d60853cb15
d9135f31e33058d444f89bb7c54d8daf80c1f388
a608f75910526816da7d63fa7635a2ddd2884f5f
d5e7162ae37f3eb7d31a211e9b49cf62509b27ba
cb0b486f483ff5554fc1f7adf125698750854ce7
8537439913a93c2471abb7b1591f31493ee12c6f
72c05a708d11699b7a474e2bf2fae8304ac4b9d7
a26133b9f0a4da4f376ded0f30bb0477b772eb81
e7150fe29689df9d2df5d08fb8dc06248ba80889
1eb3f880c703f43730446236b0b4d2f88704e934
dafb8efd7f586afd18413b40b949298913c9402b
5620fbd2a3d4dbb4cac1fe5883b7d022e5c29896
2dc3b7d9a4cbea44fc59f6ec2748eba8314d7e4d
fd40fbe9a39908d5a27ec2dad0c8ead4963faef4
2c65205c2387549a19318b0d50811ce87bbc0c85
1ddb8111ed540841b075749e13678c7c6ad98f9e
ec438f0b6eefb83b0d09357a67d2cc6be27a90fc
a5f3863aec192fbf1a7366da516475c066e5f942
271b8cebf14be3f99944b984dd96919af16c63f2
f8ac3ccdb7cf9c67b8a842e0c51faaae8aa6bee4
fbf52f34082a4ce970042d1cbfb56f9d72e3630d
0c828728e0d2c6a3f76247d12aeafa1eee991a10
761ae6dba6720bea48fdcc8bc695d5724fc00c1a
8048b6fe8cfd2887090a5aec682060b396794f6b
a3864293e828dade0ff63412517530a5267d0716
77f46ab1a4a70de542fc035b20c829d4cab51082
4e4fa68e1b5fbad23d87ba2b9c85e8f8f89d917a
2d2da2af26e621e20bdb13f7a85fdb98569f9724
5c5ca93aab796dbfc1c2e428890aa6c5fa6f0b81
bf8ad7c0d292b44556c9e8b8c6118134e461a5fa
15789d27dd9ec30d4d313849cc2689c54929b13b
81e1564e3eeddb4e6f2b63af87d14302e4ad2fc7
4de575650ee1d809e9e242b4a7ea802071f0da89
a1d8f275d10cb7e311609d915132aa6f87c872fa
c8bbd3d659bbe42436cf43e8e32ca8da30adce39
a2c7a5a94e68ce19ffb877d4d68ce1ceb44c622d
eadd3b8844d1e4162558f443e5cd4905f12667e6
4ecd119b7c1aff7db9fc1f475121debe464391c2
c3df114577d5a535b0e0c0dc1ec4beed0907e25c
4e98f5d9d4609e88783580b6a4d752b4d54f505e
1a1f72c2e2297a39b9743b13ebb94adf027a30a1
d09fa6b47b30165769041143f210816a447f5c9f
bb3fbf53ad1bd665d0a02e5459a9eef631802f4c
8034d387a8fcdd455be24a1fcb48a488bfde0f03
5cdec75f8bceee0e4996682d09104ff076e241b3
2149108966f4159a218a901c19bea3921d68fa1e
d8b9907d2a78fa06a0fd944eeee4a6bdd0e02614
716b2825791f64040ad69f88c5324ae045d108f7
45cd642a45669619b23ecec7f0735dfe9804bb99
30b9be9601b19ef492b6170a74c917bd0cd9eaa7
0d100830605dd95e2ff308a2deb43bd8c31f1dc1
11a5c413da5e690e2aafde5aaff5417619c9ef94
93ea095a260f45d27b69b08a323d093c0dea1cde
e4e9f671d0349540e80c197e7e4a0e49ffcac0d3
1918feb3e9fcba21df55a48e28786243fe9c58a7
523b18be4b1304cbfe0fb25ebd13245278fe33c8
64880dc2ad2ac44b0a133248d56c6ac2169a4140
7fbdc4f0bc4783eac09be6adcda8db986712501f
3a813c6d70e0a6b390f550ec208599ad4f79a661
cf03277b663796a22d9fffbfdb6db270169a0385
68f9cc0b9f299f8690036b19570826b1798b1523
b2157fd16de68853c98422cfcaea6bd35faa3a42
46ef1ac3f37118aa6c4a67c98a6fbd3829905153
d79ddfb027a47a5cf81f14d77ebced2b38844442
51324ea4a6507d550f08b7166701f72f7752a100
6b5aba80e648a2b1c67c802c44ea7060540ac262

Comment on attachment 16875 [details]
patch from master backported to 4.13 (v3)

CI pass here: https://gitlab.com/samba-team/devel/samba/-/pipelines/395523723

Created attachment 16879 [details]
inter-diff 4.14 -> 4.13

The 4.13 backport is pretty much just the 4.14 backport, so this inter-diff may help review.

Comment on attachment 16875 [details]
patch from master backported to 4.13 (v3)

Pushed to autobuild

Comment on attachment 16875 [details]
patch from master backported to 4.13 (v3)

CI when applied on top of patch for bug 14848: https://gitlab.com/samba-team/devel/samba/-/pipelines/396972124

(In reply to Stefan Metzmacher from comment #22)
Sorry for the stress, but Joseph tells me the ldb fixes are needed (not just a really good idea) and while autobuild passes we shouldn't risk it, so I've made ldb 2.2.2 and am re-testing on top of that.

If you don't get to this in time no worries, I think it may be actually OK, and we can apply ldb 2.2.2 second.

Created attachment 16881 [details]
shell script to backport the bronze bit fixes to Samba 4.12

This script uses some inline patches but mostly cherry-pick of commit hashes in master as a way to safely backport the required things to Samba 4.12.

This may assist some needing to support Samba 4.12 and want the bronze bit fix.

This omits a few smaller cleanups to our selftest code for the Samba3.pm case that are otherwise in the backports elsewhere in this bug:

89b9cb8b786c3e4eb8691b5363390b68d8228a2d selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
88f824aeb3fab477b083de8b761535e284c2eb3e selftest/Samba3: remove unused close(USERMAP); calls
c9e54bbe242f4040758ef6c35a83de23fdb5c05e waf: Allow building with MIT KRB5 >= 1.20
f01e4e19cf67ae9bcb939cdaacab78fac74fb56c selftest: Improve error handling and perl style when setting up users in Samba4.pm
2bf0e4224f85751fff4485e00e0d1fe13d5030bb selftest: Remove duplicate setup of $base_dn and $ldbmodify

Created attachment 16882 [details]
patch backported to 4.12 (only)

This is the patch generated by attachment 16881 [details]

Created attachment 16883 [details]
diffstat of patch for Samba 4.12

diffstat of the Samba 4.12 backport showing possibly the highest tests vs code ratio in a backport, but it is safer to backport the whole testsuite than just bits.

Comment on attachment 16882 [details]
patch backported to 4.12 (only)

CI: https://gitlab.com/samba-team/devel/samba/-/pipelines/396985896

This bug was referenced in samba v4-13-test:

283a128129f85552e36bcd7d49eaced9a25568ea
d4872f50bc4abee7fbb450c550a632f030a16d69
6882fb5c3e6fe045c0f375a3ad04ab5a9144c651
0d0d609dc07af01f48f2135c639933d8204494e0
d5572676f51adb48a0e7740bc12205057f34fc44
efb8340f41f55813e31bb6783d6214136a805253
a91f36d7bc45642e920e69b37b8c96a67e90aef5
20df014fb13ba1d6e8e0653ecbb9d43af9419fcb
735d514ec11bc2df26cd146e286eb82bccaf080c
c978fcdf535bb41e02eb8d633d9c7ea146e3024a
4892fa1315fcd26a08cfc51eb002c53645d45663
9b75a279c030f0a2037f6d7f3825653b7c7fc2eb
a2d8713c55c0eb995f68fb324396c2e9f21bfe62
1837ddb34811e3277c0bdc35bc74fce99b7870a6
dcde84d9268f4e78de1ec28981bc371b713774d4
99702d5d7db2acdcc3ccc7ce5607b9e693f4e7f7
36eb76b6c2fe6b66e137e73f998e54364b305ad4
e4c5a3ea34f25a77e4934b61545c9a23cd68b0bc
f86766afd9222884daf1a8c953a6cdb49550abae
af38bdc05696d69aaef5b39ad047d644494730d8
9bd79bfe7a844738237119f4801f8ce1912f43eb
829de7f89a71dad95df5c33c8a233a1da121a665
eef81ead620c8c70b60aa10d0c743076032db53a
39541dfa2d0c197b1dda28f5a81f4d41f7520b00
26b6b6e630b58cf67ab02971535b574728fbf8f7
a57391cf431a60606fc2d1625b766155cf54bfc9
36f8c7080a730a4ea1e4896a8d66408eb6eb4b7c
ac14815f849661c15c212f4fb0ad4a9de81ca74e
9926198bce0f1ba1d05965403d61d64ff05fea50
860f77046507cb8ec28ead1b71ad4b7c9a93743b
c2cbe6e9aab347945c855c27435ce1ec87614c36
7d6ad51b20c04ba25ae553ad744ef4c928fcc32b
9b151de26530d4d5e4dfed381728fc271a064283
329fcc65aa6f69e276ae5af85b173000e36cb05f
c7491a9e760a1ef9a211de93f944948def4a92bd
8c7d05440356f59f8b098fa10070c40a1cfacf10
b68eae6687b4610599c80a232beaaf0c4c97f4ff
4b9b3e922562a1ec977039576471d42b06813b94
3f2c977d478a1b2b4a9fd06f945f6c061b839466
b2f980110151f2d9d55ffa03328a375a9ba46e03
286d69daf8b0afcbf83e4724a761466fb1f690f8
c106983b6faccbb797f2c8ffd6153eb1ec378e66
2850771dfcb0efdfb9736ebea2818fe194aeeaa2
d97a975e92a6008104456cc5d99ac5eb9ccc5122
e93ed34f928efa89431f3ca48a89a741d17add6b
bb236fc2432316308dd4878240140f58ecc1e758
cb35919a14f8698c6b6275fb2c668d3a57829d75
a8c139de2af35ca0c243b430d6388b0327a358ac
e380626903e5a68e643b740896a8ca4bcb69ab93
b619f4cb768847462751b959b3e3b4e92cb99b0e
7446e1cd80149fddbeda8461ecb4092300fd9b0f
1c05c3f7433a176203a6d49e48a1fa658fd6ff32
a54629359b664b92c7b4e208284e40c1198f2ff3
c6a2b7f196e125fc07fdf23dc7a9b40cda9781fd
3fdc427411c1b63622db5af1691b9b70ed4be833
b146689063243b930abe38004c558e1284ec598b
454a8a7e687e400b79ad4b69c8fd4b7cc4912c85
891195fa81e70e8369ee2d17f6bad981d1362315
0eccbbc27480524d05ecb9cfb77578a83ca70ff9
bce8a8bd915ac59faa9c2bd5b2b8fe56695bf058
3d1e55d06076d611a2bf98505497029ae90e3cd7
74b4bcc2b98a89bb44504a921026c87128e6727d
68da62728d242eab44e6a0d59c5c929b80692109
4c561dbb3ca2cd6a792ab80b149960fed77721d4
e238315bbdfe6b67d5014b6559d77bc2071c8b9c
6d3e996b480f4a83f4f41f48d6ea3d0851eabac3
1e4e8d883b61867fd095fc7751c978429eb000b6
466f694f2fdf5f40668f85e70315de821854cfb9
5b2c7c0930df378782becb814a8cee8837c86a8e
dc44a5b6fdf4ddcf216ad48c2e3f745a604d4f10
74f90d6b1a6f4373d1ad4093070d0b80b1410b76
65ff3ff171e97214b9b0585a4cf6913f07a0bb89
279bb102fe8be500cd487e87e1dd85b22153c322
0b5f8ac5b4d665b35a5a50bf3cca9def1c9c9f7c
ab9034dd8246b43290914014a261ea7625260ca2
b047ed0c87d517e2d5b600e5d1358d21c8b12439
5c1ab0b2697e6418b8aefc3bcee9bab7b41094b2
82606cd6f3140bc377f6177b6d813e659422e9e7
7ba4cad1a769f7fe7b3755fc80b39009a838d73e
528c950eff9e70b6063881b6c375fce9b2efea4b
39bba78a5d014bfc30a94cfbb630ea98e8ab0e00
1506b1c29bb02231628cbe7c9e319449ee9d4c34
501d5e76a82bafd265b5fd754d75fe3372479cb1
91d385abffb95ba5aab4dbc50b89c92d2316149d
d310714c22114c9dbf83ef57c7fdf0f94bb5c9a3
2052395dd89b56b3c99d2b270a9eade67d042c7f
e3cd9b3649fb152ea3310d9220c5461bad08a5f8
0e33a8d82fea2dc21adebe40c5c080069805c24b
8a6c15b431c41021feb3d030983634d6951ca55e
4f6e02bf1db79887947df43964bf4ced664a70ad
896eea26d352fadee91fcd2bfa81f3622e586fab
f1fad85fe183079b382eb5d59c7211de65890236
86e97e83ce4f63f613d1212a5cac3c370a4456b1
334361501a9e1eebcfb572e3179064cc403929fe
cb49059ab461ecf66c0b4ae47b25b9fb8aeb9214
e56da60d01b1b4546b3d92480f89cbf591e500f1
129772e049dc15ccc3806801475d5fabb0b4aa33
5bc46c831ef0fc19ee3a4d54f379b84bddc7446a
b0f9a83846baef02de7958be3c25ff7e8480d446
7f3d6f9d92598944b8940c44e05fa5565c67262a
5f72fd098f08787c42b7ea29c471f48beeb4a474
07e242da411326ea36b9d6bf286db636abe68f0e
d82e7716f486154602767351136f18e232f7b3cc
8ee28d96b29845c631554fb1f3171e74028fe47f
54fb144fe9ad68a65d2acd4c78e69753db8c19c6
07ace448a5c64d9409f31d9be6dfe581bbb6a7f1
b08fd85bcb209ae249807e296d362d92bd2faa8f
90d58c72bd792d683c17aacdcfa4646963ee5ff0
d46f0d1793bed59026cb517dc7056a51fca1d5cb
2c6b918ab92fb88f179edea773b2364aad262bde
1ca795a0cb9a169dc428b966db095bf34f1bd597
518e990f496317c79148f2fc00838a0ac3bca959
91faad4ef6ba401267a2ec94a14c5fe6075d8075
6a1549a49557fa1149b30d3a626f6833e673b229
61ec92dc0964118fc6ffb5e4afa3d2ac52b22b6a
2373c1ac1ef321d51ef2939df221f00510633778
8b947965d4f86b7bbb36fd181e93430ed47a8250
f3c36a069981964baeec92efa15416491516748e
0e53c4353a28404cd57c9726f5701ab80adc8562
8b363a630e55aaf507735ecbcb0d678906c065e4
1486a8a04b0fe7ba86b0378d7e9ee78c77cbe17f
6afc41b262ed2d308a89926c4f63139f26983d91
ff31503bd41dd76c8d965b6a6c3e9904aa78c373
4114e57a371f4d873d280257c8f396945b872c4b
c17bfba30011b01fa23cf5742c7d4026b42839e9
c73825d0b0131b505ee2b75f75d55c21ad1f2d05
49bcbcbb4d6130440064db6d1a0bd888891f3a8f
58bc0a4b7f1ec70e1d9e7a80dac6e85042cf7bc2
61fb0ba82c65734c6ed9b85b8dab4db72bd47fd0
e5ca4a51c80cca54d4484032268716cee139792b
6fbde5488035897f92c7996c631a1d7fb92824bd
9d3419c3068b7ae08049df83927fdf23cad3d223
5919475dc9026c527a016b226586d5bab30cac1e
cb044703b29b2d80775305ebb01027199542af1d
4ff8af7d54df3ee51f13f9dbc7c80a83a9c08153
543478fe985cd962f07e14bedd30660144382c54
33537398392db0d3352ae3ca9ff7d7df866a181c
033249c56e1b6a72d717aa64f1d09d107d6b67a2
473278c1301bcefd623b10ea88f1ff7627fe7c1e
fa32948c1d15ace180b5a9c7d80a1e0b25846d2a
106dc4a049265e49f5b39c0bf0dbb3793aa34a61
3eb78cd43b6feb5fdee396881ca46e84371918f3
999208d3afa8f6fcb2e20ce3dd068d5f0c48cf86
e9b12d2def935050fb8be3f1d3e0ab6713807f32
f7d6826afeafaae83a0164e8713c672e297eab6a
a203de481979f65ba4c3d0e4c079cafde55b7b40
a64c25ff09707d2cccd80335f662571fed024972
18bce6fc477d94d7c5a361ceec3b6f3353647e71
38ebe186f421df13a9e593a6a9f0f14b77cbaba7
2bf0e4224f85751fff4485e00e0d1fe13d5030bb
f01e4e19cf67ae9bcb939cdaacab78fac74fb56c
c9e54bbe242f4040758ef6c35a83de23fdb5c05e
88f824aeb3fab477b083de8b761535e284c2eb3e
89b9cb8b786c3e4eb8691b5363390b68d8228a2d
4056198f4c950b77569c247beaff1bbdf3acf8f5
a2a173d70ad4e9ea54b336ef9660897ea6ed58d6
3f376eeaa88237a15a523cbf1c11a75e20f3ffc8
a742af325f904396973bb274e5413c437dce487a
d3b491c31164c8ac6c9f4c0a35742684efe0d61d
ae6d74c9ef81b7fda5617948f4cc7b1be7c279a9
274f16103f69d98b9262575d043d84bb9a1b53eb
0cea7f53c01718ec1d5d86a415ca494e1899501f

This bug was referenced in samba v4-13-test:

74e65d7c06c5eda79105f43d87efcaec09dfbb77

This bug was referenced in samba v4-13-stable (Release samba-4.13.13):

283a128129f85552e36bcd7d49eaced9a25568ea
d4872f50bc4abee7fbb450c550a632f030a16d69
6882fb5c3e6fe045c0f375a3ad04ab5a9144c651
0d0d609dc07af01f48f2135c639933d8204494e0
d5572676f51adb48a0e7740bc12205057f34fc44
efb8340f41f55813e31bb6783d6214136a805253
a91f36d7bc45642e920e69b37b8c96a67e90aef5
20df014fb13ba1d6e8e0653ecbb9d43af9419fcb
735d514ec11bc2df26cd146e286eb82bccaf080c
c978fcdf535bb41e02eb8d633d9c7ea146e3024a
4892fa1315fcd26a08cfc51eb002c53645d45663
9b75a279c030f0a2037f6d7f3825653b7c7fc2eb
a2d8713c55c0eb995f68fb324396c2e9f21bfe62
1837ddb34811e3277c0bdc35bc74fce99b7870a6
dcde84d9268f4e78de1ec28981bc371b713774d4
99702d5d7db2acdcc3ccc7ce5607b9e693f4e7f7
36eb76b6c2fe6b66e137e73f998e54364b305ad4
e4c5a3ea34f25a77e4934b61545c9a23cd68b0bc
f86766afd9222884daf1a8c953a6cdb49550abae
af38bdc05696d69aaef5b39ad047d644494730d8
9bd79bfe7a844738237119f4801f8ce1912f43eb
829de7f89a71dad95df5c33c8a233a1da121a665
eef81ead620c8c70b60aa10d0c743076032db53a
39541dfa2d0c197b1dda28f5a81f4d41f7520b00
26b6b6e630b58cf67ab02971535b574728fbf8f7
a57391cf431a60606fc2d1625b766155cf54bfc9
36f8c7080a730a4ea1e4896a8d66408eb6eb4b7c
ac14815f849661c15c212f4fb0ad4a9de81ca74e
9926198bce0f1ba1d05965403d61d64ff05fea50
860f77046507cb8ec28ead1b71ad4b7c9a93743b
c2cbe6e9aab347945c855c27435ce1ec87614c36
7d6ad51b20c04ba25ae553ad744ef4c928fcc32b
9b151de26530d4d5e4dfed381728fc271a064283
329fcc65aa6f69e276ae5af85b173000e36cb05f
c7491a9e760a1ef9a211de93f944948def4a92bd
8c7d05440356f59f8b098fa10070c40a1cfacf10
b68eae6687b4610599c80a232beaaf0c4c97f4ff
4b9b3e922562a1ec977039576471d42b06813b94
3f2c977d478a1b2b4a9fd06f945f6c061b839466
b2f980110151f2d9d55ffa03328a375a9ba46e03
286d69daf8b0afcbf83e4724a761466fb1f690f8
c106983b6faccbb797f2c8ffd6153eb1ec378e66
2850771dfcb0efdfb9736ebea2818fe194aeeaa2
d97a975e92a6008104456cc5d99ac5eb9ccc5122
e93ed34f928efa89431f3ca48a89a741d17add6b
bb236fc2432316308dd4878240140f58ecc1e758
cb35919a14f8698c6b6275fb2c668d3a57829d75
a8c139de2af35ca0c243b430d6388b0327a358ac
e380626903e5a68e643b740896a8ca4bcb69ab93
b619f4cb768847462751b959b3e3b4e92cb99b0e
7446e1cd80149fddbeda8461ecb4092300fd9b0f
1c05c3f7433a176203a6d49e48a1fa658fd6ff32
a54629359b664b92c7b4e208284e40c1198f2ff3
c6a2b7f196e125fc07fdf23dc7a9b40cda9781fd
3fdc427411c1b63622db5af1691b9b70ed4be833
b146689063243b930abe38004c558e1284ec598b
454a8a7e687e400b79ad4b69c8fd4b7cc4912c85
891195fa81e70e8369ee2d17f6bad981d1362315
0eccbbc27480524d05ecb9cfb77578a83ca70ff9
bce8a8bd915ac59faa9c2bd5b2b8fe56695bf058
3d1e55d06076d611a2bf98505497029ae90e3cd7
74b4bcc2b98a89bb44504a921026c87128e6727d
68da62728d242eab44e6a0d59c5c929b80692109
4c561dbb3ca2cd6a792ab80b149960fed77721d4
e238315bbdfe6b67d5014b6559d77bc2071c8b9c
6d3e996b480f4a83f4f41f48d6ea3d0851eabac3
1e4e8d883b61867fd095fc7751c978429eb000b6
466f694f2fdf5f40668f85e70315de821854cfb9
5b2c7c0930df378782becb814a8cee8837c86a8e
dc44a5b6fdf4ddcf216ad48c2e3f745a604d4f10
74f90d6b1a6f4373d1ad4093070d0b80b1410b76
65ff3ff171e97214b9b0585a4cf6913f07a0bb89
279bb102fe8be500cd487e87e1dd85b22153c322
0b5f8ac5b4d665b35a5a50bf3cca9def1c9c9f7c
ab9034dd8246b43290914014a261ea7625260ca2
b047ed0c87d517e2d5b600e5d1358d21c8b12439
5c1ab0b2697e6418b8aefc3bcee9bab7b41094b2
82606cd6f3140bc377f6177b6d813e659422e9e7
7ba4cad1a769f7fe7b3755fc80b39009a838d73e
528c950eff9e70b6063881b6c375fce9b2efea4b
39bba78a5d014bfc30a94cfbb630ea98e8ab0e00
1506b1c29bb02231628cbe7c9e319449ee9d4c34
501d5e76a82bafd265b5fd754d75fe3372479cb1
91d385abffb95ba5aab4dbc50b89c92d2316149d
d310714c22114c9dbf83ef57c7fdf0f94bb5c9a3
2052395dd89b56b3c99d2b270a9eade67d042c7f
e3cd9b3649fb152ea3310d9220c5461bad08a5f8
0e33a8d82fea2dc21adebe40c5c080069805c24b
8a6c15b431c41021feb3d030983634d6951ca55e
4f6e02bf1db79887947df43964bf4ced664a70ad
896eea26d352fadee91fcd2bfa81f3622e586fab
f1fad85fe183079b382eb5d59c7211de65890236
86e97e83ce4f63f613d1212a5cac3c370a4456b1
334361501a9e1eebcfb572e3179064cc403929fe
cb49059ab461ecf66c0b4ae47b25b9fb8aeb9214
e56da60d01b1b4546b3d92480f89cbf591e500f1
129772e049dc15ccc3806801475d5fabb0b4aa33
5bc46c831ef0fc19ee3a4d54f379b84bddc7446a
b0f9a83846baef02de7958be3c25ff7e8480d446
7f3d6f9d92598944b8940c44e05fa5565c67262a
5f72fd098f08787c42b7ea29c471f48beeb4a474
07e242da411326ea36b9d6bf286db636abe68f0e
d82e7716f486154602767351136f18e232f7b3cc
8ee28d96b29845c631554fb1f3171e74028fe47f
54fb144fe9ad68a65d2acd4c78e69753db8c19c6
07ace448a5c64d9409f31d9be6dfe581bbb6a7f1
b08fd85bcb209ae249807e296d362d92bd2faa8f
90d58c72bd792d683c17aacdcfa4646963ee5ff0
d46f0d1793bed59026cb517dc7056a51fca1d5cb
2c6b918ab92fb88f179edea773b2364aad262bde
1ca795a0cb9a169dc428b966db095bf34f1bd597
518e990f496317c79148f2fc00838a0ac3bca959
91faad4ef6ba401267a2ec94a14c5fe6075d8075
6a1549a49557fa1149b30d3a626f6833e673b229
61ec92dc0964118fc6ffb5e4afa3d2ac52b22b6a
2373c1ac1ef321d51ef2939df221f00510633778
8b947965d4f86b7bbb36fd181e93430ed47a8250
f3c36a069981964baeec92efa15416491516748e
0e53c4353a28404cd57c9726f5701ab80adc8562
8b363a630e55aaf507735ecbcb0d678906c065e4
1486a8a04b0fe7ba86b0378d7e9ee78c77cbe17f
6afc41b262ed2d308a89926c4f63139f26983d91
ff31503bd41dd76c8d965b6a6c3e9904aa78c373
4114e57a371f4d873d280257c8f396945b872c4b
c17bfba30011b01fa23cf5742c7d4026b42839e9
c73825d0b0131b505ee2b75f75d55c21ad1f2d05
49bcbcbb4d6130440064db6d1a0bd888891f3a8f
58bc0a4b7f1ec70e1d9e7a80dac6e85042cf7bc2
61fb0ba82c65734c6ed9b85b8dab4db72bd47fd0
e5ca4a51c80cca54d4484032268716cee139792b
6fbde5488035897f92c7996c631a1d7fb92824bd
9d3419c3068b7ae08049df83927fdf23cad3d223
5919475dc9026c527a016b226586d5bab30cac1e
cb044703b29b2d80775305ebb01027199542af1d
4ff8af7d54df3ee51f13f9dbc7c80a83a9c08153
543478fe985cd962f07e14bedd30660144382c54
33537398392db0d3352ae3ca9ff7d7df866a181c
033249c56e1b6a72d717aa64f1d09d107d6b67a2
473278c1301bcefd623b10ea88f1ff7627fe7c1e
fa32948c1d15ace180b5a9c7d80a1e0b25846d2a
106dc4a049265e49f5b39c0bf0dbb3793aa34a61
3eb78cd43b6feb5fdee396881ca46e84371918f3
999208d3afa8f6fcb2e20ce3dd068d5f0c48cf86
e9b12d2def935050fb8be3f1d3e0ab6713807f32
f7d6826afeafaae83a0164e8713c672e297eab6a
a203de481979f65ba4c3d0e4c079cafde55b7b40
a64c25ff09707d2cccd80335f662571fed024972
18bce6fc477d94d7c5a361ceec3b6f3353647e71
38ebe186f421df13a9e593a6a9f0f14b77cbaba7
2bf0e4224f85751fff4485e00e0d1fe13d5030bb
f01e4e19cf67ae9bcb939cdaacab78fac74fb56c
c9e54bbe242f4040758ef6c35a83de23fdb5c05e
88f824aeb3fab477b083de8b761535e284c2eb3e
89b9cb8b786c3e4eb8691b5363390b68d8228a2d
4056198f4c950b77569c247beaff1bbdf3acf8f5
a2a173d70ad4e9ea54b336ef9660897ea6ed58d6
3f376eeaa88237a15a523cbf1c11a75e20f3ffc8
a742af325f904396973bb274e5413c437dce487a
d3b491c31164c8ac6c9f4c0a35742684efe0d61d
ae6d74c9ef81b7fda5617948f4cc7b1be7c279a9
274f16103f69d98b9262575d043d84bb9a1b53eb
0cea7f53c01718ec1d5d86a415ca494e1899501f
74e65d7c06c5eda79105f43d87efcaec09dfbb77