From d2806fa77ce6b881afaed1c3426b0e34d0e7e9d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Sat, 13 Nov 2021 00:15:32 +0100
Subject: [PATCH] Fix IPA DC schannel support
Guenther
---
samba-4.13-ipa-dc-schannel.patch | 45 ++++++++++++++++++++++++++++++++
samba.spec | 6 ++++-
2 files changed, 50 insertions(+), 1 deletion(-)
create mode 100644 samba-4.13-ipa-dc-schannel.patch
diff --git a/samba-4.13-ipa-dc-schannel.patch b/samba-4.13-ipa-dc-schannel.patch
new file mode 100644
index 0000000..d315a5d
--- /dev/null
+++ b/samba-4.13-ipa-dc-schannel.patch
@@ -0,0 +1,45 @@
+From 3fc4d1d3998f3956a84c855cb60a9dcb335e1f59 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Fri, 12 Nov 2021 19:06:01 +0200
+Subject: [PATCH] IPA DC: add missing checks
+
+When introducing FreeIPA support, two places were forgotten:
+
+ - schannel gensec module needs to be aware of IPA DC
+ - _lsa_QueryInfoPolicy should treat IPA DC as PDC
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
+
+Signed-off-by: Alexander Bokovoy
+---
+ auth/gensec/schannel.c | 1 +
+ source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
+index 0cdae141ead..6ebbe8f3179 100644
+--- a/auth/gensec/schannel.c
++++ b/auth/gensec/schannel.c
+@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+ case ROLE_DOMAIN_BDC:
+ case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
++ case ROLE_IPA_DC:
+ return NT_STATUS_OK;
+ default:
+ return NT_STATUS_NOT_IMPLEMENTED;
+diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
+index 8d71b5252ab..ea92a22cbc9 100644
+--- a/source3/rpc_server/lsa/srv_lsa_nt.c
++++ b/source3/rpc_server/lsa/srv_lsa_nt.c
+@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
+ switch (lp_server_role()) {
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
++ case ROLE_IPA_DC:
+ name = get_global_sam_name();
+ sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
+ if (!sid) {
+--
+2.33.1
+
diff --git a/samba.spec b/samba.spec
index 5d09a31..f3b678a 100644
--- a/samba.spec
+++ b/samba.spec
@@ -8,7 +8,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%define main_release 1 +%define main_release 2 %define samba_version 4.13.14 %define talloc_version 2.3.1
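Review bot: The `case ROLE_IPA_DC:` added to the role switch in `schannel_server_start` extends a hand-maintained allow-list of server roles that may start a schannel server, and a similar list is repeated in `_lsa_QueryInfoPolicy`; since the commit message says two such places were forgotten, other `lp_server_role()` switches may have the same gap and are worth checking before this is carried as a downstream patch. Because this switch decides which roles accept secure-channel authentication, I would document the intent at the new label, for example `/* IPA DC accepts schannel like the other DC roles; keep in sync with the other lp_server_role() switches */`. On the visible lines the two lists also differ (`ROLE_ACTIVE_DIRECTORY_DC` appears only in schannel.c), which may be intentional but deserves a one-line comment in `_lsa_QueryInfoPolicy`. Both functions start and end outside the embedded hunks, and no regression test accompanies the change.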
@@ -137,6 +137,7 @@ Patch1: samba-s4u.patch # Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.13-redhat.patch Patch2: samba-4.13-redhat.patch Patch3: samba-4.13-fix-winbind-no-trusted-domain.patch +Patch4: samba-4.13-ipa-dc-schannel.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -3675,6 +3676,9 @@ fi %endif %changelog +* Sat Nov 13 2021 Guenther Deschner - 4.13.14-2 +- Fix IPA DC schannel support + * Thu Nov 11 2021 Guenther Deschner - 4.13.14-1 - Fix winbind trusted domain regression - related: #2021716