
Bug#1033661: marked as done (unblock: samba/2:4.17.7+dfsg-1)



Your message dated Thu, 30 Mar 2023 14:50:59 +0000
with message-id <E1phtcB-00FhJ4-VZ@respighi.debian.org>
and subject line unblock samba
has caused the Debian Bug report #1033661,
regarding unblock: samba/2:4.17.7+dfsg-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1033661: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033661
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: security@debian.org, pkg-samba-maint@lists.alioth.debian.org

Please unblock package samba

[ Reason ]
This is a stable security/bugfix release, fixing 3 CVE vulnerabilities
in samba AD-DC code. See the changelog entries below for more information.
The bug has been disclosed today.

[ Impact ]
This impacts samba running as an Active Directory Domain Controller,
which is quite an important role and is enabled on quite a few installs
worldwide. Since this is a security bugfix, we should provide a fixed
version as soon as possible.

[ Tests ]
The samba testsuite does an excellent job at catching regressions and
ensuring things stay as good as possible.

[ Risks ]
There's the usual risk of breaking something, though the testsuite
does a good job here.

[ Checklist ]
  [*] all changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in testing

[ Other info ]
Unfortunately there's quite a significant portion of the changes
in the debdiff which are only about manpage date/version, for every
manpage shipped. This is in docs/manpages/*.\d and in ctdb/doc/*.\d.
I'll remove the whole set of manpages from the upstream source in bookworm+,
since these are generated anyway, and we're DFSG'ifying the source
already to remove non-free bits.

unblock samba/2:4.17.7+dfsg-1


diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb.1 samba-4.17.7+dfsg/ctdb/doc/ctdb.1
--- samba-4.17.6+dfsg/ctdb/doc/ctdb.1	2023-03-09 12:19:07.539069200 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb.1	2023-03-29 16:24:24.408779900 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb.7 samba-4.17.7+dfsg/ctdb/doc/ctdb.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb.7	2023-03-09 12:19:09.990867100 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb.7	2023-03-29 16:24:27.108780100 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb.conf.5 samba-4.17.7+dfsg/ctdb/doc/ctdb.conf.5
--- samba-4.17.6+dfsg/ctdb/doc/ctdb.conf.5	2023-03-09 12:19:09.178933600 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb.conf.5	2023-03-29 16:24:26.204779900 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\&.CONF" "5" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\&.CONF" "5" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdbd.1 samba-4.17.7+dfsg/ctdb/doc/ctdbd.1
--- samba-4.17.6+dfsg/ctdb/doc/ctdbd.1	2023-03-09 12:19:07.823045500 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdbd.1	2023-03-29 16:24:24.688779800 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdbd
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDBD" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDBD" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb_diagnostics.1 samba-4.17.7+dfsg/ctdb/doc/ctdb_diagnostics.1
--- samba-4.17.6+dfsg/ctdb/doc/ctdb_diagnostics.1	2023-03-09 12:19:08.646977400 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb_diagnostics.1	2023-03-29 16:24:25.480780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb_diagnostics
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB_DIAGNOSTICS" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB_DIAGNOSTICS" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb-etcd.7 samba-4.17.7+dfsg/ctdb/doc/ctdb-etcd.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb-etcd.7	2023-03-09 12:19:10.762804500 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb-etcd.7	2023-03-29 16:24:28.020780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb-etcd
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\-ETCD" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\-ETCD" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb_mutex_ceph_rados_helper.7 samba-4.17.7+dfsg/ctdb/doc/ctdb_mutex_ceph_rados_helper.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb_mutex_ceph_rados_helper.7	2023-03-09 12:19:10.998785300 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb_mutex_ceph_rados_helper.7	2023-03-29 16:24:28.288780200 +0300
@@ -2,12 +2,12 @@
 .\"     Title: Ceph RADOS Mutex
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CEPH RADOS MUTEX" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CEPH RADOS MUTEX" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb-script.options.5 samba-4.17.7+dfsg/ctdb/doc/ctdb-script.options.5
--- samba-4.17.6+dfsg/ctdb/doc/ctdb-script.options.5	2023-03-09 12:19:09.454911000 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb-script.options.5	2023-03-29 16:24:26.536779900 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb-script.options
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\-SCRIPT\&.OPTIO" "5" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\-SCRIPT\&.OPTIO" "5" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb-statistics.7 samba-4.17.7+dfsg/ctdb/doc/ctdb-statistics.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb-statistics.7	2023-03-09 12:19:10.254845600 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb-statistics.7	2023-03-29 16:24:27.380780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb-statistics
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\-STATISTICS" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\-STATISTICS" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb.sysconfig.5 samba-4.17.7+dfsg/ctdb/doc/ctdb.sysconfig.5
--- samba-4.17.6+dfsg/ctdb/doc/ctdb.sysconfig.5	2023-03-09 12:19:09.714889800 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb.sysconfig.5	2023-03-29 16:24:26.816780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb.sysconfig
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\&.SYSCONFIG" "5" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\&.SYSCONFIG" "5" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb-tunables.7 samba-4.17.7+dfsg/ctdb/doc/ctdb-tunables.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb-tunables.7	2023-03-09 12:19:10.518824300 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb-tunables.7	2023-03-29 16:24:27.656780200 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb-tunables
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\-TUNABLES" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\-TUNABLES" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ltdbtool.1 samba-4.17.7+dfsg/ctdb/doc/ltdbtool.1
--- samba-4.17.6+dfsg/ctdb/doc/ltdbtool.1	2023-03-09 12:19:08.087023700 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ltdbtool.1	2023-03-29 16:24:24.980780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ltdbtool
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "LTDBTOOL" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "LTDBTOOL" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/onnode.1 samba-4.17.7+dfsg/ctdb/doc/onnode.1
--- samba-4.17.6+dfsg/ctdb/doc/onnode.1	2023-03-09 12:19:08.922954600 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/onnode.1	2023-03-29 16:24:25.856779800 +0300
@@ -2,12 +2,12 @@
 .\"     Title: onnode
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "ONNODE" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "ONNODE" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ping_pong.1 samba-4.17.7+dfsg/ctdb/doc/ping_pong.1
--- samba-4.17.6+dfsg/ctdb/doc/ping_pong.1	2023-03-09 12:19:08.339002800 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ping_pong.1	2023-03-29 16:24:25.236780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ping_pong
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "PING_PONG" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "PING_PONG" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/debian/changelog samba-4.17.7+dfsg/debian/changelog
--- samba-4.17.6+dfsg/debian/changelog	2023-03-09 12:52:14.000000000 +0300
+++ samba-4.17.7+dfsg/debian/changelog	2023-03-29 17:59:17.000000000 +0300
@@ -1,3 +1,25 @@
+samba (2:4.17.7+dfsg-1) unstable; urgency=high
+
+  * upstream stable/security/bugfix release, fixing the following issues:
+    o CVE-2023-0225: An incomplete access check on dnsHostName allows
+      authenticated but otherwise unprivileged users to delete this
+      attribute from any object in the directory.
+      https://www.samba.org/samba/security/CVE-2023-0225.html
+    o CVE-2023-0922: The Samba AD DC administration tool, when operating
+      against a remote LDAP server, will by default send new or reset
+      passwords over a signed-only connection.
+      https://www.samba.org/samba/security/CVE-2023-0922.html
+    o CVE-2023-0614: Fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+      Confidential attribute disclosure via LDAP filters was insufficient and
+      an attacker may be able to obtain confidential BitLocker recovery keys
+      from a Samba AD DC.  Installations with such secrets in their Samba AD
+      should assume they have been obtained and need replacing.
+      https://www.samba.org/samba/security/CVE-2023-0614.html
+    Closes: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614
+  * update libldb symbols and versions
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 29 Mar 2023 17:59:17 +0300
+
 samba (2:4.17.6+dfsg-1) unstable; urgency=medium
 
   * new upstream stable/bugfix release 4.17.6:
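Review bot: The "Closes: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614" line in the new entry uses the changelog field that the BTS reads for bug numbers, and CVE identifiers are not bug numbers, so nothing is closed by it. The CVE ids already appear in each bullet; drop the Closes: line or replace it with the matching #NNNNNN bug references if any exist. The CVE-2023-0614 bullet is also the only one that asks administrators to act after upgrading (replace BitLocker recovery keys held in the Samba AD), so repeating that instruction in debian/NEWS would make it harder to miss than a changelog bullet.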
diff -Nru samba-4.17.6+dfsg/debian/libldb2.symbols samba-4.17.7+dfsg/debian/libldb2.symbols
--- samba-4.17.6+dfsg/debian/libldb2.symbols	2023-03-09 12:37:58.000000000 +0300
+++ samba-4.17.7+dfsg/debian/libldb2.symbols	2023-03-29 17:59:17.000000000 +0300
@@ -78,6 +78,7 @@
  LDB_2.5.0@LDB_2.5.0 2:2.5.0
  LDB_2.6.0@LDB_2.6.0 2:2.6.0
  LDB_2.6.1@LDB_2.6.1 2:2.6.1
+ LDB_2.6.2@LDB_2.6.2 2:2.6.2
  ldb_check_critical_controls@LDB_0.9.22 0.9.22
  ldb_controls_except_specified@LDB_0.9.22 0.9.22
  ldb_control_to_string@LDB_1.0.2 1.0.2~git20110403
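Review bot: The new LDB_2.6.2@LDB_2.6.2 node added after LDB_2.6.1 shows the bundled ldb moving to 2.6.2 in a security upload, while the changelog entry only says "update libldb symbols and versions". Naming the 2.6.1 to 2.6.2 bump there, and noting that the hunks below add new exported ldb_* functions pinned to 2:2.6.2, would tell the release team why a CVE fix changes the library's public symbol set.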
@@ -167,6 +168,7 @@
  ldb_extended@LDB_0.9.10 0.9.21
  ldb_extended_default_callback@LDB_0.9.10 0.9.21
  ldb_filter_attrs@LDB_2.0.1 2:2.0.1
+ ldb_filter_attrs_in_place@LDB_2.6.2 2:2.6.2
  ldb_filter_from_tree@LDB_0.9.10 0.9.21
  ldb_get_config_basedn@LDB_0.9.10 0.9.21
  ldb_get_create_perms@LDB_0.9.10 0.9.21
@@ -206,6 +208,7 @@
  ldb_match_msg@LDB_0.9.10 0.9.21
  ldb_match_msg_error@LDB_0.9.15 0.9.21
  ldb_match_msg_objectclass@LDB_0.9.10 0.9.21
+ ldb_match_scope@LDB_2.6.2 2:2.6.2
  ldb_mod_register_control@LDB_0.9.10 0.9.21
  ldb_modify@LDB_0.9.10 0.9.21
  ldb_modify_default_callback@LDB_0.9.12 0.9.21
@@ -230,6 +233,7 @@
  ldb_modules_list_from_string@LDB_0.9.10 0.9.21
  ldb_modules_load@LDB_0.9.18 0.9.21
  ldb_msg_add@LDB_0.9.10 0.9.21
+ ldb_msg_add_distinguished_name@LDB_2.6.2 2:2.6.2
  ldb_msg_add_empty@LDB_0.9.10 0.9.21
  ldb_msg_add_fmt@LDB_0.9.10 0.9.21
  ldb_msg_add_linearized_dn@LDB_0.9.10 0.9.21
@@ -255,6 +259,9 @@
  ldb_msg_element_compare@LDB_0.9.10 0.9.21
  ldb_msg_element_compare_name@LDB_0.9.10 0.9.21
  ldb_msg_element_equal_ordered@LDB_1.1.6 1:1.1.6
+ ldb_msg_element_is_inaccessible@LDB_2.6.2 2:2.6.2
+ ldb_msg_element_mark_inaccessible@LDB_2.6.2 2:2.6.2
+ ldb_msg_elements_take_ownership@LDB_2.6.2 2:2.6.2
  ldb_msg_find_attr_as_bool@LDB_0.9.10 0.9.21
  ldb_msg_find_attr_as_dn@LDB_0.9.10 0.9.21
  ldb_msg_find_attr_as_double@LDB_0.9.10 0.9.21
@@ -272,8 +279,10 @@
  ldb_msg_normalize@LDB_0.9.15 0.9.21
  ldb_msg_remove_attr@LDB_0.9.10 0.9.21
  ldb_msg_remove_element@LDB_0.9.10 0.9.21
+ ldb_msg_remove_inaccessible@LDB_2.6.2 2:2.6.2
  ldb_msg_rename_attr@LDB_0.9.10 0.9.21
  ldb_msg_sanity_check@LDB_0.9.10 0.9.21
+ ldb_msg_shrink_to_fit@LDB_2.6.2 2:2.6.2
  ldb_msg_sort_elements@LDB_0.9.10 0.9.21
  ldb_next_del_trans@LDB_0.9.10 0.9.21
  ldb_next_end_trans@LDB_0.9.10 0.9.21
@@ -294,12 +303,14 @@
  ldb_parse_tree@LDB_0.9.10 0.9.21
  ldb_parse_tree_attr_replace@LDB_0.9.10 0.9.21
  ldb_parse_tree_copy_shallow@LDB_0.9.10 0.9.21
+ ldb_parse_tree_get_attr@LDB_2.6.2 2:2.6.2
  ldb_parse_tree_walk@LDB_1.1.2 1.1.2~
  ldb_qsort@LDB_0.9.10 0.9.21
  ldb_register_backend@LDB_0.9.10 0.9.21
  ldb_register_extended_match_rule@LDB_1.1.19 1:1.1.20
  ldb_register_hook@LDB_0.9.18 0.9.21
  ldb_register_module@LDB_0.9.10 0.9.21
+ ldb_register_redact_callback@LDB_2.6.2 2:2.6.2
  ldb_rename@LDB_0.9.10 0.9.21
  ldb_reply_add_control@LDB_0.9.10 0.9.21
  ldb_reply_get_control@LDB_0.9.10 0.9.21
diff -Nru samba-4.17.6+dfsg/debian/python3-ldb.symbols.in samba-4.17.7+dfsg/debian/python3-ldb.symbols.in
--- samba-4.17.6+dfsg/debian/python3-ldb.symbols.in	2023-03-09 12:37:58.000000000 +0300
+++ samba-4.17.7+dfsg/debian/python3-ldb.symbols.in	2023-03-29 17:59:17.000000000 +0300
@@ -61,6 +61,7 @@
  PYLDB_UTIL_2.5.0@PYLDB_UTIL_2.5.0 2:2.5.0
  PYLDB_UTIL_2.6.0@PYLDB_UTIL_2.6.0 2:2.6.0
  PYLDB_UTIL_2.6.1@PYLDB_UTIL_2.6.1 2:2.6.1
+ PYLDB_UTIL_2.6.2@PYLDB_UTIL_2.6.2 2:2.6.2
  pyldb_Dn_FromDn@PYLDB_UTIL_1.1.2 2:2.0.7
  pyldb_Object_AsDn@PYLDB_UTIL_1.1.2 2:2.0.7
  pyldb_check_type@PYLDB_UTIL_2.1.0 2:2.1.0
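Review bot: PYLDB_UTIL_2.6.2 is added here as a version node only, with no new pyldb_* symbol pinned to it in this hunk. That is consistent with how the 2.6.0 and 2.6.1 nodes above are listed, but it is worth saying in d/changelog that the python3-ldb symbols file was bumped in step with libldb2.symbols, so the two files are visibly kept in sync.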
diff -Nru samba-4.17.6+dfsg/docs/manpages/cifsdd.8 samba-4.17.7+dfsg/docs/manpages/cifsdd.8
--- samba-4.17.6+dfsg/docs/manpages/cifsdd.8	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/cifsdd.8	2023-03-29 16:24:29.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: cifsdd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "CIFSDD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "CIFSDD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/dbwrap_tool.1 samba-4.17.7+dfsg/docs/manpages/dbwrap_tool.1
--- samba-4.17.6+dfsg/docs/manpages/dbwrap_tool.1	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/dbwrap_tool.1	2023-03-29 16:24:29.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: dbwrap_tool
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "DBWRAP_TOOL" "1" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "DBWRAP_TOOL" "1" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -317,7 +317,7 @@
 Use with caution!
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/eventlogadm.8 samba-4.17.7+dfsg/docs/manpages/eventlogadm.8
--- samba-4.17.6+dfsg/docs/manpages/eventlogadm.8	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/eventlogadm.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: eventlogadm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "EVENTLOGADM" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "EVENTLOGADM" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -339,7 +339,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_ad.8 samba-4.17.7+dfsg/docs/manpages/idmap_ad.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_ad.8	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_ad.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_ad
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_AD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_AD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_autorid.8 samba-4.17.7+dfsg/docs/manpages/idmap_autorid.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_autorid.8	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_autorid.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_autorid
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_AUTORID" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_AUTORID" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_hash.8 samba-4.17.7+dfsg/docs/manpages/idmap_hash.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_hash.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_hash.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_hash
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_HASH" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_HASH" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_ldap.8 samba-4.17.7+dfsg/docs/manpages/idmap_ldap.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_ldap.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_ldap.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_ldap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_LDAP" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_LDAP" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_nss.8 samba-4.17.7+dfsg/docs/manpages/idmap_nss.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_nss.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_nss.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_nss
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_NSS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_NSS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_rfc2307.8 samba-4.17.7+dfsg/docs/manpages/idmap_rfc2307.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_rfc2307.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_rfc2307.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_rfc2307
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_RFC2307" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_RFC2307" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_rid.8 samba-4.17.7+dfsg/docs/manpages/idmap_rid.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_rid.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_rid.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_rid
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_RID" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_RID" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_script.8 samba-4.17.7+dfsg/docs/manpages/idmap_script.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_script.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_script.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_script
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_SCRIPT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_SCRIPT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_tdb2.8 samba-4.17.7+dfsg/docs/manpages/idmap_tdb2.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_tdb2.8	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_tdb2.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_tdb2
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_TDB2" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_TDB2" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_tdb.8 samba-4.17.7+dfsg/docs/manpages/idmap_tdb.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_tdb.8	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_tdb.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_tdb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_TDB" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_TDB" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/libsmbclient.7 samba-4.17.7+dfsg/docs/manpages/libsmbclient.7
--- samba-4.17.6+dfsg/docs/manpages/libsmbclient.7	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/libsmbclient.7	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: libsmbclient
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 7
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "LIBSMBCLIENT" "7" "03/09/2023" "Samba 4\&.17\&.6" "7"
+.TH "LIBSMBCLIENT" "7" "03/29/2023" "Samba 4\&.17\&.7" "7"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -86,7 +86,7 @@
 Watch this space for future updates\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
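Review bot: the only change in this hunk is the release number in the VERSION section, and the header hunk above it likewise touches only the Date, Source and .TH stamps written by the DocBook generator. Since these pages are regenerated output, producing the debdiff with docs/manpages filtered out, or listing the stamp-only files once in the request, would leave the code changes behind the security fixes easier to audit.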
diff -Nru samba-4.17.6+dfsg/docs/manpages/lmhosts.5 samba-4.17.7+dfsg/docs/manpages/lmhosts.5
--- samba-4.17.6+dfsg/docs/manpages/lmhosts.5	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/lmhosts.5	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: lmhosts
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: File Formats and Conventions
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "LMHOSTS" "5" "03/09/2023" "Samba 4\&.17\&.6" "File Formats and Conventions"
+.TH "LMHOSTS" "5" "03/29/2023" "Samba 4\&.17\&.7" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -112,7 +112,7 @@
 /usr/local/samba/lib\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbclient\fR(1),
diff -Nru samba-4.17.6+dfsg/docs/manpages/log2pcap.1 samba-4.17.7+dfsg/docs/manpages/log2pcap.1
--- samba-4.17.6+dfsg/docs/manpages/log2pcap.1	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/log2pcap.1	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: log2pcap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "LOG2PCAP" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "LOG2PCAP" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -107,7 +107,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "BUGS"
 .PP
 Only SMB data is extracted from the samba logs, no LDAP, NetBIOS lookup or other data\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/mdsearch.1 samba-4.17.7+dfsg/docs/manpages/mdsearch.1
--- samba-4.17.6+dfsg/docs/manpages/mdsearch.1	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/mdsearch.1	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: mdsearch
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "MDSEARCH" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "MDSEARCH" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -349,7 +349,7 @@
 https://developer\&.apple\&.com/library/archive/documentation/Carbon/Conceptual/SpotlightQuery/Concepts/Introduction\&.html
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/mvxattr.1 samba-4.17.7+dfsg/docs/manpages/mvxattr.1
--- samba-4.17.6+dfsg/docs/manpages/mvxattr.1	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/mvxattr.1	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: mvxattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "MVXATTR" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "MVXATTR" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -76,7 +76,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/net.8 samba-4.17.7+dfsg/docs/manpages/net.8
--- samba-4.17.6+dfsg/docs/manpages/net.8	2023-03-09 12:19:15.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/net.8	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: net
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "NET" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "NET" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/nmbd.8 samba-4.17.7+dfsg/docs/manpages/nmbd.8
--- samba-4.17.6+dfsg/docs/manpages/nmbd.8	2023-03-09 12:19:15.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/nmbd.8	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: nmbd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "NMBD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "NMBD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -288,7 +288,7 @@
 (SIGUSR[1|2] signals are no longer used since Samba 2\&.2)\&. This is to allow transient problems to be diagnosed, whilst still running at a normally low log level\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBinetd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/nmblookup.1 samba-4.17.7+dfsg/docs/manpages/nmblookup.1
--- samba-4.17.6+dfsg/docs/manpages/nmblookup.1	2023-03-09 12:19:15.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/nmblookup.1	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: nmblookup
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "NMBLOOKUP" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "NMBLOOKUP" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -330,7 +330,7 @@
 would query the WINS server samba\&.org for the domain master browser (1B name type) for the IRIX workgroup\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBnmbd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/ntlm_auth.1 samba-4.17.7+dfsg/docs/manpages/ntlm_auth.1
--- samba-4.17.6+dfsg/docs/manpages/ntlm_auth.1	2023-03-09 12:19:15.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/ntlm_auth.1	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ntlm_auth
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "NTLM_AUTH" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "NTLM_AUTH" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -450,7 +450,7 @@
 the Microsoft Knowledge Base article #239869 and follow instructions described there\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/pam_winbind.8 samba-4.17.7+dfsg/docs/manpages/pam_winbind.8
--- samba-4.17.6+dfsg/docs/manpages/pam_winbind.8	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/pam_winbind.8	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: pam_winbind
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 8
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "PAM_WINBIND" "8" "03/09/2023" "Samba 4\&.17\&.6" "8"
+.TH "PAM_WINBIND" "8" "03/29/2023" "Samba 4\&.17\&.7" "8"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -210,7 +210,7 @@
 \fBsmb.conf\fR(5)
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of Samba\&.
+This man page is part of version 4\&.17\&.7 of Samba\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/pam_winbind.conf.5 samba-4.17.7+dfsg/docs/manpages/pam_winbind.conf.5
--- samba-4.17.6+dfsg/docs/manpages/pam_winbind.conf.5	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/pam_winbind.conf.5	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: pam_winbind.conf
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 5
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "PAM_WINBIND\&.CONF" "5" "03/09/2023" "Samba 4\&.17\&.6" "5"
+.TH "PAM_WINBIND\&.CONF" "5" "03/29/2023" "Samba 4\&.17\&.7" "5"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -153,7 +153,7 @@
 \fBsmb.conf\fR(5)
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of Samba\&.
+This man page is part of version 4\&.17\&.7 of Samba\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/pdbedit.8 samba-4.17.7+dfsg/docs/manpages/pdbedit.8
--- samba-4.17.6+dfsg/docs/manpages/pdbedit.8	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/pdbedit.8	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: pdbedit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "PDBEDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "PDBEDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -635,7 +635,7 @@
 This command may be used only by root\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbpasswd\fR(5),
diff -Nru samba-4.17.6+dfsg/docs/manpages/profiles.1 samba-4.17.7+dfsg/docs/manpages/profiles.1
--- samba-4.17.6+dfsg/docs/manpages/profiles.1	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/profiles.1	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: profiles
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "PROFILES" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "PROFILES" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -128,7 +128,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/rpcclient.1 samba-4.17.7+dfsg/docs/manpages/rpcclient.1
--- samba-4.17.6+dfsg/docs/manpages/rpcclient.1	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/rpcclient.1	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: rpcclient
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "RPCCLIENT" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "RPCCLIENT" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -1958,7 +1958,7 @@
 that are incompatible for some commands or services\&. Additionally, the developers are sending reports to Microsoft, and problems found or reported to Microsoft are fixed in Service Packs, which may result in incompatibilities\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba.7 samba-4.17.7+dfsg/docs/manpages/samba.7
--- samba-4.17.6+dfsg/docs/manpages/samba.7	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba.7	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: Miscellanea
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA" "7" "03/09/2023" "Samba 4\&.17\&.6" "Miscellanea"
+.TH "SAMBA" "7" "03/29/2023" "Samba 4\&.17\&.7" "Miscellanea"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -231,7 +231,7 @@
 you can find a lot of information in the archives and you can subscribe to the samba list and ask for help or discuss things\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "CONTRIBUTIONS"
 .PP
 If you wish to contribute to the Samba project, then I suggest you join the Samba mailing list at
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba.8 samba-4.17.7+dfsg/docs/manpages/samba.8
--- samba-4.17.6+dfsg/docs/manpages/samba.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba.8	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -239,7 +239,7 @@
 Most messages are reasonably self\-explanatory\&. Unfortunately, at the time this man page was created, there are too many diagnostics available in the source code to warrant describing each and every diagnostic\&. At this stage your best bet is still to grep the source code and inspect the conditions that gave rise to the diagnostics you are seeing\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBhosts_access\fR(5)
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba-bgqd.8 samba-4.17.7+dfsg/docs/manpages/samba-bgqd.8
--- samba-4.17.6+dfsg/docs/manpages/samba-bgqd.8	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba-bgqd.8	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba-bgqd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA\-BGQD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA\-BGQD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba-dcerpcd.8 samba-4.17.7+dfsg/docs/manpages/samba-dcerpcd.8
--- samba-4.17.6+dfsg/docs/manpages/samba-dcerpcd.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba-dcerpcd.8	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba-dcerpcd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA\-DCERPCD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA\-DCERPCD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba_downgrade_db.8 samba-4.17.7+dfsg/docs/manpages/samba_downgrade_db.8
--- samba-4.17.6+dfsg/docs/manpages/samba_downgrade_db.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba_downgrade_db.8	2023-03-29 16:24:36.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba_downgrade_db
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA_DOWNGRADE_DB" "8" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SAMBA_DOWNGRADE_DB" "8" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -42,7 +42,7 @@
 \fIbefore\fR
 the Samba packages can be safely downgraded\&.
 .PP
-This tool downgrades a Samba sam\&.ldb database from the format used in version 4\&.17\&.6 to that of version 4\&.7\&. The v4\&.7 database format can safely be read by any version of Samba\&. If necessary, later versions of Samba will repack and reconfigure a v4\&.7\-format database when the samba executable is first started\&.
+This tool downgrades a Samba sam\&.ldb database from the format used in version 4\&.17\&.7 to that of version 4\&.7\&. The v4\&.7 database format can safely be read by any version of Samba\&. If necessary, later versions of Samba will repack and reconfigure a v4\&.7\-format database when the samba executable is first started\&.
 .PP
 Note that all Samba services must be stopped on the DC before running this tool\&. Once the tool has run, do not restart samba or modify the database before the Samba software package has been downgraded\&.
 .SH "OPTIONS"
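Review bot: in the description sentence changed at line 42, the release number is substituted into a statement about the sam.ldb format ("the format used in version 4.17.7"), so every point release rewrites it and it reads as if the on-disk format were specific to this release. Wording it as the format used by the installed version would keep the sentence stable across security updates and avoid suggesting a database format change where the hunk shows only a version bump.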
@@ -58,7 +58,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is complete for version 4\&.17\&.6 of the Samba suite\&.
+This man page is complete for version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba-regedit.8 samba-4.17.7+dfsg/docs/manpages/samba-regedit.8
--- samba-4.17.6+dfsg/docs/manpages/samba-regedit.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba-regedit.8	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba-regedit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA\-REGEDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA\-REGEDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -365,7 +365,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba-tool.8 samba-4.17.7+dfsg/docs/manpages/samba-tool.8
--- samba-4.17.6+dfsg/docs/manpages/samba-tool.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba-tool.8	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba-tool
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA\-TOOL" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA\-TOOL" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -1196,7 +1196,7 @@
 Gives usage information\&.
 .SH "VERSION"
 .PP
-This man page is complete for version 4\&.17\&.6 of the Samba suite\&.
+This man page is complete for version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/sharesec.1 samba-4.17.7+dfsg/docs/manpages/sharesec.1
--- samba-4.17.6+dfsg/docs/manpages/sharesec.1	2023-03-09 12:19:18.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/sharesec.1	2023-03-29 16:24:36.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: sharesec
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SHARESEC" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SHARESEC" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -358,7 +358,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbcacls.1 samba-4.17.7+dfsg/docs/manpages/smbcacls.1
--- samba-4.17.6+dfsg/docs/manpages/smbcacls.1	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbcacls.1	2023-03-29 16:24:38.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbcacls
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBCACLS" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBCACLS" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -1033,7 +1033,7 @@
 couldn\*(Aqt connect to the specified server, or there was an error getting or setting the ACLs, an exit status of 1 is returned\&. If there was an error parsing any command line arguments, an exit status of 2 is returned\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbclient.1 samba-4.17.7+dfsg/docs/manpages/smbclient.1
--- samba-4.17.6+dfsg/docs/manpages/smbclient.1	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbclient.1	2023-03-29 16:24:38.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbclient
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBCLIENT" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBCLIENT" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -1247,7 +1247,7 @@
 The number and nature of diagnostics available depends on the debug level used by the client\&. If you have problems, set the debug level to 3 and peruse the log files\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smb.conf.5 samba-4.17.7+dfsg/docs/manpages/smb.conf.5
--- samba-4.17.6+dfsg/docs/manpages/smb.conf.5	2023-03-09 12:19:19.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smb.conf.5	2023-03-29 16:24:37.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smb.conf
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: File Formats and Conventions
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMB\&.CONF" "5" "03/09/2023" "Samba 4\&.17\&.6" "File Formats and Conventions"
+.TH "SMB\&.CONF" "5" "03/29/2023" "Samba 4\&.17\&.7" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -2145,20 +2145,24 @@
 \fIseal\fR
 are only available if Samba has been compiled against a modern OpenLDAP version (2\&.3\&.x or higher)\&.
 .sp
-This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "HKLM\eSystem\eCurrentControlSet\eServices\e
-NTDS\eParameters\eLDAPServerIntegrity" on the Windows server side\&.
+This option is needed firstly to secure the privacy of administrative connections from
+samba\-tool, including in particular new or reset passwords for users\&. For this reason the default is
+\fIseal\fR\&.
 .sp
-Depending on the used KRB5 library (MIT and older Heimdal versions) it is possible that the message "integrity only" is not supported\&. In this case,
+Additionally,
+winbindd
+and the
+net
+tool can use LDAP to communicate with Domain Controllers, so this option also controls the level of privacy for those connections\&. All supported AD DC versions will enforce the usage of at least signed LDAP connections by default, so a value of at least
 \fIsign\fR
-is just an alias for
-\fIseal\fR\&.
+is required in practice\&.
 .sp
 The default value is
-\fIsign\fR\&. That implies synchronizing the time with the KDC in the case of using
+\fIseal\fR\&. That implies synchronizing the time with the KDC in the case of using
 \fIKerberos\fR\&.
 .sp
 Default:
-\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fIsign\fR\fI \fR
+\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fIseal\fR\fI \fR
 .RE
 
 client max protocol (G)
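Review bot: the default for client ldap sasl wrapping changes from sign to seal here, but the new text does not say what this means for an smb.conf that already sets the option explicitly. The new first paragraph gives the motivation as protecting new or reset passwords sent by samba-tool, so it should state whether an explicit sign setting is still honoured and what protection those connections then have. That tells admins to check their configuration after the upgrade. The hunk also removes the remark that with some KRB5 libraries sign is just an alias for seal, along with the LDAPServerIntegrity registry key pointer; if the alias behaviour still applies, a sentence about it should remain. As a wording point, "This option is needed firstly to secure the privacy" reads awkwardly, and something like "This option primarily protects the confidentiality of" would be clearer.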
@@ -14509,7 +14513,7 @@
 special sections make life for an administrator easy, but the various combinations of default attributes can be tricky\&. Take extreme care when designing these sections\&. In particular, ensure that the permissions on spool directories are correct\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsamba\fR(7),
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbcontrol.1 samba-4.17.7+dfsg/docs/manpages/smbcontrol.1
--- samba-4.17.6+dfsg/docs/manpages/smbcontrol.1	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbcontrol.1	2023-03-29 16:24:38.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbcontrol
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBCONTROL" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBCONTROL" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -332,7 +332,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBnmbd\fR(8)
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbcquotas.1 samba-4.17.7+dfsg/docs/manpages/smbcquotas.1
--- samba-4.17.6+dfsg/docs/manpages/smbcquotas.1	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbcquotas.1	2023-03-29 16:24:38.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbcquotas
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBCQUOTAS" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBCQUOTAS" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -431,7 +431,7 @@
 couldn\*(Aqt connect to the specified server, or when there was an error getting or setting the quota(s), an exit status of 1 is returned\&. If there was an error parsing any command line arguments, an exit status of 2 is returned\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbd.8 samba-4.17.7+dfsg/docs/manpages/smbd.8
--- samba-4.17.6+dfsg/docs/manpages/smbd.8	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbd.8	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SMBD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -260,7 +260,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "DIAGNOSTICS"
 .PP
 Most diagnostics issued by the server are logged in a specified log file\&. The log file name is specified at compile time, but may be overridden on the command line\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbget.1 samba-4.17.7+dfsg/docs/manpages/smbget.1
--- samba-4.17.6+dfsg/docs/manpages/smbget.1	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbget.1	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbget
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBGET" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBGET" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -189,7 +189,7 @@
 Permission denied is returned in some cases where the cause of the error is unknown (such as an illegally formatted smb:// url or trying to get a directory without \-R turned on)\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbgetrc.5 samba-4.17.7+dfsg/docs/manpages/smbgetrc.5
--- samba-4.17.6+dfsg/docs/manpages/smbgetrc.5	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbgetrc.5	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbgetrc
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: File Formats and Conventions
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBGETRC" "5" "03/09/2023" "Samba 4\&.17\&.6" "File Formats and Conventions"
+.TH "SMBGETRC" "5" "03/29/2023" "Samba 4\&.17\&.7" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -87,7 +87,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbget\fR(1)
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbpasswd.5 samba-4.17.7+dfsg/docs/manpages/smbpasswd.5
--- samba-4.17.6+dfsg/docs/manpages/smbpasswd.5	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbpasswd.5	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbpasswd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: File Formats and Conventions
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBPASSWD" "5" "03/09/2023" "Samba 4\&.17\&.6" "File Formats and Conventions"
+.TH "SMBPASSWD" "5" "03/29/2023" "Samba 4\&.17\&.7" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -165,7 +165,7 @@
 All other colon separated fields are ignored at this time\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbpasswd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbpasswd.8 samba-4.17.7+dfsg/docs/manpages/smbpasswd.8
--- samba-4.17.6+dfsg/docs/manpages/smbpasswd.8	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbpasswd.8	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbpasswd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBPASSWD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SMBPASSWD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -314,7 +314,7 @@
 In addition, the smbpasswd command is only useful if Samba has been set up to use encrypted passwords\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbpasswd\fR(5),
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbspool.8 samba-4.17.7+dfsg/docs/manpages/smbspool.8
--- samba-4.17.6+dfsg/docs/manpages/smbspool.8	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbspool.8	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbspool
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBSPOOL" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SMBSPOOL" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -173,7 +173,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8)
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbspool_krb5_wrapper.8 samba-4.17.7+dfsg/docs/manpages/smbspool_krb5_wrapper.8
--- samba-4.17.6+dfsg/docs/manpages/smbspool_krb5_wrapper.8	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbspool_krb5_wrapper.8	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbspool_krb5_wrapper
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBSPOOL_KRB5_WRAPPE" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SMBSPOOL_KRB5_WRAPPE" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
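Review bot: the .TH title in this hunk reads "SMBSPOOL_KRB5_WRAPPE" on both the removed and the added line, while the Title comment above it says smbspool_krb5_wrapper, so the page header loses its final letter. This update does not introduce the truncation and it is not a blocker for the unblock, but it is worth fixing where the man page is generated rather than carrying it through each version bump.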
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbstatus.1 samba-4.17.7+dfsg/docs/manpages/smbstatus.1
--- samba-4.17.6+dfsg/docs/manpages/smbstatus.1	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbstatus.1	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbstatus
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBSTATUS" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBSTATUS" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -483,7 +483,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8)
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbtar.1 samba-4.17.7+dfsg/docs/manpages/smbtar.1
--- samba-4.17.6+dfsg/docs/manpages/smbtar.1	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbtar.1	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbtar
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBTAR" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBTAR" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -145,7 +145,7 @@
 command\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbtree.1 samba-4.17.7+dfsg/docs/manpages/smbtree.1
--- samba-4.17.6+dfsg/docs/manpages/smbtree.1	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbtree.1	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbtree
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBTREE" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBTREE" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -244,7 +244,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/testparm.1 samba-4.17.7+dfsg/docs/manpages/testparm.1
--- samba-4.17.6+dfsg/docs/manpages/testparm.1	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/testparm.1	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: testparm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "TESTPARM" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "TESTPARM" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -184,7 +184,7 @@
 For certain use cases, SMB protocol requires use of cryptographic algorithms which are known to be weak and already broken\&. DES and ARCFOUR (RC4) ciphers and the SHA1 and MD5 hash algorithms are considered weak but they are required for backward compatibility\&. The testparm utility shows whether the Samba tools will fall back to these weak crypto algorithms if it is not possible to use strong cryptography by default\&. In FIPS mode weak crypto cannot be enabled\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmb.conf\fR(5),
diff -Nru samba-4.17.6+dfsg/docs/manpages/traffic_learner.7 samba-4.17.7+dfsg/docs/manpages/traffic_learner.7
--- samba-4.17.6+dfsg/docs/manpages/traffic_learner.7	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/traffic_learner.7	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: traffic_learner
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "TRAFFIC_LEARNER" "7" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "TRAFFIC_LEARNER" "7" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -115,7 +115,7 @@
 The other special packet is "\-", which represents the limit of the conversation\&. In the example, this indicates that one observed conversation ended after this particular ngram\&. This special opcode is also used at the beginning of conversations, which are indicated by the ngram "\-\et\-"\&.
 .SH "VERSION"
 .PP
-This man page is complete for version 4\&.17\&.6 of the Samba suite\&.
+This man page is complete for version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBtraffic_replay\fR(7)\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/traffic_replay.7 samba-4.17.7+dfsg/docs/manpages/traffic_replay.7
--- samba-4.17.6+dfsg/docs/manpages/traffic_replay.7	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/traffic_replay.7	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: traffic_replay
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "TRAFFIC_REPLAY" "7" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "TRAFFIC_REPLAY" "7" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -367,7 +367,7 @@
 The users created by the test will have names like STGU\-0\-xyz\&. The groups generated have names like STGG\-0\-xyz\&.
 .SH "VERSION"
 .PP
-This man page is complete for version 4\&.17\&.6 of the Samba suite\&.
+This man page is complete for version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBtraffic_learner\fR(7)\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_acl_tdb.8 samba-4.17.7+dfsg/docs/manpages/vfs_acl_tdb.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_acl_tdb.8	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_acl_tdb.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_acl_tdb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_ACL_TDB" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_ACL_TDB" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_acl_xattr.8 samba-4.17.7+dfsg/docs/manpages/vfs_acl_xattr.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_acl_xattr.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_acl_xattr.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_acl_xattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_ACL_XATTR" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_ACL_XATTR" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_aio_fork.8 samba-4.17.7+dfsg/docs/manpages/vfs_aio_fork.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_aio_fork.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_aio_fork.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_aio_fork
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_AIO_FORK" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_AIO_FORK" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -62,7 +62,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_aio_pthread.8 samba-4.17.7+dfsg/docs/manpages/vfs_aio_pthread.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_aio_pthread.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_aio_pthread.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_aio_pthread
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_AIO_PTHREAD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_AIO_PTHREAD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -75,7 +75,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_audit.8 samba-4.17.7+dfsg/docs/manpages/vfs_audit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_audit.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_audit.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_AUDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_AUDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -112,7 +112,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_btrfs.8 samba-4.17.7+dfsg/docs/manpages/vfs_btrfs.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_btrfs.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_btrfs.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_btrfs
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_BTRFS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_BTRFS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -103,7 +103,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_cacheprime.8 samba-4.17.7+dfsg/docs/manpages/vfs_cacheprime.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_cacheprime.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_cacheprime.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_cacheprime
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CACHEPRIME" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CACHEPRIME" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -115,7 +115,7 @@
 is not a substitute for a general\-purpose readahead mechanism\&. It is intended for use only in very specific environments where disk operations must be aligned and sized to known values (as much as that is possible)\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_cap.8 samba-4.17.7+dfsg/docs/manpages/vfs_cap.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_cap.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_cap.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_cap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CAP" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CAP" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -63,7 +63,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_catia.8 samba-4.17.7+dfsg/docs/manpages/vfs_catia.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_catia.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_catia.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_catia
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CATIA" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CATIA" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
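Review bot: vfs_catia.8 gets only this header hunk, so unlike the neighbouring pages no "This man page is part of version 4\&.17\&.6 of the Samba suite" line is bumped in its body. Check whether the page lacks a VERSION section or carries a version string that is not taken from the release, and fix that in the DocBook source rather than in the generated page. The same single-hunk pattern is visible further down for vfs_fruit.8 and vfs_nfs4acl_xattr.8.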
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_ceph.8 samba-4.17.7+dfsg/docs/manpages/vfs_ceph.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_ceph.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_ceph.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_ceph
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CEPH" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CEPH" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -109,7 +109,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_ceph_snapshots.8 samba-4.17.7+dfsg/docs/manpages/vfs_ceph_snapshots.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_ceph_snapshots.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_ceph_snapshots.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_ceph_snapshots
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CEPH_SNAPSHOTS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CEPH_SNAPSHOTS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -107,7 +107,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_commit.8 samba-4.17.7+dfsg/docs/manpages/vfs_commit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_commit.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_commit.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_commit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_COMMIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_COMMIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -116,7 +116,7 @@
 may reduce performance\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_crossrename.8 samba-4.17.7+dfsg/docs/manpages/vfs_crossrename.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_crossrename.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_crossrename.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_crossrename
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CROSSRENAME" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CROSSRENAME" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -89,7 +89,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_default_quota.8 samba-4.17.7+dfsg/docs/manpages/vfs_default_quota.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_default_quota.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_default_quota.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_default_quota
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_DEFAULT_QUOTA" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_DEFAULT_QUOTA" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -86,7 +86,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_dirsort.8 samba-4.17.7+dfsg/docs/manpages/vfs_dirsort.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_dirsort.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_dirsort.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_dirsort
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_DIRSORT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_DIRSORT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -59,7 +59,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_expand_msdfs.8 samba-4.17.7+dfsg/docs/manpages/vfs_expand_msdfs.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_expand_msdfs.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_expand_msdfs.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_expand_msdfs
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_EXPAND_MSDFS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_EXPAND_MSDFS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -56,7 +56,7 @@
 With this, clients from network 192\&.168\&.234/24 are redirected to host local\&.samba\&.org, clients from 192\&.168/16 are redirected to remote\&.samba\&.org and all other clients go to default\&.samba\&.org\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_extd_audit.8 samba-4.17.7+dfsg/docs/manpages/vfs_extd_audit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_extd_audit.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_extd_audit.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_extd_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_EXTD_AUDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_EXTD_AUDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -55,7 +55,7 @@
 This module is stackable\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_fake_perms.8 samba-4.17.7+dfsg/docs/manpages/vfs_fake_perms.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_fake_perms.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_fake_perms.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_fake_perms
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_FAKE_PERMS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_FAKE_PERMS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -58,7 +58,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_fileid.8 samba-4.17.7+dfsg/docs/manpages/vfs_fileid.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_fileid.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_fileid.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_fileid
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_FILEID" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_FILEID" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -212,7 +212,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_fruit.8 samba-4.17.7+dfsg/docs/manpages/vfs_fruit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_fruit.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_fruit.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_fruit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_FRUIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_FRUIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_full_audit.8 samba-4.17.7+dfsg/docs/manpages/vfs_full_audit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_full_audit.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_full_audit.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_full_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_FULL_AUDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_FULL_AUDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -513,7 +513,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_glusterfs.8 samba-4.17.7+dfsg/docs/manpages/vfs_glusterfs.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_glusterfs.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_glusterfs.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_glusterfs
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_GLUSTERFS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_GLUSTERFS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -129,7 +129,7 @@
 With GlusterFS versions >= 9, we silently bypass write\-behind translator during initial connect and failure is avoided\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_glusterfs_fuse.8 samba-4.17.7+dfsg/docs/manpages/vfs_glusterfs_fuse.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_glusterfs_fuse.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_glusterfs_fuse.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_glusterfs_fuse
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_GLUSTERFS_FUSE" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_GLUSTERFS_FUSE" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -78,7 +78,7 @@
 This module does currently have no further options\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_gpfs.8 samba-4.17.7+dfsg/docs/manpages/vfs_gpfs.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_gpfs.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_gpfs.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_gpfs
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_GPFS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_GPFS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -660,7 +660,7 @@
 in gpfs versions newer than 3\&.2\&.1 PTF8\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_io_uring.8 samba-4.17.7+dfsg/docs/manpages/vfs_io_uring.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_io_uring.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_io_uring.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_io_uring
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_IO_URING" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_IO_URING" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -78,7 +78,7 @@
 \fBio_uring_setup\fR(2)\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_linux_xfs_sgid.8 samba-4.17.7+dfsg/docs/manpages/vfs_linux_xfs_sgid.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_linux_xfs_sgid.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_linux_xfs_sgid.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_syncops
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SYNCOPS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SYNCOPS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
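Review bot: the header of vfs_linux_xfs_sgid.8 identifies the page as vfs_syncops, both in the `Title: vfs_syncops` comment and in the `.TH "VFS_SYNCOPS"` line, and this regeneration carries the mismatch forward on the new `+.TH` line. The rendered page will show the wrong name in its header and footer. The title should be corrected in the DocBook source this page is generated from, so that the output reads VFS_LINUX_XFS_SGID. The mismatch is already present on the removed 4.17.6 line, so it is not introduced by this upload, but it is worth reporting upstream.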
@@ -64,7 +64,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_media_harmony.8 samba-4.17.7+dfsg/docs/manpages/vfs_media_harmony.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_media_harmony.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_media_harmony.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_media_harmony
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_MEDIA_HARMONY" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_MEDIA_HARMONY" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -138,7 +138,7 @@
 is designed to work with Avid editing applications that look in the Avid MediaFiles or OMFI MediaFiles directories for media\&. It is not designed to work as expected in all circumstances for general use\&. For example: It is possible to open a client\-specific file such as msmMMOB\&.mdb_192\&.168\&.1\&.10_userx even though it doesn\*(Aqt show up in a directory listing\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_nfs4acl_xattr.8 samba-4.17.7+dfsg/docs/manpages/vfs_nfs4acl_xattr.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_nfs4acl_xattr.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_nfs4acl_xattr.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_nfs4acl_xattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_NFS4ACL_XATTR" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_NFS4ACL_XATTR" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_offline.8 samba-4.17.7+dfsg/docs/manpages/vfs_offline.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_offline.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_offline.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_offline
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_OFFLINE" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_OFFLINE" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -59,7 +59,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_prealloc.8 samba-4.17.7+dfsg/docs/manpages/vfs_prealloc.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_prealloc.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_prealloc.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_prealloc
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_PREALLOC" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_PREALLOC" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -112,7 +112,7 @@
 is not supported on all platforms and filesystems\&. Currently only XFS filesystems on Linux and IRIX are supported\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_preopen.8 samba-4.17.7+dfsg/docs/manpages/vfs_preopen.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_preopen.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_preopen.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_preopen
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_PREOPEN" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_PREOPEN" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -147,7 +147,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_readahead.8 samba-4.17.7+dfsg/docs/manpages/vfs_readahead.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_readahead.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_readahead.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_readahead
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_READAHEAD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_READAHEAD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -115,7 +115,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_readonly.8 samba-4.17.7+dfsg/docs/manpages/vfs_readonly.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_readonly.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_readonly.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_readonly
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_READONLY" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_READONLY" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -81,7 +81,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_recycle.8 samba-4.17.7+dfsg/docs/manpages/vfs_recycle.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_recycle.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_recycle.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_recycle
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_RECYCLE" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_RECYCLE" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -136,7 +136,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_shadow_copy2.8 samba-4.17.7+dfsg/docs/manpages/vfs_shadow_copy2.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_shadow_copy2.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_shadow_copy2.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_shadow_copy2
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SHADOW_COPY2" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SHADOW_COPY2" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -519,7 +519,7 @@
 is designed to be an end\-user tool only\&. It does not replace or enhance your backup and archival solutions and should in no way be considered as such\&. Additionally, if you need version control, implement a version control system\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_shadow_copy.8 samba-4.17.7+dfsg/docs/manpages/vfs_shadow_copy.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_shadow_copy.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_shadow_copy.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_shadow_copy
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SHADOW_COPY" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SHADOW_COPY" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -167,7 +167,7 @@
 is designed to be an end\-user tool only\&. It does not replace or enhance your backup and archival solutions and should in no way be considered as such\&. Additionally, if you need version control, implement a version control system\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_shell_snap.8 samba-4.17.7+dfsg/docs/manpages/vfs_shell_snap.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_shell_snap.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_shell_snap.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_shell_snap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SHELL_SNAP" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SHELL_SNAP" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -214,7 +214,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_snapper.8 samba-4.17.7+dfsg/docs/manpages/vfs_snapper.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_snapper.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_snapper.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_snapper
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SNAPPER" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SNAPPER" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -84,7 +84,7 @@
 The DiskShadow\&.exe FSRVP client initially authenticates as the Active Directory computer account\&. This account must therefore be granted the same permissions as the user account issuing the snapshot creation and deletion requests\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_streams_depot.8 samba-4.17.7+dfsg/docs/manpages/vfs_streams_depot.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_streams_depot.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_streams_depot.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_streams_depot
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_STREAMS_DEPOT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_STREAMS_DEPOT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_streams_xattr.8 samba-4.17.7+dfsg/docs/manpages/vfs_streams_xattr.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_streams_xattr.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_streams_xattr.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_streams_xattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_STREAMS_XATTR" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_STREAMS_XATTR" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_syncops.8 samba-4.17.7+dfsg/docs/manpages/vfs_syncops.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_syncops.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_syncops.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_syncops
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SYNCOPS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SYNCOPS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -76,7 +76,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfstest.1 samba-4.17.7+dfsg/docs/manpages/vfstest.1
--- samba-4.17.6+dfsg/docs/manpages/vfstest.1	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfstest.1	2023-03-29 16:24:49.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfstest
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFSTEST" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "VFSTEST" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -797,7 +797,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_time_audit.8 samba-4.17.7+dfsg/docs/manpages/vfs_time_audit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_time_audit.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_time_audit.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_time_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_TIME_AUDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_TIME_AUDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -72,7 +72,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_tsmsm.8 samba-4.17.7+dfsg/docs/manpages/vfs_tsmsm.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_tsmsm.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_tsmsm.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_tsmsm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_TSMSM" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_TSMSM" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -83,7 +83,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_unityed_media.8 samba-4.17.7+dfsg/docs/manpages/vfs_unityed_media.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_unityed_media.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_unityed_media.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_unityed_media
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_UNITYED_MEDIA" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_UNITYED_MEDIA" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -111,7 +111,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_virusfilter.8 samba-4.17.7+dfsg/docs/manpages/vfs_virusfilter.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_virusfilter.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_virusfilter.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_virusfilter
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
 .\"    Source: Samba 4.8
 .\"  Language: English
 .\"
-.TH "VFS_VIRUSFILTER" "8" "03/09/2023" "Samba 4\&.8" "System Administration tools"
+.TH "VFS_VIRUSFILTER" "8" "03/29/2023" "Samba 4\&.8" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
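Review bot: the `Source:` comment and the fourth `.TH` argument stay at "Samba 4.8" in vfs_virusfilter.8 while only the date moves to 03/29/2023, whereas the other man pages in this debdiff go from 4.17.6 to 4.17.7. The version on this page appears to be fixed rather than derived from the release, so anyone checking installed man pages to confirm that the 4.17.7 security update landed will read a stale version here. It would be worth asking upstream to make this page track the release version like the rest; it does not need to hold up this upload.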
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_widelinks.8 samba-4.17.7+dfsg/docs/manpages/vfs_widelinks.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_widelinks.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_widelinks.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_widelinks
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_WIDELINKS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_WIDELINKS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -53,7 +53,7 @@
 No examples listed\&. This module is implicitly loaded by smbd as needed\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_worm.8 samba-4.17.7+dfsg/docs/manpages/vfs_worm.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_worm.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_worm.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_worm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_WORM" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_WORM" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -68,7 +68,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_xattr_tdb.8 samba-4.17.7+dfsg/docs/manpages/vfs_xattr_tdb.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_xattr_tdb.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_xattr_tdb.8	2023-03-29 16:24:49.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_xattr_tdb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_XATTR_TDB" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_XATTR_TDB" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_zfsacl.8 samba-4.17.7+dfsg/docs/manpages/vfs_zfsacl.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_zfsacl.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_zfsacl.8	2023-03-29 16:24:49.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_zfsacl
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_ZFSACL" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_ZFSACL" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -310,7 +310,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/wbinfo.1 samba-4.17.7+dfsg/docs/manpages/wbinfo.1
--- samba-4.17.6+dfsg/docs/manpages/wbinfo.1	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/wbinfo.1	2023-03-29 16:24:49.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: wbinfo
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WBINFO" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "WBINFO" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -472,7 +472,7 @@
 will always return failure\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBwinbindd\fR(8)
diff -Nru samba-4.17.6+dfsg/docs/manpages/winbindd.8 samba-4.17.7+dfsg/docs/manpages/winbindd.8
--- samba-4.17.6+dfsg/docs/manpages/winbindd.8	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/winbindd.8	2023-03-29 16:24:50.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: winbindd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WINBINDD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "WINBINDD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -587,7 +587,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 nsswitch\&.conf(5),
diff -Nru samba-4.17.6+dfsg/docs/manpages/winbind_krb5_localauth.8 samba-4.17.7+dfsg/docs/manpages/winbind_krb5_localauth.8
--- samba-4.17.6+dfsg/docs/manpages/winbind_krb5_localauth.8	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/winbind_krb5_localauth.8	2023-03-29 16:24:50.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: winbind_krb5_localauth
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 8
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WINBIND_KRB5_LOCALAU" "8" "03/09/2023" "Samba 4\&.17\&.6" "8"
+.TH "WINBIND_KRB5_LOCALAU" "8" "03/29/2023" "Samba 4\&.17\&.7" "8"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
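Review bot: the `.TH` line in winbind_krb5_localauth.8 carries a title cut to "WINBIND_KRB5_LOCALAU" and a manual name of "8" (also in the `Manual: 8` comment), where the other section 8 pages in this diff say "System Administration tools". Both are present before and after the version bump, so this is not a regression from this upload, and winbind_krb5_locator.8 shows the same "8" manual name. Suggest reporting it upstream so the generated header carries the full page title and a proper manual name.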
@@ -66,7 +66,7 @@
 .sp
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/winbind_krb5_locator.8 samba-4.17.7+dfsg/docs/manpages/winbind_krb5_locator.8
--- samba-4.17.6+dfsg/docs/manpages/winbind_krb5_locator.8	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/winbind_krb5_locator.8	2023-03-29 16:24:50.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: winbind_krb5_locator
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 8
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WINBIND_KRB5_LOCATOR" "8" "03/09/2023" "Samba 4\&.17\&.6" "8"
+.TH "WINBIND_KRB5_LOCATOR" "8" "03/29/2023" "Samba 4\&.17\&.7" "8"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -57,7 +57,7 @@
 /etc/krb5\&.conf\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/winexe.1 samba-4.17.7+dfsg/docs/manpages/winexe.1
--- samba-4.17.6+dfsg/docs/manpages/winexe.1	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/winexe.1	2023-03-29 16:24:50.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: winexe
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WINEXE" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "WINEXE" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -464,7 +464,7 @@
 The winexe program returns 0 if the operation succeeded, or 1 if the operation failed\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml samba-4.17.7+dfsg/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
--- samba-4.17.6+dfsg/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml	2022-08-08 17:15:39.012189400 +0300
+++ samba-4.17.7+dfsg/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml	2023-03-20 12:05:01.312120400 +0300
@@ -18,25 +18,24 @@
 	</para>
 	
 	<para>
-	This option is needed in the case of Domain Controllers enforcing 
-	the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
-	LDAP sign and seal can be controlled with the registry key
-	"<literal>HKLM\System\CurrentControlSet\Services\</literal>
-	<literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
-	on the Windows server side.  
-	</para>
+	This option is needed firstly to secure the privacy of
+	administrative connections from <command>samba-tool</command>,
+	including in particular new or reset passwords for users. For
+	this reason the default is <emphasis>seal</emphasis>.</para>
 
-	<para>
-	Depending on the used KRB5 library (MIT and older Heimdal versions)
-	it is possible that the message "integrity only" is not supported. 
-	In this case, <emphasis>sign</emphasis> is just an alias for 
-	<emphasis>seal</emphasis>.
+	<para>Additionally, <command>winbindd</command> and the
+	<command>net</command> tool can use LDAP to communicate with
+	Domain Controllers, so this option also controls the level of
+	privacy for those connections.  All supported AD DC versions
+	will enforce the usage of at least signed LDAP connections by
+	default, so a value of at least <emphasis>sign</emphasis> is
+	required in practice.
 	</para>
 
 	<para>
-	The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+	The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
 	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
 	</para>
 </description>
-<value type="default">sign</value>
+<value type="default">seal</value>
 </samba:parameter>
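Review bot: The default moves from sign to seal in the last two changed lines, but the description never says that it changed, so an administrator reading the new page cannot tell that an unset option behaves differently after the upgrade. Add a sentence naming the previous default (sign). While here, reword "That implies synchronizing the time with the KDC", since "That" has no clear referent in the paragraph as it now stands. Minor: the first new paragraph closes with </para> on the text line, while the second keeps it on its own line.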
diff -Nru samba-4.17.6+dfsg/lib/ldb/ABI/ldb-2.6.2.sigs samba-4.17.7+dfsg/lib/ldb/ABI/ldb-2.6.2.sigs
--- samba-4.17.6+dfsg/lib/ldb/ABI/ldb-2.6.2.sigs	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ABI/ldb-2.6.2.sigs	2023-03-20 12:03:45.323654400 +0300
@@ -0,0 +1,301 @@
+ldb_add: int (struct ldb_context *, const struct ldb_message *)
+ldb_any_comparison: int (struct ldb_context *, void *, ldb_attr_handler_t, const struct ldb_val *, const struct ldb_val *)
+ldb_asprintf_errstring: void (struct ldb_context *, const char *, ...)
+ldb_attr_casefold: char *(TALLOC_CTX *, const char *)
+ldb_attr_dn: int (const char *)
+ldb_attr_in_list: int (const char * const *, const char *)
+ldb_attr_list_copy: const char **(TALLOC_CTX *, const char * const *)
+ldb_attr_list_copy_add: const char **(TALLOC_CTX *, const char * const *, const char *)
+ldb_base64_decode: int (char *)
+ldb_base64_encode: char *(TALLOC_CTX *, const char *, int)
+ldb_binary_decode: struct ldb_val (TALLOC_CTX *, const char *)
+ldb_binary_encode: char *(TALLOC_CTX *, struct ldb_val)
+ldb_binary_encode_string: char *(TALLOC_CTX *, const char *)
+ldb_build_add_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_del_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_extended_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const char *, void *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_mod_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_rename_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_search_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, const char *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_search_req_ex: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, struct ldb_parse_tree *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_casefold: char *(struct ldb_context *, TALLOC_CTX *, const char *, size_t)
+ldb_casefold_default: char *(void *, TALLOC_CTX *, const char *, size_t)
+ldb_check_critical_controls: int (struct ldb_control **)
+ldb_comparison_binary: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *)
+ldb_comparison_fold: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *)
+ldb_connect: int (struct ldb_context *, const char *, unsigned int, const char **)
+ldb_control_to_string: char *(TALLOC_CTX *, const struct ldb_control *)
+ldb_controls_except_specified: struct ldb_control **(struct ldb_control **, TALLOC_CTX *, struct ldb_control *)
+ldb_debug: void (struct ldb_context *, enum ldb_debug_level, const char *, ...)
+ldb_debug_add: void (struct ldb_context *, const char *, ...)
+ldb_debug_end: void (struct ldb_context *, enum ldb_debug_level)
+ldb_debug_set: void (struct ldb_context *, enum ldb_debug_level, const char *, ...)
+ldb_delete: int (struct ldb_context *, struct ldb_dn *)
+ldb_dn_add_base: bool (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_add_base_fmt: bool (struct ldb_dn *, const char *, ...)
+ldb_dn_add_child: bool (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_add_child_fmt: bool (struct ldb_dn *, const char *, ...)
+ldb_dn_add_child_val: bool (struct ldb_dn *, const char *, struct ldb_val)
+ldb_dn_alloc_casefold: char *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_alloc_linearized: char *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_canonical_ex_string: char *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_canonical_string: char *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_check_local: bool (struct ldb_module *, struct ldb_dn *)
+ldb_dn_check_special: bool (struct ldb_dn *, const char *)
+ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val)
+ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *)
+ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *)
+ldb_dn_extended_syntax_by_name: const struct ldb_dn_extended_syntax *(struct ldb_context *, const char *)
+ldb_dn_from_ldb_val: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const struct ldb_val *)
+ldb_dn_get_casefold: const char *(struct ldb_dn *)
+ldb_dn_get_comp_num: int (struct ldb_dn *)
+ldb_dn_get_component_name: const char *(struct ldb_dn *, unsigned int)
+ldb_dn_get_component_val: const struct ldb_val *(struct ldb_dn *, unsigned int)
+ldb_dn_get_extended_comp_num: int (struct ldb_dn *)
+ldb_dn_get_extended_component: const struct ldb_val *(struct ldb_dn *, const char *)
+ldb_dn_get_extended_linearized: char *(TALLOC_CTX *, struct ldb_dn *, int)
+ldb_dn_get_ldb_context: struct ldb_context *(struct ldb_dn *)
+ldb_dn_get_linearized: const char *(struct ldb_dn *)
+ldb_dn_get_parent: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_get_rdn_name: const char *(struct ldb_dn *)
+ldb_dn_get_rdn_val: const struct ldb_val *(struct ldb_dn *)
+ldb_dn_has_extended: bool (struct ldb_dn *)
+ldb_dn_is_null: bool (struct ldb_dn *)
+ldb_dn_is_special: bool (struct ldb_dn *)
+ldb_dn_is_valid: bool (struct ldb_dn *)
+ldb_dn_map_local: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *)
+ldb_dn_map_rebase_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *)
+ldb_dn_map_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *)
+ldb_dn_minimise: bool (struct ldb_dn *)
+ldb_dn_new: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *)
+ldb_dn_new_fmt: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *, ...)
+ldb_dn_remove_base_components: bool (struct ldb_dn *, unsigned int)
+ldb_dn_remove_child_components: bool (struct ldb_dn *, unsigned int)
+ldb_dn_remove_extended_components: void (struct ldb_dn *)
+ldb_dn_replace_components: bool (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_set_component: int (struct ldb_dn *, int, const char *, const struct ldb_val)
+ldb_dn_set_extended_component: int (struct ldb_dn *, const char *, const struct ldb_val *)
+ldb_dn_update_components: int (struct ldb_dn *, const struct ldb_dn *)
+ldb_dn_validate: bool (struct ldb_dn *)
+ldb_dump_results: void (struct ldb_context *, struct ldb_result *, FILE *)
+ldb_error_at: int (struct ldb_context *, int, const char *, const char *, int)
+ldb_errstring: const char *(struct ldb_context *)
+ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **)
+ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *)
+ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *)
+ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *)
+ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *)
+ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *)
+ldb_get_create_perms: unsigned int (struct ldb_context *)
+ldb_get_default_basedn: struct ldb_dn *(struct ldb_context *)
+ldb_get_event_context: struct tevent_context *(struct ldb_context *)
+ldb_get_flags: unsigned int (struct ldb_context *)
+ldb_get_opaque: void *(struct ldb_context *, const char *)
+ldb_get_root_basedn: struct ldb_dn *(struct ldb_context *)
+ldb_get_schema_basedn: struct ldb_dn *(struct ldb_context *)
+ldb_global_init: int (void)
+ldb_handle_get_event_context: struct tevent_context *(struct ldb_handle *)
+ldb_handle_new: struct ldb_handle *(TALLOC_CTX *, struct ldb_context *)
+ldb_handle_use_global_event_context: void (struct ldb_handle *)
+ldb_handler_copy: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *)
+ldb_handler_fold: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *)
+ldb_init: struct ldb_context *(TALLOC_CTX *, struct tevent_context *)
+ldb_ldif_message_redacted_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *)
+ldb_ldif_message_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *)
+ldb_ldif_parse_modrdn: int (struct ldb_context *, const struct ldb_ldif *, TALLOC_CTX *, struct ldb_dn **, struct ldb_dn **, bool *, struct ldb_dn **, struct ldb_dn **)
+ldb_ldif_read: struct ldb_ldif *(struct ldb_context *, int (*)(void *), void *)
+ldb_ldif_read_file: struct ldb_ldif *(struct ldb_context *, FILE *)
+ldb_ldif_read_file_state: struct ldb_ldif *(struct ldb_context *, struct ldif_read_file_state *)
+ldb_ldif_read_free: void (struct ldb_context *, struct ldb_ldif *)
+ldb_ldif_read_string: struct ldb_ldif *(struct ldb_context *, const char **)
+ldb_ldif_write: int (struct ldb_context *, int (*)(void *, const char *, ...), void *, const struct ldb_ldif *)
+ldb_ldif_write_file: int (struct ldb_context *, FILE *, const struct ldb_ldif *)
+ldb_ldif_write_redacted_trace_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *)
+ldb_ldif_write_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *)
+ldb_load_modules: int (struct ldb_context *, const char **)
+ldb_map_add: int (struct ldb_module *, struct ldb_request *)
+ldb_map_delete: int (struct ldb_module *, struct ldb_request *)
+ldb_map_init: int (struct ldb_module *, const struct ldb_map_attribute *, const struct ldb_map_objectclass *, const char * const *, const char *, const char *)
+ldb_map_modify: int (struct ldb_module *, struct ldb_request *)
+ldb_map_rename: int (struct ldb_module *, struct ldb_request *)
+ldb_map_search: int (struct ldb_module *, struct ldb_request *)
+ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, enum ldb_scope, bool *)
+ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope)
+ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *)
+ldb_match_msg_objectclass: int (const struct ldb_message *, const char *)
+ldb_match_scope: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *, enum ldb_scope)
+ldb_mod_register_control: int (struct ldb_module *, const char *)
+ldb_modify: int (struct ldb_context *, const struct ldb_message *)
+ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *)
+ldb_module_call_chain: char *(struct ldb_request *, TALLOC_CTX *)
+ldb_module_connect_backend: int (struct ldb_context *, const char *, const char **, struct ldb_module **)
+ldb_module_done: int (struct ldb_request *, struct ldb_control **, struct ldb_extended *, int)
+ldb_module_flags: uint32_t (struct ldb_context *)
+ldb_module_get_ctx: struct ldb_context *(struct ldb_module *)
+ldb_module_get_name: const char *(struct ldb_module *)
+ldb_module_get_ops: const struct ldb_module_ops *(struct ldb_module *)
+ldb_module_get_private: void *(struct ldb_module *)
+ldb_module_init_chain: int (struct ldb_context *, struct ldb_module *)
+ldb_module_load_list: int (struct ldb_context *, const char **, struct ldb_module *, struct ldb_module **)
+ldb_module_new: struct ldb_module *(TALLOC_CTX *, struct ldb_context *, const char *, const struct ldb_module_ops *)
+ldb_module_next: struct ldb_module *(struct ldb_module *)
+ldb_module_popt_options: struct poptOption **(struct ldb_context *)
+ldb_module_send_entry: int (struct ldb_request *, struct ldb_message *, struct ldb_control **)
+ldb_module_send_referral: int (struct ldb_request *, char *)
+ldb_module_set_next: void (struct ldb_module *, struct ldb_module *)
+ldb_module_set_private: void (struct ldb_module *, void *)
+ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type)
+ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *)
+ldb_modules_load: int (const char *, const char *)
+ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int)
+ldb_msg_add_distinguished_name: int (struct ldb_message *)
+ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **)
+ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...)
+ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *)
+ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *)
+ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *)
+ldb_msg_add_string: int (struct ldb_message *, const char *, const char *)
+ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int)
+ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **)
+ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...)
+ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int)
+ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int)
+ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int)
+ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int)
+ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int)
+ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *)
+ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *)
+ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
+ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *)
+ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
+ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *)
+ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **)
+ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *)
+ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *)
+ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *)
+ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *)
+ldb_msg_element_is_inaccessible: bool (const struct ldb_message_element *)
+ldb_msg_element_mark_inaccessible: void (struct ldb_message_element *)
+ldb_msg_elements_take_ownership: int (struct ldb_message *)
+ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int)
+ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *)
+ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double)
+ldb_msg_find_attr_as_int: int (const struct ldb_message *, const char *, int)
+ldb_msg_find_attr_as_int64: int64_t (const struct ldb_message *, const char *, int64_t)
+ldb_msg_find_attr_as_string: const char *(const struct ldb_message *, const char *, const char *)
+ldb_msg_find_attr_as_uint: unsigned int (const struct ldb_message *, const char *, unsigned int)
+ldb_msg_find_attr_as_uint64: uint64_t (const struct ldb_message *, const char *, uint64_t)
+ldb_msg_find_common_values: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message_element *, struct ldb_message_element *, uint32_t)
+ldb_msg_find_duplicate_val: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message_element *, struct ldb_val **, uint32_t)
+ldb_msg_find_element: struct ldb_message_element *(const struct ldb_message *, const char *)
+ldb_msg_find_ldb_val: const struct ldb_val *(const struct ldb_message *, const char *)
+ldb_msg_find_val: struct ldb_val *(const struct ldb_message_element *, struct ldb_val *)
+ldb_msg_new: struct ldb_message *(TALLOC_CTX *)
+ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **)
+ldb_msg_remove_attr: void (struct ldb_message *, const char *)
+ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *)
+ldb_msg_remove_inaccessible: void (struct ldb_message *)
+ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *)
+ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *)
+ldb_msg_shrink_to_fit: void (struct ldb_message *)
+ldb_msg_sort_elements: void (struct ldb_message *)
+ldb_next_del_trans: int (struct ldb_module *)
+ldb_next_end_trans: int (struct ldb_module *)
+ldb_next_init: int (struct ldb_module *)
+ldb_next_prepare_commit: int (struct ldb_module *)
+ldb_next_read_lock: int (struct ldb_module *)
+ldb_next_read_unlock: int (struct ldb_module *)
+ldb_next_remote_request: int (struct ldb_module *, struct ldb_request *)
+ldb_next_request: int (struct ldb_module *, struct ldb_request *)
+ldb_next_start_trans: int (struct ldb_module *)
+ldb_op_default_callback: int (struct ldb_request *, struct ldb_reply *)
+ldb_options_copy: const char **(TALLOC_CTX *, const char **)
+ldb_options_find: const char *(struct ldb_context *, const char **, const char *)
+ldb_options_get: const char **(struct ldb_context *)
+ldb_pack_data: int (struct ldb_context *, const struct ldb_message *, struct ldb_val *, uint32_t)
+ldb_parse_control_from_string: struct ldb_control *(struct ldb_context *, TALLOC_CTX *, const char *)
+ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CTX *, const char **)
+ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *)
+ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *)
+ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *)
+ldb_parse_tree_get_attr: const char *(const struct ldb_parse_tree *)
+ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *)
+ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t)
+ldb_register_backend: int (const char *, ldb_connect_fn, bool)
+ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *)
+ldb_register_hook: int (ldb_hook_fn)
+ldb_register_module: int (const struct ldb_module_ops *)
+ldb_register_redact_callback: int (struct ldb_context *, ldb_redact_fn, struct ldb_module *)
+ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *)
+ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *)
+ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *)
+ldb_req_get_custom_flags: uint32_t (struct ldb_request *)
+ldb_req_is_untrusted: bool (struct ldb_request *)
+ldb_req_location: const char *(struct ldb_request *)
+ldb_req_mark_trusted: void (struct ldb_request *)
+ldb_req_mark_untrusted: void (struct ldb_request *)
+ldb_req_set_custom_flags: void (struct ldb_request *, uint32_t)
+ldb_req_set_location: void (struct ldb_request *, const char *)
+ldb_request: int (struct ldb_context *, struct ldb_request *)
+ldb_request_add_control: int (struct ldb_request *, const char *, bool, void *)
+ldb_request_done: int (struct ldb_request *, int)
+ldb_request_get_control: struct ldb_control *(struct ldb_request *, const char *)
+ldb_request_get_status: int (struct ldb_request *)
+ldb_request_replace_control: int (struct ldb_request *, const char *, bool, void *)
+ldb_request_set_state: void (struct ldb_request *, int)
+ldb_reset_err_string: void (struct ldb_context *)
+ldb_save_controls: int (struct ldb_control *, struct ldb_request *, struct ldb_control ***)
+ldb_schema_attribute_add: int (struct ldb_context *, const char *, unsigned int, const char *)
+ldb_schema_attribute_add_with_syntax: int (struct ldb_context *, const char *, unsigned int, const struct ldb_schema_syntax *)
+ldb_schema_attribute_by_name: const struct ldb_schema_attribute *(struct ldb_context *, const char *)
+ldb_schema_attribute_fill_with_syntax: int (struct ldb_context *, TALLOC_CTX *, const char *, unsigned int, const struct ldb_schema_syntax *, struct ldb_schema_attribute *)
+ldb_schema_attribute_remove: void (struct ldb_context *, const char *)
+ldb_schema_attribute_remove_flagged: void (struct ldb_context *, unsigned int)
+ldb_schema_attribute_set_override_handler: void (struct ldb_context *, ldb_attribute_handler_override_fn_t, void *)
+ldb_schema_set_override_GUID_index: void (struct ldb_context *, const char *, const char *)
+ldb_schema_set_override_indexlist: void (struct ldb_context *, bool)
+ldb_search: int (struct ldb_context *, TALLOC_CTX *, struct ldb_result **, struct ldb_dn *, enum ldb_scope, const char * const *, const char *, ...)
+ldb_search_default_callback: int (struct ldb_request *, struct ldb_reply *)
+ldb_sequence_number: int (struct ldb_context *, enum ldb_sequence_type, uint64_t *)
+ldb_set_create_perms: void (struct ldb_context *, unsigned int)
+ldb_set_debug: int (struct ldb_context *, void (*)(void *, enum ldb_debug_level, const char *, va_list), void *)
+ldb_set_debug_stderr: int (struct ldb_context *)
+ldb_set_default_dns: void (struct ldb_context *)
+ldb_set_errstring: void (struct ldb_context *, const char *)
+ldb_set_event_context: void (struct ldb_context *, struct tevent_context *)
+ldb_set_flags: void (struct ldb_context *, unsigned int)
+ldb_set_modules_dir: void (struct ldb_context *, const char *)
+ldb_set_opaque: int (struct ldb_context *, const char *, void *)
+ldb_set_require_private_event_context: void (struct ldb_context *)
+ldb_set_timeout: int (struct ldb_context *, struct ldb_request *, int)
+ldb_set_timeout_from_prev_req: int (struct ldb_context *, struct ldb_request *, struct ldb_request *)
+ldb_set_utf8_default: void (struct ldb_context *)
+ldb_set_utf8_fns: void (struct ldb_context *, void *, char *(*)(void *, void *, const char *, size_t))
+ldb_setup_wellknown_attributes: int (struct ldb_context *)
+ldb_should_b64_encode: int (struct ldb_context *, const struct ldb_val *)
+ldb_standard_syntax_by_name: const struct ldb_schema_syntax *(struct ldb_context *, const char *)
+ldb_strerror: const char *(int)
+ldb_string_to_time: time_t (const char *)
+ldb_string_utc_to_time: time_t (const char *)
+ldb_timestring: char *(TALLOC_CTX *, time_t)
+ldb_timestring_utc: char *(TALLOC_CTX *, time_t)
+ldb_transaction_cancel: int (struct ldb_context *)
+ldb_transaction_cancel_noerr: int (struct ldb_context *)
+ldb_transaction_commit: int (struct ldb_context *)
+ldb_transaction_prepare_commit: int (struct ldb_context *)
+ldb_transaction_start: int (struct ldb_context *)
+ldb_unpack_data: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *)
+ldb_unpack_data_flags: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, unsigned int)
+ldb_unpack_get_format: int (const struct ldb_val *, uint32_t *)
+ldb_val_dup: struct ldb_val (TALLOC_CTX *, const struct ldb_val *)
+ldb_val_equal_exact: int (const struct ldb_val *, const struct ldb_val *)
+ldb_val_map_local: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *)
+ldb_val_map_remote: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *)
+ldb_val_string_cmp: int (const struct ldb_val *, const char *)
+ldb_val_to_time: int (const struct ldb_val *, time_t *)
+ldb_valid_attr_name: int (const char *)
+ldb_vdebug: void (struct ldb_context *, enum ldb_debug_level, const char *, va_list)
+ldb_wait: int (struct ldb_handle *, enum ldb_wait_type)
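Review bot: This list puts ldb_msg_element_mark_inaccessible, ldb_msg_element_is_inaccessible, ldb_msg_remove_inaccessible and ldb_register_redact_callback into the public ABI, although the flag they operate on is named LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE in ldb_msg.c. If they are meant for ldb modules only, say so where they are declared. Since the file is versioned 2.6.2, also check that the package's symbol tracking for the library picks up the new entries.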
diff -Nru samba-4.17.6+dfsg/lib/ldb/ABI/pyldb-util-2.6.2.sigs samba-4.17.7+dfsg/lib/ldb/ABI/pyldb-util-2.6.2.sigs
--- samba-4.17.6+dfsg/lib/ldb/ABI/pyldb-util-2.6.2.sigs	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ABI/pyldb-util-2.6.2.sigs	2023-03-20 12:03:45.323654400 +0300
@@ -0,0 +1,3 @@
+pyldb_Dn_FromDn: PyObject *(struct ldb_dn *)
+pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **)
+pyldb_check_type: bool (PyObject *, const char *)
diff -Nru samba-4.17.6+dfsg/lib/ldb/common/ldb_match.c samba-4.17.7+dfsg/lib/ldb/common/ldb_match.c
--- samba-4.17.6+dfsg/lib/ldb/common/ldb_match.c	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/common/ldb_match.c	2023-03-20 12:03:45.211653700 +0300
@@ -34,14 +34,15 @@
 
 #include "ldb_private.h"
 #include "dlinklist.h"
+#include "ldb_handlers.h"
 
 /*
   check if the scope matches in a search result
 */
-static int ldb_match_scope(struct ldb_context *ldb,
-			   struct ldb_dn *base,
-			   struct ldb_dn *dn,
-			   enum ldb_scope scope)
+int ldb_match_scope(struct ldb_context *ldb,
+		    struct ldb_dn *base,
+		    struct ldb_dn *dn,
+		    enum ldb_scope scope)
 {
 	int ret = 0;
 
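Review bot: ldb_match_scope loses its static qualifier here but keeps the one-line comment written for a file-local helper. Now that it can be called from outside ldb_match.c (it is also listed in ldb-2.6.2.sigs), document what the return value means and whether base or dn may be NULL, so external callers do not have to read the body.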
@@ -259,20 +260,42 @@
 		return LDB_SUCCESS;
 	}
 
-	if (a->syntax->canonicalise_fn(ldb, ldb, &value, &val) != 0) {
-		return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+	/* No need to just copy this value for a binary match */
+	if (a->syntax->canonicalise_fn != ldb_handler_copy) {
+		if (a->syntax->canonicalise_fn(ldb, ldb, &value, &val) != 0) {
+			return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+		}
+
+		/*
+		 * Only set save_p if we allocate (call
+		 * a->syntax->canonicalise_fn()), as we
+		 * talloc_free(save_p) below to clean up
+		 */
+		save_p = val.data;
+	} else {
+		val = value;
 	}
 
-	save_p = val.data;
 	cnk.data = NULL;
 
 	if ( ! tree->u.substring.start_with_wildcard ) {
+		uint8_t *cnk_to_free = NULL;
 
 		chunk = tree->u.substring.chunks[c];
-		if (a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
+		/* No need to just copy this value for a binary match */
+		if (a->syntax->canonicalise_fn != ldb_handler_copy) {
+			if (a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) {
+				goto mismatch;
+			}
+
+			cnk_to_free = cnk.data;
+		} else {
+			cnk = *chunk;
+		}
 
 		/* This deals with wildcard prefix searches on binary attributes (eg objectGUID) */
 		if (cnk.length > val.length) {
+			TALLOC_FREE(cnk_to_free);
 			goto mismatch;
 		}
 		/*
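Review bot: In the new else branch (val = value) save_p is never assigned, yet talloc_free(save_p) still runs on both exit paths, so this is only safe if save_p is initialised to NULL at its declaration, which lies outside this hunk. Please confirm that, or initialise it next to cnk.data = NULL. Separately, the test canonicalise_fn != ldb_handler_copy followed by either a canonicalise call or a struct copy appears here for the value and again for each chunk; a small helper that returns the value to compare plus the pointer to free would keep the copies from drifting apart.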
@@ -280,32 +303,47 @@
 		 * we can cope with this.
 		 */
 		if (cnk.length == 0) {
+			TALLOC_FREE(cnk_to_free);
+			goto mismatch;
+		}
+
+		if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) {
+			TALLOC_FREE(cnk_to_free);
 			goto mismatch;
 		}
 
-		if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch;
 		val.length -= cnk.length;
 		val.data += cnk.length;
 		c++;
-		talloc_free(cnk.data);
+		TALLOC_FREE(cnk_to_free);
 		cnk.data = NULL;
 	}
 
 	while (tree->u.substring.chunks[c]) {
 		uint8_t *p;
+		uint8_t *cnk_to_free = NULL;
 
 		chunk = tree->u.substring.chunks[c];
-		if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) {
-			goto mismatch;
+		/* No need to just copy this value for a binary match */
+		if (a->syntax->canonicalise_fn != ldb_handler_copy) {
+			if (a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) {
+				goto mismatch;
+			}
+
+			cnk_to_free = cnk.data;
+		} else {
+			cnk = *chunk;
 		}
 		/*
 		 * Empty strings are returned as length 0. Ensure
 		 * we can cope with this.
 		 */
 		if (cnk.length == 0) {
+			TALLOC_FREE(cnk_to_free);
 			goto mismatch;
 		}
 		if (cnk.length > val.length) {
+			TALLOC_FREE(cnk_to_free);
 			goto mismatch;
 		}
 
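Review bot: Every goto mismatch in this block and in the loop now needs its own TALLOC_FREE(cnk_to_free) placed by hand, so a later edit that adds one more exit will leak without any compiler or test noticing. Declare cnk_to_free once at function scope, free it at the mismatch label and at the end of each iteration, and the per-branch frees can go.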
@@ -320,6 +358,8 @@
 			cmp = memcmp(p,
 				     cnk.data,
 				     cnk.length);
+			TALLOC_FREE(cnk_to_free);
+
 			if (cmp != 0) {
 				goto mismatch;
 			}
@@ -331,15 +371,16 @@
 			p = memmem((const void *)val.data, val.length,
 				   (const void *)cnk.data, cnk.length);
 			if (p == NULL) {
+				TALLOC_FREE(cnk_to_free);
 				goto mismatch;
 			}
 			/* move val to the end of the match */
 			p += cnk.length;
 			val.length -= (p - val.data);
 			val.data = p;
+			TALLOC_FREE(cnk_to_free);
 		}
 		c++;
-		TALLOC_FREE(cnk.data);
 	}
 
 	talloc_free(save_p);
@@ -349,7 +390,6 @@
 mismatch:
 	*matched = false;
 	talloc_free(save_p);
-	talloc_free(cnk.data);
 	return LDB_SUCCESS;
 }
 
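Review bot: With talloc_free(cnk.data) gone from the mismatch label, the two paths that jump here straight after a failed canonicalise_fn call have nothing that releases cnk. Those calls pass ldb as the memory context, so anything a handler allocated before failing would live as long as the ldb context. Either confirm that handlers leave no allocation behind on error, or keep a function-scope pointer that the label frees.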
@@ -531,6 +571,26 @@
 			      &tree->u.extended.value, matched);
 }
 
+static bool ldb_must_suppress_match(const struct ldb_message *msg,
+				    const struct ldb_parse_tree *tree)
+{
+	const char *attr = NULL;
+	struct ldb_message_element *el = NULL;
+
+	attr = ldb_parse_tree_get_attr(tree);
+	if (attr == NULL) {
+		return false;
+	}
+
+	/* find the message element */
+	el = ldb_msg_find_element(msg, attr);
+	if (el == NULL) {
+		return false;
+	}
+
+	return ldb_msg_element_is_inaccessible(el);
+}
+
 /*
   Check if a particular message will match the given filter
 
@@ -555,6 +615,17 @@
 		return LDB_SUCCESS;
 	}
 
+	/*
+	 * Suppress matches on confidential attributes (handled
+	 * manually in extended matches as these can do custom things
+	 * like read other parts of the DB or other attributes).
+	 */
+	if (tree->operation != LDB_OP_EXTENDED) {
+		if (ldb_must_suppress_match(msg, tree)) {
+			return LDB_SUCCESS;
+		}
+	}
+
 	switch (tree->operation) {
 	case LDB_OP_AND:
 		for (i=0;i<tree->u.list.num_elements;i++) {
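Review bot: the early `return LDB_SUCCESS` taken when ldb_must_suppress_match() is true never assigns *matched, so it relies on *matched already being false at this point, which this hunk does not show. Set `*matched = false;` before returning, or extend the comment to say that it was cleared earlier and that a suppressed attribute is deliberately reported as a non-match.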
@@ -741,3 +812,15 @@
 	return LDB_SUCCESS;
 }
 
+int ldb_register_redact_callback(struct ldb_context *ldb,
+				 ldb_redact_fn redact_fn,
+				 struct ldb_module *module)
+{
+	if (ldb->redact.callback != NULL) {
+		return LDB_ERR_ENTRY_ALREADY_EXISTS;
+	}
+
+	ldb->redact.callback = redact_fn;
+	ldb->redact.module = module;
+	return LDB_SUCCESS;
+}
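Review bot: ldb_register_redact_callback() accepts a NULL redact_fn and still returns LDB_SUCCESS, which stores the module pointer while leaving the slot looking unregistered to the next caller. Reject NULL explicitly, and add a comment above the function stating that only one callback can be registered per ldb context, that there is no unregister, and that the stored module pointer therefore has to stay valid for as long as searches can run on the context.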
diff -Nru samba-4.17.6+dfsg/lib/ldb/common/ldb_msg.c samba-4.17.7+dfsg/lib/ldb/common/ldb_msg.c
--- samba-4.17.6+dfsg/lib/ldb/common/ldb_msg.c	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/common/ldb_msg.c	2023-03-20 12:03:44.611650000 +0300
@@ -795,6 +795,32 @@
 	return ldb_attr_cmp(el1->name, el2->name);
 }
 
+void ldb_msg_element_mark_inaccessible(struct ldb_message_element *el)
+{
+	el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
+}
+
+bool ldb_msg_element_is_inaccessible(const struct ldb_message_element *el)
+{
+	return (el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE) != 0;
+}
+
+void ldb_msg_remove_inaccessible(struct ldb_message *msg)
+{
+	unsigned i;
+	unsigned num_del = 0;
+
+	for (i = 0; i < msg->num_elements; ++i) {
+		if (ldb_msg_element_is_inaccessible(&msg->elements[i])) {
+			++num_del;
+		} else if (num_del) {
+			msg->elements[i - num_del] = msg->elements[i];
+		}
+	}
+
+	msg->num_elements -= num_del;
+}
+
 /*
   convenience functions to return common types from a message
   these return the first value if the attribute is multi-valued
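Review bot: ldb_msg_remove_inaccessible() only compacts the array and lowers num_elements; the names and values of the removed elements are neither freed nor cleared, and the array keeps its old capacity. None of the three new helpers has a comment, so please document this behaviour and say whether callers are expected to follow up with ldb_msg_shrink_to_fit().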
@@ -1471,6 +1497,22 @@
 	}
 }
 
+/* Reallocate elements to drop any excess capacity. */
+void ldb_msg_shrink_to_fit(struct ldb_message *msg)
+{
+	if (msg->num_elements > 0) {
+		struct ldb_message_element *elements = talloc_realloc(msg,
+								      msg->elements,
+								      struct ldb_message_element,
+								      msg->num_elements);
+		if (elements != NULL) {
+			msg->elements = elements;
+		}
+	} else {
+		TALLOC_FREE(msg->elements);
+	}
+}
+
 /*
   return a LDAP formatted GeneralizedTime string
 */
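Review bot: the `else` branch calls TALLOC_FREE(msg->elements), which is only valid when the array is a talloc allocation; the one-line comment should state that precondition. It would also help to say that a failed talloc_realloc() is ignored on purpose, since the old, larger array remains usable.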
diff -Nru samba-4.17.6+dfsg/lib/ldb/common/ldb_pack.c samba-4.17.7+dfsg/lib/ldb/common/ldb_pack.c
--- samba-4.17.6+dfsg/lib/ldb/common/ldb_pack.c	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/common/ldb_pack.c	2023-03-20 12:03:44.663650300 +0300
@@ -690,6 +690,7 @@
 		element->values = NULL;
 		if ((flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) && element->num_values == 1) {
 			element->values = &ldb_val_single_array[nelem];
+			element->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
 		} else if (element->num_values != 0) {
 			element->values = talloc_array(message->elements,
 						       struct ldb_val,
@@ -932,6 +933,7 @@
 		if ((flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) &&
 		    element->num_values == 1) {
 			element->values = &ldb_val_single_array[nelem];
+			element->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
 		} else if (element->num_values != 0) {
 			element->values = talloc_array(message->elements,
 						       struct ldb_val,
@@ -1096,7 +1098,7 @@
 /*
   add the special distinguishedName element
 */
-static int msg_add_distinguished_name(struct ldb_message *msg)
+int ldb_msg_add_distinguished_name(struct ldb_message *msg)
 {
 	const char *dn_attr = "distinguishedName";
 	char *dn = NULL;
@@ -1156,7 +1158,7 @@
 
 	/* Shortcuts for the simple cases */
 	} else if (add_dn && i == 1) {
-		if (msg_add_distinguished_name(filtered_msg) != 0) {
+		if (ldb_msg_add_distinguished_name(filtered_msg) != 0) {
 			goto failed;
 		}
 		return 0;
@@ -1236,7 +1238,7 @@
 	filtered_msg->num_elements = num_elements;
 
 	if (add_dn) {
-		if (msg_add_distinguished_name(filtered_msg) != 0) {
+		if (ldb_msg_add_distinguished_name(filtered_msg) != 0) {
 			goto failed;
 		}
 	}
@@ -1259,3 +1261,100 @@
 	TALLOC_FREE(filtered_msg->elements);
 	return -1;
 }
+
+/*
+ * filter the specified list of attributes from msg,
+ * adding requested attributes, and perhaps all for *.
+ * Unlike ldb_filter_attrs(), the DN will not be added
+ * if it is missing.
+ */
+int ldb_filter_attrs_in_place(struct ldb_message *msg,
+			      const char *const *attrs)
+{
+	unsigned int i = 0;
+	bool keep_all = false;
+	unsigned int num_del = 0;
+
+	if (attrs) {
+		/* check for special attrs */
+		for (i = 0; attrs[i]; i++) {
+			int cmp = strcmp(attrs[i], "*");
+			if (cmp == 0) {
+				keep_all = true;
+				break;
+			}
+		}
+		if (!keep_all && i == 0) {
+			msg->num_elements = 0;
+			return LDB_SUCCESS;
+		}
+	} else {
+		keep_all = true;
+	}
+
+	for (i = 0; i < msg->num_elements; i++) {
+		bool found = false;
+		unsigned int j;
+
+		if (keep_all) {
+			found = true;
+		} else {
+			for (j = 0; attrs[j]; j++) {
+				int cmp = ldb_attr_cmp(msg->elements[i].name, attrs[j]);
+				if (cmp == 0) {
+					found = true;
+					break;
+				}
+			}
+		}
+
+		if (!found) {
+			++num_del;
+		} else if (num_del != 0) {
+			msg->elements[i - num_del] = msg->elements[i];
+		}
+	}
+
+	msg->num_elements -= num_del;
+
+	return LDB_SUCCESS;
+}
+
+/* Have an unpacked ldb message take talloc ownership of its elements. */
+int ldb_msg_elements_take_ownership(struct ldb_message *msg)
+{
+	unsigned int i = 0;
+
+	for (i = 0; i < msg->num_elements; i++) {
+		struct ldb_message_element *el = &msg->elements[i];
+		const char *name;
+		unsigned int j;
+
+		name = talloc_strdup(msg->elements,
+				     el->name);
+		if (name == NULL) {
+			return -1;
+		}
+		el->name = name;
+
+		if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) {
+			struct ldb_val *values = talloc_memdup(msg->elements, el->values,
+							       sizeof(struct ldb_val) * el->num_values);
+			if (values == NULL) {
+				return -1;
+			}
+			el->values = values;
+			el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
+		}
+
+		for (j = 0; j < el->num_values; j++) {
+			struct ldb_val val = ldb_val_dup(el->values, &el->values[j]);
+			if (val.data == NULL && el->values[j].length != 0) {
+				return -1;
+			}
+			el->values[j] = val;
+		}
+	}
+
+	return LDB_SUCCESS;
+}
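Review bot: ldb_msg_elements_take_ownership() returns -1 on allocation failure but LDB_SUCCESS on success, so it mixes two return conventions; returning LDB_ERR_OPERATIONS_ERROR would keep the result an LDB code throughout. On failure the message is also left partly converted (some names and values duplicated, others not), which the comment should mention so callers know to discard it. Separately, the comment on ldb_filter_attrs_in_place() still says "adding requested attributes", but the function only drops elements that were not requested.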
diff -Nru samba-4.17.6+dfsg/lib/ldb/common/ldb_parse.c samba-4.17.7+dfsg/lib/ldb/common/ldb_parse.c
--- samba-4.17.6+dfsg/lib/ldb/common/ldb_parse.c	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/common/ldb_parse.c	2023-03-20 12:03:44.803651300 +0300
@@ -997,3 +997,28 @@
 
 	return nt;
 }
+
+/* Get the attribute (if any) associated with the top node of a parse tree. */
+const char *ldb_parse_tree_get_attr(const struct ldb_parse_tree *tree)
+{
+	switch (tree->operation) {
+	case LDB_OP_AND:
+	case LDB_OP_OR:
+	case LDB_OP_NOT:
+		return NULL;
+	case LDB_OP_EQUALITY:
+		return tree->u.equality.attr;
+	case LDB_OP_SUBSTRING:
+		return tree->u.substring.attr;
+	case LDB_OP_GREATER:
+	case LDB_OP_LESS:
+	case LDB_OP_APPROX:
+		return tree->u.comparison.attr;
+	case LDB_OP_PRESENT:
+		return tree->u.present.attr;
+	case LDB_OP_EXTENDED:
+		return tree->u.extended.attr;
+	}
+
+	return NULL;
+}
diff -Nru samba-4.17.6+dfsg/lib/ldb/include/ldb_module.h samba-4.17.7+dfsg/lib/ldb/include/ldb_module.h
--- samba-4.17.6+dfsg/lib/ldb/include/ldb_module.h	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/include/ldb_module.h	2023-03-20 12:03:45.131653300 +0300
@@ -102,6 +102,12 @@
  */
 #define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200
 
+/*
+ * this attribute has been access checked. We know the user has the right to
+ * view it. Used internally in Samba aclread module.
+ */
+#define LDB_FLAG_INTERNAL_ACCESS_CHECKED 0x400
+
 /* an extended match rule that always fails to match */
 #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1"
 
@@ -490,6 +496,9 @@
  */
 bool ldb_dn_replace_components(struct ldb_dn *dn, struct ldb_dn *new_dn);
 
+/* Get the attribute (if any) associated with the top node of a parse tree. */
+const char *ldb_parse_tree_get_attr(const struct ldb_parse_tree *tree);
+
 /*
   walk a parse tree, calling the provided callback on each node
 */
@@ -513,6 +522,15 @@
 int ldb_register_extended_match_rule(struct ldb_context *ldb,
 				     const struct ldb_extended_match_rule *rule);
 
+void ldb_msg_element_mark_inaccessible(struct ldb_message_element *el);
+bool ldb_msg_element_is_inaccessible(const struct ldb_message_element *el);
+void ldb_msg_remove_inaccessible(struct ldb_message *msg);
+
+typedef int (*ldb_redact_fn)(struct ldb_module *, struct ldb_request *, struct ldb_message *);
+int ldb_register_redact_callback(struct ldb_context *ldb,
+			       ldb_redact_fn redact_fn,
+			       struct ldb_module *module);
+
 /*
  * these pack/unpack functions are exposed in the library for use by
  * ldb tools like ldbdump and for use in tests,
@@ -538,6 +556,19 @@
 		     const struct ldb_message *msg,
 		     const char *const *attrs,
 		     struct ldb_message *filtered_msg);
+
+/*
+ * filter the specified list of attributes from msg,
+ * adding requested attributes, and perhaps all for *.
+ * Unlike ldb_filter_attrs(), the DN will not be added
+ * if it is missing.
+ */
+int ldb_filter_attrs_in_place(struct ldb_message *msg,
+			      const char *const *attrs);
+
+/* Have an unpacked ldb message take talloc ownership of its elements. */
+int ldb_msg_elements_take_ownership(struct ldb_message *msg);
+
 /*
  * Unpack a ldb message from a linear buffer in ldb_val
  *
diff -Nru samba-4.17.6+dfsg/lib/ldb/include/ldb_private.h samba-4.17.7+dfsg/lib/ldb/include/ldb_private.h
--- samba-4.17.6+dfsg/lib/ldb/include/ldb_private.h	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/include/ldb_private.h	2023-03-20 12:03:45.211653700 +0300
@@ -119,6 +119,11 @@
 		struct ldb_extended_match_entry *prev, *next;
 	} *extended_match_rules;
 
+	struct {
+		struct ldb_module *module;
+		ldb_redact_fn callback;
+	} redact;
+
 	/* custom utf8 functions */
 	struct ldb_utf8_fns utf8_fns;
 
@@ -317,4 +322,20 @@
 		      const struct ldb_parse_tree *tree,
 		      enum ldb_scope scope, bool *matched);
 
+/*
+  check if the scope matches in a search result
+*/
+int ldb_match_scope(struct ldb_context *ldb,
+		    struct ldb_dn *base,
+		    struct ldb_dn *dn,
+		    enum ldb_scope scope);
+
+/* Reallocate elements to drop any excess capacity. */
+void ldb_msg_shrink_to_fit(struct ldb_message *msg);
+
+/*
+  add the special distinguishedName element
+*/
+int ldb_msg_add_distinguished_name(struct ldb_message *msg);
+
 #endif
diff -Nru samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv.h samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv.h
--- samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv.h	2022-08-08 17:15:39.084190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv.h	2023-03-20 12:03:44.687650400 +0300
@@ -301,10 +301,8 @@
 		      const struct ldb_val ldb_key,
 		      struct ldb_message *msg,
 		      unsigned int unpack_flags);
-int ldb_kv_filter_attrs(struct ldb_context *ldb,
-			const struct ldb_message *msg,
-			const char *const *attrs,
-			struct ldb_message *filtered_msg);
+int ldb_kv_filter_attrs_in_place(struct ldb_message *msg,
+				 const char *const *attrs);
 int ldb_kv_search(struct ldb_kv_context *ctx);
 
 /*
diff -Nru samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv_index.c samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv_index.c
--- samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv_index.c	2022-08-08 17:15:39.084190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv_index.c	2023-03-20 12:03:45.211653700 +0300
@@ -2264,7 +2264,6 @@
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 	struct ldb_message *msg;
-	struct ldb_message *filtered_msg;
 	unsigned int i;
 	unsigned int num_keys = 0;
 	uint8_t previous_guid_key[LDB_KV_GUID_KEY_SIZE] = {0};
@@ -2435,17 +2434,31 @@
 		 *
 		 * LDB_SCOPE_BASE is not passed in by our only caller.
 		 */
-		if (ac->scope == LDB_SCOPE_ONELEVEL &&
-		    ldb_kv->cache->one_level_indexes &&
-		    scope_one_truncation == KEY_NOT_TRUNCATED) {
-			ret = ldb_match_message(ldb, msg, ac->tree,
-						ac->scope, &matched);
-		} else {
-			ret = ldb_match_msg_error(ldb, msg,
-						  ac->tree, ac->base,
-						  ac->scope, &matched);
+		if (ac->scope != LDB_SCOPE_ONELEVEL ||
+		    !ldb_kv->cache->one_level_indexes ||
+		    scope_one_truncation != KEY_NOT_TRUNCATED)
+		{
+			/*
+			 * The redaction callback may be expensive to call if it
+			 * fetches a security descriptor. Check the DN early and
+			 * bail out if it doesn't match the base.
+			 */
+			if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) {
+				talloc_free(msg);
+				continue;
+			}
 		}
 
+		if (ldb->redact.callback != NULL) {
+			ret = ldb->redact.callback(ldb->redact.module, ac->req, msg);
+			if (ret != LDB_SUCCESS) {
+				talloc_free(msg);
+				return ret;
+			}
+		}
+
+		ret = ldb_match_message(ldb, msg, ac->tree,
+					ac->scope, &matched);
 		if (ret != LDB_SUCCESS) {
 			talloc_free(keys);
 			talloc_free(msg);
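Review bot: when the redact callback fails, the new path frees msg and returns without talloc_free(keys), while the ldb_match_message() failure path directly below frees both keys and msg. Free keys on the callback failure path as well, or add a comment explaining why it is not needed there.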
@@ -2456,27 +2469,31 @@
 			continue;
 		}
 
-		filtered_msg = ldb_msg_new(ac);
-		if (filtered_msg == NULL) {
-			TALLOC_FREE(keys);
-			TALLOC_FREE(msg);
+		ret = ldb_msg_add_distinguished_name(msg);
+		if (ret == -1) {
+			talloc_free(msg);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
-		filtered_msg->dn = talloc_steal(filtered_msg, msg->dn);
-
 		/* filter the attributes that the user wants */
-		ret = ldb_kv_filter_attrs(ldb, msg, ac->attrs, filtered_msg);
+		ret = ldb_kv_filter_attrs_in_place(msg, ac->attrs);
+		if (ret != LDB_SUCCESS) {
+			talloc_free(keys);
+			talloc_free(msg);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
 
-		talloc_free(msg);
+		ldb_msg_shrink_to_fit(msg);
 
-		if (ret == -1) {
-			TALLOC_FREE(filtered_msg);
+		/* Ensure the message elements are all talloc'd. */
+		ret = ldb_msg_elements_take_ownership(msg);
+		if (ret != LDB_SUCCESS) {
 			talloc_free(keys);
+			talloc_free(msg);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
-		ret = ldb_module_send_entry(ac->req, filtered_msg, NULL);
+		ret = ldb_module_send_entry(ac->req, msg, NULL);
 		if (ret != LDB_SUCCESS) {
 			/* Regardless of success or failure, the msg
 			 * is the callbacks responsiblity, and should
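Review bot: the ldb_msg_add_distinguished_name() failure path tests `ret == -1` and frees only msg, whereas the two checks that follow it test `ret != LDB_SUCCESS` and free keys too. Use the same test and the same cleanup on all three error paths.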
diff -Nru samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv_search.c samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv_search.c
--- samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv_search.c	2022-08-08 17:15:39.084190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv_search.c	2023-03-20 12:03:45.211653700 +0300
@@ -292,15 +292,13 @@
 
 /*
  * filter the specified list of attributes from msg,
- * adding requested attributes, and perhaps all for *,
- * but not the DN to filtered_msg.
+ * adding requested attributes, and perhaps all for *.
+ * The DN will not be added if it is missing.
  */
-int ldb_kv_filter_attrs(struct ldb_context *ldb,
-			const struct ldb_message *msg,
-			const char *const *attrs,
-			struct ldb_message *filtered_msg)
+int ldb_kv_filter_attrs_in_place(struct ldb_message *msg,
+				 const char *const *attrs)
 {
-	return ldb_filter_attrs(ldb, msg, attrs, filtered_msg);
+	return ldb_filter_attrs_in_place(msg, attrs);
 }
 
 /*
@@ -313,7 +311,7 @@
 {
 	struct ldb_context *ldb;
 	struct ldb_kv_context *ac;
-	struct ldb_message *msg, *filtered_msg;
+	struct ldb_message *msg;
 	struct timeval now;
 	int ret, timeval_cmp;
 	bool matched;
@@ -397,9 +395,27 @@
 		}
 	}
 
+	/*
+	 * The redaction callback may be expensive to call if it fetches a
+	 * security descriptor. Check the DN early and bail out if it doesn't
+	 * match the base.
+	 */
+	if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) {
+		talloc_free(msg);
+		return 0;
+	}
+
+	if (ldb->redact.callback != NULL) {
+		ret = ldb->redact.callback(ldb->redact.module, ac->req, msg);
+		if (ret != LDB_SUCCESS) {
+			talloc_free(msg);
+			return ret;
+		}
+	}
+
 	/* see if it matches the given expression */
-	ret = ldb_match_msg_error(ldb, msg,
-				  ac->tree, ac->base, ac->scope, &matched);
+	ret = ldb_match_message(ldb, msg,
+				ac->tree, ac->scope, &matched);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(msg);
 		ac->error = LDB_ERR_OPERATIONS_ERROR;
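Review bot: on redact callback failure this path returns ret directly, but the ldb_match_message() failure just below records its error in ac->error. If the caller reads only ac->error, the callback's error code is lost; set ac->error before returning so that both paths report failure the same way.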
@@ -410,25 +426,31 @@
 		return 0;
 	}
 
-	filtered_msg = ldb_msg_new(ac);
-	if (filtered_msg == NULL) {
-		TALLOC_FREE(msg);
+	ret = ldb_msg_add_distinguished_name(msg);
+	if (ret == -1) {
+		talloc_free(msg);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	filtered_msg->dn = talloc_steal(filtered_msg, msg->dn);
-
 	/* filter the attributes that the user wants */
-	ret = ldb_kv_filter_attrs(ldb, msg, ac->attrs, filtered_msg);
-	talloc_free(msg);
+	ret = ldb_kv_filter_attrs_in_place(msg, ac->attrs);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(msg);
+		ac->error = LDB_ERR_OPERATIONS_ERROR;
+		return -1;
+	}
 
-	if (ret == -1) {
-		TALLOC_FREE(filtered_msg);
+	ldb_msg_shrink_to_fit(msg);
+
+	/* Ensure the message elements are all talloc'd. */
+	ret = ldb_msg_elements_take_ownership(msg);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(msg);
 		ac->error = LDB_ERR_OPERATIONS_ERROR;
 		return -1;
 	}
 
-	ret = ldb_module_send_entry(ac->req, filtered_msg, NULL);
+	ret = ldb_module_send_entry(ac->req, msg, NULL);
 	if (ret != LDB_SUCCESS) {
 		ac->request_terminated = true;
 		/* the callback failed, abort the operation */
@@ -491,7 +513,7 @@
 static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv,
 					 struct ldb_kv_context *ctx)
 {
-	struct ldb_message *msg, *filtered_msg;
+	struct ldb_message *msg;
 	struct ldb_context *ldb = ldb_module_get_ctx(ctx->module);
 	const char *dn_linearized;
 	const char *msg_dn_linearized;
@@ -526,6 +548,13 @@
 		return ret;
 	}
 
+	if (ldb->redact.callback != NULL) {
+		ret = ldb->redact.callback(ldb->redact.module, ctx->req, msg);
+		if (ret != LDB_SUCCESS) {
+			talloc_free(msg);
+			return ret;
+		}
+	}
 
 	/*
 	 * We use this, not ldb_match_msg_error() as we know
@@ -549,12 +578,6 @@
 	dn_linearized = ldb_dn_get_linearized(ctx->base);
 	msg_dn_linearized = ldb_dn_get_linearized(msg->dn);
 
-	filtered_msg = ldb_msg_new(ctx);
-	if (filtered_msg == NULL) {
-		talloc_free(msg);
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
-
 	if (strcmp(dn_linearized, msg_dn_linearized) == 0) {
 		/*
 		 * If the DN is exactly the same string, then
@@ -562,36 +585,42 @@
 		 * returned result, as it has already been
 		 * casefolded
 		 */
-		filtered_msg->dn = ldb_dn_copy(filtered_msg, ctx->base);
+		struct ldb_dn *dn = ldb_dn_copy(msg, ctx->base);
+		if (dn != NULL) {
+			msg->dn = dn;
+		}
 	}
 
-	/*
-	 * If the ldb_dn_copy() failed, or if we did not choose that
-	 * optimisation (filtered_msg is zeroed at allocation),
-	 * steal the one from the unpack
-	 */
-	if (filtered_msg->dn == NULL) {
-		filtered_msg->dn = talloc_steal(filtered_msg, msg->dn);
+	ret = ldb_msg_add_distinguished_name(msg);
+	if (ret == -1) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	/*
 	 * filter the attributes that the user wants.
 	 */
-	ret = ldb_kv_filter_attrs(ldb, msg, ctx->attrs, filtered_msg);
-	if (ret == -1) {
+	ret = ldb_kv_filter_attrs_in_place(msg, ctx->attrs);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ldb_msg_shrink_to_fit(msg);
+
+	/* Ensure the message elements are all talloc'd. */
+	ret = ldb_msg_elements_take_ownership(msg);
+	if (ret != LDB_SUCCESS) {
 		talloc_free(msg);
-		filtered_msg = NULL;
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	/*
-	 * Remove any extended components possibly copied in from
-	 * msg->dn, we just want the casefold components
+	 * Remove any extended components, we just want the casefold components
 	 */
-	ldb_dn_remove_extended_components(filtered_msg->dn);
-	talloc_free(msg);
+	ldb_dn_remove_extended_components(msg->dn);
 
-	ret = ldb_module_send_entry(ctx->req, filtered_msg, NULL);
+	ret = ldb_module_send_entry(ctx->req, msg, NULL);
 	if (ret != LDB_SUCCESS) {
 		/* Regardless of success or failure, the msg
 		 * is the callbacks responsiblity, and should
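Review bot: `msg->dn = dn;` overwrites the unpacked DN without freeing it, so the old DN stays allocated until its talloc parent is released. Free the previous msg->dn when ldb_dn_copy() succeeds, or note why it has to stay. The silent fallback to the unpacked DN when ldb_dn_copy() returns NULL also deserves a short comment now that the old explanatory comment has been removed.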
diff -Nru samba-4.17.6+dfsg/lib/ldb/tests/ldb_filter_attrs_in_place_test.c samba-4.17.7+dfsg/lib/ldb/tests/ldb_filter_attrs_in_place_test.c
--- samba-4.17.6+dfsg/lib/ldb/tests/ldb_filter_attrs_in_place_test.c	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/tests/ldb_filter_attrs_in_place_test.c	2023-03-20 12:03:44.667650500 +0300
@@ -0,0 +1,940 @@
+/*
+ * Tests exercising ldb_filter_attrs_in_place().
+ *
+ *
+ * Copyright (C) Catalyst.NET Ltd 2017
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2019
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../include/ldb.h"
+#include "../include/ldb_module.h"
+
+struct ldbtest_ctx {
+	struct tevent_context *ev;
+	struct ldb_context *ldb;
+};
+
+/*
+ * NOTE WELL:
+ *
+ * This test checks the current behaviour of the function, however
+ * this is not in a public ABI and many of the tested behaviours are
+ * not ideal.  If the behaviour is deliberatly improved, this test
+ * should be updated without worry to the new better behaviour.
+ *
+ * In particular the test is particularly to ensure the current
+ * behaviour is memory-safe.
+ */
+
+static int setup(void **state)
+{
+	struct ldbtest_ctx *test_ctx;
+
+	test_ctx = talloc_zero(NULL, struct ldbtest_ctx);
+	assert_non_null(test_ctx);
+
+	test_ctx->ev = tevent_context_init(test_ctx);
+	assert_non_null(test_ctx->ev);
+
+	test_ctx->ldb = ldb_init(test_ctx, test_ctx->ev);
+	assert_non_null(test_ctx->ldb);
+
+	*state = test_ctx;
+	return 0;
+}
+
+static int teardown(void **state)
+{
+	talloc_free(*state);
+	return 0;
+}
+
+static void msg_add_dn(struct ldb_message *msg)
+{
+	const char *dn_attr = "distinguishedName";
+	char *dn = NULL;
+	int ret;
+
+	assert_null(ldb_msg_find_element(msg, dn_attr));
+
+	assert_non_null(msg->dn);
+	dn = ldb_dn_alloc_linearized(msg, msg->dn);
+	assert_non_null(dn);
+
+	/*
+	 * The message's elements must be talloc allocated to call
+	 * ldb_msg_add_steal_string().
+	 */
+	msg->elements = talloc_memdup(msg,
+				      msg->elements,
+				      msg->num_elements * sizeof(msg->elements[0]));
+	assert_non_null(msg->elements);
+
+	ret = ldb_msg_add_steal_string(msg, dn_attr, dn);
+	assert_int_equal(ret, LDB_SUCCESS);
+}
+
+/*
+ * Test against a record with only one attribute, matching the one in
+ * the list
+ */
+static void test_filter_attrs_in_place_one_attr_matched(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"foo", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+
+	assert_non_null(msg->dn);
+	assert_int_equal(msg->num_elements, 1);
+	assert_string_equal(msg->elements[0].name, "foo");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value, strlen(value));
+}
+
+/*
+ * Test against a record with only one attribute, matching the one of
+ * the multiple attributes in the list
+ */
+static void test_filter_attrs_in_place_one_attr_matched_of_many(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"foo", "bar", "baz", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+
+	assert_non_null(msg->dn);
+	assert_int_equal(msg->num_elements, 1);
+	assert_string_equal(msg->elements[0].name, "foo");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value, strlen(value));
+}
+
+/*
+ * Test against a record with only one attribute, matching both
+ * attributes in the list
+ */
+static void test_filter_attrs_in_place_two_attr_matched_attrs(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	/* deliberatly the other order */
+	const char *attrs[] = {"bar", "foo", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	/* foo and bar are the other order to in attrs */
+	struct ldb_message_element elements[] = {
+		{
+			.name = "foo",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	assert_non_null(msg->dn);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "foo");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, only of which is in
+ * the list
+ */
+static void test_filter_attrs_in_place_two_attr_matched_one_attr(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "foo",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 1);
+
+	assert_non_null(msg->dn);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, both matching the one
+ * specified attribute in the list (a corrupt record)
+ */
+static void test_filter_attrs_in_place_two_dup_attr_matched_one_attr(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+
+	/* Both elements match the filter */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	assert_non_null(msg->dn);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, both matching the one
+ * specified attribute in the list (a corrupt record)
+ */
+static void test_filter_attrs_in_place_two_dup_attr_matched_dup(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", "bar", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+
+	/* This does not fail the pidgenhole test */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, both matching one of the
+ * specified attributes in the list (a corrupt record)
+ */
+static void test_filter_attrs_in_place_two_dup_attr_matched_one_of_two(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", "foo", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+
+	/* This does not fail the pidgenhole test */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes against * (but not the
+ * other named attribute) (a corrupt record)
+ */
+static void test_filter_attrs_in_place_two_dup_attr_matched_star(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", "foo", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+
+	/* This does not fail the pidgenhole test */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 3);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+
+	assert_non_null(msg->dn);
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(msg->dn));
+}
+
+/*
+ * Test against a record with only one attribute, matching the * in
+ * the list
+ */
+static void test_filter_attrs_in_place_one_attr_matched_star(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	assert_non_null(msg->dn);
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(msg->dn));
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"foo",
+							NULL),
+			    value);
+}
+
+/*
+ * Test against a record with two attributes, matching the * in
+ * the list
+ */
+static void test_filter_attrs_in_place_two_attr_matched_star(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+	struct ldb_message_element elements[] = {
+		{
+			.name = "foo",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 3);
+
+	assert_non_null(msg->dn);
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(msg->dn));
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"foo",
+							NULL),
+			    value1);
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"bar",
+							NULL),
+			    value2);
+}
+
+/*
+ * Test against a record with only one attribute, matching the * in
+ * the list, but without the DN being pre-filled.  Succeeds, but the
+ * distinguishedName is not added.
+ */
+static void test_filter_attrs_in_place_one_attr_matched_star_no_dn(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = NULL;
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_null(msg->dn);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 1);
+}
+
+/*
+ * Test against a record with only one attribute, matching the * in
+ * the list plus requsesting distinguishedName
+ */
+static void test_filter_attrs_in_place_one_attr_matched_star_dn(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", "distinguishedName", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	assert_non_null(msg->dn);
+
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(msg->dn));
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"foo",
+							NULL),
+			    value);
+}
+
+/*
+ * Test against a record with only one attribute, but returning
+ * distinguishedName from the list (only)
+ */
+static void test_filter_attrs_in_place_one_attr_matched_dn(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"distinguishedName", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 1);
+
+	assert_non_null(msg->dn);
+	assert_string_equal(msg->elements[0].name, "distinguishedName");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_string_equal(msg->elements[0].values[0].data,
+			    ldb_dn_get_linearized(msg->dn));
+}
+
+/*
+ * Test against a record with only one attribute, not matching the
+ * empty attribute list
+ */
+static void test_filter_attrs_in_place_one_attr_empty_list(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 0);
+	assert_non_null(msg->dn);
+}
+
+int main(int argc, const char **argv)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_of_many,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_attr_matched_attrs,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_attr_matched_one_attr,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_dup_attr_matched_one_attr,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_dup_attr_matched_dup,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_dup_attr_matched_one_of_two,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_dup_attr_matched_star,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_star,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_attr_matched_star,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_star_no_dn,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_star_dn,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_dn,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_empty_list,
+			setup,
+			teardown),
+	};
+
+	return cmocka_run_group_tests(tests, NULL, NULL);
+}
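Review bot: in test_filter_attrs_in_place_one_attr_matched_dn the check `assert_string_equal(msg->elements[0].values[0].data, ldb_dn_get_linearized(msg->dn))` treats the uint8_t value buffer as a C string and never looks at `.length`, so it only passes if the data happens to be NUL-terminated and it would not notice a wrong length. The other tests in this file compare `values[0].length` with assert_int_equal and the bytes with assert_memory_equal; doing the same here against strlen() of the linearized DN would keep the file consistent. Separately, the comment "This does not fail the pidgenhole test" is copied into three of the duplicate-attribute tests with "pigeonhole" misspelled and with no explanation of which check it refers to, and "requsesting" in the comment above test_filter_attrs_in_place_one_attr_matched_star_dn should read "requesting".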
diff -Nru samba-4.17.6+dfsg/lib/ldb/tests/ldb_filter_attrs_test.c samba-4.17.7+dfsg/lib/ldb/tests/ldb_filter_attrs_test.c
--- samba-4.17.6+dfsg/lib/ldb/tests/ldb_filter_attrs_test.c	2022-08-08 17:15:39.108190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/tests/ldb_filter_attrs_test.c	2023-03-20 12:03:44.559649700 +0300
@@ -36,6 +36,7 @@
 #include <stdarg.h>
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include <setjmp.h>
 #include <cmocka.h>
 
@@ -96,10 +97,10 @@
 
 	const char *attrs[] = {"foo", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
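Review bot: switching `.length` from `sizeof(value)` to `strlen(value)` shortens the stored value by one byte, because the terminating NUL of the array is no longer counted, and nothing in the hunk says that this is intended. A short comment next to `value_1` stating that the length deliberately excludes the terminator would stop a later cleanup from reverting it. The same applies to every later hunk in this file that repeats the substitution.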
@@ -130,9 +131,9 @@
 	assert_string_equal(filtered_msg->elements[0].name, "foo");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value));
+			 strlen(value));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value, sizeof(value));
+			    value, strlen(value));
 }
 
 /*
@@ -148,10 +149,10 @@
 
 	const char *attrs[] = {"foo", "bar", "baz", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -182,9 +183,9 @@
 	assert_string_equal(filtered_msg->elements[0].name, "foo");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value));
+			 strlen(value));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value, sizeof(value));
+			    value, strlen(value));
 }
 
 /*
@@ -201,15 +202,15 @@
 	/* deliberatly the other order */
 	const char *attrs[] = {"bar", "foo", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -251,15 +252,15 @@
 	assert_string_equal(filtered_msg->elements[0].name, "foo");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value1));
+			 strlen(value1));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value1, sizeof(value1));
+			    value1, strlen(value1));
 	assert_string_equal(filtered_msg->elements[1].name, "bar");
 	assert_int_equal(filtered_msg->elements[1].num_values, 1);
 	assert_int_equal(filtered_msg->elements[1].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[1].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 }
 
 /*
@@ -276,15 +277,15 @@
 	/* deliberatly the other order */
 	const char *attrs[] = {"bar", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -326,9 +327,9 @@
 	assert_string_equal(filtered_msg->elements[0].name, "bar");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 }
 
 /*
@@ -345,15 +346,15 @@
 	/* deliberatly the other order */
 	const char *attrs[] = {"bar", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -400,15 +401,15 @@
 
 	const char *attrs[] = {"bar", "bar", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -445,15 +446,15 @@
 	assert_string_equal(filtered_msg->elements[0].name, "bar");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value1));
+			 strlen(value1));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value1, sizeof(value1));
+			    value1, strlen(value1));
 	assert_string_equal(filtered_msg->elements[1].name, "bar");
 	assert_int_equal(filtered_msg->elements[1].num_values, 1);
 	assert_int_equal(filtered_msg->elements[1].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[1].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 }
 
 /*
@@ -469,15 +470,15 @@
 
 	const char *attrs[] = {"bar", "foo", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -514,15 +515,15 @@
 	assert_string_equal(filtered_msg->elements[0].name, "bar");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value1));
+			 strlen(value1));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value1, sizeof(value1));
+			    value1, strlen(value1));
 	assert_string_equal(filtered_msg->elements[1].name, "bar");
 	assert_int_equal(filtered_msg->elements[1].num_values, 1);
 	assert_int_equal(filtered_msg->elements[1].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[1].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 }
 
 /*
@@ -538,15 +539,15 @@
 
 	const char *attrs[] = {"*", "foo", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -586,15 +587,15 @@
 	assert_string_equal(filtered_msg->elements[0].name, "bar");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value1));
+			 strlen(value1));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value1, sizeof(value1));
+			    value1, strlen(value1));
 	assert_string_equal(filtered_msg->elements[1].name, "bar");
 	assert_int_equal(filtered_msg->elements[1].num_values, 1);
 	assert_int_equal(filtered_msg->elements[1].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[1].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 	/*
 	 * assert the ldb_filter_attrs does not modify filtered_msg.dn
 	 * in this case
@@ -619,10 +620,10 @@
 
 	const char *attrs[] = {"*", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -676,15 +677,15 @@
 
 	const char *attrs[] = {"*", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 	struct ldb_message_element elements[] = {
 		{
@@ -750,10 +751,10 @@
 
 	const char *attrs[] = {"*", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -789,10 +790,10 @@
 
 	const char *attrs[] = {"*", "distinguishedName", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -844,10 +845,10 @@
 
 	const char *attrs[] = {"distinguishedName", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -894,10 +895,10 @@
 
 	const char *attrs[] = {NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
diff -Nru samba-4.17.6+dfsg/lib/ldb/wscript samba-4.17.7+dfsg/lib/ldb/wscript
--- samba-4.17.6+dfsg/lib/ldb/wscript	2022-08-08 17:15:39.116190200 +0300
+++ samba-4.17.7+dfsg/lib/ldb/wscript	2023-03-20 12:03:45.323654400 +0300
@@ -2,7 +2,7 @@
 
 APPNAME = 'ldb'
 # For Samba 4.17.x
-VERSION = '2.6.1'
+VERSION = '2.6.2'
 
 import sys, os
 
@@ -518,6 +518,11 @@
                          deps='cmocka ldb ldb_tdb_err_map',
                          install=False)
 
+        bld.SAMBA_BINARY('ldb_filter_attrs_in_place_test',
+                         source='tests/ldb_filter_attrs_in_place_test.c',
+                         deps='cmocka ldb ldb_tdb_err_map',
+                         install=False)
+
         bld.SAMBA_BINARY('ldb_key_value_sub_txn_tdb_test',
                          bld.SUBDIR('ldb_key_value',
                              '''ldb_kv_search.c
@@ -627,7 +632,6 @@
                  'ldb_msg_test',
                  'ldb_tdb_mod_op_test',
                  'ldb_tdb_guid_mod_op_test',
-                 'ldb_msg_test',
                  'ldb_tdb_kv_ops_test',
                  'ldb_tdb_test',
                  'ldb_match_test',
@@ -637,7 +641,10 @@
                  # on operations which the TDB backend does not currently
                  # support
                  # 'ldb_key_value_sub_txn_tdb_test'
-                 'ldb_parse_test']
+                 'ldb_parse_test',
+                 'ldb_filter_attrs_test',
+                 'ldb_filter_attrs_in_place_test',
+                 ]
 
     # if LIB_LDAP and LIB_LBER defined, then we can test ldb_ldap backend
     # behavior regression for bz#14413
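Review bot: the list now gains 'ldb_filter_attrs_test' as well as the new 'ldb_filter_attrs_in_place_test', although only the latter gets a new bld.SAMBA_BINARY entry in this diff, which suggests the former was already built but not part of this run list. That is worth a line in the commit message or changelog, since a test that starts running for the first time can surface failures unrelated to the in-place change.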
diff -Nru samba-4.17.6+dfsg/lib/ldb-samba/ldb_matching_rules.c samba-4.17.7+dfsg/lib/ldb-samba/ldb_matching_rules.c
--- samba-4.17.6+dfsg/lib/ldb-samba/ldb_matching_rules.c	2022-08-08 17:15:39.064189700 +0300
+++ samba-4.17.7+dfsg/lib/ldb-samba/ldb_matching_rules.c	2023-03-20 12:03:45.303654200 +0300
@@ -67,7 +67,12 @@
 	 * Note also that we don't have the original request
 	 * here, so we can not apply controls or timeouts here.
 	 */
-	ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0);
+	ret = dsdb_search_dn(ldb,
+			     tmp_ctx,
+			     &res,
+			     to_visit->dn,
+			     attrs,
+			     DSDB_MARK_REQ_UNTRUSTED);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(tmp_ctx);
 		return ret;
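Review bot: the comment above the dsdb_search_dn() call still only explains that controls and timeouts cannot be applied; it says nothing about why the search is now flagged DSDB_MARK_REQ_UNTRUSTED in place of 0. Since the flag is the whole point of this hunk, extend that comment with one sentence on what marking the request untrusted is meant to enforce here, so the argument is not later reset to 0 as a simplification.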
@@ -370,6 +375,11 @@
 		return LDB_SUCCESS;
 	}
 
+	if (ldb_msg_element_is_inaccessible(el)) {
+		*matched = false;
+		return LDB_SUCCESS;
+	}
+
 	session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"),
 				       struct auth_session_info);
 	if (session_info == NULL) {
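Review bot: the new `if (ldb_msg_element_is_inaccessible(el))` early return carries no comment, and the identical five lines are added again in the next hunk. Please state in a comment that an inaccessible element is deliberately reported as a non-match with LDB_SUCCESS, so a later reader does not turn it into an error return, and consider a small shared helper so the two matching functions cannot drift apart.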
@@ -489,6 +499,11 @@
 		return LDB_SUCCESS;
 	}
 
+	if (ldb_msg_element_is_inaccessible(el)) {
+		*matched = false;
+		return LDB_SUCCESS;
+	}
+
 	session_info
 		= talloc_get_type(ldb_get_opaque(ldb, DSDB_SESSION_INFO),
 				  struct auth_session_info);
diff -Nru samba-4.17.6+dfsg/lib/ldb-samba/tests/match_rules.py samba-4.17.7+dfsg/lib/ldb-samba/tests/match_rules.py
--- samba-4.17.6+dfsg/lib/ldb-samba/tests/match_rules.py	2022-08-08 17:15:39.064189700 +0300
+++ samba-4.17.7+dfsg/lib/ldb-samba/tests/match_rules.py	2023-03-20 12:03:45.287654200 +0300
@@ -20,22 +20,35 @@
 # Windows appear to preserve casing of the RDN and uppercase the other keys.
 
 
-class MatchRulesTests(samba.tests.TestCase):
+class MatchRulesTestsBase(samba.tests.TestCase):
     def setUp(self):
-        super(MatchRulesTests, self).setUp()
-        self.lp = lp
-        self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
+        super().setUp()
+        self.lp = self.sambaopts.get_loadparm()
+        self.creds = self.credopts.get_credentials(self.lp)
+
+        self.ldb = SamDB(self.host, credentials=self.creds,
+                         session_info=system_session(self.lp),
+                         lp=self.lp)
         self.base_dn = self.ldb.domain_dn()
-        self.ou = "OU=matchrulestest,%s" % self.base_dn
+        self.ou_rdn = "OU=matchrulestest"
+        self.ou = self.ou_rdn + "," + self.base_dn
         self.ou_users = "OU=users,%s" % self.ou
         self.ou_groups = "OU=groups,%s" % self.ou
         self.ou_computers = "OU=computers,%s" % self.ou
 
+        try:
+            self.ldb.delete(self.ou, ["tree_delete:1"])
+        except LdbError as e:
+            pass
+
         # Add a organizational unit to create objects
         self.ldb.add({
             "dn": self.ou,
             "objectclass": "organizationalUnit"})
 
+        self.addCleanup(self.ldb.delete, self.ou, controls=['tree_delete:0'])
+
+
         # Add the following OU hierarchy and set otherWellKnownObjects,
         # which has BinaryDN syntax:
         #
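Review bot: the pre-cleanup added to setUp, `except LdbError as e: pass`, swallows every LdbError and leaves `e` unused, so a delete that fails for a reason other than the OU not existing is silently ignored and the following add then fails with a less useful error. Check the error code and re-raise anything that is not the "no such object" case. The same block passes the control positionally as ["tree_delete:1"] while the addCleanup call a few lines below uses controls=['tree_delete:0']; use one calling form and one criticality value, or say why they differ. The two consecutive blank lines after addCleanup can be reduced to one.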
@@ -204,6 +217,39 @@
                                      FLAG_MOD_ADD, "member")
         self.ldb.modify(m)
 
+        # Add a couple of ms-Exch-Configuration-Container to test forward-link
+        # attributes without backward link (addressBookRoots2)
+        # e1
+        # |--> e2
+        # |    |--> c1
+        self.ldb.add({
+            "dn": "cn=e1,%s" % self.ou,
+            "objectclass": "msExchConfigurationContainer"})
+        self.ldb.add({
+            "dn": "cn=e2,%s" % self.ou,
+            "objectclass": "msExchConfigurationContainer"})
+
+        m = Message()
+        m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
+        m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
+                                 FLAG_MOD_ADD, "addressBookRoots2")
+        self.ldb.modify(m)
+
+        m = Message()
+        m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
+        m["e1"] = MessageElement("cn=e2,%s" % self.ou,
+                                 FLAG_MOD_ADD, "addressBookRoots2")
+        self.ldb.modify(m)
+
+
+
+class MatchRulesTests(MatchRulesTestsBase):
+    def setUp(self):
+        self.sambaopts = sambaopts
+        self.credopts = credopts
+        self.host = host
+        super().setUp()
+
         # The msDS-RevealedUsers is owned by system and cannot be modified
         # directly. Set the schemaUpgradeInProgress flag as workaround
         # and create this hierarchy:
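Review bot: MatchRulesTests.setUp copies `sambaopts`, `credopts` and `host` from module-level names, and after the last hunk of this file those names are only assigned under `if __name__ == "__main__":`. Importing this module to reuse MatchRulesTestsBase therefore works only if the subclass sets self.sambaopts, self.credopts and self.host before calling super().setUp(), and nothing documents that contract. Add a docstring or comment on MatchRulesTestsBase listing the attributes a subclass must provide.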
@@ -243,33 +289,6 @@
         m["e1"] = MessageElement("0", FLAG_MOD_REPLACE, "schemaUpgradeInProgress")
         self.ldb.modify(m)
 
-        # Add a couple of ms-Exch-Configuration-Container to test forward-link
-        # attributes without backward link (addressBookRoots2)
-        # e1
-        # |--> e2
-        # |    |--> c1
-        self.ldb.add({
-            "dn": "cn=e1,%s" % self.ou,
-            "objectclass": "msExchConfigurationContainer"})
-        self.ldb.add({
-            "dn": "cn=e2,%s" % self.ou,
-            "objectclass": "msExchConfigurationContainer"})
-
-        m = Message()
-        m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
-        m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
-                                 FLAG_MOD_ADD, "addressBookRoots2")
-        self.ldb.modify(m)
-
-        m = Message()
-        m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
-        m["e1"] = MessageElement("cn=e2,%s" % self.ou,
-                                 FLAG_MOD_ADD, "addressBookRoots2")
-        self.ldb.modify(m)
-
-    def tearDown(self):
-        super(MatchRulesTests, self).tearDown()
-        self.ldb.delete(self.ou, controls=['tree_delete:0'])
 
     def test_u1_member_of_g4(self):
         # Search without transitive match must return 0 results
@@ -945,8 +964,12 @@
 class MatchRuleConditionTests(samba.tests.TestCase):
     def setUp(self):
         super(MatchRuleConditionTests, self).setUp()
-        self.lp = lp
-        self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
+        self.lp = sambaopts.get_loadparm()
+        self.creds = credopts.get_credentials(self.lp)
+
+        self.ldb = SamDB(host, credentials=self.creds,
+                         session_info=system_session(self.lp),
+                         lp=self.lp)
         self.base_dn = self.ldb.domain_dn()
         self.ou = "OU=matchruleconditiontests,%s" % self.base_dn
         self.ou_users = "OU=users,%s" % self.ou
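Review bot: MatchRuleConditionTests.setUp() reads sambaopts, credopts and host as bare module globals, but later in this same diff those names are assigned only inside the new if __name__ == "__main__": block. The class therefore works only when match_rules.py is run as a script; if the module is imported (as match_rules_remote.py does for MatchRulesTestsBase) and this class is run, setUp() fails with NameError. Either give this class the same self.sambaopts / self.credopts / self.host attributes the other test classes set, or add a comment that the module-level names are required.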
@@ -1745,32 +1768,30 @@
                                     self.ou_groups, self.ou_computers))
         self.assertEqual(len(res1), 0)
 
+if __name__ == "__main__":
 
-parser = optparse.OptionParser("match_rules.py [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-subunitopts = SubunitOptions(parser)
-parser.add_option_group(subunitopts)
-
-if len(args) < 1:
-    parser.print_usage()
-    sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-if "://" not in host:
-    if os.path.isfile(host):
-        host = "tdb://%s" % host
-    else:
-        host = "ldap://%s"; % host
+    parser = optparse.OptionParser("match_rules.py [options] <host>")
+    sambaopts = options.SambaOptions(parser)
+    parser.add_option_group(sambaopts)
+    parser.add_option_group(options.VersionOptions(parser))
+
+    # use command line creds if available
+    credopts = options.CredentialsOptions(parser)
+    parser.add_option_group(credopts)
+    opts, args = parser.parse_args()
+    subunitopts = SubunitOptions(parser)
+    parser.add_option_group(subunitopts)
+
+    if len(args) < 1:
+        parser.print_usage()
+        sys.exit(1)
+
+    host = args[0]
+
+    if "://" not in host:
+        if os.path.isfile(host):
+            host = "tdb://%s" % host
+        else:
+            host = "ldap://%s"; % host
 
-TestProgram(module=__name__, opts=subunitopts)
+    TestProgram(module=__name__, opts=subunitopts)
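Review bot: in the re-indented block, SubunitOptions(parser) is still constructed and added to the parser after "opts, args = parser.parse_args()" has already run, so the options in that group are not registered when the command line is parsed. The lines are being touched anyway; move the two subunitopts lines above parse_args(). The same ordering is copied into the new match_rules_remote.py.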
diff -Nru samba-4.17.6+dfsg/lib/ldb-samba/tests/match_rules_remote.py samba-4.17.7+dfsg/lib/ldb-samba/tests/match_rules_remote.py
--- samba-4.17.6+dfsg/lib/ldb-samba/tests/match_rules_remote.py	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/lib/ldb-samba/tests/match_rules_remote.py	2023-03-20 12:03:45.287654200 +0300
@@ -0,0 +1,104 @@
+#!/usr/bin/env python3
+
+import optparse
+import sys
+import os
+import samba
+import samba.getopt as options
+
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba import sd_utils
+from samba.ndr import ndr_unpack
+from ldb import Message, MessageElement, Dn, LdbError
+from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
+from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
+
+from match_rules import MatchRulesTestsBase
+
+
+class MatchRulesTestsUser(MatchRulesTestsBase):
+    def setUp(self):
+        self.sambaopts = sambaopts
+        self.credopts = credopts
+        self.host = host
+        super().setUp()
+        self.sd_utils = sd_utils.SDUtils(self.ldb)
+
+        self.user_pass = "samba123@"
+        self.match_test_user = "matchtestuser"
+        self.ldb.newuser(self.match_test_user,
+                         self.user_pass,
+                         userou=self.ou_rdn)
+        user_creds = self.insta_creds(template=self.creds,
+                                      username=self.match_test_user,
+                                      userpass=self.user_pass)
+        self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp)
+        token_res = self.user_ldb.search(scope=SCOPE_BASE,
+                                         base="",
+                                         attrs=["tokenGroups"])
+        self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
+                                   token_res[0]["tokenGroups"][0])
+
+        self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2"
+
+    def test_with_denied_link(self):
+
+        # add an ACE that denies the user Read Property (RP) access to
+        # the member attr (which is similar to making the attribute
+        # confidential)
+        ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid,
+                                         self.user_sid)
+        g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups)
+
+        # add the ACE that denies access to the attr under test
+        self.sd_utils.dacl_add_ace(g2_dn, ace)
+
+        # Search without transitive match must return 0 results
+        res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+                               scope=SCOPE_BASE,
+                               expression="member=cn=u1,%s" % self.ou_users)
+        self.assertEqual(len(res1), 0)
+
+        # Search with transitive match must return 1 results
+        res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+                               scope=SCOPE_BASE,
+                               expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+        self.assertEqual(len(res1), 1)
+        self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" % self.ou_groups).lower())
+
+        # Search as a user match must return 0 results as the intermediate link can't be seen
+        res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups,
+                                    scope=SCOPE_BASE,
+                                    expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+        self.assertEqual(len(res1), 0)
+
+
+
+parser = optparse.OptionParser("match_rules_remote.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+if len(args) < 1:
+    parser.print_usage()
+    sys.exit(1)
+
+host = args[0]
+
+if "://" not in host:
+    if os.path.isfile(host):
+        host = "tdb://%s" % host
+    else:
+        host = "ldap://%s"; % host
+
+TestProgram(module=__name__, opts=subunitopts)
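Review bot: setUp() uses samba.dcerpc.security.dom_sid, but the file imports only "samba" and never the samba.dcerpc.security submodule, so the attribute lookup depends on some other import having loaded it. Add "from samba.dcerpc import security" and use security.dom_sid. Two smaller points: option parsing runs at import time here, while the match_rules.py change in this same diff moves the identical code under if __name__ == "__main__":, and Message, MessageElement, LdbError, the FLAG_MOD_* constants, SCOPE_SUBTREE and SCOPE_ONELEVEL are imported but not used anywhere in the file.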
diff -Nru samba-4.17.6+dfsg/lib/param/loadparm.c samba-4.17.7+dfsg/lib/param/loadparm.c
--- samba-4.17.6+dfsg/lib/param/loadparm.c	2022-12-15 19:09:31.709236100 +0300
+++ samba-4.17.7+dfsg/lib/param/loadparm.c	2023-03-20 12:05:01.312120400 +0300
@@ -2992,7 +2992,7 @@
 
 	lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10");
 
-	lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+	lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal");
 
 	lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios");
 
diff -Nru samba-4.17.6+dfsg/libcli/security/access_check.c samba-4.17.7+dfsg/libcli/security/access_check.c
--- samba-4.17.6+dfsg/libcli/security/access_check.c	2022-08-08 17:15:39.184190800 +0300
+++ samba-4.17.7+dfsg/libcli/security/access_check.c	2023-03-20 12:03:44.471649200 +0300
@@ -394,7 +394,7 @@
 	return NT_STATUS_OK;
 }
 
-static const struct GUID *get_ace_object_type(struct security_ace *ace)
+static const struct GUID *get_ace_object_type(const struct security_ace *ace)
 {
 	if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 		return &ace->object.object.type.type;
@@ -412,7 +412,7 @@
  *                            rights to the object/attribute
  * @returns NT_STATUS_OK, unless access was denied
  */
-static NTSTATUS check_object_specific_access(struct security_ace *ace,
+static NTSTATUS check_object_specific_access(const struct security_ace *ace,
 					     struct object_tree *tree,
 					     bool *grant_access)
 {
@@ -505,7 +505,7 @@
 			     uint32_t access_desired,
 			     uint32_t *access_granted,
 			     struct object_tree *tree,
-			     struct dom_sid *replace_sid)
+			     const struct dom_sid *replace_sid)
 {
 	uint32_t i;
 	uint32_t bits_remaining;
@@ -556,8 +556,8 @@
 
 	/* check each ace in turn. */
 	for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
-		struct dom_sid *trustee;
-		struct security_ace *ace = &sd->dacl->aces[i];
+		const struct dom_sid *trustee;
+		const struct security_ace *ace = &sd->dacl->aces[i];
 		NTSTATUS status;
 		bool grant_access = false;
 
diff -Nru samba-4.17.6+dfsg/libcli/security/access_check.h samba-4.17.7+dfsg/libcli/security/access_check.h
--- samba-4.17.6+dfsg/libcli/security/access_check.h	2022-08-08 17:15:39.184190800 +0300
+++ samba-4.17.7+dfsg/libcli/security/access_check.h	2023-03-20 12:03:44.471649200 +0300
@@ -74,7 +74,7 @@
 			     uint32_t access_desired,
 			     uint32_t *access_granted,
 			     struct object_tree *tree,
-			     struct dom_sid *replace_sid);
+			     const struct dom_sid *replace_sid);
 
 bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
 			   const struct GUID *guid,
diff -Nru samba-4.17.6+dfsg/libds/common/flags.h samba-4.17.7+dfsg/libds/common/flags.h
--- samba-4.17.6+dfsg/libds/common/flags.h	2022-08-08 17:15:39.204190700 +0300
+++ samba-4.17.7+dfsg/libds/common/flags.h	2023-03-20 12:04:29.063923100 +0300
@@ -258,6 +258,8 @@
 #define DS_HR_KVNOEMUW2K                          0x00000011
 
 #define DS_HR_TWENTIETH_CHAR                      0x00000014
+#define DS_HR_ATTR_AUTHZ_ON_LDAP_ADD              0x0000001C
+#define DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS         0x0000001D
 #define DS_HR_THIRTIETH_CHAR                      0x0000001E
 #define DS_HR_FOURTIETH_CHAR                      0x00000028
 #define DS_HR_FIFTIETH_CHAR                       0x00000032
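Review bot: DS_HR_ATTR_AUTHZ_ON_LDAP_ADD (0x1C) and DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS (0x1D) are added with no comment saying what each dsHeuristics position controls. These are security-relevant switches sitting between two placeholder defines; a one-line comment per define, or the MS-ADTS reference that the pydsdb.c hunk uses, would make the header self-explanatory.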
diff -Nru samba-4.17.6+dfsg/python/samba/tests/auth_log.py samba-4.17.7+dfsg/python/samba/tests/auth_log.py
--- samba-4.17.6+dfsg/python/samba/tests/auth_log.py	2022-08-08 17:15:39.272191300 +0300
+++ samba-4.17.7+dfsg/python/samba/tests/auth_log.py	2023-03-20 12:05:01.312120400 +0300
@@ -470,7 +470,7 @@
         def isLastExpectedMessage(msg):
             return (msg["type"] == "Authorization" and
                     msg["Authorization"]["serviceDescription"] == "LDAP" and
-                    msg["Authorization"]["transportProtection"] == "SIGN" and
+                    msg["Authorization"]["transportProtection"] == "SEAL" and
                     msg["Authorization"]["authType"] == "krb5")
 
         self.samdb = SamDB(url="ldap://%s"; % os.environ["SERVER"],
diff -Nru samba-4.17.6+dfsg/source3/param/loadparm.c samba-4.17.7+dfsg/source3/param/loadparm.c
--- samba-4.17.6+dfsg/source3/param/loadparm.c	2023-01-26 20:45:01.653668600 +0300
+++ samba-4.17.7+dfsg/source3/param/loadparm.c	2023-03-20 12:05:01.312120400 +0300
@@ -756,7 +756,7 @@
 	Globals.ldap_debug_level = 0;
 	Globals.ldap_debug_threshold = 10;
 
-	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL;
 
 	Globals.ldap_server_require_strong_auth =
 		LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
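Review bot: the built-in default for client ldap sasl wrapping changes from ADS_AUTH_SASL_SIGN to ADS_AUTH_SASL_SEAL here, and to the string "seal" in lib/param/loadparm.c, but no documentation change for the parameter is visible in this part of the diff. The documented default should change in the same commit, and since the value is set in two places in two different forms, a comment at each site pointing at the other would keep them from drifting.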
diff -Nru samba-4.17.6+dfsg/source4/dsdb/common/util.c samba-4.17.7+dfsg/source4/dsdb/common/util.c
--- samba-4.17.6+dfsg/source4/dsdb/common/util.c	2023-03-09 12:18:38.361810200 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/common/util.c	2023-03-20 12:03:45.247654000 +0300
@@ -366,6 +366,26 @@
 }
 
 /*
+  pull a dom_sid structure from a objectSid in a result set.
+*/
+int samdb_result_dom_sid_buf(const struct ldb_message *msg,
+			     const char *attr,
+			     struct dom_sid *sid)
+{
+	ssize_t ret;
+	const struct ldb_val *v = NULL;
+	v = ldb_msg_find_ldb_val(msg, attr);
+	if (v == NULL) {
+		return LDB_ERR_NO_SUCH_ATTRIBUTE;
+	}
+	ret = sid_parse(v->data, v->length, sid);
+	if (ret == -1) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	return LDB_SUCCESS;
+}
+
+/*
   pull a guid structure from a objectGUID in a result set.
 */
 struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr)
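Review bot: the comment on samdb_result_dom_sid_buf() does not say that the function returns an LDB error code (LDB_ERR_NO_SUCH_ATTRIBUTE when the attribute is missing, LDB_ERR_OPERATIONS_ERROR when sid_parse() fails), nor what *sid holds on failure. Callers will use the result for access decisions, so please document that *sid must not be used unless LDB_SUCCESS is returned. The comment also hard-codes "objectSid" although the attribute name is a parameter.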
@@ -4858,6 +4878,10 @@
 		}
 	}
 
+	if (dsdb_flags & DSDB_MARK_REQ_UNTRUSTED) {
+		ldb_req_mark_untrusted(req);
+	}
+
 	return LDB_SUCCESS;
 }
 
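Review bot: marking the request untrusted is opt-in through DSDB_MARK_REQ_UNTRUSTED, so a caller that forgets the flag gets a request that is not marked. Neither this hunk nor the define in util.h carries a comment saying which callers are expected to set it. Please document the flag at its definition so that new internal search paths acting on behalf of a user know to pass it.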
diff -Nru samba-4.17.6+dfsg/source4/dsdb/common/util.h samba-4.17.7+dfsg/source4/dsdb/common/util.h
--- samba-4.17.6+dfsg/source4/dsdb/common/util.h	2022-08-08 17:15:39.544193300 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/common/util.h	2023-03-20 12:03:45.247654000 +0300
@@ -43,6 +43,7 @@
 #define DSDB_MODIFY_PARTIAL_REPLICA	      0x04000
 #define DSDB_PASSWORD_BYPASS_LAST_SET         0x08000
 #define DSDB_REPLMD_VANISH_LINKS              0x10000
+#define DSDB_MARK_REQ_UNTRUSTED               0x20000
 
 bool is_attr_in_list(const char * const * attrs, const char *attr);
 
diff -Nru samba-4.17.6+dfsg/source4/dsdb/pydsdb.c samba-4.17.7+dfsg/source4/dsdb/pydsdb.c
--- samba-4.17.6+dfsg/source4/dsdb/pydsdb.c	2022-12-15 19:09:31.749236600 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/pydsdb.c	2023-03-20 12:04:29.087923300 +0300
@@ -1665,6 +1665,36 @@
 	ADD_DSDB_FLAG(DS_NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE);
 	ADD_DSDB_FLAG(DS_NTDSDSA_OPT_DISABLE_SPN_REGISTRATION);
 
+	/* dsHeuristics character indexes (see MS-ADTS 7.1.1.2.4.1.2) */
+	ADD_DSDB_FLAG(DS_HR_SUPFIRSTLASTANR);
+	ADD_DSDB_FLAG(DS_HR_SUPLASTFIRSTANR);
+	ADD_DSDB_FLAG(DS_HR_DOLISTOBJECT);
+	ADD_DSDB_FLAG(DS_HR_DONICKRES);
+	ADD_DSDB_FLAG(DS_HR_LDAP_USEPERMMOD);
+	ADD_DSDB_FLAG(DS_HR_HIDEDSID);
+	ADD_DSDB_FLAG(DS_HR_BLOCK_ANONYMOUS_OPS);
+	ADD_DSDB_FLAG(DS_HR_ALLOW_ANON_NSPI);
+	ADD_DSDB_FLAG(DS_HR_USER_PASSWORD_SUPPORT);
+	ADD_DSDB_FLAG(DS_HR_TENTH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_SPECIFY_GUID_ON_ADD);
+	ADD_DSDB_FLAG(DS_HR_NO_STANDARD_SD);
+	ADD_DSDB_FLAG(DS_HR_ALLOW_NONSECURE_PWD_OPS);
+	ADD_DSDB_FLAG(DS_HR_NO_PROPAGATE_ON_NOCHANGE);
+	ADD_DSDB_FLAG(DS_HR_COMPUTE_ANR_STATS);
+	ADD_DSDB_FLAG(DS_HR_ADMINSDEXMASK);
+	ADD_DSDB_FLAG(DS_HR_KVNOEMUW2K);
+
+	ADD_DSDB_FLAG(DS_HR_TWENTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_ATTR_AUTHZ_ON_LDAP_ADD);
+	ADD_DSDB_FLAG(DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS);
+	ADD_DSDB_FLAG(DS_HR_THIRTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_FOURTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_FIFTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_SIXTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_SEVENTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_EIGHTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_NINETIETH_CHAR);
+
 	ADD_DSDB_FLAG(NTDSCONN_KCC_GC_TOPOLOGY);
 	ADD_DSDB_FLAG(NTDSCONN_KCC_RING_TOPOLOGY);
 	ADD_DSDB_FLAG(NTDSCONN_KCC_MINIMIZE_HOPS_TOPOLOGY);
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2022-08-08 17:29:11.377506700 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2023-03-20 12:04:29.127923500 +0300
@@ -46,11 +46,6 @@
 #undef strcasecmp
 #undef strncasecmp
 
-struct extended_access_check_attribute {
-	const char *oa_name;
-	const uint32_t requires_rights;
-};
-
 struct acl_private {
 	bool acl_search;
 	const char **password_attrs;
@@ -58,7 +53,6 @@
 	uint64_t cached_schema_metadata_usn;
 	uint64_t cached_schema_loaded_usn;
 	const char **confidential_attrs;
-	bool userPassword_support;
 };
 
 struct acl_context {
@@ -66,15 +60,12 @@
 	struct ldb_request *req;
 	bool am_system;
 	bool am_administrator;
-	bool modify_search;
 	bool constructed_attrs;
 	bool allowedAttributes;
 	bool allowedAttributesEffective;
 	bool allowedChildClasses;
 	bool allowedChildClassesEffective;
 	bool sDRightsEffective;
-	bool userPassword;
-	const char * const *attrs;
 	struct dsdb_schema *schema;
 };
 
@@ -83,25 +74,9 @@
 	struct ldb_context *ldb;
 	struct acl_private *data;
 	int ret;
-	unsigned int i, n, j;
-	TALLOC_CTX *mem_ctx;
-	static const char * const attrs[] = { "passwordAttribute", NULL };
-	static const char * const secret_attrs[] = {
-		DSDB_SECRET_ATTRIBUTES
-	};
-	struct ldb_result *res;
-	struct ldb_message *msg;
-	struct ldb_message_element *password_attributes;
 
 	ldb = ldb_module_get_ctx(module);
 
-	ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
-	if (ret != LDB_SUCCESS) {
-		ldb_debug(ldb, LDB_DEBUG_ERROR,
-			  "acl_module_init: Unable to register control with rootdse!\n");
-		return ldb_operr(ldb);
-	}
-
 	data = talloc_zero(module, struct acl_private);
 	if (data == NULL) {
 		return ldb_oom(ldb);
@@ -111,91 +86,14 @@
 					NULL, "acl", "search", true);
 	ldb_module_set_private(module, data);
 
-	mem_ctx = talloc_new(module);
-	if (!mem_ctx) {
-		return ldb_oom(ldb);
-	}
-
-	ret = dsdb_module_search_dn(module, mem_ctx, &res,
-				    ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
-				    attrs,
-				    DSDB_FLAG_NEXT_MODULE |
-				    DSDB_FLAG_AS_SYSTEM,
-				    NULL);
-	if (ret != LDB_SUCCESS) {
-		goto done;
-	}
-	if (res->count == 0) {
-		goto done;
-	}
-
-	if (res->count > 1) {
-		talloc_free(mem_ctx);
-		return LDB_ERR_CONSTRAINT_VIOLATION;
-	}
-
-	msg = res->msgs[0];
-
-	password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
-	if (!password_attributes) {
-		goto done;
-	}
-	data->password_attrs = talloc_array(data, const char *,
-			password_attributes->num_values +
-			ARRAY_SIZE(secret_attrs) + 1);
-	if (!data->password_attrs) {
-		talloc_free(mem_ctx);
-		return ldb_oom(ldb);
-	}
-
-	n = 0;
-	for (i=0; i < password_attributes->num_values; i++) {
-		data->password_attrs[n] = (const char *)password_attributes->values[i].data;
-		talloc_steal(data->password_attrs, password_attributes->values[i].data);
-		n++;
-	}
-
-	for (i=0; i < ARRAY_SIZE(secret_attrs); i++) {
-		bool found = false;
-
-		for (j=0; j < n; j++) {
-			if (strcasecmp(data->password_attrs[j], secret_attrs[i]) == 0) {
-				found = true;
-				break;
-			}
-		}
-
-		if (found) {
-			continue;
-		}
-
-		data->password_attrs[n] = talloc_strdup(data->password_attrs,
-							secret_attrs[i]);
-		if (data->password_attrs[n] == NULL) {
-			talloc_free(mem_ctx);
-			return ldb_oom(ldb);
-		}
-		n++;
-	}
-	data->password_attrs[n] = NULL;
-
-done:
-	talloc_free(mem_ctx);
-	ret = ldb_next_init(module);
-
+	ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
 	if (ret != LDB_SUCCESS) {
-		return ret;
+		ldb_debug(ldb, LDB_DEBUG_ERROR,
+			  "acl_module_init: Unable to register control with rootdse!\n");
+		return ldb_operr(ldb);
 	}
 
-	/*
-	 * Check this after the modules have be initialised so we
-	 * can actually read the backend DB.
-	 */
-	data->userPassword_support
-		= dsdb_user_password_support(module,
-					     module,
-					     NULL);
-	return ret;
+	return ldb_next_init(module);
 }
 
 static int acl_allowedAttributes(struct ldb_module *module,
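Review bot: acl_module_init() no longer fills data->password_attrs, yet the password_attrs member is still present in struct acl_private (it appears as unchanged context in the first acl.c hunk, while userPassword_support is removed). With talloc_zero() the pointer now stays NULL for the life of the module. Remove the member if nothing else reads it, or add a comment saying who owns it now.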
@@ -900,11 +798,6 @@
 		NULL
 	};
 
-	if (el->num_values == 0) {
-		return LDB_SUCCESS;
-	}
-	dnsHostName = &el->values[0];
-
 	tmp_ctx = talloc_new(mem_ctx);
 	if (tmp_ctx == NULL) {
 		return ldb_oom(ldb);
@@ -1050,6 +943,13 @@
 		--account_name_len;
 	}
 
+	/* Check for add or replace requests with no value. */
+	if (el->num_values == 0) {
+		talloc_free(tmp_ctx);
+		return ldb_operr(ldb);
+	}
+	dnsHostName = &el->values[0];
+
 	dnsHostName_str = (const char *)dnsHostName->data;
 	dns_host_name_len = dnsHostName->length;
 
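Review bot: the empty-value case used to return LDB_SUCCESS at the top of the function and now returns ldb_operr() after the earlier checks have run. Per the new comment this path is reached by add or replace requests with no value, that is, by client input, so an error code that describes the bad request would be easier to diagnose than a generic operations error. A sentence in the comment on why the check had to move below the earlier code would also help.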
@@ -2522,29 +2422,11 @@
 						     ares->controls);
 		}
 
-		if (data->password_attrs != NULL) {
-			for (i = 0; data->password_attrs[i]; i++) {
-				if ((!ac->userPassword) &&
-				    (ldb_attr_cmp(data->password_attrs[i],
-						  "userPassword") == 0))
-				{
-						continue;
-				}
-
-				ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
-			}
-		}
-
 		if (ac->am_administrator) {
 			return ldb_module_send_entry(ac->req, ares->message,
 						     ares->controls);
 		}
 
-		ret = acl_search_update_confidential_attrs(ac, data);
-		if (ret != LDB_SUCCESS) {
-			return ret;
-		}
-
 		if (data->confidential_attrs != NULL) {
 			for (i = 0; data->confidential_attrs[i]; i++) {
 				ldb_msg_remove_attr(ares->message,
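Review bot: with the password_attrs loop removed, this callback no longer strips secret attributes from the reply, and the per-entry call to acl_search_update_confidential_attrs() is gone as well. The secret-attribute handling appears to move to acl_read.c (attr_is_secret() in acl_redact_attr()). Please add a comment here stating that this module relies on aclread for that, and that data->confidential_attrs is now refreshed only once in acl_search(), so the dependency is visible to whoever next edits either module.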
@@ -2569,11 +2451,12 @@
 {
 	struct ldb_context *ldb;
 	struct acl_context *ac;
-	struct ldb_parse_tree *down_tree;
+	struct ldb_parse_tree *down_tree = req->op.search.tree;
 	struct ldb_request *down_req;
 	struct acl_private *data;
 	int ret;
 	unsigned int i;
+	bool modify_search = true;
 
 	if (ldb_dn_is_special(req->op.search.base)) {
 		return ldb_next_request(module, req);
@@ -2592,13 +2475,11 @@
 	ac->am_system = dsdb_module_am_system(module);
 	ac->am_administrator = dsdb_module_am_administrator(module);
 	ac->constructed_attrs = false;
-	ac->modify_search = true;
 	ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
 	ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
 	ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
 	ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
 	ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
-	ac->userPassword = true;
 	ac->schema = dsdb_get_schema(ldb, ac);
 
 	ac->constructed_attrs |= ac->allowedAttributes;
@@ -2608,13 +2489,13 @@
 	ac->constructed_attrs |= ac->sDRightsEffective;
 
 	if (data == NULL) {
-		ac->modify_search = false;
+		modify_search = false;
 	}
 	if (ac->am_system) {
-		ac->modify_search = false;
+		modify_search = false;
 	}
 
-	if (!ac->constructed_attrs && !ac->modify_search) {
+	if (!ac->constructed_attrs && !modify_search) {
 		talloc_free(ac);
 		return ldb_next_request(module, req);
 	}
@@ -2624,38 +2505,24 @@
 		return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
 				 "acl_private data is missing");
 	}
-	ac->userPassword = data->userPassword_support;
 
-	ret = acl_search_update_confidential_attrs(ac, data);
-	if (ret != LDB_SUCCESS) {
-		return ret;
-	}
-
-	down_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree);
-	if (down_tree == NULL) {
-		return ldb_oom(ldb);
-	}
+	if (!ac->am_system && !ac->am_administrator) {
+		ret = acl_search_update_confidential_attrs(ac, data);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
 
-	if (!ac->am_system && data->password_attrs) {
-		for (i = 0; data->password_attrs[i]; i++) {
-			if ((!ac->userPassword) &&
-			    (ldb_attr_cmp(data->password_attrs[i],
-					  "userPassword") == 0))
-			{
-				continue;
+		if (data->confidential_attrs != NULL) {
+			down_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree);
+			if (down_tree == NULL) {
+				return ldb_oom(ldb);
 			}
 
-			ldb_parse_tree_attr_replace(down_tree,
-						    data->password_attrs[i],
-						    "kludgeACLredactedattribute");
-		}
-	}
-
-	if (!ac->am_system && !ac->am_administrator && data->confidential_attrs) {
-		for (i = 0; data->confidential_attrs[i]; i++) {
-			ldb_parse_tree_attr_replace(down_tree,
-						    data->confidential_attrs[i],
-						    "kludgeACLredactedattribute");
+			for (i = 0; data->confidential_attrs[i]; i++) {
+				ldb_parse_tree_attr_replace(down_tree,
+							    data->confidential_attrs[i],
+							    "kludgeACLredactedattribute");
+			}
 		}
 	}
 
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl_read.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl_read.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl_read.c	2022-08-08 17:15:39.548193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl_read.c	2023-03-20 12:03:45.175653500 +0300
@@ -37,20 +37,25 @@
 #include "librpc/gen_ndr/ndr_security.h"
 #include "param/param.h"
 #include "dsdb/samdb/ldb_modules/util.h"
+#include "lib/util/binsearch.h"
 
 #undef strcasecmp
 
+struct ldb_attr_vec {
+	const char** attrs;
+	size_t len;
+	size_t capacity;
+};
+
 struct aclread_context {
 	struct ldb_module *module;
 	struct ldb_request *req;
-	const char * const *attrs;
 	const struct dsdb_schema *schema;
 	uint32_t sd_flags;
 	bool added_nTSecurityDescriptor;
 	bool added_instanceType;
 	bool added_objectSid;
 	bool added_objectClass;
-	bool indirsync;
 
 	bool do_list_object_initialized;
 	bool do_list_object;
@@ -60,6 +65,11 @@
 	/* cache on the last parent we checked in this search */
 	struct ldb_dn *last_parent_dn;
 	int last_parent_check_ret;
+
+	bool am_administrator;
+
+	bool got_tree_attrs;
+	struct ldb_attr_vec tree_attrs;
 };
 
 struct aclread_private {
@@ -68,14 +78,192 @@
 	/* cache of the last SD we read during any search */
 	struct security_descriptor *sd_cached;
 	struct ldb_val sd_cached_blob;
+	const char **password_attrs;
+	size_t num_password_attrs;
 };
 
-static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
-	el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
+struct access_check_context {
+	struct security_descriptor *sd;
+	struct dom_sid sid_buf;
+	const struct dom_sid *sid;
+	const struct dsdb_class *objectclass;
+};
+
+static void acl_element_mark_access_checked(struct ldb_message_element *el)
+{
+	el->flags |= LDB_FLAG_INTERNAL_ACCESS_CHECKED;
+}
+
+static bool acl_element_is_access_checked(const struct ldb_message_element *el)
+{
+	return (el->flags & LDB_FLAG_INTERNAL_ACCESS_CHECKED) != 0;
+}
+
+static bool attr_in_vec(const struct ldb_attr_vec *vec, const char *attr)
+{
+	const char **found = NULL;
+
+	if (vec == NULL) {
+		return false;
+	}
+
+	BINARY_ARRAY_SEARCH_V(vec->attrs,
+			      vec->len,
+			      attr,
+			      ldb_attr_cmp,
+			      found);
+	return found != NULL;
+}
+
+static int acl_attr_cmp_fn(const char *a, const char **b)
+{
+	return ldb_attr_cmp(a, *b);
+}
+
+static int attr_vec_add_unique(TALLOC_CTX *mem_ctx,
+			       struct ldb_attr_vec *vec,
+			       const char *attr)
+{
+	const char **exact = NULL;
+	const char **next = NULL;
+	size_t next_idx = 0;
+
+	BINARY_ARRAY_SEARCH_GTE(vec->attrs,
+				vec->len,
+				attr,
+				acl_attr_cmp_fn,
+				exact,
+				next);
+	if (exact != NULL) {
+		return LDB_SUCCESS;
+	}
+
+	if (vec->len == SIZE_MAX) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (next != NULL) {
+		next_idx = next - vec->attrs;
+	}
+
+	if (vec->len >= vec->capacity) {
+		const char **attrs = NULL;
+
+		if (vec->capacity == 0) {
+			vec->capacity = 4;
+		} else {
+			if (vec->capacity > SIZE_MAX / 2) {
+				return LDB_ERR_OPERATIONS_ERROR;
+			}
+			vec->capacity *= 2;
+		}
+
+		attrs = talloc_realloc(mem_ctx, vec->attrs, const char *, vec->capacity);
+		if (attrs == NULL) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		vec->attrs = attrs;
+	}
+	SMB_ASSERT(vec->len < vec->capacity);
+
+	if (next == NULL) {
+		vec->attrs[vec->len++] = attr;
+	} else {
+		size_t count = (vec->len - next_idx) * sizeof (vec->attrs[0]);
+		memmove(&vec->attrs[next_idx + 1],
+			&vec->attrs[next_idx],
+			count);
+
+		vec->attrs[next_idx] = attr;
+		++vec->len;
+	}
+
+	return LDB_SUCCESS;
+}
+
+static bool ldb_attr_always_present(const char *attr)
+{
+	static const char * const attrs_always_present[] = {
+		"objectClass",
+		"distinguishedName",
+		"name",
+		"objectGUID",
+		NULL
+	};
+
+	return ldb_attr_in_list(attrs_always_present, attr);
+}
+
+static bool ldb_attr_always_visible(const char *attr)
+{
+	static const char * const attrs_always_visible[] = {
+		"isDeleted",
+		"isRecycled",
+		NULL
+	};
+
+	return ldb_attr_in_list(attrs_always_visible, attr);
 }
 
-static bool aclread_is_inaccessible(struct ldb_message_element *el) {
-	return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
+/* Collect a list of attributes required to match a given parse tree. */
+static int ldb_parse_tree_collect_acl_attrs(struct ldb_module *module,
+					    TALLOC_CTX *mem_ctx,
+					    struct ldb_attr_vec *attrs,
+					    const struct ldb_parse_tree *tree)
+{
+	const char *attr = NULL;
+	unsigned int i;
+	int ret;
+
+	if (tree == NULL) {
+		return 0;
+	}
+
+	switch (tree->operation) {
+	case LDB_OP_OR:
+	case LDB_OP_AND:		/* attributes stored in list of subtrees */
+		for (i = 0; i < tree->u.list.num_elements; i++) {
+			ret = ldb_parse_tree_collect_acl_attrs(module, mem_ctx,
+							       attrs, tree->u.list.elements[i]);
+			if (ret) {
+				return ret;
+			}
+		}
+		return 0;
+
+	case LDB_OP_NOT:		/* attributes stored in single subtree */
+		return ldb_parse_tree_collect_acl_attrs(module, mem_ctx, attrs, tree->u.isnot.child);
+
+	case LDB_OP_PRESENT:
+		/*
+		 * If the search filter is checking for an attribute's presence,
+		 * and the attribute is always present, we can skip access
+		 * rights checks. Every object has these attributes, and so
+		 * there's no security reason to hide their presence.
+		 * Note: the acl.py tests (e.g. test_search1()) rely on this
+		 * exception.  I.e. even if we lack Read Property (RP) rights
+		 * for a child object, it should still appear as a visible
+		 * object in 'objectClass=*' searches, so long as we have List
+		 * Contents (LC) rights for the object.
+		 */
+		if (ldb_attr_always_present(tree->u.present.attr)) {
+			/* No need to check this attribute. */
+			return 0;
+		}
+
+		FALL_THROUGH;
+	case LDB_OP_EQUALITY:
+		if (ldb_attr_always_visible(tree->u.present.attr)) {
+			/* No need to check this attribute. */
+			return 0;
+		}
+
+		FALL_THROUGH;
+	default:			/* single attribute in tree */
+		attr = ldb_parse_tree_get_attr(tree);
+		return attr_vec_add_unique(mem_ctx, attrs, attr);
+	}
 }
 
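Review bot: in ldb_parse_tree_collect_acl_attrs() the LDB_OP_EQUALITY case reads tree->u.present.attr, which is the union member for presence filters; that case is reached directly for equality filters as well as by fallthrough from LDB_OP_PRESENT. Use ldb_parse_tree_get_attr(tree), as the default branch already does, or tree->u.equality.attr, so the code does not depend on the two union members sharing a layout. Also worth a comment: attr_vec_add_unique() stores the attr pointer without copying it, so the vector must not outlive the parse tree, and the function mixes bare 0 with LDB_* return codes.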
 /*
@@ -262,13 +450,13 @@
  */
 
 static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,
-					   struct ldb_message *acl_res,
+					   const struct ldb_message *acl_res,
 					   struct security_descriptor **sd)
 {
 	struct ldb_message_element *sd_element;
 	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 	struct aclread_private *private_data
-		= talloc_get_type(ldb_module_get_private(ac->module),
+		= talloc_get_type_abort(ldb_module_get_private(ac->module),
 				  struct aclread_private);
 	enum ndr_err_code ndr_err;
 
@@ -309,16 +497,11 @@
 	}
 
 	talloc_unlink(private_data, private_data->sd_cached_blob.data);
-	if (ac->added_nTSecurityDescriptor) {
-		private_data->sd_cached_blob = sd_element->values[0];
-		talloc_steal(private_data, sd_element->values[0].data);
-	} else {
-		private_data->sd_cached_blob = ldb_val_dup(private_data,
-							   &sd_element->values[0]);
-		if (private_data->sd_cached_blob.data == NULL) {
-			TALLOC_FREE(*sd);
-			return ldb_operr(ldb);
-		}
+	private_data->sd_cached_blob = ldb_val_dup(private_data,
+						   &sd_element->values[0]);
+	if (private_data->sd_cached_blob.data == NULL) {
+		TALLOC_FREE(*sd);
+		return ldb_operr(ldb);
 	}
 
 	talloc_unlink(private_data, private_data->sd_cached);
@@ -327,6 +510,23 @@
 	return LDB_SUCCESS;
 }
 
+/* Check whether the attribute is a password attribute. */
+static bool attr_is_secret(const char *attr, const struct aclread_private *private_data)
+{
+	const char **found = NULL;
+
+	if (private_data->password_attrs == NULL) {
+		return false;
+	}
+
+	BINARY_ARRAY_SEARCH_V(private_data->password_attrs,
+			      private_data->num_password_attrs,
+			      attr,
+			      ldb_attr_cmp,
+			      found);
+	return found != NULL;
+}
+
 /*
  * Returns the access mask required to read a given attribute
  */
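Review bot: attr_is_secret() binary-searches password_attrs with ldb_attr_cmp, which is only correct if the array is sorted with that same comparison, and the code that fills and sorts it is not in this hunk. Please state the sorted invariant on the password_attrs member of struct aclread_private, since an unsorted array would make secret attributes fail the lookup and skip the redaction.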
@@ -362,61 +562,59 @@
 	return access_mask;
 }
 
-/* helper struct for traversing the attributes in the search-tree */
-struct parse_tree_aclread_ctx {
-	struct aclread_context *ac;
-	TALLOC_CTX *mem_ctx;
-	struct dom_sid *sid;
-	struct ldb_dn *dn;
-	struct security_descriptor *sd;
-	const struct dsdb_class *objectclass;
-	bool suppress_result;
-};
-
 /*
- * Checks that the user has sufficient access rights to view an attribute
+ * Checks that the user has sufficient access rights to view an attribute, else
+ * marks it as inaccessible.
  */
-static int check_attr_access_rights(TALLOC_CTX *mem_ctx, const char *attr_name,
-				    struct aclread_context *ac,
-				    struct security_descriptor *sd,
-				    const struct dsdb_class *objectclass,
-				    struct dom_sid *sid, struct ldb_dn *dn)
+static int acl_redact_attr(TALLOC_CTX *mem_ctx,
+			   struct ldb_message_element *el,
+			   struct aclread_context *ac,
+			   const struct aclread_private *private_data,
+			   const struct ldb_message *msg,
+			   const struct dsdb_schema *schema,
+			   const struct security_descriptor *sd,
+			   const struct dom_sid *sid,
+			   const struct dsdb_class *objectclass)
 {
 	int ret;
 	const struct dsdb_attribute *attr = NULL;
 	uint32_t access_mask;
 	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 
-	attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, attr_name);
+	if (attr_is_secret(el->name, private_data)) {
+		ldb_msg_element_mark_inaccessible(el);
+		return LDB_SUCCESS;
+	}
+
+	/* Look up the attribute in the schema. */
+	attr = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
 	if (!attr) {
 		ldb_debug_set(ldb,
-			      LDB_DEBUG_TRACE,
-			      "acl_read: %s cannot find attr[%s] in schema,"
-			      "ignoring\n",
-			      ldb_dn_get_linearized(dn), attr_name);
-		return LDB_SUCCESS;
+			      LDB_DEBUG_FATAL,
+			      "acl_read: %s cannot find attr[%s] in schema\n",
+			      ldb_dn_get_linearized(msg->dn), el->name);
+		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	access_mask = get_attr_access_mask(attr, ac->sd_flags);
-
-	/* the access-mask should be non-zero. Skip attribute otherwise */
 	if (access_mask == 0) {
 		DBG_ERR("Could not determine access mask for attribute %s\n",
-			attr_name);
+			el->name);
+		ldb_msg_element_mark_inaccessible(el);
 		return LDB_SUCCESS;
 	}
 
+	/* We must check whether the user has rights to view the attribute. */
+
 	ret = acl_check_access_on_attribute(ac->module, mem_ctx, sd, sid,
 					    access_mask, attr, objectclass);
 
 	if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-		return ret;
-	}
-
-	if (ret != LDB_SUCCESS) {
+		ldb_msg_element_mark_inaccessible(el);
+	} else if (ret != LDB_SUCCESS) {
 		ldb_debug_set(ldb, LDB_DEBUG_FATAL,
 			      "acl_read: %s check attr[%s] gives %s - %s\n",
-			      ldb_dn_get_linearized(dn), attr_name,
+			      ldb_dn_get_linearized(msg->dn), el->name,
 			      ldb_strerror(ret), ldb_errstring(ldb));
 		return ret;
 	}
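Review bot: The header comment on acl_redact_attr() should say that a denied read is reported by marking `el` inaccessible and returning LDB_SUCCESS. The replaced check_attr_access_rights() returned LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS for the same case, so callers must no longer test for that code. It is also worth stating there that the attr_is_secret() test runs before the schema lookup, so names in password_attrs are redacted without any ACL evaluation.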
@@ -424,152 +622,112 @@
 	return LDB_SUCCESS;
 }
 
-/*
- * Returns the attribute name for this particular level of a search operation
- * parse-tree.
- */
-static const char * parse_tree_get_attr(struct ldb_parse_tree *tree)
+static int setup_access_check_context(struct aclread_context *ac,
+				      const struct ldb_message *msg,
+				      struct access_check_context *ctx)
 {
-	const char *attr = NULL;
-
-	switch (tree->operation) {
-	case LDB_OP_EQUALITY:
-	case LDB_OP_GREATER:
-	case LDB_OP_LESS:
-	case LDB_OP_APPROX:
-		attr = tree->u.equality.attr;
-		break;
-	case LDB_OP_SUBSTRING:
-		attr = tree->u.substring.attr;
-		break;
-	case LDB_OP_PRESENT:
-		attr = tree->u.present.attr;
-		break;
-	case LDB_OP_EXTENDED:
-		attr = tree->u.extended.attr;
-		break;
-
-	/* we'll check LDB_OP_AND/_OR/_NOT children later on in the walk */
-	default:
-		break;
-	}
-	return attr;
-}
-
-/*
- * Checks a single attribute in the search parse-tree to make sure the user has
- * sufficient rights to view it.
- */
-static int parse_tree_check_attr_access(struct ldb_parse_tree *tree,
-					void *private_context)
-{
-	struct parse_tree_aclread_ctx *ctx = NULL;
-	const char *attr_name = NULL;
 	int ret;
-	static const char * const attrs_always_present[] = {
-		"objectClass",
-		"distinguishedName",
-		"name",
-		"objectGUID",
-		NULL
-	};
-
-	ctx = (struct parse_tree_aclread_ctx *)private_context;
 
 	/*
-	 * we can skip any further checking if we already know that this object
-	 * shouldn't be visible in this user's search
+	 * Fetch the schema so we can check which attributes are
+	 * considered confidential.
 	 */
-	if (ctx->suppress_result) {
-		return LDB_SUCCESS;
-	}
+	if (ac->schema == NULL) {
+		struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 
-	/* skip this level of the search-tree if it has no attribute to check */
-	attr_name = parse_tree_get_attr(tree);
-	if (attr_name == NULL) {
-		return LDB_SUCCESS;
+		/* Cache the schema for later use. */
+		ac->schema = dsdb_get_schema(ldb, ac);
+
+		if (ac->schema == NULL) {
+			return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+					 "aclread_callback: Error obtaining schema.");
+		}
 	}
 
+	/* Fetch the object's security descriptor. */
+	ret = aclread_get_sd_from_ldb_message(ac, msg, &ctx->sd);
+	if (ret != LDB_SUCCESS) {
+		ldb_debug_set(ldb_module_get_ctx(ac->module), LDB_DEBUG_FATAL,
+			      "acl_read: cannot get descriptor of %s: %s\n",
+			      ldb_dn_get_linearized(msg->dn), ldb_strerror(ret));
+		return LDB_ERR_OPERATIONS_ERROR;
+	} else if (ctx->sd == NULL) {
+		ldb_debug_set(ldb_module_get_ctx(ac->module), LDB_DEBUG_FATAL,
+			      "acl_read: cannot get descriptor of %s (attribute not found)\n",
+			      ldb_dn_get_linearized(msg->dn));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
 	/*
-	 * If the search filter is checking for an attribute's presence, and the
-	 * attribute is always present, we can skip access rights checks. Every
-	 * object has these attributes, and so there's no security reason to
-	 * hide their presence.
-	 * Note: the acl.py tests (e.g. test_search1()) rely on this exception.
-	 * I.e. even if we lack Read Property (RP) rights for a child object, it
-	 * should still appear as a visible object in 'objectClass=*' searches,
-	 * so long as we have List Contents (LC) rights for the object.
+	 * Get the most specific structural object class for the ACL check
 	 */
-	if (tree->operation == LDB_OP_PRESENT &&
-	    is_attr_in_list(attrs_always_present, attr_name)) {
-		return LDB_SUCCESS;
+	ctx->objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
+	if (ctx->objectclass == NULL) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
+				       "acl_read: Failed to find a structural class for %s",
+				       ldb_dn_get_linearized(msg->dn));
+		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	ret = check_attr_access_rights(ctx->mem_ctx, attr_name, ctx->ac,
-				       ctx->sd, ctx->objectclass, ctx->sid,
-				       ctx->dn);
-
-	/*
-	 * if the user does not have the rights to view this attribute, then we
-	 * should not return the object as a search result, i.e. act as if the
-	 * object doesn't exist (for this particular user, at least)
-	 */
-	if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-		ctx->suppress_result = true;
-		return LDB_SUCCESS;
+	/* Fetch the object's SID. */
+	ret = samdb_result_dom_sid_buf(msg, "objectSid", &ctx->sid_buf);
+	if (ret == LDB_SUCCESS) {
+		ctx->sid = &ctx->sid_buf;
+	} else if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
+		/* This is expected. */
+		ctx->sid = NULL;
+	} else {
+		ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
+				       "acl_read: Failed to parse objectSid as dom_sid for %s",
+				       ldb_dn_get_linearized(msg->dn));
+		return ret;
 	}
 
-	return ret;
+	return LDB_SUCCESS;
 }
 
 /*
- * Traverse the search-tree to check that the user has sufficient access rights
- * to view all the attributes.
+ * Whether this attribute was added to perform access checks and must be
+ * removed.
  */
-static int check_search_ops_access(struct aclread_context *ac,
-				   TALLOC_CTX *mem_ctx,
-				   struct security_descriptor *sd,
-				   const struct dsdb_class *objectclass,
-				   struct dom_sid *sid, struct ldb_dn *dn,
-				   bool *suppress_result)
+static bool should_remove_attr(const char *attr, const struct aclread_context *ac)
 {
-	int ret;
-	struct parse_tree_aclread_ctx ctx = { 0 };
-	struct ldb_parse_tree *tree = ac->req->op.search.tree;
+	if (ac->added_nTSecurityDescriptor &&
+	    ldb_attr_cmp("nTSecurityDescriptor", attr) == 0)
+	{
+		return true;
+	}
+
+	if (ac->added_objectSid &&
+	    ldb_attr_cmp("objectSid", attr) == 0)
+	{
+		return true;
+	}
 
-	ctx.ac = ac;
-	ctx.mem_ctx = mem_ctx;
-	ctx.suppress_result = false;
-	ctx.sid = sid;
-	ctx.dn = dn;
-	ctx.sd = sd;
-	ctx.objectclass = objectclass;
+	if (ac->added_instanceType &&
+	    ldb_attr_cmp("instanceType", attr) == 0)
+	{
+		return true;
+	}
 
-	/* walk the search tree, checking each attribute as we go */
-	ret = ldb_parse_tree_walk(tree, parse_tree_check_attr_access, &ctx);
+	if (ac->added_objectClass &&
+	    ldb_attr_cmp("objectClass", attr) == 0)
+	{
+		return true;
+	}
 
-	/* return whether this search result should be hidden to this user */
-	*suppress_result = ctx.suppress_result;
-	return ret;
+	return false;
 }
 
 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 {
-	struct ldb_context *ldb;
 	struct aclread_context *ac;
-	struct ldb_message *ret_msg;
+	struct aclread_private *private_data = NULL;
 	struct ldb_message *msg;
 	int ret;
-	size_t num_of_attrs = 0;
-	unsigned int i, k = 0;
-	struct security_descriptor *sd = NULL;
-	struct dom_sid *sid = NULL;
-	TALLOC_CTX *tmp_ctx;
-	const struct dsdb_class *objectclass;
-	bool suppress_result = false;
+	unsigned int i;
+	struct access_check_context acl_ctx;
 
-	ac = talloc_get_type(req->context, struct aclread_context);
-	ldb = ldb_module_get_ctx(ac->module);
+	ac = talloc_get_type_abort(req->context, struct aclread_context);
 	if (!ares) {
 		return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
 	}
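Review bot: In setup_access_check_context() the schema failure message is prefixed "aclread_callback:", but the helper is also called from acl_redact_msg_for_filter(), so the log can name the wrong caller; use the "acl_read:" prefix that the other messages in this function use. The helper also has no header comment, and `struct access_check_context acl_ctx;` in aclread_callback() is left uninitialised; zero-initialising it would keep sd, sid and objectclass defined if the helper returns early.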
@@ -577,36 +735,10 @@
 		return ldb_module_done(ac->req, ares->controls,
 				       ares->response, ares->error);
 	}
-	tmp_ctx = talloc_new(ac);
 	switch (ares->type) {
 	case LDB_REPLY_ENTRY:
 		msg = ares->message;
-		ret = aclread_get_sd_from_ldb_message(ac, msg, &sd);
-		if (ret != LDB_SUCCESS) {
-			ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-				      "acl_read: cannot get descriptor of %s: %s\n",
-				      ldb_dn_get_linearized(msg->dn), ldb_strerror(ret));
-			ret = LDB_ERR_OPERATIONS_ERROR;
-			goto fail;
-		} else if (sd == NULL) {
-			ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-				      "acl_read: cannot get descriptor of %s (attribute not found)\n",
-				      ldb_dn_get_linearized(msg->dn));
-			ret = LDB_ERR_OPERATIONS_ERROR;
-			goto fail;
-		}
-		/*
-		 * Get the most specific structural object class for the ACL check
-		 */
-		objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
-		if (objectclass == NULL) {
-			ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
-					       ldb_dn_get_linearized(msg->dn));
-			ret = LDB_ERR_OPERATIONS_ERROR;
-			goto fail;
-		}
 
-		sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
 		if (!ldb_dn_is_null(msg->dn)) {
 			/*
 			 * this is a real object, so we have
@@ -614,187 +746,90 @@
 			 */
 			ret = aclread_check_object_visible(ac, msg, req);
 			if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-				talloc_free(tmp_ctx);
 				return LDB_SUCCESS;
 			} else if (ret != LDB_SUCCESS) {
+				struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
 					      "acl_read: %s check parent %s - %s\n",
 					      ldb_dn_get_linearized(msg->dn),
 					      ldb_strerror(ret),
 					      ldb_errstring(ldb));
-				goto fail;
+				return ldb_module_done(ac->req, NULL, NULL, ret);
 			}
 		}
 
 		/* for every element in the message check RP */
-		for (i=0; i < msg->num_elements; i++) {
-			const struct dsdb_attribute *attr;
-			bool is_sd, is_objectsid, is_instancetype, is_objectclass;
-			uint32_t access_mask;
-			attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
-								 msg->elements[i].name);
-			if (!attr) {
-				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-					      "acl_read: %s cannot find attr[%s] in of schema\n",
-					      ldb_dn_get_linearized(msg->dn),
-					      msg->elements[i].name);
-				ret = LDB_ERR_OPERATIONS_ERROR;
-				goto fail;
-			}
-			is_sd = ldb_attr_cmp("nTSecurityDescriptor",
-					      msg->elements[i].name) == 0;
-			is_objectsid = ldb_attr_cmp("objectSid",
-						    msg->elements[i].name) == 0;
-			is_instancetype = ldb_attr_cmp("instanceType",
-						       msg->elements[i].name) == 0;
-			is_objectclass = ldb_attr_cmp("objectClass",
-						      msg->elements[i].name) == 0;
-			/* these attributes were added to perform access checks and must be removed */
-			if (is_objectsid && ac->added_objectSid) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
-				continue;
-			}
-			if (is_instancetype && ac->added_instanceType) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
-				continue;
-			}
-			if (is_objectclass && ac->added_objectClass) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
-				continue;
-			}
-			if (is_sd && ac->added_nTSecurityDescriptor) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
+		for (i = 0; i < msg->num_elements; ++i) {
+			struct ldb_message_element *el = &msg->elements[i];
+
+			/* Remove attributes added to perform access checks. */
+			if (should_remove_attr(el->name, ac)) {
+				ldb_msg_element_mark_inaccessible(el);
 				continue;
 			}
 
-			access_mask = get_attr_access_mask(attr, ac->sd_flags);
-
-			if (access_mask == 0) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
+			if (acl_element_is_access_checked(el)) {
+				/* We will have already checked this attribute. */
 				continue;
 			}
 
-			ret = acl_check_access_on_attribute(ac->module,
-							    tmp_ctx,
-							    sd,
-							    sid,
-							    access_mask,
-							    attr,
-							    objectclass);
-
 			/*
-			 * Dirsync control needs the replpropertymetadata attribute
-			 * so return it as it will be removed by the control
-			 * in anycase.
+			 * We need to fetch the security descriptor to check
+			 * this attribute.
 			 */
-			if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-				bool in_search_filter;
+			break;
+		}
 
-				/* check if attr is part of the search filter */
-				in_search_filter = dsdb_attr_in_parse_tree(ac->req->op.search.tree,
-								msg->elements[i].name);
-
-				if (in_search_filter) {
-
-					/*
-					 * We are doing dirysnc answers
-					 * and the object shouldn't be returned (normally)
-					 * but we will return it without replPropertyMetaData
-					 * so that the dirysync module will do what is needed
-					 * (remove the object if it is not deleted, or return
-					 * just the objectGUID if it's deleted).
-					 */
-					if (ac->indirsync) {
-						ldb_msg_remove_attr(msg, "replPropertyMetaData");
-						break;
-					} else {
-
-						/* do not return this entry */
-						talloc_free(tmp_ctx);
-						return LDB_SUCCESS;
-					}
-				} else {
-					aclread_mark_inaccesslible(&msg->elements[i]);
-				}
-			} else if (ret != LDB_SUCCESS) {
-				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-					      "acl_read: %s check attr[%s] gives %s - %s\n",
-					      ldb_dn_get_linearized(msg->dn),
-					      msg->elements[i].name,
-					      ldb_strerror(ret),
-					      ldb_errstring(ldb));
-				goto fail;
-			}
+		if (i == msg->num_elements) {
+			/* All elements have been checked. */
+			goto reply_entry_done;
 		}
 
-		/*
-		 * check access rights for the search attributes, as well as the
-		 * attribute values actually being returned
-		 */
-		ret = check_search_ops_access(ac, tmp_ctx, sd, objectclass, sid,
-					      msg->dn, &suppress_result);
+		ret = setup_access_check_context(ac, msg, &acl_ctx);
 		if (ret != LDB_SUCCESS) {
-			ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-				      "acl_read: %s check search ops %s - %s\n",
-				      ldb_dn_get_linearized(msg->dn),
-				      ldb_strerror(ret), ldb_errstring(ldb));
-			goto fail;
+			return ret;
 		}
 
-		if (suppress_result) {
+		private_data = talloc_get_type_abort(ldb_module_get_private(ac->module),
+						     struct aclread_private);
 
-			/*
-			 * As per the above logic, we strip replPropertyMetaData
-			 * out of the msg so that the dirysync module will do
-			 * what is needed (return just the objectGUID if it's,
-			 * deleted, or remove the object if it is not).
-			 */
-			if (ac->indirsync) {
-				ldb_msg_remove_attr(msg, "replPropertyMetaData");
-			} else {
-				talloc_free(tmp_ctx);
-				return LDB_SUCCESS;
-			}
-		}
+		for (/* begin where we left off */; i < msg->num_elements; ++i) {
+			struct ldb_message_element *el = &msg->elements[i];
 
-		for (i=0; i < msg->num_elements; i++) {
-			if (!aclread_is_inaccessible(&msg->elements[i])) {
-				num_of_attrs++;
-			}
-		}
-		/*create a new message to return*/
-		ret_msg = ldb_msg_new(ac->req);
-		ret_msg->dn = msg->dn;
-		talloc_steal(ret_msg, msg->dn);
-		ret_msg->num_elements = num_of_attrs;
-		if (num_of_attrs > 0) {
-			ret_msg->elements = talloc_array(ret_msg,
-							 struct ldb_message_element,
-							 num_of_attrs);
-			if (ret_msg->elements == NULL) {
-				return ldb_oom(ldb);
+			/* Remove attributes added to perform access checks. */
+			if (should_remove_attr(el->name, ac)) {
+				ldb_msg_element_mark_inaccessible(el);
+				continue;
 			}
-			for (i=0; i < msg->num_elements; i++) {
-				bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
-				if (!to_remove) {
-					ret_msg->elements[k] = msg->elements[i];
-					talloc_steal(ret_msg->elements, msg->elements[i].name);
-					talloc_steal(ret_msg->elements, msg->elements[i].values);
-					k++;
-				}
+
+			if (acl_element_is_access_checked(el)) {
+				/* We will have already checked this attribute. */
+				continue;
 			}
+
 			/*
-			 * This should not be needed, but some modules
-			 * may allocate values on the wrong context...
+			 * We need to check whether the attribute is secret,
+			 * confidential, or access-controlled.
 			 */
-			talloc_steal(ret_msg->elements, msg);
-		} else {
-			ret_msg->elements = NULL;
+			ret = acl_redact_attr(ac,
+					      el,
+					      ac,
+					      private_data,
+					      msg,
+					      ac->schema,
+					      acl_ctx.sd,
+					      acl_ctx.sid,
+					      acl_ctx.objectclass);
+			if (ret != LDB_SUCCESS) {
+				return ldb_module_done(ac->req, NULL, NULL, ret);
+			}
 		}
-		talloc_free(tmp_ctx);
+
+	reply_entry_done:
+		ldb_msg_remove_inaccessible(msg);
 
 		ac->num_entries++;
-		return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
+		return ldb_module_send_entry(ac->req, msg, ares->controls);
 	case LDB_REPLY_REFERRAL:
 		return ldb_module_send_referral(ac->req, ares->referral);
 	case LDB_REPLY_DONE:
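Review bot: After setup_access_check_context() fails, the callback does a bare `return ret;`, while the other failure paths in this hunk (after aclread_check_object_visible() and acl_redact_attr()) finish the request with `ldb_module_done(ac->req, NULL, NULL, ret)`, as the removed `fail:` label did. Use ldb_module_done() here as well, or add a comment explaining why this path differs. Separately, acl_redact_attr() is now passed `ac` as its mem_ctx where the old loop used a per-entry tmp_ctx that was freed, so anything acl_check_access_on_attribute() allocates on it and does not free now lives as long as the request context.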
@@ -813,9 +848,6 @@
 
 	}
 	return LDB_SUCCESS;
-fail:
-	talloc_free(tmp_ctx);
-	return ldb_module_done(ac->req, NULL, NULL, ret);
 }
 
 
@@ -825,8 +857,7 @@
 	int ret;
 	struct aclread_context *ac;
 	struct ldb_request *down_req;
-	struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
-	uint32_t flags = ldb_req_get_custom_flags(req);
+	bool am_system;
 	struct ldb_result *res;
 	struct aclread_private *p;
 	bool need_sd = false;
@@ -843,11 +874,16 @@
 	ldb = ldb_module_get_ctx(module);
 	p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
 
+	am_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID) != NULL;
+	if (!am_system) {
+		am_system = dsdb_module_am_system(module);
+	}
+
 	/* skip access checks if we are system or system control is supplied
 	 * or this is not LDAP server request */
 	if (!p || !p->enabled ||
-	    dsdb_module_am_system(module)
-	    || as_system || !is_untrusted) {
+	    am_system ||
+	    !is_untrusted) {
 		return ldb_next_request(module, req);
 	}
 	/* no checks on special dn */
@@ -861,15 +897,6 @@
 	}
 	ac->module = module;
 	ac->req = req;
-	ac->schema = dsdb_get_schema(ldb, req);
-	if (flags & DSDB_ACL_CHECKS_DIRSYNC_FLAG) {
-		ac->indirsync = true;
-	} else {
-		ac->indirsync = false;
-	}
-	if (!ac->schema) {
-		return ldb_operr(ldb);
-	}
 
 	attrs = req->op.search.attrs;
 	if (attrs == NULL) {
@@ -926,7 +953,7 @@
 		ac->added_nTSecurityDescriptor = true;
 	}
 
-	ac->attrs = req->op.search.attrs;
+	ac->am_administrator = dsdb_module_am_administrator(module);
 
 	/* check accessibility of base */
 	if (!ldb_dn_is_null(req->op.search.base)) {
@@ -970,19 +997,287 @@
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
+	/*
+	 * We provide 'ac' as the control value, which is then used by the
+	 * callback to avoid double-work.
+	 */
+	ret = ldb_request_add_control(down_req, DSDB_CONTROL_ACL_READ_OID, false, ac);
+	if (ret != LDB_SUCCESS) {
+			return ldb_error(ldb, ret,
+					"acl_read: Error adding acl_read control.");
+	}
+
 	return ldb_next_request(module, down_req);
 }
 
+/*
+ * Here we mark inaccessible attributes known to be looked for in the
+ * filter. This only redacts attributes found in the search expression. If any
+ * extended attribute match rules examine different attributes without their own
+ * access control checks, a security bypass is possible.
+ */
+static int acl_redact_msg_for_filter(struct ldb_module *module, struct ldb_request *req, struct ldb_message *msg)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	const struct aclread_private *private_data = NULL;
+	struct ldb_control *control = NULL;
+	struct aclread_context *ac = NULL;
+	struct access_check_context acl_ctx;
+	int ret;
+	unsigned i;
+
+	/*
+	 * The private data contains a list of attributes which are to be
+	 * considered secret.
+	 */
+	private_data = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
+	if (private_data == NULL) {
+		return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+				 "aclread_private data is missing");
+	}
+	if (!private_data->enabled) {
+		return LDB_SUCCESS;
+	}
+
+	control = ldb_request_get_control(req, DSDB_CONTROL_ACL_READ_OID);
+	if (control == NULL) {
+		/*
+		 * We've bypassed the acl_read module for this request, and
+		 * should skip redaction in this case.
+		 */
+		return LDB_SUCCESS;
+	}
+
+	ac = talloc_get_type_abort(control->data, struct aclread_context);
+
+	if (!ac->got_tree_attrs) {
+		ret = ldb_parse_tree_collect_acl_attrs(module, ac, &ac->tree_attrs, req->op.search.tree);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+		ac->got_tree_attrs = true;
+	}
+
+	for (i = 0; i < msg->num_elements; ++i) {
+		struct ldb_message_element *el = &msg->elements[i];
+
+		/* Is the attribute mentioned in the search expression? */
+		if (attr_in_vec(&ac->tree_attrs, el->name)) {
+			/*
+			 * We need to fetch the security descriptor to check
+			 * this element.
+			 */
+			break;
+		}
+
+		/*
+		 * This attribute is not in the search filter, so we can leave
+		 * handling it till aclread_callback(), by which time we know
+		 * this object is a match. This saves work checking ACLs if the
+		 * search is unindexed and most objects don't match the filter.
+		 */
+	}
+
+	if (i == msg->num_elements) {
+		/* All elements have been checked. */
+		return LDB_SUCCESS;
+	}
+
+	ret = setup_access_check_context(ac, msg, &acl_ctx);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	/* For every element in the message and the parse tree, check RP. */
+
+	for (/* begin where we left off */; i < msg->num_elements; ++i) {
+		struct ldb_message_element *el = &msg->elements[i];
+
+		/* Is the attribute mentioned in the search expression? */
+		if (!attr_in_vec(&ac->tree_attrs, el->name)) {
+			/*
+			 * If not, leave it for later and check the next
+			 * attribute.
+			 */
+			continue;
+		}
+
+		/*
+		 * We need to check whether the attribute is secret,
+		 * confidential, or access-controlled.
+		 */
+		ret = acl_redact_attr(ac,
+				      el,
+				      ac,
+				      private_data,
+				      msg,
+				      ac->schema,
+				      acl_ctx.sd,
+				      acl_ctx.sid,
+				      acl_ctx.objectclass);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+
+		acl_element_mark_access_checked(el);
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int ldb_attr_cmp_fn(const void *_a, const void *_b)
+{
+	const char * const *a = _a;
+	const char * const *b = _b;
+
+	return ldb_attr_cmp(*a, *b);
+}
+
 static int aclread_init(struct ldb_module *module)
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	unsigned int i, n, j;
+	TALLOC_CTX *mem_ctx = NULL;
+	int ret;
+	bool userPassword_support;
+	static const char * const attrs[] = { "passwordAttribute", NULL };
+	static const char * const secret_attrs[] = {
+		DSDB_SECRET_ATTRIBUTES
+	};
+	struct ldb_result *res;
+	struct ldb_message *msg;
+	struct ldb_message_element *password_attributes;
 	struct aclread_private *p = talloc_zero(module, struct aclread_private);
 	if (p == NULL) {
 		return ldb_module_oom(module);
 	}
 	p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true);
+
+	ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
+	if (ret != LDB_SUCCESS) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR,
+			  "acl_module_init: Unable to register sd_flags control with rootdse!\n");
+		return ldb_operr(ldb);
+	}
+
 	ldb_module_set_private(module, p);
-	return ldb_next_init(module);
+
+	mem_ctx = talloc_new(module);
+	if (!mem_ctx) {
+		return ldb_oom(ldb);
+	}
+
+	ret = dsdb_module_search_dn(module, mem_ctx, &res,
+				    ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
+				    attrs,
+				    DSDB_FLAG_NEXT_MODULE |
+				    DSDB_FLAG_AS_SYSTEM,
+				    NULL);
+	if (ret != LDB_SUCCESS) {
+		goto done;
+	}
+	if (res->count == 0) {
+		goto done;
+	}
+
+	if (res->count > 1) {
+		talloc_free(mem_ctx);
+		return LDB_ERR_CONSTRAINT_VIOLATION;
+	}
+
+	msg = res->msgs[0];
+
+	password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
+	if (!password_attributes) {
+		goto done;
+	}
+	p->password_attrs = talloc_array(p, const char *,
+			password_attributes->num_values +
+			ARRAY_SIZE(secret_attrs));
+	if (!p->password_attrs) {
+		talloc_free(mem_ctx);
+		return ldb_oom(ldb);
+	}
+
+	n = 0;
+	for (i=0; i < password_attributes->num_values; i++) {
+		p->password_attrs[n] = (const char *)password_attributes->values[i].data;
+		talloc_steal(p->password_attrs, password_attributes->values[i].data);
+		n++;
+	}
+
+	for (i=0; i < ARRAY_SIZE(secret_attrs); i++) {
+		bool found = false;
+
+		for (j=0; j < n; j++) {
+			if (strcasecmp(p->password_attrs[j], secret_attrs[i]) == 0) {
+				found = true;
+				break;
+			}
+		}
+
+		if (found) {
+			continue;
+		}
+
+		p->password_attrs[n] = talloc_strdup(p->password_attrs,
+						     secret_attrs[i]);
+		if (p->password_attrs[n] == NULL) {
+			talloc_free(mem_ctx);
+			return ldb_oom(ldb);
+		}
+		n++;
+	}
+	p->num_password_attrs = n;
+
+	/* Sort the password attributes so we can use binary search. */
+	TYPESAFE_QSORT(p->password_attrs, p->num_password_attrs, ldb_attr_cmp_fn);
+
+	ret = ldb_register_redact_callback(ldb, acl_redact_msg_for_filter, module);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+done:
+	talloc_free(mem_ctx);
+	ret = ldb_next_init(module);
+
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	if (p->password_attrs != NULL) {
+		/*
+		 * Check this after the modules have be initialised so we can
+		 * actually read the backend DB.
+		 */
+		userPassword_support = dsdb_user_password_support(module,
+								  module,
+								  NULL);
+		if (!userPassword_support) {
+			const char **found = NULL;
+
+			/*
+			 * Remove the userPassword attribute, as it is not
+			 * considered secret.
+			 */
+			BINARY_ARRAY_SEARCH_V(p->password_attrs,
+					      p->num_password_attrs,
+					      "userPassword",
+					      ldb_attr_cmp,
+					      found);
+			if (found != NULL) {
+				size_t found_idx = found - p->password_attrs;
+
+				/* Shift following elements backwards by one. */
+				for (i = found_idx; i < p->num_password_attrs - 1; ++i) {
+					p->password_attrs[i] = p->password_attrs[i + 1];
+				}
+				--p->num_password_attrs;
+			}
+		}
+	}
+	return ret;
 }
 
 static const struct ldb_module_ops ldb_aclread_module_ops = {
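Review bot: In aclread_init() every `goto done` taken before the password list is built (search error, `res->count == 0`, no passwordAttribute element) also skips ldb_register_redact_callback(), and the search's `ret` is then overwritten by ldb_next_init(), so the module can initialise successfully with no filter redaction and no secret list. Either register the callback and seed the list from DSDB_SECRET_ATTRIBUTES regardless of what @KLUDGEACL returns, or propagate the error. The `return ret;` after a failed ldb_register_redact_callback() also does not free mem_ctx, unlike the neighbouring error returns, and the ldb_error() call after ldb_request_add_control() is indented one tab too deep.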
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl_util.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl_util.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl_util.c	2022-08-08 17:15:39.548193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl_util.c	2023-03-20 12:03:44.507649400 +0300
@@ -97,8 +97,8 @@
 
 int acl_check_access_on_attribute(struct ldb_module *module,
 				  TALLOC_CTX *mem_ctx,
-				  struct security_descriptor *sd,
-				  struct dom_sid *rp_sid,
+				  const struct security_descriptor *sd,
+				  const struct dom_sid *rp_sid,
 				  uint32_t access_mask,
 				  const struct dsdb_attribute *attr,
 				  const struct dsdb_class *objectclass)
@@ -298,7 +298,7 @@
 
 	sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
 	if (sd_control != NULL && sd_control->data != NULL) {
-		struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
+		struct ldb_sd_flags_control *sdctr = talloc_get_type_abort(sd_control->data, struct ldb_sd_flags_control);
 
 		sd_flags = sdctr->secinfo_flags;
 
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/extended_dn_in.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/extended_dn_in.c	2022-08-08 17:15:39.552193400 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/extended_dn_in.c	2023-03-20 12:03:45.227653700 +0300
@@ -48,6 +48,7 @@
 struct extended_search_context {
 	struct ldb_module *module;
 	struct ldb_request *req;
+	struct ldb_parse_tree *tree;
 	struct ldb_dn *basedn;
 	struct ldb_dn *dn;
 	char *wellknown_object;
@@ -200,7 +201,7 @@
 						      ldb_module_get_ctx(ac->module), ac->req,
 						      ac->basedn,
 						      ac->req->op.search.scope,
-						      ac->req->op.search.tree,
+						      ac->tree,
 						      ac->req->op.search.attrs,
 						      ac->req->controls,
 						      ac, extended_final_callback, 
@@ -422,7 +423,15 @@
 	guid_val = ldb_dn_get_extended_component(dn, "GUID");
 	sid_val  = ldb_dn_get_extended_component(dn, "SID");
 
-	if (!guid_val && !sid_val && (attribute->searchFlags & SEARCH_FLAG_ATTINDEX)) {
+	/*
+	 * Is the attribute indexed? By treating confidential attributes
+	 * as unindexed, we force searches to go through the unindexed
+	 * search path, avoiding observable timing differences.
+	 */
+	if (!guid_val && !sid_val &&
+	    (attribute->searchFlags & SEARCH_FLAG_ATTINDEX) &&
+	    !(attribute->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+	{
 		/* if it is indexed, then fixing the string DN will do
 		   no good here, as we will not find the attribute in
 		   the index. So for now fall through to a standard DN
@@ -515,11 +524,14 @@
  */
 static int extended_dn_fix_filter(struct ldb_module *module,
 				  struct ldb_request *req,
-				  uint32_t default_dsdb_flags)
+				  uint32_t default_dsdb_flags,
+				  struct ldb_parse_tree **down_tree)
 {
 	struct extended_dn_filter_ctx *filter_ctx;
 	int ret;
 
+	*down_tree = NULL;
+
 	filter_ctx = talloc_zero(req, struct extended_dn_filter_ctx);
 	if (filter_ctx == NULL) {
 		return ldb_module_oom(module);
@@ -550,12 +562,12 @@
 	filter_ctx->test_only = false;
 	filter_ctx->matched   = false;
 
-	req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);
-	if (req->op.search.tree == NULL) {
+	*down_tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);
+	if (*down_tree == NULL) {
 		return ldb_oom(ldb_module_get_ctx(module));
 	}
 
-	ret = ldb_parse_tree_walk(req->op.search.tree, extended_dn_filter_callback, filter_ctx);
+	ret = ldb_parse_tree_walk(*down_tree, extended_dn_filter_callback, filter_ctx);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(filter_ctx);
 		return ret;
@@ -572,7 +584,8 @@
 static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req, struct ldb_dn *dn)
 {
 	struct extended_search_context *ac;
-	struct ldb_request *down_req;
+	struct ldb_request *down_req = NULL;
+	struct ldb_parse_tree *down_tree = NULL;
 	int ret;
 	struct ldb_dn *base_dn = NULL;
 	enum ldb_scope base_dn_scope = LDB_SCOPE_BASE;
@@ -595,7 +608,7 @@
 	}
 
 	if (req->operation == LDB_SEARCH) {
-		ret = extended_dn_fix_filter(module, req, dsdb_flags);
+		ret = extended_dn_fix_filter(module, req, dsdb_flags, &down_tree);
 		if (ret != LDB_SUCCESS) {
 			return ret;
 		}
@@ -603,7 +616,25 @@
 
 	if (!ldb_dn_has_extended(dn)) {
 		/* Move along there isn't anything to see here */
-		return ldb_next_request(module, req);
+		if (down_tree == NULL) {
+			down_req = req;
+		} else {
+			ret = ldb_build_search_req_ex(&down_req,
+						      ldb_module_get_ctx(module), req,
+						      req->op.search.base,
+						      req->op.search.scope,
+						      down_tree,
+						      req->op.search.attrs,
+						      req->controls,
+						      req, dsdb_next_callback,
+						      req);
+			if (ret != LDB_SUCCESS) {
+				return ret;
+			}
+			LDB_REQ_SET_LOCATION(down_req);
+		}
+
+		return ldb_next_request(module, down_req);
 	} else {
 		/* It looks like we need to map the DN */
 		const struct ldb_val *sid_val, *guid_val, *wkguid_val;
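Review bot: The retained comment `/* Move along there isn't anything to see here */` no longer describes this branch, which now builds a new search request whenever `down_tree` is set. A short comment explaining that the rewritten filter is sent down in a fresh request so the original `req` is left untouched would help. It is also worth stating that `down_tree != NULL` implies `req->operation == LDB_SEARCH`, since `ldb_build_search_req_ex()` is given `req->op.search.base`, `.scope` and `.attrs` from the union.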
@@ -690,6 +721,7 @@
 		
 		ac->module = module;
 		ac->req = req;
+		ac->tree = (down_tree != NULL) ? down_tree : req->op.search.tree;
 		ac->dn = dn;
 		ac->basedn = NULL;  /* Filled in if the search finds the DN by SID/GUID etc */
 		ac->wellknown_object = wellknown_object;
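Review bot: `ac->tree = (down_tree != NULL) ? down_tree : req->op.search.tree;` reads the `search` member of `req->op` whenever `down_tree` is NULL, but the earlier `if (req->operation == LDB_SEARCH)` guard in this function shows that non-search requests reach this code too. Unless `ac->tree` is only ever consumed for searches, set it to NULL for other operations, or add a comment stating why the union read is safe.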
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c	2022-08-08 17:15:39.552193400 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c	2023-03-20 12:03:44.487649200 +0300
@@ -104,7 +104,7 @@
 	 * If we are a GC let's remove the control,
 	 * if there is a specified GC check that is us.
 	 */
-	struct ldb_verify_name_control *lvnc = (struct ldb_verify_name_control *)control->data;
+	struct ldb_verify_name_control *lvnc = talloc_get_type_abort(control->data, struct ldb_verify_name_control);
 	if (samdb_is_gc(ldb)) {
 		/* Because we can't easily talloc a struct ldb_dn*/
 		struct ldb_dn **dn = talloc_array(ctx, struct ldb_dn *, 1);
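Review bot: `talloc_get_type_abort()` on the `lvnc` line turns a missing or wrongly typed `control->data` into a process abort, and nothing in this hunk checks `control->data` for NULL first. If this control can reach the module without data, or with data attached by a decoder that does not set the talloc name, prefer `talloc_get_type()` and return an error; otherwise add a comment stating where the type is guaranteed.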
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c	2022-10-19 15:14:56.036195800 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c	2023-03-20 12:03:44.491649400 +0300
@@ -4066,7 +4066,7 @@
 	ctrl = ldb_request_get_control(ac->req,
 				       DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID);
 	if (ctrl != NULL) {
-		ac->change = (struct dsdb_control_password_change *) ctrl->data;
+		ac->change = talloc_get_type_abort(ctrl->data, struct dsdb_control_password_change);
 
 		/* Mark the "change" control as uncritical (done) */
 		ctrl->critical = false;
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/util.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/util.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/util.c	2022-08-08 17:29:11.377506700 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/util.c	2023-03-20 12:04:29.063923100 +0300
@@ -1433,6 +1433,46 @@
 	return result;
 }
 
+bool dsdb_attribute_authz_on_ldap_add(struct ldb_module *module,
+				      TALLOC_CTX *mem_ctx,
+				      struct ldb_request *parent)
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	bool result = false;
+	const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+								     tmp_ctx,
+								     parent);
+	if (hr_val != NULL && hr_val->length >= DS_HR_ATTR_AUTHZ_ON_LDAP_ADD) {
+		uint8_t val = hr_val->data[DS_HR_ATTR_AUTHZ_ON_LDAP_ADD - 1];
+		if (val != '0' && val != '2') {
+			result = true;
+		}
+	}
+
+	talloc_free(tmp_ctx);
+	return result;
+}
+
+bool dsdb_block_owner_implicit_rights(struct ldb_module *module,
+				      TALLOC_CTX *mem_ctx,
+				      struct ldb_request *parent)
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	bool result = false;
+	const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+								     tmp_ctx,
+								     parent);
+	if (hr_val != NULL && hr_val->length >= DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS) {
+		uint8_t val = hr_val->data[DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS - 1];
+		if (val != '0' && val != '2') {
+			result = true;
+		}
+	}
+
+	talloc_free(tmp_ctx);
+	return result;
+}
+
 /*
   show the chain of requests, useful for debugging async requests
  */
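Review bot: Both new helpers decide with `val != '0' && val != '2'`, so any other byte in that dSHeuristics position enables the behaviour, and nothing explains why '2' counts as disabled. Please add a comment giving the meaning of each value. The two functions differ only in the index constant, so a shared static helper taking the index would remove the duplication, and the result of `talloc_new(mem_ctx)` is used without a NULL check.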
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/samdb.h samba-4.17.7+dfsg/source4/dsdb/samdb/samdb.h
--- samba-4.17.6+dfsg/source4/dsdb/samdb/samdb.h	2022-08-08 17:29:11.377506700 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/samdb.h	2023-03-20 12:03:45.135653300 +0300
@@ -232,6 +232,8 @@
  */
 #define DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID "1.3.6.1.4.1.7165.4.3.35"
 
+#define DSDB_CONTROL_ACL_READ_OID "1.3.6.1.4.1.7165.4.3.37"
+
 #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1"
 struct dsdb_extended_replicated_object {
 	struct ldb_message *msg;
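Review bot: `DSDB_CONTROL_ACL_READ_OID` is added with no comment, while the define just above it follows a comment block. Please document what the control does and which module is expected to add and consume it, and note why the number goes from `.35` to `.37` if `.36` is allocated elsewhere.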
diff -Nru samba-4.17.6+dfsg/source4/dsdb/schema/schema_description.c samba-4.17.7+dfsg/source4/dsdb/schema/schema_description.c
--- samba-4.17.6+dfsg/source4/dsdb/schema/schema_description.c	2022-08-08 17:15:39.564193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/schema/schema_description.c	2023-03-20 12:03:45.227653700 +0300
@@ -160,6 +160,13 @@
 					       attribute->rangeUpper,
 					       GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID),
 					       GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID),
+					       /*
+						* We actually ignore the indexed
+						* flag for confidential
+						* attributes, but we'll include
+						* it for the purposes of
+						* description.
+						*/
 					       (attribute->searchFlags & SEARCH_FLAG_ATTINDEX),
 					       attribute->systemOnly);
 	talloc_free(tmp_ctx);
diff -Nru samba-4.17.6+dfsg/source4/dsdb/schema/schema_init.c samba-4.17.7+dfsg/source4/dsdb/schema/schema_init.c
--- samba-4.17.6+dfsg/source4/dsdb/schema/schema_init.c	2022-08-08 17:15:39.564193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/schema/schema_init.c	2023-03-20 12:03:45.227653700 +0300
@@ -514,8 +514,15 @@
 	if (attr->isSingleValued) {
 		a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE;
 	}
-	
-	if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {
+
+	/*
+	 * Is the attribute indexed? By treating confidential attributes as
+	 * unindexed, we force searches to go through the unindexed search path,
+	 * avoiding observable timing differences.
+	 */
+	if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
+	    !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+	{
 		a->flags |= LDB_ATTR_FLAG_INDEXED;
 	}
 
diff -Nru samba-4.17.6+dfsg/source4/dsdb/schema/schema_set.c samba-4.17.7+dfsg/source4/dsdb/schema/schema_set.c
--- samba-4.17.6+dfsg/source4/dsdb/schema/schema_set.c	2022-08-08 17:15:39.564193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/schema/schema_set.c	2023-03-20 12:03:45.227653700 +0300
@@ -221,7 +221,14 @@
 			break;
 		}
 
-		if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {
+		/*
+		 * Is the attribute indexed? By treating confidential attributes
+		 * as unindexed, we force searches to go through the unindexed
+		 * search path, avoiding observable timing differences.
+		 */
+		if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
+		    !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+		{
 			/*
 			 * When preparing to downgrade Samba, we need to write
 			 * out an LDB without the new key word ORDERED_INTEGER.
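Review bot: The condition `attr->searchFlags & SEARCH_FLAG_ATTINDEX && !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)` relies on `&` binding tighter than `&&`; it is correct, but parenthesising the first operand would match the second and make the intent obvious. The identical test and comment are also added in schema_init.c, and the two must stay in step for the timing mitigation to hold, so a small shared predicate would be safer than two copies.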
diff -Nru samba-4.17.6+dfsg/source4/dsdb/tests/python/acl_modify.py samba-4.17.7+dfsg/source4/dsdb/tests/python/acl_modify.py
--- samba-4.17.6+dfsg/source4/dsdb/tests/python/acl_modify.py	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/tests/python/acl_modify.py	2023-03-20 12:04:29.103923300 +0300
@@ -0,0 +1,236 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+
+import optparse
+import sys
+sys.path.insert(0, "bin/python")
+import samba
+
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+
+import samba.getopt as options
+
+from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
+from ldb import Message, MessageElement, Dn
+from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE
+from samba.dcerpc import security
+
+from samba.auth import system_session
+from samba import gensec, sd_utils
+from samba.samdb import SamDB
+from samba.credentials import Credentials, DONT_USE_KERBEROS
+import samba.tests
+import samba.dsdb
+
+
+parser = optparse.OptionParser("acl.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+opts, args = parser.parse_args()
+
+if len(args) < 1:
+    parser.print_usage()
+    sys.exit(1)
+
+host = args[0]
+if "://" not in host:
+    ldaphost = "ldap://%s"; % host
+else:
+    ldaphost = host
+    start = host.rindex("://")
+    host = host.lstrip(start + 3)
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
+
+#
+# Tests start here
+#
+
+
+class AclTests(samba.tests.TestCase):
+
+    def setUp(self):
+        super(AclTests, self).setUp()
+
+        strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True)
+        if strict_checking is None:
+            strict_checking = '1'
+        self.strict_checking = bool(int(strict_checking))
+
+        self.ldb_admin = SamDB(ldaphost, credentials=creds, session_info=system_session(lp), lp=lp)
+        self.base_dn = self.ldb_admin.domain_dn()
+        self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
+        self.user_pass = "samba123@"
+        self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
+        self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
+        self.addCleanup(self.delete_admin_connection)
+        # used for anonymous login
+        self.creds_tmp = Credentials()
+        self.creds_tmp.set_username("")
+        self.creds_tmp.set_password("")
+        self.creds_tmp.set_domain(creds.get_domain())
+        self.creds_tmp.set_realm(creds.get_realm())
+        self.creds_tmp.set_workstation(creds.get_workstation())
+        print("baseDN: %s" % self.base_dn)
+
+        # set AttributeAuthorizationOnLDAPAdd and BlockOwnerImplicitRights
+        self.set_heuristic(samba.dsdb.DS_HR_ATTR_AUTHZ_ON_LDAP_ADD, b'11')
+
+    def set_heuristic(self, index, values):
+        self.assertGreater(index, 0)
+        self.assertLess(index, 30)
+        self.assertIsInstance(values, bytes)
+
+        # Get the old "dSHeuristics" if it was set
+        dsheuristics = self.ldb_admin.get_dsheuristics()
+        # Reset the "dSHeuristics" as they were before
+        self.addCleanup(self.ldb_admin.set_dsheuristics, dsheuristics)
+        # Set the "dSHeuristics" to activate the correct behaviour
+        default_heuristics = b"000000000100000000020000000003"
+        if dsheuristics is None:
+            dsheuristics = b""
+        dsheuristics += default_heuristics[len(dsheuristics):]
+        dsheuristics = (dsheuristics[:index - 1] +
+                        values +
+                        dsheuristics[index - 1 + len(values):])
+        self.ldb_admin.set_dsheuristics(dsheuristics)
+
+    def get_user_dn(self, name):
+        return "CN=%s,CN=Users,%s" % (name, self.base_dn)
+
+    def get_ldb_connection(self, target_username, target_password):
+        creds_tmp = Credentials()
+        creds_tmp.set_username(target_username)
+        creds_tmp.set_password(target_password)
+        creds_tmp.set_domain(creds.get_domain())
+        creds_tmp.set_realm(creds.get_realm())
+        creds_tmp.set_workstation(creds.get_workstation())
+        creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
+                                      | gensec.FEATURE_SEAL)
+        creds_tmp.set_kerberos_state(DONT_USE_KERBEROS)  # kinit is too expensive to use in a tight loop
+        ldb_target = SamDB(url=ldaphost, credentials=creds_tmp, lp=lp)
+        return ldb_target
+
+    # Test if we have any additional groups for users than default ones
+    def assert_user_no_group_member(self, username):
+        res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % self.get_user_dn(username))
+        try:
+            self.assertEqual(res[0]["memberOf"][0], "")
+        except KeyError:
+            pass
+        else:
+            self.fail()
+
+    def delete_admin_connection(self):
+        del self.sd_utils
+        del self.ldb_admin
+
+
+class AclModifyTests(AclTests):
+
+    def setup_computer_with_hostname(self, account_name):
+        ou_dn = f'OU={account_name},{self.base_dn}'
+        dn = f'CN={account_name},{ou_dn}'
+
+        user, password = "mouse", "mus musculus 123!"
+        self.addCleanup(self.ldb_admin.deleteuser, user)
+
+        self.ldb_admin.newuser(user, password)
+        self.ldb_user = self.get_ldb_connection(user, password)
+
+        self.addCleanup(self.ldb_admin.delete, ou_dn,
+                        controls=["tree_delete:0"])
+        self.ldb_admin.create_ou(ou_dn)
+
+        self.ldb_admin.add({
+            'dn': dn,
+            'objectClass': 'computer',
+            'sAMAccountName': account_name + '$',
+        })
+
+        host_name = f'{account_name}.{self.ldb_user.domain_dns_name()}'
+
+        m = Message(Dn(self.ldb_admin, dn))
+        m['dNSHostName'] = MessageElement(host_name,
+                                          FLAG_MOD_REPLACE,
+                                          'dNSHostName')
+
+        self.ldb_admin.modify(m)
+        return host_name, dn
+
+    def test_modify_delete_dns_host_name_specified(self):
+        '''Test deleting dNSHostName'''
+        account_name = self.id().rsplit(".", 1)[1][:63]
+        host_name, dn = self.setup_computer_with_hostname(account_name)
+
+        m = Message(Dn(self.ldb_user, dn))
+        m['dNSHostName'] = MessageElement(host_name,
+                                          FLAG_MOD_DELETE,
+                                          'dNSHostName')
+
+        self.assertRaisesLdbError(
+            ERR_INSUFFICIENT_ACCESS_RIGHTS,
+            "User able to delete dNSHostName (with specified name)",
+            self.ldb_user.modify, m)
+
+    def test_modify_delete_dns_host_name_unspecified(self):
+        '''Test deleting dNSHostName'''
+        account_name = self.id().rsplit(".", 1)[1][:63]
+        host_name, dn = self.setup_computer_with_hostname(account_name)
+
+        m = Message(Dn(self.ldb_user, dn))
+        m['dNSHostName'] = MessageElement([],
+                                          FLAG_MOD_DELETE,
+                                          'dNSHostName')
+
+        self.assertRaisesLdbError(
+            ERR_INSUFFICIENT_ACCESS_RIGHTS,
+            "User able to delete dNSHostName (without specified name)",
+            self.ldb_user.modify, m)
+
+    def test_modify_delete_dns_host_name_ldif_specified(self):
+        '''Test deleting dNSHostName'''
+        account_name = self.id().rsplit(".", 1)[1][:63]
+        host_name, dn = self.setup_computer_with_hostname(account_name)
+
+        ldif = f"""
+dn: {dn}
+changetype: modify
+delete: dNSHostName
+dNSHostName: {host_name}
+"""
+        self.assertRaisesLdbError(
+            ERR_INSUFFICIENT_ACCESS_RIGHTS,
+            "User able to delete dNSHostName (with specified name)",
+            self.ldb_user.modify_ldif, ldif)
+
+    def test_modify_delete_dns_host_name_ldif_unspecified(self):
+        '''Test deleting dNSHostName'''
+        account_name = self.id().rsplit(".", 1)[1][:63]
+        host_name, dn = self.setup_computer_with_hostname(account_name)
+
+        ldif = f"""
+dn: {dn}
+changetype: modify
+delete: dNSHostName
+"""
+        self.assertRaisesLdbError(
+            ERR_INSUFFICIENT_ACCESS_RIGHTS,
+            "User able to delete dNSHostName (without specific name)",
+            self.ldb_user.modify_ldif, ldif)
+
+
+ldb = SamDB(ldaphost, credentials=creds, session_info=system_session(lp), lp=lp)
+
+TestProgram(module=__name__, opts=subunitopts)
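Review bot: In the host parsing near the top of the file, `host = host.lstrip(start + 3)` passes an integer to `str.lstrip()`, which raises TypeError whenever the argument already contains `://`; a slice such as `host[start + 3:]` does what is intended. As shown here the line `ldaphost = "ldap://%s"; % host` also has a stray `;` that will not parse, the usage string still says `acl.py`, and the module-level `ldb = SamDB(...)` at the end opens an admin connection that nothing in the file uses.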
diff -Nru samba-4.17.6+dfsg/source4/dsdb/tests/python/confidential_attr.py samba-4.17.7+dfsg/source4/dsdb/tests/python/confidential_attr.py
--- samba-4.17.6+dfsg/source4/dsdb/tests/python/confidential_attr.py	2022-08-08 17:15:39.564193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/tests/python/confidential_attr.py	2023-03-20 12:03:45.135653300 +0300
@@ -25,6 +25,9 @@
 
 import samba
 import os
+import random
+import statistics
+import time
 from samba.tests.subunitrun import SubunitOptions, TestProgram
 import samba.getopt as options
 from ldb import SCOPE_BASE, SCOPE_SUBTREE
@@ -487,7 +490,7 @@
         self.make_attr_confidential()
 
         self.assert_conf_attr_searches(has_rights_to=0)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
         self.assert_attr_visible(expect_attr=False)
 
@@ -500,7 +503,7 @@
         self.make_attr_confidential()
 
         self.assert_conf_attr_searches(has_rights_to=0)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
         self.assert_attr_visible(expect_attr=False)
 
@@ -563,7 +566,7 @@
         self.make_attr_confidential()
 
         self.assert_conf_attr_searches(has_rights_to=0)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
         self.assert_attr_visible(expect_attr=False)
 
@@ -738,7 +741,7 @@
 
         # the user shouldn't be able to see the attribute anymore
         self.assert_conf_attr_searches(has_rights_to="deny-one")
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to="deny-one",
                                       dc_mode=dc_mode)
         self.assert_attr_visible(expect_attr=False)
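Review bot: `dc_mode = DC_MODE_RETURN_ALL` now replaces `self.guess_dc_mode()` here and at five other call sites in this file, with no comment on why the mode is fixed. Please add one line explaining the change in expectation, and if `guess_dc_mode()` has no remaining callers it should be removed in the same change.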
@@ -914,7 +917,7 @@
 
         self.assert_conf_attr_searches(has_rights_to=0)
         self.assert_attr_visible(expect_attr=False)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
 
         # as a final sanity-check, make sure the admin can still see the attr
@@ -924,12 +927,12 @@
         self.assert_negative_searches(has_rights_to="all",
                                       samdb=self.ldb_admin)
 
-    def get_guid(self, dn):
+    def get_guid_string(self, dn):
         """Returns an object's GUID (in string format)"""
         res = self.ldb_admin.search(base=dn, attrs=["objectGUID"],
                                     scope=SCOPE_BASE)
         guid = res[0]['objectGUID'][0]
-        return self.ldb_admin.schema_format_value("objectGUID", guid)
+        return self.ldb_admin.schema_format_value("objectGUID", guid).decode('utf-8')
 
     def make_attr_preserve_on_delete(self):
         """Marks the attribute under test as being preserve on delete"""
@@ -978,7 +981,7 @@
         # deleted objects, but only from this particular test run. We can do
         # this by matching lastKnownParent against this test case's OU, which
         # will match any deleted child objects.
-        ou_guid = self.get_guid(self.ou)
+        ou_guid = self.get_guid_string(self.ou)
         deleted_filter = "(lastKnownParent=<GUID={0}>)".format(ou_guid)
 
         # the extra-filter will get combined via AND with the search expression
@@ -1009,7 +1012,7 @@
         # check we can't see the objects now, even with using dirsync controls
         self.assert_conf_attr_searches(has_rights_to=0)
         self.assert_attr_visible(expect_attr=False)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
 
         # now delete the users (except for the user whose LDB connection
@@ -1022,4 +1025,163 @@
         self.assert_conf_attr_searches(has_rights_to=0)
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
 
+    def test_timing_attack(self):
+        # Create the machine account.
+        mach_name = f'conf_timing_{random.randint(0, 0xffff)}'
+        mach_dn = Dn(self.ldb_admin, f'CN={mach_name},{self.ou}')
+        details = {
+            'dn': mach_dn,
+            'objectclass': 'computer',
+            'sAMAccountName': f'{mach_name}$',
+        }
+        self.ldb_admin.add(details)
+
+        # Get the machine account's GUID.
+        res = self.ldb_admin.search(mach_dn,
+                                    attrs=['objectGUID'],
+                                    scope=SCOPE_BASE)
+        mach_guid = res[0].get('objectGUID', idx=0)
+
+        # Now we can create an msFVE-RecoveryInformation object that is a child
+        # of the machine account object.
+        recovery_dn = Dn(self.ldb_admin, str(mach_dn))
+        recovery_dn.add_child('CN=recovery_info')
+
+        secret_pw = 'Secret007'
+        not_secret_pw = 'Secret008'
+
+        secret_pw_utf8 = secret_pw.encode('utf-8')
+
+        # The crucial attribute, msFVE-RecoveryPassword, is a confidential
+        # attribute.
+        conf_attr = 'msFVE-RecoveryPassword'
+
+        m = Message(recovery_dn)
+        m['objectClass'] = 'msFVE-RecoveryInformation'
+        m['msFVE-RecoveryGuid'] = mach_guid
+        m[conf_attr] = secret_pw
+        self.ldb_admin.add(m)
+
+        attrs = [conf_attr]
+
+        # Search for the confidential attribute as administrator, ensuring it
+        # is visible.
+        res = self.ldb_admin.search(recovery_dn,
+                                    attrs=attrs,
+                                    scope=SCOPE_BASE)
+        self.assertEqual(1, len(res))
+        pw = res[0].get(conf_attr, idx=0)
+        self.assertEqual(secret_pw_utf8, pw)
+
+        # Repeat the search with an expression matching on the confidential
+        # attribute. This should also work.
+        res = self.ldb_admin.search(
+            recovery_dn,
+            attrs=attrs,
+            expression=f'({conf_attr}={secret_pw})',
+            scope=SCOPE_BASE)
+        self.assertEqual(1, len(res))
+        pw = res[0].get(conf_attr, idx=0)
+        self.assertEqual(secret_pw_utf8, pw)
+
+        # Search for the attribute as an unprivileged user. It should not be
+        # visible.
+        user_res = self.ldb_user.search(recovery_dn,
+                                        attrs=attrs,
+                                        scope=SCOPE_BASE)
+        pw = user_res[0].get(conf_attr, idx=0)
+        # The attribute should be None.
+        self.assertIsNone(pw)
+
+        # We use LDAP_MATCHING_RULE_TRANSITIVE_EVAL to create a search
+        # expression that takes a long time to execute, by setting off another
+        # search each time it is evaluated. It makes no difference that the
+        # object on which we're searching has no 'member' attribute.
+        dummy_dn = 'cn=user,cn=users,dc=samba,dc=example,dc=com'
+        slow_subexpr = f'(member:1.2.840.113556.1.4.1941:={dummy_dn})'
+        slow_expr = f'(|{slow_subexpr * 100})'
+
+        # The full search expression. It comprises a match on the confidential
+        # attribute joined by an AND to our slow search expression, The AND
+        # operator is short-circuiting, so if our first subexpression fails to
+        # match, we'll bail out of the search early. Otherwise, we'll evaluate
+        # the slow part; as its subexpressions are joined by ORs, and will all
+        # fail to match, every one of them will need to be evaluated. By
+        # measuring how long the search takes, we'll be able to infer whether
+        # the confidential attribute matched or not.
+
+        # This is bad if we are not an administrator, and are able to use this
+        # to determine the values of confidential attributes. Therefore we need
+        # to ensure we can't observe any difference in timing.
+        correct_expr = f'(&({conf_attr}={secret_pw}){slow_expr})'
+        wrong_expr = f'(&({conf_attr}={not_secret_pw}){slow_expr})'
+
+        def standard_uncertainty_bounds(times):
+            mean = statistics.mean(times)
+            stdev = statistics.stdev(times, mean)
+
+            return (mean - stdev, mean + stdev)
+
+        # Perform a number of searches with both correct and incorrect
+        # expressions, and return the uncertainty bounds for each.
+        def time_searches(samdb):
+            warmup_samples = 3
+            samples = 10
+            matching_times = []
+            non_matching_times = []
+
+            for _ in range(warmup_samples):
+                samdb.search(recovery_dn,
+                             attrs=attrs,
+                             expression=correct_expr,
+                             scope=SCOPE_BASE)
+
+            for _ in range(samples):
+                # Measure the time taken for a search, for both a matching and
+                # a non-matching search expression.
+
+                prev = time.time()
+                samdb.search(recovery_dn,
+                             attrs=attrs,
+                             expression=correct_expr,
+                             scope=SCOPE_BASE)
+                now = time.time()
+                matching_times.append(now - prev)
+
+                prev = time.time()
+                samdb.search(recovery_dn,
+                             attrs=attrs,
+                             expression=wrong_expr,
+                             scope=SCOPE_BASE)
+                now = time.time()
+                non_matching_times.append(now - prev)
+
+            matching = standard_uncertainty_bounds(matching_times)
+            non_matching = standard_uncertainty_bounds(non_matching_times)
+            return matching, non_matching
+
+        def assertRangesDistinct(a, b):
+            a0, a1 = a
+            b0, b1 = b
+            self.assertLess(min(a1, b1), max(a0, b0))
+
+        def assertRangesOverlap(a, b):
+            a0, a1 = a
+            b0, b1 = b
+            self.assertGreaterEqual(min(a1, b1), max(a0, b0))
+
+        # For an administrator, the uncertainty bounds for matching and
+        # non-matching searches should be distinct. This shows that the two
+        # cases are distinguishable, and therefore that confidential attributes
+        # are visible.
+        admin_matching, admin_non_matching = time_searches(self.ldb_admin)
+        assertRangesDistinct(admin_matching, admin_non_matching)
+
+        # The user cannot view the confidential attribute, so the uncertainty
+        # bounds for matching and non-matching searches must overlap. The two
+        # cases must be indistinguishable.
+        user_matching, user_non_matching = time_searches(self.ldb_user)
+        assertRangesOverlap(user_matching, user_non_matching)
+
+
 TestProgram(module=__name__, opts=subunitopts)
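Review bot: In `time_searches()` the intervals are taken with `time.time()`, which is wall-clock and can jump; `time.perf_counter()` or `time.monotonic()` is the right clock for measuring durations. With only 10 samples and a one-standard-deviation band, `assertRangesDistinct` for the administrator and `assertRangesOverlap` for the user can both fail spuriously on a loaded test host, so consider more samples or a more robust statistic.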
diff -Nru samba-4.17.6+dfsg/source4/dsdb/tests/python/large_ldap.py samba-4.17.7+dfsg/source4/dsdb/tests/python/large_ldap.py
--- samba-4.17.6+dfsg/source4/dsdb/tests/python/large_ldap.py	2022-08-08 17:15:39.568193400 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/tests/python/large_ldap.py	2023-03-20 12:03:44.451649000 +0300
@@ -32,7 +32,7 @@
 import samba.getopt as options
 
 from samba.auth import system_session
-from samba import ldb
+from samba import ldb, sd_utils
 from samba.samdb import SamDB
 from samba.ndr import ndr_unpack
 from samba import gensec
@@ -66,30 +66,32 @@
 
 class ManyLDAPTest(samba.tests.TestCase):
 
-    def setUp(self):
-        super(ManyLDAPTest, self).setUp()
-        self.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
-        self.base_dn = self.ldb.domain_dn()
-        self.OU_NAME_MANY="many_ou" + format(random.randint(0, 99999), "05")
-        self.ou_dn = ldb.Dn(self.ldb, "ou=" + self.OU_NAME_MANY + "," + str(self.base_dn))
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
+        cls.base_dn = self.ldb.domain_dn()
+        cls.OU_NAME_MANY="many_ou" + format(random.randint(0, 99999), "05")
+        cls.ou_dn = ldb.Dn(self.ldb, "ou=" + self.OU_NAME_MANY + "," + str(self.base_dn))
 
-        samba.tests.delete_force(self.ldb, self.ou_dn,
+        samba.tests.delete_force(cls.ldb, cls.ou_dn,
                                  controls=['tree_delete:1'])
 
-        self.ldb.add({
-            "dn": self.ou_dn,
+        cls.ldb.add({
+            "dn": cls.ou_dn,
             "objectclass": "organizationalUnit",
-            "ou": self.OU_NAME_MANY})
+            "ou": cls.OU_NAME_MANY})
 
         for x in range(2000):
-            ou_name = self.OU_NAME_MANY + str(x)
-            self.ldb.add({
-                "dn": "ou=" + ou_name + "," + str(self.ou_dn),
+            ou_name = cls.OU_NAME_MANY + str(x)
+            cls.ldb.add({
+                "dn": "ou=" + ou_name + "," + str(cls.ou_dn),
                 "objectclass": "organizationalUnit",
                 "ou": ou_name})
 
-    def tearDown(self):
-        samba.tests.delete_force(self.ldb, self.ou_dn,
+    @classmethod
+    def tearDownClass(cls):
+        samba.tests.delete_force(cls.ldb, self.ou_dn,
                                  controls=['tree_delete:1'])
 
     def test_unindexed_iterator_search(self):
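Review bot: `setUpClass` and `tearDownClass` take `cls`, but several converted lines still reference `self`: `cls.base_dn = self.ldb.domain_dn()`, the `ldb.Dn(self.ldb, "ou=" + self.OU_NAME_MANY + "," + str(self.base_dn))` call, and `delete_force(cls.ldb, self.ou_dn, ...)`. These raise NameError as soon as the class fixture runs; replace every `self` in the two classmethods with `cls`.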
@@ -117,34 +119,38 @@
 
 class LargeLDAPTest(samba.tests.TestCase):
 
-    def setUp(self):
-        super(LargeLDAPTest, self).setUp()
-        self.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
-        self.base_dn = self.ldb.domain_dn()
-        self.USER_NAME = "large_user" + format(random.randint(0, 99999), "05") + "-"
-        self.OU_NAME="large_user_ou" + format(random.randint(0, 99999), "05")
-        self.ou_dn = ldb.Dn(self.ldb, "ou=" + self.OU_NAME + "," + str(self.base_dn))
+    @classmethod
+    def setUpClass(cls):
+        cls.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
+        cls.base_dn = cls.ldb.domain_dn()
+
+        cls.sd_utils = sd_utils.SDUtils(cls.ldb)
+        cls.USER_NAME = "large_user" + format(random.randint(0, 99999), "05") + "-"
+        cls.OU_NAME="large_user_ou" + format(random.randint(0, 99999), "05")
+        cls.ou_dn = ldb.Dn(cls.ldb, "ou=" + cls.OU_NAME + "," + str(cls.base_dn))
 
-        samba.tests.delete_force(self.ldb, self.ou_dn,
+
+        samba.tests.delete_force(cls.ldb, cls.ou_dn,
                                  controls=['tree_delete:1'])
 
-        self.ldb.add({
-            "dn": self.ou_dn,
+        cls.ldb.add({
+            "dn": cls.ou_dn,
             "objectclass": "organizationalUnit",
-            "ou": self.OU_NAME})
+            "ou": cls.OU_NAME})
 
         for x in range(200):
-            user_name = self.USER_NAME + format(x, "03")
-            self.ldb.add({
-                "dn": "cn=" + user_name + "," + str(self.ou_dn),
+            user_name = cls.USER_NAME + format(x, "03")
+            cls.ldb.add({
+                "dn": "cn=" + user_name + "," + str(cls.ou_dn),
                 "objectclass": "user",
                 "sAMAccountName": user_name,
                 "jpegPhoto": b'a' * (2 * 1024 * 1024)})
 
-    def tearDown(self):
+    @classmethod
+    def tearDownClass(cls):
         # Remake the connection for tear-down (old Samba drops the socket)
-        self.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
-        samba.tests.delete_force(self.ldb, self.ou_dn,
+        cls.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
+        samba.tests.delete_force(cls.ldb, cls.ou_dn,
                                  controls=['tree_delete:1'])
 
     def test_unindexed_iterator_search(self):
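Review bot: `LargeLDAPTest.setUpClass` does not call `super().setUpClass()`, unlike the `ManyLDAPTest` version in the previous hunk, and neither `tearDownClass` calls `super().tearDownClass()`. Add both so base-class fixtures run. Moving the 200 users into class scope also means state is shared between test methods, which is worth a comment, and there is a doubled blank line before `delete_force`.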
@@ -246,6 +252,7 @@
         self.assertGreater(count, count_jpeg)
 
     def test_timeout(self):
+
         policy_dn = ldb.Dn(self.ldb,
                            'CN=Default Query Policy,CN=Query-Policies,'
                            'CN=Directory Service,CN=Windows NT,CN=Services,'
@@ -283,9 +290,19 @@
                       session_info=system_session(lp),
                       lp=lp)
 
+        for x in range(200):
+            user_name = self.USER_NAME + format(x, "03")
+            ace = "(OD;;RP;{6bc69afa-7bd9-4184-88f5-28762137eb6a};;S-1-%d)" % x
+            dn = ldb.Dn(self.ldb, "cn=" + user_name + "," + str(self.ou_dn))
+
+            # add an ACE that denies access to the above random attr
+            # for a not-existing user.  This makes each SD distinct
+            # and so will slow SD parsing.
+            self.sd_utils.dacl_add_ace(dn, ace)
+
         # Create a large search expression that will take a long time to
         # evaluate.
-        expression = '(anr=l)' * 10000
+        expression = f'(jpegPhoto=*X*)' * 1000
         expression = f'(|{expression})'
 
         # Perform the LDAP search.
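
Review bot: the dacl_add_ace loop in test_timeout modifies the 200 users that are now created once per class rather than per test, so the extra deny ACEs persist for every test that runs after this one and results can depend on test order. Either remove the ACEs at the end of the test or state in the comment that later tests are expected to tolerate them. The comment also refers to "the above random attr" while only a GUID is visible, so name the attribute the GUID stands for. Finally, f'(jpegPhoto=*X*)' has no placeholders and does not need the f prefix.
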
diff -Nru samba-4.17.6+dfsg/source4/selftest/tests.py samba-4.17.7+dfsg/source4/selftest/tests.py
--- samba-4.17.6+dfsg/source4/selftest/tests.py	2022-12-15 19:09:31.753236500 +0300
+++ samba-4.17.7+dfsg/source4/selftest/tests.py	2023-03-20 12:04:29.107923500 +0300
@@ -1322,6 +1322,7 @@
 plantestsuite_loadlist("samba4.urgent_replication.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(DSDB_PYTEST_DIR, "urgent_replication.py"), '$PREFIX_ABS/ad_dc_ntvfs/private/sam.ldb', '$LOADLIST', '$LISTOPT'])
 plantestsuite_loadlist("samba4.ldap.dirsync.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(DSDB_PYTEST_DIR, "dirsync.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 plantestsuite_loadlist("samba4.ldap.match_rules.python", "ad_dc_ntvfs", [python, os.path.join(srcdir(), "lib/ldb-samba/tests/match_rules.py"), '$PREFIX_ABS/ad_dc_ntvfs/private/sam.ldb', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
+plantestsuite_loadlist("samba4.ldap.match_rules.python", "ad_dc_ntvfs", [python, os.path.join(srcdir(), "lib/ldb-samba/tests/match_rules_remote.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 plantestsuite("samba4.ldap.index.python", "none", [python, os.path.join(srcdir(), "lib/ldb-samba/tests/index.py")])
 plantestsuite_loadlist("samba4.ldap.notification.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(DSDB_PYTEST_DIR, "notification.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 plantestsuite_loadlist("samba4.ldap.sites.python(ad_dc_default)", "ad_dc_default", [python, os.path.join(DSDB_PYTEST_DIR, "sites.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
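
Review bot: the added match_rules_remote.py entry is registered under the same suite name, "samba4.ldap.match_rules.python", as the match_rules.py entry directly above it. Two suites with one name make failures and knownfail entries ambiguous in the selftest output; give the new one its own name, for example with a _remote suffix.
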
@@ -1417,6 +1418,7 @@
     plantestsuite("samba4.ldap.possibleInferiors.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/samdb/ldb_modules/tests/possibleinferiors.py"), "ldap://$SERVER";, '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN"])
     plantestsuite_loadlist("samba4.ldap.secdesc.python(%s)" % env, env, [python, os.path.join(DSDB_PYTEST_DIR, "sec_descriptor.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
     plantestsuite_loadlist("samba4.ldap.acl.python(%s)" % env, env, ["STRICT_CHECKING=0", python, os.path.join(DSDB_PYTEST_DIR, "acl.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
+    plantestsuite_loadlist("samba4.ldap.acl_modify.python(%s)" % env, env, ["STRICT_CHECKING=0", python, os.path.join(DSDB_PYTEST_DIR, "acl_modify.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 
 for env in all_fl_envs + ["schema_dc", "ad_dc_no_ntlm"]:
     if env != "fl2000dc":
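
Review bot: the new acl_modify.py entry carries STRICT_CHECKING=0, apparently copied from the acl.py line above it. For a test added alongside access-check fixes, confirm that relaxed checking is actually needed, and say why in a comment if it is; otherwise drop it so the test runs with its strictest assertions.
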
diff -Nru samba-4.17.6+dfsg/source4/setup/schema_samba4.ldif samba-4.17.7+dfsg/source4/setup/schema_samba4.ldif
--- samba-4.17.6+dfsg/source4/setup/schema_samba4.ldif	2022-08-08 17:15:40.424200000 +0300
+++ samba-4.17.7+dfsg/source4/setup/schema_samba4.ldif	2023-03-20 12:03:45.135653300 +0300
@@ -231,6 +231,9 @@
 #Allocated: DSDB_CONTROL_INVALID_NOT_IMPLEMENTED 1.3.6.1.4.1.7165.4.3.32
 #Allocated: DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID 1.3.6.1.4.1.7165.4.3.33
 #Allocated: DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID 1.3.6.1.4.1.7165.4.3.34
+#Allocated: DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID 1.3.6.1.4.1.7165.4.3.35
+#Allocated: DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID 1.3.6.1.4.1.7165.4.3.36
+#Allocated: DSDB_CONTROL_ACL_READ_OID 1.3.6.1.4.1.7165.4.3.37
 
 
 # Extended 1.3.6.1.4.1.7165.4.4.x
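
Review bot: DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID is, by its name, a control that overrides a validated-write check, and the allocation list gives no hint of who may send it. Add a short comment next to the three new allocations stating their purpose and that they are internal-only, and check that the code rejects them when they arrive from an untrusted LDAP client.
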
@@ -243,6 +246,7 @@
 #Allocated: DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID 1.3.6.1.4.1.7165.4.4.7
 #Allocated: DSDB_EXTENDED_CREATE_OWN_RID_SET 1.3.6.1.4.1.7165.4.4.8
 #Allocated: DSDB_EXTENDED_ALLOCATE_RID 1.3.6.1.4.1.7165.4.4.9
+#Allocated: DSDB_EXTENDED_SCHEMA_LOAD 1.3.6.1.4.1.7165.4.4.10
 
 
 ############
diff -Nru samba-4.17.6+dfsg/source4/torture/ldb/ldb.c samba-4.17.7+dfsg/source4/torture/ldb/ldb.c
--- samba-4.17.6+dfsg/source4/torture/ldb/ldb.c	2022-08-08 17:15:40.448200200 +0300
+++ samba-4.17.7+dfsg/source4/torture/ldb/ldb.c	2023-03-20 12:03:44.691650600 +0300
@@ -1634,7 +1634,6 @@
 	TALLOC_CTX *mem_ctx = talloc_new(torture);
 	struct ldb_context *ldb;
 	struct ldb_val data = *discard_const_p(struct ldb_val, data_p);
-	struct ldb_message *unpack_msg = ldb_msg_new(mem_ctx);
 	struct ldb_message *msg = ldb_msg_new(mem_ctx);
 	const char *lookup_names[] = {"instanceType", "nonexistent",
 				      "whenChanged", "objectClass",
@@ -1649,18 +1648,15 @@
 		       "Failed to init samba");
 
 	torture_assert_int_equal(torture,
-				 ldb_unpack_data(ldb, &data, unpack_msg),
+				 ldb_unpack_data(ldb, &data, msg),
 				 0, "ldb_unpack_data failed");
 
-	torture_assert_int_equal(torture, unpack_msg->num_elements, 13,
+	torture_assert_int_equal(torture, msg->num_elements, 13,
 				 "Got wrong count of elements");
 
-	msg->dn = talloc_steal(msg, unpack_msg->dn);
-
 	torture_assert_int_equal(torture,
-				 ldb_filter_attrs(ldb, unpack_msg,
-						  lookup_names, msg),
-				 0, "ldb_kv_filter_attrs failed");
+				 ldb_filter_attrs_in_place(msg, lookup_names),
+				 0, "ldb_filter_attrs_in_place failed");
 
 	/* Compare data in binary form */
 	torture_assert_int_equal(torture, msg->num_elements, 6,
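
Review bot: with the switch to ldb_filter_attrs_in_place(msg, lookup_names) this torture test no longer calls ldb_filter_attrs at all. If ldb_filter_attrs remains part of the API after this change, keep a case for it as well so the copying variant does not lose its coverage; if it was removed, nothing more is needed here. The updated failure string matches the new function name, which the old one ("ldb_kv_filter_attrs failed") did not.
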
diff -Nru samba-4.17.6+dfsg/VERSION samba-4.17.7+dfsg/VERSION
--- samba-4.17.6+dfsg/VERSION	2023-03-09 12:18:38.345811800 +0300
+++ samba-4.17.7+dfsg/VERSION	2023-03-29 16:22:38.841019400 +0300
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
 
 ########################################################
 # If a official release has a serious bug              #
diff -Nru samba-4.17.6+dfsg/WHATSNEW.txt samba-4.17.7+dfsg/WHATSNEW.txt
--- samba-4.17.6+dfsg/WHATSNEW.txt	2023-03-09 12:18:38.345811800 +0300
+++ samba-4.17.7+dfsg/WHATSNEW.txt	2023-03-29 16:22:38.825019600 +0300
@@ -1,4 +1,75 @@
                    ==============================
+                   Release Notes for Samba 4.17.7
+                           March 29, 2023
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
+                 but otherwise unprivileged users to delete this attribute from
+                 any object in the directory.
+                 https://www.samba.org/samba/security/CVE-2023-0225.html
+
+o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
+                 remote LDAP server, will by default send new or reset
+                 passwords over a signed-only connection.
+                 https://www.samba.org/samba/security/CVE-2023-0922.html
+
+o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+                 Confidential attribute disclosure via LDAP filters was
+                 insufficient and an attacker may be able to obtain
+                 confidential BitLocker recovery keys from a Samba AD DC.
+                 Installations with such secrets in their Samba AD should
+                 assume they have been obtained and need replacing.
+                 https://www.samba.org/samba/security/CVE-2023-0614.html
+
+
+Changes since 4.17.6
+--------------------
+
+o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+   * BUG 15276: CVE-2023-0225.
+
+o  Andrew Bartlett <abartlet@samba.org>
+   * BUG 15270: CVE-2023-0614.
+   * BUG 15331: ldb wildcard matching makes excessive allocations.
+   * BUG 15332: large_ldap test is inefficient.
+
+o  Rob van der Linde <rob@catalyst.net.nz>
+   * BUG 15315: CVE-2023-0922.
+
+o  Joseph Sutton <josephsutton@catalyst.net.nz>
+   * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
+     allow full write to all attributes (additional changes).
+   * BUG 15270: CVE-2023-0614.
+   * BUG 15276: CVE-2023-0225.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+                   ==============================
                    Release Notes for Samba 4.17.6
                            March 09, 2023
                    ==============================
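
Review bot: the summary at the top of the 4.17.7 notes lists three CVEs, but the change list also carries "BUG 14810: CVE-2020-25720 ... (additional changes)", which the summary does not mention. Anyone triaging from the summary alone will miss that this release also changes Create Child permission handling; add a line for it there. The CVE-2023-0614 entry tells administrators what to do (treat the secrets as obtained and replace them); the CVE-2023-0922 entry would benefit from an equally explicit action line.
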
@@ -58,8 +129,7 @@
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.17.5
                           January 26, 2023

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
