diff -Nru samba-4.7.6+dfsg~ubuntu/debian/changelog samba-4.7.6+dfsg~ubuntu/debian/changelog
--- samba-4.7.6+dfsg~ubuntu/debian/changelog	2022-01-25 15:20:03.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/changelog	2022-11-09 14:42:14.000000000 +0000
@@ -1,3 +1,10 @@
+samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.29) bionic; urgency=medium
+
+  * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2
+    clients (LP: #1993934)
+
+ -- Andreas Hasenack <andreas@canonical.com>  Wed, 09 Nov 2022 11:42:14 -0300
+
 samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.28) bionic-security; urgency=medium
 
   * SECURITY UPDATE: code exec via out-of-bounds read/write in vfs_fruit
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/series samba-4.7.6+dfsg~ubuntu/debian/patches/series
--- samba-4.7.6+dfsg~ubuntu/debian/patches/series	2022-01-25 15:16:34.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/series	2022-11-09 14:42:14.000000000 +0000
@@ -171,3 +171,4 @@
 CVE-2021-44142-4.patch
 CVE-2021-44142-5.patch
 CVE-2021-44142-6.patch
+win-22H2-fix.patch
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/win-22H2-fix.patch samba-4.7.6+dfsg~ubuntu/debian/patches/win-22H2-fix.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/win-22H2-fix.patch	1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/win-22H2-fix.patch	2022-11-09 14:42:14.000000000 +0000
@@ -0,0 +1,138 @@
+From 56c949d2764b69050bc441bec68008f4a046f1d3 Mon Sep 17 00:00:00 2001
+From: Luke Howard <lukeh@padl.com>
+Date: Thu, 20 Oct 2022 13:27:31 +1300
+Subject: [PATCH 3/3] kdc: avoid re-encoding KDC-REQ-BODY
+
+Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
+re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
+
+[abartlet@samba.org adapted from Heimdal commit
+ ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
+ by removing references to FAST and GSS-pre-auth.
+
+ This fixes the Windows 11 22H2 issue with TGS-REQ
+ as seen at https://github.com/heimdal/heimdal/issues/1011 and so
+ removes the knownfail file for this test]
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+
+Ubuntu backport note: removed diff for files that do not exist in this version
+
+Origin: backport, https://bugzilla.samba.org/attachment.cgi?id=17596
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934
+Last-Update: 2022-11-09
+---
+ selftest/knownfail.d/windows11-22h2 |  2 --
+ source4/heimdal/kdc/krb5tgs.c       | 24 ++----------------------
+ source4/heimdal/kdc/pkinit.c        | 16 ++--------------
+ source4/heimdal/lib/asn1/krb5.opt   |  1 +
+ 4 files changed, 5 insertions(+), 38 deletions(-)
+ delete mode 100644 selftest/knownfail.d/windows11-22h2
+
+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
+index 13996f96b4a..f1393fa87a1 100644
+--- a/source4/heimdal/kdc/krb5tgs.c
++++ b/source4/heimdal/kdc/krb5tgs.c
+@@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context,
+ 			krb5_keyblock *key)
+ {
+     krb5_authenticator auth;
+-    size_t len = 0;
+-    unsigned char *buf;
+-    size_t buf_size;
+     krb5_error_code ret;
+     krb5_crypto crypto;
+ 
+@@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context,
+ 	goto out;
+     }
+ 
+-    /* XXX should not re-encode this */
+-    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
+-    if(ret){
+-	const char *msg = krb5_get_error_message(context, ret);
+-	kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
+-	krb5_free_error_message(context, msg);
+-	goto out;
+-    }
+-    if(buf_size != len) {
+-	free(buf);
+-	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
+-	*e_text = "KDC internal error";
+-	ret = KRB5KRB_ERR_GENERIC;
+-	goto out;
+-    }
+     ret = krb5_crypto_init(context, key, 0, &crypto);
+     if (ret) {
+ 	const char *msg = krb5_get_error_message(context, ret);
+-	free(buf);
+ 	kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ 	krb5_free_error_message(context, msg);
+ 	goto out;
+@@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context,
+     ret = krb5_verify_checksum(context,
+ 			       crypto,
+ 			       KRB5_KU_TGS_REQ_AUTH_CKSUM,
+-			       buf,
+-			       len,
++			       b->_save.data,
++			       b->_save.length,
+ 			       auth->cksum);
+-    free(buf);
+     krb5_crypto_destroy(context, crypto);
+     if(ret){
+ 	const char *msg = krb5_get_error_message(context, ret);
+diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
+index ad7f3efc10a..64ea4c00e41 100644
+--- a/source4/heimdal/kdc/pkinit.c
++++ b/source4/heimdal/kdc/pkinit.c
+@@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context,
+ 			 PKAuthenticator *a,
+ 			 const KDC_REQ *req)
+ {
+-    u_char *buf = NULL;
+-    size_t buf_size;
+     krb5_error_code ret;
+-    size_t len = 0;
+     krb5_timestamp now;
+     Checksum checksum;
+ 
+@@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context,
+ 	return KRB5KRB_AP_ERR_SKEW;
+     }
+ 
+-    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
+-    if (ret) {
+-	krb5_clear_error_message(context);
+-	return ret;
+-    }
+-    if (buf_size != len)
+-	krb5_abortx(context, "Internal error in ASN.1 encoder");
+-
+     ret = krb5_create_checksum(context,
+ 			       NULL,
+ 			       0,
+ 			       CKSUMTYPE_SHA1,
+-			       buf,
+-			       len,
++			       req->req_body._save.data,
++			       req->req_body._save.length,
+ 			       &checksum);
+-    free(buf);
+     if (ret) {
+ 	krb5_clear_error_message(context);
+ 	return ret;
+diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt
+index 1d6d5e8989f..5acc596d39c 100644
+--- a/source4/heimdal/lib/asn1/krb5.opt
++++ b/source4/heimdal/lib/asn1/krb5.opt
+@@ -4,3 +4,4 @@
+ --sequence=METHOD-DATA
+ --sequence=ETYPE-INFO
+ --sequence=ETYPE-INFO2
++--preserve-binary=KDC-REQ-BODY
+-- 
+2.25.1
+