[Pkg-samba-maint] [Git][samba-team/samba][experimental] 2988 commits: smbd: call exit_server_cleanly() to avoid panicking

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Mon Jan 29 18:45:43 GMT 2024



Michael Tokarev pushed to branch experimental at Debian Samba Team / samba


Commits:
36bb9480 by Ralph Boehme at 2023-07-06T11:56:19+00:00
smbd: call exit_server_cleanly() to avoid panicking

The parent smbd forwards SIGTERM to its process group in order to kill all
children like the scavenger. This happens from a function registered via
atexit() which means the signal forwarding is happening very briefly before the
main smbd process exits. When exiting the pipe between smbd and scavenger is
closed which triggers a file event in the scavenger.

However, due to kernel scheduling it is possible that the file descriptor event
is received before the signal, where we call exit_server() which calls
smb_panic() at the end.

Change the exit to exit_server_cleanly() and just log this event at level 2
which we already do.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15275

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jul  5 13:14:08 UTC 2023 on atb-devel-224

(cherry picked from commit 083fe1c28c6ec69cbd15d8cc2f7f06b1b630f2bc)

- - - - -
bdaf1b1c by Stefan Metzmacher at 2023-07-06T11:56:19+00:00
s3:libads: re-initialize num_requests to 0 for cldap_ping_list retries

Commit 8132edf119757ee91070facffef016c93de9c2a6 introduced a retry loop
around cldap_multi_netlogon(), but it forgot to reset num_requests to 0
for the retries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15416

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Jul  5 11:17:43 UTC 2023 on atb-devel-224

(cherry picked from commit 6965e77268e1abfc21f1793c7cd006444938ac03)

- - - - -
3b2f3cf8 by Stefan Metzmacher at 2023-07-06T11:56:19+00:00
s3:winbindd: call reset_cm_connection_on_error() in wb_cache_query_user_list()

This is mostly for consistency, every remote call should call
reset_cm_connection_on_error(). Note this is more than
a simple invalidate_cm_connection() as it may set
domain->conn.netlogon_force_reauth = true.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit cb59fd43bbf758e4bad774cfc19ef87b157052c2)

- - - - -
156bafb2 by Stefan Metzmacher at 2023-07-06T11:56:19+00:00
s3:winbindd: make use of reset_cm_connection_on_error() for winbindd_lookup_{names,sids}()

Note this is more than a simple invalidate_cm_connection() as it may set
domain->conn.netlogon_force_reauth = true.

This is not strictly needed as the callers call
reset_cm_connection_on_error() via reconnect_need_retry().
But it might avoid one roundtrip.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 4ad5a35a3f67860aa7a1345efcfc92fe40578e31)

- - - - -
12043529 by Stefan Metzmacher at 2023-07-06T11:56:19+00:00
s3:winbindd: let winbind_samlogon_retry_loop() always start with authoritative = 1

Otherwise we could treat a local problem as non-authoritative.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 0cb6de4b1d5410f3699172952be81c6eb75c2c86)

- - - - -
ddd61699 by Stefan Metzmacher at 2023-07-06T11:56:19+00:00
s3:winbindd: make use of reset_cm_connection_on_error() in winbind_samlogon_retry_loop()

Note this is more than a simple invalidate_cm_connection() as it may set
domain->conn.netlogon_force_reauth = true, which is important in order
to recover from NT_STATUS_RPC_SEC_PKG_ERROR errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit b317b10dffd99d1add3ff0b85b958edd9639abc8)

- - - - -
9b25d901 by Stefan Metzmacher at 2023-07-06T13:01:55+00:00
s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS

When we were not able to get a valid response from any DC we should
report NT_STATUS_NO_LOGON_SERVERS with authoritative = 1.

This matches what Windows does. In a chain of transitive
trusts the ACCESS_DENIED/authoritative=0 is not propagated,
instead NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
passed along the chain if no other DC is available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 50e771c12f84f9268c2e9ddeef0965f79f85de3d)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Thu Jul  6 13:01:55 UTC 2023 on atb-devel-224

- - - - -
10828732 by Jule Anger at 2023-07-19T17:01:18+02:00
Merge tag 'samba-4.18.5' into v4-18-test

samba: tag release samba-4.18.5

- - - - -
9100d5ac by Jule Anger at 2023-07-19T17:04:23+02:00
VERSION: Bump version up to Samba 4.18.6...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
5ac859e9 by Günther Deschner at 2023-07-19T15:14:13+00:00
s3-net: no secrets access required when processing an ODJ provisioning

It should be possible to call "net offlinejoin provision" as non-root,
no access to secrets.tdb required in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15414

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Wed Jul  5 09:23:22 UTC 2023 on atb-devel-224

(cherry picked from commit bf7fbf7e2b675145e25ce7bffc29abbf44c35540)

- - - - -
96793d42 by Ralph Boehme at 2023-07-19T16:23:17+00:00
smbd: don't leak the fsp if close_file_smb() fails

This can happen if DELETE-ON-CLOSE is set, but the deletion fails for some
reason.

The bug was introduced by 1808e5c133474eabc9d3cf91c2a92ec4d92d9fdd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15417

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Jul 10 21:32:32 UTC 2023 on atb-devel-224

(cherry picked from commit 4da50463e1b75c06d5f8c066e8b4eff48186afb0)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Wed Jul 19 16:23:17 UTC 2023 on atb-devel-224

- - - - -
14ce7756 by Noel Power at 2023-07-24T10:19:13+00:00
python/samba: Adjust tarfile extraction filter

The 'data_filter' is far too restrictive, this filter doesn't apply any
mode bits to directories which in turn will result in unexpected
directory permissions of, amongst others, the msg.[ls]ock directories.

With 'data_filter' and a 'patched' python at best we experience
CI failures with samba-ad-back1 & samba-ad-back2 CI jobs due to server
startup failures, at worst user/admins will need to adjust directory
permissions post backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e401ae44b2f952fc2686065fbfb3a563e3d4066a)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Mon Jul 24 10:19:13 UTC 2023 on atb-devel-224

- - - - -
c403201a by Stefan Metzmacher at 2023-07-28T10:48:33+00:00
VERSION: Bump version up to 4.20.0pre1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
1771ee69 by Stefan Metzmacher at 2023-07-28T10:48:33+00:00
WHATSNEW: Start release notes for Samba 4.20.0pre1.

Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
7319c759 by Jule Anger at 2023-07-28T11:49:02+00:00
ldb: change the version to 2.9.0 for Samba 4.20

Signed-off-by: Jule Anger <janger at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Jul 28 11:49:02 UTC 2023 on atb-devel-224

- - - - -
c052d8bd by Pavel Filipenský at 2023-07-28T12:41:12+00:00
s3:tests: Add rpcclient 'dfsgetinfo' test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15400

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2af9c65f2a17ace4e1021b5c8fd6df636c904cfe)

- - - - -
19e110d7 by Pavel Filipenský at 2023-07-28T12:41:12+00:00
s3:rpc_server: Initialize consumedcnt to 0 in _dfs_GetInfo()

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 8c10f53928653d02bbb75d6ab05510e87ee97420)

- - - - -
aa2af3c0 by Pavel Filipenský at 2023-07-28T12:41:12+00:00
s3:rpc_server: Fix double backslash issue in dfs path

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15400

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Jul  5 20:24:35 UTC 2023 on atb-devel-224

(cherry picked from commit 6f073f258f1f4f03a8eb568ea05be78fdbec49eb)

- - - - -
c1c2a0ec by Pavel Filipenský at 2023-07-28T13:37:01+00:00
s3:winbindd: Fix double close(fd)

Reported by Red Hat internal coverity

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15433

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Tue Jul 25 12:08:49 UTC 2023 on atb-devel-224

(cherry picked from commit dd998cc163358edd6c748e40900247877f91eb1f)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Fri Jul 28 13:37:01 UTC 2023 on atb-devel-224

- - - - -
b57cdfd7 by Noel Power at 2023-07-28T23:50:32+00:00
selftest: Add new dfs share (with widelinks enabled)

Adds share (to be used in later test) that has dfs node
but additionally has widelinks set to yes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
3d2e9db8 by Noel Power at 2023-07-28T23:50:32+00:00
selftest: Add new regression test dfs with widelinks = yes

Adds a new test trying to cd into dfs path on share with
widelinks enabled, should generate an error (see BUG:)

Add a knownfail so CI continues

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
2668dcd0 by Noel Power at 2023-07-28T23:50:32+00:00
s3/modules: Add flag indicating if connected share is a dfs share

Not used yet, will be used in the next commit to avoid testing
if the connected share is a dfs one.

Pair-Programmed-With: Jeremy Alison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
0bf8b25a by Noel Power at 2023-07-29T00:43:52+00:00
s3/modules: Fix DFS links when widelinks = yes

In openat(), even if we fail to open the file,
propagate stat if and only if the object is a link in
a DFS share. This allows calling code to further process
the link.

Also remove knownfail

Pair-Programmed-With: Jeremy Alison <jra at samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Jul 29 00:43:52 UTC 2023 on atb-devel-224

- - - - -
b6e80733 by Arvid Requate at 2023-07-31T06:18:32+00:00
For Bug #9959: local talloc frame for next commit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Arvid Requate <requate at univention.de>

[abartlet at samba.org Added additional talloc_free() in failure paths]
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
2d461844 by Arvid Requate at 2023-07-31T06:18:32+00:00
Bug #9959: Don't search for CN=System

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Arvid Requate <requate at univention.de>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
25b0e110 by Andrew Bartlett at 2023-07-31T06:18:33+00:00
dsdb: Add new function samdb_system_container_dn()

This will replace many calls crafting or searching for this DN
elsewhere in the code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
97b682e0 by Andrew Bartlett at 2023-07-31T06:18:33+00:00
dsdb: Use samdb_system_container_dn() in samldb.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
3669caa9 by Andrew Bartlett at 2023-07-31T06:18:33+00:00
dsdb: Use samdb_get_system_container_dn() to get Password Settings Container

By doing this we use the common samdb_get_system_container_dn() routine and we
avoid doing a linearize and parse step on the main DN, instead using the
already stored parse of the DN.  This is more hygienic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
4e18066f by Andrew Bartlett at 2023-07-31T06:18:33+00:00
s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
a900f6aa by Andrew Bartlett at 2023-07-31T06:18:33+00:00
s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
13eed1e0 by Andrew Bartlett at 2023-07-31T06:18:33+00:00
s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
9b4f3f3c by Andrew Bartlett at 2023-07-31T06:18:33+00:00
s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
4250d07e by Andrew Bartlett at 2023-07-31T06:18:33+00:00
dsdb: Use samdb_system_container_dn() in dsdb_trust_*()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
5571ce96 by Andrew Bartlett at 2023-07-31T07:20:21+00:00
dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*()

This makes more calls to add children, but avoids the cn=system string in the
codebase which makes it easier to audit that this is always being built
correctly.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jul 31 07:20:21 UTC 2023 on atb-devel-224

- - - - -
160b7dc0 by Ralph Boehme at 2023-07-31T08:05:13+00:00
mdssvc: set query state for continued queries to SLQ_STATE_RUNNING

SLQ_STATE_RESULTS implies that there are already results attached to the slq
which is not the case. Instead the backend will start processing from where it
left off when it hits the maximum result limit and had set the state to
SLQ_STATE_FULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4149ef97e5906604be1587622f390f121db183e2)

- - - - -
7d5e9f5f by Ralph Boehme at 2023-07-31T08:05:13+00:00
mdssvc: fix long running backend queries

If a query is still running in the backend and we have no results yet, returning
0 triggers a search termination by the client in latest macOS releases. macOS
returns 0x23 in this case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 925fefae20e52a3c89a56bdd0cd5b98cc951db5f)

- - - - -
60fdb3ad by Ralph Boehme at 2023-07-31T08:05:13+00:00
mdssvc: add and use SL_PAGESIZE

SL_PAGESIZE is the number of entries we want to process per paged search result
set. This is different from MAX_SL_RESULTS which ought to be a default maximum
value for total number of results returned for a search query.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 086c2602d074d4dc0d44f5534857e5f59a8690b2)

- - - - -
39c2b556 by Ralph Boehme at 2023-07-31T08:05:14+00:00
mdssvc: fix enforcement of "elasticsearch:max results"

This wasn't enforced at all thus a query would return all available matches
without limit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit d8fa5c8e2a1794ea8dc663485315ebd9401b2628)

- - - - -
3036f3cb by Ralph Boehme at 2023-07-31T08:05:14+00:00
tests/mdssvc: match hits:total:value to be the actual amount of entries in hits

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 7f5e4edf64f7e4175f652bf8762d4edc110ad6b1)

- - - - -
590c9164 by Ralph Boehme at 2023-07-31T08:05:14+00:00
mdssvc: reduce pagesize to 50

Latest macOS queries additional file metadata per search result, which causes
the marshalled paged result set including metadata to exceed the 64 KB result
fragment buffer.

Lacking fragmentation support in mdssvc (it's supported by the protocol), for
now just reduce the maximum number of results per search page.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 724a0518c901589fe1171d94648391832e056f4d)

- - - - -
aa4db8a3 by Ralph Boehme at 2023-07-31T08:05:14+00:00
mdssvc: prepare for returning timestamps with sub-seconds granularity

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15427

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 9dc66fecf7c1743d264c5c4f8978b77bab75ed86)

- - - - -
f4a33735 by Ralph Boehme at 2023-07-31T08:05:14+00:00
mdssvc: fix date marshalling

Did this ever work? Possibly just copied over from Netatalk and was always
broken... The Mac client expects the timevalue as seconds relative to
2001-01-01 00:00:00 UTC, packed as IEEE float.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15427

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 620ca1e68d02be45a94aa41217a141d211fceb1f)

- - - - -
35573c04 by Ralph Boehme at 2023-07-31T09:11:21+00:00
mdssvc: fix returning file modification date for older Mac releases

Mac 10.10 uses kMDItemContentModificationDate instead of
kMDItemFSContentChangeDate.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15427

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Jul 26 23:42:44 UTC 2023 on atb-devel-224

(cherry picked from commit c2e83ebe726b7bc42b329198214c784936f19888)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Mon Jul 31 09:11:21 UTC 2023 on atb-devel-224

- - - - -
217beca6 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Ensure Firewalld tests don't flop

This test was failing depending on the system it
was run on, since the result depends on whether
firewalld python bindings were installed. This
wasn't failing in CI (and so there is no flopping
test marked), but does fail on some local systems.

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b49d150d by David Mulder at 2023-07-31T09:58:30+00:00
gp: Test modifying firewalld policy enforces changes

Ensure that modifying the firewalld policy and
re-applying will enforce the correct policy.

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
32a70df7 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Test modifying firefox policy enforces changes

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ef0c54d7 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Test modifying MOTD policy enforces changes

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ae752b8c by David Mulder at 2023-07-31T09:58:30+00:00
gp: Test modifying Messages policy enforces changes

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c5571718 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Test modifying Issue policy enforces changes

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5c2dc0cc by David Mulder at 2023-07-31T09:58:30+00:00
gp: Test modifying smb.conf policy enforces changes

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
70d3601f by David Mulder at 2023-07-31T09:58:30+00:00
gp: Test modifying script user policy enforces changes

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7db3b63e by David Mulder at 2023-07-31T09:58:30+00:00
gp: Test modifying centrify crontab user policy enforces changes

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6ac22de7 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Ensure Firewalld performs proper cleanup

Now uses gp_applier to ensure old settings are
properly cleaned up.

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8f59ce54 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Add a misc applier, to assist some gp exts

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
03d796c6 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Ensure Firefox policy performs proper cleanup

Now uses gp_misc_applier to ensure old settings
are properly cleaned up.

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8a248290 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Ensure Messages policy performs proper cleanup

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8bdb1b65 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Ensure Issue policy performs proper cleanup

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a330ad7b by David Mulder at 2023-07-31T09:58:30+00:00
gp: Ensure MOTD policy performs proper cleanup

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b278f158 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Ensure smb.conf policy performs proper cleanup

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8cc706c1 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Ensure script user policy performs proper cleanup

This resolves cleanup issues for scripts user
policy.

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ab2cda79 by David Mulder at 2023-07-31T09:58:30+00:00
gp: Ensure centrify crontab user policy performs proper cleanup

This resolves cleanup issues for user and group
centrify compatible policies. It also ensures the
crontab policies use functions from the scripts
policy, to avoid code duplication and simplify
cleanup.

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
16eaf7fd by David Mulder at 2023-07-31T10:55:26+00:00
gp: Cleanup some unused code

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Jul 31 10:55:26 UTC 2023 on atb-devel-224

- - - - -
f374da1d by Pavel Filipenský at 2023-07-31T10:56:54+00:00
s4:auth: Fix trailing whitespaces in kerberos_util.c

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
dfc26dc4 by Pavel Filipenský at 2023-07-31T10:56:54+00:00
auth:kerberos: Fix resource leak in parse_principal()

Reported by Red Hat internal covscan
leaked_storage: Variable "princ" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
f1356805 by Pavel Filipenský at 2023-07-31T10:56:54+00:00
auth:kerberos: Fix resource leak in smb_krb5_get_keytab_container()

Reported by Red Hat internal covscan
leaked_storage: Variable "keytab" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
25647129 by Pavel Filipenský at 2023-07-31T10:56:54+00:00
auth:kerberos: Fix resource leak in smb_krb5_update_keytab()

Reported by Red Hat internal covscan
leaked_storage: Variable "keytab" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
3ef5162d by Pavel Filipenský at 2023-07-31T10:56:54+00:00
auth:credentials: Fix resource leak in cli_credentials_set_from_ccache()

Reported by Red Hat internal covscan
leaked_storage: Variable "princ" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
c58a7142 by Pavel Filipenský at 2023-07-31T10:56:54+00:00
lib:krb5_wrap: Fix resource leak in smb_krb5_kt_seek_and_delete_old_entries

Reported by Red Hat internal covscan
leaked_storage: Variable "cursor" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
5cc86160 by Andrew Bartlett at 2023-07-31T10:56:54+00:00
lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern

This moves success logs 6 -> 10, failure logs 4 -> 5.

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
acf6d89c by Andrew Bartlett at 2023-07-31T10:56:54+00:00
dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c

This will be useful when adding debugging to other routines.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
78669a04 by Andrew Bartlett at 2023-07-31T10:56:54+00:00
dsdb: Add tracing to dsdb_search() similar to gendb_search_v()

The aim of this tracing is to make it simple to follow the
requests made from the RPC server and similar to LDB now that
gendb_search_v() is no longer the dominant interface.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
d23dd3e2 by Andrew Bartlett at 2023-07-31T11:49:19+00:00
dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v()

The aim of this tracing is to make it simple to follow the
requests made from the RPC server and similar to LDB now that
gendb_search_v() is no longer the dominant interface.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jul 31 11:49:19 UTC 2023 on atb-devel-224

- - - - -
3b3b92f5 by Arvid Requate at 2023-08-01T09:53:17+00:00
For Bug #9959: local talloc frame for next commit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Arvid Requate <requate at univention.de>

[abartlet at samba.org Added additional talloc_free() in failure paths]
Reviewed-by: Stefan Metzmacher <metze at samba.org>

(cherry picked from commit b6e80733c3a589f9d784eec86fc713f1ec9c1049)

- - - - -
364730e9 by Arvid Requate at 2023-08-01T09:53:17+00:00
Bug #9959: Don't search for CN=System

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Arvid Requate <requate at univention.de>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 2d461844a201fbca55ebc9a46a15e1d16048055b)

- - - - -
c14fbf24 by Andrew Bartlett at 2023-08-01T09:53:17+00:00
dsdb: Add new function samdb_system_container_dn()

This will replace many calls crafting or searching for this DN
elsewhere in the code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 25b0e1102e1a502152d2695aeddf7c65555b16fb)

- - - - -
820752e3 by Andrew Bartlett at 2023-08-01T09:53:17+00:00
dsdb: Use samdb_system_container_dn() in samldb.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 97b682e0eb0450513dcecb74be672e18e84fe7a2)

- - - - -
8e45b202 by Andrew Bartlett at 2023-08-01T09:53:17+00:00
dsdb: Use samdb_get_system_container_dn() to get Password Settings Container

By doing this we use the common samdb_get_system_container_dn() routine and we
avoid doing a linearize and parse step on the main DN, instead using the
already stored parse of the DN.  This is more hygienic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 3669caa97f76d3e893ac6a1ab88341057929ee6a)

- - - - -
32704194 by Andrew Bartlett at 2023-08-01T09:53:17+00:00
s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 4e18066fa243da1c505f782ba87187c3bb1078ee)

- - - - -
c3595310 by Andrew Bartlett at 2023-08-01T09:53:17+00:00
s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a900f6aa5d909d912ee3ca529baa4047c9c4da87)

- - - - -
ae64a438 by Andrew Bartlett at 2023-08-01T09:53:17+00:00
s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 13eed1e0e7d0bdef6b5cdb6b858f124b812adbea)

- - - - -
5f908aef by Andrew Bartlett at 2023-08-01T09:53:17+00:00
s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 9b4f3f3cb4ed17bb233d3b5ccd191be63f01f3f4)

- - - - -
da03582f by Andrew Bartlett at 2023-08-01T09:53:17+00:00
dsdb: Use samdb_system_container_dn() in dsdb_trust_*()

This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 4250d07e4dcd43bf7450b1ae603ff46fdc892d02)

- - - - -
ed62f4fa by Andrew Bartlett at 2023-08-01T10:57:04+00:00
dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*()

This makes more calls to add children, but avoids the cn=system string in the
codebase which makes it easier to audit that this is always being built
correctly.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jul 31 07:20:21 UTC 2023 on atb-devel-224

(cherry picked from commit 5571ce9619d856d3c9545099366f4e0259aee8ef)

RN: A second container with name CN=System would disable the operation
 of the Samba AD DC.  Samba now finds the CN=System container by exact
 DN and not a search.

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Tue Aug  1 10:57:04 UTC 2023 on atb-devel-224

- - - - -
8f4c1c67 by Jones Syue at 2023-08-02T11:16:40+00:00
vfs_aio_pthread: fix segfault if samba-tool ntacl get

If configured as an AD DC with aio_pthread appended to 'vfs objects'[1],
running these commands would segfault:
1. sudo samba-tool ntacl get .
2. sudo net vfs getntacl sysvol .
gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2],
and the fsp->conn->sconn->client is null (0x0).

'sconn->client' memory is allocated when a new connection is accepted:
smbd_accept_connection > smbd_process > smbXsrv_client_create
Running local commands, however, looks like it would not go through
smbXsrv_client_create, so 'client' is null and a segfault might happen.
We should not dereference 'client->server_multi_channel_enabled'
if 'client' is null.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441

[1] smb.conf example, samba-4.18.5, ubuntu 22.04.2
[global]
        dns forwarder = 127.0.0.53
        netbios name = U22-JONES-88X1
        realm = U22-JONES-88X1.X88X1.JONES
        server role = active directory domain controller
        workgroup = X88X1
        idmap_ldb:use rfc2307 = yes
        vfs objects = dfs_samba4 acl_xattr aio_pthread

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts
        read only = No

[2] gdb
(gdb) run /usr/local/samba/bin/samba-tool ntacl get .
Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get .
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
    at ../../source3/modules/vfs_aio_pthread.c:467
warning: Source file is more recent than executable.
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) bt
    at ../../source3/modules/vfs_aio_pthread.c:467
    at ../../source3/smbd/pysmbd.c:320
---Type <return> to continue, or q <return> to quit---
(gdb) f
    at ../../source3/modules/vfs_aio_pthread.c:467
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) p fsp->conn->sconn->client
$1 = (struct smbXsrv_client *) 0x0
(gdb)

Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
c67534fe by Andrew Bartlett at 2023-08-02T11:16:41+00:00
selftest: Add test for combination of anr and paged_results

This combination was known to cause a segfault in Samba 4.13, fixed by
5f0590362c5c0c5ee20503a67467f9be2d50e73b in later versions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14970

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
1b68bd97 by Stefan Metzmacher at 2023-08-02T11:16:41+00:00
paged_results: add no memory checks in paged_search()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442

Signed-off-by: Arvid Requate <requate at univention.de>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>

[abartlet at samba.org combination of two patches by the above authors]

- - - - -
3b51091c by Andrew Bartlett at 2023-08-02T11:16:41+00:00
dsdb: Replace talloc_steal() with a shallow copy and reference in dsdb_paged_results

We should not be stealing caller memory like this, and while a
talloc_reference() is not much better, this combined with a
shallow copy should be a little better in terms of polite
memory management.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
00316255 by Andrew Bartlett at 2023-08-02T12:10:19+00:00
dsdb: Make a shallow copy of ldb_parse_tree in operational module

We should not be making modifications to caller memory.  In
particular, this causes problems for logging of requests if the
original request becomes modified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Aug  2 12:10:20 UTC 2023 on atb-devel-224

- - - - -
06d673a1 by Joseph Sutton at 2023-08-03T05:40:28+00:00
third_party/heimdal: Import lorikeet-heimdal-202308030152 (commit 2a036a6fd80833799316b8a85623cdea3a1135df)

This import fixes the build on 32-bit FreeBSD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15443

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
Autobuild-Date(master): Thu Aug  3 05:40:28 UTC 2023 on atb-devel-224

- - - - -
e50f377b by Noel Power at 2023-08-03T07:42:17+00:00
selftest: Add new dfs share (with widelinks enabled)

Adds share (to be used in later test) that has dfs node
but additionally has widelinks set to yes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit b57cdfd7efb161cf96b3a39dc7a1652db817e602)

- - - - -
5db858c1 by Noel Power at 2023-08-03T07:42:17+00:00
selftest: Add new regression test dfs with widelinks = yes

Adds a new test trying to cd into dfs path on share with
widelinks enabled, should generate an error (see BUG:)

Add a knownfail so CI continues

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 3d2e9db8b95f9f45d486f8272e53584975f177fa)

- - - - -
e949750d by Noel Power at 2023-08-03T07:42:17+00:00
s3/modules: Add flag indicating if connected share is a dfs share

Not used yet, will be used in the next commit to avoid testing
if the connected share is a dfs one.

Pair-Programmed-With: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 2668dcd0968133cca4f8410bf8c41ed0483f5d87)

- - - - -
c40f1619 by Noel Power at 2023-08-03T08:44:47+00:00
s3/modules: Fix DFS links when widelinks = yes

In openat(), even if we fail to open the file,
propagate stat if and only if the object is a link in
a DFS share. This allows calling code to further process
the link.

Also remove knownfail

Pair-Programmed-With: Jeremy Allison <jra at samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Jul 29 00:43:52 UTC 2023 on atb-devel-224

(cherry picked from commit 0bf8b25aacdf2f5c746922320b32e3f0886c81f5)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Thu Aug  3 08:44:47 UTC 2023 on atb-devel-224

- - - - -
d0b2c27d by Andreas Schneider at 2023-08-03T14:31:34+00:00
lib:fuzzing: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
edcebcd4 by Andreas Schneider at 2023-08-03T14:31:34+00:00
lib:tevent: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
0ed62798 by Andreas Schneider at 2023-08-03T14:31:34+00:00
s3:utils: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
01c31c8f by Andreas Schneider at 2023-08-03T14:31:34+00:00
s3:spoolss: Remove dead code

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
795e464c by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:auth: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
69498022 by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:cldap_server: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
dbb1fbe8 by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:client: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
ed3c1fcb by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:dns_server: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
2304ec43 by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:dsdb:common: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
e3319795 by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:dsdb:kcc: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
3ebe11cd by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:dsdb:repl: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
f34ef1ef by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:dsdb:samdb: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
969bcc28 by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:dsdb:schema: Fix trailing white spaces

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
bedc978c by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:dsdb:schema: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
b29793ff by Andreas Schneider at 2023-08-03T14:31:34+00:00
s4:dsdb:tests: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
- - - - -
85c8222b by Andreas Schneider at 2023-08-03T15:25:01+00:00
s4:kdc: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Aug  3 15:25:01 UTC 2023 on atb-devel-224

- - - - -
5949adab by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: turn user.py into module netcmd.user

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
87aae028 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user add command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e85070b0 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user delete command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
970c2bcb by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user enable command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0385e4a9 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user disable command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
69536ff7 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user list command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c621183c by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user setexpiry command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
84c13a86 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move common code used by various password commands

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9b47a424 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user password command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f20b5f60 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user getgroups command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a6e1b569 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user setprimarygroup command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
65fc1472 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user setpassword command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b5145683 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user getpassword and syncpasswords commands

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d08f7260 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user edit command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4a34b681 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user show command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
41492dad by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user move command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
44a974e1 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user rename command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
95f6abeb by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user unlock command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8c4a6e55 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user add_unix_attrs command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
10aa17a4 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: move user sensitive command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fab69e47 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: readpasswords: turn getpassword.py into readpasswords module

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6319df10 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: readpasswords: move show command to readpasswords

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
24c56761 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: readpasswords: move common.py to readpasswords

It only contains code relating to the getpassword module.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1929cca2 by Rob van der Linde at 2023-08-04T04:31:37+00:00
netcmd: user: readpasswords: move getpassword command to readpasswords

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3452b0d2 by Rob van der Linde at 2023-08-04T05:27:53+00:00
netcmd: user: readpasswords: move syncpasswords command to readpasswords

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Aug  4 05:27:53 UTC 2023 on atb-devel-224

- - - - -
7f87d028 by Andrew Bartlett at 2023-08-04T07:02:15+00:00
lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 848fea1a01a4ddc1598150823d5d0784d3ef0be4)

- - - - -
2ed39136 by Andrew Bartlett at 2023-08-04T07:02:15+00:00
python: Move PyList_AsStringList to common code so we can reuse

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit fd81759e2ed44cac3bc67243a39256f953969103)

- - - - -
534425ba by Andrew Bartlett at 2023-08-04T07:02:15+00:00
python: Remove const from PyList_AsStringList()

The returned strings are not owned by python, so need not be const.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 5afd206d1d8f0344a2f1fa7a238204d1fb164eda)

- - - - -
8c2c1b54 by Andrew Bartlett at 2023-08-04T07:02:15+00:00
python: Add glue.burn_commandline() method

This uses samba_cmdline_burn() so as to have common
command line redaction code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 3f9e455898554b726bf1689f743b2d9cb6b59537)

- - - - -
e724909a by Andrew Bartlett at 2023-08-04T07:02:15+00:00
samba-tool: Use samba.glue.get_burnt_cmdline rather than regex

This use avoids having two different methods to match on command-line
passwords.  We already have a dependency on the setproctitle python
module, and this does not change as the (C) libbsd setproctitle()
can't be run from within a python module.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a53ebc288f47329c997d52325eeeb5e91ce43b75)

- - - - -
c11b6d6b by Andrew Bartlett at 2023-08-04T07:02:15+00:00
lib/cmdline: Also burn the --password2 parameter if given

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 414b3803bb6a1b12c44b52ab1ff64a8b7f61fd03)

- - - - -
e9114241 by Andrew Bartlett at 2023-08-04T08:05:00+00:00
lib/cmdline: Also redact --newpassword in samba_cmdline_burn()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Jul 21 06:16:30 UTC 2023 on atb-devel-224

(cherry picked from commit 76ad44f446c42832e87b2c60a4731a8de3a0018f)

RN: post-exec password redaction for samba-tool is more reliable for
 fully random passwords as it no longer uses regular expressions
 containing the password value itself.

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Fri Aug  4 08:05:00 UTC 2023 on atb-devel-224

- - - - -
f01a179a by Martin Schwenke at 2023-08-07T08:43:39+00:00
ctdb-tools: Fix CID 1539212 - signed/unsigned issue

>>>     CID 1539212:  Control flow issues  (NO_EFFECT)
>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "p >= 0UL".
216     		while (p >= 0 && output[p] == '\n') {

This is a real problem in the unlikely event that the output contains
only newlines.

Fix the issue by using a pointer and add a test to cover this case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15438

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
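
The always-true comparison flagged in the Coverity report above, next to a pointer-based trailing-newline strip of the kind the commit message describes, as an added example that is not the ctdb code. The function names and sample buffers are hypothetical, and the flawed loop is modelled with an explicit guard so that it detects the wraparound instead of performing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the flagged loop. In the reported form the condition was
 * "p >= 0 && output[p] == '\n'" with an unsigned p, so the first half is
 * always true and only the character test can stop the loop.
 * Returns 1 if that loop would step below index 0 (p would wrap to a huge
 * value and the next read would be far outside the buffer), 0 if it stops
 * in bounds. The wrap is detected, not performed, so this is safe to run.
 */
int flawed_loop_would_overrun(const char *output, size_t len)
{
	size_t p;

	if (len == 0) {
		return 0;
	}
	p = len - 1;
	while (output[p] == '\n') {	/* "p >= 0" contributes nothing */
		if (p == 0) {
			return 1;	/* p-- here would wrap around */
		}
		p--;
	}
	return 0;
}

/*
 * Pointer-based strip: "end" points one past the last kept byte and is
 * compared against the start of the buffer, so nothing can go below zero.
 * Requires output[len] to be writable (the NUL terminator slot).
 * Returns the new length.
 */
size_t strip_trailing_newlines(char *output, size_t len)
{
	char *end = output + len;

	while (end > output && end[-1] == '\n') {
		end--;
	}
	*end = '\0';
	return (size_t)(end - output);
}

int main(void)
{
	/* Constructed sample outputs, not taken from ctdb. */
	char normal[] = "event ok\n\n";
	char only_newlines[] = "\n\n\n";

	printf("flawed loop overruns on normal output: %d\n",
	       flawed_loop_would_overrun(normal, strlen(normal)));
	printf("flawed loop overruns on newline-only output: %d\n",
	       flawed_loop_would_overrun(only_newlines, strlen(only_newlines)));
	printf("stripped length (normal): %zu\n",
	       strip_trailing_newlines(normal, strlen(normal)));
	printf("stripped length (newlines only): %zu\n",
	       strip_trailing_newlines(only_newlines, strlen(only_newlines)));
	return 0;
}
```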

- - - - -
f87f02f6 by Martin Schwenke at 2023-08-07T09:43:33+00:00
ctdb-doc: Fix documentation for ctdb event status

Behaviour was changed, documentation wasn't.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15438

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Mon Aug  7 09:43:33 UTC 2023 on atb-devel-224

- - - - -
8ed69553 by Joseph Sutton at 2023-08-08T04:39:36+00:00
lib:dbwrap: Remove unneeded space in debug message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
aa9ca519 by Joseph Sutton at 2023-08-08T04:39:36+00:00
lib/replace: Const-qualify sys_errlist

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
aa0d17a7 by Joseph Sutton at 2023-08-08T04:39:36+00:00
auth: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
50c6ca69 by Joseph Sutton at 2023-08-08T04:39:36+00:00
auth: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a8085b3d by Joseph Sutton at 2023-08-08T04:39:36+00:00
ctdb: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5c67b452 by Joseph Sutton at 2023-08-08T04:39:36+00:00
lib/util: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8090e595 by Joseph Sutton at 2023-08-08T04:39:36+00:00
lib/ldb-samba: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
731e233a by Joseph Sutton at 2023-08-08T04:39:36+00:00
s4:auth: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0e653af8 by Joseph Sutton at 2023-08-08T04:39:36+00:00
libcli: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2b33c919 by Joseph Sutton at 2023-08-08T04:39:36+00:00
libcli/auth: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
60f4d873 by Joseph Sutton at 2023-08-08T04:39:36+00:00
libcli/security: Remove unnecessary code

The revision has already been set at the start of this function.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
748cbac2 by Joseph Sutton at 2023-08-08T04:39:36+00:00
libcli/security: Cast isupper() argument to ‘unsigned char’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e69968d2 by Joseph Sutton at 2023-08-08T04:39:36+00:00
librpc/rpc: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
448ed84c by Joseph Sutton at 2023-08-08T04:39:36+00:00
librpc/ndr: Remove unneeded casts

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2a2604bf by Joseph Sutton at 2023-08-08T04:39:36+00:00
ndr_string: Add overflow check in ndr_pull_charset_to_null()

This matches ndr_pull_charset().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dd53e052 by Joseph Sutton at 2023-08-08T04:39:36+00:00
ndr_string: Fix typo

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
87216413 by Joseph Sutton at 2023-08-08T04:39:36+00:00
ndr_string: Remove dodgy-looking casts

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ee6ef91f by Joseph Sutton at 2023-08-08T04:39:36+00:00
ndr/dns-utils: Make error message slightly more readable

max_length will always be greater than one, so we can use the plural.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
64834e26 by Joseph Sutton at 2023-08-08T04:39:36+00:00
librpc/ndr: Format NDR pull sizes as ‘size_t’

The arguments to these macros are occasionally of type size_t.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b25a6b12 by Joseph Sutton at 2023-08-08T04:39:36+00:00
librpc/py_security: Don’t pass a NULL pointer to PyUnicode_FromString()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ae9e56a1 by Joseph Sutton at 2023-08-08T04:39:36+00:00
librpc/ndr: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d17dda03 by Joseph Sutton at 2023-08-08T04:39:37+00:00
pidl: Remove unneeded semicolon

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ae684939 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s3:eventlog: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4d6118e4 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s3:utils: Fix debug message formatting

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
af8fbe85 by Joseph Sutton at 2023-08-08T04:39:37+00:00
nmbd_become_lmb.c: Fix debug message formatting

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
abcfaa79 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:dsdb: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
57969727 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:dsdb: Move comment to more appropriate place

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0c868428 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:dsdb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f4d73ee8 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
119067e4 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Check that client and server are not NULL (CID 1534695)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dfad7f87 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8648c9f6 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Remove unused variable

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1286b952 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Remove redundant comment

We don’t need two copies of the same comment.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b86cd80f by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Remove casts in debug messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
54c38cf9 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Use portable format specifiers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0182ddf9 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Use newer debugging macros

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1713f255 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Inline some variables

IMO, this code is easier to read if the reader can tell at a glance what
the values of these enumerations are, rather than having to think about
where the values come from.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4bc1dd32 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Fix comment

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
85beb883 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:kdc: Avoid operator precedence issues

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1dc8cb3e by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:libcli/ldap: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
936c9ae1 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:libcli/smb_composite: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9c880e86 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:librpc: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
13a04d67 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:rpc_server: Add missing newlines to debugging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ebfa5ff6 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s4:rpc_server/backupkey: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d4a643e6 by Joseph Sutton at 2023-08-08T04:39:37+00:00
selftest: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
26429996 by Joseph Sutton at 2023-08-08T04:39:37+00:00
selftest: Add missing import

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1fc549ae by Joseph Sutton at 2023-08-08T04:39:37+00:00
testprogs: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1a7a5dcd by Joseph Sutton at 2023-08-08T04:39:37+00:00
samba-tool/ntacl: Remove unused and unnecessary return

setntacl() just returns None.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3c15ff6e by Joseph Sutton at 2023-08-08T04:39:37+00:00
samba-tool/ntacl: Remove unused variable

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
245044d6 by Joseph Sutton at 2023-08-08T04:39:37+00:00
samba-tool/ntacl: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f47aef77 by Joseph Sutton at 2023-08-08T04:39:37+00:00
python: Use correct function signatures

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d0efff68 by Joseph Sutton at 2023-08-08T04:39:37+00:00
python:samba:kcc: Fix log message formatting

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b270333f by Joseph Sutton at 2023-08-08T04:39:37+00:00
python: Fix leak

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fa9f9d49 by Joseph Sutton at 2023-08-08T04:39:37+00:00
python: Check return value of talloc_strndup()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9a123429 by Joseph Sutton at 2023-08-08T04:39:37+00:00
pyglue: Fix leak

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
07299ab7 by Joseph Sutton at 2023-08-08T04:39:37+00:00
pyglue: Add missing whitespace in docstrings

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ccf99477 by Joseph Sutton at 2023-08-08T04:39:37+00:00
python:tests: Remove references to now-gone files

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b3e684b5 by Joseph Sutton at 2023-08-08T04:39:37+00:00
tests/krb5: Correct comment

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
40b529f8 by Joseph Sutton at 2023-08-08T04:39:37+00:00
libgpo:admx: Fix code spelling

(NEGOgiation → NEGOtiation)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d6a6dcc0 by Joseph Sutton at 2023-08-08T04:39:37+00:00
libcli/ldap: Don’t try to encode NULL name

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6ce9c6a3 by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Don’t pass NULL pointer into strcasecmp()

Doing so is undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d5c309a5 by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Account for ‘name’ possibly being NULL

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1cb91c6a by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
41e0951d by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Don’t decrement reference count until object is no longer needed

If ‘tmp’ happens to be garbage-collected, ‘name’ will become invalid.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
58205585 by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Check talloc_strdup() return value

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dc89fabb by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Don’t leak ‘msg’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
229d270d by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Check talloc_zero_array() return value

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
77015f3c by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Don’t leak ‘el’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d278f97d by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Clarify documentation for PyObject_AsMessageElement()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
150d457b by Joseph Sutton at 2023-08-08T04:39:37+00:00
ldb: Work around inconsistent behaviour in PyObject_AsMessageElement()

PyObject_AsMessageElement() has ‘flags’ and ‘attr_name’ parameters to
set properties of the returned MessageElement, but they apply only
*sometimes*.

‘attr_name’ not being set can result in cryptic and misleading error
messages from various ldb operations.

Changing the function’s behaviour to be more consistent could break
existing code, so we work around the issue instead.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
45ef3ab9 by Joseph Sutton at 2023-08-08T04:39:37+00:00
smbXcli: Remove call to utf16_len_n()

This code was probably intended to refer to ‘blob1’ rather than to
‘blob2’. As it is, it fails to achieve anything.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b6c35d03 by Joseph Sutton at 2023-08-08T04:39:37+00:00
ndr_string: Move string length calculation fallback into default case

We are about to add a new enumeration constant (NUM_CHARSETS) to
charset_t. To do that we must have a default case in this switch
statement, or the compiler will refuse to compile it, stating that we
haven’t handled all the cases.

The alternative, adding a case for NUM_CHARSETS, would just look silly.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
355fd3c7 by Joseph Sutton at 2023-08-08T04:39:37+00:00
lib:charset: Update NUM_CHARSETS to reflect true value

CH_DISPLAY was removed in commit
125a2ff262aa312df20eec68802fd5f8a47f492f, but NUM_CHARSETS was not
updated to match.

By assigning to NUM_CHARSETS the last enumeration value in charset_t, we
guard against its falling out of sync again.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f6babaa9 by Joseph Sutton at 2023-08-08T04:39:37+00:00
nsswitch:libwbclient: Fix memory leak

Found by Balazs Scheidler <bazsi at balabit.hu>.

Reported by Ferenc Wágner <wferi at niif.hu> at
https://lists.samba.org/archive/samba-technical/2023-June/138271.html

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
def62de1 by Joseph Sutton at 2023-08-08T04:39:37+00:00
auth: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9769b594 by Joseph Sutton at 2023-08-08T04:39:37+00:00
ctdb: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f14d5a01 by Joseph Sutton at 2023-08-08T04:39:37+00:00
talloc: Fix typo

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ea888d69 by Joseph Sutton at 2023-08-08T04:39:37+00:00
lib:mscat: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6ee008d2 by Joseph Sutton at 2023-08-08T04:39:37+00:00
lib:socket: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8ff5c514 by Joseph Sutton at 2023-08-08T04:39:37+00:00
lib/util: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f05ed662 by Joseph Sutton at 2023-08-08T04:39:37+00:00
libcli/auth: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3870e00f by Joseph Sutton at 2023-08-08T04:39:37+00:00
libcli/security: Call dom_sid_compare_domain() instead of sid_compare_domain()

The two functions are identical in behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8d658eaf by Joseph Sutton at 2023-08-08T04:39:37+00:00
s3:modules: Call dom_sid_compare_domain() instead of sid_compare_domain()

The two functions are identical in behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5cf61ed2 by Joseph Sutton at 2023-08-08T04:39:37+00:00
libcli/security: Remove unused function sid_compare_domain()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dbf53bf3 by Joseph Sutton at 2023-08-08T04:39:37+00:00
libcli/security: Fix integer overflow

On a typical machine where the size of ‘int’ is 32 bits or smaller, a
sub-authority of 2147483649 would be ordered before a sub-authority of
1, even though it is greater.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
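
The ordering bug described in commit dbf53bf3 above, as an added example that is not Samba's code: a comparator that returns the difference of two 32-bit sub-authorities as an `int` orders 2147483649 before 1 and does not give a consistent ordering at all. `struct toy_sid`, the function names and the sample values are hypothetical and constructed for illustration, and a 32-bit two's-complement `int` is assumed.

```c
#include <stdint.h>
#include <stdio.h>

#define TOY_MAX_SUBAUTHS 15

/* Hypothetical, simplified SID: only the sub-authority list matters here. */
struct toy_sid {
	uint8_t num_auths;
	uint32_t sub_auths[TOY_MAX_SUBAUTHS];
};

typedef int (*sub_auth_cmp)(uint32_t, uint32_t);

/*
 * Buggy pattern: the difference is computed modulo 2^32 and then squeezed
 * into an int, so any difference of 2^31 or more comes out negative.
 */
static int cmp_by_subtraction(uint32_t a, uint32_t b)
{
	return (int)(a - b);
}

/* Fixed pattern: compare the values, never subtract them. */
static int cmp_by_comparison(uint32_t a, uint32_t b)
{
	return (a > b) - (a < b);
}

/* Compare two toy SIDs: first by length, then sub-authority by sub-authority. */
static int toy_sid_compare(const struct toy_sid *x, const struct toy_sid *y,
			   sub_auth_cmp cmp)
{
	uint8_t i;

	if (x->num_auths != y->num_auths) {
		/* Both operands fit easily in an int, so this cannot wrap. */
		return (int)x->num_auths - (int)y->num_auths;
	}
	for (i = 0; i < x->num_auths; i++) {
		int r = cmp(x->sub_auths[i], y->sub_auths[i]);
		if (r != 0) {
			return r;
		}
	}
	return 0;
}

/* Returns 1 if cmp claims a < b and b < c but also a > c (not a valid order). */
static int has_cycle(uint32_t a, uint32_t b, uint32_t c, sub_auth_cmp cmp)
{
	return cmp(a, b) < 0 && cmp(b, c) < 0 && cmp(a, c) > 0;
}

/* Constructed samples: the two values named in the commit message. */
static const struct toy_sid SID_BIG = { 2, { 21, 2147483649u } };
static const struct toy_sid SID_ONE = { 2, { 21, 1u } };

/* Constructed triple that exposes the inconsistency of the buggy comparator. */
#define CYCLE_A 1u
#define CYCLE_B 0x60000000u
#define CYCLE_C 0xC0000000u

int main(void)
{
	printf("subtraction: big vs one -> %d\n",
	       toy_sid_compare(&SID_BIG, &SID_ONE, cmp_by_subtraction));
	printf("comparison:  big vs one -> %d\n",
	       toy_sid_compare(&SID_BIG, &SID_ONE, cmp_by_comparison));
	printf("subtraction has cycle: %d\n",
	       has_cycle(CYCLE_A, CYCLE_B, CYCLE_C, cmp_by_subtraction));
	printf("comparison has cycle:  %d\n",
	       has_cycle(CYCLE_A, CYCLE_B, CYCLE_C, cmp_by_comparison));
	return 0;
}
```

A comparator with such a cycle is unsafe to hand to sorting or binary-search code, which is why the defect matters beyond the single pair of values in the commit message.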

- - - - -
aa0cddad by Joseph Sutton at 2023-08-08T04:39:37+00:00
libcli/security: Use portable format specifiers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
38b93532 by Joseph Sutton at 2023-08-08T04:39:37+00:00
libcli/security: Remove unnecessary cast

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6913aebd by Joseph Sutton at 2023-08-08T04:39:37+00:00
librpc:ndr: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dc3bcd5e by Joseph Sutton at 2023-08-08T04:39:37+00:00
librpc: Fix typo

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
29b2dcb4 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s3:auth: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8505094b by Joseph Sutton at 2023-08-08T04:39:37+00:00
s3:client: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
34545cdf by Joseph Sutton at 2023-08-08T04:39:37+00:00
s3:lib: Consistently return a string with a trailing newline

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
45a50fa9 by Joseph Sutton at 2023-08-08T04:39:37+00:00
s3:client: Remove unnecessary newline from logging message

time_to_asc() adds a trailing newline of its own.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8ea7b8a0 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:groupdb: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c7d71dd1 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:lib: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
769aa901 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:lib: Use portable format specifiers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
09a13ca4 by Joseph Sutton at 2023-08-08T04:39:38+00:00
tldap: Use portable integer constant

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
67decfc7 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:libads: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f798cf93 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:libnet: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
956c7a28 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:librpc: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bba1613d by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:libsmb: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
728eebbf by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:libsmb: Add missing parenthesis to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cef6692b by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:modules: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fa24c5de by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:modules: Remove redundant newlines in logging messages

ctime() and time_to_asc() each add a trailing newline of their own.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ae147ebc by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:modules: Correct escape sequence

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e9882f82 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:modules: Fix error message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4fef81f1 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:nmbd: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1b082f7b by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:passdb: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f80a8516 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:passdb: Fix typo

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1fbfe050 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:printing: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
575f0016 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:printing: Add missing spaces to error messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6489f313 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:printing: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cd3d9aa2 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:registry: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
687a0f01 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:rpc_client: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c172de6e by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:rpc_server: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f7e86f50 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:rpc_server: Fix incomplete logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ce0ace67 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:rpc_server: Add missing space to debug message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
867b192c by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:rpc_server: Fix typo

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
aff878dc by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:smbd: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
44d3f17a by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:smbd Remove unnecessary newlines from logging messages

time_to_asc() adds a trailing newline of its own.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
732923e7 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:smbd: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
aec5307e by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:smbd: Add missing space to warning message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a30b6d1e by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:utils: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
88acf7de by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:utils: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
90a3aca4 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:vfs: Add missing space in debug message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ac0f599c by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:winbindd: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
146a9260 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s3:winbindd: Fix debug messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
703978c7 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:auth: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c590d8d3 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:auth: Check return value of talloc_reference()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e663c1d9 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:auth: Correct condition and remove redundant check

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3076bb6c by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:cldap_server: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ffbd69ed by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:client: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1e753542 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dns_server: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
79cc9adf by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dsdb: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cb2053ee by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dsdb: Improve grammar

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
54714b35 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dsdb: Remove unnecessary parentheses

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d4db9a27 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dsdb: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c850ffde by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dsdb: Correct error messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4fad62d9 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dsdb: Check result of talloc functions

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
68388153 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dsdb: Do not dereference a NULL pointer

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5a19ea9b by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dsdb:tests: Use control that was (presumably) intended

Otherwise ‘control4’ goes unused.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
178a7ed8 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:dsdb:tests: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fd6c3e6b by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:ldap_server: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b07dd255 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:lib: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
45abe285 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:libnet: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
90a9f78a by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:librpc: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c4d055de by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:ntvfs: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
36bbfe62 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:param: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5b2e6058 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:policy: Fix leak

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
68bf480b by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:rpc_server: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2e1adcfc by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:rpc_server/backupkey: Fix leaks

Allocate these objects on a shorter-lived memory context.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
29c92705 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:rpc_server: Remove unnecessary parentheses

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
56561fd0 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:rpc_server: Fix typo

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
63863066 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:samba: Add missing newline to logging message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d61c3684 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:smb_server: Add missing newlines to logging messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3ec0c61c by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:smb_server: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
43b44827 by Joseph Sutton at 2023-08-08T04:39:38+00:00
s4:torture: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5c81f349 by Douglas Bagnall at 2023-08-08T04:39:38+00:00
lib/fuzzing: LLVMFuzzerTestOneInput() takes const uint8_t*

We have been using `uint8_t *`, which works fine as far as
linking goes, but leads fuzz target developers to sometimes
forget why they can't just modify the passed in string instead of
copying it for modification (e.g. to NUL-terminate).

REF: https://llvm.org/docs/LibFuzzer.html#fuzz-target

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c3ded9d9 by Douglas Bagnall at 2023-08-08T04:39:38+00:00
lib/fuzzing:fuzz_sddl_access_check fix nul-term check

We were wanting to ensure the string contains a zero byte, but
instead were checking for a non-zero byte.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5c007600 by Douglas Bagnall at 2023-08-08T04:39:38+00:00
util/base64: add a note about zero length strings

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f404ef3c by Douglas Bagnall at 2023-08-08T04:39:39+00:00
libcli:auth:sess_crypt_blob: ensure key has 7 bytes

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
019bee54 by Douglas Bagnall at 2023-08-08T04:39:39+00:00
fuzz: add fuzzer for sess_crypt_blob

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
17e35c26 by Douglas Bagnall at 2023-08-08T04:39:39+00:00
fuzz: add fuzzer for ldb_comparison_fold

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f0e0ff26 by Douglas Bagnall at 2023-08-08T04:39:39+00:00
tldap: avoid infinite loop when filter contains "\)"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14600

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
269738d6 by Douglas Bagnall at 2023-08-08T05:35:08+00:00
lib/replace: fix strlcat/strlcpy compile for Honggfuzz

Otherwise we get this kind of thing:

../../lib/replace/replace.c:837:3: error: implicit declaration of function 'strlcpy' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
                strlcpy(buf, s, buflen);

../../third_party/heimdal/lib/roken/getarg.c:288:6: error: implicit declaration of function 'strlcat' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
            strlcat(buf, "]", sizeof(buf));

because we found the symbol names in libc, but didn't check that the
functions are declared in <string.h>. We already include
<bsd/string.h> whenever we have it.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Aug  8 05:35:08 UTC 2023 on atb-devel-224

- - - - -
c37adb76 by Stefan Metzmacher at 2023-08-08T08:02:40+00:00
s4:torture/ndr: add tests for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED

The PDUs were generated by Windows clients.

And we fail to parse them currently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
5c724a3e by Stefan Metzmacher at 2023-08-08T08:02:40+00:00
librpc/rpc: let dcerpc_read_ncacn_packet_next_vector() handle fragments without any payload

DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED don't have any payload by
default. In order to receive them via dcerpc_read_ncacn_packet_send/recv
we need to allow fragments with frag_len == DCERPC_NCACN_PAYLOAD_OFFSET.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
9ec22e68 by Stefan Metzmacher at 2023-08-08T08:57:46+00:00
dcerpc.idl: fix definitions for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED payload

It seems commit 259129e8f4bc8cacd1850eba3f6551134835d079 was partly just
fantasy...

Windows clients just use 16 bytes for DCERPC_PKT_CO_CANCEL and
DCERPC_PKT_ORPHANED pdus.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Aug  8 08:57:46 UTC 2023 on atb-devel-224

- - - - -
cf7a0c9d by Stefan Metzmacher at 2023-08-08T11:43:09+00:00
vfs_aio_pthread: don't crash without a pthreadpool

During 'samba-tool ntacl sysvolreset' and similar.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3694f2ce6205a647eb5dab2115785fb45decaf0b)

- - - - -
bace04c3 by Jones Syue at 2023-08-08T11:43:09+00:00
vfs_aio_pthread: fix segfault if samba-tool ntacl get

If configured as AD DC and aio_pthread is appended to 'vfs objects'[1],
running these commands would get a segfault:
1. sudo samba-tool ntacl get .
2. sudo net vfs getntacl sysvol .
gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2],
and the fsp->conn->sconn->client is null (0x0).

'sconn->client' memory is allocated when a new connection is accepted:
smbd_accept_connection > smbd_process > smbXsrv_client_create
While running local commands looks like it would not go through
smbXsrv_client_create so the 'client' is null, segfault might happen.
We should not dereference 'client->server_multi_channel_enabled',
if 'client' is null.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441

[1] smb.conf example, samba-4.18.5, ubuntu 22.04.2
[global]
        dns forwarder = 127.0.0.53
        netbios name = U22-JONES-88X1
        realm = U22-JONES-88X1.X88X1.JONES
        server role = active directory domain controller
        workgroup = X88X1
        idmap_ldb:use rfc2307 = yes
        vfs objects = dfs_samba4 acl_xattr aio_pthread

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts
        read only = No

[2] gdb
(gdb) run /usr/local/samba/bin/samba-tool ntacl get .
Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get .
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
    at ../../source3/modules/vfs_aio_pthread.c:467
warning: Source file is more recent than executable.
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) bt
    at ../../source3/modules/vfs_aio_pthread.c:467
    at ../../source3/smbd/pysmbd.c:320
---Type <return> to continue, or q <return> to quit---
(gdb) f
    at ../../source3/modules/vfs_aio_pthread.c:467
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) p fsp->conn->sconn->client
$1 = (struct smbXsrv_client *) 0x0
(gdb)

Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2)

- - - - -
f2604db1 by Stefan Metzmacher at 2023-08-08T11:43:09+00:00
s4:torture/ndr: add tests for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED

The PDUs were generated by Windows clients.

And we fail to parse them currently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit c37adb762640b7df9731d6a60edce808aa8787f8)

- - - - -
30f317cf by Stefan Metzmacher at 2023-08-08T11:43:09+00:00
librpc/rpc: let dcerpc_read_ncacn_packet_next_vector() handle fragments without any payload

DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED don't have any payload by
default. In order to receive them via dcerpc_read_ncacn_packet_send/recv
we need to allow fragments with frag_len == DCERPC_NCACN_PAYLOAD_OFFSET.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 5c724a3e156ae734e4d187bf9639d895bb011834)

- - - - -
1b3197ff by Stefan Metzmacher at 2023-08-08T12:56:30+00:00
dcerpc.idl: fix definitions for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED payload

It seems commit 259129e8f4bc8cacd1850eba3f6551134835d079 was partly just
fantasy...

Windows clients just use 16 bytes for DCERPC_PKT_CO_CANCEL and
DCERPC_PKT_ORPHANED pdus.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Aug  8 08:57:46 UTC 2023 on atb-devel-224

(cherry picked from commit 9ec22e680249cfde06fb1a0a34fcc94d1f47002d)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Tue Aug  8 12:56:30 UTC 2023 on atb-devel-224
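
The length rule from the two DCERPC commit messages above (a fragment with frag_len equal to the payload offset must be accepted, and Windows sends CO_CANCEL/ORPHANED as 16 bytes), as an added example that is not Samba's code. All `dce_` names are hypothetical, the two PDUs are constructed samples, and the `allow_empty = 0` mode is modelled from the commit message rather than copied from the old source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Connection-oriented DCE/RPC common header: 16 bytes, payload starts after it. */
#define DCE_HDR_LEN          16
#define DCE_PTYPE_CO_CANCEL  18
#define DCE_PTYPE_ORPHANED   19
#define DCE_DREP_LE          0x10

enum dce_status {
	DCE_OK = 0,
	DCE_NEED_MORE,      /* caller must read more bytes first */
	DCE_BAD_VERSION,
	DCE_BAD_FRAG_LEN,
	DCE_BAD_AUTH_LEN
};

struct dce_pdu {
	uint8_t ptype;
	uint8_t pfc_flags;
	uint16_t frag_len;
	uint16_t auth_len;
	uint32_t call_id;
	size_t payload_len; /* bytes after the 16-byte header */
};

static uint16_t dce_get16(const uint8_t *p, int le)
{
	return le ? (uint16_t)(p[0] | (p[1] << 8))
		  : (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t dce_get32(const uint8_t *p, int le)
{
	uint32_t a = p[0], b = p[1], c = p[2], d = p[3];
	return le ? (a | b << 8 | c << 16 | d << 24)
		  : (a << 24 | b << 16 | c << 8 | d);
}

/*
 * Validate the common header before trusting frag_len.
 * allow_empty = 0 models a reader that insists on at least one payload byte;
 * allow_empty = 1 accepts frag_len == DCE_HDR_LEN, which header-only PDUs need.
 */
enum dce_status dce_parse_header(const uint8_t *buf, size_t len,
				 int allow_empty, struct dce_pdu *out)
{
	if (len < DCE_HDR_LEN) {
		return DCE_NEED_MORE;
	}
	if (buf[0] != 5) {
		return DCE_BAD_VERSION;
	}
	int le = (buf[4] & DCE_DREP_LE) != 0;
	uint16_t frag_len = dce_get16(buf + 8, le);
	uint16_t auth_len = dce_get16(buf + 10, le);

	/* Anything shorter than the header can never be valid. */
	if (frag_len < DCE_HDR_LEN) {
		return DCE_BAD_FRAG_LEN;
	}
	if (frag_len == DCE_HDR_LEN && !allow_empty) {
		return DCE_BAD_FRAG_LEN;
	}
	if (len < frag_len) {
		return DCE_NEED_MORE;
	}
	/* The auth trailer has to fit inside the payload area. */
	if (auth_len > (uint16_t)(frag_len - DCE_HDR_LEN)) {
		return DCE_BAD_AUTH_LEN;
	}
	out->ptype = buf[2];
	out->pfc_flags = buf[3];
	out->frag_len = frag_len;
	out->auth_len = auth_len;
	out->call_id = dce_get32(buf + 12, le);
	out->payload_len = (size_t)frag_len - DCE_HDR_LEN;
	return DCE_OK;
}

/* Constructed sample: header-only CO_CANCEL, little-endian, call_id 2. */
static const uint8_t dce_co_cancel[16] = {
	0x05, 0x00, 0x12, 0x03, 0x10, 0x00, 0x00, 0x00,
	0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00
};

/* Constructed sample: ORPHANED whose frag_len (15) is shorter than the header. */
static const uint8_t dce_short_frag[16] = {
	0x05, 0x00, 0x13, 0x03, 0x10, 0x00, 0x00, 0x00,
	0x0f, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00
};

int main(void)
{
	struct dce_pdu pdu;
	printf("strict:  %d\n", dce_parse_header(dce_co_cancel, 16, 0, &pdu));
	printf("relaxed: %d\n", dce_parse_header(dce_co_cancel, 16, 1, &pdu));
	printf("short:   %d\n", dce_parse_header(dce_short_frag, 16, 1, &pdu));
	return 0;
}
```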

- - - - -
ade663ee by Stefan Metzmacher at 2023-08-08T12:57:29+00:00
s4:torture/smb2: let torture_smb2_con_sopt() use smb2_connect()

There's no need for smb2_connect_ext().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
dc5a500f by Stefan Metzmacher at 2023-08-08T12:57:29+00:00
s4:torture/smb2: let us have a common torture_smb2_con_share()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
2b93058b by Stefan Metzmacher at 2023-08-08T12:57:29+00:00
s4:torture/smb2: make it possible to pass existing_conn to smb2_connect_ext()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
4028d658 by Stefan Metzmacher at 2023-08-08T12:57:29+00:00
s4:torture/smb2: add smb2.multichannel.bugs.bug_15346

This demonstrates the race quite easily against
Samba and works fine against Windows Server 2022.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
50d61e53 by Stefan Metzmacher at 2023-08-08T12:57:29+00:00
s3:smbd: always clear filter_subreq in smb2srv_client_mc_negprot_next()

Commit 5d66d5b84f87267243dcd5223210906ce589af91 introduced a
'verify_again:' target, if we ever hit that, we would leak
the existing filter_subreq.

Moving it just above a possible messaging_filtered_read_send()
will allow us to only clear it if we actually create a new
request. That will help us in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
f348b84f by Stefan Metzmacher at 2023-08-08T13:59:58+00:00
s3:smbd: fix multichannel connection passing race

If a client opens multiple connections with the same
client guid in parallel, our connection passing is likely
to hit a race.

Assume we have 3 processes:

smbdA: This process already handles all connections for
       a given client guid
smbdB: This just received a new connection with an
       SMB2 negprot for the same client guid
smbdC: This also received a new connection with an
       SMB2 negprot for the same client guid

Now both smbdB and smbdC send a MSG_SMBXSRV_CONNECTION_PASS
message to smbdA. These messages contain the socket fd
for each connection.

While waiting for a MSG_SMBXSRV_CONNECTION_PASSED message
from smbdA, both smbdB and smbdC watch the smbXcli_client.tdb
record for changes (that also verifies smbdA stays alive).

Once one of them, say smbdB, received the MSG_SMBXSRV_CONNECTION_PASSED
message, the dbwrap_watch logic will wake up smbdC in order to
let it recheck the smbXcli_client.tdb record in order to
handle the case where smbdA died or deleted its record.

Now smbdC rechecks the smbXcli_client.tdb record, but it
was not woken because of a problem with smbdA. It meant
that smbdC sends a MSG_SMBXSRV_CONNECTION_PASS message
including the socket fd again.

As a result smbdA got the socket fd from smbdC twice (or even more),
and creates two (or more) smbXsrv_connection structures for the
same low level tcp connection. And it also sends more than one
SMB2 negprot response. Depending on the tevent logic, it will
use different smbXsrv_connection structures to process incoming
requests. And this will almost immediately result in errors.

The typical error is:
 smb2_validate_sequence_number: smb2_validate_sequence_number: bad message_id 2 (sequence id 2) (granted = 1, low = 1, range = 1)

But other errors would also be possible.

The detail that leads to the long delays on the client side is
that our smbd_server_connection_terminate_ex() code will close
only the fd of a single smbXsrv_connection, but the refcount
on the socket fd in the kernel is still not 0, so the tcp
connection is still alive...

Now we remember the server_id of the process that we send
the MSG_SMBXSRV_CONNECTION_PASS message to. And just keep
watching the smbXcli_client.tdb record if the server_id
doesn't change. As we just need more patience to wait for
the MSG_SMBXSRV_CONNECTION_PASSED message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Aug  8 13:59:58 UTC 2023 on atb-devel-224

- - - - -
874c693b by Volker Lendecke at 2023-08-10T13:40:31+00:00
smbd: Don't crash in cli_fsctl_send()

If you run "allinfo" on a symlink with NT1, cli_readlink_send sends a
NULL "in" blob. Do the same as smb2cli_ioctl_send() does, just send
NULL/0 in that case and don't crash.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
9831fbeb by Volker Lendecke at 2023-08-10T13:40:31+00:00
libcli: Make symlink_reparse_buffer_parse() more flexible

Allow the destination struct to be preallocated

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
97ba7b68 by Volker Lendecke at 2023-08-10T13:40:31+00:00
libcli: Add general reparse point data parsing

When we retrieve reparse point data, we don't know before what we
get. Right now all we do is expect a symlink, but we could get other
types as well.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
2e20e984 by Volker Lendecke at 2023-08-10T13:40:31+00:00
libsmb: Use reparse_data_buffer_parse() in cli_readlink()

Gives the chance of better debug higher up (not used yet)

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
e20919af by Volker Lendecke at 2023-08-10T13:40:31+00:00
libsmb: Use reparse_data_buffer_parse() to get symlink error resp

Gets a nicer error message

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
e71a6ab5 by Volker Lendecke at 2023-08-10T13:40:31+00:00
pylibsmb: Use reparse_data_buffer_parse()

Remove the last direct caller of symlink_reparse_buffer_parse()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
e99e676b by Volker Lendecke at 2023-08-10T13:40:31+00:00
libsmb: Some README.Coding for symlink_reparse_buffer_parse()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
8ad55c38 by Volker Lendecke at 2023-08-10T13:40:31+00:00
libsmb: Move symlink_reparse_buffer_parse() to reparse.c

The goal of this is to eventually remove reparse_symlink.c once we
have marshalling routines for symlinks in reparse.c

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
eb3e9315 by Volker Lendecke at 2023-08-10T13:40:31+00:00
libsmb: Factor out cli_get_reparse_data() from cli_readlink()

Will be used in smbclient's allinfo command: Reparse points are more
than just symlinks.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a0edab50 by Volker Lendecke at 2023-08-10T13:40:31+00:00
libsmb: Retry with OPEN_REPARSE_POINT on IO_REPARSE_TAG_NOT_HANDLED

Eventually we'll have to make STOPPED_ON_SYMLINK special to handle the
symlink response, but for now they are the same.

STOPPED_ON_SYMLINK will tell us where the symlink is,
REPARSE_TAG_NOT_HANDLED won't. So if there's an unhandled reparse
point somewhere in the path, there's no really good way to handle
this. We'll get the REPARSE_TAG_NOT_HANDLED the second time as
well. Even SMB1 QPATHINFO gets this when you try to cross a NFS
reparse point.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
5ec66016 by Volker Lendecke at 2023-08-10T14:36:40+00:00
smbclient3: Get all reparse data for allinfo

If we hit a reparse point in point, it might be something but a
symlink.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Aug 10 14:36:40 UTC 2023 on atb-devel-224

- - - - -
aec49671 by Stefan Metzmacher at 2023-08-11T08:48:12+00:00
s4:torture/smb2: let torture_smb2_con_sopt() use smb2_connect()

There's no need for smb2_connect_ext().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ade663ee6ca1a2813b203ea667d933f4dab9e7b7)

- - - - -
208bece1 by Stefan Metzmacher at 2023-08-11T08:48:12+00:00
s4:torture/smb2: let us have a common torture_smb2_con_share()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit dc5a500f0a76720b2a5cb5b1142cf4c35cb6bdea)

- - - - -
76c6234a by Stefan Metzmacher at 2023-08-11T08:48:12+00:00
s4:torture/smb2: make it possible to pass existing_conn to smb2_connect_ext()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 2b93058be3f6e5eaee239ad3b0e707c62089d18e)

- - - - -
28e68be9 by Stefan Metzmacher at 2023-08-11T08:48:12+00:00
s4:torture/smb2: add smb2.multichannel.bugs.bug_15346

This demonstrates the race quite easily against
Samba and works fine against Windows Server 2022.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 4028d6582907cf582730ceec56872d8584ad02e6)

- - - - -
4dcefc01 by Stefan Metzmacher at 2023-08-11T08:48:12+00:00
s3:smbd: always clear filter_subreq in smb2srv_client_mc_negprot_next()

Commit 5d66d5b84f87267243dcd5223210906ce589af91 introduced a
'verify_again:' target, if we ever hit that, we would leak
the existing filter_subreq.

Moving it just above a possible messaging_filtered_read_send()
will allow us to only clear it if we actually create a new
request. That will help us in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 50d61e5300250922bf36bb699306f82dff6a00b9)

- - - - -
cd866f5c by Stefan Metzmacher at 2023-08-11T09:49:53+00:00
s3:smbd: fix multichannel connection passing race

If a client opens multiple connections with the same
client guid in parallel, our connection passing is likely
to hit a race.

Assume we have 3 processes:

smbdA: This process already handles all connections for
       a given client guid
smbdB: This just received a new connection with an
       SMB2 negprot for the same client guid
smbdC: This also received a new connection with an
       SMB2 negprot for the same client guid

Now both smbdB and smbdC send a MSG_SMBXSRV_CONNECTION_PASS
message to smbdA. These messages contain the socket fd
for each connection.

While waiting for a MSG_SMBXSRV_CONNECTION_PASSED message
from smbdA, both smbdB and smbdC watch the smbXcli_client.tdb
record for changes (that also verifies smbdA stays alive).

Once one of them, say smbdB, received the MSG_SMBXSRV_CONNECTION_PASSED
message, the dbwrap_watch logic will wake up smbdC in order to
let it recheck the smbXcli_client.tdb record in order to
handle the case where smbdA died or deleted its record.

Now smbdC rechecks the smbXcli_client.tdb record, but it
was not woken because of a problem with smbdA. It meant
that smbdC sends a MSG_SMBXSRV_CONNECTION_PASS message
including the socket fd again.

As a result smbdA got the socket fd from smbdC twice (or even more),
and creates two (or more) smbXsrv_connection structures for the
same low level tcp connection. And it also sends more than one
SMB2 negprot response. Depending on the tevent logic, it will
use different smbXsrv_connection structures to process incoming
requests. And this will almost immediately result in errors.

The typical error is:
 smb2_validate_sequence_number: smb2_validate_sequence_number: bad message_id 2 (sequence id 2) (granted = 1, low = 1, range = 1)

But other errors would also be possible.

The detail that leads to the long delays on the client side is
that our smbd_server_connection_terminate_ex() code will close
only the fd of a single smbXsrv_connection, but the refcount
on the socket fd in the kernel is still not 0, so the tcp
connection is still alive...

Now we remember the server_id of the process that we send
the MSG_SMBXSRV_CONNECTION_PASS message to. And just keep
watching the smbXcli_client.tdb record if the server_id
doesn't change. As we just need more patience to wait for
the MSG_SMBXSRV_CONNECTION_PASSED message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Aug  8 13:59:58 UTC 2023 on atb-devel-224

(cherry picked from commit f348b84fbcf203ab1ba92840cf7aecd55dbf9aa0)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Fri Aug 11 09:49:53 UTC 2023 on atb-devel-224
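
A small model of the connection-passing race described in the two "fix multichannel connection passing race" messages above, added here as an example and not taken from smbd. Every `mc_` name, the numeric server ids and the replacement owner smbdD are hypothetical; each PASS message is modelled as immediately creating one connection structure at the receiving process.

```c
#include <stdint.h>
#include <stdio.h>

#define MC_MAX_FD 8

/* Process that owns all connections for one client guid (smbdA in the text). */
struct mc_owner {
	uint64_t server_id;
	int conns_for_fd[MC_MAX_FD]; /* connection structures created per socket fd */
};

/* Process that accepted a new connection and wants to hand it over. */
struct mc_passer {
	int sock_fd;
	uint64_t passed_to; /* server_id we last sent PASS to, 0 = none yet */
	int passes_sent;
};

/* Model of MSG_SMBXSRV_CONNECTION_PASS: the fd travels with the message. */
static void mc_send_pass(struct mc_passer *p, struct mc_owner *o)
{
	o->conns_for_fd[p->sock_fd]++;
	p->passed_to = o->server_id;
	p->passes_sent++;
}

/*
 * The watch on the client record fired before PASSED arrived.
 * remember_owner = 0: re-send PASS on every wakeup (the racy behaviour).
 * remember_owner = 1: re-send only if the record now names another owner.
 */
static void mc_on_record_wakeup(struct mc_passer *p, struct mc_owner *current,
				int remember_owner)
{
	if (remember_owner && p->passed_to == current->server_id) {
		return; /* same owner: keep waiting for PASSED */
	}
	mc_send_pass(p, current);
}

/* smbdB and smbdC pass in parallel; smbdA answering smbdB wakes smbdC. */
int mc_conns_after_spurious_wakeup(int remember_owner)
{
	struct mc_owner smbdA = { .server_id = 100 };
	struct mc_passer smbdB = { .sock_fd = 4 };
	struct mc_passer smbdC = { .sock_fd = 5 };

	mc_send_pass(&smbdB, &smbdA);
	mc_send_pass(&smbdC, &smbdA);
	/* Record changed because of smbdB's hand-over, smbdA is healthy. */
	mc_on_record_wakeup(&smbdC, &smbdA, remember_owner);
	return smbdA.conns_for_fd[smbdC.sock_fd];
}

/* The owner really changed: the passer must still reach the new owner once. */
int mc_conns_at_new_owner(int remember_owner)
{
	struct mc_owner smbdA = { .server_id = 100 };
	struct mc_owner smbdD = { .server_id = 200 };
	struct mc_passer smbdC = { .sock_fd = 5 };

	mc_send_pass(&smbdC, &smbdA);
	/* smbdA went away; the record now points at smbdD. */
	mc_on_record_wakeup(&smbdC, &smbdD, remember_owner);
	return smbdD.conns_for_fd[smbdC.sock_fd];
}

int main(void)
{
	printf("spurious wakeup, no memory:   %d conns for one socket\n",
	       mc_conns_after_spurious_wakeup(0));
	printf("spurious wakeup, remembered:  %d conns for one socket\n",
	       mc_conns_after_spurious_wakeup(1));
	printf("owner changed, remembered:    %d conns at new owner\n",
	       mc_conns_at_new_owner(1));
	return 0;
}
```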

- - - - -
fd8324d5 by Michael Tokarev at 2023-08-11T13:07:45+03:00
d/control: python3-testtools is only needed for selftest, remove from Build-Depends for now

- - - - -
0d9ea6c5 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Add tmp_highest_usn tracking to replication log

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
d0c1ce53 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Improve debugging of invalid DNs

This is still unreachable, but improve the logging
to give more detail in this area anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
a12bcce8 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Improve debug message for drs_ObjectIdentifier_to_dn_and_nc_root() failure

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
63843a22 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-dsdb: Improve logging for drs_ObjectIdentifier_to_dn_and_nc_root()

At this layer we can make a reasonable assumption about being able
to read ldb_errstring() to print that for extra useful debugging.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
0550e469 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Remove redundant check for valid and non-NULL ncRoot_dn

This check was valuable before aee2039e63ceeb5e69a0461fb77e0f18278e4dc4
but now only checks things we know to be true, as the value has come
from Samba via drs_ObjectIdentifier_to_dn_and_nc_root() either on this
or a previous call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
c30bb876 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-torture/drs: Save the server dnsname on the DcConnection object

This object is used to hold one of many possible connections and
it is helpful for debugging and uniqueness to know which DC is being
connected to.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
628eab11 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-torture/drs: Create temp OU with a unique name per test

It is always better to keep the testing OUs unique if possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
40f831e6 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-torture/drs: Use addCleanup() in getchanges.py for OU handling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
db16366b by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-torture/drs: Add a test matching Azure AD Connect REPL_OBJ behaviour

Azure AD Connect will send a GUID but no DummyDN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
b323169d by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-torture/drs: Add test demonstrating that a GetNCChanges REPL_OBJ will not reset the replication cookie

This demonstrates the behaviour used by the "Azure AD Connect" cloud sync tool.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
87414955 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-torture/drs: Add test showing that if present in the set the NC root leads and tmp_highest_usn moves

The NC root, on any replication when it appears, is the first object to be
replicated, including for all subsequent chunks in the replication.

However the tmp_highest_usn is not updated by that USN, it must
only be updated for the non-NC changes (to match Windows exactly),
or at least only updated with the non-NC changes until it would
naturally appear.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
99579e70 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Only keep and invalidate replication cycle state for normal replication

This changes the GetNCChanges server to use a per-call state for
extended operations like RID_ALLOC or REPL_OBJ and only maintain
and (more importantly) invalidate the state during normal replication.

This allows REPL_OBJ to be called during a normal replication cycle
that continues using after that call, continuing with the same
highwatermark cookie.

Azure AD will do a sequence of (roughly)

* Normal replication (objects 1..100)
* REPL_OBJ (of 1 object)
* Normal replication (objects 101..200)

However, if there are more than 100 (in this example) objects in the
domain, and the second replication is required, the objects 1..100
are sent, as the replication state was invalidated by the REPL_OBJ call.

RN: Improve GetNCChanges to address some (but not all "Azure AD Connect")
synchronisation tool looping during the initial user sync phase.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
fe7418e1 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Fix indentation in GetNCChanges()

This avoids the indentation correction being in the previous patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
548f141f by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Avoid modification to ncRoot input variable in GetNCChanges

This tries to avoid it appearing that ncRoot is a value that can
be trusted and used internally by not updating it and instead leaving
it just as an input/echo-back value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
2ed9815e by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Rename ncRoot -> untrusted_ncRoot to avoid misuse

Because of the requirement to echo back the original string, we can
not force this to be a trustworthy value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
2aba9e23 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Update getnc_state to be != NULL

This is closer to our README.Coding style

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
17359afa by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsuapi: Ensure logs show DN for replicated objects, not (null)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15407
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
79ca6ef2 by Andrew Bartlett at 2023-08-13T21:59:29+00:00
s4-rpc_server/drsupai: Avoid looping with Azure AD Connect by not incrementing temp_highest_usn for the NC root

We send the NC root first, as a special case for every chunk
that we send until the natural point where it belongs.

We do not bump the tmp_highest_usn in the highwatermark that
the client and server use (it is meant to be an opaque cookie)
until the 'natural' point where the object appears, similar
to the cache for GET_ANC.

The issue is that without this, because the NC root was sorted
first in whatever chunk it appeared in but could have a 'high'
highwatermark, Azure AD Connect will send back the same
new_highwatermark->tmp_highest_usn, and due to a bug,
a zero reserved_usn, which makes Samba discard it.

The reserved_usn is now much less likely to ever be set because
the tmp_highest_usn is now always advancing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
58260e1e by Michael Tokarev at 2023-08-13T22:54:55+00:00
python/samba/netcmd/domain/schemaupgrade.py: fix missing newline

Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sun Aug 13 22:54:55 UTC 2023 on atb-devel-224

- - - - -
26329a69 by Andrew Bartlett at 2023-08-14T03:46:35+00:00
WHATSNEW: Remove unusual box around 'REMOVED FEATURES'

We do not normally put the ==== above the titles, per recent practice.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

- - - - -
8744e5df by Andrew Bartlett at 2023-08-14T03:46:35+00:00
bootstrap: Heimdal no longer requires perl-JSON

Heimdal after lorikeet-heimdal-202307040259
(commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)
includes Heimdal master commit f62e2f278437ff6c03d2d09bd628381c795bba78.

This has PR https://github.com/heimdal/heimdal/pull/1176 and no
longer requires the external JSON module, as JSON::PP is builtin.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15394

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

- - - - -
4ae3e9b2 by Andrew Bartlett at 2023-08-14T03:46:35+00:00
selftest: Allow MIT Krb5 1.21 to still start to fl2000dc

This is the simplest way to keep this test environment alive.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

- - - - -
b896da35 by Andrew Bartlett at 2023-08-14T03:46:35+00:00
krb5: Increase the minimum MIT Krb5 version to 1.21

This is the version we test with in CI after the image update
in the next commit.  This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures
that Samba builds against the MIT version that allows us to
avoid that attack.

The hooks to allow these expectations to be disabled in the tests
are kept for now, to allow this to be reverted or to test
older servers.

With MIT 1.21 as the new test standard for the MIT KDC build
we update the knownfail_mit_kdc - this was required regardless
after the CI image update.

Any update to the CI image, even an unrelated one, brings in
a new MIT Krb5, version 1.21-3 in this case.  This has new
behaviour that needs to be noted in the knownfail files or
else the tests, which haven't changed, will fail and
pipelines won't pass.

(The image generated by the earlier bootstrap commit brought
in krb5-1.21-2 which was buggy with CVE-2023-39975)

Further tweaks to tests or the server should reduce the number
of knownfail entries, but this keeps the pipelines passing for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

- - - - -
57672e45 by Andreas Schneider at 2023-08-14T04:40:03+00:00
bootstrap: Install codespell

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Aug 14 04:40:03 UTC 2023 on atb-devel-224

- - - - -
329bfe47 by Joseph Sutton at 2023-08-14T04:57:34+00:00
auth: Remove unnecessary casts

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
28b84ac6 by Joseph Sutton at 2023-08-14T04:57:34+00:00
auth: Use portable format specifier

Also, correctly format the value as unsigned.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
830efcfe by Joseph Sutton at 2023-08-14T04:57:34+00:00
docs-xml: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
993ff035 by Joseph Sutton at 2023-08-14T04:57:34+00:00
ldb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
578c1d39 by Joseph Sutton at 2023-08-14T04:57:34+00:00
ldb:ldb_sqlite3: Access correct member of union

Accessing the wrong member of a union invokes undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5b3a8aa5 by Joseph Sutton at 2023-08-14T04:57:34+00:00
lib:krb5_wrap: Remove unnecessary cast

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a643ac45 by Joseph Sutton at 2023-08-14T04:57:34+00:00
lib/replace: Ensure that __STDC_WANT_LIB_EXT1__ is set to 1

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d35e7f10 by Joseph Sutton at 2023-08-14T04:57:34+00:00
tsocket: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
44df4771 by Joseph Sutton at 2023-08-14T04:57:34+00:00
librpc:ndr: Format sizes as ‘size_t’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c68b8cf1 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s3:lib: Use portable format specifiers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
816ceb27 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s3:registry: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
939bd3d9 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:auth: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3e076b37 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:dsdb: Remove unnecessary casts

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0a202264 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:dsdb: Access correct member of union

Accessing the wrong member of a union invokes undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9fd501df by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Remove unnecessary casts

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2de67b71 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Correct comments mentioning Heimdal

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d1755501 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:rpc_server: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7da7b81d by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:torture: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4c320f75 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Refer to correct function in error messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
928f898e by Joseph Sutton at 2023-08-14T04:57:34+00:00
tests/krb5: Allow cached=True with an assigned silo or policy

We might want to create an account with an assigned silo or policy in
setUp() or setUpClass() to be reused in subsequent tests.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f5529337 by Joseph Sutton at 2023-08-14T04:57:34+00:00
tests/krb5: Rename compatability_tests class

We should not have two unrelated classes both named SimpleKerberosTests.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
942cc0b6 by Joseph Sutton at 2023-08-14T04:57:34+00:00
tests/krb5: Keep claim types for subsequent tests

We want to be able to reuse them across several tests.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
55c09c91 by Joseph Sutton at 2023-08-14T04:57:34+00:00
tests/krb5: Move some functions round to prepare for splitting the class

No effective code change.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a5492d76 by Joseph Sutton at 2023-08-14T04:57:34+00:00
tests/krb5: Split out new AuthnPolicyBaseTests class

This class provides a useful base for other tests to build upon.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
da89b86e by Joseph Sutton at 2023-08-14T04:57:34+00:00
tests/krb5: Allow specifying additional details for a test account

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c9d6a3dd by Joseph Sutton at 2023-08-14T04:57:34+00:00
tests/krb5: Allow specifying KDC options when requesting a TGT

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7026b08e by Joseph Sutton at 2023-08-14T04:57:34+00:00
tests/krb5: Test that neither forwardable nor proxiable tickets are issued to Protected Users

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0cf658cd by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Don’t issue forwardable or proxiable tickets to Protected Users

If an authentication policy enforces a maximum TGT lifetime for a
Protected User, that limit should stand in place of the four-hour limit
usually applied to Protected Users; we should nevertheless continue to
ensure that forwardable or proxiable tickets are not issued to such
users.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e035cfab by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Don’t log secret keys

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f34645b8 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Initialize entry->modified_by

If smb_krb5_make_principal() fails without setting the principal,
sdb_entry_free() will try to free whatever memory the uninitialized
member points to.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7cfddcbf by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Check result of samdb_result_dom_sid()

We must not pass a NULL pointer into dom_sid_split_rid().

While we’re at it, switch to using samdb_result_dom_sid_buf(), which
doesn’t require a heap allocation.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
26e2e891 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Ensure we don’t increase the value of entry->etypes->len

The value of entry->etypes->len ought to be equal to that of
entry->keys.len, and so should be nonzero. But it’s safer not to rely on
that assumption.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
09e13845 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Fix leak of sdb_entry

We should take the common ‘out’ path to ensure that we call
sdb_entry_free() on the entry.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bc1103e9 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Check return value from ldb_dn_get_linearized()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
79738178 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Free samba_kdc_seq context on failure to allocate memory

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
902ed79b by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Call krb5_free_principal() directly after to-be-freed principal is used

This simplifies the ‘out’ path.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bf78c603 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Remove unnecessary talloc context

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e9c275b4 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Move calls to talloc_steal() out of the ‘out’ paths

This simplifies the ‘out’ paths.

Every code path that reaches ‘out’ via a goto ensures that ‘ret’ is set
to a nonzero value.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a5129c07 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Fix leaks

Use a temporary context to allocate these variables. Each variable that
needs to be transferred to the caller is stolen onto an appropriate
talloc context just prior to the function’s returning.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
93c0f355 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
84929c68 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Return an error code if sdb_entry_to_hdb_entry() fails

This condition was written backwards — if samba_kdc_fetch() returned
zero, we would ignore any error code returned by
sdb_entry_to_hdb_entry().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0f127875 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Correct error message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bb78ad7b by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Use portable format specifier

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
406af84b by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Correctly report length of KDC packet

If the data was received over TCP, it would have had four bytes
subtracted from its length already, in kdc_tcp_call_loop().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e5465872 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Fail PAC checksum verification if the krbtgt entry has no keys

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
75a1beee by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Fix leaks of sdb_entry’s members

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7e496d77 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Consistently zero HDB structures

To these conversion functions we sometimes pass malloc-allocated HDB
structures, which we free afterwards if conversion fails. If parts of
these structures are still uninitialized when we try to free them, all
sorts of fun things can result.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7dd13e8d by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Ensure the value of h->len is accurate

If we exited this function early due to an error, h->len would contain
the number of elements that *ought* to be in h->val, but not all of
those elements must have been initialized. Subsequently trying to free
this partially-uninitialized structure with free_Keys() could have bad
results.

Avoid this by ensuring that h->len accurately reports the actual number
of initialized elements.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
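
The pattern this commit message describes, as an added illustration that is not Samba or Heimdal code: a counted array whose `len` is advanced only after each element is fully initialized, so the free routine never touches an uninitialized slot after an early error exit. The `demo_*` names and the `fail_at` parameter (which simulates an allocation failure) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a counted array of keys (not the HDB types). */
struct demo_key {
	unsigned char *data;
	size_t length;
};

struct demo_keys {
	size_t len;            /* number of INITIALIZED elements in val */
	struct demo_key *val;
};

/* Overwrite a buffer through a volatile pointer so the stores are not elided. */
static void demo_wipe(void *p, size_t n)
{
	volatile unsigned char *v = p;

	while (n--) {
		*v++ = 0;
	}
}

/* Free routine that trusts len: it visits exactly len elements. */
static void demo_keys_free(struct demo_keys *k)
{
	size_t i;

	for (i = 0; i < k->len; i++) {
		demo_wipe(k->val[i].data, k->val[i].length);
		free(k->val[i].data);
	}
	free(k->val);
	k->val = NULL;
	k->len = 0;
}

/*
 * Fill 'out' with n keys of key_len bytes each. fail_at is the index at
 * which an allocation failure is simulated ((size_t)-1 for none).
 * On error the caller still calls demo_keys_free(); that is only safe
 * because len counts the elements initialized so far, not n.
 */
static int demo_keys_fill(struct demo_keys *out, size_t n, size_t key_len,
			  size_t fail_at)
{
	size_t i;

	out->len = 0;
	out->val = NULL;
	if (n == 0) {
		return 0;
	}
	if (n > SIZE_MAX / sizeof(*out->val)) {
		return -1;
	}
	/* malloc, not calloc: unfilled slots really are uninitialized. */
	out->val = malloc(n * sizeof(*out->val));
	if (out->val == NULL) {
		return -1;
	}
	for (i = 0; i < n; i++) {
		unsigned char *buf = (i == fail_at) ? NULL : malloc(key_len);

		if (buf == NULL) {
			return -1;      /* len == i: slots i..n-1 never touched */
		}
		memset(buf, 0xA5, key_len); /* constructed sample key bytes */
		out->val[i].data = buf;
		out->val[i].length = key_len;
		out->len = i + 1;       /* advance only after full init */
	}
	return 0;
}

int main(void)
{
	struct demo_keys k;
	int ret = demo_keys_fill(&k, 4, 16, 2); /* fails at the third key */
	size_t initialized = k.len;

	demo_keys_free(&k);                     /* frees exactly two keys */
	return (ret == -1 && initialized == 2) ? 0 : 1;
}
```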

- - - - -
6e5e2f0b by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Erase key data

If we’re going to zero the keys before freeing them, we might as well do
it properly.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dadfc06c by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Use type bool for ‘is_tgs’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
18569f81 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:auth: Add missing space to error message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
45ca5e23 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:auth: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e9e2dfa5 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:auth: Check return value of talloc_new()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e67c0226 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Return (possibly) more appropriate error codes

This change ultimately won’t make much difference to responses, as
unrecognized codes are mapped to ERR_GENERIC in any case. But it might
provide some help for debugging.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fc99b903 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Make some functions static

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7d6ebfe4 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Return krb5_error_code

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
914f1700 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Switch to using samdb_result_dom_sid_buf()

This function doesn’t require a heap allocation.

We also check the result of the function, which we weren’t doing before.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
63f79844 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Don’t enforce a server authentication policy for the krbtgt

As the server authentication policy will be non-NULL only for entries
looked up as servers, the krbtgt shouldn’t have an authentication policy
anyway. But we might as well be explicit.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ab098c24 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Inline samba_get_claims_blob()

Wrapping a function this simple doesn’t gain us very much.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9d485b26 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Use common out path in mit_samba_kpasswd_change_password()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c1061ae8 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Free error message returned by krb5_get_error_message()

Also check whether the message is NULL. Passing NULL to vasprintf() is
undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
37c8c343 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:dsdb: Use uint32_t for ‘num_sids’

This matches the use of uint32_t for security_token::num_sids.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
479ebdd0 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:dsdb: Make ‘sids’ parameter const

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
365455b6 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:dsdb: Check for overflow in security_token_create()

Overflow is unlikely ever to occur, but you never know.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
78fc6fbb by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Have encode_claims_set return NTSTATUS

This change will simplify things later. Probably.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c6cd6b25 by Joseph Sutton at 2023-08-14T04:57:34+00:00
s4:kdc: Remove ldb_context parameter as being no longer needed

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
58371c33 by Joseph Sutton at 2023-08-14T04:57:35+00:00
s4:kdc: Properly allocate claims set on a talloc context

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e6b78ef7 by Joseph Sutton at 2023-08-14T04:57:35+00:00
s4:kdc: Ensure that we don’t dereference a NULL pointer

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
504a36f3 by Joseph Sutton at 2023-08-14T04:57:35+00:00
s4:kdc: Rename get_claims_for_principal() to get_claims_blob_for_principal()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
21e0c258 by Joseph Sutton at 2023-08-14T04:57:35+00:00
s4:kdc: Rename ‘claims_blob’ parameter to ‘claims_blob_out’

Just to make perfectly clear that it is an out parameter.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2b24bce2 by Michael Tokarev at 2023-08-14T08:34:11+03:00
d/rules: export PYTHONDONTWRITEBYTECODE=1 to stop python from generating .pyc caches (#1048754)

- - - - -
c01c206d by Joseph Sutton at 2023-08-14T05:51:45+00:00
s4:kdc: Add get_claims_set_for_principal()

Add a new function, get_claims_set_for_principal(), that returns the
claims as a CLAIMS_SET structure rather than as a blob. To accommodate
this, move the call to encode_claims_set() out of get_all_claims() and
into get_claims_blob_for_principal().

Being able to get the unencoded claims will save us from having to
decode claims that we just needlessly encoded.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Aug 14 05:51:45 UTC 2023 on atb-devel-224

- - - - -
e7bf94b4 by Jeremy Allison at 2023-08-14T14:57:32+00:00
s3: smbd: Deliberately corrupt an uninitialized pointer.

We will need this to show smbd crashing in the test code.
This will be removed once we're passing the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
963fd8aa by Jeremy Allison at 2023-08-14T14:57:32+00:00
s3: torture: Add SMB1-TRUNCATED-SESSSETUP test.

Shows that we indirect through an uninitialized pointer and the client crashes
its own smbd.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
9220c45c by Jeremy Allison at 2023-08-14T14:57:32+00:00
s3: smbd: Ensure srvstr_pull_req_talloc() always NULLs out *dest.

Robert Morris <rtm at lcs.mit.edu> noticed that in the case
where srvstr_pull_req_talloc() is being called with
buffer remaining == 0, we don't NULL out the destination
pointed which is *always* done in the codepaths inside
pull_string_talloc(). This prevents a crash in the caller.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
5bc50d2e by Jeremy Allison at 2023-08-14T14:57:32+00:00
s3: smbd: Uncorrupt the pointer we were using to prove a crash.

Rather than restore to uninitialized, set to NULL as per
modern coding practices.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420
Reviewed-by: Volker Lendecke <vl at samba.org>

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
5379b8d5 by Jeremy Allison at 2023-08-14T15:55:43+00:00
s3: smbd: Ensure all callers to srvstr_pull_req_talloc() pass a zeroed-out dest pointer.

Now we've fixed srvstr_pull_req_talloc() this isn't
strictly needed, but ensuring pointers are initialized
is best practice to avoid future bugs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Aug 14 15:55:43 UTC 2023 on atb-devel-224

- - - - -
044cb8f9 by Jones Syue at 2023-08-14T18:11:37+00:00
mdssvc: Do an early talloc_free() in _mdssvc_open()

Environment setup:
When macOS Finder connects to a samba server with 'spotlight = yes',
macOS would issue mdssvc open (mdssvc.opnum == 0) to samba and it goes
through api _mdssvc_open().

After applying 578e434a94147dc2d7dbfc006d2ab84807859c1d,
(this is reported by jaywei at qnap.com)
this line 'talloc_free(path);' is deleted if _mdssvc_open() exits normally,
so memory is lazily de-allocated: delayed to
smbd_tevent_trace_callback() @ smb2_process.c. [1]

Supposed to explicitly free 'path' in _mdssvc_open() @ srv_mdssvc_nt.c[2]
just like abnormal exit, do not wait for main loop to free 'path' which is
no longer used, this is more consistent while reading source code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15449

[1] gdb tracing 'path' address 0x56204ccc67e0 to know how it is freed.
Breakpoint 2, _tc_free_children_internal (tc=0x56204ccc6780, ptr=0x56204ccc67e0, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1656
1656            while (tc->child) {
(gdb) bt
0  _tc_free_children_internal (tc=0x56204ccc6780, ptr=0x56204ccc67e0, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1656
1  0x00007ff430d92b14 in _tc_free_internal (tc=0x56204ccc6780, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1183
2  0x00007ff430d93b71 in _tc_free_children_internal (tc=0x56204ccc6720, ptr=0x56204ccc6780, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1668
3  0x00007ff430d93d66 in talloc_free_children (ptr=0x56204ccc6780) at ../../lib/talloc/talloc.c:1714
4  0x00007ff432235aca in talloc_pop (frame=0x56204ccc6780) at ../../lib/util/talloc_stack.c:125
5  0x00007ff430d92959 in _tc_free_internal (tc=0x56204ccc6720, location=0x7ff431f358d0 "../../source3/smbd/process.c:3726") at ../../lib/talloc/talloc.c:1157
6  0x00007ff430d92cd5 in _talloc_free_internal (ptr=0x56204ccc6780, location=0x7ff431f358d0 "../../source3/smbd/process.c:3726") at ../../lib/talloc/talloc.c:1247
7  0x00007ff430d93f96 in _talloc_free (ptr=0x56204ccc6780, location=0x7ff431f358d0 "../../source3/smbd/process.c:3726") at ../../lib/talloc/talloc.c:1791
8  0x00007ff431d81292 in smbd_tevent_trace_callback (point=TEVENT_TRACE_AFTER_LOOP_ONCE, private_data=0x7ffe46591e30) at ../../source3/smbd/process.c:3726
<...cut...>

[2] gdb tracing 'path' address 0x55a6d66deed0 to know how it is freed.
Breakpoint 2, _tc_free_children_internal (tc=0x55a6d66deed0, ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1656
1656            while (tc->child) {
(gdb) bt
0  _tc_free_children_internal (tc=0x55a6d66deed0, ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1656
1  0x00007fc4cb892b14 in _tc_free_internal (tc=0x55a6d66deed0, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1183
2  0x00007fc4cb892cd5 in _talloc_free_internal (ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1247
3  0x00007fc4cb893f96 in _talloc_free (ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1791
4  0x00007fc4cc9396e4 in _mdssvc_open (p=0x55a6d66d5600, r=0x55a6d66edc60) at ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189
<...cut...>

Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Mon Aug 14 18:11:37 UTC 2023 on atb-devel-224

- - - - -
63895e03 by Jeremy Allison at 2023-08-14T18:56:38+00:00
s3: torture: Add a test doing an SMB1 negotiate+exit.

Robert Morris <rtm at lcs.mit.edu> noticed a missing
return in reply_exit_done().

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15430

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>

- - - - -
d79d0508 by Jeremy Allison at 2023-08-14T19:52:49+00:00
s3: smbd: Add missing 'return;'s in exit paths in reply_exit_done().

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15430

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Mon Aug 14 19:52:49 UTC 2023 on atb-devel-224

- - - - -
b6938025 by Volker Lendecke at 2023-08-14T19:53:37+00:00
passdb: Fix a DBG message

This is not dsdb_add_domain_alias()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
753e271e by Volker Lendecke at 2023-08-14T19:53:37+00:00
passdb: Fix whitespace

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
2bea8a80 by Volker Lendecke at 2023-08-14T19:53:37+00:00
passdb: Fix a DBG statement

This is not pdb_getsampwent()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
0c6ac321 by Volker Lendecke at 2023-08-14T19:53:37+00:00
idmap: Fix whitespace

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
b7e0f342 by Volker Lendecke at 2023-08-14T19:53:37+00:00
idmap_tdb: Remove a variable never used

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
0bcba393 by Volker Lendecke at 2023-08-14T19:53:37+00:00
idmap:fix whitespace

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
ac738e30 by Volker Lendecke at 2023-08-14T19:53:37+00:00
lib: Move few bytes of R/W data to R/O text

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
0c645107 by Volker Lendecke at 2023-08-14T19:53:37+00:00
smbd: Use struct initialization

Avoid an explicit ZERO_STRUCT

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
d40d130b by Volker Lendecke at 2023-08-14T19:53:37+00:00
smbd: Fix DBG macro

This augments 5c37615efa2, the DBG macros already prepend the function name

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
ad098665 by Volker Lendecke at 2023-08-14T19:53:37+00:00
dbwrap: Simplify dbwrap_change_uint32_atomic_action()

Use dbwrap_do_locked()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
0382e072 by Volker Lendecke at 2023-08-14T19:53:37+00:00
dbwrap: Simplify dbwrap_change_int32_atomic_action()

Use dbwrap_do_locked()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
688891f4 by Volker Lendecke at 2023-08-14T19:53:37+00:00
smbstatus: Fix CID 1507870 Uninitialized pointer read

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
6527211a by Volker Lendecke at 2023-08-14T19:53:37+00:00
smbstatus: Fix CID 1507865 Uninitialized pointer read

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
4da367c3 by Volker Lendecke at 2023-08-14T19:53:37+00:00
smbd: Use "dirfsp" in smb_posix_open()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
3ee9fe28 by Volker Lendecke at 2023-08-14T19:53:37+00:00
smbd: Use "dirfsp" in smb_posix_unlink()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
fab10b58 by Volker Lendecke at 2023-08-14T19:53:37+00:00
smbd: Pass down "dirfsp" to smb_unix_mknod()

Avoids a call to parent_pathref()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
544c7285 by Volker Lendecke at 2023-08-14T19:53:37+00:00
libsmb: A bit README.Coding for cli_qpathinfo2()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a9f358f7 by Volker Lendecke at 2023-08-14T19:53:37+00:00
tevent: Fix a typo

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
42e4691c by Volker Lendecke at 2023-08-14T20:51:11+00:00
audit_logging: Simplify json_add_stringn() with json_stringn()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Aug 14 20:51:11 UTC 2023 on atb-devel-224

- - - - -
783eff3f by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:lib: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a749d885 by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:libcli: Remove trailing white spaces

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
950f0b47 by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:libcli: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
37664f4c by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:libnet: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
42f094af by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:librpc: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6427dafe by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:ntvfs: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8d85b998 by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:rpc_server: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ee1bc66e by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:samba: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9c13765f by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:scripting: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9ebd645e by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:selftest: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
541f4d08 by Andreas Schneider at 2023-08-14T21:45:29+00:00
s3:ldap_server: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5a0201e8 by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:setup: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e1da1fc9 by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:smb_server: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5dd07a44 by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:torture:auth: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3dd7625a by Andreas Schneider at 2023-08-14T21:45:29+00:00
s4:torture:dfs: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
69b78769 by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:drs: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5850ea63 by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:basic: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e2c952cf by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:dns: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
56fdc3c5 by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:krb5: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3f023d74 by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:ldap: Remove trailing white spaces

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1c4e84fd by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:ldap: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
faa06e5e by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:ldb: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
664f6961 by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:libnetapi: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c4ed99a2 by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:nbench: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
428c1556 by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:nbt: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ff2f813b by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:raw: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
085cfe0c by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:rpc: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0d241305 by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture:smb2: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
920ffe5d by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:torture: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dbfc239f by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:wrepl_server: Remove trailing white spaces

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5f024d57 by Andreas Schneider at 2023-08-14T21:45:30+00:00
s4:wrepl_server: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a7ed7405 by Andreas Schneider at 2023-08-14T21:45:30+00:00
testprogs: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
be56ec0a by Andreas Schneider at 2023-08-14T21:45:30+00:00
tests: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
45e17b70 by Andreas Schneider at 2023-08-14T21:45:30+00:00
wintest: Fix code spelling

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e54939c8 by Andreas Schneider at 2023-08-14T21:45:30+00:00
scripts: Add codespell check

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
61d97ebf by Andreas Schneider at 2023-08-14T22:44:58+00:00
gitlab-ci: Add running codespell

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Aug 14 22:44:58 UTC 2023 on atb-devel-224

- - - - -
d87041d8 by Martin Schwenke at 2023-08-15T09:49:38+00:00
ctdb-common: Improve error handling

Factor out a failure label, which will get more use in subsequent
commits, and only set private_data when success is certain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15451

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

- - - - -
ffc2ae61 by Martin Schwenke at 2023-08-15T09:49:38+00:00
ctdb-common: Replace pcap_open_live() by lower level calls

A subsequent commit will insert an additional call before
pcap_activate().

This sequence of calls is taken from the source for pcap_open_live(),
so there should be no change in behaviour.

Given the defaults set by pcap_create_common(), it would be possible
to omit the calls to pcap_set_promisc() and pcap_set_timeout().
However, those defaults don't seem to be well documented, so continue
to explicitly set everything that was set before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15451

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

- - - - -
dc7b48c4 by Martin Schwenke at 2023-08-15T10:53:52+00:00
ctdb-common: Set immediate mode for pcap capture

Fix a problem where ctdb_killtcp (almost always) fails to capture
packets with --enable-pcap and libpcap ≥ 1.9.1.  The problem is due to
a gradual change in libpcap semantics when using
pcap_get_selectable_fd(3PCAP) to get a file descriptor and then using
that file descriptor in non-blocking mode.

pcap_set_immediate_mode(3PCAP) says:

  pcap_set_immediate_mode() sets whether immediate mode should be set
  on a capture handle when the handle is activated.  In immediate
  mode, packets are always delivered as soon as they arrive, with no
  buffering.

and

  On Linux, with previous releases of libpcap, capture devices are
  always in immediate mode; however, in 1.5.0 and later, they are, by
  default, not in immediate mode, so if pcap_set_immediate_mode() is
  available, it should be used.

However, it wasn't until libpcap commit
2ade7676101366983bd4f86bc039ffd25da8c126 (before libpcap 1.9.1) that
it became a requirement to use pcap_set_immediate_mode(), even with a
timeout of 0.

More explanation in this libpcap issue comment:

  https://github.com/the-tcpdump-group/libpcap/issues/860#issuecomment-541204548

Do a configure check for pcap_set_immediate_mode() even though it has
existed for 10 years.  It is easy enough.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15451

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Tue Aug 15 10:53:52 UTC 2023 on atb-devel-224

- - - - -
f02f74e9 by Jeremy Allison at 2023-08-15T11:12:32+00:00
s3: smbd: init_smb1_request() isn't being passed zero'ed memory from any codepath.

If a client does a SMB1 NEGPROT followed by SMB1 TCON
then req->session is left uninitialized.

Show this causes a crash by deliberately initializing
req->session to an invalid pointer. This will be removed
once the test shows the crash, and the fix is added to
cause init_smb1_request() to zero the memory passed in.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>

- - - - -
c32df3bb by Jeremy Allison at 2023-08-15T11:12:32+00:00
s3: torture: Add SMB1-NEGOTIATE-TCON that shows the SMB1 server crashes on the uninitialized req->session.

Found by Robert Morris <rtm at lcs.mit.edu>.

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <nopower at samba.org>

- - - - -
4145bfb1 by Jeremy Allison at 2023-08-15T12:06:36+00:00
s3: smbd: Ensure init_smb1_request() zeros out what the incoming pointer points to.

Remove the now unneeded req->xxx = NULL assignments (and the
deliberately bogus req->session = (void *)0xDEADBEEF one
used to demonstrate the bug).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Tue Aug 15 12:06:36 UTC 2023 on atb-devel-224

- - - - -
2c915e74 by Joseph Sutton at 2023-08-15T18:46:33+00:00
tests/krb5: Remove unused import

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0cce6168 by Joseph Sutton at 2023-08-15T18:46:33+00:00
tests/krb5: Shorten long lines

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
631e26e1 by Joseph Sutton at 2023-08-15T18:46:33+00:00
tests/krb5: Add a test decoding INT64 PAC claims issued by Windows

Our NDR code currently handles INT64 claims incorrectly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
402bb176 by Joseph Sutton at 2023-08-15T18:46:33+00:00
librpc:ndr: Add ‘int64’ type

This type behaves like a signed variant of ‘hyper’. Unlike the existing
‘dlong’ type, which has four byte alignment, ‘int64’ is aligned to eight
bytes.

Bump the NDR version to 3.0.1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
aa181551 by Joseph Sutton at 2023-08-15T18:46:33+00:00
claims.idl: Use ‘int64’ instead of ‘dlong’ for INT64 claims

This field is supposed to be aligned to eight bytes, but the ‘dlong’
type is aligned to only four bytes. This discrepancy resulted in claims
being encoded and decoded incorrectly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
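
Added example, not part of the commit message and not Samba's librpc code: a simplified little-endian NDR-style stream showing what happens when a 64-bit field is written with eight-byte alignment and read back with four-byte alignment, as the commit above describes for 'dlong' versus 'int64'. The record layout (a uint32 count followed by one signed 64-bit value) and all function names are assumptions made for the illustration.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified NDR-style stream (hypothetical model): little-endian,
 * zero padding, alignment counted from the start of the buffer. */
struct stream {
	uint8_t data[32];
	size_t len; /* bytes written so far */
	size_t off; /* current read position */
};

static size_t align_up(size_t off, size_t align)
{
	return (off + align - 1) & ~(align - 1);
}

/* Pad to 'align', then append 'nbytes' of v in little-endian order. */
static int push_le(struct stream *s, uint64_t v, size_t nbytes, size_t align)
{
	size_t start = align_up(s->len, align);

	if (start + nbytes > sizeof(s->data)) {
		return -1;
	}
	memset(s->data + s->len, 0, start - s->len);
	for (size_t i = 0; i < nbytes; i++) {
		s->data[start + i] = (uint8_t)(v >> (8 * i));
	}
	s->len = start + nbytes;
	return 0;
}

/* Skip padding to 'align', then read 'nbytes' little-endian into *v. */
static int pull_le(struct stream *s, uint64_t *v, size_t nbytes, size_t align)
{
	size_t start = align_up(s->off, align);
	uint64_t out = 0;

	if (start + nbytes > s->len) {
		return -1; /* field would run past the end of the data */
	}
	for (size_t i = 0; i < nbytes; i++) {
		out |= (uint64_t)s->data[start + i] << (8 * i);
	}
	*v = out;
	s->off = start + nbytes;
	return 0;
}

/* Constructed record: uint32 count (4-byte aligned), then one signed
 * 64-bit value written with enc_align and read back with dec_align.
 * Returns 0 on success, -1 if encoding or decoding fails. */
int roundtrip(size_t enc_align, size_t dec_align, int64_t in,
	      int64_t *out, size_t *leftover)
{
	struct stream s = { .len = 0, .off = 0 };
	uint64_t count = 0, raw = 0;

	if (push_le(&s, 1, 4, 4) != 0 ||
	    push_le(&s, (uint64_t)in, 8, enc_align) != 0) {
		return -1;
	}
	if (pull_le(&s, &count, 4, 4) != 0 ||
	    pull_le(&s, &raw, 8, dec_align) != 0) {
		return -1;
	}
	*out = (int64_t)raw;
	*leftover = s.len - s.off; /* bytes the decoder never consumed */
	return 0;
}

int main(void)
{
	static const size_t cases[3][2] = { {8, 8}, {8, 4}, {4, 8} };

	for (size_t i = 0; i < 3; i++) {
		int64_t out = 0;
		size_t left = 0;
		int rc = roundtrip(cases[i][0], cases[i][1], -5, &out, &left);

		if (rc != 0) {
			printf("write align %zu, read align %zu: decode failed\n",
			       cases[i][0], cases[i][1]);
			continue;
		}
		printf("write align %zu, read align %zu: value %" PRId64
		       ", %zu bytes left over\n",
		       cases[i][0], cases[i][1], out, left);
	}
	return 0;
}
```

With mismatched alignment the reader either picks up the padding bytes as the low half of the value or runs out of data, so a decoder should treat unexpected leftover bytes or a short read as a sign of a layout mismatch.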

- - - - -
37fdd79c by Joseph Sutton at 2023-08-15T19:41:50+00:00
tests/krb5: Remove incorrect comments

Now that the INT64 claim IDL definition has been corrected, these tests
should pass against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Aug 15 19:41:50 UTC 2023 on atb-devel-224

- - - - -
9e5f1a30 by Jones Syue at 2023-08-16T10:48:14+00:00
mdssvc: Do an early talloc_free() in _mdssvc_open()

Environment setup:
When macOS Finder connects to a samba server with 'spotlight = yes',
macOS would issue mdssvc open (mdssvc.opnum == 0) to samba and it goes
through the api _mdssvc_open().

After 578e434a94147dc2d7dbfc006d2ab84807859c1d was applied
(this is reported by jaywei at qnap.com),
the line 'talloc_free(path);' is deleted if _mdssvc_open() exits normally,
so the memory is de-allocated lazily: delayed to
smbd_tevent_trace_callback() @ smb2_process.c. [1]

We are supposed to explicitly free 'path' in _mdssvc_open() @ srv_mdssvc_nt.c [2]
just like on abnormal exit, and not wait for the main loop to free 'path', which is
no longer used; this is more consistent when reading the source code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15449

[1] gdb tracing 'path' address 0x56204ccc67e0 to know how it is freed.
Breakpoint 2, _tc_free_children_internal (tc=0x56204ccc6780, ptr=0x56204ccc67e0, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1656
1656            while (tc->child) {
(gdb) bt
0  _tc_free_children_internal (tc=0x56204ccc6780, ptr=0x56204ccc67e0, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1656
1  0x00007ff430d92b14 in _tc_free_internal (tc=0x56204ccc6780, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1183
2  0x00007ff430d93b71 in _tc_free_children_internal (tc=0x56204ccc6720, ptr=0x56204ccc6780, location=0x7ff430d96410 "../../lib/talloc/talloc.c:1714") at ../../lib/talloc/talloc.c:1668
3  0x00007ff430d93d66 in talloc_free_children (ptr=0x56204ccc6780) at ../../lib/talloc/talloc.c:1714
4  0x00007ff432235aca in talloc_pop (frame=0x56204ccc6780) at ../../lib/util/talloc_stack.c:125
5  0x00007ff430d92959 in _tc_free_internal (tc=0x56204ccc6720, location=0x7ff431f358d0 "../../source3/smbd/process.c:3726") at ../../lib/talloc/talloc.c:1157
6  0x00007ff430d92cd5 in _talloc_free_internal (ptr=0x56204ccc6780, location=0x7ff431f358d0 "../../source3/smbd/process.c:3726") at ../../lib/talloc/talloc.c:1247
7  0x00007ff430d93f96 in _talloc_free (ptr=0x56204ccc6780, location=0x7ff431f358d0 "../../source3/smbd/process.c:3726") at ../../lib/talloc/talloc.c:1791
8  0x00007ff431d81292 in smbd_tevent_trace_callback (point=TEVENT_TRACE_AFTER_LOOP_ONCE, private_data=0x7ffe46591e30) at ../../source3/smbd/process.c:3726
<...cut...>

[2] gdb tracing 'path' address 0x55a6d66deed0 to know how it is freed.
Breakpoint 2, _tc_free_children_internal (tc=0x55a6d66deed0, ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1656
1656            while (tc->child) {
(gdb) bt
0  _tc_free_children_internal (tc=0x55a6d66deed0, ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1656
1  0x00007fc4cb892b14 in _tc_free_internal (tc=0x55a6d66deed0, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1183
2  0x00007fc4cb892cd5 in _talloc_free_internal (ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1247
3  0x00007fc4cb893f96 in _talloc_free (ptr=0x55a6d66def30, location=0x7fc4cca84040 "../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189") at ../../lib/talloc/talloc.c:1791
4  0x00007fc4cc9396e4 in _mdssvc_open (p=0x55a6d66d5600, r=0x55a6d66edc60) at ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:189
<...cut...>

Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Mon Aug 14 18:11:37 UTC 2023 on atb-devel-224

(cherry picked from commit 044cb8f9d558bfcd7658cae0f05ff36330538748)

- - - - -
8e31fd2d by Jeremy Allison at 2023-08-16T10:48:14+00:00
s3: smbd: Deliberately corrupt an uninitialized pointer.

We will need this to show smbd crashing in the test code.
This will be removed once we're passing the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit e7bf94b4e3a7f994aa6f0b859089c5add2ad380f)

- - - - -
6fef9767 by Jeremy Allison at 2023-08-16T10:48:14+00:00
s3: torture: Add SMB1-TRUNCATED-SESSSETUP test.

Shows that we indirect through an uninitialized pointer and the client crashes
its own smbd.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 963fd8aa9b76361ab9aeb63307773f2498b17879)

- - - - -
4c27dfe3 by Jeremy Allison at 2023-08-16T10:48:14+00:00
s3: smbd: Ensure srvstr_pull_req_talloc() always NULLs out *dest.

Robert Morris <rtm at lcs.mit.edu> noticed that in the case
where srvstr_pull_req_talloc() is being called with
buffer remaining == 0, we don't NULL out the destination
pointer which is *always* done in the codepaths inside
pull_string_talloc(). This prevents a crash in the caller.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 9220c45cc191b34e293190f6a923ba463edd5db9)

- - - - -
f025f51a by Jeremy Allison at 2023-08-16T10:48:14+00:00
s3: smbd: Uncorrupt the pointer we were using to prove a crash.

Rather than restore to uninitialized, set to NULL as per
modern coding practices.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420
Reviewed-by: Volker Lendecke <vl at samba.org>

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 5bc50d2ea4444244721e72b4264311c7005d2f3c)

- - - - -
e6c0d4f1 by Jeremy Allison at 2023-08-16T10:48:14+00:00
s3: smbd: Ensure all callers to srvstr_pull_req_talloc() pass a zeroed-out dest pointer.

Now we've fixed srvstr_pull_req_talloc() this isn't
strictly needed, but ensuring pointers are initialized
is best practice to avoid future bugs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15420

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Aug 14 15:55:43 UTC 2023 on atb-devel-224

(cherry picked from commit 5379b8d557a9a16b81eafb87b60b81debc4bfccb)

- - - - -
122afc37 by Jeremy Allison at 2023-08-16T10:48:14+00:00
s3: torture: Add a test doing an SMB1 negotiate+exit.

Robert Morris <rtm at lcs.mit.edu> noticed a missing
return in reply_exit_done().

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15430

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit 63895e03c4e8ed79a3b2cda928f58ec278cd6608)

- - - - -
320d6540 by Jeremy Allison at 2023-08-16T11:49:39+00:00
s3: smbd: Add missing 'return;'s in exit paths in reply_exit_done().

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15430

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Noel Power <npower at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Mon Aug 14 19:52:49 UTC 2023 on atb-devel-224

(cherry picked from commit d79d0508a4b8bdc4582a350d109181ecae0bf1e2)

Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Wed Aug 16 11:49:39 UTC 2023 on atb-devel-224

- - - - -
87e193d9 by Jule Anger at 2023-08-16T18:36:14+02:00
WHATSNEW: Add release notes for Samba 4.18.6.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
2613f2b2 by Jule Anger at 2023-08-16T18:36:51+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.18.6 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
124758a0 by Michael Tokarev at 2023-08-16T20:06:52+03:00
New upstream version 4.18.6+dfsg
- - - - -
7f1e477b by Michael Tokarev at 2023-08-16T20:07:26+03:00
Update upstream source from tag 'upstream/4.18.6+dfsg'

Update to upstream version '4.18.6+dfsg'
with Debian dir 928ac93eb5074cfafd18152754a55a9c3c072389
- - - - -
a1bb3bd5 by Michael Tokarev at 2023-08-16T20:12:47+03:00
update changelog; upload version 4.18.6+dfsg-1 to unstable

- - - - -
02b54677 by Joseph Sutton at 2023-08-21T23:37:29+00:00
lib:krb5_wrap: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d608dc17 by Joseph Sutton at 2023-08-21T23:37:29+00:00
lib:krb5_wrap: Fix references to incorrect function names

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
593a7fb6 by Joseph Sutton at 2023-08-21T23:37:29+00:00
libcli/auth: Remove unnecessary casts

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d5cbb542 by Joseph Sutton at 2023-08-21T23:37:29+00:00
librpc:ndr: Use portable integer types

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a836b433 by Joseph Sutton at 2023-08-21T23:37:29+00:00
pidl: Use non-existent function dissect_ndr_int64()

This function does not exist yet, but Wireshark can implement it if they
ever choose to regenerate their NDR dissectors.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d40293e0 by Joseph Sutton at 2023-08-21T23:37:29+00:00
python:netcmd: Add missing newlines to error messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
859bbef4 by Joseph Sutton at 2023-08-21T23:37:29+00:00
python:netcmd: Remove semicolon

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c052b175 by Joseph Sutton at 2023-08-21T23:37:29+00:00
python:subunit: Fix docstring

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b7e00680 by Joseph Sutton at 2023-08-21T23:37:29+00:00
python:subunit: Use ‘is’ to compare variables with singletons

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a985873c by Joseph Sutton at 2023-08-21T23:37:29+00:00
python:tests: Make getSamDB() a static method

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f71893c1 by Joseph Sutton at 2023-08-21T23:37:29+00:00
python:tests: Reuse claims created by setUp() across all tests

We now create the claims in setUp() only once, preserving them so as to
reuse them across all of the tests in this class. Then we finally delete
them all in tearDownClass().

addClassCleanup() could make this cleaner, but it’s available only in
Python 3.8 and above.

This change reduces the time taken by my machine to run these tests from
four minutes to twenty seconds.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
981c3413 by Joseph Sutton at 2023-08-21T23:37:29+00:00
python:tests: Reuse policies and silos created by setUp() across all tests

We now create the claims in setUp() only once, preserving them so as to
reuse them across all of the tests using this class. Then we finally
delete them all in tearDownClass().

addClassCleanup() could make this cleaner, but it’s available only in
Python 3.8 and above.

This change reduces the time taken by my machine to run
samba.tests.samba_tool.domain_auth_policy from two minutes to ten
seconds.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2d6b10da by Joseph Sutton at 2023-08-21T23:37:29+00:00
python:tests: Fix spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
683dab11 by Joseph Sutton at 2023-08-21T23:37:29+00:00
python:tests: Save files with intended contents

We presumably here meant to use the variable ‘contents’, not
‘test_contents’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4004ded9 by Joseph Sutton at 2023-08-21T23:37:29+00:00
s3:libnet: Remove unnecessary cast

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b3c47b65 by Joseph Sutton at 2023-08-21T23:37:29+00:00
s3:libnet: Fix reference to incorrect function names

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
448cc122 by Joseph Sutton at 2023-08-21T23:37:29+00:00
s3:rpc_server: Remove unnecessary cast

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6b580f73 by Joseph Sutton at 2023-08-21T23:37:29+00:00
s4:kdc: Do not panic if authsam_logon_success_accounting() fails

In hdb_samba4_audit(), ERR_GENERIC signals an unexpected situation — if
we encounter that error code while running under selftest, we’ll panic.
In response to an expected event such as the failure of
authsam_logon_success_accounting(), it’s more appropriate to continue to
run.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bbfa98ec by Joseph Sutton at 2023-08-21T23:37:29+00:00
s4:kdc: Remove support code for older versions of MIT Kerberos

The oldest version we now support is 1.21. For every supported version
we can be certain that KRB5_KDB_API_VERSION >= 10 and
KRB5_KDB_DAL_MAJOR_VERSION >= 9.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9166d01b by Joseph Sutton at 2023-08-21T23:37:29+00:00
s4:kdc: Set SAMBA_KDC_FLAG_PROTOCOL_TRANSITION flag for MIT Kerberos

This flag was set in commit 461dc44e740aacad41bb0df0552560d1eb3c6ea8,
but only in mit_samba_reget_pac(); it was not set in the newer function,
mit_samba_update_pac(), used with MIT Kerberos 1.20 and above.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6d2c7c45 by Joseph Sutton at 2023-08-21T23:37:29+00:00
s4:kdc: Use ‘krb5_error_code’ for return types

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4b03aabe by Joseph Sutton at 2023-08-21T23:37:29+00:00
s4:kdc: Use smb_krb5_make_data()

smb_krb5_make_data() sets the magic field, which we were previously
ignoring. We should also not set krb5_data::length if krb5_data::data is
NULL.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
783f09cc by Joseph Sutton at 2023-08-21T23:37:29+00:00
s4:smb_server: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
892c1b0a by Joseph Sutton at 2023-08-21T23:37:29+00:00
s4:torture: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c2126e08 by Joseph Sutton at 2023-08-21T23:37:29+00:00
selftest: Remove semicolon

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7ce6e3c9 by Joseph Sutton at 2023-08-21T23:37:29+00:00
selftest: Remove unused variable

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cbc0ff18 by Joseph Sutton at 2023-08-21T23:37:29+00:00
selftest: Remove leftover from debugging

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fc41a35a by Joseph Sutton at 2023-08-21T23:37:29+00:00
selftest: Fix subunit reporting the time incorrectly

Although report_time() would output the time in UTC, it neglected to
specify the timezone offset. Thus subunithelper.parse_results() would
interpret the time string it was given as being in local time.
TestProtocolClient.time() then converted that *back* into UTC, giving an
incorrect result (unless UTC is your local timezone).

Fix this by having report_time() indicate that the time zone is UTC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15162

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
aba7eb09 by Joseph Sutton at 2023-08-22T00:36:52+00:00
selftest: Report time at which testsuite starts

With no call to report_time() preceding it,
PlainFormatter.start_testsuite() would always claim that no time had
elapsed prior to the first testsuite starting to run. This gave a
misleading impression of the time spent running the first testsuite. Now
the time will be consistent with that reported for subsequent
testsuites, and will properly include any time that test environments
took to start up.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Aug 22 00:36:52 UTC 2023 on atb-devel-224

- - - - -
3a5f7eae by Michael Tokarev at 2023-08-22T08:04:07+03:00
d/changelog: add 2 forgotten changelog entries for the previous upload

- - - - -
55539629 by Volker Lendecke at 2023-08-22T16:45:31+00:00
libsmb: Add cli_smb2_qpathinfo_send/recv()

Wrap the create/qfileinfo/close, to be used in next patches

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
50edb026 by Volker Lendecke at 2023-08-22T16:45:31+00:00
libsmb: Use cli_smb2_qpathinfo() for streams

Remove sync cli_smb2_qpathinfo_streams() wrapper.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
f2d535db by Volker Lendecke at 2023-08-22T16:45:31+00:00
libsmb: Use cli_smb2_qpathinfo() in cli_qpathinfo2()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
47509eb7 by Volker Lendecke at 2023-08-22T16:45:31+00:00
libsmb: Use cli_smb2_qpathinfo_basic() in cli_getatr()

cli_smb2_qpathinfo_basic() uses the smb_create_returns and avoids a
round-trip.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
914e0cf6 by Volker Lendecke at 2023-08-22T16:45:31+00:00
smbclient: Don't give up in allinfo if getting advanced info fails

Getting streams might fail, but further down getting reparse info
might succeed.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
c0db32b4 by Volker Lendecke at 2023-08-22T16:45:31+00:00
torture3: Avoid unused variables

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
087cddc9 by Volker Lendecke at 2023-08-22T16:45:31+00:00
libsmb: Move cli_qpathinfo1() to torture3

It's only used there, and it clutters general code. Re-adding the
async flavor is trivial should it ever be required.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a6a5ce7b by Volker Lendecke at 2023-08-22T16:45:31+00:00
libsmb: Move cli_raw_ioctl() to torture3

Only used there.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
107beacf by Volker Lendecke at 2023-08-22T16:45:31+00:00
libsmb: Use tevent_req_oom() where appropriate

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
edc6e69e by Volker Lendecke at 2023-08-22T16:45:31+00:00
libsmb: Remove a duplicate TALLOC_FREE()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
dd801b69 by Volker Lendecke at 2023-08-22T16:45:31+00:00
libsmb: Use tevent_req_nterror() properly

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
939aa0e6 by Volker Lendecke at 2023-08-22T16:45:31+00:00
clifuse: Use direct FSCC info level

Avoid the magic -1000

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
2c6a01c8 by Volker Lendecke at 2023-08-22T16:45:31+00:00
libcli: Add required #includes to smbXcli_base.h

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
81226b51 by MikeLiu at 2023-08-22T17:44:00+00:00
vfs_aio_pthread: use SMB_VFS_NEXT_OPENAT() in aio_pthread_openat_fn()

1. Set 'aio_allow_open' to false if fsp->fsp_flags.is_pathref
2. Move !(how->flags & O_CREAT) and !(how->flags & O_EXCL) up and set 'aio_allow_open' to false
3. Use SMB_VFS_NEXT_OPENAT() instead of openat() for disable async opens case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15453

Signed-off-by: MikeLiu <mikeliu at qnap.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 22 17:44:00 UTC 2023 on atb-devel-224

- - - - -
c291ab2a by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:param: Use lpcfg_set_cmdline()

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
b9a73ff6 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
examples: Use lpcfg_set_cmdline()

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
4a54b005 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:rpcclient: Use lpcfg_set_cmdline()

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
993ba8a8 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:rpc_server: Use lpcfg_set_cmdline() in test_mdsparser_es

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
0534e1ca by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in dbwrap_tool

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
041e28d9 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in dbwrap_torture

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
2eced254 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in mdsearch

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
e6ea68b4 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in net

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
10e35d6c by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Remove trailing spaces in pdbedit; no changes

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
914d1a38 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in pdbedit

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
ed947b16 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in regedit

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
6c00718f by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in sharesec

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
0e2d13c5 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in smbcacls

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
d0ca1114 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Remove trailing spaces in smbcacls; no changes

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
7a4cb09a by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in smbcontrol

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
9ef35869 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Remove trailing spaces in smbcontrol; no changes

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
16a4c8c8 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in smbcquotas

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
8f2a9f83 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Remove trailing spaces in smbcquotas; no changes

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
91e5859b by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in smbstatus

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
b37269e0 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in testparm

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
1502ef29 by Pavel Kalugin at 2023-08-23T08:27:30+00:00
s3:utils: Use lpcfg_set_cmdline() in vfstest

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
86f67f59 by Jeremy Allison at 2023-08-23T09:29:51+00:00
s3: libsmb: Add a missing return statement in the timeout case.

Obvious fix (needs a malicious server to recreate).

Found by Robert Morris <rtm at lcs.mit.edu>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15426

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Aug 23 09:29:51 UTC 2023 on atb-devel-224

- - - - -
4504324e by Douglas Bagnall at 2023-08-24T02:53:30+00:00
lib/util: strhex_to_data_blob checks talloc

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
43e017d3 by Douglas Bagnall at 2023-08-24T02:53:30+00:00
libcli/security/pysecurity: use NULL to mean NULL in C

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
59a2d741 by Douglas Bagnall at 2023-08-24T02:53:30+00:00
pytests: add helper to grab a directory from environment

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
77967274 by Douglas Bagnall at 2023-08-24T02:53:30+00:00
pytest/sddl: replace/export tests based on environment vars

We had a stupid system involving test functions with side-effects,
that needed to be enabled by editing the file. Now you get the same
effects by setting environment variables, the names of which you can
only learn by reading the file closely.

This works better because some stuff needs to happen at class-time
rather than instance-time.

Also the environment variables specify the import and export locations.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5b9f42b3 by Douglas Bagnall at 2023-08-24T02:53:30+00:00
pytest/sddl: environment option for exporting as fuzz seeds

We want realistic examples for sddl fuzzing seeds, and we want
realistic examples for sddl tests, so hopefully we only need to get
it right once.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a8a0ae89 by Douglas Bagnall at 2023-08-24T02:53:30+00:00
pytest/sddl: add option for case-insensitive tests

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4a1848a1 by Douglas Bagnall at 2023-08-24T02:53:30+00:00
pytest/sddl: tests for more invalid or weird cases

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
31dadff3 by Douglas Bagnall at 2023-08-24T02:53:30+00:00
s4/torture: initialise ACE structs to zero

Because soon these structs will have more members, which are typically
going to be zero.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5a45a434 by Douglas Bagnall at 2023-08-24T02:53:30+00:00
s4/ntfvfs/pvfs_acl: initialise ACEs to zeroes

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
47edd41b by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: sddl ACL decode avoids early splitting on parenthesis

Soon we will have Conditional ACEs and Resource Attribute ACEs. It is
expected --indeed mandatory-- that the SDDL representations of these
ACEs will contain parentheses, so we can't use '(' and ')' to decide
where ACEs stop and start.

This means shifting where we make a mutable copy of the SDDL string
from per-ACE to per-ACL, and allowing sddl_decode_ace() to decide when
its ACE is finished.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
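
Why the first ')' cannot mark the end of an ACE, as an added example that is not Samba's code: ace_end_naive(), ace_end_nested() and count_aces() are hypothetical helpers and the SDDL strings are constructed. The nested scanner is a simplification that assumes double-quoted string literals without escapes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed conditional ACE: the 7th field is a parenthesised expression
 * whose string literal itself contains parentheses. */
#define SAMPLE_COND_ACE "(XA;;FA;;;WD;(@User.Title == \"PM (acting)\"))"

/* Constructed ACL body: ordinary ACE, conditional ACE, ordinary ACE. */
static const char SAMPLE_ACL[] = "(A;;FA;;;WD)" SAMPLE_COND_ACE "(D;;FA;;;BA)";

/* Old-style boundary: the ACE ends at the first ')'.
 * Returns the offset of that ')' or -1. */
long ace_end_naive(const char *s)
{
	const char *p;

	if (s[0] != '(') {
		return -1;
	}
	p = strchr(s, ')');
	return p != NULL ? (long)(p - s) : -1;
}

/* Boundary decided by the ACE itself: track parenthesis depth and skip
 * quoted literals. Returns the offset of the closing ')' or -1 if the
 * string ends before the ACE is balanced. */
long ace_end_nested(const char *s)
{
	long depth = 0;
	int in_string = 0;
	long i;

	if (s[0] != '(') {
		return -1;
	}
	for (i = 0; s[i] != '\0'; i++) {
		char c = s[i];

		if (in_string) {
			if (c == '"') {
				in_string = 0;
			}
			continue;
		}
		if (c == '"') {
			in_string = 1;
		} else if (c == '(') {
			depth++;
		} else if (c == ')') {
			depth--;
			if (depth == 0) {
				return i;
			}
		}
	}
	return -1;
}

/* Walk an ACL body ACE by ACE with the given boundary finder.
 * Returns the number of ACEs, or -1 as soon as a boundary is wrong. */
int count_aces(const char *acl, long (*find_end)(const char *))
{
	int n = 0;

	while (*acl != '\0') {
		long end = find_end(acl);

		if (end < 0) {
			return -1;
		}
		n++;
		acl += end + 1;
	}
	return n;
}

int main(void)
{
	printf("naive:  %d ACEs\n", count_aces(SAMPLE_ACL, ace_end_naive));
	printf("nested: %d ACEs\n", count_aces(SAMPLE_ACL, ace_end_nested));
	return 0;
}
```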

- - - - -
c73034cf by Douglas Bagnall at 2023-08-24T02:53:31+00:00
librpc/security.idl: adjust size calculations for upcoming ace types

Soon we will get Conditional ACEs and Resource Attribute ACEs, each of
which has trailing bytes at the end of the ACE. Here's a diagram:

              ____      The ACE size field may indicate a size bigger
  .type      /    |     than the known parts, even when you take
  .flags    /     |     rounding to a multiple of four into account.
  .size  --'      |     This extra data is meaningful in some ACEs.
  .access_mask    |
  .trustee (sid) _|  <- known data ends here.
                  :
   "coda"      ___:  <- the trailing part, Zero size unless the size
                        field points beyond the end of the known data.
                        Probably empty for ordinary ACE types.

Until now we have thrown away these extra bytes, because they have no
meaning in the ACE types we recognise. But with conditional and
resource attribute ACEs we need to catch and process these bytes, so
we add an extra field for that.

Thus we can drop the manually written ndr_pull_security_ace() that
discarded the trailing bytes, because we just allow it to be pulled
into an unused blob. In the very common case, the blob will be empty.

Microsoft does not use a common name across different ACE types to
describe this end-data -- "coda" is a Samba term.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
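
The layout in the diagram above as a bounds-checked parser, added here as an illustration and not Samba's NDR code: struct ace_view, parse_ace() and acl_coda_total() are hypothetical names and the sample bytes are constructed. Only the non-object layout from the diagram (header, access mask, trustee SID) is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ACE_FIXED_LEN 8u      /* type(1) + flags(1) + size(2) + access_mask(4) */
#define SID_FIXED_LEN 8u      /* revision(1) + sub-auth count(1) + authority(6) */
#define SID_MAX_SUBAUTHS 15u

/* Hypothetical view onto one ACE inside a caller-owned buffer. */
struct ace_view {
	uint8_t type;
	uint8_t flags;
	uint16_t size;         /* the ACE's own size field */
	uint32_t access_mask;
	const uint8_t *sid;    /* trustee SID */
	size_t sid_len;
	const uint8_t *coda;   /* bytes between the SID and the end of the ACE */
	size_t coda_len;       /* 0 for ordinary ACEs */
};

/* Constructed sample: two ACEs back to back, both for trustee S-1-1-0. */
static const uint8_t SAMPLE_ACES[48] = {
	/* ACE 1: type 0x00, size 20, no coda */
	0x00, 0x00, 0x14, 0x00,  0xff, 0x01, 0x1f, 0x00,
	0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,
	/* ACE 2: type 0x09, size 28, 8 placeholder coda bytes */
	0x09, 0x00, 0x1c, 0x00,  0xff, 0x01, 0x1f, 0x00,
	0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,
	'c', 'o', 'd', 'a', 0x00, 0x00, 0x00, 0x00,
};

static uint16_t le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one ACE at buf. Returns 0 on success, -1 if the size field or the
 * SID would reach outside the bytes that are actually available. */
int parse_ace(const uint8_t *buf, size_t len, struct ace_view *out)
{
	size_t known_end;
	uint8_t num_subauths;

	if (len < ACE_FIXED_LEN + SID_FIXED_LEN) {
		return -1;
	}
	out->type = buf[0];
	out->flags = buf[1];
	out->size = le16(buf + 2);
	if (out->size > len || out->size < ACE_FIXED_LEN + SID_FIXED_LEN) {
		return -1;      /* size field lies about the buffer */
	}
	out->access_mask = le32(buf + 4);

	num_subauths = buf[ACE_FIXED_LEN + 1];
	if (num_subauths > SID_MAX_SUBAUTHS) {
		return -1;
	}
	out->sid = buf + ACE_FIXED_LEN;
	out->sid_len = SID_FIXED_LEN + 4u * num_subauths;

	known_end = ACE_FIXED_LEN + out->sid_len;
	if (known_end > out->size) {
		return -1;      /* SID runs past the end of the ACE */
	}
	/* Whatever the size field covers beyond the known data is the coda. */
	out->coda = buf + known_end;
	out->coda_len = out->size - known_end;
	return 0;
}

/* Walk num_aces ACEs, advancing by each size field, and total the coda. */
int acl_coda_total(const uint8_t *buf, size_t len, unsigned num_aces,
		   size_t *total)
{
	size_t off = 0;
	unsigned i;

	*total = 0;
	for (i = 0; i < num_aces; i++) {
		struct ace_view v;

		if (parse_ace(buf + off, len - off, &v) != 0) {
			return -1;
		}
		*total += v.coda_len;
		off += v.size;
	}
	return 0;
}

int main(void)
{
	size_t total = 0;
	int rc = acl_coda_total(SAMPLE_ACES, sizeof(SAMPLE_ACES), 2, &total);

	printf("rc=%d coda bytes=%zu\n", rc, total);
	return 0;
}
```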

- - - - -
26722348 by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: used sec_ace_object() in sddl encoding

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c1621d34 by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: avoid leak in calculate_inherited_from_parent()

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
55cc6b52 by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: remove unused tmp_ctx in calculate_inherited_from_parent()

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3c300790 by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: script to turn token/descriptor pairs into sddl

We fuzz security descriptors in a couple of different ways, and this
maps seeds from one form into the other. The SDDL examples can also be
used in Windows tests.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a24ba4ea by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: add some test more Windows SDDL test strings

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f58372cc by Douglas Bagnall at 2023-08-24T02:53:31+00:00
python/colour: add a colour diff helper

Sometimes colour can help show what is different between two strings.

This is roughly the same as

`git diff --no-index --color-words=. <a> <b>`.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
641981c4 by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: rewrite SDDL tests for running on Windows

This script never worked well because it had to shell out to
Powershell, which never worked well due to syntax conflicts and
Powershell's specialness. The attempted ctypes version did not work,
due to the difficulty in expressing things like "relative
PSECURITY_DESCRIPTOR" in ctypes.

It turns out that pywin32 is easy to install and use, and we can
extract the NDR bytes which is far more useful than just testing if
the SDDL parses.

On Windows:

1. install Python from python.org
2. run `pip install pywin32`
3. copy e.g. libcli/security/tests/data/conditional-aces.txt to Windows
4. run `python windows-sddl-tests.py conditional-aces.txt`
5. add `--help` to see how to export descriptor bytes.

The default output is a whole lot of multi-coloured text, indicating
what failed and what didn't.

With --export-json it writes a JSON file mapping SDDL strings to NDR
byte sequences, which can be used to compare with Samba's attempts. If
you are only interested in --export-json, you might also like --quiet.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
536b9a0c by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: move Windows test script to windows subdir

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
741ab485 by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: test helper script extracts fuzz SDDL

This allows us to try the fuzz seeds as SDDL on Windows, then test
that Samba matches Windows' security descriptors in the cases where
the SDDL compiles. This will find SDDL edge cases that might otherwise
be missed.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
882ad161 by Douglas Bagnall at 2023-08-24T02:53:31+00:00
pytest: compare Samba vs Windows SDDL security descriptors

Can Samba understand Windows security descriptors? Does it parse SDDL
the same way?

Here we test on over 7000 SDDL/descriptor pairs and find the answer
is pleasing. In later commits we will add more tests using different
classes of ACE.

The test cases are derived from fuzz seeds, exported to Windows via
the script in the last commit, with the Windows descriptor bytes found
using libcli/security/tests/windows/windows-sddl-test.py.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
909a2af9 by Douglas Bagnall at 2023-08-24T02:53:31+00:00
libcli/security: rm unused sec_ace_copy()

Unused since 2014.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
18f44f3b by Douglas Bagnall at 2023-08-24T03:47:08+00:00
selftest:ndrdump: adjust xattr_NTACL test for ACE coda

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Aug 24 03:47:08 UTC 2023 on atb-devel-224

- - - - -
c7672779 by Martin Schwenke at 2023-08-28T01:21:07+00:00
util: Avoid logging to multiple backends for stdout/stderr

Commit 83fe7a0316d3e5867a56cfdc51ec17f36ea03889 converted the
stdout/stderr logging types to DEBUG_FILE to get a header when using
DEBUG_SYSLOG_FORMAT_ALWAYS.  However, this causes all configured
backends to be invoked.  When syslog is one of those backends then
this is almost certainly not what is intended.

Instead, call debug_file_log() directly in that special case and
revert the parts of the above commit that convert to file logging.

Most of the changes to debughdrclass() still seem necessary, since
they handle the change of debug_syslog_format from a bool to an enum.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15460

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Mon Aug 28 01:21:07 UTC 2023 on atb-devel-224

- - - - -
8e7a62b6 by Andreas Schneider at 2023-08-28T02:04:36+00:00
waf: Build nmbd with -Wno-error=stringop-overflow

We use strlcpy() which has been added to glibc recently. This means we
also get fortification for strlcpy() now:

source3/nmbd/nmbd_browsesync.c: In function ‘find_domain_master_name_query_success’:
source3/nmbd/nmbd_browsesync.c:337:9: warning: ‘strlcpy’ writing 257 bytes into a
region of size 16 overflows the destination [-Wstringop-overflow=]
  337 |         strlcpy(userdata->data, work->work_group, size - sizeof(*userdata));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We allocate memory for the userdata struct + fstring. However the data
pointer we use only is 16 bytes. Also nowadays you would use offsetof()
for the allocation calculation, but it only works correctly on newer
compilers like gcc > 7. We could make use of it in future after CentOS 7
is gone.

As we don't want to touch nmbd anymore, just silence the warnings.

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
776597bc by Joseph Sutton at 2023-08-28T02:04:36+00:00
samba-tool: Allow LDB URL to be None

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15458

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a1b285e4 by Gabriel Nagy at 2023-08-28T02:04:36+00:00
gp: Support more global trust directories

In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).

To determine the correct directory to use, we iterate over the variants
and stop at the first which is a directory.

In case none is found, fall back to the first option which will produce a
warning as it did previously.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
fa80d1d8 by Gabriel Nagy at 2023-08-28T02:04:36+00:00
gp: Support update-ca-trust helper

This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
bce3a892 by Gabriel Nagy at 2023-08-28T02:04:36+00:00
gp: Change root cert extension suffix

On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
1ef722cf by Gabriel Nagy at 2023-08-28T02:04:36+00:00
gp: Test with binary content for certificate data

This fails all GPO-related tests that call `gpupdate --rsop`.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
157335ee by Gabriel Nagy at 2023-08-28T02:04:36+00:00
gp: Convert CA certificates to base64

I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:

'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte

We found a fix to be encoding the certificate to base64 when
constructing the CA list.

Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
2d6943a8 by Gabriel Nagy at 2023-08-28T02:04:36+00:00
gp: Test adding new cert templates enforces changes

Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
2a6ae997 by Gabriel Nagy at 2023-08-28T02:04:36+00:00
gp: Template changes should invalidate cache

If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
taken into account.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
ee814f77 by Gabriel Nagy at 2023-08-28T02:04:36+00:00
gp: Test disabled enrollment unapplies policy

For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
7dc18175 by Gabriel Nagy at 2023-08-28T03:01:22+00:00
gp: Send list of keys instead of dict to remove

`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224

- - - - -
087e7cdc by Jule Anger at 2023-08-28T15:55:30+02:00
VERSION: Bump version up to Samba 4.19.0rc5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
9f573711 by Martin Schwenke at 2023-08-29T08:25:12+00:00
ctdb-common: Improve error handling

Factor out a failure label, which will get more use in subsequent
commits, and only set private_data when success is certain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15451

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit d87041d8968e91db9d257445321b85693303f95e)

- - - - -
58e7d6a9 by Martin Schwenke at 2023-08-29T08:25:12+00:00
ctdb-common: Replace pcap_open_live() by lower level calls

A subsequent commit will insert an additional call before
pcap_activate().

This sequence of calls is taken from the source for pcap_open_live(),
so there should be no change in behaviour.

Given the defaults set by pcap_create_common(), it would be possible
to omit the calls to pcap_set_promisc() and pcap_set_timeout().
However, those defaults don't seem to be well documented, so continue
to explicitly set everything that was set before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15451

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit ffc2ae616d8fab7528fbdfd8c6b94c5b9a0e3a7c)

- - - - -
1af8a099 by Martin Schwenke at 2023-08-29T09:34:35+00:00
ctdb-common: Set immediate mode for pcap capture

Fix a problem where ctdb_killtcp (almost always) fails to capture
packets with --enable-pcap and libpcap ≥ 1.9.1.  The problem is due to
a gradual change in libpcap semantics when using
pcap_get_selectable_fd(3PCAP) to get a file descriptor and then using
that file descriptor in non-blocking mode.

pcap_set_immediate_mode(3PCAP) says:

  pcap_set_immediate_mode() sets whether immediate mode should be set
  on a capture handle when the handle is activated.  In immediate
  mode, packets are always delivered as soon as they arrive, with no
  buffering.

and

  On Linux, with previous releases of libpcap, capture devices are
  always in immediate mode; however, in 1.5.0 and later, they are, by
  default, not in immediate mode, so if pcap_set_immediate_mode() is
  available, it should be used.

However, it wasn't until libpcap commit
2ade7676101366983bd4f86bc039ffd25da8c126 (before libpcap 1.9.1) that
it became a requirement to use pcap_set_immediate_mode(), even with a
timeout of 0.

More explanation in this libpcap issue comment:

  https://github.com/the-tcpdump-group/libpcap/issues/860#issuecomment-541204548

Do a configure check for pcap_set_immediate_mode() even though it has
existed for 10 years.  It is easy enough.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15451

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Tue Aug 15 10:53:52 UTC 2023 on atb-devel-224

(cherry picked from commit dc7b48c404337891b5105df4d6751cf549a533eb)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Tue Aug 29 09:34:35 UTC 2023 on atb-devel-224

- - - - -
93d37f8b by Joseph Sutton at 2023-08-30T02:15:28+00:00
pyldb: Check whether Python object is a list

If we’re going to call PyList_Size() on an object, we should be sure
that it is a list first.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e5794b8c by Joseph Sutton at 2023-08-30T02:15:28+00:00
pyldb: Check return values of talloc functions

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5e9187ba by Joseph Sutton at 2023-08-30T02:15:28+00:00
pyldb: Check return values of Python functions

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6668d213 by Joseph Sutton at 2023-08-30T02:15:28+00:00
pyldb: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
94f46f0c by Joseph Sutton at 2023-08-30T02:15:28+00:00
buildtools: Fix comments and documentation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6df81630 by Joseph Sutton at 2023-08-30T02:15:28+00:00
buildtools: Use ‘is’ to compare with singletons

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8d61d3f8 by Joseph Sutton at 2023-08-30T02:15:28+00:00
buildtools: Prefer ‘x not in y’ to ‘not x in y’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
84dc7129 by Joseph Sutton at 2023-08-30T02:15:28+00:00
buildtools: Properly set global variable

Since we didn’t declare ‘old_refill_task_list’ as global, we were just
assigning a value to a local variable that was destroyed after we
returned from this function. We clearly intended instead to assign to a
global variable of the same name.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e4ab1de4 by Joseph Sutton at 2023-08-30T02:15:29+00:00
lib:ldb:tests: Remove explicit comparison with False

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b440732e by Joseph Sutton at 2023-08-30T02:15:29+00:00
ldb: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5de640fc by Joseph Sutton at 2023-08-30T02:15:29+00:00
ldb: Heed return code from Python testsuite

When we added a second run of the Python testsuite, the return code from
the first run began to go ignored.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6c6db88d by Joseph Sutton at 2023-08-30T02:15:29+00:00
python: Fix spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fce882ab by Joseph Sutton at 2023-08-30T02:15:29+00:00
python: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
12f1c782 by Joseph Sutton at 2023-08-30T02:15:29+00:00
python: Remove redundant backslashes

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b068592d by Joseph Sutton at 2023-08-30T02:15:29+00:00
python: Fix invalid escape sequences

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b076cad4 by Joseph Sutton at 2023-08-30T02:15:29+00:00
python:join: Fix references to undefined variables

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5c5045ee by Joseph Sutton at 2023-08-30T02:15:29+00:00
samba-tool: Remove useless return

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
83230577 by Joseph Sutton at 2023-08-30T02:15:29+00:00
python: Fix reference to undefined name ‘samba’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c4e0d4fb by Joseph Sutton at 2023-08-30T02:15:29+00:00
python:tests: Fix usage line

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bbd0e35f by Joseph Sutton at 2023-08-30T02:15:29+00:00
python:tests: Complete assertion messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d3bc6faa by Joseph Sutton at 2023-08-30T02:15:29+00:00
python:tests: Rename test method so as not to mask previously-defined method

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8e5c998b by Joseph Sutton at 2023-08-30T02:15:29+00:00
pytest/dns_aging: Check value of ‘dtime’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
472d80c1 by Joseph Sutton at 2023-08-30T02:15:29+00:00
pytest/dns_aging: Correctly check that record is tombstoned

We were passing in as the name parameter to assert_tombstoned() an NDR
Python object, rather than a string. This meant that the LDAP search
filter would look something like this:

(&(objectClass=dnsNode)(name=<dnsp.DnssrvRpcRecord talloc based object at 0x29abee0>))

and we would fail to find any records.

These searches should have a better chance of working if we pass in the
name of the record instead.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
de04333b by Joseph Sutton at 2023-08-30T02:15:29+00:00
pytest/dns_aging: Assert that the name of the node to search for is a string

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
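
The failure mode described in the two dns_aging commits above, as an added Python illustration that is not Samba's test code. `RecordStandIn`, `naive_filter`, `escape_filter_value` and `checked_filter` are hypothetical names; the stand-in object only reproduces the repr quoted in the commit message.

```python
# Added illustration: how an object silently ends up inside an LDAP search
# filter, and a filter builder that refuses non-strings and escapes values.

FILTER_TEMPLATE = "(&(objectClass=dnsNode)(name=%s))"


class RecordStandIn:
    """Constructed stand-in for an NDR record object (hypothetical).

    Only its string form matters here; it mimics the repr shown in the
    commit message.
    """

    def __init__(self, name):
        self.name = name

    def __repr__(self):
        return "<dnsp.DnssrvRpcRecord talloc based object at 0x29abee0>"


def naive_filter(name):
    """Interpolate whatever is passed in.

    '%s' calls str() on the argument, so an object is accepted without
    error and the search simply matches nothing.
    """
    return FILTER_TEMPLATE % name


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in a filter assertion value."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def checked_filter(name):
    """Build the filter only from a string, with the value escaped."""
    if not isinstance(name, str):
        raise TypeError(
            "record name must be str, got %s" % type(name).__name__)
    return FILTER_TEMPLATE % escape_filter_value(name)


if __name__ == "__main__":
    rec = RecordStandIn("host1")
    print(naive_filter(rec))          # object repr leaks into the filter
    print(checked_filter(rec.name))   # the record's name, as intended
    try:
        checked_filter(rec)
    except TypeError as e:
        print("rejected:", e)
```
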

- - - - -
5755b4a4 by Joseph Sutton at 2023-08-30T02:15:29+00:00
gp: Add missing import

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
94afa3b1 by Joseph Sutton at 2023-08-30T02:15:29+00:00
gp: Don’t shadow imports

Rename a variable that shadows an import of ‘gp_ext’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
036a523e by Joseph Sutton at 2023-08-30T02:15:29+00:00
gp: Prefer ‘x not in y’ to ‘not x in y’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
953bc918 by Joseph Sutton at 2023-08-30T02:15:29+00:00
gp: Check correct variables

We were intending to check the keys, not the certificates.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
928f2bbc by Joseph Sutton at 2023-08-30T02:15:29+00:00
gp: Use assertEqual() instead of assertEquals()

assertEquals() is deprecated and could be removed in a future version of
Python.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
34042677 by Joseph Sutton at 2023-08-30T02:15:29+00:00
gp: Fix resource leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2b566979 by Joseph Sutton at 2023-08-30T02:15:29+00:00
gp: Use read_file() instead of readfp()

readfp() is deprecated and could be removed in a future version of
Python.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e390e674 by Joseph Sutton at 2023-08-30T02:15:29+00:00
tests/krb5: Remove test of pre-1.20 MIT Kerberos behaviour

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1def8f04 by Joseph Sutton at 2023-08-30T02:15:29+00:00
tests/krb5: Move KDC TGT tests to new file

We can now rely on having MIT Kerberos 1.20 available.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
04cdb13c by Joseph Sutton at 2023-08-30T02:15:29+00:00
tests/krb5: Remove local variable

This seems a bit clearer to me.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3f01cf91 by Joseph Sutton at 2023-08-30T02:15:29+00:00
tests/krb5: Correctly assert that we found a LOGON_INFO PAC buffer

Because ‘found_logon_info’ was invariably true, we would miss the case
in which set_pac_sids() failed to accomplish anything, having been
unable to find the LOGON_INFO PAC buffer.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7b4b03e5 by Joseph Sutton at 2023-08-30T02:15:29+00:00
tests/krb5: Re-raise any LdbError other than ERR_ENTRY_ALREADY_EXISTS

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b4a2e641 by Joseph Sutton at 2023-08-30T02:15:29+00:00
tests/krb5: Add KerberosCredentials.get_rid()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
357b520b by Joseph Sutton at 2023-08-30T02:15:29+00:00
tests/krb5: Have modified_ticket() not modify its arguments

Inexplicable behaviour could result when the same arguments were passed
in across multiple calls.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6e20afeb by Joseph Sutton at 2023-08-30T02:15:29+00:00
s4:dsdb:tests: Fix spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fec8d228 by Joseph Sutton at 2023-08-30T02:15:29+00:00
s4:dsdb:tests: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3c7ef6d0 by Joseph Sutton at 2023-08-30T02:15:29+00:00
s4:dsdb:tests: Fix usage lines

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6db02afa by Joseph Sutton at 2023-08-30T02:15:29+00:00
selftest: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0fe4a12b by Joseph Sutton at 2023-08-30T02:15:29+00:00
selftest: Remove star imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0898329b by Joseph Sutton at 2023-08-30T02:15:29+00:00
selftest: Don’t use invalid escape sequences

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dfe25969 by Joseph Sutton at 2023-08-30T02:15:29+00:00
third_party/heimdal_build: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a6c442ac by Joseph Sutton at 2023-08-30T02:15:29+00:00
third_party/heimdal_build: Remove semicolons

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
752a1c40 by Joseph Sutton at 2023-08-30T02:15:29+00:00
third_party/heimdal_build: Use ‘is’ to compare with singletons

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b5cc15fd by Joseph Sutton at 2023-08-30T02:15:29+00:00
wscript: Remove unused variable

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c6d0323b by Joseph Sutton at 2023-08-30T02:15:29+00:00
wscript: Use ‘is’ to compare with singletons

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8f430492 by Joseph Sutton at 2023-08-30T02:15:29+00:00
wscript: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
54ebd103 by Joseph Sutton at 2023-08-30T02:15:29+00:00
wscript: Remove semicolons

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
70dea37d by Joseph Sutton at 2023-08-30T03:15:05+00:00
wscript: Refer to correct ConfigSet variable

LIB_GSSAPI appears to be an error of copy-and-pasting.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Aug 30 03:15:05 UTC 2023 on atb-devel-224

- - - - -
3afa27a0 by Ralph Boehme at 2023-08-30T10:51:40+00:00
mdssvc: better support for search with mdfind from Macs

When searching Samba via Spotlight from a Mac with mdfind, only 50 results are
returned.

It seems the changes for bug #15342 were one step in the right
direction. There, a status indicator meaning "search is still being processed"
was implemented, returning a special status indicator (0x23) in a response, when
the query was still running in the backend, e.g. Elasticsearch, and we haven't got
any result when the Mac already comes along asking for results of a query.

Turns out, we should also return 0x23, i.e. "search is still being processed" when
we have some initial search results from the backend. Otherwise mdfind will stop
querying for more results. It works in Finder, as the Finder by default employs
a "live" search where it just keeps polling for more results even after the
server returned an empty result set. The Finder just keeps on querying in some
interval, typically 4 seconds, and a Mac server Spotlight server might return
new results if new files were created that match the query, hence "live"
search.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15463

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Aug 30 10:51:40 UTC 2023 on atb-devel-224

- - - - -
b13d4370 by Pavel Filipenský at 2023-08-30T12:42:29+00:00
s3:winbindd: Avoid doing the same assignment twice

Done already in setup_child(): child->domain = domain

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
8abac097 by Pavel Filipenský at 2023-08-30T12:42:29+00:00
s3:winbindd: Use a correct value for the length of domain children

We often loop over the array of domain children. However, the size of
the array is calculated as lp_winbind_max_domain_connections() which can
change (it is based on smb.conf). The fix is the talloc_array_length().

Reproducer:

winbind max domain connections = 100

smbcontrol all reload-config
smbcontrol all debug 10

/var/log/samba/log.winbindd shows many lines with random garbage pid:

[2023/08/25 10:03:49.898994, 10, pid=158296, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:885(winbind_msg_relay_fn)
  winbind_msg_relay_fn: sending message to pid 1037686087.
[2023/08/25 10:03:49.899010,  3, pid=158296, effective(0, 0), real(0, 0)] ../../source3/lib/util_procid.c:53(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

In this scenario we dereference only a garbage PID, but if we would
dereference some garbage pointer we would segfault.

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
3fbc514a by Pavel Filipenský at 2023-08-30T13:37:37+00:00
docs:smbdotconf: Inform that changing 'winbind max domain connections' needs a restart

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Wed Aug 30 13:37:37 UTC 2023 on atb-devel-224

- - - - -
8a34b378 by MikeLiu at 2023-09-04T10:17:37+00:00
vfs_aio_pthread: use SMB_VFS_NEXT_OPENAT() in aio_pthread_openat_fn()

1. Set 'aio_allow_open' to false if fsp->fsp_flags.is_pathref
2. Move !(how->flags & O_CREAT) and !(how->flags & O_EXCL) up and set 'aio_allow_open' to false
3. Use SMB_VFS_NEXT_OPENAT() instead of openat() for disable async opens case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15453

Signed-off-by: MikeLiu <mikeliu at qnap.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Aug 22 17:44:00 UTC 2023 on atb-devel-224

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Sep  4 10:17:37 UTC 2023 on atb-devel-224

- - - - -
a21e0936 by Jule Anger at 2023-09-04T14:34:46+02:00
WHATSNEW: Add release notes for Samba 4.19.0.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
b7921852 by Jule Anger at 2023-09-04T14:35:46+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.19.0 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
a8c5fe34 by Jule Anger at 2023-09-04T14:36:48+02:00
VERSION: Bump version up to Samba 4.19.1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
f4f3ea67 by Michael Tokarev at 2023-09-04T22:39:27+03:00
d/gbp.conf, d/README.source.md, d/watch: prepare for 4.19

- - - - -
f9931b55 by Michael Tokarev at 2023-09-04T22:40:31+03:00
New upstream version 4.19.0+dfsg
- - - - -
b61c5785 by Michael Tokarev at 2023-09-04T22:41:09+03:00
Update upstream source from tag 'upstream/4.19.0+dfsg'

Update to upstream version '4.19.0+dfsg'
with Debian dir 68feca235038b9ca86e9dc5ffcfa3341b3dbe53b
- - - - -
51a401e2 by Michael Tokarev at 2023-09-04T22:42:04+03:00
d/changelog: start 4.19

- - - - -
27b5a891 by Michael Tokarev at 2023-09-04T22:42:18+03:00
d/patches: remove patches applied upstream

 heimdal-to-support-KEYRING-ccache.patch
 spelling.patch

- - - - -
a4422caf by Michael Tokarev at 2023-09-04T22:42:27+03:00
refresh patches

meaningful-error-if-no-python3-markdown.patch
meaningful-error-if-no-samba-ad-provision.patch

- - - - -
f0f35506 by Michael Tokarev at 2023-09-04T22:42:38+03:00
d/control: update talloc/tevent/tdb build-deps

- - - - -
d9b2de05 by Michael Tokarev at 2023-09-04T22:42:46+03:00
d/smbclient.install: remove smbgetrc.5

- - - - -
36507736 by Michael Tokarev at 2023-09-04T22:42:52+03:00
d/patches: add ldb 2.7.1 & 2.7.2 ABI files

ldb-2.7.2 contains a few actual new symbols, it is not just a version
bump. Get ldb-2.7.2.sigs from ldb-2.7.2 tag.

- - - - -
d97627f9 by Michael Tokarev at 2023-09-04T22:43:03+03:00
d/libldb2.symbols: add new symbols (ldb_val_as_*) and new version (2.8.0)

- - - - -
a41f5b69 by Michael Tokarev at 2023-09-04T22:43:09+03:00
d/python3-ldb.symbols: remove unused versions, add new version

- - - - -
8f616bcf by Michael Tokarev at 2023-09-04T22:43:15+03:00
d/samba-common-bin.install: install samba-log-parser (for winbindd for now)

- - - - -
aa3a9626 by Michael Tokarev at 2023-09-04T22:43:21+03:00
d/samba-libs.install: 2 new libs

- - - - -
865181e3 by Michael Tokarev at 2023-09-04T22:43:27+03:00
d/samba-libs.install, d/samba-testsuite.install: move libshares-samba4.so.0 from samba-libs to samba-testsuite

- - - - -
af22355e by Michael Tokarev at 2023-09-04T22:43:34+03:00
d/samba-libs.install, d/samba-vfs-modules.install: move libdfs-server-ad-samba4.so.0 from samba-libs to samba-vfs-modules

- - - - -
12ca65a9 by Michael Tokarev at 2023-09-04T22:43:39+03:00
d/samba-libs.install, d/samba-common-bin.install: move libnet-keytab-samba4.so.0 from samba-libs to samba-common-bin (used by net only)

- - - - -
5a0523a0 by Michael Tokarev at 2023-09-04T22:43:47+03:00
d/samba-libs.install, d/samba-common-bin.install: move libRPC-WORKER-samba4.so.0 from samba-libs to samba-common-bin (used by usr/libexec/samba/rpcd_*)

- - - - -
b0bc6d2d by Michael Tokarev at 2023-09-04T22:43:56+03:00
d/source/lintian-overrides: remove unused source-is-missing override

- - - - -
9f334e6a by Michael Tokarev at 2023-09-04T22:44:04+03:00
d/samba-vfs-modules.lintian-overrides: remove unused spelling-error-in-binary override

- - - - -
1e6603c1 by Michael Tokarev at 2023-09-04T22:44:14+03:00
d/control: add Breaks/Replaces for moved libraries

- - - - -
1ffd116b by Michael Tokarev at 2023-09-04T22:44:39+03:00
d/samba-libs.symbols new libndr 3.0.1 symbols

- - - - -
4cdc2620 by Michael Tokarev at 2023-09-04T22:57:51+03:00
update changelog; upload version 4.19.0+dfsg-1 to unstable

- - - - -
0e244ff7 by Andreas Schneider at 2023-09-05T07:30:12+00:00
s3:torture: Remove masktest.c

The file is not built.

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Sep  5 07:30:12 UTC 2023 on atb-devel-224

- - - - -
eadd7e5f by Ralph Boehme at 2023-09-05T09:33:16+00:00
mdssvc: better support for search with mdfind from Macs

When searching Samba via Spotlight from a Mac with mdfind, only 50 results are
returned.

It seems the changes for bug #15342 were one step in the right
direction. There, a status indicator meaning "search is still being processed"
was implemented, returning a special status indicator (0x23) in a response, when
the query was still running in the backend, e.g. Elasticsearch, and we haven't got
any result when the Mac already comes along asking for results of a query.

Turns out, we should also return 0x23, i.e. "search is still being processed" when
we have some initial search results from the backend. Otherwise mdfind will stop
querying for more results. It works in Finder, as the Finder by default employs
a "live" search where it just keeps polling for more results even after the
server returned an empty result set. The Finder just keeps on querying in some
interval, typically 4 seconds, and a Mac server Spotlight server might return
new results if new files were created that match the query, hence "live"
search.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15463

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Aug 30 10:51:40 UTC 2023 on atb-devel-224

(cherry picked from commit 3afa27a01ca0b81b0044d5d543a999936582e67a)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Tue Sep  5 09:33:17 UTC 2023 on atb-devel-224

- - - - -
17117156 by Andrew Bartlett at 2023-09-05T14:20:48+00:00
.gitlab-ci: Do builds under /builds as this is never an overlayfs

On the GitLab shared runners / is overlayfs, with /builds being ext,
so we want this real filesystem, which should be faster in any case.

This may allow us to use GitLab shared runners for more jobs.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Sep  5 14:20:48 UTC 2023 on atb-devel-224

- - - - -
3f3fccab by Noel Power at 2023-09-05T21:18:32+00:00
pidl/lib: Add recursion detection logic to prevent looping.

Under some circumstances the 'can_contain_deferred' & 'align_type' functions can
loop.

This prevents a hang when processing sample idl like

interface hang
{
	typedef [public] struct {
		wsp_cbasestoragevariant variant[NUM_ENTRIES];
	} vt_variant_wrap;

	typedef [public,nodiscriminant,switch_type(uint16)] union {
		[case(VT_I1)] int8 vt_i1;
		[case(VT_VARIANT)] vt_variant_wrap vt_variant_wrap;
	} variant_types;

	typedef [public] struct {
		[switch_is(vtype)] variant_types vvalue;
	} wsp_cbasestoragevariant;
};

which will hang with the following command

   pidl --header --ndr-parser -- foo.idl

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d3f3c401 by Noel Power at 2023-09-05T21:18:32+00:00
pidl/tests: Add tests for hang with nested struct.

make sure hang test calls Parse::Pidl::Typelist::LoadIdl which triggers
part of the hang

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e4afb211 by Samuel Cabrero at 2023-09-05T21:18:32+00:00
s3:libnetapi: Return error from RequestOfflineJoin

The error code must be returned to caller even if the error string is not set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bdab834d by Samuel Cabrero at 2023-09-05T21:18:32+00:00
s3:libnetapi: Add some comments to document ODJ blob charset conversions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
740e704b by Samuel Cabrero at 2023-09-05T21:18:32+00:00
s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
532701e3 by Samuel Cabrero at 2023-09-05T21:18:32+00:00
s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7cabbec2 by Samuel Cabrero at 2023-09-05T21:18:32+00:00
s3:libnetapi: Add NetComposeOfflineDomainJoin() to API.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a8bd8f22 by Samuel Cabrero at 2023-09-05T21:18:32+00:00
s3:libnetapi: Implement NetComposeOfflineDomainJoin_l()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4a1f2071 by Samuel Cabrero at 2023-09-05T21:18:32+00:00
s3:net: Add "net offlinejoin composeodj" command

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b2399b69 by Samuel Cabrero at 2023-09-05T21:18:32+00:00
s3:net: Load ODJ blob from file only if "loadfile" parameter is present

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c14a4f51 by Samuel Cabrero at 2023-09-05T21:18:32+00:00
s3:net: Allow to load ODJ blob from stdin

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e92e4b95 by Samuel Cabrero at 2023-09-05T21:18:32+00:00
testprogs: Cleanup machine account in net offlinejoin tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f3c632e7 by Samuel Cabrero at 2023-09-05T22:11:46+00:00
testprogs: Add net offlinejoin composeodj tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep  5 22:11:46 UTC 2023 on atb-devel-224

- - - - -
16f46601 by Stefan Metzmacher at 2023-09-06T19:30:35+00:00
smb2_server: avoid ZERO_STRUCT*() in the core code

We should avoid calling memset_s() in the core smbd processing,
we can use struct initializers instead.

This reduces the overhead...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
948d19b0 by Stefan Metzmacher at 2023-09-06T19:30:35+00:00
smb2_server: move struct msghdr to smbd_smb2_request_read_state

This makes the code a little bit faster, but the main reason
is the preparation of io_uring support, as it can't be on the
stack for async operations.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
02e0ba71 by Stefan Metzmacher at 2023-09-06T19:30:35+00:00
smb2_server: remove state->hdr.done and always set state->vector first

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
76f9a41f by Stefan Metzmacher at 2023-09-06T19:30:35+00:00
smb2_server: split smbd_smb2_advance_incoming() out of smbd_smb2_io_handler()

The logic in smbd_smb2_advance_incoming() will be reused for io_uring.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a9c53b9e by Stefan Metzmacher at 2023-09-06T19:30:35+00:00
lib/util: inline iov_{buflen,buf,advance}()

The main reason for this change was the use of
iov_advance() in the next commits in
source3/smbd/smb2_server.c

And the function calls to iov_advance() showed up
in profiling with callgrind.

While there iov_buf() and iov_buflen() are moved as
well, as they are also used there.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
72d86d49 by Stefan Metzmacher at 2023-09-06T19:30:35+00:00
smb2_server: change smbd_smb2_advance_incoming() to use iov_advance()

In future we may use vectors with more elements, so we convert to
a single element array now...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
153323ef by Stefan Metzmacher at 2023-09-06T19:30:35+00:00
smb2_server: simplify smbd_smb2_advance_incoming() recvfile logic

This will make further changes easier...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
0ca825c4 by Stefan Metzmacher at 2023-09-06T19:30:35+00:00
smb2_server: split out smbd_smb2_advance_send_queue() out of smbd_smb2_flush_send_queue()

The logic in smbd_smb2_advance_send_queue() will be reused for io_uring.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
02df6bda by Stefan Metzmacher at 2023-09-06T19:30:35+00:00
smb2_server: split out smbd_smb2_flush_with_sendmsg() out of smbd_smb2_flush_send_queue()

We'll have an smbd_smb2_flush_with_io_uring() later...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
3fc35827 by Stefan Metzmacher at 2023-09-06T20:31:04+00:00
smb2_server: move struct msghdr to smbd_smb2_send_queue

The main reason is the preparation of io_uring support,
as it can't be on the stack for async operations.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep  6 20:31:04 UTC 2023 on atb-devel-224

- - - - -
a420aa91 by Andreas Schneider at 2023-09-07T04:53:41+00:00
s4:samdb: Avoid memory leaks in partition_metadata_get_uint64()

==395==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 96 byte(s) in 1 object(s) allocated from:
    #0 0x7f4c5dedc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: b10bafa0ba3304197db35cc24e0024cb0492168a)
    #1 0x7f4c5d252b3e in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f4c5d2543cc in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f4c5d2543cc in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7f4c5d2543cc in talloc_named_const ../../lib/talloc/talloc.c:1751
    #5 0x7f4c504acc53 in partition_metadata_get_uint64 ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:50
    #6 0x7f4c504add29 in partition_metadata_sequence_number_increment ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:398
    #7 0x7f4c504a66aa in partition_sequence_number ../../source4/dsdb/samdb/ldb_modules/partition.c:1401
    #8 0x7f4c504a66aa in partition_extended ../../source4/dsdb/samdb/ldb_modules/partition.c:1680
    #9 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #10 0x7f4c503980c8 in replmd_extended ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:8455
    #11 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #12 0x7f4c502fae5c in samldb_extended ../../source4/dsdb/samdb/ldb_modules/samldb.c:5718
    #13 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #14 0x7f4c52f0b94c in acl_extended ../../source4/dsdb/samdb/ldb_modules/acl.c:2854
    #15 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #16 0x7f4c52eb019c in descriptor_extended ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1450
    #17 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #18 0x7f4c52ed8687 in log_extended ../../source4/dsdb/samdb/ldb_modules/audit_log.c:1824
    #19 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #20 0x7f4c505aa337 in unlazy_op ../../source4/dsdb/samdb/ldb_modules/lazy_commit.c:40
    #21 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #22 0x7f4c502d0f82 in schema_load_extended ../../source4/dsdb/samdb/ldb_modules/schema_load.c:593
    #23 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #24 0x7f4c5035a010 in rootdse_extended ../../source4/dsdb/samdb/ldb_modules/rootdse.c:1780
    #25 0x7f4c5c4914ef in ldb_request ../../lib/ldb/common/ldb.c:1244
    #26 0x7f4c5c492a2d in ldb_extended ../../lib/ldb/common/ldb.c:1714
    #27 0x7f4c5c492bdf in ldb_sequence_number ../../lib/ldb/common/ldb.c:1943
    #28 0x7f4c503a9abd in replmd_add ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1316
    #29 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543
    #30 0x7f4c50458783 in rdn_name_add ../../lib/ldb/modules/rdn_name.c:206
    #31 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543
    #32 0x7f4c504f4852 in attr_handler ../../source4/dsdb/samdb/ldb_modules/objectclass_attrs.c:334

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>

- - - - -
1de2af9f by Douglas Bagnall at 2023-09-07T04:53:41+00:00
pytests:security: don't use invalid domain SID S-2-0-0

The '2' is a version number, but there is not yet a version 2, so we
can't even say what the rest of the string should look like.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6d012757 by Joseph Sutton at 2023-09-07T04:53:41+00:00
libcli/security: make sddl_decode_sid an external function

We are going to need it for parsing SDDL for conditional ACEs and
resource ACEs, which will go in a separate file because it's huge.

This means changing the interface for `sddl_decode_sid` to that from
before 7d466a913f2c0038b30424403a7355db849fee7a which introduced
sddl_transition_state to ease the shift to disambiguated machine/
domain/forest SIDs. Internal callers use `sddl_transition_decode_sid()`
which is the old function; external callers use the same shim pattern as
the other externally available functions.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2bf404eb by Douglas Bagnall at 2023-09-07T04:53:41+00:00
libcli/security: make sddl_encode_sid an external function

Mirroring the last commit for sddl_decode_sid, we want to be able to
encode SIDs from sibling source files.

The dom_sid functions are insufficient for this because they don't know
the SDDL short aliases, like "WD".

sddl_transition_encode_sid() is used internally.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
676a7152 by Douglas Bagnall at 2023-09-07T04:53:41+00:00
librpc/idl: add conditional ACE structures and constants

This will be used to decode the expressions on conditional ACEs.
At the moment it changes nothing.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a84e89aa by Douglas Bagnall at 2023-09-07T04:53:41+00:00
libcli/security: create_descriptor handles unknown ACE types

Because we're going to add more ACE types.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
416f6ef7 by Douglas Bagnall at 2023-09-07T04:53:41+00:00
librpc:security.idl: add more ACE enum types, with annotations

The callback types are used for conditional ACEs. The others are just
there and we might as well know them.

Several ACE types are "reserved for future use" by Microsoft.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
601d60e3 by Douglas Bagnall at 2023-09-07T04:53:41+00:00
libcli:sec:display: print callback ace types

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
89589347 by Douglas Bagnall at 2023-09-07T04:53:41+00:00
libcli:sec:display: use macro for more ace types

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0d6c7bea by Douglas Bagnall at 2023-09-07T04:53:41+00:00
librpc:security.idl: add enums for resource attribute aces

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7f57b5ed by Douglas Bagnall at 2023-09-07T04:53:41+00:00
librpc:security.idl: add Resource Attribute claim types

This will be used in Resource Attribute ACEs, and in security tokens
when security tokens become claim-aware.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f893cf85 by Douglas Bagnall at 2023-09-07T05:50:24+00:00
security.idl: extend security token for claims

A security token contains the context needed to make access decisions
for a particular client, which has until now been a number of SIDs and
flags. Claims are arbitrary attributes that can be tacked onto the
security token. Typically they will arrive via a Kerberos PAC, but we
don't need to worry about that now -- only that they are stored on the
token.

The security token in [MS-DTYP] 2.5.2 is described in abstract terms
(it is not transmitted on the wire) as behaving *as if* it held claims
in three arrays of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures. We
take that suggestion literally. This is *almost* the same as storing
the [MS-ADTS] 2.2.18 claims wire structures that the claims are
presumably derived from, and doing that might seem like a small
optimisation. But we don't do that because of subtle differences and
we already need CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 in security.idl
for resource attribute ACEs.

The three stored claim types are user claims, device claims, and local
claims. Local claims relate to local Windows accounts and are unlikely
to occur in Samba. Nevertheless we have the array there just in case.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep  7 05:50:24 UTC 2023 on atb-devel-224

- - - - -
03ce770e by Volker Lendecke at 2023-09-08T16:27:39+00:00
tests: Create symlinks using posix extensions

This way we can run the tests and more easily put them into knownfail
individually. Before this, everything went into the error category,
which was not so easy to catch in something like knownfail.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
c9a000be by Volker Lendecke at 2023-09-08T16:27:39+00:00
tests: Add test_symlink_reparse_data_buffer_parse

The blob was taken from a smbclient allinfo command for a Windows
symlink. Show that reparse_data_buffer_parse() is broken.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
ebb6eb9c by Volker Lendecke at 2023-09-08T17:24:19+00:00
libsmb: Fix parsing symlink reparse points

Untested code is broken code. For symlinks we need to hand over the
full reparse buffer into symlink_reparse_buffer_parse(), as this is
also used for the smb2 error response handling. For that, the
"reserved" field in [MS-FSCC] 2.1.2.4 Symbolic Link Reparse Data
Buffer is used for the "unparsed" field.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Sep  8 17:24:19 UTC 2023 on atb-devel-224
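
A bounds-checked parser for the [MS-FSCC] 2.1.2.4 Symbolic Link Reparse Data Buffer named in the commit above, as an added example that is not Samba's code. The names symlink_buf_parse(), struct symlink_info and build_sample() are hypothetical, and the sample buffer is constructed. The parser takes the full buffer starting at ReparseTag and returns the "reserved" field as `unparsed`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_REPARSE_TAG_SYMLINK 0xA000000CU
#define HDR_LEN   8u   /* ReparseTag(4) ReparseDataLength(2) Reserved(2) */
#define FIXED_LEN 12u  /* four 16-bit name offset/length fields + Flags(4) */

/* Hypothetical result type; name pointers point into the caller's buffer. */
struct symlink_info {
	uint16_t unparsed;         /* "Reserved" field, reused as the unparsed length */
	uint32_t flags;            /* 1 = relative target */
	const uint8_t *substitute; /* UTF-16LE, not NUL-terminated */
	uint16_t substitute_len;   /* in bytes */
	const uint8_t *print;      /* UTF-16LE, not NUL-terminated */
	uint16_t print_len;        /* in bytes */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the FULL buffer, starting at ReparseTag. Returns 0 on success,
 * or a negative code identifying the check that failed. */
int symlink_buf_parse(const uint8_t *buf, size_t len, struct symlink_info *out)
{
	if (buf == NULL || out == NULL || len < HDR_LEN + FIXED_LEN)
		return -1; /* shorter than the fixed-size part */
	if (rd32(buf) != IO_REPARSE_TAG_SYMLINK)
		return -2; /* wrong tag, or the caller skipped the 8-byte header */

	size_t data_len = rd16(buf + 4);
	if (data_len < FIXED_LEN || data_len > len - HDR_LEN)
		return -3; /* ReparseDataLength disagrees with the bytes we hold */

	const uint8_t *d = buf + HDR_LEN;
	const uint8_t *path = d + FIXED_LEN;
	size_t path_len = data_len - FIXED_LEN;
	/* Widen to size_t before adding so offset + length cannot wrap at 16 bits. */
	size_t sub_off = rd16(d), sub_len = rd16(d + 2);
	size_t prt_off = rd16(d + 4), prt_len = rd16(d + 6);

	if (sub_off + sub_len > path_len || prt_off + prt_len > path_len)
		return -4; /* a name would extend past PathBuffer */
	if ((sub_len | prt_len) & 1)
		return -5; /* UTF-16 byte lengths must be even */

	out->unparsed = rd16(buf + 6);
	out->flags = rd32(d + 8);
	out->substitute = path + sub_off;
	out->substitute_len = (uint16_t)sub_len;
	out->print = path + prt_off;
	out->print_len = (uint16_t)prt_len;
	return 0;
}

/* Constructed sample input: build a symlink reparse buffer from two ASCII
 * names, widened to UTF-16LE. Returns the total length, or 0 if it won't fit. */
size_t build_sample(uint8_t *buf, size_t cap, const char *sub, const char *prt)
{
	size_t sl = strlen(sub) * 2, pl = strlen(prt) * 2;
	size_t total = HDR_LEN + FIXED_LEN + sl + pl;

	if (total > cap || FIXED_LEN + sl + pl > 0xFFFF)
		return 0;
	memset(buf, 0, total);              /* Reserved and Flags stay 0 */
	wr32(buf, IO_REPARSE_TAG_SYMLINK);
	wr16(buf + 4, (uint16_t)(FIXED_LEN + sl + pl));
	wr16(buf + 10, (uint16_t)sl);       /* SubstituteNameLength, offset 0 */
	wr16(buf + 12, (uint16_t)sl);       /* PrintNameOffset */
	wr16(buf + 14, (uint16_t)pl);       /* PrintNameLength */
	for (size_t i = 0; i < sl / 2; i++)
		buf[20 + 2 * i] = (uint8_t)sub[i];
	for (size_t i = 0; i < pl / 2; i++)
		buf[20 + sl + 2 * i] = (uint8_t)prt[i];
	return total;
}

int main(void)
{
	uint8_t buf[64];
	struct symlink_info si;
	size_t len = build_sample(buf, sizeof(buf), "\\??\\C:\\x", "C:\\x");

	printf("full buffer:    %d\n", symlink_buf_parse(buf, len, &si));
	/* Handing over only the data portion fails the tag check. */
	printf("header skipped: %d\n", symlink_buf_parse(buf + HDR_LEN, len - HDR_LEN, &si));
	printf("truncated:      %d\n", symlink_buf_parse(buf, len - 1, &si));
	return 0;
}
```
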

- - - - -
88e06dfc by Michael Tokarev at 2023-09-09T14:34:24+03:00
drop attempts to keep ldb ABI versioning

- - - - -
f51efc40 by Joseph Sutton at 2023-09-11T02:42:40+00:00
Makefile: Fix spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e69ba9a0 by Joseph Sutton at 2023-09-11T02:42:41+00:00
auth: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c6249147 by Joseph Sutton at 2023-09-11T02:42:41+00:00
ctdb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f6ff6f7c by Joseph Sutton at 2023-09-11T02:42:41+00:00
docs-xml: Fix spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1c35195f by Joseph Sutton at 2023-09-11T02:42:41+00:00
lib:compression: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
74580daa by Joseph Sutton at 2023-09-11T02:42:41+00:00
lib:crypto: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7d9edb82 by Joseph Sutton at 2023-09-11T02:42:41+00:00
lib:krb5_wrap: Fix spelling in documentation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5fbbf9b9 by Joseph Sutton at 2023-09-11T02:42:41+00:00
ldb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9d699895 by Joseph Sutton at 2023-09-11T02:42:41+00:00
lib:printer_driver: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
53caec3c by Joseph Sutton at 2023-09-11T02:42:41+00:00
tdb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6a303be5 by Joseph Sutton at 2023-09-11T02:42:41+00:00
tevent: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dd2b5687 by Joseph Sutton at 2023-09-11T02:42:41+00:00
lib:charset: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
87749b55 by Joseph Sutton at 2023-09-11T02:42:41+00:00
libcli: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5292c774 by Joseph Sutton at 2023-09-11T02:42:41+00:00
libgpo: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
df24eced by Joseph Sutton at 2023-09-11T02:42:41+00:00
librpc: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c8750428 by Joseph Sutton at 2023-09-11T02:42:41+00:00
pidl: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bb79de4c by Joseph Sutton at 2023-09-11T02:42:41+00:00
python:tests: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
26fd734d by Joseph Sutton at 2023-09-11T02:42:41+00:00
selftest: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9e2a93d5 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:auth: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2a4d35ed by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:lib: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
06816117 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:libads: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d7331a68 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:libnet: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bbd9fabf by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:librpc: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
47dcdb31 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:nmbd: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c4a02d8e by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:registry: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
32a1e742 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:rpc_client: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
72e79e13 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:rpc_server: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b60f86a0 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:smbd: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c6c1b55a by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:utils: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4e74350f by Joseph Sutton at 2023-09-11T02:42:41+00:00
s3:winbindd: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
354eff14 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:auth: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
20ab21e6 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:client: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8a93a4fa by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:dns_server: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
65c26c0b by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:dsdb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0834b309 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:kdc: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0cef5daf by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:libcli: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1bb5cfef by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:libnet: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b1e23155 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:ntvfs: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
36ccc9cf by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:rpc_server: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
882a4674 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:samba: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
39a88a83 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:torture: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ebdaaf92 by Joseph Sutton at 2023-09-11T02:42:41+00:00
s4:wrepl_server: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a842c14d by Andrew Bartlett at 2023-09-11T02:42:41+00:00
.gitlab-ci.yml: Move coverity build to internal Heimdal

The opensuse155 image has MIT 1.20, not the required MIT 1.21, so build
with internal Heimdal instead.

The opensuse155 image was chosen deliberately in commit
f2eb411646bbc3cbedd4aecaba98bd363a6cd3df so this changes
the KDC choice rather than the image.  Eventually we will
need to do both.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

- - - - -
da841a80 by Douglas Bagnall at 2023-09-11T02:42:41+00:00
s3:rpc: bump named_pipe_auth_req_info version number

This is because commit f893cf85cc387b66c496661e11073b1215270022
changed the security token in security.idl, and bumping the version
was missed.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5cad8278 by Samuel Cabrero at 2023-09-11T02:42:41+00:00
netapi: Pass loadparm_context to libnetapi_net_init()

The net tool's cmdline lp_ctx can be reused, no need to init a new one except
for external library users.

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8cdb4f29 by Samuel Cabrero at 2023-09-11T02:42:41+00:00
netapi: Pass net's cmdline credentials to libnetapi_net_init()

Avoid unnecessary credentials allocation and initialization by passing the
net's cmdline creds to libnetapi_net_init() directly.

Fixes the problem of running cli_credentials_guess() (which runs password
callbacks) twice, one for the net's cmdline creds and a second time for the
creds initialized in libnetapi_net_init(), just to override them immediately
after.

Example:

$ export PASSWD_FD=0
$ ./bin/net offlinejoin composeodj <...>
foo
bar

Password is read from STDIN twice.

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
65b21109 by Samuel Cabrero at 2023-09-11T03:36:28+00:00
auth:credentials: Check if password_obtained > obtained

Fixes reading the password from STDIN or environment vars if it was already
given in the command line:

$ export PASSWD_FD=0
$ ./bin/net offlinejoin composeodj <...> --password=FOO
<Waiting to read password from STDIN>

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Sep 11 03:36:28 UTC 2023 on atb-devel-224

- - - - -
0f1443d9 by Ralph Boehme at 2023-09-12T17:08:17+00:00
smbd: make vfs_stat_fsp() a no-op on fake file-handles

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Sep 12 17:08:17 UTC 2023 on atb-devel-224

- - - - -
416ff2c6 by Stefan Metzmacher at 2023-09-14T17:56:30+00:00
.gitlab-ci: restore starting ubuntu2204-samba-o3 for the default pipeline

This got lost in commit bcc22d00569551cfa25851c8c267ec9decc63d21
for ubuntu1804-samba-o3 at the time...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b1e83b6c by Stefan Metzmacher at 2023-09-14T17:56:30+00:00
.gitlab-ci: make it explicit that some tests require ext4/5.15 kernel

This is better than requiring private runners,
as we'll be able to use shared runners for ext4 soon.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
19fb9a97 by Andrew Bartlett at 2023-09-14T17:56:30+00:00
.gitlab-ci: Allow ext4 jobs to run on shared runners

At the time of this commit, GitLab shared runners
tagged "gce" were 2x AMD EPYC 7B12 with 8GB ram.

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
62af25d4 by Stefan Metzmacher at 2023-09-14T17:56:30+00:00
nsswitch: add test for pthread_key_delete misuse (bug 15464)

This is based on https://bugzilla.samba.org/attachment.cgi?id=18081
written by Krzysztof Piotr Oledzki <ole at ans.pl>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
4faf8064 by Stefan Metzmacher at 2023-09-14T17:56:30+00:00
nsswitch/wb_common.c: fix build without HAVE_PTHREAD

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
836823e5 by Stefan Metzmacher at 2023-09-14T17:56:30+00:00
nsswitch/wb_common.c: winbind_destructor can always use get_wb_global_ctx()

The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all
required magic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
91b30a72 by Stefan Metzmacher at 2023-09-14T17:56:30+00:00
nsswitch/wb_common.c: don't operate on a stale wb_global_ctx.key

If nss_winbind is loaded into a process that uses fork multiple times
without any further calls into nss_winbind, wb_atfork_child handler
was using a wb_global_ctx.key that was no longer registered in the
pthread library, so we operated on a slot that was potentially
reused by other libraries or the main application. Which is likely
to cause memory corruption.

So we'd better not call pthread_key_delete() in wb_atfork_child().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Reported-by: Krzysztof Piotr Oledzki <ole at ans.pl>
Tested-by: Krzysztof Piotr Oledzki <ole at ans.pl>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
4af3faac by Stefan Metzmacher at 2023-09-14T18:53:07+00:00
nsswitch/wb_common.c: fix socket fd and memory leaks of global state

When we are called in wb_atfork_child() or winbind_destructor(),
wb_thread_ctx_destructor() is not called for the global state
of the current nor any other thread, which means we would
leak the related memory and socket fds.

Now we maintain a global list protected by a global mutex.
We traverse the list and close all socket fds, which are no
longer used (winbind_destructor) or no longer valid in the
current process (wb_atfork_child), in addition we 'autofree'
the ones, which are only visible internally as global (per thread)
context.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Tested-by: Krzysztof Piotr Oledzki <ole at ans.pl>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224

- - - - -
74e1bb05 by Joseph Sutton at 2023-09-14T21:35:28+00:00
lib:mscat: Remove unnecessary casts

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0bcf44c8 by Joseph Sutton at 2023-09-14T21:35:28+00:00
lib:tdr: Remove unnecessary cast

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c8603809 by Joseph Sutton at 2023-09-14T21:35:28+00:00
libgpo: Remove unnecessary cast

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9f78cc3b by Joseph Sutton at 2023-09-14T21:35:28+00:00
librpc:ndr: Avoid overflow in size calculation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9f566703 by Joseph Sutton at 2023-09-14T21:35:29+00:00
python:tests: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9846da6f by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:scripting: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b208c8e8 by Joseph Sutton at 2023-09-14T21:35:29+00:00
libcli:security: Prefer explicit initialization to ZERO_STRUCTP()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c92fac94 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Prefer explicit initialization to ZERO_STRUCT()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
97906d27 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Remove duplicate function signature

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ffbd95e6 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Use smb_krb5_data_from_blob()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
716bf29d by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Remove unused flags

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
39340f65 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Check result of dom_sid_parse()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3ef5e655 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Handle invalid enum values

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1f20e557 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Check result of talloc_realloc()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7ac99b19 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Make functions to add special SIDs non‐static

This allows us to call them from elsewhere.

Change their names accordingly to start with ‘samba_kdc_’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
571ff5f3 by Joseph Sutton at 2023-09-14T21:35:29+00:00
claims.idl: Allow empty claim value buffers

Windows doesn’t reject these, nor do we have any reason to do so.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ba175008 by Joseph Sutton at 2023-09-14T21:35:29+00:00
claims.idl: Be more lenient in our expectations for the compression of claims

384 bytes is not a strict threshold below which claims are never to be
compressed. Windows has been known to compress claims a mere 368 bytes
in size.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
49b96243 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Check return value of samdb_result_dom_sid()

We should not pass a NULL pointer into dom_sid_split_rid().

Unlike samdb_result_dom_sid(), samdb_result_dom_sid_buf() produces an
error code on failure and does not require a heap allocation.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2d929f13 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Remove unused talloc context

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1f4438c5 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Check return value of smb_krb5_principal_get_comp_string()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
acda12a7 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Correct error message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e427b5b7 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Initialize pointers to NULL

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
afd48f8d by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Fix error message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3387140d by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Inline samba_get_requester_sid_pac_blob()

A wrapper doesn’t add much utility to a function this small. We might as
well join these two into a single function.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2981a7f0 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Allocate contents of PAC blobs on blob talloc contexts

The lifetime of a blob’s contents should be tied to the lifetime of the
blob itself.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bac02f08 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Don’t operate directly on caller‐owned pointer

This is more consistent with the other PAC blob functions, and easier to
reason about.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
30db0126 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fb071bc3 by Joseph Sutton at 2023-09-14T21:35:29+00:00
docs-xml: Add missing paragraph section

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3fca94cd by Joseph Sutton at 2023-09-14T21:35:29+00:00
python:tests: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bd8c3afe by Joseph Sutton at 2023-09-14T21:35:29+00:00
python:tests: Fix invalid escape sequence

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0669af30 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s3:rpc_server: Fix inverted error messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2d736bd9 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Inline samba_get_pac_attrs_blob()

A wrapper doesn’t add much utility to a function this small. We might as
well join these two into a single function.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4954443e by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:scripting: Fix comments

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b96c55c2 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:scripting: Prefer ‘x not in y’ to ‘not x in y’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2e8bbaea by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:dsdb: Parenthesize macro expression

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bd05237d by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:dsdb: Prefer explicit initialization to ZERO_STRUCT()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8b2e1405 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:auth: Check return values of talloc functions

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c4933dd4 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:auth: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5c580dbd by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request

I’m not sure exactly how this check was supposed to work. But in any
case, within fast_unwrap_request() the Heimdal KDC replaces the outer
padata with the padata from the inner FAST request. Hence, this check
does not accomplish anything useful: at no point should the KDC plugin
see the outer padata.

A couple of unwanted consequences resulted from this check. One was that
a client who sent empty FX‐FAST padata within the inner FAST request
would receive the *Authentication Authority* Asserted Identity SID
instead of the *Service* Asserted Identity SID. Another consequence was
that a client could in the same manner bypass the restriction on
performing S4U2Self with an RODC‐issued TGT.

Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
Heimdal plugin API gives us nothing better to work with.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e48df091 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Fix leaks

Allocate variables on to a temporary context rather than on to the
potentially long‐lived context passed in by the caller.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7718a9d6 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Use common exit point for functions

This makes it less likely that we forget to clean up resources.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bf9b1688 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Fix leak

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
19b616d1 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Avoid potential use‐after‐free

We must allocate the domain groups on to the correct memory context,
lest they get freed prematurely.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d045809c by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Check for overflow when adding a domain group SID

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6dae90bd by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Don’t corrupt domain groups structure if talloc_realloc() fails

Introduce a temporary variable instead of assigning the result of
talloc_realloc() directly to samr_RidWithAttributeArray::rids. In this
way we avoid having a structure with a non‐zero ‘count’ but with ‘rids’
set to the NULL pointer.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
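
The failure mode named in this commit message, together with the overflow check from the commit before it, as an added example that is not Samba's code. Plain realloc() stands in for talloc_realloc(), and `rid_array`, `rid_array_add()`, `rid_array_add_unsafe()` and the injectable `realloc_fn` hook are hypothetical names used for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a counted RID array such as
 * samr_RidWithAttributeArray. */
struct rid_with_attribute {
	uint32_t rid;
	uint32_t attributes;
};

struct rid_array {
	uint32_t count;
	struct rid_with_attribute *rids;
};

/* Allocator hook so an allocation failure can be simulated. */
typedef void *(*realloc_fn)(void *ptr, size_t size);

/* Constructed failure: like realloc(), leaves the old block untouched. */
static void *failing_realloc(void *ptr, size_t size)
{
	(void)ptr;
	(void)size;
	return NULL;
}

/* Result assigned straight to the member: on failure 'rids' becomes NULL
 * while 'count' stays non-zero, and the old block is no longer reachable. */
static int rid_array_add_unsafe(struct rid_array *a, realloc_fn re,
				uint32_t rid, uint32_t attrs)
{
	a->rids = re(a->rids, ((size_t)a->count + 1) * sizeof(*a->rids));
	if (a->rids == NULL) {
		return -1;
	}
	a->rids[a->count].rid = rid;
	a->rids[a->count].attributes = attrs;
	a->count++;
	return 0;
}

/* Temporary variable, overflow checks first, count bumped only on success. */
static int rid_array_add(struct rid_array *a, realloc_fn re,
			 uint32_t rid, uint32_t attrs)
{
	struct rid_with_attribute *tmp = NULL;

	if (a->count == UINT32_MAX) {
		return -1; /* count + 1 would wrap */
	}
	if ((size_t)a->count + 1 > SIZE_MAX / sizeof(*tmp)) {
		return -1; /* byte size would wrap */
	}
	tmp = re(a->rids, ((size_t)a->count + 1) * sizeof(*tmp));
	if (tmp == NULL) {
		return -1; /* 'a' is exactly as it was before the call */
	}
	a->rids = tmp;
	a->rids[a->count].rid = rid;
	a->rids[a->count].attributes = attrs;
	a->count++;
	return 0;
}

/* Returns 1 if a failed append left count, pointer and contents intact. */
static int safe_failure_preserves_array(void)
{
	struct rid_array a = { 0, NULL };
	struct rid_with_attribute *before;
	int ok;

	if (rid_array_add(&a, realloc, 513, 7) != 0) {
		return 0;
	}
	before = a.rids;
	ok = rid_array_add(&a, failing_realloc, 512, 7) == -1 &&
	     a.count == 1 && a.rids == before && a.rids[0].rid == 513;
	free(a.rids);
	return ok;
}

/* Returns 1 if the unsafe variant ends with count == 1 and rids == NULL. */
static int unsafe_failure_corrupts_array(void)
{
	struct rid_array a = { 0, NULL };
	struct rid_with_attribute *old;
	int corrupted;

	if (rid_array_add_unsafe(&a, realloc, 513, 7) != 0) {
		return 0;
	}
	old = a.rids;
	corrupted = rid_array_add_unsafe(&a, failing_realloc, 512, 7) == -1 &&
		    a.count == 1 && a.rids == NULL;
	free(old); /* only reachable here because the demo kept a copy */
	return corrupted;
}

/* Returns 1 if an append at the maximum count is refused untouched. */
static int overflow_is_rejected(void)
{
	struct rid_array a = { UINT32_MAX, NULL };

	return rid_array_add(&a, failing_realloc, 1, 0) == -1 &&
	       a.count == UINT32_MAX && a.rids == NULL;
}

int main(void)
{
	printf("safe=%d unsafe=%d overflow=%d\n",
	       safe_failure_preserves_array(),
	       unsafe_failure_corrupts_array(),
	       overflow_is_rejected());
	return 0;
}
```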

- - - - -
d4ceac44 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Assign RID and attribute together

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
446e45be by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Directly zero‐initialize PAC_DOMAIN_GROUP_MEMBERSHIP structure

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
953af6c3 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Increment PAC_DEVICE_INFO::domain_group_count only after SID has been successfully added

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cf2bde73 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Allocate variables on to more suitable memory context

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0d2d3a90 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Fix leak

Introduce a temporary memory context and allocate working structures on
to it.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8b49e058 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Use temporary memory context in samba_kdc_verify_pac()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cbf1e0c8 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Introduce a temporary talloc context in samba_kdc_update_pac()

This avoids allocating working structures on to a potentially long‐lived
context.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e9590ac7 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Add common out path to pac_blobs_from_krb5_pac()

This helps to make error‐checking and cleanup more systematic.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cb400950 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Don’t corrupt pac_blobs structure if talloc_realloc() fails

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ed843609 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Make ‘struct pac_blobs’ memory handling safer and more consistent

Having pac_blobs::type_blobs be managed both by talloc and by the
‘pac_blobs’ structure itself (with pac_blobs_destroy()) is very prone to
error. So is the current situation of having the other ‘pac_blobs’
functions each take in a memory context.

Improve these circumstances by requiring ‘pac_blobs’ to be managed by
talloc. Now the other functions can dispense with their ‘mem_ctx’
parameters, being instead able to allocate on to the ‘pac_blobs’
structure itself. pac_blobs_init() no longer must be a separate
function; inline it into pac_blobs_from_krb5_pac(). pac_blobs_destroy(),
being no longer of use, can go too.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a5308a2d by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Make pac_blobs_remove_blob() never fail

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c72d784a by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Have samba_krbtgt_is_in_db() return a krb5_error_code

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b8368ed3 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Have samba_krbtgt_is_in_db() take a const KDC entry

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ed8d7497 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Rename ‘status’ variables to ‘reply_status’

This makes it clearer what these variables are used for, and avoids
confusion with the similarly‐named ‘nt_status’ variables — also used in
these functions.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
617f87a9 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Make RODC ID checks easier to understand with more clearly‐named variables

No change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
41d97438 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Prefer explicit initialization to ZERO_STRUCTP()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d902c134 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Be sure not to pass a NULL pointer into strcmp()

To do so is to invoke undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
aa56750f by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Fix leaks

Create a temporary memory context on which to allocate things.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b8ca4dea by Joseph Sutton at 2023-09-14T21:35:29+00:00
lib:krb5_wrap: Eliminate redundant code from smb_krb5_sockaddr_to_kaddr()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d901fe9c by Joseph Sutton at 2023-09-14T21:35:29+00:00
lib:krb5_wrap: Have smb_krb5_principal_get_realm() check the return values of intermediate functions

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
eec9e545 by Joseph Sutton at 2023-09-14T21:35:29+00:00
lib:krb5_wrap: Add smb_krb5_princ_component()

For now this function is a mere wrapper round krb5_princ_component(),
but one whose interface allows for a more sensible implementation.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
229d26e2 by Joseph Sutton at 2023-09-14T21:35:29+00:00
lib:krb5_wrap: Add Heimdal‐specific smb_krb5_princ_component() implementation

This implementation doesn’t rely on a variable of static storage
duration being used as a conduit for the return value.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9bb80c27 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:dsdb: Switch to using smb_krb5_princ_component()

This function has the handy feature of being able to be called twice in
succession without mysteriously breaking your code. Now, doesn’t that
sound useful?

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cec4ebbe by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Switch to using smb_krb5_princ_component()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7e62f392 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:rpc_server: Switch to using smb_krb5_princ_component()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
187d74d9 by Joseph Sutton at 2023-09-14T21:35:29+00:00
lib:krb5_wrap: Remove Heimdal‐only krb5_princ_component() implementation

This implementation is no longer called: using a variable of static
storage duration as a conduit for return values is only asking for
trouble.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
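
The hazard these krb5_wrap commit messages describe (a variable of static storage duration used as a conduit for the return value, so that two calls in succession interfere), as an added example that is not Samba's or Heimdal's code. `comp_data`, `component_via_static()` and `component_into()` are hypothetical names, and the principal is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for krb5_data: a borrowed pointer plus a length. */
struct comp_data {
	const char *data;
	size_t length;
};

/* Constructed principal "krbtgt/EXAMPLE.COM", split into its components. */
static const char *const princ_components[] = { "krbtgt", "EXAMPLE.COM" };
#define NUM_COMPONENTS (sizeof(princ_components) / sizeof(princ_components[0]))

/* Static conduit: every call hands back the address of the same object,
 * so a second call silently rewrites what the first caller is holding. */
static const struct comp_data *component_via_static(size_t i)
{
	static struct comp_data conduit;

	if (i >= NUM_COMPONENTS) {
		return NULL;
	}
	conduit.data = princ_components[i];
	conduit.length = strlen(princ_components[i]);
	return &conduit;
}

/* Caller-owned output: each result lives in storage the caller provides,
 * and failure is reported through the return code. */
static int component_into(size_t i, struct comp_data *out)
{
	if (out == NULL || i >= NUM_COMPONENTS) {
		return -1;
	}
	out->data = princ_components[i];
	out->length = strlen(princ_components[i]);
	return 0;
}

/* Returns 1 if the two "results" alias and the first now reads as the
 * second component. */
static int static_conduit_aliases(void)
{
	const struct comp_data *first = component_via_static(0);
	const struct comp_data *second = component_via_static(1);

	return first == second && strcmp(first->data, "EXAMPLE.COM") == 0;
}

/* Returns 1 if both results stay distinct and correct after two calls. */
static int caller_owned_is_independent(void)
{
	struct comp_data first;
	struct comp_data second;

	if (component_into(0, &first) != 0 || component_into(1, &second) != 0) {
		return 0;
	}
	return strcmp(first.data, "krbtgt") == 0 && first.length == 6 &&
	       strcmp(second.data, "EXAMPLE.COM") == 0 && second.length == 11;
}

int main(void)
{
	printf("static conduit aliases: %d\n", static_conduit_aliases());
	printf("caller-owned independent: %d\n", caller_owned_is_independent());
	return 0;
}
```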

- - - - -
716c3a25 by Joseph Sutton at 2023-09-14T21:35:29+00:00
nsswitch: Fix script usage

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
74624bd9 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s3:script: Fix script usage lines

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
31212b0c by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:selftest: Fix script usage lines

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2ff2d9bf by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:setup: Fix script usage line

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
208f452e by Joseph Sutton at 2023-09-14T21:35:29+00:00
testprogs: Fix script usage lines

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
238b5a8a by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Remove ks_is_tgs_principal()

This function is a near‐duplicate of smb_krb5_principal_is_tgs().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
477dc8f2 by Joseph Sutton at 2023-09-14T21:35:29+00:00
ldb: Prefer explicit initialization to ZERO_STRUCT()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d16337bd by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:wrepl_server: Correctly read ‘type’ element

winsdb_message() stores this element as hexadecimal, which format
ldb_msg_find_attr_as_uint() cannot cope with. Permit this element to be
in either decimal or hexadecimal format.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fb17b170 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:kdc: Don’t prepend useless colon to MIT KDC logging messages

If we pass an empty string as the ‘whoami’ parameter, MIT’s logging
facilities will prepend a mysterious colon to the message. Printing
“mitkdc: ” ought at least to be more sensible, and perhaps more closely
to match our behaviour prior to commit
dd8138236bec3635c25e5b482b7a14faa0a9c36b.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
253ca786 by Joseph Sutton at 2023-09-14T21:35:29+00:00
s3:net: Check return value of data_blob_talloc()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e4a81f26 by Joseph Sutton at 2023-09-14T21:35:29+00:00
tests/krb5: Rename ‘client_claims’ to ‘claims_metadata’

This variable is used not only for client claims, but for device claims
as well.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9ef494c1 by Joseph Sutton at 2023-09-14T21:35:29+00:00
fsrvp.idl: Remove excess zero digit from literal

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9a9861b5 by Joseph Sutton at 2023-09-14T21:35:29+00:00
dsgetdcname: Remove excess zero digits from literals

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
41df712d by Joseph Sutton at 2023-09-14T21:35:29+00:00
s3:winbindd: Add zero digit to literal

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
df3816eb by Joseph Sutton at 2023-09-14T21:35:29+00:00
s4:dsdb: Fix comment

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0e659702 by Andrew Bartlett at 2023-09-14T21:35:29+00:00
build: Remove -Wno-error=missing-field-initializers from Heimdal build

This allows this warning (error) to be used in Samba for cases where a
non-designated initialiser is under-specified.  We can do this now as
the GCC versions we build on do not regard foo = {} as an error.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
58e45b35 by Andrew Bartlett at 2023-09-14T21:35:29+00:00
build: Reduce heimdal_no_error_flags to a more minimal set

Heimdal does not seem to give as many errors as in the past, so we
can reduce the set of errors we ignore warnings for.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
b6e46432 by Pavel Kalugin at 2023-09-14T21:35:29+00:00
s3:notifyd: Use lpcfg_set_cmdline()

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6f00a088 by Pavel Kalugin at 2023-09-14T21:35:29+00:00
s3:torture: Use lpcfg_set_cmdline()

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ea59632b by Pavel Kalugin at 2023-09-14T21:35:29+00:00
s3:utils: Use lpcfg_set_cmdline() in smbpasswd

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9b624673 by Pavel Kalugin at 2023-09-14T21:35:29+00:00
libnetapi: Use lpcfg_set_cmdline()

Replace lp_set_cmdline() with lpcfg_set_cmdline() in netapi.c.
For this purpose:
1. Add loadparm_context to the libnetapi_ctx because we need it
   in libnetapi_set_debuglevel() and libnetapi_set_logfile().
2. Move loadparm_context creation from libnetapi_net_init()
   to libnetapi_init() and add the lp_ctx parameter to the former.

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
04d20c3a by Pavel Kalugin at 2023-09-14T21:35:29+00:00
s3:netapi: Fix a leak in libnetapi_net_init()

Allow libnetapi_net_init() to be called more than once without
leaking libnetapi_ctx allocated on a previous call, which is
currently the case in the `net rpc` code.

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f7a06f3a by Pavel Kalugin at 2023-09-14T21:35:29+00:00
s3:libsmb: Use lpcfg_set_cmdline()

Signed-off-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c839a25d by Andreas Schneider at 2023-09-14T21:35:29+00:00
s3:client: Use lpcfg_set_cmdline()

This lp_set_cmdline() leaks memory and we want to get rid of it.

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
96e18e17 by Andreas Schneider at 2023-09-14T22:30:06+00:00
s3:param: Remove unused lp_set_cmdline()

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Pavel Kalugin <pkalugin at inno.tech>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 14 22:30:06 UTC 2023 on atb-devel-224

- - - - -
5b7f9840 by Stefan Metzmacher at 2023-09-17T18:04:18+00:00
selftest: add some basic testing for the io_uring vfs module

We're now able to build it on all linux systems and
the ci runners have at least a 5.4 kernel. That's
all the current vfs_io_uring requires.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sun Sep 17 18:04:18 UTC 2023 on atb-devel-224

- - - - -
340b7fd1 by Stefan Metzmacher at 2023-09-18T15:59:16+00:00
nsswitch: add test for pthread_key_delete misuse (bug 15464)

This is based on https://bugzilla.samba.org/attachment.cgi?id=18081
written by Krzysztof Piotr Oledzki <ole at ans.pl>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 62af25d44e542548d8cdecb061a6001e0071ee76)

- - - - -
61f6f46b by Stefan Metzmacher at 2023-09-18T15:59:16+00:00
nsswitch/wb_common.c: fix build without HAVE_PTHREAD

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4faf806412c4408db25448b1f67c09359ec2f81f)

- - - - -
9c10f828 by Stefan Metzmacher at 2023-09-18T15:59:16+00:00
nsswitch/wb_common.c: winbind_destructor can always use get_wb_global_ctx()

The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all
required magic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 836823e5047d0eb18e66707386ba03b812adfaf8)

- - - - -
7d04c32e by Stefan Metzmacher at 2023-09-18T15:59:16+00:00
nsswitch/wb_common.c: don't operate on a stale wb_global_ctx.key

If nss_winbind is loaded into a process that uses fork multiple times
without any further calls into nss_winbind, wb_atfork_child handler
was using a wb_global_ctx.key that was no longer registered in the
pthread library, so we operated on a slot that was potentially
reused by other libraries or the main application, which is likely
to cause memory corruption.

So we had better not call pthread_key_delete() in wb_atfork_child().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Reported-by: Krzysztof Piotr Oledzki <ole at ans.pl>
Tested-by: Krzysztof Piotr Oledzki <ole at ans.pl>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 91b30a7261e6455d3a4f31728c23e4849e3945b9)

- - - - -
374ba0d2 by Stefan Metzmacher at 2023-09-18T16:55:30+00:00
nsswitch/wb_common.c: fix socket fd and memory leaks of global state

When we are called in wb_atfork_child() or winbind_destructor(),
wb_thread_ctx_destructor() is not called for the global state
of the current or any other thread, which means we would
leak the related memory and socket fds.

Now we maintain a global list protected by a global mutex.
We traverse the list and close all socket fds, which are no
longer used (winbind_destructor) or no longer valid in the
current process (wb_atfork_child), in addition we 'autofree'
the ones, which are only visible internally as global (per thread)
context.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Tested-by: Krzysztof Piotr Oledzki <ole at ans.pl>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224

(cherry picked from commit 4af3faace481d23869b64485b791bdd43d8972c5)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Sep 18 16:55:30 UTC 2023 on atb-devel-224

- - - - -
e61a956b by Jeremy Allison at 2023-09-19T18:59:34+00:00
s3: smbd: rename_internals_fsp() has to reopen the parent directory of the target as a pathref to check permissions.

So it never looks at any passed in dst_dirfsp.

Prove this by passing NULL.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
33845e09 by Jeremy Allison at 2023-09-19T18:59:34+00:00
s3: smbd: Now we've proved dst_dirfsp parameter is always NULL, remove the parameter from rename_internals_fsp().

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
c38815b4 by Jeremy Allison at 2023-09-19T18:59:34+00:00
s3: smbd: As rename_internals() calls rename_internals_fsp(), show we can pass dst_dirfsp as NULL here too.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
e94796e7 by Jeremy Allison at 2023-09-19T18:59:34+00:00
s3: smbd: Now we have shown dst_dirfsp is always NULL, remove the parameter from rename_internals().

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
3fba7872 by Jeremy Allison at 2023-09-19T18:59:34+00:00
s3: smbd: hardlink_internals() never looks at src_dirfsp or dst_dirfsp.

Show this by sending NULL in all cases.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
05291d2b by Jeremy Allison at 2023-09-19T19:51:47+00:00
s3: smbd: Now we have proved hardlink_internals() doesn't use src_dirfsp and dst_dirfsp, remove the parameters.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Sep 19 19:51:47 UTC 2023 on atb-devel-224

- - - - -
82e88f70 by Jeremy Allison at 2023-09-20T01:49:34+00:00
s3: smbd: Add some DEVELOPER-only code to panic if the destructor for an aio_lnk is called and the associated fsp doesn't exist.

Make this DEVELOPER-only as it walks the entire open
file list on every file close (with associated aio).

This helps catch really subtle problems with orphaned
aio lnk structs.

Reproducer test case to follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
3f32bf88 by Jeremy Allison at 2023-09-20T01:49:34+00:00
s3: smbd: named pipe reads are async. Use the same logic as for named pipe transacts to avoid crashes on shutdown.

Noticed by Metze.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
ea062c3b by Jeremy Allison at 2023-09-20T01:49:34+00:00
s3: smbd: named pipe writes are async. Use the same logic as for named pipe transacts to avoid crashes on shutdown.

Noticed by Metze.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
66398dd0 by Jeremy Allison at 2023-09-20T01:49:35+00:00
s3: torture: Add a new SMB2 test: SMB2-PIPE-READ-ASYNC-DISCONNECT

Shows the server crashes if we open a named pipe, do an async read
and then disconnect.

Adds knownfail:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
11280f17 by Jeremy Allison at 2023-09-20T02:43:18+00:00
s3: smbd: Ensure we remove any pending aio values for named pipes on forced shutdown.

Matches file and directory closes.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 20 02:43:18 UTC 2023 on atb-devel-224

- - - - -
d70374c3 by Jeremy Allison at 2023-09-20T16:23:32+00:00
s3: libsmb: Add a missing return statement in the timeout case.

Obvious fix (needs a malicious server to recreate).

Found by Robert Morris <rtm at lcs.mit.edu>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15426

Signed-off-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit d27c2f2a47dc488ee32dd28d01697bfc409dff77)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Wed Sep 20 16:23:32 UTC 2023 on atb-devel-224

- - - - -
56df75d4 by Volker Lendecke at 2023-09-20T21:48:36+00:00
tests: Add reproducer for BZ15481

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
3481bbfe by Volker Lendecke at 2023-09-20T22:42:48+00:00
smbd: Fix BZ15481

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 20 22:42:48 UTC 2023 on atb-devel-224

- - - - -
8b9f4644 by Martin Schwenke at 2023-09-21T00:46:50+00:00
ctdb-daemon: Call setproctitle_init()

Commit 19c82c19c009eefe975ae95c8b709fc93f5f4c39 changed the behaviour
of prctl_set_comment() so it now calls setproctitle(3bsd) by default.

In some Linux distributions (e.g. Rocky Linux 8.8), this results in
messages like this spamming the logs:

  ctdbd: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.

Most Samba daemons seem to call setproctitle_init(), so do it here.

In the longer term CTDB should also switch to using lib/util's
process_set_title(), like the rest of Samba, for more flexible process
names.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15479

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Thu Sep 21 00:46:50 UTC 2023 on atb-devel-224

- - - - -
b3cae8dc by Volker Lendecke at 2023-09-21T17:43:23+00:00
conf: Remove "smb3 unix extensions" parameter

Always offer it, it's a client thing to ask for it or not.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Sep 21 17:43:23 UTC 2023 on atb-devel-224

- - - - -
3ac07573 by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: smbd: Add some DEVELOPER-only code to panic if the destructor for an aio_lnk is called and the associated fsp doesn't exist.

Make this DEVELOPER-only as it walks the entire open
file list on every file close (with associated aio).

This helps catch really subtle problems with orphaned
aio lnk structs.

Reproducer test case to follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 82e88f70f181300f6f98691f6680839a94470e13)

- - - - -
68b8a5c4 by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: smbd: named pipe reads are async. Use the same logic as for named pipe transacts to avoid crashes on shutdown.

Noticed by Metze.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3f32bf887d4425655e81da0b2234cbca3b1d56e6)

- - - - -
f3d07e12 by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: smbd: named pipe writes are async. Use the same logic as for named pipe transacts to avoid crashes on shutdown.

Noticed by Metze.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit ea062c3b0d4dbb1f0682f808ac893bf36a6fb194)

- - - - -
09e00c0a by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: torture: Add a new SMB2 test: SMB2-PIPE-READ-ASYNC-DISCONNECT

Shows the server crashes if we open a named pipe, do an async read
and then disconnect.

Adds knownfail:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 66398dd03c46633b474438dddb771caa2d245e64)

- - - - -
c30984f0 by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: smbd: Ensure we remove any pending aio values for named pipes on forced shutdown.

Matches file and directory closes.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 20 02:43:18 UTC 2023 on atb-devel-224

(cherry picked from commit 11280f1705c0faa1729f5aeaa1b6a1f79ab5a199)

- - - - -
9ba1c94e by Joseph Sutton at 2023-09-22T19:34:15+00:00
s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request

I’m not sure exactly how this check was supposed to work. But in any
case, within fast_unwrap_request() the Heimdal KDC replaces the outer
padata with the padata from the inner FAST request. Hence, this check
does not accomplish anything useful: at no point should the KDC plugin
see the outer padata.

A couple of unwanted consequences resulted from this check. One was that
a client who sent empty FX‐FAST padata within the inner FAST request
would receive the *Authentication Authority* Asserted Identity SID
instead of the *Service* Asserted Identity SID. Another consequence was
that a client could in the same manner bypass the restriction on
performing S4U2Self with an RODC‐issued TGT.

Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
Heimdal plugin API gives us nothing better to work with.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477

- - - - -
ebc4bbbf by Volker Lendecke at 2023-09-22T19:34:15+00:00
tests: Add reproducer for BZ15481

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 56df75d44795582dcecb8676a0d80d6f4a46c7e9)

- - - - -
79101588 by Volker Lendecke at 2023-09-22T20:34:16+00:00
smbd: Fix BZ15481

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 20 22:42:48 UTC 2023 on atb-devel-224

(cherry picked from commit 3481bbfede5127e3664bcf464a0ae3dec9247ab7)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Fri Sep 22 20:34:16 UTC 2023 on atb-devel-224

- - - - -
6a7d404d by Pavel Filipenský at 2023-09-24T21:37:38+00:00
s3:tests: Fix smbspool_argv_wrapper.c

smbspool_argv_wrapper must copy also the last argument

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d8f1298a by Pavel Filipenský at 2023-09-24T22:33:07+00:00
s3:tests: test_smbspool.sh should be calling smbspool_argv_wrapper

There is no variable named 'smbspool_argv_wrapper', the correct name is
'samba_argv_wrapper'. The smbspool_argv_wrapper was not called from this
test till now.

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Sun Sep 24 22:33:07 UTC 2023 on atb-devel-224

- - - - -
efa7f6a1 by Pavel Filipenský at 2023-09-24T23:13:33+00:00
s3:tests: Fix init of samba_kdestroy in test_smbclient_kerberos.sh

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3d7d37ad by Pavel Filipenský at 2023-09-24T23:13:33+00:00
s3:tests: Fix syntax error in test_smbclient_kerberos.sh

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e58805fe by Pavel Filipenský at 2023-09-25T00:14:47+00:00
s3:tests: Check if test_smbclient_kerberos.sh was successful

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Mon Sep 25 00:14:47 UTC 2023 on atb-devel-224

- - - - -
88258e17 by Volker Lendecke at 2023-09-25T17:09:37+00:00
libsmb: Add sync cli_mknod() for smbclient3's use

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
815ff26d by Volker Lendecke at 2023-09-25T17:09:37+00:00
smbclient: Add mkfifo command

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
ddc1f56c by Volker Lendecke at 2023-09-25T17:09:37+00:00
libsmb: Add reparse_data_buffer_marshall()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
41274da9 by Volker Lendecke at 2023-09-25T17:09:37+00:00
libsmb: Use reparse_data_buffer_marshall() in py_reparse_symlink_put()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
d19a28fd by Volker Lendecke at 2023-09-25T17:09:37+00:00
libsmb: Factor out cli_create_reparse_point() from cli_symlink()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
1f21be82 by Volker Lendecke at 2023-09-25T17:09:37+00:00
libsmb: Use reparse_data_buffer_marshall() in cli_symlink_send()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
e5d724ca by Volker Lendecke at 2023-09-25T17:09:37+00:00
libsmb: Use reparse_data_buffer_marshall() in py_reparse_put()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
af5756df by Volker Lendecke at 2023-09-25T17:09:37+00:00
libsmb: Remove reparse_symlink.c

Makes reparse_buffer_marshall static to reparse.c

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
9c316623 by Volker Lendecke at 2023-09-25T18:08:01+00:00
libsmb: Extend cli_mknod to create NFS reparse points

Tested smbclient mkfifo manually against W2k22, the Windows NFS server
reports this as FIFO.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Sep 25 18:08:01 UTC 2023 on atb-devel-224

- - - - -
aaf5821d by Volker Lendecke at 2023-09-25T19:01:34+00:00
smbclient: Save lines with talloc_asprintf_addbuf()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
2399b105 by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Remove unused cli_is_nt_error()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
9ec7245b by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Remove a call to SMBC_errno()

All returns from cacl_get() now explicitly set the errno.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
bb8ec333 by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Remove a call to SMBC_errno()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
15ff9c18 by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Remove a call to SMBC_errno()

This involves converting cli_printjob_del() to NTSTATUS and thus
touches a few callers.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
3cfe1683 by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Remove SMBC_errno()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
05828c3e by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Eliminate a reader of cli->raw_status

At some point we should get rid of cli->raw_status.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
b0b1fc19 by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Remove unused cli_dos_error()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
e6136139 by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Remove unused cli_is_dos_error()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
46f710c9 by Volker Lendecke at 2023-09-25T19:01:34+00:00
lib: Modernize tdb_fetch_lifetime()

Just came across this, avoid mallocs.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
3b8cfda1 by Volker Lendecke at 2023-09-25T19:01:34+00:00
lib: Avoid a tdb handle leak

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
94433d1d by Volker Lendecke at 2023-09-25T19:01:34+00:00
examples: Use explicit SMBCCTX

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
446a3b3e by Volker Lendecke at 2023-09-25T19:01:34+00:00
smbd: Modernize a few DBG statements

Changes on level from 4 to 3 in store_file_unix_basic().

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
aef98c63 by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Remove two #defines just used once

To me these two did not create clarity.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
94dcda1e by Volker Lendecke at 2023-09-25T19:01:34+00:00
examples: Slightly modernize printfs in teststat

long long works, but it's a bit too specific now that we have intmax_t

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
27ae6bdb by Volker Lendecke at 2023-09-25T19:01:34+00:00
clifuse: Use an empty array for holding the inode path

Cleaner these days.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
cd2e6c45 by Volker Lendecke at 2023-09-25T19:01:34+00:00
clifuse: Start implementing forget()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a0181938 by Volker Lendecke at 2023-09-25T19:01:34+00:00
libcli: Correct guard #define

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
b693b6ac by Volker Lendecke at 2023-09-25T19:01:34+00:00
libsmb: Make libsmb/clispnego.c static to libads/

It's only called there. The "+" part of this patch might not conform
to README.Coding because it's a literal cut&paste.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
fab08854 by Volker Lendecke at 2023-09-25T19:59:17+00:00
libsmb: Pass neg contexts through sync smbXcli_negprot_recv()

Looks much larger than it is, there's a lot of callers to feed NULL to.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon Sep 25 19:59:17 UTC 2023 on atb-devel-224

- - - - -
d7394a90 by Samuel Cabrero at 2023-09-26T19:28:08+00:00
testparm: Allow idmap ranges overlap for idmap_nss

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Sep 26 19:28:08 UTC 2023 on atb-devel-224

- - - - -
4ef7845b by Douglas Bagnall at 2023-09-26T23:45:35+00:00
security.idl: extend security token with device SIDs

A device has SIDs too, and a modern security token needs to know
them in order to interpret conditional expressions like
"Device_member_of".

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
34aa33a1 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
security.idl: use sec_ace_object() in object switch

At some point sec_ace_object() is going to gain awareness of
SEC_ACE_TYPE_ACCESS_ALLOWED_CALLBACK_OBJECT and the like.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
617cfa0e by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: helper to find callback/conditional aces

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
41e1b695 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: helper to find resource attribute ACEs

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e81e98c4 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: helper to find ACEs with meaningful codas

Only Resource Attribute ACEs and Conditional ACEs are expected to have
trailing data. Others sometimes might, but we don't care what it is.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
762646b5 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: use tabs in sec_ace_object()

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
498c4110 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: callback object aces are object aces

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
40d9b08d by Douglas Bagnall at 2023-09-26T23:45:35+00:00
librpc:security.idl: ace->coda can be resource attribute

And now we see why security_ace_coda was a union.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e8192ddd by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/sec: reformat long line in wscript_build

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
df8eec38 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
librpc:security.idl: add conditional ace coda

Conditional ACEs go into a DATA_BLOB just like the default ignored
coda, but we add a union field with a different name to preserve
sanity.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5e1ed7b7 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
ndr_sec_helper: ndr_size_security_ace: do less work

Almost always the ACE has an `ignored` DATA_BLOB as the coda, and the
length of the coda is the length field of the blob, which is usually
zero.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a8e3f5d3 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
ndr_sec_helper: ace length should be multiple of 4

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cdd9424e by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: whitespace repair in sddl.c

tabs not spaces.

It appears that my emacs got its configuration mixed up and was using
spaces.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
672fc0a1 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: find SDDL coda for RA and conditional ACEs

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
140f7466 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: add stub of conditional ACE code.

This is just the outline of what will come, but first we'll add
conditional ACE SDDL decoding in sddl_conditional_ace.c

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
94f0a108 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli:security: outline for sddl_conditional_ace.c

This is to show where we're going to end up.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6f588a1f by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli:security: helpers for converting claim types

There are three different forms for claims, and we need to convert
between them.

For now, we are only going to be converting between conditional ACE
type and the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 type used by
resource ACEs and in the security token, and later we will add the PAC
claim types.

It doesn't help that these all have incompatible definitions, but we
do our best.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
969cb79d by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: add conditional ACE SDDL functions

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4b8e9e3f by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli:security: add functions to decode and decode RA ACEs

Resource Attribute ACEs have similar syntactical components to
conditional ACEs -- enough so that it is worth reusing the same
functions, but not quite enough so that it is exactly simple.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d6bd491e by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli:security: add code to interpret conditional ACES

This doesn't actually *do* anything yet, for two reasons:

 1. conditional ACEs are not checked in the
    libcli/security/access_check.c functions (or anywhere else), and
    will be treated just as they are now, as unknown types.

 2. this file isn't mentioned in the wscript, so it isn't compiled.

 We'll get to point 2 first.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e88ea32c by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: add conditional ace files to samba-security

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
84fa3972 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: sdd_decode_ace handles callback types

Conditional ACEs will not actually be decoded until the CALLBACK types
are added to the ace_types flag table.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6683d611 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: sdd_decode_ace handles resource attribute types

The decoding will not happen until "RA" is added to the ace_types table.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ed52c9ed by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: sddl_encode_ace encodes conditional ACEs

Will work when the ace_flags table is updated.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3959fba3 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: sddl_encode_ace encodes resource attribute ACEs

Will work when the ace_flags table is updated.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1cc8888b by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: SDDL: add callback and resource ace type flags

With this, Conditional ACEs and Resource Attribute ACEs in SDDL will
be parsed.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2923898e by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security/create_descriptor: calc_inherited handles new types

*_CALLBACK_OBJECT types inherit like other _OBJECT types.
*_CALLBACK types do nothing, like other non-OBJECT types.

We also explicitly throw unused alarm callback types and
SEC_ACE_TYPE_SYSTEM_MANDATORY_LABEL and
SEC_ACE_TYPE_SYSTEM_SCOPED_POLICY_ID into the fire.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b08093ed by Douglas Bagnall at 2023-09-26T23:45:35+00:00
lbcli/security: callback object ACES fall back with no GUID

As with other object ACEs, if there is not a GUID to refer to the ACE
becomes the corresponding non-object ACE.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e4865a3b by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: test SDDL compilation in cmocka

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
295c609f by Douglas Bagnall at 2023-09-26T23:45:35+00:00
lib/fuzzing: fuzz SDDL conditional ACEs

Here we're not compiling the whole SD, just the single conditional
ACE.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
829d77b4 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
s4/librpc: build conditional ace Python bindings

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5569c177 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: security_descriptors comparison is quieter

This matters when we have a million failures.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
63be8401 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: security_descriptors test for repetitive ACLs

If there are multiple identical ACEs in an SDDL ACL, Windows will decode
them all and put extra trailing zeroes at the end of the ACL.

In contrast, Samba will decode the ACEs and not put extra zeroes at the
end.

The problem comes when Samba tries to read a binary ACL from Windows that
has the extra zeroes, because Samba's ACL size calculation is based on
the size of its constituent ACEs, not the ACL size field.

There is no good reason for an ACL to have repeated ACEs, but they could
be added accidentally.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b6a665cc by Douglas Bagnall at 2023-09-26T23:45:35+00:00
librpc/ndr:ndr_sec_helper: fix a typo

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
afec8524 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: use sec_object_ace() in size_security_ace

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7b9462fa by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: security_descriptors: tests without revision number hack

ACL revision 4 (SECURITY_ACL_REVISION_ADS) is effectively a superset
of revision 2 (SECURITY_ACL_REVISION_NT4), so any revision 2
ACL can be called revision 4 without any problem. But not vice versa:
a revision 4 ACL can contain ACE types that a revision 2 ACL can't. The
extra ACE types relate to objects.

Samba currently simplifies things by calling all its ACLs revision 4,
even if (as is commonly the case) the ACLs contain only revision 2 ACEs.
On the other hand, Windows will use revision 2 whenever it can. In other
tests we skip past this by forcing Windows ACLs to v4 before comparison.
This test is to remind us of the incompatibility.

It would not be hard to fix.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
901f77c5 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: security descriptors: test some conditional and RA ACEs

We have two sets of tests: one that will succeed, and one that is going
to remain a knownfail. The latter involves Resource Attribute ACEs that
have the TX type, meaning "byte string".

In MS-DTYP, a bytestring is defined like "#6869210a", with a hash,
followed by an even number of hex digits. In other places on the web, it
is mentioned that zeroes in the string can be replaced by hashes, like so
"#686921#a". We discover via indirect fuzzing that a TX RA ACE can also
take bare integers, like "6869210a" or "2023". As it would be tricky to
support this, and there is no evidence of this occurring in the wild, we
will probably leave this as a knownfail.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a392b403 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest:security descriptors: hack to capture results as json

This makes it easy to separate a large number of examples into
successes and knownfails.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
28d23377 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest:security_descriptors: test collected conditional ACEs

These tests were named in the superclass, but were not actually run,
nor was the file in git.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ee386021 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: windows-sddl-test: fix typo in --help

found by Rob van der Linde.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d7c0948d by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: windows-sddl-test: fix read of text examples

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2f30103f by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: sddl tests can be only externally defined

Currently a test suite needs a strings list in order to import new
strings. This lets us avoid that and have the actual tests defined
only in external lists, making it easier to see we're testing the same
thing on Windows and reducing duplication.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2a4fc3fe by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: sddl strings dir can be defined in class

Before we had to do this in an environment variable. In that case we
are probably wanting to monitor changes, so we like it to print more
messages than we want to see in an autobuild run that will hopefully
never do anything interesting.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c13684e6 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security/tests: add some test strings

These will soon be used by python/samba/tests/sddl_conditional_ace.py,
and are a format understood by the Windows programs in
libcli/security/tests/windows.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fabc2f35 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: sddl tests with conditional ACEs

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
924d59fd by Douglas Bagnall at 2023-09-26T23:45:35+00:00
security.idl: drop claim v1 reserved field

It isn't used and ended up filled with junk. The alignment works out.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e2a4f20d by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security/conditional ACEs: compare composites as sets

... or at least settishly.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b7ae4304 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: cmocka test for running conditional ACEs

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
044370a0 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: tools for creating security tokens

Sometimes we need security tokens for tests, and the raw constructor
is not very ergonomic. This wraps it so you can do this:

from samba.tests.token_factory import token as Token
t = Token(['WD', 'AA'],
          privileges=['SEC_PRIV_DEBUG'],
          rights=0x840,
          device_claims={'wheels': 2, 'smelly': 'no'},
          device_sids=['BG'])

and get a security.token object with the expected qualities.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
30e6249d by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: tests for conditional ACEs with security tokens

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b65ac100 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest:conditional_ace_claims: ease export of failing tests to C

When a test fails, this prints a little stanza like

static void test_something(void **state)
{
       INIT();
       USER_SIDS("WD", "AA");
       DEVICE_SIDS("BA", "BG");
       SD("D:(XA;;0x1f;;;AA;(! Member_of{SID(AA)}))");
       DENY_CHECK(0x10);
}

which is exactly right for copying into
libcli/security/tests/test_run_conditional_ace.c
which is much easier to iterate over with compiling and debugging.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
327861dc by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: conditional ace access checks for AD

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b7bd1f43 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: conditional ace access checks for file server

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c6a62d69 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
lib/fuzzing: adapt fuzz_sddl_access_check for claims

The token has more stuff in it.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ea4caa45 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
lib/fuzzing: fuzz_conditional_ace_blob

This parses the blob as a conditional ACE, and if possible tries
decompiling it into SDDL.

There are not many round-trip assertions we can honestly make, but we
keep the trip going as long as possible, in case it reveals anything.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cc17c3e2 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
lib/fuzzing: adjust access-check seed patch

Now that access_check.c includes headers for conditional ACEs, the patch
should take that into account.

Also, we check for a talloc failure.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
15fe49a2 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: assembler for conditional ACEs

This is a helper module to construct conditional ACEs that can't be
created from SDDL.

There is a semi-infinite number of valid conditional ACEs that don't
have SDDL representations, and an even larger number of invalid (or
borderline invalid) ACEs.

This allows us to create those ACEs without having to deal with too
many arrays of numbers.

The next commit provides an example of its use.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
14492945 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
libcli/security: beginning of tests for conditional ACE bytes

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
978a9e46 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
pytest: conditional_ace assembler assembles full descriptor

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f8215ed3 by Douglas Bagnall at 2023-09-26T23:45:35+00:00
librpc/ndr_claims: avoid 'bin/default' in #include

Obviously it works fine, but we don't do it anywhere else.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c9cf90ae by Andrew Bartlett at 2023-09-26T23:45:35+00:00
s3-lib/util_nttoken: Reimplement dup_nt_token() with NDR pull/push

The struct security_token can now contain complex claims as well as SIDs
so we can no longer just duplicate it by hand.  Instead let PIDL and libndr
do the hard work for us.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
5696f66d by Andrew Bartlett at 2023-09-26T23:45:35+00:00
librpc: Add context as to if this token should be used for claims evaluation

Claims evaluation is added to the core se_access_check() library, but
not all callers provide claims in the security_token and we want to
be able to disable this new and complex code if needed.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
1223b89d by Andrew Bartlett at 2023-09-26T23:45:35+00:00
docs-xml: Add new parameter "acl claims evaluation"

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
f1fcbc0f by Andrew Bartlett at 2023-09-26T23:45:35+00:00
s4-auth: pass lp_ctx to auth_generate_session_info() where possible

For non-testing callers of auth_generate_session_info(), passing
lp_ctx will allow us to correctly set a flag indicating if claims
should be evaluated.

For testing applications, the default will allow safe operation
inspecting the SID list.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
e2cc29d1 by Andrew Bartlett at 2023-09-26T23:45:35+00:00
libcli/security: Pass in claims evaluation state when building any security token

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
a8210ab1 by Andrew Bartlett at 2023-09-26T23:45:35+00:00
s3-net_rpc: Use security_token_initialise() to create struct security_token

This ensures that the full structure is initialised now and in the
future.

Because this is now a talloc based structure, we can now use
add_sid_to_array_unique() rather than a reimplementation in this file.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
934b0335 by Andrew Bartlett at 2023-09-26T23:45:36+00:00
s3-net_rpc: Make the struct user_token array the parent talloc context

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
4e8e35de by Andrew Bartlett at 2023-09-26T23:45:36+00:00
s3-winbind: Use token as parent for token->sids in check_info3_in_group()

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
13d3c615 by Andrew Bartlett at 2023-09-26T23:45:36+00:00
libcli/security: Move dup_nt_token() to libcli/security

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
dc7dc6f5 by Andrew Bartlett at 2023-09-26T23:45:36+00:00
libcli/security: Rename dup_nt_token() -> security_token_duplicate()

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
d027200a by Andrew Bartlett at 2023-09-26T23:45:36+00:00
libgpo: Reimplement registry_create_system_token() using get_system_token()

This helps ensure we have a smaller number of places that
a struct security_token starts from.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
d9e268db by Andrew Bartlett at 2023-09-26T23:45:36+00:00
python: Change the generic merge_nt_token() to being specific to the system_token

This allows us to punt on the question of merging the claims, as there are
none on the system token.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
c8c86b81 by Andrew Bartlett at 2023-09-26T23:45:36+00:00
s3-lib: Modify merge_nt_token() into a GPO-specific merge with SYSTEM

By making this specific to the only use case, merging with the SYSTEM
token for GPOs, we avoid having to merge the claims, as there are none
for SYSTEM.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
e3f28c2e by Andrew Bartlett at 2023-09-26T23:45:36+00:00
libcli/security: Hook in ability to disable conditional ACE evaluation

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
588a339d by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcli/security: adjust tests for evaluate_claims flag

Most tests were prepared in advance, but we left these ones to test
the change.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
117d4c55 by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcli/security: access_check with MAXIMUM_ALLOWED checks callbacks

To help clarify the logic, we make new functions that separate the
deny and allow cases, which helps keep track of what 'yes' and 'no'
mean and which incorporate the logic of token->evaluate_claims
handling, which determines when we want to run a conditional ACE, when
we want to ignore it, and when we want to take offence. In the case
when we decide to run it, we then need to decide whether to apply it
or ignore it based on the result. This last bit differs between allow
and deny aces, hence the two functions.

These functions will replace check_callback_ace_access() over the next
few commits.

In the case where token->evaluate_claims is
CLAIMS_EVALUATION_INVALID_STATE and the DACL contains a conditional
ACE, the maximum allowed is 0, as if it was a "deny everything" ACE.

This is an unexpected case. Most likely the evaluate_claims state
will be NEVER or ALWAYS. In the NEVER case the conditional ACE is
skipped, as would have happened in all cases before 4.20, while in the
ALWAYS case the conditional ACE is run and applied if successful.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
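
The evaluate_claims handling described in commit 117d4c55 above, as an added C model that is not Samba's code: it shows how the three states change a MAXIMUM_ALLOWED result when a DACL contains a conditional (callback) ACE. All type and function names are hypothetical, every ACE is assumed to match the token, condition outcomes are supplied rather than evaluated, and the rule that an UNKNOWN result applies a deny ACE but not an allow ACE is an assumption taken from MS-DTYP, not from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (hypothetical names). The three states mirror the
 * INVALID_STATE / NEVER / ALWAYS values named in the commit message. */
enum claims_evaluation { EVAL_INVALID_STATE = 0, EVAL_NEVER, EVAL_ALWAYS };
enum cond_result { COND_FALSE, COND_TRUE, COND_UNKNOWN };
enum ace_kind { KIND_ALLOW, KIND_DENY, KIND_ALLOW_CALLBACK, KIND_DENY_CALLBACK };
enum ace_decision { ACE_SKIP, ACE_APPLY, ACE_OFFENCE };

struct model_ace {
	enum ace_kind kind;
	uint32_t mask;
	enum cond_result cond; /* outcome of the condition, callback ACEs only */
};

/* Allow case: only a condition that is definitely true grants access. */
static enum ace_decision callback_allow_decision(enum claims_evaluation state,
						 enum cond_result r)
{
	switch (state) {
	case EVAL_NEVER:
		return ACE_SKIP; /* conditional ACE ignored, as before 4.20 */
	case EVAL_ALWAYS:
		return (r == COND_TRUE) ? ACE_APPLY : ACE_SKIP;
	default:
		return ACE_OFFENCE; /* invalid state: fail closed */
	}
}

/* Deny case: assumption from MS-DTYP, TRUE or UNKNOWN both deny. */
static enum ace_decision callback_deny_decision(enum claims_evaluation state,
						enum cond_result r)
{
	switch (state) {
	case EVAL_NEVER:
		return ACE_SKIP;
	case EVAL_ALWAYS:
		return (r != COND_FALSE) ? ACE_APPLY : ACE_SKIP;
	default:
		return ACE_OFFENCE;
	}
}

/* Walk the DACL in order and compute the maximum allowed mask. */
static uint32_t model_max_allowed(const struct model_ace *dacl, size_t n,
				  enum claims_evaluation state)
{
	uint32_t granted = 0, denied = 0;

	for (size_t i = 0; i < n; i++) {
		enum ace_decision d = ACE_APPLY;
		int is_deny = (dacl[i].kind == KIND_DENY ||
			       dacl[i].kind == KIND_DENY_CALLBACK);

		if (dacl[i].kind == KIND_ALLOW_CALLBACK) {
			d = callback_allow_decision(state, dacl[i].cond);
		} else if (dacl[i].kind == KIND_DENY_CALLBACK) {
			d = callback_deny_decision(state, dacl[i].cond);
		}
		if (d == ACE_OFFENCE) {
			return 0; /* behaves like a "deny everything" ACE */
		}
		if (d == ACE_SKIP) {
			continue;
		}
		if (is_deny) {
			denied |= ~granted & dacl[i].mask; /* earlier allows win */
		} else {
			granted |= dacl[i].mask;
		}
	}
	return granted & ~denied;
}

/* Constructed sample DACLs. */
static const struct model_ace dacl_allow_cond[] = {
	{ KIND_ALLOW_CALLBACK, 0x1f, COND_TRUE },
	{ KIND_ALLOW, 0x20, COND_FALSE },
};
static const struct model_ace dacl_deny_unknown[] = {
	{ KIND_DENY_CALLBACK, 0x10, COND_UNKNOWN },
	{ KIND_ALLOW, 0x1f, COND_FALSE },
};
static const struct model_ace dacl_plain[] = {
	{ KIND_ALLOW, 0x1f, COND_FALSE },
};

int main(void)
{
	static const char *names[] = { "INVALID_STATE", "NEVER", "ALWAYS" };

	for (int s = EVAL_INVALID_STATE; s <= EVAL_ALWAYS; s++) {
		printf("%-13s allow-cond=0x%02x deny-unknown=0x%02x plain=0x%02x\n",
		       names[s],
		       (unsigned)model_max_allowed(dacl_allow_cond, 2, s),
		       (unsigned)model_max_allowed(dacl_deny_unknown, 2, s),
		       (unsigned)model_max_allowed(dacl_plain, 1, s));
	}
	return 0;
}
```

The invalid state only bites when a conditional ACE is actually reached: the plain DACL yields the same mask in all three states.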

- - - - -
5d6f0927 by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcli/security: sec_access_check_ds uses new callback ACE checks

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c5345f18 by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcli/security: se_access_check uses new callback checks

With the last caller of check_callback_ace_access() gone, so is that
function.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1e45a4d1 by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcli/security: access_check handles CALLBACK_OBJECT types

These are like an object type if the callback (i.e. conditional ACE
conditions) succeeds, otherwise they are ignored.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
94d1cfbd by Andrew Bartlett at 2023-09-26T23:45:36+00:00
conditional_aces: Avoid manual parsing for ace_condition_sid

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
793b86f4 by Andrew Bartlett at 2023-09-26T23:45:36+00:00
conditional_aces: Avoid manual parsing for ace_condition_bytes, use DATA_BLOB

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
fe835fc3 by Andrew Bartlett at 2023-09-26T23:45:36+00:00
Make blob->data pointer in ace_sid_to_claim_v1_sid() a child of the DATA_BLOB

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
03d63fb0 by Andrew Bartlett at 2023-09-26T23:45:36+00:00
libcli/security: Make failure parsing where consumed == -1 clear

This was caught by the next condition, but this is clearer.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
ab531abc by Andrew Bartlett at 2023-09-26T23:45:36+00:00
libcli/security: Check for sddl_from_conditional_ace() failure in test_sddl_conditional_ace

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
b9e90bae by Andrew Bartlett at 2023-09-26T23:45:36+00:00
conditional_aces: Avoid manual parsing for ace_condition_int

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
5f4197bf by Andrew Bartlett at 2023-09-26T23:45:36+00:00
libndr: Add support for pulling strings with LIBNDR_FLAG_STR_SIZE4|LIBNDR_FLAG_STR_NOTERM|LIBNDR_FLAG_STR_BYTESIZE

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
0ac979b2 by Andrew Bartlett at 2023-09-26T23:45:36+00:00
conditional_aces: Avoid manual parsing for ace_condition_unicode

A consequence of this is that we remove the confusing "length"
from the IDL, as it was the internal UTF8 length, not a wire
value.  We use null terminated strings internally now.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
a2e6df03 by Andrew Bartlett at 2023-09-26T23:45:36+00:00
add comment that ace_condition_composite is not representative of the wire format

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
b3f92b47 by Douglas Bagnall at 2023-09-26T23:45:36+00:00
lib/fuzzing: fuzz_sddl_parse: allow non-round-trip with long strings

There is a borderline case where a conditional ACE unicode string
becomes longer than the SDDL parser wants to handle when control
characters are given canonical escaping. This can make the round trip
fail, but it isn't really a problem.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5650b511 by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcli/security/sddl_conditional_ace: ban empty expressions in SDDL

The trouble is with expressions like "(!(()))", which boil down to a
single NOT operation with no argument, which is invalid and can't be
run or expressed as SDDL.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
310c2540 by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcl/security: conditional ACE sddl >= ops take literal parens only

You can't do things like '(a == b) == (c < d)'.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
65674cde by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcli/security: conditional ACE sddl doesn't have string escapes

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e4da279b by Douglas Bagnall at 2023-09-26T23:45:36+00:00
util/str: helper to check for utf-8 validity

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3be69fc3 by Douglas Bagnall at 2023-09-26T23:45:36+00:00
fuzzing: fuzz_sddl_parse forgives bad utf-8

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
96dbc71e by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcli/security: conditional ace sddl: do not write nested composites

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
38247d39 by Douglas Bagnall at 2023-09-26T23:45:36+00:00
libcli/security: conditional ace sddl: do not read nested composites

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3b6c1f1a by Douglas Bagnall at 2023-09-27T00:41:26+00:00
libcli/security: conditional ACE recursive composites are not supported

We can't add them via SDDL on Windows, and they aren't useful for
claims.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Sep 27 00:41:26 UTC 2023 on atb-devel-224

- - - - -
c9aab312 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Add header guard

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
40c5ed60 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Use correct union member

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f5568a0a by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Remove bool_value member

‘bool_value’ has the same type as ‘uint_value’. Removing the former
avoids our having more duplicate code than is strictly necessary.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
48606c8a by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Const‐qualify function parameters

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a4010c9b by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Add some missing declarations

so that users of this header file don’t have to declare them.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f035985d by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Add function to convert token claims to security attribute claims

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9cb3beee by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Emit error message if program is too large

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c0795c80 by Joseph Sutton at 2023-09-27T02:43:28+00:00
tests/krb5: Match filter after transforming test name

If you just want to rerun a single test that failed, this removes the
need to successfully guess its untransformed name.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
26ff87dc by Joseph Sutton at 2023-09-27T02:43:28+00:00
python:tests: Fix invalid escape sequences

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cdbb5ab7 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli:security: Add SELF SID constant

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2782df62 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli:security: Use SELF SID constant

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
214f6c64 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli:security: Correct Asserted Identity SID definitions

These definitions were the wrong way round.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dcca6bba by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:dsdb: Use NULL SID constant

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
89985f6f by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:kdc: Use Asserted Identity SID constants

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
56def24b by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli:security: Add Compounded Authentication and Claims Valid SID constants

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b1b7d33b by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:kdc: Use Compounded Authentication and Claims Valid SID constants

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e6bb3a34 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:auth: Use Anonymous and System SID constants

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4405e709 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:dsdb: Use Builtin SID constant

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4bef3fd7 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:ntvfs: Use World and System SID constants

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8b496331 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:rpc_server: Use Builtin SID constant

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dc731603 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:torture: Use SID constants

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c94db7d2 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:auth: Correct error message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
37a32d3b by Joseph Sutton at 2023-09-27T02:43:28+00:00
python:tests: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
21f765c1 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Remove unused macro

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e1a45ec3 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Remove unused flag SDDL_FLAG_EXPECTING_END

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
55e198fc by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Remove unused flag SDDL_FLAG_IS_ATTR

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8d4f60c8 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Remove unused flag SDDL_FLAG_IS_LITERAL

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a064e2f2 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Remove unused flag SDDL_FLAG_IS_FAKE_OP

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
37ed2087 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Refer to UTF‐16 code units rather than to codepoints

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ac34f48a by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Use ACL revision constants

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c755bbd6 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Fix code formatting

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
48969305 by Joseph Sutton at 2023-09-27T02:43:28+00:00
libcli/security: Test hex‐escapes that should be literals

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0bd7863e by Joseph Sutton at 2023-09-27T02:43:28+00:00
lib/krb5_wrap: Make use of smb_krb5_make_data()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
58bd2f52 by Joseph Sutton at 2023-09-27T02:43:28+00:00
lib/krb5_wrap: Simplify assignments

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2f6083f5 by Joseph Sutton at 2023-09-27T02:43:28+00:00
lib:audit_logging: Initialize ‘tm’ structure

‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
31c7d7cf by Joseph Sutton at 2023-09-27T02:43:28+00:00
s3:lib: Initialize ‘tm’ structure

‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
955fd832 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s3:modules: Initialize ‘tm’ structure

‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
67f3fead by Joseph Sutton at 2023-09-27T02:43:28+00:00
s3:passdb: Initialize ‘tm’ structure

‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c278a1d3 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s3:rpc_server: Initialize ‘tm’ structure

‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8ce4e372 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s3:smbd: Initialize ‘tm’ structure

‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bdf0e1be by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:kdc: Initialize ‘tm’ structure

‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9bd9b9bf by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:kdc: Fix ldb_msg_find_krb5time_ldap_time()

strptime() will fail to parse the LDAP ‘whenCreated’ time string,
because the format string is wrong: it will expect to get a time like
“20230920043849Z”, but the time string seems to be actually formatted
“20230920043849.0Z” — like a GeneralizedTime.

Fix this by delegating to ldb_val_to_time().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a2700cf6 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:torture: Initialize ‘tm’ structure

‘tm’ must be initialized prior to calling strptime().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
842f845c by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:auth: Make returning resource groups the last thing we do

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
219ee05d by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:auth: Introduce helper variable ‘resource_groups_in’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0a9f2486 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:auth: Return a talloc‐allocated resource groups structure

Future callers will rely on resource_groups_out being talloc‐allocated.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ab227bbe by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:auth: Fix ‘user_info_dc_out’ leak

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5e164cc2 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:kdc: Move encode_claims_set() into the auth_session subsystem

Some functions in the auth_session subsystem will need to be able to
call encode_claims_set(). Moving said function lets them do that whilst
avoiding circular dependencies and additional public dependencies.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
58aa8d99 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:auth: Include missing headers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4839adf9 by Joseph Sutton at 2023-09-27T02:43:28+00:00
s4:auth: Add functions to convert between different claims formats

The new ‘claims_data’ structure can store claims in three different
representations — as an encoded blob, as a CLAIMS_SET structure, or as a
series of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 claims. Given a set of
claims, the accompanying functions provide a way to convert them into
the desired format.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0078a330 by Joseph Sutton at 2023-09-27T02:43:28+00:00
testdata: Mark compression test data as binary

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ce43dd05 by Joseph Sutton at 2023-09-27T02:43:28+00:00
ndr: Display values for failed range checks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9914

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fb39bb19 by Joseph Sutton at 2023-09-27T02:43:28+00:00
pidl: Use portable format specifiers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
267464f6 by Joseph Sutton at 2023-09-27T02:43:28+00:00
librpc/ndr: Use portable format specifiers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
acc614f2 by Joseph Sutton at 2023-09-27T02:43:28+00:00
librpc: Use portable format specifiers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
464d86ca by Joseph Sutton at 2023-09-27T02:43:28+00:00
pidl: Use INT_MAX as enum constant for portability

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c8b90d8d by Joseph Sutton at 2023-09-27T03:38:00+00:00
librpc: Fix typos in error messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Sep 27 03:38:00 UTC 2023 on atb-devel-224

- - - - -
ad76bb2e by MikeLiu at 2023-09-27T08:42:25+00:00
streams_depot: Goto done if FSETXATTR SAMBA_XATTR_MARKER failed

Goto done if FSETXATTR SAMBA_XATTR_MARKER failed

Signed-off-by: MikeLiu <mikeliu at qnap.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Sep 27 08:42:25 UTC 2023 on atb-devel-224

- - - - -
c33ce174 by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Sort imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
939a74e3 by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Allow variation in PADATA_PW_SALT

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
60e479d8 by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Allow filter for tests that crash Windows

Set CRASH_WINDOWS=0 when running against a Windows DC.  These crashes are
only possible because we can modify the PAC, but having these tests allows
us to lock down Samba behaviour, so we include them.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d054f583 by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Allow multiple ticket modification functions

This means that callers can specify a stack of possible modifications.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dfd2027d by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Don’t bother regenerating the PAC if modify_pac_fn or update_pac_checksums are false

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d6ec0e4f by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Allow passing mapping=None to map_to_sid()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
34e72103 by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Make set_pac_sids() parameters keyword‐only

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9fb0380c by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Make optional ‘user_rid’ parameter to set_pac_sids()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cc1dd00d by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Make optional ‘domain_sid’ parameter to set_pac_sids()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2d0bdb5c by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Have set_pac_sids() accept lone RIDs as well as full SIDs

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6f5368dd by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Add method to replace the device SIDs in a PAC

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0e7e46c3 by Joseph Sutton at 2023-09-28T03:33:38+00:00
tests/krb5: Add method to replace client or device claims in a PAC

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
08b9d5c7 by Joseph Sutton at 2023-09-28T04:35:05+00:00
tests/krb5: Add samba.tests.krb5.conditional_ace_tests

This is a test using conditional ACEs and claims to confirm that we understand
the full end-to-end network behaviour of these all the way from the PAC to the
application in the access check of the KDC.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 28 04:35:05 UTC 2023 on atb-devel-224

- - - - -
7f4db710 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: tests: avoid the need to create a random command in GetSamDB

Also the code that looks over kwargs is somewhat confusing and unnecessary.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f9d406dc by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: tests: bugfix: argument -U was already in creds so listed twice

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
71c191ca by Rob van der Linde at 2023-09-29T02:18:34+00:00
python: tests: implement setUpTestData overridable class method

On Python 3.6 and 3.7 the addClassCleanup method needs to be implemented, and tearDownClass must be called by setUpClass if any exception is raised.

On Python 3.8 and higher, unittest already calls tearDownClass, even if it raises an exception in setUpClass.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
16c19c47 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: tests: make _run a classmethod in SambaToolCmdTest

So that it can be called from setUpClass as well

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
91fa5088 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: tests: tests tidyup and make use of setUpTestData

Still only load the test data once per test class, but much easier to read.

Made several methods static for creating/deleting claims, policies and silos.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f1d5f93f by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: tests: test that create objects make use of addCleanup

Since the samdb connection is on the class and hangs around between tests, we need to clean up what we created.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c01e9431 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: tests: modify claim cli tests setup their own test data

Initially the test data was created in setUp, but it was moved to setUpClass.

The problem with this is tests modifying objects, which could affect the next test.

Create all required data in the test itself for clarity (and also is faster)

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2a333554 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: tests: modify auth policy cli tests setup their own test data

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
27cd5982 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: tests: modify auth silo cli tests setup their own test data

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
950a70a1 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: models: field to_db_value needs ldb param

Required by SDDL field type added in next commit

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
83d321e7 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: models: add FieldError subclass which stores the field

This is so that errors on the CLI show the field name

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1325e013 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: models: add SDDL model field

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
385029fb by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: models: add SDDL fields to AuthenticationPolicy model

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
645b7734 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: auth: add new SDDL fields to create and modify auth policy commands

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
12a98ab4 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: tests: add some tests for valid and invalid SDDL in cli commands

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6af1a717 by Rob van der Linde at 2023-09-29T02:18:34+00:00
netcmd: auth: manpage documentation for conditional ace fields

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
272f26e3 by Douglas Bagnall at 2023-09-29T02:18:34+00:00
libcli/security: conditional ACEs check again for NULL/empty claims

CID 1545152.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b2107889 by Douglas Bagnall at 2023-09-29T02:18:34+00:00
libcli/security: test_run_condtional_ace: va_end() on errors

CID 1545154, CID 1545155.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5ff80465 by Douglas Bagnall at 2023-09-29T02:18:34+00:00
libcli/security: fix talloc context for integer values (CID 1545156)

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
90ba53ee by Kacper at 2023-09-29T03:15:18+00:00
samba-tool: Fix for gpo restore not working without --tmpdir

cmd_restore depends on cmd_create but the latter cleans up
required temp files for cmd_restore to function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15462

RN: Fix for gpo restore not working without --tmpdir

Signed-off-by: Kacper Boström <kacper at kacper.se>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Sep 29 03:15:18 UTC 2023 on atb-devel-224

- - - - -
e961783a by Joseph Sutton at 2023-10-01T22:45:38+00:00
lib:compression: Fix building with FORTIFY_SOURCE=2

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
50c208fc by Joseph Sutton at 2023-10-01T22:45:38+00:00
lib/ldb-samba: Fix building with FORTIFY_SOURCE=2

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a77b90d8 by Joseph Sutton at 2023-10-01T22:45:38+00:00
ldb: Fix building with FORTIFY_SOURCE=2

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1f92b5f1 by Joseph Sutton at 2023-10-01T22:45:38+00:00
lib/util: Fix building with FORTIFY_SOURCE=2

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
184a48d6 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s3:libads: Don’t do first loop iteration if ‘attr’ is NULL

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
10726fb3 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s3:libads: Fix building with FORTIFY_SOURCE=2

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b33a486e by Joseph Sutton at 2023-10-01T22:45:38+00:00
s3:rpc_server: Fix building with FORTIFY_SOURCE=2

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c3eaa285 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s3:smbd: Fix building with FORTIFY_SOURCE=2

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c2f55b06 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:ntvfs: Fix building with FORTIFY_SOURCE=2

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bc680b6f by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:torture: Fix building with FORTIFY_SOURCE=2

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9ecd17c8 by Joseph Sutton at 2023-10-01T22:45:38+00:00
libcli/security: Conform to Samba’s brace style

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e4d45d41 by Joseph Sutton at 2023-10-01T22:45:38+00:00
libcli/security: Parenthesize macro parameter

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4437eb14 by Joseph Sutton at 2023-10-01T22:45:38+00:00
libcli/security: Have security_ace_equal() handle callback and resource ACEs

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bbb259e1 by Joseph Sutton at 2023-10-01T22:45:38+00:00
libcli/security: Handle new ACE types with sec_ace_object()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d30a6124 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:auth: Ensure that some parameters are not NULL

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
da202eb2 by Joseph Sutton at 2023-10-01T22:45:38+00:00
lib:krb5_wrap: Include missing headers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fff9b71b by Joseph Sutton at 2023-10-01T22:45:38+00:00
.gitattributes: Mark large data file as binary

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
452aeb21 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Prefer explicit initialization to ZERO_STRUCTP()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
af22a655 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Check that principal being copied is not NULL

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
75875322 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Remove unnecessary assignments

These structures have been zero‐initialized already.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c45a24cc by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Initialize pointer to NULL

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
26e40717 by Joseph Sutton at 2023-10-01T22:45:38+00:00
ndr: Parenthesize expressions to be cast

We must parenthesize each expression that is to be cast to a specific
type, otherwise the cast will apply to only part of the full expression.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9914

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
773c36ba by Joseph Sutton at 2023-10-01T22:45:38+00:00
pidl: Parenthesize expression to be cast

We must parenthesize each expression that is to be cast to a specific
type, otherwise the cast will apply to only part of the full expression.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9914

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c829dd1b by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:dsdb: Add parameters for claims and device SIDs to security_token_create()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a621e9ab by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:dsdb: Add session info flag to indicate authentication with a device

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4f0ba2b0 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:auth: Rename parameter to match function implementation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a2b6c219 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:auth: Reformat function calls

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a3a489fa by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Reformat function call

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8a5921d9 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:auth: Add parameters for claims and device info to auth_generate_security_token()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
54cd7f4f by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Add parameters for claims and device info to authn_policy_access_check()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3ae75998 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Add claims parameter to authn_policy_authenticate_from_device()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2f9d2ff8 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Add parameters for claims and device info to authn_policy_authenticate_to_service()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
41527cfa by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Remove unused memory context from samba_kdc_lookup_realm()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e0a3dd54 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_get_user_info_dc()

It was never used.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cfeb3d75 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID

samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.

By extracting the call to samba_kdc_add_claims_valid() into the former
function’s callers, we’ll be able to remove the ‘claims_valid’ parameter
in the next commit, reducing the function’s complexity.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f250a24e by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_get_user_info_dc()

It was not used.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3c480886 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add an Asserted Identity SID

samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.

By extracting the call to samba_kdc_add_asserted_identity() into the
former function’s callers, we’ll be able to remove the
‘asserted_identity’ parameter in the next commit, reducing the
function’s complexity.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
68dc69d8 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Remove ‘asserted_identity’ parameter from samba_kdc_get_user_info_dc()

It was not used.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
eba1ab0c by Joseph Sutton at 2023-10-01T22:45:38+00:00
tests/krb5: Initialize variable

This avoids the following exception:

Exception: Traceback (most recent call last):
  File "/samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 2500, in test_renew_pac_request_false
    tgt = self._modify_tgt(tgt, renewable=True)
  File "samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 3014, in _modify_tgt
    return self.modified_ticket(
  File "/samba/bin/python/samba/tests/krb5/raw_testcase.py", line 5694, in modified_ticket
    auth_data, new_pac,
UnboundLocalError: local variable 'new_pac' referenced before assignment

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
849ee959 by Joseph Sutton at 2023-10-01T22:45:38+00:00
tests/krb5: Add method to perform an armored AS‐REQ

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
989fb009 by Joseph Sutton at 2023-10-01T22:45:38+00:00
tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3358b04a by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Remove device PAC validation

In the first place, this check was only applicable to the Heimdal KDC,
the MIT KDC not having support for compounded authentication. Secondly,
it was redundant, because _kdc_fast_check_armor_pac() would have already
been called to verify the armor ticket; a second round of validation
achieved nothing. And finally, the check was flawed: it checked only
*explicitly* armored PACs, and so would have done nothing for an armored
*AS‐REQ*.

In short, this check was useless; remove it.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
321e0ed6 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Remove unused parameters from samba_kdc_verify_pac()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
46c08652 by Joseph Sutton at 2023-10-01T22:45:38+00:00
tests/krb5: Add Device Restriction tests for silos and authentication policies in the KDC

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0633e78b by Joseph Sutton at 2023-10-01T22:45:38+00:00
third_party/heimdal_build: Define HAVE_KRB5_PAC_IS_TRUSTED when using embedded Heimdal

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1c456912 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Add ‘samba_kdc_entry_pac’ wrapper type

With embedded Heimdal, we can mark a PAC as being trusted (i.e. not
issued by an RODC). This is convenient, as it saves us needing to carry
that information in flags, hoping it isn’t inadvertently lost.

System Heimdal and MIT Kerberos, however, don’t provide a way to mark a
PAC trusted. So we add a new wrapper type, ‘samba_kdc_entry_pac’, that
contains this extra information if ‘krb5_const_pac’ doesn’t contain it
already. As it also stores a pointer to the client entry, the
structure’s lifetime must therefore be carefully managed. Finally, it
keeps track of whether the PAC came across a trust, to know which is
useful in some circumstances.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
45e8e197 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Remove unused declaration

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1ea4b271 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Fix indentation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
79b33eea by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Add function to determine whether a KDC entry represents a trust

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bad7a3fc by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Add function to get device PAC entry from Heimdal request structure

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
77b35c42 by Joseph Sutton at 2023-10-01T22:45:38+00:00
s4:kdc: Make use of ‘samba_kdc_entry_pac’ wrapper type

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7b6c1735 by Joseph Sutton at 2023-10-01T23:46:44+00:00
tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
Autobuild-Date(master): Sun Oct  1 23:46:44 UTC 2023 on atb-devel-224

- - - - -
749bc568 by Martin Schwenke at 2023-10-03T03:53:35+00:00
ctdb-doc: Update CTDB manual pages to UTF-8

This will allow Unicode characters to be used, resulting in more
readable source files.

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

- - - - -
7c468d9d by Martin Schwenke at 2023-10-03T03:53:35+00:00
ctdb-doc: Add some subsection names in description

A subsequent commit will add a new section, which looks out of place
without these new sections.

Best reviewed with "git show -w".

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

- - - - -
4981984d by Martin Schwenke at 2023-10-03T03:53:35+00:00
ctdb-scripts: Avoid errors for uninitialised counters

Uninitialised counters are treated as 0, but still produce an error.

The redirect to stderr needs to come before the redirect for a missing
counter file.

The seemingly saner alternative of moving it outside the subshell
works when dash is /bin/sh (e.g. on Debian) but does not work when
bash is /bin/sh (e.g. on Fedora).

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

- - - - -
8303c3a5 by Martin Schwenke at 2023-10-03T03:53:35+00:00
ctdb-scripts: Implement failcount handling with thresholds

This can be used for simple failure counting, without restarts, as
used in the 40.vsftpd event script.  That case will subsequently be
converted and this functionality can also be used elsewhere.

Add documentation to ctdb-script.options(5) to allow parameters that
use this to be more easily described.

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

- - - - -
3ee348a9 by Martin Schwenke at 2023-10-03T04:53:38+00:00
ctdb-scripts: Convert 40.vsftpd to use threshold-based fail counting

This effectively provides simple testing for the threshold-based
approach.

Add new script option CTDB_VSFTPD_MONITOR_THRESHOLDS.

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Tue Oct  3 04:53:38 UTC 2023 on atb-devel-224

- - - - -
52c3edb2 by Volker Lendecke at 2023-10-04T20:31:36+00:00
tests: We always do smb3 unix extensions

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
078db302 by Volker Lendecke at 2023-10-04T20:31:36+00:00
tests: Run smb3unix tests with SMB1

We want to create native FIFOs with smb1 extensions

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
7f1ee32a by Volker Lendecke at 2023-10-04T20:31:36+00:00
pylibsmb: Py_BuildValue can build tuples directly

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
6f91cce1 by Volker Lendecke at 2023-10-04T20:31:36+00:00
libsmb: Allow NULL print_name in reparse_data_buffer_marshall()

read_symlink_reparse() does this.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
8107aafb by Volker Lendecke at 2023-10-04T20:31:36+00:00
idl: Add smb3posix.idl

Let PIDL take care of encoding SMB2_FILE_POSIX_INFORMATION. This way
we also get parsing.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
6874ed6a by Volker Lendecke at 2023-10-04T20:31:36+00:00
smbd: Use smb3posix marshalling in smbd_smb2_create_after_exec()

Signed-off-by: Volker Lendecke <vl at samba.org>

- - - - -
36fd98a5 by Volker Lendecke at 2023-10-04T20:31:36+00:00
smbd: Add smb3_file_posix_information_init()

Copy the logic from store_smb2_posix_info() to allow use of
ndr_push_smb3_file_posix_information().

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a8593ad3 by Volker Lendecke at 2023-10-04T20:31:36+00:00
smbd: Modernize a DEBUG statement

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
b573e1da by Volker Lendecke at 2023-10-04T20:31:36+00:00
smbd: Use smb3posix marshalling in smbd_marshall_dir_entry()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
2d6c643e by Volker Lendecke at 2023-10-04T20:31:36+00:00
smbd: Use smb3posix marshalling in smbd_do_qfilepathinfo()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
7b865702 by Volker Lendecke at 2023-10-04T20:31:36+00:00
smbd: Remove unused marshalling of smb3posix file information

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
82a12f7a by Volker Lendecke at 2023-10-04T20:31:36+00:00
libndr: Factor out ndr_pull_struct_blob_noalloc()

smb3_file_posix_information is variable length with something behind.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
cb166028 by Volker Lendecke at 2023-10-04T20:31:36+00:00
libsmb: Pass NTTIME to interpret_long_date()

Separate concerns of conversion and pulling off the wire. Needed soon
for smb311 pidl generated parsing.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
cb89ea70 by Volker Lendecke at 2023-10-04T21:26:20+00:00
libsmb: Use pidl generated parsing for posix file info

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Oct  4 21:26:20 UTC 2023 on atb-devel-224

- - - - -
4b376fff by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Pass "struct vfs_open_how" to reopen_from_procfd()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
7996c07b by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Pass "struct vfs_open_how" to fd_open_atomic()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
2a53fdeb by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Pass "struct vfs_open_how" to reopen_from_fsp()

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
236df26a by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Slightly simplify open_file()

Replace "truncating" variable reference with what it was defined
as. We use "(flags & O_TRUNC)" a few lines above, so it can't be that
bad.

After we set it to "false" further down, it was never used again.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
3f4c937d by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Remove variable "accmode" from open_file()

We directly look at the flags in many other places in this function,
so do this also for O_ACCMODE for clarity.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
ad7b119b by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Don't change incoming flags in open_file()

This will be part of a const struct vfs_open_how soon. Further down in
this function we don't look at O_CREAT or O_EXCL of "flags" anymore
anyway.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
45005d4b by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Simplify open_file()

We can unconditionally just and-out O_CREAT from local_flags, so
remove an if-condition.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
df78af98 by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Simplify an if-condition in open_file()

We use the plain (flags&O_TRUNC) a few lines above, make the
if-condition a bit more readable.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
f8645c7a by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Simplify open_file()

We handle O_TRUNC further down anyway by passing local_flags&~O_TRUNC to
reopen_from_fsp(). No need for this FIFO special case.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
814b37bd by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Simplify open_file()

We have extracted FSP_POSIX_FLAGS_PATHNAMES above.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
884b9926 by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Simplify open_file()

Simplify an if-condition:

We have to return NT_STATUS_OBJECT_NAME_INVALID even if we're not
creating. In fact, we probably should not end up in open_file() if
we're opening a Windows file with a wildcard.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
6ec031b2 by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Make open_file() a bit safer

Move adding O_RDWR before the check for read only shares. I haven't
been able to pass this condition through SMB, but in any case we
should not accidentally open with O_RDWR in the !CAN_WRITE(conn)
case.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
7c356769 by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Remove "local_flags" from open_file()

This needs close review. I could not see where we were actually
referencing the original flags in a way that would not be available in
local_flags. The reason for this patch is that I want to pass in
vfs_open_how into open_file(), and the distinction between flags and
local_flags made this significantly harder to understand for me.

The only place where we really used both versions is the DBG_NOTICE in
the last hunk, and this will come back in the next patch.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
02d9321c by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Pass struct vfs_open_how to open_file()

We want to pass BACKUP_INTENT down into reopen_from_fsp, and the
elegant way is to do this via vfs_open_how.resolve.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
f701faf6 by Volker Lendecke at 2023-10-05T12:58:33+00:00
smbd: Remove "flags2" from open_file_ntcreate()

"flags" carried just the O_ACCMODE bits, "flags2" everything
else. Unify them.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
d1846452 by Volker Lendecke at 2023-10-05T14:00:33+00:00
vfs: Add VFS_OPEN_HOW_WITH_BACKUP_INTENT

Indicate BACKUP_INTENT to vfs_openat(). Why? I have a customer request
who wants to add O_NOATIME in this case to avoid metadata updates when
a backup or virus-checking application comes along.

This does not fully handle BACKUP_INTENT correctly, this would require
become_root() appropriately. We might want to do that later after a
lot of careful security audit, but this patch independently might
already provide some infrastructure for it.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Thu Oct  5 14:00:33 UTC 2023 on atb-devel-224

- - - - -
8128800c by Michael Tokarev at 2023-10-06T16:14:48+03:00
debian/libldb2.symbols: update

- - - - -
fa5d14d6 by Michael Tokarev at 2023-10-06T16:14:48+03:00
d/control: samba-libs: depend on libldb of the same version

Since libldb ABI is incorrectly versioned resulting in breakage
like #1021371, just require libldb version of the same build.
https://lists.samba.org/archive/samba-technical/2023-September/138422.html

Also, since we changed symbol versioning in the previous commit,
add Breaks: samba-libs << 4.19 by libldb2.

- - - - -
5dbc8ed2 by Michael Tokarev at 2023-10-06T16:14:48+03:00
d/control: disable ceph (libcephfs-dev, librados-dev) on 32bit architectures (#1053202)

- - - - -
127486af by Michael Tokarev at 2023-10-06T16:14:48+03:00
d/control: enable rados on riscv64 once it's available there

- - - - -
0ffd9d8b by Michael Tokarev at 2023-10-06T16:14:48+03:00
d/control: bump mit-krb5 build-dep (on mitkrb5 profile) to 1.20

- - - - -
d3089f73 by Michael Tokarev at 2023-10-06T16:14:48+03:00
remove debconf questions and wins dhcp hooks

WINS is netbios which is not used in modern windows.
Other debconf questions which were there make no
sense these days too.

smb.conf file should be edited manually in almost
all cases anyway, and asking only about workgroup
(which is not very useful by itself already) is not
a good idea, we should either ask about much more
other things too or not ask at all.

Just drop all this.

- - - - -
5dab2cfd by Jeremy Allison at 2023-10-08T22:05:34+02:00
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.

For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
45d58453 by Jeremy Allison at 2023-10-08T22:05:34+02:00
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.

The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

Add the knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
f17abf9c by Jeremy Allison at 2023-10-08T22:05:34+02:00
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.

We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
2ff6cbcd by Ralph Boehme at 2023-10-08T22:05:54+02:00
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
6b6495c7 by Ralph Boehme at 2023-10-08T22:05:54+02:00
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
05c370c4 by Andreas Schneider at 2023-10-08T22:06:12+02:00
CVE-2023-4154 s4:dsdb:tests: Fix code spelling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)

- - - - -
937e50b1 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice

To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c284a922 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()

This helps ensure this test is reliable even in spite of errors while
running.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e46a30aa by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start

Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e9cbf161 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1eca806c by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once

When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f70bdb46 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour

SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication.  Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
56c13448 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests

The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
72248a51 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY

This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5eeba465 by Andrew Bartlett at 2023-10-08T22:06:35+02:00
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
88542d6d by Andrew Bartlett at 2023-10-08T22:06:35+02:00
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC

The rpcecho server in source3 does have the same sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact.  However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
06a434bc by Andrew Bartlett at 2023-10-08T22:06:59+02:00
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the suppression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3e6d7e10 by Andrew Bartlett at 2023-10-08T22:06:59+02:00
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.

This means that any duplicates will be noticed early not just
in a race condition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cb9c3524 by Jule Anger at 2023-10-09T22:14:05+02:00
VERSION: Bump version up to Samba 4.19.1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>
(cherry picked from commit a8c5fe34b639f72c045bc0500d0c053842327556)

- - - - -
67c67785 by Jeremy Allison at 2023-10-09T22:14:05+02:00
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.

For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
44d59c38 by Jeremy Allison at 2023-10-09T22:14:05+02:00
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.

The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

Add the knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
456a758f by Jeremy Allison at 2023-10-09T22:14:05+02:00
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.

We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
2761477b by Ralph Boehme at 2023-10-09T22:14:05+02:00
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
9cd1ad18 by Ralph Boehme at 2023-10-09T22:14:05+02:00
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
52c633af by Andreas Schneider at 2023-10-09T22:14:05+02:00
CVE-2023-4154 s4:dsdb:tests: Fix code spelling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)

- - - - -
c04ec1a2 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice

To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b398d8af by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()

This helps ensure this test is reliable even in spite of errors while
running.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ad11a871 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start

Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f7d30cf9 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
93424793 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once

When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c443a222 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour

SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication.  Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b55e2c32 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests

The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1b321f44 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY

This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5609c68a by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2cb41dd7 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC

The rpcecho server in source3 does have the same sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact.  However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
338021c7 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the suppression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
81b816c6 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.

This means that any duplicates will be noticed early not just
in a race condition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f72ef19c by Volker Lendecke at 2023-10-10T08:19:29+00:00
libsmb: Add "flags" to cli_smb2_close_fnum_send()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
c4047443 by Volker Lendecke at 2023-10-10T08:19:29+00:00
libsmb: Pass "flags" through cli_close_send() and pylibsmb

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
340f0420 by Volker Lendecke at 2023-10-10T08:19:29+00:00
pylibsmb: Add SMB2_CLOSE_FLAGS_FULL_INFORMATION constant

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
23deb79a by Volker Lendecke at 2023-10-10T08:19:29+00:00
tests: Add reproducer for bug 15487

Show that smbd crashes if asked to return full information on close of a
stream handle with delete on close disposition set.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a4bdbfef by Jule Anger at 2023-10-10T11:04:03+02:00
WHATSNEW: Add release notes for Samba 4.19.1.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
d9e90993 by Jule Anger at 2023-10-10T11:04:49+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.19.1 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
633a3ee6 by Ralph Boehme at 2023-10-10T09:39:27+00:00
s3: smbd: Ignore fstat() error on deleted stream in fd_close().

In the fd_close() fsp->fsp_flags.fstat_before_close code path.

If this is a stream and delete-on-close was set, the
backing object (an xattr from streams_xattr) might
already be deleted so fstat() fails with
NT_STATUS_NOT_FOUND. So if fsp refers to a stream we
ignore the error and only bail for normal files where
an fstat() should still work. NB. We cannot use
fsp_is_alternate_stream(fsp) for this as the base_fsp
has already been closed at this point and so the value
fsp_is_alternate_stream() checks for is already NULL.

Remove knownfail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Oct 10 09:39:27 UTC 2023 on atb-devel-224

- - - - -
58ec8009 by Volker Lendecke at 2023-10-10T13:14:31+00:00
ctdb: Fix whitespace

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
ce3243d7 by Volker Lendecke at 2023-10-10T13:14:31+00:00
ctdb: Reduce indentation in get_tunable_values()

Use an early return tvals; review with "git sh -b".

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
23ccb1c0 by Volker Lendecke at 2023-10-10T13:14:31+00:00
ctdb: Align variable signedness

ipalloc_state->num_nodes is uint32_t
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
ea9cbbd8 by Volker Lendecke at 2023-10-10T13:14:31+00:00
ctdb: setup $CTDB_BASE for deterministic ip alloc tests

ipalloc_deterministic() will require it in the next patch

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
a6b66661 by Volker Lendecke at 2023-10-10T14:17:19+00:00
ctdb: Add "home_nodes" file to deterministic IP allocation

With a file "home_nodes" next to "public_addresses" you can assign
public IPs to specific nodes when using the deterministic allocation
algorithm. Whenever the "home node" is up, the IP address will be
assigned to that node, independent of any other deterministic
calculation. The line

192.168.21.254 2

in the file "home_nodes" assigns the IP address to node 2. Only when
node 2 is not able to host IP addresses, 192.168.21.254 undergoes the
normal deterministic IP allocation algorithm.

Signed-off-by: Volker Lendecke <vl at samba.org>

add home_nodes
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue Oct 10 14:17:19 UTC 2023 on atb-devel-224

- - - - -
ae476e1c by Jeremy Allison at 2023-10-10T14:49:39+00:00
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.

For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
c39f90a1 by Jeremy Allison at 2023-10-10T14:49:39+00:00
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.

The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

Add the knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
5ed25efb by Jeremy Allison at 2023-10-10T14:49:39+00:00
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.

We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra at samba.org>
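
The three CVE-2023-3961 commit messages above describe pipe names with UNIX separators reaching the UNIX domain socket code and the final behaviour of returning ENOENT. The following added example is not Samba's code and is not taken from these commits; it is a minimal sketch of that class of check, with a hypothetical function name `pipe_socket_path()` and a constructed directory path.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/un.h>

/*
 * Hypothetical helper (not a Samba function): build
 * "<socket_dir>/<pipe_name>" for a UNIX domain socket connect.
 *
 * Returns 0 on success, -ENOENT for a name that could resolve outside
 * socket_dir, -ENAMETOOLONG if the result does not fit in out or in
 * sockaddr_un.sun_path, -EINVAL on NULL arguments.
 */
int pipe_socket_path(const char *socket_dir, const char *pipe_name,
		     char *out, size_t outlen)
{
	int n;

	if (socket_dir == NULL || pipe_name == NULL || out == NULL) {
		return -EINVAL;
	}
	/* An empty name would address the directory itself. */
	if (pipe_name[0] == '\0') {
		return -ENOENT;
	}
	/* Any UNIX separator lets the name select another directory. */
	if (strchr(pipe_name, '/') != NULL) {
		return -ENOENT;
	}
	/*
	 * Without separators, "." and ".." are the only remaining names
	 * that do not refer to an entry inside socket_dir.
	 */
	if (strcmp(pipe_name, ".") == 0 || strcmp(pipe_name, "..") == 0) {
		return -ENOENT;
	}
	n = snprintf(out, outlen, "%s/%s", socket_dir, pipe_name);
	if (n < 0 || (size_t)n >= outlen ||
	    (size_t)n >= sizeof(((struct sockaddr_un *)0)->sun_path)) {
		return -ENAMETOOLONG;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample inputs; the directory is a placeholder. */
	const char *names[] = { "srvsvc", "../outside", "a/b", ".." };
	char path[256];
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		int rc = pipe_socket_path("/run/example/np", names[i],
					  path, sizeof(path));
		printf("%-12s -> %d %s\n", names[i], rc, rc == 0 ? path : "");
	}
	return 0;
}
```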

- - - - -
b1fd6569 by Ralph Boehme at 2023-10-10T14:49:39+00:00
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
b70f4f86 by Ralph Boehme at 2023-10-10T14:49:39+00:00
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>
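
The CVE-2023-4091 commit message above describes an access check made against the client's requested mask while the open itself runs with a mask that has FILE_WRITE_DATA added for overwrite dispositions. The following added example is a simplified model of that mismatch, not Samba's code: `model_file`, `model_open()` and `check_mode` are hypothetical names, and only the mask bits and disposition values are the standard SMB/NT constants.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard NT access-mask bits and create dispositions. */
#define FILE_READ_DATA    0x00000001u
#define FILE_WRITE_DATA   0x00000002u
#define FILE_OPEN         1u
#define FILE_OVERWRITE    4u
#define FILE_OVERWRITE_IF 5u

/* Hypothetical stand-in for an existing file. */
struct model_file {
	uint32_t granted; /* rights the security descriptor gives the caller */
	uint64_t size;    /* current length in bytes */
};

enum check_mode {
	CHECK_REQUESTED_MASK, /* behaviour the commit message describes as the bug */
	CHECK_EFFECTIVE_MASK  /* check the mask the open really uses */
};

/* Every wanted bit must be present in the granted set. */
static bool access_allowed(uint32_t granted, uint32_t wanted)
{
	return (wanted & ~granted) == 0;
}

/* Returns true if the open succeeds; truncates on overwrite dispositions. */
bool model_open(struct model_file *f, uint32_t access_mask,
		uint32_t disposition, enum check_mode mode)
{
	uint32_t open_access_mask = access_mask;
	bool truncate = (disposition == FILE_OVERWRITE ||
			 disposition == FILE_OVERWRITE_IF);
	uint32_t checked;

	/* Overwrite implies writing data, so the effective mask grows. */
	if (truncate) {
		open_access_mask |= FILE_WRITE_DATA;
	}

	checked = (mode == CHECK_EFFECTIVE_MASK) ? open_access_mask
						 : access_mask;
	if (!access_allowed(f->granted, checked)) {
		return false; /* access denied, file untouched */
	}
	if (truncate) {
		f->size = 0;
	}
	return true;
}

int main(void)
{
	/* Constructed case: caller has read-only access to a 4096-byte file. */
	struct model_file a = { FILE_READ_DATA, 4096 };
	struct model_file b = { FILE_READ_DATA, 4096 };
	bool ra = model_open(&a, FILE_READ_DATA, FILE_OVERWRITE_IF,
			     CHECK_REQUESTED_MASK);
	bool rb = model_open(&b, FILE_READ_DATA, FILE_OVERWRITE_IF,
			     CHECK_EFFECTIVE_MASK);

	printf("requested-mask check: opened=%d size=%llu\n",
	       ra, (unsigned long long)a.size);
	printf("effective-mask check: opened=%d size=%llu\n",
	       rb, (unsigned long long)b.size);
	return 0;
}
```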

- - - - -
6578a65e by Andrew Bartlett at 2023-10-10T14:49:39+00:00
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice

To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
07d2b28f by Andrew Bartlett at 2023-10-10T14:49:39+00:00
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()

This helps ensure this test is reliable even in spite of errors while
running.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b644bb06 by Andrew Bartlett at 2023-10-10T14:49:39+00:00
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start

Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
76b8d3ed by Andrew Bartlett at 2023-10-10T14:49:39+00:00
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d4a71fbe by Andrew Bartlett at 2023-10-10T14:49:39+00:00
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once

When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0a79ed2c by Andrew Bartlett at 2023-10-10T14:49:39+00:00
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour

SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication.  Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d3d83a8f by Andrew Bartlett at 2023-10-10T14:49:39+00:00
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests

The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cfeb9fe5 by Andrew Bartlett at 2023-10-10T14:49:39+00:00
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY

This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3cf1beed by Andrew Bartlett at 2023-10-10T14:49:39+00:00
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a9c32f92 by Andrew Bartlett at 2023-10-10T14:49:40+00:00
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC

The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact.  However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2e87c9d8 by Andrew Bartlett at 2023-10-10T14:49:40+00:00
s4-echo: Remove the "echo" server (port 7, RFC 862) in production builds

This demonstration should never be enabled in production, if
echo service is required other software is far better positioned
to provide it.  Reflection attacks on echo are a known issue.

This is removed for consistency with the removal of rpcecho, but was
never enabled in the default smb.conf so is mostly harmless.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
11ece30a by Andrew Bartlett at 2023-10-10T14:49:40+00:00
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the suppression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8c3fc865 by Michael Tokarev at 2023-10-10T17:50:00+03:00
New upstream version 4.19.1+dfsg
- - - - -
b5d840f8 by Michael Tokarev at 2023-10-10T17:56:04+03:00
update changelog

- - - - -
8de4cbbd by Michael Tokarev at 2023-10-10T17:57:32+03:00
Update upstream source from tag 'upstream/4.19.1+dfsg'

Update to upstream version '4.19.1+dfsg'
with Debian dir 7f6270a649c15e8d64b08ba93949cf27ec9a795a
- - - - -
d9c2932a by Michael Tokarev at 2023-10-10T18:03:19+03:00
update changelog; upload version 4.19.1+dfsg-1 to unstable

- - - - -
6872b662 by Jule Anger at 2023-10-10T17:05:22+02:00
Merge tag 'samba-4.19.1' into v4-19-stable

samba: tag release samba-4.19.1

- - - - -
fe7adbfc by Jule Anger at 2023-10-10T17:46:38+02:00
Merge branch 'v4-19-stable' into v4-19-test

- - - - -
1fbf08e8 by Andrew Bartlett at 2023-10-10T15:47:04+00:00
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.

This means that any duplicates will be noticed early not just
in a race condition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Jule Anger <janger at samba.org>
Autobuild-Date(master): Tue Oct 10 15:47:04 UTC 2023 on atb-devel-224

- - - - -
6d875c29 by Jule Anger at 2023-10-10T17:56:21+02:00
VERSION: Bump version up to Samba 4.19.2...

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
32f65c8c by Michael Tokarev at 2023-10-10T19:03:23+03:00
d/rules: sync with-ceph arch list from d/control

- - - - -
fac54ae6 by Michael Tokarev at 2023-10-10T19:03:44+03:00
update changelog; upload version 4.19.1+dfsg-2 to unstable

- - - - -
964c3642 by Michael Tokarev at 2023-10-10T20:11:52+03:00
d/ctdb.install: sync ceph arch list

- - - - -
95a56bbc by Michael Tokarev at 2023-10-10T20:12:12+03:00
d/control: mention other places where ceph arch list is used

- - - - -
fc66ee05 by Michael Tokarev at 2023-10-10T20:12:47+03:00
update changelog; upload version 4.19.1+dfsg-3 to unstable

- - - - -
14705069 by Martin Schwenke at 2023-10-10T17:42:25+00:00
ctdb-daemon: Call setproctitle_init()

Commit 19c82c19c009eefe975ae95c8b709fc93f5f4c39 changed the behaviour
of prctl_set_comment() so it now calls setproctitle(3bsd) by default.

In some Linux distributions (e.g. Rocky Linux 8.8), this results in
messages like this spamming the logs:

  ctdbd: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.

Most Samba daemons seem to call setproctitle_init(), so do it here.

In the longer term CTDB should also switch to using lib/util's
process_set_title(), like the rest of Samba, for more flexible process
names.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15479

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Thu Sep 21 00:46:50 UTC 2023 on atb-devel-224

(cherry picked from commit 8b9f464420b66cebaf00654cf8b19165b301b8b6)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Tue Oct 10 17:42:25 UTC 2023 on atb-devel-224

- - - - -
9fc70e18 by Michael Tokarev at 2023-10-10T21:32:41+03:00
d/samba-common.postinst: restore installing of smb.conf using ucf

- - - - -
fa656aee by Michael Tokarev at 2023-10-10T22:33:49+03:00
update changelog; upload version 4.19.1+dfsg-4 to unstable

- - - - -
817f68e4 by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: Expand IS_DOS_* macros

To me these macros hide more than they clarify. In a lot of places we
already directly check for these flags without those macros. Unify
that.

Also, check for the dosmode bits first, lp_map_* is a bit more effort
to evaluate.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
226a7c7b by Volker Lendecke at 2023-10-10T23:23:40+00:00
libsmb: Expand IS_DOS_* macros

To me these macros hide more than they clarify.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
28295775 by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: Expand IS_DOS_ARCHIVE() macros

Together with the "dosmode | FILE_ATTRIBUTE_ARCHIVE" a line below this
is more obvious to me.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
29895176 by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: Expand IS_DOS_READONLY() macros

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
c23d336c by Volker Lendecke at 2023-10-10T23:23:40+00:00
examples: Expand IS_DOS_DIR() macros

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
b48d7a8e by Volker Lendecke at 2023-10-10T23:23:40+00:00
libsmb: Expand IS_DOS_DIR() macro

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
8cd296e4 by Volker Lendecke at 2023-10-10T23:23:40+00:00
Remove IS_DOS_*() macros

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
770f279a by Volker Lendecke at 2023-10-10T23:23:40+00:00
pdb: Slightly simplify pdb_samba_dsdb_set_trusteddom_pw()

This is easier to read to me.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
7bc1fa70 by Volker Lendecke at 2023-10-10T23:23:40+00:00
lsa_srv4: Fix a typo

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
e2e5ae1e by Volker Lendecke at 2023-10-10T23:23:40+00:00
dsdb: Slightly simplify dsdb_trust_get_incoming_passwords()

Use talloc_memdup() instead of a manual copy.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
768990ec by Volker Lendecke at 2023-10-10T23:23:40+00:00
rpc_netlogon4: Simplify dcesrv_netr_ServerAuthenticate3_helper()

Use a switch/case statement instead of an if/else chain. Easier to read
to me.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
be1cf356 by Volker Lendecke at 2023-10-10T23:23:40+00:00
rpc_server3: Remove a duplicate comment

Review with "git sh -U20"

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
446ae3f8 by Volker Lendecke at 2023-10-10T23:23:40+00:00
rpc_server3: Avoid a pointless DEBUGADD

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
0b38cd8e by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: Avoid casts in a DBG statement

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
d7f5267c by Volker Lendecke at 2023-10-10T23:23:40+00:00
libsmb: Remove unused smb2_create_blob_remove()

Trivial to re-add if needed.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
e8570f73 by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: Reduce indentation, remove a nested if-statement

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
94dcbed3 by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: Modernize two DBG statements

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
99789537 by Volker Lendecke at 2023-10-10T23:23:40+00:00
vfs: Fix a typo

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
d4a05fc1 by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
5130ade6 by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: Use SMB_VFS_FSTATAT() instead of SMB_LSTAT()

Use the dirfsp when we have it available

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a8dd943c by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: Remove a pointless NULL check

boolean short-circuiting already gives us this condition.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a77c6b59 by Volker Lendecke at 2023-10-10T23:23:40+00:00
smbd: is_in_path() deals with a NULL namelist

Don't need to check in the callers

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
1ad84c70 by Volker Lendecke at 2023-10-10T23:23:40+00:00
libcli: Convert security_token_debug_privileges() to talloc_asprintf

Reduces the number of DEBUGADD calls which leads to messed debug logs
between processes.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
09c787c3 by Volker Lendecke at 2023-10-10T23:23:40+00:00
libcli: Make security_token_debug() use just one DEBUG statement

This avoids messing up the debug logs when multiple processes are
writing into the same file.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
6071220f by Volker Lendecke at 2023-10-11T00:24:58+00:00
libcli: Make debug_unix_user_token() use just one DEBUG statement

This avoids messing up the debug logs when multiple processes are
writing into the same file.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Oct 11 00:24:58 UTC 2023 on atb-devel-224

- - - - -
94462dfa by Ralph Boehme at 2023-10-11T11:47:44+00:00
s4:torture/smb2: fix typo in acls.c

This fixes the failing samba-codecheck CI job and is not part of the functional
security fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
d60af10e by Stefan Metzmacher at 2023-10-11T11:47:44+00:00
.codespellignore: adjust in order to pass on ubuntu 22.04

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
9a3c558a by Stefan Metzmacher at 2023-10-11T11:47:44+00:00
bootstrap: install codespell, shfmt and shellcheck also on debian/ubuntu

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
10a4a977 by Stefan Metzmacher at 2023-10-11T12:52:57+00:00
gitlab-ci: run samba-codecheck on ubuntu22.04

There's no reason to run it on fedora38
and it makes sure autobuild and gitlab-ci use the same.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 11 12:52:57 UTC 2023 on atb-devel-224

- - - - -
928ce91e by Pavel Filipenský at 2023-10-11T15:37:28+00:00
s3:winbindd: Skip check_negative_conn_cache() if saf_servername == NULL

saf_servername can be NULL even after calling saf_fetch().  Avoid
calling check_negative_conn_cache() like it was before commit 0fcf0012

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
- - - - -
027332ce by Pavel Filipenský at 2023-10-11T16:42:15+00:00
s3:winbindd: Call winbind_add_failed_connection_entry() for the correct dc name

We were calling winbind_add_failed_connection_entry() for saf_servername
which is NULL.  domain->dcname should be used instead.

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Wed Oct 11 16:42:15 UTC 2023 on atb-devel-224

- - - - -
edc451ab by Michael Tokarev at 2023-10-12T14:45:10+03:00
d/samba-common.maintscript: remove obsolete /etc/dhcp/dhclient-enter-hooks.d/samba conffile (#1053780)

- - - - -
8de01c31 by Volker Lendecke at 2023-10-12T16:55:34+00:00
smbclient: Always ask for SMB311 posix in negprot

This does not mean that we're actually using it (yet). We just probe
whether the server is willing to do it.

Enable the posix cli command for smb311 posix extensions.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
77001b25 by Volker Lendecke at 2023-10-12T16:55:34+00:00
libsmb: Ask for posix semantics if requested

This is so far only for the getattr-style smb311 calls to request
case-sensitive semantics when "posix" was requested over smb311.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
214eef0f by Volker Lendecke at 2023-10-12T16:55:34+00:00
examples: Print file type as part of teststat

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
30f4129e by Volker Lendecke at 2023-10-12T16:55:34+00:00
libsmb: Add placeholder "mode" parameter to cli_qpathinfo2()

Unused so far: Patch stripped out to not clutter the real patches that
follow.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
4c44b6e1 by Volker Lendecke at 2023-10-12T16:55:34+00:00
libsmb: Query reparse tag in cli_qpathinfo2

Convert what we find to a file type

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
9e3856ec by Volker Lendecke at 2023-10-12T16:55:34+00:00
libsmb: Parse reparse tag in query_directory response

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
feb78035 by Volker Lendecke at 2023-10-12T16:55:34+00:00
libsmbclient: Add smbc_[gs]etOptionPosixExtensions()

This is an obvious part of MR2888, not used anywhere yet. It will
eventually result in us requesting SMB311 posix semantics, but for now
it will just allow to change behaviour of libsmbclient that could
break unsuspecting applications.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
6a4413c6 by Volker Lendecke at 2023-10-12T16:55:34+00:00
libsmbclient: Read the file type from the server with posix enabled

This does not really request posix extensions, but it depends on them
being activated because it changes behaviour.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
051492c1 by Volker Lendecke at 2023-10-12T16:55:34+00:00
examples: Enable posix for teststat

Show that we can properly detect non-regular files created by the
Windows NFS server. Tested manually against Windows 2022.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
4b9b7f70 by Volker Lendecke at 2023-10-12T17:51:44+00:00
libsmb: Use cli_smb2_qpathinfo_send() for SMB_QUERY_FILE_ALT_NAME_INFO

Remove one sync-only wrapper

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Ralph Böhme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Oct 12 17:51:44 UTC 2023 on atb-devel-224

- - - - -
704c71da by Joseph Sutton at 2023-10-12T23:13:32+00:00
libcli/security: Initialize conditional ACE token

If the ‘flags’ member is not initialized, we invoke undefined behaviour
when trying to push or evaluate the parsed conditional ACE.

One way this issue can manifest is in the mysterious failure of Unicode
comparisons owing to the CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE
flag being set when it shouldn’t.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a7323d70 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_from_db() to ‘entry’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f03b14f8 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename ‘user_info_dc’ parameter of samba_kdc_get_user_info_from_db() to ‘info_out’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9c464743 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_dc() to ‘entry’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ce7c543f by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename ‘user_info_dc_out’ parameter of samba_kdc_get_user_info_dc() to ‘info_out’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
96ab35bb by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Add ‘msg’ parameter to samba_kdc_get_user_info_dc()

We want to call this function from more places. But some potential
callers, found in db-glue.c, have only a partially‐initialized
‘samba_kdc_entry’ structure, without the crucial ‘msg’ member. These
callers need to be able to pass in the ldb message as a separate
parameter.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0a61dc6c by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Replace calls to samba_kdc_get_user_info_from_db() with calls to samba_kdc_get_user_info_dc()

The latter function behaves identically, except that it makes a shallow
copy of the returned structure, thus avoiding lifetime issues.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c35d1fe5 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Inline samba_kdc_get_user_info_from_db() into its only caller

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
64326818 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename samba_kdc_get_user_info_dc() to samba_kdc_get_user_info_from_db()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d51c505d by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename samba_kdc_entry::user_info_dc to samba_kdc_entry::info_from_db

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
54cd2af2 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Pass Kerberos context into samba_kdc_get_device_info_blob()

We shall need it in order to produce an error string.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a57d973d by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code

instead of an NT status code.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
16cb8c47 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Make boolean members into bit‐fields

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
29c23053 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Add ‘samdb’ parameter to samba_kdc_verify_pac()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8b518817 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Add ‘samdb’ parameter to samba_kdc_get_device_info_blob()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
024d8cf5 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Pass ‘samdb’ into samba_kdc_get_user_info_from_db()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d02f37b4 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename local variable ‘user_info_dc’ to ‘info’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0ed6d11e by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Check parameters of samba_kdc_get_user_info_from_db()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d5706230 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Initialize out parameter of samba_kdc_get_user_info_from_db()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c559e992 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Introduce intermediate variable ‘resource_groups’

No change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
30459085 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Fix leak

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7ee08114 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename parameter ‘user_info_dc_out’ to ‘info_out’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
453bb84e by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename variable ‘user_info_dc’ to ‘info’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
02daf011 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
886bbcdc by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Remove common out path from samba_kdc_obtain_user_info_dc()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b2bb86bc by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Simplify memory management with talloc stackframe

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d7ed1b53 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Check parameters of samba_kdc_get_user_info_from_pac()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3f6e6a3c by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Make ‘resource_groups_out’ parameter const

The caller shouldn’t need to modify this.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
30cfa9b7 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Pass resource groups parameter only if we are creating a TGT

No change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
300459e8 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Pass AUTH_EXCLUDE_RESOURCE_GROUPS into samba_kdc_obtain_user_info_dc()

As the ‘group_inclusion’ parameter has an effect only if the
‘resource_groups_out’ parameter is non‐NULL, this does not result in a
change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2f3a8ae8 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Remove ‘group_inclusion’ parameter from samba_kdc_obtain_user_info_dc()

It could be equal only to AUTH_EXCLUDE_RESOURCE_GROUPS.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a7765d13 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Label ‘resource_groups_out’ parameter

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
19b1e31e by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Always fetch resource groups

No behaviour change, and if the caller doesn’t need the resource groups
after all, the cost incurred is little more than the allocation of a
couple of dozen bytes of memory.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
37321e6f by Andrew Bartlett at 2023-10-12T23:13:32+00:00
s4-kdc: Do not modify the returned user_info_dc from samba_kdc_get_user_info_dc()

We have the duplicated shallow copy in each caller so that the caller is
clear on what memory can be changed.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

- - - - -
9937c1c5 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Cache user info and resource groups from PACs

When authentication policies are implemented, we shall need to fetch
SIDs (and claims) from the PACs of users and devices repeatedly — not
just when first looking up a user, but every time a policy needs to be
evaluated.

This will likely be more efficient if we can cache this information,
removing the need to derive it more than once.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
72b26d56 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename samba_kdc_obtain_user_info_dc() to samba_kdc_get_user_info_dc()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e3953e18 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Declare ‘auth_entry’ to be of type ‘samba_kdc_entry_pac’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3e5aba62 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims

Having the lifetime of the encoded claims be tied in a predictable
fashion to a caller‐controlled memory context is less prone to error.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e09bf1bc by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:auth: Explicitly initialize claims structures

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2462dacc by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Add functions to fetch claims from the DB or from the PAC

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
98597115 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Modify samba_kdc_get_claims_blob() to use claims_data functions

The chief advantage of these functions is that the claims got from the
database are retained in the ‘samba_kdc_entry’ object, allowing them to
be reused should they be needed later during the same request.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1e3c3479 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Remove unused function get_claims_blob_for_principal()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6228267c by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Create the Requester SID blob only if we actually need it

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
65a6676c by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Simplify samba_kdc_check_device() by calling samba_kdc_get_user_info_dc()

The latter function accomplishes most of what we were doing ourselves.

No intended change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6d3d6f9b by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Note use of parent memory context

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b5ebe74e by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Simplify creation of device claims blob

Let samba_kdc_get_claims_data() and claims_data_encoded_claims_set()
handle the work for us.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b15ef257 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Introduce helper variable ‘server_restrictions_present’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0038cc05 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_add_claims_valid()

It’s only ever equal to SAMBA_CLAIMS_VALID_INCLUDE.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0d2424a2 by Andrew Bartlett at 2023-10-12T23:13:32+00:00
s4:kdc: Change the type of ‘compounded_auth’ to boolean

View with ‘git show -b’.

This allows us to make the call to authsam_shallow_copy_user_info_dc()
and samba_kdc_add_compounded_auth() only if required.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
981411ba by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_add_compounded_auth()

It’s only ever equal to SAMBA_COMPOUNDED_AUTH_INCLUDE.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3199a815 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Make samba_kdc_add_compounded_auth() static

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
43cce1d1 by Joseph Sutton at 2023-10-12T23:13:32+00:00
tests/krb5: Correctly test services that do not support Compound Identity

These two tests now pass against Windows.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
407a979b by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Do not perform compound authentication for services without Compound Identity support

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
430f7a89 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Fetch device claims for server restrictions

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9cef5de9 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Have samba_kdc_allowed_to_authenticate_to() take claims and device info

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7336fbb2 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Use claims and device info to evaluate server authentication policy

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
608c8d49 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Use device claims to evaluate client authentication policy

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
03e3a3a4 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Use ‘claims_data’ functions to create client claims blob

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3c511c59 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Make samba_kdc_get_user_info_dc() non‐static

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
09857f86 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Use claims and device info to evaluate server authentication policy

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3280893a by Joseph Sutton at 2023-10-12T23:13:32+00:00
third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204))

The issue here is that only the size of the pointer, not the size
of the structure was allocated with calloc().

This means that the malloc() for the freshness token bytes would
have the memory address written beyond the end of the allocated memory.

Additionally, the allocation was not free()ed, resulting in a memory
leak.  This means that a user could trigger ongoing memory allocation
in the server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
204b1f0c by Andrew Bartlett at 2023-10-12T23:13:32+00:00
third_party/heimdal: import lorikeet-heimdal-202310092248 (commit cd12cddd8058d9fe627b5b203e471b8d761dcfbb)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

- - - - -
390be7d3 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Adapt interface to new Heimdal revision

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b13701ac by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into its callers

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6c02e9ac by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
310c537f by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Call samba_kdc_get_user_info_dc() to get client information

Among other things, this function can deal with RODC‐issued PACs.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
51d516cc by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Rename ‘user_info_dc’ to ‘client_info’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9b4dbaec by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Pass claims and device info into samba_kdc_check_s4u2proxy_rbcd()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f7064f6f by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Use device info to evaluate RBCD conditions

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4b19a707 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:kdc: Use claims to evaluate RBCD conditions

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c0ef3b42 by Joseph Sutton at 2023-10-12T23:13:32+00:00
s4:dsdb: Skip allocation of empty device SIDs array

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a2d96f5e by Joseph Sutton at 2023-10-13T00:11:08+00:00
s4:kdc: Always regard device info when checking a server authentication policy

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224

- - - - -
03ca8c25 by Joseph Sutton at 2023-10-13T02:18:30+00:00
lib:compression: Correctly fix sign extension of long matches (CID 1517275)

Commit 6b4d94c9877ec59081b9da946c00fa2647cad928 was a previous attempt
to fix this issue.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fe86989f by Joseph Sutton at 2023-10-13T02:18:30+00:00
lib:printer_driver: Check return value of gp_inifile_enum_section() (CID 1444835)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8f4aa350 by Joseph Sutton at 2023-10-13T02:18:30+00:00
lib:replace: Properly check result of write() and read() (CID 1034925)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
757cd49b by Joseph Sutton at 2023-10-13T02:18:30+00:00
tdb: Do not pass non–null‐terminated strings to strcmp() (CID 1449485)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
700754b0 by Joseph Sutton at 2023-10-13T02:18:31+00:00
util: Remove redundant assertion (CID 1497841)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
86f8cde6 by Joseph Sutton at 2023-10-13T02:18:31+00:00
lib:util: Remove always‐false comparison (CID 242193)

‘id’ is an unsigned variable, and so it can never be less than zero.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b28a268b by Joseph Sutton at 2023-10-13T02:18:31+00:00
smbXcli: Remove unreachable code (CID 1444978)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3179fc2a by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:client: Correctly call setgroups() (CID 1449449)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7eb47179 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:lib: Rearrange preprocessor directives to avoid structurally dead code (CID 242032)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
72817708 by Joseph Sutton at 2023-10-13T02:18:31+00:00
Revert "s3:libads: Don’t do first loop iteration if ‘attr’ is NULL"

Fixes CID 1547073: Control flow issues (DEADCODE).

This reverts commit 184a48d65772f359bd81f83256daada8c9e500b3.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0c2d2f83 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:libnet: Remove always‐false comparison (CID 241309)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d53483a5 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:libsmb: Fix array traversal (CID 1034683)

Commit 033185e2a1b2892fe8dc74a18a38e5e13e08cb22 changed the sentinel
value to an empty character array, but failed to update the traversal
code to match.

Commit 48a453996ac161d7c7a7cb15a047e57cbdbb1e87 then tried to fix the
situation, but did not do so correctly.

Fix this code by forgetting about sentinel values altogether.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
86b0755a by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:modules: Remove unreachable code (CID 1508998)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c30aa741 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:modules: Initialize mask_permset (CID 1435850)

If this code had ever run, sys_acl_clear_perms() would have attempted to
write to some random address in memory. ‘mask_permset’ must be a valid
non‐NULL pointer.

Commit 9b79d5f2a2f8af75ef13bdc41d2dc296e19ba098 seems to have been a
previous attempt to fix this issue.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
67b2dc72 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:nmbd: Remove redundant code (CID 1414756)

‘buf’ is reassigned a few lines down.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1e4d4e6a by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:rpcclient: Do not pass uninitialized pointer to printf() (CID 1476170)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dbf96126 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:smbd: Avoid integer overflow (CID 1035487)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
68fb12cb by Joseph Sutton at 2023-10-13T02:18:31+00:00
Revert "smbd: Fix CID 1504457 Resource leak"

We cannot free ‘enc’ — it may be a copy of ‘buffer’, in which parameter
both construct_reply_chain() and smb_request_done() pass arrays of
automatic storage duration!

Fixes CID 1505354.

This reverts commit a395f752f0748751d4ade533c41066903f26c2dd.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7774ca87 by Joseph Sutton at 2023-10-13T02:18:31+00:00
smb2_server: Remove unreachable code (CID 1444981)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7eaad46f by Joseph Sutton at 2023-10-13T02:18:31+00:00
smb2_server: Check status codes (CID 1474441)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
59e16873 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:utils: Avoid integer overflow (CID 1035488)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ac00851f by Joseph Sutton at 2023-10-13T02:18:31+00:00
s3:utils: Check return value of cli_RNetServiceEnum() (CID 1273313)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
79a9a07c by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:auth: Fix resource leak (CID 1107222)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fa68f261 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:auth: Remove event context on failure

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d3b1aa63 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dns_server: Merge similar code paths

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1ad4dd92 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dns_server: Check return value of ldb_transaction_commit() (CID 1034631)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d0db0ff2 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dsdb: Check whether ‘p’ is NULL before dereferencing it (CID 240875)

Commit 6baf7608dfc3517cb3798fc53db849f49c6d157a added a NULL check in
one place, but not everywhere ‘p’ was dereferenced.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
61037a85 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dsdb: Permit forward link to be missing in linked_attributes_fix_forward_link()

We don’t care if a forward link is missing from an object being renamed
during the deletion process.

Nothing yet checks the value returned from this function, so there
should be no change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7e8c3860 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dsdb: Check return code (CID 1444824/1444844)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4cf9f43e by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dsdb: Remove unreachable code (CID 1034686)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b098eb82 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dsdb: Fix unreachable code (CID 1435967)

Commit ede668e8e24c86f0836dfa5740e76d8aca1e0824 removed this condition
for some unexplained reason, causing the following code to become
unreachable.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d4042e88 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1272827)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ea561fea by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dsdb: Replace early ‘continue’ with ‘if’ statement (CID 1414738)

A ‘continue’ statement creates the misleading impression that this loop
executes more than once.

This also avoids ‘mem_ctx’ being leaked.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b60604b1 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dsdb: Log correct ldb error

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
244440d1 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:dsdb: Don’t overwrite existing error code (CID 1445263)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
077a7e41 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:libcli: Remove unnecessary casts

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
61534dd2 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:libcli: Check return value of convert_string_talloc() (CID 1272839)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c65411ea by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:messaging: Remove redundant code

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4bb18ece by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:ntvfs: Remove unneeded NULL check (CID 240771)

We’ve already dereferenced ‘pending’ in the init‐clause of the loop, and
won’t reassign it during the loop.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bea908cf by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:ntvfs: Remove dead code path

‘pending’ will never be NULL.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c2daa356 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:ntvfs: Correctly acknowledge PVFS_FLAG_STRICT_SYNC flag (CID 241154)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ca2a97b7 by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:rpc_server: Check mkdir() return value (CID 1034649)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
240b082d by Joseph Sutton at 2023-10-13T02:18:31+00:00
s4:rpc_server: Check return values of gnutls functions (CID 1452111)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7f3f6530 by Günther Deschner at 2023-10-13T02:18:31+00:00
s3-iremotewinspool: add PAR->RPRN mapping table

There is no 1:1 mapping between the opcodes but between the functions
(including _Ex and _2 naming extensions):

e.g.
winspool_AsyncOpenPrinter  (0x00) -> spoolss_OpenPrinterEx (0x45)
winspool_AsyncClosePrinter (0x14) -> spoolss_ClosePrinter  (0x1d)

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e7a4c868 by Günther Deschner at 2023-10-13T02:18:31+00:00
s3-iremotewinspool: properly map incoming PAR to RPRN requests.

Map the incoming iremotewinspool opnum to match the appropriate call in
the spoolss server in the pull path.

There is no 1:1 mapping in the opnums between the protocols, only in the
corresponding functions.

Without doing the mapping we currently forward
e.g. winspool_AsyncOpenPrinter() to spoolss_EnumPrinters() leading to
all sorts of errors.

A correct mapping was in place earlier with a handsorted server call
table but it got removed with the rpc server rewrite.

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e6b07d42 by Günther Deschner at 2023-10-13T02:18:31+00:00
s4-torture: add testcase to iremotewinspool suite to explore object_uuid handling

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e05c8340 by Günther Deschner at 2023-10-13T02:18:31+00:00
s3-iremotewinspool: check for correct object_uuid in dispatch fn.

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
afb33566 by Günther Deschner at 2023-10-13T03:19:59+00:00
s4-torture: add another test to demonstrate identical functions

Create a spoolss_EnumPrinters request and send it to both endpoints and
verify they deliver identical replies.

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 13 03:19:59 UTC 2023 on atb-devel-224

- - - - -
2870ef95 by Joseph Sutton at 2023-10-13T03:50:31+00:00
buildtools: Remove semicolons

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1f3d49ed by Joseph Sutton at 2023-10-13T03:50:31+00:00
examples: Don’t use deprecated method ‘has_key()’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
876ee3fb by Joseph Sutton at 2023-10-13T03:50:31+00:00
examples: Fix invalid escape sequences

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7c89c588 by Joseph Sutton at 2023-10-13T03:50:31+00:00
python:colour: Fix exception message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
08dbb35e by Joseph Sutton at 2023-10-13T03:50:31+00:00
python:subunit: Use now() instead of utcnow()

utcnow() is deprecated and will be removed in a future version of Python.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2fa838d4 by Joseph Sutton at 2023-10-13T03:50:31+00:00
python:tests: Use assertEqual() instead of assertEquals()

assertEquals() was removed in Python 3.12.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d2196545 by Joseph Sutton at 2023-10-13T03:50:31+00:00
python:tests: Fix exception message

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ed97b15f by Joseph Sutton at 2023-10-13T03:50:31+00:00
python:tests: Fix comment

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7efe6b0a by Joseph Sutton at 2023-10-13T03:50:31+00:00
python:tests: Correct search expression

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
af61444d by Joseph Sutton at 2023-10-13T03:50:31+00:00
python:tests: Remove semicolons

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f7009e2a by Joseph Sutton at 2023-10-13T03:50:31+00:00
python:tests: Use now() instead of utcnow()

utcnow() is deprecated and will be removed in a future version of Python.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2f5833cb by Joseph Sutton at 2023-10-13T03:50:31+00:00
tests/krb5: Use assertEqual() instead of assertEquals()

assertEquals() was removed in Python 3.12.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1a4ec25b by Joseph Sutton at 2023-10-13T03:50:31+00:00
tests/krb5: Fix assertion messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
39a4d27a by Joseph Sutton at 2023-10-13T03:50:31+00:00
s3:script: Remove semicolons

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
079306cf by Joseph Sutton at 2023-10-13T03:50:31+00:00
s4:dsdb:tests: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1513a459 by Joseph Sutton at 2023-10-13T03:50:31+00:00
s4:dsdb:tests: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bb77f36f by Joseph Sutton at 2023-10-13T03:50:31+00:00
s4:dsdb:tests: Fix assertion messages

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9e3a8589 by Joseph Sutton at 2023-10-13T03:50:31+00:00
s4:dsdb:tests: Use loadTestsFromTestCase() instead of makeSuite()

makeSuite() is deprecated and will be removed in Python 3.13.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
44958f36 by Joseph Sutton at 2023-10-13T03:50:31+00:00
s4:torture: Use assertEqual() instead of assertEquals()

assertEquals() was removed in Python 3.12.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3f70da66 by Joseph Sutton at 2023-10-13T03:50:31+00:00
selftest: Use now() instead of utcnow()

utcnow() is deprecated and will be removed in a future version of Python.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d895c98c by Joseph Sutton at 2023-10-13T04:55:06+00:00
wintest: Fix invalid escape sequences

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 13 04:55:06 UTC 2023 on atb-devel-224

- - - - -
30d22631 by Stefan Metzmacher at 2023-10-13T09:49:33+00:00
tevent: introduce DLIST_DEMOTE_SHORT()

It turns out that the overhead of DLIST_DEMOTE() implemented
as DLIST_REMOVE();DLIST_ADD_END(), is very high if the list
contains only 1 or 2 elements.

The next commits will make use of DLIST_DEMOTE_SHORT() for
multiplexing multiple tevent_fd structures for a single fd
and the most important and common case is a list with just
one element.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
4fe39d9e by Stefan Metzmacher at 2023-10-13T09:49:33+00:00
lib/util: sync DLIST_DEMOTE_SHORT() changes to dlinklist.h

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
7672a29f by Stefan Metzmacher at 2023-10-13T09:49:33+00:00
ldb: sync DLIST_DEMOTE_SHORT() changes to include/dlinklist.h

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
95d6600a by Stefan Metzmacher at 2023-10-13T09:49:33+00:00
tevent: split out a tevent_common_fd_disarm() helper

It means tevent_trace_fd_callback(TEVENT_EVENT_TRACE_DETACH)
is always called and similar future changes are only
needed in one place.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
b328e990 by Stefan Metzmacher at 2023-10-13T09:49:33+00:00
tevent: add tevent_common_fd_mpx infrastructure

Backends may require to map individual tevent_fd instances to
a single low level kernel state (e.g. for epoll).

This generic infrastructure adds helper functions using
a generic (sub)part of struct tevent_fd.

The new code will allow us to support more than 2 tevent_fd
instances per fd, which makes sure all backends can provide
a similar behavior. This will be important when we add
TEVENT_FD_ERROR as a 3rd kind of fd event.

The aim is to use this in order to replace the limited implementation
we already have in tevent_epoll.c.

As these helpers are typically called from within
'void tevent_fd_set_flags(struct tevent_fd *fde, uint16_t flags)'
there's no way to report errors. So in order to avoid additional
error handling complexity the helpers try to avoid
any allocations which may fail. It also means the logic in
tevent_epoll.c doesn't have to change much.

These are implemented as static inline functions in order to avoid
the function call overhead, which showed up in profiles of the
early implementation.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
28bf51fc by Stefan Metzmacher at 2023-10-13T09:49:33+00:00
tevent: let tevent_epoll.c use new generic mpx infrastructure

This allows any number of event handlers per low level fd.

It means the epoll backend behaves like the poll backend now.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
a76056fa by Stefan Metzmacher at 2023-10-13T09:49:33+00:00
tevent: add test_fd_speed3

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
55f25eb3 by Stefan Metzmacher at 2023-10-13T09:49:33+00:00
tevent: add test_event_fd3

This tests the interaction of multiple event handlers on
the same low level fd.

It shows that poll and epoll backends behave in the
same fair way.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
407cda2f by Stefan Metzmacher at 2023-10-13T09:49:33+00:00
tevent: add support for TEVENT_FD_ERROR

After 12 years we finally got TEVENT_FD_ERROR support :-)

TEVENT_FD_WRITE event handlers never get errors reported
instead the event handler is silently disabled.
There are likely callers relying on that behavior, so
we are not able to change it.

Now TEVENT_FD_WRITE can be used together with TEVENT_FD_ERROR
in order to get errors reported without waiting for TEVENT_FD_READ.

TEVENT_FD_ERROR can also be used alone in order to detect errors
on sockets in order to cleanup resources.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
acd9248b by Stefan Metzmacher at 2023-10-13T10:45:51+00:00
tevent: version 0.16.0

- the epoll backend is no longer limited to 2 event handlers
  per low level fd.
- finally add support for TEVENT_FD_ERROR

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Oct 13 10:45:51 UTC 2023 on atb-devel-224

- - - - -
42d03da3 by David Mulder at 2023-10-16T00:59:32+00:00
gpupdate: Test Drive Maps Client Side Extension

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b76e184c by David Mulder at 2023-10-16T00:59:32+00:00
gpdupate: Implement Drive Maps Client Side Extension

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6e862bd3 by Oleg Kravtsov at 2023-10-16T02:01:17+00:00
s4/torture: fix exit status of raw.bench-lookup

Use correct value of 'result' when the test passes.

Signed-off-by: Oleg Kravtsov <oleg at tuxera.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Oct 16 02:01:17 UTC 2023 on atb-devel-224

- - - - -
f0da8219 by Joseph Sutton at 2023-10-16T08:28:32+00:00
CVE-2023-5568 third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204))

The issue here is that only the size of the pointer, not the size
of the structure was allocated with calloc().

This means that the malloc() for the freshness token bytes would
have the memory address written beyond the end of the allocated memory.

Additionally, the allocation was not free()ed, resulting in a memory
leak.  This means that a user could trigger ongoing memory allocation
in the server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3280893ae80507e36653a0c7da03c82b88ece30b)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Oct 16 08:28:32 UTC 2023 on atb-devel-224
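
The allocation mistake described in the CVE-2023-5568 commit message above, as an added example that is not part of the commit or of Heimdal's code. The names `struct token`, `token_new()`, `token_free()` and `process_request()` are hypothetical, and the length-plus-pointer layout is an assumption chosen to match the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical length+pointer structure; the layout is an assumption. */
struct token {
    size_t length;
    unsigned char *data;
};

static long live_tokens = 0; /* token structs allocated and not yet freed */

/* Flawed pattern: calloc(1, sizeof(t)) requests only the pointer's size. */
size_t flawed_alloc_size(void) {
    struct token *t = NULL;
    return sizeof(t);
}

/* Corrected pattern: calloc(1, sizeof(*t)) requests the structure's size. */
size_t fixed_alloc_size(void) {
    struct token *t = NULL;
    return sizeof(*t);
}

/* Does a store to the 'data' member stay inside alloc_size bytes? */
int data_field_fits(size_t alloc_size) {
    size_t end = offsetof(struct token, data)
               + sizeof(((struct token *)0)->data);
    return end <= alloc_size;
}

/* Allocate the structure with its full size, then the token bytes. */
struct token *token_new(const unsigned char *bytes, size_t len) {
    struct token *t = calloc(1, sizeof(*t));
    if (t == NULL) {
        return NULL;
    }
    if (len > 0) {
        t->data = malloc(len);
        if (t->data == NULL) {
            free(t);
            return NULL;
        }
        memcpy(t->data, bytes, len);
    }
    t->length = len;
    live_tokens++;
    return t;
}

/* Release both allocations; omitting this is the leak the message describes. */
void token_free(struct token *t) {
    if (t == NULL) {
        return;
    }
    free(t->data);
    free(t);
    live_tokens--;
}

long live_token_count(void) {
    return live_tokens;
}

/* Handle one request: copy the received token, compare it, free on every path.
 * Returns 0 on match, -1 on mismatch, -2 on allocation failure. */
int process_request(const unsigned char *received, size_t rlen,
                    const unsigned char *expected, size_t elen) {
    struct token *t = token_new(received, rlen);
    int rc;
    if (t == NULL) {
        return -2;
    }
    rc = (t->length == elen &&
          (elen == 0 || memcmp(t->data, expected, elen) == 0)) ? 0 : -1;
    token_free(t);
    return rc;
}

int main(void) {
    /* Constructed sample token bytes. */
    const unsigned char tok[] = { 0x01, 0x02, 0x03, 0x04 };
    printf("flawed size=%zu fits=%d\n", flawed_alloc_size(),
           data_field_fits(flawed_alloc_size()));
    printf("fixed  size=%zu fits=%d\n", fixed_alloc_size(),
           data_field_fits(fixed_alloc_size()));
    printf("request rc=%d live=%ld\n",
           process_request(tok, sizeof(tok), tok, sizeof(tok)),
           live_token_count());
    return 0;
}
```

Building with `-fsanitize=address` flags the undersized variant as a heap-buffer-overflow at the first store to the second member.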

- - - - -
7d9af74c by Jule Anger at 2023-10-16T15:41:13+02:00
WHATSNEW: Add release notes for Samba 4.19.2.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
5b54d9e2 by Jule Anger at 2023-10-16T15:41:42+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.19.2 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
29172899 by Jule Anger at 2023-10-16T15:41:56+02:00
VERSION: Bump version up to Samba 4.19.3...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
3be190dc by Stefan Metzmacher at 2023-10-16T14:39:33+00:00
CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()

samba-tool drs clone-dc-database was quite useful to find
the true value of nTSecurityDescriptor of the CN=Delete Objects
containers.

Only the auto inherited SACL is available via a ldap search.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0c329a0f by Stefan Metzmacher at 2023-10-16T14:39:33+00:00
CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7f8b15fa by Stefan Metzmacher at 2023-10-16T14:39:33+00:00
CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container

This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
498542be by Stefan Metzmacher at 2023-10-16T14:39:33+00:00
CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()

This makes the next change easier to understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
70586061 by Stefan Metzmacher at 2023-10-16T14:39:33+00:00
CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
97e4aab1 by Stefan Metzmacher at 2023-10-16T14:39:33+00:00
CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c99fe118 by Stefan Metzmacher at 2023-10-16T14:39:33+00:00
tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cbb8145d by Stefan Metzmacher at 2023-10-16T14:39:33+00:00
third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))

This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.

But for User2User the account password is not used,
so it is safe to return the server entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

[abartlet at samba.org Adapted to be an import from lorikeet-heimdal as requested]

- - - - -
7758b7d9 by Michael Tokarev at 2023-10-16T18:20:38+03:00
New upstream version 4.19.2+dfsg
- - - - -
43601ea2 by Michael Tokarev at 2023-10-16T18:21:12+03:00
Update upstream source from tag 'upstream/4.19.2+dfsg'

Update to upstream version '4.19.2+dfsg'
with Debian dir 06fc2f0b2dfb57251d22722879bd707e7fd257d7
- - - - -
0610d767 by Michael Tokarev at 2023-10-16T18:26:35+03:00
update changelog; upload version 4.19.2+dfsg-1 to unstable

- - - - -
bf79979f by Stefan Metzmacher at 2023-10-16T15:38:12+00:00
s4:kdc: fix user2user tgs-requests for normal user accounts

User2User tgs requests use the session key of the additional
ticket instead of the long term keys based on the password.

In addition User2User also asserts that client and server
are the same account (checked based on the sid).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224

- - - - -
219179d5 by Michael Tokarev at 2023-10-16T19:07:08+03:00
d/changelog: remove trailing whitespace and double-word

- - - - -
ec23abfe by Joseph Sutton at 2023-10-17T03:19:38+00:00
buildtools: Don’t call normpath() repeatedly

A non‐negligible fraction of the build process — especially for
incremental builds — is spent calling normpath() over and over again.

Make builds faster by not doing that.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
35c7061f by Joseph Sutton at 2023-10-17T03:19:38+00:00
buildtools: Correctly raise exception

This avoids errors like the following:
‘RuntimeError: No active exception to reraise’

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b5b8b16a by Joseph Sutton at 2023-10-17T03:19:38+00:00
tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD

If we’re verifying that a ticket was permitted to be issued by an RODC,
and not trusting the group SIDs in the ticket, is there any reason to
ban its use with RBCD?

A client with a ticket issued by an RODC that happens to select a DC to
direct an RBCD request at should not have the request mysteriously fail.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
52ea4805 by Joseph Sutton at 2023-10-17T03:19:38+00:00
tests/krb5: Expect a status code with policy errors

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a8a18686 by Joseph Sutton at 2023-10-17T03:19:38+00:00
tests/krb5: Fix tests that crash Windows

Expect an actual error code or an outcome, not CRASHES_WINDOWS.

I don’t know which error codes Windows might be expected to produce, so
I’ve chosen some that seem plausible.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1712449a by Joseph Sutton at 2023-10-17T03:19:38+00:00
tests/krb5: Don’t expect groups if we’re expecting an error

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c15a9af8 by Joseph Sutton at 2023-10-17T03:19:38+00:00
tests/krb5: Fix ASN.1 source

It currently fails to compile.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b7b4c7ca by Joseph Sutton at 2023-10-17T03:19:38+00:00
s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9fcace58 by Joseph Sutton at 2023-10-17T03:19:38+00:00
s4:kdc: Make ‘struct user_info_dc’ members const

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7405a8fa by Joseph Sutton at 2023-10-17T03:19:38+00:00
s4:kdc: Explicitly initialize SDBFlags structures

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
53ff61bb by Joseph Sutton at 2023-10-17T03:19:38+00:00
s4:kdc: Remove unused function int2SDBFlags()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e2ace2d6 by Christof Schmitt at 2023-10-17T03:19:38+00:00
build: Add 'make printversion' to provide version string

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497

Signed-off-by: Christof Schmitt <christof.schmitt at us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
31062950 by Michael Adam at 2023-10-17T04:16:29+00:00
gitignore: add WAF lockfile

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497

Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Christof Schmitt <christof.schmitt at us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Oct 17 04:16:29 UTC 2023 on atb-devel-224

- - - - -
8a97538c by Pavel Filipenský at 2023-10-17T18:23:32+00:00
s3:tests: The correct name of shell variable is 'samba_smbspool_krb5'

There is no shell variable named 'smbspool_krb5'.

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
0f107f2f by Pavel Filipenský at 2023-10-17T18:23:32+00:00
s3:tests: Add smbspool test using kerberos authentication: test_smbspool_krb.sh

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
237b6fc3 by Pavel Filipenský at 2023-10-17T19:19:32+00:00
s3:tests: Plan test_smbspool_krb.sh for environment ad_member_fips

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Tue Oct 17 19:19:32 UTC 2023 on atb-devel-224

- - - - -
09daeba6 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
libcli/util: let win_errstr() fallback to hresult_errstr()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2a290dcb by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:selftest: also run rpc.mgmt against the nt4_dc (and ad_dc)

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a38f58ac by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s4:torture/rpc: let test_inq_princ_name_size also test for princ_name_size = 0 and BAD_STUB_DATA

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6cb12d39 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
librpc/rpc: apply some code cleanup and error checks to dcesrv_mgmt.c

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9f51379d by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
librpc/rpc: let dcesrv_mgmt_inq_if_ids() filter out the mgmt syntax_id

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1d0a5b3a by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
librpc/rpc: implement dcesrv_mgmt_inq_princ_name infrastructure

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2ba5016e by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
librpc/rpc: add dcesrv_register_default_auth_types[_machine_principal]() helpers

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2d73b1e0 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:rpc_server: let register_ep_server() errors result in DBG_ERR()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ae38cfe6 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:rpc_server: let get_servers() callback of rpc_worker_main() return NTSTATUS

This means the rpc_worker_main() logic is the only layer that
needs to call exit() and it's able to do some cleanup before.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f35baa4e by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:rpc_server: make use of dcesrv_register_default_auth_types[_machine_principal]()

This mostly matches windows now...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
94723b67 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:rpc_server: call reopen_logs before we print the copyright notice

This matches what we do in smbd, winbindd and nmbd.

For the workers it's important to call it at all, otherwise
things like 'debug pid = yes' or 'debug class = yes' have no effect
in the workers.

We could argue if we want the copyright notice on the start
of each worker at all, but that's a different discussion...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e4bdab65 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
rpc_host.idl: change server_index from uint8 to uint32

This reflects what we're using in the C code already...

Note this is an incompatible change, but we also changed
from named_pipe_auth_req_info7 to named_pipe_auth_req_info8
in master...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
eb8cf371 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:rpc_server: correctly allow up to 65536 workers processes

We already limit the per worker portion of the association
group id to UINT16_MAX, so we can also use 16-bit instead
of just 8-bit to encode the worker index.

While there we should actually ensure that the max worker
index is UINT16_MAX.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cd2cb491 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:rpc_server: simplify rpc_host_find_worker()

This will help me in the next commits.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2c2c2f43 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:rpc_server: improve debugging in rpc_host_distribute_clients()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
40e780ad by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
dcesrv_core: maintain the number of allocated association groups per dce_ctx

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f8b76235 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:rpc_server: distribute clients based on available association group slots

The important factor to distribute connection to workers
should be the number of used association group slots instead
of the raw number of connections. If one worker has a lot of
association groups with just one connection each, but another
with few association groups, but multiple connections per
association group. The one with less association groups should
get the connection. Note each worker is only able to allocate
UINT16_MAX allocation groups, but the number of connections
is only limited by RAM.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5a697820 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
librpc/rpc: allow dcesrv_context to propose the preferred ndr syntax

This allows specific services to use ndr64.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b8eae782 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
librpc/rpc: add dcesrv_async_reply() helper that disconnects as needed

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
27d11803 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s4:rpc_server/echo: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
eaf3654d by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s4:rpc_server/common: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d8809994 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s4:rpc_server/lsa: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
06c12033 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s4:rpc_server/netlogon: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
403bceef by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s4:rpc_server/remote: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ac392c35 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s3:rpc_server: let create_policy_hnd() return a pointer

This allows a TALLOC_FREE() on it to unregister and destroy the
handle easily.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1058382d by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
librpc/rpc: add dcerpc_floor_pack_uuid_full() helper function

This handles the full syntax with split major and minor version,
from lhs and rhs.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7a7a38b8 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
librpc/rpc: also get the 2nd half of the ndr_syntax_id from a floor

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dfdb8736 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s4:rpc_server: simplify logic in dcesrv_epm_Map matching

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
53e4fe64 by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s4:rpc_server/epmapper: check dcerpc_floor_get_uuid_full() result in dcesrv_epm_Map()

This already checks for EPM_PROTOCOL_UUID and simplifies the logic.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5ec5496d by Stefan Metzmacher at 2023-10-17T19:20:38+00:00
s4:rpc_server/epmapper: use ndr_syntax_id_equal() in dcesrv_epm_Map() to match the request

This makes it much easier to understand.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c6d0df78 by Andreas Schneider at 2023-10-17T19:20:38+00:00
s4:torture: Increase multichannel timeout

This avoids running into timeouts on Gitlab CI.

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f392fdfd by MikeLiu at 2023-10-17T20:22:18+00:00
shadow_copy2: Add missing TALLOC_FREE

Signed-off-by: MikeLiu <mikeliu at qnap.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Oct 17 20:22:18 UTC 2023 on atb-devel-224

- - - - -
21bb84ed by Pavel Filipenský at 2023-10-18T14:43:37+00:00
s3:winbindd: Improve logging for failover scenarios in winbindd_cm.c

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
6063f3ee by Pavel Filipenský at 2023-10-18T14:43:37+00:00
s3:winbindd: Improve logging for failover scenarios in winbindd_pam.c

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
5f7a834e by Pavel Filipenský at 2023-10-18T14:43:37+00:00
s3:libsmb: Improve logging for failover scenarios

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
- - - - -
14600a31 by Pavel Filipenský at 2023-10-18T15:47:09+00:00
s3:libads: Improve logging for failover scenarios

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Wed Oct 18 15:47:09 UTC 2023 on atb-devel-224

- - - - -
52fd0d79 by Ralph Boehme at 2023-10-18T16:46:00+00:00
smbd: put back code to fill in user and group SID

This was accidentally removed by 6874ed6a9defdf6f842e1e25f1ffd95708534ca6.

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Oct 18 16:46:00 UTC 2023 on atb-devel-224

- - - - -
cf30ddb5 by Joseph Sutton at 2023-10-19T21:37:36+00:00
s4:torture: Check return values of talloc functions

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
07ec3457 by Joseph Sutton at 2023-10-19T21:37:36+00:00
s4:torture: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
29176807 by Joseph Sutton at 2023-10-19T21:37:36+00:00
s4:torture: Check return values of gnutls functions (CID 1547212)

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
879e7a3c by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Remove marker

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fcdc0101 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Fix comment

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fc475b2e by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Add ‘expect_edata’ parameter to _user2user()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a365f04d by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Add KDC_ERR_SERVER_NOMATCH error code

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
59f70522 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Correctly pass arguments to _modify_tgt()

We were passing the new realm as the ‘renewable’ parameter!

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
88d5ae32 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Have _modify_tgt() accept only keyword arguments

to prevent further accidents.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
11835ed5 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Update method names to be consistent with other tests

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7f860d1c by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Remove incorrect functional level check

RBCD has no relevance to a method called _tgs().

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2ddd8ca3 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Move assignments closer to where the variables are used

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
991e8f5a by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Use None for the default values of parameters

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ee43eed6 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Add parameter to _tgs() specifying whether FAST is to be used

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
69db1b58 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Don’t expect edata if no error is expected

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a0d32a39 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Make ‘keybytes’ a bytes object rather than a list

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d363c7bf by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Fix DES3CBC random_to_key()

Because ‘keybytes’ is an immutable bytes object, ‘keybytes[7] = …’ has
no hope of working.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
137499ae by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f1babf2f by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Remove unnecessary f‐strings

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e48eb621 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Fix RC4‐only Protected Users tests

We forgot to actually use the ‘supported_enctypes’ parameter.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ea10d01b by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Remove unreachable exception handlers

‘IOError’ is a subclass of ‘error’, which has already been handled.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7ea71c48 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Make ‘services’ parameter required

We use it unconditionally without a check for None.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
053292a7 by Joseph Sutton at 2023-10-19T21:37:36+00:00
tests/krb5: Delete connection variable

This avoids a ‘variable set but unused’ warning.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fc7f64ba by Joseph Sutton at 2023-10-19T21:37:36+00:00
s4:dsdb: Remove reference to non‐existent code

Commit 498542be0bbf4f26558573c1f87b77b8e3509371 removed the code in
question.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4e83dfb6 by Joseph Sutton at 2023-10-19T21:37:36+00:00
s4:kdc: Always regard device info when the client performs RBCD

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
37594035 by Joseph Sutton at 2023-10-19T21:37:36+00:00
s4:kdc: Use HDB flag constants instead of SDB ones

These flags are passed to us by Heimdal, and so they are HDB flags, not
SDB flags.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d209cdf4 by Joseph Sutton at 2023-10-19T21:37:36+00:00
s4:kdc: Add flag to indicate the upper sixteen bits of the kvno are specified

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4c291514 by Joseph Sutton at 2023-10-19T22:39:19+00:00
s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 19 22:39:19 UTC 2023 on atb-devel-224

- - - - -
318c89b3 by Michael Tokarev at 2023-10-20T16:39:39+03:00
d/samba-common.maintscript: fix version number for dhcp hook removal (#1053780)

- - - - -
427054ab by Stefan Metzmacher at 2023-10-23T08:37:13+00:00
CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()

samba-tool drs clone-dc-database was quite useful to find
the true value of nTSecurityDescriptor of the CN=Deleted Objects
containers.

Only the auto inherited SACL is available via a ldap search.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8)

- - - - -
10673100 by Stefan Metzmacher at 2023-10-23T08:37:14+00:00
CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c)

- - - - -
31e4015b by Stefan Metzmacher at 2023-10-23T08:37:14+00:00
CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container

This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47)

- - - - -
0e657c31 by Stefan Metzmacher at 2023-10-23T08:37:14+00:00
CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()

This makes the next change easier to understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371)

- - - - -
98d0fa6c by Stefan Metzmacher at 2023-10-23T08:37:14+00:00
CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db)

- - - - -
a72c7228 by Stefan Metzmacher at 2023-10-23T08:37:14+00:00
CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566)

- - - - -
7038794e by Pavel Filipenský at 2023-10-23T08:37:14+00:00
s3:winbindd: Improve logging for failover scenarios in winbindd_pam.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 6063f3ee733348855d6b144091bbdbbe6862494c)

- - - - -
0bb52082 by Pavel Filipenský at 2023-10-23T08:37:14+00:00
s3:libsmb: Improve logging for failover scenarios

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 5f7a834effea56d683f76a801924c7125385e534)

- - - - -
8c0f1206 by Pavel Filipenský at 2023-10-23T08:37:14+00:00
s3:libads: Improve logging for failover scenarios

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Wed Oct 18 15:47:09 UTC 2023 on atb-devel-224

(cherry picked from commit 14600a3128c6b66de4f9291eeec52e34725030c5)

- - - - -
ba252e24 by Pavel Filipenský at 2023-10-23T09:43:03+00:00
s3:winbindd: Improve logging for failover scenarios in winbindd_cm.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15499

Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 21bb84ed1c30b863b4ef17fcebdd79f147142b9f)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Oct 23 09:43:03 UTC 2023 on atb-devel-224

- - - - -
4e8fb970 by Joseph Sutton at 2023-10-24T00:54:31+00:00
tests/krb5: Remove unnecessary target_creds variables

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0f5033a1 by Joseph Sutton at 2023-10-24T00:54:31+00:00
tests/krb5: Work around Samba’s incorrect krbtgt principal handling

These tests fail only because they are using the ‘krbtgt at REALM’ form of
the krbtgt principal that Samba doesn’t handle correctly.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
eb21ac87 by Joseph Sutton at 2023-10-24T00:54:31+00:00
tests/krb5: Test whether the device belongs to some default groups

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7728a062 by Joseph Sutton at 2023-10-24T00:54:31+00:00
s4:kdc: Make a copy of the device SIDs to be placed in the security token

We shall need to add extra SIDs on the end.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fc2f8864 by Joseph Sutton at 2023-10-24T00:54:31+00:00
s4:kdc: Add a flag indicating that the device should be added to the default groups

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c91d1618 by Joseph Sutton at 2023-10-24T00:54:31+00:00
s4:kdc: Add device to default groups for authentication policy evaluation

This means that expressions like ‘Device_Member_of(WD)’ will now work,
as they should.

It *also* means that expressions like ‘Device_Member_of(NU)’ will work,
even though they shouldn’t. This is because we consider SID_NT_NETWORK
to be a default group.

Our new behaviour may be wrong, but at least it’s now consistent with
the behaviour of user‐relative expressions like ‘Member_of(WD)’ and
‘Member_of(NU)’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
eaffadb8 by Joseph Sutton at 2023-10-24T00:54:31+00:00
s4:kdc: Add a flag indicating that the device should be added to Authenticated Users

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
63aeb645 by Joseph Sutton at 2023-10-24T01:59:32+00:00
s4:kdc: Add device to Authenticated Users for authentication policy evaluation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Oct 24 01:59:32 UTC 2023 on atb-devel-224

- - - - -
f8213ec8 by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
lib/util: add samba_socket_{poll,sock,poll_or_sock}_error()

These are copies of the static functions in lib/tsocket/tsocket_bsd.c,
which we will replace in the next commit.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
cd964e52 by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
lib/tsocket: make use of samba_socket_poll_or_sock_error()

This is just a copy of the existing code...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
66b25637 by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
lib/tsocket: make use of samba_socket_sock_error()

This is nicer than calling getsockopt(state->fd, SOL_SOCKET, SO_ERROR)
directly.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
21a18a5b by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
lib/async_req: let async_connect_send use TEVENT_FD_ERROR instead of TEVENT_FD_READ

This is mostly cosmetic, but now that we have TEVENT_FD_ERROR we should use it.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
82aafa4a by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
lib/async_req: let writev_send/recv use TEVENT_FD_ERROR

Unless err_on_readability is true, we use TEVENT_FD_READ only
to detect errors. Now that we have TEVENT_FD_ERROR we should use it.

As a side effect it makes the code much simpler and clearer, as
we can directly map TEVENT_FD_ERROR to EPIPE.

In addition the err_on_readability=true case is now also
clearer, where we just map TEVENT_FD_READ to EPIPE.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
22e3a542 by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
lib/tsocket: let tstream_bsd_connect_send() use TEVENT_FD_ERROR instead of TEVENT_FD_READ

This is mostly cosmetic, but now that we have TEVENT_FD_ERROR we should use it.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5bedf167 by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
lib/tsocket: make use of TEVENT_FD_ERROR in tstream_bsd_fde_handler()

This makes the logic introduced to fix bug #15202 simpler.

While developing this I noticed that a lot of callers
rely on the fact that they can read the pending bytes out
of the recv queue before EOF is reported.

So I changed the code to handle TEVENT_FD_ERROR together with
TEVENT_FD_READ in a way that keeps the existing callers happy.

In the next step we'll add a way to let callers opt-in in order
to fail immediately if TEVENT_FD_ERROR appears (even if there
are pending bytes remaining in the recv queue).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
71e8727b by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
lib/tsocket: add tstream_bsd_fail_readv_first_error()

This gives the caller the option to fail immediately if
TEVENT_FD_ERROR appears even with pending bytes in the
recv queue.

Servers typically want to activate this in order to avoid
pointless work, while clients typically want to read
pending responses from the recv queue.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3a47a276 by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
s4:kdc: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e897ccd9 by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
s4:ldap_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
341e800d by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
s4:dns_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d9c416ba by Stefan Metzmacher at 2023-10-24T09:36:37+00:00
s3:libsmb: the unexpected handler use tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
391ef8ae by Stefan Metzmacher at 2023-10-24T09:36:38+00:00
s4:ntp_signd: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0e83b564 by Stefan Metzmacher at 2023-10-24T09:36:38+00:00
s4:libcli/wrepl: make use of tstream_bsd_fail_readv_first_error(false)

As a client we want to recv pending responses even if the server
already closed the connection.

While tstream_bsd_fail_readv_first_error(false) is the default for
tstream_bsd, the wins replication protocol is special as it has
a way to switch server and client roles on an existing tcp connection.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
82b2a379 by Stefan Metzmacher at 2023-10-24T09:36:38+00:00
s4:wrepl_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8e8f2fa9 by Stefan Metzmacher at 2023-10-24T09:36:38+00:00
libcli/named_pipe_auth: let tstream_npa_existing_socket use tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
27b2ca7d by Stefan Metzmacher at 2023-10-24T09:36:38+00:00
s4:service_named_pipe: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7e6f830d by Stefan Metzmacher at 2023-10-24T09:36:38+00:00
s4:rpc_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c5201cd0 by Stefan Metzmacher at 2023-10-24T09:36:38+00:00
s3:rpc_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3f4f80ed by Stefan Metzmacher at 2023-10-24T10:32:56+00:00
smb2_server: monitor connections with TEVENT_FD_ERROR

By asking for TEVENT_FD_ERROR we're able to fail early
when a connection to a client is broken.

In that case it does not make any sense to process
pending requests in the recv queue as it's not
possible to deliver the response to the client anyway.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Oct 24 10:32:56 UTC 2023 on atb-devel-224

- - - - -
9267d9b2 by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbind: Ensure parse_domain_user() can't write beyond the end of domain[]

fail if we try to write beyond the fstring boundary

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15467
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
7e1f210b by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: rename canonicalize_username to canonicalize_username_fstr

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
2e06bf9f by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: Add new canonicalize_username function

Add a new canonicalize_username replacement function for
canonicalize_username_fstr which doesn't use fstrings but instead
uses talloc allocated strings

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
aa3febfd by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: in winbindd_ccache_save use canonicalize_username

replace use of canonicalize_username_fstr with canonicalize_username

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
85e8d33a by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: in winbindd_pam_logoff_send use canonicalize_username

replace use of canonicalize_username_fstr with canonicalize_username

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
be6ed28f by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: in winbindd_pam_auth_send use canonicalize_username

replace use of canonicalize_username_fstr with canonicalize_username

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
d1beafe7 by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: in winbindd_pam_chauthtok_send use canonicalize_username

replace use of canonicalize_username_fstr with canonicalize_username

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
c6fe21e1 by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: remove canonicalize_username_fstr

no longer any callers to canonicalize_username_fstr so it
can be removed

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
87a91908 by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: rename parse_domain_user to parse_domain_user_fstr

prepare to port parse_domain_user function to not use fstrings.
rename function parse_domain_user (and all callers) to use
parse_domain_user_fstr

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
d4341d48 by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: Add new parse_domain_user function

Adds a new parse_domain_user function which doesn't use fstrings
but instead uses talloc allocated out strings (created from passed in
ctx)

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
f734b1b2 by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: use parse_domain_user_fstr instead of parse_domain_user

in winbindd_getgroups_send replace parse_domain_user_fstr
with parse_domain_user

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
9d5652ec by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: use parse_domain_user instead of parse_domain_user_fstr

in winbindd_getpwnam_send replace parse_domain_user_fstr with
parse_domain_user

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
b5427ef8 by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: use parse_domain_user instead of parse_domain_user_fstr

In winbindd_ccache_ntlm_auth replace use of parse_domain_user_fstr
with parse_domain_user

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
89fb5eee by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: replace parse_domain_user_fn with parse_domain_user

In winbindd_getgrnam_send use parse_domain_user instead of
parse_domain_user_fstr

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
b4bdd341 by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: replace use of parse_domain_user_fstr with parse_domain_user

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
5640d7ab by Noel Power at 2023-10-24T12:43:37+00:00
s3/winbindd: use parse_domain_user instead of parse_domain_user_fstr

In canonicalize_username replace use of parse_domain_user_fstr
with parse_domain_user

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
6830b796 by Noel Power at 2023-10-24T13:47:16+00:00
s3:/winbindd: remove parse_domain_user_fstr

Last caller of parse_domain_user_fstr has been removed so
we can safely remove the function

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Tue Oct 24 13:47:16 UTC 2023 on atb-devel-224

- - - - -
071b1024 by Ralph Boehme at 2023-10-24T13:48:33+00:00
clang-format: tweak config to bring us closer to README.Coding.

I'm enabling "AllowAllArgumentsOnNextLine" because that's longstanding practice
with many many function calls like tevent_req_callback_data() and
tevent_req_data() and imho results in the most readable code at the place where
this is often seen (variable declarations with tevent_req_* stuff).

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
f83d6c53 by Ralph Boehme at 2023-10-24T14:47:57+00:00
clang-format: sort alphabetically

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Oct 24 14:47:57 UTC 2023 on atb-devel-224

- - - - -
e933fd2d by Joseph Sutton at 2023-10-24T14:48:36+00:00
lib/torture: Use portable format specifiers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15498

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
46f0c269 by Joseph Sutton at 2023-10-24T14:48:36+00:00
lib/torture: Add torture_assert_size_*() macros

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15498

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
9f54b94b by Joseph Sutton at 2023-10-24T15:51:40+00:00
s4:torture: Produce more output to help debug smb2.multichannel.bugs.bug_15346

Print the time (as reckoned by tevent) at which each ‘negprot done’ and
‘echo done’ message is produced, and print another message if one of the
requests times out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15498

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Oct 24 15:51:40 UTC 2023 on atb-devel-224

- - - - -
825a992a by Ralph Boehme at 2023-10-24T21:31:38+00:00
vfs_fruit: add option fruit:validate_afpinfo = yes|no (default: yes)

Allows disabling validation of AfpInfo stream data. It seems in data migration
scenarios from other SMB servers to Samba with fruit, somehow such invalid
streams are present on the source SMB server and can't be copied to Samba.

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
7c8dea14 by Ralph Boehme at 2023-10-24T22:30:06+00:00
smbtorture: add test for fruit:validate_afpinfo option

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Oct 24 22:30:06 UTC 2023 on atb-devel-224

- - - - -
b543874a by Rob van der Linde at 2023-10-24T23:31:29+00:00
tests: minor indentation and whitespace fixes

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
029e0457 by Rob van der Linde at 2023-10-24T23:31:29+00:00
netcmd: tests: make check_run and related methods classmethod for consistency

Before that only run_command was turned into a @classmethod, but not
the other related methods which were left unchanged, this made it
inconsistent.

Some of these methods need to be called from setUpTestData so they
really need to be @classmethod anyway.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
22316fea by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: PEP8 fixup whitespace in getopt.py first

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e209b8d7 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: move comment for check_bytes to docstring

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1f8b4913 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: getopt: update super calls to python3 style

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c688e733 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: getopt: correctly group and sort imports

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
96959b72 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: getopt: move SambaOption to the top of the file

This is needed for the next commit

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8b575612 by Rob van der Linde at 2023-10-24T23:31:29+00:00
netcmd: correctly pass Samba option class to OptionParser

On OptionGroups it will set option_class and then this gets used by self.add_option

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c3876242 by Rob van der Linde at 2023-10-24T23:31:29+00:00
netcmd: move comment above class to docstring

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
99c93c1e by Rob van der Linde at 2023-10-24T23:31:29+00:00
netcmd: PEP8: minor whitespace fix, file did not pass PEP8

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bdad257a by Rob van der Linde at 2023-10-24T23:31:29+00:00
netcmd: don't turn exception into CommandError in run_validators

It's the wrong place to do it.

Instead, let it raise the original exception, capture it in _run, and
call existing show_command_error method.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
29c99915 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: getopt: move validators logic to parent class

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dc513a82 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: move Validator base class and ValidationError to getopt

It makes more sense for these to exist in the top package, because they are used by SambaOption.

validators.py can still exist in netcmd, just not the base class and exception.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0f93e1d1 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: add docstrings to Validator and ValidationError

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
90f7ad08 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: tests: fix some hidden tab characters in tests.py

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3a5a5cae by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: ntacl: fix import grouping and order

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a930456f by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: dbcheck: fix import grouping and order

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
32032937 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: SUPPRESS_HELP constant has no effect here

Where it is used, on a few options, the constant should be used
directly instead.

This means that in the following commit, the Option subclass of
SambaOption can be removed, as it will become redundant.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5f8c46d1 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: remove redundant Option subclass

Instead, just import SambaOption as Option, so all the existing commands don't need changing.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b7a1946d by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: fix import grouping and sorting in base first

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d54f52b8 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: parser class in getSamDB should set option_class

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f77064c8 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: getopt: rename SambaOption to Option

 * Nothing uses SambaOption directly, everything imports it through samba.netcmd.Option
 * Avoid an unnecessary rename on import

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
14b21298 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: catch parent exception class OptParseError instead

This covers both OptionError and OptionValueError

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fb058e7f by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: remove OptionError alias to OptionValueError

The other methods in this file already raise optparse.OptionValueError
directly, except for two older ones.

They are using an alias which changes the name to OptionError. The
confusing part about this is that optparse.OptionError actually does
exist, so the incorrect alias needs to be removed.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6943a58b by Rob van der Linde at 2023-10-24T23:31:29+00:00
netcmd: tests: stop checking for ERROR prefix from CommandError

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
837e1d9f by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: getopt: subclass OptionParser to populate option_class

The option_class needs to be set correctly for OptionGroups that use self.add_option

Override OptionParser `__init__` to change the default Option class to the samba one.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e60f3afc by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: getopt: implement required flag on options and OptionParser

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0f3d6d80 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: make use of required flag on Option for claims commands

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e1244ba3 by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: getopt: Add HostOptions to avoid need to manually add -H

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0667708c by Rob van der Linde at 2023-10-24T23:31:29+00:00
python: netcmd: make use of HostOptions for claims and sites commands

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7c389e19 by Rob van der Linde at 2023-10-24T23:31:29+00:00
netcmd: auth policy: add OptionGroup classes for user, service and computer options

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
50b8a2de by Rob van der Linde at 2023-10-25T00:31:36+00:00
python: getopt: HostOptions and other option groups inherit from samba OptionGroup class

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Oct 25 00:31:37 UTC 2023 on atb-devel-224

- - - - -
3c4714bc by Joseph Sutton at 2023-10-25T21:40:33+00:00
s3:rpc_server: Correctly reset DEVMODE bit

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Oct 25 21:40:33 UTC 2023 on atb-devel-224

- - - - -
0653f78b by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in net

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8482d46f by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in ntlm_auth

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
66c76976 by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in pdbedit

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
72add41e by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in regedit

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d7a8e63f by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in sharesec

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9428fa35 by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in smbcacls

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6d482485 by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in smbcontrol

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2eee959f by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in smbcquotas

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f849efeb by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Remove trailing white spaces in smbfilter.c

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8a873f89 by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in smbfilter

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
bbda37e4 by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in smbget

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6aa56331 by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Remove trailing white spaces in smbpasswd.c

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
643e0ae8 by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all before exit in smbpasswd

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4d411cf5 by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:utils: Call gfree_all() before exit in smbtree

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e48798cb by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:client: Call gfree_all() before exit in smbclient

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e24900ac by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:client: Call gfree_all() before exit in smbspool

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
49424f18 by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:param: Use a talloc stackframe in pyparam

Several parts of the code use talloc_tos() requiring a stackframe to be
present. This is needed as loadparm_init_s3() will call init_globals()
later.

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e30c404f by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:param: Use the memory context we just created instead of tos

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0e45a0ce by Andreas Schneider at 2023-10-25T22:23:37+00:00
s3:param: Make init_globals() public

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d7a6488d by Andreas Schneider at 2023-10-25T22:23:37+00:00
lib:param: Set a memory context for the globals if not initialized yet

Typically once the smb.conf starts to be loaded,
loadparm_s3_init_globals() will be called and a memory context for
strings on the static Globals will be created.  But we might call
lpcfg_set_cmdline() before we load the smb.conf file, so we (via a
helper pointer) call loadparm_s3_init_globals() to get that
initialisation done earlier, ensuring that all allocations on Globals are
done on a memory context that we can later TALLOC_FREE() before exit().

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
04548bdb by Joseph Sutton at 2023-10-25T22:23:37+00:00
.gitattributes: Treat file containing test SDDL as binary

This file contains some very long lines that can make it hard to grep
for things from the terminal.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8f4c17e9 by Joseph Sutton at 2023-10-25T22:23:37+00:00
libcli/security: Fix leak on reallocation failure in pull_composite()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b4de22a7 by Joseph Sutton at 2023-10-25T22:23:37+00:00
libcli/security: Fix leak on reallocation failure in conditional_ace_encode_binary()

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
17983427 by Joseph Sutton at 2023-10-25T22:23:37+00:00
python: Remove unnecessary f‐strings

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c750c1db by Joseph Sutton at 2023-10-25T22:23:37+00:00
python:tests: Remove unnecessary f‐strings

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
defeb3e6 by Joseph Sutton at 2023-10-25T22:23:37+00:00
tests/krb5: Don’t pass parameters unnecessarily

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d0c24a52 by Joseph Sutton at 2023-10-25T22:23:37+00:00
tests/krb5: Sort imports

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
301cc80b by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:libads: Update code reference in comment

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a0c1c469 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:passdb: Fix code formatting

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ee239525 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:dsdb:tests: Remove unnecessary f‐strings

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7c1492c5 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:ntvfs: Avoid signed integer overflow

Signed integer overflow is undefined behaviour.

ubsan reports errors similar to the following:
signed integer overflow: 9223372036854775807 + 2147483682 cannot be represented in type 'long int'

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
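
The bug class named in the commit message above, as an added example that is not part of the commit or of the Samba tree: a byte-range end computed as a signed 64-bit offset plus an unsigned length, checked before the addition so the undefined operation is never evaluated. The function names are hypothetical, the test operands are the two values from the ubsan report, and `__builtin_add_overflow` assumes GCC or Clang.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not taken from the Samba tree. */

/*
 * Portable check: prove the sum fits in int64_t before computing it.
 * Returns false (and leaves *end untouched) when offset + length is not
 * representable, instead of evaluating an overflowing signed addition.
 */
bool range_end_checked(int64_t offset, uint64_t length, int64_t *end)
{
    if (offset < 0) {
        return false;               /* negative offsets are rejected */
    }
    /* offset >= 0, so INT64_MAX - offset cannot itself overflow. */
    if (length > (uint64_t)(INT64_MAX - offset)) {
        return false;               /* offset + length > INT64_MAX */
    }
    *end = offset + (int64_t)length;
    return true;
}

/*
 * Same decision using the GCC/Clang builtin, which performs the addition
 * as if with infinite precision and reports whether the result fits in
 * the type of *end.
 */
bool range_end_builtin(int64_t offset, uint64_t length, int64_t *end)
{
    if (offset < 0) {
        return false;
    }
    return !__builtin_add_overflow(offset, length, end);
}

int main(void)
{
    /* Constructed cases; the first uses the operands from the ubsan report. */
    static const struct {
        int64_t offset;
        uint64_t length;
    } cases[] = {
        { INT64_MAX, UINT64_C(2147483682) },
        { INT64_MAX - 5, 5 },
        { INT64_MAX - 5, 6 },
        { 4096, 512 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int64_t end = 0;
        bool ok = range_end_checked(cases[i].offset, cases[i].length, &end);

        if (ok) {
            printf("%" PRId64 " + %" PRIu64 " = %" PRId64 "\n",
                   cases[i].offset, cases[i].length, end);
        } else {
            printf("%" PRId64 " + %" PRIu64 " rejected: not representable\n",
                   cases[i].offset, cases[i].length);
        }
    }
    return 0;
}
```

Building with `-fsanitize=undefined` and running the unchecked form `offset + (int64_t)length` on the first case reproduces the kind of report quoted in the commit message.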

- - - - -
2543bc04 by Joseph Sutton at 2023-10-25T22:23:37+00:00
selftest: Remove ubsan suppressions

These instances of undefined behaviour ought now to be fixed.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
49dca847 by Joseph Sutton at 2023-10-25T22:23:37+00:00
tests/krb5: Add more tests of the device belonging to certain groups

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5f0ebf08 by Joseph Sutton at 2023-10-25T22:23:37+00:00
tests/krb5: Add tests for group membership with RBCD

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f48afb2b by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:kdc: Add device to default groups for RBCD conditions evaluation

This means that expressions like ‘Device_Member_of(WD)’ will now work,
as they should.

It *also* means that expressions like ‘Device_Member_of(NU)’ will work,
even though they shouldn’t. This is because we consider SID_NT_NETWORK
to be a default group.

Our new behaviour may be wrong, but at least it’s now consistent with
the behaviour of user‐relative expressions like ‘Member_of(WD)’ and
‘Member_of(NU)’.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
91046720 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:kdc: Add device to Authenticated Users for RBCD conditions evaluation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a1f5965f by Joseph Sutton at 2023-10-25T22:23:37+00:00
SECURITY.md: Fix spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
984b3ab7 by Joseph Sutton at 2023-10-25T22:23:37+00:00
auth: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e3bc4d4a by Joseph Sutton at 2023-10-25T22:23:37+00:00
docs-xml: Fix documentation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f2c82834 by Joseph Sutton at 2023-10-25T22:23:37+00:00
examples: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ee8820b6 by Joseph Sutton at 2023-10-25T22:23:37+00:00
ldb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
97566f1b by Joseph Sutton at 2023-10-25T22:23:37+00:00
lib/fuzzing: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
82ec1965 by Joseph Sutton at 2023-10-25T22:23:37+00:00
talloc: Fix documentation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
15035895 by Joseph Sutton at 2023-10-25T22:23:37+00:00
tevent: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
53caed5e by Joseph Sutton at 2023-10-25T22:23:37+00:00
lib/util: Fix comment

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
47975ea8 by Joseph Sutton at 2023-10-25T22:23:37+00:00
libcli/security: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
093ce69e by Joseph Sutton at 2023-10-25T22:23:37+00:00
libcli: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fb57dbe7 by Joseph Sutton at 2023-10-25T22:23:37+00:00
security.idl: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2dc6fab2 by Joseph Sutton at 2023-10-25T22:23:37+00:00
librpc:ndr: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c36163c3 by Joseph Sutton at 2023-10-25T22:23:37+00:00
pidl: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1ce4af01 by Joseph Sutton at 2023-10-25T22:23:37+00:00
python:tests: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
46f4dd3e by Joseph Sutton at 2023-10-25T22:23:37+00:00
tests/krb5: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4cf3e4eb by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:auth: Add missing word to comment

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
58ba1d4c by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:lib: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1d6d21bd by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:libads: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3890b129 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:libsmb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
1a670182 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:passdb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c5af0e1e by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:rpc_server: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
61d5816e by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:smbd: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b9ea773f by Joseph Sutton at 2023-10-25T22:23:37+00:00
s3:utils: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b5504971 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:auth: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
234b9529 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:dsdb: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2ac1d19d by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:kdc: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c73456d7 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:lib: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
46a4ce32 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:librpc: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7c917254 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:ntvfs: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fc1fd9c6 by Joseph Sutton at 2023-10-25T22:23:37+00:00
s4:rpc_server: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
378aa653 by Joseph Sutton at 2023-10-25T22:23:38+00:00
s4:torture: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
fef091b6 by Joseph Sutton at 2023-10-25T22:23:38+00:00
script: Fix code spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e3a44012 by Joseph Sutton at 2023-10-25T22:23:38+00:00
testdata: Fix spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
40b51535 by Joseph Sutton at 2023-10-25T22:23:38+00:00
third_party/heimdal_build: Fix spelling

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a50e3483 by Noel Power at 2023-10-25T22:23:38+00:00
codespellignore: ignore some spellings introduced with wsp files

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8800f4f8 by Ralph Boehme at 2023-10-25T22:23:38+00:00
libcli/util: add tstream_full_request_u32 and tstream_full_request_u16

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4d1088fa by Ralph Boehme at 2023-10-25T22:23:38+00:00
libcli/util: add struct tstream_context to tstream_read_pdu_blob_full_fn_t

Add struct tstream_context to tstream_read_pdu_blob_full_fn_t and update
all callers of tstream_read_pdu_blob_send() to use the correct callback.

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
53d87445 by Ralph Boehme at 2023-10-25T22:23:38+00:00
s4/lib: remove packet_full_request_u16, not used anymore

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8cc1e25a by Noel Power at 2023-10-25T22:23:38+00:00
libcli/smb: Allow dynamic setting of the max_data in SMB Pipe transaction.

Some services like WSP can send larger messages than the current 'Max Ioctl'
limit; this results in the server producing a BUFFER_OVERFLOW status (and
additionally clipping the message sent). Add support to allow a client to
modify the hardcoded 'Max Ioctl' default value to allow the server to
successfully send larger responses.

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a16f3f7e by Ralph Boehme at 2023-10-25T22:23:38+00:00
libcli: Implement a tstream dcerpc_binding_handle

This implements a dcerpc_binding_handle that does just request and
response blob passing.

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
180f25f7 by Ralph Boehme at 2023-10-25T22:23:38+00:00
libcli/smb: add FSCTL_PIPE_WAIT

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d766729c by Noel Power at 2023-10-25T22:23:38+00:00
librpc/idl: Add idl for WSP and also some required helper functions.

Represent the message data, structures and constants to do with the
WSP (Windows Search Protocol) as idl.

(see: https://msdn.microsoft.com/en-us/library/cc251767.aspx)

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a3b25146 by Noel Power at 2023-10-25T22:23:38+00:00
s3/build: Add support for WSP in configure script.

Building wsp cli, tools should be controlled by
specifying '--enable-wsp'. Note: By default this option is not enabled
as this is an experimental feature; however, it is enabled if configure
is called with '--selftest'.

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
62f96d9c by Noel Power at 2023-10-25T22:23:38+00:00
librpc/rpc: Add windows propertyset info and associated accessor and helper api.

wsp_util.c contains property definitions for well known windows
properties that can be used with WSP. These properties are generated from
some csv files (located in the librpc/wsp). The csv files themselves
were generated from a couple of sources e.g. the [MS-WSP]:
Windows Search Protocol document and wireshark mswsp dissector source code.

for more details please see librpc/wsp/README

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8188b37b by Noel Power at 2023-10-25T22:23:38+00:00
docs-xml: Add config param for defining extra wsp properties

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ae9d9434 by Noel Power at 2023-10-25T22:23:38+00:00
librpc/wsp: adjust the wsp property api to additionally use a csv file

We have definitions for a number of properties both from the WSP
spec document and from those used by wireshark. These properties
are built into samba (generated from csv files). This commit allows
extra properties to be added on the fly in a custom csv file, the
format of the csv file is the same as that used in the build. This
allows us to add some 'unknown' properties on the fly, although we
would hope that information regarding these properties would be
incorporated into the build in due course.

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
46b4a99b by Noel Power at 2023-10-25T22:23:38+00:00
librpc/wsp: add some helper functions needed to support AQS

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b28fb85a by Noel Power at 2023-10-25T22:23:38+00:00
libcli/wsp: Add support for simplified Advanced Query Syntax

Add support to parse AQS-like (Advanced query syntax)

AQS - see https://learn.microsoft.com/en-gb/windows/win32/search/-search-3x-advancedquerysyntax

The basic (AQS) syntax is supported e.g. a query is built of a sequence of
queries connected by AND, OR and NOT where the query elements are
essentially restrictions defined by a property. There are some
limitations on the operators supported[1] and additionally some things
like enumerated ranges are not supported at all and range values are not
delimited as specified [2]. Some special cases that you see in the
windows search UI are exceptions [3] which are handled more or less as keywords

Some examples:

The following are all exactly the same query just expressed using
different variations of the syntax

'ALL:($<p403 OR $<p404) AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:10241-102401'

'ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:>=10241 AND System.Size:<102401'

'ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND > System.Size:small'

The queries above by default select the property System.ItemUrl as the
one and only column returned, the query parameter however accepts a
variation to the AQS like syntax to allow arbitrary columns to be
selected e.g.

'SELECT System.ItemName, System.ItemURL, System.Size WHERE ALL:$<p403 OR ALL:$<p404 AND System.Kind:picture AND Scope:"FILE://somemachine/someshare" AND System.Size:small'

[1] supported operators
    -------------------
    =    Equals
    !=   Not Equals
    >    Greater than
    <    Less than
    >=   Greater than or equals
    <=   Less than or equals

    $=   equals
    $<   starts with
[2] ranges are specified as value-value instead of value..value (seems
    my flex/bison skills are not good enough and couldn't get that to
    work with '..')

[3] The windows UI has shortcut ranges (presumably represented as enumerated
    ranges) providing date ranges like 'today', 'tomorrow',
   'lastweek' etc. and similarly sizes like "empty, tiny, small, large..."

   These are supported (but implemented as keywords)

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
68ce6cf6 by Noel Power at 2023-10-25T22:23:38+00:00
librpc/wsp: Add functions to dump restriction as string

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
86d43421 by Noel Power at 2023-10-25T22:23:38+00:00
libcli/wsp: Test AQS parser

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
8977d0a5 by Noel Power at 2023-10-25T22:23:38+00:00
librpc/wsp: Add some util functions needed for wsp client api

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2b2fdd53 by Noel Power at 2023-10-25T22:23:38+00:00
remove problematic include (seems to bring in conflicted definitions)

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
47a0dc6f by Noel Power at 2023-10-25T22:23:38+00:00
add accessor for tstream_context

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
387c9f3a by Noel Power at 2023-10-25T22:23:38+00:00
libcli/wsp: Add simple client api for wsp client code.

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a3a7a94f by Noel Power at 2023-10-25T22:23:38+00:00
s3/utils: Add search client

Simple cli client for doing a basic windows search.

example:

  wspsearch -U$(USER)%$(PASSWD) //$(SERVER)/$(SHARE) --search='DSC' --kind=Picture

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
704a6155 by Noel Power at 2023-10-25T23:20:33+00:00
docs-xml: add manpage for wspsearch cli client

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Oct 25 23:20:33 UTC 2023 on atb-devel-224

- - - - -
7cf4efe7 by Douglas Bagnall at 2023-10-26T01:24:32+00:00
lib/util/charset: @param typos

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
df8ab7ed by Douglas Bagnall at 2023-10-26T01:24:32+00:00
util/charset: disambiguate docs for convert_string twins

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
44ce1ad5 by Douglas Bagnall at 2023-10-26T01:24:32+00:00
idl/spoolss: fix spelling of UTF16 charset

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
acb0a299 by Douglas Bagnall at 2023-10-26T01:24:32+00:00
librpc/ndr_basic: attempt only IPv4 addresses in push_ipv4

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
78658eee by Douglas Bagnall at 2023-10-26T01:24:32+00:00
s4/dsdb: try not to leak on access check failure

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ffdd9dde by Douglas Bagnall at 2023-10-26T01:24:32+00:00
s4:dns_server: loudly warn when a tombstone record has other records

This shouldn't happen -- that is, there should never be non-tombstone
records in conjunction with a tombstone record -- and if it does, the
situation should resolve itself here. But the flow is confusing and
strange things sometimes happen often enough that it would be helpful
to know if this ever occurs.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
15b7508b by Douglas Bagnall at 2023-10-26T01:24:32+00:00
docs/manpages: fix links to mod_ntlm_winbind and squid

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7f870211 by Douglas Bagnall at 2023-10-26T01:24:32+00:00
s4/torture/gentest: remove redundant op entry

Also on line 2994.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b5a728e8 by Douglas Bagnall at 2023-10-26T01:24:32+00:00
util/convert string: remove inaccurate misspelt comment

Previous commit to the "embarrassing" line was ce10a7a673e8adf "Fix
typo in comment", which did not completely fix the typo in the
comment.

But there are no gotos anymore, so no embarrassment, however spelt.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
58011bc6 by Douglas Bagnall at 2023-10-26T01:24:32+00:00
s4/torture/gentest: explain seemingly redundant initialisation

It seems silly, but it confused me.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d7481f94 by Douglas Bagnall at 2023-10-26T01:24:32+00:00
util/charset/torture: test convert_string_talloc with emptyish strings

because it wasn't entirely obvious (a zero length string returns a
length 1 result).

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
949fe570 by Douglas Bagnall at 2023-10-26T01:24:32+00:00
libutil/iconv: don't allow wtf-8 surrogate pairs

At present, if we meet a string like "hello \xed\xa7\x96 world", the
bytes in the middle will be converted into half of a surrogate pair,
and the UTF-16 will be invalid. It is better to error out immediately,
because the UTF-8 string is already invalid.

https://learn.microsoft.com/en-us/windows/win32/api/Stringapiset/nf-stringapiset-widechartomultibyte#remarks
is a citation for the statement about this being a pre-Vista
problem.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3960eabc by Douglas Bagnall at 2023-10-26T01:24:32+00:00
libutil/iconv: avoid overflow in surrogate pairs

Consider the non-conformant utf-8 sequence "\xf5\x80\x80\x80", which
would encode 0x140000. We would set the high byte of the first
surrogate to 0xd8 | (0x130000 >> 18), or 0xdc, which is an invalid
start for a high surrogate, making the sequence as a whole invalid (as
you would expect -- the Unicode range was set precisely to that
covered by utf-16 surrogates).

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
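
Added example (not part of the commits listed here, and not Samba's iconv code): a strict UTF-8 to UTF-16 converter in C that rejects the two inputs named in the two libutil/iconv commit messages above, an encoded surrogate half and a code point above U+10FFFF. All function names and sample byte arrays are constructed for this illustration; `unchecked_high_surrogate_hi_byte()` reproduces only the arithmetic quoted in the second message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: "hi " + ED A7 96 (encodes the surrogate U+D9D6),
 * F5 80 80 80 (would encode 0x140000), and "A" + U+1F600 (valid). */
static const uint8_t sample_wtf8[] = {'h', 'i', ' ', 0xed, 0xa7, 0x96};
static const uint8_t sample_too_big[] = {0xf5, 0x80, 0x80, 0x80};
static const uint8_t sample_ok[] = {'A', 0xf0, 0x9f, 0x98, 0x80};

/*
 * Decode one UTF-8 sequence from s[0..len). Returns the number of bytes
 * consumed (1-4) and stores the code point in *cp. Returns 0 if the
 * sequence is truncated, overlong, a surrogate, or above U+10FFFF.
 */
static size_t utf8_decode_strict(const uint8_t *s, size_t len, uint32_t *cp)
{
	static const uint32_t min_cp[5] = {0, 0, 0x80, 0x800, 0x10000};
	uint32_t c;
	size_t n, i;

	if (len == 0) {
		return 0;
	}
	if (s[0] < 0x80) {
		*cp = s[0];
		return 1;
	} else if ((s[0] & 0xe0) == 0xc0) {
		n = 2; c = s[0] & 0x1f;
	} else if ((s[0] & 0xf0) == 0xe0) {
		n = 3; c = s[0] & 0x0f;
	} else if ((s[0] & 0xf8) == 0xf0) {
		n = 4; c = s[0] & 0x07;
	} else {
		return 0; /* stray continuation byte, or 0xf8..0xff */
	}
	if (len < n) {
		return 0; /* truncated */
	}
	for (i = 1; i < n; i++) {
		if ((s[i] & 0xc0) != 0x80) {
			return 0;
		}
		c = (c << 6) | (s[i] & 0x3f);
	}
	if (c < min_cp[n]) {
		return 0; /* overlong encoding */
	}
	if (c >= 0xd800 && c <= 0xdfff) {
		return 0; /* surrogate half smuggled in as UTF-8 (WTF-8) */
	}
	if (c > 0x10ffff) {
		return 0; /* beyond what a surrogate pair can express */
	}
	*cp = c;
	return n;
}

/* Convert a whole buffer. Returns the number of UTF-16 code units written,
 * or -1 on the first invalid sequence or if out_cap is too small. */
static long utf8_to_utf16_strict(const uint8_t *in, size_t in_len,
				 uint16_t *out, size_t out_cap)
{
	size_t i = 0, o = 0;

	while (i < in_len) {
		uint32_t cp;
		size_t n = utf8_decode_strict(in + i, in_len - i, &cp);

		if (n == 0) {
			return -1;
		}
		if (cp < 0x10000) {
			if (o + 1 > out_cap) {
				return -1;
			}
			out[o++] = (uint16_t)cp;
		} else {
			if (o + 2 > out_cap) {
				return -1;
			}
			cp -= 0x10000;
			out[o++] = (uint16_t)(0xd800 | (cp >> 10));
			out[o++] = (uint16_t)(0xdc00 | (cp & 0x3ff));
		}
		i += n;
	}
	return (long)o;
}

/* High byte of the first surrogate when the range check is skipped:
 * for 0x140000 this is 0xd8 | (0x130000 >> 18), which spills into the
 * low-surrogate range. */
static uint8_t unchecked_high_surrogate_hi_byte(uint32_t cp)
{
	return (uint8_t)(0xd8 | ((cp - 0x10000) >> 18));
}

int main(void)
{
	uint16_t out[8];

	printf("wtf8:    %ld\n", utf8_to_utf16_strict(
		       sample_wtf8, sizeof(sample_wtf8), out, 8));
	printf("too big: %ld\n", utf8_to_utf16_strict(
		       sample_too_big, sizeof(sample_too_big), out, 8));
	printf("ok:      %ld\n", utf8_to_utf16_strict(
		       sample_ok, sizeof(sample_ok), out, 8));
	printf("unchecked hi byte for 0x140000: 0x%02x\n",
	       unchecked_high_surrogate_hi_byte(0x140000));
	return 0;
}
```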

- - - - -
f266f5c6 by Joseph Sutton at 2023-10-26T01:24:32+00:00
tests/krb5: Also consider single‐component krbtgt principals to be TGS principals

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3917a199 by Joseph Sutton at 2023-10-26T01:24:32+00:00
tests/krb5: Add tests for single‐component krbtgt principals

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
800f3203 by Joseph Sutton at 2023-10-26T01:24:32+00:00
lib/krb5_wrap: Check return value of krb5_principal_get_comp_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2944bc1e by Joseph Sutton at 2023-10-26T01:24:32+00:00
s4:dsdb: Initialize pointers to NULL

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9a0c5ee4 by Joseph Sutton at 2023-10-26T01:24:32+00:00
s4:kdc: Have smb_krb5_principal_get_comp_string() properly indicate an error

The existing implementation did not differentiate between the case where
the relevant component was not present, and that where talloc_strndup()
failed. To correct this situation, put the result into an out parameter
on success and return an error on failure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
865e4f0f by Joseph Sutton at 2023-10-26T01:24:32+00:00
s4:kdc: Change signature of is_kadmin_changepw() to accommodate failure cases

principal_comp_strcmp() cannot yet indicate a failure case, but it will
soon be changed to do so.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6d7a05bf by Joseph Sutton at 2023-10-26T01:24:32+00:00
s4:kdc: Make use of smb_krb5_principal_is_tgs()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7b68f751 by Joseph Sutton at 2023-10-26T01:24:32+00:00
third_party/heimdal: Import lorikeet-heimdal-202309250010 (commit b73ae22b9b1c6fc06d0d79afe55517367a5f9670)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ddef0e5e by Joseph Sutton at 2023-10-26T01:24:32+00:00
s4:kdc: Consider a single‐component krbtgt principal to be the TGS

This matches the behaviour of Windows.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
12211735 by Joseph Sutton at 2023-10-26T01:24:32+00:00
s4:kdc: Have principal_comp_strcmp_int() properly indicate an error

We should return error codes rather than silently mask failures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ea6d2ddb by Joseph Sutton at 2023-10-26T01:24:32+00:00
s4:kdc: Check for overflow before calling smb_krb5_princ_component()

smb_krb5_princ_component() takes its component index parameter as ‘int’,
not ‘unsigned int’.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d57f3bdc by Joseph Sutton at 2023-10-26T02:26:02+00:00
s4:kdc: Simplify principal_comp_strcmp_int() to handle only equality

We only ever use the principal comparison functions to check equality.
Having these functions only handle equality simplifies their
implementation and makes them a bit easier to use.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 26 02:26:02 UTC 2023 on atb-devel-224

- - - - -
45643c70 by Ralph Boehme at 2023-10-26T15:29:29+00:00
smbd: fix group marshalling in smb3_file_posix_information_init

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
788dafcc by Ralph Boehme at 2023-10-26T15:29:29+00:00
s3/libsmb: reuse smbXcli_conn_have_posix()

We already store the negotiated POSIX state in smbXcli_connection
and there we only store it if the server actually supports the
version we requested.

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
3aedefcc by Ralph Boehme at 2023-10-26T15:29:29+00:00
smbd: add nlinks marshalling in smb3_file_posix_information_init()

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
853ae7a9 by Ralph Boehme at 2023-10-26T16:32:30+00:00
smbd: add inode marshalling in smb3_file_posix_information_init()

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Oct 26 16:32:30 UTC 2023 on atb-devel-224

- - - - -
b436720e by Samuel Cabrero at 2023-10-26T22:27:44+00:00
s3:rpc_server/wkssvc: Remove get logged on user list from utmp

utmp is not Y2038 safe.

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b6ae5d66 by Andrew Bartlett at 2023-10-26T23:27:29+00:00
codespell: Ignore .git

Otherwise the first line of commit messages is checked,
because text is found in .git/logs/HEAD, but only on
autobuild and not in CI (which does a shallow clone),
and not the whole commit message either, which is inconsistent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15503

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 26 23:27:29 UTC 2023 on atb-devel-224

- - - - -
c22400fd by Rob van der Linde at 2023-10-26T23:32:34+00:00
netcmd: silo command remove combined --policy which set all 3

doesn't make much sense to set all 3 to the same policy, user authentication policy, service authentication policy, computer authentication policy

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
15fb8a5f by Rob van der Linde at 2023-10-26T23:32:34+00:00
netcmd: silo command uses more consistent naming for policy args

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
156887c6 by Rob van der Linde at 2023-10-26T23:32:34+00:00
netcmd: silo command uses more consistent naming for tgt args

The args --user-tgt-lifetime-mins, --service-tgt-lifetime-mins and
--computer-tgt-lifetime-mins suffixed with -mins to be consistent
with Windows tooling.

For these, the internal names don't need to change and neither do
the model fields, only the external cli interface has this.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3e9f74a6 by Rob van der Linde at 2023-10-26T23:32:34+00:00
netcmd: claims: rename claims and silo tests

Rename test function names that were starting to get very long.

They were all prefixed with the test name, stop doing that and use double underscore for better separation.

e.g. AuthPolicyCmdTestCase.test_authentication_policy_list_json

becomes AuthPolicyCmdTestCase.test_list__json

The claim types and value types test cases have been split into two testcases.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ed245e28 by Rob van der Linde at 2023-10-26T23:32:34+00:00
netcmd: tests: make use of addCleanup

Makes self.members redundant and tearDown method can go completely.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d19e2682 by Rob van der Linde at 2023-10-26T23:32:34+00:00
python: tests: function to generate a unique name from caller

Uses the caller function to generate a unique name from the test function name.

Unique name is converted to camel case

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e87d7406 by Rob van der Linde at 2023-10-26T23:32:34+00:00
python: tests: addCleanup is always before create operation

This way if it raises during a create, it will still end up running the cleanup.

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
95cb6a0b by Rob van der Linde at 2023-10-26T23:32:34+00:00
python: tests: qa and developers were not in the correct case

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2dd06ae4 by Rob van der Linde at 2023-10-26T23:32:34+00:00
python: tests: improve comments for auth silo and policy tests

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2aa4d674 by Rob van der Linde at 2023-10-26T23:32:34+00:00
python: tests: claims and silo tests make use of unique_name

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
47f5bc78 by Rob van der Linde at 2023-10-26T23:32:34+00:00
python: silos: add some missing tests for auth policy command

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
16d52aa5 by Rob van der Linde at 2023-10-26T23:32:34+00:00
python: move method escaped_claim_id from test to samba.sd_utils

This is so that it can be used in other places too without the need to import or extend the test base class

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
84916935 by Rob van der Linde at 2023-10-26T23:32:34+00:00
python: add docstring for escaped_claim_id function

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0bb67a3a by Rob van der Linde at 2023-10-27T00:30:05+00:00
python: silos: add support for allowed to authenticate from silo shortcut

this avoids the need to write SDDL, the user just needs to give the silo name

Signed-off-by: Rob van der Linde <rob at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 27 00:30:05 UTC 2023 on atb-devel-224

- - - - -
a2a31519 by Andreas Schneider at 2023-10-27T05:54:33+00:00
s3:utils: Initialize row variable in wspsearch

../../source3/utils/wspsearch.c:331:25: error: ‘row’ may be used
uninitialized [-Werror=maybe-uninitialized]
  331 |         *rows_processed = row;
      |         ~~~~~~~~~~~~~~~~^~~~~

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
200a5b76 by Andreas Schneider at 2023-10-27T05:54:33+00:00
lib:util: Add boolean return type for memcache_add()

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
842d2eca by Andreas Schneider at 2023-10-27T05:54:33+00:00
lib:util: Add boolean return type for memcache_add_talloc()

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b3234c55 by Andreas Schneider at 2023-10-27T05:54:33+00:00
s3:passdb: Do not leak memory if memcache add fails

Indirect leak of 496 byte(s) in 1 object(s) allocated from:
    #0 0x7ffb062dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0)
    #1 0x7ffb06025b3e in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7ffb06027512 in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7ffb06027512 in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7ffb06027512 in _talloc_zero ../../lib/talloc/talloc.c:2421
    #5 0x7ffb05a0332c in samu_new ../../source3/passdb/passdb.c:63
    #6 0x7ffb05a2031f in pdb_getsampwnam ../../source3/passdb/pdb_interface.c:351
    #7 0x7ffb05a0540b in local_password_change ../../source3/passdb/passdb.c:752
    #8 0x56291ddd4b8b in password_change ../../source3/utils/smbpasswd.c:273
    #9 0x56291ddd5b59 in process_root ../../source3/utils/smbpasswd.c:478
    #10 0x56291ddd5b59 in main ../../source3/utils/smbpasswd.c:661
    #11 0x7ffb024281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
cdcaac14 by Andreas Schneider at 2023-10-27T05:54:33+00:00
lib:util: Add a gfree_memcache()

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
89e376c6 by Andreas Schneider at 2023-10-27T05:54:33+00:00
s3:util: Add gfree_memcache() to gfree_all()

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d1d2a03d by Andreas Schneider at 2023-10-27T06:51:48+00:00
s3:utils: Initialize the memcache for smbpasswd

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Oct 27 06:51:48 UTC 2023 on atb-devel-224

- - - - -
9c5a9244 by Gabriel Nagy at 2023-10-27T13:47:30+00:00
gp_pol: Test empty multi_sz roundtrip

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
d5d96bed by Gabriel Nagy at 2023-10-27T13:47:31+00:00
gp_pol: Allow null data for REG_MULTI_SZ

The parser is able to convert data from binary to XML (it generates an
empty <Value> tag) but not the other way around. This is a common
occurrence for empty multitext fields.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
03af1176 by Gabriel Nagy at 2023-10-27T14:45:28+00:00
gp_pol: Test multiple values multi_sz roundtrip

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

Autobuild-User(master): David Mulder <dmulder at samba.org>
Autobuild-Date(master): Fri Oct 27 14:45:28 UTC 2023 on atb-devel-224

- - - - -
cc1657c5 by Volker Lendecke at 2023-10-27T20:14:30+00:00
tests: Get a file through an absolute symlink within a subdirectory

This shows that read_symlink_reparse() is broken when trying to
replace an absolute with a relative filename within a
share.

read_symlink_reparse() is used only in openat_pathref_fsp_nosymlink()
so far to chase symlinks for non-lcomp path components. Chasing lcomp
symlinks is done through non_widelink_open(), which gets it right.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15505

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
952d6c2c by Volker Lendecke at 2023-10-27T21:19:35+00:00
smbd: Fix read_symlink_reparse()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15505

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Oct 27 21:19:35 UTC 2023 on atb-devel-224

- - - - -
9313731e by Martin Schwenke at 2023-10-30T09:19:11+00:00
ctdb-scripts: Update detect_init_style to use /etc/os-release

/etc/os-release is quite universal.  It can be found on most Linux
distros and on FreeBSD.

Attempt to use /etc/os-release to detect Red Hat, SUSE and Debian
based distros.  If /etc/os-release exists but distro is unknown then
$ID is printed as the detected distro, which will probably result in
sub-optimal behaviour, but when tracing it will at least indicate that
a new distro needs to be handled.

The only way to handle missing /etc/os-release is to set
CTDB_INIT_STYLE - see ctdb.sysconfig(5) for details.

The event script unit tests are updated to use /etc/os-release so
the new logic is exercised.

Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>

Autobuild-User(master): Amitay Isaacs <amitay at samba.org>
Autobuild-Date(master): Mon Oct 30 09:19:11 UTC 2023 on atb-devel-224

- - - - -
8a8f1f3c by Ralph Boehme at 2023-10-31T04:38:42+00:00
libcli/smb: add IO_REPARSE_TAG_RESERVED_ZERO

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
4ff144c2 by Ralph Boehme at 2023-10-31T04:38:42+00:00
pylibsmb: add IO_REPARSE_TAG_RESERVED_ZERO

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
6944aa7c by Ralph Boehme at 2023-10-31T04:38:42+00:00
CI: smb3unix.py: use libsmb.SMB2_FIND_POSIX_INFORMATION

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
ea89dd00 by Ralph Boehme at 2023-10-31T04:38:42+00:00
libsmb: infer posix context from info_level

No need for an explicit additional argument, we can just infer this from the
info_level.

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
f52a025a by Ralph Boehme at 2023-10-31T04:38:42+00:00
libsmb: info-level SMB2_FIND_POSIX_INFORMATION doesn't return short name

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
3dc1911f by Ralph Boehme at 2023-10-31T04:38:42+00:00
libsmb: use K format for parsing unsigned long long

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
d6c8b709 by Ralph Boehme at 2023-10-31T04:38:42+00:00
libsmb: remove mode from struct file_info

There's already the "attr" member and this is even used in list_posix_helper()
in pylibsmb.c. While at it, remove the cast in list_posix_helper() by using "I"
instead of "i" format.

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
b6301fd0 by Ralph Boehme at 2023-10-31T04:38:42+00:00
libsmb: add all fields from SMB2_FIND_POSIX_INFORMATION in list_posix_helper()

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

- - - - -
7a5228ff by Ralph Boehme at 2023-10-31T05:41:17+00:00
CI: smb3unix.py: check basic CreateContexts response

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Oct 31 05:41:17 UTC 2023 on atb-devel-224

- - - - -
de20ee1a by Samuel Cabrero at 2023-11-01T12:52:13+00:00
WHATSNEW: Mention logged on users list removal

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed Nov  1 12:52:13 UTC 2023 on atb-devel-224

- - - - -
9f63fad3 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Simplify sys_proc_fd_path()

We know the buffer size up-front, create a struct for that. Also, I
think if we ever hit another /proc pattern this is very likely on a
different OS that could be handled by an #ifdef.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
3c20ea9d by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Simplify reopen_from_fsp()

Pass down a dummy "file_created" variable in open_directory(), remove
an unneeded if-condition.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
32d15770 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Simplify reopen_from_fsp()

Add the checks in reopen_from_procfd() into an if-condition, remove
the MORE_PROCESSING_REQUIRED logic that confused me.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
28873a84 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Fix whitespace

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
d2afaf21 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Fix whitespace

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
252d2cc7 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
846adcb2 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Save errno around unbecome_root()

Probably not required, but better safe than sorry.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
ba2bc307 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Fix some whitespace

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
a181283f by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Remove code #ifdef'ed out >23years ago

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
9e5d7525 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: "have_proc_fds" can only work for a real fd

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
45ec0f61 by Volker Lendecke at 2023-11-01T18:55:32+00:00
libcli: SMBntcreateX can return STOPPED_ON_SYMLINK

This does not count as NT_STATUS_IS_ERR, as it starts with 0x8 instead
of 0xC. So we return NT_STATUS_INVALID_NETWORK_RESPONSE, which is
wrong.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
170b67b3 by Volker Lendecke at 2023-11-01T18:55:32+00:00
manpages: Add a missing space

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
ea168705 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Fix previous_slash()

Untested code is broken code... previous_slash() did not return a
pointer to the slash but after it. This went undetected because so far
we never call symlink_target_path() with "unparsed==0". Once we
started doing that, we would find that the "unparsed==0" case actually
puts parent on the "previous slash", not the character behind it.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
92606a46 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Move filename_convert_smb1_search_path() to smb1-only code

Just general cleanup.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
bdc6d3be by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Remove unused FAKE_FILE_TYPE_NAMED_PIPE enum

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
879db14f by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Open file as REPARSE_POINT in smb_posix_unlink()

In the future we'll block opening symlinks as such in
SMB_VFS_CREATE_FILE() unless we open as reparse points.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
93f0a367 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Open file as REPARSE_POINT in rename_internals()

In the future we'll block opening symlinks as such in
SMB_VFS_CREATE_FILE() unless we open as reparse points.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
0fc160c6 by Volker Lendecke at 2023-11-01T18:55:32+00:00
smbd: Open file as REPARSE_POINT in reply_rmdir()

In the future we'll block opening symlinks as such in
SMB_VFS_CREATE_FILE() unless we open as reparse points.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

- - - - -
1862561d by Volker Lendecke at 2023-11-01T19:56:33+00:00
smbd: Open file as REPARSE_POINT in unlink_internals()

In the future we'll block opening symlinks as such in
SMB_VFS_CREATE_FILE() unless we open as reparse points.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Nov  1 19:56:33 UTC 2023 on atb-devel-224

- - - - -
947d3e59 by Joseph Sutton at 2023-11-01T20:10:45+00:00
tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC‐issued PAC

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
dc1e2b41 by Joseph Sutton at 2023-11-01T20:10:45+00:00
tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7ba4bb81 by Joseph Sutton at 2023-11-01T20:10:45+00:00
tests/krb5: Add tests to see how SIDs are conveyed from PACs

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3b936623 by Joseph Sutton at 2023-11-01T20:10:45+00:00
s4:kdc: Add Claims Valid SID to info regenerated from RODC‐issued PACs

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
12b0c9d0 by Joseph Sutton at 2023-11-01T20:10:45+00:00
s4:dsdb: Align integer type

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
01b89669 by Joseph Sutton at 2023-11-01T20:10:45+00:00
libcli/security: Remove unnecessary return statement

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
ce9fbcea by Joseph Sutton at 2023-11-01T20:10:45+00:00
libcli/security: Correct function documentation

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
487e21ec by Joseph Sutton at 2023-11-01T20:10:45+00:00
s4:dsdb: Make sids_contains_sid() usable by other Samba modules

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5ff72d0e by Joseph Sutton at 2023-11-01T20:10:45+00:00
libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs()

S