s3:vfs_crossrename: crossrename_renameat() needs to return 0 if copy_reg() is successful

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15724

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:vfs_crossrename: avoid locking panic in copy_reg()

Use low level backend functions that don't go through the FSA layer.
Done via calling transfer_file() as it was in version before 5c18f07

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15724

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

docs:manpages:  Update 'net ads keytab create'

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Dec 16 19:32:32 UTC 2024 on atb-devel-224

ctdb-scripts: Change default persistent DB for statd_callout_helper

This database isn't use throughout CTDB, so name the it more
specifically.

Note that this might cause locks to be lost during upgrade to the
first version containing this change.

For testing, a different name is chosen to exercise related
functionality.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Dec 13 15:01:10 UTC 2024 on atb-devel-224

ctdb-scripts: Support CTDB_STATD_CALLOUT_SHARED_STORAGE=none

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Update statd-callout tests to handle both modes

Add support for shared_dir mode.

Instead of duplicating all of the tests, update them so they can be
wrapped.  Created new tests for shared_dir mode that source the
"original" tests.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Support storing statd-callout state in cluster filesystem

CTDB_STATD_CALLOUT_SHARED_STORAGE is a new configuration variable
indicating where statd-callout should store its NFS client locking
data.  See the update to ctdb-script.options(5) for details.

This adds back functionality that was removed in commit
12cc82623150ca4a83482f1b7165401cbdecd3de.  The commit message doesn't
say why this was changed but it was most likely due to a cluster
filesystem hanging at inopportune times.  Hence, this is re-added as a
non-default option.  There are 2 justifications for re-adding it:

* The existing method (persistent_db) relies on dequeuing data during
  the monitor event, which loses any queued data on node crash.

* NFS-Ganesha writes NFSv4 client locking data to a cluster
  filesystem, by default.  Something similar might as well exist for
  NFSv3.

Note that this could create the files for sm-notify in add-client.
However, this would require an alternate implementation of
send_notifies() (or a change to the implementation for persistent_db
too).  It seems better to leave add-client lightweight and do the work
in notify, since add-client is a more frequent operation.

Unconditionally create the state directory on startup.  This is
currently implicitly created for persistent_db when the queue
directory is created.  However, it isn't created anywhere else for
shared_dir, so do it in a common place.

In test mode, the shared storage location has a prefix added so files
are created within the test environment.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Fix impending SM_NOTIFY versus record deletion race

SM_NOTIFYs are sent before client records are deleted.  Theoretically,
this means new records resulting from lock reclaim can be deleted.

This doesn't actually happen at the moment because any new "records"
resulting from lock reclaim are entered into the queue directory and
only dequeued to the database during a later monitor event.  Since a
monitor event can't collide with an ipreallocated event, no records
can be dequeeued into the database during the ipreallocated event, so
they can't be deleted by delete_records().

However, a subsequent commit will add direct writing of records into a
shared cluster filesystem directory.  This means that add-client
events will cause records to be added directly to that directory so,
without a fix, the race will be able to occur.

So, delete records before sending SM_NOTIFYs.  In theory, the script
could be killed before all SM_NOTIFYs are successfully sent, resulting
in loss of locks.  However, given the overall lack of error checking,
there are other, more likely problems.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Factor out some statd-callout functions

This captures all of the persistent database (currently ctdb.tdb)
implementation-specific details in functions.  Alternate
implementations can now be easily added.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Improve update and listing code

Drop the complexity associated with using awk to escape dots in IPv4
addresses to protect them from sed, and generate a grep -F filter
instead.

For listing, the pipeline is now longer, but the steps are now
clearer:

1. List DB records
2. Extract keys
3. Keep only keys machine hosted public IPs
4. Parse out server IP and client IP
5. Sort

Performance here isn't critical, so having clearer code is preferable.

Use temporary files to avoid command-line length limits.

Also, drop the cd to the queue directory during update.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Drop TCP tuning comments from statd_callout_helper

Commits caad5dc38d790d76f6720b312c1557ec3151a084 and
f022df1d40c9c1e3e528f178204f404ee395d5c2 commented out these lines
back in 2007.

2 things are clear from the commit messages:

* These setting should not be required in the real world - they are:

    mainly useful for avoiding ack-storms when doing very rapid
    failover/failback during testing

* If they are needed, they are not specific to
  statd_callout/statd_callout_helper

Let's remove these comments to avoid confusing people.

Reported-by: Ulrich Sibiller <ulrich.sibiller@eviden.com>
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Fix some bit-rotted comments and whitespace

The top comment in the file is no longer true.

The comment about notifications doesn't really apply anymore since
upstream sm-notify is used and it does "the right thing".

shfmt wants to remove a space before a semicolon, so do that too.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Use CTDB_NFS_SHARED_STATE_DIR in nfs-ganesha-callout

Rename CTDB_NFS_STATE_MNT to CTDB_NFS_SHARED_STATE_DIR.  It doesn't
have to be a mount but can be any directory in a cluster filesystem.
CTDB_NFS_SHARED_STATE_DIR will soon be used in statd_callout_helper,
so the variable name might as well be better.

With this change, it will still only be used by nfs-ganesha-callout,
which isn't yet supported (i.e. it still lives in doc/examples).  The
rest of the comments below refer to behaviour changes in that script.

CTDB_NFS_SHARED_STATE_DIR is now mandatory when GPFS is used.  This is
much saner that choosing the first GPFS filesystem - if the state
directory changes then connection metadata can be lost.

Drop CTDB_NFS_STATE_FS_TYPE.  The filesystem type is now determined
from CTDB_NFS_SHARED_STATE_DIR and it is now checked against supported
filesystems.  This will catch the case when the filesystem for the
specified directory has not been mounted and the filesystem for the
mountpoint (e.g. ext4) is not a supported filesystem for shared state.

A side-effect is that the filesystem containing
CTDB_NFS_SHARED_STATE_DIR must be mounted when nfs-ganesha-callout is
first run.

While touching this file, my shfmt pre-commit hook wants to insert a
trailing ;; into a case statement.  Let's sneak that in here too.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

s4:rpc_server/netlogon: fix dcesrv_netr_LogonSamLogon_base_call() for ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec 12 15:00:10 UTC 2024 on atb-devel-224

s4:rpc_server/netlogon: fix dcesrv_netr_ServerPasswordSet[2] for ServerAuthenticateKerberos

Review with: git show --patience

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

librpc/server: call dcesrv_netr_check_schannel() as schannel_check_creds_state() callback

If schannel is not used we need to return ACCESS_DENIED and discard
the effect of netlogon_creds_server_step_check().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli/auth: let schannel_check_creds_state() take an access_check callback

This allows the callback to decide if the updated creds should be stored
or not.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest: add 'server support krb5 netlogon = yes' for ad_dc

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest add 'server reject aes schannel:COMPUTER$' rules

These avoid a lot of messages during the tests...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:rpc_server/netlogon: implement dcesrv_netr_ServerAuthenticateKerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

librpc/server: prepare schannel_util.c for netr_ServerAuthenticateKerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

docs-xml/smbdotconf: add "server support krb5 netlogon" options

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

docs-xml/smbdotconf: add "server reject aes schannel[:COMPUTERACCOUNT]" options

This will be useful in order to require netr_ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:rpc_server/lsa: allow krb5+privacy instead of schannel

With netr_ServerAuthenticateKerberos() clients also use
krb5 for lsa_LookupSids3 and lsa_LookupNames4.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

auth_log: prepare for netr_ServerAuthenticateKerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python:tests/krb5: add ServerAuthenticateKerberos related tests to netlogon.py

Works against Windows 2025 preview:

SMB_CONF_PATH=/dev/null \
SERVER=172.31.9.115 DC_SERVER=w2025p-115.w2025p-l8.base \
DOMAIN="W2025P-L8" REALM="W2025P-L8.BASE" \
ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
NETLOGON_STRONG_KEY_SUPPORT=1 NETLOGON_AUTH_KRB5_SUPPORT=1 \
STRICT_CHECKING=0 python/samba/tests/krb5/netlogon.py

The code still works against Windows 2022 with the
following options:

SMB_CONF_PATH=/dev/null \
SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base \
DOMAIN="W2022-L7" REALM="W2022-L7.BASE" \
ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
NETLOGON_STRONG_KEY_SUPPORT=1 NETLOGON_AUTH_KRB5_SUPPORT=0 \
STRICT_CHECKING=0 python/samba/tests/krb5/netlogon.py

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

pycredentials: add py_netlogon_creds_kerberos_init

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python:tests/krb5: let netlogon.py test strong key without arcfour

It shows that there's no encryption on buffers...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli/auth: add infrastructure for netr_ServerAuthenticateKerberos()

This shows that STRONG_KEY without ARCFOUR means no encryption
for ServerPasswordSet2.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli/auth: add let netlogon_creds_alloc() use _talloc_keep_secret()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

ldb: Add LGPLv3 LICENSE file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15729

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tdb: Add LGPLv3 LICENSE file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15729

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tevent: Add LGPLv3 LICENSE file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15729

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

talloc: Add LGPLv3 LICENSE file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15729

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:rpc_server: make use of dcesrv_assoc_group_common_destructor()

Currently this should not be needed, but it's better to
call dcesrv_assoc_group_common_destructor() in all assoc_group
destructors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec 12 07:22:29 UTC 2024 on atb-devel-224

s3:rpc_server: make use of dcesrv_assoc_group_common_destructor()

We need to detach dcesrv_iface_state from dcesrv_assoc_group,
if dcesrv_assoc_group is free'ed first.

Typically this doesn't happen, but it does when
rpc_worker_connection_terminated explicitly calls
talloc_unlink(conn, conn->assoc_group)
and dcesrv_iface_state_store_conn() is used.

But we better do it in all assoc_group destructors.

==381007==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d000004f80 at pc 0x7f15fc12e0ac bp 0x7ffe43267780 sp 0x7ffe43267778
READ of size 8 at 0x50d000004f80 thread T0
    #0 0x7f15fc12e0ab in dcesrv_iface_state_destructor ../../librpc/rpc/dcesrv_handles.c:166
    #1 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #2 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #3 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #4 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #5 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #6 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #7 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #8 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #9 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #10 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #11 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #12 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #13 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #14 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #15 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #16 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #17 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #18 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #19 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #20 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #21 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #22 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #23 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #24 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #25 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #26 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #27 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #28 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #29 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #30 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #31 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #32 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #33 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #34 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #35 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #36 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #37 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #38 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #39 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #40 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #41 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #42 0x7f15fbff9691 in tstream_bsd_readv_handler ../../lib/tsocket/tsocket_bsd.c:2080
    #43 0x7f15fbff6f85 in tstream_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:1764
    #44 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #45 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #46 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #47 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #48 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #49 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #50 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #51 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #52 0x7f15f7c2a378 in __libc_start_main_impl ../csu/libc-start.c:360
    #53 0x5632ae162e64 in _start ../sysdeps/x86_64/start.S:115

0x50d000004f80 is located 112 bytes inside of 136-byte region [0x50d000004f10,0x50d000004f98)
freed by thread T0 here:
    #0 0x7f15fcefb418 in free ../../../../libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f15fc0f857d in _tc_free_internal ../../lib/talloc/talloc.c:1222
    #2 0x7f15fc0f8d0f in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #3 0x7f15fc0f8d0f in talloc_unlink ../../lib/talloc/talloc.c:1473
    #4 0x7f15fc934580 in rpc_worker_connection_terminated ../../source3/rpc_server/rpc_worker.c:143
    #5 0x7f15fc9310bd in dcesrv_connection_destructor ../../source3/rpc_server/rpc_worker.c:175
    #6 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #7 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #8 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #9 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #10 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #11 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #12 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #13 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #14 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #15 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #16 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #17 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #18 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #19 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #20 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #21 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #22 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #23 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #24 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #25 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #26 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #27 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #28 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #29 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #30 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #31 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #32 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #33 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234

previously allocated by thread T0 here:
    #0 0x7f15fcefc777 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f15fc0fbc57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f15fc0fd8cf in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f15fc0fd8cf in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7f15fc0fd8cf in _talloc_zero ../../lib/talloc/talloc.c:2421
    #5 0x7f15fc93156e in rpc_worker_assoc_group_new ../../source3/rpc_server/rpc_worker.c:681
    #6 0x7f15fc93156e in rpc_worker_assoc_group_find ../../source3/rpc_server/rpc_worker.c:730
    #7 0x7f15fc120a18 in dcesrv_bind ../../librpc/rpc/dcesrv_core.c:1158
    #8 0x7f15fc120a18 in dcesrv_process_ncacn_packet ../../librpc/rpc/dcesrv_core.c:2324
    #9 0x7f15fc120a18 in dcesrv_loop_next_packet ../../librpc/rpc/dcesrv_core.c:3222
    #10 0x7f15fc933722 in rpc_worker_new_client ../../source3/rpc_server/rpc_worker.c:489
    #11 0x7f15fc933722 in rpc_worker_new_client_filter ../../source3/rpc_server/rpc_worker.c:558
    #12 0x7f15fbef95ca in messaging_dispatch_waiters ../../source3/lib/messages.c:1343
    #13 0x7f15fbefb589 in messaging_dispatch_rec ../../source3/lib/messages.c:1371
    #14 0x7f15fbefb589 in messaging_recv_cb ../../source3/lib/messages.c:431
    #15 0x7f15faddba9e in msg_dgm_ref_recv ../../lib/messaging/messages_dgm_ref.c:144
    #16 0x7f15fadd6cc3 in messaging_dgm_recv ../../lib/messaging/messages_dgm.c:1426
    #17 0x7f15fadd7618 in messaging_dgm_read_handler ../../lib/messaging/messages_dgm.c:1316
    #18 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #19 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #20 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #21 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #22 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #23 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #24 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #25 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

dcesrv_core: add dcesrv_assoc_group_common_destructor()

We need to detach dcesrv_iface_state from dcesrv_assoc_group,
if dcesrv_assoc_group is free'ed first.

==381007==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d000004f80 at pc 0x7f15fc12e0ac bp 0x7ffe43267780 sp 0x7ffe43267778
READ of size 8 at 0x50d000004f80 thread T0
    #0 0x7f15fc12e0ab in dcesrv_iface_state_destructor ../../librpc/rpc/dcesrv_handles.c:166
    #1 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #2 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #3 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #4 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #5 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #6 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #7 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #8 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #9 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #10 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #11 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #12 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #13 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #14 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #15 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #16 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #17 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #18 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #19 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #20 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #21 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #22 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #23 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #24 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #25 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #26 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #27 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #28 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #29 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #30 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #31 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #32 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #33 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #34 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #35 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #36 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #37 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #38 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #39 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #40 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #41 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #42 0x7f15fbff9691 in tstream_bsd_readv_handler ../../lib/tsocket/tsocket_bsd.c:2080
    #43 0x7f15fbff6f85 in tstream_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:1764
    #44 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #45 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #46 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #47 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #48 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #49 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #50 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #51 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #52 0x7f15f7c2a378 in __libc_start_main_impl ../csu/libc-start.c:360
    #53 0x5632ae162e64 in _start ../sysdeps/x86_64/start.S:115

0x50d000004f80 is located 112 bytes inside of 136-byte region [0x50d000004f10,0x50d000004f98)
freed by thread T0 here:
    #0 0x7f15fcefb418 in free ../../../../libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f15fc0f857d in _tc_free_internal ../../lib/talloc/talloc.c:1222
    #2 0x7f15fc0f8d0f in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #3 0x7f15fc0f8d0f in talloc_unlink ../../lib/talloc/talloc.c:1473
    #4 0x7f15fc934580 in rpc_worker_connection_terminated ../../source3/rpc_server/rpc_worker.c:143
    #5 0x7f15fc9310bd in dcesrv_connection_destructor ../../source3/rpc_server/rpc_worker.c:175
    #6 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #7 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #8 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #9 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #10 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #11 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #12 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #13 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #14 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #15 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #16 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #17 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #18 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #19 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #20 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #21 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #22 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #23 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #24 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #25 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #26 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #27 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #28 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #29 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #30 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #31 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #32 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #33 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234

previously allocated by thread T0 here:
    #0 0x7f15fcefc777 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f15fc0fbc57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f15fc0fd8cf in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f15fc0fd8cf in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7f15fc0fd8cf in _talloc_zero ../../lib/talloc/talloc.c:2421
    #5 0x7f15fc93156e in rpc_worker_assoc_group_new ../../source3/rpc_server/rpc_worker.c:681
    #6 0x7f15fc93156e in rpc_worker_assoc_group_find ../../source3/rpc_server/rpc_worker.c:730
    #7 0x7f15fc120a18 in dcesrv_bind ../../librpc/rpc/dcesrv_core.c:1158
    #8 0x7f15fc120a18 in dcesrv_process_ncacn_packet ../../librpc/rpc/dcesrv_core.c:2324
    #9 0x7f15fc120a18 in dcesrv_loop_next_packet ../../librpc/rpc/dcesrv_core.c:3222
    #10 0x7f15fc933722 in rpc_worker_new_client ../../source3/rpc_server/rpc_worker.c:489
    #11 0x7f15fc933722 in rpc_worker_new_client_filter ../../source3/rpc_server/rpc_worker.c:558
    #12 0x7f15fbef95ca in messaging_dispatch_waiters ../../source3/lib/messages.c:1343
    #13 0x7f15fbefb589 in messaging_dispatch_rec ../../source3/lib/messages.c:1371
    #14 0x7f15fbefb589 in messaging_recv_cb ../../source3/lib/messages.c:431
    #15 0x7f15faddba9e in msg_dgm_ref_recv ../../lib/messaging/messages_dgm_ref.c:144
    #16 0x7f15fadd6cc3 in messaging_dgm_recv ../../lib/messaging/messages_dgm.c:1426
    #17 0x7f15fadd7618 in messaging_dgm_read_handler ../../lib/messaging/messages_dgm.c:1316
    #18 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #19 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #20 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #21 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #22 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #23 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #24 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #25 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

samba-tool/backup: set the right permissions on our root dir

Since processes can run under the UID of the logged in user, it's required
to make sure that the users have the permissions here.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Björn Baumbach <bbaumbach@samba.org>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Tue Dec 10 11:40:27 UTC 2024 on atb-devel-224

docs-xml: Change 'DEBUGLEVEL' -> 'level' to match the option description

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Fri Dec  6 13:33:38 UTC 2024 on atb-devel-224

docs-xml: Fix manpage section generated by cmdline.common.debug.server

man winbinbdd.8 is wrongly mixing two options:

before fix:
       -d|--debuglevel=DEBUGLEVEL, --debug-stdout
...

after fix:
       -d|--debuglevel=DEBUGLEVEL
...
       --debug-stdout

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:rpc_server/netlogon: fix error codes in dcesrv_netr_NetrLogonSendToSam

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec  5 17:46:49 UTC 2024 on atb-devel-224

s4:rpc_server/netlogon: implement dcesrv_netr_ServerPasswordGet()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:selftest: run samba.tests.krb5.netlogon

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python:tests/krb5: add netlogon.py

This adds tests for the application layer encryption used
based on the secure channel session key.

This will get tests for netr_ServerAuthenticateKerberos()
in order to explore its details.

This runs against Windows 2022 as well as Windows 2025 (preview)
using something like this:

SMB_CONF_PATH=/dev/null \
SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base \
DOMAIN="W2022-L7" REALM="W2022-L7.BASE" \
ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
STRICT_CHECKING=0 \python/samba/tests/krb5/netlogon.py

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python:tests/krb5: avoid some problems when running against w2025 (preview) with STRICT_CHECKING=0

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python:tests/krb5: remember the objectGUID of created accounts

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

pycredentials: add credentials.netlogon_creds_*() functions via py_module_methods

This makes it possible to explore the functions arround
netlogon_creds_CredentialState via python.

This allows us to write tests in order to explore
the details of netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

pycredentials: add creds.[g|s]et_netlogon_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

pycredentials: remove unused module methods

It's not useful to use the PyCredentials methods
also as module methods...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

pyrpc_util: fix error Exception message in py_check_dcerpc_type()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:rpc_server/netlogon: let dcesrv_netr_LogonSamLogon_base_reply handle encryption errors

This might be the better option when we implement
netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli/auth: let netlogon_creds_crypt_samlogon_validation handle generic info

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tests/krb5: make use of conn.auth_info() in _test_samlogon()

In future we'll have KRB5 instead of SCHANNEL...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:pyrpc: add conn.auth_info()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

gensec: add GENSEC_FEATURE_NO_DELEGATION flag to avoid GSS_C_DELEG[_POLICY]_FLAG

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:cli_pipe: pass target_service to cli_rpc_pipe_open_with_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: add kerberos_kinit_passwords_ext() helper

This can check more than one password and is designed to
support getting a TGT for our machine account also falling
back to older passwords...

If we don't have a plaintext password it falls back to an nt_hash.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: split out kerberos_kinit_generic_once()

This can be used to kinit with a keyblock later
and also a loop over multiple password generations will
be possible.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: remove unused time_offset from kerberos_kinit_password()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: let kerberos_kinit_password_ext() always initialize *ntstatus

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: fix compiler warning in trust_pw_change()

../../source3/libads/trusts_util.c: In function ‘trust_pw_change’:
../../source3/libads/trusts_util.c:302:45: warning: dereferencing type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
  302 |                                    (void **)&new_trust_pw_blob.data,

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:rpc_client: remember the local/remote ipv4 or ipv6 addresses

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: remove useless lines in add_trusted_domains_dc()

add_trusted_domain() above already sets this...

Review with: git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: make use of samba_sockaddr in set_remote_addresses() to avoid warnings

../../source3/winbindd/winbindd_dual_ndr.c: In function ‘set_remote_addresses’:
../../source3/winbindd/winbindd_dual_ndr.c:467:51: warning: dereferencing type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
  467 |         struct sockaddr *sar = (struct sockaddr *)&st;

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: make use of samba_sockaddr add_one_dc_unique() to avoid warnings

../../source3/winbindd/winbindd_cm.c: In function ‘add_one_dc_unique’:
../../source3/winbindd/winbindd_cm.c:1172:48: warning: dereferencing type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
 1172 |                             (struct sockaddr *)(void *)&(*dcs)[i].ss,

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: let wb_dsgetdcname* normalize to dns names on an ad_dc

wb_dsgetdcname() is typically used by dcerpc_wbint_DsGetDcName_send()
from netr_DsRGetDCName* in the netlogon server, when domain members
try to ask for domain controllers of a trusted domain.

The domain might disabled netbios support, so we better try the
already dns name if available.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:utils: let net_rpc_testjoin() work for ad domains and no ipv4 address

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND

We may get NT_STATUS_NOT_FOUND when the name can't be resolved
and NT_STATUS_INVALID_ADDRESS if the system doesn't have ipv4
addresses...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli/auth: return RESOURCE_REQUIREMENTS_CHANGED is the proposed flags changed

This will be important when we add support for netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:torture/rpc: make use of creds->client_requested_flags

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:librpc/rpc: make use of creds_state->client_requested_flags

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

schannel.idl: change netlogon_creds_CredentialState layout for 4.22

This breaks compat with 4.21 and moves stuff out of
netlogon_creds_CredentialState_extra_info.

It also prepares support for netr_ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Revert "libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy"

This reverts commit c3fa132fbe179bd4e1451240ce572ec791356a16.

We break the compat of the netlogon_creds_cli.tdb records compared to
4.21 with the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli/auth: don't loose server_dns_domain in netlogon_creds_cli_context_global()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

netlogon.idl: add NetlogonTicketLogonInformation/NetlogonValidationTicketLogon

I have basic tests, which have shown that the payload is not
encrypted at application level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

librpc/ndr: let ndr_print_bitmap_flag work for bitmap64bit values

Keep libndr at 6.0.0, this has not been released yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python/ndr: allow print_secrets=True for ndr_print*

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

pidl/Python: allow ndr_print(print_secrets=True)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

librpc/ndr: add ndr_print_{struct,union,function}_secret_string()

Keep libndr at 6.0.0, this has not been released yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

librpr/ndr: split out ndr_print_generic_string()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

netlogon.idl: use authservice("netlogon")

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

netlogon.idl: mark some structs as public so that ndr.ndr_deepcopy() works in python

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

samr/netlogon.idl: add [flag(NDR_SECRET)] in some more places

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:tests: Adapt winbind_call_depth_trace to depth=3

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Dec  5 15:54:57 UTC 2024 on atb-devel-224

s3:tests: Make winbind_call_depth_trace to use global_inject.conf

To get the expected traces we need:

debug syslog format = no
log level = 10

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli: Speed up sddl_decode_ace()

Factor out talloc-less sddl_transition_decode_sid()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Dec  3 09:03:01 UTC 2024 on atb-devel-224

libcli: Remove a special case

dom_sid_parse_endp does accept the lowercase "s" in "s-1-1-0".

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

libcli: Simplify sddl_decode_err_msg()

We have security_descriptor_initialise() for this

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

libcli: README.Coding for dom_sid routines

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

lib: Simplify security_descriptor_initialise() with a struct init

Rely no the default NULL init.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

libcli: Fix a signed/unsigned comparison warning

With this we compare pointers, not numbers

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Dec  2 05:52:56 UTC 2024 on atb-devel-224

libcli: Use dom_sid_dup() instead of talloc_memdup()

We have specialized code for this, why not use it...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

libcli: Apply a little const

Probably does not matter code-wise, but looks nicer to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

libcli: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

libcli: Fix whitespace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

libcli: Avoid an unnecessary "else"

We return in the error case anyway

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

smbd: Modernize DEBUGs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

smbd: Simplify smb_set_posix_lock()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

smbd: Simplify smb_file_position_information()

We've asserted fsp!=NULL in the caller

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

smbd: Simplify smb_file_position_information()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>