git.ipfire.org Git - thirdparty/samba.git/log
Stefan Metzmacher [Thu, 14 Jul 2022 10:00:51 +0000 (12:00 +0200)]
s4:dns_server: defer calling werr_to_dns_err() in a central place
The WERROR codes are much more verbose and it's better to
keep them until we really need the mapping to DNS error codes.
This will allow us to create much better debug messages in
the next commit.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andreas Schneider [Tue, 18 Jul 2023 10:29:12 +0000 (12:29 +0200)]
s3:waf: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Tue, 18 Jul 2023 09:45:25 +0000 (11:45 +0200)]
s3:winbindd: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Tue, 18 Jul 2023 09:36:49 +0000 (11:36 +0200)]
s3:utils: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Tue, 18 Jul 2023 09:35:22 +0000 (11:35 +0200)]
s3:torture: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Tue, 18 Jul 2023 09:30:18 +0000 (11:30 +0200)]
s3:smbd: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Tue, 18 Jul 2023 09:30:56 +0000 (11:30 +0200)]
s3:smbd: Fix trailing white spaces in quotas.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Tue, 18 Jul 2023 09:30:37 +0000 (11:30 +0200)]
s3:smbd: Fix trailing white spaces in dmapi.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Mon, 17 Jul 2023 16:25:41 +0000 (18:25 +0200)]
s3:selftest: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Mon, 17 Jul 2023 13:03:58 +0000 (15:03 +0200)]
s3:script: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Mon, 17 Jul 2023 13:01:21 +0000 (15:01 +0200)]
s3:rpc_server: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Mon, 17 Jul 2023 12:59:06 +0000 (14:59 +0200)]
s3:rpc_client: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 13 Jul 2023 07:27:28 +0000 (09:27 +0200)]
s3:registry: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 13 Jul 2023 07:25:50 +0000 (09:25 +0200)]
s3:printing: Rename variably to dummy to make codespell happy
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 13 Jul 2023 07:21:37 +0000 (09:21 +0200)]
s3:printing: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 13 Jul 2023 07:21:13 +0000 (09:21 +0200)]
s3:printing: Fix trailing white spaces in print_iprint.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 13 Jul 2023 07:20:05 +0000 (09:20 +0200)]
s3:passdb: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 13 Jul 2023 07:19:11 +0000 (09:19 +0200)]
s3:param: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andreas Schneider [Thu, 13 Jul 2023 07:18:42 +0000 (09:18 +0200)]
s3:param: Rename bLoaded global variable
This makes codespell happy.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Martin Schwenke [Sun, 16 Jul 2023 10:55:57 +0000 (20:55 +1000)]
ctdb-tests: Log to stderr in statd-callout tests
Errors logged when testing statd-callout don't currently go anywhere.
This is because arguments to the hacked version of script_log() are
ignored.
Remove the hack and configure logging to stderr.
This could go in the local statd-callout.sh setup script. However,
make it available for other script tests.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Wed Jul 19 09:57:37 UTC 2023 on atb-devel-224
Martin Schwenke [Sun, 16 Jul 2023 10:52:54 +0000 (20:52 +1000)]
ctdb-scripts: Support script logging to stderr
Logging in statd-callout tests is currently useless. This will
provide a way of seeing errors in those tests.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sun, 16 Jul 2023 10:49:57 +0000 (20:49 +1000)]
ctdb-scripts: Avoid ShellCheck warning SC2162
SC2162 read without -r will mangle backslashes.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sun, 16 Jul 2023 10:47:09 +0000 (20:47 +1000)]
ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 11 Oct 2022 22:05:25 +0000 (09:05 +1100)]
ctdb-recoverd: CID 1509028 - Use of 32-bit time_t (Y2K38_SAFETY)
usecs is going to be passed as a uint32_t. There is no need to
calculate it as a time_t.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 10 Jul 2023 22:03:22 +0000 (08:03 +1000)]
ctdb: Do not use egrep
On some platforms, egrep prints a deprecation warning to stderr:
egrep: warning: egrep is obsolescent; using grep -E
Use grep -E instead.
This is nice and simple, so no use splitting this commit into 2
separate commits for each of tools and test.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 16 Jun 2023 03:29:22 +0000 (13:29 +1000)]
ctdb-doc: Correct bit-rotted documentation
Loading tunables is now done in ctdbd, so find another example for the
"setup" event.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 22 Mar 2023 23:24:49 +0000 (10:24 +1100)]
ctdb-utils: Drop unused scsi_io.c source file
It will be in the git history if we ever decide to use SCSI persistent
reservations as a cluster lock.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Pavel Filipenský [Wed, 3 May 2023 09:21:11 +0000 (11:21 +0200)]
s3:winbind: Set/unset the winbind_call_flow callback if log level changes
Done only for the parent process. Works with 'smbcontrol reload-config'
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul 19 09:00:50 UTC 2023 on atb-devel-224
Pavel Filipenský [Tue, 2 May 2023 19:59:53 +0000 (21:59 +0200)]
s3:winbind: Update winbind to tevent 0.15.0 API
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Wed, 3 May 2023 09:19:45 +0000 (11:19 +0200)]
s3:winbind: Add callback winbind_call_flow()
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 31 Jan 2023 15:25:40 +0000 (16:25 +0100)]
ldb: call tevent_set_max_debug_level(TEVENT_DEBUG_TRACE) together with ldb_tevent_debug()
This means ldb_tevent_debug() is only called for TEVENT_DEBUG_TRACE.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 31 Jan 2023 15:25:40 +0000 (16:25 +0100)]
lib/util: call tevent_set_max_debug_level() in samba_tevent_set_debug()
This means samba_tevent_debug() is only called when needed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 18 Jan 2023 14:41:37 +0000 (15:41 +0100)]
tevent: version 0.15.0
- remove py2 ifdefs
- python: Safely clear structure members
- the tevent_thread_call_depth API is updated
in order to allow better tracing.
- add tevent_set_max_debug_level() only and don't
pass TEVENT_DEBUG_TRACE to tevent_debug() callbacks by default.
- Spelling fixes
- Make use of epoll_create1() for epoll backend
- Optimize overhead in the epoll backend
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 11 Nov 2022 21:25:34 +0000 (22:25 +0100)]
tevent: add tevent_common_fd_str() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 11 Jan 2023 07:21:47 +0000 (08:21 +0100)]
tevent: avoid calling epoll_update_event() again if epoll_check_reopen() already did it
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 11 Jan 2023 07:21:47 +0000 (08:21 +0100)]
tevent: let epoll_check_reopen() clear all events before reopening them
This is clearer for multiplexed fdes as it means both sides are
already cleared before we call epoll_update_event() again.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 20 Apr 2023 12:59:33 +0000 (12:59 +0000)]
tevent: avoid epoll_check_reopen() overhead unless required
The preparation, function call and cleanup for epoll_check_reopen()
is quite some overhead and not needed most of the time!
So checking the pid in the caller avoids most of it.
Review with: git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 11 Nov 2022 21:25:34 +0000 (22:25 +0100)]
tevent: make use of TEVENT_DEBUG() when using TEVENT_DEBUG_TRACE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 11 Nov 2022 14:05:53 +0000 (15:05 +0100)]
tevent: add TEVENT_DEBUG() avoid argument overhead when log is not active...
It can be very costly to calculate the arguments passed to
tevent_debug(), just to drop the message within tevent_debug()
or the callback function.
So we add a way to avoid the overhead, it will be used in the
next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 11 Nov 2022 14:05:53 +0000 (15:05 +0100)]
tevent: introduce tevent_set_max_debug_level() (default TEVENT_DEBUG_WARNING)
Allow an application to decide which log levels it wants to get
in the callback function passed to tevent_set_debug().
By default TEVENT_DEBUG_WARNING is the maximal reported level
and TEVENT_DEBUG_TRACE messages no longer reach the callback function
by default.
It seems Samba is the only consumer of tevent_set_debug(), so it
should not be a huge problem, as Samba only reports TEVENT_DEBUG_TRACE
messages with log level 50 anyway. And future Samba versions will
call tevent_set_max_debug_level() if needed.
Note the change to tevent-0.14.1.sigs will be reverted
with the release of tevent 0.15.0.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 27 Jan 2023 11:12:45 +0000 (12:12 +0100)]
tevent: add fd_speed test
This is similar to the "context" test, but without signal handlers.
It also creates a constant load instead of being time limited,
which makes it useful to analyse using callgrind and other tools.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Pavel Filipenský [Tue, 2 May 2023 19:57:16 +0000 (21:57 +0200)]
tevent: Flow: add tevent_thread_call_depth_set_callback()
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 23 May 2023 04:39:06 +0000 (06:39 +0200)]
tevent: Flow: store cleanup function name in tevent_req
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Stefan Metzmacher [Tue, 23 May 2023 04:38:27 +0000 (06:38 +0200)]
tevent: Flow: store cancel function name in tevent_req
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Pavel Filipenský [Mon, 15 May 2023 10:57:09 +0000 (12:57 +0200)]
tevent: Flow: store trigger function name in tevent_queue_entry
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Mon, 24 Apr 2023 13:04:06 +0000 (15:04 +0200)]
tevent: Flow: store callback function name in tevent_req
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Sat, 18 Jun 2022 08:57:11 +0000 (10:57 +0200)]
tevent: Flow: pass function name to tevent_req_create()
Note the tevent-0.14.1.sigs changes will be reverted in
the 'tevent 0.15.0' commit.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Fri, 28 Apr 2023 18:45:20 +0000 (20:45 +0200)]
tevent: Deprecate some tevent_thread_call_depth_*() functions
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Fri, 28 Apr 2023 18:13:29 +0000 (20:13 +0200)]
tevent: Move definition of _DEPRECATED_ to the top of tevent.h
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 19 May 2023 09:16:49 +0000 (11:16 +0200)]
s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Stefan Metzmacher [Mon, 24 Apr 2023 10:39:17 +0000 (12:39 +0200)]
tevent: add tevent_dlinklist.h as copy from lib/util/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 20 Apr 2023 14:35:25 +0000 (14:35 +0000)]
lib/util: dlinklist.h sync with LGPL copy from lib/ldb/include/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 30 Jan 2023 15:10:07 +0000 (16:10 +0100)]
ldb: clarify LGPL scope of include/dlinklist.h
Removing the explicit notice about ldb in order to
have the same content in all copies of dlinklist.h
in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 30 Jan 2023 15:10:07 +0000 (16:10 +0100)]
ldb: remove trailing whitespaces from include/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Dmitry Antipov [Fri, 7 Apr 2023 11:47:15 +0000 (14:47 +0300)]
tevent: rely on epoll_create1() for epoll interface
Prefer epoll_create1(2) over epoll_create(2) and
always require the former to use epoll(7) interface,
thus saving extra fcntl(2) call to set FD_CLOEXEC.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Dmitry Antipov [Fri, 7 Apr 2023 11:42:10 +0000 (14:42 +0300)]
lib:replace: rely on epoll_create1() for epoll interface
Prefer epoll_create1(2) over epoll_create(2) and
always require the former to use epoll(7) interface.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 09:39:38 +0000 (11:39 +0200)]
tdb: release 1.4.9
* Remove remaining, but broken python2 support
* Spelling fixes
* python: Safely clear structure members
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 09:39:38 +0000 (11:39 +0200)]
talloc: release 2.4.1
* Remove remaining, but broken python2 support
* Spelling fixes
* Remove unneeded va_copy()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Rob van der Linde [Wed, 12 Jul 2023 12:42:56 +0000 (00:42 +1200)]
netcmd: sites: add sites and subnet list and view commands to manpage
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 19 04:29:15 UTC 2023 on atb-devel-224
Rob van der Linde [Wed, 12 Jul 2023 12:42:03 +0000 (00:42 +1200)]
netcmd: sites: add missing subnet commands to samba-tool manpage
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Wed, 5 Jul 2023 05:40:48 +0000 (17:40 +1200)]
netcmd: sites: tests for list and view sites and subnet
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 4 Jul 2023 10:02:01 +0000 (22:02 +1200)]
netcmd: sites: make use of ldb_connect from base class
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 4 Jul 2023 09:47:46 +0000 (21:47 +1200)]
netcmd: add list and view commands for sites and subnets
* samba-tool sites list
* samba-tool sites view
* samba-tool sites subnet list
* samba-tool sites subnet view
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Tue, 4 Jul 2023 09:34:38 +0000 (21:34 +1200)]
netcmd: add Subnet and Site models
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 17 Jul 2023 22:29:50 +0000 (10:29 +1200)]
WHATSNEW: Update minimum GnuTLS version
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Tue, 18 Jul 2023 00:54:40 +0000 (12:54 +1200)]
lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds
If this patch is applied, and an environment variable is set, all
access_check calls will be recorded as seeds for
fuzz_security_token_vs_descriptor. See the patch for details.
You probably will never want to apply this patch, but it is here just
in case.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Jul 2023 20:56:40 +0000 (08:56 +1200)]
lib/fuzzing: adapt fuzz_sddl_access_check for AD variant
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Jul 2023 04:20:58 +0000 (16:20 +1200)]
lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant
This of course doesn't exercise the object tree or default SID code,
but it still covers a lot of the *_ds access_check functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 15 Jul 2023 10:49:22 +0000 (22:49 +1200)]
lib/fuzzing: add fuzzer for arbitrary token/sd access checks
The token and descriptor are stored in NDR format; for this purpose we
add a new IDL struct containing this pair (along with a desired access
mask).
An upcoming commit will show how to collect seeds for this fuzzer.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Jul 2023 01:03:53 +0000 (13:03 +1200)]
lib/fuzzing: add fuzz_sddl_access_check
This fuzzer parses SDDL into a security descriptor and runs an access
check on it using a known security token. This is purely for crash
detection -- we don't know enough to assert whether the check should
succeed or not.
The seed strings used are compatible with those of fuzz_sddl_parse --
anything found by fuzz_sddl_parse is worth trying as a seed here, and
vice versa.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 22 Jul 2015 10:44:32 +0000 (12:44 +0200)]
s4:provision: use better values for operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.
So we better use a value matching the dc functional level.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 15:17:21 +0000 (17:17 +0200)]
s4:pydsdb: add dc_operatingSystemVersion() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2023 12:18:14 +0000 (14:18 +0200)]
s4:dsdb: let dsdb_check_and_update_fl() also operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.
So we better use a value matching the dc functional level.
While we also fixed operatingSystem[Version] at provision time,
we do it also in dsdb_check_and_update_fl() in order to
handle old provisions and systems joined to an existing domain.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 09:01:31 +0000 (11:01 +0200)]
upgradeprovision: handle operatingSystem similar to operatingSystemVersion
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2023 09:00:56 +0000 (11:00 +0200)]
ldapcmp: also ignore operatingSystem similar to operatingSystemVersion
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 20 Dec 2021 19:53:35 +0000 (20:53 +0100)]
netlogon.idl: add some comments to netr_OsVersionInfoEx
[MS-RPRN] 7 Appendix B: Product Behavior contains information
about the products and their announced versions.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 04:21:07 +0000 (16:21 +1200)]
third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 19 02:41:25 UTC 2023 on atb-devel-224
Joseph Sutton [Mon, 3 Jul 2023 02:31:03 +0000 (14:31 +1200)]
tests/krb5: Add a test for PK-INIT with a revoked certificate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 04:12:42 +0000 (16:12 +1200)]
tests/krb5: Allow passing a pre-created certificate into _pkinit_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 00:55:41 +0000 (12:55 +1200)]
tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key
These are useful to keep around for other purposes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 00:53:45 +0000 (12:53 +1200)]
tests/krb5: Factor out a method to fetch the CA certificate and private key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Jul 2023 00:43:52 +0000 (12:43 +1200)]
tests/krb5: Factor out a method to create a certificate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 26 Jun 2023 01:07:44 +0000 (13:07 +1200)]
s4:kdc: Add auth_data_reqd flag to SDBFlags
This is to adapt to Heimdal:
commit 3c4548025c0a239ff580e7974939185eadf1856b
Author: Nicolas Williams <nico@twosigma.com>
Date: Sun Jun 4 22:54:03 2023 -0500
hdb: Add auth-data-reqd flag
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 22 Jun 2023 04:46:09 +0000 (16:46 +1200)]
third_party/heimdal_build: Make Heimdal version strings const
This is to adapt to Heimdal:
commit 997916e3f67d70bb52674829615c50455918fbb3
Author: Taylor R Campbell <campbell+heimdal@mumble.net>
Date: Sun May 28 20:34:34 2023 +0000
krb5: Make heimdal_version and heimdal_long_version const.
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 4 Jul 2023 03:16:27 +0000 (15:16 +1200)]
third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 4 Jul 2023 03:28:04 +0000 (15:28 +1200)]
tests/krb5: Test Windows 2000 variant of PK-INIT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 4 Jul 2023 03:40:31 +0000 (15:40 +1200)]
tests/krb5: Add ASN.1 definitions for Windows 2000 PK-INIT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 04:34:11 +0000 (16:34 +1200)]
tests/krb5: Add tests for PK-INIT Freshness Extension (RFC 8070)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 04:43:37 +0000 (16:43 +1200)]
tests/krb5: Remove unused methods
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:46:23 +0000 (14:46 +1200)]
tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer
When PK-INIT is performed, check that the buffer is as expected and
contains the correct NT hash.
The PK-INIT tests now pass against Windows Server 2019.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14985
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:43:10 +0000 (14:43 +1200)]
tests/krb5: Add PK-INIT testing framework
To run these tests standalone, you will need the certificate and private
key of the Certificate Authority. These can be specified together in the
same file with the environment variable CA_CERT, or the private key may
be specified in its own file with CA_PRIVATE_KEY.
If either of these files is encrypted, you can specify the password in
the environment variable CA_PASS.
These tests create a new certificate for the user account, signed with
the private key of the Certificate Authority. We negotiate the reply key
with either of the public-key and Diffie-Hellman PK-INIT variants, and
use the reply key to decrypt the enc-part in the response. We also check
that the KDC’s signatures are valid.
Most of the failures with the Heimdal KDC are due to the wrong nonce
being returned in the reply compared to Windows, which issue is simple
enough to correct.
An example command line for manual testing against Windows:
SMB_CONF_PATH=ad_dc.conf KRB5_CONFIG=krb5.conf SERVICE_USERNAME=win2k19-dc.example.com ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass ADMIN_KVNO=1 FOR_USER=Administrator USERNAME=Administrator PASSWORD=locDCpass DC_SERVER=win2k19-dc.example.com SERVER=win2k19-dc.example.com DOMAIN=example REALM=example.com PYTHONPATH=bin/python STRICT_CHECKING=1 FAST_SUPPORT=1 CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 TKT_SIG_SUPPORT=1 FULL_SIG_SUPPORT=1 GNUTLS_PBKDF2_SUPPORT=1 EXPECT_PAC=1 EXPECT_EXTRA_PAC_BUFFERS=1 CHECK_CNAME=1 CHECK_PADATA=1 KADMIN_IS_TGS=0 FORCED_RC4=1 DEFAULT_ETYPES=36 CA_CERT=./win2k19-ca.pfx CA_PASS=1234 python3 python/samba/tests/krb5/pkinit_tests.py
To set up Windows for this I first installed a Certificate Authority with an Enterprise CA.
Then I exported the private key and certificate of the CA:
1. go into the Certification Authority snap-in for the relevant computer,
2. right-clicking the CA
3. clicking ‘All Tasks’ → ‘Back up CA...’
4. and exporting the private key and CA certificate.
(I downloaded the resulting file via smbclient).
After setting up an Enterprise CA, I also needed to edit the domain
controller GPO to enable auto-enrollment, otherwise Windows would
refuse to accept as legitimate any certificates provided by the client.
That can be done by first enabling the policy:
‘Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client — Auto-Enrollment’,
and then ticking both ‘Renew expired certificates…’ and ‘Update certificates…’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:49:03 +0000 (14:49 +1200)]
tests/krb5: Allow KerberosCredentials to have associated RSA private key
This is needed for PK-INIT testing.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:49:43 +0000 (14:49 +1200)]
tests/krb5: Add helper methods for PK-INIT testing
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 3 Jul 2023 02:41:55 +0000 (14:41 +1200)]
tests/krb5: Refactor encryption type selection
Add and use some methods to calculate the highest supported AES and RC4
encryption types, respectively.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 21 Jun 2023 00:16:53 +0000 (12:16 +1200)]
tests/krb5: Add PK-INIT ASN1 definitions and include licence
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Tue, 20 Jun 2023 23:16:32 +0000 (11:16 +1200)]
tests/krb5: Add PKINIT pre-authentication types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 20 Jun 2023 23:13:46 +0000 (11:13 +1200)]
tests/krb5: Add PKINIT typed data errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 20 Jun 2023 23:11:12 +0000 (11:11 +1200)]
tests/krb5: Add PKINIT error codes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 22 Jun 2023 04:21:17 +0000 (16:21 +1200)]
s4:kdc: Fix wrong debug message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 21 Jun 2023 04:42:29 +0000 (16:42 +1200)]
tests/krb5: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>