winbind:varlink: Improve membership enumeration continue flag handling

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Install connection closed handler

If the connection is closed by the client the ongoing tevent_req must be
cancelled, otherwise winbindd receives a SIGBUS when trying to write in
the closed stream.

  [2023/02/08 12:56:41.308393,  0] ../../lib/util/fault.c:173(smb_panic_log)
    ===============================================================
  [2023/02/08 12:56:41.308438,  0] ../../lib/util/fault.c:174(smb_panic_log)
    INTERNAL ERROR: Signal 7: Bus error in pid 24407 (4.19.0pre1-DEVELOPERBUILD)
  [2023/02/08 12:56:41.308451,  0] ../../lib/util/fault.c:178(smb_panic_log)
    If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
  [2023/02/08 12:56:41.308463,  0] ../../lib/util/fault.c:183(smb_panic_log)
    ===============================================================
  [2023/02/08 12:56:41.308473,  0] ../../lib/util/fault.c:184(smb_panic_log)
    PANIC (pid 24407): Signal 7: Bus error in 4.19.0pre1-DEVELOPERBUILD

Backtrace:

  #0  0x00007f0e76853997 in wait4 () from /lib64/libc.so.6
  #1  0x00007f0e767c591b in do_system () from /lib64/libc.so.6
  #2  0x00007f0e7785ce43 in smb_panic_s3 (why=0x7ffe41b4e110 "Signal 7: Bus error")
      at ../../source3/lib/util.c:698
  #3  0x00007f0e76ce59f1 in smb_panic (why=0x7ffe41b4e110 "Signal 7: Bus error")
      at ../../lib/util/fault.c:198
  #4  0x00007f0e76ce54d0 in fault_report (sig=7) at ../../lib/util/fault.c:82
  #5  0x00007f0e76ce54e5 in sig_fault (sig=7) at ../../lib/util/fault.c:93
  #6  <signal handler called>
  #7  varlink_stream_write (stream=0x656d614e72657375, message=<optimized out>) at ../lib/stream.c:303
  #8  0x00007f0e76c5aa35 in varlink_call_reply (call=0x561c51aafe60, parameters=<optimized out>, flags=1)
      at ../lib/service.c:651
  #9  0x0000561c506a7e5b in membership_reply (call=0x561c51aafe60,
      username=0x561c51aaa860 "AFOREST+buser1", groupname=0x561c51acae58 "AFOREST+bgroup453",
      continues=true) at ../../source3/winbindd/winbindd_varlink_getmemberships.c:36
  #10 0x0000561c506a9793 in memberships_by_user_getgrgid_done (req=0x0)
      at ../../source3/winbindd/winbindd_varlink_getmemberships.c:481
  #11 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab2d30,
      location=0x561c5075b870 "../../source3/winbindd/winbindd_getgrgid.c:110")
      at ../../lib/tevent/tevent_req.c:151
  #12 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab2d30, state=TEVENT_REQ_DONE,
      location=0x561c5075b870 "../../source3/winbindd/winbindd_getgrgid.c:110")
      at ../../lib/tevent/tevent_req.c:203
  #13 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab2d30,
      location=0x561c5075b870 "../../source3/winbindd/winbindd_getgrgid.c:110")
      at ../../lib/tevent/tevent_req.c:209
  #14 0x0000561c50713770 in winbindd_getgrgid_done (subreq=0x0)
      at ../../source3/winbindd/winbindd_getgrgid.c:110
  #15 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51a98c50,
      location=0x561c507559b0 "../../source3/winbindd/wb_getgrsid.c:201")
      at ../../lib/tevent/tevent_req.c:151
  #16 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51a98c50, state=TEVENT_REQ_DONE,
      location=0x561c507559b0 "../../source3/winbindd/wb_getgrsid.c:201")
      at ../../lib/tevent/tevent_req.c:203
  #17 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51a98c50,
      location=0x561c507559b0 "../../source3/winbindd/wb_getgrsid.c:201")
      at ../../lib/tevent/tevent_req.c:209
  #18 0x0000561c50708d22 in wb_getgrsid_got_members (subreq=0x0)
      at ../../source3/winbindd/wb_getgrsid.c:201
  #19 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51aa9e80,
      location=0x561c50755310 "../../source3/winbindd/wb_group_members.c:463")
      at ../../lib/tevent/tevent_req.c:151
  #20 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51aa9e80, state=TEVENT_REQ_DONE,
      location=0x561c50755310 "../../source3/winbindd/wb_group_members.c:463")
      at ../../lib/tevent/tevent_req.c:203
  #21 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51aa9e80,
      location=0x561c50755310 "../../source3/winbindd/wb_group_members.c:463")
      at ../../lib/tevent/tevent_req.c:209
  #22 0x0000561c507082a6 in wb_group_members_done (subreq=0x0)
      at ../../source3/winbindd/wb_group_members.c:463
  #23 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab1e00,
      location=0x561c50754f18 "../../source3/winbindd/wb_group_members.c:252")
      at ../../lib/tevent/tevent_req.c:151
  #24 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab1e00, state=TEVENT_REQ_DONE,
      location=0x561c50754f18 "../../source3/winbindd/wb_group_members.c:252")
      at ../../lib/tevent/tevent_req.c:203
  #25 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab1e00,
      location=0x561c50754f18 "../../source3/winbindd/wb_group_members.c:252")
      at ../../lib/tevent/tevent_req.c:209
  #26 0x0000561c50707903 in wb_groups_members_done (subreq=0x0)
      at ../../source3/winbindd/wb_group_members.c:252
  #27 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51aafad0,
      location=0x561c50754bf0 "../../source3/winbindd/wb_group_members.c:102")
      at ../../lib/tevent/tevent_req.c:151
  #28 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51aafad0, state=TEVENT_REQ_DONE,
      location=0x561c50754bf0 "../../source3/winbindd/wb_group_members.c:102")
      at ../../lib/tevent/tevent_req.c:203
  #29 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51aafad0,
      location=0x561c50754bf0 "../../source3/winbindd/wb_group_members.c:102")
      at ../../lib/tevent/tevent_req.c:209
  #30 0x0000561c5070732e in wb_lookupgroupmem_done (subreq=0x0)
      at ../../source3/winbindd/wb_group_members.c:102
  #31 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab66a0,
      location=0x7f0e77bc5f18 "librpc/gen_ndr/ndr_winbind_c.c:2888") at ../../lib/tevent/tevent_req.c:151
  #32 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab66a0, state=TEVENT_REQ_DONE,
      location=0x7f0e77bc5f18 "librpc/gen_ndr/ndr_winbind_c.c:2888") at ../../lib/tevent/tevent_req.c:203
  #33 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab66a0,
      location=0x7f0e77bc5f18 "librpc/gen_ndr/ndr_winbind_c.c:2888") at ../../lib/tevent/tevent_req.c:209
  #34 0x00007f0e77bba4a7 in dcerpc_wbint_LookupGroupMembers_done (subreq=0x0)
      at librpc/gen_ndr/ndr_winbind_c.c:2888
  #35 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51aa1dc0,
      location=0x7f0e77bc5d28 "librpc/gen_ndr/ndr_winbind_c.c:2773") at ../../lib/tevent/tevent_req.c:151
  #36 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51aa1dc0, state=TEVENT_REQ_DONE,
      location=0x7f0e77bc5d28 "librpc/gen_ndr/ndr_winbind_c.c:2773") at ../../lib/tevent/tevent_req.c:203
  #37 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51aa1dc0,
      location=0x7f0e77bc5d28 "librpc/gen_ndr/ndr_winbind_c.c:2773") at ../../lib/tevent/tevent_req.c:209
  #38 0x00007f0e77bba0ef in dcerpc_wbint_LookupGroupMembers_r_done (subreq=0x0)
      at librpc/gen_ndr/ndr_winbind_c.c:2773
  #39 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab51f0,
      location=0x7f0e7810b4d0 "../../librpc/rpc/binding_handle.c:520") at ../../lib/tevent/tevent_req.c:151
  #40 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab51f0, state=TEVENT_REQ_DONE,
      location=0x7f0e7810b4d0 "../../librpc/rpc/binding_handle.c:520") at ../../lib/tevent/tevent_req.c:203
  #41 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab51f0,
      location=0x7f0e7810b4d0 "../../librpc/rpc/binding_handle.c:520") at ../../lib/tevent/tevent_req.c:209
  #42 0x00007f0e780f6bec in dcerpc_binding_handle_call_done (subreq=0x0)
      at ../../librpc/rpc/binding_handle.c:520
  #43 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51aaacf0,
      location=0x7f0e7810b090 "../../librpc/rpc/binding_handle.c:203") at ../../lib/tevent/tevent_req.c:151
  #44 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51aaacf0, state=TEVENT_REQ_DONE,
      location=0x7f0e7810b090 "../../librpc/rpc/binding_handle.c:203") at ../../lib/tevent/tevent_req.c:203
  #45 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51aaacf0,
      location=0x7f0e7810b090 "../../librpc/rpc/binding_handle.c:203") at ../../lib/tevent/tevent_req.c:209
  #46 0x00007f0e780f60d2 in dcerpc_binding_handle_raw_call_done (subreq=0x0)
      at ../../librpc/rpc/binding_handle.c:203
  #47 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab78b0,
      location=0x561c50745ef0 "../../source3/winbindd/winbindd_dual_ndr.c:209")
      at ../../lib/tevent/tevent_req.c:151
  #48 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab78b0, state=TEVENT_REQ_DONE,
      location=0x561c50745ef0 "../../source3/winbindd/winbindd_dual_ndr.c:209")
      at ../../lib/tevent/tevent_req.c:203
  #49 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab78b0,
      location=0x561c50745ef0 "../../source3/winbindd/winbindd_dual_ndr.c:209")
      at ../../lib/tevent/tevent_req.c:209
  #50 0x0000561c506e7782 in wbint_bh_raw_call_domain_done (subreq=0x0)
      at ../../source3/winbindd/winbindd_dual_ndr.c:209
  #51 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51a98750,
      location=0x561c50743390 "../../source3/winbindd/winbindd_dual.c:745")
      at ../../lib/tevent/tevent_req.c:151
  #52 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51a98750, state=TEVENT_REQ_DONE,
      location=0x561c50743390 "../../source3/winbindd/winbindd_dual.c:745")
      at ../../lib/tevent/tevent_req.c:203
  #53 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51a98750,
      location=0x561c50743390 "../../source3/winbindd/winbindd_dual.c:745")
      at ../../lib/tevent/tevent_req.c:209
  #54 0x0000561c506e30d3 in wb_domain_request_done (subreq=0x0)
      at ../../source3/winbindd/winbindd_dual.c:745
  #55 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab1a90,
      location=0x561c507429f8 "../../source3/winbindd/winbindd_dual.c:306")
      at ../../lib/tevent/tevent_req.c:151
  #56 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab1a90, state=TEVENT_REQ_DONE,
      location=0x561c507429f8 "../../source3/winbindd/winbindd_dual.c:306")
      at ../../lib/tevent/tevent_req.c:203
  #57 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab1a90,
      location=0x561c507429f8 "../../source3/winbindd/winbindd_dual.c:306")
      at ../../lib/tevent/tevent_req.c:209
  #58 0x0000561c506e1f8d in wb_child_request_done (subreq=0x561c51ab3ca0)
      at ../../source3/winbindd/winbindd_dual.c:306
  #59 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab3ca0,
      location=0x561c50723d98 "../../nsswitch/wb_reqtrans.c:432") at ../../lib/tevent/tevent_req.c:151
  #60 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab3ca0, state=TEVENT_REQ_DONE,
      location=0x561c50723d98 "../../nsswitch/wb_reqtrans.c:432") at ../../lib/tevent/tevent_req.c:203
  #61 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab3ca0,
      location=0x561c50723d98 "../../nsswitch/wb_reqtrans.c:432") at ../../lib/tevent/tevent_req.c:209
  #62 0x0000561c50696101 in wb_simple_trans_read_done (subreq=0x0) at ../../nsswitch/wb_reqtrans.c:432
  #63 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab6a20,
      location=0x561c50723a20 "../../nsswitch/wb_reqtrans.c:275") at ../../lib/tevent/tevent_req.c:151
  #64 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab6a20, state=TEVENT_REQ_DONE,
      location=0x561c50723a20 "../../nsswitch/wb_reqtrans.c:275") at ../../lib/tevent/tevent_req.c:203
  #65 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab6a20,
      location=0x561c50723a20 "../../nsswitch/wb_reqtrans.c:275") at ../../lib/tevent/tevent_req.c:209
  #66 0x0000561c50695adf in wb_resp_read_done (subreq=0x0) at ../../nsswitch/wb_reqtrans.c:275
  #67 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab6d70,
      location=0x7f0e7786fec8 "../../lib/async_req/async_sock.c:568") at ../../lib/tevent/tevent_req.c:151
  #68 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab6d70, state=TEVENT_REQ_DONE,
      location=0x7f0e7786fec8 "../../lib/async_req/async_sock.c:568") at ../../lib/tevent/tevent_req.c:203
  #69 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab6d70,
      location=0x7f0e7786fec8 "../../lib/async_req/async_sock.c:568") at ../../lib/tevent/tevent_req.c:209
  #70 0x00007f0e778255eb in read_packet_handler (ev=0x561c51a86670, fde=0x561c51b982a0, flags=1,
      private_data=0x561c51ab6d70) at ../../lib/async_req/async_sock.c:568
  #71 0x00007f0e780c9651 in tevent_common_invoke_fd_handler (fde=0x561c51b982a0, flags=1, removed=0x0)
      at ../../lib/tevent/tevent_fd.c:142
  #72 0x00007f0e780d448c in epoll_event_loop (epoll_ev=0x561c51a96380, tvalp=0x7ffe41b4f6f0)
      at ../../lib/tevent/tevent_epoll.c:737
  #73 0x00007f0e780d4aec in epoll_event_loop_once (ev=0x561c51a86670,
      location=0x561c50726a70 "../../source3/winbindd/winbindd.c:1734")
      at ../../lib/tevent/tevent_epoll.c:938
  #74 0x00007f0e780d1408 in std_event_loop_once (ev=0x561c51a86670,
      location=0x561c50726a70 "../../source3/winbindd/winbindd.c:1734")
      at ../../lib/tevent/tevent_standard.c:110
  #75 0x00007f0e780c8239 in _tevent_loop_once (ev=0x561c51a86670,
      location=0x561c50726a70 "../../source3/winbindd/winbindd.c:1734") at ../../lib/tevent/tevent.c:823
  #76 0x0000561c5069c4a3 in main (argc=1, argv=0x7ffe41b4fb28) at ../../source3/winbindd/winbindd.c:1734

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement membership by group and user names

$> varlink call -m unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetMemberships "{\"service\":\"org.samba.winbind\",\"groupName\":\"AFOREST+domain users\",\"userName\":\"AFOREST+user1\"}"
{
  "groupName": "AFOREST+domain users",
  "userName": "AFOREST+user1"
}

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement memberships by group name

$> userdbctl -s org.samba.winbind users-in-group "AFOREST+domain users"
Enabled services: org.samba.winbind
USER                  GROUP
AFOREST+administrator AFOREST+domain users
AFOREST+krbtgt        AFOREST+domain users
AFOREST+user1         AFOREST+domain users

3 memberships listed.

$> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group "AFOREST+domain users"
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+administrator"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+user1"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+krbtgt"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users:x:20513:AFOREST+administrator,AFOREST+user1,AFOREST+krbtgt

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement memberships by user

$> userdbctl -s org.samba.winbind groups-of-user AFOREST+user1
Enabled services: org.samba.winbind
USER          GROUP
AFOREST+user1 AFOREST+domain users
AFOREST+user1 AFOREST+user1

2 memberships listed.

$> SYSTEMD_LOG_LEVEL=7 getent -sinitgroups:systemd initgroups "AFOREST+domain users"
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"userName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+domain users"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
Failed to connect to /run/systemd/userdb/io.systemd.Multiplexer: No such file or directory
Unable to connect to /run/systemd/userdb/io.systemd.Multiplexer: No such file or directory
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+domain users"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
Failed to connect to /run/systemd/userdb/io.systemd.Multiplexer: No such file or directory
Unable to connect to /run/systemd/userdb/io.systemd.Multiplexer: No such file or directory
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users  20513 20513

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement memberships enumeration

$> varlink call -m unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetMemberships "{\"service\":\"org.samba.winbind\"}"
{
  "groupName": "AFOREST+schema admins",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+enterprise admins",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+domain admins",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+domain users",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+domain users",
  "userName": "AFOREST+user1"
}
{
  "groupName": "AFOREST+domain users",
  "userName": "AFOREST+krbtgt"
}
{
  "groupName": "AFOREST+domain guests",
  "userName": "AFOREST+guest"
}
{
  "groupName": "AFOREST+group policy creator owners",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+denied rodc password replication group",
  "userName": "AFOREST+krbtgt"
}

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get group record by name and gid

$> varlink call -m unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetGroupRecord "{\"service\":\"org.samba.winbind\",\"gid\":20513,\"groupName\":\"AFOREST+domain users\"}"
{
  "incomplete": false,
  "record": {
    "gid": 20513,
    "groupName": "AFOREST+domain users",
    "members": [
      "AFOREST+administrator",
      "AFOREST+user1",
      "AFOREST+krbtgt"
    ],
    "service": "org.samba.winbind"
  }
}

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get group record by name

$> userdbctl -s org.samba.winbind group "AFOREST+domain users"
Enabled services: org.samba.winbind
  Group name: AFOREST+domain users
 Disposition: regular
         GID: 20513
     Service: org.samba.winbind

$> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group "AFOREST+domain users"
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users:x:20513:AFOREST+administrator,AFOREST+user1,AFOREST+krbtgt

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get group record by gid

$> userdbctl -s org.samba.winbind group 20513
Enabled services: org.samba.winbind
  Group name: AFOREST+domain users
 Disposition: regular
         GID: 20513
     Service: org.samba.winbind

$> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group 20513
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"gid":20513,"service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users:x:20513:AFOREST+administrator,AFOREST+user1,AFOREST+krbtgt

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement group record enumeration

$> userdbctl -s org.samba.winbind group
   NAME                                            DISPOSITION        GID DESCRIPTION
   ...
   AFOREST+enterprise read-only domain controllers regular          20498 -
   AFOREST+domain admins                           regular          20512 -
   AFOREST+domain users                            regular          20513 -
   AFOREST+domain guests                           regular          20514 -
   AFOREST+domain computers                        regular          20515 -
   AFOREST+domain controllers                      regular          20516 -
   AFOREST+cert publishers                         regular          20517 -
   AFOREST+schema admins                           regular          20518 -
   AFOREST+enterprise admins                       regular          20519 -
   AFOREST+group policy creator owners             regular          20520 -
   AFOREST+read-only domain controllers            regular          20521 -
   AFOREST+cloneable domain controllers            regular          20522 -
   AFOREST+protected users                         regular          20525 -
   AFOREST+ras and ias servers                     regular          20553 -
   AFOREST+allowed rodc password replication group regular          20571 -
   AFOREST+denied rodc password replication group  regular          20572 -
   AFOREST+winrmremotewmiusers__                   regular          21000 -
   AFOREST+dnsadmins                               regular          21102 -
   AFOREST+dnsupdateproxy                          regular          21103 -
   ...

$> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":21000,"groupName":"AFOREST+winrmremotewmiusers__","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+winrmremotewmiusers__","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+winrmremotewmiusers__:x:21000:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20515,"groupName":"AFOREST+domain computers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain computers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain computers:x:20515:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20516,"groupName":"AFOREST+domain controllers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain controllers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain controllers:x:20516:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20518,"groupName":"AFOREST+schema admins","members":["AFOREST+administrator"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+schema admins","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+schema admins:x:20518:AFOREST+administrator
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20519,"groupName":"AFOREST+enterprise admins","members":["AFOREST+administrator"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+enterprise admins","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+enterprise admins:x:20519:AFOREST+administrator
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20517,"groupName":"AFOREST+cert publishers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+cert publishers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+cert publishers:x:20517:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20512,"groupName":"AFOREST+domain admins","members":["AFOREST+administrator"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain admins","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain admins:x:20512:AFOREST+administrator
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+user1","AFOREST+administrator","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users:x:20513:AFOREST+user1,AFOREST+administrator,AFOREST+krbtgt
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20514,"groupName":"AFOREST+domain guests","members":["AFOREST+guest"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain guests","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain guests:x:20514:AFOREST+guest
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20520,"groupName":"AFOREST+group policy creator owners","members":["AFOREST+administrator"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+group policy creator owners","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+group policy creator owners:x:20520:AFOREST+administrator
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20553,"groupName":"AFOREST+ras and ias servers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+ras and ias servers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+ras and ias servers:x:20553:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20571,"groupName":"AFOREST+allowed rodc password replication group","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+allowed rodc password replication group","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+allowed rodc password replication group:x:20571:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20572,"groupName":"AFOREST+denied rodc password replication group","members":["AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+denied rodc password replication group","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+denied rodc password replication group:x:20572:AFOREST+krbtgt
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20521,"groupName":"AFOREST+read-only domain controllers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+read-only domain controllers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+read-only domain controllers:x:20521:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20498,"groupName":"AFOREST+enterprise read-only domain controllers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+enterprise read-only domain controllers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+enterprise read-only domain controllers:x:20498:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20522,"groupName":"AFOREST+cloneable domain controllers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+cloneable domain controllers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+cloneable domain controllers:x:20522:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20525,"groupName":"AFOREST+protected users","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+protected users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+protected users:x:20525:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":21102,"groupName":"AFOREST+dnsadmins","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+dnsadmins","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+dnsadmins:x:21102:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":21103,"groupName":"AFOREST+dnsupdateproxy","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+dnsupdateproxy","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+dnsupdateproxy:x:21103:
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get user record by name and uid

$> varlink call unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetUserRecord "{\"service\":\"org.samba.winbind\",\"userName\":\"AFOREST+user1\",\"uid\":21105}"
{
  "incomplete": false,
  "record": {
    "gid": 20513,
    "homeDirectory": "/home/AFOREST/user1",
    "service": "org.samba.winbind",
    "shell": "/bin/bash",
    "uid": 21105,
    "userName": "AFOREST+user1"
  }
}

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get user record by name

$> userdbctl -s org.samba.winbind user AFOREST+user1
Enabled services: org.samba.winbind
   User name: AFOREST+user1
 Disposition: regular
    Login OK: yes
 Password OK: no (none set)
         UID: 21105
         GID: 20513 (unresolvable: No such process)
   Directory: /home/AFOREST/user1
     Storage: classic
       Shell: /bin/bash
   Passwords: none
     Service: org.samba.winbind

$> SYSTEMD_LOG_LEVEL=7 getent -spasswd:systemd passwd AFOREST+user1
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"AFOREST+user1","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/user1","service":"org.samba.winbind","shell":"/bin/bash","uid":21105,"userName":"AFOREST+user1"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+user1:x:21105:20513:AFOREST+user1:/home/AFOREST/user1:/bin/bash

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get user record by uid

$> userdbctl -s org.samba.winbind user 21105
Enabled services: org.samba.winbind
   User name: AFOREST+user1
 Disposition: regular
    Login OK: yes
 Password OK: no (none set)
         UID: 21105
         GID: 20513 (unresolvable: No such process)
   Directory: /home/AFOREST/user1
     Storage: classic
       Shell: /bin/bash
   Passwords: none
     Service: org.samba.winbind

$> SYSTEMD_LOG_LEVEL=7 getent -spasswd:systemd passwd 21105
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"uid":21105,"service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/user1","service":"org.samba.winbind","shell":"/bin/bash","uid":21105,"userName":"AFOREST+user1"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+user1:x:21105:20513:AFOREST+user1:/home/AFOREST/user1:/bin/bash

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement user record enumeration

$> userdbctl -s org.samba.winbind
Enabled services: org.samba.winbind
   NAME                           DISPOSITION        UID   GID REALNAME                     HOME                        SHELL
   ...
   AFOREST+administrator          regular          20500 20513 -                            /home/AFOREST/administrator /bin/bash
   AFOREST+guest                  regular          20501 20513 -                            /home/AFOREST/guest         /bin/bash
   AFOREST+krbtgt                 regular          20502 20513 -                            /home/AFOREST/krbtgt        /bin/bash
   AFOREST+user1                  regular          21105 20513 -                            /home/AFOREST/user1         /bin/bash
   ...

$> SYSTEMD_LOG_LEVEL=7 getent -spasswd:systemd passwd
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/administrator","service":"org.samba.winbind","shell":"/bin/bash","uid":20500,"userName":"AFOREST+administrator"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
AFOREST+administrator:x:20500:20513:AFOREST+administrator:/home/AFOREST/administrator:/bin/bash
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/guest","service":"org.samba.winbind","shell":"/bin/bash","uid":20501,"userName":"AFOREST+guest"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
AFOREST+guest:x:20501:20513:AFOREST+guest:/home/AFOREST/guest:/bin/bash
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/krbtgt","service":"org.samba.winbind","shell":"/bin/bash","uid":20502,"userName":"AFOREST+krbtgt"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
AFOREST+krbtgt:x:20502:20513:AFOREST+krbtgt:/home/AFOREST/krbtgt:/bin/bash
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/user1","service":"org.samba.winbind","shell":"/bin/bash","uid":21105,"userName":"AFOREST+user1"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+user1:x:21105:20513:AFOREST+user1:/home/AFOREST/user1:/bin/bash

$> ./bin/varlink-tool call unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetUserRecord "{\"service\":\"org.samba.winbind\"}" -m
...

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Add a function to craft a winbindd_cli_state structure

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Add io.systemd.UserDatabase interface

$> varlink info unix:/run/systemd/userdb/org.samba.winbind
Vendor: Samba
Product: Winbind
Version: 1
URL: https://samba.org
Interfaces:
  io.systemd.UserDatabase
  org.varlink.service

TODO libvarlink bug handling camel case interface names:
https://github.com/varlink/libvarlink/pull/58

$> varlink help unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase
interface io.systemd.UserDatabase

method GetUserRecord(
  uid: ?int,
  userName: ?string,
  service: string
) -> (record: object, incomplete: bool)

method GetGroupRecord(
  gid: ?int,
  groupName: ?string,
  service: string
) -> (record: object, incomplete: bool)

method GetMemberships(
  userName: ?string,
  groupName: ?string,
  service: string
) -> (userName: string, groupName: string)

error NoRecordFound ()

error BadService ()

error ServiceNotAvailable ()

error ConflictingRecordFound ()

error EnumerationNotSupported ()

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Create varlink socket directory

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Add varlink service

$> userdbctl services
SERVICE           LISTENING
org.samba.winbind yes

1 services listed.

$> varlink info unix:/run/systemd/userdb/org.samba.winbind
Vendor: Samba
Product: Winbind
Version: 1
URL: https://samba.org
Interfaces:
  org.varlink.service

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind: Add "winbind varlink service" smb.conf option

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

wscript: Add --with-systemd-userdb option

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind: Fix running in interactive mode

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

ctdb-scripts: Fix CTDB_BASE to allow event scripts to run standalone

commit 12fd8d7a5c5d14d403aac6cd9e318afcd0a8e159 broke this when it moved the eventscripts
 down a subdirectory without changing this boilerplate.

Signed-off-by: yogita72 <yogita.bijani@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Feb 19 02:43:44 UTC 2025 on atb-devel-224

python:lsa_utils: Fix fallback to OpenPolicy2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 17 18:33:15 UTC 2025 on atb-devel-224

python:lsa_utils: Don't use optional arguments for OpenPolicyFallback()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

pidl: Update documentation for DCERPC interface connections

https://realpython.com/documenting-python-code/

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

librpc:pyrpc: Allow new authenticated rpc connection on the same transport as the basis_connection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

dcesrv_core: Make dcesrv_call_disconnect_after() public

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:rpc_client: Use cli_rpc_pipe_reopen_np_noauth() for OpenPolicy fallback

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:rpc_cerver: Use dcerpc_lsa_open_policy3() for internal RPC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:rpc_client: Add cli_rpc_pipe_reopen_np_noauth()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

docs: Update documentation for 'sync machine password to keytab'

Use specifier 'spn_prefixes=host' instead of 'host'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Sat Feb 15 19:21:56 UTC 2025 on atb-devel-224

s3:libads: Remove specifier for 'host' principal from 'sync machine password to keytab'

Use specifier 'spn_prefixes=host' instead of 'host'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

pytests: test pysmbd with relative path names via samba-tool ntacl

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15806

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Fri Feb 14 16:18:19 UTC 2025 on atb-devel-224

pysmbd: Fix interactive samba-tool use after 0bb35e246141

samba-tool ntacl also calls into pysmbd, and 0bb35e246141 broke
relative path names. Thanks to Björn Baumbach <bb@sernet.de> for
testing interactively!!

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15806
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

pytests: test pysmbd with non-existent file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15807

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

pysmbd: Init mangle_fns

openat_pathref_fsp() eventually calls mangling functions, so we have
to initialize them.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15807
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:kdc: pass the full samba_kdc_db_context to most helper functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 14 15:19:24 UTC 2025 on atb-devel-224

s4:kdc: let struct samba_kdc_entry_pac remember the krbtgt samba_kdc_entry

This will allow us later to find the information needed to do
sid filtering of the pac.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:kdc: always go through samba_kdc_get_device_info_blob()

This means we always go through samba_kdc_get_user_info_dc()
both for client and also device pac.

It means we use the same logic regarding samba_krb5_pac_is_trusted()
and calling authsam_update_user_info_dc().

It means we do all logic on struct auth_user_info_dc
and only convert to PAC_DEVICE_INFO at the end.

Before we tried a mix of calling authsam_update_user_info_dc()
on a half constructed auth_user_info_dc,
while trying to apply the diff on auth_user_info_dc
to the also half constructed PAC_DEVICE_INFO.
Which can't work once auth_user_info_dc() will
apply sid filtering and the number of sids
may shrink.

Now we use authsam_update_user_info_dc()
followed by auth_convert_user_info_dc_saminfo3()
and samba_kdc_make_device_info().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

auth: remember the origin of sids from the PAC

So far the conversion from TGT PAC to
struct auth_user_info_dc back to TGS PAC
looses the information in what part of
the PAC_LOGON_INFO a sid was stored.

With this change we let
make_user_info_dc_{netlogon_validation,pac}()
remember this, so that
auth_convert_user_info_dc_sam{baseinfo,info6}()
can rebuild the information into the desired
parts of the PAC_LOGON_INFO.

This was found and fixed for sid filter related
tests, but it turns out that it already
fixes a few tests from samba.tests.krb5.device_tests.

All other places get an implicit AUTH_SID_ORIGIN_UNKNOWN (=0),
which means we use the same logic as before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:auth: simplify authsam_make_user_info_dc()

By using (struct auth_SidAttr) {} we don't leave
uninitialized memory if struct auth_SidAttr changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:auth: let authsam_make_user_info_dc() use helper variables for the rodcsid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:auth: let authsam_make_user_info_dc() use helper variables for the groupsid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:auth: let auth_domain_admin_user_info_dc() use talloc_zero_array(struct auth_SidAttr)

This means we won't leave uninitialized memory if
struct auth_SidAttr changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:auth: simplify auth_anonymous_user_info_dc()

By using (struct auth_SidAttr) {} we don't leave
uninitialized memory if struct auth_SidAttr changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:auth: simplify auth_system_user_info_dc()

By using (struct auth_SidAttr) {} we don't leave
uninitialized memory if struct auth_SidAttr changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:auth: let auth_generate_security_token() use auth_user_info_dc_expand_sids() for device_info

This means we'll also expand local groups for the device,
which was missing before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:auth: split auth_user_info_dc_expand_sids() out of auth_generate_security_token()

This way we'll be able to reuse it for the device sids in the
next commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:dsdb/common: simplify the logic in dsdb_expand_nested_groups()

By using (struct auth_SidAttr) {} we make sure struct auth_SidAttr
can change without leaving uninitialized memory.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:dsdb/common: use talloc_zero() in samdb_result_dom_sid_attrs()

This means struct auth_SidAttr can change without leaving
uninitialized memory.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:auth/ntlm: simplifiy logic in name_to_ntstatus_check_password()

Using (struct auth_SidAttr) {} means we won't leave
uninitialized memory arround if struct auth_SidAttr will
change in the following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

libcli/security: simplify logic in add_sid_to_array_attrs()

(struct auth_SidAttr) {} makes sure we don't leave uninitialized
memory in case struct auth_SidAttr will change (which will happen in
the next commits).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

auth: simplify logic in make_user_info_dc_{netlogon_validation,pac}()

It's better to use (struct auth_SidAttr) {} in order to
intialize all members.

struct auth_SidAttr will change in the next commits
and this makes it easier to review that we don't
leave some parts uninitialized.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

auth: let make_user_info_dc_netlogon_validation allocate the sid array in one go

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

auth: let make_user_info_dc_netlogon_validation validate all parameters first

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

auth: remove sid-filtering comment in make_user_info_dc_netlogon_validation

sid filtering will be done at a different level...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

auth.idl: make sure ndr_{push,pull}_auth_SidAttr() is never used

auth_SidAttr is currently not used for any IPC traffic,
with this change demonstrates that and makes sure it
stays that way.

It means we are free to change auth_SidAttr without the
need to change any ipc protocol version.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

libcli/security: add some more global_sid_ values required for SID filtering

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

ndr_claims: only use compression if it actually reduces the size

I have captures showing that claims compression depends on the payload
itself and how well it compresses, instead of the pure length of the
payload.

E.g. a single string claim with a value of 68 'a'
characters has an unpressed size of 336
and compressed size is 335.
While a single string with random string s1
has an unpressed size of 504 and it's still
uncompressed on the wire.
A different random string s2 also has an unpressed
size of 504, but it is compressed into a size of 502.

So it really depends if the compression makes it actually
smaller than the uncompressed version.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Feb 14 11:56:49 UTC 2025 on atb-devel-224

python:tests/krb5: only expect compressed claims if the compression reduces the size

I have captures showing that claims compression depends on the payload
itself and how well it compresses, instead of the pure length of the
payload.

E.g. a single string claim with a value of 68 'a'
characters has an unpressed size of 336
and compressed size is 335.
While a single string with random string s1
has an unpressed size of 504 and it's still
uncompressed on the wire.
A different random string s2 also has an unpressed
size of 504, but it is compressed into a size of 502.

So it really depends if the compression makes it actually
smaller than the uncompressed version.

This makes the tests more reliable against Windows DCs
with existing claims defined.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests: add ClaimsTransformationTests to security.py

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/security: add py_claims_tf_policy_{parse_rules,wrap_xml}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/security: add claims_tf_policy_[un]wrap_xml() for msDS-TransformationRules

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/security: add claims_tf_rule_set_parse_blob() for MS-CTA rules

It parses [MS-CTA] rules into structures.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

claims.idl: add some helper structs for claims transformation [MS-CTA]

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

mdssvc: support a few more attributes

This adds support for the following Spotlight Metadata Attributes:

  _kMDItemFileName (another alias for kMDItemFSName and kMDItemDisplayName)
  kMDItemLastUsedDate
  kMDItemContentCreationDate
  kMDItemLogicalSize (another alias for kMDItemFSSize)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15796

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

vfs_ceph_new:minor logging improvement

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15703

Signed-off-by: Shweta Sodani <ssodani@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Feb 14 10:57:50 UTC 2025 on atb-devel-224

docs-xml:smbdotconf: Document new options for 'sync machinepassword to keytab'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Feb 13 18:45:21 UTC 2025 on atb-devel-224

s3: Add new keytab specifiers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

ndr: fix coda logic around in ndr_pull_security_ace()

Sometimes an access allowed object ACE has unneeded trailing bytes,
like this:

                      aces: struct security_ace
                          type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                          flags                    : 0x00 (0)
                                 0: SEC_ACE_FLAG_OBJECT_INHERIT
                                 0: SEC_ACE_FLAG_CONTAINER_INHERIT
                                 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                                 0: SEC_ACE_FLAG_INHERIT_ONLY
                                 0: SEC_ACE_FLAG_INHERITED_ACE
                              0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                                 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                                 0: SEC_ACE_FLAG_FAILED_ACCESS
                          size                     : 0x0048 (72)
                          access_mask              : 0x00000100 (256)
                          object                   : union security_ace_object_ctr(case 1)
                          object: struct security_ace_object
                              flags                    : 0x00000001 (1)
                                     1: SEC_ACE_OBJECT_TYPE_PRESENT
                                     0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                              type                     : union security_ace_object_type(case 1)
                              type                     : edacfd8f-ffb3-11d1-b41d-00a0c968f939
                              inherited_type           : union security_ace_object_inherited_type(case 0)
                          trustee                  : S-1-3-0
                          coda                     : union security_ace_coda(case 5)
                          ignored                  : DATA_BLOB length=32
  [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
  [0010] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........

which we need to pull in order to ignore.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Feb 13 15:15:40 UTC 2025 on atb-devel-224

pytest: add ndr packing tests for security descriptors

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:tldap: add some const to 'const char * const *attrs'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Feb 13 13:14:02 UTC 2025 on atb-devel-224

s3:tldap: avoid using talloc_tos()

Async code should never use it without
creating its own stackframe!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

vfs_streams_depot: Introduce streams_depot_config_data

Read the vfs parameters just once: lp_parm_* are not free with their
string comparisons, calling them over and over again is unnecessary

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Feb 13 09:40:22 UTC 2025 on atb-devel-224

vfs: Allow WITH_BACKUP_INTENT in vfs openat functions

BACKUP_INTENT has no real meaning so far throughout our code, so we
should ignore and thus allow it in our openat-intercepting functions.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbindd: move dead code into a comment

We need to re-activate this once we support multitple domains
in out own forest.

Fixes CID 1642726:  Control flow issues  (UNREACHABLE)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Feb 11 23:18:02 UTC 2025 on atb-devel-224

libnet4: free tevent request even on error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15798

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Tue Feb 11 11:05:37 UTC 2025 on atb-devel-224

drsuapi.idl: fix source_dsa spelling

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Feb  8 19:49:33 UTC 2025 on atb-devel-224

security.idl: DOMAIN_RID_{FOREST,EXTERNAL}_TRUST_ACCOUNTS

These seem to be new in Windows 2025.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

security.idl: add SID_NT_THIS_ORGANIZATION_CERTIFICATE

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

security.idl: change ORGANISATION into ORGANIZATION

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

drsblobs.idl: make some scannerInfo related stuff public

This is needed in order to use ndr_pack() on them
in python code.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

drsblobs.idl: use dom_sid0 in ForestTrustDataDomainInfo

We already use ndr_size_dom_sid0() and when ForestTrustDataDomainInfo
is used as part of ForestTrustDataScannerInfo, sid_size is 0
and the subcontext for the sid is skipped.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

drsblobs.idl: introduce ForestTrustDataScannerInfo

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

drsblobs.idl: split explicit binary data and unknown data for ForestTrustData

For know FOREST_TRUST_SCANNER_INFO unknown.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

drsblobs.idl: set NDR_PAHEX for ForestTrustDataBinaryData

The dump_data hexdump is much easier to read...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:torture/ndr: add a ForestTrustInfo ndr test with FOREST_TRUST_SCANNER_INFO

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

drsblobs.idl: add support for ForestTrustInfo with FOREST_TRUST_SCANNER_INFO

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:kdc: let samba_kdc_trust_message2entry don't support WITHIN_FOREST and PIM_TRUST

These are not supported yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb  8 16:23:30 UTC 2025 on atb-devel-224

winbindd: don't support PIM_TRUST and WITHIN_FOREST

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: PIM trusts are not supported yet

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: a PIM trust requires FOREST_TRANSITIVE

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: WITHIN_FOREST together with FOREST_TRANSITIVE is invalid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: don't allow WITHIN_FOREST trusts

They are not supported yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: don't allow WITHIN_FOREST together with CROSS_ORGANIZATION

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server: dcesrv_lsa_DeleteObject needs to close the handles

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: let dcesrv_lsa_CreateTrustedDomain check for valid netbios name length

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: check for valid netbios name length for trusts

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests: let lsa_utils.py use valid netbios names

createtrustrelax has 16 characters, but only 15 are allowed
and they are typically uppercase.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: no longer send MSG_WINBIND_RELOAD_TRUSTED_DOMAINS

This is done by the "trust_notify" ldb module now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>