python:tests/krb5: let create_trust() take {ingress,egress}_claims_tf_rules

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 24 10:28:02 UTC 2025 on atb-devel-224

python:tests/krb5: let create_trust() take forest_info

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: let modified_ticket() to take modify_{tkt,enc}_fn

This makes it possible modify the public ticket part well as the enc part.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: add remove_pac_buffers()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: set_pac_claims with claims=[] should be an empty blob

Review with: git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: let set_pac_sids() replace the requester_sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: add set_pac_names() to modify the names in a pac

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: give KerberosTicketCreds a basic __str__() function

This makes debugging easier...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: let create_ccache[_with_ticket] use the correct crealm

It can be different from the servers realm.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: allow get_service_ticket() to fail with expected_status

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: add KerberosTicketCreds.set_srealm()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:testparm: make it clear that 'client use krb5 netlogon' is experimental

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15815

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 24 08:43:55 UTC 2025 on atb-devel-224

samba-tool/testparm: make it clear that 'client use krb5 netlogon' is experimental

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15815

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

docs-xml/smbdotconf: make it clear that 'client use krb5 netlogon' is experimental

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15815

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:kdc: split access check preparation from the actual check in samba_kdc_update_pac()

This allows us to add more access checks later...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 22 23:04:04 UTC 2025 on atb-devel-224

s4:kdc: let samba_kdc_get_claims_blob() check msDS-EgressClaimsTransformationPolicy

For now we only allow the implicit (default) or explicit allow all
policy, as well as a deny all policy.

For all others we return an error in order to indicate the
non-supported configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_claims_data() check msDS-IngressClaimsTransformationPolicy

For now we only allow the implicit (default) or explicit deny all
policy.

For all others we return an error in order to indicate the
non-supported configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: also fetch msDS-[In|E]gressClaimsTransformationPolicy

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: add dsdb_trust_get_claims_tf_policy()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_upn_info_blob()

There's no reason not to regenerate it, it makes the code more
consistent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_logon_info_blob()

The logic in samba_kdc_get_logon_info_blob() also does
talloc_zero(tmp_ctx, DATA_BLOB) followed by calling
samba_get_logon_info_pac_blob().

So we can always just call samba_kdc_get_logon_info_blob().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: also pass override_resource_groups to samba_kdc_get_logon_info_blob()

This will make the following changes easier...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move device_{info,claims}_blob generation in samba_kdc_update_pac()

We should generate the device blobs after generating the client blobs
and also after all access checking.

We also use the samba_kdc_get_claims_blob() helper,
which is currently only a wrapper around
claims_data_encoded_claims_set(), but that will change in future...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: regenerate the client claims blob in samba_kdc_update_pac() if needed

Note that samba_kdc_get_claims_data() already handles the
samba_kdc_entry_pac_issued_by_trust() case to clear the
claims received from a trusted domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_claims_data() indicate if regeneration is needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: rewrite the logic in samba_kdc_get_claims_data()

We should also go via samba_kdc_get_claims_data_from_pac()
if the pack was issued by a trust. But for now we still
clear the claims, which is the default if
msDS-IngressClaimsTransformationPolicy is missing
on the trustedDomain object.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_claims_data_from_pac() return if a buffer was found

This will simplify further changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_pac() use samba_kdc_get_claims_blob()

We should avoid calling claims_data_encoded_claims_set() directly,
we'll have to do more than claims_data_encoded_claims_set() in future,
so make sure we always go via the common samba_kdc_get_claims_blob()
helper.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_claims_blob() take struct claims_data as input.

It means samba_kdc_update_pac() does not call
samba_kdc_get_claims_data_from_db() twice,
as it's already called by samba_kdc_get_claims_data().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_update_pac() always fetch the user claims

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_update_pac() use samba_kdc_entry_pac_valid_principal() to check delegated_proxy

This might not be needed, but it's more consistent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: remove useless samba_kdc_get_user_info_dc() from samba_kdc_get_device_info_blob()

There's no need to call it again if the caller already did.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move user_info_dc_shallow_copy variable in samba_kdc_update_pac()

This is only needed as tmp variable in the if block...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move samba_kdc_get_user_info_dc() for the device in samba_kdc_update_pac()

We should can already call this in the 'need_device' branch, then
it can be reused later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move samba_kdc_get_user_info_dc() up in samba_kdc_update_pac()

This will make further changes easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: introduce need_device helper variable in samba_kdc_update_pac()

Also use samba_kdc_entry_pac_valid_principal() in order to catch
all conditions for a valid device. For principals issued by
trusted domains there's no device.entry pointer!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: make samba_kdc_get_{user_info_dc,claims_data} static

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: pass samba_kdc_entry_pac to samba_kdc_check_s4u2proxy_rbcd()

This simplifies and unifies the callers.

For the MIT kdc we avoid using via kerberos_pac_to_user_info_dc()
directly.

Now both go via samba_kdc_get_user_info_dc() and MIT also
handles the samba_kdc_get_claims_data() path.

For the MIT kdc it means kerberos_pac_to_user_info_dc() is now
called via samba_kdc_get_user_info_dc() ->
samba_kdc_get_user_info_from_pac() and it is followed by
authsam_update_user_info_dc() consistently.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move samba_kdc_check_s4u2proxy_rbcd() from db-glue to pac-glue

This will allow us to make more functions static in the next steps.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: make a lot of pac-glue.c functions static

This makes the code base less confusing (at least for me).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let mit_samba_get_pac() use samba_kdc_get_pac()

It means we port commit b42fbc78395870c3caa33aa1c9636a59fde9e867 also to the
MIT kdc and enforce authentication policy service restrictions when getting a PAC

We should have this logic only once in order to avoid getting out of
sync between heimdal and MIT regarding the core logic.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: split out samba_kdc_get_pac() from samba_wdc_get_pac()

samba_kdc_get_pac() will be re-used by mit_samba_get_pac() in
the next step.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: don't return ENOENT from samba_kdc_get_claims_data[_from_pac]

This will matter in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: use better variable names in samba_wdc_check_client_access()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:auth: avoid talloc_reference in claims_data_encoded_claims_set()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbindd: find_auth_domain() and find_lookup_domain_from_name() should handle namespaces

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 22 17:03:27 UTC 2025 on atb-devel-224

winbindd: add find_routing_from_namespace_noinit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbindd: remember ForestTrustInformation in routing_domain->fti

This will be used for sid/name filtering in the following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:passdb: add pdb_filter_hints()

This reveals information about our own domain/forest.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: let dcesrv_lsa_lookup_name_account() handle uPNSuffixes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_match_tln_namespace()

This will be used by the namespace filtering part of
sid filtering...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() check RODC callers check computer_name

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify do RODC checking

This implements MS-NRPC 3.5.4.5.1.2 RODC server cachability validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() return the computer_name

This will be used to implement the MS-NRPC 3.5.4.5.1.2 RODC server cachability validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: add NTLMv2_RESPONSE_verify_trust() checking

This implements MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:rpc_server/netlogon: let _netr_NTLMv2_RESPONSE_verify() generate trust_forest_domain_info array

MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
requires to pass information about the trust topology to
NTLMv2_RESPONSE_verify_netlogon_creds()...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify generate trust_forest_domain_info array

MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
requires to pass information about the trust topology to
NTLMv2_RESPONSE_verify_netlogon_creds()...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: pass trust_forest_domain_info array to NTLMv2_RESPONSE_verify_netlogon_creds

This will be used in the next commits in order to
implement MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:rpc_server/netlogon: split out _netr_NTLMv2_RESPONSE_verify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/netlogon: split out dcesrv_netr_NTLMv2_RESPONSE_verify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: split out NTLMv2_RESPONSE_verify_workstation()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

docs-xml/smbdotconf: add ft_scanner to 'server service'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb: add forest trust scanner service

See MS-ADTS 3.1.1.6.4 PDC Forest Trust Update

It basically connects to all forest trusts
and searches for crossRef objects with
SYSTEM_FLAG_CR_NTDS_DOMAIN under
CN=Partitions,CN=Configuration.

With this information it add/removes
FOREST_TRUST_SCANNER_INFO records into
the msDS-TrustForestTrustInfo of the local
trustedDomain object.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:tldap: add tldap_msg_rc() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbindd: make use of lsaR[G|S]etForestTrustInformation2 to allow SCANNER_INFO

Note that we don't need to handle a fallback to old servers,
because we only talk to ourself here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: add lsaR[G|S]etForestTrustInformation2 support to allow FOREST_TRUST_SCANNER_INFO

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_merge_forest_info() handle SCANNER and BINARY records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_normalize_forest_info_step2() handle SCANNER and BINARY records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_normalize_forest_info_step1() handle BINARY and SCANNER records

Note for scanner records we need to filter out duplicates,
but binary records may exist multiple times.

Review with: git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_forest_info_add_record() handle BINARY and SCANNER records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_info_from_lsa2() handle BINARY and SCANNER records

The tricky part is that we also need to upgrade
LSA_FOREST_TRUST_BINARY_DATA records into FOREST_TRUST_SCANNER_INFO records.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_lsa_2to2()

This normalizes LSA_FOREST_TRUST_BINARY_DATA in
LSA_FOREST_TRUST_SCANNER_INFO.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_{record_lsa_2to1,info_to_lsa}() handle SCANNER_INFO

We need to convert the [LSA_]FOREST_TRUST_SCANNER_INFO record
into a binary record, but with LSA_FOREST_TRUST_SCANNER_INFO
as type.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_{record_lsa_1to2,info_from_lsa}() handle BINARY and SCANNER records

The tricky part is that it's all based on the sub_type within
the binary data, if it's FOREST_TRUST_SCANNER_INFO the
record is upgraded to an LSA_FOREST_TRUST_SCANNER_INFO,
otherwise it's downgraded to a LSA_FOREST_TRUST_BINARY_DATA
record.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_record_to_lsa() handle BINARY and SCANNER records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_record_from_lsa() handle BINARY and SCANNER records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/util_trusts: convert most functions from lsa_ForestTrustInformation to lsa_ForestTrustInformation2

We use trust_forest_info_lsa_{1to2,2to1}() where needed.

This will make it possible to support
FOREST_TRUST_BINARY_DATA and FOREST_TRUST_SCANNER_INFO later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_lsa_{1to2,2to1}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_{from,to}_lsa2()

Note for now these will fail for FOREST_TRUST_BINARY_DATA and
FOREST_TRUST_SCANNER_INFO.

But this will still make the transition from
lsa_ForestTrustInformation to lsa_ForestTrustInformation2
easier.

Support for will FOREST_TRUST_BINARY_DATA and FOREST_TRUST_SCANNER_INFO
will be added before we implement the forest trust background scanner
job and the lsaRSetForestTrustInformation2 function.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: split out dcesrv_lsa_SetFTI()

This will help implementing dcesrv_lsa_lsaRSetForestTrustInformation2
later...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: split out dcesrv_lsa_QueryFTI()

This will help implementing dcesrv_lsa_lsaRQueryForestTrustInformation2
later...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: change trust_forest_record_to_lsa to lsa_ForestTrustRecord2

lsa_ForestTrustRecord2 is needed to represent all possible
ForestTrustInfoRecord types including SCANNER_INFO in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: change trust_forest_record_from_lsa to lsa_ForestTrustRecord2

lsa_ForestTrustRecord2 is needed to represent all possible
ForestTrustInfoRecord types including SCANNER_INFO in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: don't allocate in trust_forest_record_to_lsa()

It will help with the following changes to
allocate lsa_ForestTrustRecord in the caller.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: change logic in trust_forest_record_to_lsa() to avoid default:

We should let the compiler warn us if a enum type is missing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: split out trust_forest_record_from_lsa

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: always add msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is set

Windows (at least server 2025) always creates the default
msDS-TrustForestTrustInfo, with just a TOP_LEVEL_NAME and DOMAIN_INFO
representing the forest root domain of the trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: add allocation checks to fill_trust_domain_ex()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: add dsdb_trust_default_forest_info()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

dsdb:util_trusts: replace dsdb_trust_find_tln[_ex]_match() with trust_forest_info_tln[_ex]_match()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_tln[_ex]_match()

These are copies of dsdb_trust_find_tln[_ex]_match()
in source4/dsdb/common/util_trusts.c, which gets replaced
in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: fix talloc hierarchy in trust_forest_info_from_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: fix talloc hierarchy in trust_forest_record_to_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

dsdb:util_trusts: remove unused dsdb_trust_forest_info_{from,to}_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

dsdb:util_trusts: make use of trust_forest_info_to_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: make use of trust_forest_info_{from,to}_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_{from,to}_lsa()

They will replace the dsdb_trust_forest_info_{from,to}_lsa() functions.
They are just copied over.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add missing forward declarations for lsa_TrustDomainInfo{AuthInfo,Buffer}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/security: add dom_sid_match_prefix() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbind:varlink: Always reply with the requested username

The service io.systemd.Multiplexer will drop responses if the username in the
response does not match the requested name. This happens when the requested
username is an UPN and the response is a down-level user name (DOMAIN\user).

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Feb 20 09:05:46 UTC 2025 on atb-devel-224