winbindd: remember ForestTrustInformation in routing_domain->fti

This will be used for sid/name filtering in the following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:passdb: add pdb_filter_hints()

This reveals information about our own domain/forest.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: let dcesrv_lsa_lookup_name_account() handle uPNSuffixes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_match_tln_namespace()

This will be used by the namespace filtering part of
sid filtering...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() check RODC callers check computer_name

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify do RODC checking

This implements MS-NRPC 3.5.4.5.1.2 RODC server cachability validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() return the computer_name

This will be used to implement the MS-NRPC 3.5.4.5.1.2 RODC server cachability validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: add NTLMv2_RESPONSE_verify_trust() checking

This implements MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:rpc_server/netlogon: let _netr_NTLMv2_RESPONSE_verify() generate trust_forest_domain_info array

MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
requires to pass information about the trust topology to
NTLMv2_RESPONSE_verify_netlogon_creds()...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify generate trust_forest_domain_info array

MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
requires to pass information about the trust topology to
NTLMv2_RESPONSE_verify_netlogon_creds()...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: pass trust_forest_domain_info array to NTLMv2_RESPONSE_verify_netlogon_creds

This will be used in the next commits in order to
implement MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:rpc_server/netlogon: split out _netr_NTLMv2_RESPONSE_verify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/netlogon: split out dcesrv_netr_NTLMv2_RESPONSE_verify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: split out NTLMv2_RESPONSE_verify_workstation()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

docs-xml/smbdotconf: add ft_scanner to 'server service'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb: add forest trust scanner service

See MS-ADTS 3.1.1.6.4 PDC Forest Trust Update

It basically connects to all forest trusts
and searches for crossRef objects with
SYSTEM_FLAG_CR_NTDS_DOMAIN under
CN=Partitions,CN=Configuration.

With this information it add/removes
FOREST_TRUST_SCANNER_INFO records into
the msDS-TrustForestTrustInfo of the local
trustedDomain object.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:tldap: add tldap_msg_rc() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbindd: make use of lsaR[G|S]etForestTrustInformation2 to allow SCANNER_INFO

Note that we don't need to handle a fallback to old servers,
because we only talk to ourself here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: add lsaR[G|S]etForestTrustInformation2 support to allow FOREST_TRUST_SCANNER_INFO

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_merge_forest_info() handle SCANNER and BINARY records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_normalize_forest_info_step2() handle SCANNER and BINARY records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_normalize_forest_info_step1() handle BINARY and SCANNER records

Note for scanner records we need to filter out duplicates,
but binary records may exist multiple times.

Review with: git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_forest_info_add_record() handle BINARY and SCANNER records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_info_from_lsa2() handle BINARY and SCANNER records

The tricky part is that we also need to upgrade
LSA_FOREST_TRUST_BINARY_DATA records into FOREST_TRUST_SCANNER_INFO records.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_lsa_2to2()

This normalizes LSA_FOREST_TRUST_BINARY_DATA in
LSA_FOREST_TRUST_SCANNER_INFO.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_{record_lsa_2to1,info_to_lsa}() handle SCANNER_INFO

We need to convert the [LSA_]FOREST_TRUST_SCANNER_INFO record
into a binary record, but with LSA_FOREST_TRUST_SCANNER_INFO
as type.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_{record_lsa_1to2,info_from_lsa}() handle BINARY and SCANNER records

The tricky part is that it's all based on the sub_type within
the binary data, if it's FOREST_TRUST_SCANNER_INFO the
record is upgraded to an LSA_FOREST_TRUST_SCANNER_INFO,
otherwise it's downgraded to a LSA_FOREST_TRUST_BINARY_DATA
record.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_record_to_lsa() handle BINARY and SCANNER records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_record_from_lsa() handle BINARY and SCANNER records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/util_trusts: convert most functions from lsa_ForestTrustInformation to lsa_ForestTrustInformation2

We use trust_forest_info_lsa_{1to2,2to1}() where needed.

This will make it possible to support
FOREST_TRUST_BINARY_DATA and FOREST_TRUST_SCANNER_INFO later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_lsa_{1to2,2to1}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_{from,to}_lsa2()

Note for now these will fail for FOREST_TRUST_BINARY_DATA and
FOREST_TRUST_SCANNER_INFO.

But this will still make the transition from
lsa_ForestTrustInformation to lsa_ForestTrustInformation2
easier.

Support for will FOREST_TRUST_BINARY_DATA and FOREST_TRUST_SCANNER_INFO
will be added before we implement the forest trust background scanner
job and the lsaRSetForestTrustInformation2 function.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: split out dcesrv_lsa_SetFTI()

This will help implementing dcesrv_lsa_lsaRSetForestTrustInformation2
later...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: split out dcesrv_lsa_QueryFTI()

This will help implementing dcesrv_lsa_lsaRQueryForestTrustInformation2
later...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: change trust_forest_record_to_lsa to lsa_ForestTrustRecord2

lsa_ForestTrustRecord2 is needed to represent all possible
ForestTrustInfoRecord types including SCANNER_INFO in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: change trust_forest_record_from_lsa to lsa_ForestTrustRecord2

lsa_ForestTrustRecord2 is needed to represent all possible
ForestTrustInfoRecord types including SCANNER_INFO in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: don't allocate in trust_forest_record_to_lsa()

It will help with the following changes to
allocate lsa_ForestTrustRecord in the caller.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: change logic in trust_forest_record_to_lsa() to avoid default:

We should let the compiler warn us if a enum type is missing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: split out trust_forest_record_from_lsa

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: always add msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is set

Windows (at least server 2025) always creates the default
msDS-TrustForestTrustInfo, with just a TOP_LEVEL_NAME and DOMAIN_INFO
representing the forest root domain of the trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: add allocation checks to fill_trust_domain_ex()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: add dsdb_trust_default_forest_info()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

dsdb:util_trusts: replace dsdb_trust_find_tln[_ex]_match() with trust_forest_info_tln[_ex]_match()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_tln[_ex]_match()

These are copies of dsdb_trust_find_tln[_ex]_match()
in source4/dsdb/common/util_trusts.c, which gets replaced
in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: fix talloc hierarchy in trust_forest_info_from_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: fix talloc hierarchy in trust_forest_record_to_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

dsdb:util_trusts: remove unused dsdb_trust_forest_info_{from,to}_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

dsdb:util_trusts: make use of trust_forest_info_to_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: make use of trust_forest_info_{from,to}_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_{from,to}_lsa()

They will replace the dsdb_trust_forest_info_{from,to}_lsa() functions.
They are just copied over.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add missing forward declarations for lsa_TrustDomainInfo{AuthInfo,Buffer}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/security: add dom_sid_match_prefix() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbind:varlink: Always reply with the requested username

The service io.systemd.Multiplexer will drop responses if the username in the
response does not match the requested name. This happens when the requested
username is an UPN and the response is a down-level user name (DOMAIN\user).

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Feb 20 09:05:46 UTC 2025 on atb-devel-224

winbind:varlink: Print varlink replies

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Initialize variables

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind: Add a check for "winbind varlink service"

Print a warning in winbindd startup if the option is enabled
but samba was built without systemd's userdb support.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3/utils: Add a check for "winbind varlink service"

Warn when the option is enabled but samba was built without systemd's userdb
support.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Set the disposition field in user records

Set the disposition field in the user record, otherwise systemd could derive it
from the uid based on its configured ranges.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Check memory allocation when creating the records

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

pytests/varlink: Add varlink tests

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

bootstrap: Install libvarlink and python3-varlink for selftests

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Avoid recursion

Avoid recursion while dispatching a call. This is similar to the _NO_WINBINDD
environment variable that nss_winbind uses, but on the server side.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Improve membership enumeration continue flag handling

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Install connection closed handler

If the connection is closed by the client the ongoing tevent_req must be
cancelled, otherwise winbindd receives a SIGBUS when trying to write in
the closed stream.

  [2023/02/08 12:56:41.308393,  0] ../../lib/util/fault.c:173(smb_panic_log)
    ===============================================================
  [2023/02/08 12:56:41.308438,  0] ../../lib/util/fault.c:174(smb_panic_log)
    INTERNAL ERROR: Signal 7: Bus error in pid 24407 (4.19.0pre1-DEVELOPERBUILD)
  [2023/02/08 12:56:41.308451,  0] ../../lib/util/fault.c:178(smb_panic_log)
    If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
  [2023/02/08 12:56:41.308463,  0] ../../lib/util/fault.c:183(smb_panic_log)
    ===============================================================
  [2023/02/08 12:56:41.308473,  0] ../../lib/util/fault.c:184(smb_panic_log)
    PANIC (pid 24407): Signal 7: Bus error in 4.19.0pre1-DEVELOPERBUILD

Backtrace:

  #0  0x00007f0e76853997 in wait4 () from /lib64/libc.so.6
  #1  0x00007f0e767c591b in do_system () from /lib64/libc.so.6
  #2  0x00007f0e7785ce43 in smb_panic_s3 (why=0x7ffe41b4e110 "Signal 7: Bus error")
      at ../../source3/lib/util.c:698
  #3  0x00007f0e76ce59f1 in smb_panic (why=0x7ffe41b4e110 "Signal 7: Bus error")
      at ../../lib/util/fault.c:198
  #4  0x00007f0e76ce54d0 in fault_report (sig=7) at ../../lib/util/fault.c:82
  #5  0x00007f0e76ce54e5 in sig_fault (sig=7) at ../../lib/util/fault.c:93
  #6  <signal handler called>
  #7  varlink_stream_write (stream=0x656d614e72657375, message=<optimized out>) at ../lib/stream.c:303
  #8  0x00007f0e76c5aa35 in varlink_call_reply (call=0x561c51aafe60, parameters=<optimized out>, flags=1)
      at ../lib/service.c:651
  #9  0x0000561c506a7e5b in membership_reply (call=0x561c51aafe60,
      username=0x561c51aaa860 "AFOREST+buser1", groupname=0x561c51acae58 "AFOREST+bgroup453",
      continues=true) at ../../source3/winbindd/winbindd_varlink_getmemberships.c:36
  #10 0x0000561c506a9793 in memberships_by_user_getgrgid_done (req=0x0)
      at ../../source3/winbindd/winbindd_varlink_getmemberships.c:481
  #11 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab2d30,
      location=0x561c5075b870 "../../source3/winbindd/winbindd_getgrgid.c:110")
      at ../../lib/tevent/tevent_req.c:151
  #12 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab2d30, state=TEVENT_REQ_DONE,
      location=0x561c5075b870 "../../source3/winbindd/winbindd_getgrgid.c:110")
      at ../../lib/tevent/tevent_req.c:203
  #13 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab2d30,
      location=0x561c5075b870 "../../source3/winbindd/winbindd_getgrgid.c:110")
      at ../../lib/tevent/tevent_req.c:209
  #14 0x0000561c50713770 in winbindd_getgrgid_done (subreq=0x0)
      at ../../source3/winbindd/winbindd_getgrgid.c:110
  #15 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51a98c50,
      location=0x561c507559b0 "../../source3/winbindd/wb_getgrsid.c:201")
      at ../../lib/tevent/tevent_req.c:151
  #16 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51a98c50, state=TEVENT_REQ_DONE,
      location=0x561c507559b0 "../../source3/winbindd/wb_getgrsid.c:201")
      at ../../lib/tevent/tevent_req.c:203
  #17 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51a98c50,
      location=0x561c507559b0 "../../source3/winbindd/wb_getgrsid.c:201")
      at ../../lib/tevent/tevent_req.c:209
  #18 0x0000561c50708d22 in wb_getgrsid_got_members (subreq=0x0)
      at ../../source3/winbindd/wb_getgrsid.c:201
  #19 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51aa9e80,
      location=0x561c50755310 "../../source3/winbindd/wb_group_members.c:463")
      at ../../lib/tevent/tevent_req.c:151
  #20 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51aa9e80, state=TEVENT_REQ_DONE,
      location=0x561c50755310 "../../source3/winbindd/wb_group_members.c:463")
      at ../../lib/tevent/tevent_req.c:203
  #21 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51aa9e80,
      location=0x561c50755310 "../../source3/winbindd/wb_group_members.c:463")
      at ../../lib/tevent/tevent_req.c:209
  #22 0x0000561c507082a6 in wb_group_members_done (subreq=0x0)
      at ../../source3/winbindd/wb_group_members.c:463
  #23 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab1e00,
      location=0x561c50754f18 "../../source3/winbindd/wb_group_members.c:252")
      at ../../lib/tevent/tevent_req.c:151
  #24 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab1e00, state=TEVENT_REQ_DONE,
      location=0x561c50754f18 "../../source3/winbindd/wb_group_members.c:252")
      at ../../lib/tevent/tevent_req.c:203
  #25 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab1e00,
      location=0x561c50754f18 "../../source3/winbindd/wb_group_members.c:252")
      at ../../lib/tevent/tevent_req.c:209
  #26 0x0000561c50707903 in wb_groups_members_done (subreq=0x0)
      at ../../source3/winbindd/wb_group_members.c:252
  #27 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51aafad0,
      location=0x561c50754bf0 "../../source3/winbindd/wb_group_members.c:102")
      at ../../lib/tevent/tevent_req.c:151
  #28 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51aafad0, state=TEVENT_REQ_DONE,
      location=0x561c50754bf0 "../../source3/winbindd/wb_group_members.c:102")
      at ../../lib/tevent/tevent_req.c:203
  #29 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51aafad0,
      location=0x561c50754bf0 "../../source3/winbindd/wb_group_members.c:102")
      at ../../lib/tevent/tevent_req.c:209
  #30 0x0000561c5070732e in wb_lookupgroupmem_done (subreq=0x0)
      at ../../source3/winbindd/wb_group_members.c:102
  #31 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab66a0,
      location=0x7f0e77bc5f18 "librpc/gen_ndr/ndr_winbind_c.c:2888") at ../../lib/tevent/tevent_req.c:151
  #32 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab66a0, state=TEVENT_REQ_DONE,
      location=0x7f0e77bc5f18 "librpc/gen_ndr/ndr_winbind_c.c:2888") at ../../lib/tevent/tevent_req.c:203
  #33 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab66a0,
      location=0x7f0e77bc5f18 "librpc/gen_ndr/ndr_winbind_c.c:2888") at ../../lib/tevent/tevent_req.c:209
  #34 0x00007f0e77bba4a7 in dcerpc_wbint_LookupGroupMembers_done (subreq=0x0)
      at librpc/gen_ndr/ndr_winbind_c.c:2888
  #35 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51aa1dc0,
      location=0x7f0e77bc5d28 "librpc/gen_ndr/ndr_winbind_c.c:2773") at ../../lib/tevent/tevent_req.c:151
  #36 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51aa1dc0, state=TEVENT_REQ_DONE,
      location=0x7f0e77bc5d28 "librpc/gen_ndr/ndr_winbind_c.c:2773") at ../../lib/tevent/tevent_req.c:203
  #37 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51aa1dc0,
      location=0x7f0e77bc5d28 "librpc/gen_ndr/ndr_winbind_c.c:2773") at ../../lib/tevent/tevent_req.c:209
  #38 0x00007f0e77bba0ef in dcerpc_wbint_LookupGroupMembers_r_done (subreq=0x0)
      at librpc/gen_ndr/ndr_winbind_c.c:2773
  #39 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab51f0,
      location=0x7f0e7810b4d0 "../../librpc/rpc/binding_handle.c:520") at ../../lib/tevent/tevent_req.c:151
  #40 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab51f0, state=TEVENT_REQ_DONE,
      location=0x7f0e7810b4d0 "../../librpc/rpc/binding_handle.c:520") at ../../lib/tevent/tevent_req.c:203
  #41 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab51f0,
      location=0x7f0e7810b4d0 "../../librpc/rpc/binding_handle.c:520") at ../../lib/tevent/tevent_req.c:209
  #42 0x00007f0e780f6bec in dcerpc_binding_handle_call_done (subreq=0x0)
      at ../../librpc/rpc/binding_handle.c:520
  #43 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51aaacf0,
      location=0x7f0e7810b090 "../../librpc/rpc/binding_handle.c:203") at ../../lib/tevent/tevent_req.c:151
  #44 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51aaacf0, state=TEVENT_REQ_DONE,
      location=0x7f0e7810b090 "../../librpc/rpc/binding_handle.c:203") at ../../lib/tevent/tevent_req.c:203
  #45 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51aaacf0,
      location=0x7f0e7810b090 "../../librpc/rpc/binding_handle.c:203") at ../../lib/tevent/tevent_req.c:209
  #46 0x00007f0e780f60d2 in dcerpc_binding_handle_raw_call_done (subreq=0x0)
      at ../../librpc/rpc/binding_handle.c:203
  #47 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab78b0,
      location=0x561c50745ef0 "../../source3/winbindd/winbindd_dual_ndr.c:209")
      at ../../lib/tevent/tevent_req.c:151
  #48 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab78b0, state=TEVENT_REQ_DONE,
      location=0x561c50745ef0 "../../source3/winbindd/winbindd_dual_ndr.c:209")
      at ../../lib/tevent/tevent_req.c:203
  #49 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab78b0,
      location=0x561c50745ef0 "../../source3/winbindd/winbindd_dual_ndr.c:209")
      at ../../lib/tevent/tevent_req.c:209
  #50 0x0000561c506e7782 in wbint_bh_raw_call_domain_done (subreq=0x0)
      at ../../source3/winbindd/winbindd_dual_ndr.c:209
  #51 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51a98750,
      location=0x561c50743390 "../../source3/winbindd/winbindd_dual.c:745")
      at ../../lib/tevent/tevent_req.c:151
  #52 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51a98750, state=TEVENT_REQ_DONE,
      location=0x561c50743390 "../../source3/winbindd/winbindd_dual.c:745")
      at ../../lib/tevent/tevent_req.c:203
  #53 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51a98750,
      location=0x561c50743390 "../../source3/winbindd/winbindd_dual.c:745")
      at ../../lib/tevent/tevent_req.c:209
  #54 0x0000561c506e30d3 in wb_domain_request_done (subreq=0x0)
      at ../../source3/winbindd/winbindd_dual.c:745
  #55 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab1a90,
      location=0x561c507429f8 "../../source3/winbindd/winbindd_dual.c:306")
      at ../../lib/tevent/tevent_req.c:151
  #56 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab1a90, state=TEVENT_REQ_DONE,
      location=0x561c507429f8 "../../source3/winbindd/winbindd_dual.c:306")
      at ../../lib/tevent/tevent_req.c:203
  #57 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab1a90,
      location=0x561c507429f8 "../../source3/winbindd/winbindd_dual.c:306")
      at ../../lib/tevent/tevent_req.c:209
  #58 0x0000561c506e1f8d in wb_child_request_done (subreq=0x561c51ab3ca0)
      at ../../source3/winbindd/winbindd_dual.c:306
  #59 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab3ca0,
      location=0x561c50723d98 "../../nsswitch/wb_reqtrans.c:432") at ../../lib/tevent/tevent_req.c:151
  #60 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab3ca0, state=TEVENT_REQ_DONE,
      location=0x561c50723d98 "../../nsswitch/wb_reqtrans.c:432") at ../../lib/tevent/tevent_req.c:203
  #61 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab3ca0,
      location=0x561c50723d98 "../../nsswitch/wb_reqtrans.c:432") at ../../lib/tevent/tevent_req.c:209
  #62 0x0000561c50696101 in wb_simple_trans_read_done (subreq=0x0) at ../../nsswitch/wb_reqtrans.c:432
  #63 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab6a20,
      location=0x561c50723a20 "../../nsswitch/wb_reqtrans.c:275") at ../../lib/tevent/tevent_req.c:151
  #64 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab6a20, state=TEVENT_REQ_DONE,
      location=0x561c50723a20 "../../nsswitch/wb_reqtrans.c:275") at ../../lib/tevent/tevent_req.c:203
  #65 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab6a20,
      location=0x561c50723a20 "../../nsswitch/wb_reqtrans.c:275") at ../../lib/tevent/tevent_req.c:209
  #66 0x0000561c50695adf in wb_resp_read_done (subreq=0x0) at ../../nsswitch/wb_reqtrans.c:275
  #67 0x00007f0e780cb413 in _tevent_req_notify_callback (req=0x561c51ab6d70,
      location=0x7f0e7786fec8 "../../lib/async_req/async_sock.c:568") at ../../lib/tevent/tevent_req.c:151
  #68 0x00007f0e780cb577 in tevent_req_finish (req=0x561c51ab6d70, state=TEVENT_REQ_DONE,
      location=0x7f0e7786fec8 "../../lib/async_req/async_sock.c:568") at ../../lib/tevent/tevent_req.c:203
  #69 0x00007f0e780cb5a3 in _tevent_req_done (req=0x561c51ab6d70,
      location=0x7f0e7786fec8 "../../lib/async_req/async_sock.c:568") at ../../lib/tevent/tevent_req.c:209
  #70 0x00007f0e778255eb in read_packet_handler (ev=0x561c51a86670, fde=0x561c51b982a0, flags=1,
      private_data=0x561c51ab6d70) at ../../lib/async_req/async_sock.c:568
  #71 0x00007f0e780c9651 in tevent_common_invoke_fd_handler (fde=0x561c51b982a0, flags=1, removed=0x0)
      at ../../lib/tevent/tevent_fd.c:142
  #72 0x00007f0e780d448c in epoll_event_loop (epoll_ev=0x561c51a96380, tvalp=0x7ffe41b4f6f0)
      at ../../lib/tevent/tevent_epoll.c:737
  #73 0x00007f0e780d4aec in epoll_event_loop_once (ev=0x561c51a86670,
      location=0x561c50726a70 "../../source3/winbindd/winbindd.c:1734")
      at ../../lib/tevent/tevent_epoll.c:938
  #74 0x00007f0e780d1408 in std_event_loop_once (ev=0x561c51a86670,
      location=0x561c50726a70 "../../source3/winbindd/winbindd.c:1734")
      at ../../lib/tevent/tevent_standard.c:110
  #75 0x00007f0e780c8239 in _tevent_loop_once (ev=0x561c51a86670,
      location=0x561c50726a70 "../../source3/winbindd/winbindd.c:1734") at ../../lib/tevent/tevent.c:823
  #76 0x0000561c5069c4a3 in main (argc=1, argv=0x7ffe41b4fb28) at ../../source3/winbindd/winbindd.c:1734

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement membership by group and user names

$> varlink call -m unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetMemberships "{\"service\":\"org.samba.winbind\",\"groupName\":\"AFOREST+domain users\",\"userName\":\"AFOREST+user1\"}"
{
  "groupName": "AFOREST+domain users",
  "userName": "AFOREST+user1"
}

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement memberships by group name

$> userdbctl -s org.samba.winbind users-in-group "AFOREST+domain users"
Enabled services: org.samba.winbind
USER                  GROUP
AFOREST+administrator AFOREST+domain users
AFOREST+krbtgt        AFOREST+domain users
AFOREST+user1         AFOREST+domain users

3 memberships listed.

$> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group "AFOREST+domain users"
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+administrator"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+user1"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+krbtgt"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users:x:20513:AFOREST+administrator,AFOREST+user1,AFOREST+krbtgt

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement memberships by user

$> userdbctl -s org.samba.winbind groups-of-user AFOREST+user1
Enabled services: org.samba.winbind
USER          GROUP
AFOREST+user1 AFOREST+domain users
AFOREST+user1 AFOREST+user1

2 memberships listed.

$> SYSTEMD_LOG_LEVEL=7 getent -sinitgroups:systemd initgroups "AFOREST+domain users"
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"userName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+domain users"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
Failed to connect to /run/systemd/userdb/io.systemd.Multiplexer: No such file or directory
Unable to connect to /run/systemd/userdb/io.systemd.Multiplexer: No such file or directory
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"groupName":"AFOREST+domain users","userName":"AFOREST+domain users"}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
Failed to connect to /run/systemd/userdb/io.systemd.Multiplexer: No such file or directory
Unable to connect to /run/systemd/userdb/io.systemd.Multiplexer: No such file or directory
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users  20513 20513

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement memberships enumeration

$> varlink call -m unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetMemberships "{\"service\":\"org.samba.winbind\"}"
{
  "groupName": "AFOREST+schema admins",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+enterprise admins",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+domain admins",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+domain users",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+domain users",
  "userName": "AFOREST+user1"
}
{
  "groupName": "AFOREST+domain users",
  "userName": "AFOREST+krbtgt"
}
{
  "groupName": "AFOREST+domain guests",
  "userName": "AFOREST+guest"
}
{
  "groupName": "AFOREST+group policy creator owners",
  "userName": "AFOREST+administrator"
}
{
  "groupName": "AFOREST+denied rodc password replication group",
  "userName": "AFOREST+krbtgt"
}

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get group record by name and gid

$> varlink call -m unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetGroupRecord "{\"service\":\"org.samba.winbind\",\"gid\":20513,\"groupName\":\"AFOREST+domain users\"}"
{
  "incomplete": false,
  "record": {
    "gid": 20513,
    "groupName": "AFOREST+domain users",
    "members": [
      "AFOREST+administrator",
      "AFOREST+user1",
      "AFOREST+krbtgt"
    ],
    "service": "org.samba.winbind"
  }
}

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get group record by name

$> userdbctl -s org.samba.winbind group "AFOREST+domain users"
Enabled services: org.samba.winbind
  Group name: AFOREST+domain users
 Disposition: regular
         GID: 20513
     Service: org.samba.winbind

$> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group "AFOREST+domain users"
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users:x:20513:AFOREST+administrator,AFOREST+user1,AFOREST+krbtgt

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get group record by gid

$> userdbctl -s org.samba.winbind group 20513
Enabled services: org.samba.winbind
  Group name: AFOREST+domain users
 Disposition: regular
         GID: 20513
     Service: org.samba.winbind

$> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group 20513
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"gid":20513,"service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+administrator","AFOREST+user1","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users:x:20513:AFOREST+administrator,AFOREST+user1,AFOREST+krbtgt

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement group record enumeration

$> userdbctl -s org.samba.winbind group
   NAME                                            DISPOSITION        GID DESCRIPTION
   ...
   AFOREST+enterprise read-only domain controllers regular          20498 -
   AFOREST+domain admins                           regular          20512 -
   AFOREST+domain users                            regular          20513 -
   AFOREST+domain guests                           regular          20514 -
   AFOREST+domain computers                        regular          20515 -
   AFOREST+domain controllers                      regular          20516 -
   AFOREST+cert publishers                         regular          20517 -
   AFOREST+schema admins                           regular          20518 -
   AFOREST+enterprise admins                       regular          20519 -
   AFOREST+group policy creator owners             regular          20520 -
   AFOREST+read-only domain controllers            regular          20521 -
   AFOREST+cloneable domain controllers            regular          20522 -
   AFOREST+protected users                         regular          20525 -
   AFOREST+ras and ias servers                     regular          20553 -
   AFOREST+allowed rodc password replication group regular          20571 -
   AFOREST+denied rodc password replication group  regular          20572 -
   AFOREST+winrmremotewmiusers__                   regular          21000 -
   AFOREST+dnsadmins                               regular          21102 -
   AFOREST+dnsupdateproxy                          regular          21103 -
   ...

$> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":21000,"groupName":"AFOREST+winrmremotewmiusers__","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+winrmremotewmiusers__","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+winrmremotewmiusers__:x:21000:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20515,"groupName":"AFOREST+domain computers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain computers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain computers:x:20515:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20516,"groupName":"AFOREST+domain controllers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain controllers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain controllers:x:20516:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20518,"groupName":"AFOREST+schema admins","members":["AFOREST+administrator"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+schema admins","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+schema admins:x:20518:AFOREST+administrator
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20519,"groupName":"AFOREST+enterprise admins","members":["AFOREST+administrator"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+enterprise admins","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+enterprise admins:x:20519:AFOREST+administrator
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20517,"groupName":"AFOREST+cert publishers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+cert publishers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+cert publishers:x:20517:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20512,"groupName":"AFOREST+domain admins","members":["AFOREST+administrator"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain admins","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain admins:x:20512:AFOREST+administrator
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20513,"groupName":"AFOREST+domain users","members":["AFOREST+user1","AFOREST+administrator","AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain users:x:20513:AFOREST+user1,AFOREST+administrator,AFOREST+krbtgt
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20514,"groupName":"AFOREST+domain guests","members":["AFOREST+guest"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+domain guests","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+domain guests:x:20514:AFOREST+guest
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20520,"groupName":"AFOREST+group policy creator owners","members":["AFOREST+administrator"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+group policy creator owners","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+group policy creator owners:x:20520:AFOREST+administrator
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20553,"groupName":"AFOREST+ras and ias servers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+ras and ias servers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+ras and ias servers:x:20553:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20571,"groupName":"AFOREST+allowed rodc password replication group","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+allowed rodc password replication group","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+allowed rodc password replication group:x:20571:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20572,"groupName":"AFOREST+denied rodc password replication group","members":["AFOREST+krbtgt"],"service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+denied rodc password replication group","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+denied rodc password replication group:x:20572:AFOREST+krbtgt
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20521,"groupName":"AFOREST+read-only domain controllers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+read-only domain controllers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+read-only domain controllers:x:20521:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20498,"groupName":"AFOREST+enterprise read-only domain controllers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+enterprise read-only domain controllers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+enterprise read-only domain controllers:x:20498:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20522,"groupName":"AFOREST+cloneable domain controllers","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+cloneable domain controllers","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+cloneable domain controllers:x:20522:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20525,"groupName":"AFOREST+protected users","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+protected users","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+protected users:x:20525:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":21102,"groupName":"AFOREST+dnsadmins","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+dnsadmins","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+dnsadmins:x:21102:
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":21103,"groupName":"AFOREST+dnsupdateproxy","service":"org.samba.winbind"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST+dnsupdateproxy","service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+dnsupdateproxy:x:21103:
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"error":"io.systemd.UserDatabase.NoRecordFound"}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
Got lookup error: io.systemd.UserDatabase.NoRecordFound
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get user record by name and uid

$> varlink call unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetUserRecord "{\"service\":\"org.samba.winbind\",\"userName\":\"AFOREST+user1\",\"uid\":21105}"
{
  "incomplete": false,
  "record": {
    "gid": 20513,
    "homeDirectory": "/home/AFOREST/user1",
    "service": "org.samba.winbind",
    "shell": "/bin/bash",
    "uid": 21105,
    "userName": "AFOREST+user1"
  }
}

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get user record by name

$> userdbctl -s org.samba.winbind user AFOREST+user1
Enabled services: org.samba.winbind
   User name: AFOREST+user1
 Disposition: regular
    Login OK: yes
 Password OK: no (none set)
         UID: 21105
         GID: 20513 (unresolvable: No such process)
   Directory: /home/AFOREST/user1
     Storage: classic
       Shell: /bin/bash
   Passwords: none
     Service: org.samba.winbind

$> SYSTEMD_LOG_LEVEL=7 getent -spasswd:systemd passwd AFOREST+user1
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"AFOREST+user1","service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/user1","service":"org.samba.winbind","shell":"/bin/bash","uid":21105,"userName":"AFOREST+user1"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+user1:x:21105:20513:AFOREST+user1:/home/AFOREST/user1:/bin/bash

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement get user record by uid

$> userdbctl -s org.samba.winbind user 21105
Enabled services: org.samba.winbind
   User name: AFOREST+user1
 Disposition: regular
    Login OK: yes
 Password OK: no (none set)
         UID: 21105
         GID: 20513 (unresolvable: No such process)
   Directory: /home/AFOREST/user1
     Storage: classic
       Shell: /bin/bash
   Passwords: none
     Service: org.samba.winbind

$> SYSTEMD_LOG_LEVEL=7 getent -spasswd:systemd passwd 21105
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"uid":21105,"service":"org.samba.winbind"}}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/user1","service":"org.samba.winbind","shell":"/bin/bash","uid":21105,"userName":"AFOREST+user1"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+user1:x:21105:20513:AFOREST+user1:/home/AFOREST/user1:/bin/bash

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Implement user record enumeration

$> userdbctl -s org.samba.winbind
Enabled services: org.samba.winbind
   NAME                           DISPOSITION        UID   GID REALNAME                     HOME                        SHELL
   ...
   AFOREST+administrator          regular          20500 20513 -                            /home/AFOREST/administrator /bin/bash
   AFOREST+guest                  regular          20501 20513 -                            /home/AFOREST/guest         /bin/bash
   AFOREST+krbtgt                 regular          20502 20513 -                            /home/AFOREST/krbtgt        /bin/bash
   AFOREST+user1                  regular          21105 20513 -                            /home/AFOREST/user1         /bin/bash
   ...

$> SYSTEMD_LOG_LEVEL=7 getent -spasswd:systemd passwd
varlink: Setting state idle-client
/run/systemd/userdb/org.samba.winbind: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"service":"org.samba.winbind"},"more":true}
/run/systemd/userdb/org.samba.winbind: Changing state idle-client → awaiting-reply-more
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/administrator","service":"org.samba.winbind","shell":"/bin/bash","uid":20500,"userName":"AFOREST+administrator"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
AFOREST+administrator:x:20500:20513:AFOREST+administrator:/home/AFOREST/administrator:/bin/bash
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/guest","service":"org.samba.winbind","shell":"/bin/bash","uid":20501,"userName":"AFOREST+guest"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
AFOREST+guest:x:20501:20513:AFOREST+guest:/home/AFOREST/guest:/bin/bash
/run/systemd/userdb/org.samba.winbind: New incoming message: {"continues":true,"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/krbtgt","service":"org.samba.winbind","shell":"/bin/bash","uid":20502,"userName":"AFOREST+krbtgt"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → awaiting-reply-more
AFOREST+krbtgt:x:20502:20513:AFOREST+krbtgt:/home/AFOREST/krbtgt:/bin/bash
/run/systemd/userdb/org.samba.winbind: New incoming message: {"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/user1","service":"org.samba.winbind","shell":"/bin/bash","uid":21105,"userName":"AFOREST+user1"}}}
/run/systemd/userdb/org.samba.winbind: Changing state awaiting-reply-more → processing-reply
/run/systemd/userdb/org.samba.winbind: Changing state processing-reply → idle-client
AFOREST+user1:x:21105:20513:AFOREST+user1:/home/AFOREST/user1:/bin/bash

$> ./bin/varlink-tool call unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase.GetUserRecord "{\"service\":\"org.samba.winbind\"}" -m
...

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Add a function to craft a winbindd_cli_state structure

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Add io.systemd.UserDatabase interface

$> varlink info unix:/run/systemd/userdb/org.samba.winbind
Vendor: Samba
Product: Winbind
Version: 1
URL: https://samba.org
Interfaces:
  io.systemd.UserDatabase
  org.varlink.service

TODO libvarlink bug handling camel case interface names:
https://github.com/varlink/libvarlink/pull/58

$> varlink help unix:/run/systemd/userdb/org.samba.winbind/io.systemd.UserDatabase
interface io.systemd.UserDatabase

method GetUserRecord(
  uid: ?int,
  userName: ?string,
  service: string
) -> (record: object, incomplete: bool)

method GetGroupRecord(
  gid: ?int,
  groupName: ?string,
  service: string
) -> (record: object, incomplete: bool)

method GetMemberships(
  userName: ?string,
  groupName: ?string,
  service: string
) -> (userName: string, groupName: string)

error NoRecordFound ()

error BadService ()

error ServiceNotAvailable ()

error ConflictingRecordFound ()

error EnumerationNotSupported ()

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Create varlink socket directory

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind:varlink: Add varlink service

$> userdbctl services
SERVICE           LISTENING
org.samba.winbind yes

1 services listed.

$> varlink info unix:/run/systemd/userdb/org.samba.winbind
Vendor: Samba
Product: Winbind
Version: 1
URL: https://samba.org
Interfaces:
  org.varlink.service

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind: Add "winbind varlink service" smb.conf option

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

wscript: Add --with-systemd-userdb option

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

winbind: Fix running in interactive mode

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

ctdb-scripts: Fix CTDB_BASE to allow event scripts to run standalone

commit 12fd8d7a5c5d14d403aac6cd9e318afcd0a8e159 broke this when it moved the eventscripts
 down a subdirectory without changing this boilerplate.

Signed-off-by: yogita72 <yogita.bijani@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Feb 19 02:43:44 UTC 2025 on atb-devel-224

python:lsa_utils: Fix fallback to OpenPolicy2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 17 18:33:15 UTC 2025 on atb-devel-224

python:lsa_utils: Don't use optional arguments for OpenPolicyFallback()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

pidl: Update documentation for DCERPC interface connections

https://realpython.com/documenting-python-code/

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

librpc:pyrpc: Allow new authenticated rpc connection on the same transport as the basis_connection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

dcesrv_core: Make dcesrv_call_disconnect_after() public

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:rpc_client: Use cli_rpc_pipe_reopen_np_noauth() for OpenPolicy fallback

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:rpc_cerver: Use dcerpc_lsa_open_policy3() for internal RPC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:rpc_client: Add cli_rpc_pipe_reopen_np_noauth()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

docs: Update documentation for 'sync machine password to keytab'

Use specifier 'spn_prefixes=host' instead of 'host'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Sat Feb 15 19:21:56 UTC 2025 on atb-devel-224

s3:libads: Remove specifier for 'host' principal from 'sync machine password to keytab'

Use specifier 'spn_prefixes=host' instead of 'host'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

pytests: test pysmbd with relative path names via samba-tool ntacl

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15806

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Fri Feb 14 16:18:19 UTC 2025 on atb-devel-224

pysmbd: Fix interactive samba-tool use after 0bb35e246141

samba-tool ntacl also calls into pysmbd, and 0bb35e246141 broke
relative path names. Thanks to Björn Baumbach <bb@sernet.de> for
testing interactively!!

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15806
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

pytests: test pysmbd with non-existent file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15807

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

pysmbd: Init mangle_fns

openat_pathref_fsp() eventually calls mangling functions, so we have
to initialize them.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15807
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:kdc: pass the full samba_kdc_db_context to most helper functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Feb 14 15:19:24 UTC 2025 on atb-devel-224

s4:kdc: let struct samba_kdc_entry_pac remember the krbtgt samba_kdc_entry

This will allow us later to find the information needed to do
sid filtering of the pac.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>