nsswitch: Align integer types

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

nsswitch: Simplify wbcCtxDcInfo()

Use winbindd_free_response()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15775

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

dsdb: Align an integer type

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

dsdb: Simplification with generate_random_str_list_buf()

No NULL check required

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

torture4: Simplification with generate_random_str_list_buf()

No NULL check required

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

torture4: Align a few integer types

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

torture4: Use generate_random_str_list_buf()

Avoid a theoretical printf("%s", NULL)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smb1_srv: Use generate_random_str_list_buf()

Avoid a theoretical printf("%s", NULL)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: factor out generate_random_str_list_buf()

No talloc required

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Remove a pointless if-statement

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs: Use fsp_is_alternate_stream() in shadow_copy2

To me this makes the meaning of this if-statement more obvious

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Modernize a DEBUG

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

docs: Fix a copy&paste error

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs: Fix DBGs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

torture3: Fix an error message

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Use MIN() instead of explicit if-statement

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

samba-tool user disable: add new --remove-supplemental-groups option

Removes all supplemental groups from a user, what is commonly
wanted when a user is disabled.

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jule Anger <janger@samba.org>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Jan 23 19:51:05 UTC 2025 on atb-devel-224

samba-tool user disable: make sure that filter matches only one user

toggle_userAccountFlags() can only handle one user.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>

samba-tool user disable: rename filter variable to search_filter

filter() is a Python built-in function to filter iterables.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>

samba-tool user disable: set proper --filter option description

Seems to be copied from samba-tool user setpassword command.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>

samba-tool group removemembers: avoid python backtrace on error

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jule Anger <janger@samba.org>

python/samdb: no need to set member_base_dn multiple times

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>

python/samdb: fix group member removal by SID

Otherwise the removal of groupmembers by SID fails silently, because the
DN does not match the the DN in group member list.

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>

python/samdb: fix check which checks if user is already member of group

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>

python/samdb: rename filter variable to search_filter

filter() is a Python built-in function to filter iterables.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>

python/samdb: add missing function parameter description

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>

python/samdb: fix attribute name in parameter description

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>

third_party: Update socket_wrapper to version 1.4.4

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 23 11:28:32 UTC 2025 on atb-devel-224

lib:replace: Don't use deprecated readline CPPFunction cast

HAVE_RL_COMPLETION_FUNC_T was unused and not checking for the right
function.

libcli/smbreadline/smbreadline.c: In function ‘smb_readline’:
libcli/smbreadline/smbreadline.c:139:17: warning: ‘CPPFunction’ is deprecated [-Wdeprecated-declarations]
  139 |                 rl_attempted_completion_function = RL_COMPLETION_CAST completion_fn;
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libcli/smbreadline/smbreadline.c:139:50: error: assignment to ‘char ** (*)(const char *, int,  int)’ from incompatible pointer type ‘char ** (*)(void)’ [-Wincompatible-pointer-types]
  139 |                 rl_attempted_completion_function = RL_COMPLETION_CAST completion_fn;
      |                                                  ^

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15788

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 21 19:38:37 UTC 2025 on atb-devel-224

lib:replace: Remove trailing spaces from readline.h

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15788

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

vfs_fruit: Fix 63f0b59cbed

After 30 years of coding C, pointers and macros are still error-prone :-(

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Jan 20 08:00:24 UTC 2025 on atb-devel-224

lib:util: Fix stack-use-after-return in crypt_as_best_we_can()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15784

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jan 17 23:21:13 UTC 2025 on atb-devel-224

vfs_ceph_new: add smbprofile for async-ops

Commit fcd3fc34b2ec5e ("vfs_ceph_new: add profiling support") added
PROFILE accounting for non-async VFS hooks. Add also SMBPROFILE for
async (read/write/fsync) hooks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15703

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jan 17 16:47:28 UTC 2025 on atb-devel-224

auth: Cleanup exit code paths in kerberos_decode_pac().

One more memory leak missed and now fixed. tmp_ctx
must be freed once the pac data is talloc_move'd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jan 17 12:01:47 UTC 2025 on atb-devel-224

auth: Add missing talloc_free() in error code path.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jan 16 14:32:39 UTC 2025 on atb-devel-224

s3:winbindd: split our wb_gettoken_trybuiltins() helper

This makes the logical steps a bit cleaner and future changes easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jan 15 14:00:28 UTC 2025 on atb-devel-224

s3:winbindd: split out wb_gettoken_trylocalgroups() function

This makes the logical steps a bit cleaner and future changes easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: add winbindd_domain_verify_sid() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: consistently use add_sid_to_array_unique() in winbindd_ads.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: use struct initializers for all struct winbindd_methods cases

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:auth: let check_sam_security() add NETLOGON_NTLMV2_ENABLED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:auth/ntlm: let authsam_check_password_internals() add NETLOGON_NTLMV2_ENABLED

Windows returns NETLOGON_NTLMV2_ENABLED in all
netr_LogonSamLogon* response messages.
Even if NTLMv1 was actually used and also
for password authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python:tests/krb5: let netlogon.py check for NETLOGON_NTLMV2_ENABLED

It's there for network_samlogon and interactive_samlogon,
but not in ticket_samlogon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest: force 'client use krb5 netlogon = yes' for admem_idmap_autorid

With 'reject aes netlogon servers = yes' we prevent any fallback.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 14 00:37:34 UTC 2025 on atb-devel-224

s4:torture/rpc: add rpc.pac tests with DCERPC_SCHANNEL_KRB5/ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

selftest: add 'server support krb5 netlogon = yes' for fl2008r2dc

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:torture/rpc: let rpc.samlogon also test DCERPC_SCHANNEL_KRB5/ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:torture/rpc: let rpc.samlogon test credential_flags again...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:torture/rpc: let rpc.schannel also use of DCERPC_SCHANNEL_KRB5

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:torture/rpc: prepare test_lsa_ops for ServerAuthenticateKerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:torture/rpc: use expected_{account,authority}_name variables in test_lsa_ops

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:torture/rpc: prepare netlogon tests for ServerAuthenticateKerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:torture/rpc: prepare lsa lookup tests for ServerAuthenticateKerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:torture/rpc: make more use of netlogon_creds_client_verify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:librpc/rpc: implement DCERPC_SCHANNEL_KRB5

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:tests: let test_update_keytab.sh use rpc changetrustpw --server

If we pass the server name via -I/--ipaddress means we internally loose
the server name and fail to use kerberos with just the ip address.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests: let s3_net_join.py avoid kerberos_state=DONT_USE_KERBEROS

We may use ServerAuthenticateKerberos in future and that needed to
use kerberos.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

testprogs/blackbox: let test_rpcclient_schannel.sh explicitly use --option=clientusekrb5netlogon

This also tests lsa over kerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests: let auth_log.py also test --option=clientusekrb5netlogon=yes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests: let auth_log.py explicitly use --option=clientusekrb5netlogon=no

It also add some additional checks to make sure netlogon with AES was
used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests: let auth_log.py use self.assertIn(received, [4, 5]

This will simplify further changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

selftest: add 'server support krb5 netlogon = yes' for ad_dc_ntvfs

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

libcli/auth: add support for ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:winbindd: split out cm_connect_schannel_or_krb5() helper

This will allow us to use ServerAuthenticateKerberos() later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:cli_netlogon: prepare for netr_ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:winbindd: use GENSEC_FEATURE_NO_DELEGATION for trust credentials for netlogon

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:rpcclient: use GENSEC_FEATURE_NO_DELEGATION for trust credentials

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:libnet_join: use GENSEC_FEATURE_NO_DELEGATION for trust credentials

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:cli_netlogon: use GENSEC_FEATURE_NO_DELEGATION for trust credentials

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

libcli/auth: add netlogon_creds_cli_use_kerberos() helper

This allows the calling code to decide if a krb5 or anonymous
netlogon connection should be tried.

Currently we don't try ServerAuthenticateKerberos, but that will change
in a few commits. But before we need to prepare the callers...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

docs-xml/smbdotconf: add "client use krb5 netlogon" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

docs-xml/smbdotconf: add "reject aes netlogon servers" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:libads: prepare trust_pw_change() for ServerAuthenticateKerberos()

We use kerberos_kinit_passwords_ext() to check the password before
and after ServerPasswordSet2() as ServerAuthenticateKerberos()
does not check it. We use the ip address of the dcerpc connection
in order to use a fixed KDC, so that we talk to the same server
that also received the ServerPasswordSet2().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:libads: rename variables in trust_pw_change()

We'll have more than nt_hashes soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

vfs_ceph_new: add profiling support

Signed-off-by: Shweta Sodani <ssodani@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jan 13 21:26:34 UTC 2025 on atb-devel-224

sharesec: Check if share exists in configuration

Load config from registry without share info and check if sharename
exists from configuration. This results into lesser delay for the same.

In case of view we load config with all shares to ensure we get all
shares for diplay purpose.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780

Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jan 10 10:45:30 UTC 2025 on atb-devel-224

sharesec: Add function to check existence of share from config

Add function to detect if a share name exists in the registry or config file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780

Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

param: Add API to load registry without share info

As number of shares increases loading entire registry configuration along with
share information becomes very costly operation.
Since we may not require share information all time, we can optimise
this by using API just loading configuration without any share info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780

Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

sharesec: Fix warning frame not freed in order

This change should fix following warning:
Freed frame ../../source3/utils/sharesec.c:515, expected ../../source3/utils/sharesec.c:637

Frame was not getting freed in case of servicename is NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780

Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

s3-sharesec: Add Test to verify command option "--view-all"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>

s4:selftest: samba.tests.krb5.netlogon don't need explicit FAST_SUPPORT

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jan  8 10:16:50 UTC 2025 on atb-devel-224

python:tests/krb5: let netlogon.py test referral ticket for SEC_CHAN_DNS_DOMAIN

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: allow get_service_ticket to accept a trust referral ticket without kvno

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: allow tickets without a kvno

This is needed for trust referrals.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: let netlogon.py export changed passwords to keytab

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: add domain trust tests to netlogon.py

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: add a create_trust() helper function to test trusted domains

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: allow exporting a keytab file of the accounts used by the tests

EXPORT_KEYTAB_FILE=/dev/shm/export.keytab
EXPORT_KEYTAB_APPEND=0 or 1
EXPORT_EXISTING_CREDS_TO_KEYTAB=0 or 1
EXPORT_GIVEN_CREDS_TO_KEYTAB=0 or 1

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: add KerberosCredentials.[g|s]et_trust_{incoming,outgoing,account}_creds

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

pycredentials: add [g|s]et_old_nt_hash()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:rpc_server/netlogon: fix error codes for netr_NetrLogonSendToSam() with SEC_CHAN_RODC

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:rpc_server/netlogon: an RODC is not allowed to call netr_ServerPasswordGet()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: let netlogon.py run the tests also as rodc

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: allow netlogon.py tests to work against a KDC with claims enabled

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: allow get_mock_rodc_krbtgt_creds(preserve=False) to create a tmp rodc

This also exposes credentials for the machine account for netlogon
testing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

python:tests/krb5: fix etypes_to_test values in RawKerberosTest

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:rpc_server/netlogon: fill netlogon_creds_CredentialState->tdo_guid

This will help us to lookup the tdo object using a <GUID=TDO-GUID>
search base.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

schannel.idl: add tdo_guid to netlogon_creds_CredentialState

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s4:dsdb: fix logic of dsdb_trust_routing_by_name()

We need to use the longest dnsname match as possible.

If we are the domain samba.example.com and have a trust
to example.com, a routing request for dc.samba.example.com
should return the tdo for samba.example.com instead
of example.com.

I reproduced the problem with the following diff:

> diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
> index 15d7692b5d64..6e9595b784c4 100644
> --- a/selftest/target/Samba.pm
> +++ b/selftest/target/Samba.pm
> @@ -564,7 +564,7 @@ sub realm_to_ip_mappings
>   'samba2000.example.com'           => 'dc5',
>   'samba2003.example.com'           => 'dc6',
>   'samba2008r2.example.com'         => 'dc7',
> - 'addom.samba.example.com'         => 'addc',
> + 'addom.samba2008r2.example.com'         => 'addc',
>   'addom2.samba.example.com'        => 'addcsmb1',
>   'sub.samba.example.com'           => 'localsubdc',
>   'chgdcpassword.samba.example.com' => 'chgdcpass',
> diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> index 0e4cf50235c3..6bca0cfd0c89 100755
> --- a/selftest/target/Samba4.pm
> +++ b/selftest/target/Samba4.pm
> @@ -2631,7 +2631,7 @@ sub setup_fl2008r2dc
>       return undef;
>   }
>
> - $env = $self->setup_trust($env, $ad_dc_vars, "forest", "");
> + $env = $self->setup_trust($env, $ad_dc_vars, "forest", "--skip-validation");
>   if (!defined $env) {
>       return undef;
>   }
> @@ -2843,7 +2843,7 @@ sub _setup_ad_dc
>   $server = "addc";
>   }
>   if (!defined($dom)) {
> - $dom = "addom.samba.example.com";
> + $dom = "addom.samba2008r2.example.com";
>   }
>   my $env = $self->provision_ad_dc($path, $server, "ADDOMAIN",
>    $dom,

and running:
 make -j testenv SELFTEST_TESTENV="fl2008r2dc:local"

Inside the testenv:
bin/smbclient //addc.addom.samba2008r2.example.com/netlogon \
  -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD \
  --use-kerberos=required \
  -c 'ls'

It lets the KDC of ADDOM.SAMBA2008R2.EXAMPLE.COM to
generate a (referral) ticket for
krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA2008R2.EXAMPLE.COM
instead of
cifs/addc.addom.samba2008r2.example.com@ADDOM.SAMBA2008R2.EXAMPLE.COM

As ADDOM.SAMBA2008R2.EXAMPLE.COM has a forest trust (without msDS-TrustForestTrustInfo)
to SAMBA2008R2.EXAMPLE.COM dsdb_trust_update_best_tln() overwrote the
best match of addom.samba2008r2.example.com with samba2008r2.example.com.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15778

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jan  8 04:14:47 UTC 2025 on atb-devel-224