sharesec: Fix warning frame not freed in order

This change should fix following warning:
Freed frame ../../source3/utils/sharesec.c:515, expected ../../source3/utils/sharesec.c:637

Frame was not getting freed in case of servicename is NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780

Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 04531e1b1d25d114c470922547bee769b07e5e60)

s3-sharesec: Add Test to verify command option "--view-all"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
(cherry picked from commit 0a12254ea8b3414deebc3e6329025052c650356e)

s4:dsdb: fix logic of dsdb_trust_routing_by_name()

We need to use the longest dnsname match as possible.

If we are the domain samba.example.com and have a trust
to example.com, a routing request for dc.samba.example.com
should return the tdo for samba.example.com instead
of example.com.

I reproduced the problem with the following diff:

> diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
> index 15d7692b5d64..6e9595b784c4 100644
> --- a/selftest/target/Samba.pm
> +++ b/selftest/target/Samba.pm
> @@ -564,7 +564,7 @@ sub realm_to_ip_mappings
>   'samba2000.example.com'           => 'dc5',
>   'samba2003.example.com'           => 'dc6',
>   'samba2008r2.example.com'         => 'dc7',
> - 'addom.samba.example.com'         => 'addc',
> + 'addom.samba2008r2.example.com'         => 'addc',
>   'addom2.samba.example.com'        => 'addcsmb1',
>   'sub.samba.example.com'           => 'localsubdc',
>   'chgdcpassword.samba.example.com' => 'chgdcpass',
> diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
> index 0e4cf50235c3..6bca0cfd0c89 100755
> --- a/selftest/target/Samba4.pm
> +++ b/selftest/target/Samba4.pm
> @@ -2631,7 +2631,7 @@ sub setup_fl2008r2dc
>       return undef;
>   }
>
> - $env = $self->setup_trust($env, $ad_dc_vars, "forest", "");
> + $env = $self->setup_trust($env, $ad_dc_vars, "forest", "--skip-validation");
>   if (!defined $env) {
>       return undef;
>   }
> @@ -2843,7 +2843,7 @@ sub _setup_ad_dc
>   $server = "addc";
>   }
>   if (!defined($dom)) {
> - $dom = "addom.samba.example.com";
> + $dom = "addom.samba2008r2.example.com";
>   }
>   my $env = $self->provision_ad_dc($path, $server, "ADDOMAIN",
>    $dom,

and running:
 make -j testenv SELFTEST_TESTENV="fl2008r2dc:local"

Inside the testenv:
bin/smbclient //addc.addom.samba2008r2.example.com/netlogon \
  -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD \
  --use-kerberos=required \
  -c 'ls'

It lets the KDC of ADDOM.SAMBA2008R2.EXAMPLE.COM to
generate a (referral) ticket for
krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA2008R2.EXAMPLE.COM
instead of
cifs/addc.addom.samba2008r2.example.com@ADDOM.SAMBA2008R2.EXAMPLE.COM

As ADDOM.SAMBA2008R2.EXAMPLE.COM has a forest trust (without msDS-TrustForestTrustInfo)
to SAMBA2008R2.EXAMPLE.COM dsdb_trust_update_best_tln() overwrote the
best match of addom.samba2008r2.example.com with samba2008r2.example.com.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15778

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jan  8 04:14:47 UTC 2025 on atb-devel-224

(cherry picked from commit 56947612452c32bd26f30ad6c9767830fe608d67)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Thu Jan  9 09:56:59 UTC 2025 on atb-devel-224

s4:scripting: fix gen_hresult.py

Commit 6877e4849e81ed8f7f355fa4069f13a134e999ce reversed the
return values of hresult_errstr() and hresult_errstr_const().

hresult_errstr() should return "HRES_SEC_E_WRONG_PRINCIPAL",
while hresult_errstr_const() should return
"The target principal name is incorrect.".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15769

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 6e0e9c4efc86f5ec4566aa0220ed4a74ad5436c1)

pam_winbind: Fix Bug 15771

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15771

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 7e8bfe738a3d91b0724d57ed54acf40ebe026c14)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Thu Dec 19 10:40:28 UTC 2024 on atb-devel-224

selftest: Add test for vfs crossrename module

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15724

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 02d4f58a2f7ac2db60dd2e4d16a3cbf71b3f08a9)

docs:manpage: vfs_crossrename is not fully stackable VFS module

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15724

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 94c9a99c56db438c391a966c927ec2f862c373e7)

s3:vfs_crossrename: add back checking for errno ENOENT

strace gives a clue: samba try to remove 'file.txt' in the dst folder but
actually it is not existed yet, and got an errno = ENOENT,

renameat(32, "file.txt", 31, "file.txt") = -1 EXDEV (Invalid cross-device link)
unlinkat(31, "file.txt", 0)             = -1 ENOENT (No such file or directory)

Commit 5c18f074be92 ("s3: VFS: crossrename. Use real dirfsp for
SMB_VFS_RENAMEAT()") seems unintentionally removed errno ENOENT checking,
so add it back could address 1st issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15724

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1a089a16c40e0b3bc5d4fcde559157cf137056c2)

s3:vfs_crossrename: crossrename_renameat() needs to return 0 if copy_reg() is successful

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15724

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0a9adc85e77bc557bb8be12237fa31c4142dd3d5)

s3:vfs_crossrename: avoid locking panic in copy_reg()

Use low level backend functions that don't go through the FSA layer.
Done via calling transfer_file() as it was in version before 5c18f07

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15724

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0a5da82f75a43838be3419cab10a50750fa500d7)

s4:rpc_server: make use of dcesrv_assoc_group_common_destructor()

Currently this should not be needed, but it's better to
call dcesrv_assoc_group_common_destructor() in all assoc_group
destructors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 19657be71d7cec5ac58a5d6969dc1d6ae7c5b517)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Dec 18 09:51:41 UTC 2024 on atb-devel-224

s3:rpc_server: make use of dcesrv_assoc_group_common_destructor()

We need to detach dcesrv_iface_state from dcesrv_assoc_group,
if dcesrv_assoc_group is free'ed first.

Typically this doesn't happen, but it does when
rpc_worker_connection_terminated explicitly calls
talloc_unlink(conn, conn->assoc_group)
and dcesrv_iface_state_store_conn() is used.

But we better do it in all assoc_group destructors.

==381007==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d000004f80 at pc 0x7f15fc12e0ac bp 0x7ffe43267780 sp 0x7ffe43267778
READ of size 8 at 0x50d000004f80 thread T0
    #0 0x7f15fc12e0ab in dcesrv_iface_state_destructor ../../librpc/rpc/dcesrv_handles.c:166
    #1 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #2 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #3 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #4 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #5 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #6 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #7 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #8 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #9 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #10 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #11 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #12 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #13 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #14 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #15 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #16 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #17 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #18 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #19 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #20 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #21 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #22 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #23 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #24 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #25 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #26 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #27 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #28 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #29 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #30 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #31 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #32 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #33 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #34 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #35 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #36 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #37 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #38 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #39 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #40 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #41 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #42 0x7f15fbff9691 in tstream_bsd_readv_handler ../../lib/tsocket/tsocket_bsd.c:2080
    #43 0x7f15fbff6f85 in tstream_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:1764
    #44 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #45 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #46 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #47 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #48 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #49 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #50 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #51 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #52 0x7f15f7c2a378 in __libc_start_main_impl ../csu/libc-start.c:360
    #53 0x5632ae162e64 in _start ../sysdeps/x86_64/start.S:115

0x50d000004f80 is located 112 bytes inside of 136-byte region [0x50d000004f10,0x50d000004f98)
freed by thread T0 here:
    #0 0x7f15fcefb418 in free ../../../../libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f15fc0f857d in _tc_free_internal ../../lib/talloc/talloc.c:1222
    #2 0x7f15fc0f8d0f in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #3 0x7f15fc0f8d0f in talloc_unlink ../../lib/talloc/talloc.c:1473
    #4 0x7f15fc934580 in rpc_worker_connection_terminated ../../source3/rpc_server/rpc_worker.c:143
    #5 0x7f15fc9310bd in dcesrv_connection_destructor ../../source3/rpc_server/rpc_worker.c:175
    #6 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #7 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #8 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #9 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #10 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #11 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #12 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #13 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #14 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #15 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #16 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #17 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #18 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #19 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #20 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #21 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #22 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #23 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #24 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #25 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #26 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #27 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #28 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #29 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #30 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #31 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #32 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #33 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234

previously allocated by thread T0 here:
    #0 0x7f15fcefc777 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f15fc0fbc57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f15fc0fd8cf in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f15fc0fd8cf in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7f15fc0fd8cf in _talloc_zero ../../lib/talloc/talloc.c:2421
    #5 0x7f15fc93156e in rpc_worker_assoc_group_new ../../source3/rpc_server/rpc_worker.c:681
    #6 0x7f15fc93156e in rpc_worker_assoc_group_find ../../source3/rpc_server/rpc_worker.c:730
    #7 0x7f15fc120a18 in dcesrv_bind ../../librpc/rpc/dcesrv_core.c:1158
    #8 0x7f15fc120a18 in dcesrv_process_ncacn_packet ../../librpc/rpc/dcesrv_core.c:2324
    #9 0x7f15fc120a18 in dcesrv_loop_next_packet ../../librpc/rpc/dcesrv_core.c:3222
    #10 0x7f15fc933722 in rpc_worker_new_client ../../source3/rpc_server/rpc_worker.c:489
    #11 0x7f15fc933722 in rpc_worker_new_client_filter ../../source3/rpc_server/rpc_worker.c:558
    #12 0x7f15fbef95ca in messaging_dispatch_waiters ../../source3/lib/messages.c:1343
    #13 0x7f15fbefb589 in messaging_dispatch_rec ../../source3/lib/messages.c:1371
    #14 0x7f15fbefb589 in messaging_recv_cb ../../source3/lib/messages.c:431
    #15 0x7f15faddba9e in msg_dgm_ref_recv ../../lib/messaging/messages_dgm_ref.c:144
    #16 0x7f15fadd6cc3 in messaging_dgm_recv ../../lib/messaging/messages_dgm.c:1426
    #17 0x7f15fadd7618 in messaging_dgm_read_handler ../../lib/messaging/messages_dgm.c:1316
    #18 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #19 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #20 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #21 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #22 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #23 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #24 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #25 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 627a7857844804a29c6612df5da4605c94edb3f9)

dcesrv_core: add dcesrv_assoc_group_common_destructor()

We need to detach dcesrv_iface_state from dcesrv_assoc_group,
if dcesrv_assoc_group is free'ed first.

==381007==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d000004f80 at pc 0x7f15fc12e0ac bp 0x7ffe43267780 sp 0x7ffe43267778
READ of size 8 at 0x50d000004f80 thread T0
    #0 0x7f15fc12e0ab in dcesrv_iface_state_destructor ../../librpc/rpc/dcesrv_handles.c:166
    #1 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #2 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #3 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #4 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #5 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #6 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #7 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #8 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #9 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #10 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #11 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #12 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #13 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #14 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #15 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #16 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #17 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #18 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #19 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #20 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #21 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #22 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #23 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #24 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #25 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #26 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #27 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #28 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #29 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #30 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #31 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #32 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #33 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #34 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #35 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #36 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #37 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #38 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #39 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #40 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #41 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #42 0x7f15fbff9691 in tstream_bsd_readv_handler ../../lib/tsocket/tsocket_bsd.c:2080
    #43 0x7f15fbff6f85 in tstream_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:1764
    #44 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #45 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #46 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #47 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #48 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #49 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #50 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #51 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #52 0x7f15f7c2a378 in __libc_start_main_impl ../csu/libc-start.c:360
    #53 0x5632ae162e64 in _start ../sysdeps/x86_64/start.S:115

0x50d000004f80 is located 112 bytes inside of 136-byte region [0x50d000004f10,0x50d000004f98)
freed by thread T0 here:
    #0 0x7f15fcefb418 in free ../../../../libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f15fc0f857d in _tc_free_internal ../../lib/talloc/talloc.c:1222
    #2 0x7f15fc0f8d0f in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #3 0x7f15fc0f8d0f in talloc_unlink ../../lib/talloc/talloc.c:1473
    #4 0x7f15fc934580 in rpc_worker_connection_terminated ../../source3/rpc_server/rpc_worker.c:143
    #5 0x7f15fc9310bd in dcesrv_connection_destructor ../../source3/rpc_server/rpc_worker.c:175
    #6 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #7 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #8 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #9 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #10 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #11 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #12 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #13 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #14 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #15 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #16 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #17 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #18 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #19 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #20 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #21 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #22 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #23 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #24 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #25 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #26 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #27 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #28 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #29 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #30 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #31 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #32 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #33 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234

previously allocated by thread T0 here:
    #0 0x7f15fcefc777 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f15fc0fbc57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f15fc0fd8cf in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f15fc0fd8cf in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7f15fc0fd8cf in _talloc_zero ../../lib/talloc/talloc.c:2421
    #5 0x7f15fc93156e in rpc_worker_assoc_group_new ../../source3/rpc_server/rpc_worker.c:681
    #6 0x7f15fc93156e in rpc_worker_assoc_group_find ../../source3/rpc_server/rpc_worker.c:730
    #7 0x7f15fc120a18 in dcesrv_bind ../../librpc/rpc/dcesrv_core.c:1158
    #8 0x7f15fc120a18 in dcesrv_process_ncacn_packet ../../librpc/rpc/dcesrv_core.c:2324
    #9 0x7f15fc120a18 in dcesrv_loop_next_packet ../../librpc/rpc/dcesrv_core.c:3222
    #10 0x7f15fc933722 in rpc_worker_new_client ../../source3/rpc_server/rpc_worker.c:489
    #11 0x7f15fc933722 in rpc_worker_new_client_filter ../../source3/rpc_server/rpc_worker.c:558
    #12 0x7f15fbef95ca in messaging_dispatch_waiters ../../source3/lib/messages.c:1343
    #13 0x7f15fbefb589 in messaging_dispatch_rec ../../source3/lib/messages.c:1371
    #14 0x7f15fbefb589 in messaging_recv_cb ../../source3/lib/messages.c:431
    #15 0x7f15faddba9e in msg_dgm_ref_recv ../../lib/messaging/messages_dgm_ref.c:144
    #16 0x7f15fadd6cc3 in messaging_dgm_recv ../../lib/messaging/messages_dgm.c:1426
    #17 0x7f15fadd7618 in messaging_dgm_read_handler ../../lib/messaging/messages_dgm.c:1316
    #18 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #19 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #20 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #21 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #22 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #23 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #24 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #25 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15765

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5b929860e269e2968a0ec3759a6125ae990b43c3)

smbd: fix breaking leases on rename

We must also break leases on other opens if the open of the rename doesn't have
a lease itself. The existing test test_lease_v2_rename() that was added
alongside the deferred rename server code didn't cover this case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15697

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct 31 12:47:24 UTC 2024 on atb-devel-224

(cherry picked from commit efbbe8d6f80ceb6107f20486623eee949409c0ff)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Dec  9 09:45:57 UTC 2024 on atb-devel-224

smbd: force sync rename with lease break

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15697

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit bc2d87981967bc65155ba09eb5b3e3f913bec50e)

smbd: return correct error for compound related requests that went async

For a compound related request chain of eg CREATE+NOTIFY+GETINFO, the NOTIFY
will typically go async. When this is noted in smbd_smb2_request_pending_queue()
the pending async tevent_req is cancelled which means we return
NT_STATUS_CANCELLED to the client while Windows returns
NT_STATUS_INTERNAL_ERROR.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15697

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a5635791cfdb10f64bf2bf7c72c58f7591249a0d)

smbtorture: test rename with other opens on the file

Windows allows this. Samba also already implements this correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15697

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3890ac2fafc5e17919fa39542440a05ef72a3fa5)

smbtorture: add a bunch of tests for async rename and async interim responses

All tests pass against Windows 2022, we have some bugs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15697

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 42e739ab62cb573d72215737027cf3c7f1fcd212)

smbtorture: rename CHECK_VALUE() to CHECK_VAL() in smb2/compound.c

Prepares for using macros from lease_break_handler.h which makes use of
CHECK_VAL() while relying on a definition of CHECK_VAL() in the .c file.

While at it, add a goto done which is always a good thing to get clear failures
from tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15697

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4932b433ff2f1c4e603073624a5d22140acfb2ed)

ctdb-common: Map ENOENT for a missing event script to ENOEXEC

This handles the case where an event script is disabled by unlinking,
while an event is being run, after the script list has been created.
Without this change the script will fail.  With this change the script
will be marked as DISABLED.  See the comment added by this commit for
more details.

Add a testcase to simulate the race, using an event script to disable
subsequent ones.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15755
RN: Avoid event failure race when disabling an event script

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu Nov 21 01:42:09 UTC 2024 on atb-devel-224

(cherry picked from commit fee31b6cb2b8f7dd111bdd9d2ff5479c31cbca37)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Fri Dec  6 15:19:41 UTC 2024 on atb-devel-224

ctdb-scripts: Track connections for all ports for public IPs

Currently TCP ports like NFS lock manager are not tracked.  It is
easier to track all connections than to add a configuration system to
try to track specified ports, so do that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 590a86dbe4adf45ac8d15497934e25ea98148034)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Nov 25 13:58:45 UTC 2024 on atb-devel-224

ctdb-scripts: Get connections after tickle list

Running ss to get current connections before running ctdb gettickles
means the ss output might be out of date when the 2 lists are
compared.  Some tickles might have been added after ss was run by some
other means (e.g. SMB tickles, added internally) and they would be
deleted according to the stale ss output.

This isn't currently a problem because update_tickles() is currently
only called with port 2049, so all tickles are managed by this code.
That will change in a subsequent commit.

Changing the order means the reverse problem can occur, where
update_tickles() attempts to delete an already deleted tickle.  That
may happen occasionally but is harmless because it doesn't result in
missing information.  It (currently) just causes a message to be
logged at DEBUG level.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit c3695722b6316b624aa6c44cad4f44279303d1b1)

ctdb-scripts: Move connection tracking to 10.interface

This should really be done for all connections to public IP addresses.
Leave the port number there for now - this is just the first step.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 9683bb3ac2bbdf0e83c3be3681f9d1c8ee7cc327)

ctdb-server: Drop a log message to DEBUG level

This is harmless, so it doesn't generally need to be logged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit f4a8f84328c5e692ce63bec05bb71fcb469a3e9c)

ctdb-server: Clean up connection tracking functions

Apply README.Coding, modernise logging, pre-render connection as a
string for logging, switch terminology from "tickle" to "connection",
tidy up comments.

No changes in functionality.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 3c19c8df778070705485b3c993e695ca1636bfa7)

ctdb-scripts: Use ss -H option to simplify

This option has been available since ~2018 and has been implemented in
the stub since then.  I guess we didn't use it because CentOS 7?

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 0505d06b12a04a5c5e813fb3f4799278f9e5b7eb)

ctdb-scripts: Remove superseded compatibility code

Since commit 224e99804efef960ef4ce2ff2f4f6dced1e74146, square brackets
have been parsed by daemon and tool code, so drop the compatibility
code from here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 32e4f786601712e57992ce4c8f46e5d38620a5dd)

ctdb-scripts: update_tickles() should use the public IPs cache

This avoids duplicating logic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit b3e2c69ad92c0d20bb10146d2dd6d0d475455298)

ctdb-scripts: Add caching function for public IPs

This is way more complicated than I would like but, as per the
comment, this is due to complexities in the way public IPs work.  The
main consumer will be statd-callout, which will then be able to run as
a non-root user.

Also generate the cache file in test code, whenever the PNN is set.
However, this can cause "ctdb ip" to generate a fake IP layout before
public IPs are setup.  So, have the "ctdb ip" stub generate the IP
layout every time it is run to avoid it being stale.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit ed3f041c309e84bcb73fda9a7a68dbf69f63e3e3)

ctdb-scripts: Don't list connections when not hosting IPs

With an empty IP filter, all incoming connections to port 2049 will be
listed, not just those to public IP addresses.  This causes error
messages like the following to be logged:

  ctdb-eventd[...]: 60.nfs: Failed to add 1 tickles

since the connection being added seems to be for a random NFS mount
that doesn't use a public IP addresses.

This has been a problem for a long time (probably since commit
04fe9e20749985c71fef1bce7f6e4c439fe11c81 in 2015).  It isn't currently
a huge deal because it only affects NFS connections.  However, this
code will soon be used to track connections to public IP addresses on
all ports.  This would result in a constant stream of log messages,
since there will always be some active connections.

The theory behind the fix is that if a node hosts no public IPs then
it should have no relevant connections and has no business changing
the list of registered tickles.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 1a4a6c46f1cdabfea67c264d6576a597a70c3007)

smbd: avoid a panic in close_directory()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15754

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 18 12:43:28 UTC 2024 on atb-devel-224

(backported from commit f86d1a35917cdcc07b2fa741c6a369aaad24abaf)
[slow@samba.org: context changes from Directory Leases]

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Nov 20 11:17:07 UTC 2024 on atb-devel-224

VERSION: Bump version up to Samba 4.20.7...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.20.6 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.20.6.

Signed-off-by: Jule Anger <janger@samba.org>

BUG 15590 ldb: Release LDB 2.9.2

* BUG 15590: libldb: performance issue with indexes.

Signed-off-by: Jule Anger <janger@samba.org>

libcli/auth: make use of netlogon_creds_cli_check_transport() in more places

This was somehow missing in commit
7a5ad9f64a905f5744430c6e0796c646baf9432e

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Nov  7 09:14:33 UTC 2024 on atb-devel-224

(cherry picked from commit f340dce6546a22d857cad440f8afaee9815dbdb1)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Nov 13 11:36:37 UTC 2024 on atb-devel-224

libcli/auth: split out netlogon_creds_cli_check_transport()

This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7a5ad9f64a905f5744430c6e0796c646baf9432e)

libcli/auth: let netlogon_creds_copy() copy all scalar elements

This version is good for now, as we want it to be backportable.
For master we'll add a ndr_deepcopy_struct() helper in order
to avoid future problems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8edbdd65ef78e3f26357d0254b58db3120a32880)

s4:librpc/rpc: make use of netlogon_creds_client_verify()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 132629ee3a9b73d0888d1110e4d0a45ded778e5a)

libcli/auth: make use of netlogon_creds_client_verify()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1a5984ac6312b204b51590057b8327cf4698383b)

libcli/auth: split out netlogon_creds_client_verify() that takes auth_{type,level}

This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 45faf6c35a033ec46a546dfb9d5d6aeb2fb2b83c)

libcli/auth: pass auth_{type,level} to netlogon_creds_server_step_check()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2956c7eb3c9fc2161fd2748e5aac1fc94478e8c7)

libcli/auth: pass auth_{type,level} to schannel_check_creds_state()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7b02fb50143ba5044605ec67ed41180391835dcb)

libcli/auth: return INVALID_PARAMETER for DES in netlogon_creds_{de,en}crypt_samlogon_logon

For the NetlogonGenericInformation case we want an error instead of no
encryption if only DES was negotiated...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 131f5c0b251e456c466eaca744525504e1d69492)

s4:rpc_server/netlogon: make use of netlogon_creds_decrypt_SendToSam

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 834197dafef0f3779ba69c8e350cbd7bb9333284)

s4:rpc_server/netlogon: make use of netlogon_creds_decrypt_samr_CryptPassword

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit f1c1b8661a9121e1ff02784955c98d9f33bca8bd)

s4:rpc_server/netlogon: make use of netlogon_creds_{de,en}crypt_samr_Password()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7a7cb0d0426a891185f5acf825573d98360e98e1)

s3:rpc_server/netlogon: make use of netlogon_creds_decrypt_samr_CryptPassword()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a359b4139c8043ee3c3277b7559cb6d4f58f4044)

s3:rpc_server/netlogon: make use of netlogon_creds_{de,en}crypt_samr_Password

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 550d20fd3dd04397b3a38f8b9e0cfa574453eea1)

s4:torture/rpc: make use of netlogon_creds_{de,en}crypt_samr_Password

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 172ce406d48916c57f0742b6a0e064ac170ec8ff)

s4:torture/rpc: make use of netlogon_creds_encrypt_samr_CryptPassword()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2d7a47a175337729f4c671d7a6223f6e0ea23ebe)

s4:torture/rpc: make use of netlogon_creds_decrypt_samlogon_validation()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a177d15c875030dfc6c11ead3ec3a3ec851261cb)

s4:torture/rpc: make use of netlogon_creds_encrypt_samlogon_logon()

This will make it easier to catch all places where we need to
implement the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1666d1d74dec3978837ab49f8749d59c0abcf595)

libcli/auth: make use of netlogon_creds_{de,en}crypt_samr_Password

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e92d0509d6b4d7f86e8626ba8c5efc5b786823f1)

libcli/auth: make use of netlogon_creds_encrypt_SendToSam

This will help when implementing netr_ServerAuthenticateKerberos()...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2bd77ff7314932dc4116773731a810fe0f7ce4b7)

libcli/auth: make use of netlogon_creds_encrypt_samr_CryptPassword

This will help when implementing netr_ServerAuthenticateKerberos()...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 285ec9ecde712e40e6f0981bcb379ee911bfe9d8)

libcli/auth: make netlogon_creds_des_{de,en}crypt_LMKey() static

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1edcd5df80bdbc4d4da5bdd5e534d7a17ec61f77)

python/tests: use encrypt_netr_PasswordInfo in KDCBaseTest._test_samlogon()

This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e7d57fc6e992ca212b834d5dd4d381244bca55c6)

pycredentials: add py_creds_encrypt_netr_PasswordInfo helper

This will replace py_creds_encrypt_samr_password in the next steps
and prepares the introduction of netr_ServerAuthenticateKerberos().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit fac378485f5f15ac0a11c3d82207c4bc780bfb80)

pycredentials: make use of netlogon_creds_encrypt_samr_CryptPassword in py_creds_encrypt_netr_crypt_password

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit ea792fa342deebefa75b77832c9057924cdcb6f6)

libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit b8681c165731666bb5eed073ab862490c33ea095)

libcli/auth: add netlogon_creds_{de,en}crypt_samr_CryptPassword()

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8eb95a155de396981375c7f11221695fd3c7f9d5)

libcli/auth: add netlogon_creds_{de,en}crypt_samr_Password()

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 851a9b18eccece64c3ae0cedd7c7b26a44f0eec6)

libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_logon()

This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3d4ea276bdf44202250246cd6edae2bc17e92c74)

libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()

This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a56356e399339d5bce2e699431cd3e6186229170)

netlogon.idl: add netr_ServerAuthenticateKerberos() and related stuff

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit de8de55a5fee573d0718fa8dd13168a4f0a14614)

s3:rpc_server: add DCESRV_COMPAT_NOT_USED_ON_WIRE() helper macro

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 62afadb3ebac49a684fb0e5a1beb6d7db6f5e515)

dcesrv_core: add DCESRV_NOT_USED_ON_WIRE() helper macro

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 01577b93cbb0a26aba3209cde69475be2e1c5fb8)

s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticateGeneric()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e4132c492ded7cadc60371b524e72e41f71f75e9)

s4:dsdb/common: dsdb_trust_get_incoming_passwords only needs a const ldb_message

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit f92def2f943917d8946b03f71fcf676998701815)

libcli/auth: split out netlogon_creds_alloc()

Review with: git show --patience

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e9767315cf06bcb257b40014441dd4cd9aad0fb0)

libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy

Before storing the structure into a ctdb managed volatile database
we check against netlogon_creds_CredentialState_legacy (the structure
used before recent changes). This makes sure unpatched cluster nodes
would not get a parsing error.

We'll remove this again in master when we try to implement
netr_ServerAuthenticateKerberos() and the related changes
to netlogon_creds_CredentialState, which will break the compat...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3792fe372884aad6ea2893f2e62629dd1cddc129)

libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 17394ed7bbf8fa50570a5732f1ce84ccd5e69393)

libcli/auth: also use netlogon_creds_CredentialState_extra_info for the client

In order to allow backports and cluster updates we simulate a
dom_sid, so that the old code is able to parse the blob.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8b972fea0978101575f847eac33b09d2fd8d02e7)

s4:torture/rpc: let test_netlogon_capabilities() fail on legacy servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 498fc88c155b57a0de6150c3b1e3cfcac181d45b)

s4:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit fd4b027511b18615e215b66183f95b54bcab683e)

s3:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 484a046d8e179a3b21ead8b5bc3660095314e816)

libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_init()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit dfbc5e5a19420311eac3db5ede1c665a9198395d)

libcli/auth: remove unused creds->sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a9308c490cb5ec8908a3e4c13e2ce8a08b9027e9)

s4:rpc_server/netlogon: make use of creds->ex->client_sid

creds->sid will be removed soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 4533afc9e12c4dbbc7d11c13e775888c113d497c)

s3:rpc_server/netlogon: make use of creds->ex->client_sid

creds->sid will be removed soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 88a84d9330d2bb03176f888a0d8e5066e1e21bf6)

librpc/rpc: make use of creds->ex->client_sid in dcesrv_netr_check_schannel_get_state()

creds->sid will be removed soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 453587fbc1ef74a3b997235e84040553261fa13e)

libcli/auth: split out netlogon_creds_CredentialState_extra_info

As server we are free to change the netlogon_creds_CredentialState
database record format at will as it uses CLEAR_IF_FIRST.

For now that format doesn't really changes, because we
only move dom_sid into a wrapper structure.

In order to avoid changing all callers in this commit,
we maintain creds->sid as in memory pointer.

In the following patches we'll also use it in order
to store client related information...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 518f57b93bdb84900d3b58cd94bdf1046f82a5a6)

libcli/auth: pass client_sid to netlogon_creds_server_init()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c2ef866fca296c8f3eb1620fdd2bb9bf289d96fc)

s4:rpc_server/netlogon: add client_sid helper variables

This will make the following changes simpler...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2e8949495f601d3fd117cceccd1b464a6ae43251)

s3:rpc_server/netlogon: add client_sid helper variables

This will make the following changes simpler...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit eda3728a4079c5399f693b1d68e64e5660647c72)

s4:dsdb/common: samdb_confirm_rodc_allowed_to_repl_to() only needs a const sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c9eaf5e22de730f1e7575f6697f32dbb377eae06)

s3:cli_netlogon: let rpccli_connect_netlogon() use force_reauth = true on retry

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7f478656dcf08619bc3a7ad390c7db3bfdef924e)

s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit d174b6595a962230bf71cc5c2f512a2c93a4cc1b)

s4:librpc/rpc: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 0b6ac4b082ddec5dae1392537727f3a7123ec279)

s4:librpc/rpc: define required schannel flags and enforce them

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 25294685b1c2c8652f0ca0220e8f3729e0b347e2)

s4:librpc/rpc: don't allow any unexpected upgrades of negotiate_flags

Only remove the unsupported flags from local_negotiate_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 69b0cbd13d06fa640a900acab6757425b5b77cac)

s4:librpc/rpc: do LogonControl after LogonGetCapabilities downgrade

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 24de5d1cbd25fabae6b01565907b53f5e51ea06d)

libcli/auth: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 25a2105ca7816c47a9c4a7fded88a922e4ccf88b)

libcli/auth: use a LogonControl after a LogonGetCapabilities downgrade

If LogonGetCapabilities was downgraded by an DCERPC Fault, we
rely on the schannel message ordering to detect failures.

Instead of letting any real winbindd request trigger this,
we do it directly in netlogon_creds_cli_check() with
a LogonControl that is also used for 'wbinfo --ping-dc'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 276137e950696fbf36450dceebd6c0250c6242d0)

libcli/auth: if we require aes we don't need to require arcfour nor strong key

But we can send arcfour and strong key on the wire and don't need to
remove them from the proposed flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3da40f1c6818550eb08a6d7d680c213c3f1d0649)

libcli/auth: don't allow any unexpected upgrades of negotiate_flags

Only remove the unsupported flags from state->current_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a9040c8ce76cb9911c4c0c5d623cc479e49f460d)

libcli/auth: make use of netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 69cb9aea67de0613f467f7ce2d460364ff2be241)

libcli/auth: remove unused netlogon_creds_client_init_session_key()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit cf0e07a3d2a085d31f7d682633af9ec57c155e57)

netlogon.idl: the capabilities in query_level=2 are the ones send by the client

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 86176598eee4c83dc63a9dac163f32c886477129)