git.ipfire.org Git - thirdparty/samba.git/log
Volker Lendecke [Thu, 2 Jan 2025 11:28:55 +0000 (12:28 +0100)]
vfs: Implement streams_depot_fstatat()
So far we don't call FSTATAT on streams, but this might change soon.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 2 Jan 2025 13:31:55 +0000 (14:31 +0100)]
vfs: Implement streams_xattr_fstatat()
So far we don't call FSTATAT on streams, but this might change soon.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 2 Jan 2025 08:37:32 +0000 (09:37 +0100)]
vfs: Fix streams_depot_lstat()
When passing NULL as base_sbuf to stream_smb_fname(), it uses
SMB_VFS_NEXT_STAT() to find the right stream directory. This will
potentially dereference the last symlink. Make sure that in
streams_depot_lstat() this is not done.
Also, the current version did not return the stat struct at all.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 1 Jan 2025 14:51:11 +0000 (15:51 +0100)]
smbd: Use filename_convert_dirfsp_rel() in durable reconnect
Avoid a reference to conn->cwd_fsp and thus simplify the code used in
fd_openat().
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 18 Jan 2025 14:11:42 +0000 (15:11 +0100)]
streams_depot: Simplify walk_streams()
Remove unused pdirname parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 2 Jan 2025 17:14:43 +0000 (18:14 +0100)]
smbd: Simplify delete_all_streams()
In our callers we have the dirfsp around, use that and avoid
references to conn->cwd_fsp and deep path-based operations
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 2 Jan 2025 21:03:59 +0000 (22:03 +0100)]
smbd: Move parent_pathref() up in close_remove_share_mode()
Make it available for delete_all_streams()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 2 Jan 2025 17:01:47 +0000 (18:01 +0100)]
smbd: Move parent_pathref() out of rmdir_internals()
Make the dirfsp() available in close_directory()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 3 Jan 2025 09:47:13 +0000 (10:47 +0100)]
smbd: Simplify rmdir_internals()
recursive_rmdir_fsp() works fine on the original fsp passed in, we
don't need to fetch the dirfsp from the dir_hnd we created to call
can_delete_directory_hnd()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 3 Jan 2025 11:33:43 +0000 (12:33 +0100)]
vfs_fruit: Don't expect a pathref fsp in unlinkat
The unix syscall unlinkat does not expect a file descriptor for the
to-be-removed object. SMB_VFS_UNLINKAT should also not expect
that. Put the special case into vfs_fruit.
This is required to simplify delete_all_streams next, which should not
have to do an openat_pathref_fsp() on all streams just for the
vfs_fruit case.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 20 Jan 2025 14:54:53 +0000 (15:54 +0100)]
smbd: Modernize a DEBUG
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 20 Jan 2025 14:52:06 +0000 (15:52 +0100)]
vfs: Do an early talloc_free in an error path
Not a long-term memleak, talloc_tos() takes care of this later, but
this looks cleaner to me.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 17 Jan 2025 12:24:11 +0000 (13:24 +0100)]
vfs: Rename variables in streams_depot_renameat()
These are directory fsps
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 30 Dec 2024 19:16:41 +0000 (20:16 +0100)]
vfs: Use is_ntfs_stream_smb_fname() where appropriate
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 30 Dec 2024 19:15:53 +0000 (20:15 +0100)]
vfs: Slightly simplify acl_common_remove_object()
This makes it more obvious to me that it's just the flag that differs
between the if-branches.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 30 Dec 2024 19:28:39 +0000 (20:28 +0100)]
vfs: Simplify acl_common_remove_object()
These days we have "dirfsp" available inside the unlinkat vfs
functions. There's no need to mess with the cwd.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Jan 2025 09:07:46 +0000 (10:07 +0100)]
dsdb: Avoid a talloc
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Jan 2025 12:38:46 +0000 (13:38 +0100)]
smbd: Slightly simplify rename_internals_fsp()
The required permissions only depend on S_ISDIR, but before this patch
they were assigned in two places far away from the call to
check_parent_access_fsp(). Consolidate that into where the permissions
are checked.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Jan 2025 12:32:29 +0000 (13:32 +0100)]
smbd: Slightly simplify rename_internals_fsp()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 18 Dec 2024 15:49:10 +0000 (16:49 +0100)]
pam_winbind: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 23 Dec 2024 10:14:00 +0000 (11:14 +0100)]
nsswitch: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 23 Dec 2024 10:08:35 +0000 (11:08 +0100)]
nsswitch: Simplify wbcCtxDcInfo()
Use winbindd_free_response()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15775
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 29 Dec 2024 10:57:00 +0000 (11:57 +0100)]
dsdb: Align an integer type
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 29 Dec 2024 10:54:38 +0000 (11:54 +0100)]
dsdb: Simplification with generate_random_str_list_buf()
No NULL check required
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 29 Dec 2024 10:49:35 +0000 (11:49 +0100)]
torture4: Simplification with generate_random_str_list_buf()
No NULL check required
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 28 Dec 2024 11:08:21 +0000 (12:08 +0100)]
torture4: Align a few integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 28 Dec 2024 10:59:52 +0000 (11:59 +0100)]
torture4: Use generate_random_str_list_buf()
Avoid a theoretical printf("%s", NULL)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 27 Dec 2024 17:53:27 +0000 (18:53 +0100)]
smb1_srv: Use generate_random_str_list_buf()
Avoid a theoretical printf("%s", NULL)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 27 Dec 2024 17:43:57 +0000 (18:43 +0100)]
lib: factor out generate_random_str_list_buf()
No talloc required
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 30 Dec 2024 11:55:15 +0000 (12:55 +0100)]
libsmb: Remove a pointless if-statement
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 11 Jan 2025 08:54:12 +0000 (09:54 +0100)]
vfs: Use fsp_is_alternate_stream() in shadow_copy2
To me this makes the meaning of this if-statement more obvious
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 2 Jan 2025 16:32:45 +0000 (17:32 +0100)]
smbd: Modernize a DEBUG
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Jan 2025 17:26:37 +0000 (18:26 +0100)]
docs: Fix a copy&paste error
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Jan 2025 15:45:03 +0000 (16:45 +0100)]
vfs: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 13 Jan 2025 14:50:02 +0000 (15:50 +0100)]
vfs: Fix DBGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 19 Dec 2022 15:35:51 +0000 (16:35 +0100)]
torture3: Fix an error message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 16 Dec 2022 13:12:57 +0000 (14:12 +0100)]
smbd: Use MIN() instead of explicit if-statement
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Björn Baumbach [Wed, 20 Nov 2024 16:54:17 +0000 (17:54 +0100)]
samba-tool user disable: add new --remove-supplemental-groups option
Removes all supplemental groups from a user, which is commonly
wanted when a user is disabled.
Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jule Anger <janger@samba.org>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Jan 23 19:51:05 UTC 2025 on atb-devel-224
Björn Baumbach [Wed, 20 Nov 2024 16:24:10 +0000 (17:24 +0100)]
samba-tool user disable: make sure that filter matches only one user
toggle_userAccountFlags() can only handle one user.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
Björn Baumbach [Wed, 20 Nov 2024 16:10:12 +0000 (17:10 +0100)]
samba-tool user disable: rename filter variable to search_filter
filter() is a Python built-in function to filter iterables.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
Björn Baumbach [Wed, 20 Nov 2024 16:03:24 +0000 (17:03 +0100)]
samba-tool user disable: set proper --filter option description
Seems to be copied from samba-tool user setpassword command.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
Björn Baumbach [Tue, 26 Nov 2024 16:47:30 +0000 (17:47 +0100)]
samba-tool group removemembers: avoid python backtrace on error
Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jule Anger <janger@samba.org>
Björn Baumbach [Fri, 22 Nov 2024 21:35:29 +0000 (22:35 +0100)]
python/samdb: no need to set member_base_dn multiple times
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
Björn Baumbach [Tue, 26 Nov 2024 14:46:02 +0000 (15:46 +0100)]
python/samdb: fix group member removal by SID
Otherwise the removal of groupmembers by SID fails silently, because the
DN does not match the DN in group member list.
Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
Björn Baumbach [Mon, 25 Nov 2024 13:05:40 +0000 (14:05 +0100)]
python/samdb: fix check which checks if user is already member of group
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
Björn Baumbach [Wed, 20 Nov 2024 22:28:51 +0000 (23:28 +0100)]
python/samdb: rename filter variable to search_filter
filter() is a Python built-in function to filter iterables.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
Björn Baumbach [Wed, 20 Nov 2024 20:33:49 +0000 (21:33 +0100)]
python/samdb: add missing function parameter description
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
Björn Baumbach [Wed, 18 Sep 2024 17:22:29 +0000 (19:22 +0200)]
python/samdb: fix attribute name in parameter description
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jule Anger <janger@samba.org>
Andreas Schneider [Wed, 22 Jan 2025 14:37:07 +0000 (15:37 +0100)]
third_party: Update socket_wrapper to version 1.4.4
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 23 11:28:32 UTC 2025 on atb-devel-224
Andreas Schneider [Tue, 21 Jan 2025 16:59:27 +0000 (17:59 +0100)]
lib:replace: Don't use deprecated readline CPPFunction cast
HAVE_RL_COMPLETION_FUNC_T was unused and not checking for the right
function.
libcli/smbreadline/smbreadline.c: In function ‘smb_readline’:
libcli/smbreadline/smbreadline.c:139:17: warning: ‘CPPFunction’ is deprecated [-Wdeprecated-declarations]
139 | rl_attempted_completion_function = RL_COMPLETION_CAST completion_fn;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
libcli/smbreadline/smbreadline.c:139:50: error: assignment to ‘char ** (*)(const char *, int, int)’ from incompatible pointer type ‘char ** (*)(void)’ [-Wincompatible-pointer-types]
139 | rl_attempted_completion_function = RL_COMPLETION_CAST completion_fn;
| ^
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15788
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 21 19:38:37 UTC 2025 on atb-devel-224
Andreas Schneider [Tue, 21 Jan 2025 16:59:12 +0000 (17:59 +0100)]
lib:replace: Remove trailing spaces from readline.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15788
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Volker Lendecke [Sun, 19 Jan 2025 16:27:56 +0000 (17:27 +0100)]
vfs_fruit: Fix 63f0b59cbed
After 30 years of coding C, pointers and macros are still error-prone :-(
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Jan 20 08:00:24 UTC 2025 on atb-devel-224
Andreas Schneider [Fri, 17 Jan 2025 12:28:30 +0000 (13:28 +0100)]
lib:util: Fix stack-use-after-return in crypt_as_best_we_can()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15784
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jan 17 23:21:13 UTC 2025 on atb-devel-224
Shachar Sharon [Tue, 14 Jan 2025 09:46:05 +0000 (11:46 +0200)]
vfs_ceph_new: add smbprofile for async-ops
Commit fcd3fc34b2ec5e ("vfs_ceph_new: add profiling support") added
PROFILE accounting for non-async VFS hooks. Add also SMBPROFILE for
async (read/write/fsync) hooks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15703
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jan 17 16:47:28 UTC 2025 on atb-devel-224
Jeremy Allison [Fri, 17 Jan 2025 00:12:31 +0000 (16:12 -0800)]
auth: Cleanup exit code paths in kerberos_decode_pac().
One more memory leak missed and now fixed. tmp_ctx
must be freed once the pac data is talloc_move'd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jan 17 12:01:47 UTC 2025 on atb-devel-224
Jeremy Allison [Wed, 15 Jan 2025 18:21:19 +0000 (10:21 -0800)]
auth: Add missing talloc_free() in error code path.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15782
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jan 16 14:32:39 UTC 2025 on atb-devel-224
Stefan Metzmacher [Sat, 23 Jul 2022 22:46:06 +0000 (00:46 +0200)]
s3:winbindd: split our wb_gettoken_trybuiltins() helper
This makes the logical steps a bit cleaner and future changes easier.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jan 15 14:00:28 UTC 2025 on atb-devel-224
Stefan Metzmacher [Sat, 23 Jul 2022 22:44:07 +0000 (00:44 +0200)]
s3:winbindd: split out wb_gettoken_trylocalgroups() function
This makes the logical steps a bit cleaner and future changes easier.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 22 Jul 2022 13:15:56 +0000 (15:15 +0200)]
s3:winbindd: add winbindd_domain_verify_sid() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 22 Jul 2022 13:15:02 +0000 (15:15 +0200)]
s3:winbindd: consistently use add_sid_to_array_unique() in winbindd_ads.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 26 Jul 2022 08:52:19 +0000 (10:52 +0200)]
s3:winbindd: use struct initializers for all struct winbindd_methods cases
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 15 Jan 2025 11:41:21 +0000 (12:41 +0100)]
s3:auth: let check_sam_security() add NETLOGON_NTLMV2_ENABLED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 15 Jan 2025 10:57:12 +0000 (11:57 +0100)]
s4:auth/ntlm: let authsam_check_password_internals() add NETLOGON_NTLMV2_ENABLED
Windows returns NETLOGON_NTLMV2_ENABLED in all
netr_LogonSamLogon* response messages.
Even if NTLMv1 was actually used and also
for password authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 15 Jan 2025 11:22:34 +0000 (12:22 +0100)]
python:tests/krb5: let netlogon.py check for NETLOGON_NTLMV2_ENABLED
It's there for network_samlogon and interactive_samlogon,
but not in ticket_samlogon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 8 Jan 2025 09:49:42 +0000 (10:49 +0100)]
selftest: force 'client use krb5 netlogon = yes' for admem_idmap_autorid
With 'reject aes netlogon servers = yes' we prevent any fallback.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 14 00:37:34 UTC 2025 on atb-devel-224
Stefan Metzmacher [Mon, 11 Nov 2024 18:32:48 +0000 (19:32 +0100)]
s4:torture/rpc: add rpc.pac tests with DCERPC_SCHANNEL_KRB5/ServerAuthenticateKerberos()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 11:32:27 +0000 (12:32 +0100)]
selftest: add 'server support krb5 netlogon = yes' for fl2008r2dc
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 11:21:57 +0000 (12:21 +0100)]
s4:torture/rpc: let rpc.samlogon also test DCERPC_SCHANNEL_KRB5/ServerAuthenticateKerberos()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 11:17:27 +0000 (12:17 +0100)]
s4:torture/rpc: let rpc.samlogon test credential_flags again...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Fri, 8 Nov 2024 14:56:45 +0000 (15:56 +0100)]
s4:torture/rpc: let rpc.schannel also use of DCERPC_SCHANNEL_KRB5
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Mon, 11 Nov 2024 19:30:25 +0000 (20:30 +0100)]
s4:torture/rpc: prepare test_lsa_ops for ServerAuthenticateKerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Mon, 11 Nov 2024 19:26:55 +0000 (20:26 +0100)]
s4:torture/rpc: use expected_{account,authority}_name variables in test_lsa_ops
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 11:21:12 +0000 (12:21 +0100)]
s4:torture/rpc: prepare netlogon tests for ServerAuthenticateKerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 11:18:36 +0000 (12:18 +0100)]
s4:torture/rpc: prepare lsa lookup tests for ServerAuthenticateKerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 11:15:42 +0000 (12:15 +0100)]
s4:torture/rpc: make more use of netlogon_creds_client_verify()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Fri, 8 Nov 2024 16:48:31 +0000 (17:48 +0100)]
s4:librpc/rpc: implement DCERPC_SCHANNEL_KRB5
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 7 Nov 2024 19:00:08 +0000 (20:00 +0100)]
s3:tests: let test_update_keytab.sh use rpc changetrustpw --server
Passing the server name via -I/--ipaddress means we internally lose
the server name and fail to use kerberos with just the ip address.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 7 Nov 2024 18:09:26 +0000 (19:09 +0100)]
python:tests: let s3_net_join.py avoid kerberos_state=DONT_USE_KERBEROS
We may use ServerAuthenticateKerberos in future and that needed to
use kerberos.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 7 Nov 2024 17:31:25 +0000 (18:31 +0100)]
testprogs/blackbox: let test_rpcclient_schannel.sh explicitly use --option=clientusekrb5netlogon
This also tests lsa over kerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 7 Nov 2024 16:37:05 +0000 (17:37 +0100)]
python:tests: let auth_log.py also test --option=clientusekrb5netlogon=yes
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 7 Nov 2024 15:41:00 +0000 (16:41 +0100)]
python:tests: let auth_log.py explicitly use --option=clientusekrb5netlogon=no
It also adds some additional checks to make sure netlogon with AES was
used.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 7 Nov 2024 15:37:56 +0000 (16:37 +0100)]
python:tests: let auth_log.py use self.assertIn(received, [4, 5]
This will simplify further changes.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 11:32:27 +0000 (12:32 +0100)]
selftest: add 'server support krb5 netlogon = yes' for ad_dc_ntvfs
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Fri, 6 Sep 2024 12:07:15 +0000 (14:07 +0200)]
libcli/auth: add support for ServerAuthenticateKerberos()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 6 Nov 2024 13:00:58 +0000 (14:00 +0100)]
s3:winbindd: split out cm_connect_schannel_or_krb5() helper
This will allow us to use ServerAuthenticateKerberos() later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 30 Oct 2024 11:13:36 +0000 (12:13 +0100)]
s3:cli_netlogon: prepare for netr_ServerAuthenticateKerberos()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 09:59:58 +0000 (10:59 +0100)]
s3:winbindd: use GENSEC_FEATURE_NO_DELEGATION for trust credentials for netlogon
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 09:59:58 +0000 (10:59 +0100)]
s3:rpcclient: use GENSEC_FEATURE_NO_DELEGATION for trust credentials
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 27 Nov 2024 09:59:58 +0000 (10:59 +0100)]
s3:libnet_join: use GENSEC_FEATURE_NO_DELEGATION for trust credentials
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Wed, 30 Oct 2024 11:13:36 +0000 (12:13 +0100)]
s3:cli_netlogon: use GENSEC_FEATURE_NO_DELEGATION for trust credentials
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Fri, 6 Sep 2024 12:07:15 +0000 (14:07 +0200)]
libcli/auth: add netlogon_creds_cli_use_kerberos() helper
This allows the calling code to decide if a krb5 or anonymous
netlogon connection should be tried.
Currently we don't try ServerAuthenticateKerberos, but that will change
in a few commits. But before we need to prepare the callers...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 7 Nov 2024 12:25:37 +0000 (13:25 +0100)]
docs-xml/smbdotconf: add "client use krb5 netlogon" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 7 Nov 2024 11:41:05 +0000 (12:41 +0100)]
docs-xml/smbdotconf: add "reject aes netlogon servers" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Thu, 31 Oct 2024 17:32:52 +0000 (18:32 +0100)]
s3:libads: prepare trust_pw_change() for ServerAuthenticateKerberos()
We use kerberos_kinit_passwords_ext() to check the password before
and after ServerPasswordSet2() as ServerAuthenticateKerberos()
does not check it. We use the ip address of the dcerpc connection
in order to use a fixed KDC, so that we talk to the same server
that also received the ServerPasswordSet2().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Stefan Metzmacher [Tue, 5 Nov 2024 11:42:37 +0000 (12:42 +0100)]
s3:libads: rename variables in trust_pw_change()
We'll have more than nt_hashes soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Shweta Sodani [Thu, 2 Jan 2025 13:42:08 +0000 (19:12 +0530)]
vfs_ceph_new: add profiling support
Signed-off-by: Shweta Sodani <ssodani@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jan 13 21:26:34 UTC 2025 on atb-devel-224
Vinit Agnihotri [Tue, 3 Dec 2024 05:51:09 +0000 (11:21 +0530)]
sharesec: Check if share exists in configuration
Load config from registry without share info and check if sharename
exists from configuration. This results in less delay for the same.
In case of view we load config with all shares to ensure we get all
shares for display purposes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jan 10 10:45:30 UTC 2025 on atb-devel-224
Vinit Agnihotri [Tue, 3 Dec 2024 05:49:09 +0000 (11:19 +0530)]
sharesec: Add function to check existence of share from config
Add function to detect if a share name exists in the registry or config file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Vinit Agnihotri [Tue, 3 Dec 2024 05:42:34 +0000 (11:12 +0530)]
param: Add API to load registry without share info
As the number of shares increases, loading the entire registry configuration
along with share information becomes a very costly operation.
Since we may not require share information all time, we can optimise
this by using API just loading configuration without any share info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Vinit Agnihotri [Thu, 12 Dec 2024 13:35:24 +0000 (19:05 +0530)]
sharesec: Fix warning frame not freed in order
This change should fix following warning:
Freed frame ../../source3/utils/sharesec.c:515, expected ../../source3/utils/sharesec.c:637
Frame was not getting freed in case servicename is NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15780
Signed-off-by: Vinit Agnihotri <vagnihot@redhat.com>
Reviewed-by: John Mulligan <jmulligan@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>