libcli: avoid work in security token debug no-op

When the debug level is too low to print, we don't need to allocate
the strings.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15737

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python:tdb_util: "samba-tool domain backup offline" hangs

GNU getopt(3) is by default non-POSIX compliant and accepts options after
positional arguments (unless forced with POSIXLY_CORRECT). This is not portable,
e..g., on FreeBSD. Put options first and then positional arguments.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15804

Signed-off-by: Andrea Venturoli <ml@netfence.it>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

s3:torture: report kilobytes per second as kB/s, not kb/s

https://bugzilla.samba.org/show_bug.cgi?id=11023

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

smbclient: report kilobytes per second as kB/s, not kb/s

https://bugzilla.samba.org/show_bug.cgi?id=11023

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

build: --disable-warnings-as-errors avoids some warning config checks

This fixes compilation with some versions of Honggfuzz.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

vfs: Fix vfs_streams_depot's fstatat

a24c7d566f2 does not cover subdirectories

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15816
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Feb 26 09:00:34 UTC 2025 on atb-devel-224

python:tests/krb5: let create_trust() take {ingress,egress}_claims_tf_rules

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 24 10:28:02 UTC 2025 on atb-devel-224

python:tests/krb5: let create_trust() take forest_info

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: let modified_ticket() to take modify_{tkt,enc}_fn

This makes it possible modify the public ticket part well as the enc part.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: add remove_pac_buffers()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: set_pac_claims with claims=[] should be an empty blob

Review with: git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: let set_pac_sids() replace the requester_sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: add set_pac_names() to modify the names in a pac

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: give KerberosTicketCreds a basic __str__() function

This makes debugging easier...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: let create_ccache[_with_ticket] use the correct crealm

It can be different from the servers realm.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: allow get_service_ticket() to fail with expected_status

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: add KerberosTicketCreds.set_srealm()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:testparm: make it clear that 'client use krb5 netlogon' is experimental

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15815

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 24 08:43:55 UTC 2025 on atb-devel-224

samba-tool/testparm: make it clear that 'client use krb5 netlogon' is experimental

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15815

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

docs-xml/smbdotconf: make it clear that 'client use krb5 netlogon' is experimental

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15815

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:kdc: split access check preparation from the actual check in samba_kdc_update_pac()

This allows us to add more access checks later...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 22 23:04:04 UTC 2025 on atb-devel-224

s4:kdc: let samba_kdc_get_claims_blob() check msDS-EgressClaimsTransformationPolicy

For now we only allow the implicit (default) or explicit allow all
policy, as well as a deny all policy.

For all others we return an error in order to indicate the
non-supported configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_claims_data() check msDS-IngressClaimsTransformationPolicy

For now we only allow the implicit (default) or explicit deny all
policy.

For all others we return an error in order to indicate the
non-supported configuration.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: also fetch msDS-[In|E]gressClaimsTransformationPolicy

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: add dsdb_trust_get_claims_tf_policy()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_upn_info_blob()

There's no reason not to regenerate it, it makes the code more
consistent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_update_pac() always call samba_kdc_get_logon_info_blob()

The logic in samba_kdc_get_logon_info_blob() also does
talloc_zero(tmp_ctx, DATA_BLOB) followed by calling
samba_get_logon_info_pac_blob().

So we can always just call samba_kdc_get_logon_info_blob().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: also pass override_resource_groups to samba_kdc_get_logon_info_blob()

This will make the following changes easier...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move device_{info,claims}_blob generation in samba_kdc_update_pac()

We should generate the device blobs after generating the client blobs
and also after all access checking.

We also use the samba_kdc_get_claims_blob() helper,
which is currently only a wrapper around
claims_data_encoded_claims_set(), but that will change in future...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: regenerate the client claims blob in samba_kdc_update_pac() if needed

Note that samba_kdc_get_claims_data() already handles the
samba_kdc_entry_pac_issued_by_trust() case to clear the
claims received from a trusted domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_claims_data() indicate if regeneration is needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: rewrite the logic in samba_kdc_get_claims_data()

We should also go via samba_kdc_get_claims_data_from_pac()
if the pack was issued by a trust. But for now we still
clear the claims, which is the default if
msDS-IngressClaimsTransformationPolicy is missing
on the trustedDomain object.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_claims_data_from_pac() return if a buffer was found

This will simplify further changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_pac() use samba_kdc_get_claims_blob()

We should avoid calling claims_data_encoded_claims_set() directly,
we'll have to do more than claims_data_encoded_claims_set() in future,
so make sure we always go via the common samba_kdc_get_claims_blob()
helper.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_get_claims_blob() take struct claims_data as input.

It means samba_kdc_update_pac() does not call
samba_kdc_get_claims_data_from_db() twice,
as it's already called by samba_kdc_get_claims_data().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_update_pac() always fetch the user claims

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let samba_kdc_update_pac() use samba_kdc_entry_pac_valid_principal() to check delegated_proxy

This might not be needed, but it's more consistent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: remove useless samba_kdc_get_user_info_dc() from samba_kdc_get_device_info_blob()

There's no need to call it again if the caller already did.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move user_info_dc_shallow_copy variable in samba_kdc_update_pac()

This is only needed as tmp variable in the if block...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move samba_kdc_get_user_info_dc() for the device in samba_kdc_update_pac()

We should can already call this in the 'need_device' branch, then
it can be reused later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move samba_kdc_get_user_info_dc() up in samba_kdc_update_pac()

This will make further changes easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: introduce need_device helper variable in samba_kdc_update_pac()

Also use samba_kdc_entry_pac_valid_principal() in order to catch
all conditions for a valid device. For principals issued by
trusted domains there's no device.entry pointer!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: make samba_kdc_get_{user_info_dc,claims_data} static

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: pass samba_kdc_entry_pac to samba_kdc_check_s4u2proxy_rbcd()

This simplifies and unifies the callers.

For the MIT kdc we avoid using via kerberos_pac_to_user_info_dc()
directly.

Now both go via samba_kdc_get_user_info_dc() and MIT also
handles the samba_kdc_get_claims_data() path.

For the MIT kdc it means kerberos_pac_to_user_info_dc() is now
called via samba_kdc_get_user_info_dc() ->
samba_kdc_get_user_info_from_pac() and it is followed by
authsam_update_user_info_dc() consistently.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: move samba_kdc_check_s4u2proxy_rbcd() from db-glue to pac-glue

This will allow us to make more functions static in the next steps.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: make a lot of pac-glue.c functions static

This makes the code base less confusing (at least for me).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: let mit_samba_get_pac() use samba_kdc_get_pac()

It means we port commit b42fbc78395870c3caa33aa1c9636a59fde9e867 also to the
MIT kdc and enforce authentication policy service restrictions when getting a PAC

We should have this logic only once in order to avoid getting out of
sync between heimdal and MIT regarding the core logic.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: split out samba_kdc_get_pac() from samba_wdc_get_pac()

samba_kdc_get_pac() will be re-used by mit_samba_get_pac() in
the next step.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: don't return ENOENT from samba_kdc_get_claims_data[_from_pac]

This will matter in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: use better variable names in samba_wdc_check_client_access()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:auth: avoid talloc_reference in claims_data_encoded_claims_set()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbindd: find_auth_domain() and find_lookup_domain_from_name() should handle namespaces

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 22 17:03:27 UTC 2025 on atb-devel-224

winbindd: add find_routing_from_namespace_noinit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbindd: remember ForestTrustInformation in routing_domain->fti

This will be used for sid/name filtering in the following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:passdb: add pdb_filter_hints()

This reveals information about our own domain/forest.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: let dcesrv_lsa_lookup_name_account() handle uPNSuffixes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_match_tln_namespace()

This will be used by the namespace filtering part of
sid filtering...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() check RODC callers check computer_name

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify do RODC checking

This implements MS-NRPC 3.5.4.5.1.2 RODC server cachability validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() return the computer_name

This will be used to implement the MS-NRPC 3.5.4.5.1.2 RODC server cachability validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: add NTLMv2_RESPONSE_verify_trust() checking

This implements MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:rpc_server/netlogon: let _netr_NTLMv2_RESPONSE_verify() generate trust_forest_domain_info array

MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
requires to pass information about the trust topology to
NTLMv2_RESPONSE_verify_netlogon_creds()...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/netlogon: let dcesrv_netr_NTLMv2_RESPONSE_verify generate trust_forest_domain_info array

MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
requires to pass information about the trust topology to
NTLMv2_RESPONSE_verify_netlogon_creds()...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: pass trust_forest_domain_info array to NTLMv2_RESPONSE_verify_netlogon_creds

This will be used in the next commits in order to
implement MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:rpc_server/netlogon: split out _netr_NTLMv2_RESPONSE_verify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/netlogon: split out dcesrv_netr_NTLMv2_RESPONSE_verify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/auth: split out NTLMv2_RESPONSE_verify_workstation()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

docs-xml/smbdotconf: add ft_scanner to 'server service'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb: add forest trust scanner service

See MS-ADTS 3.1.1.6.4 PDC Forest Trust Update

It basically connects to all forest trusts
and searches for crossRef objects with
SYSTEM_FLAG_CR_NTDS_DOMAIN under
CN=Partitions,CN=Configuration.

With this information it add/removes
FOREST_TRUST_SCANNER_INFO records into
the msDS-TrustForestTrustInfo of the local
trustedDomain object.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:tldap: add tldap_msg_rc() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbindd: make use of lsaR[G|S]etForestTrustInformation2 to allow SCANNER_INFO

Note that we don't need to handle a fallback to old servers,
because we only talk to ourself here.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: add lsaR[G|S]etForestTrustInformation2 support to allow FOREST_TRUST_SCANNER_INFO

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_merge_forest_info() handle SCANNER and BINARY records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_normalize_forest_info_step2() handle SCANNER and BINARY records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_normalize_forest_info_step1() handle BINARY and SCANNER records

Note for scanner records we need to filter out duplicates,
but binary records may exist multiple times.

Review with: git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: let dsdb_trust_forest_info_add_record() handle BINARY and SCANNER records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_info_from_lsa2() handle BINARY and SCANNER records

The tricky part is that we also need to upgrade
LSA_FOREST_TRUST_BINARY_DATA records into FOREST_TRUST_SCANNER_INFO records.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_lsa_2to2()

This normalizes LSA_FOREST_TRUST_BINARY_DATA in
LSA_FOREST_TRUST_SCANNER_INFO.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_{record_lsa_2to1,info_to_lsa}() handle SCANNER_INFO

We need to convert the [LSA_]FOREST_TRUST_SCANNER_INFO record
into a binary record, but with LSA_FOREST_TRUST_SCANNER_INFO
as type.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_{record_lsa_1to2,info_from_lsa}() handle BINARY and SCANNER records

The tricky part is that it's all based on the sub_type within
the binary data, if it's FOREST_TRUST_SCANNER_INFO the
record is upgraded to an LSA_FOREST_TRUST_SCANNER_INFO,
otherwise it's downgraded to a LSA_FOREST_TRUST_BINARY_DATA
record.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_record_to_lsa() handle BINARY and SCANNER records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: let trust_forest_record_from_lsa() handle BINARY and SCANNER records

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/util_trusts: convert most functions from lsa_ForestTrustInformation to lsa_ForestTrustInformation2

We use trust_forest_info_lsa_{1to2,2to1}() where needed.

This will make it possible to support
FOREST_TRUST_BINARY_DATA and FOREST_TRUST_SCANNER_INFO later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_lsa_{1to2,2to1}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_{from,to}_lsa2()

Note for now these will fail for FOREST_TRUST_BINARY_DATA and
FOREST_TRUST_SCANNER_INFO.

But this will still make the transition from
lsa_ForestTrustInformation to lsa_ForestTrustInformation2
easier.

Support for will FOREST_TRUST_BINARY_DATA and FOREST_TRUST_SCANNER_INFO
will be added before we implement the forest trust background scanner
job and the lsaRSetForestTrustInformation2 function.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: split out dcesrv_lsa_SetFTI()

This will help implementing dcesrv_lsa_lsaRSetForestTrustInformation2
later...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: split out dcesrv_lsa_QueryFTI()

This will help implementing dcesrv_lsa_lsaRQueryForestTrustInformation2
later...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: change trust_forest_record_to_lsa to lsa_ForestTrustRecord2

lsa_ForestTrustRecord2 is needed to represent all possible
ForestTrustInfoRecord types including SCANNER_INFO in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: change trust_forest_record_from_lsa to lsa_ForestTrustRecord2

lsa_ForestTrustRecord2 is needed to represent all possible
ForestTrustInfoRecord types including SCANNER_INFO in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: don't allocate in trust_forest_record_to_lsa()

It will help with the following changes to
allocate lsa_ForestTrustRecord in the caller.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: change logic in trust_forest_record_to_lsa() to avoid default:

We should let the compiler warn us if a enum type is missing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: split out trust_forest_record_from_lsa

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: always add msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is set

Windows (at least server 2025) always creates the default
msDS-TrustForestTrustInfo, with just a TOP_LEVEL_NAME and DOMAIN_INFO
representing the forest root domain of the trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:rpc_server/lsa: add allocation checks to fill_trust_domain_ex()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:dsdb/common: add dsdb_trust_default_forest_info()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

dsdb:util_trusts: replace dsdb_trust_find_tln[_ex]_match() with trust_forest_info_tln[_ex]_match()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: add trust_forest_info_tln[_ex]_match()

These are copies of dsdb_trust_find_tln[_ex]_match()
in source4/dsdb/common/util_trusts.c, which gets replaced
in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: fix talloc hierarchy in trust_forest_info_from_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libcli/lsarpc: fix talloc hierarchy in trust_forest_record_to_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

dsdb:util_trusts: remove unused dsdb_trust_forest_info_{from,to}_lsa()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>