git.ipfire.org Git - thirdparty/samba.git/log
Pavel Filipenský [Fri, 3 Sep 2021 17:10:01 +0000 (19:10 +0200)] 
selftest: Add tests for keytab update

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Fri, 3 Sep 2021 17:07:48 +0000 (19:07 +0200)] 
selftest: Add "sync machine password to keytab" to env. ad_member_idmap_nss

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 15 Feb 2024 10:10:06 +0000 (11:10 +0100)] 
s3:utils: Change net_ads_keytab_create() to call sync_pw2keytabs()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Tue, 13 Feb 2024 12:43:50 +0000 (13:43 +0100)] 
s3:libnet: Sync keytab during libnet_join_create_keytab()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 21 Dec 2023 12:57:38 +0000 (13:57 +0100)] 
s3: Sync machine account password in secrets_{prepare,finish}_password_change

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Fri, 26 Jul 2024 11:15:03 +0000 (13:15 +0200)] 
s3:ads: Remove 'kerberos method' warning for 'net ads keytab' functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 21 Dec 2023 12:57:38 +0000 (13:57 +0100)] 
s3:ads: Do not update system keytab from "net ads changetrustpw"

It will be done in secrets_{prepare,finish}_password_change

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Mon, 6 Sep 2021 14:58:17 +0000 (16:58 +0200)] 
s3:lib: Sync machine password to keytab: helper functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Tue, 23 Jan 2024 16:19:30 +0000 (17:19 +0100)] 
s3:libads: Request "msDS-KeyVersionNumber" from ads_find_machine_acct()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 7 Dec 2023 16:49:07 +0000 (17:49 +0100)] 
s3:libads: Use the TRACE SUPPORT for keys operations

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Wed, 7 Jul 2021 18:06:48 +0000 (20:06 +0200)] 
krb5_wrap: Add TRACE SUPPORT for keys operations

The trace looks like below. The last field, a hex dump of the
data, is useful: it allows searching for all manipulations.

KEYTAB_TRACE sync_pw2keytabs_process_keytab:622 add ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM 14 17 C66D244CB26005C7D6FF9FC00FCBBE4A

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Sun, 17 Dec 2023 15:15:00 +0000 (16:15 +0100)] 
s3:testparm: Add check for "sync machine password to keytab" to testparm

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Wed, 28 Feb 2024 12:30:55 +0000 (13:30 +0100)] 
docs:smbdotconf: Add parameter 'sync machine password script'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Fri, 3 Sep 2021 17:07:01 +0000 (19:07 +0200)] 
docs:smbdotconf: Add parameter 'sync machine password to keytab'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Wed, 2 Jun 2021 13:20:46 +0000 (15:20 +0200)] 
s3:lib: Merge library trusts_util into library ads

The function trust_pw_change(), originally from the library trusts_util, was
updated to call functionality from the ads library. This would introduce a
circular dependency between the two libraries. To avoid it, trusts_util is
merged into ads.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 2 Feb 2024 14:14:27 +0000 (15:14 +0100)] 
WHATSNEW.txt: document "veto files" and "hide files"

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 26 11:10:42 UTC 2024 on atb-devel-224

Ralph Boehme [Wed, 7 Feb 2024 10:40:29 +0000 (11:40 +0100)] 
s3/lib: return error from set_namearray()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 2 Feb 2024 07:10:54 +0000 (08:10 +0100)] 
smbd: return errors from token_contains_name()

Invalid names in "valid users", "invalid users", "read list", "write list",
"veto files" and "hide files" are logged and ignored, but a failure to contact
winbind or a DC from winbind, or a memory allocation failure, now all trigger a
failure of the tree connect.

Manually tested with smbclient with the following hack in winbindd:

---8<---
  $ git di
   source3/winbindd/winbindd_cache.c | 7 +++++++
   1 file changed, 7 insertions(+)

  diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
  index c889489dbbbc..8ccf0a28e11a 100644
  --- a/source3/winbindd/winbindd_cache.c
  +++ b/source3/winbindd/winbindd_cache.c
  @@ -1821,6 +1821,13 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
          ZERO_STRUCTP(sid);
          *type = SID_NAME_UNKNOWN;

  +       if (strequal(name, "unknown")) {
  +               return NT_STATUS_OK;
  +       }
  +       if (strequal(name, "iotimeout")) {
  +               return NT_STATUS_IO_TIMEOUT;
  +       }
  +
          status = wcache_name_to_sid(domain, domain_name, name, sid, type);
          if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
                  return status;
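Review bot: the two strequal() early returns added at the top of wb_cache_name_to_sid() match hard-coded names before wcache_name_to_sid() is consulted, so a real account named "unknown" or "iotimeout" would be short-circuited as well. That is acceptable for a local test hack, but it must stay out of the tree. A one-line comment that the NT_STATUS_OK return for "unknown" relies on the preceding `*type = SID_NAME_UNKNOWN;` would make the intended "not mapped" result explicit.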
---8<---

  veto files = ../unknown/file1/../slow/file2

  $ bin/smbclient -U slow%x //localhost/test -c quit
  $

In the log:

  [2024/03/04 15:21:33.659356,  1, pid=977167, effective(0, 0), real(0, 0)] ../../source3/lib/util_namearray.c:128(token_contains_name)
    token_contains_name: lookup_name 'unknown' failed

  veto files = ../iotimeout/file1/../slow/file2

  $ bin/smbclient -U slow%x //localhost/test -c quit
  tree connect failed: NT_STATUS_LOGON_FAILURE
  $

  [2024/03/04 15:22:15.655811,  0, pid=977177, effective(0, 0), real(0, 0)] ../../source3/lib/util_namearray.c:131(token_contains_name)
    token_contains_name: lookup_name 'iotimeout' failed NT_STATUS_NO_SUCH_DOMAIN
  [2024/03/04 15:22:15.655846,  1, pid=977177, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:381(change_to_user_impersonate)
    change_to_user_impersonate: SMB user slow (unix user slow) not permitted access to share test.
  [2024/03/04 15:22:15.655855,  0, pid=977177, effective(0, 0), real(0, 0)] ../../source3/smbd/smb2_service.c:689(make_connection_snum)
    make_connection_snum: Can't become connected user!

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 9 Feb 2024 14:24:27 +0000 (15:24 +0100)] 
s3/lib: use lookup_name_smbconf_ex() in token_contains_name()

No change in behaviour as we still ignore lookup errors as well as a not-found
result.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 9 Feb 2024 08:40:23 +0000 (09:40 +0100)] 
s3/passdb: add lookup_name_smbconf_ex() using lookup_name_internal()

Returns NTSTATUS instead of bool. lookup_name_smbconf() becomes a thin
wrapper around lookup_name_smbconf_ex().

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 9 Feb 2024 09:53:35 +0000 (10:53 +0100)] 
s3/passdb: factor out lookup_name_internal()

lookup_name() becomes a thin wrapper around lookup_name_internal(). Prepares for
adding more callers to lookup_name_internal() that are interested in the
NTSTATUS return value to distinguish between NAME_NOT_FOUND lookup results and
real errors.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 8 Feb 2024 17:20:15 +0000 (18:20 +0100)] 
s3/passdb: use winbind_lookup_name_ex() in lookup_name() instead of winbind_lookup_name()

No change in behaviour, prepares for returning NTSTATUS instead of bool from
lookup_name().

Review-with: git show -w

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 8 Feb 2024 17:20:15 +0000 (18:20 +0100)] 
s3/passdb: add winbind_lookup_name_ex()

Differs from winbind_lookup_name() by

- returning NTSTATUS instead of bool, so callers can distinguish between
STATUS_NAME_NOT_FOUND lookup results and real errors.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2024 16:16:57 +0000 (17:16 +0100)] 
s3-errormap: add WBC_ERR_NOT_MAPPED -> NT_STATUS_NONE_MAPPED

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 8 Feb 2024 11:09:33 +0000 (12:09 +0100)] 
s3-errormap: move map_nt_error_from_wbcErr() back into errormap.c

This basically reverts commit 313db81ad3de6cf7759d6a0fc21ee32419b2e62b.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 6 Mar 2024 13:23:45 +0000 (14:23 +0100)] 
s3/rpc_client: fix handling of NT_STATUS_SOME_NOT_MAPPED

In this case names that couldn't be resolved will have a NULL sid pointer
which would trigger a crash in sid_copy().

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2024 15:44:57 +0000 (16:44 +0100)] 
winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names

Previously LookupNames would fail if a name could not be translated, so winbindd
clients like libwbclient couldn't differentiate between not being able to talk
to a DC and just an unknown name.

As a visible change this alters

  $ bin/wbinfo -n Idontexist
  failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
  Could not lookup name Idontexist

to

  $ bin/wbinfo -n Idontexist
  failed to call wbcLookupName: WBC_ERR_SOME_NOT_MAPPED
  Could not lookup name Idontexist

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2024 15:38:11 +0000 (16:38 +0100)] 
libwbclient: prepare wbcCtxLookupName() for dealing with WBC_SID_NAME_UNKNOWN

This changes the wbcErr from WBC_ERR_DOMAIN_NOT_FOUND to WBC_ERR_NOT_MAPPED.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2024 15:33:57 +0000 (16:33 +0100)] 
libwbclient: add error WBC_ERR_NOT_MAPPED

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2024 15:42:59 +0000 (16:42 +0100)] 
winbindd: properly initialize sid and type in wb_cache_name_to_sid()

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2024 15:19:34 +0000 (16:19 +0100)] 
winbindd: collapse two if expressions

No change in behaviour.

After calling set_domain_offline() domain->offline will be set to false, iow
every time

  if (!domain->internal && was_online)

is true,

  if (!domain->internal &&
      !domain->online &&
      was_online)

will also be true, so we can drop the second if expression.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2024 15:17:33 +0000 (16:17 +0100)] 
winbindd: reformatting

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 16 Feb 2024 15:12:43 +0000 (16:12 +0100)] 
winbindd: rename variable old_status to was_online in wb_cache_name_to_sid()

A lot easier to make sense of the complex logic when using this name.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 25 Jan 2024 14:03:10 +0000 (15:03 +0100)] 
CI: add a test for per-user (and per-group) veto files

Not adding a specific test for per-user hide files as that uses the exact same
mechanism as the per-user veto files.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 25 Jan 2024 15:26:42 +0000 (16:26 +0100)] 
CI: fix test file cleanup

Test files are stored beneath "$SHAREPATH/dir1", not "$SHAREPATH/dir_1".

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Fri, 2 Feb 2024 11:04:10 +0000 (12:04 +0100)] 
s3/lib: add per-user support to set_namearray()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 7 Feb 2024 07:46:43 +0000 (08:46 +0100)] 
smbd: move token_contains_name() to util_namearray.c and make it public

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 25 Jan 2024 07:07:49 +0000 (08:07 +0100)] 
selftest: add groups "group1" and "group2" to Samba3

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 7 Feb 2024 09:21:33 +0000 (10:21 +0100)] 
s3/lib: move set_namearray() to util_namearray.c

Needed to fix circular dependencies between samba-passdb, secrets3 and
samba3util (iirc).

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 7 Feb 2024 09:18:13 +0000 (10:18 +0100)] 
smbd: maintain veto_list and hide_list in the vuid cache

Prepares for adding per-user support to both options. I don't think it makes
sense also adding per-user support to "veto oplock files" and "aio write behind"
so I'm ignoring those.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 23 Jan 2024 14:29:17 +0000 (15:29 +0100)] 
smbd: prepare free_conn_session_info_if_unused() for more cleanup logic

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 23 Jan 2024 14:19:12 +0000 (15:19 +0100)] 
smbd: move target code out of loop body

Reduces indentation of the code that is run in this function and prepares
for adding more of it.

Review with: git show -w

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 20 Jan 2024 11:58:52 +0000 (12:58 +0100)] 
s3/lib: modernize set_namearray()

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 23 Jan 2024 11:29:36 +0000 (12:29 +0100)] 
s3/lib: move path_to_strv() to util_path.c

More callers are coming.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 20 Jan 2024 18:12:09 +0000 (19:12 +0100)] 
s3/lib: remove name_compare_entry typedef

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 31 Jan 2024 16:48:07 +0000 (17:48 +0100)] 
selftest: remove net groupmap delete stuff

Likely not needed anymore since we now cleanup the fileserver env.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 31 Jan 2024 16:45:29 +0000 (17:45 +0100)] 
selftest: ensure the "fileserver" test environment is removed before provisioning

This was likely taken by copy/paste from somewhere else where it might have made
sense.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 31 Jan 2024 18:37:54 +0000 (19:37 +0100)] 
selftest: setup "fileserver" testenv specific directories after calling provision()

This ensures provision() can remove st/fileserver/* from previous runs.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 31 Jan 2024 18:36:33 +0000 (19:36 +0100)] 
selftest: setup "simpleserver" testenv specific directories after calling provision()

This ensures provision() can remove st/simpleserver/* from previous runs.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Wed, 31 Jan 2024 16:44:00 +0000 (17:44 +0100)] 
selftest: remove check for $no_delete_prefix

provision_ctdb() was always called with $no_delete_prefix undefined
from setup_ctdb(), so we can just remove the check.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Douglas Bagnall [Wed, 24 Jul 2024 05:24:59 +0000 (17:24 +1200)] 
libcli:security: allow spaces after BAD:

In AD_DS_Classes_Windows_Server_v1903.ldf from
https://www.microsoft.com/en-us/download/details.aspx?id=23782, we see

  defaultSecurityDescriptor: O:BAG:BAD: (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15685

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 25 06:27:27 UTC 2024 on atb-devel-224

Jo Sutton [Wed, 17 Jul 2024 03:45:29 +0000 (15:45 +1200)] 
selftest: Move MIT Kerberos knownfails to separate files in their own directory

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jo Sutton <jsutton@samba.org>
Autobuild-Date(master): Tue Jul 23 23:47:43 UTC 2024 on atb-devel-224

Jo Sutton [Wed, 17 Jul 2024 03:44:05 +0000 (15:44 +1200)] 
selftest: Move Heimdal Kerberos knownfails to separate files in their own directory

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jo Sutton [Wed, 17 Jul 2024 02:42:25 +0000 (14:42 +1200)] 
selftest: Consolidate MIT Kerberos knownfails into a single file

There is no longer any meaningful distinction between the two files.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 23 Jul 2024 09:46:57 +0000 (11:46 +0200)] 
s3:tests: let modprinter.pl use $TMPDIR

We should avoid using /tmp in selftest

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 23 13:53:13 UTC 2024 on atb-devel-224

Andreas Schneider [Tue, 23 Jul 2024 08:41:30 +0000 (10:41 +0200)] 
third_party: Update pam_wrapper to version 1.1.7

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 23 Jul 2024 07:27:37 +0000 (09:27 +0200)] 
selftest:Samba3: don't use PAM_WRAPPER_KEEP_DIR and PAM_WRAPPER_DEBUGLEVEL

They are both only for debugging problems.

In normal runs we don't need them and this avoids leaving too many
/tmp/pam.* directories around.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Martin Schwenke [Mon, 8 Jul 2024 07:57:27 +0000 (17:57 +1000)] 
ctdb-daemon: Use ctdb_parse_node_address() in ctdbd

While here, fix a trivial memory leak (ctdbd will exit anyway if this
function fails).

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jul 23 12:39:18 UTC 2024 on atb-devel-224

Martin Schwenke [Fri, 5 Jul 2024 08:07:36 +0000 (18:07 +1000)] 
ctdb-daemon: Use ctdb_read_nodes() in ctdbd

ctdb_control_getnodesfile() calls ctdb_read_nodes(), which returns a
struct ctdb_node_map rather than the old version, so update associated
marshalling.  While here modernise a debug message and wrap the
function arguments.

For ctdb_load_nodes_file() to use ctdb_read_nodes(), tweak
convert_node_map_to_list() to also use the modern node map structure.

Remove unused copy of ctdb_read_nodes_file().

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Martin Schwenke [Fri, 5 Jul 2024 07:58:46 +0000 (17:58 +1000)] 
ctdb-protocol: Move ctdb_node_map_* to protocol_api.h

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Martin Schwenke [Fri, 5 Jul 2024 07:45:44 +0000 (17:45 +1000)] 
ctdb-tests: Use ctdb_read_nodes() in the fake ctdbd

Remove unused copy of ctdb_read_nodes_file().

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Martin Schwenke [Fri, 5 Jul 2024 07:37:26 +0000 (17:37 +1000)] 
ctdb-tools: Use ctdb_read_nodes() in the ctdb tool

Remove unused copy of ctdb_read_nodes_file().

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Martin Schwenke [Fri, 5 Jul 2024 07:34:09 +0000 (17:34 +1000)] 
ctdb-conf: Add a common node address handling module

These functions are intended to be used in ctdbd, the ctdb tool and
fake_ctdbd, replacing the different copies in each place.

ctdb_read_nodes() will replace ctdb_read_nodes_file().  The name
change is intentional - in future the location may be something other
than a simple filename.

The static copies of ctdb_read_nodes_file() and node_map_add() are
slightly sanitised versions of those in tools/ctdb.c, with a call to
ctdb_parse_node_address().  A bit more care is taken in node_map_add()
to avoid undefined behaviour if talloc_realloc() fails.

ctdb_parse_node_address() will replace ctdb_parse_address().  There is
an obvious argument change, since the ctdb context argument was
unused.  It can only fail on an invalid node address, so return a
bool.  This function might be changed later to allow the input address
string to include an optional port.

Where to put this module isn't entirely clear.  It could go in common,
so be part of ctdb-util.  However, if it later needs
ctdb-conf (e.g. to allow the node list location to be configurable)
then there would be a direct cyclic dependency.  This is configuration
handling, so conf/ seems sane.  However, I didn't want to put it into
the ctdb-conf target, since some code might need to parse a nodes list
but not need to parse ctdb.conf.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Martin Schwenke [Mon, 8 Jul 2024 07:58:55 +0000 (17:58 +1000)] 
ctdb-protocol: Move definition of CTDB_PORT to protocol

Users of CTDB_PORT will all pick up the new definition.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Martin Schwenke [Fri, 5 Jul 2024 07:19:47 +0000 (17:19 +1000)] 
ctdb-build: Remove unused dependencies on ctdb-util

Since commit ba8f8ef33cd99ea60fc2682727a5497995b5f569.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Andreas Schneider [Fri, 12 Jul 2024 12:18:26 +0000 (14:18 +0200)] 
s3:printing: Allow to run samba-bgqd as a standalone systemd service

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15683

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 19 11:13:28 UTC 2024 on atb-devel-224

Andreas Schneider [Wed, 17 Jul 2024 08:58:09 +0000 (10:58 +0200)] 
s4:torture: Initialize struct cldap_netlogon

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/ldap/cldapbench.c:40: var_decl: Declaring variable ""io"" without initializer.
samba-4.20.0rc2/source4/torture/ldap/cldapbench.c:45: uninit_use_in_call: Using uninitialized value ""io.in.map_response"" when calling ""cldap_netlogon_recv"".
   43|    TALLOC_CTX *tmp_ctx = talloc_new(NULL);
   44|    io.in.version = 6;
   45|->  status = cldap_netlogon_recv(req, tmp_ctx, &io);
   46|    talloc_free(req);
   47|    if (NT_STATUS_IS_OK(status)) {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 13:48:03 UTC 2024 on atb-devel-224

Andreas Schneider [Wed, 17 Jul 2024 08:57:43 +0000 (10:57 +0200)] 
s4:torture: Remove trailing spaces from cldapbench.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Wed, 17 Jul 2024 08:55:28 +0000 (10:55 +0200)] 
s4:torture: Initialize struct netr_LogonSamLogonEx

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/schannel.c:49: var_decl: Declaring variable ""r"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/schannel.c:152: uninit_use_in_call: Using uninitialized value ""r.in.validation_level"" when calling ""torture_comment"".
  150|    ""LogonSamLogonEx failed"");
  151|    } else {
  152|->  torture_comment(tctx,
  153|    ""Skip auth_level[%u] Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n"",
  154|    auth_level, ninfo.identity_info.account_name.string, crypto_alg,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Wed, 17 Jul 2024 08:50:30 +0000 (10:50 +0200)] 
nsswitch: Fix integer size types in winbind_write_sock()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Tue, 16 Jul 2024 15:03:19 +0000 (17:03 +0200)] 
examples:winexe: Initialize integer

Error: UNINIT (CWE-457):
samba-4.20.0rc2/examples/winexe/winexesvc.c:147: var_decl: Declaring variable "res" without initializer.
samba-4.20.0rc2/examples/winexe/winexesvc.c:156: uninit_use: Using uninitialized value "res".
  154|    GetOverlappedResult(pipe->h, &pipe->o, (LPDWORD)&res, TRUE);
  155|    FlushFileBuffers(pipe->h);
  156|->  return res;
  157|   }
  158|

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
13 months ago auth:gensec: Fully initialize struct spnego_data
Andreas Schneider [Tue, 16 Jul 2024 15:01:22 +0000 (17:01 +0200)] 
auth:gensec: Fully initialize struct spnego_data

Error: UNINIT (CWE-457):
samba-4.20.0rc2/auth/gensec/spnego.c:1129: var_decl: Declaring variable "spnego_out" without initializer.
samba-4.20.0rc2/auth/gensec/spnego.c:1154: uninit_use_in_call: Using uninitialized value "spnego_out.negTokenTarg.negResult" when calling "spnego_write_data".
 1152|    }
 1153|
 1154|->  if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 1155|    DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
 1156|    return NT_STATUS_INVALID_PARAMETER;

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
13 months ago s4:torture: Initialize union spoolss_KeyNames
Andreas Schneider [Tue, 16 Jul 2024 14:59:12 +0000 (16:59 +0200)] 
s4:torture: Initialize union spoolss_KeyNames

Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/spoolss.c:7835: var_decl: Declaring variable "key_buffer" without initializer.
samba-4.20.0rc2/source4/torture/rpc/spoolss.c:7906: uninit_use: Using uninitialized value "key_buffer.string_array".
 7904|
 7905|    if (array) {
 7906|->  *array = key_buffer.string_array;
 7907|    }
 7908|

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
13 months ago examples:winexe: Fully initialize EXPLICIT_ACCESS
Andreas Schneider [Tue, 16 Jul 2024 08:45:53 +0000 (10:45 +0200)] 
examples:winexe: Fully initialize EXPLICIT_ACCESS

Error: UNINIT (CWE-457):
samba-4.20.0rc2/examples/winexe/winexesvc.c:60: var_decl: Declaring variable "ea" without initializer.
samba-4.20.0rc2/examples/winexe/winexesvc.c:86: uninit_use_in_call: Using uninitialized value "ea". Field "ea.Trustee.pMultipleTrustee" is uninitialized when calling "SetEntriesInAclA".
   84|
   85|    /* Create a new ACL that contains the new ACEs */
   86|->  dwRes = SetEntriesInAcl(1, &ea, NULL, &pACL);
   87|    if (ERROR_SUCCESS != dwRes) {
   88|    dbg("SetEntriesInAcl Error %lu\n", GetLastError());

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
13 months ago s4:torture: Initialize pointer with NULL
Andreas Schneider [Tue, 16 Jul 2024 08:33:38 +0000 (10:33 +0200)] 
s4:torture: Initialize pointer with NULL

Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1447: var_decl: Declaring variable "tree2" without initializer.
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1492: uninit_use_in_call: Using uninitialized value "tree2" when calling "smb2_util_unlink".
 1490|    }
 1491|
 1492|->  smb2_util_unlink(tree2, fname);
 1493|
 1494|    talloc_free(tree);

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
13 months ago s3:smbd: Initialize struct security_ace array
Andreas Schneider [Tue, 16 Jul 2024 08:31:53 +0000 (10:31 +0200)] 
s3:smbd: Initialize struct security_ace array

Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/smbd/posix_acls.c:4599: var_decl: Declaring variable "aces" without initializer.
samba-4.20.0rc2/source3/smbd/posix_acls.c:4676: uninit_use_in_call: Using uninitialized value "*aces". Field "aces->object" is uninitialized when calling "make_sec_acl".
 4674|    idx++;
 4675|
 4676|->  new_dacl = make_sec_acl(ctx,
 4677|    NT4_ACL_REVISION,
 4678|    idx,

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
13 months ago s4:torture: Add new LSA test_query_forest_trust_info()
Andreas Schneider [Tue, 19 Mar 2024 09:24:44 +0000 (10:24 +0100)] 
s4:torture: Add new LSA test_query_forest_trust_info()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 12:36:25 UTC 2024 on atb-devel-224

13 months ago s4:torture: Split out a new LSA test_set_forest_trust_info() function
Andreas Schneider [Tue, 19 Mar 2024 08:43:40 +0000 (09:43 +0100)] 
s4:torture: Split out a new LSA test_set_forest_trust_info() function

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
13 months ago selftest: Remove samba4.rpc.lsa.forest.trust from knownfail
Andreas Schneider [Tue, 19 Mar 2024 09:30:04 +0000 (10:30 +0100)] 
selftest: Remove samba4.rpc.lsa.forest.trust from knownfail

The test needs --option="torture:Forest_Trust_Dom2_Binding=..." in order
to be useful, so the skip is correct, but the knownfail entry should
have been removed with e5163dfd57694351bf556565e92f74b71221db29.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
13 months ago python:tests: make test_export_keytab_nochange_update() more reliable
Stefan Metzmacher [Wed, 17 Jul 2024 07:03:34 +0000 (07:03 +0000)] 
python:tests: make test_export_keytab_nochange_update() more reliable

net.export_keytab() includes the current timestamp in the resulting
keytab. So we need to make sure the two compared exports actually
run within the same second.

And klist may also print the keytab filename...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 17 14:21:30 UTC 2024 on atb-devel-224

13 months ago s3:auth: allow real plaintext authentication
Stefan Metzmacher [Fri, 12 Jul 2024 15:12:46 +0000 (17:12 +0200)] 
s3:auth: allow real plaintext authentication

In standalone setups we use the PAM stack to verify
the plaintext authentication, so we need to pass it
down...

There are still production systems out there
(legacy audio/video recording systems...)
using this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 17 11:17:54 UTC 2024 on atb-devel-224

13 months ago selftest: setup pam_matrix in the simpleserver env
Stefan Metzmacher [Fri, 12 Jul 2024 18:23:52 +0000 (20:23 +0200)] 
selftest: setup pam_matrix in the simpleserver env

This allows testing a plaintext password authentication
on a standalone server using the PAM stack to verify it.

There are still production systems out in the wild using this...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
13 months ago s3:auth: let smb_pam_conv() handle resp=NULL
Stefan Metzmacher [Mon, 15 Jul 2024 16:47:24 +0000 (18:47 +0200)] 
s3:auth: let smb_pam_conv() handle resp=NULL

pam_matrix calls smb_pam_conv() with resp=NULL in some situations;
we should not segfault...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
13 months ago third_party/pam_wrapper: add pam_matrix module
Stefan Metzmacher [Mon, 15 Jul 2024 16:43:37 +0000 (18:43 +0200)] 
third_party/pam_wrapper: add pam_matrix module

This allows testing pam with simple passwords.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
13 months ago s3:passdb: don't clear the LM HASH without a password change
Stefan Metzmacher [Fri, 12 Jul 2024 17:38:40 +0000 (19:38 +0200)] 
s3:passdb: don't clear the LM HASH without a password change

Updating things like the bad pwd count should not clear the
stored LM HASH with 'lanman auth = no'.

This allows testing with 'lanman auth = no' and 'lanman auth = yes'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
13 months ago s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests
Stefan Metzmacher [Mon, 15 Jul 2024 16:32:42 +0000 (18:32 +0200)] 
s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests

This demonstrates that we currently have problems with
plaintext and lanman authentication, in both domain member
and standalone setups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
13 months ago selftest:Samba3: allow lanman auth in setup_nt4_member
Stefan Metzmacher [Mon, 15 Jul 2024 16:31:18 +0000 (18:31 +0200)] 
selftest:Samba3: allow lanman auth in setup_nt4_member

Note that the LM HASH is only generated for passwords
up to 14 characters...

We use extra_options_before_inject in order to
allow overriding any existing parameter.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
13 months ago selftest:Samba3: add simpleserver globals before include = global_inject.conf
Stefan Metzmacher [Fri, 12 Jul 2024 16:26:07 +0000 (18:26 +0200)] 
selftest:Samba3: add simpleserver globals before include = global_inject.conf

This allows overriding any existing parameter.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
13 months ago libcli/auth: fix debug level 100 valgrind warnings in SMBOWFencrypt_ntv2()
Stefan Metzmacher [Mon, 3 Jun 2024 10:56:02 +0000 (12:56 +0200)] 
libcli/auth: fix debug level 100 valgrind warnings in SMBOWFencrypt_ntv2()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
13 months ago s3:lib: Fix a typo in MACRO
Pavel Filipenský [Tue, 23 Jan 2024 09:01:35 +0000 (10:01 +0100)] 
s3:lib: Fix a typo in MACRO

DEBUG_PASSWORDS --> DEBUG_PASSWORD

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Jul 17 08:49:46 UTC 2024 on atb-devel-224

13 months ago libnet: Fix debug text
Pavel Filipenský [Tue, 26 Mar 2024 20:48:58 +0000 (21:48 +0100)] 
libnet: Fix debug text

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
13 months ago s3:librpc: Fix a typo in DEBUG text
Pavel Filipenský [Wed, 22 Nov 2023 12:59:20 +0000 (13:59 +0100)] 
s3:librpc: Fix a typo in DEBUG text

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
13 months ago python:tests: Fix spelling in to test_samba_dnsupdate_no_change
Pavel Filipenský [Mon, 15 Jul 2024 08:31:18 +0000 (10:31 +0200)] 
python:tests: Fix spelling in to test_samba_dnsupdate_no_change

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
13 months ago docs-xml: Mention winbind consistently in samba-dcerpcd.8
Pavel Filipenský [Sun, 26 May 2024 07:04:17 +0000 (09:04 +0200)] 
docs-xml: Mention winbind consistently in samba-dcerpcd.8

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
13 months ago ctdb-tests: Correctly handle adding a deleted node at the end
Martin Schwenke [Thu, 11 Jul 2024 02:14:07 +0000 (12:14 +1000)] 
ctdb-tests: Correctly handle adding a deleted node at the end

The current fake_ctdbd code for reloading the nodes file overruns the
allocation when adding a deleted node at the end.  This is a very
unlikely case, but it might as well work.

Check the size of the internal node map when marking a node deleted.
Also, update the code that adds a node to correctly set the deleted
flag when appropriate.

The included test case tests this.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jul 17 00:06:53 UTC 2024 on atb-devel-224

13 months ago ctdb-tests: Add more reloadnodes unit tests
Martin Schwenke [Sat, 22 Jun 2024 04:54:53 +0000 (14:54 +1000)] 
ctdb-tests: Add more reloadnodes unit tests

There are no existing tests to exercise node IP address change
detection.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
13 months ago s4:torture: Do not set sr.in.info to info be we queried the info
Andreas Schneider [Mon, 8 Jul 2024 09:39:28 +0000 (11:39 +0200)] 
s4:torture: Do not set sr.in.info to info be we queried the info

`sr.in.info = info` is correctly set later, after we have called
dcerpc_lsa_QueryTrustedDomainInfoByName_r(), which fills the info
pointer with data.

Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/forest_trust.c:211: var_decl: Declaring variable "info" without initializer.
samba-4.20.0rc2/source4/torture/rpc/forest_trust.c:248: uninit_use: Using uninitialized value "info".
  246|    sr.in.trusted_domain = talloc_zero(tctx, struct lsa_String);
  247|    sr.in.trusted_domain->string = name;
  248|->  sr.in.info = info;
  249|
  250|    for (c = 0; il[c].info_level != -1; c++) {

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jul 16 12:42:39 UTC 2024 on atb-devel-224

13 months ago lib:param: Add missing return code check
Andreas Schneider [Mon, 8 Jul 2024 10:26:47 +0000 (12:26 +0200)] 
lib:param: Add missing return code check

Error: NEGATIVE_RETURNS (CWE-394):
samba-4.20.0rc2/lib/param/loadparm.c:1275: negative_return_fn: Function "lpcfg_map_parameter("printing")" returns a negative number.
samba-4.20.0rc2/lib/param/loadparm.c:1275: assign: Assigning: "parm_num" = "lpcfg_map_parameter("printing")".
samba-4.20.0rc2/lib/param/loadparm.c:1278: negative_returns: Using variable "parm_num" as an index to array "parm_table".
 1276|    }
 1277|
 1278|->  if (!lp_set_enum_parm(&parm_table[parm_num], pszParmValue, (int*)ptr)) {
 1279|    return false;
 1280|    }

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
13 months ago s3:services: Initialize struct security_ace array
Andreas Schneider [Mon, 8 Jul 2024 10:21:06 +0000 (12:21 +0200)] 
s3:services: Initialize struct security_ace array

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
13 months ago s4:torture: Remove tailing spaces in forest_trust.c
Andreas Schneider [Mon, 8 Jul 2024 09:40:51 +0000 (11:40 +0200)] 
s4:torture: Remove tailing spaces in forest_trust.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>