tests/krb5: Don’t pass gMSA as ‘domain_joined_mach_creds’ parameter

We just want to test whether a gMSA can use netlogon.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test performing NTLMSSP logons at different times

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Let dsdb gMSA time influence pwdLastSet

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add ‘expect_success’ parameter to gensec_ntlmssp_logon()

View with ‘git show -b’.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Make use of gmsa_series_for_account() method

This allows us to replace a call to
expected_current_gmsa_password_blob() with one to
expected_gmsa_password_blob(), a method which allows us to specify the
exact key we expect.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add quantized_time() method

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Read current time from correct SamDB

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Pass ServerPasswordSet2() parameters in correct order

‘account_name’ and ‘server_name’ are passed in the wrong order. While
Samba ignores the account name parameter and doesn’t have a problem with
it missing its trailing dollar, Windows checks it and requires the
trailing dollar to be present.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Remove unnecessary ‘pass’ statement

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Remove unused netlogon connection parameter

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libcli: Add more controls to our list of known controls

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libcli: Fix code spelling

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:setup: Update name of dsdb password change control

Commit 0a907c2f45c34efcac784738c9d75303b9d04d2f renamed this control to
DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Fix code spelling

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Remove trailing whitespace

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:fuzzing: Fix undefined shift

../../lib/fuzzing/fuzz_stable_sort_r_unstable.c:47:22: runtime error: left shift of negative value -34

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:fuzzing: Remove unused variable

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth:credentials: Check for NT hash being NULL

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Fix a typo in a few places

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 15 17:56:24 UTC 2024 on atb-devel-224

smbd: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

g_lock: Fix buffer length check in g_lock_parse()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Simplify check_parent_access_fsp()

We don't need to explicitly call fetch_share_mode_unlocked,
get_file_infos does it for us behind the scenes

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Remove an obsolete comment

notify_fname only sends a message to the notify daemon. There is no
potential deadlock anymore.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Add reparse tag to smb3_posix_cc_info

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 14 23:29:46 UTC 2024 on atb-devel-224

smbd: Test reparse tag in smb3_posix_cc_info

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Use fsctl_get_reparse_tag in fsctl_del_reparse_point

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Use fsctl_get_reparse_tag in fsctl_set_reparse_point

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Add fsctl_get_reparse_tag() helper function

There's a few places where we only care about the tag

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Cap max_rdata at UINT16_MAX

The caller does not necessarily query max values for smb1 and smb2+.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Use the direct FSCC_FILE_ALL_INFORMATION define

(SMB_FILE_ALL_INFORMATION - 1000) looks a bit silly if you look at the
definition of SMB_FILE_ALL_INFORMATION...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Add DEBUG message got get_reparse_point

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Return reparse tag as of MS-FSCC 2.4.6

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Fix a DBG

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

tests: get TAG_INFORMATION

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

pylibsmb: Add py_cli_qfileinfo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

pylibsmb: Add FSCC QUERY_INFO levels

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Remove smb2 branch from cli_qfileinfo_basic_send

cli_qfileinfo_send now does it

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Add smb2 branch to cli_qfileinfo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Add a tevent_req_received() where appropriate

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Convert cli_qfileinfo to use FSCC levels

This will enable this routine to be used for SMB2 as well. The
translation table is from [MS-CIFS] 2.2.8.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Use SMB2_0_INFO_FILE instead of the raw "1"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Use SMB2_0_INFO_SECURITY instead of the raw "3"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Modernize a DEBUG

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

test: Align integer types

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:winbindd: Update non cache entries keys (non_centry_keys)

This change does NOT affect WHAT and HOW is cached. It only avoids
undefined behavior for "NDR" and "TRUSTDOMCACHE" when processed in
wcache_flush_cache() and wbcache_upgrade_v1_to_v2().

winbindd_cache.tdb contains two types of entries:

1) cache entries (typed as 'struct cache_entry')
  - internal format is:           [ntstatus; sequence_number; timeout]

2) non cache entries (keys listed in non_centry_keys)
  - for "NDR" internal format is: [sequence_number; timeout]

Without this commit, "NDR" would be processed as the first type (instead
as the second type). E.g. in the stack below:

wcache_fetch_raw()
traverse_fn_cleanup()
wcache_flush_cache()

the triplet [ntstatus; sequence_number; timeout] would be initialized
from data containing only [sequence_number; timeout], leading to
mismatched values ('ntstatus' would be filled from 'sequence_number').

Anyway, current code is never calling wcache_flush_cache(), since
wcache_flush_cache() can be called only from get_cache() and get_cache()
will call it only if global/static wcache was not set yet. But wcache is
set very early in the main winbind (and all winbind children get it
after fork), sooner than any call of get_cache() can happen:

   #1 init_wcache + 0x19
   #2 initialize_winbindd_cache + 0x35
   #3 winbindd_cache_validate_and_initialize + 0x25
   #4 main + 0x806

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 14 21:04:57 UTC 2024 on atb-devel-224

s3:winbindd: Use TDB_REPLACE in tdb_store

tdb_store() should use as a flag TDB_REPLACE instead of undocumented 0

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Restore empty string default for conf.env['icu-libs']

The reworked ICU libraries configuration code used [] as
default for conf.env['icu-libs']. This breaks dependency analysis
in samba_deps.py because SAMBA_SUBSYSTEM() expects deps to be
a string.

Signed-off-by: Earl Chew <earl_chew@yahoo.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 14 14:44:06 UTC 2024 on atb-devel-224

python/tests: Fix nlink test in smb3unix on btrfs filesystem

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue May 14 13:37:53 UTC 2024 on atb-devel-224

lib/replace: make sure krb5_cc_default[_name]() is no longer used directly

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 14 11:22:28 UTC 2024 on atb-devel-224

auth/credentials_krb5: let cli_credentials_set_ccache() use smb_force_krb5_cc_default()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

auth/credentials_krb5: use system/{gssapi,kerberos}.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbspool: let kerberos_ccache_is_valid() use smb_force_krb5_cc_default_name()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbspool_krb5_wrapper: let kerberos_get_default_ccache() use smb_force_krb5_cc_default_name()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbspool_krb5_wrapper: remove unused includes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

krb5_wrap: let smb_krb5_renew_ticket() use smb_force_krb5_cc_default_name()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

krb5_wrap: add smb_force_krb5_cc_default[_name]() wrappers

If we touch the global krb5_ccache we want to make that explicit,
so calling krb5_cc_default[_name] will result in an error during
the next patches.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: let kerberos_kinit_password_ext() require an explicit krb5 ccache

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

krb5_wrap: let ads_krb5_cli_get_ticket() require an explicit krb5 ccache

Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:libads: finally remove unused ads_connect[_user_creds]() and related code

That was a long way, but now we're cli_credentials/gensec only :-)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net: finally remove net_context->opt_{user_specified,user_name,password}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net: remove unused net_context->smb_encrypt

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net: remove unused net_context->opt_kerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:include: remove unused krb5_env.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net_ads: remove unused use_in_memory_ccache()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net_ads: make use of ads_connect_{cldap_only,creds}() in ads_startup_int()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: let ads_krb5_set_password() require an explicit krb5 ccache to operate on

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: kerberos_set_password() don't need to kinit before ads_krb5_chg_password()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: remove unused kdc_host and time_offset arguments to kerberos_set_password()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: remove unused kdc_host and time_offset arguments to ads_krb5_chg_password()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: remove krb5_set_real_time() from ads_krb5_set_password()

Callers typically only pass in 0 anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: remove unused kdc_host argument of ads_krb5_set_password()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net_ads: require kerberos if we use ads_krb5_set_password() in ads_user_add()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net_ads: use ADS_SASL_SEAL by default, so that we always get encryption

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net_ads: use cli_credentials_get_principal() in order to call kerberos functions

This is better than the value from cli_credentials_get_username()...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net: remove useless net_prompt_pass() wrapper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net_rpc: make use of !c->explicit_credentials for NET_FLAGS_ANONYMOUS

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net: make use of c->explicit_credentials in order to check for valid credentials

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net: add net_context->explicit_credentials to check if credentials were passed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache for 'net'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as we already passed cli_credentials

c->opt_kerberos is derived from c->creds...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:lib/netapi: add libnetapi_get_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libgpo/pygpo: make use of ads_connect_{creds,machine}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:printing: make use of ads_connect_machine()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: add ads_connect_machine() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: add ads_simple_creds() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: make use of ads_connect_simple_anon() in ldap.c where possible

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: add ads_connect_simple_anon() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:utils: let net_update_dns_internal() set status before goto done in all cases

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: make use of samba_sockaddr to avoid compiler warnings

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: make winbindd_get_trust_credentials() public

We'll use it outside of winbindd_cm.c soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds

This reconnect is only useful for long running connections (e.g. in winbindd)
and there we'll make use of it...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>