lib/util: fix NONNULL(params) __attribute__((nonnull(params)))

This should be set on the function prototype itself specifying
all non null arguments e.g.

NONNULL(1) NONNULL(3)
int foo(const char *arg1, int arg2, const char *arg3);

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:libsmb: rework smbsock_connect_* to work on smb_transports internally

We try the first transport first and all others after 5msecs,
but if one fails we start the next one.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:lib: remove unused open_socket_out_defer_send/recv

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:lib: pass 'protocol' to open_socket_out_send()

For now this is always explicitly IPPROTO_TCP,
but that will change when we add support for IPPROTO_QUIC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:lib: let open_socket_out_send() use samba_sockaddr to avoid strict-aliasing warnings

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: use open_socket_in_protocol() in smbd_open_one_socket()

For now this is always explicitly IPPROTO_TCP,
but that will change when we add support for IPPROTO_QUIC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:lib: split out open_socket_in_protocol()

This will be useful if we want to listen on IPPROTO_QUIC
sockets.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

docs-xml/smbdotconf: change 'smb ports' into a synonym for 'server smb transport'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb:events: let 50.samba.script use 'server smb transports'

We can't only use 'server smb transports' as in ci runs
the 'testparm' binary is from the distribution and likely
be in older Samba version.

So we still fallback to 'smb ports'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb:events: let 50.samba.script normalize the transports to tcp ports

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: setup parent->transports from 'server smb transports'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:smb_server: make use of lpcfg_server_smb_transports() in smbsrv_add_socket()

Here we still only support tcp and nbt...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

docs-xml/smbdotconf: add 'server smb transport' option

In the next commits 'smb ports' will become just
a synonym for 'server smb transport'...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:torture: map --smb-ports option to 'client smb transports'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:param: let lpcfg_smbcli_options() use lpcfg_client_smb_transports()

It means we'll use 'client smb transports' instead of 'smb ports'
for the client side.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

docs-xml/smbdotconf: add 'client smb transports' option

This will replace the use of 'smb ports' for source4 clients.

In future it will be used for all smb client connections
and it will allow to add other transports as 'quic' or 'smbdirect.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:smb_server: make use of smb_transports_parse() in smbsrv_add_socket()

Here we will only support tcp and nbt...,
but that will simplify the global transition from 'smb ports' to
'server smb transports'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: use parent->transports instead of 'smb ports' strings

This will simplify adding new transports as 'quic' or 'smbdirect'
in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: setup parent->transports from 'smb ports'

This will be used in the next commits and in the
end derived from the 'server smb transports' option.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: let open_sockets_smbd() use smbd_open_socket_for_ip()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: remove unused msg_ctx argument from smbd_open_socket_for_ip()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: let smbd_open_socket_for_ip() return the number of successful binds

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: simplify binding to wildcard addresses

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: only do dns_port logic in one central place.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: remove unused dns_port variable from smbd_open_socket_for_ip()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: let smbd_{addr_changed,close_socket_for_ip}() use samba_sockaddr to avoid strict-aliasing warnings

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:smbd: let smbd_accept_connection() use samba_sockaddr to avoid strict-aliasing warnings

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:client: remove unused ports from do_connect()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:torture: remove unused ports from masktests.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:client: remove unused ports from cifsdd* functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused ports from smbcli_full_connection()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:client: remove unused destports from do_message_op()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused ports from smbcli_socket_connect()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused dest_ports from smbcli_tree_full_connection()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused dest_ports struct smb_composite_fsinfo

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused ports from struct smb_composite_fetchfile

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:torture/raw: remove unused dest_port handling from openbench.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused dest_ports from struct smb_composite_connect

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused ports from smb2_connect()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused ports argument from smb2_connect_ext()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused ports argument from smb2_connect_send

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: remove unused dest_ports from smb_connect_nego_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: pass struct smbcli_options to smbcli_sock_connect() instead of port strings

This allows us to build the ports array from options.transports.

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli: introduce smbcli_options.transports based on lpcfg_smb_ports()

This will allow us to avoid passing lpcfg_smb_ports() explicitly
in a lot of places in the following commits.

Once that's done we will change away from "smb ports" to
something like "client smb transports".

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

libcli/smb: add struct smb_transports infrastructure

This will be able to use a structure instead of
a string array with int string values for 'smb ports'.

We'll soon add support for smb over quic, so
we need something better than tcp ports with
139 being special.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s4:libcli/smb_composite: remove unused struct smb_composite_connectmulti

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

libcli/smb: make smb2_lease_{pull,push} endian safe

smbd_smb2_send_lease_break() is already endian safe,
which means we'll get a mismatch on big endian systems,
so that smbd_smb2_send_lease_break() sends the lease key
in reversed order.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15849

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr 17 11:30:58 UTC 2025 on atb-devel-224

libcli/smb: convert smb2_lease_push() to PUSH_LE_U*

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15849

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>

libcli/smb: make the last 2 reserved bytes explicit in smb2_lease_push()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15849

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>

libcli/smb: convert smb2_lease_pull() to PULL_LE_U*

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15849

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>

s3:smbd: work around broken "vfs mkdir use tmp name" on FAT

"vfs mkdir use tmp name" creates a name with ":" because the file should
be invisible for Windows clients. ":" however is an invalid character on
FAT filesystems and we get EINVAL back. In that case we fall back to not
using tmp names for mkdir.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15845

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>

vfs: Fix "wide links = yes"

vfs_wide_links hides symlinks from the rest of smbd, and it implicitly
follows symlinks. Also, O_PATH will expose symlinks to the rest of
smbd, remove that.

We also need to do this for posix paths, as deep inside
rename_internals we want to avoid case-insensitive lookups by setting
SMB_FILENAME_POSIX_PATH.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15841

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 16 20:56:33 UTC 2025 on atb-devel-224

lib:cmdline: POPT_CALLBACK_REASON_POST should handle if we skip the password callback

It is already checking if there is a valid ccache and disabling the callback.
In case of IAKerb we specify a ccache but might to fill one with a krbtgt.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 15 12:54:57 UTC 2025 on atb-devel-224

lib:cmdline: Make sure --use-krb5-ccache sets the ccache

Pair-Programmed-With: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

auth:creds: Do a kinit if we have a password and the ccache is empty

This implements the same behaviour for s4 clients as we have with s3
clients.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

s3-wscript: make sure to build with selftest without libevent

No need to stop running selftest in absence of libevent anymore.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Apr 11 19:47:24 UTC 2025 on atb-devel-224

s3-selftest: only run prometheus exporter tests when configured

Extract the configure info for building with prometheus exporter and
only run the blackbox test in case it is enabled.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

build: use '--with-prometheus-exporter' configure option

Prefer '--with-prometheus-exporter' configure option over
'--with-libevent', which in turn, requires libevent.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

selftest: Add test for smb_prometheus_endpoint utility

Basic test for smb_prometheus_endpoint utility. Requires valid metrics
output using 'curl'. Start/stop the endpoint utility from within the
test script itself.

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

s3/smb_prometheus_endpoint: add authentication metrics

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

smbprofile: add authentication metrics

"authentication" is the total number of requests and "authentication_failed" is
obviously the number of failed authentications.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

smbprofile: SMB2-READ result NT_STATUS_END_OF_FILE is not an error

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

smbprofile: Count failed requests

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

utils: Initial version of smb_prometheus_endpoint

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

profile: Add number of sessions, tcons and files to smbstatus -P

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

profile: Add sessions, tcons and files to profile data

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

profile: Pass dummy smbd_server_connection to smbprofile_dump()

It will need access to its fields soon.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

profile: Return number of workers from smbprofile_collect_tdb()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

profile: Add time buckets to smbprofile_stats_iobytes

Enable a histogram of time taken for smb2 requests. This puts all smb2
requests into buckets of <1, <2, <4, ... <256 msecs duration and
beyond.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

build: Detect libevent

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

testprogs: Use 'sync machine password to keytab' for keytab creation

We want to get rid of dedicatedkeytabfile for writing keytabs.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr 11 08:38:49 UTC 2025 on atb-devel-224

testprogs: Remove dead code

The test for this has been removed already, this is just leftover.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

docs-xml: Document 'net ads keytab list'

Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

s3:net: 'net ads keytab list' should only list default keytab

If you don't specify a keytab, assume we just want the default keytab. This will
make upcoming changes to the code easier.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

s3:net: Remove `net ads keytab flush`

This removes all entries from a keytab *and* removes all SPNs from the AD
machine account. We should not do that and if you want to get rid of the keytab
you can use `rm`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

smbd: convert all fsp->fh->private_options to fsp_flags

Use fsp_apply_private_ntcreatex_flags() to store the private_flags as fsp_flags
and convert all users to check the fsp_flags.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr  9 14:39:26 UTC 2025 on atb-devel-224

smbd: remove broken initial-delete-on-close logic from rename_internals_fsp()

fh_get_private_options() return private_flags, not create_options and thus can
never contain FILE_DELETE_ON_CLOSE.

Afaict fsp_flags.initial_delete_on_close is already correctly filled in
open_file_ntcreate():

        /* Handle strange delete on close create semantics. */
        if (create_options & FILE_DELETE_ON_CLOSE) {
                if (!new_file_created) {
                        status = can_set_delete_on_close(fsp,
                                         existing_dos_attributes);

                        if (!NT_STATUS_IS_OK(status)) {
                                /* Remember to delete the mode we just added. */
                                lck_state.cleanup_fn =
                                        open_ntcreate_lock_cleanup_entry;
                                goto unlock;
                        }
                }
                /* Note that here we set the *initial* delete on close flag,
                   not the regular one. The magic gets handled in close. */
                fsp->fsp_flags.initial_delete_on_close = true;
        }

so we can just remove the broken handling here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

smbd: add fsp_apply_private_ntcreatex_flags()

Not used yet, comes next.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

vfs: add fsp_flags ntcreatex_deny_[dos|fcb] and ntcreatex_stream_baseopen

Not used for now.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

smbd: remove unused private_flags from open_file()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3/locking: remove now unused private_options from share_mode_entry

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3/locking: store NTCREATEX_FLAG_DENY_[DOS|FCB] as share_entry_flags

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3/locking: store NTCREATEX_FLAG_STREAM_BASEOPEN as share_entry_flag

No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3/locking: add and use fsp_[get|apply]_share_entry_flags()

Prepares for converting private_options to flags.

Fixes Durable Handle reconnect of POSIX opens which weren't setting the fsp_flags
when reconnecting, so fsp_flags.posix_open wasn't set.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3/librpc: open_files.idl: move flag definition into open_files.idl

Nice to have everything in one place. No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

smbd: rename SHARE_MODE_FLAG_POSIX_OPEN to SHARE_ENTRY_FLAG_POSIX_OPEN

share_mode_data has flags and share_mode_entry has flags, this change allows
to distinguish between both more easily. No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

winbindd: let update_trusted_domains_dc() also call pdb_filter_hints()

On an AD DC we need to update sam_domain->fti, so that
find_routing_from_namespace_noinit() uses the correct
uPNSuffixes and msDS-SPNSuffixes values for the local forest.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Apr  3 10:35:10 UTC 2025 on atb-devel-224

winbindd: add find_local_sam_domain() helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbindd: pass for_netlogon to winbind_dual_SamLogon to avoid caching

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:auth/ntlm: let auth_winbind pass WB_SAMLOGON_FOR_NETLOGON

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:auth: let auth_context_create_for_netlogon() remember for_netlogon = true;

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:auth: let auth_winbind pass WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON if needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:auth: remember make_auth3_context_for_netlogon() was used

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbind.idl: add WB_SAMLOGON_FOR_NETLOGON

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libwbclient: add WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON to pass WBFLAG_PAM_FOR_NETLOGON

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

winbind_struct_protocol.h: add WBFLAG_PAM_FOR_NETLOGON

This will be used when auth_winbind is used with
make_auth3_context_for_netlogon().

This will allow winbindd to use different rules
for LogonSamLogon requests compared to
local authentications for smbd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:librpc/idl: remove unused legacy copy of winbind.idl

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

auth: let make_user_info_dc_pac() cross check PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID

If there's a mismatch someone doing strange things...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: let _{get,modify}_tgt() also change the objectsid in UPN_DNS_INFO

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python:tests/krb5: allow set_pac_sids() to take upn_dns_sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>