python: Safely clear structure members

Using Py_CLEAR() ensures that these structures are observed in a
consistent state by any Python code that may run during deconstruction.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Return status code if configuration prohibits NTLM

Currently, we rely on ‘stored_nt’ being NULL to give an
NT_STATUS_WRONG_PASSWORD error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb:large_ldap: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb:large_ldap: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Use correct variable

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Use more specific assertion methods

These methods produce better error messages if an assertion fails.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Remove unnecessary variable

It is conciser to use ‘r’ to refer to update_forest_info.entries[i].

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Use result of setup_local_server() instead of object field

The code is clearer if we consistently refer to the same variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Refactor security descriptor test

Use more specific unittest methods.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Refactor confidential attributes test

Use more specific unittest methods, and remove unused code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Refactor ACL test

Use more specific unittest methods; remove some unused variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pyglue: use Py_ssize_t in random data generation functions

Prefer 'Py_ssize_t' over 'int' in random data generation functions
to match both Python and (internally used through the library layer)
GnuTLS APIs, and use PyUnicode_FromStringAndSize() where the data
size is known.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Fixed comments to correctly match the
 new check for just negative numbers]

lib:util: prefer size_t for random data generation functions

Prefer 'size_t' over 'int' in generate_random_buffer(),
generate_secret_buffer() and generate_nonce_buffer() to
match an underlying gnutls_rnd() calls.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Change ad_dc environment to be 2016 functional level

This is not yet supported in full, but this makes ad_dc match our full set of available features.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest: Allow provision_ad_dc() to take functional_level as an argument

The $$$$$$$ is removed as it does not do what you think it does.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest: Return fl2008dc to being an alias for ad_dc_ntvfs

The change to make this independent in fc9845da69cabcc1bf046d7899b2c4aeae743170
was incorrect, as no distinct name was specified so this would conflict with
the ad_dc_ntvfs environment over the IP and name "localdc".

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Use --base-schema=2008_R2 on ad_dc_ntvfs, which opeates at FL2008

This will allow fl008dc to become an alias of ad_dc_ntvfs again.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest: Move linked_attributes test to ad_dc selftest environment

The ad_dc_ntvfs environment will be set to use a 2008 schema
(matching the 2008 FL it runs at) and this test needs a 2016 schema.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

samba-tool domain join: Allow "ad dc functional level" to change which
level we claim to be during an AD join

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

samba-tool domain provision: Use "ad dc functional level" to control max functional level

This allows the DC to self-declare a higher level and so allow a 2016
domain to be created, for testing and controlled implementation purposes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

python: Add function to get the functional level as a python intger from smb.conf

The lp.get() returns the normalised string from the enum handler

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

param: Add new parameter "ad dc functional level"

This allows the new unsupported functional levels to be unlocked, but with an smb.conf
option that is easily seen.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

samba-tool domain provision: Use common functional_level.string_to_level()

This is instead of manually parsing the functional level strings.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

python: Move helper functions for functional levels into a new file

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

rpc_server3: Pass winbind_env_set() state through to rpcd_*

Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224

lib: Add security_token_del_npa_flags() helper function

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

rpc: Remove named_pipe_auth_req_info6->need_idle_server

Involves bumping up the version number

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"

More code, but will be more flexible in the future.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

rpc: Add global_sid_Samba_NPA_Flags SID

This will be used as a flexible way to pass per-RPC-connection flags
over ncalrpc to the RPC server without having to modify
named_pipe_auth_req_info6 every time something new needs to be
passed. It's modeled after global_sid_Samba_SMB3.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

librpc: Simplify dcerpc_is_transport_encrypted()

Simplify logic by using security_token_count_flag_sids()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Use security_token_count_flag_sids() in open_np_file()

Simpler logic in the caller

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli: Add security_token_count_flag_sids()

To be used in a few places when checking special-case Samba SIDs.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May  9 02:58:45 UTC 2023 on atb-devel-224

winbind: Test wbinfo -u with more than 1000 users

winbind asks dcerpc_samr_LookupRids in one batch, where samr.idl has

NTSTATUS samr_LookupRids(
[in,ref]      policy_handle *domain_handle,
[in,range(0,1000)] uint32 num_rids,
[in,size_is(1000),length_is(num_rids)] uint32 rids[],
[out,ref]     lsa_Strings *names,
[out,ref]     samr_Ids *types
);

limiting num_rids to 1000 entries. Test this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

build:wafsamba: Fix TypeError in read_submodule_status()

    parts = l.split(" ")
            ^^^^^^^^^^^^
TypeError: a bytes-like object is required, not 'str'

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

gp: get_gpo() should re-raise the Exception, not return

If we return from this failure, then `new_gpo` is
set to `None` and we will fail in some obscure
way within a CSE later (since we append `None` to
the GPO list). Instead, re-raise the Exception so
we see that an error happened when fetching the
GPO.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ntvfs:posix: avoid parsing empty blob in posix_eadb_add_list()

Strictly speaking, this is not a bug because parsing loop will just skip
an empty ({NULL}, 0) blob. But it's better to avoid this case because
UBSan (as of clang-17 at least) may complain on such a parsing attempt:

source4/ntvfs/posix/posix_eadb.c:56:62: runtime error: applying zero offset to null pointer
    #0 0x7f9d71ce7b2a in posix_eadb_add_list source4/ntvfs/posix/posix_eadb.c:56
    #1 0x7f9d71ce7b2a in push_xattr_blob_tdb_raw source4/ntvfs/posix/posix_eadb.c:178
    #2 0x7f9d71cec1f5 in py_wrap_setxattr source4/ntvfs/posix/python/pyposix_eadb.c:64
    #3 0x7f9d88bd4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
    [... a lot of Python calls skipped...]

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb: do not offset against NULL pointer in ldb_ldif_read()

Fix the following error observed running samba.test.registry
compiled with clang-17 and UBsan:

lib/ldb/common/ldb_ldif.c:881:9: runtime error: applying non-zero offset 137438953440 to null pointer
    #0 0x7faa0eb3932f in ldb_ldif_read lib/ldb/common/ldb_ldif.c:881
    #1 0x7faa0eb3aec6 in ldb_ldif_read_string lib/ldb/common/ldb_ldif.c:1004
    #2 0x7faa077ed759 in dsdb_set_schema_from_ldif source4/dsdb/schema/schema_set.c:1113
    #3 0x7faa068fcbbf in py_dsdb_set_schema_from_ldif source4/dsdb/pydsdb.c:929
    #4 0x7faa1d1d4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
    [... a lot of Python calls skipped...]

I.e. number of elements should be checked against zero
before making an attempt to access an element by index.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/scripting: fix % len(res) was in the wrong place

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May  5 05:54:11 UTC 2023 on atb-devel-224

s4/dsdb: fix unnecessary backslash

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/scripting: fix a few trailing semicolons in gen_{hresult,ntstatus,werror}.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/scripting: fix a few invalid docstring args

One arg "dn" was removed, the others just had a typo.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

dsdb/tests: fix assignment to for loop variable

because the loop variables are all called 'k' and the inner and outer loop both use 'k'.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Don’t call memcpy() with a NULL pointer

Doing so is undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May  5 03:52:30 UTC 2023 on atb-devel-224

lib:addns: Don’t call memcpy() with a NULL pointer

Doing so is undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Improve _test_samr_change_password() method

Instead of using anonymous credentials, we now connect using the
passed-in credentials.

We now correctly construct nt_password and nt_verifier so as to
successfully change the password, instead of having to distinguish
between a WRONG_PASSWORD error and an error caused by the password
change being disallowed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Don’t delete silo until all tests have finished

It’s possible that we reuse the same silo across multiple tests. In that
case, we should not delete it until we are sure we have finished with
it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add remove_attribute() helper function

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Have set_forced_key() also set the NT hash

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/credentials: Add set_nt_hash()

This method allows setting the NT hash directly. This is useful in cases
where we don’t know the password, such as with a computer or server
account.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:lib: Fix typos

These typos were also spotted by a mailing list user:

https://lists.samba.org/archive/samba-technical/2023-April/138190.html

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove unused parameter

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Make _tgs_req() more configurable

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Make use of check_tgs_reply()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow specifying an encoded security descriptor

If we get a string, we’ll still assume it’s a DN and create a security
descriptor using it.

This is useful in cases where we don’t have a DN (e.g., the account is
not created yet).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Rename ‘objectclass’ to use correct case

This means that tests can now specify values for ‘objectClass’ in
additional_details which override the default value.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Rename ‘auth_silo’ to ‘authn_silo’

Make it clear that this relates to authentication, not authorization.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/scripting/bin: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/scripting/bin: Fix resource leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Create account cache key only if needed

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Delete non-resuable accounts as soon as possible

This helps to mitigate Samba’s slow account deletion.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Use correct target principal name in log message

‘tmp’ has already been freed by this point.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs-xml: Fix typos

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/credentials: Fix NULL dereference

We should not pass a NULL pointer to netlogon_creds_session_encrypt().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Refactor _test_samlogon()

Move logic specific to the Network logon into that branch, so it’s
easier to see what’s going on.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:util: Fix undefined bitshift

runtime error: left shift of 65535 by 16 places cannot be represented in type 'int'

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

param: Fix resource leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/samba: Fix invalid escape sequence

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/http: Remove unused structure

This is just a typo of ‘struct loadparm_context’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow setting a servicePrincipalName on a user account

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Fix parameter default

Now that add_dollar is honoured for all account types, we don’t want to
pass add_dollar=True for user accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unused parameter

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test that the salt for a managed service account is computed correctly

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow creating managed service accounts

These will be useful for testing authentication policies.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pydsdb: Add Managed Service Accounts GUID constant

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libds: Add Managed Service Accounts well-known GUID

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Always heed the add_dollar parameter

Not just if the account to be created is a computer. This allows us to
create other types of accounts with a trailing dollar.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Fix leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unneeded assertions

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow creating an account with an assigned policy or silo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add method to create an authentication policy

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Generify protected users test methods

We can reuse them to test accounts restricted authentication in some
form or another.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Handle NT hashes being disabled

If NT hashes are disabled, we should not expect the RC4 enctype to be
available for non-computer accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Pass client credentials down into kdc_exchange_dict

These are useful inside the test infrastructure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove test for OemChangePasswordUser2()

We don’t implement this anymore (since commit
0f53bfe7230c5e76f7ceb8baf98a9ef38a35356f).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Split out functions for testing logons and password changes

This allows their use for testing other forms of restricted accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/credentials: Allow resetting bind DN on Credentials object

Passing None into set_bind_dn() now resets it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc: Always call ndr_push_compression_state_init() for compression

This allows the push routine to cache the chosen compression algorithm in
the struct ndr_compression_state in ndr->cstate and so, in claims, avoid
calling ndr_size_CLAIMS_SET_NDR() three times per compression (more in the
overall push).

As claims is now the primary use of the libndr compression code, this is
a reasonable tradeoff compared to the other callers who have more static
algorithm selections.

By removing the struct ndr_compression_state **state argument from
ndr_push_compression_state_init() we make clear that the ndr->cstate
belongs to this NDR context, and this context alone.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

librpc: Fix talloc hierarchy for ndr_compression_state

The complexity of generic_mszip_free() is not needed, nor is a talloc
destructor required if the memory is correctly created in a tree.

Credit to OSS-Fuzz for showing the use-after-free

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57608

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15349

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

python:descriptor: add missing schema 2019 aces in builtin and dns partition

Note 'samba-tool domain functionalprep' won't fix them in the database,
while a fresh provision will add these.

This is needed in order that 'samba-tool dbcheck --reset-well-known-acls'
won't reset them after a modern provision and will fix them on an old
domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Move error-handling code into more suitable spot (CID 1524680)

The loop above would only exit once ‘c’ was equal to −1, and thus this
code could never be reached.

Also set ‘ok’ to false to indicate failure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May  4 01:29:10 UTC 2023 on atb-devel-224

s3:utils: Use ‘int’ for popt parameters

Previously we were handing the addresses of bool parameters to popt for
POPT_ARG_NONE parameters. This is not supported, and popt was returning
POPT_ERROR_BADOPERATION for these parameters (not bundled popt, though,
nor on Debian or Ubuntu). Using integers instead ensures that these
addresses are aligned and sized as popt expects.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:utils: Use floating-point arithmetic when result is assigned to a double

This avoids any loss of precision from performing an integer division.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-recovery: Use correct struct ban_node_state type for state

If this codepath is hit, ctdb aborts with:

ctdb/server/ctdb_recovery_helper.c:2687: Type mismatch: name[struct ban_node_state] expected[struct node_ban_state]")
    at ../../lib/talloc/talloc.c:505

Fix this by using the correct type.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May  3 08:04:09 UTC 2023 on atb-devel-224

s4:lib:policy: cleanup and handle errors in push_recursive()

Prefer 'char' and 'ssize_t' over 'int' for I/O-related
calls and handle more possible errors in push_recursive().

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Fri Apr 28 14:19:12 UTC 2023 on atb-devel-224