CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 ldb: Add functions for handling inaccessible message elements

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 s4-acl: Make some parameters const

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently

It is better to explicitly abort than to dereference a NULL pointer or
try to read data cast to the wrong type.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 libcli/security: Make some parameters const

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects

This changes the slow aspect to be the object matching not the filter parsing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

python:join: fix reused variable name in provision func

Recent updates to run adprep during the provision function re-used a
variable name that was already in use as a string. This reassignment
changed the type of the referenced object. This variable name is later
used to setup the mit krb5 kdc conf and expects the var to contain a
string. When executed with default cli options on a mit krb5 based build
samba tool fails with a traceback:
```
INFO 2023-03-23 21:22:50,399 pid:6
/usr/lib64/python3.10/site-packages/samba/provision/__init__.py #2021:
Fixing provision GUIDs
ERROR(<class 'AttributeError'>): uncaught exception - 'DomainUpdate'
object has no attribute 'upper'
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/__init__.py",
line 230, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/domain.py",
line 555, in run
    result = provision(self.logger,
  File
"/usr/lib64/python3.10/site-packages/samba/provision/__init__.py", line
2408, in provision
    create_kdc_conf(paths.kdcconf, realm, domain,
os.path.dirname(lp.get("log file")))
  File
"/usr/lib64/python3.10/site-packages/samba/provision/kerberos.py", line
43, in create_kdc_conf
    domain = domain.upper()
```

This change removes the re-use of the existing var name by chaining
the calls.

Fixes: 4bba26579d1
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  5 02:02:29 UTC 2023 on atb-devel-224

s4:kdc: Allocate claim value on values context

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests for constructed (authentication silo) claims

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add method to create authentication silo claim

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add method to create an authentication silo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add methods to get authentication policy DNs

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Check only for the canonical representation of a security descriptor

As of commit be1aae77b7610933b1121f207e0a4df523c2d278, Samba only
produces the canonical form of a security descriptor.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/ndr: Fix NULL pointer dereference

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15348

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Update WHATSNEW.txt

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: s3:utils: Correctly wire winbind ccache support for smbget

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Correctly wire NT hash support for smbget

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Add cli_credentials_is_password_nt_hash()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Remove trailing white spaces in credentials_ntlm.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Remove trailing white spaces in credentials.h

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:tests: Add test with testdenied_upn@REALM.upn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:tests: Add a kerberos trust test for smbget

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:tests: Add kerberos test for smbget

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Correctly wire Kerberos support for smbget

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:tests: Add encryption test for smbget

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Correctly wire encryption for smbget

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs-xml: Remove smbgetrc manpage

This has been removed, we have support for an authentication file.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs-xml: Update smbget manpage

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Use common command line parser for smbget

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:tests: Use long options for smbget in test_smbget.sh

This is more descriptive and will help with the next commit.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Add support for parsing domain/UPN in username for smbget

The smbget utility doesn't use the common command line parser, so it
doesn't support paring of DOMAIN/user or user@realm.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Always cleanup when leaving smbget main()

This will not leak any memory. Also rename the bool to 'ok' for better
readability.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:tests: Add smbget msdfs link test with domain and UPN

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:tests: Add domain and UPN test for smbget

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:tests: Also clear the download area in smbget msdfs_link test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:selftest: Pass REALM to samba.blackbox.smbget

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:selftest: Move samba3.blackbox.smbget to ad_member

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:selftest: Move the smbget share to the provision function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb:tests: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr  4 08:30:28 UTC 2023 on atb-devel-224

lib:ldb:nssldb: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb:ldb_sqlite3: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb:ldb_map: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb:ldb_key_value: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb:include: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb:common: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs-xml: Fix spelling in Samba-Developers-Guide

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs-xml: Fix spelling in smb.conf manpage

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs-xml: Fix spelling in manpages

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ctdb:doc: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

bootstrap: Fix spelling in README.md

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Fix spelling in README.Coding.md

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Indicate posix pathnames if SMB311 POSX cc requested

Avoid making smb311 posix extensions a global thing. Posix clients
could request non-posix behaviour on individual create calls.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Apr  4 07:04:13 UTC 2023 on atb-devel-224

lib:krb5_wrap: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr  3 04:53:05 UTC 2023 on atb-devel-224

lib:fuzzing: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:dbwrap: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Improve comment about weak crypto

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:compression: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:cmdline: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:addns: Fix code spelling

Best reviewed with: `git show --word-diff`.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:addns: Rename additionals to additional

Fixes code spelling.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libnet: cleanup py_net_time()

Fix size of buffer passed to and always check the value returned
from strftime(), raise PyErr_NoMemory() and return NULL if zero,
or use it with PyUnicode_FromStringAndSize() (thus avoiding extra
internal call to strlen()) otherwise.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:modules: call rpcgen only if vfs_nfs4acl_xattr is enabled

rpcgen may be missing, so wrap all of the vfs_nfs4acl_xattr associated
calls in an appropriate if bld.SAMBA3_IS_ENABLED_MODULE() check.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

torture/smb2: do not use client time in delayed timestamp updates test

Client time cannot be compared to server timestamp, because the clocks
on client and server may not be in sync.

Compare server timestamps, only to previous timestamps read from server.

Signed-off-by: Amir Goldstein <amir@ctera.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Apr  1 06:23:36 UTC 2023 on atb-devel-224

lib: Fix tdb_validate() for incorrect tdb entries

We should not overwrite the "rc=1" initialization with the tdb_check
retval. This will lead to tdb_validate_child() returning 0 even when
validate_fn() found invalid entries.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14789
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

torture3: Add tdb-validate test

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14789
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: squash check_path_syntax() variants

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 31 21:21:57 UTC 2023 on atb-devel-224

s3: smbd: Correctly process SMB3 POSIX paths in create.

Remove knownfail for  posix path handling of case/reserved char

Signed-off-by: David Mulder <dmulder@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: Correctly set smb2req->smb1req->posix_pathnames from the calling fsp on SMB2 calls.

We must always do SMB3+POSIX operations on fsp's opened with a posix create context.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Ensure share root POSIX attrs are cleared after mode_fn

The call to mode_fn (smbd_dirptr_lanman2_mode_fn)
was filling the cleared attributes back in to the
stat. Ensure the clear happens after this call.

Signed-off-by: David Mulder <dmulder@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: Add check_path_syntax_smb2_posix().

Not yet used. Simple wrapper, identical to check_path_syntax_posix().
I want to keep SMB1/SMB2 code as separate as possible so
we can remove any SMB1 code path later.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: Flatten the check_path_syntax_smb2() wrapper.

Keep it, rather and move all SMB2 code to check_path_syntax()
as I want to keep SMB1/SMB2 code as separate as possible so
we can remove any SMB1 code path later.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: Add support for AD device claims

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 31 09:30:17 UTC 2023 on atb-devel-224

s4:kdc: Add support for AD client claims

We now create a client claims blob and add it to the PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Account for have_fast_support in determining whether FAST is supported

have_fast_support is unconditionally set to 1, so this doesn't change
any behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb: Account for Claims Valid SID in tokenGroups

More of these tests now pass against Windows. They still don't quite all
pass, but that's something to fix for another day.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: Make use of torture_assert_sid_equal()

This gives a more helpful diagnostic message.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: Assert that SID parsing succeeds

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Don't expect client claims to be missing

For this particular test, we don't care whether they're present or not.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: Add dom_sid_has_account_domain() to confirm a S-1-5-21 prefix

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add utility functions for AD claims

get_claims_for_principal() is a new function that creates a claims blob
for a principal based on attributes in the database.

It's not hooked into the KDC yet, so this entails no change in
behaviour.

Constructed claims and certificate claims are not supported yet.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/schema: Add dsdb_attribute_by_cn_ldb_val()

This looks up a schema attribute by its CN, similar to
dsdb_class_by_cn_ldb_val().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ldb: Add ldb_val -> bool,uint64,int64 parsing functions

These functions allow us to parse any value of a message element, not
only the first. They also unambiguously indicate whether an error has
occurred.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ldb: Split out ldb_val_as_dn() helper function

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs: update manpage for samba-tool

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 31 08:25:11 UTC 2023 on atb-devel-224

netcmd: tests for claims client tool

Added delete protected test to known fail as Samba doesn't seem to enforce this yet.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: add claim sub-commands to samba-tool domain

Claim Type:

 * samba-tool domain claim claim-type list
 * samba-tool domain claim claim-type create
 * samba-tool domain claim claim-type delete
 * samba-tool domain claim claim-type modify
 * samba-tool domain claim claim-type view

Claim Value Type:

 * samba-tool domain claim value-type list
 * samba-tool domain claim value-type view

To add a claim type use the attribute name, it will look up the attribute in the attribute schema and use that data type and description.

Claim types can be protected from accidental deletion just like Windows, use --protect

To delete protected claim types use --force.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

sd_utils: fix typo in get_sd_as_sddl docstring

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: simplify boolean check

Should use "is" for checking booleans rather than "==" in Python, however these can also be simplified.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move trust command to domain/trust.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move tombstones command to domain/tombstones.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move schemaupgrade command to domain/schemaupgrade.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move samba3upgrade command to domain/samba3upgrade.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move provision command to domain/provision.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move paswordsettings command to domain/passwordsettings.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move level command to domain/level.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move leave command to domain/leave.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move keytab command to domain/keytab.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move join command to domain/join.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: move info command to domain/info.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>