s3: smbd: Tweak the logic of smb2_file_rename_information().

There's no point in calling filename_convert() and then
just ignoring the returned smb_fname if it's a raw stream name.
Only call filename_convert() if we know it isn't a raw stream
name.

Ignore stream/non-stream mismatches in src and dst in
smb2_file_rename_information, let rename_internals_fsp()
take care of that as the error returns inside rename_internals_fsp()
are tested by raw.streams.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: Inside filename_convert_dirfsp_nosymlink(), don't require UCF_PREP_CREATEFILE when parsing a stream name that doesn't already exist.

We don't require it for a new file. Without this change, we have
to add UCF_PREP_CREATEFILE to the destination flags when we are
doing renames to a destination stream name, but not when doing
renames to a destination file name, which makes for inconsistent API use.

filename_convert_dirfsp() is now a drop in replacement
for filename_convert(), even for the ugly SMB1 POSIX
cases.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: In filename_convert_dirfsp(), don't let an SMB1+POSIX client see a symlink to a directory with no permissions.

This isn't 100% correct, but it gets us close enough
to the old behavior for SMB1+POSIX libsmbclient. If we went through a
symlink, and we got NT_STATUS_ACCESS_DENIED on the directory
containing the target, just don't allow the client to see the
intermediate path.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: In filename_convert_dirfsp_nosymlink(), in SMB1-only POSIX mode, allow a pathname referencing a symlink to be returned.

Doesn't contain a valid smb_fname->fsp pointer of course,
and is only used by the SMB1 code to take a reference to
a smylink name for manipulation (unlinkat, readlinkat etc.).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: In filename_convert_dirfsp(), allow SMB1+POSIX to traverse non-terminal symlinks.

This is the behavior of filename_convert() and
we need to allow it for the legacy SMB1+POSIX libsmbclient
libraries already deployed out there.

When we add SMB2 POSIX we must disallow symlink
traversal over any symlinks, the client must
resolve symlinks locally.

Add a note to show this is where we need to add
an error for SMB2+POSIX names with UCF_POSIX_PATHNAMES
set.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

lib:replace: Only include <sys/mount.h> on non-Linux systems

Details at:
https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15132

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Aug  2 11:05:14 UTC 2022 on sn-devel-184

Revert "lib:replace: Remove <sys/mount.h> from filesys.h"

This reverts commit 7a6bd2279897ed389d10f09e5b315a7bca96e7d4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15132

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

ctdb-common: CID 1507498: Control flow issues (DEADCODE)

Fix typo in error checking.  While here adjust the bottom of the
range, making errno 0 invalid.

Add corresponding test cases using an alternative syntax for errno packets
(#nnn[;] - trailing ';' is optional).

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Aug  1 09:19:55 UTC 2022 on sn-devel-184

lib:replace: Remove <sys/mount.h> from filesys.h

You need to be careful if you include <sys/mount.h> or <linux/mount.h>
at least since glibc 2.36.

Details at:
https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15132

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 29 13:08:36 UTC 2022 on sn-devel-184

CVE-2022-32743 s4:rpc_server/netlogon: Reconnect to samdb as workstation account

This ensures that the database update can be attributed to the
workstation account, rather than to the anonymous SID, in the audit
logs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 28 23:41:27 UTC 2022 on sn-devel-184

CVE-2022-32743 s4:rpc_server/common: Add dcesrv_samdb_connect_session_info()

This function allows us to connect to samdb as a particular user by
passing in that user's session info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 dsdb/modules/acl: Allow simultaneous sAMAccountName, dNSHostName, and servicePrincipalName change

If the message changes the sAMAccountName, we'll check dNSHostName and
servicePrincipalName values against the new value of sAMAccountName,
rather than the account's current value. Similarly, if the message
changes the dNSHostName, we'll check servicePrincipalName values against
the new dNSHostName. This allows setting more than one of these
attributes simultaneously with validated write rights.

We now pass 'struct ldb_val' to acl_validate_spn_value() instead of
simple strings. Previously, we were relying on the data inside 'struct
ldb_val' having a terminating zero byte, even though this is not
guaranteed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 dsdb/modules/acl: Account for sAMAccountName without $

If we have an account without a trailing $, we should ensure the
servicePrincipalName matches the entire sAMAccountName. We should not
allow a match against the sAMAccountName prefix of length
strlen(samAccountName) - 1, as that could conflict with a different
account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 s4:rpc_server/netlogon: Connect to samdb as a user, rather than as system

This allows us to perform validation on a client-specified dNSHostName
value, to ensure that it matches the sAMAccountName.

We might not have any rights to modify the account, so pass the control
FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE which allows us to perform
a validated write to dNSHostName and servicePrincipalName (and
unvalidated writes to other attributes, such as operatingSystem).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 s4:rpc_server/netlogon: Always observe NETR_WS_FLAG_HANDLES_SPN_UPDATE flag

Even when there is no old DNS hostname present.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 s4:rpc_server/netlogon: Remove dNSHostName prefix check

This check is not exhaustive (it does not check the suffix of the
dNSHostName), and should be covered by a validated write check in
acl_modify().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 dsdb/modules/acl: Handle FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE control

When this control is specified, we'll assume we have Validated Write on
dNSHostName and servicePrincipalName, and Write Property on other
attributes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 dsdb/common: Add FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE control

Passing this control will grant the right to set validated values for
dNSHostName and servicePrincipalName, and non-validated values for other
attributes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 dsdb: Implement validated dNSHostName write

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 s4/dsdb/util: Add function to check for a subclass relationship

We need to be able to determine whether an object is a subclass of a
specific objectclass such as 'computer'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 s4/dsdb/util: Add dsdb_msg_get_single_value()

This function simulates an add or modify operation for an ldb message to
determine the final value of a particular single-valued attribute. This
is useful when validating attributes that should stay in sync with other
attributes, such as servicePrincipalName and dNSHostName.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 s4:torture/rpc: Fix tests to match Windows

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 tests/py_credentials: Add tests for setting dNSHostName with LogonGetDomainInfo()

Test that the value is properly validated, and that it can be set
regardless of rights on the account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

CVE-2022-32743 s4-acl: Add tests for validated dNSHostName write

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

examples/winexe: fix fetching return code of the remote command

ctrl_inbuf field is used to parse remote-side information. A typo was
there that tried to parse return code as "version 0x%x" whereas the
correct way to do it (tested on Windows 10) is to scan for "return_code
%x".

Signed-off-by: Yury Lunev <yury.lunev@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 28 18:01:16 UTC 2022 on sn-devel-184

s3: smbd: Convert reply_checkpath() to use filename_convert_dirfsp().

One less use of filename_convert().

This is the acid test of filename_convert_dirfsp() pathname error
handling.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jul 28 16:34:54 UTC 2022 on sn-devel-184

s3: smbd: Convert call_trans2mkdir() to use filename_convert_dirfsp().

One less use of filename_convert().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: Convert call_trans2open() to use filename_convert_dirfsp().

One less use of filename_convert().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: Convert reply_rmdir() to use filename_convert_dirfsp().

One less use of filename_convert().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: Convert reply_ctemp() to use filename_convert_dirfsp().

One less use of filename_convert().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: Convert reply_mknew() to use filename_convert_dirfsp().

One less use of filename_convert().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: Convert reply_open_and_X() to use filename_convert_dirfsp().

One less use of filename_convert().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: Convert reply_open() to use filename_convert_dirfsp().

One less use of filename_convert().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: Fix the error processing in filename_convert_dirfsp_nosymlink() to match unix_convert() 100%

We need this in order to pass:

samba3.raw.samba3badpath
raw.chkpath
samba3.base.chkpath

Now we can convert all the SMB1 reply_openXXX functions,
and reply_checkpath().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: In filename_split_lcomp() ensure we never return a streamname if posix is set.

POSIX has no streams, even on the root of a directory.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3: smbd: Ensure we set fsp->file_id in openat_pathref_dirfsp_nosymlink().

This is a subtle one. The dirfsp returned by openat_pathref_dirfsp_nosymlink()
can be used inside open.c and passed to check_parent_access_fsp() to
check if a delete_on_close flag has been set on an existing "real"
open fsp. So the file_id must be correctly set in order for this
to work. Without it, samba3.base.delete fails in deltest20 when
we convert reply_open_and_X() to use filename_convert_dirfsp().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

s3:winbind: Implement dcerpc_samr_chgpasswd_user4 for PamAuthChangePassword

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 28 12:47:31 UTC 2022 on sn-devel-184

s3:libsmb: Add dcerpc_samr_chgpasswd_user4 to remote_password_change()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:test: Print the output to understand what was going wrong

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:libnet: Add support for samr_ChangePasswordUser4()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:libnet: Move code using RC4 into its own function

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:libnet: Remove unused code in libnet_ChangePassword_samr()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:torture: Add test for dcerpc_samr_ChangePasswordUser4

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server: Implement dcesrv_samr_ChangePasswordUser4()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:passdb: Correctly burn the plaintext_pw with samu_destroy()

memset() can be removed from the optimizer.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:passdb: Remove trailing whitespaces

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:rpc_server: Implement dcesrv_samr_ChangePasswordUser4()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:dsdb: Burn the memory of hashes returned by samdb_result_hashes()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:dsdb: Remove trailing whitespaces from util.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpcclient: Implement cmd chpasswd4

Manually tested against Windows Server 2022.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

docs-xml: Remove trailing whitespaces in rpcclient.1.xml

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_client: Implement dcerpc_samr_chgpasswd_user4()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_client: Fix trailing whitespaces in cli_samr.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:util: Add generate_random_u64_range()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:util: Remove trailing whitespaces in samba_util.h

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:crypto: Add test for pbkdf2

This is just that we use the right parameters for gnutls_pbkdf2() and
reach the values from Windows.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

waf: Check for gnutls_pbkdf2()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:torture: Implement test for SAMR SetUserInfo(2) level 32

make test TESTS="samba4.rpc.samr.passwords"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server: Implement SAMR SetUserInfo(2) level 32

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:rpc_server: Implement support for SetUserInfo(2) level 32

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:torture: Implement test for SAMR SetUserInfo(2) level 31

We can't apply this patch earlier as there are no individual tests we could
mark as knownfail. Reorganizing the whole test is a too big task for now.
However this test is working and also found some bugs.

make test TESTS="samba4.rpc.samr.passwords"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server: Implement support for SAMR SetUserInfo level 31

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server: Remove obosolete copy_id26_to_sam_passwd()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server: Use copy_pwd_expired_to_sam_passwd() in set_user_info_26()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server: Add copy_pwd_expired_to_sam_passwd() for SAMR

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server: Set missing debug class for srv_samr_chgpasswd

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Add test for decode_pwd_string_from_buffer514()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Add decode_pwd_string_from_buffer514()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:rpc_server: Implement support for SAMR SetUserInfo(2) level 31

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:rpc_server: Add samr_set_password_aes()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()

This will be used in the following commits.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Add test for extract_pwd_blob_from_buffer514()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Add extract_pwd_blob_from_buffer514()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Implment a common create_pw_buffer_from_blob()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Use extract_pw_from_buffer() in decode_pw_buffer()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Keep data of extract_pw_from_buffer() secret

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpcclient: Implement setuserinfo2 level 31

Manually tested against Windows Server 2022.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpcclient: Encrypt the password buffers only if really needed

If we are in FIPS mode certain ciphers like RC4 are not available, so
we should make sure we do not call them. We will add AES support in the
next patch.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_client: Implement init_samr_CryptPasswordAES()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

samr.idl: Add samr_ChangePasswordUser4()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

samr:idl: add samr_SupportedFeatures for samr_Connect5()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

samr.idl: Add support for new AES encrypted password buffer

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Add test for encode_pwd_buffer514_from_str()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Add encode_pw_buffer_from_str()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Implement a generic encode_pwd_buffer_from_str()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli:auth: Remove trailing spaces from proto.h

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:crypto: Add test for samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:crypto: Add samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:crypto: Add test for samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

librpc:rpc: Add SAMR encryption and mac key salt definitions

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:crypto: Implement samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()

This is for [MS-SAMR] 3.2.2.4 AES Cipher Usage

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:replace: Add macros to burn data from memory

This will explicitly zero data from memory. This is guaranteed to be not
optimized away.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:crypto: Merge wscript_build into wscript

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:crypto: Merge wscript_configure into wscript

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:crypto: Reformat wscript

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

ctdb-tests: Add tests for cluster mutex I/O timeout

Block the locker helper child by taking a lock on the 2nd byte of the
lock file.  This will cause a ping timeout if the process is blocked
for long enough.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Jul 28 11:10:54 UTC 2022 on sn-devel-184

ctdb-tests: Terminate event loop if lock is no longer held

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-mutex: Test the lock by locking a 2nd byte range

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>