git.ipfire.org Git - thirdparty/samba.git/log
4 years ago s3:rpc_server: Implement the rpcd_* helper-end of the samba-dcerpc protocol
Volker Lendecke [Wed, 7 Apr 2021 07:00:23 +0000 (07:00 +0000)] 
s3:rpc_server: Implement the rpcd_* helper-end of the samba-dcerpc protocol

This is the generic code that becomes the
template that all rpcd_* instances that
serve DCERPC can use to provide services to samba-dcerpcd.

The external entry point is:
rpc_worker_main() which takes an argc/argv list
and two functions:

get_interfaces() - List all interfaces that this server provides
get_servers() - Provide the RPC server implementations

Each rpcd_* service needs only to provide
the implementations of get_interfaces() and get_servers()
and call rpc_worker_main() from their main() function
to provide services that can be connected to from samba-dcerpcd.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s3:rpc_client: Add local_np_connect()
Volker Lendecke [Wed, 7 Apr 2021 07:07:50 +0000 (07:07 +0000)] 
s3:rpc_client: Add local_np_connect()

This will be used for internal pipe connects. It starts samba_dcerpc
on demand if it's not there yet, so long as smb.conf [global]
has "rpc start on demand helpers = true" (the default setting).

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s3:rpc_server: Add samba-dcerpcd
Volker Lendecke [Wed, 9 Jun 2021 06:37:06 +0000 (08:37 +0200)] 
s3:rpc_server: Add samba-dcerpcd

Central dispatcher for incoming RPC requests, supported by helpers
that implement RPC services.

Upon startup, it asks all helpers which interfaces and endpoints to
listen on so it doesn't interfere with the samba binary when we're
configured as an Active Directory Domain Controller, then samba-dcerpcd
opens the relevant sockets. Once clients connect, start required helpers
and tell them to shut down once idle for a while.

Can be started as a full standalone daemon without smbd involved or as
a helper daemon started on demand by smbd or winbind or other local
processes trying to connect to a named pipe based RPC service.

NB. To start as a standalone daemon the smb.conf [global] option
"rpc start on demand helpers = false" must be set.
By default "rpc start on demand helpers = true"
in order to allow upgrades without needing an smb.conf change.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago docs-xml: Add "rpc start on demand helpers", true by default.
Jeremy Allison [Mon, 4 Oct 2021 21:39:03 +0000 (14:39 -0700)] 
docs-xml: Add "rpc start on demand helpers", true by default.

If "true" allow smbd and winbindd to spawn samba-dcerpcd
as a named pipe helper. Allows upgrade without any change
to smb.conf. If samba-dcerpcd is run as a daemon this
must be set to "false".

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago idl: Define messages sent between samba-dcerpcd and rpcd's
Volker Lendecke [Wed, 9 Jun 2021 06:27:36 +0000 (08:27 +0200)] 
idl: Define messages sent between samba-dcerpcd and rpcd's

MSG_RPC_DUMP_STATUS will be like pool-usage carrying a file descriptor to
report status to, the other two are described in rpc_host.idl.

NOALIGN on rpc_worker_status: This makes it easier to count bytes to
push into a static buffer.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago dcesrv_core: Add dcesrv_loop_next_packet()
Volker Lendecke [Thu, 21 Jan 2021 14:28:31 +0000 (15:28 +0100)] 
dcesrv_core: Add dcesrv_loop_next_packet()

This is used by the helpers of samba-dcerpcd: When accepting a DCERPC
client, normally the server engine would read the initial bind
packet. In case of samba-dcerpcd the bind packet will already be read
from the socket, so we need to inject it into the rpc server engine
externally.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago backupkey.idl: Don't listen on \\pipe\ntsvcs
Volker Lendecke [Thu, 4 Mar 2021 17:53:37 +0000 (18:53 +0100)] 
backupkey.idl: Don't listen on \\pipe\ntsvcs

[MS-BKRP] says it SHOULD listen here. In the ad dc, this conflicts
with smbd's srv_ntsvcs_nt.c listening also on nt ntsvcs unix domain
socket. Because "samba" starts smbd after itself, smbd takes over the
socket anyway, backupkey can't have been reached over this transport.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago dcesrv_core: Add dcesrv_context_set_callbacks()
Volker Lendecke [Tue, 2 Feb 2021 14:10:38 +0000 (15:10 +0100)] 
dcesrv_core: Add dcesrv_context_set_callbacks()

We'll need to set custom callbacks on source3's global_dcesrv_ctx,
which right now is deeply embedded. Once we have everything more
nicely layered, this can go again.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s3:rpc_client: Bump debug level for ncalrpc connect error
Volker Lendecke [Thu, 8 Jul 2021 07:48:07 +0000 (09:48 +0200)] 
s3:rpc_client: Bump debug level for ncalrpc connect error

This does not have to go to syslog by default always, it might be just
a daemon not listening.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s3:rpc_server: Remove direct registry access from svcctl_init_winreg
Volker Lendecke [Sun, 13 Jun 2021 05:48:01 +0000 (07:48 +0200)] 
s3:rpc_server: Remove direct registry access from svcctl_init_winreg

Once we do registry access via a pipe into a different process, a
registry client won't be able to directly do registry transactions
anymore. In this case, I argue that doing this in a transactioned way
is overkill anyway. svcctl_init_winreg() just sets up some registry
keys, and if that leaves behind some stale entries if it fails
somewhere in the middle, it does not really matter because the only
one looking at these registry keys is the svcctl service, and that
only starts up if the init function was successfully run.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s3:services: Disable rcinit-based service control code
Volker Lendecke [Mon, 14 Jun 2021 05:54:55 +0000 (07:54 +0200)] 
s3:services: Disable rcinit-based service control code

This is a become_root user callout that I have never seen in use in
more than 20 years of Samba. Why disable now? In the next commit I
need to make a change to initializing the registry values for
services, the svcctl service won't be able to do registry transactions
anymore. I'm not sure that going without transactions is 100% safe in
all failure cases, so I decided to propose disabling the problematic
code that might lead to security issues.

One fix might be to add a lot more validation code to
_svcctl_OpenServiceW() to see whether the registry values underlying
the service are sane.

Yes, this is technical debt, but I would question that starting unix
daemons via DCERPC is used at all out there.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago test: Prime the kpasswd server
Volker Lendecke [Wed, 1 Sep 2021 10:04:43 +0000 (12:04 +0200)] 
test: Prime the kpasswd server

I was getting this failure:

[102(815)/143 at 10m59s] samba4.blackbox.net_ads_dns(ad_member:local)(ad_member:local)
UNEXPECTED(failure): samba4.blackbox.net_ads_dns(ad_member:local).Adding an unprivileged user(ad_member:local)
REASON: Exception: Exception: Could not add user unprivuser. Error setting password Incorrect net address

My preliminary analysis shows that the KRB5KRB_AP_ERR_BADADDR error
message is triggered by the libkrb5 client code. I have not yet shown
this to happen with pure libkrb5, but my theory is the following:

k5_privsafe_check_addrs() fails under the following circumstances: The
kpasswd server is contacted on IPv4 and is slow to reply. After
waiting a bit, libkrb5 also tries to contact kpasswd on
IPv6. kpasswd_sendto_msg_callback() for the IPv6 request changes the
authentication context's local_addr to IPv6. Then the IPv4 request is
replied to, and then k5_privsafe_check_addrs() bails on the address
family in ac->local_addr (IPv6) vs the one received and via the IPv4
connection.

libkrb5's src/lib/krb5/os/changepw.c has this comment:

    /*
     * TBD:  Does this tamper w/ the auth context in such a way
     * to break us?  Yes - provide 1 per conn-state / host...
     */

I think we're hit by this.

This patch hacks around the situation by priming the kpasswd server
without error checking. If the initial v4 request is quick enough
because the kpasswd server is already started up properly, everything
works flawlessly.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago rpc_server: Check info5->transport
Volker Lendecke [Sun, 28 Nov 2021 15:19:56 +0000 (16:19 +0100)] 
rpc_server: Check info5->transport

Eventually, this new mechanism might replace the ncalrpc_as_system mechanism: I
think with this we're much more flexible and even more secure: We rely on the
direct permissions on "np/" and don't have to pretend that the local client
came from a file on /root. We are more flexible because with this mechanism we
can easily fake arbitrary tokens and play with session keys.

However, this would require that the source4 librpc code needs to learn about
this mechanism, which I was not able to complete.

The source3 rpc_server side of this will go away soon, so for now only
allow NCACN_NP there. The check in source4 will stay with us for a
while, so allow NCACN_NP and NCALRPC to be set remotely here. With
NCACN_NP (the case for a client to connect on a named pipe), protect
against accidentally connecting as system.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago librpc: Get transport out of tstream_npa_accept_existing_recv()
Volker Lendecke [Sun, 28 Nov 2021 07:48:58 +0000 (08:48 +0100)] 
librpc: Get transport out of tstream_npa_accept_existing_recv()

To be used by the RPC servers in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago auth: Fix a typo in auth/gensec/ncalrpc.c
Volker Lendecke [Sat, 27 Nov 2021 15:42:00 +0000 (16:42 +0100)] 
auth: Fix a typo in auth/gensec/ncalrpc.c

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago librpc: Add named_pipe_auth_req_info5->transport
Volker Lendecke [Sat, 27 Nov 2021 15:38:38 +0000 (16:38 +0100)] 
librpc: Add named_pipe_auth_req_info5->transport

This will serve as a check to make sure that in particular a SAMR
client is really root. This is for example used in get_user_info_18()
handing out a machine password.

The unix domain sockets for NCACN_NP can only be contacted by root,
the "np\" subdirectory for those sockets is root/root 0700.

Connecting to such a socket is done in two situations: First, local
real root processes connecting and smbd on behalf of SMB clients
connecting to \\pipe\name, smbd does become_root() there. Via the
named_pipe_auth_req_info4 smbd hands over the SMB session information
that the RPC server blindly trusts. The session information (i.e. the
NT token) is heavily influenced by external sources like the KDC. It
is highly unlikely that we get a system token via SMB, but who knows,
this is information not fully controlled by smbd.

This is where this additional field in named_pipe_auth_req_info5 makes
a difference: This field is set to NCACN_NP by smbd's code, not
directly controlled by the clients. Other clients directly connecting
to a socket in "np\" are root anyway (only smbd can do become_root())
and can set this field to NCALRPC.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago named_pipe_auth.idl: Add "need_idle_server"
Volker Lendecke [Wed, 9 Jun 2021 04:09:37 +0000 (06:09 +0200)] 
named_pipe_auth.idl: Add "need_idle_server"

Once RPC services are done by individual processes, we need to avoid
recursion between processes:

Any RPC server process will be able to serve multiple client requests
simultaneously, but each request is served in a single-threaded
blocking manner.

For example the netlogon RPC service needs to ask samr for
something. The netlogon->samr connection will initially be handled by
a central dispatcher assigning clients to processes. This dispatcher
needs to know that this connection can't end up in the same process
that originated the request.

With this flag an RPC client can request a samr server process that
exclusively serves its own requests and that will not serve anybody
else while serving netlogon.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago named_pipe_auth: Bump info4 to info5
Volker Lendecke [Fri, 12 Nov 2021 18:24:33 +0000 (19:24 +0100)] 
named_pipe_auth: Bump info4 to info5

We'll add a field soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago Update WHATSNEW.txt with removal of wildcard copy, rename and unlink.
Jeremy Allison [Tue, 7 Dec 2021 18:25:38 +0000 (10:25 -0800)] 
Update WHATSNEW.txt with removal of wildcard copy, rename and unlink.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Dec  9 18:57:15 UTC 2021 on sn-devel-184

4 years ago s3: smbd: Remove 'const char *src_original_lcomp' from reply_mv().
Jeremy Allison [Thu, 2 Dec 2021 00:40:55 +0000 (16:40 -0800)] 
s3: smbd: Remove 'const char *src_original_lcomp' from reply_mv().

No longer used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Remove 'const char *src_original_lcomp' parameter from rename_internals().
Jeremy Allison [Thu, 2 Dec 2021 00:39:42 +0000 (16:39 -0800)] 
s3: smbd: Remove 'const char *src_original_lcomp' parameter from rename_internals().

No longer used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Inside rename_internals() remove '{ ... }' block around singleton rename...
Jeremy Allison [Thu, 2 Dec 2021 00:35:54 +0000 (16:35 -0800)] 
s3: smbd: Inside rename_internals() remove '{ ... }' block around singleton rename code.

Best viewed with 'git show -b'

As we're touching the DEBUG() code, change it to modern DBG_NOTICE().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Remove the commented out resolve_wildcards().
Jeremy Allison [Thu, 2 Dec 2021 00:31:36 +0000 (16:31 -0800)] 
s3: smbd: Remove the commented out resolve_wildcards().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Remove all wildcard code from rename_internals().
Jeremy Allison [Thu, 2 Dec 2021 00:29:43 +0000 (16:29 -0800)] 
s3: smbd: Remove all wildcard code from rename_internals().

We no longer use resolve_wildcards() so comment it out
for later removal. Keep the '{ ... }' block around the
singleton rename for now, to keep the diff small.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Remove dest_has_wild and all associated code from rename_internals()
Jeremy Allison [Thu, 2 Dec 2021 00:26:28 +0000 (16:26 -0800)] 
s3: smbd: Remove dest_has_wild and all associated code from rename_internals()

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Prepare to remove wildcard matching from rename_internals().
Jeremy Allison [Thu, 2 Dec 2021 00:25:03 +0000 (16:25 -0800)] 
s3: smbd: Prepare to remove wildcard matching from rename_internals().

src_has_wild and dest_has_wild can never be true.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: In reply_ntrename() remove 'bool dest_has_wcard' and all uses.
Jeremy Allison [Thu, 2 Dec 2021 00:17:51 +0000 (16:17 -0800)] 
s3: smbd: In reply_ntrename() remove 'bool dest_has_wcard' and all uses.

It's always false now.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: In reply_ntrename(), never set dest_has_wcard.
Jeremy Allison [Thu, 2 Dec 2021 00:14:57 +0000 (16:14 -0800)] 
s3: smbd: In reply_ntrename(), never set dest_has_wcard.

It can never be true.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: In reply_ntrename() remove the UCF_ALWAYS_ALLOW_WCARD_LCOMP flag for destin...
Jeremy Allison [Thu, 2 Dec 2021 00:12:46 +0000 (16:12 -0800)] 
s3: smbd: In reply_ntrename() remove the UCF_ALWAYS_ALLOW_WCARD_LCOMP flag for destination lookups.

We know the destination will never be a wildcard.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: In SMBntrename (0xa5) prevent wildcards in destination name.
Jeremy Allison [Thu, 2 Dec 2021 00:08:13 +0000 (16:08 -0800)] 
s3: smbd: In SMBntrename (0xa5) prevent wildcards in destination name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: In smb_file_rename_information() (SMB_FILE_RENAME_INFORMATION info level...
Jeremy Allison [Thu, 2 Dec 2021 00:07:07 +0000 (16:07 -0800)] 
s3: smbd: In smb_file_rename_information() (SMB_FILE_RENAME_INFORMATION info level) prevent destination wildcards.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Remove UCF_ALWAYS_ALLOW_WCARD_LCOMP flag from pathname processing in reply_...
Jeremy Allison [Wed, 1 Dec 2021 21:56:31 +0000 (13:56 -0800)] 
s3: smbd: Remove UCF_ALWAYS_ALLOW_WCARD_LCOMP flag from pathname processing in reply_mv().

We are no longer supporting wildcard rename via SMBmv (0x7)
as WindowsXP SMB1 and above do not use it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Remove 'bool has_wild' parameter from unlink_internals().
Jeremy Allison [Wed, 1 Dec 2021 21:03:03 +0000 (13:03 -0800)] 
s3: smbd: Remove 'bool has_wild' parameter from unlink_internals().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Change unlink_internals() to ignore has_wild parameter.
Jeremy Allison [Wed, 1 Dec 2021 20:53:29 +0000 (12:53 -0800)] 
s3: smbd: Change unlink_internals() to ignore has_wild parameter.

It's always passed as false now so we can remove the (horrible)
enumeration code for unlink.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: In reply_unlink() remove the possibility of receiving a wildcard name.
Jeremy Allison [Wed, 1 Dec 2021 20:31:44 +0000 (12:31 -0800)] 
s3: smbd: In reply_unlink() remove the possibility of receiving a wildcard name.

This was the only user of "has_wild=true" passed to
unlink_internals().

Next commit will remove this functionality from unlink_internals().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: smbd: Remove support for SMBcopy SMB_COM_COPY (0x29)
Jeremy Allison [Wed, 1 Dec 2021 20:24:07 +0000 (12:24 -0800)] 
s3: smbd: Remove support for SMBcopy SMB_COM_COPY (0x29)

It's not used in our client code or tested.

From MS-CIFS.

This command was introduced in the LAN Manager 1.0 dialect
It was rendered obsolete in the NT LAN Manager dialect.
This command was used to perform server-side file copies, but
is no longer used. Clients SHOULD
NOT send requests using this command code.
Servers receiving requests with this command code
SHOULD return STATUS_NOT_IMPLEMENTED (ERRDOS/ERRbadfunc).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: Remove the wildcard unlink test code.
Jeremy Allison [Wed, 1 Dec 2021 20:18:35 +0000 (12:18 -0800)] 
s3: torture: Remove the wildcard unlink test code.

This is pre WindowsXP SMB1 functionality, and we
need to remove this from the server in order to
move towards SMB2-only, so the test must go.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: torture: Remove the wildcard rename test code.
Jeremy Allison [Wed, 1 Dec 2021 21:22:39 +0000 (13:22 -0800)] 
s4: torture: Remove the wildcard rename test code.

This is pre WindowsXP SMB1 functionality, and we
need to remove this from the server in order to
move towards SMB2-only, so the test must go.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: torture: Remove the wildcard unlink test code.
Jeremy Allison [Wed, 1 Dec 2021 20:05:20 +0000 (12:05 -0800)] 
s4: torture: Remove the wildcard unlink test code.

This is pre WindowsXP SMB1 functionality, and we
need to remove this from the server in order to
move towards SMB2-only, so the test must go.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: In run_smb1_wild_mangle_unlink_test() use a valid pathname for rename...
Jeremy Allison [Thu, 2 Dec 2021 22:10:41 +0000 (14:10 -0800)] 
s3: torture: In run_smb1_wild_mangle_unlink_test() use a valid pathname for rename target.

The server will not be supporting wildcard rename soon.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: In torture_mangle(), use torture_deltree() for setup and cleanup.
Jeremy Allison [Thu, 2 Dec 2021 22:21:47 +0000 (14:21 -0800)] 
s3: torture: In torture_mangle(), use torture_deltree() for setup and cleanup.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: In test_mask(), use torture_deltree() for setup.
Jeremy Allison [Thu, 2 Dec 2021 22:20:07 +0000 (14:20 -0800)] 
s3: torture: In test_mask(), use torture_deltree() for setup.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: In run_streamerror(), use torture_deltree() for setup.
Jeremy Allison [Thu, 2 Dec 2021 22:18:56 +0000 (14:18 -0800)] 
s3: torture: In run_streamerror(), use torture_deltree() for setup.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: In torture_chkpath_test(), use torture_deltree() for setup and cleanup.
Jeremy Allison [Thu, 2 Dec 2021 22:16:38 +0000 (14:16 -0800)] 
s3: torture: In torture_chkpath_test(), use torture_deltree() for setup and cleanup.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: In torture_casetable(), use torture_deltree() for setup and cleanup.
Jeremy Allison [Thu, 2 Dec 2021 22:14:53 +0000 (14:14 -0800)] 
s3: torture: In torture_casetable(), use torture_deltree() for setup and cleanup.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: In torture_utable(), use torture_deltree() for setup.
Jeremy Allison [Thu, 2 Dec 2021 22:13:41 +0000 (14:13 -0800)] 
s3: torture: In torture_utable(), use torture_deltree() for setup.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: In run_smb1_wild_mangle_rename_test() use torture_deltree() for setup...
Jeremy Allison [Wed, 1 Dec 2021 21:51:12 +0000 (13:51 -0800)] 
s3: torture: In run_smb1_wild_mangle_rename_test() use torture_deltree() for setup and cleanup.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: In run_smb1_wild_mangle_unlink_test() use torture_deltree() for setup...
Jeremy Allison [Wed, 1 Dec 2021 20:51:54 +0000 (12:51 -0800)] 
s3: torture: In run_smb1_wild_mangle_unlink_test() use torture_deltree() for setup and cleanup.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s3: torture: Add torture_deltree() for setup and teardown.
Jeremy Allison [Thu, 2 Dec 2021 21:47:07 +0000 (13:47 -0800)] 
s3: torture: Add torture_deltree() for setup and teardown.

Not yet used.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: libcli: smbcli_unlink() is no longer used with wildcard patterns.
Jeremy Allison [Thu, 2 Dec 2021 22:23:10 +0000 (14:23 -0800)] 
s4: libcli: smbcli_unlink() is no longer used with wildcard patterns.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: torture: Use smbcli_unlink_wcard() to setup and cleanup in masktest.
Jeremy Allison [Thu, 2 Dec 2021 02:08:32 +0000 (18:08 -0800)] 
s4: torture: Use smbcli_unlink_wcard() to setup and cleanup in masktest.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: torture: Use smbcli_unlink_wcard() in base.casetable test.
Jeremy Allison [Thu, 2 Dec 2021 02:03:57 +0000 (18:03 -0800)] 
s4: torture: Use smbcli_unlink_wcard() in base.casetable test.

Avoid smbcli_unlink() calls with a wildcard path.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: torture: Use smbcli_unlink_wcard() to cleanup in base.mangle test.
Jeremy Allison [Thu, 2 Dec 2021 01:58:58 +0000 (17:58 -0800)] 
s4: torture: Use smbcli_unlink_wcard() to cleanup in base.mangle test.

Avoid using smbcli_unlink() calls with wildcard names.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: torture: Use smbcli_unlink_wcard() to remove wildcards in base.chkpath test.
Jeremy Allison [Thu, 2 Dec 2021 01:52:37 +0000 (17:52 -0800)] 
s4: torture: Use smbcli_unlink_wcard() to remove wildcards in base.chkpath test.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: torture: In raw.notify test use smbcli_unlink_wcard() in place of smbcli_unlink().
Jeremy Allison [Thu, 2 Dec 2021 20:08:49 +0000 (12:08 -0800)] 
s4: torture: In raw.notify test use smbcli_unlink_wcard() in place of smbcli_unlink().

We know we have a wildcard mask here.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: libcli: In smbcli_deltree() use smbcli_unlink_wcard() in place of smbcli_unlink().
Jeremy Allison [Thu, 2 Dec 2021 20:10:14 +0000 (12:10 -0800)] 
s4: libcli: In smbcli_deltree() use smbcli_unlink_wcard() in place of smbcli_unlink().

We know we have a wildcard mask here.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4: libcli: Add smbcli_unlink_wcard().
Jeremy Allison [Thu, 2 Dec 2021 20:05:51 +0000 (12:05 -0800)] 
s4: libcli: Add smbcli_unlink_wcard().

We will use this in place of smbcli_unlink() when we
know we are using a wildcard pattern. It can be used
to generally replace smbcli_unlink() as it calls down
to smbcli_unlink() if no wildcard is detected.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
4 years ago s4-auth: Remove unused headers
Andrew Bartlett [Wed, 8 Dec 2021 02:30:02 +0000 (15:30 +1300)] 
s4-auth: Remove unused headers

These changes were submitted in a patch by
Stefan Metzmacher <metze@samba.org> in his lorikeet-heimdal
import branch of patches to upgrade to a modern Heimdal.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec  9 14:14:12 UTC 2021 on sn-devel-184

4 years ago auth/credentials: Fix cli_credentials_shallow_ccache error case
Stefan Metzmacher [Fri, 3 Apr 2020 13:29:32 +0000 (15:29 +0200)] 
auth/credentials: Fix cli_credentials_shallow_ccache error case

Avoid dangling values if something fails...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago auth/credentials: Handle ENOENT when obtaining ccache lifetime
Stefan Metzmacher [Fri, 3 Apr 2020 13:27:45 +0000 (15:27 +0200)] 
auth/credentials: Handle ENOENT when obtaining ccache lifetime

The new Heimdal may return ENOENT instead of KRB5_CC_END.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
4 years ago librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal
Andrew Bartlett [Tue, 26 Sep 2017 02:10:12 +0000 (15:10 +1300)] 
librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal

This is needed to ensure Heimdal does not attempt to use nss to canonicalize the name.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec  9 07:42:38 UTC 2021 on sn-devel-184

4 years ago build: Add missing dependency on addns
Andrew Bartlett [Tue, 7 Dec 2021 03:04:08 +0000 (16:04 +1300)] 
build: Add missing dependency on addns

This becomes noticed when we upgrade Heimdal as we do not find
the correct gssapi headers any more.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 years ago hdb: Initialise HDB structure
Joseph Sutton [Wed, 8 Dec 2021 03:42:32 +0000 (16:42 +1300)] 
hdb: Initialise HDB structure

Additional fields may be added to this structure without us explicitly
initialising them. This could cause Heimdal to crash upon reading
garbage data, so we should zero-initialise the structure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec  9 02:47:27 UTC 2021 on sn-devel-184

4 years ago tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
Joseph Sutton [Mon, 6 Dec 2021 01:54:31 +0000 (14:54 +1300)] 
tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors

A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce
them in that case.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec  7 08:32:42 UTC 2021 on sn-devel-184

4 years ago tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0
Joseph Sutton [Mon, 6 Dec 2021 00:06:52 +0000 (13:06 +1300)] 
tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0
Joseph Sutton [Wed, 17 Nov 2021 07:17:27 +0000 (20:17 +1300)] 
tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Adjust unknown critical FAST option test
Joseph Sutton [Wed, 17 Nov 2021 07:16:32 +0000 (20:16 +1300)] 
tests/krb5: Adjust unknown critical FAST option test

Heimdal does not check FAST options when no preauth data is supplied, so
the original test could not pass against Heimdal.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Add test for FAST with invalid ticket checksum
Joseph Sutton [Wed, 17 Nov 2021 07:15:12 +0000 (20:15 +1300)] 
tests/krb5: Add test for FAST with invalid ticket checksum

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Remove magic flag constants
Joseph Sutton [Wed, 17 Nov 2021 07:14:50 +0000 (20:14 +1300)] 
tests/krb5: Remove magic flag constants

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Allow additional unexpected padata types
Joseph Sutton [Mon, 6 Dec 2021 21:59:27 +0000 (10:59 +1300)] 
tests/krb5: Allow additional unexpected padata types

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Make edata checking less strict
Joseph Sutton [Tue, 7 Dec 2021 02:45:06 +0000 (15:45 +1300)] 
tests/krb5: Make edata checking less strict

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
Joseph Sutton [Thu, 18 Nov 2021 00:44:32 +0000 (13:44 +1300)] 
tests/krb5: Add tests for FAST with use-session-key flag and armor ticket

This flag should be ignored and the FAST armor key used instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data
Joseph Sutton [Tue, 16 Nov 2021 06:56:24 +0000 (19:56 +1300)] 
tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Don't request renewable tickets
Joseph Sutton [Tue, 16 Nov 2021 06:55:44 +0000 (19:55 +1300)] 
tests/krb5: Don't request renewable tickets

This is not necessary for testing FAST, and was causing some of the
tests to fail.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Adjust expected error codes for FAST tests
Joseph Sutton [Tue, 16 Nov 2021 06:55:17 +0000 (19:55 +1300)] 
tests/krb5: Adjust expected error codes for FAST tests

This allows more of the tests to pass.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago kdc: Canonicalize realm for enterprise principals
Joseph Sutton [Tue, 7 Dec 2021 00:15:38 +0000 (13:15 +1300)] 
kdc: Canonicalize realm for enterprise principals

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec  7 04:54:35 UTC 2021 on sn-devel-184

4 years ago heimdal_build: Do not build samba4kinit unless building embedded Heimdal
Andrew Bartlett [Mon, 6 Dec 2021 22:30:10 +0000 (11:30 +1300)] 
heimdal_build: Do not build samba4kinit unless building embedded Heimdal

We should not attempt to build local copies of Heimdal utilities against
a system krb5 library.

Inspired by a WIP commit by Stefan Metzmacher <metze@samba.org> in his
lorikeet-heimdal import branch of patches to upgrade to a modern Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

4 years ago lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators
Andrew Bartlett [Tue, 6 Jul 2021 00:26:44 +0000 (12:26 +1200)] 
lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators

This provides the defines that may be needed to use the
compiler-provided atomics, rather than a fallback.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

4 years ago s4:torture: Remove pre-send and post-receive callbacks
Joseph Sutton [Thu, 2 Dec 2021 22:58:53 +0000 (11:58 +1300)] 
s4:torture: Remove pre-send and post-receive callbacks

The client-side testing done by these callbacks is no longer needed, and
the server-side testing is covered by Python-based tests. Removing these
leaves us with a more manageable test of the Kerberos API.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago s4:torture: Remove test combination with enterprise principal without canonicalize...
Joseph Sutton [Thu, 2 Dec 2021 22:58:40 +0000 (11:58 +1300)] 
s4:torture: Remove test combination with enterprise principal without canonicalize flag

This test combination is not needed. Removing it allows us to avoid
modifying requests prior to sending them, which can cause problems with
an upgraded Heimdal version.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec  6 22:57:54 UTC 2021 on sn-devel-184

4 years ago s4:torture: Remove AS_REQ_SELF test stage
Joseph Sutton [Thu, 2 Dec 2021 22:57:49 +0000 (11:57 +1300)] 
s4:torture: Remove AS_REQ_SELF test stage

This behaviour is already covered by existing Python tests. This test
stage also modifies the request prior to sending it, which can cause
problems with an upgraded Heimdal version.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Add tests for enterprise principals with canonicalization
Joseph Sutton [Mon, 29 Nov 2021 20:42:00 +0000 (09:42 +1300)] 
tests/krb5: Add tests for enterprise principals with canonicalization

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Add tests for AS-REQ with an SPN
Joseph Sutton [Thu, 25 Nov 2021 03:22:58 +0000 (16:22 +1300)] 
tests/krb5: Add tests for AS-REQ with an SPN

Using an SPN should only be permitted if it is also a UPN, and is not an
enterprise principal.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
Joseph Sutton [Fri, 3 Dec 2021 00:13:29 +0000 (13:13 +1300)] 
tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Check ticket cname for Heimdal
Joseph Sutton [Thu, 25 Nov 2021 03:16:52 +0000 (16:16 +1300)] 
tests/krb5: Check ticket cname for Heimdal

This is currently not checked in several places due to STRICT_CHECKING
being set to 0.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Check logon name in PAC for canonicalization tests
Joseph Sutton [Thu, 2 Dec 2021 03:51:26 +0000 (16:51 +1300)] 
tests/krb5: Check logon name in PAC for canonicalization tests

This allows us to ensure that the correct name makes it through to the
PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago tests/krb5: Only create testing accounts once per test run
Joseph Sutton [Thu, 2 Dec 2021 03:50:55 +0000 (16:50 +1300)] 
tests/krb5: Only create testing accounts once per test run

This decreases the time that the tests take to run.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago waf:mitkrb5: Always define lib so we get the header include path
Andreas Schneider [Mon, 6 Dec 2021 17:01:40 +0000 (18:01 +0100)] 
waf:mitkrb5: Always define lib so we get the header include path

If you have libkrb5 in a non-standard include path, we would not check the
latest version but search default paths (e.g. /usr/include) first.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago waf:mitkrb5: Fix MIT KRB5 detection if not in default system location
Andreas Schneider [Fri, 3 Dec 2021 07:49:24 +0000 (08:49 +0100)] 
waf:mitkrb5: Fix MIT KRB5 detection if not in default system location

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago waf:mitkrb5: Detect com_err with pkgconfig first
Andreas Schneider [Fri, 3 Dec 2021 08:13:52 +0000 (09:13 +0100)] 
waf:mitkrb5: Detect com_err with pkgconfig first

It is needed as a dependency later!

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago wafsamba: Pass lib to CHECK_DECLS()
Andreas Schneider [Mon, 6 Dec 2021 17:00:33 +0000 (18:00 +0100)] 
wafsamba: Pass lib to CHECK_DECLS()

This is needed if you have headers in non-standard include paths.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago s3:waf: Fix dependencies for libads
Andreas Schneider [Mon, 6 Dec 2021 17:17:35 +0000 (18:17 +0100)] 
s3:waf: Fix dependencies for libads

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago s4:waf: Fix dependencies for TORTURE_UTIL
Andreas Schneider [Mon, 6 Dec 2021 17:13:58 +0000 (18:13 +0100)] 
s4:waf: Fix dependencies for TORTURE_UTIL

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago s3:param: Only include smb_ldap.h for LDAP_* defines
Andreas Schneider [Mon, 6 Dec 2021 17:08:54 +0000 (18:08 +0100)] 
s3:param: Only include smb_ldap.h for LDAP_* defines

There is no need for ads.h which would pull in krb5.h and much more ...

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago s3:param: Remove trailing spaces in loadparm.c
Andreas Schneider [Mon, 6 Dec 2021 17:08:37 +0000 (18:08 +0100)] 
s3:param: Remove trailing spaces in loadparm.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago samba-tool: Test DNS record creation on member join
David Mulder [Tue, 23 Nov 2021 15:59:01 +0000 (08:59 -0700)] 
samba-tool: Test DNS record creation on member join

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago samba-tool: Create DNS entries on member join
David Mulder [Fri, 5 Nov 2021 20:43:18 +0000 (14:43 -0600)] 
samba-tool: Create DNS entries on member join

The net ads join command already handles this,
and the call was missing from the python bindings
for samba-tool domain join member.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

4 years ago heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC...
Andrew Bartlett [Thu, 2 Dec 2021 00:25:07 +0000 (13:25 +1300)] 
heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed.

This will otherwise break the system-heimdal build.

This is correct regardless.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec  6 21:48:30 UTC 2021 on sn-devel-184

4 years ago build: Remove kdc_include except where needed
Andrew Bartlett [Wed, 1 Dec 2021 22:47:35 +0000 (11:47 +1300)] 
build: Remove kdc_include except where needed

This include was being set on too many subsystems, including some MIT-related.

This was a problem because it would then trigger the mixing of MIT and Heimdal
krb5.h files.  It is now only set on the plugins and services that use the
embedded Heimdal KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

4 years ago build: Only use embedded Heimdal include paths in an embedded Heimdal build
Andrew Bartlett [Wed, 1 Dec 2021 22:33:02 +0000 (11:33 +1300)] 
build: Only use embedded Heimdal include paths in an embedded Heimdal build

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>