git.ipfire.org Git - thirdparty/samba.git/log

ctdb-server: Drop a log message to DEBUG level

This is harmless, so it doesn't generally need to be logged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit f4a8f84328c5e692ce63bec05bb71fcb469a3e9c)

ctdb-server: Clean up connection tracking functions

Apply README.Coding, modernise logging, pre-render connection as a
string for logging, switch terminology from "tickle" to "connection",
tidy up comments.

No changes in functionality.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 3c19c8df778070705485b3c993e695ca1636bfa7)

ctdb-scripts: Use ss -H option to simplify

This option has been available since ~2018 and has been implemented in
the stub since then. I guess we didn't use it because CentOS 7?

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 0505d06b12a04a5c5e813fb3f4799278f9e5b7eb)

ctdb-scripts: Remove superseded compatibility code

Since commit 224e99804efef960ef4ce2ff2f4f6dced1e74146, square brackets
have been parsed by daemon and tool code, so drop the compatibility
code from here.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 32e4f786601712e57992ce4c8f46e5d38620a5dd)

ctdb-scripts: update_tickles() should use the public IPs cache

This avoids duplicating logic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit b3e2c69ad92c0d20bb10146d2dd6d0d475455298)

ctdb-scripts: Add caching function for public IPs

This is way more complicated than I would like but, as per the
comment, this is due to complexities in the way public IPs work. The
main consumer will be statd-callout, which will then be able to run as
a non-root user.

Also generate the cache file in test code, whenever the PNN is set.
However, this can cause "ctdb ip" to generate a fake IP layout before
public IPs are setup. So, have the "ctdb ip" stub generate the IP
layout every time it is run to avoid it being stale.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit ed3f041c309e84bcb73fda9a7a68dbf69f63e3e3)

ctdb-scripts: Don't list connections when not hosting IPs

With an empty IP filter, all incoming connections to port 2049 will be
listed, not just those to public IP addresses.  This causes error
messages like the following to be logged:

  ctdb-eventd[...]: 60.nfs: Failed to add 1 tickles

since the connection being added seems to be for a random NFS mount
that doesn't use a public IP addresses.

This has been a problem for a long time (probably since commit
04fe9e20749985c71fef1bce7f6e4c439fe11c81 in 2015).  It isn't currently
a huge deal because it only affects NFS connections.  However, this
code will soon be used to track connections to public IP addresses on
all ports.  This would result in a constant stream of log messages,
since there will always be some active connections.

The theory behind the fix is that if a node hosts no public IPs then
it should have no relevant connections and has no business changing
the list of registered tickles.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15320
RN: Update CTDB to track all TCP connections to public IP addresses

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jerry Heyman <jheyman@ddn.com>
(cherry picked from commit 1a4a6c46f1cdabfea67c264d6576a597a70c3007)

smbd: avoid a panic in close_directory()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15754

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 18 12:43:28 UTC 2024 on atb-devel-224

(backported from commit f86d1a35917cdcc07b2fa741c6a369aaad24abaf)
[slow@samba.org: context changes from Directory Leases]

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Nov 20 11:17:07 UTC 2024 on atb-devel-224

VERSION: Bump version up to Samba 4.20.7...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.20.6 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.20.6.

Signed-off-by: Jule Anger <janger@samba.org>

BUG 15590 ldb: Release LDB 2.9.2

* BUG 15590: libldb: performance issue with indexes.

Signed-off-by: Jule Anger <janger@samba.org>

libcli/auth: make use of netlogon_creds_cli_check_transport() in more places

This was somehow missing in commit
7a5ad9f64a905f5744430c6e0796c646baf9432e

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Nov 7 09:14:33 UTC 2024 on atb-devel-224

(cherry picked from commit f340dce6546a22d857cad440f8afaee9815dbdb1)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Nov 13 11:36:37 UTC 2024 on atb-devel-224

libcli/auth: split out netlogon_creds_cli_check_transport()

This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7a5ad9f64a905f5744430c6e0796c646baf9432e)

libcli/auth: let netlogon_creds_copy() copy all scalar elements

This version is good for now, as we want it to be backportable.
For master we'll add a ndr_deepcopy_struct() helper in order
to avoid future problems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8edbdd65ef78e3f26357d0254b58db3120a32880)

s4:librpc/rpc: make use of netlogon_creds_client_verify()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 132629ee3a9b73d0888d1110e4d0a45ded778e5a)

libcli/auth: make use of netlogon_creds_client_verify()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1a5984ac6312b204b51590057b8327cf4698383b)

libcli/auth: split out netlogon_creds_client_verify() that takes auth_{type,level}

This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 45faf6c35a033ec46a546dfb9d5d6aeb2fb2b83c)

libcli/auth: pass auth_{type,level} to netlogon_creds_server_step_check()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2956c7eb3c9fc2161fd2748e5aac1fc94478e8c7)

libcli/auth: pass auth_{type,level} to schannel_check_creds_state()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7b02fb50143ba5044605ec67ed41180391835dcb)

libcli/auth: return INVALID_PARAMETER for DES in netlogon_creds_{de,en}crypt_samlogon_logon

For the NetlogonGenericInformation case we want an error instead of no
encryption if only DES was negotiated...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 131f5c0b251e456c466eaca744525504e1d69492)

s4:rpc_server/netlogon: make use of netlogon_creds_decrypt_SendToSam

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 834197dafef0f3779ba69c8e350cbd7bb9333284)

s4:rpc_server/netlogon: make use of netlogon_creds_decrypt_samr_CryptPassword

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit f1c1b8661a9121e1ff02784955c98d9f33bca8bd)

s4:rpc_server/netlogon: make use of netlogon_creds_{de,en}crypt_samr_Password()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7a7cb0d0426a891185f5acf825573d98360e98e1)

s3:rpc_server/netlogon: make use of netlogon_creds_decrypt_samr_CryptPassword()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a359b4139c8043ee3c3277b7559cb6d4f58f4044)

s3:rpc_server/netlogon: make use of netlogon_creds_{de,en}crypt_samr_Password

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 550d20fd3dd04397b3a38f8b9e0cfa574453eea1)

s4:torture/rpc: make use of netlogon_creds_{de,en}crypt_samr_Password

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 172ce406d48916c57f0742b6a0e064ac170ec8ff)

s4:torture/rpc: make use of netlogon_creds_encrypt_samr_CryptPassword()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2d7a47a175337729f4c671d7a6223f6e0ea23ebe)

s4:torture/rpc: make use of netlogon_creds_decrypt_samlogon_validation()

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a177d15c875030dfc6c11ead3ec3a3ec851261cb)

s4:torture/rpc: make use of netlogon_creds_encrypt_samlogon_logon()

This will make it easier to catch all places where we need to
implement the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1666d1d74dec3978837ab49f8749d59c0abcf595)

libcli/auth: make use of netlogon_creds_{de,en}crypt_samr_Password

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e92d0509d6b4d7f86e8626ba8c5efc5b786823f1)

libcli/auth: make use of netlogon_creds_encrypt_SendToSam

This will help when implementing netr_ServerAuthenticateKerberos()...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2bd77ff7314932dc4116773731a810fe0f7ce4b7)

libcli/auth: make use of netlogon_creds_encrypt_samr_CryptPassword

This will help when implementing netr_ServerAuthenticateKerberos()...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 285ec9ecde712e40e6f0981bcb379ee911bfe9d8)

libcli/auth: make netlogon_creds_des_{de,en}crypt_LMKey() static

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1edcd5df80bdbc4d4da5bdd5e534d7a17ec61f77)

python/tests: use encrypt_netr_PasswordInfo in KDCBaseTest._test_samlogon()

This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e7d57fc6e992ca212b834d5dd4d381244bca55c6)

pycredentials: add py_creds_encrypt_netr_PasswordInfo helper

This will replace py_creds_encrypt_samr_password in the next steps
and prepares the introduction of netr_ServerAuthenticateKerberos().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit fac378485f5f15ac0a11c3d82207c4bc780bfb80)

pycredentials: make use of netlogon_creds_encrypt_samr_CryptPassword in py_creds_encrypt_netr_crypt_password

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit ea792fa342deebefa75b77832c9057924cdcb6f6)

libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit b8681c165731666bb5eed073ab862490c33ea095)

libcli/auth: add netlogon_creds_{de,en}crypt_samr_CryptPassword()

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8eb95a155de396981375c7f11221695fd3c7f9d5)

libcli/auth: add netlogon_creds_{de,en}crypt_samr_Password()

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 851a9b18eccece64c3ae0cedd7c7b26a44f0eec6)

libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_logon()

This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3d4ea276bdf44202250246cd6edae2bc17e92c74)

libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()

This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a56356e399339d5bce2e699431cd3e6186229170)

netlogon.idl: add netr_ServerAuthenticateKerberos() and related stuff

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit de8de55a5fee573d0718fa8dd13168a4f0a14614)

s3:rpc_server: add DCESRV_COMPAT_NOT_USED_ON_WIRE() helper macro

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 62afadb3ebac49a684fb0e5a1beb6d7db6f5e515)

dcesrv_core: add DCESRV_NOT_USED_ON_WIRE() helper macro

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 01577b93cbb0a26aba3209cde69475be2e1c5fb8)

s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticateGeneric()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e4132c492ded7cadc60371b524e72e41f71f75e9)

s4:dsdb/common: dsdb_trust_get_incoming_passwords only needs a const ldb_message

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit f92def2f943917d8946b03f71fcf676998701815)

libcli/auth: split out netlogon_creds_alloc()

Review with: git show --patience

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e9767315cf06bcb257b40014441dd4cd9aad0fb0)

libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy

Before storing the structure into a ctdb managed volatile database
we check against netlogon_creds_CredentialState_legacy (the structure
used before recent changes). This makes sure unpatched cluster nodes
would not get a parsing error.

We'll remove this again in master when we try to implement
netr_ServerAuthenticateKerberos() and the related changes
to netlogon_creds_CredentialState, which will break the compat...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3792fe372884aad6ea2893f2e62629dd1cddc129)

libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 17394ed7bbf8fa50570a5732f1ce84ccd5e69393)

libcli/auth: also use netlogon_creds_CredentialState_extra_info for the client

In order to allow backports and cluster updates we simulate a
dom_sid, so that the old code is able to parse the blob.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8b972fea0978101575f847eac33b09d2fd8d02e7)

s4:torture/rpc: let test_netlogon_capabilities() fail on legacy servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 498fc88c155b57a0de6150c3b1e3cfcac181d45b)

s4:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit fd4b027511b18615e215b66183f95b54bcab683e)

s3:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 484a046d8e179a3b21ead8b5bc3660095314e816)

libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_init()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit dfbc5e5a19420311eac3db5ede1c665a9198395d)

libcli/auth: remove unused creds->sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a9308c490cb5ec8908a3e4c13e2ce8a08b9027e9)

s4:rpc_server/netlogon: make use of creds->ex->client_sid

creds->sid will be removed soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 4533afc9e12c4dbbc7d11c13e775888c113d497c)

s3:rpc_server/netlogon: make use of creds->ex->client_sid

creds->sid will be removed soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 88a84d9330d2bb03176f888a0d8e5066e1e21bf6)

librpc/rpc: make use of creds->ex->client_sid in dcesrv_netr_check_schannel_get_state()

creds->sid will be removed soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 453587fbc1ef74a3b997235e84040553261fa13e)

libcli/auth: split out netlogon_creds_CredentialState_extra_info

As server we are free to change the netlogon_creds_CredentialState
database record format at will as it uses CLEAR_IF_FIRST.

For now that format doesn't really changes, because we
only move dom_sid into a wrapper structure.

In order to avoid changing all callers in this commit,
we maintain creds->sid as in memory pointer.

In the following patches we'll also use it in order
to store client related information...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 518f57b93bdb84900d3b58cd94bdf1046f82a5a6)

libcli/auth: pass client_sid to netlogon_creds_server_init()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c2ef866fca296c8f3eb1620fdd2bb9bf289d96fc)

s4:rpc_server/netlogon: add client_sid helper variables

This will make the following changes simpler...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2e8949495f601d3fd117cceccd1b464a6ae43251)

s3:rpc_server/netlogon: add client_sid helper variables

This will make the following changes simpler...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit eda3728a4079c5399f693b1d68e64e5660647c72)

s4:dsdb/common: samdb_confirm_rodc_allowed_to_repl_to() only needs a const sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c9eaf5e22de730f1e7575f6697f32dbb377eae06)

s3:cli_netlogon: let rpccli_connect_netlogon() use force_reauth = true on retry

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7f478656dcf08619bc3a7ad390c7db3bfdef924e)

s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit d174b6595a962230bf71cc5c2f512a2c93a4cc1b)

s4:librpc/rpc: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 0b6ac4b082ddec5dae1392537727f3a7123ec279)

s4:librpc/rpc: define required schannel flags and enforce them

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 25294685b1c2c8652f0ca0220e8f3729e0b347e2)

s4:librpc/rpc: don't allow any unexpected upgrades of negotiate_flags

Only remove the unsupported flags from local_negotiate_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 69b0cbd13d06fa640a900acab6757425b5b77cac)

s4:librpc/rpc: do LogonControl after LogonGetCapabilities downgrade

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 24de5d1cbd25fabae6b01565907b53f5e51ea06d)

libcli/auth: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 25a2105ca7816c47a9c4a7fded88a922e4ccf88b)

libcli/auth: use a LogonControl after a LogonGetCapabilities downgrade

If LogonGetCapabilities was downgraded by an DCERPC Fault, we
rely on the schannel message ordering to detect failures.

Instead of letting any real winbindd request trigger this,
we do it directly in netlogon_creds_cli_check() with
a LogonControl that is also used for 'wbinfo --ping-dc'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 276137e950696fbf36450dceebd6c0250c6242d0)

libcli/auth: if we require aes we don't need to require arcfour nor strong key

But we can send arcfour and strong key on the wire and don't need to
remove them from the proposed flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3da40f1c6818550eb08a6d7d680c213c3f1d0649)

libcli/auth: don't allow any unexpected upgrades of negotiate_flags

Only remove the unsupported flags from state->current_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a9040c8ce76cb9911c4c0c5d623cc479e49f460d)

libcli/auth: make use of netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 69cb9aea67de0613f467f7ce2d460364ff2be241)

libcli/auth: remove unused netlogon_creds_client_init_session_key()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit cf0e07a3d2a085d31f7d682633af9ec57c155e57)

netlogon.idl: the capabilities in query_level=2 are the ones send by the client

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 86176598eee4c83dc63a9dac163f32c886477129)

s4:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag

With SAMBA_WEAK_CRYPTO_DISALLOWED dcesrv_netr_ServerAuthenticate3_check_downgrade()
will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not
negotiated...

And if AES was negotiated there's no harm in returning the ARCFOUR
flag...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a0bc372dee68ad255da005d2e2078da754bbef2a)

s3:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag

With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED with negotiate_flags = 0,
if AES was not negotiated...

And if AES was negotiated there's no harm in returning the ARCFOUR
flag...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e5bc5ee3e04138b10c0630640469a08fad847e56)

s3:rpc_server/netlogon: correctly negotiate flags in ServerAuthenticate2/3

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit b27661f832cc4c56cc582cf7041d90f178736ef7)

s4:torture/rpc: without weak crypto we should require AES

We should check that we can actually negotiated the strong AES
crypto instead of just checking that NETLOGON_NEG_ARCFOUR is not
there...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3dcbc8eea5bc53a8332b3ad93ea4c3df99af7830)

s4:torture/rpc: check that DOWNGRADE_DETECTED has no bits negotiated

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 36310650ee7a64603128139f512d3a4e039f8822)

s4:rpc_server: Make some arrays static

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit beaeeaff501b22fdfb3928d788597398fcbbbe29)

Backported for https://bugzilla.samba.org/show_bug.cgi?id=15425

s3:winbindd: call process_set_title() for locator child

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Oct 31 14:02:39 UTC 2024 on atb-devel-224

(cherry picked from commit e4e3f05cd7d6fdc98a24f592a099f7d24136788d)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Thu Nov 7 13:39:23 UTC 2024 on atb-devel-224

third_party/heimdal: Import lorikeet-heimdal-202410161454 (commit 0d61538a16b5051c820702f0711102112cd01a83)

gsskrb5: let GSS_C_DCE_STYLE imply GSS_C_MUTUAL_FLAG as acceptor

Windows clients forget GSS_C_MUTUAL_FLAG in some situations where they
use GSS_C_DCE_STYLE, in the assumption that GSS_C_MUTUAL_FLAG is
implied.

Both Windows and MIT as server already imply GSS_C_MUTUAL_FLAG
when GSS_C_DCE_STYLE is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15740
PR: https://github.com/heimdal/heimdal/pull/1266

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 16 19:05:15 UTC 2024 on atb-devel-224

(cherry picked from commit ce10b28566eb7b3e26a1e404b278d3d761ac183e)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Thu Nov 7 09:21:35 UTC 2024 on atb-devel-224

smbd: fix sharing access check for directories

This was missing from commit 6140c3177a0330f42411618c3fca28930ea02a21 and causes
all opens of directories to be handled as stat opens, bypassing the sharemode
check.

Not adding a test at this time, as my (hopefully) soon to be merged Directory
Leases branch has a test which actually detected this problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 20206a335a6af71b99f6441df145feea6563cf5a)

smbd: fix share access check for overwrite dispostions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Oct 14 12:23:04 UTC 2024 on atb-devel-224

(cherry picked from commit 6140c3177a0330f42411618c3fca28930ea02a21)

smbtorture: add subtests for overwrite dispositions vs sharemodes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 849afe05ade140898b1eab9b28d46edc8357c844)

smbtorture: fix smb2.notify.mask test

The strange function custom_smb2_create() was somehow causing
NT_STATUS_DELETE_PENDING failures:

  failure: mask [
  (../../source4/torture/smb2/notify.c:490) Incorrect status NT_STATUS_DELETE_PENDING - should be NT_STATUS_OK
  ]

I couldn't figure out what was causing this exactly, but after doing these
cleanups the error went away.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4591f27ca81dff997ef7474565fc9c373abfa4a9)

smbtorture: prepare test_overwrite_read_only_file() for more subtests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f88e52a6f487a216dbb805fabc08e862abb9b643)

dcesrv_core: better fault codes dcesrv_auth_prepare_auth3()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Oct 10 15:17:46 UTC 2024 on atb-devel-224

(cherry picked from commit 9263ce5752063235836d5f77220b0151df6c9408)

dcesrv_core: fix the auth3 for large ntlmssp messages

I know finding any real logic in reading the patch,
doesn't really show what's going on. I tried hard
to simplify it, but this is the only way I found
that fixed the test_auth_pad_ntlm_2889_auth3 test
without breaking other tests...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8b8e4ff1b19ba06821d774d0e1a8b1cad7f06120)

gensec:spnego: ignore trailing bytes in SPNEGO_SERVER_START state

This matches Windows (at least Server 2012_R2).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 86808d66f30136850f857b749e768c88de3a079f)

gensec:ntlmssp: only allow messages up to 2888 bytes

This matches Windows (at least Server 2012_R2).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 55dd8bdb05b4e814beb50d11a6f12c94e5f6e9d5)

dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED

We should use DCERPC_FAULT_ACCESS_DENIED as default for
gensec status results of e.g. NT_STATUS_LOGON_FAILURE or
NT_STATUS_INVALID_PARAMTER.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 31a422b7e58d7a670ebedb7c91f240a3134a9624)

dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM

We already report that for gensec_start_mech_by_authtype() failures,
but we also need to do that for any invalid authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 97545873ebc2daf9c3daee914a90687625a08225)

dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3

Sometimes Windows sends 3 presentation contexts (NDR32, NDR64,
BindTimeFeatureNegotiation) in the first BIND of an association.

Binding an additional connection to the association seems to
reuse the BIND buffer and just changes the num_contexts field from
3 to 2 and leaves the BindTimeFeatureNegotiation context as padding
in places.

Note, the auth_pad_length field is send as 0 in that case,
which means we need to ignore it completely, as well as any
padding before the auth header.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 85b2dcd93848a590727dac243e8eb3614be75fad)

dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason

If dcerpc_pull_auth_trailer() returns NT_STATUS_RPC_PROTOCOL_ERROR
it will return the BIND reject code in auth->auth_context_id.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 7a6a1aae6fa74ab0f55c1160aedd2d79c9a44a90)

dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned

That what Windows also asserts.

It also makes sure that ndr_pull_dcerpc_auth() will
start with ndr->offset = 0 and don't tries to eat
possible padding.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 890fff1ca0c4e1eb8ef26c4f88aa18aeda3afc4f)

tests/dcerpc/raw_protocol: test invalid schannel binds

Note the ad_member will keep these as expected failures,
as it doesn't provide the netlogon service,
while the knownfail for the ADDC is only temporary.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit f7a3827010a859839a3ae7d0cdf297a15610d286)