git.ipfire.org Git - thirdparty/samba.git/log
8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 11:58:11 +0000 (12:58 +0100)] 
s4:torture/rpc: make use of netlogon_creds_encrypt_samlogon_logon()

This will make it easier to catch all places where we need to
implement the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1666d1d74dec3978837ab49f8749d59c0abcf595)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 16:19:09 +0000 (17:19 +0100)] 
libcli/auth: make use of netlogon_creds_{de,en}crypt_samr_Password

This will make it easier to implement netr_ServerAuthenticateKerberos() later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e92d0509d6b4d7f86e8626ba8c5efc5b786823f1)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 15:00:52 +0000 (16:00 +0100)] 
libcli/auth: make use of netlogon_creds_encrypt_SendToSam

This will help when implementing netr_ServerAuthenticateKerberos()...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2bd77ff7314932dc4116773731a810fe0f7ce4b7)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 14:56:09 +0000 (15:56 +0100)] 
libcli/auth: make use of netlogon_creds_encrypt_samr_CryptPassword

This will help when implementing netr_ServerAuthenticateKerberos()...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 285ec9ecde712e40e6f0981bcb379ee911bfe9d8)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 14:52:13 +0000 (15:52 +0100)] 
libcli/auth: make netlogon_creds_des_{de,en}crypt_LMKey() static

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 1edcd5df80bdbc4d4da5bdd5e534d7a17ec61f77)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 14:39:57 +0000 (15:39 +0100)] 
python/tests: use encrypt_netr_PasswordInfo in KDCBaseTest._test_samlogon()

This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e7d57fc6e992ca212b834d5dd4d381244bca55c6)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 14:22:47 +0000 (15:22 +0100)] 
pycredentials: add py_creds_encrypt_netr_PasswordInfo helper

This will replace py_creds_encrypt_samr_password in the next steps
and prepares the introduction of netr_ServerAuthenticateKerberos().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit fac378485f5f15ac0a11c3d82207c4bc780bfb80)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 13:06:28 +0000 (14:06 +0100)] 
pycredentials: make use of netlogon_creds_encrypt_samr_CryptPassword in py_creds_encrypt_netr_crypt_password

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit ea792fa342deebefa75b77832c9057924cdcb6f6)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 12:13:50 +0000 (13:13 +0100)] 
libcli/auth: add netlogon_creds_{de,en}crypt_SendToSam()

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit b8681c165731666bb5eed073ab862490c33ea095)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 12:12:24 +0000 (13:12 +0100)] 
libcli/auth: add netlogon_creds_{de,en}crypt_samr_CryptPassword()

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8eb95a155de396981375c7f11221695fd3c7f9d5)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 12:03:37 +0000 (13:03 +0100)] 
libcli/auth: add netlogon_creds_{de,en}crypt_samr_Password()

These will simplify adding the logic for netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 851a9b18eccece64c3ae0cedd7c7b26a44f0eec6)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 11:55:12 +0000 (12:55 +0100)] 
libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_logon()

This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3d4ea276bdf44202250246cd6edae2bc17e92c74)

8 months ago
Stefan Metzmacher [Mon, 28 Oct 2024 11:43:44 +0000 (12:43 +0100)] 
libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()

This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a56356e399339d5bce2e699431cd3e6186229170)

8 months ago
Stefan Metzmacher [Tue, 30 Apr 2024 13:14:47 +0000 (15:14 +0200)] 
netlogon.idl: add netr_ServerAuthenticateKerberos() and related stuff

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit de8de55a5fee573d0718fa8dd13168a4f0a14614)

8 months ago
Stefan Metzmacher [Tue, 10 Sep 2024 11:56:38 +0000 (13:56 +0200)] 
s3:rpc_server: add DCESRV_COMPAT_NOT_USED_ON_WIRE() helper macro

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 62afadb3ebac49a684fb0e5a1beb6d7db6f5e515)

8 months ago
Stefan Metzmacher [Tue, 10 Sep 2024 11:56:38 +0000 (13:56 +0200)] 
dcesrv_core: add DCESRV_NOT_USED_ON_WIRE() helper macro

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 01577b93cbb0a26aba3209cde69475be2e1c5fb8)

8 months ago
Stefan Metzmacher [Wed, 16 Oct 2024 15:55:41 +0000 (17:55 +0200)] 
s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticateGeneric()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e4132c492ded7cadc60371b524e72e41f71f75e9)

8 months ago
Stefan Metzmacher [Wed, 16 Oct 2024 15:49:26 +0000 (17:49 +0200)] 
s4:dsdb/common: dsdb_trust_get_incoming_passwords only needs a const ldb_message

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit f92def2f943917d8946b03f71fcf676998701815)

8 months ago
Stefan Metzmacher [Wed, 16 Oct 2024 15:47:22 +0000 (17:47 +0200)] 
libcli/auth: split out netlogon_creds_alloc()

Review with: git show --patience

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e9767315cf06bcb257b40014441dd4cd9aad0fb0)

8 months ago
Stefan Metzmacher [Thu, 10 Oct 2024 11:39:38 +0000 (13:39 +0200)] 
libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy

Before storing the structure into a ctdb managed volatile database
we check against netlogon_creds_CredentialState_legacy (the structure
used before recent changes). This makes sure unpatched cluster nodes
would not get a parsing error.

We'll remove this again in master when we try to implement
netr_ServerAuthenticateKerberos() and the related changes
to netlogon_creds_CredentialState, which will break the compat...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3792fe372884aad6ea2893f2e62629dd1cddc129)

8 months ago
Stefan Metzmacher [Thu, 10 Oct 2024 11:24:37 +0000 (13:24 +0200)] 
libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 17394ed7bbf8fa50570a5732f1ce84ccd5e69393)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 17:06:59 +0000 (19:06 +0200)] 
libcli/auth: also use netlogon_creds_CredentialState_extra_info for the client

In order to allow backports and cluster updates we simulate a
dom_sid, so that the old code is able to parse the blob.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 8b972fea0978101575f847eac33b09d2fd8d02e7)

8 months ago
Stefan Metzmacher [Tue, 29 Oct 2024 08:27:30 +0000 (09:27 +0100)] 
s4:torture/rpc: let test_netlogon_capabilities() fail on legacy servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 498fc88c155b57a0de6150c3b1e3cfcac181d45b)

8 months ago
Stefan Metzmacher [Wed, 19 Jul 2023 16:00:31 +0000 (18:00 +0200)] 
s4:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit fd4b027511b18615e215b66183f95b54bcab683e)

8 months ago
Stefan Metzmacher [Wed, 19 Jul 2023 16:03:09 +0000 (18:03 +0200)] 
s3:rpc_server/netlogon: implement netr_LogonGetCapabilities query_level=2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 484a046d8e179a3b21ead8b5bc3660095314e816)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 17:06:59 +0000 (19:06 +0200)] 
libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_init()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit dfbc5e5a19420311eac3db5ede1c665a9198395d)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 17:04:02 +0000 (19:04 +0200)] 
libcli/auth: remove unused creds->sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a9308c490cb5ec8908a3e4c13e2ce8a08b9027e9)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 17:01:39 +0000 (19:01 +0200)] 
s4:rpc_server/netlogon: make use of creds->ex->client_sid

creds->sid will be removed soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 4533afc9e12c4dbbc7d11c13e775888c113d497c)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 17:01:39 +0000 (19:01 +0200)] 
s3:rpc_server/netlogon: make use of creds->ex->client_sid

creds->sid will be removed soon...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 88a84d9330d2bb03176f888a0d8e5066e1e21bf6)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 17:00:45 +0000 (19:00 +0200)] 
librpc/rpc: make use of creds->ex->client_sid in dcesrv_netr_check_schannel_get_state()

creds->sid will be removed soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 453587fbc1ef74a3b997235e84040553261fa13e)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 16:54:05 +0000 (18:54 +0200)] 
libcli/auth: split out netlogon_creds_CredentialState_extra_info

As server we are free to change the netlogon_creds_CredentialState
database record format at will as it uses CLEAR_IF_FIRST.

For now that format doesn't really change, because we
only move dom_sid into a wrapper structure.

In order to avoid changing all callers in this commit,
we maintain creds->sid as an in-memory pointer.

In the following patches we'll also use it in order
to store client related information...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 518f57b93bdb84900d3b58cd94bdf1046f82a5a6)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 16:46:43 +0000 (18:46 +0200)] 
libcli/auth: pass client_sid to netlogon_creds_server_init()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c2ef866fca296c8f3eb1620fdd2bb9bf289d96fc)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 16:06:44 +0000 (18:06 +0200)] 
s4:rpc_server/netlogon: add client_sid helper variables

This will make the following changes simpler...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 2e8949495f601d3fd117cceccd1b464a6ae43251)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 16:06:44 +0000 (18:06 +0200)] 
s3:rpc_server/netlogon: add client_sid helper variables

This will make the following changes simpler...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit eda3728a4079c5399f693b1d68e64e5660647c72)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 16:04:27 +0000 (18:04 +0200)] 
s4:dsdb/common: samdb_confirm_rodc_allowed_to_repl_to() only needs a const sid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c9eaf5e22de730f1e7575f6697f32dbb377eae06)

8 months ago
Stefan Metzmacher [Wed, 30 Oct 2024 11:10:49 +0000 (12:10 +0100)] 
s3:cli_netlogon: let rpccli_connect_netlogon() use force_reauth = true on retry

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 7f478656dcf08619bc3a7ad390c7db3bfdef924e)

8 months ago
Stefan Metzmacher [Thu, 20 Jul 2023 11:29:12 +0000 (13:29 +0200)] 
s4:torture/rpc/netlogon: adjust test_netlogon_capabilities query_level=2 to request_flags

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit d174b6595a962230bf71cc5c2f512a2c93a4cc1b)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 14:38:53 +0000 (16:38 +0200)] 
s4:librpc/rpc: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 0b6ac4b082ddec5dae1392537727f3a7123ec279)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 14:38:53 +0000 (16:38 +0200)] 
s4:librpc/rpc: define required schannel flags and enforce them

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 25294685b1c2c8652f0ca0220e8f3729e0b347e2)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 14:44:26 +0000 (16:44 +0200)] 
s4:librpc/rpc: don't allow any unexpected upgrades of negotiate_flags

Only remove the unsupported flags from local_negotiate_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 69b0cbd13d06fa640a900acab6757425b5b77cac)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 14:15:46 +0000 (16:15 +0200)] 
s4:librpc/rpc: do LogonControl after LogonGetCapabilities downgrade

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 24de5d1cbd25fabae6b01565907b53f5e51ea06d)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 11:43:36 +0000 (13:43 +0200)] 
libcli/auth: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 25a2105ca7816c47a9c4a7fded88a922e4ccf88b)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 12:25:19 +0000 (14:25 +0200)] 
libcli/auth: use a LogonControl after a LogonGetCapabilities downgrade

If LogonGetCapabilities was downgraded by a DCERPC Fault, we
rely on the schannel message ordering to detect failures.

Instead of letting any real winbindd request trigger this,
we do it directly in netlogon_creds_cli_check() with
a LogonControl that is also used for 'wbinfo --ping-dc'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 276137e950696fbf36450dceebd6c0250c6242d0)

8 months ago
Stefan Metzmacher [Thu, 10 Oct 2024 10:31:18 +0000 (12:31 +0200)] 
libcli/auth: if we require aes we don't need to require arcfour nor strong key

But we can send arcfour and strong key on the wire and don't need to
remove them from the proposed flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3da40f1c6818550eb08a6d7d680c213c3f1d0649)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 13:03:21 +0000 (15:03 +0200)] 
libcli/auth: don't allow any unexpected upgrades of negotiate_flags

Only remove the unsupported flags from state->current_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a9040c8ce76cb9911c4c0c5d623cc479e49f460d)

8 months ago
Stefan Metzmacher [Wed, 19 Jul 2023 15:43:00 +0000 (17:43 +0200)] 
libcli/auth: make use of netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 69cb9aea67de0613f467f7ce2d460364ff2be241)

8 months ago
Stefan Metzmacher [Wed, 2 Oct 2024 17:06:59 +0000 (19:06 +0200)] 
libcli/auth: remove unused netlogon_creds_client_init_session_key()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit cf0e07a3d2a085d31f7d682633af9ec57c155e57)

8 months ago
Stefan Metzmacher [Wed, 19 Jul 2023 07:27:48 +0000 (09:27 +0200)] 
netlogon.idl: the capabilities in query_level=2 are the ones sent by the client

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 86176598eee4c83dc63a9dac163f32c886477129)

8 months ago
Stefan Metzmacher [Thu, 10 Oct 2024 10:34:33 +0000 (12:34 +0200)] 
s4:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag

With SAMBA_WEAK_CRYPTO_DISALLOWED dcesrv_netr_ServerAuthenticate3_check_downgrade()
will return DOWNGRADE_DETECTED with negotiate_flags = 0, if AES was not
negotiated...

And if AES was negotiated there's no harm in returning the ARCFOUR
flag...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a0bc372dee68ad255da005d2e2078da754bbef2a)

8 months ago
Stefan Metzmacher [Thu, 10 Oct 2024 10:34:33 +0000 (12:34 +0200)] 
s3:rpc_server/netlogon: if we require AES there's no need to remove the ARCFOUR flag

With SAMBA_WEAK_CRYPTO_DISALLOWED we will return DOWNGRADE_DETECTED with negotiate_flags = 0,
if AES was not negotiated...

And if AES was negotiated there's no harm in returning the ARCFOUR
flag...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit e5bc5ee3e04138b10c0630640469a08fad847e56)

8 months ago
Stefan Metzmacher [Wed, 19 Jul 2023 10:55:33 +0000 (12:55 +0200)] 
s3:rpc_server/netlogon: correctly negotiate flags in ServerAuthenticate2/3

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit b27661f832cc4c56cc582cf7041d90f178736ef7)

8 months ago
Stefan Metzmacher [Thu, 10 Oct 2024 13:02:16 +0000 (15:02 +0200)] 
s4:torture/rpc: without weak crypto we should require AES

We should check that we can actually negotiate the strong AES
crypto instead of just checking that NETLOGON_NEG_ARCFOUR is not
there...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 3dcbc8eea5bc53a8332b3ad93ea4c3df99af7830)

8 months ago
Stefan Metzmacher [Thu, 10 Oct 2024 13:08:01 +0000 (15:08 +0200)] 
s4:torture/rpc: check that DOWNGRADE_DETECTED has no bits negotiated

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 36310650ee7a64603128139f512d3a4e039f8822)

8 months ago
Jo Sutton [Tue, 20 Feb 2024 03:46:07 +0000 (16:46 +1300)] 
s4:rpc_server: Make some arrays static

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit beaeeaff501b22fdfb3928d788597398fcbbbe29)

Backported for https://bugzilla.samba.org/show_bug.cgi?id=15425

9 months ago
Stefan Metzmacher [Wed, 16 Oct 2024 07:45:21 +0000 (07:45 +0000)] 
s3:winbindd: call process_set_title() for locator child

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Oct 31 14:02:39 UTC 2024 on atb-devel-224

(cherry picked from commit e4e3f05cd7d6fdc98a24f592a099f7d24136788d)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Thu Nov  7 13:39:23 UTC 2024 on atb-devel-224

9 months ago
Stefan Metzmacher [Tue, 30 Apr 2024 16:24:33 +0000 (18:24 +0200)] 
third_party/heimdal: Import lorikeet-heimdal-202410161454 (commit 0d61538a16b5051c820702f0711102112cd01a83)

gsskrb5: let GSS_C_DCE_STYLE imply GSS_C_MUTUAL_FLAG as acceptor

Windows clients forget GSS_C_MUTUAL_FLAG in some situations where they
use GSS_C_DCE_STYLE, in the assumption that GSS_C_MUTUAL_FLAG is
implied.

Both Windows and MIT as server already imply GSS_C_MUTUAL_FLAG
when GSS_C_DCE_STYLE is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15740
PR: https://github.com/heimdal/heimdal/pull/1266

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 16 19:05:15 UTC 2024 on atb-devel-224

(cherry picked from commit ce10b28566eb7b3e26a1e404b278d3d761ac183e)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Thu Nov  7 09:21:35 UTC 2024 on atb-devel-224

9 months ago
Ralph Boehme [Fri, 25 Oct 2024 15:22:57 +0000 (17:22 +0200)] 
smbd: fix sharing access check for directories

This was missing from commit 6140c3177a0330f42411618c3fca28930ea02a21 and causes
all opens of directories to be handled as stat opens, bypassing the sharemode
check.

Not adding a test at this time, as my (hopefully) soon to be merged Directory
Leases branch has a test which actually detected this problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 20206a335a6af71b99f6441df145feea6563cf5a)

9 months ago
Ralph Boehme [Wed, 2 Oct 2024 12:09:33 +0000 (14:09 +0200)] 
smbd: fix share access check for overwrite dispositions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Oct 14 12:23:04 UTC 2024 on atb-devel-224

(cherry picked from commit 6140c3177a0330f42411618c3fca28930ea02a21)

9 months ago
Ralph Boehme [Wed, 2 Oct 2024 12:08:36 +0000 (14:08 +0200)] 
smbtorture: add subtests for overwrite dispositions vs sharemodes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 849afe05ade140898b1eab9b28d46edc8357c844)

9 months ago
Ralph Boehme [Wed, 2 Oct 2024 16:17:17 +0000 (18:17 +0200)] 
smbtorture: fix smb2.notify.mask test

The strange function custom_smb2_create() was somehow causing
NT_STATUS_DELETE_PENDING failures:

  failure: mask [
  (../../source4/torture/smb2/notify.c:490) Incorrect status NT_STATUS_DELETE_PENDING - should be NT_STATUS_OK
  ]

I couldn't figure out what was causing this exactly, but after doing these
cleanups the error went away.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4591f27ca81dff997ef7474565fc9c373abfa4a9)

9 months ago smbtorture: prepare test_overwrite_read_only_file() for more subtests
Ralph Boehme [Wed, 2 Oct 2024 12:07:49 +0000 (14:07 +0200)] 
smbtorture: prepare test_overwrite_read_only_file() for more subtests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15732

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f88e52a6f487a216dbb805fabc08e862abb9b643)

9 months ago dcesrv_core: better fault codes dcesrv_auth_prepare_auth3()
Stefan Metzmacher [Fri, 13 Nov 2020 01:47:51 +0000 (02:47 +0100)] 
dcesrv_core: better fault codes dcesrv_auth_prepare_auth3()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Oct 10 15:17:46 UTC 2024 on atb-devel-224

(cherry picked from commit 9263ce5752063235836d5f77220b0151df6c9408)

9 months ago dcesrv_core: fix the auth3 for large ntlmssp messages
Stefan Metzmacher [Fri, 13 Nov 2020 09:55:43 +0000 (10:55 +0100)] 
dcesrv_core: fix the auth3 for large ntlmssp messages

I know finding any real logic in reading the patch,
doesn't really show what's going on. I tried hard
to simplify it, but this is the only way I found
that fixed the test_auth_pad_ntlm_2889_auth3 test
without breaking other tests...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8b8e4ff1b19ba06821d774d0e1a8b1cad7f06120)

9 months ago gensec:spnego: ignore trailing bytes in SPNEGO_SERVER_START state
Stefan Metzmacher [Wed, 11 Nov 2020 16:03:29 +0000 (17:03 +0100)] 
gensec:spnego: ignore trailing bytes in SPNEGO_SERVER_START state

This matches Windows (at least Server 2012_R2).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 86808d66f30136850f857b749e768c88de3a079f)

9 months ago gensec:ntlmssp: only allow messages up to 2888 bytes
Stefan Metzmacher [Thu, 12 Nov 2020 09:00:07 +0000 (10:00 +0100)] 
gensec:ntlmssp: only allow messages up to 2888 bytes

This matches Windows (at least Server 2012_R2).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 55dd8bdb05b4e814beb50d11a6f12c94e5f6e9d5)

9 months ago dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED
Stefan Metzmacher [Thu, 12 Nov 2020 15:41:21 +0000 (16:41 +0100)] 
dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED

We should use DCERPC_FAULT_ACCESS_DENIED as default for
gensec status results of e.g. NT_STATUS_LOGON_FAILURE or
NT_STATUS_INVALID_PARAMETER.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 31a422b7e58d7a670ebedb7c91f240a3134a9624)

9 months ago dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM
Stefan Metzmacher [Thu, 12 Nov 2020 15:41:05 +0000 (16:41 +0100)] 
dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM

We already report that for gensec_start_mech_by_authtype() failures,
but we also need to do that for any invalid authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 97545873ebc2daf9c3daee914a90687625a08225)

9 months ago dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter,...
Stefan Metzmacher [Wed, 11 Nov 2020 16:07:54 +0000 (17:07 +0100)] 
dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3

Sometimes Windows sends 3 presentation contexts (NDR32, NDR64,
BindTimeFeatureNegotiation) in the first BIND of an association.

Binding an additional connection to the association seems to
reuse the BIND buffer and just changes the num_contexts field from
3 to 2 and leaves the BindTimeFeatureNegotiation context as padding
in places.

Note, the auth_pad_length field is sent as 0 in that case,
which means we need to ignore it completely, as well as any
padding before the auth header.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 85b2dcd93848a590727dac243e8eb3614be75fad)

9 months ago dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason
Stefan Metzmacher [Wed, 11 Nov 2020 16:59:45 +0000 (17:59 +0100)] 
dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason

If dcerpc_pull_auth_trailer() returns NT_STATUS_RPC_PROTOCOL_ERROR
it will return the BIND reject code in auth->auth_context_id.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 7a6a1aae6fa74ab0f55c1160aedd2d79c9a44a90)

9 months ago dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned
Stefan Metzmacher [Wed, 11 Nov 2020 16:05:21 +0000 (17:05 +0100)] 
dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned

That's what Windows also asserts.

It also makes sure that ndr_pull_dcerpc_auth() will
start with ndr->offset = 0 and doesn't try to eat
possible padding.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 890fff1ca0c4e1eb8ef26c4f88aa18aeda3afc4f)

9 months ago tests/dcerpc/raw_protocol: test invalid schannel binds
Stefan Metzmacher [Thu, 12 Nov 2020 10:10:46 +0000 (11:10 +0100)] 
tests/dcerpc/raw_protocol: test invalid schannel binds

Note the ad_member will keep these as expected failures,
as it doesn't provide the netlogon service,
while the knownfail for the ADDC is only temporary.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit f7a3827010a859839a3ae7d0cdf297a15610d286)

9 months ago tests/dcerpc/raw_protocol: add more tests for auth_pad alignment
Stefan Metzmacher [Thu, 12 Nov 2020 16:22:19 +0000 (17:22 +0100)] 
tests/dcerpc/raw_protocol: add more tests for auth_pad alignment

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0bc562eb26cad3a5cb8da2da54db86932791f3de)

9 months ago tests/dcerpc/raw_protocol: add tests for max auth_padding, auth_len or auth_offset
Stefan Metzmacher [Wed, 11 Nov 2020 00:19:23 +0000 (01:19 +0100)] 
tests/dcerpc/raw_protocol: add tests for max auth_padding, auth_len or auth_offset

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0da9e4d7430c7dbb37783e6152f7672bf29498e9)

9 months ago tests/dcerpc/raw_protocol: fix comment in test_spnego_change_auth_type1
Stefan Metzmacher [Tue, 17 Nov 2020 16:44:51 +0000 (17:44 +0100)] 
tests/dcerpc/raw_protocol: fix comment in test_spnego_change_auth_type1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 7b5c3f9b1f334eb9d7906338e2e64196a6530068)

9 months ago tests/dcerpc/raw_protocol: test_no_auth_ctx_request
Stefan Metzmacher [Tue, 17 Nov 2020 09:05:41 +0000 (10:05 +0100)] 
tests/dcerpc/raw_protocol: test_no_auth_ctx_request

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 57fb07f5a3369d679f8918f853303b56e58dfb3d)

9 months ago dcesrv_core: introduce dcesrv_connection->transport_max_recv_frag
Stefan Metzmacher [Thu, 12 Nov 2020 15:38:32 +0000 (16:38 +0100)] 
dcesrv_core: introduce dcesrv_connection->transport_max_recv_frag

The max fragment size depends on the transport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 09e8dd23ce0c08c5c04bd74121f3664f420af877)

9 months ago tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff over tcp and smb
Stefan Metzmacher [Mon, 16 Nov 2020 14:01:49 +0000 (15:01 +0100)] 
tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff over tcp and smb

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a2d894fd37aaa9bce64ad95e01412681a08790ea)

9 months ago dcesrv_core: add more verbose debugging for missing association groups
Stefan Metzmacher [Mon, 16 Nov 2020 15:58:35 +0000 (16:58 +0100)] 
dcesrv_core: add more verbose debugging for missing association groups

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ac5818f2dd348e61b4be35505bee00b330ec4450)

9 months ago RawDCERPCTest: add some more auth_length related asserts
Stefan Metzmacher [Wed, 11 Nov 2020 15:49:25 +0000 (16:49 +0100)] 
RawDCERPCTest: add some more auth_length related asserts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit bb8ad1f22924b581bfb66555713e98efa91372b2)

9 months ago RawDCERPCTest: split prepare_pdu() and send_pdu_blob() out of send_pdu()
Stefan Metzmacher [Mon, 9 Nov 2020 13:00:43 +0000 (14:00 +0100)] 
RawDCERPCTest: split prepare_pdu() and send_pdu_blob() out of send_pdu()

This will make it possible to alter pdus before sending them to the
server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 444f9c6624f5c997dfdc4ae0bfb8823a56fbef70)

9 months ago s4:librpc: provide py_schannel bindings
Stefan Metzmacher [Thu, 12 Nov 2020 09:34:38 +0000 (10:34 +0100)] 
s4:librpc: provide py_schannel bindings

This will be used in the dcerpc.raw_protocol test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0acbbeab4db0c8bc8ff655d652e249fecb3c4ef9)

9 months ago dcerpc_util: don't allow auth_padding for BIND, ALTER_CONTEXT and AUTH3 pdus
Stefan Metzmacher [Tue, 24 Sep 2024 07:32:24 +0000 (09:32 +0200)] 
dcerpc_util: don't allow auth_padding for BIND, ALTER_CONTEXT and AUTH3 pdus

This is how Windows 2022 (and 2025 preview) behaves...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit be02d4077db1d6c35b2e480937a04b5e70545a6d)

9 months ago tests/dcerpc/raw_protocol: add more tests for auth padding during ALTER_CONTEXT/AUTH3
Stefan Metzmacher [Tue, 24 Sep 2024 07:56:05 +0000 (09:56 +0200)]
tests/dcerpc/raw_protocol: add more tests for auth padding during ALTER_CONTEXT/AUTH3

The aim is to keep testing the code paths, which are no longer
tested because allow_bind_auth_pad is false now, which
means the existing tests fail directly at the BIND,
but we also want to test the error handling on
ALTER_CONTEXT (and AUTH3).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9309283ddbcc60cb8dac8ecd3f4bcecfbf8ac732)

9 months ago dcesrv_core: return NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED for binds without contexts
Stefan Metzmacher [Tue, 24 Sep 2024 07:05:15 +0000 (09:05 +0200)] 
dcesrv_core: return NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED for binds without contexts

This is the error Windows 2022 (and 2025 preview) return.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8e6696b2ac6990f3d6bac804c9a0f1a2b8f0ada0)

9 months ago dcesrv_core: disconnect after a fault with non AUTH_LEVEL_CONNECT bind
Stefan Metzmacher [Mon, 23 Sep 2024 14:09:39 +0000 (16:09 +0200)] 
dcesrv_core: disconnect after a fault with non AUTH_LEVEL_CONNECT bind

Without an auth context using DCERPC_AUTH_LEVEL_PACKET or higher
the fault to reject requests with an invalid auth level
should trigger a disconnect after sending the fault to
the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 31c2f35bba003daee39756e83def0f3d45c19c6b)

9 months ago s4:selftest: only run ad_member with AUTH_LEVEL_CONNECT_LSA=1
Stefan Metzmacher [Mon, 23 Sep 2024 13:13:59 +0000 (15:13 +0200)] 
s4:selftest: only run ad_member with AUTH_LEVEL_CONNECT_LSA=1

We only want to test against
'allow dcerpc auth level connect:lsarpc = yes' once
in order to have the related code tests.
We use the ad_member for that special test and
use the default on the tested ADDC.

This reveals some knownfails, which will be fixed in
the next commit...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 93bd5ba609f93ce8298f12f2a7b0ad333e0f48bf)

9 months ago tests/dcerpc/raw_protocol: pass against Windows 2022 and require special env vars...
Stefan Metzmacher [Mon, 23 Sep 2024 13:13:59 +0000 (15:13 +0200)] 
tests/dcerpc/raw_protocol: pass against Windows 2022 and require special env vars for legacy servers

Test works against Windows 2022 and works like this:

SMB_CONF_PATH=/dev/null SERVER=172.31.9.118 \
  TARGET_HOSTNAME=w2022-118.w2022-l7.base IGNORE_RANDOM_PAD=1 \
  DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
  USERNAME=administrator PASSWORD=A1b2C3d4 \
  python/samba/tests/dcerpc/raw_protocol.py -v -f TestDCERPC_BIND

Against a legacy Windows2012R2 server this still works:

SMB_CONF_PATH=/dev/null SERVER=172.31.9.188 \
  TARGET_HOSTNAME=w2012r2-188.w2012r2-l6.base ALLOW_BIND_AUTH_PAD=1 \
  LEGACY_BIND_NACK_NO_REASON=1 AUTH_LEVEL_CONNECT_LSA=1 \
  IGNORE_RANDOM_PAD=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE \
  USERNAME=administrator PASSWORD=A1b2C3d4 \
  python/samba/tests/dcerpc/raw_protocol.py -v -f TestDCERPC_BIND

Currently Samba behaves like 2012R2, but the next commits
will change that...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 98d908bfd07283878a7a6a630c2bfe5d27b5ffd8)

9 months ago RawDCERPCTest: ignore errors in smb_pipe_socket.close()
Stefan Metzmacher [Sat, 21 Sep 2024 10:32:55 +0000 (12:32 +0200)] 
RawDCERPCTest: ignore errors in smb_pipe_socket.close()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b51ab42284211981a1ee6c8865845c7dfc985cb4)

9 months ago s4:torture/rpc: let rpc.backupkey without privacy pass against Windows 2022
Stefan Metzmacher [Wed, 25 Sep 2024 21:10:25 +0000 (23:10 +0200)]
s4:torture/rpc: let rpc.backupkey without privacy pass against Windows 2022

The server disconnects after the first fault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8c6b5b87434e96d4cb695c0a5cf8aa0a0472c6a4)

9 months ago s3:smbd: avoid false positives for got_oplock and have_other_lease in delay_for_oplock_fn
Stefan Metzmacher [Fri, 30 Aug 2024 12:16:12 +0000 (14:16 +0200)] 
s3:smbd: avoid false positives for got_oplock and have_other_lease in delay_for_oplock_fn

stat opens should not cause an oplock/lease downgrade if
they don't have a lease attached to themselves.

Note that opens broken to NONE still count if they are
non-stat opens...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Oct 10 13:59:18 UTC 2024 on atb-devel-224

(cherry picked from commit dd5b9e08c7a98c54b62d3b097c75faa09cd17da7)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Oct 14 10:52:03 UTC 2024 on atb-devel-224

9 months ago s3:smbd: allow reset_share_mode_entry() to handle more than one durable handle
Stefan Metzmacher [Thu, 29 Aug 2024 16:43:14 +0000 (18:43 +0200)] 
s3:smbd: allow reset_share_mode_entry() to handle more than one durable handle

This means that multiple durable handles with RH leases can
co-exist now... Before only the last remaining durable handle
was able to pass the SMB_VFS_DURABLE_DISCONNECT() step.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b1e5f5d8d2852b66ca4c858d14d367ffe228a88d)

9 months ago s3:smbd: let durable_reconnect_fn already check for a disconnected handle with the...
Stefan Metzmacher [Thu, 29 Aug 2024 18:20:23 +0000 (20:20 +0200)] 
s3:smbd: let durable_reconnect_fn already check for a disconnected handle with the correct file_id

We'll soon allow more than one disconnected durable handle, so
we need to find the correct one instead of assuming only a single
one.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 2869bd1a507e7376f0bb0ec68ed4e045b043cfdb)

9 months ago s4:torture/smb2: add smb2.durable-v2-open.{keep,purge}-disconnected-* tests
Stefan Metzmacher [Wed, 4 Sep 2024 16:18:43 +0000 (18:18 +0200)] 
s4:torture/smb2: add smb2.durable-v2-open.{keep,purge}-disconnected-* tests

These demonstrate which durable handles are kept and which are purged
because of various opens, writes or renames.

smb2.durable-v2-open.keep-disconnected-rh-with-stat-open
smb2.durable-v2-open.keep-disconnected-rh-with-rh-open
smb2.durable-v2-open.keep-disconnected-rh-with-rwh-open
smb2.durable-v2-open.keep-disconnected-rwh-with-stat-open

smb2.durable-v2-open.purge-disconnected-rwh-with-rwh-open
smb2.durable-v2-open.purge-disconnected-rwh-with-rh-open
smb2.durable-v2-open.purge-disconnected-rh-with-share-none-open
smb2.durable-v2-open.purge-disconnected-rh-with-write
smb2.durable-v2-open.purge-disconnected-rh-with-rename

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15708

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9e98cd5c7a180521026b0d73a330bdaf2c8af73a)

9 months ago s4:torture/smb2: add smb2.durable-v2-open.{[non]stat[RH]-and,two-same,two-different...
Stefan Metzmacher [Wed, 28 Aug 2024 14:48:27 +0000 (16:48 +0200)] 
s4:torture/smb2: add smb2.durable-v2-open.{[non]stat[RH]-and,two-same,two-different}-lease

These show that it's possible to have durable handles in addition
to stat opens, as well as multiple durable opens with RH leases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 77c7741f39a0a9789bede7c4722bd3f35d4af3fd)

9 months ago s3:smbd: only store durable handles with byte range locks when having WRITE lease
Stefan Metzmacher [Fri, 30 Aug 2024 16:10:16 +0000 (18:10 +0200)] 
s3:smbd: only store durable handles with byte range locks when having WRITE lease

This simplifies the reconnect assumptions, when we want to allow
more than one durable handle on a file for multiple clients with
READ+HANDLE leases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0893ae88180137d44f17196234f657d362543ff5)

9 months ago s4:torture/smb2: add smb2.durable-v2-open.lock-{oplock,lease,noW-lease}
Stefan Metzmacher [Fri, 30 Aug 2024 15:38:02 +0000 (17:38 +0200)] 
s4:torture/smb2: add smb2.durable-v2-open.lock-{oplock,lease,noW-lease}

This demonstrates that a W lease is required for a
durable handle to be durable when it has byte range locks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8884d617310b47375e38c0386433c5e183703454)

9 months ago s4:torture/smb2: add smb2.durable-open.lock-noW-lease
Stefan Metzmacher [Fri, 30 Aug 2024 15:38:02 +0000 (17:38 +0200)] 
s4:torture/smb2: add smb2.durable-open.lock-noW-lease

This demonstrates that a W lease is required for a
durable handle to be durable when it has byte range locks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1cc1586d84a65046ab7804f17297c6964bb76c23)

9 months ago s4:torture/smb2: improve error handling in durable_v2_open.c
Stefan Metzmacher [Fri, 30 Aug 2024 12:22:24 +0000 (14:22 +0200)] 
s4:torture/smb2: improve error handling in durable_v2_open.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9b2417c2f04857709c25e3665cd783a68edf0cf2)

9 months ago s4:torture/smb2: improve error handling in durable_open.c
Stefan Metzmacher [Fri, 30 Aug 2024 12:22:24 +0000 (14:22 +0200)] 
s4:torture/smb2: improve error handling in durable_open.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15649
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15651

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e65e1326a0214a7dfff75ea1e528e82c8fc64517)

10 months ago netcmd:domain:policy: Fix missing conversion from tgt_lifetime minutes to 10^(-7...
Andréas Leroux [Wed, 25 Sep 2024 12:42:25 +0000 (14:42 +0200)] 
netcmd:domain:policy: Fix missing conversion from tgt_lifetime minutes to 10^(-7) seconds

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15692
Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Oct  4 04:01:22 UTC 2024 on atb-devel-224

(backported from commit 3766b6a126f659a43e2e36c66689c136fc22dbc4
 requiring manual merge in the test file imports)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Oct  7 09:45:40 UTC 2024 on atb-devel-224