git.ipfire.org Git - thirdparty/samba.git/log
Stefan Metzmacher [Thu, 3 Apr 2025 08:55:00 +0000 (10:55 +0200)]
s4:torture: remove unused ports from masktests.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:53:35 +0000 (10:53 +0200)]
s4:client: remove unused ports from cifsdd* functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:49:30 +0000 (10:49 +0200)]
s4:libcli: remove unused ports from smbcli_full_connection()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:41:59 +0000 (10:41 +0200)]
s4:client: remove unused destports from do_message_op()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:40:51 +0000 (10:40 +0200)]
s4:libcli: remove unused ports from smbcli_socket_connect()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:38:15 +0000 (10:38 +0200)]
s4:libcli: remove unused dest_ports from smbcli_tree_full_connection()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:35:05 +0000 (10:35 +0200)]
s4:libcli: remove unused dest_ports struct smb_composite_fsinfo
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:33:32 +0000 (10:33 +0200)]
s4:libcli: remove unused ports from struct smb_composite_fetchfile
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:31:05 +0000 (10:31 +0200)]
s4:torture/raw: remove unused dest_port handling from openbench.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:28:26 +0000 (10:28 +0200)]
s4:libcli: remove unused dest_ports from struct smb_composite_connect
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 08:21:42 +0000 (10:21 +0200)]
s4:libcli: remove unused ports from smb2_connect()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 06:46:27 +0000 (08:46 +0200)]
s4:libcli: remove unused ports argument from smb2_connect_ext()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 06:44:24 +0000 (08:44 +0200)]
s4:libcli: remove unused ports argument from smb2_connect_send
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 06:40:24 +0000 (08:40 +0200)]
s4:libcli: remove unused dest_ports from smb_connect_nego_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Thu, 3 Apr 2025 06:35:40 +0000 (08:35 +0200)]
s4:libcli: pass struct smbcli_options to smbcli_sock_connect() instead of port strings
This allows us to build the ports array from options.transports.
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Wed, 2 Apr 2025 19:14:10 +0000 (21:14 +0200)]
s4:libcli: introduce smbcli_options.transports based on lpcfg_smb_ports()
This will allow us to avoid passing lpcfg_smb_ports() explicitly
in a lot of places in the following commits.
Once that's done we will change away from "smb ports" to
something like "client smb transports".
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Wed, 2 Apr 2025 17:51:50 +0000 (19:51 +0200)]
libcli/smb: add struct smb_transports infrastructure
This will be able to use a structure instead of
a string array with int string values for 'smb ports'.
We'll soon add support for smb over quic, so
we need something better than tcp ports with
139 being special.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Wed, 2 Apr 2025 17:16:48 +0000 (19:16 +0200)]
s4:libcli/smb_composite: remove unused struct smb_composite_connectmulti
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Wed, 16 Apr 2025 13:18:12 +0000 (15:18 +0200)]
libcli/smb: make smb2_lease_{pull,push} endian safe
smbd_smb2_send_lease_break() is already endian safe,
which means we'll get a mismatch on big endian systems,
so that smbd_smb2_send_lease_break() sends the lease key
in reversed order.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15849
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr 17 11:30:58 UTC 2025 on atb-devel-224
Stefan Metzmacher [Wed, 16 Apr 2025 13:18:12 +0000 (15:18 +0200)]
libcli/smb: convert smb2_lease_push() to PUSH_LE_U*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15849
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Stefan Metzmacher [Wed, 16 Apr 2025 13:18:12 +0000 (15:18 +0200)]
libcli/smb: make the last 2 reserved bytes explicit in smb2_lease_push()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15849
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Stefan Metzmacher [Wed, 16 Apr 2025 13:18:12 +0000 (15:18 +0200)]
libcli/smb: convert smb2_lease_pull() to PULL_LE_U*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15849
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Stefan Metzmacher [Wed, 16 Apr 2025 09:51:28 +0000 (11:51 +0200)]
s3:smbd: work around broken "vfs mkdir use tmp name" on FAT
"vfs mkdir use tmp name" creates a name with ":" because the file should
be invisible for Windows clients. ":" however is an invalid character on
FAT filesystems and we get EINVAL back. In that case we fall back to not
using tmp names for mkdir.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15845
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
Volker Lendecke [Thu, 3 Apr 2025 08:04:42 +0000 (10:04 +0200)]
vfs: Fix "wide links = yes"
vfs_wide_links hides symlinks from the rest of smbd, and it implicitly
follows symlinks. Also, O_PATH will expose symlinks to the rest of
smbd, remove that.
We also need to do this for posix paths, as deep inside
rename_internals we want to avoid case-insensitive lookups by setting
SMB_FILENAME_POSIX_PATH.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15841
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 16 20:56:33 UTC 2025 on atb-devel-224
Andreas Schneider [Fri, 11 Apr 2025 08:56:43 +0000 (10:56 +0200)]
lib:cmdline: POPT_CALLBACK_REASON_POST should handle if we skip the password callback
It is already checking if there is a valid ccache and disabling the callback.
In case of IAKerb we specify a ccache but might to fill one with a krbtgt.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 15 12:54:57 UTC 2025 on atb-devel-224
Andreas Schneider [Fri, 4 Apr 2025 08:27:50 +0000 (10:27 +0200)]
lib:cmdline: Make sure --use-krb5-ccache sets the ccache
Pair-Programmed-With: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 11 Apr 2025 11:49:22 +0000 (13:49 +0200)]
auth:creds: Do a kinit if we have a password and the ccache is empty
This implements the same behaviour for s4 clients as we have with s3
clients.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Günther Deschner [Tue, 18 Mar 2025 13:41:46 +0000 (14:41 +0100)]
s3-wscript: make sure to build with selftest without libevent
No need to stop running selftest in absence of libevent anymore.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Apr 11 19:47:24 UTC 2025 on atb-devel-224
Günther Deschner [Tue, 18 Mar 2025 13:41:08 +0000 (14:41 +0100)]
s3-selftest: only run prometheus exporter tests when configured
Extract the configure info for building with prometheus exporter and
only run the blackbox test in case it is enabled.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Shachar Sharon [Mon, 10 Mar 2025 12:23:01 +0000 (14:23 +0200)]
build: use '--with-prometheus-exporter' configure option
Prefer '--with-prometheus-exporter' configure option over
'--with-libevent', which in turn, requires libevent.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Shachar Sharon [Wed, 5 Feb 2025 14:20:10 +0000 (16:20 +0200)]
selftest: Add test for smb_prometheus_endpoint utility
Basic test for smb_prometheus_endpoint utility. Requires valid metrics
output using 'curl'. Start/stop the endpoint utility from within the
test script itself.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Ralph Boehme [Mon, 5 Feb 2024 17:19:31 +0000 (18:19 +0100)]
s3/smb_prometheus_endpoint: add authentication metrics
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Ralph Boehme [Mon, 5 Feb 2024 17:04:57 +0000 (18:04 +0100)]
smbprofile: add authentication metrics
"authentication" is the total number of requests and "authentication_failed" is
obviously the number of failed authentications.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Ralph Boehme [Mon, 29 Jan 2024 15:33:41 +0000 (16:33 +0100)]
smbprofile: SMB2-READ result NT_STATUS_END_OF_FILE is not an error
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Volker Lendecke [Tue, 9 Jan 2024 15:12:20 +0000 (16:12 +0100)]
smbprofile: Count failed requests
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Volker Lendecke [Fri, 17 Nov 2023 14:15:13 +0000 (15:15 +0100)]
utils: Initial version of smb_prometheus_endpoint
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Volker Lendecke [Wed, 22 Nov 2023 15:12:01 +0000 (16:12 +0100)]
profile: Add number of sessions, tcons and files to smbstatus -P
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Volker Lendecke [Tue, 21 Nov 2023 12:34:03 +0000 (13:34 +0100)]
profile: Add sessions, tcons and files to profile data
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Volker Lendecke [Tue, 21 Nov 2023 11:34:02 +0000 (12:34 +0100)]
profile: Pass dummy smbd_server_connection to smbprofile_dump()
It will need access to its fields soon.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Volker Lendecke [Wed, 22 Nov 2023 14:11:09 +0000 (15:11 +0100)]
profile: Return number of workers from smbprofile_collect_tdb()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Volker Lendecke [Fri, 17 Nov 2023 14:14:33 +0000 (15:14 +0100)]
profile: Add time buckets to smbprofile_stats_iobytes
Enable a histogram of time taken for smb2 requests. This puts all smb2
requests into buckets of <1, <2, <4, ... <256 msecs duration and
beyond.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Ralph Boehme [Thu, 16 Jan 2025 08:35:22 +0000 (09:35 +0100)]
build: Detect libevent
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Fri, 11 Apr 2025 07:32:30 +0000 (09:32 +0200)]
testprogs: Use 'sync machine password to keytab' for keytab creation
We want to get rid of dedicatedkeytabfile for writing keytabs.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr 11 08:38:49 UTC 2025 on atb-devel-224
Andreas Schneider [Fri, 11 Apr 2025 07:27:02 +0000 (09:27 +0200)]
testprogs: Remove dead code
The test for this has been removed already, this is just leftover.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Andreas Schneider [Thu, 10 Apr 2025 15:34:10 +0000 (17:34 +0200)]
docs-xml: Document 'net ads keytab list'
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Andreas Schneider [Thu, 10 Apr 2025 14:13:42 +0000 (16:13 +0200)]
s3:net: 'net ads keytab list' should only list default keytab
If you don't specify a keytab, assume we just want the default keytab. This will
make upcoming changes to the code easier.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Andreas Schneider [Thu, 10 Apr 2025 14:07:46 +0000 (16:07 +0200)]
s3:net: Remove `net ads keytab flush`
This removes all entries from a keytab *and* removes all SPNs from the AD
machine account. We should not do that and if you want to get rid of the keytab
you can use `rm`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Ralph Boehme [Fri, 28 Mar 2025 12:22:22 +0000 (13:22 +0100)]
smbd: convert all fsp->fh->private_options to fsp_flags
Use fsp_apply_private_ntcreatex_flags() to store the private_flags as fsp_flags
and convert all users to check the fsp_flags.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr 9 14:39:26 UTC 2025 on atb-devel-224
Ralph Boehme [Fri, 28 Mar 2025 14:04:52 +0000 (15:04 +0100)]
smbd: remove broken initial-delete-on-close logic from rename_internals_fsp()
fh_get_private_options() returns private_flags, not create_options and thus can
never contain FILE_DELETE_ON_CLOSE.
Afaict fsp_flags.initial_delete_on_close is already correctly filled in
open_file_ntcreate():
    /* Handle strange delete on close create semantics. */
    if (create_options & FILE_DELETE_ON_CLOSE) {
        if (!new_file_created) {
            status = can_set_delete_on_close(fsp,
                         existing_dos_attributes);
            if (!NT_STATUS_IS_OK(status)) {
                /* Remember to delete the mode we just added. */
                lck_state.cleanup_fn =
                    open_ntcreate_lock_cleanup_entry;
                goto unlock;
            }
        }
        /* Note that here we set the *initial* delete on close flag,
           not the regular one. The magic gets handled in close. */
        fsp->fsp_flags.initial_delete_on_close = true;
    }
so we can just remove the broken handling here.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Fri, 28 Mar 2025 12:10:13 +0000 (13:10 +0100)]
smbd: add fsp_apply_private_ntcreatex_flags()
Not used yet, comes next.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Thu, 27 Mar 2025 18:39:52 +0000 (19:39 +0100)]
vfs: add fsp_flags ntcreatex_deny_[dos|fcb] and ntcreatex_stream_baseopen
Not used for now.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Thu, 27 Mar 2025 17:42:22 +0000 (18:42 +0100)]
smbd: remove unused private_flags from open_file()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 17 Mar 2025 11:44:45 +0000 (12:44 +0100)]
s3/locking: remove now unused private_options from share_mode_entry
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 17 Mar 2025 13:59:49 +0000 (14:59 +0100)]
s3/locking: store NTCREATEX_FLAG_DENY_[DOS|FCB] as share_entry_flags
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 17 Mar 2025 13:56:24 +0000 (14:56 +0100)]
s3/locking: store NTCREATEX_FLAG_STREAM_BASEOPEN as share_entry_flag
No change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Thu, 3 Apr 2025 20:01:09 +0000 (22:01 +0200)]
s3/locking: add and use fsp_[get|apply]_share_entry_flags()
Prepares for converting private_options to flags.
Fixes Durable Handle reconnect of POSIX opens which weren't setting the fsp_flags
when reconnecting, so fsp_flags.posix_open wasn't set.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 17 Mar 2025 11:20:02 +0000 (12:20 +0100)]
s3/librpc: open_files.idl: move flag definition into open_files.idl
Nice to have everything in one place. No change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Ralph Boehme [Mon, 17 Mar 2025 11:16:40 +0000 (12:16 +0100)]
smbd: rename SHARE_MODE_FLAG_POSIX_OPEN to SHARE_ENTRY_FLAG_POSIX_OPEN
share_mode_data has flags and share_mode_entry has flags, this change allows
to distinguish between both more easily. No change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Sat, 22 Mar 2025 00:03:26 +0000 (01:03 +0100)]
winbindd: let update_trusted_domains_dc() also call pdb_filter_hints()
On an AD DC we need to update sam_domain->fti, so that
find_routing_from_namespace_noinit() uses the correct
uPNSuffixes and msDS-SPNSuffixes values for the local forest.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Apr 3 10:35:10 UTC 2025 on atb-devel-224
Stefan Metzmacher [Fri, 21 Mar 2025 16:38:35 +0000 (17:38 +0100)]
winbindd: add find_local_sam_domain() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 17:49:16 +0000 (18:49 +0100)]
winbindd: pass for_netlogon to winbind_dual_SamLogon to avoid caching
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 17:37:49 +0000 (18:37 +0100)]
s4:auth/ntlm: let auth_winbind pass WB_SAMLOGON_FOR_NETLOGON
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 17:34:03 +0000 (18:34 +0100)]
s4:auth: let auth_context_create_for_netlogon() remember for_netlogon = true;
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 16:08:24 +0000 (17:08 +0100)]
s3:auth: let auth_winbind pass WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON if needed
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 16:04:05 +0000 (17:04 +0100)]
s3:auth: remember make_auth3_context_for_netlogon() was used
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 17:36:02 +0000 (18:36 +0100)]
winbind.idl: add WB_SAMLOGON_FOR_NETLOGON
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 17:19:34 +0000 (18:19 +0100)]
libwbclient: add WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON to pass WBFLAG_PAM_FOR_NETLOGON
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 16:06:26 +0000 (17:06 +0100)]
winbind_struct_protocol.h: add WBFLAG_PAM_FOR_NETLOGON
This will be used when auth_winbind is used with
make_auth3_context_for_netlogon().
This will allow winbindd to use different rules
for LogonSamLogon requests compared to
local authentications for smbd.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 17:06:25 +0000 (18:06 +0100)]
s4:librpc/idl: remove unused legacy copy of winbind.idl
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 12 Mar 2025 14:23:11 +0000 (15:23 +0100)]
auth: let make_user_info_dc_pac() cross check PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID
If there's a mismatch, someone is doing strange things...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 12 Mar 2025 20:02:03 +0000 (21:02 +0100)]
python:tests/krb5: let _{get,modify}_tgt() also change the objectsid in UPN_DNS_INFO
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 12 Mar 2025 14:42:58 +0000 (15:42 +0100)]
python:tests/krb5: allow set_pac_sids() to take upn_dns_sid
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 12 Mar 2025 13:14:51 +0000 (14:14 +0100)]
python:tests/krb5: let check_device_info() allow an empty rid array
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 10 Mar 2025 18:08:31 +0000 (19:08 +0100)]
python:tests/krb5: allow create_account_opts() to take selective_auth_allowed_sid
This will add a GUID_DRS_ALLOWED_TO_AUTHENTICATE ace with CONTROL_ACCESS
to the created account.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 10 Mar 2025 20:03:16 +0000 (21:03 +0100)]
python:tests/krb5: allow tgs_exchange_dict() to take expected_[device_]duplicated_groups
This allows us to expect duplicated sids in the PAC.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 10 Mar 2025 19:51:22 +0000 (20:51 +0100)]
python:tests/krb5: let check_device_info() handle EXTRA_DOMAIN_SID
device info does not really have RESOURCE_SID,
so we need to map RESOURCE_SID as well as EXTRA_SID (with a S-1-5-21-
prefix) to EXTRA_DOMAIN_SID.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 10 Mar 2025 18:06:39 +0000 (19:06 +0100)]
python:tests/krb5: create_account_opts() can't handle self.AccountType.TRUST
create_trust() is used for that...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 12 Mar 2025 23:44:27 +0000 (00:44 +0100)]
python:tests/krb5: add KDC_ERR_PATH_NOT_ACCEPTED
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 12 Mar 2025 15:17:58 +0000 (16:17 +0100)]
s4:kdc: samba_kdc_add_compounded_auth() should add Compounded_Authentication again if it's already there
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 13 Mar 2025 00:50:23 +0000 (01:50 +0100)]
s4:kdc: only use compound authentication with an explicit FAST armor
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 13 Mar 2025 00:46:09 +0000 (01:46 +0100)]
s4:kdc: samba_kdc_update_pac() doesn't need explicit delegated_proxy_principal
It comes along as delegated_proxy.pac_princ now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 13 Mar 2025 00:41:40 +0000 (01:41 +0100)]
s4:kdc: store pac_princ in struct samba_kdc_entry_pac
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 13 Mar 2025 00:40:18 +0000 (01:40 +0100)]
s4:kdc: pass pac_princ to samba_kdc_entry_pac()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 13 Mar 2025 00:21:03 +0000 (01:21 +0100)]
s4:kdc: pass pac_princ to samba_kdc_entry_pac_from_trusted()
For mit_samba_update_pac() we can only pass it optionally.
This should be fixed in future, but it requires changes
in MIT Kerberos.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 11 Mar 2025 10:44:25 +0000 (11:44 +0100)]
s4:kdc: let samba_kdc_entry_pac[_from_trusted]() assert krbtgt is valid if pac is valid
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 11 Mar 2025 11:09:43 +0000 (12:09 +0100)]
s4:kdc: let hdb_samba4_check_rbcd() fill device_pac_entry() without device_entry
If we have a device_pac we also have device_server/krbtgt_entry, while
device_entry is optional.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 11 Mar 2025 11:08:47 +0000 (12:08 +0100)]
s4:kdc: let samba_wdc_get_pac() use samba_kdc_get_device_pac()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 10 Mar 2025 23:13:20 +0000 (00:13 +0100)]
s4:kdc: let samba_kdc_get_device_pac() always extract device_krbtgt_skdc_entry
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 11 Mar 2025 10:40:45 +0000 (11:40 +0100)]
s4:kdc: let samba_wdc_reget_pac() use krbtgt_skdc_entry as delegated_proxy_krbtgt_entry
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Tue, 11 Mar 2025 10:37:30 +0000 (11:37 +0100)]
s4:kdc: let mit_samba_check_allowed_to_delegate_from() fetch krbtgt_entry
samba_kdc_entry_pac_from_trusted() will soon assert that
it has a valid krbtgt_entry.
In the long run this should be passed from the caller...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 20 Mar 2025 01:15:28 +0000 (02:15 +0100)]
s4:kdc: add some checks for SDB_F_S4U2{SELF,PROXY}_PRINCIPAL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 20 Mar 2025 01:02:11 +0000 (02:02 +0100)]
s4:kdc: let SDB_F_CROSS_REALM_PRINCIPAL result in SDB_ERR_NOT_FOUND_HERE
It means the client is remote and the kdc logic has to live without
an sdb_entry.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 20 Mar 2025 00:50:11 +0000 (01:50 +0100)]
s4:kdc: pass HDB_F_{CROSS_REALM,S4U2SELF,S4U2PROXY}_PRINCIPAL as SDB_F_*
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 13 Mar 2025 01:59:22 +0000 (02:59 +0100)]
s4:kdc: adjust to HDB_INTERFACE_VERSION=12
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 21 Mar 2025 12:23:41 +0000 (13:23 +0100)]
third_party/heimdal: Import lorikeet-heimdal-202503211313 (commit f5c091eff46b975ede09860066239aee5f563bdf)
This is a rebase on Heimdal master as well as
some patches to prepare sid-filtering support in Samba.
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 19 Mar 2025 23:22:34 +0000 (00:22 +0100)]
third_party/heimdal: Import lorikeet-heimdal-202503211047 (commit 752fd2fc0d7e48791df91dd2b45899e64ef65a7a)
kdc: Constrained delegation requires a local delegating server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15837
MR: https://github.com/heimdal/heimdal/pull/1274
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 20 Mar 2025 00:47:23 +0000 (01:47 +0100)]
s4:kdc: specify SDB_F_ values as hex
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 6 Mar 2025 16:23:39 +0000 (17:23 +0100)]
lib/ldb-samba: allow ldb_get_opaque(ldb, "backend_no_debug_connect")
We don't want expected connect/bind failures in the log output...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 6 Mar 2025 16:23:39 +0000 (17:23 +0100)]
lib/ldb: allow ldb_get_opaque(ldb, "backend_no_debug_connect")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 14 Mar 2025 08:30:03 +0000 (09:30 +0100)]
libcli/security: split trust_forest_info_* functions into samba-security-trusts
This will avoid dependency loops in following commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>