s4:nbt_server: simulate nmbd and provide unexpected handling

This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.

This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 796f33c05a0ca337b675b5d4d127f7c53b22528f)

s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1)

s4:libcli/dgram: make use of socket_address_copy()

This avoids talloc_reference...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 77f4f1c7dbaa2bb04d59d908923f6d11fd514da2)

s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 11861bcfc3054894bc445e631ae03befb4865db8)

libcli/nbt: add nbt_name_send_raw()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cca373b806e01fc57bd5316d3f8a17578b4b6531)

s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL

In 2024 we always want an active directory response...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2b66663c75cdb3bc1b6bc5b1736dd9d35b094b42)

s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()

This will allow source4/nbt_server to make use of
nb_packet_server_create().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 696505a1efbcc9803a287d8c267fed9d04bf8885)

s3:libsmb/unexpected: don't use talloc_tos() in async code

It's not needed and it requires the caller to setup a
stackframe...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f90cf0822d6e66426d72f92bd585119066e2a9c3)

s3:wscript: LIBNMB requires lp_ functions

We need to make this explicit in order to let LIBNMB be used
in source4 code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 011f68ae5ddc3fae8b453744aeb95766d885915e)

s3:include: split out fstring.h

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 105247c90007474947e2314b63be72fb21f09811)

s3:include: let nameserv.h be useable on its own

A lot of stuff is private to nmbd and can
be moved from nameserv.h.

This allows move required types from smb.h to
nameserv.h, so that this can be standalone.
Including it from smb.h is not a huge problem
as nmbd internals are gone from nameserv.h.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7f96c21029e3b94d38bd871c79cabf872ad77fae)

s3:libads: avoid changing ADS->server.workgroup

ads_find_dc() uses c_domain = ads->server.workgroup and
don't expect it to get out of scope deep in resolve_and_ping_dns().

The result are corrupted domain values in the debug output.

Valgrind shows this:

 Invalid read of size 1
    at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
    by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
    by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
    by 0x5D2ED3F: dbgtext (debug.c:1881)
    by 0x4BFFB50: ads_find_dc (ldap.c:570)
    by 0x4C001F4: ads_connect (ldap.c:704)
    by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x4BFF0AF: ads_try_connect (ldap.c:299)
    by 0x4BFF40E: cldap_ping_list (ldap.c:367)
    by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
    by 0x4BFFA91: ads_find_dc (ldap.c:556)
    by 0x4C001F4: ads_connect (ldap.c:704)
    by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Block was alloc'd at
    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x60B250E: strdup (strdup.c:42)
    by 0x4FF1492: smb_xstrdup (util.c:743)
    by 0x4C10E62: ads_init (ads_struct.c:148)
    by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ca859e55d28f421196bc2660cfa84595ec5b57c6)

s3:libsmb: allow store_cldap_reply() to work with a ipv6 response

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224

(cherry picked from commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2)

s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()

I have customer backtraces showing that 'drsuapi' is NULL in
dreplsrv_op_pull_source_get_changes_trigger() called from the
WERR_DS_DRA_SCHEMA_MISMATCH retry case of
dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
a valid pointer there.

From reading the code I don't understand how this can happen,
but it does very often on RODCs. And this fix prevents the problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 83030780285290ecf64b57c1744634379b68ea01)

s3:utils: let smbstatus report anonymous signing/encryption explicitly

We should mark sessions/tcons with anonymous encryption or signing
in a special way, as the value of it is void, all based on a
session key with 16 zero bytes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224

(cherry picked from commit 5a54c9b28abb1464c84cb4be15a49718d8ae6795)

s3:smbd: allow anonymous encryption after one authenticated session setup

I have captures where a client tries smb3 encryption on an anonymous session,
we used to allow that before commit da7dcc443f45d07d9963df9daae458fbdd991a47
was released with samba-4.15.0rc1.

Testing against Windows Server 2022 revealed that anonymous signing is always
allowed (with the session key derived from 16 zero bytes) and
anonymous encryption is allowed after one authenticated session setup on
the tcp connection.

https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit f3ddfb828e66738ca461c3284c423defb774547c)

s3:utils: let smbstatus also report partial tcon signing/encryption

We already do that for sessions and also for the json output,
but it was missing in the non-json output for tcons.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 551756abd2c9e4922075bc3037db645355542363)

s3:utils: let smbstatus also report AES-256 encryption types for tcons

We already do that for sessions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 8119fd6d6a49b869bd9e8ff653b500e194b070de)

s3:utils: let connections_forall_read() report if the session was authenticated

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 5089d8550640f72b1e0373f8ac321378ccaa8bd5)

s3:lib: let sessionid_traverse_read() report if the session was authenticated

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 596a10d1079f5c4a954108c81efc862c22a11f28)

s3:utils: remove unused signing_flags in connections_forall()

We never use the signing flags from the session, as the tcon
has its own signing flags.

https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit a9f84593f44f15a19c4cdde1e7ad53cd5e03b4d9)

s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}

These demonstrate how anonymous encryption and signing work.
They pass against Windows 2022 as ad dc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 6c5781b5f154857f1454f41133687fba8c4c9df9)

s4:libcli/smb2: add hack to test anonymous signing and encryption

This will be used in torture tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 6a89615d78119c0bff2fb07bd0c62e4c31ea8441)

smbXcli_base: add hacks to test anonymous signing and encryption

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 14d6e2672126adee85997dc3d3c64607c987e8b9)

tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative

This expects PermissionError: [Errno 1] Operation not permitted,
but it seems that setxattr() for security.NTACL works on gitlab
runners without being root.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 237d9d0228cfed6d2e08b41b888d30aac5ab89e3)

.gitlab-ci-main.yml: debug kernel details of the current runner

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 380d9c5a7392741ff2134ef1e83df45a29293db3)

.gitlab-ci: Remove tags no longer provided by gitlab.com

GitLab.com removed a number of tags from their hosted
runners and this meant our CI was being redirected to
our private runners at a larger cost to the Samba Team.

The new infrastructure is much larger than when we last
selected runners so we can just use the default, even for
the code coverage build.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15638

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May  7 13:40:55 UTC 2024 on atb-devel-224

(cherry picked from commit d58a72c572f63619111f43f6ea39ff84ae0df16e)

VERSION: Bump version up to Samba 4.20.2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.20.1.

Signed-off-by: Jule Anger <janger@samba.org>

s3:utils: Fix Inherit-Only flag being automatically propagated to children

Inherit-only flag applies only to the container it was set to and it
shouldn't be automatically propagated to children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636

Signed-off-by: Anna Popova <popova.anna235@gmail.com>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224

(cherry picked from commit 80159018e411c643fbfe7ef82bd33e30b6147901)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue May  7 08:52:48 UTC 2024 on atb-devel-224

python/samba/tests/blackbox: Add tests for Inherit-only flag propagation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636

Signed-off-by: Anna Popova <popova.anna235@gmail.com>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit eba2bfde347041a395f0fbd3c57235be63b1890d)

tests: Add a test for "all_groups=no" to test_idmap_ad.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Apr  2 13:25:39 UTC 2024 on atb-devel-224

(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Apr 17 14:38:42 UTC 2024 on atb-devel-224

selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a)

s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad

The LDAP query of lookup_groupmem() returns all group members from AD
even those with missing uidNumber.  Such group members are useless in
UNIX environment for idmap_ad backend since there is no uid mapping.

'test_user' is member of group "Domanin Users" with 200K members,
only 20K members have set uidNumber.

Without this fix:

$ time id test_user

real    1m5.946s
user    0m0.019s
sys     0m0.012s

With this fix:

$ time id test_user

real    0m3.544s
user    0m0.004s
sys     0m0.007s

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf)

docs-xml: Add parameter all_groupmem to idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c)

Do not fail checksums for RFC8009 types

While Active Directory does not support yet RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.

[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15635

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8e931fce126e8c1128da893c806702731c08758a)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Apr 16 12:24:55 UTC 2024 on atb-devel-224

s4:dns_server: less noisy, more informative debug messages

This shouldn't have been DBG_ERR, and it might as well say something
about the tombstone.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15630

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr 12 15:18:05 UTC 2024 on atb-devel-224

(cherry picked from commit dde973d170e479632d1a411279f4f0fad6608539)

packaging: Provide a systemd service file for samba-bgqd

There might be scenarios where the background queue daemon should be
running all the time instead of being started on demand. This makes
especially sense for bigger printing servers with a lot of printers. It
takes ~1 sec to get a printer from cups, so a print server with 100
printers needs 100 seconds to update the printer_list.tdb. The service
will be killed because of idle in the meantime.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15600

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit c97071726e163b40f0e391af70e81b3e6c1ab0eb)

libcli/http: Detect unsupported Transfer-encoding type

Also removes knownfail for test that now passes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Thu Apr 11 12:24:08 UTC 2024 on atb-devel-224

selftest: Add new test for testing non-chunk transfer encoding

And add a known fail because there is a bug :-(

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 93709d31590d4ca25fbac813b9e499755b81ddb5)

selftest: fix potential reference before assigned error

This would only happen if the test failed (but the message would be
incorrect as 'e' the exception to be stringified doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit efdbf0511e0a89f865210170001fbebf17a45278)

libcli/http: Handle http chunked transfer encoding

Also removes the knownfail for the chunked transfer test

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit 03240c91fb6ffcf5afe47c14a1ba7a8bc12f2348)

tests: add test for chunked encoding with http cli library

Adds http test client to excercise the http client library
and a blackbox test to run the client. This client is built
only with selftest

also adds a knownfail for the test

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit 30acd609f560352d3edb0c931b9a864110025b2c)

libcli/http: Optimise reading for content-length

Instead of reading byte-by-byte we know the content length we
want to read so lets use it.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit 5f03d84e3b52bf5a31a0f885cb83bdcb48ec96f7)

selftest: Add basic content-lenght http tests

very simple test of basic http request/response plus some checks to
ensure http response doesn't exceed the response max length set by
the client call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 74cdebeae3d1bc35eea96b51b9491f6c52844b10)

Add simple http_client for use in black box tests (in following commits)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cd6c075476c820b4fe8bdc10a24d8fc8ac74e9c9)

VERSION: Bump version up to Samba 4.20.1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.20.0.

Signed-off-by: Jule Anger <janger@samba.org>

Revert "token_util.c: prefer capabilities over become_root"

This reverts commit 944cb51506a94084d7ab52ee044fe6f66e1aaeb9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 27 10:47:23 UTC 2024 on atb-devel-224

(cherry picked from commit 0dec2ef188a93504da873d927ca2b26f8c491fb8)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Mar 27 16:51:00 UTC 2024 on atb-devel-224

Revert "dosmode.c: prefer use of capabilities at two places over become_root"

This reverts commit c1e2fbb1b9a7551becf5caa0f08d434edf9ad862.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 32aa11e9b570ce1c0bec889b699bc4897c9d9843)

Revert "nfs4_acls.c: prefer capabilities over become_root"

This reverts commit 06e5c1e32ea7907523cc19f021225e7541e2075f.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 33e88911ee7a8974d52021632ca25c1ddfcb6f45)

Revert "vfs_acl_common.c: prefer capabilities over become_root"

This reverts commit 12734848dc9901b932644139aaa7e3f78e55c8dc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit af7b930e2bfe2275cee14dc2154f2aea8875fa63)

Revert "vfs_default.c: prefer capabilities over become_root"

This reverts commit 62464bd2db2a95b1253364f4493bbb6770b73193.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 52ad635b2705bcfc8166bd90b1ad35ebb9cbc986)

Revert "vfs_posix_eadb.c: prefer capabilities over become_root"

This reverts commit 92278418dc885ed411f545e73c800ce93f858090.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 10c7a3e47c62dcb1dfe7e384960d60cafcb9e44e)

Revert "vfs_recycle.c: prefer capabilities over become_root"

This reverts commit 4227b011f6ada97a4cd72a440ed887ffdb3f219e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7f19afbd40d3ad3c8d186d0a2a64d07a2a8bd00a)

Revert "open.c: prefer capabilities over become_root"

This reverts commit b250f25fe407f9a6269b804382de4854501f2d86.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 88eb58af6783ad23d2e2b602ee9fdbbdf556b354)

Revert "posix_acls.c: prefer capabilities over become_root"

This reverts commit 1edf9ecaf56f3312e199e633bff0804243042e33.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 87479544381e103ee2b1def574a5865a3f6a93d9)

Revert "dosmode: prefer capabilities over become_root"

This reverts commit 5e925f9755fad180863861157aa7548d83dd3fde.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 58ea952fd0c716f94b1b79b8ed1829bb72732ccc)

s3/smbd: If we fail to close file_handle ensure we should reset the fd

if fsp_flags.fstat_before_close == true then close_file_smb will call
vfs_stat which can fail. If it does fail then the fd associated
with the file handle will still be set (and we will hit an assert
is the file handle destructor) when calling file_free.
We need to set fd to -1 to avoid that. To achieve that we capture and
return the vfs_stat_fsp failure status while still processing the rest
of the fd_close logic.

[2024/02/20 09:23:48.454671,  0, pid=9744] ../../source3/smbd/smb2_close.c:226(smbd_smb2_close)
  smbd_smb2_close: close_file[]: NT_STATUS_ACCESS_DENIED
[2024/02/20 09:23:48.454757,  0, pid=9744] ../../source3/smbd/fd_handle.c:40(fd_handle_destructor)
  PANIC: assert failed at ../../source3/smbd/fd_handle.c(40): (fh->fd == -1) || (fh->fd == AT_FDCWD)
[2024/02/20 09:23:48.454781,  0, pid=9744] ../../lib/util/fault.c:178(smb_panic_log)
  ===============================================================
[2024/02/20 09:23:48.454804,  0, pid=9744] ../../lib/util/fault.c:185(smb_panic_log)
  INTERNAL ERROR: assert failed: (fh->fd == -1) || (fh->fd == AT_FDCWD) in smbd (smbd[192.168.10) (client [192.168.100.15]) pid 9744 (4.21.0pre1-DEVELOPERBUILD)
[2024/02/20 09:23:48.454844,  0, pid=9744] ../../lib/util/fault.c:190(smb_panic_log)
  If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2024/02/20 09:23:48.454869,  0, pid=9744] ../../lib/util/fault.c:191(smb_panic_log)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Mar 13 10:34:45 UTC 2024 on atb-devel-224

(cherry picked from commit 6ee3f809a54d7b833ff798e68a93ada00a215d4d)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Mar 27 15:41:37 UTC 2024 on atb-devel-224

smbd: simplify handling of failing fstat() after unlinking file

close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the
fstat() triggered in fd_close() by fsp->fsp_flags.fstat_before_close being true.

This avoids getting an EACCESS error when doing an fstat() on the removed file
which seems to happen with some FUSE filesystems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6e6324cff29089a636823786183222a73fe7cb28)

ndr: always attempt ACE coda pull if ACE type suggests a coda

We were skipping the pull in cases where the coda size was calculated
to be zero. This has the right result for empty conditional ACEs, but
not for Resource Attribute ACEs where the
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 coda was not intialised.

The situation is made a bit worse, because the function that
calculates the coda size (ndr_subcontext_size_of_ace_coda()) can
return zero in conditions that are not exactly errors, but in which
the would-be calculated value makes so little sense that zero is
thought to be a safer default.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15613

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 25 06:00:21 UTC 2024 on atb-devel-224

(cherry picked from commit 6fb98f70c6274e172787c8d5f73aa93920171e7c)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Mar 26 11:17:58 UTC 2024 on atb-devel-224

tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15607

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 21 04:19:18 UTC 2024 on atb-devel-224

(cherry picked from commit 4f0ed9b00389fa641a423b88ab5462b32dd7bbca)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Fri Mar 22 11:06:51 UTC 2024 on atb-devel-224

libcli/security: check again for NULL values

BUG: https://bugzilla.samba.org/show_bug.cgi?id=156067

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224

(cherry picked from commit b815abe77991d7929717ea3ed4b9d7bef7179715)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Mar 20 12:03:45 UTC 2024 on atb-devel-224

libcli/security: claims_conversions: check for NULL in claims array

If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.

There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 78f728063a1e510966a45f7f1d9515ea3bd16214)

WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(v4-20-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-20-test): Tue Mar 19 13:30:31 UTC 2024 on atb-devel-224

libgpo: Do not segfault if we don't have a valid security descriptor

Program received signal SIGSEGV, Segmentation fault.
ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713
713 NDR_CHECK(ndr_push_security_descriptor_revision(ndr, NDR_SCALARS, r->revision));

Thread 1 (Thread 0x7ffff7ece740 (LWP 21460) "python3"):
 #0  ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713
        _flags_save_STRUCT = 0
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        __FUNCTION__ = "ndr_push_security_descriptor"
 #1  0x00007ffff617237f in ndr_push_struct_blob (blob=blob@entry=0x7fffffffdb20, mem_ctx=0x555555aa3bd0, p=0x0, fn=0x7ffff6074ad0 <ndr_push_security_descriptor>, fn@entry=0x7ffff60706c8 <ndr_push_security_descriptor@plt>) at ../../librpc/ndr/ndr.c:1438
        _status = <optimized out>
        ndr = 0x555555bf41b0
 #2  0x00007ffff607cccf in marshall_sec_desc (mem_ctx=<optimized out>, secdesc=<optimized out>, data=data@entry=0x7fffffffdb80, len=len@entry=0x7fffffffdb78) at ../../libcli/security/secdesc.c:241
        blob = {data = 0x7fffffffdb40 "`\333\377\377\377\177", length = 140737352374299}
        ndr_err = <optimized out>
        __FUNCTION__ = "marshall_sec_desc"
 #3  0x00007ffff29edd94 in GPO_marshall_get_sec_desc_buf (self=<optimized out>, args=<optimized out>, kwds=<optimized out>) at ../../libgpo/pygpo.c:119
        gpo_ptr = <optimized out>
        status = <optimized out>
        data = 0x0
        len = 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15599

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit b13d4359f2f16e391763d1dc6a5718def973fabb)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Fri Mar 15 10:29:54 UTC 2024 on atb-devel-224

libgpo: Fix trailing spaces in pygpo.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit 6fb86a0fa62d93c1c84c2000f01c381a9e8217e1)

VERSION: Bump version up to Samba 4.20.0rc5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc4 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.20.0rc4.

Signed-off-by: Jule Anger <janger@samba.org>

python:gp: Implement client site lookup in site_dn_for_machine()

This is [MS-GPOL] 3.2.5.1.4 Site Search.

The netr_DsRGetSiteName() needs to run over local rpc, however we do not
have the call implemented in our rpc_server. What netr_DsRGetSiteName()
actually does is an ldap query to get the sitename, we can just do the
same.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e4c3c61302b12419f041867b58350f11dc800318)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Fri Mar  1 09:01:06 UTC 2024 on atb-devel-224

librpc:idl: Make netlogon_samlogon_response public

This is required that we can use it with ndrdump or in python to decode
a NETLOGON_SAM_LOGON_RESPONSE_EX ldap response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588

Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e758425869729a43136ae51e6baecb2061d1525b)

VERSION: Bump version up to Samba 4.20.0rc4...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc3 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.20.0rc3.

Signed-off-by: Jule Anger <janger@samba.org>

s3/rpc_client: Fix array offset check

Previous to this commit we were modifying the offset before
the array offset check. This was causing a spurious debug
message indicating the offset was out of bounds. An second
problem is that upon detecting the error we don't exit the loop.
A third problem was that when reading the offset the check
didn't cater for the size of the integer address about to be read.

This commit moves the offset check to before the first read,
additionally when an error is detected now we actually exit the loop
and the offset have been corrected to include the size of the
integer to be read

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Feb 17 17:58:43 UTC 2024 on atb-devel-224

(cherry picked from commit 885850b6aaabf089f422b1b015481a0ccff4f90e)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Feb 26 10:37:37 UTC 2024 on atb-devel-224

s3/rpc_client: Ensure max possible row buffer size is not exceeded

The max buf size of rows buffer should not exceed 0x00004000.
Ensuring this value is within limits means we can safely use
uint32_t offsets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit f487211706a74d516bf447ed393222b4c0dce7b0)

idl: Add constant for max rows buffer size

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 01e901ef869a1a87fba0e67bce311dbeb199b717)

s3/rpc_client: cleanup unmarshalling of variant types from row columns

Prior to this change fn 'extract_variant_addresses' actually returns offsets
to the variant stored not the addresses, additionally the param in the
signature of the method is named offset where the param in reality is a
base address.
This change makes fn 'extract_variant_addresses' actually return addresses
instead of offsets and also changes the name of the incoming param. The
resulting changes are propaged to callers which hopefully makes what the
code is actually doing a little clearer

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jan 30 17:22:37 UTC 2024 on atb-devel-224

(cherry picked from commit 9b2f2302ee4828ae54f5903a3bf649ffd255fb4a)

s3/utils: use full 64 bit address for getrows (with 64bit offsets)

if 64bit offsets are used the hi 32-bits of address are stored in
the ulreserved2 member of the message header field and the low 32-bits
are stored in the ulclientbase member of the cpmgetrows message

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6ecb614b8ec6953ba15e8061fce9b395615b035a)

s3/rpc_client: Remove stray unnecessary comment

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit efa60ff3105ac80ffff6d2a5d82dd0615ddb7578)

s3/rpc_client: change type of offset to uint64_t

Offset can be a 32 or 64 bit address depending on the indexing addressing
mode negotiated by the client
With a 32 bit param we can only specify a 32 bit base address. This change
alone doesn't affect anything as it is the client itself that choses and
passes the base address offset and wspsearch is the only current user of
this code.
In this case even with 64bit addressing negotiated the address passed
represents only the lower 32-bits part of the address.
However, for coverage purposes it would be better for the client to use an
address that covers the full 64bit range of the address (when 64 bit
addressing is negotiated).
This change will alow the wspsearch client in a future commit to pass a
base address value with both the hi and low 32 bits values set to make up
the full 64 bit address.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a61eb7032896265eaef3ba225aafd6f293e7569d)

ctdb-protocol: Add missing push support for new controls

CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
CTDB_CONTROL_TCP_CLIENT_PASSED were added in commits
c6602b686b4e50d93272667ef86d3904181fb1ab and
037e8e449deb136ad5ed5e4de05439411b545b6d.  They were missing test
support for the packet push/pull.  While adding the testing (for
completeness, before adding another new control) I noticed that the
push functionality was absent.  This adds that, along with the test
support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15580

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 19 10:21:48 UTC 2024 on atb-devel-224

(cherry picked from commit dd9b11acbc4fbde1941719968aeb463b853b0ffb)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Feb 20 13:46:47 UTC 2024 on atb-devel-224

python: Remove ‘typing.Final’

This is only present in Python 3.8 and above.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15575

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d6fe66ddeeb99c550fa9a0f1abb845e6daf71f8a)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Feb 19 15:35:39 UTC 2024 on atb-devel-224

python: do not make use of typing.Final for python 3.6

Python 3.6 does not have typing.Final yet

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15575

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ecc84aa448a962f1a224144bbb65f0cef36a4279)

docs-xml: document "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Feb 13 21:06:24 UTC 2024 on atb-devel-224

(cherry picked from commit 7a674ee9ffeca047ceed7ac046db1b168d4025a6)

smb2_tcon: only announce SMB3 related share capabilities if SMB3 is used

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 32b84c5bce00c4f91191596dc00d9824e82e0f24)

smb2_tcon: only announce SMB2_SHARE_CAP_CLUSTER if rpcd_witness can run

rpcd_witness needs ncacn_ip_tcp support and that's only
available if samba-dcerpcd is not started on demand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit d8bfdaaaa737032c6a8623512fcb2cd01850628a)

docs-xml: add details for 'net witness'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 1d0938d6fe46c06432ae5fda9e7491b908a9ac56)

s3:utils: fix help string for 'net witness force-response'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7a23429ed6a04bb14509758492bfaee5db6dbd0d)

ctdb/events: add 47.samba-dcerpcd.script

If someone wants to enable the witness service
samba-dcerpcd needs to be started as standalone service

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit f1f68108cc303b92b8a88728d12c2b699fdfc731)

ctdb/events: use 'service "$CTDB_SERVICE_NMB" status' in 48.netbios.script

We can easily monitor if the service is running at all,
that better than no monitoring at all...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15577

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit ff8f778e39af563d97b1d38f89368a3c148532f2)

VERSION: Bump version up to Samba 4.20.0rc3...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc2 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.20.0rc2.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Explain new AD DC Claims, authentication policies and Silos

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Mon Feb 12 11:55:51 UTC 2024 on atb-devel-224

WHATSNEW: Add some information about new conditional aces feature

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

WHATSNEW: note "acl_claims evaluation" smb.conf option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>