smbd: is_in_path() deals with a NULL namelist

Don't need to check in the callers

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Remove a pointless NULL check

boolean short-circuiting already gives us this condition.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Use SMB_VFS_FSTATAT() instead of SMB_LSTAT()

Use the dirfsp when we have it available

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Modernize two DBG statements

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Reduce indentation, remove a nested if-statement

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Remove unused smb2_create_blob_remove()

Trivial to re-add if needed.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Avoid casts in a DBG statement

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Avoid a pointless DEBUGADD

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_server3: Remove a duplicate comment

Review with "git sh -U20"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpc_netlogon4: Simplify dcesrv_netr_ServerAuthenticate3_helper()

Use a switch/case statement instead of a if/else chain. Easier to read
to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

dsdb: Slightly simplify dsdb_trust_get_incoming_passwords()

Use talloc_memdup() instead of a manual copy.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lsa_srv4: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

pdb: Slightly simplify pdb_samba_dsdb_set_trusteddom_pw()

This is easier to read to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Remove IS_DOS_*() macros

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Expand IS_DOS_DIR() macro

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

examples: Expand IS_DOS_DIR() macros

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Expand IS_DOS_READONLY() macros

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Expand IS_DOS_ARCHIVE() macros

Together with the "dosmode | FILE_ATTRIBUTE_ARCHIVE" a line below this
is more obvious to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Expand IS_DOS_* macros

To me these macros hide more than they clarify.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Expand IS_DOS_* macros

To me these macros hide more than they clarify. In a lot of places we
already directly check for these flags without those macros. Unify
that.

Also, check for the dosmode bits first, lp_map_* is a bit more effort
to evaluate.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.

This means that any duplicates will be noticed early not just
in a race condition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Tue Oct 10 15:47:04 UTC 2023 on atb-devel-224

CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

s4-echo: Remove the "echo" server (port 7, RFC 862) in production builds

This demonstration should never be enabled in production, if
echo service is required other software is far better positioned
to provide it.  Reflection attacks on echo are a known issue.

This is removed for consistency with the removal of rpcecho, but was
never enabled in the default smb.conf so is mostly harmless.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC

The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact.  Hoever equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY

This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests

The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour

SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication.  Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once

When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start

Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()

Thie helps ensure this test is reliable even in spite of errors while
running.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice

To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>

CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>

CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.

We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).

Remove knowfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.

The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

Add the knownfail.

BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>

CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.

For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>

ctdb: Add "home_nodes" file to deterministic IP allocation

With a file "home_nodes" next to "public_addresses" you can assign
public IPs to specific nodes when using the deterministic allocation
algorithm. Whenever the "home node" is up, the IP address will be
assigned to that node, independent of any other deterministic
calculation. The line

192.168.21.254 2

in the file "home_nodes" assigns the IP address to node 2. Only when
node 2 is not able to host IP addresses, 192.168.21.254 undergoes the
normal deterministic IP allocation algorithm.

Signed-off-by: Volker Lendecke <vl@samba.org>
add home_nodes
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 10 14:17:19 UTC 2023 on atb-devel-224

ctdb: setup $CTDB_BASE for deterministic ip alloc tests

ipalloc_deterministic() will require it in the next patch

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

ctdb: Align variable signedness

ipalloc_state->num_nodes is uint32_t
Reviewed-by: Ralph Boehme <slow@samba.org>

ctdb: Reduce indentation in get_tunable_values()

Use an early return tvals; review with "git sh -b".

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

ctdb: Fix whitespace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: Ignore fstat() error on deleted stream in fd_close().

In the fd_close() fsp->fsp_flags.fstat_before_close code path.

If this is a stream and delete-on-close was set, the
backing object (an xattr from streams_xattr) might
already be deleted so fstat() fails with
NT_STATUS_NOT_FOUND. So if fsp refers to a stream we
ignore the error and only bail for normal files where
an fstat() should still work. NB. We cannot use
fsp_is_alternate_stream(fsp) for this as the base_fsp
has already been closed at this point and so the value
fsp_is_alternate_stream() checks for is already NULL.

Remove knownfail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 10 09:39:27 UTC 2023 on atb-devel-224

tests: Add reproducer for bug 15487

Show that smbd crashes if asked to return full information on close of a
stream handle with delete on close disposition set.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

pylibsmb: Add SMB2_CLOSE_FLAGS_FULL_INFORMATION constant

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Pass "flags" through cli_close_send() and pylibsmb

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Add "flags" to cli_smb2_close_fnum_send()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs: Add VFS_OPEN_HOW_WITH_BACKUP_INTENT

Indicate BACKUP_INTENT to vfs_openat(). Why? I have a customer request
who wants to add O_NOATIME in this case to avoid metadata updates when
a backup or virus-checking application comes along.

This does not fully handle BACKUP_INTENT correctly, this would require
become_root() appropriately. We might want to do that later after a
lot of careful security audit, but this patch independently might
already provide some infrastructure for it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Oct  5 14:00:33 UTC 2023 on atb-devel-224

smbd: Remove "flags2" from open_file_ntcreate()

"flags" carried just the O_ACCMODE bits, "flags2" everything
else. Unify them.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Pass struct vfs_open_how to open_file()

We want to pass BACKUP_INTENT down into reopen_from_fsp, and the
elegant way is to do this via vfs_open_how.resolve.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Remove "local_flags" from open_file()

This needs close review. I could not see where we were actually
referencing the original flags in a way that would not be available in
local_flags. The reason for this patch is that I want to pass in
vfs_open_how into open_file(), and the distinction between flags and
local_flags made this significantly harder to understand for me.

The only place where we really used both versions is the DBG_NOTICE in
the last hunk, and this will come back in the next patch.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Make open_file() a bit safer

Move adding O_RDWR before the check for read only shares. I haven't
been able to pass this condition through SMB, but in any case we
should not accidentially open with O_RDWR in the !CAN_WRITE(conn)
case.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Simplify open_file()

Simplify an if-condition:

We have to return NT_STATUS_OBJECT_NAME_INVALID even if we're not
creating. In fact, we probably should not end up in open_file() if
we're open a Windows file with a wildcard.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Simplify open_file()

We have extracted FSP_POSIX_FLAGS_PATHNAMES above.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Simplify open_file()

We handle O_TRUNC further down anyway by passing local_flags&~O_TRUNC to
reopen_from_fsp(). No need for this FIFO special case.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Simplify an if-condition in open_file()

We use the plain (flags&O_TRUNC) a few lines above, make the
if-condition a bit more readable.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Simplify open_file()

We can unconditionally just and-out O_CREAT from local_flags, so
remove an if-condition.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Don't change incoming flags in open_file()

This will be part of a const struct vfs_open_how soon. Further down in
this function we don't look at O_CREAT or O_EXCL of "flags" anymore
anyway.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Remove variable "accmode" from open_file()

We directly look at the flags in many other places in this function,
so do this also for O_ACCMODE for clarity.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Slightly simplify open_file()

Replace "truncating" variable reference with what it was defined
as. We use "(flags & O_TRUNC)" a few lines above, so it can't be that
bad.

After we set it to "false" further down, it was never used again.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Pass "struct vfs_open_how" to reopen_from_fsp()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Pass "struct vfs_open_how" to fd_open_atomic()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Pass "struct vfs_open_how" to reopen_from_procfd()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

libsmb: Use pidl generated parsing for posix file info

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct  4 21:26:20 UTC 2023 on atb-devel-224

libsmb: Pass NTTIME to interpret_long_date()

Separate concerns of conversion and pulling off the wire. Needed soon
for smb311 pidl generated parsing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libndr: Factor out ndr_pull_struct_blob_noalloc()

smb3_file_posix_information is variable length with something behind.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Remove unused marshalling of smb3posix file information

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Use Use smb3posix marshalling in in smbd_do_qfilepathinfo()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Use Use smb3posix marshalling in in smbd_marshall_dir_entry()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Modernize a DEBUG statement

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Add smb3_file_posix_information_init()

Copy the logic from store_smb2_posix_info() to allow use of
ndr_push_smb3_file_posix_information().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Use smb3posix marshalling in smbd_smb2_create_after_exec()

Signed-off-by: Volker Lendecke <vl@samba.org>

idl: Add smb3posix.idl

Let PIDL take care of encoding SMB2_FILE_POSIX_INFORMATION. This way
we also get parsing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Allow NULL print_name in reparse_data_buffer_marshall()

read_symlink_reparse() does this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

pylibsmb: Py_BuildValue can build tuples directly

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

tests: Run smb3unix tests with SMB1

We want to create native FIFOs with smb1 extensions

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

tests: We always do smb3 unix extensions

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

ctdb-scripts: Convert 40.vsftpd to use threshold-based fail counting

This effectively provides simple testing for the threshold-based
approach.

Add new script option CTDB_VSFTPD_MONITOR_THRESHOLDS.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Tue Oct  3 04:53:38 UTC 2023 on atb-devel-224

ctdb-scripts: Implement failcount handling with thresholds

This can be used for simple failure counting, without restarts, as
used in the 40.vsftpd event script.  That case will subsequently be
converted and this functionality can also be used elsewhere.

Add documentation to ctdb-script.options(5) to allow parameters that
use this to be more easily described.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-scripts: Avoid errors for uninitialised counters

Uninitialised counters are treated as 0, but still produce an error.

The redirect to stderr needs to come before the redirect for a missing
counter file.

The seemingly saner alternative of moving it outside the subshell
works when dash is /bin/sh (e.g. on Debian) but does not work when
bash is /bin/sh (e.g. on Fedora).

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-doc: Add some subsection names in description

A subsequent commit will add a new section, which looks out of place
without these new sections.

Best reviewed with "git show -w".

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-doc: Update CTDB manual pages to UTF-8

This will allow Unicode characters to be used, resulting in more
readable source files.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Sun Oct  1 23:46:44 UTC 2023 on atb-devel-224

s4:kdc: Make use of ‘samba_kdc_entry_pac’ wrapper type

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add function to get device PAC entry from Heimdal request structure

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add function to determine whether a KDC entry represents a trust

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix indentation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove unused declaration

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add ‘samba_kdc_entry_pac’ wrapper type

With embedded Heimdal, we can mark a PAC as being trusted (i.e. not
issued by an RODC). This is convenient, as it saves us needing to carry
that information in flags, hoping it isn’t inadvertently lost.

System Heimdal and MIT Kerberos, however, don’t provide a way to mark a
PAC trusted. So we add a new wrapper type, ‘samba_kdc_entry_pac’, that
contains this extra information if ‘krb5_const_pac’ doesn’t contain it
already. As it also stores a pointer to the client entry, the
structure’s lifetime must therefore be carefully managed. Finally, it
keeps track of whether the PAC came across a trust, to know which is
useful in some circumstances.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal_build: Define HAVE_KRB5_PAC_IS_TRUSTED when using embedded Heimdal

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add Device Restriction tests for silos and authentication policies in the KDC

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove unused parameters from samba_kdc_verify_pac()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove device PAC validation

In the first place, this check was only applicable to the Heimdal KDC,
the MIT KDC not having support for compounded authentication. Secondly,
it was redundant, because _kdc_fast_check_armor_pac() would have already
been called to verify the armor ticket; a second round of validation
achieved nothing. And finally, the check was flawed: it checked only
*explicitly* armored PACs, and so would have done nothing for an armored
*AS‐REQ*.

In short, this check was useless; remove it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add method to perform an armored AS‐REQ

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Initialize variable

This avoids the following exception:

Exception: Traceback (most recent call last):
  File "/samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 2500, in test_renew_pac_request_false
    tgt = self._modify_tgt(tgt, renewable=True)
  File "samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 3014, in _modify_tgt
    return self.modified_ticket(
  File "/samba/bin/python/samba/tests/krb5/raw_testcase.py", line 5694, in modified_ticket
    auth_data, new_pac,
UnboundLocalError: local variable 'new_pac' referenced before assignment

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove ‘asserted_identity’ parameter from samba_kdc_get_user_info_dc()

It was not used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>