gssproxy: try to pretty-print a gssx_OID.

Guenther

WIP: torture: start gssapi testsuite (also supports testing gssproxy environment).

Guenther

librpc: Add gssproxy ndr IDL.

Guenther

pidl: Only add trailer alignment when necessary.

FIXME: really needed ?

Guenther

netcmd: fix broken shell command missing Model

This is already in MODELS which is populated in ModelMeta

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr  8 04:07:22 UTC 2024 on atb-devel-224

python: lint: fix pylint R1720 unnecessary "raise" after "else"

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: lint: remove unused imports in claims and gmsa commands

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: tests: type check should always use "is" or "is not"

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: tests: fix closing quote in docstring example

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/http: Detect unsupported Transfer-encoding type

Also removes knownfail for test that now passes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Add new test for testing non-chunk transfer encoding

And add a known fail because there is a bug :-(

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: fix potential reference before assigned error

This would only happen if the test failed (but the message would be
incorrect as 'e' the exception to be stringified doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Do not fail checksums for RFC8009 types

While Active Directory does not support yet RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.

[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Improve keytab comparison of dckeytab

This will give better output on failure as it compares strings instead
of bytes.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:winbindd: use better debug messages than 'talloc_strdup failed'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr  5 13:28:42 UTC 2024 on atb-devel-224

s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages

Otherwise it's completely unclear where the messages come from

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libads: avoid changing ADS->server.workgroup

ads_find_dc() uses c_domain = ads->server.workgroup and
don't expect it to get out of scope deep in resolve_and_ping_dns().

The result are corrupted domain values in the debug output.

Valgrind shows this:

 Invalid read of size 1
    at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
    by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
    by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
    by 0x5D2ED3F: dbgtext (debug.c:1881)
    by 0x4BFFB50: ads_find_dc (ldap.c:570)
    by 0x4C001F4: ads_connect (ldap.c:704)
    by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x4BFF0AF: ads_try_connect (ldap.c:299)
    by 0x4BFF40E: cldap_ping_list (ldap.c:367)
    by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
    by 0x4BFFA91: ads_find_dc (ldap.c:556)
    by 0x4C001F4: ads_connect (ldap.c:704)
    by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Block was alloc'd at
    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x60B250E: strdup (strdup.c:42)
    by 0x4FF1492: smb_xstrdup (util.c:743)
    by 0x4C10E62: ads_init (ads_struct.c:148)
    by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:nbt_server: simulate nmbd and provide unexpected handling

This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.

This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libcli/dgram: make use of socket_address_copy()

This avoids talloc_reference...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/nbt: add nbt_name_send_raw()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL

In 2024 we always want an active directory response...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()

This will allow source4/nbt_server to make use of
nb_packet_server_create().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb/unexpected: don't use talloc_tos() in async code

It's not needed and it requires the caller to setup a
stackframe...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:wscript: LIBNMB requires lp_ functions

We need to make this explicit in order to let LIBNMB be used
in source4 code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:include: split out fstring.h

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:include: let nameserv.h be useable on its own

A lot of stuff is private to nmbd and can
be moved from nameserv.h.

This allows move required types from smb.h to
nameserv.h, so that this can be standalone.
Including it from smb.h is not a huge problem
as nmbd internals are gone from nameserv.h.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests: Add a test for "all_groups=no" to test_idmap_ad.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Apr  2 13:25:39 UTC 2024 on atb-devel-224

selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad

The LDAP query of lookup_groupmem() returns all group members from AD
even those with missing uidNumber.  Such group members are useless in
UNIX environment for idmap_ad backend since there is no uid mapping.

'test_user' is member of group "Domanin Users" with 200K members,
only 20K members have set uidNumber.

Without this fix:

$ time id test_user

real    1m5.946s
user    0m0.019s
sys     0m0.012s

With this fix:

$ time id test_user

real    0m3.544s
user    0m0.004s
sys     0m0.007s

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

docs-xml: Add parameter all_groupmem to idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

vfs_ceph: Implement SMB_VFS_FGET_DOS_ATTRIBUTES to preserve create_time

In order to avoid the dependency on dos attribute for create_time we now
preserve the btime before parsing dos attribute which may update btime
from its value with an old one unless we explicitly reset dos attribute
with new create_time in SMB_VFS_FNTIMES implementation. Therefore have
an implementation for SMB_VFS_FGET_DOS_ATTRIBUTES to save and restore
updated create_time.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Apr  1 15:24:39 UTC 2024 on atb-devel-224

source3/smbd: Update timestamps after a successful SMB_VFS_FNTIMES

When an open file handle is used to change timestamps we fail to return
updated values to clients until next open is issued. Unless we fill in
the timestamps subsequent calls like GETINFO cannot see the latest value
causing incorrect results. Therefore copy those timestamp values as soon
as it is set on the backend.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

lib: Use struct initialization in imessaging_client_init()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar 28 09:13:43 UTC 2024 on atb-devel-224

lib: Fix whitespace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib: Fix dbwrap_tdb.h prerequisites

It uses enum dbwrap_lock_order, so include dbwrap.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib: Give tallocmsg.c its own header

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib: Fix whitespace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: Remove an outdated comment

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: Remove struct open_symlink_err

This was just a wrapper for a single pointer, remove it

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: Remove "unparsed" from struct open_symlink_err

We have the reserved field unparsed_path_length as part of struct
symlink_reparse_struct.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: Remove "st" from struct open_symlink_err

Since c96010a2a9f nobody reads it anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: Fix returning symlink stat info in the NO_OPATH case

Our callers don't look at symlink_err's struct stat anymore, they look
at the fname's one since we return them properly even for symlinks. So
don't bother filling in symlink_err->st, nobody reads it anyways.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: Make read_symlink_reparse() return a reparse_data_buffer

Will make generalized handling of reparse point error returns easier
once we will also allow creating symlink reparse point files over smb.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: Simplify users of fsp_fullbasepath()

All three users had to strip a trailing "/.". Centralize this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED

This in particular tests the returned NTLM password buffers as well as
the password rotation on expired accounts described at
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 28 02:53:53 UTC 2024 on atb-devel-224

python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash

We want to use the PAC returned NT hash in the UF_SMARTCARD_REQUIRED case
as it will usually be random bytes so we can not just assert on the
value any more.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

python/tests/krb5: Allow getting a TGT in pkinit tests

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

tests/krb5: Fix PK-INIT test framework to allow expired password keys

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/samba/krb5: Allow client address (caddr) to be missing or empty

Currently (as of 2024-02) windows 21H2 returns this as [].

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials

This function is based on a flawed premise that the
pointer is a talloc context, but the second element
in an array and any element in a structure is not a
talloc context.

The type has already been checked above.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

netcmd: docs: update documentation for new auth policy command structure

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: add service-allowed-to-authenticate-from subcommands

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: add user-allowed-to-authenticate-from subcommands

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: add service-allowed-to-authenticate-to subcommands

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: add user-allowed-to-authenticate-to subcommands

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: extract policy base commands into policy.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth policy: turn policy.py into module

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth silo: extract silo base commands into silo.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth silo: move silo_member.py into silo module

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: auth silo: turn silo.py into module

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: docs: add section headings for auth policies and silos

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: docs: consistently put <constant> around GROUP and SILO

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device"

Make it consistent with --service-allowed-to-authenticate-from-device-silo by adding =SILO

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: docs: add documentation for service-account group-msa-membership commands

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: docs: add documentation for service-account base command

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: gmsa: improve descriptions of --dns-host-name and match docs

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: domain: models: add OrganizationalUnit container model

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: domain: models: move OrganizationalPerson to org.py

There are other models like OrganizationalUnit which can go in org.py better if this is done first

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: domain: models: move MODELS to registry.py because it's not really a constant

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: domain: models: MODELS lookup does need to include base Model for shell command

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: domain: models: add children method to return a models direct children

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: tests: write a test for the Model.as_dict method

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: tests: computer model tests should clean up

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: domain: models: as_dict() should also exclude empty list fields

Empty list fields happen if many=True is used on the field. This means that the field is automatically initialised as an empty list, so this can only ever be sa list or None.

The side-effect of this was that it appears in as_dict() when it shouldn't, because the field isn't populated. This fixes it.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb: Create KdfParameters at runtime

While this is by definition less efficient, I prefer not to have the magic
buffer of pre-caclulated bytes, we don't create Root Keys very often.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4-dsdb: Indent DH parameters table in gkdi_create_root_key()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4-dsdb: Populate new GKDI root keys from the server configuration object

This honours MS-GKDI 3.1.4.1.1 Creating a New Root Key

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

pyldb: Improve search for error string in PyErr_SetLdbError

We allow a fallback to ldb_strerror() even if there was an LDB context,
allowing failing functions to reset a previous error string but not
set a new one.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

dsdb: Add API tests for new_gkdi_root_key()

These show that the new root key should be based on the server
configuration object, not just hardcoded defaults.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

pyldb: Consolidate PyErr_SetLdbError() using the pyldb version

Now that pyldb-util is a private library to Samba, we have no excuses not to
consolidate helper functions like this.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

plydb: Keep talloc_reference() to the DN in PyDict_AsMessage

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

pyldb: Fix documentation comment on Message.from_dict() method

This method does not take keyword arguments.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4/torture: Fix misplaced positional arguments for u64 comparison

torture_assert_u64_equal_goto() can only print meaningful error message
for incorrect values if only if the function is invoked with test run
value and expected value respectively as second and thrid arguments.
Otherwise it displays the reversed message causing confusion in overall
test results.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 27 13:00:29 UTC 2024 on atb-devel-224

Revert "token_util.c: prefer capabilities over become_root"

This reverts commit 944cb51506a94084d7ab52ee044fe6f66e1aaeb9.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 27 10:47:23 UTC 2024 on atb-devel-224

Revert "dosmode.c: prefer use of capabilities at two places over become_root"

This reverts commit c1e2fbb1b9a7551becf5caa0f08d434edf9ad862.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "nfs4_acls.c: prefer capabilities over become_root"

This reverts commit 06e5c1e32ea7907523cc19f021225e7541e2075f.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "vfs_acl_common.c: prefer capabilities over become_root"

This reverts commit 12734848dc9901b932644139aaa7e3f78e55c8dc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "vfs_default.c: prefer capabilities over become_root"

This reverts commit 62464bd2db2a95b1253364f4493bbb6770b73193.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "vfs_posix_eadb.c: prefer capabilities over become_root"

This reverts commit 92278418dc885ed411f545e73c800ce93f858090.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Revert "vfs_recycle.c: prefer capabilities over become_root"

This reverts commit 4227b011f6ada97a4cd72a440ed887ffdb3f219e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>