gd/samba/.git
2 years ago pam_winbind: add new pwd_change_prompt option (defaults to off). master-pam_winbind
Günther Deschner [Wed, 17 Nov 2021 08:56:09 +0000 (09:56 +0100)]
pam_winbind: add new pwd_change_prompt option (defaults to off).

This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
2 years ago tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
Joseph Sutton [Mon, 6 Dec 2021 01:54:31 +0000 (14:54 +1300)]
tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors

A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce
them in that case.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec  7 08:32:42 UTC 2021 on sn-devel-184

2 years ago tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0
Joseph Sutton [Mon, 6 Dec 2021 00:06:52 +0000 (13:06 +1300)]
tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0
Joseph Sutton [Wed, 17 Nov 2021 07:17:27 +0000 (20:17 +1300)]
tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Adjust unknown critical FAST option test
Joseph Sutton [Wed, 17 Nov 2021 07:16:32 +0000 (20:16 +1300)]
tests/krb5: Adjust unknown critical FAST option test

Heimdal does not check FAST options when no preauth data is supplied, so
the original test could not pass against Heimdal.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Add test for FAST with invalid ticket checksum
Joseph Sutton [Wed, 17 Nov 2021 07:15:12 +0000 (20:15 +1300)]
tests/krb5: Add test for FAST with invalid ticket checksum

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Remove magic flag constants
Joseph Sutton [Wed, 17 Nov 2021 07:14:50 +0000 (20:14 +1300)]
tests/krb5: Remove magic flag constants

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Allow additional unexpected padata types
Joseph Sutton [Mon, 6 Dec 2021 21:59:27 +0000 (10:59 +1300)]
tests/krb5: Allow additional unexpected padata types

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Make edata checking less strict
Joseph Sutton [Tue, 7 Dec 2021 02:45:06 +0000 (15:45 +1300)]
tests/krb5: Make edata checking less strict

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
Joseph Sutton [Thu, 18 Nov 2021 00:44:32 +0000 (13:44 +1300)]
tests/krb5: Add tests for FAST with use-session-key flag and armor ticket

This flag should be ignored and the FAST armor key used instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data
Joseph Sutton [Tue, 16 Nov 2021 06:56:24 +0000 (19:56 +1300)]
tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Don't request renewable tickets
Joseph Sutton [Tue, 16 Nov 2021 06:55:44 +0000 (19:55 +1300)]
tests/krb5: Don't request renewable tickets

This is not necessary for testing FAST, and was causing some of the
tests to fail.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Adjust expected error codes for FAST tests
Joseph Sutton [Tue, 16 Nov 2021 06:55:17 +0000 (19:55 +1300)]
tests/krb5: Adjust expected error codes for FAST tests

This allows more of the tests to pass.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago kdc: Canonicalize realm for enterprise principals
Joseph Sutton [Tue, 7 Dec 2021 00:15:38 +0000 (13:15 +1300)]
kdc: Canonicalize realm for enterprise principals

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec  7 04:54:35 UTC 2021 on sn-devel-184

2 years ago heimdal_build: Do not build samba4kinit unless building embedded Heimdal
Andrew Bartlett [Mon, 6 Dec 2021 22:30:10 +0000 (11:30 +1300)]
heimdal_build: Do not build samba4kinit unless building embedded Heimdal

We should not attempt to build local copies of Heimdal utilities against
a system krb5 library.

Inspired by a WIP commit by Stefan Metzmacher <metze@samba.org> in his
lorikeet-heimdal import branch of patches to upgrade to a modern Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators
Andrew Bartlett [Tue, 6 Jul 2021 00:26:44 +0000 (12:26 +1200)]
lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators

This provides the defines that may be needed to use the
compiler-provided atomics, rather than a fallback.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:torture: Remove pre-send and post-receive callbacks
Joseph Sutton [Thu, 2 Dec 2021 22:58:53 +0000 (11:58 +1300)]
s4:torture: Remove pre-send and post-receive callbacks

The client-side testing done by these callbacks is no longer needed, and
the server-side testing is covered by Python-based tests. Removing these
leaves us with a more manageable test of the Kerberos API.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s4:torture: Remove test combination with enterprise principal without canonicalize...
Joseph Sutton [Thu, 2 Dec 2021 22:58:40 +0000 (11:58 +1300)]
s4:torture: Remove test combination with enterprise principal without canonicalize flag

This test combination is not needed. Removing it allows us to avoid
modifying requests prior to sending them, which can cause problems with
an upgraded Heimdal version.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec  6 22:57:54 UTC 2021 on sn-devel-184

2 years ago s4:torture: Remove AS_REQ_SELF test stage
Joseph Sutton [Thu, 2 Dec 2021 22:57:49 +0000 (11:57 +1300)]
s4:torture: Remove AS_REQ_SELF test stage

This behaviour is already covered by existing Python tests. This test
stage also modifies the request prior to sending it, which can cause
problems with an upgraded Heimdal version.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Add tests for enterprise principals with canonicalization
Joseph Sutton [Mon, 29 Nov 2021 20:42:00 +0000 (09:42 +1300)]
tests/krb5: Add tests for enterprise principals with canonicalization

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Add tests for AS-REQ with an SPN
Joseph Sutton [Thu, 25 Nov 2021 03:22:58 +0000 (16:22 +1300)]
tests/krb5: Add tests for AS-REQ with an SPN

Using a SPN should only be permitted if it is also a UPN, and is not an
enterprise principal.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
Joseph Sutton [Fri, 3 Dec 2021 00:13:29 +0000 (13:13 +1300)]
tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Check ticket cname for Heimdal
Joseph Sutton [Thu, 25 Nov 2021 03:16:52 +0000 (16:16 +1300)]
tests/krb5: Check ticket cname for Heimdal

This is currently not checked in several places due to STRICT_CHECKING
being set to 0.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Check logon name in PAC for canonicalization tests
Joseph Sutton [Thu, 2 Dec 2021 03:51:26 +0000 (16:51 +1300)]
tests/krb5: Check logon name in PAC for canonicalization tests

This allows us to ensure that the correct name makes it through to the
PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago tests/krb5: Only create testing accounts once per test run
Joseph Sutton [Thu, 2 Dec 2021 03:50:55 +0000 (16:50 +1300)]
tests/krb5: Only create testing accounts once per test run

This decreases the time that the tests take to run.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago waf:mitkrb5: Always define lib so we get the header include path
Andreas Schneider [Mon, 6 Dec 2021 17:01:40 +0000 (18:01 +0100)]
waf:mitkrb5: Always define lib so we get the header include path

If you have libkrb5 in a non-standard include path, we would not check the
latest version but search default paths (e.g. /usr/include) first.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago waf:mitkrb5: Fix MIT KRB5 detection if not in default system location
Andreas Schneider [Fri, 3 Dec 2021 07:49:24 +0000 (08:49 +0100)]
waf:mitkrb5: Fix MIT KRB5 detection if not in default system location

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago waf:mitkrb5: Detect com_err with pkgconfig first
Andreas Schneider [Fri, 3 Dec 2021 08:13:52 +0000 (09:13 +0100)]
waf:mitkrb5: Detect com_err with pkgconfig first

It is needed as a dependency later!

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago wafsamba: Pass lib to CHECK_DECLS()
Andreas Schneider [Mon, 6 Dec 2021 17:00:33 +0000 (18:00 +0100)]
wafsamba: Pass lib to CHECK_DECLS()

This is needed if you have headers in non-standard include paths.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s3:waf: Fix dependencies for libads
Andreas Schneider [Mon, 6 Dec 2021 17:17:35 +0000 (18:17 +0100)]
s3:waf: Fix dependencies for libads

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s4:waf: Fix dependencies for TORTURE_UTIL
Andreas Schneider [Mon, 6 Dec 2021 17:13:58 +0000 (18:13 +0100)]
s4:waf: Fix dependencies for TORTURE_UTIL

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s3:param: Only include smb_ldap.h for LDAP_* defines
Andreas Schneider [Mon, 6 Dec 2021 17:08:54 +0000 (18:08 +0100)]
s3:param: Only include smb_ldap.h for LDAP_* defines

There is no need for ads.h which would pull in krb5.h and much more ...

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s3:param: Remove trailing spaces in loadparm.c
Andreas Schneider [Mon, 6 Dec 2021 17:08:37 +0000 (18:08 +0100)]
s3:param: Remove trailing spaces in loadparm.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago samba-tool: Test DNS record creation on member join
David Mulder [Tue, 23 Nov 2021 15:59:01 +0000 (08:59 -0700)]
samba-tool: Test DNS record creation on member join

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago samba-tool: Create DNS entries on member join
David Mulder [Fri, 5 Nov 2021 20:43:18 +0000 (14:43 -0600)]
samba-tool: Create DNS entries on member join

The net ads join command already handles this,
and the call was missing from the python bindings
for samba-tool domain join member.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC...
Andrew Bartlett [Thu, 2 Dec 2021 00:25:07 +0000 (13:25 +1300)]
heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed.

This will otherwise break the system-heimdal build.

This is correct regardless.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec  6 21:48:30 UTC 2021 on sn-devel-184

2 years ago build: Remove kdc_include except where needed
Andrew Bartlett [Wed, 1 Dec 2021 22:47:35 +0000 (11:47 +1300)]
build: Remove kdc_include except where needed

This include was being set on too many subsystems, including some MIT-related.

This was a problem because it would then trigger the mixing of MIT and Heimdal
krb5.h files.  It is now only set on the plugins and services that use the
embedded Heimdal KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago build: Only use embedded Heimdal include paths in an embedded Heimdal build
Andrew Bartlett [Wed, 1 Dec 2021 22:33:02 +0000 (11:33 +1300)]
build: Only use embedded Heimdal include paths in an embedded Heimdal build

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago docs: fix documentation for default of "fruit:zero_file_id"
Ralph Boehme [Mon, 6 Dec 2021 14:16:36 +0000 (15:16 +0100)]
docs: fix documentation for default of "fruit:zero_file_id"

This got changed by 6e65c283120e3e627f0d8570601263f904529996 without updating
the manpage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14926

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec  6 18:24:24 UTC 2021 on sn-devel-184

2 years ago pytest/source_char: check for mixed direction text
Douglas Bagnall [Wed, 17 Nov 2021 20:17:53 +0000 (20:17 +0000)]
pytest/source_char: check for mixed direction text

As pointed out in https://lwn.net/Articles/875964, forbidding bidi
marker characters is not always going to be enough to avoid
right-to-left vs left-to-right confusion. Consider this:

$ python -c's = "b = x  # 2 * n * m"; print(s); print(s.replace("x", "א").replace("n", "ח"))'

b = x  # 2 * n * m
b = א  # 2 * ח * m

Those two lines are semantically the same, with the Hebrew letters
"א" and "ח" replacing "x" and "n". But they look like they mean
different things.

It is not enough to say we only allow these scripts (or indeed
non-ascii) in strings and comments, as demonstrated in this example:

$ python -c's = "b = \"x#\"  #  n"; print(s); print(s.replace("x", "א").replace("n", "ח"))'

b = "x#"  #  n
b = "א#"  #  ח

where the second line is visually disordered but looks valid. Any series
of neutral characters between two RTL characters will be reversed (and
possibly mirrored).

In practice this affects one file, which is a text file for testing
unicode normalisation.

I think, for the reasons shown above, we are unlikely to see legitimate
RTL code outside perhaps of documentation files — but if we do, we can
add those files to the allow-list.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec  3 18:53:43 UTC 2021 on sn-devel-184
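
An added example (not part of the Samba commit or its test code) of the kind of check the commit message above describes: it flags lines that mix strong left-to-right and strong right-to-left characters, and reports the span between the first and last RTL character, inside which neutral characters can be displayed out of logical order. The file names, the allow-list entry and the sample lines are constructed; the two Hebrew lines are built the same way as in the commit message.

```python
import unicodedata

# Bidi classes as returned by unicodedata.bidirectional().
STRONG_LTR = {"L"}
STRONG_RTL = {"R", "AL"}
# Explicit embedding, override and isolate controls (the "bidi marker" case).
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def line_problems(line):
    """Return the reasons this line may be displayed out of logical order."""
    classes = [unicodedata.bidirectional(ch) for ch in line]
    problems = []
    controls = sorted({c for c in classes if c in BIDI_CONTROLS})
    if controls:
        problems.append("bidi control: " + ",".join(controls))
    has_ltr = any(c in STRONG_LTR for c in classes)
    has_rtl = any(c in STRONG_RTL for c in classes)
    if has_ltr and has_rtl:
        problems.append("mixed direction")
    return problems


def rtl_span(line):
    """Return the text from the first to the last strong RTL character.

    Neutral characters inside this span (quotes, '#', operators) are the
    ones a renderer may reverse, so the span shows what a reviewer cannot
    trust by eye. Returns None when the line has no strong RTL character.
    """
    idx = [i for i, ch in enumerate(line)
           if unicodedata.bidirectional(ch) in STRONG_RTL]
    if not idx:
        return None
    return line[idx[0]:idx[-1] + 1]


def scan(sources, allow_list=frozenset()):
    """Scan a mapping of file name -> text, skipping allow-listed names.

    Returns a list of (name, line number, problems, rtl span) tuples.
    """
    findings = []
    for name, text in sources.items():
        if name in allow_list:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            problems = line_problems(line)
            if problems:
                findings.append((name, lineno, problems, rtl_span(line)))
    return findings


def hebrew(s):
    # Same substitution as in the commit message: x -> alef, n -> het.
    # Escapes are used so this source file itself contains no RTL text.
    return s.replace("x", "\u05d0").replace("n", "\u05d7")


# Constructed sample input.
SAMPLE_SOURCES = {
    "calc.py": "b = x  # 2 * n * m\n" + hebrew("b = x  # 2 * n * m") + "\n",
    "quote.py": hebrew('b = "x#"  #  n') + "\n",
    "override.py": "x = 1  # \u202e note\n",          # RLO control only
    "normalise.txt": "shalom \u05e9\u05dc\u05d5\u05dd\n",  # legitimate test data
}
ALLOW_LIST = frozenset({"normalise.txt"})  # hypothetical allow-list entry

if __name__ == "__main__":
    for name, lineno, problems, span in scan(SAMPLE_SOURCES, ALLOW_LIST):
        # ascii() keeps the report itself free of reordered text.
        print(f"{name}:{lineno}: {'; '.join(problems)}; rtl span={ascii(span)}")
```

For `quote.py` the reported span runs from inside the string literal, across the closing quote and the comment marker, into the comment, which is why restricting RTL text to strings and comments does not help.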

2 years ago samba-tool domain backup: backup but do not follow symlinks
Douglas Bagnall [Tue, 30 Nov 2021 21:20:48 +0000 (10:20 +1300)]
samba-tool domain backup: backup but do not follow symlinks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago samba-tool domain backup: cope better with dangling symlinks
Douglas Bagnall [Wed, 24 Nov 2021 20:26:54 +0000 (09:26 +1300)]
samba-tool domain backup: cope better with dangling symlinks

Our previous behaviour was to try to os.stat() the non-existent
target.

The new code greatly improves efficiency for this little task.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago smbd: s3-dsgetdcname: handle num_ips == 0
Ralph Boehme [Fri, 26 Nov 2021 10:59:45 +0000 (11:59 +0100)]
smbd: s3-dsgetdcname: handle num_ips == 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184

2 years ago CVE-2020-25717: s3-auth: fix MIT Realm regression
Ralph Boehme [Fri, 26 Nov 2021 09:57:17 +0000 (10:57 +0100)]
CVE-2020-25717: s3-auth: fix MIT Realm regression

This looks like a regression introduced by the recent security fixes. This
commit should hopefully fix it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identically, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2 years ago dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
Andrew Bartlett [Thu, 11 Nov 2021 23:44:44 +0000 (12:44 +1300)]
dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object

This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago libcli:auth: Allow to connect to netlogon server offering only AES
Andreas Schneider [Thu, 18 Nov 2021 12:46:26 +0000 (13:46 +0100)]
libcli:auth: Allow to connect to netlogon server offering only AES

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec  2 14:49:35 UTC 2021 on sn-devel-184

2 years ago s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
Günther Deschner [Thu, 18 Nov 2021 10:52:18 +0000 (11:52 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
Andreas Schneider [Thu, 18 Nov 2021 10:47:26 +0000 (11:47 +0100)]
s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
Günther Deschner [Thu, 18 Nov 2021 10:43:08 +0000 (11:43 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:libsmb: Remove trailing white spaces from passchange.c
Andreas Schneider [Wed, 24 Nov 2021 12:21:28 +0000 (13:21 +0100)]
s3:libsmb: Remove trailing white spaces from passchange.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
Günther Deschner [Thu, 18 Nov 2021 10:31:00 +0000 (11:31 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:libnet: Remove trailing whitespaces in libnet_join.c
Andreas Schneider [Thu, 18 Nov 2021 10:38:42 +0000 (11:38 +0100)]
s3:libnet: Remove trailing whitespaces in libnet_join.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:rpcclient: Remove trailing white spaces in rpcclient.c
Andreas Schneider [Thu, 18 Nov 2021 10:32:42 +0000 (11:32 +0100)]
s3:rpcclient: Remove trailing white spaces in rpcclient.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
Günther Deschner [Thu, 18 Nov 2021 10:18:59 +0000 (11:18 +0100)]
s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s3:rpc_client: Remove trailing white spaces from cli_pipe.c
Andreas Schneider [Thu, 18 Nov 2021 10:14:16 +0000 (11:14 +0100)]
s3:rpc_client: Remove trailing white spaces from cli_pipe.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago testprogs: Add rpcclient schannel tests
Andreas Schneider [Wed, 17 Nov 2021 10:46:04 +0000 (11:46 +0100)]
testprogs: Add rpcclient schannel tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTE...
Stefan Metzmacher [Wed, 15 Sep 2021 17:29:40 +0000 (19:29 +0200)]
smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO

We should not fail this just because the user doesn't have
permissions on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Dec  1 11:51:50 UTC 2021 on sn-devel-184

2 years ago s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share
Stefan Metzmacher [Mon, 29 Nov 2021 18:56:20 +0000 (19:56 +0100)]
s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share

Demonstrate that smbd fails FSCTL_QUERY_NETWORK_INTERFACE_INFO
only because the user doesn't have permissions on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids
Stefan Metzmacher [Wed, 15 Sep 2021 18:27:12 +0000 (20:27 +0200)]
smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids

smbd_smb2_request_process_ioctl() already has detailed checks for file_ids,
which were not reached before.

.allow_invalid_fileid = true was only used for SMB2_OP_IOCTL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with...
Stefan Metzmacher [Mon, 29 Nov 2021 18:56:20 +0000 (19:56 +0100)]
s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with invalid file ids

An invalid file id for FSCTL_QUERY_NETWORK_INTERFACE_INFO gives
INVALID_PARAMETER instead of FILE_CLOSED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
Stefan Metzmacher [Wed, 15 Sep 2021 18:26:58 +0000 (20:26 +0200)]
smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()

We should not send more data than the client requested.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL
Stefan Metzmacher [Mon, 29 Nov 2021 18:44:12 +0000 (19:44 +0100)]
s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL

It seems that we currently don't have BUFFER_TOO_SMALL handling
for FSCTL/IOCTL calls.

FSCTL_QUERY_NETWORK_INTERFACE_INFO is just an easy example
to demonstrate it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE...
Stefan Metzmacher [Mon, 16 Aug 2021 15:28:05 +0000 (17:28 +0200)]
smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO

We should not fail this just because the user doesn't have permissions
on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smb2_server: decouple IOCTL check from signing/encryption states
Stefan Metzmacher [Wed, 15 Sep 2021 15:25:53 +0000 (17:25 +0200)]
smb2_server: decouple IOCTL check from signing/encryption states

There's no reason to handle FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT
differently if signing/encryption is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
Stefan Metzmacher [Wed, 15 Sep 2021 15:22:39 +0000 (17:22 +0200)]
smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
Stefan Metzmacher [Wed, 15 Sep 2021 16:31:06 +0000 (18:31 +0200)]
s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE

Demonstrate that smbd fails FSCTL_VALIDATE_NEGOTIATE_INFO
only because the user doesn't have permissions on the share root.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
Stefan Metzmacher [Thu, 16 Sep 2021 08:51:43 +0000 (10:51 +0200)]
libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*

This will be used in tests in order to separate the tcon from
validate_negotiate_info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14788

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years ago heimdal_build: Remove memset_s from roken, already in libreplace
Andrew Bartlett [Thu, 20 Dec 2018 03:24:28 +0000 (16:24 +1300)]
heimdal_build: Remove memset_s from roken, already in libreplace

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Nov 30 19:18:59 UTC 2021 on sn-devel-184

2 years ago heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result
Gary Lockyer [Thu, 28 Sep 2017 21:22:20 +0000 (10:22 +1300)]
heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result

[abartlet@samba.org Squashed with TODO commit from Gary that provided
 HEIMDAL_UNUSED_ATTRIBUTE etc]

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago heimdal_build: Do not list hx509 files twice
Andrew Bartlett [Tue, 23 Nov 2021 22:49:37 +0000 (11:49 +1300)]
heimdal_build: Do not list hx509 files twice

This makes maintaining the file lists easier.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c
Andrew Bartlett [Wed, 7 Jul 2021 03:23:17 +0000 (15:23 +1200)]
Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c

This is in preparation for the Heimdal upgrade (which otherwise
can be compiled with stricter flags).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago heimdal_build: Allow integer overflow errors in gen.c (only)
Andrew Bartlett [Tue, 6 Jul 2021 00:26:17 +0000 (12:26 +1200)]
heimdal_build: Allow integer overflow errors in gen.c (only)

This is in preparation for the Heimdal upgrade.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS()
Stefan Metzmacher [Tue, 30 Nov 2021 16:03:06 +0000 (17:03 +0100)]
heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s4:samba: split out a samba_service_init() helper function
Stefan Metzmacher [Fri, 27 Aug 2021 11:06:00 +0000 (13:06 +0200)]
s4:samba: split out a samba_service_init() helper function

The loading function should be in the same SAMBA_LIBRARY()
as the modules.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Nov 30 16:44:57 UTC 2021 on sn-devel-184

2 years ago vfs_not_implemented: mark all functions with _PUBLIC_
Stefan Metzmacher [Fri, 27 Aug 2021 11:10:41 +0000 (13:10 +0200)]
vfs_not_implemented: mark all functions with _PUBLIC_

These functions are used directly by other modules.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago script/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected...
Stefan Metzmacher [Mon, 23 Aug 2021 12:56:15 +0000 (12:56 +0000)]
script/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected symbols

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago script/autobuild.py: make sure nss and pam plugins don't link any samba libraries
Stefan Metzmacher [Mon, 23 Aug 2021 12:56:15 +0000 (12:56 +0000)]
script/autobuild.py: make sure nss and pam plugins don't link any samba libraries

Note that we exclude libtalloc.so.2 in pam_winbind.so as that simulates
a system libtalloc.so.2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago nsswitch: reduce dependencies to private libraries and link static/builtin if possible
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: reduce dependencies to private libraries and link static/builtin if possible

Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.

One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.

ldd /usr/lib64/sssd/libsss_ad.so| grep samba

   libsamba-util.so.0 => /lib64/libsamba-util.so.0
   libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
   libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
   libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
   libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
   libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
   libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
   libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
   libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
   libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so

When that loads, dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol versions within the other one don't match, as they
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.

This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.

We have the following libraries, which are in that category:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so

The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seems to solve the problem, but injecting
an RPATH is still a problem.

In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

It's relatively simple to get to the point where the following are
completely static:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so

But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long as it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note that at least the locator plugins are always loaded
without any configuration, every .so in a special path is loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.

Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.

As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.

Note I added hide_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but someone
with access to the platform should provide a tested patch.

In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal dependency by other subsystems and libraries.

While being there it was easy enough to make libwbclient.so
also standalone without dependencies to other samba libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
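
The two properties these commits ask of the injected plugins (link only basic system libraries, export only the expected entry points) can be checked from `ldd` and `nm -D` output. The sketch below is an added example, not Samba's autobuild.py code; the system-library allowlist, the function names and the sample listings are assumptions constructed for illustration.

```python
import re

# Assumption: which sonames count as "libc.so and related basic system libraries".
SYSTEM_SONAME = re.compile(
    r"^(linux-vdso|ld-linux[-\w]*|libc|libdl|libm|libpthread|librt|libresolv|libpam)"
    r"\.so(\.\d+)*$"
)

# Constructed ldd-style listing: a plugin that still pulls in private Samba libraries.
LDD_LEAKY = """\
    linux-vdso.so.1 (0x00007ffc0a5f2000)
    libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so (0x00007f0000200000)
    libsamba-util.so.0 => /lib64/libsamba-util.so.0 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0000400000)
"""

# Constructed listing for a pam module that links only libpam, libtalloc and libc.
LDD_PAM = """\
    libpam.so.0 => /lib64/libpam.so.0 (0x00007f0000300000)
    libtalloc.so.2 => /lib64/libtalloc.so.2 (0x00007f0000200000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)
"""

# Constructed `nm -D`-style listing: two intended entry points plus two leaked symbols.
NM_DYNAMIC = """\
                 U malloc@GLIBC_2.2.5
0000000000003a10 T _nss_winbind_getpwnam_r
0000000000003c40 T _nss_winbind_getgrnam_r
0000000000005120 T winbindd_request_response
0000000000005300 T replace_dummy@@SAMBA_4.13.3
"""


def ldd_sonames(ldd_text):
    """Return the soname (basename) of every object listed in ldd-style output."""
    names = []
    for line in ldd_text.splitlines():
        fields = line.split()
        if fields and ".so" in fields[0]:
            names.append(fields[0].rsplit("/", 1)[-1])
    return names


def unexpected_deps(ldd_text, extra_allowed=()):
    """Sonames that are neither system libraries nor explicitly excepted."""
    return [n for n in ldd_sonames(ldd_text)
            if not SYSTEM_SONAME.match(n) and n not in extra_allowed]


def exported_symbols(nm_text):
    """Defined global symbols from nm -D output, with any @VERSION suffix removed."""
    symbols = []
    for line in nm_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        sym_type, name = fields[-2], fields[-1]
        if sym_type.isupper() and sym_type != "U":   # skip undefined/local entries
            symbols.append(name.split("@", 1)[0])
    return symbols


def unexpected_exports(nm_text, allowed_prefixes):
    """Exported symbols that do not start with one of the expected prefixes."""
    allowed = tuple(allowed_prefixes)
    return [s for s in exported_symbols(nm_text) if not s.startswith(allowed)]


if __name__ == "__main__":
    print("leaky deps:   ", unexpected_deps(LDD_LEAKY))
    print("pam deps:     ", unexpected_deps(LDD_PAM, extra_allowed=("libtalloc.so.2",)))
    print("leaky exports:", unexpected_exports(NM_DYNAMIC, ["_nss_winbind_"]))
```

A non-empty result from either check means the plugin can still collide with another Samba build loaded in the same process.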
2 years ago lib/replace: use dlsym(RTLD_DEFAULT,) for {nss,nss_host,uid,socket}_wrapper_enabled()
Stefan Metzmacher [Thu, 5 Aug 2021 16:03:14 +0000 (18:03 +0200)]
lib/replace: use dlsym(RTLD_DEFAULT,) for {nss,nss_host,uid,socket}_wrapper_enabled()

We should not provide the symbols ourselves, instead we should just check
if they are already available when we want to check the result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_
Stefan Metzmacher [Tue, 12 Oct 2021 12:30:09 +0000 (14:30 +0200)]
nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_

Some private functions from wbclient_internal.h already
leaked into the ABI. With hide_symbols=True we make sure
this doesn't happen again.

Having wbcRequestResponse[Priv]() as part of the ABI helps us
in order to hide winbindd_[priv_]request_response() soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago nsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD

This is the only symbol which is used via dlopen()/dlsym() and
needs to be exported, in future we'll hide all other symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux

The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll hide all other symbols.

On other platforms, which are implemented as wrappers above the
Linux implementation, we mark the symbols as _PRIVATE_

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_

The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll hide all other symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago nsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_
Stefan Metzmacher [Thu, 1 Jul 2021 10:08:16 +0000 (12:08 +0200)]
nsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_

The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll hide all other symbols.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago nsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response()
Stefan Metzmacher [Mon, 22 Nov 2021 16:59:48 +0000 (17:59 +0100)]
nsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response()

We should try to route everything through libwbclient.so, because we
soon won't have a single library providing winbindd_request_response().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago nsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h
Stefan Metzmacher [Mon, 22 Nov 2021 17:11:27 +0000 (18:11 +0100)]
nsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h

nsswitch/wb_common.c will be made completely internal soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago s4:torture/winbind: use wbcRequestResponse() instead of winbindd_request_response()
Stefan Metzmacher [Mon, 22 Nov 2021 16:59:48 +0000 (17:59 +0100)]
s4:torture/winbind: use wbcRequestResponse() instead of winbindd_request_response()

We should try to route everything through libwbclient.so, because we
soon won't have a single library providing winbindd_request_response().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago s3:ntlm_auth: use wbcRequestResponse[Priv]() instead of winbindd_request_response()
Stefan Metzmacher [Mon, 22 Nov 2021 16:59:48 +0000 (17:59 +0100)]
s3:ntlm_auth: use wbcRequestResponse[Priv]() instead of winbindd_request_response()

We should try to route everything through libwbclient.so, because we
soon won't have a single library providing winbindd_request_response().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago s3:utils: remove notify_msg.c from smbstatus sources
Stefan Metzmacher [Fri, 26 Nov 2021 00:39:40 +0000 (01:39 +0100)]
s3:utils: remove notify_msg.c from smbstatus sources

This is not needed for smbstatus and the symbols are also available
via 'smbd_base', which already contains notify_msg.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago libwbclient: fix strict-overflow warning in wbcSidToString()
Stefan Metzmacher [Wed, 4 Aug 2021 16:03:13 +0000 (18:03 +0200)]
libwbclient: fix strict-overflow warning in wbcSidToString()

../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
  if (len+1 > sizeof(buf)) {
     ^

Even this would fail:
../../nsswitch/libwbclient/wbc_sid.c:83:5: error: assuming signed overflow does not occur when simplifying conditional [-Werror=strict-overflow]
  if (len >= sizeof(buf)) {
     ^

Note that this only seems to happen with gcc 7 and when -O3 and
-fvisibility=hidden are used together. E.g. in the opensuse151-samba-o3
builds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago heimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY()
Stefan Metzmacher [Wed, 18 Aug 2021 15:55:25 +0000 (17:55 +0200)]
heimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY()

This simplifies a lot and makes sure we always use the
same rules for private libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago heimdal_build: avoid using hardcoded vnum values passed to HEIMDAL_LIBRARY()
Stefan Metzmacher [Wed, 18 Aug 2021 13:47:33 +0000 (15:47 +0200)]
heimdal_build: avoid using hardcoded vnum values passed to HEIMDAL_LIBRARY()

For private libraries we don't want versioned sonames,
it's also pointless to use the upstream heimdal vnum values
for our private libraries as the soname is different anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago heimdal_build: remove unused cflags argument of HEIMDAL_LIBRARY()
Stefan Metzmacher [Wed, 18 Aug 2021 13:47:33 +0000 (15:47 +0200)]
heimdal_build: remove unused cflags argument of HEIMDAL_LIBRARY()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago wafsamba: allow SAMBA_LIBRARY() to get and use original 'version-script.map' for...
Stefan Metzmacher [Wed, 18 Aug 2021 15:34:09 +0000 (17:34 +0200)]
wafsamba: allow SAMBA_LIBRARY() to get and use original 'version-script.map' for private libraries

We'll soon use this for the internal Heimdal build and take the raw
version-script.map files in order to create our own .vscript file
with our private version suffix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago wafsamba: introduce SAMBA[3]_PLUGIN()
Stefan Metzmacher [Fri, 20 Aug 2021 21:05:57 +0000 (23:05 +0200)]
wafsamba: introduce SAMBA[3]_PLUGIN()

This will be used to define plugins we provide to be used
via dlopen/dlsym to external consumers.

SAMBA_PLUGIN() is used instead of SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal dependency by other subsystems and libraries.

With require_builtin_deps=True we make sure that only
symbols explicitly marked with _PUBLIC_ are exported
and we only link to system libraries and include all
internal dependencies as builtin subsystems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago wafsamba: introduce require_builtin_deps/provide_builtin_linking/builtin_cflags to...
Stefan Metzmacher [Thu, 19 Aug 2021 15:31:24 +0000 (17:31 +0200)]
wafsamba: introduce require_builtin_deps/provide_builtin_linking/builtin_cflags to SAMBA_{SUBSYSTEM,LIBRARY}

The 'provide_builtin_linking=True' option allows wscript files
to specify that a SAMBA_{SUBSYSTEM,LIBRARY} will also create a
builtin version of them in addition.

The logic behind this is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

This avoids the need for manual definitions of SAMBA_SUBSYSTEMS()
like this:

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

The builtin version will also make sure that it will include all
dependencies (of internal code) also in the builtin variant.
Note that this is also possible if the dependency also
provided 'provide_builtin_linking=True' in order to limit
the scope.

We now imply '-D_PUBLIC_=_PRIVATE_' and 'hide_symbols=True' for
builtin libraries and subsystems in order to avoid exporting
the symbols of them.

With 'require_builtin_deps=True' a library can specify that it
is only able to use libraries/subsystems marked with
provide_builtin_linking=True. As a result it won't
link against any other SAMBA_LIBRARY() dependency,
but link in everything internal. Only system libraries
still get linked dynamically.

Use 'git show -w' to see a reduced diff.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago wafsamba: let reduce_objects() not remove duplicates of BUILTINS even if there are...
Stefan Metzmacher [Fri, 20 Aug 2021 14:25:02 +0000 (16:25 +0200)]
wafsamba: let reduce_objects() not remove duplicates of BUILTINS even if there are more than one

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago wafsamba: add SAMBA_SUBSYSTEM(force_empty=False)
Stefan Metzmacher [Fri, 20 Aug 2021 12:27:17 +0000 (12:27 +0000)]
wafsamba: add SAMBA_SUBSYSTEM(force_empty=False)

We will need to define empty subsystems without any dependency.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago wafsamba: assert for *.sigs source files in abi_build_vscript()
Stefan Metzmacher [Wed, 18 Aug 2021 15:20:12 +0000 (17:20 +0200)]
wafsamba: assert for *.sigs source files in abi_build_vscript()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years ago wafsamba: the symbol version string of private libraries should be based on the tople...
Stefan Metzmacher [Thu, 1 Jul 2021 13:29:46 +0000 (15:29 +0200)]
wafsamba: the symbol version string of private libraries should be based on the toplevel project

If we build a private library all symbols should be made private based
on a unique suffix.

When we use a unique soname and a unique symbol version suffix it's very unlikely
to hit conflicts due to inherited libraries.

For the abi checking we still use the original vnum as abi_vnum.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>