s3-iremotewinspool: add additional openprinterex userlevel validation

When called via the PAR interface, we need to do additional userlevel
input validation.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s4-torture: add missing copyright header in iremotewinspool helper

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

create ctags also for perl modules

wip new torture test 'add_driver_printer_inf'

wip: guess a good ntprint.inf during _winspool_AsyncInstallPrinterDriverFromPackage

s3-net: add "net rpc printer migrate coredrivers" skeleton.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-spoolss: properly implement _spoolss_GetPrinterDriverPackagePath (by using winreg_get_driver_package_internal)

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

use winreg_add_driver_package_internal in _winspool_AsyncInstallPrinterDriverFromPackage

s3-spoolss: implement _spoolss PrinterIC family of calls.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3-spoolss: support OSVersionEx

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-spoolss: Set a better default Printer Port Name.

According to MS-RPRN it must follow this pattern:

"<266> Section 2.2.4.10: Windows uses the following patterns for port names:
PARALLEL_PORT = "LPT" DIGIT ":"
SERIAL_PORT = "COM" DIGIT ":"
FILE_PORT = "FILE:"
USB_PORT = "USB" 1#DIGIT ":"
UNC_PORT = SERVER_NAME DIRECTORY FILENAME
LOCAL_FILE_PORT = PATH
PORT_NAME = (PARALLEL_PORT | SERIAL_PORT | FILE_PORT | USB_PORT |
UNC_PORT | LOCAL_FILE_PORT)"

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

fixup cmd_spoolss_get_core_printer_drivers after IDL changes

fixup _spoolss_GetCorePrinterDrivers after idl changes

wip w2k8 behaviour in test_AsyncUploadPrinterDriverPackage

wip getcoreprinterdrivers

wip _winspool_AsyncDeletePrinterDriverPackage

fixup _winspool_AsyncUploadPrinterDriverPackage after IDL change

s3-spoolss: implement _spoolss_GetCorePrinterDrivers

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

install driver

s3-net: add net_inf_listdrivers

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

### CABINET WORK END ###

s3/utils/cabtool: add new tool to manipulate CAB files

Adds a new cabtool that lets users create and extract CAB files.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>

FIXME s4-torture: add validate test for MSZIP compressed cabinet files

s3-net: add "net cabinet".

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-lib/cab: add a library for generating and extracting Windows Cabinet files.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

### CABINET WORK START ###

fix GetCorePrinterDriver work

s3-iremotewinspool: implement _winspool_AsyncDeletePrinterDriverPackage

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-net: add tool to test inf parsing

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-winspool: implement _winspool_AsyncInstallPrinterDriverFromPackage

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

lib/util: add add_string_to_array_unique

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

add cabinet generation code. monstrous hack....

s3-spoolss: implement _spoolss_GetPrinterDriverPackagePath

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

HACK: pretend printer driver isolation

s3-iremotewinspool: implement _winspool_AsyncCorePrinterDriverInstalled

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-iremotewinspool: implement _winspool_AsyncUploadPrinterDriverPackage

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-iremotewinspool: enforce auth level privacy for communication

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

selftest: run the rpc.iremotewinspool testsuite against s3 iremotewinspool server.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-iremotewinspool: implement _winspool_AsyncGetRemoteNotifications (WIP)

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-iremotewinspool: implement _winspool_SyncRefreshRemoteNotifications (WIP!)

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-iremotewinspool: implement _winspool_SyncUnRegisterForRemoteNotifications

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-iremotewinspool: implement _winspool_SyncRegisterForRemoteNotifications

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-iremotewinspool: add winspool_is_privileged_user

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

rpc_spoolss: start iremotewinspool (MS-PAR) server in rpc_spoolss

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

s3-spoolss: move some spoolss globals to extra header

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

smb2_server: monitor connections with TEVENT_FD_ERROR

By asking for TEVENT_FD_ERROR we're able to fail early
when a connection to a client is broken.

In that case it does not make any sense to process
pending requests in the recv queue as it's not
possible to deliver the response to the client anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 24 10:32:56 UTC 2023 on atb-devel-224

s3:rpc_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:rpc_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:service_named_pipe: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/named_pipe_auth: let tstream_npa_existing_socket use tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:wrepl_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libcli/wrepl: make use of tstream_bsd_fail_readv_first_error(false)

As a client we want recv pending responses even if the server
already closed the connection.

While tstream_bsd_fail_readv_first_error(false) is the default for
tstream_bsd, the wins replication protocol is special as it has
a way to switch server and client roles on an existing tcp connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ntp_signd: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb: the unexpected handler use tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dns_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: make use of tstream_bsd_fail_readv_first_error(true)

This avoids doing useless work in case the client connection
is already broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/tsocket: add tstream_bsd_fail_readv_first_error()

This gives the caller the option to fail immediately if
TEVENT_FD_ERROR appear even with pending bytes in the
recv queue.

Servers typically want to activate this in order to avoid
pointless work, while clients typically want to read
pending responses from the recv queue.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/tsocket: make use of TEVENT_FD_ERROR in tstream_bsd_fde_handler()

This makes the logic introduced to fix bug #15202 simpler.

While developing this I noticed that a lot of callers
rely on the fact that they can read the pending bytes out
of the recv queue before EOF is reported.

So I changed the code handle TEVENT_FD_ERROR together with
TEVENT_FD_READ in a way that keep the existing callers happy.

In the next step we'll add a way to let callers opt-in in order
to fail immediately if TEVENT_FD_ERROR appears (even if there
are pending bytes remaining in the recv queue).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15202

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/tsocket: let tstream_bsd_connect_send() use TEVENT_FD_ERROR instead of TEVENT_FD_READ

This mostly cosmetic, but now that we have TEVENT_FD_ERROR we should use it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/async_req: let writev_send/recv use TEVENT_FD_ERROR

Unless err_on_readability is true, we use TEVENT_FD_READ only
to detect errors. Now that we have TEVENT_FD_ERROR we should use it.

As a side effect it makes the code much simpler and clearer, as
we can directly map TEVENT_FD_ERROR to EPIPE.

In addition the err_on_readability=true case is now also
clearer, where we just map TEVENT_FD_READ to EPIPE.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/async_req: let async_connect_send use TEVENT_FD_ERROR instead of TEVENT_FD_READ

This mostly cosmetic, but now that we have TEVENT_FD_ERROR we should use it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/tsocket: make use of samba_socket_sock_error()

This is nicer than calling getsockopt(state->fd, SOL_SOCKET, SO_ERROR)
directly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/tsocket: make use of samba_socket_poll_or_sock_error()

This is just a copy of the existing code...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/util: add samba_socket_{poll,sock,poll_or_sock}_error()

These are copies of the static functions in lib/tsocket/tsocket_bsd.c,
which we will replace in the next commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add device to Authenticated Users for authentication policy evaluation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 24 01:59:32 UTC 2023 on atb-devel-224

s4:kdc: Add a flag indicating that the device should be added to Authenticated Users

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add device to default groups for authentication policy evaluation

This means that expressions like ‘Device_Member_of(WD)’ will now work,
as they should.

It *also* means that expressions like ‘Device_Member_of(NU)’ will work,
even though they shouldn’t. This is because we consider SID_NT_NETWORK
to be a default group.

Our new behaviour may be wrong, but at least it’s now consistent with
the behaviour of user‐relative expressions like ‘Member_of(WD)’ and
‘Member_of(NU)’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add a flag indicating that the device should be added to the default groups

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make a copy of the device SIDs to be placed in the security token

We shall need to add extra SIDs on the end.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test whether the device belongs to some default groups

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Work around Samba’s incorrect krbtgt principal handling

These tests fail only because they are using the ‘krbtgt@REALM’ form of
the krbtgt principal that Samba doesn’t handle correctly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unnecessary target_creds variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 19 22:39:19 UTC 2023 on atb-devel-224

s4:kdc: Add flag to indicate the upper sixteen bits of the kvno are specified

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Use HDB flag constants instead of SDB ones

These flags are passed to us by Heimdal, and so they are HDB flags, not
SDB flags.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Always regard device info when the client performs RBCD

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Remove reference to non‐existent code

Commit 498542be0bbf4f26558573c1f87b77b8e3509371 removed the code in
question.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Delete connection variable

This avoids a ‘variable set but unused’ warning.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Make ‘services’ parameter required

We use it unconditionally without a check for None.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unreachable exception handlers

‘IOError’ is a subclass of ‘error’, which has already been handled.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Fix RC4‐only Protected Users tests

We forgot to actually use the ‘supported_enctypes’ parameter.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unnecessary f‐strings

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Fix DES3CBC random_to_key()

Because ‘keybytes’ is an immutable bytes object, ‘keybytes[7] = …’ has
no hope of working.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Make ‘keybytes’ a bytes object rather than a list

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Don’t expect edata if no error is expected

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add parameter to _tgs() specifying whether FAST is to be used

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Use None for the default values of parameters

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Move assignments closer to where the variables are used

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove incorrect functional level check

RBCD has no relevance to a method called _tgs().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Update method names to be consistent with other tests

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Have _modify_tgt() accept only keyword arguments

to prevent further accidents.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Correctly pass arguments to _modify_tgt()

We were passing the new realm as the ‘renewable’ parameter!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add KDC_ERR_SERVER_NOMATCH error code

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add ‘expect_edata’ parameter to _user2user()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Fix comment

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove marker

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: Check return values of gnutls functions (CID 1547212)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>